收集 Chrome 企业版数据
支持的平台:
Google SecOps
SIEM
本文档介绍了如何使用企业报告连接器将 Google Chrome 日志收集到 Google SecOps 中。该文档详细介绍了 Google Chrome 企业核心版和 Chrome 企业进阶版部署的数据注入流程,同时指出某些高级日志数据需要 Chrome 企业进阶版许可。
典型部署
典型部署包含以下组件的组合:
Chrome:您要收集的 Chrome 浏览器和 ChromeOS 管理事件。
ChromeOS:您可以配置 ChromeOS 受管设备,以将日志发送到 Google SecOps。ChromeOS 设备是可选的。
Chrome 企业版报告连接器:Chrome 企业版报告连接器会将 Chrome 日志转发到 Google SecOps。
Google SecOps:保留和分析 Chrome 日志。
准备工作
- Google Workspace 管理员账号。
- Google Chrome 137 或更高版本。早期版本不提供完整的引荐来源网址数据。
- Chrome 企业进阶版许可,用于使用高级功能。
- 可选:Google SecOps 注入令牌。如果使用此选项,您还需要从 Google Workspace 管理控制台中获取 Google Workspace
Customer ID。 - 可选:由 Google SecOps 代表提供的 Chronicle Ingestion API 密钥。
设置 Chrome 浏览器云管理
注册目标设备,以便对 Chrome 浏览器进行云管理。如需了解详情,请参阅注册通过云管理的 Chrome 浏览器。
可选:配置 Evidence Locker 以调查可疑文件。(仅限 Chrome 企业进阶版)
可选:如果您使用 Identity-Aware Proxy,请按照收集 Chrome Enterprise 进阶版情境感知访问权限数据中的步骤将此数据集成到 Google SecOps 中。
将 Chrome 数据连接到您的 Google SecOps 实例
配置 Chrome 管理解析器和 Chrome 企业版报告连接器。
配置 Chrome 管理解析器
您可能需要更新到新版本的 Chrome 管理解析器,才能支持最新的 Chrome 日志。
- 在 Google SecOps 实例中,依次前往菜单 > 设置 > 解析器。
- 找到 Chrome 管理预建条目,然后应用所有待处理的更新,验证您使用的是 2025-08-14 或更新的版本。
配置 Chrome Enterprise 进阶版
本部分介绍如何为 Chrome Enterprise Premium 设置日志记录。
您可以为 Chrome Enterprise 进阶版配置日志转发,其中包含安全浏览功能提供的上下文。Chrome 企业进阶版的 Chrome 企业版报告连接器可以配置以下日志类型,并可选择性地转发这些日志类型:
- 浏览器崩溃
- 内容传输
- 数据访问权限控制
- 扩展程序安装
- 扩展程序遥测
- Google 登录活动记录
- 传输恶意软件
- 密码盗用
- 更改了密码
- 重复使用密码
- 敏感数据传输
- 可疑网址
- 访问不安全的网站
- 网址过滤插页
- 网址导航
设置要导出的 Chrome 企业进阶版数据
如需使用建议的安全设置来配置 Chrome 企业版报告连接器以进行 Chrome 企业进阶版日志记录,请执行以下操作:
- 在 Google 管理控制台中,依次点击菜单 > Chrome 浏览器 > 连接器。
- 在 Google SecOps for Chrome Enterprise Data 简介横幅中,点击查看详细信息并启用。
- 在启用 Google SecOps for Chrome 企业进阶版页面上,输入配置名称。
- 选择一种转发选项,如配置 Chrome 企业版报告连接器中所述。
配置 Chrome 企业版报告连接器
Chrome 企业版报告连接器会将日志数据发送到 Google SecOps,适用于 Chrome 企业进阶版和 Chrome 企业核心版。
使用以下任一选项配置 Chrome 企业版报告连接器,以将 Chrome 数据发送到 Google SecOps:
如果您之前已将 Google Cloud Audit Logs 配置为转发到 Google SecOps,则可以选择发送 Chrome Enterprise Premium 日志。如需了解详情,请参阅
将 Chrome 转发配置为同一组织中的 Google SecOps 实例。您可以使用 Google SecOps 生成的临时令牌代码来配置转发到 Chrome 企业进阶版实例。如需了解详情,请参阅
使用集成令牌配置 Chrome 转发到 Google SecOps。或者,您也可以使用 Chronicle 提取 API 密钥。如需了解详情,请参阅
使用 Chronicle Ingestion API 将 Chrome 转发配置为 Google SecOps。
将 Chrome 转发配置为同一组织中的 Google SecOps 实例
如果满足以下所有前提条件,您或许可以在连接器配置中选择现有的 Google SecOps 实例:
Google SecOps 实例已连接到 Google Cloud 项目。
Google Cloud 项目与管理 Chrome Enterprise Premium 的 Google Workspace 位于同一组织中。
您之前已将该组织的 Cloud Audit Logs 集成到 Google SecOps。
如果满足这些前提条件,Google SecOps 实例应会显示在使用关联的 GCP 账号中的实例下的选择列表中。
如需将 Chrome 转发配置到同一组织中的 Google SecOps 实例,请执行以下操作:
- 输入配置的名称。
- 从使用关联 GCP 账号中的实例选项中,选择 Google SecOps 实例。
- 在日志导出设置中选择要转发的日志类型。
- 点击测试连接。
- 成功测试连接后,点击启用。
- 配置完成后,点击完成。
使用集成令牌将 Chrome 转发配置为 Google SecOps
如果目标 Google SecOps 实例未显示在选择列表中,或者您需要将 Chrome 日志转发到其他 Google Cloud中的 Google SecOps 实例,请执行以下操作:
向目标实例的 Google SecOps 管理员提供您的 Google Workspace 客户 ID,并让对方获取您的 Google SecOps 实例 ID 和令牌。该令牌的有效期为 24 小时。
输入配置的名称。
选择使用组织外部的实例。
输入 Google SecOps 管理员提供的令牌代码。
在日志导出设置中选择要转发的日志类型。
点击测试连接。
成功测试连接后,点击启用。
配置完成后,点击完成。
使用 Chronicle Ingestion API 将 Chrome 转发配置为 Google SecOps
您可以使用 Chronicle Ingestion API 密钥配置 Google Chrome 报告连接器。只有在没有其他集成方法时,您才应使用此方法。
在管理控制台中,依次前往菜单 > 设备 > Chrome > 连接器。
点击 + 添加新的提供商配置。
在侧边栏中,找到 Google SecOps 设置,然后点击设置。
输入配置 ID、API 密钥和主机名:
配置 ID:该 ID 显示在用户和浏览器设置页面和连接器页面上。
API 密钥:在调用 Chronicle 提取 API 时用于指定客户的 API 密钥。
主机名:提取 API 端点。对于美国客户,此值必须为 malachiteingestion-pa.googleapis.com。对于其他地区的客户,请参阅区域端点文档。
点击 Add Configuration 以添加新的提供商配置。
收集 Chrome 企业进阶版情境感知访问权限数据
设置 Feed 以注入与 Identity-Aware Proxy (IAP) 和情境感知访问权限数据相关的 Chrome Enterprise Premium 内容。
谁应启用 Identity-Aware Proxy API?
- 使用 Identity-Aware Proxy (IAP) 数据的 Chrome Enterprise Premium 客户应启用此功能。
- 对于不使用 Identity-Aware Proxy 数据的 Chrome Enterprise Premium 客户,是否启用 Identity-Aware Proxy API 是可选的(但建议启用)。这样做会将更多情境感知访问数据字段添加到您的日志数据中。
如需启用 Identity-Aware Proxy API,请按照收集 Chrome Enterprise 进阶版情境感知访问权限数据中的步骤操作。
验证数据流
如需验证数据流,请执行以下操作:
- 打开您的 Google SecOps 实例。
- 依次前往菜单 > 搜索。
- 运行以下搜索查询以查找原始的未解析事件:
metadata.log_type = "CHROME_MANAGEMENT"
支持的日志类型
以下部分适用于 CHROME_MANAGEMENT 解析器。
支持的日志事件
| 安全类别 | 事件类型 |
|---|---|
Audit Activity |
|
ChromeOS |
ChromeOS 登录失败 ChromeOS 登录成功 ChromeOS 退出 添加了 ChromeOS 用户 移除了 ChromeOS 用户 ChromeOS 锁定成功 ChromeOS 解锁成功 ChromeOS 解锁失败 ChromeOS 设备启动状态发生变化 ChromeOS 添加了 USB 设备 ChromeOS 移除了 USB 设备 ChromeOS USB 状态更改 ChromeOS CRD 主机已启动 ChromeOS CRD 客户端已连接 ChromeOS CRD 客户端已断开连接 ChromeOS CRD 主机已停止 |
Credential Security |
|
Data Protection |
|
File Transfer |
|
Malicious Activity |
|
Navigation |
|
支持的 Chrome 日志格式
CHROME_MANAGEMENT 解析器支持 JSON 格式的日志。
支持的 Chrome 示例日志
以下是 JSON 格式的原始日志示例,可供 Chrome Management 解析器提取:
JSON:
{ "event": "badNavigationEvent", "time": "1622093983.104", "reason": "SOCIAL_ENGINEERING", "result": "EVENT_RESULT_WARNED", "device_name": "", "device_user": "", "profile_user": "sample@domain.io", "url": "https://test.domain.com/s/phishing.html", "device_id": "e9806c71-0f4e-4dfa-8c52-93c05420bb8f", "os_platform": "", "os_version": "", "browser_version": "109.0.5414.120", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36", "client_type": "CHROME_BROWSER_PROFILE" }
字段映射参考
以下字段映射表与 CHROME_MANAGEMENT 解析器(日志类型)相关。
本部分介绍了 Google SecOps 解析器如何将 Chrome 日志字段映射到 Google SecOps Unified Data Model (UDM) 字段(针对相应的数据集)。
字段映射参考信息:事件标识符到事件类型
下表列出了 CHROME_MANAGEMENT 日志类型及其对应的 UDM 事件类型。
| Event Identifier | Event Type | Security Category |
|---|---|---|
badNavigationEvent - SOCIAL_ENGINEERING |
USER_RESOURCE_ACCESS |
SOCIAL_ENGINEERING |
badNavigationEvent - SSL_ERROR |
USER_RESOURCE_ACCESS |
NETWORK_SUSPICIOUS |
badNavigationEvent - MALWARE |
USER_RESOURCE_ACCESS |
SOFTWARE_MALICIOUS |
badNavigationEvent - UNWANTED_SOFTWARE |
USER_RESOURCE_ACCESS |
SOFTWARE_PUA |
badNavigationEvent - THREAT_TYPE_UNSPECIFIED |
USER_RESOURCE_ACCESS |
SOFTWARE_MALICIOUS |
browserCrashEvent |
STATUS_UPDATE |
|
browserExtensionInstallEvent |
USER_RESOURCE_UPDATE_CONTENT |
|
Extension install - BROWSER_EXTENSION_INSTALL |
USER_RESOURCE_UPDATE_CONTENT |
|
EXTENSION_REQUEST |
USER_UNCATEGORIZED |
|
CHROME_OS_ADD_USER - CHROMEOS_AFFILIATED_USER_ADDED |
USER_CREATION |
|
CHROME_OS_ADD_USER - CHROMEOS_UNAFFILIATED_USER_ADDED |
USER_CREATION |
|
ChromeOS user added - CHROMEOS_UNAFFILIATED_USER_ADDED |
USER_CREATION |
|
ChromeOS user removed - CHROMEOS_UNAFFILIATED_USER_REMOVED |
USER_DELETION |
|
CHROME_OS_REMOVE_USER - CHROMEOS_AFFILIATED_USER_REMOVED |
USER_DELETION |
|
CHROME_OS_REMOVE_USER - CHROMEOS_UNAFFILIATED_USER_REMOVED |
USER_DELETION |
|
Login events |
USER_LOGIN |
|
LOGIN_EVENT - CHROMEOS_UNAFFILIATED_LOGIN |
USER_LOGIN |
|
loginEvent |
USER_LOGIN |
|
ChromeOS login success |
USER_LOGIN |
|
CHROME_OS_LOGIN_EVENT - CHROMEOS_AFFILIATED_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_EVENT - CHROMEOS_UNAFFILIATED_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_EVENT - CHROMEOS_GUEST_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_EVENT - CHROMEOS_KIOSK_SESSION_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_EVENT - CHROMEOS_GUEST_SESSION_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_EVENT - CHROMEOS_MANAGED_GUEST_SESSION_LOGIN |
USER_LOGIN |
|
ChromeOS login failure - CHROMEOS_AFFILIATED_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_FAILURE_EVENT - CHROMEOS_AFFILIATED_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_FAILURE_EVENT - CHROMEOS_UNAFFILIATED_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_LOGOUT_EVENT - CHROMEOS_AFFILIATED_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGOUT_EVENT - CHROMEOS_AFFILIATED_LOGOUT |
USER_LOGOUT |
|
CHROME_OS_LOGOUT_EVENT - CHROMEOS_GUEST_LOGOUT |
USER_LOGOUT |
|
CHROME_OS_LOGOUT_EVENT - CHROMEOS_MANAGED_GUEST_SESSION_LOGOUT |
USER_LOGOUT |
|
CHROME_OS_LOGOUT_EVENT - CHROMEOS_UNAFFILIATED_LOGOUT |
USER_LOGOUT |
|
CHROME_OS_LOGOUT_EVENT - CHROMEOS_KIOSK_SESSION_LOGOUT |
USER_LOGOUT |
|
CHROME_OS_LOGOUT_EVENT - CHROMEOS_GUEST_SESSION_LOGOUT |
USER_LOGOUT |
|
ChromeOS logout - CHROMEOS_AFFILIATED_LOGOUT |
USER_LOGOUT |
|
CHROME_OS_REPORTING_DATA_LOST |
STATUS_UPDATE |
|
ChromeOS CRD client connected - CHROMEOS_CRD_CLIENT_CONNECTED |
USER_LOGIN |
|
ChromeOS CRD client disconnected |
USER_LOGOUT |
|
CHROME_OS_CRD_HOST_STARTED - CHROMEOS_CRD_HOST_STARTED |
STATUS_STARTUP |
|
ChromeOS CRD host started - CHROMEOS_CRD_HOST_STARTED |
STATUS_STARTUP |
|
ChromeOS CRD host stopped - CHROMEOS_CRD_HOST_ENDED |
STATUS_STARTUP |
|
ChromeOS device boot state change - CHROME_OS_VERIFIED_MODE |
SETTING_MODIFICATION |
|
ChromeOS device boot state change - CHROME_OS_DEV_MODE |
SETTING_MODIFICATION |
|
DEVICE_BOOT_STATE_CHANGE - CHROME_OS_VERIFIED_MODE |
SETTING_MODIFICATION |
|
ChromeOS lock success - CHROMEOS_AFFILIATED_LOCK_SUCCESS |
USER_LOGOUT |
|
ChromeOS unlock success - CHROMEOS_AFFILIATED_UNLOCK_SUCCESS |
USER_LOGIN |
|
ChromeOS unlock failure - CHROMEOS_AFFILIATED_LOGIN |
USER_LOGIN |
|
ChromeOS USB device added - CHROMEOS_PERIPHERAL_ADDED |
USER_RESOURCE_ACCESS |
|
ChromeOS USB device removed - CHROMEOS_PERIPHERAL_REMOVED |
USER_RESOURCE_DELETION |
|
ChromeOS USB status change - CHROMEOS_PERIPHERAL_STATUS_UPDATED |
USER_RESOURCE_UPDATE_CONTENT |
|
CHROMEOS_PERIPHERAL_STATUS_UPDATED - CHROMEOS_PERIPHERAL_STATUS_UPDATED |
USER_RESOURCE_UPDATE_CONTENT |
|
Client Side Detection |
USER_UNCATEGORIZED |
|
Content transfer |
SCAN_FILE |
|
CONTENT_TRANSFER |
SCAN_FILE |
|
contentTransferEvent |
SCAN_FILE |
|
Content unscanned |
SCAN_UNCATEGORIZED |
|
CONTENT_UNSCANNED |
SCAN_UNCATEGORIZED |
|
dataAccessControlEvent |
USER_RESOURCE_ACCESS |
|
dangerousDownloadEvent - Dangerous |
SCAN_FILE |
SOFTWARE_PUA |
dangerousDownloadEvent - DANGEROUS_HOST |
SCAN_HOST |
|
dangerousDownloadEvent - UNCOMMON |
SCAN_UNCATEGORIZED |
|
dangerousDownloadEvent - POTENTIALLY_UNWANTED |
SCAN_UNCATEGORIZED |
SOFTWARE_PUA |
dangerousDownloadEvent - UNKNOWN |
SCAN_UNCATEGORIZED |
|
dangerousDownloadEvent - DANGEROUS_URL |
SCAN_UNCATEGORIZED |
|
dangerousDownloadEvent - UNWANTED_SOFTWARE |
SCAN_FILE |
SOFTWARE_PUA |
dangerousDownloadEvent - DANGEROUS_FILE_TYPE |
SCAN_FILE |
SOFTWARE_MALICIOUS |
Desktop DLP Warnings |
USER_UNCATEGORIZED |
|
DLP_EVENT |
USER_UNCATEGORIZED |
|
interstitialEvent - Malware |
NETWORK_HTTP |
NETWORK_SUSPICIOUS |
IOS/OSX Warnings |
SCAN_UNCATEGORIZED |
|
Malware transfer - MALWARE_TRANSFER_DANGEROUS |
SCAN_FILE |
SOFTWARE_MALICIOUS |
MALWARE_TRANSFER - MALWARE_TRANSFER_UNCOMMON |
SCAN_FILE |
SOFTWARE_MALICIOUS |
MALWARE_TRANSFER - MALWARE_TRANSFER_DANGEROUS |
SCAN_FILE |
SOFTWARE_MALICIOUS |
MALWARE_TRANSFER - MALWARE_TRANSFER_UNWANTED_SOFTWARE |
SCAN_FILE |
SOFTWARE_MALICIOUS |
MALWARE_TRANSFER - MALWARE_TRANSFER_UNKNOWN |
SCAN_FILE |
SOFTWARE_MALICIOUS |
MALWARE_TRANSFER - MALWARE_TRANSFER_DANGEROUS_HOST |
SCAN_FILE |
SOFTWARE_MALICIOUS |
malwareTransferEvent - DANGEROUS |
SCAN_FILE |
SOFTWARE_MALICIOUS |
malwareTransferEvent - UNSPECIFIED |
SCAN_FILE |
SOFTWARE_MALICIOUS |
Password breach |
USER_RESOURCE_ACCESS |
|
PASSWORD_BREACH |
USER_RESOURCE_ACCESS |
|
passwordBreachEvent - PASSWORD_ENTRY |
USER_RESOURCE_ACCESS |
|
Password changed |
USER_CHANGE_PASSWORD |
|
PASSWORD_CHANGED |
USER_CHANGE_PASSWORD |
|
passwordChangedEvent |
USER_CHANGE_PASSWORD |
|
Password reuse - PASSWORD_REUSED_UNAUTHORIZED_SITE |
USER_RESOURCE_ACCESS |
POLICY_VIOLATION, AUTH_VIOLATION |
Password reuse - PASSWORD_REUSED_PHISHING_URL |
USER_UNCATEGORIZED |
PHISHING |
PASSWORD_REUSE - PASSWORD_REUSED_UNAUTHORIZED_SITE |
USER_RESOURCE_ACCESS |
POLICY_VIOLATION, AUTH_VIOLATION |
passwordReuseEvent - Unauthorized site |
USER_RESOURCE_ACCESS |
POLICY_VIOLATION, AUTH_VIOLATION |
passwordReuseEvent - PASSWORD_REUSED_PHISHING_URL |
USER_UNCATEGORIZED |
PHISHING |
passwordReuseEvent - PASSWORD_REUSED_UNAUTHORIZED_SITE |
USER_RESOURCE_ACCESS |
POLICY_VIOLATION, AUTH_VIOLATION |
Permissions Blacklisting |
RESOURCE_PERMISSIONS_CHANGE |
|
Sensitive data transfer |
SCAN_FILE |
DATA_EXFILTRATION |
SENSITIVE_DATA_TRANSFER |
SCAN_FILE |
DATA_EXFILTRATION |
sensitiveDataEvent - [test_user_5] warn |
SCAN_FILE |
DATA_EXFILTRATION |
sensitiveDataTransferEvent |
SCAN_FILE |
DATA_EXFILTRATION |
Unsafe site visit - UNSAFE_SITE_VISIT_SSL_ERROR |
USER_RESOURCE_ACCESS |
NETWORK_SUSPICIOUS |
UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_MALWARE |
USER_RESOURCE_ACCESS |
SOFTWARE_MALICIOUS |
UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_UNWANTED_SOFTWARE |
USER_RESOURCE_ACCESS |
SOFTWARE_SUSPICIOUS |
UNSAFE_SITE_VISIT - EVENT_REASON_UNSPECIFIED |
USER_RESOURCE_ACCESS |
|
UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_SOCIAL_ENGINEERING |
USER_RESOURCE_ACCESS |
SOCIAL_ENGINEERING |
UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_SSL_ERROR |
USER_RESOURCE_ACCESS |
NETWORK_SUSPICIOUS |
unscannedFileEvent - FILE_PASSWORD_PROTECTED |
SCAN_FILE |
|
unscannedFileEvent - FILE_TOO_LARGE |
SCAN_FILE |
|
urlFilteringInterstitialEvent |
USER_RESOURCE_ACCESS |
POLICY_VIOLATION |
extensionTelemetryEvent |
If the telemetry_event_signals.signal_name log field value is equal to the COOKIES_GET_ALL_INFO, COOKIES_GET_INFO, TABS_API_INFO, then the event_type set to USER_RESOURCE_ACCESS.Else, if the telemetry_event_signals.signal_name log field value is equal to REMOTE_HOST_CONTACTED_INFO, then if the telemetry_event_signals.connection_protocol log field value is equal to HTTP_HTTPS, then the event_type is set to NETWORK_HTTP.Else, the event_type UDM field is set to NETWORK_UNCATEGORIZED. |
If the telemetry_event_signals.signal_name log field value is equal to REMOTE_HOST_CONTACTED_INFO, then the security category is set to NETWORK_SUSPICIOUS.Else, if the telemetry_event_signals.signal_name log field value contain one of the following values, then the security category UDM field is set to SOFTWARE_SUSPICIOUS.
|
字段映射参考信息:CHROME_MANAGEMENT
下表列出了 CHROME_MANAGEMENT 日志类型的日志字段及其对应的 UDM 字段。
| Log field | UDM mapping | Logic |
|---|---|---|
id.customerId |
about.resource.product_object_id |
|
event_detail |
metadata.description |
|
time |
metadata.event_timestamp |
|
events.parameters.name [TIMESTAMP] |
metadata.event_timestamp |
|
event |
metadata.product_event_type |
|
events.name |
metadata.product_event_type |
|
id.uniqueQualifier |
metadata.product_log_id |
|
|
metadata.product_name |
The metadata.product_name UDM field is set to Chrome Management. |
id.applicationName |
|
|
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to GOOGLE. |
user_agent |
network.http.user_agent |
|
userAgent |
network.http.user_agent |
|
events.parameters.name [USER_AGENT] |
network.http.user_agent |
|
events.parameters.name [SESSION_ID] |
network.session_id |
|
client_type |
principal.application |
|
clientType |
principal.application |
|
events.parameters.name [CLIENT_TYPE] |
principal.application |
|
device_id |
principal.asset.product_object_id |
|
deviceId |
principal.asset.product_object_id |
|
events.parameters.name [DEVICE_ID] |
principal.asset.product_object_id |
|
device_name |
principal.hostname |
|
deviceName |
principal.hostname |
|
events.parameters.name [DEVICE_NAME] |
principal.hostname |
|
os_platform |
principal.platform |
The principal.platform UDM field is set to one of the following values:
Else, if the os_platform log field value is not empty and osVersion log field value is not empty, then the os_platform osVersion log field is mapped to the principal.platform_version UDM field. |
os_platform |
principal.asset.platform_software.platform |
The principal.asset.platform_software.platform UDM field is set to one of the following values:
|
os_platform |
principal.asset.platform_software.platform |
The principal.asset.platform_software.platform UDM field is set to one of the following values:
|
osPlatform |
principal.platform |
The principal.platform UDM field is set to one of the following values:
Else, if the osPlatform log field value is not empty and osVersion log field value is not empty, then the osPlatform osVersion log field is mapped to the principal.platform_version UDM field. |
osPlatform |
principal.asset.platform_software.platform |
The principal.asset.platform_software.platform UDM field is set to one of the following values:
|
events.parameters.name [DEVICE_PLATFORM] |
principal.platform |
The os_platform and os_version is extracted from the events.parameters.name [DEVICE_PLATFORM] log field using Grok pattern.The principal.platform UDM field is set to one of the following values:
Else, if the os_platform log field value is not empty and osVersion log field value is not empty, then the os_platform osVersion log field is mapped to the principal.platform_version UDM field. |
events.parameters.name [DEVICE_PLATFORM] |
principal.asset.platform_software.platform |
The os_platform is extracted from the events.parameters.name [DEVICE_PLATFORM] log field using Grok pattern.The principal.asset.platform_software.platform UDM field is set to one of the following values:
|
os_version |
principal.platform_version |
|
osVersion |
principal.platform_version |
|
events.parameters.name [DEVICE_PLATFORM] |
principal.platform_version |
The Version is extracted from the events.parameters.name [DEVICE_PLATFORM] log field using Grok pattern. |
device_id |
principal.resource.id |
|
deviceId |
principal.resource.id |
|
events.parameters.name [DEVICE_ID] |
principal.resource.id |
|
directory_device_id |
principal.resource.product_object_id |
|
events.parameters.name [DIRECTORY_DEVICE_ID] |
principal.resource.product_object_id |
|
|
principal.resource.resource_subtype |
If the event log field value is equal to CHROMEOS_PERIPHERAL_STATUS_UPDATED, then the principal.resource.resource_subtype UDM field is set to USB.Else, if the events.name log field value is equal to CHROMEOS_PERIPHERAL_STATUS_UPDATED, then the principal.resource.resource_subtype UDM field is set to USB. |
|
principal.resource.resource_type |
If the device_id log field value is not empty, then the principal.resource.resource_type UDM field is set to DEVICE. |
actor.email |
principal.user.email_addresses |
|
actor.profileId |
principal.user.userid |
|
result |
security_result.action_details |
|
events.parameters.name [EVENT_RESULT] |
security_result.action_details |
|
event_result |
security_result.action_details |
|
|
security_result.action |
The security_result.action UDM field is set to one of the following values:
|
reason |
security_result.category_details |
|
events.parameters.name [EVENT_REASON] |
security_result.category_details |
|
events.parameters.name [EVENT_REASON] |
security_result.summary |
|
events.parameters.name [LOGIN_FAILURE_REASON] |
security_result.description |
|
events.parameters.name [REMOVE_USER_REASON] |
security_result.description |
If the events.name log field value is equal to CHROME_OS_REMOVE_USER, then the events.parameters.name REMOVE_USER_REASON log field value is mapped to the security_result.description UDM field. |
triggered_rules |
security_result.rule_name |
|
events.type |
security_result.category_details |
|
events.parameters.name [PRODUCT_NAME] |
target.application |
If the events.name log field value contains one of the following values, then the events.parameters.name [PRODUCT_NAME] log field is mapped to the target.resource.name UDM field:
|
content_name |
target.file.full_path |
|
contentName |
target.file.full_path |
|
events.parameters.name [CONTENT_NAME] |
target.file.full_path |
|
content_type |
target.file.mime_type |
|
contentType |
target.file.mime_type |
|
events.parameters.name [CONTENT_TYPE] |
target.file.mime_type |
|
content_hash |
target.file.sha256 |
|
events.parameters.name [CONTENT_HASH] |
target.file.sha256 |
|
content_size |
target.file.size |
|
contentSize |
target.file.size |
|
events.parameters.name [CONTENT_SIZE] |
target.file.size |
|
|
target.file.file_type |
The fileType is extracted from the content_name log field using Grok pattern, Then target.file.file_type UDM field is set to one of the following values:
|
extension_id |
target.resource.product_object_id |
|
events.parameters.name [APP_ID] |
target.resource.product_object_id |
|
extension_name |
target.resource.name |
If the event log field value is equal to badNavigationEvent or the events.name log field value is equal to badNavigationEvent, then the extension_name log field is mapped to the target.resource.name UDM field. |
telemetry_event_signals.signal_name |
target.resource.name |
If the event log field value is equal to extensionTelemetryEvent, then the telemetry_event_signals.signal_name log field is mapped to the target.resource.name UDM field. |
events.parameters.name [APP_NAME] |
target.resource.name |
|
url |
target.url |
|
events.parameters.name [URL] |
target.url |
|
telemetry_event_signals.url |
target.url |
If the telemetry_event_signals.url log field value matches the regular expression pattern the [http:\/\/ or https:\/\/].*, then the telemetry_event_signals.url log field is mapped to the target.url UDM field. |
device_user |
target.user.userid |
|
deviceUser |
principal.user.userid |
If the event log field value is equal to passwordChangedEvent, then the deviceUser log field is mapped to the principal.user.userid UDM field.Else, the deviceUser log field is mapped to the principal.user.user_display_name UDM field. |
events.parameters.name [DEVICE_USER] |
If the event log field value is equal to passwordChangedEvent, then the events.parameters.name [DEVICE_USER] log field is mapped to the principal.user.userid UDM field.Else, the events.parameters.name [DEVICE_USER] log field is mapped to the principal.user.user_display_name UDM field. |
|
scan_id |
about.labels [scan_id] |
|
events.parameters.name [CONNECTION_TYPE] |
about.labels [connection_type] |
|
etag |
about.labels [etag] |
|
kind |
about.labels [kind] |
|
actor.key |
principal.user.attribute.labels [actor_key] |
|
actor.callerType |
principal.user.attribute.labels [actor_callerType] |
|
events.parameters.name [EVIDENCE_LOCKER_FILEPATH] |
security_result.about.labels [evidence_locker_filepath] |
|
federated_origin |
security_result.about.labels [federated_origin] |
|
is_federated |
security_result.about.labels [is_federated] |
|
destination |
security_result.about.labels [trigger_destination] |
|
events.parameters.name [TRIGGER_DESTINATION] |
security_result.about.labels [trigger_destination] |
|
source |
security_result.about.labels [trigger_source] |
|
events.parameters.name [TRIGGER_SOURCE] |
security_result.about.labels [trigger_source] |
|
trigger_type |
security_result.about.labels [trigger_type] |
|
trigger_type |
additional.fields [trigger_type] |
|
triggerType |
security_result.about.labels [trigger_type] |
|
triggerType |
additional.fields [trigger_type] |
|
events.parameters.name [TRIGGER_TYPE] |
security_result.about.labels [trigger_type] |
|
trigger_user |
security_result.about.labels [trigger_user] |
|
events.parameters.name [TRIGGER_USER] |
security_result.about.labels [trigger_user] |
|
events.parameters.name [MALWARE_CATEGORY] |
security_result.threat_name |
|
events.parameters.name [MALWARE_FAMILY] |
security_result.detection_fields [malware_family] |
|
events.parameters.name [VENDOR_ID] |
src.labels [vendor_id] |
|
events.parameters.name [VENDOR_NAME] |
src.labels [vendor_name] |
|
events.parameters.name [VIRTUAL_DEVICE_ID] |
src.labels [virtual_device_id] |
|
events.parameters.name [VIRTUAL_DEVICE_ID] |
additional.fields [virtual_device_id] |
|
events.parameters.name [NEW_BOOT_MODE] |
target.asset.attribute.labels [new_boot_mode] |
|
events.parameters.name [PREVIOUS_BOOT_MODE] |
target.asset.attribute.labels [previous_boot_mode] |
|
id.time |
target.asset.attribute.labels [timestamp] |
|
events.parameters.name [PRODUCT_ID] |
target.labels [product_id] |
If the events.name log field value contains one of the following values, then the events.parameters.name [PRODUCT_ID] log field is mapped to the target.resource.product_object_id UDM field:
Else, the events.parameters.name [PRODUCT_ID] log field is mapped to the target.labels UDM field. |
|
extensions.auth.mechanism |
If the events.name log field value contains one of the following values, then the extensions.auth.mechanism UDM field is set to USERNAME_PASSWORD:
|
events.parameters.name [UNLOCK_TYPE] |
target.labels [unlock_type] |
|
extension_description |
target.resource.attribute.labels [extension_description] |
|
extension_action |
target.resource.attribute.labels [extension_action] |
|
extension_version |
target.resource.attribute.labels [extension_version] |
If the event log field value is not equal to extensionTelemetryEvent, then the extension_version log field is mapped to the target.resource.attribute.labels[extension_version] UDM field. |
extension_source |
target.resource.attribute.labels[extension_source] |
If the event log field value is not equal to extensionTelemetryEvent, then the extension_source log field is mapped to the target.resource.attribute.labels[extension_source] UDM field. |
browser_version |
target.resource.attributes.labels [browser_version] |
|
browserVersion |
target.resource.attributes.labels [browser_version] |
|
events.parameters.name [BROWSER_VERSION] |
target.resource.attributes.labels [browser_version] |
|
profile_user |
target.user.email_addresses |
If the event log field value contain one of the following values and the profile_user log field value matches the regular expression pattern ^.+@.+$, then the profile_user log field is mapped to the target.user.email_addresses UDM field.
|
profile_user |
principal.user.email_addresses |
If the event log field value does not contain one of the following values and the profile_user log field value matches the regular expression pattern ^.+@.+$ and the actor.email log field value is not equal to the profile_user, then the profile_user log field is mapped to the principal.user.email_addresses UDM field.
|
profile_user |
target.user.attribute.labels[profile_user_name] |
If the event log field value contain one of the following values and the profile_user log field value does not match the regular expression pattern ^.+@.+$, then the profile_user log field is mapped to the target.user.attribute.labels.profile_user_name UDM field.
|
profile_user |
principal.user.attribute.labels[profile_user_name] |
If the event log field value does not contain one of the following values and the profile_user log field value does not match the regular expression pattern ^.+@.+$ or the actor.email log field value is equal to the profile_user, then the profile_user log field is mapped to the principal.user.attribute.labels.profile_user_name UDM field.
|
events.parameters.name [PROFILE_USER_NAME] |
target.user.email_addresses |
If the event log field value contain one of the following values and the events.parameters.name [PROFILE_USER_NAME] log field value matches the regular expression pattern ^.+@.+$, then the events.parameters.name [PROFILE_USER_NAME] log field is mapped to the target.user.email_addresses UDM field.
|
events.parameters.name [PROFILE_USER_NAME] |
principal.user.email_addresses |
If the event log field value does not contain one of the following values and the events.parameters.name [PROFILE_USER_NAME] log field value matches the regular expression pattern ^.+@.+$ and the actor.email log field value is not equal to the events.parameters.name [PROFILE_USER_NAME], then the events.parameters.name [PROFILE_USER_NAME] log field is mapped to the principal.user.email_addresses UDM field.
|
events.parameters.name [PROFILE_USER_NAME] |
target.user.attribute.labels[profile_user_name] |
If the event log field value contain one of the following values and the events.parameters.name [PROFILE_USER_NAME] log field value does not match the regular expression pattern ^.+@.+$, then the events.parameters.name [PROFILE_USER_NAME] log field is mapped to the target.user.attribute.labels.profile_user_name UDM field.
|
events.parameters.name [PROFILE_USER_NAME] |
principal.user.attribute.labels[profile_user_name] |
If the event log field value does not contain one of the following values and the events.parameters.name [PROFILE_USER_NAME] log field value does not match the regular expression pattern ^.+@.+$ or the actor.email log field value is equal to the events.parameters.name [PROFILE_USER_NAME], then the events.parameters.name [PROFILE_USER_NAME] log field is mapped to the principal.user.attribute.labels.profile_user_name UDM field.
|
|
target.resource.resource_type |
If the events.name log field value is equal to DEVICE_BOOT_STATE_CHANGE, then the target.resource.resource_type UDM field is set to SETTING. |
url_category |
target.labels [url_category] |
|
browser_channel |
target.resource.attribute.labels [browser_channel] |
|
report_id |
target.labels [report_id] |
|
clickedThrough |
target.labels [clickedThrough] |
|
threat_type |
security_result.detection_fields [threatType] |
|
triggered_rule_info.action |
security_result.action |
If the triggered_rule_info.action log field value contains one of the following values, then the triggered_rule_info.action log field is mapped to the security_result.action UDM field:
Else, the triggered_rule_info.action log field is mapped to the security_result.rule_labels [triggeredRuleInfo_action] UDM field. |
triggered_rule_info.rule_id |
security_result.rule_id |
|
triggered_rule_info.rule_name |
security_result.rule_name |
|
triggered_rule_info.url_category |
security_result.category_details |
|
transfer_method |
additional.fields [transfer_method] |
|
extension_name |
target.resource_ancestors.name |
If the event log field value is equal to extensionTelemetryEvent, then the extension_name log field is mapped to the target.resource_ancestors.name UDM field. |
extension_id |
target.resource_ancestors.product_object_id |
If the event log field value is equal to extensionTelemetryEvent, then the extension_id log field is mapped to the target.resource_ancestors.product_object_id UDM field. |
extension_version |
target.resource_ancestors.attribute.labels[extension_version] |
If the event log field value is equal to extensionTelemetryEvent, then the extension_version log field is mapped to the target.resource_ancestors.attribute.labels[extension_version] UDM field. |
extension_source |
target.resource_ancestors.attribute.labels[extension_source] |
If the event log field value is equal to extensionTelemetryEvent, then the extension_source log field is mapped to the target.resource_ancestors.attribute.labels[extension_source] UDM field. |
profile_identifier |
additional.fields[profile_identifier] |
|
extension_files_info.file_name |
target.resource_ancestors.file.names |
|
extension_files_info.file_hash.hash |
target.resource_ancestors.attribute.labels[file_hash] |
|
telemetry_event_signals.count |
target.resource.attribute.labels[count] |
|
telemetry_event_signals.tabs_api_method |
target.resource.attribute.labels[tabs_api_method] |
|
|
target.hostname |
If the telemetry_event_signals.url log field value does not match the regular expression pattern the [http:\/\/ or https:\/\/].*, then the telemetry_event_signals.url log field is mapped to the target.hostname UDM field. |
telemetry_event_signals.destination |
target.resource.attribute.labels[destination] |
|
telemetry_event_signals.source |
target.resource.attribute.labels[source] |
|
telemetry_event_signals.domain |
target.domain.name |
|
telemetry_event_signals.cookie_name |
target.resource.attribute.labels[cookie_name] |
|
telemetry_event_signals.cookie_path |
target.resource.attribute.labels[cookie_path] |
|
telemetry_event_signals.cookie_is_secure |
target.resource.attribute.labels[cookie_is_secure] |
|
telemetry_event_signals.cookie_store_id |
target.resource.attribute.labels[cookie_store_id] |
|
telemetry_event_signals.cookie_is_session |
target.resource.attribute.labels[cookie_is_session] |
|
telemetry_event_signals.connection_protocol |
network.application_protocol |
If the telemetry_event_signals.connection_protocol log field value is equal to HTTP_HTTPS, then the network.application_protocol UDM field is set to HTTP Else, If the telemetry_event_signals.connection_protocol log field value is equal to UNSPECIFIED, then the network.application_protocol UDM field is set to UNKNOWN_APPLICATION_PROTOCOLElse, the telemetry_event_signals.connection_protocol log field is mapped to the target.resource.attribute.labels UDM field. |
telemetry_event_signals.contacted_by |
target.resource.attribute.labels[contacted_by] |
|
local_ips |
principal.ip |
If the event log field value is equal to extensionTelemetryEvent, then the local_ips log field is mapped to the principal.ip UDM field. |
remote_ip |
target.ip |
If the event log field value is equal to extensionTelemetryEvent, then the remote_ip log field is mapped to the target.ip UDM field. |
device_fqdn |
principal.asset.attribute.labels |
If the event log field value is equal to extensionTelemetryEvent, then the device_fqdn log field is mapped to the principal.asset.attribute.labels UDM field. |
network_name |
principal.network.carrier_name |
If the event log field value is equal to extensionTelemetryEvent, then the network_name log field is mapped to the principal.network.carrier_name UDM field. |
web_app_signed_in_account |
target.user.email_addresses |
If the event log field value contains one of the following values, then the web_app_signed_in_account log field is mapped to the target.user.email_addresses UDM field:
|
字段映射参考(预览版)
所有字段均适用于 Chrome 企业核心版客户和 Chrome 企业进阶版客户。仅适用于 Chrome 企业进阶版客户的字段会标记为“[仅限 CEP]”。
字段映射参考信息:CHROME_MANAGEMENT(预览版)
下表列出了 CHROME_MANAGEMENT 日志类型的日志字段及其对应的 UDM 字段。
| Log field | UDM mapping | Logic |
|---|---|---|
pehash_sha256 |
about.file.sha256 |
[CEP Only] The SHA256 file hash (pehash_sha256) reported from a dangerousDownloadEvent
or contentTransferEvent. |
device_fqdn |
principal.asset.attribute.labels |
[CEP Only] The device's fully qualified domain name reported in a urlNavigationEvent,
suspiciousUrlEvent, or urlFilteringInterstitialEvent. Not reported for unmanaged devices
with managed user profiles. |
network_name |
principal.network.carrier_name |
[CEP Only] The network name (SSID) the device is connected to reported in a
urlNavigationEvent, suspiciousUrlEvent, or urlFilteringInterstitialEvent.
|
content_risk.threat_type |
security_result.threat_name |
[CEP Only] The threat type of the content reported in a dangerousDownloadEvent or
contentTransferEvent. |
content_risk_level, content_risk.risk_level |
security_result.severity |
[CEP Only] The content risk level reported by Safe Browsing in a dangerousDownloadEvent or
contentTransferEvent. |
content_risk.risk_reasons |
security_result.rule_label |
[CEP Only] The content risk reason reported by Safe Browsing in a dangerousDownloadEvent or
contentTransferEvent. |
content_risk.risk_indicators |
security_result.detection_fields[content_risk_indicators] |
[CEP Only] The list of indicators from the Safe Browsing risk level in a dangerousDownloadEvent or
contentTransferEvent. |
content_risk.risk_source |
security_result.detection_fields[content_risk_source] |
[CEP Only] The risk source of the content reported by Safe Browsing in a dangerousDownloadEvent or
contentTransferEvent. |
is_encrypted |
additional.fields[is_encrypted] |
[CEP Only] Set to true if the content is encrypted in dangerousDownloadEvent or
contentTransferEvent. |
server_scan_status |
additional.fields[server_scan_status] |
[CEP Only] The status of whether the content in dangerousDownloadEvent or
contentTransferEvent was successfully scanned by Safe Browsing. |
url_info.url |
principal.url |
[CEP Only] The URL of dangerousDownloadEvent, contentTransferEvent,
urlNavigationEvent, suspiciousUrlEvent, or urlFilteringInterstitialEvent.
|
url_info.ip |
principal.ip |
[CEP Only] The IP address of dangerousDownloadEvent, contentTransferEvent,
urlNavigationEvent, suspiciousUrlEvent, or urlFilteringInterstitialEvent.
|
url_info.type |
principal.security_result.detection_fields[url_info_type] |
[CEP Only] The URL type (download, tab, or redirect) of dangerousDownloadEvent,
contentTransferEvent, urlNavigationEvent, suspiciousUrlEvent, or
urlFilteringInterstitialEvent. |
url_info.risk_level |
principal.security_result.severity |
[CEP Only] The risk level of the URL reported by Safe Browsing. |
url_info.risk_infos.risk_level |
principal.security_result.severity |
[CEP Only] Additional risk information reported by Safe Browsing. |
url_info.navigation_initiator.initiator_type |
principal.security_result.detection_fields[url_info_initiator_type] |
[CEP Only] This maps the url_info_initiator_type in a dangerousDownloadEvent or
contentTransferEvent. In a urlNavigationEvent, suspiciousUrlEvent, or
urlFilteringInterstitialEvent this maps the url_navigation_initiator. |
url_info.navigation_initiator.entity |
principal.security_result.detection_fields[url_info_entity] |
[CEP Only] This maps the url_info_entity in a dangerousDownloadEvent or
contentTransferEvent. In a urlNavigationEvent, suspiciousUrlEvent, or
urlFilteringInterstitialEvent this maps the url_infos_navigation_entity. |
url_info.request_http_method |
principal.security_result.detection_fields[url_info_request_http_method] |
[CEP Only] The HTTP method used to contact the URL. |
url_info.url_categories |
principal.url_metadata.categories |
[CEP Only] The URL category reported by Safe Browsing of urlNavigationEvent or
suspiciousUrlEvent. |
url_info.risk_infos.risk_indicators |
principal.security_result.detection_fields[url_info_risk_infos_risk_indicators_key] |
[CEP Only] The URL risk indicators reported by Safe Browsing of urlNavigationEvent or
suspiciousUrlEvent. |
url_info.risk_infos.risk_reasons |
principal.security_result.rule_label[risk_reason] |
[CEP Only] The Safe Browsing reason for the URL risk classification of urlNavigationEvent or
suspiciousUrlEvent. |
url_info.risk_infos.risk_source |
principal.security_result.detection_fields[content_risk_source] |
[CEP Only] The risk source determination reported by Safe Browsing. This includes URL and file reputation
and content scanning results for urlNavigationEvent, suspiciousUrlEvent, or
urlFilteringInterstitialEvent. |
url_info.risk_infos.threat_type |
security_result.threat_name |
[CEP Only] The threat type reported by Safe Browsing of the URL for urlNavigationEvent,
suspiciousUrlEvent, or urlFilteringInterstitialEvent. |
tab_url_info.url, tab_url, referrers.url |
about.url |
[CEP Only] Maps the tab_url_info.url of dangerousDownloadEvent or
contentTransferEvent. Maps the referrers.url of a urlNavigationEvent, or
suspiciousUrlEvent. |
tab_url_info.ip, referrers.ip |
about.ip |
[CEP Only] Maps the tab_url_info_ip IP address associated with dangerousDownloadEvent
or contentTransferEvent. Maps the IP address of referrers.ip
in urlNavigationEvent or suspiciousUrlEvent. |
remote_ip |
target.ip |
[CEP Only] If the event log field value contains one of the following values, then the remote_ip log field is mapped to the target.ip UDM field:
|
tab_url_info.type |
about.security_result.detection_fields[tab_url_info_type] |
[CEP Only] The URL tab type for dangerousDownloadEvent or contentTransferEvent.
|
tab_url_info.risk_level |
about.security_result.severity |
[CEP Only] The Safe Browsing risk level associated with the URL from a tab event for
dangerousDownloadEvent or contentTransferEvent. |
tab_url_info.navigation_initiator.initiator_type |
about.security_result.detection_fields[tab_url_info_initiator_type] |
[CEP Only] The initiator type of the tab event for dangerousDownloadEvent or
contentTransferEvent. |
tab_url_info.navigation_initiator.entity |
about.security_result.detection_fields[tab_url_info_entity] |
[CEP Only] The tab_url_info_entity for dangerousDownloadEvent or
contentTransferEvent. |
tab_url_info.request_http_method |
about.security_result.detection_fields[tab_url_info_request_http_method] |
[CEP Only] The HTTP method a tab used to contact the URL of dangerousDownloadEvent or
contentTransferEvent. |
referrers.navigation_initiator.entity |
about.security_result.detection_fields[referrers_navigation_initiator_entity] |
[CEP Only] The referrer entity name that initiated the navigation event for
urlNavigationEvent or suspiciousUrlEvent. |
referrers.navigation_initiator.initiator_type |
about.security_result.detection_fields[referrers_navigation_initiator_initiator_type] |
[CEP Only] The referrer type that initiated urlNavigationEvent or
suspiciousUrlEvent. |
referrers.request_http_method |
about.security_result.detection_fields[referrers_request_http_method] |
[CEP Only] The HTTP method of urlNavigationEvent or suspiciousUrlEvent. |
referrers.risk_infos.risk_categories |
about.security_result.detection_fields[referrers_risk_infos_risk_categories] |
[CEP Only] The URL category of the referrer, as provided by the Safe Browsing service, associated with urlNavigationEvent or suspiciousUrlEvent. |
referrers.risk_infos.risk_level, referrers.risk_level |
about.security_result.severity |
[CEP Only] Maps the risk level provided by Safe Browsing referrers.risk_level for a
urlNavigationEvent or suspiciousUrlEvent or
referrers.risk_infos.risk_level for urlNavigationEvent or
suspiciousUrlEvent. |
referrers.type |
about.security_result.detection_fields[referrers_type] |
[CEP Only] The URL type provided by Safe Browsing of the referrer URL of urlNavigationEvent or
suspiciousUrlEvent. |
referrers.risk_infos.risk_source |
about.security_result.detection_fields[referrers_risk_source] |
[CEP Only] The risk source provided by Safe Browsing for the referrer URL of urlNavigationEvent or
suspiciousUrlEvent. |
referrers.risk_infos.threat_type |
about.security_result.threat_name |
[CEP Only] The threat type provided by Safe Browsing for the referrer URL of urlNavigationEvent or
suspiciousUrlEvent. |
referrers.url_categories |
about.url_metadata.categories |
[CEP Only] The URL category provided by Safe Browsing for the referrer URL of urlNavigationEvent or
suspiciousUrlEvent. |
需要更多帮助?获得社区成员和 Google SecOps 专业人士的解答。