收集 Chrome Enterprise 資料
支援的國家/地區:
Google SecOps
SIEM
本文說明如何使用 Enterprise 報表連接器,將 Google Chrome 記錄收集到 Google SecOps。這份文件詳細說明 Google Chrome Enterprise 基本版和 Chrome Enterprise 進階版部署作業的資料擷取程序,並指出部分進階記錄資料需要 Chrome Enterprise 進階版授權。
一般部署作業
一般部署作業會結合下列元件:
Chrome:您要收集的 Chrome 瀏覽器和 ChromeOS 管理事件。
ChromeOS:您可以設定 ChromeOS 受管理裝置,將記錄傳送至 Google SecOps。ChromeOS 裝置為選用項目。
Chrome Enterprise 報告連接器:Chrome Enterprise 報告連接器會將 Chrome 記錄轉送至 Google SecOps。
Google SecOps:保留及分析 Chrome 記錄。
事前準備
- Google Workspace 管理員帳戶。
- Google Chrome 137 以上版本。舊版不會提供完整的參照網址資料。
- Chrome Enterprise 進階版授權,可使用進階功能。
- 選用:Google SecOps 擷取權杖。如果使用這個選項,您也需要 Google Workspace
Customer ID(可從 Google Workspace 管理控制台取得)。 - 選用:Google SecOps 代表提供的 Chronicle Ingestion API 金鑰。
設定 Chrome 瀏覽器雲端管理
註冊目標裝置,啟用 Chrome 瀏覽器雲端管理。詳情請參閱「註冊採用雲端式管理的 Chrome 瀏覽器」。
選用:如果您使用 Identity-Aware Proxy,請按照「收集 Chrome Enterprise Premium 環境感知存取權感知資料」一文中的步驟操作,將這項資料整合至 Google SecOps。
將 Chrome 資料連結至 Google SecOps 執行個體
設定 Chrome 管理剖析器和 Chrome Enterprise 報告連接器。
設定 Chrome 管理服務剖析器
您可能需要更新 Chrome 管理剖析器,才能支援最新的 Chrome 記錄。
- 在 Google SecOps 執行個體中,依序前往「選單」 >「設定」 >「剖析器」。
- 找到 Chrome 管理服務預建項目,並套用所有待處理的更新,確認您使用的是 2025 年 8 月 14 日或更新的版本。
設定 Chrome Enterprise 進階版
本節說明如何設定 Chrome Enterprise 進階版的記錄功能。
您可以設定 Chrome Enterprise 進階版的記錄轉送功能,其中包含安全瀏覽的內容。Chrome Enterprise 進階版的 Chrome Enterprise 報表連接器可設定下列記錄類型,並視需要轉送:
- 瀏覽器當機
- 內容轉移
- 資料存取權控管
- 擴充功能安裝
- 擴充功能遙測
- Google 登入活動
- 轉移惡意軟體
- 密碼外洩
- 密碼已變更
- 密碼重複使用
- 機密資料移轉
- 可疑網址
- 造訪不安全的網站
- 網址篩選插頁式
- 網址導覽
設定要匯出的 Chrome Enterprise 進階版資料
如要使用建議的安全設定,為 Chrome Enterprise Premium 記錄設定 Chrome Enterprise 報告連接器,請按照下列步驟操作:
- 在 Google 管理控制台中,依序前往「選單」>「Chrome 瀏覽器」>「連接器」。
- 在「隆重推出 Google SecOps for Chrome Enterprise Data」橫幅中,按一下「查看詳細資料並啟用功能」。
- 在「啟用 Google SecOps for Chrome Enterprise 進階版」頁面中,輸入「設定名稱」。
- 選取轉送選項,詳情請參閱「 設定 Chrome Enterprise 報告連接器」。
設定 Chrome Enterprise 報告連接器
Chrome Enterprise 報表連接器會將記錄資料傳送至 Google SecOps,適用於 Chrome Enterprise 進階版和 Chrome Enterprise 基本版。
設定 Chrome Enterprise 報告連接器,透過下列任一選項將 Chrome 資料傳送至 Google SecOps:
如果您先前已設定將 Google Cloud 稽核記錄轉送至 Google SecOps,系統可能會提供傳送 Chrome Enterprise Premium 記錄的選項。詳情請參閱「
在相同機構中,將 Chrome 轉送設定為 Google SecOps 執行個體」。您可以使用 Google SecOps 產生的臨時權杖代碼,設定轉送至 Chrome Enterprise Premium 執行個體。詳情請參閱「
使用整合權杖設定 Chrome 轉送至 Google SecOps」。或者,您也可以使用 Chronicle Ingestion API 金鑰。詳情請參閱「
使用 Chronicle Ingestion API 設定 Chrome 轉送至 Google SecOps」。
將 Chrome 轉送設定為同一個機構中的 Google SecOps 執行個體
如果符合下列所有必要條件,您或許可以在連結器設定中選取現有的 Google SecOps 執行個體:
Google SecOps 執行個體已連結至 Google Cloud 專案。
Google Cloud 專案與管理 Chrome Enterprise Premium 的 Google Workspace 位於同一機構。
您先前已設定從該機構到 Google SecOps 的 Cloud 稽核記錄整合。
如果符合這些必要條件,Google SecOps 執行個體就會顯示在「使用相關聯 GCP 帳戶中的執行個體」下方的選取清單中。
如要將 Chrome 轉送設定至同一機構中的 Google SecOps 執行個體,請按照下列步驟操作:
- 輸入設定名稱。
- 從「使用相關聯 GCP 帳戶中的執行個體」選項中,選取 Google SecOps 執行個體。
- 從「記錄檔匯出設定」中選取要轉送的記錄類型。
- 按一下「測試連線」。
- 測試連線成功後,按一下「啟用」。
- 設定完成後,按一下「完成」。
使用整合式權杖設定 Chrome 轉送至 Google SecOps
如果目標 Google SecOps 執行個體未顯示在選取清單中,或您需要將 Chrome 記錄轉送至其他 Google Cloud的 Google SecOps 執行個體,請按照下列步驟操作:
將 Google Workspace 客戶 ID 提供給目標執行個體的 Google SecOps 管理員,請他們取得您的 Google SecOps 執行個體 ID 和權杖。權杖的有效期為 24 小時。
輸入設定名稱。
選取「使用貴機構外部的執行個體」。
輸入 Google SecOps 管理員提供的權杖代碼。
從「記錄檔匯出設定」中選取要轉送的記錄類型。
按一下「測試連線」。
測試連線成功後,按一下「啟用」。
設定完成後,請按一下「完成」。
使用 Chronicle Ingestion API 設定 Chrome 轉送至 Google SecOps
您可以使用 Chronicle Ingestion API 金鑰設定 Google Chrome 報表連接器。只有在沒有其他整合方法時,才應使用這個方法。
在管理控制台中,依序前往「選單」>「裝置」>「Chrome」>「連接器」。
按一下「+ 新增供應商設定」。
在側邊面板中找到 Google SecOps 設定,然後按一下「設定」。
輸入「設定 ID」、「API 金鑰」和「主機名稱」:
設定 ID:這個 ID 會顯示在「使用者與瀏覽器設定」和「連接器」頁面。
API 金鑰:在呼叫 Chronicle 擷取 API 時,所需指定的 API 金鑰,用以識別客戶。
主機名稱:Ingestion API 端點。如果是美國客戶,則必須為 malachiteingestion-pa.googleapis.com。如果是其他地區,請參閱地區端點說明文件。
按一下「新增設定」,新增供應商設定。
收集 Chrome Enterprise Premium 情境感知存取權資料
設定動態饋給,擷取與 Identity-Aware Proxy (IAP) 和情境感知存取權資料相關的 Chrome Enterprise Premium 內容。
誰應啟用 Identity-Aware Proxy API?
- 如果 Chrome Enterprise Premium 客戶使用 Identity-Aware Proxy (IAP) 資料,就應啟用這項功能。
- 如果 Chrome Enterprise Premium 客戶不使用 Identity-Aware Proxy 資料,可以選擇是否啟用 Identity-Aware Proxy API (建議啟用)。這樣做會在記錄資料中新增額外的內容感知存取資料欄位。
如要啟用 Identity-Aware Proxy API,請按照「 收集 Chrome Enterprise 進階版情境感知存取權資料」中的步驟操作。
驗證資料流程
如要驗證資料流,請按照下列步驟操作:
- 開啟 Google SecOps 執行個體。
- 依序前往「選單」>「搜尋」。
- 執行下列搜尋查詢,尋找未經剖析的原始事件:
metadata.log_type = "CHROME_MANAGEMENT"
支援的記錄類型
下列各節適用於 CHROME_MANAGEMENT 剖析器。
支援的記錄事件
| 安全類別 | 事件類型 |
|---|---|
Audit Activity |
|
ChromeOS |
ChromeOS 登入失敗 ChromeOS 登入成功 登出 ChromeOS 已新增 ChromeOS 使用者 已移除 ChromeOS 使用者 ChromeOS 鎖定成功 ChromeOS 解鎖成功 ChromeOS 解鎖失敗 ChromeOS 裝置啟動狀態變更 已新增 ChromeOS USB 裝置 已移除 ChromeOS USB 裝置 ChromeOS USB 狀態變更 ChromeOS CRD 主機已啟動 ChromeOS CRD 用戶端已連線 ChromeOS CRD 用戶端已中斷連線 ChromeOS CRD 主機已停止 |
Credential Security |
|
Data Protection |
|
File Transfer |
|
Malicious Activity |
|
Navigation |
|
支援的 Chrome 記錄格式
CHROME_MANAGEMENT 剖析器支援 JSON 格式的記錄。
支援的 Chrome 範例記錄
以下是 JSON 格式的原始記錄範例,可供 Chrome Management 剖析器擷取:
JSON:
{ "event": "badNavigationEvent", "time": "1622093983.104", "reason": "SOCIAL_ENGINEERING", "result": "EVENT_RESULT_WARNED", "device_name": "", "device_user": "", "profile_user": "sample@domain.io", "url": "https://test.domain.com/s/phishing.html", "device_id": "e9806c71-0f4e-4dfa-8c52-93c05420bb8f", "os_platform": "", "os_version": "", "browser_version": "109.0.5414.120", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36", "client_type": "CHROME_BROWSER_PROFILE" }
欄位對應參考資料
下列欄位對應表與 CHROME_MANAGEMENT 解譯器 (記錄類型) 相關。
本節說明 Google SecOps 剖析器如何將 Chrome 記錄檔欄位對應至資料集的 Google SecOps 統合式資料模型 (UDM) 欄位。
欄位對應參照:事件 ID 對應至事件類型
下表列出 CHROME_MANAGEMENT 記錄類型和對應的 UDM 事件類型。
| Event Identifier | Event Type | Security Category |
|---|---|---|
badNavigationEvent - SOCIAL_ENGINEERING |
USER_RESOURCE_ACCESS |
SOCIAL_ENGINEERING |
badNavigationEvent - SSL_ERROR |
USER_RESOURCE_ACCESS |
NETWORK_SUSPICIOUS |
badNavigationEvent - MALWARE |
USER_RESOURCE_ACCESS |
SOFTWARE_MALICIOUS |
badNavigationEvent - UNWANTED_SOFTWARE |
USER_RESOURCE_ACCESS |
SOFTWARE_PUA |
badNavigationEvent - THREAT_TYPE_UNSPECIFIED |
USER_RESOURCE_ACCESS |
SOFTWARE_MALICIOUS |
browserCrashEvent |
STATUS_UPDATE |
|
browserExtensionInstallEvent |
USER_RESOURCE_UPDATE_CONTENT |
|
Extension install - BROWSER_EXTENSION_INSTALL |
USER_RESOURCE_UPDATE_CONTENT |
|
EXTENSION_REQUEST |
USER_UNCATEGORIZED |
|
CHROME_OS_ADD_USER - CHROMEOS_AFFILIATED_USER_ADDED |
USER_CREATION |
|
CHROME_OS_ADD_USER - CHROMEOS_UNAFFILIATED_USER_ADDED |
USER_CREATION |
|
ChromeOS user added - CHROMEOS_UNAFFILIATED_USER_ADDED |
USER_CREATION |
|
ChromeOS user removed - CHROMEOS_UNAFFILIATED_USER_REMOVED |
USER_DELETION |
|
CHROME_OS_REMOVE_USER - CHROMEOS_AFFILIATED_USER_REMOVED |
USER_DELETION |
|
CHROME_OS_REMOVE_USER - CHROMEOS_UNAFFILIATED_USER_REMOVED |
USER_DELETION |
|
Login events |
USER_LOGIN |
|
LOGIN_EVENT - CHROMEOS_UNAFFILIATED_LOGIN |
USER_LOGIN |
|
loginEvent |
USER_LOGIN |
|
ChromeOS login success |
USER_LOGIN |
|
CHROME_OS_LOGIN_EVENT - CHROMEOS_AFFILIATED_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_EVENT - CHROMEOS_UNAFFILIATED_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_EVENT - CHROMEOS_GUEST_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_EVENT - CHROMEOS_KIOSK_SESSION_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_EVENT - CHROMEOS_GUEST_SESSION_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_EVENT - CHROMEOS_MANAGED_GUEST_SESSION_LOGIN |
USER_LOGIN |
|
ChromeOS login failure - CHROMEOS_AFFILIATED_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_FAILURE_EVENT - CHROMEOS_AFFILIATED_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_FAILURE_EVENT - CHROMEOS_UNAFFILIATED_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_LOGOUT_EVENT - CHROMEOS_AFFILIATED_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGOUT_EVENT - CHROMEOS_AFFILIATED_LOGOUT |
USER_LOGOUT |
|
CHROME_OS_LOGOUT_EVENT - CHROMEOS_GUEST_LOGOUT |
USER_LOGOUT |
|
CHROME_OS_LOGOUT_EVENT - CHROMEOS_MANAGED_GUEST_SESSION_LOGOUT |
USER_LOGOUT |
|
CHROME_OS_LOGOUT_EVENT - CHROMEOS_UNAFFILIATED_LOGOUT |
USER_LOGOUT |
|
CHROME_OS_LOGOUT_EVENT - CHROMEOS_KIOSK_SESSION_LOGOUT |
USER_LOGOUT |
|
CHROME_OS_LOGOUT_EVENT - CHROMEOS_GUEST_SESSION_LOGOUT |
USER_LOGOUT |
|
ChromeOS logout - CHROMEOS_AFFILIATED_LOGOUT |
USER_LOGOUT |
|
CHROME_OS_REPORTING_DATA_LOST |
STATUS_UPDATE |
|
ChromeOS CRD client connected - CHROMEOS_CRD_CLIENT_CONNECTED |
USER_LOGIN |
|
ChromeOS CRD client disconnected |
USER_LOGOUT |
|
CHROME_OS_CRD_HOST_STARTED - CHROMEOS_CRD_HOST_STARTED |
STATUS_STARTUP |
|
ChromeOS CRD host started - CHROMEOS_CRD_HOST_STARTED |
STATUS_STARTUP |
|
ChromeOS CRD host stopped - CHROMEOS_CRD_HOST_ENDED |
STATUS_STARTUP |
|
ChromeOS device boot state change - CHROME_OS_VERIFIED_MODE |
SETTING_MODIFICATION |
|
ChromeOS device boot state change - CHROME_OS_DEV_MODE |
SETTING_MODIFICATION |
|
DEVICE_BOOT_STATE_CHANGE - CHROME_OS_VERIFIED_MODE |
SETTING_MODIFICATION |
|
ChromeOS lock success - CHROMEOS_AFFILIATED_LOCK_SUCCESS |
USER_LOGOUT |
|
ChromeOS unlock success - CHROMEOS_AFFILIATED_UNLOCK_SUCCESS |
USER_LOGIN |
|
ChromeOS unlock failure - CHROMEOS_AFFILIATED_LOGIN |
USER_LOGIN |
|
ChromeOS USB device added - CHROMEOS_PERIPHERAL_ADDED |
USER_RESOURCE_ACCESS |
|
ChromeOS USB device removed - CHROMEOS_PERIPHERAL_REMOVED |
USER_RESOURCE_DELETION |
|
ChromeOS USB status change - CHROMEOS_PERIPHERAL_STATUS_UPDATED |
USER_RESOURCE_UPDATE_CONTENT |
|
CHROMEOS_PERIPHERAL_STATUS_UPDATED - CHROMEOS_PERIPHERAL_STATUS_UPDATED |
USER_RESOURCE_UPDATE_CONTENT |
|
Client Side Detection |
USER_UNCATEGORIZED |
|
Content transfer |
SCAN_FILE |
|
CONTENT_TRANSFER |
SCAN_FILE |
|
contentTransferEvent |
SCAN_FILE |
|
Content unscanned |
SCAN_UNCATEGORIZED |
|
CONTENT_UNSCANNED |
SCAN_UNCATEGORIZED |
|
dataAccessControlEvent |
USER_RESOURCE_ACCESS |
|
dangerousDownloadEvent - Dangerous |
SCAN_FILE |
SOFTWARE_PUA |
dangerousDownloadEvent - DANGEROUS_HOST |
SCAN_HOST |
|
dangerousDownloadEvent - UNCOMMON |
SCAN_UNCATEGORIZED |
|
dangerousDownloadEvent - POTENTIALLY_UNWANTED |
SCAN_UNCATEGORIZED |
SOFTWARE_PUA |
dangerousDownloadEvent - UNKNOWN |
SCAN_UNCATEGORIZED |
|
dangerousDownloadEvent - DANGEROUS_URL |
SCAN_UNCATEGORIZED |
|
dangerousDownloadEvent - UNWANTED_SOFTWARE |
SCAN_FILE |
SOFTWARE_PUA |
dangerousDownloadEvent - DANGEROUS_FILE_TYPE |
SCAN_FILE |
SOFTWARE_MALICIOUS |
Desktop DLP Warnings |
USER_UNCATEGORIZED |
|
DLP_EVENT |
USER_UNCATEGORIZED |
|
interstitialEvent - Malware |
NETWORK_HTTP |
NETWORK_SUSPICIOUS |
IOS/OSX Warnings |
SCAN_UNCATEGORIZED |
|
Malware transfer - MALWARE_TRANSFER_DANGEROUS |
SCAN_FILE |
SOFTWARE_MALICIOUS |
MALWARE_TRANSFER - MALWARE_TRANSFER_UNCOMMON |
SCAN_FILE |
SOFTWARE_MALICIOUS |
MALWARE_TRANSFER - MALWARE_TRANSFER_DANGEROUS |
SCAN_FILE |
SOFTWARE_MALICIOUS |
MALWARE_TRANSFER - MALWARE_TRANSFER_UNWANTED_SOFTWARE |
SCAN_FILE |
SOFTWARE_MALICIOUS |
MALWARE_TRANSFER - MALWARE_TRANSFER_UNKNOWN |
SCAN_FILE |
SOFTWARE_MALICIOUS |
MALWARE_TRANSFER - MALWARE_TRANSFER_DANGEROUS_HOST |
SCAN_FILE |
SOFTWARE_MALICIOUS |
malwareTransferEvent - DANGEROUS |
SCAN_FILE |
SOFTWARE_MALICIOUS |
malwareTransferEvent - UNSPECIFIED |
SCAN_FILE |
SOFTWARE_MALICIOUS |
Password breach |
USER_RESOURCE_ACCESS |
|
PASSWORD_BREACH |
USER_RESOURCE_ACCESS |
|
passwordBreachEvent - PASSWORD_ENTRY |
USER_RESOURCE_ACCESS |
|
Password changed |
USER_CHANGE_PASSWORD |
|
PASSWORD_CHANGED |
USER_CHANGE_PASSWORD |
|
passwordChangedEvent |
USER_CHANGE_PASSWORD |
|
Password reuse - PASSWORD_REUSED_UNAUTHORIZED_SITE |
USER_RESOURCE_ACCESS |
POLICY_VIOLATION, AUTH_VIOLATION |
Password reuse - PASSWORD_REUSED_PHISHING_URL |
USER_UNCATEGORIZED |
PHISHING |
PASSWORD_REUSE - PASSWORD_REUSED_UNAUTHORIZED_SITE |
USER_RESOURCE_ACCESS |
POLICY_VIOLATION, AUTH_VIOLATION |
passwordReuseEvent - Unauthorized site |
USER_RESOURCE_ACCESS |
POLICY_VIOLATION, AUTH_VIOLATION |
passwordReuseEvent - PASSWORD_REUSED_PHISHING_URL |
USER_UNCATEGORIZED |
PHISHING |
passwordReuseEvent - PASSWORD_REUSED_UNAUTHORIZED_SITE |
USER_RESOURCE_ACCESS |
POLICY_VIOLATION, AUTH_VIOLATION |
Permissions Blacklisting |
RESOURCE_PERMISSIONS_CHANGE |
|
Sensitive data transfer |
SCAN_FILE |
DATA_EXFILTRATION |
SENSITIVE_DATA_TRANSFER |
SCAN_FILE |
DATA_EXFILTRATION |
sensitiveDataEvent - [test_user_5] warn |
SCAN_FILE |
DATA_EXFILTRATION |
sensitiveDataTransferEvent |
SCAN_FILE |
DATA_EXFILTRATION |
Unsafe site visit - UNSAFE_SITE_VISIT_SSL_ERROR |
USER_RESOURCE_ACCESS |
NETWORK_SUSPICIOUS |
UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_MALWARE |
USER_RESOURCE_ACCESS |
SOFTWARE_MALICIOUS |
UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_UNWANTED_SOFTWARE |
USER_RESOURCE_ACCESS |
SOFTWARE_SUSPICIOUS |
UNSAFE_SITE_VISIT - EVENT_REASON_UNSPECIFIED |
USER_RESOURCE_ACCESS |
|
UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_SOCIAL_ENGINEERING |
USER_RESOURCE_ACCESS |
SOCIAL_ENGINEERING |
UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_SSL_ERROR |
USER_RESOURCE_ACCESS |
NETWORK_SUSPICIOUS |
unscannedFileEvent - FILE_PASSWORD_PROTECTED |
SCAN_FILE |
|
unscannedFileEvent - FILE_TOO_LARGE |
SCAN_FILE |
|
urlFilteringInterstitialEvent |
USER_RESOURCE_ACCESS |
POLICY_VIOLATION |
extensionTelemetryEvent |
If the telemetry_event_signals.signal_name log field value is equal to the COOKIES_GET_ALL_INFO, COOKIES_GET_INFO, TABS_API_INFO, then the event_type set to USER_RESOURCE_ACCESS.Else, if the telemetry_event_signals.signal_name log field value is equal to REMOTE_HOST_CONTACTED_INFO, then if the telemetry_event_signals.connection_protocol log field value is equal to HTTP_HTTPS, then the event_type is set to NETWORK_HTTP.Else, the event_type UDM field is set to NETWORK_UNCATEGORIZED. |
If the telemetry_event_signals.signal_name log field value is equal to REMOTE_HOST_CONTACTED_INFO, then the security category is set to NETWORK_SUSPICIOUS.Else, if the telemetry_event_signals.signal_name log field value contain one of the following values, then the security category UDM field is set to SOFTWARE_SUSPICIOUS.
|
欄位對應參考資料:CHROME_MANAGEMENT
下表列出 CHROME_MANAGEMENT 記錄類型的記錄欄位,以及對應的 UDM 欄位。
| Log field | UDM mapping | Logic |
|---|---|---|
id.customerId |
about.resource.product_object_id |
|
event_detail |
metadata.description |
|
time |
metadata.event_timestamp |
|
events.parameters.name [TIMESTAMP] |
metadata.event_timestamp |
|
event |
metadata.product_event_type |
|
events.name |
metadata.product_event_type |
|
id.uniqueQualifier |
metadata.product_log_id |
|
|
metadata.product_name |
The metadata.product_name UDM field is set to Chrome Management. |
id.applicationName |
|
|
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to GOOGLE. |
user_agent |
network.http.user_agent |
|
userAgent |
network.http.user_agent |
|
events.parameters.name [USER_AGENT] |
network.http.user_agent |
|
events.parameters.name [SESSION_ID] |
network.session_id |
|
client_type |
principal.application |
|
clientType |
principal.application |
|
events.parameters.name [CLIENT_TYPE] |
principal.application |
|
device_id |
principal.asset.product_object_id |
|
deviceId |
principal.asset.product_object_id |
|
events.parameters.name [DEVICE_ID] |
principal.asset.product_object_id |
|
device_name |
principal.hostname |
|
deviceName |
principal.hostname |
|
events.parameters.name [DEVICE_NAME] |
principal.hostname |
|
os_platform |
principal.platform |
The principal.platform UDM field is set to one of the following values:
Else, if the os_platform log field value is not empty and osVersion log field value is not empty, then the os_platform osVersion log field is mapped to the principal.platform_version UDM field. |
os_platform |
principal.asset.platform_software.platform |
The principal.asset.platform_software.platform UDM field is set to one of the following values:
|
os_platform |
principal.asset.platform_software.platform |
The principal.asset.platform_software.platform UDM field is set to one of the following values:
|
osPlatform |
principal.platform |
The principal.platform UDM field is set to one of the following values:
Else, if the osPlatform log field value is not empty and osVersion log field value is not empty, then the osPlatform osVersion log field is mapped to the principal.platform_version UDM field. |
osPlatform |
principal.asset.platform_software.platform |
The principal.asset.platform_software.platform UDM field is set to one of the following values:
|
events.parameters.name [DEVICE_PLATFORM] |
principal.platform |
The os_platform and os_version is extracted from the events.parameters.name [DEVICE_PLATFORM] log field using Grok pattern.The principal.platform UDM field is set to one of the following values:
Else, if the os_platform log field value is not empty and osVersion log field value is not empty, then the os_platform osVersion log field is mapped to the principal.platform_version UDM field. |
events.parameters.name [DEVICE_PLATFORM] |
principal.asset.platform_software.platform |
The os_platform is extracted from the events.parameters.name [DEVICE_PLATFORM] log field using Grok pattern.The principal.asset.platform_software.platform UDM field is set to one of the following values:
|
os_version |
principal.platform_version |
|
osVersion |
principal.platform_version |
|
events.parameters.name [DEVICE_PLATFORM] |
principal.platform_version |
The Version is extracted from the events.parameters.name [DEVICE_PLATFORM] log field using Grok pattern. |
device_id |
principal.resource.id |
|
deviceId |
principal.resource.id |
|
events.parameters.name [DEVICE_ID] |
principal.resource.id |
|
directory_device_id |
principal.resource.product_object_id |
|
events.parameters.name [DIRECTORY_DEVICE_ID] |
principal.resource.product_object_id |
|
|
principal.resource.resource_subtype |
If the event log field value is equal to CHROMEOS_PERIPHERAL_STATUS_UPDATED, then the principal.resource.resource_subtype UDM field is set to USB.Else, if the events.name log field value is equal to CHROMEOS_PERIPHERAL_STATUS_UPDATED, then the principal.resource.resource_subtype UDM field is set to USB. |
|
principal.resource.resource_type |
If the device_id log field value is not empty, then the principal.resource.resource_type UDM field is set to DEVICE. |
actor.email |
principal.user.email_addresses |
|
actor.profileId |
principal.user.userid |
|
result |
security_result.action_details |
|
events.parameters.name [EVENT_RESULT] |
security_result.action_details |
|
event_result |
security_result.action_details |
|
|
security_result.action |
The security_result.action UDM field is set to one of the following values:
|
reason |
security_result.category_details |
|
events.parameters.name [EVENT_REASON] |
security_result.category_details |
|
events.parameters.name [EVENT_REASON] |
security_result.summary |
|
events.parameters.name [LOGIN_FAILURE_REASON] |
security_result.description |
|
events.parameters.name [REMOVE_USER_REASON] |
security_result.description |
If the events.name log field value is equal to CHROME_OS_REMOVE_USER, then the events.parameters.name REMOVE_USER_REASON log field value is mapped to the security_result.description UDM field. |
triggered_rules |
security_result.rule_name |
|
events.type |
security_result.category_details |
|
events.parameters.name [PRODUCT_NAME] |
target.application |
If the events.name log field value contains one of the following values, then the events.parameters.name [PRODUCT_NAME] log field is mapped to the target.resource.name UDM field:
|
content_name |
target.file.full_path |
|
contentName |
target.file.full_path |
|
events.parameters.name [CONTENT_NAME] |
target.file.full_path |
|
content_type |
target.file.mime_type |
|
contentType |
target.file.mime_type |
|
events.parameters.name [CONTENT_TYPE] |
target.file.mime_type |
|
content_hash |
target.file.sha256 |
|
events.parameters.name [CONTENT_HASH] |
target.file.sha256 |
|
content_size |
target.file.size |
|
contentSize |
target.file.size |
|
events.parameters.name [CONTENT_SIZE] |
target.file.size |
|
|
target.file.file_type |
The fileType is extracted from the content_name log field using Grok pattern, Then target.file.file_type UDM field is set to one of the following values:
|
extension_id |
target.resource.product_object_id |
|
events.parameters.name [APP_ID] |
target.resource.product_object_id |
|
extension_name |
target.resource.name |
If the event log field value is equal to badNavigationEvent or the events.name log field value is equal to badNavigationEvent, then the extension_name log field is mapped to the target.resource.name UDM field. |
telemetry_event_signals.signal_name |
target.resource.name |
If the event log field value is equal to extensionTelemetryEvent, then the telemetry_event_signals.signal_name log field is mapped to the target.resource.name UDM field. |
events.parameters.name [APP_NAME] |
target.resource.name |
|
url |
target.url |
|
events.parameters.name [URL] |
target.url |
|
telemetry_event_signals.url |
target.url |
If the telemetry_event_signals.url log field value matches the regular expression pattern the [http:\/\/ or https:\/\/].*, then the telemetry_event_signals.url log field is mapped to the target.url UDM field. |
device_user |
target.user.userid |
|
deviceUser |
principal.user.userid |
If the event log field value is equal to passwordChangedEvent, then the deviceUser log field is mapped to the principal.user.userid UDM field.Else, the deviceUser log field is mapped to the principal.user.user_display_name UDM field. |
events.parameters.name [DEVICE_USER] |
If the event log field value is equal to passwordChangedEvent, then the events.parameters.name [DEVICE_USER] log field is mapped to the principal.user.userid UDM field.Else, the events.parameters.name [DEVICE_USER] log field is mapped to the principal.user.user_display_name UDM field. |
|
scan_id |
about.labels [scan_id] |
|
events.parameters.name [CONNECTION_TYPE] |
about.labels [connection_type] |
|
etag |
about.labels [etag] |
|
kind |
about.labels [kind] |
|
actor.key |
principal.user.attribute.labels [actor_key] |
|
actor.callerType |
principal.user.attribute.labels [actor_callerType] |
|
events.parameters.name [EVIDENCE_LOCKER_FILEPATH] |
security_result.about.labels [evidence_locker_filepath] |
|
federated_origin |
security_result.about.labels [federated_origin] |
|
is_federated |
security_result.about.labels [is_federated] |
|
destination |
security_result.about.labels [trigger_destination] |
|
events.parameters.name [TRIGGER_DESTINATION] |
security_result.about.labels [trigger_destination] |
|
source |
security_result.about.labels [trigger_source] |
|
events.parameters.name [TRIGGER_SOURCE] |
security_result.about.labels [trigger_source] |
|
trigger_type |
security_result.about.labels [trigger_type] |
|
trigger_type |
additional.fields [trigger_type] |
|
triggerType |
security_result.about.labels [trigger_type] |
|
triggerType |
additional.fields [trigger_type] |
|
events.parameters.name [TRIGGER_TYPE] |
security_result.about.labels [trigger_type] |
|
trigger_user |
security_result.about.labels [trigger_user] |
|
events.parameters.name [TRIGGER_USER] |
security_result.about.labels [trigger_user] |
|
events.parameters.name [MALWARE_CATEGORY] |
security_result.threat_name |
|
events.parameters.name [MALWARE_FAMILY] |
security_result.detection_fields [malware_family] |
|
events.parameters.name [VENDOR_ID] |
src.labels [vendor_id] |
|
events.parameters.name [VENDOR_NAME] |
src.labels [vendor_name] |
|
events.parameters.name [VIRTUAL_DEVICE_ID] |
src.labels [virtual_device_id] |
|
events.parameters.name [VIRTUAL_DEVICE_ID] |
additional.fields [virtual_device_id] |
|
events.parameters.name [NEW_BOOT_MODE] |
target.asset.attribute.labels [new_boot_mode] |
|
events.parameters.name [PREVIOUS_BOOT_MODE] |
target.asset.attribute.labels [previous_boot_mode] |
|
id.time |
target.asset.attribute.labels [timestamp] |
|
events.parameters.name [PRODUCT_ID] |
target.labels [product_id] |
If the events.name log field value contains one of the following values, then the events.parameters.name [PRODUCT_ID] log field is mapped to the target.resource.product_object_id UDM field:
Else, the events.parameters.name [PRODUCT_ID] log field is mapped to the target.labels UDM field. |
|
extensions.auth.mechanism |
If the events.name log field value contains one of the following values, then the extensions.auth.mechanism UDM field is set to USERNAME_PASSWORD:
|
events.parameters.name [UNLOCK_TYPE] |
target.labels [unlock_type] |
|
extension_description |
target.resource.attribute.labels [extension_description] |
|
extension_action |
target.resource.attribute.labels [extension_action] |
|
extension_version |
target.resource.attribute.labels [extension_version] |
If the event log field value is not equal to extensionTelemetryEvent, then the extension_version log field is mapped to the target.resource.attribute.labels[extension_version] UDM field. |
extension_source |
target.resource.attribute.labels[extension_source] |
If the event log field value is not equal to extensionTelemetryEvent, then the extension_source log field is mapped to the target.resource.attribute.labels[extension_source] UDM field. |
browser_version |
target.resource.attributes.labels [browser_version] |
|
browserVersion |
target.resource.attributes.labels [browser_version] |
|
events.parameters.name [BROWSER_VERSION] |
target.resource.attributes.labels [browser_version] |
|
profile_user |
target.user.email_addresses |
If the event log field value contain one of the following values and the profile_user log field value matches the regular expression pattern ^.+@.+$, then the profile_user log field is mapped to the target.user.email_addresses UDM field.
|
profile_user |
principal.user.email_addresses |
If the event log field value does not contain one of the following values and the profile_user log field value matches the regular expression pattern ^.+@.+$ and the actor.email log field value is not equal to the profile_user, then the profile_user log field is mapped to the principal.user.email_addresses UDM field.
|
profile_user |
target.user.attribute.labels[profile_user_name] |
If the event log field value contain one of the following values and the profile_user log field value does not match the regular expression pattern ^.+@.+$, then the profile_user log field is mapped to the target.user.attribute.labels.profile_user_name UDM field.
|
profile_user |
principal.user.attribute.labels[profile_user_name] |
If the event log field value does not contain one of the following values and the profile_user log field value does not match the regular expression pattern ^.+@.+$ or the actor.email log field value is equal to the profile_user, then the profile_user log field is mapped to the principal.user.attribute.labels.profile_user_name UDM field.
|
events.parameters.name [PROFILE_USER_NAME] |
target.user.email_addresses |
If the event log field value contain one of the following values and the events.parameters.name [PROFILE_USER_NAME] log field value matches the regular expression pattern ^.+@.+$, then the events.parameters.name [PROFILE_USER_NAME] log field is mapped to the target.user.email_addresses UDM field.
|
events.parameters.name [PROFILE_USER_NAME] |
principal.user.email_addresses |
If the event log field value does not contain one of the following values and the events.parameters.name [PROFILE_USER_NAME] log field value matches the regular expression pattern ^.+@.+$ and the actor.email log field value is not equal to the events.parameters.name [PROFILE_USER_NAME], then the events.parameters.name [PROFILE_USER_NAME] log field is mapped to the principal.user.email_addresses UDM field.
|
events.parameters.name [PROFILE_USER_NAME] |
target.user.attribute.labels[profile_user_name] |
If the event log field value contain one of the following values and the events.parameters.name [PROFILE_USER_NAME] log field value does not match the regular expression pattern ^.+@.+$, then the events.parameters.name [PROFILE_USER_NAME] log field is mapped to the target.user.attribute.labels.profile_user_name UDM field.
|
events.parameters.name [PROFILE_USER_NAME] |
principal.user.attribute.labels[profile_user_name] |
If the event log field value does not contain one of the following values and the events.parameters.name [PROFILE_USER_NAME] log field value does not match the regular expression pattern ^.+@.+$ or the actor.email log field value is equal to the events.parameters.name [PROFILE_USER_NAME], then the events.parameters.name [PROFILE_USER_NAME] log field is mapped to the principal.user.attribute.labels.profile_user_name UDM field.
|
|
target.resource.resource_type |
If the events.name log field value is equal to DEVICE_BOOT_STATE_CHANGE, then the target.resource.resource_type UDM field is set to SETTING. |
url_category |
target.labels [url_category] |
|
browser_channel |
target.resource.attribute.labels [browser_channel] |
|
report_id |
target.labels [report_id] |
|
clickedThrough |
target.labels [clickedThrough] |
|
threat_type |
security_result.detection_fields [threatType] |
|
triggered_rule_info.action |
security_result.action |
If the triggered_rule_info.action log field value contains one of the following values, then the triggered_rule_info.action log field is mapped to the security_result.action UDM field:
Else, the triggered_rule_info.action log field is mapped to the security_result.rule_labels [triggeredRuleInfo_action] UDM field. |
triggered_rule_info.rule_id |
security_result.rule_id |
|
triggered_rule_info.rule_name |
security_result.rule_name |
|
triggered_rule_info.url_category |
security_result.category_details |
|
transfer_method |
additional.fields [transfer_method] |
|
extension_name |
target.resource_ancestors.name |
If the event log field value is equal to extensionTelemetryEvent, then the extension_name log field is mapped to the target.resource_ancestors.name UDM field. |
extension_id |
target.resource_ancestors.product_object_id |
If the event log field value is equal to extensionTelemetryEvent, then the extension_id log field is mapped to the target.resource_ancestors.product_object_id UDM field. |
extension_version |
target.resource_ancestors.attribute.labels[extension_version] |
If the event log field value is equal to extensionTelemetryEvent, then the extension_version log field is mapped to the target.resource_ancestors.attribute.labels[extension_version] UDM field. |
extension_source |
target.resource_ancestors.attribute.labels[extension_source] |
If the event log field value is equal to extensionTelemetryEvent, then the extension_source log field is mapped to the target.resource_ancestors.attribute.labels[extension_source] UDM field. |
profile_identifier |
additional.fields[profile_identifier] |
|
extension_files_info.file_name |
target.resource_ancestors.file.names |
|
extension_files_info.file_hash.hash |
target.resource_ancestors.attribute.labels[file_hash] |
|
telemetry_event_signals.count |
target.resource.attribute.labels[count] |
|
telemetry_event_signals.tabs_api_method |
target.resource.attribute.labels[tabs_api_method] |
|
|
target.hostname |
If the telemetry_event_signals.url log field value does not match the regular expression pattern the [http:\/\/ or https:\/\/].*, then the telemetry_event_signals.url log field is mapped to the target.hostname UDM field. |
telemetry_event_signals.destination |
target.resource.attribute.labels[destination] |
|
telemetry_event_signals.source |
target.resource.attribute.labels[source] |
|
telemetry_event_signals.domain |
target.domain.name |
|
telemetry_event_signals.cookie_name |
target.resource.attribute.labels[cookie_name] |
|
telemetry_event_signals.cookie_path |
target.resource.attribute.labels[cookie_path] |
|
telemetry_event_signals.cookie_is_secure |
target.resource.attribute.labels[cookie_is_secure] |
|
telemetry_event_signals.cookie_store_id |
target.resource.attribute.labels[cookie_store_id] |
|
telemetry_event_signals.cookie_is_session |
target.resource.attribute.labels[cookie_is_session] |
|
telemetry_event_signals.connection_protocol |
network.application_protocol |
If the telemetry_event_signals.connection_protocol log field value is equal to HTTP_HTTPS, then the network.application_protocol UDM field is set to HTTP Else, If the telemetry_event_signals.connection_protocol log field value is equal to UNSPECIFIED, then the network.application_protocol UDM field is set to UNKNOWN_APPLICATION_PROTOCOLElse, the telemetry_event_signals.connection_protocol log field is mapped to the target.resource.attribute.labels UDM field. |
telemetry_event_signals.contacted_by |
target.resource.attribute.labels[contacted_by] |
|
local_ips |
principal.ip |
If the event log field value is equal to extensionTelemetryEvent, then the local_ips log field is mapped to the principal.ip UDM field. |
remote_ip |
target.ip |
If the event log field value is equal to extensionTelemetryEvent, then the remote_ip log field is mapped to the target.ip UDM field. |
device_fqdn |
principal.asset.attribute.labels |
If the event log field value is equal to extensionTelemetryEvent, then the device_fqdn log field is mapped to the principal.asset.attribute.labels UDM field. |
network_name |
principal.network.carrier_name |
If the event log field value is equal to extensionTelemetryEvent, then the network_name log field is mapped to the principal.network.carrier_name UDM field. |
web_app_signed_in_account |
target.user.email_addresses |
If the event log field value contains one of the following values, then the web_app_signed_in_account log field is mapped to the target.user.email_addresses UDM field:
|
欄位對應參考資料 (預先發布版)
所有欄位都適用於 Chrome Enterprise 基本版和 Chrome Enterprise 進階版客戶。僅適用於 Chrome Enterprise 進階版客戶的欄位會標示為「[CEP Only]」。
欄位對應參考資料:CHROME_MANAGEMENT (預覽版)
下表列出 CHROME_MANAGEMENT 記錄類型的記錄欄位,以及對應的 UDM 欄位。
| Log field | UDM mapping | Logic |
|---|---|---|
pehash_sha256 |
about.file.sha256 |
[CEP Only] The SHA256 file hash (pehash_sha256) reported from a dangerousDownloadEvent
or contentTransferEvent. |
device_fqdn |
principal.asset.attribute.labels |
[CEP Only] The device's fully qualified domain name reported in a urlNavigationEvent,
suspiciousUrlEvent, or urlFilteringInterstitialEvent. Not reported for unmanaged devices
with managed user profiles. |
network_name |
principal.network.carrier_name |
[CEP Only] The network name (SSID) the device is connected to reported in a
urlNavigationEvent, suspiciousUrlEvent, or urlFilteringInterstitialEvent.
|
content_risk.threat_type |
security_result.threat_name |
[CEP Only] The threat type of the content reported in a dangerousDownloadEvent or
contentTransferEvent. |
content_risk_level, content_risk.risk_level |
security_result.severity |
[CEP Only] The content risk level reported by Safe Browsing in a dangerousDownloadEvent or
contentTransferEvent. |
content_risk.risk_reasons |
security_result.rule_label |
[CEP Only] The content risk reason reported by Safe Browsing in a dangerousDownloadEvent or
contentTransferEvent. |
content_risk.risk_indicators |
security_result.detection_fields[content_risk_indicators] |
[CEP Only] The list of indicators from the Safe Browsing risk level in a dangerousDownloadEvent or
contentTransferEvent. |
content_risk.risk_source |
security_result.detection_fields[content_risk_source] |
[CEP Only] The risk source of the content reported by Safe Browsing in a dangerousDownloadEvent or
contentTransferEvent. |
is_encrypted |
additional.fields[is_encrypted] |
[CEP Only] Set to true if the content is encrypted in dangerousDownloadEvent or
contentTransferEvent. |
server_scan_status |
additional.fields[server_scan_status] |
[CEP Only] The status of whether the content in dangerousDownloadEvent or
contentTransferEvent was successfully scanned by Safe Browsing. |
url_info.url |
principal.url |
[CEP Only] The URL of dangerousDownloadEvent, contentTransferEvent,
urlNavigationEvent, suspiciousUrlEvent, or urlFilteringInterstitialEvent.
|
url_info.ip |
principal.ip |
[CEP Only] The IP address of dangerousDownloadEvent, contentTransferEvent,
urlNavigationEvent, suspiciousUrlEvent, or urlFilteringInterstitialEvent.
|
url_info.type |
principal.security_result.detection_fields[url_info_type] |
[CEP Only] The URL type (download, tab, or redirect) of dangerousDownloadEvent,
contentTransferEvent, urlNavigationEvent, suspiciousUrlEvent, or
urlFilteringInterstitialEvent. |
url_info.risk_level |
principal.security_result.severity |
[CEP Only] The risk level of the URL reported by Safe Browsing. |
url_info.risk_infos.risk_level |
principal.security_result.severity |
[CEP Only] Additional risk information reported by Safe Browsing. |
url_info.navigation_initiator.initiator_type |
principal.security_result.detection_fields[url_info_initiator_type] |
[CEP Only] This maps the url_info_initiator_type in a dangerousDownloadEvent or
contentTransferEvent. In a urlNavigationEvent, suspiciousUrlEvent, or
urlFilteringInterstitialEvent this maps the url_navigation_initiator. |
url_info.navigation_initiator.entity |
principal.security_result.detection_fields[url_info_entity] |
[CEP Only] This maps the url_info_entity in a dangerousDownloadEvent or
contentTransferEvent. In a urlNavigationEvent, suspiciousUrlEvent, or
urlFilteringInterstitialEvent this maps the url_infos_navigation_entity. |
url_info.request_http_method |
principal.security_result.detection_fields[url_info_request_http_method] |
[CEP Only] The HTTP method used to contact the URL. |
url_info.url_categories |
principal.url_metadata.categories |
[CEP Only] The URL category reported by Safe Browsing of urlNavigationEvent or
suspiciousUrlEvent. |
url_info.risk_infos.risk_indicators |
principal.security_result.detection_fields[url_info_risk_infos_risk_indicators_key] |
[CEP Only] The URL risk indicators reported by Safe Browsing of urlNavigationEvent or
suspiciousUrlEvent. |
url_info.risk_infos.risk_reasons |
principal.security_result.rule_label[risk_reason] |
[CEP Only] The Safe Browsing reason for the URL risk classification of urlNavigationEvent or
suspiciousUrlEvent. |
url_info.risk_infos.risk_source |
principal.security_result.detection_fields[content_risk_source] |
[CEP Only] The risk source determination reported by Safe Browsing. This includes URL and file reputation
and content scanning results for urlNavigationEvent, suspiciousUrlEvent, or
urlFilteringInterstitialEvent. |
url_info.risk_infos.threat_type |
security_result.threat_name |
[CEP Only] The threat type reported by Safe Browsing of the URL for urlNavigationEvent,
suspiciousUrlEvent, or urlFilteringInterstitialEvent. |
tab_url_info.url, tab_url, referrers.url |
about.url |
[CEP Only] Maps the tab_url_info.url of dangerousDownloadEvent or
contentTransferEvent. Maps the referrers.url of a urlNavigationEvent, or
suspiciousUrlEvent. |
tab_url_info.ip, referrers.ip |
about.ip |
[CEP Only] Maps the tab_url_info_ip IP address associated with dangerousDownloadEvent
or contentTransferEvent. Maps the IP address of referrers.ip
in urlNavigationEvent or suspiciousUrlEvent. |
remote_ip |
target.ip |
[CEP Only] If the event log field value contains one of the following values, then the remote_ip log field is mapped to the target.ip UDM field:
|
tab_url_info.type |
about.security_result.detection_fields[tab_url_info_type] |
[CEP Only] The URL tab type for dangerousDownloadEvent or contentTransferEvent.
|
tab_url_info.risk_level |
about.security_result.severity |
[CEP Only] The Safe Browsing risk level associated with the URL from a tab event for
dangerousDownloadEvent or contentTransferEvent. |
tab_url_info.navigation_initiator.initiator_type |
about.security_result.detection_fields[tab_url_info_initiator_type] |
[CEP Only] The initiator type of the tab event for dangerousDownloadEvent or
contentTransferEvent. |
tab_url_info.navigation_initiator.entity |
about.security_result.detection_fields[tab_url_info_entity] |
[CEP Only] The tab_url_info_entity for dangerousDownloadEvent or
contentTransferEvent. |
tab_url_info.request_http_method |
about.security_result.detection_fields[tab_url_info_request_http_method] |
[CEP Only] The HTTP method a tab used to contact the URL of dangerousDownloadEvent or
contentTransferEvent. |
referrers.navigation_initiator.entity |
about.security_result.detection_fields[referrers_navigation_initiator_entity] |
[CEP Only] The referrer entity name that initiated the navigation event for
urlNavigationEvent or suspiciousUrlEvent. |
referrers.navigation_initiator.initiator_type |
about.security_result.detection_fields[referrers_navigation_initiator_initiator_type] |
[CEP Only] The referrer type that initiated urlNavigationEvent or
suspiciousUrlEvent. |
referrers.request_http_method |
about.security_result.detection_fields[referrers_request_http_method] |
[CEP Only] The HTTP method of urlNavigationEvent or suspiciousUrlEvent. |
referrers.risk_infos.risk_categories |
about.security_result.detection_fields[referrers_risk_infos_risk_categories] |
[CEP Only] The URL category of the referrer, as provided by the Safe Browsing service, associated with urlNavigationEvent or suspiciousUrlEvent. |
referrers.risk_infos.risk_level, referrers.risk_level |
about.security_result.severity |
[CEP Only] Maps the risk level provided by Safe Browsing referrers.risk_level for a
urlNavigationEvent or suspiciousUrlEvent or
referrers.risk_infos.risk_level for urlNavigationEvent or
suspiciousUrlEvent. |
referrers.type |
about.security_result.detection_fields[referrers_type] |
[CEP Only] The URL type provided by Safe Browsing of the referrer URL of urlNavigationEvent or
suspiciousUrlEvent. |
referrers.risk_infos.risk_source |
about.security_result.detection_fields[referrers_risk_source] |
[CEP Only] The risk source provided by Safe Browsing for the referrer URL of urlNavigationEvent or
suspiciousUrlEvent. |
referrers.risk_infos.threat_type |
about.security_result.threat_name |
[CEP Only] The threat type provided by Safe Browsing for the referrer URL of urlNavigationEvent or
suspiciousUrlEvent. |
referrers.url_categories |
about.url_metadata.categories |
[CEP Only] The URL category provided by Safe Browsing for the referrer URL of urlNavigationEvent or
suspiciousUrlEvent. |
還有其他問題嗎?向社群成員和 Google SecOps 專業人員尋求答案。