Se usó la API de Cloud Translation para traducir esta página.

Recopila datos de Chrome Enterprise

Se admite en los siguientes sistemas operativos:

Google SecOps SIEM

En este documento, se describe cómo recopilar registros de Google Chrome en Google SecOps con el conector de informes empresariales. Detalla el proceso de transferencia de datos para las implementaciones de Google Chrome Enterprise Core y Chrome Enterprise Premium, y señala que algunos datos de registro avanzados requieren una licencia de Chrome Enterprise Premium.

Implementación típica

Una implementación típica consta de una combinación de los siguientes componentes:

Chrome: Son los eventos de administración del navegador Chrome y ChromeOS que deseas recopilar.
ChromeOS: Puedes configurar los dispositivos ChromeOS administrados para que envíen registros a Google SecOps. Los dispositivos ChromeOS son opcionales.
Conector de informes de Chrome Enterprise: El conector de informes de Chrome Enterprise reenvía los registros de Chrome a Google SecOps.
Google SecOps: Conserva y analiza los registros de Chrome.

Antes de comenzar

Una cuenta de administrador de Google Workspace
Google Chrome 137 o versiones posteriores Las versiones anteriores no proporcionan datos completos de la URL de referencia.
Licencias de Chrome Enterprise Premium para funciones avanzadas
Opcional: Es un token de transferencia de Google SecOps. Si usas esta opción, también necesitas tu Customer ID de Google Workspace de la Consola del administrador de Google Workspace.
Opcional: Una clave de la API de Ingestión de Chronicle proporcionada por tu representante de Google SecOps.

Configura la Administración en la nube para el navegador Chrome

Inscribe los dispositivos objetivo para habilitar la administración en la nube de los navegadores Chrome. Para obtener más detalles, consulta Cómo inscribir navegadores Chrome administrados en la nube.
Opcional: Configura el Evidence Locker para investigar archivos sospechosos. (Solo para Chrome Enterprise Premium)
Opcional: Si usas Identity-Aware Proxy, sigue los pasos que se indican en Recopila datos de Chrome Enterprise Premium que tengan en cuenta el acceso contextual para integrar estos datos en Google SecOps.

Conecta los datos de Chrome a tu instancia de Google SecOps

Configura el analizador de Chrome Management y el conector de informes de Chrome Enterprise.

Configura el analizador de la Administración de Chrome

Es posible que debas actualizar a una nueva versión del analizador de Chrome Management para admitir los registros recientes de Chrome.

En tu instancia de Google SecOps, ve a Menú > Configuración > Analizadores.
Busca la entrada precompilada de Chrome Management y verifica que estés usando una fecha de versión 2025-08-14 o posterior. Para ello, aplica las actualizaciones pendientes.

Configura Chrome Enterprise Premium

En esta sección, se describe cómo configurar el registro para Chrome Enterprise Premium.

Puedes configurar el reenvío de registros para Chrome Enterprise Premium, que incluye contexto de la Navegación segura. El conector de informes de Chrome Enterprise para Chrome Enterprise Premium puede configurar y, de manera opcional, reenviar los siguientes tipos de registros:

Fallas del navegador
Transferencias de contenido
Controles de acceso a los datos
Instalaciones de extensiones
Telemetría de extensiones
Actividad de acceso de Google
Transferencia de software malicioso
Violación de la seguridad de la contraseña
Se cambió la contraseña
Reutilización de las contraseñas
Transferencia de datos sensibles
URL sospechosa
Visitas a sitios no seguros
Intersticial de filtrado de URLs
Navegaciones a URLs

Configura los datos de Chrome Enterprise Premium para la exportación

Para configurar el conector de informes de Chrome Enterprise para el registro de Chrome Enterprise Premium con la configuración de seguridad recomendada, haz lo siguiente:

En la Consola del administrador de Google, ve a Menú > Navegador Chrome > Conectores.
En el banner Presentamos Google SecOps para Chrome Enterprise Data, haz clic en Ver detalles y habilitar.
En la página Habilita Google SecOps para Chrome Enterprise Premium, ingresa un Nombre de configuración.
Selecciona una opción de reenvío, como se describe en Configura el conector de informes de Chrome Enterprise.

Configura el conector de informes de Chrome Enterprise

El conector de informes de Chrome Enterprise envía datos de registro a Google SecOps tanto para Chrome Enterprise Premium como para Chrome Enterprise Core.

Configura el conector de informes de Chrome Enterprise para enviar datos de Chrome a Google SecOps con una de las siguientes opciones:

Si ya configuraste los registros de auditoría de Google Cloud para que se reenvíen a un equipo de SecOps de Google, es posible que tengas la opción de enviar registros de Chrome Enterprise Premium. Para obtener más información, consulta
Cómo configurar el reenvío de Chrome a una instancia de SecOps de Google en la misma organización.
Puedes usar un código de token temporal generado a partir de Google SecOps para configurar el reenvío a una instancia de Chrome Enterprise Premium. Para obtener más información, consulta
Cómo configurar el reenvío de Chrome a Google SecOps con un token de integración.
Como alternativa, puedes usar una clave de API de Chronicle Ingestion. Para obtener más información, consulta
Cómo configurar el reenvío de Chrome a Google SecOps con la API de Chronicle Ingestion.

Configura el reenvío de Chrome a una instancia de Google SecOps en la misma organización

Es posible que tengas la opción de seleccionar una instancia existente de Google SecOps en la configuración del conector si se cumplen todos los siguientes requisitos previos:

La instancia de Google SecOps está conectada a un proyecto Google Cloud .
El proyecto Google Cloud pertenece a la misma organización que la cuenta de Google Workspace que administra tu suscripción a Chrome Enterprise Premium.
Anteriormente, configuraste una integración de los registros de auditoría de Cloud desde esa organización a Google SecOps.

Si se cumplen estos requisitos previos, la instancia de Google SecOps debería aparecer en la lista de selección en Usar la instancia en la cuenta de GCP asociada.

Para configurar el reenvío de Chrome a una instancia de Google SecOps en la misma organización, haz lo siguiente:

Escribe un nombre para la configuración.
En la opción Usar la instancia en la cuenta de GCP asociada, selecciona la instancia de Google SecOps.
Selecciona los tipos de registros que se reenviarán en Configuración de exportación de registros.
Haz clic en Test Connection.
Haz clic en Habilitar después de probar la conexión correctamente.
Haz clic en Listo cuando se complete la configuración.

Configura el reenvío de Chrome a Google SecOps con un token de integración

Si la instancia de Google SecOps de destino no aparece en la lista de selección o necesitas reenviar los registros de Chrome a una instancia de Google SecOps en un Google Clouddiferente, haz lo siguiente:

Proporciona tu ID de cliente de Google Workspace al administrador de Google SecOps de la instancia de destino y pídele que obtenga el ID y el token de tu instancia de Google SecOps. Este token es válido durante 24 horas.
Escribe un nombre para la configuración.
Selecciona Usar la instancia fuera de tu organización.
Ingresa el código de token que te proporcionó el administrador de Operaciones de seguridad de Google.
Selecciona los tipos de registros que se reenviarán en Configuración de exportación de registros.
Haz clic en Test Connection.
Haz clic en Habilitar después de probar la conexión correctamente.
Haz clic en Listo cuando se complete la configuración.

Configura el reenvío de Chrome a Google SecOps con la API de Chronicle Ingestion

Puedes configurar el conector de informes de Google Chrome con una clave de la API de Ingestion de Chronicle. Solo debes usar este método si no hay otro método de integración disponible.

En la Consola del administrador, ve a Menú > Dispositivos > Chrome > Conectores.
Haz clic en + Configuración de proveedor nuevo.
En el panel lateral, busca la configuración de Google SecOps y haz clic en Configurar.
Ingresa el ID de configuración, la clave de API y el nombre de host:
- ID de configuración: El ID se muestra en la página Configuración de usuarios y navegadores y en la página Conectores.
- Clave de API: Es la clave de API que se especifica cuando se llama a la API de transferencia de datos de Chronicle para identificar al cliente.
- Nombre de host: extremo de API de Ingestion. Para los clientes de EE.UU., debe ser malachiteingestion-pa.googleapis.com. Para otras regiones, consulta la documentación de extremos regionales.
Haz clic en Agregar configuración para agregar la nueva configuración del proveedor.

Recopila datos de Chrome Enterprise Premium que tengan en cuenta el acceso al contexto

Configura feeds para transferir contenido de Chrome Enterprise Premium específico de Identity-Aware Proxy (IAP) y datos de acceso adaptado al contexto.

¿Quién debe habilitar la API de Identity-Aware Proxy?

Los clientes de Chrome Enterprise Premium que usan datos de Identity-Aware Proxy (IAP) deben habilitarlo.
Para los clientes de Chrome Enterprise Premium que no usan datos de Identity-Aware Proxy, habilitar la API de Identity-Aware Proxy es opcional (pero se recomienda). Si lo haces, se agregarán campos de datos de acceso adicionales que tienen en cuenta el contexto a tus datos de registro.

Para habilitar la API de Identity-Aware Proxy, sigue los pasos que se indican en Recopila datos de acceso adaptado al contexto de Chrome Enterprise Premium.

Verifica el flujo de datos

Para verificar el flujo de datos, haz lo siguiente:

Abre tu instancia de Google SecOps.
Ve a Menú > Buscar.
Ejecuta la siguiente búsqueda para encontrar eventos sin procesar y sin analizar: metadata.log_type = "CHROME_MANAGEMENT"

Tipos de registros admitidos

Las siguientes secciones se aplican al analizador CHROME_MANAGEMENT.

Eventos de registro admitidos

Categoría de seguridad	Tipo de evento
`Audit Activity`	`CONTENT_TRANSFER` `CONTENT_UNSCANNED` `EXTENSION_REQUEST` `LOGIN_EVENT` `MALWARE_TRANSFER` `PASSWORD_BREACH` `SENSITIVE_DATA_TRANSFER` `UNSAFE_SITE_VISIT` `browserExtensionInstallEvent` `browserCrashEvent` `extensionTelemetryEvent` `loginEvent` `passwordChangedEvent`
`ChromeOS`	Error de acceso a ChromeOS `(CHROME_OS_LOGIN_FAILURE_EVENT)` Acceso correcto a ChromeOS `(CHROME_OS_LOGIN_EVENT)` Salida de ChromeOS `(CHROME_OS_LOGOUT_EVENT)` Se agregó un usuario de ChromeOS `(CHROME_OS_ADD_USER)` Se quitó el usuario de ChromeOS `(CHROME_OS_REMOVE_USER)` Se bloqueó correctamente ChromeOS `(CHROMEOS_AFFILIATED_LOCK_SUCCESS)` Se desbloqueó correctamente ChromeOS `(CHROMEOS_AFFILIATED_UNLOCK_SUCCESS)` No se pudo desbloquear ChromeOS `(CHROMEOS_AFFILIATED_UNLOCK_FAILURE)` Cambio de estado de inicio del dispositivo ChromeOS `(CHROMEOS_DEVICE_BOOT_STATE_CHANGE)` Se agregó un dispositivo USB de ChromeOS `(CHROMEOS_PERIPHERAL_ADDED)` Se quitó el dispositivo USB de ChromeOS `(CHROMEOS_PERIPHERAL_REMOVED)` Cambio de estado de USB de ChromeOS `(CHROMEOS_PERIPHERAL_STATUS_UPDATED)` Inicio del host de CRD de ChromeOS `(CHROME_OS_CRD_HOST_STARTED)` Conexión del cliente de CRD de ChromeOS `(CHROME_OS_CRD_CLIENT_CONNECTED)` Desconexión del cliente de CRD de ChromeOS `(CHROME_OS_CRD_CLIENT_DISCONNECTED)` Se detuvo el host de CRD de ChromeOS `(CHROME_OS_CRD_HOST_ENDED)`
`Credential Security`	`passwordReuseEvent` `passwordBreachEvent`
`Data Protection`	`dataAccessControlEvent` `sensitiveDataEvent` `sensitiveDataTransferEvent`
`File Transfer`	`contentTransferEvent` `dangerousDownloadEvent` `unscannedFileEvent`
`Malicious Activity`	`badNavigationEvent` `dangerousDownloadEvent` `malwareTransferEvent`
`Navigation`	`interstitialEvent` `urlFilteringInterstitialEvent` `urlNavigationEvent` `SafeBrowsingInterstitialEvent` `suspiciousUrlEvent`

Formatos de registro de Chrome admitidos

El analizador CHROME_MANAGEMENT admite registros en formato JSON.

Registro de muestra de Chrome compatible

Muestra de un registro sin procesar para la transferencia al analizador Chrome Management, en formato JSON:

JSON:

{
  "event": "badNavigationEvent",
  "time": "1622093983.104",
  "reason": "SOCIAL_ENGINEERING",
  "result": "EVENT_RESULT_WARNED",
  "device_name": "",
  "device_user": "",
  "profile_user": "sample@domain.io",
  "url": "https://test.domain.com/s/phishing.html",
  "device_id": "e9806c71-0f4e-4dfa-8c52-93c05420bb8f",
  "os_platform": "",
  "os_version": "",
  "browser_version": "109.0.5414.120",
  "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36",
  "client_type": "CHROME_BROWSER_PROFILE"
}

Referencia de la asignación de campos

Las siguientes tablas de asignación de campos son pertinentes para el analizador CHROME_MANAGEMENT (tipo de registro).

En esta sección, se explica cómo el analizador de Google SecOps asigna los campos de registro de Chrome a los campos del Modelo de datos unificado (UDM) de Google SecOps para los conjuntos de datos.

Referencia de asignación de campos: Del identificador de evento al tipo de evento

En la siguiente tabla, se enumeran los tipos de registros de CHROME_MANAGEMENT y sus tipos de eventos de UDM correspondientes.

Event Identifier	Event Type	Security Category
`badNavigationEvent - SOCIAL_ENGINEERING`	`USER_RESOURCE_ACCESS`	`SOCIAL_ENGINEERING`
`badNavigationEvent - SSL_ERROR`	`USER_RESOURCE_ACCESS`	`NETWORK_SUSPICIOUS`
`badNavigationEvent - MALWARE`	`USER_RESOURCE_ACCESS`	`SOFTWARE_MALICIOUS`
`badNavigationEvent - UNWANTED_SOFTWARE`	`USER_RESOURCE_ACCESS`	`SOFTWARE_PUA`
`badNavigationEvent - THREAT_TYPE_UNSPECIFIED`	`USER_RESOURCE_ACCESS`	`SOFTWARE_MALICIOUS`
`browserCrashEvent`	`STATUS_UPDATE`
`browserExtensionInstallEvent`	`USER_RESOURCE_UPDATE_CONTENT`
`Extension install - BROWSER_EXTENSION_INSTALL`	`USER_RESOURCE_UPDATE_CONTENT`
`EXTENSION_REQUEST`	`USER_UNCATEGORIZED`
`CHROME_OS_ADD_USER - CHROMEOS_AFFILIATED_USER_ADDED`	`USER_CREATION`
`CHROME_OS_ADD_USER - CHROMEOS_UNAFFILIATED_USER_ADDED`	`USER_CREATION`
`ChromeOS user added - CHROMEOS_UNAFFILIATED_USER_ADDED`	`USER_CREATION`
`ChromeOS user removed - CHROMEOS_UNAFFILIATED_USER_REMOVED`	`USER_DELETION`
`CHROME_OS_REMOVE_USER - CHROMEOS_AFFILIATED_USER_REMOVED`	`USER_DELETION`
`CHROME_OS_REMOVE_USER - CHROMEOS_UNAFFILIATED_USER_REMOVED`	`USER_DELETION`
`Login events`	`USER_LOGIN`
`LOGIN_EVENT - CHROMEOS_UNAFFILIATED_LOGIN`	`USER_LOGIN`
`loginEvent`	`USER_LOGIN`
`ChromeOS login success`	`USER_LOGIN`
`CHROME_OS_LOGIN_EVENT - CHROMEOS_AFFILIATED_LOGIN`	`USER_LOGIN`
`CHROME_OS_LOGIN_EVENT - CHROMEOS_UNAFFILIATED_LOGIN`	`USER_LOGIN`
`CHROME_OS_LOGIN_EVENT - CHROMEOS_GUEST_LOGIN`	`USER_LOGIN`
`CHROME_OS_LOGIN_EVENT - CHROMEOS_KIOSK_SESSION_LOGIN`	`USER_LOGIN`
`CHROME_OS_LOGIN_EVENT - CHROMEOS_GUEST_SESSION_LOGIN`	`USER_LOGIN`
`CHROME_OS_LOGIN_EVENT - CHROMEOS_MANAGED_GUEST_SESSION_LOGIN`	`USER_LOGIN`
`ChromeOS login failure - CHROMEOS_AFFILIATED_LOGIN`	`USER_LOGIN`
`CHROME_OS_LOGIN_FAILURE_EVENT - CHROMEOS_AFFILIATED_LOGIN`	`USER_LOGIN`
`CHROME_OS_LOGIN_FAILURE_EVENT - CHROMEOS_UNAFFILIATED_LOGIN`	`USER_LOGIN`
`CHROME_OS_LOGIN_LOGOUT_EVENT - CHROMEOS_AFFILIATED_LOGIN`	`USER_LOGIN`
`CHROME_OS_LOGOUT_EVENT - CHROMEOS_AFFILIATED_LOGOUT`	`USER_LOGOUT`
`CHROME_OS_LOGOUT_EVENT - CHROMEOS_GUEST_LOGOUT`	`USER_LOGOUT`
`CHROME_OS_LOGOUT_EVENT - CHROMEOS_MANAGED_GUEST_SESSION_LOGOUT`	`USER_LOGOUT`
`CHROME_OS_LOGOUT_EVENT - CHROMEOS_UNAFFILIATED_LOGOUT`	`USER_LOGOUT`
`CHROME_OS_LOGOUT_EVENT - CHROMEOS_KIOSK_SESSION_LOGOUT`	`USER_LOGOUT`
`CHROME_OS_LOGOUT_EVENT - CHROMEOS_GUEST_SESSION_LOGOUT`	`USER_LOGOUT`
`ChromeOS logout - CHROMEOS_AFFILIATED_LOGOUT`	`USER_LOGOUT`
`CHROME_OS_REPORTING_DATA_LOST`	`STATUS_UPDATE`
`ChromeOS CRD client connected - CHROMEOS_CRD_CLIENT_CONNECTED`	`USER_LOGIN`
`ChromeOS CRD client disconnected`	`USER_LOGOUT`
`CHROME_OS_CRD_HOST_STARTED - CHROMEOS_CRD_HOST_STARTED`	`STATUS_STARTUP`
`ChromeOS CRD host started - CHROMEOS_CRD_HOST_STARTED`	`STATUS_STARTUP`
`ChromeOS CRD host stopped - CHROMEOS_CRD_HOST_ENDED`	`STATUS_STARTUP`
`ChromeOS device boot state change - CHROME_OS_VERIFIED_MODE`	`SETTING_MODIFICATION`
`ChromeOS device boot state change - CHROME_OS_DEV_MODE`	`SETTING_MODIFICATION`
`DEVICE_BOOT_STATE_CHANGE - CHROME_OS_VERIFIED_MODE`	`SETTING_MODIFICATION`
`ChromeOS lock success - CHROMEOS_AFFILIATED_LOCK_SUCCESS`	`USER_LOGOUT`
`ChromeOS unlock success - CHROMEOS_AFFILIATED_UNLOCK_SUCCESS`	`USER_LOGIN`
`ChromeOS unlock failure - CHROMEOS_AFFILIATED_LOGIN`	`USER_LOGIN`
`ChromeOS USB device added - CHROMEOS_PERIPHERAL_ADDED`	`USER_RESOURCE_ACCESS`
`ChromeOS USB device removed - CHROMEOS_PERIPHERAL_REMOVED`	`USER_RESOURCE_DELETION`
`ChromeOS USB status change - CHROMEOS_PERIPHERAL_STATUS_UPDATED`	`USER_RESOURCE_UPDATE_CONTENT`
`CHROMEOS_PERIPHERAL_STATUS_UPDATED - CHROMEOS_PERIPHERAL_STATUS_UPDATED`	`USER_RESOURCE_UPDATE_CONTENT`
`Client Side Detection`	`USER_UNCATEGORIZED`
`Content transfer`	`SCAN_FILE`
`CONTENT_TRANSFER`	`SCAN_FILE`
`contentTransferEvent`	`SCAN_FILE`
`Content unscanned`	`SCAN_UNCATEGORIZED`
`CONTENT_UNSCANNED`	`SCAN_UNCATEGORIZED`
`dataAccessControlEvent`	`USER_RESOURCE_ACCESS`
`dangerousDownloadEvent - Dangerous`	`SCAN_FILE`	`SOFTWARE_PUA`
`dangerousDownloadEvent - DANGEROUS_HOST`	`SCAN_HOST`
`dangerousDownloadEvent - UNCOMMON`	`SCAN_UNCATEGORIZED`
`dangerousDownloadEvent - POTENTIALLY_UNWANTED`	`SCAN_UNCATEGORIZED`	`SOFTWARE_PUA`
`dangerousDownloadEvent - UNKNOWN`	`SCAN_UNCATEGORIZED`
`dangerousDownloadEvent - DANGEROUS_URL`	`SCAN_UNCATEGORIZED`
`dangerousDownloadEvent - UNWANTED_SOFTWARE`	`SCAN_FILE`	`SOFTWARE_PUA`
`dangerousDownloadEvent - DANGEROUS_FILE_TYPE`	`SCAN_FILE`	`SOFTWARE_MALICIOUS`
`Desktop DLP Warnings`	`USER_UNCATEGORIZED`
`DLP_EVENT`	`USER_UNCATEGORIZED`
`interstitialEvent - Malware`	`NETWORK_HTTP`	`NETWORK_SUSPICIOUS`
`IOS/OSX Warnings`	`SCAN_UNCATEGORIZED`
`Malware transfer - MALWARE_TRANSFER_DANGEROUS`	`SCAN_FILE`	`SOFTWARE_MALICIOUS`
`MALWARE_TRANSFER - MALWARE_TRANSFER_UNCOMMON`	`SCAN_FILE`	`SOFTWARE_MALICIOUS`
`MALWARE_TRANSFER - MALWARE_TRANSFER_DANGEROUS`	`SCAN_FILE`	`SOFTWARE_MALICIOUS`
`MALWARE_TRANSFER - MALWARE_TRANSFER_UNWANTED_SOFTWARE`	`SCAN_FILE`	`SOFTWARE_MALICIOUS`
`MALWARE_TRANSFER - MALWARE_TRANSFER_UNKNOWN`	`SCAN_FILE`	`SOFTWARE_MALICIOUS`
`MALWARE_TRANSFER - MALWARE_TRANSFER_DANGEROUS_HOST`	`SCAN_FILE`	`SOFTWARE_MALICIOUS`
`malwareTransferEvent - DANGEROUS`	`SCAN_FILE`	`SOFTWARE_MALICIOUS`
`malwareTransferEvent - UNSPECIFIED`	`SCAN_FILE`	`SOFTWARE_MALICIOUS`
`Password breach`	`USER_RESOURCE_ACCESS`
`PASSWORD_BREACH`	`USER_RESOURCE_ACCESS`
`passwordBreachEvent - PASSWORD_ENTRY`	`USER_RESOURCE_ACCESS`
`Password changed`	`USER_CHANGE_PASSWORD`
`PASSWORD_CHANGED`	`USER_CHANGE_PASSWORD`
`passwordChangedEvent`	`USER_CHANGE_PASSWORD`
`Password reuse - PASSWORD_REUSED_UNAUTHORIZED_SITE`	`USER_RESOURCE_ACCESS`	`POLICY_VIOLATION, AUTH_VIOLATION`
`Password reuse - PASSWORD_REUSED_PHISHING_URL`	`USER_UNCATEGORIZED`	`PHISHING`
`PASSWORD_REUSE - PASSWORD_REUSED_UNAUTHORIZED_SITE`	`USER_RESOURCE_ACCESS`	`POLICY_VIOLATION, AUTH_VIOLATION`
`passwordReuseEvent - Unauthorized site`	`USER_RESOURCE_ACCESS`	`POLICY_VIOLATION, AUTH_VIOLATION`
`passwordReuseEvent - PASSWORD_REUSED_PHISHING_URL`	`USER_UNCATEGORIZED`	`PHISHING`
`passwordReuseEvent - PASSWORD_REUSED_UNAUTHORIZED_SITE`	`USER_RESOURCE_ACCESS`	`POLICY_VIOLATION, AUTH_VIOLATION`
`Permissions Blacklisting`	`RESOURCE_PERMISSIONS_CHANGE`
`Sensitive data transfer`	`SCAN_FILE`	`DATA_EXFILTRATION`
`SENSITIVE_DATA_TRANSFER`	`SCAN_FILE`	`DATA_EXFILTRATION`
`sensitiveDataEvent - [test_user_5] warn`	`SCAN_FILE`	`DATA_EXFILTRATION`
`sensitiveDataTransferEvent`	`SCAN_FILE`	`DATA_EXFILTRATION`
`Unsafe site visit - UNSAFE_SITE_VISIT_SSL_ERROR`	`USER_RESOURCE_ACCESS`	`NETWORK_SUSPICIOUS`
`UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_MALWARE`	`USER_RESOURCE_ACCESS`	`SOFTWARE_MALICIOUS`
`UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_UNWANTED_SOFTWARE`	`USER_RESOURCE_ACCESS`	`SOFTWARE_SUSPICIOUS`
`UNSAFE_SITE_VISIT - EVENT_REASON_UNSPECIFIED`	`USER_RESOURCE_ACCESS`
`UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_SOCIAL_ENGINEERING`	`USER_RESOURCE_ACCESS`	`SOCIAL_ENGINEERING`
`UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_SSL_ERROR`	`USER_RESOURCE_ACCESS`	`NETWORK_SUSPICIOUS`
`unscannedFileEvent - FILE_PASSWORD_PROTECTED`	`SCAN_FILE`
`unscannedFileEvent - FILE_TOO_LARGE`	`SCAN_FILE`
`urlFilteringInterstitialEvent`	`USER_RESOURCE_ACCESS`	`POLICY_VIOLATION`
`extensionTelemetryEvent`	If the `telemetry_event_signals.signal_name` log field value is equal to the `COOKIES_GET_ALL_INFO, COOKIES_GET_INFO, TABS_API_INFO`, then the `event_type` set to `USER_RESOURCE_ACCESS`. Else, if the `telemetry_event_signals.signal_name` log field value is equal to `REMOTE_HOST_CONTACTED_INFO`, then if the `telemetry_event_signals.connection_protocol` log field value is equal to `HTTP_HTTPS`, then the `event_type` is set to `NETWORK_HTTP`. Else, the `event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.	If the `telemetry_event_signals.signal_name` log field value is equal to `REMOTE_HOST_CONTACTED_INFO`, then the `security category` is set to `NETWORK_SUSPICIOUS`. Else, if the `telemetry_event_signals.signal_name` log field value contain one of the following values, then the `security category` UDM field is set to `SOFTWARE_SUSPICIOUS`. `COOKIES_GET_INFO` `COOKIES_GET_ALL_INFO`

Referencia de la asignación de campos: CHROME_MANAGEMENT

En la siguiente tabla, se enumeran los campos de registro del tipo de registro CHROME_MANAGEMENT y sus campos de UDM correspondientes.

Log field	UDM mapping	Logic
`id.customerId`	`about.resource.product_object_id`
`event_detail`	`metadata.description`
`time`	`metadata.event_timestamp`
`events.parameters.name [TIMESTAMP]`	`metadata.event_timestamp`
`event`	`metadata.product_event_type`
`events.name`	`metadata.product_event_type`
`id.uniqueQualifier`	`metadata.product_log_id`
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Chrome Management`.
`id.applicationName`
	`metadata.vendor_name`	The `metadata.vendor_name` UDM field is set to `GOOGLE`.
`user_agent`	`network.http.user_agent`
`userAgent`	`network.http.user_agent`
`events.parameters.name [USER_AGENT]`	`network.http.user_agent`
`events.parameters.name [SESSION_ID]`	`network.session_id`
`client_type`	`principal.application`
`clientType`	`principal.application`
`events.parameters.name [CLIENT_TYPE]`	`principal.application`
`device_id`	`principal.asset.product_object_id`
`deviceId`	`principal.asset.product_object_id`
`events.parameters.name [DEVICE_ID]`	`principal.asset.product_object_id`
`device_name`	`principal.hostname`
`deviceName`	`principal.hostname`
`events.parameters.name [DEVICE_NAME]`	`principal.hostname`
`os_platform`	`principal.platform`	The `principal.platform` UDM field is set to one of the following values: `LINUX` if the `os_platform` log field value is matched with regular expression pattern `linux`. `MAC` if the `os_platform` log field value is matched with regular expression pattern `mac`. `WINDOWS` if the `os_platform` log field value is matched with regular expression pattern `windows`. `CHROME_OS` if the `os_platform` log field value is matched with regular expression pattern `chromeos`. Else, if the `os_platform` log field value is not empty and `osVersion` log field value is not empty, then the `os_platform osVersion` log field is mapped to the `principal.platform_version` UDM field.
`os_platform`	`principal.asset.platform_software.platform`	The `principal.asset.platform_software.platform` UDM field is set to one of the following values: `LINUX` if the `os_platform` log field value is matched with regular expression pattern `linux`. `MAC` if the `os_platform` log field value is matched with regular expression pattern `mac`. `WINDOWS` if the `os_platform` log field value is matched with regular expression pattern `windows`. `CHROME_OS` if the `os_platform` log field value is matched with regular expression pattern `chromeos`.
`os_platform`	`principal.asset.platform_software.platform`	The `principal.asset.platform_software.platform` UDM field is set to one of the following values: `LINUX` if the `os_platform` log field value is matched with regular expression pattern `linux`. `MAC` if the `os_platform` log field value is matched with regular expression pattern `mac`. `WINDOWS` if the `os_platform` log field value is matched with regular expression pattern `windows`. `CHROME_OS` if the `os_platform` log field value is matched with regular expression pattern `chromeos`.
`osPlatform`	`principal.platform`	The `principal.platform` UDM field is set to one of the following values: `LINUX` if the `osPlatform` log field value is matched with regular expression pattern `linux`. `MAC` if the `osPlatform` log field value is matched with regular expression pattern `mac`. `WINDOWS` if the `osPlatform` log field value is matched with regular expression pattern `windows`. `CHROME_OS` if the `osPlatform` log field value is matched with regular expression pattern `chromeos`. Else, if the `osPlatform` log field value is not empty and `osVersion` log field value is not empty, then the `osPlatform osVersion` log field is mapped to the `principal.platform_version` UDM field.
`osPlatform`	`principal.asset.platform_software.platform`	The `principal.asset.platform_software.platform` UDM field is set to one of the following values: `LINUX` if the `osPlatform` log field value is matched with regular expression pattern `linux`. `MAC` if the `osPlatform` log field value is matched with regular expression pattern `mac`. `WINDOWS` if the `osPlatform` log field value is matched with regular expression pattern `windows`. `CHROME_OS` if the `osPlatform` log field value is matched with regular expression pattern `chromeos`.
`events.parameters.name [DEVICE_PLATFORM]`	`principal.platform`	The `os_platform` and `os_version` is extracted from the `events.parameters.name [DEVICE_PLATFORM]` log field using Grok pattern. The `principal.platform` UDM field is set to one of the following values: `LINUX` if the `os_platform` log field value is matched with regular expression pattern `linux`. `MAC` if the `os_platform` log field value is matched with regular expression pattern `mac`. `WINDOWS` if the `os_platform` log field value is matched with regular expression pattern `windows`. `CHROME_OS` if the `os_platform` log field value is matched with regular expression pattern `chromeos`. Else, if the `os_platform` log field value is not empty and `osVersion` log field value is not empty, then the `os_platform osVersion` log field is mapped to the `principal.platform_version` UDM field.
`events.parameters.name [DEVICE_PLATFORM]`	`principal.asset.platform_software.platform`	The `os_platform` is extracted from the `events.parameters.name [DEVICE_PLATFORM]` log field using Grok pattern. The `principal.asset.platform_software.platform` UDM field is set to one of the following values: `LINUX` if the `os_platform` log field value is matched with regular expression pattern `linux`. `MAC` if the `os_platform` log field value is matched with regular expression pattern `mac`. `WINDOWS` if the `os_platform` log field value is matched with regular expression pattern `windows`. `CHROME_OS` if the `os_platform` log field value is matched with regular expression pattern `chromeos`.
`os_version`	`principal.platform_version`
`osVersion`	`principal.platform_version`
`events.parameters.name [DEVICE_PLATFORM]`	`principal.platform_version`	The `Version` is extracted from the `events.parameters.name [DEVICE_PLATFORM]` log field using Grok pattern.
`device_id`	`principal.resource.id`
`deviceId`	`principal.resource.id`
`events.parameters.name [DEVICE_ID]`	`principal.resource.id`
`directory_device_id`	`principal.resource.product_object_id`
`events.parameters.name [DIRECTORY_DEVICE_ID]`	`principal.resource.product_object_id`
	`principal.resource.resource_subtype`	If the `event` log field value is equal to `CHROMEOS_PERIPHERAL_STATUS_UPDATED`, then the `principal.resource.resource_subtype` UDM field is set to `USB`. Else, if the `events.name` log field value is equal to `CHROMEOS_PERIPHERAL_STATUS_UPDATED`, then the `principal.resource.resource_subtype` UDM field is set to `USB`.
	`principal.resource.resource_type`	If the `device_id` log field value is not empty, then the `principal.resource.resource_type` UDM field is set to `DEVICE`.
`actor.email`	`principal.user.email_addresses`
`actor.profileId`	`principal.user.userid`
`result`	`security_result.action_details`
`events.parameters.name [EVENT_RESULT]`	`security_result.action_details`
`event_result`	`security_result.action_details`
	`security_result.action`	The `security_result.action` UDM field is set to one of the following values: `ALLOW` if the `result` or `events.parameters.name [EVENT_RESULT]` log field value is matched with regular expression pattern `ALLOWED` or `EVENT_RESULT_ALLOWED`. `BLOCK` if the `result` or `events.parameters.name [EVENT_RESULT]` log field value is matched with regular expression pattern `BLOCKED` or `EVENT_RESULT_BLOCKED`.
`reason`	`security_result.category_details`
`events.parameters.name [EVENT_REASON]`	`security_result.category_details`
`events.parameters.name [EVENT_REASON]`	`security_result.summary`
`events.parameters.name [LOGIN_FAILURE_REASON]`	`security_result.description`
`events.parameters.name [REMOVE_USER_REASON]`	`security_result.description`	If the `events.name` log field value is equal to `CHROME_OS_REMOVE_USER`, then the `events.parameters.name` `REMOVE_USER_REASON` log field value is mapped to the `security_result.description` UDM field.
`triggered_rules`	`security_result.rule_name`
`events.type`	`security_result.category_details`
`events.parameters.name [PRODUCT_NAME]`	`target.application`	If the `events.name` log field value contains one of the following values, then the `events.parameters.name [PRODUCT_NAME]` log field is mapped to the `target.resource.name` UDM field: `ChromeOS USB device added` `ChromeOS USB device removed` `ChromeOS USB status change` `CHROMEOS_PERIPHERAL_STATUS_UPDATED`
`content_name`	`target.file.full_path`
`contentName`	`target.file.full_path`
`events.parameters.name [CONTENT_NAME]`	`target.file.full_path`
`content_type`	`target.file.mime_type`
`contentType`	`target.file.mime_type`
`events.parameters.name [CONTENT_TYPE]`	`target.file.mime_type`
`content_hash`	`target.file.sha256`
`events.parameters.name [CONTENT_HASH]`	`target.file.sha256`
`content_size`	`target.file.size`
`contentSize`	`target.file.size`
`events.parameters.name [CONTENT_SIZE]`	`target.file.size`
	`target.file.file_type`	The `fileType` is extracted from the `content_name` log field using Grok pattern, Then `target.file.file_type` UDM field is set to one of the following values: `FILE_TYPE_ZIP` if the `fileType` value is equal to `zip`. `FILE_TYPE_DOS_EXE` if the `fileType` value is equal to `exe`. `FILE_TYPE_PDF` if the `fileType` value is equal to `pdf`. `FILE_TYPE_XLSX` if the `fileType` value is equal to `xlsx`.
`extension_id`	`target.resource.product_object_id`
`events.parameters.name [APP_ID]`	`target.resource.product_object_id`
`extension_name`	`target.resource.name`	If the `event` log field value is equal to `badNavigationEvent` or the `events.name` log field value is equal to `badNavigationEvent`, then the `extension_name` log field is mapped to the `target.resource.name` UDM field.
`telemetry_event_signals.signal_name`	`target.resource.name`	If the `event` log field value is equal to `extensionTelemetryEvent`, then the `telemetry_event_signals.signal_name` log field is mapped to the `target.resource.name` UDM field.
`events.parameters.name [APP_NAME]`	`target.resource.name`
`url`	`target.url`
`events.parameters.name [URL]`	`target.url`
`telemetry_event_signals.url`	`target.url`	If the `telemetry_event_signals.url` log field value matches the regular expression pattern the `[http:\/\/ or https:\/\/].*`, then the `telemetry_event_signals.url` log field is mapped to the `target.url` UDM field.
`device_user`	`target.user.userid`
`deviceUser`	`principal.user.userid`	If the `event` log field value is equal to `passwordChangedEvent`, then the `deviceUser` log field is mapped to the `principal.user.userid` UDM field. Else, the `deviceUser` log field is mapped to the `principal.user.user_display_name` UDM field.
`events.parameters.name [DEVICE_USER]`	If the `event` log field value is equal to `passwordChangedEvent`, then the `events.parameters.name [DEVICE_USER]` log field is mapped to the `principal.user.userid` UDM field. Else, the `events.parameters.name [DEVICE_USER]` log field is mapped to the `principal.user.user_display_name` UDM field.
`scan_id`	`about.labels [scan_id]`
`events.parameters.name [CONNECTION_TYPE]`	`about.labels [connection_type]`
`etag`	`about.labels [etag]`
`kind`	`about.labels [kind]`
`actor.key`	`principal.user.attribute.labels [actor_key]`
`actor.callerType`	`principal.user.attribute.labels [actor_callerType]`
`events.parameters.name [EVIDENCE_LOCKER_FILEPATH]`	`security_result.about.labels [evidence_locker_filepath]`
`federated_origin`	`security_result.about.labels [federated_origin]`
`is_federated`	`security_result.about.labels [is_federated]`
`destination`	`security_result.about.labels [trigger_destination]`
`events.parameters.name [TRIGGER_DESTINATION]`	`security_result.about.labels [trigger_destination]`
`source`	`security_result.about.labels [trigger_source]`
`events.parameters.name [TRIGGER_SOURCE]`	`security_result.about.labels [trigger_source]`
`trigger_type`	`security_result.about.labels [trigger_type]`
`trigger_type`	`additional.fields [trigger_type]`
`triggerType`	`security_result.about.labels [trigger_type]`
`triggerType`	`additional.fields [trigger_type]`
`events.parameters.name [TRIGGER_TYPE]`	`security_result.about.labels [trigger_type]`
`trigger_user`	`security_result.about.labels [trigger_user]`
`events.parameters.name [TRIGGER_USER]`	`security_result.about.labels [trigger_user]`
`events.parameters.name [MALWARE_CATEGORY]`	`security_result.threat_name`
`events.parameters.name [MALWARE_FAMILY]`	`security_result.detection_fields [malware_family]`
`events.parameters.name [VENDOR_ID]`	`src.labels [vendor_id]`
`events.parameters.name [VENDOR_NAME]`	`src.labels [vendor_name]`
`events.parameters.name [VIRTUAL_DEVICE_ID]`	`src.labels [virtual_device_id]`
`events.parameters.name [VIRTUAL_DEVICE_ID]`	`additional.fields [virtual_device_id]`
`events.parameters.name [NEW_BOOT_MODE]`	`target.asset.attribute.labels [new_boot_mode]`
`events.parameters.name [PREVIOUS_BOOT_MODE]`	`target.asset.attribute.labels [previous_boot_mode]`
`id.time`	`target.asset.attribute.labels [timestamp]`
`events.parameters.name [PRODUCT_ID]`	`target.labels [product_id]`	If the `events.name` log field value contains one of the following values, then the `events.parameters.name [PRODUCT_ID]` log field is mapped to the `target.resource.product_object_id` UDM field: `CHROMEOS_PERIPHERAL_ADDED` `CHROMEOS_PERIPHERAL_REMOVED` `CHROMEOS_PERIPHERAL_STATUS_UPDATED` Else, the `events.parameters.name [PRODUCT_ID]` log field is mapped to the `target.labels` UDM field.
	`extensions.auth.mechanism`	If the `events.name` log field value contains one of the following values, then the `extensions.auth.mechanism` UDM field is set to `USERNAME_PASSWORD`: `CHROME_OS_LOGIN_EVENT` `loginEvent` `CHROME_OS_LOGIN_FAILURE_EVENT` `CHROMEOS_AFFILIATED_UNLOCK_SUCCESS` `CHROME_OS_CRD_CLIENT_CONNECTED` `CHROME_OS_LOGOUT_EVENT` `CHROMEOS_AFFILIATED_LOCK_SUCCESS`
`events.parameters.name [UNLOCK_TYPE]`	`target.labels [unlock_type]`
`extension_description`	`target.resource.attribute.labels [extension_description]`
`extension_action`	`target.resource.attribute.labels [extension_action]`
`extension_version`	`target.resource.attribute.labels [extension_version]`	If the `event` log field value is not equal to `extensionTelemetryEvent`, then the `extension_version` log field is mapped to the `target.resource.attribute.labels[extension_version]` UDM field.
`extension_source`	`target.resource.attribute.labels[extension_source]`	If the `event` log field value is not equal to `extensionTelemetryEvent`, then the `extension_source` log field is mapped to the `target.resource.attribute.labels[extension_source]` UDM field.
`browser_version`	`target.resource.attributes.labels [browser_version]`
`browserVersion`	`target.resource.attributes.labels [browser_version]`
`events.parameters.name [BROWSER_VERSION]`	`target.resource.attributes.labels [browser_version]`
`profile_user`	`target.user.email_addresses`	If the `event` log field value contain one of the following values and the `profile_user` log field value matches the regular expression pattern `^.+@.+$`, then the `profile_user` log field is mapped to the `target.user.email_addresses` UDM field. `CHROME_OS_LOGIN_EVENT` `loginEvent` `CHROME_OS_LOGIN_FAILURE_EVENT` `CHROMEOS_AFFILIATED_UNLOCK_SUCCESS` `CHROME_OS_CRD_CLIENT_CONNECTED` `CHROME_OS_LOGOUT_EVENT` `CHROMEOS_AFFILIATED_LOCK_SUCCESS` .
`profile_user`	`principal.user.email_addresses`	If the `event` log field value does not contain one of the following values and the `profile_user` log field value matches the regular expression pattern `^.+@.+$` and the `actor.email` log field value is not equal to the `profile_user`, then the `profile_user` log field is mapped to the `principal.user.email_addresses` UDM field. `CHROME_OS_LOGIN_EVENT` `loginEvent` `CHROME_OS_LOGIN_FAILURE_EVENT` `CHROMEOS_AFFILIATED_UNLOCK_SUCCESS` `CHROME_OS_CRD_CLIENT_CONNECTED` `CHROME_OS_LOGOUT_EVENT` `CHROMEOS_AFFILIATED_LOCK_SUCCESS` .
`profile_user`	`target.user.attribute.labels[profile_user_name]`	If the `event` log field value contain one of the following values and the `profile_user` log field value does not match the regular expression pattern `^.+@.+$`, then the `profile_user` log field is mapped to the `target.user.attribute.labels.profile_user_name` UDM field. `CHROME_OS_LOGIN_EVENT` `loginEvent` `CHROME_OS_LOGIN_FAILURE_EVENT` `CHROMEOS_AFFILIATED_UNLOCK_SUCCESS` `CHROME_OS_CRD_CLIENT_CONNECTED` `CHROME_OS_LOGOUT_EVENT` `CHROMEOS_AFFILIATED_LOCK_SUCCESS` .
`profile_user`	`principal.user.attribute.labels[profile_user_name]`	If the `event` log field value does not contain one of the following values and the `profile_user` log field value does not match the regular expression pattern `^.+@.+$` or the `actor.email` log field value is equal to the `profile_user`, then the `profile_user` log field is mapped to the `principal.user.attribute.labels.profile_user_name` UDM field. `CHROME_OS_LOGIN_EVENT` `loginEvent` `CHROME_OS_LOGIN_FAILURE_EVENT` `CHROMEOS_AFFILIATED_UNLOCK_SUCCESS` `CHROME_OS_CRD_CLIENT_CONNECTED` `CHROME_OS_LOGOUT_EVENT` `CHROMEOS_AFFILIATED_LOCK_SUCCESS` .
`events.parameters.name [PROFILE_USER_NAME]`	`target.user.email_addresses`	If the `event` log field value contain one of the following values and the `events.parameters.name [PROFILE_USER_NAME]` log field value matches the regular expression pattern `^.+@.+$`, then the `events.parameters.name [PROFILE_USER_NAME]` log field is mapped to the `target.user.email_addresses` UDM field. `CHROME_OS_LOGIN_EVENT` `loginEvent` `CHROME_OS_LOGIN_FAILURE_EVENT` `CHROMEOS_AFFILIATED_UNLOCK_SUCCESS` `CHROME_OS_CRD_CLIENT_CONNECTED` `CHROME_OS_LOGOUT_EVENT` `CHROMEOS_AFFILIATED_LOCK_SUCCESS` .
`events.parameters.name [PROFILE_USER_NAME]`	`principal.user.email_addresses`	If the `event` log field value does not contain one of the following values and the `events.parameters.name [PROFILE_USER_NAME]` log field value matches the regular expression pattern `^.+@.+$` and the `actor.email` log field value is not equal to the `events.parameters.name [PROFILE_USER_NAME]`, then the `events.parameters.name [PROFILE_USER_NAME]` log field is mapped to the `principal.user.email_addresses` UDM field. `CHROME_OS_LOGIN_EVENT` `loginEvent` `CHROME_OS_LOGIN_FAILURE_EVENT` `CHROMEOS_AFFILIATED_UNLOCK_SUCCESS` `CHROME_OS_CRD_CLIENT_CONNECTED` `CHROME_OS_LOGOUT_EVENT` `CHROMEOS_AFFILIATED_LOCK_SUCCESS` .
`events.parameters.name [PROFILE_USER_NAME]`	`target.user.attribute.labels[profile_user_name]`	If the `event` log field value contain one of the following values and the `events.parameters.name [PROFILE_USER_NAME]` log field value does not match the regular expression pattern `^.+@.+$`, then the `events.parameters.name [PROFILE_USER_NAME]` log field is mapped to the `target.user.attribute.labels.profile_user_name` UDM field. `CHROME_OS_LOGIN_EVENT` `loginEvent` `CHROME_OS_LOGIN_FAILURE_EVENT` `CHROMEOS_AFFILIATED_UNLOCK_SUCCESS` `CHROME_OS_CRD_CLIENT_CONNECTED` `CHROME_OS_LOGOUT_EVENT` `CHROMEOS_AFFILIATED_LOCK_SUCCESS` .
`events.parameters.name [PROFILE_USER_NAME]`	`principal.user.attribute.labels[profile_user_name]`	If the `event` log field value does not contain one of the following values and the `events.parameters.name [PROFILE_USER_NAME]` log field value does not match the regular expression pattern `^.+@.+$` or the `actor.email` log field value is equal to the `events.parameters.name [PROFILE_USER_NAME]`, then the `events.parameters.name [PROFILE_USER_NAME]` log field is mapped to the `principal.user.attribute.labels.profile_user_name` UDM field. `CHROME_OS_LOGIN_EVENT` `loginEvent` `CHROME_OS_LOGIN_FAILURE_EVENT` `CHROMEOS_AFFILIATED_UNLOCK_SUCCESS` `CHROME_OS_CRD_CLIENT_CONNECTED` `CHROME_OS_LOGOUT_EVENT` `CHROMEOS_AFFILIATED_LOCK_SUCCESS` .
	`target.resource.resource_type`	If the `events.name` log field value is equal to `DEVICE_BOOT_STATE_CHANGE`, then the `target.resource.resource_type` UDM field is set to `SETTING`.
`url_category`	`target.labels [url_category]`
`browser_channel`	`target.resource.attribute.labels [browser_channel]`
`report_id`	`target.labels [report_id]`
`clickedThrough`	`target.labels [clickedThrough]`
`threat_type`	`security_result.detection_fields [threatType]`
`triggered_rule_info.action`	`security_result.action`	If the `triggered_rule_info.action` log field value contains one of the following values, then the `triggered_rule_info.action` log field is mapped to the `security_result.action` UDM field: `ALLOW` `ALLOW_WITH_MODIFICATION` `BLOCK` `CHALLENGE` `FAIL` `QUARANTINE` `UNKNOWN_ACTION` Else, the `triggered_rule_info.action` log field is mapped to the `security_result.rule_labels [triggeredRuleInfo_action]` UDM field.
`triggered_rule_info.rule_id`	`security_result.rule_id`
`triggered_rule_info.rule_name`	`security_result.rule_name`
`triggered_rule_info.url_category`	`security_result.category_details`
`transfer_method`	`additional.fields [transfer_method]`
`extension_name`	`target.resource_ancestors.name`	If the `event` log field value is `equal` to `extensionTelemetryEvent`, then the `extension_name` log field is mapped to the `target.resource_ancestors.name` UDM field.
`extension_id`	`target.resource_ancestors.product_object_id`	If the `event` log field value is `equal` to `extensionTelemetryEvent`, then the `extension_id` log field is mapped to the `target.resource_ancestors.product_object_id` UDM field.
`extension_version`	`target.resource_ancestors.attribute.labels[extension_version]`	If the `event` log field value is equal to `extensionTelemetryEvent`, then the `extension_version` log field is mapped to the `target.resource_ancestors.attribute.labels[extension_version]` UDM field.
`extension_source`	`target.resource_ancestors.attribute.labels[extension_source]`	If the `event` log field value is equal to `extensionTelemetryEvent`, then the `extension_source` log field is mapped to the `target.resource_ancestors.attribute.labels[extension_source]` UDM field.
`profile_identifier`	`additional.fields[profile_identifier]`
`extension_files_info.file_name`	`target.resource_ancestors.file.names`
`extension_files_info.file_hash.hash`	`target.resource_ancestors.attribute.labels[file_hash]`
`telemetry_event_signals.count`	`target.resource.attribute.labels[count]`
`telemetry_event_signals.tabs_api_method`	`target.resource.attribute.labels[tabs_api_method]`
	`target.hostname`	If the `telemetry_event_signals.url` log field value does not match the regular expression pattern the `[http:\/\/ or https:\/\/].*`, then the `telemetry_event_signals.url` log field is mapped to the `target.hostname` UDM field.
`telemetry_event_signals.destination`	`target.resource.attribute.labels[destination]`
`telemetry_event_signals.source`	`target.resource.attribute.labels[source]`
`telemetry_event_signals.domain`	`target.domain.name`
`telemetry_event_signals.cookie_name`	`target.resource.attribute.labels[cookie_name]`
`telemetry_event_signals.cookie_path`	`target.resource.attribute.labels[cookie_path]`
`telemetry_event_signals.cookie_is_secure`	`target.resource.attribute.labels[cookie_is_secure]`
`telemetry_event_signals.cookie_store_id`	`target.resource.attribute.labels[cookie_store_id]`
`telemetry_event_signals.cookie_is_session`	`target.resource.attribute.labels[cookie_is_session]`
`telemetry_event_signals.connection_protocol`	`network.application_protocol`	If the `telemetry_event_signals.connection_protocol` log field value is equal to `HTTP_HTTPS`, then the `network.application_protocol` UDM field is set to `HTTP` Else, If the `telemetry_event_signals.connection_protocol` log field value is equal to `UNSPECIFIED`, then the `network.application_protocol` UDM field is set to `UNKNOWN_APPLICATION_PROTOCOL` Else, the `telemetry_event_signals.connection_protocol` log field is mapped to the `target.resource.attribute.labels` UDM field.
`telemetry_event_signals.contacted_by`	`target.resource.attribute.labels[contacted_by]`
`local_ips`	`principal.ip`	If the event log field value is equal to `extensionTelemetryEvent`, then the `local_ips` log field is mapped to the `principal.ip` UDM field.
`remote_ip`	`target.ip`	If the event log field value is equal to `extensionTelemetryEvent`, then the `remote_ip` log field is mapped to the `target.ip` UDM field.
`device_fqdn`	`principal.asset.attribute.labels`	If the event log field value is equal to `extensionTelemetryEvent`, then the `device_fqdn` log field is mapped to the `principal.asset.attribute.labels` UDM field.
`network_name`	`principal.network.carrier_name`	If the event log field value is equal to `extensionTelemetryEvent`, then the `network_name` log field is mapped to the `principal.network.carrier_name` UDM field.
`web_app_signed_in_account`	`target.user.email_addresses`	If the `event` log field value contains one of the following values, then the `web_app_signed_in_account` log field is mapped to the `target.user.email_addresses` UDM field: `contentTransferEvent` `sensitiveDataEvent` `urlFilteringInterstitialEvent`

Referencia de la asignación de campos (versión preliminar)

Todos los campos se aplican a los clientes de Chrome Enterprise Core y Chrome Enterprise Premium. Los campos que solo se aplican a los clientes de Chrome Enterprise Premium están etiquetados como "[Solo para CEP]".

Referencia de la asignación de campos: CHROME_MANAGEMENT (versión preliminar)

En la siguiente tabla, se enumeran los campos de registro del tipo de registro CHROME_MANAGEMENT y sus campos de UDM correspondientes.

Log field	UDM mapping	Logic
`pehash_sha256`	`about.file.sha256`	[CEP Only] The SHA256 file hash (`pehash_sha256`) reported from a `dangerousDownloadEvent` or `contentTransferEvent`.
`device_fqdn`	`principal.asset.attribute.labels`	[CEP Only] The device's fully qualified domain name reported in a `urlNavigationEvent`, `suspiciousUrlEvent`, or `urlFilteringInterstitialEvent`. Not reported for unmanaged devices with managed user profiles.
`network_name`	`principal.network.carrier_name`	[CEP Only] The network name (SSID) the device is connected to reported in a `urlNavigationEvent`, `suspiciousUrlEvent`, or `urlFilteringInterstitialEvent`.
`content_risk.threat_type`	`security_result.threat_name`	[CEP Only] The threat type of the content reported in a `dangerousDownloadEvent` or `contentTransferEvent`.
`content_risk_level, content_risk.risk_level`	`security_result.severity`	[CEP Only] The content risk level reported by Safe Browsing in a `dangerousDownloadEvent` or `contentTransferEvent`.
`content_risk.risk_reasons`	`security_result.rule_label`	[CEP Only] The content risk reason reported by Safe Browsing in a `dangerousDownloadEvent` or `contentTransferEvent`.
`content_risk.risk_indicators`	`security_result.detection_fields[content_risk_indicators]`	[CEP Only] The list of indicators from the Safe Browsing risk level in a `dangerousDownloadEvent` or `contentTransferEvent`.
`content_risk.risk_source`	`security_result.detection_fields[content_risk_source]`	[CEP Only] The risk source of the content reported by Safe Browsing in a `dangerousDownloadEvent` or `contentTransferEvent`.
`is_encrypted`	`additional.fields[is_encrypted]`	[CEP Only] Set to `true` if the content is encrypted in `dangerousDownloadEvent` or `contentTransferEvent`.
`server_scan_status`	`additional.fields[server_scan_status]`	[CEP Only] The status of whether the content in `dangerousDownloadEvent` or `contentTransferEvent` was successfully scanned by Safe Browsing.
`url_info.url`	`principal.url`	[CEP Only] The URL of `dangerousDownloadEvent`, `contentTransferEvent`, `urlNavigationEvent`, `suspiciousUrlEvent`, or `urlFilteringInterstitialEvent`.
`url_info.ip`	`principal.ip`	[CEP Only] The IP address of `dangerousDownloadEvent`, `contentTransferEvent`, `urlNavigationEvent`, `suspiciousUrlEvent`, or `urlFilteringInterstitialEvent`.
`url_info.type`	`principal.security_result.detection_fields[url_info_type]`	[CEP Only] The URL type (download, tab, or redirect) of `dangerousDownloadEvent`, `contentTransferEvent`, `urlNavigationEvent`, `suspiciousUrlEvent`, or `urlFilteringInterstitialEvent`.
`url_info.risk_level`	`principal.security_result.severity`	[CEP Only] The risk level of the URL reported by Safe Browsing.
`url_info.risk_infos.risk_level`	`principal.security_result.severity`	[CEP Only] Additional risk information reported by Safe Browsing.
`url_info.navigation_initiator.initiator_type`	`principal.security_result.detection_fields[url_info_initiator_type]`	[CEP Only] This maps the `url_info_initiator_type` in a `dangerousDownloadEvent` or `contentTransferEvent`. In a `urlNavigationEvent`, `suspiciousUrlEvent`, or `urlFilteringInterstitialEvent` this maps the `url_navigation_initiator`.
`url_info.navigation_initiator.entity`	`principal.security_result.detection_fields[url_info_entity]`	[CEP Only] This maps the `url_info_entity` in a `dangerousDownloadEvent` or `contentTransferEvent`. In a `urlNavigationEvent`, `suspiciousUrlEvent`, or `urlFilteringInterstitialEvent` this maps the `url_infos_navigation_entity`.
`url_info.request_http_method`	`principal.security_result.detection_fields[url_info_request_http_method]`	[CEP Only] The HTTP method used to contact the URL.
`url_info.url_categories`	`principal.url_metadata.categories`	[CEP Only] The URL category reported by Safe Browsing of `urlNavigationEvent` or `suspiciousUrlEvent`.
`url_info.risk_infos.risk_indicators`	`principal.security_result.detection_fields[url_info_risk_infos_risk_indicators_key]`	[CEP Only] The URL risk indicators reported by Safe Browsing of `urlNavigationEvent` or `suspiciousUrlEvent`.
`url_info.risk_infos.risk_reasons`	`principal.security_result.rule_label[risk_reason]`	[CEP Only] The Safe Browsing reason for the URL risk classification of `urlNavigationEvent` or `suspiciousUrlEvent`.
`url_info.risk_infos.risk_source`	`principal.security_result.detection_fields[content_risk_source]`	[CEP Only] The risk source determination reported by Safe Browsing. This includes URL and file reputation and content scanning results for `urlNavigationEvent`, `suspiciousUrlEvent`, or `urlFilteringInterstitialEvent`.
`url_info.risk_infos.threat_type`	`security_result.threat_name`	[CEP Only] The threat type reported by Safe Browsing of the URL for `urlNavigationEvent`, `suspiciousUrlEvent`, or `urlFilteringInterstitialEvent`.
`tab_url_info.url, tab_url, referrers.url`	`about.url`	[CEP Only] Maps the `tab_url_info.url` of `dangerousDownloadEvent` or `contentTransferEvent`. Maps the `referrers.url` of a `urlNavigationEvent`, or `suspiciousUrlEvent`.
`tab_url_info.ip, referrers.ip`	`about.ip`	[CEP Only] Maps the `tab_url_info_ip` IP address associated with `dangerousDownloadEvent` or `contentTransferEvent`. Maps the IP address of `referrers.ip` in `urlNavigationEvent` or `suspiciousUrlEvent`.
`remote_ip`	`target.ip`	[CEP Only] If the `event` log field value contains one of the following values, then the `remote_ip` log field is mapped to the `target.ip` UDM field: `dangerousDownloadEvent` `contentTransferEvent` `urlNavigationEvent` `suspiciousUrlEvent` `urlFilteringInterstitialEvent`
`tab_url_info.type`	`about.security_result.detection_fields[tab_url_info_type]`	[CEP Only] The URL tab type for `dangerousDownloadEvent` or `contentTransferEvent`.
`tab_url_info.risk_level`	`about.security_result.severity`	[CEP Only] The Safe Browsing risk level associated with the URL from a tab event for `dangerousDownloadEvent` or `contentTransferEvent`.
`tab_url_info.navigation_initiator.initiator_type`	`about.security_result.detection_fields[tab_url_info_initiator_type]`	[CEP Only] The initiator type of the tab event for `dangerousDownloadEvent` or `contentTransferEvent`.
`tab_url_info.navigation_initiator.entity`	`about.security_result.detection_fields[tab_url_info_entity]`	[CEP Only] The `tab_url_info_entity` for `dangerousDownloadEvent` or `contentTransferEvent`.
`tab_url_info.request_http_method`	`about.security_result.detection_fields[tab_url_info_request_http_method]`	[CEP Only] The HTTP method a tab used to contact the URL of `dangerousDownloadEvent` or `contentTransferEvent`.
`referrers.navigation_initiator.entity`	`about.security_result.detection_fields[referrers_navigation_initiator_entity]`	[CEP Only] The referrer entity name that initiated the navigation event for `urlNavigationEvent` or `suspiciousUrlEvent`.
`referrers.navigation_initiator.initiator_type`	`about.security_result.detection_fields[referrers_navigation_initiator_initiator_type]`	[CEP Only] The referrer type that initiated `urlNavigationEvent` or `suspiciousUrlEvent`.
`referrers.request_http_method`	`about.security_result.detection_fields[referrers_request_http_method]`	[CEP Only] The HTTP method of `urlNavigationEvent` or `suspiciousUrlEvent`.
`referrers.risk_infos.risk_categories`	`about.security_result.detection_fields[referrers_risk_infos_risk_categories]`	[CEP Only] The URL category of the referrer, as provided by the Safe Browsing service, associated with `urlNavigationEvent` or `suspiciousUrlEvent`.
`referrers.risk_infos.risk_level, referrers.risk_level`	`about.security_result.severity`	[CEP Only] Maps the risk level provided by Safe Browsing `referrers.risk_level` for a `urlNavigationEvent` or `suspiciousUrlEvent` or `referrers.risk_infos.risk_level` for `urlNavigationEvent` or `suspiciousUrlEvent`.
`referrers.type`	`about.security_result.detection_fields[referrers_type]`	[CEP Only] The URL type provided by Safe Browsing of the referrer URL of `urlNavigationEvent` or `suspiciousUrlEvent`.
`referrers.risk_infos.risk_source`	`about.security_result.detection_fields[referrers_risk_source]`	[CEP Only] The risk source provided by Safe Browsing for the referrer URL of `urlNavigationEvent` or `suspiciousUrlEvent`.
`referrers.risk_infos.threat_type`	`about.security_result.threat_name`	[CEP Only] The threat type provided by Safe Browsing for the referrer URL of `urlNavigationEvent` or `suspiciousUrlEvent`.
`referrers.url_categories`	`about.url_metadata.categories`	[CEP Only] The URL category provided by Safe Browsing for the referrer URL of `urlNavigationEvent` or `suspiciousUrlEvent`.

¿Necesitas más ayuda? Obtén respuestas de miembros de la comunidad y profesionales de Google SecOps.