Cette page a été traduite par l'API Cloud Translation.

Collecter des données Chrome Enterprise

Compatible avec :

Google SecOps SIEM

Ce document explique comment collecter les journaux Google Chrome dans Google SecOps à l'aide du connecteur de création de rapports Enterprise. Il décrit en détail le processus d'ingestion des données pour les déploiements Google Chrome Enterprise Core et Chrome Enterprise Premium, tout en précisant que certaines données de journaux avancées nécessitent une licence Chrome Enterprise Premium.

Déploiement type

Un déploiement type se compose d'une combinaison des composants suivants :

Chrome : événements de gestion du navigateur Chrome et de ChromeOS que vous souhaitez collecter.
ChromeOS : vous pouvez configurer les appareils ChromeOS gérés pour qu'ils envoient des journaux à Google SecOps. Les appareils ChromeOS sont facultatifs.
Connecteur de reporting Chrome Enterprise : ce connecteur transfère les journaux Chrome vers Google SecOps.
Google SecOps : conserve et analyse les journaux Chrome.

Avant de commencer

Un compte administrateur Google Workspace.
Google Chrome 137 ou version ultérieure. Les versions antérieures ne fournissent pas de données complètes sur l'URL de provenance.
Licences Chrome Enterprise Premium pour les fonctionnalités avancées.
Facultatif : jeton d'ingestion Google SecOps. Si vous utilisez cette option, vous avez également besoin de votre Customer ID Google Workspace depuis la console d'administration Google Workspace.
Facultatif : une clé API d'ingestion Chronicle fournie par votre représentant Google SecOps.

Configurer la gestion cloud du navigateur Chrome

Enregistrez les appareils cibles pour activer la gestion cloud des navigateurs Chrome. Pour en savoir plus, consultez Enregistrer des navigateurs Chrome gérés dans le cloud.
Facultatif : Configurez Evidence Locker pour examiner les fichiers suspects. (Chrome Enterprise Premium uniquement)
Facultatif : Si vous utilisez Identity-Aware Proxy, suivez les étapes décrites dans Collecter les données contextuelles de Chrome Enterprise Premium pour l'accès contextuel afin d'intégrer ces données à Google SecOps.

Associer les données Chrome à votre instance Google SecOps

Configurez l'analyseur Chrome Management et le connecteur de reporting Chrome Enterprise.

Configurer l'analyseur Chrome Management

Vous devrez peut-être passer à une nouvelle version de l'analyseur Chrome Management pour prendre en charge les journaux Chrome récents.

Dans votre instance Google SecOps, accédez à Menu > Paramètres > Analyseurs.
Recherchez l'entrée prédéfinie "Gestion Chrome" et vérifiez que vous utilisez une version datée du 14/08/2025 ou ultérieure en appliquant les mises à jour en attente.

Configurer Chrome Enterprise Premium

Cette section explique comment configurer la journalisation pour Chrome Enterprise Premium.

Vous pouvez configurer le transfert de journaux pour Chrome Enterprise Premium, qui inclut le contexte de la navigation sécurisée. Le connecteur de reporting Chrome Enterprise pour Chrome Enterprise Premium peut configurer et, éventuellement, transférer les types de journaux suivants :

Plantages du navigateur
Transferts de contenus
Contrôles des accès aux données
Installations d'extensions
Télémétrie des extensions
Activité de connexion Google
Transfert de logiciel malveillant
Violation du mot de passe
Mot de passe modifié
Réutilisation des mots de passe
Transfert de données sensibles
URL suspecte
Visites de sites non sécurisés
Interstitiel de filtrage d'URL
Navigation vers des URL

Configurer l'exportation des données Chrome Enterprise Premium

Pour configurer le connecteur de reporting Chrome Enterprise pour la journalisation Chrome Enterprise Premium à l'aide des paramètres de sécurité recommandés :

Dans la console d'administration Google, accédez à Menu > Navigateur Chrome > Connecteurs.
Dans la bannière Présentation de Google SecOps pour les données Chrome Enterprise, cliquez sur Afficher les détails et activer.
Sur la page Activer Google SecOps pour Chrome Enterprise Premium, saisissez un nom de configuration.
Sélectionnez une option de transfert, comme décrit dans Configurer le connecteur de reporting Chrome Enterprise.

Configurer le connecteur de reporting Chrome Enterprise

Le connecteur de rapports Chrome Enterprise envoie des données de journaux à Google SecOps pour Chrome Enterprise Premium et Chrome Enterprise Core.

Configurez le connecteur de reporting Chrome Enterprise pour envoyer les données Chrome à Google SecOps à l'aide de l'une des options suivantes :

Si vous avez déjà configuré les journaux d'audit Google Cloud pour les transférer vers Google SecOps, vous pouvez peut-être envoyer les journaux Chrome Enterprise Premium. Pour en savoir plus, consultez
Configurer le transfert Chrome vers une instance Google SecOps dans la même organisation.
Vous pouvez utiliser un code de jeton temporaire généré à partir de Google SecOps pour configurer le transfert vers une instance Chrome Enterprise Premium. Pour en savoir plus, consultez
Configurer le transfert Chrome vers Google SecOps à l'aide d'un jeton d'intégration.
Vous pouvez également utiliser une clé API Chronicle Ingestion. Pour en savoir plus, consultez
Configurer le transfert Chrome vers Google SecOps à l'aide de l'API Chronicle Ingestion.

Configurer le transfert Chrome vers une instance Google SecOps dans la même organisation

Vous pouvez sélectionner une instance Google SecOps existante dans la configuration du connecteur si toutes les conditions préalables suivantes sont remplies :

L'instance Google SecOps est associée à un projet Google Cloud .
Le projet Google Cloud se trouve dans la même organisation que l'instance Google Workspace qui gère votre abonnement Chrome Enterprise Premium.
Vous avez déjà configuré une intégration Cloud Audit Logs de cette organisation à Google SecOps.

Si ces conditions préalables sont remplies, l'instance Google SecOps devrait apparaître dans la liste de sélection sous Utiliser l'instance dans le compte GCP associé.

Pour configurer le transfert Chrome vers une instance Google SecOps dans la même organisation, procédez comme suit :

Saisissez un nom pour la configuration.
Dans l'option Utiliser l'instance dans le compte GCP associé, sélectionnez l'instance Google SecOps.
Sélectionnez les types de journaux à transférer dans les paramètres d'exportation des journaux.
Cliquez sur Test connection (Tester la connexion).
Cliquez sur Activer une fois la connexion testée avec succès.
Cliquez sur OK une fois la configuration terminée.

Configurer le transfert Chrome vers Google SecOps à l'aide d'un jeton d'intégration

Si l'instance Google SecOps de destination n'apparaît pas dans la liste de sélection ou si vous devez transférer les journaux Chrome vers une instance Google SecOps dans un autre Google Cloud, procédez comme suit :

Communiquez votre numéro client Google Workspace à l'administrateur Google SecOps de l'instance de destination et demandez-lui d'obtenir l'ID et le jeton de votre instance Google SecOps. Ce jeton est valide pendant 24 heures.
Saisissez un nom pour la configuration.
Sélectionnez Utiliser une instance en dehors de votre organisation.
Saisissez le code de jeton fourni par l'administrateur Google SecOps.
Sélectionnez les types de journaux à transférer dans les paramètres d'exportation des journaux.
Cliquez sur Test Connection (Tester la connexion).
Cliquez sur Activer une fois la connexion testée avec succès.
Cliquez sur OK une fois la configuration terminée.

Configurer le transfert Chrome vers Google SecOps à l'aide de l'API Chronicle Ingestion

Vous pouvez configurer le connecteur de création de rapports Google Chrome à l'aide d'une clé API Chronicle Ingestion. Vous ne devez utiliser cette méthode que si aucune autre méthode d'intégration n'est disponible.

Dans la console d'administration, accédez à Menu > Appareils > Chrome > Connecteurs.
Cliquez sur + Configuration d'un nouveau fournisseur.
Dans le panneau latéral, recherchez la configuration Google SecOps, puis cliquez sur Configurer.
Saisissez l'ID de configuration, la clé API et le nom d'hôte :
- ID de configuration : cet ID s'affiche sur les pages Paramètres des utilisateurs et des navigateurs et Connecteurs.
- Clé API : clé API à spécifier lorsque vous appelez l'API Chronicle Ingestion pour identifier le client.
- Nom d'hôte : point de terminaison de l'API Ingestion. Pour les clients aux États-Unis, il doit s'agir de malachiteingestion-pa.googleapis.com. Pour les autres régions, consultez la documentation sur les points de terminaison régionaux.
Cliquez sur Add Configuration (Ajouter une configuration) pour ajouter la nouvelle configuration du fournisseur.

Collecter des données contextuelles pour l'accès contextuel Chrome Enterprise Premium

Configurez des flux pour ingérer du contenu Chrome Enterprise Premium spécifique à Identity-Aware Proxy (IAP) et aux données d'accès contextuel.

Qui doit activer l'API Identity-Aware Proxy ?

Les clients Chrome Enterprise Premium qui utilisent les données Identity-Aware Proxy (IAP) doivent l'activer.
Pour les clients Chrome Enterprise Premium qui n'utilisent pas les données Identity-Aware Proxy, l'activation de l'API Identity-Aware Proxy est facultative (mais recommandée). Cela ajoute des champs de données d'accès contextuel supplémentaires à vos données de journaux.

Pour activer l'API Identity-Aware Proxy, suivez les étapes décrites dans Collecter des données sur l'accès contextuel Chrome Enterprise Premium.

Vérifier le flux de données

Pour vérifier le flux de données :

Ouvrez votre instance Google SecOps.
Accédez à Menu > Rechercher.
Exécutez la requête de recherche suivante pour rechercher des événements bruts et non analysés : metadata.log_type = "CHROME_MANAGEMENT"

Types de journaux acceptés

Les sections suivantes s'appliquent au parseur CHROME_MANAGEMENT.

Événements de journaux compatibles

Catégorie de sécurité	Type d'événement
`Audit Activity`	`CONTENT_TRANSFER` `CONTENT_UNSCANNED` `EXTENSION_REQUEST` `LOGIN_EVENT` `MALWARE_TRANSFER` `PASSWORD_BREACH` `SENSITIVE_DATA_TRANSFER` `UNSAFE_SITE_VISIT` `browserExtensionInstallEvent` `browserCrashEvent` `extensionTelemetryEvent` `loginEvent` `passwordChangedEvent`
`ChromeOS`	Échec de la connexion à ChromeOS `(CHROME_OS_LOGIN_FAILURE_EVENT)` Connexion à ChromeOS réussie `(CHROME_OS_LOGIN_EVENT)` Déconnexion de ChromeOS `(CHROME_OS_LOGOUT_EVENT)` Utilisateur ChromeOS ajouté `(CHROME_OS_ADD_USER)` Utilisateur ChromeOS supprimé `(CHROME_OS_REMOVE_USER)` Verrouillage de ChromeOS réussi `(CHROMEOS_AFFILIATED_LOCK_SUCCESS)` Déverrouillage de ChromeOS réussi `(CHROMEOS_AFFILIATED_UNLOCK_SUCCESS)` Échec du déverrouillage de ChromeOS `(CHROMEOS_AFFILIATED_UNLOCK_FAILURE)` Changement de l'état de démarrage de l'appareil ChromeOS `(CHROMEOS_DEVICE_BOOT_STATE_CHANGE)` Périphérique USB ChromeOS ajouté `(CHROMEOS_PERIPHERAL_ADDED)` Périphérique USB ChromeOS retiré `(CHROMEOS_PERIPHERAL_REMOVED)` Modification de l'état USB ChromeOS `(CHROMEOS_PERIPHERAL_STATUS_UPDATED)` Hôte du bureau à distance ChromeOS démarré `(CHROME_OS_CRD_HOST_STARTED)` Client du bureau à distance ChromeOS connecté `(CHROME_OS_CRD_CLIENT_CONNECTED)` Client du bureau à distance ChromeOS déconnecté `(CHROME_OS_CRD_CLIENT_DISCONNECTED)` Hôte du bureau à distance ChromeOS arrêté `(CHROME_OS_CRD_HOST_ENDED)`
`Credential Security`	`passwordReuseEvent` `passwordBreachEvent`
`Data Protection`	`dataAccessControlEvent` `sensitiveDataEvent` `sensitiveDataTransferEvent`
`File Transfer`	`contentTransferEvent` `dangerousDownloadEvent` `unscannedFileEvent`
`Malicious Activity`	`badNavigationEvent` `dangerousDownloadEvent` `malwareTransferEvent`
`Navigation`	`interstitialEvent` `urlFilteringInterstitialEvent` `urlNavigationEvent` `SafeBrowsingInterstitialEvent` `suspiciousUrlEvent`

Formats de journaux Chrome acceptés

L'analyseur CHROME_MANAGEMENT est compatible avec les journaux au format JSON.

Exemple de journal Chrome compatible

Exemple de journal brut à ingérer par l'analyseur Chrome Management, au format JSON :

JSON :

{
  "event": "badNavigationEvent",
  "time": "1622093983.104",
  "reason": "SOCIAL_ENGINEERING",
  "result": "EVENT_RESULT_WARNED",
  "device_name": "",
  "device_user": "",
  "profile_user": "sample@domain.io",
  "url": "https://test.domain.com/s/phishing.html",
  "device_id": "e9806c71-0f4e-4dfa-8c52-93c05420bb8f",
  "os_platform": "",
  "os_version": "",
  "browser_version": "109.0.5414.120",
  "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36",
  "client_type": "CHROME_BROWSER_PROFILE"
}

Référence du mappage de champs

Les tableaux de mappage des champs suivants sont pertinents pour l'analyseur CHROME_MANAGEMENT (type de journal).

Cette section explique comment l'analyseur Google SecOps mappe les champs de journaux Chrome aux champs du modèle de données unifié (UDM) Google SecOps pour les ensembles de données.

Référence du mappage des champs : identifiant d'événement vers type d'événement

Le tableau suivant liste les types de journaux CHROME_MANAGEMENT et les types d'événements UDM correspondants.

Event Identifier	Event Type	Security Category
`badNavigationEvent - SOCIAL_ENGINEERING`	`USER_RESOURCE_ACCESS`	`SOCIAL_ENGINEERING`
`badNavigationEvent - SSL_ERROR`	`USER_RESOURCE_ACCESS`	`NETWORK_SUSPICIOUS`
`badNavigationEvent - MALWARE`	`USER_RESOURCE_ACCESS`	`SOFTWARE_MALICIOUS`
`badNavigationEvent - UNWANTED_SOFTWARE`	`USER_RESOURCE_ACCESS`	`SOFTWARE_PUA`
`badNavigationEvent - THREAT_TYPE_UNSPECIFIED`	`USER_RESOURCE_ACCESS`	`SOFTWARE_MALICIOUS`
`browserCrashEvent`	`STATUS_UPDATE`
`browserExtensionInstallEvent`	`USER_RESOURCE_UPDATE_CONTENT`
`Extension install - BROWSER_EXTENSION_INSTALL`	`USER_RESOURCE_UPDATE_CONTENT`
`EXTENSION_REQUEST`	`USER_UNCATEGORIZED`
`CHROME_OS_ADD_USER - CHROMEOS_AFFILIATED_USER_ADDED`	`USER_CREATION`
`CHROME_OS_ADD_USER - CHROMEOS_UNAFFILIATED_USER_ADDED`	`USER_CREATION`
`ChromeOS user added - CHROMEOS_UNAFFILIATED_USER_ADDED`	`USER_CREATION`
`ChromeOS user removed - CHROMEOS_UNAFFILIATED_USER_REMOVED`	`USER_DELETION`
`CHROME_OS_REMOVE_USER - CHROMEOS_AFFILIATED_USER_REMOVED`	`USER_DELETION`
`CHROME_OS_REMOVE_USER - CHROMEOS_UNAFFILIATED_USER_REMOVED`	`USER_DELETION`
`Login events`	`USER_LOGIN`
`LOGIN_EVENT - CHROMEOS_UNAFFILIATED_LOGIN`	`USER_LOGIN`
`loginEvent`	`USER_LOGIN`
`ChromeOS login success`	`USER_LOGIN`
`CHROME_OS_LOGIN_EVENT - CHROMEOS_AFFILIATED_LOGIN`	`USER_LOGIN`
`CHROME_OS_LOGIN_EVENT - CHROMEOS_UNAFFILIATED_LOGIN`	`USER_LOGIN`
`CHROME_OS_LOGIN_EVENT - CHROMEOS_GUEST_LOGIN`	`USER_LOGIN`
`CHROME_OS_LOGIN_EVENT - CHROMEOS_KIOSK_SESSION_LOGIN`	`USER_LOGIN`
`CHROME_OS_LOGIN_EVENT - CHROMEOS_GUEST_SESSION_LOGIN`	`USER_LOGIN`
`CHROME_OS_LOGIN_EVENT - CHROMEOS_MANAGED_GUEST_SESSION_LOGIN`	`USER_LOGIN`
`ChromeOS login failure - CHROMEOS_AFFILIATED_LOGIN`	`USER_LOGIN`
`CHROME_OS_LOGIN_FAILURE_EVENT - CHROMEOS_AFFILIATED_LOGIN`	`USER_LOGIN`
`CHROME_OS_LOGIN_FAILURE_EVENT - CHROMEOS_UNAFFILIATED_LOGIN`	`USER_LOGIN`
`CHROME_OS_LOGIN_LOGOUT_EVENT - CHROMEOS_AFFILIATED_LOGIN`	`USER_LOGIN`
`CHROME_OS_LOGOUT_EVENT - CHROMEOS_AFFILIATED_LOGOUT`	`USER_LOGOUT`
`CHROME_OS_LOGOUT_EVENT - CHROMEOS_GUEST_LOGOUT`	`USER_LOGOUT`
`CHROME_OS_LOGOUT_EVENT - CHROMEOS_MANAGED_GUEST_SESSION_LOGOUT`	`USER_LOGOUT`
`CHROME_OS_LOGOUT_EVENT - CHROMEOS_UNAFFILIATED_LOGOUT`	`USER_LOGOUT`
`CHROME_OS_LOGOUT_EVENT - CHROMEOS_KIOSK_SESSION_LOGOUT`	`USER_LOGOUT`
`CHROME_OS_LOGOUT_EVENT - CHROMEOS_GUEST_SESSION_LOGOUT`	`USER_LOGOUT`
`ChromeOS logout - CHROMEOS_AFFILIATED_LOGOUT`	`USER_LOGOUT`
`CHROME_OS_REPORTING_DATA_LOST`	`STATUS_UPDATE`
`ChromeOS CRD client connected - CHROMEOS_CRD_CLIENT_CONNECTED`	`USER_LOGIN`
`ChromeOS CRD client disconnected`	`USER_LOGOUT`
`CHROME_OS_CRD_HOST_STARTED - CHROMEOS_CRD_HOST_STARTED`	`STATUS_STARTUP`
`ChromeOS CRD host started - CHROMEOS_CRD_HOST_STARTED`	`STATUS_STARTUP`
`ChromeOS CRD host stopped - CHROMEOS_CRD_HOST_ENDED`	`STATUS_STARTUP`
`ChromeOS device boot state change - CHROME_OS_VERIFIED_MODE`	`SETTING_MODIFICATION`
`ChromeOS device boot state change - CHROME_OS_DEV_MODE`	`SETTING_MODIFICATION`
`DEVICE_BOOT_STATE_CHANGE - CHROME_OS_VERIFIED_MODE`	`SETTING_MODIFICATION`
`ChromeOS lock success - CHROMEOS_AFFILIATED_LOCK_SUCCESS`	`USER_LOGOUT`
`ChromeOS unlock success - CHROMEOS_AFFILIATED_UNLOCK_SUCCESS`	`USER_LOGIN`
`ChromeOS unlock failure - CHROMEOS_AFFILIATED_LOGIN`	`USER_LOGIN`
`ChromeOS USB device added - CHROMEOS_PERIPHERAL_ADDED`	`USER_RESOURCE_ACCESS`
`ChromeOS USB device removed - CHROMEOS_PERIPHERAL_REMOVED`	`USER_RESOURCE_DELETION`
`ChromeOS USB status change - CHROMEOS_PERIPHERAL_STATUS_UPDATED`	`USER_RESOURCE_UPDATE_CONTENT`
`CHROMEOS_PERIPHERAL_STATUS_UPDATED - CHROMEOS_PERIPHERAL_STATUS_UPDATED`	`USER_RESOURCE_UPDATE_CONTENT`
`Client Side Detection`	`USER_UNCATEGORIZED`
`Content transfer`	`SCAN_FILE`
`CONTENT_TRANSFER`	`SCAN_FILE`
`contentTransferEvent`	`SCAN_FILE`
`Content unscanned`	`SCAN_UNCATEGORIZED`
`CONTENT_UNSCANNED`	`SCAN_UNCATEGORIZED`
`dataAccessControlEvent`	`USER_RESOURCE_ACCESS`
`dangerousDownloadEvent - Dangerous`	`SCAN_FILE`	`SOFTWARE_PUA`
`dangerousDownloadEvent - DANGEROUS_HOST`	`SCAN_HOST`
`dangerousDownloadEvent - UNCOMMON`	`SCAN_UNCATEGORIZED`
`dangerousDownloadEvent - POTENTIALLY_UNWANTED`	`SCAN_UNCATEGORIZED`	`SOFTWARE_PUA`
`dangerousDownloadEvent - UNKNOWN`	`SCAN_UNCATEGORIZED`
`dangerousDownloadEvent - DANGEROUS_URL`	`SCAN_UNCATEGORIZED`
`dangerousDownloadEvent - UNWANTED_SOFTWARE`	`SCAN_FILE`	`SOFTWARE_PUA`
`dangerousDownloadEvent - DANGEROUS_FILE_TYPE`	`SCAN_FILE`	`SOFTWARE_MALICIOUS`
`Desktop DLP Warnings`	`USER_UNCATEGORIZED`
`DLP_EVENT`	`USER_UNCATEGORIZED`
`interstitialEvent - Malware`	`NETWORK_HTTP`	`NETWORK_SUSPICIOUS`
`IOS/OSX Warnings`	`SCAN_UNCATEGORIZED`
`Malware transfer - MALWARE_TRANSFER_DANGEROUS`	`SCAN_FILE`	`SOFTWARE_MALICIOUS`
`MALWARE_TRANSFER - MALWARE_TRANSFER_UNCOMMON`	`SCAN_FILE`	`SOFTWARE_MALICIOUS`
`MALWARE_TRANSFER - MALWARE_TRANSFER_DANGEROUS`	`SCAN_FILE`	`SOFTWARE_MALICIOUS`
`MALWARE_TRANSFER - MALWARE_TRANSFER_UNWANTED_SOFTWARE`	`SCAN_FILE`	`SOFTWARE_MALICIOUS`
`MALWARE_TRANSFER - MALWARE_TRANSFER_UNKNOWN`	`SCAN_FILE`	`SOFTWARE_MALICIOUS`
`MALWARE_TRANSFER - MALWARE_TRANSFER_DANGEROUS_HOST`	`SCAN_FILE`	`SOFTWARE_MALICIOUS`
`malwareTransferEvent - DANGEROUS`	`SCAN_FILE`	`SOFTWARE_MALICIOUS`
`malwareTransferEvent - UNSPECIFIED`	`SCAN_FILE`	`SOFTWARE_MALICIOUS`
`Password breach`	`USER_RESOURCE_ACCESS`
`PASSWORD_BREACH`	`USER_RESOURCE_ACCESS`
`passwordBreachEvent - PASSWORD_ENTRY`	`USER_RESOURCE_ACCESS`
`Password changed`	`USER_CHANGE_PASSWORD`
`PASSWORD_CHANGED`	`USER_CHANGE_PASSWORD`
`passwordChangedEvent`	`USER_CHANGE_PASSWORD`
`Password reuse - PASSWORD_REUSED_UNAUTHORIZED_SITE`	`USER_RESOURCE_ACCESS`	`POLICY_VIOLATION, AUTH_VIOLATION`
`Password reuse - PASSWORD_REUSED_PHISHING_URL`	`USER_UNCATEGORIZED`	`PHISHING`
`PASSWORD_REUSE - PASSWORD_REUSED_UNAUTHORIZED_SITE`	`USER_RESOURCE_ACCESS`	`POLICY_VIOLATION, AUTH_VIOLATION`
`passwordReuseEvent - Unauthorized site`	`USER_RESOURCE_ACCESS`	`POLICY_VIOLATION, AUTH_VIOLATION`
`passwordReuseEvent - PASSWORD_REUSED_PHISHING_URL`	`USER_UNCATEGORIZED`	`PHISHING`
`passwordReuseEvent - PASSWORD_REUSED_UNAUTHORIZED_SITE`	`USER_RESOURCE_ACCESS`	`POLICY_VIOLATION, AUTH_VIOLATION`
`Permissions Blacklisting`	`RESOURCE_PERMISSIONS_CHANGE`
`Sensitive data transfer`	`SCAN_FILE`	`DATA_EXFILTRATION`
`SENSITIVE_DATA_TRANSFER`	`SCAN_FILE`	`DATA_EXFILTRATION`
`sensitiveDataEvent - [test_user_5] warn`	`SCAN_FILE`	`DATA_EXFILTRATION`
`sensitiveDataTransferEvent`	`SCAN_FILE`	`DATA_EXFILTRATION`
`Unsafe site visit - UNSAFE_SITE_VISIT_SSL_ERROR`	`USER_RESOURCE_ACCESS`	`NETWORK_SUSPICIOUS`
`UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_MALWARE`	`USER_RESOURCE_ACCESS`	`SOFTWARE_MALICIOUS`
`UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_UNWANTED_SOFTWARE`	`USER_RESOURCE_ACCESS`	`SOFTWARE_SUSPICIOUS`
`UNSAFE_SITE_VISIT - EVENT_REASON_UNSPECIFIED`	`USER_RESOURCE_ACCESS`
`UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_SOCIAL_ENGINEERING`	`USER_RESOURCE_ACCESS`	`SOCIAL_ENGINEERING`
`UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_SSL_ERROR`	`USER_RESOURCE_ACCESS`	`NETWORK_SUSPICIOUS`
`unscannedFileEvent - FILE_PASSWORD_PROTECTED`	`SCAN_FILE`
`unscannedFileEvent - FILE_TOO_LARGE`	`SCAN_FILE`
`urlFilteringInterstitialEvent`	`USER_RESOURCE_ACCESS`	`POLICY_VIOLATION`
`extensionTelemetryEvent`	If the `telemetry_event_signals.signal_name` log field value is equal to the `COOKIES_GET_ALL_INFO, COOKIES_GET_INFO, TABS_API_INFO`, then the `event_type` set to `USER_RESOURCE_ACCESS`. Else, if the `telemetry_event_signals.signal_name` log field value is equal to `REMOTE_HOST_CONTACTED_INFO`, then if the `telemetry_event_signals.connection_protocol` log field value is equal to `HTTP_HTTPS`, then the `event_type` is set to `NETWORK_HTTP`. Else, the `event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.	If the `telemetry_event_signals.signal_name` log field value is equal to `REMOTE_HOST_CONTACTED_INFO`, then the `security category` is set to `NETWORK_SUSPICIOUS`. Else, if the `telemetry_event_signals.signal_name` log field value contain one of the following values, then the `security category` UDM field is set to `SOFTWARE_SUSPICIOUS`. `COOKIES_GET_INFO` `COOKIES_GET_ALL_INFO`

Référence du mappage de champ : CHROME_MANAGEMENT

Le tableau suivant liste les champs de journaux du type de journal CHROME_MANAGEMENT et les champs UDM correspondants.

Log field	UDM mapping	Logic
`id.customerId`	`about.resource.product_object_id`
`event_detail`	`metadata.description`
`time`	`metadata.event_timestamp`
`events.parameters.name [TIMESTAMP]`	`metadata.event_timestamp`
`event`	`metadata.product_event_type`
`events.name`	`metadata.product_event_type`
`id.uniqueQualifier`	`metadata.product_log_id`
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Chrome Management`.
`id.applicationName`
	`metadata.vendor_name`	The `metadata.vendor_name` UDM field is set to `GOOGLE`.
`user_agent`	`network.http.user_agent`
`userAgent`	`network.http.user_agent`
`events.parameters.name [USER_AGENT]`	`network.http.user_agent`
`events.parameters.name [SESSION_ID]`	`network.session_id`
`client_type`	`principal.application`
`clientType`	`principal.application`
`events.parameters.name [CLIENT_TYPE]`	`principal.application`
`device_id`	`principal.asset.product_object_id`
`deviceId`	`principal.asset.product_object_id`
`events.parameters.name [DEVICE_ID]`	`principal.asset.product_object_id`
`device_name`	`principal.hostname`
`deviceName`	`principal.hostname`
`events.parameters.name [DEVICE_NAME]`	`principal.hostname`
`os_platform`	`principal.platform`	The `principal.platform` UDM field is set to one of the following values: `LINUX` if the `os_platform` log field value is matched with regular expression pattern `linux`. `MAC` if the `os_platform` log field value is matched with regular expression pattern `mac`. `WINDOWS` if the `os_platform` log field value is matched with regular expression pattern `windows`. `CHROME_OS` if the `os_platform` log field value is matched with regular expression pattern `chromeos`. Else, if the `os_platform` log field value is not empty and `osVersion` log field value is not empty, then the `os_platform osVersion` log field is mapped to the `principal.platform_version` UDM field.
`os_platform`	`principal.asset.platform_software.platform`	The `principal.asset.platform_software.platform` UDM field is set to one of the following values: `LINUX` if the `os_platform` log field value is matched with regular expression pattern `linux`. `MAC` if the `os_platform` log field value is matched with regular expression pattern `mac`. `WINDOWS` if the `os_platform` log field value is matched with regular expression pattern `windows`. `CHROME_OS` if the `os_platform` log field value is matched with regular expression pattern `chromeos`.
`os_platform`	`principal.asset.platform_software.platform`	The `principal.asset.platform_software.platform` UDM field is set to one of the following values: `LINUX` if the `os_platform` log field value is matched with regular expression pattern `linux`. `MAC` if the `os_platform` log field value is matched with regular expression pattern `mac`. `WINDOWS` if the `os_platform` log field value is matched with regular expression pattern `windows`. `CHROME_OS` if the `os_platform` log field value is matched with regular expression pattern `chromeos`.
`osPlatform`	`principal.platform`	The `principal.platform` UDM field is set to one of the following values: `LINUX` if the `osPlatform` log field value is matched with regular expression pattern `linux`. `MAC` if the `osPlatform` log field value is matched with regular expression pattern `mac`. `WINDOWS` if the `osPlatform` log field value is matched with regular expression pattern `windows`. `CHROME_OS` if the `osPlatform` log field value is matched with regular expression pattern `chromeos`. Else, if the `osPlatform` log field value is not empty and `osVersion` log field value is not empty, then the `osPlatform osVersion` log field is mapped to the `principal.platform_version` UDM field.
`osPlatform`	`principal.asset.platform_software.platform`	The `principal.asset.platform_software.platform` UDM field is set to one of the following values: `LINUX` if the `osPlatform` log field value is matched with regular expression pattern `linux`. `MAC` if the `osPlatform` log field value is matched with regular expression pattern `mac`. `WINDOWS` if the `osPlatform` log field value is matched with regular expression pattern `windows`. `CHROME_OS` if the `osPlatform` log field value is matched with regular expression pattern `chromeos`.
`events.parameters.name [DEVICE_PLATFORM]`	`principal.platform`	The `os_platform` and `os_version` is extracted from the `events.parameters.name [DEVICE_PLATFORM]` log field using Grok pattern. The `principal.platform` UDM field is set to one of the following values: `LINUX` if the `os_platform` log field value is matched with regular expression pattern `linux`. `MAC` if the `os_platform` log field value is matched with regular expression pattern `mac`. `WINDOWS` if the `os_platform` log field value is matched with regular expression pattern `windows`. `CHROME_OS` if the `os_platform` log field value is matched with regular expression pattern `chromeos`. Else, if the `os_platform` log field value is not empty and `osVersion` log field value is not empty, then the `os_platform osVersion` log field is mapped to the `principal.platform_version` UDM field.
`events.parameters.name [DEVICE_PLATFORM]`	`principal.asset.platform_software.platform`	The `os_platform` is extracted from the `events.parameters.name [DEVICE_PLATFORM]` log field using Grok pattern. The `principal.asset.platform_software.platform` UDM field is set to one of the following values: `LINUX` if the `os_platform` log field value is matched with regular expression pattern `linux`. `MAC` if the `os_platform` log field value is matched with regular expression pattern `mac`. `WINDOWS` if the `os_platform` log field value is matched with regular expression pattern `windows`. `CHROME_OS` if the `os_platform` log field value is matched with regular expression pattern `chromeos`.
`os_version`	`principal.platform_version`
`osVersion`	`principal.platform_version`
`events.parameters.name [DEVICE_PLATFORM]`	`principal.platform_version`	The `Version` is extracted from the `events.parameters.name [DEVICE_PLATFORM]` log field using Grok pattern.
`device_id`	`principal.resource.id`
`deviceId`	`principal.resource.id`
`events.parameters.name [DEVICE_ID]`	`principal.resource.id`
`directory_device_id`	`principal.resource.product_object_id`
`events.parameters.name [DIRECTORY_DEVICE_ID]`	`principal.resource.product_object_id`
	`principal.resource.resource_subtype`	If the `event` log field value is equal to `CHROMEOS_PERIPHERAL_STATUS_UPDATED`, then the `principal.resource.resource_subtype` UDM field is set to `USB`. Else, if the `events.name` log field value is equal to `CHROMEOS_PERIPHERAL_STATUS_UPDATED`, then the `principal.resource.resource_subtype` UDM field is set to `USB`.
	`principal.resource.resource_type`	If the `device_id` log field value is not empty, then the `principal.resource.resource_type` UDM field is set to `DEVICE`.
`actor.email`	`principal.user.email_addresses`
`actor.profileId`	`principal.user.userid`
`result`	`security_result.action_details`
`events.parameters.name [EVENT_RESULT]`	`security_result.action_details`
`event_result`	`security_result.action_details`
	`security_result.action`	The `security_result.action` UDM field is set to one of the following values: `ALLOW` if the `result` or `events.parameters.name [EVENT_RESULT]` log field value is matched with regular expression pattern `ALLOWED` or `EVENT_RESULT_ALLOWED`. `BLOCK` if the `result` or `events.parameters.name [EVENT_RESULT]` log field value is matched with regular expression pattern `BLOCKED` or `EVENT_RESULT_BLOCKED`.
`reason`	`security_result.category_details`
`events.parameters.name [EVENT_REASON]`	`security_result.category_details`
`events.parameters.name [EVENT_REASON]`	`security_result.summary`
`events.parameters.name [LOGIN_FAILURE_REASON]`	`security_result.description`
`events.parameters.name [REMOVE_USER_REASON]`	`security_result.description`	If the `events.name` log field value is equal to `CHROME_OS_REMOVE_USER`, then the `events.parameters.name` `REMOVE_USER_REASON` log field value is mapped to the `security_result.description` UDM field.
`triggered_rules`	`security_result.rule_name`
`events.type`	`security_result.category_details`
`events.parameters.name [PRODUCT_NAME]`	`target.application`	If the `events.name` log field value contains one of the following values, then the `events.parameters.name [PRODUCT_NAME]` log field is mapped to the `target.resource.name` UDM field: `ChromeOS USB device added` `ChromeOS USB device removed` `ChromeOS USB status change` `CHROMEOS_PERIPHERAL_STATUS_UPDATED`
`content_name`	`target.file.full_path`
`contentName`	`target.file.full_path`
`events.parameters.name [CONTENT_NAME]`	`target.file.full_path`
`content_type`	`target.file.mime_type`
`contentType`	`target.file.mime_type`
`events.parameters.name [CONTENT_TYPE]`	`target.file.mime_type`
`content_hash`	`target.file.sha256`
`events.parameters.name [CONTENT_HASH]`	`target.file.sha256`
`content_size`	`target.file.size`
`contentSize`	`target.file.size`
`events.parameters.name [CONTENT_SIZE]`	`target.file.size`
	`target.file.file_type`	The `fileType` is extracted from the `content_name` log field using Grok pattern, Then `target.file.file_type` UDM field is set to one of the following values: `FILE_TYPE_ZIP` if the `fileType` value is equal to `zip`. `FILE_TYPE_DOS_EXE` if the `fileType` value is equal to `exe`. `FILE_TYPE_PDF` if the `fileType` value is equal to `pdf`. `FILE_TYPE_XLSX` if the `fileType` value is equal to `xlsx`.
`extension_id`	`target.resource.product_object_id`
`events.parameters.name [APP_ID]`	`target.resource.product_object_id`
`extension_name`	`target.resource.name`	If the `event` log field value is equal to `badNavigationEvent` or the `events.name` log field value is equal to `badNavigationEvent`, then the `extension_name` log field is mapped to the `target.resource.name` UDM field.
`telemetry_event_signals.signal_name`	`target.resource.name`	If the `event` log field value is equal to `extensionTelemetryEvent`, then the `telemetry_event_signals.signal_name` log field is mapped to the `target.resource.name` UDM field.
`events.parameters.name [APP_NAME]`	`target.resource.name`
`url`	`target.url`
`events.parameters.name [URL]`	`target.url`
`telemetry_event_signals.url`	`target.url`	If the `telemetry_event_signals.url` log field value matches the regular expression pattern the `[http:\/\/ or https:\/\/].*`, then the `telemetry_event_signals.url` log field is mapped to the `target.url` UDM field.
`device_user`	`target.user.userid`
`deviceUser`	`principal.user.userid`	If the `event` log field value is equal to `passwordChangedEvent`, then the `deviceUser` log field is mapped to the `principal.user.userid` UDM field. Else, the `deviceUser` log field is mapped to the `principal.user.user_display_name` UDM field.
`events.parameters.name [DEVICE_USER]`	If the `event` log field value is equal to `passwordChangedEvent`, then the `events.parameters.name [DEVICE_USER]` log field is mapped to the `principal.user.userid` UDM field. Else, the `events.parameters.name [DEVICE_USER]` log field is mapped to the `principal.user.user_display_name` UDM field.
`scan_id`	`about.labels [scan_id]`
`events.parameters.name [CONNECTION_TYPE]`	`about.labels [connection_type]`
`etag`	`about.labels [etag]`
`kind`	`about.labels [kind]`
`actor.key`	`principal.user.attribute.labels [actor_key]`
`actor.callerType`	`principal.user.attribute.labels [actor_callerType]`
`events.parameters.name [EVIDENCE_LOCKER_FILEPATH]`	`security_result.about.labels [evidence_locker_filepath]`
`federated_origin`	`security_result.about.labels [federated_origin]`
`is_federated`	`security_result.about.labels [is_federated]`
`destination`	`security_result.about.labels [trigger_destination]`
`events.parameters.name [TRIGGER_DESTINATION]`	`security_result.about.labels [trigger_destination]`
`source`	`security_result.about.labels [trigger_source]`
`events.parameters.name [TRIGGER_SOURCE]`	`security_result.about.labels [trigger_source]`
`trigger_type`	`security_result.about.labels [trigger_type]`
`trigger_type`	`additional.fields [trigger_type]`
`triggerType`	`security_result.about.labels [trigger_type]`
`triggerType`	`additional.fields [trigger_type]`
`events.parameters.name [TRIGGER_TYPE]`	`security_result.about.labels [trigger_type]`
`trigger_user`	`security_result.about.labels [trigger_user]`
`events.parameters.name [TRIGGER_USER]`	`security_result.about.labels [trigger_user]`
`events.parameters.name [MALWARE_CATEGORY]`	`security_result.threat_name`
`events.parameters.name [MALWARE_FAMILY]`	`security_result.detection_fields [malware_family]`
`events.parameters.name [VENDOR_ID]`	`src.labels [vendor_id]`
`events.parameters.name [VENDOR_NAME]`	`src.labels [vendor_name]`
`events.parameters.name [VIRTUAL_DEVICE_ID]`	`src.labels [virtual_device_id]`
`events.parameters.name [VIRTUAL_DEVICE_ID]`	`additional.fields [virtual_device_id]`
`events.parameters.name [NEW_BOOT_MODE]`	`target.asset.attribute.labels [new_boot_mode]`
`events.parameters.name [PREVIOUS_BOOT_MODE]`	`target.asset.attribute.labels [previous_boot_mode]`
`id.time`	`target.asset.attribute.labels [timestamp]`
`events.parameters.name [PRODUCT_ID]`	`target.labels [product_id]`	If the `events.name` log field value contains one of the following values, then the `events.parameters.name [PRODUCT_ID]` log field is mapped to the `target.resource.product_object_id` UDM field: `CHROMEOS_PERIPHERAL_ADDED` `CHROMEOS_PERIPHERAL_REMOVED` `CHROMEOS_PERIPHERAL_STATUS_UPDATED` Else, the `events.parameters.name [PRODUCT_ID]` log field is mapped to the `target.labels` UDM field.
	`extensions.auth.mechanism`	If the `events.name` log field value contains one of the following values, then the `extensions.auth.mechanism` UDM field is set to `USERNAME_PASSWORD`: `CHROME_OS_LOGIN_EVENT` `loginEvent` `CHROME_OS_LOGIN_FAILURE_EVENT` `CHROMEOS_AFFILIATED_UNLOCK_SUCCESS` `CHROME_OS_CRD_CLIENT_CONNECTED` `CHROME_OS_LOGOUT_EVENT` `CHROMEOS_AFFILIATED_LOCK_SUCCESS`
`events.parameters.name [UNLOCK_TYPE]`	`target.labels [unlock_type]`
`extension_description`	`target.resource.attribute.labels [extension_description]`
`extension_action`	`target.resource.attribute.labels [extension_action]`
`extension_version`	`target.resource.attribute.labels [extension_version]`	If the `event` log field value is not equal to `extensionTelemetryEvent`, then the `extension_version` log field is mapped to the `target.resource.attribute.labels[extension_version]` UDM field.
`extension_source`	`target.resource.attribute.labels[extension_source]`	If the `event` log field value is not equal to `extensionTelemetryEvent`, then the `extension_source` log field is mapped to the `target.resource.attribute.labels[extension_source]` UDM field.
`browser_version`	`target.resource.attributes.labels [browser_version]`
`browserVersion`	`target.resource.attributes.labels [browser_version]`
`events.parameters.name [BROWSER_VERSION]`	`target.resource.attributes.labels [browser_version]`
`profile_user`	`target.user.email_addresses`	If the `event` log field value contain one of the following values and the `profile_user` log field value matches the regular expression pattern `^.+@.+$`, then the `profile_user` log field is mapped to the `target.user.email_addresses` UDM field. `CHROME_OS_LOGIN_EVENT` `loginEvent` `CHROME_OS_LOGIN_FAILURE_EVENT` `CHROMEOS_AFFILIATED_UNLOCK_SUCCESS` `CHROME_OS_CRD_CLIENT_CONNECTED` `CHROME_OS_LOGOUT_EVENT` `CHROMEOS_AFFILIATED_LOCK_SUCCESS` .
`profile_user`	`principal.user.email_addresses`	If the `event` log field value does not contain one of the following values and the `profile_user` log field value matches the regular expression pattern `^.+@.+$` and the `actor.email` log field value is not equal to the `profile_user`, then the `profile_user` log field is mapped to the `principal.user.email_addresses` UDM field. `CHROME_OS_LOGIN_EVENT` `loginEvent` `CHROME_OS_LOGIN_FAILURE_EVENT` `CHROMEOS_AFFILIATED_UNLOCK_SUCCESS` `CHROME_OS_CRD_CLIENT_CONNECTED` `CHROME_OS_LOGOUT_EVENT` `CHROMEOS_AFFILIATED_LOCK_SUCCESS` .
`profile_user`	`target.user.attribute.labels[profile_user_name]`	If the `event` log field value contain one of the following values and the `profile_user` log field value does not match the regular expression pattern `^.+@.+$`, then the `profile_user` log field is mapped to the `target.user.attribute.labels.profile_user_name` UDM field. `CHROME_OS_LOGIN_EVENT` `loginEvent` `CHROME_OS_LOGIN_FAILURE_EVENT` `CHROMEOS_AFFILIATED_UNLOCK_SUCCESS` `CHROME_OS_CRD_CLIENT_CONNECTED` `CHROME_OS_LOGOUT_EVENT` `CHROMEOS_AFFILIATED_LOCK_SUCCESS` .
`profile_user`	`principal.user.attribute.labels[profile_user_name]`	If the `event` log field value does not contain one of the following values and the `profile_user` log field value does not match the regular expression pattern `^.+@.+$` or the `actor.email` log field value is equal to the `profile_user`, then the `profile_user` log field is mapped to the `principal.user.attribute.labels.profile_user_name` UDM field. `CHROME_OS_LOGIN_EVENT` `loginEvent` `CHROME_OS_LOGIN_FAILURE_EVENT` `CHROMEOS_AFFILIATED_UNLOCK_SUCCESS` `CHROME_OS_CRD_CLIENT_CONNECTED` `CHROME_OS_LOGOUT_EVENT` `CHROMEOS_AFFILIATED_LOCK_SUCCESS` .
`events.parameters.name [PROFILE_USER_NAME]`	`target.user.email_addresses`	If the `event` log field value contain one of the following values and the `events.parameters.name [PROFILE_USER_NAME]` log field value matches the regular expression pattern `^.+@.+$`, then the `events.parameters.name [PROFILE_USER_NAME]` log field is mapped to the `target.user.email_addresses` UDM field. `CHROME_OS_LOGIN_EVENT` `loginEvent` `CHROME_OS_LOGIN_FAILURE_EVENT` `CHROMEOS_AFFILIATED_UNLOCK_SUCCESS` `CHROME_OS_CRD_CLIENT_CONNECTED` `CHROME_OS_LOGOUT_EVENT` `CHROMEOS_AFFILIATED_LOCK_SUCCESS` .
`events.parameters.name [PROFILE_USER_NAME]`	`principal.user.email_addresses`	If the `event` log field value does not contain one of the following values and the `events.parameters.name [PROFILE_USER_NAME]` log field value matches the regular expression pattern `^.+@.+$` and the `actor.email` log field value is not equal to the `events.parameters.name [PROFILE_USER_NAME]`, then the `events.parameters.name [PROFILE_USER_NAME]` log field is mapped to the `principal.user.email_addresses` UDM field. `CHROME_OS_LOGIN_EVENT` `loginEvent` `CHROME_OS_LOGIN_FAILURE_EVENT` `CHROMEOS_AFFILIATED_UNLOCK_SUCCESS` `CHROME_OS_CRD_CLIENT_CONNECTED` `CHROME_OS_LOGOUT_EVENT` `CHROMEOS_AFFILIATED_LOCK_SUCCESS` .
`events.parameters.name [PROFILE_USER_NAME]`	`target.user.attribute.labels[profile_user_name]`	If the `event` log field value contain one of the following values and the `events.parameters.name [PROFILE_USER_NAME]` log field value does not match the regular expression pattern `^.+@.+$`, then the `events.parameters.name [PROFILE_USER_NAME]` log field is mapped to the `target.user.attribute.labels.profile_user_name` UDM field. `CHROME_OS_LOGIN_EVENT` `loginEvent` `CHROME_OS_LOGIN_FAILURE_EVENT` `CHROMEOS_AFFILIATED_UNLOCK_SUCCESS` `CHROME_OS_CRD_CLIENT_CONNECTED` `CHROME_OS_LOGOUT_EVENT` `CHROMEOS_AFFILIATED_LOCK_SUCCESS` .
`events.parameters.name [PROFILE_USER_NAME]`	`principal.user.attribute.labels[profile_user_name]`	If the `event` log field value does not contain one of the following values and the `events.parameters.name [PROFILE_USER_NAME]` log field value does not match the regular expression pattern `^.+@.+$` or the `actor.email` log field value is equal to the `events.parameters.name [PROFILE_USER_NAME]`, then the `events.parameters.name [PROFILE_USER_NAME]` log field is mapped to the `principal.user.attribute.labels.profile_user_name` UDM field. `CHROME_OS_LOGIN_EVENT` `loginEvent` `CHROME_OS_LOGIN_FAILURE_EVENT` `CHROMEOS_AFFILIATED_UNLOCK_SUCCESS` `CHROME_OS_CRD_CLIENT_CONNECTED` `CHROME_OS_LOGOUT_EVENT` `CHROMEOS_AFFILIATED_LOCK_SUCCESS` .
	`target.resource.resource_type`	If the `events.name` log field value is equal to `DEVICE_BOOT_STATE_CHANGE`, then the `target.resource.resource_type` UDM field is set to `SETTING`.
`url_category`	`target.labels [url_category]`
`browser_channel`	`target.resource.attribute.labels [browser_channel]`
`report_id`	`target.labels [report_id]`
`clickedThrough`	`target.labels [clickedThrough]`
`threat_type`	`security_result.detection_fields [threatType]`
`triggered_rule_info.action`	`security_result.action`	If the `triggered_rule_info.action` log field value contains one of the following values, then the `triggered_rule_info.action` log field is mapped to the `security_result.action` UDM field: `ALLOW` `ALLOW_WITH_MODIFICATION` `BLOCK` `CHALLENGE` `FAIL` `QUARANTINE` `UNKNOWN_ACTION` Else, the `triggered_rule_info.action` log field is mapped to the `security_result.rule_labels [triggeredRuleInfo_action]` UDM field.
`triggered_rule_info.rule_id`	`security_result.rule_id`
`triggered_rule_info.rule_name`	`security_result.rule_name`
`triggered_rule_info.url_category`	`security_result.category_details`
`transfer_method`	`additional.fields [transfer_method]`
`extension_name`	`target.resource_ancestors.name`	If the `event` log field value is `equal` to `extensionTelemetryEvent`, then the `extension_name` log field is mapped to the `target.resource_ancestors.name` UDM field.
`extension_id`	`target.resource_ancestors.product_object_id`	If the `event` log field value is `equal` to `extensionTelemetryEvent`, then the `extension_id` log field is mapped to the `target.resource_ancestors.product_object_id` UDM field.
`extension_version`	`target.resource_ancestors.attribute.labels[extension_version]`	If the `event` log field value is equal to `extensionTelemetryEvent`, then the `extension_version` log field is mapped to the `target.resource_ancestors.attribute.labels[extension_version]` UDM field.
`extension_source`	`target.resource_ancestors.attribute.labels[extension_source]`	If the `event` log field value is equal to `extensionTelemetryEvent`, then the `extension_source` log field is mapped to the `target.resource_ancestors.attribute.labels[extension_source]` UDM field.
`profile_identifier`	`additional.fields[profile_identifier]`
`extension_files_info.file_name`	`target.resource_ancestors.file.names`
`extension_files_info.file_hash.hash`	`target.resource_ancestors.attribute.labels[file_hash]`
`telemetry_event_signals.count`	`target.resource.attribute.labels[count]`
`telemetry_event_signals.tabs_api_method`	`target.resource.attribute.labels[tabs_api_method]`
	`target.hostname`	If the `telemetry_event_signals.url` log field value does not match the regular expression pattern the `[http:\/\/ or https:\/\/].*`, then the `telemetry_event_signals.url` log field is mapped to the `target.hostname` UDM field.
`telemetry_event_signals.destination`	`target.resource.attribute.labels[destination]`
`telemetry_event_signals.source`	`target.resource.attribute.labels[source]`
`telemetry_event_signals.domain`	`target.domain.name`
`telemetry_event_signals.cookie_name`	`target.resource.attribute.labels[cookie_name]`
`telemetry_event_signals.cookie_path`	`target.resource.attribute.labels[cookie_path]`
`telemetry_event_signals.cookie_is_secure`	`target.resource.attribute.labels[cookie_is_secure]`
`telemetry_event_signals.cookie_store_id`	`target.resource.attribute.labels[cookie_store_id]`
`telemetry_event_signals.cookie_is_session`	`target.resource.attribute.labels[cookie_is_session]`
`telemetry_event_signals.connection_protocol`	`network.application_protocol`	If the `telemetry_event_signals.connection_protocol` log field value is equal to `HTTP_HTTPS`, then the `network.application_protocol` UDM field is set to `HTTP` Else, If the `telemetry_event_signals.connection_protocol` log field value is equal to `UNSPECIFIED`, then the `network.application_protocol` UDM field is set to `UNKNOWN_APPLICATION_PROTOCOL` Else, the `telemetry_event_signals.connection_protocol` log field is mapped to the `target.resource.attribute.labels` UDM field.
`telemetry_event_signals.contacted_by`	`target.resource.attribute.labels[contacted_by]`
`local_ips`	`principal.ip`	If the event log field value is equal to `extensionTelemetryEvent`, then the `local_ips` log field is mapped to the `principal.ip` UDM field.
`remote_ip`	`target.ip`	If the event log field value is equal to `extensionTelemetryEvent`, then the `remote_ip` log field is mapped to the `target.ip` UDM field.
`device_fqdn`	`principal.asset.attribute.labels`	If the event log field value is equal to `extensionTelemetryEvent`, then the `device_fqdn` log field is mapped to the `principal.asset.attribute.labels` UDM field.
`network_name`	`principal.network.carrier_name`	If the event log field value is equal to `extensionTelemetryEvent`, then the `network_name` log field is mapped to the `principal.network.carrier_name` UDM field.
`web_app_signed_in_account`	`target.user.email_addresses`	If the `event` log field value contains one of the following values, then the `web_app_signed_in_account` log field is mapped to the `target.user.email_addresses` UDM field: `contentTransferEvent` `sensitiveDataEvent` `urlFilteringInterstitialEvent`

Documentation de référence sur le mappage de champs (version preview)

Tous les champs s'appliquent aux clients Chrome Enterprise Core et Chrome Enterprise Premium. Les champs qui ne s'appliquent qu'aux clients Chrome Enterprise Premium sont indiqués par la mention "[CEP uniquement]".

Documentation de référence sur le mappage de champ : CHROME_MANAGEMENT (version preview)

Le tableau suivant liste les champs de journaux du type de journal CHROME_MANAGEMENT et les champs UDM correspondants.

Log field	UDM mapping	Logic
`pehash_sha256`	`about.file.sha256`	[CEP Only] The SHA256 file hash (`pehash_sha256`) reported from a `dangerousDownloadEvent` or `contentTransferEvent`.
`device_fqdn`	`principal.asset.attribute.labels`	[CEP Only] The device's fully qualified domain name reported in a `urlNavigationEvent`, `suspiciousUrlEvent`, or `urlFilteringInterstitialEvent`. Not reported for unmanaged devices with managed user profiles.
`network_name`	`principal.network.carrier_name`	[CEP Only] The network name (SSID) the device is connected to reported in a `urlNavigationEvent`, `suspiciousUrlEvent`, or `urlFilteringInterstitialEvent`.
`content_risk.threat_type`	`security_result.threat_name`	[CEP Only] The threat type of the content reported in a `dangerousDownloadEvent` or `contentTransferEvent`.
`content_risk_level, content_risk.risk_level`	`security_result.severity`	[CEP Only] The content risk level reported by Safe Browsing in a `dangerousDownloadEvent` or `contentTransferEvent`.
`content_risk.risk_reasons`	`security_result.rule_label`	[CEP Only] The content risk reason reported by Safe Browsing in a `dangerousDownloadEvent` or `contentTransferEvent`.
`content_risk.risk_indicators`	`security_result.detection_fields[content_risk_indicators]`	[CEP Only] The list of indicators from the Safe Browsing risk level in a `dangerousDownloadEvent` or `contentTransferEvent`.
`content_risk.risk_source`	`security_result.detection_fields[content_risk_source]`	[CEP Only] The risk source of the content reported by Safe Browsing in a `dangerousDownloadEvent` or `contentTransferEvent`.
`is_encrypted`	`additional.fields[is_encrypted]`	[CEP Only] Set to `true` if the content is encrypted in `dangerousDownloadEvent` or `contentTransferEvent`.
`server_scan_status`	`additional.fields[server_scan_status]`	[CEP Only] The status of whether the content in `dangerousDownloadEvent` or `contentTransferEvent` was successfully scanned by Safe Browsing.
`url_info.url`	`principal.url`	[CEP Only] The URL of `dangerousDownloadEvent`, `contentTransferEvent`, `urlNavigationEvent`, `suspiciousUrlEvent`, or `urlFilteringInterstitialEvent`.
`url_info.ip`	`principal.ip`	[CEP Only] The IP address of `dangerousDownloadEvent`, `contentTransferEvent`, `urlNavigationEvent`, `suspiciousUrlEvent`, or `urlFilteringInterstitialEvent`.
`url_info.type`	`principal.security_result.detection_fields[url_info_type]`	[CEP Only] The URL type (download, tab, or redirect) of `dangerousDownloadEvent`, `contentTransferEvent`, `urlNavigationEvent`, `suspiciousUrlEvent`, or `urlFilteringInterstitialEvent`.
`url_info.risk_level`	`principal.security_result.severity`	[CEP Only] The risk level of the URL reported by Safe Browsing.
`url_info.risk_infos.risk_level`	`principal.security_result.severity`	[CEP Only] Additional risk information reported by Safe Browsing.
`url_info.navigation_initiator.initiator_type`	`principal.security_result.detection_fields[url_info_initiator_type]`	[CEP Only] This maps the `url_info_initiator_type` in a `dangerousDownloadEvent` or `contentTransferEvent`. In a `urlNavigationEvent`, `suspiciousUrlEvent`, or `urlFilteringInterstitialEvent` this maps the `url_navigation_initiator`.
`url_info.navigation_initiator.entity`	`principal.security_result.detection_fields[url_info_entity]`	[CEP Only] This maps the `url_info_entity` in a `dangerousDownloadEvent` or `contentTransferEvent`. In a `urlNavigationEvent`, `suspiciousUrlEvent`, or `urlFilteringInterstitialEvent` this maps the `url_infos_navigation_entity`.
`url_info.request_http_method`	`principal.security_result.detection_fields[url_info_request_http_method]`	[CEP Only] The HTTP method used to contact the URL.
`url_info.url_categories`	`principal.url_metadata.categories`	[CEP Only] The URL category reported by Safe Browsing of `urlNavigationEvent` or `suspiciousUrlEvent`.
`url_info.risk_infos.risk_indicators`	`principal.security_result.detection_fields[url_info_risk_infos_risk_indicators_key]`	[CEP Only] The URL risk indicators reported by Safe Browsing of `urlNavigationEvent` or `suspiciousUrlEvent`.
`url_info.risk_infos.risk_reasons`	`principal.security_result.rule_label[risk_reason]`	[CEP Only] The Safe Browsing reason for the URL risk classification of `urlNavigationEvent` or `suspiciousUrlEvent`.
`url_info.risk_infos.risk_source`	`principal.security_result.detection_fields[content_risk_source]`	[CEP Only] The risk source determination reported by Safe Browsing. This includes URL and file reputation and content scanning results for `urlNavigationEvent`, `suspiciousUrlEvent`, or `urlFilteringInterstitialEvent`.
`url_info.risk_infos.threat_type`	`security_result.threat_name`	[CEP Only] The threat type reported by Safe Browsing of the URL for `urlNavigationEvent`, `suspiciousUrlEvent`, or `urlFilteringInterstitialEvent`.
`tab_url_info.url, tab_url, referrers.url`	`about.url`	[CEP Only] Maps the `tab_url_info.url` of `dangerousDownloadEvent` or `contentTransferEvent`. Maps the `referrers.url` of a `urlNavigationEvent`, or `suspiciousUrlEvent`.
`tab_url_info.ip, referrers.ip`	`about.ip`	[CEP Only] Maps the `tab_url_info_ip` IP address associated with `dangerousDownloadEvent` or `contentTransferEvent`. Maps the IP address of `referrers.ip` in `urlNavigationEvent` or `suspiciousUrlEvent`.
`remote_ip`	`target.ip`	[CEP Only] If the `event` log field value contains one of the following values, then the `remote_ip` log field is mapped to the `target.ip` UDM field: `dangerousDownloadEvent` `contentTransferEvent` `urlNavigationEvent` `suspiciousUrlEvent` `urlFilteringInterstitialEvent`
`tab_url_info.type`	`about.security_result.detection_fields[tab_url_info_type]`	[CEP Only] The URL tab type for `dangerousDownloadEvent` or `contentTransferEvent`.
`tab_url_info.risk_level`	`about.security_result.severity`	[CEP Only] The Safe Browsing risk level associated with the URL from a tab event for `dangerousDownloadEvent` or `contentTransferEvent`.
`tab_url_info.navigation_initiator.initiator_type`	`about.security_result.detection_fields[tab_url_info_initiator_type]`	[CEP Only] The initiator type of the tab event for `dangerousDownloadEvent` or `contentTransferEvent`.
`tab_url_info.navigation_initiator.entity`	`about.security_result.detection_fields[tab_url_info_entity]`	[CEP Only] The `tab_url_info_entity` for `dangerousDownloadEvent` or `contentTransferEvent`.
`tab_url_info.request_http_method`	`about.security_result.detection_fields[tab_url_info_request_http_method]`	[CEP Only] The HTTP method a tab used to contact the URL of `dangerousDownloadEvent` or `contentTransferEvent`.
`referrers.navigation_initiator.entity`	`about.security_result.detection_fields[referrers_navigation_initiator_entity]`	[CEP Only] The referrer entity name that initiated the navigation event for `urlNavigationEvent` or `suspiciousUrlEvent`.
`referrers.navigation_initiator.initiator_type`	`about.security_result.detection_fields[referrers_navigation_initiator_initiator_type]`	[CEP Only] The referrer type that initiated `urlNavigationEvent` or `suspiciousUrlEvent`.
`referrers.request_http_method`	`about.security_result.detection_fields[referrers_request_http_method]`	[CEP Only] The HTTP method of `urlNavigationEvent` or `suspiciousUrlEvent`.
`referrers.risk_infos.risk_categories`	`about.security_result.detection_fields[referrers_risk_infos_risk_categories]`	[CEP Only] The URL category of the referrer, as provided by the Safe Browsing service, associated with `urlNavigationEvent` or `suspiciousUrlEvent`.
`referrers.risk_infos.risk_level, referrers.risk_level`	`about.security_result.severity`	[CEP Only] Maps the risk level provided by Safe Browsing `referrers.risk_level` for a `urlNavigationEvent` or `suspiciousUrlEvent` or `referrers.risk_infos.risk_level` for `urlNavigationEvent` or `suspiciousUrlEvent`.
`referrers.type`	`about.security_result.detection_fields[referrers_type]`	[CEP Only] The URL type provided by Safe Browsing of the referrer URL of `urlNavigationEvent` or `suspiciousUrlEvent`.
`referrers.risk_infos.risk_source`	`about.security_result.detection_fields[referrers_risk_source]`	[CEP Only] The risk source provided by Safe Browsing for the referrer URL of `urlNavigationEvent` or `suspiciousUrlEvent`.
`referrers.risk_infos.threat_type`	`about.security_result.threat_name`	[CEP Only] The threat type provided by Safe Browsing for the referrer URL of `urlNavigationEvent` or `suspiciousUrlEvent`.
`referrers.url_categories`	`about.url_metadata.categories`	[CEP Only] The URL category provided by Safe Browsing for the referrer URL of `urlNavigationEvent` or `suspiciousUrlEvent`.

Vous avez encore besoin d'aide ? Obtenez des réponses de membres de la communauté et de professionnels Google SecOps.