Collect Security Command Center findings
This document describes how to collect Security Command Center logs by configuring Security Command Center and ingesting its findings into Google Security Operations. It also lists the supported findings.
For more information, see Data ingestion to Google Security Operations and Export Security Command Center findings to Google Security Operations. A typical deployment consists of Security Command Center and a Google Security Operations feed configured to send logs to Google Security Operations. Each customer deployment can differ and might be more complex.
The deployment includes the following components:
- Google Cloud: the system you monitor, where Security Command Center is enabled.
- Security Command Center Event Threat Detection findings: collects information from data sources and generates findings.
- Google Security Operations: retains and analyzes the logs from Security Command Center.
An ingestion label identifies the parser that normalizes raw log data to structured UDM format. The information in this document applies to the Security Command Center parser with the following ingestion labels:
- GCP_SECURITYCENTER_ERROR
- GCP_SECURITYCENTER_MISCONFIGURATION
- GCP_SECURITYCENTER_OBSERVATION
- GCP_SECURITYCENTER_THREAT
- GCP_SECURITYCENTER_UNSPECIFIED
- GCP_SECURITYCENTER_VULNERABILITY
- GCP_SECURITYCENTER_POSTURE_VIOLATION
- GCP_SECURITYCENTER_TOXIC_COMBINATION
- GCP_SECURITYCENTER_CHOKEPOINT
Configure Security Command Center and Google Cloud to send findings to Google Security Operations
- Ensure that all systems in the deployment are configured to use the UTC time zone.
- Enable the ingestion of Security Command Center findings.
Supported Event Threat Detection findings
This section lists the supported Event Threat Detection findings. For information about Security Command Center Event Threat Detection rules and findings, see Event Threat Detection rules.
| Finding name | Description |
|---|---|
| Active Scan: Log4j Vulnerable to RCE | Detects active Log4j vulnerabilities by identifying DNS queries for unobfuscated domains that were initiated by supported Log4j vulnerability scanners. |
| Brute Force: SSH | Detects successful brute force of SSH on a host. |
| Credential Access: External Member Added To Privileged Group | Detects when an external member is added to a privileged Google Group (a group that is granted sensitive roles or permissions). A finding is generated only if the group does not already contain other external members from the same organization as the newly added member. For more information, see Unsafe Google Group changes. |
| Credential Access: Privileged Group Opened To Public | Detects when a privileged Google Group (a group that is granted sensitive roles or permissions) is changed to be accessible to the general public. For more information, see Unsafe Google Group changes. |
| Credential Access: Sensitive Role Granted To Hybrid Group | Detects when sensitive roles are granted to a Google Group that has external members. For more information, see Unsafe Google Group changes. |
| Defense Evasion: Modify VPC Service Control | Detects a change to an existing VPC Service Controls perimeter that reduces the protection the perimeter provides. |
| Discovery: Can get sensitive Kubernetes object check (Preview) | A potentially malicious actor attempted to determine which sensitive objects in Google Kubernetes Engine (GKE) they can query, by using the kubectl auth can-i get command. |
| Discovery: Service Account Self-Investigation | Detects Identity and Access Management (IAM) service account credentials being used to investigate the roles and permissions associated with that same service account. |
| Evasion: Access from Anonymizing Proxy | Detects Google Cloud service modifications that originated from anonymous proxy IP addresses, such as Tor IP addresses. |
| Exfiltration: BigQuery Data Exfiltration | Detects scenarios in which BigQuery resources owned by the protected organization are exfiltrated. |
| Exfiltration: BigQuery Data Extraction | Detects extraction operations on BigQuery resources owned by the protected organization. |
| Exfiltration: BigQuery Data to Google Drive | Detects the following scenario: a BigQuery resource owned by the protected organization is saved, through extraction operations, to a Google Drive folder. |
| Exfiltration: Cloud SQL Data Exfiltration | Detects scenarios in which Cloud SQL data is exfiltrated. |
| Exfiltration: Cloud SQL Restore Backup to External Organization | Detects when the backup of a Cloud SQL instance is restored to an instance outside the organization. |
| Exfiltration: Cloud SQL Over-Privileged Grant | Detects when a Cloud SQL PostgreSQL user or role is granted all privileges on all tables, procedures, or functions in a database or schema. |
| Impair Defenses: Strong Authentication Disabled | Two-step verification has been disabled for your organization. |
| Impair Defenses: Two Step Verification Disabled | A user disabled two-step verification. |
| Initial Access: Account Disabled Hijacked | A user's account was suspended because of suspicious activity. |
| Initial Access: Disabled Password Leak | A user's account was disabled because a password leak was detected. |
| Initial Access: Government Based Attack | Government-backed attackers might have tried to compromise a user's account or computer. |
| Initial Access: Log4j Compromise Attempt | Detects Java Naming and Directory Interface (JNDI) lookups in headers or URL parameters. These lookups can indicate attempts to exploit the Log4Shell vulnerability. These findings have low severity because they indicate only a detection or exploitation attempt, not a vulnerability or a compromise. |
| Initial Access: Suspicious Login Blocked | A suspicious login to a user's account was detected and blocked. |
| Log4j Malware: Bad Domain | Detects Log4j exploit traffic based on a connection to, or a lookup of, a known domain used in Log4j attacks. |
| Log4j Malware: Bad IP | Detects Log4j exploit traffic based on a connection to a known IP address used in Log4j attacks. |
| Malware: Bad Domain | Detects malware based on a connection to, or a lookup of, a known bad domain. |
| Malware: Bad IP | Detects malware based on a connection to a known bad IP address. |
| Malware: Cryptomining Bad Domain | Detects cryptomining based on a connection to, or a lookup of, a known mining domain. |
| Malware: Cryptomining Bad IP | Detects cryptomining based on a connection to a known mining IP address. |
| Outgoing DoS | Detects outgoing denial-of-service traffic. |
| Persistence: Compute Engine Admin Added SSH Key | Detects a modification to the Compute Engine instance metadata ssh-key value on an established instance (older than 1 week). |
| Persistence: Compute Engine Admin Added Startup Script | Detects a modification to the Compute Engine instance metadata startup-script value on an established instance (older than 1 week). |
| Persistence: IAM Anomalous Grant | Detects privileges granted to IAM users and service accounts that are not members of the organization. This detector uses the organization's existing IAM policies as context. If a sensitive IAM grant to an external member occurs, and fewer than three similar IAM policies already exist, this detector generates a finding. |
| Persistence: New API Method (Preview) | Detects anomalous usage of Google Cloud services by IAM service accounts. |
| Persistence: New Geography | Detects IAM users and service accounts accessing Google Cloud from anomalous locations, based on the geolocation of the requesting IP addresses. |
| Persistence: New User Agent | Detects IAM service accounts accessing Google Cloud from anomalous or suspicious user agents. |
| Persistence: SSO Enablement Toggle | The Enable SSO (single sign-on) setting on the admin account was disabled. |
| Persistence: SSO Settings Changed | The SSO settings for the admin account were changed. |
| Privilege Escalation: Changes to sensitive Kubernetes RBAC objects (Preview) | To escalate privilege, a potentially malicious actor attempted to modify the cluster-admin ClusterRole and ClusterRoleBinding objects by using PUT or PATCH requests. |
| Privilege Escalation: Create Kubernetes CSR for master cert (Preview) | A potentially malicious actor created a Kubernetes master certificate signing request (CSR), which grants them cluster-admin access. |
| Privilege Escalation: Creation of sensitive Kubernetes bindings (Preview) | To escalate privilege, a potentially malicious actor attempted to create a new cluster-admin RoleBinding or ClusterRoleBinding object. |
| Privilege Escalation: Get Kubernetes CSR with compromised bootstrap credentials (Preview) | A potentially malicious actor queried a certificate signing request (CSR) by using the kubectl command and compromised bootstrap credentials. |
| Privilege Escalation: Launch of privileged Kubernetes container (Preview) | A potentially malicious actor created a Pod that contains privileged containers or containers with privilege escalation capabilities. A privileged container has the privileged field set to true. A container with privilege escalation capabilities has the allowPrivilegeEscalation field set to true. |
| Initial Access: Dormant Service Account Key Created | Detects the creation of a key for a dormant user-managed service account. In this context, a service account is considered dormant if it has been inactive for more than 180 days. |
| Unexpected Child Shell | The detector examines the process tree of every running process. If a process is a shell binary, the detector checks its parent process. If the parent is a binary that should not spawn a shell process, the detector triggers a finding. |
| Execution: Added Malicious Binary Executed | The detector looks for a binary being executed that was not part of the original container image and is identified as malicious based on threat intelligence. |
| Execution: Modified Malicious Binary Executed | The detector looks for a binary being executed that was originally included in the container image but was modified during runtime, and is identified as malicious based on threat intelligence. |
| Privilege Escalation: Anomalous Multistep Service Account Delegation for Admin Activity | Detects when an anomalous multistep delegation request for an administrative activity is found. |
| Breakglass Account Used: break_glass_account | Detects the use of an emergency-access (breakglass) account. |
| Configurable Bad Domain: APT29_Domains | Detects a connection to the specified domain names. |
| Unexpected Role Grant: Forbidden roles | Detects when the specified roles are granted to a user. |
| Configurable Bad IP | Detects a connection to the specified IP addresses. |
| Unexpected Compute Engine instance type | Detects the creation of Compute Engine instances that do not match the specified instance type or configuration. |
| Unexpected Compute Engine source image | Detects the creation of Compute Engine instances with an image or image family that does not match the specified list. |
| Unexpected Compute Engine region | Detects the creation of Compute Engine instances in regions outside the specified list. |
| Custom role with prohibited permission | Detects when a custom role that contains any of the specified IAM permissions is granted to a principal. |
| Unexpected Cloud API Call | Detects when a specified principal calls a specified method against a specified resource. A finding is generated only if all regular expressions match in a single log entry. |
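The "Privilege Escalation: Launch of privileged Kubernetes container" finding in the table above names two concrete conditions on a Pod's containers. The following is an added example (not Security Command Center or GKE code) that applies exactly those two conditions to Pod manifests, the way you would when replaying an audit-logged `pods.create` request body or pre-screening manifests in CI. The sample manifests are constructed for the demo; the note about Kubernetes' behaviour for an unset `allowPrivilegeEscalation` is an assumption about Kubernetes defaults, not something the page states.

```python
"""Apply the two conditions of the "Launch of privileged Kubernetes container"
finding to Pod manifests (added example, not Security Command Center code).

A container matches when its securityContext has privileged == true or
allowPrivilegeEscalation == true. Sample manifests are constructed for the demo.
"""
from typing import Dict, Iterator, List


def _all_containers(pod: dict) -> Iterator[dict]:
    """Yield regular, init and ephemeral containers; any of them can be privileged."""
    spec = pod.get("spec") or {}
    for key in ("containers", "initContainers", "ephemeralContainers"):
        yield from spec.get(key) or []


def privileged_launch_reasons(pod: dict) -> List[Dict[str, str]]:
    """Return one record per (container, field) that matches a finding condition.

    Only an explicit ``true`` is matched, mirroring the finding description.
    Caveat (Kubernetes behaviour, an assumption not stated on the page): when
    allowPrivilegeEscalation is left unset the runtime still permits escalation,
    so a stricter admission policy may also want to treat None as a hit.
    """
    reasons: List[Dict[str, str]] = []
    for container in _all_containers(pod):
        sc = container.get("securityContext") or {}
        name = container.get("name", "<unnamed>")
        if sc.get("privileged") is True:
            reasons.append({"container": name, "field": "privileged"})
        if sc.get("allowPrivilegeEscalation") is True:
            reasons.append({"container": name, "field": "allowPrivilegeEscalation"})
    return reasons


def is_privileged_launch(pod: dict) -> bool:
    """True when the Pod would raise the finding."""
    return bool(privileged_launch_reasons(pod))


# Constructed sample manifests, shaped like a pods.create request body.
SAFE_POD = {
    "kind": "Pod",
    "metadata": {"name": "web", "namespace": "default"},
    "spec": {"containers": [{"name": "app", "image": "nginx",
                             "securityContext": {"allowPrivilegeEscalation": False}}]},
}

ESCALATING_POD = {
    "kind": "Pod",
    "metadata": {"name": "debug", "namespace": "kube-system"},
    "spec": {
        # Privilege hidden in an init container is still privilege.
        "initContainers": [{"name": "sysctl-tuner", "image": "busybox",
                            "securityContext": {"privileged": True}}],
        "containers": [{"name": "shell", "image": "alpine",
                        "securityContext": {"allowPrivilegeEscalation": True}}],
    },
}

if __name__ == "__main__":
    for pod in (SAFE_POD, ESCALATING_POD):
        print(pod["metadata"]["name"], privileged_launch_reasons(pod))
```

The walk covers `initContainers` and `ephemeralContainers` as well as `containers`, because a privileged init container (a common "sysctl tuning" pattern) is just as much a host compromise path as a privileged main container.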
Supported GCP_SECURITYCENTER_ERROR findings
You can find the UDM mappings in the Field mapping reference: ERROR table.
| Finding name | Description |
|---|---|
| VPC_SC_RESTRICTION | Security Health Analytics cannot produce certain findings for a project. The project is protected by a service perimeter, and the Security Command Center service account does not have access to the perimeter. |
| MISCONFIGURED_CLOUD_LOGGING_EXPORT | The project configured for continuous export to Cloud Logging is unavailable. Security Command Center cannot send findings to Logging. |
| API_DISABLED | A required API is disabled for the project. The disabled service cannot send findings to Security Command Center. |
| KTD_IMAGE_PULL_FAILURE | Container Threat Detection cannot be enabled on the cluster because a required container image cannot be pulled (downloaded) from gcr.io, the Container Registry image host. The image is needed to deploy the Container Threat Detection DaemonSet that Container Threat Detection requires. |
| KTD_BLOCKED_BY_ADMISSION_CONTROLLER | Container Threat Detection cannot be enabled on a Kubernetes cluster. A third-party admission controller is preventing the deployment of a Kubernetes DaemonSet object that Container Threat Detection requires. When viewed in the Google Cloud console, the finding details include the error message that Google Kubernetes Engine returned when Container Threat Detection attempted to deploy the Container Threat Detection DaemonSet object. |
| KTD_SERVICE_ACCOUNT_MISSING_PERMISSIONS | A service account is missing permissions that Container Threat Detection requires. Container Threat Detection could stop functioning properly because the detection instrumentation cannot be enabled, upgraded, or disabled. |
| GKE_SERVICE_ACCOUNT_MISSING_PERMISSIONS | Container Threat Detection cannot generate findings for a Google Kubernetes Engine cluster because the GKE default service account on the cluster is missing permissions. This prevents Container Threat Detection from being successfully enabled on the cluster. |
| SCC_SERVICE_ACCOUNT_MISSING_PERMISSIONS | The Security Command Center service account is missing permissions that are required to function properly. No findings are produced. |
Supported GCP_SECURITYCENTER_OBSERVATION findings
You can find the UDM mappings in the Field mapping reference: OBSERVATION table.
| Finding name | Description |
|---|---|
| Persistence: Project SSH Key Added | A project-level SSH key was created in a project that is more than 10 days old. |
| Persistence: Add Sensitive Role | A sensitive or highly privileged organization-level IAM role was granted in an organization that is more than 10 days old. |
Supported GCP_SECURITYCENTER_UNSPECIFIED findings
You can find the UDM mappings in the Field mapping reference: UNSPECIFIED table.
| Finding name | Description |
|---|---|
| OPEN_FIREWALL | A firewall is configured to be open to public access. |
Supported GCP_SECURITYCENTER_VULNERABILITY findings
You can find the UDM mappings in the Field mapping reference: VULNERABILITY table.
| Finding name | Description |
|---|---|
| DISK_CSEK_DISABLED | Disks on this VM are not encrypted with customer-supplied encryption keys (CSEK). This detector requires additional configuration to enable. For instructions, see Special-case detectors. |
| ALPHA_CLUSTER_ENABLED | Alpha cluster features are enabled for a GKE cluster. |
| AUTO_REPAIR_DISABLED | A GKE cluster's auto repair feature, which keeps nodes in a healthy, running state, is disabled. |
| AUTO_UPGRADE_DISABLED | A GKE cluster's auto upgrade feature, which keeps clusters and node pools on the latest stable version of Kubernetes, is disabled. |
| CLUSTER_SHIELDED_NODES_DISABLED | Shielded GKE nodes are not enabled for a cluster. |
| COS_NOT_USED | Compute Engine VMs are not using the Container-Optimized OS that is designed for running Docker containers on Google Cloud securely. |
| INTEGRITY_MONITORING_DISABLED | Integrity monitoring is disabled for a GKE cluster. |
| IP_ALIAS_DISABLED | A GKE cluster was created with alias IP ranges disabled. |
| LEGACY_METADATA_ENABLED | Legacy metadata is enabled on a GKE cluster. |
| RELEASE_CHANNEL_DISABLED | A GKE cluster is not subscribed to a release channel. |
| DATAPROC_IMAGE_OUTDATED | A Dataproc cluster was created with a Dataproc image version that is affected by security vulnerabilities in the Apache Log4j 2 utility (CVE-2021-44228 and CVE-2021-45046). |
| PUBLIC_DATASET | A dataset is configured to be open to public access. |
| DNSSEC_DISABLED | DNSSEC is disabled for a Cloud DNS zone. |
| RSASHA1_FOR_SIGNING | RSASHA1 is used for key signing in a Cloud DNS zone. |
| REDIS_ROLE_USED_ON_ORG | A Redis IAM role is assigned at the organization or folder level. |
| KMS_PUBLIC_KEY | A Cloud KMS cryptographic key is publicly accessible. |
| SQL_CONTAINED_DATABASE_AUTHENTICATION | The contained database authentication database flag for a Cloud SQL for SQL Server instance is not set to off. |
| SQL_CROSS_DB_OWNERSHIP_CHAINING | The cross_db_ownership_chaining database flag for a Cloud SQL for SQL Server instance is not set to off. |
| SQL_EXTERNAL_SCRIPTS_ENABLED | The external scripts enabled database flag for a Cloud SQL for SQL Server instance is not set to off. |
| SQL_LOCAL_INFILE | The local_infile database flag for a Cloud SQL for MySQL instance is not set to off. |
| SQL_LOG_ERROR_VERBOSITY | The log_error_verbosity database flag for a Cloud SQL for PostgreSQL instance is not set to default or stricter. |
| SQL_LOG_MIN_DURATION_STATEMENT_ENABLED | The log_min_duration_statement database flag for a Cloud SQL for PostgreSQL instance is not set to -1. |
| SQL_LOG_MIN_ERROR_STATEMENT | The log_min_error_statement database flag for a Cloud SQL for PostgreSQL instance is not set appropriately. |
| SQL_LOG_MIN_ERROR_STATEMENT_SEVERITY | The log_min_error_statement database flag for a Cloud SQL for PostgreSQL instance does not have an appropriate severity level. |
| SQL_LOG_MIN_MESSAGES | The log_min_messages database flag for a Cloud SQL for PostgreSQL instance is not set to warning. |
| SQL_LOG_EXECUTOR_STATS_ENABLED | The log_executor_stats database flag for a Cloud SQL for PostgreSQL instance is not set to off. |
| SQL_LOG_HOSTNAME_ENABLED | The log_hostname database flag for a Cloud SQL for PostgreSQL instance is not set to off. |
| SQL_LOG_PARSER_STATS_ENABLED | The log_parser_stats database flag for a Cloud SQL for PostgreSQL instance is not set to off. |
| SQL_LOG_PLANNER_STATS_ENABLED | The log_planner_stats database flag for a Cloud SQL for PostgreSQL instance is not set to off. |
| SQL_LOG_STATEMENT_STATS_ENABLED | The log_statement_stats database flag for a Cloud SQL for PostgreSQL instance is not set to off. |
| SQL_LOG_TEMP_FILES | The log_temp_files database flag for a Cloud SQL for PostgreSQL instance is not set to 0. |
| SQL_REMOTE_ACCESS_ENABLED | The remote access database flag for a Cloud SQL for SQL Server instance is not set to off. |
| SQL_SKIP_SHOW_DATABASE_DISABLED | The skip_show_database database flag for a Cloud SQL for MySQL instance is not set to on. |
| SQL_TRACE_FLAG_3625 | The 3625 (trace flag) database flag for a Cloud SQL for SQL Server instance is not set to on. |
| SQL_USER_CONNECTIONS_CONFIGURED | The user connections database flag for a Cloud SQL for SQL Server instance is configured. |
| SQL_USER_OPTIONS_CONFIGURED | The user options database flag for a Cloud SQL for SQL Server instance is configured. |
| SQL_WEAK_ROOT_PASSWORD | A Cloud SQL database has a weak password configured for the root account. This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. |
| PUBLIC_LOG_BUCKET | A storage bucket used as a log sink is publicly accessible. |
| ACCESSIBLE_GIT_REPOSITORY | A Git repository is exposed publicly. To remediate this finding, remove unintentional public access to the Git repository. |
| ACCESSIBLE_SVN_REPOSITORY | An SVN repository is exposed publicly. To remediate this finding, remove unintentional public access to the SVN repository. |
| ACCESSIBLE_ENV_FILE | An ENV file is exposed publicly. To remediate this finding, remove unintentional public access to the ENV file. |
| CACHEABLE_PASSWORD_INPUT | Passwords entered in the web application can be cached in a regular browser cache instead of in secure password storage. |
| CLEAR_TEXT_PASSWORD | Passwords are transmitted in clear text and can be intercepted. To remediate this finding, encrypt the password transmitted over the network. |
| INSECURE_ALLOW_ORIGIN_ENDS_WITH_VALIDATION | A cross-site HTTP or HTTPS endpoint validates only a suffix of the Origin request header before reflecting it inside the Access-Control-Allow-Origin response header. To remediate this finding, validate that the expected root domain is part of the Origin header value before reflecting it in the Access-Control-Allow-Origin response header. For subdomain wildcards, prepend the dot to the root domain, for example, .endsWith(".google.com"). |
| INSECURE_ALLOW_ORIGIN_STARTS_WITH_VALIDATION | A cross-site HTTP or HTTPS endpoint validates only a prefix of the Origin request header before reflecting it inside the Access-Control-Allow-Origin response header. To remediate this finding, validate that the expected domain fully matches the Origin header value before reflecting it in the Access-Control-Allow-Origin response header, for example, .equals(".google.com"). |
| INVALID_CONTENT_TYPE | A resource was loaded that does not match the response's Content-Type HTTP header. To remediate this finding, set the X-Content-Type-Options HTTP header with the correct value. |
| INVALID_HEADER | A security header has a syntax error and is ignored by browsers. To remediate this finding, set HTTP security headers correctly. |
| MISMATCHING_SECURITY_HEADER_VALUES | A security header has duplicated, mismatching values, which result in undefined behavior. To remediate this finding, set HTTP security headers correctly. |
| MISSPELLED_SECURITY_HEADER_NAME | A security header is misspelled and is ignored. To remediate this finding, set HTTP security headers correctly. |
| MIXED_CONTENT | Resources are served over HTTP on an HTTPS page. To remediate this finding, make sure that all resources are served over HTTPS. |
| OUTDATED_LIBRARY | A library with known vulnerabilities was detected. To remediate this finding, upgrade the library to a newer version. |
| SERVER_SIDE_REQUEST_FORGERY | A server-side request forgery (SSRF) vulnerability was detected. To remediate this finding, use an allowlist to limit the domains and IP addresses that the web application can make requests to. |
| SESSION_ID_LEAK | When making a cross-domain request, the web application includes the user's session identifier in its Referer request header. This vulnerability gives the receiving domain access to the session identifier, which can be used to impersonate or uniquely identify a user. |
| SQL_INJECTION | A potential SQL injection vulnerability was detected. To remediate this finding, use parameterized queries to prevent user input from influencing the structure of the SQL query. |
| STRUTS_INSECURE_DESERIALIZATION | Usage of a vulnerable version of Apache Struts was detected. To remediate this finding, upgrade Apache Struts to the latest version. |
| XSS | A field in this web application is vulnerable to a cross-site scripting (XSS) attack. To remediate this finding, validate and escape untrusted user-supplied data. |
| XSS_ANGULAR_CALLBACK | A user-provided string is not escaped and AngularJS can interpolate it. To remediate this finding, validate and escape untrusted user-supplied data handled by the Angular framework. |
| XSS_ERROR | A field in this web application is vulnerable to a cross-site scripting attack. To remediate this finding, validate and escape untrusted user-supplied data. |
| XXE_REFLECTED_FILE_LEAKAGE | An XML external entity (XXE) vulnerability was detected. This vulnerability can cause the web application to leak a file on the host. To remediate this finding, configure your XML parsers to disallow external entities. |
| BASIC_AUTHENTICATION_ENABLED | IAM or client certificate authentication should be enabled on Kubernetes clusters. |
| CLIENT_CERT_AUTHENTICATION_DISABLED | Kubernetes clusters should be created with client certificates enabled. |
| LABELS_NOT_USED | Labels can be used to break down billing information. |
| PUBLIC_STORAGE_OBJECT | Storage object ACLs should not grant access to allUsers. |
| SQL_BROAD_ROOT_LOGIN | Root access to SQL databases should be limited to allowlisted, trusted IP addresses. |
| WEAK_CREDENTIALS | This detector checks for weak credentials by using ncrack brute-force methods. Supported services: SSH, RDP, FTP, WordPress, TELNET, POP3, IMAP, VCS, SMB, SMB2, VNC, SIP, REDIS, PSQL, MYSQL, MSSQL, MQTT, MONGODB, WINRM, DICOM |
| ELASTICSEARCH_API_EXPOSED | The Elasticsearch API lets callers perform arbitrary queries, write and execute scripts, and add additional documents to the service. |
| EXPOSED_GRAFANA_ENDPOINT | In Grafana 8.0.0 to 8.3.0, users can reach, without authentication, an endpoint that has a directory traversal vulnerability, which lets any user read any file on the server without authentication. For more information, see CVE-2021-43798. |
| EXPOSED_METABASE | Versions x.40.0 to x.40.4 of Metabase, an open source data analytics platform, contain a vulnerability in the custom GeoJSON map support and a potential local file inclusion (including environment variables). URLs were not validated before being loaded. For more information, see CVE-2021-41277. |
| EXPOSED_SPRING_BOOT_ACTUATOR_ENDPOINT | This detector checks whether sensitive Actuator endpoints of Spring Boot applications are exposed. Some default endpoints, such as /heapdump, can expose sensitive information. Others, such as /env, can lead to remote code execution. Currently only /heapdump is checked. |
| HADOOP_YARN_UNAUTHENTICATED_RESOURCE_MANAGER_API | This detector checks whether the Hadoop Yarn ResourceManager API, which controls the compute and storage resources of a Hadoop cluster, is exposed and allows unauthenticated code execution. |
| JAVA_JMX_RMI_EXPOSED | Java Management Extensions (JMX) allow remote monitoring and diagnostics of Java applications. Running JMX with an unprotected Remote Method Invocation endpoint lets any remote user create a javax.management.loading.MLet MBean and use it to create new MBeans from arbitrary URLs. |
| JUPYTER_NOTEBOOK_EXPOSED_UI | This detector checks whether an unauthenticated Jupyter Notebook is exposed. Jupyter allows remote code execution on the host machine by design. An unauthenticated Jupyter Notebook puts the hosting VM at risk of remote code execution. |
| KUBERNETES_API_EXPOSED | The Kubernetes API is exposed and accessible to unauthenticated callers. This allows arbitrary code execution on the Kubernetes cluster. |
| UNFINISHED_WORDPRESS_INSTALLATION | This detector checks whether a WordPress installation is unfinished. An unfinished WordPress installation exposes the /wp-admin/install.php page, which lets an attacker set the admin password and possibly compromise the system. |
| UNAUTHENTICATED_JENKINS_NEW_ITEM_CONSOLE | This detector checks for an unauthenticated Jenkins instance by sending a probe ping to the /view/all/newJob endpoint as an anonymous visitor. If the instance serves the createItem form to that anonymous visitor, it allows the creation of arbitrary jobs, which can lead to remote code execution. |
| APACHE_HTTPD_RCE | A flaw was found in Apache HTTP Server 2.4.49 that lets an attacker use a path traversal attack to map URLs to files outside the expected document root and view the source of interpreted files such as CGI scripts. This issue is known to be exploited in the wild. It affects Apache 2.4.49 and 2.4.50 but not earlier versions. |
| APACHE_HTTPD_SSRF | An attacker can craft a URI to the Apache web server that causes mod_proxy to forward the request to an origin server chosen by the attacker. This issue affects Apache HTTP Server 2.4.48 and earlier. |
| CONSUL_RCE | Attackers can execute arbitrary code on a Consul server because the Consul instance is configured with -enable-script-checks set to true and the Consul HTTP API is unsecured and accessible over the network. In Consul 0.9.0 and earlier, script checks were enabled by default. For more information, see Protecting Consul from RCE risk in specific configurations. To check for this vulnerability, Rapid Vulnerability Detection registers a service on the Consul instance through the /v1/health/service REST endpoint and then runs one of the following commands: a curl command to a remote server outside the network (an attacker could use such a curl command to exfiltrate data from the server), or a printf command, whose output Rapid Vulnerability Detection then verifies through the /v1/health/service REST endpoint. After the check, Rapid Vulnerability Detection cleans up by deregistering the service through the /v1/agent/service/deregister/ REST endpoint. |
| DRUID_RCE | Apache Druid can execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for high-trust environments and is disabled by default. However, in Druid 0.20.0 and earlier, an authenticated user can send a specially crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be used to execute code on the target machine with the privileges of the Druid server process. For more information, see CVE-2021-25646. |
| DRUPAL_RCE | Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 are vulnerable to remote code execution on Form API AJAX requests. Drupal 8.5.x before 8.5.11 and 8.6.x before 8.6.10 are vulnerable to remote code execution when the RESTful Web Services module or JSON:API is enabled. An unauthenticated attacker can exploit this vulnerability through a crafted POST request. |
| FLINK_FILE_DISCLOSURE | A vulnerability in Apache Flink 1.11.0, 1.11.1, and 1.11.2 lets attackers read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is limited to files the JobManager process can read. |
| GITLAB_RCE | In GitLab Community Edition (CE) and Enterprise Edition (EE) 11.9 and later, GitLab does not properly validate image files passed to a file parser. An attacker can exploit this to execute remote commands. |
| GoCD_RCE | In GoCD 21.2.0 and earlier, an endpoint can be reached without authentication. This endpoint has a directory traversal vulnerability that lets a user read any file on the server without authentication. |
| JENKINS_RCE | Jenkins 2.56 and earlier, and 2.46.1 LTS and earlier, are vulnerable to remote code execution. An unauthenticated attacker can trigger the vulnerability with a malicious serialized Java object. |
| JOOMLA_RCE | Joomla 1.5.x, 2.x, and 3.x before 3.4.6 are vulnerable to remote code execution. The vulnerability can be triggered through a specially crafted header that contains a serialized PHP object. Joomla 3.0.0 to 3.4.6 are vulnerable to remote code execution. The vulnerability can be triggered by sending a POST request that contains a specially crafted serialized PHP object. |
| LOG4J_RCE | In Apache Log4j2 2.14.1 and earlier, the JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. For more information, see CVE-2021-44228. |
| MANTISBT_PRIVILEGE_ESCALATION | MantisBT through 2.3.0 allows arbitrary password reset and unauthenticated admin access by providing an empty confirm_hash value to verify.php. |
| OGNL_RCE | Confluence Server and Confluence Data Center instances have an OGNL injection vulnerability that lets an unauthenticated attacker execute arbitrary code. For more information, see CVE-2021-26084. |
| OPENAM_RCE | OpenAM Server 14.6.2 and earlier and ForgeRock AM Server 6.5.3 and earlier have a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. Exploitation does not require authentication, and remote code execution can be triggered by sending a single specially crafted /ccversion/* request to the server. The vulnerability exists because of the use of the Sun ONE application framework. For more information, see CVE-2021-35464. |
| ORACLE_WEBLOGIC_RCE | A vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console) affects specific versions, including 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0. This easily exploitable vulnerability lets an unauthenticated attacker with network access over HTTP compromise Oracle WebLogic Server. A successful attack can result in takeover of Oracle WebLogic Server. For more information, see CVE-2020-14882. |
| PHPUNIT_RCE | PHPUnit before 5.6.3 allows remote code execution through a single unauthenticated POST request. |
| PHP_CGI_RCE | PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script, allow remote code execution. The vulnerable code does not properly handle query strings that lack an = (equals sign) character, which lets attackers add command-line options that are executed on the server. |
| PORTAL_RCE | In Liferay Portal before 7.2.1 CE GA2, deserialization of untrusted data lets remote attackers execute arbitrary code through JSON web services. |
| REDIS_RCE | If a Redis instance allows administrative commands to be executed without authentication, attackers might be able to execute arbitrary code. |
| SOLR_FILE_EXPOSED | Apache Solr, an open source search server, is running without authentication enabled. When Apache Solr does not require authentication, an attacker can directly craft requests that enable a specific configuration and ultimately achieve server-side request forgery (SSRF) or read arbitrary files. |
| SOLR_RCE | Apache Solr 5.0.0 through 8.3.1 are vulnerable to remote code execution through the VelocityResponseWriter if params.resource.loader.enabled is set to true. This lets an attacker craft a parameter that contains a malicious Velocity template. |
| STRUTS_RCE | |
| TOMCAT_FILE_DISCLOSURE | Apache Tomcat 9.x before 9.0.31, 8.x before 8.5.51, 7.x before 7.0.100, and all 6.x versions are vulnerable to source code and configuration disclosure through an exposed Apache JServ Protocol connector. In some circumstances, if file uploads are allowed, this can be used for remote code execution. |
| VBULLETIN_RCE | vBulletin servers running 5.0.0 through 5.5.4 are vulnerable to remote code execution. An unauthenticated attacker can exploit this vulnerability by using a query parameter in a routestring request. |
| VCENTER_RCE | VMware vCenter Server 7.x before 7.0 U1c, 6.7 before 6.7 U3l, and 6.5 before 6.5 U3n are vulnerable to remote code execution. An attacker can exploit this issue by uploading a specially crafted file to a web-accessible directory and then triggering the execution of that file. |
| WEBLOGIC_RCE | The Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console) has a remote code execution vulnerability in specific versions, including 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0. This vulnerability is related to CVE-2020-14750, CVE-2020-14882, and CVE-2020-14883. For more information, see CVE-2020-14883. |
| OS_VULNERABILITY | VM Manager detected a vulnerability in an installed operating system (OS) package on a Compute Engine VM. |
| UNUSED_IAM_ROLE | IAM recommender detected a user account that has an IAM role that has not been used in the last 90 days. |
| GKE_RUNTIME_OS_VULNERABILITY | GKE continuously scans container images running on enrolled GKE clusters for vulnerabilities. GKE uses vulnerability data from public CVE databases such as NIST. Although GKE can scan images from any registry, the OS version must be supported. For the list of supported operating systems, see Supported Linux versions. |
| GKE_SECURITY_BULLETIN | When a vulnerability is found in GKE, it is patched and a security bulletin is then published. For more information about the vulnerability patching process and timeline, see GKE security patching. |
| SERVICE_AGENT_ROLE_REPLACED_WITH_BASIC_ROLE | IAM recommender detected that the original default IAM role granted to a service agent was replaced with one of the basic IAM roles: Owner, Editor, or Viewer. Basic roles are excessively permissive legacy roles and should not be granted to service agents. |
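The INSECURE_ALLOW_ORIGIN_ENDS_WITH_VALIDATION and INSECURE_ALLOW_ORIGIN_STARTS_WITH_VALIDATION rows in the table above describe a reflection bug that is easier to see in code than in prose. The following is an added example (not Security Command Center or Web Security Scanner code) that shows both vulnerable checks next to a hardened one that parses the `Origin` value, compares the host exactly against an allowlist, and implements the dot-prefixed subdomain rule the finding recommends. `ALLOWED_ORIGINS` and `ROOT_DOMAIN` are assumptions for the demo.

```python
"""Origin reflection: the two vulnerable patterns behind the
INSECURE_ALLOW_ORIGIN_* findings and a hardened replacement
(added example, not Security Command Center code).

ALLOWED_ORIGINS and ROOT_DOMAIN are assumed values for the demo.
"""
from typing import Optional
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://app.example.com", "https://www.example.com"}  # assumed allowlist
ROOT_DOMAIN = "example.com"  # assumed root for the subdomain-wildcard case


def insecure_ends_with(origin: str) -> Optional[str]:
    """Vulnerable: any Origin that merely ends in the root name is reflected.

    "https://evilexample.com" passes because no dot precedes the root domain.
    """
    return origin if origin.endswith("example.com") else None


def insecure_starts_with(origin: str) -> Optional[str]:
    """Vulnerable: any Origin that merely begins with a trusted origin is reflected.

    "https://app.example.com.evil.net" passes because only the prefix is checked.
    """
    return origin if origin.startswith("https://app.example.com") else None


def hardened_allow_origin(origin: str, allow_subdomains: bool = False) -> Optional[str]:
    """Return the value to echo in Access-Control-Allow-Origin, or None to deny.

    The Origin is parsed, so only scheme://host[:port] is accepted ("null",
    paths and query strings are rejected). The host is compared exactly against
    the allowlist; with allow_subdomains it must equal ROOT_DOMAIN or end with
    "." + ROOT_DOMAIN, the dot-prefixed form the finding recommends.
    """
    parts = urlsplit(origin)
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.hostname or parts.path or parts.query or parts.fragment:
        return None
    host = parts.hostname.lower()
    normalized = f"https://{host}" + (f":{port}" if port else "")
    if normalized in ALLOWED_ORIGINS:
        return normalized
    if allow_subdomains and (host == ROOT_DOMAIN or host.endswith("." + ROOT_DOMAIN)):
        return normalized
    return None


if __name__ == "__main__":
    for candidate in ("https://app.example.com", "https://evilexample.com",
                      "https://app.example.com.evil.net", "null"):
        print(candidate, insecure_ends_with(candidate), insecure_starts_with(candidate),
              hardened_allow_origin(candidate, allow_subdomains=True))
```

A handler that echoes a per-request value from `hardened_allow_origin` should also send `Vary: Origin`, otherwise a shared cache can serve one origin's response, with its `Access-Control-Allow-Origin` header, to a different origin.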
Supported GCP_SECURITYCENTER_MISCONFIGURATION findings
You can find the UDM mappings in the Field mapping reference: MISCONFIGURATION table.
| Finding name | Description |
|---|---|
| API_KEY_APIS_UNRESTRICTED | There are API keys being used too broadly. To resolve this, limit API key usage to allow only the APIs the application needs. |
| API_KEY_APPS_UNRESTRICTED | There are API keys being used in an unrestricted way, allowing use by any untrusted app. |
| API_KEY_EXISTS | A project is using API keys instead of standard authentication. |
| API_KEY_NOT_ROTATED | An API key has not been rotated for more than 90 days. |
| PUBLIC_COMPUTE_IMAGE | A Compute Engine image is publicly accessible. |
| CONFIDENTIAL_COMPUTING_DISABLED | Confidential Computing is disabled on a Compute Engine instance. |
| COMPUTE_PROJECT_WIDE_SSH_KEYS_ALLOWED | Project-wide SSH keys are used, allowing login to all instances in the project. |
| COMPUTE_SECURE_BOOT_DISABLED | This Shielded VM does not have Secure Boot enabled. Using Secure Boot helps protect virtual machine instances against advanced threats such as rootkits and bootkits. |
| DEFAULT_SERVICE_ACCOUNT_USED | An instance is configured to use the default service account. |
| FULL_API_ACCESS | An instance is configured to use the default service account with full access to all Google Cloud APIs. |
| OS_LOGIN_DISABLED | OS Login is disabled on this instance. |
| PUBLIC_IP_ADDRESS | An instance has a public IP address. |
| SHIELDED_VM_DISABLED | Shielded VM is disabled on this instance. |
| COMPUTE_SERIAL_PORTS_ENABLED | Serial ports are enabled for an instance, allowing connections to the instance's serial console. |
| DISK_CMEK_DISABLED | Disks on this VM are not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. |
| HTTP_LOAD_BALANCER | An instance uses a load balancer that is configured to use a target HTTP proxy instead of a target HTTPS proxy. |
| IP_FORWARDING_ENABLED | IP forwarding is enabled on an instance. |
| WEAK_SSL_POLICY | An instance has a weak SSL policy. |
| BINARY_AUTHORIZATION_DISABLED | Binary Authorization is disabled on a GKE cluster. |
| CLUSTER_LOGGING_DISABLED | Logging is not enabled for a GKE cluster. |
| CLUSTER_MONITORING_DISABLED | Monitoring is disabled on a GKE cluster. |
| CLUSTER_PRIVATE_GOOGLE_ACCESS_DISABLED | Cluster hosts are not configured to use only private, internal IP addresses to access Google APIs. |
| CLUSTER_SECRETS_ENCRYPTION_DISABLED | Application-layer secrets encryption is disabled on a GKE cluster. |
| INTRANODE_VISIBILITY_DISABLED | Intranode visibility is disabled for a GKE cluster. |
| MASTER_AUTHORIZED_NETWORKS_DISABLED | Control plane authorized networks is not enabled on a GKE cluster. |
| NETWORK_POLICY_DISABLED | Network policy is disabled on a GKE cluster. |
| NODEPOOL_SECURE_BOOT_DISABLED | Secure Boot is disabled for a GKE cluster. |
| OVER_PRIVILEGED_ACCOUNT | A service account has overly broad project access in a cluster. |
| OVER_PRIVILEGED_SCOPES | A node service account has broad access scopes. |
| POD_SECURITY_POLICY_DISABLED | PodSecurityPolicy is disabled on a GKE cluster. |
| PRIVATE_CLUSTER_DISABLED | A GKE cluster has private cluster disabled. |
| WORKLOAD_IDENTITY_DISABLED | Workload Identity is disabled on a GKE cluster. |
| LEGACY_AUTHORIZATION_ENABLED | Legacy authorization is enabled on a GKE cluster. |
| NODEPOOL_BOOT_CMEK_DISABLED | Boot disks in this node pool are not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. |
| WEB_UI_ENABLED | The GKE web UI (dashboard) is enabled. |
| AUTO_REPAIR_DISABLED | A GKE cluster's auto repair feature, which keeps nodes in a healthy, running state, is disabled. |
| AUTO_UPGRADE_DISABLED | A GKE cluster's auto upgrade feature, which keeps clusters and node pools on the latest stable version of Kubernetes, is disabled. |
| CLUSTER_SHIELDED_NODES_DISABLED | Shielded GKE nodes are not enabled for a cluster. |
| RELEASE_CHANNEL_DISABLED | A GKE cluster is not subscribed to a release channel. |
| BIGQUERY_TABLE_CMEK_DISABLED | A BigQuery table is not configured to use a customer-managed encryption key (CMEK). This detector requires additional configuration to enable. |
| DATASET_CMEK_DISABLED | A BigQuery dataset is not configured to use a default CMEK. This detector requires additional configuration to enable. |
| EGRESS_DENY_RULE_NOT_SET | An egress deny rule is not set on a firewall. Egress deny rules should be set to block unwanted outbound traffic. |
| FIREWALL_RULE_LOGGING_DISABLED | Firewall rule logging is disabled. Firewall rule logging should be enabled so that you can audit network access. |
| OPEN_CASSANDRA_PORT | A firewall is configured to have an open Cassandra port that allows generic access. |
| OPEN_SMTP_PORT | A firewall is configured to have an open SMTP port that allows generic access. |
| OPEN_REDIS_PORT | A firewall is configured to have an open Redis port that allows generic access. |
| OPEN_POSTGRESQL_PORT | A firewall is configured to have an open PostgreSQL port that allows generic access. |
| OPEN_POP3_PORT | A firewall is configured to have an open POP3 port that allows generic access. |
| OPEN_ORACLEDB_PORT | A firewall is configured to have an open Oracle DB port that allows generic access. |
| OPEN_NETBIOS_PORT | A firewall is configured to have an open NetBIOS port that allows generic access. |
| OPEN_MYSQL_PORT | A firewall is configured to have an open MySQL port that allows generic access. |
| OPEN_MONGODB_PORT | A firewall is configured to have an open MongoDB port that allows generic access. |
| OPEN_MEMCACHED_PORT | A firewall is configured to have an open Memcached port that allows generic access. |
| OPEN_LDAP_PORT | A firewall is configured to have an open LDAP port that allows generic access. |
| OPEN_FTP_PORT | A firewall is configured to have an open FTP port that allows generic access. |
| OPEN_ELASTICSEARCH_PORT | A firewall is configured to have an open Elasticsearch port that allows generic access. |
| OPEN_DNS_PORT | A firewall is configured to have an open DNS port that allows generic access. |
| OPEN_HTTP_PORT | A firewall is configured to have an open HTTP port that allows generic access. |
| OPEN_DIRECTORY_SERVICES_PORT | A firewall is configured to have an open directory services port that allows generic access. |
| OPEN_CISCOSECURE_WEBSM_PORT | A firewall is configured to have an open CiscoSecure WebSM port that allows generic access. |
| OPEN_RDP_PORT | A firewall is configured to have an open RDP port that allows generic access. |
| OPEN_TELNET_PORT | A firewall is configured to have an open Telnet port that allows generic access. |
| OPEN_FIREWALL | A firewall is configured to be open to public access. |
| OPEN_SSH_PORT | A firewall is configured to have an open SSH port that allows generic access. |
| SERVICE_ACCOUNT_ROLE_SEPARATION | A user has been assigned both the Service Account Admin and Service Account User roles. This violates the separation of duties principle. |
| NON_ORG_IAM_MEMBER | A user is not using organizational credentials. Per CIS Google Cloud Foundations 1.0, currently only identities with @gmail.com email addresses trigger this detector. |
| OVER_PRIVILEGED_SERVICE_ACCOUNT_USER | A user has the Service Account User or Service Account Token Creator role at the project level, instead of on a specific service account. |
| ADMIN_SERVICE_ACCOUNT | A service account has Admin, Owner, or Editor privileges. These roles should not be assigned to user-created service accounts. |
| SERVICE_ACCOUNT_KEY_NOT_ROTATED | A service account key has not been rotated for more than 90 days. |
| USER_MANAGED_SERVICE_ACCOUNT_KEY | A user manages a service account key. |
| PRIMITIVE_ROLES_USED | A user has one of the basic roles Owner, Editor, or Viewer. These roles are too permissive and should not be used. |
| KMS_ROLE_SEPARATION | Separation of duties is not enforced: a user holds the Cloud KMS Admin role together with any of the following Cloud Key Management Service (Cloud KMS) roles: CryptoKey Encrypter/Decrypter, Encrypter, or Decrypter. |
| OPEN_GROUP_IAM_MEMBER | A Google Groups account that can be joined without approval is used as a principal in an IAM allow policy. |
| KMS_KEY_NOT_ROTATED | Rotation is not configured on a Cloud KMS encryption key. Keys should be rotated within a period of 90 days. |
| KMS_PROJECT_HAS_OWNER | A user has Owner permissions on a project that has cryptographic keys. |
| TOO_MANY_KMS_USERS | There are more than three users of cryptographic keys. |
| OBJECT_VERSIONING_DISABLED | Object versioning is not enabled on a storage bucket where sinks are configured. |
| LOCKED_RETENTION_POLICY_NOT_SET | A locked retention policy is not set for logs. |
| BUCKET_LOGGING_DISABLED | There is a storage bucket without logging enabled. |
| LOG_NOT_EXPORTED | There is a resource that does not have an appropriate log sink configured. |
| AUDIT_LOGGING_DISABLED | Audit logging has been disabled for this resource. |
| MFA_NOT_ENFORCED | There are users who are not using 2-Step Verification. |
| ROUTE_NOT_MONITORED | Log metrics and alerts are not configured to monitor VPC network route changes. |
| OWNER_NOT_MONITORED | Log metrics and alerts are not configured to monitor project ownership assignments or changes. |
| AUDIT_CONFIG_NOT_MONITORED | Log metrics and alerts are not configured to monitor audit configuration changes. |
| BUCKET_IAM_NOT_MONITORED | Log metrics and alerts are not configured to monitor Cloud Storage IAM permission changes. |
| CUSTOM_ROLE_NOT_MONITORED | Log metrics and alerts are not configured to monitor custom role changes. |
| FIREWALL_NOT_MONITORED | Log metrics and alerts are not configured to monitor Virtual Private Cloud (VPC) network firewall rule changes. |
| NETWORK_NOT_MONITORED | Log metrics and alerts are not configured to monitor VPC network changes. |
| SQL_INSTANCE_NOT_MONITORED | Log metrics and alerts are not configured to monitor Cloud SQL instance configuration changes. |
| DEFAULT_NETWORK | The default network exists in a project. |
| DNS_LOGGING_DISABLED | DNS logging is not enabled on a VPC network. |
| PUBSUB_CMEK_DISABLED | A Pub/Sub topic is not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. |
| PUBLIC_SQL_INSTANCE | A Cloud SQL database instance accepts connections from all IP addresses. |
| SSL_NOT_ENFORCED | A Cloud SQL database instance does not require all incoming connections to use SSL. |
| AUTO_BACKUP_DISABLED | A Cloud SQL database does not have automatic backups enabled. |
| SQL_CMEK_DISABLED | A SQL database instance is not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. |
| SQL_LOG_CHECKPOINTS_DISABLED | The log_checkpoints database flag for a Cloud SQL for PostgreSQL instance is not set to on. |
| SQL_LOG_CONNECTIONS_DISABLED | The log_connections database flag for a Cloud SQL for PostgreSQL instance is not set to on. |
| SQL_LOG_DISCONNECTIONS_DISABLED | The log_disconnections database flag for a Cloud SQL for PostgreSQL instance is not set to on. |
| SQL_LOG_DURATION_DISABLED | The log_duration database flag for a Cloud SQL for PostgreSQL instance is not set to on. |
| SQL_LOG_LOCK_WAITS_DISABLED | The log_lock_waits database flag for a Cloud SQL for PostgreSQL instance is not set to on. |
| SQL_LOG_STATEMENT | The log_statement database flag for a Cloud SQL for PostgreSQL instance is not set to ddl (all data definition statements). |
| SQL_NO_ROOT_PASSWORD | A Cloud SQL database does not have a password configured for the root account. This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. |
| SQL_PUBLIC_IP | A Cloud SQL database has a public IP address. |
| SQL_CONTAINED_DATABASE_AUTHENTICATION | The contained database authentication database flag for a Cloud SQL for SQL Server instance is not set to off. |
| SQL_CROSS_DB_OWNERSHIP_CHAINING | The cross_db_ownership_chaining database flag for a Cloud SQL for SQL Server instance is not set to off. |
| SQL_LOCAL_INFILE | The local_infile database flag for a Cloud SQL for MySQL instance is not set to off. |
| SQL_LOG_MIN_ERROR_STATEMENT | The log_min_error_statement database flag for a Cloud SQL for PostgreSQL instance is not set appropriately. |
| SQL_LOG_MIN_ERROR_STATEMENT_SEVERITY | The log_min_error_statement database flag for a Cloud SQL for PostgreSQL instance does not have an appropriate severity level. |
| SQL_LOG_TEMP_FILES | The log_temp_files database flag for a Cloud SQL for PostgreSQL instance is not set to 0. |
| SQL_REMOTE_ACCESS_ENABLED | The remote access database flag for a Cloud SQL for SQL Server instance is not set to off. |
| SQL_SKIP_SHOW_DATABASE_DISABLED | The skip_show_database database flag for a Cloud SQL for MySQL instance is not set to on. |
| SQL_TRACE_FLAG_3625 | The 3625 (trace flag) database flag for a Cloud SQL for SQL Server instance is not set to on. |
| SQL_USER_CONNECTIONS_CONFIGURED | The user connections database flag for a Cloud SQL for SQL Server instance is configured. |
| SQL_USER_OPTIONS_CONFIGURED | The user options database flag for a Cloud SQL for SQL Server instance is configured. |
| PUBLIC_BUCKET_ACL | A Cloud Storage bucket is publicly accessible. |
| BUCKET_POLICY_ONLY_DISABLED | Uniform bucket-level access, previously called Bucket Policy Only, is not configured. |
| BUCKET_CMEK_DISABLED | A bucket is not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. |
| FLOW_LOGS_DISABLED | There is a VPC subnetwork that has flow logs disabled. |
| PRIVATE_GOOGLE_ACCESS_DISABLED | There are private subnetworks without access to Google public APIs. |
| kms_key_region_europe | Per company policy, all cryptographic keys should be stored in Europe. |
| kms_non_euro_region | Per company policy, all cryptographic keys should be stored in Europe. |
| LEGACY_NETWORK | A legacy network exists in a project. |
| LOAD_BALANCER_LOGGING_DISABLED | Logging is disabled for a load balancer. |
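The SQL_LOG_* rows in the VULNERABILITY and MISCONFIGURATION tables above each name one Cloud SQL for PostgreSQL flag and the value Security Health Analytics expects. The following is an added example (not Security Health Analytics code) that turns those rows into a single check: it flattens an instance's `settings.databaseFlags`, reports which finding names the current values would trigger, and builds the merged flag set to patch back. The sample instance is constructed; `PG_DEFAULTS` is an assumption about PostgreSQL's documented defaults for flags that are not set on the instance (note that `log_checkpoints` defaults to on from PostgreSQL 15), and the `gcloud sql instances patch --database-flags` invocation is included because that flag applies the complete new set rather than merging.

```python
"""Evaluate Cloud SQL for PostgreSQL database flags against the SQL_LOG_* findings
(added example, not Security Health Analytics code).

PG_DEFAULTS is an assumption about PostgreSQL defaults for flags that are unset
on the instance; the sample instance is constructed.
"""
from typing import Dict, List, Mapping, Set, Tuple

# flag -> (acceptable values, finding raised otherwise), taken from the tables above
EXPECTED: Dict[str, Tuple[Set[str], str]] = {
    "log_checkpoints": ({"on"}, "SQL_LOG_CHECKPOINTS_DISABLED"),
    "log_connections": ({"on"}, "SQL_LOG_CONNECTIONS_DISABLED"),
    "log_disconnections": ({"on"}, "SQL_LOG_DISCONNECTIONS_DISABLED"),
    "log_duration": ({"on"}, "SQL_LOG_DURATION_DISABLED"),
    "log_lock_waits": ({"on"}, "SQL_LOG_LOCK_WAITS_DISABLED"),
    "log_statement": ({"ddl"}, "SQL_LOG_STATEMENT"),
    "log_min_messages": ({"warning"}, "SQL_LOG_MIN_MESSAGES"),
    "log_temp_files": ({"0"}, "SQL_LOG_TEMP_FILES"),
    "log_min_duration_statement": ({"-1"}, "SQL_LOG_MIN_DURATION_STATEMENT_ENABLED"),
    "log_error_verbosity": ({"default", "terse"}, "SQL_LOG_ERROR_VERBOSITY"),  # default or stricter
    "log_hostname": ({"off"}, "SQL_LOG_HOSTNAME_ENABLED"),
    "log_parser_stats": ({"off"}, "SQL_LOG_PARSER_STATS_ENABLED"),
    "log_planner_stats": ({"off"}, "SQL_LOG_PLANNER_STATS_ENABLED"),
    "log_executor_stats": ({"off"}, "SQL_LOG_EXECUTOR_STATS_ENABLED"),
    "log_statement_stats": ({"off"}, "SQL_LOG_STATEMENT_STATS_ENABLED"),
}

# Effective value when the flag is not set (assumed PostgreSQL defaults, pre-15).
PG_DEFAULTS: Dict[str, str] = {
    "log_checkpoints": "off", "log_connections": "off", "log_disconnections": "off",
    "log_duration": "off", "log_lock_waits": "off", "log_statement": "none",
    "log_min_messages": "warning", "log_temp_files": "-1",
    "log_min_duration_statement": "-1", "log_error_verbosity": "default",
    "log_hostname": "off", "log_parser_stats": "off", "log_planner_stats": "off",
    "log_executor_stats": "off", "log_statement_stats": "off",
}


def flags_from_instance(instance: Mapping) -> Dict[str, str]:
    """Flatten settings.databaseFlags ([{name, value}, ...]) into a lower-cased dict."""
    return {f["name"].lower(): str(f["value"]).lower()
            for f in instance.get("settings", {}).get("databaseFlags", [])}


def evaluate_postgres_flags(flags: Mapping[str, str]) -> List[str]:
    """Return the sorted SQL_LOG_* finding names this flag set would trigger."""
    findings = []
    for flag, (ok_values, finding) in EXPECTED.items():
        if flags.get(flag, PG_DEFAULTS[flag]) not in ok_values:
            findings.append(finding)
    return sorted(findings)


def remediated_flags(flags: Mapping[str, str]) -> Dict[str, str]:
    """Overlay the expected values on the current ones, keeping unrelated flags.

    Unrelated flags are kept on purpose: patching the database flags replaces
    the whole set, so dropping them would silently reset other settings.
    """
    merged = dict(flags)
    for flag, (ok_values, _) in EXPECTED.items():
        if merged.get(flag, PG_DEFAULTS[flag]) not in ok_values:
            merged[flag] = sorted(ok_values)[0]
    return merged


def gcloud_patch_command(instance_name: str, flags: Mapping[str, str]) -> str:
    """Build the gcloud invocation that applies the full merged flag set."""
    joined = ",".join(f"{k}={v}" for k, v in sorted(flags.items()))
    return f"gcloud sql instances patch {instance_name} --database-flags={joined}"


# Constructed sample, shaped like a Cloud SQL Admin API instance resource.
SAMPLE_INSTANCE = {
    "name": "pg-prod-1",
    "databaseVersion": "POSTGRES_14",
    "settings": {"databaseFlags": [
        {"name": "log_connections", "value": "on"},
        {"name": "log_hostname", "value": "on"},      # should be off
        {"name": "log_statement", "value": "all"},    # expected: ddl
        {"name": "max_connections", "value": "200"},  # unrelated, must survive the patch
    ]},
}

if __name__ == "__main__":
    current = flags_from_instance(SAMPLE_INSTANCE)
    print(evaluate_postgres_flags(current))
    print(gcloud_patch_command(SAMPLE_INSTANCE["name"], remediated_flags(current)))
```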
Supported GCP_SECURITYCENTER_POSTURE_VIOLATION findings
You can find the UDM mappings in the Field mapping reference: POSTURE_VIOLATION table.
| Finding name | Description |
|---|---|
| SECURITY_POSTURE_DRIFT | A deviation from a policy defined in a security posture. The security posture service detected this issue. |
| SECURITY_POSTURE_POLICY_DRIFT | The security posture service detected a change to an organization policy that occurred outside of a posture update. |
| SECURITY_POSTURE_POLICY_DELETE | The security posture service detected that an organization policy was deleted. The deletion occurred outside of a posture update. |
| SECURITY_POSTURE_DETECTOR_DRIFT | The security posture service detected a change to a Security Health Analytics detector that occurred outside of a posture update. |
| SECURITY_POSTURE_DETECTOR_DELETE | The security posture service detected that a Security Health Analytics custom module was deleted. The deletion occurred outside of a posture update. |
支持的安全中心日志格式
安全中心解析器支持 JSON 格式的日志。
支持的安全中心日志示例
- GCP_SECURITYCENTER_THREAT 示例日志 - JSON
 - { "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//cloudidentity.googleapis.com/groups/GROUP_NAME@ORGANIZATION_NAME", "state": "ACTIVE", "category": "Credential Access: External Member Added To Privileged Group", "sourceProperties": { "sourceId": { "organizationNumber": "ORGANIZATION_ID", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "technique": "persistence", "indicator": "audit_log", "ruleName": "external_member_added_to_privileged_group" }, "detectionPriority": "HIGH", "affectedResources": [ { "gcpResourceName": "//cloudidentity.googleapis.com/groups/GROUP_NAME@ORGANIZATION_NAME" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" } ], "evidence": [ { "sourceLogId": { "resourceContainer": "organizations/ORGANIZATION_ID", "timestamp": { "seconds": "1633622881", "nanos": 6.73869E8 }, "insertId": "INSERT_ID" } } ], "properties": { "externalMemberAddedToPrivilegedGroup": { "principalEmail": "abc@gmail.com", "groupName": "group:GROUP_NAME@ORGANIZATION_NAME", "externalMember": "user:abc@gamil.com", "sensitiveRoles": [ { "resource": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "roleName": [ "ROLES" ] } ] } }, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "dummy display name", "url": " dummy.url.com" }, "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query\\u003dtimestamp%3D%222022-10-01T16:08:01.673869Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22%22?project\\u003d" } ] } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2022-10-01T16:08:03.888Z", "createTime": "2022-10-01T16:08:04.516Z", "severity": "HIGH", "workflowState": "NEW", "canonicalName": 
"organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "findingClass": "THREAT" }, "resource": { "name": "//cloudidentity.googleapis.com/groups/GROUP_NAME@ORGANIZATION_NAME" } }
- GCP_SECURITYCENTER_MISCONFIGURATION 示例日志 - JSON
 - { "findings": { "access": {}, "assetDisplayName": "eventApps", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/1032183397765/sources/4563429019522465317/findings/fdb789f992c67f6386ec735aca337bab", "category": "API_KEY_APIS_UNRESTRICTED", "compliances": [ { "standard": "cis", "version": "1.0", "ids": [ "1.12" ] }, { "standard": "cis", "version": "1.1", "ids": [ "1.14" ] }, { "standard": "cis", "version": "1.2", "ids": [ "1.14" ] } ], "contacts": { "security": { "contacts": [ { "email": "test@domainname.com" } ] }, "technical": { "contacts": [ { "email": "test@domainname.com" } ] } }, "createTime": "2022-12-01T15:16:21.119Z", "database": {}, "description": "Unrestricted API keys are insecure because they can be retrieved on devices on which the key is stored or can be seen publicly, e.g., from within a browser. In accordance with the principle of least privileges, it is recommended to restrict the APIs that can be called using each API key to only those required by an application. For more information, see https://cloud.google.com/docs/authentication/api-keys#api_key_restrictions", "eventTime": "2022-12-01T14:35:42.317Z", "exfiltration": {}, "externalUri": "https://console.cloud.google.com/apis/credentials?project=eventapps-27705", "findingClass": "MISCONFIGURATION", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/security_health_advisor", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": {}, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Security Health Analytics", "resourceName": "//cloudresourcemanager.googleapis.com/projects/1032183397765", "severity": "MEDIUM", "sourceDisplayName": "Security Health Analytics", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//cloudresourcemanager.googleapis.com/projects/1032183397765", "display_name": "dummy-display-name", "project_name": "//cloudresourcemanager.googleapis.com/projects/1032183397765", "project_display_name": "dummy-project", "parent_name": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID", "parent_display_name": "domainname.com", "type": "google.cloud.resourcemanager.Project", "folders": [] }, "sourceProperties": { "Recommendation": "Go to https://console.cloud.google.com/apis/credentials?project=eventapps-27705. In the section \"API keys,\" for each API key, click the name of the key. It will display API Key properties on a new page. In the \"Key restrictions\" section, set API restrictions to \"Restrict key.\" Click the \"Select APIs\" drop-down menu to choose which APIs to allow. Click \"Save.\"", "ExceptionInstructions": "Add the security mark \"allow_api_key_apis_unrestricted\" to the asset with a value of \"true\" to prevent this finding from being activated again.", "Explanation": "Unrestricted API keys are insecure because they can be retrieved on devices on which the key is stored or can be seen publicly, e.g., from within a browser. In accordance with the principle of least privileges, it is recommended to restrict the APIs that can be called using each API key to only those required by an application. For more information, see https://cloud.google.com/docs/authentication/api-keys#api_key_restrictions", "ScannerName": "API_KEY_SCANNER", "ResourcePath": [ "projects/eventapps-27705/", "organizations/ORGANIZATION_ID/" ], "compliance_standards": { "cis": [ { "version": "1.0", "ids": [ "1.12" ] }, { "version": "1.1", "ids": [ "1.14" ] }, { "version": "1.2", "ids": [ "1.14" ] } ] }, "ReactivationCount": 0 } }
- GCP_SECURITYCENTER_OBSERVATION sample log - JSON
 - { "findings": { "access": { "principalEmail": "dummy.user@dummy.com", "callerIp": "198.51.100.1", "callerIpGeo": { "regionCode": "SG" }, "serviceName": "compute.googleapis.com", "methodName": "v1.compute.projects.setCommonInstanceMetadata", "principalSubject": "user:dummy.user@dummy.com" }, "canonicalName": "projects/856289305908/sources/SOURCE_ID/findings/FINDING_ID", "category": "Persistence: Project SSH Key Added", "contacts": { "security": { "contacts": [ { "email": "dummy.user@dummy.com" } ] }, "technical": { "contacts": [ { "email": "dummy.user@dummy.xyz" } ] } }, "createTime": "2022-11-10T18:33:07.631Z", "database": {}, "eventTime": "2022-11-10T18:33:07.271Z", "exfiltration": {}, "findingClass": "OBSERVATION", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/sensitive_actions", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "primaryTactic": "PERSISTENCE", "primaryTechniques": [ "ACCOUNT_MANIPULATION", "SSH_AUTHORIZED_KEYS" ] }, "mute": "UNDEFINED", "name": "organizations/595779152576/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/595779152576/sources/SOURCE_ID", "parentDisplayName": "Sensitive Actions Service", "resourceName": "//compute.googleapis.com/projects/spring-banner-350111", "severity": "LOW", "sourceDisplayName": "Sensitive Actions Service", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/spring-banner-350111", "display_name": "spring-banner-350111", "project_name": "//cloudresourcemanager.googleapis.com/projects/856289305908", "project_display_name": "dummy-project", "parent_name": "//cloudresourcemanager.googleapis.com/projects/856289305908", "parent_display_name": "spring-banner-350111", "type": "google.compute.Project", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "856289305908", "customerOrganizationNumber": "ORGANIZATION_ID" }, "detectionCategory": { "ruleName": "sensitive_action", "subRuleName": "add_ssh_key" }, "detectionPriority": "LOW", "affectedResources": [ { "gcpResourceName": "//compute.googleapis.com/projects/spring-banner-350111" }, { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/856289305908" } ], "evidence": [ { "sourceLogId": { "projectId": "spring-banner-350111", "resourceContainer": "projects/spring-banner-350111", "timestamp": { "seconds": "1668105185", "nanos": 642158000 }, "insertId": "v2stobd9ihi" } } ], "properties": {}, "findingId": "findingId", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "dummy.domain.com" } } } }
- GCP_SECURITYCENTER_VULNERABILITY sample log - JSON
 - { "findings": { "access": {}, "assetDisplayName": "Sample-00000", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID", "category": "CLEAR_TEXT_PASSWORD", "compliances": [ { "standard": "owasp", "version": "2017", "ids": [ "A3" ] }, { "standard": "owasp", "version": "2021", "ids": [ "A02" ] } ], "contacts": { "security": { "contacts": [ { "email": "dummy@sample.com" } ] }, "technical": { "contacts": [ { "email": "dummy@sample.com" } ] } }, "createTime": "2022-11-24T09:28:52.589Z", "database": {}, "description": "An application appears to be transmitting a password field in clear text. An attacker can eavesdrop network traffic and sniff the password field.", "eventTime": "2022-11-24T04:56:26Z", "exfiltration": {}, "externalUri": "https://sample.dummy.com/", "findingClass": "VULNERABILITY", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/css", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": {}, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Web Security Scanner", "resourceName": "//dummy.sample.com", "severity": "MEDIUM", "sourceDisplayName": "Web Security Scanner", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//cloudresourcemanager.googleapis.com", "display_name": "dummy_name", "project_name": "//cloudresourcemanager.googleapis.com", "project_display_name": "dummy_name", "parent_name": "//dummy.sample.com", "parent_display_name": "Sample-Dev-Project", "type": "sample.cloud.dummy.Project", "folders": [ { "resourceFolderDisplayName": "Sample-Dev-Project", "resourceFolder": "//cloudresourcemanager.googleapis.com/" } ] }, "sourceProperties": { "severity": "MEDIUM", "fuzzedUrl": "dummy.domain.com", "form": { "actionUri": "dummy.domain.com", "fields": [ "os_username", "os_password", "", "os_cookie", "os_destination", "user_role", "atl_token", "login" ] }, "name": "projects/PROJECT_ID/scanConfigs/SCAN_CONFIG_ID/scanRuns/SCAN_RUN_ID/findings/FINDING_ID", "description": "An application appears to be transmitting a password field in clear text. An attacker can eavesdrop network traffic and sniff the password field.", "reproductionUrl": "http://198.51.100.1:0000/login.jsp?searchString=", "httpMethod": "GET", "finalUrl": "http://0.0.0.0:0000/sample.dummy=", "ResourcePath": [ "projects/sample-dummy/", "folders/FOLDER_ID/", "organizations/ORGANIZATION_ID/" ], "compliance_standards": { "owasp": [ { "version": "2017", "ids": [ "A3" ] }, { "version": "2021", "ids": [ "A02" ] } ] } } }
- GCP_SECURITYCENTER_ERROR sample log - JSON
 - { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//cloudresourcemanager.googleapis.com/projects/742742027423", "state": "ACTIVE", "category": "KTD_SERVICE_ACCOUNT_MISSING_PERMISSIONS", "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2022-11-23T16:36:03.458107Z", "createTime": "2022-11-01T07:36:37.078Z", "severity": "CRITICAL", "canonicalName": "projects/742742027423/sources/SOURCE_ID/findings/FINDING_ID", "mute": "UNDEFINED", "findingClass": "SCC_ERROR", "access": { "callerIpGeo": {} }, "contacts": { "security": { "contacts": [ { "email": "test.user@domain.com" } ] }, "technical": { "contacts": [ { "email": "test.user@domain.com" } ] } }, "parentDisplayName": "Security Command Center", "description": "Either all or some Container Threat Detection findings aren\u0027t being sent to Security Command Center. A service account is missing permissions required for Container Threat Detection.", "iamBindings": [ { "member": "test.user@domain.com" } ], "nextSteps": "Restore the required IAM roles on the Container Threat Detection service account. \n1. Go to [IAM](/iam-admin/iam) \n2. Select the service account: \"test.user@domain.com\" \n - If you don\u0027t see the service account listed, click **Add** at the top of the page and enter it as a new principal \n3. Apply the following role:* \n 1. Container Threat Detection Service Agent \n4. Click **Save**. \n \n*If you use custom roles, apply these missing permissions: \n - container.clusterRoleBindings.create,container.clusterRoleBindings.delete,container.clusterRoleBindings.update,container.clusterRoles.create,container.clusterRoles.delete,container.clusterRoles.escalate,container.clusterRoles.update,container.customResourceDefinitions.create,container.customResourceDefinitions.delete,container.customResourceDefinitions.update,container.daemonSets.create,container.daemonSets.delete,container.daemonSets.update,container.daemonSets.updateStatus,container.networkPolicies.update,container.pods.attach,container.pods.create,container.pods.delete,container.pods.exec,container.pods.getLogs,container.pods.portForward,container.pods.update,container.roleBindings.create,container.roleBindings.delete,container.roleBindings.update,container.roles.bind,container.roles.create,container.roles.delete,container.roles.escalate,container.roles.update,container.secrets.create,container.secrets.list,container.secrets.delete,container.secrets.update,container.serviceAccounts.create,container.serviceAccounts.delete,container.serviceAccounts.update" }
- GCP_SECURITYCENTER_UNSPECIFIED sample log - JSON
 - { "findings": { "access": {}, "canonicalName": "organizations/595779152576/sources/SOURCE_ID/findings/FINDING_ID", "category": "OPEN_FIREWALL", "compliances": [ { "standard": "pci", "ids": [ "1.2.1" ] } ], "contacts": { "security": { "contacts": [ { "email": "test.user@dummy.xyz" } ] }, "technical": { "contacts": [ { "email": "test.user@dummy.xyz" } ] } }, "createTime": "2021-07-20T08:33:25.343Z", "database": {}, "eventTime": "2022-07-19T07:44:38.374Z", "exfiltration": {}, "externalUri": "dummy.domain.com", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": {}, "mute": "MUTED", "muteInitiator": "Muted by test.user@dummy.xyz", "muteUpdateTime": "2022-03-08T05:41:06.507Z", "name": "organizations/595779152576/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/595779152576/sources/SOURCE_ID", "parentDisplayName": "Security Health Analytics", "resourceName": "//compute.googleapis.com/projects/calcium-vial-280707/global/firewalls/3199326669616479704", "severity": "HIGH", "sourceDisplayName": "Sanity_grc", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/calcium-vial-280707/global/firewalls/3199326669616479704", "display_name": "", "project_name": "", "project_display_name": "", "parent_name": "", "parent_display_name": "", "type": "", "folders": [] }, "sourceProperties": { "ScannerName": "FIREWALL_SCANNER", "ResourcePath": [ "projects/calcium-vial-280707/", "organizations/ORGANIZATION_ID/" ], "ReactivationCount": 0, "AllowedIpRange": "All", "ExternallyAccessibleProtocolsAndPorts": [ { "IPProtocol": "tcp", "ports": [ "80" ] } ] } }
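The field mapping reference that follows describes the parser's rules as conditional prose (set a constant, map a field only for certain categories, extract an id with a pattern). The Python below is an added example, not the Google Security Operations parser and not code from this page: it applies a handful of those rules to a constructed finding shaped like the GCP_SECURITYCENTER_OBSERVATION sample above and returns a flat dictionary keyed by UDM field path. Two things are assumptions: a plain regular expression stands in for the Grok pattern the reference mentions for extracting finding_id from canonicalName, and the extracted finding_id is taken to be the value that lands in metadata.product_log_id when it is present.

```python
import re
from typing import Any, Dict, Optional

# Constructed sample, shaped like the GCP_SECURITYCENTER_OBSERVATION finding above.
# Values are placeholders, not a real finding.
SAMPLE_FINDING: Dict[str, Any] = {
    "findings": {
        "access": {
            "principalEmail": "dummy.user@dummy.com",
            "callerIp": "198.51.100.1",
            "callerIpGeo": {"regionCode": "SG"},
            "principalSubject": "user:dummy.user@dummy.com",
        },
        "canonicalName": "projects/856289305908/sources/SOURCE_ID/findings/FINDING_ID",
        "category": "Persistence: Project SSH Key Added",
        "eventTime": "2022-11-10T18:33:07.271Z",
        "parentDisplayName": "Sensitive Actions Service",
    },
    "sourceProperties": {
        "evidence": [{"sourceLogId": {"insertId": "v2stobd9ihi"}}],
    },
}

# Categories for which the reference sets extension.auth.type to SSO.
SSO_CATEGORIES = {
    "Initial Access: Account Disabled Hijacked",
    "Initial Access: Disabled Password Leak",
    "Initial Access: Government Based Attack",
    "Initial Access: Suspicious Login Blocked",
    "Impair Defenses: Two Step Verification Disabled",
    "Persistence: SSO Enablement Toggle",
}

# Categories for which access.callerIp is mapped to principal.ip.
CALLER_IP_CATEGORIES = {
    "Defense Evasion: Modify VPC Service Control",
    "Exfiltration: BigQuery Data Extraction",
    "Exfiltration: BigQuery Data to Google Drive",
    "Exfiltration: CloudSQL Data Exfiltration",
    "Exfiltration: CloudSQL Restore Backup to External Organization",
    "Persistence: New Geography",
    "Persistence: IAM Anomalous Grant",
}

# Assumed regex standing in for the Grok pattern: finding_id is the last
# path segment after "findings/".
FINDING_ID_RE = re.compile(r"findings/(?P<finding_id>[^/]+)$")


def get_path(obj: Any, path: str) -> Any:
    """Walk a dotted path through nested dicts; lists are entered at their first element."""
    cur = obj
    for part in path.split("."):
        if isinstance(cur, list):
            cur = cur[0] if cur else None
        if not isinstance(cur, dict):
            return None
        cur = cur.get(part)
    if isinstance(cur, list):
        cur = cur[0] if cur else None
    return cur


def account_type(principal_subject: Optional[str]) -> Optional[str]:
    """principal.user.account_type: the serviceAccount pattern is checked before user."""
    if not principal_subject:
        return None
    if re.search(r"serviceAccount", principal_subject):
        return "SERVICE_ACCOUNT_TYPE"
    if re.search(r"user", principal_subject):
        return "CLOUD_ACCOUNT_TYPE"
    return None


def product_log_id(canonical_name: Optional[str], insert_id: Optional[str]) -> Optional[str]:
    """metadata.product_log_id: finding_id from canonicalName, else the evidence insertId."""
    if canonical_name:
        m = FINDING_ID_RE.search(canonical_name)
        if m:
            return m.group("finding_id")  # assumption: extracted id becomes product_log_id
    return insert_id


def to_udm(raw: Dict[str, Any]) -> Dict[str, Any]:
    """Apply a subset of the mapping rules; keys absent from the input are dropped."""
    f = raw.get("findings", {})
    category = f.get("category")
    udm: Dict[str, Any] = {
        "metadata.product_name": "Security Command Center",
        "metadata.vendor_name": "Google",
        "about.resource.attribute.cloud.environment": "GOOGLE_CLOUD_PLATFORM",
        "metadata.event_timestamp": f.get("eventTime"),
        "metadata.product_event_type": category,
        "metadata.description": f.get("parentDisplayName"),
        "metadata.product_log_id": product_log_id(
            f.get("canonicalName"),
            get_path(raw, "sourceProperties.evidence.sourceLogId.insertId"),
        ),
        "principal.location.country_or_region": get_path(f, "access.callerIpGeo.regionCode"),
        "principal.user.account_type": account_type(get_path(f, "access.principalSubject")),
    }
    if category in SSO_CATEGORIES:
        udm["extension.auth.type"] = "SSO"
    if category == "Brute Force: SSH":
        udm["extension.mechanism"] = "USERNAME_PASSWORD"
    if category in CALLER_IP_CATEGORIES:
        udm["principal.ip"] = get_path(f, "access.callerIp")
    return {k: v for k, v in udm.items() if v is not None}


if __name__ == "__main__":
    for key, value in sorted(to_udm(SAMPLE_FINDING).items()):
        print(f"{key} = {value}")
```

Note that for the sample category (Persistence: Project SSH Key Added) the callerIp is deliberately not promoted to principal.ip, because that category is not in the list the reference gives for that rule; the unconditional mappings (regionCode, account type, constants) still apply. Category-gated rules like these are why a detection written against principal.ip must be checked per finding category rather than assumed to be populated for every Security Command Center event.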
Field mapping reference
This section describes how the Google Security Operations parser maps Security Command Center log fields to Google Security Operations Unified Data Model (UDM) fields for the data set.
Field mapping reference: raw log field to UDM field
The following table lists the log fields of Security Command Center Event Threat Detection findings and the corresponding UDM mappings.
| RawLog 字段 | UDM 映射 | 逻辑 | 
|---|---|---|
| compliances.ids | about.labels [compliance_ids](已弃用) | |
| compliances.ids | additional.fields [compliance_ids] | |
| compliances.version | about.labels [compliance_version](已弃用) | |
| compliances.version | additional.fields [compliance_version] | |
| compliances.standard | about.labels [compliances_standard](已弃用) | |
| compliances.standard | additional.fields [compliances_standard] | |
| connections.destinationIp | about.labels [connections_destination_ip](已弃用) | 如果 connections.destinationIp日志字段值不等于sourceProperties.properties.ipConnection.destIp,则connections.destinationIp日志字段会映射到about.labels.valueUDM 字段。 | 
| connections.destinationIp | additional.fields [connections_destination_ip] | 如果 connections.destinationIp日志字段值不等于sourceProperties.properties.ipConnection.destIp,则connections.destinationIp日志字段会映射到additional.fields.value.string_valueUDM 字段。 | 
| connections.destinationPort | about.labels [connections_destination_port](已弃用) | |
| connections.destinationPort | additional.fields [connections_destination_port] | |
| connections.protocol | about.labels [connections_protocol](已弃用) | |
| connections.protocol | additional.fields [connections_protocol] | |
| connections.sourceIp | about.labels [connections_source_ip](已弃用) | |
| connections.sourceIp | additional.fields [connections_source_ip] | |
| connections.sourcePort | about.labels [connections_source_port](已弃用) | |
| connections.sourcePort | additional.fields [connections_source_port] | |
| kubernetes.pods.ns | target.resource_ancestors.attribute.labels.key/value [kubernetes_pods_ns] | |
| kubernetes.pods.name | target.resource_ancestors.name | |
| kubernetes.nodes.name | target.resource_ancestors.name | |
| kubernetes.nodePools.name | target.resource_ancestors.name | |
|  | target.resource_ancestors.resource_type | 如果 message日志字段值与正则表达式模式kubernetes匹配,则target.resource_ancestors.resource_typeUDM 字段设置为 CLUSTER。否则,如果 message日志字段值与正则表达式kubernetes.*?pods匹配,则target.resource_ancestors.resource_typeUDM 字段设置为 POD。 | 
|  | about.resource.attribute.cloud.environment | about.resource.attribute.cloud.environmentUDM 字段设置为GOOGLE_CLOUD_PLATFORM。 | 
| externalSystems.assignees | about.resource.attribute.labels.key/value [externalSystems_assignees] | |
| externalSystems.status | about.resource.attribute.labels.key/value [externalSystems_status] | |
| kubernetes.nodePools.nodes.name | target.resource.attribute.labels.key/value [kubernetes_nodePools_nodes_name] | |
| kubernetes.pods.containers.uri | target.resource_ancestors.attribute.labels.key/value [kubernetes_pods_containers_uri] | |
| kubernetes.pods.containers.createTime | target.resource_ancestors.attribute.labels[kubernetes_pods_containers_createTime] | |
| kubernetes.roles.kind | target.resource.attribute.labels.key/value [kubernetes_roles_kind] | |
| kubernetes.roles.name | target.resource.attribute.labels.key/value [kubernetes_roles_name] | |
| kubernetes.roles.ns | target.resource.attribute.labels.key/value [kubernetes_roles_ns] | |
| kubernetes.pods.containers.labels.name/value | target.resource.attribute.labels.key/value [kubernetes.pods.containers.labels.name/value] | |
| kubernetes.pods.labels.name/value | target.resource.attribute.labels.key/value [kubernetes.pods.labels.name/value] | |
| externalSystems.externalSystemUpdateTime | about.resource.attribute.last_update_time | |
| externalSystems.name | about.resource.name | |
| externalSystems.externalUid | about.resource.product_object_id | |
| indicator.uris | about.url | |
|  | extension.auth.type | 如果 category日志字段值等于Initial Access: Account Disabled Hijacked、Initial Access: Disabled Password Leak、Initial Access: Government Based Attack、Initial Access: Suspicious Login Blocked、Impair Defenses: Two Step Verification Disabled或Persistence: SSO Enablement Toggle,则extension.auth.typeUDM 字段设置为SSO。 | 
|  | extension.mechanism | 如果 category日志字段值等于Brute Force: SSH,则extension.mechanismUDM 字段设置为USERNAME_PASSWORD。 | 
|  | extensions.auth.type | 如果 principal.user.user_authentication_status日志字段值等于ACTIVE,则extensions.auth.typeUDM 字段设置为SSO。 | 
| vulnerability.cve.references.uri | extensions.vulns.vulnerabilities.about.labels [vulnerability.cve.references.uri](已弃用) | |
| vulnerability.cve.references.uri | additional.fields [vulnerability.cve.references.uri] | |
| vulnerability.cve.cvssv3.attackComplexity | extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_attackComplexity](已弃用) | |
| vulnerability.cve.cvssv3.attackComplexity | additional.fields [vulnerability_cve_cvssv3_attackComplexity] | |
| vulnerability.cve.cvssv3.availabilityImpact | extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_availabilityImpact](已弃用) | |
| vulnerability.cve.cvssv3.availabilityImpact | additional.fields [vulnerability_cve_cvssv3_availabilityImpact] | |
| vulnerability.cve.cvssv3.confidentialityImpact | extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_confidentialityImpact](已弃用) | |
| vulnerability.cve.cvssv3.confidentialityImpact | additional.fields [vulnerability_cve_cvssv3_confidentialityImpact] | |
| vulnerability.cve.cvssv3.integrityImpact | extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_integrityImpact](已弃用) | |
| vulnerability.cve.cvssv3.integrityImpact | additional.fields [vulnerability_cve_cvssv3_integrityImpact] | |
| vulnerability.cve.cvssv3.privilegesRequired | extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_privilegesRequired](已弃用) | |
| vulnerability.cve.cvssv3.privilegesRequired | additional.fields [vulnerability_cve_cvssv3_privilegesRequired] | |
| vulnerability.cve.cvssv3.scope | extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_scope](已弃用) | |
| vulnerability.cve.cvssv3.scope | additional.fields [vulnerability_cve_cvssv3_scope] | |
| vulnerability.cve.cvssv3.userInteraction | extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_userInteraction](已弃用) | |
| vulnerability.cve.cvssv3.userInteraction | additional.fields [vulnerability_cve_cvssv3_userInteraction] | |
| vulnerability.cve.references.source | extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_references_source](已弃用) | |
| vulnerability.cve.references.source | additional.fields [vulnerability_cve_references_source] | |
| vulnerability.cve.upstreamFixAvailable | extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_upstreamFixAvailable](已弃用) | |
| vulnerability.cve.upstreamFixAvailable | additional.fields [vulnerability_cve_upstreamFixAvailable] | |
| vulnerability.cve.id | extensions.vulns.vulnerabilities.cve_id | |
| vulnerability.cve.cvssv3.baseScore | extensions.vulns.vulnerabilities.cvss_base_score | |
| vulnerability.cve.cvssv3.attackVector | extensions.vulns.vulnerabilities.cvss_vector | |
| sourceProperties.properties.loadBalancerName | intermediary.resource.name | 如果 category日志字段值等于Initial Access: Log4j Compromise Attempt,则sourceProperties.properties.loadBalancerName日志字段会映射到intermediary.resource.nameUDM 字段。 | 
|  | intermediary.resource.resource_type | 如果 category日志字段值等于Initial Access: Log4j Compromise Attempt,则intermediary.resource.resource_typeUDM 字段设置为BACKEND_SERVICE。 | 
| parentDisplayName | metadata.description | |
| eventTime | metadata.event_timestamp | |
| category | metadata.product_event_type | |
| sourceProperties.evidence.sourceLogId.insertId | metadata.product_log_id | 如果 canonicalName日志字段值不为空,则使用 Grok 模式从canonicalName日志字段中提取finding_id。如果 finding_id日志字段值为空,则将sourceProperties.evidence.sourceLogId.insertId日志字段映射到metadata.product_log_idUDM 字段。如果 canonicalName日志字段值为空,则将sourceProperties.evidence.sourceLogId.insertId日志字段映射到metadata.product_log_idUDM 字段。 | 
|  | metadata.product_name | metadata.product_nameUDM 字段设置为Security Command Center。 | 
| sourceProperties.contextUris.cloudLoggingQueryUri.url | security_result.detection_fields.key/value[sourceProperties_contextUris_cloudLoggingQueryUri_url] | |
|  | metadata.vendor_name | metadata.vendor_nameUDM 字段设置为Google。 | 
|  | network.application_protocol | 如果 category日志字段值等于Malware: Bad Domain或Malware: Cryptomining Bad Domain,则network.application_protocolUDM 字段设置为DNS。 | 
| sourceProperties.properties.indicatorContext.asn | network.asn | 如果 category日志字段值等于Malware: Cryptomining Bad IP,则sourceProperties.properties.indicatorContext.asn日志字段会映射到network.asnUDM 字段。 | 
| sourceProperties.properties.indicatorContext.carrierName | network.carrier_name | 如果 category日志字段值等于Malware: Cryptomining Bad IP,则sourceProperties.properties.indicatorContext.carrierName日志字段会映射到network.carrier_nameUDM 字段。 | 
| sourceProperties.properties.indicatorContext.reverseDnsDomain | network.dns_domain | 如果 category日志字段值等于Malware: Cryptomining Bad IP或Malware: Bad IP,则sourceProperties.properties.indicatorContext.reverseDnsDomain日志字段会映射到network.dns_domainUDM 字段。 | 
| sourceProperties.properties.dnsContexts.responseData.responseClass | network.dns.answers.class | 如果 category日志字段值等于Malware: Bad Domain,则sourceProperties.properties.dnsContexts.responseData.responseClass日志字段会映射到network.dns.answers.classUDM 字段。 | 
| sourceProperties.properties.dnsContexts.responseData.responseValue | network.dns.answers.data | 如果 category日志字段值与正则表达式Malware: Bad Domain匹配,则sourceProperties.properties.dnsContexts.responseData.responseValue日志字段会映射到network.dns.answers.dataUDM 字段。 | 
| sourceProperties.properties.dnsContexts.responseData.domainName | network.dns.answers.name | 如果 category日志字段值等于Malware: Bad Domain,则sourceProperties.properties.dnsContexts.responseData.domainName日志字段会映射到network.dns.answers.nameUDM 字段。 | 
| sourceProperties.properties.dnsContexts.responseData.ttl | network.dns.answers.ttl | 如果 category日志字段值等于Malware: Bad Domain,则sourceProperties.properties.dnsContexts.responseData.ttl日志字段会映射到network.dns.answers.ttlUDM 字段。 | 
| sourceProperties.properties.dnsContexts.responseData.responseType | network.dns.answers.type | 如果 category日志字段值等于Malware: Bad Domain,则sourceProperties.properties.dnsContexts.responseData.responseType日志字段会映射到network.dns.answers.typeUDM 字段。 | 
| sourceProperties.properties.dnsContexts.authAnswer | network.dns.authoritative | 如果 category日志字段值等于Malware: Bad Domain或Malware: Cryptomining Bad Domain,则sourceProperties.properties.dnsContexts.authAnswer日志字段会映射到network.dns.authoritativeUDM 字段。 | 
| sourceProperties.properties.dnsContexts.queryName | network.dns.questions.name | 如果 category日志字段值等于Malware: Bad Domain或Malware: Cryptomining Bad Domain,则sourceProperties.properties.dnsContexts.queryName日志字段会映射到network.dns.questions.nameUDM 字段。 | 
| sourceProperties.properties.dnsContexts.queryType | network.dns.questions.type | 如果 category日志字段值等于Malware: Bad Domain或Malware: Cryptomining Bad Domain,则sourceProperties.properties.dnsContexts.queryType日志字段会映射到network.dns.questions.typeUDM 字段。 | 
| sourceProperties.properties.dnsContexts.responseCode | network.dns.response_code | 如果 category日志字段值等于Malware: Bad Domain或Malware: Cryptomining Bad Domain,则sourceProperties.properties.dnsContexts.responseCode日志字段会映射到network.dns.response_codeUDM 字段。 | 
| sourceProperties.properties.anomalousSoftware.callerUserAgent | network.http.user_agent | 如果 category日志字段值等于Persistence: New User Agent,则sourceProperties.properties.anomalousSoftware.callerUserAgent日志字段会映射到network.http.user_agentUDM 字段。 | 
| sourceProperties.properties.callerUserAgent | network.http.user_agent | 如果 category日志字段值等于Persistence: GCE Admin Added SSH Key或Persistence: GCE Admin Added Startup Script,则sourceProperties.properties.callerUserAgent日志字段会映射到network.http.user_agentUDM 字段。 | 
| access.userAgentFamily | network.http.user_agent | |
| finding.access.userAgent | network.http.user_agent | |
| sourceProperties.properties.serviceAccountGetsOwnIamPolicy.rawUserAgent | network.http.user_agent | 如果 category日志字段值等于Discovery: Service Account Self-Investigation,则sourceProperties.properties.serviceAccountGetsOwnIamPolicy.rawUserAgent日志字段会映射到network.http.user_agentUDM 字段。 | 
| sourceProperties.properties.ipConnection.protocol | network.ip_protocol | 如果 category日志字段值等于Malware: Bad IP或Malware: Cryptomining Bad IP或Malware: Outgoing DoS,则network.ip_protocolUDM 字段会设置为以下值之一:
 | 
| sourceProperties.properties.indicatorContext.organizationName | network.organization_name | 如果 category日志字段值等于Malware: Cryptomining Bad IP或Malware: Bad IP,则sourceProperties.properties.indicatorContext.organizationName日志字段会映射到network.organization_nameUDM 字段。 | 
| sourceProperties.properties.anomalousSoftware.behaviorPeriod | network.session_duration | 如果 category日志字段值等于Persistence: New User Agent,则sourceProperties.properties.anomalousSoftware.behaviorPeriod日志字段会映射到network.session_durationUDM 字段。 | 
| sourceProperties.properties.sourceIp | principal.ip | 如果 category日志字段值与正则表达式Active Scan: Log4j Vulnerable to RCE匹配,则sourceProperties.properties.sourceIp日志字段会映射到principal.ipUDM 字段。 | 
| sourceProperties.properties.attempts.sourceIp | principal.ip | 如果 category日志字段值等于Brute Force: SSH,则sourceProperties.properties.attempts.sourceIp日志字段会映射到principal.ipUDM 字段。 | 
| access.callerIp | principal.ip | 如果 category日志字段值等于Defense Evasion: Modify VPC Service Control或access.callerIp或Exfiltration: BigQuery Data Extraction或Exfiltration: BigQuery Data to Google Drive或Exfiltration: CloudSQL Data Exfiltration或Exfiltration: CloudSQL Restore Backup to External Organization或Persistence: New Geography或Persistence: IAM Anomalous Grant,则access.callerIp日志字段会映射到principal.ipUDM 字段。 | 
| sourceProperties.properties.serviceAccountGetsOwnIamPolicy.callerIp | principal.ip | 如果 category日志字段值等于Discovery: Service Account Self-Investigation,则sourceProperties.properties.serviceAccountGetsOwnIamPolicy.callerIp日志字段会映射到principal.ipUDM 字段。 | 
| sourceProperties.properties.changeFromBadIp.ip | principal.ip | 如果 category日志字段值等于Evasion: Access from Anonymizing Proxy,则sourceProperties.properties.changeFromBadIp.ip日志字段会映射到principal.ipUDM 字段。 | 
| sourceProperties.properties.dnsContexts.sourceIp | principal.ip | 如果 category日志字段值等于Malware: Bad Domain或Malware: Cryptomining Bad Domain,则sourceProperties.properties.dnsContexts.sourceIp日志字段会映射到principal.ipUDM 字段。 | 
| sourceProperties.properties.ipConnection.srcIp | principal.ip | 如果 category日志字段值等于Malware: Bad IP或Malware: Cryptomining Bad IP或Malware: Outgoing DoS,则sourceProperties.properties.ipConnection.srcIp日志字段会映射到principal.ipUDM 字段。 | 
| sourceProperties.properties.callerIp sourceProperties.properties.indicatorContext.ipAddress | principal.ip | 如果 category日志字段值等于Malware: Cryptomining Bad IP或Malware: Bad IP,则当sourceProperties.properties.ipConnection.srcIp日志字段值不等于sourceProperties.properties.indicatorContext.ipAddress时,sourceProperties.properties.indicatorContext.ipAddress日志字段会映射到principal.ipUDM 字段。 | 
| sourceProperties.properties.anomalousLocation.callerIp | principal.ip | 如果 category日志字段值等于Persistence: New Geography,则sourceProperties.properties.anomalousLocation.callerIp日志字段会映射到principal.ipUDM 字段。 | 
| sourceProperties.properties.scannerDomain | principal.labels [sourceProperties_properties_scannerDomain](已弃用) | 如果 category日志字段值与正则表达式Active Scan: Log4j Vulnerable to RCE匹配,则sourceProperties.properties.scannerDomain日志字段会映射到principal.labels.key/valueUDM 字段。 | 
| sourceProperties.properties.scannerDomain | additional.fields [sourceProperties_properties_scannerDomain] | 如果 category日志字段值与正则表达式Active Scan: Log4j Vulnerable to RCE匹配,则sourceProperties.properties.scannerDomain日志字段会映射到additional.fields.value.string_valueUDM 字段。 | 
| sourceProperties.properties.dataExfiltrationAttempt.jobState | principal.labels [sourceProperties.properties.dataExfiltrationAttempt.jobState](已弃用) | 如果 category日志字段值等于Exfiltration: BigQuery Data Exfiltration,则sourceProperties.properties.dataExfiltrationAttempt.jobState日志字段会映射到principal.labels.key/valueUDM 字段。 | 
| sourceProperties.properties.dataExfiltrationAttempt.jobState | additional.fields [sourceProperties.properties.dataExfiltrationAttempt.jobState] | 如果 category日志字段值等于Exfiltration: BigQuery Data Exfiltration,则sourceProperties.properties.dataExfiltrationAttempt.jobState日志字段会映射到additional.fields.value.string_valueUDM 字段。 | 
| access.callerIpGeo.regionCode | principal.location.country_or_region | |
| sourceProperties.properties.indicatorContext.countryCode | principal.location.country_or_region | 如果 category日志字段值等于Malware: Cryptomining Bad IP或Malware: Bad IP,则sourceProperties.properties.indicatorContext.countryCode日志字段会映射到principal.location.country_or_regionUDM 字段。 | 
| sourceProperties.properties.dataExfiltrationAttempt.job.location | principal.location.country_or_region | 如果 category日志字段值等于Exfiltration: BigQuery Data Exfiltration,则sourceProperties.properties.dataExfiltrationAttempt.job.location日志字段会映射到principal.location.country_or_regionUDM 字段。 | 
| sourceProperties.properties.extractionAttempt.job.location | principal.location.country_or_region | 如果 category日志字段值等于Exfiltration: BigQuery Data Extraction或Exfiltration: BigQuery Data to Google Drive,则sourceProperties.properties.extractionAttempt.job.location日志字段会映射到principal.location.country_or_regionUDM 字段。 | 
| sourceProperties.properties.anomalousLocation.typicalGeolocations.country.identifier | principal.location.country_or_region | 如果 category日志字段值等于Persistence: New Geography或Persistence: IAM Anomalous Grant,则sourceProperties.properties.anomalousLocation.typicalGeolocations.country.identifier日志字段会映射到principal.location.country_or_regionUDM 字段。 | 
| sourceProperties.properties.anomalousLocation.anomalousLocation | principal.location.name | 如果 category日志字段值等于Persistence: IAM Anomalous Grant,则sourceProperties.properties.anomalousLocation.anomalousLocation日志字段会映射到principal.location.nameUDM 字段。 | 
| sourceProperties.properties.ipConnection.srcPort | principal.port | 如果 category日志字段值等于Malware: Bad IP或Malware: Outgoing DoS,则sourceProperties.properties.ipConnection.srcPort日志字段会映射到principal.portUDM 字段。 | 
| sourceProperties.properties.extractionAttempt.jobLink | principal.process.file.full_path | 如果 category日志字段值等于Exfiltration: BigQuery Data Extraction或Exfiltration: BigQuery Data to Google Drive,则sourceProperties.properties.extractionAttempt.jobLink日志字段会映射到principal.process.file.full_pathUDM 字段。 | 
| sourceProperties.properties.dataExfiltrationAttempt.jobLink | principal.process.file.full_path | 如果 category日志字段值等于Exfiltration: BigQuery Data Exfiltration,则sourceProperties.properties.dataExfiltrationAttempt.jobLink日志字段会映射到principal.process.file.full_pathUDM 字段。 | 
| sourceProperties.properties.dataExfiltrationAttempt.job.jobId | principal.process.pid | 如果 category日志字段值等于Exfiltration: BigQuery Data Exfiltration,则sourceProperties.properties.dataExfiltrationAttempt.job.jobId日志字段会映射到principal.process.pidUDM 字段。 | 
| sourceProperties.properties.extractionAttempt.job.jobId | principal.process.pid | 如果 category日志字段值等于Exfiltration: BigQuery Data Extraction或Exfiltration: BigQuery Data to Google Drive,则sourceProperties.properties.extractionAttempt.job.jobId日志字段会映射到principal.process.pidUDM 字段。 | 
| sourceProperties.properties.srcVpc.subnetworkName | principal.resource_ancestors.attribute.labels.key/value [sourceProperties_properties_destVpc_subnetworkName] | 如果 category日志字段值等于Malware: Cryptomining Bad IP或Malware: Bad IP,则sourceProperties.properties.srcVpc.subnetworkName日志字段会映射到principal.resource_ancestors.attribute.labels.valueUDM 字段。 | 
| principal.resource_ancestors.attribute.labels.key/value [sourceProperties_properties_srcVpc_projectId] | principal.resource_ancestors.attribute.labels.key/value [sourceProperties_properties_srcVpc_projectId] | 如果 category日志字段值等于Malware: Cryptomining Bad IP或Malware: Bad IP,则sourceProperties.properties.srcVpc.projectId日志字段会映射到principal.resource_ancestors.attribute.labels.valueUDM 字段。 | 
| sourceProperties.properties.srcVpc.vpcName | principal.resource_ancestors.name | 如果 category日志字段值等于Malware: Cryptomining Bad IP或Malware: Bad IP,则sourceProperties.properties.destVpc.vpcName日志字段会映射到principal.resource_ancestors.nameUDM 字段,并且principal.resource_ancestors.resource_typeUDM 字段会设置为VIRTUAL_MACHINE。 | 
| sourceProperties.sourceId.customerOrganizationNumber | principal.resource.attribute.labels.key/value [sourceProperties_sourceId_customerOrganizationNumber] | 如果 message日志字段值与正则表达式sourceProperties.sourceId.*?customerOrganizationNumber匹配,则sourceProperties.sourceId.customerOrganizationNumber日志字段会映射到principal.resource.attribute.labels.key/valueUDM 字段。 | 
| resource.projectName | principal.resource.name | |
| sourceProperties.properties.projectId | principal.resource.name | If the sourceProperties.properties.projectId log field value is not empty, then the sourceProperties.properties.projectId log field is mapped to the principal.resource.name UDM field. |
| sourceProperties.properties.serviceAccountGetsOwnIamPolicy.projectId | principal.resource.name | If the category log field value is equal to Discovery: Service Account Self-Investigation, then the sourceProperties.properties.serviceAccountGetsOwnIamPolicy.projectId log field is mapped to the principal.resource.name UDM field. |
| sourceProperties.properties.sourceInstanceDetails | principal.resource.name | If the category log field value is equal to Malware: Outgoing DoS, then the sourceProperties.properties.sourceInstanceDetails log field is mapped to the principal.resource.name UDM field. |
|  | principal.user.account_type | If the access.principalSubject log field value matches the regular expression serviceAccount, then the principal.user.account_type UDM field is set to SERVICE_ACCOUNT_TYPE. Else, if the access.principalSubject log field value matches the regular expression user, then the principal.user.account_type UDM field is set to CLOUD_ACCOUNT_TYPE. |
| access.principalSubject | principal.user.attribute.labels.key/value [access_principalSubject] | |
| access.serviceAccountDelegationInfo.principalSubject | principal.user.attribute.labels.key/value [access_serviceAccountDelegationInfo_principalSubject] | |
| access.serviceAccountKeyName | principal.user.attribute.labels.key/value [access_serviceAccountKeyName] | |
| sourceProperties.properties.serviceAccountGetsOwnIamPolicy.callerUserAgent | principal.user.attribute.labels.key/value [sourceProperties_properties_serviceAccountGetsOwnIamPolicy_callerUserAgent] | If the category log field value is equal to Discovery: Service Account Self-Investigation, then the principal.user.attribute.labels.key UDM field is set to rawUserAgent, and the sourceProperties.properties.serviceAccountGetsOwnIamPolicy.callerUserAgent log field is mapped to the principal.user.attribute.labels.value UDM field. |
| sourceProperties.properties.serviceAccountGetsOwnIamPolicy.principalEmail | principal.user.email_addresses | If the category log field value is equal to Discovery: Service Account Self-Investigation, then the sourceProperties.properties.serviceAccountGetsOwnIamPolicy.principalEmail log field is mapped to the principal.user.email_addresses UDM field. |
| sourceProperties.properties.changeFromBadIp.principalEmail | principal.user.email_addresses | If the category log field value is equal to Evasion: Access from Anonymizing Proxy, then the sourceProperties.properties.changeFromBadIp.principalEmail log field is mapped to the principal.user.email_addresses UDM field. |
| sourceProperties.properties.dataExfiltrationAttempt.userEmail | principal.user.email_addresses | If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.dataExfiltrationAttempt.userEmail log field is mapped to the principal.user.email_addresses UDM field. |
| sourceProperties.properties.principalEmail | principal.user.email_addresses | If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive or Initial Access: Account Disabled Hijacked or Initial Access: Disabled Password Leak or Initial Access: Government Based Attack or Impair Defenses: Strong Authentication Disabled or Impair Defenses: Two Step Verification Disabled or Persistence: GCE Admin Added Startup Script or Persistence: GCE Admin Added SSH Key, then the sourceProperties.properties.principalEmail log field is mapped to the principal.user.email_addresses UDM field. If the category log field value is equal to Initial Access: Suspicious Login Blocked, then the sourceProperties.properties.principalEmail log field is mapped to the principal.user.email_addresses UDM field. |
| access.principalEmail | principal.user.email_addresses | If the category log field value is equal to Defense Evasion: Modify VPC Service Control or Exfiltration: CloudSQL Data Exfiltration or Exfiltration: CloudSQL Restore Backup to External Organization or Persistence: New Geography, then the access.principalEmail log field is mapped to the principal.user.email_addresses UDM field. |
| sourceProperties.properties.sensitiveRoleGrant.principalEmail | principal.user.email_addresses | If the category log field value is equal to Persistence: IAM Anomalous Grant, then the sourceProperties.properties.sensitiveRoleGrant.principalEmail log field is mapped to the principal.user.email_addresses UDM field. |
| sourceProperties.properties.anomalousSoftware.principalEmail | principal.user.email_addresses | If the category log field value is equal to Persistence: New User Agent, then the sourceProperties.properties.anomalousSoftware.principalEmail log field is mapped to the principal.user.email_addresses UDM field. |
| sourceProperties.properties.exportToGcs.principalEmail | principal.user.email_addresses | |
| sourceProperties.properties.restoreToExternalInstance.principalEmail | principal.user.email_addresses | If the category log field value is equal to Exfiltration: CloudSQL Restore Backup to External Organization, then the sourceProperties.properties.restoreToExternalInstance.principalEmail log field is mapped to the principal.user.email_addresses UDM field. |
| access.serviceAccountDelegationInfo.principalEmail | principal.user.email_addresses | |
| sourceProperties.properties.customRoleSensitivePermissions.principalEmail | principal.user.email_addresses | If the category log field value is equal to Persistence: IAM Anomalous Grant, then the sourceProperties.properties.customRoleSensitivePermissions.principalEmail log field is mapped to the principal.user.email_addresses UDM field. |
| sourceProperties.properties.anomalousLocation.principalEmail | principal.user.email_addresses | If the category log field value is equal to Persistence: New Geography, then the sourceProperties.properties.anomalousLocation.principalEmail log field is mapped to the principal.user.email_addresses UDM field. |
| sourceProperties.properties.externalMemberAddedToPrivilegedGroup.principalEmail | principal.user.email_addresses | If the category log field value is equal to Credential Access: External Member Added To Privileged Group, then the sourceProperties.properties.externalMemberAddedToPrivilegedGroup.principalEmail log field is mapped to the principal.user.email_addresses UDM field. |
| sourceProperties.properties.privilegedGroupOpenedToPublic.principalEmail | principal.user.email_addresses | If the category log field value is equal to Credential Access: Privileged Group Opened To Public, then the sourceProperties.properties.privilegedGroupOpenedToPublic.principalEmail log field is mapped to the principal.user.email_addresses UDM field. |
| sourceProperties.properties.sensitiveRoleToHybridGroup.principalEmail | principal.user.email_addresses | If the category log field value is equal to Credential Access: Sensitive Role Granted To Hybrid Group, then the sourceProperties.properties.sensitiveRoleToHybridGroup.principalEmail log field is mapped to the principal.user.email_addresses UDM field. |
| sourceProperties.properties.vpcViolation.userEmail | principal.user.email_addresses | If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.vpcViolation.userEmail log field is mapped to the principal.user.email_addresses UDM field. |
| sourceProperties.properties.ssoState | principal.user.user_authentication_status | If the category log field value is equal to Initial Access: Account Disabled Hijacked or Initial Access: Disabled Password Leak or Initial Access: Government Based Attack or Initial Access: Suspicious Login Blocked or Impair Defenses: Two Step Verification Disabled or Persistence: SSO Enablement Toggle, then the sourceProperties.properties.ssoState log field is mapped to the principal.user.user_authentication_status UDM field. |
| database.userName | principal.user.userid | If the category log field value is equal to Exfiltration: CloudSQL Over-Privileged Grant, then the database.userName log field is mapped to the principal.user.userid UDM field. |
| sourceProperties.properties.threatIntelligenceSource | security_result.about.application | If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.threatIntelligenceSource log field is mapped to the security_result.about.application UDM field. |
| workflowState | security_result.about.investigation.status | |
| sourceProperties.properties.attempts.sourceIp | security_result.about.ip | If the category log field value is equal to Brute Force: SSH, then the sourceProperties.properties.attempts.sourceIp log field is mapped to the security_result.about.ip UDM field. |
| sourceProperties.findingId | metadata.product_log_id | |
| kubernetes.accessReviews.group | target.resource.attribute.labels.key/value [kubernetes_accessReviews_group] | |
| kubernetes.accessReviews.name | target.resource.attribute.labels.key/value [kubernetes_accessReviews_name] | |
| kubernetes.accessReviews.ns | target.resource.attribute.labels.key/value [kubernetes_accessReviews_ns] | |
| kubernetes.accessReviews.resource | target.resource.attribute.labels.key/value [kubernetes_accessReviews_resource] | |
| kubernetes.accessReviews.subresource | target.resource.attribute.labels.key/value [kubernetes_accessReviews_subresource] | |
| kubernetes.accessReviews.verb | target.resource.attribute.labels.key/value [kubernetes_accessReviews_verb] | |
| kubernetes.accessReviews.version | target.resource.attribute.labels.key/value [kubernetes_accessReviews_version] | |
| kubernetes.bindings.name | target.resource.attribute.labels.key/value [kubernetes_bindings_name] | |
| kubernetes.bindings.ns | target.resource.attribute.labels.key/value [kubernetes_bindings_ns] | |
| kubernetes.bindings.role.kind | target.resource.attribute.labels.key/value [kubernetes_bindings_role_kind] | |
| kubernetes.bindings.role.ns | target.resource.attribute.labels.key/value [kubernetes_bindings_role_ns] | |
| kubernetes.bindings.subjects.kind | target.resource.attribute.labels.key/value [kubernetes_bindings_subjects_kind] | |
| kubernetes.bindings.subjects.name | target.resource.attribute.labels.key/value [kubernetes_bindings_subjects_name] | |
| kubernetes.bindings.subjects.ns | target.resource.attribute.labels.key/value [kubernetes_bindings_subjects_ns] | |
| kubernetes.bindings.role.name | target.resource.attribute.roles.name | |
| sourceProperties.properties.delta.restrictedResources.resourceName | security_result.about.resource.name | If the category log field value is equal to Defense Evasion: Modify VPC Service Control, then the Restricted Resource: sourceProperties.properties.delta.restrictedResources.resourceName log field is mapped to the security_result.about.resource.name UDM field. If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.delta.restrictedResources.resourceName log field is mapped to the security_result.about.resource.name UDM field, and the security_result.about.resource_type UDM field is set to CLOUD_PROJECT. |
| sourceProperties.properties.delta.allowedServices.serviceName | security_result.about.resource.name | If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.delta.allowedServices.serviceName log field is mapped to the security_result.about.resource.name UDM field, and the security_result.about.resource_type UDM field is set to BACKEND_SERVICE. |
| sourceProperties.properties.delta.restrictedServices.serviceName | security_result.about.resource.name | If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.delta.restrictedServices.serviceName log field is mapped to the security_result.about.resource.name UDM field, and the security_result.about.resource_type UDM field is set to BACKEND_SERVICE. |
| sourceProperties.properties.delta.accessLevels.policyName | security_result.about.resource.name | If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.delta.accessLevels.policyName log field is mapped to the security_result.about.resource.name UDM field, and the security_result.about.resource_type UDM field is set to ACCESS_POLICY. |
|  | security_result.about.user.attribute.roles.name | If the message log field value matches the regular expression contacts.?security, then the security_result.about.user.attribute.roles.name UDM field is set to security. If the message log field value matches the regular expression contacts.?technical, then the security_result.about.user.attribute.roles.name UDM field is set to Technical. |
| contacts.security.contacts.email | security_result.about.user.email_addresses | |
| contacts.technical.contacts.email | security_result.about.user.email_addresses | |
|  | security_result.action | If the category log field value is equal to Initial Access: Suspicious Login Blocked, then the security_result.action UDM field is set to BLOCK. If the category log field value is equal to Brute Force: SSH, then if the sourceProperties.properties.attempts.authResult log field value is equal to SUCCESS, the security_result.action UDM field is set to BLOCK. Else, the security_result.action UDM field is set to BLOCK. |
| sourceProperties.properties.delta.restrictedResources.action | security_result.action_details | If the category log field value is equal to Defense Evasion: Modify VPC Service Control, then the sourceProperties.properties.delta.restrictedResources.action log field is mapped to the security_result.action_details UDM field. |
| sourceProperties.properties.delta.restrictedServices.action | security_result.action_details | If the category log field value is equal to Defense Evasion: Modify VPC Service Control, then the sourceProperties.properties.delta.restrictedServices.action log field is mapped to the security_result.action_details UDM field. |
| sourceProperties.properties.delta.allowedServices.action | security_result.action_details | If the category log field value is equal to Defense Evasion: Modify VPC Service Control, then the sourceProperties.properties.delta.allowedServices.action log field is mapped to the security_result.action_details UDM field. |
| sourceProperties.properties.delta.accessLevels.action | security_result.action_details | If the category log field value is equal to Defense Evasion: Modify VPC Service Control, then the sourceProperties.properties.delta.accessLevels.action log field is mapped to the security_result.action_details UDM field. |
|  | security_result.alert_state | If the state log field value is equal to ACTIVE, then the security_result.alert_state UDM field is set to ALERTING. Else, the security_result.alert_state UDM field is set to NOT_ALERTING. |
| findingClass | security_result.category_details | The findingClass - category log fields are mapped to the security_result.category_details UDM field. |
| category | security_result.category_details | The findingClass - category log fields are mapped to the security_result.category_details UDM field. |
| description | security_result.description | |
| indicator.signatures.memoryHashSignature.binaryFamily | security_result.detection_fields.key/value [indicator_signatures_memoryHashSignature_binaryFamily] | |
| indicator.signatures.memoryHashSignature.detections.binary | security_result.detection_fields.key/value [indicator_signatures_memoryHashSignature_detections_binary] | |
| indicator.signatures.memoryHashSignature.detections.percentPagesMatched | security_result.detection_fields.key/value [indicator_signatures_memoryHashSignature_detections_percentPagesMatched] | |
| indicator.signatures.yaraRuleSignature.yararule | security_result.detection_fields.key/value [indicator_signatures_yaraRuleSignature_yararule] | |
| mitreAttack.additionalTactics | security_result.detection_fields.key/value [mitreAttack_additionalTactics] | |
| mitreAttack.additionalTechniques | security_result.detection_fields.key/value [mitreAttack_additionalTechniques] | |
| mitreAttack.primaryTactic | security_result.detection_fields.key/value [mitreAttack_primaryTactic] | |
| mitreAttack.primaryTechniques.0 | security_result.detection_fields.key/value [mitreAttack_primaryTechniques] | |
| mitreAttack.version | security_result.detection_fields.key/value [mitreAttack_version] | |
| muteInitiator | security_result.detection_fields.key/value [mute_initiator] | If the mute log field value is equal to MUTED or UNMUTED, then the muteInitiator log field is mapped to the security_result.detection_fields.value UDM field. |
| muteUpdateTime | security_result.detection_fields.key/value [mute_update_time] | If the mute log field value is equal to MUTED or UNMUTED, then the muteUpdateTime log field is mapped to the security_result.detection_fields.value UDM field. |
| mute | security_result.detection_fields.key/value [mute] | |
| securityMarks.canonicalName | security_result.detection_fields.key/value [securityMarks_cannonicleName] | |
| securityMarks.marks | security_result.detection_fields.key/value [securityMarks_marks] | |
| securityMarks.name | security_result.detection_fields.key/value [securityMarks_name] | |
| sourceProperties.detectionCategory.indicator | security_result.detection_fields.key/value [sourceProperties_detectionCategory_indicator] | |
| sourceProperties.detectionCategory.technique | security_result.detection_fields.key/value [sourceProperties_detectionCategory_technique] | |
| sourceProperties.properties.anomalousSoftware.anomalousSoftwareClassification | security_result.detection_fields.key/value [sourceProperties_properties_anomalousSoftware_anomalousSoftwareClassification] | If the category log field value is equal to Persistence: New User Agent, then the sourceProperties.properties.anomalousSoftware.anomalousSoftwareClassification log field is mapped to the security_result.detection_fields.value UDM field. |
| sourceProperties.properties.attempts.authResult | security_result.detection_fields.key/value [sourceProperties_properties_attempts_authResult] | If the category log field value is equal to Brute Force: SSH, then the sourceProperties.properties.attempts.authResult log field is mapped to the security_result.detection_fields.value UDM field. |
| sourceProperties.properties.autofocusContextCards.indicator.indicatorType | security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_indicator_indicatorType] | If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.indicator.indicatorType log field is mapped to the security_result.detection_fields.value UDM field. |
| sourceProperties.properties.autofocusContextCards.indicator.lastSeenTsGlobal | security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_indicator_lastSeenTsGlobal] | If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.indicator.lastSeenTsGlobal log field is mapped to the security_result.detection_fields.value UDM field. |
| sourceProperties.properties.autofocusContextCards.indicator.summaryGenerationTs | security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_indicator_summaryGenerationTs] | If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.indicator.summaryGenerationTs log field is mapped to the security_result.detection_fields.value UDM field. |
| sourceProperties.properties.autofocusContextCards.tags.customer_industry | security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tags_customer_industry] | If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.tags.customer_industry log field is mapped to the security_result.detection_fields.value UDM field. |
| sourceProperties.properties.autofocusContextCards.tags.customer_name | security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tags_customer_name] | If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.tags.customer_name log field is mapped to the security_result.detection_fields.value UDM field. |
| sourceProperties.properties.autofocusContextCards.tags.lasthit | security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tags_lasthit] | If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.tags.lasthit log field is mapped to the security_result.detection_fields.value UDM field. |
| sourceProperties.properties.autofocusContextCards.tags.myVote | security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tags_myVote] | If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.tags.tag_definition_scope_id log field is mapped to the security_result.detection_fields.value UDM field. |
| sourceProperties.properties.autofocusContextCards.tags.source | security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tags_source] | If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.tags.myVote log field is mapped to the security_result.detection_fields.value UDM field. |
| sourceProperties.properties.autofocusContextCards.tags.support_id | security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tags_support_id] | If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.tags.support_id log field is mapped to the security_result.detection_fields.value UDM field. |
| sourceProperties.properties.autofocusContextCards.tags.tag_class_id | security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tags_tag_class_id] | If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.tags.tag_class_id log field is mapped to the security_result.detection_fields.value UDM field. |
| sourceProperties.properties.autofocusContextCards.tags.tag_definition_id | security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tags_tag_definition_id] | If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.tags.tag_definition_id log field is mapped to the security_result.detection_fields.value UDM field. |
| sourceProperties.properties.autofocusContextCards.tags.tag_definition_scope_id | security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tags_tag_definition_scope_id] | If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.tags.tag_definition_scope_id log field is mapped to the security_result.detection_fields.value UDM field. |
| sourceProperties.properties.autofocusContextCards.tags.tag_definition_status_id | security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tags_tag_definition_status_id] | If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.tags.tag_definition_status_id log field is mapped to the security_result.detection_fields.value UDM field. |
| sourceProperties.properties.autofocusContextCards.tags.tag_name | security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tags_tag_name] | If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.tags.tag_name log field is mapped to the security_result.detection_fields.value UDM field. |
| sourceProperties.properties.autofocusContextCards.tags.upVotes | security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tags_upVotes] | If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.tags.upVotes log field is mapped to the security_result.detection_fields.value UDM field. |
| sourceProperties.properties.autofocusContextCards.tags.downVotes | security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tagsdownVotes] | If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.tags.downVotes log field is mapped to the security_result.detection_fields.value UDM field. |
| sourceProperties.contextUris.mitreUri.url/displayName | security_result.detection_fields.key/value [sourceProperties.contextUris.mitreUri.url/displayName] | |
| sourceProperties.contextUris.relatedFindingUri.url/displayName | metadata.url_back_to_product | If the category log field value is equal to Active Scan: Log4j Vulnerable to RCE or Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive or Exfiltration: CloudSQL Data Exfiltration or Exfiltration: CloudSQL Over-Privileged Grant or Exfiltration: CloudSQL Restore Backup to External Organization or Initial Access: Log4j Compromise Attempt or Malware: Cryptomining Bad Domain or Malware: Cryptomining Bad IP or Persistence: IAM Anomalous Grant, then the security_result.detection_fields.key UDM field is set to sourceProperties_contextUris_relatedFindingUri_url, and the sourceProperties.contextUris.relatedFindingUri.url log field is mapped to the metadata.url_back_to_product UDM field. |
| sourceProperties.contextUris.virustotalIndicatorQueryUri.url/displayName | security_result.detection_fields.key/value [sourceProperties.contextUris.virustotalIndicatorQueryUri.url/displayName] | If the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad Domain or Malware: Cryptomining Bad IP, then the sourceProperties.contextUris.virustotalIndicatorQueryUri.displayName log field is mapped to the security_result.detection_fields.key UDM field, and the sourceProperties.contextUris.virustotalIndicatorQueryUri.url log field is mapped to the security_result.detection_fields.value UDM field. |
| sourceProperties.contextUris.workspacesUri.url/displayName | security_result.detection_fields.key/value [sourceProperties.contextUris.workspacesUri.url/displayName] | If the category log field value is equal to Initial Access: Account Disabled Hijacked or Initial Access: Disabled Password Leak or Initial Access: Government Based Attack or Initial Access: Suspicious Login Blocked or Impair Defenses: Strong Authentication Disabled or Persistence: SSO Enablement Toggle or Persistence: SSO Settings Changed, then the sourceProperties.contextUris.workspacesUri.displayName log field is mapped to the security_result.detection_fields.key UDM field, and the sourceProperties.contextUris.workspacesUri.url log field is mapped to the security_result.detection_fields.key/value UDM field. |
| sourceProperties.properties.autofocusContextCards.tags.public_tag_name | security_result.detection_fields.key/value [sourceProperties.properties.autofocusContextCards.tags.public_tag_name/description] | If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.tags.public_tag_name log field is mapped to the intermediary.labels.key UDM field. |
| sourceProperties.properties.autofocusContextCards.tags.description | security_result.detection_fields.key/value [sourceProperties.properties.autofocusContextCards.tags.public_tag_name/description] | If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.tags.description log field is mapped to the intermediary.labels.value UDM field. |
| sourceProperties.properties.autofocusContextCards.indicator.firstSeenTsGlobal | security_result.detection_fields.key/value [sourcePropertiesproperties_autofocusContextCards_indicator_firstSeenTsGlobal] | If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.indicator.firstSeenTsGlobal log field is mapped to the security_result.detection_fields.value UDM field. |
| createTime | security_result.detection_fields.key/value[create_time] | |
| nextSteps | security_result.outcomes.key/value [next_steps] | |
| sourceProperties.detectionPriority | security_result.priority | If the sourceProperties.detectionPriority log field value is equal to HIGH, then the security_result.priority UDM field is set to HIGH_PRIORITY. Else, if the sourceProperties.detectionPriority log field value is equal to MEDIUM, then the security_result.priority UDM field is set to MEDIUM_PRIORITY. Else, if the sourceProperties.detectionPriority log field value is equal to LOW, then the security_result.priority UDM field is set to LOW_PRIORITY. |
| sourceProperties.detectionPriority | security_result.priority_details | |
| sourceProperties.detectionCategory.subRuleName | security_result.rule_labels.key/value [sourceProperties_detectionCategory_subRuleName] | |
| sourceProperties.detectionCategory.ruleName | security_result.rule_name | |
| severity | security_result.severity | |
| sourceProperties.properties.vpcViolation.violationReason | security_result.summary | If the category log field value is equal to Exfiltration: BigQuery Exfiltration, then the sourceProperties.properties.vpcViolation.violationReason log field is mapped to the security_result.summary UDM field. |
| name | security_result.url_back_to_product | |
| database.query | src.process.command_line | If the category log field value is equal to Exfiltration: CloudSQL Over-Privileged Grant, then the database.query log field is mapped to the src.process.command_line UDM field. |
| resource.folders.resourceFolderDisplayName | src.resource_ancestors.attribute.labels.key/value [resource_folders_resourceFolderDisplayName] | If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, then the resource.folders.resourceFolderDisplayName log field is mapped to the src.resource_ancestors.attribute.labels.value UDM field. |
| resource.parentDisplayName | src.resource_ancestors.attribute.labels.key/value [resource_parentDisplayName] | If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, then the resource.parentDisplayName log field is mapped to the src.resource_ancestors.attribute.labels.value UDM field. |
| resource.parentName | src.resource_ancestors.attribute.labels.key/value [resource_parentName] | If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, then the resource.parentName log field is mapped to the src.resource_ancestors.attribute.labels.value UDM field. |
| resource.projectDisplayName | src.resource_ancestors.attribute.labels.key/value [resource_projectDisplayName] | If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, then the resource.projectDisplayName log field is mapped to the src.resource_ancestors.attribute.labels.value UDM field. |
| sourceProperties.properties.dataExfiltrationAttempt.sourceTables.datasetId | src.resource_ancestors.attribute.labels.key/value [sourceProperties_properties_dataExfiltrationAttempt_sourceTables_datasetId] | If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.dataExfiltrationAttempt.sourceTables.datasetId log field is mapped to the src.resource_ancestors.attribute.labels.value UDM field. |
| sourceProperties.properties.dataExfiltrationAttempt.sourceTables.projectId | src.resource_ancestors.attribute.labels.key/value [sourceProperties_properties_dataExfiltrationAttempt_sourceTables_projectId] | If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.dataExfiltrationAttempt.sourceTables.projectId log field is mapped to the src.resource_ancestors.attribute.labels.value UDM field. |
| sourceProperties.properties.dataExfiltrationAttempt.sourceTables.resourceUri | src.resource_ancestors.attribute.labels.key/value [sourceProperties_properties_dataExfiltrationAttempt_sourceTables_resourceUri] | If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.dataExfiltrationAttempt.sourceTables.resourceUri log field is mapped to the src.resource_ancestors.attribute.labels.value UDM field. |
| parent | src.resource_ancestors.name | If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive or Exfiltration: BigQuery Data Exfiltration, then the parent log field is mapped to the src.resource_ancestors.name UDM field. |
| sourceProperties.properties.dataExfiltrationAttempt.sourceTables.tableId | src.resource_ancestors.name | If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.dataExfiltrationAttempt.sourceTables.tableId log field is mapped to the src.resource_ancestors.name UDM field, and the src.resource_ancestors.resource_type UDM field is set to TABLE. |
| resourceName | src.resource_ancestors.name | If the category log field value is equal to Exfiltration: CloudSQL Restore Backup to External Organization, then the resourceName log field is mapped to the src.resource_ancestors.name UDM field. |
| resource.folders.resourceFolder | src.resource_ancestors.name | If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, then the resource.folders.resourceFolder log field is mapped to the src.resource_ancestors.name UDM field. |
| sourceProperties.sourceId.customerOrganizationNumber | src.resource_ancestors.product_object_id | If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive or Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.sourceId.customerOrganizationNumber log field is mapped to the src.resource_ancestors.product_object_id UDM field. |
| sourceProperties.sourceId.projectNumber | src.resource_ancestors.product_object_id | If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive or Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.sourceId.projectNumber log field is mapped to the src.resource_ancestors.product_object_id UDM field. |
| sourceProperties.sourceId.organizationNumber | src.resource_ancestors.product_object_id | If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive or Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.sourceId.organizationNumber log field is mapped to the src.resource_ancestors.product_object_id UDM field. |
| resource.type | src.resource_ancestors.resource_subtype | If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, then the resource.type log field is mapped to the src.resource_ancestors.resource_subtype UDM field. |
| database.displayName | src.resource.attribute.labels.key/value [database_displayName] | If the category log field value is equal to Exfiltration: CloudSQL Over-Privileged Grant, then the database.displayName log field is mapped to the src.resource.attribute.labels.value UDM field. |
| database.grantees | src.resource.attribute.labels.key/value [database_grantees] | If the category log field value is equal to Exfiltration: CloudSQL Over-Privileged Grant, then the src.resource.attribute.labels.key UDM field is set to grantees, and the database.grantees log field is mapped to the src.resource.attribute.labels.value UDM field. |
| resource.displayName | src.resource.attribute.labels.key/value [resource_displayName] | If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration or Exfiltration: BigQuery Data to Google Drive, then the resource.displayName log field is mapped to the src.resource.attribute.labels.value UDM field. |
| resource.displayName | principal.hostname | If the resource.type log field value matches the regular expression pattern (?i)google.compute.Instance or google.container.Cluster, then the resource.displayName log field is mapped to the principal.hostname UDM field. |
| resource.display_name | src.resource.attribute.labels.key/value [resource_display_name] | If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration or Exfiltration: BigQuery Data to Google Drive, then the resource.display_name log field is mapped to the src.resource.attribute.labels.value UDM field. |
| sourceProperties.properties.extractionAttempt.sourceTable.datasetId | src.resource.attribute.labels.key/value [sourceProperties_properties_extractionAttempt_sourceTable_datasetId] | If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive, then the sourceProperties.properties.extractionAttempt.sourceTable.datasetId log field is mapped to the src.resource.attribute.labels.value UDM field. |
| sourceProperties.properties.extractionAttempt.sourceTable.projectId | src.resource.attribute.labels.key/value [sourceProperties_properties_extractionAttempt_sourceTable_projectId] | If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive, then the sourceProperties.properties.extractionAttempt.sourceTable.projectId log field is mapped to the src.resource.attribute.labels.value UDM field. |
| sourceProperties.properties.extractionAttempt.sourceTable.resourceUri | src.resource.attribute.labels.key/value [sourceProperties_properties_extractionAttempt_sourceTable_resourceUri] | If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive, then the sourceProperties.properties.extractionAttempt.sourceTable.resourceUri log field is mapped to the src.resource.attribute.labels.value UDM field. |
| sourceProperties.properties.restoreToExternalInstance.backupId | src.resource.attribute.labels.key/value [sourceProperties_properties_restoreToExternalInstance_backupId] | If the category log field value is equal to Exfiltration: CloudSQL Restore Backup to External Organization, then the sourceProperties.properties.restoreToExternalInstance.backupId log field is mapped to the src.resource.attribute.labels.value UDM field. |
| exfiltration.sources.components | src.resource.attribute.labels.key/value [exfiltration_sources_components] | If the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration or Exfiltration: BigQuery Data Extraction, then the exfiltration.sources.components log field is mapped to the src.resource.attribute.labels.value UDM field. |
| resourceName | src.resource.name | If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive or Exfiltration: BigQuery Data Exfiltration, then the exfiltration.sources.name log field is mapped to the src.resource.name UDM field, and the resourceName log field is mapped to the src.resource_ancestors.name UDM field. |
| sourceProperties.properties.restoreToExternalInstance.sourceCloudsqlInstanceResource | src.resource.name | If the category log field value is equal to Exfiltration: CloudSQL Restore Backup to External Organization, then the sourceProperties.properties.restoreToExternalInstance.sourceCloudsqlInstanceResource log field is mapped to the src.resource.name UDM field, and the src.resource.resource_subtype UDM field is set to CloudSQL. |
| sourceProperties.properties.exportToGcs.cloudsqlInstanceResource | src.resource.name | If the category log field value is equal to Exfiltration: CloudSQL Restore Backup to External Organization, then the sourceProperties.properties.restoreToExternalInstance.sourceCloudsqlInstanceResource log field is mapped to the src.resource.name UDM field, and the src.resource.resource_subtype UDM field is set to CloudSQL. Else, if the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration, then the sourceProperties.properties.exportToGcs.cloudsqlInstanceResource log field is mapped to the src.resource.name UDM field, and the src.resource.resource_subtype UDM field is set to CloudSQL. |
| database.name | src.resource.name | |
| exfiltration.sources.name | src.resource.name | 如果 category日志字段值等于Exfiltration: BigQuery Data Extraction或Exfiltration: BigQuery Data to Google Drive或Exfiltration: BigQuery Data Exfiltration,则exfiltration.sources.name日志字段会映射到src.resource.nameUDM 字段,而resourceName日志字段会映射到src.resource_ancestors.nameUDM 字段。 | 
| sourceProperties.properties.extractionAttempt.sourceTable.tableId | src.resource.product_object_id | 如果 category日志字段值等于Exfiltration: BigQuery Data Extraction或Exfiltration: BigQuery Data to Google Drive,则sourceProperties.properties.extractionAttempt.sourceTable.tableId日志字段会映射到src.resource.product_object_idUDM 字段。 | 
| access.serviceName | target.application | 如果 category日志字段值等于Defense Evasion: Modify VPC Service Control或Exfiltration: BigQuery Data Extraction或Exfiltration: BigQuery Data to Google Drive或Exfiltration: CloudSQL Data Exfiltration或Exfiltration: CloudSQL Restore Backup to External Organization或Exfiltration: CloudSQL Over-Privileged Grant或Persistence: New Geography或Persistence: IAM Anomalous Grant,则access.serviceName日志字段会映射到target.applicationUDM 字段。 | 
| sourceProperties.properties.serviceName | target.application | 如果 category日志字段值等于Initial Access: Account Disabled Hijacked或Initial Access: Disabled Password Leak或Initial Access: Government Based Attack或Initial Access: Suspicious Login Blocked或Impair Defenses: Strong Authentication Disabled或Impair Defenses: Two Step Verification Disabled或Persistence: SSO Enablement Toggle或Persistence: SSO Settings Changed,则sourceProperties.properties.serviceName日志字段会映射到target.applicationUDM 字段。 | 
| sourceProperties.properties.domainName | target.domain.name | 如果 category日志字段值等于Persistence: SSO Enablement Toggle或Persistence: SSO Settings Changed,则sourceProperties.properties.domainName日志字段会映射到target.domain.nameUDM 字段。 | 
| sourceProperties.properties.domains.0 | target.domain.name | 如果 category日志字段值等于Malware: Bad Domain或Malware: Cryptomining Bad Domain或Configurable Bad Domain,则sourceProperties.properties.domains.0日志字段会映射到target.domain.nameUDM 字段。 | 
| sourceProperties.properties.sensitiveRoleGrant.bindingDeltas.action | target.group.attribute.labels.key/value [sourceProperties_properties_sensitiveRoleGrant_bindingDeltas_action] | If the category log field value is equal to Persistence: IAM Anomalous Grant, then the sourceProperties.properties.sensitiveRoleGrant.bindingDeltas.action log field is mapped to the target.group.attribute.labels.key/value UDM field. |
| sourceProperties.properties.sensitiveRoleToHybridGroup.bindingDeltas.action | target.group.attribute.labels.key/value [sourceProperties_properties_sensitiveRoleToHybridGroup_bindingDeltas_action] | If the category log field value is equal to Credential Access: Sensitive Role Granted To Hybrid Group, then the sourceProperties.properties.sensitiveRoleToHybridGroup.bindingDeltas.action log field is mapped to the target.group.attribute.labels.key/value UDM field. |
| sourceProperties.properties.sensitiveRoleGrant.bindingDeltas.member | target.group.attribute.labels.key/value [sourceProperties_properties_sensitiveRoleGrant_bindingDeltas_member] | If the category log field value is equal to Persistence: IAM Anomalous Grant, then the sourceProperties.properties.sensitiveRoleGrant.bindingDeltas.member log field is mapped to the target.group.attribute.labels.key/value UDM field. |
| sourceProperties.properties.sensitiveRoleToHybridGroup.bindingDeltas.member | target.group.attribute.labels.key/value [sourceProperties_properties_sensitiveRoleToHybridGroup_bindingDeltas_member] | If the category log field value is equal to Credential Access: Sensitive Role Granted To Hybrid Group, then the sourceProperties.properties.sensitiveRoleToHybridGroup.bindingDeltas.member log field is mapped to the target.group.attribute.labels.key/value UDM field. |
| sourceProperties.properties.privilegedGroupOpenedToPublic.whoCanJoin | target.group.attribute.permissions.name | If the category log field value is equal to Credential Access: Privileged Group Opened To Public, then the sourceProperties.properties.privilegedGroupOpenedToPublic.whoCanJoin log field is mapped to the target.group.attribute.permissions.name UDM field. |
| sourceProperties.properties.customRoleSensitivePermissions.permissions | target.group.attribute.permissions.name | If the category log field value is equal to Persistence: IAM Anomalous Grant, then the sourceProperties.properties.customRoleSensitivePermissions.permissions log field is mapped to the target.group.attribute.permissions.name UDM field. |
| sourceProperties.properties.externalMemberAddedToPrivilegedGroup.sensitiveRoles.roleName | target.group.attribute.roles.name | If the category log field value is equal to Credential Access: External Member Added To Privileged Group, then the sourceProperties.properties.externalMemberAddedToPrivilegedGroup.sensitiveRoles.roleName log field is mapped to the target.group.attribute.roles.name UDM field. |
| sourceProperties.properties.sensitiveRoleToHybridGroup.bindingDeltas.role | target.group.attribute.roles.name | If the category log field value is equal to Credential Access: Sensitive Role Granted To Hybrid Group, then the sourceProperties.properties.sensitiveRoleToHybridGroup.bindingDeltas.role log field is mapped to the target.group.attribute.roles.name UDM field. |
| sourceProperties.properties.sensitiveRoleGrant.bindingDeltas.role | target.group.attribute.roles.name | If the category log field value is equal to Persistence: IAM Anomalous Grant, then the sourceProperties.properties.sensitiveRoleGrant.bindingDeltas.role log field is mapped to the target.group.attribute.roles.name UDM field. |
| sourceProperties.properties.privilegedGroupOpenedToPublic.sensitiveRoles.roleName | target.group.attribute.roles.name | If the category log field value is equal to Credential Access: Privileged Group Opened To Public, then the sourceProperties.properties.privilegedGroupOpenedToPublic.sensitiveRoles.roleName log field is mapped to the target.group.attribute.roles.name UDM field. |
| sourceProperties.properties.customRoleSensitivePermissions.roleName | target.group.attribute.roles.name | If the category log field value is equal to Persistence: IAM Anomalous Grant, then the sourceProperties.properties.customRoleSensitivePermissions.roleName log field is mapped to the target.group.attribute.roles.name UDM field. |
| sourceProperties.properties.externalMemberAddedToPrivilegedGroup.groupName | target.group.group_display_name | If the category log field value is equal to Credential Access: External Member Added To Privileged Group, then the sourceProperties.properties.externalMemberAddedToPrivilegedGroup.groupName log field is mapped to the target.group.group_display_name UDM field. |
| sourceProperties.properties.privilegedGroupOpenedToPublic.groupName | target.group.group_display_name | If the category log field value is equal to Credential Access: Privileged Group Opened To Public, then the sourceProperties.properties.privilegedGroupOpenedToPublic.groupName log field is mapped to the target.group.group_display_name UDM field. |
| sourceProperties.properties.sensitiveRoleToHybridGroup.groupName | target.group.group_display_name | If the category log field value is equal to Credential Access: Sensitive Role Granted To Hybrid Group, then the sourceProperties.properties.sensitiveRoleToHybridGroup.groupName log field is mapped to the target.group.group_display_name UDM field. |
| sourceProperties.properties.ipConnection.destIp | target.ip | If the category log field value is equal to Malware: Bad IP, Malware: Cryptomining Bad IP, or Malware: Outgoing DoS, then the sourceProperties.properties.ipConnection.destIp log field is mapped to the target.ip UDM field. |
| access.methodName | target.labels [access_methodName] (deprecated) | |
| access.methodName | additional.fields [access_methodName] | |
| processes.argumentsTruncated | target.labels [processes_argumentsTruncated] (deprecated) | |
| processes.argumentsTruncated | additional.fields [processes_argumentsTruncated] | |
| processes.binary.contents | target.labels [processes_binary_contents] (deprecated) | |
| processes.binary.contents | additional.fields [processes_binary_contents] | |
| processes.binary.hashedSize | target.labels [processes_binary_hashedSize] (deprecated) | |
| processes.binary.hashedSize | additional.fields [processes_binary_hashedSize] | |
| processes.binary.partiallyHashed | target.labels [processes_binary_partiallyHashed] (deprecated) | |
| processes.binary.partiallyHashed | additional.fields [processes_binary_partiallyHashed] | |
| processes.envVariables.name | target.labels [processes_envVariables_name] (deprecated) | |
| processes.envVariables.name | additional.fields [processes_envVariables_name] | |
| processes.envVariables.val | target.labels [processes_envVariables_val] (deprecated) | |
| processes.envVariables.val | additional.fields [processes_envVariables_val] | |
| processes.envVariablesTruncated | target.labels [processes_envVariablesTruncated] (deprecated) | |
| processes.envVariablesTruncated | additional.fields [processes_envVariablesTruncated] | |
| processes.libraries.contents | target.labels [processes_libraries_contents] (deprecated) | |
| processes.libraries.contents | additional.fields [processes_libraries_contents] | |
| processes.libraries.hashedSize | target.labels [processes_libraries_hashedSize] (deprecated) | |
| processes.libraries.hashedSize | additional.fields [processes_libraries_hashedSize] | |
| processes.libraries.partiallyHashed | target.labels [processes_libraries_partiallyHashed] (deprecated) | |
| processes.libraries.partiallyHashed | additional.fields [processes_libraries_partiallyHashed] | |
| processes.script.contents | target.labels [processes_script_contents] (deprecated) | |
| processes.script.contents | additional.fields [processes_script_contents] | |
| processes.script.hashedSize | target.labels [processes_script_hashedSize] (deprecated) | |
| processes.script.hashedSize | additional.fields [processes_script_hashedSize] | |
| processes.script.partiallyHashed | target.labels [processes_script_partiallyHashed] (deprecated) | |
| processes.script.partiallyHashed | additional.fields [processes_script_partiallyHashed] | |
| sourceProperties.properties.methodName | target.labels [sourceProperties_properties_methodName] (deprecated) | If the category log field value is equal to Impair Defenses: Strong Authentication Disabled, Initial Access: Government Based Attack, Initial Access: Suspicious Login Blocked, Persistence: SSO Enablement Toggle, or Persistence: SSO Settings Changed, then the sourceProperties.properties.methodName log field is mapped to the target.labels.value UDM field. |
| sourceProperties.properties.methodName | additional.fields [sourceProperties_properties_methodName] | If the category log field value is equal to Impair Defenses: Strong Authentication Disabled, Initial Access: Government Based Attack, Initial Access: Suspicious Login Blocked, Persistence: SSO Enablement Toggle, or Persistence: SSO Settings Changed, then the sourceProperties.properties.methodName log field is mapped to the additional.fields.value.string_value UDM field. |
| sourceProperties.properties.network.location | target.location.name | If the category log field value is equal to Malware: Bad Domain, Malware: Bad IP, Malware: Cryptomining Bad IP, Malware: Cryptomining Bad Domain, or Configurable Bad Domain, then the sourceProperties.properties.network.location log field is mapped to the target.location.name UDM field. |
| processes.parentPid | target.parent_process.pid | |
| sourceProperties.properties.ipConnection.destPort | target.port | If the category log field value is equal to Malware: Bad IP or Malware: Outgoing DoS, then the sourceProperties.properties.ipConnection.destPort log field is mapped to the target.port UDM field. |
| sourceProperties.properties.dataExfiltrationAttempt.query | target.process.command_line | If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.dataExfiltrationAttempt.query log field is mapped to the target.process.command_line UDM field. |
| processes.args | target.process.command_line_history [processes.args] | |
| processes.name | target.process.file.full_path | |
| processes.binary.path | target.process.file.full_path | |
| processes.libraries.path | target.process.file.full_path | |
| processes.script.path | target.process.file.full_path | |
| processes.binary.sha256 | target.process.file.sha256 | |
| processes.libraries.sha256 | target.process.file.sha256 | |
| processes.script.sha256 | target.process.file.sha256 | |
| processes.binary.size | target.process.file.size | |
| processes.libraries.size | target.process.file.size | |
| processes.script.size | target.process.file.size | |
| processes.pid | target.process.pid | |
| containers.uri | target.resource_ancestors.attribute.labels.key/value [containers_uri] | |
| containers.labels.name/value | target.resource_ancestors.attribute.labels.key/value [containers.labels.name/value] | The containers.labels.name log field is mapped to the target.resource_ancestors.attribute.labels.key UDM field, and the containers.labels.value log field is mapped to the target.resource_ancestors.attribute.labels.value UDM field. |
| sourceProperties.properties.destVpc.projectId | target.resource_ancestors.attribute.labels.key/value [sourceProperties_properties_destVpc_projectId] | If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP, then the sourceProperties.properties.destVpc.projectId log field is mapped to the target.resource_ancestors.attribute.labels.value UDM field. |
| sourceProperties.properties.destVpc.subnetworkName | target.resource_ancestors.attribute.labels.key/value [sourceProperties_properties_destVpc_subnetworkName] | If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP, then the sourceProperties.properties.destVpc.subnetworkName log field is mapped to the target.resource_ancestors.attribute.labels.value UDM field. |
| sourceProperties.properties.network.subnetworkName | target.resource_ancestors.attribute.labels.key/value [sourceProperties_properties_network_subnetworkName] | If the category log field value is equal to Malware: Bad IP or Malware: Cryptomining Bad IP, then the sourceProperties.properties.network.subnetworkName log field is mapped to the target.resource_ancestors.attribute.labels.value UDM field. |
| sourceProperties.properties.network.subnetworkId | target.resource_ancestors.attribute.labels.key/value [sourceProperties_properties_network_subnetworkId] | If the category log field value is equal to Malware: Bad IP or Malware: Cryptomining Bad IP, then the sourceProperties.properties.network.subnetworkId log field is mapped to the target.resource_ancestors.attribute.labels.value UDM field. |
| sourceProperties.affectedResources.gcpResourceName | target.resource_ancestors.name | The target.resource_ancestors.name UDM field is populated by a single category-ordered chain; the first matching branch wins. If the category log field value is equal to Malware: Cryptomining Bad IP, Malware: Bad IP, Malware: Cryptomining Bad Domain, Malware: Bad Domain, or Configurable Bad Domain, then the sourceProperties.properties.destVpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field, the sourceProperties.properties.vpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field, and the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK. Otherwise, if the category log field value is equal to Active Scan: Log4j Vulnerable to RCE, then the sourceProperties.properties.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE. Otherwise, if the category log field value is equal to Malware: Bad Domain, Malware: Bad IP, or Malware: Cryptomining Bad IP, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field. Otherwise, if the category log field value is equal to Brute Force: SSH, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field. Otherwise, if the category log field value is equal to Persistence: GCE Admin Added SSH Key or Persistence: GCE Admin Added Startup Script, then the sourceProperties.properties.projectId log field is mapped to the target.resource_ancestors.name UDM field. Otherwise, if the category log field value is equal to Increasing Deny Ratio or Allowed Traffic Spike, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field. |
| sourceProperties.properties.destVpc.vpcName | target.resource_ancestors.name | First branch of the category-ordered chain described in the sourceProperties.affectedResources.gcpResourceName row: if the category log field value is equal to Malware: Cryptomining Bad IP, Malware: Bad IP, Malware: Cryptomining Bad Domain, Malware: Bad Domain, or Configurable Bad Domain, then the sourceProperties.properties.destVpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK. |
| sourceProperties.properties.vpcName | target.resource_ancestors.name | Second branch of the category-ordered chain described in the sourceProperties.affectedResources.gcpResourceName row: if the first branch did not match and the category log field value is equal to Active Scan: Log4j Vulnerable to RCE, then the sourceProperties.properties.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE. |
| resourceName | target.resource_ancestors.name | Third, fourth, and sixth branches of the category-ordered chain described in the sourceProperties.affectedResources.gcpResourceName row: if no earlier branch matched and the category log field value is equal to Malware: Bad Domain, Malware: Bad IP, or Malware: Cryptomining Bad IP, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field. Otherwise, if the category log field value is equal to Brute Force: SSH, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field. Otherwise, if the category log field value is equal to Increasing Deny Ratio or Allowed Traffic Spike, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field. |
| sourceProperties.properties.projectId | target.resource_ancestors.name | Fifth branch of the category-ordered chain described in the sourceProperties.affectedResources.gcpResourceName row: if no earlier branch matched and the category log field value is equal to Persistence: GCE Admin Added SSH Key or Persistence: GCE Admin Added Startup Script, then the sourceProperties.properties.projectId log field is mapped to the target.resource_ancestors.name UDM field. |
| sourceProperties.properties.vpc.vpcName | target.resource_ancestors.name | First branch of the category-ordered chain described in the sourceProperties.affectedResources.gcpResourceName row: if the category log field value is equal to Malware: Cryptomining Bad IP, Malware: Bad IP, Malware: Cryptomining Bad Domain, Malware: Bad Domain, or Configurable Bad Domain, then the sourceProperties.properties.vpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK. |
| parent | target.resource_ancestors.name | Subject to the same category-ordered chain described in the sourceProperties.affectedResources.gcpResourceName row. |
| containers.name | target.resource_ancestors.name | Subject to the same category-ordered chain described in the sourceProperties.affectedResources.gcpResourceName row. |
| sourceProperties.properties.externalMemberAddedToPrivilegedGroup.sensitiveRoles.resource | target.resource_ancestors.name | If the category log field value is equal to Credential Access: External Member Added To Privileged Group, then the sourceProperties.properties.externalMemberAddedToPrivilegedGroup.sensitiveRoles.resource log field is mapped to the target.resource_ancestors.name UDM field. |
| sourceProperties.properties.privilegedGroupOpenedToPublic.sensitiveRoles.resource | target.resource_ancestors.name | If the category log field value is equal to Credential Access: Privileged Group Opened To Public, then the sourceProperties.properties.privilegedGroupOpenedToPublic.sensitiveRoles.resource log field is mapped to the target.resource_ancestors.name UDM field. |
| kubernetes.pods.containers.name | target.resource_ancestors.name | Subject to the same category-ordered chain described in the sourceProperties.affectedResources.gcpResourceName row. |
| sourceProperties.properties.gceInstanceId | target.resource_ancestors.product_object_id | If the category log field value is equal to Persistence: GCE Admin Added Startup Script or Persistence: GCE Admin Added SSH Key, then the sourceProperties.properties.gceInstanceId log field is mapped to the target.resource_ancestors.product_object_id UDM field and the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE. |
| sourceProperties.sourceId.projectNumber | target.resource_ancestors.product_object_id | If the category log field value is equal to Persistence: GCE Admin Added Startup Script or Persistence: GCE Admin Added SSH Key, then the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE. |
| sourceProperties.sourceId.customerOrganizationNumber | target.resource_ancestors.product_object_id | If the category log field value is equal to Persistence: GCE Admin Added Startup Script or Persistence: GCE Admin Added SSH Key, then the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE. |
| sourceProperties.sourceId.organizationNumber | target.resource_ancestors.product_object_id | If the category log field value is equal to Persistence: GCE Admin Added Startup Script or Persistence: GCE Admin Added SSH Key, then the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE. |
| containers.imageId | target.resource_ancestors.product_object_id | If the category log field value is equal to Persistence: GCE Admin Added Startup Script or Persistence: GCE Admin Added SSH Key, then the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE. |
| sourceProperties.properties.zone | target.resource.attribute.cloud.availability_zone | If the category log field value is equal to Brute Force: SSH, then the sourceProperties.properties.zone log field is mapped to the target.resource.attribute.cloud.availability_zone UDM field. |
| canonicalName | metadata.product_log_id | finding_id is extracted from the canonicalName log field using a Grok pattern. If the finding_id log field value is not empty, then the finding_id log field is mapped to the metadata.product_log_id UDM field. |
| canonicalName | src.resource.attribute.labels.key/value [finding_id] | If the finding_id log field value is not empty, then the finding_id log field is mapped to the src.resource.attribute.labels.key/value [finding_id] UDM field. finding_id is extracted from the canonicalName log field using a Grok pattern if the category log field value is equal to one of the following values: |
| canonicalName | src.resource.product_object_id | If the source_id log field value is not empty, then the source_id log field is mapped to the src.resource.product_object_id UDM field. source_id is extracted from the canonicalName log field using a Grok pattern if the category log field value is equal to one of the following values: |
| canonicalName | src.resource.attribute.labels.key/value [source_id] | If the source_id log field value is not empty, then the source_id log field is mapped to the src.resource.attribute.labels.key/value [source_id] UDM field. source_id is extracted from the canonicalName log field using a Grok pattern if the category log field value is equal to one of the following values: |
| canonicalName | target.resource.attribute.labels.key/value [finding_id] | If the finding_id log field value is not empty, then the finding_id log field is mapped to the target.resource.attribute.labels.key/value [finding_id] UDM field. finding_id is extracted from the canonicalName log field using a Grok pattern if the category log field value is not equal to any of the following values: |
| canonicalName | target.resource.product_object_id | If the source_id log field value is not empty, then the source_id log field is mapped to the target.resource.product_object_id UDM field. source_id is extracted from the canonicalName log field using a Grok pattern if the category log field value is not equal to any of the following values: |
| canonicalName | target.resource.attribute.labels.key/value [source_id] | If the source_id log field value is not empty, then the source_id log field is mapped to the target.resource.attribute.labels.key/value [source_id] UDM field. source_id is extracted from the canonicalName log field using a Grok pattern if the category log field value is not equal to any of the following values: |
| sourceProperties.properties.dataExfiltrationAttempt.destinationTables.datasetId | target.resource.attribute.labels.key/value [sourceProperties_properties_dataExfiltrationAttempt_destinationTables_datasetId] | If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.dataExfiltrationAttempt.destinationTables.datasetId log field is mapped to the target.resource.attribute.labels.value UDM field. |
| sourceProperties.properties.dataExfiltrationAttempt.destinationTables.projectId | target.resource.attribute.labels.key/value [sourceProperties_properties_dataExfiltrationAttempt_destinationTables_projectId] | If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.dataExfiltrationAttempt.destinationTables.projectId log field is mapped to the target.resource.attribute.labels.value UDM field. |
| sourceProperties.properties.dataExfiltrationAttempt.destinationTables.resourceUri | target.resource.attribute.labels.key/value [sourceProperties_properties_dataExfiltrationAttempt_destinationTables_resourceUri] | If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.dataExfiltrationAttempt.destinationTables.resourceUri log field is mapped to the target.resource.attribute.labels.value UDM field. |
| sourceProperties.properties.exportToGcs.exportScope | target.resource.attribute.labels.key/value [sourceProperties_properties_exportToGcs_exportScope] | If the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration, then the target.resource.attribute.labels.key UDM field is set to exportScope and the sourceProperties.properties.exportToGcs.exportScope log field is mapped to the target.resource.attribute.labels.value UDM field. |
| sourceProperties.properties.extractionAttempt.destinations.objectName | target.resource.attribute.labels.key/value [sourceProperties_properties_extractionAttempt_destinations_objectName] | If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive, then the sourceProperties.properties.extractionAttempt.destinations.objectName log field is mapped to the target.resource.attribute.labels.value UDM field. |
| sourceProperties.properties.extractionAttempt.destinations.originalUri | target.resource.attribute.labels.key/value [sourceProperties_properties_extractionAttempt_destinations_originalUri] | If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive, then the sourceProperties.properties.extractionAttempt.destinations.originalUri log field is mapped to the target.resource.attribute.labels.value UDM field. |
| sourceProperties.properties.metadataKeyOperation | target.resource.attribute.labels.key/value [sourceProperties_properties_metadataKeyOperation] | If the category log field value is equal to Persistence: GCE Admin Added SSH Key or Persistence: GCE Admin Added Startup Script, then the sourceProperties.properties.metadataKeyOperation log field is mapped to the target.resource.attribute.labels.key/value UDM field. |
| exfiltration.targets.components | target.resource.attribute.labels.key/value [exfiltration_targets_components] | If the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration or Exfiltration: BigQuery Data Extraction, then the exfiltration.targets.components log field is mapped to the target.resource.attribute.labels.key/value UDM field. |
| sourceProperties.properties.exportToGcs.bucketAccess | target.resource.attribute.permissions.name | If the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration, then the sourceProperties.properties.exportToGcs.bucketAccess log field is mapped to the target.resource.attribute.permissions.name UDM field. |
| sourceProperties.properties.name | target.resource.name | If the category log field value is equal to Defense Evasion: Modify VPC Service Control, then the sourceProperties.properties.name log field is mapped to the target.resource.name UDM field. Else, if the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration, then the sourceProperties.properties.exportToGcs.bucketResource log field is mapped to the target.resource.name UDM field. Else, if the category log field value is equal to Exfiltration: CloudSQL Restore Backup to External Organization, then the sourceProperties.properties.restoreToExternalInstance.targetCloudsqlInstanceResource log field is mapped to the target.resource.name UDM field. Else, if the category log field value is equal to Brute Force: SSH, then the sourceProperties.properties.attempts.vmName log field is mapped to the target.resource.name UDM field and the resourceName log field is mapped to the target.resource_ancestors.name UDM field. Else, if the category log field value is equal to Malware: Bad Domain, Malware: Bad IP, Malware: Cryptomining Bad IP, Malware: Cryptomining Bad Domain, or Configurable Bad Domain, then the sourceProperties.properties.instanceDetails log field is mapped to the target.resource.name UDM field, the resourceName log field is mapped to the target.resource_ancestors.name UDM field, and the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE. Else, if the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive, then the sourceProperties.properties.extractionAttempt.destinations.collectionName log field is mapped to the target.resource.attribute.name UDM field and the exfiltration.target.name log field is mapped to the target.resource.name UDM field. Else, if the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the exfiltration.target.name log field is mapped to the target.resource.name UDM field, the sourceProperties.properties.dataExfiltrationAttempt.destinationTables.tableId log field is mapped to the target.resource.attribute.labels UDM field, and the target.resource.resource_type UDM field is set to TABLE. Otherwise, the resourceName log field is mapped to the target.resource.name UDM field. |
| sourceProperties.properties.exportToGcs.bucketResource | target.resource.name | Same condition chain as the sourceProperties.properties.name row above; this log field populates target.resource.name when the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration. |
| sourceProperties.properties.restoreToExternalInstance.targetCloudsqlInstanceResource | target.resource.name | Same condition chain as the sourceProperties.properties.name row above; this log field populates target.resource.name when the category log field value is equal to Exfiltration: CloudSQL Restore Backup to External Organization. |
| resourceName | target.resource.name | Same condition chain as the sourceProperties.properties.name row above; resourceName populates target.resource.name when no other branch matches, and populates target.resource_ancestors.name in the Brute Force: SSH and Malware branches. |
| sourceProperties.properties.attempts.vmName | target.resource.name | Same condition chain as the sourceProperties.properties.name row above; this log field populates target.resource.name when the category log field value is equal to Brute Force: SSH. |
| sourceProperties.properties.instanceDetails | target.resource.name | Same condition chain as the sourceProperties.properties.name row above; this log field populates target.resource.name when the category log field value is equal to Malware: Bad Domain, Malware: Bad IP, Malware: Cryptomining Bad IP, Malware: Cryptomining Bad Domain, or Configurable Bad Domain. |
| sourceProperties.properties.extractionAttempt.destinations.collectionName | target.resource.name | Same condition chain as the sourceProperties.properties.name row above; in the Exfiltration: BigQuery Data Extraction and Exfiltration: BigQuery Data to Google Drive branch this log field is mapped to target.resource.attribute.name. |
| sourceProperties.properties.dataExfiltrationAttempt.destinationTables.tableId | target.resource.name | Same condition chain as the sourceProperties.properties.name row above; in the Exfiltration: BigQuery Data Exfiltration branch this log field is mapped to target.resource.attribute.labels. |
| exfiltration.targets.name | target.resource.name | Same condition chain as the sourceProperties.properties.name row above; this log field populates target.resource.name in the Exfiltration: BigQuery Data Extraction, Exfiltration: BigQuery Data to Google Drive, and Exfiltration: BigQuery Data Exfiltration branches. |
| sourceProperties.properties.instanceId | target.resource.product_object_id | If the category log field value is equal to Brute Force: SSH, then the sourceProperties.properties.instanceId log field is mapped to the target.resource.product_object_id UDM field. |
| kubernetes.pods.containers.imageId | target.resource_ancestors.attribute.labels[kubernetes_pods_containers_imageId] | |
| sourceProperties.properties.extractionAttempt.destinations.collectionType | target.resource.resource_subtype | If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive, then the sourceProperties.properties.extractionAttempt.destinations.collectionName log field is mapped to the target.resource.resource_subtype UDM field. Else, if the category log field value is equal to Credential Access: External Member Added To Privileged Group, then the target.resource.resource_subtype UDM field is set to Privileged Group. Else, if the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the target.resource.resource_subtype UDM field is set to BigQuery. |
|  | target.resource.resource_type | If the sourceProperties.properties.extractionAttempt.destinations.collectionType log field value matches the regular expression BUCKET, then the target.resource.resource_type UDM field is set to STORAGE_BUCKET. Else, if the category log field value is equal to Brute Force: SSH, then the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE. Else, if the category log field value is equal to Malware: Bad Domain, Malware: Bad IP, or Malware: Cryptomining Bad IP, then the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE. Else, if the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the target.resource.resource_type UDM field is set to TABLE. |
| sourceProperties.properties.extractionAttempt.jobLink | target.url | If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, then the sourceProperties.properties.extractionAttempt.jobLink log field is mapped to the target.url UDM field. If the category log field value is equal to Exfiltration: BigQuery Data Extraction, then the sourceProperties.properties.extractionAttempt.jobLink log field is mapped to the target.url UDM field. |
| sourceProperties.properties.exportToGcs.gcsUri | target.url | If the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration, then the sourceProperties.properties.exportToGcs.gcsUri log field is mapped to the target.url UDM field. |
| sourceProperties.properties.requestUrl | target.url | If the category log field value is equal to Initial Access: Log4j Compromise Attempt, then the sourceProperties.properties.requestUrl log field is mapped to the target.url UDM field. |
| sourceProperties.properties.policyLink | target.url | If the category log field value is equal to Defense Evasion: Modify VPC Service Control, then the sourceProperties.properties.policyLink log field is mapped to the target.url UDM field. |
| sourceProperties.properties.anomalousLocation.notSeenInLast | target.user.attribute.labels.key/value [sourceProperties_properties_anomalousLocation_notSeenInLast] | If the category log field value is equal to Persistence: New Geography, then the sourceProperties.properties.anomalousLocation.notSeenInLast log field is mapped to the target.user.attribute.labels.value UDM field. |
| sourceProperties.properties.attempts.username | target.user.userid | If the category log field value is equal to Brute Force: SSH, then the sourceProperties.properties.attempts.username log field is mapped to the target.user.userid UDM field. If the category log field value is equal to Initial Access: Suspicious Login Blocked, then the userid log field is mapped to the target.user.userid UDM field. |
| sourceProperties.properties.principalEmail | target.user.userid | If the category log field value is equal to Initial Access: Suspicious Login Blocked, then the userid log field is mapped to the target.user.userid UDM field. |
| sourceProperties.Added_Binary_Kind | target.resource.attribute.labels[sourceProperties_Added_Binary_Kind] | |
| sourceProperties.Container_Creation_Timestamp.nanos | target.resource.attribute.labels[sourceProperties_Container_Creation_Timestamp_nanos] | |
| sourceProperties.Container_Creation_Timestamp.seconds | target.resource.attribute.labels[sourceProperties_Container_Creation_Timestamp_seconds] | |
| sourceProperties.Container_Image_Id | target.resource_ancestors.product_object_id | |
| sourceProperties.Container_Image_Uri | target.resource.attribute.labels[sourceProperties_Container_Image_Uri] | |
| sourceProperties.Container_Name | target.resource_ancestors.name | |
| sourceProperties.Environment_Variables | target.labels [Environment_Variables_name] (deprecated) | |
| sourceProperties.Environment_Variables | additional.fields [Environment_Variables_name] | |
|  | target.labels [Environment_Variables_val] (deprecated) | |
|  | additional.fields [Environment_Variables_val] | |
| sourceProperties.Kubernetes_Labels | target.resource.attribute.labels.key/value [sourceProperties_Kubernetes_Labels.name/value] | |
| sourceProperties.Parent_Pid | target.process.parent_process.pid | |
| sourceProperties.Pid | target.process.pid | |
| sourceProperties.Pod_Name | target.resource_ancestors.name | |
| sourceProperties.Pod_Namespace | target.resource_ancestors.attribute.labels.key/value [sourceProperties_Pod_Namespace] | |
| sourceProperties.Process_Arguments | target.process.command_line | |
| sourceProperties.Process_Binary_Fullpath | target.process.file.full_path | |
| sourceProperties.Process_Creation_Timestamp.nanos | target.labels [sourceProperties_Process_Creation_Timestamp_nanos] (deprecated) | |
| sourceProperties.Process_Creation_Timestamp.nanos | additional.fields [sourceProperties_Process_Creation_Timestamp_nanos] | |
| sourceProperties.Process_Creation_Timestamp.seconds | target.labels [sourceProperties_Process_Creation_Timestamp_seconds] (deprecated) | |
| sourceProperties.Process_Creation_Timestamp.seconds | additional.fields [sourceProperties_Process_Creation_Timestamp_seconds] | |
| sourceProperties.VM_Instance_Name | target.resource_ancestors.name | If the category log field value is equal to Added Binary Executed or Added Library Loaded, then the sourceProperties.VM_Instance_Name log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE. |
|  | target.resource_ancestors.resource_type | |
| resource.parent | target.resource_ancestors.attribute.labels.key/value [resource_project] | |
| resource.project | target.resource_ancestors.attribute.labels.key/value [resource_parent] | |
| sourceProperties.Added_Library_Fullpath | target.process.file.full_path | |
| sourceProperties.Added_Library_Kind | target.resource.attribute.labels[sourceProperties_Added_Library_Kind] | |
| sourceProperties.affectedResources.gcpResourceName | target.resource_ancestors.name | |
| sourceProperties.Backend_Service | target.resource.name | If the category log field value is equal to Increasing Deny Ratio, Allowed Traffic Spike, or Application DDoS Attack Attempt, then the sourceProperties.Backend_Service log field is mapped to the target.resource.name UDM field and the resourceName log field is mapped to the target.resource_ancestors.name UDM field. |
| sourceProperties.Long_Term_Allowed_RPS | target.resource.attribute.labels[sourceProperties_Long_Term_Allowed_RPS] | |
| sourceProperties.Long_Term_Denied_RPS | target.resource.attribute.labels[sourceProperties_Long_Term_Denied_RPS] | |
| sourceProperties.Long_Term_Incoming_RPS | target.resource.attribute.labels[sourceProperties_Long_Term_Incoming_RPS] | |
| sourceProperties.properties.customProperties.domain_category | target.resource.attribute.labels[sourceProperties_properties_customProperties_domain_category] | |
| sourceProperties.Security_Policy | target.resource.attribute.labels[sourceProperties_Security_Policy] | |
| sourceProperties.Short_Term_Allowed_RPS | target.resource.attribute.labels[sourceProperties_Short_Term_Allowed_RPS] | |
|  | target.resource.resource_type | If the category log field value is equal to Increasing Deny Ratio, Allowed Traffic Spike, or Application DDoS Attack Attempt, then the target.resource.resource_type UDM field is set to BACKEND_SERVICE. If the category log field value is equal to Configurable Bad Domain, then the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE. |
| sourceProperties.properties.sensitiveRoleGrant.principalEmail | principal.user.userid | Grok: extract user_id from the sourceProperties.properties.sensitiveRoleGrant.principalEmail log field, then map the user_id field to the principal.user.userid UDM field. |
| sourceProperties.properties.customRoleSensitivePermissions.principalEmail | principal.user.userid | Grok: extract user_id from the sourceProperties.properties.customRoleSensitivePermissions.principalEmail log field, then map the user_id field to the principal.user.userid UDM field. |
| resourceName | principal.asset.location.name | If the parentDisplayName log field value is equal to Virtual Machine Threat Detection, then Grok: extract project_name, region, zone_suffix, and asset_prod_obj_id from the resourceName log field, then map the region field to the principal.asset.location.name UDM field. |
| resourceName | principal.asset.product_object_id | If the parentDisplayName log field value is equal to Virtual Machine Threat Detection, then Grok: extract project_name, region, zone_suffix, and asset_prod_obj_id from the resourceName log field, then map the asset_prod_obj_id field to the principal.asset.product_object_id UDM field. |
| resourceName | principal.asset.attribute.cloud.availability_zone | If the parentDisplayName log field value is equal to Virtual Machine Threat Detection, then Grok: extract project_name, region, zone_suffix, and asset_prod_obj_id from the resourceName log field, then map the zone_suffix field to the principal.asset.attribute.cloud.availability_zone UDM field. |
| resourceName | principal.asset.attribute.labels[project_name] | If the parentDisplayName log field value is equal to Virtual Machine Threat Detection, then Grok: extract project_name, region, zone_suffix, and asset_prod_obj_id from the resourceName log field, then map the project_name field to the principal.asset.attribute.labels.value UDM field. |
| sourceProperties.threats.memory_hash_detector.detections.binary_name | security_result.detection_fields[binary_name] |  | 
| sourceProperties.threats.memory_hash_detector.detections.percent_pages_matched | security_result.detection_fields[percent_pages_matched] |  | 
| sourceProperties.threats.memory_hash_detector.binary | security_result.detection_fields[memory_hash_detector_binary] |  | 
| sourceProperties.threats.yara_rule_detector.yara_rule_name | security_result.detection_fields[yara_rule_name] |  | 
| sourceProperties.Script_SHA256 | target.resource.attribute.labels[script_sha256] |  | 
| sourceProperties.Script_Content | target.resource.attribute.labels[script_content] |  | 
| state | security_result.detection_fields[state] |  | 
| assetDisplayName | target.asset.attribute.labels[asset_display_name] |  | 
| assetId | target.asset.asset_id |  | 
| findingProviderId | target.resource.attribute.labels[finding_provider_id] |  | 
| sourceDisplayName | target.resource.attribute.labels[source_display_name] |  | 
| processes.name | target.process.file.names |  | 
| sourceProperties.properties.failedActions.methodName | target.labels[failedActions_methodName] | If the category log field value is equal to Initial Access: Excessive Permission Denied Actions, then the sourceProperties.properties.failedActions.methodName log field is mapped to the target.labels UDM field. |
| sourceProperties.properties.failedActions.methodName | additional.fields[failedActions_methodName] | If the category log field value is equal to Initial Access: Excessive Permission Denied Actions, then the sourceProperties.properties.failedActions.methodName log field is mapped to the additional.fields UDM field. |
| sourceProperties.properties.failedActions.serviceName | target.labels[failedActions_serviceName] | If the category log field value is equal to Initial Access: Excessive Permission Denied Actions, then the sourceProperties.properties.failedActions.serviceName log field is mapped to the target.labels UDM field. |
| sourceProperties.properties.failedActions.serviceName | additional.fields[failedActions_serviceName] | If the category log field value is equal to Initial Access: Excessive Permission Denied Actions, then the sourceProperties.properties.failedActions.serviceName log field is mapped to the additional.fields UDM field. |
| sourceProperties.properties.failedActions.attemptTimes | target.labels[failedActions_attemptTimes] | If the category log field value is equal to Initial Access: Excessive Permission Denied Actions, then the sourceProperties.properties.failedActions.attemptTimes log field is mapped to the target.labels UDM field. |
| sourceProperties.properties.failedActions.attemptTimes | additional.fields[failedActions_attemptTimes] | If the category log field value is equal to Initial Access: Excessive Permission Denied Actions, then the sourceProperties.properties.failedActions.attemptTimes log field is mapped to the additional.fields UDM field. |
| sourceProperties.properties.failedActions.lastOccurredTime | target.labels[failedActions_lastOccurredTime] | If the category log field value is equal to Initial Access: Excessive Permission Denied Actions, then the sourceProperties.properties.failedActions.lastOccurredTime log field is mapped to the target.labels UDM field. |
| sourceProperties.properties.failedActions.lastOccurredTime | additional.fields[failedActions_lastOccurredTime] | If the category log field value is equal to Initial Access: Excessive Permission Denied Actions, then the sourceProperties.properties.failedActions.lastOccurredTime log field is mapped to the additional.fields UDM field. |
| resource.resourcePathString | src.resource.attribute.labels[resource_path_string] | If the category log field value contains one of the following values, then the resource.resourcePathString log field is mapped to the src.resource.attribute.labels[resource_path_string] UDM field. The resource.resourcePathString log field is mapped to the target.resource.attribute.labels[resource_path_string] UDM field. |
Field mapping reference: event identifier to event type
| Event identifier | Event type | Security category |
|---|---|---|
| Active Scan: Log4j Vulnerable to RCE | SCAN_UNCATEGORIZED | |
| Brute Force: SSH | USER_LOGIN | AUTH_VIOLATION | 
| Credential Access: External Member Added To Privileged Group | GROUP_MODIFICATION | |
| Credential Access: Privileged Group Opened To Public | GROUP_MODIFICATION | |
| Credential Access: Sensitive Role Granted To Hybrid Group | GROUP_MODIFICATION | |
| Defense Evasion: Modify VPC Service Control | SERVICE_MODIFICATION | |
| Discovery: Can get sensitive Kubernetes object check (Preview) | SCAN_UNCATEGORIZED | |
| Discovery: Service Account Self-Investigation | USER_UNCATEGORIZED | |
| Evasion: Access from Anonymizing Proxy | SERVICE_MODIFICATION | |
| Exfiltration: BigQuery Data Exfiltration | USER_RESOURCE_ACCESS | DATA_EXFILTRATION | 
| Exfiltration: BigQuery Data Extraction | USER_RESOURCE_ACCESS | DATA_EXFILTRATION | 
| Exfiltration: BigQuery Data to Google Drive | USER_RESOURCE_ACCESS | DATA_EXFILTRATION | 
| Exfiltration: CloudSQL Data Exfiltration | USER_RESOURCE_ACCESS | DATA_EXFILTRATION | 
| Exfiltration: CloudSQL Over-Privileged Grant | USER_RESOURCE_ACCESS | DATA_EXFILTRATION | 
| Exfiltration: CloudSQL Restore Backup to External Organization | USER_RESOURCE_ACCESS | DATA_EXFILTRATION | 
| Impair Defenses: Strong Authentication Disabled | USER_CHANGE_PERMISSIONS | |
| Impair Defenses: Two Step Verification Disabled | USER_CHANGE_PERMISSIONS | |
| Initial Access: Account Disabled Hijacked | SETTING_MODIFICATION | |
| Initial Access: Disabled Password Leak | SETTING_MODIFICATION | |
| Initial Access: Government Based Attack | USER_UNCATEGORIZED | |
| Initial Access: Log4j Compromise Attempt | SCAN_UNCATEGORIZED | EXPLOIT | 
| Initial Access: Suspicious Login Blocked | USER_LOGIN | ACL_VIOLATION | 
| Initial Access: Dormant Service Account Action | SCAN_UNCATEGORIZED | |
| Log4j Malware: Bad Domain | NETWORK_CONNECTION | SOFTWARE_MALICIOUS | 
| Log4j Malware: Bad IP | SCAN_UNCATEGORIZED | SOFTWARE_MALICIOUS | 
| Malware: Bad Domain | NETWORK_CONNECTION | SOFTWARE_MALICIOUS | 
| Malware: Bad IP | SCAN_UNCATEGORIZED | SOFTWARE_MALICIOUS | 
| Malware: Cryptomining Bad Domain | NETWORK_CONNECTION | SOFTWARE_MALICIOUS | 
| Malware: Cryptomining Bad IP | NETWORK_CONNECTION | SOFTWARE_MALICIOUS | 
| Malware: Outgoing DoS | NETWORK_CONNECTION | NETWORK_DENIAL_OF_SERVICE | 
| Persistence: GCE Admin Added SSH Key | SETTING_MODIFICATION | |
| Persistence: GCE Admin Added Startup Script | SETTING_MODIFICATION | |
| Persistence: IAM Anomalous Grant | USER_UNCATEGORIZED | POLICY_VIOLATION | 
| Persistence: New API Method (Preview) | SCAN_UNCATEGORIZED | |
| Persistence: New Geography | USER_RESOURCE_ACCESS | NETWORK_SUSPICIOUS | 
| Persistence: New User Agent | USER_RESOURCE_ACCESS | |
| Persistence: SSO Enablement Toggle | SETTING_MODIFICATION | |
| Persistence: SSO Settings Changed | SETTING_MODIFICATION | |
| Privilege Escalation: Changes to sensitive Kubernetes RBAC objects (Preview) | RESOURCE_PERMISSIONS_CHANGE | |
| Privilege Escalation: Create Kubernetes CSR for master cert (Preview) | RESOURCE_CREATION | |
| Privilege Escalation: Creation of sensitive Kubernetes bindings (Preview) | RESOURCE_CREATION | |
| Privilege Escalation: Get Kubernetes CSR with compromised bootstrap credentials (Preview) | USER_RESOURCE_ACCESS | |
| Privilege Escalation: Launch of privileged Kubernetes container (Preview) | RESOURCE_CREATION | |
| Added Binary Executed | USER_RESOURCE_ACCESS | |
| Added Library Loaded | USER_RESOURCE_ACCESS | |
| Allowed Traffic Spike | USER_RESOURCE_ACCESS | |
| Increasing Deny Ratio | USER_RESOURCE_UPDATE_CONTENT | |
| Configurable bad domain | NETWORK_CONNECTION | |
| Execution: Cryptocurrency Mining Hash Match | SCAN_UNCATEGORIZED |  | 
| Execution: Cryptocurrency Mining YARA Rule | SCAN_UNCATEGORIZED |  | 
| Malicious Script Executed | SCAN_UNCATEGORIZED | SOFTWARE_MALICIOUS | 
| Malicious URL Observed | SCAN_UNCATEGORIZED | NETWORK_MALICIOUS | 
| Execution: Cryptocurrency Mining Combined Detection | SCAN_UNCATEGORIZED |  | 
| Application DDoS Attack Attempt | SCAN_NETWORK |  | 
| Defense Evasion: Unexpected ftrace handler | SCAN_UNCATEGORIZED | SOFTWARE_MALICIOUS | 
| Defense Evasion: Unexpected interrupt handler | SCAN_UNCATEGORIZED | SOFTWARE_MALICIOUS | 
| Defense Evasion: Unexpected kernel code modification | USER_RESOURCE_UPDATE_CONTENT | SOFTWARE_MALICIOUS | 
| Defense Evasion: Unexpected kernel modules | SCAN_UNCATEGORIZED | SOFTWARE_MALICIOUS | 
| Defense Evasion: Unexpected kernel read-only data modification | USER_RESOURCE_UPDATE_CONTENT | SOFTWARE_MALICIOUS | 
| Defense Evasion: Unexpected kprobe handler | SCAN_UNCATEGORIZED | SOFTWARE_MALICIOUS | 
| Defense Evasion: Unexpected processes in runqueue | PROCESS_UNCATEGORIZED | SOFTWARE_MALICIOUS | 
| Defense Evasion: Unexpected system call handler | SCAN_UNCATEGORIZED | SOFTWARE_MALICIOUS | 
| Reverse Shell | SCAN_UNCATEGORIZED | EXPLOIT | 
| account_has_leaked_credentials | SCAN_UNCATEGORIZED | DATA_AT_REST | 
| Initial Access: Dormant Service Account Key Created | RESOURCE_CREATION | |
| Process Tree | PROCESS_UNCATEGORIZED | |
| Unexpected Child Shell | PROCESS_UNCATEGORIZED | |
| Execution: Added Malicious Binary Executed | SCAN_UNCATEGORIZED | SOFTWARE_MALICIOUS | 
| Execution: Modified Malicious Binary Executed | SCAN_UNCATEGORIZED | SOFTWARE_MALICIOUS | 
| Privilege Escalation: Anomalous Multistep Service Account Delegation for Admin Activity | SCAN_UNCATEGORIZED | |
| Breakglass Account Used: break_glass_account | SCAN_UNCATEGORIZED | |
| Configurable Bad Domain: APT29_Domains | SCAN_UNCATEGORIZED | |
| Unexpected Role Grant: Forbidden roles | SCAN_UNCATEGORIZED | |
| Configurable Bad IP | SCAN_UNCATEGORIZED | |
| Unexpected Compute Engine instance type | SCAN_UNCATEGORIZED | |
| Unexpected Compute Engine source image | SCAN_UNCATEGORIZED | |
| Unexpected Compute Engine region | SCAN_UNCATEGORIZED | |
| Custom role with prohibited permission | SCAN_UNCATEGORIZED | |
| Unexpected Cloud API Call | SCAN_UNCATEGORIZED | |
The following tables list the UDM event types and the UDM field mappings for the Security Command Center VULNERABILITY, MISCONFIGURATION, OBSERVATION, ERROR, UNSPECIFIED and POSTURE_VIOLATION finding categories.
VULNERABILITY category to UDM event types
The following table lists the VULNERABILITY category findings and their corresponding UDM event types.
| Event identifier | Event type | Security category |
|---|---|---|
| DISK_CSEK_DISABLED | SCAN_UNCATEGORIZED | |
| ALPHA_CLUSTER_ENABLED | SCAN_UNCATEGORIZED | |
| AUTO_REPAIR_DISABLED | SCAN_UNCATEGORIZED | |
| AUTO_UPGRADE_DISABLED | SCAN_UNCATEGORIZED | |
| CLUSTER_SHIELDED_NODES_DISABLED | SCAN_UNCATEGORIZED | |
| COS_NOT_USED | SCAN_UNCATEGORIZED | |
| INTEGRITY_MONITORING_DISABLED | SCAN_UNCATEGORIZED | |
| IP_ALIAS_DISABLED | SCAN_UNCATEGORIZED | |
| LEGACY_METADATA_ENABLED | SCAN_UNCATEGORIZED | |
| RELEASE_CHANNEL_DISABLED | SCAN_UNCATEGORIZED | |
| DATAPROC_IMAGE_OUTDATED | SCAN_VULN_NETWORK | |
| PUBLIC_DATASET | SCAN_UNCATEGORIZED | |
| DNSSEC_DISABLED | SCAN_UNCATEGORIZED | |
| RSASHA1_FOR_SIGNING | SCAN_UNCATEGORIZED | |
| REDIS_ROLE_USED_ON_ORG | SCAN_UNCATEGORIZED | |
| KMS_PUBLIC_KEY | SCAN_UNCATEGORIZED | |
| SQL_CONTAINED_DATABASE_AUTHENTICATION | SCAN_UNCATEGORIZED | |
| SQL_CROSS_DB_OWNERSHIP_CHAINING | SCAN_UNCATEGORIZED | |
| SQL_EXTERNAL_SCRIPTS_ENABLED | SCAN_UNCATEGORIZED | |
| SQL_LOCAL_INFILE | SCAN_UNCATEGORIZED | |
| SQL_LOG_ERROR_VERBOSITY | SCAN_UNCATEGORIZED | |
| SQL_LOG_MIN_DURATION_STATEMENT_ENABLED | SCAN_UNCATEGORIZED | |
| SQL_LOG_MIN_ERROR_STATEMENT | SCAN_UNCATEGORIZED | |
| SQL_LOG_MIN_ERROR_STATEMENT_SEVERITY | SCAN_UNCATEGORIZED | |
| SQL_LOG_MIN_MESSAGES | SCAN_UNCATEGORIZED | |
| SQL_LOG_EXECUTOR_STATS_ENABLED | SCAN_UNCATEGORIZED | |
| SQL_LOG_HOSTNAME_ENABLED | SCAN_UNCATEGORIZED | |
| SQL_LOG_PARSER_STATS_ENABLED | SCAN_UNCATEGORIZED | |
| SQL_LOG_PLANNER_STATS_ENABLED | SCAN_UNCATEGORIZED | |
| SQL_LOG_STATEMENT_STATS_ENABLED | SCAN_UNCATEGORIZED | |
| SQL_LOG_TEMP_FILES | SCAN_UNCATEGORIZED | |
| SQL_REMOTE_ACCESS_ENABLED | SCAN_UNCATEGORIZED | |
| SQL_SKIP_SHOW_DATABASE_DISABLED | SCAN_UNCATEGORIZED | |
| SQL_TRACE_FLAG_3625 | SCAN_UNCATEGORIZED | |
| SQL_USER_CONNECTIONS_CONFIGURED | SCAN_UNCATEGORIZED | |
| SQL_USER_OPTIONS_CONFIGURED | SCAN_UNCATEGORIZED | |
| SQL_WEAK_ROOT_PASSWORD | SCAN_UNCATEGORIZED | |
| PUBLIC_LOG_BUCKET | SCAN_UNCATEGORIZED | |
| ACCESSIBLE_GIT_REPOSITORY | SCAN_UNCATEGORIZED | DATA_EXFILTRATION | 
| ACCESSIBLE_SVN_REPOSITORY | SCAN_NETWORK | DATA_EXFILTRATION | 
| CACHEABLE_PASSWORD_INPUT | SCAN_NETWORK | NETWORK_SUSPICIOUS | 
| CLEAR_TEXT_PASSWORD | SCAN_NETWORK | NETWORK_MALICIOUS | 
| INSECURE_ALLOW_ORIGIN_ENDS_WITH_VALIDATION | SCAN_UNCATEGORIZED | |
| INSECURE_ALLOW_ORIGIN_STARTS_WITH_VALIDATION | SCAN_UNCATEGORIZED | |
| INVALID_CONTENT_TYPE | SCAN_UNCATEGORIZED | |
| INVALID_HEADER | SCAN_UNCATEGORIZED | |
| MISMATCHING_SECURITY_HEADER_VALUES | SCAN_UNCATEGORIZED | |
| MISSPELLED_SECURITY_HEADER_NAME | SCAN_UNCATEGORIZED | |
| MIXED_CONTENT | SCAN_UNCATEGORIZED | |
| OUTDATED_LIBRARY | SCAN_VULN_HOST | SOFTWARE_SUSPICIOUS | 
| SERVER_SIDE_REQUEST_FORGERY | SCAN_NETWORK | NETWORK_MALICIOUS | 
| SESSION_ID_LEAK | SCAN_NETWORK | DATA_EXFILTRATION | 
| SQL_INJECTION | SCAN_NETWORK | EXPLOIT | 
| STRUTS_INSECURE_DESERIALIZATION | SCAN_VULN_HOST | SOFTWARE_SUSPICIOUS | 
| XSS | SCAN_NETWORK | SOFTWARE_SUSPICIOUS | 
| XSS_ANGULAR_CALLBACK | SCAN_NETWORK | SOFTWARE_SUSPICIOUS | 
| XSS_ERROR | SCAN_HOST | SOFTWARE_SUSPICIOUS | 
| XXE_REFLECTED_FILE_LEAKAGE | SCAN_HOST | SOFTWARE_SUSPICIOUS | 
| BASIC_AUTHENTICATION_ENABLED | SCAN_UNCATEGORIZED | |
| CLIENT_CERT_AUTHENTICATION_DISABLED | SCAN_UNCATEGORIZED | |
| LABELS_NOT_USED | SCAN_UNCATEGORIZED | |
| PUBLIC_STORAGE_OBJECT | SCAN_UNCATEGORIZED | |
| SQL_BROAD_ROOT_LOGIN | SCAN_UNCATEGORIZED | |
| WEAK_CREDENTIALS | SCAN_VULN_NETWORK | NETWORK_MALICIOUS | 
| ELASTICSEARCH_API_EXPOSED | SCAN_VULN_NETWORK | NETWORK_MALICIOUS | 
| EXPOSED_GRAFANA_ENDPOINT | SCAN_VULN_NETWORK | NETWORK_MALICIOUS | 
| EXPOSED_METABASE | SCAN_VULN_NETWORK | NETWORK_MALICIOUS | 
| EXPOSED_SPRING_BOOT_ACTUATOR_ENDPOINT | SCAN_VULN_NETWORK | |
| HADOOP_YARN_UNAUTHENTICATED_RESOURCE_MANAGER_API | SCAN_VULN_NETWORK | NETWORK_SUSPICIOUS | 
| JAVA_JMX_RMI_EXPOSED | SCAN_VULN_NETWORK | NETWORK_SUSPICIOUS | 
| JUPYTER_NOTEBOOK_EXPOSED_UI | SCAN_VULN_NETWORK | |
| KUBERNETES_API_EXPOSED | SCAN_VULN_NETWORK | NETWORK_SUSPICIOUS | 
| UNFINISHED_WORDPRESS_INSTALLATION | SCAN_VULN_NETWORK | NETWORK_SUSPICIOUS | 
| UNAUTHENTICATED_JENKINS_NEW_ITEM_CONSOLE | SCAN_VULN_NETWORK | NETWORK_SUSPICIOUS | 
| APACHE_HTTPD_RCE | SCAN_VULN_NETWORK | NETWORK_SUSPICIOUS | 
| APACHE_HTTPD_SSRF | SCAN_VULN_NETWORK | NETWORK_SUSPICIOUS | 
| CONSUL_RCE | SCAN_VULN_NETWORK | NETWORK_SUSPICIOUS | 
| DRUID_RCE | SCAN_VULN_NETWORK | |
| DRUPAL_RCE | SCAN_VULN_NETWORK | NETWORK_SUSPICIOUS | 
| FLINK_FILE_DISCLOSURE | SCAN_VULN_NETWORK | NETWORK_SUSPICIOUS | 
| GITLAB_RCE | SCAN_VULN_NETWORK | SOFTWARE_SUSPICIOUS | 
| GoCD_RCE | SCAN_VULN_NETWORK | SOFTWARE_SUSPICIOUS | 
| JENKINS_RCE | SCAN_VULN_NETWORK | SOFTWARE_SUSPICIOUS | 
| JOOMLA_RCE | SCAN_VULN_NETWORK | SOFTWARE_SUSPICIOUS | 
| LOG4J_RCE | SCAN_VULN_NETWORK | SOFTWARE_SUSPICIOUS | 
| MANTISBT_PRIVILEGE_ESCALATION | SCAN_VULN_NETWORK | SOFTWARE_SUSPICIOUS | 
| OGNL_RCE | SCAN_VULN_NETWORK | SOFTWARE_SUSPICIOUS | 
| OPENAM_RCE | SCAN_VULN_NETWORK | SOFTWARE_SUSPICIOUS | 
| ORACLE_WEBLOGIC_RCE | SCAN_VULN_NETWORK | SOFTWARE_SUSPICIOUS | 
| PHPUNIT_RCE | SCAN_VULN_NETWORK | SOFTWARE_SUSPICIOUS | 
| PHP_CGI_RCE | SCAN_VULN_NETWORK | SOFTWARE_SUSPICIOUS | 
| PORTAL_RCE | SCAN_VULN_NETWORK | SOFTWARE_SUSPICIOUS | 
| REDIS_RCE | SCAN_VULN_NETWORK | SOFTWARE_SUSPICIOUS | 
| SOLR_FILE_EXPOSED | SCAN_VULN_NETWORK | SOFTWARE_SUSPICIOUS | 
| SOLR_RCE | SCAN_VULN_NETWORK | SOFTWARE_SUSPICIOUS | 
| STRUTS_RCE | SCAN_VULN_NETWORK | SOFTWARE_SUSPICIOUS | 
| TOMCAT_FILE_DISCLOSURE | SCAN_VULN_NETWORK | SOFTWARE_SUSPICIOUS | 
| VBULLETIN_RCE | SCAN_VULN_NETWORK | SOFTWARE_SUSPICIOUS | 
| VCENTER_RCE | SCAN_VULN_NETWORK | SOFTWARE_SUSPICIOUS | 
| WEBLOGIC_RCE | SCAN_VULN_NETWORK | SOFTWARE_SUSPICIOUS | 
| OS_VULNERABILITY | SCAN_VULN_HOST | |
| IAM_ROLE_HAS_EXCESSIVE_PERMISSIONS | SCAN_UNCATEGORIZED | SOFTWARE_SUSPICIOUS | 
| SERVICE_AGENT_GRANTED_BASIC_ROLE | SCAN_UNCATEGORIZED | SOFTWARE_SUSPICIOUS | 
| UNUSED_IAM_ROLE | SCAN_UNCATEGORIZED | |
| SERVICE_AGENT_ROLE_REPLACED_WITH_BASIC_ROLE | SCAN_UNCATEGORIZED | SOFTWARE_SUSPICIOUS | 
MISCONFIGURATION category to UDM event types
The following table lists the MISCONFIGURATION category findings and their corresponding UDM event types.
| Event identifier | Event type |
|---|---|
| API_KEY_APIS_UNRESTRICTED | SCAN_UNCATEGORIZED | 
| API_KEY_APPS_UNRESTRICTED | SCAN_UNCATEGORIZED | 
| API_KEY_EXISTS | SCAN_UNCATEGORIZED | 
| API_KEY_NOT_ROTATED | SCAN_UNCATEGORIZED | 
| PUBLIC_COMPUTE_IMAGE | SCAN_HOST | 
| CONFIDENTIAL_COMPUTING_DISABLED | SCAN_HOST | 
| COMPUTE_PROJECT_WIDE_SSH_KEYS_ALLOWED | SCAN_UNCATEGORIZED | 
| COMPUTE_SECURE_BOOT_DISABLED | SCAN_HOST | 
| DEFAULT_SERVICE_ACCOUNT_USED | SCAN_UNCATEGORIZED | 
| FULL_API_ACCESS | SCAN_UNCATEGORIZED | 
| OS_LOGIN_DISABLED | SCAN_UNCATEGORIZED | 
| PUBLIC_IP_ADDRESS | SCAN_UNCATEGORIZED | 
| SHIELDED_VM_DISABLED | SCAN_UNCATEGORIZED | 
| COMPUTE_SERIAL_PORTS_ENABLED | SCAN_NETWORK | 
| DISK_CMEK_DISABLED | SCAN_UNCATEGORIZED | 
| HTTP_LOAD_BALANCER | SCAN_NETWORK | 
| IP_FORWARDING_ENABLED | SCAN_UNCATEGORIZED | 
| WEAK_SSL_POLICY | SCAN_NETWORK | 
| BINARY_AUTHORIZATION_DISABLED | SCAN_UNCATEGORIZED | 
| CLUSTER_LOGGING_DISABLED | SCAN_UNCATEGORIZED | 
| CLUSTER_MONITORING_DISABLED | SCAN_UNCATEGORIZED | 
| CLUSTER_PRIVATE_GOOGLE_ACCESS_DISABLED | SCAN_UNCATEGORIZED | 
| CLUSTER_SECRETS_ENCRYPTION_DISABLED | SCAN_UNCATEGORIZED | 
| INTRANODE_VISIBILITY_DISABLED | SCAN_UNCATEGORIZED | 
| MASTER_AUTHORIZED_NETWORKS_DISABLED | SCAN_UNCATEGORIZED | 
| NETWORK_POLICY_DISABLED | SCAN_UNCATEGORIZED | 
| NODEPOOL_SECURE_BOOT_DISABLED | SCAN_UNCATEGORIZED | 
| OVER_PRIVILEGED_ACCOUNT | SCAN_UNCATEGORIZED | 
| OVER_PRIVILEGED_SCOPES | SCAN_UNCATEGORIZED | 
| POD_SECURITY_POLICY_DISABLED | SCAN_UNCATEGORIZED | 
| PRIVATE_CLUSTER_DISABLED | SCAN_UNCATEGORIZED | 
| WORKLOAD_IDENTITY_DISABLED | SCAN_UNCATEGORIZED | 
| LEGACY_AUTHORIZATION_ENABLED | SCAN_UNCATEGORIZED | 
| NODEPOOL_BOOT_CMEK_DISABLED | SCAN_UNCATEGORIZED | 
| WEB_UI_ENABLED | SCAN_UNCATEGORIZED | 
| AUTO_REPAIR_DISABLED | SCAN_UNCATEGORIZED | 
| AUTO_UPGRADE_DISABLED | SCAN_UNCATEGORIZED | 
| CLUSTER_SHIELDED_NODES_DISABLED | SCAN_UNCATEGORIZED | 
| RELEASE_CHANNEL_DISABLED | SCAN_UNCATEGORIZED | 
| BIGQUERY_TABLE_CMEK_DISABLED | SCAN_UNCATEGORIZED | 
| DATASET_CMEK_DISABLED | SCAN_UNCATEGORIZED | 
| EGRESS_DENY_RULE_NOT_SET | SCAN_NETWORK | 
| FIREWALL_RULE_LOGGING_DISABLED | SCAN_NETWORK | 
| OPEN_CASSANDRA_PORT | SCAN_NETWORK | 
| OPEN_SMTP_PORT | SCAN_NETWORK | 
| OPEN_REDIS_PORT | SCAN_NETWORK | 
| OPEN_POSTGRESQL_PORT | SCAN_NETWORK | 
| OPEN_POP3_PORT | SCAN_NETWORK | 
| OPEN_ORACLEDB_PORT | SCAN_NETWORK | 
| OPEN_NETBIOS_PORT | SCAN_NETWORK | 
| OPEN_MYSQL_PORT | SCAN_NETWORK | 
| OPEN_MONGODB_PORT | SCAN_NETWORK | 
| OPEN_MEMCACHED_PORT | SCAN_NETWORK | 
| OPEN_LDAP_PORT | SCAN_NETWORK | 
| OPEN_FTP_PORT | SCAN_NETWORK | 
| OPEN_ELASTICSEARCH_PORT | SCAN_NETWORK | 
| OPEN_DNS_PORT | SCAN_NETWORK | 
| OPEN_HTTP_PORT | SCAN_NETWORK | 
| OPEN_DIRECTORY_SERVICES_PORT | SCAN_NETWORK | 
| OPEN_CISCOSECURE_WEBSM_PORT | SCAN_NETWORK | 
| OPEN_RDP_PORT | SCAN_NETWORK | 
| OPEN_TELNET_PORT | SCAN_NETWORK | 
| OPEN_FIREWALL | SCAN_NETWORK | 
| OPEN_SSH_PORT | SCAN_NETWORK | 
| SERVICE_ACCOUNT_ROLE_SEPARATION | SCAN_UNCATEGORIZED | 
| NON_ORG_IAM_MEMBER | SCAN_UNCATEGORIZED | 
| OVER_PRIVILEGED_SERVICE_ACCOUNT_USER | SCAN_UNCATEGORIZED | 
| ADMIN_SERVICE_ACCOUNT | SCAN_UNCATEGORIZED | 
| SERVICE_ACCOUNT_KEY_NOT_ROTATED | SCAN_UNCATEGORIZED | 
| USER_MANAGED_SERVICE_ACCOUNT_KEY | SCAN_UNCATEGORIZED | 
| PRIMITIVE_ROLES_USED | SCAN_UNCATEGORIZED | 
| KMS_ROLE_SEPARATION | SCAN_UNCATEGORIZED | 
| OPEN_GROUP_IAM_MEMBER | SCAN_UNCATEGORIZED | 
| KMS_KEY_NOT_ROTATED | SCAN_UNCATEGORIZED | 
| KMS_PROJECT_HAS_OWNER | SCAN_UNCATEGORIZED | 
| TOO_MANY_KMS_USERS | SCAN_UNCATEGORIZED | 
| OBJECT_VERSIONING_DISABLED | SCAN_UNCATEGORIZED | 
| LOCKED_RETENTION_POLICY_NOT_SET | SCAN_UNCATEGORIZED | 
| BUCKET_LOGGING_DISABLED | SCAN_UNCATEGORIZED | 
| LOG_NOT_EXPORTED | SCAN_UNCATEGORIZED | 
| AUDIT_LOGGING_DISABLED | SCAN_UNCATEGORIZED | 
| MFA_NOT_ENFORCED | SCAN_UNCATEGORIZED | 
| ROUTE_NOT_MONITORED | SCAN_NETWORK | 
| OWNER_NOT_MONITORED | SCAN_NETWORK | 
| AUDIT_CONFIG_NOT_MONITORED | SCAN_UNCATEGORIZED | 
| BUCKET_IAM_NOT_MONITORED | SCAN_UNCATEGORIZED | 
| CUSTOM_ROLE_NOT_MONITORED | SCAN_UNCATEGORIZED | 
| FIREWALL_NOT_MONITORED | SCAN_NETWORK | 
| NETWORK_NOT_MONITORED | SCAN_NETWORK | 
| SQL_INSTANCE_NOT_MONITORED | SCAN_UNCATEGORIZED | 
| DEFAULT_NETWORK | SCAN_NETWORK | 
| DNS_LOGGING_DISABLED | SCAN_NETWORK | 
| PUBSUB_CMEK_DISABLED | SCAN_UNCATEGORIZED | 
| PUBLIC_SQL_INSTANCE | SCAN_NETWORK | 
| SSL_NOT_ENFORCED | SCAN_NETWORK | 
| AUTO_BACKUP_DISABLED | SCAN_UNCATEGORIZED | 
| SQL_CMEK_DISABLED | SCAN_UNCATEGORIZED | 
| SQL_LOG_CHECKPOINTS_DISABLED | SCAN_UNCATEGORIZED | 
| SQL_LOG_CONNECTIONS_DISABLED | SCAN_UNCATEGORIZED | 
| SQL_LOG_DISCONNECTIONS_DISABLED | SCAN_UNCATEGORIZED | 
| SQL_LOG_DURATION_DISABLED | SCAN_UNCATEGORIZED | 
| SQL_LOG_LOCK_WAITS_DISABLED | SCAN_UNCATEGORIZED | 
| SQL_LOG_STATEMENT | SCAN_UNCATEGORIZED | 
| SQL_NO_ROOT_PASSWORD | SCAN_UNCATEGORIZED | 
| SQL_PUBLIC_IP | SCAN_NETWORK | 
| SQL_CONTAINED_DATABASE_AUTHENTICATION | SCAN_UNCATEGORIZED | 
| SQL_CROSS_DB_OWNERSHIP_CHAINING | SCAN_UNCATEGORIZED | 
| SQL_LOCAL_INFILE | SCAN_UNCATEGORIZED | 
| SQL_LOG_MIN_ERROR_STATEMENT | SCAN_UNCATEGORIZED | 
| SQL_LOG_MIN_ERROR_STATEMENT_SEVERITY | SCAN_UNCATEGORIZED | 
| SQL_LOG_TEMP_FILES | SCAN_UNCATEGORIZED | 
| SQL_REMOTE_ACCESS_ENABLED | SCAN_UNCATEGORIZED | 
| SQL_SKIP_SHOW_DATABASE_DISABLED | SCAN_UNCATEGORIZED | 
| SQL_TRACE_FLAG_3625 | SCAN_UNCATEGORIZED | 
| SQL_USER_CONNECTIONS_CONFIGURED | SCAN_UNCATEGORIZED | 
| SQL_USER_OPTIONS_CONFIGURED | SCAN_UNCATEGORIZED | 
| PUBLIC_BUCKET_ACL | SCAN_UNCATEGORIZED | 
| BUCKET_POLICY_ONLY_DISABLED | SCAN_UNCATEGORIZED | 
| BUCKET_CMEK_DISABLED | SCAN_UNCATEGORIZED | 
| FLOW_LOGS_DISABLED | SCAN_NETWORK | 
| PRIVATE_GOOGLE_ACCESS_DISABLED | SCAN_NETWORK | 
| kms_key_region_europe | SCAN_UNCATEGORIZED | 
| kms_non_euro_region | SCAN_UNCATEGORIZED | 
| LEGACY_NETWORK | SCAN_NETWORK | 
| LOAD_BALANCER_LOGGING_DISABLED | SCAN_NETWORK | 
| INSTANCE_OS_LOGIN_DISABLED | SCAN_UNCATEGORIZED | 
| GKE_PRIVILEGE_ESCALATION | SCAN_UNCATEGORIZED | 
| GKE_RUN_AS_NONROOT | SCAN_UNCATEGORIZED | 
| GKE_HOST_PATH_VOLUMES | SCAN_UNCATEGORIZED | 
| GKE_HOST_NAMESPACES | SCAN_UNCATEGORIZED | 
| GKE_PRIVILEGED_CONTAINERS | SCAN_UNCATEGORIZED | 
| GKE_HOST_PORTS | SCAN_UNCATEGORIZED | 
| GKE_CAPABILITIES | SCAN_UNCATEGORIZED | 
OBSERVATION category to UDM event types
The following table lists the OBSERVATION category findings and their corresponding UDM event types.
| Event identifier | Event type |
|---|---|
| Persistence: Project SSH Key Added | SETTING_MODIFICATION |
| Persistence: Add Sensitive Role | RESOURCE_PERMISSIONS_CHANGE |
| Impact: GPU Instance Created | USER_RESOURCE_CREATION |
| Impact: Many Instances Created | USER_RESOURCE_CREATION |
ERROR category to UDM event types
The following table lists the ERROR category findings and their corresponding UDM event types.
| Event identifier | Event type |
|---|---|
| VPC_SC_RESTRICTION | SCAN_UNCATEGORIZED | 
| MISCONFIGURED_CLOUD_LOGGING_EXPORT | SCAN_UNCATEGORIZED | 
| API_DISABLED | SCAN_UNCATEGORIZED | 
| KTD_IMAGE_PULL_FAILURE | SCAN_UNCATEGORIZED | 
| KTD_BLOCKED_BY_ADMISSION_CONTROLLER | SCAN_UNCATEGORIZED | 
| KTD_SERVICE_ACCOUNT_MISSING_PERMISSIONS | SCAN_UNCATEGORIZED | 
| GKE_SERVICE_ACCOUNT_MISSING_PERMISSIONS | SCAN_UNCATEGORIZED | 
| SCC_SERVICE_ACCOUNT_MISSING_PERMISSIONS | SCAN_UNCATEGORIZED | 
UNSPECIFIED category to UDM event types
The following table lists the UNSPECIFIED category findings and their corresponding UDM event types.
| Event identifier | Event type | Security category |
|---|---|---|
| OPEN_FIREWALL | SCAN_VULN_HOST | POLICY_VIOLATION | 
POSTURE_VIOLATION category to UDM event types
The following table lists the POSTURE_VIOLATION category findings and their corresponding UDM event types.
| Event identifier | Event type |
|---|---|
| SECURITY_POSTURE_DRIFT | SERVICE_MODIFICATION | 
| SECURITY_POSTURE_POLICY_DRIFT | SCAN_UNCATEGORIZED | 
| SECURITY_POSTURE_POLICY_DELETE | SCAN_UNCATEGORIZED | 
| SECURITY_POSTURE_DETECTOR_DRIFT | SCAN_UNCATEGORIZED | 
| SECURITY_POSTURE_DETECTOR_DELETE | SCAN_UNCATEGORIZED | 
Field mapping reference: VULNERABILITY
The following table lists the log fields of the VULNERABILITY category and their corresponding UDM fields.
| RawLog field | UDM mapping | Logic |
|---|---|---|
| assetDisplayName | target.asset.attribute.labels.key/value [assetDisplayName] | |
| assetId | target.asset.asset_id | |
| findingProviderId | target.resource.attribute.labels.key/value [findings_findingProviderId] | |
| sourceDisplayName | target.resource.attribute.labels.key/value [sourceDisplayName] | |
| sourceProperties.description | extensions.vuln.vulnerabilities.description | |
| sourceProperties.finalUrl | network.http.referral_url | |
| sourceProperties.form.fields | target.resource.attribute.labels.key/value [sourceProperties_form_fields] | |
| sourceProperties.httpMethod | network.http.method | |
| sourceProperties.name | target.resource.attribute.labels.key/value [sourceProperties_name] | |
| sourceProperties.outdatedLibrary.learnMoreUrls | target.resource.attribute.labels.key/value[sourceProperties_outdatedLibrary_learnMoreUrls] | |
| sourceProperties.outdatedLibrary.libraryName | target.resource.attribute.labels.key/value[outdatedLibrary.libraryName] | |
| sourceProperties.outdatedLibrary.version | target.resource.attribute.labels.key/value[sourceProperties_outdatedLibrary_libraryName] | |
| sourceProperties.ResourcePath | target.resource.attribute.labels.key/value[sourceProperties_ResourcePath] | |
| externalUri | about.url | |
| category | extensions.vuln.vulnerabilities.name | |
| resourceName | principal.asset.location.name | A Grok pattern extracts region from resourceName and maps it to the principal.asset.location.name UDM field. |
| resourceName | principal.asset.product_object_id | A Grok pattern extracts asset_prod_obj_id from resourceName and maps it to the principal.asset.product_object_id UDM field. |
| resourceName | principal.asset.attribute.cloud.availability_zone | A Grok pattern extracts zone_suffix from resourceName and maps it to the principal.asset.attribute.cloud.availability_zone UDM field. |
| sourceProperties.RevokedIamPermissionsCount | security_result.detection_fields.key/value[revoked_Iam_permissions_count] | |
| sourceProperties.TotalRecommendationsCount | security_result.detection_fields.key/value[total_recommendations_count] | |
| sourceProperties.DeactivationReason | security_result.detection_fields.key/value[deactivation_reason] | |
| iamBindings.role | about.user.attribute.roles.name | |
| iamBindings.member | about.user.email_addresses | |
| iamBindings.action | about.user.attribute.labels.key/value[action] | |
Field mapping reference: MISCONFIGURATION
The following table lists the log fields of the MISCONFIGURATION category and their corresponding UDM fields.
| RawLog field | UDM mapping |
|---|---|
| assetDisplayName | target.asset.attribute.labels.key/value [assetDisplayName] | 
| assetId | target.asset.asset_id | 
| externalUri | about.url | 
| findingProviderId | target.resource.attribute.labels[findingProviderId] | 
| sourceDisplayName | target.resource.attribute.labels[sourceDisplayName] | 
| sourceProperties.Recommendation | security_result.detection_fields.key/value[sourceProperties_Recommendation] | 
| sourceProperties.ExceptionInstructions | security_result.detection_fields.key/value[sourceProperties_ExceptionInstructions] | 
| sourceProperties.ScannerName | principal.labels.key/value[sourceProperties_ScannerName] | 
| sourceProperties.ResourcePath | target.resource.attribute.labels.key/value[sourceProperties_ResourcePath] | 
| sourceProperties.ReactivationCount | target.resource.attribute.labels.key/value [sourceProperties_ReactivationCount] | 
| sourceProperties.DeactivationReason | target.resource.attribute.labels.key/value [DeactivationReason] | 
| sourceProperties.ActionRequiredOnProject | target.resource.attribute.labels.key/value [sourceProperties_ActionRequiredOnProject] | 
| sourceProperties.VulnerableNetworkInterfaceNames | target.resource.attribute.labels.key/value [sourceProperties_VulnerableNetworkInterfaceNames] | 
| sourceProperties.VulnerableNodePools | target.resource.attribute.labels.key/value [sourceProperties_VulnerableNodePools] | 
| sourceProperties.VulnerableNodePoolsList | target.resource.attribute.labels.key/value [sourceProperties_VulnerableNodePoolsList] | 
| sourceProperties.AllowedOauthScopes | target.resource.attribute.permissions.name | 
| sourceProperties.ExposedService | target.application | 
| sourceProperties.OpenPorts.TCP | target.resource.attribute.labels.key/value[sourceProperties_OpenPorts_TCP] | 
| sourceProperties.OffendingIamRolesList.member | about.user.email_addresses | 
| sourceProperties.OffendingIamRolesList.roles | about.user.attribute.roles.name | 
| sourceProperties.ActivationTrigger | target.resource.attribute.labels.key/value [sourceProperties_ActivationTrigger] | 
| sourceProperties.MfaDetails.users | target.resource.attribute.labels.key/value [sourceProperties_MfaDetails_users] | 
| sourceProperties.MfaDetails.enrolled | target.resource.attribute.labels.key/value [sourceProperties_MfaDetails_enrolled] | 
| sourceProperties.MfaDetails.enforced | target.resource.attribute.labels.key/value [sourceProperties_MfaDetails_enforced] | 
| sourceProperties.MfaDetails.advancedProtection | target.resource.attribute.labels.key/value [sourceProperties_MfaDetails_advancedProtection] | 
| sourceProperties.cli_remediation | target.process.command_line_history | 
| sourceProperties.OpenPorts.UDP | target.resource.attribute.labels.key/value[sourceProperties_OpenPorts_UDP] | 
| sourceProperties.HasAdminRoles | target.resource.attribute.labels.key/value [sourceProperties_HasAdminRoles] | 
| sourceProperties.HasEditRoles | target.resource.attribute.labels.key/value [sourceProperties_HasEditRoles] | 
| sourceProperties.AllowedIpRange | target.resource.attribute.labels.key/value [sourceProperties_AllowedIpRange] | 
| sourceProperties.ExternalSourceRanges | target.resource.attribute.labels.key/value [sourceProperties_ExternalSourceRanges] | 
| sourceProperties.ExternallyAccessibleProtocolsAndPorts.IPProtocol | target.resource.attribute.labels.key/value [sourceProperties_ExternallyAccessibleProtocolsAndPorts_IPProtocol] | 
| sourceProperties.OpenPorts.SCTP | target.resource.attribute.labels.key/value[sourceProperties_OpenPorts_SCTP] | 
| sourceProperties.RecommendedLogFilter | target.resource.attribute.labels.key/value [sourceProperties_RecommendedLogFilter] | 
| sourceProperties.QualifiedLogMetricNames | target.resource.attribute.labels.key/value [sourceProperties_QualifiedLogMetricNames] | 
| sourceProperties.HasDefaultPolicy | target.resource.attribute.labels.key/value [sourceProperties_HasDefaultPolicy] | 
| sourceProperties.CompatibleFeatures | target.resource.attribute.labels.key/value [sourceProperties_CompatibleFeatures] | 
| sourceProperties.TargetProxyUrl | target.url | 
| sourceProperties.OffendingIamRolesList.description | about.user.attribute.roles.description | 
| sourceProperties.DatabaseVersion | target.resource.attribute.label[sourceProperties_DatabaseVersion] | 
Field mapping reference: OBSERVATION
The following table lists the log fields of the OBSERVATION category and their corresponding UDM fields.
| RawLog field | UDM mapping |
|---|---|
| findingProviderId | target.resource.attribute.labels[findingProviderId] | 
| sourceDisplayName | target.resource.attribute.labels.key/value [sourceDisplayName] | 
| assetDisplayName | target.asset.attribute.labels.key/value [asset_display_name] | 
| assetId | target.asset.asset_id | 
Field mapping reference: ERROR
The following table lists the log fields of the ERROR category and their corresponding UDM fields.
| RawLog field | UDM mapping |
|---|---|
| externalURI | about.url | 
| sourceProperties.ReactivationCount | target.resource.attribute.labels.key/value [sourceProperties_ReactivationCount] | 
| findingProviderId | target.resource.attribute.labels[findingProviderId] | 
| sourceDisplayName | target.resource.attribute.labels.key/value [sourceDisplayName] | 
Field mapping reference: UNSPECIFIED
The following table lists the log fields of the UNSPECIFIED category and their corresponding UDM fields.
| RawLog field | UDM mapping |
|---|---|
| sourceProperties.ScannerName | principal.labels.key/value [sourceProperties_ScannerName] | 
| sourceProperties.ResourcePath | src.resource.attribute.labels.key/value [sourceProperties_ResourcePath] | 
| sourceProperties.ReactivationCount | target.resource.attribute.labels.key/value [sourceProperties_ReactivationCount] | 
| sourceProperties.AllowedIpRange | target.resource.attribute.labels.key/value [sourceProperties_AllowedIpRange] | 
| sourceProperties.ExternallyAccessibleProtocolsAndPorts.IPProtocol | target.resource.attribute.labels.key/value [sourceProperties_ExternallyAccessibleProtocolsAndPorts_IPProtocol] | 
| sourceProperties.ExternallyAccessibleProtocolsAndPorts.ports | target.resource.attribute.labels.key/value [sourceProperties_ExternallyAccessibleProtocolsAndPorts_ports] | 
| sourceDisplayName | target.resource.attribute.labels.key/value [sourceDisplayName] | 
Field mapping reference: POSTURE_VIOLATION
The following table lists the log fields of the POSTURE_VIOLATION category and their corresponding UDM fields.
| Log field | UDM mapping | Logic |
|---|---|---|
| finding.resourceName | target.resource_ancestors.name | If the finding.resourceName log field is not empty, it is mapped to the target.resource.name UDM field. A Grok pattern extracts the project_name field from finding.resourceName; if project_name is not empty, it is mapped to the target.resource_ancestors.name UDM field. |
| resourceName | target.resource_ancestors.name | If the resourceName log field is not empty, it is mapped to the target.resource.name UDM field. A Grok pattern extracts the project_name field from resourceName; if project_name is not empty, it is mapped to the target.resource_ancestors.name UDM field. |
| finding.sourceProperties.posture_revision_id | security_result.detection_fields[source_properties_posture_revision_id] | |
| sourceProperties.posture_revision_id | security_result.detection_fields[source_properties_posture_revision_id] | |
| sourceProperties.revision_id | security_result.detection_fields[source_properties_posture_revision_id] | |
| finding.sourceProperties.policy_drift_details.drift_details.expected_configuration | security_result.rule_labels[policy_drift_details_expected_configuration] | |
| sourceProperties.policy_drift_details.drift_details.expected_configuration | security_result.rule_labels[policy_drift_details_expected_configuration] | |
| finding.sourceProperties.policy_drift_details.drift_details.detected_configuration | security_result.rule_labels[policy_drift_details_detected_configuration] | |
| sourceProperties.policy_drift_details.drift_details.detected_configuration | security_result.rule_labels[policy_drift_details_detected_configuration] | |
| finding.sourceProperties.policy_drift_details.field_name | security_result.rule_labels[policy_drift_details_field_name] | |
| sourceProperties.policy_drift_details.field_name | security_result.rule_labels[policy_drift_details_field_name] | |
| finding.sourceProperties.changed_policy | security_result.rule_name | |
| sourceProperties.changed_policy | security_result.rule_name | |
| finding.sourceProperties.posture_deployment_resource | security_result.detection_fields[source_properties_posture_deployment_resource] | |
| sourceProperties.posture_deployment_resource | security_result.detection_fields[source_properties_posture_deployment_resource] | |
| finding.sourceProperties.posture_name | target.application | |
| sourceProperties.posture_name | target.application | |
| sourceProperties.name | target.application | |
| finding.sourceProperties.posture_deployment_name | security_result.detection_fields[source_properties_posture_deployment_name] | |
| sourceProperties.posture_deployment_name | security_result.detection_fields[source_properties_posture_deployment_name] | |
| sourceProperties.posture_deployment | security_result.detection_fields[source_properties_posture_deployment_name] | |
| finding.propertyDataTypes.policy_drift_details.listValues.propertyDataTypes.structValue.fields.drift_details.structValue.fields.expected_configuration.primitiveDataType | security_result.rule_labels[expected_configuration_primitive_data_type] | |
| propertyDataTypes.policy_drift_details.listValues.propertyDataTypes.structValue.fields.drift_details.structValue.fields.expected_configuration.primitiveDataType | security_result.rule_labels[expected_configuration_primitive_data_type] | |
| finding.propertyDataTypes.policy_drift_details.listValues.propertyDataTypes.structValue.fields.drift_details.structValue.fields.detected_configuration.primitiveDataType | security_result.rule_labels[detected_configuration_primitive_data_type] | |
| propertyDataTypes.policy_drift_details.listValues.propertyDataTypes.structValue.fields.drift_details.structValue.fields.detected_configuration.primitiveDataType | security_result.rule_labels[detected_configuration_primitive_data_type] | |
| finding.propertyDataTypes.policy_drift_details.listValues.propertyDataTypes.structValue.fields.field_name.primitiveDataType | security_result.rule_labels[field_name_primitive_data_type] | |
| propertyDataTypes.policy_drift_details.listValues.propertyDataTypes.structValue.fields.field_name.primitiveDataType | security_result.rule_labels[field_name_primitive_data_type] | |
| finding.propertyDataTypes.changed_policy.primitiveDataType | security_result.rule_labels[changed_policy_primitive_data_type] | |
| propertyDataTypes.changed_policy.primitiveDataType | security_result.rule_labels[changed_policy_primitive_data_type] | |
| finding.propertyDataTypes.posture_revision_id.primitiveDataType | security_result.detection_fields[posture_revision_id_primitiveDataType] | |
| propertyDataTypes.posture_revision_id.primitiveDataType | security_result.detection_fields[posture_revision_id_primitiveDataType] | |
| finding.propertyDataTypes.posture_name.primitiveDataType | security_result.detection_fields[posture_name_primitiveDataType] | |
| propertyDataTypes.posture_name.primitiveDataType | security_result.detection_fields[posture_name_primitiveDataType] | |
| finding.propertyDataTypes.posture_deployment_name.primitiveDataType | security_result.detection_fields[posture_deployment_name_primitiveDataType] | |
| propertyDataTypes.posture_deployment_name.primitiveDataType | security_result.detection_fields[posture_deployment_name_primitiveDataType] | |
| finding.propertyDataTypes.posture_deployment_resource.primitiveDataType | security_result.detection_fields[posture_deployment_resource_primitiveDataType] | |
| propertyDataTypes.posture_deployment_resource.primitiveDataType | security_result.detection_fields[posture_deployment_resource_primitiveDataType] | |
| finding.originalProviderId | target.resource.attribute.labels[original_provider_id] | |
| originalProviderId | target.resource.attribute.labels[original_provider_id] | |
| finding.securityPosture.name | security_result.detection_fields[security_posture_name] | |
| securityPosture.name | security_result.detection_fields[security_posture_name] | |
| finding.securityPosture.revisionId | security_result.detection_fields[security_posture_revision_id] | |
| securityPosture.revisionId | security_result.detection_fields[security_posture_revision_id] | |
| finding.securityPosture.postureDeploymentResource | security_result.detection_fields[posture_deployment_resource] | |
| securityPosture.postureDeploymentResource | security_result.detection_fields[posture_deployment_resource] | |
| finding.securityPosture.postureDeployment | security_result.detection_fields[posture_deployment] | |
| securityPosture.postureDeployment | security_result.detection_fields[posture_deployment] | |
| finding.securityPosture.changedPolicy | security_result.rule_labels[changed_policy] | |
| securityPosture.changedPolicy | security_result.rule_labels[changed_policy] | |
| finding.cloudProvider | about.resource.attribute.cloud.environment | If the finding.cloudProvider log field value is one of the following values, the finding.cloudProvider log field is mapped to the about.resource.attribute.cloud.environment UDM field. |
| finding.files.path | target.file.full_path | Iterate through the finding.files log field. If index equals 0, the finding.files.path log field is mapped to the target.file.full_path UDM field. Otherwise, the finding.files.path log field is mapped to the about.file.full_path UDM field. |
| files.path | target.file.full_path | Iterate through the files log field. If index equals 0, the files.path log field is mapped to the target.file.full_path UDM field. Otherwise, the files.path log field is mapped to the about.file.full_path UDM field. |
| finding.files.size | target.file.size | Iterate through the finding.files log field. If index equals 0, the finding.files.size log field is mapped to the target.file.size UDM field. Otherwise, the finding.files.size log field is mapped to the about.file.size UDM field. |
| files.size | target.file.size | Iterate through the files log field. If index equals 0, the files.size log field is mapped to the target.file.size UDM field. Otherwise, the files.size log field is mapped to the about.file.size UDM field. |
| finding.files.sha256 | target.file.sha256 | Iterate through the finding.files log field. If index equals 0 and the finding.files.size value equals the finding.files.hashedSize value, the finding.files.sha256 log field is mapped to the target.file.sha256 UDM field. Otherwise, if the finding.files.size value equals the finding.files.hashedSize value, the finding.files.sha256 log field is mapped to the about.file.sha256 UDM field. The hash is not mapped when only part of the file was hashed. |
| files.sha256 | target.file.sha256 | Iterate through the files log field. If index equals 0 and the files.size value equals the files.hashedSize value, the files.sha256 log field is mapped to the target.file.sha256 UDM field. Otherwise, if the files.size value equals the files.hashedSize value, the files.sha256 log field is mapped to the about.file.sha256 UDM field. The hash is not mapped when only part of the file was hashed. |
| finding.files.hashedSize | additional.fields | Iterate through the finding.files log field, set the additional.fields.key UDM field to file_hashedSize_%{index}, and map the finding.files.hashedSize log field to the additional.fields.value.string_value UDM field. |
| files.hashedSize | additional.fields | Iterate through the files log field, set the additional.fields.key UDM field to file_hashedSize_%{index}, and map the files.hashedSize log field to the additional.fields.value.string_value UDM field. |
| finding.files.partiallyHashed | additional.fields | Iterate through the finding.files log field, set the additional.fields.key UDM field to file_partiallyHashed_%{index}, and map the finding.files.partiallyHashed log field to the additional.fields.value.string_value UDM field. |
| files.partiallyHashed | additional.fields | Iterate through the files log field, set the additional.fields.key UDM field to file_partiallyHashed_%{index}, and map the files.partiallyHashed log field to the additional.fields.value.string_value UDM field. |
| finding.files.contents | additional.fields | Iterate through the finding.files log field, set the additional.fields.key UDM field to file_contents_%{index}, and map the finding.files.contents log field to the additional.fields.value.string_value UDM field. |
| files.contents | additional.fields | Iterate through the files log field, set the additional.fields.key UDM field to file_contents_%{index}, and map the files.contents log field to the additional.fields.value.string_value UDM field. |
| finding.files.diskPath.partitionUuid | additional.fields | Iterate through the finding.files log field, set the additional.fields.key UDM field to file_diskPath_partitionUuid_%{index}, and map the finding.files.diskPath.partitionUuid log field to the additional.fields.value.string_value UDM field. |
| files.diskPath.partitionUuid | additional.fields | Iterate through the files log field, set the additional.fields.key UDM field to file_diskPath_partitionUuid_%{index}, and map the files.diskPath.partitionUuid log field to the additional.fields.value.string_value UDM field. |
| finding.files.diskPath.relativePath | additional.fields | Iterate through the finding.files log field, set the additional.fields.key UDM field to file_diskPath_relativePath_%{index}, and map the finding.files.diskPath.relativePath log field to the additional.fields.value.string_value UDM field. |
| files.diskPath.relativePath | additional.fields | Iterate through the files log field, set the additional.fields.key UDM field to file_diskPath_relativePath_%{index}, and map the files.diskPath.relativePath log field to the additional.fields.value.string_value UDM field. |
| finding.files.operations.type | additional.fields | Iterate through the finding.files log field, set the additional.fields.key UDM field to file_operations_type_%{index}, and map the finding.files.operations.type log field to the additional.fields.value.string_value UDM field. |
| files.operations.type | additional.fields | Iterate through the files log field, set the additional.fields.key UDM field to file_operations_type_%{index}, and map the files.operations.type log field to the additional.fields.value.string_value UDM field. |
| cloudProvider | about.resource.attribute.cloud.environment | If the cloudProvider log field value is one of the following values, the cloudProvider log field is mapped to the about.resource.attribute.cloud.environment UDM field. |
| resource.cloudProvider | target.resource.attribute.cloud.environment | If the resource.cloudProvider log field value is one of the following values, the resource.cloudProvider log field is mapped to the target.resource.attribute.cloud.environment UDM field. |
| resource.organization | target.resource.attribute.labels[resource_organization] | |
| resource.gcpMetadata.organization | target.resource.attribute.labels[resource_organization] | |
| resource.service | target.resource_ancestors.name | |
| resource.resourcePath.nodes.nodeType | target.resource_ancestors.resource_subtype | |
| resource.resourcePath.nodes.id | target.resource_ancestors.product_object_id | |
| resource.resourcePath.nodes.displayName | target.resource_ancestors.name | |
| resource.resourcePathString | target.resource.attribute.labels[resource_path_string] | |
| finding.risks.riskCategory | security_result.detection_fields[risk_category] | |
| finding.securityPosture.policyDriftDetails.field | security_result.rule_labels[policy_drift_details_field] | |
| finding.securityPosture.policyDriftDetails.expectedValue | security_result.rule_labels[policy_drift_details_expected_value] | |
| finding.securityPosture.policyDriftDetails.detectedValue | security_result.rule_labels[policy_drift_details_detected_value] | |
| finding.securityPosture.policySet | security_result.rule_set | |
| sourceProperties.categories | security_result.detection_fields[source_properties_categories] | 
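The files[] rules in the table above (index 0 goes to target.file, later entries to about.file, sha256 is kept only when size equals hashedSize, and the remaining attributes become indexed additional.fields keys) are easier to check against a concrete finding. The following Python is an added example written for this page, not Google SecOps parser code: it applies those rules to a constructed finding (the sample JSON, paths and hashes are made up) and accepts both the wrapped finding.* shape and the bare shape that the table documents.

```python
"""Added example: the finding.files[] mapping rules from the table above, applied
to a constructed Security Command Center finding. Illustrative code, not the
Google SecOps parser; field and key names follow the table, the finding is made up."""
import json

# Constructed sample log in the wrapped {"finding": {...}} shape. The table
# documents both "finding.files.*" and bare "files.*", so unwrap() accepts either.
SAMPLE_LOG = json.dumps({
    "finding": {
        "files": [
            {   # fully hashed: size == hashedSize, so sha256 is kept
                "path": "/tmp/xmrig",
                "size": "4096",
                "hashedSize": "4096",
                "sha256": "a" * 64,
                "partiallyHashed": False,
                "diskPath": {"partitionUuid": "1111-2222", "relativePath": "tmp/xmrig"},
                "operations": [{"type": "OPEN"}],
            },
            {   # partially hashed: size != hashedSize, so sha256 is dropped
                "path": "/var/lib/dropper.bin",
                "size": "1048576",
                "hashedSize": "65536",
                "sha256": "b" * 64,
                "partiallyHashed": True,
            },
        ],
    }
})

# The same finding in the bare (unwrapped) shape.
SAMPLE_LOG_BARE = json.dumps(json.loads(SAMPLE_LOG)["finding"])


def unwrap(log: dict) -> dict:
    """Return the finding object whether or not the log is wrapped in "finding"."""
    return log.get("finding", log)


def map_files(raw_log: str) -> dict:
    """Apply the documented files[] rules and return a UDM-shaped dict."""
    finding = unwrap(json.loads(raw_log))
    udm = {"target": {}, "about": [], "additional": {"fields": []}}

    for index, f in enumerate(finding.get("files", [])):
        # Index 0 populates target.file; every later entry becomes its own about.file.
        dest = udm["target"].setdefault("file", {}) if index == 0 else {}
        if "path" in f:
            dest["full_path"] = f["path"]
        if "size" in f:
            dest["size"] = int(f["size"])
        # sha256 is mapped only when the whole file was hashed (size == hashedSize);
        # a hash over a partial read must not be used as the file's identity.
        if "sha256" in f and f.get("size") == f.get("hashedSize"):
            dest["sha256"] = f["sha256"]
        if index != 0:
            udm["about"].append({"file": dest})

        # Attributes without a UDM home are kept as indexed additional.fields entries.
        extras = [
            (f"file_hashedSize_{index}", f.get("hashedSize")),
            (f"file_partiallyHashed_{index}", f.get("partiallyHashed")),
            (f"file_contents_{index}", f.get("contents")),
            (f"file_diskPath_partitionUuid_{index}", f.get("diskPath", {}).get("partitionUuid")),
            (f"file_diskPath_relativePath_{index}", f.get("diskPath", {}).get("relativePath")),
        ]
        extras += [(f"file_operations_type_{index}", op.get("type"))
                   for op in f.get("operations", [])]
        for key, value in extras:
            if value is not None:
                udm["additional"]["fields"].append(
                    {"key": key, "value": {"string_value": str(value)}})
    return udm


if __name__ == "__main__":
    print(json.dumps(map_files(SAMPLE_LOG), indent=2))
```

The second file keeps its path and size but has no sha256 in the output because only 65536 of 1048576 bytes were hashed. That is the behaviour to expect when a hash search in Google SecOps returns nothing for a file that Security Command Center reported as partially hashed; the file_partiallyHashed_1 and file_hashedSize_1 entries in additional.fields are what tell you why.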
Field mapping reference: CHOKEPOINT
The following table lists the log fields of the CHOKEPOINT category and their corresponding UDM fields.
| Log field | UDM mapping | Logic |
|---|---|---|
| finding.chokepoint.relatedFindings | about.resource.attribute.labels.key/value [chokepoint_relatedFindings] | Iterate through the finding.chokepoint.relatedFindings log field, set the about.resource.attribute.labels.key UDM field to chokepoint_relatedFindings_%{index}, and map the finding.chokepoint.relatedFindings log field to the about.resource.attribute.labels.value UDM field. |
| finding.originalProviderId | target.resource.attribute.labels[original_provider_id] | |
| resource.cloudProvider | target.resource.attribute.cloud.environment | If the resource.cloudProvider log field value is one of the following values, the resource.cloudProvider log field is mapped to the target.resource.attribute.cloud.environment UDM field. |
| resource.resourcePath.nodes.nodeType | target.resource_ancestors.resource_subtype | |
| resource.resourcePath.nodes.id | target.resource_ancestors.product_object_id | |
| resource.resourcePath.nodes.displayName | target.resource_ancestors.name | |
| resource.organization | target.resource.attribute.labels[resource_organization] | |
Common fields: SECURITY COMMAND CENTER - VULNERABILITY, MISCONFIGURATION, OBSERVATION, ERROR, UNSPECIFIED, POSTURE_VIOLATION, TOXIC_COMBINATION, CHOKEPOINT
The following table lists the fields common to the SECURITY COMMAND CENTER VULNERABILITY, MISCONFIGURATION, OBSERVATION, ERROR, UNSPECIFIED, POSTURE_VIOLATION, TOXIC_COMBINATION and CHOKEPOINT categories and their corresponding UDM fields. Rows marked (deprecated) show the legacy target in older parser versions; the row directly below each one shows the current target.
| RawLog field | UDM mapping | Logic |
|---|---|---|
| compliances.ids | about.labels [compliance_ids] (deprecated) | |
| compliances.ids | additional.fields [compliance_ids] | |
| compliances.version | about.labels [compliance_version] (deprecated) | |
| compliances.version | additional.fields [compliance_version] | |
| compliances.standard | about.labels [compliances_standard] (deprecated) | |
| compliances.standard | additional.fields [compliances_standard] | |
| connections.destinationIp | about.labels [connections_destination_ip] (deprecated) | If the connections.destinationIp log field value is not equal to sourceProperties.properties.ipConnection.destIp, the connections.destinationIp log field is mapped to the about.labels.value UDM field. |
| connections.destinationIp | additional.fields [connections_destination_ip] | If the connections.destinationIp log field value is not equal to sourceProperties.properties.ipConnection.destIp, the connections.destinationIp log field is mapped to the additional.fields.value UDM field. |
| connections.destinationPort | about.labels [connections_destination_port] (deprecated) | |
| connections.destinationPort | additional.fields [connections_destination_port] | |
| connections.protocol | about.labels [connections_protocol] (deprecated) | |
| connections.protocol | additional.fields [connections_protocol] | |
| connections.sourceIp | about.labels [connections_source_ip] (deprecated) | |
| connections.sourceIp | additional.fields [connections_source_ip] | |
| connections.sourcePort | about.labels [connections_source_port] (deprecated) | |
| connections.sourcePort | additional.fields [connections_source_port] | |
| kubernetes.pods.ns | target.resource_ancestors.attribute.labels.key/value [kubernetes_pods_ns] | |
| kubernetes.pods.name | target.resource_ancestors.name | |
| kubernetes.nodes.name | target.resource_ancestors.name | |
| kubernetes.nodePools.name | target.resource_ancestors.name | |
| | target.resource_ancestors.resource_type | The target.resource_ancestors.resource_type UDM field is set to CLUSTER. |
| | about.resource.attribute.cloud.environment | The about.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
| externalSystems.assignees | about.resource.attribute.labels.key/value [externalSystems_assignees] | |
| externalSystems.status | about.resource.attribute.labels.key/value [externalSystems_status] | |
| kubernetes.nodePools.nodes.name | target.resource.attribute.labels.key/value [kubernetes_nodePools_nodes_name] | |
| kubernetes.pods.containers.uri | target.resource.attribute.labels.key/value [kubernetes_pods_containers_uri] | |
| kubernetes.roles.kind | target.resource.attribute.labels.key/value [kubernetes_roles_kind] | |
| kubernetes.roles.name | target.resource.attribute.labels.key/value [kubernetes_roles_name] | |
| kubernetes.roles.ns | target.resource.attribute.labels.key/value [kubernetes_roles_ns] | |
| kubernetes.pods.containers.labels.name/value | target.resource.attribute.labels.key/value [kubernetes.pods.containers.labels.name/value] | |
| kubernetes.pods.labels.name/value | target.resource.attribute.labels.key/value [kubernetes.pods.labels.name/value] | |
| externalSystems.externalSystemUpdateTime | about.resource.attribute.last_update_time | |
| externalSystems.name | about.resource.name | |
| externalSystems.externalUid | about.resource.product_object_id | |
| indicator.uris | about.url | |
| vulnerability.cve.references.uri | extensions.vulns.vulnerabilities.about.labels [vulnerability.cve.references.uri] (deprecated) | |
| vulnerability.cve.references.uri | additional.fields [vulnerability.cve.references.uri] | |
| vulnerability.cve.cvssv3.attackComplexity | extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_attackComplexity] (deprecated) | |
| vulnerability.cve.cvssv3.attackComplexity | additional.fields [vulnerability_cve_cvssv3_attackComplexity] | |
| vulnerability.cve.cvssv3.availabilityImpact | extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_availabilityImpact] (deprecated) | |
| vulnerability.cve.cvssv3.availabilityImpact | additional.fields [vulnerability_cve_cvssv3_availabilityImpact] | |
| vulnerability.cve.cvssv3.confidentialityImpact | extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_confidentialityImpact] (deprecated) | |
| vulnerability.cve.cvssv3.confidentialityImpact | additional.fields [vulnerability_cve_cvssv3_confidentialityImpact] | |
| vulnerability.cve.cvssv3.integrityImpact | extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_integrityImpact] (deprecated) | |
| vulnerability.cve.cvssv3.integrityImpact | additional.fields [vulnerability_cve_cvssv3_integrityImpact] | |
| vulnerability.cve.cvssv3.privilegesRequired | extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_privilegesRequired] (deprecated) | |
| vulnerability.cve.cvssv3.privilegesRequired | additional.fields [vulnerability_cve_cvssv3_privilegesRequired] | |
| vulnerability.cve.cvssv3.scope | extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_scope] (deprecated) | |
| vulnerability.cve.cvssv3.scope | additional.fields [vulnerability_cve_cvssv3_scope] | |
| vulnerability.cve.cvssv3.userInteraction | extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_userInteraction] (deprecated) | |
| vulnerability.cve.cvssv3.userInteraction | additional.fields [vulnerability_cve_cvssv3_userInteraction] | |
| vulnerability.cve.references.source | extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_references_source] (deprecated) | |
| vulnerability.cve.references.source | additional.fields [vulnerability_cve_references_source] | |
| vulnerability.cve.upstreamFixAvailable | extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_upstreamFixAvailable] (deprecated) | |
| vulnerability.cve.upstreamFixAvailable | additional.fields [vulnerability_cve_upstreamFixAvailable] | |
| vulnerability.cve.id | extensions.vulns.vulnerabilities.cve_id | |
| vulnerability.cve.cvssv3.baseScore | extensions.vulns.vulnerabilities.cvss_base_score | |
| vulnerability.cve.cvssv3.attackVector | extensions.vulns.vulnerabilities.cvss_vector | |
| vulnerability.cve.impact | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerability_cve_impact] | |
| vulnerability.cve.exploitationActivity | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerability_cve_exploitation_activity] | |
| parentDisplayName | metadata.description | |
| eventTime | metadata.event_timestamp | |
| category | metadata.product_event_type | |
| sourceProperties.evidence.sourceLogId.insertId | metadata.product_log_id | If the canonicalName log field value is not empty, finding_id is extracted from the canonicalName log field using a Grok pattern. If the extracted finding_id is empty, or if the canonicalName log field value is empty, the sourceProperties.evidence.sourceLogId.insertId log field is mapped to the metadata.product_log_id UDM field. |
| sourceProperties.contextUris.cloudLoggingQueryUri.url | security_result.detection_fields.key/value[sourceProperties_contextUris_cloudLoggingQueryUri_url] | |
| sourceProperties.sourceId.customerOrganizationNumber | principal.resource.attribute.labels.key/value [sourceProperties_sourceId_customerOrganizationNumber] | If the message log field value matches the regular expression sourceProperties.sourceId.*?customerOrganizationNumber, the sourceProperties.sourceId.customerOrganizationNumber log field is mapped to the principal.resource.attribute.labels.value UDM field. |
| resource.projectName | principal.resource.name | |
| resource.gcpMetadata.project | principal.resource.name | |
| | principal.user.account_type | If the access.principalSubject log field value matches the regular expression serviceAccount, the principal.user.account_type UDM field is set to SERVICE_ACCOUNT_TYPE. Otherwise, if the access.principalSubject log field value matches the regular expression user, the principal.user.account_type UDM field is set to CLOUD_ACCOUNT_TYPE. |
| access.principalSubject | principal.user.attribute.labels.key/value [access_principalSubject] | |
| access.serviceAccountDelegationInfo.principalSubject | principal.user.attribute.labels.key/value [access_serviceAccountDelegationInfo_principalSubject] | |
| access.serviceAccountKeyName | principal.user.attribute.labels.key/value [access_serviceAccountKeyName] | |
| access.principalEmail | principal.user.email_addresses | If the access.principalEmail log field value is not empty and matches the regular expression ^.+@.+$, the access.principalEmail log field is mapped to the principal.user.email_addresses UDM field. |
| access.principalEmail | principal.user.userid | If the access.principalEmail log field value is not empty and does not match the regular expression ^.+@.+$, the access.principalEmail log field is mapped to the principal.user.userid UDM field. |
| database.userName | principal.user.userid | |
| workflowState | security_result.about.investigation.status | |
| sourceProperties.findingId | metadata.product_log_id | |
| kubernetes.accessReviews.group | target.resource.attribute.labels.key/value [kubernetes_accessReviews_group] | |
| kubernetes.accessReviews.name | target.resource.attribute.labels.key/value [kubernetes_accessReviews_name] | |
| kubernetes.accessReviews.ns | target.resource.attribute.labels.key/value [kubernetes_accessReviews_ns] | |
| kubernetes.accessReviews.resource | target.resource.attribute.labels.key/value [kubernetes_accessReviews_resource] | |
| kubernetes.accessReviews.subresource | target.resource.attribute.labels.key/value [kubernetes_accessReviews_subresource] | |
| kubernetes.accessReviews.verb | target.resource.attribute.labels.key/value [kubernetes_accessReviews_verb] | |
| kubernetes.accessReviews.version | target.resource.attribute.labels.key/value [kubernetes_accessReviews_version] | |
| kubernetes.bindings.name | security_result.about.resource.attribute.labels.key/value [kubernetes_bindings_name] | |
| kubernetes.bindings.ns | target.resource.attribute.labels.key/value [kubernetes_bindings_ns] | |
| kubernetes.bindings.role.kind | target.resource.attribute.labels.key/value [kubernetes_bindings_role_kind] | |
| kubernetes.bindings.role.ns | target.resource.attribute.labels.key/value [kubernetes_bindings_role_ns] | |
| kubernetes.bindings.subjects.kind | target.resource.attribute.labels.key/value [kubernetes_bindings_subjects_kind] | |
| kubernetes.bindings.subjects.name | target.resource.attribute.labels.key/value [kubernetes_bindings_subjects_name] | |
| kubernetes.bindings.subjects.ns | target.resource.attribute.labels.key/value [kubernetes_bindings_subjects_ns] | |
| kubernetes.bindings.role.name | target.resource.attribute.roles.name | |
| | security_result.about.user.attribute.roles.name | If the message log field value matches the regular expression contacts.?security, the security_result.about.user.attribute.roles.name UDM field is set to security. If the message log field value matches the regular expression contacts.?technical, the security_result.about.user.attribute.roles.name UDM field is set to Technical. |
| contacts.security.contacts.email | security_result.about.user.email_addresses | |
| contacts.technical.contacts.email | security_result.about.user.email_addresses | |
| | security_result.alert_state | If the state log field value is equal to ACTIVE, the security_result.alert_state UDM field is set to ALERTING. Otherwise, the security_result.alert_state UDM field is set to NOT_ALERTING. |
| findingClass, category | security_result.category_details | The findingClass and category log fields, joined as findingClass - category, are mapped to the security_result.category_details UDM field. |
| description | security_result.description | |
| indicator.signatures.memoryHashSignature.binaryFamily | security_result.detection_fields.key/value [indicator_signatures_memoryHashSignature_binaryFamily] | |
| indicator.signatures.memoryHashSignature.detections.binary | security_result.detection_fields.key/value [indicator_signatures_memoryHashSignature_detections_binary] | |
| indicator.signatures.memoryHashSignature.detections.percentPagesMatched | security_result.detection_fields.key/value [indicator_signatures_memoryHashSignature_detections_percentPagesMatched] | |
| indicator.signatures.yaraRuleSignature.yararule | security_result.detection_fields.key/value [indicator_signatures_yaraRuleSignature_yararule] | |
| mitreAttack.additionalTactics | security_result.detection_fields.key/value [mitreAttack_additionalTactics] | |
| mitreAttack.additionalTechniques | security_result.detection_fields.key/value [mitreAttack_additionalTechniques] | |
| mitreAttack.primaryTactic | security_result.detection_fields.key/value [mitreAttack_primaryTactic] | |
| mitreAttack.primaryTechniques.0 | security_result.detection_fields.key/value [mitreAttack_primaryTechniques] | |
| mitreAttack.version | security_result.detection_fields.key/value [mitreAttack_version] | |
| muteInitiator | security_result.detection_fields.key/value [mute_initiator] | If the mute log field value is equal to MUTED or UNMUTED, the muteInitiator log field is mapped to the security_result.detection_fields.value UDM field. |
| muteUpdateTime | security_result.detection_fields.key/value [mute_update_time] | If the mute log field value is equal to MUTED or UNMUTED, the muteUpdateTime log field is mapped to the security_result.detection_fields.value UDM field. |
| mute | security_result.detection_fields.key/value [mute] | |
| securityMarks.canonicalName | security_result.detection_fields.key/value [securityMarks_cannonicleName] | |
| securityMarks.marks | security_result.detection_fields.key/value [securityMarks_marks] | |
| securityMarks.name | security_result.detection_fields.key/value [securityMarks_name] | |
| sourceProperties.detectionCategory.indicator | security_result.detection_fields.key/value [sourceProperties_detectionCategory_indicator] | |
| sourceProperties.detectionCategory.technique | security_result.detection_fields.key/value [sourceProperties_detectionCategory_technique] | |
| sourceProperties.contextUris.mitreUri.url/displayName | security_result.detection_fields.key/value [sourceProperties.contextUris.mitreUri.url/displayName] | |
| sourceProperties.contextUris.relatedFindingUri.url/displayName | metadata.url_back_to_product | If the category log field value is equal to Active Scan: Log4j Vulnerable to RCE, Exfiltration: BigQuery Data Extraction, Exfiltration: BigQuery Data to Google Drive, Exfiltration: CloudSQL Data Exfiltration, Exfiltration: CloudSQL Over-Privileged Grant, Exfiltration: CloudSQL Restore Backup to External Organization, Initial Access: Log4j Compromise Attempt, Malware: Cryptomining Bad Domain, Malware: Cryptomining Bad IP, or Persistence: IAM Anomalous Grant, the security_result.detection_fields.key UDM field is set to sourceProperties_contextUris_relatedFindingUri_url and the sourceProperties.contextUris.relatedFindingUri.url log field is mapped to the metadata.url_back_to_product UDM field. |
| sourceProperties.contextUris.virustotalIndicatorQueryUri.url/displayName | security_result.detection_fields.key/value [sourceProperties.contextUris.virustotalIndicatorQueryUri.url/displayName] | If the category log field value is equal to Malware: Bad Domain, Malware: Bad IP, Malware: Cryptomining Bad Domain, or Malware: Cryptomining Bad IP, the sourceProperties.contextUris.virustotalIndicatorQueryUri.displayName log field is mapped to the security_result.detection_fields.key UDM field and the sourceProperties.contextUris.virustotalIndicatorQueryUri.url log field is mapped to the security_result.detection_fields.value UDM field. |
| sourceProperties.contextUris.workspacesUri.url/displayName | security_result.detection_fields.key/value [sourceProperties.contextUris.workspacesUri.url/displayName] | If the category log field value is equal to Initial Access: Account Disabled Hijacked, Initial Access: Disabled Password Leak, Initial Access: Government Based Attack, Initial Access: Suspicious Login Blocked, Impair Defenses: Strong Authentication Disabled, Persistence: SSO Enablement Toggle, or Persistence: SSO Settings Changed, the sourceProperties.contextUris.workspacesUri.displayName log field is mapped to the security_result.detection_fields.key UDM field and the sourceProperties.contextUris.workspacesUri.url log field is mapped to the security_result.detection_fields.value UDM field. |
| createTime | security_result.detection_fields.key/value [create_time] | |
| nextSteps | security_result.outcomes.key/value [next_steps] | |
| sourceProperties.detectionPriority | security_result.priority | If the sourceProperties.detectionPriority log field value is equal to HIGH, the security_result.priority UDM field is set to HIGH_PRIORITY. Otherwise, if the sourceProperties.detectionPriority log field value is equal to MEDIUM, the security_result.priority UDM field is set to MEDIUM_PRIORITY. Otherwise, if the sourceProperties.detectionPriority log field value is equal to LOW, the security_result.priority UDM field is set to LOW_PRIORITY. |
| sourceProperties.detectionCategory.subRuleName | security_result.rule_labels.key/value [sourceProperties_detectionCategory_subRuleName] | |
| sourceProperties.detectionCategory.ruleName | security_result.rule_name | |
| severity | security_result.severity | |
| name | security_result.url_back_to_product | |
| database.query | src.process.command_line | If the category log field value is equal to Exfiltration: CloudSQL Over-Privileged Grant, the database.query log field is mapped to the src.process.command_line UDM field. Otherwise, the database.query log field is mapped to the target.process.command_line UDM field. |
| resource.folders.resourceFolderDisplayName | src.resource_ancestors.attribute.labels.key/value [resource_folders_resourceFolderDisplayName] | If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, the resource.folders.resourceFolderDisplayName log field is mapped to the src.resource_ancestors.attribute.labels.value UDM field. Otherwise, the resource.folders.resourceFolderDisplayName log field is mapped to the target.resource.attribute.labels.value UDM field. |
| resource.gcpMetadata.folders.resourceFolderDisplay | src.resource_ancestors.attribute.labels.key/value [resource_folders_resourceFolderDisplayName] | If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, the resource.gcpMetadata.folders.resourceFolderDisplay log field is mapped to the src.resource_ancestors.attribute.labels.value UDM field. Otherwise, the resource.gcpMetadata.folders.resourceFolderDisplay log field is mapped to the target.resource.attribute.labels.value UDM field. |
| resource.gcpMetadata.folders.resourceFolder | src.resource_ancestors.name | If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, the resource.gcpMetadata.folders.resourceFolder log field is mapped to the src.resource_ancestors.name UDM field. Otherwise, the resource.gcpMetadata.folders.resourceFolder log field is mapped to the target.resource_ancestors.name UDM field. |
| resource.organization | src.resource_ancestors.name | If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, the resource.organization log field is mapped to the src.resource_ancestors.name UDM field. Otherwise, the resource.organization log field is mapped to the target.resource_ancestors.name UDM field. |
| resource.gcpMetadata.organization | src.resource_ancestors.name | If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, the resource.gcpMetadata.organization log field is mapped to the src.resource_ancestors.name UDM field. Otherwise, the resource.gcpMetadata.organization log field is mapped to the target.resource_ancestors.name UDM field. |
| resource.parentDisplayName | src.resource_ancestors.attribute.labels.key/value [resource_parentDisplayName] | If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, the resource.parentDisplayName log field is mapped to the src.resource_ancestors.attribute.labels.key/value UDM field. Otherwise, the resource.parentDisplayName log field is mapped to the target.resource.attribute.labels.value UDM field. |
| resource.gcpMetadata.parentDisplayName | src.resource_ancestors.attribute.labels.key/value [resource_parentDisplayName] | If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, the resource.gcpMetadata.parentDisplayName log field is mapped to the src.resource_ancestors.attribute.labels.key/value UDM field. Otherwise, the resource.gcpMetadata.parentDisplayName log field is mapped to the target.resource.attribute.labels.value UDM field. |
| resource.parentName | src.resource_ancestors.attribute.labels.key/value [resource_parentName] | If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, the resource.parentName log field is mapped to the src.resource_ancestors.attribute.labels.key/value UDM field. Otherwise, the resource.parentName log field is mapped to the target.resource.attribute.labels.value UDM field. |
| resource.gcpMetadata.parent | src.resource_ancestors.attribute.labels.key/value [resource_parentName] | If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, the resource.gcpMetadata.parent log field is mapped to the src.resource_ancestors.attribute.labels.key/value UDM field. Otherwise, the resource.gcpMetadata.parent log field is mapped to the target.resource.attribute.labels.value UDM field. |
| resource.projectDisplayName | src.resource_ancestors.attribute.labels.key/value [resource_projectDisplayName] | If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, the resource.projectDisplayName log field is mapped to the src.resource_ancestors.attribute.labels.key/value UDM field. Otherwise, the resource.projectDisplayName log field is mapped to the target.resource.attribute.labels.value UDM field. |
| resource.gcpMetadata.projectDisplayName | src.resource_ancestors.attribute.labels.key/value [resource_projectDisplayName] | If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, the resource.gcpMetadata.projectDisplayName log field is mapped to the src.resource_ancestors.attribute.labels.key/value UDM field. Otherwise, the resource.gcpMetadata.projectDisplayName log field is mapped to the target.resource.attribute.labels.value UDM field. |
| resource.type | src.resource_ancestors.resource_subtype | If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, the resource.type log field is mapped to the src.resource_ancestors.resource_subtype UDM field. |
| database.displayName | src.resource.attribute.labels.key/value [database_displayName] | If the category log field value is equal to Exfiltration: CloudSQL Over-Privileged Grant, the database.displayName log field is mapped to the src.resource.attribute.labels.value UDM field. |
| database.grantees | src.resource.attribute.labels.key/value [database_grantees] | If the category log field value is equal to Exfiltration: CloudSQL Over-Privileged Grant, the src.resource.attribute.labels.key UDM field is set to grantees and the database.grantees log field is mapped to the src.resource.attribute.labels.value UDM field. |
| resource.displayName | src.resource.attribute.labels.key/value [resource_displayName] | If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration or Exfiltration: BigQuery Data to Google Drive, the resource.displayName log field is mapped to the src.resource.attribute.labels.value UDM field. Otherwise, the resource.displayName log field is mapped to the target.resource.attribute.labels.value UDM field. |
| resource.display_name | src.resource.attribute.labels.key/value [resource_display_name] | If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration or Exfiltration: BigQuery Data to Google Drive, the resource.display_name log field is mapped to the src.resource.attribute.labels.value UDM field. Otherwise, the resource.display_name log field is mapped to the target.resource.attribute.labels.value UDM field. |
| database.displayName | src.resource.attribute.labels.key/value [database_displayName] | |
| database.grantees | src.resource.attribute.labels.key/value [database_grantees] | |
| resource.displayName | target.resource.attribute.labels.key/value [resource_displayName] | If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration or Exfiltration: BigQuery Data to Google Drive, the resource.displayName log field is mapped to the src.resource.attribute.labels.value UDM field. Otherwise, the resource.displayName log field is mapped to the target.resource.attribute.labels.value UDM field. |
| resource.display_name | target.resource.attribute.labels.key/value [resource_display_name] | If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration or Exfiltration: BigQuery Data to Google Drive, the resource.display_name log field is mapped to the src.resource.attribute.labels.value UDM field. Otherwise, the resource.display_name log field is mapped to the target.resource.attribute.labels.value UDM field. |
| exfiltration.sources.components | src.resource.attribute.labels.key/value[exfiltration_sources_components] | If the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration or Exfiltration: BigQuery Data Extraction, the exfiltration.sources.components log field is mapped to the src.resource.attribute.labels.value UDM field. |
| resourceName | src.resource.name | If the category log field value is equal to Exfiltration: BigQuery Data Extraction, Exfiltration: BigQuery Data to Google Drive, or Exfiltration: BigQuery Data Exfiltration, the resourceName log field is mapped to the src.resource.name UDM field. |
| database.name | src.resource.name | |
| exfiltration.sources.name | src.resource.name | |
| access.serviceName | target.application | If the category log field value is equal to Defense Evasion: Modify VPC Service Control, Exfiltration: BigQuery Data Extraction, Exfiltration: BigQuery Data to Google Drive, Exfiltration: CloudSQL Data Exfiltration, Exfiltration: CloudSQL Restore Backup to External Organization, Exfiltration: CloudSQL Over-Privileged Grant, Persistence: New Geography, or Persistence: IAM Anomalous Grant, the access.serviceName log field is mapped to the target.application UDM field. |
| access.methodName | target.labels [access_methodName] (deprecated) | |
| access.methodName | additional.fields [access_methodName] | |
| processes.argumentsTruncated | target.labels [processes_argumentsTruncated] (deprecated) | |
| processes.argumentsTruncated | additional.fields [processes_argumentsTruncated] | |
| processes.binary.contents | target.labels [processes_binary_contents] (deprecated) | |
| processes.binary.contents | additional.fields [processes_binary_contents] | |
| processes.binary.hashedSize | target.labels [processes_binary_hashedSize] (deprecated) | |
| processes.binary.hashedSize | additional.fields [processes_binary_hashedSize] | |
| processes.binary.partiallyHashed | target.labels [processes_binary_partiallyHashed] (deprecated) | |
| processes.binary.partiallyHashed | additional.fields [processes_binary_partiallyHashed] | |
| processes.envVariables.name | target.labels [processes_envVariables_name] (deprecated) | |
| processes.envVariables.name | additional.fields [processes_envVariables_name] | |
| processes.envVariables.val | target.labels [processes_envVariables_val] (deprecated) | |
| processes.envVariables.val | additional.fields [processes_envVariables_val] | |
| processes.envVariablesTruncated | target.labels [processes_envVariablesTruncated] (deprecated) | |
| processes.envVariablesTruncated | additional.fields [processes_envVariablesTruncated] | |
| processes.libraries.contents | target.labels [processes_libraries_contents] (deprecated) | |
| processes.libraries.contents | additional.fields [processes_libraries_contents] | |
| processes.libraries.hashedSize | target.labels [processes_libraries_hashedSize] (deprecated) | |
| processes.libraries.hashedSize | additional.fields [processes_libraries_hashedSize] | |
| processes.libraries.partiallyHashed | target.labels [processes_libraries_partiallyHashed] (deprecated) | |
| processes.libraries.partiallyHashed | additional.fields [processes_libraries_partiallyHashed] | |
| processes.script.contents | target.labels [processes_script_contents] (deprecated) | |
| processes.script.contents | additional.fields [processes_script_contents] | |
| processes.script.hashedSize | target.labels [processes_script_hashedSize](已弃用) | ||
| processes.script.hashedSize | additional.fields [processes_script_hashedSize] | ||
| processes.script.partiallyHashed | target.labels [processes_script_partiallyHashed](已弃用) | ||
| processes.script.partiallyHashed | additional.fields [processes_script_partiallyHashed] | ||
| processes.parentPid | target.parent_process.pid | ||
| processes.args | target.process.command_line_history [processes.args] | ||
| processes.name | target.process.file.full_path | ||
| processes.binary.path | target.process.file.full_path | ||
| processes.libraries.path | target.process.file.full_path | ||
| processes.script.path | target.process.file.full_path | ||
| processes.binary.sha256 | target.process.file.sha256 | ||
| processes.libraries.sha256 | target.process.file.sha256 | ||
| processes.script.sha256 | target.process.file.sha256 | ||
| processes.binary.size | target.process.file.size | ||
| processes.libraries.size | target.process.file.size | ||
| processes.script.size | target.process.file.size | ||
| processes.pid | target.process.pid | ||
| containers.uri | target.resource_ancestors.attribute.labels.key/value [containers_uri] | ||
| containers.labels.name/value | target.resource_ancestors.attribute.labels.key/value [containers.labels.name/value] | ||
| resourceName | target.resource_ancestors.name | 如果 category日志字段值等于Malware: Bad Domain或Malware: Bad IP或Malware: Cryptomining Bad IP,则resourceName日志字段会映射到target.resource_ancestors.nameUDM 字段。否则,如果 category日志字段值等于Brute Force: SSH,则resourceName日志字段会映射到target.resource_ancestors.nameUDM 字段。否则,如果 category日志字段值等于Persistence: GCE Admin Added SSH Key或Persistence: GCE Admin Added Startup Script,则sourceProperties.properties.projectId日志字段会映射到target.resource_ancestors.nameUDM 字段。 | |
| parent | target.resource_ancestors.name | ||
| sourceProperties.affectedResources.gcpResourceName | target.resource_ancestors.name | ||
| containers.name | target.resource_ancestors.name | ||
| kubernetes.pods.containers.name | target.resource_ancestors.name | ||
| sourceProperties.sourceId.projectNumber | target.resource_ancestors.product_object_id | ||
| sourceProperties.sourceId.customerOrganizationNumber | target.resource_ancestors.product_object_id | ||
| sourceProperties.sourceId.organizationNumber | target.resource_ancestors.product_object_id | ||
| containers.imageId | target.resource_ancestors.product_object_id | ||
| sourceProperties.properties.zone | target.resource.attribute.cloud.availability_zone | 如果 category日志字段值等于Brute Force: SSH,则sourceProperties.properties.zone日志字段会映射到target.resource.attribute.cloud.availability_zoneUDM 字段。 | |
| canonicalName | metadata.product_log_id | finding_id是使用 Grok 模式从canonicalName日志字段中提取的。如果 finding_id日志字段值不为空,则finding_id日志字段会映射到metadata.product_log_idUDM 字段。 | |
| canonicalName | src.resource.attribute.labels.key/value [finding_id] | 如果 finding_id日志字段值不为空,则finding_id日志字段会映射到src.resource.attribute.labels.key/value [finding_id]UDM 字段。如果 category日志字段值等于以下某个值,则使用 Grok 模式从canonicalName日志字段中提取finding_id:
 | |
| canonicalName | src.resource.product_object_id | 如果 source_id日志字段值不为空,则source_id日志字段会映射到src.resource.product_object_idUDM 字段。如果 category日志字段值等于以下某个值,则使用 Grok 模式从canonicalName日志字段中提取source_id:
 | |
| canonicalName | src.resource.attribute.labels.key/value [source_id] | 如果 source_id日志字段值不为空,则source_id日志字段会映射到src.resource.attribute.labels.key/value [source_id]UDM 字段。如果 category日志字段值等于以下某个值,则使用 Grok 模式从canonicalName日志字段中提取source_id:
 | |
| canonicalName | target.resource.attribute.labels.key/value [finding_id] | 如果 finding_id日志字段值不为空,则finding_id日志字段会映射到target.resource.attribute.labels.key/value [finding_id]UDM 字段。如果 category日志字段值不等于以下任何值,则使用 Grok 模式从canonicalName日志字段中提取finding_id:
 | |
| canonicalName | target.resource.product_object_id | 如果 source_id日志字段值不为空,则source_id日志字段会映射到target.resource.product_object_idUDM 字段。如果 category日志字段值不等于以下任何值,则使用 Grok 模式从canonicalName日志字段中提取source_id:
 | |
| canonicalName | target.resource.attribute.labels.key/value [source_id] | 如果 source_id日志字段值不为空,则source_id日志字段会映射到target.resource.attribute.labels.key/value [source_id]UDM 字段。如果 category日志字段值不等于以下任何值,则使用 Grok 模式从canonicalName日志字段中提取source_id:
 | |
| exfiltration.targets.components | target.resource.attribute.labels.key/value[exfiltration_targets_components] | 如果 category日志字段值等于Exfiltration: CloudSQL Data Exfiltration或Exfiltration: BigQuery Data Extraction,则exfiltration.targets.components日志字段会映射到target.resource.attribute.labels.key/valueUDM 字段。 | |
| resourceName | target.resource.name | 如果 category日志字段值等于Brute Force: SSH,则resourceName日志字段会映射到target.resource_ancestors.nameUDM 字段。否则,如果 category日志字段值等于Malware: Bad Domain或Malware: Bad IP或Malware: Cryptomining Bad IP,则resourceName日志字段会映射到target.resource_ancestors.nameUDM 字段,并且target.resource.resource_typeUDM 字段会设为VIRTUAL_MACHINE。否则,如果 category日志字段值等于Exfiltration: BigQuery Data Extraction或Exfiltration: BigQuery Data to Google Drive,则exfiltration.target.name日志字段会映射到target.resource.nameUDM 字段。否则,如果 category日志字段值等于Exfiltration: BigQuery Data Exfiltration,则exfiltration.target.name日志字段会映射到target.resource.nameUDM 字段。否则, resourceName日志字段会映射到target.resource.nameUDM 字段。 | |
| kubernetes.pods.containers.imageId | target.resource_ancestors.product_object_id | ||
| resource.project | target.resource.attribute.labels.key/value [resource_project] | ||
| resource.parent | target.resource.attribute.labels.key/value [resource_parent] | ||
| sourceProperties.Header_Signature.significantValues.value | principal.location.country_or_region | If the sourceProperties.Header_Signature.name log field value is equal to RegionCode, then the sourceProperties.Header_Signature.significantValues.value log field is mapped to the principal.location.country_or_region UDM field. | |
| sourceProperties.Header_Signature.significantValues.value | principal.ip | If the sourceProperties.Header_Signature.name log field value is equal to RemoteHost, then the sourceProperties.Header_Signature.significantValues.value log field is mapped to the principal.ip UDM field. | |
| sourceProperties.Header_Signature.significantValues.value | network.http.user_agent | If the sourceProperties.Header_Signature.name log field value is equal to UserAgent, then the sourceProperties.Header_Signature.significantValues.value log field is mapped to the network.http.user_agent UDM field. | |
| sourceProperties.Header_Signature.significantValues.value | principal.url | If the sourceProperties.Header_Signature.name log field value is equal to RequestUriPath, then the sourceProperties.Header_Signature.significantValues.value log field is mapped to the principal.url UDM field. | |
| sourceProperties.Header_Signature.significantValues.proportionInAttack | security_result.detection_fields [proportionInAttack] | ||
| sourceProperties.Header_Signature.significantValues.attackLikelihood | security_result.detection_fields [attackLikelihood] | ||
| sourceProperties.Header_Signature.significantValues.matchType | security_result.detection_fields [matchType] | ||
| sourceProperties.Header_Signature.significantValues.proportionInBaseline | security_result.detection_fields [proportionInBaseline] | ||
| sourceProperties.compromised_account | principal.user.userid | If the category log field value is equal to account_has_leaked_credentials, then the sourceProperties.compromised_account log field is mapped to the principal.user.userid UDM field, and the principal.user.account_type UDM field is set to SERVICE_ACCOUNT_TYPE. | |
| sourceProperties.project_identifier | principal.resource.product_object_id | If the category log field value is equal to account_has_leaked_credentials, then the sourceProperties.project_identifier log field is mapped to the principal.resource.product_object_id UDM field. | |
| sourceProperties.private_key_identifier | principal.user.attribute.labels.key/value [private_key_identifier] | If the category log field value is equal to account_has_leaked_credentials, then the sourceProperties.private_key_identifier log field is mapped to the principal.user.attribute.labels.value UDM field. | |
| sourceProperties.action_taken | principal.labels [action_taken] (deprecated) | If the category log field value is equal to account_has_leaked_credentials, then the sourceProperties.action_taken log field is mapped to the principal.labels.value UDM field. | |
| sourceProperties.action_taken | additional.fields [action_taken] | If the category log field value is equal to account_has_leaked_credentials, then the sourceProperties.action_taken log field is mapped to the additional.fields.value UDM field. | |
| sourceProperties.finding_type | principal.labels [finding_type] (deprecated) | If the category log field value is equal to account_has_leaked_credentials, then the sourceProperties.finding_type log field is mapped to the principal.labels.value UDM field. | |
| sourceProperties.finding_type | additional.fields [finding_type] | If the category log field value is equal to account_has_leaked_credentials, then the sourceProperties.finding_type log field is mapped to the additional.fields.value UDM field. | |
| sourceProperties.url | principal.user.attribute.labels.key/value [key_file_path] | If the category log field value is equal to account_has_leaked_credentials, then the sourceProperties.url log field is mapped to the principal.user.attribute.labels.value UDM field. | |
| sourceProperties.security_result.summary | security_result.summary | If the category log field value is equal to account_has_leaked_credentials, then the sourceProperties.security_result.summary log field is mapped to the security_result.summary UDM field. | |
| kubernetes.objects.kind | target.resource.attribute.labels [kubernetes_objects_kind] | ||
| kubernetes.objects.ns | target.resource.attribute.labels [kubernetes_objects_ns] | ||
| kubernetes.objects.name | target.resource.attribute.labels [kubernetes_objects_name] | ||
| vulnerability.offendingPackage.packageName | extensions.vulns.vulnerabilities.about.security_result.detection_fields [vulnerability_offendingPackage_packageName] | ||
| vulnerability.offendingPackage.cpeUri | extensions.vulns.vulnerabilities.about.security_result.detection_fields [vulnerability_offendingPackage_cpeUri] | ||
| vulnerability.offendingPackage.packageType | extensions.vulns.vulnerabilities.about.security_result.detection_fields [vulnerability_offendingPackage_packageType] | ||
| vulnerability.offendingPackage.packageVersion | extensions.vulns.vulnerabilities.about.security_result.detection_fields [vulnerability_offendingPackage_packageVersion] | ||
| vulnerability.fixedPackage.packageName | extensions.vulns.vulnerabilities.about.security_result.detection_fields [vulnerability_fixedPackage_packageName] | ||
| vulnerability.fixedPackage.cpeUri | extensions.vulns.vulnerabilities.about.security_result.detection_fields [vulnerability_fixedPackage_cpeUri] | ||
| vulnerability.fixedPackage.packageType | extensions.vulns.vulnerabilities.about.security_result.detection_fields [vulnerability_fixedPackage_packageType] | ||
| vulnerability.fixedPackage.packageVersion | extensions.vulns.vulnerabilities.about.security_result.detection_fields [vulnerability_fixedPackage_packageVersion] | ||
| vulnerability.securityBulletin.bulletinId | extensions.vulns.vulnerabilities.about.security_result.detection_fields [vulnerability_securityBulletin_bulletinId] | ||
| vulnerability.securityBulletin.submissionTime | security_result.detection_fields [vulnerability_securityBulletin_submissionTime] | ||
| vulnerability.securityBulletin.suggestedUpgradeVersion | security_result.detection_fields [vulnerability_securityBulletin_suggestedUpgradeVersion] | ||
| resource.location | target.location.name | ||
| resource.service | additional.fields [resource_service] | ||
| kubernetes.objects.kind | target.resource_ancestors.attribute.labels [kubernetes_object_kind] | ||
| kubernetes.objects.name | target.resource_ancestors.name | ||
| kubernetes.objects.ns | kubernetes_res_ancestor.attribute.labels [kubernetes_objects_ns] | ||
| kubernetes.objects.group | kubernetes_res_ancestor.attribute.labels [kubernetes_objects_group] | ||
| finding.groupMemberships.groupType | security_result.about.group.attribute.labels.key/value [groupType] | Iterate over the finding.groupMemberships.groupType log field, then set the security_result.about.group.attribute.labels.key UDM field to groupType_%{index} and map the finding.groupMemberships.groupType log field to the security_result.about.group.attribute.labels.value UDM field. | |
| finding.groupMemberships.groupId | security_result.about.group.attribute.labels.key/value [groupId] | Iterate over the finding.groupMemberships.groupId log field, then set the security_result.about.group.attribute.labels.key UDM field to groupId_%{index} and map the finding.groupMemberships.groupId log field to the security_result.about.group.attribute.labels.value UDM field. | |
| finding.attackExposure.score | security_result.detection_fields.key/value [var_attackExposure_score] | ||
| finding.attackExposure.latestCalculationTime | security_result.detection_fields.key/value [var_attackExposure_latestCalculationTime] | ||
| finding.attackExposure.attackExposureResult | security_result.detection_fields.key/value [var_attackExposure_attackExposureResult] | ||
| finding.attackExposure.state | security_result.detection_fields.key/value [var_attackExposure_state] | ||
| finding.attackExposure.exposedHighValueResourcesCount | security_result.detection_fields.key/value [var_attackExposure_exposedHighValueResourcesCount] | ||
| finding.attackExposure.exposedMediumValueResourcesCount | security_result.detection_fields.key/value [var_attackExposure_exposedMediumValueResourcesCount] | ||
| finding.attackExposure.exposedLowValueResourcesCount | security_result.detection_fields.key/value [var_attackExposure_exposedLowValueResourcesCount] | ||
| finding.muteInfo.staticMute.state | security_result.detection_fields.key/value [var_static_mute_state] | ||
| finding.muteInfo.staticMute.applyTime | security_result.detection_fields.key/value [static_mute_apply_time] | ||
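The category-dependent routing of resourceName and the finding_id/source_id extraction from canonicalName in the table above, as an added example that is not the parser's own code: it takes a finding flattened into dotted log-field keys (a constructed input shape), stands in a regex for the page's unspecified Grok pattern, and, because the page does not list the categories that select the src.* labels over target.*, reuses the BigQuery exfiltration category set for that choice as an assumption.

```python
import re

# Stand-in for the page's unspecified Grok pattern (assumption). SCC canonical
# names have the form
# {organizations|folders|projects}/{id}/sources/{source_id}/findings/{finding_id}
CANONICAL_NAME_RE = re.compile(
    r"^(?:organizations|folders|projects)/[^/]+/sources/(?P<source_id>[^/]+)"
    r"/findings/(?P<finding_id>[^/]+)$"
)

# Categories whose resourceName goes to src.resource.name in the table.
SRC_RESOURCE_CATEGORIES = {
    "Exfiltration: BigQuery Data Extraction",
    "Exfiltration: BigQuery Data to Google Drive",
    "Exfiltration: BigQuery Data Exfiltration",
}
# Categories whose resourceName goes to target.resource_ancestors.name; the
# malware ones also set target.resource.resource_type to VIRTUAL_MACHINE.
VM_CATEGORIES = {"Malware: Bad Domain", "Malware: Bad IP", "Malware: Cryptomining Bad IP"}
ANCESTOR_CATEGORIES = VM_CATEGORIES | {"Brute Force: SSH"}


def map_finding(log: dict) -> dict:
    """Map a finding (dict keyed by dotted log-field name) to UDM field -> value."""
    udm = {}
    category = log.get("category", "")
    resource_name = log.get("resourceName")

    # resourceName routing, following the category conditions in the table.
    if resource_name:
        if category in SRC_RESOURCE_CATEGORIES:
            udm["src.resource.name"] = resource_name
        elif category in ANCESTOR_CATEGORIES:
            udm["target.resource_ancestors.name"] = resource_name
            if category in VM_CATEGORIES:
                udm["target.resource.resource_type"] = "VIRTUAL_MACHINE"
        else:
            udm["target.resource.name"] = resource_name
    # For the BigQuery exfiltration categories the exfiltration target, not the
    # finding's own resource, becomes target.resource.name.
    if category in SRC_RESOURCE_CATEGORIES and log.get("exfiltration.target.name"):
        udm["target.resource.name"] = log["exfiltration.target.name"]

    # canonicalName -> finding_id / source_id. The page does not list the
    # categories that select the src.* labels over target.*, so this reuses
    # SRC_RESOURCE_CATEGORIES for that choice (assumption).
    m = CANONICAL_NAME_RE.match(log.get("canonicalName", ""))
    if m:
        side = "src" if category in SRC_RESOURCE_CATEGORIES else "target"
        udm["metadata.product_log_id"] = m["finding_id"]
        udm[f"{side}.resource.product_object_id"] = m["source_id"]
        udm[f"{side}.resource.attribute.labels[finding_id]"] = m["finding_id"]
        udm[f"{side}.resource.attribute.labels[source_id]"] = m["source_id"]
    return udm
```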
What's next
Need more help? Get answers from Community members and Google SecOps professionals.