Collect Google Cloud DNS logs
This document describes how you can collect Cloud DNS logs by enabling Google Cloud telemetry ingestion to Google Security Operations and how log fields of Cloud DNS logs map to Google Security Operations Unified Data Model (UDM) fields. This document also lists the supported Cloud DNS version.
For more information, see Data ingestion to Google Security Operations.
A typical deployment consists of Cloud DNS logs enabled for ingestion to Google Security Operations. Each customer deployment might differ from this representation and might be more complex.
The deployment contains the following components:
- Google Cloud: The Google Cloud services and products from which you collect logs. 
- Cloud DNS logs: The Cloud DNS logs that are enabled for ingestion to Google Security Operations. 
- Google Security Operations: Google Security Operations retains and analyzes the logs from Cloud DNS. 
An ingestion label identifies the parser which normalizes raw log data
to structured UDM format. The information in this document applies to the parser
with the GCP_DNS ingestion label.
Before you begin
- Ensure that you have set up Google Cloud. 
- Ensure that the Cloud DNS service is properly deployed and configured. For detailed setup instructions, refer to the Cloud DNS documentation. 
- Ensure that you are using Cloud DNS version 1. 
- Ensure that all systems in the deployment architecture are configured in the UTC time zone. 
Configure Google Cloud to ingest Cloud DNS logs
To ingest Cloud DNS logs to Google Security Operations, follow the steps on the Ingest Google Cloud logs to Google Security Operations page.
If you encounter issues when you ingest Cloud DNS logs, contact Google Security Operations support.
Supported Cloud DNS log formats
The Google Cloud DNS parser supports logs in JSON format.
Supported Cloud DNS Sample Logs
- JSON - { "insertId": "of4onjd9km0", "jsonPayload": { "authAnswer": true, "serverLatency": 0.0, "queryName": "dNs.DataSOfT.cLoUDnS.pH.", "vmProjectId": "abc12-123456", "vmZoneName": "us-central1-c", "vmInstanceName": "329088982544.vm-707dd8df-9e19-4537-410d-e2b5597f49b8", "authAnswer": true, "responseCode": "BADCOOKIE", "destinationIP": "198.51.100.5", "protocol": "UDP", "structuredRdata": [ { "class": "IN", "ttl": "300", "domainName": "dummy.domain.name.com.", "rvalue": "198.51.100.4", "type": "A" } ], "queryType": "AAAA" }, "resource": { "type": "dns_query", "labels": { "target_type": "public-zone", "location": "global", "source_type": "internet", "project_id": "chronical-34531", "target_name": "clouddns-zone" } }, "timestamp": "2023-08-01T10:24:59.349280070Z", "severity": "INFO", "logName": "projects/chronical-34531/logs/dns.googleapis.com%2Fdns_queries", "receiveTimestamp": "2023-08-01T10:25:00.651062191Z" }
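The following Python example is added here for illustration and is not the Google Security Operations parser: it applies a subset of the mappings from this page's field mapping reference to the sample log above, so you can see the UDM-shaped result a detection rule would query. The function names are hypothetical, stripping the trailing root dot is an assumption standing in for the Grok extraction, and `metadata.event_type` is left out.

```python
import json

# Name-to-number tables: a subset of the values in the field mapping reference.
DNS_CLASS = {"IN": 1, "CH": 3, "HS": 4}
DNS_TYPE = {
    "A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15, "TXT": 16,
    "AAAA": 28, "SRV": 33, "DS": 43, "RRSIG": 46, "DNSKEY": 48,
    "SVCB": 64, "HTTPS": 65, "CAA": 257,
}

# The sample log from this page, trimmed to the fields mapped below.
SAMPLE_LOG = """
{"insertId": "of4onjd9km0",
 "jsonPayload": {"serverLatency": 0.0, "queryName": "dNs.DataSOfT.cLoUDnS.pH.",
                 "responseCode": "BADCOOKIE", "queryType": "AAAA",
                 "structuredRdata": [{"class": "IN", "ttl": "300",
                                      "domainName": "dummy.domain.name.com.",
                                      "rvalue": "198.51.100.4", "type": "A"}]},
 "resource": {"type": "dns_query"},
 "timestamp": "2023-08-01T10:24:59.349280070Z",
 "receiveTimestamp": "2023-08-01T10:25:00.651062191Z"}
"""


def strip_root_dot(name):
    # Assumption: stands in for the parser's Grok extraction, whose pattern
    # is not shown on the page, by dropping the trailing root dot.
    return name[:-1] if name.endswith(".") else name


def set_if_known(target, key, table, name):
    # The documented if/else chains have no final else, so a name outside
    # the table leaves the UDM field unset instead of guessing a number.
    if name in table:
        target[key] = table[name]


def map_answer(record):
    """Map one jsonPayload.structuredRdata entry to network.dns.answers."""
    answer = {}
    set_if_known(answer, "class", DNS_CLASS, record.get("class"))
    set_if_known(answer, "type", DNS_TYPE, record.get("type"))
    if "rvalue" in record:
        answer["data"] = record["rvalue"]
    if "domainName" in record:
        answer["name"] = strip_root_dot(record["domainName"])
    if "ttl" in record:
        answer["ttl"] = int(record["ttl"])  # the log carries the TTL as a string
    return answer


def to_udm(entry):
    """Build a UDM-shaped dict from one decoded Cloud DNS log entry."""
    payload = entry.get("jsonPayload", {})

    question = {}
    if payload.get("queryName"):
        question["name"] = strip_root_dot(payload["queryName"])
    set_if_known(question, "type", DNS_TYPE, payload.get("queryType"))

    extra = {}
    for log_key, udm_key in (("responseCode", "response_code"),
                             ("serverLatency", "server_latency")):
        if log_key in payload:  # membership test keeps a latency of 0.0
            extra[udm_key] = payload[log_key]

    udm = {
        "metadata": {
            "product_log_id": entry.get("insertId"),
            "event_timestamp": entry.get("timestamp"),
            "collected_timestamp": entry.get("receiveTimestamp"),
            "description": entry.get("resource", {}).get("type"),
            "product_name": "Google Cloud DNS",
            "vendor_name": "Google Cloud Platform",
        },
        "network": {
            "application_protocol": "DNS",
            "dns": {
                "questions": [question] if question else [],
                "answers": [map_answer(r)
                            for r in payload.get("structuredRdata", [])],
            },
        },
        "additional": {"fields": extra},
    }
    if "egressIP" in payload:
        udm["intermediary"] = {"ip": [payload["egressIP"]]}
    return udm


def parse_line(raw):
    """Decode one JSON log line and normalize it."""
    return to_udm(json.loads(raw))


if __name__ == "__main__":
    print(json.dumps(parse_line(SAMPLE_LOG), indent=2))
```
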
Field mapping reference
This section explains how the Google Security Operations parser maps Google Cloud DNS fields to Google Security Operations Unified Data Model (UDM) fields.
| Log field | UDM mapping | Logic | 
|---|---|---|
| alias_query_response_code | about.labels[alias_query_response_code] (deprecated) | |
| alias_query_response_code | additional.fields[alias_query_response_code] | |
| egressError | about.labels[egress_error] (deprecated) | |
| egressError | additional.fields[egress_error] | |
| healthyIps | about.ip | |
| jsonPayload.serverLatency | about.labels[server_latency] (deprecated) | |
| jsonPayload.serverLatency | additional.fields[server_latency] | |
| unHealthyIps | about.labels[un_healthy_ips] (deprecated) | |
| unHealthyIps | additional.fields[un_healthy_ips] | |
| jsonPayload.responseCode | additional.fields[response_code] | |
| jsonPayload.egressIP | intermediary.ip | |
| receiveTimestamp | metadata.collected_timestamp | |
| timestamp | metadata.event_timestamp | |
| | metadata.event_type | If the jsonPayload.sourceIP log field value is not empty and the jsonPayload.queryName log field value is not empty or does not contain an end period (.), then the metadata.event_type UDM field is set to NETWORK_DNS. Else, if the jsonPayload.sourceIP log field value is not empty and the jsonPayload.queryName log field value is not empty or does not contain an end period (.), then the metadata.event_type UDM field is set to STATUS_UPDATE. Else, the metadata.event_type UDM field is set to GENERIC_EVENT. |
| insertId | metadata.product_log_id | |
| | metadata.product_name | The metadata.product_name UDM field is set to Google Cloud DNS. |
| | metadata.vendor_name | The metadata.vendor_name UDM field is set to Google Cloud Platform. |
| resource.type | metadata.description | |
| | network.application_protocol | The network.application_protocol UDM field is set to DNS. |
| jsonPayload.structuredRdata.class | network.dns.answers.class | If the jsonPayload.structuredRdata.class log field value is equal to IN, then the network.dns.answers.class UDM field is set to 1. Else, if the jsonPayload.structuredRdata.class log field value is equal to CH, then the network.dns.answers.class UDM field is set to 3. Else, if the jsonPayload.structuredRdata.class log field value is equal to HS, then the network.dns.answers.class UDM field is set to 4. |
| jsonPayload.rdata.class | network.dns.answers.class | If the jsonPayload.rdata.class log field value is equal to IN, then the network.dns.answers.class UDM field is set to 1. Else, if the jsonPayload.rdata.class log field value is equal to CH, then the network.dns.answers.class UDM field is set to 3. Else, if the jsonPayload.rdata.class log field value is equal to HS, then the network.dns.answers.class UDM field is set to 4. |
| jsonPayload.structuredRdata.rvalue | network.dns.answers.data | |
| jsonPayload.rdata.data | network.dns.answers.data | |
| jsonPayload.structuredRdata.domainName | network.dns.answers.name | Extracted domainName from the jsonPayload.structuredRdata.domainName log field using the Grok pattern and mapped to the network.dns.answers.name UDM field. |
| jsonPayload.rdata.name | network.dns.answers.name | Extracted domainName from the jsonPayload.rdata.name log field using the Grok pattern and mapped to the network.dns.answers.name UDM field. |
| jsonPayload.structuredRdata.ttl | network.dns.answers.ttl | |
| jsonPayload.rdata.ttl | network.dns.answers.ttl | |
| jsonPayload.structuredRdata.type | network.dns.answers.type | If the jsonPayload.structuredRdata.type log field value is equal to one of the following names, then the network.dns.answers.type UDM field is set to the number paired with it: A → 1, NS → 2, MD → 3, MF → 4, CNAME → 5, SOA → 6, MB → 7, MG → 8, MR → 9, NULL → 10, WKS → 11, PTR → 12, HINFO → 13, MINFO → 14, MX → 15, TXT → 16, RP → 17, AFSDB → 18, X25 → 19, ISDN → 20, RT → 21, NSAP → 22, NSAP-PTR → 23, SIG → 24, KEY → 25, PX → 26, GPOS → 27, AAAA → 28, LOC → 29, NXT → 30, EID → 31, NIMLOC → 32, SRV → 33, ATMA → 34, NAPTR → 35, KX → 36, CERT → 37, A6 → 38, DNAME → 39, SINK → 40, OPT → 41, APL → 42, DS → 43, SSHFP → 44, IPSECKEY → 45, RRSIG → 46, NSEC → 47, DNSKEY → 48, DHCID → 49, NSEC3 → 50, NSEC3PARAM → 51, TLSA → 52, SMIMEA → 53, UNASSIGN → 54, HIP → 55, NINFO → 56, RKEY → 57, TALINK → 58, CDS → 59, CDNSKEY → 60, OPENPGPK → 61, CSYNC → 62, ZONEMD → 63, SVCB → 64, HTTPS → 65, SPF → 99, UINFO → 100, UID → 101, GID → 102, UNSPEC → 103, NID → 104, L32 → 105, L64 → 106, LP → 107, EUI48 → 108, EUI64 → 109, TKEY → 249, TSIG → 250, IXFR → 251, AXFR → 252, MAILB → 253, MAILA → 254, ALL → 255, URI → 256, CAA → 257, AVC → 258, DOA → 259, AMTRELAY → 260, TA → 32768, DLV → 32769. |
| jsonPayload.rdata.type | network.dns.answers.type | If the jsonPayload.rdata.type log field value is equal to one of the following names, then the network.dns.answers.type UDM field is set to the number paired with it: A → 1, NS → 2, MD → 3, MF → 4, CNAME → 5, SOA → 6, MB → 7, MG → 8, MR → 9, NULL → 10, WKS → 11, PTR → 12, HINFO → 13, MINFO → 14, MX → 15, TXT → 16, RP → 17, AFSDB → 18, X25 → 19, ISDN → 20, RT → 21, NSAP → 22, NSAP-PTR → 23, SIG → 24, KEY → 25, PX → 26, GPOS → 27, AAAA → 28, LOC → 29, NXT → 30, EID → 31, NIMLOC → 32, SRV → 33, ATMA → 34, NAPTR → 35, KX → 36, CERT → 37, A6 → 38, DNAME → 39, SINK → 40, OPT → 41, APL → 42, DS → 43, SSHFP → 44, IPSECKEY → 45, RRSIG → 46, NSEC → 47, DNSKEY → 48, DHCID → 49, NSEC3 → 50, NSEC3PARAM → 51, TLSA → 52, SMIMEA → 53, UNASSIGN → 54, HIP → 55, NINFO → 56, RKEY → 57, TALINK → 58, CDS → 59, CDNSKEY → 60, OPENPGPK → 61, CSYNC → 62, ZONEMD → 63, SVCB → 64, HTTPS → 65, SPF → 99, UINFO → 100, UID → 101, GID → 102, UNSPEC → 103, NID → 104, L32 → 105, L64 → 106, LP → 107, EUI48 → 108, EUI64 → 109, TKEY → 249, TSIG → 250, IXFR → 251, AXFR → 252, MAILB → 253, MAILA → 254, ALL → 255, URI → 256, CAA → 257, AVC → 258, DOA → 259, AMTRELAY → 260, TA → 32768, DLV → 32769. |
| jsonPayload.authAnswer | network.dns.authoritative | If the jsonPayload.authAnswer log field value is equal to true, then the network.dns.authoritative UDM field is set to test. |
| jsonPayload.queryName | network.dns.questions.name | If the jsonPayload.queryName log field matches the regular expression pattern %{WORD:part1}%{GREEDYDATA}\\\\%{WORD}%{GREEDYDATA:part2}, then the extracted fields part1 and part2 are mapped to the network.dns.questions.name UDM field. Else, if the jsonPayload.queryName log field matches the regular expression pattern (?P, then the extracted field domain is mapped to the network.dns.questions.name UDM field. |
| jsonPayload.queryType | network.dns.questions.type | If the jsonPayload.queryType log field value is equal to one of the following names, then the network.dns.questions.type UDM field is set to the number paired with it: A → 1, NS → 2, MD → 3, MF → 4, CNAME → 5, SOA → 6, MB → 7, MG → 8, MR → 9, NULL → 10, WKS → 11, PTR → 12, HINFO → 13, MINFO → 14, MX → 15, TXT → 16, RP → 17, AFSDB → 18, X25 → 19, ISDN → 20, RT → 21, NSAP → 22, NSAP-PTR → 23, SIG → 24, KEY → 25, PX → 26, GPOS → 27, AAAA → 28, LOC → 29, NXT → 30, EID → 31, NIMLOC → 32, SRV → 33, ATMA → 34, NAPTR → 35, KX → 36, CERT → 37, A6 → 38, DNAME → 39, SINK → 40, OPT → 41, APL → 42, DS → 43, SSHFP → 44, IPSECKEY → 45, RRSIG → 46, NSEC → 47, DNSKEY → 48, DHCID → 49, NSEC3 → 50, NSEC3PARAM → 51, TLSA → 52, SMIMEA → 53, UNASSIGN → 54, HIP → 55, NINFO → 56, RKEY → 57, TALINK → 58, CDS → 59, CDNSKEY → 60, OPENPGPK → 61, CSYNC → 62, ZONEMD → 63, SVCB → 64. Else, if the jsonPayload.queryType log field value is equal to HTTPS, then
thenetwork.dns.questions.typeUDM field is set to65.Else, if the jsonPayload.queryTypelog field value is equal toSPF, then thenetwork.dns.questions.typeUDM field is set to99.Else, if the jsonPayload.queryTypelog field value is equal toUINFO, then thenetwork.dns.questions.typeUDM field is set to100.Else, if the jsonPayload.queryTypelog field value is equal toUID, then thenetwork.dns.questions.typeUDM field is set to101.Else, if the jsonPayload.queryTypelog field value is equal toGID, then thenetwork.dns.questions.typeUDM field is set to102.Else, if the jsonPayload.queryTypelog field value is equal toUNSPEC, then thenetwork.dns.questions.typeUDM field is set to103.Else, if the jsonPayload.queryTypelog field value is equal toNID, then thenetwork.dns.questions.typeUDM field is set to104.Else, if the jsonPayload.queryTypelog field value is equal toL32, then thenetwork.dns.questions.typeUDM field is set to105.Else, if the jsonPayload.queryTypelog field value is equal toL64, then thenetwork.dns.questions.typeUDM field is set to106.Else, if the jsonPayload.queryTypelog field value is equal toLP, then thenetwork.dns.questions.typeUDM field is set to107.Else, if the jsonPayload.queryTypelog field value is equal toEUI48, then thenetwork.dns.questions.typeUDM field is set to108.Else, if the jsonPayload.queryTypelog field value is equal toEUI64, then thenetwork.dns.questions.typeUDM field is set to109.Else, if the jsonPayload.queryTypelog field value is equal toTKEY, then thenetwork.dns.questions.typeUDM field is set to249.Else, if the jsonPayload.queryTypelog field value is equal toTSIG, then thenetwork.dns.questions.typeUDM field is set to250.Else, if the jsonPayload.queryTypelog field value is equal toIXFR, then thenetwork.dns.questions.typeUDM field is set to251.Else, if the jsonPayload.queryTypelog field value is equal toAXFR, then thenetwork.dns.questions.typeUDM field is set to252.Else, if the jsonPayload.queryTypelog field value is equal toMAILB, then 
thenetwork.dns.questions.typeUDM field is set to253.Else, if the jsonPayload.queryTypelog field value is equal toMAILA, then thenetwork.dns.questions.typeUDM field is set to254.Else, if the jsonPayload.queryTypelog field value is equal toALL, then thenetwork.dns.questions.typeUDM field is set to255.Else, if the jsonPayload.queryTypelog field value is equal toURI, then thenetwork.dns.questions.typeUDM field is set to256.Else, if the jsonPayload.queryTypelog field value is equal toCAA, then thenetwork.dns.questions.typeUDM field is set to257.Else, if the jsonPayload.queryTypelog field value is equal toAVC, then thenetwork.dns.questions.typeUDM field is set to258.Else, if the jsonPayload.queryTypelog field value is equal toDOA, then thenetwork.dns.questions.typeUDM field is set to259.Else, if the jsonPayload.queryTypelog field value is equal toAMTRELAY, then thenetwork.dns.questions.typeUDM field is set to260.Else, if the jsonPayload.queryTypelog field value is equal toTA, then thenetwork.dns.questions.typeUDM field is set to32768.Else, if the jsonPayload.queryTypelog field value is equal toDLV, then thenetwork.dns.questions.typeUDM field is set to32769. | 
| jsonPayload.responseCode | network.dns.response_code | The network.dns.response_code UDM field is set to the number paired with the jsonPayload.responseCode log field value: FORMERR = 1, SERVFAIL = 2, NXDOMAIN = 3, NOTIMP = 4, REFUSED = 5, YXDOMAIN = 6, YXRRSET = 7, NXRRSET = 8, NOTAUTH = 9, NOTZONE = 10, DSOTYPENI = 11, BADVERS = 16, BADSIG = 16, BADKEY = 17, BADTIME = 18, BADMODE = 19, BADNAME = 20, BADALG = 21, BADTRUNC = 22, BADCOOKIE = 23. |
| | network.dns.truncated | If the jsonPayload.rdata log field value is not empty, then the network.dns.truncated UDM field is set to true. |
| jsonPayload.protocol | network.ip_protocol | If the jsonPayload.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to ICMP. Else, if the jsonPayload.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to IGMP. Else, if the jsonPayload.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to TCP. Else, if the jsonPayload.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to UDP. Else, if the jsonPayload.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to IP6IN4. Else, if the jsonPayload.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to GRE. Else, if the jsonPayload.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to ESP. Else, if the jsonPayload.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to EIGRP. Else, if the jsonPayload.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to ETHERIP. Else, if the jsonPayload.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to PIM. Else, if the jsonPayload.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to VRRP. |
| jsonPayload.sourceIP | principal.ip | |
| jsonPayload.sourceNetwork | additional.fields[source_network] | |
| resource.labels.location | principal.location.name | |
| jsonPayload.vmZoneName | principal.resource.attribute.cloud.availability_zone | |
| | principal.resource.attribute.cloud.environment | The principal.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
| | principal.cloud.environment | The principal.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
| resource.labels.source_type | principal.resource.attribute.labels[source_type] | |
| resource.labels.target_name | principal.resource.attribute.labels[target_name] | |
| resource.labels.target_type | principal.resource.attribute.labels[target_type] | |
| jsonPayload.vmInstanceName | principal.resource.name | Extracted projectororg from the logName log field using the Grok pattern. If the jsonPayload.vmInstanceName log field value is not empty, then the //compute.googleapis.com/projects/%{projectororg}/zones/%{resource.labels.location}/instances/%{jsonPayload.vmInstanceName} field is mapped to the principal.resource.name UDM field. |
| logName | principal.resource.name | Extracted projectororg from the logName log field using the Grok pattern. |
| jsonPayload.vmInstanceIdString | principal.resource.id | If the jsonPayload.vmInstanceIdString log field value is not empty, then the jsonPayload.vmInstanceIdString log field is mapped to the principal.resource.id UDM field. Else, if the jsonPayload.vmInstanceId log field value is not empty, then the jsonPayload.vmInstanceId log field is mapped to the principal.resource.id UDM field. |
| jsonPayload.vmInstanceId | principal.resource.id | If the jsonPayload.vmInstanceIdString log field value is not empty, then the jsonPayload.vmInstanceIdString log field is mapped to the principal.resource.id UDM field. Else, if the jsonPayload.vmInstanceId log field value is not empty, then the jsonPayload.vmInstanceId log field is mapped to the principal.resource.id UDM field. |
| jsonPayload.vmInstanceIdString | principal.resource.product_object_id | If the jsonPayload.vmInstanceIdString log field value is not empty, then the jsonPayload.vmInstanceIdString log field is mapped to the principal.resource.product_object_id UDM field. Else, if the jsonPayload.vmInstanceId log field value is not empty, then the jsonPayload.vmInstanceId log field is mapped to the principal.resource.product_object_id UDM field. |
| jsonPayload.vmInstanceId | principal.resource.product_object_id | If the jsonPayload.vmInstanceIdString log field value is not empty, then the jsonPayload.vmInstanceIdString log field is mapped to the principal.resource.product_object_id UDM field. Else, if the jsonPayload.vmInstanceId log field value is not empty, then the jsonPayload.vmInstanceId log field is mapped to the principal.resource.product_object_id UDM field. |
| jsonPayload.vmProjectId | principal.cloud.project.name | If the jsonPayload.vmProjectId log field value is not empty, then the jsonPayload.vmProjectId log field is mapped to the principal.cloud.project.name UDM field. |
| resource.labels.project_id | principal.cloud.project.name | If the jsonPayload.vmProjectId log field value is empty, then the resource.labels.project_id log field is mapped to the principal.cloud.project.name UDM field. |
| jsonPayload.vmProjectId | principal.resource_ancestors.name | |
| resource.labels.project_id | principal.resource_ancestors.name | |
| | principal.resource_ancestors.resource_subtype | If the jsonPayload.vmProjectId log field value is not empty, then the principal.resource_ancestors.resource_subtype UDM field is set to Virtual Machine Project. If the resource.labels.project_id log field value is not empty, then the principal.resource_ancestors.resource_subtype UDM field is set to Project. |
| | principal.resource_ancestors.resource_type | If the jsonPayload.vmProjectId log field value is not empty, then the principal.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT. If the resource.labels.project_id log field value is not empty, then the principal.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT. |
| resource.type | principal.resource.resource_subtype | |
| | principal.resource.resource_type | The principal.resource.resource_type UDM field is set to VIRTUAL_MACHINE. |
| | security_result.severity | If the severity log field value contains one of the following values, then the security_result.severity UDM field is set to INFORMATIONAL. Else, if the severity log field value is equal to NOTICE, then the security_result.severity UDM field is set to LOW. Else, if the severity log field value is equal to WARNING, then the security_result.severity UDM field is set to MEDIUM. Else, if the severity log field value is equal to ERROR, then the security_result.severity UDM field is set to ERROR. Else, if the severity log field value contains one of the following values, then the security_result.severity UDM field is set to CRITICAL. Else, if the severity log field value is equal to DEFAULT or the severity log field value is not empty, then the security_result.severity UDM field is set to UNKNOWN_SEVERITY. |
| severity | security_result.severity_details | |
| jsonPayload.destinationIP | target.ip | |
| | target.resource.attribute.cloud.environment | The target.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
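
The conditional mappings in the table above (type and response-code numbering, the instance ID and project name fallbacks, and the principal.resource.name template) can be checked against a raw entry before writing detections on the UDM fields. This is an added example, not the Google Security Operations parser: the function names, the flat output dictionary, the regular expression standing in for the Grok pattern, and the second sample entry are assumptions.

```python
import re

# Subsets of the queryType and responseCode tables above (name -> number).
QUERY_TYPE = {"A": 1, "NS": 2, "CNAME": 5, "PTR": 12, "MX": 15, "TXT": 16,
              "AAAA": 28, "SRV": 33, "HTTPS": 65, "AXFR": 252, "ALL": 255}
RESPONSE_CODE = {"FORMERR": 1, "SERVFAIL": 2, "NXDOMAIN": 3, "NOTIMP": 4,
                 "REFUSED": 5, "BADCOOKIE": 23}
# Assumption: stand-in for the parser's Grok pattern, which the page does not show.
LOGNAME_RE = re.compile(r"^(?:projects|organizations)/([^/]+)/logs/")

def first_non_empty(*values):
    """Return the first value that is neither None nor empty, as a string."""
    for value in values:
        if value not in (None, ""):
            return str(value)
    return None

def map_dns_entry(entry):
    """Apply the table's conditional mappings; unset fields are omitted."""
    jp = entry.get("jsonPayload", {})
    labels = entry.get("resource", {}).get("labels", {})
    match = LOGNAME_RE.match(entry.get("logName", ""))
    projectororg = match.group(1) if match else None
    # vmInstanceIdString is preferred; vmInstanceId is the fallback.
    instance_id = first_non_empty(jp.get("vmInstanceIdString"), jp.get("vmInstanceId"))
    udm = {
        "network.dns.questions.type": QUERY_TYPE.get(jp.get("queryType")),
        "network.dns.response_code": RESPONSE_CODE.get(jp.get("responseCode")),
        "principal.ip": jp.get("sourceIP"),
        "target.ip": jp.get("destinationIP"),
        "principal.resource.id": instance_id,
        "principal.resource.product_object_id": instance_id,
        # vmProjectId wins; resource.labels.project_id is used only when it is empty.
        "principal.cloud.project.name": first_non_empty(
            jp.get("vmProjectId"), labels.get("project_id")),
        "principal.resource.resource_type": "VIRTUAL_MACHINE",
    }
    # Built only when vmInstanceName is set (assumption: and logName matched).
    if jp.get("vmInstanceName") and projectororg:
        udm["principal.resource.name"] = (
            f"//compute.googleapis.com/projects/{projectororg}"
            f"/zones/{labels.get('location', '')}"
            f"/instances/{jp['vmInstanceName']}")
    return {k: v for k, v in udm.items() if v is not None}

# Trimmed from the sample log shown earlier on the page.
SAMPLE_VM = {
    "jsonPayload": {"queryType": "AAAA", "responseCode": "BADCOOKIE",
                    "destinationIP": "198.51.100.5", "vmProjectId": "abc12-123456",
                    "vmInstanceName": "329088982544.vm-707dd8df-9e19-4537-410d-e2b5597f49b8"},
    "resource": {"labels": {"location": "global", "project_id": "chronical-34531"}},
    "logName": "projects/chronical-34531/logs/dns.googleapis.com%2Fdns_queries",
}
# Constructed entry: no VM name or project, numeric vmInstanceId, unlisted query type.
SAMPLE_NO_VM = {
    "jsonPayload": {"queryType": "TYPE65280", "responseCode": "NXDOMAIN",
                    "sourceIP": "203.0.113.7", "vmInstanceId": 1234567890},
    "resource": {"labels": {"location": "global", "project_id": "example-project"}},
    "logName": "projects/example-project/logs/dns.googleapis.com%2Fdns_queries",
}

if __name__ == "__main__":
    for sample in (SAMPLE_VM, SAMPLE_NO_VM):
        print(map_dns_entry(sample))
```

Per the table, the zones segment of principal.resource.name comes from resource.labels.location rather than jsonPayload.vmZoneName, so the page's sample entry yields zones/global.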