GitHub-Audit-Logs erfassen
Unterstützt in:
Google SecOps
SIEM
In diesem Dokument wird beschrieben, wie Sie GitHub-Audit-Logs mit Amazon S3 in Google Security Operations aufnehmen. Der Parser versucht, Daten aus dem Feld „message“ mit verschiedenen Grok-Mustern zu extrahieren. Dabei werden sowohl JSON- als auch Nicht-JSON-Formate verarbeitet. Anhand des extrahierten „process_type“ wird eine bestimmte Parsing-Logik mit grok, kv und anderen Filtern angewendet, um die Rohlogdaten dem Schema des Unified Data Model (UDM) zuzuordnen.
Hinweise
Prüfen Sie, ob folgende Voraussetzungen erfüllt sind:
- Google SecOps-Instanz.
- Privilegierter Zugriff auf den GitHub Enterprise Cloud-Mandanten mit Berechtigungen als Enterprise-Inhaber.
- Privilegierter Zugriff auf AWS (S3, IAM).
Voraussetzungen für GitHub Enterprise Cloud (Enterprise-Zugriff)
- Melden Sie sich in der Admin-Konsole für GitHub Enterprise Cloud an.
- Gehen Sie zu Unternehmenseinstellungen > Einstellungen > Audit-Log > Log-Streaming.
- Sie benötigen die Berechtigungen eines Enterprise-Inhabers, um das Streaming von Audit-Logs zu konfigurieren.
- Kopieren und speichern Sie die folgenden Details an einem sicheren Ort:
- Name von GitHub Enterprise
- Namen von Organisationen im Unternehmen
AWS S3-Bucket und Identity and Access Management für Google SecOps konfigurieren
- Erstellen Sie einen Amazon S3-Bucket. Folgen Sie dazu der Anleitung unter Bucket erstellen.
- Speichern Sie den Namen und die Region des Buckets zur späteren Verwendung (z. B.
github-audit-logs). - Erstellen Sie einen Nutzer gemäß dieser Anleitung: IAM-Nutzer erstellen.
- Wählen Sie den erstellten Nutzer aus.
- Wählen Sie den Tab Sicherheitsanmeldedaten aus.
- Klicken Sie im Bereich Zugriffsschlüssel auf Zugriffsschlüssel erstellen.
- Wählen Sie Drittanbieterdienst als Anwendungsfall aus.
- Klicken Sie auf Weiter.
- Optional: Fügen Sie ein Beschreibungstag hinzu.
- Klicken Sie auf Zugriffsschlüssel erstellen.
- Klicken Sie auf CSV-Datei herunterladen, um den Access Key (Zugriffsschlüssel) und den Secret Access Key (geheimer Zugriffsschlüssel) für die zukünftige Verwendung zu speichern.
- Klicken Sie auf Fertig.
IAM-Richtlinie für GitHub S3-Streaming konfigurieren
- Rufen Sie in der AWS-Konsole IAM > Richtlinien > Richtlinie erstellen > Tab „JSON“ auf.
- Kopieren Sie die folgende Richtlinie und fügen Sie sie ein.
Richtlinien-JSON (ersetzen Sie
github-audit-logs, wenn Sie einen anderen Bucket-Namen eingegeben haben):{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowPutObjects", "Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::github-audit-logs/*" } ] }Klicken Sie auf Weiter > Richtlinie erstellen.
Geben Sie der Richtlinie den Namen
GitHubAuditStreamingPolicyund klicken Sie auf Richtlinie erstellen.Kehren Sie zum zuvor erstellten IAM-Nutzer zurück.
Wählen Sie den Tab Berechtigungen aus.
Klicken Sie auf Berechtigungen hinzufügen > Richtlinien direkt anhängen.
Suchen Sie nach
GitHubAuditStreamingPolicyund wählen Sie den Eintrag aus.Klicken Sie auf Weiter > Berechtigungen hinzufügen.
Streaming von GitHub Enterprise Cloud-Audit-Logs konfigurieren
- Melden Sie sich als Enterprise-Inhaber bei GitHub Enterprise Cloud an.
- Klicken Sie auf Ihr Profilbild und dann auf Enterprise-Einstellungen.
- Klicken Sie in der Seitenleiste des Unternehmenskontos auf Einstellungen > Audit-Log > Log-Streaming.
- Wählen Sie Stream konfigurieren und klicken Sie auf Amazon S3.
- Klicken Sie unter Authentifizierung auf Zugriffsschlüssel.
- Geben Sie die folgenden Konfigurationsdetails an:
- Region: Wählen Sie die Region des Buckets aus, z. B.
us-east-1. - Bucket: Geben Sie den Namen des Buckets ein, in den Sie streamen möchten (z. B.
github-audit-logs). - Zugriffsschlüssel-ID: Geben Sie die Zugriffsschlüssel-ID des IAM-Nutzers ein.
- Geheimer Schlüssel: Geben Sie Ihren geheimen Schlüssel des IAM-Nutzers ein.
- Region: Wählen Sie die Region des Buckets aus, z. B.
- Klicken Sie auf Endpunkt prüfen, um zu prüfen, ob GitHub eine Verbindung zum Amazon S3-Endpunkt herstellen und Daten darauf schreiben kann.
- Nachdem Sie den Endpunkt erfolgreich bestätigt haben, klicken Sie auf Speichern.
IAM-Nutzer mit Lesezugriff und Schlüssel für Google SecOps erstellen
- Rufen Sie die AWS-Konsole > IAM > Nutzer > Nutzer hinzufügen auf.
- Klicken Sie auf Nutzer hinzufügen.
- Geben Sie die folgenden Konfigurationsdetails an:
- Nutzer: Geben Sie
secops-readerein. - Zugriffstyp: Wählen Sie Zugriffsschlüssel – programmatischer Zugriff aus.
- Nutzer: Geben Sie
- Klicken Sie auf Nutzer erstellen.
- Hängen Sie die benutzerdefinierte Richtlinie mit minimalen Leseberechtigungen an: Nutzer > secops-reader > Berechtigungen > Berechtigungen hinzufügen > Richtlinien direkt anhängen > Richtlinie erstellen.
JSON:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::github-audit-logs/*" }, { "Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::github-audit-logs" } ] }Name =
secops-reader-policy.Klicken Sie auf Richtlinie erstellen> suchen/auswählen> Weiter> Berechtigungen hinzufügen.
Erstellen Sie einen Zugriffsschlüssel für
secops-reader: Sicherheitsanmeldedaten > Zugriffsschlüssel > Zugriffsschlüssel erstellen >.CSVherunterladen (diese Werte werden in den Feed eingefügt).
Feed in Google SecOps konfigurieren, um GitHub-Logs aufzunehmen
- Rufen Sie die SIEM-Einstellungen > Feeds auf.
- Klicken Sie auf + Neuen Feed hinzufügen.
- Geben Sie im Feld Feedname einen Namen für den Feed ein, z. B.
GitHub audit logs. - Wählen Sie Amazon S3 V2 als Quelltyp aus.
- Wählen Sie GitHub als Logtyp aus.
- Klicken Sie auf Weiter.
- Geben Sie Werte für die folgenden Eingabeparameter an:
- S3-URI:
s3://github-audit-logs/ - Optionen zum Löschen von Quellen: Wählen Sie die gewünschte Option zum Löschen aus.
- Maximales Dateialter: Dateien einschließen, die in den letzten Tagen geändert wurden. Der Standardwert ist 180 Tage.
- Zugriffsschlüssel-ID: Der Nutzerzugriffsschlüssel mit Zugriff auf den S3-Bucket.
- Geheimer Zugriffsschlüssel: Der geheime Schlüssel des Nutzers mit Zugriff auf den S3-Bucket.
- Asset-Namespace: der Asset-Namespace.
- Aufnahmelabels: Das Label, das auf die Ereignisse aus diesem Feed angewendet wird.
- S3-URI:
- Klicken Sie auf Weiter.
- Prüfen Sie die neue Feedkonfiguration auf dem Bildschirm Abschließen und klicken Sie dann auf Senden.
Ereignistypen
In der folgenden Tabelle sind die Ereignistypen und die Bedingungen für die Ereignistypen aufgeführt:
| event_type | Conditions |
|---|---|
NETWORK_CONNECTION |
[has_target] == "true" && [has_principal] == "true" |
PROCESS_LAUNCH |
[has_principal] == "true" && [has_target_process] == "true" |
STATUS_UPDATE |
[has_principal] == "true" |
USER_LOGIN |
[raw][message] =~ "Authentication success" or [message] =~ "Authentication success" && ([has_target]== "true" || [has_target_user] == "true") |
USER_RESOURCE_CREATION |
[has_target_resource] == "true" && [has_principal_userid] == "true" && [action] in ["personal_access_token.create" ,"repository_vulnerability_alert.create"] |
USER_RESOURCE_DELETION |
[has_target_resource] == "true" && [has_principal_user] == "true" && [action] in ["hook.destroy" ,"protected_branch.destroy" ,"public_key.delete"] |
USER_RESOURCE_DELETION |
[has_target_resource] == "true" && [has_principal_userid] == "true" && [action] in [ "hook.destroy" ,"protected_branch.destroy" ,"public_key.delete"] |
USER_RESOURCE_UPDATE_CONTENT |
[has_target_resource] == "true" && [has_principal_userid] == "true" && [action] in [ "pull_request.merge" , "hook.events_changed"] |
USER_RESOURCE_UPDATE_PERMISSIONS |
[has_target_resource] == "true" && [has_principal_userid] == "true" && [action] in ["repo.update_actions_secret","protected_branch.update_pull_request_reviews_enforcement_level", "org.update_member" ,"protected_branch.update_admin_enforced" ,"protected_branch.update_required_status_checks_enforcement_level","org.integration_manager_removed" ,"repo.update_member", "repo.add_member"] |
USER_UNCATEGORIZED |
[has_principal_userid] == "true" |
UDM-Zuordnungstabelle
| Logfeld | UDM-Zuordnung | Anmerkungen |
|---|---|---|
above_lock_quota |
additional.fields |
|
above_warn_quota |
additional.fields |
|
ac_ms |
additional.fields |
|
accept |
additional.fields |
|
action |
metadata.product_event_type |
Für JSON-Logs. |
action |
security_result.summary |
Für Syslog-Protokolle. |
active |
target.resource.attribute.labels |
|
active_job_id |
additional.fields |
|
actor |
principal.user.userid |
|
actor_id |
principal.user.attribute.labels.value |
|
actor_ip |
principal.ip |
|
actor_is_agent |
additional.fields |
|
actor_is_bot |
principal.user.attribute.labels |
|
actor_location.country_code |
principal.location.country_or_region |
|
actor_session |
additional.fields |
|
additional_list |
additional.fields |
|
additional_string |
additional.fields |
|
after |
additional.fields |
|
alert_id |
security_result.detection_fields |
|
alert_number |
security_result.detection_fields |
|
alert_numbers |
additional.fields |
|
allow_deletions_enforcement_level |
additional.fields |
|
allow_force_pushes_enforcement_level |
additional.fields |
|
allow_private_repository_forking |
additional.fields |
|
application_name |
target.application |
|
aqueduct_job_id |
additional.fields |
|
auth_tries |
additional.fields |
|
babeld |
additional.fields |
|
banner |
additional.fields |
|
before |
additional.fields |
|
best_cipher |
additional.fields |
|
best_kex |
additional.fields |
|
best_mac |
additional.fields |
|
best_sigtype |
additional.fields |
|
Body |
security_result.description |
|
branch |
target.resource.attribute.labels |
|
branches |
target.resource.attribute.labels |
|
business |
additional.fields |
|
business_id |
additional.fields |
|
cactive |
additional.fields |
|
calling_workflow_refs |
target.resource.attribute.labels |
|
calling_workflow_shas |
target.resource.attribute.labels |
|
changes.body.from |
additional.fields |
|
charset |
additional.fields |
|
check_run.app |
additional.fields |
|
check_run.app.events |
additional.fields |
|
check_run.app.owner |
additional.fields |
|
check_run.check_suite.app.client_id |
additional.fields |
|
check_run.check_suite.app.created_at |
additional.fields |
|
check_run.check_suite.app.description |
additional.fields |
|
check_run.check_suite.app.events |
additional.fields |
|
check_run.check_suite.app.external_url |
additional.fields |
|
check_run.check_suite.app.html_url |
additional.fields |
|
check_run.check_suite.app.id |
additional.fields |
|
check_run.check_suite.app.name |
additional.fields |
|
check_run.check_suite.app.node_id |
additional.fields |
|
check_run.check_suite.app.slug |
additional.fields |
|
check_run.check_suite.app.updated_at |
additional.fields |
|
check_run.check_suite.conclusion |
additional.fields |
|
check_run.check_suite.id |
additional.fields |
|
check_run.check_suite.url |
additional.fields |
|
check_run.completed_at |
additional.fields |
|
check_run.conclusion |
additional.fields |
|
check_run.output |
additional.fields |
|
check_run.started_at |
additional.fields |
|
check_suite (alle Unterfelder) |
additional.fields |
|
check_suite.app (alle Unterfelder) |
additional.fields |
|
check_suite.app.events |
additional.fields |
|
check_suite.app.owner (alle Unterfelder) |
additional.fields |
|
check_suite.head_commit (alle Unterfelder) |
additional.fields |
|
cid |
additional.fields |
|
cipher |
network.tls.cipher |
|
client_id |
principal.user.attribute.labels |
|
cloning |
additional.fields |
|
code |
additional.fields |
|
CodeNamespace |
additional.fields |
|
comment (alle Unterfelder) |
additional.fields |
|
comment.performed_via_github_app (alle Unterfelder) |
additional.fields |
|
comment.performed_via_github_app.events |
additional.fields |
|
comment.reactions (alle Unterfelder) |
additional.fields |
|
commit.author |
principal.resource.attribute.labels |
|
commit.commit.author.date |
additional.fields |
|
commit.commit.author.email |
additional.fields |
|
commit.commit.author.name |
additional.fields |
|
commit.commit.tree.url |
additional.fields |
|
commit.commit.verification |
additional.fields |
|
commit.committer |
additional.fields |
|
commit.parents |
additional.fields |
|
commit.sha |
additional.fields |
|
commit.url |
additional.fields |
|
commit_oid |
additional.fields |
|
committer_date |
additional.fields |
|
completed_at |
vulns.vulnerabilities.scan_end_time |
|
config.content_typt |
target.resource.attribute.labels |
|
config.insecure_ssl |
target.resource.attribute.labels |
|
config.secret |
target.resource.attribute.labels |
|
config.url |
target.url |
|
considers.site.admin |
additional.fields |
|
content_type |
target.file.mime_type |
|
cr |
additional.fields |
|
create_protected |
additional.fields |
|
created_at |
metadata.event_timestamp |
Der Wert wird von UNIX-Millisekunden in einen Zeitstempel konvertiert. |
credential |
detection_fields |
|
ctotal |
additional.fields |
|
data._document_id |
metadata.product_log_id |
|
data.active_job_id |
additional.fields |
|
data.aqueduct_job_id |
additional.fields |
|
data.business |
target.administrative_domain |
|
data.business_id |
additional.fields |
|
data.cancelled_at |
extensions.vulns.vulnerabilities.scan_end_time |
Der Wert wird vom ISO8601-Format in einen Zeitstempel konvertiert. |
data.category_type |
security_result.category_details |
|
data.dn |
additional.fields |
|
data.email |
target.user.email_addresses |
|
data.entry_found |
additional.fields |
|
data.event |
target.resource.attribute.labels |
|
data.events |
security_result.about.labels.value |
|
data.head_branch |
target.resource.attribute.labels |
|
data.head_sha |
target.file.sha256 |
|
data.hook_id |
target.resource.product_object_id |
|
data.job |
target.application |
|
data.operation_type |
additional.fields |
|
data.started_at |
extensions.vulns.vulnerabilities.scan_start_time |
Der Wert wird vom ISO8601-Format in einen Zeitstempel konvertiert. |
data.team |
target.group.group_display_name |
|
data.trigger_id |
target.resource.attribute.labels |
|
data.uid |
additional.fields |
|
data.workflow_id |
target.resource.attribute.labels |
|
data.workflow_run_id |
target.resource.attribute.labels |
|
default_new_repo_branch |
additional.fields |
|
default_repo_visibility |
additional.fields |
|
default_repository_permission |
additional.fields |
|
degraded |
additional.fields |
|
dependency_scope |
additional.fields |
|
deployment.environment |
additional.fields |
|
disable_members_can_create_repositories |
additional.fields |
|
disable_members_can_delete_repositories |
additional.fields |
|
disable_user_org_creation |
additional.fields |
|
disk_info |
additional.fields |
|
disk_py_file |
additional.fields |
|
dismiss_stale_reviews_on_push |
additional.fields |
|
dotcom_contributions |
additional.fields |
|
dotcom_user_license_usage_upload |
additional.fields |
|
duration_ms |
additional.fields |
|
ecosystem |
additional.fields |
|
enforcement_level |
additional.fields |
|
enterprise |
principal.resource.attribute.labels |
|
enterprise.name |
additional.fields.value.string_value |
|
environment_name |
target.resource.attribute.labels |
|
error |
additional.fields |
|
external_id |
additional.fields |
|
external_identity_nameid |
target.user.email_addresses |
Wenn der Wert eine E-Mail-Adresse ist, wird er dem target.user.email_addresses-Array hinzugefügt. |
external_identity_nameid |
target.user.userid |
|
external_identity_username |
additional.fields |
Wird additional.fields zugeordnet, wenn es in target.user.user_display_name nicht ausgefüllt ist. |
external_identity_username |
target.user.user_display_name |
Wird zugeordnet, wenn sie in target.user.user_display_name ausgefüllt ist. |
features |
additional.fields |
|
filtered |
additional.fields |
|
filtered_request_body.query |
additional.fields |
|
fluentbit_pod_name |
additional.fields |
|
fp_sha256 |
additional.fields |
|
frontend |
additional.fields |
|
frontend_pid |
intermediary.process.pid |
|
frontend_ppid |
intermediary.process.parent_process.pid |
|
fs_host |
target.hostname |
|
fsc_ms |
additional.fields |
|
fully_qualified_domain_name |
additional.fields |
|
gh.sdk.name |
additional.fields |
|
gh.sdk.version |
additional.fields |
|
gh.timerd.timer.name |
additional.fields |
|
ghsa_id |
additional.fields |
|
git.maxobjectsize |
additional.fields |
|
git_dir_safe |
target.resource.attribute.labels |
|
github_event_after |
target.resource.attribute.labels |
|
github_event_before |
target.resource.attribute.labels |
|
github_event_compare |
target.resource.attribute.labels |
|
github_event_created |
target.resource.attribute.labels |
|
github_event_deleted |
target.resource.attribute.labels |
|
github_event_forced |
target.resource.attribute.labels |
|
github_event_head_commit_author_email |
target.resource.attribute.labels |
|
github_event_head_commit_author_name |
target.resource.attribute.labels |
|
github_event_head_commit_author_username |
target.resource.attribute.labels |
|
github_event_head_commit_committer_email |
target.resource.attribute.labels |
|
github_event_head_commit_committer_name |
target.resource.attribute.labels |
|
github_event_head_commit_committer_username |
target.resource.attribute.labels |
|
github_event_head_commit_distinct |
target.resource.attribute.labels |
|
github_event_head_commit_msg1 |
target.resource.attribute.labels |
|
github_event_head_commit_timestamp |
target.resource.attribute.labels |
|
github_event_pusher_email |
target.resource.attribute.labels |
|
github_event_pusher_name |
target.resource.attribute.labels |
|
github_event_ref |
target.resource.attribute.labels |
|
github_event_repository_has_projects |
target.resource.attributes.labels |
|
github_event_repository_master_branch |
target.resource.attribute.labels |
|
github_event_repository_organization |
target.resource.attribute.labels |
|
github_event_repository_owner_name |
target.resource.attribute.labels |
|
github_event_repository_stargazers |
target.resource.attribute.labels |
|
github_event_workflow_job_completed_at |
target.resource.attributes.labels |
|
gpv |
additional.fields |
|
handler_code |
additional.fields |
|
hashed_token |
network.session_id |
|
head_branch |
target.resource.attribute.labels |
|
head_sha |
target.file.sha256 |
|
healthy |
additional.fields |
|
hmac |
additional.fields |
|
hook_id |
target.resource.attribute.labels |
|
host.name |
principal.user.attribute.labels |
|
http_version |
network.application_protocol_version |
|
id |
metadata.product_log_id |
|
ignore_approvals_from_contributors |
additional.fields |
|
imode |
additional.fields |
|
imperfect |
additional.fields |
|
InstrumentationScope |
additional.fields |
|
integration_id |
additional.fields |
|
intel.flat |
additional.fields |
|
is_hosted_runner |
target.resource.attribute.labels |
|
issue (alle Unterfelder) |
additional.fields |
|
issue.pull_request (alle Unterfelder) |
additional.fields |
|
job_name |
target.resource.attribute.labels.value |
|
job_workflow_ref |
target.resource.attribute.labels.value |
|
job_workflow_sha |
target.resource.attribute.labels.value |
|
kafka_cluster |
additional.fields |
|
kex |
additional.fields |
|
keytype |
additional.fields |
|
kubernetes.container_image |
principal.resource.attribute.labels |
|
kubernetes.container_name |
principal.resource.attribute.labels |
|
kubernetes.host |
principal.resource.attribute.labels |
|
kubernetes.labels.app |
principal.resource.attribute.labels |
|
kubernetes.labels.chart |
principal.resource.attribute.labels |
|
kubernetes.labels.component |
principal.resource.attribute.labels |
|
kubernetes.labels.heritage |
principal.resource.attribute.labels |
|
kubernetes.labels.pod-template-hash |
principal.resource.attribute.labels |
|
kubernetes.labels.release |
principal.resource.attribute.labels |
|
kubernetes.labels.system |
principal.resource.attribute.labels |
|
kubernetes.namespace_name |
principal.resource.attribute.labels |
|
kubernetes.pod_ip |
principal.ip, principal.asset.ip |
|
kubernetes.pod_name |
principal.resource.attribute.labels |
|
last_state_change_at |
additional.fields |
|
last_state_change_reason |
additional.fields |
|
lat |
principal.location.region_coordinates.latitude |
|
ldap.debug_logging_enabled |
additional.fields |
|
level |
security_result.severity |
|
lfs_auth_scope |
additional.fields |
|
lfs_deploy_key_header |
additional.fields |
|
lfs_verify_reason |
additional.fields |
|
linear_history_requirement_enforcement_level |
additional.fields |
|
lock_allows_fetch_and_merge |
additional.fields |
|
lock_branch_enforcement_level |
additional.fields |
|
log_level |
security_result.severity |
|
log_source |
additional.fields |
|
log_source_file |
target.file.full_path |
|
logData.Count |
additional.fields |
|
logData.Metrics.* |
additional.fields |
Das Sternchen (*) gibt an, dass alle Unterfelder enthalten sind. |
logType |
additional.fields |
|
lon |
principal.location.region_coordinates.longitude |
|
loop |
additional.fields |
|
matched_policies |
security_result.detection_fields |
|
member |
target.user.attribute.labels |
|
merge_queue_enforcement_level |
additional.fields |
|
method |
additional.fields |
|
multi_repo |
security_result.detection_fields |
|
mysql_component |
additional.fields |
|
mysql_warning_code |
additional.fields |
|
name |
target.resource.attribute.labels |
|
non_integer_id |
additional.fields |
|
ns |
additional.fields |
|
number |
additional.fields |
|
oauth_application |
principal.application |
|
oauth_application_id |
principal.resource.attribute.labels |
|
oauth_party |
additional.fields |
|
offset |
additional.fields |
|
old_permissions |
additional.fields |
|
old_repo_permissions |
additional.fields |
|
org |
target.administrative_domain |
|
org_id |
additional.fields.value.string_value |
|
organization.url |
additional.fields |
|
original_user_agent |
additional.fields |
|
overridden_codes |
additional.fields |
|
owner |
principal.user.user_display_name |
|
owner_id |
principal.user.userid |
|
package |
additional.fields |
|
package_name |
target.application |
|
parent |
additional.fields |
|
parent_installation_id |
additional.fields |
|
partition |
additional.fields |
|
path_info |
additional.fields |
Dies ist die Zuordnung, wenn der Pfad bereits target.file.full_path zugeordnet wird. |
path_info |
target.file.full_path |
Dies ist die Zuordnung, wenn der Pfad nicht bereits target.file.full_path zugeordnet wird. |
pgroup |
additional.fields |
|
pk_ms |
additional.fields |
|
prin_ip |
principal.ip, principal.asset.ip |
|
prin_port |
principal.port |
|
prin_usr |
principal.user.userid |
|
pro_pid |
target.process.pid |
|
probe_fail |
additional.fields |
|
probe_ok |
additional.fields |
|
programmatic_access_type |
additional.fields.value.string_value |
|
pubkey_creator_id |
additional.fields |
|
pubkey_creator_login |
additional.fields |
|
pubkey_fingerprint |
additional.fields |
|
pubkey_id |
additional.fields |
|
pubkey_verifier_id |
additional.fields |
|
pubkey_verifier_login |
additional.fields |
|
public_repo |
additional.fields.value.string_value |
|
public_repo |
target.location.name |
|
publicly_leaked |
security_result.detection_fields |
|
pull_request.* |
additional.fields |
Das Sternchen (*) gibt an, dass alle Unterfelder enthalten sind. |
pull_request._links.comments.href |
additional.fields |
|
pull_request._links.commits.href |
additional.fields |
|
pull_request._links.html.href |
additional.fields |
|
pull_request._links.issue.href |
additional.fields |
|
pull_request._links.review_comment.href |
additional.fields |
|
pull_request._links.review_comments.href |
additional.fields |
|
pull_request._links.self.href |
additional.fields |
|
pull_request._links.statuses.href |
additional.fields |
|
pull_request.base.* |
additional.fields |
Das Sternchen (*) gibt an, dass alle Unterfelder enthalten sind. |
pull_request.base.repo.* |
additional.fields |
Das Sternchen (*) gibt an, dass alle Unterfelder enthalten sind. |
pull_request.base.repo.owner.* |
additional.fields |
Das Sternchen (*) gibt an, dass alle Unterfelder enthalten sind. |
pull_request.head.* |
additional.fields |
Das Sternchen (*) gibt an, dass alle Unterfelder enthalten sind. |
pull_request.head.owner.* |
additional.fields |
Das Sternchen (*) gibt an, dass alle Unterfelder enthalten sind. |
pull_request.head.repo.* |
additional.fields |
Das Sternchen (*) gibt an, dass alle Unterfelder enthalten sind. |
pull_request.head.user.* |
additional.fields |
Das Sternchen (*) gibt an, dass alle Unterfelder enthalten sind. |
pull_request.requested_reviewers.* |
additional.fields |
Das Sternchen (*) gibt an, dass alle Unterfelder enthalten sind. |
pull_request.requested_teams.* |
additional.fields |
Das Sternchen (*) gibt an, dass alle Unterfelder enthalten sind. |
pull_request.user. (und alle zugehörigen Unterfelder außer login) |
principal.user.attribute.labels |
|
pull_request.user.login |
principal.user.user_display_name |
|
pull_request_id |
target.resource.attribute.labels |
|
pull_request_title |
target.resource.attribute.labels |
|
query_string |
additional.fields.value.string_value |
|
queue_duration |
additional.fields |
|
quotas_enabled |
additional.fields |
|
rate_limit |
additional.fields |
|
rate_limit_family |
additional.fields |
|
rate_limit_key |
additional.fields |
|
rate_limit_remaining |
additional.fields.value.string_value |
|
rate_limit_reset |
additional.fields |
|
rate_limit_used |
additional.fields |
|
raw.at |
additional.fields |
|
raw.hashed_token |
network.session_id |
|
raw.token_type |
additional.fields |
|
raw.url |
target.url |
|
raw.user_agent |
network.http.user_agent, network.http.parsed_user_agent |
|
raw_login |
additional.fields |
|
read_only |
additional.fields |
|
readonly |
additional.fields |
|
reasons |
additional.fields |
|
ref |
target.resource.attribute.labels |
|
replicas |
additional.fields |
|
repo |
target.resource.name |
|
repo_id |
additional.fields.value.string_value |
|
repo_owner_login |
target.resource.attribute.labels |
|
repo_owner_type |
target.resource.attribute.labels |
|
repo_public |
additional.fields |
|
repository |
target.resource.attribute.labels |
|
repository.archive_url |
target.resource.attribute.labels |
|
repository.assignees_url |
target.resource.attribute.labels |
|
repository.blobs_url |
target.resource.attribute.labels |
|
repository.branches_url |
target.resource.attribute.labels |
|
repository.clone_url |
target.resource.attribute.labels |
|
repository.collaborators_url |
target.resource.attribute.labels |
|
repository.comments_url |
target.resource.attribute.labels |
|
repository.commits_url |
target.resource.attribute.labels |
|
repository.compare_url |
target.resource.attribute.labels |
|
repository.contents_url |
target.resource.attribute.labels |
|
repository.contributors_url |
target.resource.attribute.labels |
|
repository.created_at |
target.resource.attribute.labels |
|
repository.custom_properties. (und alle zugehörigen Unterfelder) |
target.resource.attribute.labels |
|
repository.deployments_url |
target.resource.attribute.labels |
|
repository.downloads_url |
target.resource.attribute.labels |
|
repository.events_url |
target.resource.attribute.labels |
|
repository.fork |
target.resource.attribute.labels |
|
repository.forks_url |
target.resource.attribute.labels |
|
repository.full_name |
target.resource.attribute.labels |
|
repository.git_commits_url |
target.resource.attribute.labels |
|
repository.git_refs_url |
target.resource.attribute.labels |
|
repository.git_tags_url |
target.resource.attribute.labels |
|
repository.git_url |
target.resource.attribute.labels |
|
repository.homepage |
target.resource.attributes.labels |
|
repository.hooks_url |
target.resource.attribute.labels |
|
repository.html_url |
target.resource.attribute.labels |
|
repository.id |
target.resource.attribute.labels |
|
repository.issue_comment_url |
target.resource.attribute.labels |
|
repository.issue_events_url |
target.resource.attribute.labels |
|
repository.issues_url |
target.resource.attribute.labels |
|
repository.keys_url |
target.resource.attribute.labels |
|
repository.labels_url |
target.resource.attribute.labels |
|
repository.languages_url |
target.resource.attribute.labels |
|
repository.license |
target.resource.attributes.labels |
|
repository.merges_url |
target.resource.attribute.labels |
|
repository.milestones_url |
target.resource.attribute.labels |
|
repository.mirror_url |
target.resource.attributes.labels |
|
repository.name |
target.resource.attribute.labels |
|
repository.node_id |
target.resource.attribute.labels |
|
repository.notifications_url |
target.resource.attribute.labels |
|
repository.open_issues_count |
target.resource.attribute.labels |
|
repository.owner.avatar_url |
target.resource.attribute.labels |
|
repository.owner.events_url |
target.resource.attribute.labels |
|
repository.owner.followers_url |
target.resource.attribute.labels |
|
repository.owner.following_url |
target.resource.attribute.labels |
|
repository.owner.gists_url |
target.resource.attribute.labels |
|
repository.owner.gravatar_id |
target.resource.attribute.labels |
|
repository.owner.html_url |
target.resource.attribute.labels |
|
repository.owner.id |
target.resource.attribute.labels |
|
repository.owner.node_id |
target.resource.attribute.labels |
|
repository.owner.organizations_url |
target.resource.attribute.labels |
|
repository.owner.received_events_url |
target.resource.attribute.labels |
|
repository.owner.repos_url |
target.resource.attribute.labels |
|
repository.owner.site_admin |
target.resource.attribute.labels |
|
repository.owner.starred_url |
target.resource.attribute.labels |
|
repository.owner.subscriptions_url |
target.resource.attribute.labels |
|
repository.owner.type |
target.resource.attribute.labels |
|
repository.owner.url |
target.resource.attribute.labels |
|
repository.owner.user_view_type |
target.resource.attribute.labels |
|
repository.private |
target.resource.attribute.labels |
|
repository.pulls_url |
target.resource.attribute.labels |
|
repository.pushed_at |
target.resource.attribute.labels |
|
repository.releases_url |
target.resource.attribute.labels |
|
repository.size |
target.resource.attribute.labels |
|
repository.ssh_url |
target.resource.attribute.labels |
|
repository.stargazers_url |
target.resource.attribute.labels |
|
repository.statuses_url |
target.resource.attribute.labels |
|
repository.subscribers_url |
target.resource.attribute.labels |
|
repository.subscription_url |
target.resource.attribute.labels |
|
repository.svn_url |
target.resource.attribute.labels |
|
repository.tags_url |
target.resource.attribute.labels |
|
repository.teams_url |
target.resource.attribute.labels |
|
repository.topics |
target.resource.attributes.labels |
|
repository.trees_url |
target.resource.attribute.labels |
|
repository.updated_at |
target.resource.attribute.labels |
|
repository.url |
target.resource.attribute.labels |
|
repository.visibility |
target.resource.attribute.labels |
|
repository_public |
target.resource.attribute.labels |
|
req_content_type |
target.file.mime_type |
|
request_access_security_header |
security_result.detection_fields |
|
request_auth |
additional.fields |
|
request_body |
additional.fields.value.string_value |
|
request_duration |
additional.fields |
|
request_host |
principal.ip, principal.asset.ip |
Wenn eine IP-Adresse vorhanden ist, wird die Zuordnung zu principal.ip vorgenommen (die vorhandene Zuordnung von principal.hostname bleibt erhalten). |
request_method |
network.http.method |
Der Wert wird in Großbuchstaben umgewandelt. |
requested_reviewers.* |
additional.fields |
Das Sternchen (*) gibt an, dass alle Unterfelder enthalten sind. |
require_code_owner_review |
additional.fields |
|
require_last_push_approval |
additional.fields |
|
required_approving_review_count |
additional.fields |
|
required_deployments_enforcement_level |
additional.fields |
|
required_review_thread_resolution_enforcement_level |
additional.fields |
|
rerun_type |
additional.fields |
|
res_type |
target.resource.resource_subtype |
|
response_time |
additional.fields |
|
review_id |
target.resource.attributes.labels |
|
route |
additional.fields.value.string_value |
|
rpc.jsonrpc.error_code |
network.http.response_code |
|
rpc.jsonrpc.error_message |
security_result.summary |
|
rule_suite_id |
security_result.rule_id |
|
run_attempt |
additional.fields |
|
run_number |
additional.fields |
|
runner_labels |
target.resource.attribute.labels |
|
runner_owner_type |
target.resource.attribute.labels |
|
runner_tenant_id |
target.resource.attribute.labels |
|
s3_tag |
additional.fields |
|
secret_type |
security_result.detection_fields |
|
secret_types |
security_result.detection_fields |
|
secrets_passed |
security_result.detection_fields |
|
sender.id |
src.user.product_object_id |
|
sender.login |
src.user.user_display_name |
|
sender.node_id |
src.asset_id |
|
sender.type |
src.user.title |
|
sender.url |
src.url |
|
service |
target.resource.name |
|
service.version |
additional.fields |
|
serviceName |
target.resource.name |
|
severity (falls hoch) |
security_result.severity |
|
SeverityText |
security_result.severity |
|
shallow |
additional.fields |
|
sign_in_verification_method |
security_result.detection_fields |
|
signature_requirement_enforcement_level |
additional.fields |
|
sigtype |
additional.fields |
|
source |
src.resource.name |
|
spec |
additional.fields |
|
sr |
additional.fields |
|
ss |
additional.fields |
|
started_at |
vulns.vulnerabilities.scan_start_time |
|
stateless |
additional.fields |
|
status_code |
network.http.response_code |
|
strict_required_status_checks_policy |
additional.fields |
|
subject.business.id |
target.resource.attribute.labels |
|
subject.owner.id |
additional.fields |
|
subject.owning_organization.id |
principal.group.product_object_id |
|
subject.repository.id |
target.resource.product_object_id |
|
subject.repository.internal |
target.resource.attribute.labels |
|
subject.repository.owner.id |
additional.fields |
|
subject.repository.public |
target.resource.attribute.labels |
|
subject.repository.writable |
target.resource.attribute.labels |
|
subject.type |
target.resource.attribute.labels |
|
synthetic_status |
additional.fields |
|
tar_application |
target.application |
|
telemetry.sdk.name |
additional.fields |
|
tenant_id |
target.resource.attribute.labels |
|
tid |
additional.fields |
|
time |
metadata.event_timestamp |
|
time_duration_ms |
additional.fields |
|
time_zone |
additional.fields |
|
timestamp |
metadata.event_timestamp |
|
tls_version |
network.tls.version |
|
token_id |
additional.fields.value.string_value |
|
token_scopes |
additional.fields.value.string_value |
|
topic |
additional.fields |
|
total |
additional.fields |
|
transport_protocol |
additional.fields |
|
transport_protocol_name |
network.application_protocol |
Der Wert wird in Großbuchstaben umgewandelt. |
ts |
metadata.event_timestamp |
Wenn process_type github_production ist. |
TTY |
additional.fields |
|
twirp_method |
additional.fields |
|
twirp_package |
additional.fields |
|
twirp_service |
additional.fields |
|
twirp_status |
network.http.response_code |
|
two_factor_type |
security_result.detection_fields |
|
type |
additional.fields |
|
unavailable |
additional.fields |
|
updated_at |
metadata.collected_timestamp |
|
url_path |
target.url |
|
usage_metrics |
additional.fields |
|
user |
target.user.userid |
|
user.id |
target.user.attr.labels |
Wenn actor.id vorhanden ist. |
user.id |
target.user.userid |
Wenn actor.id nicht vorhanden ist. |
user_agent |
network.http.parsed_user_agent |
Der Wert wird geparst. |
user_agent |
network.http.user_agent |
|
user_id |
target.user.userid |
|
user_operator_mode |
additional.fields |
|
user_programmatic_access_id |
additional.fields |
|
user_renaming_enabled |
additional.fields |
|
user_spammy |
additional.fields |
|
version |
metadata.product_version |
Diese Zuordnung umfasst JSON-Logs. |
visibility |
additional.fields |
|
vk_ms |
additional.fields |
|
vulnerability_id |
additional.fields |
|
vulnerable_version_range_id |
additional.fields |
|
workflow |
target.resource.attributes.labels |
|
workflow.name |
target.resource.attribute.labels |
|
workflow_id |
target.resource.attribute.labels |
|
workflow_job.head_branch |
security_result.detection_fields |
|
workflow_job.name |
target.resource.attributes.labels |
|
workflow_job.workflow_name |
security_result.detection_fields |
|
workflow_run.actor. (und alle zugehörigen Unterfelder mit Ausnahme des Felds login, das in jedem Unterfeld enthalten ist) |
principal.user.attribute.labels |
|
workflow_run.actor.login |
principal.user.userid |
|
workflow_run.artifacts_url |
target.resource.attributes.labels |
|
workflow_run.cancel_url |
target.resource.attributes.labels |
|
workflow_run.check_suite_id |
additional.fields |
|
workflow_run.check_suite_node_id |
additional.fields |
|
workflow_run.check_suite_url |
target.resource.attributes.labels |
|
workflow_run.conclusion |
target.resource.attribute.labels |
|
workflow_run.created_at |
metadata.event_timestamp |
|
workflow_run.display_title |
target.resource.attribute.labels |
|
workflow_run.event |
additional.fields.value.string_value |
|
workflow_run.event |
target.resource.attribute.labels |
|
workflow_run.head_branch |
target.resource.attribute.labels |
|
workflow_run.head_commit |
target.resource.attributes.labels |
|
workflow_run.head_repository |
additional.fields |
|
workflow_run.head_sha |
target.file.sha256 |
|
workflow_run.html_url |
target.resource.attribute.labels |
|
workflow_run.id |
target.resource.attribute.labels.value |
|
workflow_run.jobs_url |
target.resource.attributes.labels |
|
workflow_run.logs_url |
target.resource.attributes.labels |
|
workflow_run.name |
target.resource.name |
|
workflow_run.node_id |
target.resource.product_object_id |
|
workflow_run.path |
target.resource.attribute.labels |
|
workflow_run.previous_attempt_url |
target.resource.attributes.labels |
|
workflow_run.pull_requests |
about.resource.attribute.labels |
|
workflow_run.repository |
additional.fields |
|
workflow_run.rerun_url |
target.resource.attributes.labels |
|
workflow_run.run_attempt |
target.resource.attribute.labels |
|
workflow_run.run_number |
target.resource.attribute.labels |
|
workflow_run.run_started_at |
target.resource.attribute.labels |
|
workflow_run.status |
security_result.description |
|
workflow_run.triggering_actor |
additional.fields |
|
workflow_run.updated_at |
metadata.collected_timestamp |
|
workflow_run.url |
target.url |
|
workflow_run.workflow_id |
security_result.about.labels.value |
|
workflow_run.workflow_id |
target.resource.attribute.labels |
|
workflow_run.workflow_url |
target.resource.attributes.labels |
Referenz zu Release-Deltas
Am 8. Januar 2026 hat Google SecOps eine neue Version des GitHub-Parsers mit wesentlichen Änderungen veröffentlicht.
Delta der Zuordnung von Log-Feldern
In der folgenden Tabelle ist das Zuordnungsdelta für GitHub-Log-zu-UDM-Felder aufgeführt, die vor dem 8. Januar 2026 und danach verfügbar waren (in den Spalten Alte Zuordnung bzw. Aktuelle Zuordnung):
| Logfeld | Alte Zuordnung | Aktuelle Zuordnung |
|---|---|---|
action (für JSON-Logs) |
metadata.product_event_type, security_result.summary,security_result.detection_fields |
metadata.product_event_type |
action (für Syslog-Logs) |
additional.fields, security_result.summary |
security_result.summary |
business |
additional.fields, target.user.company_name |
additional.fields |
business_id |
target.resource.attribute.labels |
additional.fields |
data.email |
target.email |
target.user.email_addresses |
data.event |
security_result.about.labels |
target.resource.attribute.labels |
data.head_branch |
security_result.about.labels |
target.resource.attribute.labels |
data.hook_id |
target.resource.attribute.labels |
target.resource.product_object_id |
data.team |
target.user.group_identifiers |
target.group.group_display_name |
data.trigger_id |
security_result.about.labels |
target.resource.attribute.labels |
data.workflow_id |
security_result.about.labels |
target.resource.attribute.labels |
data.workflow_run_id |
security_result.about.labels |
target.resource.attribute.labels |
hashed_token |
additional.fields |
network.session_id |
hook_id (für JSON-Logs) |
additional.fields |
target.resource.attribute.labels |
name |
additional.fields |
target.resource.attribute.labels |
oauth_application_id |
additional.fields |
principal.resource.attribute.labels |
pull_request_id |
additional.fields |
target.resource.attribute.labels |
pull_request_title |
additional.fields |
target.resource.attribute.labels |
repository.archive_url |
additional.fields |
target.resource.attribute.labels |
repository.assignees_url |
additional.fields |
target.resource.attribute.labels |
repository.blobs_url |
additional.fields |
target.resource.attribute.labels |
repository.branches_url |
additional.fields |
target.resource.attribute.labels |
repository.clone_url |
additional.fields |
target.resource.attribute.labels |
repository.collaborators_url |
additional.fields |
target.resource.attribute.labels |
repository.comments_url |
additional.fields |
target.resource.attribute.labels |
repository.commits_url |
additional.fields |
target.resource.attribute.labels |
repository.compare_url |
additional.fields |
target.resource.attribute.labels |
repository.contents_url |
additional.fields |
target.resource.attribute.labels |
repository.contributors_url |
additional.fields |
target.resource.attribute.labels |
repository.created_at |
additional.fields |
target.resource.attribute.labels |
repository.deployments_url |
additional.fields |
target.resource.attribute.labels |
repository.downloads_url |
additional.fields |
target.resource.attribute.labels |
repository.events_url |
additional.fields |
target.resource.attribute.labels |
repository.fork |
additional.fields |
target.resource.attribute.labels |
repository.forks_url |
additional.fields |
target.resource.attribute.labels |
repository.full_name |
additional.fields |
target.resource.attribute.labels |
repository.git_commits_url |
additional.fields |
target.resource.attribute.labels |
repository.git_refs_url |
additional.fields |
target.resource.attribute.labels |
repository.git_tags_url |
additional.fields |
target.resource.attribute.labels |
repository.git_url |
additional.fields |
target.resource.attribute.labels |
repository.hooks_url |
additional.fields |
target.resource.attribute.labels |
repository.html_url |
additional.fields |
target.resource.attribute.labels |
repository.id |
additional |
target.resource.attribute.labels |
repository.issue_comment_url |
additional.fields |
target.resource.attribute.labels |
repository.issue_events_url |
additional.fields |
target.resource.attribute.labels |
repository.issues_url |
additional.fields |
target.resource.attribute.labels |
repository.keys_url |
additional.fields |
target.resource.attribute.labels |
repository.labels_url |
additional.fields |
target.resource.attribute.labels |
repository.languages_url |
additional.fields |
target.resource.attribute.labels |
repository.merges_url |
additional.fields |
target.resource.attribute.labels |
repository.milestones_url |
additional.fields |
target.resource.attribute.labels |
repository.name |
additional.fields |
target.resource.attribute.labels |
repository.node_id |
additional.fields |
target.resource.attribute.labels |
repository.notifications_url |
additional.fields |
target.resource.attribute.labels |
repository.owner.avatar_url |
additional.fields |
target.resource.attribute.labels |
repository.owner.events_url |
additional.fields |
target.resource.attribute.labels |
repository.owner.followers_url |
additional.fields |
target.resource.attribute.labels |
repository.owner.following_url |
additional.fields |
target.resource.attribute.labels |
repository.owner.gists_url |
additional.fields |
target.resource.attribute.labels |
repository.owner.gravatar_id |
additional.fields |
target.resource.attribute.labels |
repository.owner.html_url |
additional.fields |
target.resource.attribute.labels |
repository.owner.id |
additional.fields |
target.resource.attribute.labels |
repository.owner.node_id |
additional.fields |
target.resource.attribute.labels |
repository.owner.organizations_url |
additional.fields |
target.resource.attribute.labels |
repository.owner.received_events_url |
additional.fields |
target.resource.attribute.labels |
repository.owner.repos_url |
additional.fields |
target.resource.attribute.labels |
repository.owner.site_admin |
additional.fields |
target.resource.attribute.labels |
repository.owner.starred_url |
additional.fields |
target.resource.attribute.labels |
repository.owner.subscriptions_url |
additional.fields |
target.resource.attribute.labels |
repository.owner.type |
additional.fields |
target.resource.attribute.labels |
repository.owner.url |
additional.fields |
target.resource.attribute.labels |
repository.owner.user_view_type |
additional.fields |
target.resource.attribute.labels |
repository.private |
additional.fields |
target.resource.attribute.labels |
repository.pulls_url |
additional.fields |
target.resource.attribute.labels |
repository.pushed_at |
additional.fields |
target.resource.attribute.labels |
repository.releases_url |
additional.fields |
target.resource.attribute.labels |
repository.size |
additional.fields |
target.resource.attribute.labels |
repository.ssh_url |
additional.fields |
target.resource.attribute.labels |
repository.stargazers_url |
additional.fields |
target.resource.attribute.labels |
repository.statuses_url |
additional.fields |
target.resource.attribute.labels |
repository.subscribers_url |
additional.fields |
target.resource.attribute.labels |
repository.subscription_url |
additional.fields |
target.resource.attribute.labels |
repository.svn_url |
additional.fields |
target.resource.attribute.labels |
repository.tags_url |
additional.fields |
target.resource.attribute.labels |
repository.teams_url |
additional.fields |
target.resource.attribute.labels |
repository.trees_url |
additional.fields |
target.resource.attribute.labels |
repository.updated_at |
additional.fields |
target.resource.attribute.labels |
repository.url |
additional.fields |
target.resource.attribute.labels |
repository.visibility |
additional.fields |
target.resource.attribute.labels |
repository_public |
additional.fields |
target.resource.attribute.labels |
res_type |
target.resource.type |
target.resource.resource_subtype |
sender.id |
src.user.product_object_id, additional.fields |
src.user.product_object_id |
sender.login |
additional.fields, src.user.user_display_name |
src.user.user_display_name |
sender.node_id |
src.asset_id, additional.fields |
src.asset_id |
sender.type |
src.user.title, additional.fields |
src.user.title |
sender.url |
src.url, additional.fields |
src.url |
workflow.name |
security_result.about.labels |
target.resource.attribute.labels |
workflow_job.head_branch |
security_result.about.labels |
security_result.detection_fields |
workflow_job.workflow_name |
security_result.about.labels |
security_result.detection_fields |
workflow_run.event |
additional.fields |
target.resource.attribute.labels |
workflow_run.head_branch |
security_result.about.labels |
target.resource.attribute.labels |
workflow_run.workflow_id |
security_result.about.labels |
target.resource.attribute.labels |
Delta der Bedingungen für Ereignistypen
Die Bedingungen, die Google SecOps-Ereignistypen bestimmen, wurden in der Version vom 8. Januar 2026 geändert.
In der folgenden Tabelle sind die Ereignistypen und die aktuellen Bedingungen aufgeführt (die Bedingungen waren vor dem Release am 8. Januar 2026 anders):
| event_type | Conditions |
|---|---|
NETWORK_CONNECTION |
[has_target] == "true" && [has_principal] == "true" |
STATUS_UPDATE |
[has_principal] == "true" |
USER_RESOURCE_DELETION |
[has_target_resource] == "true" && [has_principal_user] == "true" && [action] in ["hook.destroy" ,"protected_branch.destroy" ,"public_key.delete"] |
USER_RESOURCE_UPDATE_CONTENT |
[has_target_resource] == "true" && [has_principal_userid] == "true" && [action] in [ "pull_request.merge" , "hook.events_changed"] |
USER_RESOURCE_UPDATE_PERMISSIONS |
[has_target_resource] == "true" && [has_principal_userid] == "true" && [action] in ["repo.update_actions_secret","protected_branch.update_pull_request_reviews_enforcement_level", "org.update_member" ,"protected_branch.update_admin_enforced" ,"protected_branch.update_required_status_checks_enforcement_level","org.integration_manager_removed" ,"repo.update_member", "repo.add_member"] |
Delta der Tastenbelegung
In der folgenden Tabelle ist das Delta für die Zuordnung von Schlüsseln in Rohlogfeldern zu Schlüsseln in UDM-Feldern aufgeführt, die vor dem 8. Januar 2026 und danach verfügbar gemacht wurden (in den Spalten Alter Schlüssel bzw. Aktueller Schlüssel):
| Schlüssel im Rohlog | Alter Schlüssel | Aktueller Schlüssel |
|---|---|---|
alert.secret_type_display_name |
secret_type_display_name |
alert_secret_type_display_name |
enterprise.name |
Enterprise Name |
enterprise_name |
hook_id |
Hook Id |
Hook_Id |
invitation.failed_at |
failed_at |
invitation_failed_at |
invitation.failed_reason |
failed_reason |
invitation_failed_reason |
invitation.invitation_source |
invitation_source |
invitation_invitation_source |
raw.failure_reason |
failure_reason |
raw_failure_reason |
raw.failure_type |
failure_type |
raw_failure_type |
raw.from |
from |
raw_from |
workflow_run.event |
event |
workflow_run_event |
workflow_run.head_branch |
Head Branch |
Head_Branch |
workflow_run.id |
workflow_run_id |
workflow_Run_id |
workflow_run.workflow_id |
Workflow Id |
Workflow_Id |
Benötigen Sie weitere Hilfe? Antworten von Community-Mitgliedern und Google SecOps-Experten erhalten