Collect Wiz logs

Supported in:

Google secops SIEM

This document explains how to ingest Wiz logs into Google Security Operations. The parser transforms Wiz JSON formatted logs into a Unified Data Model (UDM). It first initializes default values for UDM fields, then parses the JSON message, extracts relevant fields like user information, location, device details, and security outcomes.

Wiz is a cloud security platform that delivers agentless, end-to-end visibility and risk prioritization across Google Cloud, AWS, Azure, OCI, and Kubernetes environments.

Before you begin

Make sure you have the following prerequisites:

Google SecOps instance
Privileged access to Wiz

Get Google SecOps customer ID

Sign in to the Google SecOps console.
Go to SIEM Settings > Profile.
Copy and save the Customer ID from the Organization Details section.

Get Google SecOps ingestion authentication file

Sign in to the Google SecOps console.
Go to SIEM Settings > Collection Agents.
Download the Ingestion Authentication File and save the file in a secure location.

Configure the integration in Wiz

Sign in to the Wiz web UI.
Go to the Connect to Wiz page.
Click Google SecOps (Chronicle).
Enter a name for the Google SecOps integration.
Select the Scope.
Enter your Google SecOps Customer ID.
Enter your Google SecOps instance endpoint address, which are listed in Regional Endpoints.

Note: Wiz uses the standard Google SecOps Ingestion API, not the Chronicle API ingestion methods.
Upload the Ingestion Authentication File.
Click Save.

Add an automation rule for Google Security Operations

Add an automation rule to push Wiz Issues or Detections to Google SecOps when specified criteria are met.

To add an automation rule, do the following:

On the Policies > Automation Rules page, click Add Rule.
Enter a short but meaningful Name.
Optional: Enter a longer Description.
Select a Scope.
Under Rule Conditions, select when the rule should be triggered:
- Issues trigger
- Detection trigger
Choose the Native data format.
- Native: this is the option that Google recommends. The Native data format is a Wiz schema that includes fields like category, trigger source, projects.
- OCSF: output events in the Open Cybersecurity Schema Framework format.
We recommend that you select the Include the Issue's evidence checkbox.
Optional: Under Labels, click Add.
IF: Click Add filter, then define the filter criteria. Repeat for each additional filter.
THEN: Do the following to trigger the Automated Platform Action for the automation rule:
1. Click Add action.
2. From the list of configured integrations, select the integrations that apply to the trigger you selected.
3. Optional: Modify the default Action Configuration. If the selected integration supports Action Configuration, you're able to:
  - Use an existing Action template by clicking Load from template, selecting an Action template, and then clicking Use template.
  - Modify the Action parameters.
4. Save your modifications by clicking Save as template, entering a Template name, selecting a Project Scope, and clicking Save.
5. Optional: Click Test to validate the Automation Rule using the selected integration and mock data.
6. Click Add Action.
7. Optional: Click Add Action again to add up to ten Actions.
We recommend that you go to the bottom of the page to preview past matches for the selected IF filters. Verify that the filter results match your expectations.

Note: The new automation rule won't run for all existing matches shown in the preview, only for future matches that meet the selected criteria. Using some filter conditions, like the IS NOT operator, won't generate a preview of matches.
Click Add Rule.

UDM mapping table

The following table applies to the WIZ_IO log type. For the OCSF log type, refer to Collect OCSF logs.

Log field	UDM mapping	Comment
`account.cloudPlatform`	`additional.fields` (key = "cloudAccount_cloudPlatform")	Inside for account in cloudAccounts loop
`account.externalId`	`target.cloud.project.id`	Inside for account in cloudAccounts loop
`account.id`	`target.resource.attribute.labels` (key = "cloudAccount_id")	Inside for account in cloudAccounts loop
`account.name`	`target.cloud.project.name`	Inside for account in cloudAccounts loop
`action`	`metadata.product_event_type`	If has_user == "true" and action == "Login": metadata.event_type is set to USER_LOGIN, extensions.auth.type is set to AUTHTYPE_UNSPECIFIED
`actionParameters.clientID`	`additional.fields` (key = "client ID")
`actionParameters.clientID`	`principal.group.product_object_id`
`actionParameters.groups`	`security_result.detection_fields` (key = "service_account_group")	Iterates through the array
`actionParameters.input.patch.portalVisitHistory.dateTime`	`additional.fields` (key = "dateTime {index}")	Iterated within the array.
`actionParameters.input.patch.portalVisitHistory.id`	`principal.resource.attribute.labels` (key = "id {index}")	Iterated within the array.
`actionParameters.input.patch.portalVisitHistory.name`	`principal.resource.attribute.labels` (key = "name {index}")	Iterated within the array.
`actionParameters.input.patch.portalVisitHistory.resourceName`	`principal.resource.attribute.labels` (key = "resourceName {index}")	Iterated within the array.
`actionParameters.input.patch.portalVisitHistory.resourceType`	`principal.resource.attribute.labels` (key = "resourceType {index}")	Iterated within the array.
`actionParameters.input.patch.portalVisitHistory.ruleType`	`principal.resource.attribute.labels` (key = "ruleType {index}")	Iterated within the array.
`actionParameters.input.patch.portalVisitHistory.type`	`additional.fields` (key = "type {index}")	Iterated within the array.
`actionParameters.name`	`target.user.user_display_name`
`actionParameters.products`	`security_result.detection_fields` (key = "service_account_product")	Iterates through the array, skipping empty or "*" values
`actionParameters.role`	`target.user.attribute.roles`
`actionParameters.scopes`	`security_result.detection_fields` (key = "service_account_scope")	Iterated, each scope added as a separate key-value pair.
`actionParameters.selection.preferences`	`additional.fields` (key = "Preferences")	Iterated, values are added as a list of strings.
`actionParameters.userEmail`	`target.user.email_addresses`
`actionParameters.userID`	`target.user.userid`
`actionParameters.userpoolID`	`additional.fields` (key = "UserPool ID")
`actionParameters.userPoolType`	`additional.fields` (key = "UserPool Type")
`actor.displayName`	`target.user.user_display_name`
`actor.id`	`target.user.userid`
`actors.externalId`	`intermediary.ip`, `intermediary.asset.ip`	Iterates through actors.
`actors.id`	`additional.fields` (key = "actor_id: %{index}")	Iterates through actors.
`actors.name`	`target.ip`, `target.asset.ip`	Iterates through actors.
`actors.type`	`target.resource.attribute.labels` (key = "actor_type: %{index}")	Iterates through actors.
`authenticationContext.authenticationProvider`	`security_result.detection_fields` (key = "authenticationProvider")	Merged into security_result.detection_fields.
`authenticationContext.credentialProvider`	`security_result.detection_fields` (key = "credentialProvider")	Merged into security_result.detection_fields.
`authenticationContext.credentialType`	`extensions.auth.mechanism`	Logic: "OTP" for SMS/EMAIL, "USERNAME_PASSWORD" for PASSWORD.
`authenticationContext.externalSessionId`	`network.parent_session_id`
`client.device`	`principal.asset.type`	Conditionally mapped based on regex.
`client.geographicalContext.city`	`principal.location.city`
`client.geographicalContext.country`	`principal.location.country_or_region`
`client.geographicalContext.geolocation.lat`	`principal.location.region_latitude`
`client.geographicalContext.geolocation.lon`	`principal.location.region_longitude`
`client.geographicalContext.postalCode`	`additional.fields` (key = "Postal code")
`client.geographicalContext.state`	`principal.location.state`
`client.ipAddress`	`principal.ip`, `principal.asset.ip`
`client.userAgent.browser`	`target.resource.attribute.labels` (key = "Browser")
`client.userAgent.os`	`principal.platform`	Mapped to LINUX, WINDOWS, or MAC.
`client.userAgent.rawUserAgent`	`network.http.user_agent`, `network.http.parsed_user_agent`
`control.description`	`security_result.detection_fields` (key = "control_description")
`control.id`	`security_result.detection_fields` (key = "control_id")
`control.IssueURL`	`security_result.url_back_to_product`
`control.name`	`security_result.detection_fields` (key = "control_name")
`control.resolutionRecommendation`	`security_result.detection_fields` (key = "control_resolution")
`control.risks`	`security_result.detection_fields` (key = "risk {i}")	Iterates through the array
`control.securitySubCategories.category.framework.name`	`security_result.detection_fields` (key = "framework_name")	Loop processes subcategories array.
`control.securitySubCategories.category.name`	`security_result.category_details`	Loop processes subcategories array.
`control.securitySubCategories.title`	`security_result.summary`	Loop processes subcategories array.
`control.severity`	`security_result.severity`	Conditionally sets HIGH, MEDIUM, or LOW.
`createdAt`	`metadata.event_timestamp`
`debugContext.debugData.behaviors`	`security_result.description`
`debugContext.debugData.deviceFingerprint`	`target.asset.asset_id`	Prepended with "device_finger_print:"
`debugContext.debugData.dtHash`	`security_result.detection_fields` (key = "dtHash")
`debugContext.debugData.factor`	`security_result.detection_fields` (key = "factor")
`debugContext.debugData.promptingPolicyTypes`	`security_result.detection_fields` (key = "promptingPolicyTypes")
`debugContext.debugData.requestUri`	`extensions.auth.auth_details`
`description`	`security_result.description`
`detection.actors.externalId`	`principal.user.userid`	iterating over detection.actors
`detection.actors.externalId`	`target.user.userid`	iterating over detection.actors
`detection.actors.id`	`principal.user.product_object_id`	iterating over detection.actors
`detection.actors.id`	`target.user.product_object_id`	iterating over detection.actors
`detection.actors.name`	`principal.user.user_display_name`	iterating over detection.actors
`detection.actors.name`	`target.user.user_display_name`	iterating over detection.actors
`detection.actors.nativeType`	`principal.user.attribute.labels` (key = "actor_nativeType {index}")	iterating over detection.actors
`detection.actors.nativeType`	`target.user.attribute.labels` (key = "primaryActor_nativeType {index}")	iterating over detection.actors
`detection.actors.type`	`security_result.detection_fields` (key = "actor_type {index}")	iterating over detection.actors
`detection.actors.type`	`security_result.detection_fields` (key = "primary_actor_type {index}")	iterating over detection.actors
`detection.cloudAccounts.cloudPlatform`	`additional.fields` (key = "detection_cloudAccount_cloudPlatform {i}")	Iterates through the array
`detection.cloudAccounts.externalId`	`additional.fields` (key = "detection_cloudAccount_externalId {i}")	Iterates through the array
`detection.cloudAccounts.id`	`additional.fields` (key = "detection_cloudAccount_id {i}")	Iterates through the array
`detection.cloudAccounts.name`	`additional.fields` (key = "detection_cloudAccount_name {i}")	Iterates through the array
`detection.cloudOrganizations`	`principal.resource.attribute.labels` (key = "detectioncloudOrganization{index}")
`detection.createdAt`	`additional.fields` (key = "detection_createdAt")
`detection.description`	`security_result.description`
`detection.detectionURL`	`security_result.url_back_to_product`
`detection.id`	`metadata.product_log_id`
`detection.mitreTactics`	`additional.fields` (key = "mitre_tactic {i}")	Iterates through the array
`detection.mitreTechniques`	`additional.fields` (key = "mitre_technique {i}")	Iterates through the array
`detection.primaryActor.actingAs.externalId`	`principal.resource.attribute.labels` (key = "detection_primaryActor_actingAs_externalId")
`detection.primaryActor.actingAs.id`	`principal.resource.attribute.labels` (key = "detection_primaryActor_actingAs_id")
`detection.primaryActor.actingAs.name`	`principal.resource.attribute.labels` (key = "detection_primaryActor_actingAs_name")
`detection.primaryActor.actingAs.providerUniqueId`	`principal.resource.attribute.labels` (key = "detection_primaryActor_actingAs_providerUniqueId")
`detection.primaryActor.actingAs.type`	`principal.resource.attribute.labels` (key = "detection_primaryActor_actingAs_type")
`detection.primaryResource.externalId`	`target.resource.product_object_id`
`detection.primaryResource.id`	`additional.fields` (key = "detection_primaryResource_id")
`detection.primaryResource.name`	`target.hostname`, `target.asset.hostname`
`detection.primaryResource.type`	`additional.fields` (key = "detection_primaryResource_type")
`detection.primaryResource.type`	`target.resource.resource_type`	Set to VIRTUAL_MACHINE if type matches criteria.
`detection.resources.cloudProviderURL`	`target.resource.attribute.labels` (key = "detection_resource_cloudProviderURL {i}")	Iterates through detection.resources array
`detection.resources.externalId`	`security_result.about.resource.attribute.labels` (key = "detection_resource_externalId {i}")	Iterates through detection.resources array
`detection.resources.id`	`security_result.about.resource.attribute.labels` (key = "detection_resource_id {i}")	Iterates through detection.resources array
`detection.resources.kubernetesCluster.externalId`	`target.resource.attribute.labels` (key = "kubernetesClusterexternalId{i}")	Iterates through detection.resources array
`detection.resources.kubernetesCluster.id`	`target.resource.attribute.labels` (key = "kubernetesClusterid{i}")	Iterates through detection.resources array
`detection.resources.kubernetesnamespace.id`	`additional.fields` (key = "kubernetesnamespaceid{i}")	Iterates through detection.resources array
`detection.resources.name`	`security_result.about.resource.attribute.labels` (key = "detection_resource_name {i}")	Iterates through detection.resources array
`detection.resources.nativeType`	`security_result.about.resource.attribute.labels` (key = "detection_resource_nativeType {i}")	Iterates through detection.resources array
`detection.resources.region`	`security_result.about.resource.attribute.labels` (key = "detection_resource_region {i}")	Iterates through detection.resources array
`detection.resources.status`	`target.resource.attribute.labels` (key = "detection_resource_status {i}")	Iterates through detection.resources array
`detection.resources.type`	`security_result.about.resource.attribute.labels` (key = "detection_resource_type {i}")	Iterates through detection.resources array
`detection.tdrId`	`additional.fields` (key = "detection_tdr_id")
`detection.tdrSource`	`additional.fields` (key = "detection_tdr_source")
`detection.threatId`	`security_result.threat_id`
`detection.threatURL`	`security_result.detection_fields` (key = "threatURL")
`detection.timeframe.end`	`metadata.collected_timestamp`
`detection.timeframe.start`	`metadata.event_timestamp`
`detection.title`	`security_result.rule_name`
`detection.triggeringEvents.actor.externalId`	`security_result.detection_fields` (key = "detection_triggeringEvent_actor_externalId {index}")	Iterates through triggeringEvents
`detection.triggeringEvents.actor.id`	`security_result.detection_fields` (key = "detection_triggeringEvent_actor_id {index}")	Iterates through triggeringEvents
`detection.triggeringEvents.actor.name`	`security_result.detection_fields` (key = "detection_triggeringEvent_actor_name {index}")	Iterates through triggeringEvents
`detection.triggeringEvents.actor.type`	`security_result.detection_fields` (key = "detection_triggeringEvent_actor_type {index}")	Iterates through triggeringEvents
`detection.triggeringEvents.actorIP`	`principal.ip` & `principal.asset.ip`	Iterates through triggeringEvents.
`detection.triggeringEvents.actorIP`	`principal.resource.attribute.labels` (key = "detection_triggeringEvent_actorIP {index}")	Iterates through triggeringEvents.
`detection.triggeringEvents.actorIPMeta.autonomousSystemNumber`	`additional.fields` (key = "detection_triggeringEvent_actorIPMeta_autonomousSystemNumber {index}")	Iterates through triggeringEvents
`detection.triggeringEvents.actorIPMeta.autonomousSystemOrganization`	`additional.fields` (key = "detection_triggeringEvent_actorIPMeta_autonomousSystemOrganization {index}")	Iterates through triggeringEvents
`detection.triggeringEvents.actorIPMeta.country`	`additional.fields` (key = "detection_triggeringEvent_actorIPMeta_country {index}")	Iterates through triggeringEvents
`detection.triggeringEvents.actorIPMeta.isForeign`	`additional.fields` (key = "detection_triggeringEvent_actorIPMeta_isForeign {index}")	Iterates through triggeringEvents
`detection.triggeringEvents.actorIPMeta.reputation`	`security_result.about.resource.attribute.labels` (key = "detection_triggeringEvent_actorIPMeta_reputation {index}")	Iterates through triggeringEvents
`detection.triggeringEvents.actorIPMeta.reputationSource`	`additional.fields` (key = "detection_triggeringEvent_actorIPMeta_reputationSource {index}")	Iterates through triggeringEvents
`detection.triggeringEvents.category`	`additional.fields` (key = "detection_triggeringEvent_category {index}")	Iterates through triggeringEvents
`detection.triggeringEvents.cloudPlatform`	`additional.fields` (key = "detection_triggeringEvent_cloudPlatform {index}")	Iterates through triggeringEvents
`detection.triggeringEvents.cloudProviderUrl`	`target.url`	Iterates through triggeringEvents
`detection.triggeringEvents.description`	`metadata.description`	Iterates through triggeringEvents
`detection.triggeringEvents.eventTime`	`additional.fields` (key = "detection_triggeringEvent_eventTime {index}")	Iterates through triggeringEvents
`detection.triggeringEvents.externalId`	`additional.fields` (key = "detection_triggeringEvent_externalId {index}")	Iterates through triggeringEvents
`detection.triggeringEvents.id`	`additional.fields` (key = "detection_triggeringEvent_id {index}")	Iterates through triggeringEvents
`detection.triggeringEvents.name`	`additional.fields` (key = "detection_triggeringEvent_name {index}")	Iterates through triggeringEvents
`detection.triggeringEvents.origin`	`additional.fields` (key = "detection_triggeringEvent_origin {index}")	Iterates through triggeringEvents
`detection.triggeringEvents.runtimeDetails.currentWorkingDirectory`	`additional.fields` (key = "detection_triggeringEvent_runtimeDetails_currentWorkingDirectory {index}")	Iterates through triggeringEvents
`detection.triggeringEvents.runtimeDetails.processTree[0].path`	`principal.process.file.full_path`	Iterates through triggeringEvents. Overwrites index 0/1 logic.
`detection.triggeringEvents.runtimeDetails.processTree[0].username`	`additional.fields` (key = "detection_triggeringEvent_runtimeDetails_username {index}")	Iterates through triggeringEvents.
`detection.triggeringEvents.runtimeDetails.processTree[1].hash`	`additional.fields` (key = "detection_triggeringEvent_runtimeDetails_hash {index}")	Iterates through triggeringEvents.
`detection.triggeringEvents.runtimeDetails.processTree[2].path`	`principal.process.parent_process.file.full_path`	Iterates through triggeringEvents
`detection.triggeringEvents.source`	`additional.fields` (key = "detection_triggeringEvent_source {index}")	Iterates through triggeringEvents
`detection.triggeringEvents.status`	`additional.fields` (key = "detection_triggeringEvent_status {index}")	Iterates through triggeringEvents
`detection.triggeringEvents[0].runtimeDetails.processTree[0].command`	`target.process.command_line`	Only for first triggeringEvent and first processTree element
`detection.triggeringEvents[0].runtimeDetails.processTree[0].hash`	`target.process.file.sha1`	Only for first triggeringEvent and first processTree element
`detection.triggeringEvents[0].runtimeDetails.processTree[0].path`	`target.process.file.full_path`	Only for first triggeringEvent and first processTree element
`detection.triggeringEvents[0].runtimeDetails.processTree[0].size`	`target.process.file.size`	Only for first triggeringEvent and first processTree element
`detection.triggeringEvents[0].runtimeDetails.processTree[0].username`	`principal.user.userid`	Only for first triggeringEvent and first processTree element
`detection.triggeringEvents[0].runtimeDetails.processTree[1].command`	`principal.process.command_line`	Only for first triggeringEvent and second processTree element.
`detection.triggeringEvents[0].runtimeDetails.processTree[1].hash`	`principal.process.file.sha1`	Only for first triggeringEvent and second processTree element.
`detection.triggeringEvents[0].runtimeDetails.processTree[1].path`	`principal.process.file.full_path`	Only for first triggeringEvent and second processTree element.
`detection.triggeringEvents[0].runtimeDetails.processTree[1].size`	`principal.process.file.size`	Only for first triggeringEvent and second processTree element.
`detection.triggeringEventsCount`	`additional.fields` (key = "triggering_events_count")
`DetectionURL`	`security_result.url_back_to_product`
`dueAt`	`additional.fields` (key = "due_at")
`entitySnapshot.cloudPlatform`	`principal.cloud.vpc.name`
`entitySnapshot.externalId`	`principal.group.product_object_id`
`entitySnapshot.id`	`principal.asset_id`
`entitySnapshot.name`	`principal.cloud.project.name`
`entitySnapshot.nativeType`	`principal.cloud.project.resource_subtype`
`entitySnapshot.providerId`	`principal.cloud.vpc.id`
`entitySnapshot.status`	`security_result.action_details`
`entitySnapshot.tags.io.cri-containerd.kind`	`target.resource.attribute.labels` (key = "Containerd Kind")
`entitySnapshot.tags.io.kubernetes.container.name`	`target.resource.attribute.labels` (key = "Container Name")
`entitySnapshot.tags.io.kubernetes.pod.name`	`target.resource.attribute.labels` (key = "Pod Name")
`entitySnapshot.tags.io.kubernetes.pod.namespace`	`principal.namespace`
`entitySnapshot.tags.io.kubernetes.pod.namespace`	`target.resource.attribute.labels` (key = "Pod Namespace")
`entitySnapshot.tags.io.kubernetes.pod.uid`	`target.resource.attribute.labels` (key = "Pod Id")
`entitySnapshot.tags.maintainer`	`target.resource.attribute.labels` (key = "Maintainer")
`entitySnapshot.type`	`principal.cloud.project.id`
`eventType`	`metadata.product_event_type`
`eventType` (specific values)	`extensions.auth.mechanism`	Merged with auth_type for login types.
`Hardcoded to "WIZ_IO"`	`metadata.product_name`
`Hardcoded to "WIZ_IO"`	`metadata.vendor_name`
`id`	`metadata.product_log_id`
`issue.created`	`metadata.event_timestamp`
`issue.id`	`metadata.product_log_id`
`issue.projects`	`additional.fields` (key = "issue_projects")
`issue.severity`	`Sets intermediate variable severity`	Sets to INFORMATIONAL if condition matches.
`issue.status`	`security_result.action_details`
`issue.status`	`security_result.action_details`	Mapped only if status is "OPEN"
`metadata_data.version`	`metadata.product_version`
`mitreTactics` (array element)	`additional.fields` (key = "mitre_tactic %{i}")	Iterates through the array.
`mitreTechniques` (array element)	`additional.fields` (key = "mitre_technique %{i}")	Iterates through the array.
`outcome.reason`	`security_result.category_details`
`outcome.result`	`security_result.action`	Indirect mapping to ALLOW, CHALLENGE, or BLOCK.
`primaryActor.actingAs`	`additional.fields` (key = "primaryActor_actingAs")
`primaryActor.email`	`additional.fields` (key = "primaryActor_email")
`primaryActor.externalId`	`principal.ip`, `principal.asset.ip`
`primaryActor.id`	`additional.fields` (key = "primaryActor_id")
`primaryActor.name`	`target.ip`, `target.asset.ip`
`primaryActor.nativeType`	`additional.fields` (key = "primaryActor_nativeType")
`primaryActor.providerUniqueId`	`additional.fields` (key = "primaryActor_providerUniqueId")
`primaryActor.type`	`principal.resource.type`
`primaryResource.cloudAccount.cloudPlatform`	`additional.fields` (key = "primaryResourceCloudPlatform")
`primaryResource.cloudAccount.externalId`	`target.cloud.project.id`
`primaryResource.cloudAccount.id`	`additional.fields` (key = "primaryResourceCloudAccountId")
`primaryResource.cloudAccount.name`	`target.cloud.project.name`
`primaryResource.cloudProviderURL`	`target.url`
`primaryResource.externalId`	`additional.fields` (key = "primaryResourceExternalId")
`primaryResource.id`	`target.resource.id`
`primaryResource.name`	`target.resource.name`
`primaryResource.nativeType`	`additional.fields` (key = "primaryResourceNativeType")
`primaryResource.region`	`target.asset.location.country_or_region`
`primaryResource.type`	`target.resource.type`
`process.command`	`target.resource.attribute.labels` (key = "processcommand{process_index}")
`process.container.externalId`	`target.resource.attribute.labels` (key = "containerexternalId{process_index}")
`process.container.id`	`target.resource.attribute.labels` (key = "process_containerid{process_index}")
`process.container.imageExternalId`	`target.resource.attribute.labels` (key = "containerimageExternalId{process_index}")
`process.container.imageId`	`target.resource.attribute.labels` (key = "containerimageId{process_index}")
`process.container.name`	`target.resource.attribute.labels` (key = "process_containername{process_index}")
`process.currentWorkingDirectory`	`target.resource.attribute.labels` (key = "currentWorkingDirectory_{process_index}")
`process.hash`	`target.resource.attribute.labels` (key = "processhash{process_index}")
`process.id`	`target.resource.attribute.labels` (key = "processid{process_index}")
`process.path`	`target.resource.attribute.labels` (key = "processpath{process_index}")
`process.size`	`target.process.file.size`
`process.userId`	`target.resource.attribute.labels` (key = "processuserId{process_index}")
`process.username`	`target.resource.attribute.labels` (key = "processusername{process_index}")
`requestId`	`metadata.product_log_id`
`resource.cloudAccount.cloudPlatform`	`additional.fields` (key = "cloudPlatform")	Part of object merged into repeated about field.
`resource.cloudAccount.externalId`	`additional.fields` (key = "cloudAccountExternalId")	Part of object merged into repeated about field.
`resource.cloudAccount.id`	`additional.fields` (key = "cloudAccountId")	Part of object merged into repeated about field.
`resource.cloudAccount.name`	`cloudAccountName`
`resource.cloudPlatform`	`additional.fields` (key = "resource_cloudPlatform")
`resource.cloudProviderURL`	`about.url`	Part of object merged into repeated about field.
`resource.cloudProviderURL`	`target.url`
`resource.externalId`	`additional.fields` (key = "externalId")	Part of object merged into repeated about field.
`resource.id`	`about.resource.product_object_id`	Part of object merged into repeated about field.
`resource.id`	`target.resource.id`
`resource.name`	`about.resource.name`	Part of object merged into repeated about field.
`resource.name`	`target.resource.name`
`resource.nativeType`	`about.resource.resource_subtype`	Part of object merged into repeated about field.
`resource.region`	`about.location.country_or_region`	Part of object merged into repeated about field.
`resource.region`	`target.asset.location.country_or_region`
`resource.region`	`target.location.country_or_region`
`resource.status`	`about.resource.attribute.labels` (key = "status")	Part of object merged into repeated about field.
`resource.status`	`target.resource.attribute.labels` (key = "status")
`resource.subscriptionId`	`target.cloud.project.id`
`resource.subscriptionName`	`target.cloud.project.name`
`resource.type`	`about.resource.type`	Part of object merged into repeated about field.
`resource.type`	`target.resource.type`
`serviceAccount.name`	`principal.application`	Only if action is "Report"
`sourceIP`	`principal.ip`, `principal.asset.ip`
`sourceRule.id`	`principal.user.userid`
`status`	`security_result.summary`
`statusChangedAt`	`additional.fields` (key = "status_changed_at")
`tdrId`	`security_result.detection_fields` (key = "tdrId")
`tdrSource`	`security_result.detection_fields` (key = "tdrSource")
`The detection.severity variable`	`security_result.severity`	Normalized (e.g., INFO -> LOW) then mapped.
`threat.actors.externalId`	`principal.user.email_addresses`	Iterates through threat.actors.
`threat.actors.id`	`principal.resource.attribute.labels` (key = "actor_id:%{index}")	Mapped for elements after first (index > 0).
`threat.actors.id`	`principal.resource.product_object_id`	Mapped for the first element (index 0).
`threat.actors.name`	`principal.user.email_addresses`	Iterates through threat.actors.
`threat.actors.nativeType`	`principal.resource.attribute.labels` (key = "actor_nativeType:%{index}")	Mapped for elements after first (index > 0).
`threat.actors.nativeType`	`principal.resource.resource_subtype`	Mapped for the first element (index 0).
`threat.actors.type`	`additional.fields` (key = "actor_type")	Iterates through threat.actors.
`threat.cloudAccounts`	`target.resource.attribute.labels` (key = "threat_cloudAccounts")
`threat.cloudOrganizations.cloudProvider`	`target.resource.attribute.labels` (key = "org_cloudProvider:%{index}")	Iterates through threat.cloudOrganizations.
`threat.cloudOrganizations.externalId`	`target.resource.attribute.labels` (key = "org_externalId:%{index}")	Iterates through threat.cloudOrganizations.
`threat.cloudOrganizations.id`	`target.resource.attribute.labels` (key = "org_id:%{index}")	Iterates through threat.cloudOrganizations.
`threat.cloudOrganizations.name`	`target.resource.attribute.labels` (key = "org_name:%{index}")	Iterates through threat.cloudOrganizations.
`threat.cloudPlatform`	`additional.fields` (key = "threat_cloudPlatform")
`threat.created`	`metadata.event_timestamp`
`threat.description`	`security_result.description`
`threat.detectionIds`	`additional.fields` (key = "detectionId")	Comma-separated string split into list.
`threat.id`	`metadata.product_log_id`
`threat.mitreTactics`	`additional.fields` (key = "tactic_vallabel{index}")	Iterates through the array.
`threat.mitreTechniques`	`additional.fields` (key = "technique_vallabel{i}")	Iterates through the array
`threat.notes`	`additional.fields` (key = "threat_notes")
`threat.projects`	`additional.fields` (key = "threat_projects")
`threat.resolutionNote`	`additional.fields` (key = "threat_resolutionNote")
`threat.resolvedAt`	`additional.fields` (key = "threat_resolvedAt")
`threat.resources.externalId`	`target.resource.attribute.labels` (key = "resource_externalId:%{index}")	Mapped for elements after first (index > 0).
`threat.resources.externalId`	`target.resource.product_object_id`	Mapped for the first element (index 0).
`threat.resources.id`	`target.resource.attribute.labels` (key = "resource_id:%{index}")	Iterates through threat.resources.
`threat.resources.name`	`target.resource.attribute.labels` (key = "resource_name:%{index}")	Mapped for elements after first (index > 0).
`threat.resources.name`	`target.resource.name`	Mapped for the first element (index 0).
`threat.resources.nativeType`	`target.resource.attribute.labels` (key = "resource_nativeType:%{index}")	Mapped for elements after first (index > 0).
`threat.resources.nativeType`	`target.resource.resource_subtype`	Mapped for the first element (index 0).
`threat.resources.type`	`additional.fields` (key = "resource_type")	Iterates through threat.resources.
`threat.severity`	`security_result.severity`	Indirectly normalized (e.g., INFO -> LOW).
`threat.status`	`security_result.action_details`
`threat.tdrNames`	`additional.fields` (key = "tdrName")	Comma-separated string split into list.
`threat.threatURL`	`security_result.url_back_to_product`
`threat.title`	`metadata.description`
`threat.updatedAt`	`additional.fields` (key = "threat_updatedAt")
`threatId`	`security_result.threat_id`
`threatURL`	`security_result.detection_fields` (key = "threatURL")
`timeframe.end`	`additional.fields` (key = "timeframe_end")
`timeframe.start`	`metadata.collected_timestamp`
`timestamp`	`metadata.event_timestamp`
`title`	`security_result.summary`
`trigger.changedBy`	`principal.user.product_object_id`
`trigger.ruleId`	`security_result.rule_id`
`trigger.ruleName`	`additional.fields` (key = "rule_name")
`trigger.source`	`metadata.product_event_type`
`trigger.type`	`additional.fields` (key = "trigger_type")
`trigger.updatedFields`	`additional.fields` (key = "updated_fields")
`triggeringEvents.actor.id`	`principal.user.userid`	Mapped within the triggeringEvents loop.
`triggeringEvents.actor.name`	`about.user.user_display_name`	Mapped within triggeringEvents loop; merged.
`triggeringEvents.actor.type`	`about.resource.type`	Mapped within triggeringEvents loop; merged.
`triggeringEvents.actorIP`	`observer.ip`	Mapped within the triggeringEvents loop.
`triggeringEvents.actorIPMeta.autonomousSystemNumber`	`principal.labels` (key = "actorIP_autonomousSystemNumber")	Mapped within the triggeringEvents loop.
`triggeringEvents.actorIPMeta.autonomousSystemOrganization`	`principal.labels` (key = "actorIP_autonomousSystemOrganization")	Mapped within the triggeringEvents loop.
`triggeringEvents.actorIPMeta.country`	`principal.asset.location.country_or_region`	Mapped within the triggeringEvents loop.
`triggeringEvents.actorIPMeta.isForeign`	`principal.labels` (key = "actorIP_isForeign")	Mapped within the triggeringEvents loop.
`triggeringEvents.actorIPMeta.reputation`	`principal.labels` (key = "actorIP_reputation")	Mapped within the triggeringEvents loop.
`triggeringEvents.actorIPMeta.reputationSource`	`principal.labels` (key = "actorIP_reputationSource")	Mapped within the triggeringEvents loop.
`triggeringEvents.category`	`about.resource.attribute.labels` (key = "triggeringEvent_category")	Mapped within triggeringEvents loop; merged.
`triggeringEvents.cloudPlatform`	`security_result.detection_fields` (key = "triggeringEvent_cloudPlatform")	Mapped within the triggeringEvents loop.
`triggeringEvents.cloudProviderUrltarget.url`	`Mapped within the triggeringEvents loop.`
`triggeringEvents.description`	`metadata.description`	Mapped within the triggeringEvents loop.
`triggeringEvents.eventTime`	`about.resource.attribute.labels` (key = "triggeringEvent_eventTime")	Mapped within triggeringEvents loop; merged.
`triggeringEvents.externalId`	`principal.resource.product_object_id`	Mapped within the triggeringEvents loop.
`triggeringEvents.id`	`metadata.product_log_id`	Mapped within the triggeringEvents loop.
`triggeringEvents.name`	`security_result.summary`	Mapped within the triggeringEvents loop.
`triggeringEvents.origin`	`about.resource.attribute.labels` (key = "triggeringEvent_origin")	Mapped within triggeringEvents loop; merged.
`triggeringEvents.resources.externalId`	`about.resource.attribute.labels` (key = "externalId")	Mapped within loops; merged into about array.
`triggeringEvents.resources.id`	`about.resource.product_object_id`	Mapped within loops; merged into about array.
`triggeringEvents.resources.name`	`about.resource.name`	Mapped within loops; merged into about array.
`triggeringEvents.resources.nativeType`	`about.resource.resource_subtype`	Mapped within loops; merged into about array.
`triggeringEvents.resources.region`	`about.location.country_or_region`	Mapped within loops; merged into about array.
`triggeringEvents.resources.type`	`about.resource.type`	Mapped within loops; merged into about array.
`triggeringEvents.source`	`additional.fields` (key = "triggeringEvent_source")	Mapped within the triggeringEvents loop.
`triggeringEvents.status`	`security_result.action_details`	Mapped within the triggeringEvents loop.
`triggeringEventsCount`	`additional.fields` (key = "triggeringEventsCount")
`type`	`metadata.product_event_type`
`updatedAt`	`additional.fields` (key = "updated_at")
`version`	`security_result.detection_fields` (key = "version")

Event mapping table

eventType from log	Old event_type	Current event_type
`if [eventType] == "user.session.end"`	`metadata.event_type`	`"USER_LOGOUT"`
`if [eventType] in ["user.authentication.auth_via_AD_agent" , "user.authentication.auth_via_LDAP_agent"]`	`metadata.event_type`	`STATUS_UPDATE`
`if [eventType] in ["user.authentication.auth_via_mfa", "user.authentication.sso", "user.session.start","user.session.access_admin_app"]`	`metadata.event_type`	`USER_LOGIN`
`if [has_principal] == "true"`	`metadata.event_type`	`"STATUS_UPDATE"`
`if [has_resource] == "true"`	`metadata.event_type`	`USER_RESOURCE_ACCESS`
`if [has_user] == "true"`	`metadata.event_type`	`USER_UNCATEGORIZED`
`if [has_user] == "true" and [action] == "Login"`	`metadata.event_type`	`"USER_LOGIN"`
`if [has_user] == "true" and [action] == "Login"`	`event.idm.read_only_udm.extensions.auth.type`	`"AUTHTYPE_UNSPECIFIED"`
`if [has_user] == "true" and [event][idm][read_only_udm][metadata][event_type] == "GENERIC_EVENT"`	`metadata.event_type`	`USER_UNCATEGORIZED`
`else`	`metadata.event_type`	`GENERIC_EVENT`

Need more help? Get answers from Community members and Google SecOps professionals.