Zscaler Webproxy 로그 수집

다음에서 지원:

이 문서에서는 Google Security Operations 피드를 설정하여 Zscaler Webproxy 로그를 내보내는 방법과 로그 필드가 Google SecOps 통합 데이터 모델 (UDM) 필드에 매핑되는 방식을 설명합니다.

자세한 내용은 Google SecOps에 데이터 수집 개요를 참고하세요.

일반적인 배포는 Google SecOps에 로그를 전송하도록 구성된 Zscaler Webproxy 및 Google SecOps Webhook 피드로 구성됩니다. 고객 배포마다 다를 수 있으며 더 복잡할 수도 있습니다.

배포에는 다음 구성요소가 포함됩니다.

  • Zscaler Webproxy: 로그를 수집하는 플랫폼입니다.

  • Google SecOps 피드: Zscaler Webproxy에서 로그를 가져오고 로그를 Google SecOps에 작성하는 Google SecOps 피드입니다.

  • Google SecOps: 로그를 보관하고 분석합니다.

수집 라벨은 원시 로그 데이터를 구조화된 UDM 형식으로 정규화하는 파서를 식별합니다. 이 문서의 정보는 ZSCALER_WEBPROXY 수집 라벨이 있는 파서에 적용됩니다.

시작하기 전에

다음 기본 요건이 충족되었는지 확인합니다.

  • Zscaler Internet Access 콘솔에 대한 액세스 권한이 있어야 합니다. 자세한 내용은 보안 인터넷 및 SaaS 액세스 ZIA 도움말을 참고하세요.
  • Zscaler Webproxy 2024 이상
  • 배포 아키텍처의 모든 시스템은 UTC 시간대로 구성됩니다.
  • Google Security Operations에서 피드 설정을 완료하는 데 필요한 API 키입니다. 자세한 내용은 API 키 설정을 참고하세요.

피드 설정

Google SecOps 플랫폼에서 피드를 설정하는 방법은 두 가지입니다.

  • SIEM 설정 > 피드
  • 콘텐츠 허브 > 콘텐츠 팩

SIEM 설정 > 피드에서 피드 설정

이 제품군 내에서 다양한 로그 유형에 대해 여러 피드를 구성하려면 제품별 피드 구성을 참고하세요.

단일 피드를 구성하려면 다음 단계를 따르세요.

  1. SIEM 설정> 피드로 이동합니다.
  2. 새 피드 추가를 클릭합니다.
  3. 다음 페이지에서 단일 피드 구성을 클릭합니다.
  4. 피드 이름 필드에 피드 이름을 입력합니다(예: Zscaler Webproxy Logs).
  5. 소스 유형으로 웹훅을 선택합니다.
  6. 로그 유형으로 Zscaler를 선택합니다.
  7. 다음을 클릭합니다.
  8. 선택사항: 다음 입력 파라미터의 값을 입력합니다.
    1. 분할 구분 기호: 로그 줄을 구분하는 데 사용되는 구분 기호입니다. 구분자를 사용하지 않는 경우 비워 둡니다.
    2. 애셋 네임스페이스: 애셋 네임스페이스입니다.
    3. 수집 라벨: 이 피드의 이벤트에 적용할 라벨입니다.
  9. 다음을 클릭합니다.
  10. 새 피드 구성을 검토한 다음 제출을 클릭합니다.
  11. 보안 비밀 키 생성을 클릭하여 이 피드를 인증하기 위한 보안 비밀 키를 생성합니다.

콘텐츠 허브에서 피드 설정하기

다음 필드의 값을 지정합니다.

  • 분할 구분 기호: 로그 줄을 구분하는 데 사용되는 구분 기호입니다(예: \n).

고급 옵션

  • 피드 이름: 피드를 식별하는 미리 채워진 값입니다.
  • 소스 유형: Google SecOps로 로그를 수집하는 데 사용되는 방법입니다.
  • 애셋 네임스페이스: 애셋 네임스페이스입니다.
  • 수집 라벨: 이 피드의 이벤트에 적용된 라벨입니다.
  • 다음을 클릭합니다.
  • 확정 화면에서 피드 구성을 검토한 다음 제출을 클릭합니다.
  • 보안 비밀 키 생성을 클릭하여 이 피드를 인증하기 위한 보안 비밀 키를 생성합니다.

Zscaler Webproxy 설정

  1. Zscaler Internet Access 콘솔에서 Administration > Nanolog Streaming Service > Cloud NSS Feeds를 클릭한 다음 Add Cloud NSS Feed를 클릭합니다.
  2. Add Cloud NSS Feed 창이 표시됩니다. 클라우드 NSS 피드 추가 창에 세부정보를 입력합니다.
  3. 피드 이름 필드에 피드 이름을 입력합니다.
  4. NSS 유형에서 웹용 NSS를 선택합니다.
  5. 상태 목록에서 상태를 선택하여 NSS 피드를 활성화하거나 비활성화합니다.
  6. SIEM 비율 드롭다운의 값을 무제한으로 유지합니다. 라이선스 또는 기타 제약 조건으로 인해 출력 스트림을 억제하려면 값을 변경합니다.
  7. SIEM 유형 목록에서 기타를 선택합니다.
  8. OAuth 2.0 인증 목록에서 사용 중지됨을 선택합니다.
  9. 최대 배치 크기에 SIEM의 권장사항에 따른 개별 HTTP 요청 페이로드의 크기 제한을 입력합니다. 예: 512KB

  10. 다음 형식으로 Chronicle API 엔드포인트의 HTTPS URL을 API URL에 입력합니다.

      https://<CHRONICLE_REGION>-chronicle.googleapis.com/v1alpha/projects/<GOOGLE_PROJECT_NUMBER>/locations/<LOCATION>/instances/<CUSTOMER_ID>/feeds/<FEED_ID>:importPushLogs
    • CHRONICLE_REGION: Chronicle 인스턴스가 호스팅되는 리전입니다. 예: 미국
    • GOOGLE_PROJECT_NUMBER: BYOP 프로젝트 번호 C4에서 이 정보를 가져옵니다.
    • LOCATION: Chronicle 리전입니다. 예: 미국
    • CUSTOMER_ID: Chronicle 고객 ID입니다. C4에서 획득합니다.
    • FEED_ID: 새로 생성된 웹훅의 피드 UI에 표시되는 피드 ID
    • 샘플 API URL:
    https://us-chronicle.googleapis.com/v1alpha/projects/12345678910/locations/US/instances/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/feeds/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy:importPushLogs

  11. HTTP 헤더 추가를 클릭한 다음 다음 형식으로 HTTP 헤더를 추가합니다.

    • Header 1: Key1: X-goog-api-keyValue1: Google Cloud BYOP의 API 사용자 인증 정보에서 생성된 API 키입니다.
    • Header 2: Key2: X-Webhook-Access-KeyValue2: 웹훅의 'SECRET KEY'에서 생성된 API 보안 키입니다.

  12. 로그 유형 목록에서 웹 로그를 선택합니다.

  13. 피드 출력 유형 목록에서 JSON을 선택합니다.

  14. JSON 배열 표기법을 사용 중지합니다.

  15. 피드 이스케이프 문자, \ "로 설정합니다.

  16. 피드 출력 형식에 새 필드를 추가하려면 피드 출력 유형 목록에서 맞춤을 선택합니다.

  17. 피드 출력 형식을 복사하여 붙여넣고 새 필드를 추가합니다. 키 이름이 실제 필드 이름과 일치하는지 확인합니다.

  18. 다음은 기본 피드 출력 형식입니다.

      \{ "sourcetype" : "zscalernss-web", "event" : \{"datetime":"%d{yy}-%02d{mth}-%02d{dd} %02d{hh}:%02d{mm}:%02d{ss}","reason":"%s{reason}","event_id":"%d{recordid}","protocol":"%s{proto}","action":"%s{action}","transactionsize":"%d{totalsize}","responsesize":"%d{respsize}","requestsize":"%d{reqsize}","urlcategory":"%s{urlcat}","serverip":"%s{sip}","requestmethod":"%s{reqmethod}","refererURL":"%s{ereferer}","useragent":"%s{eua}","product":"NSS","location":"%s{elocation}","ClientIP":"%s{cip}","status":"%s{respcode}","user":"%s{elogin}","url":"%s{eurl}","vendor":"Zscaler","hostname":"%s{ehost}","clientpublicIP":"%s{cintip}","threatcategory":"%s{malwarecat}","threatname":"%s{threatname}","filetype":"%s{filetype}","appname":"%s{appname}","app_status":"%s{app_status}","pagerisk":"%d{riskscore}","threatseverity":"%s{threatseverity}","department":"%s{edepartment}","urlsupercategory":"%s{urlsupercat}","appclass":"%s{appclass}","dlpengine":"%s{dlpeng}","urlclass":"%s{urlclass}","threatclass":"%s{malwareclass}","dlpdictionaries":"%s{dlpdict}","fileclass":"%s{fileclass}","bwthrottle":"%s{bwthrottle}","contenttype":"%s{contenttype}","unscannabletype":"%s{unscannabletype}","deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}","keyprotectiontype":"%s{keyprotectiontype}"\}\}

  19. 시간대 목록에서 출력 파일의 시간 필드에 사용할 시간대를 선택합니다. 기본적으로 시간대는 조직의 시간대로 설정됩니다.

  20. 구성된 설정을 검토합니다.

  21. 저장을 클릭하여 연결을 테스트합니다. 연결에 성공하면 녹색 체크표시와 함께 연결 테스트 성공: OK (200)이라는 메시지가 표시됩니다.

Google SecOps 피드에 대한 자세한 내용은 Google SecOps 피드 문서를 참고하세요. 각 피드 유형의 요구사항은 유형별 피드 구성을 참조하세요.

피드를 만들 때 문제가 발생하면 Google SecOps 지원팀에 문의하세요.

지원되는 Zscaler Webproxy 로그 형식

Zscaler Webproxy 파서는 JSON 형식의 로그를 지원합니다.

지원되는 Zscaler Webproxy 샘플 로그

  • JSON

      {
    "event": {
      "ClientIP": "198.51.100.0",
      "action": "Allowed",
      "appclass": "Sales and Marketing",
      "appname": "Trend Micro",
      "bwthrottle": "NO",
      "clientpublicIP": "198.51.100.1",
      "contenttype": "Other",
      "datetime": "2024-05-06 10:56:04",
      "department": "Mid-Continent%20Companies",
      "devicehostname": "dummyhostname",
      "deviceowner": "dummydeviceowner",
      "dlpdictionaries": "None",
      "dlpengine": "None",
      "event_id": "7365838693731467265",
      "fileclass": "None",
      "filetype": "None",
      "hostname": "dummyhostname.com",
      "keyprotectiontype": "N/A",
      "location": "Road%20Warrior",
      "pagerisk": "0",
      "product": "NSS",
      "protocol": "HTTP_PROXY",
      "reason": "Allowed",
      "refererURL": "None",
      "requestmethod": "CONNECT",
      "requestsize": "606",
      "responsesize": "65",
      "serverip": "198.51.10.2",
      "status": "200",
      "threatcategory": "None",
      "threatclass": "None",
      "threatname": "None",
      "threatseverity": "None",
      "transactionsize": "671",
      "unscannabletype": "None",
      "url": "dummyurl.com:443",
      "urlcategory": "SSL - DNI - Bypass",
      "urlclass": "Bandwidth Loss",
      "urlsupercategory": "User-defined",
      "user": "abc@xyz.com",
      "useragent": "dummyuseragent",
      "vendor": "Zscaler"
    },
    "sourcetype": "zscalernss-web"
  }

필드 매핑 참조

다음 표에는 ZSCALER_WEBPROXY 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field UDM mapping Logic
metadata.vendor_name The metadata.vendor_name UDM field is set to Zscaler.
metadata.event_type If the ClientIP log field value is not empty and the serverip log field value is not empty and the proto log field value contain one of the following values, then the metadata.event_type UDM field is set to NETWORK_HTTP.
  • HTTPS
  • HTTP
Else, if the ClientIP log field value is not empty and the serverip log field value is not empty, then the metadata.event_type UDM field is set to NETWORK_CONNECTION.

Else, if the user log field value is not empty or the deviceowner log field value is not empty, then the metadata.event_type UDM field is set to USER_UNCATEGORIZED.

Else, the metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_name The metadata.product_name UDM field is set to Web Proxy.
sourcetype additional.fields[sourcetype]
datetime metadata.event_timestamp
tz additional.fields[tz]
ss additional.fields[ss]
mm additional.fields[mm]
hh additional.fields[hh]
dd additional.fields[dd]
mth additional.fields[mth]
yyyy additional.fields[yyyy]
mon additional.fields[mon]
day additional.fields[day]
department principal.user.department
b64dept principal.user.department
edepartment principal.user.department
user principal.user.email_addresses
user principal.user.userid The EMAILLOCALPART field is extracted from user log field using the Grok pattern, and the EMAILLOCALPART log field is mapped to the principal.user.userid UDM field.
b64login principal.user.email_addresses
elogin principal.user.email_addresses
ologin additional.fields[ologin]
cloudname principal.user.attribute.labels[cloudname]
company principal.user.company_name
throttlereqsize security_result.detection_fields[throttlereqsize]
throttlerespsize security_result.detection_fields[throttlerespsize]
bwthrottle security_result.detection_fields[bwthrottle]
security_result.category If the bwthrottle log field value is equal to Yes, then the security_result.category UDM field is set to POLICY_VIOLATION.
bwclassname security_result.detection_fields[bwclassname]
obwclassname security_result.detection_fields[obwclassname]
bwrulename security_result.rule_name
appname target.application
appclass target.security_result.detection_fields[appclass]
module target.security_result.detection_fields[module]
app_risk_score target.security_result.risk_score If the app_risk_score log field value matches the regular expression pattern [0-9]+, then the app_risk_score log field is mapped to the security_result.risk_score UDM field.
datacenter target.location.name
datacentercity target.location.city
datacentercountry target.location.country_or_region
dlpdictionaries security_result.detection_fields[dlpdictionaries]
odlpdict security_result.detection_fields[odlpdict]
dlpdicthitcount security_result.detection_fields[dlpdicthitcount]
dlpengine security_result.detection_fields[dlpengine]
odlpeng security_result.detection_fields[odlpeng]
dlpidentifier security_result.detection_fields[dlpidentifier]
dlpmd5 security_result.detection_fields[dlpmd5]
dlprulename security_result.rule_name
odlprulename security_result.detection_fields[odlprulename]
fileclass additional.fields[fileclass]
filetype target.file.file_type If the filetype log field value matches the regular expression (?i)(xlsx), then the target.file.file_type UDM field is set to FILE_TYPE_XLSX.
Else, if the filetype log field value matches the regular expression (?i)(xls), then the target.file.file_type UDM field is set to FILE_TYPE_XLS.
Else, if the filetype log field value matches the regular expression (?i)(cab), then the target.file.file_type UDM field is set to FILE_TYPE_CAB.
Else, if the filetype log field value matches the regular expression (?i)(pcapng|pcap|cap), then the target.file.file_type UDM field is set to FILE_TYPE_CAP.
Else, if the filetype log field value matches the regular expression (?i)(tar.gz|egg), then the target.file.file_type UDM field is set to FILE_TYPE_PYTHON_PKG.
Else, if the filetype log field value matches the regular expression (?i)(gzip|tgz|gz), then the target.file.file_type UDM field is set to FILE_TYPE_GZIP.
Else, if the filetype log field value matches the regular expression (?i)(zip), then the target.file.file_type UDM field is set to FILE_TYPE_ZIP.
Else, if the filetype log field value matches the regular expression (?i)(gif), then the target.file.file_type UDM field is set to FILE_TYPE_GIF.
Else, if the log message matches the regular expression (?i)(\\bdos\\b) AND the filetype log field value matches the regular expression (?i)(exe|com), then the target.file.file_type UDM field is set to FILE_TYPE_DOS_EXE.
Else, if the log message matches the regular expression (?i)(\\bne_exe\\b) AND the filetype log field value matches the regular expression (?i)(exe), then the target.file.file_type UDM field is set to FILE_TYPE_NE_EXE.
Else, if the filetype log field value matches the regular expression (?i)(exe), then the target.file.file_type UDM field is set to FILE_TYPE_PE_EXE.
Else, if the filetype log field value matches the regular expression (?i)(msi), then the target.file.file_type UDM field is set to FILE_TYPE_MSI.
Else, if the filetype log field value matches the regular expression (?i)(ocx|sys), then the target.file.file_type UDM field is set to FILE_TYPE_PE_DLL.
Else, if the filetype log field value matches the regular expression (?i)(pdf|(portable\\s*document\\s*format)), then the target.file.file_type UDM field is set to FILE_TYPE_PDF.
Else, if the filetype log field value matches the regular expression (?i)(docx), then the target.file.file_type UDM field is set to FILE_TYPE_DOCX.
Else, if the filetype log field value matches the regular expression (?i)(doc), then the target.file.file_type UDM field is set to FILE_TYPE_DOC.
Else, if the filetype log field value matches the regular expression (?i)(html|htm), then the target.file.file_type UDM field is set to FILE_TYPE_HTML.
Else, if the filetype log field value matches the regular expression (?i)(jar), then the target.file.file_type UDM field is set to FILE_TYPE_JAR.
Else, if the filetype log field value matches the regular expression (?i)(jpeg|jpg), then the target.file.file_type UDM field is set to FILE_TYPE_JPEG.
Else, if the filetype log field value matches the regular expression (?i)(mov), then the target.file.file_type UDM field is set to FILE_TYPE_MOV.
Else, if the filetype log field value matches the regular expression (?i)(mp3), then the target.file.file_type UDM field is set to FILE_TYPE_MP3.
Else, if the filetype log field value matches the regular expression (?i)(mp4), then the target.file.file_type UDM field is set to FILE_TYPE_MP4.
Else, if the filetype log field value matches the regular expression (?i)(png), then the target.file.file_type UDM field is set to FILE_TYPE_PNG.
Else, if the filetype log field value matches the regular expression (?i)(pptx), then the target.file.file_type UDM field is set to FILE_TYPE_PPTX.
Else, if the filetype log field value matches the regular expression (?i)(ppt), then the target.file.file_type UDM field is set to FILE_TYPE_PPT.
Else, if the filetype log field value matches the regular expression (?i)(rar), then the target.file.file_type UDM field is set to FILE_TYPE_RAR.
Else, if the filetype log field value matches the regular expression (?i)(ace), then the target.file.file_type UDM field is set to FILE_TYPE_ACE.
Else, if the filetype log field value matches the regular expression (?i)(apk|aar|dex), then the target.file.file_type UDM field is set to FILE_TYPE_ANDROID.
Else, if the filetype log field value matches the regular expression (?i)(plist), then the target.file.file_type UDM field is set to FILE_TYPE_APPLE_PLIST.
Else, if the filetype log field value matches the regular expression (?i)(applescript), then the target.file.file_type UDM field is set to FILE_TYPE_APPLESCRIPT.
Else, if the filetype log field value matches the regular expression (?i)(app), then the target.file.file_type UDM field is set to FILE_TYPE_APPLE.
Else, if the filetype log field value matches the regular expression (?i)(scpt), then the target.file.file_type UDM field is set to FILE_TYPE_APPLESCRIPT_COMPILED.
Else, if the filetype log field value matches the regular expression (?i)(arc), then the target.file.file_type UDM field is set to FILE_TYPE_ARC.
Else, if the filetype log field value matches the regular expression (?i)(arj), then the target.file.file_type UDM field is set to FILE_TYPE_ARJ.
Else, if the filetype log field value matches the regular expression (?i)(asd), then the target.file.file_type UDM field is set to FILE_TYPE_ASD.
Else, if the filetype log field value matches the regular expression (?i)(asf), then the target.file.file_type UDM field is set to FILE_TYPE_ASF.
Else, if the filetype log field value matches the regular expression (?i)(avi), then the target.file.file_type UDM field is set to FILE_TYPE_AVI.
Else, if the filetype log field value matches the regular expression (?i)(awk), then the target.file.file_type UDM field is set to FILE_TYPE_AWK.
Else, if the filetype log field value matches the regular expression (?i)(bmp), then the target.file.file_type UDM field is set to FILE_TYPE_BMP.
Else, if the filetype log field value matches the regular expression (?i)(dib), then the target.file.file_type UDM field is set to FILE_TYPE_DIB.
Else, if the filetype log field value matches the regular expression (?i)(bz2), then the target.file.file_type UDM field is set to FILE_TYPE_BZIP.
Else, if the filetype log field value matches the regular expression (?i)(chm), then the target.file.file_type UDM field is set to FILE_TYPE_CHM.
Else, if the filetype log field value matches the regular expression (?i)(cljc|cljs|clj), then the target.file.file_type UDM field is set to FILE_TYPE_CLJ.
Else, if the filetype log field value matches the regular expression (?i)(crt|cer), then the target.file.file_type UDM field is set to FILE_TYPE_CRT.
Else, if the filetype log field value matches the regular expression (?i)(crx), then the target.file.file_type UDM field is set to FILE_TYPE_CRX.
Else, if the filetype log field value matches the regular expression (?i)(csv), then the target.file.file_type UDM field is set to FILE_TYPE_CSV.
Else, if the filetype log field value matches the regular expression (?i)(deb), then the target.file.file_type UDM field is set to FILE_TYPE_DEB.
Else, if the filetype log field value matches the regular expression (?i)(dmg), then the target.file.file_type UDM field is set to FILE_TYPE_DMG.
Else, if the filetype log field value matches the regular expression (?i)(divx), then the target.file.file_type UDM field is set to FILE_TYPE_DIVX.
Else, if the filetype log field value matches the regular expression (?i)(com), then the target.file.file_type UDM field is set to FILE_TYPE_DOS_COM.
Else, if the filetype log field value matches the regular expression (?i)(dwg), then the target.file.file_type UDM field is set to FILE_TYPE_DWG.
Else, if the filetype log field value matches the regular expression (?i)(dxf), then the target.file.file_type UDM field is set to FILE_TYPE_DXF.
Else, if the filetype log field value matches the regular expression (?i)(dyalog), then the target.file.file_type UDM field is set to FILE_TYPE_DYALOG.
Else, if the filetype log field value matches the regular expression (?i)(dzip), then the target.file.file_type UDM field is set to FILE_TYPE_DZIP.
Else, if the filetype log field value matches the regular expression (?i)(epub|mobi|azw), then the target.file.file_type UDM field is set to FILE_TYPE_EBOOK.
Else, if the filetype log field value matches the regular expression (?i)(elf), then the target.file.file_type UDM field is set to FILE_TYPE_ELF.
Else, if the filetype log field value matches the regular expression (?i)(eml), then the target.file.file_type UDM field is set to FILE_TYPE_EMAIL_TYPE.
Else, if the filetype log field value matches the regular expression (?i)(emf), then the target.file.file_type UDM field is set to FILE_TYPE_EMF.
Else, if the filetype log field value matches the regular expression (?i)(eot), then the target.file.file_type UDM field is set to FILE_TYPE_EOT.
Else, if the filetype log field value matches the regular expression (?i)(eps), then the target.file.file_type UDM field is set to FILE_TYPE_EPS.
Else, if the filetype log field value matches the regular expression (?i)(flac), then the target.file.file_type UDM field is set to FILE_TYPE_FLAC.
Else, if the filetype log field value matches the regular expression (?i)(fla), then the target.file.file_type UDM field is set to FILE_TYPE_FLA.
Else, if the filetype log field value matches the regular expression (?i)(fli), then the target.file.file_type UDM field is set to FILE_TYPE_FLI.
Else, if the filetype log field value matches the regular expression (?i)(flc), then the target.file.file_type UDM field is set to FILE_TYPE_FLC.
Else, if the filetype log field value matches the regular expression (?i)(flv), then the target.file.file_type UDM field is set to FILE_TYPE_FLV.
Else, if the filetype log field value matches the regular expression (?i)(fpx), then the target.file.file_type UDM field is set to FILE_TYPE_FPX.
Else, if the filetype log field value matches the regular expression (?i)(xcf), then the target.file.file_type UDM field is set to FILE_TYPE_GIMP.
Else, if the filetype log field value matches the regular expression (?i)(go), then the target.file.file_type UDM field is set to FILE_TYPE_GOLANG.
Else, if the filetype log field value matches the regular expression (?i)(gul), then the target.file.file_type UDM field is set to FILE_TYPE_GUL.
Else, if the filetype log field value matches the regular expression (?i)(hwp), then the target.file.file_type UDM field is set to FILE_TYPE_HWP.
Else, if the filetype log field value matches the regular expression (?i)(ico), then the target.file.file_type UDM field is set to FILE_TYPE_ICO.
Else, if the filetype log field value matches the regular expression (?i)(indd|idml), then the target.file.file_type UDM field is set to FILE_TYPE_IN_DESIGN.
Else, if the filetype log field value matches the regular expression (?i)(ipa), then the target.file.file_type UDM field is set to FILE_TYPE_IPHONE.
Else, if the filetype log field value matches the regular expression (?i)(ips), then the target.file.file_type UDM field is set to FILE_TYPE_IPS.
Else, if the filetype log field value matches the regular expression (?i)(iso), then the target.file.file_type UDM field is set to FILE_TYPE_ISOIMAGE.
Else, if the filetype log field value matches the regular expression (?i)(java) AND the filetype log field value does NOT match the regular expression (?i)(javascript), then the target.file.file_type UDM field is set to FILE_TYPE_JAVA.
Else, if the filetype log field value matches the regular expression (?i)(class), then the target.file.file_type UDM field is set to FILE_TYPE_JAVA_BYTECODE.
Else, if the filetype log field value matches the regular expression (?i)(jmod), then the target.file.file_type UDM field is set to FILE_TYPE_JMOD.
Else, if the filetype log field value matches the regular expression (?i)(jng), then the target.file.file_type UDM field is set to FILE_TYPE_JNG.
Else, if the filetype log field value matches the regular expression (?i)(json), then the target.file.file_type UDM field is set to FILE_TYPE_JSON.
Else, if the filetype log field value matches the regular expression (?i)(js), then the target.file.file_type UDM field is set to FILE_TYPE_JAVASCRIPT.
Else, if the filetype log field value matches the regular expression (?i)(kgb), then the target.file.file_type UDM field is set to FILE_TYPE_KGB.
Else, if the filetype log field value matches the regular expression (?i)(tex), then the target.file.file_type UDM field is set to FILE_TYPE_LATEX.
Else, if the filetype log field value matches the regular expression (?i)(lzfse), then the target.file.file_type UDM field is set to FILE_TYPE_LZFSE.
Else, if the filetype log field value matches the regular expression (?i)(vmlinuz|ko), then the target.file.file_type UDM field is set to FILE_TYPE_LINUX_KERNEL.
Else, if the filetype log field value matches the regular expression (?i)(bundle|framework), then the target.file.file_type UDM field is set to FILE_TYPE_MACH_O.
Else, if the log message matches the regular expression (?i)(\\bmach\\b) AND the filetype log field value matches the regular expression (?i)(dylib|o), then the target.file.file_type UDM field is set to FILE_TYPE_MACH_O.
Else, if the filetype log field value matches the regular expression (?i)(so|initrd|vmlinux|pkg.tar.zst|ext4|ext3|ext2|swap), then the target.file.file_type UDM field is set to FILE_TYPE_LINUX.
Else, if the filetype log field value matches the regular expression (?i)(ini), then the target.file.file_type UDM field is set to FILE_TYPE_INI.
Else, if the log message matches the regular expression (?i)(\\blinux\\b) AND the filetype log field value matches the regular expression sfs, then the target.file.file_type UDM field is set to FILE_TYPE_LINUX.
Else, if the filetype log field value matches the regular expression (?i)(lnk), then the target.file.file_type UDM field is set to FILE_TYPE_LNK.
Else, if the filetype log field value matches the regular expression (?i)(m4), then the target.file.file_type UDM field is set to FILE_TYPE_M4.
Else, if the filetype log field value matches the regular expression (?i)(midi|mid), then the target.file.file_type UDM field is set to FILE_TYPE_MIDI.
Else, if the filetype log field value matches the regular expression (?i)(mkv), then the target.file.file_type UDM field is set to FILE_TYPE_MKV.
Else, if the filetype log field value matches the regular expression (?i)(mpg|mpeg), then the target.file.file_type UDM field is set to FILE_TYPE_MPEG.
Else, if the filetype log field value matches the regular expression (?i)(sz_), then the target.file.file_type UDM field is set to FILE_TYPE_MSCOMPRESS.
Else, if the filetype log field value matches the regular expression (?i)(dll), then the target.file.file_type UDM field is set to FILE_TYPE_NE_DLL.
Else, if the filetype log field value matches the regular expression (?i)(odg), then the target.file.file_type UDM field is set to FILE_TYPE_ODG.
Else, if the filetype log field value matches the regular expression (?i)(odp), then the target.file.file_type UDM field is set to FILE_TYPE_ODP.
Else, if the filetype log field value matches the regular expression (?i)(ods), then the target.file.file_type UDM field is set to FILE_TYPE_ODS.
Else, if the filetype log field value matches the regular expression (?i)(odt), then the target.file.file_type UDM field is set to FILE_TYPE_ODT.
Else, if the filetype log field value matches the regular expression (?i)(ogg|oga|ogv), then the target.file.file_type UDM field is set to FILE_TYPE_OGG.
Else, if the filetype log field value matches the regular expression (?i)(one) AND the filetype log field value does NOT match the regular expression (?i)(none), then the target.file.file_type UDM field is set to FILE_TYPE_ONE_NOTE.
Else, if the filetype log field value matches the regular expression (?i)(pst|ost), then the target.file.file_type UDM field is set to FILE_TYPE_OUTLOOK.
Else, if the log message matches the regular expression (?i)(\\boutlook\\b) AND the filetype log field value matches the regular expression (?i)(msg), then the target.file.file_type UDM field is set to FILE_TYPE_OUTLOOK.
Else, if the log message matches the regular expression (?i)(\\bemail\\b) AND the filetype log field value matches the regular expression (?i)(msg), then the target.file.file_type UDM field is set to FILE_TYPE_EMAIL_TYPE.
Else, if the filetype log field value matches the regular expression (?i)(prc), then the target.file.file_type UDM field is set to FILE_TYPE_PALMOS.
Else, if the filetype log field value matches the regular expression (?i)(pdb), then the target.file.file_type UDM field is set to FILE_TYPE_PDB.
Else, if the filetype log field value matches the regular expression (?i)(pem), then the target.file.file_type UDM field is set to FILE_TYPE_PEM.
Else, if the filetype log field value matches the regular expression (?i)(pgp|gpg|asc), then the target.file.file_type UDM field is set to FILE_TYPE_PGP.
Else, if the filetype log field value matches the regular expression (?i)(php), then the target.file.file_type UDM field is set to FILE_TYPE_PHP.
Else, if the filetype log field value matches the regular expression (?i)(pkg), then the target.file.file_type UDM field is set to FILE_TYPE_PKG.
Else, if the filetype log field value matches the regular expression (?i)(ps1|psm1), then the target.file.file_type UDM field is set to FILE_TYPE_POWERSHELL.
Else, if the filetype log field value matches the regular expression (?i)(ppsx), then the target.file.file_type UDM field is set to FILE_TYPE_PPSX.
Else, if the filetype log field value matches the regular expression (?i)(psd), then the target.file.file_type UDM field is set to FILE_TYPE_PSD.
Else, if the filetype log field value matches the regular expression (?i)(ps), then the target.file.file_type UDM field is set to FILE_TYPE_PS.
Else, if the filetype log field value matches the regular expression (?i)(pyc), then the target.file.file_type UDM field is set to FILE_TYPE_PYC.
Else, if the filetype log field value matches the regular expression (?i)(py|pyw), then the target.file.file_type UDM field is set to FILE_TYPE_PYTHON.
Else, if the filetype log field value matches the regular expression (?i)(whl), then the target.file.file_type UDM field is set to FILE_TYPE_PYTHON_WHL.
Else, if the filetype log field value matches the regular expression (?i)(qt), then the target.file.file_type UDM field is set to FILE_TYPE_QUICKTIME.
Else, if the filetype log field value matches the regular expression (?i)(rm|rmvb), then the target.file.file_type UDM field is set to FILE_TYPE_RM.
Else, if the filetype log field value matches the regular expression (?i)(rom|bin), then the target.file.file_type UDM field is set to FILE_TYPE_ROM.
Else, if the filetype log field value matches the regular expression (?i)(rpm), then the target.file.file_type UDM field is set to FILE_TYPE_RPM.
Else, if the filetype log field value matches the regular expression (?i)(rtf), then the target.file.file_type UDM field is set to FILE_TYPE_RTF.
Else, if the filetype log field value matches the regular expression (?i)(rb), then the target.file.file_type UDM field is set to FILE_TYPE_RUBY.
Else, if the filetype log field value matches the regular expression (?i)(rz), then the target.file.file_type UDM field is set to FILE_TYPE_RZIP.
Else, if the filetype log field value matches the regular expression (?i)(7z), then the target.file.file_type UDM field is set to FILE_TYPE_SEVENZIP.
Else, if the filetype log field value matches the regular expression (?i)(sgml|sgm), then the target.file.file_type UDM field is set to FILE_TYPE_SGML.
Else, if the filetype log field value matches the regular expression (?i)(bash|csh|zsh), then the target.file.file_type UDM field is set to FILE_TYPE_SHELLSCRIPT.
Else, if the filetype log field value matches the regular expression (?i)(sql), then the target.file.file_type UDM field is set to FILE_TYPE_SQL.
Else, if the filetype log field value matches the regular expression (?i)(sqfs|sfs), then the target.file.file_type UDM field is set to FILE_TYPE_SQUASHFS.
Else, if the filetype log field value matches the regular expression (?i)(svg), then the target.file.file_type UDM field is set to FILE_TYPE_SVG.
Else, if the filetype log field value matches the regular expression (?i)(swf), then the target.file.file_type UDM field is set to FILE_TYPE_SWF.
Else, if the filetype log field value matches the regular expression (?i)(sis|sisx), then the target.file.file_type UDM field is set to FILE_TYPE_SYMBIAN.
Else, if the filetype log field value matches the regular expression (?i)(3gp), then the target.file.file_type UDM field is set to FILE_TYPE_T3GP.
Else, if the filetype log field value matches the regular expression (?i)(tar), then the target.file.file_type UDM field is set to FILE_TYPE_TAR.
Else, if the filetype log field value matches the regular expression (?i)(tga), then the target.file.file_type UDM field is set to FILE_TYPE_TARGA.
Else, if the filetype log field value matches the regular expression (?i)(3ds|max), then the target.file.file_type UDM field is set to FILE_TYPE_THREEDS.
Else, if the filetype log field value matches the regular expression (?i)(tif|tiff), then the target.file.file_type UDM field is set to FILE_TYPE_TIFF.
Else, if the filetype log field value matches the regular expression (?i)(torrent), then the target.file.file_type UDM field is set to FILE_TYPE_TORRENT.
Else, if the filetype log field value matches the regular expression (?i)(ttf), then the target.file.file_type UDM field is set to FILE_TYPE_TTF.
Else, if the filetype log field value matches the regular expression (?i)(vba), then the target.file.file_type UDM field is set to FILE_TYPE_VBA.
Else, if the filetype log field value matches the regular expression (?i)(vhd|vhdx), then the target.file.file_type UDM field is set to FILE_TYPE_VHD.
Else, if the filetype log field value matches the regular expression (?i)(wav), then the target.file.file_type UDM field is set to FILE_TYPE_WAV.
Else, if the filetype log field value matches the regular expression (?i)(webm), then the target.file.file_type UDM field is set to FILE_TYPE_WEBM.
Else, if the filetype log field value matches the regular expression (?i)(webp), then the target.file.file_type UDM field is set to FILE_TYPE_WEBP.
Else, if the filetype log field value matches the regular expression (?i)(wer), then the target.file.file_type UDM field is set to FILE_TYPE_WER.
Else, if the filetype log field value matches the regular expression (?i)(wma), then the target.file.file_type UDM field is set to FILE_TYPE_WMA.
Else, if the filetype log field value matches the regular expression (?i)(wmv), then the target.file.file_type UDM field is set to FILE_TYPE_WMV.
Else, if the filetype log field value matches the regular expression (?i)(woff|woff2), then the target.file.file_type UDM field is set to FILE_TYPE_WOFF.
Else, if the filetype log field value matches the regular expression (?i)(xml), then the target.file.file_type UDM field is set to FILE_TYPE_XML.
Else, if the filetype log field value matches the regular expression (?i)(xpi), then the target.file.file_type UDM field is set to FILE_TYPE_XPI.
Else, if the filetype log field value matches the regular expression (?i)(xwd), then the target.file.file_type UDM field is set to FILE_TYPE_XWD.
Else, if the filetype log field value matches the regular expression (?i)(zst), then the target.file.file_type UDM field is set to FILE_TYPE_ZST.
Else, if the filetype log field value matches the regular expression (?i)(Makefile|makefile|mk), then the target.file.file_type UDM field is set to FILE_TYPE_MAKEFILE.
Else, if the filetype log field value matches the regular expression (?i)(zlib), then the target.file.file_type UDM field is set to FILE_TYPE_ZLIB.
Else, if the filetype log field value matches the regular expression (?i)(hqx), then the target.file.file_type UDM field is set to FILE_TYPE_MACINTOSH.
Else, if the filetype log field value matches the regular expression (?i)(hfs|dsk|toast), then the target.file.file_type UDM field is set to FILE_TYPE_MACINTOSH_HFS.
Else, if the filetype log field value matches the regular expression (?i)(bh|log|dat), then the target.file.file_type UDM field is set to FILE_TYPE_BLACKHOLE.
Else, if the log message matches the regular expression (?i)(\\bcookie\\b) AND the filetype log field value matches the regular expression (?i)(txt), then the target.file.file_type UDM field is set to FILE_TYPE_COOKIE.
Else, if the filetype log field value matches the regular expression (?i)(txt), then the target.file.file_type UDM field is set to FILE_TYPE_TEXT.
Else, if the filetype log field value matches the regular expression (?i)(docx|xlsx|pptx), then the target.file.file_type UDM field is set to FILE_TYPE_OOXML.
Else, if the filetype log field value matches the regular expression (?i)(odt|ods|odp|odg), then the target.file.file_type UDM field is set to FILE_TYPE_ODF.
Else, if the filetype log field value matches the regular expression (?i)(for|f90|f95), then the target.file.file_type UDM field is set to FILE_TYPE_FORTRAN.
Else, if the log message matches the regular expression (?i)(\\bwince\\b) AND the filetype log field value matches the regular expression (?i)(exe|cab|dll), then the target.file.file_type UDM field is set to FILE_TYPE_WINCE.
Else, if the log message matches the regular expression (?i)(\\bscript\\b) AND the filetype log field value matches the regular expression (?i)(py|js|pl|rb), then the target.file.file_type UDM field is set to FILE_TYPE_SCRIPT.
Else, if the log message matches the regular expression (?i)(\\bapplesingle\\b) AND the filetype log field value matches the regular expression (?i)(as|bin), then the target.file.file_type UDM field is set to FILE_TYPE_APPLESINGLE.
Else, if the log message matches the regular expression (?i)(\\bmacintosh\\b) AND the filetype log field value matches the regular expression (?i)(dylib|a), then the target.file.file_type UDM field is set to FILE_TYPE_MACINTOSH_LIB.
Else, if the log message matches the regular expression (?i)(\\bappledouble\\b) AND the filetype log field value matches the regular expression (?i)(ad|._), then the target.file.file_type UDM field is set to FILE_TYPE_APPLEDOUBLE.
Else, if the log message matches the regular expression (?i)(\\bobjetivec\\b) AND the filetype log field value matches the regular expression (?i)(m|mm|h), then the target.file.file_type UDM field is set to FILE_TYPE_OBJETIVEC.
Else, if the filetype log field value matches the regular expression (?i)(obj|lib), then the target.file.file_type UDM field is set to FILE_TYPE_COFF.
Else, if the log message matches the regular expression (?i)(\\bcpp\\b) AND the filetype log field value matches the regular expression (?i)(hpp|cpp|cc|cxx|h), then the target.file.file_type UDM field is set to FILE_TYPE_CPP.
Else, if the filetype log field value matches the regular expression (?i)(pas|pp), then the target.file.file_type UDM field is set to FILE_TYPE_PASCAL.
Else, if the filetype log field value matches the regular expression (?i)(pl|pm), then the target.file.file_type UDM field is set to FILE_TYPE_PERL.
Else, if the filetype log field value matches the regular expression (?i)\\bsh\\b, then the target.file.file_type UDM field is set to FILE_TYPE_SHELLSCRIPT.
Else, if the filetype log field value matches the regular expression (?i)\\bc\\b$, then the target.file.file_type UDM field is set to FILE_TYPE_C.
Else, if the filetype log field value matches the regular expression (?i)\\bn\\b$, then the target.file.file_type UDM field is set to FILE_TYPE_NEKO.
Else, if the filetype log field value matches the regular expression (?i)\\bf\\b, then the target.file.file_type UDM field is set to FILE_TYPE_FORTRAN.
Else, the UDM field additional.fields.key is set to file_type and the log field value filetype is mapped to the additional.fields.value UDM field, provided the filetype value is not empty.
filename target.file.full_path
b64filename target.file.full_path
efilename target.file.full_path
filesubtype additional.fields[filesubtype]
upload_fileclass additional.fields[upload_fileclass]
upload_filetype target.file.file_type If the filetype log field value is empty or equal to None and the upload_filetype log field value is not empty and not equal to None, then:
If the upload_filetype log field value matches the regular expression (?i)(xlsx), then the target.file.file_type UDM field is set to FILE_TYPE_XLSX.
Else, if the upload_filetype log field value matches the regular expression (?i)(xls), then the target.file.file_type UDM field is set to FILE_TYPE_XLS.
Else, if the upload_filetype log field value matches the regular expression (?i)(cab), then the target.file.file_type UDM field is set to FILE_TYPE_CAB.
Else, if the upload_filetype log field value matches the regular expression (?i)(pcapng|pcap|cap), then the target.file.file_type UDM field is set to FILE_TYPE_CAP.
Else, if the upload_filetype log field value matches the regular expression (?i)(tar.gz|egg), then the target.file.file_type UDM field is set to FILE_TYPE_PYTHON_PKG.
Else, if the upload_filetype log field value matches the regular expression (?i)(gzip|tgz|gz), then the target.file.file_type UDM field is set to FILE_TYPE_GZIP.
Else, if the upload_filetype log field value matches the regular expression (?i)(zip), then the target.file.file_type UDM field is set to FILE_TYPE_ZIP.
Else, if the upload_filetype log field value matches the regular expression (?i)(gif), then the target.file.file_type UDM field is set to FILE_TYPE_GIF.
Else, if the log message matches the regular expression (?i)(\\bdos\\b) AND the upload_filetype log field value matches the regular expression (?i)(exe|com), then the target.file.file_type UDM field is set to FILE_TYPE_DOS_EXE.
Else, if the log message matches the regular expression (?i)(\\bne_exe\\b) AND the upload_filetype log field value matches the regular expression (?i)(exe), then the target.file.file_type UDM field is set to FILE_TYPE_NE_EXE.
Else, if the upload_filetype log field value matches the regular expression (?i)(exe), then the target.file.file_type UDM field is set to FILE_TYPE_PE_EXE.
Else, if the upload_filetype log field value matches the regular expression (?i)(msi), then the target.file.file_type UDM field is set to FILE_TYPE_MSI.
Else, if the upload_filetype log field value matches the regular expression (?i)(ocx|sys), then the target.file.file_type UDM field is set to FILE_TYPE_PE_DLL.
Else, if the upload_filetype log field value matches the regular expression (?i)(pdf|(portable\\s*document\\s*format)), then the target.file.file_type UDM field is set to FILE_TYPE_PDF.
Else, if the upload_filetype log field value matches the regular expression (?i)(docx), then the target.file.file_type UDM field is set to FILE_TYPE_DOCX.
Else, if the upload_filetype log field value matches the regular expression (?i)(doc), then the target.file.file_type UDM field is set to FILE_TYPE_DOC.
Else, if the upload_filetype log field value matches the regular expression (?i)(html|htm), then the target.file.file_type UDM field is set to FILE_TYPE_HTML.
Else, if the upload_filetype log field value matches the regular expression (?i)(jar), then the target.file.file_type UDM field is set to FILE_TYPE_JAR.
Else, if the upload_filetype log field value matches the regular expression (?i)(jpeg|jpg), then the target.file.file_type UDM field is set to FILE_TYPE_JPEG.
Else, if the upload_filetype log field value matches the regular expression (?i)(mov), then the target.file.file_type UDM field is set to FILE_TYPE_MOV.
Else, if the upload_filetype log field value matches the regular expression (?i)(mp3), then the target.file.file_type UDM field is set to FILE_TYPE_MP3.
Else, if the upload_filetype log field value matches the regular expression (?i)(mp4), then the target.file.file_type UDM field is set to FILE_TYPE_MP4.
Else, if the upload_filetype log field value matches the regular expression (?i)(png), then the target.file.file_type UDM field is set to FILE_TYPE_PNG.
Else, if the upload_filetype log field value matches the regular expression (?i)(pptx), then the target.file.file_type UDM field is set to FILE_TYPE_PPTX.
Else, if the upload_filetype log field value matches the regular expression (?i)(ppt), then the target.file.file_type UDM field is set to FILE_TYPE_PPT.
Else, if the upload_filetype log field value matches the regular expression (?i)(rar), then the target.file.file_type UDM field is set to FILE_TYPE_RAR.
Else, if the upload_filetype log field value matches the regular expression (?i)(ace), then the target.file.file_type UDM field is set to FILE_TYPE_ACE.
Else, if the upload_filetype log field value matches the regular expression (?i)(apk|aar|dex), then the target.file.file_type UDM field is set to FILE_TYPE_ANDROID.
Else, if the upload_filetype log field value matches the regular expression (?i)(plist), then the target.file.file_type UDM field is set to FILE_TYPE_APPLE_PLIST.
Else, if the upload_filetype log field value matches the regular expression (?i)(applescript), then the target.file.file_type UDM field is set to FILE_TYPE_APPLESCRIPT.
Else, if the upload_filetype log field value matches the regular expression (?i)(app), then the target.file.file_type UDM field is set to FILE_TYPE_APPLE.
Else, if the upload_filetype log field value matches the regular expression (?i)(scpt), then the target.file.file_type UDM field is set to FILE_TYPE_APPLESCRIPT_COMPILED.
Else, if the upload_filetype log field value matches the regular expression (?i)(arc), then the target.file.file_type UDM field is set to FILE_TYPE_ARC.
Else, if the upload_filetype log field value matches the regular expression (?i)(arj), then the target.file.file_type UDM field is set to FILE_TYPE_ARJ.
Else, if the upload_filetype log field value matches the regular expression (?i)(asd), then the target.file.file_type UDM field is set to FILE_TYPE_ASD.
Else, if the upload_filetype log field value matches the regular expression (?i)(asf), then the target.file.file_type UDM field is set to FILE_TYPE_ASF.
Else, if the upload_filetype log field value matches the regular expression (?i)(avi), then the target.file.file_type UDM field is set to FILE_TYPE_AVI.
Else, if the upload_filetype log field value matches the regular expression (?i)(awk), then the target.file.file_type UDM field is set to FILE_TYPE_AWK.
Else, if the upload_filetype log field value matches the regular expression (?i)(bmp), then the target.file.file_type UDM field is set to FILE_TYPE_BMP.
Else, if the upload_filetype log field value matches the regular expression (?i)(dib), then the target.file.file_type UDM field is set to FILE_TYPE_DIB.
Else, if the upload_filetype log field value matches the regular expression (?i)(bz2), then the target.file.file_type UDM field is set to FILE_TYPE_BZIP.
Else, if the upload_filetype log field value matches the regular expression (?i)(chm), then the target.file.file_type UDM field is set to FILE_TYPE_CHM.
Else, if the upload_filetype log field value matches the regular expression (?i)(cljc|cljs|clj), then the target.file.file_type UDM field is set to FILE_TYPE_CLJ.
Else, if the upload_filetype log field value matches the regular expression (?i)(crt|cer), then the target.file.file_type UDM field is set to FILE_TYPE_CRT.
Else, if the upload_filetype log field value matches the regular expression (?i)(crx), then the target.file.file_type UDM field is set to FILE_TYPE_CRX.
Else, if the upload_filetype log field value matches the regular expression (?i)(csv), then the target.file.file_type UDM field is set to FILE_TYPE_CSV.
Else, if the upload_filetype log field value matches the regular expression (?i)(deb), then the target.file.file_type UDM field is set to FILE_TYPE_DEB.
Else, if the upload_filetype log field value matches the regular expression (?i)(dmg), then the target.file.file_type UDM field is set to FILE_TYPE_DMG.
Else, if the upload_filetype log field value matches the regular expression (?i)(divx), then the target.file.file_type UDM field is set to FILE_TYPE_DIVX.
Else, if the upload_filetype log field value matches the regular expression (?i)(com), then the target.file.file_type UDM field is set to FILE_TYPE_DOS_COM.
Else, if the upload_filetype log field value matches the regular expression (?i)(dwg), then the target.file.file_type UDM field is set to FILE_TYPE_DWG.
Else, if the upload_filetype log field value matches the regular expression (?i)(dxf), then the target.file.file_type UDM field is set to FILE_TYPE_DXF.
Else, if the upload_filetype log field value matches the regular expression (?i)(dyalog), then the target.file.file_type UDM field is set to FILE_TYPE_DYALOG.
Else, if the upload_filetype log field value matches the regular expression (?i)(dzip), then the target.file.file_type UDM field is set to FILE_TYPE_DZIP.
Else, if the upload_filetype log field value matches the regular expression (?i)(epub|mobi|azw), then the target.file.file_type UDM field is set to FILE_TYPE_EBOOK.
Else, if the upload_filetype log field value matches the regular expression (?i)(elf), then the target.file.file_type UDM field is set to FILE_TYPE_ELF.
Else, if the upload_filetype log field value matches the regular expression (?i)(eml), then the target.file.file_type UDM field is set to FILE_TYPE_EMAIL_TYPE.
Else, if the upload_filetype log field value matches the regular expression (?i)(emf), then the target.file.file_type UDM field is set to FILE_TYPE_EMF.
Else, if the upload_filetype log field value matches the regular expression (?i)(eot), then the target.file.file_type UDM field is set to FILE_TYPE_EOT.
Else, if the upload_filetype log field value matches the regular expression (?i)(eps), then the target.file.file_type UDM field is set to FILE_TYPE_EPS.
Else, if the upload_filetype log field value matches the regular expression (?i)(flac), then the target.file.file_type UDM field is set to FILE_TYPE_FLAC.
Else, if the upload_filetype log field value matches the regular expression (?i)(fla), then the target.file.file_type UDM field is set to FILE_TYPE_FLA.
Else, if the upload_filetype log field value matches the regular expression (?i)(fli), then the target.file.file_type UDM field is set to FILE_TYPE_FLI.
Else, if the upload_filetype log field value matches the regular expression (?i)(flc), then the target.file.file_type UDM field is set to FILE_TYPE_FLC.
Else, if the upload_filetype log field value matches the regular expression (?i)(flv), then the target.file.file_type UDM field is set to FILE_TYPE_FLV.
Else, if the upload_filetype log field value matches the regular expression (?i)(fpx), then the target.file.file_type UDM field is set to FILE_TYPE_FPX.
Else, if the upload_filetype log field value matches the regular expression (?i)(xcf), then the target.file.file_type UDM field is set to FILE_TYPE_GIMP.
Else, if the upload_filetype log field value matches the regular expression (?i)(go), then the target.file.file_type UDM field is set to FILE_TYPE_GOLANG.
Else, if the upload_filetype log field value matches the regular expression (?i)(gul), then the target.file.file_type UDM field is set to FILE_TYPE_GUL.
Else, if the upload_filetype log field value matches the regular expression (?i)(hwp), then the target.file.file_type UDM field is set to FILE_TYPE_HWP.
Else, if the upload_filetype log field value matches the regular expression (?i)(ico), then the target.file.file_type UDM field is set to FILE_TYPE_ICO.
Else, if the upload_filetype log field value matches the regular expression (?i)(indd|idml), then the target.file.file_type UDM field is set to FILE_TYPE_IN_DESIGN.
Else, if the upload_filetype log field value matches the regular expression (?i)(ipa), then the target.file.file_type UDM field is set to FILE_TYPE_IPHONE.
Else, if the upload_filetype log field value matches the regular expression (?i)(ips), then the target.file.file_type UDM field is set to FILE_TYPE_IPS.
Else, if the upload_filetype log field value matches the regular expression (?i)(iso), then the target.file.file_type UDM field is set to FILE_TYPE_ISOIMAGE.
Else, if the upload_filetype log field value matches the regular expression (?i)(java) AND the upload_filetype log field value does NOT match the regular expression (?i)(javascript), then the target.file.file_type UDM field is set to FILE_TYPE_JAVA.
Else, if the upload_filetype log field value matches the regular expression (?i)(class), then the target.file.file_type UDM field is set to FILE_TYPE_JAVA_BYTECODE.
Else, if the upload_filetype log field value matches the regular expression (?i)(jmod), then the target.file.file_type UDM field is set to FILE_TYPE_JMOD.
Else, if the upload_filetype log field value matches the regular expression (?i)(jng), then the target.file.file_type UDM field is set to FILE_TYPE_JNG.
Else, if the upload_filetype log field value matches the regular expression (?i)(json), then the target.file.file_type UDM field is set to FILE_TYPE_JSON.
Else, if the upload_filetype log field value matches the regular expression (?i)(js), then the target.file.file_type UDM field is set to FILE_TYPE_JAVASCRIPT.
Else, if the upload_filetype log field value matches the regular expression (?i)(kgb), then the target.file.file_type UDM field is set to FILE_TYPE_KGB.
Else, if the upload_filetype log field value matches the regular expression (?i)(tex), then the target.file.file_type UDM field is set to FILE_TYPE_LATEX.
Else, if the upload_filetype log field value matches the regular expression (?i)(lzfse), then the target.file.file_type UDM field is set to FILE_TYPE_LZFSE.
Else, if the upload_filetype log field value matches the regular expression (?i)(vmlinuz|ko), then the target.file.file_type UDM field is set to FILE_TYPE_LINUX_KERNEL.
Else, if the upload_filetype log field value matches the regular expression (?i)(bundle|framework), then the target.file.file_type UDM field is set to FILE_TYPE_MACH_O.
Else, if the log message matches the regular expression (?i)(\\bmach\\b) AND the upload_filetype log field value matches the regular expression (?i)(dylib|o), then the target.file.file_type UDM field is set to FILE_TYPE_MACH_O.
Else, if the upload_filetype log field value matches the regular expression (?i)(so|initrd|vmlinux|pkg.tar.zst|ext4|ext3|ext2|swap), then the target.file.file_type UDM field is set to FILE_TYPE_LINUX.
Else, if the upload_filetype log field value matches the regular expression (?i)(ini), then the target.file.file_type UDM field is set to FILE_TYPE_INI.
Else, if the log message matches the regular expression (?i)(\\blinux\\b) AND the upload_filetype log field value matches the regular expression sfs, then the target.file.file_type UDM field is set to FILE_TYPE_LINUX.
Else, if the upload_filetype log field value matches the regular expression (?i)(lnk), then the target.file.file_type UDM field is set to FILE_TYPE_LNK.
Else, if the upload_filetype log field value matches the regular expression (?i)(m4), then the target.file.file_type UDM field is set to FILE_TYPE_M4.
Else, if the upload_filetype log field value matches the regular expression (?i)(midi|mid), then the target.file.file_type UDM field is set to FILE_TYPE_MIDI.
Else, if the upload_filetype log field value matches the regular expression (?i)(mkv), then the target.file.file_type UDM field is set to FILE_TYPE_MKV.
Else, if the upload_filetype log field value matches the regular expression (?i)(mpg|mpeg), then the target.file.file_type UDM field is set to FILE_TYPE_MPEG.
Else, if the upload_filetype log field value matches the regular expression (?i)(sz_), then the target.file.file_type UDM field is set to FILE_TYPE_MSCOMPRESS.
Else, if the upload_filetype log field value matches the regular expression (?i)(dll), then the target.file.file_type UDM field is set to FILE_TYPE_NE_DLL.
Else, if the upload_filetype log field value matches the regular expression (?i)(odg), then the target.file.file_type UDM field is set to FILE_TYPE_ODG.
Else, if the upload_filetype log field value matches the regular expression (?i)(odp), then the target.file.file_type UDM field is set to FILE_TYPE_ODP.
Else, if the upload_filetype log field value matches the regular expression (?i)(ods), then the target.file.file_type UDM field is set to FILE_TYPE_ODS.
Else, if the upload_filetype log field value matches the regular expression (?i)(odt), then the target.file.file_type UDM field is set to FILE_TYPE_ODT.
Else, if the upload_filetype log field value matches the regular expression (?i)(ogg|oga|ogv), then the target.file.file_type UDM field is set to FILE_TYPE_OGG.
Else, if the upload_filetype log field value matches the regular expression (?i)(one) AND the upload_filetype log field value does NOT match the regular expression (?i)(none), then the target.file.file_type UDM field is set to FILE_TYPE_ONE_NOTE.
Else, if the upload_filetype log field value matches the regular expression (?i)(pst|ost), then the target.file.file_type UDM field is set to FILE_TYPE_OUTLOOK.
Else, if the log message matches the regular expression (?i)(\\boutlook\\b) AND the upload_filetype log field value matches the regular expression (?i)(msg), then the target.file.file_type UDM field is set to FILE_TYPE_OUTLOOK.
Else, if the log message matches the regular expression (?i)(\\bemail\\b) AND the upload_filetype log field value matches the regular expression (?i)(msg), then the target.file.file_type UDM field is set to FILE_TYPE_EMAIL_TYPE.
Else, if the upload_filetype log field value matches the regular expression (?i)(prc), then the target.file.file_type UDM field is set to FILE_TYPE_PALMOS.
Else, if the upload_filetype log field value matches the regular expression (?i)(pdb), then the target.file.file_type UDM field is set to FILE_TYPE_PDB.
Else, if the upload_filetype log field value matches the regular expression (?i)(pem), then the target.file.file_type UDM field is set to FILE_TYPE_PEM.
Else, if the upload_filetype log field value matches the regular expression (?i)(pgp|gpg|asc), then the target.file.file_type UDM field is set to FILE_TYPE_PGP.
Else, if the upload_filetype log field value matches the regular expression (?i)(php), then the target.file.file_type UDM field is set to FILE_TYPE_PHP.
Else, if the upload_filetype log field value matches the regular expression (?i)(pkg), then the target.file.file_type UDM field is set to FILE_TYPE_PKG.
Else, if the upload_filetype log field value matches the regular expression (?i)(ps1|psm1), then the target.file.file_type UDM field is set to FILE_TYPE_POWERSHELL.
Else, if the upload_filetype log field value matches the regular expression (?i)(ppsx), then the target.file.file_type UDM field is set to FILE_TYPE_PPSX.
Else, if the upload_filetype log field value matches the regular expression (?i)(psd), then the target.file.file_type UDM field is set to FILE_TYPE_PSD.
Else, if the upload_filetype log field value matches the regular expression (?i)(ps), then the target.file.file_type UDM field is set to FILE_TYPE_PS.
Else, if the upload_filetype log field value matches the regular expression (?i)(pyc), then the target.file.file_type UDM field is set to FILE_TYPE_PYC.
Else, if the upload_filetype log field value matches the regular expression (?i)(py|pyw), then the target.file.file_type UDM field is set to FILE_TYPE_PYTHON.
Else, if the upload_filetype log field value matches the regular expression (?i)(whl), then the target.file.file_type UDM field is set to FILE_TYPE_PYTHON_WHL.
Else, if the upload_filetype log field value matches the regular expression (?i)(qt), then the target.file.file_type UDM field is set to FILE_TYPE_QUICKTIME.
Else, if the upload_filetype log field value matches the regular expression (?i)(rm|rmvb), then the target.file.file_type UDM field is set to FILE_TYPE_RM.
Else, if the upload_filetype log field value matches the regular expression (?i)(rom|bin), then the target.file.file_type UDM field is set to FILE_TYPE_ROM.
Else, if the upload_filetype log field value matches the regular expression (?i)(rpm), then the target.file.file_type UDM field is set to FILE_TYPE_RPM.
Else, if the upload_filetype log field value matches the regular expression (?i)(rtf), then the target.file.file_type UDM field is set to FILE_TYPE_RTF.
Else, if the upload_filetype log field value matches the regular expression (?i)(rb), then the target.file.file_type UDM field is set to FILE_TYPE_RUBY.
Else, if the upload_filetype log field value matches the regular expression (?i)(rz), then the target.file.file_type UDM field is set to FILE_TYPE_RZIP.
Else, if the upload_filetype log field value matches the regular expression (?i)(7z), then the target.file.file_type UDM field is set to FILE_TYPE_SEVENZIP.
Else, if the upload_filetype log field value matches the regular expression (?i)(sgml|sgm), then the target.file.file_type UDM field is set to FILE_TYPE_SGML.
Else, if the upload_filetype log field value matches the regular expression (?i)(bash|csh|zsh), then the target.file.file_type UDM field is set to FILE_TYPE_SHELLSCRIPT.
Else, if the upload_filetype log field value matches the regular expression (?i)(sql), then the target.file.file_type UDM field is set to FILE_TYPE_SQL.
Else, if the upload_filetype log field value matches the regular expression (?i)(sqfs|sfs), then the target.file.file_type UDM field is set to FILE_TYPE_SQUASHFS.
Else, if the upload_filetype log field value matches the regular expression (?i)(svg), then the target.file.file_type UDM field is set to FILE_TYPE_SVG.
Else, if the upload_filetype log field value matches the regular expression (?i)(swf), then the target.file.file_type UDM field is set to FILE_TYPE_SWF.
Else, if the upload_filetype log field value matches the regular expression (?i)(sis|sisx), then the target.file.file_type UDM field is set to FILE_TYPE_SYMBIAN.
Else, if the upload_filetype log field value matches the regular expression (?i)(3gp), then the target.file.file_type UDM field is set to FILE_TYPE_T3GP.
Else, if the upload_filetype log field value matches the regular expression (?i)(tar), then the target.file.file_type UDM field is set to FILE_TYPE_TAR.
Else, if the upload_filetype log field value matches the regular expression (?i)(tga), then the target.file.file_type UDM field is set to FILE_TYPE_TARGA.
Else, if the upload_filetype log field value matches the regular expression (?i)(3ds|max), then the target.file.file_type UDM field is set to FILE_TYPE_THREEDS.
Else, if the upload_filetype log field value matches the regular expression (?i)(tif|tiff), then the target.file.file_type UDM field is set to FILE_TYPE_TIFF.
Else, if the upload_filetype log field value matches the regular expression (?i)(torrent), then the target.file.file_type UDM field is set to FILE_TYPE_TORRENT.
Else, if the upload_filetype log field value matches the regular expression (?i)(ttf), then the target.file.file_type UDM field is set to FILE_TYPE_TTF.
Else, if the upload_filetype log field value matches the regular expression (?i)(vba), then the target.file.file_type UDM field is set to FILE_TYPE_VBA.
Else, if the upload_filetype log field value matches the regular expression (?i)(vhd|vhdx), then the target.file.file_type UDM field is set to FILE_TYPE_VHD.
Else, if the upload_filetype log field value matches the regular expression (?i)(wav), then the target.file.file_type UDM field is set to FILE_TYPE_WAV.
Else, if the upload_filetype log field value matches the regular expression (?i)(webm), then the target.file.file_type UDM field is set to FILE_TYPE_WEBM.
Else, if the upload_filetype log field value matches the regular expression (?i)(webp), then the target.file.file_type UDM field is set to FILE_TYPE_WEBP.
Else, if the upload_filetype log field value matches the regular expression (?i)(wer), then the target.file.file_type UDM field is set to FILE_TYPE_WER.
Else, if the upload_filetype log field value matches the regular expression (?i)(wma), then the target.file.file_type UDM field is set to FILE_TYPE_WMA.
Else, if the upload_filetype log field value matches the regular expression (?i)(wmv), then the target.file.file_type UDM field is set to FILE_TYPE_WMV.
Else, if the upload_filetype log field value matches the regular expression (?i)(woff|woff2), then the target.file.file_type UDM field is set to FILE_TYPE_WOFF.
Else, if the upload_filetype log field value matches the regular expression (?i)(xml), then the target.file.file_type UDM field is set to FILE_TYPE_XML.
Else, if the upload_filetype log field value matches the regular expression (?i)(xpi), then the target.file.file_type UDM field is set to FILE_TYPE_XPI.
Else, if the upload_filetype log field value matches the regular expression (?i)(xwd), then the target.file.file_type UDM field is set to FILE_TYPE_XWD.
Else, if the upload_filetype log field value matches the regular expression (?i)(zst), then the target.file.file_type UDM field is set to FILE_TYPE_ZST.
Else, if the upload_filetype log field value matches the regular expression (?i)(Makefile|makefile|mk), then the target.file.file_type UDM field is set to FILE_TYPE_MAKEFILE.
Else, if the upload_filetype log field value matches the regular expression (?i)(zlib), then the target.file.file_type UDM field is set to FILE_TYPE_ZLIB.
Else, if the upload_filetype log field value matches the regular expression (?i)(hqx), then the target.file.file_type UDM field is set to FILE_TYPE_MACINTOSH.
Else, if the upload_filetype log field value matches the regular expression (?i)(hfs|dsk|toast), then the target.file.file_type UDM field is set to FILE_TYPE_MACINTOSH_HFS.
Else, if the upload_filetype log field value matches the regular expression (?i)(bh|log|dat), then the target.file.file_type UDM field is set to FILE_TYPE_BLACKHOLE.
Else, if the log message matches the regular expression (?i)(\\bcookie\\b) AND the upload_filetype log field value matches the regular expression (?i)(txt), then the target.file.file_type UDM field is set to FILE_TYPE_COOKIE.
Else, if the upload_filetype log field value matches the regular expression (?i)(txt), then the target.file.file_type UDM field is set to FILE_TYPE_TEXT.
Else, if the upload_filetype log field value matches the regular expression (?i)(docx|xlsx|pptx), then the target.file.file_type UDM field is set to FILE_TYPE_OOXML.
Else, if the upload_filetype log field value matches the regular expression (?i)(odt|ods|odp|odg), then the target.file.file_type UDM field is set to FILE_TYPE_ODF.
Else, if the upload_filetype log field value matches the regular expression (?i)(for|f90|f95), then the target.file.file_type UDM field is set to FILE_TYPE_FORTRAN.
Else, if the log message matches the regular expression (?i)(\\bwince\\b) AND the upload_filetype log field value matches the regular expression (?i)(exe|cab|dll), then the target.file.file_type UDM field is set to FILE_TYPE_WINCE.
Else, if the log message matches the regular expression (?i)(\\bscript\\b) AND the upload_filetype log field value matches the regular expression (?i)(py|js|pl|rb), then the target.file.file_type UDM field is set to FILE_TYPE_SCRIPT.
Else, if the log message matches the regular expression (?i)(\\bapplesingle\\b) AND the upload_filetype log field value matches the regular expression (?i)(as|bin), then the target.file.file_type UDM field is set to FILE_TYPE_APPLESINGLE.
Else, if the log message matches the regular expression (?i)(\\bmacintosh\\b) AND the upload_filetype log field value matches the regular expression (?i)(dylib|a), then the target.file.file_type UDM field is set to FILE_TYPE_MACINTOSH_LIB.
Else, if the log message matches the regular expression (?i)(\\bappledouble\\b) AND the upload_filetype log field value matches the regular expression (?i)(ad|._), then the target.file.file_type UDM field is set to FILE_TYPE_APPLEDOUBLE.
Else, if the log message matches the regular expression (?i)(\\bobjetivec\\b) AND the upload_filetype log field value matches the regular expression (?i)(m|mm|h), then the target.file.file_type UDM field is set to FILE_TYPE_OBJETIVEC.
Else, if the upload_filetype log field value matches the regular expression (?i)(obj|lib), then the target.file.file_type UDM field is set to FILE_TYPE_COFF.
Else, if the log message matches the regular expression (?i)(\\bcpp\\b) AND the upload_filetype log field value matches the regular expression (?i)(hpp|cpp|cc|cxx|h), then the target.file.file_type UDM field is set to FILE_TYPE_CPP.
Else, if the upload_filetype log field value matches the regular expression (?i)(pas|pp), then the target.file.file_type UDM field is set to FILE_TYPE_PASCAL.
Else, if the upload_filetype log field value matches the regular expression (?i)(pl|pm), then the target.file.file_type UDM field is set to FILE_TYPE_PERL.
Else, if the upload_filetype log field value matches the regular expression (?i)\\bsh\\b, then the target.file.file_type UDM field is set to FILE_TYPE_SHELLSCRIPT.
Else, if the upload_filetype log field value matches the regular expression (?i)\\bc\\b$, then the target.file.file_type UDM field is set to FILE_TYPE_C.
Else, if the upload_filetype log field value matches the regular expression (?i)\\bn\\b$, then the target.file.file_type UDM field is set to FILE_TYPE_NEKO.
Else, if the upload_filetype log field value matches the regular expression (?i)\\bf\\b, then the target.file.file_type UDM field is set to FILE_TYPE_FORTRAN.
Else, the UDM field additional.fields.key is set to file_type and the log field value upload_filetype is mapped to the additional.fields.value UDM field, provided the upload_filetype value is not empty.
upload_filename target.file.full_path If the filename log field value is equal to None and the upload_filename log field value is not equal to None, then the upload_filename log field is mapped to the target.file.full_path UDM field.
Else, if the filename log field value is not equal to None and the upload_filename log field value is not equal to None, then the upload_filename log field is mapped to the target.resource.attribute.labels[upload_filename] UDM field.
b64upload_filename target.file.full_path If the filename log field value is equal to None and the b64upload_filename log field value is not equal to None, then the b64upload_filename log field is mapped to the target.file.full_path UDM field.
Else, if the filename log field value is not equal to None and the b64upload_filename log field value is not equal to None, then the b64upload_filename log field is mapped to the target.resource.attribute.labels[upload_filename] UDM field.
eupload_filename target.file.full_path If the filename log field value is equal to None and the eupload_filename log field value is not equal to None, then the eupload_filename log field is mapped to the target.file.full_path UDM field.
Else, if the filename log field value is not equal to None and the eupload_filename log field value is not equal to None, then the eupload_filename log field is mapped to the target.resource.attribute.labels[upload_filename] UDM field.
upload_filesubtype additional.fields[upload_filesubtype]
upload_doctypename additional.fields[upload_doctypename]
unscannabletype security_result.detection_fields[unscannabletype]
rdr_rulename intermediary.security_result.rule_name
b64rdr_rulename intermediary.security_result.rule_name
intermediary.resource.resource_type If the rdr_rulename log field value is not empty, then the intermediary.resource.resource_type UDM field is set to GATEWAY.
ordr_rulename additional.fields[ordr_rulename]
fwd_type intermediary.resource.attribute.labels[fwd_type]
fwd_gw_name intermediary.resource.name
b64fwd_gw_name intermediary.resource.name
ofwd_gw_name security_result.detection_fields[ofwd_gw_name]
fwd_gw_ip intermediary.ip
zpa_app_seg_name additional.fields[zpa_app_seg_name]
b64zpa_app_seg_name additional.fields[zpa_app_seg_name]
ozpa_app_seg_name additional.fields[ozpa_app_seg_name]
reqdatasize additional.fields[reqdatasize]
reqhdrsize additional.fields[reqhdrsize]
requestsize network.sent_bytes
respdatasize additional.fields[respdatasize]
resphdrsize additional.fields[resphdrsize]
responsesize network.received_bytes
transactionsize additional.fields[transactionsize]
contenttype target.file.mime_type
df_hosthead security_result.detection_fields[df_hosthead]
df_hostname security_result.detection_fields[df_hostname]
hostname target.hostnametarget.asset.hostname
b64host target.hostnametarget.asset.hostname
ehost target.hostnametarget.asset.hostname
refererURL network.http.referral_url
b64referer network.http.referral_url
ereferer network.http.referral_url
erefererpath additional.fields[erefererpath]
refererhost additional.fields[refererhost]
erefererhost additional.fields[refererhost]
requestmethod network.http.method
reqversion additional.fields[reqversion]
status network.http.response_code
respversion additional.fields[respversion]
ua_token additional.fields[ua_token]
useragent network.http.user_agent
b64ua network.http.user_agent
eua network.http.user_agent
useragent network.http.parsed_user_agent
b64ua network.http.parsed_user_agent
eua network.http.parsed_user_agent
uaclass additional.fields[uaclass]
url target.url
b64url target.url
eurl target.url
eurlpath additional.fields[eurlpath]
mobappname additional.fields[mobappname]
b64mobappname additional.fields[mobappname]
emobappname additional.fields[mobappname]
mobappcat additional.fields[mobappcat]
mobdevtype additional.fields[mobdevtype]
clt_sport principal.port
ClientIP principal.ip
ocip security_result.detection_fields[ocip]
cpubip additional.fields[cpubip]
ocpubip additional.fields[ocpubip]
clientpublicIP principal.nat_ip
serverip target.ip
network.application_protocol If the protocol log field value contain one of the following values, then the network.application_protocol UDM field is set to HTTP.
  • HTTP
  • HTTP_PROXY
Else, if the protocol log field value contain one of the following values, then the network.application_protocol UDM field is set to HTTPS.
  • HTTPS
  • SSL
  • TUNNEL_SSL
  • DNSOVERHTTPS
  • TUNNEL
Else, the network.application_protocol UDM field is set to UNKNOWN_APPLICATION_PROTOCOL.
alpnprotocol additional.fields[alpnprotocol]
trafficredirectmethod intermediary.resource.attribute.labels[trafficredirectmethod]
location principal.location.name
elocation principal.location.name
userlocationname principal.location.name If the userlocationname log field value is not equal to None, then the userlocationname log field is mapped to the principal.location.name UDM field.
b64userlocationname principal.location.name
euserlocationname principal.location.name
rulelabel security_result.rule_name If the action log field value is equal to Blocked, then the rulelabel log field is mapped to the security_result.rule_name UDM field.
b64rulelabel security_result.rule_name
erulelabel security_result.rule_name
ruletype security_result.rule_type
reason security_result.description If the action log field value is equal to Blocked, then the reason log field is mapped to the security_result.description UDM field.
action security_result.action_details
security_result.action If the action log field value is equal to Allowed, then the security_result.action UDM field is set to ALLOW.

Else, if the action log field value is equal to Blocked, then the security_result.action UDM field is set to BLOCK.
urlfilterrulelabel security_result.rule_name
b64urlfilterrulelabel security_result.rule_name
eurlfilterrulelabel security_result.rule_name
ourlfilterrulelabel security_result.detection_fields[ourlfilterrulelabel]
apprulelabel target.security_result.rule_name
b64apprulelabel target.security_result.rule_name
oapprulelabel security_result.detection_fields[oapprulelabel]
bamd5 target.file.md5
sha256 target.file.sha256
ssldecrypted security_result.detection_fields[ssldecrypted]
externalspr security_result.about.artifact.last_https_certificate.extension.certificate_policies
keyprotectiontype security_result.about.artifact.last_https_certificate.extension.key_usage
clientsslcipher network.tls.client.supported_ciphers
clienttlsversion network.tls.version
clientsslsessreuse security_result.detection_fields[clientsslsessreuse]
cltsslfailreason security_result.detection_fields[cltsslfailreason]
cltsslfailcount security_result.detection_fields[cltsslfailcount]
srvsslcipher network.tls.cipher
srvtlsversion security_result.detection_fields[srvtlsversion]
srvocspresult security_result.detection_fields[srvocspresult]
srvcertchainvalpass security_result.detection_fields[srvcertchainvalpass]
srvwildcardcert security_result.detection_fields[srvwildcardcert]
serversslsessreuse security_result.detection_fields[server_ssl_sess_reuse]
srvcertvalidationtype security_result.detection_fields[srvcertvalidationtype]
srvcertvalidityperiod security_result.detection_fields[srvcertvalidityperiod]
is_ssluntrustedca security_result.detection_fields[is_ssluntrustedca]
is_sslselfsigned security_result.detection_fields[is_sslselfsigned]
is_sslexpiredca security_result.detection_fields[is_sslexpiredca]
pagerisk security_result.risk_score
security_result.severity If the pagerisk log field value is greater than or equal to 90 and the pagerisk log field value is less than or equal to 100, then the security_result.severity UDM field is set to CRITICAL.

If the pagerisk log field value is greater than or equal to 75 and the pagerisk log field value is less than or equal to 89, then the security_result.severity UDM field is set to HIGH.

If the pagerisk log field value is greater than or equal to 46 and the pagerisk log field value is less than or equal to 74, then the security_result.severity UDM field is set to MEDIUM.

If the pagerisk log field value is greater than or equal to 1 and the pagerisk log field value &is less than or equal to 45, then the security_result.severity UDM field is set to LOW.

If the pagerisk log field value is equal to 0, then the security_result.severity UDM field is set to NONE.
threatseverity security_result.severity_details If the pagerisk log field value is not empty and the threatseverity log field value is not empty, then the security_result.severity_details UDM field is set to %{pagerisk} - %{threatseverity}.

Else, if the threatseverity log field value is not empty, then the threatseverity log field is mapped to the security_result.severity_details UDM field.
activity additional.fields[activity]
is_dst_cntry_risky additional.fields[is_dst_cntry_risky]
is_src_cntry_risky additional.fields[is_src_cntry_risky]
prompt_req additional.fields[prompt_req]
srcip_country principal.ip_geo_artifact.location.country_or_region
pcapid security_result.about.file.full_path
all_dlprulenames security_result.rule_labels[all_dlprulenames]
other_dlprulenames security_result.rule_labels[other_dlprulenames]
trig_dlprulename security_result.rule_name
dstip_country target.ip_geo_artifact.location.country_or_region
srv_dport target.port
inst_level2_name target.resource_ancestors.name
inst_level3_name target.resource_ancestors.name
inst_level2_id target.resource_ancestors.product_object_id
inst_level3_id target.resource_ancestors.product_object_id
inst_level2_type target.resource_ancestors.resource_subtype
inst_level3_type target.resource_ancestors.resource_subtype
target.resource_ancestors.resource_type If the inst_level2_type log field value matches the regular expression pattern organization then, the target.resource_ancestors.resource_type UDM field is set to CLOUD_ORGANIZATION.
Else, if inst_level2_type log field value matches the regular expression pattern service then, the target.resource_ancestors.resource_type UDM field is set to BACKEND_SERVICE.
Else, if inst_level2_type log field value matches the regular expression pattern policy then, the target.resource_ancestors.resource_type UDM field is set to ACCESS_POLICY.
Else, if inst_level2_type log field value matches the regular expression pattern project then, the target.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT.
Else, if inst_level2_type log field value matches the regular expression pattern cluster then, the target.resource_ancestors.resource_type UDM field is set to CLUSTER.
Else, if inst_level2_type log field value matches the regular expression pattern container then, the target.resource_ancestors.resource_type UDM field is set to CONTAINER.
Else, if inst_level2_type log field value matches the regular expression pattern pod then, the target.resource_ancestors.resource_type UDM field is set to POD.
Else, if inst_level2_type log field value matches the regular expression pattern repository then, the target.resource_ancestors.resource_type UDM field is set to REPOSITORY.
If the inst_level3_type log field value matches the regular expression pattern organization then, the target.resource_ancestors.resource_type UDM field is set to CLOUD_ORGANIZATION.
Else, if inst_level3_type log field value matches the regular expression pattern service then, the target.resource_ancestors.resource_type UDM field is set to BACKEND_SERVICE.
Else, if inst_level3_type log field value matches the regular expression pattern policy then, the target.resource_ancestors.resource_type UDM field is set to ACCESS_POLICY.
Else, if inst_level3_type log field value matches the regular expression pattern project then, the target.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT.
Else, if inst_level3_type log field value matches the regular expression pattern cluster then, the target.resource_ancestors.resource_type UDM field is set to CLUSTER.
Else, if inst_level3_type log field value matches the regular expression pattern container then, the target.resource_ancestors.resource_type UDM field is set to CONTAINER.
Else, if inst_level3_type log field value matches the regular expression pattern pod then, the target.resource_ancestors.resource_type UDM field is set to POD.
Else, if inst_level3_type log field value matches the regular expression pattern repository then, the target.resource_ancestors.resource_type UDM field is set to REPOSITORY.
inst_level1_name target.resource.name
inst_level1_id target.resource.product_object_id
inst_level1_type target.resource.resource_subtype
target.resource.resource_type If the inst_level1_type log field value matches the regular expression pattern organization then, the target.resource.resource_type UDM field is set to CLOUD_ORGANIZATION.
Else, if inst_level1_type log field value matches the regular expression pattern service then, the target.resource.resource_type UDM field is set to BACKEND_SERVICE.
Else, if inst_level1_type log field value matches the regular expression pattern policy then, the target.resource.resource_type UDM field is set to ACCESS_POLICY.
Else, if inst_level1_type log field value matches the regular expression pattern project then, the target.resource.resource_type UDM field is set to CLOUD_PROJECT.
Else, if inst_level1_type log field value matches the regular expression pattern cluster then, the target.resource.resource_type UDM field is set to CLUSTER.
Else, if inst_level1_type log field value matches the regular expression pattern container then, the target.resource.resource_type UDM field is set to CONTAINER.
Else, if inst_level1_type log field value matches the regular expression pattern pod then, the target.resource.resource_type UDM field is set to POD.
Else, if inst_level1_type log field value matches the regular expression pattern repository then, the target.resource.resource_type UDM field is set to REPOSITORY.
app_status target.security_result.detection_fields[app_status]
threatname security_result.threat_name
b64threatname security_result.threat_name
threatcategory security_result.associations.name
threatclass security_result.associations.description
urlclass security_result.detection_fields[urlclass]
urlsupercategory security_result.category_details
urlcategory security_result.category_details
b64urlcat security_result.category_details
ourlcat security_result.detection_fields[ourlcat]
urlcatmethod security_result.detection_fields[urlcatmethod]
bypassed_traffic security_result.detection_fields[bypassed_traffic]
bypassed_etime security_result.detection_fields[bypassed_etime]
deviceappversion additional.fields[deviceappversion]
devicehostname principal.asset.hostname
odevicehostname security_result.detection_fields[odevicehostname]
devicemodel principal.asset.hardware.model
devicename principal.asset.asset_id
odevicename security_result.detection_fields[odevicename]
principal.asset.platform_software.platform If the deviceostype log field value matches the regular expression pattern (?i)iOS, then the principal.asset.platform_software.platform UDM field is set to IOS.

Else, if the deviceostype log field value matches the regular expression pattern (?i)Android, then the principal.asset.platform_software.platform UDM field is set to ANDROID.

Else, if the deviceostype log field value matches the regular expression pattern (?i)Windows, then the principal.asset.platform_software.platform UDM field is set to WINDOWS.

Else, if the deviceostype log field value matches the regular expression pattern (?i)MAC, then the principal.asset.platform_software.platform UDM field is set to MAC.

Else, if the deviceostype log field value matches the regular expression pattern (?i)Other, then the principal.asset.platform_software.platform UDM field is set to UNKNOWN_PLATFORM.
deviceosversion principal.asset.software.version
deviceowner principal.asset.attribute.labels[deviceowner]
odeviceowner security_result.detection_fields[odeviceowner]
devicetype principal.asset.category
external_devid additional.fields[external_devid]
flow_type additional.fields[flow_type]
ztunnelversion additional.fields[ztunnelversion]
event_id metadata.product_log_id
productversion metadata.product_version
nsssvcip about.ip
eedone additional.fields[eedone]
ssl_rulename security_result.rule_name
client_tls_keyex_pqc_offers additional.fields[client_tls_keyex_pqc_offers]
client_tls_keyex_hybrid_offers additional.fields[client_tls_keyex_hybrid_offers]
client_tls_keyex_unknown_offers additional.fields[client_tls_keyex_unknown_offers]
client_tls_sig_pqc_offers additional.fields[client_tls_sig_pqc_offers]
client_tls_sig_non_pqc_offers additional.fields[client_tls_sig_non_pqc_offers]
client_tls_sig_hybrid_offers additional.fields[client_tls_sig_hybrid_offers]
client_tls_sig_unknown_offers additional.fields[client_tls_sig_unknown_offers]
client_tls_keyex_alg additional.fields[client_tls_keyex_alg]
client_tls_sig_alg additional.fields[client_tls_sig_alg]
server_tls_keyex_alg additional.fields[server_tls_keyex_alg]
server_tls_sig_alg additional.fields[server_tls_sig_alg]
time additional.fields[time]
ft_rulename security_result.rule_name
upload_doc_sub_type additional.fields[upload_doc_sub_type]
client_tls_keyex_non_pqc_offers additional.fields[client_tls_keyex_non_pqc_offers]

도움이 더 필요하신가요? 커뮤니티 회원 및 Google SecOps 전문가에게 문의하여 답변을 받으세요.