gcp_dns_modification.yaral tuning issue

Hi all, I'm working on tuning the YARA-L rule gcp_cloudaudit/gcp_dns_modification.yaral from the GitHub repo. When I look at detection vs rules languages, the UDM field target.user.email_addresses isn't present in our procedural filtering. The UDM field that looks the most alike, and has an email address, is target.user.userid.

  1. I want to know if target.user.email_addresses is still a valid field. If not, what is it replaced by?
  2. Other question: our goal would be to exclude all DNS operations made by container-engine-robot.iam.gserviceaccount.com, which is a GKE-managed SA by GCP. We are under the impression that this SA is managed by Google, and that it would be a tiny risk that a threat actor could take over this account.

Thanks for your help, 
