Registros de contexto das funções do Google Cloud Run

Neste documento, descrevemos como os campos dos registros de contexto das funções do Google Cloud Run são mapeados para os campos do Modelo de dados unificado (UDM, na sigla em inglês) das Operações de segurança do Google.

Um rótulo de ingestão identifica o analisador que normaliza dados de registro brutos ao formato UDM estruturado. As informações neste documento se aplicam ao analisador com o rótulo de transferência GCP_CLOUD_FUNCTIONS_CONTEXT.

Para informações sobre outros analisadores de contexto compatíveis com o Google Security Operations, consulte Analisadores de contexto do Google Security Operations.

Referência do mapeamento de campo

Esta seção explica como o analisador das Operações de segurança do Google mapeia os campos de registros de contexto das funções do Google Cloud Run para os campos de UDM das Operações de segurança do Google.

Log field UDM mapping Logic
entity.relations.resource.resource_type The entity.relations.resource.resource_type UDM field is set to CLOUD_PROJECT.
entity.relations.resource.resource_subtype The entity.relations.resource.resource_subtype UDM field is set to project.
entity.relations.resource_ancestors.resource_type If the ancestor log field value matches the regular expression pattern organizations, then the entity.relations.resource_ancestors.resource_type UDM field is set to CLOUD_ORGANIZATION.

Else, if the ancestor log field value matches the regular expression pattern folders, then the entity.relations.resource_ancestors.resource_type UDM field is set to STORAGE_OBJECT.
entity.relations.resource_ancestors.resource_subtype If the ancestor log field value matches the regular expression pattern organizations, then the entity.relations.resource_ancestors.resource_subtype UDM field is set to organizations.

Else, if the ancestor log field value matches the regular expression pattern folders, then the entity.relations.resource_ancestors.resource_subtype UDM field is set to folders.
entity.relations.relationship The entity.relations.relationship UDM field is set to MEMBER.
resource.parent, ancestors[] entity.relations.entity.resource.name If the resource.parent log field value is empty, then the ancestors.0 log field is mapped to the relations.entity.resource.name UDM field.
ancestors[] entity.relations.entity.resource_ancestors.name If the ancestor log field value is not a substring of resource.parent log field value, then the ancestors log field is mapped to the relations.entity.resource_ancestors.name UDM field.
entity.relations.entity_type The entity.relations.entity_type UDM field is set to RESOURCE.
entity.relations.direction The entity.relations.direction UDM field is set to UNIDIRECTIONAL.
entity.metadata.vendor_name The entity.metadata.vendor_name UDM field is set to Google Cloud Platform.
resource.version entity.metadata.product_version
entity.metadata.product_name The entity.metadata.product_name UDM field is set to GCP Cloud Functions.
entity.metadata.entity_type The entity.metadata.entity_type UDM field is set to RESOURCE.
resource.data.description entity.metadata.description
resource.data.serviceAccountEmail, resource.data.serviceConfig.serviceAccountEmail entity.entity.user.email_addresses
resource.data.httpsTrigger.url, resource.data.serviceConfig.uri entity.entity.url
resource.data.stateMessages.type entity.entity.threat.summary
resource.data.stateMessages.severity entity.entity.threat.product_severity
resource.data.stateMessages.message entity.entity.threat.description
entity.entity.resource.resource_type The entity.entity.resource.resource_type UDM field is set to BACKEND_SERVICE.
assetType entity.entity.resource.resource_subtype
resource.data.name entity.entity.resource.product_object_id
name entity.entity.resource.name
resource.data.updateTime entity.entity.resource.attribute.last_update_time
resource.data.network entity.entity.resource.attribute.labels[vpc_network]
resource.data.vpcConnector, resource.data.serviceConfig.vpcConnector entity.entity.resource.attribute.labels[vpc_connector]
resource.data.vpcConnectorEgressSettings, resource.data.serviceConfig.vpcConnectorEgressSettings entity.entity.resource.attribute.labels[vpc_connector_egress_settings]
resource.data.versionId entity.entity.resource.attribute.labels[version_id]
resource.data.timeout, resource.data.serviceConfig.timeoutSeconds entity.entity.resource.attribute.labels[timeout]
resource.data.buildConfig.source.storageSource.object entity.entity.resource.attribute.labels[storage_source_object]
resource.data.buildConfig.source.storageSource.generation entity.entity.resource.attribute.labels[storage_source_generation]
resource.data.buildConfig.source.storageSource.bucket entity.entity.resource.attribute.labels[storage_source_bucket]
resource.data.sourceUploadUrl entity.entity.resource.attribute.labels[source_upload_url]
resource.data.sourceToken entity.entity.resource.attribute.labels[source_token]
resource.data.sourceRepository.url entity.entity.resource.attribute.labels[source_repo_url]
resource.data.sourceRepository.deployedUrl entity.entity.resource.attribute.labels[source_repo_deployed_url]
resource.data.sourceArchiveUrl entity.entity.resource.attribute.labels[source_archive_url]
resource.data.serviceConfig.service entity.entity.resource.attribute.labels[service_config_service]
resource.data.serviceConfig.revision entity.entity.resource.attribute.labels[service_config_revision]
resource.data.serviceConfig.maxInstanceRequestConcurrency entity.entity.resource.attribute.labels[service_config_max_instance_request_concurrency]
resource.data.serviceConfig.availableCpu entity.entity.resource.attribute.labels[service_config_available_cpu]
resource.data.serviceConfig.allTrafficOnLatestRevision entity.entity.resource.attribute.labels[service_config_all_traffic_on_latest_revision]
resource.data.httpsTrigger.securityLevel, resource.data.serviceConfig.securityLevel entity.entity.resource.attribute.labels[security_level]
resource.data.secretVolumes.versions.version, resource.data.serviceConfig.secretVolumes.versions.version entity.entity.resource.attribute.labels[secret_vol_ver_version]
resource.data.secretVolumes.versions.path, resource.data.serviceConfig.secretVolumes.versions.path entity.entity.resource.attribute.labels[secret_vol_ver_path]
resource.data.secretVolumes.secret, resource.data.serviceConfig.secretVolumes.secret entity.entity.resource.attribute.labels[secret_vol_secret]
resource.data.secretVolumes.projectId, resource.data.serviceConfig.secretVolumes.projectId entity.entity.resource.attribute.labels[secret_vol_project_id]
resource.data.secretVolumes.mountPath, resource.data.serviceConfig.secretVolumes.mountPath entity.entity.resource.attribute.labels[secret_vol_mount_path]
resource.data.secretEnvironmentVariables.version, resource.data.serviceConfig.secretEnvironmentVariables.version entity.entity.resource.attribute.labels[secret_env_var_version]
resource.data.secretEnvironmentVariables.secret, resource.data.serviceConfig.secretEnvironmentVariables.secret entity.entity.resource.attribute.labels[secret_env_var_secret]
resource.data.secretEnvironmentVariables.projectId, resource.data.serviceConfig.secretEnvironmentVariables.projectId entity.entity.resource.attribute.labels[secret_env_var_project_id]
resource.data.secretEnvironmentVariables.key, resource.data.serviceConfig.secretEnvironmentVariables.key entity.entity.resource.attribute.labels[secret_env_var_key]
resource.data.runtime, resource.data.buildConfig.runtime entity.entity.resource.attribute.labels[runtime]
resource.data.buildConfig.sourceProvenance.resolvedStorageSource.object entity.entity.resource.attribute.labels[resolved_storage_source_object]
resource.data.buildConfig.sourceProvenance.resolvedStorageSource.generation entity.entity.resource.attribute.labels[resolved_storage_source_generation]
resource.data.buildConfig.sourceProvenance.resolvedStorageSource.bucket entity.entity.resource.attribute.labels[resolved_storage_source_bucket]
resource.data.buildConfig.sourceProvenance.resolvedRepoSource.tagName entity.entity.resource.attribute.labels[resolved_repo_source_tag_name]
resource.data.buildConfig.sourceProvenance.resolvedRepoSource.repoName entity.entity.resource.attribute.labels[resolved_repo_source_repo_name]
resource.data.buildConfig.sourceProvenance.resolvedRepoSource.projectId entity.entity.resource.attribute.labels[resolved_repo_source_project_id]
resource.data.buildConfig.sourceProvenance.resolvedRepoSource.invertRegex entity.entity.resource.attribute.labels[resolved_repo_source_invert_regex]
resource.data.buildConfig.sourceProvenance.resolvedRepoSource.dir entity.entity.resource.attribute.labels[resolved_repo_source_dir]
resource.data.buildConfig.sourceProvenance.resolvedRepoSource.commitSha entity.entity.resource.attribute.labels[resolved_repo_source_commit_sha]
resource.data.buildConfig.sourceProvenance.resolvedRepoSource.branchName entity.entity.resource.attribute.labels[resolved_repo_source_branch_name]
resource.data.buildConfig.source.repoSource.tagName entity.entity.resource.attribute.labels[repo_source_tag_name]
resource.data.buildConfig.source.repoSource.repoName entity.entity.resource.attribute.labels[repo_source_repo_name]
resource.data.buildConfig.source.repoSource.projectId entity.entity.resource.attribute.labels[repo_source_project_id]
resource.data.buildConfig.source.repoSource.invertRegex entity.entity.resource.attribute.labels[repo_source_invert_regex]
resource.data.buildConfig.source.repoSource.dir entity.entity.resource.attribute.labels[repo_source_dir]
resource.data.buildConfig.source.repoSource.commitSha entity.entity.resource.attribute.labels[repo_source_commit_sha]
resource.data.buildConfig.source.repoSource.branchName entity.entity.resource.attribute.labels[repo_source_branch_name]
resource.data.minInstances, resource.data.serviceConfig.minInstanceCount entity.entity.resource.attribute.labels[min_instance]
resource.data.maxInstances, resource.data.serviceConfig.maxInstanceCount entity.entity.resource.attribute.labels[max_instance]
resource.data.kmsKeyName entity.entity.resource.attribute.labels[kms_key_name]
resource.data.ingressSettings, resource.data.serviceConfig.ingressSettings entity.entity.resource.attribute.labels[ingress_settings]
resource.data.buildConfig.environmentVariables.GOOGLE_FUNCTION_SOURCE entity.entity.resource.attribute.labels[GOOGLE_FUNCTION_SOURCE]
resource.data.labels.goog-managed-by entity.entity.resource.attribute.labels[goog-managed-by]
resource.data.status, resource.data.state entity.entity.resource.attribute.labels[function_status]
resource.data.eventTrigger.trigger entity.entity.resource.attribute.labels[event_trigger_trigger]
resource.data.eventTrigger.triggerRegion entity.entity.resource.attribute.labels[event_trigger_trigger_reason]
resource.data.eventTrigger.service entity.entity.resource.attribute.labels[event_trigger_service]
resource.data.eventTrigger.serviceAccountEmail entity.entity.resource.attribute.labels[event_trigger_service_account_email]
resource.data.eventTrigger.retryPolicy entity.entity.resource.attribute.labels[event_trigger_retry_policy]
resource.data.eventTrigger.resource entity.entity.resource.attribute.labels[event_trigger_resource]
resource.data.eventTrigger.pubsubTopic entity.entity.resource.attribute.labels[event_trigger_pubsub_topic]
resource.data.eventTrigger.eventFilters.value entity.entity.resource.attribute.labels[event_trigger_evt_filter_value]
resource.data.eventTrigger.eventFilters.operator entity.entity.resource.attribute.labels[event_trigger_evt_filter_operator]
resource.data.eventTrigger.eventFilters.attribute entity.entity.resource.attribute.labels[event_trigger_evt_filter_attribute]
resource.data.eventTrigger.eventType entity.entity.resource.attribute.labels[event_trigger_event_type]
resource.data.eventTrigger.channel entity.entity.resource.attribute.labels[event_trigger_channel]
resource.data.environment entity.entity.resource.attribute.labels[environment]
resource.data.entryPoint, resource.data.buildConfig.entryPoint entity.entity.resource.attribute.labels[entry_point]
resource.data.dockerRepository, resource.data.buildConfig.dockerRepository entity.entity.resource.attribute.labels[docker_repository]
resource.data.dockerRegistry, resource.data.buildConfig.dockerRegistry entity.entity.resource.attribute.labels[docker_registry]
resource.discoveryName entity.entity.resource.attribute.labels[discovery_name]
resource.discoveryDocumentUri entity.entity.resource.attribute.labels[discovery_document_uri]
resource.data.labels.deployment-tool entity.entity.resource.attribute.labels[deployment_tool]
resource.data.buildWorkerPool, resource.data.buildConfig.workerPool entity.entity.resource.attribute.labels[build_worker_pool]
resource.data.buildName, resource.data.buildConfig.build entity.entity.resource.attribute.labels[build_name]
resource.data.buildId entity.entity.resource.attribute.labels[build_id]
resource.data.availableMemoryMb, resource.data.serviceConfig.availableMemory entity.entity.resource.attribute.labels[available_memory]
entity.entity.resource.attribute.cloud.environment The entity.entity.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM.
resource.data.environmentVariables.TAXII_VERSION, resource.data.serviceConfig.environmentVariables.TAXII_VERSION entity.enity.resource.attribute.labels[TAXII_VERSION]
resource.data.environmentVariables.TAXII_USERNAME, resource.data.serviceConfig.environmentVariables.TAXII_USERNAME entity.enity.resource.attribute.labels[TAXII_USERNAME]
resource.data.environmentVariables.TAXII_PASSWORD_SECRET_PATH, resource.data.serviceConfig.environmentVariables.TAXII_PASSWORD_SECRET_PATH entity.enity.resource.attribute.labels[TAXII_PASSWORD_SECRET_PATH]
resource.data.environmentVariables.TAXII_DISCOVERY_URL, resource.data.serviceConfig.environmentVariables.TAXII_DISCOVERY_URL entity.enity.resource.attribute.labels[TAXII_DISCOVERY_URL]
resource.data.environmentVariables.CHRONICLE_SERVICE_ACCOUNT, resource.data.serviceConfig.environmentVariables.CHRONICLE_SERVICE_ACCOUNT entity.enity.resource.attribute.labels[CHRONICLE_SERVICE_ACCOUNT]
resource.data.environmentVariables.CHRONICLE_CUSTOMER_ID, resource.data.serviceConfig.environmentVariables.CHRONICLE_CUSTOMER_ID entity.enity.resource.attribute.labels[CHRONICLE_CUSTOMER_ID]