Journaux de contexte des fonctions Google Cloud Run

Ce document décrit comment les champs des journaux de contexte des fonctions Google Cloud Run se mappent sur les champs du modèle de données unifié (UDM) de Google Security Operations.

Un libellé d'ingestion identifie l'analyseur qui normalise les données de journal brutes au format UDM structuré. Les informations de ce document s'appliquent à l'analyseur avec le libellé d'ingestion GCP_CLOUD_FUNCTIONS_CONTEXT.

Pour en savoir plus sur les autres analyseurs de contexte compatibles avec Google SecOps, consultez la section Analyseurs de contexte Google SecOps.

Formats de journaux de contexte de fonction Google Cloud Run compatibles

L'analyseur de journaux de contexte des fonctions Google Cloud Run accepte les journaux au format JSON.

Exemples de journaux de contexte de fonction Google Cloud Run compatibles

  • JSON :

    {
  "name": "//cloudfunctions.googleapis.com/projects/cspm-32817/locations/asia-south1/functions/GetNSPAAlertsFunction-asia-south1",
  "assetType": "cloudfunctions.googleapis.com/CloudFunction",
  "resource": {
    "version": "v1",
    "discoveryDocumentUri": "https://cloudfunctions.googleapis.com/$discovery/rest",
    "discoveryName": "CloudFunction",
    "parent": "//cloudresourcemanager.googleapis.com/projects/1063885730524",
    "data": {
      "availableMemoryMb": 256,
      "buildId": "843ffd9a-eab1-4022-8d0f-256e55d110d3",
      "buildName": "projects/1063885730524/locations/asia-south1/builds/843ffd9a-eab1-4022-8d0f-256e55d110d3",
      "dockerRegistry": "CONTAINER_REGISTRY",
      "entryPoint": "google_cloud_function_handler",
      "eventTrigger": {
        "eventType": "google.pubsub.topic.publish",
        "failurePolicy": {},
        "resource": "projects/cspm-32817/topics/GetNSPAAlerts-asia-south1",
        "service": "pubsub.googleapis.com"
      },
      "ingressSettings": "ALLOW_ALL",
      "labels": {
        "deployment-tool": "console-cloud"
      },
      "maxInstances": 3000,
      "name": "projects/cspm-32817/locations/asia-south1/functions/GetNSPAAlertsFunction-asia-south1",
      "runtime": "python37",
      "serviceAccountEmail": "dummy@user.com",
      "sourceArchiveUrl": "gs://cloudfunctionscrest/GetNetskopeSecurityPostureAssessmentFunction (2).zip",
      "status": "ACTIVE",
      "timeout": "300s",
      "updateTime": "2023-04-21T13:33:30.711Z",
      "versionId": "1"
    }
  },
  "ancestors": [
    "projects/1063885730524",
    "organizations/595779152576"
  ]
}

Référence de mappage de champ

Cette section explique comment l'analyseur Google SecOps mappe les champs des journaux de contexte des fonctions Google Cloud Run aux champs UDM de Google SecOps.

Log field UDM mapping Logic
entity.relations.resource.resource_type The entity.relations.resource.resource_type UDM field is set to CLOUD_PROJECT.
entity.relations.resource.resource_subtype The entity.relations.resource.resource_subtype UDM field is set to project.
entity.relations.resource_ancestors.resource_type If the ancestor log field value matches the regular expression pattern organizations, then the entity.relations.resource_ancestors.resource_type UDM field is set to CLOUD_ORGANIZATION.

Else, if the ancestor log field value matches the regular expression pattern folders, then the entity.relations.resource_ancestors.resource_type UDM field is set to STORAGE_OBJECT.
entity.relations.resource_ancestors.resource_subtype If the ancestor log field value matches the regular expression pattern organizations, then the entity.relations.resource_ancestors.resource_subtype UDM field is set to organizations.

Else, if the ancestor log field value matches the regular expression pattern folders, then the entity.relations.resource_ancestors.resource_subtype UDM field is set to folders.
entity.relations.relationship The entity.relations.relationship UDM field is set to MEMBER.
resource.parent, ancestors[] entity.relations.entity.resource.name If the resource.parent log field value is empty, then the ancestors.0 log field is mapped to the relations.entity.resource.name UDM field.
ancestors[] entity.relations.entity.resource_ancestors.name If the ancestor log field value is not a substring of resource.parent log field value, then the ancestors log field is mapped to the relations.entity.resource_ancestors.name UDM field.
entity.relations.entity_type The entity.relations.entity_type UDM field is set to RESOURCE.
entity.relations.direction The entity.relations.direction UDM field is set to UNIDIRECTIONAL.
entity.metadata.vendor_name The entity.metadata.vendor_name UDM field is set to Google Cloud Platform.
resource.version entity.metadata.product_version
entity.metadata.product_name The entity.metadata.product_name UDM field is set to GCP Cloud Functions.
entity.metadata.entity_type The entity.metadata.entity_type UDM field is set to RESOURCE.
resource.data.description entity.metadata.description
resource.data.serviceAccountEmail, resource.data.serviceConfig.serviceAccountEmail entity.entity.user.email_addresses
resource.data.httpsTrigger.url, resource.data.serviceConfig.uri entity.entity.url
resource.data.stateMessages.type entity.entity.threat.summary
resource.data.stateMessages.severity entity.entity.threat.product_severity
resource.data.stateMessages.message entity.entity.threat.description
entity.entity.resource.resource_type The entity.entity.resource.resource_type UDM field is set to BACKEND_SERVICE.
assetType entity.entity.resource.resource_subtype
resource.data.name entity.entity.resource.product_object_id
name entity.entity.resource.name
resource.data.updateTime entity.entity.resource.attribute.last_update_time
resource.data.network entity.entity.resource.attribute.labels[vpc_network]
resource.data.vpcConnector, resource.data.serviceConfig.vpcConnector entity.entity.resource.attribute.labels[vpc_connector]
resource.data.vpcConnectorEgressSettings, resource.data.serviceConfig.vpcConnectorEgressSettings entity.entity.resource.attribute.labels[vpc_connector_egress_settings]
resource.data.versionId entity.entity.resource.attribute.labels[version_id]
resource.data.timeout, resource.data.serviceConfig.timeoutSeconds entity.entity.resource.attribute.labels[timeout]
resource.data.buildConfig.source.storageSource.object entity.entity.resource.attribute.labels[storage_source_object]
resource.data.buildConfig.source.storageSource.generation entity.entity.resource.attribute.labels[storage_source_generation]
resource.data.buildConfig.source.storageSource.bucket entity.entity.resource.attribute.labels[storage_source_bucket]
resource.data.sourceUploadUrl entity.entity.resource.attribute.labels[source_upload_url]
resource.data.sourceToken entity.entity.resource.attribute.labels[source_token]
resource.data.sourceRepository.url entity.entity.resource.attribute.labels[source_repo_url]
resource.data.sourceRepository.deployedUrl entity.entity.resource.attribute.labels[source_repo_deployed_url]
resource.data.sourceArchiveUrl entity.entity.resource.attribute.labels[source_archive_url]
resource.data.serviceConfig.service entity.entity.resource.attribute.labels[service_config_service]
resource.data.serviceConfig.revision entity.entity.resource.attribute.labels[service_config_revision]
resource.data.serviceConfig.maxInstanceRequestConcurrency entity.entity.resource.attribute.labels[service_config_max_instance_request_concurrency]
resource.data.serviceConfig.availableCpu entity.entity.resource.attribute.labels[service_config_available_cpu]
resource.data.serviceConfig.allTrafficOnLatestRevision entity.entity.resource.attribute.labels[service_config_all_traffic_on_latest_revision]
resource.data.httpsTrigger.securityLevel, resource.data.serviceConfig.securityLevel entity.entity.resource.attribute.labels[security_level]
resource.data.secretVolumes.versions.version, resource.data.serviceConfig.secretVolumes.versions.version entity.entity.resource.attribute.labels[secret_vol_ver_version]
resource.data.secretVolumes.versions.path, resource.data.serviceConfig.secretVolumes.versions.path entity.entity.resource.attribute.labels[secret_vol_ver_path]
resource.data.secretVolumes.secret, resource.data.serviceConfig.secretVolumes.secret entity.entity.resource.attribute.labels[secret_vol_secret]
resource.data.secretVolumes.projectId, resource.data.serviceConfig.secretVolumes.projectId entity.entity.resource.attribute.labels[secret_vol_project_id]
resource.data.secretVolumes.mountPath, resource.data.serviceConfig.secretVolumes.mountPath entity.entity.resource.attribute.labels[secret_vol_mount_path]
resource.data.secretEnvironmentVariables.version, resource.data.serviceConfig.secretEnvironmentVariables.version entity.entity.resource.attribute.labels[secret_env_var_version]
resource.data.secretEnvironmentVariables.secret, resource.data.serviceConfig.secretEnvironmentVariables.secret entity.entity.resource.attribute.labels[secret_env_var_secret]
resource.data.secretEnvironmentVariables.projectId, resource.data.serviceConfig.secretEnvironmentVariables.projectId entity.entity.resource.attribute.labels[secret_env_var_project_id]
resource.data.secretEnvironmentVariables.key, resource.data.serviceConfig.secretEnvironmentVariables.key entity.entity.resource.attribute.labels[secret_env_var_key]
resource.data.runtime, resource.data.buildConfig.runtime entity.entity.resource.attribute.labels[runtime]
resource.data.buildConfig.sourceProvenance.resolvedStorageSource.object entity.entity.resource.attribute.labels[resolved_storage_source_object]
resource.data.buildConfig.sourceProvenance.resolvedStorageSource.generation entity.entity.resource.attribute.labels[resolved_storage_source_generation]
resource.data.buildConfig.sourceProvenance.resolvedStorageSource.bucket entity.entity.resource.attribute.labels[resolved_storage_source_bucket]
resource.data.buildConfig.sourceProvenance.resolvedRepoSource.tagName entity.entity.resource.attribute.labels[resolved_repo_source_tag_name]
resource.data.buildConfig.sourceProvenance.resolvedRepoSource.repoName entity.entity.resource.attribute.labels[resolved_repo_source_repo_name]
resource.data.buildConfig.sourceProvenance.resolvedRepoSource.projectId entity.entity.resource.attribute.labels[resolved_repo_source_project_id]
resource.data.buildConfig.sourceProvenance.resolvedRepoSource.invertRegex entity.entity.resource.attribute.labels[resolved_repo_source_invert_regex]
resource.data.buildConfig.sourceProvenance.resolvedRepoSource.dir entity.entity.resource.attribute.labels[resolved_repo_source_dir]
resource.data.buildConfig.sourceProvenance.resolvedRepoSource.commitSha entity.entity.resource.attribute.labels[resolved_repo_source_commit_sha]
resource.data.buildConfig.sourceProvenance.resolvedRepoSource.branchName entity.entity.resource.attribute.labels[resolved_repo_source_branch_name]
resource.data.buildConfig.source.repoSource.tagName entity.entity.resource.attribute.labels[repo_source_tag_name]
resource.data.buildConfig.source.repoSource.repoName entity.entity.resource.attribute.labels[repo_source_repo_name]
resource.data.buildConfig.source.repoSource.projectId entity.entity.resource.attribute.labels[repo_source_project_id]
resource.data.buildConfig.source.repoSource.invertRegex entity.entity.resource.attribute.labels[repo_source_invert_regex]
resource.data.buildConfig.source.repoSource.dir entity.entity.resource.attribute.labels[repo_source_dir]
resource.data.buildConfig.source.repoSource.commitSha entity.entity.resource.attribute.labels[repo_source_commit_sha]
resource.data.buildConfig.source.repoSource.branchName entity.entity.resource.attribute.labels[repo_source_branch_name]
resource.data.minInstances, resource.data.serviceConfig.minInstanceCount entity.entity.resource.attribute.labels[min_instance]
resource.data.maxInstances, resource.data.serviceConfig.maxInstanceCount entity.entity.resource.attribute.labels[max_instance]
resource.data.kmsKeyName entity.entity.resource.attribute.labels[kms_key_name]
resource.data.ingressSettings, resource.data.serviceConfig.ingressSettings entity.entity.resource.attribute.labels[ingress_settings]
resource.data.buildConfig.environmentVariables.GOOGLE_FUNCTION_SOURCE entity.entity.resource.attribute.labels[GOOGLE_FUNCTION_SOURCE]
resource.data.labels.goog-managed-by entity.entity.resource.attribute.labels[goog-managed-by]
resource.data.status, resource.data.state entity.entity.resource.attribute.labels[function_status]
resource.data.eventTrigger.trigger entity.entity.resource.attribute.labels[event_trigger_trigger]
resource.data.eventTrigger.triggerRegion entity.entity.resource.attribute.labels[event_trigger_trigger_reason]
resource.data.eventTrigger.service entity.entity.resource.attribute.labels[event_trigger_service]
resource.data.eventTrigger.serviceAccountEmail entity.entity.resource.attribute.labels[event_trigger_service_account_email]
resource.data.eventTrigger.retryPolicy entity.entity.resource.attribute.labels[event_trigger_retry_policy]
resource.data.eventTrigger.resource entity.entity.resource.attribute.labels[event_trigger_resource]
resource.data.eventTrigger.pubsubTopic entity.entity.resource.attribute.labels[event_trigger_pubsub_topic]
resource.data.eventTrigger.eventFilters.value entity.entity.resource.attribute.labels[event_trigger_evt_filter_value]
resource.data.eventTrigger.eventFilters.operator entity.entity.resource.attribute.labels[event_trigger_evt_filter_operator]
resource.data.eventTrigger.eventFilters.attribute entity.entity.resource.attribute.labels[event_trigger_evt_filter_attribute]
resource.data.eventTrigger.eventType entity.entity.resource.attribute.labels[event_trigger_event_type]
resource.data.eventTrigger.channel entity.entity.resource.attribute.labels[event_trigger_channel]
resource.data.environment entity.entity.resource.attribute.labels[environment]
resource.data.entryPoint, resource.data.buildConfig.entryPoint entity.entity.resource.attribute.labels[entry_point]
resource.data.dockerRepository, resource.data.buildConfig.dockerRepository entity.entity.resource.attribute.labels[docker_repository]
resource.data.dockerRegistry, resource.data.buildConfig.dockerRegistry entity.entity.resource.attribute.labels[docker_registry]
resource.discoveryName entity.entity.resource.attribute.labels[discovery_name]
resource.discoveryDocumentUri entity.entity.resource.attribute.labels[discovery_document_uri]
resource.data.labels.deployment-tool entity.entity.resource.attribute.labels[deployment_tool]
resource.data.buildWorkerPool, resource.data.buildConfig.workerPool entity.entity.resource.attribute.labels[build_worker_pool]
resource.data.buildName, resource.data.buildConfig.build entity.entity.resource.attribute.labels[build_name]
resource.data.buildId entity.entity.resource.attribute.labels[build_id]
resource.data.availableMemoryMb, resource.data.serviceConfig.availableMemory entity.entity.resource.attribute.labels[available_memory]
entity.entity.resource.attribute.cloud.environment The entity.entity.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM.
resource.data.environmentVariables.TAXII_VERSION, resource.data.serviceConfig.environmentVariables.TAXII_VERSION entity.enity.resource.attribute.labels[TAXII_VERSION]
resource.data.environmentVariables.TAXII_USERNAME, resource.data.serviceConfig.environmentVariables.TAXII_USERNAME entity.enity.resource.attribute.labels[TAXII_USERNAME]
resource.data.environmentVariables.TAXII_PASSWORD_SECRET_PATH, resource.data.serviceConfig.environmentVariables.TAXII_PASSWORD_SECRET_PATH entity.enity.resource.attribute.labels[TAXII_PASSWORD_SECRET_PATH]
resource.data.environmentVariables.TAXII_DISCOVERY_URL, resource.data.serviceConfig.environmentVariables.TAXII_DISCOVERY_URL entity.enity.resource.attribute.labels[TAXII_DISCOVERY_URL]
resource.data.environmentVariables.CHRONICLE_SERVICE_ACCOUNT, resource.data.serviceConfig.environmentVariables.CHRONICLE_SERVICE_ACCOUNT entity.enity.resource.attribute.labels[CHRONICLE_SERVICE_ACCOUNT]
resource.data.environmentVariables.CHRONICLE_CUSTOMER_ID, resource.data.serviceConfig.environmentVariables.CHRONICLE_CUSTOMER_ID entity.enity.resource.attribute.labels[CHRONICLE_CUSTOMER_ID]