Google Cloud Run functions context logs

This document explains how Google Cloud Run functions context log fields map to Google Security Operations Unified Data Model (UDM) fields.

The ingestion label identifies the parser that normalizes raw log data into the structured UDM format. The information in this document applies to the parser with the GCP_CLOUD_FUNCTIONS_CONTEXT ingestion label.

For information about other context parsers supported by Google SecOps, see Google SecOps context parsers.

Supported Google Cloud Run functions context log formats

The Google Cloud Run functions context log parser supports logs in JSON format.

Supported Google Cloud Run functions context log sample logs

  • JSON:

    {
      "name": "//cloudfunctions.googleapis.com/projects/cspm-32817/locations/asia-south1/functions/GetNSPAAlertsFunction-asia-south1",
      "assetType": "cloudfunctions.googleapis.com/CloudFunction",
      "resource": {
        "version": "v1",
        "discoveryDocumentUri": "https://cloudfunctions.googleapis.com/$discovery/rest",
        "discoveryName": "CloudFunction",
        "parent": "//cloudresourcemanager.googleapis.com/projects/1063885730524",
        "data": {
          "availableMemoryMb": 256,
          "buildId": "843ffd9a-eab1-4022-8d0f-256e55d110d3",
          "buildName": "projects/1063885730524/locations/asia-south1/builds/843ffd9a-eab1-4022-8d0f-256e55d110d3",
          "dockerRegistry": "CONTAINER_REGISTRY",
          "entryPoint": "google_cloud_function_handler",
          "eventTrigger": {
            "eventType": "google.pubsub.topic.publish",
            "failurePolicy": {},
            "resource": "projects/cspm-32817/topics/GetNSPAAlerts-asia-south1",
            "service": "pubsub.googleapis.com"
          },
          "ingressSettings": "ALLOW_ALL",
          "labels": {
            "deployment-tool": "console-cloud"
          },
          "maxInstances": 3000,
          "name": "projects/cspm-32817/locations/asia-south1/functions/GetNSPAAlertsFunction-asia-south1",
          "runtime": "python37",
          "serviceAccountEmail": "dummy@user.com",
          "sourceArchiveUrl": "gs://cloudfunctionscrest/GetNetskopeSecurityPostureAssessmentFunction (2).zip",
          "status": "ACTIVE",
          "timeout": "300s",
          "updateTime": "2023-04-21T13:33:30.711Z",
          "versionId": "1"
        }
      },
      "ancestors": [
        "projects/1063885730524",
        "organizations/595779152576"
      ]
    }
    

Field mapping reference

This section explains how the Google SecOps parser maps Google Cloud Run functions context log fields to Google SecOps UDM fields.

| Log field | UDM mapping | Logic |
| --- | --- | --- |
| | entity.relations.resource.resource_type | The entity.relations.resource.resource_type UDM field is set to CLOUD_PROJECT. |
| | entity.relations.resource.resource_subtype | The entity.relations.resource.resource_subtype UDM field is set to project. |
| | entity.relations.resource_ancestors.resource_type | If the ancestor log field value matches the regular expression pattern organizations, then the entity.relations.resource_ancestors.resource_type UDM field is set to CLOUD_ORGANIZATION. Else, if the ancestor log field value matches the regular expression pattern folders, then the entity.relations.resource_ancestors.resource_type UDM field is set to STORAGE_OBJECT. |
| | entity.relations.resource_ancestors.resource_subtype | If the ancestor log field value matches the regular expression pattern organizations, then the entity.relations.resource_ancestors.resource_subtype UDM field is set to organizations. Else, if the ancestor log field value matches the regular expression pattern folders, then the entity.relations.resource_ancestors.resource_subtype UDM field is set to folders. |
| | entity.relations.relationship | The entity.relations.relationship UDM field is set to MEMBER. |
| resource.parent, ancestors[] | entity.relations.entity.resource.name | If the resource.parent log field value is not empty, then the resource.parent log field is mapped to the entity.relations.entity.resource.name UDM field. Else, the ancestors.0 log field is mapped to the entity.relations.entity.resource.name UDM field. |
| ancestors[] | entity.relations.entity.resource_ancestors.name | If the ancestor log field value is not a substring of the resource.parent log field value, then the ancestors log field is mapped to the entity.relations.entity.resource_ancestors.name UDM field. |
| | entity.relations.entity_type | The entity.relations.entity_type UDM field is set to RESOURCE. |
| | entity.relations.direction | The entity.relations.direction UDM field is set to UNIDIRECTIONAL. |
| | entity.metadata.vendor_name | The entity.metadata.vendor_name UDM field is set to Google Cloud Platform. |
| resource.version | entity.metadata.product_version | |
| | entity.metadata.product_name | The entity.metadata.product_name UDM field is set to GCP Cloud Functions. |
| | entity.metadata.entity_type | The entity.metadata.entity_type UDM field is set to RESOURCE. |
| resource.data.description | entity.metadata.description | |
| resource.data.serviceAccountEmail, resource.data.serviceConfig.serviceAccountEmail | entity.entity.user.email_addresses | |
| resource.data.httpsTrigger.url, resource.data.serviceConfig.uri | entity.entity.url | |
| resource.data.stateMessages.type | entity.entity.threat.summary | |
| resource.data.stateMessages.severity | entity.entity.threat.product_severity | |
| resource.data.stateMessages.message | entity.entity.threat.description | |
| | entity.entity.resource.resource_type | The entity.entity.resource.resource_type UDM field is set to BACKEND_SERVICE. |
| assetType | entity.entity.resource.resource_subtype | |
| resource.data.name | entity.entity.resource.product_object_id | |
| name | entity.entity.resource.name | |
| resource.data.updateTime | entity.entity.resource.attribute.last_update_time | |
| resource.data.network | entity.entity.resource.attribute.labels[vpc_network] | |
| resource.data.vpcConnector, resource.data.serviceConfig.vpcConnector | entity.entity.resource.attribute.labels[vpc_connector] | |
| resource.data.vpcConnectorEgressSettings, resource.data.serviceConfig.vpcConnectorEgressSettings | entity.entity.resource.attribute.labels[vpc_connector_egress_settings] | |
| resource.data.versionId | entity.entity.resource.attribute.labels[version_id] | |
| resource.data.timeout, resource.data.serviceConfig.timeoutSeconds | entity.entity.resource.attribute.labels[timeout] | |
| resource.data.buildConfig.source.storageSource.object | entity.entity.resource.attribute.labels[storage_source_object] | |
| resource.data.buildConfig.source.storageSource.generation | entity.entity.resource.attribute.labels[storage_source_generation] | |
| resource.data.buildConfig.source.storageSource.bucket | entity.entity.resource.attribute.labels[storage_source_bucket] | |
| resource.data.sourceUploadUrl | entity.entity.resource.attribute.labels[source_upload_url] | |
| resource.data.sourceToken | entity.entity.resource.attribute.labels[source_token] | |
| resource.data.sourceRepository.url | entity.entity.resource.attribute.labels[source_repo_url] | |
| resource.data.sourceRepository.deployedUrl | entity.entity.resource.attribute.labels[source_repo_deployed_url] | |
| resource.data.sourceArchiveUrl | entity.entity.resource.attribute.labels[source_archive_url] | |
| resource.data.serviceConfig.service | entity.entity.resource.attribute.labels[service_config_service] | |
| resource.data.serviceConfig.revision | entity.entity.resource.attribute.labels[service_config_revision] | |
| resource.data.serviceConfig.maxInstanceRequestConcurrency | entity.entity.resource.attribute.labels[service_config_max_instance_request_concurrency] | |
| resource.data.serviceConfig.availableCpu | entity.entity.resource.attribute.labels[service_config_available_cpu] | |
| resource.data.serviceConfig.allTrafficOnLatestRevision | entity.entity.resource.attribute.labels[service_config_all_traffic_on_latest_revision] | |
| resource.data.httpsTrigger.securityLevel, resource.data.serviceConfig.securityLevel | entity.entity.resource.attribute.labels[security_level] | |
| resource.data.secretVolumes.versions.version, resource.data.serviceConfig.secretVolumes.versions.version | entity.entity.resource.attribute.labels[secret_vol_ver_version] | |
| resource.data.secretVolumes.versions.path, resource.data.serviceConfig.secretVolumes.versions.path | entity.entity.resource.attribute.labels[secret_vol_ver_path] | |
| resource.data.secretVolumes.secret, resource.data.serviceConfig.secretVolumes.secret | entity.entity.resource.attribute.labels[secret_vol_secret] | |
| resource.data.secretVolumes.projectId, resource.data.serviceConfig.secretVolumes.projectId | entity.entity.resource.attribute.labels[secret_vol_project_id] | |
| resource.data.secretVolumes.mountPath, resource.data.serviceConfig.secretVolumes.mountPath | entity.entity.resource.attribute.labels[secret_vol_mount_path] | |
| resource.data.secretEnvironmentVariables.version, resource.data.serviceConfig.secretEnvironmentVariables.version | entity.entity.resource.attribute.labels[secret_env_var_version] | |
| resource.data.secretEnvironmentVariables.secret, resource.data.serviceConfig.secretEnvironmentVariables.secret | entity.entity.resource.attribute.labels[secret_env_var_secret] | |
| resource.data.secretEnvironmentVariables.projectId, resource.data.serviceConfig.secretEnvironmentVariables.projectId | entity.entity.resource.attribute.labels[secret_env_var_project_id] | |
| resource.data.secretEnvironmentVariables.key, resource.data.serviceConfig.secretEnvironmentVariables.key | entity.entity.resource.attribute.labels[secret_env_var_key] | |
| resource.data.runtime, resource.data.buildConfig.runtime | entity.entity.resource.attribute.labels[runtime] | |
| resource.data.buildConfig.sourceProvenance.resolvedStorageSource.object | entity.entity.resource.attribute.labels[resolved_storage_source_object] | |
| resource.data.buildConfig.sourceProvenance.resolvedStorageSource.generation | entity.entity.resource.attribute.labels[resolved_storage_source_generation] | |
| resource.data.buildConfig.sourceProvenance.resolvedStorageSource.bucket | entity.entity.resource.attribute.labels[resolved_storage_source_bucket] | |
| resource.data.buildConfig.sourceProvenance.resolvedRepoSource.tagName | entity.entity.resource.attribute.labels[resolved_repo_source_tag_name] | |
| resource.data.buildConfig.sourceProvenance.resolvedRepoSource.repoName | entity.entity.resource.attribute.labels[resolved_repo_source_repo_name] | |
| resource.data.buildConfig.sourceProvenance.resolvedRepoSource.projectId | entity.entity.resource.attribute.labels[resolved_repo_source_project_id] | |
| resource.data.buildConfig.sourceProvenance.resolvedRepoSource.invertRegex | entity.entity.resource.attribute.labels[resolved_repo_source_invert_regex] | |
| resource.data.buildConfig.sourceProvenance.resolvedRepoSource.dir | entity.entity.resource.attribute.labels[resolved_repo_source_dir] | |
| resource.data.buildConfig.sourceProvenance.resolvedRepoSource.commitSha | entity.entity.resource.attribute.labels[resolved_repo_source_commit_sha] | |
| resource.data.buildConfig.sourceProvenance.resolvedRepoSource.branchName | entity.entity.resource.attribute.labels[resolved_repo_source_branch_name] | |
| resource.data.buildConfig.source.repoSource.tagName | entity.entity.resource.attribute.labels[repo_source_tag_name] | |
| resource.data.buildConfig.source.repoSource.repoName | entity.entity.resource.attribute.labels[repo_source_repo_name] | |
| resource.data.buildConfig.source.repoSource.projectId | entity.entity.resource.attribute.labels[repo_source_project_id] | |
| resource.data.buildConfig.source.repoSource.invertRegex | entity.entity.resource.attribute.labels[repo_source_invert_regex] | |
| resource.data.buildConfig.source.repoSource.dir | entity.entity.resource.attribute.labels[repo_source_dir] | |
| resource.data.buildConfig.source.repoSource.commitSha | entity.entity.resource.attribute.labels[repo_source_commit_sha] | |
| resource.data.buildConfig.source.repoSource.branchName | entity.entity.resource.attribute.labels[repo_source_branch_name] | |
| resource.data.minInstances, resource.data.serviceConfig.minInstanceCount | entity.entity.resource.attribute.labels[min_instance] | |
| resource.data.maxInstances, resource.data.serviceConfig.maxInstanceCount | entity.entity.resource.attribute.labels[max_instance] | |
| resource.data.kmsKeyName | entity.entity.resource.attribute.labels[kms_key_name] | |
| resource.data.ingressSettings, resource.data.serviceConfig.ingressSettings | entity.entity.resource.attribute.labels[ingress_settings] | |
| resource.data.buildConfig.environmentVariables.GOOGLE_FUNCTION_SOURCE | entity.entity.resource.attribute.labels[GOOGLE_FUNCTION_SOURCE] | |
| resource.data.labels.goog-managed-by | entity.entity.resource.attribute.labels[goog-managed-by] | |
| resource.data.status, resource.data.state | entity.entity.resource.attribute.labels[function_status] | |
| resource.data.eventTrigger.trigger | entity.entity.resource.attribute.labels[event_trigger_trigger] | |
| resource.data.eventTrigger.triggerRegion | entity.entity.resource.attribute.labels[event_trigger_trigger_reason] | |
| resource.data.eventTrigger.service | entity.entity.resource.attribute.labels[event_trigger_service] | |
| resource.data.eventTrigger.serviceAccountEmail | entity.entity.resource.attribute.labels[event_trigger_service_account_email] | |
| resource.data.eventTrigger.retryPolicy | entity.entity.resource.attribute.labels[event_trigger_retry_policy] | |
| resource.data.eventTrigger.resource | entity.entity.resource.attribute.labels[event_trigger_resource] | |
| resource.data.eventTrigger.pubsubTopic | entity.entity.resource.attribute.labels[event_trigger_pubsub_topic] | |
| resource.data.eventTrigger.eventFilters.value | entity.entity.resource.attribute.labels[event_trigger_evt_filter_value] | |
| resource.data.eventTrigger.eventFilters.operator | entity.entity.resource.attribute.labels[event_trigger_evt_filter_operator] | |
| resource.data.eventTrigger.eventFilters.attribute | entity.entity.resource.attribute.labels[event_trigger_evt_filter_attribute] | |
| resource.data.eventTrigger.eventType | entity.entity.resource.attribute.labels[event_trigger_event_type] | |
| resource.data.eventTrigger.channel | entity.entity.resource.attribute.labels[event_trigger_channel] | |
| resource.data.environment | entity.entity.resource.attribute.labels[environment] | |
| resource.data.entryPoint, resource.data.buildConfig.entryPoint | entity.entity.resource.attribute.labels[entry_point] | |
| resource.data.dockerRepository, resource.data.buildConfig.dockerRepository | entity.entity.resource.attribute.labels[docker_repository] | |
| resource.data.dockerRegistry, resource.data.buildConfig.dockerRegistry | entity.entity.resource.attribute.labels[docker_registry] | |
| resource.discoveryName | entity.entity.resource.attribute.labels[discovery_name] | |
| resource.discoveryDocumentUri | entity.entity.resource.attribute.labels[discovery_document_uri] | |
| resource.data.labels.deployment-tool | entity.entity.resource.attribute.labels[deployment_tool] | |
| resource.data.buildWorkerPool, resource.data.buildConfig.workerPool | entity.entity.resource.attribute.labels[build_worker_pool] | |
| resource.data.buildName, resource.data.buildConfig.build | entity.entity.resource.attribute.labels[build_name] | |
| resource.data.buildId | entity.entity.resource.attribute.labels[build_id] | |
| resource.data.availableMemoryMb, resource.data.serviceConfig.availableMemory | entity.entity.resource.attribute.labels[available_memory] | |
| | entity.entity.resource.attribute.cloud.environment | The entity.entity.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
| resource.data.environmentVariables.TAXII_VERSION, resource.data.serviceConfig.environmentVariables.TAXII_VERSION | entity.entity.resource.attribute.labels[TAXII_VERSION] | |
| resource.data.environmentVariables.TAXII_USERNAME, resource.data.serviceConfig.environmentVariables.TAXII_USERNAME | entity.entity.resource.attribute.labels[TAXII_USERNAME] | |
| resource.data.environmentVariables.TAXII_PASSWORD_SECRET_PATH, resource.data.serviceConfig.environmentVariables.TAXII_PASSWORD_SECRET_PATH | entity.entity.resource.attribute.labels[TAXII_PASSWORD_SECRET_PATH] | |
| resource.data.environmentVariables.TAXII_DISCOVERY_URL, resource.data.serviceConfig.environmentVariables.TAXII_DISCOVERY_URL | entity.entity.resource.attribute.labels[TAXII_DISCOVERY_URL] | |
| resource.data.environmentVariables.CHRONICLE_SERVICE_ACCOUNT, resource.data.serviceConfig.environmentVariables.CHRONICLE_SERVICE_ACCOUNT | entity.entity.resource.attribute.labels[CHRONICLE_SERVICE_ACCOUNT] | |
| resource.data.environmentVariables.CHRONICLE_CUSTOMER_ID, resource.data.serviceConfig.environmentVariables.CHRONICLE_CUSTOMER_ID | entity.entity.resource.attribute.labels[CHRONICLE_CUSTOMER_ID] | |
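The mapping rules above, applied in code as an added example (this is not the Google SecOps parser, and none of it comes from this page). The script re-implements the relation, ancestor, metadata, user, URL and a subset of the label rows from the table and runs them over the sample record above plus a second record, constructed here, that carries serviceConfig/buildConfig fields, a folders/ ancestor and an empty resource.parent so that the Else branches of the ancestor and relation rules are exercised. Two points are assumptions rather than statements from the table: resource.parent itself is used as the related project's name when it is non-empty (ancestors.0 only as the fallback), and the regular-expression matches on organizations and folders are plain substring searches. The second record's project, folder and organization identifiers, function name, service-account address and URL are made up.

```python
import json
import re

# Constructed samples: the record shown on this page (trimmed) and a second, constructed record
# with 2nd-gen style serviceConfig/buildConfig fields, a folders/ ancestor and an empty parent.
SAMPLE_LOGS = [
    json.dumps({
        "name": "//cloudfunctions.googleapis.com/projects/cspm-32817/locations/asia-south1/functions/GetNSPAAlertsFunction-asia-south1",
        "assetType": "cloudfunctions.googleapis.com/CloudFunction",
        "resource": {"version": "v1", "parent": "//cloudresourcemanager.googleapis.com/projects/1063885730524",
                     "data": {"availableMemoryMb": 256, "buildId": "843ffd9a-eab1-4022-8d0f-256e55d110d3",
                              "entryPoint": "google_cloud_function_handler", "ingressSettings": "ALLOW_ALL",
                              "eventTrigger": {"eventType": "google.pubsub.topic.publish",
                                               "resource": "projects/cspm-32817/topics/GetNSPAAlerts-asia-south1"},
                              "maxInstances": 3000, "runtime": "python37", "status": "ACTIVE", "timeout": "300s",
                              "name": "projects/cspm-32817/locations/asia-south1/functions/GetNSPAAlertsFunction-asia-south1",
                              "serviceAccountEmail": "dummy@user.com", "updateTime": "2023-04-21T13:33:30.711Z"}},
        "ancestors": ["projects/1063885730524", "organizations/595779152576"],
    }),
    json.dumps({
        "name": "//cloudfunctions.googleapis.com/projects/example-proj/locations/us-central1/functions/fn2",
        "assetType": "cloudfunctions.googleapis.com/Function",
        "resource": {"version": "v2", "parent": "",
                     "data": {"name": "projects/example-proj/locations/us-central1/functions/fn2", "state": "ACTIVE",
                              "serviceConfig": {"serviceAccountEmail": "fn2@example-proj.iam.gserviceaccount.com",
                                                "uri": "https://fn2-abc-uc.a.run.app", "timeoutSeconds": 60,
                                                "ingressSettings": "ALLOW_INTERNAL_ONLY", "maxInstanceCount": 10},
                              "buildConfig": {"runtime": "python311", "entryPoint": "main"}}},
        "ancestors": ["projects/111", "folders/222", "organizations/333"],
    }),
]

# (label key, candidate log fields): the first field present wins. A subset of the table's label rows.
LABELS = [
    ("runtime", "resource.data.runtime", "resource.data.buildConfig.runtime"),
    ("ingress_settings", "resource.data.ingressSettings", "resource.data.serviceConfig.ingressSettings"),
    ("max_instance", "resource.data.maxInstances", "resource.data.serviceConfig.maxInstanceCount"),
    ("timeout", "resource.data.timeout", "resource.data.serviceConfig.timeoutSeconds"),
    ("function_status", "resource.data.status", "resource.data.state"),
    ("available_memory", "resource.data.availableMemoryMb", "resource.data.serviceConfig.availableMemory"),
]

def get(obj, path):
    """Walk a dotted path such as resource.data.serviceConfig.uri; None if any hop is missing."""
    for part in path.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj

def first(log, *paths):
    """First non-empty value among the candidate log fields, or None."""
    return next((v for v in (get(log, p) for p in paths) if v not in (None, "")), None)

def ancestor_entry(ancestor):
    """Type an ancestors[] entry as the table does; a projects/ ancestor keeps only its name."""
    entry = {"name": ancestor}
    if re.search("organizations", ancestor):
        entry.update(resource_type="CLOUD_ORGANIZATION", resource_subtype="organizations")
    elif re.search("folders", ancestor):
        entry.update(resource_type="STORAGE_OBJECT", resource_subtype="folders")  # as documented in the table
    return entry

def to_udm(raw):
    """Normalize one JSON context record into the UDM entity shape described by the table."""
    log = json.loads(raw)
    parent = get(log, "resource.parent") or ""
    ancestors = log.get("ancestors") or []
    related = {  # the MEMBER relation to the owning project (assumes resource.parent is used when set)
        "resource_type": "CLOUD_PROJECT", "resource_subtype": "project",
        "name": parent or (ancestors[0] if ancestors else None),
        # Ancestors already covered by resource.parent (substring match) are not repeated.
        "resource_ancestors": [ancestor_entry(a) for a in ancestors if a not in parent],
    }
    email = first(log, "resource.data.serviceAccountEmail", "resource.data.serviceConfig.serviceAccountEmail")
    return {
        "metadata": {"vendor_name": "Google Cloud Platform", "product_name": "GCP Cloud Functions",
                     "product_version": get(log, "resource.version"), "entity_type": "RESOURCE"},
        "entity": {
            "user": {"email_addresses": [email] if email else []},
            "url": first(log, "resource.data.httpsTrigger.url", "resource.data.serviceConfig.uri"),
            "resource": {"resource_type": "BACKEND_SERVICE", "resource_subtype": log.get("assetType"),
                         "product_object_id": get(log, "resource.data.name"), "name": log.get("name"),
                         "attribute": {"last_update_time": get(log, "resource.data.updateTime"),
                                       "cloud": {"environment": "GOOGLE_CLOUD_PLATFORM"},
                                       "labels": [{"key": key, "value": str(value)} for key, *paths in LABELS
                                                  if (value := first(log, *paths)) is not None]}},
        },
        "relations": [{"entity_type": "RESOURCE", "relationship": "MEMBER", "direction": "UNIDIRECTIONAL",
                       "entity": {"resource": related}}],
    }

def labels_of(entity):
    """Flatten the key/value label list into a dict for lookup."""
    return {item["key"]: item["value"] for item in entity["entity"]["resource"]["attribute"]["labels"]}

if __name__ == "__main__":
    for raw in SAMPLE_LOGS:
        print(json.dumps(to_udm(raw), indent=2))
```

Running the script prints both normalized entities. The checks worth making are on the relation: for the page's record, the projects/1063885730524 ancestor is a substring of resource.parent and therefore does not appear in resource_ancestors, while the organization ancestor is typed CLOUD_ORGANIZATION; for the constructed record the related project name falls back to ancestors.0, all three ancestors are kept, and the folders/ entry is typed STORAGE_OBJECT exactly as the table states. The remaining label rows follow the same (key, candidate fields) pattern and can be appended to LABELS.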