Google Cloud Functions context logs

This document describes how Google Cloud Functions context log fields map to Chronicle Unified Data Model (UDM) fields.

The ingestion label identifies the parser that normalizes raw log data into the structured UDM format. The information in this document applies to the parser with the GCP_CLOUD_FUNCTIONS_CONTEXT ingestion label.

For information about other context parsers that Chronicle supports, see Chronicle context parsers.

Field mapping reference

This section describes how the Chronicle parser maps Google Cloud Functions context log fields to Chronicle UDM fields.

| Log field | UDM mapping | Logic |
| --- | --- | --- |
| | entity.relations.entity.resource.resource_type | The entity.relations.entity.resource.resource_type UDM field is set to CLOUD_PROJECT. |
| | entity.relations.entity.resource.resource_subtype | The entity.relations.entity.resource.resource_subtype UDM field is set to project. |
| ancestors[] | entity.relations.entity.resource_ancestors.resource_type | If the ancestor log field value matches the regular expression pattern organizations, then the entity.relations.entity.resource_ancestors.resource_type UDM field is set to CLOUD_ORGANIZATION. Else, if the ancestor log field value matches the regular expression pattern folders, then the entity.relations.entity.resource_ancestors.resource_type UDM field is set to CLOUD_FOLDER. |
| ancestors[] | entity.relations.entity.resource_ancestors.resource_subtype | If the ancestor log field value matches the regular expression pattern organizations, then the entity.relations.entity.resource_ancestors.resource_subtype UDM field is set to organizations. Else, if the ancestor log field value matches the regular expression pattern folders, then the entity.relations.entity.resource_ancestors.resource_subtype UDM field is set to folders. |
| | entity.relations.relationship | The entity.relations.relationship UDM field is set to MEMBER. |
| resource.parent, ancestors[] | entity.relations.entity.resource.name | If the resource.parent log field value is empty, then the ancestors.0 log field is mapped to the entity.relations.entity.resource.name UDM field. |
| ancestors[] | entity.relations.entity.resource_ancestors.name | If the ancestor log field value is not a substring of the resource.parent log field value, then the ancestors log field is mapped to the entity.relations.entity.resource_ancestors.name UDM field. |
| | entity.relations.entity_type | The entity.relations.entity_type UDM field is set to RESOURCE. |
| | entity.relations.direction | The entity.relations.direction UDM field is set to UNIDIRECTIONAL. |
| | entity.metadata.vendor_name | The entity.metadata.vendor_name UDM field is set to Google Cloud Platform. |
| resource.version | entity.metadata.product_version | |
| | entity.metadata.product_name | The entity.metadata.product_name UDM field is set to GCP Cloud Functions. |
| | entity.metadata.entity_type | The entity.metadata.entity_type UDM field is set to RESOURCE. |
| resource.data.description | entity.metadata.description | |
| resource.data.serviceAccountEmail, resource.data.serviceConfig.serviceAccountEmail | entity.entity.user.email_addresses | |
| resource.data.httpsTrigger.url, resource.data.serviceConfig.uri | entity.entity.url | |
| resource.data.stateMessages.type | entity.entity.threat.summary | |
| resource.data.stateMessages.severity | entity.entity.threat.product_severity | |
| resource.data.stateMessages.message | entity.entity.threat.description | |
| | entity.entity.resource.resource_type | The entity.entity.resource.resource_type UDM field is set to BACKEND_SERVICE. |
| assetType | entity.entity.resource.resource_subtype | |
| resource.data.name | entity.entity.resource.product_object_id | |
| name | entity.entity.resource.name | |
| resource.data.updateTime | entity.entity.resource.attribute.last_update_time | |
| resource.data.network | entity.entity.resource.attribute.labels[vpc_network] | |
| resource.data.vpcConnector, resource.data.serviceConfig.vpcConnector | entity.entity.resource.attribute.labels[vpc_connector] | |
| resource.data.vpcConnectorEgressSettings, resource.data.serviceConfig.vpcConnectorEgressSettings | entity.entity.resource.attribute.labels[vpc_connector_egress_settings] | |
| resource.data.versionId | entity.entity.resource.attribute.labels[version_id] | |
| resource.data.timeout, resource.data.serviceConfig.timeoutSeconds | entity.entity.resource.attribute.labels[timeout] | |
| resource.data.buildConfig.source.storageSource.object | entity.entity.resource.attribute.labels[storage_source_object] | |
| resource.data.buildConfig.source.storageSource.generation | entity.entity.resource.attribute.labels[storage_source_generation] | |
| resource.data.buildConfig.source.storageSource.bucket | entity.entity.resource.attribute.labels[storage_source_bucket] | |
| resource.data.sourceUploadUrl | entity.entity.resource.attribute.labels[source_upload_url] | |
| resource.data.sourceToken | entity.entity.resource.attribute.labels[source_token] | |
| resource.data.sourceRepository.url | entity.entity.resource.attribute.labels[source_repo_url] | |
| resource.data.sourceRepository.deployedUrl | entity.entity.resource.attribute.labels[source_repo_deployed_url] | |
| resource.data.sourceArchiveUrl | entity.entity.resource.attribute.labels[source_archive_url] | |
| resource.data.serviceConfig.service | entity.entity.resource.attribute.labels[service_config_service] | |
| resource.data.serviceConfig.revision | entity.entity.resource.attribute.labels[service_config_revision] | |
| resource.data.serviceConfig.maxInstanceRequestConcurrency | entity.entity.resource.attribute.labels[service_config_max_instance_request_concurrency] | |
| resource.data.serviceConfig.availableCpu | entity.entity.resource.attribute.labels[service_config_available_cpu] | |
| resource.data.serviceConfig.allTrafficOnLatestRevision | entity.entity.resource.attribute.labels[service_config_all_traffic_on_latest_revision] | |
| resource.data.httpsTrigger.securityLevel, resource.data.serviceConfig.securityLevel | entity.entity.resource.attribute.labels[security_level] | |
| resource.data.secretVolumes.versions.version, resource.data.serviceConfig.secretVolumes.versions.version | entity.entity.resource.attribute.labels[secret_vol_ver_version] | |
| resource.data.secretVolumes.versions.path, resource.data.serviceConfig.secretVolumes.versions.path | entity.entity.resource.attribute.labels[secret_vol_ver_path] | |
| resource.data.secretVolumes.secret, resource.data.serviceConfig.secretVolumes.secret | entity.entity.resource.attribute.labels[secret_vol_secret] | |
| resource.data.secretVolumes.projectId, resource.data.serviceConfig.secretVolumes.projectId | entity.entity.resource.attribute.labels[secret_vol_project_id] | |
| resource.data.secretVolumes.mountPath, resource.data.serviceConfig.secretVolumes.mountPath | entity.entity.resource.attribute.labels[secret_vol_mount_path] | |
| resource.data.secretEnvironmentVariables.version, resource.data.serviceConfig.secretEnvironmentVariables.version | entity.entity.resource.attribute.labels[secret_env_var_version] | |
| resource.data.secretEnvironmentVariables.secret, resource.data.serviceConfig.secretEnvironmentVariables.secret | entity.entity.resource.attribute.labels[secret_env_var_secret] | |
| resource.data.secretEnvironmentVariables.projectId, resource.data.serviceConfig.secretEnvironmentVariables.projectId | entity.entity.resource.attribute.labels[secret_env_var_project_id] | |
| resource.data.secretEnvironmentVariables.key, resource.data.serviceConfig.secretEnvironmentVariables.key | entity.entity.resource.attribute.labels[secret_env_var_key] | |
| resource.data.runtime, resource.data.buildConfig.runtime | entity.entity.resource.attribute.labels[runtime] | |
| resource.data.buildConfig.sourceProvenance.resolvedStorageSource.object | entity.entity.resource.attribute.labels[resolved_storage_source_object] | |
| resource.data.buildConfig.sourceProvenance.resolvedStorageSource.generation | entity.entity.resource.attribute.labels[resolved_storage_source_generation] | |
| resource.data.buildConfig.sourceProvenance.resolvedStorageSource.bucket | entity.entity.resource.attribute.labels[resolved_storage_source_bucket] | |
| resource.data.buildConfig.sourceProvenance.resolvedRepoSource.tagName | entity.entity.resource.attribute.labels[resolved_repo_source_tag_name] | |
| resource.data.buildConfig.sourceProvenance.resolvedRepoSource.repoName | entity.entity.resource.attribute.labels[resolved_repo_source_repo_name] | |
| resource.data.buildConfig.sourceProvenance.resolvedRepoSource.projectId | entity.entity.resource.attribute.labels[resolved_repo_source_project_id] | |
| resource.data.buildConfig.sourceProvenance.resolvedRepoSource.invertRegex | entity.entity.resource.attribute.labels[resolved_repo_source_invert_regex] | |
| resource.data.buildConfig.sourceProvenance.resolvedRepoSource.dir | entity.entity.resource.attribute.labels[resolved_repo_source_dir] | |
| resource.data.buildConfig.sourceProvenance.resolvedRepoSource.commitSha | entity.entity.resource.attribute.labels[resolved_repo_source_commit_sha] | |
| resource.data.buildConfig.sourceProvenance.resolvedRepoSource.branchName | entity.entity.resource.attribute.labels[resolved_repo_source_branch_name] | |
| resource.data.buildConfig.source.repoSource.tagName | entity.entity.resource.attribute.labels[repo_source_tag_name] | |
| resource.data.buildConfig.source.repoSource.repoName | entity.entity.resource.attribute.labels[repo_source_repo_name] | |
| resource.data.buildConfig.source.repoSource.projectId | entity.entity.resource.attribute.labels[repo_source_project_id] | |
| resource.data.buildConfig.source.repoSource.invertRegex | entity.entity.resource.attribute.labels[repo_source_invert_regex] | |
| resource.data.buildConfig.source.repoSource.dir | entity.entity.resource.attribute.labels[repo_source_dir] | |
| resource.data.buildConfig.source.repoSource.commitSha | entity.entity.resource.attribute.labels[repo_source_commit_sha] | |
| resource.data.buildConfig.source.repoSource.branchName | entity.entity.resource.attribute.labels[repo_source_branch_name] | |
| resource.data.minInstances, resource.data.serviceConfig.minInstanceCount | entity.entity.resource.attribute.labels[min_instance] | |
| resource.data.maxInstances, resource.data.serviceConfig.maxInstanceCount | entity.entity.resource.attribute.labels[max_instance] | |
| resource.data.kmsKeyName | entity.entity.resource.attribute.labels[kms_key_name] | |
| resource.data.ingressSettings, resource.data.serviceConfig.ingressSettings | entity.entity.resource.attribute.labels[ingress_settings] | |
| resource.data.buildConfig.environmentVariables.GOOGLE_FUNCTION_SOURCE | entity.entity.resource.attribute.labels[GOOGLE_FUNCTION_SOURCE] | |
| resource.data.labels.goog-managed-by | entity.entity.resource.attribute.labels[goog-managed-by] | |
| resource.data.status, resource.data.state | entity.entity.resource.attribute.labels[function_status] | |
| resource.data.eventTrigger.trigger | entity.entity.resource.attribute.labels[event_trigger_trigger] | |
| resource.data.eventTrigger.triggerRegion | entity.entity.resource.attribute.labels[event_trigger_trigger_region] | |
| resource.data.eventTrigger.service | entity.entity.resource.attribute.labels[event_trigger_service] | |
| resource.data.eventTrigger.serviceAccountEmail | entity.entity.resource.attribute.labels[event_trigger_service_account_email] | |
| resource.data.eventTrigger.retryPolicy | entity.entity.resource.attribute.labels[event_trigger_retry_policy] | |
| resource.data.eventTrigger.resource | entity.entity.resource.attribute.labels[event_trigger_resource] | |
| resource.data.eventTrigger.pubsubTopic | entity.entity.resource.attribute.labels[event_trigger_pubsub_topic] | |
| resource.data.eventTrigger.eventFilters.value | entity.entity.resource.attribute.labels[event_trigger_evt_filter_value] | |
| resource.data.eventTrigger.eventFilters.operator | entity.entity.resource.attribute.labels[event_trigger_evt_filter_operator] | |
| resource.data.eventTrigger.eventFilters.attribute | entity.entity.resource.attribute.labels[event_trigger_evt_filter_attribute] | |
| resource.data.eventTrigger.eventType | entity.entity.resource.attribute.labels[event_trigger_event_type] | |
| resource.data.eventTrigger.channel | entity.entity.resource.attribute.labels[event_trigger_channel] | |
| resource.data.environment | entity.entity.resource.attribute.labels[environment] | |
| resource.data.entryPoint, resource.data.buildConfig.entryPoint | entity.entity.resource.attribute.labels[entry_point] | |
| resource.data.dockerRepository, resource.data.buildConfig.dockerRepository | entity.entity.resource.attribute.labels[docker_repository] | |
| resource.data.dockerRegistry, resource.data.buildConfig.dockerRegistry | entity.entity.resource.attribute.labels[docker_registry] | |
| resource.discoveryName | entity.entity.resource.attribute.labels[discovery_name] | |
| resource.discoveryDocumentUri | entity.entity.resource.attribute.labels[discovery_document_uri] | |
| resource.data.labels.deployment-tool | entity.entity.resource.attribute.labels[deployment_tool] | |
| resource.data.buildWorkerPool, resource.data.buildConfig.workerPool | entity.entity.resource.attribute.labels[build_worker_pool] | |
| resource.data.buildName, resource.data.buildConfig.build | entity.entity.resource.attribute.labels[build_name] | |
| resource.data.buildId | entity.entity.resource.attribute.labels[build_id] | |
| resource.data.availableMemoryMb, resource.data.serviceConfig.availableMemory | entity.entity.resource.attribute.labels[available_memory] | |
| | entity.entity.resource.attribute.cloud.environment | The entity.entity.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
| resource.data.environmentVariables.TAXII_VERSION, resource.data.serviceConfig.environmentVariables.TAXII_VERSION | entity.entity.resource.attribute.labels[TAXII_VERSION] | |
| resource.data.environmentVariables.TAXII_USERNAME, resource.data.serviceConfig.environmentVariables.TAXII_USERNAME | entity.entity.resource.attribute.labels[TAXII_USERNAME] | |
| resource.data.environmentVariables.TAXII_PASSWORD_SECRET_PATH, resource.data.serviceConfig.environmentVariables.TAXII_PASSWORD_SECRET_PATH | entity.entity.resource.attribute.labels[TAXII_PASSWORD_SECRET_PATH] | |
| resource.data.environmentVariables.TAXII_DISCOVERY_URL, resource.data.serviceConfig.environmentVariables.TAXII_DISCOVERY_URL | entity.entity.resource.attribute.labels[TAXII_DISCOVERY_URL] | |
| resource.data.environmentVariables.CHRONICLE_SERVICE_ACCOUNT, resource.data.serviceConfig.environmentVariables.CHRONICLE_SERVICE_ACCOUNT | entity.entity.resource.attribute.labels[CHRONICLE_SERVICE_ACCOUNT] | |
| resource.data.environmentVariables.CHRONICLE_CUSTOMER_ID, resource.data.serviceConfig.environmentVariables.CHRONICLE_CUSTOMER_ID | entity.entity.resource.attribute.labels[CHRONICLE_CUSTOMER_ID] | |
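The table is easier to reason about when the two non-trivial rules are run against a real-shaped record: the project relation (ancestors.0 only when resource.parent is empty; ancestors kept as resource_ancestors only when they are not a substring of resource.parent, then typed by the organizations/folders regex), and the rows that list two source fields, which correspond to the 1st-gen function shape (top-level resource.data.* and httpsTrigger.*) and the 2nd-gen shape (buildConfig.* and serviceConfig.*). The following Python is an added example written for this page; it is not Chronicle's parser and covers only a subset of the label rows. The sample record is constructed here in a Cloud Asset Inventory-style layout (name, assetType, ancestors, resource.parent, resource.data). Two things the table does not state are assumed and marked as such in the code: a non-empty resource.parent is used directly as the project relation name, and labels are rendered as a dict rather than UDM's list of key/value pairs.

```python
"""Added example, not Chronicle's parser: applies the GCP_CLOUD_FUNCTIONS_CONTEXT
mapping rules to a constructed Cloud Asset Inventory-style Cloud Function record.
Assumptions not stated on the page: a non-empty resource.parent is itself the
project relation name, and UDM labels are shown as a dict, not key/value pairs."""
import re

# Constructed sample: a 2nd-gen function, so values live under buildConfig/serviceConfig.
SAMPLE_ASSET = {
    "name": "//cloudfunctions.googleapis.com/projects/example-proj/locations/us-central1/functions/ingest",
    "assetType": "cloudfunctions.googleapis.com/Function",
    "ancestors": ["projects/123456789012", "folders/222333444555", "organizations/111222333444"],
    "resource": {
        "parent": "//cloudresourcemanager.googleapis.com/projects/123456789012",
        "data": {
            "name": "projects/example-proj/locations/us-central1/functions/ingest",
            "state": "ACTIVE",
            "updateTime": "2024-01-02T03:04:05Z",
            "buildConfig": {"runtime": "python311"},
            "serviceConfig": {
                "uri": "https://ingest-abc123-uc.a.run.app",
                "serviceAccountEmail": "ingest-sa@example-proj.iam.gserviceaccount.com",
                "ingressSettings": "ALLOW_ALL",
                "securityLevel": "SECURE_ALWAYS",
                "timeoutSeconds": 60,
            },
        },
    },
}

# A subset of the labels[...] rows: (1st-gen source, 2nd-gen source) for each label key.
LABEL_SOURCES = {
    "runtime": ("resource.data.runtime", "resource.data.buildConfig.runtime"),
    "ingress_settings": ("resource.data.ingressSettings", "resource.data.serviceConfig.ingressSettings"),
    "security_level": ("resource.data.httpsTrigger.securityLevel", "resource.data.serviceConfig.securityLevel"),
    "timeout": ("resource.data.timeout", "resource.data.serviceConfig.timeoutSeconds"),
    "function_status": ("resource.data.status", "resource.data.state"),
}


def get_path(record, dotted):
    """Walk a dotted path through nested dicts; None if any segment is absent."""
    for part in dotted.split("."):
        if not isinstance(record, dict) or part not in record:
            return None
        record = record[part]
    return record


def first_present(record, *paths):
    """Rows listing 'fieldA, fieldB' take whichever source the record carries."""
    return next((v for v in (get_path(record, p) for p in paths) if v is not None), None)


def ancestor_entry(ancestor):
    """Type an ancestor by regex as the table does; unmatched ones keep only a name."""
    entry = {"name": ancestor}
    if re.search(r"organizations", ancestor):
        entry.update(resource_type="CLOUD_ORGANIZATION", resource_subtype="organizations")
    elif re.search(r"folders", ancestor):
        entry.update(resource_type="CLOUD_FOLDER", resource_subtype="folders")
    return entry


def project_relation(record):
    """The single MEMBER relation, built from resource.parent and ancestors[]."""
    parent = get_path(record, "resource.parent") or ""
    ancestors = record.get("ancestors") or []
    # Documented: empty parent -> ancestors.0. Non-empty parent -> parent (assumption).
    project_name = parent or (ancestors[0] if ancestors else None)
    return {
        "entity_type": "RESOURCE", "relationship": "MEMBER", "direction": "UNIDIRECTIONAL",
        "entity": {
            "resource": {"resource_type": "CLOUD_PROJECT", "resource_subtype": "project", "name": project_name},
            # Documented: only ancestors that are not a substring of resource.parent are kept.
            "resource_ancestors": [ancestor_entry(a) for a in ancestors if a not in parent],
        },
    }


def to_udm_entity(record):
    """Produce the UDM entity dict for one Cloud Functions context record."""
    labels = {k: first_present(record, *srcs) for k, srcs in LABEL_SOURCES.items()}
    sa_email = first_present(record, "resource.data.serviceAccountEmail",
                             "resource.data.serviceConfig.serviceAccountEmail")
    return {
        "metadata": {"vendor_name": "Google Cloud Platform", "product_name": "GCP Cloud Functions",
                     "entity_type": "RESOURCE"},
        "entity": {
            "user": {"email_addresses": [sa_email] if sa_email else []},
            "url": first_present(record, "resource.data.httpsTrigger.url", "resource.data.serviceConfig.uri"),
            "resource": {
                "resource_type": "BACKEND_SERVICE",
                "resource_subtype": record.get("assetType"),
                "product_object_id": get_path(record, "resource.data.name"),
                "name": record.get("name"),
                "attribute": {
                    "cloud": {"environment": "GOOGLE_CLOUD_PLATFORM"},
                    "last_update_time": get_path(record, "resource.data.updateTime"),
                    # UDM label values are strings; sources absent from this record are dropped.
                    "labels": {k: str(v) for k, v in labels.items() if v is not None},
                },
            },
        },
        "relations": [project_relation(record)],
    }
```

Running `to_udm_entity(SAMPLE_ASSET)` keeps the folder and organization ancestors but drops `projects/123456789012`, because that string is a substring of resource.parent; blanking resource.parent switches the project relation to ancestors.0 and retains all three ancestors, with only the folder and organization entries typed. For detection work, the labels this mapping produces (ingress_settings, security_level, the secret_* references and the service account e-mail) are the fields to key on when hunting for exposed or over-privileged functions.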