Google Cloud IAM 上下文日志

本文档介绍了 Google Cloud Identity and Access Management 情境日志的字段如何映射到 Google 安全运营统一数据模型 (UDM) 字段。

注入标签标识将原始日志数据标准化为结构化 UDM 格式的解析器。本文档中的信息适用于解析器 提取值为 GCP_IAM_CONTEXT

如需了解 Google Security Operations 支持的其他上下文解析器,请参阅 Google Security Operations 上下文解析器

字段映射参考文档

本部分介绍 Google Security Operations 解析器如何将 Google Cloud Identity and Access Management 上下文字段映射到 Google Security Operations 统一数据模型 (UDM) 字段。

Log field UDM mapping Logic
resource.data.groupTitle entity.group.attribute.labels[group_title]
resource.data.groupName entity.group.group_display_name
resource.data.projectId entity.resource_ancestors.product_object_id
resource.data.name entity.resource_ancestors.product_object_id If the assetType log field value matches the regular expression pattern Role, then
Grok extracts prnt_id from the log field resource.data.name and maps it to the entity.resource_ancestors.product_object_id UDM field.

Else, if the assetType log field value matches the regular expression pattern ServiceAccountKey, then
Grok extracts project_id from the log field resource.data.name and maps it to the entity.resource_ancestors.product_object_id UDM field.
entity.resource_ancestors.resource_subtype If the assetType log field value matches the regular expression pattern Role and the resource.data.name log field value matches the regular expression pattern organizations, then the entity.resource_ancestors.resource_subtype UDM field is set to organizations.

Else, if the assetType log field value matches the regular expression pattern Role and the resource.data.name log field value matches the regular expression pattern projects, then the entity.resource_ancestors.resource_subtype UDM field is set to projects.

Else, if the assetType log field value matches the regular expression pattern ServiceAccount, then the entity.resource_ancestors.resource_type UDM field is set to projects.
entity.resource_ancestors.resource_type If the assetType log field value matches the regular expression pattern Role and the resource.data.name log field value matches the regular expression pattern organizations, then the entity.resource_ancestors.resource_type UDM field is set to CLOUD_ORGANIZATION.

Else, if the assetType log field value matches the regular expression pattern Role and the resource.data.name log field value matches the regular expression pattern projects, then the entity.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT.

Else, if the assetType log field value matches the regular expression pattern ServiceAccount, then the entity.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT.
entity.resource.attribute.cloud.environment The entity.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM.
resource.data.deleted entity.resource.attribute.labels[deleted]
resource.data.disabled entity.resource.attribute.labels[disabled]
resource.discoveryDocumentUri entity.resource.attribute.labels[discovery_document_uri]
resource.discoveryName entity.resource.attribute.labels[discovery_name]
resource.data.etag entity.resource.attribute.labels[etag]
resource.data.name entity.resource.attribute.labels[resource_name]
resource.data.stage entity.resource.attribute.labels[stage]
resource.data.title entity.resource.attribute.labels[title]
resource.data.includedPermissions entity.resource.attribute.permissions.name
name entity.resource.name
resource.data.name entity.resource.product_object_id If the assetType log field value matches the regular expression pattern ServiceAccountKey, then
Grok extracts account_id from the log field resource.data.name and maps it to the entity.resource.product_object_id UDM field.
resource.data.name entity.resource.product_object_id If the assetType log field value matches the regular expression pattern Role, then
Grok extracts res_name from the log field resource.data.name and maps it to the entity.resource.product_object_id UDM field.
assetType entity.resource.resource_subtype
entity.resource.resource_type If the assetType log field value matches the regular expression pattern Role, then the entity.resource.resource_type UDM field is set to ACCESS_POLICY.

Else, if the assetType log field value matches the regular expression pattern ServiceAccount, then the entity.resource.resource_type UDM field is set to SERVICE_ACCOUNT.
entity.user.attribute.cloud.environment If the resource.discoveryName log field value is equal to ServiceAccount, then the entity.resource.resource_type UDM field is set to GOOGLE_CLOUD_PLATFORM.
resource.data.email entity.user.email_addresses
resource.data.email entity.user.userid
resource.data.oauth2ClientId entity.user.attribute.labels[oauth2_client_id]
resource.data.displayName entity.user.user_display_name
resource.data.uniqueId entity.user.product_object_id
resource.data.description metadata.description
metadata.entity_type If the assetType log field value matches the regular expression pattern Role, then the metadata.entity_type UDM field is set to RESOURCE.

Else, if the assetType log field value matches the regular expression pattern ServiceAccountKey, then the metadata.entity_type UDM field is set to RESOURCE.

Else, if the assetType log field value matches the regular expression pattern ServiceAccount, then the metadata.entity_type UDM field is set to USER.
metadata.product_name The metadata.product_name UDM field is set to Identity and Access Management.
resource.version metadata.product_version
metadata.vendor_name The metadata.vendor_name UDM field is set to Google.
relations.direction The relations.direction UDM field is set to UNIDIRECTIONAL.
relations.entity_type The relations.entity_type UDM field is set to RESOURCE.
resource.data.validAfterTime relations.entity.resource.attribute.creation_time
resource.data.keyAlgorithm relations.entity.resource.attribute.labels[key_algorithm]
resource.data.keyOrigin relations.entity.resource.attribute.labels[key_origin]
resource.data.keyType relations.entity.resource.attribute.labels[key_type]
resource.data.privateKeyData relations.entity.resource.attribute.labels[private_key_data]
resource.data.privateKeyType relations.entity.resource.attribute.labels[private_key_type]
resource.data.publicKeyData relations.entity.resource.attribute.labels[public_key_data]
resource.data.validBeforeTime relations.entity.resource.attribute.labels[valid_before_time]
ancestors relations.entity.resource.name
resource.parent relations.entity.resource.name
resource.parent relations.entity.resource.product_object_id Grok extracts id from the log field resource.parent and maps it to the relations.entity.resource.product_object_id UDM field.
resource.data.name relations.entity.resource.product_object_id If the assetType log field value matches the regular expression pattern ServiceAccountKey, then
Grok extracts key from the log field resource.data.name and maps it to the relations.entity.resource.product_object_id UDM field.
ancestors relations.entity.resource.product_object_id Grok extracts id from the log field ancestors and maps it to the relations.entity.resource.product_object_id UDM field.
ancestors relations.entity.resource.resource_subtype Grok extracts subtype from the log field ancestors and maps it to the relations.entity.resource.resource_subtype UDM field.
relations.entity.resource.resource_subtype If the assetType log field value matches the regular expression pattern ServiceAccountKey, then the relations.entity.resource.resource_subtype UDM field is set to keys.

If the resource.parent log field value matches the regular expression pattern organizations, then the relations.entity.resource.resource_subtype UDM field is set to organizations.

Else, if the resource.parent log field value matches the regular expression pattern projects, then the relations.entity.resource.resource_subtype UDM field is set to projects.

Else, if the resource.parent log field value matches the regular expression pattern folders, then the relations.entity.resource.resource_subtype UDM field is set to folders.
relations.entity.resource.resource_type If the assetType log field value matches the regular expression pattern ServiceAccountKey, then the relations.entity.resource.resource_type UDM field is set to STORAGE_OBJECT.

Else, if the resource.parent log field value matches the regular expression pattern organizations or the ancestors log field value matches the regular expression pattern organization, then the relations.entity.resource.resource_type UDM field is set to CLOUD_ORGANIZATION.

Else, if the resource.parent log field value matches the regular expression pattern projects or the ancestors log field value matches the regular expression pattern project, then the relations.entity.resource.resource_type UDM field is set to CLOUD_PROJECT.

Else, if the resource.parent log field value matches the regular expression pattern folders or the ancestors log field value matches the regular expression pattern folder, then the relations.entity.resource.resource_type UDM field is set to STORAGE_OBJECT.
relations.relationship If the assetType log field value matches the regular expression pattern ServiceAccountKey, then the relations.relationship UDM field is set to OWNS.

Else, the relations.relationship UDM field is set to MEMBER.