Google Cloud IAM 情境記錄
本文說明 Google Cloud 身分與存取權管理內容記錄的欄位如何對應至 Google Security Operations 統一資料模型 (UDM) 欄位。
擷取標籤會標示剖析器,將原始記錄資料正規化為具結構性的 UDM 格式。本文中的資訊適用於使用 GCP_IAM_CONTEXT
攝入標籤的剖析器。
如要瞭解 Google SecOps 支援的其他內容剖析器,請參閱「Google SecOps 內容剖析器」。
支援的 IAM 記錄格式
IAM 剖析器支援 JSON 格式的記錄。
支援的 IAM 範例記錄
- JSON:
none { "name": "//iam.googleapis.com/projects/project_id/serviceAccounts/service_account_id", "asset_type": "iam.googleapis.com/ServiceAccount", "resource": { "version": "v1", "discovery_document_uri": "https://dummy.domain.com/$discovery/rest", "discovery_name": "ServiceAccount", "parent": "//cloudresourcemanager.googleapis.com/projects/project_number", "data": { "displayName": "Compute Engine default service account", "email": "dummy-compute@developer.domain.com", "name": "projects/project_id/serviceAccounts/project_number-compute@developer.gserviceaccount.com", "oauth2ClientId": "service_account_id", "projectId": "project_id", "uniqueId": "service_account_id" } }, "AccessContextPolicy": null, "ancestors": [ "projects/project_number", "folders/folders_id_1", "folders/folders_id_2", "folders/folders_id_3", "organizations/organizations_id" ] }
欄位對應參考資料
本節說明 Google SecOps 剖析器如何將 Google Cloud 身分與存取權管理背景資訊欄位對應至 Google SecOps 統一資料模型 (UDM) 欄位。
Log field | UDM mapping | Logic |
---|---|---|
resource.data.groupTitle |
entity.group.attribute.labels[group_title] |
|
resource.data.groupName |
entity.group.group_display_name |
|
resource.data.projectId |
entity.resource_ancestors.product_object_id |
|
resource.data.name |
entity.resource_ancestors.product_object_id |
If the assetType log field value matches the regular expression pattern Role , then Grok extracts prnt_id from the log field resource.data.name and maps it to the entity.resource_ancestors.product_object_id UDM field.
Else, if the assetType log field value matches the regular expression pattern ServiceAccountKey , then Grok extracts project_id from the log field resource.data.name and maps it to the entity.resource_ancestors.product_object_id UDM field. |
|
entity.resource_ancestors.resource_subtype |
If the assetType log field value matches the regular expression pattern Role and the resource.data.name log field value matches the regular expression pattern organizations , then the entity.resource_ancestors.resource_subtype UDM field is set to organizations .Else, if the assetType log field value matches the regular expression pattern Role and the resource.data.name log field value matches the regular expression pattern projects , then the entity.resource_ancestors.resource_subtype UDM field is set to projects .Else, if the assetType log field value matches the regular expression pattern ServiceAccount , then the entity.resource_ancestors.resource_type UDM field is set to projects . |
|
entity.resource_ancestors.resource_type |
If the assetType log field value matches the regular expression pattern Role and the resource.data.name log field value matches the regular expression pattern organizations , then the entity.resource_ancestors.resource_type UDM field is set to CLOUD_ORGANIZATION .Else, if the assetType log field value matches the regular expression pattern Role and the resource.data.name log field value matches the regular expression pattern projects , then the entity.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT .Else, if the assetType log field value matches the regular expression pattern ServiceAccount , then the entity.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT . |
|
entity.resource.attribute.cloud.environment |
The entity.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM . |
resource.data.deleted |
entity.resource.attribute.labels[deleted] |
|
resource.data.disabled |
entity.resource.attribute.labels[disabled] |
|
resource.discoveryDocumentUri |
entity.resource.attribute.labels[discovery_document_uri] |
|
resource.discoveryName |
entity.resource.attribute.labels[discovery_name] |
|
resource.data.etag |
entity.resource.attribute.labels[etag] |
|
resource.data.name |
entity.resource.attribute.labels[resource_name] |
|
resource.data.stage |
entity.resource.attribute.labels[stage] |
|
resource.data.title |
entity.resource.attribute.labels[title] |
|
resource.data.includedPermissions |
entity.resource.attribute.permissions.name |
|
name |
entity.resource.name |
|
resource.data.name |
entity.resource.product_object_id |
If the assetType log field value matches the regular expression pattern ServiceAccountKey , then Grok extracts account_id from the log field resource.data.name and maps it to the entity.resource.product_object_id UDM field. |
resource.data.name |
entity.resource.product_object_id |
If the assetType log field value matches the regular expression pattern Role , then Grok extracts res_name from the log field resource.data.name and maps it to the entity.resource.product_object_id UDM field. |
assetType |
entity.resource.resource_subtype |
|
|
entity.resource.resource_type |
If the assetType log field value matches the regular expression pattern Role , then the entity.resource.resource_type UDM field is set to ACCESS_POLICY .Else, if the assetType log field value matches the regular expression pattern ServiceAccount , then the entity.resource.resource_type UDM field is set to SERVICE_ACCOUNT . |
|
entity.user.attribute.cloud.environment |
If the resource.discoveryName log field value is equal to ServiceAccount , then the entity.resource.resource_type UDM field is set to GOOGLE_CLOUD_PLATFORM . |
resource.data.email |
entity.user.email_addresses |
|
resource.data.email |
entity.user.userid |
|
resource.data.oauth2ClientId |
entity.user.attribute.labels[oauth2_client_id] |
|
resource.data.displayName |
entity.user.user_display_name |
|
resource.data.uniqueId |
entity.user.product_object_id |
|
resource.data.description |
metadata.description |
|
|
metadata.entity_type |
If the assetType log field value matches the regular expression pattern Role , then the metadata.entity_type UDM field is set to RESOURCE .Else, if the assetType log field value matches the regular expression pattern ServiceAccountKey , then the metadata.entity_type UDM field is set to RESOURCE .Else, if the assetType log field value matches the regular expression pattern ServiceAccount , then the metadata.entity_type UDM field is set to USER . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Identity and Access Management . |
resource.version |
metadata.product_version |
|
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to Google . |
|
relations.direction |
The relations.direction UDM field is set to UNIDIRECTIONAL . |
|
relations.entity_type |
The relations.entity_type UDM field is set to RESOURCE . |
resource.data.validAfterTime |
relations.entity.resource.attribute.creation_time |
|
resource.data.keyAlgorithm |
relations.entity.resource.attribute.labels[key_algorithm] |
|
resource.data.keyOrigin |
relations.entity.resource.attribute.labels[key_origin] |
|
resource.data.keyType |
relations.entity.resource.attribute.labels[key_type] |
|
resource.data.privateKeyData |
relations.entity.resource.attribute.labels[private_key_data] |
|
resource.data.privateKeyType |
relations.entity.resource.attribute.labels[private_key_type] |
|
resource.data.publicKeyData |
relations.entity.resource.attribute.labels[public_key_data] |
|
resource.data.validBeforeTime |
relations.entity.resource.attribute.labels[valid_before_time] |
|
ancestors |
relations.entity.resource.name |
|
resource.parent |
relations.entity.resource.name |
|
resource.parent |
relations.entity.resource.product_object_id |
Grok extracts id from the log field resource.parent and maps it to the relations.entity.resource.product_object_id UDM field. |
resource.data.name |
relations.entity.resource.product_object_id |
If the assetType log field value matches the regular expression pattern ServiceAccountKey , then Grok extracts key from the log field resource.data.name and maps it to the relations.entity.resource.product_object_id UDM field. |
ancestors |
relations.entity.resource.product_object_id |
Grok extracts id from the log field ancestors and maps it to the relations.entity.resource.product_object_id UDM field. |
ancestors |
relations.entity.resource.resource_subtype |
Grok extracts subtype from the log field ancestors and maps it to the relations.entity.resource.resource_subtype UDM field. |
|
relations.entity.resource.resource_subtype |
If the assetType log field value matches the regular expression pattern ServiceAccountKey , then the relations.entity.resource.resource_subtype UDM field is set to keys .If the resource.parent log field value matches the regular expression pattern organizations , then the relations.entity.resource.resource_subtype UDM field is set to organizations .Else, if the resource.parent log field value matches the regular expression pattern projects , then the relations.entity.resource.resource_subtype UDM field is set to projects .Else, if the resource.parent log field value matches the regular expression pattern folders , then the relations.entity.resource.resource_subtype UDM field is set to folders . |
|
relations.entity.resource.resource_type |
If the assetType log field value matches the regular expression pattern ServiceAccountKey , then the relations.entity.resource.resource_type UDM field is set to STORAGE_OBJECT .Else, if the resource.parent log field value matches the regular expression pattern organizations or the ancestors log field value matches the regular expression pattern organization , then the relations.entity.resource.resource_type UDM field is set to CLOUD_ORGANIZATION .Else, if the resource.parent log field value matches the regular expression pattern projects or the ancestors log field value matches the regular expression pattern project , then the relations.entity.resource.resource_type UDM field is set to CLOUD_PROJECT .Else, if the resource.parent log field value matches the regular expression pattern folders or the ancestors log field value matches the regular expression pattern folder , then the relations.entity.resource.resource_type UDM field is set to STORAGE_OBJECT . |
|
relations.relationship |
If the assetType log field value matches the regular expression pattern ServiceAccountKey , then the relations.relationship UDM field is set to OWNS .Else, the relations.relationship UDM field is set to MEMBER . |