Network Connectivity Center 컨텍스트 로그

이 문서에서는 Network Connectivity Center 컨텍스트 로그 필드를 Google Security Operations 통합 데이터 모델(UDM) 필드에 매핑하는 방법을 설명합니다.

수집 라벨은 원시 로그 데이터를 구조화된 UDM 형식으로 정규화하는 파서를 식별합니다. 이 문서의 정보는 GCP_NETWORK_CONNECTIVITY_CONTEXT 수집 라벨이 있는 파서에 적용됩니다.

Google Security Operations에서 지원하는 다른 컨텍스트 파서에 대한 자세한 내용은 Google Security Operations 컨텍스트 파서를 참조하세요.

필드 매핑 참조

다음 표에서는 Google Security Operations 파서가 Network Connectivity Center 컨텍스트 로그 필드를 Google Security Operations 통합 데이터 모델(UDM) 필드에 매핑하는 방법을 설명합니다.

Log field UDM mapping Logic
entity.resource.attribute.cloud.environment The entity.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM.
entity.resource_ancestors.attribute.cloud.environment If the resource.data.network log field value is not empty, then the entity.resource_ancestors.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM.
entity.resource_ancestors.resource_type If the resource.data.network log field value is not empty, then the entity.resource_ancestors.resource_type UDM field is set to VPC_NETWORK.
resource.data.createTime entity.resource.attribute.creation_time
resource.discoveryDocumentUri entity.resource.attribute.labels [discovery_document]
resource.discoveryName entity.resource.attribute.labels [discovery_name]
resource.data.ipCidrRange entity.resource.attribute.labels [ipcidrrange]
resource.data.overlaps entity.resource.attribute.labels [overlaps] If the resource.data.overlaps log field value is not empty, then the resource.data.overlaps log field is mapped to the entity.resource.attribute.labels.overlaps%{index} UDM field.
resource.data.peering entity.resource.attribute.labels [peering]
resource.data.prefixLength entity.resource.attribute.labels [prefix_length]
resource.data.description metadata.description
metadata.product_entity_id The obj_id is extracted from the Resource.data.name log field using Grok pattern, and the the obj_id log field value is not empty and the resource.data.uniqueId log field value is empty, then the obj_id log field is mapped to the entity.resource.product_object_id UDM field.
metadata.entity_type The metadata.entity_type UDM field is set to RESOURCE.
resource.data.locationId entity.location.name
resource.data.name entity.resource.attribute.labels [resource_name]
resource.data.state entity.resource.attribute.labels [resource_state]
resource.data.targetCidrRange entity.resource.attribute.labels [target_cidr_range] If the resource.data.targetCidrRange log field value is not empty, then the resource.data.targetCidrRange log field is mapped to the entity.resource.attribute.labels.target_cidrrange%{index} UDM field.
resource.data.usage entity.resource.attribute.labels [usage]
resource.data.updateTime entity.resource.attribute.last_update_time
name entity.resource.name
resource.data.network entity.resource_ancestors.name
resource.data.uniqueId entity.resource.product_object_id
assetType entity.resource.resource_subtype
entity.resource.resource_type The entity.resource.resource_type UDM field is set to DEVICE.
resource.version metadata.product_version
relations.direction If the ancestors log field value is not empty or the resource.data.hub log field value is not empty or the resource.data.users log field value is not empty or the resource.data.routingVpcs.uri log field value is not empty or the resource.data.linkedVpnTunnels.uris log field value is not empty or the resource.data.linkedInterconnectAttachments.uris log field value is not empty or the resource.data.linkedRouterApplianceInstances.instances.virtualMachine log field value is not empty or the resource.data.linkedRouterApplianceInstances.instances.ipAddress log field value is not empty, then the relations.direction UDM field is set to UNIDIRECTIONAL.
relations.entity_type If the ancestors log field value is not empty or the resource.data.hub log field value is not empty or the resource.data.users log field value is not empty or the resource.data.routingVpcs.uri log field value is not empty or the resource.data.linkedVpnTunnels.uris log field value is not empty or the resource.data.linkedInterconnectAttachments.uris log field value is not empty or the resource.data.linkedRouterApplianceInstances.instances.virtualMachine log field value is not empty or the resource.data.linkedRouterApplianceInstances.instances.ipAddress log field value is not empty, then the relations.entity_type UDM field is set to RESOURCE.
resource.data.linkedRouterApplianceInstances.instances.ipAddress relations.entity.ip
relations.entity.resource_ancestors.attribute.cloud.environment If the resource.parent log field value not contains the ancestors log field value or the resource.data.linkedVpnTunnels.vpcNetwork log field value is not empty or the resource.data.linkedInterconnectAttachments.vpcNetwork log field value is not empty or the resource.data.linkedRouterApplianceInstances.vpcNetwork log field value is not empty, then the relations.entity.resource_ancestors.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM.
ancestors relations.entity.resource_ancestors.name If the resource.parent log field value not contains the ancestors log field value or the resource.data.linkedVpnTunnels.vpcNetwork log field value is not empty or the resource.data.linkedInterconnectAttachments.vpcNetwork log field value is not empty or the resource.data.linkedRouterApplianceInstances.vpcNetwork log field value is not empty, then the ancestors log field is mapped to the relations.entity.resource_ancestors.name UDM field.
resource.data.linkedVpnTunnels.vpcNetwork relations.entity.resource_ancestors.name
resource.data.linkedInterconnectAttachments.vpcNetwork relations.entity.resource_ancestors.name
resource.data.linkedRouterApplianceInstances.vpcNetwork relations.entity.resource_ancestors.name
relations.entity.resource_ancestors.resource_type If the resource.parent log field value not contains the ancestors log field value or the resource.data.linkedVpnTunnels.vpcNetwork log field value is not empty or the resource.data.linkedInterconnectAttachments.vpcNetwork log field value is not empty or the resource.data.linkedRouterApplianceInstances.vpcNetwork log field value is not empty, then the relations.entity.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT.
relations.entity.resource_ancestors.resource_subtype The res_type is extracted from the ancestors log field using a Grok pattern, and if the res_type log field value is not empty and the resource.parent log field value not contains the ancestors log field value, then the res_type log field is mapped to the relations.entity.resource_ancestors.resource_subtype UDM field.
relations.entity.resource.resource_subtype The res_type is extracted from the ancestors log field using a Grok pattern, and if the res_type log field value is not empty and the resource.parent log field value contains the ancestors log field value, then the res_type log field is mapped to the relations.entity.resource_ancestors.resource_subtype UDM field.

if the resource.data.hub log field value is not empty, then the relations.entity.resource.resource_subtype UDM field is set to HUB.
relations.entity.resource.attribute.cloud.environment If the resource.parent log field value contains the ancestors log field value or the resource.data.hub log field value is not empty or the resource.data.users log field value is not empty or the resource.data.routingVpcs.uri log field value is not empty or the resource.data.linkedVpnTunnels.uris log field value is not empty or the resource.data.linkedVpnTunnels.uris log field value is not empty or the resource.data.linkedInterconnectAttachments.uris log field value is not empty or the resource.data.linkedRouterApplianceInstances.instances.virtualMachine log field value is not empty or the resource.data.linkedRouterApplianceInstances.instances.ipAddress log field value is not empty, then the relations.entity.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM.
resource.data.linkedVpnTunnels.siteToSiteDataTransfer relations.entity.resource.attribute.labels [vpntunnel_sitetosite_data_transfer] If the resource.data.linkedVpnTunnels.siteToSiteDataTransfer log field value is not empty, then the resource.data.linkedVpnTunnels.siteToSiteDataTransfer log field is mapped to the relations.entity.resource.attribute.labels.value UDM field.
resource.data.linkedInterconnectAttachments.siteToSiteDataTransfer relations.entity.resource.attribute.labels [attachments_sitetosite_data_transfer] If the resource.data.linkedInterconnectAttachments.siteToSiteDataTransfer log field value is not empty, then the resource.data.linkedInterconnectAttachments.siteToSiteDataTransfer log field is mapped to the relations.entity.resource.attribute.labels.value UDM field.
resource.data.linkedRouterApplianceInstances.siteToSiteDataTransfer relations.entity.resource.attribute.labels [routerapplliances_sitetosite_data_transfer] If the resource.data.linkedRouterApplianceInstances.siteToSiteDataTransfer log field value is not empty, then the resource.data.linkedRouterApplianceInstances.siteToSiteDataTransfer log field is mapped to the relations.entity.resource.attribute.labels.value UDM field.
resource.data.hub relations.entity.resource.name If the resource.parent log field value contains the ancestors log field value, then the resource.parent log field is mapped to the relations.entity.resource.name UDM field.
resource.data.routingVpcs.uri relations.entity.resource.name
resource.data.linkedVpnTunnels.uris relations.entity.resource.name
resource.data.linkedInterconnectAttachments.uris relations.entity.resource.name
resource.data.linkedRouterApplianceInstances.instances.virtualMachine relations.entity.resource.name
resource.data.users relations.entity.resource.name
resource.parent relations.entity.resource.name
relations.entity.resource.resource_type If the resource.data.hub log field value is not empty or the resource.data.users log field value is not empty or the resource.data.linkedVpnTunnels.uris log field value is not empty or the resource.data.linkedInterconnectAttachments.uris log field value is not empty, then the relations.entity.resource.resource_type UDM field is set to DEVICE.

If the resource.parent log field value contains the ancestors log field value, then the relations.entity.resource.resource_type UDM field is set to CLOUD_PROJECT.

If the resource.data.routingVpcs.uri log field value is not empty, then the relations.entity.resource.resource_type UDM field is set to VPC_NETWORK.

If the resource.data.linkedRouterApplianceInstances.instances.virtualMachine log field value is not empty or the resource.data.linkedRouterApplianceInstances.instances.ipAddress log field value is not empty, then the relations.entity.resource.resource_type UDM field is set to VIRTUAL_MACHINE.
relations.relationship If the ancestors log field value is not empty or the resource.data.hub log field value is not empty or the resource.data.users log field value is not empty or the resource.data.routingVpcs.uri log field value is not empty or the resource.data.linkedVpnTunnels.uris log field value is not empty or the resource.data.linkedInterconnectAttachments.uris log field value is not empty or the resource.data.linkedRouterApplianceInstances.instances.virtualMachine log field value is not empty or the resource.data.linkedRouterApplianceInstances.instances.ipAddress log field value is not empty, then the relations.relationship UDM field is set to MEMBER.
resource.data.routingVpcs.requiredForNewSiteToSiteDataTransferSpokes relations.entity.resource.attribute.labels [required_for_new_site_to_site_data_transfer_spokes]