Resource Manager 컨텍스트 로그
이 문서에서는 Resource Manager 컨텍스트 로그의 필드를 Google Security Operations 통합 데이터 모델(UDM) 필드에 매핑하는 방법을 설명합니다.
수집 라벨은 원시 로그 데이터를 구조화된 UDM 형식으로 정규화하는 파서를 식별합니다. 이 문서의 정보는 GCP_RESOURCE_MANAGER_CONTEXT 수집 라벨이 있는 파서에 적용됩니다.
Google Security Operations에서 지원하는 다른 컨텍스트 파서에 대한 자세한 내용은 Google Security Operations 컨텍스트 파서를 참조하세요.
필드 매핑 참조
다음 표에서는 Google Security Operations 파서가 Resource Manager 컨텍스트 로그 필드를 Google Security Operations 통합 데이터 모델(UDM) 필드에 매핑하는 방법을 설명합니다.
| Log field | UDM mapping | Logic |
|---|---|---|
resource.data.tagValueNamespacedName |
entity.namespace |
|
resource.data.namespacedName |
entity.namespace |
|
resource.data.createTime |
entity.resource.attribute.creation_time |
|
resource.data.updateTime |
entity.resource.attribute.last_update_time |
|
name |
entity.resource.name |
|
resource.data.name |
entity.resource.name |
|
resource.data.displayName |
entity.resource.product_object_id |
|
resource.data.projectId |
entity.resource.product_object_id |
|
|
entity.resource.resource_type |
If the assetType matches the regular expression pattern Project, then the entity.resource.resource_type UDM field is set to CLOUD_PROJECT.Else, if the assetType matches the regular expression pattern Organizations, then the entity.resource.resource_type UDM field is set to CLOUD_ORGANIZATION.Else, if the assetType matches the regular expression pattern Folder, then the entity.resource.resource_type UDM field is set to STORAGE_OBJECT.Else, the entity.resource.resource_type UDM field is set to SETTING. |
assetType |
entity.resource.resource_subtype |
|
resource.data.owner.directoryCustomerId |
entity.user.userid |
|
resource.data.directoryCustomerId |
entity.user.userid |
|
resource.data.description |
metadata.description |
|
|
metadata.entity_type |
The metadata.entity_type UDM field is set to RESOURCE. |
|
metadata.product_name |
The metadata.product_name UDM field is set to GCP Resource Manager. |
resource.version |
metadata.product_version |
|
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to Google Cloud Platform. |
|
relations.entity.resource_ancestors.attribute.cloud.environment |
If the ancestors log field value is not empty or the resource.parent log field value is not empty or the resource.data.parent.type log field value is not empty, then the relations.entity.resource_ancestors.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
ancestors |
relations.entity.resource_ancestors.name |
|
resource.data.parent.id |
relations.entity.resource_ancestors.product_object_id |
|
|
relations.entity.resource_ancestors.resource_type |
If the ancestors matches the regular expression pattern organizations, then the relations.entity.resource_ancestors.resource_type UDM field is set to CLOUD_ORGANIZATION.Else, if the ancestors matches the regular expression pattern projects, then the relations.entity.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT.Else, if the ancestors matches the regular expression pattern folder, then the relations.entity.resource_ancestors.resource_type UDM field is set to STORAGE_OBJECT. |
resource.data.parent.type |
relations.entity.resource_ancestors.resource_type |
If the resource.data.parent.type matches the regular expression pattern project, then the relations.entity.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT.Else, if the resource.data.parent.type matches the regular expression pattern folder, then the relations.entity.resource_ancestors.resource_type UDM field is set to STORAGE_OBJECT.Else, if the resource.data.parent.type matches the regular expression pattern organization, then the relations.entity.resource_ancestors.resource_type UDM field is set to CLOUD_ORGANIZATION.Else, if the resource.data.parent.type log field value is not empty, then the relations.entity.resource_ancestors.resource_type UDM field is set to SETTING. |
|
relations.entity.resource_ancestors.resource_subtype |
If the ancestors matches the regular expression pattern organizations, then the relations.entity.resource_ancestors.resource_subtype UDM field is set to organizations.Else, if the ancestors matches the regular expression pattern projects, then the relations.entity.resource_ancestors.resource_subtype UDM field is set to projects.Else, if the ancestors matches the regular expression pattern folder, then the relations.entity.resource_ancestors.resource_subtype UDM field is set to folders. |
resource.data.parent.type |
relations.entity.resource_ancestors.resource_subtype |
|
|
entity.resource.attribute.cloud.environment |
The entity.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
|
relations.entity_type |
The relations.entity_type UDM field is set to RESOURCE. |
|
relations.relationship |
The relations.relationship UDM field is set to MEMBER. |
|
relations.direction |
The relations.direction UDM field is set to UNIDIRECTIONAL. |
resource.parent |
relations.entity.resource.name |
|
resource.data.parent |
relations.entity.resource.name |
|
resource.data.labels |
entity.resource.attribute.labels.key/value |
|
resource.data.purposeData |
entity.resource.attribute.labels.key/value |
|
resource.discoveryDocumentUri |
entity.resource.attribute.labels[discovery_document] |
|
resource.discoveryName |
entity.resource.attribute.labels[discovery_name] |
|
resource.data.purpose |
entity.resource.attribute.labels[purpose] |
|
resource.data.deleteTime |
entity.resource.attribute.last_update_time |
|
resource.data.etag |
entity.resource.attribute.labels[resource_etag] |
|
resource.data.projectNumber |
entity.resource.attribute.labels[resource_project_number] |
|
resource.data.lifecycleState |
entity.resource.attribute.labels[resource_state] |
|
resource.data.state |
entity.resource.attribute.labels[resource_state] |
|
resource.data.tagValue |
entity.resource.attribute.labels[resource_tag_value] |
|
resource.data.shortName |
entity.resource.attribute.labels[short_name] |