Kontextlogs von Resource Manager
In diesem Dokument wird beschrieben, wie Felder von Resource Manager-Kontextlogs Felder für das einheitliche Datenmodell von Google Security Operations (UDM)
Ein Aufnahmelabel gibt den Parser an, der Logrohdaten normalisiert
in das strukturierte UDM-Format. Die Informationen in diesem Dokument gelten für den Parser
mit dem Aufnahmelabel GCP_RESOURCE_MANAGER_CONTEXT.
Informationen zu anderen Kontextparsern, die von Google Security Operations unterstützt werden, finden Sie unter Google Security Operations-Kontextparser.
Referenz für die Feldzuordnung
In der folgenden Tabelle wird erläutert, wie der Google Security Operations-Parser die Felder der Kontextprotokolle von Resource Manager den Feldern des Google Security Operations Unified Data Model (UDM) zuordnet.
| Log field | UDM mapping | Logic |
|---|---|---|
resource.data.tagValueNamespacedName |
entity.namespace |
|
resource.data.namespacedName |
entity.namespace |
|
resource.data.createTime |
entity.resource.attribute.creation_time |
|
resource.data.updateTime |
entity.resource.attribute.last_update_time |
|
name |
entity.resource.name |
|
resource.data.name |
entity.resource.name |
|
resource.data.displayName |
entity.resource.product_object_id |
|
resource.data.projectId |
entity.resource.product_object_id |
|
|
entity.resource.resource_type |
If the assetType matches the regular expression pattern Project, then the entity.resource.resource_type UDM field is set to CLOUD_PROJECT.Else, if the assetType matches the regular expression pattern Organizations, then the entity.resource.resource_type UDM field is set to CLOUD_ORGANIZATION.Else, if the assetType matches the regular expression pattern Folder, then the entity.resource.resource_type UDM field is set to STORAGE_OBJECT.Else, the entity.resource.resource_type UDM field is set to SETTING. |
assetType |
entity.resource.resource_subtype |
|
resource.data.owner.directoryCustomerId |
entity.user.userid |
|
resource.data.directoryCustomerId |
entity.user.userid |
|
resource.data.description |
metadata.description |
|
|
metadata.entity_type |
The metadata.entity_type UDM field is set to RESOURCE. |
|
metadata.product_name |
The metadata.product_name UDM field is set to GCP Resource Manager. |
resource.version |
metadata.product_version |
|
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to Google Cloud Platform. |
|
relations.entity.resource_ancestors.attribute.cloud.environment |
If the ancestors log field value is not empty or the resource.parent log field value is not empty or the resource.data.parent.type log field value is not empty, then the relations.entity.resource_ancestors.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
ancestors |
relations.entity.resource_ancestors.name |
|
resource.data.parent.id |
relations.entity.resource_ancestors.product_object_id |
|
|
relations.entity.resource_ancestors.resource_type |
If the ancestors matches the regular expression pattern organizations, then the relations.entity.resource_ancestors.resource_type UDM field is set to CLOUD_ORGANIZATION.Else, if the ancestors matches the regular expression pattern projects, then the relations.entity.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT.Else, if the ancestors matches the regular expression pattern folder, then the relations.entity.resource_ancestors.resource_type UDM field is set to STORAGE_OBJECT. |
resource.data.parent.type |
relations.entity.resource_ancestors.resource_type |
If the resource.data.parent.type matches the regular expression pattern project, then the relations.entity.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT.Else, if the resource.data.parent.type matches the regular expression pattern folder, then the relations.entity.resource_ancestors.resource_type UDM field is set to STORAGE_OBJECT.Else, if the resource.data.parent.type matches the regular expression pattern organization, then the relations.entity.resource_ancestors.resource_type UDM field is set to CLOUD_ORGANIZATION.Else, if the resource.data.parent.type log field value is not empty, then the relations.entity.resource_ancestors.resource_type UDM field is set to SETTING. |
|
relations.entity.resource_ancestors.resource_subtype |
If the ancestors matches the regular expression pattern organizations, then the relations.entity.resource_ancestors.resource_subtype UDM field is set to organizations.Else, if the ancestors matches the regular expression pattern projects, then the relations.entity.resource_ancestors.resource_subtype UDM field is set to projects.Else, if the ancestors matches the regular expression pattern folder, then the relations.entity.resource_ancestors.resource_subtype UDM field is set to folders. |
resource.data.parent.type |
relations.entity.resource_ancestors.resource_subtype |
|
|
entity.resource.attribute.cloud.environment |
The entity.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
|
relations.entity_type |
The relations.entity_type UDM field is set to RESOURCE. |
|
relations.relationship |
The relations.relationship UDM field is set to MEMBER. |
|
relations.direction |
The relations.direction UDM field is set to UNIDIRECTIONAL. |
resource.parent |
relations.entity.resource.name |
|
resource.data.parent |
relations.entity.resource.name |
|
resource.data.labels |
entity.resource.attribute.labels.key/value |
|
resource.data.purposeData |
entity.resource.attribute.labels.key/value |
|
resource.discoveryDocumentUri |
entity.resource.attribute.labels[discovery_document] |
|
resource.discoveryName |
entity.resource.attribute.labels[discovery_name] |
|
resource.data.purpose |
entity.resource.attribute.labels[purpose] |
|
resource.data.deleteTime |
entity.resource.attribute.last_update_time |
|
resource.data.etag |
entity.resource.attribute.labels[resource_etag] |
|
resource.data.projectNumber |
entity.resource.attribute.labels[resource_project_number] |
|
resource.data.lifecycleState |
entity.resource.attribute.labels[resource_state] |
|
resource.data.state |
entity.resource.attribute.labels[resource_state] |
|
resource.data.tagValue |
entity.resource.attribute.labels[resource_tag_value] |
|
resource.data.shortName |
entity.resource.attribute.labels[short_name] |