Resource Manager 上下文日志
本文档介绍了 Resource Manager 上下文日志字段如何映射到 Google 安全运营统一数据模型 (UDM) 字段。
提取标签用于标识将原始日志数据标准化的解析器
结构化 UDM 格式本文档中的信息适用于解析器
提取值为 GCP_RESOURCE_MANAGER_CONTEXT。
如需了解 Google Security Operations 支持的其他上下文解析器,请参阅 Google Security Operations 上下文解析器。
字段映射参考文档
下表说明了 Google Security Operations 解析器如何将 Resource Manager 上下文日志字段映射到 Google Security Operations 统一数据模型 (UDM) 字段。
| Log field | UDM mapping | Logic |
|---|---|---|
resource.data.tagValueNamespacedName |
entity.namespace |
|
resource.data.namespacedName |
entity.namespace |
|
resource.data.createTime |
entity.resource.attribute.creation_time |
|
resource.data.updateTime |
entity.resource.attribute.last_update_time |
|
name |
entity.resource.name |
|
resource.data.name |
entity.resource.name |
|
resource.data.displayName |
entity.resource.product_object_id |
|
resource.data.projectId |
entity.resource.product_object_id |
|
|
entity.resource.resource_type |
If the assetType matches the regular expression pattern Project, then the entity.resource.resource_type UDM field is set to CLOUD_PROJECT.Else, if the assetType matches the regular expression pattern Organizations, then the entity.resource.resource_type UDM field is set to CLOUD_ORGANIZATION.Else, if the assetType matches the regular expression pattern Folder, then the entity.resource.resource_type UDM field is set to STORAGE_OBJECT.Else, the entity.resource.resource_type UDM field is set to SETTING. |
assetType |
entity.resource.resource_subtype |
|
resource.data.owner.directoryCustomerId |
entity.user.userid |
|
resource.data.directoryCustomerId |
entity.user.userid |
|
resource.data.description |
metadata.description |
|
|
metadata.entity_type |
The metadata.entity_type UDM field is set to RESOURCE. |
|
metadata.product_name |
The metadata.product_name UDM field is set to GCP Resource Manager. |
resource.version |
metadata.product_version |
|
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to Google Cloud Platform. |
|
relations.entity.resource_ancestors.attribute.cloud.environment |
If the ancestors log field value is not empty or the resource.parent log field value is not empty or the resource.data.parent.type log field value is not empty, then the relations.entity.resource_ancestors.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
ancestors |
relations.entity.resource_ancestors.name |
|
resource.data.parent.id |
relations.entity.resource_ancestors.product_object_id |
|
|
relations.entity.resource_ancestors.resource_type |
If the ancestors matches the regular expression pattern organizations, then the relations.entity.resource_ancestors.resource_type UDM field is set to CLOUD_ORGANIZATION.Else, if the ancestors matches the regular expression pattern projects, then the relations.entity.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT.Else, if the ancestors matches the regular expression pattern folder, then the relations.entity.resource_ancestors.resource_type UDM field is set to STORAGE_OBJECT. |
resource.data.parent.type |
relations.entity.resource_ancestors.resource_type |
If the resource.data.parent.type matches the regular expression pattern project, then the relations.entity.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT.Else, if the resource.data.parent.type matches the regular expression pattern folder, then the relations.entity.resource_ancestors.resource_type UDM field is set to STORAGE_OBJECT.Else, if the resource.data.parent.type matches the regular expression pattern organization, then the relations.entity.resource_ancestors.resource_type UDM field is set to CLOUD_ORGANIZATION.Else, if the resource.data.parent.type log field value is not empty, then the relations.entity.resource_ancestors.resource_type UDM field is set to SETTING. |
|
relations.entity.resource_ancestors.resource_subtype |
If the ancestors matches the regular expression pattern organizations, then the relations.entity.resource_ancestors.resource_subtype UDM field is set to organizations.Else, if the ancestors matches the regular expression pattern projects, then the relations.entity.resource_ancestors.resource_subtype UDM field is set to projects.Else, if the ancestors matches the regular expression pattern folder, then the relations.entity.resource_ancestors.resource_subtype UDM field is set to folders. |
resource.data.parent.type |
relations.entity.resource_ancestors.resource_subtype |
|
|
entity.resource.attribute.cloud.environment |
The entity.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
|
relations.entity_type |
The relations.entity_type UDM field is set to RESOURCE. |
|
relations.relationship |
The relations.relationship UDM field is set to MEMBER. |
|
relations.direction |
The relations.direction UDM field is set to UNIDIRECTIONAL. |
resource.parent |
relations.entity.resource.name |
|
resource.data.parent |
relations.entity.resource.name |
|
resource.data.labels |
entity.resource.attribute.labels.key/value |
|
resource.data.purposeData |
entity.resource.attribute.labels.key/value |
|
resource.discoveryDocumentUri |
entity.resource.attribute.labels[discovery_document] |
|
resource.discoveryName |
entity.resource.attribute.labels[discovery_name] |
|
resource.data.purpose |
entity.resource.attribute.labels[purpose] |
|
resource.data.deleteTime |
entity.resource.attribute.last_update_time |
|
resource.data.etag |
entity.resource.attribute.labels[resource_etag] |
|
resource.data.projectNumber |
entity.resource.attribute.labels[resource_project_number] |
|
resource.data.lifecycleState |
entity.resource.attribute.labels[resource_state] |
|
resource.data.state |
entity.resource.attribute.labels[resource_state] |
|
resource.data.tagValue |
entity.resource.attribute.labels[resource_tag_value] |
|
resource.data.shortName |
entity.resource.attribute.labels[short_name] |