이 가이드에서는 Cloud Storage를 사용하여 Google Cloud IoT 로그를 Google Security Operations로 내보내는 방법을 설명합니다. 파서는 JSON 형식 로그에서 필드를 추출한 다음 이러한 필드를 Google SecOps UDM 스키마의 해당 필드에 매핑하여 궁극적으로 원시 로그 데이터를 보안 분석에 적합한 구조화된 형식으로 변환합니다.
스토리지 버킷 URI:gs://my-bucket/<value> 형식의 Google Cloud 스토리지 버킷 URL입니다.
소스 삭제 옵션: 환경설정에 따라 삭제 옵션을 선택합니다.
최대 파일 기간: 지난 일수 동안 수정된 파일을 포함합니다. 기본값은 180일입니다.
다음을 클릭합니다.
확정 화면에서 새 피드 구성을 검토한 다음 제출을 클릭합니다.
UDM 매핑 테이블
로그 필드
UDM 매핑
논리
insertId
metadata.product_log_id
insertId 필드에서 직접 매핑됩니다.
jsonPayload.eventType
metadata.product_event_type
jsonPayload.eventType 필드에서 직접 매핑됩니다.
jsonPayload.protocol
network.application_protocol
jsonPayload.protocol 필드에서 직접 매핑됩니다.
jsonPayload.serviceName
target.application
jsonPayload.serviceName 필드에서 직접 매핑됩니다.
jsonPayload.status.description
metadata.description
jsonPayload.status.description 필드에서 직접 매핑됩니다.
jsonPayload.status.message
security_result.description
jsonPayload.status.message 필드에서 직접 매핑됩니다.
labels.device_id
principal.asset_id
값은 labels.device_id 필드의 값과 연결된 Device ID:로 설정됩니다.
receiveTimestamp
metadata.event_timestamp
receiveTimestamp 필드에서 파싱되며 events.timestamp 및 metadata.event_timestamp를 모두 채우는 데 사용됩니다.
resource.labels.device_num_id
target.resource.product_object_id
resource.labels.device_num_id 필드에서 직접 매핑됩니다.
resource.labels.location
target.location.name
resource.labels.location 필드에서 직접 매핑됩니다.
resource.labels.project_id
target.resource.name
resource.labels.project_id 필드에서 직접 매핑됩니다.
resource.type
target.resource.resource_subtype
resource.type 필드에서 직접 매핑됩니다.
줄이는 것을
security_result.severity
다음 논리에 따라 severity 필드에서 매핑됩니다. - severity이 DEFAULT, DEBUG, INFO 또는 NOTICE인 경우 security_result.severity이 INFORMATIONAL로 설정됩니다. - severity이 WARNING 또는 ERROR인 경우 security_result.severity이 MEDIUM로 설정됩니다. - severity이 CRITICAL, ALERT 또는 EMERGENCY인 경우 security_result.severity이 HIGH로 설정됩니다.
[[["이해하기 쉬움","easyToUnderstand","thumb-up"],["문제가 해결됨","solvedMyProblem","thumb-up"],["기타","otherUp","thumb-up"]],[["이해하기 어려움","hardToUnderstand","thumb-down"],["잘못된 정보 또는 샘플 코드","incorrectInformationOrSampleCode","thumb-down"],["필요한 정보/샘플이 없음","missingTheInformationSamplesINeed","thumb-down"],["번역 문제","translationIssue","thumb-down"],["기타","otherDown","thumb-down"]],["최종 업데이트: 2025-09-04(UTC)"],[[["\u003cp\u003eThis guide details how to export Cloud IoT logs to Google Security Operations (SecOps) by using Cloud Storage, enabling security analysis through structured log data.\u003c/p\u003e\n"],["\u003cp\u003eThe process involves creating a Google Cloud Storage bucket, configuring log export in Cloud IoT, and setting up a feed in Google SecOps to ingest the logs.\u003c/p\u003e\n"],["\u003cp\u003eBefore beginning, users must have a Google SecOps instance, active Cloud IoT setup, and privileged access to Google Cloud.\u003c/p\u003e\n"],["\u003cp\u003eCloud IoT log fields are extracted and mapped to corresponding fields in the Google SecOps Unified Data Model (UDM) schema for structured security analysis.\u003c/p\u003e\n"],["\u003cp\u003eThe feature to collect cloud IoT logs is supported in Google SecOps and is covered under the Pre-GA Offerings Terms, which may have limited support and could change.\u003c/p\u003e\n"]]],[],null,["# Collect Google Cloud IoT logs\n=============================\n\nSupported in: \nGoogle secops [SIEM](/chronicle/docs/secops/google-secops-siem-toc)\n| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).\n\nThis guide explains how to export Google Cloud IoT logs to Google Security Operations using Cloud Storage. The parser extracts fields from JSON-formatted logs and then maps those fields to the corresponding fields in the Google SecOps UDM schema, ultimately transforming raw log data into a structured format suitable for security analysis.\n\nBefore You Begin\n----------------\n\nEnsure that you have the following prerequisites:\n\n- Google SecOps instance.\n- IoT is set up and active in your Google Cloud environment.\n- Privileged access to Google Cloud.\n\nCreate a Google Cloud Storage Bucket\n------------------------------------\n\n1. Sign in to the [Google Cloud console](https://console.cloud.google.com/).\n2. Go to the **Cloud Storage Buckets** page.\n\n [Go to Buckets](https://console.cloud.google.com/storage/browser)\n3. Click **Create**.\n\n4. On the **Create a bucket** page, enter your bucket information. After each of the following steps, click **Continue** to proceed to the next step:\n\n 1. In the **Get started** section, do the following:\n\n 1. Enter a unique name that meets the bucket name requirements; for example, **cloudiot-logs**.\n 2. To enable hierarchical namespace, click the expander arrow to expand the **Optimize for file oriented and data-intensive workloads** section, and then select **Enable Hierarchical namespace on this bucket**.\n\n | **Note:** You cannot enable hierarchical namespace in an existing bucket.\n 3. To add a bucket label, click the expander arrow to expand the **Labels** section.\n\n 4. Click **Add label**, and specify a key and a value for your label.\n\n 2. In the **Choose where to store your data** section, do the following:\n\n 1. Select a **Location type**.\n 2. Use the location type menu to select a **Location** where object data within your bucket will be permanently stored.\n\n | **Note:** If you select the **dual-region** location type, you can also choose to enable **turbo replication** by using the relevant checkbox.\n 3. To set up cross-bucket replication, expand the **Set up cross-bucket replication** section.\n\n 3. In the **Choose a storage class for your data** section, either select a **default storage class** for the bucket, or select **Autoclass** for automatic storage class management of your bucket's data.\n\n 4. In the **Choose how to control access to objects** section, select **not** to enforce **public access prevention** , and select an **access control model** for your bucket's objects.\n\n | **Note:** If public access prevention is already enforced by your project's organization policy, the **Prevent public access** checkbox is locked.\n 5. In the **Choose how to protect object data** section, do the following:\n\n 1. Select any of the options under **Data protection** that you want to set for your bucket.\n 2. To choose how your object data will be encrypted, click the expander arrow labeled **Data encryption** , and select a **Data encryption method**.\n5. Click **Create**.\n\n| **Note:** Be sure to provide your Google SecOps Service Account with permissions to **Read** or **Read \\& Write** to the newly created bucket.\n\nConfigure Log Export in Google Cloud IoT\n----------------------------------------\n\n1. Sign in to **Google Cloud** account using your privileged account.\n2. Search and select **Logging** in the search bar.\n3. In **Log Explorer** , filter the logs by choosing **Cloud IoT Core** and click **Apply**.\n4. Click **More Actions**.\n5. Click **Create Sink**.\n6. Provide the following configurations:\n 1. **Sink Details**: enter a name and description.\n 2. Click **Next**.\n 3. **Sink Destination** : select **Cloud Storage Bucket**.\n 4. **Cloud Storage Bucket**: select the bucket created earlier or create a new bucket.\n 5. Click **Next**.\n 6. **Choose Logs to include in Sink**: a default log is populated when you select an option in Cloud Storage Bucket.\n 7. Click **Next**.\n 8. Optional: **Choose Logs to filter out of Sink**: select the logs that you would like not to sink.\n7. Click **Create Sink**.\n\n8. In the **GCP console** , go to **Logging \\\u003e Log Router**.\n\n9. Click **Create Sink**.\n\nSet up feeds\n------------\n\nTo configure a feed, follow these steps:\n\n1. Go to **SIEM Settings** \\\u003e **Feeds**.\n2. Click **Add New Feed**.\n3. On the next page, click **Configure a single feed**.\n4. In the **Feed name** field, enter a name for the feed; for example, **GCP Cloud IoT Logs**.\n5. Select **Google Cloud Storage V2** as the **Source type**.\n6. Select **GCP Cloud IoT** as the **Log type**.\n7. Click **Get Service Account** as the **Chronicle Service Account**.\n8. Click **Next**.\n9. Specify values for the following input parameters:\n\n - **Storage Bucket URI** : Google Cloud storage bucket URL in **`gs://my-bucket/\u003cvalue\u003e`** format.\n - **Source deletion options**: select deletion option according to your preference.\n\n | **Note:** If you select the `Delete transferred files` or `Delete transferred files and empty directories` option, make sure that you granted appropriate permissions to the service account.\n - **Maximum File Age**: Includes files modified in the last number of days. Default is 180 days\n\n10. Click **Next**.\n\n11. Review your new feed configuration in the **Finalize** screen, and then click **Submit**.\n\nUDM Mapping Table\n-----------------\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]