收集 Duo 活动日志
支持的平台:
Google SecOps
SIEM
本文档介绍了如何通过将以 Python 编写的注入脚本部署为 Cloud Run 函数来导出 Duo 活动日志并将其注入到 Google Security Operations,以及日志字段如何映射到 Google Security Operations 的 Unified Data Model (UDM) 字段。
如需了解详情,请参阅将数据提取到 Google 安全运营中心概览。
典型的部署包括 Duo 活动记录和作为 Cloud Run 函数部署的提取脚本,用于将日志发送到 Google Security Operations。每个客户部署都可能不同,并且可能更复杂。
该部署包含以下组件:
Duo 活动:您从中收集日志的平台。
Cloud Run 函数:作为 Cloud Run 函数部署的注入脚本,用于从 Duo 活动中注入日志并将其注入到 Google 安全运营。
Google Security Operations:保留和分析日志。
注入标签标识将原始日志数据标准化为结构化 UDM 格式的解析器。本文档中的信息适用于具有 DUO_ACTIVITY 注入标签的解析器。
准备工作
- 确保您有权访问 Duo 管理控制台。
- 确保您使用的是 Duo Admin API 2 版或更高版本。
配置 Duo 活动
- 以管理员身份登录 Duo 管理控制台。
- 依次点击应用 > 保护应用。
- 在“应用”列表中,依次点击“Admin API”> Protect,获取集成密钥、密钥和 API 主机名。
为 Google Security Operations 配置日志提取
- 创建一个部署目录来存储 Cloud Run 函数的文件。其中包含部署所需的所有文件。
- 将 Google 安全运营 GitHub 代码库中 Duo Activity 的 GitHub 子目录中的所有文件复制到此部署目录。
- 将 common 文件夹及其所有内容复制到部署目录。
- 修改
.env.yml文件以添加所有必需的环境变量。 - 在 Secret Manager 中配置标记为密钥的环境变量。如需详细了解如何创建 Secret,请参阅创建和访问 Secret。
- 将 Secret 的资源名称用作环境变量的值。
- 在 CHRONICLE_NAMESPACE 环境变量中输入值
DUO_ACTIVITY。 - 在源代码字段中,选择 ZIP 文件上传。
- 在目标存储桶字段中,点击浏览,以选择要在部署期间将源代码上传到的 Cloud Storage 存储桶。
- 在 ZIP 文件字段中,点击浏览,以选择要从本地文件系统上传的 ZIP 文件。函数源文件必须位于 ZIP 文件的根目录下。
- 点击部署。
如需了解详情,请参阅使用部署为 Cloud Run 函数的提取脚本。
字段映射参考文档
字段映射参考信息:事件标识符到事件类型
下表列出了DUO_ACTIVITY 日志类型及其对应的 UDM 事件类型。
| Event Identifier | Event Type | Security Category |
|---|---|---|
admin_activate_duo_push |
DEVICE_PROGRAM_DOWNLOAD |
|
admin_factor_restrictions |
RESOURCE_PERMISSIONS_CHANGE |
|
admin_login |
USER_UNCATEGORIZED |
|
admin_rectivates_duo_push |
DEVICE_PROGRAM_DOWNLOAD |
|
admin_reset_password |
USER_CHANGE_PASSWORD |
|
admin_send_reset_password_email |
EMAIL_TRANSACTION |
|
bypass_create |
RESOURCE_CREATION |
|
bypass_delete |
RESOURCE_DELETION |
|
bypass_view |
RESOURCE_READ |
|
deregister_devices |
USER_RESOURCE_DELETION |
|
device_change_enrollment_summary_notification_answered |
USER_COMMUNICATION |
|
device_change_enrollment_summary_notification_answered_notify_admin |
USER_COMMUNICATION |
|
device_change_enrollment_summary_notification_send |
USER_COMMUNICATION |
|
device_change_notification_answered |
USER_COMMUNICATION |
|
device_change_notification_answered_notify_admin |
USER_COMMUNICATION |
|
device_change_notification_create |
RESOURCE_CREATION |
|
device_change_notification_send |
USER_COMMUNICATION |
|
group_create |
GROUP_CREATION |
|
group_delete |
GROUP_DELETION |
|
group_update |
GROUP_MODIFICATION |
|
hardtoken_create |
RESOURCE_CREATION |
|
hardtoken_delete |
RESOURCE_DELETION |
|
hardtoken_resync |
RESOURCE_WRITTEN |
|
hardtoken_update |
RESOURCE_WRITTEN |
|
integration_create |
RESOURCE_CREATION |
|
integration_delete |
RESOURCE_DELETION |
|
integration_group_policy_add |
GROUP_UNCATEGORIZED |
|
integration_group_policy_remove |
GROUP_UNCATEGORIZED |
|
integration_policy_assign |
USER_UNCATEGORIZED |
|
integration_policy_unassign |
USER_UNCATEGORIZED |
|
integration_skey_bulk_view |
RESOURCE_READ |
|
integration_skey_view |
RESOURCE_READ |
|
integration_update |
RESOURCE_WRITTEN |
|
log_export_start |
USER_UNCATEGORIZED |
|
log_export_complete |
USER_UNCATEGORIZED |
|
log_export_failure |
USER_UNCATEGORIZED |
|
management_system_activate_device_cache |
DEVICE_CONFIG_UPDATE |
|
management_system_active_device_cache_add_devices |
RESOURCE_CREATION |
|
management_system_active_device_cache_delete_devices |
RESOURCE_DELETION |
|
management_system_active_device_cache_edit_devices |
RESOURCE_WRITTEN |
|
management_system_add_devices |
RESOURCE_CREATION |
|
management_system_create |
RESOURCE_CREATION |
|
management_system_delete |
RESOURCE_DELETION |
|
management_system_delete_devices |
RESOURCE_DELETION |
|
management_system_device_cache_add_devices |
RESOURCE_CREATION |
|
management_system_device_cache_create |
RESOURCE_CREATION |
|
management_system_device_cache_delete |
RESOURCE_DELETION |
|
management_system_device_cache_delete_devices |
RESOURCE_DELETION |
|
management_system_download_device_api_script |
DEVICE_PROGRAM_DOWNLOAD |
|
management_system_pkcs12_enrollment |
RESOURCE_CREATION |
|
management_system_sync_failure |
USER_UNCATEGORIZED |
|
management_system_sync_success |
USER_UNCATEGORIZED |
|
management_system_update |
USER_UNCATEGORIZED |
|
management_system_view_password |
RESOURCE_READ |
|
management_system_view_token |
RESOURCE_READ |
|
phone_activation_code_regenerated |
RESOURCE_CREATION |
|
phone_associate |
RESOURCE_CREATION |
|
phone_create |
RESOURCE_CREATION |
|
phone_delete |
RESOURCE_DELETION |
|
phone_disassociate |
RESOURCE_DELETION |
|
phone_new_sms_passcode |
RESOURCE_CREATION |
|
phone_update |
RESOURCE_WRITTEN |
|
policy_create |
RESOURCE_CREATION |
|
policy_delete |
RESOURCE_DELETION |
|
policy_update |
RESOURCE_WRITTEN |
|
u2ftoken_create |
RESOURCE_CREATION |
|
u2ftoken_delete |
RESOURCE_DELETION |
|
user_not_enrolled_lockout |
USER_CHANGE_PERMISSIONS |
|
user_adminapi_lockout |
USER_CHANGE_PERMISSIONS |
|
user_lockout_cleared |
USER_CHANGE_PERMISSIONS |
|
webauthncredential_create |
RESOURCE_CREATION |
|
webauthncredential_delete |
RESOURCE_DELETION |
|
webauthncredential_rename |
RESOURCE_WRITTEN |
|
字段映射参考:DUO_ACTIVITY
下表列出了 DUO_ACTIVITY 日志类型的日志字段及其对应的 UDM 字段。
| Log field | UDM mapping | Logic |
|---|---|---|
|
principal.platform |
If the access_device.os log field value matches the regular expression pattern (?i)Win, then the principal.platform UDM field is set to WINDOWS.Else, if the access_device.os log field value matches the regular expression pattern (?i)Lin, then the principal.platform UDM field is set to LINUX.Else, if the access_device.os log field value matches the regular expression pattern (?i)Mac, then the principal.platform UDM field is set to MAC.Else, if the access_device.os log field value matches the regular expression pattern (?i)ios, then the principal.platform UDM field is set to IOS.Else, if the access_device.os log field value matches the regular expression pattern (?i)Chrome, then the principal.platform UDM field is set to CHROME_OS.Else, if the access_device.os log field value matches the regular expression pattern (?i)Android, then the principal.platform UDM field is set to ANDROID.Else, the principal.platform UDM field is set to UNKNOWN_PLATFORM. |
access_device.os_version |
principal.platform_version |
|
access_device.ip.address |
principal.ip |
|
access_device.location.country |
principal.location.country_or_region |
|
access_device.location.state |
principal.location.state |
|
access_device.location.city |
principal.location.city |
|
access_device.browser |
principal.asset.attribute.labels[access_device_browser] |
|
access_device.browser_version |
principal.asset.attribute.labels[access_device_browser_version] |
|
ts |
metadata.event_timestamp |
|
activity_id |
metadata.product_log_id |
|
akey |
principal.asset.product_object_id |
|
outcome.result |
security_result.action_details |
|
application.key |
principal.resource.product_object_id |
|
application.name |
principal.application |
|
application.type |
principal.resource.resource_subtype |
|
action.details |
principal.user.attribute.labels[action_details] |
|
action.name |
metadata.product_event_type |
|
actor.key |
principal.user.userid |
|
actor.name |
principal.user.user_display_name |
|
actor.type |
principal.user.attribute.labels[actor_type] |
|
target.key |
target.asset.attribute.labels[target_key] |
|
target.name |
target.asset.hostname |
|
target.type |
target.asset.category |
|
target.details |
target.user.attribute.labels[target_details] |
|
old_target.key |
about.asset.attribute.labels[old_target_key] |
|
old_target.name |
about.asset.hostname |
|
old_target.type |
about.asset.category |
|
old_target.details |
about.user.attribute.labels[old_target_details] |
|
actor.details.created |
principal.user.first_seen_time |
|
actor.details.last_login |
principal.user.last_login_time |
|
actor.details.status |
principal.user.attribute.labels[status] |
|
actor.details.email |
principal.user.email_addresses |
|
actor.details.group.key |
principal.user.attribute.labels[actor_details_group_key] |
|
actor.details.group.name |
principal.user.attribute.labels[actor_details_group_name] |