收集 Duo 活动日志

支持的平台:

本文档介绍了如何通过将以 Python 编写的提取脚本部署为 Cloud Run 函数来导出 Duo 活动日志并将其提取到 Google 安全运营中心,以及日志字段如何映射到 Google SecOps 统一数据模型 (UDM) 字段。

如需了解详情,请参阅将数据提取到 Google SecOps 概览

典型的部署包括 Duo 活动记录和作为 Cloud Run 函数部署的提取脚本,用于将日志发送到 Google SecOps。每个客户部署都可能不同,并且可能更复杂。

该部署包含以下组件:

  • Duo 活动:您从中收集日志的平台。

  • Cloud Run 函数:作为 Cloud Run 函数部署的提取脚本,用于从 Duo 活动中提取日志并将其提取到 Google SecOps。

  • Google SecOps:保留和分析日志。

注意:注入标签标识将原始日志数据标准化为结构化 UDM 格式的解析器。本文档中的信息适用于具有 DUO_ACTIVITY 注入标签的解析器。

准备工作

  • 确保您有权访问 Duo 管理控制台。
  • 确保您使用的是 Duo Admin API 2 版或更高版本。

配置 Duo 活动

  1. 以管理员身份登录 Duo 管理控制台。如需了解详情,请参阅 Duo 管理控制台概览
  2. 依次点击应用 > 保护应用
  3. 在“应用”列表中,依次点击“Admin API”> Protect,获取集成密钥、密钥和 API 主机名。
  4. 选择要授予 Admin API 应用的所需权限。如需详细了解相应操作所需的权限,请参阅 Duo Admin API

为 Google SecOps 配置日志注入

  1. 创建一个部署目录来存储 Cloud Run 函数的文件。此目录将包含部署所需的所有文件。
  2. 将 Google SecOps GitHub 代码库中 Duo Activity 的 GitHub 子目录中的所有文件复制到此部署目录。
  3. 将 common 文件夹及其所有内容复制到部署目录。
  4. 修改 .env.yml 文件以添加所有必需的环境变量。
  5. 在 Secret Manager 中配置标记为Secret 的环境变量。如需详细了解如何创建 Secret,请参阅创建和访问 Secret
  6. 将 Secret 的资源名称用作环境变量的值。
  7. CHRONICLE_NAMESPACE 环境变量中输入值 DUO_ACTIVITY
  8. 源代码字段中,选择 ZIP 文件上传
  9. 目标存储分区字段中,点击浏览,以选择要在部署期间将源代码上传到的 Cloud Storage 存储分区。
  10. ZIP 文件字段中,点击浏览,以选择要从本地文件系统上传的 ZIP 文件。函数源文件必须位于 ZIP 文件的根目录下。
  11. 点击部署

如需了解详情,请参阅使用部署为 Cloud Run 函数的提取脚本

字段映射参考文档

字段映射参考信息:事件标识符到事件类型

下表列出了 DUO_ACTIVITY 日志类型及其对应的 UDM 事件类型。
Event Identifier Event Type Security Category
admin_activate_duo_push DEVICE_PROGRAM_DOWNLOAD
admin_factor_restrictions RESOURCE_PERMISSIONS_CHANGE
admin_login USER_UNCATEGORIZED
admin_rectivates_duo_push DEVICE_PROGRAM_DOWNLOAD
admin_reset_password USER_CHANGE_PASSWORD
admin_send_reset_password_email EMAIL_TRANSACTION
bypass_create RESOURCE_CREATION
bypass_delete RESOURCE_DELETION
bypass_view RESOURCE_READ
deregister_devices USER_RESOURCE_DELETION
device_change_enrollment_summary_notification_answered USER_COMMUNICATION
device_change_enrollment_summary_notification_answered_notify_admin USER_COMMUNICATION
device_change_enrollment_summary_notification_send USER_COMMUNICATION
device_change_notification_answered USER_COMMUNICATION
device_change_notification_answered_notify_admin USER_COMMUNICATION
device_change_notification_create RESOURCE_CREATION
device_change_notification_send USER_COMMUNICATION
group_create GROUP_CREATION
group_delete GROUP_DELETION
group_update GROUP_MODIFICATION
hardtoken_create RESOURCE_CREATION
hardtoken_delete RESOURCE_DELETION
hardtoken_resync RESOURCE_WRITTEN
hardtoken_update RESOURCE_WRITTEN
integration_create RESOURCE_CREATION
integration_delete RESOURCE_DELETION
integration_group_policy_add GROUP_UNCATEGORIZED
integration_group_policy_remove GROUP_UNCATEGORIZED
integration_policy_assign USER_UNCATEGORIZED
integration_policy_unassign USER_UNCATEGORIZED
integration_skey_bulk_view RESOURCE_READ
integration_skey_view RESOURCE_READ
integration_update RESOURCE_WRITTEN
log_export_start USER_UNCATEGORIZED
log_export_complete USER_UNCATEGORIZED
log_export_failure USER_UNCATEGORIZED
management_system_activate_device_cache DEVICE_CONFIG_UPDATE
management_system_active_device_cache_add_devices RESOURCE_CREATION
management_system_active_device_cache_delete_devices RESOURCE_DELETION
management_system_active_device_cache_edit_devices RESOURCE_WRITTEN
management_system_add_devices RESOURCE_CREATION
management_system_create RESOURCE_CREATION
management_system_delete RESOURCE_DELETION
management_system_delete_devices RESOURCE_DELETION
management_system_device_cache_add_devices RESOURCE_CREATION
management_system_device_cache_create RESOURCE_CREATION
management_system_device_cache_delete RESOURCE_DELETION
management_system_device_cache_delete_devices RESOURCE_DELETION
management_system_download_device_api_script DEVICE_PROGRAM_DOWNLOAD
management_system_pkcs12_enrollment RESOURCE_CREATION
management_system_sync_failure USER_UNCATEGORIZED
management_system_sync_success USER_UNCATEGORIZED
management_system_update USER_UNCATEGORIZED
management_system_view_password RESOURCE_READ
management_system_view_token RESOURCE_READ
phone_activation_code_regenerated RESOURCE_CREATION
phone_associate RESOURCE_CREATION
phone_create RESOURCE_CREATION
phone_delete RESOURCE_DELETION
phone_disassociate RESOURCE_DELETION
phone_new_sms_passcode RESOURCE_CREATION
phone_update RESOURCE_WRITTEN
policy_create RESOURCE_CREATION
policy_delete RESOURCE_DELETION
policy_update RESOURCE_WRITTEN
u2ftoken_create RESOURCE_CREATION
u2ftoken_delete RESOURCE_DELETION
user_not_enrolled_lockout USER_CHANGE_PERMISSIONS
user_adminapi_lockout USER_CHANGE_PERMISSIONS
user_lockout_cleared USER_CHANGE_PERMISSIONS
webauthncredential_create RESOURCE_CREATION
webauthncredential_delete RESOURCE_DELETION
webauthncredential_rename RESOURCE_WRITTEN

字段映射参考:DUO_ACTIVITY

下表列出了 DUO_ACTIVITY 日志类型的日志字段及其对应的 UDM 字段。

Log field UDM mapping Logic
principal.platform If the access_device.os log field value matches the regular expression pattern (?i)Win, then the principal.platform UDM field is set to WINDOWS.

Else, if the access_device.os log field value matches the regular expression pattern (?i)Lin, then the principal.platform UDM field is set to LINUX.

Else, if the access_device.os log field value matches the regular expression pattern (?i)Mac, then the principal.platform UDM field is set to MAC.

Else, if the access_device.os log field value matches the regular expression pattern (?i)ios, then the principal.platform UDM field is set to IOS.

Else, if the access_device.os log field value matches the regular expression pattern (?i)Chrome, then the principal.platform UDM field is set to CHROME_OS.

Else, if the access_device.os log field value matches the regular expression pattern (?i)Android, then the principal.platform UDM field is set to ANDROID.

Else, the principal.platform UDM field is set to UNKNOWN_PLATFORM.
access_device.os_version principal.platform_version
access_device.ip.address principal.ip
access_device.location.country principal.location.country_or_region
access_device.location.state principal.location.state
access_device.location.city principal.location.city
access_device.browser principal.asset.attribute.labels[access_device_browser]
access_device.browser_version principal.asset.attribute.labels[access_device_browser_version]
ts metadata.event_timestamp
activity_id metadata.product_log_id
akey principal.asset.product_object_id
outcome.result security_result.action_details
application.key principal.resource.product_object_id
application.name principal.application
application.type principal.resource.resource_subtype
action.details principal.user.attribute.labels[action_details]
action.name metadata.product_event_type
actor.key principal.user.userid
actor.name principal.user.user_display_name
actor.type principal.user.attribute.labels[actor_type]
target.key target.asset.attribute.labels[target_key]
target.name target.asset.hostname
target.type target.asset.category
target.details target.user.attribute.labels[target_details]
old_target.key about.asset.attribute.labels[old_target_key]
old_target.name about.asset.hostname
old_target.type about.asset.category
old_target.details about.user.attribute.labels[old_target_details]
actor.details.created principal.user.first_seen_time
actor.details.last_login principal.user.last_login_time
actor.details.status principal.user.attribute.labels[status]
actor.details.email principal.user.email_addresses
actor.details.group.key principal.user.attribute.labels[actor_details_group_key]
actor.details.group.name principal.user.attribute.labels[actor_details_group_name]

后续步骤

需要更多帮助?向社区成员和 Google SecOps 专业人士寻求解答。