Collect Duo Activity logs
Supported in: Google SecOps SIEM
This document explains how to export Duo Activity logs and ingest them into Google Security Operations by deploying the Python ingestion script as a Cloud Run function, and how the log fields map to Google SecOps Unified Data Model (UDM) fields.
For more information, see Data ingestion to Google SecOps overview.
A typical deployment consists of Duo Activity and the ingestion script, deployed as a Cloud Run function, that sends logs to Google SecOps. Each customer deployment can differ from this representation and might be more complex.
The deployment includes the following components:
- Duo Activity: The platform from which you collect logs.
- Cloud Run function: The ingestion script, deployed as a Cloud Run function, that fetches Duo Activity logs and ingests them into Google SecOps.
- Google SecOps: Retains and analyzes the logs.
Note: An ingestion label identifies the parser that normalizes raw log data into structured UDM format. The information in this document applies to the parser with the DUO_ACTIVITY ingestion label.
Before you begin
- Make sure that you have access to the Duo Admin Panel.
- Make sure that you are using Duo Admin API version 2 or later.
Configure Duo Activity
- Sign in to the Duo Admin Panel as an administrator. For more information, see Duo Admin Panel overview.
- Click Applications > Protect an Application.
- In the Applications list, click Admin API > Protect to obtain the integration key, secret key, and API hostname.
- Select the permissions that the Admin API application requires. For the permissions each operation needs, see Duo Admin API. An integration whose only job is log collection should be granted only the log-read permission; do not give it write or administrative permissions it will never use.
Configure log ingestion in Google SecOps
- Create a deployment directory to store the files for the Cloud Run function. This directory will contain all of the files required for the deployment.
- Copy all files from the Duo Activity GitHub subdirectory of the Google SecOps GitHub repository into the deployment directory.
- Copy the common folder and all of its contents into the deployment directory.
- Edit the .env.yml file and add all of the required environment variables.
- Store the environment variables labeled Secret in Secret Manager. For more information about creating secrets, see Create and access a secret.
- Use the resource name of the secret as the value of the environment variable.
- In the CHRONICLE_NAMESPACE environment variable, enter the value DUO_ACTIVITY.
- When you deploy the function, in the Source code field, select ZIP Upload.
- In the Destination bucket field, click Browse and select the Cloud Storage bucket to which the source code is uploaded as part of the deployment.
- In the ZIP file field, click Browse and select the ZIP file to upload from your local file system. The function source files must be at the root of the ZIP file.
- Click Deploy.
For more information, see Use ingestion scripts deployed as Cloud Run functions.
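The ingestion script authenticates to the Duo Admin API with the integration key and secret key obtained above. The following is an added example, not the Google SecOps ingestion script's own code: it signs a request the way Duo's documented API authentication requires (RFC 2822 Date, upper-cased method, lower-cased host, path and sorted parameters joined by newlines, HMAC-SHA1 with the secret key, and the integration key plus signature as HTTP Basic credentials), then pages through the activity log. The endpoint path, the parameter names (mintime, maxtime, limit, next_offset), the response layout and the credentials are assumptions for illustration, and the transport is a constructed stub so the example runs offline.

```python
"""Added example (not the ingestion script's own code): sign Duo Admin API
requests and page through the activity log.  Endpoint path, parameter names,
response layout and credentials are assumptions; transport is stubbed."""
import base64
import hashlib
import hmac
from email.utils import formatdate
from urllib.parse import quote

# Constructed, hypothetical credentials.  In the real deployment these come
# from the Admin API application and are read from Secret Manager, never
# committed in .env.yml or source.
IKEY = "DIXXXXXXXXXXXXXXXXXX"
SKEY = "0000000000000000000000000000000000000000"
HOST = "api-xxxxxxxx.duosecurity.com"
ACTIVITY_PATH = "/admin/v2/logs/activity"  # assumed endpoint path


def canonicalize_params(params):
    """Sort by key and percent-encode keys and values with only '~' left
    unescaped: the canonical parameter form the signature covers."""
    return "&".join(f"{quote(str(k), safe='~')}={quote(str(v), safe='~')}"
                    for k, v in sorted(params.items()))


def canonical_request(date, method, host, path, params):
    """Newline-joined string to sign.  Method is upper-cased and host
    lower-cased so client and server sign identical bytes."""
    return "\n".join([date, method.upper(), host.lower(), path,
                      canonicalize_params(params)])


def sign_request(ikey, skey, method, host, path, params, date=None):
    """Headers for one signed request.  A fresh Date is generated per request
    because the signature is bound to it."""
    date = date or formatdate()
    canon = canonical_request(date, method, host, path, params)
    sig = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    token = base64.b64encode(f"{ikey}:{sig}".encode()).decode()
    return {"Date": date, "Host": host, "Authorization": f"Basic {token}"}


def basic_credentials(auth_header):
    """Split an 'Authorization: Basic ...' header back into (ikey, signature)."""
    raw = base64.b64decode(auth_header.split(" ", 1)[1]).decode()
    user, _, sig = raw.partition(":")
    return user, sig


def fetch_activity(transport, mintime_ms, maxtime_ms, limit=100):
    """Collect every record in [mintime, maxtime] (epoch milliseconds),
    following metadata.next_offset until none is returned.  Assumed layout:
    {"stat": "OK", "response": {"items": [...], "metadata": {"next_offset": ..}}}.
    transport(headers, path, params) -> dict is injected so this runs offline;
    in production it performs the HTTPS GET against HOST."""
    items, next_offset = [], None
    while True:
        params = {"mintime": mintime_ms, "maxtime": maxtime_ms, "limit": limit}
        if next_offset:
            params["next_offset"] = next_offset
        headers = sign_request(IKEY, SKEY, "GET", HOST, ACTIVITY_PATH, params)
        body = transport(headers, ACTIVITY_PATH, params)
        if body.get("stat") != "OK":
            raise RuntimeError(f"Duo API error: {body}")
        resp = body["response"]
        items.extend(resp.get("items", []))
        next_offset = (resp.get("metadata") or {}).get("next_offset")
        if not next_offset:
            return items


# Constructed two-page response set standing in for the Duo API.
SAMPLE_PAGES = {
    None: {"stat": "OK", "response": {
        "items": [{"activity_id": "a1", "action": {"name": "bypass_create"}}],
        "metadata": {"next_offset": "1724712000000,a1", "total": 2}}},
    "1724712000000,a1": {"stat": "OK", "response": {
        "items": [{"activity_id": "a2", "action": {"name": "admin_login"}}],
        "metadata": {"next_offset": None, "total": 2}}},
}


def fake_transport(headers, path, params):
    """Serve SAMPLE_PAGES, refusing any request that is not Basic-signed."""
    ikey, sig = basic_credentials(headers["Authorization"])
    if ikey != IKEY or len(sig) != 40:
        return {"stat": "FAIL", "message": "Invalid auth"}
    return SAMPLE_PAGES[params.get("next_offset")]


if __name__ == "__main__":
    for rec in fetch_activity(fake_transport, 1724712000000, 1724715600000):
        print(rec["activity_id"], rec["action"]["name"])
```

Because the signature covers the Date header and every parameter, a replayed or tampered request fails verification; the script therefore needs clock sync on the function host, and the secret key must only ever be read from Secret Manager at runtime.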
Supported Duo Activity log format
The Duo Activity parser supports logs in JSON format.
Supported Duo Activity sample log
```json
{
  "access_device": {
    "browser": "Chrome",
    "browser_version": "127.0.0.0",
    "ip": { "address": "198.51.100.0" },
    "location": { "city": "Riverside", "country": "United States", "state": "California" },
    "os": "Windows",
    "os_version": "10"
  },
  "action": { "details": null, "name": "bypass_create" },
  "activity_id": "188c068b-1ef4-4c0a-80cc-700ee9a08612",
  "actor": {
    "details": "{\"created\": \"2022-09-15T17: 27: 31.000000+00: 00\", \"last_login\": \"2024-08-26T22: 48: 50.000000+00: 00\", \"email\": \"test@gmail.com\", \"status\": null, \"groups\": null}",
    "key": "dummyuserid",
    "name": "test",
    "type": "admin"
  },
  "akey": "DA06L58ASEO0DOKNXGXZ",
  "application": null,
  "old_target": null,
  "outcome": null,
  "target": {
    "details": "{\"bkeys\": [\"DB8VPGAF6674GKS43FS9\"], \"count\": 1, \"valid_secs\": 3600, \"remaining_uses\": 1, \"auto_generated\": true}",
    "key": "DU3H7GRU6UIENBKX5HRA",
    "name": "test",
    "type": "user_bypass"
  },
  "ts": "2024-08-26T22:49:21.975784+00:00"
}
```
Field mapping reference
Field mapping reference: Event Identifier and Event Type
The following table lists the DUO_ACTIVITY log types and their corresponding UDM event types.

Event Identifier | Event Type | Security Category |
---|---|---|
admin_activate_duo_push | DEVICE_PROGRAM_DOWNLOAD | |
admin_factor_restrictions | RESOURCE_PERMISSIONS_CHANGE | |
admin_login | USER_UNCATEGORIZED | |
admin_rectivates_duo_push | DEVICE_PROGRAM_DOWNLOAD | |
admin_reset_password | USER_CHANGE_PASSWORD | |
admin_send_reset_password_email | EMAIL_TRANSACTION | |
bypass_create | RESOURCE_CREATION | |
bypass_delete | RESOURCE_DELETION | |
bypass_view | RESOURCE_READ | |
deregister_devices | USER_RESOURCE_DELETION | |
device_change_enrollment_summary_notification_answered | USER_COMMUNICATION | |
device_change_enrollment_summary_notification_answered_notify_admin | USER_COMMUNICATION | |
device_change_enrollment_summary_notification_send | USER_COMMUNICATION | |
device_change_notification_answered | USER_COMMUNICATION | |
device_change_notification_answered_notify_admin | USER_COMMUNICATION | |
device_change_notification_create | RESOURCE_CREATION | |
device_change_notification_send | USER_COMMUNICATION | |
group_create | GROUP_CREATION | |
group_delete | GROUP_DELETION | |
group_update | GROUP_MODIFICATION | |
hardtoken_create | RESOURCE_CREATION | |
hardtoken_delete | RESOURCE_DELETION | |
hardtoken_resync | RESOURCE_WRITTEN | |
hardtoken_update | RESOURCE_WRITTEN | |
integration_create | RESOURCE_CREATION | |
integration_delete | RESOURCE_DELETION | |
integration_group_policy_add | GROUP_UNCATEGORIZED | |
integration_group_policy_remove | GROUP_UNCATEGORIZED | |
integration_policy_assign | USER_UNCATEGORIZED | |
integration_policy_unassign | USER_UNCATEGORIZED | |
integration_skey_bulk_view | RESOURCE_READ | |
integration_skey_view | RESOURCE_READ | |
integration_update | RESOURCE_WRITTEN | |
log_export_start | USER_UNCATEGORIZED | |
log_export_complete | USER_UNCATEGORIZED | |
log_export_failure | USER_UNCATEGORIZED | |
management_system_activate_device_cache | DEVICE_CONFIG_UPDATE | |
management_system_active_device_cache_add_devices | RESOURCE_CREATION | |
management_system_active_device_cache_delete_devices | RESOURCE_DELETION | |
management_system_active_device_cache_edit_devices | RESOURCE_WRITTEN | |
management_system_add_devices | RESOURCE_CREATION | |
management_system_create | RESOURCE_CREATION | |
management_system_delete | RESOURCE_DELETION | |
management_system_delete_devices | RESOURCE_DELETION | |
management_system_device_cache_add_devices | RESOURCE_CREATION | |
management_system_device_cache_create | RESOURCE_CREATION | |
management_system_device_cache_delete | RESOURCE_DELETION | |
management_system_device_cache_delete_devices | RESOURCE_DELETION | |
management_system_download_device_api_script | DEVICE_PROGRAM_DOWNLOAD | |
management_system_pkcs12_enrollment | RESOURCE_CREATION | |
management_system_sync_failure | USER_UNCATEGORIZED | |
management_system_sync_success | USER_UNCATEGORIZED | |
management_system_update | USER_UNCATEGORIZED | |
management_system_view_password | RESOURCE_READ | |
management_system_view_token | RESOURCE_READ | |
phone_activation_code_regenerated | RESOURCE_CREATION | |
phone_associate | RESOURCE_CREATION | |
phone_create | RESOURCE_CREATION | |
phone_delete | RESOURCE_DELETION | |
phone_disassociate | RESOURCE_DELETION | |
phone_new_sms_passcode | RESOURCE_CREATION | |
phone_update | RESOURCE_WRITTEN | |
policy_create | RESOURCE_CREATION | |
policy_delete | RESOURCE_DELETION | |
policy_update | RESOURCE_WRITTEN | |
u2ftoken_create | RESOURCE_CREATION | |
u2ftoken_delete | RESOURCE_DELETION | |
user_not_enrolled_lockout | USER_CHANGE_PERMISSIONS | |
user_adminapi_lockout | USER_CHANGE_PERMISSIONS | |
user_lockout_cleared | USER_CHANGE_PERMISSIONS | |
webauthncredential_create | RESOURCE_CREATION | |
webauthncredential_delete | RESOURCE_DELETION | |
webauthncredential_rename | RESOURCE_WRITTEN | |
Field mapping reference: DUO_ACTIVITY
The following table lists the log fields of the DUO_ACTIVITY log type and their corresponding UDM fields.

Log field | UDM mapping | Logic |
---|---|---|
access_device.os | principal.platform | If the access_device.os log field value matches the regular expression pattern (?i)Win, then the principal.platform UDM field is set to WINDOWS. Else, if it matches (?i)Lin, principal.platform is set to LINUX. Else, if it matches (?i)Mac, principal.platform is set to MAC. Else, if it matches (?i)ios, principal.platform is set to IOS. Else, if it matches (?i)Chrome, principal.platform is set to CHROME_OS. Else, if it matches (?i)Android, principal.platform is set to ANDROID. Else, principal.platform is set to UNKNOWN_PLATFORM. |
access_device.os_version | principal.platform_version | |
access_device.ip.address | principal.ip | |
access_device.location.country | principal.location.country_or_region | |
access_device.location.state | principal.location.state | |
access_device.location.city | principal.location.city | |
access_device.browser | principal.asset.attribute.labels[access_device_browser] | |
access_device.browser_version | principal.asset.attribute.labels[access_device_browser_version] | |
ts | metadata.event_timestamp | |
activity_id | metadata.product_log_id | |
akey | principal.asset.product_object_id | |
outcome.result | security_result.action_details | |
application.key | principal.resource.product_object_id | |
application.name | principal.application | |
application.type | principal.resource.resource_subtype | |
action.details | principal.user.attribute.labels[action_details] | |
action.name | metadata.product_event_type | |
actor.key | principal.user.userid | |
actor.name | principal.user.user_display_name | |
actor.type | principal.user.attribute.labels[actor_type] | |
target.key | target.asset.attribute.labels[target_key] | |
target.name | target.asset.hostname | |
target.type | target.asset.category | |
target.details | target.user.attribute.labels[target_details] | |
old_target.key | about.asset.attribute.labels[old_target_key] | |
old_target.name | about.asset.hostname | |
old_target.type | about.asset.category | |
old_target.details | about.user.attribute.labels[old_target_details] | |
actor.details.created | principal.user.first_seen_time | |
actor.details.last_login | principal.user.last_login_time | |
actor.details.status | principal.user.attribute.labels[status] | |
actor.details.email | principal.user.email_addresses | |
actor.details.group.key | principal.user.attribute.labels[actor_details_group_key] | |
actor.details.group.name | principal.user.attribute.labels[actor_details_group_name] | |
What's next
Need more help? Get answers from Community members and Google SecOps professionals.