Coletar registros do Cloud NAT

Compatível com:

Neste documento, descrevemos como coletar registros do Cloud NAT ativando a ingestão de telemetria do Google Cloud para as Operações de segurança do Google e como os campos de registro dos registros do Cloud NAT são mapeados para os campos do Modelo de dados unificado (UDM) das Operações de segurança do Google.

Para mais informações, consulte Ingestão de dados para as Operações de segurança do Google.

Uma implantação típica consiste em registros do Cloud NAT ativados para ingestão no Google Security Operations. Cada implantação do cliente pode ser diferente dessa representação e ser mais complexa.

A implantação contém os seguintes componentes:

  • Google Cloud: os serviços e produtos do Google Cloud em que você coleta registros.

  • Registros do Cloud NAT: os registros do Cloud NAT que são ativados para ingestão no Google Security Operations.

  • Operações de segurança do Google: as Operações de segurança do Google retém e analisa os registros do Cloud NAT.

Um rótulo de ingestão identifica o analisador que normaliza dados de registro brutos ao formato UDM estruturado. As informações contidas neste documento se aplicam ao analisador com o rótulo de ingestão GCP_CLOUD_NAT.

Antes de começar

  • Verifique se todos os sistemas na arquitetura de implantação estão configurados no fuso horário UTC.

Configurar o Google Cloud para ingerir registros do Cloud NAT

Para mais informações sobre a ingestão de registros no Google Security Operations, consulte Ingerir os registros do Google Cloud nas Operações de segurança do Google.

Em caso de problemas ao ingerir registros do Cloud NAT, entre em contato com o suporte das Operações de segurança do Google.

Referência de mapeamento de campo

Esta seção explica como o analisador das Operações de segurança do Google mapeia os campos do Cloud NAT para os campos do Modelo de dados unificado (UDM) das Operações de segurança do Google.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_CONNECTION.
metadata.product_name The metadata.product_name UDM field is set to GCP Cloud NAT.
metadata.vendor_name The metadata.vendor_name UDM field is set to Google Cloud Platform.
receiveTimestamp metadata.collected_timestamp
timestamp metadata.event_timestamp
logName security_result.category_details
insertId metadata.product_log_id
network.direction The network.direction UDM field is set to OUTBOUND.
network.ip_protocol If the jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to ICMP.
  • 1
  • ICMP
  • ICMPV6
  • 58
  • 1.0
  • 58.0
Else, if the jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to IGMP.
  • 2
  • IGMP
  • 2.0
Else, if the jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to TCP.
  • 6
  • TCP
  • 6.0
Else, if the jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to UDP.
  • 17
  • UDP
  • 17.0
Else, if the jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to IP6IN4.
  • 41
  • IP6IN4
  • 41.0
Else, if the jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to GRE.
  • 47
  • GRE
  • 47.0
Else, if the jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to ESP.
  • 50
  • ESP
  • 50.0
Else, if the jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to EIGRP.
  • 88
  • 88.0
Else, if the jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to ETHERIP.
  • 97
  • 97.0
Else, if the jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to PIM.
  • 103
  • PIM
  • 103.0
Else, if the jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to VRRP.
  • 112
  • VRRP
  • 112.0
jsonPayload.connection.src_ip principal.ip
jsonPayload.connection.src_port principal.port
jsonPayload.connection.nat_ip principal.nat_ip
jsonPayload.connection.nat_port principal.nat_port
jsonPayload.vpc.project_id If the jsonPayload.vpc.project_id log field value is not empty, then the //{jsonPayload.vpc.project_id} log field is mapped to the UDM field.
intermediary.resource_ancestors.resource_type If the jsonPayload.vpc.project_id log field value is not empty, then the intermediary.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT. If the jsonPayload.vpc.project_id log field value is not empty, then the UDM field is set to GOOGLE_CLOUD_PLATFORM.
intermediary.resource_ancestors.resource_type If the jsonPayload.vpc.vpc_name log field value is not empty or the jsonPayload.vpc.subnetwork_name log field value is not empty, then the intermediary.resource_ancestors.resource_type UDM field is set to VPC_NETWORK. If the jsonPayload.vpc.vpc_name log field value is not empty or the jsonPayload.vpc.subnetwork_name log field value is not empty, then the UDM field is set to GOOGLE_CLOUD_PLATFORM.
jsonPayload.vpc.subnetwork_name intermediary.resource_ancestors.attribute.labels [vpc_subnetwork_name]
intermediary.resource.resource_type If the jsonPayload.gateway_identifiers.gateway_name log field value is not empty or the resource.type log field value is not empty or the resource.labels.region log field value is not empty or the jsonPayload.gateway_identifiers.router_name log field value is not empty or the resource.labels.router_id log field value is not empty, then the intermediary.resource.resource_type UDM field is set to BACKEND_SERVICE.
resource.type intermediary.resource.resource_subtype
jsonPayload.gateway_identifiers.region If the jsonPayload.gateway_identifiers.gateway_name log field value is not empty or the resource.type log field value is not empty or the resource.labels.region log field value is not empty or the jsonPayload.gateway_identifiers.router_name log field value is not empty or the resource.labels.router_id log field value is not empty, then the UDM field is set to GOOGLE_CLOUD_PLATFORM.
jsonPayload.gateway_identifiers.router_name intermediary.resource.attribute.labels [gateway_identifiers_router_name]
resource.labels.router_id intermediary.resource.attribute.labels [resource_labels_router_id]
jsonPayload.endpoint.project_id If the jsonPayload.endpoint.project_id log field value is not empty, then the //{jsonPayload.endpoint.project_id} log field is mapped to the UDM field.
principal.resource_ancestors.resource_type If the jsonPayload.endpoint.project_id log field value is not empty, then the principal.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT. If the jsonPayload.endpoint.project_id log field value is not empty, then the UDM field is set to GOOGLE_CLOUD_PLATFORM.
jsonPayload.endpoint.vm_name principal.hostname
jsonPayload.endpoint.vm_name principal.asset.hostname
principal.resource.resource_type If the jsonPayload.endpoint.vm_name log field value is not empty or the log field value is not empty, then the principal.resource.resource_type UDM field is set to VIRTUAL_MACHINE. If the jsonPayload.endpoint.vm_name log field value is not empty or the log field value is not empty, then the UDM field is set to GOOGLE_CLOUD_PLATFORM.
jsonPayload.connection.dest_ip target.ip
jsonPayload.connection.dest_port target.port target.location.country_or_region
jsonPayload.destination.geo_location.continent target.labels [destination_geo_location_continent] (deprecated)
jsonPayload.destination.geo_location.continent additional.fields [destination_geo_location_continent]
jsonPayload.destination.geo_location.asn network.asn
jsonPayload.destination.instance.project_id If the jsonPayload.destination.instance.project_id log field value is not empty, then the //{jsonPayload.destination.instance.project_id} log field is mapped to the UDM field.
target.resource_ancestors.resource_type If the jsonPayload.destination.instance.project_id log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT. If the jsonPayload.destination.instance.project_id log field value is not empty, then the UDM field is set to GOOGLE_CLOUD_PLATFORM.
jsonPayload.destination.instance.vm_name target.hostname
jsonPayload.destination.instance.vm_name target.asset.hostname
target.resource.resource_type If the jsonPayload.destination.instance.vm_name log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE. If the jsonPayload.destination.instance.vm_name log field value is not empty, then the UDM field is set to GOOGLE_CLOUD_PLATFORM.
jsonPayload.destination.instance.region If the jsonPayload.destination.geo_location.region log field value is empty, then the jsonPayload.destination.instance.region log field is mapped to the UDM field.
security_result.action If the jsonPayload.allocation_status log field value is equal to OK, then the security_result.action UDM field is set to ALLOW.

Else, if the jsonPayload.allocation_status log field value is equal to DROPPED, then the security_result.action UDM field is set to BLOCK.
jsonPayload.allocation_status security_result.action_details
labels about.resource.attribute.labels
resource.labels.project_id about.resource.attribute.labels [resource_project_id] If the resource.labels.project_id log field value is not empty, then the //{resource.labels.project_id} log field is mapped to the about.resource.attribute.labels.resource_project_id UDM field.
resource.labels.gateway_name about.resource.attribute.labels [resource_gateway_name]

A seguir