Cloud NAT-Protokolle erfassen
Unterstützt in:
Google SecOps
SIEM
In diesem Dokument wird beschrieben, wie Sie Cloud NAT-Logs erfassen, indem Sie die Google Cloud Telemetrieaufnahme in Google Security Operations aktivieren. Außerdem wird erläutert, wie Protokollfelder von Cloud NAT-Logs in die Felder des Unified Data Model (UDM) von Google Security Operations zugeordnet werden.
Weitere Informationen finden Sie unter Datenaufnahme in Google Security Operations.
Eine typische Bereitstellung besteht aus Cloud NAT-Logs, die für die Aufnahme in Google Security Operations aktiviert sind. Jede Kundenimplementierung kann von dieser Darstellung abweichen und komplexer sein.
Die Bereitstellung umfasst die folgenden Komponenten:
Google Cloud: Die Google Cloud Dienste und Produkte, von denen Sie Protokolle erfassen.
Cloud NAT-Logs: Cloud NAT-Logs, die für die Aufnahme in Google Security Operations aktiviert sind.
Google Security Operations: Google Security Operations speichert und analysiert die Logs von Cloud NAT.
Mit einem Datenaufnahmelabel wird der Parser identifiziert, der Roh-Logdaten in das strukturierte UDM-Format normalisiert. Die Informationen in diesem Dokument beziehen sich auf den Parser mit dem Datenaufnahmelabel GCP_CLOUD_NAT.
Hinweise
- Alle Systeme in der Bereitstellungsarchitektur müssen in der Zeitzone UTC konfiguriert sein.
Google Cloud Cloud NAT-Logs aufnehmen
Weitere Informationen zum Aufnehmen von Logs in Google Security Operations finden Sie unter Logs in Google Security Operations aufnehmen Google Cloud .
Wenn beim Aufnehmen von Cloud NAT-Logs Probleme auftreten, wenden Sie sich an den Google Security Operations-Support.
Referenz für die Feldzuordnung
In diesem Abschnitt wird erläutert, wie der Google Security Operations-Parser Cloud NAT-Felder den UDM-Feldern (Unified Data Model) von Google Security Operations zuordnet.
| Log field | UDM mapping | Logic |
|---|---|---|
|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_CONNECTION. |
|
metadata.product_name |
The metadata.product_name UDM field is set to GCP Cloud NAT. |
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to Google Cloud Platform. |
receiveTimestamp |
metadata.collected_timestamp |
|
timestamp |
metadata.event_timestamp |
|
logName |
security_result.category_details |
|
insertId |
metadata.product_log_id |
|
|
network.direction |
The network.direction UDM field is set to OUTBOUND. |
|
network.ip_protocol |
If the jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to ICMP.
jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to IGMP.
jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to TCP.
jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to UDP.
jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to IP6IN4.
jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to GRE.
jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to ESP.
jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to EIGRP.
jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to ETHERIP.
jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to PIM.
jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to VRRP.
|
jsonPayload.connection.src_ip |
principal.ip |
|
jsonPayload.connection.src_port |
principal.port |
|
jsonPayload.connection.nat_ip |
principal.nat_ip |
|
jsonPayload.connection.nat_port |
principal.nat_port |
|
jsonPayload.vpc.project_id |
intermediary.resource_ancestors.name |
If the jsonPayload.vpc.project_id log field value is not empty, then the //cloudresourcemanager.googleapis.com/projects/%{jsonPayload.vpc.project_id} log field is mapped to the intermediary.resource_ancestors.name UDM field. |
|
intermediary.resource_ancestors.resource_type |
If the jsonPayload.vpc.project_id log field value is not empty, then the intermediary.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT. |
|
intermediary.resource_ancestors.attribute.cloud.environment |
If the jsonPayload.vpc.project_id log field value is not empty, then the intermediary.resource_ancestors.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
jsonPayload.vpc.vpc_name |
intermediary.resource_ancestors.name |
|
|
intermediary.resource_ancestors.resource_type |
If the jsonPayload.vpc.vpc_name log field value is not empty or the jsonPayload.vpc.subnetwork_name log field value is not empty, then the intermediary.resource_ancestors.resource_type UDM field is set to VPC_NETWORK. |
|
intermediary.resource_ancestors.attribute.cloud.environment |
If the jsonPayload.vpc.vpc_name log field value is not empty or the jsonPayload.vpc.subnetwork_name log field value is not empty, then the intermediary.resource_ancestors.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
jsonPayload.vpc.subnetwork_name |
intermediary.resource_ancestors.attribute.labels [vpc_subnetwork_name] |
|
jsonPayload.gateway_identifiers.gateway_name |
intermediary.resource.name |
|
|
intermediary.resource.resource_type |
If the jsonPayload.gateway_identifiers.gateway_name log field value is not empty or the resource.type log field value is not empty or the resource.labels.region log field value is not empty or the jsonPayload.gateway_identifiers.router_name log field value is not empty or the resource.labels.router_id log field value is not empty, then the intermediary.resource.resource_type UDM field is set to BACKEND_SERVICE. |
resource.type |
intermediary.resource.resource_subtype |
|
jsonPayload.gateway_identifiers.region |
intermediary.location.name |
|
|
intermediary.resource.attribute.cloud.environment |
If the jsonPayload.gateway_identifiers.gateway_name log field value is not empty or the resource.type log field value is not empty or the resource.labels.region log field value is not empty or the jsonPayload.gateway_identifiers.router_name log field value is not empty or the resource.labels.router_id log field value is not empty, then the intermediary.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
resource.labels.region |
intermediary.resource.attribute.cloud.availability_zone |
|
jsonPayload.gateway_identifiers.router_name |
intermediary.resource.attribute.labels [gateway_identifiers_router_name] |
|
resource.labels.router_id |
intermediary.resource.attribute.labels [resource_labels_router_id] |
|
jsonPayload.endpoint.project_id |
principal.resource_ancestors.name |
If the jsonPayload.endpoint.project_id log field value is not empty, then the //cloudresourcemanager.googleapis.com/projects/%{jsonPayload.endpoint.project_id} log field is mapped to the principal.resource_ancestors.name UDM field. |
|
principal.resource_ancestors.resource_type |
If the jsonPayload.endpoint.project_id log field value is not empty, then the principal.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT. |
|
principal.resource_ancestors.attribute.cloud.environment |
If the jsonPayload.endpoint.project_id log field value is not empty, then the principal.resource_ancestors.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
jsonPayload.endpoint.vm_name |
principal.hostname |
|
jsonPayload.endpoint.vm_name |
principal.asset.hostname |
|
jsonPayload.endpoint.vm_name |
principal.resource.name |
|
|
principal.resource.resource_type |
If the jsonPayload.endpoint.vm_name log field value is not empty or the jsonPayload.endpoint.zone log field value is not empty, then the principal.resource.resource_type UDM field is set to VIRTUAL_MACHINE. |
|
principal.resource.attribute.cloud.environment |
If the jsonPayload.endpoint.vm_name log field value is not empty or the jsonPayload.endpoint.zone log field value is not empty, then the principal.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
jsonPayload.endpoint.zone |
principal.resource.attribute.cloud.availability_zone |
|
jsonPayload.endpoint.region |
principal.location.name |
|
jsonPayload.connection.dest_ip |
target.ip |
|
jsonPayload.connection.dest_port |
target.port |
|
jsonPayload.destination.geo_location.city |
target.location.city |
|
jsonPayload.destination.geo_location.country |
target.location.country_or_region |
|
jsonPayload.destination.geo_location.region |
target.location.name |
|
jsonPayload.destination.geo_location.continent |
target.labels [destination_geo_location_continent] (deprecated) |
|
jsonPayload.destination.geo_location.continent |
additional.fields [destination_geo_location_continent] |
|
jsonPayload.destination.geo_location.asn |
network.asn |
|
jsonPayload.destination.instance.project_id |
target.resource_ancestors.name |
If the jsonPayload.destination.instance.project_id log field value is not empty, then the //cloudresourcemanager.googleapis.com/projects/%{jsonPayload.destination.instance.project_id} log field is mapped to the target.resource_ancestors.name UDM field. |
|
target.resource_ancestors.resource_type |
If the jsonPayload.destination.instance.project_id log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT. |
|
target.resource_ancestors.attribute.cloud.environment |
If the jsonPayload.destination.instance.project_id log field value is not empty, then the target.resource_ancestors.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
jsonPayload.destination.instance.vm_name |
target.hostname |
|
jsonPayload.destination.instance.vm_name |
target.asset.hostname |
|
jsonPayload.destination.instance.vm_name |
target.resource.name |
|
|
target.resource.resource_type |
If the jsonPayload.destination.instance.vm_name log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE. |
|
target.resource.attribute.cloud.environment |
If the jsonPayload.destination.instance.vm_name log field value is not empty, then the target.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
jsonPayload.destination.instance.zone |
target.resource.attribute.cloud.availability_zone |
|
jsonPayload.destination.instance.region |
target.location.name |
If the jsonPayload.destination.geo_location.region log field value is empty, then the jsonPayload.destination.instance.region log field is mapped to the target.location.name UDM field. |
|
security_result.action |
If the jsonPayload.allocation_status log field value is equal to OK, then the security_result.action UDM field is set to ALLOW.Else, if the jsonPayload.allocation_status log field value is equal to DROPPED, then the security_result.action UDM field is set to BLOCK. |
jsonPayload.allocation_status |
security_result.action_details |
|
labels |
about.resource.attribute.labels |
|
resource.labels.project_id |
about.resource.attribute.labels [resource_project_id] |
If the resource.labels.project_id log field value is not empty, then the //cloudresourcemanager.googleapis.com/projects/%{resource.labels.project_id} log field is mapped to the about.resource.attribute.labels.resource_project_id UDM field. |
resource.labels.gateway_name |
about.resource.attribute.labels [resource_gateway_name] |
Nächste Schritte
Benötigen Sie weitere Hilfe? Antworten von Community-Mitgliedern und Google SecOps-Experten erhalten