Cloud NAT ログを収集する
このドキュメントでは、Google Security Operations への Google Cloud テレメトリーの取り込みを有効にして Cloud NAT ログを収集する方法と、Cloud NAT ログのログ フィールドを Google Security Operations 統合データモデル(UDM)フィールドにマッピングする方法について説明します。
詳細については、Google Security Operations へのデータの取り込みの概要をご覧ください。
一般的なデプロイは、Google Security Operations への取り込みに対して有効になっている Cloud NAT ログで構成されています。お客様のデプロイはそれぞれこの表現とは異なる可能性があり、より複雑になることがあります。
デプロイには次のコンポーネントが含まれます。
Google Cloud: ログの収集元となる Google Cloud サービスとプロダクト。
Cloud NAT ログ: Google Security Operations への取り込みが有効になっている Cloud NAT ログ。
Google Security Operations: Google Security Operations は Cloud NAT のログを保持して分析します。
取り込みラベルによって、未加工のログデータを構造化 UDM 形式に正規化するパーサーが識別されます。このドキュメントの情報は、取り込みラベル GCP_CLOUD_NAT が付加されたパーサーに適用されます。
始める前に
- デプロイ アーキテクチャ内のすべてのシステムが、UTC タイムゾーンに構成されていることを確認します。
Cloud NAT ログを取り込むように Google Cloud を構成する
Google Security Operations にログを取り込む方法について詳しくは、Google Cloud ログを Google Security Operations に取り込むをご覧ください。
Cloud NAT ログを取り込むときに問題が発生した場合は、Google Security Operations サポートにお問い合わせください。
フィールド マッピング リファレンス
このセクションでは、Google Security Operations パーサーが Cloud NAT のコンテキスト フィールドを Google Security Operations の統合データモデル(UDM)フィールドにマッピングする方法について説明します。
| Log field | UDM mapping | Logic |
|---|---|---|
|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_CONNECTION. |
|
metadata.product_name |
The metadata.product_name UDM field is set to GCP Cloud NAT. |
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to Google Cloud Platform. |
receiveTimestamp |
metadata.collected_timestamp |
|
timestamp |
metadata.event_timestamp |
|
logName |
security_result.category_details |
|
insertId |
metadata.product_log_id |
|
|
network.direction |
The network.direction UDM field is set to OUTBOUND. |
|
network.ip_protocol |
If the jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to ICMP.
jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to IGMP.
jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to TCP.
jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to UDP.
jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to IP6IN4.
jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to GRE.
jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to ESP.
jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to EIGRP.
jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to ETHERIP.
jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to PIM.
jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to VRRP.
|
jsonPayload.connection.src_ip |
principal.ip |
|
jsonPayload.connection.src_port |
principal.port |
|
jsonPayload.connection.nat_ip |
principal.nat_ip |
|
jsonPayload.connection.nat_port |
principal.nat_port |
|
jsonPayload.vpc.project_id |
intermediary.resource_ancestors.name |
If the jsonPayload.vpc.project_id log field value is not empty, then the //cloudresourcemanager.googleapis.com/projects/%{jsonPayload.vpc.project_id} log field is mapped to the intermediary.resource_ancestors.name UDM field. |
|
intermediary.resource_ancestors.resource_type |
If the jsonPayload.vpc.project_id log field value is not empty, then the intermediary.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT. |
|
intermediary.resource_ancestors.attribute.cloud.environment |
If the jsonPayload.vpc.project_id log field value is not empty, then the intermediary.resource_ancestors.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
jsonPayload.vpc.vpc_name |
intermediary.resource_ancestors.name |
|
|
intermediary.resource_ancestors.resource_type |
If the jsonPayload.vpc.vpc_name log field value is not empty or the jsonPayload.vpc.subnetwork_name log field value is not empty, then the intermediary.resource_ancestors.resource_type UDM field is set to VPC_NETWORK. |
|
intermediary.resource_ancestors.attribute.cloud.environment |
If the jsonPayload.vpc.vpc_name log field value is not empty or the jsonPayload.vpc.subnetwork_name log field value is not empty, then the intermediary.resource_ancestors.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
jsonPayload.vpc.subnetwork_name |
intermediary.resource_ancestors.attribute.labels [vpc_subnetwork_name] |
|
jsonPayload.gateway_identifiers.gateway_name |
intermediary.resource.name |
|
|
intermediary.resource.resource_type |
If the jsonPayload.gateway_identifiers.gateway_name log field value is not empty or the resource.type log field value is not empty or the resource.labels.region log field value is not empty or the jsonPayload.gateway_identifiers.router_name log field value is not empty or the resource.labels.router_id log field value is not empty, then the intermediary.resource.resource_type UDM field is set to BACKEND_SERVICE. |
resource.type |
intermediary.resource.resource_subtype |
|
jsonPayload.gateway_identifiers.region |
intermediary.location.name |
|
|
intermediary.resource.attribute.cloud.environment |
If the jsonPayload.gateway_identifiers.gateway_name log field value is not empty or the resource.type log field value is not empty or the resource.labels.region log field value is not empty or the jsonPayload.gateway_identifiers.router_name log field value is not empty or the resource.labels.router_id log field value is not empty, then the intermediary.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
resource.labels.region |
intermediary.resource.attribute.cloud.availability_zone |
|
jsonPayload.gateway_identifiers.router_name |
intermediary.resource.attribute.labels [gateway_identifiers_router_name] |
|
resource.labels.router_id |
intermediary.resource.attribute.labels [resource_labels_router_id] |
|
jsonPayload.endpoint.project_id |
principal.resource_ancestors.name |
If the jsonPayload.endpoint.project_id log field value is not empty, then the //cloudresourcemanager.googleapis.com/projects/%{jsonPayload.endpoint.project_id} log field is mapped to the principal.resource_ancestors.name UDM field. |
|
principal.resource_ancestors.resource_type |
If the jsonPayload.endpoint.project_id log field value is not empty, then the principal.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT. |
|
principal.resource_ancestors.attribute.cloud.environment |
If the jsonPayload.endpoint.project_id log field value is not empty, then the principal.resource_ancestors.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
jsonPayload.endpoint.vm_name |
principal.hostname |
|
jsonPayload.endpoint.vm_name |
principal.asset.hostname |
|
jsonPayload.endpoint.vm_name |
principal.resource.name |
|
|
principal.resource.resource_type |
If the jsonPayload.endpoint.vm_name log field value is not empty or the jsonPayload.endpoint.zone log field value is not empty, then the principal.resource.resource_type UDM field is set to VIRTUAL_MACHINE. |
|
principal.resource.attribute.cloud.environment |
If the jsonPayload.endpoint.vm_name log field value is not empty or the jsonPayload.endpoint.zone log field value is not empty, then the principal.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
jsonPayload.endpoint.zone |
principal.resource.attribute.cloud.availability_zone |
|
jsonPayload.endpoint.region |
principal.location.name |
|
jsonPayload.connection.dest_ip |
target.ip |
|
jsonPayload.connection.dest_port |
target.port |
|
jsonPayload.destination.geo_location.city |
target.location.city |
|
jsonPayload.destination.geo_location.country |
target.location.country_or_region |
|
jsonPayload.destination.geo_location.region |
target.location.name |
|
jsonPayload.destination.geo_location.continent |
target.labels [destination_geo_location_continent] (deprecated) |
|
jsonPayload.destination.geo_location.continent |
additional.fields [destination_geo_location_continent] |
|
jsonPayload.destination.geo_location.asn |
network.asn |
|
jsonPayload.destination.instance.project_id |
target.resource_ancestors.name |
If the jsonPayload.destination.instance.project_id log field value is not empty, then the //cloudresourcemanager.googleapis.com/projects/%{jsonPayload.destination.instance.project_id} log field is mapped to the target.resource_ancestors.name UDM field. |
|
target.resource_ancestors.resource_type |
If the jsonPayload.destination.instance.project_id log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT. |
|
target.resource_ancestors.attribute.cloud.environment |
If the jsonPayload.destination.instance.project_id log field value is not empty, then the target.resource_ancestors.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
jsonPayload.destination.instance.vm_name |
target.hostname |
|
jsonPayload.destination.instance.vm_name |
target.asset.hostname |
|
jsonPayload.destination.instance.vm_name |
target.resource.name |
|
|
target.resource.resource_type |
If the jsonPayload.destination.instance.vm_name log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE. |
|
target.resource.attribute.cloud.environment |
If the jsonPayload.destination.instance.vm_name log field value is not empty, then the target.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
jsonPayload.destination.instance.zone |
target.resource.attribute.cloud.availability_zone |
|
jsonPayload.destination.instance.region |
target.location.name |
If the jsonPayload.destination.geo_location.region log field value is empty, then the jsonPayload.destination.instance.region log field is mapped to the target.location.name UDM field. |
|
security_result.action |
If the jsonPayload.allocation_status log field value is equal to OK, then the security_result.action UDM field is set to ALLOW.Else, if the jsonPayload.allocation_status log field value is equal to DROPPED, then the security_result.action UDM field is set to BLOCK. |
jsonPayload.allocation_status |
security_result.action_details |
|
labels |
about.resource.attribute.labels |
|
resource.labels.project_id |
about.resource.attribute.labels [resource_project_id] |
If the resource.labels.project_id log field value is not empty, then the //cloudresourcemanager.googleapis.com/projects/%{resource.labels.project_id} log field is mapped to the about.resource.attribute.labels.resource_project_id UDM field. |
resource.labels.gateway_name |
about.resource.attribute.labels [resource_gateway_name] |