Collect Google Cloud firewall logs
This document describes how to collect Google Cloud firewall logs by enabling Google Cloud telemetry ingestion into Google Security Operations, and how the log fields of Google Cloud firewall logs map to Google Security Operations Unified Data Model (UDM) fields. It also lists the supported Google Cloud firewall version.
For more information, see Data ingestion to Google Security Operations.
A typical deployment consists of Google Cloud firewall logs enabled for ingestion into Google Security Operations. Each customer deployment can differ from this representation and be more complex.
The deployment contains the following components:
Google Cloud: The Google Cloud services and products from which you collect logs.
Google Cloud firewall logs: The Google Cloud firewall logs that are enabled for ingestion into Google Security Operations.
Google Security Operations: Google Security Operations retains and analyzes the Google Cloud firewall logs.
An ingestion label identifies the parser that normalizes raw log data to the structured UDM format. The information in this document applies to the parser with the GCP_FIREWALL ingestion label.
Before you begin
Make sure you are using version 1 of the Google Cloud firewall.
Make sure that all systems in the deployment architecture are configured to the UTC time zone.
Configure Google Cloud to ingest Google Cloud firewall logs
To ingest Google Cloud firewall logs into Google Security Operations, follow the steps on the Ingest Google Cloud logs to Google Security Operations page.
If you have problems ingesting Cloud Firewall logs, contact Google Security Operations support.
Field mapping reference
The following table lists the log fields of the GCP_FIREWALL log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic |
|---|---|---|
| receiveTimestamp | metadata.collected_timestamp | |
| timestamp | metadata.event_timestamp | |
| logName | metadata.product_event_type | |
| | metadata.event_type | If the jsonPayload.connection.src_ip log field value is not empty and the jsonPayload.connection.dest_ip log field value is not empty, then the metadata.event_type UDM field is set to NETWORK_CONNECTION. Else, if the jsonPayload.connection.src_ip log field value is not empty, then the metadata.event_type UDM field is set to STATUS_UNCATEGORIZED. Else, the metadata.event_type UDM field is set to GENERIC_EVENT. |
| insertId | metadata.product_log_id | |
| | metadata.product_name | The metadata.product_name UDM field is set to GCP Firewall. |
| | metadata.vendor_name | The metadata.vendor_name UDM field is set to Google Cloud Platform. |
| jsonPayload.rule_details.direction | network.direction | If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the network.direction UDM field is set to OUTBOUND. Else, if the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the network.direction UDM field is set to INBOUND. |
| jsonPayload.connection.protocol | network.ip_protocol | If the jsonPayload.connection.protocol log field value is equal to 6, then the network.ip_protocol UDM field is set to TCP. If the jsonPayload.connection.protocol log field value is equal to 17, then the network.ip_protocol UDM field is set to UDP. If the jsonPayload.connection.protocol log field value is equal to 1, then the network.ip_protocol UDM field is set to ICMP. If the jsonPayload.connection.protocol log field value is equal to 2, then the network.ip_protocol UDM field is set to IGMP. |
| jsonPayload.connection.src_ip | principal.ip | |
| jsonPayload.remote_location.continent | principal.labels[remote_location_continent] (deprecated) | If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_location.continent log field is mapped to the principal.labels.remote_location_continent UDM field. |
| jsonPayload.remote_location.continent | additional.fields[remote_location_continent] | If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_location.continent log field is mapped to the additional.fields.remote_location_continent UDM field. |
| | | If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the log field is mapped to the UDM field. |
| | principal.location.country_or_region | If the log field value is not empty or the jsonPayload.remote_location.region log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_location.region log field is mapped to the principal.location.country_or_region UDM field. |
| jsonPayload.remote_location.region | principal.location.country_or_region | If the log field value is not empty or the jsonPayload.remote_location.region log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_location.region log field is mapped to the principal.location.country_or_region UDM field. |
| jsonPayload.instance.region | | If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.instance.region log field is mapped to the UDM field. |
| jsonPayload.remote_instance.region | | If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_instance.region log field is mapped to the UDM field. |
| jsonPayload.connection.src_port | principal.port | |
| resource.labels.location | | If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the resource.labels.location log field is mapped to the UDM field. |
| jsonPayload.vpc.vpc_name | | If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.vpc.vpc_name log field is mapped to the UDM field. |
| jsonPayload.vpc.subnetwork_name | | If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.vpc.subnetwork_name log field is mapped to the UDM field. |
| jsonPayload.remote_vpc.vpc_name | | If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_vpc.vpc_name log field is mapped to the UDM field. |
| jsonPayload.remote_vpc.subnetwork_name | | If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_vpc.subnetwork_name log field is mapped to the UDM field. |
| jsonPayload.vpc.project_id | principal.resource_ancestors.product_object_id | If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.vpc.project_id log field is mapped to the principal.resource_ancestors.product_object_id UDM field. |
| jsonPayload.remote_vpc.project_id | principal.resource_ancestors.product_object_id | If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_vpc.project_id log field is mapped to the principal.resource_ancestors.product_object_id UDM field. |
| resource.labels.subnetwork_id | principal.resource_ancestors.product_object_id | If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the resource.labels.subnetwork_id log field is mapped to the principal.resource_ancestors.product_object_id UDM field. |
| resource.type | principal.resource_ancestors.resource_subtype | If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the resource.type log field is mapped to the principal.resource_ancestors.resource_subtype UDM field. |
| | principal.resource_ancestors.resource_type | If the jsonPayload.vpc.vpc_name log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the principal.resource_ancestors.resource_type UDM field is set to VPC_NETWORK. If the jsonPayload.vpc.project_id log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the principal.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT. If the jsonPayload.remote_vpc.vpc_name log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the principal.resource_ancestors.resource_type UDM field is set to VPC_NETWORK. If the jsonPayload.remote_vpc.project_id log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the principal.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT. |
| | | If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the log field is mapped to the UDM field. |
| | | If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the log field is mapped to the UDM field. |
| jsonPayload.instance.vm_name | | If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.instance.vm_name log field is mapped to the UDM field. |
| jsonPayload.remote_instance.vm_name | | If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_instance.vm_name log field is mapped to the UDM field. |
| | principal.resource.resource_type | If the jsonPayload.instance.vm_name log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the principal.resource.resource_type UDM field is set to VIRTUAL_MACHINE. If the jsonPayload.remote_instance.vm_name log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the principal.resource.resource_type UDM field is set to VIRTUAL_MACHINE. |
| | security_result.action | If the jsonPayload.rule_details.disposition log field value is equal to ALLOWED, then the security_result.action UDM field is set to ALLOW. Else, if the jsonPayload.rule_details.disposition log field value is equal to DENIED, then the security_result.action UDM field is set to BLOCK. |
| jsonPayload.disposition | security_result.action_details | |
| jsonPayload.rule_details.reference | security_result.description | |
| jsonPayload.rule_details.priority | security_result.priority_details | |
| resource.labels.firewall_rule_id | security_result.rule_id | |
| jsonPayload.rule_details.action | security_result.rule_labels[rule_details_action] | |
| jsonPayload.rule_details.destination_address_groups | security_result.rule_labels[rule_details_destination_address_groups] | |
| jsonPayload.rule_details.destination_fqdn | security_result.rule_labels[rule_details_destination_fqdn] | |
| jsonPayload.rule_details.destination_range | security_result.rule_labels[rule_details_destination_range] | |
| jsonPayload.rule_details.destination_region_code | security_result.rule_labels[rule_details_destination_region_code] | |
| jsonPayload.rule_details.destination_threat_intelligence | security_result.rule_labels[rule_details_destination_threat_intelligence] | |
| jsonPayload.rule_details.ip_port_info.ip_protocol | security_result.rule_labels[rule_details_ip_port_info_ip_protocol] | |
| jsonPayload.rule_details.ip_port_info.port_range | security_result.rule_labels[rule_details_ip_port_info_port_range] | |
| jsonPayload.rule_details.source_address_groups | security_result.rule_labels[rule_details_source_address_groups] | |
| jsonPayload.rule_details.source_fqdn | security_result.rule_labels[rule_details_source_fqdn] | |
| jsonPayload.rule_details.source_range | security_result.rule_labels[rule_details_source_range] | |
| jsonPayload.rule_details.source_region_code | security_result.rule_labels[rule_details_source_region_code] | |
| jsonPayload.rule_details.source_service_account | security_result.rule_labels[rule_details_source_service_account] | |
| jsonPayload.rule_details.source_tag | security_result.rule_labels[rule_details_source_tag] | |
| jsonPayload.rule_details.source_threat_intelligence | security_result.rule_labels[rule_details_source_threat_intelligence] | |
| jsonPayload.rule_details.target_service_account | security_result.rule_labels[rule_details_target_service_account] | |
| jsonPayload.rule_details.target_tag | security_result.rule_labels[rule_details_target_tag] | |
| | security_result.rule_name | The rule_name is extracted from jsonPayload.rule_details.reference using a Grok pattern and mapped to the security_result.rule_name UDM field. |
| jsonPayload.connection.dest_ip | target.ip | |
| jsonPayload.remote_location.continent | target.labels[remote_location_continent] (deprecated) | If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_location.continent log field is mapped to the target.labels.remote_location_continent UDM field. |
| jsonPayload.remote_location.continent | additional.fields[remote_location_continent] | If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_location.continent log field is mapped to the additional.fields.remote_location_continent UDM field. |
| | | If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the log field is mapped to the UDM field. |
| | target.location.country_or_region | If the log field value is not empty or the jsonPayload.remote_location.region log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_location.region log field is mapped to the target.location.country_or_region UDM field. |
| jsonPayload.remote_location.region | target.location.country_or_region | If the log field value is not empty or the jsonPayload.remote_location.region log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_location.region log field is mapped to the target.location.country_or_region UDM field. |
| jsonPayload.instance.region | | If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.instance.region log field is mapped to the UDM field. |
| jsonPayload.remote_instance.region | | If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_instance.region log field is mapped to the UDM field. |
| jsonPayload.connection.dest_port | target.port | |
| resource.labels.location | | If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the resource.labels.location log field is mapped to the UDM field. |
| jsonPayload.vpc.vpc_name | | If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.vpc.vpc_name log field is mapped to the UDM field. |
| jsonPayload.vpc.subnetwork_name | | If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.vpc.subnetwork_name log field is mapped to the UDM field. |
| jsonPayload.remote_vpc.vpc_name | | If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_vpc.vpc_name log field is mapped to the UDM field. |
| jsonPayload.remote_vpc.subnetwork_name | | If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_vpc.subnetwork_name log field is mapped to the UDM field. |
| jsonPayload.vpc.project_id | target.resource_ancestors.product_object_id | If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.vpc.project_id log field is mapped to the target.resource_ancestors.product_object_id UDM field. |
| jsonPayload.remote_vpc.project_id | target.resource_ancestors.product_object_id | If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_vpc.project_id log field is mapped to the target.resource_ancestors.product_object_id UDM field. |
| resource.labels.subnetwork_id | target.resource_ancestors.product_object_id | If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the resource.labels.subnetwork_id log field is mapped to the target.resource_ancestors.product_object_id UDM field. |
| resource.type | target.resource_ancestors.resource_subtype | |
| | target.resource_ancestors.resource_type | If the jsonPayload.remote_vpc.vpc_name log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK. If the jsonPayload.remote_vpc.project_id log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the target.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT. If the jsonPayload.vpc.vpc_name log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK. If the jsonPayload.vpc.project_id log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the target.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT. |
| | | If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the log field is mapped to the UDM field. |
| | | If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the log field is mapped to the UDM field. |
| jsonPayload.instance.vm_name | target.resource.product_object_id | If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.instance.vm_name log field is mapped to the target.resource.product_object_id UDM field. |
| jsonPayload.remote_instance.vm_name | | If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_instance.vm_name log field is mapped to the UDM field. |
| | target.resource.resource_type | If the jsonPayload.remote_instance.vm_name log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE. If the jsonPayload.instance.vm_name log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE. |
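The Python script below is an added worked example, not the GCP_FIREWALL parser and not code from Google: it applies the unconditional rows of the table above, plus the direction-dependent rows whose UDM field the table names, to a constructed sample log entry, so that the normalized values a detection should expect can be checked in isolation. The sample entry, the `network:<vpc>/firewall:<rule>` format assumed for `rule_details.reference`, and the regular expression standing in for the Grok pattern the table mentions but does not show are all assumptions; rows whose UDM field is absent from the table, the rule_labels rows, and the subnetwork and resource.type ancestor rows are left out.

```python
import re
from typing import Any, Optional

# Constructed sample Google Cloud firewall log entry (not a real capture); the field
# names follow the mapping table and every value is illustrative.
SAMPLE_LOG: dict[str, Any] = {
    "insertId": "constructed-insert-id-0001",
    "logName": "projects/example-project/logs/compute.googleapis.com%2Ffirewall",
    "receiveTimestamp": "2024-01-01T00:00:01Z",
    "timestamp": "2024-01-01T00:00:00Z",
    "resource": {"type": "gce_subnetwork", "labels": {"firewall_rule_id": "1234567890"}},
    "jsonPayload": {
        "connection": {"src_ip": "203.0.113.10", "src_port": 51515,
                       "dest_ip": "10.0.0.5", "dest_port": 22, "protocol": 6},
        "rule_details": {"direction": "INGRESS", "disposition": "ALLOWED", "priority": 1000,
                         # Assumed format; the page only says a Grok pattern extracts the name.
                         "reference": "network:default/firewall:allow-ssh"},
        "remote_location": {"continent": "Europe", "region": "DE"},
        "remote_vpc": {"project_id": "remote-project"},
        "instance": {"vm_name": "web-1"},
        "vpc": {"project_id": "example-project"},
    },
}

# Value tables copied from the mapping rows.
IP_PROTOCOL = {6: "TCP", 17: "UDP", 1: "ICMP", 2: "IGMP"}
DIRECTION = {"EGRESS": "OUTBOUND", "INGRESS": "INBOUND"}
ACTION = {"ALLOWED": "ALLOW", "DENIED": "BLOCK"}
# Assumed stand-in for the undisclosed Grok pattern: the rule name after "firewall:".
RULE_REF = re.compile(r"firewall:(?P<rule_name>[^/]+)$")


def get(entry: dict, path: str) -> Any:
    """Walk a dotted path such as 'jsonPayload.connection.src_ip'; None if absent."""
    node: Any = entry
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def event_type(entry: dict) -> str:
    """metadata.event_type rule from the table: both IPs, only src_ip, or neither."""
    src = get(entry, "jsonPayload.connection.src_ip")
    if src and get(entry, "jsonPayload.connection.dest_ip"):
        return "NETWORK_CONNECTION"
    return "STATUS_UNCATEGORIZED" if src else "GENERIC_EVENT"


def rule_name(reference: Optional[str]) -> Optional[str]:
    """security_result.rule_name from rule_details.reference (assumed reference format)."""
    match = RULE_REF.search(reference or "")
    return match.group("rule_name") if match else None


def normalize(entry: dict) -> dict[str, Any]:
    """Flattened UDM view (dotted keys) of one entry; fields with no value are dropped."""
    direction = get(entry, "jsonPayload.rule_details.direction")
    reference = get(entry, "jsonPayload.rule_details.reference")
    udm: dict[str, Any] = {
        "metadata.collected_timestamp": entry.get("receiveTimestamp"),
        "metadata.event_timestamp": entry.get("timestamp"),
        "metadata.product_log_id": entry.get("insertId"),
        "metadata.product_name": "GCP Firewall",
        "metadata.vendor_name": "Google Cloud Platform",
        "metadata.event_type": event_type(entry),
        "network.direction": DIRECTION.get(direction),
        "network.ip_protocol": IP_PROTOCOL.get(get(entry, "jsonPayload.connection.protocol")),
        "principal.ip": get(entry, "jsonPayload.connection.src_ip"),
        "principal.port": get(entry, "jsonPayload.connection.src_port"),
        "target.ip": get(entry, "jsonPayload.connection.dest_ip"),
        "target.port": get(entry, "jsonPayload.connection.dest_port"),
        "security_result.action": ACTION.get(get(entry, "jsonPayload.rule_details.disposition")),
        "security_result.description": reference,
        "security_result.rule_name": rule_name(reference),
        "security_result.rule_id": get(entry, "resource.labels.firewall_rule_id"),
    }
    # Direction-dependent rows: the remote peer is the principal for INGRESS and the target for EGRESS.
    remote = {"INGRESS": "principal", "EGRESS": "target"}.get(direction)
    if remote:
        local = "target" if remote == "principal" else "principal"
        continent = get(entry, "jsonPayload.remote_location.continent")
        if continent:
            udm[f"{remote}.labels.remote_location_continent"] = continent  # deprecated row
            udm["additional.fields.remote_location_continent"] = continent
        udm[f"{remote}.location.country_or_region"] = get(entry, "jsonPayload.remote_location.region")
        for side, project in ((remote, get(entry, "jsonPayload.remote_vpc.project_id")),
                              (local, get(entry, "jsonPayload.vpc.project_id"))):
            if project:
                udm[f"{side}.resource_ancestors.product_object_id"] = project
                udm[f"{side}.resource_ancestors.resource_type"] = "CLOUD_PROJECT"
        if get(entry, "jsonPayload.instance.vm_name"):
            udm[f"{local}.resource.resource_type"] = "VIRTUAL_MACHINE"
    return {k: v for k, v in udm.items() if v is not None}


UDM_EVENT = normalize(SAMPLE_LOG)  # normalized view of the constructed sample entry
```

For the INGRESS sample entry, `UDM_EVENT` places the remote peer's region and project under `principal` and the logging VM's project and VIRTUAL_MACHINE type under `target`; feeding an EGRESS entry through `normalize` swaps the two sides, which is the behaviour to keep in mind when writing detections that key on `principal.ip` versus `target.ip`.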
What's next