Google Cloud Firewall のログを収集する
このドキュメントでは、Google Security Operations への Google Cloud テレメトリーの取り込みを有効にして Google Cloud Firewall ログを収集する方法と、Google Cloud Firewall ログのログ フィールドを Google Security Operations 統合データモデル(UDM)フィールドにマッピングする方法について説明します。 また、サポートされている Google Cloud ファイアウォールのバージョンについても説明します。
詳細については、Google Security Operations へのデータの取り込みの概要をご覧ください。
一般的なデプロイは、Google Security Operations への取り込みに対して有効になっている Google Cloud Firewall ログで構成されています。お客様のデプロイはそれぞれこの表現とは異なる可能性があり、より複雑になることがあります。
デプロイには次のコンポーネントが含まれます。
Google Cloud: ログの収集元となる Google Cloud サービスとプロダクト。
Google Cloud Firewall のログ: Google Security Operations への取り込みに対して有効になっている Google Cloud Firewall のログ。
Google Security Operations: Google Security Operations は Google Cloud Firewall のログを保持して分析します。
取り込みラベルによって、未加工のログデータを構造化 UDM 形式に正規化するパーサーが識別されます。このドキュメントの情報は、取り込みラベル GCP_FIREWALL が付加されたパーサーに適用されます。
準備
Google Cloud Firewall バージョン 1 を使用していることを確認します。
デプロイ アーキテクチャ内のすべてのシステムが、UTC タイムゾーンに構成されていることを確認します。
Google Cloud Firewall ログを取り込むように Google Cloud を構成する
Google Cloud Firewall ログを Google Security Operations に取り込むには、Google Cloud ログを Google Security Operations に取り込むの手順に従います。
Google Cloud Firewall ログを取り込むときに問題が発生した場合は、Google Security Operations サポートにお問い合わせください。
フィールド マッピング リファレンス
次の表に、GCP_FIREWALL ログタイプのログ フィールドと、対応する UDM フィールドを示します。
| Log field | UDM mapping | Logic |
|---|---|---|
receiveTimestamp |
metadata.collected_timestamp |
|
timestamp |
metadata.event_timestamp |
|
logName |
metadata.product_event_type |
|
|
metadata.event_type |
If the jsonPayload.connection.src_ip log field value is not empty and the jsonPayload.connection.dest_ip log field value is not empty, then the metadata.event_type UDM field is set to NETWORK_CONNECTION.Else, if the jsonPayload.connection.src_ip log field value is not empty, then the metadata.event_type UDM field is set to STATUS_UNCATEGORIZED.Else, the metadata.event_type UDM field is set to GENERIC_EVENT. |
insertId |
metadata.product_log_id |
|
|
metadata.product_name |
The metadata.product_name UDM field is set to GCP Firewall. |
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to Google Cloud Platform. |
jsonPayload.rule_details.direction |
network.direction |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the network.direction UDM field is set to OUTBOUND.Else, if the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the network.direction UDM field is set to INBOUND. |
jsonPayload.connection.protocol |
network.ip_protocol |
If the jsonPayload.connection.protocol log field value is equal to 6, then the network.ip_protocol UDM field is set to TCP.If the jsonPayload.connection.protocol log field value is equal to 17, then the network.ip_protocol UDM field is set to UDP.If the jsonPayload.connection.protocol log field value is equal to 1, then the network.ip_protocol UDM field is set to ICMP.If the jsonPayload.connection.protocol log field value is equal to 2, then the network.ip_protocol UDM field is set to IGMP. |
jsonPayload.connection.src_ip |
principal.ip |
|
jsonPayload.remote_location.continent |
principal.labels[remote_location_continent] (deprecated) |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_location.continent log field is mapped to the principal.labels.remote_location_continent UDM field. |
jsonPayload.remote_location.continent |
additional.fields[remote_location_continent] |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_location.continent log field is mapped to the additional.fields.remote_location_continent UDM field. |
jsonPayload.remote_location.city |
principal.location.city |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_location.city log field is mapped to the principal.location.city UDM field. |
jsonPayload.remote_location.country |
principal.location.country_or_region |
If the jsonPayload.remote_location.country log field value is not empty or the jsonPayload.remote_location.region log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_location.country jsonPayload.remote_location.region log field is mapped to the principal.location.country_or_region UDM field. |
jsonPayload.remote_location.region |
principal.location.country_or_region |
If the jsonPayload.remote_location.country log field value is not empty or the jsonPayload.remote_location.region log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_location.country jsonPayload.remote_location.region log field is mapped to the principal.location.country_or_region UDM field. |
jsonPayload.instance.region |
principal.location.name |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.instance.region log field is mapped to the principal.location.name UDM field. |
jsonPayload.remote_instance.region |
principal.location.name |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_instance.region log field is mapped to the principal.location.name UDM field. |
jsonPayload.connection.src_port |
principal.port |
|
resource.labels.location |
principal.resource_ancestors.attribute.cloud.availability_zone |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the resource.labels.location log field is mapped to the principal.resource_ancestors.attribute.cloud.availability_zone UDM field. |
jsonPayload.vpc.vpc_name |
principal.resource_ancestors.name |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.vpc.vpc_name log field is mapped to the principal.resource_ancestors.name UDM field. |
jsonPayload.vpc.subnetwork_name |
principal.resource_ancestors.name |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.vpc.subnetwork_name log field is mapped to the principal.resource_ancestors.name UDM field. |
jsonPayload.remote_vpc.vpc_name |
principal.resource_ancestors.name |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_vpc.vpc_name log field is mapped to the principal.resource_ancestors.name UDM field. |
jsonPayload.remote_vpc.subnetwork_name |
principal.resource_ancestors.name |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_vpc.subnetwork_name log field is mapped to the principal.resource_ancestors.name UDM field. |
jsonPayload.vpc.project_id |
principal.resource_ancestors.product_object_id |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.vpc.project_id log field is mapped to the principal.resource_ancestors.product_object_id UDM field. |
jsonPayload.remote_vpc.project_id |
principal.resource_ancestors.product_object_id |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_vpc.project_id log field is mapped to the principal.resource_ancestors.product_object_id UDM field. |
resource.labels.subnetwork_id |
principal.resource_ancestors.product_object_id |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the resource.labels.subnetwork_id log field is mapped to the principal.resource_ancestors.product_object_id UDM field. |
resource.type |
principal.resource_ancestors.resource_subtype |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the resource.type log field is mapped to the principal.resource_ancestors.resource_subtype UDM field. |
|
principal.resource_ancestors.resource_type |
If the jsonPayload.vpc.vpc_name log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the principal.resource_ancestors.resource_type UDM field is set to VPC_NETWORK.If the jsonPayload.vpc.project_id log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the principal.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT.If the jsonPayload.remote_vpc.vpc_name log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the principal.resource_ancestors.resource_type UDM field is set to VPC_NETWORK.If the jsonPayload.remote_vpc.project_id log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the principal.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT. |
jsonPayload.instance.zone |
principal.resource.attribute.cloud.availability_zone |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.instance.zone log field is mapped to the principal.resource.attribute.cloud.availability_zone UDM field. |
jsonPayload.remote_instance.zone |
principal.resource.attribute.cloud.availability_zone |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_instance.zone log field is mapped to the principal.resource.attribute.cloud.availability_zone UDM field. |
jsonPayload.instance.vm_name |
principal.resource.name |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.instance.vm_name log field is mapped to the principal.resource.name UDM field. |
jsonPayload.remote_instance.vm_name |
principal.resource.name |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_instance.vm_name log field is mapped to the principal.resource.name UDM field. |
|
principal.resource.resource_type |
If the jsonPayload.instance.vm_name log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the principal.resource.resource_type UDM field is set to VIRTUAL_MACHINE.If the jsonPayload.remote_instance.vm_name log field value is not empty the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the principal.resource.resource_type UDM field is set to VIRTUAL_MACHINE. |
|
security_result.action |
If the jsonPayload.rule_details.disposition log field value is equal to ALLOWED, then the security_result.action UDM field is set to ALLOW.Else, if the jsonPayload.rule_details.disposition log field value is equal to DENIED, then the security_result.action UDM field is set to BLOCK. |
jsonPayload.disposition |
security_result.action_details |
|
jsonPayload.rule_details.reference |
security_result.description |
|
jsonPayload.rule_details.priority |
security_result.priority_details |
|
resource.labels.firewall_rule_id |
security_result.rule_id |
|
jsonPayload.rule_details.action |
security_result.rule_labels[rule_details_action] |
|
jsonPayload.rule_details.destination_address_groups |
security_result.rule_labels[rule_details_destination_address_groups] |
|
jsonPayload.rule_details.destination_fqdn |
security_result.rule_labels[rule_details_destination_fqdn] |
|
jsonPayload.rule_details.destination_range |
security_result.rule_labels[rule_details_destination_range] |
|
jsonPayload.rule_details.destination_region_code |
security_result.rule_labels[rule_details_destination_region_code] |
|
jsonPayload.rule_details.destination_threat_intelligence |
security_result.rule_labels[rule_details_destination_threat_intelligence] |
|
jsonPayload.rule_details.ip_port_info.ip_protocol |
security_result.rule_labels[rule_details_ip_port_info_ip_protocol] |
|
jsonPayload.rule_details.ip_port_info.port_range |
security_result.rule_labels[rule_details_ip_port_info_port_range] |
|
jsonPayload.rule_details.source_address_groups |
security_result.rule_labels[rule_details_source_address_groups] |
|
jsonPayload.rule_details.source_fqdn |
security_result.rule_labels[rule_details_source_fqdn] |
|
jsonPayload.rule_details.source_range |
security_result.rule_labels[rule_details_source_range] |
|
jsonPayload.rule_details.source_region_code |
security_result.rule_labels[rule_details_source_region_code] |
|
jsonPayload.rule_details.source_service_account |
security_result.rule_labels[rule_details_source_service_account] |
|
jsonPayload.rule_details.source_tag |
security_result.rule_labels[rule_details_source_tag] |
|
jsonPayload.rule_details.source_threat_intelligence |
security_result.rule_labels[rule_details_source_threat_intelligence] |
|
jsonPayload.rule_details.target_service_account |
security_result.rule_labels[rule_details_target_service_account] |
|
jsonPayload.rule_details.target_tag |
security_result.rule_labels[rule_details_target_tag] |
|
|
security_result.rule_name |
Extracted rule_name from jsonPayload.rule_details.reference using Grok pattern and mapped it to the security_result.rule_name UDM field. |
jsonPayload.connection.dest_ip |
target.ip |
|
jsonPayload.remote_location.continent |
target.labels[remote_location_continent] (deprecated) |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_location.continent log field is mapped to the target.labels.remote_location_continent UDM field. |
jsonPayload.remote_location.continent |
additional.fields[remote_location_continent] |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_location.continent log field is mapped to the additional.fields.remote_location_continent UDM field. |
jsonPayload.remote_location.city |
target.location.city |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_location.city log field is mapped to the target.location.city UDM field. |
jsonPayload.remote_location.country |
target.location.country_or_region |
If the jsonPayload.remote_location.country log field value is not empty or the jsonPayload.remote_location.region log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_location.country jsonPayload.remote_location.region log field is mapped to the target.location.country_or_region UDM field. |
jsonPayload.remote_location.region |
target.location.country_or_region |
If the jsonPayload.remote_location.country log field value is not empty or the jsonPayload.remote_location.region log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_location.country jsonPayload.remote_location.region log field is mapped to the target.location.country_or_region UDM field. |
jsonPayload.instance.region |
target.location.name |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.instance.region log field is mapped to the target.location.name UDM field. |
jsonPayload.remote_instance.region |
target.location.name |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_instance.region log field is mapped to the target.location.name UDM field. |
jsonPayload.connection.dest_port |
target.port |
|
resource.labels.location |
target.resource_ancestors.attribute.cloud.availability_zone |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the resource.labels.location log field is mapped to the target.resource_ancestors.attribute.cloud.availability_zone UDM field. |
jsonPayload.vpc.vpc_name |
target.resource_ancestors.name |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.vpc.vpc_name log field is mapped to the target.resource_ancestors.name UDM field. |
jsonPayload.vpc.subnetwork_name |
target.resource_ancestors.name |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.vpc.subnetwork_name log field is mapped to the target.resource_ancestors.name UDM field. |
jsonPayload.remote_vpc.vpc_name |
target.resource_ancestors.name |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_vpc.vpc_name log field is mapped to the target.resource_ancestors.name UDM field. |
jsonPayload.remote_vpc.subnetwork_name |
target.resource_ancestors.name |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_vpc.subnetwork_name log field is mapped to the target.resource_ancestors.name UDM field. |
jsonPayload.vpc.project_id |
target.resource_ancestors.product_object_id |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.vpc.project_id log field is mapped to the target.resource_ancestors.product_object_id UDM field. |
jsonPayload.remote_vpc.project_id |
target.resource_ancestors.product_object_id |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_vpc.project_id log field is mapped to the target.resource_ancestors.product_object_id UDM field. |
resource.labels.subnetwork_id |
target.resource_ancestors.product_object_id |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the resource.labels.subnetwork_id log field is mapped to the target.resource_ancestors.product_object_id UDM field. |
resource.type |
target.resource_ancestors.resource_subtype |
|
|
target.resource_ancestors.resource_type |
If the jsonPayload.remote_vpc.vpc_name log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK.If the jsonPayload.remote_vpc.project_id log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the target.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT.If the jsonPayload.vpc.vpc_name log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK.If the jsonPayload.vpc.project_id log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the target.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT. |
jsonPayload.instance.zone |
target.resource.attribute.cloud.availability_zone |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.instance.zone log field is mapped to the target.resource.attribute.cloud.availability_zone UDM field. |
jsonPayload.remote_instance.zone |
target.resource.attribute.cloud.availability_zone |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_instance.zone log field is mapped to the target.resource.attribute.cloud.availability_zone UDM field. |
jsonPayload.instance.vm_name |
target.resource.name |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.instance.vm_name log field is mapped to the target.resource.product_object_id UDM field. |
jsonPayload.remote_instance.vm_name |
target.resource.name |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_instance.vm_name log field is mapped to the target.resource.name UDM field. |
|
target.resource.resource_type |
If the jsonPayload.remote_instance.vm_name log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE.If the jsonPayload.instance.vm_name log field value is not empty the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE. |