Collecter les journaux de pare-feu Google Cloud
Ce document explique comment collecter des journaux de pare-feu Google Cloud en activant l'ingestion de télémétrie de Google Cloud dans Google Security Operations et comment les champs de journaux des journaux de pare-feu Google Cloud sont mappés avec les champs de modèle de données unifié (UDM) Google Security Operations. Ce document liste également les versions compatibles du pare-feu Google Cloud.
Pour en savoir plus, consultez Ingestion de données dans Google Security Operations.
Un déploiement type comprend des journaux de pare-feu Google Cloud dont l'ingestion dans Google Security Operations est activée. Chaque déploiement client peut différer de cette représentation et être plus complexe.
Le déploiement contient les composants suivants:
Google Cloud: services et produits Google Cloud à partir desquels vous collectez des journaux.
Journaux de pare-feu Google Cloud: journaux de pare-feu Google Cloud dont l'ingestion dans Google Security Operations est activée.
Google Security Operations: Google Security Operations conserve et analyse les journaux du pare-feu Google Cloud.
Une étiquette d'ingestion identifie l'analyseur qui normalise les données de journaux brutes au format UDM structuré. Les informations de ce document s'appliquent à l'analyseur doté de l'étiquette d'ingestion GCP_FIREWALL
.
Avant de commencer
Assurez-vous d'utiliser le pare-feu Google Cloud version 1.
Assurez-vous que tous les systèmes de l'architecture de déploiement sont configurés dans le fuseau horaire UTC.
Configurer Google Cloud pour ingérer les journaux de pare-feu Google Cloud
Pour ingérer des journaux de pare-feu Google Cloud dans Google Security Operations, suivez la procédure décrite sur la page Ingérer les journaux Google Cloud dans Google Security Operations.
Si vous rencontrez des problèmes lors de l'ingestion des journaux de pare-feu Google Cloud, contactez l'assistance Google Security Operations.
Documentation de référence sur le mappage de champs
Le tableau suivant répertorie les champs de journal du type de journal GCP_FIREWALL
et les champs UDM correspondants.
Log field | UDM mapping | Logic |
---|---|---|
receiveTimestamp |
metadata.collected_timestamp |
|
timestamp |
metadata.event_timestamp |
|
logName |
metadata.product_event_type |
|
|
metadata.event_type |
If the jsonPayload.connection.src_ip log field value is not empty and the jsonPayload.connection.dest_ip log field value is not empty, then the metadata.event_type UDM field is set to NETWORK_CONNECTION .Else, if the jsonPayload.connection.src_ip log field value is not empty, then the metadata.event_type UDM field is set to STATUS_UNCATEGORIZED .Else, the metadata.event_type UDM field is set to GENERIC_EVENT . |
insertId |
metadata.product_log_id |
|
|
metadata.product_name |
The metadata.product_name UDM field is set to GCP Firewall . |
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to Google Cloud Platform . |
jsonPayload.rule_details.direction |
network.direction |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS , then the network.direction UDM field is set to OUTBOUND .Else, if the jsonPayload.rule_details.direction log field value is equal to INGRESS , then the network.direction UDM field is set to INBOUND . |
jsonPayload.connection.protocol |
network.ip_protocol |
If the jsonPayload.connection.protocol log field value is equal to 6 , then the network.ip_protocol UDM field is set to TCP .If the jsonPayload.connection.protocol log field value is equal to 17 , then the network.ip_protocol UDM field is set to UDP .If the jsonPayload.connection.protocol log field value is equal to 1 , then the network.ip_protocol UDM field is set to ICMP .If the jsonPayload.connection.protocol log field value is equal to 2 , then the network.ip_protocol UDM field is set to IGMP . |
jsonPayload.connection.src_ip |
principal.ip |
|
jsonPayload.remote_location.continent |
principal.labels[remote_location_continent] (deprecated) |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS , then the jsonPayload.remote_location.continent log field is mapped to the principal.labels.remote_location_continent UDM field. |
jsonPayload.remote_location.continent |
additional.fields[remote_location_continent] |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS , then the jsonPayload.remote_location.continent log field is mapped to the additional.fields.remote_location_continent UDM field. |
jsonPayload.remote_location.city |
principal.location.city |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS , then the jsonPayload.remote_location.city log field is mapped to the principal.location.city UDM field. |
jsonPayload.remote_location.country |
principal.location.country_or_region |
If the jsonPayload.remote_location.country log field value is not empty or the jsonPayload.remote_location.region log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to INGRESS , then the jsonPayload.remote_location.country jsonPayload.remote_location.region log field is mapped to the principal.location.country_or_region UDM field. |
jsonPayload.remote_location.region |
principal.location.country_or_region |
If the jsonPayload.remote_location.country log field value is not empty or the jsonPayload.remote_location.region log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to INGRESS , then the jsonPayload.remote_location.country jsonPayload.remote_location.region log field is mapped to the principal.location.country_or_region UDM field. |
jsonPayload.instance.region |
principal.location.name |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS , then the jsonPayload.instance.region log field is mapped to the principal.location.name UDM field. |
jsonPayload.remote_instance.region |
principal.location.name |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS , then the jsonPayload.remote_instance.region log field is mapped to the principal.location.name UDM field. |
jsonPayload.connection.src_port |
principal.port |
|
resource.labels.location |
principal.resource_ancestors.attribute.cloud.availability_zone |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS , then the resource.labels.location log field is mapped to the principal.resource_ancestors.attribute.cloud.availability_zone UDM field. |
jsonPayload.vpc.vpc_name |
principal.resource_ancestors.name |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS , then the jsonPayload.vpc.vpc_name log field is mapped to the principal.resource_ancestors.name UDM field. |
jsonPayload.vpc.subnetwork_name |
principal.resource_ancestors.name |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS , then the jsonPayload.vpc.subnetwork_name log field is mapped to the principal.resource_ancestors.name UDM field. |
jsonPayload.remote_vpc.vpc_name |
principal.resource_ancestors.name |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS , then the jsonPayload.remote_vpc.vpc_name log field is mapped to the principal.resource_ancestors.name UDM field. |
jsonPayload.remote_vpc.subnetwork_name |
principal.resource_ancestors.name |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS , then the jsonPayload.remote_vpc.subnetwork_name log field is mapped to the principal.resource_ancestors.name UDM field. |
jsonPayload.vpc.project_id |
principal.resource_ancestors.product_object_id |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS , then the jsonPayload.vpc.project_id log field is mapped to the principal.resource_ancestors.product_object_id UDM field. |
jsonPayload.remote_vpc.project_id |
principal.resource_ancestors.product_object_id |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS , then the jsonPayload.remote_vpc.project_id log field is mapped to the principal.resource_ancestors.product_object_id UDM field. |
resource.labels.subnetwork_id |
principal.resource_ancestors.product_object_id |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS , then the resource.labels.subnetwork_id log field is mapped to the principal.resource_ancestors.product_object_id UDM field. |
resource.type |
principal.resource_ancestors.resource_subtype |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS , then the resource.type log field is mapped to the principal.resource_ancestors.resource_subtype UDM field. |
|
principal.resource_ancestors.resource_type |
If the jsonPayload.vpc.vpc_name log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS , then the principal.resource_ancestors.resource_type UDM field is set to VPC_NETWORK .If the jsonPayload.vpc.project_id log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS , then the principal.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT .If the jsonPayload.remote_vpc.vpc_name log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to INGRESS , then the principal.resource_ancestors.resource_type UDM field is set to VPC_NETWORK .If the jsonPayload.remote_vpc.project_id log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to INGRESS , then the principal.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT . |
jsonPayload.instance.zone |
principal.resource.attribute.cloud.availability_zone |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS , then the jsonPayload.instance.zone log field is mapped to the principal.resource.attribute.cloud.availability_zone UDM field. |
jsonPayload.remote_instance.zone |
principal.resource.attribute.cloud.availability_zone |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS , then the jsonPayload.remote_instance.zone log field is mapped to the principal.resource.attribute.cloud.availability_zone UDM field. |
jsonPayload.instance.vm_name |
principal.resource.name |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS , then the jsonPayload.instance.vm_name log field is mapped to the principal.resource.name UDM field. |
jsonPayload.remote_instance.vm_name |
principal.resource.name |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS , then the jsonPayload.remote_instance.vm_name log field is mapped to the principal.resource.name UDM field. |
|
principal.resource.resource_type |
If the jsonPayload.instance.vm_name log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS , then the principal.resource.resource_type UDM field is set to VIRTUAL_MACHINE .If the jsonPayload.remote_instance.vm_name log field value is not empty the jsonPayload.rule_details.direction log field value is equal to INGRESS , then the principal.resource.resource_type UDM field is set to VIRTUAL_MACHINE . |
|
security_result.action |
If the jsonPayload.rule_details.disposition log field value is equal to ALLOWED , then the security_result.action UDM field is set to ALLOW .Else, if the jsonPayload.rule_details.disposition log field value is equal to DENIED , then the security_result.action UDM field is set to BLOCK . |
jsonPayload.disposition |
security_result.action_details |
|
jsonPayload.rule_details.reference |
security_result.description |
|
jsonPayload.rule_details.priority |
security_result.priority_details |
|
resource.labels.firewall_rule_id |
security_result.rule_id |
|
jsonPayload.rule_details.action |
security_result.rule_labels[rule_details_action] |
|
jsonPayload.rule_details.destination_address_groups |
security_result.rule_labels[rule_details_destination_address_groups] |
|
jsonPayload.rule_details.destination_fqdn |
security_result.rule_labels[rule_details_destination_fqdn] |
|
jsonPayload.rule_details.destination_range |
security_result.rule_labels[rule_details_destination_range] |
|
jsonPayload.rule_details.destination_region_code |
security_result.rule_labels[rule_details_destination_region_code] |
|
jsonPayload.rule_details.destination_threat_intelligence |
security_result.rule_labels[rule_details_destination_threat_intelligence] |
|
jsonPayload.rule_details.ip_port_info.ip_protocol |
security_result.rule_labels[rule_details_ip_port_info_ip_protocol] |
|
jsonPayload.rule_details.ip_port_info.port_range |
security_result.rule_labels[rule_details_ip_port_info_port_range] |
|
jsonPayload.rule_details.source_address_groups |
security_result.rule_labels[rule_details_source_address_groups] |
|
jsonPayload.rule_details.source_fqdn |
security_result.rule_labels[rule_details_source_fqdn] |
|
jsonPayload.rule_details.source_range |
security_result.rule_labels[rule_details_source_range] |
|
jsonPayload.rule_details.source_region_code |
security_result.rule_labels[rule_details_source_region_code] |
|
jsonPayload.rule_details.source_service_account |
security_result.rule_labels[rule_details_source_service_account] |
|
jsonPayload.rule_details.source_tag |
security_result.rule_labels[rule_details_source_tag] |
|
jsonPayload.rule_details.source_threat_intelligence |
security_result.rule_labels[rule_details_source_threat_intelligence] |
|
jsonPayload.rule_details.target_service_account |
security_result.rule_labels[rule_details_target_service_account] |
|
jsonPayload.rule_details.target_tag |
security_result.rule_labels[rule_details_target_tag] |
|
|
security_result.rule_name |
Extracted rule_name from jsonPayload.rule_details.reference using Grok pattern and mapped it to the security_result.rule_name UDM field. |
jsonPayload.connection.dest_ip |
target.ip |
|
jsonPayload.remote_location.continent |
target.labels[remote_location_continent] (deprecated) |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS , then the jsonPayload.remote_location.continent log field is mapped to the target.labels.remote_location_continent UDM field. |
jsonPayload.remote_location.continent |
additional.fields[remote_location_continent] |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS , then the jsonPayload.remote_location.continent log field is mapped to the additional.fields.remote_location_continent UDM field. |
jsonPayload.remote_location.city |
target.location.city |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS , then the jsonPayload.remote_location.city log field is mapped to the target.location.city UDM field. |
jsonPayload.remote_location.country |
target.location.country_or_region |
If the jsonPayload.remote_location.country log field value is not empty or the jsonPayload.remote_location.region log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS , then the jsonPayload.remote_location.country jsonPayload.remote_location.region log field is mapped to the target.location.country_or_region UDM field. |
jsonPayload.remote_location.region |
target.location.country_or_region |
If the jsonPayload.remote_location.country log field value is not empty or the jsonPayload.remote_location.region log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS , then the jsonPayload.remote_location.country jsonPayload.remote_location.region log field is mapped to the target.location.country_or_region UDM field. |
jsonPayload.instance.region |
target.location.name |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS , then the jsonPayload.instance.region log field is mapped to the target.location.name UDM field. |
jsonPayload.remote_instance.region |
target.location.name |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS , then the jsonPayload.remote_instance.region log field is mapped to the target.location.name UDM field. |
jsonPayload.connection.dest_port |
target.port |
|
resource.labels.location |
target.resource_ancestors.attribute.cloud.availability_zone |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS , then the resource.labels.location log field is mapped to the target.resource_ancestors.attribute.cloud.availability_zone UDM field. |
jsonPayload.vpc.vpc_name |
target.resource_ancestors.name |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS , then the jsonPayload.vpc.vpc_name log field is mapped to the target.resource_ancestors.name UDM field. |
jsonPayload.vpc.subnetwork_name |
target.resource_ancestors.name |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS , then the jsonPayload.vpc.subnetwork_name log field is mapped to the target.resource_ancestors.name UDM field. |
jsonPayload.remote_vpc.vpc_name |
target.resource_ancestors.name |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS , then the jsonPayload.remote_vpc.vpc_name log field is mapped to the target.resource_ancestors.name UDM field. |
jsonPayload.remote_vpc.subnetwork_name |
target.resource_ancestors.name |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS , then the jsonPayload.remote_vpc.subnetwork_name log field is mapped to the target.resource_ancestors.name UDM field. |
jsonPayload.vpc.project_id |
target.resource_ancestors.product_object_id |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS , then the jsonPayload.vpc.project_id log field is mapped to the target.resource_ancestors.product_object_id UDM field. |
jsonPayload.remote_vpc.project_id |
target.resource_ancestors.product_object_id |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS , then the jsonPayload.remote_vpc.project_id log field is mapped to the target.resource_ancestors.product_object_id UDM field. |
resource.labels.subnetwork_id |
target.resource_ancestors.product_object_id |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS , then the resource.labels.subnetwork_id log field is mapped to the target.resource_ancestors.product_object_id UDM field. |
resource.type |
target.resource_ancestors.resource_subtype |
|
|
target.resource_ancestors.resource_type |
If the jsonPayload.remote_vpc.vpc_name log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS , then the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK .If the jsonPayload.remote_vpc.project_id log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS , then the target.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT .If the jsonPayload.vpc.vpc_name log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to INGRESS , then the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK .If the jsonPayload.vpc.project_id log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to INGRESS , then the target.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT . |
jsonPayload.instance.zone |
target.resource.attribute.cloud.availability_zone |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS , then the jsonPayload.instance.zone log field is mapped to the target.resource.attribute.cloud.availability_zone UDM field. |
jsonPayload.remote_instance.zone |
target.resource.attribute.cloud.availability_zone |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS , then the jsonPayload.remote_instance.zone log field is mapped to the target.resource.attribute.cloud.availability_zone UDM field. |
jsonPayload.instance.vm_name |
target.resource.name |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS , then the jsonPayload.instance.vm_name log field is mapped to the target.resource.product_object_id UDM field. |
jsonPayload.remote_instance.vm_name |
target.resource.name |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS , then the jsonPayload.remote_instance.vm_name log field is mapped to the target.resource.name UDM field. |
|
target.resource.resource_type |
If the jsonPayload.remote_instance.vm_name log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS , then the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE .If the jsonPayload.instance.vm_name log field value is not empty the jsonPayload.rule_details.direction log field value is equal to INGRESS , then the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE . |