Google Cloud 방화벽 로그 수집
이 문서에서는 Google Security Operations에 Google Cloud 원격 분석 수집을 사용 설정하여 Google Cloud 방화벽 로그를 수집하는 방법과 Google Cloud 방화벽 로그의 로그 필드가 Google Security Operations 통합 데이터 모델(UDM) 필드에 매핑되는 방식을 설명합니다. 이 문서에서는 지원되는 Google Cloud 방화벽 버전도 보여줍니다.
자세한 내용은 Google Security Operations에 데이터 수집을 참조하세요.
일반적인 배포는 Google Security Operations에 수집을 위해 사용 설정된 Google Cloud 방화벽 로그로 구성됩니다. 각 고객 배포는 이 표현과 다를 수 있고 더 복잡할 수 있습니다.
배포에는 다음 구성요소가 포함됩니다.
Google Cloud: 로그를 수집하는 Google Cloud 서비스 및 제품입니다.
Google Cloud 방화벽 로그: Google Security Operations에 수집을 위해 사용 설정된 Google Cloud 방화벽 로그입니다.
Google Security Operations: Google Security Operations는 Google Cloud 방화벽의 로그를 보관하고 분석합니다.
수집 라벨은 원시 로그 데이터를 구조화된 UDM 형식으로 정규화하는 파서를 식별합니다. 이 문서의 정보는 GCP_FIREWALL 수집 라벨이 있는 파서에 적용됩니다.
시작하기 전에
Google Cloud 방화벽 버전 1을 사용 중인지 확인합니다.
배포 아키텍처의 모든 시스템이 UTC 시간대로 구성되었는지 확인합니다.
Google Cloud 방화벽 로그를 수집하도록 Google Cloud 구성
Google Cloud IDS 방화벽 로그를 Google Security Operations에 수집하려면 Google Security Operations에 Google Cloud 로그 수집 페이지의 단계를 수행합니다.
Google Cloud 방화벽 로그를 수집할 때 문제가 발생하면 Google Security Operations 지원팀에 문의하세요.
필드 매핑 참조
다음 표에는 GCP_FIREWALL 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
| Log field | UDM mapping | Logic |
|---|---|---|
receiveTimestamp |
metadata.collected_timestamp |
|
timestamp |
metadata.event_timestamp |
|
logName |
metadata.product_event_type |
|
|
metadata.event_type |
If the jsonPayload.connection.src_ip log field value is not empty and the jsonPayload.connection.dest_ip log field value is not empty, then the metadata.event_type UDM field is set to NETWORK_CONNECTION.Else, if the jsonPayload.connection.src_ip log field value is not empty, then the metadata.event_type UDM field is set to STATUS_UNCATEGORIZED.Else, the metadata.event_type UDM field is set to GENERIC_EVENT. |
insertId |
metadata.product_log_id |
|
|
metadata.product_name |
The metadata.product_name UDM field is set to GCP Firewall. |
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to Google Cloud Platform. |
jsonPayload.rule_details.direction |
network.direction |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the network.direction UDM field is set to OUTBOUND.Else, if the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the network.direction UDM field is set to INBOUND. |
jsonPayload.connection.protocol |
network.ip_protocol |
If the jsonPayload.connection.protocol log field value is equal to 6, then the network.ip_protocol UDM field is set to TCP.If the jsonPayload.connection.protocol log field value is equal to 17, then the network.ip_protocol UDM field is set to UDP.If the jsonPayload.connection.protocol log field value is equal to 1, then the network.ip_protocol UDM field is set to ICMP.If the jsonPayload.connection.protocol log field value is equal to 2, then the network.ip_protocol UDM field is set to IGMP. |
jsonPayload.connection.src_ip |
principal.ip |
|
jsonPayload.remote_location.continent |
principal.labels[remote_location_continent] (deprecated) |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_location.continent log field is mapped to the principal.labels.remote_location_continent UDM field. |
jsonPayload.remote_location.continent |
additional.fields[remote_location_continent] |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_location.continent log field is mapped to the additional.fields.remote_location_continent UDM field. |
jsonPayload.remote_location.city |
principal.location.city |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_location.city log field is mapped to the principal.location.city UDM field. |
jsonPayload.remote_location.country |
principal.location.country_or_region |
If the jsonPayload.remote_location.country log field value is not empty or the jsonPayload.remote_location.region log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_location.country jsonPayload.remote_location.region log field is mapped to the principal.location.country_or_region UDM field. |
jsonPayload.remote_location.region |
principal.location.country_or_region |
If the jsonPayload.remote_location.country log field value is not empty or the jsonPayload.remote_location.region log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_location.country jsonPayload.remote_location.region log field is mapped to the principal.location.country_or_region UDM field. |
jsonPayload.instance.region |
principal.location.name |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.instance.region log field is mapped to the principal.location.name UDM field. |
jsonPayload.remote_instance.region |
principal.location.name |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_instance.region log field is mapped to the principal.location.name UDM field. |
jsonPayload.connection.src_port |
principal.port |
|
resource.labels.location |
principal.resource_ancestors.attribute.cloud.availability_zone |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the resource.labels.location log field is mapped to the principal.resource_ancestors.attribute.cloud.availability_zone UDM field. |
jsonPayload.vpc.vpc_name |
principal.resource_ancestors.name |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.vpc.vpc_name log field is mapped to the principal.resource_ancestors.name UDM field. |
jsonPayload.vpc.subnetwork_name |
principal.resource_ancestors.name |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.vpc.subnetwork_name log field is mapped to the principal.resource_ancestors.name UDM field. |
jsonPayload.remote_vpc.vpc_name |
principal.resource_ancestors.name |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_vpc.vpc_name log field is mapped to the principal.resource_ancestors.name UDM field. |
jsonPayload.remote_vpc.subnetwork_name |
principal.resource_ancestors.name |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_vpc.subnetwork_name log field is mapped to the principal.resource_ancestors.name UDM field. |
jsonPayload.vpc.project_id |
principal.resource_ancestors.product_object_id |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.vpc.project_id log field is mapped to the principal.resource_ancestors.product_object_id UDM field. |
jsonPayload.remote_vpc.project_id |
principal.resource_ancestors.product_object_id |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_vpc.project_id log field is mapped to the principal.resource_ancestors.product_object_id UDM field. |
resource.labels.subnetwork_id |
principal.resource_ancestors.product_object_id |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the resource.labels.subnetwork_id log field is mapped to the principal.resource_ancestors.product_object_id UDM field. |
resource.type |
principal.resource_ancestors.resource_subtype |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the resource.type log field is mapped to the principal.resource_ancestors.resource_subtype UDM field. |
|
principal.resource_ancestors.resource_type |
If the jsonPayload.vpc.vpc_name log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the principal.resource_ancestors.resource_type UDM field is set to VPC_NETWORK.If the jsonPayload.vpc.project_id log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the principal.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT.If the jsonPayload.remote_vpc.vpc_name log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the principal.resource_ancestors.resource_type UDM field is set to VPC_NETWORK.If the jsonPayload.remote_vpc.project_id log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the principal.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT. |
jsonPayload.instance.zone |
principal.resource.attribute.cloud.availability_zone |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.instance.zone log field is mapped to the principal.resource.attribute.cloud.availability_zone UDM field. |
jsonPayload.remote_instance.zone |
principal.resource.attribute.cloud.availability_zone |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_instance.zone log field is mapped to the principal.resource.attribute.cloud.availability_zone UDM field. |
jsonPayload.instance.vm_name |
principal.resource.name |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.instance.vm_name log field is mapped to the principal.resource.name UDM field. |
jsonPayload.remote_instance.vm_name |
principal.resource.name |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_instance.vm_name log field is mapped to the principal.resource.name UDM field. |
|
principal.resource.resource_type |
If the jsonPayload.instance.vm_name log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the principal.resource.resource_type UDM field is set to VIRTUAL_MACHINE.If the jsonPayload.remote_instance.vm_name log field value is not empty the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the principal.resource.resource_type UDM field is set to VIRTUAL_MACHINE. |
|
security_result.action |
If the jsonPayload.rule_details.disposition log field value is equal to ALLOWED, then the security_result.action UDM field is set to ALLOW.Else, if the jsonPayload.rule_details.disposition log field value is equal to DENIED, then the security_result.action UDM field is set to BLOCK. |
jsonPayload.disposition |
security_result.action_details |
|
jsonPayload.rule_details.reference |
security_result.description |
|
jsonPayload.rule_details.priority |
security_result.priority_details |
|
resource.labels.firewall_rule_id |
security_result.rule_id |
|
jsonPayload.rule_details.action |
security_result.rule_labels[rule_details_action] |
|
jsonPayload.rule_details.destination_address_groups |
security_result.rule_labels[rule_details_destination_address_groups] |
|
jsonPayload.rule_details.destination_fqdn |
security_result.rule_labels[rule_details_destination_fqdn] |
|
jsonPayload.rule_details.destination_range |
security_result.rule_labels[rule_details_destination_range] |
|
jsonPayload.rule_details.destination_region_code |
security_result.rule_labels[rule_details_destination_region_code] |
|
jsonPayload.rule_details.destination_threat_intelligence |
security_result.rule_labels[rule_details_destination_threat_intelligence] |
|
jsonPayload.rule_details.ip_port_info.ip_protocol |
security_result.rule_labels[rule_details_ip_port_info_ip_protocol] |
|
jsonPayload.rule_details.ip_port_info.port_range |
security_result.rule_labels[rule_details_ip_port_info_port_range] |
|
jsonPayload.rule_details.source_address_groups |
security_result.rule_labels[rule_details_source_address_groups] |
|
jsonPayload.rule_details.source_fqdn |
security_result.rule_labels[rule_details_source_fqdn] |
|
jsonPayload.rule_details.source_range |
security_result.rule_labels[rule_details_source_range] |
|
jsonPayload.rule_details.source_region_code |
security_result.rule_labels[rule_details_source_region_code] |
|
jsonPayload.rule_details.source_service_account |
security_result.rule_labels[rule_details_source_service_account] |
|
jsonPayload.rule_details.source_tag |
security_result.rule_labels[rule_details_source_tag] |
|
jsonPayload.rule_details.source_threat_intelligence |
security_result.rule_labels[rule_details_source_threat_intelligence] |
|
jsonPayload.rule_details.target_service_account |
security_result.rule_labels[rule_details_target_service_account] |
|
jsonPayload.rule_details.target_tag |
security_result.rule_labels[rule_details_target_tag] |
|
|
security_result.rule_name |
Extracted rule_name from jsonPayload.rule_details.reference using Grok pattern and mapped it to the security_result.rule_name UDM field. |
jsonPayload.connection.dest_ip |
target.ip |
|
jsonPayload.remote_location.continent |
target.labels[remote_location_continent] (deprecated) |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_location.continent log field is mapped to the target.labels.remote_location_continent UDM field. |
jsonPayload.remote_location.continent |
additional.fields[remote_location_continent] |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_location.continent log field is mapped to the additional.fields.remote_location_continent UDM field. |
jsonPayload.remote_location.city |
target.location.city |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_location.city log field is mapped to the target.location.city UDM field. |
jsonPayload.remote_location.country |
target.location.country_or_region |
If the jsonPayload.remote_location.country log field value is not empty or the jsonPayload.remote_location.region log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_location.country jsonPayload.remote_location.region log field is mapped to the target.location.country_or_region UDM field. |
jsonPayload.remote_location.region |
target.location.country_or_region |
If the jsonPayload.remote_location.country log field value is not empty or the jsonPayload.remote_location.region log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_location.country jsonPayload.remote_location.region log field is mapped to the target.location.country_or_region UDM field. |
jsonPayload.instance.region |
target.location.name |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.instance.region log field is mapped to the target.location.name UDM field. |
jsonPayload.remote_instance.region |
target.location.name |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_instance.region log field is mapped to the target.location.name UDM field. |
jsonPayload.connection.dest_port |
target.port |
|
resource.labels.location |
target.resource_ancestors.attribute.cloud.availability_zone |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the resource.labels.location log field is mapped to the target.resource_ancestors.attribute.cloud.availability_zone UDM field. |
jsonPayload.vpc.vpc_name |
target.resource_ancestors.name |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.vpc.vpc_name log field is mapped to the target.resource_ancestors.name UDM field. |
jsonPayload.vpc.subnetwork_name |
target.resource_ancestors.name |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.vpc.subnetwork_name log field is mapped to the target.resource_ancestors.name UDM field. |
jsonPayload.remote_vpc.vpc_name |
target.resource_ancestors.name |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_vpc.vpc_name log field is mapped to the target.resource_ancestors.name UDM field. |
jsonPayload.remote_vpc.subnetwork_name |
target.resource_ancestors.name |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_vpc.subnetwork_name log field is mapped to the target.resource_ancestors.name UDM field. |
jsonPayload.vpc.project_id |
target.resource_ancestors.product_object_id |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.vpc.project_id log field is mapped to the target.resource_ancestors.product_object_id UDM field. |
jsonPayload.remote_vpc.project_id |
target.resource_ancestors.product_object_id |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_vpc.project_id log field is mapped to the target.resource_ancestors.product_object_id UDM field. |
resource.labels.subnetwork_id |
target.resource_ancestors.product_object_id |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the resource.labels.subnetwork_id log field is mapped to the target.resource_ancestors.product_object_id UDM field. |
resource.type |
target.resource_ancestors.resource_subtype |
|
|
target.resource_ancestors.resource_type |
If the jsonPayload.remote_vpc.vpc_name log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK.If the jsonPayload.remote_vpc.project_id log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the target.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT.If the jsonPayload.vpc.vpc_name log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK.If the jsonPayload.vpc.project_id log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the target.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT. |
jsonPayload.instance.zone |
target.resource.attribute.cloud.availability_zone |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.instance.zone log field is mapped to the target.resource.attribute.cloud.availability_zone UDM field. |
jsonPayload.remote_instance.zone |
target.resource.attribute.cloud.availability_zone |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_instance.zone log field is mapped to the target.resource.attribute.cloud.availability_zone UDM field. |
jsonPayload.instance.vm_name |
target.resource.name |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.instance.vm_name log field is mapped to the target.resource.product_object_id UDM field. |
jsonPayload.remote_instance.vm_name |
target.resource.name |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_instance.vm_name log field is mapped to the target.resource.name UDM field. |
|
target.resource.resource_type |
If the jsonPayload.remote_instance.vm_name log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE.If the jsonPayload.instance.vm_name log field value is not empty the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE. |