Collect Google Cloud Firewall logs

This document describes how to collect Google Cloud Firewall logs by enabling Google Cloud telemetry ingestion to Google Security Operations. It also explains how the log fields of Google Cloud Firewall logs map to Unified Data Model (UDM) fields in Google Security Operations, and lists the supported Google Cloud Firewall version.

For more information, see Data ingestion to Google Security Operations.

A typical deployment consists of Google Cloud Firewall logs that are enabled for ingestion into Google Security Operations. Each customer deployment can differ from this representation and be more complex.

The deployment includes the following components:

  • Google Cloud: The Google Cloud services and products from which you collect logs.

  • Google Cloud Firewall logs: The Google Cloud Firewall logs that are enabled for ingestion into Google Security Operations.

  • Google Security Operations: Google Security Operations stores and analyzes the Google Cloud Firewall logs.

An ingestion label identifies the parser that normalizes raw log data into the structured UDM format. The information in this document applies to the parser with the ingestion label GCP_FIREWALL.


  • Make sure that you are using Google Cloud Firewall version 1.

  • All systems in the deployment architecture must be configured with the UTC time zone.

Configure Google Cloud to ingest Google Cloud Firewall logs

To ingest Google Cloud Firewall logs to Google Security Operations, follow the instructions on the page Ingest Google Cloud logs to Google Security Operations.

If you encounter issues when ingesting Google Cloud Firewall logs, contact Google Security Operations support.

Field mapping reference

The following table lists the log fields of the GCP_FIREWALL log type and their corresponding UDM fields. Several rows are conditional on jsonPayload.rule_details.direction: for EGRESS the logging instance (jsonPayload.instance, jsonPayload.vpc) populates the principal and the remote side (jsonPayload.remote_*) populates the target; for INGRESS the assignment is reversed. Rows whose log field or UDM field is blank were blank on the page this table was taken from.

| Log field | UDM mapping | Logic |
|---|---|---|
| receiveTimestamp | metadata.collected_timestamp | |
| timestamp | metadata.event_timestamp | |
| logName | metadata.product_event_type | |
| | metadata.event_type | If the jsonPayload.connection.src_ip log field value is not empty and the jsonPayload.connection.dest_ip log field value is not empty, then the metadata.event_type UDM field is set to NETWORK_CONNECTION. Else, if the jsonPayload.connection.src_ip log field value is not empty, then the metadata.event_type UDM field is set to STATUS_UNCATEGORIZED. Else, the metadata.event_type UDM field is set to GENERIC_EVENT. |
| insertId | metadata.product_log_id | |
| | metadata.product_name | The metadata.product_name UDM field is set to GCP Firewall. |
| | metadata.vendor_name | The metadata.vendor_name UDM field is set to Google Cloud Platform. |
| jsonPayload.rule_details.direction | network.direction | If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the network.direction UDM field is set to OUTBOUND. Else, if the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the network.direction UDM field is set to INBOUND. |
| jsonPayload.connection.protocol | network.ip_protocol | If the jsonPayload.connection.protocol log field value is equal to 6, then the network.ip_protocol UDM field is set to TCP. If it is equal to 17, then the network.ip_protocol UDM field is set to UDP. If it is equal to 1, then the network.ip_protocol UDM field is set to ICMP. If it is equal to 2, then the network.ip_protocol UDM field is set to IGMP. |
| jsonPayload.connection.src_ip | principal.ip | |
| jsonPayload.remote_location.continent | principal.labels[remote_location_continent] (deprecated) | If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_location.continent log field is mapped to the principal.labels.remote_location_continent UDM field. |
| jsonPayload.remote_location.continent | additional.fields[remote_location_continent] | If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_location.continent log field is mapped to the additional.fields.remote_location_continent UDM field. |
| | | If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the log field is mapped to the UDM field. |
| jsonPayload.remote_location.region | principal.location.country_or_region | If the log field value is not empty or the jsonPayload.remote_location.region log field value is not empty, and the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_location.region log field is mapped to the principal.location.country_or_region UDM field. |
| jsonPayload.instance.region | | If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.instance.region log field is mapped to the UDM field. |
| jsonPayload.remote_instance.region | | If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_instance.region log field is mapped to the UDM field. |
| jsonPayload.connection.src_port | principal.port | |
| resource.labels.location | | If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the resource.labels.location log field is mapped to the UDM field. |
| jsonPayload.vpc.vpc_name | | If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.vpc.vpc_name log field is mapped to the UDM field. |
| jsonPayload.vpc.subnetwork_name | | If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.vpc.subnetwork_name log field is mapped to the UDM field. |
| jsonPayload.remote_vpc.vpc_name | | If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_vpc.vpc_name log field is mapped to the UDM field. |
| jsonPayload.remote_vpc.subnetwork_name | | If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_vpc.subnetwork_name log field is mapped to the UDM field. |
| jsonPayload.vpc.project_id | principal.resource_ancestors.product_object_id | If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.vpc.project_id log field is mapped to the principal.resource_ancestors.product_object_id UDM field. |
| jsonPayload.remote_vpc.project_id | principal.resource_ancestors.product_object_id | If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_vpc.project_id log field is mapped to the principal.resource_ancestors.product_object_id UDM field. |
| resource.labels.subnetwork_id | principal.resource_ancestors.product_object_id | If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the resource.labels.subnetwork_id log field is mapped to the principal.resource_ancestors.product_object_id UDM field. |
| resource.type | principal.resource_ancestors.resource_subtype | If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the resource.type log field is mapped to the principal.resource_ancestors.resource_subtype UDM field. |
| | principal.resource_ancestors.resource_type | If the jsonPayload.vpc.vpc_name log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the principal.resource_ancestors.resource_type UDM field is set to VPC_NETWORK. If the jsonPayload.vpc.project_id log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the principal.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT. If the jsonPayload.remote_vpc.vpc_name log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the principal.resource_ancestors.resource_type UDM field is set to VPC_NETWORK. If the jsonPayload.remote_vpc.project_id log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the principal.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT. |
| | | If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the log field is mapped to the UDM field. |
| | | If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the log field is mapped to the UDM field. |
| jsonPayload.instance.vm_name | | If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.instance.vm_name log field is mapped to the UDM field. |
| jsonPayload.remote_instance.vm_name | | If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_instance.vm_name log field is mapped to the UDM field. |
| | principal.resource.resource_type | If the jsonPayload.instance.vm_name log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the principal.resource.resource_type UDM field is set to VIRTUAL_MACHINE. If the jsonPayload.remote_instance.vm_name log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the principal.resource.resource_type UDM field is set to VIRTUAL_MACHINE. |
| | security_result.action | If the jsonPayload.rule_details.disposition log field value is equal to ALLOWED, then the security_result.action UDM field is set to ALLOW. Else, if the jsonPayload.rule_details.disposition log field value is equal to DENIED, then the security_result.action UDM field is set to BLOCK. |
| jsonPayload.disposition | security_result.action_details | |
| jsonPayload.rule_details.reference | security_result.description | |
| jsonPayload.rule_details.priority | security_result.priority_details | |
| resource.labels.firewall_rule_id | security_result.rule_id | |
| jsonPayload.rule_details.action | security_result.rule_labels[rule_details_action] | |
| jsonPayload.rule_details.destination_address_groups | security_result.rule_labels[rule_details_destination_address_groups] | |
| jsonPayload.rule_details.destination_fqdn | security_result.rule_labels[rule_details_destination_fqdn] | |
| jsonPayload.rule_details.destination_range | security_result.rule_labels[rule_details_destination_range] | |
| jsonPayload.rule_details.destination_region_code | security_result.rule_labels[rule_details_destination_region_code] | |
| jsonPayload.rule_details.destination_threat_intelligence | security_result.rule_labels[rule_details_destination_threat_intelligence] | |
| jsonPayload.rule_details.ip_port_info.ip_protocol | security_result.rule_labels[rule_details_ip_port_info_ip_protocol] | |
| jsonPayload.rule_details.ip_port_info.port_range | security_result.rule_labels[rule_details_ip_port_info_port_range] | |
| jsonPayload.rule_details.source_address_groups | security_result.rule_labels[rule_details_source_address_groups] | |
| jsonPayload.rule_details.source_fqdn | security_result.rule_labels[rule_details_source_fqdn] | |
| jsonPayload.rule_details.source_range | security_result.rule_labels[rule_details_source_range] | |
| jsonPayload.rule_details.source_region_code | security_result.rule_labels[rule_details_source_region_code] | |
| jsonPayload.rule_details.source_service_account | security_result.rule_labels[rule_details_source_service_account] | |
| jsonPayload.rule_details.source_tag | security_result.rule_labels[rule_details_source_tag] | |
| jsonPayload.rule_details.source_threat_intelligence | security_result.rule_labels[rule_details_source_threat_intelligence] | |
| jsonPayload.rule_details.target_service_account | security_result.rule_labels[rule_details_target_service_account] | |
| jsonPayload.rule_details.target_tag | security_result.rule_labels[rule_details_target_tag] | |
| | security_result.rule_name | The rule name is extracted from the jsonPayload.rule_details.reference log field with a Grok pattern and mapped to the security_result.rule_name UDM field. |
| jsonPayload.connection.dest_ip | target.ip | |
| jsonPayload.remote_location.continent | target.labels[remote_location_continent] (deprecated) | If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_location.continent log field is mapped to the target.labels.remote_location_continent UDM field. |
| jsonPayload.remote_location.continent | additional.fields[remote_location_continent] | If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_location.continent log field is mapped to the additional.fields.remote_location_continent UDM field. |
| | | If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the log field is mapped to the UDM field. |
| jsonPayload.remote_location.region | target.location.country_or_region | If the log field value is not empty or the jsonPayload.remote_location.region log field value is not empty, and the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_location.region log field is mapped to the target.location.country_or_region UDM field. |
| jsonPayload.instance.region | | If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.instance.region log field is mapped to the UDM field. |
| jsonPayload.remote_instance.region | | If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_instance.region log field is mapped to the UDM field. |
| jsonPayload.connection.dest_port | target.port | |
| resource.labels.location | | If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the resource.labels.location log field is mapped to the UDM field. |
| jsonPayload.vpc.vpc_name | | If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.vpc.vpc_name log field is mapped to the UDM field. |
| jsonPayload.vpc.subnetwork_name | | If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.vpc.subnetwork_name log field is mapped to the UDM field. |
| jsonPayload.remote_vpc.vpc_name | | If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_vpc.vpc_name log field is mapped to the UDM field. |
| jsonPayload.remote_vpc.subnetwork_name | | If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_vpc.subnetwork_name log field is mapped to the UDM field. |
| jsonPayload.vpc.project_id | target.resource_ancestors.product_object_id | If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.vpc.project_id log field is mapped to the target.resource_ancestors.product_object_id UDM field. |
| jsonPayload.remote_vpc.project_id | target.resource_ancestors.product_object_id | If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_vpc.project_id log field is mapped to the target.resource_ancestors.product_object_id UDM field. |
| resource.labels.subnetwork_id | target.resource_ancestors.product_object_id | If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the resource.labels.subnetwork_id log field is mapped to the target.resource_ancestors.product_object_id UDM field. |
| resource.type | target.resource_ancestors.resource_subtype | |
| | target.resource_ancestors.resource_type | If the jsonPayload.remote_vpc.vpc_name log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK. If the jsonPayload.remote_vpc.project_id log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the target.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT. If the jsonPayload.vpc.vpc_name log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK. If the jsonPayload.vpc.project_id log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the target.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT. |
| | | If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the log field is mapped to the UDM field. |
| | | If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the log field is mapped to the UDM field. |
| jsonPayload.instance.vm_name | target.resource.product_object_id | If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.instance.vm_name log field is mapped to the target.resource.product_object_id UDM field. |
| jsonPayload.remote_instance.vm_name | | If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_instance.vm_name log field is mapped to the UDM field. |
| | target.resource.resource_type | If the jsonPayload.remote_instance.vm_name log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE. If the jsonPayload.instance.vm_name log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE. |
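The mapping rules above, applied in code. This is an added example written for this page, not Google's GCP_FIREWALL parser: it implements the event_type, direction, protocol and disposition rules, the direction-dependent principal/target assignment, and the project ancestor, VIRTUAL_MACHINE and remote-region fields that the table fully specifies; rows whose UDM field the table leaves blank are not modelled. Both log entries are constructed samples, RULE_NAME_RE stands in for the Grok pattern the page names but does not show, and the `network:<vpc>/firewall:<rule>` form of rule_details.reference is an assumption.

```python
# Added example (not Google's GCP_FIREWALL parser): applies the mapping rules from
# the table above to constructed firewall log entries. RULE_NAME_RE is an assumed
# stand-in for the Grok pattern the page mentions but does not show.
import json
import re
from typing import Any

IP_PROTOCOLS = {6: "TCP", 17: "UDP", 1: "ICMP", 2: "IGMP"}
DIRECTIONS = {"EGRESS": "OUTBOUND", "INGRESS": "INBOUND"}
ACTIONS = {"ALLOWED": "ALLOW", "DENIED": "BLOCK"}
# Assumes rule_details.reference looks like "network:<vpc>/firewall:<rule>".
RULE_NAME_RE = re.compile(r"firewall:(?P<rule_name>[^/\s]+)$")


def event_type(conn: dict[str, Any]) -> str:
    """metadata.event_type depends only on which connection IPs are present."""
    if conn.get("src_ip") and conn.get("dest_ip"):
        return "NETWORK_CONNECTION"
    if conn.get("src_ip"):
        return "STATUS_UNCATEGORIZED"
    return "GENERIC_EVENT"


def to_udm(entry: dict[str, Any]) -> dict[str, Any]:
    """Flat dict keyed by UDM field path; fields without a source value are omitted."""
    p = entry.get("jsonPayload", {})
    conn, rule = p.get("connection", {}), p.get("rule_details", {})
    direction = rule.get("direction")
    fields = {
        "metadata.product_name": "GCP Firewall",
        "metadata.vendor_name": "Google Cloud Platform",
        "metadata.event_type": event_type(conn),
        "metadata.collected_timestamp": entry.get("receiveTimestamp"),
        "metadata.event_timestamp": entry.get("timestamp"),
        "metadata.product_event_type": entry.get("logName"),
        "metadata.product_log_id": entry.get("insertId"),
        "principal.ip": conn.get("src_ip"),
        "principal.port": conn.get("src_port"),
        "target.ip": conn.get("dest_ip"),
        "target.port": conn.get("dest_port"),
        "network.direction": DIRECTIONS.get(direction),
        "network.ip_protocol": IP_PROTOCOLS.get(conn.get("protocol")),
        # The table takes the action from rule_details.disposition and the
        # action_details from jsonPayload.disposition; both locations are checked.
        "security_result.action": ACTIONS.get(rule.get("disposition") or p.get("disposition")),
        "security_result.action_details": p.get("disposition"),
        "security_result.description": rule.get("reference"),
        "security_result.priority_details": rule.get("priority"),
        "security_result.rule_id": entry.get("resource", {}).get("labels", {}).get("firewall_rule_id"),
    }
    udm = {k: v for k, v in fields.items() if v is not None}
    if match := RULE_NAME_RE.search(rule.get("reference") or ""):
        udm["security_result.rule_name"] = match.group("rule_name")

    # Principal and target depend on direction: for EGRESS the logging VM (instance,
    # vpc) is the principal and the remote_* side the target; INGRESS swaps them.
    local = {"vm_name": p.get("instance", {}).get("vm_name"),
             "project_id": p.get("vpc", {}).get("project_id")}
    remote = {"vm_name": p.get("remote_instance", {}).get("vm_name"),
              "project_id": p.get("remote_vpc", {}).get("project_id"),
              "region": p.get("remote_location", {}).get("region")}
    sides = {"EGRESS": (local, remote), "INGRESS": (remote, local)}.get(direction)
    for noun, side in zip(("principal", "target"), sides or ()):
        if side.get("vm_name"):
            udm[f"{noun}.resource.resource_type"] = "VIRTUAL_MACHINE"
        if side.get("project_id"):
            udm[f"{noun}.resource_ancestors.resource_type"] = "CLOUD_PROJECT"
            udm[f"{noun}.resource_ancestors.product_object_id"] = side["project_id"]
        if side.get("region"):
            udm[f"{noun}.location.country_or_region"] = side["region"]
    return udm


# Constructed sample entries (not captured logs), one per direction.
INGRESS_DENIED = {
    "insertId": "ingress-0001", "timestamp": "2024-05-01T12:00:00Z",
    "resource": {"type": "gce_subnetwork", "labels": {"firewall_rule_id": "1111"}},
    "jsonPayload": {
        "connection": {"src_ip": "203.0.113.5", "src_port": 51000,
                       "dest_ip": "10.0.0.2", "dest_port": 22, "protocol": 6},
        "disposition": "DENIED",
        "rule_details": {"reference": "network:demo-vpc/firewall:deny-ssh-external",
                         "priority": 1000, "direction": "INGRESS"},
        "instance": {"project_id": "demo-project", "vm_name": "web-1"},
        "vpc": {"project_id": "demo-project", "vpc_name": "demo-vpc"},
        "remote_location": {"continent": "Europe", "region": "Berlin"},
    },
}
EGRESS_ALLOWED = {
    "insertId": "egress-0001", "timestamp": "2024-05-01T12:05:00Z",
    "jsonPayload": {
        "connection": {"src_ip": "10.0.0.2", "src_port": 40000,
                       "dest_ip": "10.1.0.9", "dest_port": 53, "protocol": 17},
        "disposition": "ALLOWED",
        "rule_details": {"reference": "network:demo-vpc/firewall:allow-dns-egress",
                         "priority": 900, "direction": "EGRESS"},
        "instance": {"project_id": "demo-project", "vm_name": "web-1"},
        "vpc": {"project_id": "demo-project", "vpc_name": "demo-vpc"},
        "remote_instance": {"project_id": "peer-project", "vm_name": "dns-1"},
        "remote_vpc": {"project_id": "peer-project", "vpc_name": "peer-vpc"},
    },
}

if __name__ == "__main__":
    print(json.dumps({"ingress": to_udm(INGRESS_DENIED), "egress": to_udm(EGRESS_ALLOWED)}, indent=2))
```

Running the module prints the UDM fields for both samples. Every lookup tolerates a missing jsonPayload block rather than failing, because firewall rule logging can be configured to omit the instance, vpc and remote_* metadata; an entry that carries nothing else still yields the two constant metadata fields and metadata.event_type, which is how the GENERIC_EVENT branch of the table is reached.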

