Google Cloud-Firewall-Logs erfassen
Unterstützt in:
Google SecOps
SIEM
In diesem Dokument wird beschrieben, wie Sie Google Cloud-Firewall-Logs erfassen, indem Sie die Google Cloud-Telemetrieaufnahme in Google Security Operations aktivieren. Außerdem wird erläutert, wie Protokollfelder von Google Cloud-Firewall-Logs den Feldern des Unified Data Model (UDM) von Google Security Operations zugeordnet werden. In diesem Dokument wird auch die unterstützte Google Cloud Firewall-Version aufgeführt.
Weitere Informationen finden Sie unter Datenaufnahme in Google Security Operations.
Eine typische Bereitstellung besteht aus Google Cloud Firewall-Logs, die für die Aufnahme in Google Security Operations aktiviert sind. Jede Kundenbereitstellung kann von dieser Darstellung abweichen und komplexer sein.
Die Bereitstellung umfasst die folgenden Komponenten:
Google Cloud: Die Google Cloud-Dienste und ‑Produkte, von denen Sie Protokolle erfassen.
Google Cloud-Firewall-Logs: Die Google Cloud-Firewall-Logs, die für die Aufnahme in Google Security Operations aktiviert sind.
Google Security Operations: Google Security Operations speichert und analysiert die Logs der Google Cloud-Firewall.
Mit einem Datenaufnahmelabel wird der Parser identifiziert, der Roh-Logdaten in das strukturierte UDM-Format normalisiert. Die Informationen in diesem Dokument gelten für den Parser
mit dem Aufnahmelabel GCP_FIREWALL.
Hinweise
Achten Sie darauf, dass Sie die Google Cloud-Firewall-Version 1 verwenden.
Alle Systeme in der Bereitstellungsarchitektur müssen in der Zeitzone UTC konfiguriert sein.
Google Cloud für die Aufnahme von Google Cloud-Firewalllogs konfigurieren
Wenn Sie Google Cloud-Firewall-Logs in Google Security Operations aufnehmen möchten, folgen Sie der Anleitung auf der Seite Google Cloud-Logs in Google Security Operations aufnehmen.
Wenn beim Aufnehmen von Google Cloud-Firewalllogs Probleme auftreten, wenden Sie sich an den Google Security Operations-Support.
Referenz für die Feldzuordnung
In der folgenden Tabelle sind die Protokollfelder des GCP_FIREWALL-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.
| Log field | UDM mapping | Logic |
|---|---|---|
receiveTimestamp |
metadata.collected_timestamp |
|
timestamp |
metadata.event_timestamp |
|
logName |
metadata.product_event_type |
|
|
metadata.event_type |
If the jsonPayload.connection.src_ip log field value is not empty and the jsonPayload.connection.dest_ip log field value is not empty, then the metadata.event_type UDM field is set to NETWORK_CONNECTION.Else, if the jsonPayload.connection.src_ip log field value is not empty, then the metadata.event_type UDM field is set to STATUS_UNCATEGORIZED.Else, the metadata.event_type UDM field is set to GENERIC_EVENT. |
insertId |
metadata.product_log_id |
|
|
metadata.product_name |
The metadata.product_name UDM field is set to GCP Firewall. |
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to Google Cloud Platform. |
jsonPayload.rule_details.direction |
network.direction |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the network.direction UDM field is set to OUTBOUND.Else, if the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the network.direction UDM field is set to INBOUND. |
jsonPayload.connection.protocol |
network.ip_protocol |
If the jsonPayload.connection.protocol log field value is equal to 6, then the network.ip_protocol UDM field is set to TCP.If the jsonPayload.connection.protocol log field value is equal to 17, then the network.ip_protocol UDM field is set to UDP.If the jsonPayload.connection.protocol log field value is equal to 1, then the network.ip_protocol UDM field is set to ICMP.If the jsonPayload.connection.protocol log field value is equal to 2, then the network.ip_protocol UDM field is set to IGMP. |
jsonPayload.connection.src_ip |
principal.ip |
|
jsonPayload.remote_location.continent |
principal.labels[remote_location_continent] (deprecated) |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_location.continent log field is mapped to the principal.labels.remote_location_continent UDM field. |
jsonPayload.remote_location.continent |
additional.fields[remote_location_continent] |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_location.continent log field is mapped to the additional.fields.remote_location_continent UDM field. |
jsonPayload.remote_location.city |
principal.location.city |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_location.city log field is mapped to the principal.location.city UDM field. |
jsonPayload.remote_location.country |
principal.location.country_or_region |
If the jsonPayload.remote_location.country log field value is not empty or the jsonPayload.remote_location.region log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_location.country jsonPayload.remote_location.region log field is mapped to the principal.location.country_or_region UDM field. |
jsonPayload.remote_location.region |
principal.location.country_or_region |
If the jsonPayload.remote_location.country log field value is not empty or the jsonPayload.remote_location.region log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_location.country jsonPayload.remote_location.region log field is mapped to the principal.location.country_or_region UDM field. |
jsonPayload.instance.region |
principal.location.name |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.instance.region log field is mapped to the principal.location.name UDM field. |
jsonPayload.remote_instance.region |
principal.location.name |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_instance.region log field is mapped to the principal.location.name UDM field. |
jsonPayload.connection.src_port |
principal.port |
|
resource.labels.location |
principal.resource_ancestors.attribute.cloud.availability_zone |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the resource.labels.location log field is mapped to the principal.resource_ancestors.attribute.cloud.availability_zone UDM field. |
jsonPayload.vpc.vpc_name |
principal.resource_ancestors.name |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.vpc.vpc_name log field is mapped to the principal.resource_ancestors.name UDM field. |
jsonPayload.vpc.subnetwork_name |
principal.resource_ancestors.name |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.vpc.subnetwork_name log field is mapped to the principal.resource_ancestors.name UDM field. |
jsonPayload.remote_vpc.vpc_name |
principal.resource_ancestors.name |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_vpc.vpc_name log field is mapped to the principal.resource_ancestors.name UDM field. |
jsonPayload.remote_vpc.subnetwork_name |
principal.resource_ancestors.name |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_vpc.subnetwork_name log field is mapped to the principal.resource_ancestors.name UDM field. |
jsonPayload.vpc.project_id |
principal.resource_ancestors.product_object_id |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.vpc.project_id log field is mapped to the principal.resource_ancestors.product_object_id UDM field. |
jsonPayload.remote_vpc.project_id |
principal.resource_ancestors.product_object_id |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_vpc.project_id log field is mapped to the principal.resource_ancestors.product_object_id UDM field. |
resource.labels.subnetwork_id |
principal.resource_ancestors.product_object_id |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the resource.labels.subnetwork_id log field is mapped to the principal.resource_ancestors.product_object_id UDM field. |
resource.type |
principal.resource_ancestors.resource_subtype |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the resource.type log field is mapped to the principal.resource_ancestors.resource_subtype UDM field. |
|
principal.resource_ancestors.resource_type |
If the jsonPayload.vpc.vpc_name log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the principal.resource_ancestors.resource_type UDM field is set to VPC_NETWORK.If the jsonPayload.vpc.project_id log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the principal.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT.If the jsonPayload.remote_vpc.vpc_name log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the principal.resource_ancestors.resource_type UDM field is set to VPC_NETWORK.If the jsonPayload.remote_vpc.project_id log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the principal.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT. |
jsonPayload.instance.zone |
principal.resource.attribute.cloud.availability_zone |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.instance.zone log field is mapped to the principal.resource.attribute.cloud.availability_zone UDM field. |
jsonPayload.remote_instance.zone |
principal.resource.attribute.cloud.availability_zone |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_instance.zone log field is mapped to the principal.resource.attribute.cloud.availability_zone UDM field. |
jsonPayload.instance.vm_name |
principal.resource.name |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.instance.vm_name log field is mapped to the principal.resource.name UDM field. |
jsonPayload.remote_instance.vm_name |
principal.resource.name |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_instance.vm_name log field is mapped to the principal.resource.name UDM field. |
|
principal.resource.resource_type |
If the jsonPayload.instance.vm_name log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the principal.resource.resource_type UDM field is set to VIRTUAL_MACHINE.If the jsonPayload.remote_instance.vm_name log field value is not empty the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the principal.resource.resource_type UDM field is set to VIRTUAL_MACHINE. |
|
security_result.action |
If the jsonPayload.rule_details.disposition log field value is equal to ALLOWED, then the security_result.action UDM field is set to ALLOW.Else, if the jsonPayload.rule_details.disposition log field value is equal to DENIED, then the security_result.action UDM field is set to BLOCK. |
jsonPayload.disposition |
security_result.action_details |
|
jsonPayload.rule_details.reference |
security_result.description |
|
jsonPayload.rule_details.priority |
security_result.priority_details |
|
resource.labels.firewall_rule_id |
security_result.rule_id |
|
jsonPayload.rule_details.action |
security_result.rule_labels[rule_details_action] |
|
jsonPayload.rule_details.destination_address_groups |
security_result.rule_labels[rule_details_destination_address_groups] |
|
jsonPayload.rule_details.destination_fqdn |
security_result.rule_labels[rule_details_destination_fqdn] |
|
jsonPayload.rule_details.destination_range |
security_result.rule_labels[rule_details_destination_range] |
|
jsonPayload.rule_details.destination_region_code |
security_result.rule_labels[rule_details_destination_region_code] |
|
jsonPayload.rule_details.destination_threat_intelligence |
security_result.rule_labels[rule_details_destination_threat_intelligence] |
|
jsonPayload.rule_details.ip_port_info.ip_protocol |
security_result.rule_labels[rule_details_ip_port_info_ip_protocol] |
|
jsonPayload.rule_details.ip_port_info.port_range |
security_result.rule_labels[rule_details_ip_port_info_port_range] |
|
jsonPayload.rule_details.source_address_groups |
security_result.rule_labels[rule_details_source_address_groups] |
|
jsonPayload.rule_details.source_fqdn |
security_result.rule_labels[rule_details_source_fqdn] |
|
jsonPayload.rule_details.source_range |
security_result.rule_labels[rule_details_source_range] |
|
jsonPayload.rule_details.source_region_code |
security_result.rule_labels[rule_details_source_region_code] |
|
jsonPayload.rule_details.source_service_account |
security_result.rule_labels[rule_details_source_service_account] |
|
jsonPayload.rule_details.source_tag |
security_result.rule_labels[rule_details_source_tag] |
|
jsonPayload.rule_details.source_threat_intelligence |
security_result.rule_labels[rule_details_source_threat_intelligence] |
|
jsonPayload.rule_details.target_service_account |
security_result.rule_labels[rule_details_target_service_account] |
|
jsonPayload.rule_details.target_tag |
security_result.rule_labels[rule_details_target_tag] |
|
|
security_result.rule_name |
Extracted rule_name from jsonPayload.rule_details.reference using Grok pattern and mapped it to the security_result.rule_name UDM field. |
jsonPayload.connection.dest_ip |
target.ip |
|
jsonPayload.remote_location.continent |
target.labels[remote_location_continent] (deprecated) |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_location.continent log field is mapped to the target.labels.remote_location_continent UDM field. |
jsonPayload.remote_location.continent |
additional.fields[remote_location_continent] |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_location.continent log field is mapped to the additional.fields.remote_location_continent UDM field. |
jsonPayload.remote_location.city |
target.location.city |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_location.city log field is mapped to the target.location.city UDM field. |
jsonPayload.remote_location.country |
target.location.country_or_region |
If the jsonPayload.remote_location.country log field value is not empty or the jsonPayload.remote_location.region log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_location.country jsonPayload.remote_location.region log field is mapped to the target.location.country_or_region UDM field. |
jsonPayload.remote_location.region |
target.location.country_or_region |
If the jsonPayload.remote_location.country log field value is not empty or the jsonPayload.remote_location.region log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_location.country jsonPayload.remote_location.region log field is mapped to the target.location.country_or_region UDM field. |
jsonPayload.instance.region |
target.location.name |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.instance.region log field is mapped to the target.location.name UDM field. |
jsonPayload.remote_instance.region |
target.location.name |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_instance.region log field is mapped to the target.location.name UDM field. |
jsonPayload.connection.dest_port |
target.port |
|
resource.labels.location |
target.resource_ancestors.attribute.cloud.availability_zone |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the resource.labels.location log field is mapped to the target.resource_ancestors.attribute.cloud.availability_zone UDM field. |
jsonPayload.vpc.vpc_name |
target.resource_ancestors.name |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.vpc.vpc_name log field is mapped to the target.resource_ancestors.name UDM field. |
jsonPayload.vpc.subnetwork_name |
target.resource_ancestors.name |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.vpc.subnetwork_name log field is mapped to the target.resource_ancestors.name UDM field. |
jsonPayload.remote_vpc.vpc_name |
target.resource_ancestors.name |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_vpc.vpc_name log field is mapped to the target.resource_ancestors.name UDM field. |
jsonPayload.remote_vpc.subnetwork_name |
target.resource_ancestors.name |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_vpc.subnetwork_name log field is mapped to the target.resource_ancestors.name UDM field. |
jsonPayload.vpc.project_id |
target.resource_ancestors.product_object_id |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.vpc.project_id log field is mapped to the target.resource_ancestors.product_object_id UDM field. |
jsonPayload.remote_vpc.project_id |
target.resource_ancestors.product_object_id |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_vpc.project_id log field is mapped to the target.resource_ancestors.product_object_id UDM field. |
resource.labels.subnetwork_id |
target.resource_ancestors.product_object_id |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the resource.labels.subnetwork_id log field is mapped to the target.resource_ancestors.product_object_id UDM field. |
resource.type |
target.resource_ancestors.resource_subtype |
|
|
target.resource_ancestors.resource_type |
If the jsonPayload.remote_vpc.vpc_name log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK.If the jsonPayload.remote_vpc.project_id log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the target.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT.If the jsonPayload.vpc.vpc_name log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK.If the jsonPayload.vpc.project_id log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the target.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT. |
jsonPayload.instance.zone |
target.resource.attribute.cloud.availability_zone |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.instance.zone log field is mapped to the target.resource.attribute.cloud.availability_zone UDM field. |
jsonPayload.remote_instance.zone |
target.resource.attribute.cloud.availability_zone |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_instance.zone log field is mapped to the target.resource.attribute.cloud.availability_zone UDM field. |
jsonPayload.instance.vm_name |
target.resource.name |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.instance.vm_name log field is mapped to the target.resource.product_object_id UDM field. |
jsonPayload.remote_instance.vm_name |
target.resource.name |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_instance.vm_name log field is mapped to the target.resource.name UDM field. |
|
target.resource.resource_type |
If the jsonPayload.remote_instance.vm_name log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE.If the jsonPayload.instance.vm_name log field value is not empty the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE. |