Google Cloud-Firewalllogs erfassen
In diesem Dokument wird beschrieben, wie Sie Google Cloud Firewall-Logs erfassen können, indem Sie die Aufnahme von Google Cloud-Telemetriedaten in Google Security Operations aktivieren. Außerdem erfahren Sie, wie Logfelder der Logs der Google Cloud Firewall den Feldern des Google Security Operations Unified Data Model (UDM) zugeordnet werden. In diesem Dokument wird auch die unterstützte Google Cloud Firewall-Version aufgeführt.
Weitere Informationen finden Sie unter Datenaufnahme in Google Security Operations.
Eine typische Bereitstellung besteht aus Google Cloud Firewall-Logs, die für die Aufnahme in Google Security Operations aktiviert sind. Jede Kundenbereitstellung kann sich von dieser Darstellung unterscheiden und komplexer sein.
Die Bereitstellung enthält die folgenden Komponenten:
Google Cloud: Die Google Cloud-Dienste und -Produkte, für die Sie Logs erfassen.
Google Cloud Firewall-Logs: Die Google Cloud Firewall-Logs, die für die Aufnahme in Google Security Operations aktiviert sind.
Google Security Operations: Google Security Operations speichert und analysiert die Logs der Google Cloud Firewall.
Ein Aufnahmelabel identifiziert den Parser, der Log-Rohdaten in das strukturierte UDM-Format normalisiert. Die Informationen in diesem Dokument gelten für den Parser mit dem Aufnahmelabel GCP_FIREWALL.
Hinweise
Achten Sie darauf, dass Sie Google Cloud Firewall Version 1 verwenden.
Achten Sie darauf, dass alle Systeme in der Bereitstellungsarchitektur in der UTC-Zeitzone konfiguriert sind.
Google Cloud für die Aufnahme von Google Cloud-Firewalllogs konfigurieren
Folgen Sie der Anleitung auf der Seite Google Cloud-Logs in Google-Sicherheitsvorgänge aufnehmen, um Google Cloud-Firewalllogs in Google-Sicherheitsvorgänge aufzunehmen.
Wenn beim Aufnehmen von Google Cloud Firewall-Logs Probleme auftreten, wenden Sie sich an den Google Security Operations-Support.
Referenz zur Feldzuordnung
In der folgenden Tabelle sind die Logfelder des Logtyps GCP_FIREWALL und die entsprechenden UDM-Felder aufgeführt.
| Log field | UDM mapping | Logic |
|---|---|---|
receiveTimestamp |
metadata.collected_timestamp |
|
timestamp |
metadata.event_timestamp |
|
logName |
metadata.product_event_type |
|
|
metadata.event_type |
If the jsonPayload.connection.src_ip log field value is not empty and the jsonPayload.connection.dest_ip log field value is not empty, then the metadata.event_type UDM field is set to NETWORK_CONNECTION.Else, if the jsonPayload.connection.src_ip log field value is not empty, then the metadata.event_type UDM field is set to STATUS_UNCATEGORIZED.Else, the metadata.event_type UDM field is set to GENERIC_EVENT. |
insertId |
metadata.product_log_id |
|
|
metadata.product_name |
The metadata.product_name UDM field is set to GCP Firewall. |
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to Google Cloud Platform. |
jsonPayload.rule_details.direction |
network.direction |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the network.direction UDM field is set to OUTBOUND.Else, if the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the network.direction UDM field is set to INBOUND. |
jsonPayload.connection.protocol |
network.ip_protocol |
If the jsonPayload.connection.protocol log field value is equal to 6, then the network.ip_protocol UDM field is set to TCP.If the jsonPayload.connection.protocol log field value is equal to 17, then the network.ip_protocol UDM field is set to UDP.If the jsonPayload.connection.protocol log field value is equal to 1, then the network.ip_protocol UDM field is set to ICMP.If the jsonPayload.connection.protocol log field value is equal to 2, then the network.ip_protocol UDM field is set to IGMP. |
jsonPayload.connection.src_ip |
principal.ip |
|
jsonPayload.remote_location.continent |
principal.labels[remote_location_continent] (deprecated) |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_location.continent log field is mapped to the principal.labels.remote_location_continent UDM field. |
jsonPayload.remote_location.continent |
additional.fields[remote_location_continent] |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_location.continent log field is mapped to the additional.fields.remote_location_continent UDM field. |
jsonPayload.remote_location.city |
principal.location.city |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_location.city log field is mapped to the principal.location.city UDM field. |
jsonPayload.remote_location.country |
principal.location.country_or_region |
If the jsonPayload.remote_location.country log field value is not empty or the jsonPayload.remote_location.region log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_location.country jsonPayload.remote_location.region log field is mapped to the principal.location.country_or_region UDM field. |
jsonPayload.remote_location.region |
principal.location.country_or_region |
If the jsonPayload.remote_location.country log field value is not empty or the jsonPayload.remote_location.region log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_location.country jsonPayload.remote_location.region log field is mapped to the principal.location.country_or_region UDM field. |
jsonPayload.instance.region |
principal.location.name |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.instance.region log field is mapped to the principal.location.name UDM field. |
jsonPayload.remote_instance.region |
principal.location.name |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_instance.region log field is mapped to the principal.location.name UDM field. |
jsonPayload.connection.src_port |
principal.port |
|
resource.labels.location |
principal.resource_ancestors.attribute.cloud.availability_zone |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the resource.labels.location log field is mapped to the principal.resource_ancestors.attribute.cloud.availability_zone UDM field. |
jsonPayload.vpc.vpc_name |
principal.resource_ancestors.name |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.vpc.vpc_name log field is mapped to the principal.resource_ancestors.name UDM field. |
jsonPayload.vpc.subnetwork_name |
principal.resource_ancestors.name |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.vpc.subnetwork_name log field is mapped to the principal.resource_ancestors.name UDM field. |
jsonPayload.remote_vpc.vpc_name |
principal.resource_ancestors.name |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_vpc.vpc_name log field is mapped to the principal.resource_ancestors.name UDM field. |
jsonPayload.remote_vpc.subnetwork_name |
principal.resource_ancestors.name |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_vpc.subnetwork_name log field is mapped to the principal.resource_ancestors.name UDM field. |
jsonPayload.vpc.project_id |
principal.resource_ancestors.product_object_id |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.vpc.project_id log field is mapped to the principal.resource_ancestors.product_object_id UDM field. |
jsonPayload.remote_vpc.project_id |
principal.resource_ancestors.product_object_id |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_vpc.project_id log field is mapped to the principal.resource_ancestors.product_object_id UDM field. |
resource.labels.subnetwork_id |
principal.resource_ancestors.product_object_id |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the resource.labels.subnetwork_id log field is mapped to the principal.resource_ancestors.product_object_id UDM field. |
resource.type |
principal.resource_ancestors.resource_subtype |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the resource.type log field is mapped to the principal.resource_ancestors.resource_subtype UDM field. |
|
principal.resource_ancestors.resource_type |
If the jsonPayload.vpc.vpc_name log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the principal.resource_ancestors.resource_type UDM field is set to VPC_NETWORK.If the jsonPayload.vpc.project_id log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the principal.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT.If the jsonPayload.remote_vpc.vpc_name log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the principal.resource_ancestors.resource_type UDM field is set to VPC_NETWORK.If the jsonPayload.remote_vpc.project_id log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the principal.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT. |
jsonPayload.instance.zone |
principal.resource.attribute.cloud.availability_zone |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.instance.zone log field is mapped to the principal.resource.attribute.cloud.availability_zone UDM field. |
jsonPayload.remote_instance.zone |
principal.resource.attribute.cloud.availability_zone |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_instance.zone log field is mapped to the principal.resource.attribute.cloud.availability_zone UDM field. |
jsonPayload.instance.vm_name |
principal.resource.name |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.instance.vm_name log field is mapped to the principal.resource.name UDM field. |
jsonPayload.remote_instance.vm_name |
principal.resource.name |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.remote_instance.vm_name log field is mapped to the principal.resource.name UDM field. |
|
principal.resource.resource_type |
If the jsonPayload.instance.vm_name log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the principal.resource.resource_type UDM field is set to VIRTUAL_MACHINE.If the jsonPayload.remote_instance.vm_name log field value is not empty the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the principal.resource.resource_type UDM field is set to VIRTUAL_MACHINE. |
|
security_result.action |
If the jsonPayload.rule_details.disposition log field value is equal to ALLOWED, then the security_result.action UDM field is set to ALLOW.Else, if the jsonPayload.rule_details.disposition log field value is equal to DENIED, then the security_result.action UDM field is set to BLOCK. |
jsonPayload.disposition |
security_result.action_details |
|
jsonPayload.rule_details.reference |
security_result.description |
|
jsonPayload.rule_details.priority |
security_result.priority_details |
|
resource.labels.firewall_rule_id |
security_result.rule_id |
|
jsonPayload.rule_details.action |
security_result.rule_labels[rule_details_action] |
|
jsonPayload.rule_details.destination_address_groups |
security_result.rule_labels[rule_details_destination_address_groups] |
|
jsonPayload.rule_details.destination_fqdn |
security_result.rule_labels[rule_details_destination_fqdn] |
|
jsonPayload.rule_details.destination_range |
security_result.rule_labels[rule_details_destination_range] |
|
jsonPayload.rule_details.destination_region_code |
security_result.rule_labels[rule_details_destination_region_code] |
|
jsonPayload.rule_details.destination_threat_intelligence |
security_result.rule_labels[rule_details_destination_threat_intelligence] |
|
jsonPayload.rule_details.ip_port_info.ip_protocol |
security_result.rule_labels[rule_details_ip_port_info_ip_protocol] |
|
jsonPayload.rule_details.ip_port_info.port_range |
security_result.rule_labels[rule_details_ip_port_info_port_range] |
|
jsonPayload.rule_details.source_address_groups |
security_result.rule_labels[rule_details_source_address_groups] |
|
jsonPayload.rule_details.source_fqdn |
security_result.rule_labels[rule_details_source_fqdn] |
|
jsonPayload.rule_details.source_range |
security_result.rule_labels[rule_details_source_range] |
|
jsonPayload.rule_details.source_region_code |
security_result.rule_labels[rule_details_source_region_code] |
|
jsonPayload.rule_details.source_service_account |
security_result.rule_labels[rule_details_source_service_account] |
|
jsonPayload.rule_details.source_tag |
security_result.rule_labels[rule_details_source_tag] |
|
jsonPayload.rule_details.source_threat_intelligence |
security_result.rule_labels[rule_details_source_threat_intelligence] |
|
jsonPayload.rule_details.target_service_account |
security_result.rule_labels[rule_details_target_service_account] |
|
jsonPayload.rule_details.target_tag |
security_result.rule_labels[rule_details_target_tag] |
|
|
security_result.rule_name |
Extracted rule_name from jsonPayload.rule_details.reference using Grok pattern and mapped it to the security_result.rule_name UDM field. |
jsonPayload.connection.dest_ip |
target.ip |
|
jsonPayload.remote_location.continent |
target.labels[remote_location_continent] (deprecated) |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_location.continent log field is mapped to the target.labels.remote_location_continent UDM field. |
jsonPayload.remote_location.continent |
additional.fields[remote_location_continent] |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_location.continent log field is mapped to the additional.fields.remote_location_continent UDM field. |
jsonPayload.remote_location.city |
target.location.city |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_location.city log field is mapped to the target.location.city UDM field. |
jsonPayload.remote_location.country |
target.location.country_or_region |
If the jsonPayload.remote_location.country log field value is not empty or the jsonPayload.remote_location.region log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_location.country jsonPayload.remote_location.region log field is mapped to the target.location.country_or_region UDM field. |
jsonPayload.remote_location.region |
target.location.country_or_region |
If the jsonPayload.remote_location.country log field value is not empty or the jsonPayload.remote_location.region log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_location.country jsonPayload.remote_location.region log field is mapped to the target.location.country_or_region UDM field. |
jsonPayload.instance.region |
target.location.name |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.instance.region log field is mapped to the target.location.name UDM field. |
jsonPayload.remote_instance.region |
target.location.name |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_instance.region log field is mapped to the target.location.name UDM field. |
jsonPayload.connection.dest_port |
target.port |
|
resource.labels.location |
target.resource_ancestors.attribute.cloud.availability_zone |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the resource.labels.location log field is mapped to the target.resource_ancestors.attribute.cloud.availability_zone UDM field. |
jsonPayload.vpc.vpc_name |
target.resource_ancestors.name |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.vpc.vpc_name log field is mapped to the target.resource_ancestors.name UDM field. |
jsonPayload.vpc.subnetwork_name |
target.resource_ancestors.name |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.vpc.subnetwork_name log field is mapped to the target.resource_ancestors.name UDM field. |
jsonPayload.remote_vpc.vpc_name |
target.resource_ancestors.name |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_vpc.vpc_name log field is mapped to the target.resource_ancestors.name UDM field. |
jsonPayload.remote_vpc.subnetwork_name |
target.resource_ancestors.name |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_vpc.subnetwork_name log field is mapped to the target.resource_ancestors.name UDM field. |
jsonPayload.vpc.project_id |
target.resource_ancestors.product_object_id |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.vpc.project_id log field is mapped to the target.resource_ancestors.product_object_id UDM field. |
jsonPayload.remote_vpc.project_id |
target.resource_ancestors.product_object_id |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_vpc.project_id log field is mapped to the target.resource_ancestors.product_object_id UDM field. |
resource.labels.subnetwork_id |
target.resource_ancestors.product_object_id |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the resource.labels.subnetwork_id log field is mapped to the target.resource_ancestors.product_object_id UDM field. |
resource.type |
target.resource_ancestors.resource_subtype |
|
|
target.resource_ancestors.resource_type |
If the jsonPayload.remote_vpc.vpc_name log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK.If the jsonPayload.remote_vpc.project_id log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the target.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT.If the jsonPayload.vpc.vpc_name log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK.If the jsonPayload.vpc.project_id log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the target.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT. |
jsonPayload.instance.zone |
target.resource.attribute.cloud.availability_zone |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.instance.zone log field is mapped to the target.resource.attribute.cloud.availability_zone UDM field. |
jsonPayload.remote_instance.zone |
target.resource.attribute.cloud.availability_zone |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_instance.zone log field is mapped to the target.resource.attribute.cloud.availability_zone UDM field. |
jsonPayload.instance.vm_name |
target.resource.name |
If the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the jsonPayload.instance.vm_name log field is mapped to the target.resource.product_object_id UDM field. |
jsonPayload.remote_instance.vm_name |
target.resource.name |
If the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the jsonPayload.remote_instance.vm_name log field is mapped to the target.resource.name UDM field. |
|
target.resource.resource_type |
If the jsonPayload.remote_instance.vm_name log field value is not empty and the jsonPayload.rule_details.direction log field value is equal to EGRESS, then the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE.If the jsonPayload.instance.vm_name log field value is not empty the jsonPayload.rule_details.direction log field value is equal to INGRESS, then the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE. |