Google Cloud IDS-Logs erfassen
In diesem Dokument wird beschrieben, wie Sie Google Cloud IDS-Logs erfassen können, indem Sie die Aufnahme von Google Cloud-Telemetriedaten in Chronicle aktivieren. Außerdem erfahren Sie, wie Logfelder von Google Cloud IDS-Logs den Feldern von Chronicle Unified Data Model (UDM) zugeordnet werden.
Weitere Informationen finden Sie unter Datenaufnahme in Chronicle.
Eine typische Bereitstellung besteht aus Google Cloud IDS-Logs, die für die Aufnahme in Chronicle aktiviert sind. Jede Kundenbereitstellung kann sich von dieser Darstellung unterscheiden und komplexer sein.
Die Bereitstellung enthält die folgenden Komponenten:
Google Cloud: Die Google Cloud-Dienste und -Produkte, für die Sie Logs erfassen.
Google Cloud IDS-Logs: Die Google Cloud IDS-Logs, die für die Aufnahme in Chronicle aktiviert sind.
Chronicle: Chronicle speichert und analysiert die Logs von Google Cloud IDS.
Ein Aufnahmelabel identifiziert den Parser, der die Log-Rohdaten in das strukturierte UDM-Format normalisiert. Die Informationen in diesem Dokument gelten für den Parser mit dem Aufnahmelabel GCP_IDS
.
Hinweise
- Achten Sie darauf, dass alle Systeme in der Bereitstellungsarchitektur in der UTC-Zeitzone konfiguriert sind.
Google Cloud für die Aufnahme von Google Cloud IDS-Logs konfigurieren
Führen Sie die Schritte auf der Seite Google Cloud-Logs in Chronicle aufnehmen aus, um Google Cloud IDS-Logs in Chronicle aufzunehmen.
Wenn beim Aufnehmen von Google Cloud IDS-Logs Probleme auftreten, wenden Sie sich an den Chronicle-Support.
Referenz zur Feldzuordnung
Referenz zur Feldzuordnung: GCP_IDS
In der folgenden Tabelle sind die Logfelder des Logtyps GCP_IDS
und die entsprechenden UDM-Felder aufgeführt.
Log field | UDM mapping | Logic |
---|---|---|
insertId |
metadata.product_log_id |
|
jsonPayload.alert_severity |
security_result.severity |
|
jsonPayload.alert_time |
metadata.event_timestamp |
|
jsonPayload.application |
principal.application |
If the jsonPayload.direction log field value is equal to server-to-client , then the jsonPayload.application log field is mapped to the principal.application UDM field. |
jsonPayload.application |
target.application |
If the jsonPayload.direction log field value is equal to client-to-server or the logName log field value matches the regular expression pattern traffic , then the jsonPayload.application log field is mapped to the target.application UDM field. |
jsonPayload.category |
security_result.category_details |
|
jsonPayload.cves |
extensions.vulns.vulnerabilities.cve_id |
If the jsonPayload.cves log field value is not empty, then the jsonPayload.cves log field is mapped to the extensions.vulns.vulnerabilities.cve_id UDM field. |
jsonPayload.destination_ip_address |
target.ip |
|
jsonPayload.destination_port |
target.port |
|
jsonPayload.details |
extensions.vulns.vulnerabilities.description |
If the jsonPayload.cves log field value is not empty, then the jsonPayload.details log field is mapped to the extensions.vulns.vulnerabilities.description UDM field. |
jsonPayload.direction |
network.direction |
If the jsonPayload.direction log field value is equal to client-to-server , then the network.direction UDM field is set to OUTBOUND .Else, if the jsonPayload.direction log field value is equal to server-to-client , then the network.direction UDM field is set to INBOUND . |
jsonPayload.elapsed_time |
network.session_duration.seconds |
|
jsonPayload.ip_protocol |
network.ip_protocol |
If the jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to ICMP .
jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to IGMP .
jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to TCP .
jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to UDP .
jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to IP6IN4 .
jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to GRE .
jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to ESP .
jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to EIGRP .
jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to ETHERIP .
jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to PIM .
jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to VRRP .
|
jsonPayload.name |
security_result.threat_name |
|
jsonPayload.network |
target.resource.name |
If the jsonPayload.direction log field value is equal to client-to-server or the logName log field value matches the regular expression pattern traffic , then the jsonPayload.network log field is mapped to the target.resource.name UDM field. |
jsonPayload.network |
principal.resource.name |
If the jsonPayload.direction log field value is equal to server-to-client , then the jsonPayload.network log field is mapped to the principal.resource.name UDM field. |
|
target.resource.resource_type |
If the jsonPayload.direction log field value is equal to client-to-server or the logName log field value matches the regular expression pattern traffic , then the target.resource.resource_type UDM field is set to VPC_NETWORK . |
|
principal.resource.resource_type |
If the jsonPayload.direction log field value is equal to server-to-client , then the principal.resource.resource_type UDM field is set to VPC_NETWORK . |
jsonPayload.repeat_count |
security_result.detection_fields[repeat_count] |
|
jsonPayload.session_id |
network.session_id |
|
jsonPayload.source_ip_address |
principal.ip |
|
jsonPayload.source_port |
principal.port |
|
jsonPayload.start_time |
about.labels[start_time] |
|
jsonPayload.threat_id |
security_result.threat_id |
|
jsonPayload.total_bytes |
about.labels[total_bytes] |
|
jsonPayload.total_packets |
about.labels[total_packets] |
|
jsonPayload.type |
security_result.detection_fields[type] |
|
jsonPayload.uri_or_filename |
target.file.full_path |
|
logName |
security_result.category_details |
|
receiveTimestamp |
metadata.collected_timestamp |
|
resource.labels.id |
observer.resource.product_object_id |
|
resource.labels.location |
observer.location.name |
|
resource.labels.resource_container |
observer.resource.name |
|
resource.type |
observer.resource.resource_subtype |
|
timestamp |
metadata.event_timestamp |
If the logName log field value matches the regular expression pattern traffic , then the timestamp log field is mapped to the metadata.event_timestamp UDM field. |
|
observer.resource.resource_type |
The observer.resource.resource_type UDM field is set to CLOUD_PROJECT . |
|
observer.resource.attribute.cloud.environment |
The observer.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM . |
|
idm.is_alert |
If the jsonPayload.alert_severity log field value is equal to CRITICAL , then the idm.is_alert UDM field is set to true . |
|
idm.is_significant |
If the jsonPayload.alert_severity log field value is equal to CRITICAL , then the idm.is_significant UDM field is set to true . |
|
security_result.category |
If the jsonPayload.category log field value is equal to dos , then the security_result.category UDM field is set to NETWORK_DENIAL_OF_SERVICE .Else, if the jsonPayload.category log field value is equal to info-leak , then the security_result.category UDM field is set to NETWORK_SUSPICIOUS .Else, if the jsonPayload.category log field value is equal to protocol-anomaly , then the security_result.category UDM field is set to NETWORK_MALICIOUS .Else, if the jsonPayload.category log field value contains one of the following values, then the security_result.category UDM field is set to SOFTWARE_MALICIOUS .
|
|
extensions.vulns.vulnerabilities.vendor |
if the jsonPayload.cves log field value is not empty, then the extensions.vulns.vulnerabilities.vendor UDM field is set to GCP_IDS . |
|
metadata.product_name |
The metadata.product_name UDM field is set to GCP_IDS . |
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to Google Cloud Platform . |
|
metadata.event_type |
If the jsonPayload.cves log field value is not empty, then the metadata.event_type UDM field is set to SCAN_VULN_NETWROK .Else, if the jsonPayload.source_ip_address log field value is not empty, then the metadata.event_type UDM field is set to SCAN_NETWORK .Else, the metadata.event_type UDM field is set to GENERIC_EVENT . |