Esta página se ha traducido con Cloud Translation API.

Recoger registros de Google Cloud IDS

En este documento se describe cómo puede recoger registros de Google Cloud IDS habilitando la Google Cloud ingestión de telemetría en Google Security Operations y cómo se asignan los campos de registro de Google Cloud IDS a los campos del modelo de datos unificado (UDM) de Google Security Operations.

Para obtener más información, consulta Ingestión de datos en Google Security Operations.

Un despliegue típico consiste en registros de Google Cloud IDS habilitados para la ingestión en Google Security Operations. Cada implementación de cliente puede ser diferente de esta representación y puede ser más compleja.

La implementación contiene los siguientes componentes:

Google Cloud: los Google Cloud servicios y productos de los que recoges registros.
Registros de Google Cloud IDS: los registros de Google Cloud IDS que se han habilitado para la ingesta en Google Security Operations.
Google Security Operations: Google Security Operations conserva y analiza los registros de Google Cloud IDS.

Una etiqueta de ingestión identifica el analizador que normaliza los datos de registro sin procesar en formato UDM estructurado. La información de este documento se aplica al analizador con la etiqueta de ingestión GCP_IDS.

Antes de empezar

Asegúrate de que todos los sistemas de la arquitectura de implementación estén configurados en la zona horaria UTC.

Configurar Google Cloud para ingerir registros de Google Cloud IDS

Para ingerir registros de Google Cloud IDS en Google Security Operations, sigue los pasos que se indican en la página Ingerir Google Cloud registros en Google Security Operations.

Si tienes problemas al ingerir registros de Google Cloud IDS, ponte en contacto con el equipo de Asistencia de Google Security Operations.

Formatos de registro admitidos de Google Cloud IDS

El analizador de Google Cloud IDS admite registros en formato JSON.

Registros de ejemplo de Google Cloud IDS admitidos

JSON:

{
  "insertId": "5cb7ac422679042bcd8f0a84700c23c0-1@a1",
  "jsonPayload": {
    "alert_severity": "INFORMATIONAL",
    "alert_time": "2021-09-08T12:10:19Z",
    "application": "ssl",
    "category": "protocol-anomaly",
    "destination_ip_address": "198.51.100.0",
    "destination_port": "443",
    "details": "This signature detects suspicious and non-RFC compliant SSL traffic on port 443. This could be associated with applications sending non SSL traffic using port 443 or indicate possible malicious activity.",
    "direction": "client-to-server",
    "ip_protocol": "tcp",
    "name": "Non-RFC Compliant SSL Traffic on Port 443",
    "network": "abcd-prod-pod111-shared",
    "repeat_count": "1",
    "session_id": "1457377",
    "source_ip_address": "198.51.100.0",
    "source_port": "62543",
    "threat_id": "56112",
    "type": "vulnerability",
    "uri_or_filename": ""
  },
  "logName": "projects/abcd-prod-mnop-pod555-infra/logs/ids.googleapis.com%2Fthreat",
  "receiveTimestamp": "2021-09-08T12:10:23.953458826Z",
  "resource": {
    "labels": {
      "id": "abcd-prod-mnop-pod555-cloudidsendpoint-info",
      "location": "us-central1-a",
      "resource_container": "projects/158110290042"
    },
    "type": "ids.googleapis.com/Endpoint"
  },
  "timestamp": "2021-09-08T12:10:19Z"
}

Referencia de asignación de campos

Referencia de asignación de campos: GCP_IDS

En la siguiente tabla se enumeran los campos de registro del tipo de registro GCP_IDS y sus campos de UDM correspondientes.

Log field	UDM mapping	Logic
`insertId`	`metadata.product_log_id`
`jsonPayload.alert_severity`	`security_result.severity`
`jsonPayload.alert_time`	`metadata.event_timestamp`
`jsonPayload.application`	`principal.application`	If the `jsonPayload.direction` log field value is equal to `server-to-client`, then the `jsonPayload.application` log field is mapped to the `principal.application` UDM field.
`jsonPayload.application`	`target.application`	If the `jsonPayload.direction` log field value is equal to `client-to-server` or the `logName` log field value matches the regular expression pattern `traffic`, then the `jsonPayload.application` log field is mapped to the `target.application` UDM field.
`jsonPayload.category`	`security_result.category_details`
`jsonPayload.cves`	`extensions.vulns.vulnerabilities.cve_id`	If the `jsonPayload.cves` log field value is not empty, then the `jsonPayload.cves` log field is mapped to the `extensions.vulns.vulnerabilities.cve_id` UDM field.
`jsonPayload.destination_ip_address`	`target.ip`
`jsonPayload.destination_port`	`target.port`
`jsonPayload.details`	`extensions.vulns.vulnerabilities.description`	If the `jsonPayload.cves` log field value is not empty, then the `jsonPayload.details` log field is mapped to the `extensions.vulns.vulnerabilities.description` UDM field.
`jsonPayload.direction`	`network.direction`	If the `jsonPayload.direction` log field value is equal to `client-to-server`, then the `network.direction` UDM field is set to `OUTBOUND`. Else, if the `jsonPayload.direction` log field value is equal to `server-to-client`, then the `network.direction` UDM field is set to `INBOUND`.
`jsonPayload.elapsed_time`	`network.session_duration.seconds`
`jsonPayload.ip_protocol`	`network.ip_protocol`	If the `jsonPayload.ip_protocol` log field value contains one of the following values, then the `network.ip_protocol` UDM field is set to `ICMP`. `1` `ICMP` `ICMPV6` `58` `1.0` `58.0` Else, if the `jsonPayload.ip_protocol` log field value contains one of the following values, then the `network.ip_protocol` UDM field is set to `IGMP`. `2` `IGMP` `2.0` Else, if the `jsonPayload.ip_protocol` log field value contains one of the following values, then the `network.ip_protocol` UDM field is set to `TCP`. `6` `TCP` `6.0` Else, if the `jsonPayload.ip_protocol` log field value contains one of the following values, then the `network.ip_protocol` UDM field is set to `UDP`. `17` `UDP` `17.0` Else, if the `jsonPayload.ip_protocol` log field value contains one of the following values, then the `network.ip_protocol` UDM field is set to `IP6IN4`. `41` `IP6IN4` `41.0` Else, if the `jsonPayload.ip_protocol` log field value contains one of the following values, then the `network.ip_protocol` UDM field is set to `GRE`. `47` `GRE` `47.0` Else, if the `jsonPayload.ip_protocol` log field value contains one of the following values, then the `network.ip_protocol` UDM field is set to `ESP`. `50` `ESP` `50.0` Else, if the `jsonPayload.ip_protocol` log field value contains one of the following values, then the `network.ip_protocol` UDM field is set to `EIGRP`. `88` `EIGRP` `88.0` Else, if the `jsonPayload.ip_protocol` log field value contains one of the following values, then the `network.ip_protocol` UDM field is set to `ETHERIP`. `97` `ETHERIP` `97.0` Else, if the `jsonPayload.ip_protocol` log field value contains one of the following values, then the `network.ip_protocol` UDM field is set to `PIM`. `103` `PIM` `103.0` Else, if the `jsonPayload.ip_protocol` log field value contains one of the following values, then the `network.ip_protocol` UDM field is set to `VRRP`. `112` `VRRP` `112.0`
`jsonPayload.name`	`security_result.threat_name`
`jsonPayload.network`	`target.resource.name`	If the `jsonPayload.direction` log field value is equal to `client-to-server` or the `logName` log field value matches the regular expression pattern `traffic`, then the `jsonPayload.network` log field is mapped to the `target.resource.name` UDM field.
`jsonPayload.network`	`principal.resource.name`	If the `jsonPayload.direction` log field value is equal to `server-to-client`, then the `jsonPayload.network` log field is mapped to the `principal.resource.name` UDM field.
	`target.resource.resource_type`	If the `jsonPayload.direction` log field value is equal to `client-to-server` or the `logName` log field value matches the regular expression pattern `traffic`, then the `target.resource.resource_type` UDM field is set to `VPC_NETWORK`.
	`principal.resource.resource_type`	If the `jsonPayload.direction` log field value is equal to `server-to-client`, then the `principal.resource.resource_type` UDM field is set to `VPC_NETWORK`.
`jsonPayload.repeat_count`	`security_result.detection_fields[repeat_count]`
`jsonPayload.session_id`	`network.session_id`
`jsonPayload.source_ip_address`	`principal.ip`
`jsonPayload.source_port`	`principal.port`
`jsonPayload.start_time`	`about.labels[start_time]` (deprecated)
`jsonPayload.start_time`	`additional.fields[start_time]`
`jsonPayload.threat_id`	`security_result.threat_id`
`jsonPayload.total_bytes`	`about.labels[total_bytes]` (deprecated)
`jsonPayload.total_bytes`	`additional.fields[total_bytes]`
`jsonPayload.total_packets`	`about.labels[total_packets]` (deprecated)
`jsonPayload.total_packets`	`additional.fields[total_packets]`
`jsonPayload.type`	`security_result.detection_fields[type]`
`jsonPayload.uri_or_filename`	`target.file.full_path`
`logName`	`security_result.category_details`
`receiveTimestamp`	`metadata.collected_timestamp`
`resource.labels.id`	`observer.resource.product_object_id`
`resource.labels.location`	`observer.location.name`
`resource.labels.resource_container`	`observer.resource.name`
`resource.type`	`observer.resource.resource_subtype`
`timestamp`	`metadata.event_timestamp`	If the `logName` log field value matches the regular expression pattern `traffic`, then the `timestamp` log field is mapped to the `metadata.event_timestamp` UDM field.
	`observer.resource.resource_type`	The `observer.resource.resource_type` UDM field is set to `CLOUD_PROJECT`.
	`observer.resource.attribute.cloud.environment`	The `observer.resource.attribute.cloud.environment` UDM field is set to `GOOGLE_CLOUD_PLATFORM`.
	`security_result.category`	If the `jsonPayload.category` log field value is equal to `dos`, then the `security_result.category` UDM field is set to `NETWORK_DENIAL_OF_SERVICE`. Else, if the `jsonPayload.category` log field value is equal to `info-leak`, then the `security_result.category` UDM field is set to `NETWORK_SUSPICIOUS`. Else, if the `jsonPayload.category` log field value is equal to `protocol-anomaly`, then the `security_result.category` UDM field is set to `NETWORK_MALICIOUS`. Else, if the `jsonPayload.category` log field value contains one of the following values, then the `security_result.category` UDM field is set to `SOFTWARE_MALICIOUS`. `backdoor` `spyware` `trojan`
	`extensions.vulns.vulnerabilities.vendor`	if the `jsonPayload.cves` log field value is not empty, then the `extensions.vulns.vulnerabilities.vendor` UDM field is set to `GCP_IDS`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `GCP_IDS`.
	`metadata.vendor_name`	The `metadata.vendor_name` UDM field is set to `Google Cloud Platform`.
	`metadata.event_type`	If the `jsonPayload.cves` log field value is not empty, then the `metadata.event_type` UDM field is set to `SCAN_VULN_NETWROK`. Else, if the `jsonPayload.source_ip_address` log field value is not empty, then the `metadata.event_type` UDM field is set to `SCAN_NETWORK`. Else, the `metadata.event_type` UDM field is set to `GENERIC_EVENT`.

Siguientes pasos

Ingestión de datos en Google Security Operations

¿Necesitas más ayuda? Recibe respuestas de los miembros de la comunidad y de los profesionales de Google SecOps.