Google Cloud IDS ログを収集する
このドキュメントでは、Google Security Operations への Google Cloud テレメトリーの取り込みを有効にして Google Cloud DNS ログを収集する方法と、Google Cloud DNS ログのログフィールドが Google Security Operations の統合データモデル(UDM)フィールドにマッピングする方法について説明します。
詳細については、Google Security Operations へのデータの取り込みの概要をご覧ください。
一般的なデプロイは、Google Security Operations への取り込みが有効になっている Google Cloud IDS ログで構成されています。お客様のデプロイはそれぞれこの表現とは異なる可能性があり、より複雑になることがあります。
デプロイには次のコンポーネントが含まれます。
Google Cloud: ログの収集元となる Google Cloud のサービスとプロダクト。
Google Cloud IDS のログ: Google Security Operations への取り込みが有効になっている Google Cloud IDS のログ。
Google Security Operations: Google Security Operations が Google Cloud IDS のログを保持して分析します。
取り込みラベルによって、未加工のログデータを構造化 UDM 形式に正規化するパーサーが識別されます。このドキュメントの情報は、取り込みラベル GCP_IDS が付加されたパーサーに適用されます。
準備
- デプロイ アーキテクチャ内のすべてのシステムが、UTC タイムゾーンに構成されていることを確認します。
Google Cloud IDS ログを取り込むように Google Cloud を構成する
Google Cloud IDS ログを Google Security Operations に取り込むには、 Google Cloud のログを Google Security Operations に取り込むのページの手順に沿って操作します。
Google Cloud IDS ログを取り込むときに問題が発生した場合は、Google Security Operations サポートにお問い合わせください。
サポートされている Google Cloud IDS ログ形式
Google Cloud IDS パーサーは JSON 形式のログをサポートしています。
サポートされている Google Cloud IDS サンプルログ
JSON:
{ "insertId": "5cb7ac422679042bcd8f0a84700c23c0-1@a1", "jsonPayload": { "alert_severity": "INFORMATIONAL", "alert_time": "2021-09-08T12:10:19Z", "application": "ssl", "category": "protocol-anomaly", "destination_ip_address": "198.51.100.0", "destination_port": "443", "details": "This signature detects suspicious and non-RFC compliant SSL traffic on port 443. This could be associated with applications sending non SSL traffic using port 443 or indicate possible malicious activity.", "direction": "client-to-server", "ip_protocol": "tcp", "name": "Non-RFC Compliant SSL Traffic on Port 443", "network": "abcd-prod-pod111-shared", "repeat_count": "1", "session_id": "1457377", "source_ip_address": "198.51.100.0", "source_port": "62543", "threat_id": "56112", "type": "vulnerability", "uri_or_filename": "" }, "logName": "projects/abcd-prod-mnop-pod555-infra/logs/ids.googleapis.com%2Fthreat", "receiveTimestamp": "2021-09-08T12:10:23.953458826Z", "resource": { "labels": { "id": "abcd-prod-mnop-pod555-cloudidsendpoint-info", "location": "us-central1-a", "resource_container": "projects/158110290042" }, "type": "ids.googleapis.com/Endpoint" }, "timestamp": "2021-09-08T12:10:19Z" }
フィールド マッピング リファレンス
フィールド マッピング リファレンス: GCP_IDS
次の表に、GCP_IDS ログタイプのログ フィールドと、対応する UDM フィールドを示します。
| Log field | UDM mapping | Logic |
|---|---|---|
insertId |
metadata.product_log_id |
|
jsonPayload.alert_severity |
security_result.severity |
|
jsonPayload.alert_time |
metadata.event_timestamp |
|
jsonPayload.application |
principal.application |
If the jsonPayload.direction log field value is equal to server-to-client, then the jsonPayload.application log field is mapped to the principal.application UDM field. |
jsonPayload.application |
target.application |
If the jsonPayload.direction log field value is equal to client-to-server or the logName log field value matches the regular expression pattern traffic, then the jsonPayload.application log field is mapped to the target.application UDM field. |
jsonPayload.category |
security_result.category_details |
|
jsonPayload.cves |
extensions.vulns.vulnerabilities.cve_id |
If the jsonPayload.cves log field value is not empty, then the jsonPayload.cves log field is mapped to the extensions.vulns.vulnerabilities.cve_id UDM field. |
jsonPayload.destination_ip_address |
target.ip |
|
jsonPayload.destination_port |
target.port |
|
jsonPayload.details |
extensions.vulns.vulnerabilities.description |
If the jsonPayload.cves log field value is not empty, then the jsonPayload.details log field is mapped to the extensions.vulns.vulnerabilities.description UDM field. |
jsonPayload.direction |
network.direction |
If the jsonPayload.direction log field value is equal to client-to-server, then the network.direction UDM field is set to OUTBOUND.Else, if the jsonPayload.direction log field value is equal to server-to-client, then the network.direction UDM field is set to INBOUND. |
jsonPayload.elapsed_time |
network.session_duration.seconds |
|
jsonPayload.ip_protocol |
network.ip_protocol |
If the jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to ICMP.
jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to IGMP.
jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to TCP.
jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to UDP.
jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to IP6IN4.
jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to GRE.
jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to ESP.
jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to EIGRP.
jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to ETHERIP.
jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to PIM.
jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to VRRP.
|
jsonPayload.name |
security_result.threat_name |
|
jsonPayload.network |
target.resource.name |
If the jsonPayload.direction log field value is equal to client-to-server or the logName log field value matches the regular expression pattern traffic, then the jsonPayload.network log field is mapped to the target.resource.name UDM field. |
jsonPayload.network |
principal.resource.name |
If the jsonPayload.direction log field value is equal to server-to-client, then the jsonPayload.network log field is mapped to the principal.resource.name UDM field. |
|
target.resource.resource_type |
If the jsonPayload.direction log field value is equal to client-to-server or the logName log field value matches the regular expression pattern traffic, then the target.resource.resource_type UDM field is set to VPC_NETWORK. |
|
principal.resource.resource_type |
If the jsonPayload.direction log field value is equal to server-to-client, then the principal.resource.resource_type UDM field is set to VPC_NETWORK. |
jsonPayload.repeat_count |
security_result.detection_fields[repeat_count] |
|
jsonPayload.session_id |
network.session_id |
|
jsonPayload.source_ip_address |
principal.ip |
|
jsonPayload.source_port |
principal.port |
|
jsonPayload.start_time |
about.labels[start_time] (deprecated) |
|
jsonPayload.start_time |
additional.fields[start_time] |
|
jsonPayload.threat_id |
security_result.threat_id |
|
jsonPayload.total_bytes |
about.labels[total_bytes] (deprecated) |
|
jsonPayload.total_bytes |
additional.fields[total_bytes] |
|
jsonPayload.total_packets |
about.labels[total_packets] (deprecated) |
|
jsonPayload.total_packets |
additional.fields[total_packets] |
|
jsonPayload.type |
security_result.detection_fields[type] |
|
jsonPayload.uri_or_filename |
target.file.full_path |
|
logName |
security_result.category_details |
|
receiveTimestamp |
metadata.collected_timestamp |
|
resource.labels.id |
observer.resource.product_object_id |
|
resource.labels.location |
observer.location.name |
|
resource.labels.resource_container |
observer.resource.name |
|
resource.type |
observer.resource.resource_subtype |
|
timestamp |
metadata.event_timestamp |
If the logName log field value matches the regular expression pattern traffic, then the timestamp log field is mapped to the metadata.event_timestamp UDM field. |
|
observer.resource.resource_type |
The observer.resource.resource_type UDM field is set to CLOUD_PROJECT. |
|
observer.resource.attribute.cloud.environment |
The observer.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
|
security_result.category |
If the jsonPayload.category log field value is equal to dos, then the security_result.category UDM field is set to NETWORK_DENIAL_OF_SERVICE.Else, if the jsonPayload.category log field value is equal to info-leak, then the security_result.category UDM field is set to NETWORK_SUSPICIOUS.Else, if the jsonPayload.category log field value is equal to protocol-anomaly, then the security_result.category UDM field is set to NETWORK_MALICIOUS.Else, if the jsonPayload.category log field value contains one of the following values, then the security_result.category UDM field is set to SOFTWARE_MALICIOUS.
|
|
extensions.vulns.vulnerabilities.vendor |
if the jsonPayload.cves log field value is not empty, then the extensions.vulns.vulnerabilities.vendor UDM field is set to GCP_IDS. |
|
metadata.product_name |
The metadata.product_name UDM field is set to GCP_IDS. |
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to Google Cloud Platform. |
|
metadata.event_type |
If the jsonPayload.cves log field value is not empty, then the metadata.event_type UDM field is set to SCAN_VULN_NETWROK.Else, if the jsonPayload.source_ip_address log field value is not empty, then the metadata.event_type UDM field is set to SCAN_NETWORK.Else, the metadata.event_type UDM field is set to GENERIC_EVENT. |
次のステップ
さらにサポートが必要な場合 コミュニティ メンバーや Google SecOps のプロフェッショナルから回答を得ることができます。