이 문서에서는 Google Cloud를 사용하여 VPC 흐름 로그를 Google Security Operations로 내보내는 방법을 설명합니다. 파서는 로그를 기본 제공 JSON 형식에서 Google Security Operations UDM으로 변환합니다. 소스 및 대상 IP, 포트, 프로토콜, 전송된 바이트와 같은 관련 필드를 추출한 다음 네트워크 방향과 특수한 사례를 고려하여 Google SecOps에서 정확하게 표현할 수 있도록 해당 UDM 필드에 매핑합니다.
[[["이해하기 쉬움","easyToUnderstand","thumb-up"],["문제가 해결됨","solvedMyProblem","thumb-up"],["기타","otherUp","thumb-up"]],[["이해하기 어려움","hardToUnderstand","thumb-down"],["잘못된 정보 또는 샘플 코드","incorrectInformationOrSampleCode","thumb-down"],["필요한 정보/샘플이 없음","missingTheInformationSamplesINeed","thumb-down"],["번역 문제","translationIssue","thumb-down"],["기타","otherDown","thumb-down"]],["최종 업데이트: 2025-09-04(UTC)"],[[["\u003cp\u003eThis guide explains how to export Google Cloud VPC Flow Logs to Google Security Operations (SecOps) and map the logs to the Unified Data Model (UDM).\u003c/p\u003e\n"],["\u003cp\u003eThe process involves creating a Google Cloud Storage bucket, configuring log export from Google Cloud VPC Flow to the bucket, and setting up a feed in Google SecOps to ingest these logs.\u003c/p\u003e\n"],["\u003cp\u003eBefore starting, users need a Google SecOps instance, active VPC Flow in their Google Cloud environment, and privileged access to Google Cloud.\u003c/p\u003e\n"],["\u003cp\u003eThe UDM mapping table outlines how various fields from the Cloud VPC Flow Logs are transformed and mapped to specific UDM fields within Google Security Operations, covering details like IP addresses, ports, protocols, and more.\u003c/p\u003e\n"],["\u003cp\u003eThe mapping of various fields has been updated and enhanced multiple times, including changes in \u003ccode\u003eprincipal\u003c/code\u003e and \u003ccode\u003etarget\u003c/code\u003e fields, as well as adding mappings for details about \u003ccode\u003egke\u003c/code\u003e and \u003ccode\u003eresources\u003c/code\u003e from \u003ccode\u003ejsonPayload\u003c/code\u003e.\u003c/p\u003e\n"]]],[],null,["# Collect VPC Flow Logs\n=====================\n\nSupported in: \nGoogle secops [SIEM](/chronicle/docs/secops/google-secops-siem-toc)\n| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).\n\nThis document explains how to export VPC Flow Logs to Google Security Operations using Google Cloud. The parser transforms the logs from their built-in JSON format into the Google Security Operations UDM. It extracts relevant fields like source and destination IP, port, protocol, and bytes sent, then maps them to corresponding UDM fields, taking into account network direction and special cases for accurate representation in Google SecOps.\n\nBefore You Begin\n----------------\n\nEnsure that you have the following prerequisites:\n\n- Google SecOps instance.\n- VPC Flow is set up and active in your Google Cloud environment.\n- Privileged access to Google Cloud.\n\nCreate a Google Cloud Storage Bucket\n------------------------------------\n\n1. Sign in to the [Google Cloud console](https://console.cloud.google.com/).\n2. Go to the **Cloud Storage Buckets** page.\n\n [Go to Buckets](https://console.cloud.google.com/storage/browser)\n3. Click **Create**.\n\n4. On the **Create a bucket** page, enter your bucket information. After each of the following steps, click **Continue** to proceed to the next step:\n\n 1. In the **Get started** section, do the following:\n\n 1. Enter a unique name that meets the bucket name requirements; for example, **vpcflow-logs**.\n 2. To enable hierarchical namespace, click the expander arrow to expand the **Optimize for file oriented and data-intensive workloads** section, and then select **Enable Hierarchical namespace on this bucket**.\n\n | **Note:** You cannot enable hierarchical namespace in an existing bucket.\n 3. To add a bucket label, click the expander arrow to expand the **Labels** section.\n\n 4. Click **Add label**, and specify a key and a value for your label.\n\n 2. In the **Choose where to store your data** section, do the following:\n\n 1. Select a **Location type**.\n 2. Use the location type menu to select a **Location** where object data within your bucket will be permanently stored.\n\n | **Note:** If you select the **dual-region** location type, you can also choose to enable **turbo replication** by using the relevant checkbox.\n 3. To set up cross-bucket replication, expand the **Set up cross-bucket replication** section.\n\n 3. In the **Choose a storage class for your data** section, either select a **default storage class** for the bucket, or select **Autoclass** for automatic storage class management of your bucket's data.\n\n 4. In the **Choose how to control access to objects** section, select **not** to enforce **public access prevention** , and select an **access control model** for your bucket's objects.\n\n | **Note:** If public access prevention is already enforced by your project's organization policy, the **Prevent public access** checkbox is locked.\n 5. In the Choose how to protect object data section, do the following:\n\n 1. Select any of the options under Data protection that you want to set for your bucket.\n 2. To choose how your object data will be encrypted, click the expander arrow labeled **Data encryption** , and select a **Data encryption method**.\n5. Click **Create**.\n\n| **Note:** Be sure to provide your Google SecOps Service Account with permissions to **Read** or **Read \\& Write** to the newly created bucket.\n\nConfigure Log Export in Google Cloud VPC Flow\n---------------------------------------------\n\n1. Sign in to **Google Cloud** account using your privileged account.\n2. On **Welcome** page, click **VPC Networks**.\n3. Click **Default** and a subnet page should appear.\n4. Select **all logs**.\n5. Click **Flow Logs \\\u003e Configure**.\n6. Select **Aggregation Interval** ; for example, **30 SEC**.\n7. Provide **Sample Rate** ; for example, **50%**.\n8. Click **Save**\n9. Search **Logging** in the search bar and click **Enter**.\n10. In **Log Explorer** , filter the logs by choosing **VPC_flows** in the **Log Name** and click **Apply**.\n11. Click **More Actions**.\n12. Click **Create Sink**.\n13. Provide the following configurations:\n 1. **Sink Details**: enter a name and description.\n 2. Click **Next**.\n 3. **Sink Destination** : select **Cloud Storage Bucket**.\n 4. **Cloud Storage Bucket**: select the bucket created earlier or create a new bucket.\n 5. Click **Next**.\n 6. **Choose Logs to include in Sink**: a default log is populated when you select an option in Cloud Storage Bucket.\n 7. Click **Next**.\n 8. Optional: **Choose Logs to filter out of Sink**: select the logs that you would like not to sink.\n14. Click **Create Sink**.\n\nSet up feeds\n------------\n\nThere are two different entry points to set up feeds in the\nGoogle SecOps platform:\n\n- **SIEM Settings \\\u003e Feeds \\\u003e Add New**\n- **Content Hub \\\u003e Content Packs \\\u003e Get Started**\n\nHow to set up the Google Cloud VPC Flow feed\n--------------------------------------------\n\n1. Click the **Google Cloud Compute platform** pack.\n2. Locate the **GCP VPC Flow Feed** logtype.\n3. Specify the values in the following fields.\n\n - **Source Type**: Amazon SQS V2\n - **Queue Name**: The SQS queue name to read from\n - **S3 URI** : The bucket URI.\n - `s3://your-log-bucket-name/`\n - Replace `your-log-bucket-name` with the actual name of your S3 bucket.\n - **Source deletion options**: Select the deletion option according to your ingestion preferences.\n\n | **Note:** If you select the `Delete transferred files` or `Delete transferred files and empty directories` option, make sure that you granted appropriate permissions to the service account.\n - **Maximum File Age**: Include files modified in the last number of days. Default is 180 days.\n\n - **SQS Queue Access Key ID**: An account access key that is a 20-character alphanumeric string.\n\n - **SQS Queue Secret Access Key**: An account access key that is a 40-character alphanumeric string.\n\n **Advanced options**\n - **Feed Name**: A prepopulated value that identifies the feed.\n - **Asset Namespace**: Namespace associated with the feed.\n - **Ingestion Labels**: Labels applied to all events from this feed.\n4. Click **Create feed**.\n\n| **Note:** The Content Hub is not available on the SIEM standalone platform. To upgrade, contact your Google SecOps representative.\n\nFor more information about configuring multiple feeds for different log types within this product family, see [Configure feeds by product](/chronicle/docs/ingestion/ingestion-entities/configure-multiple-feeds).\n\nSupported VPC Flow Logs log formats\n-----------------------------------\n\nThe VPC Flow Logs parser supports logs in JSON format.\n\nSupported VPC Flow Logs Sample Logs\n-----------------------------------\n\n- JSON\n\n {\n \"insertId\": \"1wjp1y9f8vc6y6\",\n \"jsonPayload\": {\n \"bytes_sent\": \"0\",\n \"connection\": {\n \"dest_ip\": \"198.51.100.0\",\n \"dest_port\": 32846,\n \"protocol\": 6,\n \"src_ip\": \"198.51.100.1\",\n \"src_port\": 443\n },\n \"dest_instance\": {\n \"project_id\": \"logging-259109\",\n \"region\": \"us-west2\",\n \"vm_name\": \"demisto-01\",\n \"zone\": \"us-west2-a\"\n },\n \"dest_vpc\": {\n \"project_id\": \"logging-259109\",\n \"subnetwork_name\": \"default\",\n \"vpc_name\": \"default\"\n },\n \"end_time\": \"2020-03-28T10:44:41.896734136Z\",\n \"packets_sent\": \"2\",\n \"reporter\": \"DEST\",\n \"start_time\": \"2020-03-28T10:44:41.896734136Z\"\n },\n \"logName\": \"projects/logging-259109/logs/compute.googleapis.com%2Fvpc_flows\",\n \"receiveTimestamp\": \"2020-03-28T10:44:50.112903743Z\",\n \"resource\": {\n \"labels\": {\n \"location\": \"us-west2-a\",\n \"project_id\": \"dummy_project_id\",\n \"subnetwork_id\": \"subnetwork_id\",\n \"subnetwork_name\": \"default\"\n },\n \"type\": \"gce_subnetwork\"\n },\n \"timestamp\": \"2020-03-28T10:44:50.112903743Z\"\n }\n\nUDM Mapping Table\n-----------------\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]