Mengumpulkan Log aktivitas Duo
Dokumen ini menjelaskan cara mengekspor log Aktivitas Duo dan menyerapnya ke Google Security Operations dengan men-deploy skrip penyerapan yang ditulis dalam Python sebagai fungsi Cloud Run dan cara kolom log dipetakan ke kolom Unified Data Model (UDM) Google Security Operations.
Untuk mengetahui informasi selengkapnya, lihat Ringkasan penyerapan data ke Google Security Operations.
Deployment standar terdiri dari Aktivitas Duo dan skrip penyerapan yang di-deploy sebagai fungsi Cloud Run untuk mengirim log ke Google Security Operations. Setiap deployment pelanggan dapat berbeda dan mungkin lebih kompleks.
Deployment berisi komponen berikut:
Aktivitas Duo: Platform tempat Anda mengumpulkan log.
Fungsi Cloud Run: Skrip penyerapan yang di-deploy sebagai fungsi Cloud Run untuk mengambil log dari Aktivitas Duo dan menyerapnya ke dalam Google Security Operations.
Google Security Operations: Menyimpan dan menganalisis log.
Label penyerapan mengidentifikasi parser yang menormalisasi data log mentah ke format UDM terstruktur. Informasi dalam dokumen ini berlaku untuk parser dengan label transfer DUO_ACTIVITY
.
Sebelum memulai
- Pastikan Anda memiliki akses ke panel Admin Duo.
- Pastikan Anda menggunakan Duo Admin API versi 2 atau yang lebih baru.
Mengonfigurasi Aktivitas Duo
- Login ke panel Admin Duo sebagai administrator.
- Klik Applications > Protect an Application.
- Dalam daftar Aplikasi, klik Admin API > Protect untuk mendapatkan kunci integrasi, kunci rahasia, dan nama host API Anda.
Mengonfigurasi Proses Transfer Log untuk Google Security Operations
- Buat direktori deployment untuk menyimpan file untuk fungsi Cloud Run. File ini akan berisi semua file yang diperlukan untuk deployment.
- Salin semua file dari subdirektori GitHub Aktivitas Duo yang terletak di repositori GitHub Google Security Operations ke direktori deployment ini.
- Salin folder umum dan semua konten ke direktori deployment.
- Edit file
.env.yml
untuk menambahkan semua variabel lingkungan yang diperlukan. - Konfigurasikan variabel lingkungan yang ditandai sebagai Secret di Secret Manager. Untuk mengetahui informasi selengkapnya tentang cara membuat secret, lihat Membuat dan Mengakses secret.
- Gunakan nama resource secret sebagai nilai untuk variabel lingkungan.
- Masukkan nilai
DUO_ACTIVITY
di variabel lingkungan CHRONICLE_NAMESPACE. - Di kolom Kode sumber, pilih Upload ZIP.
- Di kolom Bucket tujuan, klik Telusuri untuk memilih bucket Cloud Storage yang akan menjadi tujuan upload kode sumber Anda sebagai bagian dari deployment.
- Di kolom ZIP file, klik Browse untuk memilih file ZIP yang akan diupload dari sistem file lokal Anda. File sumber fungsi Anda harus berada di root file ZIP.
- Klik Deploy.
Untuk mengetahui informasi selengkapnya, lihat Menggunakan skrip penyerapan yang di-deploy sebagai fungsi Cloud Run.
Referensi pemetaan kolom
Referensi pemetaan kolom: ID Peristiwa ke Jenis Peristiwa
Tabel berikut mencantumkan jenis logDUO_ACTIVITY
dan jenis peristiwa UDM yang sesuai.
Event Identifier | Event Type | Security Category |
---|---|---|
admin_activate_duo_push |
DEVICE_PROGRAM_DOWNLOAD |
|
admin_factor_restrictions |
RESOURCE_PERMISSIONS_CHANGE |
|
admin_login |
USER_UNCATEGORIZED |
|
admin_rectivates_duo_push |
DEVICE_PROGRAM_DOWNLOAD |
|
admin_reset_password |
USER_CHANGE_PASSWORD |
|
admin_send_reset_password_email |
EMAIL_TRANSACTION |
|
bypass_create |
RESOURCE_CREATION |
|
bypass_delete |
RESOURCE_DELETION |
|
bypass_view |
RESOURCE_READ |
|
deregister_devices |
USER_RESOURCE_DELETION |
|
device_change_enrollment_summary_notification_answered |
USER_COMMUNICATION |
|
device_change_enrollment_summary_notification_answered_notify_admin |
USER_COMMUNICATION |
|
device_change_enrollment_summary_notification_send |
USER_COMMUNICATION |
|
device_change_notification_answered |
USER_COMMUNICATION |
|
device_change_notification_answered_notify_admin |
USER_COMMUNICATION |
|
device_change_notification_create |
RESOURCE_CREATION |
|
device_change_notification_send |
USER_COMMUNICATION |
|
group_create |
GROUP_CREATION |
|
group_delete |
GROUP_DELETION |
|
group_update |
GROUP_MODIFICATION |
|
hardtoken_create |
RESOURCE_CREATION |
|
hardtoken_delete |
RESOURCE_DELETION |
|
hardtoken_resync |
RESOURCE_WRITTEN |
|
hardtoken_update |
RESOURCE_WRITTEN |
|
integration_create |
RESOURCE_CREATION |
|
integration_delete |
RESOURCE_DELETION |
|
integration_group_policy_add |
GROUP_UNCATEGORIZED |
|
integration_group_policy_remove |
GROUP_UNCATEGORIZED |
|
integration_policy_assign |
USER_UNCATEGORIZED |
|
integration_policy_unassign |
USER_UNCATEGORIZED |
|
integration_skey_bulk_view |
RESOURCE_READ |
|
integration_skey_view |
RESOURCE_READ |
|
integration_update |
RESOURCE_WRITTEN |
|
log_export_start |
USER_UNCATEGORIZED |
|
log_export_complete |
USER_UNCATEGORIZED |
|
log_export_failure |
USER_UNCATEGORIZED |
|
management_system_activate_device_cache |
DEVICE_CONFIG_UPDATE |
|
management_system_active_device_cache_add_devices |
RESOURCE_CREATION |
|
management_system_active_device_cache_delete_devices |
RESOURCE_DELETION |
|
management_system_active_device_cache_edit_devices |
RESOURCE_WRITTEN |
|
management_system_add_devices |
RESOURCE_CREATION |
|
management_system_create |
RESOURCE_CREATION |
|
management_system_delete |
RESOURCE_DELETION |
|
management_system_delete_devices |
RESOURCE_DELETION |
|
management_system_device_cache_add_devices |
RESOURCE_CREATION |
|
management_system_device_cache_create |
RESOURCE_CREATION |
|
management_system_device_cache_delete |
RESOURCE_DELETION |
|
management_system_device_cache_delete_devices |
RESOURCE_DELETION |
|
management_system_download_device_api_script |
DEVICE_PROGRAM_DOWNLOAD |
|
management_system_pkcs12_enrollment |
RESOURCE_CREATION |
|
management_system_sync_failure |
USER_UNCATEGORIZED |
|
management_system_sync_success |
USER_UNCATEGORIZED |
|
management_system_update |
USER_UNCATEGORIZED |
|
management_system_view_password |
RESOURCE_READ |
|
management_system_view_token |
RESOURCE_READ |
|
phone_activation_code_regenerated |
RESOURCE_CREATION |
|
phone_associate |
RESOURCE_CREATION |
|
phone_create |
RESOURCE_CREATION |
|
phone_delete |
RESOURCE_DELETION |
|
phone_disassociate |
RESOURCE_DELETION |
|
phone_new_sms_passcode |
RESOURCE_CREATION |
|
phone_update |
RESOURCE_WRITTEN |
|
policy_create |
RESOURCE_CREATION |
|
policy_delete |
RESOURCE_DELETION |
|
policy_update |
RESOURCE_WRITTEN |
|
u2ftoken_create |
RESOURCE_CREATION |
|
u2ftoken_delete |
RESOURCE_DELETION |
|
user_not_enrolled_lockout |
USER_CHANGE_PERMISSIONS |
|
user_adminapi_lockout |
USER_CHANGE_PERMISSIONS |
|
user_lockout_cleared |
USER_CHANGE_PERMISSIONS |
|
webauthncredential_create |
RESOURCE_CREATION |
|
webauthncredential_delete |
RESOURCE_DELETION |
|
webauthncredential_rename |
RESOURCE_WRITTEN |
|
Referensi pemetaan kolom: DUO_ACTIVITY
Tabel berikut mencantumkan kolom log dari jenis log DUO_ACTIVITY
dan kolom UDM yang sesuai.
Log field | UDM mapping | Logic |
---|---|---|
|
principal.platform |
If the access_device.os log field value matches the regular expression pattern (?i)Win , then the principal.platform UDM field is set to WINDOWS .Else, if the access_device.os log field value matches the regular expression pattern (?i)Lin , then the principal.platform UDM field is set to LINUX .Else, if the access_device.os log field value matches the regular expression pattern (?i)Mac , then the principal.platform UDM field is set to MAC .Else, if the access_device.os log field value matches the regular expression pattern (?i)ios , then the principal.platform UDM field is set to IOS .Else, if the access_device.os log field value matches the regular expression pattern (?i)Chrome , then the principal.platform UDM field is set to CHROME_OS .Else, if the access_device.os log field value matches the regular expression pattern (?i)Android , then the principal.platform UDM field is set to ANDROID .Else, the principal.platform UDM field is set to UNKNOWN_PLATFORM . |
access_device.os_version |
principal.platform_version |
|
access_device.ip.address |
principal.ip |
|
access_device.location.country |
principal.location.country_or_region |
|
access_device.location.state |
principal.location.state |
|
access_device.location.city |
principal.location.city |
|
access_device.browser |
principal.asset.attribute.labels[access_device_browser] |
|
access_device.browser_version |
principal.asset.attribute.labels[access_device_browser_version] |
|
ts |
metadata.event_timestamp |
|
activity_id |
metadata.product_log_id |
|
akey |
principal.asset.product_object_id |
|
outcome.result |
security_result.action_details |
|
application.key |
principal.resource.product_object_id |
|
application.name |
principal.application |
|
application.type |
principal.resource.resource_subtype |
|
action.details |
principal.user.attribute.labels[action_details] |
|
action.name |
metadata.product_event_type |
|
actor.key |
principal.user.userid |
|
actor.name |
principal.user.user_display_name |
|
actor.type |
principal.user.attribute.labels[actor_type] |
|
target.key |
target.asset.attribute.labels[target_key] |
|
target.name |
target.asset.hostname |
|
target.type |
target.asset.category |
|
target.details |
target.user.attribute.labels[target_details] |
|
old_target.key |
about.asset.attribute.labels[old_target_key] |
|
old_target.name |
about.asset.hostname |
|
old_target.type |
about.asset.category |
|
old_target.details |
about.user.attribute.labels[old_target_details] |
|
actor.details.created |
principal.user.first_seen_time |
|
actor.details.last_login |
principal.user.last_login_time |
|
actor.details.status |
principal.user.attribute.labels[status] |
|
actor.details.email |
principal.user.email_addresses |
|
actor.details.group.key |
principal.user.attribute.labels[actor_details_group_key] |
|
actor.details.group.name |
principal.user.attribute.labels[actor_details_group_name] |