收集 Duo 活动日志
支持的语言:
Google SecOps
SIEM
本文档介绍了如何通过部署以 Python 编写的注入脚本(作为 Cloud Run 函数)来导出 Duo 活动日志并将其注入到 Google Security Operations 中,以及日志字段如何映射到 Google SecOps Unified Data Model (UDM) 字段。
如需了解详情,请参阅 Google SecOps 数据提取概览。
典型部署包括 Duo 活动和部署为 Cloud Run 函数的提取脚本,用于将日志发送到 Google SecOps。每个客户部署都可能有所不同,并且可能更复杂。
部署包含以下组件:
Duo 活动:您从中收集日志的平台。
Cloud Run functions:部署为 Cloud Run functions 的注入脚本,用于从 Duo Activity 中注入日志并将其注入到 Google SecOps 中。
Google SecOps:保留并分析日志。
注意:注入标签用于标识将原始日志数据标准化为结构化 UDM 格式的解析器。本文档中的信息适用于具有 DUO_ACTIVITY 注入标签的解析器。
准备工作
- 确保您有权访问 Duo 管理面板。
- 确保您使用的是 Duo Admin API 版本 2 或更高版本。
配置 Duo 活动
- 以管理员身份登录 Duo 管理控制台。如需了解详情,请参阅 Duo 管理员控制台概览。
- 依次点击应用 > 保护应用。
- 在“应用”列表中,依次点击 Admin API > 保护,以获取集成密钥、密钥和 API 主机名。
- 选择要向 Admin API 应用授予的所需权限。如需详细了解相应操作所需的权限,请参阅 Duo Admin API。
为 Google SecOps 配置日志注入
- 创建一个部署目录来存储 Cloud Run functions 的文件。此目录将包含部署所需的所有文件。
- 将 Google SecOps GitHub 代码库中 Duo Activity 的 GitHub 子目录中的所有文件复制到此部署目录。
- 将通用文件夹及其所有内容复制到部署目录。
- 修改
.env.yml文件以添加所有必需的环境变量。 - 在 Secret Manager 中配置标记为 Secret 的环境变量。如需详细了解如何创建 Secret,请参阅创建和访问 Secret。
- 使用 Secret 的资源名称作为环境变量的值。
- 在 CHRONICLE_NAMESPACE 环境变量中输入值
DUO_ACTIVITY。 - 在源代码字段中,选择 ZIP 文件上传。
- 在目标存储桶字段中,点击浏览,以选择要在部署期间将源代码上传到的 Cloud Storage 存储桶。
- 在 ZIP 文件字段中,点击浏览,以选择要从本地文件系统上传的 ZIP 文件。函数源文件必须位于 ZIP 文件的根目录下。
- 点击部署。
如需了解详情,请参阅使用部署为 Cloud Run 函数的提取脚本。
支持的 Duo 活动日志格式
Duo 活动记录解析器支持 JSON 格式的日志。
支持的 Duo 活动示例日志
JSON
{ "access_device": { "browser": "Chrome", "browser_version": "127.0.0.0", "ip": { "address": "198.51.100.0" }, "location": { "city": "Riverside", "country": "United States", "state": "California" }, "os": "Windows", "os_version": "10" }, "action": { "details": null, "name": "bypass_create" }, "activity_id": "188c068b-1ef4-4c0a-80cc-700ee9a08612", "actor": { "details": "{\\"created\\": \\"2022-09-15T17: 27: 31.000000+00: 00\\", \\"last_login\\": \\"2024-08-26T22: 48: 50.000000+00: 00\\", \\"email\\": \\"test@gmail.com\\", \\"status\\": null, \\"groups\\": null}", "key": "dummyuserid", "name": "test", "type": "admin" }, "akey": "DA06L58ASEO0DOKNXGXZ", "application": null, "old_target": null, "outcome": null, "target": { "details": "{\\"bkeys\\": [\\"DB8VPGAF6674GKS43FS9\\"], \\"count\\": 1, \\"valid_secs\\": 3600, \\"remaining_uses\\": 1, \\"auto_generated\\": true}", "key": "DU3H7GRU6UIENBKX5HRA", "name": "test", "type": "user_bypass" }, "ts": "2024-08-26T22:49:21.975784+00:00" }
字段映射参考
字段映射参考信息:事件标识符到事件类型
下表列出了DUO_ACTIVITY 日志类型及其对应的 UDM 事件类型。
| Event Identifier | Event Type | Security Category |
|---|---|---|
admin_activate_duo_push |
DEVICE_PROGRAM_DOWNLOAD |
|
admin_factor_restrictions |
RESOURCE_PERMISSIONS_CHANGE |
|
admin_login |
USER_UNCATEGORIZED |
|
admin_rectivates_duo_push |
DEVICE_PROGRAM_DOWNLOAD |
|
admin_reset_password |
USER_CHANGE_PASSWORD |
|
admin_send_reset_password_email |
EMAIL_TRANSACTION |
|
bypass_create |
RESOURCE_CREATION |
|
bypass_delete |
RESOURCE_DELETION |
|
bypass_view |
RESOURCE_READ |
|
deregister_devices |
USER_RESOURCE_DELETION |
|
device_change_enrollment_summary_notification_answered |
USER_COMMUNICATION |
|
device_change_enrollment_summary_notification_answered_notify_admin |
USER_COMMUNICATION |
|
device_change_enrollment_summary_notification_send |
USER_COMMUNICATION |
|
device_change_notification_answered |
USER_COMMUNICATION |
|
device_change_notification_answered_notify_admin |
USER_COMMUNICATION |
|
device_change_notification_create |
RESOURCE_CREATION |
|
device_change_notification_send |
USER_COMMUNICATION |
|
group_create |
GROUP_CREATION |
|
group_delete |
GROUP_DELETION |
|
group_update |
GROUP_MODIFICATION |
|
hardtoken_create |
RESOURCE_CREATION |
|
hardtoken_delete |
RESOURCE_DELETION |
|
hardtoken_resync |
RESOURCE_WRITTEN |
|
hardtoken_update |
RESOURCE_WRITTEN |
|
integration_create |
RESOURCE_CREATION |
|
integration_delete |
RESOURCE_DELETION |
|
integration_group_policy_add |
GROUP_UNCATEGORIZED |
|
integration_group_policy_remove |
GROUP_UNCATEGORIZED |
|
integration_policy_assign |
USER_UNCATEGORIZED |
|
integration_policy_unassign |
USER_UNCATEGORIZED |
|
integration_skey_bulk_view |
RESOURCE_READ |
|
integration_skey_view |
RESOURCE_READ |
|
integration_update |
RESOURCE_WRITTEN |
|
log_export_start |
USER_UNCATEGORIZED |
|
log_export_complete |
USER_UNCATEGORIZED |
|
log_export_failure |
USER_UNCATEGORIZED |
|
management_system_activate_device_cache |
DEVICE_CONFIG_UPDATE |
|
management_system_active_device_cache_add_devices |
RESOURCE_CREATION |
|
management_system_active_device_cache_delete_devices |
RESOURCE_DELETION |
|
management_system_active_device_cache_edit_devices |
RESOURCE_WRITTEN |
|
management_system_add_devices |
RESOURCE_CREATION |
|
management_system_create |
RESOURCE_CREATION |
|
management_system_delete |
RESOURCE_DELETION |
|
management_system_delete_devices |
RESOURCE_DELETION |
|
management_system_device_cache_add_devices |
RESOURCE_CREATION |
|
management_system_device_cache_create |
RESOURCE_CREATION |
|
management_system_device_cache_delete |
RESOURCE_DELETION |
|
management_system_device_cache_delete_devices |
RESOURCE_DELETION |
|
management_system_download_device_api_script |
DEVICE_PROGRAM_DOWNLOAD |
|
management_system_pkcs12_enrollment |
RESOURCE_CREATION |
|
management_system_sync_failure |
USER_UNCATEGORIZED |
|
management_system_sync_success |
USER_UNCATEGORIZED |
|
management_system_update |
USER_UNCATEGORIZED |
|
management_system_view_password |
RESOURCE_READ |
|
management_system_view_token |
RESOURCE_READ |
|
phone_activation_code_regenerated |
RESOURCE_CREATION |
|
phone_associate |
RESOURCE_CREATION |
|
phone_create |
RESOURCE_CREATION |
|
phone_delete |
RESOURCE_DELETION |
|
phone_disassociate |
RESOURCE_DELETION |
|
phone_new_sms_passcode |
RESOURCE_CREATION |
|
phone_update |
RESOURCE_WRITTEN |
|
policy_create |
RESOURCE_CREATION |
|
policy_delete |
RESOURCE_DELETION |
|
policy_update |
RESOURCE_WRITTEN |
|
u2ftoken_create |
RESOURCE_CREATION |
|
u2ftoken_delete |
RESOURCE_DELETION |
|
user_not_enrolled_lockout |
USER_CHANGE_PERMISSIONS |
|
user_adminapi_lockout |
USER_CHANGE_PERMISSIONS |
|
user_lockout_cleared |
USER_CHANGE_PERMISSIONS |
|
webauthncredential_create |
RESOURCE_CREATION |
|
webauthncredential_delete |
RESOURCE_DELETION |
|
webauthncredential_rename |
RESOURCE_WRITTEN |
|
字段映射参考信息:DUO_ACTIVITY
下表列出了 DUO_ACTIVITY 日志类型的日志字段及其对应的 UDM 字段。
| Log field | UDM mapping | Logic |
|---|---|---|
|
principal.platform |
If the access_device.os log field value matches the regular expression pattern (?i)Win, then the principal.platform UDM field is set to WINDOWS.Else, if the access_device.os log field value matches the regular expression pattern (?i)Lin, then the principal.platform UDM field is set to LINUX.Else, if the access_device.os log field value matches the regular expression pattern (?i)Mac, then the principal.platform UDM field is set to MAC.Else, if the access_device.os log field value matches the regular expression pattern (?i)ios, then the principal.platform UDM field is set to IOS.Else, if the access_device.os log field value matches the regular expression pattern (?i)Chrome, then the principal.platform UDM field is set to CHROME_OS.Else, if the access_device.os log field value matches the regular expression pattern (?i)Android, then the principal.platform UDM field is set to ANDROID.Else, the principal.platform UDM field is set to UNKNOWN_PLATFORM. |
access_device.os_version |
principal.platform_version |
|
access_device.ip.address |
principal.ip |
|
access_device.location.country |
principal.location.country_or_region |
|
access_device.location.state |
principal.location.state |
|
access_device.location.city |
principal.location.city |
|
access_device.browser |
principal.asset.attribute.labels[access_device_browser] |
|
access_device.browser_version |
principal.asset.attribute.labels[access_device_browser_version] |
|
ts |
metadata.event_timestamp |
|
activity_id |
metadata.product_log_id |
|
akey |
principal.asset.product_object_id |
|
outcome.result |
security_result.action_details |
|
application.key |
principal.resource.product_object_id |
|
application.name |
principal.application |
|
application.type |
principal.resource.resource_subtype |
|
action.details |
principal.user.attribute.labels[action_details] |
|
action.name |
metadata.product_event_type |
|
actor.key |
principal.user.userid |
|
actor.name |
principal.user.user_display_name |
|
actor.type |
principal.user.attribute.labels[actor_type] |
|
target.key |
target.asset.attribute.labels[target_key] |
|
target.name |
target.asset.hostname |
|
target.type |
target.asset.category |
|
target.details |
target.user.attribute.labels[target_details] |
|
old_target.key |
about.asset.attribute.labels[old_target_key] |
|
old_target.name |
about.asset.hostname |
|
old_target.type |
about.asset.category |
|
old_target.details |
about.user.attribute.labels[old_target_details] |
|
actor.details.created |
principal.user.first_seen_time |
|
actor.details.last_login |
principal.user.last_login_time |
|
actor.details.status |
principal.user.attribute.labels[status] |
|
actor.details.email |
principal.user.email_addresses |
|
actor.details.group.key |
principal.user.attribute.labels[actor_details_group_key] |
|
actor.details.group.name |
principal.user.attribute.labels[actor_details_group_name] |
后续步骤
需要更多帮助?从社区成员和 Google SecOps 专业人士那里获得解答。