收集 Duo 活動記錄
支援的國家/地區:
Google SecOps
SIEM
本文說明如何部署以 Python 編寫的擷取指令碼做為 Cloud Run 函式,藉此匯出 Duo 活動記錄並擷取至 Google Security Operations,以及如何將記錄欄位對應至 Google SecOps 統一資料模型 (UDM) 欄位。
詳情請參閱「將資料擷取至 Google SecOps 總覽」。
一般部署作業包含 Duo 活動和擷取指令碼,這些指令碼會以 Cloud Run 函式形式部署,將記錄傳送至 Google SecOps。每個客戶的部署作業可能有所不同,也可能更複雜。
部署作業包含下列元件:
Duo 活動:收集記錄的平台。
Cloud Run 函式:部署為 Cloud Run 函式的擷取指令碼,可從 Duo 活動擷取記錄,並擷取至 Google SecOps。
Google SecOps:保留及分析記錄檔。
注意:擷取標籤會識別剖析器,該剖析器會將原始記錄資料正規化為具結構性的 UDM 格式。本文件中的資訊適用於具有 DUO_ACTIVITY 攝入標籤的剖析器。
事前準備
- 確認您有權存取 Duo 管理員面板。
- 確認您使用的是 Duo 管理 API 2 以上版本。
設定 Duo 活動
- 以管理員身分登入 Duo 管理面板。詳情請參閱「Duo 管理管理面板總覽」。
- 依序點選「應用程式」 >「保護應用程式」。
- 在「應用程式」清單中,依序點選「Admin API」>「保護」,即可取得整合金鑰、密鑰和 API 主機名稱。
- 選取要授予 Admin API 應用程式的必要權限。如要進一步瞭解各項作業所需的權限,請參閱 Duo Admin API。
設定 Google SecOps 的記錄擷取功能
- 建立部署目錄,用來儲存 Cloud Run 函式的檔案。這個目錄會包含部署作業所需的所有檔案。
- 將 Google SecOps GitHub 存放區中 Duo 活動的 GitHub 子目錄內所有檔案,複製到這個部署目錄。
- 將 common 資料夾和所有內容複製到部署目錄。
- 編輯
.env.yml檔案,加入所有必要的環境變數。 - 在 Secret Manager 中,設定標示為「Secret」的環境變數。如要進一步瞭解如何建立密鑰,請參閱「建立及存取密鑰」。
- 將密鑰的資源名稱做為環境變數的值。
- 在 CHRONICLE_NAMESPACE 環境變數中輸入
DUO_ACTIVITY值。 - 在「Source code」(原始碼) 欄位中,選取「ZIP Upload」(上傳 ZIP 檔)。
- 在「Destination bucket」(目的地值區) 欄位中,按一下「Browse」(瀏覽),選取要上傳原始碼的 Cloud Storage 值區,做為部署作業的一部分。
- 在「ZIP 檔案」欄位中,按一下「瀏覽」,從本機檔案系統選取要上傳的 ZIP 檔。函式來源檔案必須位於 zip 檔案的根目錄。
- 按一下 [Deploy] (部署)。
詳情請參閱「使用部署為 Cloud Run 函式的擷取指令碼」。
支援的 Duo 活動記錄格式
Duo 活動剖析器支援 JSON 格式的記錄。
支援的 Duo 活動記錄範例
JSON
{ "access_device": { "browser": "Chrome", "browser_version": "127.0.0.0", "ip": { "address": "198.51.100.0" }, "location": { "city": "Riverside", "country": "United States", "state": "California" }, "os": "Windows", "os_version": "10" }, "action": { "details": null, "name": "bypass_create" }, "activity_id": "188c068b-1ef4-4c0a-80cc-700ee9a08612", "actor": { "details": "{\\"created\\": \\"2022-09-15T17: 27: 31.000000+00: 00\\", \\"last_login\\": \\"2024-08-26T22: 48: 50.000000+00: 00\\", \\"email\\": \\"test@gmail.com\\", \\"status\\": null, \\"groups\\": null}", "key": "dummyuserid", "name": "test", "type": "admin" }, "akey": "DA06L58ASEO0DOKNXGXZ", "application": null, "old_target": null, "outcome": null, "target": { "details": "{\\"bkeys\\": [\\"DB8VPGAF6674GKS43FS9\\"], \\"count\\": 1, \\"valid_secs\\": 3600, \\"remaining_uses\\": 1, \\"auto_generated\\": true}", "key": "DU3H7GRU6UIENBKX5HRA", "name": "test", "type": "user_bypass" }, "ts": "2024-08-26T22:49:21.975784+00:00" }
欄位對應參考資料
欄位對應參照:事件 ID 對應至事件類型
下表列出DUO_ACTIVITY 記錄類型及其對應的 UDM 事件類型。
| Event Identifier | Event Type | Security Category |
|---|---|---|
admin_activate_duo_push |
DEVICE_PROGRAM_DOWNLOAD |
|
admin_factor_restrictions |
RESOURCE_PERMISSIONS_CHANGE |
|
admin_login |
USER_UNCATEGORIZED |
|
admin_rectivates_duo_push |
DEVICE_PROGRAM_DOWNLOAD |
|
admin_reset_password |
USER_CHANGE_PASSWORD |
|
admin_send_reset_password_email |
EMAIL_TRANSACTION |
|
bypass_create |
RESOURCE_CREATION |
|
bypass_delete |
RESOURCE_DELETION |
|
bypass_view |
RESOURCE_READ |
|
deregister_devices |
USER_RESOURCE_DELETION |
|
device_change_enrollment_summary_notification_answered |
USER_COMMUNICATION |
|
device_change_enrollment_summary_notification_answered_notify_admin |
USER_COMMUNICATION |
|
device_change_enrollment_summary_notification_send |
USER_COMMUNICATION |
|
device_change_notification_answered |
USER_COMMUNICATION |
|
device_change_notification_answered_notify_admin |
USER_COMMUNICATION |
|
device_change_notification_create |
RESOURCE_CREATION |
|
device_change_notification_send |
USER_COMMUNICATION |
|
group_create |
GROUP_CREATION |
|
group_delete |
GROUP_DELETION |
|
group_update |
GROUP_MODIFICATION |
|
hardtoken_create |
RESOURCE_CREATION |
|
hardtoken_delete |
RESOURCE_DELETION |
|
hardtoken_resync |
RESOURCE_WRITTEN |
|
hardtoken_update |
RESOURCE_WRITTEN |
|
integration_create |
RESOURCE_CREATION |
|
integration_delete |
RESOURCE_DELETION |
|
integration_group_policy_add |
GROUP_UNCATEGORIZED |
|
integration_group_policy_remove |
GROUP_UNCATEGORIZED |
|
integration_policy_assign |
USER_UNCATEGORIZED |
|
integration_policy_unassign |
USER_UNCATEGORIZED |
|
integration_skey_bulk_view |
RESOURCE_READ |
|
integration_skey_view |
RESOURCE_READ |
|
integration_update |
RESOURCE_WRITTEN |
|
log_export_start |
USER_UNCATEGORIZED |
|
log_export_complete |
USER_UNCATEGORIZED |
|
log_export_failure |
USER_UNCATEGORIZED |
|
management_system_activate_device_cache |
DEVICE_CONFIG_UPDATE |
|
management_system_active_device_cache_add_devices |
RESOURCE_CREATION |
|
management_system_active_device_cache_delete_devices |
RESOURCE_DELETION |
|
management_system_active_device_cache_edit_devices |
RESOURCE_WRITTEN |
|
management_system_add_devices |
RESOURCE_CREATION |
|
management_system_create |
RESOURCE_CREATION |
|
management_system_delete |
RESOURCE_DELETION |
|
management_system_delete_devices |
RESOURCE_DELETION |
|
management_system_device_cache_add_devices |
RESOURCE_CREATION |
|
management_system_device_cache_create |
RESOURCE_CREATION |
|
management_system_device_cache_delete |
RESOURCE_DELETION |
|
management_system_device_cache_delete_devices |
RESOURCE_DELETION |
|
management_system_download_device_api_script |
DEVICE_PROGRAM_DOWNLOAD |
|
management_system_pkcs12_enrollment |
RESOURCE_CREATION |
|
management_system_sync_failure |
USER_UNCATEGORIZED |
|
management_system_sync_success |
USER_UNCATEGORIZED |
|
management_system_update |
USER_UNCATEGORIZED |
|
management_system_view_password |
RESOURCE_READ |
|
management_system_view_token |
RESOURCE_READ |
|
phone_activation_code_regenerated |
RESOURCE_CREATION |
|
phone_associate |
RESOURCE_CREATION |
|
phone_create |
RESOURCE_CREATION |
|
phone_delete |
RESOURCE_DELETION |
|
phone_disassociate |
RESOURCE_DELETION |
|
phone_new_sms_passcode |
RESOURCE_CREATION |
|
phone_update |
RESOURCE_WRITTEN |
|
policy_create |
RESOURCE_CREATION |
|
policy_delete |
RESOURCE_DELETION |
|
policy_update |
RESOURCE_WRITTEN |
|
u2ftoken_create |
RESOURCE_CREATION |
|
u2ftoken_delete |
RESOURCE_DELETION |
|
user_not_enrolled_lockout |
USER_CHANGE_PERMISSIONS |
|
user_adminapi_lockout |
USER_CHANGE_PERMISSIONS |
|
user_lockout_cleared |
USER_CHANGE_PERMISSIONS |
|
webauthncredential_create |
RESOURCE_CREATION |
|
webauthncredential_delete |
RESOURCE_DELETION |
|
webauthncredential_rename |
RESOURCE_WRITTEN |
|
欄位對應參考資料:DUO_ACTIVITY
下表列出 DUO_ACTIVITY 記錄類型的記錄欄位,以及對應的 UDM 欄位。
| Log field | UDM mapping | Logic |
|---|---|---|
|
principal.platform |
If the access_device.os log field value matches the regular expression pattern (?i)Win, then the principal.platform UDM field is set to WINDOWS.Else, if the access_device.os log field value matches the regular expression pattern (?i)Lin, then the principal.platform UDM field is set to LINUX.Else, if the access_device.os log field value matches the regular expression pattern (?i)Mac, then the principal.platform UDM field is set to MAC.Else, if the access_device.os log field value matches the regular expression pattern (?i)ios, then the principal.platform UDM field is set to IOS.Else, if the access_device.os log field value matches the regular expression pattern (?i)Chrome, then the principal.platform UDM field is set to CHROME_OS.Else, if the access_device.os log field value matches the regular expression pattern (?i)Android, then the principal.platform UDM field is set to ANDROID.Else, the principal.platform UDM field is set to UNKNOWN_PLATFORM. |
access_device.os_version |
principal.platform_version |
|
access_device.ip.address |
principal.ip |
|
access_device.location.country |
principal.location.country_or_region |
|
access_device.location.state |
principal.location.state |
|
access_device.location.city |
principal.location.city |
|
access_device.browser |
principal.asset.attribute.labels[access_device_browser] |
|
access_device.browser_version |
principal.asset.attribute.labels[access_device_browser_version] |
|
ts |
metadata.event_timestamp |
|
activity_id |
metadata.product_log_id |
|
akey |
principal.asset.product_object_id |
|
outcome.result |
security_result.action_details |
|
application.key |
principal.resource.product_object_id |
|
application.name |
principal.application |
|
application.type |
principal.resource.resource_subtype |
|
action.details |
principal.user.attribute.labels[action_details] |
|
action.name |
metadata.product_event_type |
|
actor.key |
principal.user.userid |
|
actor.name |
principal.user.user_display_name |
|
actor.type |
principal.user.attribute.labels[actor_type] |
|
target.key |
target.asset.attribute.labels[target_key] |
|
target.name |
target.asset.hostname |
|
target.type |
target.asset.category |
|
target.details |
target.user.attribute.labels[target_details] |
|
old_target.key |
about.asset.attribute.labels[old_target_key] |
|
old_target.name |
about.asset.hostname |
|
old_target.type |
about.asset.category |
|
old_target.details |
about.user.attribute.labels[old_target_details] |
|
actor.details.created |
principal.user.first_seen_time |
|
actor.details.last_login |
principal.user.last_login_time |
|
actor.details.status |
principal.user.attribute.labels[status] |
|
actor.details.email |
principal.user.email_addresses |
|
actor.details.group.key |
principal.user.attribute.labels[actor_details_group_key] |
|
actor.details.group.name |
principal.user.attribute.labels[actor_details_group_name] |
後續步驟
還有其他問題嗎?向社群成員和 Google SecOps 專業人員尋求答案。