Diese Seite wurde von der Cloud Translation API übersetzt.

Google Cloud IDS-Logs erfassen

In diesem Dokument wird beschrieben, wie Sie Google Cloud IDS-Logs erfassen können, indem Sie die Google Cloud Telemetrieaufnahme in Google Security Operations aktivieren. Außerdem wird beschrieben, wie Logfelder von Google Cloud IDS-Logs UDM-Feldern (Unified Data Model) von Google Security Operations zugeordnet werden.

Weitere Informationen finden Sie unter Datenaufnahme in Google Security Operations.

Eine typische Bereitstellung besteht aus Google Cloud IDS-Logs, die für die Aufnahme in Google Security Operations aktiviert sind. Die Bereitstellung bei jedem Kunden kann von dieser Darstellung abweichen und komplexer sein.

Die Bereitstellung enthält die folgenden Komponenten:

Google Cloud: Die Google Cloud Dienste und Produkte, aus denen Sie Logs erfassen.
Google Cloud IDS-Logs: Die Google Cloud IDS-Logs, die für die Aufnahme in Google Security Operations aktiviert sind.
Google Security Operations: Google Security Operations speichert und analysiert die Logs von Google Cloud IDS.

Ein Erfassungslabel identifiziert den Parser, der Logrohdaten in das strukturierte UDM-Format normalisiert. Die Informationen in diesem Dokument beziehen sich auf den Parser mit dem Aufnahme-Label GCP_IDS.

Hinweise

Achten Sie darauf, dass alle Systeme in der Bereitstellungsarchitektur in der UTC-Zeitzone konfiguriert sind.

Google Cloud für die Aufnahme von Google Cloud IDS-Logs konfigurieren

Wenn Sie Google Cloud IDS-Logs in Google Security Operations aufnehmen möchten, folgen Sie der Anleitung auf der Seite Google Cloud -Logs in Google Security Operations aufnehmen.

Wenn beim Erfassen von Google Cloud IDS-Logs Probleme auftreten, wenden Sie sich an den Google Security Operations-Support.

Unterstützte Google Cloud IDS-Logformate

Der Google Cloud IDS-Parser unterstützt Logs im JSON-Format.

Unterstützte Google Cloud IDS-Beispiellogs

JSON:

{
  "insertId": "5cb7ac422679042bcd8f0a84700c23c0-1@a1",
  "jsonPayload": {
    "alert_severity": "INFORMATIONAL",
    "alert_time": "2021-09-08T12:10:19Z",
    "application": "ssl",
    "category": "protocol-anomaly",
    "destination_ip_address": "198.51.100.0",
    "destination_port": "443",
    "details": "This signature detects suspicious and non-RFC compliant SSL traffic on port 443. This could be associated with applications sending non SSL traffic using port 443 or indicate possible malicious activity.",
    "direction": "client-to-server",
    "ip_protocol": "tcp",
    "name": "Non-RFC Compliant SSL Traffic on Port 443",
    "network": "abcd-prod-pod111-shared",
    "repeat_count": "1",
    "session_id": "1457377",
    "source_ip_address": "198.51.100.0",
    "source_port": "62543",
    "threat_id": "56112",
    "type": "vulnerability",
    "uri_or_filename": ""
  },
  "logName": "projects/abcd-prod-mnop-pod555-infra/logs/ids.googleapis.com%2Fthreat",
  "receiveTimestamp": "2021-09-08T12:10:23.953458826Z",
  "resource": {
    "labels": {
      "id": "abcd-prod-mnop-pod555-cloudidsendpoint-info",
      "location": "us-central1-a",
      "resource_container": "projects/158110290042"
    },
    "type": "ids.googleapis.com/Endpoint"
  },
  "timestamp": "2021-09-08T12:10:19Z"
}

Referenz zur Feldzuordnung

Referenz zur Feldzuordnung: GCP_IDS

In der folgenden Tabelle sind die Logfelder des Logtyps GCP_IDS und die entsprechenden UDM-Felder aufgeführt.

Log field	UDM mapping	Logic
`insertId`	`metadata.product_log_id`
`jsonPayload.alert_severity`	`security_result.severity`
`jsonPayload.alert_time`	`metadata.event_timestamp`
`jsonPayload.application`	`principal.application`	If the `jsonPayload.direction` log field value is equal to `server-to-client`, then the `jsonPayload.application` log field is mapped to the `principal.application` UDM field.
`jsonPayload.application`	`target.application`	If the `jsonPayload.direction` log field value is equal to `client-to-server` or the `logName` log field value matches the regular expression pattern `traffic`, then the `jsonPayload.application` log field is mapped to the `target.application` UDM field.
`jsonPayload.category`	`security_result.category_details`
`jsonPayload.cves`	`extensions.vulns.vulnerabilities.cve_id`	If the `jsonPayload.cves` log field value is not empty, then the `jsonPayload.cves` log field is mapped to the `extensions.vulns.vulnerabilities.cve_id` UDM field.
`jsonPayload.destination_ip_address`	`target.ip`
`jsonPayload.destination_port`	`target.port`
`jsonPayload.details`	`extensions.vulns.vulnerabilities.description`	If the `jsonPayload.cves` log field value is not empty, then the `jsonPayload.details` log field is mapped to the `extensions.vulns.vulnerabilities.description` UDM field.
`jsonPayload.direction`	`network.direction`	If the `jsonPayload.direction` log field value is equal to `client-to-server`, then the `network.direction` UDM field is set to `OUTBOUND`. Else, if the `jsonPayload.direction` log field value is equal to `server-to-client`, then the `network.direction` UDM field is set to `INBOUND`.
`jsonPayload.elapsed_time`	`network.session_duration.seconds`
`jsonPayload.ip_protocol`	`network.ip_protocol`	If the `jsonPayload.ip_protocol` log field value contains one of the following values, then the `network.ip_protocol` UDM field is set to `ICMP`. `1` `ICMP` `ICMPV6` `58` `1.0` `58.0` Else, if the `jsonPayload.ip_protocol` log field value contains one of the following values, then the `network.ip_protocol` UDM field is set to `IGMP`. `2` `IGMP` `2.0` Else, if the `jsonPayload.ip_protocol` log field value contains one of the following values, then the `network.ip_protocol` UDM field is set to `TCP`. `6` `TCP` `6.0` Else, if the `jsonPayload.ip_protocol` log field value contains one of the following values, then the `network.ip_protocol` UDM field is set to `UDP`. `17` `UDP` `17.0` Else, if the `jsonPayload.ip_protocol` log field value contains one of the following values, then the `network.ip_protocol` UDM field is set to `IP6IN4`. `41` `IP6IN4` `41.0` Else, if the `jsonPayload.ip_protocol` log field value contains one of the following values, then the `network.ip_protocol` UDM field is set to `GRE`. `47` `GRE` `47.0` Else, if the `jsonPayload.ip_protocol` log field value contains one of the following values, then the `network.ip_protocol` UDM field is set to `ESP`. `50` `ESP` `50.0` Else, if the `jsonPayload.ip_protocol` log field value contains one of the following values, then the `network.ip_protocol` UDM field is set to `EIGRP`. `88` `EIGRP` `88.0` Else, if the `jsonPayload.ip_protocol` log field value contains one of the following values, then the `network.ip_protocol` UDM field is set to `ETHERIP`. `97` `ETHERIP` `97.0` Else, if the `jsonPayload.ip_protocol` log field value contains one of the following values, then the `network.ip_protocol` UDM field is set to `PIM`. `103` `PIM` `103.0` Else, if the `jsonPayload.ip_protocol` log field value contains one of the following values, then the `network.ip_protocol` UDM field is set to `VRRP`. `112` `VRRP` `112.0`
`jsonPayload.name`	`security_result.threat_name`
`jsonPayload.network`	`target.resource.name`	If the `jsonPayload.direction` log field value is equal to `client-to-server` or the `logName` log field value matches the regular expression pattern `traffic`, then the `jsonPayload.network` log field is mapped to the `target.resource.name` UDM field.
`jsonPayload.network`	`principal.resource.name`	If the `jsonPayload.direction` log field value is equal to `server-to-client`, then the `jsonPayload.network` log field is mapped to the `principal.resource.name` UDM field.
	`target.resource.resource_type`	If the `jsonPayload.direction` log field value is equal to `client-to-server` or the `logName` log field value matches the regular expression pattern `traffic`, then the `target.resource.resource_type` UDM field is set to `VPC_NETWORK`.
	`principal.resource.resource_type`	If the `jsonPayload.direction` log field value is equal to `server-to-client`, then the `principal.resource.resource_type` UDM field is set to `VPC_NETWORK`.
`jsonPayload.repeat_count`	`security_result.detection_fields[repeat_count]`
`jsonPayload.session_id`	`network.session_id`
`jsonPayload.source_ip_address`	`principal.ip`
`jsonPayload.source_port`	`principal.port`
`jsonPayload.start_time`	`about.labels[start_time]` (deprecated)
`jsonPayload.start_time`	`additional.fields[start_time]`
`jsonPayload.threat_id`	`security_result.threat_id`
`jsonPayload.total_bytes`	`about.labels[total_bytes]` (deprecated)
`jsonPayload.total_bytes`	`additional.fields[total_bytes]`
`jsonPayload.total_packets`	`about.labels[total_packets]` (deprecated)
`jsonPayload.total_packets`	`additional.fields[total_packets]`
`jsonPayload.type`	`security_result.detection_fields[type]`
`jsonPayload.uri_or_filename`	`target.file.full_path`
`logName`	`security_result.category_details`
`receiveTimestamp`	`metadata.collected_timestamp`
`resource.labels.id`	`observer.resource.product_object_id`
`resource.labels.location`	`observer.location.name`
`resource.labels.resource_container`	`observer.resource.name`
`resource.type`	`observer.resource.resource_subtype`
`timestamp`	`metadata.event_timestamp`	If the `logName` log field value matches the regular expression pattern `traffic`, then the `timestamp` log field is mapped to the `metadata.event_timestamp` UDM field.
	`observer.resource.resource_type`	The `observer.resource.resource_type` UDM field is set to `CLOUD_PROJECT`.
	`observer.resource.attribute.cloud.environment`	The `observer.resource.attribute.cloud.environment` UDM field is set to `GOOGLE_CLOUD_PLATFORM`.
	`security_result.category`	If the `jsonPayload.category` log field value is equal to `dos`, then the `security_result.category` UDM field is set to `NETWORK_DENIAL_OF_SERVICE`. Else, if the `jsonPayload.category` log field value is equal to `info-leak`, then the `security_result.category` UDM field is set to `NETWORK_SUSPICIOUS`. Else, if the `jsonPayload.category` log field value is equal to `protocol-anomaly`, then the `security_result.category` UDM field is set to `NETWORK_MALICIOUS`. Else, if the `jsonPayload.category` log field value contains one of the following values, then the `security_result.category` UDM field is set to `SOFTWARE_MALICIOUS`. `backdoor` `spyware` `trojan`
	`extensions.vulns.vulnerabilities.vendor`	if the `jsonPayload.cves` log field value is not empty, then the `extensions.vulns.vulnerabilities.vendor` UDM field is set to `GCP_IDS`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `GCP_IDS`.
	`metadata.vendor_name`	The `metadata.vendor_name` UDM field is set to `Google Cloud Platform`.
	`metadata.event_type`	If the `jsonPayload.cves` log field value is not empty, then the `metadata.event_type` UDM field is set to `SCAN_VULN_NETWROK`. Else, if the `jsonPayload.source_ip_address` log field value is not empty, then the `metadata.event_type` UDM field is set to `SCAN_NETWORK`. Else, the `metadata.event_type` UDM field is set to `GENERIC_EVENT`.

Nächste Schritte

Datenaufnahme in Google Security Operations

Benötigen Sie weitere Hilfe? Antworten von Community-Mitgliedern und Google SecOps-Experten erhalten