Cette page a été traduite par l'API Cloud Translation.

Collecter les journaux Google Cloud IDS

Ce document explique comment collecter les journaux Google Cloud IDS en activant l'ingestion de télémétrie dans Google Security Operations, et comment les champs de journaux Google Cloud IDS sont mappés aux champs du modèle de données unifié (UDM) Google Security Operations. Google Cloud

Pour en savoir plus, consultez Ingestion de données dans Google Security Operations.

Un déploiement type consiste à activer les journaux Google Cloud IDS pour l'ingestion dans Google Security Operations. Chaque déploiement client peut différer de cette représentation et être plus complexe.

Le déploiement contient les composants suivants :

Google Cloud : services et produits Google Cloud à partir desquels vous collectez les journaux.
Journaux Google Cloud IDS : journaux Google Cloud IDS activés pour l'ingestion dans Google Security Operations.
Google Security Operations : Google Security Operations conserve et analyse les journaux de Google Cloud IDS.

Un libellé d'ingestion identifie l'analyseur qui normalise les données de journaux brutes au format UDM structuré. Les informations de ce document s'appliquent au parseur avec le libellé d'ingestion GCP_IDS.

Avant de commencer

Assurez-vous que tous les systèmes de l'architecture de déploiement sont configurés dans le fuseau horaire UTC.

Configurer Google Cloud pour ingérer les journaux Google Cloud IDS

Pour ingérer les journaux Google Cloud IDS dans Google Security Operations, suivez les étapes de la page Ingérer les journaux Google Cloud dans Google Security Operations.

Si vous rencontrez des problèmes lors de l'ingestion des journaux Google Cloud IDS, contactez l'assistance Google Security Operations.

Formats de journaux Google Cloud IDS acceptés

L'analyseur Google Cloud IDS est compatible avec les journaux au format JSON.

Exemples de journaux Google Cloud IDS acceptés

JSON :

{
  "insertId": "5cb7ac422679042bcd8f0a84700c23c0-1@a1",
  "jsonPayload": {
    "alert_severity": "INFORMATIONAL",
    "alert_time": "2021-09-08T12:10:19Z",
    "application": "ssl",
    "category": "protocol-anomaly",
    "destination_ip_address": "198.51.100.0",
    "destination_port": "443",
    "details": "This signature detects suspicious and non-RFC compliant SSL traffic on port 443. This could be associated with applications sending non SSL traffic using port 443 or indicate possible malicious activity.",
    "direction": "client-to-server",
    "ip_protocol": "tcp",
    "name": "Non-RFC Compliant SSL Traffic on Port 443",
    "network": "abcd-prod-pod111-shared",
    "repeat_count": "1",
    "session_id": "1457377",
    "source_ip_address": "198.51.100.0",
    "source_port": "62543",
    "threat_id": "56112",
    "type": "vulnerability",
    "uri_or_filename": ""
  },
  "logName": "projects/abcd-prod-mnop-pod555-infra/logs/ids.googleapis.com%2Fthreat",
  "receiveTimestamp": "2021-09-08T12:10:23.953458826Z",
  "resource": {
    "labels": {
      "id": "abcd-prod-mnop-pod555-cloudidsendpoint-info",
      "location": "us-central1-a",
      "resource_container": "projects/158110290042"
    },
    "type": "ids.googleapis.com/Endpoint"
  },
  "timestamp": "2021-09-08T12:10:19Z"
}

Référence du mappage de champs

Référence du mappage de champ : GCP_IDS

Le tableau suivant liste les champs de journaux du type de journal GCP_IDS et les champs UDM correspondants.

Log field	UDM mapping	Logic
`insertId`	`metadata.product_log_id`
`jsonPayload.alert_severity`	`security_result.severity`
`jsonPayload.alert_time`	`metadata.event_timestamp`
`jsonPayload.application`	`principal.application`	If the `jsonPayload.direction` log field value is equal to `server-to-client`, then the `jsonPayload.application` log field is mapped to the `principal.application` UDM field.
`jsonPayload.application`	`target.application`	If the `jsonPayload.direction` log field value is equal to `client-to-server` or the `logName` log field value matches the regular expression pattern `traffic`, then the `jsonPayload.application` log field is mapped to the `target.application` UDM field.
`jsonPayload.category`	`security_result.category_details`
`jsonPayload.cves`	`extensions.vulns.vulnerabilities.cve_id`	If the `jsonPayload.cves` log field value is not empty, then the `jsonPayload.cves` log field is mapped to the `extensions.vulns.vulnerabilities.cve_id` UDM field.
`jsonPayload.destination_ip_address`	`target.ip`
`jsonPayload.destination_port`	`target.port`
`jsonPayload.details`	`extensions.vulns.vulnerabilities.description`	If the `jsonPayload.cves` log field value is not empty, then the `jsonPayload.details` log field is mapped to the `extensions.vulns.vulnerabilities.description` UDM field.
`jsonPayload.direction`	`network.direction`	If the `jsonPayload.direction` log field value is equal to `client-to-server`, then the `network.direction` UDM field is set to `OUTBOUND`. Else, if the `jsonPayload.direction` log field value is equal to `server-to-client`, then the `network.direction` UDM field is set to `INBOUND`.
`jsonPayload.elapsed_time`	`network.session_duration.seconds`
`jsonPayload.ip_protocol`	`network.ip_protocol`	If the `jsonPayload.ip_protocol` log field value contains one of the following values, then the `network.ip_protocol` UDM field is set to `ICMP`. `1` `ICMP` `ICMPV6` `58` `1.0` `58.0` Else, if the `jsonPayload.ip_protocol` log field value contains one of the following values, then the `network.ip_protocol` UDM field is set to `IGMP`. `2` `IGMP` `2.0` Else, if the `jsonPayload.ip_protocol` log field value contains one of the following values, then the `network.ip_protocol` UDM field is set to `TCP`. `6` `TCP` `6.0` Else, if the `jsonPayload.ip_protocol` log field value contains one of the following values, then the `network.ip_protocol` UDM field is set to `UDP`. `17` `UDP` `17.0` Else, if the `jsonPayload.ip_protocol` log field value contains one of the following values, then the `network.ip_protocol` UDM field is set to `IP6IN4`. `41` `IP6IN4` `41.0` Else, if the `jsonPayload.ip_protocol` log field value contains one of the following values, then the `network.ip_protocol` UDM field is set to `GRE`. `47` `GRE` `47.0` Else, if the `jsonPayload.ip_protocol` log field value contains one of the following values, then the `network.ip_protocol` UDM field is set to `ESP`. `50` `ESP` `50.0` Else, if the `jsonPayload.ip_protocol` log field value contains one of the following values, then the `network.ip_protocol` UDM field is set to `EIGRP`. `88` `EIGRP` `88.0` Else, if the `jsonPayload.ip_protocol` log field value contains one of the following values, then the `network.ip_protocol` UDM field is set to `ETHERIP`. `97` `ETHERIP` `97.0` Else, if the `jsonPayload.ip_protocol` log field value contains one of the following values, then the `network.ip_protocol` UDM field is set to `PIM`. `103` `PIM` `103.0` Else, if the `jsonPayload.ip_protocol` log field value contains one of the following values, then the `network.ip_protocol` UDM field is set to `VRRP`. `112` `VRRP` `112.0`
`jsonPayload.name`	`security_result.threat_name`
`jsonPayload.network`	`target.resource.name`	If the `jsonPayload.direction` log field value is equal to `client-to-server` or the `logName` log field value matches the regular expression pattern `traffic`, then the `jsonPayload.network` log field is mapped to the `target.resource.name` UDM field.
`jsonPayload.network`	`principal.resource.name`	If the `jsonPayload.direction` log field value is equal to `server-to-client`, then the `jsonPayload.network` log field is mapped to the `principal.resource.name` UDM field.
	`target.resource.resource_type`	If the `jsonPayload.direction` log field value is equal to `client-to-server` or the `logName` log field value matches the regular expression pattern `traffic`, then the `target.resource.resource_type` UDM field is set to `VPC_NETWORK`.
	`principal.resource.resource_type`	If the `jsonPayload.direction` log field value is equal to `server-to-client`, then the `principal.resource.resource_type` UDM field is set to `VPC_NETWORK`.
`jsonPayload.repeat_count`	`security_result.detection_fields[repeat_count]`
`jsonPayload.session_id`	`network.session_id`
`jsonPayload.source_ip_address`	`principal.ip`
`jsonPayload.source_port`	`principal.port`
`jsonPayload.start_time`	`about.labels[start_time]` (deprecated)
`jsonPayload.start_time`	`additional.fields[start_time]`
`jsonPayload.threat_id`	`security_result.threat_id`
`jsonPayload.total_bytes`	`about.labels[total_bytes]` (deprecated)
`jsonPayload.total_bytes`	`additional.fields[total_bytes]`
`jsonPayload.total_packets`	`about.labels[total_packets]` (deprecated)
`jsonPayload.total_packets`	`additional.fields[total_packets]`
`jsonPayload.type`	`security_result.detection_fields[type]`
`jsonPayload.uri_or_filename`	`target.file.full_path`
`logName`	`security_result.category_details`
`receiveTimestamp`	`metadata.collected_timestamp`
`resource.labels.id`	`observer.resource.product_object_id`
`resource.labels.location`	`observer.location.name`
`resource.labels.resource_container`	`observer.resource.name`
`resource.type`	`observer.resource.resource_subtype`
`timestamp`	`metadata.event_timestamp`	If the `logName` log field value matches the regular expression pattern `traffic`, then the `timestamp` log field is mapped to the `metadata.event_timestamp` UDM field.
	`observer.resource.resource_type`	The `observer.resource.resource_type` UDM field is set to `CLOUD_PROJECT`.
	`observer.resource.attribute.cloud.environment`	The `observer.resource.attribute.cloud.environment` UDM field is set to `GOOGLE_CLOUD_PLATFORM`.
	`security_result.category`	If the `jsonPayload.category` log field value is equal to `dos`, then the `security_result.category` UDM field is set to `NETWORK_DENIAL_OF_SERVICE`. Else, if the `jsonPayload.category` log field value is equal to `info-leak`, then the `security_result.category` UDM field is set to `NETWORK_SUSPICIOUS`. Else, if the `jsonPayload.category` log field value is equal to `protocol-anomaly`, then the `security_result.category` UDM field is set to `NETWORK_MALICIOUS`. Else, if the `jsonPayload.category` log field value contains one of the following values, then the `security_result.category` UDM field is set to `SOFTWARE_MALICIOUS`. `backdoor` `spyware` `trojan`
	`extensions.vulns.vulnerabilities.vendor`	if the `jsonPayload.cves` log field value is not empty, then the `extensions.vulns.vulnerabilities.vendor` UDM field is set to `GCP_IDS`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `GCP_IDS`.
	`metadata.vendor_name`	The `metadata.vendor_name` UDM field is set to `Google Cloud Platform`.
	`metadata.event_type`	If the `jsonPayload.cves` log field value is not empty, then the `metadata.event_type` UDM field is set to `SCAN_VULN_NETWROK`. Else, if the `jsonPayload.source_ip_address` log field value is not empty, then the `metadata.event_type` UDM field is set to `SCAN_NETWORK`. Else, the `metadata.event_type` UDM field is set to `GENERIC_EVENT`.

Étapes suivantes

Ingestion de données dans Google Security Operations

Vous avez encore besoin d'aide ? Obtenez des réponses de membres de la communauté et de professionnels Google SecOps.