Mengumpulkan log Google Cloud IDS
Dokumen ini menjelaskan cara mengumpulkan log IDS Google Cloud dengan mengaktifkan penyerapan telemetri ke Google Security Operations dan cara kolom log IDS Google Cloud dipetakan ke kolom Model Data Terpadu (UDM) Google Security Operations. Google Cloud
Untuk mengetahui informasi selengkapnya, lihat Penyerapan data ke Google Security Operations.
Deployment umum terdiri dari log IDS Google Cloud yang diaktifkan untuk penyerapan ke Google Security Operations. Setiap deployment pelanggan mungkin berbeda dari representasi ini dan mungkin lebih kompleks.
Deployment berisi komponen berikut:
Google Cloud: Layanan dan produk tempat Anda mengumpulkan log. Google Cloud
Log Google Cloud IDS: Log Google Cloud IDS yang diaktifkan untuk penyerapan ke Google Security Operations.
Google Security Operations: Google Security Operations menyimpan dan menganalisis log dari IDS Google Cloud.
Label penyerapan mengidentifikasi parser yang menormalisasi data log mentah ke format UDM terstruktur. Informasi dalam dokumen ini berlaku untuk parser
dengan label penyerapan GCP_IDS.
Sebelum memulai
- Pastikan semua sistem dalam arsitektur deployment dikonfigurasi dalam zona waktu UTC.
Mengonfigurasi Google Cloud untuk menyerap log Google Cloud IDS
Untuk menyerap log Google Cloud IDS ke Google Security Operations, ikuti langkah-langkah di halaman Menyerap log Google Cloud ke Google Security Operations.
Jika Anda mengalami masalah saat menyerap log Google Cloud IDS, hubungi dukungan Google Security Operations.
Format log Google Cloud IDS yang didukung
Parser Google Cloud IDS mendukung log dalam format JSON.
Contoh log Google Cloud IDS yang didukung
JSON:
{ "insertId": "5cb7ac422679042bcd8f0a84700c23c0-1@a1", "jsonPayload": { "alert_severity": "INFORMATIONAL", "alert_time": "2021-09-08T12:10:19Z", "application": "ssl", "category": "protocol-anomaly", "destination_ip_address": "198.51.100.0", "destination_port": "443", "details": "This signature detects suspicious and non-RFC compliant SSL traffic on port 443. This could be associated with applications sending non SSL traffic using port 443 or indicate possible malicious activity.", "direction": "client-to-server", "ip_protocol": "tcp", "name": "Non-RFC Compliant SSL Traffic on Port 443", "network": "abcd-prod-pod111-shared", "repeat_count": "1", "session_id": "1457377", "source_ip_address": "198.51.100.0", "source_port": "62543", "threat_id": "56112", "type": "vulnerability", "uri_or_filename": "" }, "logName": "projects/abcd-prod-mnop-pod555-infra/logs/ids.googleapis.com%2Fthreat", "receiveTimestamp": "2021-09-08T12:10:23.953458826Z", "resource": { "labels": { "id": "abcd-prod-mnop-pod555-cloudidsendpoint-info", "location": "us-central1-a", "resource_container": "projects/158110290042" }, "type": "ids.googleapis.com/Endpoint" }, "timestamp": "2021-09-08T12:10:19Z" }
Referensi pemetaan kolom
Referensi pemetaan kolom: GCP_IDS
Tabel berikut mencantumkan kolom log jenis log GCP_IDS dan kolom UDM yang sesuai.
| Log field | UDM mapping | Logic |
|---|---|---|
insertId |
metadata.product_log_id |
|
jsonPayload.alert_severity |
security_result.severity |
|
jsonPayload.alert_time |
metadata.event_timestamp |
|
jsonPayload.application |
principal.application |
If the jsonPayload.direction log field value is equal to server-to-client, then the jsonPayload.application log field is mapped to the principal.application UDM field. |
jsonPayload.application |
target.application |
If the jsonPayload.direction log field value is equal to client-to-server or the logName log field value matches the regular expression pattern traffic, then the jsonPayload.application log field is mapped to the target.application UDM field. |
jsonPayload.category |
security_result.category_details |
|
jsonPayload.cves |
extensions.vulns.vulnerabilities.cve_id |
If the jsonPayload.cves log field value is not empty, then the jsonPayload.cves log field is mapped to the extensions.vulns.vulnerabilities.cve_id UDM field. |
jsonPayload.destination_ip_address |
target.ip |
|
jsonPayload.destination_port |
target.port |
|
jsonPayload.details |
extensions.vulns.vulnerabilities.description |
If the jsonPayload.cves log field value is not empty, then the jsonPayload.details log field is mapped to the extensions.vulns.vulnerabilities.description UDM field. |
jsonPayload.direction |
network.direction |
If the jsonPayload.direction log field value is equal to client-to-server, then the network.direction UDM field is set to OUTBOUND.Else, if the jsonPayload.direction log field value is equal to server-to-client, then the network.direction UDM field is set to INBOUND. |
jsonPayload.elapsed_time |
network.session_duration.seconds |
|
jsonPayload.ip_protocol |
network.ip_protocol |
If the jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to ICMP.
jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to IGMP.
jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to TCP.
jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to UDP.
jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to IP6IN4.
jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to GRE.
jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to ESP.
jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to EIGRP.
jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to ETHERIP.
jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to PIM.
jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to VRRP.
|
jsonPayload.name |
security_result.threat_name |
|
jsonPayload.network |
target.resource.name |
If the jsonPayload.direction log field value is equal to client-to-server or the logName log field value matches the regular expression pattern traffic, then the jsonPayload.network log field is mapped to the target.resource.name UDM field. |
jsonPayload.network |
principal.resource.name |
If the jsonPayload.direction log field value is equal to server-to-client, then the jsonPayload.network log field is mapped to the principal.resource.name UDM field. |
|
target.resource.resource_type |
If the jsonPayload.direction log field value is equal to client-to-server or the logName log field value matches the regular expression pattern traffic, then the target.resource.resource_type UDM field is set to VPC_NETWORK. |
|
principal.resource.resource_type |
If the jsonPayload.direction log field value is equal to server-to-client, then the principal.resource.resource_type UDM field is set to VPC_NETWORK. |
jsonPayload.repeat_count |
security_result.detection_fields[repeat_count] |
|
jsonPayload.session_id |
network.session_id |
|
jsonPayload.source_ip_address |
principal.ip |
|
jsonPayload.source_port |
principal.port |
|
jsonPayload.start_time |
about.labels[start_time] (deprecated) |
|
jsonPayload.start_time |
additional.fields[start_time] |
|
jsonPayload.threat_id |
security_result.threat_id |
|
jsonPayload.total_bytes |
about.labels[total_bytes] (deprecated) |
|
jsonPayload.total_bytes |
additional.fields[total_bytes] |
|
jsonPayload.total_packets |
about.labels[total_packets] (deprecated) |
|
jsonPayload.total_packets |
additional.fields[total_packets] |
|
jsonPayload.type |
security_result.detection_fields[type] |
|
jsonPayload.uri_or_filename |
target.file.full_path |
|
logName |
security_result.category_details |
|
receiveTimestamp |
metadata.collected_timestamp |
|
resource.labels.id |
observer.resource.product_object_id |
|
resource.labels.location |
observer.location.name |
|
resource.labels.resource_container |
observer.resource.name |
|
resource.type |
observer.resource.resource_subtype |
|
timestamp |
metadata.event_timestamp |
If the logName log field value matches the regular expression pattern traffic, then the timestamp log field is mapped to the metadata.event_timestamp UDM field. |
|
observer.resource.resource_type |
The observer.resource.resource_type UDM field is set to CLOUD_PROJECT. |
|
observer.resource.attribute.cloud.environment |
The observer.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
|
security_result.category |
If the jsonPayload.category log field value is equal to dos, then the security_result.category UDM field is set to NETWORK_DENIAL_OF_SERVICE.Else, if the jsonPayload.category log field value is equal to info-leak, then the security_result.category UDM field is set to NETWORK_SUSPICIOUS.Else, if the jsonPayload.category log field value is equal to protocol-anomaly, then the security_result.category UDM field is set to NETWORK_MALICIOUS.Else, if the jsonPayload.category log field value contains one of the following values, then the security_result.category UDM field is set to SOFTWARE_MALICIOUS.
|
|
extensions.vulns.vulnerabilities.vendor |
if the jsonPayload.cves log field value is not empty, then the extensions.vulns.vulnerabilities.vendor UDM field is set to GCP_IDS. |
|
metadata.product_name |
The metadata.product_name UDM field is set to GCP_IDS. |
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to Google Cloud Platform. |
|
metadata.event_type |
If the jsonPayload.cves log field value is not empty, then the metadata.event_type UDM field is set to SCAN_VULN_NETWROK.Else, if the jsonPayload.source_ip_address log field value is not empty, then the metadata.event_type UDM field is set to SCAN_NETWORK.Else, the metadata.event_type UDM field is set to GENERIC_EVENT. |
Langkah berikutnya
Perlu bantuan lain? Dapatkan jawaban dari anggota Komunitas dan profesional Google SecOps.