收集 Google Cloud IDS 日志
本文档介绍了如何通过启用 Google Cloud 遥测数据提取来收集 Google Cloud IDS 日志,以及 Google Cloud IDS 日志的日志字段如何映射到 Google Security Operations Unified Data Model (UDM) 字段。
如需了解详情,请参阅将数据注入 Google Security Operations。
典型部署包括启用 Google Cloud IDS 日志以注入到 Google Security Operations。每个客户部署都可能与此表示法不同,并且可能更复杂。
部署包含以下组件:
Google Cloud:您要从中收集日志的服务和产品。 Google Cloud
Google Cloud IDS 日志:已启用以注入到 Google Security Operations 的 Google Cloud IDS 日志。
Google Security Operations:Google Security Operations 会保留并分析 Google Cloud IDS 中的日志。
注入标签用于标识将原始日志数据标准化为结构化 UDM 格式的解析器。本文档中的信息适用于具有 GCP_IDS 注入标签的解析器。
准备工作
- 确保部署架构中的所有系统都配置为使用世界协调时间 (UTC) 时区。
配置 Google Cloud 以注入 Google Cloud IDS 日志
如需将 Google Cloud IDS 日志注入到 Google Security Operations,请按照将 Google Cloud 日志注入到 Google Security Operations 页面上的步骤操作。
如果您在注入 Google Cloud IDS 日志时遇到问题,请与 Google Security Operations 支持团队联系。
支持的 Google Cloud IDS 日志格式
Google Cloud IDS 解析器支持 JSON 格式的日志。
支持的 Google Cloud IDS 示例日志
JSON:
{ "insertId": "5cb7ac422679042bcd8f0a84700c23c0-1@a1", "jsonPayload": { "alert_severity": "INFORMATIONAL", "alert_time": "2021-09-08T12:10:19Z", "application": "ssl", "category": "protocol-anomaly", "destination_ip_address": "198.51.100.0", "destination_port": "443", "details": "This signature detects suspicious and non-RFC compliant SSL traffic on port 443. This could be associated with applications sending non SSL traffic using port 443 or indicate possible malicious activity.", "direction": "client-to-server", "ip_protocol": "tcp", "name": "Non-RFC Compliant SSL Traffic on Port 443", "network": "abcd-prod-pod111-shared", "repeat_count": "1", "session_id": "1457377", "source_ip_address": "198.51.100.0", "source_port": "62543", "threat_id": "56112", "type": "vulnerability", "uri_or_filename": "" }, "logName": "projects/abcd-prod-mnop-pod555-infra/logs/ids.googleapis.com%2Fthreat", "receiveTimestamp": "2021-09-08T12:10:23.953458826Z", "resource": { "labels": { "id": "abcd-prod-mnop-pod555-cloudidsendpoint-info", "location": "us-central1-a", "resource_container": "projects/158110290042" }, "type": "ids.googleapis.com/Endpoint" }, "timestamp": "2021-09-08T12:10:19Z" }
字段映射参考
字段映射参考信息:GCP_IDS
下表列出了 GCP_IDS 日志类型的日志字段及其对应的 UDM 字段。
| Log field | UDM mapping | Logic |
|---|---|---|
insertId |
metadata.product_log_id |
|
jsonPayload.alert_severity |
security_result.severity |
|
jsonPayload.alert_time |
metadata.event_timestamp |
|
jsonPayload.application |
principal.application |
If the jsonPayload.direction log field value is equal to server-to-client, then the jsonPayload.application log field is mapped to the principal.application UDM field. |
jsonPayload.application |
target.application |
If the jsonPayload.direction log field value is equal to client-to-server or the logName log field value matches the regular expression pattern traffic, then the jsonPayload.application log field is mapped to the target.application UDM field. |
jsonPayload.category |
security_result.category_details |
|
jsonPayload.cves |
extensions.vulns.vulnerabilities.cve_id |
If the jsonPayload.cves log field value is not empty, then the jsonPayload.cves log field is mapped to the extensions.vulns.vulnerabilities.cve_id UDM field. |
jsonPayload.destination_ip_address |
target.ip |
|
jsonPayload.destination_port |
target.port |
|
jsonPayload.details |
extensions.vulns.vulnerabilities.description |
If the jsonPayload.cves log field value is not empty, then the jsonPayload.details log field is mapped to the extensions.vulns.vulnerabilities.description UDM field. |
jsonPayload.direction |
network.direction |
If the jsonPayload.direction log field value is equal to client-to-server, then the network.direction UDM field is set to OUTBOUND.Else, if the jsonPayload.direction log field value is equal to server-to-client, then the network.direction UDM field is set to INBOUND. |
jsonPayload.elapsed_time |
network.session_duration.seconds |
|
jsonPayload.ip_protocol |
network.ip_protocol |
If the jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to ICMP.
jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to IGMP.
jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to TCP.
jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to UDP.
jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to IP6IN4.
jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to GRE.
jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to ESP.
jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to EIGRP.
jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to ETHERIP.
jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to PIM.
jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to VRRP.
|
jsonPayload.name |
security_result.threat_name |
|
jsonPayload.network |
target.resource.name |
If the jsonPayload.direction log field value is equal to client-to-server or the logName log field value matches the regular expression pattern traffic, then the jsonPayload.network log field is mapped to the target.resource.name UDM field. |
jsonPayload.network |
principal.resource.name |
If the jsonPayload.direction log field value is equal to server-to-client, then the jsonPayload.network log field is mapped to the principal.resource.name UDM field. |
|
target.resource.resource_type |
If the jsonPayload.direction log field value is equal to client-to-server or the logName log field value matches the regular expression pattern traffic, then the target.resource.resource_type UDM field is set to VPC_NETWORK. |
|
principal.resource.resource_type |
If the jsonPayload.direction log field value is equal to server-to-client, then the principal.resource.resource_type UDM field is set to VPC_NETWORK. |
jsonPayload.repeat_count |
security_result.detection_fields[repeat_count] |
|
jsonPayload.session_id |
network.session_id |
|
jsonPayload.source_ip_address |
principal.ip |
|
jsonPayload.source_port |
principal.port |
|
jsonPayload.start_time |
about.labels[start_time] (deprecated) |
|
jsonPayload.start_time |
additional.fields[start_time] |
|
jsonPayload.threat_id |
security_result.threat_id |
|
jsonPayload.total_bytes |
about.labels[total_bytes] (deprecated) |
|
jsonPayload.total_bytes |
additional.fields[total_bytes] |
|
jsonPayload.total_packets |
about.labels[total_packets] (deprecated) |
|
jsonPayload.total_packets |
additional.fields[total_packets] |
|
jsonPayload.type |
security_result.detection_fields[type] |
|
jsonPayload.uri_or_filename |
target.file.full_path |
|
logName |
security_result.category_details |
|
receiveTimestamp |
metadata.collected_timestamp |
|
resource.labels.id |
observer.resource.product_object_id |
|
resource.labels.location |
observer.location.name |
|
resource.labels.resource_container |
observer.resource.name |
|
resource.type |
observer.resource.resource_subtype |
|
timestamp |
metadata.event_timestamp |
If the logName log field value matches the regular expression pattern traffic, then the timestamp log field is mapped to the metadata.event_timestamp UDM field. |
|
observer.resource.resource_type |
The observer.resource.resource_type UDM field is set to CLOUD_PROJECT. |
|
observer.resource.attribute.cloud.environment |
The observer.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
|
security_result.category |
If the jsonPayload.category log field value is equal to dos, then the security_result.category UDM field is set to NETWORK_DENIAL_OF_SERVICE.Else, if the jsonPayload.category log field value is equal to info-leak, then the security_result.category UDM field is set to NETWORK_SUSPICIOUS.Else, if the jsonPayload.category log field value is equal to protocol-anomaly, then the security_result.category UDM field is set to NETWORK_MALICIOUS.Else, if the jsonPayload.category log field value contains one of the following values, then the security_result.category UDM field is set to SOFTWARE_MALICIOUS.
|
|
extensions.vulns.vulnerabilities.vendor |
if the jsonPayload.cves log field value is not empty, then the extensions.vulns.vulnerabilities.vendor UDM field is set to GCP_IDS. |
|
metadata.product_name |
The metadata.product_name UDM field is set to GCP_IDS. |
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to Google Cloud Platform. |
|
metadata.event_type |
If the jsonPayload.cves log field value is not empty, then the metadata.event_type UDM field is set to SCAN_VULN_NETWROK.Else, if the jsonPayload.source_ip_address log field value is not empty, then the metadata.event_type UDM field is set to SCAN_NETWORK.Else, the metadata.event_type UDM field is set to GENERIC_EVENT. |
后续步骤
需要更多帮助?从社区成员和 Google SecOps 专业人士那里获得解答。