收集 Google Cloud IDS 記錄
本文說明如何啟用 Google Cloud 遙測資料擷取至 Google Security Operations,以收集 Google Cloud IDS 記錄,以及 Google Cloud IDS 記錄的記錄欄位如何對應至 Google Security Operations 統一資料模型 (UDM) 欄位。
詳情請參閱「將資料擷取至 Google Security Operations」。
一般部署作業會啟用 Google Cloud IDS 記錄,以便擷取至 Google Security Operations。每個客戶部署作業可能與此表示法不同,且可能更複雜。
部署作業包含下列元件:
Google Cloud:您要收集記錄的 Google Cloud 服務和產品。
Google Cloud IDS 記錄:已啟用擷取至 Google Security Operations 的 Google Cloud IDS 記錄。
Google Security Operations:Google Security Operations 會保留及分析 Google Cloud IDS 的記錄。
擷取標籤會識別剖析器,該剖析器會將原始記錄資料正規化為具結構性的 UDM 格式。本文中的資訊適用於具有 GCP_IDS 攝入標籤的剖析器。
事前準備
- 請確保部署架構中的所有系統都以世界標準時間設定。
設定 Google Cloud 擷取 Google Cloud IDS 記錄
如要將 Google Cloud IDS 記錄擷取至 Google Security Operations,請按照「將記錄擷取至 Google Security Operations Google Cloud 」頁面的步驟操作。
如果在擷取 Google Cloud IDS 記錄時遇到問題,請與 Google Security Operations 支援團隊聯絡。
支援的 Google Cloud IDS 記錄格式
Google Cloud IDS 剖析器支援 JSON 格式的記錄。
支援的 Google Cloud IDS 記錄檔範例
JSON:
{ "insertId": "5cb7ac422679042bcd8f0a84700c23c0-1@a1", "jsonPayload": { "alert_severity": "INFORMATIONAL", "alert_time": "2021-09-08T12:10:19Z", "application": "ssl", "category": "protocol-anomaly", "destination_ip_address": "198.51.100.0", "destination_port": "443", "details": "This signature detects suspicious and non-RFC compliant SSL traffic on port 443. This could be associated with applications sending non SSL traffic using port 443 or indicate possible malicious activity.", "direction": "client-to-server", "ip_protocol": "tcp", "name": "Non-RFC Compliant SSL Traffic on Port 443", "network": "abcd-prod-pod111-shared", "repeat_count": "1", "session_id": "1457377", "source_ip_address": "198.51.100.0", "source_port": "62543", "threat_id": "56112", "type": "vulnerability", "uri_or_filename": "" }, "logName": "projects/abcd-prod-mnop-pod555-infra/logs/ids.googleapis.com%2Fthreat", "receiveTimestamp": "2021-09-08T12:10:23.953458826Z", "resource": { "labels": { "id": "abcd-prod-mnop-pod555-cloudidsendpoint-info", "location": "us-central1-a", "resource_container": "projects/158110290042" }, "type": "ids.googleapis.com/Endpoint" }, "timestamp": "2021-09-08T12:10:19Z" }
欄位對應參考資料
欄位對應參考資料:GCP_IDS
下表列出 GCP_IDS 記錄類型的記錄欄位,以及對應的 UDM 欄位。
| Log field | UDM mapping | Logic |
|---|---|---|
insertId |
metadata.product_log_id |
|
jsonPayload.alert_severity |
security_result.severity |
|
jsonPayload.alert_time |
metadata.event_timestamp |
|
jsonPayload.application |
principal.application |
If the jsonPayload.direction log field value is equal to server-to-client, then the jsonPayload.application log field is mapped to the principal.application UDM field. |
jsonPayload.application |
target.application |
If the jsonPayload.direction log field value is equal to client-to-server or the logName log field value matches the regular expression pattern traffic, then the jsonPayload.application log field is mapped to the target.application UDM field. |
jsonPayload.category |
security_result.category_details |
|
jsonPayload.cves |
extensions.vulns.vulnerabilities.cve_id |
If the jsonPayload.cves log field value is not empty, then the jsonPayload.cves log field is mapped to the extensions.vulns.vulnerabilities.cve_id UDM field. |
jsonPayload.destination_ip_address |
target.ip |
|
jsonPayload.destination_port |
target.port |
|
jsonPayload.details |
extensions.vulns.vulnerabilities.description |
If the jsonPayload.cves log field value is not empty, then the jsonPayload.details log field is mapped to the extensions.vulns.vulnerabilities.description UDM field. |
jsonPayload.direction |
network.direction |
If the jsonPayload.direction log field value is equal to client-to-server, then the network.direction UDM field is set to OUTBOUND.Else, if the jsonPayload.direction log field value is equal to server-to-client, then the network.direction UDM field is set to INBOUND. |
jsonPayload.elapsed_time |
network.session_duration.seconds |
|
jsonPayload.ip_protocol |
network.ip_protocol |
If the jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to ICMP.
jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to IGMP.
jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to TCP.
jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to UDP.
jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to IP6IN4.
jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to GRE.
jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to ESP.
jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to EIGRP.
jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to ETHERIP.
jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to PIM.
jsonPayload.ip_protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to VRRP.
|
jsonPayload.name |
security_result.threat_name |
|
jsonPayload.network |
target.resource.name |
If the jsonPayload.direction log field value is equal to client-to-server or the logName log field value matches the regular expression pattern traffic, then the jsonPayload.network log field is mapped to the target.resource.name UDM field. |
jsonPayload.network |
principal.resource.name |
If the jsonPayload.direction log field value is equal to server-to-client, then the jsonPayload.network log field is mapped to the principal.resource.name UDM field. |
|
target.resource.resource_type |
If the jsonPayload.direction log field value is equal to client-to-server or the logName log field value matches the regular expression pattern traffic, then the target.resource.resource_type UDM field is set to VPC_NETWORK. |
|
principal.resource.resource_type |
If the jsonPayload.direction log field value is equal to server-to-client, then the principal.resource.resource_type UDM field is set to VPC_NETWORK. |
jsonPayload.repeat_count |
security_result.detection_fields[repeat_count] |
|
jsonPayload.session_id |
network.session_id |
|
jsonPayload.source_ip_address |
principal.ip |
|
jsonPayload.source_port |
principal.port |
|
jsonPayload.start_time |
about.labels[start_time] (deprecated) |
|
jsonPayload.start_time |
additional.fields[start_time] |
|
jsonPayload.threat_id |
security_result.threat_id |
|
jsonPayload.total_bytes |
about.labels[total_bytes] (deprecated) |
|
jsonPayload.total_bytes |
additional.fields[total_bytes] |
|
jsonPayload.total_packets |
about.labels[total_packets] (deprecated) |
|
jsonPayload.total_packets |
additional.fields[total_packets] |
|
jsonPayload.type |
security_result.detection_fields[type] |
|
jsonPayload.uri_or_filename |
target.file.full_path |
|
logName |
security_result.category_details |
|
receiveTimestamp |
metadata.collected_timestamp |
|
resource.labels.id |
observer.resource.product_object_id |
|
resource.labels.location |
observer.location.name |
|
resource.labels.resource_container |
observer.resource.name |
|
resource.type |
observer.resource.resource_subtype |
|
timestamp |
metadata.event_timestamp |
If the logName log field value matches the regular expression pattern traffic, then the timestamp log field is mapped to the metadata.event_timestamp UDM field. |
|
observer.resource.resource_type |
The observer.resource.resource_type UDM field is set to CLOUD_PROJECT. |
|
observer.resource.attribute.cloud.environment |
The observer.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
|
security_result.category |
If the jsonPayload.category log field value is equal to dos, then the security_result.category UDM field is set to NETWORK_DENIAL_OF_SERVICE.Else, if the jsonPayload.category log field value is equal to info-leak, then the security_result.category UDM field is set to NETWORK_SUSPICIOUS.Else, if the jsonPayload.category log field value is equal to protocol-anomaly, then the security_result.category UDM field is set to NETWORK_MALICIOUS.Else, if the jsonPayload.category log field value contains one of the following values, then the security_result.category UDM field is set to SOFTWARE_MALICIOUS.
|
|
extensions.vulns.vulnerabilities.vendor |
if the jsonPayload.cves log field value is not empty, then the extensions.vulns.vulnerabilities.vendor UDM field is set to GCP_IDS. |
|
metadata.product_name |
The metadata.product_name UDM field is set to GCP_IDS. |
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to Google Cloud Platform. |
|
metadata.event_type |
If the jsonPayload.cves log field value is not empty, then the metadata.event_type UDM field is set to SCAN_VULN_NETWROK.Else, if the jsonPayload.source_ip_address log field value is not empty, then the metadata.event_type UDM field is set to SCAN_NETWORK.Else, the metadata.event_type UDM field is set to GENERIC_EVENT. |
後續步驟
還有其他問題嗎?向社群成員和 Google SecOps 專業人員尋求答案。