Collect Google Cloud IAM context logs
This document describes how the fields of Identity and Access Management (IAM) context logs map to Google Security Operations Unified Data Model (UDM) fields. The ingestion label identifies the parser that normalizes raw log data into the structured UDM format. The information in this document applies to the parser with the GCP_IAM_CONTEXT ingestion label.
For information about the other context parsers that Google SecOps supports, see Google SecOps context parsers.
Supported IAM log formats
The IAM parser supports logs in JSON format.
Sample supported IAM logs
- JSON:

```json
{
  "name": "//iam.googleapis.com/projects/project_id/serviceAccounts/service_account_id",
  "asset_type": "iam.googleapis.com/ServiceAccount",
  "resource": {
    "version": "v1",
    "discovery_document_uri": "https://dummy.domain.com/$discovery/rest",
    "discovery_name": "ServiceAccount",
    "parent": "//cloudresourcemanager.googleapis.com/projects/project_number",
    "data": {
      "displayName": "Compute Engine default service account",
      "email": "dummy-compute@developer.domain.com",
      "name": "projects/project_id/serviceAccounts/project_number-compute@developer.gserviceaccount.com",
      "oauth2ClientId": "service_account_id",
      "projectId": "project_id",
      "uniqueId": "service_account_id"
    }
  },
  "AccessContextPolicy": null,
  "ancestors": [
    "projects/project_number",
    "folders/folders_id_1",
    "folders/folders_id_2",
    "folders/folders_id_3",
    "organizations/organizations_id"
  ]
}
```
Field mapping reference
This section describes how the Google SecOps parser maps Google Cloud Identity and Access Management context log fields to Google SecOps Unified Data Model (UDM) fields.
| Log field | UDM mapping | Logic |
|---|---|---|
| resource.data.groupTitle | entity.group.attribute.labels[group_title] | |
| resource.data.groupName | entity.group.group_display_name | |
| resource.data.projectId | entity.resource_ancestors.product_object_id | |
| resource.data.name | entity.resource_ancestors.product_object_id | If the `assetType` log field value matches the regular expression pattern `Role`, then Grok extracts `prnt_id` from the `resource.data.name` log field and maps it to the `entity.resource_ancestors.product_object_id` UDM field. Else, if the `assetType` log field value matches the regular expression pattern `ServiceAccountKey`, then Grok extracts `project_id` from the `resource.data.name` log field and maps it to the `entity.resource_ancestors.product_object_id` UDM field. |
| | entity.resource_ancestors.resource_subtype | If the `assetType` log field value matches the regular expression pattern `Role` and the `resource.data.name` log field value matches the regular expression pattern `organizations`, then the `entity.resource_ancestors.resource_subtype` UDM field is set to `organizations`. Else, if the `assetType` log field value matches the regular expression pattern `Role` and the `resource.data.name` log field value matches the regular expression pattern `projects`, then the `entity.resource_ancestors.resource_subtype` UDM field is set to `projects`. Else, if the `assetType` log field value matches the regular expression pattern `ServiceAccount`, then the `entity.resource_ancestors.resource_subtype` UDM field is set to `projects`. |
| | entity.resource_ancestors.resource_type | If the `assetType` log field value matches the regular expression pattern `Role` and the `resource.data.name` log field value matches the regular expression pattern `organizations`, then the `entity.resource_ancestors.resource_type` UDM field is set to `CLOUD_ORGANIZATION`. Else, if the `assetType` log field value matches the regular expression pattern `Role` and the `resource.data.name` log field value matches the regular expression pattern `projects`, then the `entity.resource_ancestors.resource_type` UDM field is set to `CLOUD_PROJECT`. Else, if the `assetType` log field value matches the regular expression pattern `ServiceAccount`, then the `entity.resource_ancestors.resource_type` UDM field is set to `CLOUD_PROJECT`. |
| | entity.resource.attribute.cloud.environment | The `entity.resource.attribute.cloud.environment` UDM field is set to `GOOGLE_CLOUD_PLATFORM`. |
| resource.data.deleted | entity.resource.attribute.labels[deleted] | |
| resource.data.disabled | entity.resource.attribute.labels[disabled] | |
| resource.discoveryDocumentUri | entity.resource.attribute.labels[discovery_document_uri] | |
| resource.discoveryName | entity.resource.attribute.labels[discovery_name] | |
| resource.data.etag | entity.resource.attribute.labels[etag] | |
| resource.data.name | entity.resource.attribute.labels[resource_name] | |
| resource.data.stage | entity.resource.attribute.labels[stage] | |
| resource.data.title | entity.resource.attribute.labels[title] | |
| resource.data.includedPermissions | entity.resource.attribute.permissions.name | |
| name | entity.resource.name | |
| resource.data.name | entity.resource.product_object_id | If the `assetType` log field value matches the regular expression pattern `ServiceAccountKey`, then Grok extracts `account_id` from the `resource.data.name` log field and maps it to the `entity.resource.product_object_id` UDM field. |
| resource.data.name | entity.resource.product_object_id | If the `assetType` log field value matches the regular expression pattern `Role`, then Grok extracts `res_name` from the `resource.data.name` log field and maps it to the `entity.resource.product_object_id` UDM field. |
| assetType | entity.resource.resource_subtype | |
| | entity.resource.resource_type | If the `assetType` log field value matches the regular expression pattern `Role`, then the `entity.resource.resource_type` UDM field is set to `ACCESS_POLICY`. Else, if the `assetType` log field value matches the regular expression pattern `ServiceAccount`, then the `entity.resource.resource_type` UDM field is set to `SERVICE_ACCOUNT`. |
| | entity.user.attribute.cloud.environment | If the `resource.discoveryName` log field value is equal to `ServiceAccount`, then the `entity.user.attribute.cloud.environment` UDM field is set to `GOOGLE_CLOUD_PLATFORM`. |
| resource.data.email | entity.user.email_addresses | |
| resource.data.email | entity.user.userid | |
| resource.data.oauth2ClientId | entity.user.attribute.labels[oauth2_client_id] | |
| resource.data.displayName | entity.user.user_display_name | |
| resource.data.uniqueId | entity.user.product_object_id | |
| resource.data.description | metadata.description | |
| | metadata.entity_type | If the `assetType` log field value matches the regular expression pattern `Role`, then the `metadata.entity_type` UDM field is set to `RESOURCE`. Else, if the `assetType` log field value matches the regular expression pattern `ServiceAccountKey`, then the `metadata.entity_type` UDM field is set to `RESOURCE`. Else, if the `assetType` log field value matches the regular expression pattern `ServiceAccount`, then the `metadata.entity_type` UDM field is set to `USER`. |
| | metadata.product_name | The `metadata.product_name` UDM field is set to `Identity and Access Management`. |
| resource.version | metadata.product_version | |
| | metadata.vendor_name | The `metadata.vendor_name` UDM field is set to `Google`. |
| | relations.direction | The `relations.direction` UDM field is set to `UNIDIRECTIONAL`. |
| | relations.entity_type | The `relations.entity_type` UDM field is set to `RESOURCE`. |
| resource.data.validAfterTime | relations.entity.resource.attribute.creation_time | |
| resource.data.keyAlgorithm | relations.entity.resource.attribute.labels[key_algorithm] | |
| resource.data.keyOrigin | relations.entity.resource.attribute.labels[key_origin] | |
| resource.data.keyType | relations.entity.resource.attribute.labels[key_type] | |
| resource.data.privateKeyData | relations.entity.resource.attribute.labels[private_key_data] | |
| resource.data.privateKeyType | relations.entity.resource.attribute.labels[private_key_type] | |
| resource.data.publicKeyData | relations.entity.resource.attribute.labels[public_key_data] | |
| resource.data.validBeforeTime | relations.entity.resource.attribute.labels[valid_before_time] | |
| ancestors | relations.entity.resource.name | |
| resource.parent | relations.entity.resource.name | |
| resource.parent | relations.entity.resource.product_object_id | Grok extracts `id` from the `resource.parent` log field and maps it to the `relations.entity.resource.product_object_id` UDM field. |
| resource.data.name | relations.entity.resource.product_object_id | If the `assetType` log field value matches the regular expression pattern `ServiceAccountKey`, then Grok extracts `key` from the `resource.data.name` log field and maps it to the `relations.entity.resource.product_object_id` UDM field. |
| ancestors | relations.entity.resource.product_object_id | Grok extracts `id` from the `ancestors` log field and maps it to the `relations.entity.resource.product_object_id` UDM field. |
| ancestors | relations.entity.resource.resource_subtype | Grok extracts `subtype` from the `ancestors` log field and maps it to the `relations.entity.resource.resource_subtype` UDM field. |
| | relations.entity.resource.resource_subtype | If the `assetType` log field value matches the regular expression pattern `ServiceAccountKey`, then the `relations.entity.resource.resource_subtype` UDM field is set to `keys`. If the `resource.parent` log field value matches the regular expression pattern `organizations`, then the `relations.entity.resource.resource_subtype` UDM field is set to `organizations`. Else, if the `resource.parent` log field value matches the regular expression pattern `projects`, then the `relations.entity.resource.resource_subtype` UDM field is set to `projects`. Else, if the `resource.parent` log field value matches the regular expression pattern `folders`, then the `relations.entity.resource.resource_subtype` UDM field is set to `folders`. |
| | relations.entity.resource.resource_type | If the `assetType` log field value matches the regular expression pattern `ServiceAccountKey`, then the `relations.entity.resource.resource_type` UDM field is set to `STORAGE_OBJECT`. Else, if the `resource.parent` log field value matches the regular expression pattern `organizations` or the `ancestors` log field value matches the regular expression pattern `organization`, then the `relations.entity.resource.resource_type` UDM field is set to `CLOUD_ORGANIZATION`. Else, if the `resource.parent` log field value matches the regular expression pattern `projects` or the `ancestors` log field value matches the regular expression pattern `project`, then the `relations.entity.resource.resource_type` UDM field is set to `CLOUD_PROJECT`. Else, if the `resource.parent` log field value matches the regular expression pattern `folders` or the `ancestors` log field value matches the regular expression pattern `folder`, then the `relations.entity.resource.resource_type` UDM field is set to `STORAGE_OBJECT`. |
| | relations.relationship | If the `assetType` log field value matches the regular expression pattern `ServiceAccountKey`, then the `relations.relationship` UDM field is set to `OWNS`. Else, the `relations.relationship` UDM field is set to `MEMBER`. |
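The following Python is an added example, not code from this page or from the Google SecOps parser itself. It restates the mapping rules in the table above as a function and runs them over the ServiceAccount sample record from this page plus a constructed ServiceAccountKey record with placeholder IDs, so the branching can be inspected: the `metadata.entity_type` and `resource_type` choices, the Grok extractions from `resource.data.name` for roles and keys, and the `OWNS` versus `MEMBER` relation. Two points a practitioner should notice when reading the table: the substring pattern `ServiceAccount` also matches `ServiceAccountKey`, so key-specific rules must be evaluated first, and the sample record spells its fields in snake_case (`asset_type`, `discovery_name`) while the table names them in camelCase (`assetType`, `discoveryName`), so the mapper accepts either spelling. The function and helper names (`map_iam_context`, `_ancestor_relation`) are hypothetical, and emitting one `relations` entry per parent or ancestor path is this example's assumption about how the parser repeats the flat relation fields the table lists.

```python
"""Added reference implementation (not the Google SecOps GCP_IAM_CONTEXT parser) of the mapping
table above: one Cloud Asset Inventory IAM record in -> plain dict in UDM entity shape out."""
import json
import re

# Constructed inputs: the ServiceAccount sample from this page (trimmed) and a ServiceAccountKey
# record in the same shape with placeholder IDs. Records spell fields in snake_case
# (asset_type, discovery_name) while the table uses camelCase; the mapper accepts both.
SA_RECORD = json.dumps({
    "name": "//iam.googleapis.com/projects/project_id/serviceAccounts/service_account_id",
    "asset_type": "iam.googleapis.com/ServiceAccount",
    "resource": {"version": "v1", "discovery_name": "ServiceAccount",
                 "parent": "//cloudresourcemanager.googleapis.com/projects/project_number",
                 "data": {"displayName": "Compute Engine default service account",
                          "email": "dummy-compute@developer.domain.com", "projectId": "project_id",
                          "name": "projects/project_id/serviceAccounts/project_number-compute@developer.gserviceaccount.com",
                          "oauth2ClientId": "service_account_id", "uniqueId": "service_account_id"}},
    "ancestors": ["projects/project_number", "folders/folders_id_1", "organizations/organizations_id"]})
KEY_RECORD = json.dumps({
    "name": "//iam.googleapis.com/projects/project_id/serviceAccounts/sa_id/keys/key_id",
    "asset_type": "iam.googleapis.com/ServiceAccountKey",
    "resource": {"version": "v1", "discovery_name": "ServiceAccountKey",
                 "parent": "//cloudresourcemanager.googleapis.com/projects/project_number",
                 "data": {"name": "projects/project_id/serviceAccounts/sa_id/keys/key_id",
                          "keyAlgorithm": "KEY_ALG_RSA_2048", "keyOrigin": "USER_PROVIDED",
                          "keyType": "USER_MANAGED", "validAfterTime": "2024-01-01T00:00:00Z"}},
    "ancestors": ["projects/project_number", "organizations/organizations_id"]})

# resource_type per parent/ancestor path segment, exactly as the table states (folders -> STORAGE_OBJECT).
ANCESTOR_TYPE = {"organizations": "CLOUD_ORGANIZATION", "projects": "CLOUD_PROJECT", "folders": "STORAGE_OBJECT"}
# Key fields copied into relations.entity.resource.attribute.labels: log field name -> label name.
KEY_LABELS = {"keyAlgorithm": "key_algorithm", "keyOrigin": "key_origin", "keyType": "key_type",
              "privateKeyData": "private_key_data", "privateKeyType": "private_key_type",
              "publicKeyData": "public_key_data", "validBeforeTime": "valid_before_time"}


def _ancestor_relation(path, relationship):
    """relations[] entry for 'projects/123' or '//cloudresourcemanager.googleapis.com/projects/123';
    the table's Grok takes 'subtype' and 'id' from the path. One entry per path is an assumption."""
    prefix, _, obj_id = path.rpartition("/")
    subtype = prefix.rsplit("/", 1)[-1]
    return {"direction": "UNIDIRECTIONAL", "entity_type": "RESOURCE", "relationship": relationship,
            "entity": {"resource": {"name": path, "product_object_id": obj_id, "resource_subtype": subtype,
                                    "resource_type": ANCESTOR_TYPE.get(subtype)}}}


def map_iam_context(raw):
    log = json.loads(raw)
    asset_type = log.get("asset_type", log.get("assetType", ""))
    res = log.get("resource", {})
    data = res.get("data", {})
    name = data.get("name", "")
    # Same substring regexes as the table. "ServiceAccount" also matches "ServiceAccountKey", so the
    # key-specific branches below are tested before the generic service-account branch.
    is_role, is_key, is_sa = (re.search(p, asset_type) is not None
                              for p in ("Role", "ServiceAccountKey", "ServiceAccount"))
    relationship = "OWNS" if is_key else "MEMBER"
    entity = {"resource": {"name": log.get("name"), "resource_subtype": asset_type,
                           "resource_type": "ACCESS_POLICY" if is_role else "SERVICE_ACCOUNT" if is_sa else None,
                           "attribute": {"cloud": {"environment": "GOOGLE_CLOUD_PLATFORM"},
                                         "labels": {"resource_name": name}}},
              "resource_ancestors": {}, "user": {}}
    relations = [_ancestor_relation(res["parent"], relationship)] if res.get("parent") else []
    relations += [_ancestor_relation(a, relationship) for a in log.get("ancestors", [])]
    if is_role:  # {organizations|projects}/{prnt_id}/roles/{res_name}
        m = re.match(r"(organizations|projects)/([^/]+)/roles/(.+)$", name)
        if m:
            entity["resource_ancestors"] = {"resource_subtype": m[1], "product_object_id": m[2],
                                            "resource_type": ANCESTOR_TYPE[m[1]]}
            entity["resource"]["product_object_id"] = m[3]
        entity["resource"]["attribute"]["permissions"] = [{"name": p} for p in data.get("includedPermissions", [])]
    elif is_key:  # projects/{project_id}/serviceAccounts/{account_id}/keys/{key}
        m = re.match(r"projects/([^/]+)/serviceAccounts/([^/]+)/keys/([^/]+)$", name)
        if m:
            entity["resource_ancestors"] = {"resource_subtype": "projects", "product_object_id": m[1],
                                            "resource_type": "CLOUD_PROJECT"}
            entity["resource"]["product_object_id"] = m[2]
            relations.append({"direction": "UNIDIRECTIONAL", "entity_type": "RESOURCE", "relationship": "OWNS",
                              "entity": {"resource": {"product_object_id": m[3], "resource_subtype": "keys",
                                                      "resource_type": "STORAGE_OBJECT", "attribute": {
                                                          "creation_time": data.get("validAfterTime"),
                                                          "labels": {v: data[k] for k, v in KEY_LABELS.items() if k in data}}}}})
    elif is_sa:
        entity["resource_ancestors"] = {"resource_subtype": "projects", "product_object_id": data.get("projectId"),
                                        "resource_type": "CLOUD_PROJECT"}
        entity["user"] = {"email_addresses": [data.get("email")], "userid": data.get("email"),
                          "user_display_name": data.get("displayName"), "product_object_id": data.get("uniqueId"),
                          "attribute": {"labels": {"oauth2_client_id": data.get("oauth2ClientId")}}}
        if res.get("discovery_name", res.get("discoveryName")) == "ServiceAccount":
            entity["user"]["attribute"]["cloud"] = {"environment": "GOOGLE_CLOUD_PLATFORM"}
    return {"metadata": {"vendor_name": "Google", "product_name": "Identity and Access Management",
                         "product_version": res.get("version"),
                         "entity_type": "RESOURCE" if (is_role or is_key) else "USER" if is_sa else None},
            "entity": entity, "relations": relations}


if __name__ == "__main__":
    for record in (SA_RECORD, KEY_RECORD):
        print(json.dumps(map_iam_context(record), indent=2))
```

Running the script prints both mapped records. The output is a plain dictionary rather than the UDM protobuf, and it deliberately reproduces the table as written, including `folders` ancestors landing on `STORAGE_OBJECT` and a ServiceAccountKey entity carrying `resource_type` `SERVICE_ACCOUNT` because the `ServiceAccount` pattern matches its asset type; if you need different behaviour in your own normalization, adjust the rules consciously rather than assuming the parser does.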