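Collect Cloud SQL context logs
This document describes how the fields of Cloud SQL context logs map to Google Security Operations Unified Data Model (UDM) fields.
An ingestion label identifies the parser that normalizes raw log data into structured UDM format. The information in this document applies to the parser with the GCP_SQL_CONTEXT ingestion label.
For information about other context parsers that Google SecOps supports, see "Google SecOps context parsers".
Supported Cloud SQL log formats
The Cloud SQL parser supports logs in JSON format.
Supported Cloud SQL sample logs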
- JSON:

  ```json
  {
    "name": "//cloudsql.googleapis.com/projects/cloudsql-experiment-target/instances/target-exfil-mysql/backupRuns/1684933200000",
    "assetType": "dummy.googleapis.com/BackupRun",
    "resource": {
      "version": "v1beta4",
      "discoveryDocumentUri": "https://www.googleapis.com/discovery/v1/apis/sqladmin/v1beta4/rest",
      "discoveryName": "BackupRun",
      "parent": "//cloudsql.googleapis.com/projects/cloudsql-experiment-target/instances/target-exfil-mysql",
      "data": {
        "backupKind": "SNAPSHOT",
        "endTime": "2023-05-24T13:14:54.196Z",
        "enqueuedTime": "2023-05-24T13:13:32.856Z",
        "id": "1684933200000",
        "instance": "target-exfil-mysql",
        "kind": "sql#backupRun",
        "location": "us",
        "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/cloudsql-experiment-target/instances/target-exfil-mysql/backupRuns/1684933200000",
        "startTime": "2023-05-24T13:13:32.913Z",
        "status": "SUCCESSFUL",
        "type": "AUTOMATED",
        "windowStartTime": "2023-05-24T13:00:00Z"
      }
    },
    "ancestors": [
      "projects/687904117202",
      "organizations/299419016487"
    ]
  }
  ```
Field mapping reference
This section explains how the Google SecOps parser maps Cloud SQL context log fields to Google SecOps Unified Data Model (UDM) fields.
| Log field | UDM mapping | Logic | 
|---|---|---|
| ancestors | relations.entity.resource_ancestors.name | If the resource.parent log field value does not match the value of the ancestors log field, then the ancestors log field is mapped to the relations.entity.resource_ancestors.name UDM field. |
| assetType | entity.resource.resource_subtype | |
| name | entity.resource.name | |
| resource.data.availableMaintenanceVersions | entity.resource.attribute.labels[available_maintenance_versions] | |
| resource.data.backendType | entity.resource.attribute.labels[backend_type] | |
| resource.data.backupKind | entity.resource.attribute.labels[backup_kind] | |
| resource.data.connectionName | entity.resource.attribute.labels[connection_name] | |
| resource.data.createTime | entity.resource.attribute.creation_time | |
| resource.data.currentDiskSize | entity.resource.attribute.labels[current_disk_size] | |
| resource.data.databaseInstalledVersion | entity.resource.attribute.labels[database_installed_version] | |
| resource.data.databaseVersion | entity.resource.attribute.labels[database_version] | |
| resource.data.description | metadata.description | |
| resource.data.diskEncryptionConfiguration.kind | entity.resource.attribute.labels[disk_encryption_configuration_kind] | |
| resource.data.diskEncryptionConfiguration.kmsKeyName | entity.resource.attribute.labels[disk_encryption_configuration_kms_key_name] | |
| resource.data.diskEncryptionStatus.kind | entity.resource.attribute.labels[disk_encryption_status_kind] | |
| resource.data.diskEncryptionStatus.kmsKeyVersionName | entity.resource.attribute.labels[disk_encryption_configuration_kms_key_version_name] | |
| resource.data.endTime | entity.resource.attribute.labels[end_time] | |
| resource.data.enqueuedTime | metadata.creation_timestamp | |
| resource.data.error.code | entity.resource.attribute.labels[error_code] | |
| resource.data.error.kind | entity.resource.attribute.labels[error_kind] | |
| resource.data.error.message | entity.resource.attribute.labels[error_message] | |
| resource.data.etag | entity.resource.attribute.labels[etag] | |
| resource.data.failoverReplica.available | entity.resource.attribute.labels[failover_replica_available] | |
| resource.data.failoverReplica.name | entity.resource.attribute.labels[failover_replica_name] | |
| resource.data.gceZone | entity.resource.attribute.cloud.availability_zone | |
| resource.data.id | metadata.product_entity_id | |
| resource.data.instance | entity.resource.attribute.labels[instance] | |
| resource.data.instanceType | entity.resource.attribute.labels[instance_type] | |
| resource.data.ipAddresses.ipAddress | entity.ip | |
| resource.data.ipAddresses.timeToRetire | entity.labels[ip_addresses_time_to_retire] | |
| resource.data.ipAddresses.type | entity.labels[ip_addresses_type] | |
| resource.data.ipv6Address | entity.ip | |
| resource.data.kind | entity.resource.attribute.labels[kind] | |
| resource.data.location | entity.location.name | |
| resource.data.maintenanceVersion | entity.resource.attribute.labels[maintenance_version] | |
| resource.data.masterInstanceName | entity.resource.attribute.labels[master_instance_name] | |
| resource.data.maxDiskSize | entity.resource.attribute.labels[max_disk_size] | |
| resource.data.name | entity.resource.attribute.labels[resource_name] | |
| resource.data.onPremisesConfiguration.caCertificate | entity.resource.attribute.labels[on_pem_conf_ca_certificate] | |
| resource.data.onPremisesConfiguration.clientCertificate | entity.resource.attribute.labels[on_pem_conf_client_certificate] | |
| resource.data.onPremisesConfiguration.clientKey | entity.resource.attribute.labels[on_pem_conf_client_key] | |
| resource.data.onPremisesConfiguration.dumpFilePath | entity.resource.attribute.labels[on_pem_conf_dump_file_path] | |
| resource.data.onPremisesConfiguration.hostPort | entity.resource.attribute.labels[on_pem_conf_host_port] | |
| resource.data.onPremisesConfiguration.kind | entity.resource.attribute.labels[on_pem_conf_kind] | |
| resource.data.onPremisesConfiguration.password | entity.resource.attribute.labels[on_pem_conf_password] | |
| resource.data.onPremisesConfiguration.sourceInstance.name | relations.entity.resource.name | |
| resource.data.onPremisesConfiguration.sourceInstance.project | relations.entity.resource.product_object_id | |
| resource.data.onPremisesConfiguration.sourceInstance.region | relations.entity.location.country_or_region | |
| resource.data.onPremisesConfiguration.username | entity.resource.attribute.labels[on_pem_conf_username] | |
| resource.data.outOfDiskReport.sqlMinRecommendedIncreaseSizeGb | entity.resource.attribute.labels[out_of_disk_report_sql_min_recommended_increase_size_gb] | |
| resource.data.outOfDiskReport.sqlOutOfDiskState | entity.resource.attribute.labels[out_of_disk_report_sql_out_of_disk_state] | |
| resource.data.project | entity.resource.product_object_id | |
| resource.data.region | entity.location.country_or_region | |
| resource.data.replicaConfiguration.failoverTarget | entity.resource.attribute.labels[replica_conf_fail_over_target] | |
| resource.data.replicaConfiguration.kind | entity.resource.attribute.labels[replica_conf_kind] | |
| resource.data.replicaConfiguration.mysqlReplicaConfiguration.caCertificate | entity.resource.attribute.labels[replica_conf_my_sql_replica_conf_ca_certificate] | |
| resource.data.replicaConfiguration.mysqlReplicaConfiguration.clientCertificate | entity.resource.attribute.labels[replica_conf_my_sql_replica_conf_client_certificate] | |
| resource.data.replicaConfiguration.mysqlReplicaConfiguration.clientKey | entity.resource.attribute.labels[replica_conf_my_sql_replica_conf_client_key] | |
| resource.data.replicaConfiguration.mysqlReplicaConfiguration.connectRetryInterval | entity.resource.attribute.labels[replica_conf_my_sql_replica_conf_connect_retry_interval] | |
| resource.data.replicaConfiguration.mysqlReplicaConfiguration.dumpFilePath | entity.resource.attribute.labels[replica_conf_my_sql_replica_conf_dump_file_path] | |
| resource.data.replicaConfiguration.mysqlReplicaConfiguration.kind | entity.resource.attribute.labels[replica_conf_my_sql_replica_conf_kind] | |
| resource.data.replicaConfiguration.mysqlReplicaConfiguration.masterHeartbeatPeriod | entity.resource.attribute.labels[replica_conf_my_sql_replica_conf_master_heart_beat_period] | |
| resource.data.replicaConfiguration.mysqlReplicaConfiguration.password | entity.resource.attribute.labels[replica_conf_my_sql_replica_conf_password] | |
| resource.data.replicaConfiguration.mysqlReplicaConfiguration.sslCipher | entity.resource.attribute.labels[replica_conf_my_sql_replica_conf_ssl_cipher] | |
| resource.data.replicaConfiguration.mysqlReplicaConfiguration.username | entity.resource.attribute.labels[replica_conf_my_sql_replica_conf_username] | |
| resource.data.replicaConfiguration.mysqlReplicaConfiguration.verifyServerCertificate | entity.resource.attribute.labels[replica_conf_my_sql_replica_conf_verify_server_certificate] | |
| resource.data.replicaNames | entity.resource.attribute.labels[replica_names] | |
| resource.data.rootPassword | entity.resource.attribute.labels[root_password] | |
| resource.data.satisfiesPzs | entity.resource.attribute.labels[satisfies_pzs] | |
| resource.data.scheduledMaintenance.canDefer | entity.resource.attribute.labels[schedule_maintenance_can_defer] | |
| resource.data.scheduledMaintenance.canReschedule | entity.resource.attribute.labels[schedule_maintenance_can_reschedule] | |
| resource.data.scheduledMaintenance.scheduleDeadlineTime | entity.resource.attribute.labels[schedule_maintenance_deadline_time] | |
| resource.data.scheduledMaintenance.startTime | entity.resource.attribute.labels[schedule_maintenance_start_time] | |
| resource.data.secondaryGceZone | entity.resource.attribute.labels[secondary_gce_zone] | |
| resource.data.selfLink | entity.url | |
| resource.data.serverCaCert.cert | entity.resource.attribute.labels[server_ca_cert_cert] | |
| resource.data.serverCaCert.certSerialNumber | entity.network.tls.server.certificate.serial | |
| resource.data.serverCaCert.commonName | entity.network.tls.server.certificate.subject | |
| resource.data.serverCaCert.createTime | entity.network.tls.server.certificate.not_before | |
| resource.data.serverCaCert.expirationTime | entity.network.tls.server.certificate.not_after | |
| resource.data.serverCaCert.instance | entity.resource.attribute.labels[server_ca_cert_instance] | |
| resource.data.serverCaCert.kind | entity.resource.attribute.labels[server_ca_cert_kind] | |
| resource.data.serverCaCert.selfLink | entity.resource.attribute.labels[server_ca_cert_self_link] | |
| resource.data.serverCaCert.sha1Fingerprint | entity.network.tls.server.certificate.sha1 | |
| resource.data.serviceAccountEmailAddress | entity.user.email_addresses | |
| resource.data.settings.activationPolicy | entity.resource.attribute.labels[settings_activation_policy] | |
| resource.data.settings.activeDirectoryConfig.domain | entity.resource.attribute.labels[settings_active_directory_config_domain] | |
| resource.data.settings.activeDirectoryConfig.kind | entity.resource.attribute.labels[settings_active_directory_config_kind] | |
| resource.data.settings.authorizedGaeApplications | entity.resource.attribute.labels[settings_authorized_gae_applications] | |
| resource.data.settings.availabilityType | entity.resource.attribute.labels[settings_availability_type] | |
| resource.data.settings.backupConfiguration.backupRetentionSettings.retainedBackups | entity.resource.attribute.labels[settings_backup_conf_backup_retention_settings_retained_backups] | |
| resource.data.settings.backupConfiguration.backupRetentionSettings.retentionUnit | entity.resource.attribute.labels[settings_backup_conf_backup_retention_settings_retention_unit] | |
| resource.data.settings.backupConfiguration.binaryLogEnabled | entity.resource.attribute.labels[settings_backup_conf_binary_log_enabled] | |
| resource.data.settings.backupConfiguration.enabled | entity.resource.attribute.labels[settings_backup_conf_enabled] | |
| resource.data.settings.backupConfiguration.kind | entity.resource.attribute.labels[settings_backup_conf_kind] | |
| resource.data.settings.backupConfiguration.location | entity.resource.attribute.labels[settings_backup_conf_location] | |
| resource.data.settings.backupConfiguration.pointInTimeRecoveryEnabled | entity.resource.attribute.labels[settings_backup_conf_point_in_time_recovery_enabled] | |
| resource.data.settings.backupConfiguration.replicationLogArchivingEnabled | entity.resource.attribute.labels[settings_backup_conf_replication_log_archiving_enabled] | |
| resource.data.settings.backupConfiguration.startTime | entity.resource.attribute.labels[settings_backup_conf_start_time] | |
| resource.data.settings.backupConfiguration.transactionLogRetentionDays | entity.resource.attribute.labels[settings_backup_conf_transaction_log_retention_days] | |
| resource.data.settings.collation | entity.resource.attribute.labels[settings_collation] | |
| resource.data.settings.connectorEnforcement | entity.resource.attribute.labels[settings_connector_enforcement] | |
| resource.data.settings.crashSafeReplicationEnabled | entity.resource.attribute.labels[settings_crash_safe_replication_enabled] | |
| resource.data.settings.databaseFlags.name | entity.resource.attribute.labels[settings_database_flags_name] | |
| resource.data.settings.databaseFlags.value | entity.resource.attribute.labels[settings_database_flags_value] | |
| resource.data.settings.databaseReplicationEnabled | entity.resource.attribute.labels[settings_database_replication_enabled] | |
| resource.data.settings.dataDiskSizeGb | entity.resource.attribute.labels[settings_data_disk_size_gb] | |
| resource.data.settings.dataDiskType | entity.resource.attribute.labels[settings_data_disk_type] | |
| resource.data.settings.deletionProtectionEnabled | entity.resource.attribute.labels[settings_deletion_protection_enabled] | |
| resource.data.settings.denyMaintenancePeriods.endDate | entity.resource.attribute.labels[settings_deny_maintenance_periods_end_date] | |
| resource.data.settings.denyMaintenancePeriods.startDate | entity.resource.attribute.labels[settings_deny_maintenance_periods_start_date] | |
| resource.data.settings.denyMaintenancePeriods.time | entity.resource.attribute.labels[settings_deny_maintenance_periods_time] | |
| resource.data.settings.insightsConfig.queryInsightsEnabled | entity.resource.attribute.labels[settings_insights_config_query_insights_enabled] | |
| resource.data.settings.insightsConfig.queryPlansPerMinute | entity.resource.attribute.labels[settings_insights_config_query_plans_per_minute] | |
| resource.data.settings.insightsConfig.queryStringLength | entity.resource.attribute.labels[settings_insights_config_query_string_length] | |
| resource.data.settings.insightsConfig.recordApplicationTags | entity.resource.attribute.labels[settings_insights_config_record_application_tags] | |
| resource.data.settings.insightsConfig.recordClientAddress | entity.resource.attribute.labels[settings_insights_config_record_client_address] | |
| resource.data.settings.ipConfiguration.allocatedIpRange | entity.resource.attribute.labels[settings_ip_configuration_allocated_ip_range] | |
| resource.data.settings.ipConfiguration.authorizedNetworks.expirationTime | entity.resource.attribute.labels[settings_ip_configuration_authorized_networks_expiration_time] | |
| resource.data.settings.ipConfiguration.authorizedNetworks.kind | entity.resource.attribute.labels[settings_ip_configuration_authorized_networks_kind] | |
| resource.data.settings.ipConfiguration.authorizedNetworks.name | entity.resource.attribute.labels[settings_ip_configuration_authorized_networks_name] | |
| resource.data.settings.ipConfiguration.authorizedNetworks.value | entity.resource.attribute.labels[settings_ip_configuration_authorized_networks_value] | |
| resource.data.settings.ipConfiguration.ipv4Enabled | entity.resource.attribute.labels[settings_ip_configuration_ipv4_enabled] | |
| resource.data.settings.ipConfiguration.privateNetwork | entity.resource.attribute.labels[settings_ip_configuration_private_network] | |
| resource.data.settings.ipConfiguration.requireSsl | entity.resource.attribute.labels[settings_ip_configuration_require_ssl] | |
| resource.data.settings.kind | entity.resource.attribute.labels[settings_kind] | |
| resource.data.settings.locationPreference.followGaeApplication | entity.resource.attribute.labels[settings_location_preference_follow_gae_application] | |
| resource.data.settings.locationPreference.kind | entity.resource.attribute.labels[settings_location_preference_kind] | |
| resource.data.settings.locationPreference.secondaryZone | entity.resource.attribute.labels[settings_location_preference_secondary_zone] | |
| resource.data.settings.locationPreference.zone | entity.resource.attribute.labels[settings_location_preference_zone] | |
| resource.data.settings.maintenanceWindow.day | entity.resource.attribute.labels[settings_maintenance_window_day] | |
| resource.data.settings.maintenanceWindow.hour | entity.resource.attribute.labels[settings_maintenance_window_hour] | |
| resource.data.settings.maintenanceWindow.kind | entity.resource.attribute.labels[settings_maintenance_window_kind] | |
| resource.data.settings.maintenanceWindow.updateTrack | entity.resource.attribute.labels[settings_maintenance_window_update_track] | |
| resource.data.settings.passwordValidationPolicy.complexity | entity.resource.attribute.labels[settings_password_validation_policy_complexity] | |
| resource.data.settings.passwordValidationPolicy.disallowUsernameSubstring | entity.resource.attribute.labels[settings_password_validation_policy_disallow_username_substring] | |
| resource.data.settings.passwordValidationPolicy.enablePasswordPolicy | entity.resource.attribute.labels[settings_password_validation_policy_enable_password_policy] | |
| resource.data.settings.passwordValidationPolicy.minLength | entity.resource.attribute.labels[settings_password_validation_policy_min_length] | |
| resource.data.settings.passwordValidationPolicy.passwordChangeInterval | entity.resource.attribute.labels[settings_password_validation_policy_password_change_interval] | |
| resource.data.settings.passwordValidationPolicy.reuseInterval | entity.resource.attribute.labels[settings_password_validation_policy_reuse_interval] | |
| resource.data.settings.pricingPlan | entity.resource.attribute.labels[settings_pricing_plan] | |
| resource.data.settings.replicationType | entity.resource.attribute.labels[settings_replication_type] | |
| resource.data.settings.settingsVersion | entity.resource.attribute.labels[settings_version] | |
| resource.data.settings.sqlServerAuditConfig.bucket | entity.resource.attribute.labels[settings_sql_server_audit_config_bucket] | |
| resource.data.settings.sqlServerAuditConfig.kind | entity.resource.attribute.labels[settings_sql_server_audit_config_kind] | |
| resource.data.settings.sqlServerAuditConfig.retentionInterval | entity.resource.attribute.labels[settings_sql_server_audit_config_retention_interval] | |
| resource.data.settings.sqlServerAuditConfig.uploadInterval | entity.resource.attribute.labels[settings_sql_server_audit_config_upload_interval] | |
| resource.data.settings.storageAutoResize | entity.resource.attribute.labels[storage_auto_resize] | |
| resource.data.settings.storageAutoResizeLimit | entity.resource.attribute.labels[storage_auto_resize_limit] | |
| resource.data.settings.tier | entity.resource.attribute.labels[tier] | |
| resource.data.settings.timeZone | entity.resource.attribute.labels[time_zone] | |
| resource.data.settings.userLabels | entity.resource.attribute.labels[user_labels] | |
| resource.data.startTime | entity.resource.attribute.labels[start_time] | |
| resource.data.state | entity.resource.attribute.labels[state] | |
| resource.data.status | entity.resource.attribute.labels[status] | |
| resource.data.suspensionReason | entity.resource.attribute.labels[suspension_reason] | |
| resource.data.timeZone | entity.resource.attribute.labels[time_zone] | |
| resource.data.type | entity.resource.attribute.labels[type] | |
| resource.data.windowStartTime | entity.resource.attribute.labels[window_start_time] | |
| resource.discoveryDocumentUri | entity.resource.attribute.labels[discovery_document] | |
| resource.discoveryName | entity.resource.attribute.labels[discovery_name] | |
| resource.parent, ancestors[] | relations.entity.resource.name | If the resource.parent log field value is empty, then the ancestors.0 log field is mapped to the relations.entity.resource.name UDM field. |
| resource.version | metadata.product_version | |
|  | entity.resource.resource_type | The entity.resource.resource_type UDM field is set to DATABASE. |
|  | metadata.entity_type | If the assetType log field value matches the regular expression pattern (BackupRun or instances), then the metadata.entity_type UDM field is set to RESOURCE. |
|  | metadata.product_name | The metadata.product_name UDM field is set to GCP SQL. |
|  | metadata.vendor_name | The metadata.vendor_name UDM field is set to Google Cloud Platform. |
|  | relations.entity_type | If the resource.data.onPremisesConfiguration.sourceInstance.name log field value is not empty, then the relations.entity_type UDM field is set to RESOURCE. |
|  | relations.relationship | If the resource.data.onPremisesConfiguration.sourceInstance.name, resource.data.onPremisesConfiguration.sourceInstance.region, or resource.data.onPremisesConfiguration.sourceInstance.project value is not empty, then the relations.entity.relationship UDM field is set to MEMBER. If the ancestor log field value matches the regular expression pattern organizations or the ancestor log field value matches the regular expression pattern folders, then the relations.relationship UDM field is set to MEMBER. |
|  | relations.entity.resource_ancestors.resource_subtype | If the ancestors log field value matches the regular expression pattern organizations, then the relations.entity.resource_ancestors.resource_subtype UDM field is set to organizations. Else, if the ancestors log field value matches the regular expression pattern folders, then the relations.entity.resource_ancestors.resource_subtype UDM field is set to folders. |
|  | relations.entity.resource_ancestors.resource_type | The relations.entity.resource_ancestors.resource_type UDM field is set to CLOUD_ORGANIZATION. |
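
The conditional rows of the table (the parent and ancestor relations and the assetType check), applied to a trimmed copy of the sample BackupRun record. This is an added example, not part of the original documentation and not Google's parser code. The flat `{UDM path: value}` output shape, the names `map_to_udm` and `get_path`, and reading "does not match" as string inequality are assumptions made for illustration.

```python
import json
import re

# Constructed input: a trimmed copy of the sample BackupRun record on this page.
SAMPLE = json.loads("""
{
  "name": "//cloudsql.googleapis.com/projects/cloudsql-experiment-target/instances/target-exfil-mysql/backupRuns/1684933200000",
  "assetType": "dummy.googleapis.com/BackupRun",
  "resource": {
    "version": "v1beta4",
    "parent": "//cloudsql.googleapis.com/projects/cloudsql-experiment-target/instances/target-exfil-mysql",
    "data": {"backupKind": "SNAPSHOT", "id": "1684933200000", "enqueuedTime": "2023-05-24T13:13:32.856Z"}
  },
  "ancestors": ["projects/687904117202", "organizations/299419016487"]
}
""")

# Unconditional rows of the table, limited to fields present in SAMPLE.
DIRECT = {
    "name": "entity.resource.name",
    "assetType": "entity.resource.resource_subtype",
    "resource.version": "metadata.product_version",
    "resource.data.backupKind": "entity.resource.attribute.labels[backup_kind]",
    "resource.data.id": "metadata.product_entity_id",
    "resource.data.enqueuedTime": "metadata.creation_timestamp",
}

def get_path(record, dotted):
    """Walk a dotted path through nested dicts; None if any part is missing."""
    for key in dotted.split("."):
        record = record.get(key) if isinstance(record, dict) else None
    return record

def map_to_udm(record):
    """Return a flat {UDM path: value} dict (hypothetical shape, for illustration)."""
    udm = {
        "entity.resource.resource_type": "DATABASE",
        "metadata.product_name": "GCP SQL",
        "metadata.vendor_name": "Google Cloud Platform",
    }
    for log_field, udm_field in DIRECT.items():
        value = get_path(record, log_field)
        if value not in (None, ""):
            udm[udm_field] = value
    if re.search(r"BackupRun|instances", record.get("assetType") or ""):
        udm["metadata.entity_type"] = "RESOURCE"
    parent = get_path(record, "resource.parent") or ""
    ancestors = record.get("ancestors") or []
    # Related resource: resource.parent, falling back to ancestors[0] when empty.
    related = parent or (ancestors[0] if ancestors else "")
    if related:
        udm["relations.entity.resource.name"] = related
    # Ancestors that differ from the parent become resource_ancestors entries.
    chain = []
    for anc in (a for a in ancestors if a != parent):
        entry = {"name": anc, "resource_type": "CLOUD_ORGANIZATION"}
        subtype = next((s for s in ("organizations", "folders") if s in anc), None)
        if subtype:  # organizations is checked first, then folders
            entry["resource_subtype"] = subtype
            udm["relations.relationship"] = "MEMBER"
        chain.append(entry)
    udm["relations.entity.resource_ancestors"] = chain
    return udm
```
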