收集 Cisco ISE 記錄
支援的國家/地區:
Google SecOps
SIEM
本文說明如何使用 Bindplane,將 Cisco ISE 記錄擷取至 Google Security Operations。
剖析器會從 Cisco ISE 系統記錄和 CSV 格式的記錄檔中擷取欄位。剖析器會使用 grok 和/或 kv 剖析記錄訊息,然後將這些值對應至統合式資料模型 (UDM)。此外,也會為事件來源和類型設定預設中繼資料值。
事前準備
請確認您已完成下列事前準備事項:
- Google SecOps 執行個體
- Windows Server 2016 以上版本,或搭載
systemd的 Linux 主機 - 如果透過 Proxy 執行,請確保防火牆通訊埠已根據 Bindplane 代理程式需求開啟
- Cisco ISE 管理入口網站的特殊存取權
取得 Google SecOps 擷取驗證檔案
- 登入 Google SecOps 控制台。
- 依序前往「SIEM 設定」>「收集代理程式」。
- 下載擷取驗證檔案。將檔案安全地儲存在要安裝 Bindplane 的系統上。
取得 Google SecOps 客戶 ID
- 登入 Google SecOps 控制台。
- 依序前往「SIEM 設定」>「設定檔」。
- 複製並儲存「機構詳細資料」專區中的客戶 ID。
安裝 Bindplane 代理程式
請按照下列操作說明,在 Windows 或 Linux 作業系統上安裝 Bindplane 代理程式。
Windows 安裝
- 以管理員身分開啟「命令提示字元」或「PowerShell」。
執行下列指令:
msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet等待安裝完成。
執行下列指令來驗證安裝:
sc query observiq-otel-collector
服務應顯示為「RUNNING」(執行中)。
Linux 安裝
- 開啟具有根層級或 sudo 權限的終端機。
執行下列指令:
sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh等待安裝完成。
執行下列指令來驗證安裝:
sudo systemctl status observiq-otel-collector
服務應顯示為啟用 (執行中)。
其他安裝資源
如需其他安裝選項和疑難排解資訊,請參閱 Bindplane 代理程式安裝指南。
設定 Bindplane 代理程式,擷取系統記錄檔並傳送至 Google SecOps
找出設定檔
Linux:
sudo nano /etc/bindplane-agent/config.yamlWindows:
notepad "C:\Program Files\observIQ OpenTelemetry Collector\config.yaml"
編輯設定檔
將
config.yaml的所有內容替換為下列設定:receivers: udplog: listen_address: "0.0.0.0:514" exporters: chronicle/chronicle_w_labels: compression: gzip creds_file_path: '/path/to/ingestion-authentication-file.json' customer_id: 'YOUR_CUSTOMER_ID' endpoint: malachiteingestion-pa.googleapis.com log_type: 'CISCO_ISE' raw_log_field: body ingestion_labels: service: pipelines: logs/source0__chronicle_w_labels-0: receivers: - udplog exporters: - chronicle/chronicle_w_labels
設定參數
替換下列預留位置:
接收器設定:
udplog:使用udplog進行 UDP 系統記錄,或使用tcplog進行 TCP 系統記錄0.0.0.0:要接聽的 IP 位址 (0.0.0.0可接聽所有介面)514:要接聽的通訊埠號碼 (標準系統記錄通訊埠)
匯出工具設定:
creds_file_path:擷取驗證檔案的完整路徑:- Linux:
/etc/bindplane-agent/ingestion-auth.json - Windows:
C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json
- Linux:
YOUR_CUSTOMER_ID:從「取得客戶 ID」一節取得的客戶 IDendpoint:區域端點網址:- 美國:
malachiteingestion-pa.googleapis.com - 歐洲:
europe-malachiteingestion-pa.googleapis.com - 亞洲:
asia-southeast1-malachiteingestion-pa.googleapis.com - 如需完整清單,請參閱「區域端點」
- 美國:
log_type:記錄類型,與 Chronicle 中顯示的完全相同 (CISCO_ISE)
儲存設定檔
- 編輯完成後,請儲存檔案:
- Linux:依序按下
Ctrl+O、Enter和Ctrl+X - Windows:依序點選「檔案」>「儲存」
- Linux:依序按下
重新啟動 Bindplane 代理程式,以套用變更
如要在 Linux 中重新啟動 Bindplane 代理程式,請執行下列指令:
sudo systemctl restart observiq-otel-collector確認服務正在執行:
sudo systemctl status observiq-otel-collector檢查記錄中是否有錯誤:
sudo journalctl -u observiq-otel-collector -f
如要在 Windows 中重新啟動 Bindplane 代理程式,請選擇下列任一做法:
以管理員身分開啟命令提示字元或 PowerShell:
net stop observiq-otel-collector && net start observiq-otel-collector服務控制台:
- 按下
Win+R鍵,輸入services.msc,然後按下 Enter 鍵。 - 找出 observIQ OpenTelemetry Collector。
按一下滑鼠右鍵,然後選取「重新啟動」。
確認服務正在執行:
sc query observiq-otel-collector檢查記錄中是否有錯誤:
type "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"
- 按下
在 Cisco ISE 上設定 Syslog 轉送
- 登入 Cisco ISE Administration 入口網站。
- 依序前往「Administration」(管理) >「System」(系統) >「Logging」(記錄) >「Remote Logging Targets」(遠端記錄目標)。
- 按一下「新增」,建立新的遠端記錄目標。
- 請提供下列設定詳細資料:
- 名稱:輸入描述性名稱 (例如
Google-SecOps-Bindplane)。 - 說明:輸入說明 (選填)。
- IP 位址:輸入 Bindplane 代理程式主機的 IP 位址。
- 「Port」(通訊埠):輸入
514。 - 設施代碼:選取 LOCAL6 (或偏好的設施)。
- 長度上限:輸入
8192(或支援的最大值)。 - 在系統記錄訊息中加入警報:勾選是否要加入警報。
- 名稱:輸入描述性名稱 (例如
- 按一下 [儲存]。
- 依序前往「Administration」>「System」>「Logging」>「Logging Categories」。
- 選取要轉送的每個記錄類別,然後按一下「編輯」:
- AAA 稽核
- AAA 診斷
- 會計
- 管理員稽核
- 狀態和用戶端佈建稽核
- Profiler
- 系統診斷
- 在「Targets」(目標) 部分,將遠端記錄目標
Google-SecOps-Bindplane從「Available」(可用) 移至「Selected」(已選取)。 - 按一下 [儲存]。
- 檢查 Bindplane 代理程式記錄,確認系統記錄訊息是否已傳送。
UDM 對應表
| 記錄欄位 | UDM 對應 | 備註 |
|---|---|---|
| AAA_Event | security_result.detection_fields | |
| AAA_Security_Result.detection_fields | aaa_service | |
| ac-user-agent | network.http.user_agent | |
| Acct-Authentic | security_result.detection_fields | |
| Acct-Delay-Time | security_result.detection_fields | |
| Acct-Input-Octets | security_result.detection_fields | |
| Acct-Input-Packets | security_result.detection_fields | |
| Acct-Output-Octets | security_result.detection_fields | |
| Acct-Output-Packets | security_result.detection_fields | |
| Acct-Session-Id | sec_result.detection_fields、additional.fields | |
| Acct-Session-Time | security_result.detection_fields | |
| Acct-Status-Type | security_result.detection_fields | |
| Acct-Terminate-Cause | security_result.detection_fields | |
| AcctReply-Status | security_result.detection_fields | |
| AcctRequest-Flags | security_result.detection_fields | |
| ACS_CiscoSecure_Defined_ACL | security_result.detection_fields | |
| AcsSessionID | sec_result.detection_fields、additional.fields | |
| 動作 | security_result.action_details | |
| action_details | security_result.action_details | |
| ActiveSessionCount | security_result.detection_fields | |
| ad_identifier | about.hostname | |
| ad_join_point | principal.administrative_domain | |
| ad_operating_system | principal.platform | |
| AD-Account-Name | principal.user.userid、target.hostname | |
| AD 網域 | principal.group.group_display_name | |
| AD-Domain-Controller | target.administrative_domain | |
| AD-Error-Details | security_result.description | |
| AD-Forest | target.resource.attribute.labels | |
| AD-Groups-Names | principal.user.group_identifiers | |
| AD-Host-Candidate-Identities | sec_result.detection_fields | |
| AD-IP-Address | target.ip、target.asset.ip | |
| AD-Log-Id | sec_result.detection_fields | |
| AD-Site | target.location.name | |
| AD-Srv-Query | security_result.detection_fields | |
| AD-Srv-Record | security_result.detection_fields | |
| AD-User-Candidate-Identities | principal.user.attribute.labels | |
| AD-User-DNS-Domain | network.dns_domain | |
| AD-User-Join-Point | target.hostname、target.asset.hostname | |
| AD-User-NetBios-Name | principal.user.attribute.labels | |
| AD-User-Qualified-Name | principal.user.email_addresses | |
| AD-User-Resolved-DNs | principal.user.attribute.labels | |
| AD-User-Resolved-Identities | sec_result.detection_fields、principal.user.userid | |
| AD-User-Resolved-Identities | ||
| AD-User-SamAccount-Name | principal.user.attribute.labels | |
| 管理員 | principal.user.userid | |
| AdminInterface | principal.user.attribute.labels | |
| AdminIPAddress | principal.ip | |
| AdminName | principal.user.userid | |
| affected-dn | target.resource.nametarget.resource.attribute.labels、target.resource.resource_type | target.resource.resource_type => "USER" |
| Airespace-Wlan-Id | additional.fields | |
| allowEasyWiredSession | sec_result.detection_fields、additional.fields | |
| AMInstalled | security_result.detection_fields | |
| assetDeviceType | principal.resource.name | |
| assetIncidentScore | security_result.detection_fields | |
| Audit_session_id | sec_result.detection_fields | |
| AuditSessionId | sec_result.detection_fields | |
| Authen-Reply-Status | security_result.detection_fields | |
| AuthenticationIdentityStore | sec_result.detection_fields、additional.fields | |
| AuthenticationMethod | security_result.detection_fields | |
| AuthenticationResult | security_result.action | |
| AuthenticationStatus | security_result.action、security_result.action_details | |
| Author-Reply-Status | additional.fields | |
| AuthorizationFailureReason | security_result.detection_fields | |
| AuthorizationPolicyMatchedRule | security_result.rule_name | |
| av-pair-severity | security_result.detection_fields | |
| BYODRegistration | sec_result.detection_fields | |
| CacheUpdateTime | security_result.detection_fields | |
| Called-Station-ID | security_result.detection_fields、target.ip、target.mac | |
| Calling-Station-ID | security_result.detection_fields、principal.ip、principal.mac | |
| cdpCacheAddressType | security_result.detection_fields | |
| cdpCacheVersion | security_result.detection_fields | |
| cdpUndefined28 | security_result.detection_fields | |
| change-set | additional.fields | |
| Chargeable-User-Identity | principal.user.attribute.labels | |
| cisco-av-pair | additional.fields、security_result.detection_fields | |
| CiscoIOS | security_result.detection_fields | |
| 類別 | sec_result.detection_fields | |
| client_type | additional.fields | |
| client-iif-id | security_result.detection_fields | |
| ClientLatency | security_result.detection_fields、additional.fields | |
| CmdSet | target.process.command_line | |
| coa-push | security_result.detection_fields | |
| CoAClientInstanceDestinationIPAddress | target.ip、target.asset.ip | |
| coaReason | security_result.detection_fields | |
| coaSourceComponent | security_result.detection_fields | |
| coaType | security_result.detection_fields | |
| 元件 | security_result.detection_fields | |
| ConfigChangeData | security_result.detection_fields | |
| ConfigVersionId | sec_result.detection_fields、additional.fields | |
| connect-progress | security_result.detection_fields | |
| ConnectionStatus | sec_result.detection_fields | |
| ConnectionStatus=Failed | security_result.action ="BLOCK" | |
| Constructeurs | principal.asset.hardware.manufacturer | |
| counters_kvp | event.idm.read_only_udm.target.asset.attribute.labels | |
| CPMSessionID | security_result.detection_fields、additional.fields、network.session_id | |
| CreateTime | event.idm.read_only_udm.principal.asset.attribute.creation_time | |
| cts_security_group_tag | security_result.detection_fields | |
| cts-pac-opaque | security_result.detection_fields | |
| 日期時間 | metadata.event_timestamp | |
| days_to_expiry | security_result.detection_fields | |
| DeltaRadiusRequestCount | security_result.detection_fields | |
| DeltaTacacsRequestCount | security_result.detection_fields | |
| 說明 | security_result.detection_fields | |
| DestinationIPAddress | target.ip、target.asset.ip | |
| DestinationIPAddress | target.ip、target.asset.ip | |
| DestinationPort | target.port | |
| DetailedInfo | sec_result.description | |
| Device_IP_Address | principal.ip、principal.asset.ip | |
| device-mac | principal.mac | |
| device-platform | principal.platform | |
| device-platform-version | principal.platform_version | |
| device-public-mac | principal.mac | |
| device-type | principal.asset.hardware.model | |
| device-uid | principal.resource.product_object_id | |
| device-uid-global | principal.asset.product_object_id | |
| DeviceIPAddress | principal.ip、target.ip、intermediary.ip | |
| DevicePort | principal.port、target.port、intermediary.port | |
| DeviceRegistrationStatus | sec_result.detection_fields | |
| dhcp-class-identifier | security_result.detection_fields | |
| dhcp-parameter-request-list | additional.fields | |
| Domaines | additional.fields | |
| DoReplicate | security_result.detection_fields | |
| DTLSSupport | security_result.detection_fields | |
| EAP-Key-Name | additional.fields | |
| EapTunnel | additional.fields | |
| EmailAddress | principal.user.email_addresses | |
| EnableFlag | additional.fields | |
| EnableSingleConnect | security_result.detection_fields | |
| End-of-LLDPDU | security_result.detection_fields | |
| 端點 ID | principal.mac、principal.asset.mac | |
| EndpointCertainityMetric | sec_result.detection_fields | |
| EndpointIdentityGroup | principal.group.group_display_name | |
| EndpointIPAddress | principal.asset.ip | |
| EndPointMACAddress | principal.mac、principal.asset.mac | |
| EndPointMatchedProfile | security_result.about.labels、additional.fields | |
| EndpointNADAddress | sec_result.detection_fields | |
| EndpointOUI | sec_result.detection_fields | |
| EndpointPolicy | principal.asset.platform_software.platform_version、security_result.detection_fields | |
| EndPointPolicyID | security_result.detection_fields | |
| EndPointProfilerServer | target.hostname | |
| EndpointProperty | sec_result.detection_fields | |
| EndPointSource | target.resource.attribute.labels | |
| EndpointSourceEvent | sec_result.detection_fields | |
| EndpointUserAgent | network.http.user_agent | |
| EndPointVersion | security_result.detection_fields | |
| epid | security_result.detection_fields | |
| 錯誤訊息 | additional.fields | |
| 事件 | additional.fields | |
| extended_key_usage_oid | additional.fields | |
| external_groups | additional.fields | |
| FailureFlag | security_result.detection_fields | |
| FailureReason | sec_result.detection_fields、additional.fields | |
| FeedService | security_result.detection_fields | |
| FirstCollection | event.idm.read_only_udm.principal.asset.first_discover_time | |
| foreign_ip | intermediary.ip | |
| FQSubjectName | security_result.detection_fields | |
| Framed-MTU | additional.fields | |
| Framed-Protocol | sec_result.detection_fields | |
| FramedIPAddress | security_result.detection_fields | |
| group_name | principal.group.group_display_name | |
| 標頭旗標 | security_result.detection_fields | |
| HostIdentityGroup | additional.fields | |
| IdentityAccessRestricted | security_result.detection_fields | |
| IdentityGroup | principal.group.group_display_name | |
| IdentityGroupID | principal.group.product_object_id | |
| IdentityPolicyMatchedRule | sec_result.about.labels、additional.fields | |
| IdentitySelectionMatchedRule | sec_result.detection_fields | |
| Idle-Timeout | security_result.detection_fields | |
| idletime | security_result.detection_fields | |
| IMEI | target.asset.product_object_id | |
| inacl_rule | security_result.detection_fields | |
| intermediary_hostname | intermediary.hostname | |
| ionTimeStamp | security_result.detection_fields | |
| ios-version | principal.asset.software.version | |
| ip_inacl_rule | security_result.detection_fields | |
| ip_source_ip | principal.ip、principal.asset.ip | |
| IpAddress | principal.ip、principal.asset.ip | |
| IPSEC | additional.fields | |
| ise_port | principal.port、intermediary.port | |
| ISELocalAddress | intermediary.ip、principal.ip | |
| ISEModuleName | sec_result.detection_fields | |
| ISEPolicySetName | target.resource.name | |
| ISEServiceName | sec_result.detection_fields | |
| IsMachineAuthentication | security_result.detection_fields | |
| IsMachineIdentity | security_result.detection_fields | |
| IsRegistered | security_result.detection_fields | |
| 核發單位 | about.labels | |
| IsThirdPartyDeviceFlow | sec_result.detection_fields、additional.fields | |
| key_usage | additional.fields | |
| LastActivity | event.idm.read_only_udm.principal.asset.last_discover_time | |
| LastNmapScanTime | sec_result.detection_fields | |
| LicenseType | additional.fields | |
| lldpManAddress | security_result.detection_fields | |
| lldpPortDescription | security_result.detection_fields | |
| lldpPortId | security_result.detection_fields | |
| lldpSystemCapabilitiesMap | security_result.detection_fields | |
| lldpSystemDescription | security_result.detection_fields | |
| lldpTimeToLive | security_result.detection_fields | |
| lldpUndefined127 | security_result.detection_fields | |
| localport | principal.port | |
| 位置 | principal.location.country_or_region、target.location.country_or_region、security_result.detection_fields | |
| 記錄 ID | metadata.product_log_id | |
| logstash.ingest.host | intermediary.hostname | |
| logstash.ingest.timestamp | metadata.ingested_timestamp | |
| logstash.irm_environment | additional.fields | |
| logstash.irm_region | additional.fields | |
| logstash.irm_site | additional.fields | |
| logstash.process.host | intermediary.hostname | |
| logstash.process.timestamp | metadata.collected_timestamp | |
| MAC | principal.mac | |
| mac_UserName | principal.mac | |
| MacAddress | principal.mac | |
| MajorVersion | security_result.detection_fields | |
| 製造商 | target.asset.hardware.manufacturer | |
| MatchedPolicy | security_result.detection_fields | |
| MatchedPolicyID | security_result.rule_id | |
| MDMFailureReason | sec_result.detection_fields | |
| MDMServerName | metadata.product_name | |
| mDNS | security_result.detection_fields | |
| 訊息 | security_result.description | |
| MFCInfoEndpointType | principal.asset.asset_type、principal.asset.attribute.labels | |
| MinorVersion | security_result.detection_fields | |
| MisconfiguredClientFixReason | security_result.detection_fields | |
| 型號 | target.asset.hardware.model | |
| Model_Name | principal.asset.attribute.labels | |
| msg_class | metadata.description | |
| msg_sev | security_result.severity、sec_result.severity_details | |
| msg_text | metadata.description、security_result.severity、sec_result.severity_details、security_result.action | |
| msg_text | security_result.action | |
| NAD 位址 | principal.ip | |
| NADAddress | intermediary.ip | |
| 名稱 | principal.group.group_identifiers | |
| nas_ip_address | principal.nat_ip | |
| NAS-Identifier | principal.labels | |
| NAS-IP-Address | principal.nat_ip、principal.ip | |
| NAS-Port | principal.port、principal.labels | |
| nas-update | security_result.detection_fields | |
| NASIdentifier | security_result.detection_fields、principal.labels | |
| NASPort | principal.nat_port (如果有效) 或 security_result.detection_fields、principal.labels | |
| NASPortId | security_result.detection_fields、principal.labels | |
| NASPortType | security_result.detection_fields、principal.labels | |
| 網路裝置名稱 | target.hostname、target.asset.hostname | |
| network_adapter | target.resource.name | |
| network_application_protocol_result | network.application_protocol | |
| NetworkDeviceGroups | sec_result.detection_fields | |
| NetworkDeviceGroups_IPSEC | additional.fields | |
| NetworkDeviceProfileId | principal.asset.asset_id | |
| NetworkDeviceProfileName | principal.asset.attribute.labels | |
| NmapScanCount | security_result.detection_fields | |
| ntp_server_1 | target.ip、target.asset.ip | |
| ntp_server_2 | target.ip、target.asset.ip | |
| ntp_server_3 | target.ip、target.asset.ip | |
| ObjectInternalID | security_result.detection_fields | |
| ObjectName | security_result.about.labels | |
| ObjectType | security_result.labout.abels、additional.fields | |
| operating-system-result | target.asset.platform_software.platform_version | target.platform = WINDOWS |
| OperatingSystem | target.asset.platform_software.platform_version | |
| OperationMessageText | sec_result.detection_fields | |
| OperationMessageText | about.labels | |
| OUI | security_result.detection_fields | |
| pad | security_result.detection_fields | |
| PeerAddress | target.mac、target.asset.mac | |
| PeerName | target.hostname、target.asset.hostname | |
| PhoneNumber | principal.user.phone_numbers | |
| platform-version | principal.platform_version | |
| PolicyVersion | security_result.detection_fields | |
| 通訊埠 | principal.port、target.port | |
| Portal_Name | additional.fields | |
| PortalName | target.url | |
| PortalUser | principal.user.userid | |
| PortalUser_GuestSponsor | principal.user.attribute.labels | |
| PortalUser_GuestType | principal.user.attribute.labels | |
| PostureApplicable | security_result.detection_fields | |
| PostureAssessmentStatus | sec_result.detection_fields、additional.fields | |
| PostureExpiry | sec_result.detection_fields | |
| PostureStatus | sec_result.detection_fields | |
| principal_hostname | principal.hostname | |
| principal_ip | principal.ip、principal.asset.ip | |
| profile-name | security_result.detection_fields | |
| ProfilerServer | sec_result.detection_fields | |
| 通訊協定 | security_result.detection_fields | |
| r_ip_or_host | observer.ip、observer.hostname、intermediary.hostname、intermediary.ip | |
| r_seg_num | metadata.product_log_id | |
| RadiusFlowType | security_result.about.labels、additional.fields | |
| RadiusPacketType | security_result.detection_fields | |
| received_b | network.received_bytes | |
| RegisterStatus | security_result.rule_name | |
| RegistrationTimeStamp | sec_result.detection_fields | |
| RemoteAddress | principal.ip、principal.asset.ip | |
| RequestLatency | sec_result.detection_fields、additional.fields | |
| RequestResponseTypes | security_result.detection_fields | |
| ResponseTime | sec_result.detection_fields | |
| SelectedAccessService | sec_result.detection_fields、additional.fields | |
| SelectedAuthenticationIdentityStores | security_result.detection_fields | |
| SelectedAuthorizationProfiles | sec_result.detection_fields、additional.fields | |
| SelectedShellProfile | additional.fields | |
| sent_b | network.sent_bytes | |
| sequence_num | metadata.product_log_id | |
| Sequence-Number | security_result.detection_fields | |
| serial_number | about.labels、network.tls.server.certificate.serial | |
| server_label | principal.asset.attribute.labels | |
| Service-Type | sec_result.detection_fields、additional.fields | |
| session-id | network.session_id | |
| Session-Timeout | network.session_duration | |
| shell_role | principal.user.attribute.roles.name | |
| ShutdownReason | security_result.detection_fields | |
| SkipProfiling | security_result.detection_fields | |
| software_version | principal.asset.platform_software.platform_version | |
| 來源 | principal.ip、principal.hostname | |
| source_ip | src.ip | |
| source_port | src.port | |
| SSID | additional.fields | |
| start_time | security_result.first_discovered_time | |
| StaticAssignment | security_result.detection_fields | |
| StaticGroupAssignment | sec_result.detection_fields | |
| 步驟 | additional.fields | |
| StepData | about.hostname、additional.fields | |
| StepLatency | additional.fields | |
| stop_time | security_result.last_discovered_time | |
| 主旨 | about.labels | |
| subject_alt_name | about.labels | |
| subscriber_command | security_result.detection_fields | |
| syslog_host | principal.ip、principal.asset.ip | |
| SysStatsCpuCount | target.asset.hardware.cpu_number_cores | |
| SysStatsProcessMemoryMB | target.asset.hardware.ram | |
| SysStatsUtilizationDiskIO | target.asset.attribute.labels | |
| SysStatsUtilizationDiskSpace | target.asset.attribute.labels | |
| SysStatsUtilizationLoadAvg | target.asset.attribute.labels | |
| SystemDomain | principal.asset.network_domain | |
| SystemName | principal.hostname、principal.hostname | |
| SystemUser | principal.user.userid | |
| SystemUserDomain | principal.administrative_domain | |
| target_email | target.user.email_addresses | |
| target_group_identifiers | target.user.group_identifiers | |
| target_hostname | target.hostname | |
| target_ip | target.ip、target.asset.ip | |
| target_port | target.port | |
| target_user | target.user.userid | |
| target.resource.resource_type | DEVICE | |
| task_id | additional.fields | |
| TaskId | security_result.detection_fields | |
| Template_Name | additional.fields | |
| Termination-Action | security_result.detection_fields | |
| threshold_value | additional.fields | |
| TimeToProfile | sec_result.detection_fields | |
| TLSCipher | network.tls.cipher | |
| TLSVersion | network.tls.version | |
| total_certainty_factor | sec_result.detection_fields | |
| TotalAuthenLatency | security_result.detection_fields、additional.fields | |
| TotalFailedTime | sec_result.detection_fields | |
| Tunnel-Client-Endpoint | sec_result.detection_fields | |
| 類型 | additional.fields | |
| undefined-151 | additional.fields | |
| UniqueConnectionIdentifier | sec_result.detection_fields | |
| UpdateTime | sec_result.detection_fields | |
| url-redirect | target.url | |
| url-redirect-acl | security_result.detection_fields | |
| UseCase | sec_result.detection_fields | |
| used_space_value | additional.fields | |
| 使用者 | principal.user.userid | |
| 使用者 | principal.user.userid | |
| user_display_name | principal.user.user_display_name | |
| User-AD-Last-Fetch-Time | principal.user.attribute.labels | |
| 使用者代理程式 | network.http.user_agent、network.http.parsed_user_agent | |
| User-Fetch-Email | sec_result.detection_fields | |
| User-Fetch-Last-Name | principal.user.last_name | |
| User-Fetch-LocalityName | sec_result.detection_fields | |
| User-Fetch-StateOrProvinceName | sec_result.detection_fields | |
| User-Name | target.user.userid | |
| UserAccountControl | principal.user.attribute.labels | |
| UserAgreementStatus | security_result.detection_fields | |
| 使用者名稱 | target.user.userid | |
| UserType | principal.user.attribute.labels | |
| UseSingleConnect | security_result.detection_fields | |
| vlan-id | security_result.detection_fields | |
| principal.resource.resource_type | 靜態對應至裝置。 |
還有其他問題嗎?向社群成員和 Google SecOps 專業人員尋求答案。