Collect Dataminr Alerts logs

Supported in:

This document explains how to ingest Dataminr Alerts logs into Google Security Operations using Google Cloud Storage V2, Cloud Run functions, and Cloud Scheduler.

Dataminr Pulse provides AI-driven, real-time intelligence from more than 500,000 public data sources worldwide, including the deep and dark web. The platform gives early warning of cyber threats, vulnerabilities, ransomware attacks, data breaches, and emerging digital risks that affect your organization and its third parties. The Dataminr Pulse API uses OAuth 2.0 client-credentials authentication (a client ID and client secret exchanged for a bearer token) and cursor-based pagination to retrieve alerts.

Before you begin

Make sure you have the following prerequisites:

  • A Google SecOps instance
  • A Google Cloud project with the following APIs enabled:
    • Cloud Storage API
    • Cloud Run Functions API
    • Cloud Scheduler API
    • Cloud Pub/Sub API
  • Permission to create and manage GCS buckets, Cloud Run functions, Pub/Sub topics, and Cloud Scheduler jobs
  • Permission to manage IAM policies on GCS buckets
  • An active Dataminr Pulse account with API access enabled
  • Dataminr Pulse API credentials (Client ID and Client Secret)
  • At least one Dataminr Pulse Alert List configured in your Dataminr account

Create a Google Cloud Storage bucket

  1. Open the Google Cloud Console.
  2. Select your project or create a new one.
  3. In the navigation menu, go to Cloud Storage > Buckets.
  4. Click Create bucket.
  5. Provide the following configuration details:

    | Setting | Value |
    |---|---|
    | Name your bucket | Enter a globally unique name (for example, dataminr-alert-logs) |
    | Location type | Choose according to your needs (Region, Dual-region, Multi-region) |
    | Location | Choose a location (for example, us-central1) |
    | Storage class | Standard (recommended for frequently accessed logs) |
    | Access control | Uniform (recommended) |
    | Protection tools | Optional: enable object versioning or a retention policy |
  6. Click Create.

Collect Dataminr credentials

For the Cloud Run function to fetch alert data, you need API credentials for OAuth 2.0 client-credentials authentication from your Dataminr account representative.

Obtain API credentials

  1. Contact your Dataminr account representative or support team to request API access.
  2. Provide the following information:
    • Your organization name
    • Use case: integration with Google Chronicle SIEM
    • Required access: Dataminr Pulse API for Cyber Risk
  3. Dataminr provisions the API credentials and gives you:

    • Client ID: your unique OAuth 2.0 client identifier
    • Client Secret: your OAuth 2.0 client secret key

Verify the API credentials

  • To verify that your credentials work, run the following command:

    curl -X POST https://gateway.dataminr.com/auth/2/token \
      -H "Content-Type: application/x-www-form-urlencoded" \
      -d "client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET&grant_type=api_key"
    

    Note that this places the client secret on the command line, where it is visible in shell history and process listings. For anything beyond a one-off check, read the form body from a file instead (`-d @credentials.txt`) or pass the values through environment variables.

    A successful response returns a JSON object containing an access_token field:

    {
      "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI...",
      "token_type": "Bearer",
      "expire": 3600
    }
    

Collect the alert list IDs

  1. Sign in to the Dataminr Pulse web application at https://app.dataminr.com.
  2. Open the Alert Lists (watchlists) you have configured.
  3. Note the Alert List IDs you want to ingest into Google SecOps.

Create a service account for the Cloud Run function

  1. In the Google Cloud Console, go to IAM & Admin > Service Accounts.
  2. Click Create Service Account.
  3. Provide the following configuration details:
    • Service account name: enter dataminr-alert-collector
    • Service account description: enter Service account for Dataminr Alerts Cloud Run function to write alert data to GCS
  4. Click Create and Continue.
  5. In the Grant this service account access to project section, add the following roles:
    1. Click Select a role, then search for and select Storage Object Admin.
    2. Click Add Another Role, then search for and select Cloud Run Invoker.
  6. Click Continue.
  7. Click Done.

Note: a project-level Storage Object Admin grant gives this service account read and write access to objects in every bucket in the project. The bucket-level grant in the next section is sufficient for the function's reads and writes, so for least privilege you can skip the project-level Storage Object Admin role and keep only the bucket-level one.

Grant IAM permissions on the GCS bucket

  1. Go to Cloud Storage > Buckets.
  2. Click your bucket name (for example, dataminr-alert-logs).
  3. Open the Permissions tab.
  4. Click Grant access.
  5. Provide the following configuration details:
    • Add principals: enter the service account email (for example, dataminr-alert-collector@PROJECT_ID.iam.gserviceaccount.com).
    • Assign roles: select Storage Object Admin.
  6. Click Save.

Create a Pub/Sub topic

The Pub/Sub topic triggers the Cloud Run function when Cloud Scheduler publishes a message to it.

  1. In the Google Cloud Console, go to Pub/Sub > Topics.
  2. Click Create Topic.
  3. Provide the following configuration details:
    • Topic ID: enter dataminr-alert-trigger
    • Add a default subscription: leave checked
  4. Click Create.

Create the Cloud Run function

  1. In the Google Cloud Console, go to Cloud Run functions.
  2. Click Create function.
  3. Provide the following configuration details:

    | Setting | Value |
    |---|---|
    | Environment | 2nd gen |
    | Function name | dataminr-alert-collector |
    | Region | Choose the same region as your GCS bucket |
    | Trigger type | Cloud Pub/Sub |
    | Pub/Sub topic | dataminr-alert-trigger |
    | Memory allocated | 512 MiB |
    | Timeout | 540 seconds |
    | Runtime service account | dataminr-alert-collector |
  4. Click Next.

  5. Set Runtime to Python 3.12.

  6. Set Entry point to main.

  7. In the requirements.txt file, add the following dependencies:

    functions-framework==3.*
    google-cloud-storage==2.*
    requests==2.*
    
  8. In the main.py file, paste the following code:

    import functions_framework
    import json
    import os
    import logging
    import time
    from datetime import datetime, timedelta, timezone
    from typing import Optional
    from google.cloud import storage
    import requests
    
    logger = logging.getLogger(__name__)
    logger.setLevel(logging.INFO)
    
    storage_client = storage.Client()
    
    TOKEN_URL = "https://gateway.dataminr.com/auth/2/token"
    ALERTS_URL = "https://gateway.dataminr.com/api/3/alerts"
    
    def _get_access_token(client_id: str, client_secret: str) -> str:
        """Obtain an OAuth 2.0 access token from Dataminr."""
        payload = {
            "client_id": client_id,
            "client_secret": client_secret,
            "grant_type": "api_key",
        }
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        resp = requests.post(TOKEN_URL, data=payload, headers=headers, timeout=30)
        resp.raise_for_status()
        token_data = resp.json()
        access_token = token_data.get("access_token")
        if not access_token:
            raise ValueError("No access_token in token response")
        logger.info("Successfully obtained Dataminr access token.")
        return access_token
    
    def _load_state(bucket_name: str, state_key: str) -> dict:
        """Load the last cursor (alertId) from GCS."""
        try:
            bucket = storage_client.bucket(bucket_name)
            blob = bucket.blob(state_key)
            if blob.exists():
                data = json.loads(blob.download_as_text())
                logger.info(f"Loaded state: {data}")
                return data
        except Exception as e:
            logger.warning(f"State read error: {e}")
        logger.info("No previous state found.")
        return {}
    
    def _save_state(bucket_name: str, state_key: str, state: dict) -> None:
        """Save the cursor state to GCS."""
        bucket = storage_client.bucket(bucket_name)
        blob = bucket.blob(state_key)
        blob.upload_from_string(
            json.dumps(state), content_type="application/json"
        )
        logger.info(f"Saved state: {state}")
    
    def _fetch_alerts(
        access_token: str,
        alert_lists: str,
        page_size: int,
        cursor: Optional[str] = None,
    ) -> list:
        """Fetch one page of alerts from the Dataminr Pulse API.
    
        Returns the list of alert objects on the page (possibly empty).
        """
        headers = {
            "Authorization": f"Bearer {access_token}",
            "Accept": "application/json",
        }
        params = {
            "lists": alert_lists,  # comma-separated alert list IDs
            "num": page_size,
        }
        if cursor:
            params["from"] = cursor  # resume after the last alertId seen
    
        resp = requests.get(
            ALERTS_URL, headers=headers, params=params, timeout=60
        )
    
        # Handle rate limiting via response headers. x-ratelimit-reset is
        # read as an epoch-seconds timestamp; if it is missing, wait 60s.
        # The wait is bounded so one retry cannot exhaust the 540s timeout.
        if resp.status_code == 429:
            rate_reset = resp.headers.get("x-ratelimit-reset")
            if rate_reset:
                wait_seconds = max(int(rate_reset) - int(time.time()), 1)
            else:
                wait_seconds = 60
            wait_seconds = min(wait_seconds, 300)
            logger.warning(
                f"Rate limited. Waiting {wait_seconds}s before retry."
            )
            time.sleep(wait_seconds)
            resp = requests.get(
                ALERTS_URL, headers=headers, params=params, timeout=60
            )
    
        resp.raise_for_status()
    
        # Log the remaining quota from the response we actually consumed.
        rate_remaining = resp.headers.get("x-ratelimit-remaining")
        rate_reset = resp.headers.get("x-ratelimit-reset")
        if rate_remaining is not None:
            logger.info(
                f"Rate limit remaining: {rate_remaining}, reset: {rate_reset}"
            )
    
        data = resp.json()
        alerts = data if isinstance(data, list) else data.get("data", [])
        return alerts
    
    @functions_framework.cloud_event
    def main(cloud_event):
        """Cloud Run function entry point triggered by Pub/Sub."""
        bucket_name = os.environ["GCS_BUCKET"]
        prefix = os.environ.get("GCS_PREFIX", "dataminr_alerts")
        state_key = os.environ.get("STATE_KEY", "dataminr_state/cursor.json")
        client_id = os.environ["CLIENT_ID"]
        client_secret = os.environ["CLIENT_SECRET"]
        alert_lists = os.environ["ALERT_LISTS"]
        max_records = int(os.environ.get("MAX_RECORDS", "1000"))
        # The API returns at most 40 alerts per page, so PAGE_SIZE is capped.
        page_size = min(int(os.environ.get("PAGE_SIZE", "40")), 40)
        lookback_hours = int(os.environ.get("LOOKBACK_HOURS", "24"))
    
        try:
            access_token = _get_access_token(client_id, client_secret)
            state = _load_state(bucket_name, state_key)
            cursor = state.get("last_cursor")
            is_first_run = cursor is None
    
            # On the first run (no saved cursor) only alerts inside the
            # lookback window are kept.
            cutoff_ms = int(
                (
                    datetime.now(timezone.utc)
                    - timedelta(hours=lookback_hours)
                ).timestamp()
                * 1000
            )
    
            all_alerts = []
            total_fetched = 0
            pages_fetched = 0
    
            # MAX_RECORDS is a soft cap: it is checked between pages, so a
            # run can exceed it by at most one page.
            while total_fetched < max_records:
                logger.info(
                    f"Fetching page {pages_fetched + 1} (cursor: {cursor})..."
                )
                page = _fetch_alerts(
                    access_token, alert_lists, page_size, cursor=cursor
                )
    
                if not page:
                    logger.info("No more alerts returned. Stopping pagination.")
                    break
    
                pages_fetched += 1
                page_len = len(page)
    
                # Advance the cursor from the unfiltered page so pagination
                # keeps moving even when every alert on the page is dropped
                # by the lookback filter below.
                last_alert = page[-1]
                if "alertId" not in last_alert:
                    logger.warning("Last alert on page has no alertId. Stopping.")
                    break
                cursor = last_alert["alertId"]
    
                if is_first_run:
                    page = [
                        a for a in page if a.get("eventTime", 0) >= cutoff_ms
                    ]
    
                all_alerts.extend(page)
                total_fetched += len(page)
    
                # Stop if the API returned fewer alerts than requested
                if page_len < page_size:
                    logger.info("Received partial page. Stopping pagination.")
                    break
    
            logger.info(
                f"Collected {len(all_alerts)} alerts across {pages_fetched} pages."
            )
    
            if all_alerts:
                # Write alerts as NDJSON to GCS
                now_str = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
                blob_path = f"{prefix}/{now_str}.ndjson"
                ndjson_body = "\n".join(
                    json.dumps(alert, separators=(",", ":")) for alert in all_alerts
                )
    
                bucket = storage_client.bucket(bucket_name)
                blob = bucket.blob(blob_path)
                blob.upload_from_string(
                    ndjson_body, content_type="application/x-ndjson"
                )
                msg = (
                    f"Wrote {len(all_alerts)} alerts to "
                    f"gs://{bucket_name}/{blob_path}"
                )
            else:
                msg = "No new alerts to write."
    
            # Checkpoint only after the upload succeeded, so a failed write
            # is re-fetched on the next run instead of being lost.
            if cursor is not None:
                _save_state(
                    bucket_name,
                    state_key,
                    {
                        "last_cursor": cursor,
                        "last_run": datetime.now(timezone.utc).isoformat(),
                    },
                )
    
            logger.info(msg)
            return msg
    
        except Exception as e:
            logger.error(f"Error collecting Dataminr alerts: {e}")
            raise
    
  9. Click Deploy.

  10. Wait for the function to deploy. The status changes to a green check mark when deployment is complete.

Configure environment variables

  1. After the function is deployed, go to Cloud Run Functions > dataminr-alert-collector.
  2. Click Edit and deploy new revision.
  3. Click the Variables and Secrets tab (or expand Runtime, build, connections and security settings for 1st gen).
  4. Add the following environment variables:

    | Key | Example value |
    |---|---|
    | GCS_BUCKET | dataminr-alert-logs |
    | GCS_PREFIX | dataminr_alerts |
    | STATE_KEY | dataminr_state/cursor.json |
    | CLIENT_ID | Your Dataminr OAuth 2.0 Client ID |
    | CLIENT_SECRET | Your Dataminr OAuth 2.0 Client Secret |
    | ALERT_LISTS | Comma-separated Dataminr alert list IDs |
    | MAX_RECORDS | 1000 |
    | PAGE_SIZE | 40 |
    | LOOKBACK_HOURS | 24 |
  5. Click Deploy.

Plain environment variables are readable by anyone who can view the function's configuration. Store CLIENT_SECRET in Secret Manager and expose it to the function as a secret-backed environment variable from the same Variables and Secrets tab, so that the value is never written into the revision's configuration.
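The paging and checkpoint rules in the function above are easiest to reason about offline. The following is an added example, not code from the page, from Google, or from Dataminr: it replaces the Dataminr alerts endpoint and the GCS state blob with in-memory stand-ins so the loop can be run without credentials. It shows the first-run LOOKBACK_HOURS filter, the cursor advancing from the last alertId of each raw page, the partial-page stop, MAX_RECORDS acting as a soft cap, and a second run resuming from the saved cursor. The alert IDs, event times, and the assumption that the API returns alerts oldest-first with `from` meaning "alerts after this alertId" are constructed for the simulation only.

```python
from datetime import datetime, timedelta, timezone

PAGE_CAP = 40  # the collector caps PAGE_SIZE at 40


class FakeDataminr:
    """Stand-in for GET /api/3/alerts?lists=...&num=...&from=<alertId>.

    Assumption for this simulation only: alerts come back oldest-first and
    `from` means "the alerts after this alertId".
    """

    def __init__(self, alerts):
        self.alerts = sorted(alerts, key=lambda a: a["alertId"])

    def page(self, num, cursor=None):
        start = 0
        if cursor is not None:
            ids = [a["alertId"] for a in self.alerts]
            start = ids.index(cursor) + 1 if cursor in ids else len(ids)
        return self.alerts[start:start + num]


def collect(api, state, page_size, max_records, lookback_hours, now):
    """One scheduled run of the collector's paging loop.

    `state` is the checkpoint the function keeps in cursor.json;
    returns (alerts_to_write, new_state).
    """
    page_size = min(page_size, PAGE_CAP)
    cursor = state.get("last_cursor")
    is_first_run = cursor is None
    cutoff_ms = int((now - timedelta(hours=lookback_hours)).timestamp() * 1000)

    collected, total = [], 0
    while total < max_records:           # soft cap: checked between pages
        page = api.page(page_size, cursor)
        if not page:
            break
        page_len = len(page)
        cursor = page[-1]["alertId"]      # advance from the raw page
        if is_first_run:                  # lookback filter, first run only
            page = [a for a in page if a["eventTime"] >= cutoff_ms]
        collected.extend(page)
        total += len(page)
        if page_len < page_size:          # partial page: caught up
            break

    new_state = dict(state)
    if cursor is not None:
        new_state["last_cursor"] = cursor
    return collected, new_state


def make_alerts(start, n, first_time, step_minutes):
    """Constructed sample alerts: ascending alertId and eventTime (epoch ms)."""
    return [
        {
            "alertId": f"A{start + i:04d}",
            "eventTime": int(
                (first_time + timedelta(minutes=i * step_minutes)).timestamp() * 1000
            ),
            "text": f"constructed sample alert {start + i}",
        }
        for i in range(n)
    ]


def demo():
    now = datetime(2025, 1, 15, 10, 30, tzinfo=timezone.utc)
    # 100 alerts, one every 30 minutes, newest at `now` (about 50 h of history).
    api = FakeDataminr(make_alerts(0, 100, now - timedelta(minutes=30 * 99), 30))

    # Run 1: no checkpoint, 24 h lookback. Page 1 is entirely older than the
    # cutoff and filters to nothing, but the cursor still advances past it.
    run1, state1 = collect(api, {}, 40, 1000, 24, now)
    # Run 2: three new alerts arrive; the saved cursor yields only those.
    api.alerts += make_alerts(100, 3, now + timedelta(minutes=30), 30)
    run2, state2 = collect(api, state1, 40, 1000, 24, now)
    # Run 3: MAX_RECORDS=50 stops after the page that crosses the cap (80 alerts).
    run3, state3 = collect(api, {}, 40, 50, 1000, now)
    return {
        "run1": (len(run1), state1["last_cursor"]),
        "run2": ([a["alertId"] for a in run2], state2["last_cursor"]),
        "run3": (len(run3), state3["last_cursor"]),
    }


if __name__ == "__main__":
    print(demo())
```

Run 1 illustrates why the cursor must be taken from the unfiltered page: the 40 oldest alerts all fall outside the lookback window, and a loop that only advanced on kept alerts would stall on that page forever. Run 3 shows that MAX_RECORDS bounds the run to whole pages, so size it in multiples of PAGE_SIZE if the exact count matters.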

Create a Cloud Scheduler job

Cloud Scheduler publishes a message to the Pub/Sub topic on a schedule, which triggers the Cloud Run function to poll Dataminr Pulse for new alerts.

  1. In the Google Cloud Console, go to Cloud Scheduler.
  2. Click Create Job.
  3. Provide the following configuration details:

    | Setting | Value |
    |---|---|
    | Name | dataminr-alert-poll |
    | Region | Choose the same region as your function |
    | Frequency | */5 * * * * (every 5 minutes) |
    | Timezone | Choose your timezone (for example, UTC) |
  4. Click Continue.

  5. In the Configure the execution section:

    • Target type: select Pub/Sub
    • Topic: select dataminr-alert-trigger
    • Message body: enter {"poll": true}
  6. Click Create.

Verify the Cloud Run function

  1. In Cloud Scheduler, find the dataminr-alert-poll job.
  2. Click Force run to trigger an immediate execution.
  3. Go to Cloud Run Functions > dataminr-alert-collector > Logs.
  4. Confirm that the function executed successfully by checking for log entries such as:

    Successfully obtained Dataminr access token.
    Fetching page 1 (cursor: None)...
    Collected 35 alerts across 1 pages.
    Wrote 35 alerts to gs://dataminr-alert-logs/dataminr_alerts/20250115T103000Z.ndjson
    
  5. Go to Cloud Storage > Buckets > dataminr-alert-logs.

  6. Open the dataminr_alerts/ prefix.

  7. Verify that NDJSON files containing Dataminr alert data are being created.

Get the Google SecOps service account and configure the feed

Google SecOps uses a unique service account to read data from your GCS bucket. You must grant this service account access to your bucket.

Get the service account email

  1. Go to SIEM Settings > Feeds.
  2. Click Add New Feed.
  3. Click Configure a single feed.
  4. In the Feed name field, enter a name for the feed (for example, Dataminr Alerts).
  5. Select Google Cloud Storage V2 as the Source type.
  6. Select Dataminr Alerts as the Log type.
  7. Click Get Service Account.
  8. A unique service account email is displayed, for example:

    chronicle-12345678@chronicle-gcp-prod.iam.gserviceaccount.com
    
  9. Copy this email address for use in the next section.

  10. Click Next.

  11. Specify values for the following input parameters:

    • Storage bucket URL: enter the GCS bucket URI with the prefix path:

      gs://dataminr-alert-logs/dataminr_alerts/
      
    • Source deletion option: select the deletion option according to your preference:

      • Never: never delete any files after transfer (recommended for testing).
      • Delete transferred files: delete files after a successful transfer.
      • Delete transferred files and empty directories: delete files and empty directories after a successful transfer.

    • Maximum File Age: include files modified within this many days (the default is 180 days).

    • Asset namespace: the asset namespace.

    • Ingestion labels: labels to apply to events from this feed (for example, DATAMINR_ALERT).

  12. Click Next.

  13. Review your new feed configuration on the Finalize screen, then click Submit.

Grant IAM permissions to the Google SecOps service account

The Google SecOps service account requires the Storage Object Viewer role on your GCS bucket.

  1. Go to Cloud Storage > Buckets.
  2. Click your bucket name (for example, dataminr-alert-logs).
  3. Open the Permissions tab.
  4. Click Grant access.
  5. Provide the following configuration details:
    • Add principals: paste the Google SecOps service account email.
    • Assign roles: select Storage Object Viewer.
  6. Click Save.

UDM mapping table

| Log field | UDM mapping | Logic |
|---|---|---|
| alertId | metadata.product_log_id | Value copied directly |
| alertType.color | about.labels.alertType_color | Value copied directly |
| alertType.id | about.labels.alertType_id | Value copied directly |
| alertType.name | about.labels.alertType_name | Value copied directly |
| availableRelatedAlerts | about.labels.availableRelatedAlerts | Converted to string |
| text | metadata.description | Value copied directly |
| cat.name | security_result.category_details | Value copied directly |
| cat.id | security_result.detection_fields.categories_id | Value copied directly |
| cat.idStr | security_result.detection_fields.categories_idStr | Value copied directly |
| cat.path | security_result.detection_fields.categories_path | Value copied directly |
| cat.requested | security_result.detection_fields.categories_requested | Value copied directly |
| cat.retired | security_result.detection_fields.categories_retired | Converted to string |
| cat.topicType | about.labels.categories_topicType | Value copied directly |
| cat.name | security_result.category | Set to POLICY_VIOLATION if cat.name == "Cybersecurity - Policy"; NETWORK_MALICIOUS if in ["Cybersecurity - Threats & Vulnerabilities", "Cybersecurity - Crime & Malicious Activity", "Threats & Precautions", "Threats"]; NETWORK_SUSPICIOUS if =~ "Cybersecurity"; MAIL_PHISHING if =~ "Email and Web Servers"; DATA_EXFILTRATION if =~ "Data Exposure and Breaches"; POLICY_VIOLATION if =~ "Government, Policy, & Political Affairs"; PHISHING if =~ "(Malware |
| comp.dm_bucket.name | security_result.about.resource.attribute.labels.dm_bucket_%{bucket.id} | Value copied directly |
| comp.dm_sector.name | security_result.about.resource.attribute.labels.dm_sector_%{sector.id} | Value copied directly |
| comp.id | security_result.about.resource.attribute.labels.companies_id | Value copied directly |
| comp.idStr | security_result.about.resource.attribute.labels.companies_idStr | Value copied directly |
| comp.locations.city | security_result.about.location.city | Value from loc.city if loc_index == 0 |
| comp.locations.country, comp.locations.state.symbol | security_result.about.location.country_or_region | Joined as %{loc.country} - %{loc.state.symbol} if loc_index == 0 and both are non-empty |
| comp.locations.postalCode | security_result.about.resource.attribute.labels.locations_postalCode | Copied directly if loc_index == 0 and non-empty |
| comp.locations.state.name | security_result.about.location.state | Copied directly if loc_index == 0 |
| comp.locations.city | about.labels.loc_%{loc_index}_city | Copied directly if loc_index != 0 and non-empty |
| comp.locations.country, comp.locations.state.symbol | about.labels.loc_%{loc_index}_country_or_region | Joined as %{loc.country} - %{loc.state.symbol} if loc_index != 0 and both are non-empty |
| comp.locations.postalCode | security_result.about.resource.attribute.labels.locations_%{loc_index}_postalCode | Copied directly if loc_index != 0 and non-empty |
| comp.locations.state.name | about.labels.loc_%{loc_index}_state_name | Copied directly if loc_index != 0 and non-empty |
| comp.name | security_result.about.resource.name | Value copied directly |
| comp.requested | security_result.about.resource.attribute.labels.companies_requested | Value copied directly |
| comp.retired | security_result.about.resource.attribute.labels.companies_retired | Converted to string |
| comp.ticker | security_result.about.resource.attribute.labels.companies_ticker | Value copied directly |
| comp.topicType | security_result.about.resource.attribute.labels.companies_topicType | Value copied directly |
| eventLocation.coordinates.0 | principal.location.region_coordinates.latitude | Value copied directly |
| eventLocation.coordinates.1 | principal.location.region_coordinates.longitude | Value copied directly |
| eventLocation.name | principal.location.name | Value copied directly |
| eventLocation.places | principal.labels.location_places | Joined from array with comma separator |
| eventLocation.probability | principal.labels.eventLocation_probability | Converted to string |
| eventLocation.radius | principal.labels.eventLocation_radius | Converted to string |
| eventMapLargeURL | principal.labels.eventMapLargeURL | Value copied directly |
| eventMapSmallURL | principal.labels.eventMapSmallURL | Value copied directly |
| eventTime | @timestamp | Converted from epoch milliseconds to timestamp |
| eventVolume | about.labels.eventVolume | Converted to string |
| expandAlertURL | metadata.url_back_to_product | Value copied directly |
| expandMapURL | principal.labels.expandMapURL | Value copied directly |
| headerColor | about.labels.headerColor | Value copied directly |
| headerLabel | about.labels.headerLabel | Value copied directly |
| metadata.cyber.addresses.ip | principal.ip | Extracted with a grok pattern if index == 0 |
| metadata.cyber.addresses.port | principal.port | Copied directly if index == 0, converted to integer |
| metadata.cyber.addresses.port | principal.labels.addresses_%{index}_port | Copied directly if index != 0 |
| metadata.cyber.addresses.version | principal.labels.metadata_cyber_addresses_%{index}_version | Value copied directly |
| metadata.cyber.asns | network.asn | Copied directly if index == 0 |
| metadata.cyber.asns | about.labels.metadata_cyber_%{index}_asn | Copied directly if index != 0 |
| metadata.cyber.hashValues.value | security_result.about.file.sha1 | Copied directly if type == SHA1, lowercased |
| metadata.cyber.hashValues.value | security_result.about.file.sha256 | Copied directly if type == SHA256, lowercased |
| metadata.cyber.malwares | security_result.associations.name | Value copied directly |
| metadata.cyber.malwares | security_result.associations.type | Set to MALWARE |
| metadata.cyber.orgs | network.organization_name | Copied directly if index == 0 |
| metadata.cyber.orgs | about.labels.metadata_cyber_%{index}_orgs | Copied directly if index != 0 |
| metadata.cyber.products | principal.application | Copied directly if index == 0 |
| metadata.cyber.products | principal.labels.metadata_cyber_products_%{index} | Copied directly if index != 0 |
| metadata.cyber.threats | security_result.threat_name | Copied directly if index == 0 |
| metadata.cyber.threats | security_result.about.labels.metadata_cyber_threats_%{index} | Copied directly if index != 0 |
| metadata.cyber.URLs | security_result.about.url | Copied directly if index == 0 |
| metadata.cyber.URLs | security_result.about.labels.url_%{index} | Copied directly if index != 0 |
| metadata.cyber.malwares.0 | security_result.category | Set to SOFTWARE_MALICIOUS if present |
| metadata.cyber.vulnerabilities.cvss | extensions.vulns.vulnerabilities.cvss_base_score | Value copied directly |
| metadata.cyber.vulnerabilities.exploitPocLinks | extensions.vulns.vulnerabilities.cve_description | Joined from array with "\n" separator |
| metadata.cyber.vulnerabilities.id | extensions.vulns.vulnerabilities.cve_id | Value copied directly |
| metadata.cyber.vulnerabilities.products.productName | extensions.vulns.vulnerabilities.about.application | Copied directly if index == 0 |
| metadata.cyber.vulnerabilities.products.productVendor | extensions.vulns.vulnerabilities.vendor | Copied directly if index == 0 |
| metadata.cyber.vulnerabilities.products.productVersion | extensions.vulns.vulnerabilities.about.platform_version | Copied directly if index == 0, spaces removed |
| metadata.cyber.vulnerabilities.products.productName | extensions.vulns.vulnerabilities.about.labels.productName_%{index} | Copied directly if index != 0 |
| metadata.cyber.vulnerabilities.products.productVendor | extensions.vulns.vulnerabilities.about.labels.productVendor_%{index} | Copied directly if index != 0 |
| metadata.cyber.vulnerabilities.products.productVersion | extensions.vulns.vulnerabilities.about.labels.productVersion_%{index} | Copied directly if index != 0, spaces removed |
| parentAlertId | about.labels.parentAlertId | Value copied directly |
| post.languages.lang | target.labels.post_languages_lang_%{index} | Value copied directly |
| post.languages.position | target.labels.post_languages_position_%{index} | Converted to string |
| post.link | target.labels.post_link | Value copied directly |
| post.media.link | principal.resource.name | Copied directly if index == 0 |
| post.media.description | target.resource.attribute.labels.post_media_description | Copied directly if index == 0 |
| post.media.display_url | target.resource.attribute.labels.post_media_display_url | Copied directly if index == 0 |
| post.media.isSafe | target.resource.attribute.labels.post_media_isSafe | Converted to string if index == 0 |
| post.media.media_url | target.resource.attribute.labels.post_media_media_url | Copied directly if index == 0 |
| post.media.sizes.large.h | target.resource.attribute.labels.post_media_sizes_large_h | Converted to string if index == 0 |
| post.media.sizes.large.resize | target.resource.attribute.labels.post_media_sizes_large_resize | Copied directly if index == 0 |
| post.media.sizes.large.w | target.resource.attribute.labels.post_media_sizes_large_w | Converted to string if index == 0 |
| post.media.sizes.medium.h | target.resource.attribute.labels.post_media_sizes_medium_h | Converted to string if index == 0 |
| post.media.sizes.medium.resize | target.resource.attribute.labels.post_media_sizes_medium_resize | Copied directly if index == 0 |
| post.media.sizes.medium.w | target.resource.attribute.labels.post_media_sizes_medium_w | Converted to string if index == 0 |
| post.media.sizes.small.h | target.resource.attribute.labels.post_media_sizes_small_h | Converted to string if index == 0 |
| post.media.sizes.small.resize | target.resource.attribute.labels.post_media_sizes_small_resize | Copied directly if index == 0 |
| post.media.sizes.small.w | target.resource.attribute.labels.post_media_sizes_small_w | Converted to string if index == 0 |
| post.media.sizes.thumb.h | target.resource.attribute.labels.post_media_sizes_thumb_h | Converted to string if index == 0 |
| post.media.sizes.thumb.resize | target.resource.attribute.labels.post_media_sizes_thumb_resize | Copied directly if index == 0 |
| post.media.sizes.thumb.w | target.resource.attribute.labels.post_media_sizes_thumb_w | Converted to string if index == 0 |
| post.media.source | target.resource.attribute.labels.post_media_source | Copied directly if index == 0 |
| post.media.thumbnail | target.resource.attribute.labels.post_media_thumbnail | Copied directly if index == 0 |
| post.media.title | target.resource.attribute.labels.post_media_title | Copied directly if index == 0 |
| post.media.url | target.resource.attribute.labels.post_media_url | Copied directly if index == 0 |
| post.media.video_info.duration_millis | target.resource.attribute.labels.post_media_video_info_duration_millis | Converted to string if index == 0 |
| post.media.video_info.aspect_ratio | target.resource.attribute.labels.post_media_video_info_aspect_ratio | Joined as %{med.video_info.aspect_ratio.0}, %{med.video_info.aspect_ratio.1} if index == 0 |
| post.media.video_info.variants.bitrate | target.resource.attribute.labels.post_media_video_info_variants_bitrate_%{var_index} | Converted to string |
| post.media.video_info.variants.content_type | target.resource.attribute.labels.post_media_video_info_variants_content_type_%{var_index} | Value copied directly |
| post.media.video_info.variants.url | target.resource.attribute.labels.post_media_video_info_variants_url_%{var_index} | Value copied directly |
| post.media.type | principal.resource.resource_subtype | Copied directly if index == 0 |
| post.media.link | about.resource.name | Copied directly if index != 0 |
| post.media.description | about.resource.attribute.labels.post_media_description | Copied directly if index != 0 |
| post.media.display_url | about.resource.attribute.labels.post_media_display_url | Copied directly if index != 0 |
| post.media.isSafe | about.resource.attribute.labels.post_media_isSafe | Converted to string if index != 0 |
| post.media.media_url | about.resource.attribute.labels.post_media_media_url | Copied directly if index != 0 |
| post.media.sizes.large.h | about.resource.attribute.labels.post_media_sizes_large_h | Converted to string if index != 0 |
| post.media.sizes.large.resize | about.resource.attribute.labels.post_media_sizes_large_resize | Copied directly if index != 0 |
| post.media.sizes.large.w | about.resource.attribute.labels.post_media_sizes_large_w | Converted to string if index != 0 |
| post.media.sizes.medium.h | about.resource.attribute.labels.post_media_sizes_medium_h | Converted to string if index != 0 |
| post.media.sizes.medium.resize | about.resource.attribute.labels.post_media_sizes_medium_resize | Copied directly if index != 0 |
| post.media.sizes.medium.w | about.resource.attribute.labels.post_media_sizes_medium_w | Converted to string if index != 0 |
| post.media.sizes.small.h | about.resource.attribute.labels.post_media_sizes_small_h | Converted to string if index != 0 |
| post.media.sizes.small.resize | about.resource.attribute.labels.post_media_sizes_small_resize | Copied directly if index != 0 |
| post.media.sizes.small.w | about.resource.attribute.labels.post_media_sizes_small_w | Converted to string if index != 0 |
| post.media.sizes.thumb.h | about.resource.attribute.labels.post_media_sizes_thumb_h | Converted to string if index != 0 |
| post.media.sizes.thumb.resize | about.resource.attribute.labels.post_media_sizes_thumb_resize | Copied directly if index != 0 |
| post.media.sizes.thumb.w | about.resource.attribute.labels.post_media_sizes_thumb_w | Converted to string if index != 0 |
| post.media.source | about.resource.attribute.labels.post_media_source | Copied directly if index != 0 |
| post.media.thumbnail | about.resource.attribute.labels.post_media_thumbnail | Copied directly if index != 0 |
| post.media.title | about.resource.attribute.labels.post_media_title | Copied directly if index != 0 |
| post.media.url | about.resource.attribute.labels.post_media_url | Copied directly if index != 0 |
| post.media.video_info.duration_millis | about.resource.attribute.labels.post_media_video_info_duration_millis | Converted to string if index != 0 |
| post.media.video_info.aspect_ratio | about.resource.attribute.labels.post_media_video_info_aspect_ratio | Joined as %{med.video_info.aspect_ratio.0}, %{med.video_info.aspect_ratio.1} if index != 0 |
| post.media.video_info.variants.bitrate | about.resource.attribute.labels.post_media_video_info_variants_bitrate_%{var_index} | Converted to string |
| post.media.video_info.variants.content_type | about.resource.attribute.labels.post_media_video_info_variants_content_type_%{var_index} | Value copied directly |
| post.media.video_info.variants.url | about.resource.attribute.labels.post_media_video_info_variants_url_%{var_index} | Value copied directly |
| post.media.type | about.resource.resource_subtype | Copied directly if index != 0 |
| post.translatedText | target.labels.post_translatedText | Value copied directly |
| post.text | target.labels.post_text | Value copied directly |
| post.timestamp | target.resource.attribute.creation_time | Converted from epoch milliseconds to timestamp |
| publisherCategory.color | target.labels.publisherCategory_color | Value copied directly |
| publisherCategory.name | target.labels.publisherCategory_name | Value copied directly |
| publisherCategory.shortName | target.labels.publisherCategory_shortName | Value copied directly |
| relatedTerms.url | principal.labels.relatedTerms_%{terms.text} | Value copied directly |
| relatedTermsQueryURL | principal.labels.relatedTermsQueryURL | Value copied directly |
| sect.id | about.labels.sectors_id | Value copied directly |
| sect.idStr | about.labels.sectors_idStr | Value copied directly |
| sect.name | about.labels.sectors_name | Value copied directly |
| sect.retired | about.labels.sectors_retired | Converted to string |
| sect.topicType | about.labels.sectors_topicType | Value copied directly |
| source.channels.0 | principal.application | Value copied directly |
| source.displayName | principal.user.user_display_name | Value copied directly |
| source.link | principal.url | Value copied directly |
| source.verified | principal.labels.source_verified | Converted to string |
subCaption.bullets.content about.labels.subCaption_bullets_content Nilai disalin secara langsung
subCaption.bullets.media about.labels.subCaption_bullets_media Nilai disalin secara langsung
subCaption.bullets.source about.labels.subCaption_bullets_source Nilai disalin secara langsung
watchlist.id about.labels.watchlistsMatchedByType_id Nilai disalin secara langsung
watchlist.externalTopicIds about.labels.watchlistsMatchedByType_externalTopicIds Bergabung dari array dengan pemisah koma
watchlist.name about.labels.watchlistsMatchedByType_name Nilai disalin secara langsung
watchlist.type about.labels.watchlistsMatchedByType_type Nilai disalin secara langsung
watchlist.userProperties.omnilist about.labels.watchlistsMatchedByType_userProperties_omnilist Nilai disalin secara langsung
watchlist.userProperties.uiListType about.labels.watchlistsMatchedByType_userProperties_uiListType Nilai disalin secara langsung
watchlist.userProperties.watchlistColor about.labels.watchlistsMatchedByType_userProperties_watchlistColor Nilai disalin secara langsung
watchlist.locationGroups.locations.id about.labels.watchlistsMatchedByTypelocationGroups%{lg_i}_locationsid%{loc_i} Nilai disalin secara langsung
watchlist.locationGroups.locations.lng about.labels.watchlistsMatchedByTypelocationGroups%{lg_i}_locationslng%{loc_i} Dikonversi menjadi string jika lg_i != 0 atau loc_i != 0
watchlist.locationGroups.locations.lat about.labels.watchlistsMatchedByTypelocationGroups%{lg_i}_locationslat%{loc_i} Dikonversi menjadi string jika lg_i != 0 atau loc_i != 0
watchlist.locationGroups.locations.name about.labels.watchlistsMatchedByTypelocationGroups%{lg_i}_locationsname%{loc_i} Nilai disalin secara langsung jika lg_i != 0 atau loc_i != 0
watchlist.locationGroups.id about.labels.watchlistsMatchedByType_locationGroupsid%{lg_i} Nilai disalin secara langsung
watchlist.locationGroups.name about.labels.watchlistsMatchedByType_locationGroupsname%{lg_i} Nilai disalin secara langsung
watchlist.locationGroups.locations.lng about.location.region_coordinates.longitude Nilai disalin langsung jika lg_i == 0 dan loc_i == 0
watchlist.locationGroups.locations.lat about.location.region_coordinates.latitude Nilai disalin langsung jika lg_i == 0 dan loc_i == 0
watchlist.locationGroups.locations.name about.location.name Nilai disalin langsung jika lg_i == 0 dan loc_i == 0
source.entityName principal.hostname Nilai disalin secara langsung
metadata.event_type Disetel ke "GENERIC_EVENT"; diubah menjadi "SCAN_HOST" jika principal_ip atau principal.hostname tidak kosong
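The conditional rows in the table above (first watchlist location promoted to structured `about.location` fields while later locations become indexed labels, the epoch-millisecond timestamp conversion, the comma-joined `externalTopicIds`, and the `metadata.event_type` switch) are easy to misread when checking parser output. The following Python is an added example, not Google's parser or Dataminr's code: it reproduces just those rules over a constructed sample alert and returns a flat dictionary keyed by UDM path. The flat-dictionary output, the `map_alert` function name and the sample alert are assumptions for illustration; the real parser emits UDM labels as key/value lists.

```python
"""Added example: reproduce a few conditional Dataminr -> UDM mapping rules.

This is not the Google SecOps parser; it mirrors the rules from the mapping
table so that expected output can be checked against real parser results.
Labels are written as flat "udm.path" keys (an assumption for readability).
"""
from datetime import datetime, timezone

# Constructed sample alert (not real Dataminr data). Two locations in one
# location group exercise the lg_i/loc_i == 0 vs != 0 branches.
SAMPLE_ALERT = {
    "post": {"timestamp": 1700000000000, "text": "constructed alert text"},
    "source": {"entityName": "", "channels": ["x"], "displayName": "Sample Feed"},
    "watchlistsMatchedByType": [
        {
            "id": "wl-1",
            "name": "Cyber",
            "externalTopicIds": ["t1", "t2"],
            "locationGroups": [
                {
                    "id": "lg-1",
                    "name": "Offices",
                    "locations": [
                        {"id": "loc-1", "name": "Jakarta", "lat": -6.2, "lng": 106.8},
                        {"id": "loc-2", "name": "Singapore", "lat": 1.35, "lng": 103.8},
                    ],
                }
            ],
        }
    ],
}


def epoch_ms_to_timestamp(ms):
    """post.timestamp rule: epoch milliseconds -> RFC 3339 UTC timestamp."""
    dt = datetime.fromtimestamp(int(ms) / 1000, tz=timezone.utc)
    return dt.isoformat().replace("+00:00", "Z")


def map_alert(alert):
    """Apply the conditional rules from the table and return a flat UDM dict."""
    udm = {}
    post = alert.get("post", {})
    source = alert.get("source", {})

    if "timestamp" in post:
        udm["target.resource.attribute.creation_time"] = epoch_ms_to_timestamp(post["timestamp"])
    if source.get("displayName"):
        udm["principal.user.user_display_name"] = source["displayName"]
    if source.get("entityName"):
        udm["principal.hostname"] = source["entityName"]

    # The table does not index by watchlist, so each watchlist is processed in
    # order and later values overwrite earlier ones (an assumption).
    for wl in alert.get("watchlistsMatchedByType", []):
        udm["about.labels.watchlistsMatchedByType_id"] = wl.get("id")
        udm["about.labels.watchlistsMatchedByType_name"] = wl.get("name")
        # externalTopicIds: joined from the array with a comma separator
        udm["about.labels.watchlistsMatchedByType_externalTopicIds"] = ",".join(
            wl.get("externalTopicIds", [])
        )
        for lg_i, lg in enumerate(wl.get("locationGroups", [])):
            udm[f"about.labels.watchlistsMatchedByType_locationGroupsid{lg_i}"] = lg.get("id")
            udm[f"about.labels.watchlistsMatchedByType_locationGroupsname{lg_i}"] = lg.get("name")
            for loc_i, loc in enumerate(lg.get("locations", [])):
                prefix = f"about.labels.watchlistsMatchedByTypelocationGroups{lg_i}_locations"
                # location id is a label regardless of index
                udm[f"{prefix}id{loc_i}"] = loc.get("id")
                if lg_i == 0 and loc_i == 0:
                    # first location: copied directly into structured fields
                    udm["about.location.region_coordinates.latitude"] = loc.get("lat")
                    udm["about.location.region_coordinates.longitude"] = loc.get("lng")
                    udm["about.location.name"] = loc.get("name")
                else:
                    # later locations: stringified into indexed labels
                    udm[f"{prefix}lat{loc_i}"] = str(loc.get("lat"))
                    udm[f"{prefix}lng{loc_i}"] = str(loc.get("lng"))
                    udm[f"{prefix}name{loc_i}"] = loc.get("name")

    # metadata.event_type rule: GENERIC_EVENT unless a principal host is present
    has_host = bool(udm.get("principal.hostname")) or bool(udm.get("principal.ip"))
    udm["metadata.event_type"] = "SCAN_HOST" if has_host else "GENERIC_EVENT"
    return udm


if __name__ == "__main__":
    for key, value in sorted(map_alert(SAMPLE_ALERT).items()):
        print(f"{key} = {value!r}")
```

Running the block prints the flattened result for the constructed alert; the same function applied to an alert whose `source.entityName` is populated flips `metadata.event_type` to `SCAN_HOST`, which is the behaviour to confirm when validating the parser against real events.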
