Collect Dataminr Alerts logs
This document explains how to ingest Dataminr Alerts logs into Google Security Operations using Google Cloud Storage V2, a Cloud Run function, and Cloud Scheduler.
Dataminr Pulse provides real-time, AI-powered intelligence from more than 500,000 public data sources worldwide, including the deep and dark web. The platform gives early warning of cyber threats, vulnerabilities, ransomware attacks, data breaches, and emerging digital risks that affect your organization and its third parties. The Dataminr Pulse API uses OAuth 2.0 client credentials authentication and cursor-based pagination to retrieve alerts.
Before you begin
Make sure you have the following prerequisites:
- A Google SecOps instance
- A Google Cloud project with the following APIs enabled:
  - Cloud Storage API
  - Cloud Run Functions API
  - Cloud Scheduler API
  - Cloud Pub/Sub API
- Permissions to create and manage GCS buckets, Cloud Run functions, Pub/Sub topics, and Cloud Scheduler jobs
- Permissions to manage IAM policies on GCS buckets
- An active Dataminr Pulse account with API access enabled
- Dataminr Pulse API credentials (Client ID and Client Secret)
- At least one Dataminr Pulse Alert List configured in your Dataminr account
Create a Google Cloud Storage bucket
- Go to the Google Cloud Console.
- Select your project or create a new one.
- In the navigation menu, go to Cloud Storage > Buckets.
- Click Create bucket.
- Provide the following configuration details:

| Setting | Value |
|---|---|
| Name your bucket | Enter a globally unique name (for example, dataminr-alert-logs) |
| Location type | Choose based on your needs (Region, Dual-region, Multi-region) |
| Location | Choose a location (for example, us-central1) |
| Storage class | Standard (recommended for frequently accessed logs) |
| Access control | Uniform (recommended) |
| Protection tools | Optional: enable object versioning or a retention policy |

- Click Create.
Collect Dataminr credentials
For the Cloud Run function to retrieve alert data, you need API credentials for OAuth 2.0 client credentials authentication from your Dataminr account representative.
Obtain API credentials
- Contact your Dataminr account representative or support team to request API access.
- Provide the following information:
  - Your organization name
  - Use case: Integration with Google Chronicle SIEM
  - Required access: Dataminr Pulse API for Cyber Risk
Dataminr provisions the API credentials and gives you:
- Client ID: your unique OAuth 2.0 client ID
- Client Secret: your OAuth 2.0 client secret key
Verify the API credentials
To verify that your credentials work, run the following command:

```bash
curl -X POST https://gateway.dataminr.com/auth/2/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET&grant_type=api_key"
```

Passing the secret on the command line records it in your shell history; for anything beyond a one-off check, read it from an environment variable or a file instead. A successful response returns a JSON object containing an access_token field:

```json
{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI...",
  "token_type": "Bearer",
  "expire": 3600
}
```
Collect the Alert List IDs
- Sign in to the Dataminr Pulse web application at https://app.dataminr.com.
- Open the Alert Lists (watchlists) that you have configured.
- Note the Alert List IDs that you want to ingest into Google SecOps.
Create a service account for the Cloud Run function
- In the Google Cloud Console, go to IAM & Admin > Service Accounts.
- Click Create Service Account.
- Provide the following configuration details:
  - Service account name: enter dataminr-alert-collector
  - Service account description: enter Service account for Dataminr Alerts Cloud Run function to write alert data to GCS
- Click Create and Continue.
- In the Grant this service account access to project section, add the following roles:
  - Click Select a role, then search for and select Storage Object Admin.
  - Click Add Another Role, then search for and select Cloud Run Invoker.
- Click Continue.
- Click Done.
Granting Storage Object Admin at the project level gives the function write access to every bucket in the project. The bucket-level grant in the next section is sufficient on its own, so you can skip the project-level Storage Object Admin role if you want to keep the service account limited to the one bucket it writes to.
Grant IAM permissions on the GCS bucket
- Go to Cloud Storage > Buckets.
- Click the name of your bucket (for example, dataminr-alert-logs).
- Open the Permissions tab.
- Click Grant access.
- Provide the following configuration details:
  - Add principals: enter the service account email (for example, dataminr-alert-collector@PROJECT_ID.iam.gserviceaccount.com).
  - Assign roles: select Storage Object Admin.
- Click Save.
Create a Pub/Sub topic
The Pub/Sub topic triggers the Cloud Run function when Cloud Scheduler publishes a message to it.
- In the Google Cloud Console, go to Pub/Sub > Topics.
- Click Create Topic.
- Provide the following configuration details:
  - Topic ID: enter dataminr-alert-trigger
  - Add a default subscription: leave checked
- Click Create.
Create the Cloud Run function
- In the Google Cloud Console, go to Cloud Run functions.
- Click Create function.
- Provide the following configuration details:

| Setting | Value |
|---|---|
| Environment | 2nd gen |
| Function name | dataminr-alert-collector |
| Region | Select the same region as your GCS bucket |
| Trigger type | Cloud Pub/Sub |
| Pub/Sub topic | dataminr-alert-trigger |
| Memory allocated | 512 MiB |
| Timeout | 540 seconds |
| Runtime service account | dataminr-alert-collector |

- Click Next.
- Set Runtime to Python 3.12.
- Set Entry point to main.
- In the requirements.txt file, add the following dependencies:

```
functions-framework==3.*
google-cloud-storage==2.*
requests==2.*
```

- In the main.py file, paste the following code:

```python
import functions_framework
import json
import os
import logging
import time
from datetime import datetime, timedelta, timezone
from google.cloud import storage
import requests

logger = logging.getLogger(__name__)
logger.setLevel(logging.INFO)

storage_client = storage.Client()

TOKEN_URL = "https://gateway.dataminr.com/auth/2/token"
ALERTS_URL = "https://gateway.dataminr.com/api/3/alerts"


def _get_access_token(client_id: str, client_secret: str) -> str:
    """Obtain an OAuth 2.0 access token from Dataminr."""
    payload = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "api_key",
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    resp = requests.post(TOKEN_URL, data=payload, headers=headers, timeout=30)
    resp.raise_for_status()
    token_data = resp.json()
    access_token = token_data.get("access_token")
    if not access_token:
        raise ValueError("No access_token in token response")
    logger.info("Successfully obtained Dataminr access token.")
    return access_token


def _load_state(bucket_name: str, state_key: str) -> dict:
    """Load the last cursor (alertId) from GCS."""
    try:
        bucket = storage_client.bucket(bucket_name)
        blob = bucket.blob(state_key)
        if blob.exists():
            data = json.loads(blob.download_as_text())
            logger.info(f"Loaded state: {data}")
            return data
    except Exception as e:
        logger.warning(f"State read error: {e}")
    logger.info("No previous state found.")
    return {}


def _save_state(bucket_name: str, state_key: str, state: dict) -> None:
    """Save the cursor state to GCS."""
    bucket = storage_client.bucket(bucket_name)
    blob = bucket.blob(state_key)
    blob.upload_from_string(
        json.dumps(state), content_type="application/json"
    )
    logger.info(f"Saved state: {state}")


def _fetch_alerts(
    access_token: str,
    alert_lists: str,
    page_size: int,
    cursor: str = None,
) -> list:
    """Fetch one page of alerts from the Dataminr Pulse API."""
    headers = {
        "Authorization": f"Bearer {access_token}",
        "Accept": "application/json",
    }
    params = {
        "lists": alert_lists,
        "num": page_size,
    }
    if cursor:
        params["from"] = cursor
    resp = requests.get(
        ALERTS_URL, headers=headers, params=params, timeout=60
    )

    # Handle rate limiting via response headers
    rate_remaining = resp.headers.get("x-ratelimit-remaining")
    rate_reset = resp.headers.get("x-ratelimit-reset")
    if resp.status_code == 429:
        # x-ratelimit-reset is treated as an epoch timestamp; if the
        # header is absent, back off for a flat 60 seconds
        if rate_reset:
            wait_seconds = max(int(rate_reset) - int(time.time()), 1)
        else:
            wait_seconds = 60
        logger.warning(
            f"Rate limited. Waiting {wait_seconds}s before retry."
        )
        time.sleep(wait_seconds)
        resp = requests.get(
            ALERTS_URL, headers=headers, params=params, timeout=60
        )
    resp.raise_for_status()

    if rate_remaining is not None:
        logger.info(
            f"Rate limit remaining: {rate_remaining}, reset: {rate_reset}"
        )

    data = resp.json()
    alerts = data if isinstance(data, list) else data.get("data", [])
    return alerts


@functions_framework.cloud_event
def main(cloud_event):
    """Cloud Run function entry point triggered by Pub/Sub."""
    bucket_name = os.environ["GCS_BUCKET"]
    prefix = os.environ.get("GCS_PREFIX", "dataminr_alerts")
    state_key = os.environ.get("STATE_KEY", "dataminr_state/cursor.json")
    client_id = os.environ["CLIENT_ID"]
    client_secret = os.environ["CLIENT_SECRET"]
    alert_lists = os.environ["ALERT_LISTS"]
    max_records = int(os.environ.get("MAX_RECORDS", "1000"))
    page_size = min(int(os.environ.get("PAGE_SIZE", "40")), 40)
    lookback_hours = int(os.environ.get("LOOKBACK_HOURS", "24"))

    try:
        access_token = _get_access_token(client_id, client_secret)
        state = _load_state(bucket_name, state_key)
        cursor = state.get("last_cursor")
        is_first_run = cursor is None

        all_alerts = []
        total_fetched = 0
        pages_fetched = 0

        while total_fetched < max_records:
            logger.info(
                f"Fetching page {pages_fetched + 1} (cursor: {cursor})..."
            )
            alerts = _fetch_alerts(
                access_token, alert_lists, page_size, cursor=cursor
            )
            if not alerts:
                logger.info("No more alerts returned. Stopping pagination.")
                break

            # Remember what the API actually returned before filtering
            raw_count = len(alerts)
            last_alert = alerts[-1]

            # Filter by lookback window on first run (no prior cursor)
            if is_first_run:
                cutoff_ms = int(
                    (
                        datetime.now(timezone.utc)
                        - timedelta(hours=lookback_hours)
                    ).timestamp()
                    * 1000
                )
                alerts = [
                    a for a in alerts if a.get("eventTime", 0) >= cutoff_ms
                ]

            all_alerts.extend(alerts)
            total_fetched += len(alerts)
            pages_fetched += 1

            # Advance the cursor over the full page the API returned, not the
            # filtered subset, so alerts dropped by the lookback filter are
            # not served again on the next run
            if "alertId" in last_alert:
                cursor = last_alert["alertId"]
            else:
                break

            # Stop if the API returned fewer alerts than requested
            if raw_count < page_size:
                logger.info("Received partial page. Stopping pagination.")
                break

        logger.info(
            f"Collected {len(all_alerts)} alerts across {pages_fetched} pages."
        )

        if not all_alerts:
            logger.info("No new alerts to write.")
            if cursor is not None:
                # Persist the cursor even when every alert was filtered out;
                # otherwise the next run repeats the first-run lookback
                _save_state(
                    bucket_name,
                    state_key,
                    {
                        "last_cursor": cursor,
                        "last_run": datetime.now(timezone.utc).isoformat(),
                    },
                )
            return "No new alerts", 200

        # Write alerts as NDJSON to GCS
        now_str = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
        blob_path = f"{prefix}/{now_str}.ndjson"
        ndjson_body = "\n".join(
            json.dumps(alert, separators=(",", ":")) for alert in all_alerts
        )
        bucket = storage_client.bucket(bucket_name)
        blob = bucket.blob(blob_path)
        blob.upload_from_string(
            ndjson_body, content_type="application/x-ndjson"
        )

        # Save the cursor only after the data is safely in GCS (at-least-once)
        _save_state(
            bucket_name,
            state_key,
            {
                "last_cursor": cursor,
                "last_run": datetime.now(timezone.utc).isoformat(),
            },
        )

        msg = (
            f"Wrote {len(all_alerts)} alerts to "
            f"gs://{bucket_name}/{blob_path}"
        )
        logger.info(msg)
        return msg, 200

    except Exception as e:
        logger.error(f"Error collecting Dataminr alerts: {e}")
        raise
```

- Click Deploy.
Wait for the function to deploy. The status changes to a green check mark when deployment is complete.
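The part of main.py that is easy to get wrong is the cursor handling: the cursor must advance over every alert the API returned, the lookback filter must apply only on the first run, and a persisted cursor must keep the next run from re-ingesting the same alerts. The following is an added example, not part of the page's function or of Dataminr's API, that re-implements that loop as a pure function and drives it with a constructed in-memory feed so the behaviour can be checked offline before deploying. The feed's ordering (ascending alertId, `from` returns alerts strictly after the cursor) and the alert timestamps are assumptions made for the demonstration.

```python
"""Offline dry run of the collector's cursor and lookback logic.

Added example: mirrors the pagination loop of main.py as a pure function
and drives it with a constructed feed; nothing here talks to Dataminr or GCS.
"""
import json
from typing import Callable, Optional

PAGE_SIZE_CAP = 40  # main.py caps PAGE_SIZE at 40


def paginate_alerts(
    fetch_page: Callable[[Optional[str], int], list],
    cursor: Optional[str],
    page_size: int,
    max_records: int,
    lookback_cutoff_ms: int,
) -> tuple:
    """Return (collected_alerts, new_cursor), as main.py's loop would.

    fetch_page(cursor, page_size) stands in for _fetch_alerts(). The lookback
    filter applies only on a first run (cursor is None); the cursor and the
    partial-page check use the unfiltered page the API returned.
    """
    page_size = min(page_size, PAGE_SIZE_CAP)
    is_first_run = cursor is None
    collected = []
    while len(collected) < max_records:
        page = fetch_page(cursor, page_size)
        if not page:
            break
        last = page[-1]
        kept = page
        if is_first_run:
            kept = [a for a in page if a.get("eventTime", 0) >= lookback_cutoff_ms]
        collected.extend(kept)
        if "alertId" not in last:
            break
        cursor = last["alertId"]
        if len(page) < page_size:  # partial page: nothing further to fetch
            break
    return collected, cursor


def make_fake_feed(alerts: list) -> Callable[[Optional[str], int], list]:
    """Constructed stand-in for the Pulse API (assumption: alerts are served in
    ascending alertId order and 'from' returns those strictly after the cursor)."""
    ordered = sorted(alerts, key=lambda a: a["alertId"])

    def fetch_page(cursor: Optional[str], num: int) -> list:
        start = 0
        if cursor is not None:
            start = [a["alertId"] for a in ordered].index(cursor) + 1
        return ordered[start:start + num]

    return fetch_page


def to_ndjson(alerts: list) -> str:
    """Same serialisation main.py uploads: one compact JSON object per line."""
    return "\n".join(json.dumps(a, separators=(",", ":")) for a in alerts)


def run_demo() -> dict:
    # Constructed sample: five alerts, one hour apart, with alert-0 older than
    # the 24 h lookback window. "now" is fixed so the run is deterministic.
    now_ms = 1_736_937_000_000  # 2025-01-15T10:30:00Z
    hour_ms = 3_600_000
    cutoff_ms = now_ms - 24 * hour_ms
    alerts = [
        {"alertId": f"alert-{i}", "eventTime": now_ms - (4 - i) * hour_ms, "caption": f"sample {i}"}
        for i in range(5)
    ]
    alerts[0]["eventTime"] = cutoff_ms - 1  # outside the lookback window

    feed = make_fake_feed(alerts)
    # First run: no cursor, so the lookback filter drops alert-0 and the
    # cursor still moves past it because it is taken from the raw page.
    first, cursor = paginate_alerts(feed, None, 2, 100, cutoff_ms)
    # Second run with the persisted cursor: nothing new, nothing re-ingested.
    second, cursor2 = paginate_alerts(feed, cursor, 2, 100, cutoff_ms)
    # A new alert arrives; the third run picks up only that one.
    alerts.append({"alertId": "alert-5", "eventTime": now_ms + 1000, "caption": "new"})
    third, cursor3 = paginate_alerts(make_fake_feed(alerts), cursor2, 2, 100, cutoff_ms)
    # MAX_RECORDS bounds a single run; the cursor stops at the last full page.
    capped, capped_cursor = paginate_alerts(feed, None, 2, 3, cutoff_ms)
    return {
        "first_ids": [a["alertId"] for a in first],
        "cursor_after_first": cursor,
        "second_ids": [a["alertId"] for a in second],
        "third_ids": [a["alertId"] for a in third],
        "cursor_after_third": cursor3,
        "capped_ids": [a["alertId"] for a in capped],
        "cursor_after_capped": capped_cursor,
        "ndjson_lines": len(to_ndjson(first).splitlines()),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The same harness can be pointed at a recorded page of real alerts (saved from the curl check above) to confirm the field names `alertId` and `eventTime` match what your tenant returns before the function runs on a schedule.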
Configure environment variables
- After the function is deployed, go to Cloud Run Functions > dataminr-alert-collector.
- Click Edit and deploy new revision.
- Click the Variables and Secrets tab (or expand Runtime, build, connections and security settings for 1st gen).
- Add the following environment variables:

| Key | Example value |
|---|---|
| GCS_BUCKET | dataminr-alert-logs |
| GCS_PREFIX | dataminr_alerts |
| STATE_KEY | dataminr_state/cursor.json |
| CLIENT_ID | Your Dataminr OAuth 2.0 Client ID |
| CLIENT_SECRET | Your Dataminr OAuth 2.0 Client Secret |
| ALERT_LISTS | Comma-separated Dataminr alert list IDs |
| MAX_RECORDS | 1000 |
| PAGE_SIZE | 40 |
| LOOKBACK_HOURS | 24 |

- Click Deploy.
The same tab can expose a Secret Manager secret to the function as an environment variable. Storing CLIENT_SECRET in Secret Manager and referencing it there, rather than typing it in as a plaintext variable, keeps the secret out of the revision configuration and lets you rotate it without redeploying with a new value in clear text.
Create a Cloud Scheduler job
Cloud Scheduler publishes a message to the Pub/Sub topic on a schedule, which triggers the Cloud Run function to poll Dataminr Pulse for new alerts.
- In the Google Cloud Console, go to Cloud Scheduler.
- Click Create Job.
- Provide the following configuration details:

| Setting | Value |
|---|---|
| Name | dataminr-alert-poll |
| Region | Select the same region as your function |
| Frequency | */5 * * * * (every 5 minutes) |
| Timezone | Select your time zone (for example, UTC) |

- Click Continue.
- In the Configure the execution section:
  - Target type: select Pub/Sub
  - Topic: select dataminr-alert-trigger
  - Message body: enter {"poll": true}
- Click Create.
Verify the Cloud Run function
- In Cloud Scheduler, find the dataminr-alert-poll job.
- Click Force run to trigger an immediate execution.
- Go to Cloud Run Functions > dataminr-alert-collector > Logs.
- Confirm that the function executed successfully by checking for log entries such as:

```
Successfully obtained Dataminr access token.
Fetching page 1 (cursor: None)...
Collected 35 alerts across 1 pages.
Wrote 35 alerts to gs://dataminr-alert-logs/dataminr_alerts/20250115T103000Z.ndjson
```

- Go to Cloud Storage > Buckets > dataminr-alert-logs.
- Open the dataminr_alerts/ prefix.
- Verify that NDJSON files are being created with Dataminr alert data.
- Also confirm that dataminr_state/cursor.json exists and contains a last_cursor value. If it is missing, every run repeats the first-run lookback instead of resuming from the last alert, and the same alerts are written again.
Retrieve the Google SecOps service account and configure the feed
Google SecOps uses a unique service account to read data from your GCS bucket. You must grant this service account access to your bucket.
Get the service account email
- Go to SIEM Settings > Feeds.
- Click Add New Feed.
- Click Configure a single feed.
- In the Feed name field, enter a name for the feed (for example, Dataminr Alerts).
- Select Google Cloud Storage V2 as the Source type.
- Select Dataminr Alerts as the Log type.
- Click Get Service Account.
A unique service account email is displayed, for example:
chronicle-12345678@chronicle-gcp-prod.iam.gserviceaccount.com
Copy this email address for use in the next section.
- Click Next.
- Specify values for the following input parameters:
  - Storage bucket URL: enter the GCS bucket URI with the prefix path: gs://dataminr-alert-logs/dataminr_alerts/
  - Source deletion option: select the deletion option according to your preference:
    - Never: never delete any files after transfer (recommended for testing).
    - Delete transferred files: delete files after a successful transfer.
    - Delete transferred files and empty directories: delete files and empty directories after a successful transfer.
  - Maximum File Age: include files modified in the last number of days (default is 180 days).
  - Asset namespace: the asset namespace.
  - Ingestion labels: the label to be applied to events from this feed (for example, DATAMINR_ALERT).
- Click Next.
- Review your new feed configuration on the Finalize screen, then click Submit.
Point the feed at the dataminr_alerts/ prefix rather than the bucket root so that the cursor state file under dataminr_state/ is not ingested as log data or deleted by the source deletion option.
Grant IAM permissions to the Google SecOps service account
The Google SecOps service account requires the Storage Object Viewer role on your GCS bucket.
- Go to Cloud Storage > Buckets.
- Click the name of your bucket (for example, dataminr-alert-logs).
- Open the Permissions tab.
- Click Grant access.
- Provide the following configuration details:
  - Add principals: paste the Google SecOps service account email.
  - Assign roles: select Storage Object Viewer.
- Click Save.
If you selected a source deletion option other than Never, the feed also needs permission to delete objects, which Storage Object Viewer does not include.
UDM mapping table
| Log field | UDM mapping | Logic |
|---|---|---|
| alertId | metadata.product_log_id | Value copied directly |
| alertType.color | about.labels.alertType_color | Value copied directly |
| alertType.id | about.labels.alertType_id | Value copied directly |
| alertType.name | about.labels.alertType_name | Value copied directly |
| availableRelatedAlerts | about.labels.availableRelatedAlerts | Converted to string |
| text | metadata.description | Value copied directly |
| cat.name | security_result.category_details | Value copied directly |
| cat.id | security_result.detection_fields.categories_id | Value copied directly |
| cat.idStr | security_result.detection_fields.categories_idStr | Value copied directly |
| cat.path | security_result.detection_fields.categories_path | Value copied directly |
| cat.requested | security_result.detection_fields.categories_requested | Value copied directly |
| cat.retired | security_result.detection_fields.categories_retired | Converted to string |
| cat.topicType | about.labels.categories_topicType | Value copied directly |
| cat.name | security_result.category | Set to POLICY_VIOLATION if cat.name == "Cybersecurity - Policy"; NETWORK_MALICIOUS if in ["Cybersecurity - Threats & Vulnerabilities", "Cybersecurity - Crime & Malicious Activity", "Threats & Precautions", "Threats"]; NETWORK_SUSPICIOUS if =~ "Cybersecurity"; MAIL_PHISHING if =~ "Email and Web Servers"; DATA_EXFILTRATION if =~ "Data Exposure and Breaches"; POLICY_VIOLATION if =~ "Government, Policy, & Political Affairs"; PHISHING if =~ "(Malware |
| comp.dm_bucket.name | security_result.about.resource.attribute.labels.dm_bucket_%{bucket.id} | Value copied directly |
| comp.dm_sector.name | security_result.about.resource.attribute.labels.dm_sector_%{sector.id} | Value copied directly |
| comp.id | security_result.about.resource.attribute.labels.companies_id | Value copied directly |
| comp.idStr | security_result.about.resource.attribute.labels.companies_idStr | Value copied directly |
| comp.locations.city | security_result.about.location.city | Value from loc.city if loc_index == 0 |
| comp.locations.country, comp.locations.state.symbol | security_result.about.location.country_or_region | Joined as %{loc.country} - %{loc.state.symbol} if loc_index == 0 and both are non-empty |
| comp.locations.postalCode | security_result.about.resource.attribute.labels.locations_postalCode | Value copied directly if loc_index == 0 and non-empty |
| comp.locations.state.name | security_result.about.location.state | Value copied directly if loc_index == 0 |
| comp.locations.city | about.labels.loc_%{loc_index}_city | Value copied directly if loc_index != 0 and non-empty |
| comp.locations.country, comp.locations.state.symbol | about.labels.loc_%{loc_index}_country_or_region | Joined as %{loc.country} - %{loc.state.symbol} if loc_index != 0 and both are non-empty |
| comp.locations.postalCode | security_result.about.resource.attribute.labels.locations_%{loc_index}_postalCode | Value copied directly if loc_index != 0 and non-empty |
| comp.locations.state.name | about.labels.loc_%{loc_index}_state_name | Value copied directly if loc_index != 0 and non-empty |
| comp.name | security_result.about.resource.name | Value copied directly |
| comp.requested | security_result.about.resource.attribute.labels.companies_requested | Value copied directly |
| comp.retired | security_result.about.resource.attribute.labels.companies_retired | Converted to string |
| comp.ticker | security_result.about.resource.attribute.labels.companies_ticker | Value copied directly |
| comp.topicType | security_result.about.resource.attribute.labels.companies_topicType | Value copied directly |
| eventLocation.coordinates.0 | principal.location.region_coordinates.latitude | Value copied directly |
| eventLocation.coordinates.1 | principal.location.region_coordinates.longitude | Value copied directly |
| eventLocation.name | principal.location.name | Value copied directly |
| eventLocation.places | principal.labels.location_places | Joined from array with comma separator |
| eventLocation.probability | principal.labels.eventLocation_probability | Converted to string |
| eventLocation.radius | principal.labels.eventLocation_radius | Converted to string |
| eventMapLargeURL | principal.labels.eventMapLargeURL | Value copied directly |
| eventMapSmallURL | principal.labels.eventMapSmallURL | Value copied directly |
| eventTime | @timestamp | Converted from epoch ms to timestamp |
| eventVolume | about.labels.eventVolume | Converted to string |
| expandAlertURL | metadata.url_back_to_product | Value copied directly |
| expandMapURL | principal.labels.expandMapURL | Value copied directly |
| headerColor | about.labels.headerColor | Value copied directly |
| headerLabel | about.labels.headerLabel | Value copied directly |
| metadata.cyber.addresses.ip | principal.ip | Extracted using a grok pattern if index == 0 |
| metadata.cyber.addresses.port | principal.port | Value copied directly if index == 0, converted to integer |
| metadata.cyber.addresses.port | principal.labels.addresses_%{index}_port | Value copied directly if index != 0 |
| metadata.cyber.addresses.version | principal.labels.metadata_cyber_addresses_%{index}_version | Value copied directly |
| metadata.cyber.asns | network.asn | Value copied directly if index == 0 |
| metadata.cyber.asns | about.labels.metadata_cyber_%{index}_asn | Value copied directly if index != 0 |
| metadata.cyber.hashValues.value | security_result.about.file.sha1 | Value copied directly if type == SHA1, lowercased |
| metadata.cyber.hashValues.value | security_result.about.file.sha256 | Value copied directly if type == SHA256, lowercased |
| metadata.cyber.malwares | security_result.associations.name | Value copied directly |
| metadata.cyber.malwares | security_result.associations.type | Set to MALWARE |
| metadata.cyber.orgs | network.organization_name | Value copied directly if index == 0 |
| metadata.cyber.orgs | about.labels.metadata_cyber_%{index}_orgs | Value copied directly if index != 0 |
| metadata.cyber.products | principal.application | Value copied directly if index == 0 |
| metadata.cyber.products | principal.labels.metadata_cyber_products_%{index} | Value copied directly if index != 0 |
| metadata.cyber.threats | security_result.threat_name | Value copied directly if index == 0 |
| metadata.cyber.threats | security_result.about.labels.metadata_cyber_threats_%{index} | Value copied directly if index != 0 |
| metadata.cyber.URLs | security_result.about.url | Value copied directly if index == 0 |
| metadata.cyber.URLs | security_result.about.labels.url_%{index} | Value copied directly if index != 0 |
| metadata.cyber.malwares.0 | security_result.category | Set to SOFTWARE_MALICIOUS if present |
| metadata.cyber.vulnerabilities.cvss | extensions.vulns.vulnerabilities.cvss_base_score | Value copied directly |
| metadata.cyber.vulnerabilities.exploitPocLinks | extensions.vulns.vulnerabilities.cve_description | Joined from array with "\n" separator |
| metadata.cyber.vulnerabilities.id | extensions.vulns.vulnerabilities.cve_id | Value copied directly |
| metadata.cyber.vulnerabilities.products.productName | extensions.vulns.vulnerabilities.about.application | Value copied directly if index == 0 |
| metadata.cyber.vulnerabilities.products.productVendor | extensions.vulns.vulnerabilities.vendor | Value copied directly if index == 0 |
| metadata.cyber.vulnerabilities.products.productVersion | extensions.vulns.vulnerabilities.about.platform_version | Value copied directly if index == 0, spaces removed |
| metadata.cyber.vulnerabilities.products.productName | extensions.vulns.vulnerabilities.about.labels.productName_%{index} | Value copied directly if index != 0 |
| metadata.cyber.vulnerabilities.products.productVendor | extensions.vulns.vulnerabilities.about.labels.productVendor_%{index} | Value copied directly if index != 0 |
| metadata.cyber.vulnerabilities.products.productVersion | extensions.vulns.vulnerabilities.about.labels.productVersion_%{index} | Value copied directly if index != 0, spaces removed |
| parentAlertId | about.labels.parentAlertId | Value copied directly |
| post.languages.lang | target.labels.post_languages_lang_%{index} | Value copied directly |
| post.languages.position | target.labels.post_languages_position_%{index} | Converted to string |
| post.link | target.labels.post_link | Value copied directly |
| post.media.link | principal.resource.name | Value copied directly if index == 0 |
| post.media.description | target.resource.attribute.labels.post_media_description | Value copied directly if index == 0 |
| post.media.display_url | target.resource.attribute.labels.post_media_display_url | Value copied directly if index == 0 |
| post.media.isSafe | target.resource.attribute.labels.post_media_isSafe | Converted to string if index == 0 |
| post.media.media_url | target.resource.attribute.labels.post_media_media_url | Value copied directly if index == 0 |
| post.media.sizes.large.h | target.resource.attribute.labels.post_media_sizes_large_h | Converted to string if index == 0 |
| post.media.sizes.large.resize | target.resource.attribute.labels.post_media_sizes_large_resize | Value copied directly if index == 0 |
| post.media.sizes.large.w | target.resource.attribute.labels.post_media_sizes_large_w | Converted to string if index == 0 |
| post.media.sizes.medium.h | target.resource.attribute.labels.post_media_sizes_medium_h | Converted to string if index == 0 |
| post.media.sizes.medium.resize | target.resource.attribute.labels.post_media_sizes_medium_resize | Value copied directly if index == 0 |
| post.media.sizes.medium.w | target.resource.attribute.labels.post_media_sizes_medium_w | Converted to string if index == 0 |
| post.media.sizes.small.h | target.resource.attribute.labels.post_media_sizes_small_h | Converted to string if index == 0 |
| post.media.sizes.small.resize | target.resource.attribute.labels.post_media_sizes_small_resize | Value copied directly if index == 0 |
| post.media.sizes.small.w | target.resource.attribute.labels.post_media_sizes_small_w | Converted to string if index == 0 |
| post.media.sizes.thumb.h | target.resource.attribute.labels.post_media_sizes_thumb_h | Converted to string if index == 0 |
| post.media.sizes.thumb.resize | target.resource.attribute.labels.post_media_sizes_thumb_resize | Value copied directly if index == 0 |
| post.media.sizes.thumb.w | target.resource.attribute.labels.post_media_sizes_thumb_w | Converted to string if index == 0 |
| post.media.source | target.resource.attribute.labels.post_media_source | Value copied directly if index == 0 |
| post.media.thumbnail | target.resource.attribute.labels.post_media_thumbnail | Value copied directly if index == 0 |
| post.media.title | target.resource.attribute.labels.post_media_title | Value copied directly if index == 0 |
| post.media.url | target.resource.attribute.labels.post_media_url | Value copied directly if index == 0 |
| post.media.video_info.duration_millis | target.resource.attribute.labels.post_media_video_info_duration_millis | Converted to string if index == 0 |
| post.media.video_info.aspect_ratio | target.resource.attribute.labels.post_media_video_info_aspect_ratio | Joined as %{med.video_info.aspect_ratio.0}, %{med.video_info.aspect_ratio.1} if index == 0 |
| post.media.video_info.variants.bitrate | target.resource.attribute.labels.post_media_video_info_variants_bitrate_%{var_index} | Converted to string |
| post.media.video_info.variants.content_type | target.resource.attribute.labels.post_media_video_info_variants_content_type_%{var_index} | Value copied directly |
| post.media.video_info.variants.url | target.resource.attribute.labels.post_media_video_info_variants_url_%{var_index} | Value copied directly |
| post.media.type | principal.resource.resource_subtype | Value copied directly if index == 0 |
| post.media.link | about.resource.name | Value copied directly if index != 0 |
| post.media.description | about.resource.attribute.labels.post_media_description | Value copied directly if index != 0 |
| post.media.display_url | about.resource.attribute.labels.post_media_display_url | Value copied directly if index != 0 |
| post.media.isSafe | about.resource.attribute.labels.post_media_isSafe | Converted to string if index != 0 |
| post.media.media_url | about.resource.attribute.labels.post_media_media_url | Value copied directly if index != 0 |
| post.media.sizes.large.h | about.resource.attribute.labels.post_media_sizes_large_h | Converted to string if index != 0 |
| post.media.sizes.large.resize | about.resource.attribute.labels.post_media_sizes_large_resize | Value copied directly if index != 0 |
| post.media.sizes.large.w | about.resource.attribute.labels.post_media_sizes_large_w | Converted to string if index != 0 |
| post.media.sizes.medium.h | about.resource.attribute.labels.post_media_sizes_medium_h | Converted to string if index != 0 |
| post.media.sizes.medium.resize | about.resource.attribute.labels.post_media_sizes_medium_resize | Value copied directly if index != 0 |
| post.media.sizes.medium.w | about.resource.attribute.labels.post_media_sizes_medium_w | Converted to string if index != 0 |
| post.media.sizes.small.h | about.resource.attribute.labels.post_media_sizes_small_h | Converted to string if index != 0 |
| post.media.sizes.small.resize | about.resource.attribute.labels.post_media_sizes_small_resize | Value copied directly if index != 0 |
| post.media.sizes.small.w | about.resource.attribute.labels.post_media_sizes_small_w | Converted to string if index != 0 |
| post.media.sizes.thumb.h | about.resource.attribute.labels.post_media_sizes_thumb_h | Converted to string if index != 0 |
| post.media.sizes.thumb.resize | about.resource.attribute.labels.post_media_sizes_thumb_resize | Value copied directly if index != 0 |
| post.media.sizes.thumb.w | about.resource.attribute.labels.post_media_sizes_thumb_w | Converted to string if index != 0 |
| post.media.source | about.resource.attribute.labels.post_media_source | Value copied directly if index != 0 |
| post.media.thumbnail | about.resource.attribute.labels.post_media_thumbnail | Value copied directly if index != 0 |
| post.media.title | about.resource.attribute.labels.post_media_title | Value copied directly if index != 0 |
| post.media.url | about.resource.attribute.labels.post_media_url | Value copied directly if index != 0 |
| post.media.video_info.duration_millis | about.resource.attribute.labels.post_media_video_info_duration_millis | Converted to string if index != 0 |
| post.media.video_info.aspect_ratio | about.resource.attribute.labels.post_media_video_info_aspect_ratio | Joined as %{med.video_info.aspect_ratio.0}, %{med.video_info.aspect_ratio.1} if index != 0 |
| post.media.video_info.variants.bitrate | about.resource.attribute.labels.post_media_video_info_variants_bitrate_%{var_index} | Converted to string |
| post.media.video_info.variants.content_type | about.resource.attribute.labels.post_media_video_info_variants_content_type_%{var_index} | Value copied directly |
| post.media.video_info.variants.url | about.resource.attribute.labels.post_media_video_info_variants_url_%{var_index} | Value copied directly |
| post.media.type | about.resource.resource_subtype | Value copied directly if index != 0 |
| post.translatedText | target.labels.post_translatedText | Value copied directly |
| post.text | target.labels.post_text | Value copied directly |
| post.timestamp | target.resource.attribute.creation_time | Converted from epoch ms to timestamp |
| publisherCategory.color | target.labels.publisherCategory_color | Value copied directly |
| publisherCategory.name | target.labels.publisherCategory_name | Value copied directly |
| publisherCategory.shortName | target.labels.publisherCategory_shortName | Value copied directly |
| relatedTerms.url | principal.labels.relatedTerms_%{terms.text} | Value copied directly |
| relatedTermsQueryURL | principal.labels.relatedTermsQueryURL | Value copied directly |
| sect.id | about.labels.sectors_id | Value copied directly |
| sect.idStr | about.labels.sectors_idStr | Value copied directly |
| sect.name | about.labels.sectors_name | Value copied directly |
| sect.retired | about.labels.sectors_retired | Converted to string |
| sect.topicType | about.labels.sectors_topicType | Value copied directly |
| source.channels.0 | principal.application | Value copied directly |
| source.displayName | principal.user.user_display_name | Value copied directly |
| source.link | principal.url | Value copied directly |
| source.verified | principal.labels.source_verified | Converted to string |
| subCaption.bullets.content | about.labels.subCaption_bullets_content | Value copied directly |
| subCaption.bullets.media | about.labels.subCaption_bullets_media | Value copied directly |
| subCaption.bullets.source | about.labels.subCaption_bullets_source | Value copied directly |
| watchlist.id | about.labels.watchlistsMatchedByType_id | Value copied directly |
| watchlist.externalTopicIds | about.labels.watchlistsMatchedByType_externalTopicIds | Joined from array with comma separator |
| watchlist.name | about.labels.watchlistsMatchedByType_name | Value copied directly |
| watchlist.type | about.labels.watchlistsMatchedByType_type | Value copied directly |
| watchlist.userProperties.omnilist | about.labels.watchlistsMatchedByType_userProperties_omnilist | Value copied directly |
| watchlist.userProperties.uiListType | about.labels.watchlistsMatchedByType_userProperties_uiListType | Value copied directly |
| watchlist.userProperties.watchlistColor | about.labels.watchlistsMatchedByType_userProperties_watchlistColor | Value copied directly |
| watchlist.locationGroups.locations.id | about.labels.watchlistsMatchedByType_locationGroups_%{lg_i}_locations_id_%{loc_i} | Value copied directly |
| watchlist.locationGroups.locations.lng | about.labels.watchlistsMatchedByType_locationGroups_%{lg_i}_locations_lng_%{loc_i} | Converted to string if lg_i != 0 or loc_i != 0 |
| watchlist.locationGroups.locations.lat | about.labels.watchlistsMatchedByType_locationGroups_%{lg_i}_locations_lat_%{loc_i} | Converted to string if lg_i != 0 or loc_i != 0 |
| watchlist.locationGroups.locations.name | about.labels.watchlistsMatchedByType_locationGroups_%{lg_i}_locations_name_%{loc_i} | Value copied directly if lg_i != 0 or loc_i != 0 |
| watchlist.locationGroups.id | about.labels.watchlistsMatchedByType_locationGroups_id_%{lg_i} | Value copied directly |
| watchlist.locationGroups.name | about.labels.watchlistsMatchedByType_locationGroups_name_%{lg_i} | Value copied directly |
| watchlist.locationGroups.locations.lng | about.location.region_coordinates.longitude | Value copied directly if lg_i == 0 and loc_i == 0 |
| watchlist.locationGroups.locations.lat | about.location.region_coordinates.latitude | Value copied directly if lg_i == 0 and loc_i == 0 |
| watchlist.locationGroups.locations.name | about.location.name | Value copied directly if lg_i == 0 and loc_i == 0 |
| source.entityName | principal.hostname | Value copied directly |
| | metadata.event_type | Set to "GENERIC_EVENT"; changed to "SCAN_HOST" if principal.ip or principal.hostname is non-empty |
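To see what a raw Dataminr alert turns into once the rules above are applied, and therefore which UDM fields a detection rule can key on, here is an added example that implements a subset of the table in plain Python. It is not the Google SecOps parser and does not claim to reproduce it exactly: it covers the alertId, text, expandAlertURL, eventTime, cat.name, metadata.cyber.addresses, hashValues, malwares, source.entityName and metadata.event_type rows. The sample alert is constructed; the choice to use the first category entry for the category rule, and to let the SOFTWARE_MALICIOUS rule win when a malware name is present, are assumptions, and the PHISHING regex that is cut off in the table is omitted.

```python
"""Apply a subset of the UDM mapping table to one constructed Dataminr alert.

Added example, not the Google SecOps parser. Output keys are dotted UDM paths.
"""
import json
import re
from datetime import datetime, timezone

NETWORK_MALICIOUS_NAMES = {
    "Cybersecurity - Threats & Vulnerabilities",
    "Cybersecurity - Crime & Malicious Activity",
    "Threats & Precautions",
    "Threats",
}


def category_for_cat_name(name: str):
    """security_result.category from cat.name, checked in the table's order.
    The trailing PHISHING regex is truncated in the table and is not implemented."""
    if name == "Cybersecurity - Policy":
        return "POLICY_VIOLATION"
    if name in NETWORK_MALICIOUS_NAMES:
        return "NETWORK_MALICIOUS"
    if re.search("Cybersecurity", name):
        return "NETWORK_SUSPICIOUS"
    if re.search("Email and Web Servers", name):
        return "MAIL_PHISHING"
    if re.search("Data Exposure and Breaches", name):
        return "DATA_EXFILTRATION"
    if re.search("Government, Policy, & Political Affairs", name):
        return "POLICY_VIOLATION"
    return None


def map_alert_to_udm(alert: dict) -> dict:
    udm = {}
    if "alertId" in alert:
        udm["metadata.product_log_id"] = alert["alertId"]
    if "text" in alert:
        udm["metadata.description"] = alert["text"]
    if "expandAlertURL" in alert:
        udm["metadata.url_back_to_product"] = alert["expandAlertURL"]
    if "eventTime" in alert:  # epoch milliseconds -> timestamp
        udm["@timestamp"] = datetime.fromtimestamp(
            alert["eventTime"] / 1000, tz=timezone.utc).isoformat()

    # cat.name: first category entry is used here (assumption)
    categories = alert.get("categories") or []
    if categories:
        cat = category_for_cat_name(categories[0].get("name", ""))
        if cat:
            udm["security_result.category"] = cat

    cyber = (alert.get("metadata") or {}).get("cyber") or {}
    addresses = cyber.get("addresses") or []
    if addresses:  # index 0 feeds principal.ip / principal.port
        if "ip" in addresses[0]:
            udm["principal.ip"] = addresses[0]["ip"]
        if "port" in addresses[0]:
            udm["principal.port"] = int(addresses[0]["port"])
    for h in cyber.get("hashValues") or []:  # SHA1 / SHA256, lowercased
        if h.get("type") == "SHA1":
            udm["security_result.about.file.sha1"] = h["value"].lower()
        elif h.get("type") == "SHA256":
            udm["security_result.about.file.sha256"] = h["value"].lower()
    malwares = cyber.get("malwares") or []
    if malwares:
        udm["security_result.associations"] = [
            {"name": m, "type": "MALWARE"} for m in malwares]
        # malwares.0 present -> SOFTWARE_MALICIOUS (assumed to override cat.name)
        udm["security_result.category"] = "SOFTWARE_MALICIOUS"

    entity = (alert.get("source") or {}).get("entityName")
    if entity:
        udm["principal.hostname"] = entity

    # GENERIC_EVENT unless a principal ip or hostname was populated
    has_principal = bool(udm.get("principal.ip") or udm.get("principal.hostname"))
    udm["metadata.event_type"] = "SCAN_HOST" if has_principal else "GENERIC_EVENT"
    return udm


# Constructed sample alert; values are placeholders, not real Dataminr data.
SAMPLE_ALERT = {
    "alertId": "1234567890-abc",
    "eventTime": 1736937000000,  # 2025-01-15T10:30:00Z
    "text": "Ransomware group claims intrusion at example-corp.test",
    "expandAlertURL": "https://app.dataminr.com/#alertDetail/5/1234567890-abc",
    "categories": [{"name": "Cybersecurity - Threats & Vulnerabilities", "id": 1}],
    "source": {"entityName": "threat-feed.example"},
    "metadata": {"cyber": {
        "addresses": [{"ip": "203.0.113.7", "port": "8443", "version": "v4"}],
        "hashValues": [{"type": "SHA256", "value": "ABCDEF0123456789" * 4}],
        "malwares": ["ExampleLocker"],
    }},
}

if __name__ == "__main__":
    print(json.dumps(map_alert_to_udm(SAMPLE_ALERT), indent=2))
```

Running the block shows that the sample lands as a SCAN_HOST event with principal.ip 203.0.113.7, a lowercased sha256 and a MALWARE association, which is the shape a YARA-L rule would match on; the truncated PHISHING regex in the table is the one rule you would need to confirm in the live parser before depending on it.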