Collect Google Cloud IDS logs
This document describes how to enable Google Cloud telemetry ingestion into Google Security Operations to collect Google Cloud IDS logs, and how the Google Cloud IDS log fields map to Google Security Operations Unified Data Model (UDM) fields.
For more information, see Data ingestion to Google Security Operations.
A typical deployment enables Google Cloud IDS logs for ingestion into Google Security Operations. Each customer deployment may differ from this representation and may be more complex.
The deployment consists of the following components:
- Google Cloud: The Google Cloud services and products from which you collect logs.
- Google Cloud IDS logs: Google Cloud IDS logs that are enabled for ingestion into Google Security Operations.
- Google Security Operations: Google Security Operations retains and analyzes the logs from Google Cloud IDS.
An ingestion label identifies the parser that normalizes raw log data into the structured UDM format. The information in this document applies to the parser with the GCP_IDS ingestion label.
Before you begin
- Ensure that all systems in the deployment architecture are configured with the UTC time zone.
Configure Google Cloud to ingest Google Cloud IDS logs
To ingest Google Cloud IDS logs into Google Security Operations, follow the steps on the Ingest Google Cloud logs to Google Security Operations page.
If you encounter issues when ingesting Google Cloud IDS logs, contact Google Security Operations support.
Supported Google Cloud IDS log formats
The Google Cloud IDS parser supports logs in JSON format.
Supported Google Cloud IDS log sample
- JSON:

```json
{
  "insertId": "5cb7ac422679042bcd8f0a84700c23c0-1@a1",
  "jsonPayload": {
    "alert_severity": "INFORMATIONAL",
    "alert_time": "2021-09-08T12:10:19Z",
    "application": "ssl",
    "category": "protocol-anomaly",
    "destination_ip_address": "198.51.100.0",
    "destination_port": "443",
    "details": "This signature detects suspicious and non-RFC compliant SSL traffic on port 443. This could be associated with applications sending non SSL traffic using port 443 or indicate possible malicious activity.",
    "direction": "client-to-server",
    "ip_protocol": "tcp",
    "name": "Non-RFC Compliant SSL Traffic on Port 443",
    "network": "abcd-prod-pod111-shared",
    "repeat_count": "1",
    "session_id": "1457377",
    "source_ip_address": "198.51.100.0",
    "source_port": "62543",
    "threat_id": "56112",
    "type": "vulnerability",
    "uri_or_filename": ""
  },
  "logName": "projects/abcd-prod-mnop-pod555-infra/logs/ids.googleapis.com%2Fthreat",
  "receiveTimestamp": "2021-09-08T12:10:23.953458826Z",
  "resource": {
    "labels": {
      "id": "abcd-prod-mnop-pod555-cloudidsendpoint-info",
      "location": "us-central1-a",
      "resource_container": "projects/158110290042"
    },
    "type": "ids.googleapis.com/Endpoint"
  },
  "timestamp": "2021-09-08T12:10:19Z"
}
```
Field mapping reference
Field mapping reference: GCP_IDS
The following table lists the log fields of the GCP_IDS log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic | 
|---|---|---|
| insertId | metadata.product_log_id | |
| jsonPayload.alert_severity | security_result.severity | |
| jsonPayload.alert_time | metadata.event_timestamp | |
| jsonPayload.application | principal.application | If the `jsonPayload.direction` log field value is equal to `server-to-client`, then the `jsonPayload.application` log field is mapped to the `principal.application` UDM field. |
| jsonPayload.application | target.application | If the `jsonPayload.direction` log field value is equal to `client-to-server` or the `logName` log field value matches the regular expression pattern `traffic`, then the `jsonPayload.application` log field is mapped to the `target.application` UDM field. |
| jsonPayload.category | security_result.category_details | |
| jsonPayload.cves | extensions.vulns.vulnerabilities.cve_id | If the `jsonPayload.cves` log field value is not empty, then the `jsonPayload.cves` log field is mapped to the `extensions.vulns.vulnerabilities.cve_id` UDM field. |
| jsonPayload.destination_ip_address | target.ip | |
| jsonPayload.destination_port | target.port | |
| jsonPayload.details | extensions.vulns.vulnerabilities.description | If the `jsonPayload.cves` log field value is not empty, then the `jsonPayload.details` log field is mapped to the `extensions.vulns.vulnerabilities.description` UDM field. |
| jsonPayload.direction | network.direction | If the `jsonPayload.direction` log field value is equal to `client-to-server`, then the `network.direction` UDM field is set to `OUTBOUND`. Else, if the `jsonPayload.direction` log field value is equal to `server-to-client`, then the `network.direction` UDM field is set to `INBOUND`. |
| jsonPayload.elapsed_time | network.session_duration.seconds | |
| jsonPayload.ip_protocol | network.ip_protocol | If the `jsonPayload.ip_protocol` log field value contains one of the values handled by the parser, then the `network.ip_protocol` UDM field is set to the corresponding protocol: `ICMP`, `IGMP`, `TCP`, `UDP`, `IP6IN4`, `GRE`, `ESP`, `EIGRP`, `ETHERIP`, `PIM`, or `VRRP`. |
| jsonPayload.name | security_result.threat_name | |
| jsonPayload.network | target.resource.name | If the `jsonPayload.direction` log field value is equal to `client-to-server` or the `logName` log field value matches the regular expression pattern `traffic`, then the `jsonPayload.network` log field is mapped to the `target.resource.name` UDM field. |
| jsonPayload.network | principal.resource.name | If the `jsonPayload.direction` log field value is equal to `server-to-client`, then the `jsonPayload.network` log field is mapped to the `principal.resource.name` UDM field. |
|  | target.resource.resource_type | If the `jsonPayload.direction` log field value is equal to `client-to-server` or the `logName` log field value matches the regular expression pattern `traffic`, then the `target.resource.resource_type` UDM field is set to `VPC_NETWORK`. |
|  | principal.resource.resource_type | If the `jsonPayload.direction` log field value is equal to `server-to-client`, then the `principal.resource.resource_type` UDM field is set to `VPC_NETWORK`. |
| jsonPayload.repeat_count | security_result.detection_fields[repeat_count] | |
| jsonPayload.session_id | network.session_id | |
| jsonPayload.source_ip_address | principal.ip | |
| jsonPayload.source_port | principal.port | |
| jsonPayload.start_time | about.labels[start_time](deprecated) | |
| jsonPayload.start_time | additional.fields[start_time] | |
| jsonPayload.threat_id | security_result.threat_id | |
| jsonPayload.total_bytes | about.labels[total_bytes](deprecated) | |
| jsonPayload.total_bytes | additional.fields[total_bytes] | |
| jsonPayload.total_packets | about.labels[total_packets](deprecated) | |
| jsonPayload.total_packets | additional.fields[total_packets] | |
| jsonPayload.type | security_result.detection_fields[type] | |
| jsonPayload.uri_or_filename | target.file.full_path | |
| logName | security_result.category_details | |
| receiveTimestamp | metadata.collected_timestamp | |
| resource.labels.id | observer.resource.product_object_id | |
| resource.labels.location | observer.location.name | |
| resource.labels.resource_container | observer.resource.name | |
| resource.type | observer.resource.resource_subtype | |
| timestamp | metadata.event_timestamp | If the `logName` log field value matches the regular expression pattern `traffic`, then the `timestamp` log field is mapped to the `metadata.event_timestamp` UDM field. |
|  | observer.resource.resource_type | The `observer.resource.resource_type` UDM field is set to `CLOUD_PROJECT`. |
|  | observer.resource.attribute.cloud.environment | The `observer.resource.attribute.cloud.environment` UDM field is set to `GOOGLE_CLOUD_PLATFORM`. |
|  | security_result.category | If the `jsonPayload.category` log field value is equal to `dos`, then the `security_result.category` UDM field is set to `NETWORK_DENIAL_OF_SERVICE`. Else, if the `jsonPayload.category` log field value is equal to `info-leak`, then the `security_result.category` UDM field is set to `NETWORK_SUSPICIOUS`. Else, if the `jsonPayload.category` log field value is equal to `protocol-anomaly`, then the `security_result.category` UDM field is set to `NETWORK_MALICIOUS`. Else, if the `jsonPayload.category` log field value contains one of the other values handled by the parser, then the `security_result.category` UDM field is set to `SOFTWARE_MALICIOUS`. |
|  | extensions.vulns.vulnerabilities.vendor | If the `jsonPayload.cves` log field value is not empty, then the `extensions.vulns.vulnerabilities.vendor` UDM field is set to `GCP_IDS`. |
|  | metadata.product_name | The `metadata.product_name` UDM field is set to `GCP_IDS`. |
|  | metadata.vendor_name | The `metadata.vendor_name` UDM field is set to `Google Cloud Platform`. |
|  | metadata.event_type | If the `jsonPayload.cves` log field value is not empty, then the `metadata.event_type` UDM field is set to `SCAN_VULN_NETWORK`. Else, if the `jsonPayload.source_ip_address` log field value is not empty, then the `metadata.event_type` UDM field is set to `SCAN_NETWORK`. Else, the `metadata.event_type` UDM field is set to `GENERIC_EVENT`. |
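As an added worked example (not the Google SecOps parser and not code from this page), the following Python applies the mapping logic from the table above to the entry shown in the "Supported Google Cloud IDS log sample" section, so that you can check what a detection rule will see in UDM for a given Cloud IDS alert. The sample entry is embedded inline with its `details` text abbreviated. Three points are assumptions, because the page does not specify them: that `jsonPayload.ip_protocol` carries the lowercase protocol name (`tcp`, `udp`, ...), that `spyware` and `virus` stand in for the unlisted categories mapped to `SOFTWARE_MALICIOUS`, and the placeholder CVE id used in the constructed `inbound_variant()` record that exercises the `server-to-client` and `cves` branches. The deprecated `about.labels` duplicates are left out in favour of `additional.fields`.

```python
import re

# Sample entry from the page's "Supported Google Cloud IDS log sample" section ("details" abbreviated).
SAMPLE_THREAT_LOG = {
    "insertId": "5cb7ac422679042bcd8f0a84700c23c0-1@a1",
    "jsonPayload": {
        "alert_severity": "INFORMATIONAL", "alert_time": "2021-09-08T12:10:19Z",
        "application": "ssl", "category": "protocol-anomaly", "direction": "client-to-server",
        "destination_ip_address": "198.51.100.0", "destination_port": "443",
        "details": "This signature detects suspicious and non-RFC compliant SSL traffic on port 443.",
        "ip_protocol": "tcp", "name": "Non-RFC Compliant SSL Traffic on Port 443",
        "network": "abcd-prod-pod111-shared", "repeat_count": "1", "session_id": "1457377",
        "source_ip_address": "198.51.100.0", "source_port": "62543", "threat_id": "56112",
        "type": "vulnerability", "uri_or_filename": "",
    },
    "logName": "projects/abcd-prod-mnop-pod555-infra/logs/ids.googleapis.com%2Fthreat",
    "receiveTimestamp": "2021-09-08T12:10:23.953458826Z",
    "resource": {"type": "ids.googleapis.com/Endpoint", "labels": {"location": "us-central1-a",
                 "id": "abcd-prod-mnop-pod555-cloudidsendpoint-info", "resource_container": "projects/158110290042"}},
    "timestamp": "2021-09-08T12:10:19Z",
}

# One-to-one copies from jsonPayload (the deprecated about.labels duplicates are omitted).
DIRECT = {
    "alert_severity": "security_result.severity", "alert_time": "metadata.event_timestamp",
    "name": "security_result.threat_name", "threat_id": "security_result.threat_id",
    "session_id": "network.session_id", "elapsed_time": "network.session_duration.seconds",
    "source_ip_address": "principal.ip", "source_port": "principal.port",
    "destination_ip_address": "target.ip", "destination_port": "target.port",
    "uri_or_filename": "target.file.full_path", "type": "security_result.detection_fields.type",
    "repeat_count": "security_result.detection_fields.repeat_count",
    "start_time": "additional.fields.start_time", "total_bytes": "additional.fields.total_bytes",
    "total_packets": "additional.fields.total_packets",
}
OBSERVER = {"id": "observer.resource.product_object_id", "location": "observer.location.name",
            "resource_container": "observer.resource.name"}
IP_PROTOCOLS = {"ICMP", "IGMP", "TCP", "UDP", "IP6IN4", "GRE", "ESP", "EIGRP", "ETHERIP", "PIM", "VRRP"}
# The page names dos, info-leak and protocol-anomaly explicitly; "spyware" and "virus" are
# assumed stand-ins for the unlisted categories that map to SOFTWARE_MALICIOUS.
CATEGORY_MAP = {"dos": "NETWORK_DENIAL_OF_SERVICE", "info-leak": "NETWORK_SUSPICIOUS",
                "protocol-anomaly": "NETWORK_MALICIOUS",
                "spyware": "SOFTWARE_MALICIOUS", "virus": "SOFTWARE_MALICIOUS"}


def to_udm(entry: dict) -> dict:
    """Map one Cloud IDS log entry to a flat dict keyed by dotted UDM path."""
    p = entry.get("jsonPayload", {})
    log_name = entry.get("logName", "")
    traffic = re.search("traffic", log_name) is not None
    direction = p.get("direction")
    udm = {"metadata.product_name": "GCP_IDS", "metadata.vendor_name": "Google Cloud Platform",
           "observer.resource.resource_type": "CLOUD_PROJECT",
           "observer.resource.attribute.cloud.environment": "GOOGLE_CLOUD_PLATFORM"}

    def put(key, value):  # copy a value only when the log actually carries one
        if value not in (None, ""):
            udm[key] = value

    for src, dst in DIRECT.items():
        put(dst, p.get(src))
    for src, dst in OBSERVER.items():
        put(dst, entry.get("resource", {}).get("labels", {}).get(src))
    put("observer.resource.resource_subtype", entry.get("resource", {}).get("type"))
    put("metadata.product_log_id", entry.get("insertId"))
    put("metadata.collected_timestamp", entry.get("receiveTimestamp"))
    if traffic:  # traffic logs use the top-level timestamp; threat logs keep alert_time
        put("metadata.event_timestamp", entry.get("timestamp"))
    udm["security_result.category_details"] = [v for v in (p.get("category"), log_name) if v]

    # Direction decides which side owns the application and the VPC network.
    if direction == "server-to-client":
        put("principal.application", p.get("application"))
        put("principal.resource.name", p.get("network"))
        udm["principal.resource.resource_type"] = "VPC_NETWORK"
        udm["network.direction"] = "INBOUND"
    if direction == "client-to-server" or traffic:
        put("target.application", p.get("application"))
        put("target.resource.name", p.get("network"))
        udm["target.resource.resource_type"] = "VPC_NETWORK"
    if direction == "client-to-server":
        udm["network.direction"] = "OUTBOUND"

    proto = str(p.get("ip_protocol", "")).upper()  # assumption: the log carries "tcp", "udp", ...
    if proto in IP_PROTOCOLS:
        udm["network.ip_protocol"] = proto
    put("security_result.category", CATEGORY_MAP.get(p.get("category", "")))

    # The vulnerability extension and the event type hinge on whether cves is present.
    if p.get("cves"):
        udm["extensions.vulns.vulnerabilities.cve_id"] = p["cves"]
        put("extensions.vulns.vulnerabilities.description", p.get("details"))
        udm["extensions.vulns.vulnerabilities.vendor"] = "GCP_IDS"
        udm["metadata.event_type"] = "SCAN_VULN_NETWORK"
    elif p.get("source_ip_address"):
        udm["metadata.event_type"] = "SCAN_NETWORK"
    else:
        udm["metadata.event_type"] = "GENERIC_EVENT"
    return udm


def inbound_variant() -> dict:
    """Constructed variant of the sample: reversed direction plus a placeholder CVE id."""
    payload = dict(SAMPLE_THREAT_LOG["jsonPayload"], direction="server-to-client",
                   cves=["CVE-0000-0000"])  # placeholder id, not a real CVE
    return dict(SAMPLE_THREAT_LOG, jsonPayload=payload)
```

Calling `to_udm(SAMPLE_THREAT_LOG)` on the page's sample yields `metadata.event_type` of `SCAN_NETWORK` (no `cves`, but a source IP), `network.direction` of `OUTBOUND`, the application and VPC network on the `target` side, and `security_result.category` of `NETWORK_MALICIOUS`; `to_udm(inbound_variant())` flips those to `SCAN_VULN_NETWORK`, `INBOUND` and the `principal` side and populates the `extensions.vulns` fields. Empty strings such as the sample's `uri_or_filename` are skipped rather than written as empty UDM values.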