Mengumpulkan log FortiCNAPP (sebelumnya Lacework)
Didukung di:
Google SecOps
SIEM
Dokumen ini menjelaskan cara menyerap log FortiCNAPP (sebelumnya dikenal sebagai Lacework) ke Google Security Operations menggunakan Google Cloud Storage V2.
FortiCNAPP adalah platform perlindungan aplikasi berbasis cloud (CNAPP) yang menyediakan pengelolaan postur keamanan cloud, perlindungan workload, dan deteksi ancaman di seluruh lingkungan multi-cloud. Lacework menghasilkan pemberitahuan, temuan kepatuhan, dan log audit yang dapat dikumpulkan melalui Lacework REST API.
Sebelum memulai
Pastikan Anda memiliki prasyarat berikut:
- Instance Google SecOps
- Project GCP dengan Cloud Storage API diaktifkan
- Izin untuk membuat dan mengelola bucket GCS
- Izin untuk mengelola kebijakan IAM di bucket GCS
- Izin untuk membuat layanan Cloud Run, topik Pub/Sub, dan tugas Cloud Scheduler
- Akses istimewa ke konsol FortiCNAPP (sebelumnya Lacework) dengan izin admin
- Akun Lacework dengan akses kunci API diaktifkan
Membuat bucket Google Cloud Storage
- Buka Konsol Google Cloud.
- Pilih project Anda atau buat project baru.
- Di menu navigasi, buka Cloud Storage > Buckets.
Klik Create bucket.
Berikan detail konfigurasi berikut:
Setelan Nilai Beri nama bucket Anda Masukkan nama yang unik secara global (misalnya, lacework-logs)Location type Pilih berdasarkan kebutuhan Anda (Region, Dual-region, Multi-region) Location Pilih lokasi (misalnya, us-central1)Kelas penyimpanan Standar (direkomendasikan untuk log yang sering diakses) Access control Seragam (direkomendasikan) Alat perlindungan Opsional: Aktifkan pembuatan versi objek atau kebijakan retensi Klik Create.
Mengumpulkan kredensial API FortiCNAPP (sebelumnya Lacework)
Buat kunci API
- Login ke konsol Lacework Anda.
- Buka Settings > Configuration > API Keys.
- Klik + Tambahkan Baru.
- Masukkan nama untuk kunci API (misalnya,
Google SecOps Integration). - Masukkan deskripsi secara opsional.
Klik Simpan.
Salin dan simpan detail berikut di tempat yang aman:
- ID Kunci: ID kunci API yang dibuat
- Secret: Rahasia API yang dibuat (hanya ditampilkan sekali)
Catat URL akun Lacework Anda dari kolom URL browser.
- Format:
https://<ACCOUNT>.lacework.net - Contoh: Jika URL konsol Lacework Anda adalah
https://acme.lacework.net, nama akun Anda adalahacme
- Format:
Verifikasi izin
Untuk memverifikasi bahwa akun memiliki izin yang diperlukan:
- Login ke konsol Lacework.
- Buka Settings > Configuration > API Keys.
- Jika Anda dapat melihat halaman Kunci API dan membuat kunci, berarti Anda memiliki izin yang diperlukan.
- Jika Anda tidak dapat melihat opsi ini, hubungi administrator Anda untuk memberikan akses tingkat admin.
Menguji akses API
Uji kredensial Anda sebelum melanjutkan integrasi:
# Replace with your actual credentials LW_ACCOUNT="your-account-name" LW_KEY_ID="your-api-key-id" LW_SECRET="your-api-secret" # Get a temporary access token TOKEN=$(curl -s -X POST "https://${LW_ACCOUNT}.lacework.net/api/v2/access/tokens" \ -H "X-LW-UAKS: ${LW_SECRET}" \ -H "Content-Type: application/json" \ -d "{\"keyId\": \"${LW_KEY_ID}\", \"expiryTime\": 3600}" | python3 -c "import sys,json; print(json.load(sys.stdin).get('token',''))") # Test API access - list alerts curl -v -H "Authorization: Bearer ${TOKEN}" \ "https://${LW_ACCOUNT}.lacework.net/api/v2/Alerts?startTime=$(date -u -v-1d +%Y-%m-%dT%H:%M:%SZ)&endTime=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
Buat akun layanan untuk Cloud Run Function
Fungsi Cloud Run memerlukan akun layanan dengan izin untuk menulis ke bucket GCS dan dipanggil oleh Pub/Sub.
Membuat akun layanan
- Di GCP Console, buka IAM & Admin > Service Accounts.
Klik Create Service Account.
Berikan detail konfigurasi berikut:
- Nama akun layanan: Masukkan
lacework-logs-collector-sa - Deskripsi akun layanan: Masukkan
Service account for Cloud Run function to collect FortiCNAPP (formerly Lacework) logs
- Nama akun layanan: Masukkan
Klik Create and Continue.
Di bagian Grant this service account access to project, tambahkan peran berikut:
- Klik Pilih peran.
- Telusuri dan pilih Storage Object Admin.
- Klik + Add another role.
- Telusuri dan pilih Cloud Run Invoker.
- Klik + Add another role.
- Telusuri dan pilih Cloud Functions Invoker.
Klik Lanjutkan.
Klik Done.
Peran ini diperlukan untuk:
- Storage Object Admin: Menulis log ke bucket GCS dan mengelola file status
- Cloud Run Invoker: Mengizinkan Pub/Sub memanggil fungsi
- Cloud Functions Invoker: Mengizinkan pemanggilan fungsi
Memberikan izin IAM pada bucket GCS
Beri akun layanan izin tulis di bucket GCS:
- Buka Cloud Storage > Buckets.
- Klik nama bucket Anda (misalnya,
lacework-logs). - Buka tab Izin.
Klik Grant access.
Berikan detail konfigurasi berikut:
- Tambahkan prinsipal: Masukkan email akun layanan (misalnya,
lacework-logs-collector-sa@PROJECT_ID.iam.gserviceaccount.com) - Tetapkan peran: Pilih Storage Object Admin
- Tambahkan prinsipal: Masukkan email akun layanan (misalnya,
Klik Simpan.
Membuat topik Pub/Sub
Buat topik Pub/Sub yang akan dipublikasikan oleh Cloud Scheduler dan akan dilanggan oleh fungsi Cloud Run.
- Di Konsol GCP, buka Pub/Sub > Topics.
Klik Create topic.
Berikan detail konfigurasi berikut:
- ID Topik: Masukkan
lacework-logs-trigger - Biarkan setelan lainnya menggunakan setelan default
- ID Topik: Masukkan
Klik Create.
Membuat fungsi Cloud Run untuk mengumpulkan log
Fungsi Cloud Run akan dipicu oleh pesan Pub/Sub dari Cloud Scheduler untuk mengambil log dari FortiCNAPP (sebelumnya Lacework) API dan menuliskannya ke GCS.
- Di GCP Console, buka Cloud Run.
- Klik Create service.
Pilih Function (gunakan editor inline untuk membuat fungsi).
Di bagian Konfigurasi, berikan detail konfigurasi berikut:
Setelan Nilai Nama layanan lacework-logs-collectorRegion Pilih region yang cocok dengan bucket GCS Anda (misalnya, us-central1)Runtime Pilih Python 3.12 atau yang lebih baru Di bagian Pemicu (opsional):
- Klik + Tambahkan pemicu.
- Pilih Cloud Pub/Sub.
- Di Select a Cloud Pub/Sub topic, pilih topik
lacework-logs-trigger. - Klik Simpan.
Di bagian Authentication:
- Pilih Wajibkan autentikasi.
- Periksa Identity and Access Management (IAM).
Scroll ke bawah dan luaskan Containers, Networking, Security.
Buka tab Security:
- Akun layanan: Pilih akun layanan
lacework-logs-collector-sa.
- Akun layanan: Pilih akun layanan
Buka tab Containers:
- Klik Variables & Secrets.
- Klik + Tambahkan variabel untuk setiap variabel lingkungan:
Nama Variabel Nilai Contoh Deskripsi GCS_BUCKETlacework-logsNama bucket GCS GCS_PREFIXlaceworkAwalan untuk file log STATE_KEYlacework/state.jsonJalur file status LW_ACCOUNTacmeNama akun Lacework LW_KEY_IDyour-api-key-idID kunci API Lacework LW_SECRETyour-api-secretRahasia API Lacework MAX_RECORDS5000Jumlah maksimum data per proses PAGE_SIZE500Catatan per halaman LOOKBACK_HOURS24Periode lihat balik awal Di bagian Variables & Secrets, scroll ke bawah ke Requests:
- Waktu tunggu permintaan: Masukkan
600detik (10 menit)
- Waktu tunggu permintaan: Masukkan
Buka tab Setelan:
- Di bagian Materi:
- Memori: Pilih 512 MiB atau yang lebih tinggi
- CPU: Pilih 1
- Di bagian Materi:
Di bagian Penskalaan revisi:
- Jumlah minimum instance: Masukkan
0 - Maximum number of instances: Masukkan
100(atau sesuaikan berdasarkan perkiraan beban)
- Jumlah minimum instance: Masukkan
Klik Create.
Tunggu hingga layanan dibuat (1-2 menit).
Setelah layanan dibuat, editor kode inline akan terbuka secara otomatis.
Menambahkan kode fungsi
- Masukkan main di kolom Entry point.
Di editor kode inline, buat dua file:
main.py:
import functions_framework from google.cloud import storage import json import os import urllib3 from datetime import datetime, timezone, timedelta import time # Initialize HTTP client with timeouts http = urllib3.PoolManager( timeout=urllib3.Timeout(connect=5.0, read=30.0), retries=False, ) # Initialize Storage client storage_client = storage.Client() # Environment variables GCS_BUCKET = os.environ.get('GCS_BUCKET') GCS_PREFIX = os.environ.get('GCS_PREFIX', 'lacework') STATE_KEY = os.environ.get('STATE_KEY', 'lacework/state.json') LW_ACCOUNT = os.environ.get('LW_ACCOUNT') LW_KEY_ID = os.environ.get('LW_KEY_ID') LW_SECRET = os.environ.get('LW_SECRET') MAX_RECORDS = int(os.environ.get('MAX_RECORDS', '5000')) PAGE_SIZE = int(os.environ.get('PAGE_SIZE', '500')) LOOKBACK_HOURS = int(os.environ.get('LOOKBACK_HOURS', '24')) # Lacework API base URL API_BASE_TEMPLATE = 'https://{account}.lacework.net/api/v2' # Log endpoints to fetch ENDPOINTS = [ {'name': 'alerts', 'path': '/Alerts', 'time_field': 'startTime', 'results_key': 'data'}, {'name': 'audit_logs', 'path': '/AuditLogs', 'time_field': 'createdTime', 'results_key': 'data'}, ] def get_access_token(api_base: str, key_id: str, secret: str) -> str: """Get a temporary access token from Lacework API.""" token_url = f"{api_base}/access/tokens" body = json.dumps({ 'keyId': key_id, 'expiryTime': 3600 }).encode('utf-8') headers = { 'X-LW-UAKS': secret, 'Content-Type': 'application/json', } response = http.request('POST', token_url, body=body, headers=headers) if response.status != 201: raise Exception(f"Failed to get access token: HTTP {response.status} - {response.data.decode('utf-8')}") token_data = json.loads(response.data.decode('utf-8')) return token_data['token'] @functions_framework.cloud_event def main(cloud_event): """ Cloud Run function triggered by Pub/Sub to fetch FortiCNAPP (formerly Lacework) logs and write to GCS. Args: cloud_event: CloudEvent object containing Pub/Sub message """ if not all([GCS_BUCKET, LW_ACCOUNT, LW_KEY_ID, LW_SECRET]): print('Error: Missing required environment variables') return try: bucket = storage_client.bucket(GCS_BUCKET) api_base = API_BASE_TEMPLATE.format(account=LW_ACCOUNT) # Get access token token = get_access_token(api_base, LW_KEY_ID, LW_SECRET) print("Successfully obtained access token") # Load state state = load_state(bucket, STATE_KEY) # Determine time window now = datetime.now(timezone.utc) all_records = [] for endpoint in ENDPOINTS: ep_name = endpoint['name'] last_time_str = None if isinstance(state, dict) and state.get(f"last_{ep_name}_time"): try: last_time = parse_datetime(state[f"last_{ep_name}_time"]) # Overlap by 2 minutes to catch any delayed events last_time = last_time - timedelta(minutes=2) last_time_str = last_time.strftime('%Y-%m-%dT%H:%M:%SZ') except Exception as e: print(f"Warning: Could not parse last_{ep_name}_time: {e}") if last_time_str is None: last_time = now - timedelta(hours=LOOKBACK_HOURS) last_time_str = last_time.strftime('%Y-%m-%dT%H:%M:%SZ') end_time_str = now.strftime('%Y-%m-%dT%H:%M:%SZ') print(f"Fetching {ep_name} from {last_time_str} to {end_time_str}") records, newest_event_time = fetch_logs( api_base=api_base, token=token, endpoint=endpoint, start_time=last_time_str, end_time=end_time_str, page_size=PAGE_SIZE, max_records=MAX_RECORDS, ) # Tag records with endpoint type for record in records: record['_lw_log_type'] = ep_name all_records.extend(records) # Update state for this endpoint if newest_event_time: state[f"last_{ep_name}_time"] = newest_event_time else: state[f"last_{ep_name}_time"] = end_time_str print(f"Fetched {len(records)} {ep_name} records") if not all_records: print("No new log records found.") save_state(bucket, STATE_KEY, state) return # Write to GCS as NDJSON timestamp = now.strftime('%Y%m%d_%H%M%S') object_key = f"{GCS_PREFIX}/logs_{timestamp}.ndjson" blob = bucket.blob(object_key) ndjson = '\n'.join([json.dumps(record, ensure_ascii=False) for record in all_records]) + '\n' blob.upload_from_string(ndjson, content_type='application/x-ndjson') print(f"Wrote {len(all_records)} records to gs://{GCS_BUCKET}/{object_key}") # Save state save_state(bucket, STATE_KEY, state) print(f"Successfully processed {len(all_records)} records") except Exception as e: print(f'Error processing logs: {str(e)}') raise def parse_datetime(value: str) -> datetime: """Parse ISO datetime string to datetime object.""" if value.endswith("Z"): value = value[:-1] + "+00:00" return datetime.fromisoformat(value) def load_state(bucket, key): """Load state from GCS.""" try: blob = bucket.blob(key) if blob.exists(): state_data = blob.download_as_text() return json.loads(state_data) except Exception as e: print(f"Warning: Could not load state: {e}") return {} def save_state(bucket, key, state: dict): """Save the state to GCS state file.""" try: blob = bucket.blob(key) blob.upload_from_string( json.dumps(state, indent=2), content_type='application/json' ) print(f"Saved state: {json.dumps(state)}") except Exception as e: print(f"Warning: Could not save state: {e}") def fetch_logs(api_base: str, token: str, endpoint: dict, start_time: str, end_time: str, page_size: int, max_records: int): """ Fetch logs from Lacework API with pagination and rate limiting. Args: api_base: API base URL token: Bearer access token endpoint: Endpoint configuration dict start_time: Start time in ISO format end_time: End time in ISO format page_size: Number of records per page max_records: Maximum total records to fetch Returns: Tuple of (records list, newest_event_time ISO string) """ headers = { 'Authorization': f'Bearer {token}', 'Accept': 'application/json', 'Content-Type': 'application/json', 'User-Agent': 'GoogleSecOps-LaceworkCollector/1.0' } ep_path = endpoint['path'] time_field = endpoint['time_field'] results_key = endpoint['results_key'] records = [] newest_time = None page_num = 0 backoff = 1.0 next_page = None while True: page_num += 1 if len(records) >= max_records: print(f"Reached max_records limit ({max_records}) for {endpoint['name']}") break # Build request URL if next_page: url = next_page else: url = f"{api_base}{ep_path}?startTime={start_time}&endTime={end_time}" try: response = http.request('GET', url, headers=headers) # Handle rate limiting with exponential backoff if response.status == 429: retry_after = int(response.headers.get('Retry-After', str(int(backoff)))) print(f"Rate limited (429). Retrying after {retry_after}s...") time.sleep(retry_after) backoff = min(backoff * 2, 30.0) continue backoff = 1.0 if response.status != 200: print(f"HTTP Error: {response.status}") response_text = response.data.decode('utf-8') print(f"Response body: {response_text}") return [], None data = json.loads(response.data.decode('utf-8')) page_results = data.get(results_key, []) if not page_results: print(f"No more results (empty page) for {endpoint['name']}") break print(f"Page {page_num}: Retrieved {len(page_results)} {endpoint['name']} events") records.extend(page_results) # Track newest event time for event in page_results: try: event_time = event.get(time_field) if event_time: if newest_time is None or parse_datetime(event_time) > parse_datetime(newest_time): newest_time = event_time except Exception as e: print(f"Warning: Could not parse event time: {e}") # Check for next page via paging object paging = data.get('paging', {}) next_page_url = paging.get('urls', {}).get('nextPage') if not next_page_url: print(f"No more pages for {endpoint['name']}") break next_page = next_page_url except Exception as e: print(f"Error fetching {endpoint['name']} logs: {e}") return [], None print(f"Retrieved {len(records)} total {endpoint['name']} records from {page_num} pages") return records, newest_timerequirements.txt:
functions-framework==3.* google-cloud-storage==2.* urllib3>=2.0.0
Klik Deploy untuk menyimpan dan men-deploy fungsi.
Tunggu hingga deployment selesai (2-3 menit).
Buat tugas Cloud Scheduler
Cloud Scheduler akan memublikasikan pesan ke topik Pub/Sub secara berkala, sehingga memicu fungsi Cloud Run.
- Di GCP Console, buka Cloud Scheduler.
Klik Create Job.
Berikan detail konfigurasi berikut:
Setelan Nilai Nama lacework-logs-collector-hourlyRegion Pilih region yang sama dengan fungsi Cloud Run Frekuensi 0 * * * *(setiap jam, tepat pada waktunya)Zona Waktu Pilih zona waktu (UTC direkomendasikan) Jenis target Pub/Sub Topik Pilih topik lacework-logs-triggerIsi pesan {}(objek JSON kosong)Klik Create.
Opsi frekuensi jadwal
Pilih frekuensi berdasarkan volume log dan persyaratan latensi:
| Frekuensi | Ekspresi Cron | Kasus Penggunaan |
|---|---|---|
| Setiap 5 menit | */5 * * * * |
Volume tinggi, latensi rendah |
| Setiap 15 menit | */15 * * * * |
Volume sedang |
| Setiap jam | 0 * * * * |
Standar (direkomendasikan) |
| Setiap 6 jam | 0 */6 * * * |
Volume rendah, pemrosesan batch |
| Harian | 0 0 * * * |
Pengumpulan data historis |
Menguji integrasi
- Di konsol Cloud Scheduler, temukan tugas Anda.
- Klik Force run untuk memicu tugas secara manual.
- Tunggu beberapa detik.
- Buka Cloud Run > Services.
- Klik
lacework-logs-collector. - Klik tab Logs.
Pastikan fungsi berhasil dieksekusi. Cari:
Successfully obtained access token Fetching alerts from YYYY-MM-DDTHH:MM:SSZ to YYYY-MM-DDTHH:MM:SSZ Page 1: Retrieved X alerts events Fetched X alerts records Fetching audit_logs from YYYY-MM-DDTHH:MM:SSZ to YYYY-MM-DDTHH:MM:SSZ Page 1: Retrieved X audit_logs events Fetched X audit_logs records Wrote X records to gs://lacework-logs/lacework/logs_YYYYMMDD_HHMMSS.ndjson Successfully processed X recordsBuka Cloud Storage > Buckets.
Klik nama bucket Anda (
lacework-logs).Buka folder
lacework/.Pastikan file
.ndjsonbaru dibuat dengan stempel waktu saat ini.
Jika Anda melihat error dalam log:
- HTTP 401: Periksa kredensial API di variabel lingkungan atau token mungkin sudah tidak berlaku
- HTTP 403: Verifikasi bahwa kunci API memiliki izin yang diperlukan di konsol Lacework
- HTTP 429: Pembatasan kecepatan - fungsi akan otomatis mencoba lagi dengan penundaan
- Variabel lingkungan tidak ada: Periksa apakah semua variabel yang diperlukan telah ditetapkan
Mengonfigurasi feed di Google SecOps untuk menyerap log FortiCNAPP (sebelumnya Lacework)
- Buka Setelan SIEM > Feed.
- Klik Tambahkan Feed Baru.
- Klik Konfigurasi satu feed.
- Di kolom Nama feed, masukkan nama untuk feed (misalnya,
Lacework Logs). - Pilih Google Cloud Storage V2 sebagai Source type.
- Pilih Lacework Cloud Security sebagai Jenis log.
Klik Get Service Account. Email akun layanan yang unik akan ditampilkan, misalnya:
chronicle-12345678@chronicle-gcp-prod.iam.gserviceaccount.comSalin alamat email ini.
Klik Berikutnya.
Tentukan nilai untuk parameter input berikut:
URL bucket penyimpanan: Masukkan URI bucket GCS dengan jalur awalan:
gs://lacework-logs/lacework/- Ganti:
lacework-logs: Nama bucket GCS Anda.lacework: Awalan/jalur folder opsional tempat log disimpan (biarkan kosong untuk root).
- Ganti:
Opsi penghapusan sumber: Pilih opsi penghapusan sesuai preferensi Anda:
- Jangan pernah: Tidak pernah menghapus file apa pun setelah transfer (direkomendasikan untuk pengujian).
- Hapus file yang ditransfer: Menghapus file setelah transfer berhasil.
Hapus file yang ditransfer dan direktori kosong: Menghapus file dan direktori kosong setelah transfer berhasil.
Usia File Maksimum: Menyertakan file yang diubah dalam beberapa hari terakhir (defaultnya adalah 180 hari)
Namespace aset: Namespace aset
Label penyerapan: Label yang akan diterapkan ke peristiwa dari feed ini
Klik Berikutnya.
Tinjau konfigurasi feed baru Anda di layar Selesaikan, lalu klik Kirim.
Memberikan izin IAM ke akun layanan Google SecOps
Akun layanan Google SecOps memerlukan peran Storage Object Viewer di bucket GCS Anda.
- Buka Cloud Storage > Buckets.
- Klik nama bucket Anda.
- Buka tab Izin.
Klik Grant access.
Berikan detail konfigurasi berikut:
- Add principals: Tempel email akun layanan Google SecOps
- Tetapkan peran: Pilih Storage Object Viewer
Klik Simpan.
Log Contoh Lacework Cloud Security yang Didukung
Informasi Agen atau Mesin (Inventaris Host)
{ "AGENT_VERSION": "6.7.6-4ce73a7b", "CREATED_TIME": "Thu, 03 Nov 2022 02:09:36 -0700", "HOSTNAME": "host-agent-1", "IP_ADDR": "10.0.0.1", "LAST_UPDATE": "Wed, 18 Oct 2023 17:59:09 -0700", "MID": 6516601498285932156, "MODE": "ebpf", "OS": "Linux", "STATUS": "ACTIVE", "TAGS": { "Account": "999999999999", "AmiId": "ami-00000000000000000", "ExternalIp": "203.0.113.10", "Hostname": "internal-host-1.zone.compute.internal", "InstanceId": "i-00000000000000000", "InternalIp": "172.16.1.10", "LwTokenShort": "DUMMYTOKENABCD123456", "Name": "proxy-DMZ-app-1", "ResourceType": "proxy-machines", "SubnetId": "subnet-00000000000000000", "VmInstanceType": "t3.small", "VmProvider": "AWS", "VpcId": "vpc-00000000000000000", "Zone": "us-west-2a", "arch": "amd64", "falconx.io/application": "proxy-machines", "falconx.io/environment": "prod", "falconx.io/project": "edge", "falconx.io/team": "edge", "os": "linux" } }Metadata atau Integritas File
{ "CREATED_TIME": "Wed, 18 Oct 2023 17:02:01 -0700", "FILEDATA_HASH": "DUMMYHASH582C741AD91CA817B4718DEAA4E8A83C0B9D92E2", "FILE_PATH": "/usr/local/bin/secure_config", "MID": 7371220731851617371, "MTIME": "Fri, 25 Aug 2023 13:03:09 -0700", "SIZE": 8078 }Penilaian Kerentanan Host
{ "CVE_PROPS": { "description": "DOCUMENTATION: The MITRE CVE dictionary describes this issue as: " "This CVE ID has been rejected or withdrawn by its CVE Numbering " "Authority for the following reason: This CVE ID has been rejected " "or withdrawn by its CVE Numbering Authority.", "link": "https://vendor.example.com/security/cve/CVE-2021-47472", "metadata": null }, "CVE_RISK_INFO": { "HOST_COUNT": 1249, "IMAGE_COUNT": 0, "PKG_COUNT": 0, "SEVERITY_LEVEL": 2, "score": 0.5154245281584533 }, "CVE_RISK_SCORE": 3.77, "END_TIME": "2024-09-04 07:00:00.000", "EVAL_CTX": { "collector_type": "Agent", "exception_props": [], "hostname": "vuln-host-1.example.net" }, "EVAL_GUID": "3dc61df780e3b722aa59b0ffcac85683", "FEATURE_KEY": { "name": "kernel-headers", "namespace": "centos:7", "package_active": 1, "package_path": "", "version_installed": "0:3.10.0-1160.119.1.el7.tuxcare.els2" }, "MACHINE_TAGS": { "Account": "999999999999", "AmiId": "ami-00000000000000000", "ExternalIp": "203.0.113.10", "Hostname": "ip-172-16-1-10.example-prod.aws.featurespace.net", "InternalIp": "10.0.0.1", "LwTokenShort": "DUMMYTOKENABCD123456", "VmProvider": "AWS", "VpcId": "vpc-00000000000000000", "os": "linux" }, "MID": 5746003737030963813, "PACKAGE_STATUS": "ACTIVE", "REGION": "eu-west-2", "RISK_SCORE": 10, "SEVERITY": "Low", "START_TIME": "2024-09-04 06:00:00.000", "STATUS": "Exception", "VULN_ID": "CVE-2021-47472" }Kepatuhan Konfigurasi Cloud (Audit)
{ "ACCOUNT": { "AccountId": "999999999999", "Account_Alias": "" }, "EVAL_TYPE": "LW_SA", "ID": "lacework-global-87", "REASON": "Default security group does not restrict traffic", "RECOMMENDATION": "Ensure the default security group of every Virtual Private Cloud (VPC) restricts all traffic", "REGION": "eu-north-1", "REPORT_TIME": "2024-11-10 18:00:00.000", "RESOURCE_ID": "arn:aws:ec2:eu-west-1:999999999999:security-group/sg-00000000000000000", "SECTION": "", "SEVERITY": "High", "STATUS": "NonCompliant" }Kueri atau Resolusi DNS
{ "CREATED_TIME": "2024-11-06 05:14:44.329", "DNS_SERVER_IP": "10.0.0.53", "FQDN": "data-service-prod-1234567890.s3.eu-west-2.amazonaws.com", "HOST_IP_ADDR": "172.16.1.20", "MID": 8843985456817096491, "TTL": 5 }Penilaian Kerentanan Image
{ "CVE_PROPS": null, "EVAL_CTX": { "collector_type": "Agentless", "image_info": { "digest": "sha256:52d5cb782dad7a8a03c8bd1b285bbd32bdbfa8fcc435614bb1e6ceefcf26ae1d", "id": "sha256:31427c44cac7ab632d541181073bbd46a964e4ed38d087d8a47f60bb66eef4df", "registry": "999999999999.dkr.ecr.eu-west-1.amazonaws.com", "repo": "amazon/aws-network-policy-agent" } }, "EVAL_GUID": "3a17a74f0a65eed2bddd2d37bb02e6af", "FEATURE_KEY": { "name": "perl-threads", "namespace": "amzn:2", "version": "1.87-4.amzn2.0.2" }, "FIX_INFO": { "fix_available": 0, "fixed_version": "" }, "IMAGE_ID": "sha256:31427c44cac7ab632d541181073bbd46a964e4ed38d087d8a47f60bb66eef4df", "IMAGE_RISK_INFO": { "factors": [ "cve", "reachability" ], "factors_breakdown": { "cve_counts": { "Critical": 0, "High": 21, "Medium": 73 }, "internet_reachability": "Unknown" } }, "IMAGE_RISK_SCORE": 6.4, "PACKAGE_STATUS": "NO_AGENT_AVAILABLE", "RISK_SCORE": 6.4, "START_TIME": "2024-11-05 19:05:03.553", "STATUS": "GOOD" }Ringkasan Traffic atau Koneksi Jaringan
{ "DST_ENTITY_ID": { "hostname": "service-A.region.amazonaws.com", "ip_internal": 0, "port": 443, "protocol": "TCP" }, "DST_ENTITY_TYPE": "DnsSep", "DST_IN_BYTES": 0, "DST_OUT_BYTES": 0, "ENDPOINT_DETAILS": [ { "dst_ip_addr": "203.0.113.10", "dst_port": 443, "protocol": "TCP", "src_ip_addr": "192.168.1.10" }, { "dst_ip_addr": "198.51.100.5", "dst_port": 443, "protocol": "TCP", "src_ip_addr": "192.168.1.10" } ], "END_TIME": "2024-11-05 21:00:00.000", "NUM_CONNS": 4, "SRC_ENTITY_ID": { "mid": 2080882850610892909, "pid_hash": 744766973756676842 }, "SRC_ENTITY_TYPE": "Process", "SRC_IN_BYTES": 25028, "SRC_OUT_BYTES": 11962, "START_TIME": "2024-11-05 20:00:00.000" }Informasi atau Pembaruan Paket
{ "ARCH": "x86_64", "CREATED_TIME": "2024-11-08 01:28:30.566", "MID": 4172267319977985370, "PACKAGE_NAME": "grub2", "VERSION": "2:2.02-0.87.0.2.el7.el7.centos.14.tuxcare.els2" }Aktivitas Proses Container
{ "CONTAINER_ID": "4853339865add970f72213ec5d76ff51d1308c61a7680cc23c8de20c38c0a8e1", "END_TIME": "2024-11-08 02:00:00.000", "FILE_PATH": "/app/grpc-health-probe", "MID": 3708952045169222383, "PID": 177267, "POD_NAME": "kubernetes-pod-abc", "PPID": 177257, "PROCESS_START_TIME": "2024-11-08 01:43:29.960", "START_TIME": "2024-11-08 01:00:00.000", "UID": 0, "USERNAME": "serviceuser" }Peringatan atau Peristiwa Umum (CloudTrail)
{ "EVENT_ID": "413328", "EVENT_NAME": "Unauthorized API Call", "EVENT_TYPE": "CloudTrailDefaultAlert", "SUMMARY": " For account: 999999999999 (and 22 more) : event Unauthorized API Call from a username other " "than whitelisted ones. Replaces lacework-global-29 occurred 3772 times by user " "UDM-PRINCIPAL-ID:UDM-SERVICE-ROLE (and 167 more) ", "START_TIME": "07 Feb 2025 12:00 GMT", "EVENT_CATEGORY": "Aws", "LINK": "https://security.example.net/ui/alert/12345/details", "ACCOUNT": "UDM_ACCOUNT", "SOURCE": "CloudTrail", "subject": { "srcEvent": { "event": { "errorCode": "AccessDenied", "errorMessage": "User: arn:aws:sts::999999999999:assumed-role/UDM-SERVICE-ROLE-IngestionApiRole/UDM-SERVICE-PRINCIPAL " "is not authorized to perform: kinesis:ListShards on resource: " "arn:aws:kinesis:us-east-1:999999999999:stream/ingestion-qa-rel-fraud-review-Stream " "because no identity-based policy allows the kinesis:ListShards action", "eventName": "ListShards", "eventSource": "kinesis.amazonaws.com", "eventTime": "2025-02-07T12:00:24Z", "recipientAccountId": "999999999999", "sourceIPAddress": "firehose.amazonaws.com", "userIdentity": { "accessKeyId": "ACCESSKEYIDDUMMY", "accountId": "999999999999", "arn": "arn:aws:sts::999999999999:assumed-role/UDM-SERVICE-ROLE-IngestionApiRole/UDM-SERVICE-PRINCIPAL", "sessionContext": { "sessionIssuer": { "accountId": "999999999999", "arn": "arn:aws:iam::999999999999:role/UDM-SERVICE-ROLE-IngestionApiRole", "principalId": "PRINCIPALIDDUMMY", "userName": "UDM-SERVICE-ROLE-IngestionApiRole" } } }, "vpcEndpointId": "vpce-00000000000000000" }, "principalId": "PRINCIPALIDDUMMY:UDM-SERVICE-PRINCIPAL", "recipientAccountId": "999999999999", "sourceIPAddress": "firehose.amazonaws.com", "userIdentityName": "UDM-SERVICE-ROLE-IngestionApiRole" } } }
Tabel pemetaan UDM
| Kolom Log | Pemetaan UDM | Logika |
|---|---|---|
| alertId | metadata.product_log_id | Nilai disalin secara langsung |
| alertName | security_result.rule_name | Nilai disalin secara langsung |
| tingkat keseriusan, | security_result.severity | Dipetakan ke tingkat keparahan UDM |
| status | security_result.summary | Nilai disalin secara langsung |
| alertType | security_result.category_details | Nilai disalin secara langsung |
| startTime | metadata.event_timestamp | Diuraikan sebagai stempel waktu ISO 8601 |
| endTime | additional.fields | Disimpan sebagai label end_time |
| alertInfo.description | security_result.description | Nilai disalin secara langsung |
| alertInfo.subject | metadata.description | Nilai disalin secara langsung |
| entityMap.Machine.hostname | principal.hostname | Nilai disalin secara langsung |
| entityMap.Machine.externalIp | principal.ip | Nilai disalin secara langsung |
| entityMap.User.username | principal.user.userid | Nilai disalin secara langsung |
| entityMap.Region.region | principal.location.name | Nilai disalin secara langsung |
| entityMap.CT_User.accountId | principal.user.product_object_id | Nilai disalin secara langsung |
Perlu bantuan lain? Dapatkan jawaban dari anggota Komunitas dan profesional Google SecOps.