Mappings: GCP IDS
Input | Value |
---|---|
Vendor | |
Product | Google Cloud Platform |
Log Format | JSON |
Event ID Regex Pattern | ^threat\-.* |
Output | Value |
---|---|
Vendor | |
Product | Google Cloud Platform |
Record Type | Network |
Cloud SIEM Schema Field | Original Record Key | Notes |
---|---|---|
action | message.data.jsonPayload.category | |
application | message.data.jsonPayload.application | |
cloud_provider | None | The static text GCP is populated in this schema field. |
cloud_region | message.data.jsonPayload.instance.region | |
cloud_zone | message.data.jsonPayload.instance.zone | |
description | message.data.jsonPayload.details | |
dstDevice_ip | message.data.jsonPayload.destination_ip_address | |
dstPort | message.data.jsonPayload.destination.port | |
ipProtocol | message.data.jsonPayload.ip.protocol | |
normalizedResource | None | The static text network is populated in this schema field. |
normalizedSeverity | message.data.jsonPayload.alert_severity | This is a lookup field. More info to come in the catalog later... |
severity | message.data.jsonPayload.alert_severity | |
srcDevice_ip | message.data.jsonPayload.source_ip_address | |
srcPort | message.data.jsonPayload.source_port | |
threat_name | message.data.jsonPayload.name | |
threat_ruleType | None | The static text direct is populated in this schema field. |
threat_signalName | message.data.jsonPayload.details | |
timestamp | message.data.timestamp | We expect the orginal record value of message.data.timestamp is in the format yyyy-MM-dd'T'HH:mm:ss |