Mappings: GCP IDS
| Input | Value |
|---|---|
| Vendor | |
| Product | Google Cloud Platform |
| Log Format | JSON |
| Event ID Regex Pattern | ^threat\-.* |
| Output | Value |
|---|---|
| Vendor | |
| Product | Google Cloud Platform |
| Record Type | Network |
| Cloud SIEM Schema Field | Original Record Key | Notes |
|---|---|---|
| action | message.data.jsonPayload.category | |
| application | message.data.jsonPayload.application | |
| cloud_provider | None | The static text GCP is populated in this schema field. |
| cloud_region | message.data.jsonPayload.instance.region | |
| cloud_zone | message.data.jsonPayload.instance.zone | |
| description | message.data.jsonPayload.details | |
| dstDevice_ip | message.data.jsonPayload.destination_ip_address | |
| dstPort | message.data.jsonPayload.destination.port | |
| ipProtocol | message.data.jsonPayload.ip.protocol | |
| normalizedResource | None | The static text network is populated in this schema field. |
| normalizedSeverity | message.data.jsonPayload.alert_severity | This is a lookup field. More info to come in the catalog later... |
| severity | message.data.jsonPayload.alert_severity | |
| srcDevice_ip | message.data.jsonPayload.source_ip_address | |
| srcPort | message.data.jsonPayload.source_port | |
| threat_name | message.data.jsonPayload.name | |
| threat_ruleType | None | The static text direct is populated in this schema field. |
| threat_signalName | message.data.jsonPayload.details | |
| timestamp | message.data.timestamp | We expect the orginal record value of message.data.timestamp is in the format yyyy-MM-dd'T'HH:mm:ss |