Collect Google Cloud Run functions context logs

This document describes how fields of Google Cloud Run functions context logs map to Google Security Operations Unified Data Model (UDM) fields.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the GCP_CLOUD_FUNCTIONS_CONTEXT ingestion label.

For information about other context parsers that Google SecOps supports, see Google SecOps context parsers .

Supported Google Cloud Run functions context logs log formats

The Google Cloud Run functions context logs parser supports logs in JSON format.

Supported Google Cloud Run functions context logs sample logs

JSON:

 {
  "name": "//cloudfunctions.googleapis.com/projects/cspm-32817/locations/asia-south1/functions/GetNSPAAlertsFunction-asia-south1",
  "assetType": "cloudfunctions.googleapis.com/CloudFunction",
  "resource": {
    "version": "v1",
    "discoveryDocumentUri": "https://cloudfunctions.googleapis.com/$discovery/rest",
    "discoveryName": "CloudFunction",
    "parent": "//cloudresourcemanager.googleapis.com/projects/1063885730524",
    "data": {
      "availableMemoryMb": 256,
      "buildId": "843ffd9a-eab1-4022-8d0f-256e55d110d3",
      "buildName": "projects/1063885730524/locations/asia-south1/builds/843ffd9a-eab1-4022-8d0f-256e55d110d3",
      "dockerRegistry": "CONTAINER_REGISTRY",
      "entryPoint": "google_cloud_function_handler",
      "eventTrigger": {
        "eventType": "google.pubsub.topic.publish",
        "failurePolicy": {},
        "resource": "projects/cspm-32817/topics/GetNSPAAlerts-asia-south1",
        "service": "pubsub.googleapis.com"
      },
      "ingressSettings": "ALLOW_ALL",
      "labels": {
        "deployment-tool": "console-cloud"
      },
      "maxInstances": 3000,
      "name": "projects/cspm-32817/locations/asia-south1/functions/GetNSPAAlertsFunction-asia-south1",
      "runtime": "python37",
      "serviceAccountEmail": "dummy@user.com",
      "sourceArchiveUrl": "gs://cloudfunctionscrest/GetNetskopeSecurityPostureAssessmentFunction (2).zip",
      "status": "ACTIVE",
      "timeout": "300s",
      "updateTime": "2023-04-21T13:33:30.711Z",
      "versionId": "1"
    }
  },
  "ancestors": [
    "projects/1063885730524",
    "organizations/595779152576"
  ]
}

Field mapping reference

This section explains how the Google SecOps parser maps Google Cloud Run functions context logs fields to Google SecOps UDM fields.

Log field	UDM mapping	Logic
	`entity.relations.resource.resource_type`	The `entity.relations.resource.resource_type` UDM field is set to `CLOUD_PROJECT` .
	`entity.relations.resource.resource_subtype`	The `entity.relations.resource.resource_subtype` UDM field is set to `project` .
	`entity.relations.resource_ancestors.resource_type`	If the `ancestor` log field value matches the regular expression pattern `organizations` , then the `entity.relations.resource_ancestors.resource_type` UDM field is set to `CLOUD_ORGANIZATION` . Else, if the `ancestor` log field value matches the regular expression pattern `folders` , then the `entity.relations.resource_ancestors.resource_type` UDM field is set to `STORAGE_OBJECT` .
	`entity.relations.resource_ancestors.resource_subtype`	If the `ancestor` log field value matches the regular expression pattern `organizations` , then the `entity.relations.resource_ancestors.resource_subtype` UDM field is set to `organizations` . Else, if the `ancestor` log field value matches the regular expression pattern `folders` , then the `entity.relations.resource_ancestors.resource_subtype` UDM field is set to `folders` .
	`entity.relations.relationship`	The `entity.relations.relationship` UDM field is set to `MEMBER` .
`resource.parent, ancestors[]`	`entity.relations.entity.resource.name`	If the `resource.parent` log field value is empty, then the `ancestors.0` log field is mapped to the `relations.entity.resource.name` UDM field.
`ancestors[]`	`entity.relations.entity.resource_ancestors.name`	If the `ancestor` log field value is not a substring of `resource.parent` log field value, then the `ancestors` log field is mapped to the `relations.entity.resource_ancestors.name` UDM field.
	`entity.relations.entity_type`	The `entity.relations.entity_type` UDM field is set to `RESOURCE` .
	`entity.relations.direction`	The `entity.relations.direction` UDM field is set to `UNIDIRECTIONAL` .
	`entity.metadata.vendor_name`	The `entity.metadata.vendor_name` UDM field is set to `Google Cloud Platform` .
`resource.version`	`entity.metadata.product_version`
	`entity.metadata.product_name`	The `entity.metadata.product_name` UDM field is set to `GCP Cloud Functions` .
	`entity.metadata.entity_type`	The `entity.metadata.entity_type` UDM field is set to `RESOURCE` .
`resource.data.description`	`entity.metadata.description`
`resource.data.serviceAccountEmail, resource.data.serviceConfig.serviceAccountEmail`	`entity.entity.user.email_addresses`
`resource.data.httpsTrigger.url, resource.data.serviceConfig.uri`	`entity.entity.url`
`resource.data.stateMessages.type`	`entity.entity.threat.summary`
`resource.data.stateMessages.severity`	`entity.entity.threat.product_severity`
`resource.data.stateMessages.message`	`entity.entity.threat.description`
	`entity.entity.resource.resource_type`	The `entity.entity.resource.resource_type` UDM field is set to `BACKEND_SERVICE` .
`assetType`	`entity.entity.resource.resource_subtype`
`resource.data.name`	`entity.entity.resource.product_object_id`
`name`	`entity.entity.resource.name`
`resource.data.updateTime`	`entity.entity.resource.attribute.last_update_time`
`resource.data.network`	`entity.entity.resource.attribute.labels[vpc_network]`
`resource.data.vpcConnector, resource.data.serviceConfig.vpcConnector`	`entity.entity.resource.attribute.labels[vpc_connector]`
`resource.data.vpcConnectorEgressSettings, resource.data.serviceConfig.vpcConnectorEgressSettings`	`entity.entity.resource.attribute.labels[vpc_connector_egress_settings]`
`resource.data.versionId`	`entity.entity.resource.attribute.labels[version_id]`
`resource.data.timeout, resource.data.serviceConfig.timeoutSeconds`	`entity.entity.resource.attribute.labels[timeout]`
`resource.data.buildConfig.source.storageSource.object`	`entity.entity.resource.attribute.labels[storage_source_object]`
`resource.data.buildConfig.source.storageSource.generation`	`entity.entity.resource.attribute.labels[storage_source_generation]`
`resource.data.buildConfig.source.storageSource.bucket`	`entity.entity.resource.attribute.labels[storage_source_bucket]`
`resource.data.sourceUploadUrl`	`entity.entity.resource.attribute.labels[source_upload_url]`
`resource.data.sourceToken`	`entity.entity.resource.attribute.labels[source_token]`
`resource.data.sourceRepository.url`	`entity.entity.resource.attribute.labels[source_repo_url]`
`resource.data.sourceRepository.deployedUrl`	`entity.entity.resource.attribute.labels[source_repo_deployed_url]`
`resource.data.sourceArchiveUrl`	`entity.entity.resource.attribute.labels[source_archive_url]`
`resource.data.serviceConfig.service`	`entity.entity.resource.attribute.labels[service_config_service]`
`resource.data.serviceConfig.revision`	`entity.entity.resource.attribute.labels[service_config_revision]`
`resource.data.serviceConfig.maxInstanceRequestConcurrency`	`entity.entity.resource.attribute.labels[service_config_max_instance_request_concurrency]`
`resource.data.serviceConfig.availableCpu`	`entity.entity.resource.attribute.labels[service_config_available_cpu]`
`resource.data.serviceConfig.allTrafficOnLatestRevision`	`entity.entity.resource.attribute.labels[service_config_all_traffic_on_latest_revision]`
`resource.data.httpsTrigger.securityLevel, resource.data.serviceConfig.securityLevel`	`entity.entity.resource.attribute.labels[security_level]`
`resource.data.secretVolumes.versions.version, resource.data.serviceConfig.secretVolumes.versions.version`	`entity.entity.resource.attribute.labels[secret_vol_ver_version]`
`resource.data.secretVolumes.versions.path, resource.data.serviceConfig.secretVolumes.versions.path`	`entity.entity.resource.attribute.labels[secret_vol_ver_path]`
`resource.data.secretVolumes.secret, resource.data.serviceConfig.secretVolumes.secret`	`entity.entity.resource.attribute.labels[secret_vol_secret]`
`resource.data.secretVolumes.projectId, resource.data.serviceConfig.secretVolumes.projectId`	`entity.entity.resource.attribute.labels[secret_vol_project_id]`
`resource.data.secretVolumes.mountPath, resource.data.serviceConfig.secretVolumes.mountPath`	`entity.entity.resource.attribute.labels[secret_vol_mount_path]`
`resource.data.secretEnvironmentVariables.version, resource.data.serviceConfig.secretEnvironmentVariables.version`	`entity.entity.resource.attribute.labels[secret_env_var_version]`
`resource.data.secretEnvironmentVariables.secret, resource.data.serviceConfig.secretEnvironmentVariables.secret`	`entity.entity.resource.attribute.labels[secret_env_var_secret]`
`resource.data.secretEnvironmentVariables.projectId, resource.data.serviceConfig.secretEnvironmentVariables.projectId`	`entity.entity.resource.attribute.labels[secret_env_var_project_id]`
`resource.data.secretEnvironmentVariables.key, resource.data.serviceConfig.secretEnvironmentVariables.key`	`entity.entity.resource.attribute.labels[secret_env_var_key]`
`resource.data.runtime, resource.data.buildConfig.runtime`	`entity.entity.resource.attribute.labels[runtime]`
`resource.data.buildConfig.sourceProvenance.resolvedStorageSource.object`	`entity.entity.resource.attribute.labels[resolved_storage_source_object]`
`resource.data.buildConfig.sourceProvenance.resolvedStorageSource.generation`	`entity.entity.resource.attribute.labels[resolved_storage_source_generation]`
`resource.data.buildConfig.sourceProvenance.resolvedStorageSource.bucket`	`entity.entity.resource.attribute.labels[resolved_storage_source_bucket]`
`resource.data.buildConfig.sourceProvenance.resolvedRepoSource.tagName`	`entity.entity.resource.attribute.labels[resolved_repo_source_tag_name]`
`resource.data.buildConfig.sourceProvenance.resolvedRepoSource.repoName`	`entity.entity.resource.attribute.labels[resolved_repo_source_repo_name]`
`resource.data.buildConfig.sourceProvenance.resolvedRepoSource.projectId`	`entity.entity.resource.attribute.labels[resolved_repo_source_project_id]`
`resource.data.buildConfig.sourceProvenance.resolvedRepoSource.invertRegex`	`entity.entity.resource.attribute.labels[resolved_repo_source_invert_regex]`
`resource.data.buildConfig.sourceProvenance.resolvedRepoSource.dir`	`entity.entity.resource.attribute.labels[resolved_repo_source_dir]`
`resource.data.buildConfig.sourceProvenance.resolvedRepoSource.commitSha`	`entity.entity.resource.attribute.labels[resolved_repo_source_commit_sha]`
`resource.data.buildConfig.sourceProvenance.resolvedRepoSource.branchName`	`entity.entity.resource.attribute.labels[resolved_repo_source_branch_name]`
`resource.data.buildConfig.source.repoSource.tagName`	`entity.entity.resource.attribute.labels[repo_source_tag_name]`
`resource.data.buildConfig.source.repoSource.repoName`	`entity.entity.resource.attribute.labels[repo_source_repo_name]`
`resource.data.buildConfig.source.repoSource.projectId`	`entity.entity.resource.attribute.labels[repo_source_project_id]`
`resource.data.buildConfig.source.repoSource.invertRegex`	`entity.entity.resource.attribute.labels[repo_source_invert_regex]`
`resource.data.buildConfig.source.repoSource.dir`	`entity.entity.resource.attribute.labels[repo_source_dir]`
`resource.data.buildConfig.source.repoSource.commitSha`	`entity.entity.resource.attribute.labels[repo_source_commit_sha]`
`resource.data.buildConfig.source.repoSource.branchName`	`entity.entity.resource.attribute.labels[repo_source_branch_name]`
`resource.data.minInstances, resource.data.serviceConfig.minInstanceCount`	`entity.entity.resource.attribute.labels[min_instance]`
`resource.data.maxInstances, resource.data.serviceConfig.maxInstanceCount`	`entity.entity.resource.attribute.labels[max_instance]`
`resource.data.kmsKeyName`	`entity.entity.resource.attribute.labels[kms_key_name]`
`resource.data.ingressSettings, resource.data.serviceConfig.ingressSettings`	`entity.entity.resource.attribute.labels[ingress_settings]`
`resource.data.buildConfig.environmentVariables.GOOGLE_FUNCTION_SOURCE`	`entity.entity.resource.attribute.labels[GOOGLE_FUNCTION_SOURCE]`
`resource.data.labels.goog-managed-by`	`entity.entity.resource.attribute.labels[goog-managed-by]`
`resource.data.status, resource.data.state`	`entity.entity.resource.attribute.labels[function_status]`
`resource.data.eventTrigger.trigger`	`entity.entity.resource.attribute.labels[event_trigger_trigger]`
`resource.data.eventTrigger.triggerRegion`	`entity.entity.resource.attribute.labels[event_trigger_trigger_reason]`
`resource.data.eventTrigger.service`	`entity.entity.resource.attribute.labels[event_trigger_service]`
`resource.data.eventTrigger.serviceAccountEmail`	`entity.entity.resource.attribute.labels[event_trigger_service_account_email]`
`resource.data.eventTrigger.retryPolicy`	`entity.entity.resource.attribute.labels[event_trigger_retry_policy]`
`resource.data.eventTrigger.resource`	`entity.entity.resource.attribute.labels[event_trigger_resource]`
`resource.data.eventTrigger.pubsubTopic`	`entity.entity.resource.attribute.labels[event_trigger_pubsub_topic]`
`resource.data.eventTrigger.eventFilters.value`	`entity.entity.resource.attribute.labels[event_trigger_evt_filter_value]`
`resource.data.eventTrigger.eventFilters.operator`	`entity.entity.resource.attribute.labels[event_trigger_evt_filter_operator]`
`resource.data.eventTrigger.eventFilters.attribute`	`entity.entity.resource.attribute.labels[event_trigger_evt_filter_attribute]`
`resource.data.eventTrigger.eventType`	`entity.entity.resource.attribute.labels[event_trigger_event_type]`
`resource.data.eventTrigger.channel`	`entity.entity.resource.attribute.labels[event_trigger_channel]`
`resource.data.environment`	`entity.entity.resource.attribute.labels[environment]`
`resource.data.entryPoint, resource.data.buildConfig.entryPoint`	`entity.entity.resource.attribute.labels[entry_point]`
`resource.data.dockerRepository, resource.data.buildConfig.dockerRepository`	`entity.entity.resource.attribute.labels[docker_repository]`
`resource.data.dockerRegistry, resource.data.buildConfig.dockerRegistry`	`entity.entity.resource.attribute.labels[docker_registry]`
`resource.discoveryName`	`entity.entity.resource.attribute.labels[discovery_name]`
`resource.discoveryDocumentUri`	`entity.entity.resource.attribute.labels[discovery_document_uri]`
`resource.data.labels.deployment-tool`	`entity.entity.resource.attribute.labels[deployment_tool]`
`resource.data.buildWorkerPool, resource.data.buildConfig.workerPool`	`entity.entity.resource.attribute.labels[build_worker_pool]`
`resource.data.buildName, resource.data.buildConfig.build`	`entity.entity.resource.attribute.labels[build_name]`
`resource.data.buildId`	`entity.entity.resource.attribute.labels[build_id]`
`resource.data.availableMemoryMb, resource.data.serviceConfig.availableMemory`	`entity.entity.resource.attribute.labels[available_memory]`
	`entity.entity.resource.attribute.cloud.environment`	The `entity.entity.resource.attribute.cloud.environment` UDM field is set to `GOOGLE_CLOUD_PLATFORM` .
`resource.data.environmentVariables.TAXII_VERSION, resource.data.serviceConfig.environmentVariables.TAXII_VERSION`	`entity.enity.resource.attribute.labels[TAXII_VERSION]`
`resource.data.environmentVariables.TAXII_USERNAME, resource.data.serviceConfig.environmentVariables.TAXII_USERNAME`	`entity.enity.resource.attribute.labels[TAXII_USERNAME]`
`resource.data.environmentVariables.TAXII_PASSWORD_SECRET_PATH, resource.data.serviceConfig.environmentVariables.TAXII_PASSWORD_SECRET_PATH`	`entity.enity.resource.attribute.labels[TAXII_PASSWORD_SECRET_PATH]`
`resource.data.environmentVariables.TAXII_DISCOVERY_URL, resource.data.serviceConfig.environmentVariables.TAXII_DISCOVERY_URL`	`entity.enity.resource.attribute.labels[TAXII_DISCOVERY_URL]`
`resource.data.environmentVariables.CHRONICLE_SERVICE_ACCOUNT, resource.data.serviceConfig.environmentVariables.CHRONICLE_SERVICE_ACCOUNT`	`entity.enity.resource.attribute.labels[CHRONICLE_SERVICE_ACCOUNT]`
`resource.data.environmentVariables.CHRONICLE_CUSTOMER_ID, resource.data.serviceConfig.environmentVariables.CHRONICLE_CUSTOMER_ID`	`entity.enity.resource.attribute.labels[CHRONICLE_CUSTOMER_ID]`