Log Type | Ingestion label | Preferred Logging Protocol - Format | Log Collection Method | Data Source
---|---|---|---|---
Security Command Center Threat | GCP_SECURITYCENTER_THREAT | API Prop Vendor API - JSON | C2C Direct Ingestion | https://cloud.google.com/chronicle/docs/ingestion/cloud/ingest-gcp-logs#exporting_findings_to
Device Configuration
Before you can ingest your Google Cloud data into your Chronicle instance, you must complete the following steps:
1. Contact your Chronicle representative or Adaptive MxDR onboarding engineer and obtain the one-time access code you need to ingest your GCP telemetry.
2. Grant the following IAM roles, which are required to access the Chronicle section:
   - Chronicle Service Admin (roles/chroniclesm.admin): IAM role for performing all activities.
   - Chronicle Service Viewer (roles/chroniclesm.viewer): IAM role to only view the state of ingestion.
   - Security Center Admin Editor (roles/securitycenter.adminEditor): required to enable the ingestion of Cloud Asset Metadata.
3. Navigate to the Chronicle page in the Google Cloud console.
4. Enter your one-time access code in the 1-time Chronicle access code field.
5. Select I consent to the terms and conditions of Chronicle's usage of my Google Cloud data.
6. Click Connect Chronicle. Your Google Cloud data is now going to be sent to Chronicle.
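As an added check (example code written for this page, not from Google or the Chronicle documentation), the script below reads a project IAM policy in the JSON shape returned by `gcloud projects get-iam-policy PROJECT_ID --format=json` and reports which of the three roles listed above a principal does not hold; the sample policy and member names are constructed.

```python
"""Report which of the IAM roles listed in the Device Configuration steps a
principal lacks. Input is a project IAM policy as emitted by
`gcloud projects get-iam-policy PROJECT_ID --format=json`.
Added example: the policy below is constructed, not from a real project."""
import json

# The three roles named in the steps above, with the page's description of each.
LISTED_ROLES = {
    "roles/chroniclesm.admin": "Chronicle Service Admin (all activities)",
    "roles/chroniclesm.viewer": "Chronicle Service Viewer (view ingestion state only)",
    "roles/securitycenter.adminEditor": "Security Center Admin Editor (Cloud Asset Metadata)",
}


def roles_for_member(policy: dict, member: str) -> set:
    """Return the roles bound unconditionally to `member`.
    Bindings carrying an IAM condition are skipped: a role that is only
    granted under a condition cannot be assumed to be in effect for setup."""
    roles = set()
    for binding in policy.get("bindings", []):
        if "condition" in binding:
            continue
        if member in binding.get("members", []):
            roles.add(binding["role"])
    return roles


def missing_roles(policy: dict, member: str) -> dict:
    """Map each listed role the member does not hold to its description."""
    held = roles_for_member(policy, member)
    return {r: d for r, d in LISTED_ROLES.items() if r not in held}


# Constructed sample: the onboarding user holds the viewer role directly, the
# admin role only behind an expired condition, and no Security Center role.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/chroniclesm.viewer",
     "members": ["user:onboarding@example.com"]},
    {"role": "roles/chroniclesm.admin",
     "members": ["user:onboarding@example.com"],
     "condition": {"title": "temp",
                   "expression": "request.time < timestamp('2000-01-01T00:00:00Z')"}},
    {"role": "roles/chroniclesm.admin",
     "members": ["user:secops-lead@example.com"]}
  ]
}""")

if __name__ == "__main__":
    for who in ("user:onboarding@example.com", "user:secops-lead@example.com"):
        gaps = missing_roles(SAMPLE_POLICY, who)
        print(who, "holds all listed roles" if not gaps else "missing: " + ", ".join(gaps))
```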
Once Google Cloud is connected to Chronicle, you need to enable Google Cloud Logging, as shown in the screenshot below.
...
Click Save.
Your Google Cloud data is now going to be sent to Chronicle.
To enable GCP logs
Under the Security tab, navigate to Detections and Controls > Google SecOps.
Select the project whose Security Command Center logs you want to monitor.
Enable Security Command Center Premium Findings.
Integration Parameters
Integration feed details are not required, as the service sends data directly to Chronicle. Please refer to the Device Configuration section above.