| Table of Contents | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
...
Please follow the steps below to enable raw log telemetry.
Pre-Requisite:
Please create Cloud Storage Bucket.
Chronicle Service Account which will be provided by Adaptive MXDR Team.
Configure VPC flow logs:
Login to Google Cloud account using credentials.
On Welcome page, click VPC Network
...
In Sink Details, enter Name & Description and click Next. (For example, test_gcp_vcp_flows & GCP Flows)
In Sink Destination, in Select sink service, select Cloud Storage Bucket and in Cloud Storage Bucket, select bucket which you have created as mentioned in pre-requisite.
In Choose Logs to include in Sink, a default log is populated once you select an option in Cloud Storage Bucket and click Next.
(Optional) In Choose Logs to filter out of Sink, choose the logs that you would like not to sink
Click Create Sink. All logs will be sinked and stored in Cloud Storage Bucket
...
In order to ingest VPC logs into Chronicle, you must copy gsutil URL from the configuration of a storage bucket and paste it in the Input parameters of Chronicle Feeds.
...
Configuring a feed in Chronicle Instance:
From your Chronicle instance page, select Settings.
2.Click Feeds where you can find the data feeds that you have configured as well as the default feeds that the Google provided.
Click ADD NEW.
In ADD FEED > Set Properties, select SOURCE TYPE as Google Cloud Storage.
Select the Log Type as GCP VPC Flow.
In Chronicle Service Account, click on GET A SERVICE ACCOUNT. It will create a service account for you.
Click Next.
8.In Input Parameters, paste the gsutil URL that you copied from configuration of a storage bucket.
Click Next.
In Finalize, click Submit.
...
Viewing VPC logs in Cloud Storage Bucket:
To view the VPC logs that are synchronized in cloud storage bucket, first you must grant the Chronicle access. You must add the email address of Chronicle Service Account to the permissions of the relevant Google Cloud Storage object(s). You must also perform the following actions from the Cloud Storage section in the Google Cloud Console.
To grant read permission to a specific file, you can "Edit access" on that file and grant the above email "Reader" access to Chronicle Service Account. This can only be done if you have not enabled uniform bucket-level access.
If you configure the feed to delete source files (see below for how to do this), you must add the above email Chronicle Service Account as a principle on your bucket and grant it the IAM role of Storage Object Admin.
To grant read permission to multiple files you must grant access at the bucket level. Specifically, you must add the above email Chronicle Service Account as a principle to your storage bucket and grant it the IAM role of Storage Object Viewer.
...
Mention CHRONICLE SERVICE ACCOUNT provided by Adaptive MXDR team in New Principals.
In Role, select Storage Object Viewer.
Click Save. A
gsutil URLis generated for a storage bucket that you have enabled permissions
In order to ingest VPC logs into Chronicle, you must copy
gsutil URLfrom the configuration tab of a storage bucket and paste it in the Input parameters of Chronicle Feeds.
...
Integration Parameters
Property | Default Value | Description |
|---|---|---|
STORAGE BUKCET URI | N/A | The URI which corresponds to the Google Cloud Storage bucket. The format is the same format used by |
URI IS A | N/A | The type of object indicated by
|
SOURCE DELETION OPTION | N/A | Whether to delete source files after they have been transferred to Google Security Operations. This reduces storage costs. Valid values are:
|