Google Cloud VPC Flow

About The Device

VPC Flow Logs records a sample of network flows sent from and received by VM instances. These logs can be used for network monitoring, forensics, real-time security analysis, and expense optimization.

You can view flow logs in Cloud Logging, and you can export logs to any destination that Cloud Logging export supports. 

Device Information

Entity                                Particulars
Vendor Name                           Google
Product Name                          Cloud VPC Flow
Type of Device                        Cloud

Collection Method

Log Type                              VPC Flow Logs
Ingestion label                       GCP_VPC_FLOW (Raw log telemetry)
Preferred Logging Protocol - Format   Prop Vendor API - JSON
Log Collection Method                 C2C - Storage
Data Source                           https://cloud.google.com/chronicle/docs/reference/feed-management-api#gc-storage

Device Configuration

Please follow the steps below to enable raw log telemetry.

Pre-Requisite:

  1. Create a Cloud Storage bucket.

  2. Obtain the Chronicle Service Account, which will be provided by the Adaptive MXDR Team.

Configure VPC flow logs:

  1. Log in to the Google Cloud account using your credentials.

  2. On the Welcome page, click VPC Network.

  3. In VPC networks, click Default.

  4. In Subnets, select all logs and click Flow Logs > Configure.

  5. Select the Aggregation Interval and enter the Sample Rate (for example, 50%).

  6. Click Save. After saving, VPC logs start flowing into Chronicle.

  7. Next, search for Logging in the search bar at the top and press Enter. By default, this opens Logs Explorer.

  8. In Logs Explorer you can see logs that come from multiple sources. Filter the logs by choosing VPC_flows in Log Name and click Apply. All VPC logs are then listed on the page.

  9. Click More Actions and select Create Sink.

  10. In the Logs Router screen, in the Create logs routing sink window, fill in the following details:

  • In Sink Details, enter a Name and Description (for example, test_gcp_vcp_flows and GCP Flows) and click Next.

  • In Sink Destination, under Select sink service, select Cloud Storage bucket and, in Cloud Storage bucket, select the bucket you created as mentioned in the pre-requisites.

  • In Choose logs to include in sink, a default filter is populated once you select a Cloud Storage bucket; click Next.

  • (Optional) In Choose logs to filter out of sink, choose the logs you do not want to sink.

  • Click Create Sink. All matching logs will be routed to and stored in the Cloud Storage bucket.

Viewing VPC logs in Cloud Storage Bucket:

To view the VPC logs that are routed to the Cloud Storage bucket, you must first grant Chronicle access. Add the email address of the Chronicle Service Account to the permissions of the relevant Cloud Storage object(s). You must perform the following actions from the Cloud Storage section of the Google Cloud Console.

  • To grant read permission to a specific file, use "Edit access" on that file and grant "Reader" access to the Chronicle Service Account. This is only possible if you have not enabled uniform bucket-level access.

  • If you configure the feed to delete source files (see below for how to do this), you must add the Chronicle Service Account as a principal on your bucket and grant it the IAM role Storage Object Admin.

  • To grant read permission to multiple files, you must grant access at the bucket level: add the Chronicle Service Account as a principal on your storage bucket and grant it the IAM role Storage Object Viewer.

To grant permission to multiple files in a single bucket at once, follow these steps:

  1. Click the bucket on which you would like to enable permissions.

  2. In Permissions, click ADD.

  3. In New Principals, enter the CHRONICLE SERVICE ACCOUNT provided by the Adaptive MXDR team.

  4. In Role, select Storage Object Viewer.

  5. Click Save. A gsutil URL is generated for the storage bucket on which you have enabled permissions.

  6. To ingest VPC logs into Chronicle, copy the gsutil URL from the Configuration tab of the storage bucket and paste it into the Input parameters of the Chronicle feed.


Integration Parameters

Property                 Default Value   Description

STORAGE BUCKET URI       N/A             The URI that corresponds to the Google Cloud Storage bucket. The format is the same format used by gsutil to specify a resource.

URI IS A                 N/A             The type of object indicated by bucketUri. Valid values are:

  • FILES: The URI points to a single file, which will be ingested with each execution of the feed.

  • FOLDERS: The URI points to a directory. All files contained within the directory will be ingested with each execution of the feed.

  • FOLDERS_RECURSIVE: The URI points to a directory. All files and directories contained within the indicated directory will be ingested, including all files and directories within those directories, and so on.

SOURCE DELETION OPTION   N/A             Whether to delete source files after they have been transferred to Google Security Operations. This reduces storage costs. Valid values are:

  • SOURCE_DELETION_NEVER: Never delete files from the source.

  • SOURCE_DELETION_ON_SUCCESS: Delete files and empty directories from the source after successful ingestion.

  • SOURCE_DELETION_ON_SUCCESS_FILES_ONLY: Delete files from the source after successful ingestion.
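The permission rules above (Storage Object Viewer for read-only ingestion, Storage Object Admin only when the feed deletes source files) and the feed parameters in this table can be checked before the feed is created. The following is an added example, not code from the guide or from Google: it validates the three parameters, derives the least-privilege bucket role for the Chronicle Service Account, and builds the matching gcloud binding command. The trailing-slash convention for directory URIs and the sample bucket and service-account names are assumptions.

```python
"""Check Chronicle GCS feed parameters and derive the least-privilege bucket role.

Added example, not part of the original guide. Role choice follows the guide:
Storage Object Viewer for read-only ingestion, Storage Object Admin only when
the feed deletes source files. Trailing-slash rule and sample names are assumptions.
"""
import re

URI_IS_A_VALUES = {"FILES", "FOLDERS", "FOLDERS_RECURSIVE"}
DELETION_VALUES = {"SOURCE_DELETION_NEVER", "SOURCE_DELETION_ON_SUCCESS",
                   "SOURCE_DELETION_ON_SUCCESS_FILES_ONLY"}
# gsutil-style URI gs://bucket[/path]; bucket-name rule simplified.
_GS_URI = re.compile(r"^gs://([a-z0-9][a-z0-9._-]{1,61}[a-z0-9])(/.*)?$")


def required_chronicle_role(source_deletion_option: str) -> str:
    """Deleting source objects needs Object Admin; otherwise Object Viewer is enough."""
    if source_deletion_option not in DELETION_VALUES:
        raise ValueError(f"unknown SOURCE DELETION OPTION: {source_deletion_option}")
    if source_deletion_option == "SOURCE_DELETION_NEVER":
        return "roles/storage.objectViewer"
    return "roles/storage.objectAdmin"


def validate_feed_params(bucket_uri: str, uri_is_a: str, source_deletion_option: str) -> dict:
    """Validate the three feed inputs; return the bucket and the role to bind on it."""
    m = _GS_URI.match(bucket_uri)
    if not m:
        raise ValueError(f"STORAGE BUCKET URI must be gs://bucket[/path], got {bucket_uri!r}")
    if uri_is_a not in URI_IS_A_VALUES:
        raise ValueError(f"unknown URI IS A value: {uri_is_a}")
    bucket, path = m.group(1), m.group(2) or "/"
    # Assumption: FILES names one object; FOLDERS* name a prefix ending in "/".
    if uri_is_a == "FILES" and path.endswith("/"):
        raise ValueError("URI IS A=FILES requires a URI that names a single object")
    if uri_is_a != "FILES" and not path.endswith("/"):
        raise ValueError("URI IS A=FOLDERS/FOLDERS_RECURSIVE requires a directory URI ending in '/'")
    return {"bucket": bucket, "role": required_chronicle_role(source_deletion_option)}


def grant_command(service_account: str, params: dict) -> str:
    """gcloud command that adds the binding at bucket level (works with uniform bucket-level access)."""
    return (f"gcloud storage buckets add-iam-policy-binding gs://{params['bucket']} "
            f"--member=serviceAccount:{service_account} --role={params['role']}")
```

Run `validate_feed_params` with the values you intend to enter in the feed; a ValueError means the feed would be misconfigured, and the returned role is the only one the service account needs on the bucket.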

About Accenture:
Accenture is a leading global professional services company that helps the world’s leading businesses, governments and other organizations build their digital core, optimize their operations, accelerate revenue growth and enhance citizen services—creating tangible value at speed and scale. We are a talent and innovation led company with 738,000 people serving clients in more than 120 countries. Technology is at the core of change today, and we are one of the world’s leaders in helping drive that change, with strong ecosystem relationships. We combine our strength in technology with unmatched industry experience, functional expertise and global delivery capability. We are uniquely able to deliver tangible outcomes because of our broad range of services, solutions and assets across Strategy & Consulting, Technology, Operations, Industry X and Accenture Song. These capabilities, together with our culture of shared success and commitment to creating 360° value, enable us to help our clients succeed and build trusted, lasting relationships. We measure our success by the 360° value we create for our clients, each other, our shareholders, partners and communities. Visit us at www.accenture.com.

About Accenture Security
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

Legal notice: Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. This document is intended for general informational purposes only and does not take into account the reader’s specific circumstances, and may not reflect the most current developments. Accenture disclaims, to the fullest extent permitted by applicable law, any and all liability for the accuracy and completeness of the information in this presentation and for any acts or omissions made based on such information. Accenture does not provide legal, regulatory, audit, or tax advice. Readers are responsible for obtaining such advice from their own legal counsel or other licensed professionals.