Feed management user guide

Overview and prerequisites

Google Security Operations feed management lets you create and manage data feeds to your Google Security Operations account. The feed management UI is built on the feed management API. See the Feed management API documentation for additional information.

Each data feed has its own set of prerequisites that must be completed before you set up the feed in Google Security Operations. These prerequisites are outlined in the Feed configuration by type section of the Feed management API documentation. Search for the data feed type you need to set up and follow the instructions provided.

Delete Source Files

As mentioned in the Overview section, different types of feeds have different prerequisites.

For several feed types, including Cloud Storage, there is a field in the Add new or Edit feed workflow labeled SOURCE DELETION OPTION. This menu has three options:

  1. Never delete files
  2. Delete transferred files and empty directories
  3. Delete transferred files

Options 2 and 3 involve deletions: option 3 deletes the transferred files only, and option 2 also deletes any directories left empty after the transfer. If you select either of those options, you need to add the permissions specific to your feed type, which can be found in the Feed configuration by type section of the Feed management API documentation.

This option lets you delete an object out of the storage system after you have transferred it. Feeds always remember which objects (or files) they have transferred and never transfer the same file twice (unless it has been updated), but you have to set this option if you want the system to delete the source object after it has been (successfully) transferred.

Microsoft Azure Blob Storage doesn't support deletion of source files. The following source deletion options mustn't be used with Microsoft Azure Blob Storage source type:

  • Delete transferred files and empty directories
  • Delete transferred files

When you create a feed with Microsoft Azure Blob Storage source, select only the Never delete files option.

Creating and Editing Feeds

To access the Feed management interface, do the following steps:

  1. In the navigation bar, click Settings.

  2. Under Settings, click Feeds.

The data feeds listed on this page include all the feeds Google has configured for your account in addition to the feeds you have configured.

Add a feed

To add a feed to your Google Security Operations account, complete the following steps. Be sure to complete the prerequisites for the data feed type you plan to add prior to attempting to add a new feed here. See the Overview and prerequisites section for more information.

You can add up to five feeds for each log type.

  1. Click Add New. The Add feed window is displayed.

  2. Add a feed name.
    Note: New feeds require a feed name. Existing feeds will show [Not Configured] on the Feeds page.

  3. Select Source type from the menu. The source type is the mechanism by which you intend to bring data into Google Security Operations. You can select from the following feed source types:

    • Amazon Data Firehose
    • Amazon S3
    • Amazon SQS
    • Google Cloud Pub/Sub Push
    • Google Cloud Storage
    • HTTP(S) Files (non-API)
    • Microsoft Azure Blob Storage
    • Third party API
    • Webhook
  4. Select the Log Type from the menu. The logs available vary depending on which source type you selected previously. Click Next.

    If you select Google Cloud Storage as the source type, use the Get service account option to get a unique service account. In this document, see Google Cloud Storage feed setup example.

  5. Specify the parameters needed from the Input Parameters tab. The options presented here vary depending on the source and log type selected on the Set Properties tab. Hold the pointer over the question icon for each field to get additional information on what you need to provide.

  6. (Optional) You can specify a namespace here. For more information about namespaces, see the asset namespace documentation.

  7. Click Next.

  8. Review your new feed configuration from the Finalize tab. Click Submit when you are ready. Google Security Operations completes a validation check of the new feed. If the feed passes the check, a name is generated for the feed, it is submitted to Google Security Operations, and Google Security Operations begins to attempt to fetch data.

    Figure 4. Finalize Feed Request

Set up a Google Cloud Pub/Sub push feed

To set up a Google Cloud Pub/Sub push feed, do the following:

  1. Create a Google Cloud Pub/Sub push feed.
  2. Specify the endpoint URL in a Pub/Sub subscription.

Create a Google Cloud Pub/Sub push feed

  1. From the Google Security Operations menu, select Settings, and then click Feeds.
  2. Click Add new.
  3. In the Feed name field, enter a name for the feed.
  4. In the Source Type list, select Google Cloud Pub/Sub Push.
  5. Select the Log type. For example, to create a feed for Open Cybersecurity Schema Framework, select Open Cybersecurity Schema Framework (OCSF) as the Log type.
  6. Click Next.
  7. Optional: Specify values for the following input parameters:
    • Split delimiter: the delimiter that is used to separate log lines, such as \n.
    • Asset namespace: the asset namespace.
    • Ingestion labels: the label to be applied to the events from this feed.
  8. Click Next.
  9. Review your new feed configuration in the Finalize screen, and then click Submit.
  10. From the Details tab, copy the feed endpoint URL from the Endpoint Information field. You need this endpoint URL to create a push subscription in Pub/Sub.
  11. To disable the feed, click the Feed Enabled toggle. The feed is enabled by default.
  12. Click Done.

Specify the endpoint URL

After you create a Google Cloud Pub/Sub push feed, in Pub/Sub, create a push subscription, specify the HTTPS endpoint, and enable authentication.

  1. Create a push subscription in Pub/Sub. For more information about how to create a push subscription, see Create push subscriptions.
  2. Specify the endpoint URL, which is available in the Google Cloud Pub/Sub push feed.
  3. Select Enable authentication, and select a service account.

Set up an Amazon Data Firehose feed

To set up an Amazon Data Firehose feed, do the following:

  1. Create an Amazon Data Firehose feed and copy the endpoint URL and secret key.
  2. Create an API key to authenticate to Google Security Operations. You can also reuse your existing API key to authenticate to Google Security Operations.
  3. Specify the endpoint URL in Amazon Data Firehose.

Create an Amazon Data Firehose feed

  1. From the Google Security Operations menu, select Settings, and then click Feeds.
  2. Click Add new.
  3. In the Feed name field, enter a name for the feed.
  4. In the Source Type list, select Amazon Data Firehose.
  5. Select the Log type. For example, to create a feed for Open Cybersecurity Schema Framework, select Open Cybersecurity Schema Framework (OCSF) as the Log type.
  6. Click Next.
  7. Optional: Specify values for the following input parameters:
    • Split delimiter: the delimiter that is used to separate log lines, such as \n.
    • Asset namespace: the asset namespace.
    • Ingestion labels: the label to be applied to the events from this feed.
  8. Click Next.
  9. Review your new feed configuration in the Finalize screen, and then click Submit.
  10. Click Generate Secret Key to generate a secret key to authenticate this feed.
  11. Copy and store the secret key as you cannot view this secret again. You can generate a new secret key again, but regeneration of the secret key makes the previous secret key obsolete.
  12. From the Details tab, copy the feed endpoint URL from the Endpoint Information field. You need this endpoint URL when you specify the destination settings for your delivery stream in Amazon Data Firehose.
  13. To disable the feed, click the Feed Enabled toggle. The feed is enabled by default.
  14. Click Done.

Create an API key for the Amazon Data Firehose feed

  1. Go to the Google Cloud console Credentials page.
  2. Click Create credentials, and then select API key.
  3. Restrict the API key access to the Google Security Operations API.

Specify the endpoint URL

In Amazon Data Firehose, specify the HTTPS endpoint and access key.

  1. Append the API key to the feed endpoint URL and specify this URL as the HTTP endpoint URL in the following format:

      ENDPOINT_URL?key=API_KEY
    

    Replace the following:

    • ENDPOINT_URL: the feed endpoint URL.
    • API_KEY: the API key to authenticate to Google Security Operations.
  2. For the access key, specify the secret key that you obtained when you created the Amazon Data Firehose feed.

Set up an HTTPS webhook feed

To set up an HTTPS webhook feed, do the following:

  1. Create an HTTPS webhook feed and copy the endpoint URL and secret key.
  2. Create an API key that is specified with the endpoint URL. You can also reuse your existing API key to authenticate to Google Security Operations.
  3. Specify the endpoint URL in your application.

Create an HTTPS webhook feed

  1. From the Google Security Operations menu, select Settings, and then click Feeds.
  2. Click Add new.
  3. In the Feed name field, enter a name for the feed.
  4. In the Source Type list, select Webhook.
  5. Select the Log type. For example, to create a feed for Open Cybersecurity Schema Framework, select Open Cybersecurity Schema Framework (OCSF) as the Log type.
  6. Click Next.
  7. Optional: Specify values for the following input parameters:
    • Split delimiter: the delimiter that is used to separate log lines, such as \n.
    • Asset namespace: the asset namespace.
    • Ingestion labels: the label to be applied to the events from this feed.
  8. Click Next.
  9. Review your new feed configuration in the Finalize screen, and then click Submit.
  10. Click Generate Secret Key to generate a secret key to authenticate this feed.
  11. Copy and store the secret key as you cannot view this secret again. You can generate a new secret key again, but regeneration of the secret key makes the previous secret key obsolete.
  12. From the Details tab, copy the feed endpoint URL from the Endpoint Information field. You need to specify this endpoint URL in your client application.
  13. To disable the feed, click the Feed Enabled toggle. The feed is enabled by default.
  14. Click Done.

Create an API key for the webhook feed

  1. Go to the Google Cloud console Credentials page.
  2. Click Create credentials, and then select API key.
  3. Restrict the API key access to the Google Security Operations API.

Specify the endpoint URL

  1. In your client application, specify the HTTPS endpoint, which is available in the webhook feed.
  2. Enable authentication by specifying the API key and secret key as part of the custom header in the following format:

    X-goog-api-key = API_KEY

    X-Webhook-Access-Key = SECRET

    We recommend that you specify the API key as a header instead of specifying it in the URL. If your webhook client doesn't support custom headers, you can specify the API key and secret key by using query parameters in the following format:

      ENDPOINT_URL?key=API_KEY&secret=SECRET
    

    Replace the following:

    • ENDPOINT_URL: the feed endpoint URL.
    • API_KEY: the API key to authenticate to Google Security Operations.
    • SECRET: the secret key that you generated to authenticate the feed.
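The following Python example is added here and is not code from the Google Security Operations documentation or product. It builds a request for the webhook feed in both forms the guide describes (credentials in the X-goog-api-key and X-Webhook-Access-Key headers, or as key and secret query parameters) and also produces the ENDPOINT_URL?key=API_KEY form that the Amazon Data Firehose section uses for the HTTP endpoint URL, so it covers the "Specify the endpoint URL" steps of both feed types. The endpoint, API key, secret and records are constructed placeholders. The credentials_in_url check flags the query-parameter form, since URLs are routinely written to proxy and server access logs, which is why the guide recommends headers.

```python
"""Build an authenticated request to a Google Security Operations feed endpoint.

Added example; not code from the Google Security Operations documentation or
product. ENDPOINT_URL, API_KEY, SECRET and SAMPLE_RECORDS are constructed
placeholders. The header names (X-goog-api-key, X-Webhook-Access-Key) and
the query parameters (key, secret) are the ones the guide describes.
"""
import json
import urllib.parse
import urllib.request

# Constructed placeholders: the real endpoint comes from the feed's Details tab,
# the API key from the Cloud console Credentials page, the secret from
# Generate Secret Key.
ENDPOINT_URL = "https://example.invalid/v1/feeds/FEED_ID:webhook"
API_KEY = "api-key-placeholder"
SECRET = "secret-key-placeholder"
SAMPLE_RECORDS = [  # constructed, OCSF-shaped placeholder records
    {"class_uid": 1001, "message": "first constructed record"},
    {"class_uid": 1001, "message": "second constructed record"},
]


def url_with_key(endpoint_url, api_key, secret=None):
    """Append key (and, if given, secret) as query parameters.

    ENDPOINT_URL?key=API_KEY is the form the guide gives for the Amazon Data
    Firehose HTTP endpoint URL; ENDPOINT_URL?key=API_KEY&secret=SECRET is the
    webhook fallback for clients that cannot send custom headers.
    """
    parts = urllib.parse.urlsplit(endpoint_url)
    query = urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
    query.append(("key", api_key))
    if secret is not None:
        query.append(("secret", secret))
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(query)))


def build_webhook_request(endpoint_url, api_key, secret, records,
                          delimiter="\n", use_headers=True):
    """Return a urllib Request whose body is delimiter-separated JSON records.

    With use_headers=True the credentials travel in X-goog-api-key and
    X-Webhook-Access-Key, the form the guide recommends; with use_headers=False
    they go into the URL as query parameters instead.
    """
    body = delimiter.join(json.dumps(r, separators=(",", ":")) for r in records)
    headers = {"Content-Type": "application/json"}
    if use_headers:
        url = endpoint_url
        headers["X-goog-api-key"] = api_key
        headers["X-Webhook-Access-Key"] = secret
    else:
        url = url_with_key(endpoint_url, api_key, secret)
    return urllib.request.Request(url, data=body.encode("utf-8"),
                                  headers=headers, method="POST")


def header(request, name):
    """Case-insensitive header lookup (urllib normalises header-name case)."""
    for key, value in request.header_items():
        if key.lower() == name.lower():
            return value
    return None


def credentials_in_url(request):
    """True when key or secret ride in the query string.

    A pre-flight check worth running before enabling a client: query strings
    end up in proxy and server access logs far more often than headers do.
    """
    query = urllib.parse.urlsplit(request.full_url).query
    names = {k for k, _ in urllib.parse.parse_qsl(query, keep_blank_values=True)}
    return bool(names & {"key", "secret"})


def send(request, timeout=10):
    """Deliver the request and return the HTTP status (makes a network call)."""
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    req = build_webhook_request(ENDPOINT_URL, API_KEY, SECRET, SAMPLE_RECORDS)
    print(req.full_url, "credentials in URL:", credentials_in_url(req))
    # send(req)  # uncomment once ENDPOINT_URL, API_KEY and SECRET are real
```

Only send() touches the network; everything else can be exercised offline. Note that urllib rewrites header names into capitalised form when it stores them, so the header() helper looks them up case-insensitively rather than by the exact spelling the guide shows.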

Google Cloud Storage feed setup example

  1. From the Google Security Operations menu, select Settings, and then click Feeds.
  2. Click Add New.
  3. Select Google Cloud Storage for Source Type.
  4. Select the Log type. For example, to create a feed for Google Kubernetes Engine audit logs, select Google Kubernetes Engine audit logs as the Log Type.
  5. Click Get service account. Google Security Operations provides a unique service account that Google Security Operations uses to ingest data.
  6. Configure access for the service account to access the Cloud Storage objects. In this document, see Grant access to the Google Security Operations service account.
  7. Click Next.
  8. Based on the Cloud Storage configuration that you created, specify values for the following fields:
    • Storage bucket URI
    • URI is a
    • Source deletion option
  9. Click Next and then click Submit.

Grant access to the Google Security Operations service account

  1. In the Google Cloud console, go to the Cloud Storage Buckets page.


  2. Grant access to the service account to the relevant Cloud Storage objects.

    • To grant read permission to a specific file, complete the following steps:

      1. Select the file and click Edit access.
      2. Click Add principal.
      3. In the New principals field, enter the name of the Google Security Operations service account.
      4. Assign a role that contains the read permission to the Google Security Operations service account. For example, Storage Object Viewer (roles/storage.objectViewer). This can only be done if you have not enabled uniform bucket-level access.
      5. Click Save.
    • To grant read permission to multiple files, you must grant access at the bucket level. You must add the Google Security Operations service account as a principal to your storage bucket and grant it the IAM Storage Object Viewer (roles/storage.objectViewer) role.

      If you configure the feed to delete source files, you must add the Google Security Operations service account as a principal on your bucket and grant it the IAM Storage Object Admin (roles/storage.objectAdmin) role.

Configure VPC Service Controls

If VPC Service Controls is enabled, an ingress rule is required to provide access to the Cloud Storage bucket.

The following Cloud Storage methods must be allowed in the ingress rule:

  • google.storage.objects.list: Required for a single file feed.
  • google.storage.objects.get: Required for feeds that require directory or subdirectory access.
  • google.storage.objects.delete: Required for feeds that require deletion of the source file.

Sample ingress rule

Replace PROJECT_ID with your project ID and use the service account that Google Security Operations provided for the feed (the account shown here is an example value).

- ingressFrom:
    identities:
    - serviceAccount:8911409095528497-0-account@partnercontent.gserviceaccount.com
    sources:
    - accessLevel: "*"
  ingressTo:
    operations:
    - serviceName: storage.googleapis.com
      methodSelectors:
      - method: google.storage.objects.list
      - method: google.storage.objects.get
      - method: google.storage.objects.delete
    resources:
    - projects/PROJECT_ID
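The following Python example is added here and is not code from the Google Security Operations documentation or product. It ties together three earlier parts of this guide for a Cloud Storage feed: the source deletion option (including the rule that a Microsoft Azure Blob Storage source must keep Never delete files), the bucket role the service account needs (Storage Object Viewer for read-only feeds, Storage Object Admin when source files are deleted), and the VPC Service Controls ingress rule above. The rule is embedded as a constructed Python dict with the same shape as the sample YAML (what a YAML parser would produce), so the check runs without extra packages; the service account and project ID are placeholders. One assumption is labelled in the code: the check always expects list and get in the rule and adds delete only for a deleting feed.

```python
"""Check a Cloud Storage feed's bucket role and VPC Service Controls ingress
rule against its source deletion option.

Added example; not code from the Google Security Operations documentation or
product. SAMPLE_RULE is a constructed dict shaped like the guide's sample
ingress rule; SAMPLE_SA and PROJECT_ID are placeholders.
"""

NEVER_DELETE = "Never delete files"
DELETE_FILES = "Delete transferred files"
DELETE_FILES_AND_DIRS = "Delete transferred files and empty directories"
DELETION_OPTIONS = (NEVER_DELETE, DELETE_FILES, DELETE_FILES_AND_DIRS)

LIST = "google.storage.objects.list"
GET = "google.storage.objects.get"
DELETE = "google.storage.objects.delete"


def deletion_option_allowed(source_type, deletion_option):
    """Per the guide, Microsoft Azure Blob Storage feeds must keep Never delete files."""
    if deletion_option not in DELETION_OPTIONS:
        raise ValueError(f"unknown source deletion option: {deletion_option!r}")
    if source_type == "Microsoft Azure Blob Storage":
        return deletion_option == NEVER_DELETE
    return True


def required_role(deletion_option):
    """Bucket-level role the guide calls for: Storage Object Viewer for a
    read-only feed, Storage Object Admin when the feed deletes source files."""
    if deletion_option not in DELETION_OPTIONS:
        raise ValueError(f"unknown source deletion option: {deletion_option!r}")
    if deletion_option == NEVER_DELETE:
        return "roles/storage.objectViewer"
    return "roles/storage.objectAdmin"


def required_methods(deletion_option):
    """Ingress-rule methods to allow.

    Assumption (not stated by the guide): list and get are always expected,
    since which of the two a feed exercises depends on whether its URI is a
    single file or a directory; delete is added only for a deleting feed.
    """
    methods = {LIST, GET}
    if required_role(deletion_option) == "roles/storage.objectAdmin":
        methods.add(DELETE)
    return methods


def allowed_storage_methods(rule):
    """Methods the rule allows for storage.googleapis.com."""
    allowed = set()
    for op in rule.get("ingressTo", {}).get("operations", []):
        if op.get("serviceName") != "storage.googleapis.com":
            continue
        for selector in op.get("methodSelectors", []):
            if "method" in selector:
                allowed.add(selector["method"])
    return allowed


def check_ingress_rule(rule, service_account, deletion_option):
    """Return sorted problem strings; an empty list means the rule covers the feed."""
    problems = []
    member = f"serviceAccount:{service_account}"
    if member not in rule.get("ingressFrom", {}).get("identities", []):
        problems.append(f"identity missing: {member}")
    missing = required_methods(deletion_option) - allowed_storage_methods(rule)
    problems.extend(f"method missing: {m}" for m in sorted(missing))
    return problems


# Constructed sample: the guide's rule shape, but without the delete method,
# so a feed that deletes source files fails the check.
SAMPLE_SA = "SERVICE_ACCOUNT_PLACEHOLDER@partnercontent.gserviceaccount.com"
SAMPLE_RULE = {
    "ingressFrom": {
        "identities": [f"serviceAccount:{SAMPLE_SA}"],
        "sources": [{"accessLevel": "*"}],
    },
    "ingressTo": {
        "operations": [{
            "serviceName": "storage.googleapis.com",
            "methodSelectors": [{"method": LIST}, {"method": GET}],
        }],
        "resources": ["projects/PROJECT_ID"],
    },
}

if __name__ == "__main__":
    for option in DELETION_OPTIONS:
        print(f"{option}: role={required_role(option)} "
              f"problems={check_ingress_rule(SAMPLE_RULE, SAMPLE_SA, option)}")
```

To use it against a real perimeter, load the exported ingress policy with a YAML parser and pass each rule to check_ingress_rule together with the service account from the feed's Get service account step; a non-empty result lists exactly what the feed would be denied.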

Feed status

You can monitor the status of the feed from the initial Feeds page. Feeds can have the following statuses:

  • Active—Feed is configured and ready to ingest data into your Google Security Operations account.
  • InProgress—Google Security Operations is now attempting to pull data from the configured third party.
  • Completed—Data successfully retrieved by this feed.
  • Archived—Disabled feed.
  • Failed—Feed is failing to successfully fetch data. This is likely due to a configuration issue. Click the question icon to display the configuration error. Once you have corrected the error and resubmitted the feed, return to the Feeds page to determine whether the feed is now working.

Edit feeds

From the Feeds page, you can edit an existing feed:

  1. Hold the pointer over an existing feed and click the more_vert icon in the right column.

  2. Click Edit Feed. You can now alter the input parameters for the feed and resubmit it to Google Security Operations. Google Security Operations will attempt to use the edited feed.

Enable and disable feeds

In the Status column, enabled feeds are labeled as Active, InProgress, Completed, or Failed. Disabled feeds are labeled as Archived. For a description of each status, see Feed status.

From the Feeds page, you can enable or disable any of the existing feeds:

  1. Hold the pointer over an existing feed and click the more_vert icon in the right column.

  2. To enable a feed, click the Enable Feed toggle.

  3. To disable a feed, click the Disable Feed toggle. The feed is now labeled as Archived.

Delete feeds

From the Feeds page, you can also delete an existing feed:

  1. Hold the pointer over an existing feed and click the more_vert icon in the right column.

  2. Click Delete Feed. The DELETE FEED window opens. To permanently delete the feed, click Yes, delete it.

Control the rate of ingestion

When the data ingestion rate for a tenant reaches a certain threshold, Google Security Operations restricts the rate of ingestion for new data feeds to prevent a source with a high ingestion rate from affecting the ingestion rate of another data source.

The feeds that ingest data at a rate higher than the threshold are restricted, resulting in delayed ingestion. When the rate of feed ingestion is restricted, excess data is queued to be ingested, so there is a delay but no data is lost.

The ingestion volume and tenant's usage history determine the threshold. If the rate of ingestion does not deviate greatly, then there is no effect on the ingestion rate.

Troubleshooting

From the Feeds page, you can view details such as source type, log type, feed ID, and status of the existing feeds:

  1. Hold the pointer over an existing feed and click the more_vert icon in the right column.

  2. Click View Feed. A dialog appears showing the feed details. For a failed feed, you can find error details under Details > Status.

For a failed feed, the details include the cause of the error and the steps to fix it. The following list describes the error codes that you might encounter when working with data feeds, with the cause of each and the troubleshooting steps.

ACCESS_DENIED
  Cause: The authentication account provided in the feed configuration lacks the required permissions.
  Troubleshooting: Verify that the authentication account provided in the feed configuration has the required permissions. Refer to the feeds documentation for the necessary permissions.

ACCESS_TOO_FREQUENT
  Cause: The feed failed because there were too many attempts to reach the source.
  Troubleshooting: Contact Google Security Operations support.

CONNECTION_DROPPED
  Cause: A connection to the source was established, but the connection closed before the feed was complete.
  Troubleshooting: This error is transient and the application will retry the request. If the issue persists, contact Google Security Operations support.

CONNECTION_FAILED
  Cause: The application can't connect to the source IP address and port.
  Troubleshooting: Check the following:
    • The source is available.
    • A firewall isn't blocking the connection.
    • The IP address associated with the server is correct.
  If the problem continues, contact Google Security Operations support.

DNS_ERROR
  Cause: The source hostname can't be resolved.
  Troubleshooting: The server hostname may be spelled incorrectly. Check the URL and verify the spelling.

FILE_FAILED
  Cause: A connection to the source was established, but there was a problem with the file or resource.
  Troubleshooting: Check the following:
    • The file isn't corrupt.
    • The file-level permissions are correct.
  If the problem continues, contact Google Security Operations support.

FILE_NOT_FOUND
  Cause: A connection to the source was established, but the file or resource can't be found.
  Troubleshooting: Check the following:
    • The file exists on the source.
    • Appropriate users have access to the file.
  If the problem continues, contact Google Security Operations support.

GATEWAY_ERROR
  Cause: The API returned a gateway error to the call made by Google Security Operations.
  Troubleshooting: Verify the source details of the feed. The application will retry the request.

INTERNAL_ERROR
  Cause: Unable to ingest data due to an internal error.
  Troubleshooting: If the problem continues, contact Google Security Operations support.

INVALID_ARGUMENT
  Cause: A connection to the source was established, but the feed failed because of invalid arguments.
  Troubleshooting: Check the feed configuration. Refer to the feeds documentation to learn more about setting up feeds. If the problem continues, contact Google Security Operations support.

INVALID_FEED_CONFIG
  Cause: The feed configuration contains invalid values.
  Troubleshooting: Review the feed configuration for incorrect settings. Refer to the feeds documentation for the correct syntax.

INVALID_REMOTE_RESPONSE
  Cause: A connection to the source was established, but the response was incorrect.
  Troubleshooting: Check the feed configuration. Refer to the feeds documentation to learn more about setting up feeds. If the problem continues, contact Google Security Operations support.

LOGIN_FAILED
  Cause: A connection to the source was established, but the credentials were incorrect or missing.
  Troubleshooting: Re-enter the credentials for the source to confirm that they're correct.

NO_RESPONSE
  Cause: A connection to the source was established, but the source didn't respond.
  Troubleshooting: Make sure the source can support requests from Google Security Operations. If the problem continues, contact Google Security Operations support.

PERMISSION_DENIED
  Cause: A connection to the source was established, but there was a problem with authorization.
  Troubleshooting: Verify that the required access and permissions have been added.

REMOTE_SERVER_ERROR
  Cause: A connection to the source was established, but the source didn't respond with data.
  Troubleshooting: Make sure the source is available and is responding with data. If the problem continues, contact Google Security Operations support.

REMOTE_SERVER_REPORTED_BAD_REQUEST
  Cause: A connection to the source was established, but the source rejected the request.
  Troubleshooting: Check the feed configuration. Refer to the feeds documentation for more details. If the problem continues, contact Google Security Operations support.

SOCKET_READ_TIMEOUT
  Cause: A connection to the source was established, but the connection timed out before the data transfer was complete.
  Troubleshooting: This error is transient and the application will retry the request. If the issue persists, contact Google Security Operations support.

TOO_MANY_ERRORS
  Cause: The feed timed out because it encountered multiple errors from the source.
  Troubleshooting: Contact Google Security Operations support.

TRANSIENT_INTERNAL_ERROR
  Cause: The feed encountered a temporary internal error.
  Troubleshooting: This error is transient and the application will retry the request. If the issue persists, contact Google Security Operations support.

UNSAFE_CONNECTION
  Cause: The application failed to make a connection because the IP address was restricted.
  Troubleshooting: This error is transient and Google Security Operations will retry the request. If the issue persists, contact Google Security Operations support.

HTTP_400
  Cause: The feed failed because of an invalid request.
  Troubleshooting: Check the feed configuration. Refer to the feeds documentation to learn more about setting up feeds. If the problem continues, contact Google Security Operations support.

HTTP_403
  Cause: A connection to the source was established, but there was a problem with authorization.
  Troubleshooting: Verify that the required access and permissions have been added.

HTTP_404
  Cause: A connection to the source was established, but the file or resource can't be found.
  Troubleshooting: Check the following:
    • The file exists on the source.
    • Appropriate users have access to the file.
  If the problem continues, contact Google Security Operations support.

HTTP_429
  Cause: The feed timed out because there were too many attempts to reach the source.
  Troubleshooting: Contact Google Security Operations support.

HTTP_500
  Cause: A connection to the source was established, but the source didn't respond with data.
  Troubleshooting: Make sure the source is available and is responding with data. If the problem continues, contact Google Security Operations support.

HTTP_502
  Cause: The feed encountered a gateway error.
  Troubleshooting: This error is transient and the application will retry the request. If the issue persists, contact Google Security Operations support.

HTTP_504
  Cause: Google Security Operations can't connect to the source IP address and port.
  Troubleshooting: This error is transient and the application will retry the request. Check the following:
    • The source is available.
    • A firewall isn't blocking the connection.
    • The IP address associated with the server is correct.
  If the problem continues, contact Google Security Operations support.