Ingest GCP Logs to Chronicle

This page shows how to enable and disable the ingestion of your GCP telemetry into Chronicle. Chronicle enables you to store, search and examine the aggregated security information for your enterprise going back for months or longer.

Before you begin

Before you can ingest your GCP telemetry into your Chronicle account, you must complete the following steps:

  1. Contact your Chronicle representative and obtain the one-time access code you need to ingest your GCP telemetry.

  2. Grant the IAM roles required for you to access the Chronicle section:

    • Chronicle Service Admin IAM role for performing all activities.
    • Chronicle Service Viewer IAM role to only view the state of ingestion.

Granting IAM Roles

You can grant the required IAM roles using either the Google Cloud console or using the gcloud CLI.

To grant IAM roles using Google Cloud console, complete the following steps:

  1. Log on to the GCP Organization you want to connect to and navigate to the IAM screen using Products > IAM & Admin > IAM.
  2. From the IAM screen, select the user and click Edit Member.

  3. In the Edit Permissions screen, click Add Another Role and search for Chronicle to find the IAM roles.

  4. Once you have assigned the roles, click Save.

To grant IAM roles using the Google Cloud CLI, complete the following steps:

  1. Ensure you are logged into the correct organization. Verify this by running the gcloud init command.
  2. To grant the admin IAM role from the gCloud tool, run the following command:

    $ gcloud organizations add-iam-policy-binding <ORGANIZATION_ID> --member user:<USER_EMAIL> --role roles/chroniclesm.admin

  3. To grant the viewer IAM role from the gCloud tool, run the following command:

    $ gcloud organizations add-iam-policy-binding <ORGANIZATION_ID> --member user:<USER_EMAIL> --role roles/chroniclesm.viewer

Enabling GCP Telemetry Ingestion

To enable GCP telemetry ingestion into your Chronicle account, complete the following steps:

  1. Navigate to the Chronicle page for the Google Cloud console.
    Go to the Chronicle page

  2. Enter your one-time access code in the 1-time Chronicle access code field.

  3. Check the box labeled I consent to the terms and conditions of Chronicle's usage of my Google Cloud data.

  4. Click Connect Chronicle.

    Connect Chronicle page.

Your GCP telemetry is now going to be sent to Chronicle. You can use Chronicle's analysis features to investigate any security related issues. The sections that follow describe ways to adjust the types of GCP telemetry that are going to be sent to Chronicle

Exporting Google Cloud Logs to Chronicle

You can export the following types of Google Cloud logs to your Chronicle account:

  • GCP_CLOUDAUDIT:
    • log_id("cloudaudit.googleapis.com/activity") (exported by the default filter)
    • log_id("cloudaudit.googleapis.com/system_event") (exported by the default filter)
    • log_id("cloudaudit.googleapis.com/data_access")
    • log_id("cloudaudit.googleapis.com/policy")
    • log_id("cloudaudit.googleapis.com/access_transparency")
  • GCP_CLOUD_NAT:
    • log_id("compute.googleapis.com/nat_flows")
  • GCP_DNS:
    • log_id("dns.googleapis.com/dns_queries") (exported by the default filter)
  • GCP_FIREWALL:
    • log_id("compute.googleapis.com/firewall")

To export your Google Cloud logs to Chronicle, set the Export Cloud logs to Chronicle toggle to enabled. All of the Google Cloud log types listed above will be exported to your Chronicle account.

Export Google Cloud Logs.

Export Filter Settings

By default, your Cloud Audit logs (admin activity and system event) and Cloud DNS logs are sent to your Chronicle account. However, you can customize the export filter to include or exclude specific types of logs. The export filter is based on the Google logging query language.

To define a custom filter for your logs, complete the following steps:

  1. Define your filter by creating a customer filter for your logs using the logging query language. The following documentation describes how to define this type of filter: https://cloud.google.com/logging/docs/view/logging-query-language

  2. Navigate to the Logs Explorer using the link provided on the EXPORT FILTER SETTINGS tab, copy your new query into the Query field and click Run Query to test it.

Export Filter Settings tab

Export Filter Settings tab

Complete the following steps from the Export Filter Settings tab:

  1. When the filter is ready, click the edit icon and paste the filter to the Export filter field on the EXPORT FILTER SETTINGS tab.

  2. Click Save Custom Filter. Your new custom filter works against all new logs exported to your Chronicle account.

  3. You can reset the export filter to the default version by clicking Reset to Default. Be sure to save a copy of your customer filter first.

Export Filter Examples

The following export filter examples illustrate how you can include or exclude certain types of logs from being exported to your Chronicle account.

Export Filter Example 1: Include additional log types

The following export filter exports data access logs in addition to the default logs:

log_id("dns.googleapis.com/dns_queries") OR
log_id("cloudaudit.googleapis.com/activity") OR
log_id("cloudaudit.googleapis.com/system_event") OR
log_id("cloudaudit.googleapis.com/data_access")

Export Filter Example 2: Include additional logs from a specific project

The following export filter exports data access logs from a specific project, in addition to the default logs:

log_id("dns.googleapis.com/dns_queries") OR
log_id("cloudaudit.googleapis.com/activity") OR
log_id("cloudaudit.googleapis.com/system_event") OR
logName = "projects/my-project-id/logs/cloudaudit.googleapis.com%2Fdata_access"

Export Filter Example 3: Include additional logs from a specific folder

The following export filter exports data access logs from a specific folder, in addition to the default logs:

log_id("dns.googleapis.com/dns_queries") OR
log_id("cloudaudit.googleapis.com/activity") OR
log_id("cloudaudit.googleapis.com/system_event") OR
logName = "folders/my-folder-id/logs/cloudaudit.googleapis.com%2Fdata_access"

Export Filter Example 4: Exclude logs from a specific project

The following export filter exports the default logs from the entire GCP organization with the exception of a specific project:

(log_id("dns.googleapis.com/dns_queries") OR
log_id("cloudaudit.googleapis.com/activity") OR
log_id("cloudaudit.googleapis.com/system_event")) AND
(NOT logName =~ "^projects/my-project-id/logs/.*$")

Exporting Google Cloud Asset Metadata to Chronicle

You can export your Google Cloud Asset metadata to Chronicle. This asset metadata is drawn from your Google Cloud Asset Inventory and consists of information about your assets, resources, and identities including the following:

  • Environment
  • Location
  • Zone
  • Hardware models
  • Access control relationships between resources and identities

The following are the specific types of Google Cloud Asset metadata that will be exported to your Chronicle account:

  • GCP_BIGQUERY_CONTEXT
  • GCP_COMPUTE_CONTEXT
  • GCP_IAM_CONTEXT
  • GCP_IAM_ANALYSIS
  • GCP_STORAGE_CONTEXT

The following are some examples of Google Cloud Asset metadata:

  • Application name—Google-iamSample/0.1
  • Project name—projects/my-project

To export your Google Cloud Asset metadata to Chronicle, set the Export Cloud Asset Metadata to Chronicle toggle to enabled.

Enable Cloud Asset Metadata.

The asset metadata surfaces in Chronicle from the log sources GCP IAM Context and GCP IAM Analysis.

Exporting Security Command Center findings to Chronicle

You can export the following SCC Premium Event Threat Detection (ETD) findings to Chronicle:

  • Malware: Bad IP
  • Malware: Bad Domain
  • Persistence: IAM Anomalous Grant
  • Bruteforce: SSH
  • Exfiltration: BigQuery Data Exfiltration

For more information about ETD, see here.

To export your SCC Premium ETD findings to Chronicle, set the Export Security Command Center Premium Findings to Chronicle toggle to enabled.

Enable Security Command Center Premium Findings.

Disabling GCP Telemetry Ingestion

  1. Check the box labeled I want to disconnect Chronicle and stop sending Google Cloud Logs into Chronicle.

  2. Click Disconnect Chronicle.

    Disconnect Chronicle.

Troubleshooting

  • If the relationships between resources and identities are missing from your Chronicle system, set the Export Cloud logs to Chronicle toggle to disabled and then to enabled again.
  • The asset metadata are periodically ingested into Chronicle. Allow several hours for changes to be visible at the Chronicle UI and APIs.

What's next

  • Open your Chronicle account using the customer specific URL provided by your Chronicle representative.
  • Learn more about Chronicle.