Use ingestion scripts deployed as Cloud Run functions

Supported in:

Google Security Operations has provided a set of ingestion scripts, written in Python, that are intended to be deployed as Cloud Run functions. These scripts enable you to ingest data from the following log sources, listed by name and log type.

  • Armis Google Security Operations Integration
  • Aruba Central (ARUBA_CENTRAL)
  • Azure Event Hub (configurable log type)
  • Box (BOX)
  • Citrix Cloud audit logs (CITRIX_MONITOR)
  • Citrix session metadata (CITRIX_SESSION_METADATA)
  • Cloud Storage (configurable log type)
  • Duo Activity (DUO_ACTIVITY)
  • Duo Admin (DUO_ADMIN)
  • MISP (MISP_IOC)
  • OneLogin (ONELOGIN_SSO)
  • OneLogin user context (ONELOGIN_USER_CONTEXT)
  • Proofpoint (configurable log type)
  • Pub/Sub (configurable log type)
  • Slack audit logs (SLACK_AUDIT)
  • STIX/TAXII threat intelligence (STIX)
  • Tenable.io (TENABLE_IO)
  • Trend Micro Cloud App Security (configurable log type)
  • Trend Micro Vision One audit logs (TREND_MICRO_VISION_AUDIT)

These scripts are located in the Google Security Operations GitHub repository.

Known limitation: When these scripts are used in a stateless environment such as Cloud Run functions, they may not send all logs to Google Security Operations because they lack checkpoint functionality. Google Security Operations has tested the scripts with the Python 3.9 runtime.

Before you begin

Read the following resources that provide context and background information that enable you to use the Google Security Operations ingestion scripts effectively.

Assemble the files for a single log type

Each sub-directory in Google Security Operations GitHub contains files that ingest data for a single Google Security Operations log type. The script connects to a single source device and then sends raw logs to Google Security Operations using the Ingestion API. We recommend that you deploy each log type as a separate Cloud Run function. Access the scripts in the Google Security Operations GitHub repository. Each sub-directory in GitHub contains the following files specific to the log type it ingests.

  • main.py is the ingestion script specific to the log type. It connects to the source device and ingests data to Google Security Operations.
  • .env.yml stores configuration required by the Python script and is specific to the deployment. You modify this file to set configuration parameters required by the ingestion script.
  • README.md provides information about configuration parameters.
  • Requirements.txt defines the dependencies required by the ingestion script. In addition, the common folder contains utility functions that all ingestion scripts depend on.

Perform the following steps to assemble the files that ingest data for a single log type:

  1. Create a deployment directory to store the files for the Cloud Run function. This will contain all files needed for the deployment.
  2. Copy all files from the GitHub sub-directory of the selected log type, for example OneLogin User Context, to this deployment directory.
  3. Copy the common folder and all contents to the deployment directory.
  4. The contents of the directory will look similar to the following:

    one_login_user
    ├─common
    │  ├─__init__.py
    │  ├─auth.py
    │  ├─env_constants.py
    │  ├─ingest.py
    │  ├─status.py
    │  └─utils.py
    ├─env.yml
    ├─main.py
    └─requirements.txt
    

Configure the scripts

  1. Launch a Cloud Shell session.
  2. Connect with SSH to a Google Cloud Linux VM. See Connect to Linux VMs using Google tools.
  3. Upload the ingestion scripts by clicking More > Upload or Download to move your files or folders to or from Cloud Shell.

    Files and folders can only be uploaded to and downloaded from your home directory. For more options to transfer files between Cloud Shell and your local workstation, see [Upload and download files and folders from Cloud Shell](/shell/docs/uploading-and-downloading-files#upload_and_download_files_and_folders.

  4. Edit the .env.yml file for the function and populate the required environment variables. The following table lists runtime environment variables common to all ingestion scripts.

    Variable name Description Required Default Secret
    CHRONICLE_CUSTOMER_ID Google Security Operations customer ID. Yes None No
    CHRONICLE_REGION Google Security Operations region. Yes us
    Other valid values: asia-northeast1, asia-south1, asia-southeast1, australia-southeast1, europe, europe-west2, europe-west3, europe-west6, europe-west12, me-central1, me-central2, me-west1, and northamerica-northeast2.
    No
    CHRONICLE_SERVICE_ACCOUNT Contents of the Google Security Operations service account JSON file. Yes None Yes
    CHRONICLE_NAMESPACE The namespace that the Google Security Operations logs are labeled with. For information about Google Security Operations namespaces, see Work with asset namespaces. No None No

  5. Each script requires environment variables specific to the script. See Configuration parameters by log type for details about the environment variables required by each log type.

Environment variables marked as Secret = Yes must be configured as secrets in Secret Manager. See Secret Manager pricing for information on the cost of using Secret Manager.

See Creating and accessing secrets for detailed instructions.

After the secrets are created in Secret Manager, use the secret resource name as the value for environment variables. For example: projects/{project_id}/secrets/{secret_id}/versions/{version_id}, where {project_id}, {secret_id}, and {version_id} are specific to your environment.

Set up a scheduler or trigger

All scripts, except Pub/Sub, are implemented to collect the data at periodic intervals from a source device. You must set up a trigger using Cloud Scheduler to fetch data over time. The ingestion script for Pub/Sub continuously monitors the Pub/Sub subscription. For more information, see Running services on a schedule and Using Pub/Sub to trigger a Cloud Run function.

Deploy the Cloud Run function

  1. Launch a Cloud Shell session.
  2. Connect via SSH to a Google Cloud Linux VM. See Connect to Linux VMs using Google tools.
  3. Change to the directory where you copied ingestion scripts.
  4. Execute the following command to deploy the Cloud Run function.

    gcloud functions deploy <FUNCTION NAME> --service-account <SERVICE_ACCOUNT_EMAIL> --entry-point main --trigger-http --runtime python39 --env-vars-file .env.yml

    Replace <FUNCTION_NAME> with the name you define for the Cloud Run function.

    Replace <SERVICE_ACCOUNT_EMAIL> with the email address of the service account you want your Cloud Run function to use. account you want your Cloud Run function to use.

    If you don't change directory to the location of the files, make sure to use the --source option to specify the location of the deployment scripts.

    The service account running your Cloud Run function must have the Cloud Functions Invoker (roles/cloudfunctions.invoker) and Secret Manager Secret Accessor (roles/secretmanager.secretAccessor) roles.

View runtime logs

The ingestion scripts print runtime messages to stdout. Cloud Run functions provides a mechanism to view log messages. For more information, see the Cloud Functions information about Viewing runtime logs.

Configuration parameters by log type

Armis Google Security Operations Integration

This script collects the data using API calls from the Armis platform for different types of events like alerts, activities, devices, and vulnerabilities. The collected data is ingested into Google Security Operations and parsed by the corresponding parsers.

Script flow

Following is the flow of the script:

  1. Verify environment variables.

  2. Deploy the script to Cloud Run functions.

  3. Collect data using the ingestion script.

  4. Ingest collected data into Google Security Operations.

  5. Parse collected data through corresponding parsers in Google Security Operations.

Use a script to collect and ingest data into Google Security Operations

  1. Verify environment variables.

    Variable Description Required Default Secret
    CHRONICLE_CUSTOMER_ID Google Security Operations customer ID. Yes - No
    CHRONICLE_REGION Google Security Operations region. Yes US Yes
    CHRONICLE_SERVICE_ACCOUNT Contents of the Google Security Operations service account JSON file. Yes - Yes
    CHRONICLE_NAMESPACE The namespace that the Google Security Operations logs are labeled with. No - No
    POLL_INTERVAL Frequency interval at which the function executes to get additional Frequency interval at which the function executes to get additional log data (in minutes). This duration must be the same as the Cloud Scheduler job interval. Yes 10 No
    ARMIS_SERVER_URL Server URL of Armis platform. Yes - No
    ARMIS_API_SECRET_KEY Secret key required to authenticate. Yes - Yes
    HTTPS_PROXY Proxy server URL. No - No
    CHRONICLE_DATA_TYPE Google Security Operations data type to push data into the Google Security Operations. Yes - No
  2. Set up the directory.

    Create a new directory for the Cloud Run functions deployment and add to it a common directory and the contents of the ingestion script (armis).

  3. Set the required runtime environment variables.

    Define the required environment variables in the .env.yml file.

  4. Use secrets.

    Environment variables marked as secret must be configured as secrets in the Secret Manager. For more information on how to create secrets, see Create a secret.

    After creating the secrets in Secret Manager, use the secret's resource name as the value for environment variables. For example:

    CHRONICLE_SERVICE_ACCOUNT: projects/{project_id}/secrets/{secret_id}/versions/{version_id}

  5. Configure the namespace.

    Set the CHRONICLE_NAMESPACE environment variable to configure the namespace. The Google Security Operations logs are ingested into the namespace.

  6. Deploy the Cloud Run functions.

    Run the following command from inside the previously created directory to deploy the cloud function. gcloud functions deploy <FUNCTION NAME> --gen2 --entry-point main --trigger-http --runtime python39 --env-vars-file .env.yml

  7. Cloud Run functions default specifications.

    Variable Default Description
    Memory 256 MB None None
    Timedout 60 seconds None None
    Region us-central1 None None
    Minimum Instances 0 None None
    Maximum Instances 100 None None

    For more information on how to configure these variables, see Configure Cloud Run functions.

  8. Fetch historical data.

    To fetch historical data and continue collecting real-time data:

    1. Configure the POLL_INTERVAL environment variable in minutes for which the historical data needs to be fetched.
    2. Trigger the function using a scheduler or manually by running the command in Google Cloud CLI after configuring Cloud Run functions.

Aruba Central

This script fetches audit logs from the Aruba Central platform and ingests them into Google Security Operations with the ARUBA_CENTRAL log type. For information about how the library can be used, see the pycentral Python SDK.

Define the following environment variables in the .env.yml file.

Variable Description Default Secret
CHRONICLE_CUSTOMER_ID Google Security Operations instance customer ID. None No
CHRONICLE_REGION Google Security Operations instance region. us
Other valid values: asia-northeast1, asia-south1, asia-southeast1, australia-southeast1, europe, europe-west2, europe-west3, europe-west6, europe-west12, me-central1, me-central2, me-west1, and northamerica-northeast2.
No
CHRONICLE_SERVICE_ACCOUNT Path to the secret in Secret Manager that stores the Google Security Operations service account JSON file. None Yes
CHRONICLE_NAMESPACE The namespace that the Google Security Operations logs are labeled with. For information about Google Security Operations namespaces, see Work with asset namespaces. None No
POLL_INTERVAL Frequency interval at which the function executes to get additional log data (in minutes). This duration must be the same as the Cloud Scheduler job interval. 10 No
ARUBA_CLIENT_ID Aruba Central API gateway client ID. None No
ARUBA_CLIENT_SECRET_SECRET_PATH Aruba Central API gateway client secret. None Yes
ARUBA_USERNAME Username of Aruba Central platform. None No
ARUBA_PASSWORD_SECRET_PATH Password of Aruba Central platform. None Yes
ARUBA_BASE_URL Base URL of Aruba Central API gateway. None No
ARUBA_CUSTOMER_ID Customer ID of Aruba Central platform. None No

Azure Event Hub

Unlike other ingestion scripts, this script uses Azure functions to fetch events from Azure Event Hub. An Azure function triggers itself whenever a new event is added into a bucket, and each event is gradually ingested into Google Security Operations.

Steps to deploy Azure functions:

  1. Download the data connector file named Azure_eventhub_API_function_app.json from the repository.
  2. Sign in to your Microsoft Azure portal.
  3. Navigate to Microsoft Sentinel > Select your workspace from the list > Select Data Connector in the configuration section, and do the following:
  4. Click the Deploy to Azure button to deploy your function, and follow the steps mentioned on the same page.
  5. Select the preferred Subscription, Resource group, and Location and provide the required values.
  6. Click Review + Create.
  7. Click Create to deploy.

Box

This script gets details about events that happen within Box and ingests them into Google Security Operations with the BOX log type. The data provide insights into CRUD operations on objects in the Box environment. For information about Box events, see the Box events API.

Define the following environment variables in the .env.yml file. For more information about the Box Client ID, Client Secret, and Subject ID, see Client Credentials Grant .

Variable name Description Default Value Secret
CHRONICLE_CUSTOMER_ID Google Security Operations instance customer ID. None No
POLL_INTERVAL Frequency interval at which the function executes to get additional log data (in minutes). This duration must be the same as the Cloud Scheduler job interval. 5 No
CHRONICLE_REGION Google Security Operations instance region. us
Other valid values: asia-northeast1, asia-south1, asia-southeast1, australia-southeast1, europe, europe-west2, europe-west3, europe-west6, europe-west12, me-central1, me-central2, me-west1, and northamerica-northeast2.
No
CHRONICLE_SERVICE_ACCOUNT Path to the secret in Secret Manager that stores the Google Security Operations service account JSON file. None Yes
BOX_CLIENT_ID Client ID of Box platform, available in Box developer console. None No
BOX_CLIENT_SECRET Path to the secret in Secret Manager that stores the client secret of Box platform used for authentication. None Yes
BOX_SUBJECT_ID Box User ID or Enterprise ID. None No
CHRONICLE_NAMESPACE The namespace that the Google Security Operations logs are labeled with. For information about Google Security Operations namespaces, see Work with asset namespaces. None No

Citrix Cloud audit logs

This script collects Citrix Cloud audit logs and ingests them into Google Security Operations with the CITRIX_MONITOR log type. These logs help identify activities performed in the Citrix Cloud environment by providing information about what changed, who changed it, when it was changed, and so forth. For more information, see the Citrix Cloud SystemLog API.

Define the following environment variables in the .env.yml file. For information about Citrix Client IDs and Client Secrets, see Getting started with Citrix APIs.

Variable name Description Default Value Secret
CHRONICLE_CUSTOMER_ID Google Security Operations instance customer ID. None No
CHRONICLE_REGION Google Security Operations instance region. us
Other valid values: asia-northeast1, asia-south1, asia-southeast1, australia-southeast1, europe, europe-west2, europe-west3, europe-west6, europe-west12, me-central1, me-central2, me-west1, and northamerica-northeast2.
No
CHRONICLE_SERVICE_ACCOUNT Path to the secret in Secret Manager that stores the Google Security Operations service account JSON file. None Yes
CITRIX_CLIENT_ID Citrix API Client ID. None No
CITRIX_CLIENT_SECRET Path to the secret in Secret Manager that stores the Citrix API Client Secret used for authentication. None Yes
CITRIX_CUSTOMER_ID Citrix CustomerID. None No
POLL_INTERVAL Frequency interval at which additional log data is collected (in minutes). This duration must be the same as the Cloud Scheduler job interval. 30 No
URL_DOMAIN Citrix Cloud Endpoint. None No
CHRONICLE_NAMESPACE The namespace that the Google Security Operations logs are labeled with. For information about Google Security Operations namespaces, see Work with asset namespaces. None No

Citrix session metadata

This script collects Citrix session metadata from Citrix environments and ingests it into Google Security Operations with the CITRIX_MONITOR log type. The data includes user login details, session duration, session creation time, session ending time, and other metadata related to session. For more information, see the Citrix Monitor Service API.

Define the following environment variables in the .env.yml file. For information about Citrix Client IDs and Client Secrets, see Getting started with Citrix APIs.

Variable name Description Default Value Secret
CHRONICLE_CUSTOMER_ID Google Security Operations instance customer ID. None No
CHRONICLE_REGION Google Security Operations instance region. us
Other valid values: asia-northeast1, asia-south1, asia-southeast1, australia-southeast1, europe, europe-west2, europe-west3, europe-west6, europe-west12, me-central1, me-central2, me-west1, and northamerica-northeast2.
No
CHRONICLE_SERVICE_ACCOUNT Path to the secret in Secret Manager that stores the Google Security Operations service account JSON file. None Yes
URL_DOMAIN Citrix URL domain. None No
CITRIX_CLIENT_ID Citrix Client ID. None No
CITRIX_CLIENT_SECRET Path to the secret in Secret Manager that stores the Citrix Client Secret used for authentication. None Yes
CITRIX_CUSTOMER_ID Citrix customer ID. None No
POLL_INTERVAL Frequency interval at which the function executes to get additional log data (in minutes). This duration must be the same as the Cloud Scheduler job interval. 30 No
CHRONICLE_NAMESPACE The namespace that the Google Security Operations logs are labeled with. For information about Google Security Operations namespaces, see Work with asset namespaces. None No

Cloud Storage

This script fetches system logs from Cloud Storage and ingests them into Google Security Operations with a configurable value for the log type. For details, see the Google Cloud Python client library.

Define the following environment variables in the .env.yml file. Google Cloud has security-relevant logs from which some log types are not exportable directly to Google Security Operations. For more information, see Security logs analytics.

Variable Description Default Secret
CHRONICLE_CUSTOMER_ID Google Security Operations instance customer ID. None No
CHRONICLE_REGION Google Security Operations instance region. us
Other valid values: asia-northeast1, asia-south1, asia-southeast1, australia-southeast1, europe, europe-west2, europe-west3, europe-west6, europe-west12, me-central1, me-central2, me-west1, and northamerica-northeast2.
No
CHRONICLE_SERVICE_ACCOUNT Path to the secret in Secret Manager that stores the Google Security Operations service account JSON file. None Yes
CHRONICLE_NAMESPACE The namespace that the Google Security Operations logs are labeled with. For information about Google Security Operations namespaces, see Work with asset namespaces. None No
POLL_INTERVAL Frequency interval at which the function executes to get additional log data (in minutes). This duration must be the same as the Cloud Scheduler job interval. 60 No
GCS_BUCKET_NAME Name of the Cloud Storage bucket from which to fetch the data. None No
GCP_SERVICE_ACCOUNT_SECRET_PATH Path to the secret in Secret Manager that stores the Google Cloud Service Account JSON file. None Yes
CHRONICLE_DATA_TYPE Log type to push data into the Google Security Operations instance. None No

Duo Activity

This script fetches Duo Activity logs from Duo Admin and ingests them into Google Security Operations with the DUO_ACTIVITY log type. For more information, see the Duo Admin API.

Define the following environment variables in the .env.yml file.

Variable name Description Default Value Secret
CHRONICLE_CUSTOMER_ID Google Security Operations instance customer ID. None No
CHRONICLE_REGION Google Security Operations instance region. us
Other valid values: asia-northeast1, asia-south1, asia-southeast1, australia-southeast1, europe, europe-west2, europe-west3, europe-west6, europe-west12, me-central1, me-central2, me-west1, and northamerica-northeast2.
No
CHRONICLE_SERVICE_ACCOUNT Path to the secret in Secret Manager that stores the Google Security Operations service account JSON file. None Yes
BACKSTORY_API_V1_URL The URL path of Duo Security API. For more information about downloading JSON file that contains the DUO Admin API integration key, see Duo Admin documentation. None Yes
DUO_SECRET_KEY The DUO secret key required to fetch logs from the DUO API. See Duo Admin documentation for instructions about downloading the JSON file that contains the Duo Admin API integration key, Duo Admin API secret key, and the Duo Admin API hostname.
None Yes
DUO_INTEGRATION_KEY The DUO integration key required to fetch logs from the DUO API. See Duo Admin documentation for instructions about downloading the JSON file that contains the Duo Admin API integration key, Duo Admin API secret key, and the Duo Admin API hostname.
None Yes
LOG_FETCH_DURATION The duration for which the logs are fetched. 1 No
CHECKPOINT_FILE_PATH The path of file where the checkpoint timestamp of last ingested log is stored. checkpoint.json No
CHRONICLE_NAMESPACE The namespace that the Google Security Operations logs are labeled with. For information about Google Security Operations namespaces, see Work with asset namespaces. None No

Duo Admin

The script gets events from Duo Admin related to CRUD operations performed on various objects such as user account and security. The events are ingested into Google Security Operations with the DUO_ADMIN log type. For more information, see the Duo Admin API.

Define the following environment variables in the .env.yml file.

Variable name Description Default Value Secret
CHRONICLE_CUSTOMER_ID Google Security Operations instance customer ID. None No
CHRONICLE_REGION Google Security Operations instance region. us
Other valid values: asia-northeast1, asia-south1, asia-southeast1, australia-southeast1, europe, europe-west2, europe-west3, europe-west6, europe-west12, me-central1, me-central2, me-west1, and northamerica-northeast2.
No
CHRONICLE_SERVICE_ACCOUNT Path to the secret in Secret Manager that stores the Google Security Operations service account JSON file. None Yes
POLL_INTERVAL Frequency interval at which the function executes to get additional log data (in minutes). This duration must be the same as the Cloud Scheduler job interval. None No
DUO_API_DETAILS Path to the secret in Secret Manager that stores the Duo account JSON file. This contains the Duo Admin API integration key, Duo Admin API secret key, and the Duo Admin API hostname. For example:
{ "ikey": "abcd123", "skey": "def345", "api_host": "abc-123" }
See Duo Admin documentation for instructions about downloading the JSON file.
None Yes
CHRONICLE_NAMESPACE The namespace that the Google Security Operations logs are labeled with. For information about Google Security Operations namespaces, see Work with asset namespaces. None No

MISP

This script fetches threat relation information from MISP, an open source threat intelligence and sharing platform, and ingests it into Google Security Operations with the MISP_IOC log type. For more information, see the MISP Events API.

Define the following environment variables in the .env.yml file.

Variable Description Default Value Secret
CHRONICLE_CUSTOMER_ID Google Security Operations instance customer ID. None No
POLL_INTERVAL Frequency interval at which the function executes to get additional log data (in minutes). This duration must be the same as the Cloud Scheduler job interval. 5 No
CHRONICLE_REGION Google Security Operations instance region. us
Other valid values: asia-northeast1, asia-south1, asia-southeast1, australia-southeast1, europe, europe-west2, europe-west3, europe-west6, europe-west12, me-central1, me-central2, me-west1, and northamerica-northeast2.
No
CHRONICLE_SERVICE_ACCOUNT Path to the secret in Secret Manager that stores the Google Security Operations service account JSON file. None Yes
ORG_NAME Organization name for filtering events. None No
API_KEY Path to the secret in Secret Manager that stores the API key for used authentication. None Yes
TARGET_SERVER The IP address of the MISP instance that you created. None No
CHRONICLE_NAMESPACE The namespace that the Google Security Operations logs are labeled with. For information about Google Security Operations namespaces, see Work with asset namespaces. None No

OneLogin Events

This script gets events from a OneLogin environment and ingests them into Google Security Operations with the ONELOGIN_SSO log type. These events provide information such as operations on user accounts. For more information, see the OneLogin Events API .

Define the following environment variables in the .env.yml file. For information about OneLogin Client IDs and Client Secrets, see Working with API Credentials.

Variable name Description Default Value Secret
CHRONICLE_CUSTOMER_ID Google Security Operations instance customer ID. None No
POLL_INTERVAL Frequency interval at which the function executes to get additional log data (in minutes). This duration must be the same as the Cloud Scheduler job interval. 5 No
CHRONICLE_REGION Google Security Operations instance region. us
Other valid values: asia-northeast1, asia-south1, asia-southeast1, australia-southeast1, europe, europe-west2, europe-west3, europe-west6, europe-west12, me-central1, me-central2, me-west1, and northamerica-northeast2.
No
CHRONICLE_SERVICE_ACCOUNT Path to the secret in Secret Manager that stores the Google Security Operations service account JSON file. None Yes
CLIENT_ID Client ID of OneLogin platform. None No
CLIENT_SECRET Path to the secret in Secret Manager that stores the client secret of OneLogin platform used for authentication. None Yes
TOKEN_ENDPOINT The URL to request an Access Token. https://api.us.onelogin.com/auth/oauth2/v2/token No
CHRONICLE_NAMESPACE The namespace that the Google Security Operations logs are labeled with. For information about Google Security Operations namespaces, see Work with asset namespaces. None No

OneLogin user context

This script gets data related to user accounts from a OneLogin environment and ingests it into Google Security Operations with the ONELOGIN_USER_CONTEXT log type. For more information, see the OneLogin User API .

Define the following environment variables in the .env.yml file. For information about OneLogin Client IDs and Client Secrets, see Working with API Credentials.

Variable name Description Default Value Secret
CHRONICLE_CUSTOMER_ID Google Security Operations instance customer ID. None No
POLL_INTERVAL Frequency interval at which the function executes to get additional log data (in minutes). This duration must be the same as the Cloud Scheduler job interval. 30 No
CHRONICLE_REGION Google Security Operations instance region. us
Other valid values: asia-northeast1, asia-south1, asia-southeast1, australia-southeast1, europe, europe-west2, europe-west3, europe-west6, europe-west12, me-central1, me-central2, me-west1, and northamerica-northeast2.
No
CHRONICLE_SERVICE_ACCOUNT Path to the secret in Secret Manager that stores the Google Security Operations service account JSON file. None Yes
CLIENT_ID Client ID of OneLogin platform. None No
CLIENT_SECRET Path to the secret in Secret Manager that stores the client secret of OneLogin platform used for authentication. None Yes
TOKEN_ENDPOINT The URL to request an Access Token. https://api.us.onelogin.com/auth/oauth2/v2/token No
CHRONICLE_NAMESPACE The namespace that the Google Security Operations logs are labeled with. For information about Google Security Operations namespaces, see Work with asset namespaces. None No

Proofpoint

This script fetches data on users targeted by attacks from a particular organization within a given time period and ingests that data into Google Security Operations. For information about the API used, see the People API.

Define the following environment variables in the .env.yml file. For details about getting the Proofpoint service principal and Proofpoint secret, see the Providing proofpoint TAP credentials to Arctic Wolf configuration guide.

Variable Description Default Secret
CHRONICLE_CUSTOMER_ID Google Security Operations instance customer ID. None No
CHRONICLE_REGION Google Security Operations instance region. us
Other valid values: asia-northeast1, asia-south1, asia-southeast1, australia-southeast1, europe, europe-west2, europe-west3, europe-west6, europe-west12, me-central1, me-central2, me-west1, and northamerica-northeast2.
No
CHRONICLE_SERVICE_ACCOUNT Path to the secret in Secret Manager that stores the Google Security Operations service account JSON file. None Yes
CHRONICLE_NAMESPACE The namespace that the Google Security Operations logs are labeled with. For information about Google Security Operations namespaces, see Work with asset namespaces. None No
POLL_INTERVAL Frequency interval at which the function executes to get additional log data (in minutes). This duration must be the same as the Cloud Scheduler job interval. 360 No
CHRONICLE_DATA_TYPE Log type to push data into the Google Security Operations instance. None No
PROOFPOINT_SERVER_URL Base URL of Proofpoint Server API gateway. None No
PROOFPOINT_SERVICE_PRINCIPLE Username of Proofpoint platform. This is typically the service principal. None No
PROOFPOINT_SECRET Path of the Secret Manager with the version, where the password of Proofpoint platform is stored. None Yes
PROOFPOINT_RETRIEVAL_RANGE Number indicating from how many days the data should be retrieved. Accepted values are 14, 30, and 90. None No

Pub/Sub

This script collects messages from Pub/Sub subscriptions and ingests the data to Google Security Operations. It continuously monitors the subscription gateway and ingests newer messages when they appear. For more information, see the following documents:

This ingestion script requires that you set variables in both the .env.yml file and the Cloud Scheduler job.

  • Define the following environment variables in the .env.yml file.

    Variable name Description Default Value Secret
    CHRONICLE_CUSTOMER_ID Google Security Operations instance customer ID. None No
    CHRONICLE_REGION Google Security Operations instance region. us
    Other valid values: asia-northeast1, asia-south1, asia-southeast1, australia-southeast1, europe, europe-west2, europe-west3, europe-west6, europe-west12, me-central1, me-central2, me-west1, and northamerica-northeast2.
    No
    CHRONICLE_SERVICE_ACCOUNT Path to the secret in Secret Manager that stores the Google Security Operations service account JSON file. None Yes
    CHRONICLE_NAMESPACE The namespace that the Google Security Operations logs are labeled with. For information about Google Security Operations namespaces, see Work with Asset Namespaces. None No
  • Set the following variables in the Cloud Scheduler Message body field as a JSON formatted string. See creating the Cloud Scheduler for more information about the Message body field.

    Variable name Description Default Value Secret
    PROJECT_ID Pub/Sub project ID. See creating and managing projects for information about the project Id. None No
    SUBSCRIPTION_ID Pub/Sub Subscription ID. None No
    CHRONICLE_DATA_TYPE Ingestion label for the log type provided while pushing data to Google Security Operations. See Supported default parsers for a list of supported log types. None No

    Here is an example JSON formatted string for the Message body field.

    { "PROJECT_ID":"projectid-0000","SUBSCRIPTION_ID":"subscription-id","CHRONICLE_DATA_TYPE":"SQUID_PROXY"}
    

Slack audit logs

This script gets audit logs from a Slack Enterprise Grid organization and ingests them into Google Security Operations with the SLACK_AUDIT log type. For more information, see Slack Audit Logs API.

Define the following environment variables in the .env.yml file.

Variable name Description Default Value Secret
CHRONICLE_CUSTOMER_ID Google Security Operations instance customer ID. None No
CHRONICLE_REGION Google Security Operations instance region. us
Other valid values: asia-northeast1, asia-south1, asia-southeast1, australia-southeast1, europe, europe-west2, europe-west3, europe-west6, europe-west12, me-central1, me-central2, me-west1, and northamerica-northeast2.
No
CHRONICLE_SERVICE_ACCOUNT Path to the secret in Secret Manager that stores the Google Security Operations service account JSON file. None Yes
POLL_INTERVAL Frequency interval at which the function executes to get additional log data (in minutes). This duration must be the same as the Cloud Scheduler job interval. 5 No
SLACK_ADMIN_TOKEN Path to the secret in Secret Manager that stores the Slack Authentication token.
None
Yes
CHRONICLE_NAMESPACE The namespace that the Google Security Operations logs are labeled with. For information about Google Security Operations namespaces, see Work with asset namespaces. None No

STIX/TAXII

This script pulls indicators from STIX/TAXII server and ingests them into Google Security Operations. For more information refer to the STIX/TAXII API documentation. Define the following environment variables in .env.yml file.

Variable Name Description Default Secret
CHRONICLE_CUSTOMER_ID Google Security Operations instance customer ID. None No
CHRONICLE_REGION Google Security Operations instance region. us
Other valid values: asia-northeast1, asia-south1, asia-southeast1, australia-southeast1, europe, europe-west2, europe-west3, europe-west6, europe-west12, me-central1, me-central2, me-west1, and northamerica-northeast2.
No
CHRONICLE_SERVICE_ACCOUNT Path to the secret in Secret Manager that stores the Google Security Operations service account JSON file. None Yes
POLL_INTERVAL Frequency interval (in minutes) at which the function executes. This duration must be same as the Cloud Scheduler job. 60 No
TAXII_VERSION The STIX/TAXII version to use. Possible options are 1.1, 2.0, 2.1 None No
TAXII_DISCOVERY_URL Discovery URL of TAXII server. None No
TAXII_COLLECTION_NAMES Collections (CSV) from which to fetch the data. Leave empty to fetch data from all of the collections. None No
TAXII_USERNAME Username required for authentication, if any. None No
TAXII_PASSWORD_SECRET_PATH Password required for authentication, if any. None Yes

Tenable.io

This script fetches asset and vulnerability data from the Tenable.io platform and ingests it into Google Security Operations with the TENABLE_IO log type. For information about the library used, see the pyTenable Python SDK.

Define the following environment variables in the .env.yml file. For details about asset and vulnerability data, see the Tenable.io API: Export assets and Export vulnerabilities.

Variable Description Default Secret
CHRONICLE_CUSTOMER_ID Google Security Operations instance customer ID. None No
CHRONICLE_REGION Google Security Operations instance region. us
Other valid values: asia-northeast1, asia-south1, asia-southeast1, australia-southeast1, europe, europe-west2, europe-west3, europe-west6, europe-west12, me-central1, me-central2, me-west1, and northamerica-northeast2.
No
CHRONICLE_SERVICE_ACCOUNT Path to the secret in Secret Manager that stores the Google Security Operations service account JSON file. None Yes
CHRONICLE_NAMESPACE The namespace that the Google Security Operations logs are labeled with. For information about Google Security Operations namespaces, see Work with asset namespaces. None No
POLL_INTERVAL Frequency interval at which the function executes to get additional log data (in minutes). This duration must be the same as the Cloud Scheduler job interval. 360 No
TENABLE_ACCESS_KEY The access key used for authentication. None No
TENABLE_SECRET_KEY_PATH Path of the Google Secret Manager with the version, where the password for Tenable Server is stored. None Yes
TENABLE_DATA_TYPE Type of data to ingest in Google Security Operations. Possible Values: ASSETS, VULNERABILITIES. ASSETS, VULNERABILITIES No
TENABLE_VULNERABILITY The state of the vulnerabilities you want the export to include. Possible values: `OPEN`, `REOPENED`, and `FIXED`. OPEN, REOPENED No

Trend Micro Cloud App Security

This script fetches security logs from the Trend Micro platform and ingests them into Google Security Operations. For information about the API used, see the security logs API. Define the following environment variables in the .env.yml file.

Variable Description Default Secret
CHRONICLE_CUSTOMER_ID Google Security Operations instance customer ID. None No
CHRONICLE_REGION Google Security Operations instance region. us
Other valid values: asia-northeast1, asia-south1, asia-southeast1, australia-southeast1, europe, europe-west2, europe-west3, europe-west6, europe-west12, me-central1, me-central2, me-west1, and northamerica-northeast2.
No
CHRONICLE_SERVICE_ACCOUNT Path to the secret in Secret Manager that stores the Google Security Operations service account JSON file. None Yes
CHRONICLE_NAMESPACE The namespace that the Google Security Operations logs are labeled with. For information about Google Security Operations namespaces, see Work with asset namespaces. None No
POLL_INTERVAL Frequency interval at which the function executes to get additional log data (in minutes). This duration must be the same as the Cloud Scheduler job interval. 10 No
CHRONICLE_DATA_TYPE Log type to push data into the Google Security Operations instance. None No
TREND_MICRO_AUTHENTICATION_TOKEN Path of the Google Secret Manager with the version, where the authentication token for Trend Micro Server is stored. None Yes
TREND_MICRO_SERVICE_URL Service URL of the Cloud App Security service. None No
TREND_MICRO_SERVICE The name of the protected service, whose logs to retrieve. Supports comma-separated values. Possible values: exchange, sharepoint, onedrive, dropbox, box, googledrive, gmail, teams, exchangeserver, salesforce_sandbox, salesforce_production, teams_chat. exchange, sharepoint, onedrive, dropbox, box, googledrive, gmail, teams, exchangeserver, salesforce_sandbox, salesforce_production, teams_chat No
TREND_MICRO_EVENT The type of the security event, whose logs to retrieve. Supports comma-separated values. Possible values: securityrisk, virtualanalyzer, ransomware, dlp. securityrisk, virtualanalyzer, ransomware, dlp No

Trend Micro Vision One

This script retrieves the audit logs of Trend Micro Vision One and ingests them into the Google Security Operations with the log type TREND_MICRO_VISION_AUDIT. For information about the API used, see the audit logs API. Define the following environment variables in the .env.yml file.

Variable Description Default Secret
CHRONICLE_CUSTOMER_ID Google Security Operations instance customer ID. None No
CHRONICLE_REGION Google Security Operations instance region. us
Other valid values: asia-northeast1, asia-south1, asia-southeast1, australia-southeast1, europe, europe-west2, europe-west3, europe-west6, europe-west12, me-central1, me-central2, me-west1, and northamerica-northeast2.
No
CHRONICLE_SERVICE_ACCOUNT Path to the secret in Secret Manager that stores the Google Security Operations service account JSON file. None Yes
CHRONICLE_NAMESPACE The namespace that the Google Security Operations logs are labeled with. For information about Google Security Operations namespaces, see Work with asset namespaces. None No
POLL_INTERVAL Frequency interval at which the function executes to get additional log data (in minutes). This duration must be the same as the Cloud Scheduler job interval. 10 No
TREND_MICRO_AUTHENTICATION_TOKEN Path of the Google Secret Manager with the version, where the authentication token for Trend Micro Server is stored. None Yes
TREND_MICRO_DOMAIN Trend Micro Vision One region where the service endpoint is located. None No