Ingest GCP logs in Chronicle

Before you can ingest your GCP telemetry into your Chronicle account, you must complete the following steps:

• • Contact your Chronicle representative and obtain the one-time access code you need to ingest your GCP telemetry.
  • Grant the IAM roles required for you to access the Chronicle section.
  • Chronicle Service Admin IAM role for performing all activities.
  • Chronicle Service Viewer IAM role to only view the state of ingestion.

Granting IAM Roles

• You can grant the required IAM roles using either the Google Cloud console or using the gcloud CLI.
• To grant IAM roles using Google Cloud console, complete the following steps:
• Log on to the GCP Organization you want to connect to and navigate to the IAM screen using Products > IAM & Admin > IAM.
• From the IAM screen, select the user and click Edit Member.
• Note: If you are not in the Organization view of IAM, the Edit Member button is disabled and you need to navigate to the organization's IAM screen.
• In the Edit Permissions screen, click Add Another Role and search for Chronicle to find the IAM roles.
• Once you have assigned the roles, click Save.
• To grant IAM roles using the Google Cloud CLI, complete the following steps:
• Ensure you are logged into the correct organization. Verify this by running the gcloud init command.
• To grant the admin IAM role from the gCloud tool, run the following command:
  • $ gcloud organizations add-iam-policy-binding <ORGANIZATION_ID> --member user:<USER_EMAIL> --role roles/chroniclesm.admin
• To grant the viewer IAM role from the gCloud tool, run the following command:
  • $ gcloud organizations add-iam-policy-binding <ORGANIZATION_ID> --member user:<USER_EMAIL> --role roles/chroniclesm.viewer

Enabling GCP Telemetry Ingestion

• To enable GCP telemetry ingestion into your Chronicle account, complete the following steps:
• Navigate to the Chronicle page for the Google Cloud console. Go to the Chronicle page
• Enter your one-time access code in the 1-time Chronicle access code field.
• Check the box labeled I consent to the terms and conditions of Chronicle's usage of my Google Cloud data.
• Click Connect Chronicle.
• Need to send an email requesting Chronicle access key for google support.

• Your GCP telemetry is now going to be sent to Chronicle. You can use Chronicle's analysis features to investigate any security related issues. The sections that follow describe ways to adjust the types of GCP telemetry that are going to be sent to Chronicle.

Exporting Google Cloud Logs to Chronicle

You can export the following types of Google Cloud logs to your Chronicle account:
Note: However you configure your export filters, you can only export the following Google Cloud logs.

• GCP_CLOUDAUDIT:
  • log_id("cloudaudit.googleapis.com/activity") (exported by the default filter)
  • log_id("cloudaudit.googleapis.com/system_event") (exported by the default filter)\
  • log_id("cloudaudit.googleapis.com/policy")
  • log_id("cloudaudit.googleapis.com/access_transparency")
• GCP_CLOUD_NAT:
  • log_id("compute.googleapis.com/nat_flows")
• GCP_DNS:
  • log_id("dns.googleapis.com/dns_queries") (exported by the default filter)
• GCP_FIREWALL:
  • log_id("compute.googleapis.com/firewall")

To export your Google Cloud logs to Chronicle, set the Google Cloud logs toggle to enabled. All of the Google Cloud log types listed above will be exported to your Chronicle account.