Chronicle can pull logs from Google Cloud Storage (GCS) buckets in GCP.

Creating a GCP GCS Bucket

  1. Google documents how to create a new GCS bucket in detail. Feel free to follow this GCP Guide.

Access Configuration

  1. Send the following to CYDERES when completed

  2. CYDERES will use the information you hand over to provision a Pub/Sub topic, a collector, and a service account, and will send you the service account's email address and the topic name. The service account is the identity the collector uses to read from your bucket. CYDERES also grants your project permission to publish to the CYDERES Pub/Sub topic, which is how your bucket's object events reach the collector.

  3. Feel free to follow this GCP Guide on how to add a service account to your GCS bucket. The required roles are Storage Legacy Bucket Reader (roles/storage.legacyBucketReader), which lets the collector list the bucket's objects, and Storage Object Viewer (roles/storage.objectViewer), which lets it read them. Grant both on the bucket itself rather than at the project level, so the CYDERES service account can read this bucket and nothing else.
  4. After granting permissions to the CYDERES service account, the last step is to set up bucket events to go to the CYDERES Pub/Sub topic.

    • This guide explains the command that enables notifications on a bucket: Command Guide
    • Only one event type is needed for CYDERES to process logs from your bucket: OBJECT_FINALIZE, which fires when a new object (or a new version of an object) is written. If the bucket is managed only by automation, you may also add OBJECT_METADATA_UPDATE so that objects can be reprocessed by touching their metadata, should the need arise. Docs to reference
    • Example of the command to run:
        gsutil notification create -s -t projects/cyderes-prod/topics/(TOPIC PROVIDED BY CYDERES) -f json -e OBJECT_FINALIZE gs://(YOUR BUCKET NAME)
      The -s flag makes gsutil skip its usual attempt to grant your project's Cloud Storage service agent publish permission on the topic. gsutil cannot create that binding because the topic lives in the CYDERES project; CYDERES grants it on their side (step 2), so if the command fails with a permissions error on the topic, check that step 2 has completed rather than changing flags.
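The steps above, as one added example script (not part of the CYDERES/Chronicle page or CYDERES's own tooling): it validates the inputs, grants the two roles at bucket scope, creates the notification with the same gsutil command the page shows, and reads the configuration back. The bucket name, service-account email, and topic are placeholders you replace with the values CYDERES sends; DRY_RUN=1 prints each gsutil command instead of running it, which is the mode used to test it offline.

```shell
#!/usr/bin/env bash
# Added example: wires a GCS bucket up for Chronicle ingestion in the order the
# page describes. Placeholder values below are assumptions, not real CYDERES data.
set -eu

# Runs a command, or prints it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Reject the usual copy/paste mistakes before touching anything.
validate_bucket() {  # plain bucket name: no gs:// prefix, lowercase, 3-63 chars
  case "$1" in gs://*) echo "give the bucket name without gs://: $1" >&2; return 1 ;; esac
  printf '%s' "$1" | grep -Eq '^[a-z0-9][a-z0-9._-]{1,61}[a-z0-9]$' \
    || { echo "invalid bucket name: $1" >&2; return 1; }
}
validate_topic() {   # fully qualified form the page shows
  printf '%s' "$1" | grep -Eq '^projects/[^/]+/topics/[^/]+$' \
    || { echo "topic must be projects/<project>/topics/<topic>: $1" >&2; return 1; }
}
validate_event() {   # only the event types GCS notifications support
  case "$1" in
    OBJECT_FINALIZE|OBJECT_METADATA_UPDATE|OBJECT_DELETE|OBJECT_ARCHIVE) return 0 ;;
    *) echo "unknown event type: $1" >&2; return 1 ;;
  esac
}

# Step 3: bucket-scoped grant of the two roles the page names. Legacy Bucket
# Reader lets the collector list objects; Object Viewer lets it read them.
grant_bucket_access() {  # grant_bucket_access <bucket> <service-account-email>
  validate_bucket "$1" || return 1
  run gsutil iam ch \
    "serviceAccount:$2:roles/storage.legacyBucketReader,roles/storage.objectViewer" "gs://$1"
}

# Step 4: the notification. -s skips gsutil's attempt to grant your project's
# Cloud Storage service agent publish rights on the topic; that binding is on
# the CYDERES side because the topic lives in their project.
create_notification() {  # create_notification <bucket> <topic> <event>...
  bucket=$1; topic=$2; shift 2
  validate_bucket "$bucket" || return 1
  validate_topic "$topic" || return 1
  args=""
  for ev in "$@"; do
    validate_event "$ev" || return 1
    args="$args -e $ev"   # gsutil accepts -e once per event type
  done
  # shellcheck disable=SC2086
  run gsutil notification create -s -t "$topic" -f json $args "gs://$bucket"
}

# Read-back checks: the service account is bound on the bucket and the
# notification points at the CYDERES topic.
verify() {  # verify <bucket> <service-account-email> <topic>
  if [ "${DRY_RUN:-0}" = "1" ]; then
    run gsutil iam get "gs://$1"; run gsutil notification list "gs://$1"; return 0
  fi
  gsutil iam get "gs://$1" | grep -q "serviceAccount:$2" \
    || { echo "service account $2 is not bound on gs://$1" >&2; return 1; }
  gsutil notification list "gs://$1" | grep -q "$3" \
    || { echo "no notification on gs://$1 for topic $3" >&2; return 1; }
}

# Placeholders (assumed values): replace with what CYDERES sends you.
BUCKET="${BUCKET:-my-chronicle-logs}"
SA_EMAIL="${SA_EMAIL:-collector@cyderes-prod.iam.gserviceaccount.com}"
TOPIC="${TOPIC:-projects/cyderes-prod/topics/TOPIC-PROVIDED-BY-CYDERES}"

if [ "${1:-}" = "apply" ]; then
  grant_bucket_access "$BUCKET" "$SA_EMAIL"
  create_notification "$BUCKET" "$TOPIC" OBJECT_FINALIZE
  verify "$BUCKET" "$SA_EMAIL" "$TOPIC"
fi
```

Run it as `DRY_RUN=1 ./setup.sh apply` first to see the exact commands, then without DRY_RUN with gsutil authenticated as a principal that can edit the bucket's IAM policy; the `verify` step fails loudly if either binding or the notification is missing, which is the first thing to check when logs do not appear in Chronicle.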