
Cloud Storage

Chronicle can pull logs from GCP Cloud Storage buckets for ingestion.

Log Ingestion

When using the GCP Cloud Storage integration, only objects written to the bucket after the integration is set up are ingested automatically, because ingestion is driven by bucket notifications and an object only generates a notification when it is written or changed. Objects that already existed before setup never generate one on their own, so to ingest older logs you must trigger notifications for those objects manually.

Cyderes Object Storage Best Practices

Best Practices

Creating a GCP Cloud Storage Bucket

  1. Create a new Cloud Storage bucket in which the logs will be stored, or choose an existing bucket. See the GCP Guide on creating buckets.

Access Configuration

  1. Provide the following information to Cyderes for implementation:

    Note: The Cloud Storage service account Cyderes requires is the Cloud Storage service agent of the project that owns the bucket. It has the form service-PROJECT_NUMBER@gs-project-accounts.iam.gserviceaccount.com (for example service-1234567890@gs-project-accounts.iam.gserviceaccount.com), where PROJECT_NUMBER is the project's numeric ID, not its name. This is the identity that publishes bucket notifications, which is why Cyderes needs it: they must grant it publish access on their PubSub topic.

  2. Cyderes will use this information to provision a PubSub topic and, if you did not supply a service account of your own for bucket access, a service account. Cyderes will then send you the service account email (when they created one) and the PubSub topic name to be used in the next steps.

  3. If a service account was provided to Cyderes, this step can be skipped. Otherwise, grant the Cyderes-provided service account permission to retrieve objects from the Cloud Storage bucket by following this GCP Guide. The required roles are Storage Legacy Bucket Reader (roles/storage.legacyBucketReader), which allows listing the bucket, and Storage Object Viewer (roles/storage.objectViewer), which allows reading object contents. Bind them on the bucket itself rather than at project level so the account can read only this bucket.
  4. Set up events to go to the Cyderes-owned PubSub topic:

    • Use this guide to understand the command that enables notifications: Command Guide
    • The OBJECT_FINALIZE event type is required: it fires whenever a new object (or a new generation of an existing object) is written, which is how Cyderes picks up fresh logs from the bucket. If the bucket is written only by automation, OBJECT_METADATA_UPDATE may be added as well: it fires when an object's metadata changes, so updating a metadata key on existing objects re-queues them for processing without rewriting their contents, which makes reprocessing easy should the need arise. Docs to reference.
    • Example command (substitute the topic name provided by Cyderes and your bucket name): gsutil notification create -s -t projects/cyderes-prod/topics/(TOPIC PROVIDED BY Cyderes) -f json -e OBJECT_FINALIZE gs://(YOUR BUCKET NAME). The -s flag skips topic creation and permission setup, which is required here because the topic is owned by Cyderes and you cannot administer it.
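The Access Configuration steps above collected into one script. This is an added example, not a Cyderes tool or a command from the Cyderes documentation: the bucket name, project ID, service account email and topic name are placeholders to be overridden through environment variables with the values from your own setup and from Cyderes, the dry-run wrapper is a convention of this example, and the backfill step (rewriting a custom metadata key to fire OBJECT_METADATA_UPDATE on objects that pre-date the notification) is one way to trigger the manual notifications the Log Ingestion section mentions, not the only one. The lookup of the Cloud Storage service agent uses gsutil kms serviceaccount, which prints that account for a project.

```shell
#!/usr/bin/env sh
# Added example (not Cyderes' own tooling). All values below are placeholders:
# override them via environment variables with your bucket and project and with
# the service account email and topic name supplied by Cyderes.
set -eu

BUCKET="${BUCKET:-example-log-bucket}"                                           # assumed
PROJECT_ID="${PROJECT_ID:-example-project}"                                      # assumed
CYDERES_SA="${CYDERES_SA:-cyderes-ingest@cyderes-prod.iam.gserviceaccount.com}"  # assumed
CYDERES_TOPIC="${CYDERES_TOPIC:-projects/cyderes-prod/topics/example-topic}"     # assumed
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands; set DRY_RUN=0 to run them

# Every gsutil call goes through run() so the whole procedure can be reviewed
# as a dry run before it touches bucket IAM or notification configuration.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "DRY-RUN: $*"
  else
    "$@"
  fi
}

# Step 1: the Cloud Storage service agent of the project that owns the bucket
# (service-PROJECT_NUMBER@gs-project-accounts.iam.gserviceaccount.com). This is
# the account Cyderes must authorise to publish to their topic.
storage_service_agent() {
  run gsutil kms serviceaccount -p "$PROJECT_ID"
}

# Step 3: bucket-scoped read access for the Cyderes-provided service account.
# Both roles are bound on the bucket, not the project, so the account can list
# and read objects in this bucket only.
grant_bucket_access() {
  for role in roles/storage.legacyBucketReader roles/storage.objectViewer; do
    run gsutil iam ch "serviceAccount:${CYDERES_SA}:${role}" "gs://${BUCKET}"
  done
}

# Step 4: send bucket events to the Cyderes-owned topic. -s skips topic
# creation and permission setup because the topic lives in Cyderes' project;
# OBJECT_METADATA_UPDATE is included so existing objects can be re-queued.
create_notification() {
  run gsutil notification create -s \
    -t "$CYDERES_TOPIC" -f json \
    -e OBJECT_FINALIZE -e OBJECT_METADATA_UPDATE \
    "gs://${BUCKET}"
}

# Check: the listing should show the Cyderes topic and both event types.
verify_notification() {
  run gsutil notification list "gs://${BUCKET}"
}

# Backfill of objects written before the notification existed: rewriting a
# custom metadata key fires OBJECT_METADATA_UPDATE for every matched object
# without touching its contents. $1 is an object prefix, $2 an optional marker.
backfill_prefix() {
  prefix="$1"
  marker="${2:-$(date -u +%Y%m%dT%H%M%SZ)}"
  run gsutil -m setmeta -h "x-goog-meta-reingest:${marker}" "gs://${BUCKET}/${prefix}**"
}

case "${1:-}" in
  setup)    storage_service_agent; grant_bucket_access; create_notification; verify_notification ;;
  backfill) backfill_prefix "${2:?usage: $0 backfill PREFIX [MARKER]}" "${3:-}" ;;
  *)        ;;   # no argument: only define the functions (for sourcing or testing)
esac
```

Saved under any name (say cyderes-gcs.sh), `sh cyderes-gcs.sh setup` prints the four commands for review and `DRY_RUN=0 sh cyderes-gcs.sh setup` applies them; `sh cyderes-gcs.sh backfill logs/2024/` re-queues the objects under that prefix. Only add OBJECT_METADATA_UPDATE, and only run the backfill, if nothing else edits metadata on the bucket, otherwise unrelated metadata changes will re-ingest the same logs.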