Google Cloud Platform collector
Configuration requirements
To run this collector, there are some configurations detailed below that you need to take into account.
Configuration | Details |
---|---|
GCP console access | |
Permissions | |
Logging services | The following features have been configured: |
Enable SCC | |
Credentials | |
More information
Refer to the Vendor setup section to know more about these configurations.
Overview
This collector lets you build, deploy and scale applications, websites, and services on the same infrastructure as Google. It also makes it possible to integrate the Google Cloud Platform (GCP) with the Devo platform, making it easy to query and analyze GCP event data. You can view that data in the pre-configured Activeboards or customize them.
Devo's GCP collector also lets you retrieve data stored in GCP via Google Cloud APIs, such as audit logs, Security Command Center findings, networking, load balancing, and more, available via Pub/Sub, into Devo to query, correlate, analyze and visualize, enabling Enterprise IT and Cybersecurity teams to take the most impactful decisions at petabyte scale.
Devo collector features
Feature | Details |
---|---|
Allow parallel downloading ( | |
Running environments | |
Populated Devo events | |
Flattening preprocessing | |
For more information on how the events are parsed, visit our page.
Data sources
Data source | Description | API endpoint | Collector service name | Devo table | Available from release |
---|---|---|---|---|---|
Logging (formerly Stackdriver) | Cloud Logging allows you to store, search, analyze, monitor, and alert on logging data and events from Google Cloud and Amazon Web Services. | | | This service allows you to select two different autodispatcher systems. This is the structure for the one based on | |
Security Command Center Findings | Security Command Center is Google Cloud's centralized vulnerability and threat reporting service. | | | | |
Vendor setup
To enable the collection in the vendor setup, there are some minimal requirements to follow:
GCP console access: You should have credentials to access the GCP console.
Permissions: Owner or Administrator permissions within the GCP console.
Enable the Logging service
Here you will find how to enable the Logging service (formerly Stackdriver).
Logging Service Overview
GCP centralizes the monitoring information from all services in its cloud catalog in the service named Logging.
Some information is enabled by default and free of charge. Other information incurs costs once its generation is activated, so it must be enabled manually. In both cases, the generated information (messages) arrives at the Logging service.
The Logging service has different ways of exporting the information it stores, structured as messages. In this case, another GCP service called Pub/Sub is used: this service holds a topic object that receives a filtered set of messages from the Logging service, and the GCP collector then retrieves all those messages from the topic object through a subscription (in pull mode).
To facilitate retrieval, it is recommended to split the source messages across different topic objects; you can split them by resource type, region, project ID, and so on.
Configuration of the Logging service
Here you will find which features you need to configure to receive events from both services:
GCP project: You need to have a GCP project in the console to be able to receive data.
Service account: The Service account is a Google service that allows.
GCP Pub/Sub: This is the queue from which the events are downloaded; you need to create a topic and a subscription.
Sink (optional): The sink is a filter to receive only the type of events that you want.
Here you will find the steps to configure each feature:
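As an added example (not code from the Devo documentation or from Google), the four features above provisioned with gcloud: a topic, a pull subscription, a sink that forwards only a filtered slice of Logging into the topic, and a service account that can only read that one subscription. Project, topic, sink and account names are assumed placeholders, and the sink filter (audit log entries of one resource type) is an assumption standing in for whatever split you choose.

```shell
# Added example, not Devo's or Google's own code: provisions the Logging -> sink -> Pub/Sub
# pipeline the collector pulls from, plus a least-privilege service account for it.
# Every name below is a placeholder; override through the environment. GCLOUD=echo dry-runs.
GCLOUD=${GCLOUD:-gcloud}
PROJECT=${PROJECT:-my-gcp-project}              # placeholder GCP project ID
TOPIC=${TOPIC:-devo-logging-topic}
SUBSCRIPTION=${SUBSCRIPTION:-devo-logging-sub}
SINK=${SINK:-devo-logging-sink}
COLLECTOR_SA=${COLLECTOR_SA:-devo-collector}
# Assumed sink filter: audit log entries of one resource type only. One narrow
# topic per resource type is the split the page recommends.
if [ -z "${LOG_FILTER:-}" ]; then
  LOG_FILTER='logName:"cloudaudit.googleapis.com" AND resource.type="gce_instance"'
fi

create_topic_and_subscription() {
  $GCLOUD pubsub topics create "$TOPIC" --project="$PROJECT"
  # Pull subscription: the collector fetches messages itself; nothing is pushed to it.
  $GCLOUD pubsub subscriptions create "$SUBSCRIPTION" --topic="$TOPIC" --project="$PROJECT" --ack-deadline=60
}

create_sink() {
  # The sink forwards only entries matching LOG_FILTER from Logging to the topic.
  $GCLOUD logging sinks create "$SINK" \
    "pubsub.googleapis.com/projects/$PROJECT/topics/$TOPIC" \
    --project="$PROJECT" --log-filter="$LOG_FILTER"
}

grant_sink_publisher() {
  # The sink writes under its own service identity, which must be allowed to publish.
  writer=$($GCLOUD logging sinks describe "$SINK" --project="$PROJECT" \
    --format='value(writerIdentity)')
  $GCLOUD pubsub topics add-iam-policy-binding "$TOPIC" --project="$PROJECT" \
    --member="$writer" --role="roles/pubsub.publisher"
}

create_collector_service_account() {
  sa_email="$COLLECTOR_SA@$PROJECT.iam.gserviceaccount.com"
  $GCLOUD iam service-accounts create "$COLLECTOR_SA" --project="$PROJECT" \
    --display-name="Devo GCP collector"
  # Least privilege: subscriber on this one subscription, no project-wide role.
  $GCLOUD pubsub subscriptions add-iam-policy-binding "$SUBSCRIPTION" \
    --project="$PROJECT" --member="serviceAccount:$sa_email" \
    --role="roles/pubsub.subscriber"
}

if [ "${1:-}" = "apply" ]; then   # run everything: sh setup.sh apply
  create_topic_and_subscription && create_sink && grant_sink_publisher \
    && create_collector_service_account
fi
```

Create the service account key afterwards with `gcloud iam service-accounts keys create`; that JSON file is what the Credentials row of the configuration table refers to.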
Enable the Security Command Center Service (SCC)
Events can be retrieved differently depending on the source:
SCC Audit logs: Events obtained through the Logging service.
SCC Findings: Events obtained from external services.
Enable the Security Command Center (SCC) Audit logs
The events will be obtained through the centralized Logging service. Refer to the Configuration of the Logging service section to know how to configure it.
Here you will find the steps to filter this type of event:
# | Action | Steps |
---|---|---|
1 | Activate the Security Command Center service | To receive this type of event, the Security Command Center service must be activated. Refer to the Security Command Center Quickstart video from the Google guide. |
2 | Set up a new topic | Refer to the Configuration of the Logging service section to know how to do it. |
3 | Set up a Pub/Sub | Refer to the Configuration of the Logging service section to know how to do it. |
4 | Set up a sink | Refer to the Configuration of the Logging service section to know how to do it. |
Enable the Security Command Center (SCC) Findings
These events are obtained from the Security Command Center service and are injected directly into the Pub/Sub without going through the Logging service.
# | Action | Steps |
---|---|---|
1 | Configure Identity and Access Management (IAM) roles. | Refer to the official Google guide in which additional configurations are described. |
2 | Activate the Security Command Center API. | |
3 | Set up a Pub/Sub topic. | |
4 | Create a Notification configuration. | |
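The steps in the table above as gcloud commands, added here as an example (not code from the Devo documentation or from Google). The organization ID, project and topic names are assumed placeholders, and the `state="ACTIVE"` notification filter is an assumption; the IAM roles of step 1 are left to the Google guide the table cites.

```shell
# Added example, not Devo's or Google's own code: wires SCC findings straight into a
# Pub/Sub topic through a notification config, bypassing Cloud Logging as described above.
# All IDs and names are placeholders; GCLOUD=echo prints the commands instead of running them.
GCLOUD=${GCLOUD:-gcloud}
ORG_ID=${ORG_ID:-123456789012}                  # placeholder organization ID
PROJECT=${PROJECT:-my-gcp-project}              # placeholder project that hosts the topic
TOPIC=${TOPIC:-devo-scc-findings-topic}
SUBSCRIPTION=${SUBSCRIPTION:-devo-scc-findings-sub}
NOTIFICATION=${NOTIFICATION:-devo-scc-findings}

enable_scc_api() {
  $GCLOUD services enable securitycenter.googleapis.com --project="$PROJECT"
}

create_findings_topic() {
  $GCLOUD pubsub topics create "$TOPIC" --project="$PROJECT"
  # Pull subscription that the collector's custom service reads from.
  $GCLOUD pubsub subscriptions create "$SUBSCRIPTION" --topic="$TOPIC" --project="$PROJECT"
}

create_notification_config() {
  # Forward only findings in ACTIVE state; resolved (INACTIVE) findings stay out of the queue.
  # The SCC notification service agent must be allowed to publish to this topic; check that
  # binding against the Google guide referenced in the table above.
  $GCLOUD scc notifications create "$NOTIFICATION" --organization="$ORG_ID" \
    --description="Devo collector: active SCC findings" \
    --pubsub-topic="projects/$PROJECT/topics/$TOPIC" \
    --filter='state="ACTIVE"'
}

if [ "${1:-}" = "apply" ]; then   # run everything: sh scc-findings.sh apply
  enable_scc_api && create_findings_topic && create_notification_config
fi
```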
Minimum configuration required for basic pulling
Although this collector supports advanced configuration, the fields required to retrieve data with basic configuration are defined below.
Setting | Details |
---|---|
| This parameter allows you to assign a custom name for identifying the environment of the infrastructure. |
| The name of the GCP project. Refer to the Configuration of the Logging service section to know how to get this value. |
| The service account credentials in |
| The ID of the Pub/Sub subscription. Refer to the Configuration of the Logging service section to know how to get this value. |
Accepted authentication methods
Depending on how you obtained the credentials, you will have to either fill in or delete the following properties in the JSON credentials configuration block.
# | Authentication method | Project ID | Base64 credentials | File credentials | Available on |
---|---|---|---|---|---|
1 | Service account with Base64. | Required | Required | | |
2 | Service account with the file credentials. | Required | | Required | |
Run the collector
Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).
Collector services detail
This section is intended to explain how to proceed with specific actions for services.
Custom Service
This is the only service type the GCP collector has. Multiple custom services can be created to ingest data from different Pub/Sub sinks; however, the only data sources supported by this collector are:
Logging events: The previous section, Running the data collector, explains how to configure a Logging service, but more custom Logging services can be created with different Pub/Sub filters.
SCC findings events: This service is also a custom service configured with data coming from a source external to the Logging service.
Devo categorization and destination
The following table shows the Devo tables and the tags to which the events are ingested based on each data source:
Data Source | Devo tables | Devo tag | Details |
---|---|---|---|
Logging service | | | This is an autocalculated default tag structure to which the events that come from the Logging service are sent. These events are of type LogEntry. This tag structure is based on the following message fields: |
| | | This is an autocalculated default tag structure to which the events that come from the Logging service are sent. These events are of type MonitoredResource. This tag structure is based on the following message fields: |
| | | If the user adds a custom tag, all events will be sent to that custom tag. |
| | | All events that are not in |
SCC findings | | | This is the recommended value for |
| | | You can also define a different tag for these events, but bear in mind that only |
Events service
Collector operations
This section is intended to explain how to proceed with specific operations of this collector.
Change log for v1.x.x
Release | Released on | Release type | Details | Recommendations |
---|---|---|---|---|
| Mar 1, 2022 | IMPROVEMENT | Improvements: | |
| Mar 8, 2022 | IMPROVEMENT | Improvements: | |
| Apr 12, 2022 | IMPROVEMENT, VULNS | Improvements: Vulnerabilities mitigated: | |
| May 23, 2022 | IMPROVEMENT | Improvements: | |
| Jun 1, 2022 | IMPROVEMENT | Improvements: | |
| | IMPROVEMENTS, BUG FIXING | Improvements: Bug Fixing: | |
| - | - | - | |