
Google Cloud Platform collector

Service description

The Google Cloud Platform (GCP) collector leverages the GCP Pub/Sub service to retrieve event data from your GCP account and ingest it into Devo, where it is immediately searchable via the Devo web application and API.

Setup

Set up log forwarding in GCP

1. Log in to your GCP account.

2. From the GCP menu select Logging -> Logs Router.

3. Select CREATE SINK.

4. Provide a name and description for the Sink and select NEXT.

5. Select Cloud Pub/Sub topic as the Sink destination.

6. Select an existing Topic to sink or create a new one using the CREATE A TOPIC button in the dropdown list. Select NEXT.

7. Optionally build an inclusion filter to choose which logs are included in the Sink and therefore ingested into Devo. Select NEXT.

8. Optionally build an exclusion filter to choose which logs are not included in the Sink and therefore not ingested into Devo. Select CREATE SINK.

9. The Sink is created.

Create a Pub/Sub topic subscription

1. While logged in to your GCP account, navigate to the Pub/Sub -> Topics menu.

2. Locate the topic created in the previous step and select Create Subscription from the more actions menu, found as 3 vertical dots at the end of the table row.

3. Enter a unique ID for the subscription.

4. Select Pull as the Delivery type.

5. Optionally review and configure any other desired settings.

6. Select CREATE.

7. The subscription is created.

8. Make a note of the Subscription ID. You will need to provide this value when enabling the GCP collector in your Devo domain.

Create a GCP Service Account

1. While logged in to your GCP account, navigate to the IAM & Admin -> Service Accounts menu.

2. Select CREATE SERVICE ACCOUNT.

3. Enter a Service account name and description and select CREATE AND CONTINUE.

4. Add the Pub/Sub -> Pub/Sub Subscriber role in the Grant this service account access to a project section.

5. Select CONTINUE and then DONE.

6. The service account is created.

7. Locate the newly created service account on the Service accounts list page and select Manage keys from the Actions menu, found as 3 vertical dots at the end of the table row.

8. Select ADD KEY -> Create new key.

9. Select JSON as the Key type.

10. Select CREATE.

11. The key is created and automatically downloaded to your computer.

12. Keep the downloaded JSON key file. You will need to provide the file when enabling the GCP collector in your Devo domain.
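Before handing the Subscription ID and the JSON key file to Devo support it is worth checking that both are what the steps above should have produced and that the service account holds nothing beyond the Pub/Sub Subscriber role. The following helper is an added example, not part of the Devo collector; the sample key, service-account email and IAM policy are constructed, and the subscription-ID rule is an assumption based on GCP resource naming constraints.

```python
import json
import re

# Added helper (not part of the Devo collector): sanity-check the artefacts from
# the setup steps above. All sample data below is constructed for illustration.

REQUIRED_KEY_FIELDS = ("type", "project_id", "private_key_id", "private_key",
                       "client_email", "token_uri")
# The collector only pulls messages, so this is the only role it should hold.
ALLOWED_ROLES = {"roles/pubsub.subscriber"}
# Pub/Sub resource-ID rules (assumption from GCP naming constraints).
SUBSCRIPTION_ID_RE = re.compile(r"^[A-Za-z][A-Za-z0-9._~+%-]{2,254}$")

def check_key_file(key_text: str) -> list:
    """Return the problems found in a downloaded service-account key file."""
    try:
        key = json.loads(key_text)
    except json.JSONDecodeError:
        return ["key file is not valid JSON"]
    problems = [f"missing field: {f}" for f in REQUIRED_KEY_FIELDS if f not in key]
    if key.get("type") != "service_account":
        problems.append("type is not 'service_account'")
    if not str(key.get("private_key", "")).startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM private key")
    return problems

def check_subscription_id(sub_id: str) -> bool:
    """Subscription IDs must follow GCP naming rules and not start with 'goog'."""
    return bool(SUBSCRIPTION_ID_RE.match(sub_id)) and not sub_id.startswith("goog")

def excess_roles(policy: dict, sa_email: str) -> set:
    """Roles bound to the collector's service account beyond Pub/Sub Subscriber."""
    member = f"serviceAccount:{sa_email}"
    granted = {b["role"] for b in policy.get("bindings", [])
               if member in b.get("members", [])}
    return granted - ALLOWED_ROLES

SA_EMAIL = "devo-collector@example-project.iam.gserviceaccount.com"  # constructed
# Constructed sample key: correct shape, placeholder private-key body.
SAMPLE_KEY = json.dumps({
    "type": "service_account", "project_id": "example-project",
    "private_key_id": "0123abcd", "client_email": SA_EMAIL,
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "token_uri": "https://oauth2.googleapis.com/token"})
# Constructed IAM policy: the account was also granted Editor, which is far
# broader than the procedure above requires and should be removed.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/pubsub.subscriber", "members": [f"serviceAccount:{SA_EMAIL}"]},
    {"role": "roles/editor", "members": [f"serviceAccount:{SA_EMAIL}"]}]}
```

Run `excess_roles` against the output of `gcloud projects get-iam-policy --format=json` to confirm the collector account has only the Subscriber binding.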

Enable the GCP Collector in your Devo domain

The Devo GCP collector is provided as a Devo managed service. To have the collector enabled on your Devo domain:

1. Contact Devo support.

2. Provide the Subscription ID of the GCP Pub/Sub topic that GCP events are routed to, and the JSON key file created for your service account.

3. Devo support will enable the collector on your behalf.

Searching GCP data using Devo Data search

When data is ingested from GCP into Devo it is made available in the cloud.gcp table. Depending on the data being routed to your GCP Pub/Sub topic, you might also find data in the following child tables:

  • cloud.gcp.cloudaudit.activity: includes all events created from GCP activities
  • cloud.gcp.cloudaudit.system_events: includes all system events detected in your GCP account
  • cloud.gcp.ids.threat: includes all threat detections from the GCP Cloud IDS feature

To start searching across your ingested GCP data:

1. Log in to your Devo domain.

2. Open the Data search menu.

3. In the finder select the table you want to query, for example, cloud.gcp.cloudaudit.activity.

4. The Data search page loads and displays all events ingested in the last 24 hours.

5. Use Data search features to explore the data.