Google Cloud Platform collector
Service description
The Google Cloud Platform (GCP) collector leverages the GCP Pub/Sub service to retrieve event data from your GCP account and ingest it into Devo, where it is immediately searchable via the Devo web application and API.
Setup
Set up log forwarding in GCP
1. Log in to your GCP account.
2. From the GCP menu select Logging -> Logs Router.
3. Select CREATE SINK.
4. Provide a name and description for the Sink and select NEXT.
5. Select Cloud Pub/Sub topic as the Sink destination.
6. Select an existing Topic to sink to, or create a new one using the CREATE A TOPIC button in the dropdown list. Select NEXT.
7. Optionally build an inclusion filter to choose which logs are included in the Sink and therefore ingested into Devo. Select NEXT.
8. Optionally build an exclusion filter to choose which logs are not included in the Sink and therefore not ingested into Devo. Select CREATE SINK.
9. The Sink is created.
Create a Pub/Sub topic subscription
1. While logged in to your GCP account, navigate to the Pub/Sub -> Topics menu.
2. Locate the topic created in the previous step and select Create Subscription from the more actions menu, found as 3 vertical dots at the end of the table row.
3. Enter a unique ID for the subscription.
4. Select Pull as the Delivery type.
5. Optionally review and configure any other desired settings.
6. Select CREATE.
7. The subscription is created.
8. Make a note of the Subscription ID. You will need to provide this value when enabling the GCP collector in your Devo domain.
Create a GCP Service Account
1. While logged in to your GCP account, navigate to the IAM & Admin -> Service Accounts menu.
2. Select CREATE SERVICE ACCOUNT.
3. Enter a Service account name and description and select CREATE AND CONTINUE.
4. Add the Pub/Sub -> Pub/Sub Subscriber role in the Grant this service account access to a project section.
5. Select CONTINUE and then DONE.
6. The service account is created.
7. Locate the newly created service account on the Service accounts list page and select Manage keys from the Actions menu, found as 3 vertical dots at the end of the table row.
8. Select ADD KEY -> Create new key.
9. Select JSON as the Key type.
10. Select CREATE.
11. The key is created and automatically downloaded to your computer.
12. Keep the downloaded JSON key file. You will need to provide the file when enabling the GCP collector in your Devo domain.
Enable the GCP Collector in your Devo domain
The Devo GCP collector is provided as a Devo managed service. To have the collector enabled on your Devo domain:
1. Contact Devo support.
2. Provide the Subscription ID of the GCP Pub/Sub topic that GCP events are being routed to, and the JSON key file created for your service account.
3. Devo support will enable the collector on your behalf.
Searching GCP data using Devo Data search
When data is ingested from GCP into Devo it is made available in the cloud.gcp table. Depending on the data being routed to your GCP Pub/Sub topic, you might also find data in the following child tables:
- cloud.gcp.cloudaudit.activity: includes all events created from GCP activities
- cloud.gcp.cloudaudit.system_events: includes all system events detected in your GCP account
- cloud.gcp.ids.threat: includes all threat detections from the GCP Cloud IDS feature
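To see what actually arrives on the subscription before it lands in these tables, the following added example (not part of the Devo documentation or collector) decodes one Pub/Sub message as a pull returns it, parses the Cloud Logging LogEntry inside, and derives the Devo table from the entry's logName. The table names are the ones listed above; the logName-to-table mapping and the sample audit entry are assumptions constructed for the example.

```python
import base64
import json
from urllib.parse import unquote

# Assumed routing: GCP log IDs (the part of LogEntry.logName after "/logs/",
# URL-encoded in the entry) mapped to the Devo tables named on this page.
# Table names are from the page; routing on logName is an assumption.
TABLE_BY_LOG_ID = {
    "cloudaudit.googleapis.com/activity": "cloud.gcp.cloudaudit.activity",
    "cloudaudit.googleapis.com/system_event": "cloud.gcp.cloudaudit.system_events",
    "ids.googleapis.com/threat": "cloud.gcp.ids.threat",
}


def devo_table_for(log_name: str) -> str:
    """Map 'projects/<project>/logs/<url-encoded log id>' to a Devo table."""
    log_id = unquote(log_name.rsplit("/logs/", 1)[-1])
    return TABLE_BY_LOG_ID.get(log_id, "cloud.gcp")  # unknown logs stay in the parent


def decode_pull_message(message: dict) -> dict:
    """Decode one Pub/Sub message (as returned by a pull) into the fields an
    analyst looks at first: target table, who did what to which resource, and when."""
    entry = json.loads(base64.b64decode(message["data"]))
    payload = entry.get("protoPayload", {})
    return {
        "table": devo_table_for(entry["logName"]),
        "method": payload.get("methodName"),
        "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
        "resource": payload.get("resourceName"),
        "timestamp": entry.get("timestamp"),
    }


# Constructed sample: an Admin Activity audit entry for a new service-account key
# (the action performed in the service account steps above), as the sink would publish it.
SAMPLE_ENTRY = {
    "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
    "timestamp": "2024-01-01T12:00:00Z",
    "protoPayload": {
        "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
        "resourceName": "projects/example-project/serviceAccounts/devo-collector@example-project.iam.gserviceaccount.com",
        "authenticationInfo": {"principalEmail": "admin@example.com"},
    },
}
SAMPLE_MESSAGE = {
    "messageId": "1",
    "data": base64.b64encode(json.dumps(SAMPLE_ENTRY).encode()).decode(),
}
```

A key-creation event like the sample is worth watching in cloud.gcp.cloudaudit.activity, since the JSON key handed to Devo support is a long-lived credential.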
To start searching across your ingested GCP data:
1. Log in to your Devo domain.
2. Open the Data search menu.
3. In the finder, select the table you want to query, for example cloud.gcp.cloudaudit.activity.
4. The Data search page loads and displays all events ingested in the last 24 hours.
5. Use Data search features to explore the data.