I cannot find any documentation saying how to do this. Any step-by-step guidance on this would be appreciated.
Direct Ingestion through Google Cloud Platform can automatically ingest logging data from Cloud Audit Logs and SCC. I'm not sure what this step-by-step looks like, or whether it's a simple button press. I don't know how to get a list from this data on the SIEM, or how to get a list of authorized users on the platform linked to a list on the SIEM. I also don't know the specifics of the menu for ingesting data, or what needs to happen to enable Direct Ingestion.
Hi NC2,
It seems there are two different things going on here, but ingestion of GCP logs is fairly simple.
https://cloud.google.com/chronicle/docs/ingestion/cloud/ingest-gcp-logs
Here's your documentation for SCC logging to SecOps.
User access is based on a couple of items and how you are using the platform. Do you have an IDP (e.g. Okta, Azure)? Your project ID would be required, and the IDP info would need to be configured and set up. What are you using to access this today?
Permissions to configure a third-party identity provider
If you use a third-party identity provider, you will configure Workforce Identity Federation and a workforce identity pool.
There are various options, but for an IDP to carry over you'd need to work with your GCP team and Workspace team.
https://cloud.google.com/chronicle/docs/onboard - everything you require is under this area.
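To make the two log shapes in the reply above concrete, here is an added example that is not part of the original thread and not Google SecOps code: a toy "SIEM" pass over constructed Cloud Audit Log entries and Security Command Center (SCC) Pub/Sub finding notifications. It matches the principal in each Admin Activity entry against a reference list of authorized users (the kind of list the original question asks about) and turns ACTIVE high-severity SCC findings into alerts. The field paths (`protoPayload.authenticationInfo.principalEmail`, `logName` ending in `cloudaudit.googleapis.com%2Factivity`, `finding.severity`, `finding.state`) follow the documented formats; the project ID, principals, finding names and the severity threshold are assumptions made for the demo.

```python
"""Toy SIEM pass over constructed GCP Audit Log and SCC notification records.

Added example for illustration only; not Google SecOps code. Sample records,
the authorized-principal list and the severity threshold are constructed.
"""
import json
from typing import Iterable, Optional

# Constructed reference list: principals allowed to make admin changes.
AUTHORIZED_PRINCIPALS = {
    "alice@example.com",
    "deploy-sa@demo-project.iam.gserviceaccount.com",
}

# Assumption for the demo: only HIGH/CRITICAL SCC findings become alerts.
SCC_ALERT_SEVERITIES = {"HIGH", "CRITICAL"}


def _audit_entry(principal: Optional[str], method: str, service: str,
                 resource: str, log_kind: str = "activity") -> str:
    """Build a constructed Cloud Audit Log entry in the documented shape."""
    auth = {"principalEmail": principal} if principal else {}
    return json.dumps({
        "logName": f"projects/demo-project/logs/cloudaudit.googleapis.com%2F{log_kind}",
        "severity": "NOTICE",
        "timestamp": "2024-05-01T10:00:00Z",
        "resource": {"type": "project", "labels": {"project_id": "demo-project"}},
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": service,
            "methodName": method,
            "authenticationInfo": auth,
            "resourceName": resource,
        },
    })


def _scc_notification(category: str, severity: str, state: str, resource: str) -> str:
    """Build a constructed SCC Pub/Sub notification (finding wrapper)."""
    return json.dumps({
        "notificationConfigName": "organizations/123456/notificationConfigs/secops-demo",
        "finding": {
            "name": "organizations/123456/sources/789/findings/demo",
            "resourceName": resource,
            "state": state,
            "category": category,
            "severity": severity,
            "eventTime": "2024-05-01T10:05:00Z",
        },
    })


SA = "projects/demo-project/serviceAccounts/deploy-sa@demo-project.iam.gserviceaccount.com"
VM = "//compute.googleapis.com/projects/demo-project/zones/us-central1-a/instances/web-1"

# Constructed sample stream: what the ingestion pipeline would hand the rules.
SAMPLE_LOGS = [
    _audit_entry("alice@example.com", "google.iam.admin.v1.CreateServiceAccountKey", "iam.googleapis.com", SA),
    _audit_entry("mallory@example.com", "google.iam.admin.v1.CreateServiceAccountKey", "iam.googleapis.com", SA),
    _audit_entry("mallory@example.com", "storage.objects.get", "storage.googleapis.com", VM, log_kind="data_access"),
    _scc_notification("OPEN_SSH_PORT", "HIGH", "ACTIVE", VM),
    _scc_notification("OPEN_SSH_PORT", "LOW", "ACTIVE", VM),
    _scc_notification("PUBLIC_BUCKET_ACL", "CRITICAL", "INACTIVE", VM),
    _audit_entry(None, "google.iam.admin.v1.SetIamPolicy", "iam.googleapis.com", SA),
]


def classify(record: dict) -> Optional[str]:
    """Tell an SCC notification from a Cloud Audit Log entry by its shape."""
    if "finding" in record:
        return "scc"
    if "protoPayload" in record and "cloudaudit.googleapis.com" in record.get("logName", ""):
        return "audit"
    return None


def check_audit(record: dict, authorized: set) -> Optional[dict]:
    """Alert on Admin Activity by a principal outside the reference list."""
    # Data Access logs are high-volume; this rule only scopes Admin Activity.
    if not record.get("logName", "").endswith("%2Factivity"):
        return None
    payload = record["protoPayload"]
    principal = payload.get("authenticationInfo", {}).get("principalEmail")
    base = {"method": payload.get("methodName"), "service": payload.get("serviceName"),
            "resource": payload.get("resourceName")}
    if not principal:  # edge case: entry with no attributable principal
        return {"kind": "unattributed_admin_activity", "principal": None, **base}
    if principal not in authorized:
        return {"kind": "unauthorized_admin_activity", "principal": principal, **base}
    return None


def check_scc(record: dict) -> Optional[dict]:
    """Alert on ACTIVE findings at or above the configured severity."""
    f = record["finding"]
    if f.get("state") != "ACTIVE" or f.get("severity") not in SCC_ALERT_SEVERITIES:
        return None
    return {"kind": "scc_finding", "category": f.get("category"),
            "severity": f.get("severity"), "resource": f.get("resourceName")}


def run(raw_lines: Iterable[str], authorized: set = AUTHORIZED_PRINCIPALS) -> list:
    """Parse each raw JSON line, route it by type and collect alerts."""
    alerts = []
    for raw in raw_lines:
        try:
            record = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line: a real pipeline would count and drop it
        kind = classify(record)
        alert = (check_audit(record, authorized) if kind == "audit"
                 else check_scc(record) if kind == "scc" else None)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_LOGS):
        print(json.dumps(alert))
```

Running it prints three alerts: the unauthorized key creation, the HIGH OPEN_SSH_PORT finding, and the unattributed SetIamPolicy call. The authorized principal, the Data Access entry, the LOW finding and the INACTIVE finding produce nothing, which is the same filtering you would later express as a reference list plus YARA-L rules in SecOps.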
This makes more sense, thank you.
To put this into context: I'm a beginner trying to learn how to use SecOps.
I guess my question was how I can actually learn how to do it, and do this integration from an IDP list to the SIEM. I feel like the documentation only goes so far in telling you how, if you already know what you are looking at. But given that some of these features have never been shown visually through a video or demo, that is fairly difficult. The best analogy I have, as a beginner, is that it's like trying to build a door with only text instructions on how to do so; but to have a good door, you need to be able to visually fit it in the doorframe, see how it should look, and see what each step of the process looks like throughout. I have gone through the Skills Boost demo lab and there is no demonstration to learn this skill of integrating an IDP list with the SIEM. The demo goes over creating YARA-L rules, but no playbook creation at all. The Skills Boost lab goes over creating a SOAR response, but lacks some of the features that come with the real product that you'll need to integrate with and actually use the product with. I don't currently use any IDP; I'm just a beginner trying to learn the capabilities and how-to before I start to work with it. A tutorial would help a lot for the following:
Tutorials for:
Ingestion of GCP logs into the SIEM: what logs are provided there, and what a sample environment would look like on both GCP's side and the SecOps side.
Ingestion of SCC logs into the SIEM/SOAR, then making an alert based on them and a playbook response to them, demonstrating the capability of SCC logs and what they are capable of finding, with examples.
Configuring Workforce Identity Federation and an identity pool with another org, or with Google's provided IDP list as well.
Tutorials on these would help me a lot. There is a variety of other things that would be helpful too for learning the platform. I feel as though some core features and knowledge are left out, and the only way you can learn how is by already having the product and learning through experience.
Sounds like you and your team could use a workshop of sorts, but without knowing your SecOps package etc. I don't know if that's available to you. Those are great suggestions and I will certainly relay the message. Video tutorials would be great for some basics.
Here's a great article on getting set up with Okta and Workspace Identity Federation.
https://medium.com/@thatsiemguy/linking-okta-to-chronicle-secops-platform-c88ca530a515
Another one on Native Auth
https://medium.com/@thatsiemguy/native-google-authentication-in-google-cloud-secops-f997f242dd03
Another one for Azure -
https://medium.com/@thatsiemguy/linking-azure-idp-to-chronicle-secops-platform-ba649660d5fb