I have a question:
When ingesting from GCS buckets using the feeds management UI, it mentions that Chronicle doesn't need authentication for the bucket because it has an internal user. Is this user a global user or specific to that cloud account? Can I ingest an arbitrary bucket I don't own but know the address of, without authentication, as unstructured logs, and be able to view some bucket contents in Chronicle?
I’m happy to give you a bucket and see!
EDIT: Obviously I will need to clear this internally
Super interesting actually. I see no reason why this won't work if the bucket owner is an existing Chronicle customer (and has allowlisted the global service account that reads buckets: 8911409095528497-0-account@partnercontent.gserviceaccount.com). This could lead to some crazy information disclosure if you can enumerate clients and buckets.
Yeah, that's what I thought. If I have the public address of a bucket I don't own, and maybe I know that the owner is a Chronicle customer, or by coincidence they are a Chronicle customer, I should be able to add it via feeds management.
I don't have Chronicle SIEM access; I picked up the logic from the SIEM fundamentals course. But @ion_ @galpolak12, if you end up validating this theory, please also let me know if it's completely bananas. That would be great.
@ion_ Ever got around to testing that logic?
According to this, it looks like the prerequisite setup is universal to all Chronicle SIEM customers who want to set up bucket feeds. So if I know the bucket URL of any other valid customer who has this set up, then it should work unless there is additional auth logic.