Security Operations SIEM: Step 2 - Data Ingest

Table of Contents

Below you'll find a table of contents for the Configure Data Ingest journey.


Data Ingest is the core of Google SecOps. SecOps ingests raw log data, alerts, and other information. Ingested information is normalized and indexed for rapid search, then enriched with context from other ingested sources, including threat intelligence feeds. Configuring data ingest is the first step in preparing SecOps to correlate security events for your SecOps team. Google's industry-leading SecOps indexing, context enrichment, and search enable your SecOps analysts to respond rapidly with a comprehensive view of threats and events.

Prerequisites

  • Entitlement for SecOps SIEM on the account and project.

Actions


Install & Configure Forwarders

Forwarders and collectors are the two primary components of the SecOps data ingest model. They allow for the collection and normalization of data from various sources.


Prerequisites

See the Relevant Links section for more documentation regarding the prerequisites.

  • New or existing SecOps SIEM deployment
Steps
  1. Add a new forwarder

    1. In the Chronicle UI, open Application Menu > Settings > Forwarders.

    2. Click Add New Forwarder.

    3. Configure the forwarder appropriately, following the linked documentation.

  2. Add a new collector, selecting the forwarder from the previous step

    1. The Add Collector window appears.

    2. Note: You can add one or more collectors to an existing forwarder.

    3. Select the log type, namespaces, labels, and any other details relevant to your environment.

Relevant Links
Data Enrichment w/ External Data Feeds

External data feeds allow SecOps to ingest relevant security information from various sources and utilize it as additional context.

Prerequisites

See the Relevant Links section for more documentation regarding the prerequisites.

  • New or existing SecOps SIEM deployment
  • Feed-specific prerequisites
Steps
  1. Click Settings > Feeds.

  2. Click Add New.

  3. Choose your Source Type and Log Type, then click Next.

  4. Fill out the Input Parameters tab; the content required in the tab varies depending on the Source Type you chose in the previous step.

  5. Validate everything in the Finalize section, then click Submit.

Relevant Links
Configure GCP Log Ingest

Your Google Cloud project generates log data in many different formats. Ingesting it into Chronicle provides more contextual data for your Google Cloud project while making it available to SecOps search.

Prerequisites

See the Relevant Links section for more documentation regarding the prerequisites.

  • New or existing SecOps SIEM deployment
Steps
  1. Contact your Customer Engineer (CE) to obtain the one-time access code you need to ingest your Google Cloud data.

  2. Grant the following IAM roles, which are required to access the Chronicle section.

    1. Chronicle Service Admin (roles/chroniclesm.admin)

    2. Chronicle Service Viewer (roles/chroniclesm.viewer)

    3. Security Center Admin Editor (roles/securitycenter.adminEditor)

  3. If you plan to enable Cloud Asset Metadata, you must also enable either the Security Command Center Standard tier or Security Command Center Premium tier on Google Cloud.

Relevant Links
Customize Parsers

SecOps SIEM uses parsers to normalize raw logs into a common format.

Prerequisites

See the Relevant Links section for more documentation regarding the prerequisites.

  • New or existing SecOps SIEM deployment
  • Forwarder, API feed, Ingestion API, or third-party source generating data that needs to be parsed
Steps
  1. Go to Settings > SIEM Settings.

  2. Click Create Parser.

  3. Select an appropriate log source from the Log Source list.

  4. Select Start with Raw Logs Only to create a new parser according to your requirements.

  5. Click Create.

  6. Type the code in the Parser Code Terminal.

  7. Click Preview.

  8. Click Validate.

  9. Click Submit.

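As an added illustration of what goes into the Parser Code Terminal in step 6 (example written for this page, not taken from it or from Google's documentation), here is a minimal custom parser in the Logstash-style syntax Chronicle parsers use, mapping a constructed web-access log line into UDM. The log format, the vendor/product names and the choice of UDM fields are assumptions; the raw line it expects looks like `203.0.113.7 - alice [10/Oct/2024:13:55:36 +0000] "GET /admin HTTP/1.1" 403`.

```logstash
filter {
  # Parse the constructed access-log line into named fields.
  # A line that does not match is dropped with a tag instead of failing the parser.
  grok {
    match => {
      "message" => "%{IP:src_ip} - %{USERNAME:user} \\[%{HTTPDATE:ts}\\] \"%{WORD:verb} %{URIPATHPARAM:path} HTTP/%{NUMBER}\" %{INT:status}"
    }
    on_error => "grok_failed"
  }
  if [grok_failed] {
    drop { tag => "TAG_UNSUPPORTED" }
  }

  # Fixed UDM metadata for every event from this (assumed) source.
  mutate {
    replace => {
      "event.idm.read_only_udm.metadata.event_type" => "NETWORK_HTTP"
      "event.idm.read_only_udm.metadata.vendor_name" => "ExampleVendor"
      "event.idm.read_only_udm.metadata.product_name" => "ExampleWebServer"
    }
  }

  # Event time comes from the log's own timestamp, not from ingest time.
  date {
    match => ["ts", "dd/MMM/yyyy:HH:mm:ss Z"]
    target => "event.idm.read_only_udm.metadata.event_timestamp"
  }

  # Scalar string fields are set with replace.
  mutate {
    replace => {
      "event.idm.read_only_udm.principal.user.userid" => "%{user}"
      "event.idm.read_only_udm.network.http.method" => "%{verb}"
      "event.idm.read_only_udm.target.url" => "%{path}"
    }
  }
  # response_code is an integer in UDM: convert first, then rename keeps the type.
  mutate { convert => { "status" => "integer" } }
  mutate { rename => { "status" => "event.idm.read_only_udm.network.http.response_code" } }
  # principal.ip is a repeated field, so it is appended with merge.
  mutate {
    merge => { "event.idm.read_only_udm.principal.ip" => "src_ip" }
  }

  # Emit the assembled event.
  mutate {
    merge => { "@output" => "event" }
  }
}
```
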
Relevant Links