LinkedIn
Twitter
2 ACCEPTED SOLUTIONS
Changes to VPC configuration should all be recorded in the cloudaudit activity log, this log is included in the default log export filter but is easy to accidentally overwrite when making changes.
Check to make sure your export filter includes `log_id("cloudaudit.googleapis.com/activity")`, as long as that is included you should see VPC/firewall/subnet create/delete/modify events for your GCP org in SecOps with the UDM search `
metadata.log_type = "GCP_CLOUDAUDIT" AND metadata.product_name = "Google Compute Engine"`
If you don't see events for VPC changes (that were completed after the SecOps export filter was configured) you can use LogsExplorer from the GCP console to help determine where the issue is.
If you don't see events for VPC changes (that were completed after the SecOps export filter was configured) you can use LogsExplorer from the GCP console to help determine where the issue is.
https://console.cloud.google.com/logs/query and run a query To for `log_id("cloudaudit.googleapis.com/activity")`
If you see log entries for your VPC changes but they aren't showing up in Secops it will indicate there is a problem with your export filter, check https://console.cloud.google.com/security/chronicle/settings/ingestion and look for issues with your query, you can also copy/paste the query from the ingestion page to log explorer to test the filter.
Note: Logical operators AND/OR/NOT must be upper case to function properly, but will not produce a syntax error when lowercase. This is the most common error I see with export filters.
Yes those are included. When trying to improve queries to narrow down your results the trick is usually finding the right UDM fields to filter. If you don't already have a lot of experience with UDM the best way to find which fields include that info is using the 'udm lookup' function at the bottom of the search box and to search for the distinct value. This will search against all the fields in your SecOps tenant and help you find where your data is being parsed.
In this example I can see that compute.networks.insert is being parsed into the metadata.product_event_type field. So we can extend UDM search from the earlier response with a regex for your method names against that field, and you should see just those events.
metadata.log_type = "GCP_CLOUDAUDIT" AND metadata.product_name = "Google Compute Engine" and metadata.product_event_type=/compute\.networks\.(insert|patch|delete)/
Depending on the quality/volume of your results and how often you'll need to search for these events you can either stop there or continue to refine and improve by looking at the udm fields of your results to find different fields that might be better to filter on.
Changes to VPC configuration should all be recorded in the cloudaudit activity log, this log is included in the default log export filter but is easy to accidentally overwrite when making changes.
Check to make sure your export filter includes `log_id("cloudaudit.googleapis.com/activity")`, as long as that is included you should see VPC/firewall/subnet create/delete/modify events for your GCP org in SecOps with the UDM search `
metadata.log_type = "GCP_CLOUDAUDIT" AND metadata.product_name = "Google Compute Engine"`
If you don't see events for VPC changes (that were completed after the SecOps export filter was configured) you can use LogsExplorer from the GCP console to help determine where the issue is.
If you don't see events for VPC changes (that were completed after the SecOps export filter was configured) you can use LogsExplorer from the GCP console to help determine where the issue is.
https://console.cloud.google.com/logs/query and run a query To for `log_id("cloudaudit.googleapis.com/activity")`
If you see log entries for your VPC changes but they aren't showing up in Secops it will indicate there is a problem with your export filter, check https://console.cloud.google.com/security/chronicle/settings/ingestion and look for issues with your query, you can also copy/paste the query from the ingestion page to log explorer to test the filter.
Note: Logical operators AND/OR/NOT must be upper case to function properly, but will not produce a syntax error when lowercase. This is the most common error I see with export filters.
Yes those are included. When trying to improve queries to narrow down your results the trick is usually finding the right UDM fields to filter. If you don't already have a lot of experience with UDM the best way to find which fields include that info is using the 'udm lookup' function at the bottom of the search box and to search for the distinct value. This will search against all the fields in your SecOps tenant and help you find where your data is being parsed.
In this example I can see that compute.networks.insert is being parsed into the metadata.product_event_type field. So we can extend UDM search from the earlier response with a regex for your method names against that field, and you should see just those events.
metadata.log_type = "GCP_CLOUDAUDIT" AND metadata.product_name = "Google Compute Engine" and metadata.product_event_type=/compute\.networks\.(insert|patch|delete)/
Depending on the quality/volume of your results and how often you'll need to search for these events you can either stop there or continue to refine and improve by looking at the udm fields of your results to find different fields that might be better to filter on.
