How to ensure log ingestion to only one specific log type in Google SecOps log ingestion API

Hello everyone,

If I provide access to the log ingestion API in Chronicle, how can I make sure that an external application can only ingest logs to a specific log type and cannot tamper with the integrity of other log types?

I am currently exploring a lead related to IAM conditions. Can this be a viable solution?


The ingestion API does not allow for that granularity of control; any API key with write access can write to any logtype.

You should be able to achieve the desired result using an HTTPS webhook feed. When you initially configure the webhook you create an API key and secret that can only be used with that feed, and specify the logtype to be used for all data received. You can also apply ingestion labels there to ensure data from that feed can be distinguished from other data with the same logtype if it is ingested via a different route.

https://cloud.google.com/chronicle/docs/administration/feed-management#setup-webhook
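
An added example, not part of the original answer and not Google's code: a small Python sender for a webhook feed like the one described above. The endpoint URL and credentials are constructed placeholders; the header names and the one-event-per-line batch format are assumed to match the linked feed-management documentation, and rejecting query strings is this example's own choice.

```python
import json
import urllib.request
from urllib.parse import urlsplit

# Header names are an assumption based on the linked feed-management docs,
# not something stated in this thread.
API_KEY_HEADER = "X-goog-api-key"
SECRET_HEADER = "X-Webhook-Access-Key"


def build_webhook_request(endpoint, api_key, secret, events):
    """Build the POST for one batch of events sent to a single webhook feed.

    The request carries no log type: the feed configuration fixes it
    server-side, so the sender cannot redirect data to another log type.
    """
    parts = urlsplit(endpoint)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("webhook endpoint must be an https:// URL")
    if parts.query:
        # Example policy: keep credentials out of the URL so they do not
        # end up in proxy or access logs.
        raise ValueError("pass the key and secret as headers, not in the URL")
    if not api_key or not secret:
        raise ValueError("feed API key and secret are both required")
    # One JSON event per line (assumed batch format).
    body = "\n".join(json.dumps(e, separators=(",", ":")) for e in events)
    req = urllib.request.Request(endpoint, data=body.encode("utf-8"),
                                 method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header(API_KEY_HEADER, api_key)
    req.add_header(SECRET_HEADER, secret)
    return req


def send(req, timeout=10):
    """Post the batch; urllib raises HTTPError on a non-2xx response."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample values; replace with the feed's real endpoint and keys.
    sample = [{"ts": "2024-01-01T00:00:00Z", "msg": "login ok", "user": "alice"}]
    r = build_webhook_request("https://webhook.example.invalid/feed-endpoint",
                              "PLACEHOLDER_API_KEY", "PLACEHOLDER_SECRET", sample)
    print(r.get_method(), r.full_url, len(r.data), "bytes")
```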
