I have a question:
When ingesting from GCS buckets using the feeds management UI, it mentions that Chronicle doesn't need authentication for the bucket because it has an internal user. Is this user a global user or specific to that cloud account? Can I ingest an arbitrary bucket I don't own but know the address of, without authentication, as unstructured logs and be able to view some bucket contents in Chronicle?
Hi @Donald_Munengiw, this is a SIEM, not a SOAR question; it would be better to ask it in the specific chat.
Hi Donald,
If the bucket is public, then yes, you would be able to connect to that GCS Bucket and configure the feed to ingest. However, it would be best practice for the GCS Bucket owner to supply permission restrictions on the bucket such that only authenticated users can access this bucket. If you would like your Chronicle tenant to connect to a bucket with restricted access, then a member with the appropriate permissions in a project where that GCS Bucket exists would need to add the principal service account in Google Cloud IAM with Chronicle's ingest API service account, then give it read access to that GCS bucket. Hope this answers your question.
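
For bucket owners, a way to check both conditions from the answer above (added example, not part of the original thread): the script audits a bucket IAM policy, in the JSON form printed by `gcloud storage buckets get-iam-policy gs://BUCKET --format=json`, for public principals and for an explicit read grant to the feed's service account. The service account address, the sample policies and the short `READ_ROLES` set are constructed assumptions.

```python
# Principals that make a bucket readable without a specific identity grant.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Predefined roles that allow reading objects (non-exhaustive; custom roles not covered).
READ_ROLES = {
    "roles/storage.objectViewer",
    "roles/storage.objectAdmin",
    "roles/storage.admin",
}

# Placeholder: substitute the ingestion service account of your own Chronicle tenant.
FEED_SA = "chronicle-feed-sa@example-project.iam.gserviceaccount.com"


def audit_bucket_policy(policy, feed_sa):
    """Return public grants and whether feed_sa has an explicit read role."""
    feed_member = f"serviceAccount:{feed_sa}"
    public, unconditional, conditional = [], [], []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        members = set(binding.get("members", []))
        # Any role bound to a public principal is a finding for the owner.
        for m in sorted(members & PUBLIC_MEMBERS):
            public.append((role, m))
        if feed_member in members and role in READ_ROLES:
            # A binding with an IAM condition only applies when it evaluates true.
            (conditional if "condition" in binding else unconditional).append(role)
    return {
        "public_grants": public,
        "feed_explicit_read": bool(unconditional),
        "feed_conditional_roles": conditional,
    }


# Constructed sample policies: one public bucket, one restricted to named principals.
PUBLIC_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
]}
RESTRICTED_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer",
     "members": [f"serviceAccount:{FEED_SA}", "user:analyst@example.com"]},
    {"role": "roles/storage.admin", "members": ["user:owner@example.com"]},
]}

if __name__ == "__main__":
    for name, pol in (("public", PUBLIC_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, audit_bucket_policy(pol, FEED_SA))
```

A non-empty `public_grants` list means anyone who knows the bucket name can read it, which is the case the answer describes; the restricted policy shows the intended state, with no public principals and a read role bound to the feed's service account.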