Collect Cloud Identity Devices logs

Supported in:

Google secops Siem

This guide will explain how to export Cloud Identity Devices logs into Google Security Operations using Cloud Storage. The parser extracts fields from JSON logs, transforms specific fields like deviceType and dates, and maps them to the UDM, creating an asset_entity representing the device and enriching it with hardware and metadata information.

Before You Begin

Ensure that you have the following prerequisites:

Google Cloud Identity is enabled in your Google Cloud project.
Google SecOps instance.
Privileged access to Google Cloud Identity and Cloud Logging.

Create a Cloud Storage bucket

Sign in to the Google Cloud console.
Go to the Cloud Storage Buckets page.

Go to Buckets
Click Create.
On the Create a bucket page, enter your bucket information. After each of the following steps, click Continue to proceed to the next step:
1. In the Get started section, do the following:
  1. Enter a unique name that meets the bucket name requirements; for example, gcp-cloudidentity-devices-logs.
  2. To enable hierarchical namespace, click the expander arrow to expand the Optimize for file oriented and data-intensive workloads section, and then select Enable Hierarchical namespace on this bucket.
    
    Note: You cannot enable hierarchical namespace on an existing bucket.
  3. To add a bucket label, click the expander arrow to expand the Labels section.
  4. Click Add label, and specify a key and a value for your label.
2. In the Choose where to store your data section, do the following:
  1. Select a Location type.
  2. Use the location type menu to select a Location where object data within your bucket will be permanently stored.
    
    Note: If you select the dual-region location type, you can also choose to enable turbo replication by using the relevant checkbox.
  3. To set up cross-bucket replication, expand the Set up cross-bucket replication section.
3. In the Choose a storage class for your data section, either select a default storage class for the bucket, or select Autoclass for automatic storage class management of your bucket's data.
4. In the Choose how to control access to objects section, clear Enforce public access prevention, and select an Access control model for your bucket's objects.
  
  Note: If public access prevention is already enforced by your project's organization policy, the Enforce public access prevention on this bucket checkbox is locked.
5. In the Choose how to protect object data section, do the following:
  1. Select any of the options under Data protection that you want to set for your bucket.
  2. To choose how your object data will be encrypted, click the expander arrow labeled Data encryption, and select a data encryption method.
Click Create.

ConfigureCloud Identity Devices Logs Export

Sign in to the Google Cloud console.
Go to Logging > Log Router.
Click Create Sink.
Provide the following configuration parameters:
- Sink Name: enter a meaningful name; for example, cloud-identity-devices-logs-sink.
- Sink Destination: select Cloud Storage Storage and enter the URI for your bucket; for example, gs://gcp-cloudidentity-devices-logs.
- Log Filter:
```
logName="projects/<your-project-id>/logs/cloudaudit.googleapis.com%2Factivity"
resource.type="cloud_identity_device"
```
- Set Export Options: include all log entries.
Click Create.

Configure permissions for Cloud Storage

Go to IAM & Admin > IAM.
Locate the Cloud Logging service account.
Grant the roles/storage.admin on the bucket.

Set up feeds

There are two different entry points to set up feeds in the Google SecOps platform:

SIEM Settings > Feeds
Content Hub > Content Packs

Set up feeds from SIEM Settings > Feeds

To configure a feed, follow these steps:

Go to SIEM Settings > Feeds.
Click Add New Feed.
On the next page, click Configure a single feed.
In the Feed name field, enter a name for the feed; for example, GCP Cloud Identity Devices Logs.
Select Third party API as the Source type.
Select GCP Cloud Identity Devices as the Log type.
Click Next.
Specify values for the following input parameters:
- OAuth JWT endpoint: endpoint to retrieve the OAuth JSON web token.
- JWT claims issuer: usually the client ID.
- JWT claims subject: usually an email address.
- JWT claims audience: JWT claims audience.
- RSA private key: enter in PEM format.
- API version: API version to be used for fetching device info. Value should be one of v1, v1beta1, or vx. If no version is specified, v1 is used.
Click Next.
Review your new feed configuration in the Finalize screen, and then click Submit.

Set up feeds from the Content Hub

Specify values for the following fields:

Storage Bucket URI: Cloud Storage bucket URL; for example, gs://gcp-cloudidentity-devices-logs.
URI Is A: select Directory which includes subdirectories.
Source deletion options: select the deletion option according to your preference.

Note: If you select the Delete transferred files or Delete transferred files and empty directories option, make sure that you granted appropriate permissions to the service account.

Advanced options

Feed Name: A prepopulated value that identifies the feed.
Source Type: Method used to collect logs into Google SecOps.
Asset Namespace: Namespace associated with the feed.
Ingestion Labels: Labels applied to all events from this feed.

UDM Mapping Table

Log Field	UDM Mapping	Logic
`createTime`	`entity.metadata.creation_timestamp`	The value of `createTime` is parsed as a timestamp and mapped.
`deviceId`	`entity.entity.asset.asset_id`	Directly mapped.
`deviceType`	`entity.entity.asset.platform_software.platform`	Mapped to `MAC` if the original value is `MAC_OS` or `IOS`. Mapped to `WINDOWS`, `MAC`, or `LINUX` if the original value matches. Otherwise, set to `UNKNOWN_PLATFORM`.
`encryptionState`	`entity.entity.asset.attribute.labels.key`	Value is set to `encryptionState`. Used as part of a label.
`encryptionState`	`entity.entity.asset.attribute.labels.value`	Directly mapped. Used as part of a label.
`lastSyncTime`	`entity.entity.asset.system_last_update_time`	The value of `lastSyncTime` is parsed as a timestamp and mapped.
`managementState`	`entity.entity.asset.attribute.labels.key`	Value is set to `managementState`. Used as part of a label.
`managementState`	`entity.entity.asset.attribute.labels.value`	Directly mapped. Used as part of a label.
`model`	`entity.entity.asset.hardware.model`	Directly mapped.
`name`	`entity.entity.asset.product_object_id`	The portion after `devices/` is extracted and mapped.
`name`	`entity.entity.resource.name`	Directly mapped.
`osVersion`	`entity.entity.asset.platform_software.platform_version`	Directly mapped.
`securityPatchTime`	`entity.entity.asset.attribute.labels.key`	Value is set to `securityPatchTime`. Used as part of a label.
`securityPatchTime`	`entity.entity.asset.attribute.labels.value`	Directly mapped. Used as part of a label.
`serialNumber`	`entity.entity.asset.hardware.serial_number`	Directly mapped. Copied from the top-level `create_time` field in the raw log. Value is set to `ASSET`. Value is set to `GCP Cloud Identity Devices`. Value is set to `Google Cloud Platform`. Copied from the top-level `create_time` field in the raw log.

Changes

2022-03-27

Mapped resource.name to the long unique resource name name.

2022-04-13

Newly created parser.

Need more help? Get answers from Community members and Google SecOps professionals.