This Twingate parser extracts fields from Twingate VPN JSON logs, normalizes them, and maps them to the Unified Data Model (UDM). It handles various event types, including connection details, user information, resource access, and intermediary relays, enriching the data with metadata like vendor and product information.
Before you begin
Ensure that you have the following prerequisites:
Google SecOps instance.
Privileged access to AWS IAM and S3.
Configure Amazon S3 bucket
Create Amazon S3 bucket following this user guide: Creating a bucket
Click Download .csv file for save the Access Key and Secret Access Key for future reference.
Click Done.
Select Permissions tab.
Click Add permissions in section Permissions policies.
Select Add permissions.
Select Attach policies directly.
Search for AmazonS3FullAccess policy.
Select the policy.
Click Next.
Click Add permissions.
Configure Twingate sync with Amazon S3
Go to the Twingate Admin Console.
Go to Settings>Reports.
Click Sync to S3 Bucket.
Configure the S3 Sync:
Bucket Name: Provide the name of your S3 bucket.
Access Key ID: Enter the Access Key.
Secret Access Key: Enter the Secret Key.
Click Start Syncing.
Set up feeds
To configure a feed, follow these steps:
Go to SIEM Settings>Feeds.
Click Add New Feed.
On the next page, click Configure a single feed.
In the Feed name field, enter a name for the feed; for example, Twingate Logs.
Select Amazon S3 as the Source type.
Select Twingate as the Log type.
Click Next.
Specify values for the following input parameters:
Region: the region where the Amazon S3 bucket is located.
S3 URI: the bucket URI.
s3:/BUCKET_NAME
Replace the following:
BUCKET_NAME: the name of the bucket.
URI is a: select Directory.
Source deletion options: select deletion option according to your preference.
Access Key ID: the User access key with access to the s3 bucket.
Secret Access Key: the User secret key with access to the s3 bucket.
Click Next.
Review your new feed configuration in the Finalize screen, and then click Submit.
Field mapping reference
This parser transforms raw Twingate logs in JSON format into UDM. It normalizes the data and extracts relevant information, mapping it to corresponding UDM fields.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eThis document provides instructions for collecting and parsing Twingate VPN logs within Google SecOps, utilizing the provided parser to extract and normalize data into the Unified Data Model (UDM).\u003c/p\u003e\n"],["\u003cp\u003eThe process involves configuring an Amazon S3 bucket, creating an AWS user with appropriate permissions, setting up Twingate to sync logs to the S3 bucket, and configuring a feed in Google SecOps to ingest the logs.\u003c/p\u003e\n"],["\u003cp\u003eThe Twingate parser extracts data fields such as connection details, user information, resource access, and intermediary relays from Twingate JSON logs and maps them to corresponding UDM fields for analysis.\u003c/p\u003e\n"],["\u003cp\u003eThe document outlines the specific steps for creating an S3 bucket, a user, and configuring permissions to ensure the user has the necessary access for log synchronization, further detailed with the specific UDM field mapping logic of the parser.\u003c/p\u003e\n"],["\u003cp\u003eThe document includes a comprehensive field mapping table that details how each Twingate log field is mapped to its corresponding UDM field, including the specific logic used for data transformation.\u003c/p\u003e\n"]]],[],null,["# Collect Twingate VPN logs\n=========================\n\nSupported in: \nGoogle secops [SIEM](/chronicle/docs/secops/google-secops-siem-toc)\n| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).\n\nOverview\n--------\n\nThis Twingate parser extracts fields from Twingate VPN JSON logs, normalizes them, and maps them to the Unified Data Model (UDM). It handles various event types, including connection details, user information, resource access, and intermediary relays, enriching the data with metadata like vendor and product information.\n\nBefore you begin\n----------------\n\nEnsure that you have the following prerequisites:\n\n- Google SecOps instance.\n- Privileged access to AWS IAM and S3.\n\nConfigure Amazon S3 bucket\n--------------------------\n\n1. Create **Amazon S3 bucket** following this user guide: [Creating a bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/creating-bucket.html)\n2. Save bucket **Name** and **Region** for future reference.\n3. Create a **User** following this user guide: [Creating an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html#id_users_create_console).\n\n | **Note:** Grant your AWS user access to the corresponding bucket. See the [AWS User Guide (Access)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/walkthrough1.html#walkthrough-grant-user1-permissions). Ensure the user has **s3:ListBucket** and **s3:PutObject** listed in their policy.\n4. Select the created **User**.\n\n5. Select **Security credentials** tab.\n\n6. Click **Create Access Key** in section **Access Keys**.\n\n7. Select **Third-party service** as **Use case**.\n\n8. Click **Next**.\n\n9. Optional: add description tag.\n\n10. Click **Create access key**.\n\n11. Click **Download .csv file** for save the **Access Key** and **Secret Access Key** for future reference.\n\n12. Click **Done**.\n\n13. Select **Permissions** tab.\n\n14. Click **Add permissions** in section **Permissions policies**.\n\n15. Select **Add permissions**.\n\n16. Select **Attach policies directly**.\n\n17. Search for **AmazonS3FullAccess** policy.\n\n18. Select the policy.\n\n19. Click **Next**.\n\n20. Click **Add permissions**.\n\nConfigure Twingate sync with Amazon S3\n--------------------------------------\n\n1. Go to the Twingate Admin Console.\n2. Go to **Settings** \\\u003e **Reports**.\n3. Click **Sync to S3 Bucket**.\n4. Configure the S3 Sync:\n\n - **Bucket Name**: Provide the name of your S3 bucket.\n\n | **Note:** S3 bucket needs to have public access **enabled**.\n - **Access Key ID**: Enter the Access Key.\n\n - **Secret Access Key**: Enter the Secret Key.\n\n5. Click **Start Syncing**.\n\nSet up feeds\n------------\n\nTo configure a feed, follow these steps:\n\n1. Go to **SIEM Settings** \\\u003e **Feeds**.\n2. Click **Add New Feed**.\n3. On the next page, click **Configure a single feed**.\n4. In the **Feed name** field, enter a name for the feed; for example, **Twingate Logs**.\n5. Select **Amazon S3** as the **Source type**.\n6. Select **Twingate** as the **Log type**.\n7. Click **Next**.\n8. Specify values for the following input parameters:\n\n - **Region**: the region where the Amazon S3 bucket is located.\n - **S3 URI** : the bucket URI. `s3:/BUCKET_NAME` Replace the following:\n - `BUCKET_NAME`: the name of the bucket.\n - **URI is a** : select **Directory**.\n - **Source deletion options**: select deletion option according to your preference.\n\n | **Note:** If you select the **Delete transferred files** or **Delete transferred files and empty directories** option, make sure that you granted appropriate permissions to the service account.\n - **Access Key ID**: the User access key with access to the s3 bucket.\n - **Secret Access Key**: the User secret key with access to the s3 bucket.\n9. Click **Next**.\n\n10. Review your new feed configuration in the **Finalize screen** , and then click **Submit**.\n\nField mapping reference\n-----------------------\n\nThis parser transforms raw Twingate logs in JSON format into UDM. It normalizes the data and extracts relevant information, mapping it to corresponding UDM fields.\n\nUDM Mapping Table\n-----------------\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
