This document explains how to export VPC Flow Logs to Google Security Operations using Google Cloud. The parser transforms the logs from their built-in JSON format into the Google Security Operations UDM. It extracts relevant fields like source and destination IP, port, protocol, and bytes sent, then maps them to corresponding UDM fields, taking into account network direction and special cases for accurate representation in Google SecOps.
Before You Begin
Ensure that you have the following prerequisites:
Google SecOps instance.
VPC Flow is set up and active in your Google Cloud environment.
On the Create a bucket page, enter your bucket information. After each of the following steps, click Continue to proceed to the next step:
In the Get started section, do the following:
Enter a unique name that meets the bucket name requirements; for example, vpcflow-logs.
To enable hierarchical namespace, click the expander arrow to expand the Optimize for file oriented and data-intensive workloads section, and then select Enable Hierarchical namespace on this bucket.
To add a bucket label, click the expander arrow to expand the Labels section.
Click Add label, and specify a key and a value for your label.
In the Choose where to store your data section, do the following:
Select a Location type.
Use the location type menu to select a Location where object data within your bucket will be permanently stored.
To set up cross-bucket replication, expand the Set up cross-bucket replication section.
In the Choose a storage class for your data section, either select a default storage class for the bucket, or select Autoclass for automatic storage class management of your bucket's data.
In the Choose how to control access to objects section, select not to enforce public access prevention, and select an access control model for your bucket's objects.
In the Choose how to protect object data section, do the following:
Select any of the options under Data protection that you want to set for your bucket.
To choose how your object data will be encrypted, click the expander arrow labeled Data encryption, and select a Data encryption method.
Click Create.
Configure Log Export in Google Cloud VPC Flow
Sign in to Google Cloud account using your privileged account.
On Welcome page, click VPC Networks.
Click Default and a subnet page should appear.
Select all logs.
Click Flow Logs > Configure.
Select Aggregation Interval; for example, 30 SEC.
Provide Sample Rate; for example, 50%.
Click Save
Search Logging in the search bar and click Enter.
In Log Explorer, filter the logs by choosing VPC_flows in the Log Name and click Apply.
Click More Actions.
Click Create Sink.
Provide the following configurations:
Sink Details: enter a name and description.
Click Next.
Sink Destination: select Cloud Storage Bucket.
Cloud Storage Bucket: select the bucket created earlier or create a new bucket.
Click Next.
Choose Logs to include in Sink: a default log is populated when you select an option in Cloud Storage Bucket.
Click Next.
Optional: Choose Logs to filter out of Sink: select the logs that you would like not to sink.
Click Create Sink.
Set up feeds
There are two different entry points to set up feeds in the
Google SecOps platform:
SIEM Settings > Feeds > Add New
Content Hub > Content Packs > Get Started
How to set up the Google Cloud VPC Flow feed
Click the Google Cloud Compute platform pack.
Locate the GCP VPC Flow Feed logtype.
Specify the values in the following fields.
Source Type: Amazon SQS V2
Queue Name: The SQS queue name to read from
S3 URI: The bucket URI.
s3://your-log-bucket-name/
Replace your-log-bucket-name with the actual name of your S3 bucket.
Source deletion options: Select the deletion option according to your ingestion preferences.
Maximum File Age: Include files modified in the last number of days. Default is 180 days.
SQS Queue Access Key ID: An account access key that is a 20-character alphanumeric string.
SQS Queue Secret Access Key: An account access key that is a 40-character alphanumeric string.
Advanced options
Feed Name: A prepopulated value that identifies the feed.
Asset Namespace: Namespace associated with the feed.
Ingestion Labels: Labels applied to all events from this feed.
Click Create feed.
For more information about configuring multiple feeds for different log types within this product family, see Configure feeds by product.
Supported VPC Flow Logs log formats
The VPC Flow Logs parser supports logs in JSON format.
Direct mapping when network.direction is OUTBOUND. Mapped from principal.ip when network.direction is INBOUND.
connection.dest_port
target.port
Converted to integer if greater than -1.
connection.protocol
network.ip_protocol
Converted to string, then mapped to integer. Based on the integer value, mapped to IP protocol name (e.g., TCP, UDP, ICMP).
connection.src_ip
principal.ip
Direct mapping.
connection.src_port
principal.port
Converted to integer.
dest_instance.region
target.location.name
Direct mapping.
dest_instance.vm_name
target.asset.hostname
Direct mapping.
dest_location.city
target.location.city
Direct mapping.
dest_location.country
target.location.country_or_region
Direct mapping.
dest_location.region
target.location.state
Direct mapping.
dest_vpc.project_id
target.namespace
Used with dest_vpc.vpc_name to form the target.namespace.
dest_vpc.vpc_name
target.namespace
Used with dest_vpc.project_id to form the target.namespace.
insertId
metadata.product_log_id
Direct mapping.
jsonPayload.bytes_sent
network.sent_bytes
Renamed to network.sent_bytes and converted to uinteger.
jsonPayload.packets_sent
network.sent_packets
Converted to integer.
labels.tunnel_id
additional.fields
Merged into additional.fields with the key Tunnel Id and type string_value.
logName
security_result.category_details
Direct mapping.
resource.labels.project_id
target.resource.name
Used to construct the target.resource.name with the format //cloudresourcemanager.googleapis.com/projects/{resource.labels.project_id}.
resource.labels.region
target.location.country_or_region
Direct mapping.
resource.labels.subnetwork_id
target.user.attribute.labels
Merged into target.user.attribute.labels with the key subnetwork_id.
resource.type
metadata.product_event_type
Direct mapping.
severity
security_result.severity
Mapped to LOW if the value is DEBUG.
src_gke_details.cluster.cluster_location
principal.resource.attribute.labels
Merged into principal.resource.attribute.labels with the key cluster_location.
src_gke_details.cluster.cluster_name
principal.resource.attribute.labels
Merged into principal.resource.attribute.labels with the key cluster_name.
src_gke_details.pod.pod_name
principal.resource.attribute.labels
Merged into principal.resource.attribute.labels with the key pod_name.
src_gke_details.pod.pod_namespace
principal.resource.attribute.labels
Merged into principal.resource.attribute.labels with the key pod_namespace.
src_instance.region
principal.location.name
Direct mapping.
src_instance.vm_name
principal.asset.hostname
Direct mapping.
src_location.city
principal.location.city
Direct mapping.
src_location.country
principal.location.country_or_region
Direct mapping.
src_location.region
principal.location.state
Direct mapping.
src_vpc.project_id
principal.namespace
Used with src_vpc.vpc_name to form the principal.namespace.
src_vpc.vpc_name
principal.namespace
Used with src_vpc.project_id to form the principal.namespace.
textPayload
additional.fields
Merged into additional.fields with the key Textpayload and type string_value.
timestamp
metadata.event_timestamp
Used to populate event_timestamp if jsonPayload.end_time is empty.
metadata.description
A description of the network flow, including the reporter (SRC or DEST) and the direction (INBOUND or OUTBOUND), is generated based on the 'reporter' field.
metadata.event_type
Set to NETWORK_CONNECTION for VPC flow logs and USER_RESOURCE_ACCESS for other log types.
metadata.log_type
Set to GCP_VPC_FLOW.
metadata.product_name
Set to GCP VPC Flow Logs.
metadata.product_version
Set to 1.0.
metadata.vendor_name
Set to Google Cloud.
network.direction
Determined based on the target.port. If the port is a well-known or reserved port, it's considered INBOUND; otherwise, it's considered OUTBOUND.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eThis guide explains how to export Google Cloud VPC Flow Logs to Google Security Operations (SecOps) and map the logs to the Unified Data Model (UDM).\u003c/p\u003e\n"],["\u003cp\u003eThe process involves creating a Google Cloud Storage bucket, configuring log export from Google Cloud VPC Flow to the bucket, and setting up a feed in Google SecOps to ingest these logs.\u003c/p\u003e\n"],["\u003cp\u003eBefore starting, users need a Google SecOps instance, active VPC Flow in their Google Cloud environment, and privileged access to Google Cloud.\u003c/p\u003e\n"],["\u003cp\u003eThe UDM mapping table outlines how various fields from the Cloud VPC Flow Logs are transformed and mapped to specific UDM fields within Google Security Operations, covering details like IP addresses, ports, protocols, and more.\u003c/p\u003e\n"],["\u003cp\u003eThe mapping of various fields has been updated and enhanced multiple times, including changes in \u003ccode\u003eprincipal\u003c/code\u003e and \u003ccode\u003etarget\u003c/code\u003e fields, as well as adding mappings for details about \u003ccode\u003egke\u003c/code\u003e and \u003ccode\u003eresources\u003c/code\u003e from \u003ccode\u003ejsonPayload\u003c/code\u003e.\u003c/p\u003e\n"]]],[],null,["# Collect VPC Flow Logs\n=====================\n\nSupported in: \nGoogle secops [SIEM](/chronicle/docs/secops/google-secops-siem-toc)\n| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).\n\nThis document explains how to export VPC Flow Logs to Google Security Operations using Google Cloud. The parser transforms the logs from their built-in JSON format into the Google Security Operations UDM. It extracts relevant fields like source and destination IP, port, protocol, and bytes sent, then maps them to corresponding UDM fields, taking into account network direction and special cases for accurate representation in Google SecOps.\n\nBefore You Begin\n----------------\n\nEnsure that you have the following prerequisites:\n\n- Google SecOps instance.\n- VPC Flow is set up and active in your Google Cloud environment.\n- Privileged access to Google Cloud.\n\nCreate a Google Cloud Storage Bucket\n------------------------------------\n\n1. Sign in to the [Google Cloud console](https://console.cloud.google.com/).\n2. Go to the **Cloud Storage Buckets** page.\n\n [Go to Buckets](https://console.cloud.google.com/storage/browser)\n3. Click **Create**.\n\n4. On the **Create a bucket** page, enter your bucket information. After each of the following steps, click **Continue** to proceed to the next step:\n\n 1. In the **Get started** section, do the following:\n\n 1. Enter a unique name that meets the bucket name requirements; for example, **vpcflow-logs**.\n 2. To enable hierarchical namespace, click the expander arrow to expand the **Optimize for file oriented and data-intensive workloads** section, and then select **Enable Hierarchical namespace on this bucket**.\n\n | **Note:** You cannot enable hierarchical namespace in an existing bucket.\n 3. To add a bucket label, click the expander arrow to expand the **Labels** section.\n\n 4. Click **Add label**, and specify a key and a value for your label.\n\n 2. In the **Choose where to store your data** section, do the following:\n\n 1. Select a **Location type**.\n 2. Use the location type menu to select a **Location** where object data within your bucket will be permanently stored.\n\n | **Note:** If you select the **dual-region** location type, you can also choose to enable **turbo replication** by using the relevant checkbox.\n 3. To set up cross-bucket replication, expand the **Set up cross-bucket replication** section.\n\n 3. In the **Choose a storage class for your data** section, either select a **default storage class** for the bucket, or select **Autoclass** for automatic storage class management of your bucket's data.\n\n 4. In the **Choose how to control access to objects** section, select **not** to enforce **public access prevention** , and select an **access control model** for your bucket's objects.\n\n | **Note:** If public access prevention is already enforced by your project's organization policy, the **Prevent public access** checkbox is locked.\n 5. In the Choose how to protect object data section, do the following:\n\n 1. Select any of the options under Data protection that you want to set for your bucket.\n 2. To choose how your object data will be encrypted, click the expander arrow labeled **Data encryption** , and select a **Data encryption method**.\n5. Click **Create**.\n\n| **Note:** Be sure to provide your Google SecOps Service Account with permissions to **Read** or **Read \\& Write** to the newly created bucket.\n\nConfigure Log Export in Google Cloud VPC Flow\n---------------------------------------------\n\n1. Sign in to **Google Cloud** account using your privileged account.\n2. On **Welcome** page, click **VPC Networks**.\n3. Click **Default** and a subnet page should appear.\n4. Select **all logs**.\n5. Click **Flow Logs \\\u003e Configure**.\n6. Select **Aggregation Interval** ; for example, **30 SEC**.\n7. Provide **Sample Rate** ; for example, **50%**.\n8. Click **Save**\n9. Search **Logging** in the search bar and click **Enter**.\n10. In **Log Explorer** , filter the logs by choosing **VPC_flows** in the **Log Name** and click **Apply**.\n11. Click **More Actions**.\n12. Click **Create Sink**.\n13. Provide the following configurations:\n 1. **Sink Details**: enter a name and description.\n 2. Click **Next**.\n 3. **Sink Destination** : select **Cloud Storage Bucket**.\n 4. **Cloud Storage Bucket**: select the bucket created earlier or create a new bucket.\n 5. Click **Next**.\n 6. **Choose Logs to include in Sink**: a default log is populated when you select an option in Cloud Storage Bucket.\n 7. Click **Next**.\n 8. Optional: **Choose Logs to filter out of Sink**: select the logs that you would like not to sink.\n14. Click **Create Sink**.\n\nSet up feeds\n------------\n\nThere are two different entry points to set up feeds in the\nGoogle SecOps platform:\n\n- **SIEM Settings \\\u003e Feeds \\\u003e Add New**\n- **Content Hub \\\u003e Content Packs \\\u003e Get Started**\n\nHow to set up the Google Cloud VPC Flow feed\n--------------------------------------------\n\n1. Click the **Google Cloud Compute platform** pack.\n2. Locate the **GCP VPC Flow Feed** logtype.\n3. Specify the values in the following fields.\n\n - **Source Type**: Amazon SQS V2\n - **Queue Name**: The SQS queue name to read from\n - **S3 URI** : The bucket URI.\n - `s3://your-log-bucket-name/`\n - Replace `your-log-bucket-name` with the actual name of your S3 bucket.\n - **Source deletion options**: Select the deletion option according to your ingestion preferences.\n\n | **Note:** If you select the `Delete transferred files` or `Delete transferred files and empty directories` option, make sure that you granted appropriate permissions to the service account.\n - **Maximum File Age**: Include files modified in the last number of days. Default is 180 days.\n\n - **SQS Queue Access Key ID**: An account access key that is a 20-character alphanumeric string.\n\n - **SQS Queue Secret Access Key**: An account access key that is a 40-character alphanumeric string.\n\n **Advanced options**\n - **Feed Name**: A prepopulated value that identifies the feed.\n - **Asset Namespace**: Namespace associated with the feed.\n - **Ingestion Labels**: Labels applied to all events from this feed.\n4. Click **Create feed**.\n\n| **Note:** The Content Hub is not available on the SIEM standalone platform. To upgrade, contact your Google SecOps representative.\n\nFor more information about configuring multiple feeds for different log types within this product family, see [Configure feeds by product](/chronicle/docs/ingestion/ingestion-entities/configure-multiple-feeds).\n\nSupported VPC Flow Logs log formats\n-----------------------------------\n\nThe VPC Flow Logs parser supports logs in JSON format.\n\nSupported VPC Flow Logs Sample Logs\n-----------------------------------\n\n- JSON\n\n {\n \"insertId\": \"1wjp1y9f8vc6y6\",\n \"jsonPayload\": {\n \"bytes_sent\": \"0\",\n \"connection\": {\n \"dest_ip\": \"198.51.100.0\",\n \"dest_port\": 32846,\n \"protocol\": 6,\n \"src_ip\": \"198.51.100.1\",\n \"src_port\": 443\n },\n \"dest_instance\": {\n \"project_id\": \"logging-259109\",\n \"region\": \"us-west2\",\n \"vm_name\": \"demisto-01\",\n \"zone\": \"us-west2-a\"\n },\n \"dest_vpc\": {\n \"project_id\": \"logging-259109\",\n \"subnetwork_name\": \"default\",\n \"vpc_name\": \"default\"\n },\n \"end_time\": \"2020-03-28T10:44:41.896734136Z\",\n \"packets_sent\": \"2\",\n \"reporter\": \"DEST\",\n \"start_time\": \"2020-03-28T10:44:41.896734136Z\"\n },\n \"logName\": \"projects/logging-259109/logs/compute.googleapis.com%2Fvpc_flows\",\n \"receiveTimestamp\": \"2020-03-28T10:44:50.112903743Z\",\n \"resource\": {\n \"labels\": {\n \"location\": \"us-west2-a\",\n \"project_id\": \"dummy_project_id\",\n \"subnetwork_id\": \"subnetwork_id\",\n \"subnetwork_name\": \"default\"\n },\n \"type\": \"gce_subnetwork\"\n },\n \"timestamp\": \"2020-03-28T10:44:50.112903743Z\"\n }\n\nUDM Mapping Table\n-----------------\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
