Configure feeds by product

Supported in:

Before you begin

If you are using IAM custom roles, you need to do the following:

  1. Go to IAM & Admin > Roles.
  2. Select the existing custom role and click Edit Role.
  3. Click Add permissions.
  4. Enter the following:
    • chronicle.feedPacks.get
    • chronicle.feedPacks.list
  5. Click Save.

Configure log feeds

To enable effective threat detection and investigation, Google Security Operations relies on structured log ingestion. Properly configuring log feeds makes sure that relevant data is normalized and made available for correlation, alerting, and analysis.

This document explains how to set up and manage log feeds within Google SecOps. You can configure multiple feeds per product family according to the log type. Log types identified by Google as a baseline, are marked as required.

The platform provides setup instructions, required procedures, and explanations of configuration parameters. Some parameters are predefined to simplify the configuration process. For example, you can create multiple feeds under both required and optional log types within a product, such as CrowdStrike Falcon:

Access the multiple feeds configuration page

There are two ways to reach the multiple feeds configuration screen:

  • Content Hub > Content Packs
  • Settings > Feeds

Configure the feed for CrowdStrike EDR

Follow these steps to configure a log feed for CrowdStrike EDR.

  1. From Settings > Feeds, click Add New Feed
    1. Click the CrowdStrike Falcon product:.
    2. Select CrowdStrike EDR log type.
  2. Alternatively, from Content Hub > Content Packs, click the CrowdStrike Falcon product:
    1. Click Get Started.
    2. Select CrowdStrike EDR log type.

  3. Specify values for the following fields:

    Field Description
    Source Type Amazon SQS
    Region The AWS S3 region associated with the URI.
    Queue Name The SQS queue name to read from.
    Account Number The SQS account number.
    Source Deletion Option Indicates whether to delete files and directories after the transfer.
    Queue Access Key ID A 20-character alphanumeric access key for the account, such as AKIAOSFOODNN7EXAMPLE.
    Queue Secret Access Key A 40-character alphanumeric secret access key for the account, such as, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY.

  4. Optional: Configure the following parameters:

    • Feed Name: prepopulated unique name for the feed.
    • Asset namespace: namespace associated with the feed.
    • Ingestion labels: labels applied to the events from this feed.

  5. Click Create Feed.

You can repeat this process to create additional feeds for the same log type. You can also configure feeds for other available log types directly from this page. When finished, go to the Feed Management page to view a detailed summary of all configured log types.

Need more help? Get answers from Community members and Google SecOps professionals.