The Google Cloud Platform provides Infrastructure as a Service, Platform as a Service and serverless computing environments.
Google Cloud Platform services deliver audit logging to help answer the question "who did what, where and when?" Google Cloud Audit Logs are captured by Google Stackdriver, which provides monitoring, logging and diagnostics, giving users insight into the health, performance and availability of cloud-hosted applications. Stackdriver is natively integrated with Google Cloud Platform, and these insights help users find and fix issues faster. For more information, see the following links:
GCP: https://cloud.google.com/
Stackdriver: https://cloud.google.com/stackdriver/
Cloud Audit Logs: https://cloud.google.com/logging/docs/audit/
Logs from Stackdriver can be imported into the RSA NetWitness Platform using the RSA NetWitness Google Cloud plugin. The plugin pulls logs from Stackdriver through a Google Cloud Pub/Sub subscription: a Cloud Logging sink publishes the log entries to a Pub/Sub topic, and the plugin consumes a subscription on that topic.
Below is a basic flow diagram that outlines how the logs reach the RSA NetWitness Platform:
Here are a few example use cases that show what can be learned about activity in the Google Cloud Platform from the Google Cloud Audit Logs:
Starting with NetWitness Platform version 11.5, the GCP plugin supports raw JSON events. Once this is enabled in the UI, the plugin can capture any event type present in Google Stackdriver, not just audit events. These events are parsed by the gcp JSON parser, and customers are recommended to start using the gcp parser.
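To make the collection path concrete, here is an added Python example (not code from the RSA NetWitness plugin or from Google's client libraries) that does the two things the paragraphs above describe: it decodes log entries as they arrive in a Pub/Sub pull response, and it parses the raw LogEntry JSON so that Cloud Audit Log entries yield "who did what, where and when" while non-audit entries (here an application `jsonPayload`) are still kept. The two sample entries are constructed; the `logging.googleapis.com/timestamp` message attribute is an assumption about what a log sink attaches, and the IAM-change check is an illustrative heuristic, not a shipped rule.

```python
"""Decode Cloud Logging entries delivered via a Pub/Sub subscription and summarize them.

Added example, not part of the RSA NetWitness GCP plugin. Sample data is constructed.
"""
import base64
import json
from typing import Any, Dict, List, Optional
from urllib.parse import unquote

AUDIT_LOG_TYPE = "type.googleapis.com/google.cloud.audit.AuditLog"
# Illustrative heuristic: method names that change who may do what on a resource.
IAM_CHANGE_MARKERS = ("setiampolicy", "setiampermissions")

# Constructed Cloud Audit Log (Admin Activity) entry, in the public LogEntry/AuditLog JSON shape.
AUDIT_ENTRY: Dict[str, Any] = {
    "insertId": "abc123",
    "logName": "projects/demo-project/logs/cloudaudit.googleapis.com%2Factivity",
    "timestamp": "2021-03-04T12:34:56.789Z",
    "severity": "NOTICE",
    "resource": {"type": "gcs_bucket",
                 "labels": {"bucket_name": "demo-bucket", "project_id": "demo-project"}},
    "protoPayload": {
        "@type": AUDIT_LOG_TYPE,
        "serviceName": "storage.googleapis.com",
        "methodName": "storage.setIamPermissions",
        "resourceName": "projects/_/buckets/demo-bucket",
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "requestMetadata": {"callerIp": "203.0.113.7", "callerSuppliedUserAgent": "gcloud/1.0"},
        "status": {},  # empty status means the call succeeded (RPC code 0)
    },
}
# Constructed non-audit application entry: what the raw-JSON mode adds beyond audit events.
APP_ENTRY: Dict[str, Any] = {
    "insertId": "def456",
    "logName": "projects/demo-project/logs/my-app",
    "timestamp": "2021-03-04T12:35:00.000Z",
    "severity": "INFO",
    "resource": {"type": "gce_instance", "labels": {"instance_id": "123", "zone": "us-central1-a"}},
    "jsonPayload": {"message": "request served", "status": 200},
}


def _wrap(entry: Dict[str, Any], ack_id: str) -> Dict[str, Any]:
    """Present a LogEntry the way a Pub/Sub pull response does: base64 JSON in `data`."""
    return {
        "ackId": ack_id,
        "message": {
            "data": base64.b64encode(json.dumps(entry).encode()).decode(),
            "messageId": ack_id,
            "publishTime": entry["timestamp"],
            # Assumed attribute name carried by log-sink messages.
            "attributes": {"logging.googleapis.com/timestamp": entry["timestamp"]},
        },
    }


SAMPLE_PULL_RESPONSE = {"receivedMessages": [_wrap(AUDIT_ENTRY, "ack-1"), _wrap(APP_ENTRY, "ack-2")]}


def decode_entries(pull_response: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Base64-decode each message into a LogEntry dict; drop corrupt or non-JSON data."""
    entries: List[Dict[str, Any]] = []
    for received in pull_response.get("receivedMessages", []):
        raw = base64.b64decode(received["message"]["data"])
        try:
            entry = json.loads(raw)
        except ValueError:
            continue
        if isinstance(entry, dict):
            entries.append(entry)
    return entries


def is_audit_entry(entry: Dict[str, Any]) -> bool:
    return entry.get("protoPayload", {}).get("@type") == AUDIT_LOG_TYPE


def audit_log_kind(log_name: Optional[str]) -> Optional[str]:
    """'activity', 'data_access', 'system_event' or 'policy' for audit logs, else None."""
    name = unquote(log_name or "")
    prefix = "cloudaudit.googleapis.com/"
    idx = name.find(prefix)
    return name[idx + len(prefix):] if idx >= 0 else None


def summarize(entry: Dict[str, Any]) -> Dict[str, Any]:
    """Normalize an entry into who / what / on / where / when fields."""
    resource = entry.get("resource", {})
    record: Dict[str, Any] = {
        "when": entry.get("timestamp"), "log": entry.get("logName"),
        "audit_log": audit_log_kind(entry.get("logName")),
        "resource_type": resource.get("type"), "resource_labels": resource.get("labels", {}),
        "who": None, "what": None, "on": None, "service": None, "caller_ip": None, "status_code": None,
    }
    if is_audit_entry(entry):
        p = entry["protoPayload"]
        record.update({
            "who": p.get("authenticationInfo", {}).get("principalEmail"),
            "what": p.get("methodName"), "on": p.get("resourceName"), "service": p.get("serviceName"),
            "caller_ip": p.get("requestMetadata", {}).get("callerIp"),
            "status_code": p.get("status", {}).get("code", 0),
        })
    else:  # non-audit entries: keep whatever message the payload carries
        record["what"] = entry.get("jsonPayload", {}).get("message") or entry.get("textPayload")
    return record


def changes_iam(record: Dict[str, Any]) -> bool:
    """True for audit entries whose method changes IAM bindings (illustrative heuristic)."""
    what = (record.get("what") or "").lower()
    return record["audit_log"] is not None and any(m in what for m in IAM_CHANGE_MARKERS)


if __name__ == "__main__":
    for rec in map(summarize, decode_entries(SAMPLE_PULL_RESPONSE)):
        flag = " [IAM CHANGE]" if changes_iam(rec) else ""
        print(f"{rec['when']} {rec['who'] or '-'} {rec['what']} {rec['on'] or rec['resource_type']}{flag}")
```

In a live deployment the pull response would come from the Pub/Sub subscription the plugin is configured with; everything after `decode_entries` is independent of transport, which is why the audit and non-audit entries can be handled by one parser.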
To take advantage of this capability in RSA NetWitness, consult the configuration guide linked below and search RSA Live for the following items:
Configuration Guide: Google Cloud Platform Event Source Configuration Guide
Collector Package on RSA Live: "Google Cloud Log Collector Configuration"
Parsers on RSA Live: CEF, gcp