Overview
To view Google Cloud Audit logs in the Logsign Unified SecOps Platform, you need to complete some configuration steps.
First, open the link you have for Google Cloud Audit. You must be an authorized user who can access the management panel and take actions.
Prerequisites
- Logsign Unified SecOps Platform versions 6.4.21 and later support this integration.
Configure On Google Cloud Audit
Sign in to the interface as a user with Administrator authorization.
Create a project or select an existing project for which you want to pull Google Cloud Audit Logs.
You will need the project ID, so write it down.
Go to Google Cloud Console and navigate to APIs & Services > Library.
Search for the Cloud Logging API and enable it.
This is the API you need to access Audit Logs.
You can write any name you want in this field.
Go to IAM & Admin > Service Accounts.
Create a new service account:
Name: Give your service account a descriptive name (for example, auditapi).
Role: Give your service account the Logs Viewer role, or Logs Admin if more extensive access is required. The role is what gives the service account access to audit logs.
Select Manage Keys from the Actions menu next to the service account you created.
Create a new key and download it in JSON format. This JSON file will be used for authentication when calling the API.
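Before entering the key's values in Logsign, you can check the downloaded file against the project ID you noted and make sure it is not readable by other local users. This is an added example, not part of Logsign's documentation or product; the function names, the constructed sample key and the project ID example-project are assumptions made for illustration.

```python
import json
import os
import stat
import tempfile

# Fields a service account key file needs for authentication.
REQUIRED = ("type", "project_id", "private_key", "client_email", "token_uri")

def check_key_file(path, project_id):
    """Return a list of problems found in a service account JSON key."""
    problems = []
    # The key is a long-lived credential: only its owner should read it.
    if os.name == "posix":
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"file mode {mode:o} is open to group/others")
    try:
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
        if not isinstance(key, dict):
            raise ValueError("top level is not a JSON object")
    except ValueError as exc:  # json.JSONDecodeError is a ValueError
        return problems + [f"not a JSON key file: {exc}"]
    missing = [f for f in REQUIRED if not key.get(f)]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    if key.get("type") != "service_account":
        problems.append("type is not 'service_account'")
    if key.get("project_id") != project_id:
        problems.append("project_id differs from the project ID you noted")
    # User-managed service accounts: NAME@PROJECT_ID.iam.gserviceaccount.com
    email = str(key.get("client_email") or "")
    if not email.endswith(f"@{project_id}.iam.gserviceaccount.com"):
        problems.append("client_email is not a service account of this project")
    return problems

def demo():  # the sample key is constructed; every value in it is made up
    sample = {"type": "service_account", "project_id": "example-project",
              "private_key": "CONSTRUCTED-PLACEHOLDER-NOT-A-KEY",
              "client_email": "auditapi@example-project.iam.gserviceaccount.com",
              "token_uri": "https://oauth2.googleapis.com/token"}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "key.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        os.chmod(path, 0o644)  # world-readable, as a download often is
        loose = check_key_file(path, "example-project")
        os.chmod(path, 0o600)
        tight = check_key_file(path, "example-project")
        return loose, tight, check_key_file(path, "other-project")
```

An empty list means the file matches the project and is readable only by its owner; run it on the real key with `check_key_file("path/to/key.json", "<your-project-id>")`.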
You can now start adding the source using the information in the file you downloaded.
Log in to Logsign Unified SecOps Platform and click the Settings option in the top menu. In the window that opens, click 'Data Collection' on the left side to view the sources you have added to Logsign Unified SecOps Platform. Click the '+ Device' option on the right side to begin adding a source.
Fill in this field using the information in the JSON file, then continue with the remaining steps for adding the source.
You can then view the audit logs in Logsign USO and carry out analysis based on these incoming logs.