Collect Cloud Next Generation Firewall logs

Supported in:

Google secops SIEM

This document explains how to export and ingest Cloud NGFW logs into Google Security Operations using Google Cloud. The parser extracts fields from Google Cloud Firewall logs, transforms and maps them to the UDM. It handles various log fields, including connection details, threat information, rule details, and network information, performing data type conversions, renaming, and conditional logic based on the action and direction fields to populate the UDM model correctly.

Before you begin

Ensure that you have the following prerequisites:

Google SecOps instance.
Cloud NGFW is active and configured in your Google Cloud environment.
Privileged access to Google Cloud and appropriate permissions to access Cloud NGFW logs.

Create a Cloud Storage bucket

Sign in to the Google Cloud console .
Go to the Cloud Storage Bucketspage.

Go to Buckets
Click Create.
On the Create a bucketpage, enter your bucket information. After each of the following steps, click Continueto proceed to the next step:
1. In the Get startedsection, do the following:
  1. Enter a unique name that meets the bucket name requirements; for example, gcp-ngfw-logs.
  2. To enable hierarchical namespace, click the expander arrow to expand the Optimize for file oriented and data-intensive workloadssection, and then select Enable Hierarchical namespace on this bucket.
    
    Note: You cannot enable hierarchical namespace on an existing bucket.
  3. To add a bucket label, click the expander arrow to expand the Labelssection.
  4. Click Add label, and specify a key and a value for your label.
2. In the Choose where to store your datasection, do the following:
  1. Select a Location type.
  2. Use the location type menu to select a Locationwhere object data within your bucket will be permanently stored.
    
    Note: If you select the dual-regionlocation type, you can also choose to enable turbo replicationby using the relevant checkbox.
  3. To set up cross-bucket replication, expand the Set up cross-bucket replicationsection.
3. In the Choose a storage class for your datasection, either select a default storage classfor the bucket, or select Autoclassfor automatic storage class management of your bucket's data.
4. In the Choose how to control access to objectssection, select notto enforce public access prevention, and select an access control modelfor your bucket's objects.
  
  Note: If public access prevention is already enforced by your project's organization policy, the Prevent public accesscheckbox is locked.
5. In the Choose how to protect object datasection, do the following:
  1. Select any of the options under Data protectionthat you want to set for your bucket.
  2. To choose how your object data will be encrypted, click the expander arrow labeled Data encryption, and select a Data encryption method.
Click Create.

Configure Cloud NGFW logs export

Sign in to the Google Cloud console .
Go to Logging > Log Router.
Click Create Sink.
Provide the following configuration parameters:
- Sink Name: enter a meaningful name; for example, NGFW-Export-Sink .
- Sink Destination: select Google Cloud Storageand enter the URI for your bucket; for example, gs://gcp-ngfw-logs .
- Log Filter:
```
  logName 
 = 
 "projects/<your-project-id>/logs/gcp-firewall" 
 
```
Click Create.

Configure permissions for Cloud Storage

Go to IAM & Admin > IAM.
Locate the Cloud Loggingservice account.
Grant the roles/storage.adminon the bucket.

Set up feeds

There are two different entry points to set up feeds in the Google SecOps platform:

SIEM Settings > Feeds > Add New
Content Hub > Content Packs > Get Started

How to set up the Google Cloud NGFW Enterprise feed

Click the Google Cloud Compute platformpack.
Locate the GCP NGFW Enterpriselog type.
Click Next.
Specify values for the following fields:
- Source Type: Google Cloud Storage V2
- Storage Bucket URI: Google Cloud storage bucket URL; for example, gs://gcp-ngfw-logs .
- Source deletion options: select the deletion option according to your preference.
  
  Note: If you select the Delete transferred files or Delete transferred files and empty directories option, make sure that you granted appropriate permissions to the service account.
- Maximum file age: Include files modified within the last number of days. Default is 180 days.
Click Get a Service Accountnext to the Chronicle Service Accountfield.

Advanced options
- Feed Name: A prepopulated value that identifies the feed.
- Asset Namespace: Namespace associated with the feed .
- Ingestion Labels: Labels applied to all events from this feed.
Click Create feed.

For more information about configuring multiple feeds for different log types within this product family, see Configure feeds by product .

UDM Mapping Table

Need more help? Get answers from Community members and Google SecOps professionals.

Log Field	UDM Mapping	Logic
`insertId`	`metadata.product_log_id`	Directly mapped from the `insertId` field.
`jsonPayload.action`	`security_result.action_details`	Directly mapped from the `jsonPayload.action` field.
`jsonPayload.connection.clientIp`	`principal.asset.ip`	Directly mapped from the `jsonPayload.connection.clientIp` field.
`jsonPayload.connection.clientIp`	`principal.ip`	Directly mapped from the `jsonPayload.connection.clientIp` field.
`jsonPayload.connection.clientPort`	`principal.port`	Directly mapped from the `jsonPayload.connection.clientPort` field and converted to integer.
`jsonPayload.connection.protocol`	`network.ip_protocol`	Mapped from `jsonPayload.connection.protocol` . If the value is `tcp` , the UDM field is set to `TCP` . Similar logic applies for `udp` , `icmp` , and `igmp` .
`jsonPayload.connection.serverIp`	`target.asset.ip`	Directly mapped from the `jsonPayload.connection.serverIp` field.
`jsonPayload.connection.serverIp`	`target.ip`	Directly mapped from the `jsonPayload.connection.serverIp` field.
`jsonPayload.connection.serverPort`	`target.port`	Directly mapped from the `jsonPayload.connection.serverPort` field and converted to integer.
`jsonPayload.interceptVpc.projectId`	`security_result.rule_labels`	Mapped from `jsonPayload.interceptVpc.projectId` with key `rule_details_projectId` .
`jsonPayload.interceptVpc.vpc`	`security_result.rule_labels`	Mapped from `jsonPayload.interceptVpc.vpc` with key `rule_details_vpc_network` .
`jsonPayload.securityProfileGroupDetails.securityProfileGroupId`	`security_result.rule_labels`	Mapped from `jsonPayload.securityProfileGroupDetails.securityProfileGroupId` with key `rule_details_security_profile_group` .
`jsonPayload.securityProfileGroupDetails.securityProfileGroupId`	`security_result.rule_labels`	Mapped from `jsonPayload.securityProfileGroupDetails.securityProfileGroupId` with key `rule_details_securityProfileGroupDetails_id` .
`jsonPayload.threatDetails.category`	`security_result.rule_labels`	Mapped from `jsonPayload.threatDetails.category` with key `rule_details_category` .
`jsonPayload.threatDetails.direction`	`security_result.rule_labels`	Mapped from `jsonPayload.threatDetails.direction` with key `rule_details_direction` .
`jsonPayload.threatDetails.id`	`security_result.threat_id`	Directly mapped from the `jsonPayload.threatDetails.id` field.
`jsonPayload.threatDetails.severity`	`security_result.severity`	Mapped from `jsonPayload.threatDetails.severity` . If the value is `CRITICAL` , the UDM field is set to `CRITICAL` . Similar logic applies for `HIGH` , `MEDIUM` , `LOW` , and `INFO` .
`jsonPayload.threatDetails.threat`	`security_result.threat_name`	Directly mapped from the `jsonPayload.threatDetails.threat` field.
`jsonPayload.threatDetails.type`	`security_result.rule_labels`	Mapped from `jsonPayload.threatDetails.type` with key `rule_details_threat_type` .
`jsonPayload.threatDetails.uriOrFilename`	`security_result.rule_labels`	Mapped from `jsonPayload.threatDetails.uriOrFilename` with key `rule_details_uriOrFilename` .
`logName`	`metadata.product_event_type`	Directly mapped from the `logName` field.
`metadata.collected_timestamp`	`metadata.collected_timestamp`	Directly mapped from the `receiveTimestamp` field and parsed using the specified date format.
`metadata.event_type`	`metadata.event_type`	Set to `NETWORK_CONNECTION` if both `principal_ip` and `target_ip` are present. Set to `STATUS_UNCATEGORIZED` if only `principal_ip` is present. Otherwise, set to `GENERIC_EVENT` .
`metadata.product_name`	`metadata.product_name`	Hardcoded to `GCP Firewall` .
`metadata.vendor_name`	`metadata.vendor_name`	Hardcoded to `Google Cloud Platform` .
`receiveTimestamp`	`metadata.collected_timestamp`	Directly mapped from the `receiveTimestamp` field.
`security_result.action`	`security_result.action`	Derived from the `jsonPayload.action` field. Mapped to `ALLOW` , `BLOCK` , or `UNKNOWN_ACTION` based on the value of `jsonPayload.action` .
`timestamp`	`metadata.event_timestamp`	Directly mapped from the `timestamp` field.
`timestamp`	`timestamp`	Directly mapped from the `timestamp` field.