Console
    Contact Us Start free

    Collect Cloud Identity Device Users logs

    Supported in:

    This document explains how to export Cloud Identity Device Users logs into Google Security Operations using Cloud Storage. The parser first extracts data from JSON formatted Cloud Identity Device Users logs and transforms the timestamp to the standardized format. Then, it maps specific fields from the raw log data to the corresponding fields in the unified data model (UDM) for user entities, their relationships to assets, and additional user attributes like management and password states.

    Before you begin

    Make sure you have the following prerequisites:

    • Google Cloud Identity is enabled in your Google Cloud project.
    • Google SecOps instance.
    • Privileged access to Google Cloud Identity and Cloud Logging.

    Create a Cloud Storage bucket

    1. Sign in to the Google Cloud console .

    2. Go to the Cloud Storage Bucketspage.

      Go to Buckets

    3. Click Create.

    4. On the Create a bucketpage, enter your bucket information. After each of the following steps, click Continueto proceed to the next step:

      1. In the Get startedsection, do the following:

        1. Enter a unique name that meets the bucket name requirements; for example, gcp-cloudidentity-users-logs.

        2. To enable hierarchical namespace, click the expander arrow to expand the Optimize for file oriented and data-intensive workloadssection, and then select Enable Hierarchical namespace on this bucket.

        3. To add a bucket label, click the expander arrow to expand the Labelssection.

        4. Click Add label, and specify a key and a value for your label.

      2. In the Choose where to store your datasection, do the following:

        1. Select a Location type.

        2. Use the location type menu to select a Locationwhere object data within your bucket will be permanently stored.

        3. To set up cross-bucket replication, expand the Set up cross-bucket replicationsection.

      3. In the Choose a storage class for your datasection, either select a default storage classfor the bucket, or select Autoclassfor automatic storage class management of your bucket's data.

      4. In the Choose how to control access to objectssection, clear Enforce public access prevention, and select an Access controlmodel for your bucket's objects.

      5. In the Choose how to protect object datasection, do the following:

        1. Select any of the options under Data protectionthat you want to set for your bucket.
        2. To choose how your object data will be encrypted, click the expander arrow labeled Data encryption, and select a data encryption method.

    5. Click Create.

    Configure Cloud Identity Device Users logs export

    1. Sign in to the Google Cloud console .
    2. Go to Logging > Log Router.
    3. Click Create Sink.

    4. Provide the following configuration parameters:

      • Sink Name: enter a meaningful name; for example, Cloudidentity-Users-Sink .
      • Sink Destination: select Cloud Storage Storageand enter the URI for your bucket; for example, gs://gcp-cloudidentity-users-logs .

      • Log Filter:

          logName 
 = 
 "projects/<your-project-id>/logs/cloudaudit.googleapis.com%2Factivity" 
resource.type = 
 "cloud_identity_user"

      • Set Export Options: include all log entries.

    5. Click Create.

    Configure permissions for Cloud Storage

    1. Go to IAM & Admin > IAM.
    2. Locate the Cloud Loggingservice account.
    3. Grant the roles/storage.adminon the bucket.

    Set up feeds

    There are two different entry points to set up feeds in the Google SecOps platform:

    • SIEM Settings > Feeds > Add New
    • Content Hub > Content Packs > Get Started

    How to set up the Google Cloud Identity Device Users feed

    1. Click the Google Cloud Compute platformpack.
    2. Locate the Google Cloud Identity Device Userslog type and click Add new feed.
    3. Specify values for the following fields:
      • Source Type: Third party API
      • OAuth JWT endpoint: endpoint to retrieve the OAuth JSON web token (JWT).
      • JWT claims issuer: usually the client ID.
      • JWT claims subject: usually an email address.
      • JWT claims audience: JWT claims audience.
      • RSA private key: enter in PEM format.

    Advanced options

    • Feed Name: A prepopulated value that identifies the feed.
    • Asset Namespace: Namespace associated with the feed.
    • Ingestion Labels: Labels applied to all events from this feed.
    1. Click Create feed.

    For more information about configuring multiple feeds for different log types within this product family, see Configure feeds by product .

    UDM Mapping Table

    Log Field UDM Mapping Logic
    collection_time.nanos
    		 timestamp.nanos Directly mapped from the log field. Represents the event timestamp in nanoseconds.
    collection_time.seconds
    		 timestamp.seconds Directly mapped from the log field. Represents the event timestamp in seconds.
    createTime
    		 entity.metadata.creation_timestamp Directly mapped from the log field after being parsed by the date filter. Represents the creation timestamp of the user.
    managementState
    		 entity.additional.fields.value.string_value Directly mapped from the log field. Represents the management state of the user.
    name
    		 entity.entity.resource.name Directly mapped from the log field. Represents the full resource name of the device user.
    passwordState
    		 entity.additional.fields.value.string_value Directly mapped from the log field. Represents the password state of the user. This field is only mapped if the passwordState field exists in the raw log.
    userEmail
    		 entity.entity.user.email_addresses Directly mapped from the log field. Represents the email address of the user.
    		entity.additional.fields.key Set to a constant value Management State within the parser. This field is used to provide context to the managementState value.
    		entity.additional.fields.key Set to a constant value Password State within the parser. This field is used to provide context to the passwordState value and is only present if passwordState exists in the raw log.
    		entity.entity.user.product_object_id Extracted from the name field using the grok filter, capturing the deviceuser_id portion. Represents the unique identifier of the device user.
    		entity.metadata.collected_timestamp.nanos Copied from collection_time.nanos . Represents the timestamp when the log was collected.
    		entity.metadata.collected_timestamp.seconds Copied from collection_time.seconds . Represents the timestamp when the log was collected.
    		entity.metadata.entity_type Set to a constant value USER within the parser.
    		entity.metadata.product_name Set to a constant value GCP Cloud Identity Device Users within the parser.
    		entity.metadata.vendor_name Set to a constant value Google Cloud Platform within the parser.
    		relations.entity.asset.product_object_id Extracted from the name field using the grok filter, capturing the device_id portion. Represents the unique identifier of the device.
    		relations.entity_type Set to a constant value ASSET within the parser.
    		relations.relationship Set to a constant value MEMBER within the parser.

    Need more help? Get answers from Community members and Google SecOps professionals.

    Design a Mobile Site
    View Site in Mobile | Classic
    Share by: