Collect Static IP asset context data logs
This document explains how to ingest Static IP asset context data into Google Security Operations using Google Cloud Storage V2.
Static IP is an asset context data type that maps static IP addresses to hostnames and asset metadata. By ingesting this data, you enrich events in Google SecOps with additional context about network assets, enabling more accurate correlation, investigation, and alerting. Because this data is typically maintained in on-premise systems or exported as flat files, you must upload the files to a Google Cloud Storage (GCS) bucket, and then configure a Google SecOps feed to ingest them.
Before you begin
Make sure you have the following prerequisites:
- A Google SecOps instance
- A Google Cloud project with Cloud Storage API enabled
- Permissions to create and manage GCS buckets
- Permissions to manage IAM policies on GCS buckets
- Static IP asset data exported as a structured file (for example, CSV or JSON)
- Access to the system or directory where the Static IP data files are stored
Create a Google Cloud Storage bucket
- Go to the Google Cloud Console.
- Select your project or create a new one.
- In the navigation menu, go to Cloud Storage > Buckets.
- Click Create bucket.
Provide the following configuration details:
| Setting | Value |
|---|---|
| Name your bucket | Enter a globally unique name (for example, asset-static-ip-data) |
| Location type | Choose based on your needs (Region, Dual-region, Multi-region) |
| Location | Select the location closest to your Google SecOps instance (for example, us-central1) |
| Storage class | Standard (recommended for frequently accessed data) |
| Access control | Uniform (recommended) |
| Protection tools | Optional: Enable object versioning or retention policy |
Click Create.
Configure an automated export of Static IP data to GCS
Static IP asset context data is typically maintained as flat files (CSV, JSON) on an internal system such as an IP address management (IPAM) platform, a CMDB, or a network inventory database. To keep the data in GCS current, configure an automated export pipeline using one of the following approaches.
Option 1: Cloud Scheduler with Cloud Build (recommended)
Use Cloud Build triggered by Cloud Scheduler to run a containerized export job on a schedule. This approach requires no persistent VM and uses Google-managed infrastructure.
Create a service account for the export job:
- In the GCP Console, go to IAM & Admin > Service Accounts.
- Click Create Service Account.
- Provide the following configuration details:
  - Service account name: Enter static-ip-export-sa
  - Service account description: Enter Service account for automated Static IP data export to GCS
- Click Create and Continue.
- Add the following roles:
  - Storage Object Admin (to write files to GCS)
  - Cloud Build Editor (to run Cloud Build jobs)
- Click Done.
Create a Cloud Build configuration file (cloudbuild.yaml):
```yaml
steps:
  - name: 'gcr.io/cloud-builders/gcloud'
    entrypoint: 'bash'
    args:
      - '-c'
      - |
        # Stop on the first failed command so a broken export is never uploaded
        set -euo pipefail
        apt-get update && apt-get install -y curl jq

        # Export Static IP data from your source system
        # Replace with the actual command for your environment
        # Example: query IPAM API, export from CMDB, or generate from network scan
        # API_TOKEN must be made available to this step (for example, from Secret Manager via secretEnv)
        # --fail makes curl exit non-zero on an HTTP error instead of saving the error body
        curl -s --fail -H "Authorization: Bearer $${API_TOKEN}" \
          "https://your-ipam-system.example.com/api/v1/static-ips" \
          -o /workspace/static_ip_data.json

        # Upload to GCS
        gcloud storage cp /workspace/static_ip_data.json \
          gs://${_BUCKET_NAME}/static-ip/static_ip_$(date -u +%Y%m%d_%H%M%S).json

substitutions:
  _BUCKET_NAME: 'asset-static-ip-data'
```
Create a Cloud Scheduler job to trigger the build:
- In the GCP Console, go to Cloud Scheduler.
- Click Create Job.
Provide the following configuration details:
| Setting | Value |
|---|---|
| Name | static-ip-export-daily |
| Region | Select the same region as your GCS bucket |
| Frequency | 0 2 * * * (daily at 2:00 AM UTC) |
| Timezone | UTC (recommended) |
| Target type | HTTP |
| URL | https://cloudbuild.googleapis.com/v1/projects/YOUR_PROJECT_ID/builds |
| HTTP method | POST |
| Auth header | Add OAuth token |
| Service account | static-ip-export-sa@YOUR_PROJECT_ID.iam.gserviceaccount.com |
Click Create.
Option 2: Storage Transfer Service (for on-premise file systems)
If the Static IP data is stored on an on-premise file system, use Google Cloud Storage Transfer Service with a Transfer Agent.
- In the GCP Console, go to Storage Transfer Service.
- Click Create transfer job.
- Select POSIX filesystem as the source.
- Follow the instructions to install the Storage Transfer Agent on a machine with access to the Static IP data files.
Configure the transfer job:
| Setting | Value |
|---|---|
| Source directory | Path to the directory containing Static IP data files |
| Destination bucket | asset-static-ip-data |
| Destination path | static-ip/ |
| Schedule | Set a recurring schedule (for example, daily) |
Click Create.
Retrieve the Google SecOps service account
- Go to SIEM Settings > Feeds.
- Click Add New Feed.
- Click Configure a single feed.
- In the Feed name field, enter a name for the feed (for example, Static IP Asset Data).
- Select Google Cloud Storage V2 as the Source type.
- Select Static IP as the Log type.
- Click Get Service Account.
A unique service account email will be displayed, for example:
chronicle-12345678@chronicle-gcp-prod.iam.gserviceaccount.com
Copy the email address for use in the next step.
Grant IAM permissions to the Google SecOps service account
The Google SecOps service account needs the Storage Object Viewer role on your GCS bucket.
- Go to Cloud Storage > Buckets.
- Click on your bucket name (for example, asset-static-ip-data).
- Go to the Permissions tab.
- Click Grant access.
- Provide the following configuration details:
  - Add principals: Paste the Google SecOps service account email (for example, chronicle-12345678@chronicle-gcp-prod.iam.gserviceaccount.com).
  - Assign roles: Select Storage Object Viewer.
Click Save.
Configure the Google SecOps feed
- Go to SIEM Settings > Feeds.
- Click Add New Feed.
- Click Configure a single feed.
- In the Feed name field, enter a name for the feed (for example, Static IP Asset Data).
- Select Google Cloud Storage V2 as the Source type.
- Select Static IP as the Log type.
- Click Next.
Specify values for the following input parameters:
Storage bucket URL: Enter the GCS bucket URI: gs://asset-static-ip-data/static-ip/
- Replace asset-static-ip-data with your GCS bucket name.
- Replace static-ip with your configured prefix path.
Source deletion option: Select the deletion option according to your preference:
- Never: Never deletes any files after transfers (recommended for testing).
- Delete transferred files: Deletes files after successful transfer.
- Delete transferred files and empty directories: Deletes files and empty directories after successful transfer.
Maximum File Age: Include files modified in the last number of days (default is 180 days).
Asset namespace: The asset namespace.
Ingestion labels: The label to be applied to the events from this feed.
Click Next.
Review your new feed configuration in the Finalize screen, and then click Submit.
UDM mapping table
| Log Field | UDM Mapping | Logic |
|---|---|---|
| date | metadata.event_timestamp | Parsed as RFC3339 |
| client_mac | network.dhcp.chaddr | Directly mapped |
| client_hostname | network.dhcp.client_hostname | Directly mapped |
| client_ip | network.dhcp.yiaddr | Directly mapped |
| client_hostname | principal.hostname | Directly mapped |
| client_ip | principal.ip | Merged |
| client_mac | principal.mac | Merged |
| N/A | metadata.event_type | Constant: NETWORK_DHCP |
| N/A | metadata.product_name | Constant: PCAP DHCP |
| N/A | network.application_protocol | Constant: DHCP |
| N/A | network.dhcp.type | Constant: ACK |
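A pre-upload check for the export file, built on the log fields in the mapping table above so that malformed or conflicting records are caught before they reach the bucket and skew asset enrichment. This is an added example, not Google SecOps parser or documentation code; it assumes the export is newline-delimited JSON carrying the fields date, client_mac, client_hostname and client_ip, and the name validate_static_ip_records and the sample records are hypothetical.

```python
import ipaddress
import json
import re
from datetime import datetime

REQUIRED = ("date", "client_mac", "client_hostname", "client_ip")
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")
# Constructed sample export (documentation address ranges), one JSON object per line.
SAMPLE = """\
{"date": "2024-05-01T02:00:00Z", "client_mac": "00:00:5e:00:53:01", "client_hostname": "web01", "client_ip": "192.0.2.10"}
{"date": "2024-05-01T02:00:00Z", "client_mac": "00:00:5e:00:53:03", "client_hostname": "app01", "client_ip": "192.0.2.10"}
{"date": "2024-05-01T02:00:00", "client_mac": "not-a-mac", "client_hostname": "fw01", "client_ip": "192.0.2.999"}
{"error": "unauthorized"}
"""

def validate_static_ip_records(lines):
    """Return (good, errors); errors are (line_number, reason) tuples."""
    good, errors, ip_owner = [], [], {}
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rec = None
        if not isinstance(rec, dict):
            errors.append((n, "not a JSON object"))
            continue
        # Catches an API error body that was saved in place of real data.
        missing = [f for f in REQUIRED if not isinstance(rec.get(f), str) or not rec[f]]
        if missing:
            errors.append((n, "missing " + ",".join(missing)))
            continue
        problems = []
        try:  # the mapping table says date is parsed as RFC3339
            if datetime.fromisoformat(rec["date"].replace("Z", "+00:00")).tzinfo is None:
                problems.append("date has no UTC offset")
        except ValueError:
            problems.append("date is not RFC3339")
        try:
            ip = str(ipaddress.ip_address(rec["client_ip"]))
            # A static IP claimed by two hostnames makes enrichment ambiguous.
            owner = ip_owner.setdefault(ip, rec["client_hostname"].lower())
            if owner != rec["client_hostname"].lower():
                problems.append(f"{ip} already assigned to {owner}")
        except ValueError:
            problems.append("client_ip is not an IP address")
        if not MAC_RE.match(rec["client_mac"]):
            problems.append("client_mac is malformed")
        if problems:
            errors.append((n, "; ".join(problems)))
        else:
            good.append(rec)
    return good, errors
```

Calling validate_static_ip_records(SAMPLE.splitlines()) accepts only the first record; an export step can refuse to upload whenever the error list is non-empty.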