Collect Google Cloud Network Connectivity Center logs

Supported in:

Google secops SIEM

This document explains how to ingest Google Cloud Network Connectivity Center logs to Google Security Operations using Google Cloud Storage V2.

Network Connectivity Center is an orchestration framework that simplifies network connectivity among spoke resources that are connected to a central management resource called a hub. Network Connectivity Center enables connecting different enterprise networks together that are outside of Google Cloud by leveraging Google's network.

Before you begin

Ensure that you have the following prerequisites:

A Google SecOps instance
Google Cloud project with Cloud Storage API enabled
Permissions to create and manage GCS buckets
Permissions to manage IAM policies on GCS buckets
Permissions to create and manage Cloud Logging sinks
Network Connectivity Center resources configured in your Google Cloud project

Create Google Cloud Storage bucket

Go to the Google Cloud Console.
Select your project or create a new one.
In the navigation menu, go to Cloud Storage > Buckets.
Click Create bucket.

Provide the following configuration details:

Setting	Value
Name your bucket	Enter a globally unique name (for example, `ncc-logs-bucket`)
Location type	Choose based on your needs (Region, Dual-region, Multi-region)
Location	Select the location (for example, `us-central1`)
Storage class	Standard (recommended for frequently accessed logs)
Access control	Uniform (recommended)
Protection tools	Optional: Enable object versioning or retention policy

Click Create.

Configure Cloud Logging to export Network Connectivity Center logs to GCS

Logging stores Network Connectivity Center logs for only 30 days. If you want to keep your logs for a longer period, you must route them.

In the Google Cloud Console, go to Logging > Logs Router.
Click Create sink.
Provide the following configuration details:
- Sink name: Enter a descriptive name (for example, ncc-chronicle-export).
- Sink description: Optional description.
Click Next.
In the Select sink service section:
- Sink service: Select Cloud Storage bucket.
- Select Cloud Storage bucket: Select the bucket (for example, ncc-logs-bucket) from the list.
Click Next.
In the Choose logs to include in sink section, enter a filter query:
```
protoPayload.serviceName="networkconnectivity.googleapis.com"
```
Click Next.
Review the configuration and click Create sink.

Note: The sink's writer identity (a service account) is automatically granted the necessary permissions to write to the Cloud Storage bucket when using the console. If you create the sink using the gcloud CLI, you may need to grant permissions manually.

Retrieve the Google SecOps service account

Google SecOps uses a unique service account to read data from your GCS bucket. You must grant this service account access to your bucket.

Configure a feed in Google SecOps to ingest GCP Network Connectivity Center logs

Go to SIEM Settings > Feeds.
Click Add New Feed.
Click Configure a single feed.
In the Feed name field, enter a name for the feed (for example, Google Cloud Network Connectivity Center Logs).
Select Google Cloud Storage V2 as the Source type.
Select GCP_NETWORK_CONNECTIVITY_CONTEXT as the Log type.
Click Get Service Account. A unique service account email will be displayed, for example:
```
chronicle-12345678@chronicle-gcp-prod.iam.gserviceaccount.com
```
Copy this email address for use in the next step.

Note: Each Google SecOps instance has a unique service account. Don't use service accounts from other documentation or examples.
Click Next.
Specify values for the following input parameters:
- Storage bucket URL: Enter the GCS bucket URI with the prefix path:
```
gs://ncc-logs-bucket/
```
  - Replace:
    - ncc-logs-bucket: Your GCS bucket name.
Note: When you route logs to a Cloud Storage bucket, Logging writes a set of files to the bucket. The files are organized in directory hierarchies by log type and date. Cloud Logging will create subdirectories automatically based on the log type and date. Always include the trailing slash (/) at the end of the URI.
- Source deletion option: Select the deletion option according to your preference:
  - Never: Never deletes any files after transfers (recommended for testing).
  - Delete transferred files: Deletes files after successful transfer.
  - Delete transferred files and empty directories: Deletes files and empty directories after successful transfer.
    
    Note: If you select a deletion option, the service account must have Storage Object Admin role instead of Storage Object Viewer. Update IAM permissions accordingly.
- Maximum File Age: Include files modified in the last number of days. Default is 180 days.
- Asset namespace: The asset namespace.
- Ingestion labels: The label to be applied to the events from this feed.
Click Next.
Review your new feed configuration in the Finalize screen, and then click Submit.

Grant IAM permissions to the Google SecOps service account

The Google SecOps service account needs Storage Object Viewer role on your GCS bucket.

Go to Cloud Storage > Buckets.
Click the bucket name (for example, ncc-logs-bucket).
Go to the Permissions tab.
Click Grant access.
Provide the following configuration details:
- Add principals: Paste the Google SecOps service account email.
- Assign roles: Select Storage Object Viewer.
Click Save.

UDM mapping table

Log Field	UDM Mapping	Logic
resource.data.createTime	entity.resource.attribute.creation_time	Timestamp when the resource was created
resource.data.updateTime	entity.resource.attribute.last_update_time	Timestamp when the resource was last updated
temp_discovery_document, temp_discovery_name, temp_ipcidr_range, temp_overlaps, temp_peer, temp_prefix_length, temp_resource_name, temp_resource_state, temp_target_cidr_range, temp_usage, temp_labels, temp_label	entity.resource.attribute.labels	Key-value pairs of additional resource attributes
resource.data.description	metadata.description	Description of the entity
resource.data.locationId	entity.location.name	Name of the location
name, val.uri, resource.data.hub, val, val.virtualMachine, resource.parent, val	entity.resource.name	Name of the resource
temp_main_ancestor, tmp_ancestor_name	entity.resource_ancestors	List of ancestor resources
resource.data.uniqueId, obj_id	entity.resource.product_object_id	Unique identifier for the resource in the product
assetType, HUB	entity.resource.resource_subtype	Subtype of the resource
DEVICE, VPC_NETWORK, VIRTUAL_MACHINE, CLOUD_PROJECT	entity.resource.resource_type	Type of the resource
GOOGLE_CLOUD_PLATFORM	entity.resource.attribute.cloud.environment	Cloud environment (e.g., GOOGLE_CLOUD_PLATFORM)
reouting_vpc_relation, temp_hub_relation, linked_vpc_tunnel_relation, linked_attachments_relation, router_relation, anceator_relation, user_relations	entity.relations	Relationships to other entities
resource.version	metadata.product_version	Version of the product that generated the event

Need more help? Get answers from Community members and Google SecOps professionals.