VPC Flow

Overview

This documentation outlines the configuration process for Google Cloud Platform (GCP) VPC Flow Logs to transfer data to AlphaSOC for analysis. Through this integration, the network telemetry collected by GCP VPC Flow Logs can be used for security monitoring and threat detection.

To enable log data transfers:

  1. Enable VPC Flow Logs in your GCP environment.
  2. Export logs to Google Cloud Storage (GCS).
  3. Transfer data from GCS to AlphaSOC. For details, refer to Configuring GCS for submitting data.

Enabling VPC Flow Logs

In the VPC networks dashboard, select the subnet for which you want to enable flow logs.

Edit the subnet details as shown below.

Enable flow logs

In the Configure logs section, set aggregation interval to 5 sec and sample rate to 100 sec.

Additional configuration

Exporting Logs to GCS

Note: This part requires an existing GCS bucket. Please ensure you have created a storage bucket in GCS before proceeding with the sink configuration.

Create a sink in the Logs Router dashboard with the following details:

  • GCS bucket as the sink destination.
  • Inclusion filter:
    logName="projects/{{PROJECT_ID}}/logs/compute.googleapis.com%2Fvpc_flows" AND jsonPayload.reporter="SRC"

Replace {{PROJECT_ID}} with the ID of your GCP project.
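
The console steps above can also be scripted with gcloud. The following is an added example, not part of the original documentation or AlphaSOC's tooling; the subnet, region, sink and bucket names are caller-supplied placeholders, and a sampling value of 1.0 (every flow) is an assumed reading of the sample rate of 100 given above.

```shell
#!/bin/sh
# Added example: CLI equivalent of the console steps on this page.
# SUBNET, REGION, SINK and BUCKET are placeholders supplied by the caller.

# Build the inclusion filter shown on the page for a given project ID.
vpc_flow_filter() {
  # Standard project ID shape: 6-30 chars, starts with a lowercase letter,
  # lowercase letters/digits/hyphens only, no trailing hyphen.
  if ! printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9-]{4,28}[a-z0-9]$'; then
    echo "invalid project ID: $1" >&2
    return 1
  fi
  printf 'logName="projects/%s/logs/compute.googleapis.com%%2Fvpc_flows" AND jsonPayload.reporter="SRC"' "$1"
}

# Step 1: enable flow logs on one subnet (5-second aggregation).
enable_flow_logs() {  # usage: enable_flow_logs PROJECT_ID SUBNET REGION
  # 1.0 = sample every flow (assumption, see lead-in).
  gcloud compute networks subnets update "$2" --project="$1" --region="$3" \
    --enable-flow-logs \
    --logging-aggregation-interval=interval-5-sec \
    --logging-flow-sampling=1.0
}

# Step 2: create the sink to an existing bucket, then let the sink's
# writer identity create objects there; without this grant nothing is exported.
create_sink() {  # usage: create_sink PROJECT_ID SINK BUCKET
  filter=$(vpc_flow_filter "$1") || return 1
  gcloud logging sinks create "$2" "storage.googleapis.com/$3" \
    --project="$1" --log-filter="$filter" || return 1
  writer=$(gcloud logging sinks describe "$2" --project="$1" \
    --format='value(writerIdentity)') || return 1
  gcloud storage buckets add-iam-policy-binding "gs://$3" \
    --member="$writer" --role=roles/storage.objectCreator
}
```

Source the file and call `enable_flow_logs` once per subnet, then `create_sink` once per project. The writer identity receives only `roles/storage.objectCreator`, so the sink can write new objects but cannot read or delete existing ones.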