Configure Log Collection Using Templates

Role Availability: Read-Only, Investigator, Analyst, Manager

For your USM Anywhere Sensor to receive logs from your Google Cloud Platform (GCP) environment, you must have an export sink to define which logs are exported, a topic to receive those logs, and a subscription to deliver those exported logs to the sensor. The easiest way to create and configure all of these disparate pieces is by using the templates AT&T Cybersecurity provides.

See Manually Create a Cloud Pub/Sub Topic or Manually Create and Configure an Export Sink if you would like to perform these steps manually rather than using these templates.

Important: Because these templates are deployed using the Google Cloud Deployment Manager, you must ensure that both the user executing the deployment and the service account associated with the Cloud Deployment Manager have the required permissions:

  • The user executing the deployment must be assigned the role "Deployment Manager Editor" for the project in which they will perform the deployment.
  • The service account for the Cloud Deployment Manager must have the "Logging Admin" and "Pub/Sub Admin" roles for the project or organization from which you will be exporting logs.

To configure log collection using templates

  1. Download the template files from AT&T Cybersecurity:

  2. Create a Type Registry to deploy the templates by going to the Type Registry page under your Cloud Deployment Manager.
  3. Click Add Composite Type.
  4. Import the templates you previously downloaded.
  5. Provide the following information:

    • Deployment name: A name for this deployment.
    • source_id: The identification (ID) of the project exporting these logs.

  6. If you are executing this deployment at the project level, use the list to select the log types to export.

    Note: See the Log Export Filters table to see how these log queries are formatted.

  7. (Optional.) Specify the name of an existing topic to use instead of creating a new one.
  8. If you choose to use an existing topic, you must ensure that you grant the Writer Identity service account "Pub/Sub Publisher" permissions.
  9. Click Deploy.

    You can verify that your topic and subscription have been created by checking the Topics page under Pub/Sub.

  10. In USM Anywhere, go to your GCP Sensor under Data Sources > Sensors or the Google Cloud Platform Log Collection app under Data Sources > AlienApps > Available Apps.
  11. On the Log Subscriptions tab, click Enable to enable the subscription you just created.