Ahtesham Patel

Now Available: RSA NetWitness Logs Integration with Google Cloud Platform

Blog Post created by Ahtesham Patel Employee on Jul 17, 2018

The Google Cloud Platform provides Infrastructure as a Service, Platform as a Service and serverless computing environments.


The Google Cloud Platform services deliver audit logging to help answer the question of "who did what, where and when?" Google Cloud Audit Logs are captured by Google Stackdriver, which provides monitoring, logging and diagnostics, giving users insight into the health, performance and availability of cloud-powered applications. These insights enable users to find and fix issues faster, and Stackdriver is natively integrated with the Google Cloud Platform. For more information please visit the following links:

GCP: https://cloud.google.com/

Stackdriver: https://cloud.google.com/stackdriver/

Cloud Audit Logs: https://cloud.google.com/logging/docs/audit/


The logs from Stackdriver can be imported into the RSA NetWitness Platform using the RSA NetWitness Google Cloud plugin. This plugin pulls logs from Stackdriver via a Google Cloud Pub/Sub subscription.


Below is a basic flow diagram that outlines how the logs flow into the RSA NetWitness Platform:



Here are a few example use cases in which the Google Cloud Audit Logs give insight into activity on the Google Cloud Platform:


  1. Resource creation, update or deletion.
  2. Addition of a user to a new IAM role.
  3. Access to sensitive data and resources.
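As an added example (not code from the post or from the RSA plugin), the script below takes Cloud Audit Log entries as they would arrive in Pub/Sub message bodies and sorts them into the three use cases above, pulling out the "who, what, where, when" fields. The field layout follows the Cloud Audit Log AuditLog payload; the three entries, the project name and the e-mail addresses are constructed.

```python
"""Triage Cloud Audit Log entries (pulled via a Pub/Sub subscription) into
the use cases: resource change, IAM role grant, sensitive data access."""
import json

def _entry(log_type, who, service, method, resource, extra=None):
    # Build one constructed entry in the Cloud Audit Log JSON layout.
    payload = {"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
               "authenticationInfo": {"principalEmail": who},
               "serviceName": service, "methodName": method, "resourceName": resource}
    payload.update(extra or {})
    log_name = "projects/example-project/logs/cloudaudit.googleapis.com%2F" + log_type
    return json.dumps({"logName": log_name, "timestamp": "2018-07-17T10:15:00Z",
                       "protoPayload": payload})

# Constructed Pub/Sub message bodies: a VM deletion, an IAM grant, a bucket read.
SAMPLE_MESSAGES = [
    _entry("activity", "alice@example.com", "compute.googleapis.com",
           "v1.compute.instances.delete",
           "projects/example-project/zones/us-central1-a/instances/web-1"),
    _entry("activity", "bob@example.com", "cloudresourcemanager.googleapis.com",
           "SetIamPolicy", "projects/example-project",
           {"serviceData": {"policyDelta": {"bindingDeltas": [
               {"action": "ADD", "role": "roles/owner",
                "member": "user:mallory@example.com"}]}}}),
    _entry("data_access", "carol@example.com", "storage.googleapis.com",
           "storage.objects.get", "projects/_/buckets/payroll-data/objects/salaries.csv"),
]

RESOURCE_VERBS = ("create", "insert", "update", "patch", "delete")

def classify(entry):
    """Map one decoded entry to a use-case label plus who/what/where/when."""
    p = entry["protoPayload"]
    method = p.get("methodName", "")
    deltas = p.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
    added = [d for d in deltas if d.get("action") == "ADD"]  # new role bindings
    if method.endswith("SetIamPolicy") and added:
        label = "iam_role_added"
    elif entry["logName"].endswith("%2Fdata_access"):  # Data Access audit log
        label = "data_access"
    elif any(v in method.lower() for v in RESOURCE_VERBS):  # Admin Activity log
        label = "resource_change"
    else:
        label = "other"
    return {"use_case": label, "what": method, "where": p.get("resourceName", ""),
            "who": p.get("authenticationInfo", {}).get("principalEmail", "?"),
            "when": entry.get("timestamp", ""),
            "granted": [(d["role"], d["member"]) for d in added]}

def triage(raw_messages):
    """Decode each Pub/Sub message body (JSON text) and classify it."""
    return [classify(json.loads(m)) for m in raw_messages]

if __name__ == "__main__":
    for result in triage(SAMPLE_MESSAGES):
        print(result)
```

The same `classify` function can be fed entries read from a Pub/Sub pull client; only the message decoding differs.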


To take advantage of this new capability within RSA NetWitness, please visit the configuration guide linked below and search RSA Live for the collector package and parser named below.



Configuration Guide: Google Cloud Platform Event Source Configuration Guide

Collector Package on RSA Live: "Google Cloud Log Collector Configuration"

Parser on RSA Live: CEF