FortiSIEM Blog
BenBrit
Staff

Overview

Many organizations now operate some or all of their infrastructure in a cloud compute platform such as Google Cloud Platform (GCP). The proprietary nature of cloud compute platforms combined with the Internet-imposed need for secure connectivity means common on-prem logging protocols like syslog can't be used, and each cloud platform integration mechanism is proprietary and different. Despite the differences, cloud environments are an extension of an organization's infrastructure; logs should be ingested into the SIEM for monitoring, analysis and reporting to help maintain the organization's security posture.

FortiSIEM provides a monitoring solution for cloud, hybrid cloud, and on-prem environments. FortiSIEM can monitor your GCP environment alongside other supported cloud environments, plus on-prem environments, all in one place. Some example use cases include:

  • Build flexible dashboards to display relevant information from across your IT estate in your SOC
  • Monitor, analyze, and alert on events across cloud and on-prem systems, all in one easy-to-use interface
  • Manage incidents from cloud and on-prem systems in one place

FortiSIEM's ability to combine multiple log sources across different architectures and environments simplifies security and performance monitoring, log aggregation, alerting, reporting, and incident investigation.


Types of Logs in a Cloud Architecture

There are several sources of logs in a cloud architecture that may be of interest to a SIEM user. Be sure to take a full inventory of your cloud assets to ensure you build a comprehensive visibility solution. These might include:

  • Audit logs from the cloud platform. In GCP these logs are routed to a pub/sub topic to which the SIEM can subscribe to get the logs. This use case is the subject of this blog; read on for more...
  • OS and application logs from virtual machines running in the cloud platform. This includes regular Windows or Linux server logs, and the logs from applications running on them. These are collected via agents and/or collectors in a similar way to an on-prem solution. Check the FortiSIEM External Systems Configuration Guide and FortiSIEM agent documentation for more information on this use case, and to see if your applications are supported.
  • Application specific logs from cloud native services. This includes logs from Google Workspace, Microsoft Office 365, or other cloud-native applications. The logs from these services are application and vendor specific. They might have their own log API, or route logs to a topic or log bucket in the cloud platform. Check the FortiSIEM External Systems Configuration Guide to see if your cloud-native application is supported, and if so how the logs can be collected.


Google Cloud Platform Audit Log Routing

Ingesting GCP audit logs into FortiSIEM is a multi-step process.

  1. Enable the pub/sub API in GCP
  2. Define an audit policy that meets your logging needs
  3. Configure a topic to which the audit logs can be routed
  4. Configure a sink to route the audit logs to the topic
  5. Configure the subscription that will allow FortiSIEM to connect to the topic and ingest the logs
  6. Configure a service account that can be used by FortiSIEM to access the subscription
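The six steps above as a gcloud script; this is an added example, not the procedure from the FortiSIEM guide, and the project, topic, sink, subscription and service account names are assumptions. Note the two least-privilege bindings: the sink's writer identity is granted publish on the topic only, and the FortiSIEM service account is granted subscribe on the subscription only.

```shell
#!/bin/sh
# Added example: the six steps above as gcloud commands (not from the
# FortiSIEM guide). All names are assumptions; set them for your project.
# DRY_RUN=1 prints each command instead of executing it.
PROJECT="${PROJECT:-my-gcp-project}"      # assumed project id
TOPIC="${TOPIC:-fortisiem-audit-logs}"    # assumed topic name
SINK="${SINK:-fortisiem-audit-sink}"      # assumed sink name
SUB="${SUB:-fortisiem-audit-sub}"         # assumed subscription name
SA="${SA:-fortisiem-reader}"              # assumed service account id
SA_EMAIL="$SA@$PROJECT.iam.gserviceaccount.com"
# Route only Cloud Audit Log entries, not every log in the project.
AUDIT_FILTER='logName:"cloudaudit.googleapis.com"'

run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

setup_gcp_audit_pipeline() {
  # 1. Enable the Pub/Sub API
  run gcloud services enable pubsub.googleapis.com --project "$PROJECT"
  # 2. Audit policy: Admin Activity logs are always written; Data Access
  #    logs are switched on per service in the project's IAM audit config
  #    (console or gcloud projects set-iam-policy), so decide that first.
  # 3. Topic the audit logs are routed to
  run gcloud pubsub topics create "$TOPIC" --project "$PROJECT"
  # 4. Sink: audit entries only, destination is the topic
  run gcloud logging sinks create "$SINK" \
    "pubsub.googleapis.com/projects/$PROJECT/topics/$TOPIC" \
    --log-filter="$AUDIT_FILTER" --project "$PROJECT"
  #    The sink publishes under its own writer identity: grant publish only.
  if [ "${DRY_RUN:-0}" = 1 ]; then WRITER="serviceAccount:<sink-writer-identity>"
  else WRITER=$(gcloud logging sinks describe "$SINK" --project "$PROJECT" \
                --format='value(writerIdentity)'); fi
  run gcloud pubsub topics add-iam-policy-binding "$TOPIC" --project "$PROJECT" \
    --member="$WRITER" --role=roles/pubsub.publisher
  # 5. Subscription FortiSIEM pulls from
  run gcloud pubsub subscriptions create "$SUB" --topic "$TOPIC" \
    --project "$PROJECT" --ack-deadline=60
  # 6. Service account for FortiSIEM: subscriber on this one subscription,
  #    no project-wide role. Its key file is assumed to be what you load
  #    into the FortiSIEM GCP credential; keep it off shared storage.
  run gcloud iam service-accounts create "$SA" --project "$PROJECT" \
    --display-name="FortiSIEM audit log reader"
  run gcloud pubsub subscriptions add-iam-policy-binding "$SUB" \
    --project "$PROJECT" --member="serviceAccount:$SA_EMAIL" \
    --role=roles/pubsub.subscriber
  run gcloud iam service-accounts keys create "./$SA-key.json" \
    --iam-account="$SA_EMAIL" --project "$PROJECT"
}
```

Run `DRY_RUN=1 sh` on the script first to review the exact commands before executing them against the project.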

[Screenshot: GCP audit log routing configuration]

The configuration is described in the FortiSIEM External Systems Configuration Guide at https://docs.fortinet.com/document/fortisiem/7.1.4/external-systems-configuration-guide/239057/googl... . Additional information can be found in the Google GCP logging documentation at https://cloud.google.com/logging/docs .


Out-of-the-box GCP Rules and Reports

FortiSIEM can ingest a wide range of events from GCP. Events can be analyzed using the FortiSIEM Analytics page:

[Screenshot: FortiSIEM Analytics page showing GCP events]

FortiSIEM includes preconfigured event types, rules, reports, and a dashboard for monitoring GCP. Included rules and reports cover GCP cloud firewall rule creation and deletion; IAM custom role creation and deletion; service account creation and deletion; VPC network route creation and deletion; and more. Check the External Systems Configuration Guide or the FortiSIEM GUI for the full list of available rules and reports.

[Screenshot: built-in GCP rules and reports]

Custom Use Cases

Custom use cases can be built from the ingested logs by configuring custom rules, reports, and dashboards that reference the event types or event type groups that are ingested from GCP. FortiSIEM's flexible reporting and dashboard features allow custom dashboards to be built with ease. This custom dashboard shows a range of informative GCP firewall information:

[Screenshot: custom GCP firewall dashboard]

The next custom dashboard shows various types of virtual machine activity that could affect security and/or hosting costs, including changing the virtual machine type, starting virtual machines, and setting network tags:


[Screenshot: custom virtual machine activity dashboard]

Troubleshooting Cloud Discovery

FortiSIEM can monitor the Google Cloud API from the Supervisor node or a Collector node in small deployments. In larger deployments all monitoring should be performed from Collector nodes, leaving the Supervisor dedicated to cluster management tasks and running the user GUI.

Before configuring Google Cloud monitoring from FortiSIEM, check that the API is available from the node that will perform the monitoring. This includes:

  • Basic IP connectivity
  • DNS resolution of the API URL
  • Unobstructed SSL/TLS connectivity between the node and the Google API

Common causes of failed cloud API discoveries include:

  • A firewall between the FortiSIEM node and the Google API endpoint blocking traffic
  • FortiSIEM configured to use an internal DNS server that cannot resolve the API name
  • An SSL inspection device between the FortiSIEM node and the Google API endpoint that re-signs the connection with a certificate the node does not trust, so the TLS handshake fails
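An added check script (not from the FortiSIEM documentation) for the three prerequisites, meant to be run on the Supervisor or Collector node that will do the polling. It assumes pubsub.googleapis.com is the endpoint the node must reach, and maps each failure to one of the causes listed above.

```shell
#!/bin/sh
# Added example, not from the FortiSIEM documentation. Run on the Supervisor
# or Collector that will poll GCP. API_HOST is an assumption (the Pub/Sub
# endpoint); set it to the API the node actually calls.
API_HOST="${API_HOST:-pubsub.googleapis.com}"

# Each check prints a result word so the results can be fed to diagnose().
check_dns() { getent hosts "$1" >/dev/null 2>&1 && echo ok || echo fail; }
check_tcp() { nc -z -w 5 "$1" 443 >/dev/null 2>&1 && echo ok || echo fail; }
check_tls() {
  # curl validates the server certificate against the node's CA store;
  # exit code 60 means the chain is untrusted (typical of SSL inspection).
  curl -sS --max-time 10 -o /dev/null "https://$1/" >/dev/null 2>&1
  case $? in 0) echo ok ;; 60) echo untrusted ;; *) echo fail ;; esac
}
# Issuer of the certificate actually presented: a corporate CA here
# confirms an inspection device sits in the path.
show_issuer() {
  printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
    | openssl x509 -noout -issuer 2>/dev/null
}
# Map check results to the common causes above. Order matters: without
# DNS nothing further can be tested, without TCP no TLS result is valid.
diagnose() {
  dns=$1; tcp=$2; tls=$3
  if [ "$dns" != ok ]; then
    echo "DNS: node cannot resolve $API_HOST; check the DNS server FortiSIEM uses"
  elif [ "$tcp" != ok ]; then
    echo "FIREWALL: TCP/443 to $API_HOST blocked between the node and Google"
  elif [ "$tls" = untrusted ]; then
    echo "SSL_INSPECTION: certificate for $API_HOST is not trusted by the node"
  elif [ "$tls" != ok ]; then
    echo "TLS: handshake to $API_HOST failed for another reason; check proxy settings"
  else
    echo "OK: $API_HOST reachable; discovery failures are not network related"
  fi
}
run_checks() {
  d=$(check_dns "$API_HOST"); t=$(check_tcp "$API_HOST"); s=$(check_tls "$API_HOST")
  [ "$s" = untrusted ] && show_issuer "$API_HOST"
  diagnose "$d" "$t" "$s"
}
```

Call `run_checks` on the node; if it reports SSL_INSPECTION, either exempt the Google API endpoint from inspection or install the inspection CA into the node's trust store.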

Summary

FortiSIEM is a single platform that monitors infrastructure, endpoint, on-prem and cloud environments. It provides a single point of logging, alerting, analytics, and reporting features for hundreds of security and compliance use cases. Operations are simplified and the organization's ability to detect, investigate, and respond to security incidents is improved.

FortiSIEM can monitor popular cloud compute platforms including Google Cloud Platform (GCP), Microsoft Azure, and Amazon Web Services (AWS). These platforms are monitored from a FortiSIEM node using the relevant API and log collection mechanism for the platform in use. For details of all the platforms for which FortiSIEM provides out-of-the-box integrations, refer to the External Systems Configuration Guide, available at https://docs.fortinet.com/product/fortisiem .