Chronicle SecOps Suite - Cloud Functions
The aim of this website is to provide information, links and resources that give Customers and Partners tools and utilities for their Chronicle SecOps environment.
chronicle-silent-entities-cf: The reason why
Our security Partners and Customers have asked several times for notifications about silent servers that have stopped ingesting logs into Chronicle. This is still not possible in Chronicle today, because silent-log notification through Cloud Monitoring can only report the DATA_LABELS of the ingestion sources, not entity details such as hostnames or IP addresses.
As a Partner Engineer, I came up with the idea of building an easy way to get a list of systems that have not sent logs to Chronicle SIEM for a specified amount of time.
Here you will find a Cloud Function that checks for and generates an up-to-date list of servers that have not sent logs for a given number of seconds (the number of seconds is passed as a parameter when the function is called). The function is triggered by a plain HTTP request to its endpoint.
Oreste Dimaggio - Global Partner Engineer - Security
Installation and Usage
Before you begin
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Make sure that billing is enabled for your Google Cloud project.
Enable the Cloud Functions, Cloud Build, and Artifact Registry APIs.
Create a new service account. Send it to your Chronicle Customer Engineer/Partner Engineer (Standalone/Non-BYOP) or, if your Chronicle instance is in BYOP mode, assign the following roles to the service account:
Install the Google Cloud CLI.
To initialize the gcloud CLI, run the following command:
gcloud init
If you already have the gcloud CLI installed, update it by running the following command:
gcloud components update
Preparing the application
Allow constraints/iam.allowedPolicyMemberDomains in your organization policy
Download the sample as a zip file and extract it.
Change to the directory that contains the Cloud Functions sample code:
cd chronicle-silent-entities-cf
Check the SQL queries in index.js and leave them as they are or modify them as you prefer.
Deploying the function
Check the function source file (index.js). The SQL query points to a sample Chronicle data lake; change it to yours.
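An added example of what index.js can look like (it is not the project's own source): the entry point reads sec_late and limit_count, validates them as plain integers, and runs a parameterised BigQuery query so the HTTP values are never spliced into the SQL text. The dataset/table name and the UDM column names (principal.hostname, metadata.event_timestamp.seconds) are assumptions about your Chronicle data lake export; replace them with your own.

```javascript
// Added example, not the project's own index.js: an HTTP Cloud Function in the
// shape of chronicleSilentEntities. Table and column names are assumptions about
// the Chronicle BigQuery data lake export; adjust them to your environment.
const DATALAKE_TABLE = '`my-project.datalake.events`'; // assumed; replace with yours

const DEFAULT_SEC_LATE = 300; // 5 minutes, matching the sample request
const DEFAULT_LIMIT = 100;
const MAX_LIMIT = 1000;       // upper bound so one request cannot dump the whole table

// Read an integer from a query-string/body value. Values arrive as strings ("300"),
// so anything that is not a plain non-negative integer within [min, max] is rejected.
function parseIntParam(raw, fallback, min, max) {
  if (raw === undefined || raw === null || raw === '') return fallback;
  if (!/^\d{1,10}$/.test(String(raw))) return null;
  const n = Number(raw);
  return n >= min && n <= max ? n : null;
}

// Accept parameters from the query string (GET ?sec_late=...) or a form/JSON body
// (curl -d "sec_late=...&limit_count=..."). Returns null if either value is invalid.
function parseParams(query, body) {
  const src = {
    ...(query && typeof query === 'object' ? query : {}),
    ...(body && typeof body === 'object' ? body : {}),
  };
  const secLate = parseIntParam(src.sec_late, DEFAULT_SEC_LATE, 1, 86400 * 365);
  const limitCount = parseIntParam(src.limit_count, DEFAULT_LIMIT, 1, MAX_LIMIT);
  if (secLate === null || limitCount === null) return null;
  return { secLate, limitCount };
}

// Build a parameterised query: hosts whose newest event is older than sec_late
// seconds. Named parameters (@sec_late, @limit_count) keep the user input out of
// the SQL text, so the HTTP parameters cannot alter the statement.
function buildQuery({ secLate, limitCount }) {
  const query = `
    SELECT principal.hostname AS hostname,
           MAX(metadata.event_timestamp.seconds) AS last_seen
    FROM ${DATALAKE_TABLE}
    WHERE principal.hostname IS NOT NULL
    GROUP BY hostname
    HAVING last_seen < UNIX_SECONDS(CURRENT_TIMESTAMP()) - @sec_late
    ORDER BY last_seen ASC
    LIMIT @limit_count`;
  return { query, params: { sec_late: secLate, limit_count: limitCount } };
}

// Render rows as one hostname per line, the plain-text output shown in the README.
function formatHosts(rows) {
  return rows.map((r) => r.hostname).join('\n') + (rows.length ? '\n' : '');
}

// Default query runner; the BigQuery client is loaded only when the function
// actually executes in Google Cloud, using the function's service account.
async function runOnBigQuery({ query, params }) {
  const { BigQuery } = require('@google-cloud/bigquery');
  const [rows] = await new BigQuery().query({ query, params });
  return rows;
}

// HTTP entry point (--entry-point=chronicleSilentEntities). `runQuery` is
// injectable so the handler can be exercised without a BigQuery connection.
async function chronicleSilentEntities(req, res, runQuery = runOnBigQuery) {
  const parsed = parseParams(req.query, req.body);
  if (!parsed) {
    res.status(400).send('sec_late and limit_count must be positive integers\n');
    return;
  }
  try {
    const rows = await runQuery(buildQuery(parsed));
    res.status(200).set('Content-Type', 'text/plain').send(formatHosts(rows));
  } catch (err) {
    console.error('query failed', err); // details go to Cloud Logging, not to the caller
    res.status(500).send('query failed\n');
  }
}

module.exports = { parseParams, buildQuery, formatHosts, chronicleSilentEntities };
```

The function needs @google-cloud/bigquery in package.json, and the service account the function runs as (the serviceAccountEmail in the deploy output) needs read access to the data lake dataset. Invalid or oversized parameters get a 400 rather than being passed to BigQuery, and query errors are logged server-side while the caller only sees a generic 500.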
To deploy the function with an HTTP trigger, run the following command in the directory that contains the sample code:
gcloud functions deploy nodejs-chronicle-silent-entities-cf --gen2 --runtime=nodejs20 --region=REGION --source=. --entry-point=chronicleSilentEntities --trigger-http --allow-unauthenticated
Make sure to select the right region (--region parameter) before deploying.
Triggering the function
Once the function is deployed, take note of the uri property, or find it with the following command:
gcloud functions describe nodejs-chronicle-silent-entities-cf --gen2 --region=REGION --format="value(serviceConfig.uri)"
Visit this URI in your browser. You can pass parameters in the URL:
sec_late - Number of seconds since the last event
limit_count - Maximum number of hosts
Sample install
orestedimaggio@bypo:~/source/chronicle-notifier$ cd chronicle-silent-entities-cf/
orestedimaggio@bypo:~/source/chronicle-notifier/chronicle-silent-entities-cf$ gcloud functions deploy nodejs-chronicle-silent-entities-cf --gen2 --runtime=nodejs20 --region=europe-west8 --source=. --entry-point=chronicleSilentEntities --trigger-http --allow-unauthenticated
Preparing function...done.
X Updating function (may take a while)...
[Build] Logs are available at [https://console.cloud.google.com/cloud-build/builds;region=europe-west8/47ffa593-ad32-48b9-8433-9776d72bde5a?project=654707583637]
[Service]
. [ArtifactRegistry]
. [Healthcheck]
. [Triggercheck]
Completed with warnings:
[WARNING] *** Improve build performance by generating and committing package-lock.json.
[INFO] A new revision will be deployed serving with 100% traffic.
You can view your function in the Cloud Console here: https://console.cloud.google.com/functions/details/europe-west8/nodejs-chronicle-silent-entities-cf?project=chronicle-orestedimaggio
buildConfig:
build: projects/654707583637/locations/europe-west8/builds/47ffa593-ad32-48b9-8433-9776d72bde5a
dockerRegistry: ARTIFACT_REGISTRY
entryPoint: chronicleSilentEntities
runtime: nodejs20
source:
storageSource:
bucket: gcf-v2-sources-654707583637-europe-west8
generation: '1700206955111880'
object: nodejs-chronicle-silent-entities-cf/function-source.zip
sourceProvenance:
resolvedStorageSource:
bucket: gcf-v2-sources-654707583637-europe-west8
generation: '1700206955111880'
object: nodejs-chronicle-silent-entities-cf/function-source.zip
environment: GEN_2
labels:
deployment-tool: cli-gcloud
name: projects/chronicle-orestedimaggio/locations/europe-west8/functions/nodejs-chronicle-silent-entities-cf
serviceConfig:
allTrafficOnLatestRevision: true
availableCpu: '0.1666'
availableMemory: 256M
ingressSettings: ALLOW_ALL
maxInstanceCount: 100
maxInstanceRequestConcurrency: 1
revision: nodejs-chronicle-silent-entities-cf-00007-bom
service: projects/chronicle-orestedimaggio/locations/europe-west8/services/nodejs-chronicle-silent-entities-cf
serviceAccountEmail: chronicle-bigquery@chronicle-orestedimaggio.iam.gserviceaccount.com
timeoutSeconds: 60
uri: https://nodejs-chronicle-silent-entities-cf-onmbsqrwka-oc.a.run.app
state: ACTIVE
updateTime: '2023-11-17T07:43:42.369032120Z'
url: https://europe-west8-chronicle-orestedimaggio.cloudfunctions.net/nodejs-chronicle-silent-entities-cf
Sample HTTP Request and results
HTTP parameters:
sec_late - Number of seconds since the last log line in the platform
limit_count - Maximum number of results returned
# curl -X POST https://europe-west8-chronicle-orestedimaggio.cloudfunctions.net/nodejs-chronicle-silent-entities-cf -d "sec_late=300&limit_count=100"
Output:
<host1>
<host2>
<host3>
<host4>
<host5>
....etc....
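The list on its own is not yet a notification. As an added example (not part of the project), this POSIX shell script polls the function with the same sec_late/limit_count parameters, keeps the previous result in a state file, and prints which hosts are newly silent and which have resumed logging, so it can be run from cron or a scheduler to turn the list into alerts. FUNCTION_URL and STATE_FILE are placeholders; set FUNCTION_URL to the uri printed by gcloud functions describe.

```shell
#!/bin/sh
# Added example, not part of the project. FUNCTION_URL is a placeholder: set it to
# the uri printed by `gcloud functions describe ... --format="value(serviceConfig.uri)"`.
FUNCTION_URL="${FUNCTION_URL:-https://REGION-PROJECT.cloudfunctions.net/nodejs-chronicle-silent-entities-cf}"
STATE_FILE="${STATE_FILE:-${TMPDIR:-/tmp}/silent-hosts.txt}"

# Ask the function for hosts silent for more than $1 seconds (default 300),
# returning at most $2 hosts (default 100), one hostname per line.
# If the function is deployed without --allow-unauthenticated, add
#   -H "Authorization: Bearer $(gcloud auth print-identity-token)"
fetch_silent_hosts() {
  curl -fsS -X POST "$FUNCTION_URL" -d "sec_late=${1:-300}&limit_count=${2:-100}"
}

# Compare the previous list ($1) with the current one ($2).
# Prints "NEW SILENT: host" for hosts that appeared on the list and
# "RECOVERED: host" for hosts that dropped off it (they are sending logs again).
# Blank lines are ignored; comm needs sorted input, so both lists are sorted first.
diff_silent_hosts() {
  prev_sorted=$(mktemp) || return 1
  cur_sorted=$(mktemp) || return 1
  sed '/^$/d' "$1" | sort -u > "$prev_sorted"
  sed '/^$/d' "$2" | sort -u > "$cur_sorted"
  comm -13 "$prev_sorted" "$cur_sorted" | sed 's/^/NEW SILENT: /'
  comm -23 "$prev_sorted" "$cur_sorted" | sed 's/^/RECOVERED: /'
  rm -f "$prev_sorted" "$cur_sorted"
}

# One polling cycle: fetch, diff against the saved state, then save the new state.
# On a fetch failure the old state is kept so the next run still compares correctly.
check_silent_hosts() {
  current=$(mktemp) || return 1
  if ! fetch_silent_hosts "$@" > "$current"; then
    rm -f "$current"
    echo "fetch failed for $FUNCTION_URL" >&2
    return 1
  fi
  [ -f "$STATE_FILE" ] || : > "$STATE_FILE"
  diff_silent_hosts "$STATE_FILE" "$current"
  mv "$current" "$STATE_FILE"
}

# Run a cycle only when invoked as "script.sh run [sec_late] [limit_count]",
# so the functions can also be sourced and used individually.
if [ "${1:-}" = "run" ]; then
  check_silent_hosts "${2:-300}" "${3:-100}"
fi
```

Each run prints only the changes since the previous run, which is what a notification channel wants; the full current list is always available in STATE_FILE.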