- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
Datadog Cloud SIEM applies detection rules to all processed logs in Datadog to detect threats, like a targeted attack, a threat intel listed IP communicating with your systems, or an insecure resource modification. The threats are surfaced as Security Signals in the Security Signals Explorer for triaging.
Use Google Cloud Dataflow and the Datadog template to forward logs from your Google Cloud services to Datadog. This guide walks you through the following steps so that you can start detecting threats with your Google Cloud audit logs:
Collecting Google Cloud logs with a Pub/Sub Push subscription is in the process of being deprecated for the following reasons:
Documentation for the Push subscription is only maintained for troubleshooting or modifying legacy setups. Use a Pull subscription with the Datadog Dataflow template to forward your Google Cloud logs to Datadog instead.
If a new Google Cloud service is added, it inherits your default audit configuration.
To ensure that Data Access audit logs are captured for new Google Cloud services, modify your default audit configuration:
export-audit-logs-to-datadog
.Create an additional topic and default subscription to handle any log messages rejected by the Datadog API. This topic is used when you set up the Dataflow job later.
Warning: Pub/subs are subject to Google Cloud quotas and limitations. If the number of logs you have is higher than those limitations, Datadog recommends you split your logs over several topics. See Monitor the Log Forwarding for information on how to set up a monitor to notify when you are close to those limits.
Datadog recommends creating a secret in Secret Manager with your valid Datadog API key value. This secret is used when you set up the Dataflow job later.
The default behavior for Dataflow pipeline workers is to use your project’s Compute Engine default service account, which grants permissions to all resources in the project. If you are forwarding logs from a production environment, create a custom worker service account with only the necessary roles and permissions, and assign this service account to your Dataflow pipeline workers.
Note: If you are not creating a custom service account for the Dataflow pipeline workers, ensure that the default Compute Engine service account has the required permissions below.
Role | Path | Description |
---|---|---|
Dataflow Admin | roles/dataflow.admin | Allow this service account to perform Dataflow administrative tasks |
Dataflow Worker | roles/dataflow.worker | Allow this service account to perform Dataflow job operations |
Pub/Sub Viewer | roles/pubsub.viewer | Allow this service account to view messages from the Pub/Sub subscription with your Google Cloud logs |
Pub/Sub Subscriber | roles/pubsub.subscriber | Allow this service account to consume messages from the Pub/Sub subscription with your Google Cloud logs |
Pub/Sub Publisher | roles/pubsub.publisher | Allow this service account to publish failed messages to a separate subscription, which allows for analysis or resending the logs |
Secret Manager Secret Accessor | roles/secretmanager.secretAccessor | Allow this service account to access the Datadog API key in Secret Manager |
Storage Object Admin | roles/storage.objectAdmin | Allow this service account to read and write to the Cloud Storage bucket specified for staging files |
Note: You can create multiple exports from Google Cloud Logging to the same Pub/Sub topic with different sinks.
https://
SECRET_MANAGER
in the Source of the API key passed field.Source of API key passed
to KMS
.Google Cloud KMS key for the API key
to your Cloud KMS key ID.Logs API Key
to the encrypted API key.Source of API key passed
set to PLAINTEXT
with Logs API Key
set to the plaintext API key.See new logging events delivered to the Cloud Pub/Sub topic in the Datadog Log Explorer.
Cloud SIEM applies out-of-the-box detection rules to all processed logs, including the Google Cloud audit logs you have just set up. When a threat is detected with a detection rule, a Security Signal is generated and can be viewed in the Security Signals Explorer.
추가 유용한 문서, 링크 및 기사: