I have GCP VPC Flows in Elasticsearch, but what is the easiest way to integrate them into the SIEM? I see NetFlow integrations available for other sources but not GCP. I'm using the Google Cloud module for Filebeat currently. My cluster is self-managed.
Even if someone could steer me in a direction that would be helpful.
Thanks!
The flows from the googlecloud/vpcflow module in Filebeat will show up in the SIEM app on the Network tab. If you want to filter it down so that it only shows flow data from the module, add event.dataset:googlecloud.vpcflow to the KQL filter bar.
Ahh! That makes sense. I was confused because Filebeat shows zero in the Overview, but you are right. It is there.
Thanks, Andrew. By the way, your webinar demonstration of setting up SIEM is very helpful.
Eric