
Configure Google Security Command Center logs for the Splunk Add-on for Google Cloud Platform

Configure the HTTP Event Collector (HEC) to ingest Google Security Command Center logs.

  • Create an HEC token from Data inputs in your Splunk deployment and set its sourcetype to google:gcp:security:alerts. This token and the HEC URL are what the Dataflow job uses to deliver findings.

To configure Google Security Command Center logs for the Splunk Add-on for Google Cloud Platform, do the following:

  1. Create the Pub/Sub topics. Navigate to Pub/Sub in your project and create two topics:
    1. A primary topic that holds the findings to be delivered to Splunk.
    2. A secondary, dead-letter topic that stores messages Dataflow cannot stream to the HTTP Event Collector (HEC), for example because of a misconfigured HEC SSL certificate, a disabled HEC token, or a message-processing error in Dataflow.
  2. Create a subscription for each of the two topics created in the previous step. Dataflow reads from the primary subscription; the dead-letter subscription is how you inspect and replay undelivered messages.
    • Enter any name for your subscription.
    • Select the primary Pub/Sub topic created in the previous step.
    • Leave the rest of the values at their defaults or customize them to your organization's preference.
    • Repeat the same steps for your dead-letter topic.
  3. In the Google Cloud console, go to the Security Command Center Findings page.
  4. Create a continuous export of findings to the primary Pub/Sub topic, adding filters to the query if you only want a subset of findings exported. See Create a continuous export to Pub/Sub in the Export Security Command Center data documentation.
  5. Create a Dataflow pipeline in the Google Cloud console. See the Pub/Sub to Splunk template in the Google-provided templates documentation.
    • Select Pub/Sub to Splunk as the Dataflow template.
    • Select the Pub/Sub input subscription for the primary topic, created in the previous steps.
    • Provide the Splunk HEC URL.
    • Select the output dead-letter Pub/Sub topic, created in the previous steps.
    • Provide the HEC authentication token, created in the previous steps.
  6. Enter any additional settings pertinent to your organization. Keep HEC certificate validation enabled: if the HEC certificate is misconfigured, the failed deliveries land in the dead-letter topic, where you can diagnose them, rather than being sent over an unverified connection.
  7. Run the job.
  8. Check for the Security Command Center logs in your Splunk deployment under the google:gcp:security:alerts sourcetype. If nothing arrives, pull from the dead-letter subscription to see which messages failed and why.
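The same procedure as gcloud commands, as an added example that is not part of the Splunk add-on or the Google documentation. Every project, organization, topic, subscription, region, HEC URL and token value is a placeholder you must replace; the notification filter `state="ACTIVE"` and the template path under `gs://dataflow-templates-REGION/latest/Cloud_PubSub_to_Splunk` are assumptions to confirm against the template documentation linked in step 5. With `DRY_RUN=1` (the default) the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the Splunk add-on or Google documentation: the console
# procedure above as gcloud commands. Every ID, URL and token below is a placeholder
# (assumption) to be replaced. DRY_RUN=1 (default) prints commands without running them.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"                     # placeholder project
ORG_ID="${ORG_ID:-123456789012}"                           # placeholder organization ID
REGION="${REGION:-us-central1}"
PRIMARY_TOPIC="${PRIMARY_TOPIC:-scc-findings}"
DEADLETTER_TOPIC="${DEADLETTER_TOPIC:-scc-findings-deadletter}"
PRIMARY_SUB="${PRIMARY_SUB:-scc-findings-sub}"
DEADLETTER_SUB="${DEADLETTER_SUB:-scc-findings-deadletter-sub}"
HEC_URL="${HEC_URL:-https://splunk.example.com:8088}"       # placeholder HEC endpoint
HEC_TOKEN="${HEC_TOKEN:-REPLACE_WITH_HEC_TOKEN}"            # placeholder HEC token
DRY_RUN="${DRY_RUN:-1}"

# Print the command, and execute it only when DRY_RUN=0.
run() {
  printf '+ %s\n' "$*"
  if [ "$DRY_RUN" = 0 ]; then "$@"; fi
}

# Step 1: primary topic for findings, dead-letter topic for undeliverable messages.
create_topics() {
  run gcloud pubsub topics create "$PRIMARY_TOPIC" --project="$PROJECT_ID"
  run gcloud pubsub topics create "$DEADLETTER_TOPIC" --project="$PROJECT_ID"
}

# Step 2: one subscription per topic. Dataflow reads the primary subscription;
# the dead-letter subscription is how you read back failed deliveries.
create_subscriptions() {
  run gcloud pubsub subscriptions create "$PRIMARY_SUB" \
    --topic="$PRIMARY_TOPIC" --project="$PROJECT_ID"
  run gcloud pubsub subscriptions create "$DEADLETTER_SUB" \
    --topic="$DEADLETTER_TOPIC" --project="$PROJECT_ID"
}

# Steps 3-4: continuous export of findings to the primary topic.
# The filter is an assumption; drop it to export every finding.
create_scc_export() {
  run gcloud scc notifications create scc-to-splunk \
    --organization="$ORG_ID" \
    --pubsub-topic="projects/$PROJECT_ID/topics/$PRIMARY_TOPIC" \
    --filter='state="ACTIVE"'
}

# Step 5: template parameters, returned as a string so they can be inspected
# before the job is launched. Note that the HEC token is passed in plaintext here.
dataflow_parameters() {
  printf 'inputSubscription=projects/%s/subscriptions/%s,url=%s,token=%s,outputDeadletterTopic=projects/%s/topics/%s' \
    "$PROJECT_ID" "$PRIMARY_SUB" "$HEC_URL" "$HEC_TOKEN" "$PROJECT_ID" "$DEADLETTER_TOPIC"
}

# Steps 5-7: launch the Google-provided Pub/Sub to Splunk template (path is an assumption).
run_dataflow_job() {
  run gcloud dataflow jobs run scc-to-splunk \
    --gcs-location="gs://dataflow-templates-$REGION/latest/Cloud_PubSub_to_Splunk" \
    --region="$REGION" --project="$PROJECT_ID" \
    --parameters="$(dataflow_parameters)"
}

# Step 8 check: if nothing shows up under the sourcetype, read the dead-letter
# subscription to see the messages Dataflow could not deliver.
check_deadletter() {
  run gcloud pubsub subscriptions pull "$DEADLETTER_SUB" --project="$PROJECT_ID" --limit=10
}

main() {
  create_topics
  create_subscriptions
  create_scc_export
  run_dataflow_job
  check_deadletter
}

main
```

Run it once in dry-run mode to review the generated commands, then with `DRY_RUN=0` and your real values exported to apply them. The `token` parameter is stored in plaintext in the job's metadata, so anyone who can view the Dataflow job can read the HEC token; the Pub/Sub to Splunk template also accepts a Cloud KMS-encrypted token (`tokenKMSEncryptionKey`), which is the better choice outside a lab.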