How to dynamically correlate Google Cloud Compute Engine instance network traffic using Chronicle

  • nginx-production-2j3l (10.10.10.1)
  • nginx-production-6kj1 (10.10.10.2)
  • nginx-production-93k3 (10.10.10.3)
  • nginx-production-9gka (10.10.10.4)
  • nginx-production-1j48 (10.10.10.5)
  • nginx-production-84j3 (10.10.10.6)
  • 2020-05-29T14:00:00Z,RENEW,192.168.1.1,nginx-production-9gka,AABBCC123456
  • 2020-05-29T15:00:00Z,RENEW,192.168.1.1,nginx-production-1j48,AABBCC234567
  • 2020-05-29T16:00:00Z,RENEW,192.168.1.1,nginx-production-84j3,AABBCC345678
  • Jump1, us-central1-a, n1-standard-2, 10.128.0.27, RUNNING
  1. Run gcloud to get a list of all current hostnames and IP addresses
  2. For every IP, check whether we have seen that IP before:
  • If yes, update the stored hostname if it has changed and keep the same MAC address
  • If not, add the IP and hostname as a new host with a randomly generated MAC address
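The procedure above as an added Python example (not the post's own script): it parses a constructed gcloud listing in the comma-separated layout shown on the page, keeps an IP-to-hostname/MAC table that survives between runs, and emits RENEW lines in the same field order as the sample lines. The listing layout, the use of the third field for a fixed DHCP-server address, and the in-memory state (which a real job would persist to disk) are assumptions.

```python
import random
from datetime import datetime, timezone

# Constructed sample of `gcloud compute instances list` output, in the
# comma-separated layout shown on the page (name, zone, machine type,
# internal IP, status); a real run would capture this from gcloud.
GCLOUD_OUTPUT = """\
nginx-production-9gka, us-central1-a, n1-standard-2, 10.10.10.4, RUNNING
nginx-production-1j48, us-central1-a, n1-standard-2, 10.10.10.5, RUNNING
nginx-production-84j3, us-central1-a, n1-standard-2, 10.10.10.6, RUNNING
"""

def parse_instances(text):
    """Return a list of (hostname, internal_ip) from the listing."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _zone, _type, ip, _status = [f.strip() for f in line.split(",")]
        rows.append((name, ip))
    return rows

def random_mac(rng):
    """Synthetic MAC as 12 hex digits; locally-administered bit set and
    multicast bit cleared so it can never collide with a real vendor OUI."""
    octets = [rng.randrange(256) for _ in range(6)]
    octets[0] = (octets[0] | 0x02) & 0xFE
    return "".join(f"{o:02X}" for o in octets)

def correlate(instances, state, ts, dhcp_server="192.168.1.1", rng=None):
    """Update the ip -> {hostname, mac} table and emit one RENEW line per host.

    A known IP keeps its MAC (so Chronicle keeps treating it as the same
    asset) and takes the current hostname; an unseen IP gets a fresh MAC.
    """
    rng = rng or random.Random()
    lines = []
    for hostname, ip in instances:
        if ip in state:
            state[ip]["hostname"] = hostname
        else:
            state[ip] = {"hostname": hostname, "mac": random_mac(rng)}
        lines.append(f"{ts},RENEW,{dhcp_server},{hostname},{state[ip]['mac']}")
    return lines

if __name__ == "__main__":
    state = {}  # assumption: loaded from and saved to disk between runs
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    for line in correlate(parse_instances(GCLOUD_OUTPUT), state, ts):
        print(line)
```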
Example of auto-correlated logs in Chronicle
Second example of auto-correlated logs in Chronicle
