Enable Flow Logs for GCP Organization
Create and configure a sink to export the flow logs for your GCP organization.
Prisma Cloud uses the traffic data in flow logs for your GCP organization or folder resource hierarchy to detect network threats such as cryptomining, data exfiltration, and host compromises. Before Prisma Cloud can analyze your flow log data, you must create a sink to export the flow logs to a Cloud Storage bucket. To configure a sink for your entire GCP organization or folder, use the gcloud command line tool.
Enabling flow logs will incur high network egress costs. Prisma Cloud strongly recommends that you enable Flow Logs Compression on GCP to significantly reduce the network egress costs associated with sending uncompressed GCP logs to the Prisma Cloud infrastructure.
- Enable flow logs for each of your VPCs in each project of your organization that you want Prisma Cloud to monitor.
- Gather the following information from your GCP account:
- Cloud Storage bucket name
- Organization ID
- Download and install the Google Cloud SDK.During the SDK install, you must log in to your GCP account. This account must have these three permissions enabled at the organization level:
- Billing Account Administrator
- Logging Administrator
- Organization Administrator
- Run this command to create a service account needed to configure the sink for your Cloud Storage bucket but replace theBucket-namewith your Cloud Storage bucket name andOrganization IDwith your organization ID.Or you can also configure a sink using the GCP console as described in Step 3 of Enable Flow Logs for GCP Project$ gcloud logging sinks create <sink-name> storage.googleapis.com/<bucket-name> --include-children --organization=<organization-id> --log-filter="resource.type="gce_subnetwork" AND logName:"logs/compute.googleapis.com%2Fvpc_flows""
If you are onboarding a GCP folder, you must have the Folder Viewer role and can use the command$ gcloud logging sinks create <sink-name> storage.googleapis.com/<bucket-name> --include-children --folder=<folder-id> --log-filter="resource.type="gce_subnetwork" AND logName:"logs/compute.googleapis.com%2Fvpc_flows""to create a service account needed to configure the sink for your Cloud Storage bucket.Grant the service account permission to access your Cloud Storage bucket.- Select and select your Cloud Storage bucket.
- Select .
- Add the service account email address forMembers, select and selectAdd.
Add the name of Cloud Storage bucket you created above inFlow Logs Storage Bucketwhen you onboarded your GCP organization.(Optional) Enable Flow Logs Compression on GCP.Enable flow logs compression on Prisma Cloud to automate the compression of flow logs using the Google Cloud Dataflow service. When enabled, the compressed logs are stored to the same Storage bucket as your flow logs and mitigates the network egress costs associated with sending uncompressed GCP logs to the Prisma Cloud infrastructure.Navigate toInvestigate, replace the name with your GCP cloud account name, and enter the following network query:network from vpc.flow_record where source.publicnetwork IN ('Internet IPs', 'Suspicious IPs') AND bytes > 0This query allows you to list all network traffic from the Internet or from Suspicious IP addresses with over 0 bytes of data transferred to a network interface on any resource on any cloud environment.
