Cloud Storage (GCS) Source

Onboarding GCS as a Data Transport log source in the Panther Console

Overview

Panther supports configuring Google Cloud Storage (GCS) as a Data Transport to pull log data directly from GCS buckets, write rules, and run queries on this processed data. Panther uses to be notified of new data in your bucket that is ready to be consumed.

Panther can authenticate against your source using Google Cloud or a .

Data can be sent compressed (or uncompressed). Learn more about compression specifications in .

How to set up a GCS log source in Panther

Step 1: Begin creating the GCS source in Panther

In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
In the upper-right corner, click Create New.
Click the Custom Log Formats tile.
On the Google Cloud Storage tile, click Start.
On the Basic Info page, fill in the fields:
- Name: Enter a descriptive name for the GCS log source.
- Prefixes & Schemas: Define combinations of prefixes, schemas, and exclusion filters, according the structure of your data storage in GCS.
  - To attach one or more schemas to all data in the bucket, leave the GCS Prefix field blank. This will create a wildcard (*) prefix.
Click Setup.
On the Log Format page, select the of the incoming logs:
- Auto
- Lines
- JSON
- JSON Array
Click Continue.

Step 2: Create required Google Cloud Platform (GCP) infrastructure

Before creating GCP infrastructure, you'll need to decide:

The creation method: You can use Terraform to create the infrastructure, or create it manually in the GCP console—see the sub-tabs within each top-level tab below.

Workload Identity Federation authentication is in open beta starting with Panther version 1.112, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

To create GCP infrastructure using Terraform (authenticating with a service account):

Click Terraform Template to download the Terraform template.
Fill out the fields in the panther.tfvars file with your configuration.
- Set authentication_method to "service_account".
Initialize a working directory containing Terraform configuration files and run terraform init.
Copy the corresponding Terraform Command provided and run it in your CLI.
Generate a JSON key file by copying the gcloud Command provided, replacing the value for your service account email address, and running it in your CLI.
- You can find the service account email in the output of the Terraform Command.

To create the GCP infrastructure components manually (authenticating with a service account):

In your Google Cloud console, determine which bucket Panther will pull logs from.
- You can create a topic using the gcloud CLI tool with the following command format: gcloud pubsub topics create $TOPIC_ID
- You can create a notification using the gcloud CLI tool with the following command format: gsutil notification create -t $TOPIC_NAME -e OBJECT_FINALIZE -f json gs://$BUCKET_NAME
- Note: Panther only requires the OBJECT_FINALIZE type.
This subscription should not be used by any other service or source.
- You can create a subscription using the gcloud CLI tool with the following command format: gcloud pubsub subscriptions create $SUBSCRIPTION_ID --topic $TOPIC_ID --topic-project $PROJECT_ID
```
gcloud iam service-accounts create SA-NAME \
    --description="DESCRIPTION" \
    --display-name="DISPLAY_NAME"
```
- Make sure to take note of the account email address, as Panther will use this to access the infrastructure created for this GCS integration.
Assign the required IAM roles to the account.
- The following permissions are required for the project where the Pub/Sub subscription and topic lives:
  Permissions required
  Role
  Scope
  storage.objects.get
  storage.objects.list
  roles/storage.objectViewer
  bucket-name
  pubsub.subscriptions.consume
  roles/pubsub.subscriber
  subscription-name
  pubsub.subscriptions.get
  roles/pubsub.viewer
  subscription-name
  monitoring.timeSeries.list
  roles/monitoring.viewer
  project
  - Note: You can create the permissions using the gcloud CLI tool:
    gcloud projects add-iam-policy-binding $PROJECT_ID --member="serviceAccount:$SERVICE_ACCOUNT_EMAIL" --role="roles/storage.objectViewer"
    gcloud projects add-iam-policy-binding $PROJECT_ID --member="serviceAccount:$SERVICE_ACCOUNT_EMAIL" --role="roles/pubsub.subscriber"
    gcloud projects add-iam-policy-binding $PROJECT_ID --member="serviceAccount:$SERVICE_ACCOUNT_EMAIL" --role="roles/pubsub.viewer"
    gcloud projects add-iam-policy-binding $PROJECT_ID --member="serviceAccount:$SERVICE_ACCOUNT_EMAIL" --role="roles/monitoring.viewer"
- To create a JSON key file using the gcloud CLI tool, run the following command format: gcloud iam service-accounts keys create $KEYFILE_PATH --iam-account=$SERVICE_ACCOUNT_EMAIL
- Alternatively, you can run the above command in GCP's terminal instead of locally.
  1. Click the 3 dots icon menu in the top right, then click Download.
  2. Click the folder icon for Browse.
  3. Navigate to the key file and select it, then click Download.

To create the GCP infrastructure components using Terraform (authenticating with Workload Identity Federation):

Click Terraform Template to download the Terraform template.
Fill out the fields in the panther.tfvars file with your configuration.
- Set authentication_method to "workload_identity_federation".
- Provide values for panther_workload_identity_pool_id, panther_workload_identity_pool_provider_id, and panther_aws_account_id.
Initialize a working directory containing Terraform configuration files and run terraform init.
Copy the corresponding Terraform Command provided and run it in your CLI.
Generate a credential configuration file for the pool by copying the gcloud Command provided, replacing the value for the project number, pool ID, and provider ID, and running it in your CLI.
- You can find the project number, the pool ID and the provider ID in the output of the Terraform Command.

To create the GCP infrastructure components manually (authenticating with Workload Identity Federation):

In your Google Cloud console, determine which bucket Panther will pull logs from.
- You can create a topic using the gcloud CLI tool with the following command format: gcloud pubsub topics create $TOPIC_ID
- You can create a notification using the gcloud CLI tool with the following command format: gsutil notification create -t $TOPIC_NAME -e OBJECT_FINALIZE -f json gs://$BUCKET_NAME
- Note: Panther only requires the OBJECT_FINALIZE type.
This subscription should not be used by any other service or source.
- You can create a subscription using the gcloud CLI tool with the following command format: gcloud pubsub subscriptions create $SUBSCRIPTION_ID --topic $TOPIC_ID --topic-project $PROJECT_ID
1. - Google
    AWS
    google.subject
    assertion.arn.extract('arn:aws:sts::{account_id}:')+":"+assertion.arn.extract('assumed-role/{role_and_session}').extract('/{session}')
    attribute.account
    assertion.account
Assign the required IAM roles to the account.
- The following permissions are required for the project where the Pub/Sub subscription and topic lives:
  Permissions required
  Role
  Scope
  storage.objects.get
  storage.objects.list
  roles/storage.objectViewer
  bucket-name
  pubsub.subscriptions.consume
  roles/pubsub.subscriber
  subscription-name
  pubsub.subscriptions.get
  roles/pubsub.viewer
  subscription-name
  monitoring.timeSeries.list
  roles/monitoring.viewer
  project
  - Note: You can create the permissions using the gcloud CLI tool, where the $PRINCIPAL_ID may be something like: principalSet://iam.googleapis.com/projects/<THE_ACTUAL_GOOGLE_PROJECT_NUMBER>/locations/global/workloadIdentityPools/<THE_ACTUAL_POOL_ID>/attribute.account/<THE_ACTUAL_PANTHER_AWS_ACCOUNT_ID>
    gcloud projects add-iam-policy-binding $PROJECT_ID --member="$PRINCIPAL_ID" --role="roles/storage.objectViewer"
    gcloud projects add-iam-policy-binding $PROJECT_ID --member="$PRINCIPAL_ID" --role="roles/pubsub.subscriber"
    gcloud projects add-iam-policy-binding $PROJECT_ID --member="$PRINCIPAL_ID" --role="roles/pubsub.viewer"
    gcloud projects add-iam-policy-binding $PROJECT_ID --member="$PRINCIPAL_ID" --role="roles/monitoring.viewer"
- To generate a credential configuration file using the gcloud CLI tool, use the following command format: gcloud iam workload-identity-pools create-cred-config projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_ID/providers/$PROVIDER_ID --aws --output-file=config.json

Step 3: Provide credential file and configuration values to Panther

Under Provide pulling configuration & JSON Keyfile, upload your JSON key file.
Click Setup. You will be directed to a success screen:
- If you have not done so already, click Attach or Infer Schemas to attach one or more schemas to the source.
- The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.