Question about ingesting from GCS buckets using feeds management UI

I have a question:
When ingesting from GCS buckets using the feeds management UI, it mentions that Chronicle doesn't need authentication for the bucket because it has an internal user. Is this user a global user or specific to that cloud account? Can I ingest an arbitrary bucket I don't own but know the address to, without authentication, as unstructured logs and be able to view some bucket contents in Chronicle?

I’m happy to give you a bucket and see!

EDIT: Obviously I will need to clear this internally

Super interesting actually. I see no reason why this won't work if the bucket owner is an existing Chronicle customer (and has allowlisted the global service account that reads buckets: 8911409095528497-0-account@partnercontent.gserviceaccount.com). This could lead to some crazy information disclosure if you can enumerate clients and buckets.

Yeah, that's what I thought. If I have the public address of a bucket I don't own, and then maybe I know that the owner is a Chronicle customer, or by coincidence they are a Chronicle customer, I should be able to add it via feeds management.

I don't have Chronicle SIEM access; I picked up the logic from the SIEM fundamentals course. But @Ion_Todd @Gal_Polak1, if you end up validating this theory, please also let me know if it's completely bananas. That would be great.

@Ion_Todd Ever got around testing that logic?

According to this, it looks like the prerequisite setup is universal to all Chronicle SIEM customers who want to set up bucket feeds, so if I know the bucket URL of any other valid customer who has this setup then it should work unless there is additional auth logic.
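Whatever the answer to the thread's question turns out to be, the defensive check a bucket owner wants is the same: which of my buckets grant read access to the shared feed service account? The script below is an added example, not code from the thread or from Chronicle. It assumes the service account string is exactly as quoted in the reply above (unverified here), that each policy is the JSON emitted by `gcloud storage buckets get-iam-policy gs://BUCKET --format=json`, and that the listed predefined roles are the ones that permit object reads; the sample policies are constructed for the example.

```python
import json
import sys

# Service account as quoted in the thread above; not verified here, treat as an assumption.
CHRONICLE_FEED_SA = "8911409095528497-0-account@partnercontent.gserviceaccount.com"

# Predefined GCS roles that allow reading object contents (assumption: this set is
# what you care about; adjust if you use custom roles).
READ_ROLES = {
    "roles/storage.objectViewer",
    "roles/storage.legacyObjectReader",
    "roles/storage.legacyBucketReader",
    "roles/storage.objectAdmin",
    "roles/storage.admin",
}

# Constructed sample output of `gcloud storage buckets get-iam-policy --format=json`
# for three hypothetical buckets. Only the fields the script reads are included.
SAMPLE_POLICIES = {
    "acme-audit-logs": {
        "bindings": [
            {"role": "roles/storage.objectViewer",
             "members": [f"serviceAccount:{CHRONICLE_FEED_SA}"]},
            {"role": "roles/storage.admin",
             "members": ["group:storage-admins@acme.example"]},
        ]
    },
    "acme-backups": {
        "bindings": [
            {"role": "roles/storage.admin",
             "members": ["serviceAccount:backup-runner@acme.example.iam.gserviceaccount.com"]},
        ]
    },
    "acme-public-web": {
        "bindings": [
            {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
            {"role": "roles/storage.legacyObjectReader",
             "members": [f"serviceAccount:{CHRONICLE_FEED_SA}"],
             "condition": {"title": "prefix-only",
                           "expression": 'resource.name.startsWith("projects/_/buckets/acme-public-web/objects/logs/")'}},
        ]
    },
}


def bindings_for_principal(policy, principal):
    """Return the IAM bindings in one bucket policy that list `principal` as a member."""
    member = f"serviceAccount:{principal}"
    return [b for b in policy.get("bindings", []) if member in b.get("members", [])]


def exposure_report(policies, principal=CHRONICLE_FEED_SA):
    """Map bucket name -> sorted list of read-capable roles granted to `principal`.

    Buckets with no such grant are omitted. A binding carrying an IAM condition is
    still reported, but marked "(conditional)" so the reviewer looks at the expression
    instead of assuming the whole bucket is readable.
    """
    report = {}
    for bucket, policy in policies.items():
        roles = []
        for binding in bindings_for_principal(policy, principal):
            if binding["role"] in READ_ROLES:
                suffix = " (conditional)" if binding.get("condition") else ""
                roles.append(binding["role"] + suffix)
        if roles:
            report[bucket] = sorted(roles)
    return report


if __name__ == "__main__":
    # With no arguments, run on the constructed sample. Otherwise each argument is
    # BUCKET=policy.json where policy.json came from the gcloud command above.
    if len(sys.argv) == 1:
        policies = SAMPLE_POLICIES
    else:
        policies = {}
        for arg in sys.argv[1:]:
            bucket, path = arg.split("=", 1)
            with open(path) as fh:
                policies[bucket] = json.load(fh)
    for bucket, roles in exposure_report(policies).items():
        print(f"{bucket}: readable by {CHRONICLE_FEED_SA} via {', '.join(roles)}")
```

On the sample, `acme-audit-logs` is flagged outright, `acme-public-web` is flagged as conditional, and `acme-backups` is not listed. If a bucket shows up here and the account really is shared across customers, the only thing standing between its contents and another tenant's feed configuration is whatever authorization the feed service applies on its side, which this script cannot see.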