Azure-Sentinel
GCP Pub/Sub Audit Logs Data Connector does not support Workload Identity Federation Best Practices
Describe the bug
Encountered an issue where the Azure Sentinel connector expects the WIF pool, service account, and Pub/Sub topic to all be in the same project in Google Cloud Platform (GCP), because using the UI we only set up one project ID and number [1]. However, following GCP best practices for WIF [3], we are advised to centralize WIF pools to a single project and create service accounts in the project that holds the resources, in this case, the Pub/Sub topic [2].
To Reproduce
Steps to reproduce the behavior:
- Go to the GCP console and create two projects
- In Project A, create the WIF following this guide [4]
- In Project B, create the Pub/Sub topic, the SA and the subscription
- In Project B, assign roles: first the Pub/Sub Viewer and second the Workload Identity User to the pool in Project A
- Go to the Sentinel collector UI in Azure and fill in the form
P.S.:
- When I fill in the form with the Project A info, I got this error [5]
- When I fill in the form with the Project B info, I got this error [6]
Expected behavior
Adjustments to the Azure Sentinel connector to accommodate GCP best practices for WIF, allowing one project to be entered for the WIF and another for the Pub/Sub subscription.
Challenge: Changing our WIF architecture in Google is not preferable. Seeking a resolution that allows us to maintain alignment with GCP best practices without compromising the functionality of the Azure Sentinel connector.
Screenshots
[1]
Additional context
[2] https://cloud.google.com/iam/docs/best-practices-for-using-workload-identity-federation#use-service-accounts-in-same-project
[3] https://cloud.google.com/iam/docs/best-practices-for-using-workload-identity-federation#dedicated-project
[4] https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform
[5] {"code":"BadRequest","message":"Connectivity check failed: Status code:GCPB40013, Message: The Workload Identity Pool ID AZURE_SENTINEL_TENANT_ID does not exist or has been disabled/delete"}
[6] {"code":"BadRequest","message":"Connectivity check failed: Status code:GCPB40404, Message: The subscription does not exist - projects/Project-b/subscriptions/logstash."}
Please review and provide insights on how we can address this issue without compromising the established WIF architecture in Google.
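The split layout described in this issue (pool in Project A, service account and subscription in Project B) can be checked on the GCP side before any values go into the connector form. The following is an added example, not part of the original issue or of the Azure-Sentinel repository; the function name `check_layout`, the pool ID `example-pool`, the project numbers and the sample IAM policy are constructed for illustration.

```python
import json
import re

# Resource-name shapes used by GCP IAM and Pub/Sub.
POOL_MEMBER = re.compile(
    r"^principal(?:Set)?://iam\.googleapis\.com/projects/(?P<number>\d+)"
    r"/locations/global/workloadIdentityPools/(?P<pool>[^/]+)/.+$")
SA_EMAIL = re.compile(r"^[^@]+@(?P<project>.+)\.iam\.gserviceaccount\.com$")
SUBSCRIPTION = re.compile(r"^projects/(?P<project>[^/]+)/subscriptions/[^/]+$")
WIF_ROLE = "roles/iam.workloadIdentityUser"

# Constructed sample, shaped like the output of
# `gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json`.
SAMPLE_POLICY = json.loads("""
{"version": 1, "bindings": [{"role": "roles/iam.workloadIdentityUser", "members": [
 "principalSet://iam.googleapis.com/projects/111111111111/locations/global/workloadIdentityPools/example-pool/*"]}]}
""")


def check_layout(pool_project_number, pool_id, sa_email, subscription, sa_policy):
    """Hypothetical helper: report which project each resource lives in and
    whether the service account trusts the given Workload Identity pool."""
    problems = []
    sa = SA_EMAIL.match(sa_email)
    sub = SUBSCRIPTION.match(subscription)
    if not sa:
        problems.append(f"not a service account email: {sa_email}")
    if not sub:
        problems.append(f"not a subscription path: {subscription}")
    # Collect every (project number, pool) allowed to impersonate the account.
    trusted = set()
    for binding in sa_policy.get("bindings", []):
        if binding.get("role") != WIF_ROLE:
            continue
        for member in binding.get("members", []):
            m = POOL_MEMBER.match(member)
            if m:
                trusted.add((m["number"], m["pool"]))
    if (str(pool_project_number), pool_id) not in trusted:
        problems.append(
            f"{WIF_ROLE} on {sa_email} is not granted to pool {pool_id} "
            f"in project number {pool_project_number}")
    # Best practice [2]: the service account sits in the project of its resource.
    if sa and sub and sa["project"] != sub["project"]:
        problems.append("service account and subscription are in different projects")
    report = {
        "pool_project_number": str(pool_project_number),
        "service_account_project": sa["project"] if sa else None,
        "subscription_project": sub["project"] if sub else None,
        "trusted_pools": sorted(trusted),
    }
    return report, problems


if __name__ == "__main__":
    report, problems = check_layout(
        111111111111, "example-pool",
        "sentinel-sa@project-b.iam.gserviceaccount.com",
        "projects/project-b/subscriptions/logstash", SAMPLE_POLICY)
    print(json.dumps(report, indent=2))
    print(problems or "layout is consistent")
```

The pool is identified by Project A's project number while the service account and subscription carry Project B's project ID, so a form with a single project field cannot describe all three resources.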
Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.
Hi @jamiltorres, thanks for flagging this issue. We will investigate this issue and get back to you with some updates by 04Jan2024. Thanks!
Hi @jamiltorres, yesterday I was unable to replicate the issue, as I don't have access to the account and need to link a card with my personal account. I have gone through the initial analysis and need some more time to replicate the issue; I will update you by 09/01/2024.
Hi @jamiltorres, due to access limitations, our team is still working on reproducing this issue. We will get back to you by 15 Jan 2024. Thanks!
Hi @jamiltorres, I have added my card details and created an account. I am replicating the issue and will get back to you with an update.
@v-muuppugund thanks for the consistent responses! Can you clarify part of your last message? Are you still working on replicating the issue or have you been able to reproduce it in your environment? If you have issues with reproducing, we'd be happy to jump on a screen share and go through our setup.
When should we expect the next update?
Thanks!
Hi @PacketBeta, I am working on replicating the issue. I did not have account credentials, as I needed to link card details; I have done that now and am working on it. If needed, I will ask for a meeting. Thanks.
Hi @PacketBeta / @jamiltorres, I have created projects in Google Cloud, followed the configuration steps, and am working on data ingestion and on replicating the issue from my end. I will update you; if it is taking time, I will ask for a meeting so we can discuss further. I need to set this up myself so I can make code changes and test after replicating the issue.
Hi @PacketBeta / @jamiltorres, I followed the above steps and I am not getting the same error; it is a different error. Please find the screenshot below for reference. I am cross-verifying the permissions in GCP; I have already given the permissions specified in the link.
Hello @v-muuppugund,
Using the GCP manual set up option detailed in https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform?tabs=terraform , I am also encountering the same issue: "code":"BadRequest","message":"Connectivity check failed: Status code:GCPB40013, Message: The Workload Identity Pool ID AZURE_SENTINEL_TENANT_ID does not exist or has been disabled/delete"}
Could you help expedite action on the resolution or advise of an alternative approach to ingest GCP logs into Microsoft Sentinel? Thanks
Hi @PacketBeta / @jamiltorres / @TeeBaks, we have been facing some issues with the data connector loading since yesterday, so I am unable to test the updated GCP configurations. I will update you.
Hi @PacketBeta / @jamiltorres / @TeeBaks, I am still facing some issues in Content Hub with this connector. Once the connector loads from Content Hub, I will test the updated configuration and update you.
Hi @PacketBeta / @jamiltorres / @TeeBaks, earlier we had issues with Content Hub and now we are facing an issue with the ARM template. I have completed the changes for the ARM template fix and will update you once testing is done.
Hi @PacketBeta / @jamiltorres / @TeeBaks, I have fixed the template issues and am working on testing it.
@18f-rfleming FYI, will update you on this issue.
Hi @PacketBeta / @jamiltorres / @TeeBaks / @18f-rfleming, I still need some time to test the changes for this issue and am running into an issue. I will update you.
Hi @PacketBeta / @jamiltorres / @TeeBaks / @18f-rfleming, I am facing an issue while testing with the template. I am working on it and will update you.
Hello. Do you have any additional information on this issue?
From: Murali Krishna Dev Uppugunduri
Date: Wednesday, March 27, 2024 at 10:37 PM
To: Azure/Azure-Sentinel
Cc: Rich Fleming, Mention
Subject: Re: [Azure/Azure-Sentinel] GCP Pub/Sub Audit Logs Data Connector does not support Workload Identity Federation Best Practices (Issue #9687)
Hi @18f-rfleming, apologies for the delayed response; I was on leave yesterday. The issue occurs during deployment; please find the screenshot below for reference. The team reached out to the backend support team yesterday, and I will update you.
Hi @PacketBeta / @jamiltorres / @TeeBaks / @18f-rfleming, we are facing a Content Hub issue. The earlier issue was fixed by the backend team on Monday, i.e. 8/4/2024. I will update you; for now I am unable to test and proceed further on the actual issue.
Hi @PacketBeta / @jamiltorres / @TeeBaks / @18f-rfleming, we are still facing an issue in Content Hub and are working with the concerned team on this backend issue; it is not the actual issue. I will update you. Please find the screenshot below for reference.
Hi @PacketBeta / @jamiltorres / @TeeBaks / @18f-rfleming, we are still facing another issue in Content Hub and are working with the concerned team on this backend issue; it is not the actual issue. I will update you. Please find the screenshot below for reference.
Hi @PacketBeta / @jamiltorres / @TeeBaks / @18f-rfleming. We can handle this issue alternatively from the data connector side; please find the screenshots below for reference.
Could you please use the following scripts for assigning permissions to projects? We need to change the scripts below for an existing project; otherwise we can use them directly.
Step 1:
https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/GCP/Terraform/sentinel_resources_creation/GCPInitialAuthenticationSetup/GCPInitialAuthenticationSetup.tf
Step 2:
https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/GCP/Terraform/sentinel_resources_creation/GCPAuditLogsSetup/GCPAuditLogsSetup.tf
Use the project details and credentials obtained from step 1 and step 2 in the data connector.
Finally, logs are ingested in the workspace.
Please let me know if there are any issues.
Hello. Please remove @18f-rfleming from these mentions. I’m not experiencing any problems with GCP data connectors.
Thank you.
From: Murali Krishna Dev Uppugunduri
Date: Thursday, April 18, 2024 at 4:39 AM
To: Azure/Azure-Sentinel
Cc: Rich Fleming, Mention
Subject: Re: [Azure/Azure-Sentinel] GCP Pub/Sub Audit Logs Data Connector does not support Workload Identity Federation Best Practices (Issue #9687)
Sure @18f-rfleming. As discussed earlier in one of the calls regarding the issue, added.
Hi @PacketBeta / @jamiltorres / @TeeBaks, as the issue is resolved, we are closing your issue (https://github.com/Azure/Azure-Sentinel/issues/9687). If you still need support for this issue, feel free to re-open at any time. Thank you for your co-operation!