Dashboard to show log consumption per project

keso

Hey, is there a way to know what is the current log consumption per project? This post shows per type [1] but Im not really sure how to filter more to know the log consumption per project. Thank you!

[1] https://medium.com/@thatsiemguy/creating-an-asset-dashboard-in-chronicle-siem-3d6642e7edbb

James_E

@keso What do you mean "per project"? Are you talking about GCP Project or something else?

keso

Yes, per GCP project.

James_E

Do you currently have a way to make a distinction between which log types are coming from which GCP project? Meaning, are the logs being labeled or are there already fields within each event that tells you which GCP project that event came from?

keso

Yes, there is. There are several labels in the UDM Event that contain the information of the project where it came from. To mention a few:

target.cloud.project.name

target.resource.name

principal.asset.attribute.cloud.project.name

keso

I'm close, Im able to get the UDM count per project but not the "Total Size Bytes" per GCP project.

When editing a Title in the dashboards:

In "Ingestion Metrics" it is not possible to filter by project but it has the "Total Size Bytes" Metric.

In "UDM" it is possible to use any of the variables from before (such as target.cloud.project.name) but it does not have the "Total Size Bytes" Metric. A lot of metric (such as count) but not the "Total Size Bytes GiB"

keso

Do you have any idea how to do it @James_E ? 🙏

keso

Could someone help here? 🙏