Naver Cloud Platform (NCP) Integration
Overview
This integration collects cloud activity logs, VPC flow logs, ACG (firewall) events, and database audit logs from Naver Cloud Platform. NCP holds 25-30% of the Korean cloud market and has G-Cloud certification.
Authentication: HMAC-SHA256 signature
API Gateway: https://ncloud.apigw.ntruss.com/
Prerequisites
- A KYRA MDR Collector installed and running (Installation Guide)
- NCP console access with API key permissions
- Access Key and Secret Key from NCP portal
Configuration
Option 1: Cloud Activity Tracer API
Cloud Activity Tracer records all API calls made to your NCP account.
- Log in to the NCP Console
- Navigate to Management > Cloud Activity Tracer
- Enable activity logging
- Provide your NCP Access Key and Secret Key to KYRA MDR during integration setup
API Request Example
```bash
# NCP API requires an HMAC-SHA256 signature for authentication
# Set your credentials
ACCESS_KEY="your-access-key"
SECRET_KEY="your-secret-key"
TIMESTAMP=$(($(date +%s) * 1000))
METHOD="GET"
URI="/cloudactivitytracer/v2/activities"

# Generate the HMAC-SHA256 signature.
# The signed string is "METHOD URL\nTIMESTAMP\nACCESS_KEY", where URL is the
# path plus query string exactly as sent, so each request is signed separately.
sign() {
  printf '%s %s\n%s\n%s' "$METHOD" "$1" "$TIMESTAMP" "$ACCESS_KEY" |
    openssl dgst -sha256 -hmac "$SECRET_KEY" -binary | base64
}

# Query recent cloud activities (date -d requires GNU date)
URL="${URI}?startTime=$(date -d '1 hour ago' +%s)000&endTime=${TIMESTAMP}"
curl -s -X GET "https://ncloud.apigw.ntruss.com${URL}" \
  -H "x-ncp-apigw-timestamp: ${TIMESTAMP}" \
  -H "x-ncp-iam-access-key: ${ACCESS_KEY}" \
  -H "x-ncp-apigw-signature-v2: $(sign "$URL")" \
  -H "Content-Type: application/json" | jq .

# Example: Query VPC subnet activities
URL="${URI}?startTime=1700000000000&endTime=1700086400000&actionName=createSubnet"
curl -s -X GET "https://ncloud.apigw.ntruss.com${URL}" \
  -H "x-ncp-apigw-timestamp: ${TIMESTAMP}" \
  -H "x-ncp-iam-access-key: ${ACCESS_KEY}" \
  -H "x-ncp-apigw-signature-v2: $(sign "$URL")" |
  jq '.activities[] | {actionName, sourceIp, userName, eventTime}'
```
Option 2: Cloud Log Analytics (CLA)
CLA aggregates VPC flow logs, server logs, load balancer logs, and Cloud DB logs.
- Enable CLA in the NCP console
- Configure log collection targets (VPC Flow, Server, LB, Cloud DB)
- Set up external forwarding to the KYRA Collector
CLA Forwarding Configuration
```
# rsyslog config on CLA forwarding target
# Receive CLA forwarded logs
module(load="imtcp")
input(type="imtcp" port="514")

# Tag and forward to KYRA Collector
if $fromhost-ip == '<NCP_CLA_SOURCE_IP>' then {
    action(type="omfwd"
           target="<KYRA_COLLECTOR_IP>"
           port="514"
           protocol="tcp"
           template="RSYSLOG_SyslogProtocol23Format")
}
```
Option 3: VM Syslog
For individual Linux/Windows VMs, use standard syslog agents to forward logs directly to the KYRA Collector. See the Linux Syslog or Windows integration guides.
Collected Log Types
| Log Type | Security Use | Priority |
|---|---|---|
| Cloud Activity Tracer | API audit trail, unauthorized actions | Critical |
| VPC Flow Logs | Network traffic monitoring | High |
| ACG (firewall) logs | Security group rule violations | High |
| Load Balancer access | Application access patterns | Medium |
| Cloud DB audit | Database access auditing (ISMS-P) | Critical |
| SSL VPN logs | Remote access monitoring | High |
| Object Storage access | Data access tracking | Medium |
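To make the "API audit trail, unauthorized actions" use of Cloud Activity Tracer concrete, the following added example (not KYRA MDR or NCP code) triages records carrying the four fields selected by the jq filter in Option 1. The sample records, the `exampleListAction` name, the expected network range, the watched-action set, and the treatment of `eventTime` as epoch milliseconds are all assumptions made for illustration.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed records using the fields the Option 1 jq filter selects.
# Assumption: eventTime is epoch milliseconds, like startTime/endTime.
SAMPLE_ACTIVITIES = [
    {"actionName": "exampleListAction", "sourceIp": "203.0.113.10",
     "userName": "ops-admin", "eventTime": 1700000100000},
    {"actionName": "createSubnet", "sourceIp": "203.0.113.10",
     "userName": "ops-admin", "eventTime": 1700000200000},
    {"actionName": "createSubnet", "sourceIp": "198.51.100.7",
     "userName": "ops-admin", "eventTime": 1700000300000},
    {"actionName": "exampleListAction", "sourceIp": "not-an-ip",
     "userName": "ci-deployer", "eventTime": 1700000400000},
]

# Assumptions: your admin egress ranges and the actions you want reviewed.
EXPECTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
WATCHED_ACTIONS = {"createSubnet"}


def triage(activities, expected_nets=EXPECTED_NETS, watched=WATCHED_ACTIONS):
    """Return one finding per activity that needs analyst review."""
    findings, seen = [], {}  # seen: userName -> source IPs observed so far
    for act in sorted(activities, key=lambda a: a["eventTime"]):
        user, src = act.get("userName"), act.get("sourceIp", "")
        reasons = []
        try:
            ip = ipaddress.ip_address(src)
            if not any(ip in net for net in expected_nets):
                reasons.append("source outside expected networks")
        except ValueError:
            reasons.append("unparseable sourceIp")
        known = seen.setdefault(user, set())
        if known and src not in known:
            reasons.append("new source for this user")
        known.add(src)
        # A watched action only escalates an activity that is already suspicious.
        if reasons and act.get("actionName") in watched:
            reasons.append("watched action")
        if reasons:
            when = datetime.fromtimestamp(act["eventTime"] / 1000, tz=timezone.utc)
            findings.append({"time": when.isoformat(), "user": user,
                             "source": src, "action": act.get("actionName"),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_ACTIVITIES):
        print(finding)
```

Feed it the `activities` array from the API response in place of `SAMPLE_ACTIVITIES`, and replace the network and action sets with your own.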
Troubleshooting
API Authentication Errors
- Verify the Access Key and Secret Key are correct
- Ensure the API key has the required permissions for Cloud Activity Tracer
- Check that the system clock is synchronized (HMAC signatures are time-sensitive)
Missing Flow Logs
- Ensure VPC Flow Logs are enabled for the target VPC
- Verify CLA is configured to collect the desired log sources
For additional help, contact kyra@seekerslab.com.