Help Documentation

Cloud Detection and Response

Google Cloud Platform Monitoring

Updated Sep 27, 2023

Configure Google Cloud Platform monitoring

You can enable Arctic Wolf® security monitoring for your Google Cloud Platform® (GCP) environment. After you complete this configuration, Arctic Wolf monitors the security findings and audit logs from your GCP environment through the Security Command Center (SCC) and cloud audit logs.

Requirements

Steps

Repeat this series of tasks for each Google Cloud Platform organization that you want Arctic Wolf to monitor:

  1. Configure GCP SCC
  2. (Optional) Enable Data Access audit logging
  3. Create a project
  4. Enable APIs
  5. Create a service account
  6. Create a topic
  7. Create the main and replay subscriptions
  8. Create a cloud audit log sink
  9. Provide credentials to Arctic Wolf

Step 1: Configure GCP Security Command Center

  1. Sign in to the Google Cloud Console with administrator credentials.

  2. From the Navigation menu, select Security > Security Command Center.

  3. Select the Organization that you want to configure services for.

  4. Click Settings.

  5. Expand the Advanced Settings pane and confirm that Security Health Analytics is enabled for all folders and projects that you want Arctic Wolf to monitor.

  6. (Optional) Enable other services for folders and projects that you want Arctic Wolf to monitor, depending on your subscription tier, including:

    • Security Health Analytics — Standard and premium tiers

    • Web Security Scanner — Standard and premium tiers

      Note: The Google Cloud Console only allows users with premium subscriptions to enable this service.

    • Event Threat Detection — Premium tier

    • Container Threat Detection — Premium tier

Step 2: Enable Data Access audit logging

This is an optional step.

GCP includes these default cloud audit logs:

You may choose to enable Data Access audit logging to obtain more detailed logging of GCP services at the read level. For example, if you have a GCP storage bucket with sensitive information, you may want to enable Data Access audit logging to report on read and write actions to the storage bucket. Without Data Access audit logging, you only receive reports on GCP storage bucket creation and deletion.

Note: Changing any of the default cloud audit log settings, such as enabling Data Access audit logging, may increase costs associated with storing these logs and exporting them to Arctic Wolf. See Google Cloud's operations suite pricing for more information.

  1. Sign in to the Google Cloud Console with administrator credentials.

  2. In the Select from menu, Select from menu, select the Organization that you want to configure Data Access audit logging for.

  3. From the Navigation menu, select IAM & Admin > Audit Logs.

  4. If the Info Panel is not displayed, click SHOW INFO PANEL.

  5. Enable Data Access audit logging:

    1. Select the services that you want to configure audit logs for.

      Tip: The same audit log configurations are made to all selected services. If you want specific services to have different audit log configurations, you must select each service and configure its audit logs separately.

    2. In the Info Panel, select the appropriate options to configure the type of information gathered in the audit logs for the previously selected services:

      • Admin-read — Records operations that read metadata or configuration information.
      • Admin-write — Record operations that write metadata and configuration information.

        Note: By default, this option is enabled and cannot be disabled.

      • Data-read — Records operations that read user-provided data.
      • Data-write — Records operations that write user-provided data.

    3. Select Save to save the audit log configuration.

  6. (Optional) Repeat the previous step to configure audit logging for other services.

Step 3: Create a project

  1. If you have not already done so, sign in to the Google Cloud Console using administrator credentials.

  2. In the Select from menu, Select from menu, select the organization that you want Arctic Wolf to monitor. Then, select NEW PROJECT.

  3. On the New Project page, complete these steps:

    • Project name — Enter a short, descriptive name, such as Arctic Wolf Monitoring.
    • Project ID — (Optional) To edit the Project ID, under Project name, select the Edit option. Then, replace the automatically generated value with the unique identifier that you prefer.
    • Organization — Make sure that the selected option is the organization that you want Arctic Wolf to monitor.
    • Location — (Optional) Select BROWSE to view potential locations for your project within the folder structure. Then, choose a location.

    Tip: You can select a parent organization or folder that is different from the organization that you want to monitor.

  4. Copy the Project ID somewhere safe for use later.

  5. Click CREATE to create the new project.

Step 4: Enable APIs

  1. If you have not already done so, sign in to the Google Cloud Console with administrator credentials.

  2. From the main menu, select APIs & Services > Library.

  3. Enable the SCC API in the project:

    1. In the search field, type Security Command Center API.
    2. In the search results, click Security Command Center API.
    3. Click ENABLE.

  4. Enable the Cloud Pub/Sub API in the project:

    1. In the search field, type Cloud Pub/Sub API.
    2. In the search results, click Cloud Pub/Sub API.
    3. Click ENABLE.

Step 5: Create a service account

  1. If you have not already done so, sign in to the Google Cloud Console with administrator credentials.

  2. In the Select from menu, Select from menu, verify that these items are selected:

    • The organization that you want Arctic Wolf to monitor.
    • The project that you created previously, such as Arctic Wolf Monitoring.

  3. From the main menu, select IAM & Admin > Service Accounts.

  4. Click + CREATE SERVICE ACCOUNT.

  5. In the Service account details section, complete these steps:

    • Service account name — Enter a short, descriptive name, such as arctic-wolf-service-account.

    • Service account ID — (Optional) Enter a unique ID for the service account, such as arcticwolfmonitoring.

      Tip: A unique value is automatically generated when you specify a service account name.

    • Service account description — (Optional) Enter a description for the service account, such as Used for Arctic Wolf monitoring.

  6. Click DONE.

  7. Grant roles to the new service account at the organization level in Cloud Shell:

    1. Click Activate Cloud Shell Activate Cloud Shell.

      Note: If the Cloud Shell terminal asks you to confirm or authorize an action after running a command, click AUTHORIZE. Otherwise, the command fails.

    2. In the Cloud Shell terminal, run this command:

    gcloud organizations list

    1. In the results, identify the corresponding ID for your organization, and record this value to provide to Arctic Wolf in Provide credentials to Arctic Wolf.

    2. Run this command to grant the new service account the role to view SCC findings, where <organization_id> is the organization ID identified in the previous step and <service_account_email> is the email address of the service account that you created:

      Tip: The service account email address is listed on the Service Accounts page, and is formatted as <service_account_id>@<project_id>.iam.gserviceaccount.com.

      gcloud organizations add-iam-policy-binding <organization_id> --member='serviceAccount:<service_account_email>' --role='roles/securitycenter.findingsViewer'

    3. Run this command to grant the new service account the role to view SCC assets, where <organization_id> is the organization ID identified in the previous step and <service_account_email> is the email address of the service account that you created:

      Tip: The service account email address is listed on the Service Accounts page, and is formatted as <service_account_id>@<project_id>.iam.gserviceaccount.com.

      gcloud organizations add-iam-policy-binding <organization_id> --member='serviceAccount:<service_account_email>' --role='roles/securitycenter.assetsViewer'

  8. Find the service account that you created for the Arctic Wolf monitoring service.

  9. Complete these steps:

    1. Expand the Actions menu for the service account, and click Manage keys.
    2. Select ADD KEY > Create new key.
    3. In the dialog box, click JSON for the key type.
    4. Click CREATE. The JSON file containing the service account credentials automatically downloads to your computer.

  10. Record the name and filepath of the JSON download for later.

Step 6: Create a topic

  1. If you have not already done so, sign in to the Google Cloud Console with administrator credentials.

  2. In the Select from menu, Select from menu, select the Organization that you want to monitor and the project created in Create a project, such as arcticwolfmonitoring-project.

  3. From the Navigation menu, select Pub/Sub > Topics.

  4. Click +CREATE TOPIC.

  5. In the Create a topic dialog:

    • In the Topic ID field, enter a name for the topic, for example,export-topic.
    • Clear all checkboxes.

  6. Click CREATE TOPIC.

Step 7: Create the main and replay subscriptions

Repeat these steps to create both the main subscription and replay subscriptions.

  1. If you have not already done so, sign in to the Google Cloud Console with administrator credentials.

  2. In the Select from menu, Select from menu, select the Organization that you want to monitor and the project created in Create a project, such as arcticwolfmonitoring-project.

  3. From the Navigation menu, click Subscriptions to create the main and replay subscriptions.

  4. Click +CREATE SUBSCRIPTION to create the appropriate subscription.

  5. On the Create subscription page, complete these steps:

    Note: Create the main subscription first, and then the replay subscription, with these settings. Subscription-specific settings are labeled.

    • Subscription ID — Enter a name for the subscription, based on the subscription type, and record this name to provide to Arctic Wolf in Provide credentials to Arctic Wolf.

      • Main subscriptionexport-topic-main-subscription
      • Replay subscriptionexport-topic-replay-subscription

    • Select a Cloud Pub/Sub topic — Select the topic that you just created in Create a topic, such as projects/PROJECT-ID/topics/export-topic, where PROJECT-ID is the ID of the project created in Create a project.

    • Delivery type — Select Pull.

    • Message retention duration — Select the appropriate settings, based on the subscription type:

      • Main subscription — Accept the default value of 7 days.
      • Replay subscription — Accept the default value of 7 days and select Retain acknowledged messages.

    • Expiration period — Select Never expire.

    • Acknowledgement deadline — Enter 60 seconds.

    • Subscription filter — Leave this option blank.

    • Exactly once delivery — Leave this option blank.

    • Message ordering — Leave this option blank.

    • Dead lettering — Leave this option blank.

    • Retry policy — Accept the default value of Retry immediately.

  6. Click CREATE.

  7. If the Info Panel is not displayed, click SHOW INFO PANEL.

  8. In the Permissions tab on the Info Panel, click +ADD PRINCIPAL.

  9. In the Add principals to "export-topic-main-subscription" or Add principals to "export-topic-replay-subscription" dialog:

    • New principals — Enter the service account email address created in Create a service account, similar to arcticwolfmonitoring-sa@arcticwolfmonitoring-project.iam.gserviceaccount.com.
    • Select a role — Select Pub/Sub > Pub/Sub Subscriber.

  10. Click SAVE.

Step 8: Create a cloud audit log sink

A cloud audit log sink routes cloud audit logs from the GCP organization, project, folder, or billing account to the Pub/Sub export topic, which then forwards the cloud audit log messages to Arctic Wolf.

You must create a log sink for each resource that you want Arctic Wolf to monitor. However, we do not recommend creating a log sink at the organization level due to the increased costs.

Note: There may be costs associated with storing these logs and exporting them to Arctic Wolf through the topic created in Create a topic. See Google Cloud's operations suite pricing for more information.

  1. If you have not already done so, sign in to the Google Cloud Console with administrator credentials.

  2. In the Select from menu, Select from menu, select the project created in Create a project, such as arcticwolfmonitoring-project.

  3. Click Activate Cloud Shell Activate Cloud Shell.

  4. In the Cloud Shell terminal, run this command to create the log sink for the relevant resource, where:

    • <resource_name> — The name of the organization, folder, project, or billing account.
    • <project_id> — The project that you created in Create a project, such as arcticwolfmonitoring-project.
    • <resource_type> — One of organization, project, folder, or billing-account.
    • <resource_id> — The ID of the organization, project, folder, or billing account.

    Note: If you are creating a log sink for a project, remove --include-children from the command. This option only applies to organizations, folders, and billing accounts.

    gcloud logging sinks create <resource_name>-log-sink pubsub.googleapis.com/projects/<project_id>/topics/export-topic --<resource_type>=<resource_id> --include-children --log-filter="logName:logs/cloudaudit.googleapis.com"

  5. Record the log sink service account email address displayed in the command output, similar to x#####-####@gcp-sa-logging.iam.gserviceaccount.com.

  6. From the Navigation menu, select Pub/Sub > Topics.

  7. In the list of topics, select the topic created in Create a topic, such as export-topic.

  8. If the Info Panel is not displayed, click SHOW INFO PANEL.

  9. In the Permissions tab on the Info Panel, click +ADD PRINCIPAL.

  10. In the Add principals to "export-topic" dialog, complete these steps:

    • New principals — Enter the log sink service account email address from step 5, similar to x#####-####@gcp-sa-logging.iam.gserviceaccount.com.
    • Select a role — Select Pub/Sub > Pub/Sub Publisher.

  11. Click SAVE.

Step 9: Provide credentials to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.

  2. In the menu bar, click Telemetry Management > Connected Accounts.

  3. Click Add Account +.

  4. On the Add Account page, from the Account Type list, select Cloud Detection and Response.

  5. From the list of cloud services, select Google Cloud Platform.

  6. On the Add Account page, complete these steps:

    1. Account Name — Enter a unique and descriptive name for the account.
    2. In the Project ID field, enter the project ID from Create a project.
    3. In the JSON Credential File section, click Choose File, and then upload the JSON credential file from Create a service account.
    4. In the Organization ID field, enter the organization ID from Create a service account.
    5. In the Subscription ID to read for normal operations field, enter the main subscription ID from Create the main and replay subscriptions.
    6. In the Subscription ID to read for replay operations field, enter the replay subscription ID from Create the main and replay subscriptions.
    7. Credential Expiry — (Optional) Enter the expiration date if the credentials have an expiry date.

  7. Click Test and Submit Credentials.

    After your Concierge Security® Team (CST) enables security monitoring for this account, the connected account status changes to Healthy.

See also