Google Cloud Platform Monitoring

Updated Jan 31, 2024

Configure Google Cloud Platform for Arctic Wolf monitoring

You can configure GCP® to send the necessary logs to Arctic Wolf® for security monitoring.

Requirements

Steps

For each GCP organization that you want Arctic Wolf to monitor, complete these steps:

  1. Configure GCP SCC.
  2. (Optional) Enable Data Access audit logs.
  3. Create a project.
  4. Enable APIs.
  5. Create a service account.
  6. Create a topic.
  7. Create the main and replay subscriptions.
  8. Create a cloud audit log sink.
  9. Provide your Google Cloud Platform credentials to Arctic Wolf.

Step 1: Configure GCP Security Command Center

  1. Sign in to the Google Cloud Console with administrator permissions.

  2. In the navigation menu, click Security > Security Command Center.

  3. Select the organization that you want to configure services for.

  4. Click Settings.

  5. Expand the Advanced Settings pane and verify that Security Health Analytics is enabled for all folders and projects that you want Arctic Wolf to monitor.

  6. (Optional) Enable additional services for folders and projects that you want Arctic Wolf to monitor. The availability of these services depends on your subscription tier:

    • Security Health Analytics — Available to customers with standard and premium subscription tiers.

    • Web Security Scanner — Available to customers with standard and premium subscription tiers.

      Note: The Google Cloud Console® only allows users with premium subscriptions to enable this service.

    • Event Threat Detection — Available to customers with a premium subscription tier.

    • Container Threat Detection — Available to customers with a premium subscription tier.

Step 2: Enable Data Access audit logging

This step is optional.

GCP includes these default cloud audit logs:

You can enable Data Access audit logging to get more detailed logging of GCP services at the read level. For example, if you have a GCP storage bucket with sensitive information, you can enable Data Access audit logging to report on read and write actions to the storage bucket. Without Data Access audit logging, you only receive reports on GCP storage bucket creation and deletion.

Note: Changing any of the default cloud audit log settings, for example enabling Data Access audit logging, could increase costs associated with storing these logs and exporting them to Arctic Wolf. See Google Cloud's operations suite pricing for more information.

For each service that requires audit logging, complete these steps:

  1. Sign in to the Google Cloud Console with administrator permissions.

  2. In the Select from menu, select the organization that you want to configure Data Access audit logging for.

  3. In the navigation menu, click IAM & Admin > Audit Logs.

  4. If the Info Panel is not displayed, click SHOW INFO PANEL.

  5. Select the services you want to configure audit logs for.

    Tip: The same audit log configurations are made to all selected services. If you want specific services to have different audit log configurations, you must select each service and configure its audit logs separately.

  6. In the Info Panel, select the appropriate options to configure the type of information gathered in the audit logs for the previously selected services:

    • Admin-read — Records operations that read metadata or configuration information.
    • Admin-write — Records operations that write metadata and configuration information.

      Note: By default, this option is enabled and cannot be disabled.

    • Data-read — Records operations that read user-provided data.
    • Data-write — Records operations that write user-provided data.
  7. Click Save.

Step 3: Create a project

  1. Sign in to the Google Cloud Console with administrator permissions.

  2. In the Select from menu, select the organization that you want Arctic Wolf to monitor, and then click NEW PROJECT.

  3. On the New Project page, configure these settings:

    • Project name — Enter a short, descriptive name. For example, Arctic Wolf Monitoring.
    • Project ID — (Optional) To edit the Project ID, in the Project name field, select the Edit option, and then replace the automatically generated value with a unique identifier.
    • Organization — Make sure that the selected option is the organization you want Arctic Wolf to monitor.
    • Location — (Optional) Select BROWSE, and then select a location.

    Tip: You can select a parent organization or folder that is different from the organization that you want to monitor.

  4. Copy the Project ID, and then save it in a safe, encrypted location. You will provide it to Arctic Wolf later.

  5. Click CREATE.

Step 4: Enable APIs

  1. Sign in to the Google Cloud Console with administrator permissions.

  2. In the main menu, click APIs & Services > Library.

  3. Enable the SCC API in the project:

    1. In the search field, enter Security Command Center API.
    2. In the search results, click Security Command Center API.
    3. Click ENABLE.
  4. Enable the Cloud Pub/Sub API in the project:

    1. In the search field, enter Cloud Pub/Sub API.
    2. In the search results, click Cloud Pub/Sub API.
    3. Click ENABLE.

Step 5: Create a service account

  1. Sign in to the Google Cloud Console with administrator permissions.

  2. In the Select from menu, verify that these items are selected:

    • The organization that you want Arctic Wolf to monitor.
    • The project that you created previously. For example, Arctic Wolf Monitoring.
  3. In the navigation menu, click IAM & Admin > Service Accounts.

  4. Click + CREATE SERVICE ACCOUNT.

  5. In the Service account details section, configure these settings:

    • Service account name — Enter a short, descriptive name. For example, arctic-wolf-service-account.

    • Service account ID — (Optional) Enter a unique ID for the service account. For example, arcticwolfmonitoring.

      Tip: A unique value is automatically generated when you specify a service account name.

    • Service account description — (Optional) Enter a description for the service account. For example, Used for Arctic Wolf monitoring.

  6. Click CREATE AND CONTINUE.

  7. Grant roles to the new service account at the organization level:

    1. Click Activate Cloud Shell.

      Note: If the Cloud Shell terminal asks you to confirm or authorize an action after running a command, click AUTHORIZE. Otherwise, the command fails.

    2. Run this command:

      gcloud organizations list
    3. In the results, find and copy the corresponding ID for your organization, and then save it in a safe, encrypted location. You will provide it to Arctic Wolf later.

    4. Run this command to grant the new service account the role to view SCC findings:

      gcloud organizations add-iam-policy-binding <organization_id> --member='serviceAccount:<service_account_email>' --role='roles/securitycenter.findingsViewer'

      Where:

      • <organization_id> is the organization ID identified in the previous step.
      • <service_account_email> is the email address of the service account that you created.

      Tip: The service account email address is listed on the Service Accounts page, and is formatted as <service_account_id>@<project_id>.iam.gserviceaccount.com.

    5. Run this command to grant the new service account the role to view SCC assets:

      gcloud organizations add-iam-policy-binding <organization_id> --member='serviceAccount:<service_account_email>' --role='roles/securitycenter.assetsViewer'

      Where:

      • <organization_id> is the organization ID identified in the previous step.
      • <service_account_email> is the email address of the service account that you created.

      Tip: The service account email address is listed on the Service Accounts page, and is formatted as <service_account_id>@<project_id>.iam.gserviceaccount.com.

  8. On the Service Accounts page, for the service account that you created, complete these steps:

    1. Click Actions > Manage keys.

    2. In the ADD KEY list, select Create new key.

    3. In the dialog, select the JSON option.

    4. Click CREATE.

      The JSON file containing the service account credentials automatically downloads to your computer.

  9. Copy the JSON file name and path to a safe, encrypted location. You will provide it to Arctic Wolf later.

Step 6: Create a topic

  1. Sign in to the Google Cloud Console with administrator permissions.

  2. In the Select from menu, select the organization that you want to monitor and the project created in Create a project. For example, arcticwolfmonitoring-project.

  3. In the navigation menu, click Pub/Sub > Topics.

  4. Click +CREATE TOPIC.

  5. In the Create a topic dialog:

    • In the Topic ID field, enter a name for the topic. For example, export-topic.
    • Clear all checkboxes.
  6. Click CREATE TOPIC.

Step 7: Create the main and replay subscriptions

For the main subscription and the replay subscriptions, complete these steps:

  1. Sign in to the Google Cloud Console with administrator permissions.

  2. In the Select from menu, select the organization that you want to monitor and the project created in Create a project. For example, arcticwolfmonitoring-project.

  3. In the navigation menu, click Subscriptions to create the main and replay subscriptions.

  4. Click +CREATE SUBSCRIPTION to create the appropriate subscription.

  5. On the Create subscription page, configure these settings:

    Note: Create the main subscription first, and then the replay subscription, with these settings. Subscription-specific settings are labeled.

    • Subscription ID — Enter a name for the subscription, based on the subscription type. Store this name in a secure location to provide to Arctic Wolf in Provide credentials to Arctic Wolf.

      • Main subscription — export-topic-main-subscription
      • Replay subscription — export-topic-replay-subscription
    • Select a Cloud Pub/Sub topic — Select the topic that you created in Create a topic. For example, projects/<project_id>/topics/export-topic, where <project_id> is the ID of the project created in Create a project.

    • Delivery type — Click Pull.

    • Message retention duration — Configure the appropriate settings based on the subscription type:

      • Main subscription — Accept the default value of 7 days.
      • Replay subscription — Accept the default value of 7 days, and then select Retain acknowledged messages.
    • Expiration period — Select Never expire.

    • Acknowledgement deadline — Enter 60 seconds.

    • Subscription filter — Keep this empty.

    • Exactly once delivery — Keep this empty.

    • Message ordering — Keep this empty.

    • Dead lettering — Keep this empty.

    • Retry policy — Accept the default value of Retry immediately.

  6. Click CREATE.

  7. If the Info Panel is not displayed, click SHOW INFO PANEL.

  8. On the Permissions tab on the Info Panel, click +ADD PRINCIPAL.

  9. In the Add principals to "export-topic-main-subscription" or Add principals to "export-topic-replay-subscription" dialog, configure these settings:

  10. Click SAVE.

Step 8: Create a cloud audit log sink

A cloud audit log sink routes cloud audit logs from the GCP organization, project, folder, or billing account to the Pub/Sub export topic, which then forwards the cloud audit log messages to Arctic Wolf.

Note: You must create a log sink for each resource that you want Arctic Wolf to monitor. However, Arctic Wolf does not recommend creating a log sink at the organization level because of the increased costs. There could be costs associated with storing these logs and exporting them to Arctic Wolf through the topic created in Create a topic. See Google Cloud's operations suite pricing for more information.

  1. Sign in to the Google Cloud Console with administrator permissions.

  2. In the Select from menu, select the project created in Create a project. For example, arcticwolfmonitoring-project.

  3. Click Activate Cloud Shell.

  4. In the Cloud Shell terminal, run this command to create the log sink for the relevant resource:

    gcloud logging sinks create <resource_name>-log-sink pubsub.googleapis.com/projects/<project_id>/topics/export-topic --<resource_type>=<resource_id> --include-children --log-filter="logName:logs/cloudaudit.googleapis.com"

    Where:

    • <resource_name> is the name of the organization, folder, project, or billing account.
    • <project_id> is the project that you created in Create a project. For example, arcticwolfmonitoring-project.
    • <resource_type> is one of organization, project, folder, or billing-account.
    • <resource_id> is the ID of the organization, project, folder, or billing account.

    Note: If you are creating a log sink for a project, remove --include-children from the command. This option only applies to organizations, folders, and billing accounts.

  5. Record the log sink service account email address displayed in the command output, similar to x#####-####@gcp-sa-logging.iam.gserviceaccount.com.

  6. In the navigation menu, select Pub/Sub > Topics.

  7. In the list of topics, select the topic created in Create a topic. For example, export-topic.

  8. If the Info Panel is not displayed, click SHOW INFO PANEL.

  9. On the Permissions tab on the Info Panel, click +ADD PRINCIPAL.

  10. In the Add principals to "export-topic" dialog, configure these settings:

    • New principals — Enter the log sink service account email address that you recorded in step 5, similar to x#####-####@gcp-sa-logging.iam.gserviceaccount.com.
    • Select a role — Click Pub/Sub > Pub/Sub Publisher.
  11. Click SAVE.
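The gcloud commands from Steps 5 through 8 collected into one POSIX shell script, as an added example that is not Arctic Wolf's or Google's code. It prints each command instead of running it unless APPLY=1 is set, so the generated commands can be reviewed first; every ID in it is a constructed placeholder. The subscription flags (--ack-deadline, --message-retention-duration, --expiration-period, --retain-acked-messages) are assumed to be the gcloud equivalents of the console settings in Step 7, and the sink function applies the Note in Step 8 by omitting --include-children for project sinks only. The sink writer identity passed to the last function must be copied from the output of the sink create command, as in step 5 of Step 8.

```shell
#!/bin/sh
# Added example, not Arctic Wolf's or Google's code: emits the gcloud commands
# from Steps 5 to 8 for one organization/project so that the IDs are entered
# once and the --include-children rule from Step 8 is applied automatically.
# Commands are only printed unless APPLY=1 is set in the environment.
# Every ID below is a constructed placeholder; substitute your own values.
set -eu

TOPIC="export-topic"                                   # Step 6 topic ID
LOG_FILTER='logName:logs/cloudaudit.googleapis.com'    # Step 8 sink filter

# run: print a command, and execute it only when APPLY=1.
run() {
  printf '%s\n' "$*"
  [ "${APPLY:-0}" = "1" ] && "$@"
  return 0
}

# Step 5.7: organization-level, read-only SCC roles for the monitoring
# service account. No write role and no project-wide role is granted.
grant_scc_roles() {  # $1 = organization ID, $2 = service account email
  for role in roles/securitycenter.findingsViewer roles/securitycenter.assetsViewer; do
    run gcloud organizations add-iam-policy-binding "$1" \
      --member="serviceAccount:$2" --role="$role"
  done
}

# Step 6: the export topic, created without a default subscription.
create_topic() {  # $1 = project ID
  run gcloud pubsub topics create "$TOPIC" --project="$1"
}

# Step 7: pull subscriptions with the settings listed on the page
# (pull is the default when no --push-endpoint is given). Flag names are
# assumed gcloud equivalents of the console settings.
create_subscriptions() {  # $1 = project ID
  run gcloud pubsub subscriptions create "$TOPIC-main-subscription" \
    --project="$1" --topic="$TOPIC" --ack-deadline=60 \
    --message-retention-duration=7d --expiration-period=never
  run gcloud pubsub subscriptions create "$TOPIC-replay-subscription" \
    --project="$1" --topic="$TOPIC" --ack-deadline=60 \
    --message-retention-duration=7d --expiration-period=never \
    --retain-acked-messages
}

# Step 8.4: scope flags for the sink's parent resource. A project sink must
# not carry --include-children; the container resource types must.
sink_scope_flags() {  # $1 = resource type, $2 = resource ID
  case "$1" in
    project) printf '%s' "--project=$2" ;;
    organization|folder|billing-account)
      printf '%s' "--$1=$2 --include-children" ;;
    *) echo "unsupported resource type: $1" >&2; return 1 ;;
  esac
}

create_sink() {  # $1 = resource name, $2 = type, $3 = resource ID, $4 = project ID
  flags=$(sink_scope_flags "$2" "$3") || return 1
  # $flags is unquoted on purpose so that its two flags become two arguments.
  run gcloud logging sinks create "$1-log-sink" \
    "pubsub.googleapis.com/projects/$4/topics/$TOPIC" \
    $flags --log-filter="$LOG_FILTER"
}

# Step 8.5 to 8.11: the sink's writer identity (printed by the create command,
# already prefixed "serviceAccount:") gets only Publisher on the topic.
grant_sink_publisher() {  # $1 = project ID, $2 = writer identity
  run gcloud pubsub topics add-iam-policy-binding "$TOPIC" --project="$1" \
    --member="$2" --role=roles/pubsub.publisher
}

# Dry-run demonstration with placeholder values (prints the commands only).
ORG_ID="123456789012"
PROJECT_ID="arcticwolfmonitoring-project"
SA_EMAIL="arcticwolfmonitoring@$PROJECT_ID.iam.gserviceaccount.com"
grant_scc_roles "$ORG_ID" "$SA_EMAIL"
create_topic "$PROJECT_ID"
create_subscriptions "$PROJECT_ID"
create_sink "$PROJECT_ID" project "$PROJECT_ID" "$PROJECT_ID"
create_sink "prod-folder" folder "987654321098" "$PROJECT_ID"
grant_sink_publisher "$PROJECT_ID" \
  "serviceAccount:WRITER-IDENTITY-PLACEHOLDER@gcp-sa-logging.iam.gserviceaccount.com"
```

Running the script without APPLY prints the full command list for review; after checking the IDs and that only the two SCC viewer roles and the Publisher role appear, rerun it with APPLY=1 in Cloud Shell. The functions can also be called one at a time, which is useful when only an additional folder or project sink is being added later.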

Step 9: Provide your Google Cloud Platform credentials to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.

  2. Click Telemetry Management > Connected Accounts.

  3. Click Add Account +.

  4. On the Add Account page, in the Account Type list, select Cloud Detection and Response.

  5. In the Cloud Services list, select Google Cloud Platform.

  6. On the Add Account page, configure these settings:

  7. Click Test and submit credentials.

    After your Concierge Security® Team (CST) enables security monitoring for this account, the connected account status changes to Healthy.

See also