Overview
Before you begin
Configure Google Cloud Platform Monitoring
Configure GCP SCC
Enable Data Access audit logging
Create a project
Create a service account
Create a topic
Create the main and replay subscriptions
Create a cloud audit log sink
Provide credentials to Arctic Wolf

Overview Direct link to this section

This document describes how to configure your Google Cloud Platform (GCP) environment for Arctic Wolf® to monitor. After you complete this configuration, Arctic Wolf monitors the security findings and audit logs from your GCP environment through the Security Command Center (SCC) and cloud audit logs.

As part of this configuration, you must provide the following information for your GCP environment to Arctic Wolf using the Arctic Wolf Portal:

Organization ID
Project ID
.json credential file
Main subscription ID
Replay subscription ID

Note: If you have multiple GCP organizations that you want Arctic Wolf to monitor, you must perform all procedures for each GCP organization.

Before you begin Direct link to this section

To configure your GCP environment for monitoring, you must have:

A user account granted the Organization Administrator and Security Center Admin roles for the organization that you want to monitor.
A user account granted the Owner, Logging Admin, or Logging Writer role on the relevant organization, project, folder, or billing account that you want to monitor, to create an associated log sink.

Configure Google Cloud Platform Monitoring Direct link to this section

Complete these procedures in order for each Google Cloud Platform tenant that you want Arctic Wolf to monitor:

Configure GCP SCC
(Optional) Enable Data Access audit logging
Create a project
Create a service account
Create a topic
Create the main and replay subscriptions
Create a cloud audit log sink
Provide credentials to Arctic Wolf

Configure GCP SCC Direct link to this section

To configure GCP SCC:

Sign in to the Google Cloud Console with administrator credentials.
From the Navigation menu, select Security > Security Command Center.
Select the Organization you want to configure the services for.
Select Settings.
Expand the Advanced Settings pane and confirm that Security Health Analytics is enabled for all folders and/or projects that you want Arctic Wolf to monitor.
(Optional) Enable other services for folders and projects that you want Arctic Wolf to monitor, depending on your subscription tier, including:
- Security Health Analytics — Standard and premium tiers
- Web Security Scanner — Standard and premium tiers
  
  Note: The Google documentation lists this service as available for standard and premium tiers, but the Google Cloud Console only allows users with premium subscriptions to enable this service. Currently, you must have a premium subscription to enable this service.
- Event Threat Detection — Premium tier
- Container Threat Detection — Premium tier
If you want to enable Data Access audit logging, proceed to Enable Data Access audit logging, otherwise proceed to Create a project.

Enable Data Access audit logging Direct link to this section

GCP includes these default cloud audit logs:

Admin Activity audit logs
System Event audit logs
Policy Denied audit logs

You may choose to enable Data Access audit logging to obtain more detailed logging of GCP services at the read level. For example, if you have a GCP storage bucket with sensitive information, you may want to enable Data Access audit logging to report on read and write actions to the storage bucket. Without Data Access audit logging, you only receive reports on GCP storage bucket creation and deletion.

Note: This is an optional configuration.

To enable Data Access audit logging:

Note: Changing any of the default cloud audit log settings, such as enabling Data Access audit logging, may increase costs associated with storing these logs and exporting them to Arctic Wolf. See Google Cloud's operations suite pricing in the Google Cloud documentation for more information about pricing.

Sign in to the Google Cloud Console with administrator credentials.
In the Select from menu, , select the Organization that you want to configure Data Access audit logging for.
From the Navigation menu, select IAM & Admin > Audit Logs.
If the Info Panel is not displayed, select SHOW INFO PANEL.
Enable Data Access audit logging:
1. Select the services that you want to configure audit logs for.
  
  Tip: The same audit log configurations are made to all selected services. If you want specific services to have different audit log configurations, you must select each service and configure its audit logs separately.
2. In the Info Panel, select the appropriate options to configure the type of information gathered in the audit logs for the previously selected services:
  - Admin-read — Records operations that read metadata or configuration information.
  - Admin-write — Record operations that write metadata and configuration information.
    
    Note: By default, this option is enabled and cannot be disabled.
  - Data-read — Records operations that read user-provided data.
  - Data-write — Records operations that write user-provided data.
3. Select Save to save the audit log configuration.
(Optional) Repeat the previous step to configure audit logging for other services.
Proceed to Create a project.

Create a project Direct link to this section

To create a project to contain all of the resources that Arctic Wolf requires to monitor your GCP environment:

Sign in to the Google Cloud Console using administrator credentials.
In the Select from menu, , select the organization that you want Arctic Wolf to monitor. Then, select NEW PROJECT.
On the New Project page, enter apppropriate values for the following:
- Project name — Enter a short, descriptive name, such as Arctic Wolf Monitoring.
- Project ID — To view the Project ID, select the Edit option under Project name. Then, modify the auto-generated value as desired.
  
  Note: Record the project ID for later, when you complete the instructions in Provide credentials to Arctic Wolf.
- Organization — Verify that the selected option is the organization that you want Arctic Wolf to monitor.
- Location — (Optional) Select BROWSE to view potential locations for your project within the folder structure. Then, choose a location.
Tip: You can select a parent organization or folder that is different from the organization that you want to monitor.
Select CREATE to create the new project.
From the main menu, select APIs & Services > Library.
Enable the SCC API in the project:
1. Type Security Command Center API in the API search box.
2. Select the Security Command Center API entry in the search results.
3. Select ENABLE to enable this API in the project.
Enable the Cloud Pub/Sub API in the project:
1. Type Cloud Pub/Sub API in the API search box.
2. Select the Cloud Pub/Sub API entry in the search results.
3. Select ENABLE to enable this API in the project.
Proceed to Create a service account.

Create a service account Direct link to this section

To create a service account for Arctic Wolf to use when monitoring your GCP environment:

Sign in to the Google Cloud Console with administrator credentials.
In the Select from menu, , verify that the following are selected:
- The organization that you want Arctic Wolf to monitor.
- The project that you created in Create a project, such as Arctic Wolf Monitoring.
From the main menu, select IAM & Admin > Service Accounts.
Select + CREATE SERVICE ACCOUNT.
In the Service account details section, enter apppropriate values for the following:
- Service account name — Enter a short, descriptive name, such as arctic-wolf-service-account.
- Service account ID — (Optional) Enter a unique ID for the service account, such as arcticwolfmonitoring.
  
  Tip: A unique value is automatically generated when you specify a service account name.
- Service account description — (Optional) Enter a description for the service account, such as Used for Arctic Wolf monitoring.
Select CREATE AND CONTINUE.
In the Grant this service account access to project (optional) section:
1. Leave the Select a role box blank.
2. Select CONTINUE.
In the Grant users access to this service account (optional) section:
1. Leave all fields blank.
2. Select DONE.
Grant roles to the new service account at the organization level in Cloud Shell:
1. Select Activate Cloud Shell, .
  
  Note: If the Cloud Shell terminal asks you to confirm or authorize an action after running a command, select Yes. Otherwise, the command fails.
2. In the Cloud Shell terminal, run gcloud organizations list and identify the corresponding ID for your organization. Record this value to provide to Arctic Wolf in Provide credentials to Arctic Wolf.
3. Run the following command to grant the new service account the role to view SCC findings, where ORGANIZATION-ID is the organization ID identified in the previous step and SERVICE-ACCOUNT-EMAIL is the email address of the service account that you created.
  
  Tip: The service account email address is listed on the Service Accounts page, and is formatted as SERVICE-ACCOUNT-ID@PROJECT-ID.iam.gserviceaccount.com.
```
gcloud organizations add-iam-policy-binding <ORGANIZATION-ID> --member='serviceAccount:<SERVICE-ACCOUNT-EMAIL>' --role='roles/securitycenter.findingsViewer'
```
4. Run the following command to grant the new service account the role to view SCC assets, where ORGANIZATION-ID is the organization ID identified in the previous step and SERVICE-ACCOUNT-EMAIL is the email address of the service account that you created.
  
  Tip: The service account email address is listed on the Service Accounts page, and is formatted as SERVICE-ACCOUNT-ID@PROJECT-ID.iam.gserviceaccount.com.
```
gcloud organizations add-iam-policy-binding <ORGANIZATION-ID> --member='serviceAccount:<SERVICE-ACCOUNT-EMAIL>' --role='roles/securitycenter.assetsViewer'
```
Find the service account that you created for the Arctic Wolf monitoring service. Then:
1. Expand the Actions menu for the service account, and select Manage keys.
2. Select ADD KEY > Create new key.
3. In the dialog box, select JSON for the key type.
4. Select CREATE. The .json file containing the service account credentials automatically downloads to your computer.
Record the name and filepath of the .json download for later, when you complete the instructions in Provide credentials to Arctic Wolf.
Proceed to Create a topic.

Create a topic Direct link to this section

To create a topic that messages are pushed to:

Sign in to the Google Cloud Console with administrator credentials.
In the Select from menu, , select the Organization that you want to monitor and the project created in Create a project, such as arcticwolfmonitoring-project.
From the Navigation menu, select Pub/Sub > Topics.
Select +CREATE TOPIC.
In the Create a topic dialog box:
- Topic ID — Enter a name for the topic, such as export-topic.
- Clear all checkboxes.
Select CREATE TOPIC.
Proceed to Create the main and replay subscriptions.

Create the main and replay subscriptions Direct link to this section

For the Arctic Wolf service account to receive messages from the topic created in Create a topic, you must create two subscriptions, the main subscription and replay subscriptions:

Sign in to the Google Cloud Console with administrator credentials.
In the Select from menu, , select the Organization that you want to monitor and the project created in Create a project, such as arcticwolfmonitoring-project.
From the Navigation menu, select Subscriptions to create the main and replay subscriptions.
Select +CREATE SUBSCRIPTION to create the appropriate subscription.
In the Create subscription page:

Note: Create the main subscription first, and then the replay subscription, with the settings outlined below. Subscription-specific settings are clearly labeled.
- Subscription ID — Enter a name for the subscription, based on the subscription type, and record this name to provide to Arctic Wolf in Provide credentials to Arctic Wolf.
  - Main subscription — export-topic-main-subscription
  - Replay subscription — export-topic-replay-subscription
- Select a Cloud Pub/Sub topic — Select the topic that you just created in Create a topic, such as projects/PROJECT-ID/topics/export-topic, where PROJECT-ID is the ID of the project created in Create a project.
- Delivery type — Select Pull.
- Message retention duration — Select the appropriate settings, based on the subscription type:
  - Main subscription — Accept the default value of 7 days.
  - Replay subscription — Accept the default value of 7 days and select Retain acknowledged messages.
- Expiration period — Select Never expire.
- Acknowledgement deadline — Enter 60 seconds.
- Subscription filter — Leave this option blank.
- Exactly once delivery — Leave this option blank.
- Message ordering — Leave this option blank.
- Dead lettering — Leave this option blank.
- Retry policy — Accept the default value of Retry immediately.
Select CREATE.
If the Info Panel on the resulting subscription page is not displayed, select SHOW INFO PANEL.
In the Permissions tab on the Info Panel, select +ADD PRINCIPAL.
In the Add principals to "export-topic-main-subscription" or Add principals to "export-topic-replay-subscription" dialog:
- New principals — Enter the service account email address created in Create a service account, similar to arcticwolfmonitoring-sa@arcticwolfmonitoring-project.iam.gserviceaccount.com.
- Select a role — Select Pub/Sub > Pub/Sub Subscriber.
Select SAVE.
Repeat the above steps to create the replay subscription.
Proceed to Create a cloud audit log sink.

Create a cloud audit log sink Direct link to this section

A cloud audit log sink routes cloud audit logs from the GCP organization, project, folder, or billing account to the Pub/Sub export topic, which then forwards the cloud audit log messages to Arctic Wolf. To create a cloud audit log sink for a resource:

Notes:

There may be costs associated with storing these logs and exporting them to Arctic Wolf through the topic created in Create a topic. See Google Cloud's operations suite pricing in the Google Cloud documentation for more information about pricing.
You must create a log sink for each resource that you want Arctic Wolf to monitor. However, we do not recommend creating a log sink at the organization level due to the increased costs.

Sign in to the Google Cloud Console with administrator credentials.
In the Select from menu, , select the project created in Create a project, such as arcticwolfmonitoring-project.
Select Activate Cloud Shell, .
In the Cloud Shell terminal, run the following command to create the log sink for the relevant resource, where:
- RESOURCE-NAME — The name of the organization, folder, project, or billing account.
- RESOURCE-TYPE — One of organization, project, folder, or billing-account
- RESOURCE-ID — The ID of the organization, project, folder, or billing account.
Note: If you are Create a log sink for a project, remove --include-children from the command. This option only applies to organizations, folders, and billing accounts.
```
gcloud logging sinks create <RESOURCE-NAME>-log-sink pubsub.googleapis.com/projects/arcticwolfmonitoring-project/topics/export-topic --<RESOURCE-TYPE>=<RESOURCE-ID> --include-children --log-filter="logName:logs/cloudaudit.googleapis.com"
```
Record the log sink service account email address displayed in the command output, similar to x#####-####@gcp-sa-logging.iam.gserviceaccount.com.
From the Navigation menu, select Pub/Sub > Topics.
In the list of topics, select the topic created in Create a topic, such as export-topic.
If the Info Panel is not displayed, select SHOW INFO PANEL.
In the Permissions tab on the Info Panel, select +ADD PRINCIPAL.
In the Add principals to "export-topic" dialog:
- New principals — Enter the log sink service account email address from step 5, similar to x#####-####@gcp-sa-logging.iam.gserviceaccount.com.
- Select a role — Select Pub/Sub > Pub/Sub Publisher.
Select SAVE.
Proceed to Provide credentials to Arctic Wolf.

Provide credentials to Arctic Wolf Direct link to this section

To provide your GCP credentials to Arctic Wolf:

Sign in to the Arctic Wolf Portal.
Select Connected Accounts in the banner menu to open the Connected Accounts page.
Select +Add Account to open the Add Account form.
Select Cloud Threat Detection as the Account Type.
Select Google Cloud Platform from the list of cloud services and fill in the form:
- Account Name — Enter a descriptive name for the credentials.
- Project ID — Enter the project ID recorded in Create a project.
- JSON Credential File — Upload the .json credential file recorded in Create a service account.
- Organization ID — Enter the organization ID recorded in Create a service account.
- Main Subscription ID — Enter the main subscription ID recorded in Create the main and replay subscriptions.
- Replay Subscription ID — Enter the replay subscription ID recorded in Create the main and replay subscriptions.
Select Submit to CST.
When prompted with the confirmation message, review your submission, and then select Done. You are returned to the Connected Accounts page.
Verify that the newly-submitted credential entry appears in the cloud services list with the status Connection Pending.

After your Concierge Security® Team provisions security monitoring for your account, the status of your credentials changes to Connected.

Configuring Google Cloud Platform Monitoring

Configuration Guide