Configure Google Cloud Platform for Arctic Wolf monitoring

You can configure GCP® to send the necessary logs to Arctic Wolf® for security monitoring.

These resources are required:

  • A user account with the Organization Administrator and Security Center Admin roles for the organization that you want to monitor.
  • A user account with the Owner, Logging Admin, or Logging Writer role for the relevant organization, project, folder, or billing account that you want to monitor, to create an associated log sink.
  • A tenant with data residency disabled for GCP Security Command Center.

Configure GCP Security Command Center

  1. Sign in to the Google Cloud Console with administrator permissions.
  2. In the navigation menu, click Security.
  3. In the Security Command Center navigation menu, click Settings.
  4. Select the organization that you want to configure services for.
  5. In the Security Health Analytics section, click Manage settings.
  6. Make sure that Security Health Analytics is enabled for all folders and projects that you want Arctic Wolf to monitor.
    CAUTION: If your organization uses the legacy version of Security Command Center, you must migrate your organization from the legacy version to a standard or premium subscription tier so that you can integrate with Arctic Wolf.
  7. Optional: Enable additional services for folders and projects that you want Arctic Wolf to monitor. The availability of these services depends on your subscription tier:
    • Web Security Scanner — Available to customers with standard and premium subscription tiers.
      Note:

      The Google Cloud console® only allows users with premium subscriptions to enable this service.

    • Event Threat Detection — Available to customers with a premium subscription tier.
    • Container Threat Detection — Available to customers with a premium subscription tier.

Enable Data Access audit logging

This step is optional.

GCP includes these default cloud audit logs:

  • Admin Activity
  • System Event
  • Policy Denied

You can enable Data Access audit logging to get more detailed logging of GCP services at the read level. For example, if you have a GCP storage bucket with sensitive information, you can enable Data Access audit logging to report on read and write actions to the storage bucket. Without Data Access audit logging, you only receive reports on GCP storage bucket creation and deletion.

Note:

Changing any of the default cloud audit log settings, for example enabling Data Access audit logging, could increase costs associated with storing these logs and exporting them to Arctic Wolf. See Google Cloud's operations suite pricing for more information.

For each service that requires audit logging, complete these steps:

  1. Sign in to the Google Cloud Console with administrator permissions.
  2. In the Open project picker menu, Select from menu, select the organization that you want to configure Data Access audit logging for.
  3. In the navigation menu, click IAM & Admin > Audit Logs.
  4. If the Info Panel is not displayed, click Show info panel.
  5. Select the services you want to configure audit logs for.
    Tip:

    The same audit log configurations are made to all selected services. If you want specific services to have different audit log configurations, you must select each service and configure its audit logs separately.

  6. In the Info Panel, select the appropriate options to configure the type of information gathered in the audit logs for the previously selected services:
    • Admin-read — Records operations that read metadata or configuration information.
    • Admin-write — Records operations that write metadata and configuration information.
      Note:

      By default, this option is enabled and cannot be disabled.

    • Data-read — Records operations that read user-provided data.
    • Data-write — Records operations that write user-provided data.
  7. Click Save.

Create a project

  1. Sign in to the Google Cloud Console with administrator permissions.
  2. In the Open project picker menu, Select from menu, select the organization that you want Arctic Wolf to monitor, and then click New project.
  3. On the New Project page, configure these settings:
    • Project name — Enter a short, descriptive name. For example, Arctic Wolf Monitoring.
    • Project ID — (Optional) To edit the Project ID, in the Project name field, select the Edit option, and then replace the automatically generated value with a unique identifier.
    • Organization — Make sure that the selected option is the organization you want Arctic Wolf to monitor.
    • Location — (Optional) Select Browse, and then select a location.
      Tip:

      You can select a parent organization or folder that is different from the organization that you want to monitor.

  4. Copy the Project ID, and then save it in a safe, encrypted location. You will provide it to Arctic Wolf later.
  5. Click Create.

Enable APIs

  1. Sign in to the Google Cloud Console with administrator permissions.
  2. In the main menu, click APIs & Services > Library.
  3. Enable the SCC API in the project:
    1. In the search field, enter Security Command Center API.
    2. In the search results, click Security Command Center API.
    3. Click Enable.
  4. Enable the Cloud Pub/Sub API in the project:
    1. In the search field, enter Cloud Pub/Sub API.
    2. In the search results, click Cloud Pub/Sub API.
    3. Click Enable.

Create a service account

  1. Sign in to the Google Cloud Console with administrator permissions.
  2. In the Open project picker menu, Select from menu, verify that these items are selected:
    • The organization that you want Arctic Wolf to monitor.
    • The project that you created previously. For example, Arctic Wolf Monitoring.
  3. In the navigation menu, click IAM & Admin > Service Accounts.
  4. Click + Create service account.
  5. In the Create service account section, configure these settings:
    • Service account name — Enter a short, descriptive name. For example, arctic-wolf-service-account.
    • Service account ID — (Optional) Enter a unique ID for the service account. For example, arcticwolfmonitoring.
      Tip:

      A unique value is automatically generated when you specify a service account name.

    • Service account description — (Optional) Enter a description for the service account. For example, Used for Arctic Wolf monitoring.
  6. Click Create and continue.
  7. Grant roles to the new service account at the organization level:
    1. Click Activate Cloud Shell.
    2. Run this command:
      gcloud organizations list
      Note:

      If the Cloud Shell terminal asks you to confirm or authorize an action after running a command, click AUTHORIZE. Otherwise, the command fails.

    3. In the results, find and copy the corresponding ID for your organization, and then save it in a safe, encrypted location to provide to Arctic Wolf later.
    4. Run this command to grant the new service account the role to view SCC findings:
      gcloud organizations add-iam-policy-binding <organization_id> --member='serviceAccount:<service_account_email>' --role='roles/securitycenter.findingsViewer' --condition=None

      Where:

      • organization_id is the organization ID identified in the previous step.
      • service_account_email is the email address of the service account that you created.
      Tip:

      The service account email address is listed on the Service Accounts page and is formatted as service_account_id@project_id.iam.gserviceaccount.com.

    5. Run this command to grant the new service account the role to view SCC assets:
      gcloud organizations add-iam-policy-binding <organization_id> --member='serviceAccount:<service_account_email>' --role='roles/securitycenter.assetsViewer' --condition=None

      Where:

      • organization_id is the organization ID identified previously.
      • service_account_email is the email address of the service account that you created.
  8. On the Service Accounts page, for the service account that you created, complete these steps:
    1. Click Actions > Manage keys.
    2. In the Add key list, select Create new key.
      Note: If you receive an error similar to Service account key creation is disabled, you must ask an administrator with the Organization Policy Administrator role to disable the iam.disableServiceAccountKeyCreation constraint. For more information, see Create and delete service account keys.
    3. In the dialog, select the JSON option.
    4. Click Create.

      The JSON file containing the service account credentials automatically downloads to your computer.

  9. Copy the JSON filename and path to a safe, encrypted location to provide to Arctic Wolf later.

Create a topic

  1. Sign in to the Google Cloud Console with administrator permissions.
  2. In the Open project picker menu, Select from menu, select the organization that you want to monitor and the project created in Create a project. For example, arcticwolfmonitoring-project.
  3. In the navigation menu, click Pub/Sub > Topics.
  4. Click + Create topic.
  5. In the Create topic dialog:
    • In the Topic ID field, enter a name for the topic. For example, export-topic.
    • Clear all checkboxes.
  6. Click Create.

Create the main and replay subscriptions

For the main subscription and the replay subscriptions, complete these steps:

  1. Sign in to the Google Cloud Console with administrator permissions.
  2. In the Open project picker menu, Select from menu, select the organization that you want to monitor and the project created in Create a project. For example, arcticwolfmonitoring-project.
  3. In the navigation menu, click Pub/Sub > Subscriptions to create the main and replay subscriptions.
  4. Click + Create subscription to create the appropriate subscription.
  5. On the Create subscription page, configure these settings:
    Note:

    Create the main subscription first, and then the replay subscription, with these settings. Subscription-specific settings are labeled.

    • Subscription ID — Enter a name for the subscription, based on the subscription type. Store this name in a secure location to provide to Arctic Wolf in Provide Google Cloud Platform credentials to Arctic Wolf.
      • Main subscription — export-topic-main-subscription
      • Replay subscription — export-topic-replay-subscription
    • Select a Cloud Pub/Sub topic — Select the topic that you created in Create a topic. For example, projects/project_id/topics/export-topic, where project_id is the ID of the project created in Create a project.
    • Delivery type — Click Pull.
    • Message retention duration — Configure the appropriate settings based on the subscription type:
      • Main subscription — Keep the default value of 7 days.
      • Replay subscription — Keep the default value of 7 days, and then select Retain acknowledged messages.
    • Expiration period — Select an expiry date that aligns with your needs.
    • Acknowledgement deadline — Enter 60 seconds.
    • Subscription filter — Keep this empty.
    • Exactly once delivery — Keep this empty.
    • Message ordering — Keep this empty.
    • Dead lettering — Keep this empty.
    • Retry policy — Keep the default value of Retry immediately.
  6. Click Create.
  7. If the Info Panel is not displayed, click Show info panel.
  8. On the Permissions tab on the Info Panel, click + Add principal.
  9. In the Add principals to "export-topic-main-subscription" or Add principals to "export-topic-replay-subscription" dialog, configure these settings:
    • New principals — Enter the service account email address created in Create a service account, similar to arcticwolfmonitoring-sa@arcticwolfmonitoring-project.iam.gserviceaccount.com.
    • Select a role — Click Pub/Sub > Pub/Sub Subscriber.
  10. Click Save.

Create a cloud audit log sink

A cloud audit log sink routes cloud audit logs from the GCP organization, project, folder, or billing account to the Pub/Sub export topic, which then forwards the cloud audit log messages to Arctic Wolf.

Note:

You must create a log sink for each resource that you want Arctic Wolf to monitor. However, Arctic Wolf does not recommend creating a log sink at the organization level because of the increased costs. There could be costs associated with storing these logs and exporting them to Arctic Wolf through the topic created in Create a topic. See Google Cloud's operations suite pricing for more information.

  1. Sign in to the Google Cloud Console with administrator permissions.
  2. In the Open project picker menu, Select from menu, select the project created in Create a project. For example, arcticwolfmonitoring-project.
  3. Click Activate Cloud Shell.
  4. In the Cloud Shell terminal, run this command to create the log sink for the relevant resource:
    gcloud logging sinks create <resource_name>-log-sink pubsub.googleapis.com/projects/<project_id>/topics/export-topic --<resource_type>=<resource_id> --include-children --log-filter="logName:logs/cloudaudit.googleapis.com"

    Where:

    • resource_name is the name of the organization, folder, project, or billing account.
    • project_id is the project that you created in Create a project. For example, arcticwolfmonitoring-project.
    • resource_type is one of organization, project, folder, or billing-account.
    • resource_id is the ID of the organization, project, folder, or billing account.
    Note:

    If you are creating a log sink for a project, remove --include-children from the command. This option only applies to organizations, folders, and billing accounts.

  5. Record the log sink service account email address displayed in the command output, similar to x#####-####@gcp-sa-logging.iam.gserviceaccount.com.
  6. In the navigation menu, select Pub/Sub > Topics.
  7. In the list of topics, select the topic created in Create a topic. For example, export-topic.
  8. If the Info Panel is not displayed, click Show info panel.
  9. On the Permissions tab on the Info Panel, click + Add principal.
  10. In the Add principals to "export-topic" dialog, configure these settings:
    • New principals — Enter the log sink service account email address that you recorded in step 5, similar to x#####-####@gcp-sa-logging.iam.gserviceaccount.com.
    • Select a role — Click Pub/Sub > Pub/Sub Publisher.
  11. Click Save.
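The subscription settings from Create the main and replay subscriptions and the sink steps from this section, driven with gcloud in one script. This is an added example, not Arctic Wolf's or Google's own tooling; DRY_RUN, PROJECT_ID, SA_EMAIL and the function names are this example's own, and export-topic and the subscription names are taken from the page.

```shell
#!/bin/sh
# Added example (not Arctic Wolf's or Google's own script): runs the Pub/Sub
# subscription and log sink steps with gcloud. Set DRY_RUN=1 to print each
# command instead of executing it. PROJECT_ID and SA_EMAIL are placeholders.
PROJECT_ID="${PROJECT_ID:-arcticwolfmonitoring-project}"
SA_EMAIL="${SA_EMAIL:-arcticwolfmonitoring-sa@${PROJECT_ID}.iam.gserviceaccount.com}"
TOPIC="export-topic"

run() {  # print the command on one line in dry-run mode, otherwise execute it
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Pull subscription for one kind ("main" or "replay"): 7-day retention and a
# 60 s ack deadline for both; only the replay one retains acknowledged messages.
create_subscription() {
  kind="$1"; sub="${TOPIC}-${kind}-subscription"
  set -- gcloud pubsub subscriptions create "$sub" --project="$PROJECT_ID" \
    --topic="$TOPIC" --message-retention-duration=7d --ack-deadline=60
  [ "$kind" = "replay" ] && set -- "$@" --retain-acked-messages
  run "$@"
  # The Arctic Wolf service account only needs to pull: Subscriber, nothing more.
  run gcloud pubsub subscriptions add-iam-policy-binding "$sub" \
    --project="$PROJECT_ID" --member="serviceAccount:${SA_EMAIL}" \
    --role=roles/pubsub.subscriber
}

# Audit log sink for one resource; rtype is organization, folder, project or
# billing-account. --include-children is not valid for projects, so it is
# dropped there. The sink's writer identity then needs Publisher on the topic.
create_sink() {
  rtype="$1"; rid="$2"; sink="$3-log-sink"
  set -- gcloud logging sinks create "$sink" \
    "pubsub.googleapis.com/projects/${PROJECT_ID}/topics/${TOPIC}" "--${rtype}=${rid}"
  [ "$rtype" != "project" ] && set -- "$@" --include-children
  run "$@" --log-filter="logName:logs/cloudaudit.googleapis.com"
  if [ -n "${DRY_RUN:-}" ]; then writer="serviceAccount:<sink_writer_identity>"; else
    writer=$(gcloud logging sinks describe "$sink" "--${rtype}=${rid}" \
      --format='value(writerIdentity)')
  fi
  run gcloud pubsub topics add-iam-policy-binding "$TOPIC" --project="$PROJECT_ID" \
    --member="$writer" --role=roles/pubsub.publisher
}

# Usage: sh setup.sh apply folder 123456789012 engineering
if [ "${1:-}" = "apply" ]; then
  run gcloud pubsub topics create "$TOPIC" --project="$PROJECT_ID"
  create_subscription main; create_subscription replay
  create_sink "$2" "$3" "$4"
fi
```

Run it once with DRY_RUN=1 to review the exact commands before applying them in Cloud Shell.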

Provide Google Cloud Platform credentials to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Data Collection > Cloud Sensors.
  3. Click Add Account +.
  4. On the Add Account page, click Google Cloud Platform.
  5. Configure these settings:
  6. Click Test and submit credentials.