Google Cloud Platform Integration Guide

The following instructions are for configuring an integration of Google Cloud Platform (GCP) to facilitate log ingestion into Secureworks® Taegis™ XDR. XDR receives logs from GCP via the Pub/Sub messaging service.

Supported Google Cloud Platform Log Types

Before You Begin

Ensure the following prerequisites are met before proceeding:

  • An active Google Cloud account with an administrator role
  • A Google Cloud Project

Important

This guide assumes these prerequisite steps are complete before beginning setup.

Data Provided from Integrations

Normalized Data Out-of-the-Box Detections Vendor-Specific Detections
Google Cloud Platform CloudAudit Netflow Thirdparty

Note

XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Configure Log Forwarding Using the GCP Web Interface

Create Pub/Sub Topic

  1. Navigate to Pub/Sub > Topics and select Create Topic.

    Create Pub/Sub Topic

  2. Enter a Topic ID, then select Create.

    Enter Pub/Sub Topic ID

Create Pub/Sub Subscription

  1. Navigate to Pub/Sub > Subscriptions and select Create Subscription.

    Create Pub/Sub Subscription

  2. Enter a Subscription ID and select the topic created in Step 2.

    Enter Pub/Sub Subscription ID

  3. Set the Acknowledgement deadline to 300 seconds and select Create.

    Enter Pub/Sub Subscription Acknowledgement Deadline

Create Sink

Tip

To collect organization- and folder-level logs, follow the vendor documentation to create aggregated sinks.

  1. Navigate to Logging > Log router and select Create Sink.

    Create Sink

  2. From Sink details, enter a Sink name and description, then select Next.

    Add Sink Details

  3. From Sink destination, select Cloud Pub/Sub topic as the sink service, then select the Pub/Sub topic created in the Create Pub/Sub Topic section.

    Select Sink Service Type and Pub/Sub Topic

    Note

    See Select Logs to Send to XDR to create inclusion filters that determine which logs are sent to the sink.

  4. Select Create sink.

Create a Service Account with Permissions to Read from the Pub/Sub Topic

  1. Navigate to IAM & Admin > Service Accounts and select Create Service Account.

    Create a Service Account

  2. Enter a Service account name and description. Copy the Service account ID email address for use in a subsequent step and select Done.

    Enter Service Account Details

  3. Navigate to Pub/Sub > Subscriptions and select Edit for the subscription created in the Create Pub/Sub Subscription section.

    Edit Pub/Sub Subscription

  4. Select Add Principal.

    Add Principal

  5. Enter the service account email copied in Step 2 above in the New principals field, and then select the Pub/Sub Subscriber role.

    Grant Access

  6. Select Save.

Grant Monitoring Permission for the Service Account

Create a Custom Role on GCP

  1. Navigate to IAM & Admin > Roles. Click on Create Role.

  2. Fill in the required details:

  • Title (any descriptive string)
  • ID (any descriptive string)
  • Select General Availability as the Role launch stage

    Add Role Permissions

  3. Select Add Permissions.

  4. Select the monitoring.timeSeries.list permission from the list of permissions.

    Add Monitoring Role Permission

  5. Click the Add button.

    Create Monitoring Role

  6. Click the Create button to complete creation of the Role.

Add the Custom Role to the Service Account

Note

Customers with an existing GCP integration do not need to generate a new service account and key for the service account. The custom role can be granted to an existing service account.

  1. Navigate to IAM & Admin > IAM.

    Grant Monitoring Role

  2. Click on Grant Access.

  3. In the New principals text box, enter the service account email created previously in the Create a Service Account with Permissions to Read from the Pub/Sub Topic section.

    Click the Role drop-down, select "Custom", and then select the custom role created in the Create a Custom Role on GCP section.

    Grant Role to Service Account

  4. Click Save.

Create a Service Account Key

  1. Open the Service account created in the preceding section and navigate to the Keys tab.

    Service Account Key

  2. Select Add Key, choose the JSON type, and then select Create. Save the key in a secure location; it is uploaded when completing the integration in XDR.

    Create Private Key

Complete the Integration in XDR

  1. Log in to XDR and navigate to Integrations → Cloud APIs.

  2. Select Add an Integration from the top of the page.

    Add an Integration

  3. From the Optimized tab, select Google Cloud and enter the following in the configuration panel:

  • Taegis Integration Name — Any user-friendly name to uniquely identify this integration
  • Project ID — The GCP Project ID
  • Subscription ID — The GCP Subscription ID
  • Upload the JSON key generated in the Create a Service Account Key section

    Add Google Cloud Platform Integration

Select Logs to Send to XDR

Reference the Google Cloud resource hierarchy to form the log inclusion filters.

Google Cloud Resource Hierarchy

To select the logs to be sent to XDR, refer to the Create Sink section and update the inclusion filter using the following Cloud Audit Logs, VPC Flow Logs, Google Kubernetes Engine (GKE) Dataplane V2, and Security Command Center Findings sections.

Cloud Audit Logs

For more information on Cloud Audit Logs, see the Google documentation.

Configuration

  1. In the Google Cloud console, navigate to IAM & Admin > Audit Logs. Select the services for which Data Access audit logs should be enabled.

    Data Access Audit Logs

  2. Create an inclusion filter to determine which logs are sent to the Pub/Sub topic. Refer to the following table to assist in building the inclusion filter for Cloud Audit logs. Each row lists the log name for one scope in the resource hierarchy, with the four Cloud Audit log types (Admin Activity, Data Access, System Event, Policy Denied) in that order.

    Projects
      Admin Activity: projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity
      Data Access:    projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Fdata_access
      System Event:   projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Fsystem_event
      Policy Denied:  projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Fpolicy

    Folders
      Admin Activity: folders/FOLDER_ID/logs/cloudaudit.googleapis.com%2Factivity
      Data Access:    folders/FOLDER_ID/logs/cloudaudit.googleapis.com%2Fdata_access
      System Event:   folders/FOLDER_ID/logs/cloudaudit.googleapis.com%2Fsystem_event
      Policy Denied:  folders/FOLDER_ID/logs/cloudaudit.googleapis.com%2Fpolicy

    Organization
      Admin Activity: organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com%2Factivity
      Data Access:    organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com%2Fdata_access
      System Event:   organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com%2Fsystem_event
      Policy Denied:  organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com%2Fpolicy

VPC Flow Logs

For more information on VPC Flow Logs, see the Google documentation.

Considerations

  • VPC Flow Logs can be enabled or disabled at the subnet level.

  • When enabled on a subnet, logs will be collected for all the virtual machines within that subnet.

  • Both the inbound and outbound network traffic will be sampled for log generation for TCP, UDP, ICMP, ESP, and GRE protocols. To learn more about sampling, see the Google documentation.

Configuration

  1. In the Google Cloud console, navigate to VPC Network > VPC Networks, select the network for which you would like to enable VPC Flow Logs, and then select the Subnets tab.

    VPC Flow Logs

  2. On the subnet for which VPC Flow Logs are to be enabled, enter Edit mode. Under the Flow Logs section, select On.

    Enable VPC Flow Logs

  3. To route Flow Logs to the Log Router Sink created in the Create Sink section, edit the Sink and then update the Inclusion Filter.

    Route VPC Flow Logs

    Example Inclusion Filter:

    logName="projects/gcp-dataflow-poc/logs/compute.googleapis.com%2Fvpc_flows"
    

Google Kubernetes Engine (GKE) Dataplane V2

For more information on GKE Dataplane V2, see the Google documentation.

Configuration

  1. Refer to the Google documentation to create a GKE cluster.

    Important

    GKE Dataplane V2 can only be enabled when creating a new cluster.

  2. Refer to the Google documentation to enable network policy logging.

  3. To route Flow Logs to the Log Router Sink created in the Create Sink section, edit the Sink and then update the Inclusion Filter.

    Route GKE Network Policy Logs

    Example Inclusion Filter:

    logName="projects/gcp-dataflow-poc/logs/policy-action"
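The following is an added example (not code from the vendor page) that builds a sink inclusion filter from the log names in the Cloud Audit Logs table plus the VPC Flow Logs and GKE Dataplane V2 example filters above, for any scope in the resource hierarchy, and reports which Cloud Audit log types an existing filter already covers. The scope IDs used in the code are constructed placeholders.

```python
"""Build and check Cloud Logging sink inclusion filters for the log types
this guide routes to XDR. Added example, not code from the vendor page;
scope IDs used below are constructed placeholders."""
from urllib.parse import quote

# Cloud Audit Logs log IDs, one per log type in the Cloud Audit Logs table.
AUDIT_LOG_IDS = {
    "admin_activity": "cloudaudit.googleapis.com/activity",
    "data_access": "cloudaudit.googleapis.com/data_access",
    "system_event": "cloudaudit.googleapis.com/system_event",
    "policy_denied": "cloudaudit.googleapis.com/policy",
}
# Log IDs taken from the VPC Flow Logs and GKE Dataplane V2 example filters.
OTHER_LOG_IDS = {
    "vpc_flows": "compute.googleapis.com/vpc_flows",
    "gke_policy_action": "policy-action",
}
# Resource-hierarchy prefixes used by the table (project, folder, organization).
SCOPE_PREFIX = {"project": "projects", "folder": "folders", "organization": "organizations"}


def log_name(scope: str, scope_id: str, log_type: str) -> str:
    """Fully qualified logName; the slash inside the log ID is encoded as
    %2F, which is how the console and the table above spell it."""
    log_id = {**AUDIT_LOG_IDS, **OTHER_LOG_IDS}[log_type]
    return f"{SCOPE_PREFIX[scope]}/{scope_id}/logs/{quote(log_id, safe='')}"


def build_inclusion_filter(scope: str, scope_id: str, log_types) -> str:
    """One logName clause per requested log type, joined with OR, ready to
    paste into the sink's inclusion filter."""
    clauses = [f'logName="{log_name(scope, scope_id, t)}"' for t in log_types]
    if not clauses:
        raise ValueError("at least one log type is required")
    return " OR ".join(clauses)


def audit_types_covered(filter_text: str) -> set:
    """Which Cloud Audit log types an existing filter already names, so a
    gap (for example, no data_access) is visible before the sink is saved."""
    return {t for t, log_id in AUDIT_LOG_IDS.items()
            if quote(log_id, safe="") in filter_text}


if __name__ == "__main__":
    # gcp-dataflow-poc is the project used in the guide's example filters.
    print(build_inclusion_filter("project", "gcp-dataflow-poc",
                                 ["admin_activity", "data_access", "vpc_flows"]))
```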
    

Security Command Center Findings

For more information on Security Command Center, see the Google documentation.

Configuration

  1. Security Command Center can be activated at the Organization and Project levels.

Organization Level

Refer to the Google documentation to activate Security Command Center for an organization.

Project Level

Refer to the Google documentation to activate Security Command Center for a project.

  1. In the Google Cloud console, navigate to Security > Security Command Center > Overview and select Edit Settings.

    Edit SCC Settings

  2. Select the Continuous exports tab.

  3. Select Create Pub/Sub Export. Enter a user-friendly name and then select the Pub/Sub topic created in the Create Pub/Sub Topic section.

  4. Select Save.