This article explains how to connect GCP to Expel Workbench.
Prerequisites
- A Google Cloud Platform admin account.
- The gcloud command-line tool installed.
- A Google Workspace connector added to your Workbench account.
Important
Make sure you elevate yourself to admin in Google Cloud Platform before you start these steps.
Step 1: Create a Google Cloud Platform project
Create a project and call it expel-integration. Use it to host the rest of the integration’s resources.
Step 2: Create a service account
- Log in to the GCP console and navigate to the expel-integration project.
- From the navigation menu, go to IAM & Admin > Service Accounts.
- Create a new service account and fill in the details:
  - Service account name: expel-gcp-integration
  - Service account ID: [auto-filled]
  - Service account description: used by Expel
- Grant the service account the Pub/Sub Subscriber and BigQuery Job User roles.
- Generate a JSON private key and download it.
Step 3: Create cloud asset custom role and add to service account
Note
Expel secures all login information our SOC analysts need about your devices in an MFA password product. Access to this login information is protected using our internal MFA processes. To learn more about the IP addresses all Expel traffic comes from, go here.
- Open Google Cloud Platform.
- Make sure you are under the Organization and not a project.
- Navigate to IAM & Admin > Roles.
- Click Create Role.
- Fill in the Title, Description, and ID.
- Click Add Permissions.
- Add these to the requested permissions, then click Add:
  - cloudasset.assets.listResource
  - cloudasset.assets.listIamPolicy
  - cloudasset.assets.listOrgPolicy
  - cloudasset.assets.listAccessPolicy
  - cloudasset.assets.listOSInventories
- After you are done adding permissions, click Create.
- The next step is adding the service account with the role to IAM. You might need to log out and back in to see the new role as an option.
- Verify you are still under the Organization and not a project.
- Navigate to IAM & Admin > IAM.
- Click Add.
- Paste in the service account email (expel-gcp-integration@expel-integration.iam.gserviceaccount.com if you followed this guide's naming) as the new principal.
Step 4: Configure a Pub/Sub topic and subscription
Configuring a Pub/Sub topic and subscription creates an intermediary between the log sink and Expel's alert ingestion. Without this step, Expel Workbench can't receive alerts from Google Cloud.
- Navigate to Pub/Sub > Topics.
- Create a new topic:
  - Topic ID: expel-integration-topic
  - Select Add a default subscription. This creates a subscription that you change in the next step.
  Make note of the full topic name because we use it later. It has the format:
  projects/[project-id]/topics/expel-integration-topic
- Navigate to Pub/Sub > Subscriptions. The expel-integration-topic-sub subscription created in the last step appears in your list of subscriptions.
  Change the Acknowledgement deadline to 600 seconds and keep the default values for the rest of the options.
  Make note of the full subscription name because we use it later. It looks like this: projects/[project-id]/subscriptions/expel-integration-topic-sub
Step 5: Create the aggregated organization log sinks
Note
Organization sinks can't be created from the Google Cloud console (see https://cloud.google.com/logging/docs/export/aggregated_sinks), so we use the gcloud command-line tool.
- Log in to GCP.
  $ gcloud auth login
- List the organizations and take note of the org ID.
  $ gcloud organizations list
- Create the Pub/Sub org sink. Use this command to filter activity logs:
  $ gcloud logging sinks create expel-org-sink-pubsub pubsub.googleapis.com/projects/[project-id]/topics/expel-integration-topic --include-children --organization=[org-id] --log-filter="logName=~\"cloudaudit\.googleapis\.com\%2Factivity\" AND protoPayload.serviceName!=\"k8s\.io\""
  This also creates a new service account (the sink's writer identity), which must be granted the Pub/Sub Publisher role on the integration's topic. The command output names it:
  Created [https://logging.googleapis.com/v2/organizations/000000000000/sinks/expel-org-sink].
  Remember to grant 'serviceAccount:o278854420484-586207@gcp-sa-logging.iam.gserviceaccount.com' the Pub/Sub Publisher role on the topic.
  More information about sinks can be found at https://cloud.google.com/logging/docs/export/configure_export_v2
- From the console, navigate to Pub/Sub > Topics > expel-integration-topic. Use the Permissions tab to add the service account created above as a member with the Pub/Sub Publisher role.
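As an added illustration (not part of Expel's original article), the Python below emulates the org sink's log filter from the command above against a few constructed log entries, so you can see which audit records reach expel-integration-topic and which the k8s.io exclusion drops; the sample entries and their field values are constructed for this example.

```python
import re

# Emulation of the org sink's --log-filter from Step 5 (Cloud Logging uses RE2 for =~;
# Python's re handles this pattern identically):
#   logName=~"cloudaudit\.googleapis\.com\%2Factivity" AND protoPayload.serviceName!="k8s\.io"
LOGNAME_PATTERN = re.compile(r"cloudaudit\.googleapis\.com%2Factivity")
EXCLUDED_SERVICE = "k8s.io"


def matches_org_sink(entry):
    """True if a LogEntry would be forwarded by expel-org-sink-pubsub."""
    log_name = entry.get("logName", "")
    service = entry.get("protoPayload", {}).get("serviceName")
    # =~ is a substring regex match, so --include-children entries whose logName starts
    # with projects/ or folders/ match just like organizations/ ones.
    return bool(LOGNAME_PATTERN.search(log_name)) and service != EXCLUDED_SERVICE


def routed_entries(entries):
    """Names of the sample entries the sink would deliver to expel-integration-topic."""
    return sorted(name for name, entry in entries.items() if matches_org_sink(entry))


# Constructed sample entries (not real log data), shaped like Cloud Logging LogEntry JSON.
SAMPLE_ENTRIES = {
    "iam_policy_change": {
        "logName": "organizations/000000000000/logs/cloudaudit.googleapis.com%2Factivity",
        "protoPayload": {"serviceName": "cloudresourcemanager.googleapis.com",
                         "methodName": "SetIamPolicy"},
    },
    "gke_pod_create": {  # dropped: Kubernetes audit entries are excluded by the filter
        "logName": "projects/expel-integration/logs/cloudaudit.googleapis.com%2Factivity",
        "protoPayload": {"serviceName": "k8s.io", "methodName": "io.k8s.core.v1.pods.create"},
    },
    "bucket_read": {  # dropped: data_access logs are not Admin Activity logs
        "logName": "projects/expel-integration/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {"serviceName": "storage.googleapis.com", "methodName": "storage.objects.get"},
    },
    "app_stdout": {  # dropped: not an audit log at all
        "logName": "projects/expel-integration/logs/stdout",
        "textPayload": "request handled",
    },
}

if __name__ == "__main__":
    for name, entry in SAMPLE_ENTRIES.items():
        print(f"{name:18} -> {'routed' if matches_org_sink(entry) else 'dropped'}")
```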
Step 6: Enable Event Threat Detection (optional)
Event Threat Detection is a service offered by Google Cloud Platform at an additional cost. If you do not use this service, skip this step. To learn more about Event Threat Detection, go to: https://cloud.google.com/security-command-center/docs/concepts-event-threat-detection-overview#log_types.
Linking Event Threat Detection with the Expel Workbench is a two-part process. You must create continuous exports for cloud logging and then create a sink.
Create continuous exports for cloud logging
- Go to the Security Command Center page in the GCP console.
- Go to Settings and click Continuous Exports.
- Verify Cloud Logging Export status is set to active.
- Click Cloud Logging Export and verify Log findings to Cloud Logging is enabled.
- For Logging project, select the project from Step 1.
Create a sink for Event Threat Detection
- Go to Log Router.
- Create a new sink.
- Name it ETD.
- Description: Monitor Event Threat Detection for Expel.
- Sink destination: select the Pub/Sub topic created in Step 4 of this procedure.
- Choose logs to include in sink:
  resource.type="threat_detector"
  The screen should look something like this:
- Click Create Sink.
- From the console, navigate to Pub/Sub > Topics > expel-integration-topic. Use the Permissions tab to verify the service account created above is added with the role of Pub/Sub Publisher.
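The Pub/Sub Publisher grant in Steps 5 and 6 is the step most often missed, so here is an added Python check (not from the article or from Expel) that pulls the writer identity out of gcloud's sink-creation message and verifies or updates the topic's IAM policy in the standard IAM policy JSON shape; the service-account addresses, etag and policy contents are constructed placeholders.

```python
import copy
import re

PUBLISHER_ROLE = "roles/pubsub.publisher"
# gcloud prints the sink's writer identity in a line like the one shown in Step 5:
# "Remember to grant 'serviceAccount:...' the Pub/Sub Publisher role on the topic."
WRITER_IDENTITY_RE = re.compile(r"grant '(serviceAccount:[^']+)'")

def writer_identity_from_output(output):
    """Extract the sink writer identity from gcloud's sink-creation message, or None."""
    match = WRITER_IDENTITY_RE.search(output)
    return match.group(1) if match else None

def has_publisher_binding(policy, member):
    """True if the topic policy already grants the member Pub/Sub Publisher."""
    return any(b.get("role") == PUBLISHER_ROLE and member in b.get("members", [])
               for b in policy.get("bindings", []))

def grant_publisher(policy, member):
    """Copy of the policy with the member in the publisher binding (no duplicate bindings)."""
    updated = copy.deepcopy(policy)
    for binding in updated.setdefault("bindings", []):
        if binding.get("role") == PUBLISHER_ROLE:
            if member not in binding.setdefault("members", []):
                binding["members"].append(member)
            return updated
    updated["bindings"].append({"role": PUBLISHER_ROLE, "members": [member]})
    return updated

# Constructed stand-ins: the sink-creation output (identity is a placeholder) and the topic's
# current policy in the JSON shape 'gcloud pubsub topics get-iam-policy' returns.
SINK_OUTPUT = (
    "Created [https://logging.googleapis.com/v2/organizations/000000000000/sinks/expel-org-sink].\n"
    "Remember to grant 'serviceAccount:o000000000000-000000@gcp-sa-logging.iam.gserviceaccount.com' "
    "the Pub/Sub Publisher role on the topic."
)
TOPIC_POLICY = {
    # existing publisher binding, e.g. the ETD sink's identity from Step 6 (constructed placeholder)
    "bindings": [{"role": PUBLISHER_ROLE,
                  "members": ["serviceAccount:etd-sink-placeholder@gcp-sa-logging.iam.gserviceaccount.com"]}],
    "etag": "BwXplaceholder=",
    "version": 1,
}

if __name__ == "__main__":
    sink_sa = writer_identity_from_output(SINK_OUTPUT)
    print("sink writer identity:", sink_sa)
    print("publisher before:", has_publisher_binding(TOPIC_POLICY, sink_sa))
    print("publisher after: ", has_publisher_binding(grant_publisher(TOPIC_POLICY, sink_sa), sink_sa))
```

In practice, feed it the real policy from gcloud pubsub topics get-iam-policy and apply the returned policy with gcloud pubsub topics set-iam-policy, or use gcloud pubsub topics add-iam-policy-binding directly.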
Step 7: Register Google Cloud Platform in Workbench
- Log in to https://workbench.expel.io.
- Navigate to Organization Settings, then Security Devices.
- At the top of the page, click + Add Security Device.
- Search for and select Google Cloud Platform.
- Fill in the Connection Settings as follows:
  - Auth JSON: the JSON key from Step 2.
  - Subscription Name: the full Pub/Sub subscription name from Step 4.
  - Organization ID: the GCP Organization ID from Step 3.
Note
Don’t forget to register your Google Workspace connector using the Expel Google Workspace onboarding docs. This is essential, even if you are not a Google Workspace customer. Google tracks OAuth 2.0 token grants for Google Cloud Platform in the Google Workspace Admin Audit Logs.
Comments
3 comments
Link to Google's documentation for (optional) step 5 appears to have moved. Link now lands at homepage for Google's Security Centre documentation portal.
Hi Andrew!
Thank you for bringing this to our attention! We'll look into it right away. Have a great day and keep those comments and suggestions coming!
--Scott
UPDATE: We changed the link in Step 5 to go directly to Event Threat Detection in Google's security documentation.