 

This article helps you connect your GCP installation to the Expel Workbench.

Create a GCP Project

Create a Service Account

Create cloud asset custom role and add to service account

Configure Pub/Sub

Create an aggregated org sink

Enable Event Threat Detection (optional)

Register Google Cloud Platform in Expel Workbench

Tip

This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!

  • A Google Cloud Platform admin account.

  • The gcloud command-line tool installed.

  • A Google Workspace connector added to your Workbench account.

Step 1: Create a Google Cloud Platform project

Create a project and call it expel-integration. Use it to host the rest of the integration’s resources.

Step 2: Create a service account

  1. Log in to the GCP console and open the expel-integration project.

  2. From the navigation menu, go to IAM & Admin > Service Accounts.

  3. Create a new service account and fill in the details.

    • Service account name: expel-gcp-integration

    • Service account ID: [auto-filled]

    • Service account description: used by Expel

  4. Grant the service account the Pub/Sub Subscriber and BigQuery Job User roles.

  5. Generate a JSON private key and download it. The key is a long-lived credential for the service account, so store it securely; you upload it to Workbench in Step 7.


Step 3: Create cloud asset custom role and add to service account

  1. Open Google Cloud Platform.

  2. Make sure you are under the Organization and not a project.

  3. Navigate to IAM & Admin > Roles.

  4. Click Create Role.

  5. Fill in the Title, Description, and ID.

  6. Click Add Permissions.

  7. Add these to the requested permissions, then click Add:

    • cloudasset.assets.listResource

    • cloudasset.assets.listIamPolicy

    • cloudasset.assets.listOrgPolicy

    • cloudasset.assets.listAccessPolicy

    • cloudasset.assets.listOSInventories

  8. After you are done adding permissions, click Create.

  9. Next, add the service account with the new role in IAM. You might need to log out and back in before the new role appears as an option.

  10. Verify you are still under the Organization and not a project.

  11. Navigate to IAM & Admin > IAM.

  12. Click Add.

  13. Paste in the service account email (expel-gcp-integration@expel-integration.iam.gserviceaccount.com if you followed this guide's naming) as the new principal and assign it the custom role created above.


Step 4: Configure a PubSub topic and subscription

  1. Navigate to Pub/Sub > Topics.

  2. Create a new topic with these settings:

    • Topic ID: expel-integration-topic

    • Keep Add a default subscription selected. This creates a subscription that you change in the next step.

      Make note of the full topic name because we use it later. It has the format:

      projects/[project-id]/topics/expel-integration-topic

  3. Navigate to Pub/Sub > Subscriptions. The "expel-integration-topic-sub" subscription created in the last step appears in your list of subscriptions.

    Change the Acknowledgement deadline to 600 seconds and keep the default values for the rest of the options.


Make note of the full subscription name because we use it later. It has the following format: projects/[project-id]/subscriptions/expel-integration-topic-sub

Step 5: Create the aggregated organization log sinks

Note

Organization sinks can’t be created from the Google Cloud console (see https://cloud.google.com/logging/docs/export/aggregated_sinks), so we use the gcloud command-line tool.

  1. Log in to GCP.

    $ gcloud auth login
  2. List the organizations and take note of the org ID.

    $ gcloud organizations list
  3. Create the pub/sub org sink.

    • Use this command to filter activity logs:

      $ gcloud logging sinks create expel-org-sink-pubsub pubsub.googleapis.com/projects/[project-id]/topics/expel-integration-topic --include-children --organization=[org-id] --log-filter="logName=~\"cloudaudit\.googleapis\.com\%2Factivity\" AND protoPayload.serviceName!=\"k8s\.io\""
    • Creating the sink automatically creates a new service account (the sink's writer identity), which must be granted the Pub/Sub Publisher role on the integration’s topic. The command output names that identity:

      Created [https://logging.googleapis.com/v2/organizations/000000000000/sinks/expel-org-sink].

      Remember to grant 'serviceAccount:o278854420484-586207@gcp-sa-logging.iam.gserviceaccount.com' the Pub/Sub Publisher role on the topic.

      More information about sinks can be found at https://cloud.google.com/logging/docs/export/configure_export_v2

  4. From the console, navigate to Pub/Sub > Topics > expel-integration-topic. Use the Permissions tab to add the service account created above as a principal with the Pub/Sub Publisher role.

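Steps 2 through 5 can be scripted end to end with gcloud. The script below is an added example, not Expel's tooling and not part of the original article. It assumes the names used in this guide, a placeholder ORG_ID you replace with the value from `gcloud organizations list`, and an assumed custom role ID of expelCloudAssetViewer. One deliberate difference from the console steps: it creates the subscription directly with the 600-second acknowledgement deadline instead of editing the default subscription afterwards.

```shell
#!/bin/sh
# Added example, not Expel's own tooling: scripts the GCP side of Steps 2 to 5
# with gcloud. DRY_RUN=1 (the default) only prints each command; DRY_RUN=0 runs
# it. ORG_ID and ROLE_ID are assumed values, not taken from the guide.
set -eu

PROJECT_ID="${PROJECT_ID:-expel-integration}"
ORG_ID="${ORG_ID:-000000000000}"   # placeholder: take the real one from `gcloud organizations list`
SA_NAME="expel-gcp-integration"
TOPIC="expel-integration-topic"
SUB="${TOPIC}-sub"
SINK="expel-org-sink-pubsub"
ROLE_ID="expelCloudAssetViewer"    # assumed custom role ID
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode; otherwise execute it with its arguments intact.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

sa_email()          { printf '%s@%s.iam.gserviceaccount.com\n' "$SA_NAME" "$1"; }
topic_path()        { printf 'projects/%s/topics/%s\n' "$1" "$TOPIC"; }
subscription_path() { printf 'projects/%s/subscriptions/%s\n' "$1" "$SUB"; }

# Role definition for `gcloud iam roles create --file`: exactly the five Cloud
# Asset list permissions from Step 3, so the account can inventory but not change anything.
role_yaml() {
cat <<'EOF'
title: Expel Cloud Asset Viewer
description: Lets the Expel service account list assets and policies
stage: GA
includedPermissions:
- cloudasset.assets.listResource
- cloudasset.assets.listIamPolicy
- cloudasset.assets.listOrgPolicy
- cloudasset.assets.listAccessPolicy
- cloudasset.assets.listOSInventories
EOF
}

# The guide's sink filter: Admin Activity audit logs, minus the noisy GKE API server entries.
activity_log_filter() {
  printf '%s\n' 'logName=~"cloudaudit\.googleapis\.com\%2Factivity" AND protoPayload.serviceName!="k8s\.io"'
}

main() {
  email=$(sa_email "$PROJECT_ID")

  # Step 2: service account, its two project-level roles, and a JSON key.
  # The key is a long-lived credential; upload it to Workbench and keep no other copy.
  run gcloud iam service-accounts create "$SA_NAME" --project="$PROJECT_ID" \
      --display-name="$SA_NAME" --description="used by Expel"
  for role in roles/pubsub.subscriber roles/bigquery.jobUser; do
    run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
        --member="serviceAccount:$email" --role="$role"
  done
  run gcloud iam service-accounts keys create "./$SA_NAME-key.json" --iam-account="$email"

  # Step 3: custom role at the organization, bound to the account at the organization.
  role_file="./$ROLE_ID.yaml"
  if [ "$DRY_RUN" = 1 ]; then printf '+ cat > %s <<EOF\n' "$role_file"; role_yaml; printf 'EOF\n'
  else role_yaml >"$role_file"; fi
  run gcloud iam roles create "$ROLE_ID" --organization="$ORG_ID" --file="$role_file"
  run gcloud organizations add-iam-policy-binding "$ORG_ID" \
      --member="serviceAccount:$email" --role="organizations/$ORG_ID/roles/$ROLE_ID"

  # Step 4: topic, plus the subscription created directly with the 600 s deadline
  # instead of editing the default one afterwards.
  run gcloud pubsub topics create "$TOPIC" --project="$PROJECT_ID"
  run gcloud pubsub subscriptions create "$SUB" --project="$PROJECT_ID" \
      --topic="$TOPIC" --ack-deadline=600

  # Step 5: aggregated org sink, then Publisher on the topic for its writer identity.
  run gcloud logging sinks create "$SINK" "pubsub.googleapis.com/$(topic_path "$PROJECT_ID")" \
      --organization="$ORG_ID" --include-children --log-filter="$(activity_log_filter)"
  if [ "$DRY_RUN" = 1 ]; then writer="serviceAccount:WRITER_IDENTITY_PRINTED_BY_SINK_CREATE"
  else writer=$(gcloud logging sinks describe "$SINK" --organization="$ORG_ID" --format='value(writerIdentity)'); fi
  run gcloud pubsub topics add-iam-policy-binding "$TOPIC" --project="$PROJECT_ID" \
      --member="$writer" --role=roles/pubsub.publisher

  printf 'Subscription name for Workbench: %s\n' "$(subscription_path "$PROJECT_ID")"
}

main
```

Run it once with the default DRY_RUN=1 to review the commands, then with DRY_RUN=0 from an account that can administer the organization. Every grant stays as narrow as the guide describes: the custom role carries only the five list permissions, the sink's writer identity gets Publisher on this one topic, and the service account's key is the only secret produced.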

Step 6: Enable Event Threat Detection (optional)

Event Threat Detection is a service offered by Google Cloud Platform at an additional cost. If you do not use this service, skip this step. To learn more about Event Threat Detection, go to: https://cloud.google.com/security-command-center/docs/concepts-event-threat-detection-overview#log_types.

Linking Event Threat Detection with the Expel Workbench is a two-part process. You must create continuous exports for cloud logging and then create a sink.

Create continuous exports for cloud logging

  1. Go to the Security Command Center Findings page in the GCP console.

  2. Go to Findings.

  3. In the Filter field, select the attributes, properties, or security marks you want to use to filter findings and enter desired variables. A blank filter is evaluated as a wildcard and all findings are exported. For more information on finding properties, see Using the Security Command Center dashboard.

  4. Click Export, and then, under Continuous, click Pub/Sub.

  5. Review your filter to ensure it's correct and, if necessary, return to the Findings page to modify it.

  6. Under Continuous export name, enter a name for the export.

  7. Under Continuous export description, enter a description for the export.

  8. Under Export to, select the project created in Step 1 of this procedure. If you need help, see Creating continuous exports.


Create a sink for Event Threat Detection

  1. Go to Logging > Log Router.

  2. Create a new sink.

  3. Name it ETD.

  4. Description: Monitor Event Threat Detection for Expel.

  5. Sink Destination: Select the Pub/Sub topic created in Step 4 of this procedure.

  6. Choose logs to include in sink: resource.type="threat_detector". The screen should look something like this:

  7. Click Create Sink.

  8. From the Console, navigate to PubSub > Topics > expel-integration-topic. Use the Permissions tab to verify the service account created above is added with the role of Pub/Sub Publisher.
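The sink created here and the org sink from Step 5 both depend on their writer identities holding Pub/Sub Publisher on the topic; a sink whose identity was never granted the role drops its logs without any error in Workbench. As an added example (not Expel's tooling and not part of the original article), the script below creates the Step 6 sink with gcloud and then audits the topic's IAM policy for both identities, the check that Step 5 item 4 and Step 6 item 8 perform by hand in the console. It assumes the names from this guide, and it assumes that `gcloud pubsub topics get-iam-policy --flatten='bindings[].members' --format='csv[no-heading](bindings.role,bindings.members)'` prints one role,member line per binding; the policy and identities it audits in dry-run mode are constructed samples.

```shell
#!/bin/sh
# Added example, not Expel's own tooling: creates the Step 6 sink with gcloud,
# then audits the topic's IAM policy so a sink whose writer identity was never
# granted Publisher is caught before registering in Workbench. DRY_RUN=1 (the
# default) prints commands and audits a constructed sample policy; DRY_RUN=0
# runs against the real project.
set -eu

PROJECT_ID="${PROJECT_ID:-expel-integration}"
ORG_ID="${ORG_ID:-000000000000}"   # placeholder
TOPIC="expel-integration-topic"
ORG_SINK="expel-org-sink-pubsub"
ETD_SINK="ETD"
ETD_FILTER='resource.type="threat_detector"'
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi; }

# One "role,member" line per binding (assumed output shape of --flatten with csv format).
topic_policy_lines() {
  gcloud pubsub topics get-iam-policy "$1" --project="$PROJECT_ID" \
    --flatten='bindings[].members' --format='csv[no-heading](bindings.role,bindings.members)'
}

# Pure check: do the policy lines in $1 bind the identity in $2 as Pub/Sub Publisher?
# Whole-line fixed-string match, so a prefix, a different role, or a lookalike never counts.
has_publisher_binding() {
  printf '%s\n' "$1" | grep -Fqx "roles/pubsub.publisher,$2"
}

# Report each writer identity ($2...) against the policy ($1); fail if any is missing.
audit_publishers() {
  policy=$1; shift
  missing=0
  for writer in "$@"; do
    if has_publisher_binding "$policy" "$writer"; then
      printf 'OK       %s\n' "$writer"
    else
      printf 'MISSING  %s -> grant roles/pubsub.publisher on %s\n' "$writer" "$TOPIC"
      missing=$((missing + 1))
    fi
  done
  [ "$missing" -eq 0 ]
}

main() {
  # Step 6: project-level sink for SCC findings, feeding the same topic as the org sink.
  run gcloud logging sinks create "$ETD_SINK" \
      "pubsub.googleapis.com/projects/$PROJECT_ID/topics/$TOPIC" --project="$PROJECT_ID" \
      --description="Monitor Event Threat Detection for Expel" --log-filter="$ETD_FILTER"

  if [ "$DRY_RUN" = 1 ]; then
    # Constructed sample: the org sink's identity is bound, the new ETD sink's is not yet.
    org_writer='serviceAccount:o000000000000-000000@gcp-sa-logging.iam.gserviceaccount.com'
    etd_writer='serviceAccount:p000000000000-000000@gcp-sa-logging.iam.gserviceaccount.com'
    policy="roles/pubsub.publisher,$org_writer
roles/pubsub.viewer,group:cloud-admins@example.com"
  else
    org_writer=$(gcloud logging sinks describe "$ORG_SINK" --organization="$ORG_ID" --format='value(writerIdentity)')
    etd_writer=$(gcloud logging sinks describe "$ETD_SINK" --project="$PROJECT_ID" --format='value(writerIdentity)')
    policy=$(topic_policy_lines "$TOPIC")
  fi

  if audit_publishers "$policy" "$org_writer" "$etd_writer"; then
    printf 'All sink identities can publish to %s\n' "$TOPIC"
  else
    printf 'Grant the MISSING identities before registering the device in Workbench\n'
  fi
}

main
```

In dry-run mode the audit deliberately reports the ETD identity as MISSING, which is the state you are in right after Step 6 item 7 and before item 8. The exact whole-line match matters: an identity that is bound as Viewer, or only at the project level, still cannot publish to the topic, and the check treats it as missing.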

Step 7: Register Google Cloud Platform in Workbench

  1. Log in to https://workbench.expel.io.

  2. Navigate to Settings, then Security Devices.

  3. At the top of the page, click Add Security Device.

  4. Search for and select Google Cloud Platform.

  5. Fill in the Connection Settings as follows:

    • Auth JSON: the JSON key from Step 2.

    • Subscription Name: the full PubSub subscription name from Step 4.

    • Organization ID: the GCP Organization ID from Step 3.

Note

Don’t forget to register your Google Workspace connector using the Expel Google Workspace onboarding docs. This is essential, even if you are not a Google Workspace customer. Google tracks OAuth 2.0 token grants for Google Cloud Platform in the Google Workspace Admin Audit Logs.

Comments


  • Andrew Waite

    Link to Google's documentation for (optional) step 5 appears to have moved. Link now lands at homepage for Google's Security Centre documentation portal.

  • Scott Dewbre

    Hi Andrew! 

    Thank you for bringing this to our attention! We'll look into it right away. Have a great day and keep those comments and suggestions coming!

    --Scott

  • Scott Dewbre

    UPDATE: We changed the link in Step 5 to go directly to Event Threat Detection in Google's security documentation.

