1. Expel Support Center
  2. Connect your technology
  3. Cloud integrations

Google Cloud Platform setup for Workbench

  • Updated

This article explains how to connect GCP to Expel Workbench.

In this article

Before you start

  • A Google Cloud Platform admin account.

  • GCloud command-line tool installed.

  • A Google Workspace connector added to your Workbench account.

Important

Make sure you elevate yourself to admin in Google Cloud Platform before you start these steps.

Step 1: Create a Google Cloud Platform project

Create a project and call it expel-integration. Use it to host the rest of the integration’s resources.

Step 2: Create a service account

  1. Login to the GCP console and navigate to the expel-integration project.

  2. From the navigation menu, go to IAM & Admin > Service Accounts.

  3. Create a new service account and fill in the details.

    • Service account name: expel-gcp-integration

    • Service account ID: [auto-filled]

    • Service account description: used by Expel

  4. Grant the service account Pub/Sub Subscriber and BigQuery Job User permissions.

  5. Generate a JSON private key and download it.

Step 3: Create cloud asset custom role and add to service account

Having read-only access to the interface of your technology allows Expel to dig deeper during incident investigations. Our device health team uses this access to investigate potential health issues with your tech.

Note

Expel secures all login information our SOC analysts need about your devices in a MFA password product. Access to this login information is protected using our internal MFA processes. To learn more about the IP addresses all Expel traffic comes from, go here.

  1. Open Google Cloud Platform.

  2. Make sure you are under the Organization and not a project.

  3. Navigate to IAM & Admin > Roles.

  4. Click Create Role.

  5. Fill in the Title, Description, and ID.

  6. Click Add Permissions.

  7. Add these to the requested permissions, then click Add:

    • cloudasset.assets.listResource

    • cloudasset.assets.listIamPolicy

    • cloudasset.assets.listOrgPolicy

    • cloudasset.assets.listAccessPolicy

    • cloudasset.assets.listOSInventories

  8. After you are done adding permissions, click Create.

  9. The next step is adding the Service Account with the Role to IAM. You might need to log out and back in to see the new role as an option.

  10. Verify you are still under the Organization and not a project.

  11. Navigate to IAM & Admin > IAM.

  12. Click Add.

  13. Paste in the Service Account Email (expel-gcp-integration@expel-integration.iam.gserviceaccount.com if following this guide's nomenclature) as the new Principal.

Step 4: Configure a PubSub topic and subscription

Configuring a PubSub topic and subscription creates a middle-man for the sink and Expel receiving alerts. WIthout this step, Expel Workbench can't receive alerts from Google Cloud.

  1. Navigate to Pub/Sub > Topics.

  2. Create a new topic.

    • Topic ID: expel-integration-topic

    • Select Add a default subscription. This creates a subscription that you change in the next step.

      Make note of the full topic name because we use it later. It has the format:

      projects/[project-id]/topics/expel-integration-topic

  3. Navigate to Pub/Sub > Subscriptions.* The expel-integration-topic-sub subscription created in the last step appears in your list of subscriptions.

    Change the Acknowledgement deadline to 600 seconds and keep the default values for the rest of the options.

Make note of the full subscription name because we use it later. It looks like this: projects/[project-id]/subscriptions/expel-integration-topic-sub

Step 5: Create the aggregated organization log sinks

Note

Organization sinks can’t be created from the Google Cloud console https://cloud.google.com/logging/docs/export/aggregated_sinks so we use the gcloud command-line tool.

  1. Login to GCP.

    $ gcloud auth login

  2. List the organizations and take note of the org ID.

    $ gcloud organizations list

  3. Create the pub/sub org sink.

    • Use this command to filter activity logs:

      $ gcloud logging sinks create expel-org-sink-pubsub pubsub.googleapis.com/projects/[project-id]/topics/expel-integration-topic --include-children --organization=[org-id] --log-filter="logName=~\"cloudaudit\.googleapis\.com\%2Factivity\" AND protoPayload.serviceName!=\"k8s\.io\""

    • This automatically creates a new service account which must be granted Pub/Sub Publisher permissions on the integration’s topic.

      Created [https://logging.googleapis.com/v2/organizations/000000000000/sinks/expel-org-sink].

      Remember to grant 'serviceAccount:o278854420484-586207@gcp-sa-logging.iam. gserviceaccount.com' the Pub/Sub Publisher role on the topic.

      More information about sinks can be found at https://cloud.google.com/logging/docs/export/configure_export_v2

  4. From the console, navigate to PubSub > Topics > expel-integration-topic. Use the Permissions tab to add the service account created above as a member.

Step 6: Enable Event Threat Detection (optional)

Event Threat Detection is a service offered by Google Cloud Platform at an additional cost. If you do not use this service, skip this step. To learn more about Event Threat Detection, go to: https://cloud.google.com/security-command-center/docs/concepts-event-threat-detection-overview#log_types.

Linking Event Threat Detection with the Expel Workbench is a two-part process. You must create continuous exports for cloud logging and then create a sink.

Create continuous exports for cloud logging

  1. Go to the Security Command Center page in the GCP console.

  2. Go to Settings and click Continuous Exports.

  3. Verify Cloud Logging Export status is set to active.

  4. Click Cloud Logging Export and verify Log findings to Cloud logging is enabled.

  5. For Logging project, select the project from Step 1.

  6. Click Save.

Create a sink for Event Threat Detection

  1. Go to log router.

  2. Create a new sink.

  3. Name it ETD.

  4. Description: Monitor Event Threat Detection for Expel.

  5. Sink Destination: select the Pub/Sub topic created in Step 4 of this procedure.

  6. Choose logs to include in sink: resource.type="threat_detector". The screen should look something like this:

  7. Click Create Sink.

  8. From the Console, navigate to PubSub > Topics > expel-integration-topic. Use the Permissions tab to verify the service account created above is added with the role of Pub/Sub Publisher.

Step 7: Register Google Cloud Platform in Workbench

Now that we have the correct access configured and noted the credentials, we can integrate your tech with Workbench.

Note

Expel secures all login information our SOC analysts need about your devices in a MFA password product. Access to this login information is protected using our internal MFA processes. To learn more about the IP addresses all Expel traffic comes from, go here.

  1. Login to https://workbench.expel.io.

  2. Navigate to Organization Settings, then Security Devices.

  3. At the top of the page, click + Add Security Device.

  4. Search for and select Google Cloud Platform.

  5. Fill in the Connection Settings as follows:

    • Auth JSON: the JSON key from Step 2.

    • Subscription Name: the full PubSub subscription name from Step 4.

    • Organization ID: the GCP Organization ID from Step 3.

  6. Click Save.

You can see if the device is healthy on the Security Devices page. It may take a few minutes to see the device listed as healthy.

To check if alerts are coming through, navigate to the Alerts Analysis page. Scroll to the device you want to check and click View alerts. Switch to grid view, then check the list for device alerts. It can take 36 to 72 hours for alerts to appear after setup, as we tune your device.

Note

Don’t forget to register your Google Workspace connector using the Expel Google Workspace onboarding docs. This is essential, even if you are not a Google Workspace customer. Google tracks OAuth 2.0 token grants for Google Cloud Platform in the Google Workspace Admin Audit Logs.

Tip

This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!

  • Was this article helpful?

  • 2 out of 2 found this helpful

Related articles