1. Expel Support Center
  2. Connect your technology
  3. Cloud integrations

Google Cloud Platform setup for Workbench

Sharon Burton
  • Updated

This article helps you connect your GCP installation to the Expel Workbench.

Create a GCP Project

Create a Service Account

Create cloud asset custom role and add to service account

Configure Pub/Sub

Create an aggregated org sink

Enable Event Threat Detection (optional)

Register Google Cloud Platform in Expel Workbench

Tip

This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!

Before you start

  • A Google Cloud Platform admin account.

  • GCloud command-line tool installed.

  • A Google Workspace connector added to your Workbench account.

Step 1: Create a Google Cloud Platform project

Create a project and call it expel-integration. Use it to host the rest of the integration’s resources.

Step 2: Create a service account

  1. Login to the GCP console and navigate to the expel-integration project.

  2. From the navigation menu, go to IAM & Admin > Service Accounts.

    Screen_Shot_2021-03-05_at_12.17.46_PM.png

  3. Create a new service account and fill in the details.

    • Service account name: expel-gcp-integration

    • Service account ID: [auto-filled]

    • Service account description: used by Expel

      Screen_Shot_2021-03-05_at_12.18.28_PM.png

  4. Grant the service account Pub/Sub Subscriber and BigQuery Job User permissions.

    Screen_Shot_2021-03-05_at_12.18.55_PM.png

  5. Generate a JSON private key and download it.

    Screen_Shot_2021-03-05_at_12.19.23_PM.png

Step 3: Create cloud asset custom role and add to service account

  1. Open Google Cloud Platform.

  2. Make sure you are under the Organization and not a project.

  3. Navigate to IAM & Admin > Roles.

  4. Click Create Role.

    GCP_Step3_4.png

  5. Fill in the Title, Description, and ID.

  6. Click Add Permissions.

    GCP_Step3_6.png

  7. Add these to the requested permissions, then click Add:

    • cloudasset.assets.listResource

    • cloudasset.assets.listIamPolicy

    • cloudasset.assets.listOrgPolicy

    • cloudasset.assets.listAccessPolicy

    • cloudasset.assets.listOSInventories

    GCP_Step3_7.png

  8. After you are done adding permissions, click Create.

    GCP_Step3_8.png

  9. The next step is adding the Service Account with the Role to IAM. You might need to log out and back in to see the new role as an option.

  10. Verify you are still under the Organization and not a project.

  11. Navigate to IAM & Admin > IAM.

  12. Click Add.

    GCP_Step3_12.png

  13. Paste in the Service Account Email (expel-gcp-integration@expel-integration.iam.gserviceaccount.com if following this guide's nomenclature) as the new Principal.

    GCP_Step3_13.png

Step 4: Configure a PubSub topic and subscription

  1. Navigate to Pub/Sub > Topics.

    Screen_Shot_2021-03-05_at_12.19.50_PM.png

  2. Create a new topic

    • Topic ID: expel-integration-topic

      Screen Shot 2021-06-23 at 12.10.55 PM.png

    • Select Add a default subscription. This creates a subscription that you change in the next step.

      Make note of the full topic name because we use it later. It has the format:

      projects/[project-id]/topics/expel-integration-topic

  3. Navigate to Pub/Sub > Subscriptions.* The "expel-integration-topic-sub" subscription created in the last step appears in your list of subscriptions.

    Change the Acknowledgement deadline to 600 seconds and keep the default values for the rest of the options.

    Screen_Shot_2021-03-05_at_12.21.06_PM.png

Make note of the full subscription name because we use it later. It looks like this: projects/[project-id]/subscriptions/expel-integration-topic-sub

Step 5: Create the aggregated organization log sinks

Note

Organization sinks can’t be created from the Google Cloud console https://cloud.google.com/logging/docs/export/aggregated_sinks so we use the gcloud command-line tool.

  1. Login to GCP.

    $ gcloud auth login

  2. List the organizations and take note of the org ID.

    $ gcloud organizations list

  3. Create the pub/sub org sink.

    • Use this command to filter activity logs:

      $ gcloud logging sinks create expel-org-sink-pubsub pubsub.googleapis.com/projects/[project-id]/topics/expel-integration-topic --include-children --organization=[org-id] --log-filter="logName=~\"cloudaudit\.googleapis\.com\%2Factivity\" AND protoPayload.serviceName!=\"k8s\.io\""

    • This automatically creates a new service account which must be granted Pub/Sub Publisher permissions on the integration’s topic.

      Created [https://logging.googleapis.com/v2/organizations/000000000000/sinks/expel-org-sink].

      Remember to grant 'serviceAccount:o278854420484-586207@gcp-sa-logging.iam. gserviceaccount.com' the Pub/Sub Publisher role on the topic.

      More information about sinks can be found at https://cloud.google.com/logging/docs/export/configure_export_v2

  4. From the console, navigate to PubSub > Topics > expel-integration-topic. Use the Permissions tab to add the service account created above as a member.

    Screen_Shot_2021-03-05_at_12.21.41_PM.png
    Screen_Shot_2021-03-05_at_12.22.16_PM.png

Step 6: Enable Event Threat Detection (optional)

Event Threat Detection is a service offered by Google Cloud Platform at an additional cost. If you do not use this service, skip this step. To learn more about Event Threat Detection, go to: https://cloud.google.com/security-command-center/docs/concepts-event-threat-detection-overview#log_types.

Linking Event Threat Detection with the Expel Workbench is a two-part process. You must create continuous exports for cloud logging and then create a sink.

Create continuous exports for cloud logging

  1. Go to the Security Command Center page in the GCP console.

  2. Go to Settings and click Continuous Exports.

    googlecloud.png

  3. Verify Cloud Logging Export status is set to active.

  4. Click Cloud Logging Export and verify Log findings to Cloud logging is enabled.

    googlecloud1.png

  5. For Logging project, select the project from Step 1.

  6. Click Save.

Create a sink for Event Threat Detection

  1. Go to log router.

  2. Create a new sink.

  3. Name it ETD.

  4. Description: Monitor Event Threat Detection for Wazuh.

  5. Sink Destination: Select the Pub/Sub topic created in Step 4 of this procedure.

  6. Choose logs to include in sink: resource.type="threat_detector". The screen should look something like this:

    Google_Cloud_Sink.png

  7. Click Create Sink.

  8. From the Console, navigate to PubSub > Topics > expel-integration-topic. Use the Permissions tab to verify the service account created above is added with the role of Pub/Sub Publisher.

Step 7: Register Google Cloud Platform in Workbench

Now that we have the correct access configured and noted the credentials, we can integrate your tech with Workbench.

  1. Login to https://workbench.expel.io.

  2. Navigate to Settings, then Security Devices.

  3. At the top of the page, click Add Security Device.

    Button_WB_add_security_device.png

  4. Search for and select Google Cloud Platform.

  5. Fill in the Connection Settings as follows:

    • Auth JSON: the JSON key from Step 2.

    • Subscription Name: the full PubSub subscription name from Step 4.

    • Organization ID: the GCP Organization ID from Step 3.

  6. Click Save.

To check if alerts are coming through, navigate to Alerts on the console page. Click the icon in the upper right to switch to grid view, then check the list for device alerts.

Note

Don’t forget to register your Google Workspace connector using the Expel Google Workspace onboarding docs. This is essential, even if you are not a Google Workspace customer. Google tracks OAuth 2.0 token grants for Google Cloud Platform in the Google Workspace Admin Audit Logs.

  • Was this article helpful?

  • 2 out of 2 found this helpful

Related articles