This article helps you connect your GCP installation to the Expel Workbench.

Create a GCP Project

Create a Service Account

Create cloud asset custom role and add to service account

Configure Pub/Sub

Create an aggregated org sink

Enable Event Threat Detection (optional)

Register Google Cloud Platform in Expel Workbench


This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!

  • A Google Cloud Platform admin account.

  • GCloud command-line tool installed.

  • A Google Workspace connector added to your Workbench account.

Step 1: Create a Google Cloud Platform project

Create a project and call it expel-integration. Use it to host the rest of the integration’s resources.

Step 2: Create a service account

  1. Login to the GCP console and navigate to the expel-integration project.

  2. From the navigation menu, go to IAM & Admin > Service Accounts.

  3. Create a new service account and fill in the details.

    • Service account name: expel-gcp-integration

    • Service account ID: [auto-filled]

    • Service account description: used by Expel

  4. Grant the service account Pub/Sub Subscriber and BigQuery Job User permissions.

  5. Generate a JSON private key and download it.


Step 3: Create cloud asset custom role and add to service account

  1. Open Google Cloud Platform.

  2. Make sure you are under the Organization and not a project.

  3. Navigate to IAM & Admin > Roles.

  4. Click Create Role.

  5. Fill in the Title, Description, and ID.

  6. Click Add Permissions.

  7. Add these to the requested permissions, then click Add:

    • cloudasset.assets.listResource

    • cloudasset.assets.listIamPolicy

    • cloudasset.assets.listOrgPolicy

    • cloudasset.assets.listAccessPolicy

    • cloudasset.assets.listOSInventories

  8. After you are done adding permissions, click Create.

  9. The next step is adding the Service Account with the Role to IAM. You might need to log out and back in to see the new role as an option.

  10. Verify you are still under the Organization and not a project.

  11. Navigate to IAM & Admin > IAM.

  12. Click Add.

  13. Paste in the Service Account Email ( if following this guide's nomenclature) as the new Principal.


Step 4: Configure a PubSub topic and subscription

  1. Navigate to Pub/Sub > Topics.

  2. Create a new topic

    • Topic ID: expel-integration-topic

      Screen Shot 2021-06-23 at 12.10.55 PM.png
    • Select Add a default subscription. This creates a subscription that you change in the next step.

      Make note of the full topic name because we use it later. It has the format:


  3. Navigate to Pub/Sub > Subscriptions.* The "expel-integration-topic-sub" subscription created in the last step appears in your list of subscriptions.

    Change the Acknowledgement deadline to 600 seconds and keep the default values for the rest of the options.


Make note of the full subscription name because we use it later. It looks like this: projects/[project-id]/subscriptions/expel-integration-topic-sub

Step 5: Create the aggregated organization log sinks


Organization sinks can’t be created from the Google Cloud console so we use the gcloud command-line tool.

  1. Login to GCP.

    $ gcloud auth login
  2. List the organizations and take note of the org ID.

    $ gcloud organizations list
  3. Create the pub/sub org sink.

    • Use this command to filter activity logs:

      $ gcloud logging sinks create expel-org-sink-pubsub[project-id]/topics/expel-integration-topic --include-children --organization=[org-id] --log-filter="logName=~\"cloudaudit\.googleapis\.com\%2Factivity\" AND protoPayload.serviceName!=\"k8s\.io\""
    • This automatically creates a new service account which must be granted Pub/Sub Publisher permissions on the integration’s topic.

      Created [].

      Remember to grant 'serviceAccount:o278854420484-586207@gcp-sa-logging.iam.' the Pub/Sub Publisher role on the topic.

      More information about sinks can be found at

  4. From the console, navigate to PubSub > Topics > expel-integration-topic. Use the Permissions tab to add the service account created above as a member.


Step 6: Enable Event Threat Detection (optional)

Event Threat Detection is a service offered by Google Cloud Platform at an additional cost. If you do not use this service, skip this step. To learn more about Event Threat Detection, go to:

Linking Event Threat Detection with the Expel Workbench is a two-part process. You must create continuous exports for cloud logging and then create a sink.

Create continuous exports for cloud logging

  1. Go to the Security Command Center page in the GCP console.

  2. Go to Settings and click Continuous Exports.

  3. Verify Cloud Logging Export status is set to active.

  4. Click Cloud Logging Export and verify Log findings to Cloud logging is enabled.

  5. For Logging project, select the project from Step 1.

Create a sink for Event Threat Detection

  1. Go to log router.

  2. Create a new sink.

  3. Name it ETD.

  4. Description: Monitor Event Threat Detection for Wazuh.

  5. Sink Destination: Select the Pub/Sub topic created in Step 4 of this procedure.

  6. Choose logs to include in sink: resource.type="threat_detector". The screen should look something like this:

  7. Click Create Sink.

  8. From the Console, navigate to PubSub > Topics > expel-integration-topic. Use the Permissions tab to verify the service account created above is added with the role of Pub/Sub Publisher.

Step 7: Register Google Cloud Platform in Workbench

  1. Login to

  2. Navigate to Settings, then Security Devices.

  3. At the top of the page, click Add Security Device.

  4. Search for and select Google Cloud Platform.

  5. Fill in the Connection Settings as follows:

    • Auth JSON: the JSON key from Step 2.

    • Subscription Name: the full PubSub subscription name from Step 4.

    • Organization ID: the GCP Organization ID from Step 3.


Don’t forget to register your Google Workspace connector using the Expel Google Workspace onboarding docs. This is essential, even if you are not a Google Workspace customer. Google tracks OAuth 2.0 token grants for Google Cloud Platform in the Google Workspace Admin Audit Logs.