Google Cloud Platform getting started guide

Version 1.0
August 13, 2020

www.expel.io

What’s in this guide?

1. Create a GCP Project

2. Create a Service Account

3. Configure Pub/Sub

4. Create an aggregated org sink

5. Enable Event Threat Detection (optional)

6. Register GCP in Expel Workbench™

7. Add Organization Configurations

Prerequisites

1. A GCP admin account

2. The gcloud command-line tool installed

3. A GSuite connector added to your Workbench account

Step 1 — Create a GCP project

Create a project named “expel-integration” and use it to host the rest of the integration’s resources (the service account, the Pub/Sub topic and subscription and, in Appendix A, the BigQuery dataset). Keeping them in a dedicated project keeps the integration’s permissions separate from your workload projects.

Step 2 — Create a service account

A. Log in to the GCP console and navigate to the expel-integration project

B. From the navigation menu, go to IAM & Admin > Service Accounts


Figure 1

C. Create a new service account and fill in the details

Service account name: expel-gcp-integration

Service account ID: [auto filled]

Service account description: used by expel

Figure 2


D. Grant the service account the Pub/Sub Subscriber role. The integration only pulls from the subscription created in Step 3, so the role can be granted on that subscription alone (from its Permissions tab) instead of project-wide; the console’s create-service-account flow grants it at project level.

Figure 3

E. Generate a JSON private key and download it. This key is the integration’s only credential: it is uploaded to Workbench in Step 6, after which the downloaded copy should be deleted rather than left on a workstation or committed to a repository.

Figure 4


Step 3 — Configure a Pub/Sub topic and subscription

A. Navigate to Pub/Sub > Topics

Figure 5

B. Create a new topic and choose a Google-managed encryption key

Topic ID: expel-integration-topic

Figure 6

Take note of the full topic name since we’ll use it later. It has the following format: projects/[project-name]/topics/expel-integration-topic


C. Navigate to Pub/Sub > Subscriptions, create a new subscription, and use the following settings:

■ Subscription ID: expel-integration-subscription
■ Select a Cloud Pub/Sub topic: expel-integration-topic
■ Delivery Type: Pull
■ Subscription expiration: 31 days
■ Acknowledgment deadline: 600 seconds
■ Message retention duration: 7 days
■ Uncheck Retain acknowledged messages

Figure 7

Take note of the full subscription name since we’ll use it later. It has the following format: projects/[project-name]/subscriptions/expel-integration-subscription


Step 4 — Create the aggregated organization log sinks

Note: aggregated organization sinks can’t be created from the Google Cloud console (see https://cloud.google.com/logging/docs/export/aggregated_sinks), so we’ll use the gcloud command-line tool.

A. Log in to GCP

$ gcloud auth login

B. List the organizations and take note of the org ID

$ gcloud organizations list

C. Create the Pub/Sub org sink

The filter selects Admin Activity audit logs (log names ending in cloudaudit.googleapis.com%2Factivity) and drops the high-volume Kubernetes (k8s.io) audit entries. In the Logging query language AND binds more tightly than OR, so the activity clause and the k8s.io exclusion are grouped in parentheses; without them the exclusion would attach only to the Event Threat Detection clause and the Kubernetes entries would still be exported. Use straight quotes when pasting the commands.

If your organization plans to use the Event Threat Detection service, use this command:

$ gcloud logging sinks create expel-org-sink-pubsub \
    pubsub.googleapis.com/projects/[project-name]/topics/expel-integration-topic \
    --include-children --organization=[org-id] \
    --log-filter="(logName=~\"cloudaudit\.googleapis\.com\%2Factivity\" AND protoPayload.serviceName!=\"k8s.io\") OR resource.type=\"threat_detector\""

If your organization does not plan to use the Event Threat Detection service, use this command:

$ gcloud logging sinks create expel-org-sink-pubsub \
    pubsub.googleapis.com/projects/[project-name]/topics/expel-integration-topic \
    --include-children --organization=[org-id] \
    --log-filter="logName=~\"cloudaudit\.googleapis\.com\%2Factivity\" AND protoPayload.serviceName!=\"k8s.io\""

Creating the sink also creates its writer identity, a Google-managed service account that performs the export. It must be granted the Pub/Sub Publisher role on the integration’s topic, or nothing will be delivered. gcloud prints the identity when the sink is created (sample output below), and it can be read back at any time from the writerIdentity field of gcloud logging sinks describe, run with the same --organization flag.

Created [https://logging.googleapis.com/v2/organizations/000000000000/sinks/expel-org-sink-pubsub].

Please remember to grant `serviceAccount:[writer-identity]` the Pub/Sub Publisher role on the topic.

More information about sinks can be found at https://cloud.google.com/logging/docs/export/configure_export


D. From the console, navigate to Pub/Sub > Topics > expel-integration-topic

On the Permissions tab, grant the sink’s writer identity from Step 4C the Pub/Sub Publisher role.

Figure 8

Figure 9
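The grouping problem in the Step 4C filter is easiest to see by running its three clauses over a few log entries. The block below is an added example in Python, not code from Expel’s guide or from Google: the predicate functions reproduce the filter’s clauses, the LogEntry objects and the Pub/Sub envelope are constructed (field names follow the real audit-log schema, the values are made up), and triage_fields pulls out what an analyst looks at first in an exported Admin Activity entry.

```python
"""Added example (not from Expel's guide): check the Step 4 sink filter's
AND/OR grouping against constructed audit-log entries and pull the fields an
analyst triages first out of a sink-published Pub/Sub message."""
import base64
import json
import re

# Log-name suffix of Admin Activity audit logs, the same regex the sink uses.
ACTIVITY_LOG = re.compile(r"cloudaudit\.googleapis\.com%2Factivity")


def is_activity_log(entry):
    # logName=~"cloudaudit.googleapis.com%2Factivity"
    return bool(ACTIVITY_LOG.search(entry.get("logName", "")))


def is_threat_finding(entry):
    # resource.type="threat_detector" (Event Threat Detection findings)
    return entry.get("resource", {}).get("type") == "threat_detector"


def is_not_k8s(entry):
    # protoPayload.serviceName!="k8s.io". A finding has no protoPayload, so a
    # missing field counts as "not k8s" here; the grouped filter below never
    # makes a finding depend on this clause anyway.
    return entry.get("protoPayload", {}).get("serviceName") != "k8s.io"


def filter_as_written(entry):
    """A OR B AND C: AND binds tighter, so this is A OR (B AND C) and the
    k8s.io exclusion never applies to the Admin Activity entries."""
    return is_activity_log(entry) or (is_threat_finding(entry) and is_not_k8s(entry))


def filter_grouped(entry):
    """(A AND C) OR B: k8s.io audit entries dropped, every finding kept."""
    return (is_activity_log(entry) and is_not_k8s(entry)) or is_threat_finding(entry)


# Constructed LogEntry objects (schema-shaped, values invented for the example).
SAMPLE_ENTRIES = [
    {   # IAM policy change on the integration project: must be exported
        "logName": "projects/expel-integration/logs/cloudaudit.googleapis.com%2Factivity",
        "resource": {"type": "project", "labels": {"project_id": "expel-integration"}},
        "protoPayload": {
            "serviceName": "cloudresourcemanager.googleapis.com",
            "methodName": "SetIamPolicy",
            "resourceName": "projects/expel-integration",
            "authenticationInfo": {"principalEmail": "admin@example.com"},
            "requestMetadata": {"callerIp": "203.0.113.10"},
        },
    },
    {   # GKE control-plane audit entry: the k8s.io clause should drop it
        "logName": "projects/prod-app/logs/cloudaudit.googleapis.com%2Factivity",
        "resource": {"type": "k8s_cluster", "labels": {"cluster_name": "prod"}},
        "protoPayload": {
            "serviceName": "k8s.io",
            "methodName": "io.k8s.core.v1.pods.create",
            "resourceName": "core/v1/namespaces/default/pods/web-0",
            "authenticationInfo": {"principalEmail": "deployer@example.com"},
            "requestMetadata": {"callerIp": "10.0.0.5"},
        },
    },
    {   # Event Threat Detection finding: no protoPayload at all
        "logName": "organizations/000000000000/logs/threatdetection.googleapis.com%2Fdetection",
        "resource": {"type": "threat_detector", "labels": {"detector_name": "bad_ip"}},
        "jsonPayload": {"detectionCategory": {"ruleName": "bad_ip"}},
    },
]


def evaluate(entries, predicate):
    """Which of `entries` a sink with the given filter would export."""
    return [predicate(e) for e in entries]


def wrap_as_pubsub_message(entry):
    """Envelope of a sink-published message as the REST pull API returns it:
    the LogEntry as JSON in `data`, base64-encoded (constructed here)."""
    return {"data": base64.b64encode(json.dumps(entry).encode()).decode(),
            "attributes": {"logging.googleapis.com/timestamp": "2020-08-13T00:00:00Z"}}


def decode_pubsub_message(message):
    return json.loads(base64.b64decode(message["data"]))


def triage_fields(entry):
    """Who did what, to which resource, from where; findings are flagged."""
    pp = entry.get("protoPayload", {})
    return {
        "principal": pp.get("authenticationInfo", {}).get("principalEmail"),
        "method": pp.get("methodName"),
        "resource": pp.get("resourceName"),
        "caller_ip": pp.get("requestMetadata", {}).get("callerIp"),
        "finding": entry["resource"]["labels"].get("detector_name")
        if is_threat_finding(entry) else None,
    }


if __name__ == "__main__":
    print("as written:", evaluate(SAMPLE_ENTRIES, filter_as_written))
    print("grouped:   ", evaluate(SAMPLE_ENTRIES, filter_grouped))
    for e in SAMPLE_ENTRIES:
        print(triage_fields(decode_pubsub_message(wrap_as_pubsub_message(e))))
```

Run stand-alone it shows the ungrouped filter exporting all three entries and the grouped one dropping only the Kubernetes entry. The same predicates can be pointed at a real pull from expel-integration-subscription (messages decode exactly as wrap_as_pubsub_message builds them) to confirm what the sink is actually delivering before Workbench is wired up.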


Step 5 — Enable Event Threat Detection (optional)

Reference: https://cloud.google.com/event-threat-detection/docs/quickstart-etd-console

Note: There is an additional cost from GCP to enable this service.

Step 6 — Register GCP in Workbench

A. Log in to https://workbench.expel.io

B. Navigate to Settings, then Security Devices

C. At the top right of the page, select Add New Device

D. Search for and select GCP

E. Fill in the Connection Settings as follows:

a. Auth JSON: the JSON key downloaded in Step 2E

b. Subscription Name: the full Pub/Sub subscription name from Step 3C (projects/[project-name]/subscriptions/expel-integration-subscription)

F. Click Save

After a few minutes (this may take as long as 15 minutes), refresh the Security Devices page and you should see your device reporting as Healthy. If there is an issue, the status will be Unhealthy and there will be a message with more detail on the source of the problem.

Note: Don’t forget to register your GSuite connector using Expel’s GSuite onboarding docs. This is essential even if you are not a GSuite customer: Google records OAuth 2.0 token grants made against GCP in the GSuite audit logs (the Token audit log), not in Cloud Audit Logs, so without the connector those grants are invisible.

Step 7 — Add Organization Configurations

Organization configurations for GCP help us tailor our service and detections to the needs of each customer. This is especially important if you use an infrastructure-as-code tool to administer your GCP environment, since its service account generates a steady stream of administrative changes. To set them, in Workbench click Settings, then My Organization, and finally the CONFIGURATION tab.

Cloud Apps/Cloud Infrastructure Configuration

In the search box type “gcp”. Customers who have only purchased Cloud Infrastructure security monitoring for GCP (not including GSuite) should check the “GCP only customer” configuration and save.


Figure 10

Customers who have purchased both Cloud Infrastructure and Cloud Apps security monitoring should leave the “GCP only customer” configuration unchecked.

Figure 11

That’s it! Give yourself a pat on the back — you’re done! If you have any issues, concerns, questions or feedback, please don’t hesitate to contact Expel at [email protected].


Appendix A: Data access log support in BigQuery

Data Access audit logs record activity on the data plane of GCP: requests to the resources themselves, such as object reads and writes, which answer questions like “Who accessed file data in a storage bucket?” Expel does not offer monitoring and detection support for Data Access audit logs; however, Expel will use these logs to support alert triage and investigations.

These logs are off by default and must be enabled by the customer, and they are billed as Cloud Logging ingestion; please review Google’s pricing reference for more information. Note: these logs can be voluminous, especially where resources are read by the public or by high-volume workloads. Make sure you thoroughly understand the cost impact before enabling Data Access audit logs.

Prerequisites

1. The GCP getting started guide above completed

2. The gcloud command-line tool installed

Step 1 — Configure BigQuery

A. Navigate to BigQuery in the “expel-integration” project and create a new dataset.

Figure 1


■ Dataset ID: expel_integration_dataset
■ Data location: Default
■ Default Table Expiration: 30 days
■ Encryption: Google-managed key

B. From the dataset settings click on SHARE DATASET and grant the “expel-gcp-integration” service account (created in Step 2 of the GCP onboarding guide) the BigQuery Data Viewer role. The service account also needs the BigQuery User role, which carries the bigquery.jobs.create permission it needs to run queries; that permission is project-scoped, so grant BigQuery User on the expel-integration project from IAM & Admin > IAM rather than on the dataset.

Figure 2

Step 2 — Create the BigQuery org sink

Note: aggregated organization sinks can’t be created from the Google Cloud console (see https://cloud.google.com/logging/docs/export/aggregated_sinks), so we’ll use the gcloud command-line tool.

A. Log in to GCP

$ gcloud auth login

B. List the organizations and take note of the org ID

$ gcloud organizations list


C. Create the BigQuery org sink (use straight quotes when pasting):

If your organization plans to use the Event Threat Detection service, use this command:

$ gcloud logging sinks create expel-org-sink-bigquery \
    bigquery.googleapis.com/projects/[project-name]/datasets/expel_integration_dataset \
    --include-children --organization=[org-id] \
    --log-filter="logName=~\"cloudaudit\.googleapis\.com\%2Fdata_access\" OR resource.type=\"threat_detector\""

If your organization does not plan to use the Event Threat Detection service, use this command:

$ gcloud logging sinks create expel-org-sink-bigquery \
    bigquery.googleapis.com/projects/[project-name]/datasets/expel_integration_dataset \
    --include-children --organization=[org-id] \
    --log-filter="logName=~\"cloudaudit\.googleapis\.com\%2Fdata_access\""

As in Step 4, this creates a writer identity for the sink (printed by gcloud, and available later from the writerIdentity field of gcloud logging sinks describe). Grant it the BigQuery Data Editor role on expel_integration_dataset through SHARE DATASET in the console; until it has that role the sink cannot write tables.

Figure 3


Step 3 — Enable Data Access audit logs

Admin Activity audit logs are enabled by default in GCP and cannot be turned off. During your initial onboarding your organization was configured to send Admin Activity audit logs and Event Threat Detection alerts to Expel for monitoring and security detection support. Data Access audit logs are not enabled by default in GCP, and enabling them incurs logging charges.

Reference: https://cloud.google.com/logging/docs/audit/understanding-audit-logs https://cloud.google.com/logging/docs/audit/configure-data-access

Default Configuration Option

A default audit log configuration can be set in the organization’s IAM policy so that all new folders and projects inherit it. This saves administrative hassle down the road.

Cost Conscious Option

If you only want to collect Data Access audit logs from projects with particularly sensitive data, or just from production projects, you can set the configuration at any level of the resource hierarchy (organization, folder or project). The effective configuration of a project is the union of what is set at each level above it, so a project can add to, but not switch off, what the organization enables. For example, if your organization has a production project with very sensitive client data stored in Cloud Storage, you may consider enabling only the Google Cloud Storage Data Access audit logs in that particular project and leaving them turned off in all of the other projects.

Enabling the Logs by Service

From IAM & Admin in the console, click on “Audit Logs.” Each service API can be enabled or disabled from this table. These are some of the services you may consider enabling:

■ Cloud Billing API
■ Cloud Build API
■ Cloud Functions API
■ Cloud Key Management Service (KMS) API
■ Cloud Logging API
■ Cloud Memorystore for Redis API
■ Cloud Pub/Sub API
■ Cloud Resource Manager API
■ Cloud SQL
■ Compute Engine API
■ Google App Engine Admin API
■ Google Cloud Deployment Manager V2 API
■ Google Cloud Storage
■ Identity and Access Management (IAM) API
■ Secret Manager API

Figure 4

Note: Some services generate large volumes of log data (Kubernetes, the Compute Engine API and Google Cloud Storage in particular), which may significantly affect cost.

For each service, select the log types you want (Admin Read, Data Read, Data Write) and click Save.

Figure 5

As new projects are created and services are enabled by users, the audit log configuration is inherited through IAM and the resulting entries are written to the expel_integration_dataset by the BigQuery sink from Step 2.
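Both options above are usually applied with the gcloud CLI rather than the console once more than a handful of projects are involved: fetch the IAM policy of the organization, folder or project as JSON with get-iam-policy, add or extend its auditConfigs, and write it back with set-iam-policy. The block below is an added example in Python, not Expel’s or Google’s code. It edits the policy document in exactly that shape without disturbing existing bindings, the etag or other services’ audit settings, and it runs against a constructed sample policy when given no arguments. The preloaded service list is an assumption drawn from the Appendix A list above; which services and log types you enable is your choice.

```python
"""Added example (not from Expel's guide or Google's tooling): merge Data
Access audit-log settings into an IAM policy fetched with
`gcloud organizations get-iam-policy ORG_ID --format=json` (or the folders/
projects equivalent) so it can be written back with set-iam-policy."""
import copy
import json
import sys

VALID_LOG_TYPES = ("ADMIN_READ", "DATA_READ", "DATA_WRITE")


def enable_data_access_logs(policy, services, log_types=("DATA_READ", "DATA_WRITE"),
                            exempted_members=()):
    """Return a copy of `policy` with `log_types` switched on for every service
    in `services` ("allServices" is Google's wildcard). Bindings, etag, version
    and other services' audit configs are left as they are; calling it twice
    with the same arguments changes nothing, so it is safe in a pipeline."""
    unknown = set(log_types) - set(VALID_LOG_TYPES)
    if unknown:
        raise ValueError(f"unknown logType(s): {sorted(unknown)}")
    new_policy = copy.deepcopy(policy)
    configs = new_policy.setdefault("auditConfigs", [])
    by_service = {c["service"]: c for c in configs}
    for service in services:
        cfg = by_service.get(service)
        if cfg is None:
            cfg = {"service": service, "auditLogConfigs": []}
            configs.append(cfg)
            by_service[service] = cfg
        by_type = {c["logType"]: c for c in cfg["auditLogConfigs"]}
        for log_type in log_types:
            log_cfg = by_type.get(log_type)
            if log_cfg is None:
                log_cfg = {"logType": log_type}
                cfg["auditLogConfigs"].append(log_cfg)
                by_type[log_type] = log_cfg
            if exempted_members:
                # exemptedMembers suppresses logging for named principals,
                # e.g. a backup service account that would otherwise flood DATA_READ.
                members = set(log_cfg.get("exemptedMembers", [])) | set(exempted_members)
                log_cfg["exemptedMembers"] = sorted(members)
    return new_policy


def enabled_log_types(policy, service):
    """Log types switched on for `service` in this policy; run it on the
    edited document before set-iam-policy. Only this resource's own policy is
    read: a project's effective setting is the union with its folder and
    organization policies, which this function does not fetch."""
    for cfg in policy.get("auditConfigs", []):
        if cfg["service"] == service:
            return sorted(c["logType"] for c in cfg["auditLogConfigs"])
    return []


# Constructed policy in the shape gcloud prints (etag and members are made up).
SAMPLE_POLICY = {
    "etag": "CONSTRUCTED_ETAG",
    "version": 1,
    "bindings": [{"role": "roles/owner", "members": ["user:admin@example.com"]}],
    "auditConfigs": [
        {"service": "cloudkms.googleapis.com", "auditLogConfigs": [{"logType": "DATA_READ"}]},
    ],
}

# Assumed starting set for the cost-conscious option, taken from the Appendix A list.
SENSITIVE_SERVICES = ["storage.googleapis.com", "cloudkms.googleapis.com",
                      "secretmanager.googleapis.com", "iam.googleapis.com"]

if __name__ == "__main__":
    # Usage: gcloud organizations get-iam-policy ORG_ID --format=json \
    #          | python enable_data_access.py storage.googleapis.com ... > policy.json
    #        gcloud organizations set-iam-policy ORG_ID policy.json
    # With no arguments the constructed sample policy is edited and printed.
    services = sys.argv[1:] or SENSITIVE_SERVICES
    policy = json.load(sys.stdin) if sys.argv[1:] else SAMPLE_POLICY
    json.dump(enable_data_access_logs(policy, services), sys.stdout, indent=2)
```

The etag is preserved on purpose: set-iam-policy rejects a document whose etag no longer matches the live policy, which is what protects you from overwriting a binding someone added between your get and set. For the default configuration option run it once against the organization policy; for the cost-conscious option run it per project, remembering that anything the organization already enables cannot be turned back off below it.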