The Google Cloud Platform sensor

The Google Cloud Platform sensor collects and processes audit information related to Google Cloud resources.

This section guides you through adding an XDR sensor that retrieves Google Cloud events in GravityZone Control Center.

Important

This integration requires a Google Cloud Pub/Sub subscription, which may incur additional costs.

Prerequisites

To complete the prerequisites, you must first decide on the scope of the data being sent to GravityZone. You can set up the sensor to collect data from one Google Cloud project or from your entire Google Cloud organization. Consider the second option carefully, as it may result in higher resource usage and costs.

Collecting data from a Google Cloud project

Before setting up the Google Cloud Platform sensor, make sure you complete these steps:

  1. Create a project in the Google Cloud console. If you already have one you can use for this purpose, skip this step.

  2. In this project, create a Pub/Sub topic with the default settings.

  3. On the topic's details page, scroll down to the Subscriptions tab and copy the Subscription ID. This information is required for the sensor configuration process in GravityZone Control Center.

  4. Create a log routing sink associated with the previously created topic.

    1. Type Log router in the search bar at the top of the page, then click the corresponding Logging > Log router page result.

    2. Click Create sink.

    3. In the Sink details section, add a name and a description, and click Next.

    4. In the Sink destination section, select the Cloud Pub/Sub topic service and the topic you have previously created. Click Next.

    5. Click Create sink.

  5. Grant the sink's writer identity the Pub/Sub Publisher role on the topic.

    1. Type Log router in the search bar at the top of the page, then click the corresponding Logging > Log router page result.

    2. In the Log router sinks dashboard, click the inline menu for your newly created sink and select View sink details.

    3. Copy the value of the Writer identity field, starting after serviceAccount:.

    4. Type Topics in the search bar at the top of the page, then click the corresponding Pub/Sub > Topics page result.

    5. In the Topics dashboard, click the inline menu for the previously created topic and select View permissions.

    6. In the right-side panel, click Add principal.

    7. In the New principals field, add the Writer identity value you have copied at step c.

    8. For the Role field, choose Pub/Sub Publisher.

    9. Click Save.

  6. Create an IAM service account configured with the Pub/Sub Subscriber role.

    1. Type Service Accounts in the search bar at the top of the page, then click the corresponding IAM & Admin > Service Accounts page result.

    2. In the Service accounts section, click Create service account.

    3. In the Service account details section, add a name for your service account.

      The Service account ID is generated automatically.

    4. Click Create and continue.

    5. In the Grant this service account access to the project section, select the Pub/Sub Subscriber role.

    6. Click Continue.

    7. Click Done.

      You will be redirected to the Service accounts dashboard.

  7. Export the service account key in JSON format.

    1. In the Service accounts dashboard, click the inline menu for your service account and select Manage keys.

    2. In the Add key menu, select Create new key.

    3. Keep the default settings and click Create.

      This action downloads the JSON file required for the sensor configuration process in GravityZone Control Center.

Collecting data from a Google Cloud organization

Important

This procedure requires that you have the Logging Admin role assigned.

Before setting up the Google Cloud Platform sensor in GravityZone, make sure you complete these steps:

  1. In the Google Cloud console, create a project in your organization. If you already have one you can use for this purpose, skip this step.

  2. In this project, create a Pub/Sub topic with the default settings.

  3. On the topic's details page, scroll down to the Subscriptions tab and copy the Subscription ID. This information is required for the sensor configuration process in GravityZone Control Center.

  4. At the top of the topic's details page, click the Copy to clipboard button. The full Topic name is required for the next step.

  5. Create a log routing sink associated with the previously created topic.

    1. Select your organization from the drop-down menu next to the Google Cloud logo.

    2. Type Log router in the search bar at the top of the page, then click the corresponding Logging > Log router page result.

    3. Click Create sink.

    4. In the Sink details section, add a name and a description, and click Next.

    5. In the Sink destination section, select the Cloud Pub/Sub topic service.

    6. Click inside the Select Cloud Pub/Sub topic field and select the Use a Cloud Pub/Sub topic in a project option. The field will autocomplete with a path template.

    7. In the Sink destination field, delete all the information after pubsub.googleapis.com/ and paste the full Topic name you copied at step 4.

    8. Click Next.

    9. In the Choose logs to include in sink section, select the Include logs ingested by this organization and all child resources option.

    10. Click Next and then Create sink.

  6. Grant the sink's writer identity the Pub/Sub Publisher role on the topic.

    1. Type Log router in the search bar at the top of the page, then click the corresponding Logging > Log router page result.

    2. In the Log router sinks dashboard, click the inline menu for your newly created log routing sink and select View sink details.

    3. Copy the value of the Writer Identity field, starting after serviceAccount:.

    4. Type Topics in the search bar at the top of the page, then click the corresponding Pub/Sub > Topics page result.

    5. Select your Google Cloud project.

    6. In the Topics dashboard, click the inline menu for the topic you created at step 2 and select View permissions.

    7. In the right-side panel, verify that the value you copied at step 6c is listed in the Role/Principal section. If it is, skip to step 7 (creating the IAM service account). If it is not listed there, continue with the steps below.

    8. Click the Add principal button.

    9. In the New principals field, add the Writer Identity value you copied at step 6c.

    10. For the Role field, choose Pub/Sub Publisher.

    11. Click Save.

  7. Create an IAM service account configured with the Pub/Sub Subscriber role.

    1. Type Service Accounts in the search bar at the top of the page, then click the corresponding IAM & Admin > Service Accounts page result.

    2. In the Service accounts section, click Create Service Account.

    3. In the Service account details section, add a name for your service account.

      The Service account ID is generated automatically.

    4. Click Create and continue.

    5. In the Grant this service account access to the project section, select the Pub/Sub Subscriber role.

    6. Click Continue.

    7. Click Done.

      You will be redirected to the Service accounts dashboard.

  8. Export the service account key in JSON format.

    1. In the Service accounts dashboard, click the inline menu for your service account and select Manage keys.

    2. In the Add key menu, select Create new key.

    3. Keep the default settings and click Create.

      This action downloads the JSON file required for the sensor configuration process in GravityZone Control Center.
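The two console procedures above (project-scoped and organization-scoped), as an added gcloud script that is not part of Bitdefender's documentation: every resource name is a placeholder, the script assumes an authenticated gcloud CLI with rights to create topics, sinks and service accounts, and, as a deliberate narrowing, it grants Pub/Sub Subscriber on the subscription alone rather than project-wide as the console steps do.

```shell
#!/bin/sh
# Added example: gcloud equivalent of the console prerequisites.
# All names below are placeholders; set ORG_ID to route logs for a
# whole organization (requires the Logging Admin role), leave it
# empty for a single project.
PROJECT="${PROJECT:-my-project-id}"
ORG_ID="${ORG_ID:-}"
TOPIC="${TOPIC:-gravityzone-xdr-topic}"
SUB="${SUB:-gravityzone-xdr-sub}"
SINK="${SINK:-gravityzone-xdr-sink}"
SA_NAME="${SA_NAME:-gravityzone-xdr-reader}"

# Sink destination for a Pub/Sub topic: the value pasted after
# pubsub.googleapis.com/ in the organization procedure.
topic_path() { printf 'pubsub.googleapis.com/projects/%s/topics/%s\n' "$1" "$2"; }

# The console's Add principal field wants the bare email, hence the
# page's "copy after serviceAccount:"; gcloud --member takes the full value.
strip_sa_prefix() { printf '%s\n' "${1#serviceAccount:}"; }

setup_sensor_prereqs() {
  set -e
  gcloud pubsub topics create "$TOPIC" --project="$PROJECT"
  # $SUB is the "Topic subscription ID" entered in GravityZone.
  gcloud pubsub subscriptions create "$SUB" --topic="$TOPIC" --project="$PROJECT"
  dest="$(topic_path "$PROJECT" "$TOPIC")"
  if [ -n "$ORG_ID" ]; then
    # Organization sink including all child resources.
    gcloud logging sinks create "$SINK" "$dest" --organization="$ORG_ID" --include-children
    writer="$(gcloud logging sinks describe "$SINK" --organization="$ORG_ID" --format='value(writerIdentity)')"
  else
    gcloud logging sinks create "$SINK" "$dest" --project="$PROJECT"
    writer="$(gcloud logging sinks describe "$SINK" --project="$PROJECT" --format='value(writerIdentity)')"
  fi
  echo "Sink writer identity: $(strip_sa_prefix "$writer")"
  # Let the sink publish to the topic (Pub/Sub Publisher).
  gcloud pubsub topics add-iam-policy-binding "$TOPIC" --project="$PROJECT" \
    --member="$writer" --role=roles/pubsub.publisher
  # Reader identity for GravityZone; Subscriber is bound to the one
  # subscription instead of the whole project (least privilege).
  gcloud iam service-accounts create "$SA_NAME" --project="$PROJECT" \
    --display-name="GravityZone XDR GCP sensor"
  sa_email="$SA_NAME@$PROJECT.iam.gserviceaccount.com"
  gcloud pubsub subscriptions add-iam-policy-binding "$SUB" --project="$PROJECT" \
    --member="serviceAccount:$sa_email" --role=roles/pubsub.subscriber
  # The JSON key is the file imported in the sensor's Service account details.
  gcloud iam service-accounts keys create "./$SA_NAME-key.json" --iam-account="$sa_email"
}

if [ "${RUN_SETUP:-0}" = "1" ]; then setup_sensor_prereqs; fi
```

Run with `RUN_SETUP=1` to execute the gcloud calls; if Test connectivity in GravityZone fails with the subscription-scoped grant, bind roles/pubsub.subscriber at project level as in the console steps.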

Setting up the Google Cloud Platform sensor

To configure the Google Cloud Platform sensor, follow these steps:

  1. In the Configuration > Sensors Management page, select Add new to integrate a new sensor.

  2. Select the Google Cloud Platform sensor and click Integrate.

  3. On the Check Requirements page, confirm that the prerequisite steps have been completed.

  4. Name the integration and provide the necessary Google Cloud Platform details.

    1. In the Topic subscription ID field, add the subscription ID you copied at step 3 of the Prerequisites procedure.

    2. In the Service account details section, import the JSON key file you downloaded at the last step of the Prerequisites procedure.

  5. Select Test connectivity.

  6. Select Add sensor.

    The new integration will be available in the Sensors Management grid.