The Google Cloud Platform sensor integration

The Google Cloud Platform sensor collects and processes audit information related to Google Cloud resources.

Important

This integration requires a Google Cloud Pub/Sub subscription, which may incur additional costs.

Google Cloud Platform sensor prerequisites

To complete the prerequisites, you must first decide on the scope of data being sent to GravityZone. You can set up the sensor to collect data from one Google Cloud project per sensor integration or from your entire Google Cloud organization. Careful consideration should be taken when choosing the second option, as it may result in higher resource usage and costs.

Collecting data from a Google Cloud project

Before setting up the Google Cloud Platform sensor, make sure sure you complete these steps in the Google Cloud console:

Create a Google Cloud Platform project. If you already have one you can use for this purpose, skip this step.
1. Go to the Google Cloud console.
2. Click the Select a project button, next to the Google Cloud logo.
3. Click the New project button in the upper-right corner of the window.
4. Name your project and click Create.
Create a Pub/Sub topic set up with a default subscription.
1. In the left-side menu, expand the More products section, scroll to the Analytics section and go to Pub/Sub > Topics.
2. In the Topics section, click Create topic.
3. In the Topic ID field, add a name for your topic and click Create. Keep the default settings.
  You will be redirected to the topic's details page.
4. Scroll down to the Subscriptions tab and copy the subscription ID. It is required information for the sensor configuration process in GravityZone Control Center.
Create a Log router sink associated with the newly created topic.
1. In the left-side menu, expand the More products section, scroll to the Operations section and go to Logging > Log router.
2. In the Log router sinks section, click Create sink.
3. In the Sink details section, add a name and a description, and click Next.
4. In the Sink destination section, select the Cloud Pub/Sub topic service and the topic you have previously created.
5. Click Create sink.
Configure the Pub/Sub topic with the Pub/Sub Publisher role.
1. In the left-side menu, click Log router.
2. In the Log router sinks dashboard, click the inline menu for your newly created router sink and select View sink details.
3. Copy the value of the Writer Identity field, starting after serviceAccount:.
4. In the left-side menu, scroll to the Analytics section and go to Pub/Sub > Topics.
5. In the Topics dashboard, click the inline menu for the topic you created in step 2 and select View permissions.
6. In the right-side panel, click Add principal.
7. In the New principals field, add the Writer Identity value you copied in step c.
8. For the Role field, choose Pub/Sub Publisher.
9. Click Save.
Create an IAM service account configured with the Pub/Sub Subscriber role.
1. In the left-side menu, expand the More products section and go to IAM and admin > Service accounts.
2. In the Service accounts section, click Create Service Account.
3. In the Service account details section, add a name for your service account.
  The Service account ID is generated automatically.
4. Click Create and continue.
5. In the Grant this service account access to the project section, select the Pub/Sub Subscriber role.
6. Click Continue.
7. Click Done.
  You will be redirected to the Service accounts dashboard.
Export the service account key in JSON format.
1. In the Service accounts dashboard, click the inline menu for your service account and select Manage keys.
2. In the Add key menu, select Create new key.
3. Keep the default settings and click Create.
  This action downloads the JSON file required for the sensor configuration process in GravityZone Control Center.

Collecting data from a Google Cloud organization

To be able to successfully follow this procedure, make sure you first have the Logging Admin role assigned to your account.

Before setting up the Google Cloud Platform sensor in GravityZone, make sure sure you complete these steps in the Google Cloud console:

Select your organization and create a Google Cloud Platform project, if you do not already have one available for this purpose.
1. Go to the Google Cloud console.
2. Click the Select a project button, next to the Google Cloud logo.
3. In the new window, click on your organization name.
4. To create a project, click your organization name, next to the Google Cloud logo.
  If you already have a project you can use, you can skip to step 2.
5. In the new window, click the New project button in the upper-right corner.
6. Name your project and select your organization.
7. Click Create.
Create a Pub/Sub topic set up with a default subscription.
1. In the left-side menu, expand the More products section, scroll to the Analytics section and go to Pub/Sub > Topics.
2. In the Topics section, select your project.
3. Click the Create topic button.
4. In the Topic ID field, add a name for your topic and click Create. Keep the default settings.
  You will be redirected to the topic's details page.
5. Scroll down to the Subscriptions tab and copy the subscription ID. It is required information for the sensor configuration process in GravityZone Control Center.
6. At the top of the page, click the Copy to clipboard button. The full topic name is required for step 3.
Create a Log router sink associated with the newly created topic.
1. Select the organization from the drop-down menu next to the Google Cloud logo.
2. In the left-side menu, expand the More products section, scroll to the Operations section and go to Logging > Log router.
3. In the Log router sinks section, click Create sink.
4. In the Sink details section, add a name and a description, and click Next.
5. In the Sink destination section, select the Cloud Pub/Sub topic service.
6. Click inside the Select Cloud Pub/Sub topic field and select the Use a Cloud Pub/Sub topic in a project option. The field will autocomplete with a path template.
7. In the Sink destination field, delete the all information after pubsub.googleapis.com/ and add the information you copied at step 2f.
8. Click Next.
9. In the Choose logs to include in sink section, select the Include logs ingested by this organization and all child resources option.
10. Click Next and then Create sink.
Configure the Pub/Sub topic with the Pub/Sub Publisher role.
1. In the left-side menu, click Log router.
2. In the Log router sinks dashboard, click the inline menu for your newly created router sink and select View sink details.
3. Copy the value of the Writer Identity field, starting after serviceAccount:.
4. In the left-side menu, scroll to the Analytics section and go to Pub/Sub > Topics.
5. Select your Google Cloud project.
6. In the Topics dashboard, click the inline menu for the topic you created in step 2 and select View permissions.
7. In the right-side panel, check to make sure the value you copied in step 4c is displayed in the Role/Principal section. If it is, move to step 5. If it is not listed there, follow the steps below.
8. Click the Add principal button.
9. In the New principals field, add the Writer Identity value you copied in step c.
10. For the Role field, choose Pub/Sub Publisher.
11. Click Save.
Create an IAM service account configured with the Pub/Sub Subscriber role.
1. In the left-side menu, expand the More products section and go to IAM and admin > Service accounts.
2. Select your project.
3. In the Service accounts section, click Create Service Account.
4. In the Service account details section, add a name for your service account.
  The Service account ID is generated automatically.
5. Click Create and continue.
6. In the Grant this service account access to the project section, select the Pub/Sub Subscriber role.
7. Click Continue.
8. Click Done.
  You will be redirected to the Service accounts dashboard.
Export the service account key in JSON format.
1. In the Service accounts dashboard, click the inline menu for your service account and select Manage keys.
2. In the Add key menu, select Create new key.
3. Keep the default settings and click Create.
  This action downloads the JSON file required for the sensor configuration process in GravityZone Control Center.

Setting up the Google Cloud Platform sensor

To configure the Google Cloud Platform sensor, follow these steps:

In the Configuration > Sensors Management page, select Add new to integrate a new sensor.
Select the company where you want to deploy the sensor.
Select the Google Cloud Platform sensor and click Integrate.
On the Check Requirements page, confirm that the prerequisite steps have been completed.
Name the integration and provide the necessary Google Cloud Platform details.
1. In the Topic subscription ID field, add the subscription ID you copied at step 2 of the Prerequisites procedure.
2. In the Service account details section, import the document you downloaded at step 6 of the Prerequisites procedure.
Select Test connectivity.
Select Add sensor.
The new integration will be available in the Sensors Management grid.

In this section: