Cloud Integrations
      Back to home
      1. Help Center
      2. Cloud Integrations

      Google Cloud Platform

      AgileBlue's Cerulean AI SecOpes platform can monitor your GCP environment be accessing logs exported to a Google Pub/Sub topic sink.

      Overview

      AgileBlue can collect and parses Google Cloud data such as Audit Logs, VPC Flow Logs, Firewall Rules Logs, and Cloud DNS Logs by pulling from a Google Pub/Sub topic sink. First, you'll need to export this data from Cloud Logging. A walkthrough on how to complete your portion of this integration can be found below.

      NOTE: Your organization must hold a cloud monitoring subscription with AgileBlue in order to complete this integration.

      Create Your Service Account

      In order to configure this integration, your organization will need to create a Service Account with a Role as well as a Service Account Key in order to access data on your GCP project.

      Your team can follow this guide from Google in order to create the Service Account.

      Additionally, this guide is helpful for ensuring you are utilizing best practices for securing your service accounts.

      When creating the account, create a custom role that has the following privileges, which are required for the integration:

      • compute.instances.list (only required for GCP Compute instance metadata collection)
      • monitoring.metricDescriptors.list
      • monitoring.timeSeries.list
      • pubsub.subscriptions.consume
      • pubsub.subscriptions.create (if you are creating the subscription yourself, you may omit this privilege)
      • pubsub.subscriptions.get
      • pubsub.topics.attachSubscription (if you are creating the subscription yourself, you may omit this privilege)

      Once this custom role has been created, assign it to your Service Account.

      Service Account Credentials

      With the Service Account created, we'll now need a Service Account Key.
      1. Click on the Service Account you created in the previous section
      2. Navigate to Keys and click Add key
      3. Select Create new key
        1. The type should be JSON
      4. Download the private key generated in the previous step and store it securely (this file cannot be recovered if it is lost)

      Integration Settings & Resources

      With the Service Account created and the Service Account Key ready to go, this section will detail the additional settings and services to be created, including the following resources:

      • Log Sink
      • Pub/Sub Topic
      • Subscription

      We recommend creating a separate Pub/Sub topic for each log type AgileBlue will be ingesting, allowing them to be parsed and stored correctly. The steps below provide an example for configuration for Audit Logs, and the same process can be followed for other log types.

      1. After logging in to the Google Cloud Console, select Logging > Log Router > Create Sink
      2. Enter a sink name and description of your choosing
        1. We recommend a name and description that indicates the applicable log type and references AgileBlue
      3. Under Sink destination, click on Cloud Pub/Sub topic as the sink service
      4. Select n Create a topic
        1. When you reach this step, please note the topic name, which will need to be provided back to AgileBlue
      5. Access the topic created in the prior step and create a subscription for it
      6. Note the Subscription ID and Subscription name, which will need to be provided to AgileBlue
      7. Navigate to the section that reads Choose logs to include in sink and, for the purposes of this example, add the following in the Inclusion filter (this will include all audit logs) 
        1. logName:"cloudaudit.googleapis.com"

      As noted, the above steps provide an example specifically for Audit Logs. You will be able to create a filter expression for any log types you plan to forward to AgileBlue via this integration. Some additional example filters can be found below:

      #
      # VPC Flow: logs for specific subnet
      #
      resource.type="gce_subnetwork" AND
      log_id("compute.googleapis.com/vpc_flows") AND
      resource.labels.subnetwork_name"=[SUBNET_NAME]"
      #
      # Audit: Google Compute Engine firewall rule deletion
      #
      resource.type="gce_firewall_rule" AND
      log_id("cloudaudit.googleapis.com/activity") AND
      protoPayload.methodName:"firewalls.delete"
      #
      # DNS: all DNS queries
      #
      resource.type="dns_query"
      #
      # Firewall: logs for a given country
      #
      resource.type="gce_subnetwork" AND
      log_id("compute.googleapis.com/firewall") AND
      jsonPayload.remote_location.country=[COUNTRY_ISO_ALPHA_3]

       

      Submitting Sensitive Data

      The final step is to submit these sensitive details to AgileBlue. Once ready, please email support@agileblue.com and a specialist will send back an encrypted message. You will be able to respond to that message with the following information:

        1. The JSON file created in the Service Account Credentials section
        2. Project ID
        3. Each individual Topic name and corresponding subscription name

      Need Help?

      AgileBlue is always here to support you and ensure you are 100% successful. If there are any issues with the installation or if you have any questions, please reach out to AgileBlue Support.

      Email: support@agileblue.com 
      Phone: (216) 606-9400      🚨