This is the third part of the multi-cloud security & posture management series. The earlier ones can be found from:
- Part 1 – Security Monitoring and Posture Management in Multi-Cloud Scenario – Overview
- Part 2 – Multi-Cloud Security Monitoring – Part 2: Amazon Web Services
Background
Even though, there are multiple cloud service providers in this blog series I concentrate the big three ones, Microsoft, Amazon & Google. Most of the enterprises I work with have span their solutions and workloads to multiple clouds and it’s important to have bird eye view in one location in to make security monitoring and security posture management (CSPM) efficient.
In this blog post I cover Google Cloud Platform (GCP) ‘Metrics’ & ‘IAM’ integrations to Azure Sentinel and Google Cloud Platform admin audit logs integration to Microsoft Cloud App Security (MCAS).
Ingesting Data from Google Cloud
The Grand Connector List
Microsoft is frequently updating the Azure Sentinel grand connector list that contains the following connectors to Google. All of these are based on ‘Logstash’ connector and from the links in the table below you can find detailed instructions how you can implement these connectors.
| Vendor | Products | Connector Type | Instructions |
| GCP | Cloud Storage | Logstash | See Plug-in. Use to get events stored in GCP Cloud Storage, not for Cloud Storage own audit events. |
| GCP | Pub/Sub | Logstash | See Plug-in. Use to get events sent using Pub/Sub, not for Pub/Sub own audit events. |
| GCP | Stackdriver | Logstash Custom | Through GCP Cloud Storage or GCP Pub/Sub as described above. Using GCP Cloud Function. See here. |
Azure Sentinel Solutions
Besides that, Azure Sentinel has built-in data connectors for ‘Google Workspace’ and also from new Solutions gallery you can find connectors for:
- Google Cloud Platform (GCP) DNS
- Google Cloud Platform IAM
- Google Cloud Platform Cloud Monitoring
Generally, Azure Sentinel solutions are 3rd party solutions offered through Azure Sentinel powered by Azure Marketplace. These GCP solutions are provided by Microsoft and, when installed:
- Custom data connector connector is installed
- Data tables created to Log Analytics (GCP_MONITORING_CL, GCP_IAM_CL & GCP_DNS_CL)
- Parsers installed to Log Analytics that transforms the ingested data into Azure Sentinel normalized format.
- GCP_IAM & GPC_Monitor
Parsers are built as KQL user-defined functions that transform data in existing tables, such as GPC_Monitoring_CL, & GPC_IAM_CL in this case, into the normalized schema. Once the parser is saved as a workspace function, it can be used like any Azure Sentinel table.
Google Cloud Platform Cloud Monitoring in Azure Sentinel
For GCP Cloud Monitoring Azure Sentinel solution can be used. When installing the solution(s) pay attention to the following topics:
- Create Google Service Account with necessary permissions – guide
- Google metrics (if metrics are ingested) needs to be defined properly to the Azure Function – guide
- Google resource names needs to be defined properly to Azure Function – guide
Service Account
In GCP side, you need to create service account for establishing the integration. This dedicated service account is used for authentication in data ingestion so consider that as a sensitive account. This dedicated service account is used for authentication in data ingestion so consider that as a sensitive account which key should be rotated in regular basis (link to Google document – keep service account keys safe).
General best practice is that one (1) GCP project would be dedicated for different integration service accounts. Possible integration in this security monitoring & CSPM scenario are Azure Sentinel, Azure Security Center and Cloud App Security. For all of these you need dedicated service account in GCP side.
Even though, from technical point of view it’s possible to use same account for all the integration I wouldn’t recommend doing so. In my demo environment I created dedicated project “GCP Integrations’ where I have three (3) service accounts for aforementioned security solutions.
In GCP, you can use ‘master” account for integrations if needed. In this scenario he service account is created to one dedicated project and then added to the organizational level where it’s inherited to all underlying projects.
When creating service account for Azure Sentinel pay attention to granted roles. Bare minimum is ‘Monitoring Services Viewer’. This dedicated account is first created at project level and then added to the organization level where it’s inherited for all projects (if that’s the ultimate goal).
Google Cloud Platform Metrics (In Public Preview)
The Google Cloud Platform Cloud Monitoring data connector provides the capability to ingest GCP Monitoring metrics into Azure Sentinel using the GCP Monitoring API. If you want to ingest metrics data from GCP refer these documentations to define metrics – Introduction to the Cloud Monitoring API & Google Cloud Metrics.
Useful Metrics
| Namespace | Metric | Filter | Grouping | Description | Alarm Policy |
| networksecurity | https/request_count | blocked=true | backend_target_name | Monitor number of blocked HTTPS requests per backend | Increase in blocked HTTPS requests is a potential indication of anomalous behavior or misconfiguration |
| loadbalancing | https/backend_request_count | response_code_class > 200 | response_code_class | Monitor number of HTTPS requests that fails because of HTTP response code classes 400 & 500 | Increase in blocked HTTPS requests is a potential indication of anomalous behavior or |
Azure Function Settings for GPC Metrics
When deploying the solution pay attention to the following settings:
- GCP_Credentials_File_Content – GPC Service Account key
- GCP_Metrics – All metrics you want to ingest from GCP needs to be defined here
- GCP_Project_Id – Projects IDs which you want to monitor
- LogAnalyticsUri – URI for your Log Analytics workspace
- Shared_Key – Log Analytics primary key
- Workspace Id – Log Analytics workspace id
Best practice is to use securely store workspace and API authorization keys or tokens in Azure Key Vault (Log Analytics key & service account key). Azure Key Vault provides a secure mechanism to store and retrieve key values. In my demo environment I saved everything directly to the Azure Function.
Verifying Connection
After Azure Sentinel solution is deployed and Azure Function configured you can enjoy the data flow and start building your own KQL magic because there isn’t a single GCP related analytics rule out of the box at the time of writing.
KQL for GCP Monitor Data
Below are a few examples for playing with GCP Monitor data.
/ Not reporting VMs
// VMs that have not reported a heartbeat in the last 5 minutes.
GCP_MONITOR
| where TimeGenerated > ago(24h)
| summarize LastCall = max(TimeGenerated) by MetricLabelsInstanceName, ResourceLabelsInstanceId, ResourceLabelsProjectId
| where LastCall < ago(5m)
Google Cloud Platform IAM Solution (In Public Preview)
The Google Cloud Platform Identity and Access Management (IAM) data connector provides the capability to ingest GCP IAM logs into Azure Sentinel using the GCP Logging API. GCP IAM is found from Azure Sentinel Solutions gallery and it creates custom data connector and data parser during deployment to Azure Sentinel. Actual data is ingested in help of Azure Function.
Azure Function Settings for GPC IAM
When deploying the solution pay attention to the following settings:
- GCP_Credentials_File_Content – GCP Service Account key
- LogAnalyticsUri – URI for your Log Analytics workspace
- Resource_Names – Monitored resource names (organization / project / resource)
- Shared_Key – Log Analytics primary key
- Workspace Id – Log Analytics workspace id
Best practice is to use securely store workspace and API authorization keys or tokens in Azure Key Vault (Log Analytics key & service account key). Azure Key Vault provides a secure mechanism to store and retrieve key values. In my demo environment I saved everything directly to the Azure Function.
Verifying Connection
When configuration is in place (Azure Function) GCP IAM data is found from GCP_IAM_CL table and data parser ‘GCP_IAM’ can be used (installed during data connector deployment) to build KQL queries.
KQL for GCP IAM Data
Below are a few examples for playing with GCP IAM data.
//Service Account Created
GCP_IAM
| where PayloadMethodname == "google.iam.admin.v1.CreateServiceAccount"
|extend PayloadAuthorizationinfo
| project EventEndTime, ResourceType, ResourceLabelsEmailId,PayloadRequestServiceAccountDisplayName, ResourceLabelsProjectId, PayloadAuthenticationinfoPrincipalsubject, PayloadServicename
//Service Account Key Created
GCP_IAM
| where PayloadMethodname contains "CreateServiceAccountKey"
| project EventEndTime, PayloadResourcename, PayloadRequestType,PayloadResponseType, PayloadAuthenticationinfoPrincipalemail, PayloadResponseName
|sort by EventEndTime desc
GCP_IAM
| where PayloadMethodname contains "DeleteServiceAccountKey"
| project EventEndTime, PayloadResourcename, PayloadRequestType,PayloadResponseType, PayloadAuthenticationinfoPrincipalemail, PayloadResponseName
|sort by EventEndTime desc
GCP_IAM
| where PayloadMethodname contains "SetIamPolicy"
| project EventEndTime, PayloadResourcename, PayloadRequestType,PayloadResponseType, PayloadAuthenticationinfoPrincipalemail, PayloadResponseName
|sort by EventEndTime desc
Microsoft Cloud App Security (MCAS)
MCAS has native app connector for Google Cloud Platform (GCP) & Google Workspace (G-Suite) which means that you can integrate GCP directly with APIs to provide even greater visibility what’s happening inside GCP environment.
Microsoft Cloud App Security leverages the APIs provided by the cloud provider. All communication between Cloud App Security and connected apps is encrypted using HTTPS. Each service has its own framework and API limitations such as throttling, API limits, dynamic time-shifting API windows, and others.
For the integration it’s recommended to use dedicated GCP project as mentioned before. To establish the integration you will need the following permissions to GCP side:
- IAM and Admin edit – Organization level
- Project creation and edit
Possible integrations:
- Security auditing: This connection gives you visibility into and control over GCP app use.
- Security configuration: This connection gives you fundamental security recommendations based on the Center for Internet Security (CIS) benchmark for GCP.
Detailed instructions of pre-requisites and how to establish the integration can be found from docs.microsoft.com. When adding GCP platform navigate to “App Connectors” and fill necessary details required by the MCAS wizard to get Google Cloud Platform connected to MCAS instance.
Cloud Security Posture Management (CSPM)
If you want to have Cloud Security Posture Management (CSPM) data ingested to MCAS it can be done from ‘App Connectors – Security Configuration Apps’ blade. Detailed instructions – Connect GCP security configuration to MCAS.
Even though security posture management gives crucial information from the environment configuration state the MCAS feature is overlapping with Azure Security Center “Cloud Security Posture Management – CSPM”. In my opinion, this integration is not needed in most of the environments / clients I work with. My recommendation is to use Azure Security Center instead which gives better visibility for CSPM than MCAS. There might be some use cases that I’m not aware of where this integration could be useful.
Verifying Connection
From App Connectors you can find config for both, GCP Cloud Audit logs and & Security configuration where you can verify the connection status, and change settings if needed.
When connection is established you can find the raw data from GCP in MCAS Activity log. MCAS has built-in rules for GPC that I highly recommend to enable. From the last picture you can see an alert generated by MCAS based on changes to GCP engine resources.
Caveats
- For Azure Sentinel there is native connector only for Google Workspace (G-Suite) and not for Google Cloud Platform (GCP). Azure Sentinel Solutions offers a way to ingest data from GCP but at least for now, there isn’t any built-in analytics or hunting rules for GCP available.
- There isn’t native solution available for ingesting GCP Security Command Center findings to Azure Sentinel. That would require to build custom connector for this purpose and requires Premium license in GCP side.
- The Cloud App Security auditing connection only imports Admin Activity audit logs; Data Access and System Event audit logs are not imported.
References
GCP Event Threat Detection Rules
Sam's Corner 
Hello, thank you very much for the post.
I still can’t connect it to GCP, I have doubts about the format in which you configured the parameters:
I placed them like this:
GCP_CREDENTIALS_FILE_CONTENT: {“type”:”service….}
GCP_METRICS: compute.google…….
GCP_PROJECT_ID: projects/idProject
logAnalyticsUri: https://fasfaas.ods.opinsights.azure.com
SHARED_KEY:dnhsadfas……..
WORKSPACE:ID: fasfaas……
Could you help me to see if any of the parameters are placed in the wrong way?
Thanks
Could you please send me the error details by email (samilamppu@hotmail.com)?