Skip to main content

Google Cloud Platform

Overview

Login Authentication Event Note

Authentication events related to accessing the Google Cloud Platform (GCP) console are sent through Google Workspace (formerly called GSuite) by Google for centralized login activity.

Filtering Note

Due to the high volume of information and rate limitations in the API collection method enforced by Google, the following list of event actions are excluded from the data collection. These events are primarily related to read/list operations that are heavy in volume, causing unwanted noise in the environment.

  • io.k8s.admissionregistration.v1beta1.mutatingwebhookconfigurations.list
  • io.k8s.extensions.v1beta1.deployments.get
  • io.k8s.core.v1.pods.get
  • io.k8s.core.v1.secrets.get
  • io.k8s.core.v1.nodes.proxy.get
  • io.k8s.core.v1.pods.list
  • io.k8s.core.v1.serviceaccounts.get
  • io.k8s.core.v1.configmaps.get
  • io.k8s.core.v1.componentstatuses.list
  • io.k8s.core.v1.endpoints.get
  • io.k8s.core.v1.services.get
  • io.k8s.core.v1.nodes.list
  • io.k8s.core.v1.persistentvolumeclaims.get
  • io.k8s.core.v1.persistentvolumes.get
  • io.k8s.get
  • io.k8s.batch.v1.jobs.list
  • io.k8s.extensions.v1beta1.deployments.scale.get
  • io.k8s.metrics.v1beta1.pods.list
  • v1.compute.instanceGroupManagers.get
  • v1.compute.instances.get

Prerequisites

Before this service connector can be enabled, the following information about your Google account will need to be gathered:

  • Organization ID: This is a 13-character numerical string.
  • Service Account Key File: This is a JSON file downloaded when a service account key is created.
  • The Email Address for the Service Account: The email address associated with the service account that you will create. Additionally, permissions will need to be set to provide access to the log resources.
warning

It is recommended that only one service account be used per project. This will result in a unique set of service credentials for each GCP service connector in the portal. Sharing service accounts between multiple projects may cause the API collection to reach Google quota limits.

The following procedures describe how to enable the necessary permissions, gather the required account items, and create the GCP service connector.

Getting the Organization ID in GCP

  1. To get Organization ID, follow the steps in this GCP procedure: Getting your organization resource ID.
  2. Record the 13-character Organization ID. You will need it in a subsequent procedure.

Creating the Service Account in GCP

To create a service account, which is required to get the Service Account Key File, follow the steps in this GCP procedure: Create a service account.

As you complete the linked procedure, enter information as follows.

  • When you reach the step prompting you to Grant this service account access to a project, click the Select a role box, then hover over Logging on the left side of the window, and then click Private Logs Viewer on the right side of the window. You can then continue to the end of the procedure without completing any other optional steps.

Getting the Service Account Key File and Email Address

  1. To get the Service Account Key File, follow the steps in this GCP procedure: Create a service account key.
  2. Save the downloaded JSON file in a secure location. You will need it in a subsequent procedure.
  3. Record the email address for the service account. You will need it in a subsequent procedure. The email address can be found on the DETAILS tab for the service account.

Adding Permissions for the Service Account at the Organization Level

To allow the created service account to pull all logs from the organization, permissions will need to be added to the account.

  1. Access the Manage resources page in GCP.
  2. Ensure that you are logged in at the organization level.
  3. In the table, select the checkbox in the row for the organization containing the project with the new service connector.
  4. If an information pane is not visible on the right side of the page, select the SHOW INFO PANEL button in the upper-right corner of the page to display it.
  5. In the right pane, in the PERMISSIONS tab, select the ADD PRINCIPAL button.
    The Grant access to window appears.
  6. In the New principals box, enter the email address for the service account, which you recorded in the previous procedure.
  7. Click the Select a role box, then hover over Logging on the left side of the window, and then click Private Logs Viewer on the right side of the window.
  8. Click SAVE.
    The permissions are added.
note

If there is more than one organization to be monitored, repeat these steps for each other organization.

Creating the GCP Service Connector

Creating the GCP Credentials

GCP credentials must be set up before creating the service connector.

  1. In ActiveEye, in the left pane, click Admin, and then click Service Connectors.
    The Service Connectors page appears.
    The Service Connectors page
  2. In the upper-right corner of the page, click Manage connectors credentials.
    The Connector Credentials page appears.
    The Connector Credentials page
  3. In the upper-left corner of the page, click Add Credential.
    The Add Connector Credentials page appears.
  4. In the Connector Type list, select GCP.
    The GCP Credentials section appears.
  5. In the Display Name box, enter a unique name that allows you to distinguish it from other credentials.
  6. In the User ID box, enter the email address for the service account.
  7. In the Private Key box, enter the full content of the Service Account Key JSON file.
    8. warning

    Entering an incorrect value will prevent or disrupt the flow of data.

  8. Click Add.
    The GCP credentials are created.

Creating the GCP Service Connector

With the credentials set up, the GCP service connector can be created.

  1. In ActiveEye, in the left pane, click Admin, and then click Service Connectors.
    The Service Connectors page appears.
    The Service Connectors page
  2. In the upper-left corner of the page, click Add Connector.
    A list of service connectors appears.
    The list of service connectors
  3. Scroll down to the CLOUD INFRASTRUCTURE section, and then, in the Google Cloud subsection, click the Add Connection button.
    The Add Connector Account page appears.
  4. In the Display Name box, enter a unique name.
  5. In the Resources box, enter information to connect the ActiveEye service connector to either the GCP project that contains the service account created in the previous procedure, or to the organization containing that project. To do so, enter the resource type and ID separated by a forward slash, as seen in these examples:
    • projects/[PROJECT_ID]
      (e.g., projects/ExampleID)
    • organizations/[ORGANIZATION_ID]
      (e.g., organizations/ExampleID)
    6. note

    There is a limit of one resource definition per GCP service connector. To monitor multiple resources, you will need to create multiple GCP service connectors.

  6. In the Credential Set list, select the name of the previously created GCP credentials.
  7. Optionally, modify the priority level in the Priority box. Raising or lowering the priority will increase or decrease the visibility of alerts related to this service connector.
  8. If you do not want data ingestion to begin immediately once cloud accounts have been configured, clear the Enable Account checkbox. Otherwise, leave the checkbox selected.
  9. Click Add.
    The GCP service connector is created, and the page is refreshed. Depending on the frequency of the events, you should see data begin to appear. To check the latest events, select INVESTIGATE in the right pane, and then select Event Count Summary.