Link Google SecOps to Google Cloud services
Google SecOps depends on Google Cloud services for certain capabilities, such as authentication. This document describes how to configure a Google SecOps instance to bind to these Google Cloud services. It provides information for users who are configuring a new Google SecOps instance and those who are migrating an existing Google SecOps instance.
Before you begin
Before you configure a Google SecOps instance with Google Cloud services, you must do the following:
Create a Google Cloud project and enable the Chronicle API. See Configure a Google Cloud project for Google SecOps for more information.
Configure an SSO provider for the Google SecOps instance.
You can use Cloud Identity, Google Workspace, or a third-party identity provider. If you use a third-party identity provider, perform the steps in Configure a third-party identity provider for Google Security Operations.
If you use Cloud Identity or Google Workspace, see Configure a Google Cloud identity provider.
Make sure you have the permissions to perform the steps in this document. For information about required permissions for each phase of the onboarding process, see Required roles.
Complete one of the following sections depending on whether you are a new or an existing customer.
If you want to bind a Google Security Operations instance created for a managed security service provider (MSSPs), contact your Google SecOps Customer Engineer for help. The configuration requires assistance from a Google Security Operations representative.
After you complete the steps to bind the Google Cloud project to Google SecOps, you can examine the Google Cloud project data in Google SecOps, letting you closely monitor your project for any type of security compromise.
Migrate an existing Google SecOps instance
The following sections describe how to migrate an existing Google SecOps instance so that it is bound to a Google Cloud project and uses IAM to manage feature access control.
Bind to a project and workforce provider
The following procedure describes how to connect an existing Google SecOps instance with a Google Cloud project and configure SSO using IAM workforce identity federation services.
Sign in to Google SecOps.
In the navigation bar, select Settings > SIEM Settings.
Click Google Cloud Platform.
Enter the Google Cloud project ID to link the project to the Google SecOps instance.
Click Generate Link.
Click Connect to Google Cloud Platform. The Google Cloud console opens. If you entered an incorrect Google Cloud project ID in the Google SecOps application, return to the Google Cloud Platform page in Google SecOps and enter the correct project ID.
From Google Cloud console, go to Security > Google SecOps.
Verify the service account that was created for the Google Cloud project.
Under Configure single sign-on, select one of the following options based on which identity provider you use to manage user and group access to Google SecOps:
If you are using Cloud Identity or Google Workspace, select Google Cloud Identity.
If you are using a third-party identity provider, select Workforce Identity Federation, and then select the workforce provider you want to use. You set this up when configuring workforce identity federation.
If you selected Workforce Identity Federation, right-click the Test SSO setup link, and then open it in a private or incognito window.
- If you see a login screen, then SSO setup is successful.
- If you don't see a login screen, check the configuration of the third-party identity provider. See Configure a third-party identity provider for Google SecOps.
Continue with the next section: Migrate existing permissions to IAM.
Migrate existing permissions to IAM
After you migrate an existing Google SecOps instance, you can use auto-generated commands to migrate existing permissions and roles to IAM. Google SecOps creates these commands using your pre-migration Feature RBAC access control configuration. When run, they create new IAM policies equivalent to your existing configuration, as defined in Google SecOps under the SIEM Settings > Users and Groups page.
After you run these commands, you can't revert to the previous Feature RBAC access control feature. If you encounter an issue, contact Technical Support.
- In Google Cloud console, go to Security > Google SecOps > Access management tab.
- Under Migrate role bindings, you will see a set of auto-generated Google Cloud CLI commands.
- Review and verify that the commands create the expected permissions. For information about Google SecOps roles and permissions, see How IAM permissions map to each Feature RBAC role.
- Launch a Cloud Shell session.
- Copy the auto-generated commands, and then paste and run them in the gcloud CLI.
- After you execute all commands, click Verify Access. If successful, you will see the message Access verified on the Google SecOps Access management tab. Otherwise, you will see the message Access denied. This may take 1-2 minutes to appear.
- To complete the migration, return to the Security > Google SecOps > Access management tab, and then click Enable IAM.
- Verify that you can access Google SecOps as a user with the Chronicle API Admin role.
- Sign in to Google SecOps as a user with the Chronicle API Admin predefined role. See Sign in to Google Security Operations for more information.
- Open the Application menu > Settings > Users & Groups page. You should see the message: To manage users and groups, go to Identity Access Management (IAM) in the Google Cloud console. Learn more about managing users and groups.
- Sign in to Google SecOps as a user with a different role. See Sign in to Google SecOps for more information.
- Verify that available features in the application match the permissions defined in IAM.
Configure a new Google SecOps instance
The following procedure describes how to set up a new Google SecOps instance for the first time, after configuring the Google Cloud project and IAM workforce identity federation services to link to Google SecOps.
If you are a new Google SecOps customer, complete the following steps:
Create a Google Cloud project and enable the Google SecOps API. See Configure a Google Cloud project for Google SecOps for more information.
Provide your Google SecOps Customer Engineer with the project ID you plan to bind to the Google SecOps instance. After Google SecOps Customer Engineer initiates the process, you receive a confirmation email.
Open the Google Cloud console, and then select the Google Cloud project that you provided in the previous step.
Go to Security > Google SecOps.
If you have not enabled the Google SecOps API, you will see a Getting Started button. Click the Getting Started button and then complete the guided steps to enable the Google SecOps API.
In the Company Information section, enter your company information, and then click Next.
Review the service account information, and then click Next. Google SecOps creates a service account in the project and sets the required roles and permissions.
Select one of the following options based on the identity provider you use to manage user and group access to Google Security Operations:
If you are using Cloud Identity or Google Workspace, select the Google Cloud Identity option.
If you are using a third-party identity provider, select the workforce provider you want to use. You set this up when configuring workforce identity federation.
Under Input your IDP Admin Groups here, enter the common name for one or more IdP groups that include administrators who configure user access to SOAR-related features. You identified and created these groups when you defined user attributes and groups in the IdP.
Expand the Terms of Service. If you agree to the terms, click Start setup.
It may take up to 15 minutes for the Google Security Operations instance to be provisioned. You will receive a notification after the instance is successfully provisioned. If the setup fails, contact your Google Cloud customer representative.
If you selected Google Cloud Identity, make sure to grant a Google Security Operations role to users and groups using IAM so that users can sign in to Google Security Operations. Perform this step using the Google Security Operations-bound Google Cloud project you created earlier.
The following command grants the Chronicle API Viewer (roles/chronicle.viewer) role to a single user using the gcloud CLI. To use the Google Cloud console, see Grant a single role.
gcloud projects add-iam-policy-binding PROJECT_ID \
    --role roles/chronicle.viewer \
    --member="EMAIL_ALIAS"
Replace the following:
PROJECT_ID: the project ID of the Google Security Operations-bound project you configured in Configure a Google Cloud project for Google Security Operations. See Creating and managing projects for a description of fields that identify a project.
EMAIL_ALIAS: an individual user's email, for example user:alice@example.com.
For examples of how to grant roles to other members, such as a group or domain, see gcloud projects add-iam-policy-binding and Principal identifiers reference documentation.
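The grant above, and the check that the migrated role bindings described under Migrate existing permissions to IAM actually landed in the project, are both easier to review when the gcloud commands are generated from a list rather than typed one at a time. The following POSIX shell script is an added example and not part of the Google SecOps documentation: it validates principal identifiers (user:, group:, serviceAccount:, domain:) before building an add-iam-policy-binding command, builds the get-iam-policy query that lists who currently holds roles/chronicle.viewer, and applies a file of principals. PROJECT_ID, the member file, the function names and the DRY_RUN variable are placeholders and conventions chosen for this example.

```shell
#!/bin/sh
# Added example (not from the Google SecOps documentation). Builds and, unless
# DRY_RUN=1, runs gcloud IAM binding commands for a Google SecOps-bound project.
# PROJECT_ID and all principals below are placeholders or constructed samples.

CHRONICLE_ROLE="roles/chronicle.viewer"

# Accept only principal formats IAM understands for a project binding.
# Returns 0 when the identifier is well formed, 1 otherwise.
validate_principal() {
  case "$1" in
    user:*@*|group:*@*|serviceAccount:*@*|domain:*.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the gcloud command that grants ROLE (default: Chronicle API Viewer)
# to MEMBER on PROJECT. Fails without printing if MEMBER is malformed.
build_binding_cmd() {
  project="$1"; member="$2"; role="${3:-$CHRONICLE_ROLE}"
  validate_principal "$member" || return 1
  printf 'gcloud projects add-iam-policy-binding %s --member=%s --role=%s\n' \
    "$project" "$member" "$role"
}

# Print the gcloud command that lists every member currently holding ROLE,
# which is the check to run after the auto-generated migration commands.
build_verify_cmd() {
  project="$1"; role="${2:-$CHRONICLE_ROLE}"
  printf 'gcloud projects get-iam-policy %s --flatten="bindings[].members" --filter="bindings.role:%s" --format="value(bindings.members)"\n' \
    "$project" "$role"
}

# Grant the role to each principal listed in FILE (one per line). Malformed
# lines are reported on stderr and skipped; the count of applied bindings is
# printed last so a caller can check it.
grant_from_file() {
  project="$1"; file="$2"; applied=0
  while IFS= read -r member; do
    [ -z "$member" ] && continue
    cmd=$(build_binding_cmd "$project" "$member") || { echo "skip malformed principal: $member" >&2; continue; }
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$cmd"; else eval "$cmd"; fi
    applied=$((applied + 1))
  done < "$file"
  echo "$applied"
}

# Constructed sample run (DRY_RUN=1 only prints the commands): two valid
# principals and one bare address that lacks the required prefix.
if [ "${DRY_RUN:-0}" = "1" ]; then
  members=$(mktemp)
  printf 'user:alice@example.com\ngroup:secops-analysts@example.com\nalice@example.com\n' > "$members"
  grant_from_file PROJECT_ID "$members"
  build_verify_cmd PROJECT_ID
  rm -f "$members"
fi
```

Run it once with DRY_RUN=1 to review the exact commands, then without it from a Cloud Shell session where you already hold the IAM permissions listed under Required roles. The get-iam-policy query it prints is the same check worth running after the Verify Access step of the migration, since it shows the members bound to the role independently of the Google SecOps UI.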
Change single sign-on (SSO) configuration
The following sections describe how to change identity providers:
- Change the third-party identity provider
- Migrate from a third-party identity provider to Cloud Identity
Change the third-party identity provider
Set up the new third-party identity provider and workforce identity pool.
In Google SecOps, under Settings > SOAR settings > Advanced > IDP group mapping, change the IdP group mapping to reference groups in the new identity provider.
Complete the following steps to change the SSO configuration for Google SecOps:
Open the Google Cloud console, and then select the Google Cloud project that is bound to Google SecOps.
Go to Security > Google SecOps.
On the Overview page, click the Single Sign-On tab. This page displays the identity providers you configured when Configuring a third-party identity provider for Google SecOps.
Use the Single Sign-On menu to change SSO providers.
Right-click the Test SSO setup link, and then open it in a private or incognito window.
- If you see a login screen, then SSO setup is successful. Continue with the next step.
- If you don't see a login screen, check the configuration of the third-party identity provider. See Configure a third-party identity provider for Google SecOps.
Return to Google Cloud console, click the Security > Google SecOps > Overview page, and then click the Single Sign-On tab.
Click Save at the bottom of the page to update the new provider.
Check that you can sign in to Google SecOps.
Migrate from third-party identity provider to Cloud Identity
Complete the following steps to change the SSO configuration from using a third-party identity provider to Google Cloud Identity:
- Make sure you configure either Cloud Identity or Google Workspace as the identity provider.
- Grant the predefined Chronicle IAM roles and permissions to users and groups in the Google SecOps-bound project.
In Google SecOps, under Settings > SOAR settings > Advanced > IDP group mapping, change the IdP group mapping to reference groups in the new identity provider.
Open the Google Cloud console, and then select the Google Cloud project that is bound to Google SecOps.
Go to Security > Chronicle SecOps.
On the Overview page, click the Single Sign-On tab. This page displays the identity providers you configured when Configuring a third-party identity provider for Google SecOps.
Select the Google Cloud Identity checkbox.
Right-click the Test SSO setup link, and then open it in a private or incognito window.
- If you see a login screen, then SSO setup is successful. Continue with the next step.
- If you don't see a login screen, check the configuration of the identity provider.
Return to Google Cloud console, and then click Security > Chronicle SecOps > Overview page > Single Sign-On tab.
Click Save at the bottom of the page to update the new provider.
Check that you can sign in to Google SecOps.