Google Cloud Armor
This document provides guidance to help you configure and integrate Google Cloud Armor with Google Security Operations.
Prerequisites
Make sure that you complete all the prerequisite steps before configuring the integration.
Create and configure the IAM role
In the Google Cloud console, go to the IAM Roles page.
Click Create role to create a custom role with permissions required for the integration.
For a new custom role, provide the Title, Description, and a unique ID.
Set the Role Launch Stage to General Availability.
Add the following permissions to the created role:
compute.backendBuckets.setSecurityPolicy
compute.backendServices.setSecurityPolicy
compute.regionBackendServices.setSecurityPolicy
compute.regionSecurityPolicies.create
compute.regionSecurityPolicies.get
compute.regionSecurityPolicies.list
compute.regionSecurityPolicies.update
compute.securityPolicies.create
compute.securityPolicies.get
compute.securityPolicies.list
compute.securityPolicies.update
Click Create.
Create a service account
To create a service account, follow the procedure for creating a service account.
After you have created a service account, download it as a JSON file. You need to provide the content of a downloaded JSON file when configuring the integration parameters.
To use the Workload Identity Federation for GKE email address instead of the service account JSON file content, assign the Service Account Token Creator role to the service account that you use in the integration.
Integrate Google Cloud Armor with Google SecOps
To configure the integration, use the following parameters:
Parameter | Description |
---|---|
API Root | Required. API root of the Google Cloud Armor service. Default value is |
Project ID | Optional. Project ID to use for the Google Cloud Armor integration. If no value is provided, the project ID is extracted from the JSON file content provided in the User Service Account parameter. |
Workload Identity Email | Optional. Client email address of your service account. You can configure either this parameter or the User Service Account parameter. To impersonate service accounts with the Workload Identity Federation for GKE email address, grant the `Service Account Token Creator` role to your service account. For more details about workload identities and how to work with them, see Identities for workloads. |
User Service Account | Optional. Content of the service account JSON file that you use for the Google Cloud Armor service. Provide the full content of the service account JSON file. You can configure either this parameter or the Workload Identity Email parameter. |
Verify SSL | Optional. If selected, the parameter verifies that the SSL certificate for the connection to the Google Cloud Armor service is valid. Selected by default. |
Actions
Some actions require no input parameters.
Add a Rule to a Security Policy
Add a new rule to the security policy in the Google Cloud Armor service.
Entities
This action doesn't run on entities.
Action inputs
To configure the action, use the following parameters:
Parameter | Description |
---|---|
Policy Name | Required. Name of the security policy to add the new rule to. |
Region | Optional. Region of the policy to add the rule to. If no value is provided, the rule is added to the global-level security policy. |
Rule JSON | Required. JSON definition of the rule to add. For more information about adding a rule to a policy, see Method: securityPolicies.addRule. |
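The Rule JSON parameter takes a rule in the same shape as the rules in the JSON result below (priority, match, action, preview). The following added example, not code from the integration or from Google, builds and validates such a rule body before it is handed to the action: it rejects priorities outside the valid range or already used in the policy (the default rule sits at 2147483647), unsupported actions, and malformed CIDR ranges. The set of accepted actions and the limit of 10 source ranges per SRC_IPS_V1 rule are assumptions taken from the Cloud Armor rule schema, not from this page.

```python
import ipaddress
import json

# Priority of the policy's default rule, as in the JSON result shown on this page.
DEFAULT_RULE_PRIORITY = 2147483647
# Rule actions this helper accepts (assumption: allow, or deny with a supported status).
ALLOWED_ACTIONS = {"allow", "deny(403)", "deny(404)", "deny(502)"}
# Assumption: SRC_IPS_V1 matchers take at most 10 IP addresses or ranges per rule.
MAX_SRC_IP_RANGES = 10


def build_rule(description, priority, src_ip_ranges, action, existing_rules=(), preview=False):
    """Return a dict to pass as the Rule JSON parameter of Add a Rule to a Security Policy.

    Raises ValueError for input Cloud Armor would reject, or that would collide with
    a rule already in the policy (pass the policy's "rules" list as existing_rules).
    """
    if not isinstance(priority, int) or not 0 <= priority < DEFAULT_RULE_PRIORITY:
        raise ValueError("priority must be an integer in [0, 2147483647)")
    if priority in {r["priority"] for r in existing_rules}:
        raise ValueError(f"priority {priority} is already used in this policy")
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"unsupported action {action!r}")
    if not 0 < len(src_ip_ranges) <= MAX_SRC_IP_RANGES:
        raise ValueError(f"supply 1 to {MAX_SRC_IP_RANGES} source IP ranges")
    for cidr in src_ip_ranges:
        if cidr != "*":
            # strict=True rejects ranges with host bits set, e.g. 203.0.113.1/24
            ipaddress.ip_network(cidr, strict=True)
    return {
        "description": description,
        "priority": priority,
        "match": {
            "versionedExpr": "SRC_IPS_V1",
            "config": {"srcIpRanges": list(src_ip_ranges)},
        },
        "action": action,
        "preview": preview,
    }


if __name__ == "__main__":
    # Constructed sample: the priorities of the two rules from the JSON result on this page.
    policy_rules = [{"priority": 100}, {"priority": DEFAULT_RULE_PRIORITY}]
    rule = build_rule("Block scanner range (constructed example)", 1000,
                      ["203.0.113.0/24"], "deny(403)", existing_rules=policy_rules)
    print(json.dumps(rule, indent=2))
```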
Action outputs
Action output type | |
---|---|
Case wall attachment | N/A |
Case wall link | N/A |
Case wall table | N/A |
Enrichment table | N/A |
JSON result | Available |
Script result | Available |
Script result
Script result name | Value |
---|---|
is_success | True or False |
JSON result
{
  "kind": "compute#securityPolicy",
  "id": "ID",
  "creationTimestamp": "2024-04-14T05:39:05.798-07:00",
  "name": "example",
  "description": "Test for integration",
  "rules": [
    {
      "kind": "compute#securityPolicyRule",
      "description": "test",
      "priority": 100,
      "match": {
        "versionedExpr": "SRC_IPS_V1",
        "config": {
          "srcIpRanges": [
            "*"
          ]
        }
      },
      "action": "allow",
      "preview": false
    },
    {
      "kind": "compute#securityPolicyRule",
      "description": "Default rule, higher priority overrides it",
      "priority": 2147483647,
      "match": {
        "versionedExpr": "SRC_IPS_V1",
        "config": {
          "srcIpRanges": [
            "*"
          ]
        }
      },
      "action": "allow",
      "preview": false
    }
  ],
  "fingerprint": "A3hq2ZQYxj8=",
  "selfLink": "https://www.googleapis.com/compute/v1/projects/PROJECT_NAME/regions/northamerica-northeast1/securityPolicies/example",
  "type": "CLOUD_ARMOR",
  "labelFingerprint": "42WmSpB8rSM=",
  "region": "https://www.googleapis.com/compute/v1/projects/PROJECT_NAME/regions/northamerica-northeast1"
}
Case wall
This action provides the following output messages:
Output message | Message description |
---|---|
Successfully added a new rule to the security policy! | Action succeeded. |
Error executing action "Add a Rule to a Security Policy". Reason: ERROR_REASON | Action failed. Check the connection to the server, input parameters, credentials, region name, the content of the JSON file, or the policy name. |
Create a Security Policy
Create a security policy in the Google Cloud Armor service.
Entities
This action doesn't run on entities.
Action inputs
To configure the action, use the following parameters:
Parameter | Description |
---|---|
Region | Optional. The region to create the policy in. If no value is provided, a global-level security policy is created. |
Policy JSON | Required. The JSON definition of the policy to create. For more information about policies, see REST Resource: securityPolicies. |
Action outputs
Action output type | |
---|---|
Case wall attachment | N/A |
Case wall link | N/A |
Case wall table | N/A |
Enrichment table | N/A |
JSON result | Available |
Script result | Available |
Script result
Script result name | Value |
---|---|
is_success | True or False |
JSON result
{
  "kind": "compute#securityPolicy",
  "id": "ID",
  "creationTimestamp": "2024-04-14T05:39:05.798-07:00",
  "name": "example",
  "description": "Test for integration",
  "rules": [
    {
      "kind": "compute#securityPolicyRule",
      "description": "test",
      "priority": 100,
      "match": {
        "versionedExpr": "SRC_IPS_V1",
        "config": {
          "srcIpRanges": [
            "*"
          ]
        }
      },
      "action": "allow",
      "preview": false
    },
    {
      "kind": "compute#securityPolicyRule",
      "description": "Default rule, higher priority overrides it",
      "priority": 2147483647,
      "match": {
        "versionedExpr": "SRC_IPS_V1",
        "config": {
          "srcIpRanges": [
            "*"
          ]
        }
      },
      "action": "allow",
      "preview": false
    }
  ],
  "fingerprint": "A3hq2ZQYxj8=",
  "selfLink": "https://www.googleapis.com/compute/v1/projects/PROJECT_NAME/regions/northamerica-northeast1/securityPolicies/example",
  "type": "CLOUD_ARMOR",
  "labelFingerprint": "42WmSpB8rSM=",
  "region": "https://www.googleapis.com/compute/v1/projects/PROJECT_NAME/regions/northamerica-northeast1"
}
Case wall
This action provides the following output messages:
Output message | Message description |
---|---|
Successfully created a new security policy! | Action succeeded. |
Error executing action "Create a Security Policy". Reason: ERROR_REASON | Action failed. Check the connection to the server, input parameters, credentials, region name, or the content of the JSON file. |
Ping
Test connectivity to the Google Cloud Armor service with parameters provided at the integration configuration page.
Entities
This action doesn't run on entities.
Action inputs
N/A
Action outputs
Action output type | |
---|---|
Case wall attachment | N/A |
Case wall link | N/A |
Case wall table | N/A |
Enrichment table | N/A |
JSON result | N/A |
Script result | Available |
Script result
Script result name | Value |
---|---|
is_success | True or False |
Case wall
This action provides the following output messages:
Output message | Message description |
---|---|
Successfully connected to the Google Cloud Armor service with the provided connection parameters! | Action succeeded. |
Failed to connect to the Google Cloud Armor service! Error is ERROR_REASON | Action failed. Check the connection to the server, input parameters, or credentials. |
Update a Security Policy
Update the existing security policy in the Google Cloud Armor service.
This action cannot update rules in a policy. To add a rule to the related policy, use the Add a Rule to a Security Policy action.
Entities
This action doesn't run on entities.
Action inputs
To configure the action, use the following parameters:
Parameter | Description |
---|---|
Policy Name | Required. Name of the security policy to update. |
Region | Optional. Region of the policy to update. If no value is provided, the global-level security policy is updated. |
Rule JSON | Required. JSON definition of the policy to update. For more information about policy updates, see Method: securityPolicies.patch. You cannot update rules with this action. To add a rule to a policy, use the Add a Rule to a Security Policy action. |
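Because this action patches the policy and cannot touch its rules, the JSON you pass should contain only the fields that change, plus the policy's current fingerprint. The following added example, not code from the integration or from Google, derives that body from the policy as last returned by the service (for instance the JSON result of Create a Security Policy) and a desired state, refusing rule changes and renames. That securityPolicies.patch rejects a request whose fingerprint is stale, and that the policy name is immutable, are assumptions about the Compute Engine API, not statements from this page.

```python
import copy

# Server-assigned fields visible in the JSON result on this page; never sent back in a patch.
SERVER_MANAGED_FIELDS = {"kind", "id", "creationTimestamp", "selfLink", "region", "labelFingerprint"}


def build_patch_body(current_policy, desired_policy):
    """Return the minimal JSON body for Update a Security Policy.

    current_policy: the policy as last returned by the service (must carry "fingerprint").
    desired_policy: the intended state; fields equal to the current state are dropped.
    """
    if desired_policy.get("name", current_policy["name"]) != current_policy["name"]:
        raise ValueError("a security policy cannot be renamed (assumption: name is immutable)")
    if "rules" in desired_policy and desired_policy["rules"] != current_policy.get("rules"):
        raise ValueError("rules differ: this action cannot update rules, "
                         "use Add a Rule to a Security Policy instead")
    body = {
        key: copy.deepcopy(value)
        for key, value in desired_policy.items()
        if key not in SERVER_MANAGED_FIELDS
        and key not in ("rules", "fingerprint")
        and current_policy.get(key) != value
    }
    if not body:
        raise ValueError("nothing to update")
    # Optimistic lock: the service compares this with the policy's current fingerprint
    # and rejects the patch if the policy changed since current_policy was fetched.
    body["fingerprint"] = current_policy["fingerprint"]
    return body


if __name__ == "__main__":
    # Constructed sample mirroring the JSON result on this page (rules omitted for brevity).
    current = {"kind": "compute#securityPolicy", "id": "ID", "name": "example",
               "description": "Test for integration", "type": "CLOUD_ARMOR",
               "fingerprint": "A3hq2ZQYxj8="}
    desired = dict(current, description="Production edge policy (constructed example)")
    print(build_patch_body(current, desired))
```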
Action outputs
Action output type | |
---|---|
Case wall attachment | N/A |
Case wall link | N/A |
Case wall table | N/A |
Enrichment table | N/A |
JSON result | Available |
Script result | Available |
Script result
Script result name | Value |
---|---|
is_success | True or False |
JSON result
{
  "kind": "compute#securityPolicy",
  "id": "ID",
  "creationTimestamp": "2024-04-14T05:39:05.798-07:00",
  "name": "example",
  "description": "Test for integration",
  "rules": [
    {
      "kind": "compute#securityPolicyRule",
      "description": "test",
      "priority": 100,
      "match": {
        "versionedExpr": "SRC_IPS_V1",
        "config": {
          "srcIpRanges": [
            "*"
          ]
        }
      },
      "action": "allow",
      "preview": false
    },
    {
      "kind": "compute#securityPolicyRule",
      "description": "Default rule, higher priority overrides it",
      "priority": 2147483647,
      "match": {
        "versionedExpr": "SRC_IPS_V1",
        "config": {
          "srcIpRanges": [
            "*"
          ]
        }
      },
      "action": "allow",
      "preview": false
    }
  ],
  "fingerprint": "A3hq2ZQYxj8=",
  "selfLink": "https://www.googleapis.com/compute/v1/projects/PROJECT_NAME/regions/northamerica-northeast1/securityPolicies/example",
  "type": "CLOUD_ARMOR",
  "labelFingerprint": "42WmSpB8rSM=",
  "region": "https://www.googleapis.com/compute/v1/projects/PROJECT_NAME/regions/northamerica-northeast1"
}
Case wall
This action provides the following output messages:
Output message | Message description |
---|---|
Successfully added comment to the identity protection detection with ID DETECTION_ID in CrowdStrike | Action succeeded. |
Error executing action "Update a Security Policy". Reason: ERROR_REASON | Action failed. Check the connection to the server, input parameters, or credentials. |