Google Cloud Policy Intelligence
This document provides guidance to help you configure and integrate Policy Intelligence with the SOAR module of Google Security Operations.
Integration version: 3.0
Use cases
Automated policy violation remediation: Use the Google SecOps capabilities to automatically remediate issues by applying the correct configuration—for example, when Policy Intelligence detects a misconfigured firewall rule that violates your company policy. Remediating the policy violation helps ensure continuous compliance and reduces the risk of security breaches.
Prioritized incident response: Use the Google SecOps capabilities to prioritize incident response efforts while focusing on high-risk assets and minimizing potential damage.
Proactive security posture improvement: Use the Google SecOps capabilities to recommend proactive security posture improvements, such as implementing stricter access controls or deploying additional security tools.
Automated security audit preparation: Use the Google SecOps capabilities to automatically compile the Policy Intelligence reports into a digestible format for security audits, simplifying compliance reporting and reducing manual effort.
Threat hunting and investigation: Use the Google SecOps capabilities to initiate automated threat hunting workflows, investigate potential threats, and accelerate incident response every time Policy Intelligence identifies unusual resource configurations that might indicate malicious activity.
Endpoints
The integration interacts with the single activities:query endpoint within the Policy Intelligence API, using different parameters for different actions. The following is an example of an endpoint for the integration:
https://policyintelligence.googleapis.com/v1/projects/PROJECT_ID/locations/global/activityTypes/serviceAccountLastAuthentication/activities:query
Before you begin
To use the integration, you need a Google Cloud service account. You can use an existing service account or create a new one.
Create a service account
For guidance on creating a service account, see Create service accounts.
If you use a service account to authenticate to Google Cloud, create a service account key in JSON and provide the content of the downloaded JSON file when configuring the integration parameters.
For security reasons, we recommend using Workload Identity Federation for GKE email addresses instead of a service account key. For more information about the workload identities, see Identities for workloads.
Create and configure the IAM role
To configure the roles and permissions that Policy Intelligence requires, see Required roles and permissions.
To create and configure the IAM role that is required for the Policy Intelligence integration, complete the following steps:
In the Google Cloud console, go to the IAM Roles page.
Click Create role to create a custom role with permissions required for the integration.
For a new custom role, provide the Title, Description, and a unique ID.
Set the Role Launch Stage to General Availability.
Add the following permission to the created role:
policyanalyzer.serviceAccountLastAuthenticationActivities.query
Click Create.
Integrate Policy Intelligence with Google SecOps
The integration requires the following parameters:
Parameter | Description |
---|---|
API Root | Required. The API root of the Policy Intelligence instance. The default value is |
Organization ID | Optional. The organization ID to use in the Policy Intelligence integration. |
User's Service Account | Required. The content of the service account key JSON file. You can configure either this parameter or the Workload Identity Email parameter. To configure this parameter, provide the full content of the service account key JSON file that you downloaded when creating the service account. |
Quota Project ID | Optional. The Google Cloud project ID that you use for Google Cloud APIs and billing. This parameter requires you to grant the If you set no value for this parameter, the integration retrieves the project ID from your Google Cloud service account. |
Workload Identity Email | Optional. The client email address of your service account. You can configure either this parameter or the User's Service Account parameter. If you set this parameter, configure the To impersonate service accounts with the Workload Identity Federation for GKE email address, grant the |
Verify SSL | Required. If selected, the integration verifies that the SSL certificate for connecting to the Policy Intelligence server is valid. Selected by default. |
For instructions about configuring an integration in Google SecOps, see Configure integrations.
You can make changes at a later stage if needed. After you configure an integration instance, you can use it in playbooks. For more information about configuring and supporting multiple instances, see Supporting multiple instances.
Actions
The Google Policy Intelligence integration includes the following actions:
Ping
Use the Ping action to test connectivity to Policy Intelligence.
This action doesn't run on entities.
Action inputs
None.
Action outputs
The Ping action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Available |
Script result | Available |
Output messages
On a Case Wall, the Ping action provides the following output messages:
Output message | Message description |
---|---|
Successfully connected to the Google Cloud Policy Intelligence server with the provided connection parameters! | Action succeeded. |
Failed to connect to the Google Cloud Policy Intelligence server! | Action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table describes the values for the script result output when using the Ping action:
Script result name | Value |
---|---|
is_success | True or False |
Search Service Account Activity
Use the Search Service Account Activity action to search for an activity related to service accounts in Policy Intelligence.
This action doesn't run on entities.
Action inputs
The Search Service Account Activity action requires the following parameters:
Parameter | Description |
---|---|
Project ID | Optional. The ID of the project in which to search for service account activities. If you provide no value, the action extracts the project ID from the integration configuration. |
Service Account Resource Name | Required. A comma-separated list of the resource names of the service accounts for which to retrieve activities. |
Max Activities To Return | Required. The number of activities to return per service account. The maximum value is 1000. By default, the action returns 50 activities. |
Action outputs
The Search Service Account Activity action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example describes the JSON result output received when using the Search Service Account Activity action:
[
{
"Entity": "//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/SERVICE_ACCOUNT@ENTITY_ID",
"EntityResult": [
{
"fullResourceName": "//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/SERVICE_ACCOUNT@ENTITY_ID",
"activityType": "serviceAccountLastAuthentication",
"observationPeriod": {
"startTime": "2023-05-23T07:00:00Z",
"endTime": "2023-08-20T07:00:00Z"
},
"activity": {
"lastAuthenticatedTime": "2023-08-20T07:00:00Z",
"serviceAccount": {
"serviceAccountId": "SERVICE_ACCOUNT_ID",
"projectNumber": "PROJECT_NUMBER",
"fullResourceName": "//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/SERVICE_ACCOUNT@ENTITY_ID"
}
}
}
]
}
]
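The JSON result above is what a playbook step receives back. As an added example (not part of the integration or the Policy Intelligence API), the following script builds the activities:query URL from the Endpoints section and walks a constructed result in that shape to flag service accounts whose last authentication is older than a threshold, which is the usual follow-up when reviewing unused identities. The sample entries, their emails and their timestamps are constructed; the key names match the JSON result on this page.

```python
from datetime import datetime, timezone

ACTIVITY_TYPE = "serviceAccountLastAuthentication"

def activities_endpoint(project_id: str) -> str:
    """Build the activities:query URL shown in the Endpoints section for one project."""
    return ("https://policyintelligence.googleapis.com/v1/projects/"
            f"{project_id}/locations/global/activityTypes/{ACTIVITY_TYPE}/activities:query")

def _parse_ts(value: str) -> datetime:
    # RFC 3339 timestamps with a trailing Z, as in the JSON result above.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def stale_service_accounts(result: list, max_idle_days: int) -> list:
    """Return service accounts idle for more than max_idle_days at the end of the
    observation period; an entry with no lastAuthenticatedTime counts as idle for
    the whole observation window. Sorted with the longest-idle account first."""
    findings = []
    for entity in result:
        for item in entity.get("EntityResult", []):
            if item.get("activityType") != ACTIVITY_TYPE:
                continue
            period = item["observationPeriod"]
            last = item.get("activity", {}).get("lastAuthenticatedTime")
            idle_days = (_parse_ts(period["endTime"]) - _parse_ts(last or period["startTime"])).days
            if idle_days > max_idle_days:
                findings.append({
                    "service_account": item["fullResourceName"].rsplit("serviceAccounts/", 1)[-1],
                    "idle_days": idle_days,
                    "never_authenticated": last is None,
                })
    return sorted(findings, key=lambda f: f["idle_days"], reverse=True)

def _entry(email: str, last_auth) -> dict:
    # Constructed sample entry in the shape of the action's JSON result (placeholders as on the page).
    name = f"//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/{email}"
    activity = {"serviceAccount": {"serviceAccountId": "SERVICE_ACCOUNT_ID",
                                   "projectNumber": "PROJECT_NUMBER", "fullResourceName": name}}
    if last_auth:
        activity["lastAuthenticatedTime"] = last_auth
    return {"Entity": name, "EntityResult": [{
        "fullResourceName": name, "activityType": ACTIVITY_TYPE,
        "observationPeriod": {"startTime": "2023-05-23T07:00:00Z", "endTime": "2023-08-20T07:00:00Z"},
        "activity": activity}]}

SAMPLE_RESULT = [  # constructed: one active, one idle 80 days, one never authenticated
    _entry("ci-builder@PROJECT_ID.iam.gserviceaccount.com", "2023-08-20T07:00:00Z"),
    _entry("legacy-export@PROJECT_ID.iam.gserviceaccount.com", "2023-06-01T07:00:00Z"),
    _entry("never-used@PROJECT_ID.iam.gserviceaccount.com", None),
]

if __name__ == "__main__":
    print(activities_endpoint("PROJECT_ID"))
    for finding in stale_service_accounts(SAMPLE_RESULT, max_idle_days=30):
        print(finding)
```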
Output messages
On a Case Wall, the Search Service Account Activity action provides the following output messages:
Output message | Message description |
---|---|
| Action succeeded. |
Error executing action "Search Service Account Activity". Reason: ERROR_REASON | Action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table describes the values for the script result output when using the Search Service Account Activity action:
Script result name | Value |
---|---|
is_success | True or False |