Google Cloud Policy Intelligence
This document provides guidance to help you configure and integrate Google Cloud Policy Intelligence with Google Security Operations SOAR.
Prerequisites
Create and configure the IAM role
In the Google Cloud console, go to the IAM Roles page.
Click Create role to create a custom role with permissions required for the integration.
For a new custom role, provide the Title, Description, and a unique ID.
Set the Role Launch Stage to General Availability.
Add the following permission to the created role:
policyanalyzer.serviceAccountLastAuthenticationActivities.query
Click Create.
Create a service account
To create a service account, follow the procedure for creating a service account.
After you have created a service account, download it as a JSON file. You need to provide the downloaded JSON file when configuring the integration parameters.
Integrate Google Cloud Policy Intelligence with Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration inputs
To configure the integration, use the following parameters:
| Parameters | |
|---|---|
| API Root | Required
API root of the Google Cloud Policy Intelligence instance. Default value is |
| Organization ID | Optional
Organization ID that should be used in the Google Cloud Policy Intelligence integration. |
| User's Service Account | Required
Service account of the Google Cloud Policy Intelligence instance. Make sure to provide the full content of the service account JSON file that you have downloaded when creating a service account. |
| Verify SSL | Required
When checked, the parameter verifies if the SSL certificate for connecting to the Google Cloud Policy Intelligence server is valid. Checked by default. |
Actions
Ping
Test connectivity to Google Cloud Policy Intelligence with parameters provided at the integration configuration page in the Google Security Operations SOAR Marketplace tab.
Entities
The action does not run on entities.
Action inputs
N/A
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | N/A |
| Case wall table | N/A |
| Enrichment table | N/A |
| Entity insight | N/A |
| Insight | N/A |
| JSON result | N/A |
| OOTB widget | N/A |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
Case wall
The action provides the following output messages:
| Output message | Message description |
|---|---|
| Successfully connected to the Google Cloud Policy Intelligence server with the provided connection parameters! | Connection established successfully. |
| Failed to connect to the Google Cloud Policy Intelligence server! | The action returned an error. |
Search service account activity
Search activity related to service accounts in Google Cloud Policy Intelligence.
Entities
The action does not run on entities.
Action inputs
To configure the action, use the following parameters:
| Parameters | |
|---|---|
| Service Account Resource Name | Required
Specifies a comma-separated list containing resource names of service accounts for which you fetch activity. |
| Max Activities To Return | Required
Specifies how many activities to return per service account. The max number is 1000. By default, the action returns 50 activities. |
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | N/A |
| Case wall table | N/A |
| Enrichment table | N/A |
| Entity insight | N/A |
| Insight | N/A |
| JSON result | Available |
| OOTB widget | N/A |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
JSON result
[
{
"Entity": "//iam.googleapis.com/projects/chronicle-demo-env/serviceAccounts/cdir-scc-service-account@chronicle-demo-env.iam.gserviceaccount.com",
"EntityResult": [
{
"fullResourceName": "//iam.googleapis.com/projects/chronicle-demo-env/serviceAccounts/cdir-scc-service-account@chronicle-demo-env.iam.gserviceaccount.com",
"activityType": "serviceAccountLastAuthentication",
"observationPeriod": {
"startTime": "2023-05-23T07:00:00Z",
"endTime": "2023-08-20T07:00:00Z"
},
"activity": {
"lastAuthenticatedTime": "2023-08-20T07:00:00Z",
"serviceAccount": {
"serviceAccountId": "100969641053678159314",
"projectNumber": "105111850896",
"fullResourceName": "//iam.googleapis.com/projects/chronicle-demo-env/serviceAccounts/cdir-scc-service-account@chronicle-demo-env.iam.gserviceaccount.com"
}
}
}
]
}
]
Case wall
The action provides the following output messages:
| Output message | Message description |
|---|---|
Successfully found activity for the following service accounts in Google Cloud Policy Intelligence: SERVICE_ACCOUNTS |
Action is successful. |
No activity was found for the following service accounts in Google Cloud Policy Intelligence: SERVICE_ACCOUNTS |
The action could not find data for selected service accounts. |
| No activity was found for the provided service accounts in Google Cloud Policy Intelligence | The action could not find data for any of the listed service accounts. |
Error executing action "Search Service Account Activity". Reason: ERROR_REASON |
The action returned an error. Check connection to the server, input parameters, or credentials. |
| Error executing action "Search Service Account Activity". Reason: "Start Time" should be provided, when "Custom" is selected in "Time Frame" parameter. | The action returned an error. Make sure to provide a |