
Exabeam Cloud Connectors Configuration Guide


Google Cloud Platform (GCP) Cloud Connector

Prerequisites to Configure the Google Cloud Platform (GCP) Connector

Before you configure the Google Cloud Platform (GCP) connector, you must complete the following prerequisites:

  • GCP Cloud Connector Types

  • Ensure that the https://*.cloud.google.com service is open for communication with the Exabeam Cloud Connector platform.

  • Obtain the service credentials JSON file

  • Configure Google Cloud Platform Security Center

  • Ensure that you have the administrative rights to configure GCP

  • For cloud connector versions 2.5.116 and later, enable the Cloud Resource Manager by accessing https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=PROJECT_ID_HERE. You can enable the Cloud Resource Manager for each GCP project you want the Exabeam cloud connector to monitor. Enabling the Cloud Resource Manager allows the cloud connector to query the project's Stackdriver sinks to collect data.

GCP Cloud Connector Types

The Cloud Connector that you need to set up is dependent on the data sources and anticipated behavior of your deployment. Review the following information to ensure you choose the appropriate Cloud Connector:

Cloud Connector

Considerations

Google Cloud Platform (GCP) Cloud Connector

  • Supported data sources – StackDriver Admin Activities and StackDriver Data Access Logs

  • Behavior – The Cloud Connector will automatically discover all StackDriver projects that the provided credentials have access to, which will be represented by endpoints per project. You must then enable the endpoints you want to ingest. Endpoint example: Stackdriver - [projectid: my-project ; name: my-name]

  • When to use – Use this connector if the aggregated EPS from the GCP sinks is less than 1K and fewer than 50 sinks will be used to collect the data.

  • Installation – Install the GCP Cloud Connector according to the instructions and enable the required projects that you want to ingest.

Google Cloud Pub/Sub Cloud Connector

  • Supported data sources – Any Google service that can forward events to Google Pub/Sub.

  • Behavior – The Cloud Connector will ingest from the Pub/Sub configured.

  • When to use – Use this connector if the aggregated EPS from the GCP sinks exceeds 1K or more than 50 sinks will be used to collect the data.

  • Installation – Configure a logging sink that exports its data to Pub/Sub. You can segment the different services to different Pub/Subs or combine them together according to your ingestion needs. Continue to Configure the Google Cloud Pub/Sub Cloud Connector to ingest from the relevant Pub/Sub(s).

Obtain the Service Credentials JSON File

The GCP APIs are authenticated via a service account. You must obtain the service credentials JSON with the API key that you can use while configuring the GCP connector.

To obtain the service credentials JSON file:

  1. Enable the Stackdriver API via: https://console.cloud.google.com/apis/api/logging.googleapis.com/overview?project=<GCP project-to-monitor>

    Note

    The project where the service account is set up must grant permissions to other projects that contain Sinks with the data.

  2. To create the service account key, in the Google Cloud console, navigate to APIs & Services > Credentials.

  3. In the Credentials section, click Create Credentials then click Service account.

  4. Specify the account name and description.

  5. Select the roles Logs Viewer and Private Logs Viewer.

  6. Click DONE.

  7. On the Service Accounts list page, click the name of the account that you created.

  8. Navigate to Keys > Add Key > Create New Key.

  9. In the Key type section, select JSON.

  10. Click Create. A JSON file is downloaded. For more information, see the Google Cloud documentation.

  11. Save the JSON file at a secure location to use while configuring the GCP connector. Copy the JSON file contents.
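A gcloud equivalent of the console steps above, as an added example that is not part of the Exabeam guide. The project IDs, account name and key path are placeholders (assumptions); the script grants the two viewer roles in every monitored project, as the note in step 1 requires, and with DRY_RUN=1 (the default) it only prints the commands.

```sh
#!/bin/sh
# Added example, not from the Exabeam guide: CLI form of steps 1-10.
# All values below are placeholders (assumptions); override via environment.
set -eu

SA_PROJECT="${SA_PROJECT:-sa-host-project}"    # project that owns the service account
SA_NAME="${SA_NAME:-exabeam-gcp-connector}"    # service account name
MONITORED_PROJECTS="${MONITORED_PROJECTS:-sa-host-project prod-logs-project}"
KEY_FILE="${KEY_FILE:-./exabeam-gcp-key.json}" # where the JSON key is written
DRY_RUN="${DRY_RUN:-1}"                        # 1 = print commands, 0 = execute

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

sa_email() {
  printf '%s@%s.iam.gserviceaccount.com' "$SA_NAME" "$SA_PROJECT"
}

provision() {
  # Steps 2-4: create the service account.
  run gcloud iam service-accounts create "$SA_NAME" --project "$SA_PROJECT" \
    --display-name "Exabeam GCP connector" \
    --description "Read-only log access for the Exabeam Cloud Connector"

  for project in $MONITORED_PROJECTS; do
    # Step 1, plus the Cloud Resource Manager prerequisite
    # (connector versions 2.5.116 and later): enable the APIs per project.
    run gcloud services enable logging.googleapis.com \
      cloudresourcemanager.googleapis.com --project "$project"
    # Step 5 and the note in step 1: grant only Logs Viewer and
    # Private Logs Viewer, in every project that holds sinks.
    for role in roles/logging.viewer roles/logging.privateLogViewer; do
      run gcloud projects add-iam-policy-binding "$project" \
        --member "serviceAccount:$(sa_email)" --role "$role"
    done
  done

  # Steps 7-10: create the JSON key; umask 077 keeps it owner-only.
  ( umask 077
    run gcloud iam service-accounts keys create "$KEY_FILE" \
      --iam-account "$(sa_email)" )
}

provision
```

Review the printed commands first, then rerun with DRY_RUN=0 from an account that has IAM admin rights on the listed projects.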

Configure the GCP Security Command Center

The Google Security Command Center (SCC) API provides access to temporal views of assets and findings within an organization.

Note

Cloud connector’s SCC monitoring feature is available in Exabeam version 2.4.89 and later.

To enable the API to allow the cloud connector to collect logs from SCC and allow the service account to access the API to pull alerts:

  1. Follow the steps to set up the environment variables. Enable the GCP Security Command Center (SCC) for the project that you want to monitor by clicking https://console.cloud.google.com/apis/library/securitycenter.googleapis.com.

  2. To obtain the organization ID that you want to monitor, on the Google Cloud console, select a project, then select the organization you want, and then click Settings. The Settings page displays the organization ID of your organization. Note the value for the organization ID of the organization for which you want to enable SCC monitoring. For example, 300000000008.

Configure the Google Cloud Platform (GCP) Cloud Connector

Google Cloud Platform (GCP) offers a suite of cloud services that provides Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) services. GCP enables organizations to utilize the required services on Google hardware. GCP enables developers to build, deploy, and test applications on Google’s infrastructure. For more information visit their website.

The following table displays audit source API and security events supported by the connector.

| Audit Source: API | Service or Module Covered | Event Included |
|---|---|---|
| Stackdriver/Admin Activities | App Engine | Events related to admin activities in the App Engine PaaS service |
| Stackdriver/Admin Activities | BigQuery | Events related to administrative activities in the BigQuery service |
| Stackdriver/Admin Activities | Cloud Dataflow | Events related to administrative activities in the Cloud Dataflow service |
| Stackdriver/Admin Activities | Cloud Dataproc | Events related to administrative activities in the Cloud Dataproc service |
| Stackdriver/Admin Activities | Cloud DNS | Events related to administrative activities in the Cloud DNS service |
| Stackdriver/Admin Activities | Cloud Identity and Access Management (IAM) | Events related to administrative activities in the Cloud IAM service |
| Stackdriver/Admin Activities | Cloud Key Management System (KMS) | Events related to administrative activities in the Cloud KMS service |
| Stackdriver/Admin Activities | Cloud Resource Manager | Events related to administrative activities in the Cloud Resource Manager service |
| Stackdriver/Admin Activities | Cloud SQL | Events related to administrative activities in the Cloud SQL service |
| Stackdriver/Admin Activities | Cloud Storage | Events related to administrative activities in the Cloud Storage service |
| Stackdriver/Admin Activities | Google Compute Engine (GCE) | Events related to administrative activities in the GCE service |
| Stackdriver/Admin Activities | Compute Engine Serial Port Access | Events related to administrative activities in the Compute Engine Serial Port Access service |
| Stackdriver/Admin Activities | Google Service Management | Events related to administrative activities in the Google Service Management service |
| Stackdriver/Data Access Logs | BigQuery | Events related to data access in the BigQuery service |
| Stackdriver/Data Access Logs | Cloud Dataproc | Events related to data access in the Cloud Dataproc service |
| Stackdriver/Data Access Logs | Cloud DNS | Events related to data access in the Cloud DNS service |
| Stackdriver/Data Access Logs | Cloud Identity and Access Management (IAM) | Events related to administrative activities in the Cloud IAM service |
| Stackdriver/Data Access Logs | Cloud Key Management System (KMS) | Events related to administrative activities in the Cloud KMS service |
| Stackdriver/Data Access Logs | Cloud SQL | Events related to admin activities in the Cloud SQL service |
| Stackdriver/Data Access Logs | Cloud Storage | Events related to administrative activities in the Cloud Storage service |
| Stackdriver/Data Access Logs | Google Compute Engine (GCE) | Events related to administrative activities in the GCE service |
| Stackdriver/Data Access Logs | Google Service Management | Events related to admin activities in the Google Service Management service |

Table 15. Audit source API and security events supported by the connector


To configure the Google Cloud Platform (GCP) connector to import data into the Exabeam Cloud Connector platform:

  1. Complete the Prerequisites to Configure the Google Cloud Platform (GCP) Connector.

  2. Log in to the Exabeam Cloud Connectors platform with your registered credentials.

  3. Navigate to Settings > Accounts > Add Account.

  4. Click Select Service to Add, then select Google Cloud Platform from the list.

  5. In the Accounts section, enter the required information. Required fields are indicated with a red bar.

    1. Account Name – Specify a name for the Google Cloud Platform connector. For example, Google Cloud Platform_Cloud Services.

    2. (Optional) Description – Describe the Google Cloud Platform. For example, GCP suite of cloud services that provides Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) services.

    3. Service-Credentials-json – Paste the JSON file contents that you obtained while completing prerequisites.

    4. Organization IDs – Paste the organization ID that you obtained while completing prerequisites.

  6. To confirm that the Exabeam Cloud Connector platform communicates with the service, click Test Connection.

  7. Click Done to save your changes. The cloud connector is now set up on the Exabeam Cloud Connector platform.

  8. To ensure that the connector is ready to send and collect data, Start the connector and check that the status shows OK.