Configure a Google Cloud project for Google SecOps
During the onboarding process, your Google SecOps representative will work with you to bind your Google SecOps instance to a Google Cloud project within a Google Cloud organization that you own.
The project creates a control layer for you to enable, inspect, and manage access to audit logs generated in Google SecOps written to Cloud Audit Logs, create custom ingestion outage alerts using Cloud Monitoring, and store exported historical data. You can set up permissions in the project to grant it access to Chronicle APIs, allowing Google SecOps to read and write data to the project.
In Google SecOps, the established control layer created by your Google Cloud project stores sensitive security telemetry, so we recommend provisioning a new Google Cloud project. You may also choose to bind Google SecOps to an existing project, but be aware of how associated existing permissions and restrictions may impact their Google SecOps experience.
The project is where customer-specific data are stored. You set up permissions in the project so that the project can access Google Security Operations APIs and Google Security Operations can read and write data to the project.
There is a 1:1 relationship between a Google SecOps instance and a Google Cloud project. You choose a single project that will bind with Google SecOps. If you have multiple organizations, select one organization in which to create this project. You cannot bind Google SecOps to multiple projects.
If you have a Google Cloud Organization, but have not yet created a project to bind to Google SecOps, perform the steps in Create a project.
To identify which project is bound to your Google SecOps instance, we recommend that you use the following pattern for the project name:
<customer-frontend-path>-chronicle
where <customer-frontend-path> is your customer-specific identifier and is used in the URL to access your Google SecOps instance. See Log in to Chronicle for an example. Your Google SecOps representative can provide this value.
Enable the Chronicle API in the project.
- Select the project that you created in the previous step.
- Navigate to APIs & Services > Library
- Search for "Chronicle API".
Select Chronicle API, and then click Enable.
For more detail, see Enabling an API in your Google Cloud project.
Configure Essential Contacts to receive targeted notifications from Google Cloud. For more information, see Managing contacts for notifications.
You may notice that a new service account has an IAM permission grant on the project. The service account name follows the pattern
service-PROJECT_NUMBER@gcp-sa-chronicle.iam.gserviceaccount.com,where
PROJECT_NUMBERis unique to the project. This service account has the role "Chronicle Service Agent".The service account exists in a project maintained by Google SecOps. You can see this permission grant by navigating to the IAM page of your Google Cloud project, and then selecting the Include Google-provided role grants checkbox in the upper right-hand corner.
If you don'o't see the new service account, check that the Include Google-provided role grants button is enabled on the IAM page.
What's next
After completing the steps in this document, perform the following:
- Apply security and compliance controls to the project to satisfy your business use case and organization policies. For more information about how to do this, see the Assured Workloads documentation. Compliance restrictions associated with your Google Cloud organization or required by projects are not be applied by default.
- Integrate Google SecOps with either Cloud identity or a third-party identity provider.
- Enable Google SecOps audit logging by following the steps in Google Security Operations audit logging information. Google SecOps will write Data Access audit logs and Admin Activity audit logs to the project. You cannot disable Data Access logging using Google Cloud console. If you want to disable Data Access logging, contact your Google SecOps representative, who can disable this for you.