Link a Google SecOps instance to Google Cloud services


A Google Security Operations instance depends on Google Cloud services for certain key capabilities, such as authentication.

This document explains how to configure your instance to link to these services, whether you're setting up a new deployment or migrating an existing Google SecOps instance.

Before you begin

Before you configure a Google SecOps instance with Google Cloud services, you must do the following:

  • Verify permissions. Ensure you have the necessary permissions to complete the steps in this document. For information about required permissions for each phase of the onboarding process, see Required roles and permissions.

  • Choose your project setup: You can either create a new Google Cloud project for your Google SecOps instance or link it to an existing Google Cloud project.

    To create a new Google Cloud project and enable the Chronicle API, follow the steps in Create a Google Cloud project.

  • Configure an SSO provider for the Google SecOps instance: You can use Cloud Identity, Google Workspace, or a third-party identity provider (IdP), as follows:

To link a Google SecOps instance created for a Managed Security Service Provider (MSSP), contact your Google SecOps representative. Setup requires assistance from a Google SecOps representative.

After you link a Google SecOps instance to a Google Cloud project, the instance is ready for further configuration. You can now examine ingested data and monitor the project for potential security threats.

Configure a new Google SecOps instance

Linking your new instance to a project enables authentication and monitoring features, including:

  • Cloud Identity integration for accessing a range of Google Cloud services, such as authentication, Identity and Access Management, Cloud Monitoring, and Cloud Audit Logs.

  • IAM and Workforce Identity Federation support for authenticating with your existing third-party IdP.

To link a Google SecOps instance to a Google Cloud project, perform these steps:

  1. After your organization signs the Google SecOps customer contract, the onboarding SME receives an onboarding invitation email with an activation link. The activation link is valid for one-time use only.

    In the onboarding invitation email, click the Go to Google Cloud activation link to open the Link SecOps to a project page.

  2. Click Select a project to open the Select a resource page.

  3. On the Select a resource page, select a Google Cloud project to link your new Google SecOps instance. There are two options:

  4. After you select a project, the system enables the Add contacts button, and the Add essential contacts section displays the Essential contacts table. This table shows notification Categories and the Email address of the contact assigned to each.

    Assign a contact person to at least the following four mandatory notification categories: technical, security, legal, and billing.

    Assign a contact to one or more notification categories as follows:

    1. To open the Edit contact window, click Add contact or click Edit in a notification category with an existing contact.

    2. Enter the contact person's Email address, and select one or more notification Categories.

    3. Click Save.

  5. Click Next.

    The system checks whether the Chronicle API is enabled. If enabled, the Onboarding page displays the pre-filled onboarding information and runs the deployment process. This process can take up to 15 minutes to complete.

    When the deployment completes successfully, you receive a notification. If the deployment fails, contact Google SecOps Support.

  6. Verify that the deployment is correct as follows:

    • To view instance information, go to https://console.cloud.google.com/security/chronicle/settings.

    • To update any information, contact Google SecOps Support.

Select an existing project

  1. On the Select a resource page, select your Organization from the list.

    The page displays a list of the Google Cloud projects and folders.

    • These belong to the same organization as the Google SecOps instance, and they have the same billing account.

    • If a project or folder has a Warning icon next to it, you cannot select it. Hold the pointer over the icon to view the reason, for example: missing permissions or billing mismatch.

  2. Select a project based on the following criteria:

    • Criteria for linking an instance to a Google Cloud project:

      • The Google Cloud project must not already be linked to another Google SecOps instance.

      • You have the required IAM permissions to access and work with the project. See Permissions to add a Google Cloud project.

      • For a compliance controlled tenant (instance), the project must be in an Assured Workloads folder. See Workforce Identity Federation for details.

        A compliance controlled tenant (instance) conforms to one of the following compliance control standards: FedRAMP, FedRAMP_MODERATE, HIPAA, PCI_DSS, FedRAMP_HIGH, IL4, IL5, CMEK_V1, or DRZ_ADVANCED.

    • To select a Google Cloud project for a compliance controlled tenant (instance):

      1. Select an Assured Workloads folder to open it.
      2. Inside the Assured Workloads folder, click the name of a Google Cloud project to open the Link SecOps to a project page.
      3. Complete the configuration described in Configure the IdP.
    • To select a Google Cloud project for a non-compliance controlled tenant (instance):

      1. Click the name of a valid Google Cloud project to open the Link SecOps to a project page.

      2. On the Link SecOps to a project page, select a different project, if needed. To do so, click the project to display the Select a resource page again.

  3. Click Next to link your Google SecOps instance to the selected project, and open the Deployment page.

    The Deployment page displays the final details of your instance and service and requires your consent before performing the final setup. The page consists of sections displaying pre-filled, non-editable fields. Only a Google representative can change these details.

    Review the details in each of the following sections. Click Next to move to the next section:

    1. Instance details

      The page displays instance details set in your contract, for example company, region, package tier, and data retention duration.

      Click Next to display the next section.

    2. Review service account

      The page displays details of the service account to be created.

      Click Next to display the next section.

    3. Configure single sign-on (SSO)

      Choose a configured SSO provider. Select one of the following options based on the identity provider you use to manage user and group access to Google SecOps:

      • Google Cloud Identity:

        Select this if you are using Cloud Identity or Google Workspace.

      • Workforce Identity Federation:

        If you are using a third-party identity provider, select your workforce provider from the list.

        If you don't see your identity provider listed, configure your provider, and then select your provider from the list. For details, see Configure a third-party identity provider.

        Click Next to display the next section.

    4. Terms of service

      1. Select the I agree to... checkbox to agree to the terms.
      2. Click Start setup to deploy your Google SecOps instance, according to the displayed details.
  4. Click here to continue to the Next step.

Migrate an existing Google SecOps instance

The following sections explain how to migrate an existing Google SecOps instance to link it to a Google Cloud project and use IAM for feature access control.

Link to a project and workforce provider

The following procedure describes how to connect an existing Google SecOps instance with a Google Cloud project and configure SSO using IAM Workforce Identity Federation services.

  1. Sign in to Google SecOps.

  2. Select Settings > SIEM Settings.

  3. Click Google Cloud Platform.

  4. Enter the Google Cloud project ID to link the project to the Google SecOps instance.

  5. Click Generate Link.

  6. Click Connect to Google Cloud Platform. The Google Cloud console opens. If you enter an incorrect Google Cloud project ID in the Google SecOps application, return to the Google Cloud Platform page in Google SecOps and enter the correct project ID.

  7. On the Google Cloud console, go to Security > Google SecOps.

  8. Verify the service account that the system created for the Google Cloud project.

  9. Under Configure single sign-on, select one of the following options based on which identity provider you use to manage user and group access to Google SecOps:

    • If you are using Cloud Identity or Google Workspace, select Google Cloud Identity.

    • If you are using a third-party identity provider, select Workforce Identity Federation, and then select the workforce provider you want to use. You set this up when configuring workforce identity federation.

  10. If you select Workforce Identity Federation, right-click the Test SSO setup link, and then open it in a private or incognito window.

  11. Continue with the next section: Migrate existing permissions to IAM.

Migrate existing permissions to IAM

After you migrate an existing Google SecOps instance, you can use auto-generated commands to migrate existing permissions and roles to IAM. Google SecOps creates these commands using your pre-migration Feature RBAC access control configuration. When run, they create new IAM policies equivalent to your existing configuration, as defined in Google SecOps under the SIEM Settings > Users and Groups page.

After you run these commands, you can't revert to the previous Feature RBAC access control feature. If you encounter an issue, contact Google SecOps Technical Support.

  1. On the Google Cloud console, go to Security > Google SecOps > Access management tab.
  2. Under Migrate role bindings, you will see a set of auto-generated Google Cloud CLI commands.
  3. Review and verify that the commands create the expected permissions. For information about Google SecOps roles and permissions, see How IAM permissions map to each Feature RBAC role.
  4. Launch a Cloud Shell session.
  5. Copy the auto-generated commands, then paste and run them in the gcloud CLI.
  6. After you execute all commands, click Verify Access. If successful, you see the message Access verified on the Google SecOps Access Management. Otherwise, you see the message Access denied. This may take 1-2 minutes to appear.
  7. To complete the migration, return to the Security > Google SecOps > Access management tab, and then click Enable IAM.
  8. Verify that you can access Google SecOps as a user with the Chronicle API Admin role.
    1. Sign in to Google SecOps as a user with the Chronicle API Admin predefined role. For more details, see Sign in to Google SecOps.
    2. Open the SIEM Settings > Users & Groups page. You should see the message: To manage users and groups, go to Identity Access Management (IAM) in the Google Cloud console. Learn more about managing users and groups.
  9. Sign in to Google SecOps as a user with a different role. For more details, see Sign in to Google SecOps.
  10. Verify that available features in the application match the permissions defined in IAM.
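
Step 3 above asks you to review the generated commands before running them, and the change cannot be reverted afterward. The following Python script is an added example, not part of the original page or of Google's tooling: it assumes the generated commands are `gcloud projects add-iam-policy-binding` invocations (the page does not show their form), and the project, pool, and member names are constructed placeholders.

```python
import shlex

VALUED = {"member", "role", "condition"}  # flags that take a value

# Constructed sample; project, pool and member names are placeholders.
SAMPLE = r"""
gcloud projects add-iam-policy-binding example-secops-project \
  --member="principalSet://iam.googleapis.com/locations/global/workforcePools/example-pool/group/soc-analysts" \
  --role="roles/chronicle.viewer"
gcloud projects add-iam-policy-binding example-secops-project --member="user:admin@example.com" --role="roles/chronicle.admin"
gcloud projects add-iam-policy-binding other-project --member="allUsers" --role="roles/owner"
"""

def parse_bindings(text):
    """Return a (project, member, role) tuple per add-iam-policy-binding command."""
    bindings = []
    for line in text.replace("\\\n", " ").splitlines():  # join shell continuations
        if line.lstrip().startswith("#"):
            continue
        tokens = shlex.split(line)
        if tokens[:3] != ["gcloud", "projects", "add-iam-policy-binding"]:
            continue
        flags, positional, it = {}, [], iter(tokens[3:])
        for tok in it:
            if tok.startswith("--"):  # accept both --flag=value and --flag value
                key, sep, val = tok[2:].partition("=")
                flags[key] = val if sep or key not in VALUED else next(it, "")
            else:
                positional.append(tok)
        bindings.append((positional[0] if positional else "",
                         flags.get("member", ""), flags.get("role", "")))
    return bindings

def review(text, project, pool):
    """Return [(binding, findings)]; an empty findings list means nothing was flagged."""
    pool_path = f"//iam.googleapis.com/locations/global/workforcePools/{pool}/"
    results = []
    for proj, member, role in parse_bindings(text):
        findings = []
        if proj != project:
            findings.append("targets a different project")
        if not role.startswith("roles/chronicle."):
            findings.append("not a predefined Chronicle role")
        elif role == "roles/chronicle.admin":
            findings.append("grants Chronicle API Admin")
        if member in ("allUsers", "allAuthenticatedUsers"):
            findings.append("public member")
        elif member.startswith(("principal:", "principalSet:")) and pool_path not in member:
            findings.append("outside the expected workforce pool")
        results.append(((proj, member, role), findings))
    return results

if __name__ == "__main__":
    for binding, findings in review(SAMPLE, "example-secops-project", "example-pool"):
        print("REVIEW" if findings else "OK    ", *binding, findings)
```

Custom roles are reported as "not a predefined Chronicle role" so that each one is compared by hand against the Feature RBAC role it replaces.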

Change SSO configuration

The following sections describe how to change identity providers:

Change the third-party identity provider

  1. Set up the new third-party identity provider and workforce identity pool.

  2. In Google SecOps, under Settings > SOAR settings > Advanced > IDP group mapping, change the IdP group mapping to reference groups in the new identity provider.

Update SSO settings

Complete the following steps to change the SSO configuration for Google SecOps:

  1. Open the Google Cloud console, and then select the Google Cloud project that is bound to Google SecOps.

  2. Go to Security > Google SecOps.

  3. On the Overview page, click the Single Sign-On tab. This page displays the IdPs you configured when Configuring a third-party identity provider for Google SecOps.

  4. Use the Single Sign-On menu to change SSO providers.

  5. Right-click the Test SSO setup link, and then open a private or incognito window.

  6. Return to Google Cloud console, click the Security > Google SecOps > Overview page, and then click the Single Sign-On tab.

  7. Click Save at the bottom of the page to update the new provider.

  8. Verify that you can sign in to Google SecOps.

Migrate from third-party identity provider to Cloud Identity

Complete the following steps to change the SSO configuration from using a third-party identity provider to Google Cloud Identity:

  1. Make sure you configure either Cloud Identity or Google Workspace as the identity provider.
  2. Grant the predefined Chronicle IAM roles and custom roles to users and groups in the Google SecOps-bound project.
  3. Grant the Chronicle SOAR Admin role to the relevant users or groups.
  4. In Google SecOps, under Settings > SOAR settings > Advanced > IDP group mapping, add the Chronicle SOAR Admin. For more information, see IdP group mapping.

  5. Open the Google Cloud console, and then select the Google Cloud project that is bound to Google SecOps.

  6. Go to Security > Chronicle SecOps.

  7. On the Overview page, click the Single Sign-On tab. This page displays the IdPs you configured when Configuring a third-party identity provider for Google SecOps.

  8. Select the Google Cloud Identity checkbox.

  9. Right-click the Test SSO setup link, and then open a private or incognito window.

    • If you see a login screen, then SSO setup is successful. Continue with the next step.
    • If you don't see a login screen, check the configuration of the identity provider.
  10. Return to Google Cloud console, and then click Security > Chronicle SecOps > Overview page > Single Sign-On tab.

  11. Click Save at the bottom of the page to update the new provider.

  12. Verify that you can sign in to Google SecOps.
