Google Cloud Platform Integration

Note: This integration requires Cisco XDR Advantage licensing tier.

Cisco XDR consumes network traffic data, including Virtual Private Cloud (VPC) flow logs, from your Google Cloud Platform (GCP) public cloud network. It then performs dynamic entity modeling by running analytics on that data to detect threats and indicators of compromise. Cisco XDR consumes VPC flow logs directly from your GCP account using across-account IAM service account with the proper permissions.

Once the JSON credentials have been uploaded, the Credentials page will open. This page displays the uploaded GCP Credentials and the Monitoring Status of the configured projects.

The Permissions page displays the Google Compute Engine permissions, which are used to identify instances, network interfaces, regions, security groups, and more to inform our algorithms, and the Resource Manager permissions, which are used to list projects when collecting flows from multiple projects without using GCP Pub/Sub (i.e., with the Logging API).

  1. In the Cisco XDR navigation menu, choose Administration > Integrations.

  2. On the Integrations page, click the Third-Party tab and navigate to the Google Cloud Platform integration.

  3. Click the plus sign (+) in the lower-right corner of the card. The Google Cloud Platform integration page is displayed.

  4. Expand the Integration Guide area and follow the instructions on how to add the Google Cloud Platform integration in Cisco XDR.

After you configure the integration, enable flow logging in your GCP deployment per subnet before making them available for ingestion by Cisco XDR. Then, enable the Stackdriver Monitoring API to gather various GCP metrics.

  1. In your GCP console, select VPC network.
  2. Select a subnet.
  3. Click Edit.
  4. Select On from Flow logs.
  5. Click Save. Repeat steps 1-4 for each additional subnet you want to enable flow logging.

Note: Cisco XDR uses this permission for the GCP Cloud Function Invocation Spike alert and to monitor the health and status of the integration.

  1. In your GCP console, select the Cloud project for which you want to enable the API, and then go to the APIs & Services page.
  2. Click Enable APIs and Service.
  3. In the search field, enter Monitoring, then select Stackdriver Monitoring API.
  4. Click Enable if the API is not enabled.
  5. Click Save.

You can configure a Pub/Sub topic and subscription to guarantee transmission of your flow data in a high-throughput environment. GCP Pub/Sub collection is ideal if your VCP flow data exceeds the logging read limits imposed by GCP and is highly recommended for large GCP deployments.

To check if your environment is exceeding GCP logging limits with an existing log-based GCP integration:

  1. Log in to https://console.cloud.google.com/apis/api/logging.googleapis.com/quotas.
  2. Select your project.
  3. Search for Quota exceeded errors count (1 min) - Read requests per minute. If you exceed the quota, see Creating a GCP Pub/Sub Subscription for more information on configuring Pub/Sub.

If your GCP deployment has high traffic throughput, we recommend that you configure Pub/Sub for flow log data delivery. To configure Pub/Sub for flow log data ingestion, obtain your primary project ID, create a log export sink, then create a Pub/Sub subscription for the topic.

  1. In your GCP console, select IAM & Admin > Manage Resources.
  2. Select your primary project, and copy the Project ID.
  3. Paste the Project ID into a text editor.
  1. In your GCP console, select Logging > Log Router.
  2. Click Create Sink.
  3. Enter a Sink name and Sink description.
  4. Click Next.
  5. In the Select sink service drop-down, select Cloud Pub/Sub topic.
  6. In the Select a Cloud Pub/Sub topic drop-down, click Create a topic.
  7. Enter vpc_flows-topic in the Topic ID field, then click Create.

  8. Click Next.

  9. In the Build Inclusion filter field, copy and paste the following, where MY_PROJECT_NAME is your Project ID:

     resource.type="gce_subnetwork"
logName="projects/MY_PROJECT_NAME/logs/compute.googleapis.com%2Fvpc_flows"

  10. Click Next.

  11. Click Create Sink.

  1. In your GCP console, select Pub/Sub > Topics.
  2. Click the (Options) icon for the vpc_flows-topic to open the menu, and select Create subscription.

  3. In the Subscription ID field, enter xdr_subscription.

  4. Select the Pull Delivery Type.

  5. In the Message Retention Duration field, enter 2 hours.

  6. Uncheck the Retain acknowledged messages check box.
  7. In the Acknowledgment Deadline field, enter 600 seconds.

  8. Retain all other default values.

  9. Click Create.

We also provide monitoring for GCP Stackdriver audit logs. To configure the collection, complete the following steps:

Note: For all of the following commands, replace MY_PROJECT_ID with the GCP project ID.

  1. Open the Google Cloud Shell with a user account that has permissions to collect logs and publish to Pub/Sub.

  2. In the cloud console, create a Pub/Sub Topic, using the following command:
    gcloud pubsub topics create xdr-watchlist-topic --project=MY_PROJECT_ID

  3. Create a Pub/Sub Subscription using the following command:
    gcloud pubsub subscriptions create xdr-watchlist-subscription --project=MY_PROJECT_ID \
    --ack-deadline=600 --topic=xdr-watchlist-topic --topic-project=MY_PROJECT_ID

  4. Create a Logging Sink to collect GCP logs, using the following command:
    gcloud logging sinks create xdr-watchlist-sink \
    pubsub.googleapis.com/projects/MY_PROJECT_ID/topics/xdr-watchlist-topic \
    --log-filter="severity>=INFO AND (logName:\"logs/cloudaudit.googleapis.com%2Factivity\" OR logName:\"logs/cloudaudit.googleapis.com%2Fdata_access\")"

  5. You will see a reminder to grant the service account permissions to use Pub/Sub Publisher. Use the service account provided in the message as YOUR_SERVICE_ACCOUNT in the following command:
    gcloud pubsub topics add-iam-policy-binding xdr-watchlist-topic \
    --member='serviceAccount:YOUR_SERVICE_ACCOUNT' \
    --role='roles/pubsub.publisher'

  6. Wait until you see Updated IAM policy for topic [xdr-watchlist-topic], this indicates that the logging collection is complete.

    Note: If a Topic was not found error message and email is shown, you can ignore it. For more information, review the GCP issue details.

To verify and view Google Cloud Platform data in Secure Cloud Analytics (now part of Cisco XDR):

  1. Log in to Secure Cloud Analytics.

  2. In the navigation menu, choose Settings > Sensors.

  3. Scroll to the GCP Sensors section to verify Secure Cloud Analytics is receiving data from Google Cloud Platform. Hover over the sensor card to see the entire integration ID.

  4. In the navigation menu, choose Investigate > Event Viewer.

  5. The Session Traffic tab provides the detailed telemetry collected by your sensors. In the Cloud_Account column, filter on the GCP sensor ID to see the data from the integration displayed in the table.

You can perform the following tasks after you integrate Google Cloud Platform with Cisco XDR:

  • Assets - View devices as reported by Google Cloud Platform. For more information, see Devices.