Google Cloud SCC Plugin for Log Shipper
This document explains how to configure your Google Cloud SCC plugin with the Log Shipper module of the Netskope Cloud Exchange platform. This integration allows ingestion of Netskope alerts and events into your Google Cloud SCC tenant in JSON format.
Prerequisites
To complete this configuration, you need:
- A Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
- A Netskope Cloud Exchange tenant with the Log Shipper module already configured.
- Google Cloud Platform credentials with specified roles on a particular project.
- Connectivity to the following host: Google Cloud SCC (https://console.cloud.google.com/)
Note
Verify your Google Cloud SCC instance permissions are secure and not set up for open public access. Only allow access to your cloud storage instance from your Cloud Exchange Host and any other addresses that need access.
CE Version Compatibility
Netskope CE v4.2.0, v5.0.1
Google Cloud SCC Plugin Support
The Google Cloud SCC plugin is used to ingest all Alerts and Events in JSON format.
Feature | Supported
---|---
Alerts Support | Yes
Event Support | Yes
WebTx Support | NA
Permissions
The following permissions are required for the service account at the organization level.
- Security Center Source Editor
- Security Center Findings Editor
- Resource Manager get projects (Role: Browser)
API Details
This plugin uses Python libraries to authenticate with the Google Cloud API.
- Library: Google Authentication library for Python (google-auth).
- Usage: Google Authentication library for Python (google-auth) to authenticate to Google APIs.
Create a new session with credentials
```python
import json

from google.oauth2 import service_account
from google.auth.transport import requests

# Scope and credentials are built from the JSON key file pasted into the plugin configuration
self.gcp_scope = ["https://www.googleapis.com/auth/cloud-platform"]
self.creds = service_account.Credentials.from_service_account_info(
    json.loads(self.configuration["key_file"])
)
scoped = self.creds.with_scopes(self.gcp_scope)
# AuthorizedSession is a requests.Session that attaches and refreshes the OAuth 2.0 token
self.gcp_session = requests.AuthorizedSession(scoped)
self.gcp_session.proxies = self.proxy
```
Google Cloud GET API Request
```python
response = self.gcp_session.get(url, headers=headers, params=params)
```
Google Cloud POST API Request
```python
response = self.gcp_session.post(url, params=param, json=data, headers=headers)
```
Resource Manager API
API Endpoint | Method | Use Case
---|---|---
/v1/projects/{projectId} | GET | Retrieves the Project identified by the specified projectId.
The Base URL https://cloudresourcemanager.googleapis.com is the same for all Resource Manager APIs.
Get Project
API Endpoint: <Base URL>/v1/projects/{projectId}
Method: GET
Sample API Response:
```json
{
  "projectNumber": "",
  "projectId": "",
  "lifecycleState": "ACTIVE",
  "name": "projectName",
  "createTime": "2024-04-04T10:01:07.553347Z",
  "parent": {
    "type": "organization",
    "id": ""
  }
}
```
Security Command Center APIs
API Endpoint | Method | Use Case
---|---|---
/v1/organizations/{organizationId}/sources/{sourceId}/findings | GET | Lists an organization or source's findings.
/v1/organizations/{organizationId}/sources/{sourceId}/findings | POST | Creates a finding. The corresponding source must exist for finding creation to succeed.
/v1/organizations/{organizationId}/sources/{sourceId} | GET | Gets a source.
/v1/organizations/{organizationId}/sources/{sourceId} | POST | Creates a source.
The Base URL https://securitycenter.googleapis.com is the same for all Security Command Center APIs.
List Findings
API endpoint: <Base URL>/v1/organizations/{organizationId}/sources/{sourceId}/findings
Method: GET
Sample API Response:
```json
{
  "listFindingsResults": [
    {
      "finding": {
        "name": "organizations//sources//findings/00087f8800a911ef94c60242c0a8f104",
        "parent": "organizations//sources/",
        "resourceName": "//cloudresourcemanager.googleapis.com/projects/",
        "state": "ACTIVE",
        "category": "ctep",
        "externalUri": "https://drive.google.com/open?id=14WLyjF82rGg",
        "sourceProperties": {
          "cci": "29",
          "timestamp": "1713791120",
          "url": "https://drive.google.com/open?id=14WLyjF82rGg",
          "alert_type": "ctep",
          "tenant_name": "CLS"
        },
        "securityMarks": {
          "name": "organizations//sources//findings/00087f8800a911ef94c60242c0a8f104/securityMarks"
        },
        "eventTime": "2024-04-22T13:05:20Z",
        "createTime": "2024-04-22T13:05:34.141Z",
        "canonicalName": "projects//sources//findings/00087f8800a911ef94c60242c0a8f104",
        "mute": "MUTED",
        "muteUpdateTime": "2024-04-22T13:05:35.371Z",
        "muteInitiator": "Muted by mute rule organizations//muteConfigs/rule8",
        "contacts": {
          "security": { "contacts": [ { "email": "systems@abc.com" } ] },
          "technical": { "contacts": [ { "email": "systems@abc.com" } ] }
        },
        "parentDisplayName": "test"
      },
      "resource": {
        "name": "//cloudresourcemanager.googleapis.com/projects/",
        "projectName": "//cloudresourcemanager.googleapis.com/projects/",
        "projectDisplayName": "",
        "parentName": "//cloudresourcemanager.googleapis.com/organizations/",
        "parentDisplayName": "abc.com",
        "type": "google.cloud.resourcemanager.Project",
        "displayName": "",
        "cloudProvider": "GOOGLE_CLOUD_PLATFORM",
        "organization": "organizations/",
        "service": "cloudresourcemanager.googleapis.com",
        "resourcePath": {
          "nodes": [
            { "nodeType": "GCP_PROJECT", "id": "projects/", "displayName": "" },
            { "nodeType": "GCP_ORGANIZATION", "id": "organizations/" }
          ]
        },
        "resourcePathString": "organizations//projects/"
      }
    }
  ],
  "readTime": "2024-04-22T13:31:00.144Z",
  "nextPageToken": "CsoD3cy7qgAx8Qqf…",
  "totalSize": 22210
}
```
Create Finding
API endpoint: <Base URL>/v1/organizations/{organizationId}/sources/{sourceId}/findings
Method: POST
Body:
```json
{
  "name": "/findings/00087f8800a911ef94c60242c0a8f104",
  "parent": "",
  "resourceName": "//cloudresourcemanager.googleapis.com/projects/",
  "state": "ACTIVE",
  "category": "ctep",
  "eventTime": "2024-04-10T07:19:30Z",
  "createTime": "2024-04-10T07:19:31.208001Z",
  …
}
```
Sample API Response:
```json
{
  "name": "organizations//sources//findings/00087f8800a911ef94c60242c0a8f104",
  "parent": "organizations//sources/",
  "resourceName": "//cloudresourcemanager.googleapis.com/projects/",
  "state": "ACTIVE",
  "category": "ctep",
  "securityMarks": {
    "name": "organizations//sources//findings/00087f8800a911ef94c60242c0a8f104/securityMarks"
  },
  "eventTime": "2024-04-10T07:19:30Z",
  "createTime": "2024-04-22T05:46:05.439Z",
  "canonicalName": "projects//sources//locations/global/findings/00087f8800a911ef94c60242c0a8f104",
  "mute": "MUTED",
  "muteUpdateTime": "2024-04-22T05:46:06.580Z",
  "muteInitiator": "Muted by mute rule organizations//muteConfigs/rule8",
  "contacts": {
    "security": { "contacts": [ { "email": "systems@crestdatasys.com" } ] },
    "technical": { "contacts": [ { "email": "systems@crestdatasys.com" } ] }
  },
  "parentDisplayName": "test"
}
```
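As an added example (not the plugin's own code), the snippets above combined into one flow: build the Create Finding request for a single Netskope alert and post it through the authorized session. Organization ID, Source ID, the project number from the Get Project response, and the alert dictionary are assumed inputs; the 32-hex-character finding id is an assumption taken from the sample responses.

```python
import uuid
from datetime import datetime, timezone

SCC_BASE_URL = "https://securitycenter.googleapis.com"
GCP_SCOPE = ["https://www.googleapis.com/auth/cloud-platform"]


def make_session(key_file_json, proxies=None):
    """Authorized session from the service-account key JSON, as the plugin does."""
    import json  # local imports so the rest of the module runs without google-auth
    from google.oauth2 import service_account
    from google.auth.transport import requests as gauth_requests

    creds = service_account.Credentials.from_service_account_info(json.loads(key_file_json))
    session = gauth_requests.AuthorizedSession(creds.with_scopes(GCP_SCOPE))
    session.proxies = proxies or {}
    return session


def build_finding(organization_id, source_id, project_number, alert, finding_id=None):
    """Map one Netskope alert (a dict of its fields) to a Create Finding request.

    Returns (url, query params, body). finding_id defaults to a 32-hex-char uuid,
    an assumption matching the ids in the sample responses above.
    """
    finding_id = finding_id or uuid.uuid4().hex
    parent = f"organizations/{organization_id}/sources/{source_id}"
    # Netskope timestamps are epoch seconds; SCC eventTime must be RFC 3339 UTC.
    event_time = datetime.fromtimestamp(int(alert["timestamp"]), tz=timezone.utc)
    body = {
        "name": f"{parent}/findings/{finding_id}",
        "parent": parent,
        # project_number comes from the Resource Manager Get Project response.
        "resourceName": f"//cloudresourcemanager.googleapis.com/projects/{project_number}",
        "state": "ACTIVE",
        "category": alert["alert_type"],
        "eventTime": event_time.strftime("%Y-%m-%dT%H:%M:%SZ"),
        # Raw alert fields land under Source Properties as strings (see sample).
        "sourceProperties": {k: str(v) for k, v in alert.items()},
    }
    return f"{SCC_BASE_URL}/v1/{parent}/findings", {"findingId": finding_id}, body


def push_finding(session, organization_id, source_id, project_number, alert):
    """POST the finding; session only needs a requests-style post() method."""
    url, params, body = build_finding(organization_id, source_id, project_number, alert)
    resp = session.post(url, params=params, json=body, headers={"Content-Type": "application/json"})
    if resp.status_code != 200:
        raise RuntimeError(f"SCC create finding failed: {resp.status_code} {resp.text}")
    return resp.json()
```

The timestamp 1713791120 from the List Findings sample maps to eventTime 2024-04-22T13:05:20Z, which is a quick check that the conversion matches what SCC stored.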
Get a Source
API endpoint: <Base URL>/v1/organizations/{organizationId}/sources/{sourceId}
Method: GET
Sample API Response:
```json
{
  "name": "organizations//sources/",
  "displayName": "Source Name",
  "description": "Source description"
}
```
Create a Source
API Endpoint: <Base URL>/v1/organizations/{organizationId}/sources/{sourceId}
Method: POST
Body:
```json
{
  "name": "Name of source",
  "displayName": "Unique name of the source",
  "description": "Description of the source"
}
```
Sample API Response:
```json
{
  "name": "organizations/<org_id>/sources/<source_id>",
  "displayName": "Unique source Name",
  "description": "Source description"
}
```
User Agent
Netskope-ce-5.0.1-cls-google-cloud-scc-v2.1.0
Workflow
- Create a Google Cloud SCC service account.
- Configure the Google Cloud SCC Plugin.
- Configure the Log Shipper Business Rules for Google Cloud SCC.
- Configure Log Shipper SIEM Mappings for Google Cloud SCC.
- Validate the Google Cloud SCC plugin.
Create a Google Cloud SCC Service Account
- Log in to Google Cloud Platform at https://console.cloud.google.com/.
- Go to IAM & Admin > Service Accounts.
- Click + Create Service Account.
- Enter a Service account name and Service account description, and then click Create and Continue.
- Add the required permissions.
- Click Continue.
- Click Done.
- Click the 3 dots under Action.
- Click Manage Keys.
- Click Add Key and then click Create new key.
- Select JSON and click Create to download the key to your local device.
- Go to https://cloud.google.com/security-command-center/docs/reference/rest/v1beta1/organizations.sources/create
- Click Try It. Enter Parent and Request Body data, check Google OAuth 2.0 and API Key, and then click Execute.
- Note the Source ID from the name field in the response (organizations/<org_id>/sources/<source_id>); you will need it when configuring the plugin.
Configure the Google Cloud SCC Plugin
- In Cloud Exchange, go to Settings > Plugins.
- Search for and select the Google Cloud SCC box to open the plugin creation pages.
- Enter a Configuration Name, and make sure the default Google Cloud SCC mapping file is selected.
- Disable the toggle button to transform the logs in order to ingest the data in JSON format.
- Click Next.
- Enter values for these parameters:
- Organization ID: Organization ID of the GCP organization into which data will be ingested.
- Source ID: ID of the SCC source created earlier, taken from the name field of the create response.
- Key File: Service Account Key file of GCP (the downloaded JSON).
- Click Save. Your plugin will appear on the Cloud Log Shipper > Plugins page.
Configure the Log Shipper Business Rules for Google Cloud SCC
- Go to Log Shipper > Business Rules.
- By default, there’s a business rule that filters all alerts and events. If you want to filter out any specific types of alerts or events, click Create New Rule and configure a new business rule by adding a rule name and selecting filters.
- Click Save.
Configure Log Shipper SIEM Mappings for Google Cloud SCC
- Go to Log Shipper > SIEM Mappings and click Add SIEM Mapping.
- Select a Source Configuration, Business Rule, and Destination Configuration.
- Click Save.
Validate the Google Cloud SCC Plugin
Validate the Pull
To validate the pulling of Events and Alerts from the Netskope tenant:
Go to Logging in Cloud Exchange and search for the pulled logs.
Validate the Push
To validate the push in Cloud Exchange, go to Logging and search for ingested Events and Alerts using the filter "message contains ingested". Only the ingested logs will be shown.
To validate the push in Google Cloud SCC:
- Log in to Google Cloud Platform.
- Click Findings.
- Select Show inactive and Show muted.
- Click on any Event or Alert.
- Click Source Properties.
- Alternatively, click JSON; the ingested data appears under Source Properties.
Troubleshooting
If you encounter difficulties while upgrading the Google Cloud SCC plugin
Even with all parameters filled in, clicking Save may produce an error. A likely cause is that the toggle for transforming logs is enabled when it should be disabled.
What to do:
- Go to Log Shipper > Plugins page.
- Edit the Google Cloud SCC plugin and disable the toggle to transform logs.
- Click Save.
- Enable the plugin.