Google Cloud SCC Plugin for Log Shipper

This document explains how to configure the Google Cloud SCC plugin with the Log Shipper module of the Netskope Cloud Exchange platform. The integration ingests Netskope alerts and events into your Google Cloud Security Command Center (SCC) organization as findings, with the Netskope fields carried in JSON format.

Prerequisites

To complete this configuration, you need:

  • A Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
  • A Netskope Cloud Exchange tenant with the Log Shipper module already configured.
  • A Google Cloud service account JSON key whose service account holds the roles listed under Permissions below.
  • Connectivity from the Cloud Exchange host to the Google Cloud console (https://console.cloud.google.com/) for setup, and to the API hosts the plugin calls: https://securitycenter.googleapis.com and https://cloudresourcemanager.googleapis.com.

Note

Grant the service account only the roles listed under Permissions, and treat the downloaded JSON key as a secret: store it only in the Cloud Exchange plugin configuration, do not commit it to source control or share it in tickets, and delete and re-issue the key if it is exposed. Allow access to your Google Cloud resources only from the Cloud Exchange host and any other addresses that need it.

CE Version Compatibility

Netskope CE v4.2.0, v5.0.1

Google Cloud SCC Plugin Support

The Google Cloud SCC plugin ingests Alerts and Events in JSON format.

Alerts Support

Yes

Event Support

Yes

WebTx Support

NA

Permissions

The following roles must be granted to the service account at the organization level:

  • Security Center Source Editor
  • Security Center Findings Editor
  • Resource Manager get projects (Role: Browser)

API Details

This plugin uses the google-auth Python library to authenticate with the Google Cloud APIs.

  • Library: Google Authentication library for Python (google-auth).
  • Usage: builds OAuth 2.0 credentials from the service account key and attaches a bearer token to every request the plugin sends to the Google APIs.

Create a new session with credentials

import json

from google.oauth2 import service_account
from google.auth.transport import requests as request

# Both SCC and Resource Manager accept the cloud-platform scope.
self.gcp_scope = ["https://www.googleapis.com/auth/cloud-platform"]

# The Key File parameter holds the service account JSON key as text.
self.creds = service_account.Credentials.from_service_account_info(
    json.loads(self.configuration["key_file"])
)
scoped = self.creds.with_scopes(self.gcp_scope)

# AuthorizedSession fetches and refreshes the OAuth 2.0 token and attaches it to every request.
self.gcp_session = request.AuthorizedSession(scoped)
# Route through the Cloud Exchange proxy, if one is configured.
self.gcp_session.proxies = self.proxy
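The snippet above parses the Key File parameter straight into credentials. As an added example (not the plugin's own code), the block below checks the key before it is used and returns only non-secret metadata, so a bad configuration produces a clear validation message without the private key ever reaching a log line. The field list, the placeholder PEM body in SAMPLE_KEY_FILE and the session builder are assumptions for illustration; google-auth is imported lazily so the validation runs without it.

```python
import json
import re
from typing import Optional, Tuple

# Fields every Google service-account JSON key carries; the plugin needs at
# least these to build credentials (assumption: extra fields are ignored).
REQUIRED_KEY_FIELDS = ("type", "project_id", "private_key", "client_email", "token_uri")
GCP_SCOPE = ["https://www.googleapis.com/auth/cloud-platform"]
PEM_HEADER = "-----BEGIN PRIVATE KEY-----"

# Constructed sample key: the private_key is a placeholder PEM body, not a real key.
SAMPLE_KEY_FILE = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123abcd",
    "private_key": PEM_HEADER + "\nAAAA\n-----END PRIVATE KEY-----\n",
    "client_email": "scc-writer@example-project.iam.gserviceaccount.com",
    "token_uri": "https://oauth2.googleapis.com/token",
})


def validate_key_file(key_file_text: str) -> Tuple[bool, str, dict]:
    """Return (ok, message, summary) for the Key File parameter.

    Neither the message nor the summary ever contains the private key, so
    both are safe to show in the Cloud Exchange UI or write to its logs.
    """
    try:
        info = json.loads(key_file_text)
    except ValueError:
        return False, "Key File is not valid JSON.", {}
    if not isinstance(info, dict):
        return False, "Key File must be a JSON object.", {}
    missing = [f for f in REQUIRED_KEY_FIELDS if not info.get(f)]
    if missing:
        return False, "Key File is missing fields: " + ", ".join(missing) + ".", {}
    if info["type"] != "service_account":
        return False, f"Key File type is {info['type']!r}, expected 'service_account'.", {}
    if not str(info["private_key"]).startswith(PEM_HEADER):
        return False, "Key File private_key is not a PEM-encoded private key.", {}
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.gserviceaccount\.com", str(info["client_email"])):
        return False, "Key File client_email is not a service-account address.", {}
    summary = {
        "client_email": info["client_email"],
        "project_id": info["project_id"],
        "private_key_id": info.get("private_key_id", ""),
    }
    return True, "Key File is valid.", summary


def make_scc_session(key_file_text: str, proxies: Optional[dict] = None,
                     user_agent: str = "Netskope-ce-5.0.1-cls-google-cloud-scc-v2.1.0"):
    """Build the google-auth AuthorizedSession the plugin uses, after validation.

    google-auth is imported here so validate_key_file() also works without it.
    """
    ok, message, _ = validate_key_file(key_file_text)
    if not ok:
        raise ValueError(message)
    from google.oauth2 import service_account
    from google.auth.transport.requests import AuthorizedSession

    creds = service_account.Credentials.from_service_account_info(json.loads(key_file_text))
    session = AuthorizedSession(creds.with_scopes(GCP_SCOPE))
    session.proxies = proxies or {}  # honour Cloud Exchange proxy settings
    session.headers["User-Agent"] = user_agent
    return session
```

Call validate_key_file() from the plugin's configuration validation step and make_scc_session() only once it returns ok; the summary dict is what you log, never the raw parameter.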

Google Cloud GET API Request

response = self.gcp_session.get(
    url,
    headers=headers,
    params=params,
)

Google Cloud POST API Request

response = self.gcp_session.post(
    url,
    params=param,
    json=data,
    headers=headers,
)

Resource Manager API

API Endpoint              Method  Use Case
/v1/projects/{projectId}  GET     Retrieves the Project identified by the specified projectId.

The Base URL https://cloudresourcemanager.googleapis.com is the same for all Resource Manager APIs.

Get Project

API Endpoint: <Base URL>/v1/projects/{projectId}
Method: GET
Sample API Response:

{
  "projectNumber": "",
  "projectId": "",
  "lifecycleState": "ACTIVE",
  "name": "projectName",
  "createTime": "2024-04-04T10:01:07.553347Z",
  "parent": {
    "type": "organization",
    "id": ""
  }
}

Security Command Center APIs

API Endpoint                                                    Method  Use Case
/v1/organizations/{organizationId}/sources/{sourceId}/findings  GET     Lists an organization's or source's findings.
/v1/organizations/{organizationId}/sources/{sourceId}/findings  POST    Creates a finding. The corresponding source must exist for finding creation to succeed.
/v1/organizations/{organizationId}/sources/{sourceId}           GET     Gets a source.
/v1/organizations/{organizationId}/sources                      POST    Creates a source. The API assigns the source ID and returns it in the name field.

The Base URL https://securitycenter.googleapis.com is the same for all Security Command Center APIs.

List Findings

API endpoint: <Base URL>/v1/organizations/{organizationId}/sources/{sourceId}/findings
Method: GET
Sample API Response:

{
  "listFindingsResults": [
    {
      "finding": {
        "name": "organizations//sources//findings/00087f8800a911ef94c60242c0a8f104",
        "parent": "organizations//sources/",
        "resourceName": "//cloudresourcemanager.googleapis.com/projects/",
        "state": "ACTIVE",
        "category": "ctep",
        "externalUri": "https://drive.google.com/open?id=14WLyjF82rGg",
        "sourceProperties": {
          "cci": "29",
          "timestamp": "1713791120",
          "url": "https://drive.google.com/open?id=14WLyjF82rGg",
          "alert_type": "ctep",
          "tenant_name": "CLS"
        },
        "securityMarks": {
          "name": "organizations//sources//findings/00087f8800a911ef94c60242c0a8f104/securityMarks"
        },
        "eventTime": "2024-04-22T13:05:20Z",
        "createTime": "2024-04-22T13:05:34.141Z",
        "canonicalName": "projects//sources//findings/00087f8800a911ef94c60242c0a8f104",
        "mute": "MUTED",
        "muteUpdateTime": "2024-04-22T13:05:35.371Z",
        "muteInitiator": "Muted by mute rule organizations//muteConfigs/rule8",
        "contacts": {
          "security": {
            "contacts": [
              {
                "email": "systems@abc.com"
              }
            ]
          },
          "technical": {
            "contacts": [
              {
                "email": "systems@abc.com"
              }
            ]
          }
        },
        "parentDisplayName": "test"
      },
      "resource": {
        "name": "//cloudresourcemanager.googleapis.com/projects/",
        "projectName": "//cloudresourcemanager.googleapis.com/projects/",
        "projectDisplayName": "",
        "parentName": "//cloudresourcemanager.googleapis.com/organizations/",
        "parentDisplayName": "abc.com",
        "type": "google.cloud.resourcemanager.Project",
        "displayName": "",
        "cloudProvider": "GOOGLE_CLOUD_PLATFORM",
        "organization": "organizations/",
        "service": "cloudresourcemanager.googleapis.com",
        "resourcePath": {
          "nodes": [
            {
              "nodeType": "GCP_PROJECT",
              "id": "projects/",
              "displayName": ""
            },
            {
              "nodeType": "GCP_ORGANIZATION",
              "id": "organizations/"
            }
          ]
        },
        "resourcePathString": "organizations//projects/"
      }
    }
  ],
  "readTime": "2024-04-22T13:31:00.144Z",
  "nextPageToken": "CsoD3cy7qgAx8Qqf…",
  "totalSize": 22210
}
Create Finding

API endpoint: <Base URL>/v1/organizations/{organizationId}/sources/{sourceId}/findings
Method: POST
Body:

{
  "name": "/findings/00087f8800a911ef94c60242c0a8f104",
  "parent": "",
  "resourceName": "//cloudresourcemanager.googleapis.com/projects/",
  "state": "ACTIVE",
  "category": "ctep",
  "eventTime": "2024-04-10T07:19:30Z",
  "createTime": "2024-04-10T07:19:31.208001Z",
   …
}

Sample API Response:

{
  "name": "organizations//sources//findings/00087f8800a911ef94c60242c0a8f104",
  "parent": "organizations//sources/",
  "resourceName": "//cloudresourcemanager.googleapis.com/projects/",
  "state": "ACTIVE",
  "category": "ctep",
  "securityMarks": {
    "name": "organizations//sources//findings/00087f8800a911ef94c60242c0a8f104/securityMarks"
  },
  "eventTime": "2024-04-10T07:19:30Z",
  "createTime": "2024-04-22T05:46:05.439Z",
  "canonicalName": "projects//sources//locations/global/findings/00087f8800a911ef94c60242c0a8f104",
  "mute": "MUTED",
  "muteUpdateTime": "2024-04-22T05:46:06.580Z",
  "muteInitiator": "Muted by mute rule organizations//muteConfigs/rule8",
  "contacts": {
    "security": {
      "contacts": [
        {
          "email": "systems@crestdatasys.com"
        }
      ]
    },
    "technical": {
      "contacts": [
        {
          "email": "systems@crestdatasys.com"
        }
      ]
    }
  },
  "parentDisplayName": "test"
}
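The Create Finding body above is shown with its fixed fields only; the Netskope data itself travels in sourceProperties, which is also where the Validate the Push procedure later tells you to look. As an added example (not the plugin's own mapping code), the block below turns one Netskope alert into a (findingId, body) pair. The field choices follow the sample responses on this page (category = alert_type, externalUri = url, string-valued sourceProperties with tenant_name added, resourceName built from the project number returned by Get Project). The sample alert is constructed, the sourceProperties key rules are the API's (a key starts with a letter and contains only letters, digits and underscores), and the hash-based findingId scheme is an assumption chosen so that a re-delivered alert maps to the same finding instead of creating a second one.

```python
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed sample alert with the fields the mapping uses; real alerts carry many more.
SAMPLE_ALERT = {
    "_id": "6626c5f0a1b2c3d4e5f60718",
    "alert_type": "ctep",
    "timestamp": 1713791120,
    "cci": 29,
    "url": "https://drive.google.com/open?id=14WLyjF82rGg",
    "user": "user@example.com",
    "policy": {"name": "Block-malware"},  # nested value, to show flattening
    "tags": None,                          # null values are dropped
}


def safe_key(key: str) -> str:
    """sourceProperties keys: a letter first, then letters, digits or underscores, max 255 chars."""
    key = re.sub(r"[^A-Za-z0-9_]", "_", key).lstrip("_")
    if not key[:1].isalpha():
        key = "x_" + key
    return key[:255]


def flatten(obj: dict, prefix: str = "") -> dict:
    """Flatten nested dicts into <parent>_<child> keys; values become strings, lists JSON text."""
    out = {}
    for k, v in obj.items():
        if v is None:
            continue
        name = f"{prefix}_{k}" if prefix else k
        if isinstance(v, dict):
            out.update(flatten(v, name))
        else:
            out[safe_key(name)] = json.dumps(v) if isinstance(v, list) else str(v)
    return out


def finding_id_for(alert: dict, tenant_name: str) -> str:
    """Deterministic 32-character ID (assumption) that fits the API's 1-32 alphanumeric findingId rule."""
    seed = f"{tenant_name}|{alert.get('_id')}|{alert.get('timestamp')}".encode()
    return hashlib.sha256(seed).hexdigest()[:32]


def to_finding(alert: dict, tenant_name: str, org_id: str, source_id: str, project_number: str):
    """Return (findingId, request body). project_number is projectNumber from the Get Project response."""
    event_time = datetime.fromtimestamp(int(alert["timestamp"]), tz=timezone.utc)
    props = flatten(alert)
    props["tenant_name"] = tenant_name
    body = {
        "parent": f"organizations/{org_id}/sources/{source_id}",
        "resourceName": f"//cloudresourcemanager.googleapis.com/projects/{project_number}",
        "state": "ACTIVE",
        "category": str(alert.get("alert_type") or "netskope_event"),  # fallback for events is an assumption
        "externalUri": str(alert.get("url", "")),
        "sourceProperties": props,
        "eventTime": event_time.strftime("%Y-%m-%dT%H:%M:%SZ"),
    }
    return finding_id_for(alert, tenant_name), body
```

The returned findingId goes into the findingId query parameter of the POST and the body is sent as JSON; with the sample alert the eventTime comes out as 2024-04-22T13:05:20Z, matching the timestamp/eventTime pair in the List Findings sample above.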
Get a Source

API endpoint: <Base URL>/v1/organizations/{organizationId}/sources/{sourceId}
Method: GET
Sample API Response:

{
  "name": "organizations//sources/",
  "displayName": "Source Name",
  "description": "Source description"
}
Create a Source

API Endpoint: <Base URL>/v1/organizations/{organizationId}/sources
Method: POST
The API assigns the source ID; it is the last path segment of the name field in the response.
Body:

{
  "name": "Name of source",
  "displayName": "Unique name of the source",
  "description": "Description of the source"
}

Sample API Response:

{
  "name": "organizations/<org_id>/sources/<source_id>",
  "displayName": "Unique source Name",
  "description": "Source description"
}
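The four Security Command Center calls above are simple enough to wrap in one small client. The block below is an added example, not the plugin's own code: it implements Get a Source, Create a Source, Create Finding (with the findingId query parameter) and List Findings with nextPageToken paging, surfaces Google's error envelope without echoing the request body, and runs offline against a constructed FakeSession that stands in for the AuthorizedSession created under API Details. The organization and source IDs, the canned responses and the FakeSession/_Resp test doubles are assumptions; the Resource Manager Get Project call is omitted here for brevity.

```python
import json
from typing import Iterator, Optional

SCC_BASE = "https://securitycenter.googleapis.com"
USER_AGENT = "Netskope-ce-5.0.1-cls-google-cloud-scc-v2.1.0"


class SccApiError(RuntimeError):
    """Google returned an error; carries the API's message, never our request body."""


class SccClient:
    """The page's SCC calls; `session` is anything with requests-style get()/post()."""

    def __init__(self, session, organization_id: str, user_agent: str = USER_AGENT):
        self.session, self.org = session, organization_id
        self.headers = {"User-Agent": user_agent, "Content-Type": "application/json"}

    def _check(self, resp, what: str) -> dict:
        if resp.status_code >= 400:
            try:  # Google error envelope: {"error": {"code": ..., "message": ..., "status": ...}}
                msg = resp.json()["error"]["message"]
            except (ValueError, KeyError, TypeError):
                msg = resp.text[:200]
            raise SccApiError(f"{what} failed with HTTP {resp.status_code}: {msg}")
        return resp.json()

    def get_source(self, source_id: str) -> dict:
        url = f"{SCC_BASE}/v1/organizations/{self.org}/sources/{source_id}"
        return self._check(self.session.get(url, headers=self.headers), f"get source {source_id}")

    def create_source(self, display_name: str, description: str) -> str:
        """POST to .../sources; the API assigns the source ID (last path segment of name)."""
        url = f"{SCC_BASE}/v1/organizations/{self.org}/sources"
        body = {"displayName": display_name, "description": description}
        created = self._check(self.session.post(url, headers=self.headers, json=body), "create source")
        return created["name"].rsplit("/", 1)[1]

    def create_finding(self, source_id: str, finding_id: str, finding: dict) -> dict:
        """findingId is a query parameter: 1-32 alphanumeric characters, unique within the source."""
        if not (0 < len(finding_id) <= 32 and finding_id.isalnum()):
            raise ValueError(f"invalid findingId {finding_id!r}")
        url = f"{SCC_BASE}/v1/organizations/{self.org}/sources/{source_id}/findings"
        resp = self.session.post(url, params={"findingId": finding_id}, json=finding, headers=self.headers)
        return self._check(resp, f"create finding {finding_id}")

    def list_findings(self, source_id: str, filter_expr: Optional[str] = None, page_size: int = 1000) -> Iterator[dict]:
        """Yield findings page by page, following nextPageToken until the API omits it."""
        url = f"{SCC_BASE}/v1/organizations/{self.org}/sources/{source_id}/findings"
        params = {"pageSize": page_size, **({"filter": filter_expr} if filter_expr else {})}
        while True:
            page = self._check(self.session.get(url, headers=self.headers, params=params), "list findings")
            for item in page.get("listFindingsResults", []):
                yield item["finding"]
            if not page.get("nextPageToken"):
                return
            params["pageToken"] = page["nextPageToken"]


class _Resp:  # constructed stand-in for requests.Response
    def __init__(self, status_code: int, body: dict):
        self.status_code, self._body, self.text = status_code, body, json.dumps(body)
    def json(self) -> dict:
        return self._body


class FakeSession:  # constructed test double: replays canned responses, records every call
    def __init__(self, routes: dict):
        self.routes, self.calls = routes, []
    def _do(self, method, url, params=None, **_):
        self.calls.append((method, url, dict(params or {})))
        handler = self.routes.get((method, url))
        if handler is None:
            return _Resp(404, {"error": {"code": 404, "message": "Requested entity was not found.", "status": "NOT_FOUND"}})
        return handler(dict(params or {}))
    def get(self, url, **kw):
        return self._do("GET", url, **kw)
    def post(self, url, **kw):
        return self._do("POST", url, **kw)


def demo() -> tuple:
    """Run the client against canned responses: two findings pages, one create, one 404."""
    org, src = "123456789012", "5555"
    src_url, src_name = f"{SCC_BASE}/v1/organizations/{org}/sources/{src}", f"organizations/{org}/sources/{src}"
    def findings_page(params):
        if "pageToken" not in params:
            return _Resp(200, {"listFindingsResults": [{"finding": {"name": f"{src_name}/findings/a1"}}], "nextPageToken": "tok2"})
        return _Resp(200, {"listFindingsResults": [{"finding": {"name": f"{src_name}/findings/b2"}}]})
    routes = {
        ("GET", src_url): lambda p: _Resp(200, {"name": src_name, "displayName": "Netskope"}),
        ("GET", src_url + "/findings"): findings_page,
        ("POST", src_url + "/findings"): lambda p: _Resp(200, {"name": f"{src_name}/findings/{p['findingId']}"}),
    }
    client = SccClient(FakeSession(routes), org)
    display = client.get_source(src)["displayName"]
    names = [f["name"] for f in client.list_findings(src)]
    created = client.create_finding(src, "00087f8800a911ef94c60242c0a8f104", {"category": "ctep"})["name"]
    try:
        client.get_source("nope")
        error = ""
    except SccApiError as exc:
        error = str(exc)
    return display, names, created, error, len(client.session.calls)
```

In production, pass the AuthorizedSession from API Details as `session`; get_source() is the check to run when the plugin configuration is saved, since a wrong Source ID or a service account without Security Center Source Editor surfaces there as an SccApiError instead of failing later on every finding.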
User Agent

Netskope-ce-5.0.1-cls-google-cloud-scc-v2.1.0

Workflow

  1. Create a Google Cloud SCC service account.
  2. Configure the Google Cloud SCC Plugin.
  3. Configure the Log Shipper Business Rules for Google Cloud SCC.
  4. Configure Log Shipper SIEM Mappings for Google Cloud SCC.
  5. Validate the Google Cloud SCC plugin.

Create a Google Cloud SCC Service Account

  1. Log in to Google Cloud Platform at https://console.cloud.google.com/.
  2. Go to IAM & Admin > Service Accounts.
  3. Click + Create Service Account.
  4. Enter a Service account name and Service account description, and then click Create and Continue.
  5. Grant the roles listed under Permissions. The Security Center roles are required at the organization level, so if this wizard only offers project-level roles, grant them on the organization afterwards under IAM & Admin > IAM with the organization selected.
  6. Click Continue.
  7. Click Done.
  8. Click the 3 dots under Action.
  9. Click Manage Keys.
  10. Click Add Key and then click Create new key.
  11. Select JSON and click Create to download the key to your local device.
  12. Go to https://cloud.google.com/security-command-center/docs/reference/rest/v1beta1/organizations.sources/create
  13. Click Try It. Set parent to organizations/<organizationId>, enter a request body with displayName and description, check Google OAuth 2.0 and API Key, and then click Execute.
  14. Note the source ID: it is the last path segment of the name field in the response (organizations/<org_id>/sources/<source_id>). You need it for the plugin's Source ID parameter.

Configure the Google Cloud SCC Plugin

  1. In Cloud Exchange, go to Settings > Plugins.
  2. Search for and select the Google Cloud SCC box to open the plugin creation pages.
  3. Enter a Configuration Name, and make sure the default Google Cloud SCC mapping file is selected.
  4. Disable the toggle button to transform the logs in order to ingest the data in JSON format.
  5. Click Next.
  6. Enter values for these parameters:
    • Organization ID: ID of the Google Cloud organization in which findings will be created.
    • Source ID: ID of the Security Command Center source, created in the previous procedure, under which findings will be created.
    • Key File: Contents of the service account JSON key file downloaded in the previous procedure.
  7. Click Save. Your plugin will appear on the Cloud Log Shipper > Plugins page.

Configure the Log Shipper Business Rules for Google Cloud SCC

  1. Go to Log Shipper > Business Rules.
  2. By default, there’s a business rule that filters all alerts and events. If you want to filter out any specific types of alerts or events, click Create New Rule and configure a new business rule by adding a rule name and selecting filters.
  3. Click Save.

Configure Log Shipper SIEM Mappings for Google Cloud SCC

  1. Go to Log Shipper > SIEM Mappings and click Add SIEM Mapping.
  2. Select a Source Configuration, Business Rule, and Destination Configuration.
  3. Click Save.

Validate the Google Cloud SCC Plugin

Validate the Pull

To validate the pulling of Events and Alerts from the Netskope tenant, go to Logging in Cloud Exchange and search for the pulled logs.

Validate the Push

To validate the push in Cloud Exchange, go to Logging and search for the ingested Events and Alerts with the filter "message contains ingested". Only the ingestion log lines are shown.


To validate the push in Google Cloud SCC:

  1. Log in to Google Cloud Platform and open Security Command Center.
  2. Click Findings.
  3. Select Show inactive and Show muted, so findings that a mute rule has muted or that are no longer active are not hidden from the list.
  4. Click any Event or Alert.
  5. Click Source Properties. The Netskope fields (for example alert_type, tenant_name and timestamp) appear here.
  6. Alternatively, click JSON; the same data is listed under sourceProperties.

Troubleshooting

If you encounter difficulties while upgrading the Google Cloud SCC plugin

If saving the configuration fails even though every parameter is filled in, the usual cause is that the toggle to transform the logs is enabled. This plugin ingests raw JSON, so the toggle must be disabled.

What to do:

  1. Go to Log Shipper > Plugins page.
  2. Edit the Google Cloud SCC plugin and disable the toggle to transform logs.
  3. Click Save.
  4. Enable the plugin.