Configure a Google Cloud project for Google SecOps

During the onboarding process, your Google SecOps representative works with you to bind your Google SecOps instance to a Google Cloud project within a Google Cloud organization that you own.

Using the steps in this document, you create a project in a Google Cloud organization that you own and enable the Chronicle API.

This project creates a control layer for you to enable, inspect, and manage access to audit logs generated in Google SecOps written to Cloud Audit Logs, create custom ingestion outage alerts using Cloud Monitoring, and store exported historical data. You can set up permissions in the project to grant it access to Chronicle APIs, allowing Google SecOps to read and write data to the project.

Because the established control layer created by your Google Cloud project stores sensitive security telemetry, we recommend provisioning a new Google Cloud project specifically for Google Security Operations. You may also choose to bind Google SecOps to an existing project, but be aware of how associated existing permissions and restrictions may impact their Google SecOps experience.

There is a one-to-one relationship between a Google SecOps instance and a Google Cloud project. You choose a single project that binds to Google SecOps. If you have multiple organizations, select one organization where you create this project. You cannot bind Google SecOps to multiple projects.

Before you begin

Make sure you have the permissions to perform the steps in this document. For information about required permissions for each phase of the onboarding process, see Required roles.

Create and configure a Google Cloud project

The following section describes the steps to create a project for Google Security Operations SIEM. For more information, see Create a project.

  1. Select the organization where you want to create a project.

  2. Click Create Project.

  3. In the New Project window, do the following:

    • Enter a project name.

      To help identify which project is bound to your Google SecOps instance, we recommend that you use the following pattern for the project name:


      Replace CUSTOMER_FRONTEND_PATH with your customer-specific identifier used in the URL to access your Google SecOps instance. See Log in to Google SecOps for an example. Your Google SecOps representative can provide this value.

    • Select a billing account.

    • Enter the parent organization.

    • In the Location field, click Browse, and then select the organization or folder where you want the project to be located.

  4. Enable the Chronicle API in the project.

    1. Select the project that you created in the previous step.
    2. Navigate to APIs & Services > Library
    3. Search for Chronicle API.
    4. Select Chronicle API, and then click Enable.

      For more detail, see Enabling an API in your Google Cloud project.

  5. Configure Essential Contacts to receive targeted notifications from Google Cloud. For more information, see Managing contacts for notifications.

    You may notice that a new service account has an IAM permission grant on the project. The service account name follows the pattern, where PROJECT_NUMBER is unique to the project. This service account has the role "Chronicle Service Agent".

    The service account exists in a project maintained by Google SecOps. You can see this permission grant by navigating to the IAM page of your Google Cloud project, and then selecting the Include Google-provided role grants checkbox in the upper right-hand corner.

    If you don't see the new service account, check that the Include Google-provided role grants button is enabled on the IAM page.

What's next

After completing the steps in this document, perform the following:

  • Apply security and compliance controls to the project to satisfy your business use case and organization policies. For more information about how to do this, see Assured Workloads documentation. Compliance restrictions associated with your Google Cloud organization or required by projects are not applied by default.

    If you enabled Access Transparency in your organization, Google SecOps writes Access Transparency logs when any Google personnel access customer content that supports SIEM features. You can find more information about enabling Access Transparency and viewing Access Transparency logs.

  • Configure a third-party identity provider for Google Security Operations.

  • Enable Google SecOps audit logging. Google SecOps writes Data Access audit logs and Admin Activity audit logs to the project. You cannot disable Data Access logging using Google Cloud console. If you want to disable Data Access logging, contact your Google SecOps representative, who can disable this for you.