Configure a Google Cloud project for Google SecOps

A Google Cloud project acts as a control layer for the linked Google SecOps instance. It stores customer-specific data such as security telemetry, audit logs, ingestion alerts, and other sensitive instance-level information.

The following sections describe how to configure your Google Cloud project.

Prerequisites

Each new Google SecOps instance should be linked to a single Google Cloud project. You can either link to an existing Google Cloud project or create a new one, depending on your organizational setup and requirements:

  • We recommend creating a new, dedicated Google Cloud project for each Google SecOps instance. This approach helps isolate sensitive security telemetry and audit data specific to the Google SecOps instance.

    To create a new Google Cloud project, see Create a Google Cloud project.

  • If you link your Google SecOps instance to an existing Google Cloud project, review the project's existing IAM grants and organization policy constraints first, because they apply to the instance as well and can affect its behavior or who can access its data.

    For details, see Grant permissions to the Google SecOps instance.

Configure a Google Cloud project

The following sections describe how to enable the Chronicle API in the Google Cloud project and configure Essential Contacts.

Enable the Chronicle API in the Google Cloud project

To allow the Google SecOps instance to read from and write to the linked Google Cloud project, do the following:

  1. Go to the Manage resources page in the Google Cloud console.

    Go to the Manage Resources page

  2. At the top, click the Project picker and select your Organization resource.
  3. Select the project you are linking to the instance (the project you created, or the existing project you chose).
  4. Go to APIs & Services.
  5. Click + ENABLE APIS AND SERVICES.
  6. Search for Chronicle API and select it.
  7. Click Enable to enable the Chronicle API for the project.

For more detail, see Enabling an API in your Google Cloud project.

Configure Essential Contacts

Configure Essential Contacts to receive targeted notifications from Google Cloud. Perform the steps in Managing contacts for notifications.

New service account in your project

A new service account is added to your project. The service account is managed by Google SecOps and has the following attributes:

  • The service account naming pattern is as follows, where the PROJECT_NUMBER is unique to the project:

    service-PROJECT_NUMBER@gcp-sa-chronicle.iam.gserviceaccount.com

  • The account holds the Chronicle Service Agent role, granted at the project level. This is the grant that lets the instance read from and write to the project.

    To see the role grant, do the following:

    1. Go to the IAM page of your Google Cloud project.
    2. At the top right, select the Include Google-provided role grants checkbox.

      Google-managed service agents are hidden by default. If you don't see the new service account, confirm that the Include Google-provided role grants checkbox is selected.
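The same two checks from the command line: enabling the Chronicle API on the linked project and confirming that the Google-managed service agent holds the Chronicle Service Agent role. This is an added example, not a script from the Google SecOps documentation. It assumes gcloud is installed and authenticated, that the caller sets PROJECT_ID, and that the role ID for Chronicle Service Agent is roles/chronicle.serviceAgent (the console shows only the display name).

```shell
#!/bin/sh
# Added example (not from the Google SecOps docs). Assumes gcloud is installed and
# authenticated and that PROJECT_ID is exported by the caller; with PROJECT_ID unset
# the script only defines its helper functions and makes no API calls.

# Build the service agent email the page describes from a project number.
expected_service_agent() {
    printf 'service-%s@gcp-sa-chronicle.iam.gserviceaccount.com\n' "$1"
}

# Given a flattened IAM policy (one "ROLE<tab>MEMBER" line per binding), return 0
# if MEMBER (a service account) holds ROLE, 1 otherwise. Exact field match, so a
# different project number or a different role does not count as present.
binding_present() {
    policy_text="$1"; role="$2"; member="$3"
    printf '%s\n' "$policy_text" |
        awk -v r="$role" -v m="serviceAccount:$member" \
            '$1 == r && $2 == m { found = 1 } END { exit !found }'
}

if [ -n "${PROJECT_ID:-}" ]; then
    # 1. Enable the Chronicle API on the linked project (idempotent).
    gcloud services enable chronicle.googleapis.com --project="$PROJECT_ID"

    # 2. The service agent name embeds the project number, not the project ID.
    project_number=$(gcloud projects describe "$PROJECT_ID" --format='value(projectNumber)')
    agent=$(expected_service_agent "$project_number")

    # 3. Read the project IAM policy flattened to one role/member pair per line.
    #    Unlike the console, get-iam-policy includes Google-provided grants.
    policy=$(gcloud projects get-iam-policy "$PROJECT_ID" \
        --flatten='bindings[].members' \
        --format='value(bindings.role,bindings.members)')

    # 4. Fail loudly if the service agent is missing its role; the instance cannot
    #    write audit logs or telemetry to the project without it.
    if binding_present "$policy" roles/chronicle.serviceAgent "$agent"; then
        echo "OK: $agent holds roles/chronicle.serviceAgent on $PROJECT_ID"
    else
        echo "MISSING: roles/chronicle.serviceAgent not bound to $agent on $PROJECT_ID" >&2
        exit 1
    fi
fi
```

Run it as `PROJECT_ID=my-secops-project sh check-secops-project.sh`. The helper functions are pure shell so the matching logic can be exercised on a saved policy without touching the project, which is useful when you want the same check in a CI job that only has read access.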

What's next

After completing the steps in this document, perform the following:

  • Apply security and compliance controls to the project to satisfy your business use case and organization policies. For more information about how to do this, see the Assured Workloads documentation.

  • Integrate your Google SecOps instance with an Identity Provider (IdP), either Cloud Identity or a third-party identity provider.

  • The Google Cloud project serves as a control layer for you to do the following:

    • Enable, inspect, and manage access to audit logs generated by Google SecOps and stored in Cloud Audit Logs.
    • Set up custom ingestion outage alerts using Cloud Monitoring.
    • Store exported historical data.

    Enable Google SecOps audit logging by following the steps in Google Security Operations audit logging information. Google SecOps writes Data Access and Admin Activity logs to the project.
