Google Cloud Armor

This document provides guidance to help you configure and integrate Google Cloud Armor with Google Security Operations.

Prerequisites

Make sure that you complete all the prerequisite steps before configuring the integration.

Create and configure the IAM role

  1. In the Google Cloud console, go to the IAM Roles page.


  2. Click Create role to create a custom role with permissions required for the integration.

  3. For a new custom role, provide the Title, Description, and a unique ID.

  4. Set the Role Launch Stage to General Availability.

  5. Add the following permissions to the created role:

    • compute.backendBuckets.setSecurityPolicy
    • compute.backendServices.setSecurityPolicy
    • compute.regionBackendServices.setSecurityPolicy
    • compute.regionSecurityPolicies.create
    • compute.regionSecurityPolicies.get
    • compute.regionSecurityPolicies.list
    • compute.regionSecurityPolicies.update
    • compute.securityPolicies.create
    • compute.securityPolicies.get
    • compute.securityPolicies.list
    • compute.securityPolicies.update

  6. Click Create.

Create a service account

  1. To create a service account, follow the procedure for creating a service account.

  2. After you have created the service account, download it as a JSON file. You need to provide the content of the downloaded JSON file when you configure the integration parameters.

    To use the Workload Identity Federation for GKE email address instead of the service account JSON file content, assign the Service Account Token Creator role to the service account that you use in the integration.

Integrate Google Cloud Armor with Google SecOps

To configure the integration, use the following parameters:

Parameters
API Root Required

API root of the Google Cloud Armor service.

Default value is https://compute.googleapis.com/compute/v1/.

Project ID Optional

Project ID to use for the Google Cloud Armor integration. If no value is provided, the project ID is extracted from the JSON file content provided in the User Service Account parameter.

Workload Identity Email Optional

Client email address of your service account.

You can configure either this parameter or the User Service Account parameter.

To impersonate service accounts with the Workload Identity Federation for GKE email address, grant the `Service Account Token Creator` role to your service account. For more details about workload identities and how to work with them, see Identities for workloads.

User Service Account Optional

Content of the service account JSON file that you use for the Google Cloud Armor service.

Provide the full content of the service account JSON file.

You can configure either this parameter or the Workload Identity Email parameter.

Verify SSL Optional

If selected, the integration verifies that the SSL certificate for the connection to the Google Cloud Armor service is valid.

Selected by default.

Actions

Some actions require no input parameters.

Add a Rule to a Security Policy

Add a new rule to the security policy in the Google Cloud Armor service.

Entities

This action doesn't run on entities.

Action inputs

To configure the action, use the following parameters:

Parameters
Policy Name Required

Security policy name to add a new rule to.

Region Optional

Region of the policy to add the rule to.

If no value is provided, the rule is added to the global-level security policy.

Rule JSON Required

JSON definition of the rule to add.

For more information about adding a rule to a policy, see Method: securityPolicies.addRule.
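Before a playbook passes a Rule JSON to this action, it can catch the mistakes that make securityPolicies.addRule fail or that silently weaken the policy: a priority already taken by an existing rule, the default rule's priority, an unknown action, or a malformed CIDR. The following is an added example (not the integration's own code); `EXAMPLE_POLICY` is constructed from the JSON result shown on this page, and the function and message names are this example's own.

```python
# Added example: pre-flight checks a playbook can run on the Rule JSON before
# calling "Add a Rule to a Security Policy". EXAMPLE_POLICY is constructed
# from the JSON result shown on this page; names and messages are this
# example's own, not the integration's.
import ipaddress

MAX_PRIORITY = 2147483647          # used by the policy's default rule
# Values securityPolicyRule.action accepts (deny carries a status code)
KNOWN_ACTIONS = {"allow", "deny(403)", "deny(404)", "deny(502)",
                 "redirect", "throttle", "rate_based_ban"}

EXAMPLE_POLICY = {
    "name": "example", "fingerprint": "A3hq2ZQYxj8=",
    "rules": [
        {"priority": 100, "action": "allow", "match": {
            "versionedExpr": "SRC_IPS_V1", "config": {"srcIpRanges": ["*"]}}},
        {"priority": MAX_PRIORITY, "action": "allow", "match": {
            "versionedExpr": "SRC_IPS_V1", "config": {"srcIpRanges": ["*"]}}},
    ],
}


def validate_rule(rule: dict, policy: dict) -> list:
    """Return the problems found; an empty list means the rule is safe to submit."""
    problems = []
    prio = rule.get("priority")
    if not isinstance(prio, int) or not 0 <= prio <= MAX_PRIORITY:
        problems.append("priority must be an integer in 0..%d" % MAX_PRIORITY)
    elif prio == MAX_PRIORITY:
        problems.append("priority %d is reserved for the default rule" % prio)
    elif prio in {r.get("priority") for r in policy.get("rules", [])}:
        # addRule fails on a duplicate priority; catch it before the API call
        problems.append("priority %d already used by an existing rule" % prio)
    if rule.get("action") not in KNOWN_ACTIONS:
        problems.append("unknown action %r" % rule.get("action"))

    match = rule.get("match", {})
    ranges = match.get("config", {}).get("srcIpRanges")
    if match.get("versionedExpr") == "SRC_IPS_V1" and ranges:
        for cidr in ranges:
            if cidr == "*":
                continue
            try:                       # reject typos such as 300.1.1.1/24
                ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                problems.append("invalid CIDR %r in srcIpRanges" % cidr)
    elif not match.get("expr", {}).get("expression"):
        problems.append("match needs SRC_IPS_V1 srcIpRanges or a CEL expr.expression")
    return problems
```

Run the check on the rule JSON and let the playbook stop with the returned messages instead of calling the action when the list is not empty.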

Action outputs

Action output type
Case wall attachment N/A
Case wall link N/A
Case wall table N/A
Enrichment table N/A
JSON result Available
Script result Available
Script result
Script result name Value
is_success True or False
JSON result
{
   "kind": "compute#securityPolicy",
   "id": "ID",
   "creationTimestamp": "2024-04-14T05:39:05.798-07:00",
   "name": "example",
   "description": "Test for integration",
   "rules": [
       {
           "kind": "compute#securityPolicyRule",
           "description": "test",
           "priority": 100,
           "match": {
               "versionedExpr": "SRC_IPS_V1",
               "config": {
                   "srcIpRanges": [
                       "*"
                   ]
               }
           },
           "action": "allow",
           "preview": false
       },
       {
           "kind": "compute#securityPolicyRule",
           "description": "Default rule, higher priority overrides it",
           "priority": 2147483647,
           "match": {
               "versionedExpr": "SRC_IPS_V1",
               "config": {
                   "srcIpRanges": [
                       "*"
                   ]
               }
           },
           "action": "allow",
           "preview": false
       }
   ],
   "fingerprint": "A3hq2ZQYxj8=",
   "selfLink": "https://www.googleapis.com/compute/v1/projects/PROJECT_NAME/regions/northamerica-northeast1/securityPolicies/example",
   "type": "CLOUD_ARMOR",
   "labelFingerprint": "42WmSpB8rSM=",
   "region": "https://www.googleapis.com/compute/v1/projects/PROJECT_NAME/regions/northamerica-northeast1"
}
Case wall

This action provides the following output messages:

Output message Message description
Successfully added a new rule to the security policy! Action succeeded.
Error executing action "Add a Rule to a Security Policy". Reason: ERROR_REASON

Action failed.

Check the connection to the server, input parameters, credentials, region name, the content of the JSON file, or a policy name.

Create a Security Policy

Create a security policy in the Google Cloud Armor service.

Entities

This action doesn't run on entities.

Action inputs

To configure the action, use the following parameters:

Parameters
Region Optional

The region to create a policy in.

If no value is provided, the global-level security policy is created.

Policy JSON Required

The JSON definition of the policy to create.

For more information about policies, see REST Resource: securityPolicies.

Action outputs

Action output type
Case wall attachment N/A
Case wall link N/A
Case wall table N/A
Enrichment table N/A
JSON result Available
Script result Available
Script result
Script result name Value
is_success True or False
JSON result
{
   "kind": "compute#securityPolicy",
   "id": "ID",
   "creationTimestamp": "2024-04-14T05:39:05.798-07:00",
   "name": "example",
   "description": "Test for integration",
   "rules": [
       {
           "kind": "compute#securityPolicyRule",
           "description": "test",
           "priority": 100,
           "match": {
               "versionedExpr": "SRC_IPS_V1",
               "config": {
                   "srcIpRanges": [
                       "*"
                   ]
               }
           },
           "action": "allow",
           "preview": false
       },
       {
           "kind": "compute#securityPolicyRule",
           "description": "Default rule, higher priority overrides it",
           "priority": 2147483647,
           "match": {
               "versionedExpr": "SRC_IPS_V1",
               "config": {
                   "srcIpRanges": [
                       "*"
                   ]
               }
           },
           "action": "allow",
           "preview": false
       }
   ],
   "fingerprint": "A3hq2ZQYxj8=",
   "selfLink": "https://www.googleapis.com/compute/v1/projects/PROJECT_NAME/regions/northamerica-northeast1/securityPolicies/example",
   "type": "CLOUD_ARMOR",
   "labelFingerprint": "42WmSpB8rSM=",
   "region": "https://www.googleapis.com/compute/v1/projects/PROJECT_NAME/regions/northamerica-northeast1"
}
Case wall

This action provides the following output messages:

Output message Message description
Successfully created a new security policy! Action succeeded.
Error executing action "Create a Security Policy". Reason: ERROR_REASON

Action failed.

Check the connection to the server, input parameters, credentials, region name, or the content of the JSON file.

Ping

Test connectivity to the Google Cloud Armor service using the parameters provided on the integration configuration page.

Entities

This action doesn't run on entities.

Action inputs

N/A

Action outputs

Action output type
Case wall attachment N/A
Case wall link N/A
Case wall table N/A
Enrichment table N/A
JSON result N/A
Script result Available
Script result
Script result name Value
is_success True or False
Case wall

This action provides the following output messages:

Output message Message description
Successfully connected to the Google Cloud Armor service with the provided connection parameters! Action succeeded.
Failed to connect to the Google Cloud Armor service! Error is ERROR_REASON

Action failed.

Check the connection to the server, input parameters, or credentials.

Update a Security Policy

Update the existing security policy in the Google Cloud Armor service.

This action cannot update rules in a policy. To add a rule to the related policy, use the Add a Rule to a Security Policy action.

Entities

This action doesn't run on entities.

Action inputs

To configure the action, use the following parameters:

Parameters
Policy Name Required

Name of the security policy to update.

Region Optional

Region for the updated policy.

If no value is provided, the global-level security policy is updated.

Rule JSON Required

JSON definition of the policy to update.

For more information about policy updates, see Method: securityPolicies.patch.

You cannot update rules with this action. To add a rule to a policy, use the Add a Rule to a Security Policy action.
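Two things a playbook should get right when it builds the JSON for this action: leave `rules` out, because the action cannot update them, and send back the `fingerprint` of the policy version it last read, so that the patch is rejected instead of overwriting a change made by someone else in the meantime. The following is an added example (not the integration's own code); `CURRENT` is constructed from the JSON result shown on this page, `PATCHABLE` is the field set this example chooses to allow, and `apply_patch()` only simulates the server's precondition check.

```python
# Added example: build the JSON for "Update a Security Policy"
# (securityPolicies.patch) and show why the fingerprint matters.
# CURRENT is constructed from the JSON result on this page; apply_patch()
# is a simulation of the server, not the integration's own code.
import copy

# Fields this example allows in a patch; "rules" is deliberately absent
# because the action cannot update rules (use "Add a Rule to a Security
# Policy" for that).
PATCHABLE = {"description", "adaptiveProtectionConfig", "advancedOptionsConfig"}

CURRENT = {"name": "example", "description": "Test for integration",
           "fingerprint": "A3hq2ZQYxj8=",
           "rules": [{"priority": 100, "action": "allow"}]}


def build_patch_body(current: dict, changes: dict) -> dict:
    """Return the Policy JSON for the action: the requested fields plus the
    fingerprint of the version the caller last read (optimistic locking)."""
    not_allowed = set(changes) - PATCHABLE
    if not_allowed:
        raise ValueError("not patchable through this action: %s"
                         % ", ".join(sorted(not_allowed)))
    body = dict(changes)
    body["fingerprint"] = current["fingerprint"]
    return body


def apply_patch(server: dict, body: dict, new_fingerprint: str) -> tuple:
    """Simulated server side: a stale fingerprint is rejected with 412 and
    the stored policy is left untouched; a fresh one is applied and the
    policy gets a new fingerprint, so the same body cannot be replayed."""
    if body.get("fingerprint") != server["fingerprint"]:
        return 412, server
    updated = copy.deepcopy(server)
    updated.update({k: v for k, v in body.items() if k != "fingerprint"})
    updated["fingerprint"] = new_fingerprint
    return 200, updated
```

Re-read the policy (and so its fingerprint) immediately before the Update action; a body built from a stale read is the case the 412 branch exists for.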

Action outputs

Action output type
Case wall attachment N/A
Case wall link N/A
Case wall table N/A
Enrichment table N/A
JSON result Available
Script result Available
Script result
Script result name Value
is_success True or False
JSON result
{
   "kind": "compute#securityPolicy",
   "id": "ID",
   "creationTimestamp": "2024-04-14T05:39:05.798-07:00",
   "name": "example",
   "description": "Test for integration",
   "rules": [
       {
           "kind": "compute#securityPolicyRule",
           "description": "test",
           "priority": 100,
           "match": {
               "versionedExpr": "SRC_IPS_V1",
               "config": {
                   "srcIpRanges": [
                       "*"
                   ]
               }
           },
           "action": "allow",
           "preview": false
       },
       {
           "kind": "compute#securityPolicyRule",
           "description": "Default rule, higher priority overrides it",
           "priority": 2147483647,
           "match": {
               "versionedExpr": "SRC_IPS_V1",
               "config": {
                   "srcIpRanges": [
                       "*"
                   ]
               }
           },
           "action": "allow",
           "preview": false
       }
   ],
   "fingerprint": "A3hq2ZQYxj8=",
   "selfLink": "https://www.googleapis.com/compute/v1/projects/PROJECT_NAME/regions/northamerica-northeast1/securityPolicies/example",
   "type": "CLOUD_ARMOR",
   "labelFingerprint": "42WmSpB8rSM=",
   "region": "https://www.googleapis.com/compute/v1/projects/PROJECT_NAME/regions/northamerica-northeast1"
}
Case wall

This action provides the following output messages:

Output message Message description
Successfully updated the security policy! Action succeeded.
Error executing action "Update a Security Policy". Reason: ERROR_REASON

Action failed.

Check the connection to the server, input parameters, or credentials.