Link a Google SecOps instance to Google Cloud services

Supported in:

Google secops SIEM

A Google Security Operations instance depends on Google Cloud services for certain key capabilities, such as authentication.

This document explains how to configure your instance to link to these services, whether you're setting up a new deployment or migrating an existing Google SecOps instance.

Before you begin

Before you configure a Google SecOps instance with Google Cloud services, you must do the following:

Verify permissions. Ensure you have the necessary permissions to complete the steps in this document. For information about required permissions for each phase of the onboarding process, see Required roles and permissions.
Choose your project setup: You can either create a new Google Cloud project for your Google SecOps instance or link it to an existing Google Cloud project.

To create a new Google Cloud project and enable the Chronicle API, follow the steps in Create a Google Cloud project.
Configure an SSO provider for the Google SecOps instance: You can use Cloud Identity, Google Workspace, or a third-party identity provider (IdP), as follows:
- If you use a third-party IdP, perform the steps in
  
  Configure a third-party identity provider for Google SecOps.
- If you use Cloud Identity or Google Workspace, perform the steps in
  
  Configure a Google Cloud identity provider for Google SecOps.

To link a Google SecOps instance created for a Manage Security Services Provider (MSSP), contact your Google SecOps representative. Setup requires assistance from a Google SecOps representative.

After linking a Google SecOps instance to a Google Cloud project, the Google SecOps instance is now ready for further configuration. You can now examine ingested data and monitor the project for potential security threats.

Configure a new Google SecOps instance

Linking your new instance to a project enables authentication and monitoring features, including:

Cloud Identity integration for accessing a range of Google Cloud services, such as authentication, Identity and Access Management, Cloud Monitoring, and Cloud Audit Logs.
IAM and Workforce Identity Federation support for authenticating with your existing third-party IdP.

To link a Google SecOps instance to a Google Cloud project, perform these steps:

After your organization signs the Google SecOps customer contract, the onboarding SME receives an onboarding invitation email with an activation link. The activation link is valid for one-time use only.

In the onboarding invitation email, click the Go to Google Cloud activation link to open the Link SecOps to a project page.
Click Select a project to open the Select a resource page.
On the Select a resource page, select a Google Cloud project to link your new Google SecOps instance. There are two options:
- Option 1: Create a new Google Cloud project:
  
  Click New Project, and follow the steps described in Create a Google Cloud project.
- Option 2: Select an existing project from the list:
  
  Follow the steps described in Select an existing project.
After you select a project, the system enables the Add contacts button, and the Add essential contacts section displays the Essential contacts table. This table shows notification Categories and the Email address of the contact assigned to each.

Assign a contact person to at least the following four mandatory notification categories: technical, security, legal, and billing.

Assign a contact to one or more notification categories as follows:
1. To open the Edit contact window, click Add contact or click edit Edit in a notification category with an existing contact.
2. Enter the contact person's Email address, and select one or more notification Categories.
3. Click Save.
Click Next.

The system checks whether the Chronicle API is enabled. If enabled, the Onboarding page displays the pre-filled onboarding information and runs the deployment process. This process can take up to 15 minutes to complete.

When the deployment completes successfully, you receive a notification. If the deployment fails, contact Google SecOps Support.
Verify that the deployment is correct as follows:
- To view instance information, go to https://console.cloud.google.com/security/chronicle/settings.
- To update any information, contact Google SecOps Support.

Select an existing project

On the Select a resource page, select your Organization from the list.

The page displays a list of the Google Cloud projects and folders.
- These belong to the same organization as the Google SecOps instance, and they have the same billing account.
- If a project or folder has a warning Warning icon next to it, you cannot select it. Hold the pointer over the icon to view the reason, for example: missing permissions or billing mismatch.
Select a project based on the following criteria:
- Criteria for linking an instance to a Google Cloud project:
  - The Google Cloud project must not already be linked to another Google SecOps instance.
  - You have the required IAM permissions to access and work with the project, see Permissions to add a Google Cloud project.
  - For a compliance controlled tenant (instance), the project must be in an Assured Workloads folder. See Workforce Identity Federation for details.
    
    A compliance controlled tenant (instance) conforms to one of the following compliance control standards: FedRAMP, FedRAMP_MODERATE, HIPAA, PCI_DSS, FedRAMP_HIGH, IL4, IL5, CMEK_V1, or DRZ_ADVANCED.
- To select a Google Cloud project for a compliance controlled tenant (instance):
  1. Select an Assured Workloads folder to open it.
  2. Inside the Assured Workloads folder, click the name of a Google Cloud project to open the Link SecOps to a project page.
  3. Complete the configuration described in Configure the IdP.
- To select a Google Cloud project for a non-compliance controlled tenant (instance):
  1. Click the name of a valid Google Cloud project to open the Link SecOps to a project page.
  2. On the Link SecOps to a project page, select a different project, if needed. To do so, you click the project to display the Select a resource page again.
Click Next to link your Google SecOps instance to the selected project, and open the Deployment page.

The Deployment page displays the final details of your instance and service and requires your consent before performing the final ddx. The page consists of sections displaying pre-filled, non-editable fields. Only a Google representative can change these details.

Review the details in each of the following sections. Click Next to move to the next section:
1. Instance details
  
  The page displays instance details set in your contract, for example company, region, package tier, and data retention duration.
  
  Click Next to display the next section.
2. Review service account
  
  The page displays details of the service account to be created.
  
  Click Next to display the next section.
3. Configure single sign-on (SSO)
  
  Choose a configured SSO provider. Select one of the following options based on the identity provider you use to manage user and group access to Google SecOps:
  - Google Cloud Identity:
    
    Select this if you are using Cloud Identity or Google Workspace.
  - Workforce Identity Federation:
    
    If you are using a third-party identity provider, select your workforce provider from the list.
    
    If you don't see your identity provider listed, configure your provider, and then select your provider from the list. For details, see Configure a third-party identity provider.
    
    Click Next to display the next section.
4. Terms of service
  1. Select the I agree to... checkbox to agree to the terms.
  2. Click Start setup to deploy your Google SecOps instance, according to the displayed details.
Click here to continue to the Next step.

Migrate an existing Google SecOps instance

To migrate an existing Google SecOps instance, link it to a Google Cloud project, migrate legacy authentication to Google Cloud, and use IAM for feature access control, follow the Migrate legacy SIEM Infra to Google Cloud guide.

Change SSO configuration

The following sections describe how to change identity providers:

Change the third-party identity provider
Migrate from a third-party identity provider to Cloud Identity

Change the third-party identity provider

Set up the new third-party identity provider and workforce identity pool.
In Google SecOps, under Settings > SOAR settings > Advanced > IDP group mapping, change the IdP group mapping to reference groups in the new identity provider.

Important: If you don't change this configuration before changing the identity provider in the following steps, you get an HTTP 403 error when accessing Google SecOps. If this happens, contact Google SecOps Support.

Update SSO settings

Complete the following steps to change the SSO configuration for Google SecOps:

Open the Google Cloud console, and then select the Google Cloud project that is bound to Google SecOps.
Go to Security > Google SecOps.
On the Overview page, click the Single Sign-On tab. This page displays the IdPs you configured when Configuring a third-party identity provider for Google SecOps.
Use the Single Sign-On menu to change SSO providers.
Right-click the Test SSO setup link, and then open a private or incognito window.
- If you see a login screen, then SSO setup is successful. Continue with the next step.
- If you don't see a login screen, check the configuration of the third-party identity provider. See Configure a third-party identity provider for Google SecOps.
Return to Google Cloud console, click the Security > Google SecOps > Overview page, and then click the Single Sign-On tab.
Click Save at the bottom of the page to update the new provider.
Verify that you can sign in to Google SecOps.

Migrate from third-party identity provider to Cloud Identity

Complete the following steps to change the SSO configuration from using a third-party identity provider to Google Cloud Identity:

Make sure you configure either Cloud Identity or Google Workspace as the identity provider.
Grant the predefined Chronicle IAM roles and custom roles to users and groups in the Google SecOps-bound project.
Grant the Chronicle SOAR Admin role to the relevant users or groups.
In Google SecOps, under Settings > SOAR settings > Advanced > IDP group mapping, add the Chronicle SOAR Admin. For more information, see IdP group mapping.

Important: You must update this configuration before changing the IdP in the following steps. Skipping this step results in an HTTP 403 error when accessing Google SecOps. If you encounter this error, contact Google SecOps Support.
Open the Google Cloud console, and then select the Google Cloud project that is bound to Google SecOps.
Go to Security > Chronicle SecOps.
On the Overview page, click the Single Sign-On tab. This page displays the IdPs you configured when Configuring a third-party identity provider for Google SecOps.
Select the Google Cloud Identity checkbox.
Right-click the Test SSO setup link, and then open a private or incognito window.
- If you see a login screen, then SSO setup is successful. Continue with the next step.
- If you don't see a login screen, check the configuration of the identity provider.
Return to Google Cloud console, and then click Security > Chronicle SecOps > Overview page > Single Sign-On tab.
Click Save at the bottom of the page to update the new provider.
Verify that you can sign in to Google SecOps.

Need more help? Get answers from Community members and Google SecOps professionals.