Accenture MDR Quick Start Guide for Google Cloud Security Command Center

This quick start guide will help Accenture MDR customers configure Google Cloud Security Command Center to allow log collection from the Log Collection Platform (LCP).

The document includes the following topics:


Supported Versions

A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx), which can be found in the Accenture MDR Portal.

Port Requirements

Table 1-1: Port requirements for LCP communication.

Source   Destination    Port          Description
LCP      Google Cloud   443 (HTTPS)   Default port

Configuring Google Cloud Security Command Center

Prerequisite:

Continuous Exports, available to Security Command Center Premium customers, which automatically export new findings to Pub/Sub.

Create a service account and grant IAM roles

The following steps use the Google Cloud console. For other methods see the links at the end of this section.

1. In the same project in which you create your Pub/Sub topics, use the Service Accounts page in the Google Cloud console to create a service account. For instructions, see Creating and managing service accounts.

2. Grant the service account the following role:

   Pub/Sub Editor (roles/pubsub.editor)

3. Copy the name of the service account that you just created.

4. Use the project selector in the Google Cloud console to switch to the organization level.

5. On the IAM page for the organization, click Add to add the service account as a principal in the organization. The Add principals dialog opens.

   • In the New principals field, paste the name of the service account.

   • Use the Role field to grant the following IAM roles to the service account:
     1. Security Center Admin Editor (roles/securitycenter.adminViewer)
     2. Security Center Notification Configurations Editor (roles/securitycenter.notificationConfigEditor)
     3. Organization Viewer (roles/resourcemanager.organizationViewer)
     4. Cloud Asset Viewer (roles/cloudasset.viewer)

   • Click Save. The service account appears on the Permissions tab of the IAM page under View by principals. The roles you granted are listed in the Role column. Roles granted to the service account at the organization level are inherited by all projects in the organization.
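As an added check that is not part of this guide, the script below compares the roles actually bound to the collector's service account in an exported IAM policy with the roles listed in steps 2 and 5, reporting anything missing (the export will not work) or extra (the account holds more than it needs). The policy document, service account and organization are constructed placeholders.

```python
import json

# Roles the guide grants to the collector's service account at the
# organization level (step 5) and at the project level (step 2).
ORG_ROLES = {
    "roles/securitycenter.adminViewer",
    "roles/securitycenter.notificationConfigEditor",
    "roles/resourcemanager.organizationViewer",
    "roles/cloudasset.viewer",
}
PROJECT_ROLES = {"roles/pubsub.editor"}

SA = "lcp-collector@example-project.iam.gserviceaccount.com"  # placeholder account

# Constructed sample in the shape of an IAM policy exported with
# `gcloud organizations get-iam-policy ORG_ID --format=json`: one required
# role is missing and an unrelated, far too broad role is present.
SAMPLE_ORG_POLICY = json.dumps({"bindings": [
    {"role": "roles/securitycenter.adminViewer", "members": [f"serviceAccount:{SA}"]},
    {"role": "roles/securitycenter.notificationConfigEditor", "members": [f"serviceAccount:{SA}"]},
    {"role": "roles/resourcemanager.organizationViewer",
     "members": ["user:admin@example.com", f"serviceAccount:{SA}"]},
    {"role": "roles/owner", "members": [f"serviceAccount:{SA}"]},
]})


def roles_for_member(policy_json: str, member: str) -> set:
    """Collect every role bound to `member` in an exported IAM policy."""
    policy = json.loads(policy_json)
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def check_bindings(policy_json: str, service_account: str, expected: set) -> dict:
    """Compare the roles bound to the service account with the roles the
    guide calls for: 'missing' breaks the export, 'extra' means the
    account is over-privileged for a log collector."""
    actual = roles_for_member(policy_json, f"serviceAccount:{service_account}")
    return {"missing": sorted(expected - actual), "extra": sorted(actual - expected)}


if __name__ == "__main__":
    print(check_bindings(SAMPLE_ORG_POLICY, SA, ORG_ROLES))
```

Run the same check against the project policy with PROJECT_ROLES to confirm the Pub/Sub Editor binding from step 2.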

For more information about creating service accounts and granting roles, see the following topics:

a. Enable the Security Command Center API.
b. Create a filter to export desired findings and assets.
c. Create four Pub/Sub topics for findings, resources, audit logs, and assets. The notificationConfig must use the Pub/Sub topic you create for findings.

2. Enable the Cloud Asset API for your project.

3. Create feeds for your assets. You must create two feeds in the same Pub/Sub topic, one for your resources and another for your Identity and Access Management (IAM) policies.

a. The Pub/Sub topic for assets must be different from the one used for findings.
b. For the feed for your resources, use the following filter: content-type=resource.
c. For the IAM policies feed, you must use the following filter: content-type=iam-policy --asset-types="cloudresourcemanager.googleapis.com/Project".

You will need your organization ID, project ID, and Pub/Sub subscription IDs to configure Sensor.

LCP Configuration Parameters

Table 1-2: The Google Cloud Security Command Center event collector (Custom – 5044) properties to be configured by MDR are shown in the table.

Property            Default Value   Description
Project ID          -               From the project_id field in the JSON downloaded above
Private Key         -               From the private_key field in the JSON downloaded above (see the formatting note below)
Client Email        -               From the client_email field in the JSON downloaded above
Client ID           -               From the project_id field in the JSON downloaded above
Subscription Name   -               Name of the subscription created in the log configuration steps above

Configure the private key as in the following example:

-----BEGIN PRIVATE KEY-----\n<ACTUAL KEY WITHOUT ANY SPECIAL CHARACTERS>\n-----END PRIVATE KEY-----

NOTE:
  1) Special characters (\n, \s, \r, \n\r, \r\n, space, enter) must be removed wherever they occur inside the key.
  2) Keep only the \n separators shown in the example above.
  3) The complete key must be on one line, not spread over multiple lines.

 
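As an added example that is not part of this guide, the following script maps a downloaded service-account key file onto the Table 1-2 properties and rewrites the private_key value into the one-line form described in the note above, stripping stray whitespace and line breaks. The key file content is a constructed sample with placeholder key material, and the script assumes the Client ID property is taken from the key file's client_id field.

```python
import json
import re

BEGIN = "-----BEGIN PRIVATE KEY-----"
END = "-----END PRIVATE KEY-----"

# Constructed sample of a service-account key file as downloaded from the
# Google Cloud console. The key body is placeholder text, not a real key,
# and it deliberately contains a stray space and a \r\n line break.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key": f"{BEGIN}\nMIIEvQIBADANBg \r\nkqhkiG9w0B\n{END}\n",
    "client_email": "lcp-collector@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
})


def normalize_private_key(pem: str) -> str:
    """Return the key as one line: header, literal \\n, the base64 body with
    every whitespace character removed, literal \\n, footer."""
    if BEGIN not in pem or END not in pem:
        raise ValueError("private_key lacks the PEM BEGIN/END markers")
    body = pem.split(BEGIN, 1)[1].split(END, 1)[0]
    body = re.sub(r"\s+", "", body)  # drops \n, \r, \t and spaces
    if not re.fullmatch(r"[A-Za-z0-9+/]+=*", body):
        raise ValueError("private_key body is not base64 text")
    # Two-character backslash-n sequences, not newlines: the value stays one line.
    return f"{BEGIN}\\n{body}\\n{END}"


def lcp_properties(key_json: str) -> dict:
    """Map the key file onto the LCP properties of Table 1-2
    (assumption: Client ID is read from the client_id field)."""
    data = json.loads(key_json)
    missing = [k for k in ("project_id", "private_key", "client_email", "client_id")
               if not data.get(k)]
    if missing:
        raise ValueError("key file lacks fields: " + ", ".join(missing))
    return {
        "Project ID": data["project_id"],
        "Private Key": normalize_private_key(data["private_key"]),
        "Client Email": data["client_email"],
        "Client ID": data["client_id"],
    }


if __name__ == "__main__":
    for name, value in lcp_properties(SAMPLE_KEY_JSON).items():
        print(f"{name}: {value}")
```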

Legal Notice

Copyright © 2021 Accenture. All rights reserved.

Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.