Connect Google Cloud Platform to Microsoft Cloud App Security (Preview)

Applies to: Microsoft Cloud App Security

This article provides instructions for connecting Microsoft Cloud App Security to your existing Google Cloud Platform (GCP) account using the connector APIs. This connection gives you visibility into and control over GCP use.

Note

The instructions for connecting your GCP environment follow Google’s recommendations for consuming aggregated logs. The integration leverages Google StackDriver and will consume additional resources that might impact your billing. The consumed resources are:

Currently, Cloud App Security only imports Admin Activity audit logs; Data Access and System Event audit logs are not imported. For more information about GCP logs, see Cloud Audit Logs.

We recommend that you use a dedicated project for the integration and restrict access to that project, so that the integration stays stable and the setup cannot be deleted or modified. Also, if your GCP instance is part of a G Suite instance that is already connected to Cloud App Security, we recommend following the steps under For a GCP instance that is part of a connected G Suite organization when you add the GCP connection details.

Prerequisites

The integrating GCP user must have the following permissions:

  • IAM and Admin edit – Organization level
  • Project creation and edit

Configure Google Cloud Platform

  • Sign in to your GCP portal using your integrating GCP user account.

Create a dedicated project

Create a dedicated project in GCP under your organization to isolate the integration and keep it stable.

  1. Click Create Project to start a new project.

  2. In the New project screen, name your project and click Create.

    Screenshot showing GCP create project dialog

Enable the Pub/Sub API

  1. Switch to the dedicated project.
  2. Go to the Pub/Sub tab. A service activation message should appear.

Create a dedicated service account for the integration

  1. Under IAM & admin, click Service accounts.

  2. Click CREATE SERVICE ACCOUNT to create a dedicated service account.

  3. Enter an account name, and then click Create.

  4. Specify the Role as Pub/Sub Admin and then click Save.

    Screenshot showing GCP add IAM role

  5. Copy the Email value; you'll need it later.

    Screenshot showing GCP service account dialog

  6. Under IAM & admin, click IAM.

    1. Switch to organization level.

    2. Click ADD.

    3. In the New members box, paste the Email value you copied earlier.

    4. Specify the Role as Logs Configuration Writer and then click Save.

      Screenshot showing add member dialog

Create a private key for the dedicated service account

  1. Switch to project level.

  2. Under IAM & admin, click Service accounts.

  3. Open the dedicated service account and click Edit.

  4. Click CREATE KEY.

  5. In the Create private key screen, select JSON, and then click CREATE.

    Screenshot showing create private key dialog

    Note

    You'll need the JSON file that is downloaded to your machine later.

Retrieve your Organization ID

Make a note of your Organization ID; you'll need it later. For more information, see Getting your organization ID.

  Screenshot showing organization ID dialog
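Before you upload the JSON key to Cloud App Security, a quick sanity check of the downloaded file catches a key that belongs to the wrong project or service account. This Python check is an added example and not part of the original article; the project and account names in the sample are constructed placeholders, and the field list is the standard layout of a Google service-account key file.

```python
import json
import re

# Fields present in every Google service-account key file (JSON format).
REQUIRED_FIELDS = (
    "type", "project_id", "private_key_id", "private_key",
    "client_email", "client_id", "token_uri",
)


def check_service_account_key(raw_json: str, expected_project: str) -> list:
    """Return the problems found in a downloaded key file; an empty list means it passed."""
    problems = []
    try:
        key = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    for field in REQUIRED_FIELDS:
        if not key.get(field):
            problems.append(f"missing field: {field}")
    if key.get("type") != "service_account":
        problems.append(f"type is {key.get('type')!r}, expected 'service_account'")
    # The key must belong to the dedicated integration project, not some other project.
    if key.get("project_id") != expected_project:
        problems.append(f"project_id {key.get('project_id')!r} is not the dedicated project")
    email = key.get("client_email", "")
    email_pattern = rf"[a-z][-a-z0-9]*@{re.escape(expected_project)}\.iam\.gserviceaccount\.com"
    if not re.fullmatch(email_pattern, email):
        problems.append(f"client_email {email!r} is not a service account of the dedicated project")
    pem = key.get("private_key", "")
    if not (pem.startswith("-----BEGIN PRIVATE KEY-----")
            and pem.rstrip().endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key is not a PEM-encoded private key block")
    return problems


# Constructed sample key file with placeholder values; it is not a real key.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "mcas-integration-example",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "mcas-connector@mcas-integration-example.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
})

if __name__ == "__main__":
    print(check_service_account_key(SAMPLE_KEY, "mcas-integration-example") or "key file looks good")
```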

Configure Cloud App Security

  • In the Cloud App Security portal, click Investigate and then Connected apps.

Add the GCP connection details

To provide the GCP connection details, under App connectors, do one of the following:

For a GCP instance that is not part of a connected G Suite organization

  1. Click the plus sign followed by Google Cloud Platform.

    Screenshot showing add GCP menu

  2. In the pop-up, provide a name for the connector, and then click Connect Google Cloud Platform.

  3. On the Google Cloud Platform page, do the following:

    1. In the Organization ID box, enter the organization you made a note of earlier.
    2. In the Private key file box, browse to the JSON file you downloaded earlier.
    3. Click Connect Google Cloud Platform.

    Note

    We recommend that you connect your G Suite instance to get unified user management and governance. This is recommended even if you do not use any G Suite products and the GCP users are managed via the G Suite user management system.

For a GCP instance that is part of a connected G Suite organization

  1. In the list of connected instances, at the end of the row in which the G Suite connector appears, click the three dots and then click Add Google Cloud Platform.

  2. On the Google Cloud Platform page, do the following:

    1. In the Organization ID box, enter the organization you made a note of earlier.
    2. In the Private key file box, browse to the JSON file you downloaded earlier.
    3. Click Connect Google Cloud Platform.

    Note

    This enables unified user management and governance via the G Suite user identity realm.

Test the connection

Make sure the connection succeeded by clicking Test API.

Testing may take a couple of minutes. When it's finished, you get a Success or Failure notification. After receiving a success notice, click Done.

Aggregated export sink

Disabling the aggregated export sink is currently only possible via Google Cloud Shell.

To disable the aggregated export sink

  1. Start a Google Cloud Shell session. For more information, see Using Cloud Shell.

  2. Set the current project. For more information, see gcloud config set.

    gcloud config set project {PROJECT_ID}

  3. List the organization-level sinks. For more information, see gcloud logging sinks list.

    gcloud logging sinks list --organization={ORGANIZATION_ID}

  4. Delete the relevant sink. For more information, see gcloud logging sinks delete.

    gcloud logging sinks delete {SINK_NAME} --organization={ORGANIZATION_ID}
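An organization usually has more than one sink, so step 4 should remove only the one that feeds the integration's Pub/Sub topic in the dedicated project. This Python helper, an added example that is not part of the original article, filters the sink list by destination and builds the delete command from the step above; the JSON shape assumed for `gcloud logging sinks list --format=json` (objects with name, destination, filter, writerIdentity, includeChildren) and all sample names and IDs are assumptions.

```python
import json

# Assumed shape of `gcloud logging sinks list --organization=... --format=json`:
# a JSON array of sink objects with name, destination, filter, writerIdentity
# and (for aggregated sinks) includeChildren. Adjust if your gcloud output differs.


def find_integration_sinks(sinks_json: str, project_id: str) -> list:
    """Return the organization-level sinks that export into Pub/Sub topics of project_id."""
    topic_prefix = f"pubsub.googleapis.com/projects/{project_id}/topics/"
    matches = []
    for sink in json.loads(sinks_json):
        destination = sink.get("destination", "")
        if not destination.startswith(topic_prefix):
            continue  # leaves sinks feeding other projects, buckets or datasets alone
        matches.append({
            "name": sink["name"],
            "topic": destination[len(topic_prefix):],
            "aggregated": bool(sink.get("includeChildren", False)),
        })
    return sorted(matches, key=lambda s: s["name"])


def delete_commands(sinks: list, organization_id: str) -> list:
    """Build the gcloud delete command from the page for each sink that is to be removed."""
    return [f"gcloud logging sinks delete {s['name']} --organization={organization_id}"
            for s in sinks]


# Constructed sample output: one sink for the integration, two unrelated org sinks.
SAMPLE_SINKS = json.dumps([
    {"name": "mcas-export", "includeChildren": True,
     "destination": "pubsub.googleapis.com/projects/mcas-integration-example/topics/mcas-topic",
     "filter": "logName:\"cloudaudit.googleapis.com%2Factivity\"",
     "writerIdentity": "serviceAccount:o123456789012-987654@gcp-sa-logging.iam.gserviceaccount.com"},
    {"name": "siem-export", "includeChildren": True,
     "destination": "pubsub.googleapis.com/projects/siem-project-example/topics/siem-topic",
     "writerIdentity": "serviceAccount:o123456789012-111111@gcp-sa-logging.iam.gserviceaccount.com"},
    {"name": "archive", "destination": "storage.googleapis.com/audit-archive-example",
     "writerIdentity": "serviceAccount:o123456789012-222222@gcp-sa-logging.iam.gserviceaccount.com"},
])

if __name__ == "__main__":
    found = find_integration_sinks(SAMPLE_SINKS, "mcas-integration-example")
    for cmd in delete_commands(found, "123456789012"):
        print(cmd)
```

Review the printed commands before running them in Cloud Shell; the script only selects sinks and never calls gcloud itself.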

Next steps

If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.