Connect Google Cloud Platform to Microsoft Defender for Cloud Apps
Note
Microsoft Defender for Cloud Apps (previously known as Microsoft Cloud App Security) is now part of Microsoft 365 Defender. The Microsoft 365 Defender portal allows security admins to perform their security tasks in one location. This will simplify workflows, and add the functionality of the other Microsoft 365 Defender services. Microsoft 365 Defender will be the home for monitoring and managing security across your Microsoft identities, data, devices, apps, and infrastructure. For more information about these changes, see Microsoft Defender for Cloud Apps in Microsoft 365 Defender.
Note
Cloud Security Posture Management (CSPM) is now supported in Microsoft Defender for Cloud. Once Microsoft Defender for Cloud Apps fully converges with the Microsoft 365 Defender portal, CSPM will only be available in the new Microsoft Defender for Cloud page.
This article provides instructions for connecting Microsoft Defender for Cloud Apps to your existing Google Cloud Platform (GCP) account using the connector APIs. This connection gives you visibility into and control over GCP use. For information about how Defender for Cloud Apps protects GCP, see Protect GCP.
We recommend that you use a dedicated project for the integration and restrict access to that project, so that the integration stays stable and the resources the setup creates cannot be deleted or modified by other users.
Prerequisites
The integrating GCP user must have the following permissions:
- IAM and Admin edit – Organization level
- Project creation and edit
You can connect one or both of the following GCP connections to Defender for Cloud Apps:
- Security auditing: This connection gives you visibility into and control over GCP app use.
- Security configuration: This connection gives you fundamental security recommendations based on the Center for Internet Security (CIS) benchmark for GCP.
Since you can add either or both of the connections, the steps in this article are written as independent instructions. If you have already added one of the connections, edit the existing configuration where relevant instead of creating a new one.
How to connect GCP security auditing to Defender for Cloud Apps
Connecting GCP security auditing gives you visibility into and control over GCP app use.
Follow these steps to connect GCP Security auditing to Defender for Cloud Apps.
Configure Google Cloud Platform
Note
The instructions for connecting your GCP environment for auditing follow Google's recommendations for consuming aggregated logs. The integration uses Google Cloud Logging (formerly Stackdriver) and Pub/Sub, and will consume additional resources that might affect your billing. The consumed resources are:
- Aggregated export sink – Organization level
- Pub/Sub topic – GCP project level
- Pub/Sub subscription – GCP project level
The Defender for Cloud Apps auditing connection only imports Admin Activity audit logs; Data Access and System Event audit logs are not imported. For more information about GCP logs, see Cloud Audit Logs.
Create a dedicated project
Create a dedicated project in GCP under your organization to keep the integration isolated and stable.
Sign in to your GCP portal using your integrating GCP user account.
Select Create Project to start a new project.
In the New project screen, name your project and select Create.
Enable required APIs
Switch to the dedicated project.
Go to the Library tab.
Search for and select Cloud Logging API, and then on the API page, select ENABLE.
Search for and select Cloud Pub/Sub API, and then on the API page, select ENABLE.
Note
Make sure that you do not select Pub/Sub Lite API.
Create a dedicated service account for the security auditing integration
Under IAM & admin, select Service accounts.
Select CREATE SERVICE ACCOUNT to create a dedicated service account.
Enter an account name, and then select Create.
Specify the Role as Pub/Sub Admin and then select Save.
Copy the Email value; you'll need it later.
Under IAM & admin, select IAM.
Switch to organization level.
Select ADD.
In the New members box, paste the Email value you copied earlier.
Specify the Role as Logs Configuration Writer and then select Save.
Create a private key for the dedicated service account
Switch to project level.
Under IAM & admin, select Service accounts.
Open the dedicated service account and select Edit.
Select CREATE KEY.
In the Create private key screen, select JSON, and then select CREATE.
Note
You'll need the JSON file that is downloaded to your device later in this procedure. The file contains a long-lived private key for the service account: store it securely, do not share it or commit it to source control, and delete any copies you no longer need.
Retrieve your Organization ID
Make a note of your Organization ID; you'll need it later. For more information, see Getting your organization ID.
Connect Google Cloud Platform auditing to Defender for Cloud Apps
Add the GCP connection details
In the Defender for Cloud Apps portal, select Investigate and then Connected apps.
In the App connectors page, to provide the GCP connector credentials, do one of the following:
Note
We recommend that you connect your Google Workspace instance to get unified user management and governance. This is recommended even if you do not use any Google Workspace products, because GCP users are managed through the Google Workspace user management system.
For a new connector
Select the plus sign (+) followed by Google Cloud Platform.
In the pop-up, provide a name for the connector, and then select Connect Google Cloud Platform.
In the Project details page, do the following, and then select Connect Google Cloud Platform.
- In the Organization ID box, enter the organization you made a note of earlier.
- In the Private key file box, browse to the JSON file you downloaded earlier.
For an existing connector
In the list of connectors, on the row in which the GCP connector appears, select Connect security auditing.
In the Project details page, do the following, and then select Connect Google Cloud Platform.
- In the Organization ID box, enter the organization you made a note of earlier.
- In the Private key file box, browse to the JSON file you downloaded earlier.
Select Test API to make sure the connection succeeded.
Testing may take a couple of minutes. When it's finished, you get a success or failure notification. After receiving a success notice, select Done.
Note
Defender for Cloud Apps will create an aggregated export sink (organization level), a Pub/Sub topic and a Pub/Sub subscription, using the integration service account, in the integration project.
The aggregated export sink collects logs across the whole GCP organization, and the Pub/Sub topic that was created is the sink's destination. Defender for Cloud Apps subscribes to that topic through the Pub/Sub subscription that was created, and retrieves the Admin Activity logs for the organization from it.
If you have any problems connecting the app, see Troubleshooting App Connectors.
How to connect GCP security configuration to Defender for Cloud Apps
Connecting GCP security configuration gives you insights into fundamental security recommendations based on the Center for Internet Security (CIS) benchmark for GCP.
Follow these steps to connect GCP security configuration to Defender for Cloud Apps.
Set up GCP Security Command Center with Security Health Analytics
Set up Security Command Center.
Verify that there is data flowing to the Security Command Center.
Note
- The instructions for connecting your GCP environment for security configuration follow Google's recommendations for consuming security configuration findings. The integration uses Google Security Command Center and will consume additional resources that might affect your billing.
- When you first enable Security Health Analytics, it may take several hours for data to be available.
Enable Security Command Center API
- In Cloud Console API Library, select the project you want to connect to Defender for Cloud Apps.
- In the API Library, search for and select the "Security Command Center API".
- In the API page, select ENABLE.
Create a dedicated service account for the security configuration integration
In GCP Security Command Center, select the project you want to connect to Defender for Cloud Apps.
Under IAM & admin, select Service accounts.
Select CREATE SERVICE ACCOUNT to create a dedicated service account.
Enter an account name, and then select Create.
Specify the Role as Security Center Admin Viewer and then select Save.
Copy the Email value; you'll need it later.
Under IAM & admin, select IAM.
Switch to organization level.
Select ADD.
In the New members box, paste the Email value you copied earlier.
Specify the Role as Security Center Admin Viewer and then select Save.
Create private key for the dedicated service account
Switch to project level.
Under IAM & admin, select Service accounts.
Open the dedicated service account and select Edit.
Select CREATE KEY.
In the Create private key screen, select JSON, and then select CREATE.
Note
You'll need the JSON file that is downloaded to your device later in this procedure. The file contains a long-lived private key for the service account, so store it securely and do not share it or commit it to source control.
Retrieve the Organization ID
Make a note of your Organization ID; you'll need it later. For more information, see Getting your organization ID.
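The two GCP-side procedures above (the auditing setup under "Configure Google Cloud Platform" and the security configuration setup in this section) differ only in which APIs are enabled and which roles the dedicated service account gets. The following script is an added example, not Microsoft's or Google's code, that performs both with the gcloud CLI instead of the console, so the setup can be reviewed and repeated. It assumes gcloud is installed and authenticated as the integrating user, that ORG_ID and PROJECT_ID are exported, and that the project id mda-integration and the service account names mda-auditing and mda-secconfig are placeholders you replace with your own. Without APPLY=1 it only prints the commands it would run.

```shell
#!/bin/sh
# Provision the GCP side of the Defender for Cloud Apps connectors with gcloud
# instead of the console. Added example, not Microsoft's or Google's code.
# Assumes: gcloud is installed and authenticated as the integrating user (see
# Prerequisites); ORG_ID and PROJECT_ID are exported; the project id and the
# service account names are placeholders you should replace.
# Without APPLY=1 the script only prints the gcloud commands it would run.
set -eu

# Per-connection resources, matching the APIs and roles the procedures assign.
# Bindings are "<level>:<role>" where level is project or org.
auditing_apis="logging.googleapis.com pubsub.googleapis.com"   # not pubsublite.googleapis.com
auditing_roles="project:roles/pubsub.admin org:roles/logging.configWriter"
secconfig_apis="securitycenter.googleapis.com"
secconfig_roles="project:roles/securitycenter.adminViewer org:roles/securitycenter.adminViewer"

run() {
  # Echo every command to stderr; execute it only when APPLY=1.
  printf '+ %s\n' "$*" >&2
  if [ "${APPLY:-0}" = 1 ]; then "$@"; fi
}

create_project() {
  # $1 org id, $2 project id. Run once; both connections can share the project.
  run gcloud projects create "$2" --organization="$1" --name="Defender for Cloud Apps integration"
}

provision_connection() {
  # $1 auditing|secconfig, $2 org id, $3 project id, $4 service account name.
  # Prints the service account email on success.
  kind=$1 org=$2 project=$3 sa=$4
  case "$kind" in
    auditing)  apis=$auditing_apis;  roles=$auditing_roles ;;
    secconfig) apis=$secconfig_apis; roles=$secconfig_roles ;;
    *) echo "unknown connection kind: $kind" >&2; return 2 ;;
  esac
  email="$sa@$project.iam.gserviceaccount.com"
  run gcloud services enable $apis --project="$project"
  run gcloud iam service-accounts create "$sa" --project="$project" \
    --display-name="Defender for Cloud Apps $kind"
  for binding in $roles; do
    level=${binding%%:*} role=${binding#*:}
    case "$level" in
      project) run gcloud projects add-iam-policy-binding "$project" \
                 --member="serviceAccount:$email" --role="$role" ;;
      org)     run gcloud organizations add-iam-policy-binding "$org" \
                 --member="serviceAccount:$email" --role="$role" ;;
    esac
  done
  # The JSON key is a long-lived credential: it is written to the current
  # directory, uploaded to the connector, and should then be stored securely or removed.
  run gcloud iam service-accounts keys create "$sa-key.json" --iam-account="$email" --project="$project"
  printf '%s\n' "$email"
}

verify_key_file() {
  # $1 key file, $2 expected service account email, $3 expected project id.
  # Sanity check before uploading: the file must be a service account key for the
  # dedicated account in the dedicated project, or the connector cannot authenticate as it.
  grep -qF '"type": "service_account"' "$1" || { echo "$1: not a service account key" >&2; return 1; }
  grep -qF "\"client_email\": \"$2\"" "$1" || { echo "$1: client_email is not $2" >&2; return 1; }
  grep -qF "\"project_id\": \"$3\"" "$1"   || { echo "$1: project_id is not $3" >&2; return 1; }
}

# Usage: ORG_ID=123456789012 PROJECT_ID=mda-integration [APPLY=1] ./mda-gcp.sh project|auditing|secconfig
if [ $# -eq 1 ]; then
  case "$1" in
    project) create_project "$ORG_ID" "$PROJECT_ID" ;;
    *) email=$(provision_connection "$1" "$ORG_ID" "$PROJECT_ID" "mda-$1")
       if [ "${APPLY:-0}" = 1 ]; then verify_key_file "mda-$1-key.json" "$email" "$PROJECT_ID"; fi ;;
  esac
fi
```

Run it once with `project`, then once per connection; the printed commands are the exact changes to review before adding APPLY=1. The role sets are deliberately limited to what the procedures above grant (Pub/Sub Admin on the dedicated project and Logs Configuration Writer at organization level for auditing; Security Center Admin Viewer at both levels for security configuration), and verify_key_file catches the common mistake of uploading a key for a different account or project.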
Connect Google Cloud Platform security configuration to Defender for Cloud Apps
In Defender for Cloud Apps, select Investigate, and then select Connected apps.
In the Security configuration apps tab, select the plus button, and then select Google Cloud Platform.
In the Instance name page, choose the instance type, and then select Next.
For an existing connector, choose the relevant instance.
For a new connector, provide a name for the instance.
In the Project details page, do the following, and then select Next.
- In the Organization ID box, enter the organization you made a note of earlier.
- In the Private key file box, browse to the JSON file you downloaded earlier.
In the Finished page, make sure the connection succeeded, and then select Finished.
If you have any problems connecting the app, see Troubleshooting App Connectors.
Next steps
If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.