
Ingest GCP cloud logging with Pub/Sub (Preview)

Integrating Google Cloud Platform (GCP) Cloud Logging with Microsoft Defender for Cloud allows you to ingest activity logs from GCP, enhancing your ability to monitor, detect, and respond to security events across your Google Cloud environments. You can configure log ingestion either at the project level or centrally at the organization level. Data streamed from GCP Pub/Sub provides the context that Cloud Infrastructure Entitlement Management (CIEM) in Defender for Cloud needs: based on the observed log activity, it calculates risk-based recommendations, security posture insights, and attack path analysis.

How GCP logging ingestion works

Once configured, Defender for Cloud ingests and analyzes activity logs from Google Cloud to produce cloud identity and permission insights and CIEM recommendations.

Google Cloud records activity logs (including Admin Activity and Data Access logs) in Cloud Logging. Logs are exported to the configured Pub/Sub topic using a Cloud Logging sink. The Pub/Sub subscription streams log messages to Defender for Cloud when new logs arrive.

Defender for Cloud pulls the logs from Pub/Sub, processes the activity events, and provides identity and permission insights as well as CIEM posture recommendations. Access between GCP and Defender for Cloud is secured via Google Cloud IAM roles and service accounts to ensure least-privilege operation.

Optionally, if IAM Recommender is enabled in your GCP environment, Defender for Cloud leverages its insights to enhance the accuracy of CIEM recommendations by identifying inactive and over-privileged roles.
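The pipeline described above (Cloud Logging sink, Pub/Sub topic, pull subscription, least-privilege IAM) can be expressed in Terraform, which the deployment note later on this page names as one of the two supported ways to complete the GCP-side access configuration. The following is an added example written for this page; it is not Microsoft's or Google's code, and it does not reproduce the script the Defender for Cloud connector generates. It assumes a single-project deployment, placeholder names for the project, topic, subscription and service account, and that a dedicated service account (here `defender-for-cloud-reader`, an assumption) is the identity that pulls from the subscription.

```terraform
# Added example (not from the Microsoft Learn page): builds the GCP side of
# the Cloud Logging -> Pub/Sub -> Defender for Cloud pipeline for one project.
# Project ID, resource names and the reader service account are placeholders.

variable "project_id" {
  description = "GCP project whose activity logs are exported (placeholder)"
  type        = string
}

# Topic that the Cloud Logging sink publishes into.
resource "google_pubsub_topic" "defender_logs" {
  project = var.project_id
  name    = "defender-for-cloud-logs"
}

# Pull subscription; this is the subscription name entered in the
# Defender for Cloud connector settings. Retention keeps messages if the
# consumer falls behind; an empty TTL stops the subscription from expiring
# after a period of inactivity.
resource "google_pubsub_subscription" "defender_logs" {
  project                    = var.project_id
  name                       = "defender-for-cloud-logs-sub"
  topic                      = google_pubsub_topic.defender_logs.name
  ack_deadline_seconds       = 60
  message_retention_duration = "604800s" # 7 days
  expiration_policy {
    ttl = ""
  }
}

# Sink that routes Admin Activity and Data Access audit logs to the topic.
# Data Access logs only exist for services whose audit config enables them,
# so an empty stream for that log type usually means auditing is off, not
# that the sink is broken.
resource "google_logging_project_sink" "defender_logs" {
  project     = var.project_id
  name        = "defender-for-cloud-sink"
  destination = "pubsub.googleapis.com/${google_pubsub_topic.defender_logs.id}"
  filter      = <<-EOT
    logName:"cloudaudit.googleapis.com%2Factivity" OR
    logName:"cloudaudit.googleapis.com%2Fdata_access"
  EOT
  # A dedicated writer identity lets us grant publish rights on this topic only.
  unique_writer_identity = true
}

# The sink's writer identity may publish to this one topic and nothing else.
resource "google_pubsub_topic_iam_member" "sink_publisher" {
  project = var.project_id
  topic   = google_pubsub_topic.defender_logs.name
  role    = "roles/pubsub.publisher"
  member  = google_logging_project_sink.defender_logs.writer_identity
}

# Identity used to pull logs (assumed name). It is granted subscriber on this
# single subscription, not project-wide Pub/Sub access.
resource "google_service_account" "defender_reader" {
  project      = var.project_id
  account_id   = "defender-for-cloud-reader"
  display_name = "Microsoft Defender for Cloud log reader"
}

resource "google_pubsub_subscription_iam_member" "defender_subscriber" {
  project      = var.project_id
  subscription = google_pubsub_subscription.defender_logs.name
  role         = "roles/pubsub.subscriber"
  member       = "serviceAccount:${google_service_account.defender_reader.email}"
}

# Value to paste into the connector's Pub/Sub subscription name field.
output "subscription_name" {
  value = google_pubsub_subscription.defender_logs.name
}
```

For the organization-level scenario, replace `google_logging_project_sink` with `google_logging_organization_sink`, set `org_id` and `include_children = true`, and keep the same topic-scoped publisher binding; the sink then covers every project in the organization with a single topic and subscription. A quick validation after `terraform apply` is to confirm that the topic's IAM policy contains only the sink's writer identity as publisher and that the reader service account holds `roles/pubsub.subscriber` on this subscription alone.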

Deploy GCP Cloud Logging ingestion

Select the deployment scenario that meets your requirements:

  • Project-Level: Configure log ingestion for individual GCP projects.

  • Organization-Level: Centralize log ingestion across all projects within a GCP organization.

Deployment steps

To configure GCP Cloud Logging:

  1. Sign in to the Azure portal.

  2. Search for and select Microsoft Defender for Cloud.

  3. Go to Environment settings.

  4. Select the relevant GCP connector.

  5. Select Settings under the Monitoring coverage column.

  6. Toggle the switches to On and select one of the following methods:

    1. Create a new GCP Cloud Logging configuration and provide a Pub/Sub subscription name.

      Screenshot with the Create a new GCP Cloud Logging option selected.

      Important

      Selecting this option incurs additional cost. Learn more about GCP Cloud Logging pricing.

    2. Use your existing Cloud Logging configuration by manually providing your existing Pub/Sub subscription name.

    Screenshot with the Manually provide GCP Cloud Logging details option selected.

    Note

    Access configuration for GCP can be completed using either GCP Cloud Shell or Terraform, depending on your organization’s deployment workflows.

  7. Select Save.

  8. Continue from step 8 of the Connect your GCP project instructions.

  9. Review and generate the GCP connector to complete log ingestion onboarding into Defender for Cloud.

Next step