The Google Cloud Platform integration enables monitoring of security events from your GCP infrastructure. Events are collected directly via GCP API and centralized in the Wazuh Dashboard for analysis.

Overview

The GCP integration collects security events from various Google Cloud services including Cloud Logging, Compute Engine, Cloud Storage, and more. All events are tagged with wazuh.integration.name: gcp for filtering and analysis. Reference: plugins/main/common/wazuh-modules.ts:90

Supported GCP Services

The integration monitors events from:
  • Cloud Logging (formerly Stackdriver) - Centralized logging service
  • Compute Engine - Virtual machine instances
  • Cloud Storage - Object storage events
  • Cloud DNS - DNS query and response logs
  • Cloud SQL - Database instance activities
  • Cloud Load Balancing - Load balancer logs
  • VPC Flow Logs - Network traffic monitoring
  • Cloud Audit Logs - Administrative activity logs
  • Security Command Center - Security findings
  • Cloud IAM - Identity and access management

Key Features

  • Real-time event collection via GCP API
  • Multi-project monitoring support
  • Multi-region event aggregation
  • Pub/Sub-based event streaming
  • Automatic log parsing and enrichment
  • Pre-built dashboards and visualizations

Data Source Configuration

The GCP data source uses the following configuration:
const GOOGLE_CLOUD_GROUP_KEY = 'wazuh.integration.name';
const GOOGLE_CLOUD_GROUP_VALUE = 'gcp';
Reference: plugins/main/public/components/common/data-source/pattern/events/google-cloud/google-cloud-data-source.ts:5

Event Fields

GCP events include the following key fields:
  • data.gcp.jsonPayload.authAnswer - DNS authentication response
  • data.gcp.jsonPayload.vmInstanceName - VM instance name
  • data.gcp.jsonPayload.vmInstanceId - VM instance identifier
  • data.gcp.jsonPayload.responseCode - HTTP response code
  • data.gcp.jsonPayload.queryName - DNS query name
  • data.gcp.resource.labels.project_id - GCP project ID
  • data.gcp.resource.type - Resource type
  • data.gcp.resource.labels.location - Resource location/region
  • data.gcp.resource.labels.source_type - Event source type
References:
  • plugins/main/public/components/overview/google-cloud/dashboards/dashboard_panels.ts:112
  • plugins/main/common/dashboards/dashboard-definitions/overview/google-cloud/vis-states.ts:102

Setup and Configuration

Prerequisites

  • Google Cloud Platform account
  • GCP project with appropriate APIs enabled
  • Wazuh manager with GCP module enabled
  • Service account with required permissions
  • Pub/Sub topic for log streaming (recommended)

Configuration Steps

  1. Create Service Account
    • Navigate to IAM & Admin > Service Accounts
    • Create a new service account for Wazuh
    • Grant appropriate permissions
    • Download JSON key file
  2. Enable Required APIs
    gcloud services enable logging.googleapis.com
    gcloud services enable pubsub.googleapis.com
    gcloud services enable compute.googleapis.com
    gcloud services enable cloudresourcemanager.googleapis.com
    
  3. Configure Required Permissions
    Assign these roles to the service account:
    • roles/logging.viewer - View logs
    • roles/pubsub.subscriber - Subscribe to Pub/Sub topics
    • roles/storage.objectViewer - View Cloud Storage objects (if needed)
  4. Set Up Pub/Sub (Recommended)
    # Create Pub/Sub topic
    gcloud pubsub topics create wazuh-gcp-logs
    
    # Create subscription
    gcloud pubsub subscriptions create wazuh-gcp-sub \
      --topic=wazuh-gcp-logs
    
    # Create log sink (routes Cloud Logging entries to the topic)
    gcloud logging sinks create wazuh-sink \
      pubsub.googleapis.com/projects/PROJECT_ID/topics/wazuh-gcp-logs
    # The command prints the sink's writer identity (a service account);
    # grant it roles/pubsub.publisher on the topic or nothing is delivered.
    
  5. Configure Wazuh Manager
    Edit /var/ossec/etc/ossec.conf:
    <wodle name="gcp-pubsub">
      <disabled>no</disabled>
      <pull_on_start>yes</pull_on_start>
      <interval>10m</interval>
      <project_id>your-project-id</project_id>
      <subscription_name>wazuh-gcp-sub</subscription_name>
      <credentials_file>/path/to/credentials.json</credentials_file>
    </wodle>
    
  6. Verify Configuration
    • Restart Wazuh manager
    • Check logs at /var/ossec/logs/ossec.log
    • Verify events appear in dashboard

Dashboard Visualizations

The GCP integration includes comprehensive visualizations:

Overview Dashboard

  • Events Over Time by Auth Answer - Timeline showing DNS authentication results
  • Top VM Instances - Most active virtual machine instances
  • Response Codes Distribution - HTTP response code breakdown
  • Top Projects - Events by GCP project
  • Resource Types - Distribution across GCP resource types
  • Geographic Distribution - Events by location/region
  • DNS Query Analysis - Most frequent DNS queries
References:
  • plugins/main/public/components/overview/google-cloud/dashboards/dashboard_panels.ts:4
  • plugins/main/common/dashboards/dashboard-definitions/overview/google-cloud/vis-states.ts:184

Filtering Events

Filter GCP events using:
wazuh.integration.name: "gcp"
Additional filters:
  • By project: data.gcp.resource.labels.project_id: "my-project"
  • By resource type: data.gcp.resource.type: "gce_instance"
  • By location: data.gcp.resource.labels.location: "us-central1"
  • By VM instance: data.gcp.jsonPayload.vmInstanceName: "instance-1"

Use Cases

Cloud Security Monitoring

  • Track unauthorized access attempts
  • Monitor VM instance lifecycle events
  • Detect suspicious API calls
  • Identify unusual network patterns
  • Track service account activities

Compliance and Auditing

  • Administrative activity tracking
  • Data access logging
  • Configuration change monitoring
  • Resource creation and deletion audit
  • User authentication verification

Infrastructure Monitoring

  • VM instance performance tracking
  • Network traffic analysis
  • DNS query monitoring
  • Load balancer health checks
  • Storage access patterns

Threat Detection

  • Anomalous authentication attempts
  • Privilege escalation detection
  • Data exfiltration indicators
  • Malicious DNS queries
  • Cryptocurrency mining detection

Event Analysis

DNS Security Events

Analyze DNS-related security events:
  • Monitor DNS query patterns via data.gcp.jsonPayload.queryName
  • Track authentication responses via data.gcp.jsonPayload.authAnswer
  • Identify potential DNS tunneling
  • Detect domain generation algorithms (DGA)
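As an added example (not code from the plugin or the Wazuh project), a Python pass over constructed events in the data.gcp.* shape listed under Event Fields: it flags long or high-entropy subdomains as tunneling candidates and counts NXDOMAIN answers per VM instance as a DGA-style indicator. The thresholds, the exact event layout and the sample values are assumptions.

```python
import math
from collections import Counter

def mk(query_name, response_code, vm):
    """Constructed event in the data.gcp shape the dashboard fields use (values made up)."""
    return {"wazuh": {"integration": {"name": "gcp"}},
            "data": {"gcp": {"jsonPayload": {"queryName": query_name, "responseCode": response_code,
                                             "vmInstanceName": vm},
                             "resource": {"type": "dns_query",
                                          "labels": {"project_id": "demo-project"}}}}}

# Constructed sample batch: one benign lookup, one tunnel-shaped name, three NXDOMAINs from one VM.
SAMPLE_EVENTS = [
    mk("www.example.com.", "NOERROR", "web-1"),
    mk("6b3f9a2c4d1e8f7a0b5c9d3e2f1a4b6c.tun.example.net.", "NOERROR", "web-1"),
    mk("qzkvrtpmxw.info.", "NXDOMAIN", "build-7"),
    mk("lpwsdfhqnc.biz.", "NXDOMAIN", "build-7"),
    mk("xjrtvbnmka.org.", "NXDOMAIN", "build-7"),
]

def get_field(event, dotted):
    """Resolve a dotted path such as data.gcp.jsonPayload.queryName (None if absent)."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def shannon_entropy(text):
    """Bits per character; random-looking labels score close to log2(alphabet size)."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def flag_query(event, long_label=30, entropy_min=3.5):
    """Reasons one DNS event looks like tunneling (assumed thresholds); [] if nothing stands out."""
    name = (get_field(event, "data.gcp.jsonPayload.queryName") or "").rstrip(".")
    labels = name.split(".")
    subdomain = "".join(labels[:-2])  # everything left of the registrable domain
    reasons = []
    if any(len(label) > long_label for label in labels):
        reasons.append("long-label")
    if len(subdomain) >= 16 and shannon_entropy(subdomain) >= entropy_min:
        reasons.append("high-entropy-subdomain")
    return reasons

def nxdomain_by_instance(events, min_count=3):
    """VMs with at least min_count NXDOMAIN answers in the batch: a DGA-style lookup pattern."""
    hits = Counter(get_field(e, "data.gcp.jsonPayload.vmInstanceName") for e in events
                   if get_field(e, "data.gcp.jsonPayload.responseCode") == "NXDOMAIN")
    return {vm: n for vm, n in hits.items() if n >= min_count}
```

The same dotted paths are what the dashboard filters on, so a hit can be pivoted straight into the query shown under Filtering Events.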

VM Instance Security

Monitor virtual machine security:
  • Track instance creation and deletion
  • Monitor SSH access attempts
  • Identify unauthorized instance modifications
  • Detect compromised instances

Network Security

Analyze network traffic:
  • VPC Flow Logs analysis
  • Load balancer traffic patterns
  • Firewall rule violations
  • DDoS attack detection

Troubleshooting

No Events Appearing

  • Verify service account credentials are valid
  • Check JSON key file path is correct
  • Ensure required APIs are enabled
  • Verify Pub/Sub subscription exists
  • Check IAM permissions are sufficient
  • Review Wazuh logs for errors
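An added pre-flight check (example code, not part of the Wazuh project) for the manager side of the setup steps and for this list: it parses the gcp-pubsub wodle blocks from an ossec.conf fragment, confirms the elements the setup step shows are present, and inspects the service-account key file they point at (existence, permissions, JSON shape). The config fragment and the key file are constructed; no real key is used.

```python
import json
import os
import tempfile
import xml.etree.ElementTree as ET
# Constructed ossec.conf fragment in the shape used in the setup steps above.
CONFIG_XML = """<ossec_config>
  <wodle name="gcp-pubsub">
    <disabled>no</disabled>
    <project_id>demo-project</project_id>
    <subscription_name>wazuh-gcp-sub</subscription_name>
    <credentials_file>{creds}</credentials_file>
  </wodle>
</ossec_config>"""

def check_credentials_file(path):
    """Problems with the key file: missing, too open, not JSON, not a service-account key."""
    if not os.path.isfile(path):
        return [f"credentials_file not found: {path}"]
    problems = []
    if os.stat(path).st_mode & 0o077:  # group/other bits set: key is exposed on the manager
        problems.append("credentials_file is readable by group or others")
    try:
        with open(path) as fh:
            key = json.load(fh)
    except ValueError:
        return problems + ["credentials_file is not valid JSON"]
    if key.get("type") != "service_account" or not key.get("private_key"):
        problems.append("credentials_file is not a service_account key")
    return problems

def check_gcp_wodles(xml_text):
    """Return every problem found in the <wodle name="gcp-pubsub"> blocks of an ossec.conf."""
    wodles = ET.fromstring(xml_text).findall("./wodle[@name='gcp-pubsub']")
    problems = [] if wodles else ["no gcp-pubsub wodle configured"]
    for w in wodles:
        val = lambda tag: (w.findtext(tag) or "").strip()
        if val("disabled") != "no":
            problems.append("wodle is disabled")
        problems += [f"missing <{t}>" for t in ("project_id", "subscription_name", "credentials_file") if not val(t)]
        if val("credentials_file"):
            problems += check_credentials_file(val("credentials_file"))
    return problems

def demo(mode=0o600):
    """Validate the fragment against a constructed (fake) key file written with the given mode."""
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as fh:
        json.dump({"type": "service_account", "client_email": "wazuh@demo-project.iam.gserviceaccount.com",
                   "private_key": "PLACEHOLDER-NOT-A-REAL-KEY"}, fh)
    os.chmod(fh.name, mode)
    return check_gcp_wodles(CONFIG_XML.format(creds=fh.name))
```

Run it against the real /var/ossec/etc/ossec.conf by passing its contents to check_gcp_wodles; an empty list means the manager-side prerequisites above are in place.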

Missing Events from Specific Services

  • Confirm logging is enabled for the service
  • Verify log sink is configured correctly
  • Check log filters in GCP Console
  • Ensure Pub/Sub topic receives messages

Subscription Issues

  • Verify subscription is not paused
  • Check message retention settings
  • Monitor subscription backlog
  • Adjust acknowledgment deadline if needed

Performance Optimization

  • Adjust polling intervals
  • Configure log filtering at source
  • Use message batching
  • Optimize Pub/Sub settings
  • Scale Wazuh manager resources

Security Best Practices

  1. Use Service Accounts - Dedicated service accounts for integration
  2. Principle of Least Privilege - Grant minimum required permissions
  3. Rotate Keys - Regular service account key rotation
  4. Enable Audit Logging - Monitor integration activities
  5. Secure Credentials - Store JSON keys securely
  6. Use VPC Service Controls - Restrict API access
  7. Monitor Costs - Track Pub/Sub and API usage

Advanced Configuration

Multiple Projects

Monitor multiple GCP projects:
<wodle name="gcp-pubsub">
  <disabled>no</disabled>
  <project_id>project-1</project_id>
  <subscription_name>wazuh-sub-1</subscription_name>
  <credentials_file>/path/to/creds-1.json</credentials_file>
</wodle>

<wodle name="gcp-pubsub">
  <disabled>no</disabled>
  <project_id>project-2</project_id>
  <subscription_name>wazuh-sub-2</subscription_name>
  <credentials_file>/path/to/creds-2.json</credentials_file>
</wodle>

Log Filtering

Configure log sinks with filters:
gcloud logging sinks create wazuh-security-sink \
  pubsub.googleapis.com/projects/PROJECT_ID/topics/wazuh-gcp-logs \
  --log-filter='severity >= ERROR OR
    protoPayload.methodName:"delete" OR
    protoPayload.methodName:"setIamPolicy"'
