Onboarding or migrating a Google Security Operations instance

Google Security Operations links to a customer-supplied Google Cloud project to integrate more closely with Google Cloud services, such as Identity and Access Management, Cloud Monitoring, and Cloud Audit Logs. Customers can use IAM and workforce identity federation to authenticate using their existing identity provider.

The following documents guide you through the process to onboard a new Google Security Operations instance or migrate an existing Google Security Operations instance.

Required roles

The following sections describe the permissions you need for each phase of the onboarding process, mentioned in the previous section.

Configure a Google Cloud project for Google Security Operations

To complete the steps in Configure a Google Cloud project for Google Security Operations, you need the following IAM permissions.

If you have the Project Creator role (resourcemanager.projects.create permission) at the organization level, then no additional permissions are required to create a project and enable the Chronicle API.

If you do not have this permission, you need the following permissions at the project level:

Configure an identity provider

You can use Cloud Identity, Google Workspace, or a third-party identity provider (such as Okta or Azure AD) to manage users, groups, and authentication.

Permissions to configure Cloud Identity or Google Workspace

If you are using Cloud Identity, you must have the roles and permissions described in Manage access to projects, folders, and organizations.

If you are using Google Workspace, you must have a Cloud Identity administrator account and be able to sign into the Admin console.

See Configure Google Cloud identity provider for more information about using Cloud Identity or Google Workspace as the identity provider.

Permissions to configure a third-party identity provider

If you use a third-party identity provider, you will configure Workforce Identity Federation and a workforce identity pool.

To complete the steps in Configure a third-party identity provider for Google Security Operations, you need the following IAM permissions.

  • Project Editor permissions to the Google Security Operations-bound project you created previously.

  • IAM Workforce Pool Admin (roles/iam.workforcePoolAdmin) permission at the organization level.

    Use the following command as an example to set the roles/iam.workforcePoolAdmin role:

    gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
    --member "user:USER_EMAIL" \
    --role roles/iam.workforcePoolAdmin

    Replace the following:

    • ORGANIZATION_ID: the numeric organization ID.
    • USER_EMAIL: the admin user's email address.

For more information, see Configure a third-party identity provider.

To complete the steps in Link Google Security Operations to Google Cloud services, you need the same permissions defined in the Configure a Google Cloud project for Google Security Operations section.

If you plan to migrate an existing Google SecOps instance, you need permissions to access Google SecOps. For a list of predefined roles, see Google SecOps predefined roles in IAM.

Configure feature access control using IAM

To complete the steps in Configure feature access control using IAM, you need the following IAM permission at the project level to grant and modify the project's IAM role bindings:

See Assign roles to users and groups for an example of how to do this.

If you plan to migrate an existing Google Security Operations instance to IAM, you need the same permissions defined in the Configure a third-party identity provider for Google Security Operations section.

Configure data access control

To configure data RBAC for users, you require the Chronicle API Admin (roles/chronicle.admin) and Role Viewer (roles/iam.roleViewer) roles. To assign the scopes to users, you require the Project IAM Admin (roles/resourcemanager.projectIamAdmin) or Security Admin (roles/iam.securityAdmin) role.

If you don't have the required roles, assign the roles in IAM.
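The role bindings named in this section and in the workforce identity federation section above are easy to check before starting, rather than discovering a missing role halfway through. The following Python script is an added example, not part of the Google documentation: it reads IAM policies in the JSON shape that `gcloud organizations get-iam-policy ORGANIZATION_ID --format=json` and `gcloud projects get-iam-policy PROJECT_ID --format=json` return, and reports for a principal whether the roles for configuring workforce identity federation (organization level), configuring data RBAC and assigning scopes (project level) are held. The two sample policies, the example.com identities and the etag values are constructed for the demo. It goes slightly beyond the text in one respect: bindings that carry a `condition` are reported separately, because a conditional grant is not a firm one.

```python
"""Preflight check of IAM role bindings for Google SecOps onboarding (added example)."""
import json

# Constructed sample policies in the JSON shape returned by
#   gcloud organizations get-iam-policy ORGANIZATION_ID --format=json
#   gcloud projects get-iam-policy PROJECT_ID --format=json
# The identities and etag values are made up for this demo.
SAMPLE_ORG_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/iam.workforcePoolAdmin",
     "members": ["user:secops-admin@example.com"]},
    {"role": "roles/resourcemanager.organizationViewer",
     "members": ["group:secops-analysts@example.com"]}
  ],
  "etag": "BwExampleOrg=", "version": 1
}
""")

SAMPLE_PROJECT_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/chronicle.admin",
     "members": ["user:secops-admin@example.com"]},
    {"role": "roles/iam.roleViewer",
     "members": ["user:secops-admin@example.com",
                 "group:secops-analysts@example.com"]},
    {"role": "roles/iam.securityAdmin",
     "members": ["user:secops-admin@example.com"],
     "condition": {"title": "expired break-glass grant",
                   "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}},
    {"role": "roles/editor",
     "members": ["user:secops-admin@example.com"]}
  ],
  "etag": "BwExampleProject=", "version": 3
}
""")

# Roles the guide names for each step. Each step maps to a list of
# alternatives; an alternative is the set of roles that must ALL be held.
ORG_REQUIREMENTS = {
    "configure workforce identity federation":
        [{"roles/iam.workforcePoolAdmin"}],
}
PROJECT_REQUIREMENTS = {
    "configure data RBAC":
        [{"roles/chronicle.admin", "roles/iam.roleViewer"}],
    "assign data RBAC scopes to users":
        [{"roles/resourcemanager.projectIamAdmin"}, {"roles/iam.securityAdmin"}],
}


def roles_for_member(policy, member):
    """Split the roles bound directly to `member` into unconditional and
    conditional ones. A binding with a `condition` applies only while its CEL
    expression is true, so it is not counted as a firm grant.
    Group membership is not expanded: a policy lists groups, not their
    members, so a user inheriting a role via a group shows up under the group."""
    unconditional, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        (conditional if "condition" in binding else unconditional).add(binding["role"])
    return unconditional, conditional


def check_requirements(policy, member, requirements):
    """Return {step: status}; status is "ok", "conditional" (satisfied only
    through a conditional binding) or "missing: <roles>"."""
    held, conditional = roles_for_member(policy, member)
    report = {}
    for step, alternatives in requirements.items():
        if any(alt <= held for alt in alternatives):
            report[step] = "ok"
        elif any(alt <= held | conditional for alt in alternatives):
            report[step] = "conditional"
        else:
            # Report the alternative that is closest to being satisfied.
            missing = min((sorted(alt - held) for alt in alternatives), key=len)
            report[step] = "missing: " + ", ".join(missing)
    return report


def preflight(org_policy, project_policy, member):
    """Combine the organization-level and project-level checks for one principal."""
    report = check_requirements(org_policy, member, ORG_REQUIREMENTS)
    report.update(check_requirements(project_policy, member, PROJECT_REQUIREMENTS))
    return report


if __name__ == "__main__":
    for principal in ("user:secops-admin@example.com", "group:secops-analysts@example.com"):
        print(principal)
        for step, status in preflight(SAMPLE_ORG_POLICY, SAMPLE_PROJECT_POLICY, principal).items():
            print(f"  {step}: {status}")
```

Run against real output by loading the two `gcloud ... get-iam-policy --format=json` results with `json.load` in place of the constructed samples. A `conditional` result is worth a closer look before relying on it: in the sample, the Security Admin grant has already expired, so scope assignment would fail despite the binding being present.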

Google Security Operations advanced capabilities requirements

The following table lists Google Security Operations advanced capabilities and their dependencies on a customer-provided Google Cloud project and Google workforce identity federation.

| Capability | Google Cloud foundation | Requires Google Cloud project? | Requires IAM integration? |
|---|---|---|---|
| Cloud Audit Logs: administrative activities | Cloud Audit Logs | Yes | Yes |
| Cloud Audit Logs: data access | Cloud Audit Logs | Yes | Yes |
| Cloud Billing: online subscription or pay-as-you-go | Cloud Billing | Yes | No |
| Google Security Operations APIs: general access, mint and manage credentials using third-party IdP | Google Cloud APIs | Yes | Yes |
| Google Security Operations APIs: general access, mint and manage credentials using Cloud Identity | Google Cloud APIs, Cloud Identity | Yes | Yes |
| Compliant controls: CMEK | Cloud Key Management Service or Cloud External Key Manager | Yes | No |
| Compliant controls: FedRAMP High or above | Assured Workloads | Yes | Yes |
| Compliant controls: Organization Policy Service | Organization Policy Service | Yes | No |
| Compliant controls: VPC Service Controls | VPC Service Controls | Yes | No |
| Contact management: legal disclosures | Essential Contacts | Yes | No |
| Health monitoring: ingestion pipeline outages | Cloud Monitoring | Yes | No |
| Ingestion: webhook, Pub/Sub, Azure Event Hub, Amazon Kinesis Data Firehose | Identity and Access Management | Yes | No |
| Role-based access controls: data | Identity and Access Management | Yes | Yes |
| Role-based access controls: features or resources | Identity and Access Management | Yes | Yes |
| Support access: case submission, tracking | Cloud Customer Care | Yes | No |
| Unified SecOps authentication | Google workforce identity federation | No | Yes |