Google Cloud Armor

Overview

Google Cloud Armor helps protect Google Cloud deployments from multiple types of threats, including distributed denial-of-service (DDoS) attacks and application attacks like cross-site scripting (XSS) and SQL injection (SQLi).

Armor’s Managed Protection is the managed application protection service that helps protect web applications and services from distributed DDoS attacks and other threats from the internet. Managed Protection features always-on protections for load balancers, and gives access to WAF rules.

Google Cloud Armor is integrated automatically with Security Command Center and exports two findings to the Security Command Center dashboard: Allowed Traffic Spike and Increasing Deny Ratio.

Enable this integration along with the Google Cloud Security Command Center Integration to visualize DDoS threats to your Google Cloud environment in Datadog. With this integration, Datadog collects important security events from your Google Cloud network security configurations and metrics from Google Cloud Armor.

This integration delivers insight into the user activity of changes to cloud resources and every request evaluated by a security policy - from audit logs to request logs.

Setup

Installation

  1. Before you start, ensure the following APIs are enabled for the projects you want to collect Google Cloud Armor events for:
  1. Since Google Cloud Armor events are streamlined as findings to Google Security Command Center, make sure Google Cloud Armor is enabled in the Security Command Center at your Google Cloud console. For more information, see Configuring Security Command Center.

  2. Next, enable the collection of security findings on the main Google Cloud Platform integration.

Configuration

To collect Google Cloud Armor metrics, configure the main Google Cloud integration.

To collect Google Cloud Armor events, you need to add the Security Center Findings Viewer role to the service account. Install the Google Cloud Security Command Center integration, and enable collection of security findings on the main Google Cloud integration.

To set up logs forwarding from your Google Cloud environment to Datadog, see the Log Collection section.

Audit logs can be forwarded through standard log forwarding. These audit logs use the Google Cloud resource types gce_backend_service and network_security_policy. To include only audit logs, use filters such as protoPayload.@type="type.googleapis.com/google.cloud.audit.AuditLog" while creating the log sink.

Request logs can be forwarded through standard log forwarding. These logs are automatically collected in Google Cloud Load Balancing logs. Use filters such as jsonPayload.enforcedSecurityPolicy.outcome="DENY" while creating the log sink to view requests denied by a security policy.

Data Collected

Metrics

gcp.networksecurity.dos.ingress_bytes_count
(count)
The total number of bytes received, broken down by drop status (allowed or dropped).
Shown as byte
gcp.networksecurity.dos.ingress_packets_count
(count)
The total number of packets received, broken down by drop status (allowed or dropped).
Shown as packet
gcp.networksecurity.firewall_endpoint.received_bytes_count
(count)
Total firewall endpoint received bytes.
Shown as byte
gcp.networksecurity.firewall_endpoint.received_packets_count
(count)
Total firewall endpoint received packets.
Shown as packet
gcp.networksecurity.firewall_endpoint.sent_bytes_count
(count)
Total firewall endpoint sent bytes.
Shown as byte
gcp.networksecurity.firewall_endpoint.sent_packets_count
(count)
Total firewall endpoint sent packets.
Shown as packet
gcp.networksecurity.firewall_endpoint.threats_count
(count)
Total firewall endpoint detected threats.
gcp.networksecurity.https.previewed_request_count
(count)
Queries that would be affected by rules currently in the 'preview' mode, if those rules were to be made non-preview.
Shown as request
gcp.networksecurity.https.request_count
(count)
Actual number of queries affected by policy enforcement on queries.
Shown as request
gcp.networksecurity.l3.external.packet_count
(count)
Estimated number of packets by matching rule and enforcement action.
Shown as packet
gcp.networksecurity.l3.external.preview_packet_count
(count)
Estimated number of packets that would be affected by rule currently in preview mode, if that rule were to be made non-preview.
Shown as packet
gcp.networksecurity.tcp_ssl_proxy.new_connection_count
(count)
New connections affected by policy enforcement.
Shown as connection
gcp.networksecurity.tcp_ssl_proxy.previewed_new_connection_count
(count)
New connections that would be affected by rules currently in the 'preview' mode, if those rules were to be made non-preview.
Shown as connection

Service Checks

The Google Cloud Armor integration does not include any service checks.

Events

The Google Cloud Armor integration does not include any events.

Troubleshooting

Need help? Contact Datadog support.

Further Reading

Additional helpful documentation, links, and articles: