This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project,
feel free to reach out to us!Overview
Google Cloud Armor helps protect Google Cloud deployments from multiple types of threats, including distributed denial-of-service (DDoS) attacks and application attacks like cross-site scripting (XSS) and SQL injection (SQLi).
Armor’s Managed Protection is the managed application protection service that helps protect web applications and services from distributed DDoS attacks and other threats from the internet. Managed Protection features always-on protections for load balancers, and gives access to WAF rules.
Google Cloud Armor is integrated automatically with Security Command Center and exports two findings to the Security Command Center dashboard: Allowed Traffic Spike and Increasing Deny Ratio.
Enable this integration along with the Google Cloud Security Command Center Integration to visualize DDoS threats to your Google Cloud environment in Datadog. With this integration, Datadog collects important security events from your Google Cloud network security configurations and metrics from Google Cloud Armor.
This integration delivers insight into the user activity of changes to cloud resources and every request evaluated by a security policy - from audit logs to request logs.
Setup
Installation
- Before you start, ensure the following APIs are enabled for the projects you want to collect Google Cloud Armor events for:
Since Google Cloud Armor events are streamlined as findings to Google Security Command Center, make sure Google Cloud Armor is enabled in the Security Command Center at your Google Cloud console. For more information, see Configuring Security Command Center.
Next, enable the collection of security findings on the main Google Cloud Platform integration.
Configuration
To collect Google Cloud Armor metrics, configure the main Google Cloud integration.
To collect Google Cloud Armor events, you need to add the Security Center Findings Viewer role to the service account.
Install the Google Cloud Security Command Center integration, and enable collection of security findings on the main Google Cloud integration.
To set up logs forwarding from your Google Cloud environment to Datadog, see the Log Collection section.
Audit logs can be forwarded through standard log forwarding. These audit logs use the Google Cloud
resource types gce_backend_service
and network_security_policy
. To include only audit logs,
use filters such as protoPayload.@type="type.googleapis.com/google.cloud.audit.AuditLog"
while
creating the log sink.
Request logs can be forwarded through standard log forwarding. These logs are automatically collected
in Google Cloud Load Balancing logs. Use filters such as
jsonPayload.enforcedSecurityPolicy.outcome="DENY"
while creating the log sink to view requests
denied by a security policy.
Data Collected
Metrics
gcp.networksecurity.dos.ingress_bytes_count (count) | The total number of bytes received, broken down by drop status (allowed or dropped). Shown as byte |
gcp.networksecurity.dos.ingress_packets_count (count) | The total number of packets received, broken down by drop status (allowed or dropped). Shown as packet |
gcp.networksecurity.firewall_endpoint.received_bytes_count (count) | Total firewall endpoint received bytes. Shown as byte |
gcp.networksecurity.firewall_endpoint.received_packets_count (count) | Total firewall endpoint received packets. Shown as packet |
gcp.networksecurity.firewall_endpoint.sent_bytes_count (count) | Total firewall endpoint sent bytes. Shown as byte |
gcp.networksecurity.firewall_endpoint.sent_packets_count (count) | Total firewall endpoint sent packets. Shown as packet |
gcp.networksecurity.firewall_endpoint.threats_count (count) | Total firewall endpoint detected threats. |
gcp.networksecurity.https.previewed_request_count (count) | Queries that would be affected by rules currently in the 'preview' mode, if those rules were to be made non-preview. Shown as request |
gcp.networksecurity.https.request_count (count) | Actual number of queries affected by policy enforcement on queries. Shown as request |
gcp.networksecurity.l3.external.packet_count (count) | Estimated number of packets by matching rule and enforcement action. Shown as packet |
gcp.networksecurity.l3.external.preview_packet_count (count) | Estimated number of packets that would be affected by rule currently in preview mode, if that rule were to be made non-preview. Shown as packet |
gcp.networksecurity.tcp_ssl_proxy.new_connection_count (count) | New connections affected by policy enforcement. Shown as connection |
gcp.networksecurity.tcp_ssl_proxy.previewed_new_connection_count (count) | New connections that would be affected by rules currently in the 'preview' mode, if those rules were to be made non-preview. Shown as connection |
Service Checks
The Google Cloud Armor integration does not include any service checks.
Events
The Google Cloud Armor integration does not include any events.
Troubleshooting
Need help? Contact Datadog support.
Further Reading
Additional helpful documentation, links, and articles: