SOLVED

How to Troubleshoot GCP integration

Respected Contributor

Yesterday, we connected a GCP org to Defender for Cloud. Security Posture shows the organization and 50 projects, but the score is N/A and all of them show 0 of 0. How can I troubleshoot to see what is preventing the recommendations from being performed and reported?

16 Replies
Hi Dean,
Assuming you have followed our guidance and configured everything correctly on both sides, it may take up to 6 hours before you can see any assessment results in MDC. We run data sync and assessments for each connector several times a day. We are also working on significantly reducing this interval and providing near real-time assessments.
If you are still experiencing issues 6h+ after the initial setup, please contact our support.

https://docs.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-gcp?pivots=env-settings

Thanks, we attempted to follow that guidance, but it is incomplete. It does not define the roles and permissions that are required, so we had to do some troubleshooting. I don't know if that caused the issues, but it has been about 18 hours. The Inventory page does not show any resources from GCP, but the Security Posture page does show the organization and projects.
Do you mean regular Azure Support or something else?
best response confirmed by Dean Gross (Respected Contributor)
Solution
Yes, regular support. Thank you for your feedback.

@Stanislav Belov these instructions, Connect Google Cloud Platform to Defender for Cloud Apps | Microsoft Docs, have prerequisites that are not listed in the MDC instructions, specifically that the Security Command Center needs to be enabled in GCP. Is this also a requirement for connecting GCP to MDC?

This was a requirement for our first version of the connector (Classic). The new experience does not have dependencies on either AWS Security Hub or GCP Command Center.
Thanks, I was hoping that was the cause of my problem, but apparently something else is the issue. I can't open a support ticket because my tenant is managed through our CSP program and we don't have support set up with ourselves :)
I have opened a ticket and this is not something that they have any experience with. They are trying to find the right people to help. It would be good if the support team could get trained on new features before they are made available. I don't mind troubleshooting, but after seeing demos showing how easy this was supposed to be, I'm somewhat disappointed.
This is the wrong article, Dean. We are talking about Defender for Cloud here :)
Hey Dean, have you added a standard to the connector for the GCP org? The GCP Default standard has to be assigned for Secure Score recommendations to appear.

To assign the GCP Default standard, follow the steps below:
1. Navigate to environment settings
2. Select the relevant connector for the GCP org
3. Select ‘Standards’
4. Select ‘Add’ -> ‘Standard’
5. Choose the GCP Default standard from the drop-down menu
6. Select ‘Save’

@Lara_Goldstein yes, I did that.

This is what I see in the Security Posture.

@Dean Gross, can you verify that all the GCP resources were created as expected in the GCP project?

  1. WorkloadIdentityPoolId
  2. WorkloadIdentityProviderId
  3. ServiceAccountEmail

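As an added example (not from this thread and not Microsoft's onboarding tooling), a small shell script that performs the existence checks Lara describes against the GCP project with gcloud. The project, pool, provider and service-account values are placeholders; replace them with the IDs shown on the connector's environment-settings page.

```shell
#!/bin/sh
# Added example, not from the thread: verify that the three GCP-side resources
# the Defender for Cloud connector relies on actually exist in the project.
# All four values are placeholders; replace them with the IDs displayed on the
# connector's environment-settings page (or export them before running).
PROJECT_ID="${PROJECT_ID:-my-gcp-project}"
POOL_ID="${POOL_ID:-mdc-workload-identity-pool}"
PROVIDER_ID="${PROVIDER_ID:-mdc-workload-identity-provider}"
SA_EMAIL="${SA_EMAIL:-mdc-sa@my-gcp-project.iam.gserviceaccount.com}"

# Workload identity pools only exist in the "global" location.
check_pool() {
  gcloud iam workload-identity-pools describe "$1" \
    --project="$PROJECT_ID" --location=global >/dev/null 2>&1
}

# A provider is addressed through the pool it belongs to ($1 pool, $2 provider).
check_provider() {
  gcloud iam workload-identity-pools providers describe "$2" \
    --workload-identity-pool="$1" --project="$PROJECT_ID" \
    --location=global >/dev/null 2>&1
}

check_service_account() {
  gcloud iam service-accounts describe "$1" \
    --project="$PROJECT_ID" >/dev/null 2>&1
}

# Runs all three checks, prints one status line per resource and returns the
# number of missing resources, so 0 means the connector's GCP side is intact.
check_connector_resources() {
  missing=0
  if check_pool "$POOL_ID"; then echo "OK       pool      $POOL_ID"
  else echo "MISSING  pool      $POOL_ID"; missing=$((missing + 1)); fi
  if check_provider "$POOL_ID" "$PROVIDER_ID"; then echo "OK       provider  $PROVIDER_ID"
  else echo "MISSING  provider  $PROVIDER_ID"; missing=$((missing + 1)); fi
  if check_service_account "$SA_EMAIL"; then echo "OK       account   $SA_EMAIL"
  else echo "MISSING  account   $SA_EMAIL"; missing=$((missing + 1)); fi
  return "$missing"
}

# When run as a script, summarise the result; a missing resource usually means
# the GCP-side onboarding script did not complete and should be re-run.
if check_connector_resources; then
  echo "All connector resources are present in $PROJECT_ID"
else
  echo "One or more connector resources are missing in $PROJECT_ID" >&2
fi
```

The caller must be authenticated with gcloud as a principal allowed to read IAM resources in the project; a "MISSING" line for a resource that does exist usually means the caller lacks view permission rather than that the resource is gone.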

@Lara_Goldstein that account seems to be OK; the check marks are green.

Thanks, I accidentally pasted in the wrong link. I meant to ask you about https://docs.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-gcp?pivots=classic-conn...., which had many prerequisites that don't appear to still be required for the new environment settings approach.
I am tempted to delete the Environment settings in Azure and start over, but I'm concerned that there will be resources in GCP that won't get cleaned up and cause future problems. Is there a way to remove those? Or is this a bad idea?
I don't advise deleting it yet since the resources in GCP won't be deleted. Have you noticed any difference after the weekend?
No change, I am still not getting any data for the resources.