NOTE: This guide is for configuring an integration to Google Security Operations using the Chronicle compatibility APIs. See the Google Security Operations setup guide for information on configuring Google SecOps for access using customer managed keys.
This guide walks you through gaining access to Google Developer Service Account credentials and gathering the configuration needed to create a Google Chronicle SIEM integration. This provider uses the older Backstory and Malachite APIs with Google-provided credentials.
Deprecation notice: Google recommends the newer Chronicle API over the Backstory and Ingestion APIs used by this provider. See Google's API overview and deprecation schedule for details. If you can create your own service accounts in a Google Cloud project, use the Google Security Operations provider instead.
Before you begin, you will need:
- A Google Chronicle instance provisioned for your organization
- Communication open with your Google Security Operations representative
- Your representative will provide you with JSON credential files for the APIs described below
Step 1. You will need credentials for the Search API. The service account needed to access the API resides in a Google-managed cloud account. Your Google Security Operations representative will provide you with a JSON file containing the necessary values. Note the client_email, client_id, and private_key values and store them in a safe location.
Step 2. You will need credentials for the Ingestion API. The service account needed to access the API resides in a Google-managed cloud account. Your Google Security Operations representative will provide you with a JSON file containing the necessary values. Note the client_email, client_id, and private_key values and store them in a safe location.
You will also need your Chronicle Customer ID. Your Google Security Operations representative can provide this, or you can find it in the Chronicle console under Settings → SIEM Settings.
These credentials are used for writing events into your Chronicle instance. If this integration does not ingest events through Synqly, you can skip this step and omit the ingestion credential from your integration configuration.
Create your integration by supplying all of the required and any desired optional values.
- Search URL (Optional): Leave this blank to use the default Backstory URL. If you are using an alternate or special deployment of the Google API, find the correct URL for your deployment. This is the root URL without any paths included, for example https://backstory.googleapis.com
- Search Credential: Token URL (Optional): Leave this blank to use the default Google token URL: https://oauth2.googleapis.com/token
- Search Credential: Client Email: The client_email value from the Search API credential file (step 1).
- Search Credential: Client ID: The client_id value from the Search API credential file (step 1).
- Search Credential: Secret: The private_key value from the Search API credential file (step 1). This is the full PEM-encoded private key string. The field is labeled "Secret" because it uses a shared OAuth credential type, but for Google service accounts this value is always the private key.
- Ingestion URL (Optional): Leave this blank to use the default Malachite URL. If you are using an alternate or special deployment of the Google API, find the correct URL for your deployment. This is the root URL without any paths included, for example https://malachiteingestion-pa.googleapis.com
- Ingestion Credential: Token URL (Optional): Leave this blank to use the default Google token URL: https://oauth2.googleapis.com/token
- Ingestion Credential: Client Email: The client_email value from the Ingestion API credential file (step 2).
- Ingestion Credential: Client ID: The client_id value from the Ingestion API credential file (step 2).
- Ingestion Credential: Secret: The private_key value from the Ingestion API credential file (step 2). This is the full PEM-encoded private key string. The field is labeled "Secret" because it uses a shared OAuth credential type, but for Google service accounts this value is always the private key.
- Customer ID (Optional): The Chronicle Customer ID gathered in step 2. Required if writing events.
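A pre-flight check for the credential files described above, as an added example that is not part of the original guide or the provider's own code: it confirms that client_email, client_id and private_key are present and that private_key is a complete PEM block before the values go into the Client Email, Client ID and Secret fields. The function name, sample email, client ID and key body are constructed placeholders, and the check assumes the PKCS#8 "BEGIN PRIVATE KEY" header.

```python
import base64
import json
import re

REQUIRED = ("client_email", "client_id", "private_key")
# Assumption: the key uses the PKCS#8 header "BEGIN PRIVATE KEY".
PEM_RE = re.compile(
    r"\A-----BEGIN PRIVATE KEY-----\n(?P<body>[A-Za-z0-9+/=\n]+)"
    r"-----END PRIVATE KEY-----\n?\Z"
)


def integration_fields(credential_json: str) -> dict:
    """Validate a credential file and map it to the form fields in this guide."""
    data = json.loads(credential_json)
    missing = [k for k in REQUIRED if not data.get(k)]
    if missing:
        raise ValueError("credential file is missing: " + ", ".join(missing))
    key = data["private_key"]
    # Copying the raw JSON text instead of the decoded value leaves literal
    # backslash-n sequences in the key, which is no longer valid PEM.
    if "\\n" in key:
        raise ValueError("private_key has literal \\n; use the decoded JSON value")
    match = PEM_RE.match(key)
    if not match:
        raise ValueError("private_key is not a complete PEM block")
    try:
        base64.b64decode(match.group("body").replace("\n", ""), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("private_key body is not valid base64") from exc
    return {
        "Client Email": data["client_email"],
        "Client ID": data["client_id"],
        "Secret": key,
    }


# Constructed sample: the key body is placeholder bytes, not a real private key.
BODY = base64.b64encode(b"constructed placeholder, not a key " * 3).decode()
SAMPLE = json.dumps({
    "type": "service_account",
    "client_email": "search-sa@example-project.iam.gserviceaccount.com",
    "client_id": "100000000000000000000",
    "private_key": f"-----BEGIN PRIVATE KEY-----\n{BODY}\n-----END PRIVATE KEY-----\n",
})

if __name__ == "__main__":
    for label, value in integration_fields(SAMPLE).items():
        # Never print the key itself; show only its length.
        print(label, "=", value if label != "Secret" else f"<{len(value)} chars>")
```

The check covers framing and encoding only; it does not prove the key is the one Google issued or that the service account is authorized for the API.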