NOTE: this guide is for configuring an integration to Google Security Operations using the newer APIs that allow customer-defined credentials. See the Chronicle setup guide for information on configuring SecOps using the Chronicle compatibility APIs.
This guide walks you through setting up a custom role and gathering the information required to connect your Google Security Operations instance as a SIEM with Synqly. Before you begin, make sure you have a Google Security Operations instance provisioned in a Workspace project.
Gather your Security Operations values
1. Sign in to Google Cloud Console
Sign in to your Google Cloud console with an account that has access to view Google Security Operations information.
First, note the current project ID. You can find it by opening the project picker at the top left and filtering or finding your project in the list. Note the 'ID' value in a safe location.
2. Find your Google Security Operations information
From the search bar, navigate to "Google SecOps". On the Overview page, expand the 'Instance Details' section. This reveals the needed values for your Security Operations instance. Record your Customer ID and region to a safe location.
3. (Optional) Create a limited permissions role
Synqly highly suggests creating a custom role to limit the permissions of the service account used to access Google Security Operations data. However, you can opt to skip this step. For access to all features, the only built-in role with the needed permissions is the 'Chronicle API Admin' role.
Follow the Google documentation to create a new role in the IAM application. Give the role a title, description, and ID. Set the role to 'General Availability'.
When adding permissions for the role, locate and add:
chronicle.events.import (can be omitted if not using event ingestion)
chronicle.events.udmSearch
chronicle.logTypes.list
Note: This list may expand as Synqly adds features to the Google Security Operations SIEM connector.
4. Create a Service Account
Follow the Google documentation to create a new Service Account. When assigning permissions for the service account, assign the role from step 3, or the "Chronicle API Admin" role if you skipped step 3.
There is no need to assign additional users or admins to the service account unless desired.
Finally, create a service account key. This key contains the values needed to successfully authenticate with Google. From your key file, note the Client ID, Client Email, and Private Key values in a safe location.
Configure the Integration
Create your integration by supplying all of the required and any desired optional values.
Credential: Token URL (Optional) - Leave this blank to use the default Google token URL: https://oauth2.googleapis.com/token
Credential: Client Email - This is the client_email value gathered in step 4.
Credential: Client ID - This is the client_id value gathered in step 4.
Credential: Client Secret - This is the private_key value gathered in step 4.
Customer ID - This is the Customer ID gathered in step 2.
Region - This is the Region string gathered in step 2.
Project ID - This is the GCP project ID gathered in step 1.
URL (Optional) - In the majority of cases this field should be left blank. Only set this if you are targeting a non-standard instance of the Google Cloud Platform. By default Synqly will construct your region-specific API URL. If you are supplying a custom value, this is the root URL without any paths included, for example https://us-chronicle.googleapis.com.
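The following pre-flight script is an added example, not part of this guide or of Synqly's or Google's own tooling. It covers two of the steps above: it compares a custom role definition against the permission list from step 3 (flagging anything missing, anything granted beyond that list, and whether the role is in General Availability), and it maps a service-account key file from step 4 onto the integration fields. The role JSON is assumed to follow the shape printed by `gcloud iam roles describe --format=json` (`includedPermissions`, `stage`); the field labels in the returned mapping, the region-to-URL pattern (generalised from the single `us` example above), and all sample data are constructed for illustration.

```python
"""Pre-flight checks for a Synqly to Google Security Operations integration.

Added example. Validates a custom IAM role against the guide's permission list
(least privilege) and maps a service-account key file onto the integration's
credential fields. All sample data below is constructed.
"""
import json

# Permissions named in step 3 of the guide.
REQUIRED_PERMISSIONS = {"chronicle.events.udmSearch", "chronicle.logTypes.list"}
INGESTION_PERMISSION = "chronicle.events.import"  # only needed for event ingestion
DEFAULT_TOKEN_URL = "https://oauth2.googleapis.com/token"


def check_custom_role(role: dict, event_ingestion: bool = True) -> dict:
    """Compare a role definition against the guide's permission list.

    `role` is assumed to follow the JSON shape of `gcloud iam roles describe`
    (keys `includedPermissions` and `stage`). Returns what is missing, what is
    granted beyond the guide's list (a least-privilege finding), and whether
    the role stage is GA as step 3 requires.
    """
    needed = set(REQUIRED_PERMISSIONS)
    if event_ingestion:
        needed.add(INGESTION_PERMISSION)
    granted = set(role.get("includedPermissions", []))
    return {
        "missing": sorted(needed - granted),
        "extra": sorted(granted - needed),
        "general_availability": role.get("stage") == "GA",
    }


def default_api_url(region: str) -> str:
    """Region-specific root URL Synqly is expected to construct when the URL
    field is left blank. The pattern generalises the guide's single example
    (https://us-chronicle.googleapis.com) and is an assumption of this script."""
    if not region or "/" in region or "." in region:
        raise ValueError(f"unexpected region value: {region!r}")
    return f"https://{region}-chronicle.googleapis.com"


def integration_values(key_file: dict, customer_id: str, region: str,
                       project_id: str) -> dict:
    """Map a service-account key file (step 4) onto the integration fields.

    The dictionary keys are illustrative labels for the fields listed under
    'Configure the Integration', not Synqly API parameter names.
    """
    for field in ("type", "client_email", "client_id", "private_key"):
        if field not in key_file:
            raise ValueError(f"key file is missing '{field}'")
    if key_file["type"] != "service_account":
        raise ValueError("key file is not a service account key")
    if not key_file["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        raise ValueError("private_key is not a PEM-encoded private key")
    return {
        "credential.token_url": key_file.get("token_uri", DEFAULT_TOKEN_URL),
        "credential.client_email": key_file["client_email"],
        "credential.client_id": key_file["client_id"],
        "credential.client_secret": key_file["private_key"],
        "customer_id": customer_id,
        "region": region,
        "project_id": project_id,
        # For reference only; the guide says to leave the URL field blank.
        "expected_api_url": default_api_url(region),
    }


SAMPLE_ROLE = {  # constructed; shape of `gcloud iam roles describe --format=json`
    "name": "projects/example-project/roles/synqlySecOpsReader",
    "title": "Synqly SecOps reader",
    "stage": "GA",
    "includedPermissions": [
        "chronicle.events.import",
        "chronicle.events.udmSearch",
        "chronicle.logTypes.list",
        "logging.logEntries.list",  # not in the guide's list: reported as extra
    ],
}

SAMPLE_KEY_FILE = {  # constructed; field names follow a real key file, values are placeholders
    "type": "service_account",
    "project_id": "example-project",
    "client_email": "synqly-secops@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "token_uri": "https://oauth2.googleapis.com/token",
}

if __name__ == "__main__":
    print(json.dumps(check_custom_role(SAMPLE_ROLE), indent=2))
    values = integration_values(SAMPLE_KEY_FILE, "CUSTOMER-ID-PLACEHOLDER", "us", "example-project")
    values["credential.client_secret"] = "<redacted>"  # never print the private key
    print(json.dumps(values, indent=2))
```

Run it against the output of `gcloud iam roles describe` for your custom role and the downloaded key file; an "extra" entry means the role grants more than step 3 calls for, and a `ValueError` from `integration_values` means the file is not a service-account key of the shape step 4 produces.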