This guide walks you through enabling the required API, creating a least-privilege custom role, and gathering the information required to connect your Google Security Operations instance as a SIEM with Synqly. Before you begin, make sure you have a Google Security Operations instance provisioned in a Google Cloud project.
Before starting, ensure the Chronicle API is enabled on your Google Cloud project. Without it, the IAM permissions used in this guide will not appear in the role editor.
- In the Google Cloud Console, go to APIs & Services → Library.
- Search for Chronicle API.
- Click Enable.
Sign in to your Google Cloud Console with an account that has access to view Google Security Operations information.
First, note the current project ID. You can find it by opening the project picker at the top left and filtering or finding your project in the list. Record the ID value in a safe location.
From the console search bar, navigate to Google SecOps. On the Overview page, expand the Instance Details section. This reveals the needed values for your Security Operations instance. Record your Customer ID and Region in a safe location.
Synqly strongly recommends creating a custom role to limit the permissions of the service account used to access Google Security Operations data. You can skip this step and use the built-in Chronicle API Admin role instead, but that grants far more access than Synqly requires.
Follow the Google documentation to create a custom role in the IAM application. Give the role a title, description, and ID. Set the launch stage to General Availability.
When adding permissions for the role, locate and add:
- chronicle.events.import (can be omitted if not using event ingestion)
- chronicle.events.udmSearch
- chronicle.logTypes.list
- chronicle.legacies.legacySearchDetections
- chronicle.legacies.legacyGetDetection
Note: This list may expand as Synqly adds features to the Google Security Operations SIEM connector.
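To confirm the custom role matches the permission list above, the following added example (not Synqly's or Google's code) audits a role definition exported as JSON, for instance with `gcloud iam roles describe ROLE_ID --project=PROJECT_ID --format=json`. The function names, the sample project and the sample role ID are assumptions made for illustration.

```python
import json

# Permissions this guide lists for the connector role (the list may grow).
REQUIRED = {
    "chronicle.events.udmSearch",
    "chronicle.logTypes.list",
    "chronicle.legacies.legacySearchDetections",
    "chronicle.legacies.legacyGetDetection",
}
INGEST_ONLY = {"chronicle.events.import"}  # only needed for event ingestion


def audit_role(role: dict, ingestion: bool = True) -> dict:
    """Compare an IAM Role resource (JSON) with the guide's permission list."""
    granted = set(role.get("includedPermissions", []))
    wanted = REQUIRED | (INGEST_ONLY if ingestion else set())
    return {
        "missing": sorted(wanted - granted),    # connector calls would be denied
        "extra": sorted(granted - wanted),      # access beyond what the guide lists
        "stage_ok": role.get("stage") == "GA",  # guide: General Availability
    }


def is_least_privilege(role: dict, ingestion: bool = True) -> bool:
    result = audit_role(role, ingestion)
    return not result["missing"] and not result["extra"] and result["stage_ok"]


# Constructed sample in the shape of `gcloud iam roles describe ... --format=json`.
# The project and role ID are hypothetical; one unrelated permission was added
# to the sample so the audit has something to flag.
SAMPLE_ROLE = json.loads("""
{
  "name": "projects/example-project/roles/synqlySecOpsConnector",
  "title": "Synqly SecOps Connector",
  "stage": "GA",
  "includedPermissions": [
    "chronicle.events.import",
    "chronicle.events.udmSearch",
    "chronicle.legacies.legacyGetDetection",
    "chronicle.legacies.legacySearchDetections",
    "chronicle.logTypes.list",
    "resourcemanager.projects.get"
  ]
}
""")

if __name__ == "__main__":
    print(json.dumps(audit_role(SAMPLE_ROLE, ingestion=False), indent=2))
```

Pass `ingestion=False` when the integration will not ingest events, so that `chronicle.events.import` is reported as extra rather than expected.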
Follow the Google documentation to create a new service account. When assigning a role, select the custom role from step 3, or the Chronicle API Admin role if you skipped step 3.
There is no need to assign additional users or admins to the service account unless desired.
Finally, create a service account key. This key is a JSON file containing the values needed to authenticate with Google. From your key file, note the Client ID (client_id), Client Email (client_email), and Private Key (private_key) values in a safe location.
Create your integration by supplying all of the required and any desired optional values.
- Credential: Token URL (Optional)
  Leave this blank to use the default Google token URL: https://oauth2.googleapis.com/token
- Credential: Client Email
  The client_email value from your service account key file (step 4).
- Credential: Client ID
  The client_id value from your service account key file (step 4).
- Credential: Secret
  The private_key value from your service account key file (step 4). This is the full PEM-encoded private key string. The field is labeled "Secret" because it uses a shared OAuth credential type, but for Google service accounts this value is always the private key.
- Customer ID
  The Customer ID gathered in step 2.
- Region
  The Region string gathered in step 2 (typically us or eu).
- Project ID
  The GCP project ID gathered in step 1.
- URL (Optional)
  In the majority of cases this field should be left blank. Synqly constructs your region-specific API URL automatically. Only set this if you are targeting a non-standard instance of the Google Cloud Platform. If supplying a custom value, provide the root URL without any paths, for example https://us-chronicle.googleapis.com.