Introduction
Resolution Intelligence Cloud enables organizations to bring their own Chronicle SecOps instance credentials to set up or link their Chronicle SecOps instance accounts at the tenant level. When selecting "Bring Your Own Chronicle (BYOC)" during setup, you must integrate your Chronicle SecOps instance with Resolution Intelligence Cloud manually.
This guide outlines the steps required to configure your Chronicle SecOps instance and enable CMS features, allowing you to:
- Publish detection rules, log source monitors, reference lists, and parsers from Resolution Intelligence Cloud to Chronicle SecOps.
- Fetch detections from Chronicle SecOps to Resolution Intelligence Cloud.
Prerequisites
Ensure you have the following credentials and information ready before beginning:
1. Required permissions for keys to enable CMS features
The following permissions are necessary for keys to enable CMS features and support various tasks:
Key | Feature | Permissions Required
--- | --- | ---
Backstory | Parser Management (create, edit, fetch, and delete parsers) | CRUD operations for parsers
Backstory | Reference lists (create, edit, fetch, and delete reference lists) | CRUD operations for reference lists
Backstory | Detection Rules (create, edit, fetch, and delete detection rules) | CRUD operations for detection rules
Backstory | Fetch detections (fetch detections from Chronicle) | read detection
Backstory | ASE alert ingestion to Chronicle (send ASE alerts to Chronicle) | create log entry
Backstory | Fetch Additional UDM Events for Threat Models | udm search
Ingestion | Threat Feed (create, delete, update, and retrieve IOCs) | CRUD operations for threat feed
Ingestion | ASE Alert ingestion to Chronicle (send ASE alerts to Chronicle) | create log entry
Ingestion | Behavioral model alerts (send Behavior model alerts to Chronicle) | create log entry
Ingestion | Log source monitor (send alerts to Chronicle when silent log sources are detected) | create log entry
BigQuery | ASE (query and find entities as part of ASE asset discovery) | bigquery.dataViewer, bigquery.jobUser
BigQuery | Behavioral model queries (query data for creating Behavior models) | BigQuery Data Viewer, BigQuery Job User, Storage Object Viewer
BigQuery | Entities (fetch Entities to Resolution Intelligence Cloud) | bigquery.dataViewer
BigQuery | Log source monitor (fetch log sources from BigQuery) | bigquery.dataViewer
BigQuery | Threat Model Entity Prevalence Check | bigquery.dataViewer
Admin | Grant BigQuery UI Access (Chronicle instance BigQuery access) | Update BigQuery access
2. Instance ID - A unique identifier for each Chronicle SecOps instance. See "Getting an Instance ID from Chronicle UI" at the end of this guide to retrieve it.
3. Customer Code - A unique code provided to each customer using their own Chronicle SecOps instance.
4. Backstory Key - Required to enable CMS features such as parsers, reference lists, and detection rules, and to fetch detections from Chronicle SecOps. A sample Backstory key is shown in step 4 below.
5. Ingestion Key - Required to send Indicators of Compromise (IOCs), ASE alerts, behavior model alerts, and log source monitor alerts to Chronicle SecOps. A sample Ingestion key is shown in step 4 below.
User Roles Required
To successfully set up the Chronicle SecOps instance, ensure you have one of the following roles:
- Global Admin
- Owner
- Manager
- Configuration Manager
Steps to Link Your Chronicle SecOps Instance
1. Access Configuration Settings
- Click the gear icon at the top of the page.
2. Navigate to Integrations
- In the Configurations section, go to Data Ingestion.
- Select Integrations to access the Integrations page.
- Locate the Chronicle SecOps tile and click to open.
- Click Enable to begin setup.
3. Establish connection to Chronicle and set up the Chronicle SecOps Instance
- Click the Chronicle Instance Setup section to access the setup page.
This action opens the Chronicle Instance Setup page. Note that SSO integration and Chronicle instance setup are separate processes. Entering the instance URL on the Chronicle Instance Setup page initiates authentication, while uploading keys enables CMS features. If SSO integration has already been configured with the instance URL for authentication in the SSO Integration section, the instance URL field on the Chronicle Instance Setup page becomes non-editable.
- Enter the following information:
- Instance URL: Provide the Chronicle Instance URL used to access the Chronicle instance. If you have already configured SSO integration, the instance URL is populated automatically from the SSO Integration page.
- Chronicle SecOps Instance ID: Enter the unique ID of your instance.
- Customer Code: Provide the unique code associated with your organization.
- Google Project Name (optional): If relevant, enter the name of your Google project.
4. Upload the following keys:
In the Chronicle SecOps Keys section, upload the appropriate key files in .json or base64-encoded .txt format for each key type as follows:
- Backstory Key (mandatory): This key is required to enable CMS functionalities such as detection rules, reference lists, and parsers, and to fetch detections from Chronicle SecOps.
  {
    "type": "service_account",
    "project_id": "chronicle-qach",
    "private_key_id": "4c7757c5c58b962434657698234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvAIBmweoifjwoefkdsjcnsmcnskfihkerjfnk\EFJEINFEKJNFKEWDLWEKFIERFNKMDLCEWOFIEWLKFKDWJNFIERUHFJBEWKDCNWEIFNWEJFKNEWJFKNEWK\NEWFHEWJBFCEDCNIWENFWENCSJDQIdiwehdewndiewnmwecnoweUIHNhihiIIOHIHUKJoiuinublVUIboUGeZD1CGjA3/NiV9XvWzGug==\n-----END PRIVATE KEY-----\n",
    "client_email": "qach-bk/backstory-1674793337@chronicle-qach.iam.gserviceaccount.com",
    "client_id": "106339086403r3rr32132132",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/qach-bk-3434717%40chronicle-qach.gserviceaccount.com"
  }
- Ingestion Key (mandatory): Use this key to send IOCs, ASE alerts, behavior model alerts, and log source monitors to Chronicle SecOps.
  {
    "type": "service_account",
    "project_id": "chronicle-qach",
    "private_key_id": "4c7757c5c58b962434657698234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvAIBmweoifjwoefkdsjcnsmcnskfihkerjfnk\EFJEINFEKJNFKEWDLWEKFIERFNKMDLCEWOFIEWLKFKDWJNFIERUHFJBEWKDCNWEIFNWEJFKNEWJFKNEWK\NEWFHEWJBFCEDCNIWENFWENCSJDQIdiwehdewndiewnmwecnoweUIHNhihiIIOHIHUKJoiuinublVUIboUGeZD1CGjA3/NiV9XvWzGug==\n-----END PRIVATE KEY-----\n",
    "client_email": "qach-ing/ingestion-1674793337@chronicle-qach.iam.gserviceaccount.com",
    "client_id": "106339086403r3rr32132132",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/qach-ing/ingestion-434717%40chronicle-qach.gserviceaccount.com"
  }
- BigQuery Key (optional): This key enables access to query data within Chronicle SecOps. A sample key configuration follows.
  {
    "type": "service_account",
    "project_id": "chronicle-qach",
    "private_key_id": "4c7757c5c58b962434657698234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvAIBmweoifjwoefkdsjcnsmcnskfihkerjfnk\EFJEINFEKJNFKEWDLWEKFIERFNKMDLCEWOFIEWLKFKDWJNFIERUHFJBEWKDCNWEIFNWEJFKNEWJFKNEWK\NEWFHEWJBFCEDCNIWENFWENCSJDQIdiwehdewndiewnmwecnoweUIHNhihiIIOHIHUKJoiuinublVUIboUGeZD1CGjA3/NiV9XvWzGug==\n-----END PRIVATE KEY-----\n",
    "client_email": "qach-bqe/bigquery export/bigquery-1674793337@chronicle-qach.iam.gserviceaccount.com",
    "client_id": "106339086403r3rr32132132",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/qach-bqe/bigquery export/bigquery-222217%40chronicle-qach.gserviceaccount.com"
  }
- Forwarder Key (optional): This key must be in .conf format and is used to send logs from the customer environment to the Chronicle SecOps instance. Replace the upper-case placeholders (COLLECTOR_ID, CUSTOMER_ID, and the secret_key fields) with the values for your forwarder.
  output:
    url: malachiteingestion-pa.googleapis.com:443
    identity:
      identity:
      collector_id: "COLLECTOR_ID"
      customer_id: "CUSTOMER_ID"
      secret_key: |
        {
          "type": "service_account",
          "project_id": "PROJECT_ID",
          "private_key_id": "PRIVATE_KEY_ID",
          "private_key": "-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n",
          "client_email": "CLIENT_EMAIL",
          "client_id": "CLIENT_ID",
          "auth_uri": "https://accounts.google.com/o/oauth2/auth",
          "token_uri": "https://oauth2.googleapis.com/token",
          "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
          "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/malachite-test-1%40malachite-test.iam.gserviceaccount.com"
        }
  collectors:
    - syslog:
        common:
          enabled: true
          data_type: "WINDOWS_DHCP"
          data_hint:
          batch_n_seconds: 10
          batch_n_bytes: 1048576
        tcp_address: 0.0.0.0:10514
        udp_address: 0.0.0.0:10514
        connection_timeout_sec: 60
        tcp_buffer_size: 524288
    - syslog:
        common:
          enabled: true
          data_type: "WINDOWS_DNS"
          data_hint:
          batch_n_seconds: 10
          batch_n_bytes: 1048576
        tcp_address: 0.0.0.0:10515
        connection_timeout_sec: 60
        certificate: "../forwarder/inputs/testdata/localhost.pem"
        certificate_key: "../forwarder/inputs/testdata/localhost.key"
        tcp_buffer_size: 524288
- Admin Key (optional): This key allows role mapping and BigQuery access for additional administrative functionalities.
  {
    "type": "service_account",
    "project_id": "chronicle-qach",
    "private_key_id": "4c7757c5c58b962434657698234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvAIBmweoifjwoefkdsjcnsmcnskfihkerjfnk\EFJEINFEKJNFKEWDLWEKFIERFNKMDLCEWOFIEWLKFKDWJNFIERUHFJBEWKDCNWEIFNWEJFKNEWJFKNEWK\NEWFHEWJBFCEDCNIWENFWENCSJDQIdiwehdewndiewnmwecnoweUIHNhihiIIOHIHUKJoiuinublVUIboUGeZD1CGjA3/NiV9XvWzGug==\n-----END PRIVATE KEY-----\n",
    "client_email": "pbgbj-admin-1687431114@malachite-",
    "client_id": "106339086403r3rr32132132",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/qach-bk-3434717%40chronicle-qach.gserviceaccount.com"
  }
5. Submit the details
After providing all required and optional keys, click Submit to complete the Chronicle SecOps instance setup.
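Because the setup form accepts each key either as raw .json or as a base64-encoded .txt, a malformed or mis-pasted file (a missing comma, a stray line break, a key exported for the wrong project) is only discovered after Submit. The following pre-upload check is an added example written for this guide; it is not Resolution Intelligence Cloud or Chronicle code. It decodes either accepted file form, verifies that the content is one JSON object with every field a Google service-account key carries (the field names match the samples in step 4), that the private key is PEM framed, that client_email is a service-account address, and optionally that project_id matches the Google project you enter on the setup page. The sample key embedded below is constructed and contains no real credential; the e-mail pattern and the https check on token_uri are this example's own assumptions.

```python
"""Pre-upload validation of Chronicle SecOps service-account key files.

Added example for this guide (not Resolution Intelligence Cloud or Chronicle
code). Accepts the two forms the setup page accepts, raw .json or base64 .txt,
and reports problems before the file is uploaded.
"""
from __future__ import annotations

import base64
import binascii
import json
import re

# Field names taken from the sample keys in step 4 of the guide.
REQUIRED_FIELDS = (
    "type", "project_id", "private_key_id", "private_key", "client_email",
    "client_id", "auth_uri", "token_uri", "auth_provider_x509_cert_url",
    "client_x509_cert_url",
)
# Assumption: keys are issued to Google service accounts, whose addresses
# end in .iam.gserviceaccount.com.
SA_EMAIL_RE = re.compile(r"^[a-z0-9-]+@[a-z0-9-]+\.iam\.gserviceaccount\.com$")


def decode_key_file(data: bytes) -> dict:
    """Return the key object from .json bytes or base64-encoded .txt bytes.

    Raises ValueError with a short reason when the content is neither.
    """
    text = data.strip()
    if not text.startswith(b"{"):
        # Not raw JSON: treat it as the base64 .txt form (whitespace removed).
        try:
            text = base64.b64decode(b"".join(text.split()), validate=True)
        except (binascii.Error, ValueError) as exc:
            raise ValueError(f"not JSON and not valid base64: {exc}") from exc
    try:
        obj = json.loads(text)
    except json.JSONDecodeError as exc:
        # A key pasted with a missing comma or fused lines fails here.
        raise ValueError(f"invalid JSON at line {exc.lineno}: {exc.msg}") from exc
    if not isinstance(obj, dict):
        raise ValueError("key file must contain a single JSON object")
    return obj


def validate_key(data: bytes, expected_project: str | None = None) -> list[str]:
    """Return a list of findings; an empty list means the file is usable."""
    try:
        key = decode_key_file(data)
    except ValueError as exc:
        return [str(exc)]

    findings: list[str] = []
    for field in REQUIRED_FIELDS:
        value = key.get(field)
        if not isinstance(value, str) or not value:
            findings.append(f"missing or empty field: {field}")
    if findings:
        return findings  # no point checking values that are absent

    if key["type"] != "service_account":
        findings.append(f'type must be "service_account", got "{key["type"]}"')
    pk = key["private_key"]
    if not (pk.startswith("-----BEGIN PRIVATE KEY-----")
            and pk.rstrip().endswith("-----END PRIVATE KEY-----")):
        findings.append("private_key is not PEM framed (BEGIN/END PRIVATE KEY)")
    if not SA_EMAIL_RE.match(key["client_email"]):
        findings.append(f"client_email is not a service-account address: {key['client_email']}")
    if expected_project and key["project_id"] != expected_project:
        findings.append(f"project_id {key['project_id']} does not match expected project {expected_project}")
    if not key["token_uri"].startswith("https://"):
        findings.append("token_uri must use https")
    return findings


# Constructed sample (no real credential); mirrors the step 4 key layout.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0000000000000000000000000000000000000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "backstory-reader@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/backstory-reader%40example-project.iam.gserviceaccount.com",
}
SAMPLE_JSON = json.dumps(SAMPLE_KEY, indent=2).encode()   # the .json form
SAMPLE_B64 = base64.b64encode(SAMPLE_JSON)                 # the base64 .txt form

if __name__ == "__main__":
    for label, blob in (("json", SAMPLE_JSON), ("base64", SAMPLE_B64)):
        print(label, validate_key(blob, expected_project="example-project") or "OK")
```

Run it against each key file before uploading (read the file as bytes and pass it to validate_key, with the project name you intend to enter in the Google Project Name field); the same check applies to the Backstory, Ingestion, BigQuery and Admin keys, since all four share the service-account layout.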
Monitoring Configuration Progress
While the configuration of your Chronicle SecOps instance is in progress, you can monitor the activity in real time to confirm that each step completes successfully.
Your Chronicle SecOps instance should now be linked to Resolution Intelligence Cloud, allowing for seamless integration and synchronization of detection rules, log source monitors, reference lists, and other CMS features.
For any further assistance, refer to the following support articles:
Once the instance is created, you can enable additional security modules or replace existing keys using the edit option. Return to the Edit Chronicle Instance Setup page, make the necessary changes, and save the updated keys. To upload new keys or replace existing Chronicle keys, refer to the Editing Chronicle SecOps Instance Details article.
Getting an Instance ID from Chronicle UI
To get your Instance ID:
- Log in to your Google Chronicle account using valid credentials.
- At the top right corner, navigate to Settings --> Profile.
- Under Organization details, copy the Customer ID and paste it into the Chronicle Instance ID field.