Important: Google Chronicle licenses from Netenrich are available on Foundation, Analytics, and Resolutions plans.
Chronicle is a cloud service, built as a specialized layer on top of core Google infrastructure, designed to privately retain, analyze, and search the massive amounts of security and network telemetry that enterprises generate. Chronicle normalizes, indexes, correlates, and analyzes the data to provide instant analysis and context on risky activity.
Chronicle enables you to examine the aggregated security information for your enterprise going back for months or longer. Use Chronicle to search across all the domains accessed within your enterprise. You can narrow your search to any specific asset, domain, or IP address to determine if any compromise has taken place.
Resolution Intelligence Cloud is a cloud-native data analytics platform for managing security and digital operations, with the scale and speed of Google Chronicle SIEM built in. It ingests all data across security and operations, identifies incidents and pre-incident situations, ranks them by business risk, and correlates extensive context for proactive, fast resolution.
Scope
This document will help you set up and/or link your Chronicle instance to your tenants in Resolution Intelligence Cloud.
Chronicle Setup in Multitenancy
Resolution Intelligence Cloud lets you configure a Chronicle instance for a domain, an organization, and their tenants in a hierarchical manner. Multitenancy in Resolution Intelligence Cloud means you can have multiple tenants under one or more organizations, which in turn belong to one or more domains.
You can set up a Chronicle instance in one of two ways.
- Bring Your Own Chronicle: You can use this option at the organization or tenant level. If you choose it while setting up your account, you will have to integrate your Chronicle instance with Resolution Intelligence Cloud manually for your tenants.
- Use Netenrich Chronicle Credentials (EMBED): A Chronicle instance is enabled by default, and you can use it for your tenants while setting them up if you choose a Google Chronicle license from Netenrich.
Configuring Chronicle Instance for Tenants
Permissions Required
Users with the following roles can set up the Chronicle instance.
- Global Admin
- Owner
- User with Manager role
- Configuration Manager
To integrate your Chronicle instance,
- Navigate to Configurations --> Integrations
- Search for “Chronicle” in the search bar
- Click the Chronicle tile and click Add --> Add Integration
A form appears asking for the required credential details.
For Tenants with their own Chronicle Instance (BYOC)
Resolution Intelligence Cloud allows you to use your own Chronicle instance credentials to set up your account at each tenant level. If you choose Bring Your Own Chronicle while setting up your account, you will have to integrate your Chronicle instance with Resolution Intelligence Cloud manually.
Prerequisites
- Chronicle Instance URL - Each Chronicle instance has a specific URL (for example, https://xxxx.backstory.chronicle.security).
- Chronicle Instance ID - Each Chronicle instance has a unique ID. See Getting Chronicle Instance ID below.
- Backstory Key - used for the Backstory APIs that read and modify instance details (feed, parser, rule, reference list, detection, and access control management).
- Ingestion Key - allows data to be ingested into Chronicle.
- Big Query Key - allows searching and querying the data available in Chronicle.
- Forwarder Key - the forwarder configuration that sends logs from the customer environment to the Chronicle instance.
- Admin Key - allows you to map roles and enables Big Query access.
Sample contents of each key are shown under Linking a Chronicle Instance for your tenant below.
Note: The Backstory, Ingestion, Big Query, and Admin keys are .json files; the Forwarder key is a .conf file. A .json key can also be uploaded as a .txt file containing the base64-encoded JSON. Each of these files carries a service-account private key (the Forwarder .conf embeds one as its secret_key), so treat them as secrets and restrict who can read them.
Linking a Chronicle Instance for your tenant
- In the Chronicle Instance URL field, enter your instance URL (for example, https://xxxx.backstory.chronicle.security)
- In the Chronicle Instance ID field, enter your instance's unique ID (the Customer ID from Settings --> Profile in Chronicle)
- Choose the .json file (or the base64-encoded .txt file) next to each of the following keys
The keys can be told apart by the identifying term (backstory, ingestion, bigquery, admin) in the client_email field of each, as shown in the samples below.
- Backstory Key
Your sample key looks like:
{
  "type": "service_account",
  "project_id": "chronicle-qach",
  "private_key_id": "4c7757c5c58b962434657698234567",
  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvAIBmweoifjwoefkdsjcnsmcnskfihkerjfnk\nEFJEINFEKJNFKEWDLWEKFIERFNKMDLCEWOFIEWLKFKDWJNFIERUHFJBEWKDCNWEIFNWEJFKNEWJFKNEWK\nNEWFHEWJBFCEDCNIWENFWENCSJDQIdiwehdewndiewnmwecnoweUIHNhihiIIOHIHUKJoiuinublVUIboUGeZD1CGjA3/NiV9XvWzGug==\n-----END PRIVATE KEY-----\n",
  "client_email": "qach-bk/backstory-1674793337@chronicle-qach.iam.gserviceaccount.com",
  "client_id": "106339086403r3rr32132132",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/qach-bk-3434717%40chronicle-qach.gserviceaccount.com"
}
- Ingestion Key
Your sample key looks like:
{
  "type": "service_account",
  "project_id": "chronicle-qach",
  "private_key_id": "4c7757c5c58b962434657698234567",
  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvAIBmweoifjwoefkdsjcnsmcnskfihkerjfnk\nEFJEINFEKJNFKEWDLWEKFIERFNKMDLCEWOFIEWLKFKDWJNFIERUHFJBEWKDCNWEIFNWEJFKNEWJFKNEWK\nNEWFHEWJBFCEDCNIWENFWENCSJDQIdiwehdewndiewnmwecnoweUIHNhihiIIOHIHUKJoiuinublVUIboUGeZD1CGjA3/NiV9XvWzGug==\n-----END PRIVATE KEY-----\n",
  "client_email": "qach-ing/ingestion-1674793337@chronicle-qach.iam.gserviceaccount.com",
  "client_id": "106339086403r3rr32132132",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/qach-ing/ingestion-434717%40chronicle-qach.gserviceaccount.com"
}
- Big Query Key
Your sample key looks like:
{
  "type": "service_account",
  "project_id": "chronicle-qach",
  "private_key_id": "4c7757c5c58b962434657698234567",
  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvAIBmweoifjwoefkdsjcnsmcnskfihkerjfnk\nEFJEINFEKJNFKEWDLWEKFIERFNKMDLCEWOFIEWLKFKDWJNFIERUHFJBEWKDCNWEIFNWEJFKNEWJFKNEWK\nNEWFHEWJBFCEDCNIWENFWENCSJDQIdiwehdewndiewnmwecnoweUIHNhihiIIOHIHUKJoiuinublVUIboUGeZD1CGjA3/NiV9XvWzGug==\n-----END PRIVATE KEY-----\n",
  "client_email": "qach-bqe/bigquery export/bigquery-1674793337@chronicle-qach.iam.gserviceaccount.com",
  "client_id": "106339086403r3rr32132132",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/qach-bqe/bigquery export/bigquery-222217%40chronicle-qach.gserviceaccount.com"
}
- Forwarder Key: This key must be in .conf format. It configures the forwarder that sends logs from the customer environment to the Chronicle instance.
Your forwarder key looks like:
output:
  url: malachiteingestion-pa.googleapis.com:443
  identity:
    collector_id: "COLLECTOR_ID"
    customer_id: "CUSTOMER_ID"
    secret_key: |
      {
        "type": "service_account",
        "project_id": "PROJECT_ID",
        "private_key_id": "PRIVATE_KEY_ID",
        "private_key": "-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n",
        "client_email": "CLIENT_EMAIL",
        "client_id": "CLIENT_ID",
        "auth_uri": "https://accounts.google.com/o/oauth2/auth",
        "token_uri": "https://oauth2.googleapis.com/token",
        "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
        "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/malachite-test-1%40malachite-test.iam.gserviceaccount.com"
      }
collectors:
- syslog:
    common:
      enabled: true
      data_type: "WINDOWS_DHCP"
      data_hint:
      batch_n_seconds: 10
      batch_n_bytes: 1048576
    tcp_address: 0.0.0.0:10514
    udp_address: 0.0.0.0:10514
    connection_timeout_sec: 60
    tcp_buffer_size: 524288
- syslog:
    common:
      enabled: true
      data_type: "WINDOWS_DNS"
      data_hint:
      batch_n_seconds: 10
      batch_n_bytes: 1048576
    tcp_address: 0.0.0.0:10515
    connection_timeout_sec: 60
    certificate: "../forwarder/inputs/testdata/localhost.pem"
    certificate_key: "../forwarder/inputs/testdata/localhost.key"
    tcp_buffer_size: 524288
- Admin Key: allows you to map roles and enables Big Query access.
Your Admin key looks like:
{
  "type": "service_account",
  "project_id": "chronicle-qach",
  "private_key_id": "4c7757c5c58b962434657698234567",
  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvAIBmweoifjwoefkdsjcnsmcnskfihkerjfnk\nEFJEINFEKJNFKEWDLWEKFIERFNKMDLCEWOFIEWLKFKDWJNFIERUHFJBEWKDCNWEIFNWEJFKNEWJFKNEWK\nNEWFHEWJBFCEDCNIWENFWENCSJDQIdiwehdewndiewnmwecnoweUIHNhihiIIOHIHUKJoiuinublVUIboUGeZD1CGjA3/NiV9XvWzGug==\n-----END PRIVATE KEY-----\n",
  "client_email": "pbgbj-admin-1687431114@malachite-",
  "client_id": "106339086403r3rr32132132",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/qach-bk-3434717%40chronicle-qach.gserviceaccount.com"
}
- Click Link Chronicle Instance
After 5 to 10 minutes, the message "Your Chronicle instance has been added successfully" appears.
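Because the link takes several minutes to report success, it is worth checking the key files offline before uploading them; the samples above are easy to mangle (a missing comma between fields, a base64 .txt that was line-wrapped by the encoder). The following is an added example, not Netenrich or Google code. It parses a service-account JSON key (or its base64-encoded .txt form), checks the fields an OAuth client needs, classifies the key by the identifying term in client_email the way the samples above are distinguished, and applies the same check to the secret_key embedded in a forwarder .conf. The project name, e-mail addresses, collector and customer IDs and forwarder layout are constructed for the example, and the private key is a placeholder.

```python
# Added example (not Netenrich or Google code). Assumes the Backstory, Ingestion,
# Big Query and Admin keys are Google service-account JSON files (optionally base64-encoded
# in a .txt), the Forwarder key is the forwarder .conf shown above, and a key's purpose
# is readable from its client_email as in the page's samples.
import base64
import binascii
import json
import re
import textwrap

REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key",
                   "client_email", "client_id", "auth_uri", "token_uri")
GOOGLE_TOKEN_URI = "https://oauth2.googleapis.com/token"
ROLE_MARKERS = {"backstory": "Backstory Key", "ingestion": "Ingestion Key",
                "bigquery": "Big Query Key", "admin": "Admin Key"}

def decode_key_text(raw: str) -> str:
    """Return the JSON text of a key, transparently decoding a base64 .txt upload."""
    text = raw.strip()
    if text.startswith("{"):
        return text
    try:  # base64 CLI tools wrap lines, so drop all whitespace before decoding
        decoded = base64.b64decode("".join(text.split()), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("file is neither JSON nor base64-encoded JSON") from exc
    if not decoded.lstrip().startswith("{"):
        raise ValueError("base64 payload does not decode to a JSON object")
    return decoded

def validate_service_account_key(raw: str) -> dict:
    """Parse a key; raise ValueError on invalid JSON (e.g. the missing commas in
    hand-edited samples), missing fields, a wrong type or absent PEM markers."""
    key = json.loads(decode_key_text(raw))  # JSONDecodeError is a ValueError
    missing = [f for f in REQUIRED_FIELDS if f not in key]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    if key["type"] != "service_account":
        raise ValueError(f"unexpected type {key['type']!r}")
    pem = key["private_key"].strip()
    if not (pem.startswith("-----BEGIN PRIVATE KEY-----")
            and pem.endswith("-----END PRIVATE KEY-----")):
        raise ValueError("private_key is not a PEM private-key block")
    email = key["client_email"]
    if not email.endswith(".gserviceaccount.com"):
        raise ValueError(f"client_email {email!r} is not a service-account address")
    warnings = []  # a tampered token_uri would send the signed JWT assertion elsewhere
    if key["token_uri"] != GOOGLE_TOKEN_URI:
        warnings.append(f"token_uri {key['token_uri']!r} is not Google's token endpoint")
    role = next((n for marker, n in ROLE_MARKERS.items() if marker in email.lower()), "unknown")
    return {"role": role, "project_id": key["project_id"], "client_email": email,
            "warnings": warnings}

def key_status(raw: str) -> str:
    """One-line verdict for a pre-upload check."""
    try:
        info = validate_service_account_key(raw)
    except ValueError as exc:
        return f"error: {exc}"
    return f"ok: {info['role']} for project {info['project_id']}"

def check_forwarder_conf(conf: str) -> dict:
    """Sanity-check a forwarder .conf: the embedded secret_key must itself be a valid
    service-account key; listeners and data types are reported for review."""
    m = re.search(r"secret_key:[ \t]*\|[ \t]*\n((?:[ \t]+\S.*\n)+)", conf)
    if not m:
        raise ValueError("no secret_key block scalar in forwarder config")
    embedded = validate_service_account_key(m.group(1))  # json.loads tolerates the indent
    data_types = re.findall(r'data_type:\s*"?([A-Z0-9_]+)"?', conf)
    listeners = [f"{proto} {addr}:{port}" for proto, addr, port
                 in re.findall(r"(tcp|udp)_address:\s*([\d.]+):(\d+)", conf)]
    warnings = list(embedded["warnings"])
    for listener in listeners:
        if " 0.0.0.0:" in listener:
            warnings.append(f"{listener} listens on every interface; restrict it at the host firewall")
    return {"secret_key_role": embedded["role"], "data_types": data_types,
            "listeners": listeners, "warnings": warnings}

def _dummy_key(name: str) -> dict:
    """Constructed sample key; the private key is a placeholder, not real key material."""
    return {"type": "service_account", "project_id": "chronicle-example",
            "private_key_id": "0123456789abcdef0123456789abcdef01234567",
            "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvAIBADANBgkqPLACEHOLDER\n-----END PRIVATE KEY-----\n",
            "client_email": f"{name}-1674793337@chronicle-example.iam.gserviceaccount.com",
            "client_id": "106339086403000000000", "token_uri": GOOGLE_TOKEN_URI,
            "auth_uri": "https://accounts.google.com/o/oauth2/auth"}

SAMPLE_BACKSTORY_KEY = json.dumps(_dummy_key("backstory"), indent=2)
SAMPLE_BACKSTORY_KEY_B64 = base64.b64encode(SAMPLE_BACKSTORY_KEY.encode()).decode()  # .txt form
BROKEN_KEY = '{"type": "service_account", "project_id": "chronicle-qach" "private_key_id": "4c77"}'
SAMPLE_FORWARDER_CONF = (  # constructed; mirrors the forwarder .conf layout on this page
    "output:\n  url: malachiteingestion-pa.googleapis.com:443\n  identity:\n"
    "    collector_id: 11111111-2222-3333-4444-555555555555\n"
    "    customer_id: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\n    secret_key: |\n"
    + textwrap.indent(json.dumps(_dummy_key("ingestion"), indent=2), "      ")
    + "\ncollectors:\n- syslog:\n    common:\n      enabled: true\n"
    "      data_type: \"WINDOWS_DHCP\"\n      batch_n_seconds: 10\n"
    "    tcp_address: 0.0.0.0:10514\n    udp_address: 0.0.0.0:10514\n"
)
```

Run key_status on each .json or .txt file before uploading it, and check_forwarder_conf on the .conf; BROKEN_KEY reproduces the missing-comma defect in the page's samples and comes back as an error. The token_uri warning matters because OAuth clients exchange the signed JWT assertion at whatever token_uri the file names, so an edited key file is a credential exfiltration path. Binding to 0.0.0.0 is what the forwarder sample above does; it is acceptable behind a host firewall but the ports should not be reachable beyond the log sources.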
Key Permissions
The following key permissions are required to perform multiple operations such as Feed management, Parser Management, Rule management, List Management, Detections, Access control, Big Query access, and Ingestion APIs.
Backstory Permission
With the Backstory key, you can use the following APIs to perform several operations on top of your security data.
1. Feed Management API
GET https://backstory.googleapis.com/v1/feeds
Refer Feed Management Guide
2. Parser Management API
List Parsers
GET https://backstory.googleapis.com/v1/tools/cbnParsers
Refer GitHub - chronicle/cbn-tool: Command line tool to interact with Chronicle's Config Based Normalizer (CBN) APIs.
3. Rule Management API
List Rules
GET https://backstory.googleapis.com/v2/detect/rules
Refer Rule management
4. Reference List Management
List Reference lists
GET https://backstory.googleapis.com/v2/lists
Refer Reference Lists
5. Access Control
List Roles
GET https://backstory.googleapis.com/v1/roles
Refer Access Control
6. Detections
List detections
GET https://backstory.googleapis.com/v2/detect/rules/-/detections
Refer Detections
7. Big Query Access
Use the following roles to get the Big Query permissions needed to read the Big Query table data:
- roles/bigquery.dataViewer
- roles/bigquery.jobUser
- roles/storage.objectViewer
Refer Big Query API clients
8. Ingestion API
List multiple log types
GET https://malachiteingestion-pa.googleapis.com/v2/logtypes
Refer Ingestion API
Getting Chronicle Instance ID
To get your Instance ID,
- Log in to your Google Chronicle account using valid credentials
- At the top right corner, navigate to Settings --> Profile
- Under Organization details, copy Customer ID and paste it in the Chronicle Instance ID field
For Tenants with Netenrich - Chronicle Instance and/or Inherit from Organization
If you are a user at the Tenant level and have purchased a plan (Foundation, Analytics, or Resolutions) from Netenrich, you can use the Netenrich license and/or inherit the Chronicle instance from your Organization to set up your Chronicle instance.
If you choose Use Netenrich Chronicle license or Inherit from Organization, a page appears where you click the Add Instance button. After 5 or 6 minutes, an instance URL is generated and appears on your screen.
Note: Contact your Google Chronicle Customer Engineer to get the BigQuery, Backstory, Forwarder, and Ingestion keys.
Once the Chronicle instance is enabled, you can access the Chronicle instance from either of the following ways.
- Click the Chronicle icon at the top of your home page (or)
- Navigate to Insights --> Security --> Threat Hunting
Once the instance is enabled, the available Chronicle assets are synced to your account.