This article describes the prerequisites, types of licenses, and procedures required to set up a Chronicle instance at the domain, organization, and tenant levels in the Resolution Intelligence Cloud.
Chronicle is a cloud service built as a specialized layer on top of core Google infrastructure to privately retain, analyze, and search the massive amounts of security and network telemetry data that enterprises generate. Chronicle normalizes, indexes, correlates, and analyzes the data to provide instant analysis and context on risky activities.
Chronicle enables you to examine the aggregated security information for your enterprise collected for months or longer. You can use Chronicle to search across all the domains accessed within your enterprise. You can also narrow your search to any specific asset, domain, or IP address to determine if any compromise has taken place.
Resolution Intelligence Cloud is a cloud-native data analytics platform for managing security and digital operations, with the scale and speed of Google Chronicle SIEM built in. It ingests all data across security and operations, identifies incidents and pre-incident situations, ranks them by business risk, and correlates extensive context for proactive, fast resolution.
Chronicle Setup in Multitenancy
Resolution Intelligence Cloud empowers you to configure Chronicle instances at any level of the hierarchy—domains, organizations, and their tenants.
At Domain Level
You can set up a Chronicle instance in two ways:
Netenrich Embed
By default, a Chronicle instance is enabled while setting up your account if you choose to use a Google Chronicle license from Netenrich.
BYOC
Configure your own Chronicle license that you obtained from the Google team. Once the setup is complete, you can add organizations or tenants and pass your license down to them.
Configuring your own Chronicle Instance
Prerequisites
- Google Chronicle license with credentials
Permissions Required
The users with the following roles can set up the Chronicle instance:
- Global Admin
- Owner
- User with Manager role
- Configuration Manager
To set up an instance using your own Chronicle license,
- Click the gear icon at the top (or) hover over the breadcrumb icon at the top left corner.
- At the bottom of the left menu, click Configurations.
- In the left menu, under Data Ingestion, click Integrations. You will be redirected to the Integrations page.
- Locate and click the Chronicle tile.
- Click Add Keys.
- Upload the Google Developer Service Account credentials in JSON or .txt format in the field.
- Click Save.
A message appears: "Your Chronicle instance is configured successfully."
At Organization Level
You can set up a Chronicle instance in two ways:
Netenrich Embed
By default, a Chronicle instance is enabled while setting up your account if you choose to use a Google Chronicle license from Netenrich.
BYOC
You can set up a Chronicle instance in two ways:
- Configure your own Chronicle license that you obtained from the Google team. (or)
- Inherit from the parent level: you can inherit Chronicle credentials from your domain. Once the setup is complete, you can add tenants and pass your license down to them.
Inheriting Chronicle credentials from Parent
Prerequisites
- Enable Chronicle instances at the domain level.
To inherit Chronicle credentials,
- Click the gear icon at the top (or) hover over the breadcrumb icon at the top left corner.
- At the bottom of the left menu, click Configurations.
- In the left menu, under Data Ingestion, click Integrations. You will be redirected to the Integrations page.
- Locate and click the Chronicle tile.
- Click Choose Type --> Inherit from Parent.
A message appears: "Chronicle credentials are inherited from your parent."
At Tenant Level
You can set up a Chronicle instance in two ways:
Netenrich Embed
By default, a Chronicle instance is enabled while setting up your account if you choose to use a Google Chronicle license from Netenrich.
BYOC
You can set up a Chronicle instance in three ways:
- Link Instance: configure your own Chronicle license that you got from the Google team. (or)
- Enable Instance: use Chronicle credentials from your domain or organization. (or)
- Obtain access to tenants' Chronicle instances: integrate the Chronicle instance of a tenant and generate a SAML file. This file is shared with the Google team to obtain access to the respective tenant's Chronicle instance.
Linking Chronicle Instance
Resolution Intelligence Cloud allows you to use your own Chronicle instance credentials to set up your account at the tenant level. If you choose Bring Your Own Chronicle while setting up your account, you will have to integrate your Chronicle instance with Resolution Intelligence Cloud manually.
Prerequisites
- Chronicle Instance ID - Each Chronicle instance consists of a unique ID. Refer here to get your instance ID.
- Customer Code - A unique code for each customer who enables a Chronicle instance on their own.
- Chronicle Instance URL - Each Chronicle instance consists of a specific URL (for example, https://xxxx.backstory.chronicle.security).
- Backstory Key - helps to modify instance details. For sample configuration, refer to this sample key.
- Ingestion Key - allows the data to be ingested into Chronicle. For sample configuration, refer to this sample key.
- Big Query Key - allows to search and query the data available in Chronicle. For sample configuration, refer to this sample key.
- Forwarder Key - sends logs from the customer environment to the Chronicle instance. For sample configuration, refer to this sample key.
- Admin Key - allows you to map the roles and enables big query access. For sample configuration, refer to this sample key.
Note: The standard file format for the Backstory, Ingestion, and Big Query keys is .json, and for the Forwarder key it is .conf. However, you can also import a .json key as a .txt file encoded in base64.
Permissions required in Chronicle
The following key permissions are required to perform the various operations: Feed Management, Parser Management, Rule Management, List Management, Detections, Access Control, Big Query access, and the Ingestion APIs.
Backstory Permission
With the Backstory key, you can use the following APIs to perform several operations on top of your security data.
1. Feed Management API
GET https://backstory.googleapis.com/v1/feeds
Refer to the Feed Management Guide.
2. Parser Management API (List Parsers)
GET https://backstory.googleapis.com/v1/tools/cbnParsers
Refer to GitHub - chronicle/cbn-tool: Command line tool to interact with Chronicle's Config Based Normalizer (CBN) APIs.
3. Rule Management API (List Rules)
GET https://backstory.googleapis.com/v2/detect/rules
Refer to Rule Management.
4. Reference List Management (List Reference Lists)
GET https://backstory.googleapis.com/v2/lists
Refer to Reference Lists.
5. Access Control (List Roles)
GET https://backstory.googleapis.com/v1/roles
Refer to Access Control.
6. Detections (List Detections)
GET https://backstory.googleapis.com/v2/detect/rules/-/detections
Refer to Detections.
7. Big Query Access
Use the following roles to get the Big Query permissions needed to read the Big Query table data:
- roles/bigquery.dataViewer
- roles/bigquery.jobUser
- roles/storage.objectViewer
Refer to Big Query API clients.
8. Ingestion API (List multiple log types)
GET https://malachiteingestion-pa.googleapis.com/v2/logtypes
Refer to Ingestion API.
Permissions required in Resolution Intelligence Cloud
The users with the following roles can set up the Chronicle instance:
- Global Admin
- Owner
- User with Manager role
- Configuration Manager
To link an instance using your own Chronicle credentials,
- Click the gear icon at the top (or) hover over the breadcrumb icon at the top left corner.
- At the bottom of the left menu, click Configurations.
- In the left menu, under Data Ingestion, click Integrations. You will be redirected to the Integrations page.
- Locate and click the Chronicle tile.
- Click Enable. A form opens.
- In the Chronicle Instance ID field, enter your unique instance ID.
- In the Customer Code field, enter the unique code that belongs to your organization.
- In the Chronicle Instance URL field, enter the required URL (for example, https://xxxx.backstory.chronicle.security).
- Choose the .json file, or the .txt file encoded in base64, next to each of the following keys:
To tell these keys apart, look for the distinguishing term in the client_email of each key (backstory, ingestion, bigquery, admin), as shown in the samples below.
- Backstory Key
Your sample key looks like this:
{
  "type": "service_account",
  "project_id": "chronicle-qach",
  "private_key_id": "4c7757c5c58b962434657698234567",
  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvAIBmweoifjwoefkdsjcnsmcnskfihkerjfnk\EFJEINFEKJNFKEWDLWEKFIERFNKMDLCEWOFIEWLKFKDWJNFIERUHFJBEWKDCNWEIFNWEJFKNEWJFKNEWK\NEWFHEWJBFCEDCNIWENFWENCSJDQIdiwehdewndiewnmwecnoweUIHNhihiIIOHIHUKJoiuinublVUIboUGeZD1CGjA3/NiV9XvWzGug==\n-----END PRIVATE KEY-----\n",
  "client_email": "qach-bk/backstory-1674793337@chronicle-qach.iam.gserviceaccount.com",
  "client_id": "106339086403r3rr32132132",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/qach-bk-3434717%40chronicle-qach.gserviceaccount.com"
}
- Ingestion Key
Your sample key looks like this:
{
  "type": "service_account",
  "project_id": "chronicle-qach",
  "private_key_id": "4c7757c5c58b962434657698234567",
  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvAIBmweoifjwoefkdsjcnsmcnskfihkerjfnk\EFJEINFEKJNFKEWDLWEKFIERFNKMDLCEWOFIEWLKFKDWJNFIERUHFJBEWKDCNWEIFNWEJFKNEWJFKNEWK\NEWFHEWJBFCEDCNIWENFWENCSJDQIdiwehdewndiewnmwecnoweUIHNhihiIIOHIHUKJoiuinublVUIboUGeZD1CGjA3/NiV9XvWzGug==\n-----END PRIVATE KEY-----\n",
  "client_email": "qach-ing/ingestion-1674793337@chronicle-qach.iam.gserviceaccount.com",
  "client_id": "106339086403r3rr32132132",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/qach-ing/ingestion-434717%40chronicle-qach.gserviceaccount.com"
}
- Big Query Key
Your sample key looks like this:
{
  "type": "service_account",
  "project_id": "chronicle-qach",
  "private_key_id": "4c7757c5c58b962434657698234567",
  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvAIBmweoifjwoefkdsjcnsmcnskfihkerjfnk\EFJEINFEKJNFKEWDLWEKFIERFNKMDLCEWOFIEWLKFKDWJNFIERUHFJBEWKDCNWEIFNWEJFKNEWJFKNEWK\NEWFHEWJBFCEDCNIWENFWENCSJDQIdiwehdewndiewnmwecnoweUIHNhihiIIOHIHUKJoiuinublVUIboUGeZD1CGjA3/NiV9XvWzGug==\n-----END PRIVATE KEY-----\n",
  "client_email": "qach-bqe/bigquery export/bigquery-1674793337@chronicle-qach.iam.gserviceaccount.com",
  "client_id": "106339086403r3rr32132132",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/qach-bqe/bigquery export/bigquery-222217%40chronicle-qach.gserviceaccount.com"
}
- Forwarder Key: This key must be in .conf format to send the logs from the customer environment to the Chronicle instance.
Your forwarder key looks like this:
output:
  url: malachiteingestion-pa.googleapis.com:443
  identity:
    identity:
    collector_id: "COLLECTOR_ID"
    customer_id: "CUSTOMER_ID"
    secret_key: |
      {
        "type": "service_account",
        "project_id": "PROJECT_ID",
        "private_key_id": "PRIVATE_KEY_ID",
        "private_key": "-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n",
        "client_email": "CLIENT_EMAIL",
        "client_id": "CLIENT_ID",
        "auth_uri": "https://accounts.google.com/o/oauth2/auth",
        "token_uri": "https://oauth2.googleapis.com/token",
        "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
        "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/malachite-test-1%40malachite-test.iam.gserviceaccount.com"
      }
collectors:
- syslog:
    common:
      enabled: true
      data_type: "WINDOWS_DHCP"
      data_hint:
      batch_n_seconds: 10
      batch_n_bytes: 1048576
    tcp_address: 0.0.0.0:10514
    udp_address: 0.0.0.0:10514
    connection_timeout_sec: 60
    tcp_buffer_size: 524288
- syslog:
    common:
      enabled: true
      data_type: "WINDOWS_DNS"
      data_hint:
      batch_n_seconds: 10
      batch_n_bytes: 1048576
    tcp_address: 0.0.0.0:10515
    connection_timeout_sec: 60
    certificate: "../forwarder/inputs/testdata/localhost.pem"
    certificate_key: "../forwarder/inputs/testdata/localhost.key"
    tcp_buffer_size: 524288
- Admin Key: allows you to map the roles and enables Big Query access.
Your Admin key looks like this:
{
  "type": "service_account",
  "project_id": "chronicle-qach",
  "private_key_id": "4c7757c5c58b962434657698234567",
  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvAIBmweoifjwoefkdsjcnsmcnskfihkerjfnk\EFJEINFEKJNFKEWDLWEKFIERFNKMDLCEWOFIEWLKFKDWJNFIERUHFJBEWKDCNWEIFNWEJFKNEWJFKNEWK\NEWFHEWJBFCEDCNIWENFWENCSJDQIdiwehdewndiewnmwecnoweUIHNhihiIIOHIHUKJoiuinublVUIboUGeZD1CGjA3/NiV9XvWzGug==\n-----END PRIVATE KEY-----\n",
  "client_email": "pbgbj-admin-1687431114@malachite-",
  "client_id": "106339086403r3rr32132132",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/qach-bk-3434717%40chronicle-qach.gserviceaccount.com"
}
- Click Submit.
A message appears: "Your Chronicle instance has been added successfully."
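Before uploading the five keys, it is worth checking each file offline: that it parses (as .json, or as the base64-encoded .txt the note above allows), that it really is a service-account key with a PEM private key, and which role it serves, using the distinguishing term in client_email that the samples above rely on. The following script is an added example, not part of the Resolution Intelligence Cloud documentation or product; it uses only the Python standard library, pairs each role with the read-only "list" endpoint from the Backstory permissions section as a suggested smoke test, and never returns or prints the private key. The sample key at the bottom is constructed for the example.

```python
import base64
import json

# Fields every Google service-account key carries (the page's samples show them).
REQUIRED = ("type", "project_id", "private_key_id", "private_key",
            "client_email", "client_id", "token_uri")

# Distinguishing term in client_email -> the page's own read-only "list" call for
# that key, usable as a permission smoke test (None for Big Query, whose access
# comes from IAM roles rather than a Backstory endpoint).
ROLE_MARKERS = {
    "backstory": "https://backstory.googleapis.com/v1/feeds",
    "ingestion": "https://malachiteingestion-pa.googleapis.com/v2/logtypes",
    "bigquery": None,
    "admin": "https://backstory.googleapis.com/v1/roles",
}

def load_key(raw: bytes) -> dict:
    """Parse a .json key, or a .txt file holding the same JSON base64-encoded."""
    text = raw.strip()
    if not text.startswith(b"{"):                       # base64 .txt upload
        text = base64.b64decode(b"".join(text.split()), validate=True)
    return json.loads(text)

def inspect_key(raw: bytes) -> dict:
    """Return non-secret metadata about a key, or {"ok": False, "error": ...}."""
    try:
        key = load_key(raw)                             # binascii/JSON errors are ValueErrors
    except ValueError as exc:
        return {"ok": False, "error": f"unparseable key: {exc}"}
    missing = [f for f in REQUIRED if f not in key]
    if missing:
        return {"ok": False, "error": f"missing fields: {missing}"}
    if key["type"] != "service_account":
        return {"ok": False, "error": "not a service_account key"}
    pem = key["private_key"]
    if not (pem.startswith("-----BEGIN PRIVATE KEY-----")
            and pem.rstrip().endswith("-----END PRIVATE KEY-----")):
        return {"ok": False, "error": "private_key is not a PEM PKCS#8 block"}
    email = key["client_email"].lower()
    role = next((r for r in ROLE_MARKERS if r in email), "unknown")
    # The private key itself is deliberately not part of the result.
    return {"ok": True, "role": role, "project_id": key["project_id"],
            "client_email": key["client_email"], "check_endpoint": ROLE_MARKERS.get(role)}

# Constructed sample in the page's key format; not a real credential.
SAMPLE_JSON = json.dumps({
    "type": "service_account", "project_id": "example-project",
    "private_key_id": "0000000000000000000000000000000000000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "backstory-sa@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000", "token_uri": "https://oauth2.googleapis.com/token",
}).encode()
SAMPLE_TXT = base64.b64encode(SAMPLE_JSON)   # what a base64-encoded .txt upload holds
```

Run inspect_key on each file you intend to upload; a result whose role is "unknown" usually means the key was generated for a different service account than the one the tile expects.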
Getting an Instance ID from Chronicle UI
To get your Instance ID,
- Log in to your Google Chronicle account using valid credentials.
- At the top right corner, navigate to Settings --> Profile.
- Under Organization details, copy Customer ID and paste it in the Chronicle Instance ID field.
Enabling Chronicle Instance
If you are a tenant and have purchased an appropriate plan from Netenrich, you can enable the Chronicle instance using the following procedure:
Prerequisites
- Enable Chronicle instances at the domain or organization level.
Permissions required in Resolution Intelligence Cloud
The users with the following roles can set up the Chronicle instance:
- Global Admin
- Owner
- User with Manager role
- Configuration Manager
To enable an instance from the domain or organization,
- Click the gear icon at the top (or) hover over the breadcrumb icon at the top left corner.
- At the bottom of the left menu, click Configurations.
- In the left menu, under Data Ingestion, click Integrations. You will be navigated to the Integrations page.
- Locate and click the Chronicle tile.
- Click Enable.
A message "Google Chronicle has been enabled" appears and a job log is shown on the screen.
Obtaining access to tenant's Chronicle instance
Resolution Intelligence Cloud enables you to integrate the Chronicle instance of a tenant and generate a SAML file. This file is shared with the Google team to obtain access to the respective tenant's Chronicle instance. Once access is granted, the SOC team can begin monitoring and safeguarding the tenant's assets in Chronicle.
Prerequisites
- Chronicle Instance URL - Each Chronicle instance consists of a specific URL (for example, https://xxxx.backstory.chronicle.security).
- GCP Project Name (Optional) – The name of the GCP project.
Once you click Enable at the top right of the Chronicle screen, a message "Google Chronicle has been enabled" appears.
Generating a SAML file to obtain access to a tenant's Chronicle instance
- Provide the Chronicle instance URL of the tenant and the GCP project name in the respective fields.
- Click Submit to see the Download SAML option.
- Review the Chronicle instance details of the tenant and click Download SAML.
Share this SAML file with the Google team to obtain access to the tenant's instance.
Once the Chronicle instance is enabled, the Chronicle assets are synced to your account, and you can access them using the following procedure.
- Hover over the breadcrumb icon at the top left corner.
- In the left menu, under Security, click Threat Hunting.
You will be redirected to your Chronicle account.