Learn how to set up your first Chronicle instance using your own licensed Chronicle credentials or Netenrich (EMBED) instance credentials.
Important: Google Chronicle licenses from Netenrich are available on the Foundation, Analytics, and Resolutions plans.
Chronicle is a cloud service, built as a specialized layer on top of core Google infrastructure, designed to privately retain, analyze, and search the massive amounts of security and network telemetry that organizations generate. Chronicle normalizes, indexes, correlates, and analyzes the data to provide instant analysis and context on risky activity.
Chronicle enables you to examine the aggregated security information for your enterprise going back for months or longer. Use Chronicle to search across all the domains accessed within your enterprise. You can narrow your search to any specific asset, domain, or IP address to determine if any compromise has taken place.
Resolution Intelligence Cloud is a cloud-native data analytics platform for managing security and digital operations, with the scale and speed of Google Chronicle SIEM built in.
It ingests all data across security and operations, identifies incidents and pre-incident situations, ranks them by business risk, and correlates extensive context for proactive, fast resolution.
Scope
This document will help you set up and/or link your Chronicle instance to your tenants in Resolution Intelligence Cloud.
Prerequisites
- Backstory Key - used to modify instance details
- Ingestion Key - allows data to be ingested into Chronicle
- Big Query Key - allows searching and querying the data available in Chronicle
- Forwarder Key - sends logs from the customer environment to the Chronicle instance
Note 1: All keys must be in .txt or JSON format to link your instance successfully.
Note 2: Contact your Google Chronicle Customer Engineer to get the BigQuery, Backstory, Forwarder and Ingestion keys.
Chronicle Setup in Multitenancy
Resolution Intelligence Cloud lets you configure a Chronicle instance for a domain, an organization and their tenants in a hierarchical manner.
Multitenancy in Resolution Intelligence Cloud means that multiple tenants can exist under one or more organizations, which in turn belong to one or more domains.
Here you can set up a Chronicle instance in two ways.
- Use Netenrich Chronicle Credentials (EMBED): By default, a Chronicle instance is enabled, and you can use it for your tenants while setting them up if you choose a Google Chronicle license from Netenrich.
- Bring Your Own Chronicle: You can use this option at the organization or tenant level. If you choose it while setting up your account, you must integrate your Chronicle instance with Resolution Intelligence Cloud manually for your tenants.
Configuring Chronicle Instance for Tenants
Permissions Required
Users with the following roles can set up the Chronicle instance.
- Global Admin
- Super Admin
- Manager role
- Configuration Manager
Once the Chronicle instance is enabled through any of the scenarios listed below, you can access it in either of the following ways.
- Click the icon at the top of your home page, or
- Navigate to Insights --> Security --> Threat Hunting
For Tenants with Netenrich - Chronicle Instance and/or Inherit from Organization
If you are a user at the tenant level and have purchased a plan (Foundation, Analytics, or Resolutions) from Netenrich, you can use the Netenrich license and/or inherit the Chronicle instance from your organization to set up your Chronicle instance.
If you choose to use the Netenrich Chronicle license or Inherit from Organization, a page appears where you click the Add Instance button. After 5 or 6 minutes, an instance URL is generated and appears on your screen.
For Tenants with their own Chronicle Instance (BYOC)
Resolution Intelligence Cloud allows you to use your own Chronicle instance credentials to set up your account at each tenant level. If you choose Bring Your Own Chronicle while setting up your account, you must integrate your Chronicle instance with Resolution Intelligence Cloud manually.
Key Permissions
The following key permissions are required to perform operations such as feed management, parser management, rule management, list management, detections, access control, BigQuery access, and the Ingestion APIs.
Backstory Permission
With the Backstory key, you can use the following APIs to perform operations on your security data.
Feed Management API
https://backstory.googleapis.com/v1/feeds
Refer to the Feed Management guide.
Parser Management API
List parsers
https://backstory.googleapis.com/v1/tools/cbnParsers
Refer to GitHub - chronicle/cbn-tool: command line tool to interact with Chronicle's Config Based Normalizer (CBN) APIs.
Rule Management API
List rules
https://backstory.googleapis.com/v2/detect/rules
Refer to Rule Management.
Reference List Management
List reference lists
https://backstory.googleapis.com/v2/lists
Refer to Reference Lists.
Access Control
List roles
GET https://backstory.googleapis.com/v1/roles
Refer to Access Control.
Detections
List detections
https://backstory.googleapis.com/v2/detect/rules/-/detections
Refer to Detections.
Big Query Access
Use the following roles to grant the BigQuery permissions needed to read BigQuery table data.
roles/bigquery.dataViewer
roles/bigquery.jobUser
roles/storage.objectViewer
Refer to BigQuery API clients.
Ingestion API
List multiple log types
GET https://malachiteingestion-pa.googleapis.com/v2/logtypes
Refer to the Ingestion API.
To integrate your Chronicle instance:
1. Navigate to Configurations --> Integrations.
2. Search for "Chronicle" in the search bar.
3. Click the Chronicle tile and click Add --> Add Integration.
4. A form appears with the required credential details. In the Chronicle Instance URL field, enter the required URL.
5. Choose the suitable key files next to the following fields:
   - Backstory Key
   - Ingestion Key
   - Big Query Key
   - Forwarder Key
   Note: All keys must be in .txt or JSON format to link your instance successfully.
   A sample Backstory key file looks like:
   {
     "type": "service_account",
     "project_id": "chronicle-qach",
     "private_key_id": "4c7757c5c58b962434657698234567",
     "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvAIBmweoifjwoefkdsjcnsmcnskfihkerjfnk\nEFJEINFEKJNFKEWDLWEKFIERFNKMDLCEWOFIEWLKFKDWJNFIERUHFJBEWKDCNWEIFNWEJFKNEWJFKNEWK\nNEWFHEWJBFCEDCNIWENFWENCSJDQIdiwehdewndiewnmwecnoweUIHNhihiIIOHIHUKJoiuinublVUIboUGeZD1CGjA3/NiV9XvWzGug==\n-----END PRIVATE KEY-----\n",
     "client_email": "qach-bk-1674793337@chronicle-qach.iam.gserviceaccount.com",
     "client_id": "106339086403r3rr32132132",
     "auth_uri": "https://accounts.google.com/o/oauth2/auth",
     "token_uri": "https://oauth2.googleapis.com/token",
     "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
     "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/qach-bk-3434717%40chronicle-qach.gserviceaccount.com"
   }
   A sample Ingestion key file looks like:
   {
     "type": "service_account",
     "project_id": "chronicle-qach",
     "private_key_id": "4c7757c5c58b962434657698234567",
     "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvAIBmweoifjwoefkdsjcnsmcnskfihkerjfnk\nEFJEINFEKJNFKEWDLWEKFIERFNKMDLCEWOFIEWLKFKDWJNFIERUHFJBEWKDCNWEIFNWEJFKNEWJFKNEWK\nNEWFHEWJBFCEDCNIWENFWENCSJDQIdiwehdewndiewnmwecnoweUIHNhihiIIOHIHUKJoiuinublVUIboUGeZD1CGjA3/NiV9XvWzGug==\n-----END PRIVATE KEY-----\n",
     "client_email": "qach-ing-1674793337@chronicle-qach.iam.gserviceaccount.com",
     "client_id": "106339086403r3rr32132132",
     "auth_uri": "https://accounts.google.com/o/oauth2/auth",
     "token_uri": "https://oauth2.googleapis.com/token",
     "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
     "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/qach-ing-434717%40chronicle-qach.gserviceaccount.com"
   }
   A sample Big Query key file looks like:
   {
     "type": "service_account",
     "project_id": "chronicle-qach",
     "private_key_id": "4c7757c5c58b962434657698234567",
     "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvAIBmweoifjwoefkdsjcnsmcnskfihkerjfnk\nEFJEINFEKJNFKEWDLWEKFIERFNKMDLCEWOFIEWLKFKDWJNFIERUHFJBEWKDCNWEIFNWEJFKNEWJFKNEWK\nNEWFHEWJBFCEDCNIWENFWENCSJDQIdiwehdewndiewnmwecnoweUIHNhihiIIOHIHUKJoiuinublVUIboUGeZD1CGjA3/NiV9XvWzGug==\n-----END PRIVATE KEY-----\n",
     "client_email": "qach-bqe-1674793337@chronicle-qach.iam.gserviceaccount.com",
     "client_id": "106339086403r3rr32132132",
     "auth_uri": "https://accounts.google.com/o/oauth2/auth",
     "token_uri": "https://oauth2.googleapis.com/token",
     "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
     "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/qach-bqe-222217%40chronicle-qach.gserviceaccount.com"
   }
6. Click Link Chronicle Instance.
After 5 to 10 minutes, the message "Your Chronicle instance has been added successfully" appears.
After you have configured the Chronicle instance, all available Chronicle assets are synced to your account.
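Before uploading the key files in the procedure above, it is worth checking them offline: a key file that is not valid JSON, is not a service-account key, or is the same key reused for two roles will either fail the link step or give one credential more reach than it needs. The script below is an added example, not Netenrich or Google Chronicle code. It validates each key file against the shape shown in the samples above without ever logging the private key material, warns when two roles share a private_key_id, and can optionally probe the Backstory and Ingestion endpoints listed under Key Permissions with a single read-only request. The constructed sample key, the role names, the SMOKE_ENDPOINTS mapping, and the use of google-auth's AuthorizedSession with the chronicle-backstory scope are assumptions; the Forwarder and BigQuery keys are validated but not probed.

```python
"""Pre-flight checks for the service-account key files used to link a
Chronicle instance (added example; not Netenrich or Google code).
Assumes Google service-account JSON key files, the endpoints from the
Key Permissions section, and google-auth for the optional live probe
(imported lazily so the offline checks need only the standard library)."""
import json
import re

REQUIRED_FIELDS = (
    "type", "project_id", "private_key_id", "private_key",
    "client_email", "client_id", "auth_uri", "token_uri",
)
# One read-only endpoint per key role (from Key Permissions), used as a
# minimal "does this key actually work" probe.  Assumed mapping.
SMOKE_ENDPOINTS = {
    "backstory": "https://backstory.googleapis.com/v2/detect/rules",
    "ingestion": "https://malachiteingestion-pa.googleapis.com/v2/logtypes",
}
# OAuth scope used by the Chronicle API client samples (assumption).
CHRONICLE_SCOPE = "https://www.googleapis.com/auth/chronicle-backstory"

# Constructed sample in the shape of the page's key files; the key
# material is placeholder text, not a real key.
SAMPLE_KEY_TEXT = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "example-bk@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
})
SAMPLE_KEY_INFO = json.loads(SAMPLE_KEY_TEXT)


def validate_key(text):
    """Return the problems found in a key file (empty list = OK).  Messages
    never contain the private key, so they are safe to log or put in a ticket."""
    try:
        info = json.loads(text)
    except json.JSONDecodeError as exc:
        return ["not valid JSON: line %d column %d" % (exc.lineno, exc.colno)]
    if not isinstance(info, dict):
        return ["top-level JSON value is not an object"]
    problems = []
    for field in REQUIRED_FIELDS:
        if not info.get(field):
            problems.append("missing field: %s" % field)
    if info.get("type") != "service_account":
        problems.append("type is %r, expected 'service_account'" % info.get("type"))
    pem = info.get("private_key", "")
    if not (pem.startswith("-----BEGIN PRIVATE KEY-----\n")
            and pem.rstrip("\n").endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key is not a PEM block with BEGIN/END PRIVATE KEY markers")
    email = info.get("client_email", "")
    if email and not re.fullmatch(r"[^@\s]+@[^@\s]+\.iam\.gserviceaccount\.com", email):
        problems.append("client_email is not a *.iam.gserviceaccount.com address")
    return problems


def shared_key_ids(keys_by_role):
    """Map private_key_id -> roles using it, keeping only ids shared by more
    than one role.  Each role should have its own key so that a leak of one
    file does not also grant the other roles' API access."""
    by_id = {}
    for role, info in keys_by_role.items():
        by_id.setdefault(info.get("private_key_id"), []).append(role)
    return {kid: roles for kid, roles in by_id.items() if len(roles) > 1}


def smoke_test(role, info, session=None):
    """Make one read-only request with the key for `role` and classify the
    outcome.  `session` may be injected (anything with .get(url) returning an
    object with .status_code) so the logic runs offline; when None, a
    google-auth AuthorizedSession is built from the key."""
    url = SMOKE_ENDPOINTS[role]
    if session is None:
        from google.oauth2 import service_account
        from google.auth.transport.requests import AuthorizedSession
        creds = service_account.Credentials.from_service_account_info(
            info, scopes=[CHRONICLE_SCOPE])
        session = AuthorizedSession(creds)
    status = session.get(url).status_code
    if status == 200:
        return "ok"
    if status in (401, 403):
        return "key rejected or lacks permission for this API (HTTP %d)" % status
    return "unexpected HTTP %d" % status


if __name__ == "__main__":
    import sys  # usage: python check_keys.py backstory.json ingestion.json bigquery.json
    loaded = {}
    for role, path in zip(("backstory", "ingestion", "bigquery"), sys.argv[1:]):
        text = open(path).read()
        problems = validate_key(text)
        print(role, path, "OK" if not problems else "; ".join(problems))
        if not problems:
            loaded[role] = json.loads(text)
    for kid, roles in shared_key_ids(loaded).items():
        print("WARNING: key id %s... is shared by %s" % (kid[:8], ", ".join(roles)))
    for role in ("backstory", "ingestion"):
        if role in loaded:
            print(role, "probe:", smoke_test(role, loaded[role]))
```

Run it with the three key files as arguments; a 401 or 403 from the probe means the file is a well-formed key but Chronicle does not accept it for that API, which is the case to raise with your Customer Engineer before linking the instance.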