Setup Chronicle Instance

  • Updated
In this article:

    Learn more on how you setup your first Chronicle instance using your own licensed Chronicle credentials or Netenrich (EMBED) instance credentials.

    Important: Google Chronicle licenses from Netenrich are available on Foundation, Analytics, and Resolutions plans.

    Chronicle is a cloud service, built as a specialized layer on top of core Google infrastructure, designed to privately retain, analyze, and search the massive amounts of security and network telemetry they generate. Chronicle normalizes, indexes, correlates, and analyzes the data to provide instant analysis and context on risky activity.

    Chronicle enables you to examine the aggregated security information for your enterprise going back for months or longer. Use Chronicle to search across all the domains accessed within your enterprise. You can narrow your search to any specific asset, domain, or IP address to determine if any compromise has taken place.

    Resolution Intelligence Cloud is a cloud-native data analytics platform for managing security and digital operations, with the scale and speed of Google Chronicle SIEM built in.

    It ingests all data across security and operations, identifies incidents and pre-incident situations, ranks them by business risk, and correlates extensive context for proactive, fast resolution.

    Scope

    This document will help you setup and/or link your Chronicle instance to your tenants in Resolution Intelligence Cloud.

    Prerequisites

    • Backstory Key - helps to modify instance details
    • Ingestion Key - allows the data to be ingested into Chronicle
    • Big Query Key - allows to search and query the data available in Chronicle
    • Forwarder Key - send logs from the customer environment to the Chronicle instance
      Note 1 : All keys must be in .txt or JSON format to link your instance successfully
      Note 2 : Contact Google Chronicle Customer Engineer to get BigQuery, Backstory, Forwarder and Ingestion keys.

    Chronicle Setup in Multitenancy

    Resolution Intelligence Cloud empowers you to configure Chronicle instance for domain, organization and their tenants in a hierarchical manner. 

    Multitenancy in our Resolution Intelligence Cloud is a process where you can have multiple tenants under one or more organizations which are a part of several domains.

    Here you can setup Chronicle instance in two ways.

    • Use Netenrich Chronicle Credentials (EMBED): By default, a Chronicle instance is enabled and you can use this instance for your tenants while setting up them if you choose to use a Google Chronicle license from Netenrich.
    • Bring Your Own Chronicle: You can use this option at organizations or tenants level. If you choose to use this option while setting up your account, you will have to integrate your Chronicle instance with Resolution Intelligence Cloud manually for your tenants.

    Configuring Chronicle Instance for Tenants

    Permissions Required

    The users with following roles can setup the Chronicle instance.

    • Global Admin
    • Super Admin
    • Manager role
    • Configuration Manager

    Once the Chronicle instance is enabled from the any of the scenarios listed below, you can access the Chronicle instance from either of the following ways.

    • Click at the top of your home page (or)
    • Navigate to Insights --> Security --> Threat Hunting

    For Tenants with Netenrich - Chronicle Instance and/or Inherit from Organization

    If you are a user at Tenant level and purchased a plan (Foundation, Analytics, and Resolutions) from Netenrich. You are allowed to use Netenrich license and/or inherit Chronicle instance from Organization to setup your Chronicle instance.

    If you choose to use Netenrich Chronicle license or Inherit from Organization, a page appears where you click Add Instance button. After 5 or 6 minutes, an instance URL is generated and appears on your screen. 

    Picture3.png

    For Tenants with their own Chronicle Instance (BYOC)

    Resolution Intelligence Cloud allows you to use your own Chronicle instance credentials to setup your account at each tenant level. If you choose Bring Your Own Chronicle while setting up your account, you will have to integrate your Chronicle instance with Resolution Intelligence Cloud manually.

    Key Permissions

    The following key permissions are required to perform multiple operations such as Feed management, Parser Management, Rule management, List Management, Detections, Access control, Big Query access, and Ingestion APIs.

    Backstory Permission
    With Backstory key, you can use the following APIs to perform several operations on top of your security data.

    Feed Management API

    https://backstory.googleapis.com/v1/feeds

    Refer Feed Management Guide

    Parser Management API

    List Parsers

    https://backstory.googleapis.com/v1/tools/cbnParsers

    Refer GitHub - chronicle/cbn-tool: Command line tool to interact with Chronicle's Config Based Normalizer (CBN) APIs.

    Rule Management API

    List Rules

    https://backstory.googleapis.com/v2/detect/rules

    Refer Rule management

    Reference List Management

    List Reference lists

    https://backstory.googleapis.com/v2/lists

    Refer Reference Lists

    Access Control

    List Roles

    GET https://backstory.googleapis.com/v1/roles

    Refer Access Control

    Detections

    List detections

    https://backstory.googleapis.com/v2/detect/rules/-/detections

    Refer Detections

    Big Query Access

    Use the following roles to get big query permissions to read the big query table data.

    • roles/bigquery.dataViewer
    • roles/bigquery.jobUser
    • roles/storage.objectViewer

    Refer Big Query API clients

    Ingestion API

    List multiple log types

    GET https://malachiteingestion-pa.googleapis.com/v2/logtypes

    Refer Ingestion API

    To integrate your Chronicle instance,

    1. Navigate to Configurations --> Integrations
    2. Search for “Chronicle” in the search bar
    3. Click on Chronicle tile and click Add --> Add Integration
      A form appears with required credential details
    4. In the Chronicle Instance URL field, enter a required URL
    5. Choose suitable files next to the following fields
      • Backstory Key
        Your sample query looks like: 
        {
        "type": "service_account",
        "project_id": "chronicle-qach"
        "private_key_id": "4c7757c5c58b962434657698234567"
        "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvAIBmweoifjwoefkdsjcnsmcnskfihkerjfnk\EFJEINFEKJNFKEWDLWEKFIERFNKMDLCEWOFIEWLKFKDWJNFIERUHFJBEWKDCNWEIFNWEJFKNEWJFKNEWK\NEWFHEWJBFCEDCNIWENFWENCSJDQIdiwehdewndiewnmwecnoweUIHNhihiIIOHIHUKJoiuinublVUIboUGeZD1CGjA3/NiV9XvWzGug==\n-----END PRIVATE KEY-----\n",
        "client_email": "qach-bk-1674793337@chronicle-qach.iam.gserviceaccount.com",
        "client_id": "106339086403r3rr32132132"
        "auth_uri": "https://accounts.google.com/o/oauth2/auth",
        "token_uri": "https://oauth2.googleapis.com/token",
        "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
        "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/qach-bk-3434717%40chronicle-qach.gserviceaccount.com"
        }
      • Ingestion Key
        Your sample query looks like:
         
        {"type": "service_account",
        "project_id": "chronicle-qach"
        "private_key_id": "4c7757c5c58b962434657698234567"
        "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvAIBmweoifjwoefkdsjcnsmcnskfihkerjfnk\EFJEINFEKJNFKEWDLWEKFIERFNKMDLCEWOFIEWLKFKDWJNFIERUHFJBEWKDCNWEIFNWEJFKNEWJFKNEWK\NEWFHEWJBFCEDCNIWENFWENCSJDQIdiwehdewndiewnmwecnoweUIHNhihiIIOHIHUKJoiuinublVUIboUGeZD1CGjA3/NiV9XvWzGug==\n-----END PRIVATE KEY-----\n",
        "client_email": "qach-ing-1674793337@chronicle-qach.iam.gserviceaccount.com",
        "client_id": "106339086403r3rr32132132""auth_uri": "https://accounts.google.com/o/oauth2/auth","token_uri": "https://oauth2.googleapis.com/token","auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs","client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/qach-ing-434717%40chronicle-qach.gserviceaccount.com"}
      • Big Query Key
        Your sample query looks like: 
        {
        "type": "service_account",
        "project_id": "chronicle-qach"
        "private_key_id": "4c7757c5c58b962434657698234567"
        "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvAIBmweoifjwoefkdsjcnsmcnskfihkerjfnk\EFJEINFEKJNFKEWDLWEKFIERFNKMDLCEWOFIEWLKFKDWJNFIERUHFJBEWKDCNWEIFNWEJFKNEWJFKNEWK\NEWFHEWJBFCEDCNIWENFWENCSJDQIdiwehdewndiewnmwecnoweUIHNhihiIIOHIHUKJoiuinublVUIboUGeZD1CGjA3/NiV9XvWzGug==\n-----END PRIVATE KEY-----\n",
        "client_email": "qach-bqe-1674793337@chronicle-qach.iam.gserviceaccount.com",
        "client_id": "106339086403r3rr32132132"
        "auth_uri": "https://accounts.google.com/o/oauth2/auth",
        "token_uri": "https://oauth2.googleapis.com/token",
        "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
        "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/qach-bqe-222217%40chronicle-qach.gserviceaccount.com"
        }
      • Forwarder Key
        Note: All keys must be in .txt or JSON format to link your instance successfully

    6. Click Link Chronicle Instance
    A message appears "Your Chronicle instance has been added successfully" after 5 to 10 minutes

    Picture4.png

    After you have configured Chronicle instance, all available Chronicle assets will be synced to your account.

     

    Related articles

    Comments

    0 comments

    Please sign in to leave a comment.