Google Chronicle SecOps
Overview
Google Chronicle SecOps is a Security Information and Event Management (SIEM) platform designed to help organizations efficiently detect, investigate, and respond to security threats. Built on Google's scalable infrastructure, Chronicle SecOps integrates advanced threat intelligence, machine learning, and centralized security data analysis to provide deep insights and faster incident resolution.
By integrating Entitle with Chronicle SecOps, you can significantly strengthen your organization's security posture and protect sensitive data related to permissions and entitlements.
Forwarding Entitle audit logs to Chronicle SecOps:
- Enhances security monitoring: Gain comprehensive visibility into all permission and entitlement changes within Entitle, allowing for real-time monitoring and threat detection.
- Improves threat detection: Leverage Chronicle SecOps's advanced threat intelligence and machine learning capabilities to identify suspicious activities, such as unauthorized access attempts, privilege escalations, and anomalous entitlement modifications.
- Meets compliance requirements: Maintain a robust audit trail of all Entitle activities for compliance with industry regulations (e.g., GDPR, SOX, HIPAA) and internal security policies.
- Streamlines investigations: Accelerate security investigations by analyzing Entitle logs alongside other security data sources within Chronicle SecOps, enabling faster incident response and remediation.
Prerequisites
- Admin permissions in the Entitle tenant.
- API Keys Admin (roles/serviceusage.apiKeysAdmin) on your Chronicle project.
- Admin permission in Chronicle.
Create a Chronicle Feed
- Log in to Chronicle.
- Navigate to Settings > SIEM Settings > Feeds.
- Click Add new, and fill out using the below details:
  - Feed name: Beyondcorp Entitle
  - Source type: Webhook
  - Log type: BeyondTrust
- Click Next.
- You can skip Input Parameters.
- Click Next, and Submit.
- A page displays the following message: "Attention: A secret key is needed to complete feed setup." Do not close this window, as it is needed for the next step in this guide.
- On the Attention message page, click Details and copy the Endpoint Information. You will need it later in this guide.
Create Chronicle Credentials
- On the Secret Key tab, click Generate secret key.
- Copy the secret key and keep it for later in the following format:
  X-Webhook-Access-Key=<key from window>
Create GCP Credentials
- Navigate to the GCP project you are using to house Chronicle.
- Click Settings > SIEM Settings.
- The home page shows the GCP Project ID. In this project, navigate to APIs and services > Credentials.
- Click + Create Credentials at the top-left of the page.
- Once a randomly generated credential is made, click the ellipsis icon (…) on the right-hand side and select Edit API key.
- Set the Name to Beyondcorp Entitle.
- Under API restrictions, set the API to Chronicle API.
- Click Ok and Save.
- Once returned to the main menu, click Show Key and keep it alongside the secret key you previously copied, in the following format:
  X-goog-api-key=<key from GCP>
Below is a formatted example of the Secret Key and the API Key you should have:
  X-Webhook-Access-Key=b3022395dea87f5dae12d45e2413f747863ec8333e54319faa0d240c53e85c19
  X-goog-api-key=yBShXnMzYVOWGujPcA5o5rGPSoWFAaY9bvMF88Q6lRqHWSluHAal
Create audit log webhook in Entitle
- Create a new file in your integrated development environment called headers.json, in the following format:
  {
    "X-Webhook-Access-Key": "<key from window>",
    "X-goog-api-key": "<key from GCP>"
  }
  EXAMPLE FILE
  {
    "X-Webhook-Access-Key": "b3022395dea87f5dae12d45e2413f747863ec8333e54319faa0d240c53e85c19",
    "X-goog-api-key": "yBShXnMzYVOWGujPcA5o5rGPSoWFAaY9bvMF88Q6lRqHWSluHAal"
  }
- Log in to Entitle and navigate to the Org settings page.
- Scroll down to the Audit Logs Webhooks section. To add an Audit Log Webhook, click the + Add button in the right corner.
- In the Webhook URL section, insert the URL provided by Chronicle from the Create Chronicle Feed step in this guide.
- In the Headers section, insert the JSON file you created.
- Leave the Additional Audit Log Parameters section empty.
- Click Save.
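The two values in headers.json are the credentials Chronicle uses to accept the feed, so a mistake in the file (a placeholder left in, a key pasted with a trailing space, an extra field) silently breaks ingestion. The script below is an added example, not code from Entitle or Chronicle: it validates headers.json before it is pasted into Entitle, warns when the file is readable by other users, and builds the same POST request Entitle will send so a single constructed test event can be pushed to the feed endpoint. The endpoint URL, the shape of the sample event and the validation rules are assumptions; the real URL is the Endpoint Information copied from the feed's Details view above.

```python
import json
import os
import stat
import urllib.request
from typing import Dict

# Assumed placeholder: replace with the Endpoint Information copied from
# the Chronicle feed's Details view.
CHRONICLE_WEBHOOK_URL = "https://<endpoint-from-chronicle-feed-details>"

# Exactly these two headers are expected in headers.json.
REQUIRED_HEADERS = ("X-Webhook-Access-Key", "X-goog-api-key")


def validate_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Check parsed headers.json content before it is pasted into Entitle.

    The rules (exactly the two keys, non-empty strings, no whitespace, no
    leftover <placeholder>) are this example's assumptions about a
    well-formed file, not a documented Chronicle or Entitle requirement.
    """
    if not isinstance(headers, dict):
        raise ValueError("headers.json must contain a single JSON object")
    missing = [k for k in REQUIRED_HEADERS if k not in headers]
    if missing:
        raise ValueError(f"missing header(s): {', '.join(missing)}")
    extra = sorted(set(headers) - set(REQUIRED_HEADERS))
    if extra:
        raise ValueError(f"unexpected header(s): {', '.join(extra)}")
    for name in REQUIRED_HEADERS:
        value = headers[name]
        if not isinstance(value, str) or not value:
            raise ValueError(f"{name} must be a non-empty string")
        if any(c.isspace() for c in value):
            raise ValueError(f"{name} must not contain whitespace")
        if value.startswith("<") and value.endswith(">"):
            raise ValueError(f"{name} still holds the placeholder value")
    return headers


def load_headers(path: str) -> Dict[str, str]:
    """Load and validate headers.json; warn if other users can read the secrets."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        # Both values are credentials for the feed: owner-only is the safe mode.
        print(f"warning: {path} is readable by other users (mode {oct(mode & 0o777)})")
    with open(path, encoding="utf-8") as fh:
        return validate_headers(json.load(fh))


def build_test_request(url: str, headers: Dict[str, str], event: dict) -> urllib.request.Request:
    """Build (without sending) the JSON POST that carries the two access headers."""
    body = json.dumps(event).encode("utf-8")
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/json")
    for name, value in headers.items():
        req.add_header(name, value)
    return req


def send_test_event(url: str, headers: Dict[str, str], event: dict) -> int:
    """Send one constructed event and return the HTTP status (2xx means accepted)."""
    req = build_test_request(url, headers, event)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


# Constructed sample event for the connectivity check; the field names are
# illustrative and are not a real Entitle audit log record.
SAMPLE_EVENT = {
    "event_type": "entitle.integration.test",
    "actor": "integration-test@example.com",
    "detail": "connectivity check before enabling the Entitle webhook",
}

if __name__ == "__main__":
    hdrs = load_headers("headers.json")
    print("headers.json is well-formed")
    # Uncomment once CHRONICLE_WEBHOOK_URL holds the real endpoint:
    # print("status:", send_test_event(CHRONICLE_WEBHOOK_URL, hdrs, SAMPLE_EVENT))
```

Run it from the directory that holds headers.json; a 2xx status from send_test_event confirms the feed accepts the headers, and the test event then appears in Chronicle under the feed's log type, which is a useful marker for verifying the parser before real Entitle events arrive.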