You already know Google Chronicle is a great SIEM. It can help you identify and respond to security threats, and it can give you a comprehensive view of your security posture. But did you know that by integrating Chrome Enterprise with Google Chronicle, you can get even more out of your security investment, and you don't have to pay a penny for it? Now I have your attention. Let's look at Chrome Enterprise and see how it can boost your security visibility.
This is the first part of a multi-part blog series on how to integrate Chrome Enterprise with Google Chronicle. In this part, we will discuss how to integrate Chrome Enterprise with Google Chronicle to boost your security visibility. In future parts, we will explore other use cases for this integration, such as identifying and responding to security threats, and getting a comprehensive view of your security posture.
Google Chrome is the most popular web browser in the world, without question. More than two billion people already use Google Chrome for work and play. But what many don't know is that Chrome can also be used as a powerful security tool. With Chrome’s cloud-based management tool, you can control how Chrome is used on your devices regardless of the OS and gather security insights about your fleet.
Let's see some of the benefits of using Chrome Enterprise Management:
The beautiful part of all the things mentioned above is that they can be done without additional cost. You can accomplish all of them without having to reinstall Chrome since you can bring user-installed instances of Chrome under management seamlessly.
On top of the no-cost features of Chrome Enterprise Management, let's talk about how you can import Chrome Enterprise data into Chronicle to improve your visibility.
As a prerequisite to leverage Chrome integrations into Chronicle, you will need to enroll Chrome into the Admin Console in order to access reporting information. Enrolling browsers is very easy. For help getting started, the Beyond Browsing YouTube playlist is a fantastic resource. You can also contact our team here.
If you prefer to read technical documentation, you can read the Chrome Browser Cloud Management guide or follow the step-by-step guides in your Google Admin Console.
After you have completed the Chrome Browser Cloud Management setup and enrolled your endpoints, Chrome events will be collected. The data is logged in the Google Admin console under Reporting > Audit and investigation > Chrome log events.
Here are some of the events that were captured:
| Event value | Description |
| --- | --- |
| Malware transfer | The content uploaded or downloaded by the user is considered to be malicious, dangerous, or unwanted. |
| Extension install | A browser extension was installed, either by user action or by the administrator. |
| Password changed | The user resets their password for the first signed-in user account. |
| Password reuse | The user has entered a password into a URL that’s not included in the list of allowed enterprise login URLs. |
| Unsafe site visit | The URL visited by the user is considered to be deceptive or malicious based on Google Safe Browsing. |
For more information on all Chrome events, please see the Google support documentation:
https://support.google.com/a/answer/9393909.
A connector is a way to connect Google Admin Console to other systems, including Chronicle. To set up the Chronicle connector, you will need to contact your Google Customer Engineer or request an Ingestion API key from Google Chronicle support. Once you have your Ingestion API keys, we can start configuring Chrome Enterprise to send logs to Chronicle where they will be normalized, enriched, and indexed. All data in Chronicle, by default, is searchable for a year.
To configure Chrome Enterprise to send logs to Chronicle, you can follow the instructions below.
After you apply the policy in Chrome Browser Cloud Management, alerts from managed browsers will be sent to Chronicle. The ingested events include fields such as accessed domain, downloaded file hash, and username. You can find each of these in Chronicle with the methods below:
In this blog post, we explored how Chrome Browser Cloud Management and Google Chronicle can be integrated to boost your security visibility. We highlighted the advantages of adopting Chrome Enterprise, such as central management and visibility across operating systems, user management, control over extensions, and reporting. Following that, we walked through the steps to set up the integration between Chrome Enterprise and Google Chronicle. In our next blog post, we will show some examples of how Chrome event data can be used to create rules and investigate security incidents.