-Google Chronicle- Integration

Hey, when configuring the Google Chronicle Integration, the system requires a "User's Service Account". Please, where can I export it from? If I leave it empty (to use the default) the test fails 😞 (or how can I grant the necessary permissions?)

The documentation [1] says:

"Service account of the Google SecOps SIEM instance. Copy the entire service account JSON file."


[1] https://cloud.google.com/chronicle/docs/soar/marketplace-integrations/google-chronicle

 

Thank you!!

1 ACCEPTED SOLUTION

The "service account" for the SIEM connector in SOAR is the Backstory API key that can be found in GCP secrets for the project hosting the SecOps instance. 


Additionally, if you are trying to set up the integration to ingest alerts/detections from SIEM, you will need to set up a SOAR connector instead of an integration.
Legacy SIEM/SOAR:
Settings > Ingestion > Connectors 
Unified SecOps: 
Settings > SOAR Settings > ingestion > Connectors 
ref: https://cloud.google.com/chronicle/docs/soar/respond/start-developing/my-first-connector


5 REPLIES

Well, first off - just want to clarify here - it looks like you are working on SOAR yet posted in the SIEM channel. I'll assume you are talking SOAR because the screenshot is a SOAR integration.

This should have been delivered to you on setup.  However, if you do not have that available, you can reach out to your customer engineer or create a support case in which they can get you what you need.  

I do not believe the proper access can be created through the service account on the GCP customer side.  I may be wrong here but I believe you need the former backstory SA account for this integration.  

Hey dnhoda, my bad, yes, it is a SOAR integration. I will create a support case and contact the customer engineer. Thank you!  

Oh I just thought of another way to get it. If you don't have GCP access and have collection agent enabled - I believe the auth file there under SIEM settings / collection agent is the same file.

I believe that one is the ingestion API, not the backstory API.
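
The documentation quoted in the question asks for the entire service account JSON file, so a quick local check before pasting can rule out an empty, truncated or wrong-type value as the cause of a failed test. The following is an added example, not part of the thread or of Google's integration code; it assumes the credential uses the standard Google Cloud service account key layout, and the function name and sample values are constructed for illustration.

```python
import json

# Fields of a standard Google Cloud service account key file (assumed layout).
REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key",
                   "client_email", "client_id", "token_uri")
PEM_BEGIN = "-----BEGIN PRIVATE KEY-----"
PEM_END = "-----END PRIVATE KEY-----"


def check_service_account_json(text):
    """Return a list of problems; an empty list means the paste looks complete.

    The private key itself is never printed or returned.
    """
    if not text or not text.strip():
        return ["field is empty: the integration needs the full JSON key"]
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON (truncated or partial paste?): {exc.msg}"]
    if not isinstance(data, dict):
        return ["top-level JSON value is not an object"]

    problems = [f"missing or empty field: {name}"
                for name in REQUIRED_FIELDS if not data.get(name)]
    if data.get("type") and data["type"] != "service_account":
        problems.append(f"type is {data['type']!r}, expected 'service_account'")
    key = data.get("private_key")
    if isinstance(key, str) and key and not (
            key.strip().startswith(PEM_BEGIN) and key.strip().endswith(PEM_END)):
        problems.append("private_key is not a complete PEM block")
    email = data.get("client_email")
    if isinstance(email, str) and email and not email.endswith(".gserviceaccount.com"):
        problems.append("client_email is not a service account address")
    return problems


# Constructed sample: key-file structure with placeholder values only.
SAMPLE = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0000placeholder",
    "private_key": PEM_BEGIN + "\nPLACEHOLDER\n" + PEM_END + "\n",
    "client_email": "example-sa@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000",
    "token_uri": "https://oauth2.googleapis.com/token",
})

if __name__ == "__main__":
    print(check_service_account_json(SAMPLE))
    print(check_service_account_json(SAMPLE[:120]))
```

A clean result only confirms the file is structurally complete; it does not tell you whether the key belongs to the Backstory API or the ingestion API.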