Google Chronicle SIEM
Introduction

This guide tells you how to authenticate the Google Chronicle SIEM connector in Swimlane using OAuth 2.0 service account authentication. You will create a Google Cloud project, configure a service account, assign required permissions, collect required identifiers, and configure the connector in Swimlane.

Prerequisites

Google Chronicle access requirements

You must have permissions to:

- Access Google Cloud Console
- Create and manage GCP projects
- Enable APIs and services
- Create and manage service accounts
- Assign IAM roles and permissions
- Configure domain-wide delegation (if required)

Required credentials

During setup, you will collect:

- Service account JSON key (base64 encoded)
- API base URL (Chronicle endpoint)
- Scope
- GCP project ID

Scopes

The following scope is required for Chronicle API access:

- https://www.googleapis.com/auth/chronicle-backstory

Google Chronicle setup

Take the following steps to create a GCP project:

1. Navigate to https://console.cloud.google.com/
2. Click the project selector dropdown.
3. Click New Project.
4. Enter a project name.
5. Click Create.

Take the following steps to enable the Chronicle API:

1. Navigate to APIs & Services → Library.
2. Search for Chronicle API.
3. Click Enable.

Take the following steps to create a service account:

1. Navigate to IAM & Admin → Service Accounts.
2. Click Create Service Account.
3. Enter:
   - Name
   - ID
   - Description
4. Click Create and Continue.

Take the following steps to assign roles:

1. In the Grant this service account access step, assign one of the following roles:
   - Chronicle API Admin
   - Chronicle API Reader
2. Click Continue, then Done.

Take the following steps to generate a JSON key:

1. Open the created service account.
2. Navigate to the Keys tab.
3. Click Add Key → Create new key.
4. Select JSON format.
5. Click Create.
6. Download and securely store the JSON file.

Take the following steps to configure API scopes:

1. Navigate to https://admin.google.com
2. Go to Security → API Controls.
3. Click Manage Domain Wide Delegation.
4. Click Add new.
5. Enter:
   - Client ID (from service account)
   - Scope: https://www.googleapis.com/auth/chronicle-backstory
6. Click Authorize.

API endpoint URLs

| Region | Endpoint |
|---|---|
| US (multi-region) | https://backstory.googleapis.com/ |
| Europe | https://europe-backstory.googleapis.com/ |
| Asia | https://asia-southeast1-backstory.googleapis.com/ |
| Australia | https://australia-southeast1-backstory.googleapis.com/ |

Connector configuration in Swimlane

1. Log in to Turbine.
2. From the left-hand navigation pane, click Orchestration and click Assets. The Asset homepage opens.
3. Click the plus icon to open the Configure Your Connector Asset window.
4. Select Google Chronicle SIEM from the Asset Type list.
5. Fill in the Asset Settings and Asset Input as shown.

Configuration – OAuth 2.0 service account

| Field | Description | Required/Optional |
|---|---|---|
| B64 Service Info | Base64-encoded JSON service account key | Required |
| URL | Chronicle API base URL | Required |
| Scopes | API scope (chronicle-backstory) | Required |
| Verify SSL | Enable/disable SSL verification | Optional |
| HTTP Proxy | Optional proxy configuration | Optional |

Fields with marks are required.

Troubleshooting

If authentication fails:

- Ensure the JSON key file is valid and correctly encoded.
- Verify the Chronicle API is enabled.
- Confirm the service account has correct roles.
- Check the scope is correctly configured.
- Ensure domain-wide delegation is authorised.
- Verify the correct regional endpoint is used.

You have successfully authenticated the Google Chronicle SIEM connector in Swimlane.

Sources

- Google Chronicle API documentation: https://cloud.google.com/chronicle/docs
- Google Cloud service account documentation: https://cloud.google.com/iam/docs/service-accounts
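
The asset inputs and the first troubleshooting checks above (key encoding, scope, regional endpoint) can be verified locally, with no network call, before the asset is saved. The Python below is an added example, not part of the original guide or of the Swimlane connector; the function names, the constructed sample key and the assumption that multiple scopes are separated by spaces or commas are illustrative.

```python
import base64
import json
import re

# From the guide: the required scope and the regional endpoints.
CHRONICLE_SCOPE = "https://www.googleapis.com/auth/chronicle-backstory"
ENDPOINTS = {
    "https://backstory.googleapis.com",
    "https://europe-backstory.googleapis.com",
    "https://asia-southeast1-backstory.googleapis.com",
    "https://australia-southeast1-backstory.googleapis.com",
}
# Fields found in a Google service account JSON key file.
KEY_FIELDS = ("type", "project_id", "private_key", "client_email", "client_id")

# Constructed sample key: every value is a placeholder, not a real credential.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key": "PLACEHOLDER-NOT-A-KEY",
    "client_email": "chronicle-sa@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
}


def encode_key(key_json: bytes) -> str:
    """Base64-encode the downloaded JSON key file contents as one line."""
    return base64.b64encode(key_json).decode("ascii")


def check_asset_inputs(b64_service_info: str, url: str, scopes: str) -> list:
    """Return a list of problems; an empty list means the inputs are consistent."""
    try:
        info = json.loads(base64.b64decode(b64_service_info.strip(), validate=True))
    except ValueError:  # covers bad base64, bad UTF-8 and invalid JSON
        return ["b64 service info is not base64-encoded JSON"]
    if not isinstance(info, dict):
        return ["decoded key is not a JSON object"]
    problems = [f"key is missing '{f}'" for f in KEY_FIELDS if not info.get(f)]
    if info.get("type") not in (None, "service_account"):
        problems.append("key type is not 'service_account'")
    if url.rstrip("/") not in ENDPOINTS:
        problems.append("url is not one of the listed regional endpoints")
    # Assumption: multiple scopes are separated by spaces or commas.
    if CHRONICLE_SCOPE not in re.split(r"[\s,]+", scopes.strip()):
        problems.append("chronicle-backstory scope is not set")
    return problems
```

The `client_id` field of the decoded key is the value entered as Client ID in the domain-wide delegation step.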