
Extending Chrome Enterprise security reporting to Palo Alto Networks Cortex XDR

July 27, 2023
Fletcher Oliver

Chrome Enterprise Customer Engineer


Security insights are essential for a secure enterprise browsing solution. By integrating your chosen security reporting solution with Chrome Enterprise, IT and security teams can gain a comprehensive view of the potential threats users face on the web and make data-driven decisions in their security journey.

The Chrome Enterprise and Palo Alto Networks Cortex XDR integration is now available in the Google Admin console in Chrome Browser Cloud Management. This integration has been validated by Chrome Enterprise Recommended, a program created to help enterprises find technologies that make working on the web and in the cloud even better. 

With this integration, organizations can easily send browser insights from managed Chrome browsers to Palo Alto Networks Cortex XDR for further analysis. In addition, customers can use these insights to create remediation rules and actions with Cortex XSIAM for an automated, end-to-end remediation experience for their browsers. For more information, see the XSIAM content pack here. 

Available Security Events

  • Malware transfer

  • Password changed

  • Unapproved password reuse

  • Unsafe site visit

  • Log-in events

  • Password breaches 

  • Extension installs

  • Crash events 

  • Content transfer*

  • Content unscanned*

  • Sensitive data transfer*


Enrolling machines in Chrome Browser Cloud Management

Getting started is easy. The first step is to set up Chrome Browser Cloud Management for your organization. This tool allows organizations to manage Chrome browsers from a single cloud-based Admin console across Windows, Mac, Linux, Android, and iOS at no additional cost. It is also the same console where IT teams can manage Chrome OS.

Once Chrome Browser Cloud Management is set up, you can turn on the integration with Cortex XDR to send critical security events for further investigation. You do not need to be fully managing the browser to do this.

Check out this guide for steps on how to enroll your devices. Once you are done, or if you already have Chrome Browser Cloud Management in place, move to the steps below. 

Set up in Palo Alto Networks Cortex XDR

  1. Log in to Palo Alto Networks Cortex XDR at https://cortex-gateway.paloaltonetworks.com

  2. Under Settings > Configurations > Data Collection > Custom Collectors, click Add Instance to create a new HTTP log collector (or click an existing HTTP log collector instance) for the dataset you want Chrome browser security events written to.

  3. When you create a new collector, give it a name, select JSON as the Log Format, set Compression to Uncompressed, and enter the Vendor and Product names. Cortex XDR names the resulting dataset <vendor>_<product>_raw, so if you leave Vendor or Product empty the dataset is labeled "unknown_unknown_raw", which makes it hard to target in queries later.

  4. Click Save & Generate Token and copy the token that is generated. You will enter it into the Admin console in the next section. Treat the token as a credential: anyone who holds it can write events into this dataset, so store it in a secrets manager rather than in a ticket or chat.


Set up in Chrome Browser Cloud Management

  1. Log in to the Google Admin console at admin.google.com and select the organizational unit that contains the enrolled Chrome browsers that you want to send security events to Palo Alto Networks Cortex XDR.

  2. Navigate to Devices > Chrome > Users and browsers. Add a filter for “event reporting”.

  3. Under Browser reporting > Event reporting, select Enable event reporting. Under the additional settings, you can choose which of the events listed above are sent to Palo Alto Networks Cortex XDR (the events marked with an asterisk require BeyondCorp Enterprise).

  4. Now that the events are turned on, click the blue "Reporting connector provider configurations" link to open the connector provider configurations, or navigate to Devices > Chrome > Connectors.

  5. Click the New Provider Configuration button and select Palo Alto Networks as the provider.

  6. Enter the configuration name that you want this connector to display as in the Google Admin console.

  7. Enter the hostname of your Palo Alto Networks instance and the ingest token value from step 4 of the previous section.

    • You can find your instance URL under Settings > Configurations > Data Collection > Custom Collectors by selecting the collector that you just created.

    • Click the three dots and select Copy API URL.

    • Use only the host part of that URL as the hostname in the Admin console: drop the "https://" prefix and everything from the first "/" onward. For example, the API URL https://chrome.xdr.us.paloaltonetworks.com/logs/v1/event gives the hostname chrome.xdr.us.paloaltonetworks.com.

  8. Click Add Configuration to save.

  9. Select the organizational unit that has event reporting enabled, select the Palo Alto Networks connector configuration that was created in the previous step, and click Save.
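Before pointing an organizational unit at the new connector, it is worth confirming that the token from the Cortex XDR section and the hostname derived in step 7 actually work together, so that a mistyped hostname or a stale token does not silently drop every browser event. The script below is an added example and is not code from Google or Palo Alto Networks. It assumes the Cortex XDR HTTP collector accepts an HTTP POST to /logs/v1/event with the token in an Authorization header and a JSON body (as Palo Alto Networks documents for HTTP collectors); the sample event body and the environment variable names XDR_API_URL and XDR_TOKEN are this example's own and are not Chrome's real event schema.

```shell
#!/bin/sh
# Added example, not from the Chrome Enterprise or Palo Alto Networks docs.
# Two checks for the connector setup described above:
#   1. derive the bare hostname the Admin console wants from the "Copy API URL" value;
#   2. post one constructed JSON event to the HTTP collector with the generated token,
#      so a wrong token or hostname is caught before Chrome is configured to use it.
# Assumption: the collector takes POST https://<host>/logs/v1/event with
# "Authorization: <token>" and a JSON body. The event fields are made up for
# this smoke test and do not mirror Chrome's event reporting schema.

# xdr_hostname URL -> prints the host part only (scheme, port and path removed)
xdr_hostname() {
  url=$1
  host=${url#*://}      # drop "https://"
  host=${host%%/*}      # drop "/logs/v1/event" and anything after the first "/"
  host=${host%%:*}      # drop an explicit port, if one was pasted in
  printf '%s\n' "$host"
}

# xdr_host_is_sane HOST -> 0 if the host is a Palo Alto Networks tenant host
xdr_host_is_sane() {
  case $1 in
    *.paloaltonetworks.com) return 0 ;;
    *) return 1 ;;
  esac
}

# xdr_send_test_event HOST TOKEN -> prints the HTTP status from the collector.
# A 2xx means the dataset accepted the event; 401/403 points at the token,
# a DNS error or 404 points at the hostname.
xdr_send_test_event() {
  host=$1; token=$2
  # Constructed sample event; field names are illustrative only.
  body=$(printf '{"source":"chrome-connector-smoke-test","event":"manual_check","ts":"%s"}' \
         "$(date -u +%Y-%m-%dT%H:%M:%SZ)")
  curl -sS -o /dev/null -w '%{http_code}\n' \
    -X POST "https://$host/logs/v1/event" \
    -H "Authorization: $token" \
    -H "Content-Type: application/json" \
    --data "$body"
}

# Usage:
#   XDR_API_URL="https://chrome.xdr.us.paloaltonetworks.com/logs/v1/event" \
#   XDR_TOKEN="<token from Save & Generate Token>" sh check_xdr.sh
# Nothing is sent unless both variables are set, so the functions can be
# sourced and tested offline.
if [ -n "${XDR_API_URL:-}" ] && [ -n "${XDR_TOKEN:-}" ]; then
  h=$(xdr_hostname "$XDR_API_URL")
  xdr_host_is_sane "$h" || { echo "unexpected host: $h" >&2; exit 1; }
  echo "hostname for the Admin console: $h"
  echo "collector responded with HTTP $(xdr_send_test_event "$h" "$XDR_TOKEN")"
fi
```

After the test event lands, query the <vendor>_<product>_raw dataset in Cortex XDR to confirm it arrived in the dataset you expect; only then enable the connector for the organizational unit.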

You can also download the setup guide here or watch the step-by-step setup video.

Chrome's integration work with Palo Alto Networks is just one example of how Google is supporting Palo Alto Networks customers. Last year, we announced an expanded partnership that brings together BeyondCorp Enterprise from Google Cloud and Prisma® Access from Palo Alto Networks. This integration offers hybrid users a secure enterprise browsing experience and enables zero trust access to applications from unmanaged devices through Chrome.

Our commitment to help businesses work safer on the web remains constant. See why Chrome is the most trusted enterprise browser here.

*Available through BeyondCorp Enterprise

