Chrome Enterprise

Security insights from Chrome browser delivered with Splunk

June 7, 2022

https://storage.googleapis.com/gweb-cloudblog-publish/images/blog2880pxby1200px1980_x_888px_live_area.max-2600x2600.png

Fletcher Oliver

Chrome Enterprise Customer Engineer

Security insights from Chrome browser delivered with Splunk

Two weeks ago, we announced the Chrome Enterprise Connectors Framework, enabling plug-and-play integrations with industry-leading security solutions and platforms. Together with our security partners, this new framework will help organizations work toward a Zero Trust model to keep their corporate data and users secure.

With enterprise security being our shared top priority, Splunk, the data platform leader for security and observability, and Chrome have partnered on a new integration to collect, analyze, and extract insights from security events, including password changes, unapproved password reuse, data exfiltration, unsafe site visits, and malware transfer events within managed Chrome browsers. This allows organizations to see this critical web security information alongside their other key security data, empowering their IT and security teams to make better-informed security decisions. This feature is supported by the Google Chrome Add-on for Splunk available for Splunk Cloud Platform and Splunk Enterprise.

Enrolling machines in Chrome Browser Cloud Management

Getting started is easy. The first step is to make sure Chrome Browser Cloud Management is set up for your organization. This tool helps manage Chrome browser from a single, cloud-based Admin console, across Windows, Mac, Linux, and mobile devices at no additional cost. Setting up is simple. Check out this guide for steps on how to enroll your devices.

Once you have your machines enrolled in Chrome Browser Cloud management, you can easily set up the Splunk integration.

Setup in Splunk

In order to get set up, you will first log into your Splunk instance to add the Google Chrome add-on for Splunk. You will set up an HTTP Event Collectors (or HEC) and choose google:chrome:json for the source type. Copy the token value shown; you’ll need it for later.

https://storage.googleapis.com/gweb-cloudblog-publish/original_images/blog_gif_1.gif

Setup in Chrome Browser Cloud Management

Log into your Google Admin console at admin.google.com to set up the integration in Chrome Browser Cloud Management. You will enable the security events reporting by going to Devices > Chrome > Users and browsers and searching for “Chrome Enterprise connectors.” Select “Allow selected events” under “Security events reporting.” Optionally, you can disable certain events from being sent by going into “Additional Settings.”

https://storage.googleapis.com/gweb-cloudblog-publish/original_images/blog_gif_2.gif

Now that the events are turned on, click the blue link in the description of “Security event reporting” to go to the connector provider configurations (you can also find it under Devices > Chrome > Connectors.) Click the new provider configuration button and select Splunk. Enter the configuration name that you want this connector to display as in Google Admin console. Enter the domain name of your Splunk instance and the token id generated from the HEC Splunk creation and select add configuration to save. All you have to do is select the Organizational Unit in which the reporting events are turned on, select the Chrome Splunk connector that was just created and hit save. Your integration is all set!