Link Chronicle to Google Cloud services

Chronicle depends on Google Cloud services for certain capabilities, such as authentication. This document describes how to configure a Chronicle instance to bind to these Google Cloud services. It provides information for users who are configuring a new Chronicle instance and those who are migrating an existing Chronicle instance.

Before you begin

Before you configure a Chronicle instance with Google Cloud services, you must do the following:

Complete one of the following sections depending on whether you are a new or an existing customer.

If you want to bind a Chronicle instance created for a managed security service provider (MSSP), contact your Chronicle Customer Engineer for help. The configuration requires assistance from a Chronicle representative.

Migrate an existing Chronicle instance

The following procedure describes how to connect an existing Chronicle instance with a Google Cloud project and configure SSO using IAM workforce identity federation services.

  1. Sign in to Chronicle.

  2. In the navigation bar, select Settings > SIEM Settings.

  3. Click Google Cloud Platform.

  4. Enter the Google Cloud project ID to link the project to the Chronicle instance.

  5. Click Generate Link.

  6. Click Connect to Google Cloud Platform. The Google Cloud console opens. If you entered an incorrect Google Cloud project ID in the Chronicle application, return to the Google Cloud Platform page in Chronicle and enter the correct project ID.

  7. From the Google Cloud console, go to Security > Chronicle SecOps.

  8. Verify the service account that was created for the Google Cloud project.

  9. Select the workforce provider you want to use for the Chronicle instance. You set this up when configuring workforce identity federation.

  10. Right-click the Test SSO setup link, and then open it in a private or incognito window.

After you complete these steps to bind the Google Cloud project to Chronicle, you can examine the Google Cloud project data in Chronicle, which lets you closely monitor your project for any type of security compromise.

Configure a new Chronicle instance

The following procedure describes how to set up a new Chronicle instance for the first time, after configuring the Google Cloud project and IAM workforce identity federation services to link to Chronicle.

If you are a new Chronicle customer, complete the following steps:

  1. Create a Google Cloud project and enable the Chronicle API. See Configure a Google Cloud project for Chronicle for more information.

  2. Provide your Chronicle Customer Engineer with the project ID you plan to bind to the Chronicle instance. After the Chronicle Customer Engineer initiates the process, you receive a confirmation email.

  3. Open the Google Cloud console, and then select the Google Cloud project that you provided in the previous step.

  4. Go to Security > Chronicle SecOps.

  5. If you have not enabled the Chronicle API, you will see a Getting Started button. Click the Getting Started button and then complete the guided steps to enable the Chronicle API.

  6. In the Company Information section, enter your company information, and then click Next.

  7. Review the service account information, and then click Next. Chronicle creates a service account in the project and sets the required roles and permissions.

  8. Select the workforce provider, and then click Next. You created the workforce provider when you configured workforce identity federation.

  9. Expand the Terms of Service. If you agree to the terms, click Start setup.

    It may take up to 15 minutes for the Chronicle instance to be provisioned. You will receive a notification after the instance is successfully provisioned. If the setup fails, contact your Google Cloud customer representative.
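
For the service account review in both procedures above (step 8 of the migration and step 7 of the new-instance setup), the following added example, which is not part of the original documentation or of Google's tooling, reports the roles each service account holds in a policy exported with gcloud projects get-iam-policy PROJECT_ID --format=json. The account names, roles and sample policy are constructed placeholders; this page does not list the roles Chronicle assigns, so the script only reports bindings and flags the basic Owner and Editor roles.

```python
from collections import defaultdict

# Basic roles grant project-wide access and deserve a second look
# when they appear on any service account.
BASIC_ROLES = {"roles/owner", "roles/editor"}

# Constructed sample in the shape printed by
#   gcloud projects get-iam-policy PROJECT_ID --format=json
# Member names and roles are placeholders, not the ones Chronicle creates.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/logging.viewer", "members": [
        "serviceAccount:chronicle-placeholder@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/editor", "members": [
        "serviceAccount:legacy-build@example-project.iam.gserviceaccount.com",
        "user:admin@example.com"]},
    {"role": "roles/owner", "members": ["user:admin@example.com"]},
]}


def service_account_roles(policy):
    """Map each service-account member to the sorted list of roles it holds."""
    roles = defaultdict(set)
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member.startswith("serviceAccount:"):
                roles[member.split(":", 1)[1]].add(binding["role"])
    return {sa: sorted(held) for sa, held in roles.items()}


def review(policy, expected_sa):
    """Return findings for the account shown in the console and any others."""
    by_sa = service_account_roles(policy)
    findings = []
    if expected_sa not in by_sa:
        findings.append(f"MISSING: {expected_sa} has no role bindings")
    for sa, held in sorted(by_sa.items()):
        broad = sorted(BASIC_ROLES.intersection(held))
        if broad:
            findings.append(f"BROAD: {sa} holds {', '.join(broad)}")
        if sa != expected_sa:
            findings.append(f"OTHER: {sa} holds {', '.join(held)}")
    return findings


if __name__ == "__main__":
    expected = "chronicle-placeholder@example-project.iam.gserviceaccount.com"
    for line in review(SAMPLE_POLICY, expected):
        print(line)
```

Pass the service account email shown on the Chronicle SecOps page as expected_sa, and load the exported policy with json.load in place of SAMPLE_POLICY.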

Change single sign-on (SSO) configuration

Complete the following steps to change the SSO configuration for Chronicle:

  1. Open the Google Cloud console, and then select the Google Cloud project that is bound to Chronicle.

  2. Go to Security > Chronicle SecOps.

  3. On the Overview page, click the Single Sign-On tab. This page displays the identity providers that you set up in Configuring a third-party identity provider for Chronicle.

  4. Use the Single Sign-On menu to change SSO providers.

  5. Right-click the Test SSO setup link, and then open it in a private or incognito window.

  6. Return to the Google Cloud console, and then click Security > Chronicle SecOps > Overview page > Single Sign-On tab.

  7. Click Save at the bottom of the page to update the new provider.

  8. Check that you can sign in to Chronicle.