Configure a Google Cloud project for Chronicle

During the onboarding process, your Chronicle representative works with you to bind your Chronicle instance to a Google Cloud project within a Google Cloud organization that you own.

Using the steps in this document, you create a project in a Google Cloud organization that you own and enable the Chronicle API.

This project creates a control layer for you to enable, inspect, and manage access to audit logs generated in Chronicle written to Cloud Audit Logs, create custom ingestion outage alerts using Cloud Monitoring, and store exported historical data. You can set up permissions in the project to grant it access to Chronicle APIs, allowing Chronicle to read and write data to the project.

Because the established control layer created by your Google Cloud project stores sensitive security telemetry, we recommend provisioning a new Google Cloud project specifically for Chronicle. You may also choose to bind Chronicle to an existing project, but be aware of how associated existing permissions and restrictions may impact their Chronicle experience.

There is a one-to-one relationship between a Chronicle instance and a Google Cloud project. You choose a single project that binds to Chronicle. If you have multiple organizations, select one organization where you create this project. You cannot bind Chronicle to multiple projects.

Before you begin

Make sure you have the permissions to perform the steps in this document. For information about required permissions for each phase of the onboarding process, see Required roles.

Create and configure a Google Cloud project

The following section describes the steps to create a project for Chronicle SIEM. For more information, see Create a project.

  1. Select the organization where you want to create a project.

  2. Click Create Project.

  3. In the New Project window, do the following:

    • Enter a project name.

      To help identify which project is bound to your Chronicle instance, we recommend that you use the following pattern for the project name:

      `CUSTOMER_FRONTEND_PATH-chronicle`
      

      Replace CUSTOMER_FRONTEND_PATH with your customer-specific identifier used in the URL to access your Chronicle instance. See Log in to Chronicle for an example. Your Chronicle representative can provide this value.

    • Select a billing account.

    • Enter the parent organization.

    • In the Location field, click Browse, and then select the organization or folder where you want the project to be located.

  4. Enable the Chronicle API in the project.

    1. Select the project that you created in the previous step.
    2. Navigate to APIs & Services > Library
    3. Search for Chronicle API.
    4. Select Chronicle API, and then click Enable.

      Search for Chronicle API

      For more detail, see Enabling an API in your Google Cloud project.

  5. Configure Essential Contacts to receive targeted notifications from Google Cloud. For more information, see Managing contacts for notifications.

    You may notice that a new service account has an IAM permission grant on the project. The service account name follows the pattern service-PROJECT_NUMBER@gcp-sa-chronicle.iam.gserviceaccount.com,

    where PROJECT_NUMBER is unique to the project. This service account has the role "Chronicle Service Agent".

    The service account exists in a project maintained by Chronicle. You can see this permission grant by navigating to the IAM page of your Google Cloud project, and then selecting the Include Google-provided role grants checkbox in the upper right-hand corner.

    If you don't see the new service account, check that the Include Google-provided role grants button is enabled on the IAM page.

What's next

After completing the steps in this document, perform the following:

  • Apply security and compliance controls to the project to satisfy your business use case and organization policies. For more information about how to do this, see Assured Workloads documentation. Compliance restrictions associated with your Google Cloud organization or required by projects are not applied by default.
  • Configure a third-party identity provider for Chronicle.
  • Enable Chronicle audit logging. Chronicle writes Data Access audit logs and Admin Activity audit logs to the project. You cannot disable Data Access logging using Google Cloud console. If you want to disable Data Access logging, contact your Chronicle representative, who can disable this for you.