Ingest BeyondCorp Enterprise data to Chronicle

This page explains how you can connect your organization to Chronicle, enable the Identity-Aware Proxy (IAP) API, and set up feeds to ingest the following data to Chronicle.

Before you begin

Before you set up feeds to ingest BeyondCorp Enterprise data, complete the following tasks:

Enable the Cloud Identity API and create a service account

  1. In the Google Cloud console, select the Google Cloud project for which you want to enable the API, and then go to the APIs & Services page:

  2. Click Enable APIs and Services.

  3. Search for "Cloud Identity API".

  4. In the search results, click Cloud Identity API.

  5. Click Enable.

  6. Create a service account:

    1. In the Google Cloud console, select IAM & Admin > Service Accounts.
    2. Click on Create service account.
    3. On the Create service account page, enter a name for the service account.
    4. Click Done.
  7. Click on the service account that you created.

  8. Copy and save the ID that appears in the Unique ID field. You use this ID when you create a domain-wide delegation.

  9. Select the Keys tab.

  10. Click Add key > Create new key.

  11. Select JSON as the Key type.

  12. Click Create.

  13. Copy and save the JSON key. You use this key when you set up feeds.

For more information, see Enable the Cloud Identity API and create a service account to authenticate the API.

Create a domain-wide delegation

To control API access for the service account using domain-wide delegation, do the following:

  1. From the Google Admin console Home page, select Security > Access and Data Controls > API Controls.
  2. Select Domain-wide delegation > Manage Domain-Wide Delegation.
  3. Click Add new.
  4. Enter the service account client ID. The service account client ID is the unique ID that you obtained when you created a service account.
  5. In OAuth scopes, enter https://www.googleapis.com/auth/cloud-identity.devices.readonly.
  6. Click Authorize.

For more information, see Control API access with domain-wide delegation.

Create a user for impersonation

  1. From the Google Admin console Home page, select Directory > Users.
  2. To add a new user, do the following:
    1. Click Add new user.
    2. Enter a name for the user.
    3. Enter the email address associated with the user.
    4. Click Create, and then click Done.
  3. To create a new role and assign a privilege, do the following:
    1. Click on the newly created user name.
    2. Click Admin roles and privileges.
    3. Click Create custom role.
    4. Click Create new role.
    5. Enter a name for the role.
    6. Select Services > Mobile Devices Management, and then select the Manage Devices and Setting privilege.
    7. Click Continue.
  4. To assign the role to the user, do the following:
    1. Click Assign Users.
    2. Navigate to the newly created user and click Assign Role.

Set up feeds to ingest BeyondCorp Enterprise logs

  1. Click the Application menu icon, and select the Settings option.

  2. Navigate to the Feeds page. The data feeds listed on this page include all the feeds Chronicle has configured for your account in addition to the feeds you have configured.

    For more details, see the Feed Management user guide.

  3. On the Feeds page, click Add new. The Add new window appears.

  4. In the Source type list, select Third party API.

  5. In the Log type list, select either GCP Cloud Identity Devices or GCP Cloud Identity Device Users.

  6. Click Next.

  7. On the Input parameters tab, specify the following details:

    • OAuth JWT endpoint. Enter https://oauth2.googleapis.com/token.
    • JWT claims issuer. Specify <insert_service_account@project.iam.gserviceaccount.com>. This is the service account you created in the section Enable the Cloud Identity API and create a service account.
    • JWT claims subject. Enter the email of the user that you created in the section Create a user for impersonation.
    • JWT claims audience. Enter https://oauth2.googleapis.com/token.
    • RSA private key. Enter the JSON key that was created when you created a service account to authenticate the API.
    • API version. Optional. You can leave this field blank.
  8. Click Next.

  9. On the Finalize tab, review the values that you entered and then click Submit.
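A pre-flight check for the Input parameters step, as an added example that is not part of the original page or of Chronicle: it cross-checks the feed fields against the service account JSON key and builds the claim set and unsigned signing input of a standard Google service-account JWT. It assumes the feed signs that standard claim set; the function names and the sample key, account and user values are constructed for illustration.

```python
import base64, json, time

TOKEN_URL = "https://oauth2.googleapis.com/token"
SCOPE = "https://www.googleapis.com/auth/cloud-identity.devices.readonly"

def b64url(obj):
    raw = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def check_feed_params(key_json, issuer, subject, audience, delegated_client_id):
    """Return a list of mismatches between the feed fields and the JSON key."""
    key = json.loads(key_json)
    problems = []
    if key.get("type") != "service_account":
        problems.append("key is not a service account key")
    if not key.get("private_key", "").startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is missing or not PEM")
    if issuer != key.get("client_email"):
        problems.append("JWT claims issuer does not match client_email in the key")
    if delegated_client_id != key.get("client_id"):
        problems.append("delegated client ID does not match client_id in the key")
    if audience != TOKEN_URL or key.get("token_uri") != TOKEN_URL:
        problems.append("audience or token_uri is not the OAuth JWT endpoint")
    if "@" not in subject or subject.endswith(".gserviceaccount.com"):
        problems.append("JWT claims subject must be the impersonated user's email")
    return problems

def build_claims(issuer, subject, audience, now=None, lifetime=3600):
    # Google accepts a lifetime of at most one hour for this assertion.
    now = int(time.time()) if now is None else now
    return {"iss": issuer, "sub": subject, "aud": audience,
            "scope": SCOPE, "iat": now, "exp": now + lifetime}

def signing_input(claims, key_id):
    # The RS256 signature over this string is made with the key's private_key.
    header = {"alg": "RS256", "typ": "JWT", "kid": key_id}
    return b64url(header) + "." + b64url(claims)

# Constructed sample key: placeholder values, not a real credential.
SAMPLE_KEY = json.dumps({
    "type": "service_account", "private_key_id": "0000placeholder",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "feed-sa@example-project.iam.gserviceaccount.com",
    "client_id": "100000000000000000001", "token_uri": TOKEN_URL})

if __name__ == "__main__":
    args = ("feed-sa@example-project.iam.gserviceaccount.com",
            "device-reader@example.com", TOKEN_URL)
    print(check_feed_params(SAMPLE_KEY, *args, "100000000000000000001"))
    print(signing_input(build_claims(*args), "0000placeholder"))
```

An empty list means the issuer, subject, audience and delegated client ID are consistent with the key; swapping the issuer and subject fields is reported as two separate mismatches.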