This guide helps you set up the Google SecOps security device in Workbench.
Scope and Limitations
When choosing to set up this integration, remember the following:
- We only poll for the alert events themselves (custom and curated), and not the raw events/logs that you may be sending to your SecOps instance.
Prerequisites
- You must have already onboarded a Google SecOps instance. If you need help with this step, see Onboard a Google SecOps Instance.
- You must know which Google Cloud project your Google SecOps instance is linked to, as you will create the Expel service account and grant console access within that project.
Quick Links
Setup includes the following steps (select any step for detailed instructions):
- Enable the Chronicle API in Google
- Create the Service Account for Expel
- Grant Console Access in Google
- Obtain Necessary Cloud Project Details
- Add Google Security Operations (Google SecOps) as a Security Device in Workbench
- Troubleshooting
Step 1: Enable the Chronicle API in Google
You must first enable the Chronicle API for your chosen GCP project, or verify that it is already enabled. Remember that you must have already configured a Google SecOps instance and linked it to a GCP project.
- Log in to the Google Cloud console.
- Go to https://console.cloud.google.com/apis/library/chronicle.googleapis.com to view the Chronicle API.
- If your GCP project (linked to the Google SecOps instance) is not already selected, locate and select it.
- Look for an Enabled message. If the API is not enabled for the project, use the Manage button to enable it.
Step 2: Create the Service Account for Expel
You must create a service account to enable view-only access to your environment.
- Still in the Google Cloud console, make sure you are in the correct project.
- In the main menu, navigate to IAM & Admin > Service Accounts.
- Select Create service account.
- Enter the service account details:
- Service account name - enter an account name for Expel (example: Expel-SecOps).
- Service account ID - leave as is.
- Service account description - optional; you can enter a description like "Used by Expel" if you wish.
- Select Create and continue.
- In Permissions, assign the Chronicle API Viewer role (this is a built-in role that provides us with read-only access to your SecOps environment).
- Select Continue.
- Leave the Principals with access fields blank.
- Select Done.
- Locate the new account in the list (it will not yet have a Key ID), click the three dots in the Actions column, then select Manage keys.
- Select Add key, then select Create new key.
- Select JSON as the key type.
- Select Create. A JSON file will be automatically downloaded to your machine, which you will need in a future step. Treat this file as a secret: it is a long-lived credential that grants read access to your SecOps data, so store it where only the people completing this setup can reach it and delete the local copy once it has been entered in Workbench.
- Close the window.
Step 3: Grant Console Access in Google
Instead of following these steps, you can create a separate user account in your own environment and assign it the Chronicle API Viewer role (this option may be preferable if you already created an account for Expel to provide console access for other integrations). If you go this route, retain the username, password and, if applicable, the two-factor secret key; you will need them when you set up the security device in Workbench. Why do we need console access?
- Still in the Google Cloud console, navigate to IAM & Admin > IAM.
- Select Grant access.
- Enter "expel_analyst@expel.io" as the principal name.
- Assign the Chronicle API Viewer role.
- Select Save.
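Steps 1 through 3 can also be done from the gcloud CLI. The script below is an added example, not part of the original guide or Expel's own tooling. It assumes gcloud is installed and authenticated as a principal that can enable services and edit IAM in the project, that the built-in Chronicle API Viewer role has the IAM ID roles/chronicle.viewer, and it uses the service account name expel-secops and the key file name expel-secops-key.json as placeholders you can change. Set DRY_RUN=1 to print the commands instead of running them, which is a convenient way to review exactly what will be granted before touching the project.

```bash
#!/usr/bin/env bash
# Added example: gcloud equivalent of Steps 1-3 of the Expel SecOps setup.
# Not from the original guide. Assumes gcloud is authenticated with rights to
# enable services and edit IAM bindings in the target project, and that the
# "Chronicle API Viewer" role is roles/chronicle.viewer.
# DRY_RUN=1 prints each gcloud command instead of executing it.

set -u

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1: enable the Chronicle API on the project linked to the SecOps instance.
enable_chronicle_api() {
  project="$1"
  run gcloud services enable chronicle.googleapis.com --project="$project"
}

# Step 2: create the view-only service account, bind the read-only role at
# project scope, and mint a JSON key for Workbench.
create_expel_service_account() {
  project="$1"
  name="${2:-expel-secops}"                  # placeholder account ID
  keyfile="${3:-expel-secops-key.json}"      # placeholder key file name
  sa_email="${name}@${project}.iam.gserviceaccount.com"

  run gcloud iam service-accounts create "$name" \
      --project="$project" --display-name="Expel SecOps (read-only)"
  run gcloud projects add-iam-policy-binding "$project" \
      --member="serviceAccount:${sa_email}" --role="roles/chronicle.viewer"
  run gcloud iam service-accounts keys create "$keyfile" \
      --iam-account="$sa_email" --project="$project"
  # The key is a long-lived secret: restrict it to the current user right away.
  [ "${DRY_RUN:-0}" = "1" ] || chmod 600 "$keyfile"
}

# Step 3: give the shared Expel analyst identity the same read-only role.
grant_expel_console_access() {
  project="$1"
  principal="${2:-expel_analyst@expel.io}"
  run gcloud projects add-iam-policy-binding "$project" \
      --member="user:${principal}" --role="roles/chronicle.viewer"
}

# Example invocation (uncomment and replace the project ID):
# enable_chronicle_api my-gcp-project
# create_expel_service_account my-gcp-project
# grant_expel_console_access my-gcp-project
```

Review the dry-run output before executing: every binding should be exactly roles/chronicle.viewer on the project you identified in the prerequisites, and nothing broader.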
Step 4: Obtain Necessary Cloud Project Details
You will need this information to successfully set up the security device in Workbench.
- Still in the Google Cloud console, access the Google SecOps console (find it at Security > Detections and Controls > Google SecOps). Make sure you know (or copy and save) your unique console URL, as you will need it in the next section.
- In the main menu, navigate to Settings > SIEM settings.
- In the Profile tab, copy and save these two details for use in the next section:
- GCP Project ID (copy the hyperlinked value itself; do not click on the hyperlink)
- Customer ID (this will be used as the Instance ID in Workbench)
Step 5: Add Google Security Operations (Google SecOps) as a Security Device in Workbench
Before you begin, make sure you have the JSON file that was downloaded to your machine in Step 2, the Google SecOps console URL and two Profile details from Step 4, and your regional endpoint.
- Log in to Workbench.
- In the side menu, navigate to Organization Settings > Security Devices. If you have multiple organizations, you must select the appropriate organization name from the list.
- Select Add Security Device.
- In the search box, enter “Google” and then select the Google Security Operations (Google SecOps) integration.
- Complete the fields as follows:
- Name - enter a name that might help you more easily identify this integration, such as “CompanyName SecOps”; this name will display in Workbench under the Name column, and is a text string that you can filter on.
- Location - enter the location of your integration, for example “cloud”; this is also a text string that you can filter on, so we recommend being consistent with location naming across your Expel integrations.
- Server credentials JSON - enter the contents of the JSON file that was downloaded to your machine during Step 2.
- Regional endpoints - select your regional endpoint (the U.S. multi-region endpoint is https://backstory.googleapis.com)
- Project ID - enter the GCP Project ID you saved in Step 4.
- Location - enter the Chronicle API location (region) of your SecOps instance; for most users this is simply "us" or "eu". This is a different field from the descriptive Location label above: it must match the region your instance is hosted in and should agree with the regional endpoint you selected.
- Instance ID - enter the Customer ID you saved in Step 4.
- Select Save.
- Select Set up now (recommended) from the console access dropdown. Why do we need console access?
- Complete the fields as follows:
- Console URL - enter your unique Google SecOps console URL. Example: https://abcde.backstory.chronicle.security/
- Username - enter "expel_analyst@expel.io", or enter your selected username if you chose to grant console access in your environment rather than following the steps in Step 3.
- Password - leave blank if the username is expel_analyst@expel.io, or enter the selected password if you chose to grant console access in your environment rather than following the steps in Step 3.
- Two-factor secret key - leave blank, or enter an applicable 2FA key if you chose to grant console access in your environment rather than following the steps in Step 3.
- Select Save.
- Your device should be created successfully within a few seconds. A few reminders:
- After your connection is healthy, it will take some time for your device to begin polling and receiving data.
- To check on the status, select the downward arrow for your device in the first column and choose View details.
- Polling will happen first; data will be received after that. You must refresh the page to see updates.
- If your device does not begin polling within 15 minutes, and does not begin receiving data within 30 minutes, contact our support team for help.
- To check if alerts are coming through, navigate to Dashboards > Alert Analysis. Scroll to the device you want to check and select the Expel Alerts tab to reveal more alert information. It can take 36 to 72 hours for alerts to appear after setup, as we tune your device.
Troubleshooting
If your device is not healthy after saving:
- Make sure you pasted the full JSON contents into the device details, with no extra spaces or characters in the text box, and that the project_id inside the key matches the Project ID you entered from Step 4.
- Make sure you entered the Expel username and password (if applicable) correctly.
- Verify that your SecOps console URL is correct, and that your 2FA key (if applicable) is still working properly.
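To rule out a partial paste or a key from the wrong project before re-entering the credentials, the following added shell check (not from the original guide or Expel's tooling) inspects the downloaded key file for the fields every Google service-account key carries and confirms that project_id and client_email belong to the GCP Project ID you copied in Step 4. The sample key it writes is constructed for illustration only, with a placeholder instead of a real private key, and the project ID example-project-123 is an assumption.

```bash
# Added example (not from the original guide): sanity-check a downloaded
# service-account key file before pasting it into Workbench.
# Usage: check_key_file <key.json> <gcp-project-id-from-step-4>
# Exit status 0 means every check passed; each failed check prints one line.

check_key_file() {
  key="$1"
  project="$2"
  fails=0

  # The pasted text must be the whole JSON object, with no leading or
  # trailing debris such as a shell prompt or a stray quote.
  first=$(tr -d ' \t\r\n' < "$key" | head -c 1)
  last=$(tr -d ' \t\r\n' < "$key" | tail -c 1)
  if [ "$first" != "{" ] || [ "$last" != "}" ]; then
    echo "FAIL: file does not start with '{' and end with '}' (partial copy or stray characters)"
    fails=$((fails + 1))
  fi

  # It must be a service-account key, not an OAuth client file or an API key.
  grep -q '"type": *"service_account"' "$key" \
    || { echo "FAIL: \"type\" is not service_account"; fails=$((fails + 1)); }

  # The key must belong to the project linked to the SecOps instance (Step 4).
  grep -q "\"project_id\": *\"$project\"" "$key" \
    || { echo "FAIL: project_id does not match $project"; fails=$((fails + 1)); }
  grep -Fq "@$project.iam.gserviceaccount.com" "$key" \
    || { echo "FAIL: client_email is not a service account in $project"; fails=$((fails + 1)); }

  # A truncated paste usually loses the end of the PEM block first.
  grep -q 'BEGIN PRIVATE KEY' "$key" && grep -q 'END PRIVATE KEY' "$key" \
    || { echo "FAIL: private_key PEM block is incomplete"; fails=$((fails + 1)); }

  [ "$fails" -eq 0 ]
}

# Constructed sample key for illustration only: the PEM body is a placeholder,
# not a real private key, and example-project-123 is an assumed project ID.
write_sample_key() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
{
  "type": "service_account",
  "project_id": "example-project-123",
  "private_key_id": "0123456789abcdef",
  "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
  "client_email": "expel-secops@example-project-123.iam.gserviceaccount.com",
  "client_id": "123456789012345678901",
  "token_uri": "https://oauth2.googleapis.com/token"
}
EOF
  echo "$f"
}

# Example invocation against the constructed sample:
# sample=$(write_sample_key)
# check_key_file "$sample" example-project-123 && echo "key looks complete"
```

Run it against the file actually downloaded in Step 2 with the Project ID from Step 4; a project mismatch here means the service account was created in a project other than the one linked to your SecOps instance, which no amount of re-pasting will fix.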