
Interpres Application - Google SecOps

  • Type: SIEM/Data Lake
  • Vendor: Google

This app integrates with Google SecOps to get Detections, Alerts and Telemetry.

Vendor setup

For Standard and Enterprise customers:

  1. Enable Data export under Settings -> SIEM Settings -> Data export. This may add extra costs to the project. Only the ingestion_metrics table is needed; it does not appear in the list, but once export is enabled it is exported by default.
  2. Enable Backstory API access in the project and add this role to a service account to access detections and alerts (available through the customer management API using the getCustomer endpoint):
     • roles/chronicle.viewer (or add permissions to list alerts and rules)
  3. On the linked GCP project, enable BigQuery API access and add these roles to a service account to access BigQuery data:
     • roles/bigquery.jobUser
     • roles/bigquery.dataViewer

For Enterprise Plus customers:

  1. Enable Backstory API access in the project and add this role to a service account to access detections and alerts (available through the customer management API using the getCustomer endpoint):
     • roles/chronicle.viewer (or add permissions to list alerts and rules)
  2. Enable BigQuery API access in the project and add these roles to a service account to access BigQuery data (available through the customer management API using the getCustomer endpoint):
     • roles/bigquery.jobUser
     • roles/bigquery.dataViewer

App Configuration

App Parameters:

  • Base URL: SecOps API base URL (e.g. https://backstory.googleapis.com)

  • Credentials: The entire contents of the Google Cloud OAuth2 credential.json file of the service account that was granted roles/chronicle.viewer in the vendor setup

  • BigQuery Credentials: The entire contents of the Google Cloud OAuth2 credential.json file of the service account that was granted the BigQuery roles, used for BigQuery access

  • BigQuery Project Name: Name of the GCP project that contains the table datalake.ingestion_metrics
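Both credential parameters expect the key file of a service account, not an OAuth client or application-default credential, and pasting the wrong kind of JSON is a common cause of a failed connectivity check. The Python below is an added example, not code from the Interpres app or this page: it validates the pasted JSON the way a pre-flight check would, and shows how that same key authenticates a call to the alerts endpoint. The scope `https://www.googleapis.com/auth/chronicle-backstory`, the `/v1/alert/listalerts` path and its `start_time`/`end_time`/`page_size` parameters are assumptions taken from the Chronicle Backstory API; the sample key is constructed and non-functional.

```python
"""Check the pasted credential and request alerts from the SecOps (Backstory) API.

Added example; endpoint path, scope and parameter names are assumptions taken
from the Chronicle Backstory alerts API, not from the Interpres app itself.
"""
import json
from datetime import datetime, timedelta, timezone

BACKSTORY_SCOPE = "https://www.googleapis.com/auth/chronicle-backstory"  # assumed scope
ALERTS_PATH = "/v1/alert/listalerts"  # assumed endpoint for asset- and user-based alerts
REQUIRED_KEY_FIELDS = ("type", "project_id", "private_key", "client_email", "token_uri")

# Constructed, non-functional key with the shape of a real service-account file.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n",
    "client_email": "secops-reader@example-project.iam.gserviceaccount.com",
    "token_uri": "https://oauth2.googleapis.com/token",
})


def load_service_account_key(raw: str) -> dict:
    """Parse the Credentials parameter and reject anything that is not a service-account key.

    Pasting an OAuth client file ("installed"/"web") or an application-default
    credential instead of the key of the service account that holds
    roles/chronicle.viewer is a common cause of a failed connectivity check.
    """
    try:
        info = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"credentials are not valid JSON: {exc}") from None
    if not isinstance(info, dict) or info.get("type") != "service_account":
        raise ValueError('credentials must be a service-account key (type == "service_account")')
    missing = [field for field in REQUIRED_KEY_FIELDS if not info.get(field)]
    if missing:
        raise ValueError(f"service-account key is missing fields: {', '.join(missing)}")
    if not str(info["private_key"]).startswith("-----BEGIN PRIVATE KEY-----"):
        raise ValueError("private_key is not a PEM-encoded PKCS#8 key")
    return info


def is_service_account_key(raw: str) -> bool:
    """Boolean form of load_service_account_key for quick pre-flight checks."""
    try:
        load_service_account_key(raw)
        return True
    except ValueError:
        return False


def time_window(end_epoch: int, hours: int) -> tuple[str, str]:
    """Return an RFC 3339 UTC (start_time, end_time) pair ending at end_epoch seconds."""
    end = datetime.fromtimestamp(end_epoch, tz=timezone.utc)
    start = end - timedelta(hours=hours)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return start.strftime(fmt), end.strftime(fmt)


def alerts_request(base_url: str, start: str, end: str, page_size: int = 100) -> tuple[str, dict]:
    """Build the URL and query parameters for the alerts listing call."""
    url = base_url.rstrip("/") + ALERTS_PATH
    return url, {"start_time": start, "end_time": end, "page_size": page_size}


def list_alerts(base_url: str, credentials_raw: str, hours: int = 24) -> dict:
    """Fetch alerts for the last `hours` hours; needs network access and google-auth (imported lazily)."""
    from google.auth.transport.requests import AuthorizedSession  # pip install google-auth requests
    from google.oauth2 import service_account

    info = load_service_account_key(credentials_raw)
    creds = service_account.Credentials.from_service_account_info(info, scopes=[BACKSTORY_SCOPE])
    session = AuthorizedSession(creds)
    now = int(datetime.now(timezone.utc).timestamp())
    url, params = alerts_request(base_url, *time_window(now, hours))
    resp = session.get(url, params=params, timeout=60)
    resp.raise_for_status()  # a 403 here usually means the role from the vendor setup is missing
    return resp.json()


if __name__ == "__main__":
    print(load_service_account_key(SAMPLE_KEY_JSON)["client_email"])
    print(alerts_request("https://backstory.googleapis.com", *time_window(1_700_000_000, 24)))
```

The validation runs offline; only `list_alerts` needs network access and the google-auth package, which is why its imports are local to the function. Run `is_service_account_key` on the pasted text before saving the app configuration, and keep the key file itself out of version control.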

App Validation

Check that the created integration shows connectivity (green light).

Implemented Actions

  • Get Detections: Gets detections from the latest version of the rules.

  • Get Alerts: Gets the latest asset-based and user-based alerts.

  • Get Available Telemetry: Queries BigQuery ingestion_metrics and returns a list of telemetry identifiers with their current status.
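One way to build such a telemetry check over the exported table, as an added example rather than the app's own implementation: the query aggregates datalake.ingestion_metrics per log type over a lookback window, and the classifier turns the rows into identifiers with a status of active, stale or missing. The column names `log_type`, `timestamp` and `total_entries` are assumptions about the export schema (check them in your project), the 24-hour staleness threshold is a chosen default, and the sample rows are constructed. The project id is validated before it is interpolated into the table path, since BigQuery does not accept a query parameter there.

```python
"""Classify telemetry sources from datalake.ingestion_metrics as active, stale or missing.

Added example; the column names (log_type, timestamp, total_entries) are
assumptions about the export schema, not something the Interpres page states.
"""
import json
import re
from datetime import datetime, timedelta, timezone

PROJECT_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")

# Parameterised lookback; the project id is validated before it is interpolated
# into the table path, since it cannot be passed as a query parameter.
TELEMETRY_SQL = """
SELECT
  log_type,
  MAX(timestamp) AS last_seen,
  SUM(total_entries) AS entries
FROM `{project}.datalake.ingestion_metrics`
WHERE timestamp >= TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL @lookback_hours HOUR)
GROUP BY log_type
ORDER BY log_type
"""

# Constructed sample rows in the shape the query above returns.
SAMPLE_NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_ROWS = [
    {"log_type": "WINDOWS_DNS", "last_seen": datetime(2024, 5, 1, 11, 55, tzinfo=timezone.utc), "entries": 1200},
    {"log_type": "OKTA", "last_seen": datetime(2024, 4, 29, 9, 0, tzinfo=timezone.utc), "entries": 40},
    {"log_type": "GCP_CLOUDAUDIT", "last_seen": datetime(2024, 5, 1, 11, 0, tzinfo=timezone.utc), "entries": 0},
]


def is_valid_project_id(project: str) -> bool:
    """GCP project ids are 6-30 lowercase letters, digits and hyphens, starting with a letter."""
    return bool(PROJECT_ID_RE.match(project))


def classify_telemetry(rows, now, expected=(), stale_after=timedelta(hours=24)):
    """Return one record per telemetry identifier (log type) with its status.

    active  - entries were ingested within stale_after
    stale   - the source has rows but nothing recent, or only zero-entry rows
    missing - an expected source has no rows at all in the lookback window
    """
    result = {}
    for row in rows:
        ident = row["log_type"]
        entries = int(row["entries"] or 0)
        recent = (now - row["last_seen"]) <= stale_after
        result[ident] = {
            "identifier": ident,
            "last_seen": row["last_seen"].isoformat(),
            "entries": entries,
            "status": "active" if recent and entries > 0 else "stale",
        }
    for ident in expected:
        result.setdefault(ident, {"identifier": ident, "last_seen": None, "entries": 0, "status": "missing"})
    return sorted(result.values(), key=lambda r: r["identifier"])


def telemetry_status(rows, now, expected=()):
    """Condensed {identifier: status} view of classify_telemetry."""
    return {r["identifier"]: r["status"] for r in classify_telemetry(rows, now, expected)}


def fetch_telemetry(project: str, credentials_raw: str, lookback_hours: int = 168, expected=()):
    """Run the query with the BigQuery credentials from the app parameters (needs network access)."""
    from google.cloud import bigquery  # pip install google-cloud-bigquery
    from google.oauth2 import service_account

    if not is_valid_project_id(project):
        raise ValueError(f"not a valid GCP project id: {project!r}")
    creds = service_account.Credentials.from_service_account_info(json.loads(credentials_raw))
    client = bigquery.Client(project=project, credentials=creds)  # needs bigquery.jobUser and dataViewer
    job_config = bigquery.QueryJobConfig(
        query_parameters=[bigquery.ScalarQueryParameter("lookback_hours", "INT64", lookback_hours)]
    )
    job = client.query(TELEMETRY_SQL.format(project=project), job_config=job_config)
    rows = [{"log_type": r.log_type, "last_seen": r.last_seen, "entries": r.entries} for r in job.result()]
    return classify_telemetry(rows, datetime.now(timezone.utc), expected)


if __name__ == "__main__":
    for record in classify_telemetry(SAMPLE_ROWS, SAMPLE_NOW, expected=("CROWDSTRIKE_EDR",)):
        print(record)
```

Passing the list of log types you expect to see as `expected` is what turns a silent feed outage into a "missing" entry instead of an absent row; a source that keeps producing zero-entry rows (a collector that is up but forwarding nothing) is reported as stale rather than active for the same reason.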