Interpres Application - Google SecOps
- Type: SIEM/Data Lake
- Vendor: Google
This app integrates with Google SecOps to get Detections, Alerts and Telemetry.
Vendor setup
Enable Chronicle API access
- Under the Project Menu -> Enabled APIs & services
- In the top bar search for Chronicle API
- If the API is not enabled for the project, use the Manage button to enable it
For Standard and Enterprise customers
- Enable Data export under Settings -> SIEM Settings -> Data export. It might add extra costs to the project. Only the ingestion_metrics table is required; although it does not appear in the list, it is exported by default.
- Contact Google support to create a Service Account to access detections and alerts, with the role roles/chronicle.viewer (or add permissions to list alerts and rules).
- Contact Google support to create a Service Account with these roles to access BigQuery data on the linked GCP project: roles/bigquery.jobUser and roles/bigquery.dataViewer.
For Enterprise Plus customers
- Contact Google support to create a Service Account to access detections and alerts, with the role roles/chronicle.viewer (or add permissions to list alerts and rules).
- Contact Google support to create a Service Account with these roles to access BigQuery data: roles/bigquery.jobUser and roles/bigquery.dataViewer.
App Configuration
App Parameters:
- Base URL: SecOps API base URL (e.g. https://backstory.googleapis.com)
- Credentials: The entire contents of the Google Cloud OAuth2 credential.json file
- BigQuery Credentials: The entire contents of the Google Cloud OAuth2 credential.json file, used for BigQuery access
- BigQuery Project Name: Project name that contains the table datalake.ingestion_metrics
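A pre-flight check for the four App Parameters above, added here as an example and not part of the Interpres app or Google's tooling. It assumes the two credential parameters hold Google service-account key files, that the Base URL is a googleapis.com endpoint, and uses a constructed sample key with a placeholder private key.

```python
import json
import re
from typing import Dict, List

# Fields every Google service-account key file carries.
KEY_FIELDS = ("type", "project_id", "client_email", "private_key")
# GCP project id format: 6-30 chars, lowercase letters, digits and hyphens, starts with a letter.
PROJECT_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")


def check_service_account_key(raw: str) -> List[str]:
    """Return the problems found in a pasted credential.json (empty list = looks sane)."""
    problems = []
    try:
        key = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"credential is not valid JSON: {exc.msg}"]
    for field in KEY_FIELDS:
        if not key.get(field):
            problems.append(f"missing field: {field}")
    # A downloaded OAuth *client* file ({"installed": ...} / {"web": ...}) is a common paste mistake.
    if key.get("type") != "service_account":
        problems.append("type must be 'service_account' (user OAuth client files will not work)")
    pk = key.get("private_key", "")
    if pk and not pk.startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM-encoded private key")
    return problems


def check_app_parameters(params: Dict[str, str]) -> List[str]:
    """Validate Base URL, both credential files and the BigQuery project name before saving."""
    problems = []
    url = params.get("base_url", "").rstrip("/")
    if not url.startswith("https://") or not url.endswith("googleapis.com"):
        problems.append("base_url must be an https://...googleapis.com endpoint")
    for name in ("credentials", "bigquery_credentials"):
        problems += [f"{name}: {p}" for p in check_service_account_key(params.get(name, ""))]
    if not PROJECT_ID_RE.match(params.get("bigquery_project", "")):
        problems.append("bigquery_project is not a valid GCP project id")
    return problems


# Constructed sample key (not a real credential): the private_key body is a placeholder.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-secops-project",
    "client_email": "interpres@example-secops-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
})
SAMPLE_PARAMS = {
    "base_url": "https://backstory.googleapis.com",
    "credentials": SAMPLE_KEY,
    "bigquery_credentials": SAMPLE_KEY,
    "bigquery_project": "example-secops-project",
}
```

Run `check_app_parameters(SAMPLE_PARAMS)` before creating the integration; an empty list means the values are well-formed, while an `http://` Base URL or a pasted OAuth client file is reported by name.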
App Validation
Check there is connectivity (green light) in the integration created.
Implemented Actions
- Get Detections: Gets the latest version of rules.
- Get Alerts: Gets the latest asset-based and user-based alerts.
- Get Available Telemetry: Queries the BigQuery table ingestion_metrics and returns a list of telemetry identifiers with their current status.