# Google Security Operations (Chronicle)

### Overview

Keeper supports event streaming into Google Security Operations, formerly known as Google Chronicle. External logging is real-time, and new events will appear almost immediately. Setup instructions are below.

{% stepper %}
{% step %}

### Create an API Key

* Go to the Google Cloud console and select the project associated to your Google Security Operations (Chronicle) environment.
* Select **APIs & Services** > **Credentials** and **create a new Credential** > **API Key**.
* After creating the API key, edit the key and apply restrictions. 
* Ensure that the API key is restricted to "**Chronicle API**" capabilities only.
* Save this `API key` for step 3 below.

<figure><img src="/files/aNuNTgWIBmaG6reFmYVF" alt=""><figcaption><p>API Key</p></figcaption></figure>
{% endstep %}

{% step %}

### Create a Feed

From your Google Security Operations tenant:

* Go to **Settings** > **Feeds** > **Add Feed**
* Select Source Type of "Webhook" and then select Log Type of "Keeper Enterprise Security"
* Select **Next** and then **Submit**.
* When prompted, generate the `Secret Key` and save it for the step 3.
* Also, copy the `Feed Endpoint` and save this for step 3.

<figure><img src="/files/UbLPO6Mow54F6qThnSp0" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/ctbOU36c9K2sOoHD078d" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/Qmz2qaNdY8x55seIbzMQ" alt=""><figcaption><p>Feed Secret Key</p></figcaption></figure>

<figure><img src="/files/Nyhsc1TzJVhiicBbbJ67" alt=""><figcaption><p>Endpoint Information</p></figcaption></figure>
{% endstep %}

{% step %}

### Activate Integration

* From the **Keeper Admin Console**, go to **Reporting & Alerts** > **External Logging**
* Select **Google Security Operations**
* Provide `API Key` from step 1, `Feed Endpoint` and `Feed Secret Key` from Step 2.
* Click **Test** and then **Save**.

<figure><img src="/files/uBrWtMo6woCvBw9EWtA1" alt=""><figcaption><p>Admin Console Settings</p></figcaption></figure>
{% endstep %}
{% endstepper %}

### Setup Complete!

When SIEM logs are sent from Keeper to Google, the data will begin to populate within 15 minutes.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.keeper.io/en/enterprise-guide/event-reporting/google-security-operations-chronicle.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.