Google Security Operations (Chronicle)

Integrating Keeper SIEM push to Google Security Operations (formerly Chronicle)

Overview

Keeper supports event streaming into Google Security Operations, formerly known as Google Chronicle. External logging is real-time, and new events will appear almost immediately. Setup instructions are below.

1. Create an API Key

  • Go to the Google Cloud console and select the project associated with your Google Security Operations (Chronicle) environment.

  • Select APIs & Services > Credentials and create a new Credential > API Key.

  • After creating the API key, edit the key and apply restrictions.

  • Ensure that the API key is restricted to "Chronicle API" capabilities only.

  • Save this API key for step 3 below.

2. Create a Feed

From your Google Security Operations tenant:

  • Go to Settings > Feeds > Add Feed

  • Select Source Type of "Webhook" and then select Log Type of "Keeper Enterprise Security"

  • Select Next and then Submit.

  • When prompted, generate the Secret Key and save it for step 3.

  • Also, copy the Feed Endpoint and save this for step 3.

3. Activate Integration

  • From the Keeper Admin Console, go to Reporting & Alerts > External Logging

  • Select Google Security Operations

  • Provide the API Key from step 1 and the Feed Endpoint and Feed Secret Key from step 2.

  • Click Test and then Save.


Setup Complete!

When SIEM logs are sent from Keeper to Google, the data will begin to populate within 15 minutes.
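
The API key, Feed Endpoint and Feed Secret Key from steps 1 and 2 can be checked on their own before they are entered in step 3. The script below is an added example, not part of Keeper's or Google's tooling; it assumes the webhook feed accepts the keys in the `X-goog-api-key` and `X-Webhook-Access-Key` headers, and the function names and test event are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check of the values gathered in steps 1 and 2.
# Assumed, not from this page: the header names X-goog-api-key and
# X-Webhook-Access-Key, and the constructed test event below.

# Reject values that commonly break the integration: a non-HTTPS endpoint,
# an empty key, or whitespace picked up while copying a key.
check_feed_inputs() {
  case "$1" in
    https://*) ;;
    *) echo "feed endpoint must start with https://" >&2; return 2 ;;
  esac
  [ -n "$2" ] || { echo "API key (step 1) is empty" >&2; return 3; }
  [ -n "$3" ] || { echo "feed secret key (step 2) is empty" >&2; return 4; }
  case "$2$3" in
    *[[:space:]]*) echo "key contains whitespace" >&2; return 5 ;;
  esac
  return 0
}

# Build a curl config for `curl --config -` so neither key appears in the
# process list.
curl_config() {
  printf 'url = "%s"\n' "$1"
  printf 'header = "X-goog-api-key: %s"\n' "$2"
  printf 'header = "X-Webhook-Access-Key: %s"\n' "$3"
  printf 'header = "Content-Type: application/json"\n'
}

# Usage: send_test_event ENDPOINT API_KEY FEED_SECRET
# DRY_RUN=1 (default) prints the request config with both keys redacted;
# DRY_RUN=0 posts one constructed event and prints the HTTP status code.
send_test_event() {
  check_feed_inputs "$1" "$2" "$3" || return $?
  event='{"source":"feed-preflight","message":"constructed test event"}'
  if [ "${DRY_RUN:-1}" = 1 ]; then
    curl_config "$1" "[redacted ${#2} chars]" "[redacted ${#3} chars]"
    return 0
  fi
  curl_config "$1" "$2" "$3" |
    curl --silent --config - --data "$event" \
         --output /dev/null --write-out '%{http_code}\n'
}
```

Read the two keys into variables with `read -rs` rather than typing them on the command line, so they stay out of shell history. A rejected request with `DRY_RUN=0` points at the API key restriction from step 1 or the secret from step 2 before Keeper is involved.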
