1 of 1

Google Security Operations (Chronicle)

Integrating Keeper SIEM push to Google Security Operations (formerly Chronicle)

Overview

Keeper supports event streaming into Google Security Operations, formerly known as Google Chronicle. External logging is real-time, and new events will appear almost immediately. Setup instructions are below.

Create an API Key

Go to the Google Cloud console and select the project associated to your Google Security Operations (Chronicle) environment.
Select APIs & Services > Credentials and create a new Credential > API Key.
After creating the API key, edit the key and apply restrictions.
Ensure that the API key is restricted to "Chronicle API" capabilities only.
Save this API key for step 3 below.

Create a Feed

From your Google Security Operations tenant:

Go to Settings > Feeds > Add Feed
Select Source Type of "Webhook" and then select Log Type of "Keeper Enterprise Security"
Select Next and then Submit.
When prompted, generate the Secret Key and save it for the step 3.
Also, copy the Feed Endpoint and save this for step 3.

Activate Integration

From the Keeper Admin Console, go to Reporting & Alerts > External Logging
Select Google Security Operations
Provide API Key from step 1, Feed Endpoint and Feed Secret Key from Step 2.
Click Test and then Save.

Setup Complete!

When SIEM logs are sent from Keeper to Google, the data will begin to populate within 15 minutes.