Collect Chrome Enterprise Premium Context Access Aware Data
===========================================================

Supported in: Google SecOps [SIEM](/chronicle/docs/secops/google-secops-siem-toc)

Last updated 2025-08-29 UTC.

**Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).

This document explains how you can connect your organization to Google Security Operations, enable the
Identity-Aware Proxy (IAP) API, and set up feeds to ingest the following data to
Google Security Operations. The feeds include Chrome Enterprise Premium content specific to IAP and context access aware data.

- [Google Cloud Logs](/chronicle/docs/ingestion/cloud/ingest-gcp-logs)
- [Cloud Identity Devices](/identity/docs/reference/rest/v1/devices)
- [Cloud Identity Device Users](/identity/docs/reference/rest/v1/devices.deviceUsers)

Before you begin
----------------

Before you set up feeds to ingest Chrome Enterprise Premium data, complete the following tasks:

- Connect your Google Cloud organization to Google Security Operations by completing the following sections:
  1. [Enable telemetry ingestion to Google Security Operations](/chronicle/docs/ingestion/cloud/ingest-gcp-logs#enabling_gcp_telemetry_ingestion).
  2. [Enable the export of Google Cloud logs to Google Security Operations](/chronicle/docs/ingestion/cloud/ingest-gcp-logs#exporting_google_cloud_logs_to_chronicle).
- Enable the Cloud Identity API and create a service account to authenticate the API.
- Create a domain-wide delegation.
- Create a user for impersonation.

### Enable the Cloud Identity API and create a service account

1. In the Google Cloud console, select the Google Cloud project for
   which you want to enable the API, and then go to the **APIs & Services**
   page:

   [Go to **APIs & Services**](https://console.cloud.google.com/apis/dashboard)
2. Click **Enable APIs and Services**.
3. Search for "Cloud Identity API".
4. In the search results, click **Cloud Identity API**.
5. Click **Enable**.
6. Create a service account:
   1. In the Google Cloud console, select **IAM & Admin > Service Accounts**.
   2. Click **Create service account**.
   3. On the **Create service account** page, enter a name for the service account.
   4. Click **Done**.
7. Select the service account that you created.
8. Copy and save the ID that appears in the **Unique ID** field. You use this ID
   when you create a domain-wide delegation.
9. Select the **Keys** tab.
10. Click **Add key > Create new key**.
11. Select **JSON** as the **Key type**.
12. Click **Create**.
13. Copy and save the JSON key. You use this key when you set up feeds.

For more information, see [Enable the Cloud Identity API and create a service account to authenticate the
API](/identity/docs/how-to/setup-devices#enabling_the_api_and_setting_up_credentials).

### Create a domain-wide delegation

To control API access for the service account using domain-wide delegation, do
the following:

1. From the Google Admin console Home page, select **Security > Access
   and Data Controls > API Controls**.
2. Select **Domain-wide delegation > Manage Domain-Wide Delegation**.
3. Click **Add new**.
4. Enter the service account client ID. The service account client ID is the unique ID that you obtained when you created a service account.
5. In **OAuth scopes**, enter `https://www.googleapis.com/auth/cloud-identity.devices.readonly`.
6. Click **Authorize**.

For more information, see [Control API access with domain-wide delegation](https://support.google.com/a/answer/162106#zippy=%2Cset-up-domain-wide-delegation-for-a-client).

### Create a user for impersonation

1. From the Google Admin console Home page, select **Directory > Users**.
2. To add a new user, do the following:
   1. Click **Add new user**.
   2. Enter a name for the user.
   3. Enter the email address associated with the user.
   4. Click **Create**, and then click **Done**.
3. To create a new role and assign a privilege, do the following:
   1. Select the newly created username.
   2. Click **Admin roles and privileges**.
   3. Click **Create custom role**.
   4. Click **Create new role**.
   5. Enter a name for the role.
   6. Select **Services > Mobile Devices Management**, and then select the **Manage Devices and Setting** privilege.
   7. Click **Continue**.
4. To assign the role to the user, do the following:
   1. Click **Assign Users**.
   2. Navigate to the newly created user and click **Assign Role**.

Set up feeds
------------

To configure a feed, follow these steps:

1. Go to **SIEM Settings** > **Feeds**.
2. Click **Add New Feed**.
3. On the next page, click **Configure a single feed**.
4. Enter a unique name for the **Field name** (for example, **Chrome Enterprise Premium logs**).
5. Select **Third party API** as the **Source type**.
6. In the **Log type** list, select either **GCP Cloud Identity Devices** or **GCP Cloud Identity Device Users**.
7. Click **Next**.
8. On the **Input parameters** tab, specify the following details:

   **Note:** The options that appear on the **Input parameters** tab depend on the source and log type that you specified on the **Set Properties** tab.

   - **OAuth JWT endpoint**. Enter `https://oauth2.googleapis.com/token`.
   - **JWT claims issuer**. Specify `<insert_service_account@project.iam.gserviceaccount.com>`. This is the service account you created in the section [Enable the Cloud Identity API and create a service account](#enable-iap).
   - **JWT claims subject**. Enter the email of the user that you created in the section [Create a user for impersonation](#user-impersonation).
   - **JWT claims audience**. Enter `https://oauth2.googleapis.com/token`.
   - **RSA private key**. Enter the JSON key that was created when you created a service account to authenticate the API.
   - **API version**. Optional. You can leave this field blank.
9. Click **Next**.
10. On the **Finalize** tab, review the values that you entered and then click **Submit**.
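Before submitting the feed, the values for the **Input parameters** tab can be checked against the downloaded service account key and the domain-wide delegation entry. The following is an added example, not part of the original documentation or any Google tooling: `check_feed_inputs`, the sample key, and the addresses are constructed for illustration, and the check assumes the key JSON carries the standard `type`, `client_email`, `client_id`, and `private_key` fields.

```python
import json

TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
READONLY_SCOPE = "https://www.googleapis.com/auth/cloud-identity.devices.readonly"


def check_feed_inputs(key_json, issuer, subject, audience,
                      delegated_client_id, delegated_scopes):
    """Return a list of findings; an empty list means the inputs are consistent."""
    try:
        key = json.loads(key_json)
    except json.JSONDecodeError:
        return ["RSA private key field does not contain valid JSON"]
    findings = []
    if key.get("type") != "service_account":
        findings.append("key is not a service account key")
    if "-----BEGIN PRIVATE KEY-----" not in key.get("private_key", ""):
        findings.append("key JSON has no PEM private_key")
    if issuer != key.get("client_email"):
        findings.append("JWT claims issuer differs from the key's client_email")
    if audience != TOKEN_ENDPOINT:
        findings.append("JWT claims audience is not the OAuth JWT endpoint")
    if delegated_client_id != key.get("client_id"):
        findings.append("delegation client ID is not this service account's Unique ID")
    # The subject is the impersonation user, never the service account itself.
    if subject == issuer or subject.endswith(".gserviceaccount.com"):
        findings.append("JWT claims subject must be the impersonation user")
    # Least privilege: the delegation should grant only the read-only scope.
    if READONLY_SCOPE not in delegated_scopes:
        findings.append("delegation is missing the read-only devices scope")
    extra = sorted(set(delegated_scopes) - {READONLY_SCOPE})
    if extra:
        findings.append("delegation grants extra scopes: " + ", ".join(extra))
    return findings


# Constructed sample key: placeholder values only, no real credential.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "client_email": "secops-feed@example-project.iam.gserviceaccount.com",
    "client_id": "100000000000000000001",
    "private_key": "-----BEGIN PRIVATE KEY-----\n(placeholder)\n-----END PRIVATE KEY-----\n",
})

if __name__ == "__main__":
    for finding in check_feed_inputs(
            SAMPLE_KEY, "secops-feed@example-project.iam.gserviceaccount.com",
            "feed-reader@example.com", TOKEN_ENDPOINT,
            "100000000000000000001", [READONLY_SCOPE]) or ["inputs are consistent"]:
        print(finding)
```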