Ingest Chrome Enterprise Premium data to Google Security Operations

This page explains how you can connect your organization to Google Security Operations, enable Identity-Aware Proxy (IAP) API, and set up feeds to ingest the following data to Google Security Operations.

• Google Cloud Logs
• Cloud Identity Devices
• Cloud Identity Device Users

Before you begin

Before you set up feeds to ingest Chrome Enterprise Premium data, complete the following tasks:

• Connect your Google Cloud organization to Google Security Operations by completing the following sections:
  1. Enable telemetry ingestion to Google Security Operations.
  2. Enable the export of Google Cloud logs to Google Security Operations.
• Enable the Cloud Identity API and create a service account to authenticate the API.
• Create a domain-wide delegation.
• Create a user for impersonation.

Enable the Cloud Identity API and create a service account

1. In the Google Cloud console, select the Google Cloud project for which you want to enable the API, and then go to the APIs & Services page:

   Go to APIs & Services

2. Click Enable APIs and Services.

3. Search for "Cloud Identity API".

4. In the search results, click Cloud Identity API.

5. Click Enable.

6. Create a service account:

   1. In the Google Cloud console, select IAM & Admin > Service Accounts.
   2. Click Create service account.
   3. On the Create service account page, enter a name for the service account.
   4. Click Done.

7. Select the service account that you created.

8. Copy and save the ID that appears in the Unique ID field. You use this ID when you create a domain-wide delegation.

9. Select the Keys tab.

10. Click Add key > Create new key.

11. Select JSON as the Key type.

12. Click Create.

13. Copy and save the JSON key. You use this key when you set up feeds.

For more information, see Enable the Cloud Identity API and create a service account to authenticate the API.

Create a domain-wide delegation

To control API access for the service account using domain-wide delegation, do the following:

1. From the Google Admin console Home page, select Security > Access and Data Controls > API Controls.
2. Select Domain-wide delegation > Manage Domain-Wide Delegation.
3. Click Add new.
4. Enter the service account client ID. The service account client ID is the unique ID that you obtained when you created a service account.
5. In OAuth scopes, enter https://www.googleapis.com/auth/cloud-identity.devices.readonly.
6. Click Authorize.

For more information, see Control API access with domain-wide delegation

Create a user for impersonation

1. From the Google Admin console Home page, select Directory > Users.
2. To add a new user, do the following:
   1. Click Add new user.
   2. Enter a name for the user.
   3. Enter the email address associated with the user.
   4. Click Create, and then click Done.
3. To create a new role and assign a privilege, do the following:
   1. Select the newly created username.
   2. Click Admin roles and privileges.
   3. Click Create custom role.
   4. Click Create new role.
   5. Enter a name for the role.
   6. Select Services > Mobile Devices Management, and then select the Manage Devices and Setting privilege.
   7. Click Continue.
4. To assign the role to the user, do the following:
   1. Click Assign Users.
   2. Navigate to the newly created user and click Assign Role.

Set up feeds to ingest Chrome Enterprise Premium logs

1. Go to SIEM Settings > Feeds.
2. Click Add New.
3. Enter a unique name for the Field name.
4. Select Third party API as the Source type.
5. In the Log type list, select either GCP Cloud Identity Devices or GCP Cloud Identity Device Users.
6. Click Next.

7. On the Input parameters tab, specify the following details:

   • OAuth JWT endpoint. Enter https://oauth2.googleapis.com/token.
   • JWT claims issuer. Specify <insert_service_account@project.iam.gserviceaccount.com>. This is the service account you created in the section Enable the Cloud Identity API and create a service account.
   • JWT claims subject. Enter the email of the user that you created in the section Create a user for impersonation.
   • JWT claims audience. Enter https://oauth2.googleapis.com/token.
   • RSA private key. Enter the JSON key that was created when you created a service account to authenticate the API.
   • API version. Optional. You can leave this field blank.

8. Click Next.

9. On the Finalize tab, review the values that you entered and then click Submit.