Google Chronicle, part of Google SecOps, is a powerful tool for security data analysis at organizations of any size. Using the platform effectively, however, depends on getting one critical step right: ingesting security data.
This guide will cover the critical steps for using Google SecOps and properly structuring data ingestion to ensure you get the most out of the platform.
Introduction to Google Chronicle
Google SecOps is a specialized layer built on top of Google's cloud infrastructure. It is meant to help enterprises retain, analyze, and search large amounts of security and network telemetry.
Google Chronicle is designed to normalize, index, correlate, and analyze security data. The goal is to offer immediate analysis and the context needed to assess risks in the data. Using this analysis, Google SecOps can detect threats and investigate the scope (and root cause) of those issues. It can also offer remediation through prebuilt integrations covering enterprise workflows, incident response, and orchestration.
The end goal of Google SecOps is to make it easier for users to act on the security data they collect, through threat detection and root-cause analysis. Ultimately, the data presented in Google SecOps helps companies make sense of the information in their systems and improve their security.
Netenrich, a recognized Google SecOps partner, offers a bootcamp on ingesting hybrid cloud data into Google SecOps to educate security practitioners on how they can maximize their investment. The bootcamp is built on Netenrich deployments and Google's best practices, and is designed to provide actionable skills, frameworks, and templates to optimize the security operations stack of companies of any size using Google SecOps.
Security teams looking to make better use of Chronicle's capabilities would do well to participate in the bootcamp to learn more.
Prerequisites for Google SecOps Data Ingestion
There are a few key prerequisites to data ingestion:
- Define your data sources: Identify and understand the data sources that you're going to ingest into Google SecOps. This could be cloud workloads, APIs, endpoints, network telemetry, and more. Once these are defined, you'll be able to get a better sense of the data you need to ingest into the platform.
- Understand data volume and velocity: High data volumes can complicate the ingestion process. So can data that is generated at a fast pace and needs to be ingested at a similar cadence. Understanding how much data is generated and how fast it will need to be ingested will help you account for both.
- Ensure data quality: Data validation and cleansing processes are a key part of data ingestion. Implementing these ensures data accuracy and reliability.
Prior to data ingestion, you will also need to consider how to handle data validation, cleansing, and Extract, Transform, Load (ETL) processes. Lastly, you should have an idea of what latency is acceptable for ingestion: real-time ingestion requires different tactics than batch processing.
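As an added illustration of the validation and cleansing step (example code written for this guide, not from Google or Netenrich), the Python below runs a few constructed JSON log lines through a small pre-ingestion gate: it rejects non-JSON input and records which required fields are missing, normalizes three timestamp styles to RFC 3339 UTC, and drops exact duplicates, keeping a reason for every rejection so the owning team can fix the source instead of losing data silently. The field names, the sample lines, and the rule that naive timestamps are treated as UTC are assumptions.

```python
"""Validate and cleanse raw log records before they are ingested.

Added example, not code from Google, Netenrich or the guide. The record
shape, required fields and sample lines are constructed for illustration.
"""
import json
from datetime import datetime, timezone
from typing import Iterable, List, Tuple

# Constructed sample input: one JSON record per line, of mixed quality.
SAMPLE_LINES = [
    '{"ts": "2024-05-01T12:00:00Z", "host": "web-01", "user": "alice", "action": "login", "result": "success"}',
    '{"ts": "2024-05-01 12:00:05", "host": "web-01", "user": "bob", "action": "login", "result": "failure"}',
    '{"ts": 1714564810, "host": "db-01", "user": "svc-backup", "action": "read", "result": "success"}',
    '{"ts": "2024-05-01T12:00:00Z", "host": "web-01", "user": "alice", "action": "login", "result": "success"}',
    '{"host": "web-02", "user": "carol", "action": "login"}',
    '{"ts": "yesterday", "host": "web-02", "user": "dave", "action": "login", "result": "success"}',
    'this is not json at all',
]

# Fields every record must carry to be useful downstream (assumed schema).
REQUIRED = ("ts", "host", "user", "action", "result")


def normalize_ts(value) -> str:
    """Accept epoch seconds, 'YYYY-MM-DD HH:MM:SS' or ISO 8601 (with or without
    offset) and return an RFC 3339 UTC string. Naive stamps are assumed UTC."""
    if isinstance(value, (int, float)):
        dt = datetime.fromtimestamp(value, tz=timezone.utc)
    else:
        text = str(value).strip().replace(" ", "T")
        if text.endswith("Z"):
            text = text[:-1] + "+00:00"
        dt = datetime.fromisoformat(text)  # raises ValueError on garbage
        if dt.tzinfo is None:
            dt = dt.replace(tzinfo=timezone.utc)
        dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def cleanse(lines: Iterable[str]) -> Tuple[List[dict], List[dict]]:
    """Return (accepted, rejected). Each rejected item keeps the raw line and a
    reason so the source owner can correct the feed rather than lose data."""
    accepted: List[dict] = []
    rejected: List[dict] = []
    seen = set()
    for raw in lines:
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            rejected.append({"line": raw, "reason": "not_json"})
            continue
        if not isinstance(rec, dict):
            rejected.append({"line": raw, "reason": "not_object"})
            continue
        missing = [f for f in REQUIRED if f not in rec]
        if missing:
            rejected.append({"line": raw, "reason": "missing:" + ",".join(missing)})
            continue
        try:
            rec["ts"] = normalize_ts(rec["ts"])
        except ValueError:
            rejected.append({"line": raw, "reason": "bad_timestamp"})
            continue
        key = json.dumps(rec, sort_keys=True)  # canonical form for duplicate detection
        if key in seen:
            rejected.append({"line": raw, "reason": "duplicate"})
            continue
        seen.add(key)
        accepted.append(rec)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = cleanse(SAMPLE_LINES)
    print(f"accepted={len(ok)} rejected={len(bad)}")
    for r in bad:
        print("  rejected:", r["reason"])
```

Rejection reasons are worth counting per source over time: a sudden rise in `bad_timestamp` or `missing:` rejections from one feed usually means a parser or upstream format change, and is easier to spot here than after the data has reached the platform.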
Setting Up Data Ingestion
Setting up data ingestion is the first step in preparing Google SecOps to correlate events for the SecOps team. Doing it effectively involves a combination of deploying forwarders, using the ingestion APIs, and configuring connectors with tools such as a SOAR or SIEM.
Using Forwarders
Forwarders are components that collect log data and forward it to your SecOps instance. They are deployed as Docker containers on physical and virtual machines. To use a forwarder in Chronicle, install and configure it as a container with the settings needed to forward logs to your Google SecOps instance.
Utilizing Ingestion APIs
The Chronicle ingestion API is a RESTful API that accepts JSON payloads and can be configured to ingest UDM events and unstructured logs. To use the API, you need to obtain a Google Developer Services account API credential from Google, which lets you set up connections to the API.
Once that is received, you can connect to the ingestion API and have UDM events imported into Google Chronicle/SecOps automatically, which limits the opportunities for errors in the ingestion configuration process.
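As an added example of the kind of client a team writes against the ingestion API (this is not Google's client library and not code from the guide), the Python below packs raw log lines into JSON request bodies under a size cap, builds a minimal UDM event, and posts each body with a bearer token. The endpoint paths, the OAuth scope, the per-request size limit, the customer ID and the log type are assumptions kept in named constants or placeholders; check them against the current Google SecOps ingestion API reference before use. The HTTP call is injected as a function so the module runs offline.

```python
"""Package log data for the Chronicle ingestion API and post it in batches.

Added example, not Google's client library. Endpoint paths, the OAuth scope,
the per-request size cap and the customer ID are assumptions held in constants
so they can be checked against the current ingestion API reference.
"""
import json
from typing import Callable, Dict, Iterable, List

BASE_URL = "https://malachiteingestion-pa.googleapis.com/v2"      # assumed
UNSTRUCTURED_PATH = "/unstructuredlogentries:batchCreate"         # assumed
UDM_PATH = "/udmevents:batchCreate"                                # assumed
SCOPE = "https://www.googleapis.com/auth/malachite-ingestion"     # assumed scope for the service-account token
MAX_REQUEST_BYTES = 1_000_000                                      # assumed per-request cap
CUSTOMER_ID = "00000000-0000-0000-0000-000000000000"              # placeholder customer UUID


def unstructured_requests(log_type: str, lines: Iterable[str],
                          customer_id: str = CUSTOMER_ID,
                          max_bytes: int = MAX_REQUEST_BYTES) -> List[Dict]:
    """Pack raw log lines into as few request bodies as the size cap allows.

    Size is tracked on the serialized JSON (plus 2 bytes per entry for the list
    separator), so no body is built that the API would reject as too large.
    """
    envelope = len(json.dumps({"customer_id": customer_id, "log_type": log_type, "entries": []}).encode())
    bodies: List[Dict] = []
    entries: List[Dict] = []
    size = envelope

    def flush() -> None:
        nonlocal entries, size
        if entries:
            bodies.append({"customer_id": customer_id, "log_type": log_type, "entries": entries})
        entries, size = [], envelope

    for line in lines:
        entry = {"log_text": line}
        entry_size = len(json.dumps(entry).encode()) + 2
        if envelope + entry_size > max_bytes:
            raise ValueError("a single log line exceeds the request size cap; split or truncate it upstream")
        if entries and size + entry_size > max_bytes:
            flush()
        entries.append(entry)
        size += entry_size
    flush()
    return bodies


def udm_event(event_type: str, ts_rfc3339: str, principal: Dict, target: Dict,
              product: str = "example-app", vendor: str = "example-vendor") -> Dict:
    """Minimal UDM event. metadata.event_timestamp and metadata.event_type are
    the fields every event must carry; principal and target describe the actors."""
    return {
        "metadata": {
            "event_timestamp": ts_rfc3339,
            "event_type": event_type,
            "product_name": product,
            "vendor_name": vendor,
        },
        "principal": principal,
        "target": target,
    }


def udm_request(events: List[Dict], customer_id: str = CUSTOMER_ID) -> Dict:
    """Request body for the UDM batch endpoint."""
    return {"customer_id": customer_id, "events": events}


def send(bodies: List[Dict], path: str, token: str,
         post: Callable[[str, Dict[str, str], Dict], int]) -> List[int]:
    """POST each body with the bearer token and return the status codes.
    `post(url, headers, body)` is injected (a thin wrapper over requests.post in
    production) so this module runs offline in tests."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return [post(BASE_URL + path, headers, body) for body in bodies]


if __name__ == "__main__":
    # Constructed sample lines. A real run obtains `token` from service-account
    # credentials for SCOPE (for example with the google-auth library).
    sample = ["<14>May  1 12:00:00 web-01 sshd[1]: Accepted publickey for alice",
              "<14>May  1 12:00:03 web-01 sshd[2]: Failed password for bob"]
    bodies = unstructured_requests("EXAMPLE_LOG_TYPE", sample)  # placeholder log_type

    def dry_run(url, headers, body):
        print("POST", url, "entries:", len(body["entries"]))
        return 200

    print(send(bodies, UNSTRUCTURED_PATH, "<token>", dry_run))
```

Keeping the size accounting in the client rather than relying on a server-side error matters operationally: a rejected oversized batch is retried as a whole by most naive senders, and the same batch then fails again on every retry.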
Use the Bindplane Agent
The Bindplane collection agent is open source, based on the OpenTelemetry Collector. It collects logs from a variety of sources, such as Microsoft Windows event logs, and sends them to Google SecOps. These collectors can be centrally managed from the Bindplane management console, which enables SecOps teams to track the collectors deployed throughout the organization.
Monitoring and Troubleshooting
Google Chronicle offers strong capabilities around monitoring and troubleshooting, especially for security incidents. This includes collecting and analyzing logs, using rules for threat detection, investigating alerts, and automating responses through playbooks. These features give your security team visibility into its environment.
Monitoring in Google SecOps can also mean checking whether logs are being ingested properly for analysis and whether APIs are collecting as expected. This involves tracking potential issues in the implementation and any errors in data collection, which could interfere with later analysis.
Troubleshooting SecOps issues means verifying that everything is configured and tuned properly, which is straightforward even with managed services. With this done, organizations can be confident that they are tracking security data effectively in Chronicle and making the most of their security telemetry.
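Checking that logs are actually arriving is the part of ingestion monitoring most easily automated. As an added example (not a Google SecOps feature and not code from the guide), the Python below implements two checks a team can run over per-source ingestion statistics: a silent-source check against each source's expected delivery cadence, and a volume-drop check against an hourly baseline, which catches a collector failing on some hosts while the source as a whole still reports. The source names, cadences, timestamps and counts are constructed.

```python
"""Ingestion-health checks: silent sources and volume drops.

Added example, not a Google SecOps feature. Source names, cadences, timestamps
and counts are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed: how often each source is expected to deliver a batch.
EXPECTED_INTERVAL: Dict[str, timedelta] = {
    "windows-dc-01": timedelta(minutes=5),
    "aws-cloudtrail": timedelta(minutes=15),
    "fw-edge-01": timedelta(minutes=1),
    "vpn-gw": timedelta(hours=1),
}
# Constructed: last batch received per source (vpn-gw has never reported).
LAST_SEEN: Dict[str, datetime] = {
    "windows-dc-01": datetime(2024, 5, 1, 11, 58, tzinfo=timezone.utc),
    "aws-cloudtrail": datetime(2024, 5, 1, 11, 10, tzinfo=timezone.utc),
    "fw-edge-01": datetime(2024, 5, 1, 11, 59, 30, tzinfo=timezone.utc),
}
# Constructed: events per hour, typical versus the hour just finished.
BASELINE_PER_HOUR = {"windows-dc-01": 12000, "aws-cloudtrail": 800, "fw-edge-01": 50000}
CURRENT_HOUR = {"windows-dc-01": 11500, "aws-cloudtrail": 790, "fw-edge-01": 9000}
# Constructed evaluation time for the demo; a real run passes datetime.now(timezone.utc).
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)


def silent_sources(expected: Dict[str, timedelta], last_seen: Dict[str, datetime],
                   now: Optional[datetime] = None, grace: float = 3.0) -> List[Dict]:
    """Flag a source when the gap since its last batch exceeds grace times its
    expected interval, or when it has never delivered at all. The grace factor
    absorbs normal jitter so one late batch does not page anyone."""
    now = now or datetime.now(timezone.utc)
    findings: List[Dict] = []
    for source, interval in expected.items():
        seen = last_seen.get(source)
        if seen is None:
            findings.append({"source": source, "gap_seconds": None, "reason": "never_seen"})
            continue
        gap = now - seen
        if gap > interval * grace:
            findings.append({"source": source, "gap_seconds": int(gap.total_seconds()), "reason": "stale"})
    return findings


def volume_drops(baseline: Dict[str, int], current: Dict[str, int],
                 max_drop: float = 0.5) -> List[Dict]:
    """Flag a source whose current-hour count fell more than max_drop (fraction)
    below its baseline. A partial drop is what a silence check alone misses."""
    findings: List[Dict] = []
    for source, base in baseline.items():
        cur = current.get(source, 0)
        if base > 0 and cur < base * (1 - max_drop):
            findings.append({"source": source, "baseline": base, "current": cur,
                             "drop": round(1 - cur / base, 2)})
    return findings


if __name__ == "__main__":
    for f in silent_sources(EXPECTED_INTERVAL, LAST_SEEN, NOW):
        print("silent:", f)
    for f in volume_drops(BASELINE_PER_HOUR, CURRENT_HOUR):
        print("volume drop:", f)
```

Both checks take their inputs as plain dictionaries, so they can be fed from whatever the platform exposes for per-source ingestion counts and last-seen times; the baselines should be per-hour-of-day (or at least weekday versus weekend) for sources whose volume is strongly diurnal, otherwise the volume check fires every night.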
To understand how best to leverage hybrid cloud data and ingest it into Chronicle, make sure you check out Netenrich's Google SecOps 101 virtual bootcamp.