Chronicle Plugin for Log Shipper

Google Chronicle Plugin for Log Shipper

This document explains how to configure your Chronicle integration with the Log Shipper module of the Netskope Cloud Exchange platform. This integration allows pushing alerts and events from Netskope to the Chronicle platform.

Prerequisites

To complete this configuration, you need:

  • A Netskope tenant (or multiple, for example, production and development/test instances)
  • A Netskope Cloud Exchange tenant with the Log Shipper module already configured.
  • A Chronicle account. Obtain your Chronicle Base URL and Service Account Key, and Customer ID from your Chronicle representative before proceeding.
  • Connectivity to the following hosts, one of these selected Regional URLs:
    • USA: https://malachiteingestion-pa.googleapis.com/
    • EU: https://europe-malachiteingestion-pa.googleapis.com/
    • ASIA: https://asia-southeast1-malachiteingestion-pa.googleapis.com/
    • Other Custom URLs you have.
  • Get the Chronicle service account JSON. Reach out to the chronicle team to get a service account with the following scopes: https://www.googleapis.com/auth/malachite-ingestion.

Note

Verify your Chronicle instance permissions are secure and not set up for open public access. Only allow access to your cloud storage instance from your Cloud Exchange Host and any other addresses that need access.

Workflow

  1. Configure the Chronicle Plugin.
  2. Configure Log Shipper Business Rules for Chronicle.
  3. Configure Log Shipper SIEM Mappings for Chronicle.
  4. Validate the Chronicle plugin.

Click play to watch a video.

 

Configure the Chronicle Plugin

  1. In Cloud Exchange, go to Settings > Plugins.
  2. Search for and select the Chronicle v202 (CLS) box to open the plugin creation pages.
    CLS-Chronicle.png
  3. Enter a Configuration Name.
  4. Select a valid Mapping (Default Mappings for all plugins are available). If the Transform option is enabled, raw logs will be transformed using selected mapping file; otherwise, raw logs will be sent to SIEM. The ingestion may be affected if the SIEM does not accept raw logs format.

    Click Next.

  5. Select Region, enter your Service Account Key (which is provided to you by your Chronicle representative), and Customer ID. If the selected region is Custom Region, then ONLY enter your Custom Region’s URL.
  6. Click Save.

Configure Log Shipper Business Rules for Chronicle

  1. Go to Log Shipper > Business Rules.
    image4.png
  2. Click Create New Rule.
    image5.png
  3. Enter a Rule Name and select the filters to use.
  4. Click Save.
    image6.png

Configure Log Shipper SIEM Mappings for Chronicle

  1. GoLog Shipper > SIEM Mappings and click Add SIEM Mapping.
  2. Select a Source Configuration, Business Rule, and Destination Configuration.
    image7.png
  3. Click Save

Validate the Chronicle Plugin

To validate the plugin workflow, you can check from Netskope Cloud Exchange and from Chronicle Platform.

Validate in Netskope Cloud Exchange

Go to Logging.

image8.png

Validate in Chronicle

  1. Log in to the Chronicle Platform to view data.
    image9.png
  2. Enter a keyword that you want to search for (in this case, an application) to search for ingested logs.
    image10.png
  3. Click Search.
    image11.png
  4. Click Row Log Search.
    image12.png
  5. Set Start Time (UTC) and End Time (UTC) accordingly. (You can also select both times by reference (like 1 minute, 2 hours, 1 day). Click Search.
    image13.png
  6. Click the adjacent icon to see details of the log.
    image14.png
  7. Then you see the ingested data.
    image15.png

Troubleshooting

If you received an error displayed in below screenshot after upgrading the core version, then try one of these steps:

CLS-Chronicle7.png
  1. Remove justification_type and justification_reason from all the events/alerts.

    or

  2. Use Default Mapping ( >= v1.0.4) file.
Share this Doc

Chronicle Plugin for Log Shipper

Or copy link

In this topic ...