Google Chronicle is a cloud-native SIEM platform that helps organizations detect, investigate, and respond to security threats by ingesting and analyzing large amounts of security data in real time.
Some of the pre-made steps available for Torq's Google Chronicle integration are:
Generate Google Chronicle Token
Get Event
Get Log
List Alerts
List Asset Aliases
List Assets
List Events
List IOC Details
List IOCs
List User Aliases
Run UDM search
As always, if you don't see a step you need, you can create your own steps using Torq's custom step builder and share them within your workspace or organization.
Request API Authentication from Google's Service Representative
To use Google Chronicle steps in Torq, you must contact your Google Security Operations representative for API authentication credentials.
Ask your representative for the appropriate credentials.
Per Google's documentation, you must provide the following scope to your representative:
https://www.googleapis.com/auth/chronicle-backstory
Your Google Security Operations representative will provide credentials as a JSON file. The credentials will be for a Service Account specifically created for you to access your Chronicle instance.
Create a Google Chronicle Integration in Torq
In Torq, go to Build > Integrations > Steps > Google Cloud Platform (GCP) and click Add.
Give the integration a unique and meaningful name (such as Google Chronicle).
Upload the JSON file sent to you by your Google Security Operations representative.
Click Add.
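As an added example (not Torq's or Google's own code), the following Python checks that a service-account JSON file like the one your representative sends has the fields the OAuth flow needs, and builds the JWT claim set that Google's token endpoint expects for the chronicle-backstory scope quoted above. The sample credentials, project name and dummy key are constructed for illustration; the only real values are the scope and Google's token endpoint.

```python
import base64
import json
import time

# Scope named in Google's documentation (quoted on this page).
CHRONICLE_SCOPE = "https://www.googleapis.com/auth/chronicle-backstory"
REQUIRED_FIELDS = ("type", "client_email", "private_key", "token_uri")

# Constructed sample of the service-account JSON file shape; the key is a dummy, not real material.
SAMPLE_CREDENTIALS = {
    "type": "service_account",
    "project_id": "example-project",
    "client_email": "chronicle-api@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nDUMMY-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n",
    "token_uri": "https://oauth2.googleapis.com/token",
}


def validate_service_account(creds: dict) -> list:
    """Return the problems found in a credentials file; an empty list means it is usable."""
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if f not in creds]
    if creds.get("type", "service_account") != "service_account":
        problems.append(f"unexpected type: {creds['type']}")
    if "private_key" in creds and "-----BEGIN PRIVATE KEY-----" not in creds["private_key"]:
        problems.append("private_key is not a PEM-encoded private key")
    return problems


def build_jwt_claims(creds: dict, scope: str = CHRONICLE_SCOPE, now: int = None, lifetime: int = 3600) -> dict:
    """Claim set for the JWT-bearer grant Google's token endpoint accepts from a service account."""
    if lifetime > 3600:
        raise ValueError("Google rejects assertions that expire more than one hour after issuance")
    now = int(time.time()) if now is None else now
    return {"iss": creds["client_email"], "scope": scope, "aud": creds["token_uri"],
            "iat": now, "exp": now + lifetime}


def _b64url(data: bytes) -> str:
    # JWT uses unpadded base64url encoding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_signing_input(claims: dict) -> str:
    """Return the 'header.payload' string; signing it with private_key (RS256) yields the assertion."""
    header = {"alg": "RS256", "typ": "JWT"}
    parts = (json.dumps(header, separators=(",", ":")), json.dumps(claims, separators=(",", ":")))
    return ".".join(_b64url(p.encode("utf-8")) for p in parts)
```

The signed assertion is posted to token_uri with grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer, and the access token returned carries only the scope in the claims, so a file that passes these checks can still fail if the representative provisioned a different scope.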