Integrate with Google SecOps

In this topic, you will learn how to send Portnox™ Cloud alerts to Google SecOps.

Important:
This guide assumes that Google SecOps is already configured and bound to a Google Cloud project. The integration needs two credentials: an API key generated in the Google Cloud console and a feed secret key generated in the Google SecOps console. To set up these platforms themselves, refer to the official Google documentation. Both credentials authorize writes into your SIEM, so handle them as secrets: do not share the temporary text files used in this procedure, and delete them once the Portnox Cloud integration has been saved.

Create an API key in Google Cloud console

In this section, you will create an API key in Google Cloud console, which is required for integration between Portnox Cloud and Google SecOps.

  1. Open your Google Cloud console and select the project that you use with Google SecOps.
  2. In the left-hand menu, select the APIs & Services > Credentials option.

  3. In the top bar, click on the Create credentials button and then select the API key option.

  4. In the Create API key pane:
    1. In the Name field, enter the name for this API key.

      In this example, we used the name google_secops, but you can use any name you like.

    2. In the Select API restrictions field, select the Chronicle API and Service Usage API options.

      Keep the key restricted to these two APIs. An unrestricted key that is later exposed from the Portnox Cloud configuration could be used against any other API enabled in the project.

    3. Click on the Create button to create the API key.
  5. In the API key created pane, click on the ⧉ icon to copy the API key to the clipboard. Then, paste the key into a temporary text file – you will need it later to configure Portnox Cloud.

    Note:
    You can also copy the API key later by clicking on the Show key option in the API Keys table in the Credentials pane.

Create a Portnox CEF feed in Google SecOps

In this section, you will create a Portnox CEF feed in Google SecOps that will receive the data from Portnox Cloud.

  1. Open your Google SecOps console.
  2. In the left-hand menu, select the Settings > SIEM Settings option.

  3. In the left-hand menu of the SIEM Settings pane, select the Feeds option.

  4. In the top bar, on the right-hand side, click on the ADD NEW FEED button.

  5. On the Collect Data with Feeds screen, click on the Configure a single feed button.

  6. In the ADD FEED wizard:
    1. In the FEED NAME field, enter the name for this feed.

      In this example, we used the name Portnox Cloud, but you can use any name you like.

    2. In the SOURCE TYPE field, select the Webhook option.
    3. In the LOG TYPE field, type the word portnox, and then select the Portnox CEF option.
    4. Click on the NEXT button to proceed to the next wizard step.

    5. In the Input Parameters step, do not change any values, and click on the NEXT button.
    6. In the Finalize step, click on the SUBMIT button.
  7. In the feed configuration window (its name is the same as the name of the feed):
    1. In the SECRET KEY tab (opened by default after submitting the feed), click on the Generate Secret Key button.

    2. Hover your mouse cursor over the Secret Key field to show the ⧉ button, and click on it to copy the secret key. Then, paste the key into a temporary text file – you will need it later to configure Portnox Cloud.

    3. Click on the DETAILS tab, hover your mouse cursor over the Endpoint information field to show the ⧉ button, and click on it to copy the HTTPS endpoint value. Then, paste the endpoint into the same temporary text file – you will need it later to configure Portnox Cloud.

Result: Your Google SecOps feed is ready to receive data from Portnox Cloud.

Configure Portnox Cloud

In this section, you will learn how to configure Portnox™ Cloud to send alert data to the Google SecOps feed using the Google Cloud API key.

  1. In the Cloud portal top menu, click on the Settings option.

  2. In the Cloud portal left-hand menu, click on the Integration Services > SIEM INTEGRATION SERVICE option.

  3. Create a new SIEM integration with Google SecOps.
    1. In the SIEM integration service section, click on the Add a new SIEM integration link.

      The New SIEM integration section opens.

    2. In the Integration type field, select the Google SecOps option.

    3. In the Name field, enter the name for the new integration.

      In this example, we used the name Google SecOps but you can use any name you like.

    4. In the Status field, select the Enabled option.

    5. In the HTTPS endpoint field, paste the HTTPS endpoint that you copied from the Google SecOps feed configuration and saved in a temporary text file.

    6. In the API Key field, paste the API key that you copied from the Google Cloud API key configuration and saved in a temporary text file.

    7. In the Access Secret field, paste the secret key that you copied from the Google SecOps configuration and saved in a temporary text file.

    8. Optional: Modify or turn off the health check frequency.

      We recommend keeping the default values.

    9. Optional: If you want to send each alert separately instead of merging related alerts together, activate the Unmerge alerts checkbox.
    10. Click on the Save button to add the integration.

    11. Optional: Test the configuration by clicking on the Test button.

  4. Optional: To configure the types of alerts sent to your SIEM solution, see the following topic: Portnox Cloud alerts.
    Note:
    To learn more about the content and format of alert messages sent to SIEM solutions, see the following topic: Format and content of alert information for SIEM.

    You can also send all of the Portnox Cloud activity log (activities performed by administrators in Portnox Cloud) to your SIEM solution. To do this, go to Troubleshooting > ACTIVITY LOG > Log Settings, activate the Activity log switch, and click on the Save button.

Result: Google SecOps is receiving alerts from Portnox Cloud.

You can confirm the integration, for example, by running the following query in Investigation > SIEM Search:

metadata.vendor_name = "PORTNOX_CEF"
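If the Test button in Portnox Cloud reports a failure or no events appear in SIEM Search, posting a constructed CEF line straight to the feed separates a feed or credential problem from a Portnox-side one. The following script is an added example written for this page, not code from Portnox or Google. It assumes, from Google's webhook feed documentation, that the feed reads the Google Cloud API key from the X-goog-api-key header and the feed secret key from the X-Webhook-Access-Key header, and that it accepts one raw CEF line per POST body; confirm both against the feed's DETAILS tab before trusting a negative result. The environment variable names and the sample CEF event are hypothetical.

```python
"""Post a constructed CEF line straight to a Google SecOps webhook feed.

Hypothetical check script written for this page; it is not Portnox Cloud or
Google SecOps code. Assumptions: the feed expects the Google Cloud API key in
the X-goog-api-key header and the feed secret in X-Webhook-Access-Key, and
accepts one raw CEF line per POST body. Confirm both against the feed's
DETAILS tab and Google's webhook feed documentation.
"""
import os
import sys
import urllib.error
import urllib.request

# Constructed sample event. It follows the CEF header layout
# (CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension)
# so the Portnox CEF parser has something to chew on; the values are
# illustrative, not real Portnox output.
SAMPLE_CEF = (
    "CEF:0|Portnox|Portnox Cloud|1.0|1001|Device blocked|7|"
    "src=10.0.0.25 suser=jdoe msg=Device failed posture check"
)


def build_request(endpoint, api_key, secret, cef_line):
    """Return (url, headers, body) for one feed POST; pure, no network."""
    if not endpoint.startswith("https://"):
        raise ValueError("feed endpoint must be an https:// URL")
    for label, value in (("API key", api_key), ("secret key", secret)):
        # Stray whitespace from copy-paste is the most common cause of 401/403.
        if not value or value != value.strip():
            raise ValueError(f"{label} is empty or carries stray whitespace")
    if "\n" in cef_line or "\r" in cef_line:
        raise ValueError("send exactly one CEF line per request")
    headers = {
        "Content-Type": "text/plain",
        "X-goog-api-key": api_key,        # Google Cloud API key (assumed header name)
        "X-Webhook-Access-Key": secret,   # SecOps feed secret key (assumed header name)
    }
    return endpoint, headers, cef_line.encode("utf-8")


def classify(status):
    """Map an HTTP status code to a short diagnosis for the operator."""
    if 200 <= status < 300:
        return "accepted: endpoint, API key and secret key all work"
    if status in (401, 403):
        return "rejected credentials: re-check the API key and the feed secret key"
    if status == 404:
        return "endpoint not found: re-copy the HTTPS endpoint from the DETAILS tab"
    return f"unexpected HTTP {status}: inspect the response body"


def post(endpoint, api_key, secret, cef_line, timeout=10):
    """Send one CEF line to the feed and return (status, diagnosis)."""
    url, headers, body = build_request(endpoint, api_key, secret, cef_line)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, classify(resp.status)
    except urllib.error.HTTPError as err:
        return err.code, classify(err.code)


if __name__ == "__main__":
    # Credentials come from the environment so they never land in shell history.
    names = ("SECOPS_ENDPOINT", "SECOPS_API_KEY", "SECOPS_SECRET")  # hypothetical names
    try:
        cfg = {name: os.environ[name] for name in names}
    except KeyError as missing:
        sys.exit(f"set {missing.args[0]} before running")
    status, verdict = post(cfg["SECOPS_ENDPOINT"], cfg["SECOPS_API_KEY"],
                           cfg["SECOPS_SECRET"], SAMPLE_CEF)
    print(f"HTTP {status}: {verdict}")
    sys.exit(0 if 200 <= status < 300 else 1)
```

Run it with the three values from your temporary text file exported as environment variables; a 2xx response followed by the sample event turning up in SIEM Search means the feed side is healthy and any remaining gap lies in the Portnox Cloud integration settings or alert selection.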