Forwarding to Google Chronicle

Google Chronicle is a cloud service, built as a specialized layer on top of core Google infrastructure, designed for enterprises to privately retain, analyze, and search the massive amounts of security and network telemetry they generate. Chronicle normalizes, indexes, correlates, and analyzes the data to provide instant analysis and context on risky activity.

Prerequisites

Event forwards originate from region-specific IPs. For the full list of outbound IPs by region, see SaaS Regions and IP Ranges. Update your firewall and allow inbound requests from these IP addresses to enable Sysdig to handle event forwarding.

Google Chronicle v2 uses JSON format, which Sysdig does not currently support. Contact Google Chronicle customer support to request a v1 API key.

Configure Standard Integration

To forward event data to Chronicle:

  1. Log in to Sysdig Secure as Admin and go to Profile > Settings > Event Forwarding.
  2. Click +Add Integration and choose Chronicle from the drop-down menu.
  3. Configure the required options:
  • Integration Name: Define an integration name.
  • API Key: JSON format is currently not supported. Contact Google Chronicle customer support to request a v1 API key.
  • Data to Send: Select from the drop-down the types of Sysdig data that should be forwarded. The available list depends on the Sysdig features and products you have enabled.
  • Toggle the enable switch as necessary. Remember that you will need to “Test Integration” with the button below before enabling the integration.
  4. Click Save.

Configure Agent Local Forwarding

Review the configuration steps and use the following parameters for this integration.

Type      | Attribute | Required? | Type   | Allowed values              | Default | Description
CHRONICLE | apiKey    | yes       | string |                             |         | The Chronicle v1 API key
CHRONICLE | region    | no        | string | us, europe, asia-southeast1 | us      | The target region
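The following validator, added here as an example and not part of Sysdig's agent or documentation, checks a CHRONICLE integration entry against the parameter table above (apiKey required, region optional with the listed allowed values and default) before it is written into the agent configuration. The flat mapping with keys type, apiKey and region is an assumed representation; only the attribute names, requiredness, allowed values and default come from the table.

```python
# Added example (not Sysdig's code): validate the CHRONICLE agent-local-forwarding
# parameters from the table before they reach the agent configuration.
# Assumption: the integration is represented as one dict with "type", "apiKey"
# and "region"; the constraints themselves come from the parameter table.

ALLOWED_REGIONS = ("us", "europe", "asia-southeast1")
DEFAULT_REGION = "us"
KNOWN_ATTRIBUTES = {"type", "apiKey", "region"}


def validate_chronicle_params(params: dict) -> dict:
    """Return a normalized copy of params or raise ValueError on the first problem."""
    if params.get("type") != "CHRONICLE":
        raise ValueError("type must be CHRONICLE")

    # apiKey: required, string, must carry a Chronicle v1 API key
    api_key = params.get("apiKey")
    if not isinstance(api_key, str) or not api_key.strip():
        raise ValueError("apiKey is required and must be a non-empty string (Chronicle v1 API key)")

    # region: optional, string, restricted to the allowed values, defaults to "us"
    region = params.get("region", DEFAULT_REGION)
    if not isinstance(region, str):
        raise ValueError("region must be a string")
    if region not in ALLOWED_REGIONS:
        raise ValueError(f"region must be one of {', '.join(ALLOWED_REGIONS)}; got {region!r}")

    # Reject attributes the table does not define so typos do not silently disable a setting
    unknown = set(params) - KNOWN_ATTRIBUTES
    if unknown:
        raise ValueError(f"unknown attribute(s): {', '.join(sorted(unknown))}")

    return {"type": "CHRONICLE", "apiKey": api_key, "region": region}


def check_params(params: dict):
    """Non-raising wrapper: (normalized, None) on success, (None, message) on failure."""
    try:
        return validate_chronicle_params(params), None
    except ValueError as exc:
        return None, str(exc)


if __name__ == "__main__":
    # Constructed sample inputs; the API key value is a placeholder, not a real credential.
    good = {"type": "CHRONICLE", "apiKey": "PLACEHOLDER_V1_API_KEY"}
    bad_region = {"type": "CHRONICLE", "apiKey": "PLACEHOLDER_V1_API_KEY", "region": "eu"}
    print(check_params(good))        # region filled in with the default "us"
    print(check_params(bad_region))  # rejected: "eu" is not an allowed value
```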