The seamless integration between Nebula and Google Chronicle SIEM enables system administrators to effortlessly import comprehensive data from Nebula into the Google Chronicle SIEM platform. This allows for a thorough analysis of Nebula's detection capabilities and the identification of potentially suspicious activities within the Google Chronicle SIEM platform. Follow the instructions in this article to enable the integration.
Generate Google Chronicle SIEM Feed Credentials
First, we must generate the Webhook URL and Webhook Secret within Google Chronicle SIEM. Later, we will enter these into Nebula.
- In Google SecOps, go to Settings > SIEM Settings > Feeds.
- Click Add New.
- Configure the following fields:
  - Feed Name: Malwarebytes
  - Source Type: Webhook
  - Log Type: Malwarebytes EDR
- Click Next.
- Click Next.
- Click Submit.
- Go to the Details tab.
- Copy the URL under Endpoint Information and store it for later.
- Go to the Secret Key tab.
- Click Generate Secret Key.
- Copy the Secret Key and store it for later.
  Note: The secret key is no longer visible once you close this window.
- Click Done.
Generate Google Cloud Product API Key
The Nebula integration with Google Chronicle SIEM requires a Google Cloud Product (GCP) API Key.
- In Google Cloud Project, go to APIs & Services > Credentials.
- Select Create Credentials > API Key.
- Copy the API Key and store it for later.
- In the pop-up, click Edit API key.
- Select Restrict Key.
- In the drop-down menu, select Chronicle API.
  Note: If Chronicle API is missing from the drop-down menu, see Configure a Google Cloud project for Google SecOps.
- Click Save.
For more information, see Setting up API keys.
Configure Chronicle SIEM and Nebula to ingest logs
Now that you have the API credentials, you can proceed to configure the integration in Nebula.
- In Nebula, go to the Integrate page.
- Locate Google Chronicle SIEM and click Configure.
- Enter the following fields:
  - Webhook URL: URL copied from the Endpoint Information field of the Google Chronicle SIEM Feed Details page.
  - Webhook Secret: API Secret obtained from the Google Chronicle SIEM Feed Details page.
  - GCP API Key: API Key obtained from Google Cloud.
- Click Save.
After you complete these steps, Google Chronicle SIEM can ingest Nebula logs. Learn how to Search data using the Nebula integration with Google Chronicle SIEM.
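To confirm that the Webhook URL, Webhook Secret and GCP API Key work together before saving them in Nebula, you can send one test event to the feed. The script below is an added example, not part of the original article and not Malwarebytes or Google code. The header names X-goog-api-key and X-Webhook-Access-Key and the key/secret query parameter names come from Google's webhook feed documentation rather than this article; the environment variable names and the test event are constructed for illustration.

```python
import json
import os
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlsplit


def build_test_request(webhook_url, webhook_secret, gcp_api_key):
    """Validate the three values and return a POST request for the feed."""
    parts = urlsplit(webhook_url.strip())
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("Webhook URL must be an https:// URL")
    # Credentials appended to the URL leak into proxy logs and shell history.
    if {"key", "secret"} & set(parse_qs(parts.query)):
        raise ValueError("Remove key/secret from the URL; send them as headers")
    for name, value in (("Webhook Secret", webhook_secret),
                        ("GCP API Key", gcp_api_key)):
        if not value or value != value.strip():
            raise ValueError(f"{name} is empty or has stray whitespace")
    # Constructed test event, not a real Nebula log record.
    body = json.dumps({"source": "feed-preflight",
                       "message": "constructed test event"}).encode()
    return urllib.request.Request(
        parts.geturl(), data=body, method="POST",
        headers={"Content-Type": "application/json",
                 "X-goog-api-key": gcp_api_key,
                 "X-Webhook-Access-Key": webhook_secret})


if __name__ == "__main__":
    # Hypothetical environment variable names; keeps secrets off the command line.
    request = build_test_request(os.environ["CHRONICLE_WEBHOOK_URL"],
                                 os.environ["CHRONICLE_WEBHOOK_SECRET"],
                                 os.environ["CHRONICLE_GCP_API_KEY"])
    try:
        with urllib.request.urlopen(request, timeout=15) as response:
            print("Feed accepted the test event, HTTP", response.status)
    except urllib.error.HTTPError as err:
        # Recheck the URL, the secret and the API key restriction before
        # saving the values in Nebula.
        print("Feed rejected the request, HTTP", err.code)
```

The test event appears in the feed as a raw log, so expect it in Google Chronicle SIEM alongside real Nebula data once the integration is live.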