Google Chronicle | Ingesting entities into Chronicle

To have Chronicle automatically ingest Intelligence Center data, you have to:

  1. Create an outgoing feed in Intelligence Center

  2. Configure the connector in Chronicle

Create an outgoing feed in Intelligence Center

  1. In Intelligence Center, in the left navigation bar, go to Data configuration > Outgoing feeds.

  2. In the top-left corner of the view, select the Plus icon.

  3. Under Outgoing feed name, enter a name for the feed.

  4. From the Datasets dropdown, select the datasets you’d like to send to Google Chronicle.

  5. From the Update strategy dropdown, select Append.

  6. From the Transport type dropdown, select HTTP download.

  7. From the Content type dropdown, select EclecticIQ Observables CSV.

  8. Under Transport configuration, either check the Public checkbox or select one or more groups from the Authorized groups dropdown.
    If the Chronicle connector authenticates with an automation user (see the documentation on creating API tokens), choose a group that user belongs to under Authorized groups. Restricting the feed to that group rather than making it Public limits access to the account that actually needs it.

  9. Under Schedule, define a schedule for the outgoing feed to run on.

  10. (Optional) Configure the advanced options if needed.

  11. Select Save.

Once the outgoing feed has been created, open it. From its URL, note the feed ID: the number at the end of the URL, after outgoing-feeds?detail=.

Select Run now and confirm that the feed correctly packages the observables from the datasets you selected for it.

Configure the connector in Chronicle

  1. In Chronicle, in the left navigation bar, go to Settings.

  2. In the left Settings menu, expand the Ingestion dropdown.

  3. Select Connectors.

  4. In the top-left corner of the screen, next to Connectors, select the Plus icon.

  5. From the Connector dropdown, select the EclecticIQ - Feed Connector.

  6. Select Create.

  7. If you have multiple Chronicle environments, select one from the Environment dropdown.

  8. For Run Every, choose a frequency that aligns with the schedule of the outgoing feed you just configured, so the connector does not poll more often than the feed produces new runs.

  9. For API Token, enter the API token you created for the Chronicle integration.

  10. For EclecticIQ URL, enter the URL of your Intelligence Center instance.

  11. For Outgoing Feed ID, enter the feed ID you noted after the creation of the outgoing feed in Intelligence Center.

  12. Select Save.

The connection that ingests Intelligence Center observables into Chronicle is now set up.

You can test the connection by going to the Testing tab and selecting Run connector once. If you ran the outgoing feed after you set it up or it has run automatically according to its Execution schedule
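If the connector run fails, it helps to reproduce manually what it does: take the feed ID from the outgoing feed's URL, download the latest run with the integration's API token, and confirm the payload is a non-empty EclecticIQ Observables CSV. The script below is an added example and is not EclecticIQ's or Chronicle's own code. It assumes that the feed ID is the `detail` query parameter (as stated above), that the CSV carries at least the columns `type` and `value`, and that the download endpoint path and the `Authorization: Bearer` header used in `fetch_latest_run()` match your Intelligence Center version; the URL, the feed ID and the CSV rows are constructed sample data.

```python
"""Added example (not EclecticIQ or Google Chronicle code): sanity-check an
Intelligence Center outgoing feed before, or while, pointing the Chronicle
connector at it.

Assumptions not stated on the page:
  * the feed ID is the integer value of the `detail` query parameter on a URL
    such as https://ic.example.com/main/configuration/outgoing-feeds?detail=42
  * the packaged Observables CSV contains at least the columns `type` and `value`
  * the endpoint path and Bearer-token header in fetch_latest_run() are assumed;
    verify them against your Intelligence Center API documentation
"""
import csv
import io
import urllib.request
from collections import Counter
from urllib.parse import parse_qs, urlparse


def feed_id_from_url(url: str) -> int:
    """Return the outgoing feed ID, i.e. the number after outgoing-feeds?detail=."""
    values = parse_qs(urlparse(url).query).get("detail")
    if not values or not values[0].isdigit():
        raise ValueError(f"no numeric 'detail' parameter in {url!r}")
    return int(values[0])


# Constructed sample of what a feed run with content type
# "EclecticIQ Observables CSV" might contain (columns are an assumption).
SAMPLE_CSV = """type,value
ipv4,198.51.100.23
domain,malicious.example
ipv4,203.0.113.7
uri,http://malicious.example/payload
"""

REQUIRED_COLUMNS = {"type", "value"}


def summarize_observables_csv(csv_text: str) -> dict:
    """Parse a feed run and return the number of observables per type.

    Raises ValueError when the expected columns are missing (wrong content type
    selected on the feed) or when the run is empty (empty datasets, or Run now
    was never executed), the two failure modes most worth catching before the
    Chronicle connector starts polling.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = REQUIRED_COLUMNS - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"feed output lacks columns: {sorted(missing)}")
    counts = Counter()
    for row in reader:
        if row["value"].strip():
            counts[row["type"]] += 1
    if not counts:
        raise ValueError("feed run produced no observables; check the datasets and Run now")
    return dict(counts)


def fetch_latest_run(base_url: str, api_token: str, feed_id: int, timeout: int = 30) -> str:
    """Download the latest run of the feed with the automation user's API token.

    The endpoint path and the Bearer header are assumptions; adjust them to your
    Intelligence Center version. The token is a secret: read it from an
    environment variable or a vault, never hard-code it. Not called by default.
    """
    url = f"{base_url.rstrip('/')}/api/v2/outgoing-feed-download/{feed_id}/runs/latest"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {api_token}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:  # use HTTPS in practice
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    fid = feed_id_from_url("https://ic.example.com/main/configuration/outgoing-feeds?detail=42")
    print("feed id:", fid)
    print("observables per type:", summarize_observables_csv(SAMPLE_CSV))
```

Run it offline as-is to exercise the parsing; to check a live feed, call `fetch_latest_run(base_url, token, fid)` and pass its return value to `summarize_observables_csv()`. An HTTP 401 or 403 on that call usually means the automation user is not in one of the feed's Authorized groups.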

Next step: automate enrichment

With ingestion set up, you can automate the enrichment of intelligence in Chronicle.