The Integration guide is intended to help administrators understand the process of ingesting security signals from Google services, specifically Google Chrome, into Okta ITP using Google SecOps. This guide will walk through the necessary configurations to collect, analyze, and respond to security events originating from managed Chrome browsers.


NOTE: Though the document focuses on integrating Chrome signals into Okta ITP, the connection between Google SecOps and Okta can be expanded to include any Google service. Please refer to the last section of this document to see how this solution can be extended for your use case. 

Prerequisite: 

This system uses several critical components. Please make sure you have the following components ready when you begin the integration 

• Google Admin Accounts: Central control for managing Google services and users, configuring settings, and enforcing policies. 

• Chrome Enterprise (managed browser): Centrally managed Chrome browser allowing IT administrators to control policies, extensions, and updates for browsing.

• Okta Tenant (ITP enabled) is a dedicated instance of Okta with Identity Threat Protection (ITP) enabled. 

Google Cloud Account (Google SecOps): Access to GCP services, and configured the security operations (SecOps) service to respond to security threats within the Google ecosystem.

Enable Chrome managed browser reporting 

Access the Google Admin console, 

1. Open your web browser and navigate to admin.google.com, and log in with your administrator credentials
2. Go to the Devices section in the left-hand navigation pane and click on it. 
3. Select Chrome from the dropdown options. 
4. Find User & Browser Settings on the right-hand panel.

5. Enable Managed Browser cloud reporting within the browser reporting section by clicking on the Managed browser reporting.

6. Select Enable managed browser cloud reporting in the section.

Once enabled, reporting data like security events will appear in your Google Admin console for all managed Chrome instances.

You can change the managed browser reporting upload frequency; security events are transmitted in real-time. Go to the Event Reporting section in Browser reporting:

To enable event reporting:

1. Navigate to the Event Reporting section.
2. Select Enable event reporting.
3. Within Additional settings, choose All Types for events.
4. Ensure the following optional event types are checked with a URL pattern of "\*":
   • Login
   • Password Breach
5. Additionally, confirm that Extension telemetry reports is checked.

Configure Chronicle connector 

The Chronicle connector ingests Chrome browser log data into Google Chronicle SIEM, enabling centralized visibility of user activity, security events, and browser telemetry.

1. Go to Devices, expand the Chrome section, and click on Connectors. 

2. Then, click +New Provider Configuration, choose Google SecOps Operations, and click Setup.

Configure Google SecOps setup: 

1. Enter the configuration name. 
2. Use the API key shared by your administrator or Google customer engineer.
3. Use the host name based on the Google SecOps regional endpoint. 
4. Click Test connection to check the connectivity. 
5. Select all events or pick and choose which events you want to share with Google SecOps. 
6. Click Add configuration to save the connector.

7. To confirm the connection, click Test Connection. A Connection successful message will appear upon validation.

8. After adding the configuration, navigate to Organizational Units. Check the Reporting connector checkbox for Google Security Operations, then click Save.

Until here, we have successfully configured the managed browser and event reporting, including specific events like login and password breaches in Chrome. We have also integrated the Google SecOps connector to transmit Chrome signals. This setup involved configuring the connector with an API key and hostname, testing the connection, and selecting the relevant events to be shared with Google SecOps.

How Google SecOps Works

Google SecOps, formerly Google Chronicle Security Operations, is a security platform that unifies SIEM and SOAR capabilities. It helps security teams detect, investigate, and respond to cyber threats at scale. By ingesting vast amounts of security telemetry, Google SecOps normalizes and analyzes the data, providing analysts with instant context on risky activity.

Google SecOps ingests and processes large volumes of security data from various sources, including Chrome, Workspace, and GCP. This data is normalized using a Universal Data Model (UDM), which converts diverse log formats into a single, standardized schema, facilitating easier correlation and analysis of information from disparate sources.

The platform's core functions include:

• Data Collection: gathers security telemetry through integrations.
• Threat Detection: Detection engine with built-in and custom rules to identify known and potential threats.
• Investigation: Analyse the aggregated data to investigate the scope and cause of a threat.

Response: Automated workflows and playbooks to quickly respond to and remediate security incidents.

High-Level Concepts 

Rules: Google SecOps rules, written in YARA-L, define conditions that trigger threat detections in security data. These rules can detect malware or unusual logins, based on single or multiple events 

SIEM (Security Information and Event Management): A centralized security data collection and analysis. Benefits include massive scalability, sub-second search speeds, and improved data correlation via UDM.

SOAR (Security Orchestration, Automation, and Response): Integrated with SIEM, Google SecOps SOAR automates incident response. It orchestrates security tools, automates tasks with "playbooks" (predefined workflows), and speeds up threat response. The SIEM and SOAR integration creates a seamless threat management lifecycle.

Configure Google SecOps

To create a rule in Google SecOps:

1. Log in to the Google SecOps Console.
2. Click on the top-left corner.
3. Select the Detection tab.
4. Select Rules and Detections under the detection use case.

5. Click on the Rules Editor and click NEW to create a new rule.

6. Once you hit NEW, you will see a new rule editor open. As part of the editor, copy and paste the following rule for catching the Chrome events:

   // This rule is designed to detect and alert security events generated // by Google Chrome Management. These events are indicators of
   // user activity that could lead to a compromise user identity
   
   
   rule alert_chrome_management_bad_events {
     meta:
       author = "Google SecOps Gemini"
        // A brief, human-readable description of the rule's purpose.
       description = "Chrome Management bad events"
       // The severity of the alert, helping prioritize investigations.
       severity = "MEDIUM"
     
       // The 'events' section defines the log data we are looking for.
       // We use the '$e' variable to represent a single log event.
     events:
        // This line uses a regular expression to match specific event types.
        $e.metadata.product_event_type = /badNavigationEvent|contentTransferEvent|passwordReuseEvent|browserExtensbionInstallEvent|dangerousDownloadEvent/ nocase
       // We narrow down the events to only those from the Google vendor.
       $e.metadata.vendor_name = "Google"
       // And finally, we specify the exact product log source.
       $e.metadata.product_name = "Chrome Management"
       
     // The 'outcome' section defines the data points we want to extract from the
     // matched events and include in the final detection.
     outcome:
       // Capture the general event type.
       $event_type = $e.metadata.event_type
       // Capture the specific product event type that triggered the rule.
       $product_event_type = $e.metadata.product_event_type
       // Identify the user associated with the event. This is crucial for investigations.
       $user = $e.principal.user.userid
       // Assign a static risk score to the detection. This can be used in SOAR playbooks
       // to trigger specific automated actions.
       $risk_score = 8
       
     // The 'condition' section is where you define the logic for triggering the rule.
     condition:
       // The condition is met if a single event ($e) matches all the criteria
       // defined in the 'events' section.
       $e
   }

7. Once the rule is created, enable Live Rule and Alerting in the Rules Editor section.

This rule identifies alerts within Google SecOps and automatically generates a corresponding case in the Google SecOps SOAR service.

You would also notice the SOAR Case created in Google SecOps’s SOAR search dashboard.

Okta integration in Google SecOps

The Okta connector for Google SecOps (Chronicle SOAR) strengthens security orchestration by integrating security findings with the Okta ecosystem. This integration enables automated response playbooks, and Okta Actions further extend and customize security flows. This feature allows for the addition of fine-grained logic or integrations at runtime, thereby enhancing security measures.

1. To integrate your Okta tenant with Google SecOps, begin by adding the Okta Integration.
2. Next, navigate to Responses and select Integration Setup.

3. In the top right corner, click the + and add the Okta instance.

NOTE: Once the integration is added, make sure you are using version 9.0, as it will include the latest Okta ITP changes. 

Follow the instructions from Configure Okta to work with Google Security Operations to fill in all configuration parameters for Okta integration.

At the end of the setup, your Okta integration configuration should look like:

4. Create an SSF receiver for Signals from Google SecOps. 

Setting Google as the ITP Transmitter in Okta

1. In the Okta Admin Console, navigate to Security and then click on Device Integrations.

2. Establish a stream for receiving shared signals from Google SecOps. 

Okta Identity Threat Protection (ITP) needs a JWKS URL to securely validate threat signals from external security providers. The external provider signs a JSON Web Token (JWT) containing threat data using a private key. Okta ITP fetches the corresponding public key from the JWKS URL to verify the JWT's signature. This cryptographic validation ensures the authenticity and integrity of the incoming threat signals.

3. Once you have obtained the JWK and Issuer URLs, input the information and select Create.

We have successfully configured Chrome events to Google SecOps and prepared both the Okta receiver and Google SecOps for connection to Okta. The next step is to create a SOAR playbook. This playbook will be designed to capture alerts from cases created in Google SecOps and forward events to Okta.

Google SecOps SOAR Playbook

1. Go to the Playbook section of Google SecOps and click on Playbook.

2. Click + to create a new playbook, keep the default option, and hit Create.  

3. Within the Playbook, create a Custom Alert by dragging the Custom Trigger Card onto the playbook. Then, click the small pencil icon on the custom trigger to edit the rule.

4. Generate the custom trigger.

5. Configure the following parameters and then click Save:

   • [Event.event_metadata_productName] = Chrome Management

   • [Alert.Name] = ALERT_CHROME_MANAGEMENT_BAD_EVENTS

   This rule activates a custom alert in the playbook, notifying Okta Integration of a pre-tagged 'bad event' originating from Chrome Management.

6. Next, navigate to the Action tab. Expand the Okta section and select the Send ITP Signals to Okta card to add an Okta Action.

7. To configure the Okta ITP Action Card, double-click it. Upon opening, you will see default values that are for reference only. Replace these with the correct parameter values and save your changes.

8. Enter the Playbook name and hit Save to save the playbook.

Testing Scenario

As detailed in the rules section, Google SecOps can detect malicious navigation attempts (visits to suspicious sites) or browser extension installation events (installing Chrome extensions on a managed Chrome browser). Such incidents will generate a case in the SOAR Case dashboard.

Select the case ID that was generated based on your action, and you will notice the case details:

When you select the Okta ITP Action of the playbook, you will notice the Chrome event was successfully shared with Okta.  

To verify that the event was shared with Okta, examine the Okta System logs. You should find log events originating from Google SecOps within Okta's syslog.

Conclusion

This guide outlines a strong integration solution to improve an organization's security. It connects Google Chrome's security data with Okta Identity Threat Protection (ITP) using Google SecOps.

Using managed Chrome browser reports and a detailed Google SecOps setup, organizations can monitor security events. Google SecOps rules, along with its SIEM and SOAR features, help security teams find, investigate, and respond to cyber threats.
The Okta integration in Google SecOps, which includes a SOAR playbook that sends ITP signals to Okta, ensures that important Chrome security events are not just found but also acted on in an organized and automated way. This full approach provides strong protection against identity-based threats, offering better threat information and quicker incident response across Google products. 

Enhancement  

This document focuses on integrating Chrome signals into Okta ITP, but the connection between Google SecOps and Okta can be expanded to include any Google service. The "Send Signals to the ITP" action card within Google SecOps can be incorporated into any playbook designed in Google SecOps. These playbooks can then be linked to alerts or signals originating from the Google ecosystem.

Enhanced Security Posture: Integrating Google Services with Google SecOps and Okta ITP

This document outlines the process for integrating various Google services with Google SecOps for centralized security monitoring and leveraging Okta ITP (Identity Threat Protection) for automated response and identity-driven insights. Combining these powerful platforms enables organizations to achieve a more comprehensive and proactive security posture.

To enable robust reporting of security events and activity from Google services into Google SecOps:

1. Configure Google SecOps Connectors for Seamless Data Ingestion: The initial step involves establishing a connection with Google SecOps for each Google service you wish to monitor. For instance, you might configure connectors for Google Workspace, Google Cloud Platform (GCP). A significant advantage is that many Google services offer out-of-the-box connectivity with Google SecOps, significantly simplifying the setup process and accelerating time to value. These connectors are responsible for ingesting logs, alerts, and other security telemetry from the designated Google services into the Google SecOps platform for analysis.

2. Define Granular Rules in Google SecOps for Actionable Event Detection: Once data is flowing into Google SecOps, the next crucial step is to define specific and actionable rules. These rules are designed to identify and capture security events from your chosen Google services. For example, you might create rules to detect unusual login attempts, privilege escalation, or data exfiltration attempts. When a predefined condition is met, these rules will automatically generate alerts and create detailed cases within Google SecOps, providing a centralized view of potential threats.

3. Automate Incident Response with Playbooks and Okta ITP Integration: To streamline and accelerate incident response, these generated cases should be intelligently attached to pre-configured playbooks within Google SecOps. These playbooks represent automated workflows designed to handle specific types of security incidents. A key component of these playbooks, especially for identity-related threats, is the inclusion of an Okta Action card. This card enables the playbook to send relevant Okta ITP events directly to your Okta system logs. This integration allows for real-time communication between Google SecOps and Okta, facilitating actions such as suspicious user activity. 

This highly effective integration pattern can be applied to multiple Google services, providing a unified and comprehensive security monitoring and response framework across your entire Google ecosystem.