# Google Security Operations

> Configure Google Security Operations (Chronicle) SIEM integration with RAD Security for unified threat intelligence.

# Google Security Operations Integration Setup

This guide walks you through enabling the required API, creating a least-privilege custom role, and gathering the information required to connect your Google Security Operations instance as a SIEM with RAD Security.

Google Security Operations (formerly Chronicle) provides cloud-native threat detection, investigation, and response at scale, with deep integration into the Google Cloud ecosystem.

## Prerequisites

Before you begin, ensure you have:

<Check>
  * A [Google Security Operations instance provisioned](https://cloud.google.com/chronicle/docs/onboard) in a Google Cloud project
  * Access to the Google Cloud Console with permissions to enable APIs, create custom IAM roles, and create service accounts
  * Access to a RAD Security workspace with integration permissions
</Check>

<Warning>
  **Chronicle API Required:** The Chronicle API must be enabled on your Google Cloud project before creating the custom role. Without it, the IAM permissions used in this guide will not appear in the role editor.
</Warning>

***

## Understanding Integration Components

The Google Security Operations integration uses a Google Cloud service account authenticated with a JSON key:

<AccordionGroup>
  <Accordion title="Custom IAM Role (Recommended)" icon="shield-halved">
    **Purpose:** Limit the service account to only the permissions RAD Security needs

    **Use Case:** Follow the principle of least privilege when granting access to your Security Operations data

    **Alternative:** The built-in **Chronicle API Admin** role works but grants far more access than required
  </Accordion>

  <Accordion title="Service Account & JSON Key" icon="key">
    **Purpose:** Authenticate RAD Security to your Google Security Operations instance

    **Use Case:** Provide a non-user identity that can be rotated and audited independently

    **Authentication:** OAuth 2.0 service account with a downloaded JSON key file
  </Accordion>
</AccordionGroup>

***

## Step 1: Enable the Chronicle API

<Steps>
  <Step title="Sign in to Google Cloud Console">
    Sign in to the [Google Cloud Console](https://console.cloud.google.com) with an account that has permission to enable APIs on your project.
  </Step>

  <Step title="Open the API Library">
    Navigate to **APIs & Services → Library**.
  </Step>

  <Step title="Find the Chronicle API">
    Search for **Chronicle API** in the library.
  </Step>

  <Step title="Enable the API">
    Click **Enable**. Wait for the API to finish enabling before continuing.
  </Step>
</Steps>

***

## Step 2: Gather your Security Operations values

<Steps>
  <Step title="Note your Project ID">
    Open the project picker at the top left of the Google Cloud Console. Filter or find your project in the list and copy the **ID** value to a safe location.

    <Note>
      The Project ID is distinct from the project name and project number. Make sure you copy the ID.
    </Note>
  </Step>

  <Step title="Open Google SecOps">
    From the console search bar, navigate to **Google SecOps**.
  </Step>

  <Step title="Open Instance Details">
    On the Overview page, expand the **Instance Details** section.
  </Step>

  <Step title="Copy Customer ID and Region">
    Record the following values to a safe location:

    * **Customer ID**
    * **Region** (typically `us` or `eu`)
  </Step>
</Steps>

***

## Step 3: Create a Limited Permissions Role

<Info>
  You can skip this step and use the built-in **Chronicle API Admin** role instead, but that grants far more access than RAD Security requires.
</Info>

<Steps>
  <Step title="Open the IAM Roles editor">
    Follow the Google documentation to [create a custom role](https://cloud.google.com/iam/docs/creating-custom-roles#creating) in the IAM application.
  </Step>

  <Step title="Configure role metadata">
    Provide the following values:

    | Field                 | Value                                                    |
    | --------------------- | -------------------------------------------------------- |
    | **Title**             | A descriptive title (e.g., "RAD Security SecOps Reader") |
    | **Description**       | A short description of the role's purpose                |
    | **ID**                | A unique role ID                                         |
    | **Role launch stage** | General Availability                                     |
  </Step>

  <Step title="Add the required permissions">
    Locate and add the following permissions:

    | Permission                                  | Required                      |
    | ------------------------------------------- | ----------------------------- |
    | `chronicle.events.import`                   | Only if using event ingestion |
    | `chronicle.events.udmSearch`                | Yes                           |
    | `chronicle.logTypes.list`                   | Yes                           |
    | `chronicle.legacies.legacySearchDetections` | Yes                           |
    | `chronicle.legacies.legacyGetDetection`     | Yes                           |

    <Note>
      This list may expand as RAD Security adds features to the Google Security Operations connector.
    </Note>
  </Step>

  <Step title="Create the role">
    Click **Create** to save the custom role.
  </Step>
</Steps>
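
To confirm the saved role matches the permission table above, the following added example (not RAD Security's or Google's code) audits the JSON printed by `gcloud iam roles describe ROLE_ID --project=PROJECT_ID --format=json`. The function name, the sample role, and the extra permission in it are constructed for illustration.

```python
import json

# Permissions from the Step 3 table.
REQUIRED = {
    "chronicle.events.udmSearch",
    "chronicle.logTypes.list",
    "chronicle.legacies.legacySearchDetections",
    "chronicle.legacies.legacyGetDetection",
}
INGESTION = "chronicle.events.import"  # only if using event ingestion

def audit_role(role_json, ingestion_enabled):
    """Compare a custom role's permissions with the Step 3 list."""
    role = json.loads(role_json)
    # includedPermissions may be absent when the role has no permissions.
    granted = set(role.get("includedPermissions", []))
    wanted = REQUIRED | ({INGESTION} if ingestion_enabled else set())
    return {
        "missing": sorted(wanted - granted),   # causes permission denied
        "excess": sorted(granted - wanted),    # least-privilege drift
        "disabled": bool(role.get("stage") == "DISABLED" or role.get("deleted")),
    }

# Constructed sample of the describe output (hypothetical role ID).
SAMPLE_ROLE = json.dumps({
    "name": "projects/my-secops-project/roles/radSecuritySecOpsReader",
    "title": "RAD Security SecOps Reader",
    "stage": "GA",
    "includedPermissions": [
        "chronicle.events.import",
        "chronicle.events.udmSearch",
        "chronicle.logTypes.list",
        "chronicle.legacies.legacySearchDetections",
        "resourcemanager.projects.get",
    ],
})

if __name__ == "__main__":
    print(audit_role(SAMPLE_ROLE, ingestion_enabled=False))
```

Anything reported under `excess` is access the connector does not need for the features listed in this guide.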

***

## Step 4: Create a Service Account

<Steps>
  <Step title="Create a new service account">
    Follow the Google documentation to [create a new service account](https://cloud.google.com/iam/docs/service-accounts-create#creating).
  </Step>

  <Step title="Assign the role">
    When prompted to assign a role, select either:

    * The custom role created in Step 3 (recommended), or
    * The built-in **Chronicle API Admin** role

    There is no need to assign additional users or admins to the service account unless desired.
  </Step>

  <Step title="Create a service account key">
    Follow the Google documentation to [create a service account key](https://cloud.google.com/iam/docs/keys-create-delete#iam-service-account-keys-create-console). This downloads a JSON file containing the values needed to authenticate with Google.
  </Step>

  <Step title="Extract the credential values">
    From your downloaded key file, record the following values to a safe location:

    * **Client ID** (`client_id`)
    * **Client Email** (`client_email`)
    * **Private Key** (`private_key`)

    <Warning>
      **Store the key file securely.** Anyone with access to this file can authenticate as the service account. Treat it like a password and store it in a secrets vault.
    </Warning>
  </Step>
</Steps>

***

## Step 5: Configure in RAD Security

Navigate to your RAD Security workspace and configure the Google Security Operations integration with the following parameters:

| Parameter         | Required | Description                                                                                   | Example                                                         |
| ----------------- | -------- | --------------------------------------------------------------------------------------------- | --------------------------------------------------------------- |
| **Client ID**     | Yes      | The `client_id` value from your service account key file (Step 4)                             | `123456789012345678901`                                         |
| **Client Secret** | Yes      | The `private_key` value from your service account key file (Step 4)                           | `-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n` |
| **Client Email**  | Yes      | The `client_email` value from your service account key file (Step 4)                          | `rad-security@my-project.iam.gserviceaccount.com`               |
| **Customer ID**   | Yes      | The Customer ID gathered in Step 2                                                            | `01234567-89ab-cdef-0123-456789abcdef`                          |
| **Project ID**    | Yes      | The GCP Project ID gathered in Step 2                                                         | `my-secops-project`                                             |
| **Region**        | No       | The Region gathered in Step 2                                                                 | `us` or `eu`                                                    |
| **Base URL**      | No       | Leave blank in most cases — RAD Security constructs the region-specific API URL automatically | `https://us-chronicle.googleapis.com`                           |
| **Token URL**     | No       | Leave blank to use the default Google OAuth 2.0 token endpoint                                | `https://oauth2.googleapis.com/token`                           |

<Note>
  **About the Client Secret field:** For Google service accounts, the Client Secret value is the full PEM-encoded `private_key` string from your downloaded key file — not a typical OAuth client secret. Include the `-----BEGIN PRIVATE KEY-----` / `-----END PRIVATE KEY-----` delimiters and embedded newlines exactly as they appear in the file.
</Note>
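
Before copying values into the form, the key file can be checked for the problems listed under **Authentication Failed** in the Troubleshooting section (missing fields, damaged PEM newlines, wrong project). This is an added example, not RAD Security's code; it inspects the decoded key-file values only, and the function names and sample key are constructed.

```python
import json
import re

PEM_BEGIN = "-----BEGIN PRIVATE KEY-----"
PEM_END = "-----END PRIVATE KEY-----"

def check_private_key(pem):
    """Problems with a decoded private_key value (the Client Secret)."""
    if "\\n" in pem:
        return ["private_key holds literal \\n text instead of newlines"]
    lines = pem.strip().splitlines() or [""]
    if lines[0] != PEM_BEGIN or lines[-1] != PEM_END:
        return ["PEM delimiters missing or not on their own lines"]
    body = lines[1:-1]
    if not body or not all(re.fullmatch(r"[A-Za-z0-9+/=]+", l) for l in body):
        return ["PEM body is empty or not base64"]
    return []

def check_key_file(raw_json, project_id):
    """Return a list of problems found in a service account key file."""
    try:
        key = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(key, dict):
        return ["top level is not a JSON object"]
    problems = []
    if key.get("type") != "service_account":
        problems.append("type is not service_account")
    for field in ("client_id", "client_email", "private_key"):
        if not isinstance(key.get(field), str) or not key[field].strip():
            problems.append(f"missing field: {field}")
    pem = key.get("private_key")
    if isinstance(pem, str) and pem.strip():
        problems += check_private_key(pem)
    if key.get("project_id") != project_id:
        problems.append(f"project_id is {key.get('project_id')!r}, expected {project_id!r}")
    return problems

# Constructed sample: placeholder values; the PEM body is not a real key.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "my-secops-project",
    "client_id": "123456789012345678901",
    "client_email": "rad-security@my-secops-project.iam.gserviceaccount.com",
    "private_key": f"{PEM_BEGIN}\nQ09OU1RSVUNURUQ=\n{PEM_END}\n",
})
```

The checker returns problem descriptions only and never prints key material, so its output is safe to paste into a ticket.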

<Info>
  **Custom Base URL:** Only set the Base URL field if you are targeting a non-standard instance of the Google Cloud Platform. If supplying a custom value, provide the root URL without any paths — for example `https://us-chronicle.googleapis.com`.
</Info>

***

## Verify Integration

After completing the setup, verify your integration is working:

### Verify Query Capability

1. Run a test query from RAD Security
2. Verify Google Security Operations data appears correctly
3. Check that results are properly formatted

### Verify Data Ingestion

If you enabled event ingestion (`chronicle.events.import`):

1. Trigger a test event in RAD Security
2. Search for the event in Google Security Operations
3. Verify the event appears with correct UDM formatting

<Check>
  Your Google Security Operations integration is now configured! RAD Security can query your Security Operations instance and forward events to it, based on your configuration.
</Check>

## What Data is Synced

<AccordionGroup>
  <Accordion title="Data Queried from Google Security Operations" icon="magnifying-glass">
    RAD Security can query the following:

    * UDM events and search results
    * Detections from legacy detection rules
    * Available log types in your instance
    * Historical security telemetry
  </Accordion>

  <Accordion title="Data Sent to Google Security Operations" icon="cloud-arrow-up">
    RAD Security can forward the following when event ingestion is enabled:

    * Runtime security events
    * Container and cloud activity
    * Policy violations
    * Threat detections
    * Incident data
    * Custom security events
  </Accordion>
</AccordionGroup>

## Use Cases

<CardGroup cols={2}>
  <Card title="Unified Threat Intelligence" icon="brain">
    Correlate Google Security Operations telemetry with RAD Security's runtime insights for comprehensive threat detection.
  </Card>

  <Card title="Cross-Platform Detection" icon="diagram-venn">
    Detect threats that span Google Cloud, endpoints, and containerized infrastructure using unified data sources.
  </Card>

  <Card title="Enhanced Investigation" icon="magnifying-glass-chart">
    Pivot from RAD Security runtime context into Google Security Operations' investigation tools.
  </Card>

  <Card title="Centralized SIEM" icon="building">
    Use Google Security Operations as a central SIEM for all security events including container and cloud workloads.
  </Card>
</CardGroup>

## Troubleshooting

<AccordionGroup>
  <Accordion title="Permissions Not Available in Role Editor" icon="shield-exclamation">
    **Possible causes:**

    * Chronicle API not enabled on the project
    * Wrong project selected in the console

    **Solution:**

    * Confirm you are working in the correct Google Cloud project
    * Re-enable the Chronicle API under **APIs & Services → Library**
    * Wait a few minutes after enabling before reopening the role editor
  </Accordion>

  <Accordion title="Authentication Failed" icon="triangle-exclamation">
    **Possible causes:**

    * Client Email, Client ID, or Client Secret copied incorrectly
    * Service account key was deleted or rotated
    * Service account is missing the required role
    * Newline characters stripped from the Client Secret (private key)

    **Solution:**

    * Verify all three credential values come from the same key file
    * Ensure the Client Secret includes the `-----BEGIN PRIVATE KEY-----` and `-----END PRIVATE KEY-----` lines and embedded newlines
    * Confirm the service account still has the custom role or **Chronicle API Admin** assigned
    * Generate a new service account key if needed
  </Accordion>

  <Accordion title="Permission Denied on Queries" icon="lock">
    **Possible causes:**

    * Custom role missing one or more required permissions
    * Service account assigned a different role
    * Project ID mismatch

    **Solution:**

    * Verify the custom role includes `chronicle.events.udmSearch`, `chronicle.logTypes.list`, `chronicle.legacies.legacySearchDetections`, and `chronicle.legacies.legacyGetDetection`
    * Confirm the Project ID configured in RAD Security matches the project where the service account lives
    * Re-bind the role to the service account if it was removed
  </Accordion>

  <Accordion title="Event Ingestion Failing" icon="database-slash">
    **Possible causes:**

    * `chronicle.events.import` permission missing
    * Region mismatch
    * Customer ID incorrect

    **Solution:**

    * Add `chronicle.events.import` to the custom role
    * Verify the Region (`us`, `eu`, etc.) matches your Security Operations instance
    * Re-check the Customer ID from **Instance Details**
  </Accordion>

  <Accordion title="Regional Endpoint Issues" icon="globe">
    **Possible causes:**

    * Wrong Region value supplied
    * Custom URL pointing to the wrong region

    **Solution:**

    * Confirm the Region from the **Instance Details** page in Google SecOps
    * Leave the Base URL field blank unless you have a specific reason to override it
    * If overriding, supply the root URL only — for example `https://us-chronicle.googleapis.com`
  </Accordion>
</AccordionGroup>

## Security Best Practices

<CardGroup cols={2}>
  <Card title="Use a Custom Role" icon="shield-halved">
    Prefer the least-privilege custom role over the built-in Chronicle API Admin role.
  </Card>

  <Card title="Rotate Service Account Keys" icon="rotate">
    Periodically rotate service account keys as part of normal security hygiene.
  </Card>

  <Card title="Secure Credential Storage" icon="lock">
    Store the JSON key file in a secrets vault. Never commit it to source control.
  </Card>

  <Card title="Dedicated Service Account" icon="user-shield">
    Use a service account dedicated to RAD Security rather than sharing one across integrations.
  </Card>

  <Card title="Monitor API Usage" icon="chart-line">
    Review service account activity in Google Cloud audit logs to detect anomalous behavior.
  </Card>

  <Card title="Audit Access" icon="clipboard-list">
    Periodically review service accounts and remove any that are no longer in use.
  </Card>
</CardGroup>

## Additional Resources

<CardGroup cols={2}>
  <Card title="Google Security Operations Onboarding" icon="book" href="https://cloud.google.com/chronicle/docs/onboard">
    Official Google documentation for provisioning a Security Operations instance
  </Card>

  <Card title="Create a Custom IAM Role" icon="shield-halved" href="https://cloud.google.com/iam/docs/creating-custom-roles#creating">
    Google documentation for creating custom IAM roles
  </Card>

  <Card title="Create a Service Account" icon="user-shield" href="https://cloud.google.com/iam/docs/service-accounts-create#creating">
    Google documentation for creating service accounts
  </Card>

  <Card title="Create a Service Account Key" icon="key" href="https://cloud.google.com/iam/docs/keys-create-delete#iam-service-account-keys-create-console">
    Google documentation for generating service account keys
  </Card>
</CardGroup>

## Next Steps

<CardGroup cols={2}>
  <Card title="SIEM Integrations Overview" icon="chart-line" href="/rad-security/integrations/siem/overview">
    Explore other SIEM integration options
  </Card>

  <Card title="Runtime Security" icon="shield" href="/rad-security/integrations/runtime-security">
    Learn what runtime events are sent to your SIEM
  </Card>

  <Card title="Threat Models" icon="crosshairs" href="/rad-security/security-and-compliance/overview">
    Understand how threats are detected and classified
  </Card>

  <Card title="Alerts & Incidents" icon="bell" href="/rad-security/platform/workspace">
    Configure alert rules to forward to your SIEM
  </Card>
</CardGroup>
