SIEM Integration

Google Chronicle Integration

Forward database audit events to Google Chronicle Security Operations. Leverage Chronicle's petabyte-scale analytics and YARA-L rules for advanced threat detection.

UDM Format

Events mapped to Chronicle's Unified Data Model for consistent threat detection.

YARA-L Rules

Create detection rules using Chronicle's powerful YARA-L query language.

Entity Graphs

Visualize relationships between database users, IPs, and assets for investigation.

Configuration Reference

1 Connection Settings

Field Type Required Default Description
name string Yes - A unique name for this SIEM connection (e.g., "chronicle-prod")
provider select Yes chronicle SIEM provider - select "Google Chronicle"
enabled boolean No true Enable or disable event forwarding
ingestion_api_url string Yes - Chronicle ingestion API endpoint (e.g., "https://malachiteingestion-pa.googleapis.com")
service_account_json password Yes - Google Cloud service account JSON key with Chronicle API access

2 Chronicle-Specific Settings

Field Type Required Default Description
customer_id string Yes - Chronicle customer ID (UUID format)
log_type string No DBAUDIT Chronicle log type identifier
namespace string No - Optional namespace for multi-tenant environments
labels object No - Additional labels to attach to events (e.g., {"env": "production"})

3 Event Filtering

Field Type Required Default Description
event_types multiselect No all Event types to forward: audit_events, alerts, ai_detections, policy_violations, classification_findings
severity_filter multiselect No all Filter by severity: critical, warning, info
database_filter array No - Limit to specific databases (empty = all databases)

4 Batching & Reliability

Field Type Required Default Description
batch_size number No 100 Number of events per batch (1-1000)
flush_interval_seconds number No 30 Maximum time between flushes (5-300 seconds)
retry_attempts number No 3 Number of retry attempts on failure
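The following is an added example, not DB Audit's own code, showing how the event-filtering and batching settings from the tables above fit together: events are filtered by type, severity and database, buffered until batch_size or flush_interval_seconds is reached, and then handed to a sender as the same {customerId, logType, entries[].logText} payload the ingestion API's batchCreate call takes. The sender is injected (here it just records payloads) so the example runs offline; the customer ID is a placeholder, and the field names on the internal event (event_type, severity, database) are assumptions.

```python
"""Added example (not part of DB Audit): filtering, batching and retry
semantics for forwarding audit events to Chronicle. Runs offline."""
import json
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Event = Dict[str, object]


@dataclass
class ForwardingConfig:
    # Names mirror the configuration reference; values are constructed.
    customer_id: str = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real ID
    log_type: str = "DBAUDIT"
    event_types: Optional[List[str]] = None      # None means "all"
    severity_filter: Optional[List[str]] = None  # None means "all"
    database_filter: Optional[List[str]] = None  # None or [] means all databases
    batch_size: int = 100
    flush_interval_seconds: int = 30
    retry_attempts: int = 3

    def __post_init__(self) -> None:
        # Enforce the documented ranges so a typo cannot silently disable batching.
        if not 1 <= self.batch_size <= 1000:
            raise ValueError("batch_size must be between 1 and 1000")
        if not 5 <= self.flush_interval_seconds <= 300:
            raise ValueError("flush_interval_seconds must be between 5 and 300")
        if self.retry_attempts < 0:
            raise ValueError("retry_attempts must be >= 0")


def should_forward(cfg: ForwardingConfig, event: Event) -> bool:
    """Apply the three event-filtering settings (empty list / None = no filter)."""
    if cfg.event_types and event.get("event_type") not in cfg.event_types:
        return False
    if cfg.severity_filter and event.get("severity") not in cfg.severity_filter:
        return False
    if cfg.database_filter and event.get("database") not in cfg.database_filter:
        return False
    return True


class ChronicleBatcher:
    """Buffers filtered events and sends them in batches. `sender` receives the
    batchCreate payload; a real sender would POST it with a bearer token."""

    def __init__(self, cfg: ForwardingConfig, sender: Callable[[dict], None],
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.cfg = cfg
        self.sender = sender
        self.clock = clock
        self.buffer: List[Event] = []
        self.dead_letter: List[Event] = []  # batches that exhausted every retry
        self.last_flush = clock()
        self.attempts = 0                   # total sender calls (metrics/tests)

    def add(self, event: Event) -> bool:
        """Queue an event if it passes the filters. Returns True only when this
        call triggered a flush that was delivered successfully."""
        if not should_forward(self.cfg, event):
            return False
        self.buffer.append(event)
        if len(self.buffer) >= self.cfg.batch_size:
            return self.flush()
        return self.flush_if_due()

    def flush_if_due(self) -> bool:
        """Time-based flush so a quiet database still ships its events."""
        if self.buffer and self.clock() - self.last_flush >= self.cfg.flush_interval_seconds:
            return self.flush()
        return False

    def flush(self) -> bool:
        """Send the buffered events, retrying up to retry_attempts times."""
        if not self.buffer:
            return False
        batch, self.buffer = self.buffer, []
        payload = {
            "customerId": self.cfg.customer_id,
            "logType": self.cfg.log_type,
            "entries": [{"logText": json.dumps(e, sort_keys=True)} for e in batch],
        }
        for _ in range(1 + self.cfg.retry_attempts):
            self.attempts += 1
            try:
                self.sender(payload)
                self.last_flush = self.clock()
                return True
            except Exception:
                continue
        # Audit evidence is never dropped silently: park it for operator review.
        self.dead_letter.extend(batch)
        self.last_flush = self.clock()
        return False
```

Two design points worth noting: a batch that fails after all retries goes to a dead-letter list rather than being discarded, because a gap in forwarded audit events is itself a finding an analyst needs to know about; and the range checks in ForwardingConfig reject out-of-range values rather than clamping them, so a misconfiguration surfaces at startup instead of as a silently different batching behaviour.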

Setup Instructions

Step 1: Create Service Account

Create a Google Cloud service account with Chronicle API access.

# Create service account for Chronicle integration
gcloud iam service-accounts create dbaudit-chronicle \
    --display-name="DB Audit Chronicle Integration"

# Grant Chronicle ingestion permissions
gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="serviceAccount:dbaudit-chronicle@PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/chronicle.editor"

# Create and download JSON key
gcloud iam service-accounts keys create dbaudit-chronicle-key.json \
    --iam-account=dbaudit-chronicle@PROJECT_ID.iam.gserviceaccount.com

# The JSON key file will look like:
{
  "type": "service_account",
  "project_id": "your-project-id",
  "private_key_id": "key-id",
  "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n",
  "client_email": "dbaudit-chronicle@project.iam.gserviceaccount.com",
  "client_id": "123456789",
  ...
}

Security Note: Store the service account JSON key securely. Never commit it to version control.

Step 2: Get Chronicle Customer ID

Find your Chronicle customer ID in the Chronicle console settings.

  1. Log in to Chronicle console
  2. Navigate to Settings → SIEM Settings
  3. Copy your Customer ID (UUID format)

Step 3: Test Connection

Verify the service account can access the Chronicle ingestion API.

# Test Chronicle ingestion API
# First, get an access token by impersonating the service account
ACCESS_TOKEN=$(gcloud auth print-access-token \
    --impersonate-service-account=dbaudit-chronicle@PROJECT_ID.iam.gserviceaccount.com)

# Test ingestion endpoint; -w prints the HTTP status so a failure is visible
curl -sS -X POST "https://malachiteingestion-pa.googleapis.com/v2/unstructuredlogentries:batchCreate" \
    -H "Authorization: Bearer $ACCESS_TOKEN" \
    -H "Content-Type: application/json" \
    -w "\nHTTP %{http_code}\n" \
    -d '{
      "customerId": "YOUR_CUSTOMER_ID",
      "logType": "DBAUDIT",
      "entries": [
        {"logText": "{\"test\": \"event from dbaudit\"}"}
      ]
    }'

# Expected response: empty body on success (HTTP 200)
Step 4: Configure in DB Audit

Add the Google Chronicle integration in the DB Audit dashboard.

  1. Navigate to Integrations → SIEM in DB Audit
  2. Click Add SIEM Integration
  3. Select Google Chronicle as the provider
  4. Paste the service account JSON key
  5. Enter your Chronicle customer ID
  6. Select event types to forward
  7. Test the connection and save

Step 5: Create Detection Rules (Optional)

Create YARA-L rules to detect suspicious database activity.

// YARA-L Rule - Suspicious Database Data Access
// Detection → Rules → Create Rule

rule dbaudit_suspicious_data_exfiltration {
  meta:
    author = "DB Audit"
    description = "Detects queries returning large amounts of potentially sensitive data"
    severity = "HIGH"

  events:
    $e.metadata.vendor_name = "DBaudit"
    $e.metadata.event_type = "USER_RESOURCE_ACCESS"
    $e.additional.fields["rows_affected"] > 10000
    $e.additional.fields["contains_pii"] = "true"

  condition:
    $e
}

// YARA-L Rule - Failed Database Authentication
rule dbaudit_auth_brute_force {
  meta:
    author = "DB Audit"
    description = "Detects multiple failed authentication attempts from same IP"
    severity = "MEDIUM"

  events:
    $e.metadata.vendor_name = "DBaudit"
    $e.metadata.event_type = "USER_LOGIN"
    $e.security_result.action = "BLOCK"
    // Bind the source IP to a placeholder; only placeholders can be match variables
    $e.principal.ip = $ip

  match:
    $ip over 10m

  condition:
    #e > 5
}

// YARA-L Rule - Unusual Database Access Hours
rule dbaudit_off_hours_access {
  meta:
    author = "DB Audit"
    description = "Detects database access outside business hours"
    severity = "LOW"

  events:
    $e.metadata.vendor_name = "DBaudit"
    $e.metadata.event_type = "USER_RESOURCE_ACCESS"
    // Field comparisons belong in the events section; get_hour takes Unix seconds (UTC unless a time zone is given)
    (
      timestamp.get_hour($e.metadata.event_timestamp.seconds) < 6 or
      timestamp.get_hour($e.metadata.event_timestamp.seconds) > 22
    )

  condition:
    $e
}

Event Format (UDM)

Events are transformed to Chronicle's Unified Data Model (UDM) format for consistent analysis.

{
  "metadata": {
    "event_timestamp": "2024-01-15T10:30:45.123Z",
    "event_type": "USER_RESOURCE_ACCESS",
    "vendor_name": "DBaudit",
    "product_name": "Database Audit",
    "log_type": "DBAUDIT"
  },
  "principal": {
    "user": {
      "userid": "app_user",
      "user_display_name": "Application User"
    },
    "ip": ["10.0.1.50"],
    "application": "backend-api"
  },
  "target": {
    "resource": {
      "name": "customers",
      "resource_type": "DATABASE_TABLE",
      "attribute": {
        "labels": [
          {"key": "schema", "value": "public"},
          {"key": "database", "value": "production-postgres"}
        ]
      }
    }
  },
  "security_result": [
    {
      "severity": "MEDIUM",
      "category": "DATA_ACCESS",
      "summary": "SELECT query on customers table"
    }
  ],
  "additional": {
    "fields": {
      "db_type": "postgresql",
      "rows_affected": "1500",
      "contains_pii": "true",
      "data_types": "email,phone"
    }
  }
}
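As an added example (not DB Audit's own transformation code), the function below maps an internal audit record onto the UDM event shown above and checks the structural details that Chronicle's UDM schema fixes: principal.ip, security_result and attribute.labels are repeated fields, so they are emitted as lists, with labels as key/value pairs. The internal field names (ts_ms, action, client_ip, pii_columns and so on), the action-to-event-type mapping and the sample record are assumptions constructed for this example; the vendor, product, log type, severity and category values are the ones this page uses.

```python
"""Added example (not DB Audit code): internal audit record -> UDM event,
plus a structural check for the fields the searches and rules above rely on."""
from datetime import datetime, timezone
from typing import Dict, List

# Assumed DB Audit internal action names -> UDM metadata.event_type.
_EVENT_TYPE = {"query": "USER_RESOURCE_ACCESS", "login": "USER_LOGIN"}
# severity_filter values from the configuration reference -> UDM severities.
_SEVERITY = {"critical": "HIGH", "warning": "MEDIUM", "info": "LOW"}


def _rfc3339_ms(ts_ms: int) -> str:
    """Epoch milliseconds -> '2024-01-15T10:30:45.123Z' (integer math, no float rounding)."""
    when = datetime.fromtimestamp(ts_ms // 1000, tz=timezone.utc)
    when = when.replace(microsecond=(ts_ms % 1000) * 1000)
    return when.isoformat(timespec="milliseconds").replace("+00:00", "Z")


def to_udm(ev: Dict[str, object]) -> dict:
    """Build the UDM event from an internal audit record (field names assumed)."""
    result = {
        "severity": _SEVERITY[str(ev["severity"])],
        "category": str(ev.get("category", "DATA_ACCESS")),
        "summary": str(ev.get("summary", "")),
    }
    if ev["action"] == "login" and not ev.get("success", True):
        # The brute-force rule above keys on security_result.action = "BLOCK";
        # action is a repeated field in UDM, hence the list.
        result["action"] = ["BLOCK"]
    labels = {k: str(ev[k]) for k in ("schema", "database") if ev.get(k)}
    pii = list(ev.get("pii_columns", []))
    return {
        "metadata": {
            "event_timestamp": _rfc3339_ms(int(ev["ts_ms"])),
            "event_type": _EVENT_TYPE[str(ev["action"])],
            "vendor_name": "DBaudit",
            "product_name": "Database Audit",
            "log_type": "DBAUDIT",
        },
        "principal": {
            "user": {"userid": str(ev["user"])},
            "ip": [str(ev["client_ip"])] if ev.get("client_ip") else [],  # repeated in UDM
            "application": str(ev.get("application", "")),
        },
        "target": {
            "resource": {
                "name": str(ev.get("table", "")),
                "resource_type": "DATABASE_TABLE",
                # UDM labels are key/value pairs, not a free-form object.
                "attribute": {"labels": [{"key": k, "value": v} for k, v in labels.items()]},
            }
        },
        "security_result": [result],  # repeated in UDM
        "additional": {
            "fields": {  # additional.fields values are strings
                "db_type": str(ev.get("db_type", "")),
                "rows_affected": str(ev.get("rows_affected", 0)),
                "contains_pii": "true" if pii else "false",
                "data_types": ",".join(pii),
            }
        },
    }


def validate_udm(udm: dict) -> List[str]:
    """Return structural problems that typically surface as UDM parsing errors."""
    problems = []
    md = udm.get("metadata", {})
    for key in ("event_timestamp", "event_type", "vendor_name", "product_name"):
        if not md.get(key):
            problems.append(f"metadata.{key} missing")
    if not isinstance(udm.get("principal", {}).get("ip", []), list):
        problems.append("principal.ip must be a list")
    if not isinstance(udm.get("security_result", []), list):
        problems.append("security_result must be a list")
    labels = udm.get("target", {}).get("resource", {}).get("attribute", {}).get("labels", [])
    if not all(isinstance(l, dict) and {"key", "value"} <= set(l) for l in labels):
        problems.append("attribute.labels must be key/value pairs")
    return problems


# Constructed sample record in the assumed internal format (matches the event above).
SAMPLE_EVENT = {
    "ts_ms": 1705314645123, "action": "query", "severity": "warning",
    "user": "app_user", "client_ip": "10.0.1.50", "application": "backend-api",
    "table": "customers", "schema": "public", "database": "production-postgres",
    "db_type": "postgresql", "rows_affected": 1500, "pii_columns": ["email", "phone"],
    "summary": "SELECT query on customers table",
}
```

Running validate_udm before an event is batched turns the "UDM parsing errors" item in the troubleshooting section into a check that fails at the sender, where the offending record is still at hand, instead of in Chronicle's ingestion logs minutes later.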

Sample Chronicle Searches

Use these search queries to analyze DB Audit events in Chronicle.

// Chronicle Search - All DB Audit events
metadata.vendor_name = "DBaudit"

// Filter by severity
metadata.vendor_name = "DBaudit" AND security_result.severity = "HIGH"

// Find large data access
metadata.vendor_name = "DBaudit"
AND additional.fields["rows_affected"] > 10000

// User activity search
metadata.vendor_name = "DBaudit"
AND principal.user.userid = "specific_user"

// Failed authentication attempts
metadata.vendor_name = "DBaudit"
AND metadata.event_type = "USER_LOGIN"
AND security_result.action = "BLOCK"

// PII access monitoring
metadata.vendor_name = "DBaudit"
AND additional.fields["contains_pii"] = "true"

// Entity graph search - find all events for IP
graph.entity.ip = "10.0.1.50"

Troubleshooting

Authentication failed (401/403)

Verify the service account has the Chronicle editor role (roles/chronicle.editor) on the project. Check that the JSON key is valid and has not expired or been revoked.

Customer ID not found

Ensure the customer ID is in UUID format. Verify the ID matches your Chronicle instance.

Events not appearing in Chronicle

Events may take a few minutes to be indexed. Verify the log type matches what Chronicle expects.

UDM parsing errors

Check the Chronicle data ingestion logs for parsing errors. Ensure the event structure matches UDM schema.

Ready to Integrate with Google Chronicle?

Start forwarding database audit events to Chronicle in minutes.