GCP SecOps (Chronicle)

The Observo AI GCP SecOps (Chronicle) destination enables forwarding of security and network telemetry data to Google Cloud's Security Operations (Chronicle) platform in JSON format, supporting unstructured log ingestion for advanced threat detection and analysis with secure authentication via service account credentials.

Purpose

The Observo AI GCP SecOps (Chronicle) destination enables users to send security and network telemetry data to Google Cloud's Security Operations (Chronicle) platform for advanced analysis and threat detection. It supports the unstructured endpoint, allowing flexible integration with SecOps’s (Chronicle) security analytics capabilities.

Prerequisites

Before configuring the GCP Chronicle destination in Observo AI, ensure the following requirements are met:

  • Google Cloud Project:

    • A Google Cloud project must be created and linked to your GCP SecOps (Chronicle) instance. It’s recommended to use a dedicated project for isolation, but an existing project can be used if permissions are correctly configured (Create a Google Cloud Project).

    • The Chronicle API must be enabled in the project (Enable Chronicle API).

    • Configure Essential Contacts for notifications to receive updates from Google Cloud (Manage Notification Contacts).

  • Authentication:

  • GCP SecOps (Chronicle) Instance:

    • Ensure your GCP SecOps (Chronicle) instance is active and accessible for data ingestion.

Integration

To configure GCP Chronicle as a destination in Observo AI, follow these steps:

  1. Log in to Observo AI:

    • Navigate to the Destinations tab.

    • Click the “Add Destinations” button and select “Create New”.

    • Choose “GCP Chronicle” from the list of available destinations to begin configuration.

  2. General Settings:

    • Name: Add a unique identifier such as gcp-chronicle-1

    • Description (Optional): Add a description.

    • Chronicle UUID: Enter the custom UUID of the Chronicle instance.

    • Chronicle Log Type: Enter the ingestion label for your log source such as PAN_FIREWALL for Palo Alto Firewall logs. A full list of supported SecOps parsers can be found here.

      Examples

      WINDOWS_DNS

      SYSLOG + KV

    • Region: Select the regional endpoint for your GCP Chronicle instance

      Select the Region:

      US region

      EU region

      APAC region

    • API Key (Optional): Enter your API key. Either an API key or a path to a service account credentials JSON file can be specified. If both are unset, the GOOGLE_APPLICATION_CREDENTIALS environment variable is checked for a filename. If that variable is not set either, an attempt is made to fetch an instance service account for the compute instance the program is running on. If the program is not running on a GCE instance, you must supply either an API key or a service account credentials JSON file.

    • Credentials Path (Optional): Path to your SecOps credentials JSON file. Use the upload option to add the credentials for your SecOps instance. The file can be downloaded from your SecOps instance under Settings > SIEM Settings > Collection Agents (download the Integration Authentication File).

      Example

      /my/path/credentials.json

    • Endpoint (Optional): The endpoint to send data to.

  3. Encoding:

    • Encoding Codec: The codec to use for encoding events. Default: JSON Encoding.

      Options and their sub-options:

      JSON Encoding

        • Pretty JSON (False): Format JSON with indentation and line breaks for better readability.

        • All common sub-options listed below.

      logfmt Encoding

        • Common sub-options only (listed below).

      Apache Avro Encoding

        • Avro Schema: Specify the Apache Avro schema definition for serializing events. Example: { "type": "record", "name": "log", "fields": [{ "name": "message", "type": "string" }] }

        • All common sub-options listed below.

      Newline Delimited JSON Encoding

        • Common sub-options only (listed below).

      No encoding

        • Common sub-options only (listed below).

      Plain text encoding

        • Common sub-options only (listed below).

      Parquet

        • Include Raw Log (False): Capture the complete log message as an additional field (observo_record) apart from the given schema. In addition to the Parquet schema, there will be a field named "observo_record" in the Parquet file.

        • Parquet Schema: Enter the Parquet schema for encoding. Example:

          message root {
            optional binary stream;
            optional binary time;
            optional group kubernetes {
              optional binary pod_name;
              optional binary pod_id;
              optional binary docker_id;
              optional binary container_hash;
              optional binary container_image;
              optional group labels {
                optional binary pod-template-hash;
              }
            }
          }

        • All common sub-options listed below.

      Common Event Format (CEF)

        • CEF Device Event Class ID: Provide a unique identifier for categorizing the type of event (maximum 1023 characters). Example: login-failure

        • CEF Device Product: Specify the product name that generated the event (maximum 63 characters). Example: Log Analyzer

        • CEF Device Vendor: Specify the vendor name that produced the event (maximum 63 characters). Example: Observo

        • CEF Device Version: Specify the version of the product that generated the event (maximum 31 characters). Example: 1.0.0

        • CEF Extensions (Add): Define custom key-value pairs for additional event data fields in CEF format.

        • CEF Name: Provide a human-readable description of the event (maximum 512 characters). Example: cef.name

        • CEF Severity: Indicate the importance of the event with a value from 0 (lowest) to 10 (highest). Example: 5

        • CEF Version (Select): Specify which version of the CEF specification to use for formatting.
          - CEF specification version 0.1
          - CEF specification version 1.x

        • All common sub-options listed below.

      CSV Format

        • CSV Fields (Add): Specify the field names to include as columns in the CSV output and their order. Examples: timestamp, host, message

        • CSV Buffer Capacity (Optional): Set the internal buffer size (in bytes) used when writing CSV data. Example: 8192

        • CSV Delimiter (Optional): Set the character that separates fields in the CSV output. Example: ,

        • Enable Double Quote Escapes (True): When enabled, quotes in field data are escaped by doubling them. When disabled, an escape character is used instead.

        • CSV Escape Character (Optional): Set the character used to escape quotes when double-quote escaping is disabled.

        • CSV Quote Character (Optional): Set the character used for quoting fields in the CSV output. Example: "

        • CSV Quoting Style (Optional): Control when field values should be wrapped in quote characters. Options:
          - Always quote all fields
          - Quote only when necessary
          - Never use quotes
          - Quote all non-numeric fields

        • All common sub-options listed below.

      Protocol Buffers

        • Protobuf Message Type: Specify the fully qualified message type name for Protobuf serialization. Example: package.Message

        • Protobuf Descriptor File: Specify the path to the compiled protobuf descriptor file (.desc). Example: /path/to/descriptor.desc

        • All common sub-options listed below.

      Graylog Extended Log Format (GELF)

        • Common sub-options only (listed below).

      Common sub-options (available with every codec)

        • Encoding Avro Schema (Optional): The Avro schema. Example: { "type": "record", "name": "log", "fields": [{ "name": "message", "type": "string" }] }

        • Fields to exclude from serialization (Add): Transformations to prepare an event for serialization. List of fields that are excluded from the encoded event. Example: message.payload

        • Encoding Metric Tag Values (Select): Controls how metric tag values are encoded.
          - Tag values will be exposed as single strings (default)
          - Tags exposed as arrays of strings
          Note: When set to single, only the last non-bare value of tags will be displayed with the metric. When set to full, all metric tags will be exposed as separate assignments.

        • Encoding Timestamp Format (Select):
          - RFC 3339 timestamp: Formats timestamps as RFC 3339 strings. (default)
          - Unix timestamp (Float): Formats timestamps as Unix epoch values in floating point.
          - Unix timestamp (Milliseconds): Formats timestamps as Unix epoch values in milliseconds.
          - Unix timestamp (Nanoseconds): Formats timestamps as Unix epoch values in nanoseconds.
          - Unix timestamp (Microseconds): Formats timestamps as Unix epoch values in microseconds.
          - Unix timestamp: Formats timestamps as Unix epoch values.
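The JSON codec options above (Pretty JSON, Fields to exclude from serialization, Encoding Timestamp Format) can be modelled to check what an event will look like on the wire. This is an added example, not Observo AI code; the option names follow the page, while the event layout, the `timestamp` key and the format keyword strings are assumptions.

```python
"""Minimal model of the JSON codec options: Pretty JSON, dotted-path field
exclusion (e.g. message.payload) and the timestamp format choices."""
import copy
import json
from datetime import datetime, timezone

# Keyword strings for the page's Encoding Timestamp Format selector (assumed names).
TS_FORMATS = {"rfc3339", "unix", "unix_float", "unix_ms", "unix_us", "unix_ns"}


def _exclude_path(obj, path):
    """Remove a dotted path such as "message.payload" from a nested dict in place.
    Missing intermediate keys are ignored, because an excluded field may be absent."""
    parts = path.split(".")
    node = obj
    for key in parts[:-1]:
        if not isinstance(node, dict) or key not in node:
            return
        node = node[key]
    if isinstance(node, dict):
        node.pop(parts[-1], None)


def format_timestamp(ts, fmt):
    """Render an aware datetime in one of the Encoding Timestamp Format options."""
    if fmt not in TS_FORMATS:
        raise ValueError(f"unknown timestamp format: {fmt}")
    if fmt == "rfc3339":
        return ts.isoformat().replace("+00:00", "Z")
    epoch = ts.timestamp()
    if fmt == "unix_float":
        return epoch
    if fmt == "unix":
        return int(epoch)
    # Integer epoch scaled to the requested unit; take microseconds from the
    # datetime itself so nanosecond output is not subject to float rounding.
    micros = int(epoch) * 1_000_000 + ts.microsecond
    return {"unix_ms": micros // 1_000, "unix_us": micros, "unix_ns": micros * 1_000}[fmt]


def encode_event(event, pretty=False, exclude=(), ts_format="rfc3339", ts_key="timestamp"):
    """Serialize one event the way the JSON codec options describe.

    The input is left untouched: excluded dotted paths are dropped from a copy,
    then the timestamp field is rendered in the selected format."""
    out = copy.deepcopy(event)
    for path in exclude:
        _exclude_path(out, path)
    if ts_key in out and isinstance(out[ts_key], datetime):
        out[ts_key] = format_timestamp(out[ts_key], ts_format)
    if pretty:
        return json.dumps(out, indent=2, sort_keys=True)
    return json.dumps(out, separators=(",", ":"), sort_keys=True)


# Constructed sample event (not real data).
SAMPLE_EVENT = {
    "timestamp": datetime(2025, 1, 15, 12, 30, 45, 123456, tzinfo=timezone.utc),
    "source_ip": "192.0.2.10",
    "message": {"summary": "deny tcp", "payload": "raw packet bytes"},
}

if __name__ == "__main__":
    print(encode_event(SAMPLE_EVENT, pretty=True, exclude=["message.payload"]))
```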

  4. Request Configuration:

    • Request Concurrency: Configuration for outbound request concurrency. Default: Adaptive concurrency. Options:

      - Adaptive concurrency: Adjusts parallelism based on system load

      - A fixed concurrency of 1: Processes one task at a time only

    • Request Rate Limit Duration Secs: The time window used for the rate_limit_num option. Default: 1.

    • Request Rate Limit Num: The maximum number of requests allowed within the rate_limit_duration_secs time window.

    • Request Retry Attempts: The maximum number of retries to make for failed requests. The default represents an infinite number of retries. Default: Unlimited.

    • Request Retry Initial Backoff Secs: The amount of time to wait, in seconds, before attempting the first retry of a failed request. After the first retry has failed, the Fibonacci sequence is used to select subsequent backoffs. Default: 1.

    • Request Retry Max Duration Secs: The maximum amount of time to wait between retries. Default: 3600.

    • Request Timeout Secs: The time a request waits before being aborted. It is recommended that this value is not lowered below the service’s internal timeout, as this could create orphaned requests, and duplicate data downstream. Default: 60.
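The retry and rate-limit settings above can be modelled to see what a given combination actually does before committing to it. This is an added example, not Observo AI code; it assumes the Fibonacci backoff scales the initial backoff by successive Fibonacci numbers (1, 1, 2, 3, 5, ...) with every wait capped at the max duration, which is one reading of the page's wording.

```python
"""Model of Request Retry * and Request Rate Limit * settings."""
from collections import deque


def backoff_schedule(initial_secs, max_duration_secs, retry_attempts):
    """Return the wait in seconds before each retry, in order.

    retry_attempts=None is 'Unlimited' on the page; a schedule needs a length,
    so None is shown as the first ten retries."""
    if initial_secs <= 0 or max_duration_secs <= 0:
        raise ValueError("backoff durations must be positive")
    count = 10 if retry_attempts is None else retry_attempts
    waits = []
    a, b = 1, 1  # successive Fibonacci numbers (assumed scaling of the initial wait)
    for _ in range(count):
        waits.append(min(initial_secs * a, max_duration_secs))
        a, b = b, a + b
    return waits


def total_retry_window(initial_secs, max_duration_secs, retry_attempts):
    """Worst-case seconds a request spends in retries before the sink gives up."""
    return sum(backoff_schedule(initial_secs, max_duration_secs, retry_attempts))


class SlidingWindowRateLimiter:
    """Allows at most rate_limit_num requests per rate_limit_duration_secs.

    Timestamps are passed in explicitly so the limiter is deterministic and
    testable; a real sink would read a monotonic clock."""

    def __init__(self, rate_limit_num, rate_limit_duration_secs=1):
        self.limit = rate_limit_num
        self.window = rate_limit_duration_secs
        self._sent = deque()

    def try_acquire(self, now):
        # Forget send times that have aged out of the window.
        while self._sent and now - self._sent[0] >= self.window:
            self._sent.popleft()
        if len(self._sent) >= self.limit:
            return False
        self._sent.append(now)
        return True


if __name__ == "__main__":
    # Page defaults are initial 1 s and max 3600 s; the SecureNet example uses 3 attempts.
    print(backoff_schedule(1, 3600, 3))
    print(backoff_schedule(1, 3600, None))
```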

  5. TLS Configuration (Optional):

    • TLS CA: Provide the CA certificate in PEM format.

    • TLS Certificate: Provide the client certificate in PEM format.

    • TLS Key: Provide the private key in PEM format.

    • TLS Key Passphrase: If the key is encrypted, provide the passphrase.

    • Verify Certificate (False): Enables certificate verification. Certificates must be valid in terms of not being expired and being issued by a trusted issuer. This verification operates hierarchically, checking the validity of the certificate, then of its issuer, and so on until a root certificate is reached. Relevant for both incoming and outgoing connections. Do NOT set this to false unless you understand the risks of not verifying the validity of certificates.

    • Verify Hostname: Enables hostname verification. If enabled, the hostname used to connect to the remote host must be present in the TLS certificate presented by the remote host, either as the Common Name or as an entry in the Subject Alternative Name extension. Only relevant for outgoing connections. Do NOT set this to false unless you understand the risks of not verifying the remote hostname.
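The TLS fields above map directly onto a client-side TLS context, and the Verify Hostname rule (the connect hostname must appear as the Common Name or as a dNSName entry in the Subject Alternative Name) can be written out explicitly. This is an added example, not Observo AI code; the certificate dictionaries are constructed in the shape Python's `ssl.getpeercert()` returns and are not real certificates.

```python
"""Client TLS context from the page's TLS settings, plus the hostname check."""
import ssl


def build_client_context(tls_ca=None, tls_certificate=None, tls_key=None,
                         tls_key_passphrase=None, verify_certificate=True,
                         verify_hostname=True):
    """Map the TLS CA / Certificate / Key / Passphrase / Verify fields onto an SSLContext."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    if tls_ca:
        ctx.load_verify_locations(cafile=tls_ca)  # PEM CA bundle for the server chain
    if tls_certificate:
        # Client certificate and its PEM key; the passphrase is only needed for an encrypted key.
        ctx.load_cert_chain(tls_certificate, keyfile=tls_key, password=tls_key_passphrase)
    if not verify_certificate:
        # Python refuses hostname checking without chain verification, so clear it first.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    else:
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.check_hostname = verify_hostname
    return ctx


def context_summary(ctx):
    """Report the effective verification settings of a context."""
    return {"verify_certificate": ctx.verify_mode == ssl.CERT_REQUIRED,
            "verify_hostname": bool(ctx.check_hostname)}


def _label_matches(pattern, hostname):
    """Case-insensitive match; a single leading '*' covers exactly one DNS label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    parts = hostname.split(".")
    return len(parts) > 1 and ".".join(parts[1:]) == pattern[2:]


def hostname_matches(peer_cert, hostname):
    """True if hostname is named by a SAN dNSName entry or by the subject Common Name.

    peer_cert follows the ssl.getpeercert() dict layout."""
    san_names = [v for k, v in peer_cert.get("subjectAltName", ()) if k == "DNS"]
    if any(_label_matches(n, hostname) for n in san_names):
        return True
    for rdn in peer_cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _label_matches(value, hostname):
                return True
    return False


# Constructed peer certificate dictionaries (not real certificates).
CERT_WITH_SAN = {
    "subject": ((("commonName", "ingest.example.test"),),),
    "subjectAltName": (("DNS", "ingest.example.test"), ("DNS", "*.region.example.test")),
}
CERT_CN_ONLY = {"subject": ((("commonName", "legacy.example.test"),),)}

if __name__ == "__main__":
    print(context_summary(build_client_context()))
    print(hostname_matches(CERT_WITH_SAN, "us.region.example.test"))
```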

  6. Batching Requirements:

    • Batch Timeout Seconds (Increment as needed): The maximum age of a batch before it is flushed. Default: 1

    • Batch Max Bytes (Increment as needed): The maximum size of a batch that will be processed by a sink. This is based on the uncompressed size of the batched events, before they are serialized / compressed.

    • Batch Max Events (Increment as needed): The maximum size of a batch before it is flushed.
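The three batching limits above interact: a batch is flushed by whichever of timeout, byte size or event count is reached first, and the byte limit applies to the uncompressed encoded events. This is an added example, not Observo AI code; it assumes compact JSON as the measure of uncompressed size and takes the clock as an explicit argument so it can be tested.

```python
"""Batcher applying Batch Timeout Seconds, Batch Max Bytes and Batch Max Events."""
import json


class Batcher:
    """Collects events and flushes when any of the three limits is reached."""

    def __init__(self, timeout_secs=1.0, max_bytes=None, max_events=None):
        self.timeout = timeout_secs
        self.max_bytes = max_bytes
        self.max_events = max_events
        self._events = []
        self._bytes = 0
        self._opened_at = None  # arrival time of the first event in the open batch

    def _flush(self):
        batch = self._events
        self._events, self._bytes, self._opened_at = [], 0, None
        return batch

    def add(self, event, now):
        """Add one event at time `now`; return the list of batches flushed (may be empty).

        A batch never exceeds max_bytes: an event that would push it over the
        limit closes the current batch first and opens a new one."""
        flushed = []
        size = len(json.dumps(event, separators=(",", ":")).encode("utf-8"))
        over_bytes = self.max_bytes is not None and self._bytes + size > self.max_bytes
        timed_out = self._opened_at is not None and now - self._opened_at >= self.timeout
        if self._events and (over_bytes or timed_out):
            flushed.append(self._flush())
        if not self._events:
            self._opened_at = now
        self._events.append(event)
        self._bytes += size
        if self.max_events is not None and len(self._events) >= self.max_events:
            flushed.append(self._flush())
        return flushed

    def poll(self, now):
        """Call periodically: flush the open batch once it reaches the timeout."""
        if self._events and now - self._opened_at >= self.timeout:
            return [self._flush()]
        return []

    def pending(self):
        """(event count, uncompressed bytes) currently waiting in the open batch."""
        return len(self._events), self._bytes


if __name__ == "__main__":
    # Constructed sample event (not real data); 29 bytes as compact JSON.
    event = {"msg": "deny tcp 192.0.2.10"}
    b = Batcher(timeout_secs=1.0, max_bytes=60, max_events=3)
    for t in (0.0, 0.1, 0.2):
        print(b.add(event, t), b.pending())
```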

  7. Advanced Settings (Optional):

    • Enable Proxy (False): Defines whether to use a proxy to connect to GCP Chronicle. If set to true, the proxy settings must be configured. If enabled:

      • Proxy HTTP Endpoint: Specify the HTTP proxy endpoint.

        Example

        http://proxy.example.com:8080

      • Proxy HTTPS Endpoint: Specify the HTTPS proxy endpoint.

        Example

        https://proxy.example.com:8080

      • Proxy Bypass List (Add as needed): Hosts to avoid connecting through the proxy.

        Example

        https://proxy.example.com:8080

  8. Save and Test Configuration:

    • Save the configuration settings.

    • Test the connection to verify that Observo AI can successfully send data to GCP Chronicle.

Example Scenarios

SecureNet MSSP, a fictitious Managed Security Service Provider (MSSP), delivers advanced threat detection and incident response services to its clients across various industries. To enhance its security analytics capabilities, SecureNet aims to send security telemetry data, including firewall logs and network intrusion alerts in JSON format, to Google Cloud's Security Operations (Chronicle) platform via Observo AI. The data is ingested into a Chronicle instance within a dedicated Google Cloud project, securenet-project-2025, using a service account with the "Chronicle Service Agent" role for secure authentication. The configuration below outlines the steps to set up the GCP Chronicle destination in Observo AI, adhering to the required fields specified in the Integration section of the provided document, enabling SecureNet to perform real-time threat analysis and compliance monitoring.

Standard GCP Chronicle Logs Destination Setup

Here is a standard GCP Chronicle Logs Destination configuration example. Only the required sections and their associated field values are listed below:

General Settings

  • Name: securenet-chronicle (unique identifier for the Chronicle destination)

  • Description: Send firewall and intrusion logs to GCP Chronicle for SecureNet (optional description of the destination)

  • Chronicle UUID: 123e4567-e89b-12d3-a456-426614174000 (custom UUID of the Chronicle instance)

  • Chronicle Log Type: PAN_FIREWALL (ingestion label for Palo Alto Firewall logs)

  • Region: US region (regional endpoint for the Chronicle instance)

  • API Key: None (uses service account credentials instead)

  • Credentials Path: /opt/observo/credentials/securenet-chronicle.json (path to the Chronicle service account JSON key file)

  • Endpoint: https://chronicle.googleapis.com (endpoint for sending data to Chronicle)

Encoding

  • Encoding Codec: JSON Encoding (encodes events in JSON format)

  • Pretty JSON: True (formats JSON with indentation for readability)

  • Encoding Avro Schema: { "type": "record", "name": "log", "fields": [{ "name": "message", "type": "string" }, { "name": "timestamp", "type": "string" }, { "name": "source_ip", "type": "string" }, { "name": "threat_level", "type": "string" }] } (Avro schema for structured log serialization)

  • Encoding Metric Tag Values: Single (exposes metric tag values as single strings)

  • Encoding Timestamp Format: RFC3339 (formats timestamps in RFC3339 format)

Request Configuration

  • Request Concurrency: Adaptive concurrency (adjusts parallelism based on system load)

  • Request Rate Limit Duration Secs: 1 (time window for rate limiting)

  • Request Rate Limit Num: 500 (maximum requests within the time window)

  • Request Retry Attempts: 3 (maximum retries for failed requests)

  • Request Retry Initial Backoff Secs: 1 (initial wait time before the first retry)

  • Request Retry Max Duration Secs: 3600 (maximum wait time between retries)

  • Request Timeout Secs: 60 (time before aborting a request)

TLS Configuration

  • TLS CA: /opt/observo/certs/ca.crt (path to the CA certificate for server verification)

  • TLS Certificate: /opt/observo/certs/securenet.crt (path to the client certificate for authentication)

  • TLS Key: /opt/observo/certs/securenet.key (path to the private key for authentication)

  • TLS Key Passphrase: SecureNet2025 (passphrase to unlock the encrypted key file)

  • Verify Certificate: True (enables certificate verification)

  • Verify Hostname: True (verifies the hostname in the TLS certificate)

Batching Configuration

  • Batch Timeout Seconds: 1 (maximum age of a batch before flushing)

  • Batch Max Bytes: 5242880 (maximum batch size, 5 MB, before flushing)

  • Batch Max Events: 500 (maximum number of events in a batch)

Advanced Settings

  • Enable Proxy: False (disables proxy usage for a direct connection)

  • Proxy HTTP Endpoint: None (not used, as the proxy is disabled)

  • Proxy HTTPS Endpoint: None (not used, as the proxy is disabled)

  • Proxy Bypass List: None (not used, as the proxy is disabled)

Additional Configuration

  • Save and Test: Save the configuration and send sample firewall log data to the Chronicle instance. Verify data ingestion in the Observo AI Analytics tab and confirm receipt in the Chronicle platform to ensure successful setup.

Outcome

With this configuration, SecureNet MSSP successfully sends firewall logs and intrusion alerts to GCP Chronicle via Observo AI, enabling real-time threat detection, incident response, and compliance monitoring, thereby enhancing its security services for clients across multiple industries.

Troubleshooting

If you encounter issues with the GCP Chronicle destination, use the following steps to diagnose and resolve them:

  • Verify you have the correct SecOps credentials JSON file.

  • Check Connection Status:

    • In the Observo AI interface, verify the destination’s connection status to confirm it is active.

  • Review Logs:

    • Check Observo AI logs for errors or warnings related to data transmission to GCP Chronicle.

  • Validate Data Format and API Version:

    • Confirm that the selected data format (Unstructured or UDM) and API version (V1 or V2) are compatible with your Chronicle instance.

  • Proxy Configuration:

  • Test Data Flow:

    • Send sample data and verify it reaches GCP Chronicle.

  • Monitor Data Volume:

    • Use the Analytics tab in the targeted Observo AI pipeline to monitor data volume and ensure the expected throughput.

Common issues, their possible causes and resolutions:

  • Data not reaching SecOps (Chronicle)
    Possible cause: Incorrect service account credentials
    Resolution: Verify the JSON key file and permissions

  • Connection errors
    Possible cause: API not enabled or wrong region
    Resolution: Enable the Chronicle API and confirm the region

  • Parsing errors
    Possible cause: Incorrect data format
    Resolution: Ensure the correct format (Unstructured/UDM)

  • Slow data transfer
    Possible cause: Backpressure or rate limiting
    Resolution: Check backpressure settings and retry policies

Resources

For additional guidance and detailed information, refer to the following resources:
