Palo Alto Networks Cortex XDR/XSIAM integration with Google Chrome Browser


Palo Alto Networks, a leading cybersecurity company, has recently partnered with Chrome Enterprise, Google's business-focused solution for Chrome devices. This integration aims to enhance IT infrastructure management, improve application security, and streamline user access. By combining the capabilities of Palo Alto Networks' solutions with Chrome Enterprise's robust features, organizations can achieve a safer workforce and a more efficient enterprise environment.

 

The integration between Palo Alto Networks and Chrome Enterprise represents a significant advancement in IT infrastructure management and security. By enabling centralized device management, enhancing security visibility, and providing a seamless user experience, this partnership empowers enterprises to protect their workforce and data more effectively. With the Connectors Framework and Reporting Connectors, security investigations become more efficient, enabling proactive threat detection and automated incident response. As organizations embrace the Chrome Enterprise Connection program, they can leverage the power of Palo Alto Networks' solutions to strengthen their security posture and streamline operations in an ever-evolving threat landscape.

 

Centralized IT Infrastructure Management

 

Through this partnership, customers can manage their IT infrastructure endpoints from a single console. Managed devices running macOS, Linux, Windows, iOS, or Android are covered by installing the Cortex XDR agent. Devices without an agent (for example unmanaged or BYOD machines) are covered by ingesting Google Chrome browser security events into the Cortex XDR management console. This centralization simplifies device management and gives consistent visibility and security measures across the organization without requiring an agent on every device.

 

Enhanced Security for Workforce and World

 

The partnership between Palo Alto Networks and Chrome Enterprise contributes to a safer workforce and world. With central management of enterprise devices, organizations gain control and visibility over managed devices. Unmanaged devices gain security visibility through browser-reported events, covering Chrome Browser extension installations, malware downloads, visits to malicious websites, and data leakage such as sensitive data uploads. By acting on these events, businesses can better protect their employees and sensitive information.

 

Improved Employee Experience for Chrome Enterprise Customers

 

For enterprises enrolled in the Chrome Enterprise Recommended program, the partnership delivers an enhanced employee experience. The integration enables seamless utilization of Google Chrome Enterprise security features, providing end-users with transparent protection against potential threats. Simultaneously, the integration allows for centralized management through a single console, simplifying security measures and ensuring consistent adherence to security protocols.

 

Connectors Framework and Reporting Connectors

 

The Connectors Framework and Reporting Connectors were introduced in response to the growing volume of security investigations. Together they consolidate alerts into a unified view, giving Security Operations Center (SOC) teams visibility across all devices, whether or not an agent is installed. With the integration of Palo Alto Networks' XSOAR and XSIAM, security teams can automate playbooks to remediate security events promptly. For instance, when a user performs multiple suspicious actions within a short window, such as visiting malicious websites and then attempting an unauthorized data upload, a playbook can automatically sign out the user, reset their password, and prompt re-validation. Because a forced sign-out and password reset are disruptive, such a playbook should require more than one corroborating event and record the evidence it acted on.

 

How to Set up Chrome Enterprise Connectors in Cortex:

 

  1. Log into your Palo Alto Networks Cortex instance at https://cortex-gateway.paloaltonetworks.com
  2. Under Settings > Configurations > Data Collection > Custom Collectors, click the Add Instance button for HTTP Log Collector (or click an existing HTTP log collector instance) to create or select the collector that will receive Chrome browser security events.
  3. When you create a new collector, give it a name, select JSON as the Log Format, set Compression to uncompressed, and enter the Vendor and Product names.

     

Note: The dataset is named from these two fields as vendor_product_raw. If you don't enter a Vendor or Product, Cortex XDR labels the dataset "unknown_unknown_raw", which makes it hard to tell apart from other unlabeled collectors when writing correlation rules.

 

4. Click Save & Generate Token and copy the token that is generated. You will need to enter this into the admin console in the following section.

 

For more information, see the Cortex Help Center article "Set up an HTTP Log Collector to Receive Logs".

How to enable event reporting and the connector in the Google Admin console:

 

  • Log in to the Google Admin console at admin.google.com and select the organizational unit that contains the enrolled browsers whose security events you want to send to Palo Alto Networks.
  • Navigate to Devices > Chrome > Users and Browsers. Add a filter for "event reporting".
  • Under Browser reporting > Event reporting, select Enable event reporting.

 

Under the additional settings, specify which event types to send to Palo Alto Networks Cortex XDR (for example malicious site visits, malware downloads, extension installations, and sensitive data uploads). Only the event types enabled here will reach the collector, so anything you plan to write correlation rules on must be turned on at this step.

 

  • Now that event reporting is on, click the blue "Reporting connector provider configurations" link, or navigate to Devices > Chrome > Connectors.
  • Click the New Provider Configuration button and select Palo Alto Networks as the provider.
  • Enter the configuration name you want this connector to display as in the Google Admin console.
  • Enter the hostname of your Palo Alto Networks instance and the ingest token from step 4 of the previous section.
  • To find the hostname, go to Settings > Configurations > Data Collection > Custom Collectors in Cortex, select the collector you just created, click the three dots, and select Copy API URL.
  • Remove the "https://" prefix and everything after ".com"; the remainder is the hostname the admin console expects.
    e.g. https://chrome.xdr.us.paloaltonetworks.com/logs/v1/event becomes chrome.xdr.us.paloaltonetworks.com

 

Click Add Configuration to save.

 

Select the organizational unit that has event reporting enabled, select the Palo Alto Networks connector configuration created in the previous step, and click Save.
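Before saving the provider configuration, it is worth confirming that the collector URL and ingest token actually work, since a typo in either simply produces an empty dataset with no error on the Google side. The script below is an added example, not code from the original article, Palo Alto Networks or Google. It derives the hostname the admin console asks for from the "Copy API URL" value exactly as the steps above describe, and POSTs one constructed Chrome-style event to the collector. The endpoint path and the raw token in the Authorization header follow the URL shown above and the Cortex HTTP collector documentation; the newline-delimited JSON body and the event's field names are assumptions for this check, and the real connector decides the actual schema.

```python
"""Pre-flight check for the Cortex HTTP log collector used by the Chrome connector.

Added example, not code from the original article, Palo Alto Networks or Google.
Assumptions: the collector accepts newline-delimited JSON with the raw ingest token
in the Authorization header; the sample event shape is illustrative only.
"""
import json
import os
import sys
import urllib.error
import urllib.request
from urllib.parse import urlparse


def collector_hostname(api_url: str) -> str:
    """Strip 'https://' and everything after the host, as the setup steps instruct."""
    parsed = urlparse(api_url)
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError(f"expected an https collector URL, got {api_url!r}")
    return parsed.hostname


def build_request(api_url: str, token: str, events: list) -> urllib.request.Request:
    """One JSON object per line in the body; the ingest token goes in the Authorization header."""
    if not token or token.strip() != token:
        raise ValueError("ingest token is empty or has stray whitespace (copy/paste artefact)")
    body = "\n".join(json.dumps(e, separators=(",", ":")) for e in events).encode()
    return urllib.request.Request(
        api_url,
        data=body,
        method="POST",
        headers={"Authorization": token, "Content-Type": "application/json"},
    )


# Constructed sample event shaped like a Chrome "bad navigation" report.
# Field names are assumptions for this check, not the connector's documented schema.
SAMPLE_EVENT = {
    "time": "2023-07-20T15:31:48Z",
    "badNavigationEvent": {
        "url": "https://malware.example.test/payload",
        "threatType": "MALWARE",
    },
    "profile": {"profileUserName": "test.user@example.com"},
    "browser": {"browserVersion": "115.0.0.0"},
    "connector_test": True,  # lets you filter the test event out of the dataset later
}


def send_test_event(api_url: str, token: str, timeout: float = 10.0) -> int:
    """POST the sample event and return the HTTP status code.

    200 means URL and token are accepted; 401/403 usually means a wrong or
    regenerated token; 404 usually means a wrong tenant hostname or path.
    """
    req = build_request(api_url, token, [SAMPLE_EVENT])
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


if __name__ == "__main__":
    url = os.environ.get(
        "CORTEX_API_URL", "https://chrome.xdr.us.paloaltonetworks.com/logs/v1/event"
    )
    tok = os.environ.get("CORTEX_INGEST_TOKEN")
    if not tok:
        sys.exit("set CORTEX_INGEST_TOKEN to the token from 'Save & Generate Token'")
    print("hostname for the Google Admin console:", collector_hostname(url))
    print("collector responded with HTTP", send_test_event(url, tok))
```

Run it with CORTEX_API_URL set to the copied API URL and CORTEX_INGEST_TOKEN set to the generated token; a 200 response followed by the event appearing in the vendor_product_raw dataset confirms the collector side is right before the Google Admin configuration is saved.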

 

After the integration is complete, Chrome browser logs and alerts appear in the XDR/XSIAM console as a new dataset, and you can build correlation rules on it to generate incidents.

Generate incidents based on Correlation Rules

 


 

Dashboard for Chrome-related security alerts.

 


 

Automate and remediate incidents and alerts with playbooks if you are using XSIAM or Cortex XSOAR.

 

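The correlation rule and playbook described earlier (a user visits a malicious site and then attempts an unauthorized upload, after which the user is signed out, their password reset and re-validation required) can be prototyped on sample data before it is written as a Cortex correlation rule and an XSOAR/XSIAM playbook. The script below is an added example and is not code from the original article or from Palo Alto Networks; it implements that correlation in plain Python over constructed Chrome-style events. The event field names (badNavigationEvent, sensitiveDataEvent, profile.profileUserName) and the 15-minute window are assumptions chosen for illustration.

```python
"""Correlating Chrome browser events into an incident with a remediation plan.

Added example, not code from the original article or from Palo Alto Networks.
The events below are constructed and their field names are assumptions about
the Chrome reporting schema; the real connector decides the actual shape.
"""
from collections import defaultdict
from datetime import datetime, timezone

MALICIOUS_SITE = "malicious_site"
SENSITIVE_UPLOAD = "sensitive_upload"

# Playbook actions, in order, once an incident is opened for a user.
REMEDIATION = ["sign_out_user", "reset_password", "require_revalidation"]

# Constructed sample events. alice trips both signals within minutes; bob's two
# signals are hours apart; carol only visits a malicious site. None are real.
SAMPLE_EVENTS = [
    {"time": "2023-07-20T15:31:48Z", "profile": {"profileUserName": "alice@example.com"},
     "badNavigationEvent": {"url": "https://phish.example.test/login", "threatType": "SOCIAL_ENGINEERING"}},
    {"time": "2023-07-20T15:34:02Z", "profile": {"profileUserName": "alice@example.com"},
     "sensitiveDataEvent": {"url": "https://paste.example.test/upload", "triggeredRuleInfo": "SSN pattern", "eventResult": "BLOCKED"}},
    {"time": "2023-07-20T09:02:10Z", "profile": {"profileUserName": "bob@example.com"},
     "badNavigationEvent": {"url": "https://malware.example.test/x", "threatType": "MALWARE"}},
    {"time": "2023-07-20T13:45:00Z", "profile": {"profileUserName": "bob@example.com"},
     "sensitiveDataEvent": {"url": "https://drive.example.test/up", "triggeredRuleInfo": "credit card", "eventResult": "WARNED"}},
    {"time": "2023-07-20T16:00:00Z", "profile": {"profileUserName": "carol@example.com"},
     "badNavigationEvent": {"url": "https://phish.example.test/other", "threatType": "SOCIAL_ENGINEERING"}},
]


def _timestamp(event):
    """Parse the connector's UTC timestamp ("Z" suffix) into an aware datetime."""
    return datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _signal(event):
    """Map a raw event to the signal it contributes, or None if it is not of interest."""
    if "badNavigationEvent" in event:
        return MALICIOUS_SITE
    if "sensitiveDataEvent" in event:
        # A blocked upload is still an attempt, so eventResult is deliberately ignored.
        return SENSITIVE_UPLOAD
    return None


def correlate(events, window_minutes=15):
    """Return one incident per user whose malicious-site visit is followed,
    within window_minutes, by a sensitive-data upload attempt.

    Requiring both signals in sequence is what keeps a single false-positive
    Safe Browsing hit from triggering a password reset on its own.
    """
    by_user = defaultdict(list)
    for ev in events:
        sig = _signal(ev)
        if sig is not None:
            by_user[ev["profile"]["profileUserName"]].append((_timestamp(ev), sig, ev))

    incidents = []
    for user, items in by_user.items():
        items.sort(key=lambda t: t[0])
        for i, (t0, sig0, ev0) in enumerate(items):
            if sig0 != MALICIOUS_SITE:
                continue
            later = [
                (t1, s1, e1) for t1, s1, e1 in items[i + 1:]
                if s1 == SENSITIVE_UPLOAD and (t1 - t0).total_seconds() <= window_minutes * 60
            ]
            if later:
                _, _, ev1 = later[0]
                incidents.append({
                    "user": user,
                    "first_seen": t0.isoformat(),
                    "evidence": [ev0, ev1],  # the playbook should attach both events
                    "actions": list(REMEDIATION),
                })
                break  # one incident per user; later hits should be appended to it, not duplicated
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS):
        print(inc["user"], inc["first_seen"], inc["actions"])
```

On the sample data only alice produces an incident; widening the window to several hours would also catch bob, which is the trade-off to settle with the SOC before committing the threshold in the real correlation rule.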

 

Rate this article:
Comments
L0 Member

To use this functionality, it seems to be necessary to have the Cortex XDR Pro per GB license. Wouldn't it be possible to use Cortex XDR Per endpoint?

 

I'm thinking about the BeyondCorp/Chrome Enterprise + Cortex XDR integration, which is an integration based on the number of endpoints.

L1 Bithead

Yes, it would need the per-GB license.

Last Updated: 07-21-2023 10:41 AM