Integrating Zoho Vault with Google Security Operations (Chronicle)

Integrating Zoho Vault with Google Security Operations (Chronicle)

Overview  

Zoho Vault integrates with Google Security Operations (formerly Google Chronicle) to enable real-time event streaming. Once configured, new events appear in your Google SecOps environment almost immediately, giving your security team up-to-date visibility into vault activity.

Setup instructions  

Create an API Key in Google Cloud

  1. Go to the Google Cloud Console and select the project linked to your Google SecOps environment.
  2. Navigate to APIs & Services, then select Credentials.
  3. Click Create Credential and choose API Key.
  4. Once the key has been created, click Edit on the key to apply usage restrictions.
  5. Restrict the API key to Chronicle API capabilities only. This limits the key's scope and improves security.
  6. Copy and save this API key you will need it in Step 4.

Create a Custom Log Type in Google SecOps

You need to define a new Log Type in Google SecOps so that it can correctly identify and categorize events coming from Zoho Vault.
  1. In your Google SecOps tenant, go to Settings, then SIEM Settings.
  2. Under Available Log Types, click Request a Log Type.
  3. Fill in the following details:
    1. Vendor/Product Name: ZohoVault
    2. Log Type Name: ZOHOVAULT

Create a Feed 

A feed acts as the receiving endpoint for log data sent by Zoho Vault. You will set up a Webhook-based feed tied to the log type you just created.
  1. In your Google SecOps tenant, go to Settings, then SIEM Settings, and select Feeds.
  2. Click Add New Feed.
  3. Set the Source Type to Webhook, then select ZOHOVAULT as the Log Type.
  4. Click Next, review the settings, and click Submit.
  5. When prompted, click Generate Secret Key. Copy and save the Feed Endpoint and Feed Secret Key for use in in the next step.

Configuring Google SecOps in Zoho Vault

With the API key, secret key, and feed endpoint ready, you can now complete the setup on the Zoho Vault side to begin streaming logs.
  1. Log in to your Zoho Vault account as a super admin.
  2. Go to Settings and select SIEM Integration.
  3. Under the Google SecOps section, click Edit Configurations.
  4. Enter the following details in the respective fields:
    1. Feed Endpoint: The endpoint URL copied in Step 3
    2. Feed Secret Key: The secret key generated in Step 3
    3. API Key: The API key created in Step 1
    4. Protocol: HTTPS
  5. Click Save Configuration to activate the integration.
Once saved, Zoho Vault will begin streaming event logs to your Google SecOps environment in real time.

Search for and Verify Logs in Google SecOps 

After the integration is active, you can verify that logs are flowing correctly by running a search in Google SecOps.
  1. In your Google SecOps tenant, navigate to Investigation, then select SIEM Search.
  2. In the search bar, enter the following query to filter for Zoho Vault events: metadata.log_type="ZOHOVAULT_CUSTOM"
  3. Review the results to confirm that Zoho Vault events are appearing as expected.