Configure Chrome Enterprise Connectors for Google Security Operations

For administrators, signed up for Chrome Enterprise Premium, who manage Chrome policies from the Google Admin console.

As a Google Workspace administrator, you can ensure that Chrome Enterprise Premium (CEP) is optimally configured to send valuable security data to your Google Security Operations (SecOps) instance.

Integrating CEP with SecOps allows your security team to gain deep visibility into browser-related threats and activities. Chrome can send a rich stream of events and analysis results to SecOps, turning on:

• Enhanced threat detection for malware, phishing, and risky user actions
• Deeper incident investigations with browser context
• Monitoring for data security and potential exfiltration

To achieve this, Chrome uses Chrome Enterprise Connectors. These connectors act as bridges between Chrome browser and various security services, including SecOps and CEP's own data loss prevention (DLP) capabilities.

Turn on the integration

When you first turn on the SecOps integration in the Google Admin console, a connection is made between your Google Workspace environment and your SecOps instance, and specific settings are applied to get data flowing to SecOps:

• Real-time URL check—This setting is automatically turned on for you.
• Event reporting—This setting is turned on and all event types are turned on, including extension telemetry and URL navigation events. If you have existing settings for Login and Password Breach events, they are left as-is.
• Content analysis—We check the settings for your upload, download, file transfer, bulk text, and print connectors.
  • If a connector is unset, we’ll automatically switch it to Chrome Enterprise Premium and turn on sensitive data and malware scanning on all URLs.
  • If a connector is set to Chrome Enterprise Premium, we’ll preserve your settings but warn you if you have URL restrictions that could keep some data from reaching SecOps.
  • If a connector uses a third-party provider, we won’t make any changes, but you’ll be warned that you need to use Chrome Enterprise Premium for the events to reach SecOps.

Configure recommended settings for optimal data flow

We suggest that Chrome Enterprise admins and security admins jointly review the configuration for each Chrome Enterprise Connector.

1. Sign in with an administrator account to the Google Admin console.

   If you aren’t using an administrator account, you can’t access the Admin console.

2. Go to  Menu  Devices > Chrome > Settings. The User & browser settings page opens by default.

   Requires having the Mobile Device Management administrator privilege.

   If you signed up for Chrome Enterprise Core, go to Menu  Chrome browser > Settings.

3. At the side, select the top-level organizational unit.
4. Select the browser event types that are sent to SecOps:
   1. Go to Browser reporting.
   2. Click Event reporting.
   3. Select Enable event reporting.
   4. Click Additional settings.
   5. For Default event types, select All types.
   6. Click Save.
5. Control how Chrome analyzes content for malware and sensitive data:
   1. Go to Chrome Enterprise Connectors.
   2. For each content analysis setting—Upload content analysis, Download content analysis, File transfer content analysis, Bulk text content analysis, and Print content analysis, do the following:
      1. Select Chrome Enterprise Premium as the service API to be used by Chrome.
      2. Click Additional settings.
      3. Under Check for sensitive data, set Mode to On by default, except for the following URL patterns. For optimal SecOps visibility, we recommend that you leave the URL pattern field blank. Specifying URL exceptions prevents analysis and reporting for those URLs.
      4. (Applies only to Upload content analysis, Download content analysis, File transfer content analysis) Under Check for malware, set Mode to On by default, except for the following URL patterns. For optimal SecOps visibility, we recommend that you leave the URL pattern field blank. Specifying URL exceptions prevents analysis and reporting for those URLs.
      5. Click Save.
6. Identify potentially unsafe URLs through real-time URL validation:
   1. Go to Chrome Enterprise Connectors.
   2. Click Real time URL check.
   3. Select Chrome Enterprise Premium.
   4. Click Save.

Summary table of recommended connector settings

Warnings you might encounter

If your existing connector settings prevent data from reaching SecOps, you'll see a warning in the Admin console.

Set ‘Chrome Enterprise Premium’ as the service provider

This warning appears if a connector is currently set to use a third-party provider, such as Symantec Endpoint DLP or Trellix, instead of Chrome Enterprise Premium.

To resolve:

1. Click the connector name in the warning message to open the settings page.
2. Change the service provider to Chrome Enterprise Premium.
3. Configure the analysis settings as described in Configure settings for data flow above.

Set connectors ‘on by default’ and remove URL limits

This warning appears if a connector is set to Chrome Enterprise Premium, but the configuration restricts data collection. This happens if, under Check for sensitive data:

• Mode is set to Off by default, except for the following URL patterns
• Mode is set to On by default, except for the following URL patterns and URL patterns are entered that exclude specific sites from analysis.

To resolve:

1. Click the connector name in the warning message to open the settings page.
2. Set Mode to On by default, except for the following URL patterns.
3. Clear the URL pattern field to ensure all traffic is analyzed and reported to SecOps.

Google and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.