Collect Island Enterprise Browser logs

This document explains how to configure Island Enterprise Browser to push logs to Google Security Operations using webhooks.

Island Enterprise Browser is a Chromium-based enterprise browser designed to enhance corporate security and IT governance. It enables organizations to control and monitor how users interact with web applications, providing fine-grained policy control over every facet of browser activity including copy, paste, download, upload, and screenshot capture. Island delivers complete visibility, governance, and compliance for critical SaaS and internal web applications while supporting built-in safe browsing, web filtering, exploit prevention, and Zero Trust network access.

Before you begin

Make sure that you have the following prerequisites:

  • A Google SecOps instance
  • An Island Enterprise Browser deployment that supports webhook-based SIEM log delivery via HTTPS
  • Access to Google Cloud Console (for API key creation)
  • Access to the Island Management Console with administrator permissions (Full Admin or System Admin role)

Create webhook feed in Google SecOps

Create the feed

  1. Go to SIEM Settings > Feeds.
  2. Click Add New Feed.
  3. On the next page, click Configure a single feed.
  4. In the Feed name field, enter a name for the feed (for example, Island Enterprise Browser Logs).
  5. Select Webhook as the Source type.
  6. Select Island Enterprise Browser as the Log type.
  7. Click Next.
  8. Specify values for the following input parameters:
    • Split delimiter (optional): Enter \n to split NDJSON events by newline
    • Asset namespace: The asset namespace
    • Ingestion labels: The label to be applied to the events from this feed
  9. Click Next.
  10. Review your new feed configuration in the Finalize screen, and then click Submit.

Generate and save secret key

After creating the feed, you must generate a secret key for authentication:

  1. On the feed details page, click Generate Secret Key.
  2. A dialog displays the secret key.
  3. Copy and save the secret key securely.

Important: The secret key is displayed only once and cannot be retrieved later. If you lose it, you must generate a new secret key.

Get the feed endpoint URL

  1. Go to the Details tab of the feed.
  2. In the Endpoint Information section, copy the Feed endpoint URL.
  3. The URL format is:

    https://malachiteingestion-pa.googleapis.com/v2/unstructuredlogentries:batchCreate
    

    or

    https://<REGION>-malachiteingestion-pa.googleapis.com/v2/unstructuredlogentries:batchCreate
    
  4. Save this URL for the next steps.

  5. Click Done.

Create Google Cloud API key

Chronicle requires an API key for authentication. Create a restricted API key in the Google Cloud Console.

Create the API key

  1. Go to the Google Cloud Console Credentials page.
  2. Select your project (the project associated with your Chronicle instance).
  3. Click Create credentials > API key.
  4. An API key is created and displayed in a dialog.
  5. Click Edit API key to restrict the key.

Restrict the API key

  1. In the API key settings page:
    • Name: Enter a descriptive name (for example, Chronicle Webhook API Key - Island)
  2. Under API restrictions:
    1. Select Restrict key.
    2. In the Select APIs dropdown, search for and select Google SecOps API (or Chronicle API).
  3. Click Save.
  4. Copy the API key value from the API key field at the top of the page.
  5. Save the API key securely.

Configure Island Enterprise Browser webhook

Construct the webhook URL

  • Combine the Chronicle endpoint URL, the API key, and the secret key:

    <ENDPOINT_URL>?key=<API_KEY>&secret=<SECRET_KEY>
    
  • Example:

    https://malachiteingestion-pa.googleapis.com/v2/unstructuredlogentries:batchCreate?key=AIzaSyD...&secret=abcd1234...
    

Create the SIEM integration in Island Management Console

  1. Sign in to the Island Management Console as an administrator (Full Admin or System Admin).
  2. Navigate to Modules > Platform Settings > System Settings > Integrations > SIEM.
  3. Click Setup for the Generic SIEM Integration.
  4. The Generic SIEM Integration Settings drawer is displayed.
  5. In the Authentication Type field, select HTTPS.
  6. In the Server URL field, paste the complete webhook URL constructed in the previous step (the Chronicle endpoint URL with the API key and secret key appended as query parameters).
  7. Click Check Connection to confirm the connection to the configured endpoint.
  8. Click Create Integration.
  9. If the integration is successful, the Up and Running status is displayed below the Settings button for the Generic SIEM Integration.

Generate a SIEM API key (alternative method)

If the Generic SIEM Integration requires an API key for authentication instead of HTTPS URL parameters, generate one as follows:

  1. Sign in to the Island Management Console as an administrator.
  2. Navigate to Modules > Platform Settings > System Settings > Integrations > SIEM.
  3. Click Setup for the Generic SIEM Integration.
  4. Click Generate API Key to create a new key.
  5. The Create a New API Key Integration drawer is displayed, showing the generated API key.
  6. Copy the API Key to your clipboard and save it securely.
  7. Click Close.

Important: The API key is displayed only once during generation. Copy and save it immediately.

Required permissions

The Island Management Console account used to configure the SIEM integration must have one of the following roles:

| Role | Description |
|---|---|
| Full Admin | Full administrative access to the Island Management Console |
| System Admin | System-level administrative access with permissions to manage integrations |

Authentication methods reference

Chronicle webhook feeds support multiple authentication methods. Choose the method that your vendor supports.

Method 1: Custom headers (recommended)

If your vendor supports custom HTTP headers, use this method for better security.

  • Request format:

    POST <ENDPOINT_URL> HTTP/1.1
    Content-Type: application/json
    x-goog-chronicle-auth: <API_KEY>
    x-chronicle-auth: <SECRET_KEY>
    
    {
      "event": "data",
      "timestamp": "2025-01-15T10:30:00Z"
    }
    

Advantages:

  • API key and secret not visible in URL
  • More secure (headers not logged in web server access logs)
  • Preferred method when vendor supports it

Method 2: Query parameters

If your vendor does not support custom headers, append credentials to the URL.

  • URL format:

    <ENDPOINT_URL>?key=<API_KEY>&secret=<SECRET_KEY>
    
  • Example:

    https://malachiteingestion-pa.googleapis.com/v2/unstructuredlogentries:batchCreate?key=AIzaSyD...&secret=abcd1234...
    
  • Request format:

    POST <ENDPOINT_URL>?key=<API_KEY>&secret=<SECRET_KEY> HTTP/1.1
    Content-Type: application/json
    
    {
      "event": "data",
      "timestamp": "2025-01-15T10:30:00Z"
    }
    

Disadvantages:

  • Credentials visible in URL
  • May be logged in web server access logs
  • Less secure than headers

Method 3: Hybrid (URL + Header)

Some configurations place the API key in the URL and the secret key in a header.

  • Request format:

    POST <ENDPOINT_URL>?key=<API_KEY> HTTP/1.1
    Content-Type: application/json
    x-chronicle-auth: <SECRET_KEY>
    
    {
      "event": "data",
      "timestamp": "2025-01-15T10:30:00Z"
    }
    

Authentication header names

Chronicle accepts the following header names for authentication:

For API key:

  • x-goog-chronicle-auth (recommended)
  • X-Goog-Chronicle-Auth (case-insensitive)

For secret key:

  • x-chronicle-auth (recommended)
  • X-Chronicle-Auth (case-insensitive)

Webhook limits and best practices

Request limits

| Limit | Value |
|---|---|
| Max request size | 4 MB |
| Max QPS (queries per second) | 15,000 |
| Request timeout | 30 seconds |
| Retry behavior | Automatic with exponential backoff |
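
The custom-header request format, the newline split delimiter, and the 4 MB request limit can be exercised together before pointing Island at the feed. The following is an added example, not code from Google or Island: the function names, the constructed sample events, and the reading of 4 MB as 4,000,000 bytes are assumptions, and the request is built but not sent.

```python
import json
import urllib.request
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

MAX_REQUEST_BYTES = 4_000_000  # assumption: "4 MB" read conservatively as 4,000,000 bytes
# Constructed sample events; field names are taken from the UDM mapping table.
SAMPLE_EVENTS = [
    {"timestamp": "2025-01-15T10:30:00Z", "id": "evt-0001", "type": "Navigation", "verdict": "Allowed"},
    {"timestamp": "2025-01-15T10:30:05Z", "id": "evt-0002", "type": "Download", "verdict": "Blocked"},
]

def batch_ndjson(events, limit=MAX_REQUEST_BYTES):
    """Yield newline-delimited JSON bodies, each at most `limit` bytes."""
    batch, size = [], 0
    for event in events:
        line = json.dumps(event, separators=(",", ":")).encode("utf-8")
        if len(line) > limit:
            raise ValueError("a single event exceeds the request size limit")
        needed = len(line) + (1 if batch else 0)  # +1 for the "\n" separator
        if size + needed > limit:
            yield b"\n".join(batch)
            batch, size, needed = [], 0, len(line)
        batch.append(line)
        size += needed
    if batch:
        yield b"\n".join(batch)

def build_request(endpoint_url, api_key, secret_key, body):
    """Build (not send) a POST that carries both credentials in headers."""
    parts = urlsplit(endpoint_url)
    if parts.scheme != "https" or parts.query:
        raise ValueError("expected an HTTPS endpoint URL without query parameters")
    headers = {"Content-Type": "application/json",
               "x-goog-chronicle-auth": api_key,   # Google Cloud API key
               "x-chronicle-auth": secret_key}     # feed secret key
    return urllib.request.Request(endpoint_url, data=body, headers=headers, method="POST")

def redact_url(url):
    """Mask key/secret query values before a query-parameter URL is logged."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k.lower() in ("key", "secret") else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))
```

To send a batch, pass the returned request to `urllib.request.urlopen` with a timeout; use `redact_url` wherever a query-parameter webhook URL could end up in tickets, shell history, or application logs.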

Regional API endpoints

Island Enterprise Browser uses different Management Console URLs based on your region:

| Region | Management Console URL | API Base URL |
|---|---|---|
| US | https://management.island.io | https://management.island.io/api/external/v1/ |
| EU | https://eu.management.island.io | https://eu.management.island.io/api/external/v1/ |

Use the Management Console URL that corresponds to your Island Enterprise Browser tenant region.

UDM mapping table

The following table lists the log fields of the ISLAND_BROWSER log type and their corresponding UDM fields.

| Log field | UDM mapping |
|---|---|
| timestamp | metadata.event_timestamp |
| id | metadata.product_log_id |
| type | metadata.product_event_type |
| email | principal.user.email_addresses |
| user_id | principal.user.userid |
| user_name | principal.user.user_display_name |
| source_ip | principal.ip, principal.asset.ip |
| public_ip | principal.ip, principal.asset.ip |
| machine_name | principal.hostname, principal.asset.hostname |
| machine_id | principal.asset.asset_id |
| os_platform | principal.asset.platform_software.platform |
| country | principal.location.country_or_region |
| region | principal.location.state |
| top_level_url | target.url |
| saas_application_name | target.application |
| saas_application_id | target.resource.id |
| rule_id | security_result.rule_id |
| rule_name | security_result.rule_name |
| verdict | security_result.action_details |
| verdict_reason | security_result.description |
| url_web_reputation | security_result.confidence_score |
| saas_application_category | security_result.category_details |
| client_event_id | network.session_id |
| version | metadata.product_version |
| window_id | principal.resource.id |
| frame_url | about.url |
| device_id | principal.asset.attribute.labels |
| os_user_name | principal.asset.attribute.labels |
| tab_id | security_result.detection_fields |
| signature | security_result.detection_fields |
| compatibility_mode | additional.fields |
| processed_date | additional.fields |
| country_code | additional.fields |
| is_island_private_access | additional.fields |
| url_web_categories | additional.fields |
| origin | additional.fields |
| tenant_id | additional.fields |
| matched_user_group | principal.group.group_display_name |
| matched_device_posture.domain | principal.domain.name |
