Chronicle SOAR Integration Guide

  • Updated
Table of Contents:

This article covers how to seamlessly integrate Chronicle SOAR with Resolution Intelligence Cloud. Follow our step-by-step guide for easy enablement.

Integration with Chronicle SOAR (formerly Siemplify) empowers the security team to defend against threats from the external environment using threat intelligence. Threat intelligence is obtained by gathering and analyzing quality data from multiple resources.

Once a threat is detected and turned into an ActOn in the Resolution Intelligence Cloud, it pushes into the Chronicle SOAR portal.

How it works

Security ActOn Life Cycle in Chronicle SOAR:

ActOns → Threat Centric Case Creation → Playbook Execution → Context-Driven Investigation → Response → Business Intelligence

Chronicle SOAR integration is a bi-directional integration in which events are ingested into the Resolution Intelligence Cloud as signals. The AIOps correlation engine in the Resolution Intelligence Cloud correlates similar signals and pushes them as ActOns to the Chronicle SOAR platform, where these are treated as Cases using a webhook. These cases are associated with predefined playbooks in the Chronicle SOAR platform, and updates are sent back to ActOns if any changes take place through an API. The predefined playbooks are updated with contextual information about a case, such as scoring, evidence, and assets to take further action.

Prerequisites

You should have 

  • Active account and Admin privileges in Resolution Intelligence Cloud
  • An existing Chronicle SOAR instance and valid credentials 
  • A prior Chronicle integration with Resolution Intelligence Cloud
  • API keys from Chronicle SOAR. Refer to this section to get API keys.

Attributes Mapping 

The following attributes are mapped between Chronicle SOAR and Resolution Intelligence Cloud.

 Chronicle SOAR (Cases)

 Resolution Intelligence Cloud (ActOns)

 Description
 Case Name  ActOn Subject Title or Name 
 Description   Summary Comprehended details

 Events

 Signals

 Type of signals correlated 
 Entities  Assets Type of assets or entities from which signals are generated 

 Status

  • Open
  • Closed

 Status

  • New
  • Closed
 A state to which the ActOn or Case belongs 
 Priority  Priority

A state of urgency. Possible priorities could be High, Medium, and Low


Enabling Chronicle SOAR Integration 

In Resolution Intelligence Cloud

Step 1: Setting up Integration

Roles Required:

  • Owner
  • Global Admin
  • A user with manager role
  • Configuration Manager

To set up integration,

  1. Click  the gear icon at the top (or) hover over  icon at the top left corner.

  2. In the bottom of the left menu, click Configurations.

  3. In the left menu, under Data Ingestion, click Integrations.
    You will be navigated to the available integrations page.

  4. Locate and click the Chronicle SOAR tile.
  5. Click Add --> Add New Integration if you would prefer to enable a new integration. Otherwise, click Apply Organization Defaults to get the inbound and outbound properties from your organization or domains if you are at the tenant level.
    Both authentication and tenant mapping will be enabled.
  6. Under Configurations, click Authentication.
    You will be navigated to an authentication page where you enter the following details:

i. Under the Inbound section:

    • In Authentication type, select JSON Web Token (JWT) from the drop-down list.
    • In Token Source, an existing URL will be selected automatically.

ii. Under the Outbound section:

    • In Base URL, enter your Chronicle SOAR instance URL.
    • In Key, provide API secret key that is generated from your Chronicle SOAR instance web interface. Refer to the Generating API Key in the Chronicle SOAR Instance for more details.
    • In the Case View URL field, enter the Chronicle SOAR case view URL. When an Acton is created as a case in SOAR, an external ID is generated on the ActOns page of Resolution Intelligence Cloud. Clicking this external ID hyperlink will redirect the user to the case view page of the configured SOAR, allowing them to investigate the alert.

7. Click Save. 
An inbound URL and a consumer token will be generated. Copy and paste them in the parameters section of the Chronicle SOAR integration portal.

Step 2: Mapping Tenants

To map tenant(s) to your Chronicle SOAR integration,

  1. Click Add Mapping at the top right corner, or click Bulk Add and select Import CSV file to import multiple tenants with the respective Chronicle SOAR environments.
  2. In the Add Mapping wizard, under Tenant Name, select your tenant from the drop-down menu.
  3. Under Environment, select a relevant environment in Chronicle SOAR to which you prefer to link your tenant from the drop-down menu.
  4. Click Add Row, if you would prefer to add more instances, and repeat the same steps from 2 to 3.
  5. Click Save.
    The integration will be mapped to your desired tenants.

Deleting Tenant Mapping

You have mapped multiple tenants, but you feel that some tenants are no longer needed. You can remove those tenants from the current mapping using the Delete button.

To remove tenant mapping,

  1. Locate the tenant that you would prefer to remove mapping.
  2. Click three dots right next to the tenant.
  3. Click Delete from the drop-down menu.
  4. Click Yes to remove it.

Downloading and Importing a Tenant Mapping list

You can download the existing tenant mappings to your local drive in a csv format and modify any tenant name and its relevant Chronicle SOAR environment, then bulk upload the amended list to map your Chronicle SOAR integration.

You can only view and perform bulk import at the organization level. 

To download and import a CSV file,

  1. After you have configured the integration, click Tenant Mapping.
  2. Navigate to Bulk Add --> Download CSV template.
    A template is downloaded into your local drive.
  3. First, you will need to fill the csv file with a valid tenant name, mapping status and project key.
  4. Click Bulk Add --> Import CSV file.
    A dialog box appears. 
  5. Click Import CSV and select your tenant mapping file from local drive.
  6. Click Open.
    A message appears on your screen.
  7. Click Yes to continue.
    A Mapping CSV file will be added to tenant list.

Step 3: Adding Outbound Policies

If you would prefer to restrict pushing specific ActOns to the Chronicle SOAR platform, then refer to this article for more information.

Generating API Key in Chronicle SOAR Portal

  1. Log in to your Chronicle SOAR instance using valid credentials.
  2. From the Home page, click Picture21.png at the top right corner and click Settings from the drop-down menu.
  3. Click Advanced --> API Keys in the left navigation menu.
  4. Click Picture22.png at top right corner of the API Keys screen.
    A window opens.
  5. Give the application a suitable name.
  6. In Permissions Group, select Admins from the drop-down menu.
  7. In SOC Role, select @Administrator from the drop-down menu.
  8. Click Save.
    An API key will be generated automatically after saving the API key instance.
    Copy and paste this API key in the Outbound section of Chronicle SOAR integration in Resolution Intelligence Cloud.

In Chronicle SOAR Portal

  1. Log in to your Chronicle SOAR instance using valid credentials.
  2. From the Home page, click the marketplace  icon at the top right corner.
  3. Search for "Resolution Intelligence Cloud" in search bar.
  4. Click the Install icon located below the app.
    The Resolution Intelligence Cloud app will be installed in your Chronicle instance.
    Alternatively, you can contact Resolution Intelligence Cloud support to get the zip file and then import this zip file onto the SOAR using the Import Package option.

5. Click the Picture21.png icon at the top right corner.

6. From the drop-down menu, click Integrations Setup.

7. Click the icon at the top right corner.
An Add Instance dialog opens.

8. By default, the environment is set to Shared instances. 

9. In Integrations field, search and select "Resolution Intelligence Cloud."

10. Click Save.

11. Configure these details in the Resolution Intelligence Cloud-Configure Instance dialog:

      • Instance name is defaulted
      • Add Description (Optional).
      • Under Parameters,
        • In ri_inbound_webhook field, enter an Inbound URL generated from the step 7.
        • In token field, enter the Consumer token generated from the step 7.
        • In the Environment field, you must manually enter the environment in which the Chronicle instance must run. Only after specifying the environment, the tickets will be sent to Resolution Intelligence Cloud. Please ensure that the environment you provide matches the one mapped to a tenant in Resolution Intelligence Cloud.

12. Click Save.

Related articles

Comments

0 comments

Please sign in to leave a comment.