Chronicle SOAR Integration Guide

  • Updated

    Integration with Chronicle SOAR (formerly Siemplify) empowers the security team to defend against threats from the external environment using threat intelligence by detecting anomalies in data produced from multiple resources. 

    With the plans available in this page, you can push ActOns into the Chronicle SOAR portal once they are generated in the Resolutions Intelligence Cloud.

    How it works

    Security ActOn Life Cycle in Chronicle SOAR:

    ActOns → Threat Centric Case Creation → Playbook Execution → Context-Driven Investigation → Response → Business Intelligence

    Chronicle SOAR integration is a bi-directional integration in which events are ingested into the Resolution Intelligence Cloud as signals. The AI Ops correlation engine in the Resolution Intelligence Cloud correlates similar signals and pushes them as ActOns to the Chronicle SOAR platform where these are treated as Cases using a webhook. These cases are associated with predefined playbooks in the Chronicle SOAR platform and updates are sent back to ActOns if any changes take place through an API. The predefined playbooks are updated with contextual information about a Case such as scoring, evidence, and assets to take further actions.

    Prerequisites

    You should have 

    • Active account and Admin privileges in Resolution Intelligence Cloud
    • An existing Chronicle SOAR instance and valid credentials 
    • A prior Chronicle integration with Resolution Intelligence Cloud 

    Attributes Mapping 

    The following attributes are mapped between Chronicle SOAR and Resolution Intelligence Cloud.

     Chronicle SOAR (Cases)

     Resolution Intelligence Cloud (ActOns)

     Description
     Case Name  ActOn Subject Title or Name 
     Description   Summary Comprehended details

     Events

     Signals

    		 Type of signals correlated 
     Entities  Assets Type of assets or entities from which signals are generated 

     Status

    • Open
    • Closed

     Status

    • New
    • Closed
    		 A state to which the ActOn or Case belongs 
     Priority  Priority

    A state of urgency. Possible priorities could be High, Medium, and Low


    Enabling Chronicle SOAR Integration 

    In Resolution Intelligence Cloud

    Roles Required:

    • Owner
    • Global Admin
    • A user with manager role
    • Configuration Manager

    To set up integration,

    1. Click  the gear icon at the top (or) hover over  icon at the top left corner.

    2. In the bottom of the left menu, click Configurations.

    3. In the left menu, under Data Ingestion, click Integrations.
      You will be navigated to the available integrations page.

    4. Locate and click Chronicle SOAR tile.
    5. Click the Add --> Add New Integration if you would prefer to enable a new integration. Otherwise, click Inherit from Parent to get the inbound and outbound properties from your organization or domains if you are at tenant level.
      The authentication and tenant mapping will be enabled.
    6. Under Configurations, click the Authentication. 
      You will be navigated to an authencation page where you enter the following details.

    i. Under the Inbound section:

      • In Authentication type, select JSON Web Token (JWT) from the dropdown list.
      • In Token source, an existing URL will be selected automatically.

    ii. Under the Outbound section:

    7. Click Save. 
    An Inbound URL and a consumer token will be generated. Copy and paste them in the parameters section of Chronicle SOAR integration portal.

    Mapping Tenants

    To map tenant(s) to your Chronicle SOAR integration,

    1. Click Add Mapping at the top right corner or click Bulk Add and select Import CSV file to import multiple tenants with the respective Chronicle SOAR environments.
    2. In the Add Mapping wizard, under Tenant Name, select your tenant from the dropdown menu.
    3. Under Environment, select a relevant environment in Chronicle SOAR to which you prefer to link your tenant from the dropdown menu.
    4. Click Add Row, if you would prefer to add more instances and repeat the same steps from 2 to 3.
    5. Click Save.
      The integration will be mapped to your desired tenants.

    Deleting Tenant Mapping

    You have mapped multiple tenants, but you feel that some tenants are no longer needed. You can remove those tenants from the current mapping using a Delete button.

    To remove tenant mapping,

    1. Locate the tenant that you would prefer to remove mapping.
    2. Click three dots right next to the tenant.
    3. Click Delete from the dropdown menu.
    4. Click Yes to remove it.

    Adding Outbound Policies

    Refer to this article for more details.

    Downloading and Importing a Tenant Mapping list

    You can download the existing tenant mappings to your local drive in a csv format and modify any tenant name and its relevant Chronicle SOAR environment, then bulk upload the amended list to map your Chronicle SOAR integration.

    To download and import a CSV file,

    1. After you have configured the integration, click Tenant Mapping.
    2. Navigate to Bulk Add --> Download CSV template.
      A template is downloaded into your local drive.
    3. First, you will need to fill the csv file with a valid tenant name, mapping status and project key.
    4. Click Bulk Add --> Import CSV file.
      A dialog box appears. 
    5. Click Import CSV and select your tenant mapping file from local drive.
    6. Click Open.
      A message appears on your screen.
    7. Click Yes to continue.
      A Mapping CSV file will be added to tenant list.

    mceclip3.png

    Generating API Key in Chronicle SOAR Portal

    1. Login to your Chronicle SOAR instance using valid credentials.
    2. From the Home page, click Picture21.png at the top right corner and click Settings from the dropdown menu.
    3. Click Advanced --> API Keys in the left navigation menu.
    4. Click Picture22.png at top right corner of API Keys screen.
      A window opens.
    5. Give the application a suitable name.
    6. In Permissions Group, select Admins from the dropdown menu.
    7. In SOC Role, select @Administrator from the dropdown menu. 
    8. Click Save.
      An API key will be generated automatically after saving the API key instance.
      Copy and paste this API key in the Outbound section of Chronicle SOAR integration in Resolution Intelligence Cloud.

    In Chronicle SOAR Portal

    1. Login to your Chronicle SOAR instance using valid credentials.
    2. From the Home page, click the marketplace  icon at the top right corner.
    3. Search for "Resolution Intelligence Cloud" in search bar.
    4. Click the Install icon located below the app.
      Resolution Intelligence Cloud app will be installed in your Chronicle instance.
    5. Click the Picture21.png icon at the top right corner.
    6. From the dropdown menu, click Integrations.
    7. Click the icon at the top right corner.
      A dialog box opens.
    8. In Integrations field, search and select "Resolution Intelligence Cloud."
      A dialog box opens.
    9. Add Description (Optional).
    10. Under Parameters,
      • In ri_inbound_webhook field, enter an Inbound URL generated from the step 7.
      • In token field, enter the Consumer token generated from the step 7.
    11. Click Save.

    Related articles

    Comments

    0 comments

    Please sign in to leave a comment.