The Chronicle SOAR (formerly Siemplify) integration lets the security team act on threats identified from threat intelligence and from anomalies detected in data produced by multiple sources.
With the plans available on this page, you can push ActOns into the Chronicle SOAR portal as soon as they are generated in the Resolution Intelligence Cloud.
How it works
Security ActOn Life Cycle in Chronicle SOAR:
ActOns → Threat Centric Case Creation → Playbook Execution → Context-Driven Investigation → Response → Business Intelligence
The Chronicle SOAR integration is bi-directional. Events are ingested into the Resolution Intelligence Cloud as signals; the AI Ops correlation engine correlates related signals into ActOns and pushes each ActOn to the Chronicle SOAR platform over a webhook, where it is treated as a Case. Each Case is associated with a predefined playbook in Chronicle SOAR, and any change made to the Case is sent back to the ActOn through the API. The predefined playbooks receive the Case's contextual information, such as scoring, evidence and assets, to drive further actions.
Prerequisites
You should have
- Active account and Admin privileges in Resolution Intelligence Cloud
- An existing Chronicle SOAR instance and valid credentials
- A prior Chronicle integration with Resolution Intelligence Cloud
Attributes Mapping
The following attributes are mapped between Chronicle SOAR and Resolution Intelligence Cloud.

| Chronicle SOAR (Cases) | Resolution Intelligence Cloud (ActOns) | Description |
| --- | --- | --- |
| Case Name | ActOn Subject | Title or name |
| Description | Summary | Comprehended details |
| Events | Signals | Type of signals correlated |
| Entities | Assets | Type of assets or entities from which signals are generated |
| Status | Status | The state to which the ActOn or Case belongs |
| Priority | Priority | The level of urgency. Possible priorities are High, Medium and Low |
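The flow described under How it works and the attribute table above are illustrated by the following Python module. It is an added example, not code from Resolution Intelligence Cloud or Chronicle SOAR: it maps a constructed ActOn to a Case body following the table, rejects priorities outside High/Medium/Low, maps a Case change back to an ActOn update, and assembles the outbound request to the SOAR instance using the Base URL and API key from the Outbound section. The JSON field names (subject, summary, signals, assets, and the SOAR-side name, description, events, entities), the AppKey header, the CreateCase path and the CHRONICLE_SOAR_API_KEY environment variable are assumptions made for this example.

```python
"""Map a Resolution Intelligence Cloud ActOn to a Chronicle SOAR case payload.

Added illustration, not code from either product. The JSON field names and
the request header/path below are assumptions; only the attribute pairing
follows the mapping table on the page.
"""
import os

# Priorities the mapping table allows on both sides.
ALLOWED_PRIORITIES = {"High", "Medium", "Low"}

# Pairing from the attribute-mapping table (assumed ActOn key -> assumed Case key).
ACTON_TO_CASE = {
    "subject": "name",          # ActOn Subject  -> Case Name
    "summary": "description",   # Summary        -> Description
    "signals": "events",        # Signals        -> Events
    "assets": "entities",       # Assets         -> Entities
    "status": "status",         # Status         -> Status
    "priority": "priority",     # Priority       -> Priority
}


def acton_to_case(acton: dict) -> dict:
    """Translate one ActOn into the case body pushed to Chronicle SOAR.

    Raises ValueError instead of pushing a half-mapped case when a mapped
    attribute is missing or the priority is outside the documented set.
    """
    missing = [k for k in ACTON_TO_CASE if k not in acton]
    if missing:
        raise ValueError(f"ActOn is missing mapped attributes: {missing}")
    priority = str(acton["priority"]).capitalize()
    if priority not in ALLOWED_PRIORITIES:
        raise ValueError(f"unsupported priority {acton['priority']!r}")
    case = {ACTON_TO_CASE[k]: acton[k] for k in ACTON_TO_CASE}
    case["priority"] = priority
    # Events and entities are collections on the SOAR side; wrap a single value.
    for list_field in ("events", "entities"):
        if not isinstance(case[list_field], list):
            case[list_field] = [case[list_field]]
    return case


def case_update_to_acton(update: dict) -> dict:
    """Reverse direction: fields changed on the Case become an ActOn update.

    Anything not in the mapping table (e.g. a SOAR-only owner field) is dropped.
    """
    reverse = {v: k for k, v in ACTON_TO_CASE.items()}
    return {reverse[k]: v for k, v in update.items() if k in reverse}


def outbound_request(base_url: str, case: dict, api_key=None) -> dict:
    """Build (but do not send) the outbound call to the SOAR instance.

    The key is the admin-scoped API key generated in Chronicle SOAR. It is read
    from the environment (assumed variable name) so it never sits in source.
    The header name and path are assumptions for this example.
    """
    key = api_key or os.environ.get("CHRONICLE_SOAR_API_KEY")
    if not key:
        raise RuntimeError("Chronicle SOAR API key not configured")
    if not base_url.startswith("https://"):
        raise ValueError("Base URL must use https; the API key travels in a header")
    return {
        "method": "POST",
        "url": base_url.rstrip("/") + "/api/external/v1/cases/CreateCase",
        "headers": {"AppKey": key, "Content-Type": "application/json"},
        "json": case,
    }


# Constructed sample ActOn, in the assumed shape of the correlation engine output.
SAMPLE_ACTON = {
    "subject": "Brute force followed by successful login",
    "summary": "14 failed logons then a success from the same source address",
    "signals": ["auth_failure_burst", "auth_success_after_failures"],
    "assets": ["srv-fin-01", "10.20.30.40"],
    "status": "Open",
    "priority": "high",
}

if __name__ == "__main__":
    body = acton_to_case(SAMPLE_ACTON)
    req = outbound_request("https://soar.example.internal", body, api_key="demo-key")
    print(req["method"], req["url"], body["priority"])
```

The validation step matters because the integration treats each pushed ActOn as a Case with a playbook attached: a Case created with an unknown priority or without its entities would run that playbook on incomplete context.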
Enabling Chronicle SOAR Integration
In Resolution Intelligence Cloud
Roles Required:
- Owner
- Global Admin
- A user with manager role
- Configuration Manager
To set up the integration,
1. Click the gear icon at the top, or hover over the icon at the top left corner.
2. At the bottom of the left menu, click Configurations.
3. In the left menu, under Data Ingestion, click Integrations.
   You will be navigated to the available integrations page.
4. Locate and click the Chronicle SOAR tile.
5. Click Add --> Add New Integration to enable a new integration. Otherwise, if you are at the tenant level, click Inherit from Parent to take the inbound and outbound properties from your organization or domain.
   Authentication and tenant mapping will be enabled.
6. Under Configurations, click Authentication.
   You will be navigated to an authentication page where you enter the following details.
   i. Under the Inbound section:
      - In Authentication type, select JSON Web Token (JWT) from the dropdown list.
      - In Token source, an existing URL is selected automatically.
   ii. Under the Outbound section:
      - In Base URL, enter your Chronicle SOAR instance URL.
      - In Key, provide the API key generated from your Chronicle SOAR instance web interface. Refer to Generating API Key in Chronicle SOAR Portal for more details.
7. Click Save.
An Inbound URL and a consumer token are generated. Copy them into the Parameters section of the Resolution Intelligence Cloud integration in the Chronicle SOAR portal. The consumer token is what authenticates Chronicle SOAR's inbound updates to your ActOns, so handle it as a secret.
Mapping Tenants
To map tenant(s) to your Chronicle SOAR integration,
- Click Add Mapping at the top right corner or click Bulk Add and select Import CSV file to import multiple tenants with the respective Chronicle SOAR environments.
- In the Add Mapping wizard, under Tenant Name, select your tenant from the dropdown menu.
- Under Environment, select a relevant environment in Chronicle SOAR to which you prefer to link your tenant from the dropdown menu.
- Click Add Row if you want to add more instances, and repeat steps 2 and 3 for each.
- Click Save.
The integration will be mapped to your desired tenants.
Deleting Tenant Mapping
If some of the mapped tenants are no longer needed, you can remove them from the current mapping with the Delete button.
To remove tenant mapping,
- Locate the tenant whose mapping you want to remove.
- Click the three-dots menu next to the tenant.
- Click Delete from the dropdown menu.
- Click Yes to remove it.
Adding Outbound Policies
Refer to this article for more details.
Downloading and Importing a Tenant Mapping list
You can download the existing tenant mappings to your local drive as a CSV file, modify tenant names and their Chronicle SOAR environments, then bulk upload the amended list to map them to your Chronicle SOAR integration.
To download and import a CSV file,
1. After you have configured the integration, click Tenant Mapping.
2. Navigate to Bulk Add --> Download CSV template.
   A template is downloaded to your local drive.
3. Fill the CSV file with a valid tenant name, mapping status and project key for each row.
4. Click Bulk Add --> Import CSV file.
   A dialog box appears.
5. Click Import CSV and select your tenant mapping file from your local drive.
6. Click Open.
   A confirmation message appears on your screen.
7. Click Yes to continue.
The mappings from the CSV file are added to the tenant list.
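A bulk import maps every row in the file, so a malformed row (an empty key, or the same tenant listed twice with different environments) is worth catching before the upload. The pre-flight check below is an added example, not part of Resolution Intelligence Cloud: it validates a tenant-mapping CSV for the three fields the page requires (tenant name, mapping status, project key). The column header names, the accepted status values (active/inactive) and the sample rows are assumptions made for this example; adjust the headers to match the template you downloaded.

```python
"""Pre-flight check for a tenant-mapping CSV before Bulk Add -> Import CSV file.

Added example, not part of Resolution Intelligence Cloud. Header names and
the accepted status values are assumptions; align them with the downloaded
CSV template.
"""
import csv
import io

# Assumed header names for the three fields the page says each row must carry.
REQUIRED_COLUMNS = ("tenant_name", "mapping_status", "project_key")
# Assumed set of valid mapping-status values.
ALLOWED_STATUS = {"active", "inactive"}


def validate_mapping_csv(text: str) -> list:
    """Return a list of human-readable problems; an empty list means safe to import."""
    problems = []
    reader = csv.DictReader(io.StringIO(text))
    header = reader.fieldnames or []
    missing = [c for c in REQUIRED_COLUMNS if c not in header]
    if missing:
        # Without the expected header nothing below is meaningful; stop here.
        return [f"header is missing column(s): {', '.join(missing)}"]

    seen = {}  # tenant name -> first line it appeared on
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        tenant = (row.get("tenant_name") or "").strip()
        status = (row.get("mapping_status") or "").strip().lower()
        project = (row.get("project_key") or "").strip()
        if not tenant:
            problems.append(f"line {lineno}: empty tenant_name")
            continue
        if status not in ALLOWED_STATUS:
            problems.append(
                f"line {lineno}: mapping_status {status!r} not in {sorted(ALLOWED_STATUS)}"
            )
        if not project:
            problems.append(f"line {lineno}: {tenant} has no project_key")
        if tenant in seen:
            # A tenant can only be linked to one environment; flag the duplicate.
            problems.append(f"line {lineno}: {tenant} already mapped on line {seen[tenant]}")
        else:
            seen[tenant] = lineno

    if not seen:
        problems.append("no data rows")
    return problems


# Constructed sample file with two deliberate faults: a blank key and a duplicate tenant.
SAMPLE_CSV = """tenant_name,mapping_status,project_key
acme-prod,active,ACME-PROD
acme-dev,active,
acme-prod,inactive,ACME-OLD
"""

if __name__ == "__main__":
    for problem in validate_mapping_csv(SAMPLE_CSV):
        print(problem)
```

Run it against the amended file before importing; an empty result means every row has a tenant, a recognised status and a project key, and no tenant is mapped twice.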
Generating API Key in Chronicle SOAR Portal
1. Log in to your Chronicle SOAR instance using valid credentials.
2. From the Home page, click the icon at the top right corner and click Settings from the dropdown menu.
3. Click Advanced --> API Keys in the left navigation menu.
4. Click the icon at the top right corner of the API Keys screen to add a new key.
   A window opens.
5. Give the application a suitable name.
6. In Permissions Group, select Admins from the dropdown menu.
7. In SOC Role, select @Administrator from the dropdown menu.
8. Click Save.
An API key is generated automatically when the API key entry is saved. Because it is issued to the Admins permissions group and the @Administrator SOC role, this key carries full administrative rights on your Chronicle SOAR instance: paste it directly into the Outbound section of the Chronicle SOAR integration in Resolution Intelligence Cloud, do not store it anywhere else, and regenerate it if it is ever exposed.
In Chronicle SOAR Portal
1. Log in to your Chronicle SOAR instance using valid credentials.
2. From the Home page, click the marketplace icon at the top right corner.
3. Search for "Resolution Intelligence Cloud" in the search bar.
4. Click the Install icon located below the app.
   The Resolution Intelligence Cloud app is installed in your Chronicle SOAR instance.
5. Click the icon at the top right corner.
6. From the dropdown menu, click Integrations.
7. Click the icon at the top right corner.
   A dialog box opens.
8. In the Integrations field, search for and select "Resolution Intelligence Cloud".
   A dialog box opens.
9. Add a Description (optional).
10. Under Parameters, enter the Inbound URL and consumer token that were generated when you saved the Authentication settings in Resolution Intelligence Cloud.
11. Click Save.