To use this integration, subscribe to the Resolutions plan after you have registered with Resolution Intelligence Cloud. Visit this page for more details on the available plans.
With the Resolutions plan, ActOns generated in Resolution Intelligence Cloud can be pushed into the Chronicle SOAR portal as soon as they are created.
Integration with Chronicle SOAR (formerly Siemplify) helps security teams defend against threats from the external environment using threat intelligence: Resolution Intelligence collects and analyzes data from the connected sources, detects anomalies and patterns automatically, correlates the anomalies into signals, and pushes the resulting ActOns to Chronicle SOAR.
Chronicle SOAR is a Security Orchestration, Automation and Response (SOAR) platform; this integration lets you work your Chronicle events as cases in Chronicle SOAR.
Prerequisites
You should have
- Active account and Admin privileges in Resolution Intelligence Cloud
- Existing Chronicle SOAR instance and valid credentials
- A prior Chronicle integration with Resolution Intelligence Cloud
How it works
This is a two-way integration: signals flow from one platform to the other and updates flow back, so the security support team works from a single, current view of each ActOn. Three pieces make it work:
- A webhook, through which Resolution Intelligence sends event or ActOn data to Chronicle SOAR, where each ActOn is treated as a Case.
- A connector, which updates the Case information whenever the corresponding ActOn is modified in Resolution Intelligence.
- Chronicle SOAR REST APIs, which are used to create and update Cases.
Predefined playbooks in Chronicle SOAR are then associated with these Cases to complete the workflow.
Attributes Mapping
The following attributes are mapped between Chronicle SOAR and Resolution Intelligence.
Chronicle SOAR        | Resolution Intelligence | Description
----------------------|-------------------------|--------------------------------------------------
TicketId              | NetenrichTicketId       | ActOn ID
Priority              | Priority                | Priority of the ActOn
Title                 | Subject                 | Actual subject of the ActOn
rawPayloadTypeId      | typeId                  | Used to identify the ActOn type
rawPayloadTypeName    | typeName                | Used to identify the ActOn name
rawPayloadCreatedDate | createdDate             | Date on which the ActOn was generated
rawPayloadAlertsCount | alertsCount             | Total number of alerts correlated in the ActOn
rawPayloadIntegrations| integrations            | Integration details: Integration ID, Tenant ID etc.
rawPayloadStatus      | status                  | State of the ActOn
rawPayloadAlerts      | alerts                  | Actual entities
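As a worked illustration of the webhook flow and of the mapping above, here is an added Python example (not Netenrich's or Google's code) that turns a Resolution Intelligence ActOn into a Chronicle SOAR case payload, validates it before it crosses the boundary, computes the update the connector would send when an ActOn is modified, and assembles the outbound REST call authenticated with the API key configured in the Outbound section. The field names on both sides are taken from the table; the sample ActOn, the MappingError class, the function names, the required-field list, the AppKey header and the CreateCase path are assumptions for illustration and must be checked against your Chronicle SOAR instance's API documentation before use.

```python
"""Resolution Intelligence ActOn -> Chronicle SOAR case mapping (added example).

Not the vendor's code. Field names on both sides come from the attribute
mapping table on this page; everything else (sample data, function names,
the AppKey header and the CreateCase path) is an assumption for illustration.
"""
from __future__ import annotations

import json
from typing import Any

# Resolution Intelligence field -> Chronicle SOAR field, from the mapping table.
FIELD_MAP: dict[str, str] = {
    "NetenrichTicketId": "TicketId",
    "Priority": "Priority",
    "Subject": "Title",
    "typeId": "rawPayloadTypeId",
    "typeName": "rawPayloadTypeName",
    "createdDate": "rawPayloadCreatedDate",
    "alertsCount": "rawPayloadAlertsCount",
    "integrations": "rawPayloadIntegrations",
    "status": "rawPayloadStatus",
    "alerts": "rawPayloadAlerts",
}

# Without these a case cannot be identified, prioritised or titled (assumption).
REQUIRED_FIELDS = ("NetenrichTicketId", "Priority", "Subject")

# Constructed sample ActOn; the values are illustrative, not real data.
SAMPLE_ACTON: dict[str, Any] = {
    "NetenrichTicketId": "ACTON-1001",
    "Priority": "P2",
    "Subject": "Multiple failed logins followed by success",
    "typeId": 7,
    "typeName": "Credential Abuse",
    "createdDate": "2024-01-15T10:32:00Z",
    "alertsCount": 2,
    "integrations": {"integrationId": "chronicle-01", "tenantId": "tenant-a"},
    "status": "Open",
    "alerts": [{"entity": "user@example.com"}, {"entity": "10.0.0.5"}],
}


class MappingError(ValueError):
    """An ActOn that must not be forwarded as-is."""


def validate_acton(acton: dict[str, Any]) -> list[str]:
    """Return the problems found; an empty list means the ActOn can become a case."""
    problems: list[str] = []
    for field in REQUIRED_FIELDS:
        if field not in acton:
            problems.append(f"missing required field {field}")
    count, alerts = acton.get("alertsCount"), acton.get("alerts")
    is_int = isinstance(count, int) and not isinstance(count, bool)
    if count is not None and not is_int:
        problems.append("alertsCount must be an integer")
    # alerts is assumed to be a list of entity records; its length must agree with alertsCount.
    if alerts is not None and not isinstance(alerts, list):
        problems.append("alerts must be a list")
    elif is_int and alerts is not None and count != len(alerts):
        problems.append(f"alertsCount {count} does not match {len(alerts)} alerts")
    return problems


def acton_to_case(acton: dict[str, Any]) -> dict[str, Any]:
    """Rename the mapped fields; anything the table does not map is deliberately dropped."""
    problems = validate_acton(acton)
    if problems:
        raise MappingError("; ".join(problems))
    return {soar: acton[ri] for ri, soar in FIELD_MAP.items() if ri in acton}


def unmapped_fields(acton: dict[str, Any]) -> list[str]:
    """Fields the table does not map: log these, never forward them blindly."""
    return sorted(set(acton) - set(FIELD_MAP))


def case_update(old_acton: dict[str, Any], new_acton: dict[str, Any]) -> dict[str, Any]:
    """What the connector sends when an ActOn is modified: TicketId plus the changed fields."""
    old_case, new_case = acton_to_case(old_acton), acton_to_case(new_acton)
    if old_case["TicketId"] != new_case["TicketId"]:
        raise MappingError("an update must refer to the same ActOn")
    changed = {k: v for k, v in new_case.items() if old_case.get(k) != v}
    changed["TicketId"] = new_case["TicketId"]
    return changed


def build_create_case_request(case: dict[str, Any], base_url: str, api_key: str) -> dict[str, Any]:
    """Describe the outbound REST call (API-key auth, as configured in the Outbound section).

    The 'AppKey' header name and the CreateCase path are assumptions; verify them
    against your Chronicle SOAR instance's API documentation. The key is never logged.
    """
    return {
        "method": "POST",
        "url": base_url.rstrip("/") + "/api/external/v1/cases/CreateCase",
        "headers": {"AppKey": api_key, "Content-Type": "application/json"},
        "body": json.dumps(case),
    }


if __name__ == "__main__":
    case = acton_to_case(SAMPLE_ACTON)
    print(json.dumps(case, indent=2))
    print("changed on close:", case_update(SAMPLE_ACTON, {**SAMPLE_ACTON, "status": "Closed"}))
```

The validation step is the part worth keeping whatever client you use: a count that disagrees with the alerts list, or a missing ID, should stop the push rather than open a malformed case, and fields outside the table should be reviewed before anyone widens the mapping.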
Enabling Chronicle SOAR Integration
In Resolution Intelligence
1. From the Resolution Intelligence platform interface, navigate to Configurations --> Integrations --> Chronicle SOAR tile and click the Enable integration toggle switch.
2. If you enable the Inherit from Parent toggle, the inbound and outbound properties are derived from the organization's integrations.
3. In the Inbound section:
   - In Authentication type, select JSON Web Token (JWT) from the dropdown.
   - In Token source, select URL from the dropdown menu. A web URL and a consumer token are generated automatically.
4. In the Outbound section:
   - In Notification Type, select REST API.
   - In Base URL, provide your Chronicle SOAR instance URL.
   - In Authentication, select API Key.
   - In Key, provide the API key generated from your Chronicle SOAR instance web interface. Refer to Generating API Key in Chronicle SOAR Instance below for details.
   - Click Validate and Save.
5. Additional Properties: these properties let you point the integration at the Chronicle SOAR environment that suits your requirements. A default environment is enabled after a successful integration. To change it:
   - In Key, select Environment.
   - In Value, enter the name of the environment.
   - Click Save.
Generating API Key in Chronicle SOAR Instance
1. Log in to your Chronicle SOAR instance with valid credentials.
2. From the Home page, click the icon at the top right corner of the screen and choose Settings from the dropdown menu.
3. In the sitemap on the left of the screen, click Advanced --> API Keys.
4. Click the icon at the top right corner of the API Keys screen. A window appears.
5. Give the application a suitable name.
6. In Permissions Group, select Admins from the dropdown menu.
7. In SOC Role, select @Administrator from the dropdown menu.
8. Click Save.
9. The API key is generated automatically when you save. Copy it into the Key field of the Outbound section of the Chronicle SOAR integration in Resolution Intelligence.
Because it is created with the Admins permission group and the @Administrator SOC role, this key grants administrator-level access to your Chronicle SOAR instance. Store it only in the integration's Key field, keep it out of tickets, chat and source control, and if it is ever exposed, delete it from the API Keys screen and generate a replacement.