Security Operations SOAR: Step 3 - Utilize Chronicle Marketplace


Feeling overwhelmed by siloed security tools and manual threat response processes? You're not alone. The Google Chronicle SOAR Marketplace is built to address exactly that. It is a central hub where you can access pre-built integrations, community-developed playbooks, and analytics, all designed to streamline your Security Operations Center (SOC) workflows and speed up incident response. Rather than reinventing the wheel, you tap into the collective expertise of the security community. The Marketplace lets you connect SecOps SOAR with leading security tools, automate repetitive tasks with pre-built playbooks, and gain insight from comprehensive dashboards. This collaborative environment fosters innovation, saves time, and lets your SOC team focus on what matters most: effectively combating cyber threats.

Prerequisites

  • Entitlement for SecOps SOAR on the account and project
  • Administrative permissions to Chronicle SOAR
  • Administrative access to any third-party applications that will be integrated with Chronicle SOAR via the Marketplace

Actions


Marketplace Integrations

The Marketplace allows you to install company integrations, integrations published by the community, as well as custom integrations you have built in the IDE. The Marketplace also contains a repository for predefined Use Cases, Power Ups that enhance Playbook capabilities, and Analytics that provide valuable insights.

Prerequisites

See the Relevant Links section for more documentation regarding the prerequisites.

  • Administrative permissions to Chronicle SOAR
Steps
  1. In the Chronicle UI, click the Marketplace icon in the top right, then click Integrations.

  2. Search through the Integrations and click the down-arrow icon to install the integration.

  3. Once the integration is installed, navigate to the main section that the integration targets.

    1. For instance, if the integration is a connector, navigate to SOAR Settings > Connectors.

  4. Click the Gear icon next to the integration you need to configure and fill in its settings (for example, API endpoint and credentials for the third-party application).

Relevant Links
Marketplace Use-Cases

Chronicle Marketplace hosts many kinds of content, including Use Cases. A Use Case packages pre-built Chronicle SOAR integrations, playbooks, and related content, all contributed by the community, so you can apply it without first needing to understand the backend data modeling and filtering.

Prerequisites

See the Relevant Links section for more documentation regarding the prerequisites.

  • Administrative permissions to Chronicle SOAR
Steps
  1. Define the Use-case | Docs

    1. Write a description of the security threat you are solving with the use case.

    2. Define what kind of alert will be handled and which detection product generates it.

  2. Draw the incident response, orchestration, or automation process that will handle this alert. | Docs

  3. Prepare Use Case Alerts | Docs

    1. Create a custom Alert / Event based on a real data case.

    2. Generate sample security alerts / events from a detection tool to simulate the use case.

    3. Go to Cases > click the “+” (Plus) button > Simulate Cases.

  4. Extract Entities (Map & Model the data) | Docs

    1. Run the Zero to Hero test case.

    2. In the Cases tab, open the Mail case and select the Events tab.

    3. Click the Gear icon to the right of the Alert to open the Event Configuration screen.

    4. In the top left corner, click the word Mail in the hierarchy.

    5. Assign the Visual Family that best represents the data.

    6. Switch to Mapping and map the Entity Fields.

  5. Build a Playbook. | Docs

  6. Write a Guide. | Docs

  7. Publish the Use Case. | Docs
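The "Map & Model" step above is done in the Event Configuration screen, but it helps to see what a mapping actually produces: raw event fields are turned into typed entities that playbook actions can enrich or block. The following is an added example written for this page, not Chronicle SOAR's own code or SDK; the raw event, the Visual Family name, the entity type labels and the mapping table are all constructed to illustrate the idea, and the example handles the two cases that trip people up in practice, a mapped field that is absent from a given event and a field that carries several values.

```python
"""Entity extraction for a simulated mail alert (added example, not SOAR code).

Models the Use Case 'Map & Model the data' step in plain Python: a mapping
table says which raw field becomes which entity type, and extract_entities()
applies it. RAW_EVENT, VISUAL_FAMILY, entity type names and ENTITY_MAPPING are
constructed for illustration and are not Chronicle identifiers.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample event, shaped like something a mail gateway might emit.
# The hash is SHA-256 of empty input, used only as a well-formed placeholder.
RAW_EVENT: Dict[str, str] = {
    "product": "MailGateway",
    "event_type": "PhishingSuspected",
    "sender": "Billing@example-invoice.test",
    "recipient": "alice@corp.example",
    "subject": "Invoice overdue",
    "urls": "http://example-invoice.test/pay , http://example-invoice.test/login",
    "attachment_sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "src_ip": "203.0.113.10",
}

# Visual family chosen for this event shape (constructed name).
VISUAL_FAMILY = "Mail"

# (raw field, entity type, multi-valued?) -- the mapping table built in the UI.
ENTITY_MAPPING: List[Tuple[str, str, bool]] = [
    ("sender", "USER", False),
    ("recipient", "USER", False),
    ("urls", "URL", True),
    ("attachment_sha256", "FILEHASH", False),
    ("src_ip", "ADDRESS", False),
    ("reply_to", "USER", False),  # not present in RAW_EVENT: must be skipped
]

# Separator used when one raw field carries several values.
_MULTI_SPLIT = re.compile(r"[,\s;]+")


def extract_entities(event: Dict[str, str],
                     mapping: List[Tuple[str, str, bool]] = ENTITY_MAPPING
                     ) -> List[Tuple[str, str]]:
    """Return (entity_type, identifier) pairs for one raw event.

    Absent or empty fields are skipped, multi-valued fields are split, and
    USER / FILEHASH identifiers are lower-cased so duplicates collapse to one
    entity (design choice for the example, so an 'alice@' and 'Alice@' sender
    do not become two separate USER entities).
    """
    entities: List[Tuple[str, str]] = []
    seen = set()
    for field, etype, multi in mapping:
        value = event.get(field)
        if value is None or str(value).strip() == "":
            continue
        values = _MULTI_SPLIT.split(str(value)) if multi else [str(value)]
        for raw in values:
            ident = raw.strip()
            if not ident:
                continue
            if etype in ("USER", "FILEHASH"):
                ident = ident.lower()
            key = (etype, ident)
            if key in seen:
                continue
            seen.add(key)
            entities.append(key)
    return entities


def model_event(event: Dict[str, str]) -> Dict[str, object]:
    """Attach the visual family and extracted entities to the raw event,
    roughly what the Event Configuration screen stores for a mapped event."""
    return {
        "visual_family": VISUAL_FAMILY,
        "product": event.get("product"),
        "entities": extract_entities(event),
    }


if __name__ == "__main__":
    for etype, ident in extract_entities(RAW_EVENT):
        print(f"{etype:9s} {ident}")
```

Running the block lists six entities (two USER, two URL, one FILEHASH, one ADDRESS) and silently ignores the unmapped `reply_to` field; a mapping that raised on a missing field would break every alert whose detection product omits an optional attribute, which is the most common reason a freshly mapped Use Case works on the simulated case and fails on live data.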

Relevant Links


Marketplace Power-Ups

Power Ups are tools included in the Chronicle Marketplace that enhance your ability to automate processes for more efficient playbooks.

Prerequisites

See the Relevant Links section for more documentation regarding the prerequisites.

  • Administrative permissions to Chronicle SOAR
Steps
  1. Power-ups do not need any special configuration, as they are in-house Chronicle actions.

  2. New power-ups are pushed to the Chronicle Marketplace on an ongoing basis.

  3. Click Read More on each power-up to see what it contains.

Relevant Links