Security Operations SOAR: Step 4 - Custom Integrations


Imagine connecting any security tool or service your organization relies on, regardless of platform or API availability. Custom integrations empower you to tailor SOAR to your specific needs, automating even the most niche workflows. Whether it's ingesting data from a custom SIEM or triggering actions in a proprietary vulnerability scanner, the possibilities are endless. Gain an edge on evolving threats by building integrations that seamlessly extend SOAR's reach and optimize your incident response processes. Don't let limitations hinder your security - unlock the full potential of your security ecosystem with custom integrations in Google Chronicle SOAR.

Prerequisites

  • Entitlement for SecOps SOAR on the account and project
  • Administrative permissions to Chronicle SOAR
  • Administrative Access for any 3rd party applications that will be integrated with Chronicle SOAR

Actions


IDE Usage

The Integrated Development Environment (IDE) is a framework for viewing, editing, and testing code. It lets you view the code of commercial integrations and create custom integrations, either from scratch or by duplicating the code of a commercial integration.

Prerequisites

See the Relevant Links section for more documentation regarding the prerequisites.

  • Administrative permissions to Chronicle SOAR

Steps

  1. Navigate to Response > IDE.

  2. Choose what you would like to develop: integrations, connectors, actions, jobs, or managers.

Relevant Links


Custom Integrations

SecOps users can create custom integrations inside the IDE with the same structure as commercial integrations. The custom integrations will appear in the Chronicle Marketplace and can be configured for different environments so they can be used in playbooks, manual actions and remote agents. They can also be imported and exported as with other IDE items.

Prerequisites

See the Relevant Links section for more documentation regarding the prerequisites.

  • Administrative permissions to Chronicle SOAR

Steps

  1. In the left navigation, navigate to Response > IDE.

  2. Click Create New Item and select Integration.

  3. Enter a name and click Create.

Relevant Links


Custom Actions

SecOps SOAR's custom integrations go beyond pre-built options, enabling you to connect any security tool or service, regardless of compatibility. This lets you automate your specific workflows, even for niche tools or processes. Whether it's ingesting data from a custom SIEM or triggering actions in a proprietary scanner, you can tailor SOAR to your unique needs.

Prerequisites

See the Relevant Links section for more documentation regarding the prerequisites.

  • Administrative permissions to Chronicle SOAR

Steps

  1. In the left navigation, navigate to Response > IDE.

  2. Click Create New Item and select Action.

  3. Enter a name and select the Integration. Click Create.

Relevant Links


Write Jobs

The Jobs Scheduler page contains the default Chronicle jobs as well as jobs created in the IDE, which are essentially scripts that can be scheduled to run periodically.

Prerequisites

See the Relevant Links section for more documentation regarding the prerequisites.

  • Administrative permissions to Chronicle SOAR

Steps

  1. First, create the job in the IDE. Refer to Using the IDE for more details.

  2. In the left navigation, navigate to Response > Jobs Scheduler. The Jobs Scheduler page is displayed.

  3. Select Create New Job.

  4. Select the job you created in the IDE and click Save.

  5. Enter the scheduler information for when the script should run.

  6. Make sure to click Save.

  7. You can also choose to run the script immediately by clicking Run Now.

Relevant Links