Eyeglass Solutions Publication

Google Security Operations (SecOps) (Chronicle) SOAR Zero Trust Integration

Overview 

Customers using the Google Security Operations (SecOps) (Chronicle) SOAR solution can now leverage a native integration that is installed and configured directly from the Google Security Operations (SecOps) (Chronicle) marketplace.  Customers can augment the capabilities of Google Security Operations (SecOps) (Chronicle) SOAR with the threat intelligence and Cyber Storage capabilities of Superna Security Edition.

Support Statement 

  1. NOTE:  This documentation is provided "as is" without support for third-party software.  The level of support for this integration guide is best effort, without any SLA on response time.  Superna cannot provide support for third-party products directly; third-party components require their own support contracts.

Limitations

  1. None

Solution Overview 

The Superna Zero Trust Integration allows customers to install the Superna Zero Trust playbooks from the Chronicle marketplace and run them from Chronicle incidents.

Advanced Zero Trust Capabilities

  1. The playbooks provide the following use cases:
    1. Snapshot critical NAS data
    2. Lockout a user from NAS storage
    3. Unlock a user from NAS storage that was previously locked out.

What is Google Security Operations (SecOps) (Chronicle) SOAR?

Chronicle SOAR is a cloud service, built as a specialized layer on top of core Google infrastructure, designed for enterprises to privately retain, analyze, and search the massive amounts of security and network telemetry they generate.

Integration Architecture

[Integration architecture diagram]

Solution Configuration in Google Security Operations (SecOps) (Chronicle) SOAR and Defender Zero Trust 

Prerequisites 

  1. Installed Security Edition
  2. Eyeglass OS appliance version 15.5
    1. Verify the version with: cat /etc/os-release
  3. License key for the Zero Trust API 
  4. Google Security Operations (SecOps) (Chronicle) SOAR

Configuration in Google Security Operations (SecOps) (Chronicle) SOAR 

  1. Login to Google Security Operations (SecOps) (Chronicle).
    1. To import the integration from source files, download the integration zip file and use the import package option.  Use only this method OR the marketplace method, not both installation methods.
      1. Open the IDE tab within the Responses menu.
      2. Select the zip file downloaded in the steps above.
      3. Done. NOTE: Skip the marketplace method if you followed these steps.
  2. NOTE: Only use this option if you did not follow the definition import method. Open the Marketplace.
    1. Search for Superna.
    2. Click the gear to install into your account.
    3. You will need the IP address of the Eyeglass VM and an API token created from the Eyeglass admin desktop (Main menu, Superna Eyeglass API menu).
    4. Enter a description, select run remotely and select the agent that will be used to proxy API calls to the Eyeglass VM.  NOTE: The remote agent must already be installed and registered with the Chronicle portal.
    5. Once installed into your portal, 3 playbooks will become available.
    6. Done.


How to test the Integration with Google Security Operations (SecOps) (Chronicle) SOAR

  1. To test the integration, follow these steps.
  2. The integration uses a ping validation: the remote agent issues an Eyeglass health check API call that validates that the IP address and API token are correct.  It also validates that the remote agent can reach the VM and that no firewall is blocking access.
  3. The ping test function can be executed as follows.
  4. Using the marketplace integration gear box, click the test remotely button; you should get a green check mark.
    1. If you get a red X, hover over the X to get the error code for support to assist with root cause.
    2. Most common issues:
      1. Firewall between the remote agent and the Eyeglass VM
      2. Incorrect Eyeglass IP address
      3. Invalid API token

How to use the Playbooks within an Incident

  1. For an incident, select actions and filter on Superna.
    1. Select a playbook to execute.
    2. The lockout and unlock playbooks require a user name to be input in the format domain\username or username@<DNS AD domain FQDN>.
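
Because a lockout acts on whatever principal the NAS resolves, the user name passed to the lockout or unlock playbook should be checked against the two accepted formats before the action runs. The following Python is an added example and not Superna's or Google's code; the character restrictions it applies to the user part, the NetBIOS-style short domain and the FQDN are assumptions, not something this page specifies.

```python
import re

# Constructed example, not Superna's or Google's code: validates the user
# identifier an analyst supplies to the Superna lockout/unlock playbook.
# The page accepts two formats: domain\username or username@<DNS AD domain FQDN>.
# Returning (domain, user) lets the caller reject malformed input before a
# lockout action is issued against NAS storage.

# Assumed restrictions (not stated on the page): sAMAccountName-style user
# part, NetBIOS-style short domain for the backslash form, DNS FQDN for the
# @ form (at least one dot, labels of 1-63 characters).
_USER_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")
_NETBIOS_RE = re.compile(r"^[A-Za-z0-9_-]{1,15}$")
_FQDN_RE = re.compile(r"^(?=.{1,253}$)([A-Za-z0-9-]{1,63}\.)+[A-Za-z0-9-]{1,63}$")


def parse_nas_user(raw):
    """Return (domain, user) for a valid identifier, or None if malformed.

    Surrounding whitespace is stripped; everything else must match exactly.
    Domain is normalised (NetBIOS upper-case, FQDN lower-case) and the user
    part lower-cased so the same principal always produces the same tuple.
    """
    value = raw.strip()
    if "\\" in value and "@" in value:
        return None  # mixed forms are ambiguous: reject rather than guess
    if "\\" in value:
        domain, _, user = value.partition("\\")
        if not (_NETBIOS_RE.match(domain) and _USER_RE.match(user)):
            return None
        return domain.upper(), user.lower()
    if "@" in value:
        user, _, domain = value.rpartition("@")
        if not (_USER_RE.match(user) and _FQDN_RE.match(domain)):
            return None
        return domain.lower(), user.lower()
    return None  # bare user name without a domain is not an accepted format


if __name__ == "__main__":
    # Constructed sample inputs covering both formats and common mistakes.
    for sample in ("CORP\\jdoe", "jdoe@corp.example.com", "jdoe",
                   "CORP\\jdoe@corp.example.com", "jdoe@corp"):
        print(repr(sample), "->", parse_nas_user(sample))
```
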
© Superna Inc