Google Chronicle SOAR: Platform Fundamentals and Overview

Jose Ruiz Garcia
7 min read · Nov 9, 2023


Platform Fundamentals

SOAR stands for Security Orchestration, Automation, and Response; its primary function is to gather data and security alerts from different sources. SOAR integrates technologies for orchestration, threat intelligence, and incident response, enabling businesses to consolidate security alerts from various sources. Chronicle’s SOAR platform enhances collaboration between people, processes, and technology, facilitating quicker alert processing and decision-making. The platform features robust alert grouping, allowing analysts to view entire incidents rather than isolated alerts, and offers tools such as ontology mapping for better visualization and playbooks for automation. It serves as a comprehensive workbench for security operations centers, complete with extensive reporting capabilities.

Chronicle SOAR Terms

  • Alert: Correlated events received by Chronicle SOAR.
  • Integration: Package of actions, connectors, and jobs for a specific product or service.
  • Connector: Part of an integration. The Chronicle SOAR component responsible for alert ingestion.
  • Action: Part of an integration. Executes an API call to an external product or service.
  • Case: Container that stores all important investigation information consumed by a connector, including events, alerts, notes, tasks, entities, and artifacts.
  • Entity: The alert’s main object of interest (e.g. hostname, username, source IP).
  • Artifact: The alert’s secondary object of interest (e.g. file path, file hash).
  • Event: Data consumed by a connector, aggregated into alerts, which can be leveraged within playbooks to automate workflows.
  • Job: Part of an integration. Acts as a scheduler, for example for health checks and synchronization.
  • Playbook: Workflow of actions or blocks, executed following a trigger.
  • Block: Sub-playbook with input and output parameters, nested throughout various playbooks.
  • Trigger: Action that starts the playbook.

Architecture

Chronicle SOAR includes a robust data ingestion workflow with various connectors, allowing for the integration of data which in turn facilitates alert and case creation. Workflows can be applied to these through the playbook layer. The platform stores all data securely and makes it fully searchable. For environments where the Chronicle SOAR server has no direct access, remote agents enable execution of necessary actions. The application layer supports thorough investigation and documentation, with the results being easily reported through detailed dashboards. Being a SaaS solution built on Kubernetes in Google Cloud Platform (GCP), it ensures high availability, security, and scalability, with customer data housed in GCP’s fully isolated and highly available databases. Chronicle SOAR is committed to data security and complies with industry standards.
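As an added illustration (not code from the article or from Chronicle SOAR itself), the following Python sketches the path the term list and the architecture paragraph describe: a connector correlates events into alerts, alerts sharing an entity are grouped into a case, and a trigger starts a playbook whose blocks run against the alert. All function and field names are assumptions made for the example, and the events are constructed.

```python
# Hypothetical model of the ingestion path the page describes (connector -> events -> alerts
# -> cases; entities vs artifacts; trigger -> playbook -> blocks). Not the Chronicle SOAR SDK.
ENTITY_FIELDS = {"hostname", "username", "src_ip"}  # main objects of interest
ARTIFACT_FIELDS = {"file_path", "file_hash"}        # secondary objects of interest

def connector_ingest(raw_events):
    """Correlate connector events into alerts: one alert per (rule, hostname) pair."""
    alerts = {}
    for ev in raw_events:
        alert = alerts.setdefault((ev["rule"], ev["hostname"]),
                                  {"rule": ev["rule"], "events": [], "entities": {}, "artifacts": {}})
        alert["events"].append(ev)
        for name, value in ev.items():
            if name in ENTITY_FIELDS:
                alert["entities"][name] = value
            elif name in ARTIFACT_FIELDS:
                alert["artifacts"][name] = value
    return list(alerts.values())

def group_into_cases(alerts):
    """Alert grouping: alerts that share a hostname entity land in the same case."""
    cases = {}
    for alert in alerts:
        cases.setdefault(alert["entities"]["hostname"], {"alerts": [], "notes": []})["alerts"].append(alert)
    return cases

def run_playbooks(case, playbooks):
    """A playbook fires when an alert's rule matches its trigger; its blocks then run in order."""
    for alert in case["alerts"]:
        for trigger_rule, blocks in playbooks:
            if alert["rule"] == trigger_rule:
                case["notes"].extend(block(alert) for block in blocks)
    return case["notes"]
# Blocks are reusable sub-playbooks; block_isolate_host is nested in both playbooks below.
def block_enrich_hash(alert):
    return "enriched " + alert["artifacts"]["file_hash"]
def block_isolate_host(alert):
    return "isolated " + alert["entities"]["hostname"]
PLAYBOOKS = [("malware_detected", [block_enrich_hash, block_isolate_host]),
             ("brute_force", [block_isolate_host])]
# Constructed sample events from one connector poll (not real data).
SAMPLE_EVENTS = [
    {"rule": "malware_detected", "hostname": "ws01", "username": "alice", "file_hash": "deadbeef"},
    {"rule": "malware_detected", "hostname": "ws01", "username": "alice", "file_hash": "cafebabe"},
    {"rule": "brute_force", "hostname": "ws01", "src_ip": "10.0.0.5"},
    {"rule": "brute_force", "hostname": "srv02", "src_ip": "10.0.0.5"}]

def demo():  # run the whole path; returns playbook notes per case, keyed by hostname
    cases = group_into_cases(connector_ingest(SAMPLE_EVENTS))
    return {host: run_playbooks(case, PLAYBOOKS) for host, case in cases.items()}
```

Running `demo()` shows two events collapsing into one malware alert, two alerts on `ws01` sharing one case, and the same block being reused by two different playbooks.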

Explanation of Terms:

  • Kubernetes: An open-source platform designed to automate deploying, scaling, and operating application containers.
  • GCP (Google Cloud Platform): A suite of cloud computing services that runs on the same infrastructure that Google uses internally for its end-user products.
  • SOAR (Security Orchestration, Automation, and Response): A set of software solutions and tools that allow companies to streamline security operations in three key areas: orchestration, automation, and response.
  • SaaS (Software as a Service): A software distribution model in which applications are hosted by a vendor or service provider and made available to customers over the internet.
  • RDS (Relational Database Service): A cloud database service that makes it easier to set up, operate, and scale a relational database in the cloud.
  • Availability Zones: Locations within data centers where cloud services can run from physically separate, independent infrastructure.

Knowledge Check Questions:

1. What is the main function of Chronicle SOAR?

| Answer: Chronicle SOAR is a platform designed to assist security analysts in managing and collaborating on deep investigative cases, automating workflows, and providing comprehensive reporting and dashboarding capabilities.

2. How does Chronicle SOAR ensure the security and availability of customer data?

| Answer: Chronicle SOAR is built on Kubernetes and hosted on GCP, providing a single-tenant, cloud-native solution with data stored in isolated RDS database instances that run across multiple GCP availability zones, ensuring high availability and security.

3. What is the role of Kubernetes in Chronicle SOAR?

| Answer: Kubernetes is used as a platform within GCP to deploy, manage, and scale the Chronicle SOAR services, ensuring that the solution can efficiently handle workload demands and maintain service availability.

4. Can Chronicle SOAR work with isolated environments, and if so, how?

| Answer: Yes, Chronicle SOAR can operate within isolated environments using remote agents that allow actions to be executed where the SOAR server doesn’t have native access.

5. Why is Chronicle SOAR considered a SaaS solution?

| Answer: Chronicle SOAR is considered a SaaS solution because it is a cloud-based service provided over the internet, which abstracts the underlying infrastructure and maintenance concerns from the end user, offering a ready-to-use security platform.

6. What is the role of a connector in Chronicle SOAR?

| Answer: In Chronicle SOAR, a connector is a component that is responsible for ingesting alerts from different sources into the system.

7. How does an action differ from a connector within Chronicle SOAR’s integrations?

| Answer: An action is a part of the integration that executes an API call to an external product or service, while a connector is responsible for alert ingestion.

8. Define what a case is in the context of Chronicle SOAR.

| Answer: A case in Chronicle SOAR is a container that holds all relevant information for an investigation, such as events, alerts, notes, tasks, entities, and artifacts.

9. In Chronicle SOAR, what is an entity, and how does it differ from an artifact?

| Answer: An entity is the main object of interest in an alert (like a hostname or IP address), whereas an artifact is a secondary object of interest (such as a file path or hash).

10. What is the purpose of a job in Chronicle SOAR’s integration framework?

| Answer: In Chronicle SOAR’s integration framework, a job acts as a scheduler that can perform regular health checks and synchronization tasks.

11. Explain what a playbook does in Chronicle SOAR.

| Answer: A playbook in Chronicle SOAR is a workflow consisting of actions or blocks that are executed in response to a specific trigger to automate security workflows.

12. How is a block used within a playbook in Chronicle SOAR?

| Answer: A block is a sub-playbook within Chronicle SOAR that has its own input and output parameters and can be nested within various playbooks to perform specific functions.

13. What initiates the execution of a playbook in Chronicle SOAR?

| Answer: A playbook in Chronicle SOAR is initiated by a trigger, which is an event or condition that starts the automated workflow.

14. What is the significance of event correlation in the context of alerts received by Chronicle SOAR?

| Answer: Event correlation in Chronicle SOAR refers to the process of combining different events to identify and generate meaningful alerts, which are then used for further investigation and response.

15. Can you identify the main components of Chronicle SOAR’s integration and their respective functions?

| Answer: The main components of Chronicle SOAR’s integration include actions (execute API calls), connectors (responsible for alert ingestion), and jobs (perform scheduling and health checks). Together, they form a package that integrates with specific products or services to automate and streamline security operations.

Platform Overview

Let’s review the main sections of the Chronicle SOAR platform.

Fig. 1. My Cases, Homepage tab

On the analyst’s homepage, the My Cases tab shows the cases assigned to the analyst or to the role they belong to. On the right-hand side, we can see the details of the alert or jump straight into the case.

Fig. 2. Pending Actions tab

In this tab, the analyst can resume the execution of a workflow that is waiting on their input. The analyst can view the case or respond directly to the question.

Fig. 3. My Tasks tab

This tab keeps track of the tasks the analyst created or that are assigned to them. The analyst can view a task or mark it as complete when done.

Fig. 4. Requests tab

Enables any user on the platform to fill in a template requesting the execution of specific tasks.

Fig. 5. Workspace tab

Here the analyst can store links, files, and contact information relevant to the investigation.

Fig. 6. Announcements

An RSS feed shared among all users of the platform, allowing a SOC manager to share information with their team quickly.

Fig. 7. Dashboard Menu

Dashboards in Chronicle SOAR show real-time, high-level metrics about SOC operations. We can share dashboards with others or save them as report templates.

Fig. 8. Cases Menu

This is where the analysts will spend most of their time triaging alerts and managing cases.

Fig. 9. Playbooks Menu

Here, analysts can manage the existing playbooks and blocks in the platform, or create new ones from scratch.

Fig. 10. Search Menu

The analyst has a view of all open and closed alerts in the platform, with a search bar, filtering, and multi-selection to perform bulk operations on the selected cases.

Fig. 11. Reports Menu

Reports and advanced reports can be generated on demand and sent via e-mail. Advanced reports are very detailed and granular.

Fig. 12. Incident Manager Menu

Open incidents are classified by severity, and members can be added to participate in the incident resolution. In the Workstation tab, we can audit all the comments and actions from all users to see the progress of a specific incident’s resolution.
