Google SecOps

Google SecOps is an SIEM integration. SIEM integrations are used to perform analysis of any SIEM generated alerts, and/or to use generated data as part of investigation analysis. They are optional, but enabling more integrations enhances Dropzone analysis.

Dropzone integrates with Google SecOps to investigate different security alerts across many of Google's security products.

Integration Overview

To enable these integrations you will perform the following actions:

Identify your service account address
Grant IAM access to the Dropzone service account
Obtain your Google Account Details
Enable the Alert and Data sources

Identify your service account email address

To obtain the email address of your Dropzone service account, do the following:

Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.app
In the bottom left hand corner, navigate to Settings > Integrations

Click "Available"

In the Search bar, search Google SecOps, then click "Configure"

Copy the "SERVICE ACCOUNT EMAIL" field for use in the Google Console interface

Grant IAM Access to Dropzone AI

Navigate to the Google Console page of the project your SecOps instance is in
In the upper left hand corner, open the navigation menu

Navigate to IAM & Admin > IAM

Under "View by principals," click "Grant Access"

To be able to complete this step, you will need the resourcemanager.projects.setIamPolicy permission.

Under "New principals," input the email address you copied earlier from the Dropzone UI "SERVICE ACCOUNT EMAIL"

Click "Select a role"

Search the "Chronicle API Viewer" role, then click it

Click "Save"

Obtain Account Details

To obtain your Instance Name, do the following:

Return to the Google Console page of the project your SecOps instance is in
In the upper left hand corner, open the navigation menu

Navigate to Security > Detection and Controls > Google SecOps

In the Google SecOps page, click the carrot next to "Instance Details"

Copy the Customer ID shown for use later in the Dropzone UI where it is called "Instance Name"

To obtain your Project ID, do the following:

In the upper left, click on the project icon

Using the search bar, locate the project your SecOps instance is in
Under "ID," copy the ID value shown for use later in the Dropzone UI where it is called "Project ID"

SOAR Details

If you want Dropzone to be able to investigate cases, you will need to generate a SOAR API Key and locate your SOAR Instance Hostname

To generate your SOAR API Key, do the following:

As an admin, log into your Google SecOps instance
In the left sidebar, navigate to Settings > SOAR Settings

Navigate to Advanced > API Keys

In the upper right corner, click the + icon

Name the API Key something memorable, such as Dropzone AI
Next to "Permission Group," assign the API Key the Managed User permission

In the SOC Role section, select your desired SOC role
Copy the API Key, then click "Save"

Click "Yes"

To obtain your SOAR Instance Hostname, do the following:

In the left sidebar, navigate to Ingestion > Webhook

Click the + icon

Name the Webhook something memorable, such as Dropzone AI
Click "Save"

Next to "Webhook URL," copy the SOAR Instance Hostname, eg https://my-hostname/v1alpha/projects

Enable Google SecOps

To enable the Data Source integration, you will need the following information:

Dropzone Field

Source

Instance Name

The "Customer ID" value you copied earlier

Project ID

The "Project ID" value you copied earlier

To enable the Data Source integration, do the following:

Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.app
In the bottom left hand corner, navigate to Settings > Integrations

Click "Available"

In the Search bar, search Google SecOps, then click "Configure"

Under the Data Source heading, input the Instance Name and Project ID

Click "Test & Save" to finish

If you have any errors engage your Dropzone AI support representative.

PreviousGoogle GCP NextGoogle Workspace

Last updated 4 days ago

Was this helpful?