WebsiteTest Drive

Google SecOps

Google SecOps is an SIEM integration. SIEM integrations are used to perform analysis of any SIEM generated alerts, and/or to use generated data as part of investigation analysis. They are optional, but enabling more integrations enhances Dropzone analysis.

Dropzone integrates with Google SecOps to investigate different security alerts across many of Google's security products.

Integration Overview

To enable these integrations you will perform the following actions:

  • Identify your service account address

  • Grant IAM access to the Dropzone service account

  • Obtain your Google Account Details

  • Enable the Alert and Data sources

Identify your service account email address

To obtain the email address of your Dropzone service account, do the following:

  • Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.app

  • In the bottom left hand corner, navigate to Settings > Integrations

Integrations Dropdown

  • Click "Available"

Click Available

  • In the Search bar, search Google SecOps, then click "Configure"

The Google SecOps Tile

  • Copy the "SERVICE ACCOUNT EMAIL" field for use in the Google Console interface

Copy the service account email

Grant IAM Access to Dropzone AI

  • Navigate to the Google Console page of the project your SecOps instance is in

  • In the upper left hand corner, open the navigation menu

Open the navigation menu

  • Navigate to IAM & Admin > IAM

Navigate to IAM

  • Under "View by principals," click "Grant Access"

To be able to complete this step, you will need the resourcemanager.projects.setIamPolicy permission.

Click "Grant Access"

  • Under "New principals," input the email address you copied earlier from the Dropzone UI "SERVICE ACCOUNT EMAIL"

Input the email address from the Dropzone UI Service Account Email

  • Click "Select a role"

Click "Select a role"

  • Search the "Chronicle API Viewer" role, then click it

Assign the Chronicle API Viewer role

  • Click "Save"

Click "Save"

Obtain Account Details

To obtain your Instance Name, do the following:

  • Return to the Google Console page of the project your SecOps instance is in

  • In the upper left hand corner, open the navigation menu

Open the navigation menu

  • Navigate to Security > Detection and Controls > Google SecOps

Navigate to Google SecOps

  • In the Google SecOps page, click the carrot next to "Instance Details"

Reveal the Instance Details

  • Copy the Customer ID shown for use later in the Dropzone UI where it is called "Instance Name"

Copy the Instance Name

To obtain your Project ID, do the following:

  • In the upper left, click on the project icon

Click the project icon

  • Using the search bar, locate the project your SecOps instance is in

  • Under "ID," copy the ID value shown for use later in the Dropzone UI where it is called "Project ID"

Copy the Project ID

SOAR Details

If you wish for Dropzone to be able to investigate cases, you will need to generate a SOAR API Key and locate your SOAR Instance Hostname

To generate your SOAR API Key, do the following:

  • As an admin, log into your Google SecOps instance

  • In the left sidebar, navigate to Settings > SOAR Settings

Navigate to SOAR Settings

  • Navigate to Advanced > API Keys

Navigate to API Keys

  • In the upper right corner, click the + icon

Add API Key

  • Name the API Key something memorable, such as Dropzone AI

  • Next to "Permission Group," assign the API Key the Managed User permission

Select Managed User

  • In the SOC Role section, select your desired SOC role

  • Copy the API Key, then click "Save"

Copy the API Key

  • Click "Yes"

Copy the API Key

To obtain your SOAR Instance Hostname, do the following:

  • In the left sidebar, navigate to Ingestion > Webhook

Navigate to Webhook

  • Click the + icon

Add new Webhook

  • Name the Webhook something memorable, such as Dropzone AI

  • Click "Save"

Click Save

  • Next to "Webhook URL," copy the SOAR Instance Hostname, eg https://my-hostname/v1alpha/projects

Copy the SOAR Instance Hostname

Enable The Dropzone Data Source Integration

To enable the Data Source integration, you will need the following information:

Dropzone Field
Source

Instance Name

The "Customer ID" value you copied earlier

Project ID

The "Project ID" value you copied earlier

To enable the Data Source integration, do the following:

  • Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.app

  • In the bottom left hand corner, navigate to Settings > Integrations

Integrations Dropdown

  • Click "Available"

Click Available

  • In the Search bar, search Google SecOps, then click "Configure"

The Google SecOps Tile

  • Under the Data Source heading, input the Instance Name and Project ID

The Google SecOps Data Source Configuration

  • Click "Test & Save" to finish

If you have any errors engage your Dropzone AI support representative.

Enable The Dropzone Alert Source Integration

To enable the Alert Source integration, you will need the following information:

Dropzone Field
Source

Instance Name

The "Customer ID" value you copied earlier

Project ID

The "Project ID" value you copied earlier

SOAR API Key

The "SOAR API Key" value you copied earlier

SOAR Instance Hostname

The "SOAR Instance Hostname" value you copied earlier

The SOAR API Key and SOAR Instance Hostname are only necessary if you wish to enable Dropzone to investigate cases.

To enable the Alert Source integration, do the following:

  • Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.app

  • In the bottom left hand corner, navigate to Settings > Integrations

Integrations Dropdown

  • Click "Available"

Click Available

  • In the Search bar, search Google SecOps, then click "Configure"

The Google SecOps Tile

  • Under the Alert Source heading, input the Instance Name and Project ID

The Google SecOps Alert Source Configuration (pt 1)

  • To enable Dropzone to investigate alerts, check the box labeled "Enable alerts." If you wish to enable Dropzone to filter by priority, check the box labeled "Enable priority filtering," then check the priority levels you wish for Dropzone to ingest

The Google SecOps Alert Source Configuration (pt 2)

  • To enable Dropzone to investigate cases, check the box labeled "Enable cases"

  • Input your SOAR API Key and SOAR Instance Hostname

The Google SecOps Alert Source Configuration (pt 3)

  • If you wish to only include certain stages in Dropzone investigation, check the box labeled "Enabled stage filtering," then check the stages you wish for Dropzone to ingest

The Google SecOps Alert Source Configuration (pt 5)

  • If you wish to enable priority filtering, check the box labeled "Enable priority filtering," then check the priority levels you wish for Dropzone to ingest

The Google SecOps Alert Source Configuration (pt 6)

  • Input your desired Poll interval and lookback

  • Click "Test & Save" to finish

Click "Test & Save" to finish

If you have any errors, engage your Dropzone AI support representative.

PreviousGoogle GCPNextGoogle Workspace

Last updated

Was this helpful?