Google Chronicle | Enrich Entities#
There are two ways of enriching cases in Google Chronicle:
Automatic enrichment#
In Google Chronicle, you configure automation through playbooks. Playbooks are sequences of checks and actions consisting of:
A trigger defining when a playbook will run.
A number of actions carried out during the playbook run.
An if-then-else flow that checks conditions and defines the outcomes of the flow,
possibly carrying out final actions.
Create a playbook#
To create a playbook for automatic enrichment:
In Chronicle SOAR, in the left navigation bar, go to Response > Playbooks.
In the top-left corner, select +.
In the modal that opens:
Make sure Playbook is selected for Type.
Select a folder from the Choose Folder dropdown (or leave it on Default).
Make sure the Choose environment checkbox is selected.
Select an environment for the second dropdown (or leave it on Default Environment).
Select Create.
Select New playbook next to the green toggle in the top-left corner to enter a new name for the playbook (clicking elsewhere on the screen to stop editing when done).
Select + Open Step Selection.
From the Triggers tab on the left-hand side, drag the Product name option over to the box labeled Drag a trigger over here in the center of the screen.
Select the yellow Product name block in the center of the screen.
Select the Choose parameter field and select the name you entered while setting up your Intelligence Center integration instance.
Select Save.
From the Actions tab on the left-hand side, expand the EclecticIQ section and drag the Enrich Entities option over to the box labeled Drag a step over here. in the center of the screen.
From the Flow tab on the left-hand side, drag the Condition option over to the box labeled Drag a step over here in the center of the screen.
Select the purple Condition_1 block in the center of the screen.
Under Parameters select the [] icon.
In the modal that opens, expand the Playbook section and select EclecticIQ_Enrich Entities1.JsonResult.
Select the blue [EclecticIQ_Enrich Entities1.JsonResult] text.
Under Add Functions, select count and then select Insert.
From the dropdown showing = to the right of the field you just configured, select > Greater Than.
In the rightmost field, enter “0”.
Select Save.
From the Actions tab on the left-hand side, expand the Siemplify section and drag the Case Tag option over to the top box labeled Drag a step over here (connected to the 1. Branch line) in the center of the screen.
Select the blue Siemplify_Case_Tag_# box you just dragged in.
In the Tag field enter “SuccessfulEIQEnrichment” or a different tag of your choosing.
Select Save.
(Optional) If you have set up or would like to set up playbooks to automatically send entities to Intelligence Center and add a tag to the case to signify this (see next step), you might want to add a step that removes that tag at this point in the playbook, so that if the re-export fails, the case will not have the tag signifying successful export anymore. To do this:
From the Actions tab on the left-hand side, expand the Siemplify section and drag the Remove Tag option over to the top box labeled Drag a step over here (connected to the 1. Branch line) in the center of the screen.
Select the blue Siemplify_Remove_Tag_# box you just dragged in.
In the Tag field enter “SuccessfullySentToEIQ” or the different tag you chose or would like to set.
Select Save.
(Optional) If you want to send succesfully enriched entities from Chronicle to your Intelligence Center:
From the Actions tab on the left-hand side, expand the EclecticIQ section and drag the Send Entities to EclecticIQ option over to the top box labeled Drag a step over here (connected to the 1. Branch line) in the center of the screen.
Select the step you just dragged in for advanced configuration.
From the Actions tab on the left-hand side, expand the Siemplify section and drag the Case Tag option over to the top box labeled Drag a step over here (connected to the 1. Branch line) in the center of the screen.
Select the right-most blue Siemplify_Case Tag_# box in the center of the screen.
In the Tag field enter “SuccessfullySentToEIQ” or a different tag of your choosing. option over to the top box labeled Drag a step over here.
From the Actions tab on the left-hand side, expand the Siemplify section and drag the Case Tag option over to the box labeled Drag a step over here (connected to the ELSE line) in the center of the screen.
Select the bottom blue Siemplify_Case Tag_# box in the center of the screen.
In the Tag field enter “FailedEIQEnrichment” or a different tag of your choosing.
Select Save.
This playbook will ensure that all cases ingested through the outgoing feed from the Intelligence Center get automatically enriched.
Chronicle playbook documentation
You can create other playbooks to respond to different triggers or have different outcomes.
For more in-depth configuration options, see Google Chronicle’s playbook documentation.
Manual enrichment#
To manually trigger enrichtment of Google Chronicle cases:
In Chronicle, for the left navigation bar, select Cases.
Open the case you’d like to enrich.
From the right-hand side, select the Manual action button (cogwheel with a playbutton icon).
Expand the EclecticIQ dropdown and select Enrich Entities.
From the Choose Instance dropdown, select your Intelligence Center instance.
Select Execute.
Do this for every case you’d like to enrich.
Sending entities to Intelligence Center
If you need to, you can send intelligence back to Intelligence Center.