Google Chronicle | Send Entities to Intelligence Center

There are two ways of sending entities from Google Chronicle to Intelligence Center:

  • Automatically, as a step in a Chronicle playbook.

  • Manually, from an individual Chronicle case.

See the type mapping at the end of this page to learn which Chronicle entity types are mapped to which Intelligence Center observable types.

Automatically send entities

In Google Chronicle, you configure automation through playbooks. Playbooks are sequences of checks and actions consisting of:

  • A trigger defining when a playbook will run.

  • A number of actions carried out during the playbook run.

  • An if-then-else flow that checks conditions and defines the outcomes of the flow,
    possibly carrying out final actions.

The steps below describe how to add the step that sends entities to Intelligence Center on its own, without further context. If you would like to integrate this step into a single playbook that both enriches entities in Chronicle and sends them to Intelligence Center, see the steps for creating an automatic enrichment playbook.

  1. In Chronicle, in the left navigation bar, go to Response > Playbooks.

  2. Open an existing playbook.

  3. From the Actions tab on the left-hand side, expand the EclecticIQ section and drag the Send Entities to EclecticIQ option over to a Drag a step over here.

  4. Select the step you just dragged in for advanced configuration.

  5. (Optional) Add a tag signifying a successful export.

    1. From the Actions tab on the left-hand side, expand the Siemplify section and drag the Case Tag option over to the top box labeled Drag a step over here (connected to the 1. Branch line) in the center of the screen.

    2. Select the right-most blue Siemplify_Case Tag_# box in the center of the screen.

    3. In the Tag field enter “SuccessfullySentToEIQ” or a different tag of your choosing.

Manually send entities

To manually send entities from Google Chronicle cases to Intelligence Center:

  1. In Chronicle, in the left navigation bar, go to Cases.

  2. Open the case you’d like to send to Intelligence Center.

  3. From the right-hand side, select the Manual action button (cogwheel with a play button icon).

  4. Expand the EclecticIQ dropdown and select Send to EclecticIQ.

  5. From the Choose Instance dropdown, select your Intelligence Center instance.

  6. (Optional) If there are multiple Alerts in the case, from the Run on Alerts dropdown, select the alerts you’d like to send to Intelligence Center.

  7. For Group Name enter the name of the group you’d like to have as the Source of the entities in Intelligence Center. This can only be a group that the user who created the API token used when configuring the Chronicle integration is in.

  8. Select Execute.

Do this for every case you’d like to send to Intelligence Center.

Mapping of case and entity types

When you send entities to Intelligence Center, a Sighting or Indicator observable will be created for the Case.

In Intelligence Center, observables are created for the entities in the Chronicle Case. The following mapping shows which Chronicle entity types are mapped to which Intelligence Center observable types:

  Chronicle          Intelligence Center
  -----------------  -------------------
  HOSTNAME           host
  ADDRESS            ipv4
  PROCESS            process
  PARENTPROCESS      process
  CHILDPROCESS       process
  FILENAME           file
  FILEHASH           hash-sha256
  PARENTHASH         hash-sha256
  CHILDHASH          hash-sha256
  URL                uri
  EMAILMESSAGE       email
  CVEID              cve
  CREDITCARD         card
  PHONENUMBER        telephone
  CVE                cve
  THREATACTOR        actor-id
  SOURCEDOMAIN       domain
  DESTINATIONDOMAIN  domain
  DOMAIN             domain
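As an added example (not code from the EclecticIQ or Google Chronicle integration), the following is a pre-flight check a playbook author might run over a case's entities before the Send Entities step. It applies the mapping table above, drops entity types that have no Intelligence Center counterpart, flags hash values that are not 64 hexadecimal characters (every hash type in the table is sent as hash-sha256) and ADDRESS values that are not IPv4 (ADDRESS is sent as ipv4), and collapses the three process types onto a single process observable per value. The case structure, the field names `type` and `identifier`, and all sample values are constructed assumptions, not the integration's own data format.

```python
"""Pre-flight check for Chronicle case entities bound for Intelligence Center.

Added example: the entity-type mapping is taken from the table above; the
case record layout and sample values are constructed for this illustration.
"""
import ipaddress
import re

# Chronicle entity type -> Intelligence Center observable type (mapping table above).
CHRONICLE_TO_IC = {
    "HOSTNAME": "host",
    "ADDRESS": "ipv4",
    "PROCESS": "process",
    "PARENTPROCESS": "process",
    "CHILDPROCESS": "process",
    "FILENAME": "file",
    "FILEHASH": "hash-sha256",
    "PARENTHASH": "hash-sha256",
    "CHILDHASH": "hash-sha256",
    "URL": "uri",
    "EMAILMESSAGE": "email",
    "CVEID": "cve",
    "CREDITCARD": "card",
    "PHONENUMBER": "telephone",
    "CVE": "cve",
    "THREATACTOR": "actor-id",
    "SOURCEDOMAIN": "domain",
    "DESTINATIONDOMAIN": "domain",
    "DOMAIN": "domain",
}

# A SHA-256 digest is exactly 64 hexadecimal characters.
SHA256_RE = re.compile(r"[0-9a-fA-F]{64}")


def map_entity(entity_type, value):
    """Return the (observable_type, value) pair Intelligence Center would receive.

    Raises ValueError when the entity would be unmapped or mislabelled.
    """
    ic_type = CHRONICLE_TO_IC.get(entity_type.upper())
    if ic_type is None:
        raise ValueError(f"no Intelligence Center mapping for {entity_type}")
    if ic_type == "hash-sha256" and not SHA256_RE.fullmatch(value):
        # MD5/SHA-1 values would be sent labelled as SHA-256: refuse them.
        raise ValueError(f"{entity_type} value is not a SHA-256 digest")
    if ic_type == "ipv4":
        try:
            ipaddress.IPv4Address(value)
        except ValueError as exc:
            # IPv6 or malformed addresses would be sent labelled as ipv4.
            raise ValueError(f"{entity_type} value is not an IPv4 address") from exc
    return ic_type, value


def preflight(case_entities):
    """Split a case's entities into observables ready to send and skipped ones.

    Returns (ready, skipped): ready is a de-duplicated list of
    (observable_type, value) pairs in input order; skipped is a list of
    (chronicle_type, value, reason) triples.
    """
    ready, skipped, seen = [], [], set()
    for entity in case_entities:
        etype, value = entity["type"], entity["identifier"]
        try:
            observable = map_entity(etype, value)
        except ValueError as exc:
            skipped.append((etype, value, str(exc)))
            continue
        if observable in seen:  # e.g. PROCESS and CHILDPROCESS with the same name
            continue
        seen.add(observable)
        ready.append(observable)
    return ready, skipped


# Constructed sample case (not real Chronicle output): field names are assumed.
SAMPLE_CASE = [
    {"type": "HOSTNAME", "identifier": "ws-0042.corp.example"},
    {"type": "ADDRESS", "identifier": "10.20.30.40"},
    {"type": "ADDRESS", "identifier": "2001:db8::1"},  # IPv6: cannot be sent as ipv4
    {"type": "PROCESS", "identifier": "powershell.exe"},
    {"type": "CHILDPROCESS", "identifier": "powershell.exe"},  # duplicate process
    {"type": "FILEHASH",
     "identifier": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"type": "PARENTHASH", "identifier": "d41d8cd98f00b204e9800998ecf8427e"},  # MD5
    {"type": "USERUNIQNAME", "identifier": "jdoe"},  # no mapping in the table
]

if __name__ == "__main__":
    ready, skipped = preflight(SAMPLE_CASE)
    for ic_type, value in ready:
        print(f"send    {ic_type:12} {value}")
    for etype, value, reason in skipped:
        print(f"skip    {etype:12} {value}: {reason}")
```

Running the check on the constructed case yields four observables to send (host, ipv4, process, hash-sha256) and three skipped entities: the IPv6 address, the MD5 value that would otherwise be labelled hash-sha256, and the user entity that the table does not map. In a playbook the skipped list is what you would surface in a case comment or tag so that analysts know which context did not reach Intelligence Center.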