Environment Setup in Chronicle SOAR

1. Alias

  • What is an Alias?
  • How do I leverage this alias while setting up new environments?
  • Can anyone provide an example?

Link: https://cloud.google.com/chronicle/docs/soar/admin-tasks/environments/add-a-new-environment

"Make sure to add in an alias if the third party integration has a different tenant name defined."

1 ACCEPTED SOLUTION

We have orgs/MSSPs that run some Connectors which ingest Alerts on behalf of different customers. Two examples:

- a mailbox that multiple customers forward emails to (e.g. phishing@mssp); this is the Exchange connector

- a connector to an old shared SIEM that is not multi-tenant (no customer access allowed), but an MSSP is routing inbound SIEM-SOAR alerts into the MultiTenancy

In these cases the Connector has an 'Environment field name', which allows the Connector to analyse a Key of the inbound alert, and the associated Value is compared to the Alias field you point to above.


It's a feature for specific use cases, and is not used by the majority of customers.

HTH

Andy

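To make the routing Andy describes concrete, here is an added illustrative model (not Chronicle SOAR code, and not taken from the original thread): a connector reads the key named by 'Environment field name' from each inbound alert and compares its value against every environment's name and aliases. The matching rule (trimmed, case-insensitive exact match), the fallback to a "Default Environment" for alerts with no match, and all environment and alert data are assumptions constructed for the example. The `find_alias_collisions` check is the one a practitioner running a shared mailbox or shared SIEM connector would want: an alias claimed by two environments means one customer's alert could be routed into another customer's environment.

```python
from collections import defaultdict
from dataclasses import dataclass

# Environment that receives alerts no alias matches (an assumption of this
# example; the original post does not say what the connector does then).
DEFAULT_ENVIRONMENT = "Default Environment"


@dataclass(frozen=True)
class Environment:
    """One SOAR environment plus the aliases third-party tools know it by."""
    name: str
    aliases: tuple = ()

    def labels(self):
        # Normalised labels this environment answers to: its name and its aliases.
        return {s.strip().casefold() for s in (self.name, *self.aliases)}


def resolve_environment(alert, environments, env_field_name, default=DEFAULT_ENVIRONMENT):
    """Route one inbound alert: read the configured key and compare its value
    against each environment's name and aliases. Returns the environment name."""
    value = alert.get(env_field_name)
    if not isinstance(value, str) or not value.strip():
        return default  # key absent or empty: nothing to compare against
    needle = value.strip().casefold()
    for env in environments:
        if needle in env.labels():
            return env.name
    return default  # value present but unknown to every environment


def find_alias_collisions(environments):
    """Return {label: [environment names]} for every name or alias claimed by
    more than one environment. Any entry here is a tenant-separation risk."""
    owners = defaultdict(set)
    for env in environments:
        for label in env.labels():
            owners[label].add(env.name)
    return {label: sorted(names) for label, names in owners.items() if len(names) > 1}


def route_all(alerts, environments, env_field_name):
    """Convenience wrapper: list of (alert id, resolved environment name)."""
    return [(a.get("id"), resolve_environment(a, environments, env_field_name)) for a in alerts]


# Constructed environments: the first reuses the alias from K's reply, the rest are made up.
ENVIRONMENTS = [
    Environment("LimitedCompany", ("LimitedCompany LTD",)),
    Environment("CustomerB-Network", ("Customer B Inc",)),
    Environment("AcmeCorp", ("ACME Corporation", "acme")),
]

# Constructed inbound alerts; "tenant" plays the role of the key named in
# the connector's 'Environment field name' setting.
SAMPLE_ALERTS = [
    {"id": "a1", "subject": "Suspicious login", "tenant": "LimitedCompany LTD"},
    {"id": "a2", "subject": "Malware detected", "tenant": "acme"},
    {"id": "a3", "subject": "Phishing report", "tenant": "Unknown Tenant"},
    {"id": "a4", "subject": "Alert with no tenant key"},
]

if __name__ == "__main__":
    for alert_id, env_name in route_all(SAMPLE_ALERTS, ENVIRONMENTS, "tenant"):
        print(f"{alert_id} -> {env_name}")
    print("alias collisions:", find_alias_collisions(ENVIRONMENTS))
```

Running the block routes a1 to LimitedCompany, a2 to AcmeCorp, and sends a3 (unknown tenant) and a4 (key missing) to the default environment, where they can be triaged rather than silently dropped or mis-assigned; the collision check on this set returns an empty dict.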

2 REPLIES

Hey,

An example of an Alias we use, say for example you have an EDR product which references Company name "LimitedCompany LTD", but you want to name your Environment "LimitedCompany", setting the Alias as "LimitedCompany LTD" allows you to refer to this in playbooks with the [Environment.Alias] placeholder for the specific EDR product steps.

This is also handy if you want to have environments as separate networks (therefore have different resolver groups), but they all come under the company name in things like ITSM toolsets. You can have each environment named as the network, but have the Alias as the Company name.

Think of it as a secondary label for your environment, which you can also use within playbooks, but not necessarily have it as the name of the environment.

Cheers

K
