Google Security Operations (Google SecOps)

Google Security Operations (Google SecOps) is a unified, cloud-native platform that combines Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) capabilities. It empowers security teams to detect, investigate, and respond to cyber threats with speed, scalability, and intelligence powered by Google’s infrastructure.

Arcanna - Google SecOps integration

The Arcanna integration is available in the Google SecOps Marketplace and can be easily installed and configured directly from Google SecOps. This enables the users to request a decision from Arcanna at any point in a given playbook as well as to automatically close the feedback-loop by providing feedback to Arcanna when a case is closed.

Steps to configure Arcanna integration:

Prerequisites

A valid Arcanna.ai instance - for setup, follow this user guide.
Google Security Operations with Log/Alert Source (i.e, Cloud Services, Detection System, SIEM, etc..)

How to connect

Go to Arcanna instance:

Generate an Arcanna API Key
Connect to Google SecOps:
- Go to the Integrations tab
- Search for Google SecOps integration and click on it:
- Fill in all the fields as shown below using your own API Key and Title, and then click Confirm:
Create an Arcanna job using Google SecOps integration:
- Go to AI Jobs tab and click Create job
- Complete the Title and select the Google SecOps integration just created as the input, as shown below:
- Click Save and run to save and start the job.

Go to Google SecOps dashboard:

Access the Google SecOps Dashboard:
- Log in to your Google Cloud Console.
- Navigate to the Google Security Operations dashboard.
Open the Google SecOps Marketplace:
- From the Google SecOps dashboard, locate and click on the Marketplace tab:
- Search for Arcanna and click 'Install' on the integration:
- Configure Arcanna integration with your Arcanna instance URL (IP:PORT or DNS) and the API Key configured above:
To test the integration, proceed to hit the test button. If everything went well, you will receive a checkmark next to the "Test" button.

This will be the default Arcanna instance, multiple instances can be added if needed.
(Optional) Configure additional Arcanna instance(s):
- Open Response --> Integrations Setup tab:
- Select either Default Environment or Shared Instances:
- Click '+' button ('Create a new instance') from the upper-right menu:
- Click 'Save' button:
- Configure new instance parameters, test the integration and click 'Save':

Arcanna - Google SecOps integration Actions

Now that everything is set up, you will be able to use different interactions with the Arcanna API within any given playbook as well as test each component independently via the IDE.

Explore Arcanna integration actions

Go to Response --> IDE (or to Playbooks -> Actions) and select ArcannaAI to discover available integration actions. We selected the IDE view since is easier to test individual actions.

The currently available interactions with Arcanna (API calls)

To test an action, select it from the list, navigate to the Testing tab, fill in the required parameters, and click the Run button (right arrow). For each test, use the Arcanna instance defined earlier by selecting its name in the Integration Instance field. Any additional parameters required by Arcanna will be specified at each step.

Ping - Used to check the connection with Arcanna

Just select Arcanna instance and click Run:

Returns 'status': 'true' if executed successfully.

Get AI job by name - Used to get a specific job information (job have to use the API Key defined above)

We will use the job defined above. Complete its exact name in Job name field and click Run. Keep in mind the job_id from the returned result, as it will be used in the next steps:

Get jobs - Returns a list of jobs which use the defined API Key

Click Run and see the result now is a list instead (with one job information):

Get Decisions by Job Name - Returns a list of specified job possible Arcanna decisions

Complete its exact name in Job name field and click Run.
See the result is a list with three possible decisions (Escalate, Drop, Investigate):

Get Decisions by Job ID - The same as above but using job id instead of job name

Complete the Job ID field with job id from Step 2 and click Run.
See the result is a list with three possible decisions (Escalate, Drop, Investigate):

Send JSON Document to Arcanna - Use to send a specified JSON document to a specified job

Complete the Job ID field, and JSON Document field and click Run.
(Optional) Complete Identifier field with a specific id field in the document and set Use document ID as ID to true to use this field value as the document ID in Arcanna.
If everything went fine you should get a response specifying the event_id and other information:
You can see now that the Arcanna - Google SecOps Demo Job have ingested one document, the one sent earlier:
Now we can navigate to the job's Event Explorer page and review our document. The fields "my_test_id" and "alert" as defined in the request, are visible. The remaining fields are Arcanna generated fields:

Export full event - Used to export a specific event from Arcanna

Complete the Job ID and Event ID field and click Run.
It can be observed in the output message that we used the same document as above for easier understanding:

Send Active Alert from Case to Arcanna

Complete the Job ID, set to true Use Alert ID as ID in Arcanna (for better alert traceability in Arcanna) and click Run.
It can be observed in the output message that the Google SecOps internal id was used as event_id in Arcanna:

Send Event to Arcanna

Complete the Job ID, Username and click Run.
(Optional) Complete Event ID mapping field with a field to be used as ID field in Arcanna.
(Optional) Set to true Send individual alerts from case.
It can be observed in the output message that the Google SecOps internal id was used as event_id in Arcanna:

Send Analyst Feedback to Arcanna - Used to incorporate analyst knowledge into Arcanna

Before this step: Go to Arcanna and select Decision Points (for testing purposes, we selected the 'alert' field defined in Step 6)
Complete the Job Id, Event Id (for simplicity we can use the one defined at Step 6), Username and Analyst Feedback and click Run.
Analyst Feedback can be one of the decision from Step 4 or 5
We should see 'status': 'updated' in the response, indicating that the feedback was successfully applied:

Send Analyst Multiple Feedback to Arcanna - Used to incorporate analyst knowledge into Arcanna

Before this step: Go to Arcanna and select Decision Points (for testing purposes, we selected the 'alert' field defined in Step 6)
Complete Username and Analyst Feedback and Events information JSON and click Run
Analyst Feedback can be one of the decision from Step 4 or 5
Events information JSON is now a list of pairs in the format [{"event_id": "eID", "job_id": "jID"}]:

Repeat **Step 6 and 10 (or 11) ** (adding document and applying feedback to it) to generate enough labeled data to trigger a retrain session in Step 12.

Trigger AI Model training

Complete the Job id and click Run.
If everything goes well, the output message should include 'status': 'ok'.
Repeat Step 6 and save the event id to use in the Step 13.

Get Arcanna Decision - Used to obtain Arcanna's prediction for a given alert

Complete the Job Id, Event Id (event id of the alert that was just added) and click Run.
The response indicates that the prediction for the above unseen alert is 'Escalate':

Map value to job name - Returns searched value from a dictionary

This is useful in playbooks, such as selecting a specific job for a specific dataset.
In this example, we extract the value from the field 'my_test_field' in the provided JSON:
Similarly, we can use dynamic reference in field to search for to map values dynamically:
Here is an example of mapping a specific dataset to an Arcanna job in a Google SecOps Playbook.

Update alert priority - Change the alert priority based on the input

Change the alert priority based on Priority input (Informative - Low - Medium - High - Critical):

Similar, we can use dynamic reference in Priority to dynamically update priority (e.g., based on Arcanna prediction):

Here is an example that uses the Arcanna result label (prediction) to update the alert priority. (Arcanna labels can be customized to match the exact priority names in Google SecOps, or a mapping can be applied)

Arcanna - Google SecOps integration​

Steps to configure Arcanna integration:​

Prerequisites​

How to connect​

Arcanna - Google SecOps integration Actions​

Explore Arcanna integration actions​

The currently available interactions with Arcanna (API calls)​

Ping - Used to check the connection with Arcanna​

Get AI job by name - Used to get a specific job information (job have to use the API Key defined above)​

Get jobs - Returns a list of jobs which use the defined API Key​

Get Decisions by Job Name - Returns a list of specified job possible Arcanna decisions​

Get Decisions by Job ID - The same as above but using job id instead of job name​

Send JSON Document to Arcanna - Use to send a specified JSON document to a specified job​

Export full event - Used to export a specific event from Arcanna​

Send Active Alert from Case to Arcanna​

Send Event to Arcanna​

Send Analyst Feedback to Arcanna - Used to incorporate analyst knowledge into Arcanna​

Send Analyst Multiple Feedback to Arcanna - Used to incorporate analyst knowledge into Arcanna​

Trigger AI Model training​

Get Arcanna Decision - Used to obtain Arcanna's prediction for a given alert​

Map value to job name - Returns searched value from a dictionary​

Update alert priority - Change the alert priority based on the input​