
Google Security Operations (Google SecOps)

Google Security Operations (Google SecOps) is a unified, cloud-native platform that combines Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) capabilities. It empowers security teams to detect, investigate, and respond to cyber threats with speed, scalability, and intelligence powered by Google’s infrastructure.


Arcanna - Google SecOps integration

Arcanna.ai is a decision intelligence platform that uses NLP, deep learning and user feedback. It can be integrated with the Google SecOps SOAR platform to assist decision making, learn from daily incident resolutions and incorporate that knowledge to scale a team's capacity, moving towards a truly autonomous SOC.

The Arcanna.ai integration is available in the Google SecOps Marketplace and can be installed and configured directly from Google SecOps. It lets users request a decision from Arcanna.ai at any point in a playbook and automatically close the feedback loop by sending feedback to Arcanna.ai when a case is closed.

Steps to configure the Arcanna integration:

Prerequisites

  • Arcanna.ai - Arcanna.ai can be deployed in the cloud (AWS) or on-premise; for setup, follow the user guide. Arcanna.ai exports the AI-processed alerts to an Elasticsearch/OpenSearch data store, which must be installed together with Arcanna.ai. You can reuse an Elasticsearch/OpenSearch instance you already have, or dedicate a new one to the Arcanna.ai backend.

  • Google Security Operations with a log/alert source (e.g. cloud services, detection systems, a SIEM, etc.)

How to connect

Go to the Arcanna.ai instance:

  1. Generate an Arcanna.ai API key:

    • Select the API key tab in Arcanna.
    • Click 'Create API key'.
    • Fill in the API key name field and click 'Generate'.
    • Click 'Copy API key' and store the key securely for later use; it is the credential Google SecOps will use to call Arcanna.
  2. Create the Google SecOps integration:

    • Go to the Integrations tab.
    • Search for the Google SecOps integration and click on it.
    • Fill in all the fields, using your own API key and title, then press Confirm.
  3. Create an Arcanna.ai job using the Google SecOps integration:

    • Go to the AI Jobs tab and click Create job.
    • Fill in the Title and select the Google SecOps integration just created as the input.
    • Click Save and run to save and start the job.

Go to the Google SecOps dashboard:

  1. Access the Google SecOps dashboard.

  2. Open the Google SecOps Marketplace:

    • From the Google SecOps dashboard, locate and click the Marketplace tab.
    • Search for Arcanna and click 'Install' on the integration.
    • Configure the Arcanna integration with your Arcanna instance URL (IP:PORT or DNS name) and the API key generated above.

    To test the integration, click the Test button. If everything went well, a checkmark appears next to it.

    This becomes the default Arcanna instance; multiple instances can be added if needed.

  3. (Optional) Configure additional Arcanna instance(s):

    • Open the Response --> Integrations Setup tab.
    • Select either Default Environment or Shared Instances.
    • Click the '+' button ('Create a new instance') in the upper right.
    • Click the 'Save' button.
    • Configure the new instance parameters, test the integration and click 'Save'.

Discover Arcanna.ai - Google SecOps integration Actions

Now that everything is set up, you can use the different Arcanna.ai API interactions within any playbook, and test each action independently via the IDE.

Explore Arcanna integration actions

Go to Response --> IDE (or Playbooks -> Actions) and select ArcannaAI to see the available integration actions. The IDE view is used here because it is easier to test individual actions.

The currently available interactions with the Arcanna.ai API are listed below.

To test an action, select it from the list, go to the Testing tab, fill in the required parameters and click the 'Run' button (right arrow). Every test below uses the Arcanna instance defined above; select its name in the Integration Instance field. Any extra parameter required by Arcanna is specified at each step.

  1. Ping - Checks the connection with Arcanna.ai:

    • Select the Arcanna instance and click 'Run'.
    • Returns 'status': 'true' if executed successfully.
  2. Get AI job by name - Returns the information of a specific job (the job must use the API key defined above):

    • Enter the exact name of the job created above in the Job name field and click Run. Note the job_id in the returned result; it is used in the next steps.
  3. Get jobs - Returns a list of the jobs that use the configured API key:

    • Click 'Run'; the result is now a list (here containing the single job).
  4. Get Decisions by Job Name - Returns the list of possible Arcanna decisions for the specified job:

    • Enter the exact job name in the Job name field and click Run.
    • The result is a list with three possible decisions (Escalate, Drop, Investigate).
  5. Get Decisions by Job ID - The same as above, but using the job ID instead of the job name:

    • Enter the job ID from Step 2 in the Job ID field and click Run.
    • The result is the same list of three decisions (Escalate, Drop, Investigate).
  6. Send JSON Document to Arcanna - Sends a specified JSON document to a specified job:

    • Fill in the Job ID and JSON Document fields and click Run.
    • (Optional) Set the Identifier field to a field of the document and set Use document ID as ID to true to use that field's value as the document ID in Arcanna.
    • If everything went fine you get a response containing the event_id and other information.
    • The Arcanna - Google SecOps Demo Job has now ingested one document, the one sent above.
    • In the job's Event Explorer page you can check the document: the fields "my_test_id" and "alert" are the ones defined in the request; the other fields are added by Arcanna.
  7. Export full event - Exports a specific event from Arcanna:

    • Fill in the Job ID and Event ID fields and click Run.
    • The output shows the same document sent above, for easier comparison.
  8. Send Active Alert from Case to Arcanna:

    • Fill in the Job ID, set Use Alert ID as ID in Arcanna to true (for better alert traceability in Arcanna) and click Run.
    • The output shows that the Google SecOps internal alert ID was used as event_id in Arcanna.
  9. Send Event to Arcanna:

    • Fill in the Job ID and Username and click Run.
    • (Optional) Fill in the Event ID mapping field with a field to be used as the ID field in Arcanna.
    • (Optional) Set Send individual alerts from case to true.
    • The output shows that the Google SecOps internal ID was used as event_id in Arcanna.
  10. Send Analyst Feedback to Arcanna - Incorporates analyst knowledge into Arcanna:

    • Before this step: go to Arcanna and select the Decision Points (for testing purposes, the 'alert' field defined in Step 6 can be selected).
    • Fill in the Job Id, Event Id (for simplicity, the one returned in Step 6), Username and Analyst Feedback and click Run.
    • Analyst Feedback must be one of the decisions returned in Step 4 or 5.
    • The response should contain 'status': 'updated', indicating that the feedback was applied.
  11. Send Analyst Multiple Feedback to Arcanna - Incorporates analyst feedback for several events in one call:

    • Before this step: go to Arcanna and select the Decision Points (for testing purposes, the 'alert' field defined in Step 6 can be selected).
    • Fill in the Username, Analyst Feedback and Events information JSON fields and click Run.
    • Analyst Feedback must be one of the decisions returned in Step 4 or 5.
    • Events information JSON is a list of pairs in the format [{"event_id": "eID", "job_id": "jID"}].
  • Repeat Steps 6 and 10 (or 11), adding documents and applying feedback to them, to generate enough labeled data to trigger a retrain session in Step 12.
  12. Trigger AI Model training:

    • Fill in the Job id and click Run.
    • If everything goes well, the output message includes 'status': 'ok'.
  • Repeat Step 6 and save the returned event ID for use in Step 13.
  13. Get Arcanna Decision - Returns Arcanna's prediction for a given alert:

    • Fill in the Job Id and Event Id (the event ID of the alert just added) and click Run.
    • The response indicates that the prediction for this previously unseen alert is 'Escalate'.
  14. Map value to job name - Returns the value matching a key in a dictionary:

    • Useful in playbooks (e.g. to select a specific job for a specific dataset).
    • In this initial dummy example, the value is extracted from the field 'my_test_field' in the provided JSON.
    • Similarly, a dynamic reference can be used in the field to search for, to map values dynamically.
    • This can be used to map a specific dataset to an Arcanna job in a Google SecOps playbook.
  15. Update alert priority - Changes the alert priority based on the input:

    • Changes the alert priority to the value of the Priority input (Informative - Low - Medium - High - Critical).
    • Similarly, a dynamic reference can be used in Priority to update the priority dynamically (e.g. based on the Arcanna prediction).
    • For example, the Arcanna result label (prediction) can be used to update the alert priority. (Arcanna labels can be modified to match the exact priority names in Google SecOps, or a mapping can be applied.)
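As an added example that is not part of the Arcanna or Google SecOps integration code, the Python below shows the playbook-side logic behind Steps 11, 14 and 15: choosing the Arcanna job for an alert from a dataset-to-job dictionary, turning an Arcanna decision into one of the five Google SecOps priority names, and building the Events information JSON for the multiple-feedback action. It calls neither API; it only validates and prepares the inputs those actions take, so a playbook never sends an unknown decision, routes an alert to an unmapped job, or sets a priority name Google SecOps does not accept. The dataset names, job names, IDs and the decision-to-priority mapping are assumptions; the decision list and priority names are the ones quoted above.

```python
"""Playbook glue for the Arcanna - Google SecOps actions described above.

Added example, not Arcanna's or Google's code. It does not call either API;
it prepares and validates the inputs the actions expect. All names below
(datasets, job names, event/job IDs) are constructed sample values.
"""
import json

# Priority names accepted by the "Update alert priority" action (Step 15).
SECOPS_PRIORITIES = ("Informative", "Low", "Medium", "High", "Critical")

# Decisions returned by "Get Decisions by Job Name/ID" (Steps 4 and 5).
# In a real playbook this list should come from that action, not be hard-coded.
JOB_DECISIONS = ("Escalate", "Drop", "Investigate")

# Assumed dataset -> job-name dictionary for "Map value to job name" (Step 14).
DATASET_TO_JOB = {
    "edr_alerts": "Arcanna - EDR Job",
    "email_alerts": "Arcanna - Phishing Job",
}

# Assumed decision -> priority mapping for "Update alert priority" (Step 15).
DECISION_TO_PRIORITY = {
    "Escalate": "High",
    "Investigate": "Medium",
    "Drop": "Informative",
}


def select_job(alert: dict, field: str = "dataset") -> str:
    """Map the value of `field` in the alert to an Arcanna job name.

    Raises instead of falling back to a default job: routing an alert to the
    wrong job would pollute that job's training data.
    """
    value = alert.get(field)
    if value not in DATASET_TO_JOB:
        raise KeyError(f"no Arcanna job mapped for {field}={value!r}")
    return DATASET_TO_JOB[value]


def decision_to_priority(decision: str, fallback: str = "Medium") -> str:
    """Translate an Arcanna prediction into a Google SecOps priority name.

    Unknown labels (e.g. after a job's decision points change) fall back to
    `fallback` rather than leaving the alert unprioritised.
    """
    if fallback not in SECOPS_PRIORITIES:
        raise ValueError(f"invalid fallback priority {fallback!r}")
    priority = DECISION_TO_PRIORITY.get(decision, fallback)
    if priority not in SECOPS_PRIORITIES:
        raise ValueError(f"mapped priority {priority!r} is not a SecOps priority")
    return priority


def build_multi_feedback(feedback: str, events: list, decisions=JOB_DECISIONS) -> str:
    """Build the Events information JSON for "Send Analyst Multiple Feedback" (Step 11).

    `events` is a list of (event_id, job_id) pairs. The feedback label is
    checked against the job's decisions (Steps 4/5) and duplicate pairs are
    dropped so one closed case does not label the same event twice.
    """
    if feedback not in decisions:
        raise ValueError(f"{feedback!r} is not one of {list(decisions)}")
    seen, payload = set(), []
    for event_id, job_id in events:
        if not event_id or not job_id:
            raise ValueError("event_id and job_id must both be non-empty")
        if (event_id, job_id) in seen:
            continue
        seen.add((event_id, job_id))
        payload.append({"event_id": str(event_id), "job_id": str(job_id)})
    return json.dumps(payload)


if __name__ == "__main__":
    # Constructed sample alert and event/job IDs.
    alert = {"dataset": "edr_alerts", "alert": "suspicious powershell"}
    print(select_job(alert))                 # Arcanna - EDR Job
    print(decision_to_priority("Escalate"))  # High
    print(build_multi_feedback("Escalate", [("ev-1", "1234"), ("ev-2", "1234"), ("ev-1", "1234")]))
```

In a playbook, `select_job` would feed the Job name input of Get AI job by name, `decision_to_priority` the Priority input of Update alert priority, and `build_multi_feedback` the Events information JSON of Send Analyst Multiple Feedback when a case is closed.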