Add SIEM or SOAR users to Google SecOps

This document is for Google Security Operations admins who want to grant permission to specific users to use only the SIEM features in Google SecOps (such as investigating raw data) or only the SOAR features of Google SecOps (such as managing cases). Due to the nature of the Google SecOps platform, both sets of users need minimal permissions from both the SIEM and SOAR sides before they can log in to the platform.

Before you begin

These procedures assume that you have already onboarded to the Google SecOps platform, enabled the Chronicle API, and started working with IAM permissions. The steps may vary slightly depending on whether you configured Cloud Identity or a third-party identity provider as your identity provider.

Set up users with SIEM only permissions

  1. Define either a predefined role or a custom role with the relevant SIEM permissions:
  2. In both cases, on the IdP group mapping screen, map the user email or the group to the minimal control access parameters, as follows:
    • Permission groups:
      • Set License Type to Standard.
      • Set Landing Page to SIEM Search.
      • Under Read/Write Permissions, turn on the Homepage toggle.
    • SOC roles: Select SIEM only. You must first create this role by adding it as a new SOC role.
    • Environments: Select Default.

Set up users with SOAR-only permissions

  1. Define either a predefined role or a custom role. The custom role must contain the following minimum permissions:
    • chronicle.instances.get
    • chronicle.preferenceSets.get
  2. If you are using the Cloud Identity Provider, map a user email into the IdP group mapping page.
  3. If you are using a third-party identity provider, map groups into the IdP group mapping page. You can choose the control access parameters that meet your needs. For more information, see control access parameters.
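The procedure above names the two permissions a SOAR-only custom role must contain, but it does not say how to verify that a role you (or a colleague) created actually meets that minimum, or that it has not quietly accumulated permissions beyond it. The following Python script is an added example, not part of the Google SecOps documentation or product: it renders the minimum role definition in the YAML layout that `gcloud iam roles create --file` accepts, and audits a role description (the JSON that `gcloud iam roles describe ROLE_ID --project=PROJECT_ID --format=json` prints) against the minimum. The sample role descriptions, the project ID `example-project` and the role ID `secopsSoarOnly` are constructed for the example; `resourcemanager.projects.get` stands in for any permission a SOAR-only role should not need.

```python
"""Audit a Google SecOps SOAR-only custom role against the documented minimum.

Added example, not Google SecOps product code. Input to the audit functions is
the JSON layout printed by `gcloud iam roles describe ... --format=json`
(a dict with an "includedPermissions" list); the samples below are constructed.
"""
import json

# Minimum permissions a SOAR-only user needs, as listed in the procedure above.
SOAR_MINIMUM = frozenset({
    "chronicle.instances.get",
    "chronicle.preferenceSets.get",
})


def render_role_file(title, permissions, description="", stage="GA"):
    """Render a role definition in the YAML layout accepted by
    `gcloud iam roles create ROLE_ID --project=PROJECT_ID --file=role.yaml`."""
    lines = [
        f'title: "{title}"',
        f'description: "{description}"',
        f'stage: "{stage}"',
        "includedPermissions:",
    ]
    lines += [f"- {perm}" for perm in sorted(permissions)]
    return "\n".join(lines) + "\n"


def parse_role(described_json):
    """Parse the JSON that `gcloud iam roles describe --format=json` prints."""
    return json.loads(described_json)


def missing_permissions(role, required=SOAR_MINIMUM):
    """Required permissions the role lacks (sorted). Empty means users with this
    role can satisfy the SOAR-side login minimum."""
    granted = set(role.get("includedPermissions", []))
    return sorted(required - granted)


def extra_permissions(role, required=SOAR_MINIMUM):
    """Permissions the role grants beyond the minimum. For a role that is meant
    to be SOAR-only, every entry here deserves a least-privilege review."""
    granted = set(role.get("includedPermissions", []))
    return sorted(granted - required)


def audit_soar_only_role(role):
    """Summarise the role: ok means nothing from the minimum is missing."""
    missing = missing_permissions(role)
    return {
        "name": role.get("name"),
        "ok": not missing,
        "missing": missing,
        "extra": extra_permissions(role),
        "stage": role.get("stage"),
    }


# Constructed sample: a complete SOAR-only role that also carries one
# permission beyond the minimum (flagged as "extra" by the audit).
SAMPLE_ROLE = """{
  "name": "projects/example-project/roles/secopsSoarOnly",
  "title": "SecOps SOAR only",
  "stage": "GA",
  "includedPermissions": [
    "chronicle.instances.get",
    "chronicle.preferenceSets.get",
    "resourcemanager.projects.get"
  ]
}"""

# Constructed sample: a role that forgot chronicle.preferenceSets.get, so
# SOAR-only users mapped to it would not meet the login minimum.
SAMPLE_ROLE_INCOMPLETE = """{
  "name": "projects/example-project/roles/secopsSoarOnlyBroken",
  "title": "SecOps SOAR only (incomplete)",
  "stage": "GA",
  "includedPermissions": [
    "chronicle.instances.get"
  ]
}"""

if __name__ == "__main__":
    print(render_role_file("SecOps SOAR only", SOAR_MINIMUM,
                           "Minimum permissions for SOAR-only login"))
    for text in (SAMPLE_ROLE, SAMPLE_ROLE_INCOMPLETE):
        print(json.dumps(audit_soar_only_role(parse_role(text)), indent=2))
```

Feed the output of `gcloud iam roles describe` for your own role into `parse_role` and treat a non-empty `missing` list as a blocker before mapping users to the role; treat a non-empty `extra` list as a prompt to confirm those permissions are intended for a SOAR-only population.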