SOC Prime

Ensure you've received the credentials of the Microsoft Azure authentication app created and managed by SOC Prime. This app acts as an Identity Provider: the trust relationship is established between it and your Google Cloud. Here are the credentials you need:

- Azure Tenant ID
- Azure Client ID
- Azure Client Secret
- Issuer URL

If you haven't received these credentials, please contact your SOC Prime Platform account manager.

In your Google Cloud Console, ensure the following APIs are enabled. These APIs are required for the WIF authentication to work:

1. IAM Service Account Credentials API.
    
   
    
2. Security Service Token API.
    
   
    
3. Chronicle API.
    
   
    

Create a service account that will issue dynamic temporary access tokens (STS tokens) to the Microsoft Azure app.

1. Set a meaningful account name and, optionally, description.
 
 
 
2. Set the following roles in the Permissions section:
 1. <code>Chronicle API Editor</code> role if you are going to use it for automation/deploy or <code>Chronicle API Viewer</code> if it's intended for Attack Detective.
 
 
 
 2. <code>Service Usage Consumer</code> (this role is required for using WIF).
3. Leave the section Principals with access empty.

1. Create an Identity pool and set a meaningful name for it.
 
 
 
2. Create a provider to pool:
 1. Select OpenID Connect (OIDC) as the provider.
 2. Set a meaningful provider name.
 3. Enter the URL provided by SOC Prime as the Issuer URL.
 4. Leave the JWK file field empty.
 5. In the Audiences section, select Allowed audiences and enter the Azure Client ID provided to you by SOC Prime (see step 1) in the Audience 1 field.
 
 
 
3. Configure provider attributes by entering <code>assertion.sub</code> in the OICD 1 field.

Assign a principal to the service account created at step 3:

1. Open the Principals with access tab of the service account.
2. In the New principals field, enter the following value: <code>principalSet://iam.googleapis.com/projects/{PROJECT_NUMBER}/locations/global/workloadIdentityPools/{IDENTITY_POOL_NAME}/*</code>
 
 where:
 
 <code>{PROJECT_NUMBER}</code> replace with your Google SecOps project number (you can find it on the Settings tab of the project)
 
 <code>{IDENTITY_POOL_NAME}</code> replace with the name of the identity pool you've set at step 4-a
3. In the Role dropdown, select the Workload Identity User option.

Configure a Data Plane on the SOC Prime Platform:

1. Choose Cloud Chronicle API with WIF as the environment type for your Google SecOps Data plane.
2. Fill in the required parameters:
 1. Google SecOps Project Number – Copy the Project number from the Settings tab of your Google SecOps project.
 
 
 
 
 2. Google SecOps Service Account Email – Copy the value of the Email field of the service account you've created at step 3.
 
 
 
 
 3. Region – select the region of your Google SecOps from the dropdown. You can find your region on the Google SecOps → Overview tab.
 
 
 
 
 4. Instance ID – Copy the Customer ID value from the Google SecOps → Overview tab. 
 
 
 
 
 5. Project ID – Copy the Project ID from the Settings tab of your Google SecOps project.
 
 
 
 
 6. Azure Tenant ID – use the value provided by SOC Prime (see step 1).
 7. Azure Client ID – use the value provided by SOC Prime (see step 1).
 8. Azure Client Secret – use the value provided by SOC Prime (see step 1).
 9. WIF Pool ID – Identity pool name you've set at step 4-a.
 10. WIF Provider ID – Identity provider name you've set at step 4-b-ii.

1. Ensure you've received the credentials of the Microsoft Azure authentication app created and managed by SOC Prime. This app acts as an Identity Provider: the trust relationship is established between it and your Google Cloud. Here are the credentials you need:
 - Azure Tenant ID
 - Azure Client ID
 - Azure Client Secret
 - Issuer URL
 
 If you haven't received these credentials, please contact your SOC Prime Platform account manager.
2. In your Google Cloud Console, ensure the following APIs are enabled. These APIs are required for the WIF authentication to work:
 1. IAM Service Account Credentials API.
 
 
 
 2. Security Service Token API.
 
 
 
 3. Chronicle API.
 
 
 
3. Create a service account that will issue dynamic temporary access tokens (STS tokens) to the Microsoft Azure app.
 1. Set a meaningful account name and, optionally, description.
 
 
 
 2. Set the following roles in the Permissions section:
 1. <code>Chronicle API Editor</code> role if you are going to use it for automation/deploy or <code>Chronicle API Viewer</code> if it's intended for Attack Detective.
 
 
 
 2. <code>Service Usage Consumer</code> (this role is required for using WIF).
 3. Leave the section Principals with access empty.
 
 
 
4. Set up Workload Identity Federation.
 
 
 
 1. Create an Identity pool and set a meaningful name for it.
 
 
 
 2. Create a provider to pool:
 1. Select OpenID Connect (OIDC) as the provider.
 2. Set a meaningful provider name.
 3. Enter the URL provided by SOC Prime as the Issuer URL.
 4. Leave the JWK file field empty.
 5. In the Audiences section, select Allowed audiences and enter the Azure Client ID provided to you by SOC Prime (see step 1) in the Audience 1 field.
 
 
 
 3. Configure provider attributes by entering <code>assertion.sub</code> in the OICD 1 field.
 
 
 
5. Assign a principal to the service account created at step 3:
 1. Open the Principals with access tab of the service account.
 2. In the New principals field, enter the following value: <code>principalSet://iam.googleapis.com/projects/{PROJECT_NUMBER}/locations/global/workloadIdentityPools/{IDENTITY_POOL_NAME}/*</code>
 
 where:
 
 <code>{PROJECT_NUMBER}</code> replace with your Google SecOps project number (you can find it on the Settings tab of the project)
 
 <code>{IDENTITY_POOL_NAME}</code> replace with the name of the identity pool you've set at step 4-a
 3. In the Role dropdown, select the Workload Identity User option.
 
 
 
 
6. Configure a Data Plane on the SOC Prime Platform:
 
 
 
 
 1. Choose Cloud Chronicle API with WIF as the environment type for your Google SecOps Data plane.
 2. Fill in the required parameters:
 1. Google SecOps Project Number – Copy the Project number from the Settings tab of your Google SecOps project.
 
 
 
 
 2. Google SecOps Service Account Email – Copy the value of the Email field of the service account you've created at step 3.
 
 
 
 
 3. Region – select the region of your Google SecOps from the dropdown. You can find your region on the Google SecOps → Overview tab.
 
 
 
 
 4. Instance ID – Copy the Customer ID value from the Google SecOps → Overview tab. 
 
 
 
 
 5. Project ID – Copy the Project ID from the Settings tab of your Google SecOps project.
 
 
 
 
 6. Azure Tenant ID – use the value provided by SOC Prime (see step 1).
 7. Azure Client ID – use the value provided by SOC Prime (see step 1).
 8. Azure Client Secret – use the value provided by SOC Prime (see step 1).
 9. WIF Pool ID – Identity pool name you've set at step 4-a.
 10. WIF Provider ID – Identity provider name you've set at step 4-b-ii.

How to Get Credentials for Google SecOps and Set up WIF

Threat Detection Marketplace

Find answers and get help from Intercom Support and Community Experts

Conversations you've started through the messenger will appear here.

No conversations created by you

Try using different keywords or checking for typos.

No conversations found

Title

This site employs cookies and other technologies that we and our third party vendors use to monitor and record personal information about you and your interactions with the site (including content viewed, cursor movements, screen recordings, and chat contents) for the purposes described in our Cookie Policy. By continuing to visit our site, you agree to our {websiteTermsLink}, {privacyPolicyLink} and {cookiePolicyLink}.

This site uses cookies and similar technologies ("cookies") as strictly necessary for site operation. We and our partners also would like to set additional cookies to enable site performance analytics, functionality, advertising and social media features. See our {cookiePolicyLink} for details. You can change your cookie preferences in our Cookie Settings.

We use cookies to make our site work and also for analytics and advertising purposes. You can enable or disable optional cookies as desired. See our {cookiePolicyLink} for more details.

Advertising cookies are set by our advertising partners to collect information about your use of the site, our communications, and other online services over time and with different browsers and devices. They use this information to show you ads online that they think will interest you and measure the ads' performance. Social media cookies are set by social media platforms to enable you to share content on those platforms, and are capable of tracking information about your activity across other online services for use as described in their privacy policies.

These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.

These cookies are necessary for the website to function and cannot be switched off in our systems.

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site.

You have the right to opt out of the sale of your personal information. See our {cookiePolicyLink} for more details about how we use your data.

Your Privacy Choices

We use cookies to enhance your experience. You can customize your cookie preferences below. See our {cookiePolicyLink} for more details.

Cookie Settings

Empty Help Center

Uh oh. That page doesn’t exist.

Home

Search results

Disappointed

Neutral

Smiley

Thinking...

Searching through sources...

Analyzing...

Tickets submitted through the messenger or by a support agent in your conversation will appear here.