Add SIEM or SOAR users to Google SecOps
This document is for Google Security Operations admins who want to grant permission to specific users to use only the SIEM features in Google SecOps (such as investigating raw data) or only the SOAR features of Google SecOps (such as managing cases). Due to the nature of the Google SecOps platform, both sets of users need minimal permissions from both the SIEM and SOAR sides before they can sign in to the platform.
Before you begin
These procedures are based on the assumption that you have already onboarded to the Google SecOps platform, enabled the Chronicle API, and started working with IAM permissions. The following procedures may vary slightly, depending on whether you configured a Cloud Identity provider or a third-party identity provider.
Set up users with SIEM-only permissions
- Define either a predefined role or a custom role with the relevant SIEM permissions.
- If you're using the Cloud Identity Provider, map user email groups on the email group mapping page.
- If you're using a third-party identity provider, map IdP groups on the IdP group mapping page.
- On either page, map the IdP groups or email groups to the minimal control access parameters, as follows:
  - Permission groups:
    - Set the license type to Standard.
    - Set the landing page to SIEM Search.
    - Under Read/Write Permissions, click the Homepage toggle.
  - SOC roles: Select SIEM only. You need to create the SIEM SOC role first by adding it as a new SOC role.
  - Environments: Select Default.
Set up users with SOAR-only permissions
- Define either a predefined role or a custom role. The custom role must contain the following minimum permissions:
  - chronicle.instances.get
  - chronicle.preferenceSets.get
- If you're using the Cloud Identity Provider, map user email groups on the email group mapping page.
- If you're using a third-party identity provider, map IdP groups on the IdP group mapping page. You can choose the control access parameters that meet your needs. For more information, see control access parameters.
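One way to check that a SOAR-only custom role carries the two minimum permissions listed above, and to surface anything granted beyond them, is shown here as an added example that is not part of the Google SecOps documentation. It assumes the role was exported as JSON (for example with `gcloud iam roles describe ROLE_ID --project=PROJECT_ID --format=json`); the role names, the project ID and both sample exports are constructed placeholders.

```python
import json

# Minimum permissions a SOAR-only custom role must contain (from this page).
SOAR_MINIMUM = frozenset({
    "chronicle.instances.get",
    "chronicle.preferenceSets.get",
})


def audit_soar_role(role_json: str) -> dict:
    """Compare an exported IAM role definition against the SOAR-only minimum.

    Reports required permissions that are missing, plus anything granted
    beyond the minimum, split into chronicle.* and all other permissions
    so that unintended SIEM-side access is easy to spot in review.
    """
    role = json.loads(role_json)
    included = set(role.get("includedPermissions", []))
    extra = included - SOAR_MINIMUM
    return {
        "role": role.get("name", "<unnamed>"),
        "meets_minimum": SOAR_MINIMUM <= included,
        "missing": sorted(SOAR_MINIMUM - included),
        "extra_chronicle": sorted(p for p in extra if p.startswith("chronicle.")),
        "extra_other": sorted(p for p in extra if not p.startswith("chronicle.")),
    }


# Constructed sample exports (assumption: shaped like an IAM role resource).
SAMPLE_MINIMAL = json.dumps({
    "name": "projects/PROJECT_ID/roles/soarOnlyMinimal",
    "includedPermissions": sorted(SOAR_MINIMUM),
})
SAMPLE_DRIFTED = json.dumps({
    "name": "projects/PROJECT_ID/roles/soarOnlyDrifted",
    "includedPermissions": [
        "chronicle.instances.get",
        # Constructed placeholder, not a real permission name.
        "chronicle.placeholderResource.list",
        "resourcemanager.projects.get",
    ],
})

if __name__ == "__main__":
    for sample in (SAMPLE_MINIMAL, SAMPLE_DRIFTED):
        print(json.dumps(audit_soar_role(sample), indent=2))
```

A role that fails `meets_minimum` does not satisfy the minimum stated above; entries under `extra_chronicle` are worth reviewing before the role is mapped to a SOAR-only group.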