Configuring the Connector
Overview
When a new connector is being configured, the platform uses the connector script in an integration as a template only, and the configured connector is an instance of that connector template. You can add multiple connectors with different configurations using the same code you created for the connector in the IDE.
Connector Configuration
- Select the icon in the upper right-hand corner to access the connectors module and configure a connector under the relevant environment.
- Next, from the Connectors screen, click the icon in the upper left-hand corner to add a new Connector item.
- Configure the Connector parameters and select the environment relevant for the connector.
Connector Fields:
“Environment”: defines which environment this connector connects to. If you do not need to define the environment, select “Default Environment”.
“Run Every”: defines the interval between connector runs.
“Product Field Name”: required by the connector in order to identify the product that generates the alerts pulled into Chronicle SOAR. Do not enter the product name here. Instead, enter the event field (a key from your JSON event) that describes the product.
Example: enter “_index” to indicate that “cloudtrail” is the product that generated the alert.
“Event Field Name”: required by the connector in order to identify the type of the security event pulled into Chronicle SOAR. Do not enter the event name or type here. Instead, enter the event field (a key from your JSON event) that describes the event type.
Example: enter “_source.userIdentity.type” to indicate that “AssumedRole” is the type of the security event.
“Event Count Limit”: if you are pulling a correlation alert, set the limit on the number of underlying events Chronicle SOAR should fetch with it. This makes a connector run faster (in case the alerts are heavy on redundant events) and reduces the redundancy for security analysts.
- In this example, the connector is configured under the Default Environment. Once you fill in all the credentials, save the connector.
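To show how the “Product Field Name”, “Event Field Name” and “Event Count Limit” settings are applied to raw events, here is an added example (not Chronicle SOAR's own connector code) that resolves dotted JSON key paths such as “_source.userIdentity.type” and trims a correlation alert to its event limit; the sample events and the function names are constructed for illustration.

```python
from typing import Any, Dict, List, Optional

# Constructed sample events (not real data): Elasticsearch-style hits wrapping
# CloudTrail records, matching the "_index" / "_source.userIdentity.type" keys
# used in the field descriptions above.
SAMPLE_EVENTS = [
    {"_index": "cloudtrail",
     "_source": {"userIdentity": {"type": "AssumedRole"}, "eventName": "AssumeRole"}},
    {"_index": "cloudtrail",
     "_source": {"userIdentity": {"type": "AssumedRole"}, "eventName": "GetCallerIdentity"}},
    {"_index": "cloudtrail",
     "_source": {"userIdentity": {"type": "AssumedRole"}, "eventName": "ListBuckets"}},
]


def get_field(event: Dict[str, Any], path: str) -> Optional[Any]:
    """Resolve a dotted key path ('_source.userIdentity.type') against a JSON event.
    Returns None when any segment is missing, so a misconfigured field name
    never raises deep inside the connector's polling loop."""
    current: Any = event
    for part in path.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def build_alert(events: List[Dict[str, Any]], product_field: str,
                event_field: str, event_count_limit: int) -> Dict[str, Any]:
    """Assemble a correlation alert from its underlying events.
    Product and event type are read from the configured field names (not typed
    in literally), and the event list is cut at event_count_limit. A configured
    field that resolves to nothing raises, so a wrong key is caught when the
    connector is tested rather than silently producing alerts with no product."""
    if not events:
        raise ValueError("correlation alert has no underlying events")
    if event_count_limit < 1:
        raise ValueError("event_count_limit must be a positive integer")
    product = get_field(events[0], product_field)
    event_type = get_field(events[0], event_field)
    if product is None:
        raise ValueError(f"product field {product_field!r} not found in event")
    if event_type is None:
        raise ValueError(f"event field {event_field!r} not found in event")
    kept = events[:event_count_limit]
    return {
        "product": str(product),
        "event_type": str(event_type),
        "events": kept,
        "truncated_events": len(events) - len(kept),
    }
```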
In the next step, we will test the Connector and ingest a test case into the Chronicle SOAR platform.