Multi-Tenancy Features
Chronicle SOAR uses environments to manage tenants. Each environment, which represents a tenant or customer, is created with a set of metadata fields: customer image, customer name, description, contact name, phone, email, and Remote Agents configuration. In addition, Chronicle SOAR provides the following capabilities for additional value in a multi-tenant deployment:
Environment Operational Settings
The following settings are configured per environment to support customer-specific use cases in daily operation: SLAs, custom lists, customer domains and networks, email templates, and blocklisted items.
Connectors
Connectors are applications that ingest alerts from different types of sources (SIEM, database, email box, etc.) into Chronicle SOAR. Multiple connectors can run in parallel, collecting alerts from local or remote products and assigning them automatically to the relevant environment.
Connectors can also take into account the multi-tenancy defined in the source product (e.g. a multi-tenant QRadar SIEM).
Data Separation
Ingested and collected data (cases, alerts, events, playbook results, etc.) is separated into environments. Each environment contains only the data relevant to its customer, with no possibility of data moving to another environment. Data assigned to an environment is visible to permitted users only.
Data Consolidation
All data is consolidated in a single queue with the same language for the SOC team (analyzed processes), regardless of the source product.
Easier to onboard new customers (just switch the connector) and new security analysts (they don't need to be experts in the source products).
Support more customers with different types of technologies (EK, Splunk, AlienVault, etc.).
Entity Explorer
Security teams can view entities across the entire customer base or within the context of a specific environment (e.g. to see whether a malicious hash found at "Customer A" also appeared at the "Customer B" site).
User Permissions
Along with module permissions, users can also be assigned to the environments they are allowed to view or handle. Customers can also be given limited user access to Chronicle SOAR to review dashboards, reports, playbooks, etc., with their own information alone.
Marketplace
Integrations are defined per environment.
Playbooks
Playbooks can be extended to customer remote sites, allowing security analysts (who have sufficient privileges) to collect information and run IR processes in the customer's environment. Security teams can create generic playbooks (which automatically pick the integration credentials relevant to the customer) as well as customer-specific playbooks.
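A toy model of the environment boundary described under Data Separation, Entity Explorer, User Permissions and Playbooks above, added here as an illustration (it is not Chronicle SOAR code; the class and field names, the sample tenants and the placeholder credentials are all assumptions): a connector tags each alert with its environment, alert visibility and the cross-customer entity lookup are bounded by the user's environment assignments, and a generic playbook step resolves integration credentials for the case's own environment and fails closed when none exist.

```python
"""Toy model of environment-scoped tenancy; constructed illustration, not Chronicle SOAR code."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Alert:
    alert_id: str
    environment: str        # the tenant the connector assigned this alert to
    entities: frozenset     # hashes, hosts, addresses seen in the alert

@dataclass(frozen=True)
class User:
    name: str
    environments: frozenset  # environments this user is permitted to view

@dataclass
class Tenancy:
    alerts: list = field(default_factory=list)
    credentials: dict = field(default_factory=dict)  # environment -> integration -> secret

    def ingest(self, connector_env: str, alert_id: str, entities) -> None:
        """A connector tags every alert it collects with its configured environment."""
        self.alerts.append(Alert(alert_id, connector_env, frozenset(entities)))

    def visible_alerts(self, user: User) -> list:
        """Data separation: a user only sees alerts from environments they are assigned to."""
        return [a for a in self.alerts if a.environment in user.environments]

    def entity_explorer(self, user: User, entity: str) -> set:
        """Cross-customer lookup (which environments saw this entity), still bounded
        by the caller's environment permissions so a customer user cannot see others."""
        return {a.environment for a in self.visible_alerts(user) if entity in a.entities}

    def resolve_credentials(self, environment: str, integration: str) -> str:
        """Generic playbook step: use the credentials of the case's own environment,
        and fail closed rather than fall back to another tenant's secret."""
        try:
            return self.credentials[environment][integration]
        except KeyError:
            raise PermissionError(f"no {integration!r} credentials for {environment!r}") from None


# Constructed sample data: two tenants sharing one suspicious hash, two user scopes.
TENANCY = Tenancy(credentials={"Customer A": {"edr": "<token-a>"}, "Customer B": {"edr": "<token-b>"}})
TENANCY.ingest("Customer A", "A-1", ["hash:<sample-hash>", "host:a-ws01"])
TENANCY.ingest("Customer B", "B-1", ["hash:<sample-hash>"])
TENANCY.ingest("Customer B", "B-2", ["host:b-srv02"])
MSSP_ANALYST = User("mssp-analyst", frozenset({"Customer A", "Customer B"}))
CUSTOMER_A_USER = User("customer-a-viewer", frozenset({"Customer A"}))
```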
Remote Agents
The Chronicle SOAR platform can orchestrate and automate workflows on remote or separated networks. This ability allows MSSPs to extend use cases between their SOC and the customer.
Dashboards
Dashboards can be customer-specific or generic. In any case, it is always possible to filter a dashboard by environment.
Reports
Reports can be customer-specific or generic. Chronicle SOAR provides periodic reports that can be generated automatically for different customers and purposes (e.g. weekly SLA, attack statistics, etc.). It is also possible to add customer logos to reports.