Understand the Chronicle SecOps platform

As described in the article Navigate the platform, some areas of the platform are divided into SIEM and SOAR. This is because the Chronicle Security Operations platform provides tools for both security information and event management (SIEM) and security orchestration, automation, and response (SOAR). Some parts of the Chronicle SecOps platform are specific to either SIEM or SOAR only and are labeled as such.

In the Chronicle SecOps platform, there are two separate Search screens.

SIEM Search directs you to the UDM Search page. UDM Search enables you to find Unified Data Model (UDM) events and alerts in your Chronicle instance. You can search either for individual UDM events or for groups of UDM events tied to shared search terms. It also provides a uniquely holistic experience, because the search includes information on alerts that were ingested from the SOAR connectors and webhooks. For more information, see SIEM Search.

The SOAR Search screen focuses on two main areas: cases and entities. From this screen, you can search for open or closed cases, or for entities that were involved in cases. You can drill down to the entities you are looking for to see further information on them. You can also perform bulk actions, such as merging cases, on your search results. For more information, see SOAR Search.

SIEM Dashboards and SOAR Dashboards

SIEM Dashboards display information about your UDM events data. This includes security telemetry, ingestion metrics, detections, alerts, IOCs, and more. For more information, see SIEM Dashboards.

SOAR Dashboards display information on cases, playbooks, and SOC analyst data. You can create new dashboards and share them with other users. For more information, see SOAR Dashboards.

SIEM Settings and SOAR Settings

Most SOAR administration and configuration is located in the SOAR Settings, and most SIEM administration and configuration is located in the SIEM Settings. Permissions are set separately for each side of the platform, and there is no dependency between them. For example, you could limit permissions to Playbooks in the SOAR Settings for certain user groups whilst giving full permissions to all modules in the SIEM Settings.

However, a few settings apply to the entire Chronicle SecOps platform. These platform-wide settings are controlled from the SOAR Settings. They include the IDP Group Mapping page, which maps all the Chronicle SecOps platform user groups, and the Permissions Groups page, which defines a choice of landing page for each user group. Changes in permissions that are managed via Identity and Access Management (IAM) are applied immediately. However, permissions managed from the SOAR Settings are only applied the next time the user logs in to the platform.

For information on SIEM Settings, see SIEM Settings.

For information on SOAR Settings, see SOAR Settings.

Ingesting data using SecOps SIEM and third-party SIEMs

The Chronicle SecOps platform not only ingests alerts using the inbuilt SIEM platform (which ingests raw logs using forwarders and data feeds) but also accepts alerts from third-party SIEMs (via SOAR > Connectors and Webhooks).

This gives you the flexibility to take advantage of other SIEMs as well as our own Chronicle SecOps SIEM offering. Google recommends using the inbuilt SIEM wherever possible for a more seamless experience.

Alerts ingested from both the inbuilt SIEM and third-party SIEMs can be grouped into Cases and looked at as part of the Case Management features. Alerts ingested from third-party SIEMs are sent to the SIEM side of the platform and can be seen using the UDM Search, but are not subjected to the inbuilt SIEM rules.