New Chronicle integrations with leading SOAR platforms

Mar 24, 2021


As enterprises look to more efficiently manage the incident response process, Security Orchestration, Automation, and Response (SOAR) platforms have steadily gained traction. These tools help SOC teams speed up security operations and create consistency when it comes to responding to security threats.

To help customers take advantage of their incident response toolkit, Chronicle now offers SOC playbook and orchestration-ready APIs and integrations with leading SOAR vendors such as D3 Security, IBM, Palo Alto Networks, ServiceNow, Siemplify, Splunk, and Swimlane. This means that Chronicle instances, APIs and search parameters are accessible directly within these platforms, allowing customers to combine Chronicle’s real-time threat detection and investigation with their SOAR playbooks.

To make this happen, Chronicle has exposed its search, investigate and rules engine functionality through APIs that are widely used by customers and MSSP partners. With these purpose-built integrations, the APIs and search parameters are accessible directly within pre-integrated SOAR platforms.

“During our evaluation, we liked how Chronicle directly integrated with our other platforms through APIs. The data was streamed straight in — from there, the work for us was very easy.” — Paradigm Quest

“The first thing that really stood out was the API-centric approach. We have a lot of infrastructure-as-code pipelines for the ways we want our alerts set up, and the Chronicle APIs allow us to integrate directly with the architecture we already have.” — BetterCloud

Here’s a summary of our new SOAR integrations, with more to come:

D3 SOAR. D3 integrates with Chronicle to enrich security events with rich telemetry and query Chronicle to gather contextual data to support advanced investigations.

IBM Resilient. Chronicle IOC alerts related to enterprise assets or malicious domains can be generated in Resilient for immediate follow-up, providing enrichment details and seamless threat lookup directly from the SOAR interface.

Palo Alto Networks Cortex XSOAR. Chronicle instances, APIs and search parameters are all accessible directly within Cortex XSOAR for full automation of playbooks.

ServiceNow Security Operations. Chronicle alerts are imported to create prioritized security incidents, enrich observables with Chronicle data, run threat lookup workflows, and perform sighting searches for Chronicle observables.

Siemplify. Siemplify can ingest Chronicle alerts as part of case management, and automatically group related alerts from any detection tool into threat-centric cases. Playbooks can also automatically query Chronicle for investigation and threat hunting, eliminating repetitive tasks and freeing up analyst time for higher-level work.

Splunk Phantom. Chronicle instances, APIs and search parameters are accessible directly within Phantom to help find assets that have been impacted by an IOC, see alerts and events for a particular asset, and identify domain and IP reputation.

Swimlane. The Swimlane plugin enables Chronicle customers to access their security data directly through API calls to the platform, including listing assets given a specified artifact.

Stay tuned for more blog posts about Chronicle’s technology integrations. To learn more about our SOAR integrations, contact our sales team.