Integrating Google SecOps SOAR

This integration enables the Delinea Platform to forward JSON-formatted event logs to Google Security Operations (SecOps) SOAR using HTTPS webhooks. Logs are ingested by Google SecOps and normalized within the Chronicle data pipeline, allowing administrators to monitor, analyze, and automate response actions based on Delinea audit and security events.

Benefits

This integration offers the following benefits:

• Centralizes Delinea Platform security events in Google SecOps for correlation and advanced analytics

• Provides unified visibility into privileged access activity, authentication sessions, and audit events

• Enables automated incident response through SOAR workflows and playbooks

• Enhances alerting and detection by normalizing Delinea events into the Chronicle data model

Prerequisites

The integration of Google SecOps SOAR with the Delinea Platform requires that the following requirements be met:

• The Delinea Platform is properly provisioned and configured in your environment.

• You have administrator permissions for managing webhooks in the Delinea Platform.

• You have a Google SecOps SOAR instance with permissions to create incoming webhooks.

• If required by your environment, obtain a Google SecOps API key or bearer token for webhook authentication.

Configuration

To enable the integration between Google SecOps SOAR and the Delinea Platform, complete the following steps:

Step 1: Create an Incoming Webhook in Google SecOps

1. Log in to the Google SecOps SOAR console.

2. Navigate to SOAR Settings → Ingestion → Webhooks.

3. Click Add Incoming Webhook.

4. Enter a descriptive name (for example, “Delinea Platform Logs”) and choose the appropriate environment.

5. Click Save.

6. Copy the generated Webhook URL (endpoint).

Step 2: Configure a Webhook in the Delinea Platform

1. In the Delinea Platform, navigate to Settings → General settings → Webhooks.

2. Click Create Webhook.

3. On the Create Webhook page, complete the following fields:

   • Name: Forward to Google SecOps

   • Target: Paste the webhook URL copied from Google SecOps

   • Description: Optional (for example, “Forwards audit events to Google Security Operations SOAR”)

   • Webhook State: Enabled

4. Under Triggers, select the service(s) and event levels (Info, Warning, Error) to forward.

5. (Optional) If authentication is required, add a custom header:

   • Key: Authorization

   • Value: Bearer <Google API Key>

6. Click Save to complete the configuration.

Step 3: Map and Validate Event Data

1. Go back to the webhook you just created in Delinea and click View Webhook Logs.

2. Select a log and click View Payload to inspect the JSON.

Example Delinea Webhook Payload

{
    "event_type": "SecretAccessed",
    "service": "Secret Management",
    "level": "info",
    "details": {
        "user": "frank",
        "secret_id": "A1B2C3",
        "timestamp": "2025-09-16T16:55:00Z"
    }
}

3. Use the following mapping to ensure that Delinea Platform logs are ingested correctly into Google SecOps SOAR:

4. Use these samples in the Google SecOps Data Mapping step, associating each Delinea field with the appropriate SecOps UDM or alert attribute.

Verification

To verify that the integration works:

• Trigger a test event in the Delinea Platform or use the Test Webhook option.

• Confirm that the event appears in the Google SecOps ingestion logs.

• Check that field mappings (event type, user, resource, timestamp) are correctly populated.

• Verify that events are visible in Chronicle Search or SOAR dashboards.

Troubleshooting

The following table provides troubleshooting guidance for common issues you may encounter when integrating the Delinea Platform with Google SecOps SOAR.