The SOC can see endpoints, network traffic, and cloud posture in real time, but historically, identity security has been a blind spot. The Silverfort integration for Google Security Operations helps to change that.
Google Security Operations users can pull live Silverfort identity risk into their playbooks, push risk updates back into Silverfort from any external detection and operate Silverfort service account and authentication policies directly from a response case. That includes enforcement on legacy protocols like NTLM, Kerberos, and LDAP that can be challenging to secure without rewriting applications or making changes to deployment.
The integration covers three Silverfort APIs (Risk, Service Accounts, Policies) and ships through the Google Cloud partner integrations catalog for Google Security Operations.
Why identity is the SOC’s hardest problem
Stolen credentials and identity abuse sit at the top of every credible breach report as the leading initial attack vector. Most enterprise environments are still running with thousands of service accounts that no single owner is accountable for.
The SOC typically has deep visibility into almost everything except the identity layer that the attacker is actually moving through. EDR covers the endpoint. SSE covers the network. CSPM covers cloud posture. But identity arrives last and is often the least structured. Raw Kerberos and NTLM events land in the SIEM without risk context. Service account behavior sits behind a separate console. When a detection fires, the analyst pivots to an identity product to check whether the user is already risky, then pivots again to apply a policy change that may live in another IdP entirely.
This integration helps to remove both of those pivots. Live Silverfort risk, third-party risk, and authentication policy state are available inside the response workflow case, alongside the data the analyst already works with.
What data flows and how
This is a response-side integration. Google Security Operations initiates the calls; Silverfort responds with the requested data or applies the requested change.
Read actions pull live Silverfort context into the response workflow case:
- Get Entity Risk returns the current risk score, severity, and risk factors for a user principal name or a resource name.
- Get Service Account and List Service Accounts return protected service account records with optional field filtering.
- Get Policy and List Policies return Silverfort authentication policies for review inside the response workflow case.
Write actions apply enforcement back to Silverfort:
- Update Entity Risk sets a user risk indicator (activity, malware, data breach, or custom) at a chosen severity and validity window from a response playbook outcome. Silverfort policies then enforce the new posture across every subsequent authentication for that user.
- Update SA Policy partially updates a service account policy: risk thresholds, protocol scope, allowed source and destination lists. This gives the SOC a direct lever on the population that has historically been hardest to govern.
- Update Policy and Change Policy State modify policy membership or toggle a policy on or off during incident response.
Each Silverfort API family uses its own credential pair, so permissions are scoped independently for Risk, Service Accounts, and Policies operations. A risk-only playbook can run with risk-only credentials and nothing more, which keeps the blast radius tight and the audit trail clean.
Use cases
Enrich identity-driven alerts with live Silverfort risk before deciding what to do. A detection fires from the EDR or SIEM on a user account. The playbook calls Get Entity Risk for that user. If Silverfort already shows a high score with risk factors like Kerberoasting, lateral movement, or anomalous service account behavior, the case gets auto-prioritized and the analyst opens an incident with the full identity picture already there. Context that used to take minutes is available in seconds.
Raise user risk in Silverfort after an external detection so policies enforce containment automatically. Malware detonation or a device compromise lands in the SOAR queue. The playbook calls Update Entity Risk to raise the user’s risk indicator in Silverfort with a defined severity and validity window. Silverfort then enforces stronger controls across every authentication that user attempts, including on legacy protocols like NTLM and Kerberos where MFA has historically been impossible. Depending on the policy, that could mean an MFA prompt, a deny on legacy authentication, or a hard block. One playbook step closes the loop from detection to enforcement.
Lock down a suspicious service account from inside the SOAR case. An analyst sees a service account operating outside its normal pattern. The playbook calls Update SA Policy to tighten the allowed source list, narrow protocol scope, or raise the risk threshold. The change applies in Silverfort, and the case records the action. Service accounts are typically the biggest blind spot in the SOC. For many teams, this is the first time they will have any lever on them from inside SOAR.
Toggle authentication policies during active response. When containment requires turning a policy on or off (say, a temporary deny on all NTLM authentication during an active intrusion), Change Policy State applies the change from inside the playbook. No switching consoles. The policy state change gets captured in the case timeline as evidence.
Getting started
Install the Silverfort integration through your standard Google Security Operations content deployment process and configure the connection from the integration instance page. The minimum configuration is the Silverfort API Root, External API Key, and one app-user credential pair for the API family you want to automate first. Run Ping to validate, then wire actions into playbooks. A single risk-enrichment step added to an existing identity alert playbook changes how cases are triaged from day one.
Full configuration parameters, action input examples, and supported features are in the Silverfort integration guide. The Google Security Operations integrations page for the connector is at https://docs.cloud.google.com/chronicle/docs/reference/partner-hosted-siem-integrations. For questions or to request a demo, contact us at ecosystem@silverfort.com.