This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
Webinar May 29th: Log Ingestion: Bindplane + Google SecOps
Log in to ask a question

Syncing Entities From SOAR to SIEM

Posted on 11-26-2024 02:01 PM
_eo
Bronze 2
Bronze 2
Reply posted on --/--/---- --:-- AM

I'm adding new properties to entities via playbooks or manual actions and I am looking for a way to have those changes propegated to the SIEM side for the same entity. Is there a way to do this? This way, when a new connector alert is created with that entity, the new property is included and can be used for filtering, etc.

0 4 176
Topic Labels
0 Likes
4 REPLIES 4

Posted on --/--/---- --:-- AM
ajohnson
Silver 1
Silver 1
Reply posted on --/--/---- --:-- AM

what kind of properties are you adding and what is the log source(s) that you are often doing this with?

@_eo wrote:

This way, when a new connector alert is created with that entity, the new property is included and can be used for filtering, etc.

Are you trying to filter the new property in SIEM/SOAR? 

For example: if it is additional info on the user and you use Azure/Entra, you can utilize the Azure AD context feed to enrich the data on the SIEM side:  https://cloud.google.com/chronicle/docs/ingestion/default-parsers/azure-ad-context

0 Likes

Posted on --/--/---- --:-- AM
_eo
Bronze 2
Bronze 2
Reply posted on --/--/---- --:-- AM

The log source would be connectors like EDRs, etc. The properties would be something like -

key: is_benign and value: true.

@ajohnson wrote:

Are you trying to filter the new property in SIEM/SOAR? 

We are trying to use the new properities in a playbook. If entity has this property with value x, go down this branch, if not go down this branch. The additional property is something an analyst would manually add to the entity and then when new alerts are generated and have the same entity, say hash value, the playbook would go down the correct branch.

0 Likes

Posted on --/--/---- --:-- AM
ddiserens
Staff
In response to _eo
Reply posted on --/--/---- --:-- AM

If I am understanding your question correctly. What you are trying to do is pull a value that was saved in the entity graph.

There is an action that I believe is called enrich from entity explorer which should accomplish what you are trying to do. 

0 Likes

Posted on --/--/---- --:-- AM
hzmndt
Staff
Reply posted on --/--/---- --:-- AM

I believe this is not available today, suggest to open a support case to rase the feature request and follow up the feature request from here:
https://issuetracker.google.com/issues?q=SOAR%20entity

0 Likes
Top Solution Authors
View all
OSZAR »