
Hello all, 

There is no current post regarding this topic, so I am opening a new one.
Is there any chance to ingest the IOC Matches from Google SIEM into Google SOAR as a new alert / case?
In the past I thought there was a connector function which allowed alerts to be created directly based on the IOC Matches.
Or are there public IOC detection rules anywhere that report exactly the IOC Matches?

Thank you for your help.
~Marinus

Have you tried the Mandiant Threat Intelligence integration?

You could also download the CSV from your screenshot, then import that in a custom list.



Thank you for your answer.
But the Mandiant Threat Intelligence integration won't solve this issue; with it you can enrich existing entities in SOAR.
Importing the CSV into a list for a rule and searching for detections is also not a proper solution.
It is manual work and not proactive.


You can do it with a detection rule that matches the IOC data with your UDM events.
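The kind of rule the reply above refers to, as an added example that is not from the original thread or from Google's published rule sets: a YARA-L 2.0 detection that joins network-connection UDM events against IP entities in the entity graph whose source is the global threat-intel context. The field names are the `graph.metadata.*` fields discussed later in this thread plus `graph.entity.ip`; the rule name, description and window are my own choices, and the rule is written from the documented YARA-L syntax rather than tested in a specific tenant.

```yaral
rule ioc_match_ip_from_entity_graph {
  meta:
    author = "added example"
    description = "Outbound connection to an IP present as a GLOBAL_CONTEXT IOC in the entity graph"
    severity = "MEDIUM"

  events:
    // the UDM event side of the join
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.target.ip = $ioc_ip
    $e.principal.hostname = $host

    // the entity graph side: IP entities supplied by the global threat-intel feed
    $ioc.graph.metadata.entity_type = "IP_ADDRESS"
    $ioc.graph.metadata.source_type = "GLOBAL_CONTEXT"
    $ioc.graph.entity.ip = $ioc_ip

  match:
    // one detection per (IOC, host) per hour, so a chatty host does not flood SOAR
    $ioc_ip, $host over 1h

  outcome:
    $event_count = count($e.metadata.id)
    $ioc_sources = array_distinct($ioc.graph.metadata.product_name)

  condition:
    $e and $ioc
}
```

Once the rule is live, the resulting detections reach SOAR through the normal Google SecOps connector, which is the "proactive" path the poster was asking for; the `match` window is what keeps one noisy host from opening a new case on every connection.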



Which Google SecOps licenses have access to this feature? Is it already available on Enterprise? Trying to search anything with entity graph fields, I'm getting this error: "Search query contains unsupported sources".

I find it strange because I can see the enrichment of threat intelligence sources, like VirusTotal, for example, but I don't see the Entity Graph fields present in the documentation, such as:

graph.metadata.entity_type
graph.metadata.threat.severity
graph.metadata.product_name
$sb.graph.metadata.source_type = "GLOBAL_CONTEXT"

And I also can't access any Entity Graph fields in the search.

Hello,

You could use the "List IOCs" action inside the GoogleChronicle integration to get all IOCs.

In your specific case, maybe you could create a custom job inside the GoogleChronicle integration to get all IOCs and create a case for each IOC.


Thanks for your reply, @bsalvatore!

For the first option you mentioned (“List IOCs”), would I need to create a playbook that automatically creates the cases? If so, what would typically be the trigger for that playbook?

I agree that your second option (custom job inside GoogleChronicle integration) might make more sense. However, in both approaches, how can I avoid creating duplicate cases? From what I understand, every time the job runs (every X minutes), it would generate a new case for each IOC match, which could lead to multiple cases with the same IOCs.


First option:

Use the method "set_job_context_property" to save the IOCs already analyzed.

Second option:

Get all cases ingested into the SOAR via get_cases_by_filter to check whether the IOCs have already been analyzed (depends on the case structure you use when creating a new case/alert from ingested IOCs).
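The dedup logic for the first option above (custom job plus job-context state), as an added example that is not from the original thread or from Google's GoogleChronicle integration: every IOC match that has already been turned into a case is fingerprinted and the fingerprints are persisted in a job-context property, so later runs of the job skip them. The SOAR SDK is stood in by a plain dict (`context`) and a `create_case` callback; in a real job those would be the job's `get_job_context_property` / `set_job_context_property` calls and whatever case-creation action you use, which I assume rather than verify here. The sample matches, their field names and the property name `processed_ioc_matches` are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Callable, Dict, List, Tuple

# Constructed sample of IOC matches in the shape a "List IOCs" style action might
# return; the field names are assumptions, not the integration's real schema.
SAMPLE_IOC_MATCHES: List[Dict[str, str]] = [
    {"ioc_type": "ip", "ioc_value": "203.0.113.7", "asset": "host-a",
     "first_seen": "2024-05-01T10:00:00Z"},
    {"ioc_type": "domain", "ioc_value": "Evil.Example", "asset": "host-b",
     "first_seen": "2024-05-01T10:05:00Z"},
    # The first match reported again with different letter case and whitespace:
    # it must not produce a second case.
    {"ioc_type": "ip", "ioc_value": "203.0.113.7 ", "asset": "HOST-A",
     "first_seen": "2024-05-01T10:00:00Z"},
]

STATE_KEY = "processed_ioc_matches"  # assumed job-context property name
MAX_STATE_ENTRIES = 10_000           # bound the stored state; oldest entries are dropped


def ioc_key(match: Dict[str, str]) -> str:
    """Stable fingerprint of one match, normalised so trivial variations dedupe.

    Granularity is (type, value, asset): one case per IOC per affected asset.
    Drop 'asset' from the tuple to get one case per IOC overall.
    """
    parts = (
        match["ioc_type"].strip().lower(),
        match["ioc_value"].strip().lower(),
        match["asset"].strip().lower(),
    )
    return hashlib.sha256("|".join(parts).encode("utf-8")).hexdigest()


def load_state(context: Dict[str, str]) -> Dict[str, dict]:
    """Job-context properties hold strings, so the state is stored as JSON text."""
    raw = context.get(STATE_KEY)
    if not raw:
        return {}
    try:
        state = json.loads(raw)
    except json.JSONDecodeError:
        return {}  # corrupt state: start over rather than fail the job
    return state if isinstance(state, dict) else {}


def save_state(context: Dict[str, str], state: Dict[str, dict]) -> Dict[str, dict]:
    """Persist the state (trimmed to MAX_STATE_ENTRIES) and return what was stored."""
    if len(state) > MAX_STATE_ENTRIES:
        # Keep the most recent entries by first_seen. A very old match that
        # resurfaces would get a new case; that is the trade-off for bounded state.
        newest = sorted(state.items(), key=lambda kv: kv[1]["first_seen"])
        state = dict(newest[-MAX_STATE_ENTRIES:])
    context[STATE_KEY] = json.dumps(state)
    return state


def process_matches(matches: List[Dict[str, str]],
                    context: Dict[str, str],
                    create_case: Callable[[Dict[str, str]], str]) -> List[str]:
    """Create one case per previously unseen match and return the new case ids."""
    state = load_state(context)
    created: List[str] = []
    for match in matches:
        key = ioc_key(match)
        if key in state:
            continue  # already cased on an earlier run (or earlier in this run)
        case_id = create_case(match)
        state[key] = {
            "case_id": case_id,
            "first_seen": match["first_seen"],
            "processed_at": datetime.now(timezone.utc).isoformat(),
        }
        # Persist after every case so a crash mid-run cannot re-create cases
        # for matches that were already handled.
        state = save_state(context, state)
        created.append(case_id)
    return created


def demo() -> Tuple[List[str], List[str], int]:
    """Run the job twice over the same matches; the second run must create nothing."""
    context: Dict[str, str] = {}  # stands in for the job-context property store
    counter = {"n": 0}

    def fake_create_case(match: Dict[str, str]) -> str:
        counter["n"] += 1
        return f"CASE-{counter['n']}"

    first_run = process_matches(SAMPLE_IOC_MATCHES, context, fake_create_case)
    second_run = process_matches(SAMPLE_IOC_MATCHES, context, fake_create_case)
    return first_run, second_run, len(load_state(context))


if __name__ == "__main__":
    print(demo())
```

The fingerprint, not the raw IOC string, is what decides whether a case exists, which is why the third sample match (same IP, same host, different casing) is folded into the first. If you prefer the second option from the reply above, `get_cases_by_filter` replaces `load_state` as the source of truth, but you then need the same stable key stored somewhere in the case (for instance in its title or a tag) to compare against.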


Thanks for the answer.

OK, I'm going to try these steps.

But, why can't I search using Entity Graph? Is this feature not available in the Enterprise tier?


