
Hi folks,
I need a clarification about a scenario.
I have a SecOps instance consisting of both SIEM and SOAR capabilities.
If an alert is generated using custom rules in SecOps SIEM, will it be visible in the SOAR platform as well (under Case name: {rule_name})?

As per my understanding, currently, to see all the alerts created in SIEM in SOAR, we must use the Google Chronicle integration's connector, which fetches the detections and creates cases and alerts.

Let me know what the correct behaviour is.
Thanks.

Hello @preet_mehta 

Yes, your assumption is correct. The Google Chronicle Connector is responsible for seeing the alerts on the SIEM side and pulling them into the SOAR side as cases. If you go to SOAR Settings > Case Data > Case Name, you can select the order of variables you'd like to name the cases with. If one of the variable values is missing, it will try to use the next variable in the list.

I hope this helps, let us know if you have any further questions or you are not seeing this expected behavior from the Google Chronicle Connector. 


Have a great day! 


The one other item I'll call out is that not all detection rules that are active will generate cases. You specifically need to enable Alerting for the rule to generate an alert and be synchronized to a case. 


-mike


Turn on Alerting on the rule.

Check the connector to ingest:

Google Chronicle - Chronicle Alerts Connector (SOAR Settings > Ingest > Connector)

Then check out these two jobs (read the description for what they do and whether they are appropriate to how you are running):

Google Chronicle Alerts Creator Job (Response > Jobs)
Google Chronicle Sync Job (Response > Jobs)
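To make the behaviour described in this thread concrete (a detection only becomes a SOAR case when its rule has Alerting turned on, and the case name falls back through the configured field order when a value is missing), here is an added Python simulation. It is not Google's connector or job code; the deployment fields (`enabled`, `alerting`), the detection fields, the sample data and the case-name field order are all assumptions chosen for illustration.

```python
"""Toy simulation of the SIEM-to-SOAR case sync behaviour discussed above.

Added example, not Google's connector code. Assumptions:
  - each rule has a deployment record with `enabled` and `alerting` flags
    (field names assumed; modelled on the rule deployment state in SecOps),
  - detections are dicts as the connector might fetch them (constructed below),
  - the SOAR Case Name setting is an ordered list of field names, and the
    first field with a non-empty value becomes the case name.
"""
from dataclasses import dataclass

# Constructed sample: deployment state keyed by rule id (field names assumed).
RULE_DEPLOYMENTS = {
    "ru_001": {"rule_name": "suspicious_powershell", "enabled": True, "alerting": True},
    "ru_002": {"rule_name": "rare_user_agent", "enabled": True, "alerting": False},
    "ru_003": {"rule_name": "legacy_rule", "enabled": False, "alerting": True},
}

# Constructed sample detections; de_4 deliberately lacks a rule_name so the
# case-name fallback is exercised.
DETECTIONS = [
    {"id": "de_1", "rule_id": "ru_001", "rule_name": "suspicious_powershell",
     "hostname": "ws-17", "user": "alice"},
    {"id": "de_2", "rule_id": "ru_002", "rule_name": "rare_user_agent",
     "hostname": "web-03", "user": ""},
    {"id": "de_3", "rule_id": "ru_003", "rule_name": "legacy_rule",
     "hostname": "srv-9", "user": "svc"},
    {"id": "de_4", "rule_id": "ru_001", "rule_name": "",
     "hostname": "ws-22", "user": "bob"},
]


@dataclass
class Case:
    name: str
    detection_id: str
    rule_id: str


def alert_eligible(rule_id, deployments):
    """Return (eligible, reason). Only enabled rules with alerting on qualify."""
    dep = deployments.get(rule_id)
    if dep is None:
        return False, "unknown rule"
    if not dep.get("enabled", False):
        return False, "rule disabled"
    if not dep.get("alerting", False):
        return False, "alerting off"
    return True, "ok"


def case_name(detection, name_order, fallback="Untitled case"):
    """Pick the first non-empty field in name_order, like the Case Name setting."""
    for key in name_order:
        value = detection.get(key)
        if value not in (None, ""):
            return str(value)
    return fallback


def sync_detections(detections, deployments, name_order):
    """Simulate the connector: gate on alerting, then name and create cases.

    Returns (cases, skipped) where skipped maps detection id -> reason.
    """
    cases, skipped = [], {}
    for det in detections:
        ok, reason = alert_eligible(det["rule_id"], deployments)
        if not ok:
            skipped[det["id"]] = reason
            continue
        cases.append(Case(case_name(det, name_order), det["id"], det["rule_id"]))
    return cases, skipped


if __name__ == "__main__":
    created, dropped = sync_detections(DETECTIONS, RULE_DEPLOYMENTS,
                                       ["rule_name", "hostname"])
    for c in created:
        print(f"case created: {c.name!r} from {c.detection_id}")
    for det_id, why in dropped.items():
        print(f"no case for {det_id}: {why}")
```

Running it shows the two failure modes raised in the thread side by side: de_2 is dropped because its rule has alerting off and de_3 because the rule is disabled, while de_4 still gets a case but is named after the hostname because the rule_name value was empty.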