
Hi All,

I’ve looked high and low in search of a solution here, so hopefully, someone here can help us. We provide access to specific cases and event data based on environments, but I cannot figure out how to have cases created by curated alerts automatically assigned to the correct environment based on feed.

If anyone has documentation or can provide guidance on how this can be done, it would be much appreciated. We have ingestion label of Org set up on specific feeds with the org names set as values, but it’s unclear how we use this to have cases automatically created in the correct environments. If feed namespaces are the better method for this, cool, please let us know how we would go about doing that.

Solution doesn’t seem to be at the playbook level, since there’s no action to move cases to specific environments based on conditions.

Thanks,

[removed by moderator]

Hi,

I have a possible solution. Did you try to create a dynamic list filter?

Because using a dynamic list filter (https://cloud.google.com/chronicle/docs/soar/marketplace-integrations/google-chronicle#dynamic-list-filter), you could create a dedicated connector to import only a specific rule name via the following filter:

Rule.ruleName = "Active Breach Priority Host Indicators" (for example)

Honestly, I didn't find any correlation that you can use to identify curated rules and use it inside the Environment Field Name / Environment Regex Pattern settings.


Turns out that you just need to create a separate Google Chronicle - Chronicle Alerts Connector specific to the environment in question. Doing that did the trick.