
Hi everyone,

We’re currently implementing SecOps and I’m struggling with a specific scenario where I couldn’t find clear documentation. At the moment, we have a single environment that centralizes all open cases. Our requirement is to segment these alerts so that, for example, firewall events are separated by client, in different environments, based on criteria such as IP addresses, domain names, or even email addresses.

My questions are:

  • What would be the best way to automatically assign these cases to the right environment?

  • Should this be handled with rules, or is it better to use playbooks for this type of segmentation?

If anyone has faced a similar situation or can share best practices, I’d really appreciate your input.

We use rule metadata to split alerts into different environments.

You can have a key/value pair in a rule like so -

environment = "Environment A"

and then set up a connector rule SOAR side on the Dynamic List -

Rule.ruleLabels.environment="Environment A"


I would check out the following documentation for your use case -

https://cloud.google.com/chronicle/docs/soar/admin-tasks/environments/work-with-environments

https://cloud.google.com/chronicle/docs/soar/admin-tasks/configuration/manage-networks - if you add your CIDR ranges and tweak the priorities right and specify your environments you could achieve the IP address criteria.


There is also a SOAR API for "/api/external/v1/dynamic-cases/IngestCaseInOtherEnvironment" if you're pre-migration to the Chronicle APIs. Details available here -

https://{YOUR_INSTANCE_URL}/swagger/index.html
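An added illustration of how the two routing criteria from the reply combine: the rule label is consulted first, and otherwise the source IP is matched against prioritised CIDR networks. This is example code written for this thread, not the product's own logic; the network definitions, the alert shape, and the convention that a lower priority number wins are constructed assumptions.

```python
import ipaddress

# Constructed sample of SOAR-style network definitions (assumption: a lower
# "priority" value wins when several CIDRs contain the same address).
NETWORKS = [
    {"cidr": "10.10.0.0/16", "environment": "Environment A", "priority": 10},
    {"cidr": "10.20.0.0/16", "environment": "Environment B", "priority": 10},
    {"cidr": "10.0.0.0/8",   "environment": "Shared SOC",    "priority": 100},
]

DEFAULT_ENVIRONMENT = "Default Environment"


def environment_from_label(alert):
    """Return the environment named in the rule's metadata labels, if any.

    Mirrors the Rule.ruleLabels.environment mapping from the reply: the
    detection rule carries environment = "..." in its meta section and the
    connector reads it back as a label on the alert.
    """
    labels = alert.get("rule_labels") or {}
    return labels.get("environment")


def environment_from_network(ip, networks=NETWORKS):
    """Return the environment of the highest-priority CIDR containing ip."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None  # missing or malformed address: no network match
    matches = [n for n in networks if addr in ipaddress.ip_network(n["cidr"])]
    if not matches:
        return None
    # Lowest priority value wins; the most specific prefix breaks a tie, so
    # overlapping ranges resolve deterministically.
    best = min(
        matches,
        key=lambda n: (n["priority"], -ipaddress.ip_network(n["cidr"]).prefixlen),
    )
    return best["environment"]


def assign_environment(alert, networks=NETWORKS):
    """Label first, then network, then the default environment."""
    return (
        environment_from_label(alert)
        or environment_from_network(alert.get("source_ip", ""), networks)
        or DEFAULT_ENVIRONMENT
    )


if __name__ == "__main__":
    # Constructed alerts: one labelled by rule metadata, one only identifiable by IP.
    print(assign_environment({"rule_labels": {"environment": "Environment A"}, "source_ip": "10.20.1.1"}))
    print(assign_environment({"rule_labels": {}, "source_ip": "10.20.1.1"}))
```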

