Skip to main content

Hello Team, 

I need help building a SOAR playbook using a custom list in the Google SecOps platform. I’ve added the entity details with categories to the custom list and created a playbook to check those values against alerts. However, when I run the playbook, it seems to fail and goes to the 'else' condition instead of recognizing the matches.

I’ve tried adding the category and the actual values into the previous action condition block using both OR and AND conditions, but it still fails. Although I’ve defined the category in the custom list, it doesn’t seem to work.

Can anyone assist me in defining the conditions in the block to match these scenarios for false positive alert flows? I’ve also been working on use cases for EDR false positive alerts and certain cloud accounts where we expect a couple of alerts, and I want to ignore those alerts from the custom list.

I even tried running a simulator to test the flow. In the custom list option, I can see that it is taking the value I input, but it seems unable to verify against the actual custom list. The value I included in the SOAR playbook block is already present in the custom list.

Thanks,

Dnyaneshwar

That 'Is In Custom List' action is going to need a few things to match in order to actually return a True.



  1. The entity you are evaluating must be included in the entities  drop down for the action

  2. The Category is case sensitive and must exact match between the action and the value in your custom list.

  3. The entity name is case sensitive and must exact match between the action and the value in your custom list

  4. The case must be in the same environment as the custom list entry


Since you are already working in simulation mode its easiest to check these by clicking the 'Entities' button in the corner of the simulation window. From there  you can see the entity details and check #1 and #3.
Based on your screenshots #2 looks like it already matches.
For #4 you can check the environment from the playbook, or if the playbook is set to 'All Environments' Use the cases view to confirm the environment of your test case, and compare that against the custom list.


Once those are matching and you run the simulation again you should get 'This alert contains entitites...' and ScriptResult=true from the is in custom list action. And then your condition should be Previous Actions Conditions, pick your action from the dropdown and select '=' the value 'true'

Reply


Terms & ConditionsCookie settings
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.