Chronicle Rule → Outcome → SOAR Playbook Workflow

this is a template of a rule and how it creates the output fields for the playbook. FYI, we are using Legacy Chronicle still.

!--scriptorstartfragment-->

rule sh_template_rule_workflow_context_to_playbook {

  meta:

    author = "template"

    description = "TEMPLATE: Demonstrates the Chronicle rule → standardized outcome context → Gemini playbook workflow. This rule detects a high-signal suspicious command execution pattern (example technique) and emits consistent outcome fields (host, user, process chain, target process, event metadata, and user role hints). The intent is to show how the detection rule provides the context contract that the SOAR/Gemini playbook consumes to produce a verdict and recommended actions. MITRE: (template) Defense Evasion (TXXXX), Discovery (TXXXX)."

    gemini_prompt = "This alert was generated by a TEMPLATE Chronicle rule designed to demonstrate the workflow where the rule provides structured context to a SOAR/Gemini playbook via standardized outcome fields. The detection data includes the hostname (alertHostname), user (alertPrincipalUser), user role hints (outcomeUserRoleHint, outcomeUserIsTechnical), target process (alertTargetProcessPath, alertTargetProcessCommandLine), principal/parent process context (alertPrincipalProcessPath, alertPrincipalProcessCommandLine, alertParentProcessPath, alertParentProcessCommandLine), and event metadata (alertEventType, alertProductEventType) plus an event count (alertDistinctEventCount). Use ONLY the data in this alert; do not assume related alerts, prior cases, or historical context. Evaluate: 1) Who ran it (alertPrincipalUser) and whether their role hint suggests this is expected; non-technical users performing high-risk actions are more suspicious. 2) The process chain and execution method; interactive shells and unusual parents increase suspicion. 3) Whether the command line indicates high-risk intent versus routine administration. 4) Identify what additional validation steps an analyst should take to confirm maliciousness or benign intent (e.g., corroborating process tree, verifying change tickets, checking follow-on behaviors). Provide a verdict of Suspicious or Malicious by default unless there is clear evidence of an approved/admin scenario. Output valid JSON with exactly three fields: explanation, verdict, verdict_explanation. Do not include any additional text."

    reference = "https://example.com/template-reference"

    tags = "attack.example, workflow.template, rule-to-playbook, gemini"

    rule_inspiration = "Community workflow example: rule provides context contract for playbook"

    rule_validation = "Template / Not validated"

    severity = "Medium"

    dataTables = "UserRole_Technical_Titles, UserRole_Technical_Depts, UserRole_Elevated_Titles, UserRole_Elevated_Depts"

  events:

    // TEMPLATE: Replace vendor/product filters with what your environment uses.

    ($e1.metadata.vendor_name = "Crowdstrike" or $e1.metadata.product_name = "Microsoft-Windows-Sysmon")

    and ($e1.metadata.event_type = "PROCESS_LAUNCH"

            or $e1.metadata.event_type = "STATUS_UPDATE"

            or $e1.metadata.event_type = "PROCESS_UNCATEGORIZED"

    )

    and $e1.principal.hostname = $hostname

    // TEMPLATE DETECTION: Example suspicious command execution patterns (safe to share).

    // Swap this section to match your actual use case (bcdedit, vssadmin, netsh, schtasks, etc.)

    and (

      // --- PATH 1: High-signal discovery/admin commands launched interactively ---

      ($e1.target.process.command_line = /\b(cmd\.exe|powershell\.exe)\b/ nocase

            and $e1.target.process.command_line = /\b(whoami|nltest|net\s+user|net\s+group|dsquery|wmic|systeminfo)\b/ nocase

      )

      // --- PATH 2: High-risk configuration change keywords (template) ---

      or ($e1.target.process.command_line = /\b(set|config|disable|delete)\b/ nocase

            and $e1.target.process.command_line = /\b(policy|logging|security|firewall|defender)\b/ nocase

      )

    )

    // TEMPLATE: Exclude common enterprise tooling (keep generic)

    and not $e1.principal.process.file.full_path = /\\Tanium\\|\\BigFix\\|\\ConfigMgr\\|\\SCCM\\|\\Lansweeper\\|\\Defender\\/ nocase

  match:

    $hostname over 5m

  outcome:

    // --- Host & User Context (4) ---

    $alertHostname = array_distinct($e1.principal.hostname)

    $alertPrincipalUser = array_distinct($e1.principal.user.userid)

    // Use your established "service/machine account aware" role-hinting pattern

    $outcomeUserIsTechnical = array_distinct(

      if(

        ($e1.principal.user.userid = /\$$/)

        or ($e1.principal.user.windows_sid = "S-1-5-18")

        or ($e1.principal.user.windows_sid = "S-1-5-19")

        or ($e1.principal.user.windows_sid = "S-1-5-20")

        or ($e1.principal.user.windows_sid = /S-1-5-93-/),

        "true",

        if(

          ($e1.principal.user.title in regex %UserRole_Technical_Titles.Title nocase)

          or

          ($e1.principal.user.department in %UserRole_Technical_Depts.dept nocase),

          "true",

          "false"

        )

      )

    )

    $outcomeUserRoleHint = array_distinct(

      if(

        ($e1.principal.user.userid = /\$$/)

        or ($e1.principal.user.windows_sid = "S-1-5-18")

        or ($e1.principal.user.windows_sid = "S-1-5-19")

        or ($e1.principal.user.windows_sid = "S-1-5-20")

        or ($e1.principal.user.windows_sid = /S-1-5-93-/),

        "service",

        if(

          (

            ($e1.principal.user.title in regex %UserRole_Technical_Titles.Title nocase)

            or

            ($e1.principal.user.department in %UserRole_Technical_Depts.dept nocase)

            or

            ($e1.principal.user.title in regex %UserRole_Elevated_Titles.Title nocase)

            or

            ($e1.principal.user.department in %UserRole_Elevated_Depts.dept nocase)

          ),

          "technical",

          "non-technical"

        )

      )

    )

    // --- Process Chain (4) ---

    $alertPrincipalProcessPath = array_distinct($e1.principal.process.file.full_path)

    $alertPrincipalProcessCommandLine = array_distinct($e1.principal.process.command_line)

    $alertParentProcessPath = array_distinct($e1.principal.process.parent_process.file.full_path)

    $alertParentProcessCommandLine = array_distinct($e1.principal.process.parent_process.command_line)

    // --- Target Process (2) ---

    $alertTargetProcessPath = array_distinct($e1.target.process.file.full_path)

    $alertTargetProcessCommandLine = array_distinct($e1.target.process.command_line)

    // --- Event Metadata (2) ---

    $alertEventType = array_distinct($e1.metadata.event_type)

    $alertProductEventType = array_distinct($e1.metadata.product_event_type)

    // --- Count (1) ---

    $alertDistinctEventCount = count_distinct($e1.metadata.id)

  condition:

    $e1

}!--scriptorendfragment-->

then a simple playbook outline to show how we inject the information to gemini and parse the response:

Playbook name: Rule and Gemini Integration
Purpose: When a Chronicle detection generates a case, this playbook:

1. Pulls the rule metadata (especially metadata.gemini_prompt, plus description/tags)
2. Builds a Gemini prompt that includes:
   • the rule’s gemini_prompt
   • the rule’s description/tags
   • up to 20 outcome fields from the detection event
3. Calls “Ask Gemini”
4. Cleans Gemini’s response (because the result comes back HTML-wrapped / code-block-wrapped)
5. Parses the JSON (unflattens it so key/value fields are easy to reference)
6. Branches based on verdict (Benign vs not Benign)
7. Writes Gemini’s verdict/explanation into the case as a “General Insight”

Now that’s what I’m talking about! Thanks ​@mccrilb for sharing this with the Community! Would love to hear feedback from Community members on this. Keep ‘em coming ​@mccrilb!