I am using the Create Entity action and trying to create entities for internal IPs and domains in a playbook. I do not want to create entities for external entities. For entity type, I select internal and I checked the "is internal" box in the action. Why is the action creating entities for external entities not included in these settings? https://cloud.google.com/chronicle/docs/soar/admin-tasks/configuration/manage-networks
Hi @smit8 There is another post related to this topic here.
Check it out and see if any of the conversation helps. I would suggest jumping in on the conversation. If that doesn't help let us know.
This is with the API, I am trying to do it in a case via a playbook with IPs, hosts, etc. from the alert.
@smit8 That Create Entity action is going to create entities for anything in the 'Entities Identifies' box. Normally those entities would be flagged as internal if there are matching rules in Settings -> Environments -> Networks or Domains. The 'is internal' checkbox allows you to override that auto-detection and force the entity to be created with the isInternal:True tag (even without a matching environment rule). There aren't any settings on that action which will allow you to pre-filter your string to only create an entity if it would be detected as internal.
Depending on your use case you may be able to achieve what you need via one of these routes:
A) Update your ontology or use that 'create entities' option to create all the entities from your alert (internal and external), then use the entity type selector for each other action in the playbook to only take actions on internal entities. This is likely the easiest to implement, and won't take any actions on external entities but would leave them attached to the case.
B) You may be able to use the 'String Functions' action (included in the 'Functions' powerup) with the 'regex' option to filter the entities string before passing the string to the Create Entities action. This would require you to create a regex that matches the definition of your internal environment, so it may only be feasible if you have a relatively straightforward environment.
C) Create a custom action that can parse and filter the entities string before you pass it to the Create Entities action. This will require you to create that custom action in the IDE and build out your environment definition in Python. The complexity of this will depend on how complex your environment is, but it gives you complete control over how your entity string is filtered and can ensure that only the entities you want are present before passing that value to the Create action.
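As an added illustration of what the filtering step in options B and C amounts to (this is example code, not part of the original thread and not Chronicle SOAR's own action code): the function below takes a separator-joined entities string of the kind a playbook would pass to Create Entity and keeps only identifiers that fall inside a constructed internal definition. The network ranges and domain suffixes are hypothetical stand-ins for whatever is configured under Settings -> Environments -> Networks / Domains; in a real custom action the input string would come from the action's parameters rather than the hard-coded sample.

```python
import ipaddress

# Constructed sample of an internal environment definition (hypothetical values,
# standing in for the Networks / Domains rules configured in the SOAR environment).
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
INTERNAL_DOMAIN_SUFFIXES = ("corp.example", "internal.example")


def is_internal(entity: str) -> bool:
    """Return True if the identifier (IP or hostname) matches the internal definition."""
    entity = entity.strip().lower()
    try:
        addr = ipaddress.ip_address(entity)
    except ValueError:
        addr = None
    if addr is not None:
        # IP address: internal only if it sits inside one of the configured ranges
        return any(addr in net for net in INTERNAL_NETWORKS)
    # Hostname / domain: match on a label boundary so "notcorp.example" is not
    # mistaken for a "corp.example" host (a naive substring regex would accept it)
    return any(entity == s or entity.endswith("." + s) for s in INTERNAL_DOMAIN_SUFFIXES)


def filter_internal_entities(entities_string: str, separator: str = ",") -> str:
    """Keep only internal identifiers from a separator-joined string.

    Blank items and case-insensitive duplicates are dropped; original order and
    original casing of the first occurrence are preserved.
    """
    seen = set()
    kept = []
    for raw in entities_string.split(separator):
        item = raw.strip()
        key = item.lower()
        if not item or key in seen:
            continue
        if is_internal(item):
            seen.add(key)
            kept.append(item)
    return separator.join(kept)


if __name__ == "__main__":
    # Constructed sample entities string, as an alert might produce it
    sample = "10.1.2.3, 8.8.8.8, host1.corp.example, evil.example.com, 192.168.5.9, notcorp.example"
    print(filter_internal_entities(sample))
    # → 10.1.2.3,host1.corp.example,192.168.5.9
```

The filtered string is what would then be handed to the Create Entity action in place of the raw entities string, so external identifiers never reach the action and nothing has to be tagged internal that the environment definition would not already recognise.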