
Hello,


Let me add some context: 
I have an exclusion list that includes the user, the country where the exception will apply, the date until which the exclusion will be valid, and another field that automatically indicates whether it has expired or is still valid, without having to keep track of the date and modify it manually (and prevent it from becoming obsolete).

What I need is for the tool to somehow go to the document when the alert is triggered, review the user, and check the value to see if the exclusion has expired or is still valid. I haven't seen a way to integrate this list into the playbooks or the rule syntax itself in Chronicle.

Does anyone have any information about this or has encountered the same problem?

Hey ​@rjosende ,


If the goal is to have this as part of the automated response, then this sounds like a use case for Data tables. Here is the relevant guide.

If the goal is to prevent the alert from being triggered, unfortunately, I don’t have a solution for that.

If the goal is to prevent the alert from being ingested as a SOAR Alert, then it should be doable with custom changes to the connector, but it’s going to be a pretty big change, as it will require you to check the associated user of the alert and then query Data tables to make a decision.


Hi ​@rjosende, I’d say that ​@ylandovskyy’s suggestion is spot on. If you need to somehow handle them within a SOAR playbook, you may consider using the GoogleChronicle integration, which already has the action to interact with Data tables.

If this is still not enough, you could write your own integration/action.
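As an added illustration of the decision logic that both replies above describe (a playbook action or a customised connector looks up the alert's user in the exclusion Data table and decides whether the exclusion is still valid), here is a self-contained Python example. It is not code from the original thread, from Google SecOps/Chronicle, or from the GoogleChronicle integration: the Data table fetch is not shown on the page, so it is replaced by a constructed inline list of rows, and the names `evaluate_exclusion`, `is_active` and `Decision` are this example's own. The one design point worth copying is that the "expired / still valid" column is never trusted: it is recomputed from `valid_until` at evaluation time, against the alert's own timestamp, so the list cannot go stale and a malformed date fails closed (the alert is not suppressed).

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, datetime, timezone

# Constructed sample rows standing in for the exclusion Data table described in
# the question. The "status" column is intentionally ignored below and recomputed
# from "valid_until", so a forgotten manual update (bob) cannot suppress alerts.
EXCLUSION_ROWS = [
    {"user": "alice@example.com", "country": "ES", "valid_until": "2025-12-31", "status": "valid"},
    {"user": "bob@example.com",   "country": "*",  "valid_until": "2024-01-15", "status": "valid"},   # stale
    {"user": "carol@example.com", "country": "FR", "valid_until": "not a date", "status": "valid"},   # malformed
    {"user": "dave@example.com",  "country": "DE", "valid_until": "2023-06-30", "status": "expired"},
    {"user": "dave@example.com",  "country": "DE", "valid_until": "2025-09-30", "status": "valid"},   # renewed
]


@dataclass(frozen=True)
class Decision:
    suppress: bool   # True: the alert is covered by a currently valid exclusion
    reason: str      # human-readable justification to write into the case wall / log


def _parse_valid_until(raw: object) -> datetime | None:
    """Parse an ISO date (YYYY-MM-DD); the exclusion covers the whole of that day, UTC."""
    if not isinstance(raw, str):
        return None
    try:
        d = date.fromisoformat(raw.strip())
    except ValueError:
        return None
    return datetime(d.year, d.month, d.day, 23, 59, 59, tzinfo=timezone.utc)


def is_active(row: dict, at: datetime) -> bool:
    """Recompute validity from the date instead of trusting the stored status column."""
    end = _parse_valid_until(row.get("valid_until"))
    if end is None:
        return False        # fail closed: an unparseable date is not a valid exclusion
    return at <= end


def evaluate_exclusion(alert_user: str, alert_country: str, alert_time: datetime,
                       rows: list[dict] = EXCLUSION_ROWS) -> Decision:
    """Decide whether an alert for (user, country) is covered by an active exclusion.

    The alert's own timestamp is used, not the wall clock, so replayed or
    backfilled alerts are judged against the exclusion that applied at the time.
    """
    if alert_time.tzinfo is None:
        alert_time = alert_time.replace(tzinfo=timezone.utc)   # assumption: naive times are UTC
    user = alert_user.strip().lower()
    country = alert_country.strip().upper()

    matches = [
        r for r in rows
        if r.get("user", "").strip().lower() == user
        and r.get("country", "").strip().upper() in ("*", country)
    ]
    if not matches:
        return Decision(False, f"no exclusion for {user} in {country}")

    for r in matches:                       # any one active row is enough to suppress
        if is_active(r, alert_time):
            return Decision(True, f"excluded until {r['valid_until']} ({r['country'].strip().upper()})")

    dates = ", ".join(repr(r.get("valid_until")) for r in matches)
    return Decision(False, f"exclusion(s) for {user} in {country} expired or malformed: {dates}")


if __name__ == "__main__":
    now = datetime(2025, 6, 1, 10, 0, tzinfo=timezone.utc)
    for u, c in [("alice@example.com", "es"), ("bob@example.com", "ES"),
                 ("carol@example.com", "FR"), ("dave@example.com", "DE"), ("eve@example.com", "ES")]:
        print(u, c, evaluate_exclusion(u, c, now))
```

In a playbook this would sit behind the GoogleChronicle Data table action (the rows come from the action's JSON result instead of `EXCLUSION_ROWS`), and a `suppress=True` decision would drive a conditional branch that closes the case; in a connector it would run before the alert is created. The `reason` string is there to be written to the case so an analyst can see why an alert was dropped.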