
Dynamic listing in SIEM/SOAR

  • September 16, 2025
  • 2 replies
  • 41 views

rjosende

Hello,


Let me add some context: 
I have an exclusion list that includes the user, the country where the exception will apply, the date until which the exclusion will be valid, and another field that automatically indicates whether it has expired or is still valid, without having to keep track of the date and modify it manually (and to prevent it from becoming obsolete).

What I need is for the tool to somehow go to the document when the alert is triggered, review the user, and check the value to see if the exclusion has expired or is still valid. I haven't seen a way to integrate this list into the playbooks or the rule syntax itself in Chronicle.

Does anyone have any information about this or has encountered the same problem?

2 replies

ylandovskyy
Staff
  • September 16, 2025

Hey @rjosende,


If the goal is to have this as part of the automated response, then this sounds like a use case for Data tables. Here is the relevant guide.

If the goal is to prevent the alert from being triggered, unfortunately, I don’t have a solution for that.

If the goal is to prevent the alert from being ingested as a SOAR Alert, then it should be doable with custom changes to the connector, but it's going to be a pretty big change as it will require you to check the associated user of the alert and then query data tables to make a decision.

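The decision logic described in the reply above (look up the alert's user in the exclusion table, then decide from the expiry date alone whether the exclusion still applies) as an added, stand-alone example. This is not Google SecOps/Chronicle code and not a real data table query or SOAR action; the column names `user`, `country`, `valid_until`, the `*` country wildcard, the `alert` dict shape and the sample rows are all assumptions modelled on the question. It shows the point the asker wants: the valid/expired field is computed at check time, so nobody has to update it by hand, and a row with an unparseable date never suppresses an alert.

```python
"""Exclusion check for an alert against a user/country/expiry table.

Added example, not Google SecOps/Chronicle code. Column names, the '*'
wildcard and the alert shape are assumptions modelled on the forum question.
"""
from datetime import date, datetime, timezone

# Constructed sample rows standing in for a data table export (assumed schema).
EXCLUSIONS = [
    {"user": "alice@example.com", "country": "ES", "valid_until": "2025-12-31"},
    {"user": "bob@example.com",   "country": "PT", "valid_until": "2025-06-30"},
    {"user": "carol@example.com", "country": "*",  "valid_until": "2026-03-01"},
    {"user": "dave@example.com",  "country": "DE", "valid_until": "not-a-date"},
]

# Constructed "check time" used by the demo run below (the thread's date, UTC).
NOW = datetime(2025, 9, 16, tzinfo=timezone.utc)


def exclusion_status(row, now):
    """Compute the 'valid' / 'expired' field at check time instead of storing it.

    An unparseable or missing date counts as 'invalid' so a bad row can never
    suppress an alert (fail towards alerting, not towards silence).
    """
    try:
        valid_until = date.fromisoformat(row["valid_until"])
    except (KeyError, TypeError, ValueError):
        return "invalid"
    # Inclusive: the exclusion still applies on its last day (dates in UTC).
    return "valid" if now.date() <= valid_until else "expired"


def find_exclusion(exclusions, user, country, now):
    """Return the first still-valid row matching user and country, else None.

    User match is case-insensitive. A row country of '*' is an assumed
    wildcard meaning 'any country'.
    """
    for row in exclusions:
        if row.get("user", "").lower() != user.lower():
            continue
        if row.get("country") not in ("*", country):
            continue
        if exclusion_status(row, now) == "valid":
            return row
    return None


def decide(alert, exclusions, now=None):
    """Playbook-style decision for one alert.

    `alert` is a dict with 'user' and 'country' (constructed shape, not a real
    SOAR alert object). Returns whether to suppress the alert and why.
    """
    now = now or datetime.now(timezone.utc)
    row = find_exclusion(exclusions, alert["user"], alert["country"], now)
    if row is None:
        return {"suppress": False, "reason": "no valid exclusion"}
    return {
        "suppress": True,
        "reason": f"excluded until {row['valid_until']} for country {row['country']}",
    }


if __name__ == "__main__":
    for user, country in [("alice@example.com", "ES"), ("bob@example.com", "PT"),
                          ("carol@example.com", "FR"), ("alice@example.com", "FR"),
                          ("dave@example.com", "DE")]:
        print(user, country, decide({"user": user, "country": country}, EXCLUSIONS, NOW))
```

In a playbook this would sit in a custom action after the rows have been fetched (for example via the data table action the next reply mentions), with `decide` driving the branch that closes or continues the alert; the expiry date is the only thing anyone maintains in the table.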

masterdisruptor

Hi @rjosende, I'd say that @ylandovskyy's suggestion is spot on. If you need to somehow handle them within a SOAR playbook, you may consider using the GoogleChronicle integration, which already has the action to interact with Data tables.

If this is still not enough, you could write your own integration/action.