
Hi folks,
I have created an entity insight for an IP Address entity, if the enrichment process of IP finds it to be suspicious. However, later on, if the IP is marked as non-suspicious, I would like to delete this insight, or maybe edit it.
Is this possible? I could not find any action (via SDK, code, or even UI) that supports an edit/delete action on entity insights.
Thanks.

Unfortunately, you're correct. As of right now, Google Chronicle SecOps SOAR doesn't offer a direct way to edit or delete entity insights through the UI, SDK, or code.

Here's why this is a challenge and some potential workarounds:

  • Entity Insights are Immutable: Entity insights are designed to provide a historical record of an entity's state at a specific point in time. Modifying or deleting them could disrupt this record and potentially hinder investigations.
  • No Direct API Endpoints: The current SOAR API doesn't include specific endpoints for managing entity insights directly.

Possible Workarounds:

  1. Overwrite with New Insights: You could create a new entity insight with the updated "non-suspicious" information. While the old insight will still exist, the newer one will likely be prioritized in the UI, effectively overriding the old information.

  2. Time-Based Expiration: When creating the initial "suspicious" insight, include a time-to-live (TTL) value. This will automatically remove the insight after the specified duration, ensuring that outdated information doesn't persist.

  3. Custom Playbook: Develop a playbook that automatically updates or removes entity insights based on specific conditions or triggers. This would require some custom scripting and integration with the SOAR API, but it could automate the process.

  4. Feature Request: Submit a feature request to Google Chronicle. Explain your use case and the need for editing or deleting entity insights. This can help prioritize the development of such functionality in future releases.

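Workaround 1 (supersede rather than edit) in practice, as an added example that is not from this thread or from Google's SDK: every enrichment run appends a new insight carrying a machine-readable verdict line, and a small resolver reads the newest one so a playbook can tell the current state despite the old insight still existing. The tagged message format, the `entity.identifier` attribute and the `add_entity_insight` call signature are assumptions.

```python
import re
from datetime import datetime, timezone

# Assumed convention: first line of the insight text is a parseable verdict tag.
VERDICT_RE = re.compile(r"^\[verdict:(suspicious|clean) at=(\S+)\]", re.MULTILINE)


def build_verdict_insight(ip, verdict, reason, when=None):
    """Compose insight text that a later playbook can parse unambiguously."""
    if verdict not in ("suspicious", "clean"):
        raise ValueError("verdict must be 'suspicious' or 'clean'")
    when = when or datetime.now(timezone.utc)
    stamp = when.strftime("%Y-%m-%dT%H:%M:%SZ")  # fixed width, so strings sort by time
    return f"[verdict:{verdict} at={stamp}]\nIP {ip}: {reason}"


def current_verdict(insight_texts):
    """Return the most recent tagged verdict; untagged insights are ignored."""
    best = None
    for text in insight_texts:
        m = VERDICT_RE.search(text)
        if not m:
            continue
        verdict, stamp = m.group(1), m.group(2)
        if best is None or stamp > best[1]:
            best = (verdict, stamp)
    return best[0] if best else None


def publish_verdict(siemplify, entity, verdict, reason):
    """Append the superseding insight through the SDK (signature assumed)."""
    text = build_verdict_insight(entity.identifier, verdict, reason)
    siemplify.add_entity_insight(entity, text, triggered_by="IP enrichment")
    return text


if __name__ == "__main__":
    # Constructed sample: an old 'suspicious' insight followed by a 'clean' re-check.
    old = build_verdict_insight("203.0.113.7", "suspicious", "listed on a blocklist",
                                datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc))
    new = build_verdict_insight("203.0.113.7", "clean", "delisted on re-check",
                                datetime(2024, 5, 3, 9, 0, tzinfo=timezone.utc))
    print(current_verdict([old, new, "free-text insight without a tag"]))  # clean
```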

Got it! Thanks.

