Hey @preet_mehta,
There is an action called "Create Or Update Entity Properties", which allows you to add custom properties onto the SOAR entities from any data. In your case, you can use information from the event and push it onto the entity.
Would that solve your problem?
Hi, let me have a look into this. However, is there a possibility that we add properties into entities directly from the SIEM rules?
Thanks.
Answer with lots of bits for other people who read in the future:
i) Keys you put in Meta appear in SOAR as [Alert.], keys you put in outcome should appear in [Event.]
The first approach to putting this into an Entity is the ontology page:
Open a case -> Alert -> Events tab -> in the single Event press the gear icon -> "Event Configuration" page -> Mapping section
From here, find the Entity type (e.g. SourceAddress) row -> three dot icon -> Add Enrichment
This will associate any Event.Keys to the [Entity.keys]
Remember, do this as far 'left' as possible in the ontology for scalability.

ii) As Yuriy mentioned, we have many Actions in the "Enrichment" powerup in the marketplace, each allows different ways to get the key value defined.
Though I've never used it, "From Event Field" should allow you to do this
Or potentially another route using 'Enrich Entity From JSON'
HTH?
This is very helpful, thanks.