Skip to main content
Solved

Enrich Entity Data in SOAR using rules in SIEM

  • March 6, 2025
  • 4 replies
  • 58 views
P
Forum|alt.badge.img+7

Hi folks,
I am ingesting an alert created in SecOps SIEM into SOAR using Google Chronicle connector.  I have noticed that when add a variable in the outcome section of the rule, then it is visible in the event details part in SOAR alert with the name "detection_outcomes_{outcome_varname}".

Now, is it possible to edit the rule in such a manner that instead of event details, the variable is shown in the entity details page in SOAR, so I can extract this using "entity.additional_properties.get({varname})" ?

Best answer by SoarAndy

Answer with lots of bits for other people who read in the future:

i) Keys you put in Meta appear in SOAR as [Alert.], keys you put in outcome should appear in [Event.]

The first approach to putting this into an Entity it the ontology page:
Open a case -> Alert-> Events tab -> in the single Event press the gear icon-> "Event Configuration" page-> Mapping secion

From here, find the Entity type (e.g. SourceAddress) row -> three dot icon -> Add Enrichment

This will associate any Event.Keys to the [Entity.keys]

Remember, do this as far 'left' as possible in the ontology for scalability.

ii) As Yuriy mentioned, we have many Actions in the "Enrichment" powerup in the marketplace, each allow different ways to get the key value defined.

Though I've never used it, "From Event Field" should allow you to do this

Or potentially another route using 'Enrich Entity From JSON'

HTH?

 

4 replies

ylandovskyy
Staff
Forum|alt.badge.img+16
  • ylandovskyy
  • Staff
  • March 6, 2025

Hey @preet_mehta,

There is an action called "Create Or Update Entity Properties", which allows you to add custom properties onto the SOAR entities from any data. In your case, you can use information from the event and push it onto the entity. 

Would that solve your problem? 

P
Forum|alt.badge.img+7
  • preet_mehtaBronze 5
  • Author
  • Bronze 5
  • March 7, 2025

Hey @preet_mehta,

There is an action called "Create Or Update Entity Properties", which allows you to add custom properties onto the SOAR entities from any data. In your case, you can use information from the event and push it onto the entity. 

Would that solve your problem? 


Hi, let me have a look into this. However, is there a possibility that we add properties into entities directly from the SIEM rules ?

Thanks.

SoarAndy
Staff
Forum|alt.badge.img+12
  • SoarAndy
  • Staff
  • Answer
  • March 7, 2025

Answer with lots of bits for other people who read in the future:

i) Keys you put in Meta appear in SOAR as [Alert.], keys you put in outcome should appear in [Event.]

The first approach to putting this into an Entity it the ontology page:
Open a case -> Alert-> Events tab -> in the single Event press the gear icon-> "Event Configuration" page-> Mapping secion

From here, find the Entity type (e.g. SourceAddress) row -> three dot icon -> Add Enrichment

This will associate any Event.Keys to the [Entity.keys]

Remember, do this as far 'left' as possible in the ontology for scalability.

ii) As Yuriy mentioned, we have many Actions in the "Enrichment" powerup in the marketplace, each allow different ways to get the key value defined.

Though I've never used it, "From Event Field" should allow you to do this

Or potentially another route using 'Enrich Entity From JSON'

HTH?

 

P
Forum|alt.badge.img+7
  • preet_mehtaBronze 5
  • Author
  • Bronze 5
  • March 7, 2025

Answer with lots of bits for other people who read in the future:

i) Keys you put in Meta appear in SOAR as [Alert.], keys you put in outcome should appear in [Event.]

The first approach to putting this into an Entity it the ontology page:
Open a case -> Alert-> Events tab -> in the single Event press the gear icon-> "Event Configuration" page-> Mapping secion

From here, find the Entity type (e.g. SourceAddress) row -> three dot icon -> Add Enrichment

This will associate any Event.Keys to the [Entity.keys]

Remember, do this as far 'left' as possible in the ontology for scalability.

ii) As Yuriy mentioned, we have many Actions in the "Enrichment" powerup in the marketplace, each allow different ways to get the key value defined.

Though I've never used it, "From Event Field" should allow you to do this

Or potentially another route using 'Enrich Entity From JSON'

HTH?

 


This is very helpful, thanks.

Terms & ConditionsCookie settingsAccessibility statement
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.