In Google SecOps SOAR playbooks, when I am trying to enrich IP/domain, all the IPs/Domains are being enriched.
I don't see any option to use a particular IP in the Enrich IP action of the VirusTotalV3 integration.
How can we enrich only desired IPs?
So we have a couple ways you can further refine enrichment while using the VT integration:
- Define “networks” within the SOAR. This will differentiate internal vs external IPs/hostnames. You often don’t want to enrich internal IPs and hosts as they’re hopefully not malicious :) https://cloud.google.com/chronicle/docs/soar/admin-tasks/configuration/manage-networks
- If that doesn’t refine it enough, you’re going to want to use the “Enrich IOC” action. This will allow you to choose and provide indicators for enrichment, rather than using entities. https://cloud.google.com/chronicle/docs/soar/marketplace-integrations/virustotal-v3#enrich_ioc
-mike
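The selection logic from the answer above, as an added Python example that is not part of the thread or of the VirusTotal integration: it drops candidates that fall inside the defined internal networks and returns only the remaining external IPs as an explicit indicator list. The function names, the CIDR list and the sample inputs are constructed for illustration, and the comma-separated output format is an assumption about how the list would be handed to an action parameter.

```python
import ipaddress

# Constructed stand-in for the "networks" defined in the SOAR (assumed CIDRs).
INTERNAL_NETWORKS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fd00::/8"]


def is_internal(ip, networks):
    """True when ip falls inside any of the defined internal networks."""
    return any(ip.version == net.version and ip in net for net in networks)


def select_external_ips(candidates, internal_cidrs=INTERNAL_NETWORKS):
    """Return (selected, skipped): external IPs to enrich, and why others were dropped."""
    nets = [ipaddress.ip_network(c, strict=False) for c in internal_cidrs]
    selected, skipped, seen = [], [], set()
    for raw in candidates:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            # Hostnames and malformed values are not sent to an IP lookup.
            skipped.append((raw, "not an IP address"))
            continue
        if ip in seen:
            continue  # the same address is only looked up once
        seen.add(ip)
        if is_internal(ip, nets):
            skipped.append((raw, "internal network"))
        elif not ip.is_global:
            # Loopback, link-local and similar ranges have no external reputation.
            skipped.append((raw, "non-routable"))
        else:
            selected.append(str(ip))
    return selected, skipped


def to_ioc_parameter(selected):
    """Join the selected IPs into one string (assumed comma-separated format)."""
    return ",".join(selected)


if __name__ == "__main__":
    # Constructed sample of entity identifiers from an alert.
    sample = ["10.1.2.3", "8.8.8.8", " 8.8.8.8 ", "evil.example", "127.0.0.1", "1.1.1.1"]
    chosen, dropped = select_external_ips(sample)
    print(to_ioc_parameter(chosen))
    for value, reason in dropped:
        print(f"skipped {value!r}: {reason}")
```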
Adding a third option: entity selection action allows you to define your own logic for a group or specific entity. This action creates an entity scope in the dropdown for you to use in future actions.