Question

Google SecOps Environments

  • May 14, 2026
  • 1 reply
  • 23 views

Roni11

Hi,

I'm struggling to get cases into the right Environments in Google SecOps.

I have my environments defined in the SOAR settings, and I’ve set the Ingestion Label and Namespace correctly in the feeds. I also configured the Chronicle Alerts connector to use a UDM field that carries the environment name, but for some reason, all cases still land in the "Default Environment."

I've already tried swapping fields in the connector but no luck. Is there something specific about how the connector parses UDM fields for environment mapping that I might be missing?

Any advice would be appreciated!

Thanks 

1 reply

hliu
  • New Member
  • May 14, 2026

In the SOAR connector setting, the value in ‘Environment Field Name’ must be flattened.

The connector applies some flattening method on the retrieved alert events with JSON structure, using the underscore (_) as the delimiter.


Let’s say in the rule meta section we’ve defined a soar_environment field.
The retrieved alert would have something like this:
{"detection":{"ruleLabels":{"soar_environment": "test"}}}

In the SOAR connector setting ‘Environment Field Name’ we should use the flattened value detection_ruleLabels_soar_environment.

If the connector doesn’t get any value, it reverts back to ‘Default Environment’.

Detection fields for reference.
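
An added example, not part of the reply above and not the connector's own code: a sketch of underscore-delimited flattening that can be run over an exported alert to see which flattened key to put in 'Environment Field Name'. The function names, the index-based handling of arrays and the empty-value fallback are assumptions of this sketch; only the delimiter, the sample JSON and the 'Default Environment' fallback come from the reply.

```python
import json

DEFAULT_ENVIRONMENT = "Default Environment"  # fallback named in the reply


def flatten(obj, prefix="", sep="_"):
    """Flatten nested JSON into a single dict whose keys are joined with sep."""
    flat = {}
    if isinstance(obj, dict):
        items = obj.items()
    elif isinstance(obj, list):
        # Assumption: arrays are addressed by position (the page does not say).
        items = ((str(i), v) for i, v in enumerate(obj))
    else:
        flat[prefix] = obj  # leaf value
        return flat
    for key, value in items:
        name = f"{prefix}{sep}{key}" if prefix else str(key)
        flat.update(flatten(value, name, sep))
    return flat


def resolve_environment(alert, field_name):
    """Return the environment for an alert, or the default when the lookup misses."""
    value = flatten(alert).get(field_name)
    if value is None or str(value).strip() == "":
        return DEFAULT_ENVIRONMENT
    return str(value)


def candidate_fields(alert, needle):
    """List flattened keys containing needle (case-insensitive) for troubleshooting."""
    return sorted(k for k in flatten(alert) if needle.lower() in k.lower())


# Sample alert taken from the reply above.
SAMPLE_ALERT = json.loads('{"detection":{"ruleLabels":{"soar_environment": "test"}}}')

if __name__ == "__main__":
    print("Flattened keys:", candidate_fields(SAMPLE_ALERT, "environment"))
    for name in ("detection_ruleLabels_soar_environment",   # flattened path
                 "soar_environment",                         # bare label name
                 "detection.ruleLabels.soar_environment"):   # dotted path
        print(f"{name!r} -> {resolve_environment(SAMPLE_ALERT, name)!r}")
```

In this sketch the bare label name and the dotted path both miss the lookup and return the default, which matches the symptom described in the question.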