I am aware that we can include the artifacts like source IP's to the case but what I want to know is cant we attach the exact events we need to a case? For example, we do a threat hunt and we found some suspicious events. Is there a way to attach these suspicious events into a case?
Thanks
How to attach events to case in Google SecOps SOAR?
+1
+12There is no way to create additional 'Events' in the platform to accompany the events created during original alert ingestion.
However using the case wall you can attach files, text, formatted tables, and you can add entities. These are some of the workflows to support an analyst in their investigation.
You can also combine these: upload CSV to the case wall, then run additional playbook that parses casewall objects to extract strings and turn them into Entities. Building this playbook would depend on how the data is structured AND what you want to do with it from an automated standpoint.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.