Google Security Operations

Hello All, How can I use headers for Case Description? tired markup did not worked. I tried like "### Case Overview". thanks

In the documentation it seems that the arrays.contains function can be used like the following, arrays.contains($asset_id_list, "id_1234")Is it possible to use the function with two variables so I can compare the list with a value in a UDM field?The following code snippet shows a possible use case for this scenario: rule Example_rule_for_arrays { meta: author = "amalone" description = "Look for a spike in failed logins for a User account followed by a successful login from an IP address associated with a fail" severity = "Low" events: $fail.metadata.event_type = "USER_LOGIN" $fail.security_result.summary = /Failed/ nocase $fail.target.user.userid = $user $success.metadata.event_type = "USER_LOGIN" $success.security_result.summary = /Success/ nocase $success.target.user.userid = $user $fail.metadata.event_timestamp.seconds <= $success.metadata.event_timestamp.seconds match: $user over 2d outcome: $Total_Fai

Is there any way in Yara-L to check if a UDM field contains a substring of another UDM field? The following example shows a use case for this and the question I am trying to ask of the data: rule variable_testing {meta:  author = "amalone"  description = "Test to see if we can find a substring of one UDM field inside another udm field"    severity = "Low"events:  $file.metadata.event_type = "FILE_MODIFICATION"  $file.principal.hostname = $hst  // Get the name of the file involved in the file modification  $fileName = re.capture($file.target.file.full_path, `(?:\\\\|\\/)([^\\/\\\\]+)$`)      $launch.metadata.event_type = "PROCESS_LAUNCH"  $launch.principal.hostname = $hst   /* 

Hey @Tomtomfridman , approval links got broken somehow. Is that a known issue? View files in slack

Hi all, I'm making my first connector. I must be misunderstanding something, but how do I prevent the connector from making duplicate investigations?

Hi Team, Looking for guidance creating customers in chronicle siem using the api. Can't seem to get it working.

Hi, all! We're still working on the details, but I wanted to share a cool non-security alert automation my team is working on using Chronicle SOAR. We've got a very busy 24/7/365 SOC with 20+ analysts/analyst interns, and we also have a very permissive PTO policy (Our SOC's motto is "People First; Mission Always". We don't track PTO and encourage frequent time off to protect against burn out.) Managing that can get pretty crazy, so one of our senior analysts developed a form using Google Sheets/Google Studio to manage PTO requests. After submission, the form sends an email to our monitoring inbox which creates a Chronicle SOAR case/alert with the basic details of the request and sends a notification to our Sr Analyst Slack channel (where most of our comms occur). We're just getting started on this playbook and will eventually add a lot more functionality, but this was a cool use case that I thought I'd share. View files in slack

Hi All, I was wondering if the Demo has the 'Enterprise insights' feature

Hi, All! currently these entity types are supported https://documents.siemplify.co/en/articles/158-what-entity-types-do-we-support , anyone know how we can create new entity types? for example EmailAddress would be one I would be interested to create. thanks in advance

Hello Team, looking for guidance on how to make a copy of an already existing playbook in our default environment.

Does anyone have any advice on how you could create a dashboard to see the average amount of time between the initial log time and a detection firing based off of that log? If possible I would like to see the distributions of time based on log source as well.

Does anybody know a way to get the creation date of an Entity? Also, if it has isEnriched set to True, can we get anyhow the date, the last enrichment happened?

Hey guys, was wondering, how can I control the outcome of the playbook in case that "Multi-Choice Question" using Approval Links is not getting answered under the given time (For example 5 minutes)? View files in slack

Another question, when I decline an action using Approval Links, this is the response I see in the playbook flow. The question is, how I can set a condition for that state? is_success = false isn't working. View files in slack

Hello All, can we make an entity out fields which are already coming with alerts of Cases, for example I have an alerts where I want to make the recepient email an entity and go further, wondering how to proceed with it. some guidance would be appreciated. thanks

Has anyone had any success getting the Duo Connector for the Duo Integration to work on 6.2.2.1 or 5.6.4.520?

Hi all, is there a way to make it so that "generic" alerts from a connector are attached as events to the actual triggering alert? Thanks!

Any way to escape Siemplify treating it as a placeholder? View files in slack

@Lokesh_Dachepal If you don't want to use a SIEM product, you can always do Windows event forwarding to get all logs to a centralized place. https://learn.microsoft.com/en-us/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection#bkmk-appendixc

Hey guys, I am facing difficulties trying to wait for a reply on Slack Question I executed in the playbook. It seems like the question is sent and there is no way of getting anything to rely on it but it being sent. Suggestion on a solution or alternatives would be highly appreciated.

Hi, How SOAR playbook will identify the credentials of a particular machine and do the remidiation; If we need to store the credentials somewhere in the phantom - Where we neeed to store them.

Hey all, how can I pass the entire event json to a block im calling? (What is the placeholder)

Hello all, I'm setting up a new integration and connector and was wondering if anyone could explain how to run an option for capturing old alerts after it's done? Essentially a lookback window? If so, is the methodology specific to each integration or is there a generalized process? Thanks in advance!

Have Remote Agents been tested on CentOS 8 or is there a hard requirement for CentOS 7?

Hello, I'm trying to export one playbook from my Siemplify Community Cloud instance. I see in the documentation that it is possible to export a playbook through an API call but it seems that I can't do it with a community version. Am I wrong ?If someone has a solution it would be great.Thanks