Question

Ingested alerts to a specific environment

  • March 6, 2026
  • 3 replies
  • 18 views

vanitharaj1208

Hi All,

How do I ingest specific alerts into specific environments (instead of the default environment; I need to segregate them based on alerts/events) in the Google Chronicle connector?


3 replies

matthewnichols
Community Manager
  • March 6, 2026

Hi @vanitharaj1208, can you please share some more info? What type of environments? Use case(s)? Thanks


Mufa_shah
  • Bronze 2
  • March 6, 2026


@matthewnichols, basically she is asking:

How can we route or control alerts originating from the same source in (Google Chronicle) so they are directed to different environments based on specific criteria?


For example:

Alert Type A → Route to LogStory environment
Alert Type B → Route to Cymbal environment


Key Questions:

Is it possible to filter and route alerts based on attributes such as alert type, severity, rule name, or other fields to specific environments?

Is there an “Environment Regex” or similar filtering mechanism that supports conditional routing of ingested alerts?

Would this require multiple connector instances (one per environment) configured with different filters, or can a single connector dynamically route alerts to different environments based on defined logic?


matthewnichols
Community Manager

Hi @Mufa_shah, thanks for the context. @vanitharaj1208 and @Mufa_shah, this comes from Gemini, so please double check the content of the response. Please let me know if this answers your question or helps you find the answers you were looking for.


Is it possible to filter and route alerts to specific environments?

Yes, but the "how" depends on where the alert is originating.

  • For Ingested Alerts (External SIEM/EDR): You can route alerts using Environment Extraction settings within the connector configuration. Google SecOps allows you to define the environment based on fields within the alert payload (e.g., alert_type, vendor, or a custom tag).

  • For Chronicle-Native Alerts (YARA-L): If you are generating alerts inside Chronicle using YARA-L and want them to appear in specific SOAR environments, you typically use a Google Chronicle - Chronicle Alerts connector.

Is there an "Environment Regex" or filtering mechanism?

Yes. Within the connector settings in the SOAR (Cases) side of the platform, there are specific fields designed for this:

  • Environment Field Name: You specify the JSON field in the incoming alert that contains the environment identifier.

  • Environment Regex Pattern: You can apply a RE2-compliant regex to that field. For example, if a field contains prod-LogStory-01, your regex can extract LogStory and map it to the "LogStory" environment.

  • Static Mapping: If the regex result matches an existing Environment name in Google SecOps, the alert is automatically routed there.

Single vs. Multiple Connector Instances?

Both approaches are valid, but they serve different architectural needs:

  • Single Connector (Dynamic): Best if the alert source (like a master SIEM or a centralized Pub/Sub) sends alerts for all environments in one stream. You use the Environment Regex mentioned above to split them dynamically.

  • Multiple Connectors (Filtered): Best if you want strict isolation or if the sources are physically different. You can use a Dynamic List Filter on each connector instance.

    • Instance 1: Filter RuleName = "LogStory_Rules" → Environment: LogStory

    • Instance 2: Filter RuleName = "Cymbal_Rules" → Environment: Cymbal

 

Feature     | Dynamic Routing (Single Connector)             | Filtered Routing (Multiple Connectors)
Mechanism   | Environment Regex Pattern field.               | Dynamic List Filter + Static Env setting.
Best For    | High-volume, unified streams.                  | Segmented sources or strict RBAC needs.
Logic       | Extracted from alert data via Regex.           | Hardcoded per connector instance.
Flexibility | High (handles new environments automatically). | Low (requires new instance per environment).
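To make the two options in the reply above concrete, here is an added Python model of the routing decision. It is not Google's connector code and nothing in the thread documents the connector's internals: the alert field names (tags, rule_name), the list of existing environments, and the assumption that every failed lookup (field missing, regex not matching, extracted name not an existing environment) lands in the connector's default Environment are all assumptions made for the example. The sample alerts are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Constructed sample alert payloads standing in for what a connector would
# pull from Chronicle. Field names are assumptions, not the real schema.
SAMPLE_ALERTS: List[dict] = [
    {"id": "a1", "rule_name": "LogStory_Rules", "tags": "prod-LogStory-01"},
    {"id": "a2", "rule_name": "Cymbal_Rules", "tags": "prod-Cymbal-07"},
    {"id": "a3", "rule_name": "Shared_Rules", "tags": "staging-shared"},
    {"id": "a4", "rule_name": "LogStory_Rules"},                        # tags field absent
    {"id": "a5", "rule_name": "Shared_Rules", "tags": "prod-Acme-03"},  # no such environment
]

# Environments assumed to exist in the SOAR tenant (assumption for the example).
KNOWN_ENVIRONMENTS: FrozenSet[str] = frozenset({"Default Environment", "LogStory", "Cymbal"})


@dataclass(frozen=True)
class ConnectorConfig:
    """Subset of connector settings this model cares about (names are illustrative)."""
    name: str
    default_environment: str                      # connector's static Environment
    environment_field_name: Optional[str] = None  # Environment Field Name
    environment_regex: Optional[str] = None       # Environment Regex Pattern (RE2-safe)
    filter_field: Optional[str] = None            # stands in for a Dynamic List filter
    filter_values: FrozenSet[str] = frozenset()


def resolve_environment(alert: dict, cfg: ConnectorConfig) -> str:
    """Dynamic routing: field -> regex capture -> existing environment, else default.

    Assumed fall-back: a missing field, a non-matching regex, or an extracted
    name that is not an existing environment all send the alert to the
    connector's default environment, so a bad regex silently floods the
    default environment instead of dropping alerts.
    """
    if cfg.environment_field_name is None:
        return cfg.default_environment
    value = alert.get(cfg.environment_field_name)
    if value is None:
        return cfg.default_environment
    candidate = str(value)
    if cfg.environment_regex is not None:
        match = re.search(cfg.environment_regex, candidate)
        if match is None:
            return cfg.default_environment
        # Use the first capture group if there is one, otherwise the whole match.
        candidate = match.group(1) if match.groups() else match.group(0)
    return candidate if candidate in KNOWN_ENVIRONMENTS else cfg.default_environment


def passes_filter(alert: dict, cfg: ConnectorConfig) -> bool:
    """Filtered routing: only alerts whose filter field is on the list are ingested."""
    if cfg.filter_field is None:
        return True
    return alert.get(cfg.filter_field) in cfg.filter_values


def route(alerts: List[dict], cfg: ConnectorConfig) -> Dict[str, str]:
    """Map alert id -> environment for the alerts this connector instance ingests."""
    return {a["id"]: resolve_environment(a, cfg) for a in alerts if passes_filter(a, cfg)}


def unrouted(alerts: List[dict], configs: List[ConnectorConfig]) -> List[str]:
    """Alert ids that no configured connector instance would ingest at all."""
    seen = set()
    for cfg in configs:
        seen.update(route(alerts, cfg))
    return [a["id"] for a in alerts if a["id"] not in seen]


# Option 1: one connector, the regex splits the stream. The pattern uses no
# lookaround or backreferences, so it is valid under RE2 as well as Python's re.
DYNAMIC = ConnectorConfig(
    name="single-dynamic",
    default_environment="Default Environment",
    environment_field_name="tags",
    environment_regex=r"^prod-([A-Za-z]+)-\d+$",
)

# Option 2: one instance per environment, each with a hard-coded environment and a filter.
LOGSTORY_INSTANCE = ConnectorConfig(
    name="instance-logstory", default_environment="LogStory",
    filter_field="rule_name", filter_values=frozenset({"LogStory_Rules"}),
)
CYMBAL_INSTANCE = ConnectorConfig(
    name="instance-cymbal", default_environment="Cymbal",
    filter_field="rule_name", filter_values=frozenset({"Cymbal_Rules"}),
)

if __name__ == "__main__":
    print("dynamic:", route(SAMPLE_ALERTS, DYNAMIC))
    for inst in (LOGSTORY_INSTANCE, CYMBAL_INSTANCE):
        print(inst.name, route(SAMPLE_ALERTS, inst))
    print("ingested by no instance:", unrouted(SAMPLE_ALERTS, [LOGSTORY_INSTANCE, CYMBAL_INSTANCE]))
```

Two practical checks fall out of the model. With the single dynamic connector, a3 (no match), a4 (field absent) and a5 (name not an existing environment) all end up in the default environment, so the default environment needs its own triage rather than being treated as empty. With filtered instances, a3 and a5 are ingested by nobody; if strict isolation is the goal, a catch-all instance or a periodic reconciliation against the source is needed so alerts are not lost silently.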