
Is there any way through which we can get the raw logs from Chronicle SIEM back to SOAR?

  • June 25, 2023
  • 5 replies
  • 67 views


Hey Team, is there any way through which we can get the raw logs (not UDM mapped) from Chronicle SIEM back to SOAR? Something like a reverse search from SOAR to SIEM, or anything else, as we only have the mapped fields available in SOAR. Thank you

5 replies

  • Staff
  • July 3, 2023

Hi @Suraj_R, can you please tell me which use case you are using this for?


mccrilb
  • Silver 2
  • July 3, 2023

I can think of one that we have for a use case.

Email-generated alerts or API alerts from tools that we pull into the SOAR, to then forward into the SIEM for other event correlation, would be very useful.

  • New Member
  • February 20, 2024

You can use a custom action and pass the metadata.id field from the event. This will return a base64-encoded format, which you can later decode.

https://cloud.google.com/chronicle/docs/reference/search-api#getlog


severinsimko
Staff

For this ("Something like a reverse search from SOAR to SIEM or anything else") you can also use an out-of-the-box action within the Chronicle integration called Execute UDM Query, which allows you to execute queries from SOAR into Chronicle SIEM and get back results.
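Putting the two suggestions above together (the UDM query that returns mapped events with a metadata.id, and the getlog call that returns the base64-encoded raw log for that id), here is an added example of the core of such a custom action. This is not code from the thread or from Google's Chronicle integration. The endpoint path `/v1/log`, the query parameter `id`, and the response field `data` are assumptions used as placeholders; check them against the Search API reference linked above before using this. The HTTP transport is injected so the logic runs offline against a constructed sample.

```python
import base64
import binascii
from typing import Any, Callable, Dict
from urllib.parse import parse_qs, urlencode, urlparse

# --- ASSUMPTIONS: placeholder endpoint shape, not taken from the linked reference ---
DEFAULT_BASE_URL = "https://backstory.googleapis.com"
GETLOG_PATH = "/v1/log"        # ASSUMPTION: confirm the real "get log" path
LOG_ID_PARAM = "id"            # ASSUMPTION: confirm the real query parameter name
RESPONSE_DATA_FIELD = "data"   # ASSUMPTION: confirm the field holding the base64 body


def event_id_from_udm(udm_event: Dict[str, Any]) -> str:
    """Pull metadata.id out of a UDM event as returned by a UDM query."""
    try:
        event_id = udm_event["metadata"]["id"]
    except (KeyError, TypeError) as exc:
        raise ValueError("UDM event has no metadata.id") from exc
    if not isinstance(event_id, str) or not event_id:
        raise ValueError("metadata.id is empty")
    return event_id


def build_getlog_url(log_id: str, base_url: str = DEFAULT_BASE_URL) -> str:
    """Build the getlog request URL; the id is URL-encoded, never concatenated raw."""
    if not log_id:
        raise ValueError("log id is required")
    return f"{base_url.rstrip('/')}{GETLOG_PATH}?{urlencode({LOG_ID_PARAM: log_id})}"


def decode_raw_log(response: Dict[str, Any]) -> str:
    """Decode the base64 log body from a getlog JSON response."""
    encoded = response.get(RESPONSE_DATA_FIELD)
    if not isinstance(encoded, str) or not encoded:
        raise ValueError(f"response carries no '{RESPONSE_DATA_FIELD}' field")
    try:
        raw = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("log body is not valid base64") from exc
    # Raw logs are not guaranteed to be UTF-8; replace bad bytes rather than crash.
    return raw.decode("utf-8", errors="replace")


def fetch_raw_log(udm_event: Dict[str, Any],
                  http_get: Callable[[str], Dict[str, Any]],
                  base_url: str = DEFAULT_BASE_URL) -> str:
    """The action's core: UDM event -> metadata.id -> getlog -> decoded raw log."""
    url = build_getlog_url(event_id_from_udm(udm_event), base_url)
    return decode_raw_log(http_get(url))


# --- Constructed sample data for offline use (not real Chronicle output) ---
SAMPLE_RAW_LOG = ("<13>Jun 25 10:15:32 fw01 kernel: DROP IN=eth0 "
                  "SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=445")
SAMPLE_EVENT_ID = "AAAAAAQ1hKp3RSS2d9bMGO4ZJHg"  # made-up metadata.id
SAMPLE_UDM_EVENT = {
    "metadata": {"id": SAMPLE_EVENT_ID, "event_type": "NETWORK_CONNECTION"},
    "principal": {"ip": ["203.0.113.7"]},
    "target": {"ip": ["192.0.2.10"], "port": 445},
}


def fake_http_get(url: str) -> Dict[str, Any]:
    """Offline stand-in for the authenticated HTTP client a real action would use."""
    query = parse_qs(urlparse(url).query)
    if query.get(LOG_ID_PARAM) == [SAMPLE_EVENT_ID]:
        body = base64.b64encode(SAMPLE_RAW_LOG.encode("utf-8")).decode("ascii")
        return {RESPONSE_DATA_FIELD: body}
    return {}  # unknown id: no body, so decode_raw_log raises


if __name__ == "__main__":
    print(fetch_raw_log(SAMPLE_UDM_EVENT, fake_http_get))
```

In a real custom action the UDM event (or just its metadata.id) would come in as an action parameter and the decoded string would be handed back as the action result, with `http_get` replaced by a client that authenticates with the Chronicle service account; the decoding and URL-building logic stays the same.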



@severinsimko yes, but it says "not UDM mapped". The key issue is, we don't always have all the needed info in UDM fields.