Hi everyone! Recently I've configured the Google Chronicle Alerts Connector in order to receive an alert on the SOAR everytime a rule in the SIEM is triggered. Now I need to catch within a playbook some informations that are stored in the meta section of the triggered Yara-L rule. These fields are mapped in chronicle SOAR as something like "detection_1_ruleLabels_1_FIELDNAME". The problem is that the number after "ruleLabels" is not static. For example the field "detection_1_ruleLabels_1_author" could be "detection_1_ruleLabels_7_author" for another alert in the same case. Did anyone know if there is a way to match something like "detection_1_ruleLabels_*_FIELDNAME" in a playbook?
Is there is a way to match something like "detection_1_ruleLabels_*_FIELDNAME" in a playbook?
+5
+9checked with the team, in Q2 plan we should have an update to the Chronicle connector exactly for this issue, to improve mapping and handling capabilities of events
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.