
Has anyone had any luck configuring their event mappings in SOAR for this integration?

Seems every single event type could relate to a different named incident from Defender which makes this rather painful.

With documentation thin on both sides (understandably), I can't help but feel some of us might be mucking through in silence.

Hello,


I have not seen the Defender event types, so I am guessing they contain some dynamic data like a date or unique event ID? If so, using regex look-ahead and look-behind techniques could possibly extract the static portion of the event type.


Using Regex in Ontology mapping: https://cloud.google.com/chronicle/docs/soar/admin-tasks/ontology/create-entities-mapping--modeling#extract-regular-expressions
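As an added illustration of the look-ahead/look-behind idea in the reply above (this is example code, not part of the thread and not Chronicle SOAR's own mapping engine), the block below takes constructed Defender-style event type strings with a dynamic incident id, host and timestamp appended, and uses a look-ahead to keep only the static prefix and look-behinds to pull the incident id and mask the host name. The event type formats, the "Incident <n>" and "on host <name>" conventions, and the placeholder text are assumptions made for the example; the real strings will need their own patterns. Python's `re` module is used so the patterns can be tried offline before entering them in the Ontology mapping UI; confirm that the regex features you rely on are supported there by checking the linked documentation, since look-behind support varies between regex dialects.

```python
import re

# Constructed sample event types (not taken from Defender or the thread): a static
# name followed by dynamic data such as an incident id, a host and a timestamp.
SAMPLE_EVENT_TYPES = [
    "Suspicious PowerShell command line - Incident 48213 [2024-03-01T10:22:15Z]",
    "Suspicious PowerShell command line - Incident 48977 [2024-03-02T08:01:44Z]",
    "Malware detected on host WS-0042 - Incident 50110 [2024-03-02T09:15:00Z]",
    "Malware detected on host SRV-DB01 - Incident 50342 [2024-03-03T11:40:09Z]",
]

# Look-ahead: match the shortest prefix that is followed by " - Incident <digits>",
# so the dynamic suffix is excluded without becoming part of the match.
STATIC_PREFIX = re.compile(r"^.+?(?= - Incident \d+)")
# Look-behind: the digits that follow "Incident ", without capturing the label itself.
INCIDENT_ID = re.compile(r"(?<=Incident )\d+")
# Look-behind: the token that follows "on host ", replaced by a placeholder so two
# alerts of the same kind on different hosts share one event type.
HOST_TOKEN = re.compile(r"(?<=on host )\S+")


def normalize_event_type(raw: str) -> str:
    """Return the static portion of an event type, or the input unchanged when no
    dynamic suffix is recognised (so an unexpected format stays visible, not hidden)."""
    m = STATIC_PREFIX.match(raw)
    static = m.group(0) if m else raw
    return HOST_TOKEN.sub("<host>", static)


def extract_incident_id(raw: str):
    """Return the incident id as a string, or None when the string has none."""
    m = INCIDENT_ID.search(raw)
    return m.group(0) if m else None


def group_by_event_type(raws):
    """Map each normalised event type to the incident ids that produced it."""
    groups = {}
    for raw in raws:
        groups.setdefault(normalize_event_type(raw), []).append(extract_incident_id(raw))
    return groups


if __name__ == "__main__":
    for key, ids in group_by_event_type(SAMPLE_EVENT_TYPES).items():
        print(f"{key!r}: {ids}")
```

Running the block prints two event types instead of four, which is the point: the mapping only needs one entry per static name. Leaving an unrecognised format untouched rather than truncating it is deliberate, so that a new alert shape shows up as a new event type that needs a pattern rather than silently collapsing into an existing one.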


Ah this is useful! Thank you!


Do you know if we're able to delete 'Event Types' in Ontology if they're unused?


Do you mean removing Rule Level "Event Type" entries in a visual family? Then yes. If you have the correct permissions, locate the Event Type entity field (note: make sure you have selected the EventType level in the Mapping page), select the 3-dots menu on the right end of the entry, select edit, and look for the trashcan icon in the bottom left of that modal.


Not so much the rules, but the event types that the rules sit in.


Using a different connector as an example:

In this image, "Unknown event type" is typically the name of the Alert.
ChronicleSOAR -> The name of the detection engine
Connectors -> the product that created TCP/SYN to communicate the alert

Entity extraction configs on the left (Connectors) trickle down to the right (Unknown Event type).

So the more you configure at the top (80%), the less you have to do in the middle (15%), leaving a few specific mappings on the right. This means you define at the product level, and allow for fine tuning for specific alerts that have data different to similar alerts.
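The layered "product -> engine -> event type" behaviour described in the post above, as an added example that is not part of the thread and does not use Chronicle SOAR's real ontology format: three mapping layers are merged in order, so a field defined once at the product level applies to every alert, and only the engine or event type that shapes its data differently needs an override. The product name, engine name, entity field names and raw alert keys are all constructed for the example.

```python
# Constructed mapping layers (hypothetical names, not a real SOAR ontology export).
# Each layer maps an entity field to the key in the raw alert JSON that holds it;
# later layers override earlier ones for the same field.
PRODUCT_LEVEL = {  # "Connectors" column: applies to every alert from this product
    "ExampleEDR": {
        "SourceHostName": "DeviceName",
        "SourceUserName": "AccountName",
        "DestinationURL": "Url",
        "FileHash": "Sha256",
    }
}
ENGINE_LEVEL = {  # middle column: one detection engine within the product
    ("ExampleEDR", "ExampleEngine"): {"SourceUserName": "InitiatingProcessAccountName"},
}
EVENT_TYPE_LEVEL = {  # right column: a single event type whose data is shaped differently
    ("ExampleEDR", "ExampleEngine", "Malware detected on host"): {"FileHash": "FileSha256"},
}


def resolve_mapping(product, engine, event_type):
    """Return {entity_field: (raw_key, layer)} after applying the three layers in order,
    recording which layer supplied each field so overrides are easy to audit."""
    resolved = {}
    layers = [
        ("product", PRODUCT_LEVEL.get(product, {})),
        ("engine", ENGINE_LEVEL.get((product, engine), {})),
        ("event_type", EVENT_TYPE_LEVEL.get((product, engine, event_type), {})),
    ]
    for name, layer in layers:
        for field, raw_key in layer.items():
            resolved[field] = (raw_key, name)
    return resolved


def extract_entities(raw_alert, mapping):
    """Pull entity values out of a raw alert dict. Fields whose key is absent are
    reported in a separate list rather than filled with a guess."""
    entities, missing = {}, []
    for field, (raw_key, _layer) in mapping.items():
        if raw_key in raw_alert:
            entities[field] = raw_alert[raw_key]
        else:
            missing.append(field)
    return entities, missing


if __name__ == "__main__":
    # Constructed raw alert for the example; it has no "Url" key on purpose.
    alert = {
        "DeviceName": "ws-0042",
        "InitiatingProcessAccountName": "jdoe",
        "FileSha256": "0" * 64,
    }
    mapping = resolve_mapping("ExampleEDR", "ExampleEngine", "Malware detected on host")
    for field, (raw_key, layer) in mapping.items():
        print(f"{field:16} <- {raw_key:30} (from {layer})")
    print(extract_entities(alert, mapping))
```

The `missing` list is what you would look at first when a mapping "looks right" but an entity never appears on the case: it tells you which layer's key did not match the raw alert, which is usually a sign that the event type needs its own override on the right-hand side rather than a change at the product level.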


Thanks Andy, finally getting my head round it.

I've raised a support request to get assistance in cleaning up old product/event types so we can start fresh.
