SecOps - Data Table - AWS log

I am looking to build a dynamic asset inventory in Chronicle SIEM to map AWS Account IDs to their respective OUs.
My environment has a lot of accounts and CloudTrail logs lack OU context.
My plan is to create a Chronicle Data Table with a bulk export of current accounts and then use a YARA-L detection rule to catch CreateAccount events (which contain the OU name). This rule would trigger a SOAR playbook to automatically append the new Account ID and OU mapping to the Data Table.
What is the best practice for my problem?
Which YARA-L rule and playbook should I create for this solution?
Thanks
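As an added example (not code from the original post or from Chronicle/Google SecOps), the playbook-side logic that maintains the Account ID to parent (OU or root) mapping from AWS Organizations CloudTrail records. It goes a little beyond the CreateAccount case in the question: in AWS Organizations, CreateAccount is asynchronous and its response carries only a request id in state IN_PROGRESS, the 12-digit account id first appears in the CreateAccountResult service event once the request reaches SUCCEEDED, and a new account is placed under the organization root, with the OU assignment arriving as a separate MoveAccount call. A detection rule that only fires on CreateAccount therefore never sees the OU, so the example keys on CreateAccountResult and MoveAccount instead, skips records that carry an errorCode, validates the account and parent id formats, and renders the result as CSV for a Data Table bulk upload. The sample events are constructed (made-up ids, names and addresses, shaped like CloudTrail records), and the CSV column names are an assumption.

```python
import csv
import io
import re
from typing import Dict, Optional

# Constructed sample CloudTrail records (not from the original post). The field
# layout follows CloudTrail's record format for AWS Organizations events; the ids,
# names and addresses are made up.
SAMPLE_EVENTS = [
    # CreateAccount is asynchronous: the response carries a request id and state
    # IN_PROGRESS, so there is no account id to record yet.
    {
        "eventSource": "organizations.amazonaws.com",
        "eventName": "CreateAccount",
        "requestParameters": {"accountName": "payments-prod", "email": "payments-prod@example.com"},
        "responseElements": {"createAccountStatus": {"id": "car-exampleid1", "state": "IN_PROGRESS",
                                                    "accountName": "payments-prod"}},
    },
    # CreateAccountResult is the service event Organizations emits when the request
    # finishes; only here does the 12-digit account id appear.
    {
        "eventSource": "organizations.amazonaws.com",
        "eventName": "CreateAccountResult",
        "serviceEventDetails": {"createAccountStatus": {"id": "car-exampleid1", "state": "SUCCEEDED",
                                                        "accountId": "111122223333", "accountName": "payments-prod"}},
    },
    # A new account starts under the organization root; placing it in an OU is a
    # separate MoveAccount call, which is where the OU id actually shows up.
    {
        "eventSource": "organizations.amazonaws.com",
        "eventName": "MoveAccount",
        "requestParameters": {"accountId": "111122223333", "sourceParentId": "r-abcd",
                              "destinationParentId": "ou-abcd-11111111"},
    },
    # A denied call: CloudTrail still logs it, with an errorCode, and it must not
    # change the mapping.
    {
        "eventSource": "organizations.amazonaws.com",
        "eventName": "MoveAccount",
        "errorCode": "AccessDenied",
        "requestParameters": {"accountId": "111122223333", "sourceParentId": "ou-abcd-11111111",
                              "destinationParentId": "ou-abcd-22222222"},
    },
]

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# Root ids look like r-xxxx, OU ids like ou-<root segment>-<8..32 chars>.
PARENT_ID_RE = re.compile(r"^(r-[0-9a-z]{4,32}|ou-[0-9a-z]{4,32}-[0-9a-z]{8,32})$")

Row = Dict[str, Optional[str]]


def apply_event(record: dict, table: Dict[str, Row]) -> Optional[str]:
    """Apply one CloudTrail record to the account -> parent table.

    Returns the account id whose row changed, or None when the record is not a
    successful Organizations event that changes the mapping.
    """
    if record.get("eventSource") != "organizations.amazonaws.com":
        return None
    if "errorCode" in record:  # failed or denied API calls change nothing
        return None
    name = record.get("eventName")
    if name == "CreateAccountResult":
        status = record.get("serviceEventDetails", {}).get("createAccountStatus", {})
        acct = status.get("accountId")
        if status.get("state") != "SUCCEEDED" or not acct or not ACCOUNT_ID_RE.match(acct):
            return None
        # parent_id None: the account sits under the root (whose id is not in this
        # event) until a MoveAccount record arrives.
        table[acct] = {"account_name": status.get("accountName"), "parent_id": None}
        return acct
    if name == "MoveAccount":
        params = record.get("requestParameters", {})
        acct, dest = params.get("accountId"), params.get("destinationParentId")
        if not (acct and dest and ACCOUNT_ID_RE.match(acct) and PARENT_ID_RE.match(dest)):
            return None
        # Accounts from the initial bulk export may be moved too, so upsert.
        row = table.setdefault(acct, {"account_name": None, "parent_id": None})
        row["parent_id"] = dest
        return acct
    return None


def build_table(records) -> Dict[str, Row]:
    """Fold a sequence of CloudTrail records into the mapping table."""
    table: Dict[str, Row] = {}
    for record in records:
        apply_event(record, table)
    return table


def to_csv(table: Dict[str, Row]) -> str:
    """Render the mapping as CSV for a Data Table bulk upload (column names assumed)."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["account_id", "account_name", "parent_id"])
    for acct in sorted(table):
        row = table[acct]
        writer.writerow([acct, row["account_name"] or "", row["parent_id"] or ""])
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(build_table(SAMPLE_EVENTS)), end="")
```

In a playbook, `apply_event` is the step that runs on each alert and decides whether the Data Table row needs an append or an update; keying the detection on both CreateAccountResult and MoveAccount (rather than CreateAccount) is what keeps the OU column populated, and the errorCode check keeps a denied MoveAccount attempt from being recorded as if it had succeeded.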