Solved

Secops - Data Table - AWS log

  • January 22, 2026
  • 3 replies
  • 77 views

Roni11

I am looking to build a dynamic asset inventory in Chronicle SIEM to map AWS Account IDs to their respective OUs.
My environment has a lot of accounts and CloudTrail logs lack OU context. 
My plan is to create a Chronicle Data Table with a bulk export of current accounts and then use a YARA-L detection rule to catch CreateAccount events (which contain the OU name). This rule would trigger a SOAR playbook to automatically append the new Account ID and OU mapping to the Data Table. 
What is the best practice for my problem?
Which YARA-L rule and playbook should I create for this solution?
Thanks

3 replies

chrisd2
  • Bronze 5
  • Answer
  • January 23, 2026

Hello,

You do not need a SOAR playbook anymore to insert Rule Outcomes into Datatables, it can be done natively! You can check the docs at https://docs.cloud.google.com/chronicle/docs/investigation/data-tables#write-yara-l-results


Roni11
  • Author
  • January 24, 2026

Hi,

Thank you very much for the solution you suggested.

In the context of this solution, how can I make sure that for every log that arrives with a specific account ID, the log is enriched with the corresponding OU name from the table I created?

Additionally, how can I ensure that this enrichment is available both when querying/investigating logs and in any case that is opened?

Thanks a lot for your help!


chrisd2
  • Bronze 5
  • January 30, 2026

Hello @Roni11, sorry for the delay, did not catch the notification :)

From my understanding, you cannot really “enrich” the events via DataTables (as of today).

In Rules, you can actually override/append the entity_graph with the content of a DataTables (see docs) but from what I understand, this enrichment is only existing in the context of the rule execution. So in your case, better filter directly based on the DataTable content.

In Search, you cannot enrich events with DataTables (see docs) but only filter them.

regards,
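The two replies above cover the two places a data table can be used from a rule: writing detection outcomes into it (the linked docs) and filtering events against its rows. The YARA-L below is an added example, not code from this thread or from Google's documentation; the table name aws_account_ou and its two columns, the UDM field paths used for the account ID and OU name, and the exact export and column-filter syntax are assumptions to verify against the data-tables documentation linked in the first reply.

```yara-l
// Rule 1: on a CreateAccount event, write (account ID, OU name) into aws_account_ou.
rule aws_new_account_to_ou_table {
  meta:
    author = "added example"
    description = "Keep aws_account_ou in sync from CreateAccount events"
    severity = "INFORMATIONAL"

  events:
    $e.metadata.log_type = "AWS_CLOUDTRAIL"
    $e.metadata.product_event_type = "CreateAccount"
    // Placeholder UDM paths: run a UDM search on a real CreateAccount event to
    // see where your parser puts the new account ID and OU name, then adjust.
    $account_id = $e.target.resource.product_object_id
    $ou_name = $e.target.resource.name

  match:
    $account_id, $ou_name over 1h

  outcome:
    $out_account_id = $account_id
    $out_ou_name = $ou_name

  // Assumed export syntax (table column = outcome variable); confirm it in the docs.
  export:
    %aws_account_ou(account_id = $out_account_id, ou_name = $out_ou_name)
}

// Rule 2: use the table as a filter inside a rule (where a table can act on events
// today): alert on console logins in any account the table maps to the Production OU.
rule aws_console_login_in_production_ou {
  meta:
    author = "added example"
    description = "Console login in an account whose OU is Production"
    severity = "LOW"

  events:
    $e.metadata.log_type = "AWS_CLOUDTRAIL"
    $e.metadata.product_event_type = "ConsoleLogin"
    // Placeholder UDM path for the account ID the event was recorded in.
    $acct = $e.principal.resource.product_object_id
    // Join the event's account ID to a table row, then keep only rows whose
    // ou_name column is "Production" (assumed column-filter syntax).
    $acct = %aws_account_ou.account_id
    %aws_account_ou.ou_name = "Production"

  match:
    $acct over 5m
}
```

Rule 1 only records mappings for accounts created after it is enabled, so the bulk export mentioned in the question still has to seed the table for existing accounts.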