
I need to report SOAR cases by bespoke categories:

A good way to add tags to my SOAR cases uses the SIEM rule syntax meta section ("meta:"; e.g. I add something like: report_category = "UnAuthorized Access").

But I'm struggling to see how I can use these as tags to define categories in the SOAR

...also struggling to see how I can use anything except strings in the alert names for this purpose either. [EDIT: I can't even recall what I meant here 😞]

Anyone have any luck creating metrics reporting cases per bespoke category? Or even by ATT&CK category.

thanks


@Chris_B ,

what about using the tags in the rule outcome section, for example:

outcome:
    $mitre_attack_technique = "Service Stop"
    $mitre_attack_technique_id = "T1489"
Then in each playbook add the "Siemplify - Case Tag" action to assign the MITRE ATT&CK technique as a tag to the case.

Once assigned, you will be able to generate reports and dashboards using that assigned tag.


I hope this workaround can help you.


Will you please explain more about your question "how I can use anything except strings in the alert names for this purpose either"? Are you asking about the alert name or the case name?

Thanks
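As an added example (not code from this thread, and not Chronicle's or Siemplify's own SDK), here is the reporting half of the workaround in plain Python: it turns the outcome variables the reply suggests (`mitre_attack_technique`, `mitre_attack_technique_id`) together with the questioner's `report_category` field into case tags, then counts cases per category and per technique. The alert/case dictionaries, the `category:` / `attack:` tag prefixes and the `uncategorised` fallback are assumptions for illustration; a real export from the SOAR would need mapping into the same shape.

```python
import re
from collections import Counter

# Constructed sample data: three SOAR cases, each holding one or more alerts.
# Each alert carries its detection's outcome variables as a flat dict
# (hypothetical shape, not the SOAR's real export format).
SAMPLE_CASES = [
    {"case_id": 101, "alerts": [
        {"rule": "service_stop", "outcome": {
            "mitre_attack_technique": "Service Stop",
            "mitre_attack_technique_id": "T1489",
            "report_category": "UnAuthorized Access"}},
        # Second alert from the same rule: tags must not be double-counted.
        {"rule": "service_stop", "outcome": {
            "mitre_attack_technique": "Service Stop",
            "mitre_attack_technique_id": "t1489",   # lower case, normalised below
            "report_category": "UnAuthorized Access"}},
    ]},
    {"case_id": 102, "alerts": [
        {"rule": "password_spray", "outcome": {
            "mitre_attack_technique": "Brute Force: Password Spraying",
            "mitre_attack_technique_id": "T1110.003",
            "report_category": "UnAuthorized Access"}},
    ]},
    {"case_id": 103, "alerts": [
        # Legacy rule with no outcome section at all.
        {"rule": "legacy_rule", "outcome": {}},
        # Malformed technique id: rejected rather than reported as a bogus tag.
        {"rule": "typo_rule", "outcome": {"mitre_attack_technique_id": "1489"}},
    ]},
]

# ATT&CK technique ids look like T1489 or T1110.003 (sub-technique).
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")
UNCATEGORISED = "category:uncategorised"


def tags_for_alert(outcome):
    """Derive a set of case tags from one alert's outcome variables."""
    tags = set()
    category = (outcome.get("report_category") or "").strip()
    if category:
        tags.add("category:" + category)
    technique_id = (outcome.get("mitre_attack_technique_id") or "").strip().upper()
    if TECHNIQUE_ID.match(technique_id):
        tags.add("attack:" + technique_id)
    return tags


def tags_for_case(case):
    """Union of tags over all alerts in a case; a case with no usable
    outcome variables gets the fallback tag so it still shows in reports."""
    tags = set()
    for alert in case.get("alerts", []):
        tags |= tags_for_alert(alert.get("outcome") or {})
    return tags or {UNCATEGORISED}


def count_cases_by_prefix(cases, prefix):
    """Count cases per tag value under a prefix ('category:' or 'attack:').
    Each case is counted at most once per tag, however many alerts it has."""
    counts = Counter()
    for case in cases:
        for tag in tags_for_case(case):
            if tag.startswith(prefix):
                counts[tag[len(prefix):]] += 1
    return dict(counts)


if __name__ == "__main__":
    print("Cases per bespoke category:", count_cases_by_prefix(SAMPLE_CASES, "category:"))
    print("Cases per ATT&CK technique:", count_cases_by_prefix(SAMPLE_CASES, "attack:"))
```

The per-case deduplication matters for the metrics the question asks about: a case grouping five alerts from the same rule should count once in the "UnAuthorized Access" row, not five times, which is also why the tag is better attached at case level (as the "Siemplify - Case Tag" action does) than read off each alert.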
