
Update Entity Is_Internal Based on SIEM Asset Findings

  • February 28, 2025
  • 2 replies

jasonsigman

Looking at a recent alert flowing into SOAR, I see Chronicle identifies one of its entities as an asset but does not mark the IsInternal as True. I can see multiple enriched LDAP fields that get passed along and fields with asset marking. Is there a setting to have this update?

cmorris
  • Staff
  • February 28, 2025

Have you configured your networks and domains under the SOAR Settings > Environments > Domains/Networks?

You can also change the value via a playbook action (https://www.googlecloudcommunity.com/gc/SecOps-SOAR/Entity-Is-Internal-Not-Being-Reflected/m-p/745015).


jasonsigman
  • Author
  • Bronze 1
  • March 3, 2025

Would this work for machine names where the domain is part of the name itself? I am worried about changing it in a playbook because I have other playbooks I need to run on that alert outside of enriching the entities.