Hi team,
We recently observed a change (intentionally made/unknown to us - we are still looking at it) in the Cases tab -> Events: the right-side pop-up window doesn't give us all the fields any more like it used to.
Example - earlier it used to display detection metadata and the associated event from the matched detection rule, but now I am unable to view any meta tags from the detection details or the outcome variables I have defined in the rule.
It would be great if someone could help us determine a possible reason for this. How do we get detection details - outcome variables, the meta tags we defined, along with other ingested alert sourcing data - in the Events tab when clicked under a case?
Thanks,
Milind
There are several ways to achieve the desired outcome of displaying detection metadata and outcome variables within the Google SecOps Cases tab.
The most direct approach is to focus on the customization options available within the 'Case Overview' tab and the underlying configurations of your detection rules. SecOps administrators have the ability to tailor the views within the 'Cases' tab, which may have inadvertently led to the missing information.
Example (Key Value Widget): You can configure a 'Key Value' widget with 'Key' as "Detection Outcome" and 'Value' as "[Alert.Detection.OutcomeVariableName]" (replace OutcomeVariableName with the actual name of your outcome variable).

@Eoved Thanks for checking in. Our administrators haven't done anything on the case management side, yet I see events being restricted within the Events tab. I believe this is a native UI change for our tenant from the Chronicle team.
This was actually a native change - we got it checked by support, and the reason it got added is that we signed up for a new feature implementation in prod without any notice about it.
Thanks @Eoved