+5Google SecOps Chronicle SOAR, when using a custom connector, you can return a CaseInfo() or AlertInfo() object. If CaseInfo() is returned, it creates a case and may generate an event, which sometimes Chronicle treats as an alert.
Can you clarify the following:
+10A Case is a collection of one or more Alerts, grouped by common values and time. Alerts can be detections generated by rules or ingested via connectors or webhooks and are made up of Events. Each Alert contains one or more security Events. Events represent information gathered from various security technologies and log sources ingested into SecOps as raw logs.
+16Here's a visual of this for you:
There's 5 alerts - each tab is a specific alert and the number in parentheses shows the events tied to that alert.
+12My own personal analogy
In the old traditional world of IDS, a single TCP packet would trigger detection. In this case 1 Event happened, and it triggered 1 Alert. This is ingested into SecOps and becomes, or joins, an existing case.
If the IDS has a rule for "10 Packet to the same port in 5 minutes" this would be 10 packets in 1 Alert. Here each Event maps to 1 of the Packets (or in other cases logs map to Events).
Therefore in playbook building, if you are wanting port numbers, IP, username, these are usually in the Event, but if you are wanting the detection severity that fired, that is in the encapsulating Alert level.
Hope that helps
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.