Skip to main content

I want to add longer descriptions in the meta of  some SIEM rules so the info shows up in the related SOAR cases .

The description has to be in quotes (""s) I know, but can it have line breaks?

E.g.  can I do this without breaking the rule ? Will the whole description present in the SOAR cases

 

 

rule some_rule {

meta:
author = "analyst-name"
description = "Failed MFAs. This is available as well as a Saved Search. Make sure to corrrelate time frame with alerted event.
Use this SOP
(link to SOP) "
severity = "Low"

 

 

I know this isn't the best way to handle the SOP presentation in the SOAR - just using that to create an example 'multi-line' description string with line-breaks.

thanks

 

 

Hi @Chris_B Sorry for the super long delay in getting back to you. Were you able to find the answers to your question? We're looking into this for you but wanted to double check. Thanks

Hi @Chris_B ,
Would it be ok to use the description as a part of the outcome fields ? this way you will have multi-line support and it wil lbe part of the Alert in SIEM as well.


You could use other alternatives ; Adding the mapping between Rule names and descriptions in the SOAR SIEM connector, including the mapping as a block/action in the playbooks for enrichment, etc...

Thanks for the replies

My current thought on adding detailed info to meta is to just respect the limitations of the fields and values in rule text and instead add a line for "SOP" or similar and put link text to a Google Doc or other resource.

I think there's a way to have the link text be a clickable link in a SOAR description panel.

 

Reply


Terms & ConditionsCookie settings
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.