I want to add longer descriptions in the meta of some SIEM rules so the info shows up in the related SOAR cases.
The description has to be in quotes (""s), I know, but can it have line breaks?
E.g. can I do this without breaking the rule? Will the whole description be present in the SOAR cases?
rule some_rule {
  meta:
    author = "analyst-name"
    description = "Failed MFAs. This is available as well as a Saved Search. Make sure to correlate time frame with alerted event.
Use this SOP
(link to SOP) "
    severity = "Low"
I know this isn't the best way to handle the SOP presentation in the SOAR - just using that to create an example 'multi-line' description string with line-breaks.
Thanks
Hi @Chris_B Sorry for the super long delay in getting back to you. Were you able to find the answers to your question? We're looking into this for you but wanted to double check. Thanks
Hi @Chris_B ,
Would it be ok to use the description as a part of the outcome fields? This way you will have multi-line support and it will be part of the Alert in SIEM as well.
You could use other alternatives: adding the mapping between rule names and descriptions in the SOAR SIEM connector, including the mapping as a block/action in the playbooks for enrichment, etc.
Thanks for the replies
My current thought on adding detailed info to meta is to just respect the limitations of the fields and values in rule text and instead add a line for "SOP" or similar and put link text to a Google Doc or other resource.
I think there's a way to have the link text be a clickable link in a SOAR description panel.
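One way to check rule text against the approach settled on in this thread before deploying it, as an added example that is not from any poster or from the product: a small Python check that flags any meta value whose quoted string runs past its own line and collects the single-line values. The sample rule text, the `sop` key name and the example URL are constructed, and the check assumes one `key = "value"` pair per line rather than parsing the full rule language.

```python
import re

# Constructed sample rule text; the `sop` key and the URL are hypothetical.
SAMPLE_RULE = '''rule some_rule {
  meta:
    author = "analyst-name"
    description = "Failed MFAs. Correlate time frame with alerted event.
Use this SOP
(link to SOP) "
    sop = "https://docs.example.com/sop/failed-mfa"
    severity = "Low"
  events:
}
'''

SECTION = re.compile(r'^\s*(meta|events|match|outcome|condition|options)\s*:\s*$')
ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*"(.*)$')
CLOSED = re.compile(r'^((?:[^"\\]|\\.)*)"\s*$')   # value ends on the same line
UNESCAPED_QUOTE = re.compile(r'(?<!\\)"')

def check_meta(rule_text):
    """Return (values, problems): single-line meta values and the
    (line number, key) of every meta string that spans several lines."""
    values, problems = {}, []
    in_meta, open_string = False, False
    for lineno, line in enumerate(rule_text.splitlines(), 1):
        if open_string:
            # Still inside a multi-line string; wait for its closing quote.
            if UNESCAPED_QUOTE.search(line):
                open_string = False
            continue
        section = SECTION.match(line)
        if section:
            in_meta = section.group(1) == "meta"
            continue
        assign = ASSIGN.match(line) if in_meta else None
        if not assign:
            continue
        key, rest = assign.groups()
        closed = CLOSED.match(rest)
        if closed:
            values[key] = closed.group(1)
        else:
            problems.append((lineno, key))
            open_string = True
    return values, problems
```

Running `check_meta` over each rule file in a review or CI step surfaces multi-line meta strings before the rule reaches the SIEM, and the returned `values` can feed a playbook enrichment step that needs the SOP link.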