Hello Team,
For the 'impossible_travel_login_activity' alert involving a user, our initial review of the events showed activity from only one country in the SOAR case. However, when we applied the rule in the SIEM, it identified an additional event indicating activity from a different country.
We have a rule for "impossible_travel_login_activity" that flags logins from two different countries within a 3-hour time period.
Once we investigated the alert in the SIEM, we observed 61 events from both countries. However, only 10 events for one country were captured in the case. Is the case section limited to only 10 events, or can we modify this limit? If modification is possible, please let us know how to proceed.
Thanks
Hi @irfancho1994, apologies for the very delayed response. Chris Martin recently created a two-part blog series about Impossible Travel. Check them out here. Hopefully this helps answer your questions.
Hi @irfancho1994.
In reference to only 10 events being shown, this is event sampling.
"There is a limit of up to 10 event samples for each event variable defined in the rule. Event samples past this limit will be omitted. The Download as CSV option appears if event samples were omitted from your detection. A maximum of 100,000 events can be downloaded."
https://cloud.google.com/chronicle/docs/detection/downloading-events
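An added illustration (not code from the thread, from Chronicle, or from the linked doc) of the two points above together: the rule logic described in the question (logins from two different countries within 3 hours) and the 10-sample-per-event-variable cap quoted in the last reply. Everything in it is constructed: the login lines, users and country codes are made up, and which 10 events are retained for the case is an assumption (earliest first), since the doc only states the cap and that the rest are omitted.

```python
"""Added example (not code from the thread, Chronicle, or Google's docs):
a minimal impossible-travel check over constructed login lines, plus a model
of the per-variable event-sample cap quoted in the reply, to show why a case
can display only one country even though the rule matched two."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=3)   # the 3-hour window described in the question
SAMPLE_LIMIT = 10             # per-event-variable sample cap quoted in the reply


def build_sample_lines():
    """Constructed input: '<ISO time> <user> <country>' lines.
    alice: 51 logins from A, then 10 from B, all inside 3 hours (61 total).
    bob:   one country only.  carol: two countries, but 5 hours apart."""
    t0 = datetime(2024, 1, 1, 8, 0, 0)
    lines = [f"{(t0 + timedelta(minutes=i)).isoformat()} alice A" for i in range(51)]
    lines += [f"{(t0 + timedelta(minutes=60 + i)).isoformat()} alice B" for i in range(10)]
    lines += [f"{(t0 + timedelta(minutes=5 * i)).isoformat()} bob A" for i in range(4)]
    lines += [f"{t0.isoformat()} carol A", f"{(t0 + timedelta(hours=5)).isoformat()} carol B"]
    return lines


def parse_login(line):
    """Turn one constructed log line into (timestamp, user, country)."""
    ts, user, country = line.split()
    return datetime.fromisoformat(ts), user, country


def find_impossible_travel(logins, window=WINDOW):
    """Return {user: events} for every user with two logins from different
    countries within `window` of each other; events are all logins involved."""
    by_user = defaultdict(list)
    for ev in logins:
        by_user[ev[1]].append(ev)
    hits = {}
    for user, evs in by_user.items():
        evs.sort()                      # time order, so the inner loop can stop early
        matched = set()
        for i, (ts_i, _, c_i) in enumerate(evs):
            for j in range(i + 1, len(evs)):
                ts_j, _, c_j = evs[j]
                if ts_j - ts_i > window:  # nothing later can pair with event i
                    break
                if c_j != c_i:
                    matched.update((i, j))
        if matched:
            hits[user] = [evs[k] for k in sorted(matched)]
    return hits


def sample_for_case(events, limit=SAMPLE_LIMIT):
    """Model of event sampling: at most `limit` events reach the case.
    Which ones are retained is an assumption here (earliest first); the
    quoted doc only states the cap and that the rest are omitted."""
    kept = events[:limit]
    return kept, len(events) - len(kept)


def countries_in(events):
    return sorted({c for _, _, c in events})


def case_summary(lines):
    """Per matched user: what the full SIEM search sees vs. what the case shows."""
    hits = find_impossible_travel([parse_login(ln) for ln in lines])
    out = {}
    for user, evs in hits.items():
        kept, omitted = sample_for_case(evs)
        out[user] = {
            "matched": len(evs), "countries": countries_in(evs),
            "sampled": len(kept), "sampled_countries": countries_in(kept),
            "omitted": omitted,
        }
    return out


if __name__ == "__main__":
    for user, s in case_summary(build_sample_lines()).items():
        print(f"{user}: rule matched {s['matched']} events across {s['countries']}; "
              f"case shows {s['sampled']} from {s['sampled_countries']}, {s['omitted']} omitted")
```

The point the run makes for the investigation in the question: the cap applies per event variable, so when the earliest retained events all come from one country the case view shows only that country, while the rule still fired because of the other one; the full set of matched events stays available through the SIEM search or the Download as CSV option the reply mentions.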