Using CSV_CUSTOM_IOC entity data

I was able to set up a feed to read from a CSV file to load data with the CSV_CUSTOM_IOC data type.

However, how can this data be leveraged? I tried creating a rule to throw an alert matching an IP address in that csv file but it does not seem to fire.

Is there a reference for this entity data type and how it should be referenced in a rule?


Hi @jocab, hope you're well. The expectation is that you should be able to see an IOC Match as a result of setting up this feed and then subsequently triggering an event that contains one of the IOCs.


Could you share a bit more metadata about the CSV file itself (like the headers only)?

On my end, I set up a CSV file feed and I'm able to see evidence of it as a "log source" when I use the legacy search (you can use other means to do this if you prefer). Do you see your CSV as a log source similar to what I show below?


https://cloud.google.com/chronicle/docs/investigation/alerts-iocs

So apparently, it's no longer showing up as a log source in the legacy search drop-down. I know for a fact it was before. The feed is running:

Completed | Google Cloud Storage | CSV Custom IOC | 2025-03-10 17:30:18

I'll have to look into why it's no longer showing up as a log source.

Try adjusting the date of your search. The log source list is populated based on that.

Ok, that pulled up the CSV Custom IOC source data when I went back as far as February. I didn't realize it would only pop up once to correspond to the ingestion time for that specific entry. I was thinking it would get updated every time the file is read.

It sounds like the file was read in then and hasn't been since then, if you don't see it for more recent dates.

@vaskenh BTW: This is what I was following, based on a Medium article:

# "category","value", "score", "severity"
suspicious_url,domain.com,86
mal_ip,1.2.3.4,17

https://medium.com/@thatsiemguy/ioc-matching-in-chronicle-siem-45a97c0b91a8


It does seem to parse, as it shows up in the parser editor.

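As an added example (not code from Google SecOps, the Medium article, or anyone in this thread), the script below does the two things a practitioner would want to check before blaming the rule: it parses the posted CSV using the column names from its commented header ("category","value","score","severity") and reports rows whose field count does not match that header, then runs the resulting indicator list against a few constructed events, including an SSH connection to the IOC IP. The event field names (target_ip, target_hostname), the header-as-first-comment convention and the matching logic are assumptions for illustration only, not the product's schema or matcher.

```python
"""Sanity-check a custom-IOC CSV and match it against sample events.

Added example, not Google SecOps code. Column names come from the header
shown in the thread; the event shape and matcher are assumed for illustration.
"""
import csv
import ipaddress

# Constructed input: the file posted in the thread, verbatim. Note the
# commented header names four columns while each data row carries three.
SAMPLE_CSV = '''# "category","value", "score", "severity"
suspicious_url,domain.com,86
mal_ip,1.2.3.4,17
'''

# Constructed events (assumed field names, not UDM): an SSH session to the
# IOC IP, a benign internal connection, and a DNS lookup of the IOC domain.
SAMPLE_EVENTS = [
    {"event_type": "NETWORK_CONNECTION", "target_ip": "1.2.3.4", "target_port": "22"},
    {"event_type": "NETWORK_CONNECTION", "target_ip": "10.0.0.5",
     "target_hostname": "intranet.local"},
    {"event_type": "NETWORK_DNS", "target_hostname": "Domain.com"},
]


def parse_ioc_csv(text):
    """Return (iocs, problems).

    iocs: one dict per data row, keyed by the header names (assumed to be the
    first '#' comment line, quotes and spaces stripped).
    problems: issues a strict feed parser is likely to reject or mis-map.
    """
    header = None
    iocs, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if header is None:
                header = [h.strip().strip('"') for h in line.lstrip("#").split(",")]
            continue
        if header is None:
            problems.append(f"line {lineno}: data before any header line")
            continue
        row = next(csv.reader([line], skipinitialspace=True))
        if len(row) != len(header):
            problems.append(
                f"line {lineno}: {len(row)} fields but header names {len(header)}")
        # Pad short rows so the record stays usable for matching.
        rec = dict(zip(header, row + [""] * (len(header) - len(row))))
        rec["value"] = rec.get("value", "").strip().lower()
        iocs.append(rec)
    if header is None:
        problems.append("no header line found")
    return iocs, problems


def ioc_kind(value):
    """Classify an indicator value as 'ip' or 'domain' (assumed categories)."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "domain"


def match_events(iocs, events):
    """Return (event_index, field, ioc) for each event field equal to an IOC value."""
    by_value = {ioc["value"]: ioc for ioc in iocs if ioc.get("value")}
    hits = []
    for i, ev in enumerate(events):
        for field in ("target_ip", "target_hostname"):
            v = ev.get(field, "").strip().lower()
            if v in by_value:
                hits.append((i, field, by_value[v]))
    return hits


def validate_and_match(text=SAMPLE_CSV, events=SAMPLE_EVENTS):
    iocs, problems = parse_ioc_csv(text)
    return iocs, problems, match_events(iocs, events)


if __name__ == "__main__":
    iocs, problems, hits = validate_and_match()
    for p in problems:
        print("WARN", p)
    for i, field, ioc in hits:
        print(f"event {i}: {field}={ioc['value']} ({ioc_kind(ioc['value'])}) "
              f"matched IOC category={ioc['category']} score={ioc['score']}")
```

Run against the posted file it warns on both data rows (three fields against a four-name header) and still reports the SSH event to 1.2.3.4 and the DNS lookup of domain.com as matches. If the real feed applies the header strictly, a short row means the severity column is empty and, depending on how the parser maps columns, the score may land in the wrong field; fixing the row/header mismatch is the first thing to rule out before debugging the rule itself.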


Thanks for the extra detail @jocab. In this scenario, even though the custom rule you created isn't firing, is there evidence of an IOC hit in the "IOC Matches" tab (Detection > Alerts and IOCs)? What I'm trying to establish is whether we can separate the rule firing from getting an indicator match. If we can get the latter, then we can focus on the custom rule and why it's not firing.

I have been SSHing to the IP / hostname that is in my test CSV and there is no alert being thrown in IOC Matches -> Detections -> IOC Matches.

Furthermore, when you filter the IOC Matches sources, there isn't one for the custom CSV.
