About number of events in SOAR Alerts

Hello, community, 

Today I'm facing something weird and can't figure out how this is possible...

I've implemented a custom detection rule on my Chronicle SIEM instance that detects when a particular user deletes more than 20 files over 10 seconds. To test the rule I've deleted 26 files. 

On the SIEM side the rule correctly detects file deletion events and raises an alert grouping all 26 file deletions.

On the SOAR side I correctly received a new case with an alert but inside the alert, I can see 120 events... Looking at these events I can find a lot of duplicates... 

I can't figure out why this strange behavior occurs. The Chronicle connector has been configured for a while, and with other alerts it works fine, pulling the correct number of events.

What am I missing?

Thank you!

A
