This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
New SecOps Webinar May 14th! Learn about Gemini's generative AI within Google SecOps
Log in to ask a question

Displaying User Enrichment Information for Multiple Users in Separate Insights

Posted on 10-24-2024 09:28 AM
skadav
Silver 1
Silver 1
Reply posted on --/--/---- --:-- AM

I am currently working on displaying User Enrichment information in Google SecOps. To achieve this, I have used the action: AzureActiveDirectory - Enrich User and added the output to the General Insight Action to display the information on the Case Overview.

This setup works perfectly for a single user. However, when there are multiple users, the General Insight does not show the results correctly. It combines the information for all users into a single insight.

I would like to display the enrichment information for each user in separate insights. Has anyone faced a similar issue or know how to achieve this?

Thanks in advance!

Solved Solved
0 9 453
Topic Labels
Jump to Solution
0 Likes
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
AymanC
Silver 3
Silver 3
Reply posted on --/--/---- --:-- AM

Hi @skadav,

I don't believe doing this via an insight is possible (unless looping became a capability). However, I have a similar use case which I have solved by using a HTML Widget, to display at the alert level.

AAD Enrich User -> 'Render Template from Array (Jinja) to loop through each result, and extract the relevant data into a table -> HTML Widget has a list of each 'Entity' on the left, which can be clicked which presents the alert viewer results for that Entity, of which any can be selected on the left. This is done by grabbing the data within the contents of the 'Render Template From Array' ScriptResult output which loops through each 'Entity' within the AAD enrichment action.

Kind Regards,

Ayman C

View solution in original post

Jump to Solution
9 REPLIES 9

Posted on --/--/---- --:-- AM
vaskenh
Staff
Reply posted on --/--/---- --:-- AM

Hi @skadav .  In this scenario, I just wanted to confirm whether the exact action you're using is the Add General Insight Action, or if it's a different one.  If it is, can you share some more detail around exactly how you're specifying the users as part of this Action? 

 

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
skadav
Silver 1
Silver 1
In response to vaskenh
Reply posted on --/--/---- --:-- AM

Hello @vaskenh 

below scenario will explain what I am actually looking for.

Scenario 1: - Working perfectly fine
User Name is getting enriched with AzureActiveDirectory - Enrich User Action. and its output is getting added to General Insight Action and this is creating insight on case wall. 

skadav_1-1730202687679.png

Scenario 2: Not working as expected
Multiple User Name is getting enriched with AzureActiveDirectory - Enrich User Action. and its output is getting added to General Insight Action and this is creating combined insight on case wall. 

skadav_2-1730202772591.png

Expected Output Scenario:

Multiple User Name is getting enriched with AzureActiveDirectory - Enrich User Action. and its output is getting added to General Insight Action and this should create separate insight on case wall for each user. 

skadav_3-1730203069005.png

 

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
dnehoda
Staff
Reply posted on --/--/---- --:-- AM

This also another interesting ask.  Whats the use case where 3 usernames are involved?  what is happening?  

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
skadav
Silver 1
Silver 1
In response to dnehoda
Reply posted on --/--/---- --:-- AM

@dnehoda  Basically this solution offers multiple use cases. but one is, tracking multiple user sign-ins on a single workstation. Aim is to provide primary enrichment information to analyst as an insight on Case Overview. 

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
AymanC
Silver 3
Silver 3
Reply posted on --/--/---- --:-- AM

Hi @skadav,

I don't believe doing this via an insight is possible (unless looping became a capability). However, I have a similar use case which I have solved by using a HTML Widget, to display at the alert level.

AAD Enrich User -> 'Render Template from Array (Jinja) to loop through each result, and extract the relevant data into a table -> HTML Widget has a list of each 'Entity' on the left, which can be clicked which presents the alert viewer results for that Entity, of which any can be selected on the left. This is done by grabbing the data within the contents of the 'Render Template From Array' ScriptResult output which loops through each 'Entity' within the AAD enrichment action.

Kind Regards,

Ayman C

Jump to Solution

Posted on --/--/---- --:-- AM
skadav
Silver 1
Silver 1
In response to AymanC
Reply posted on --/--/---- --:-- AM

@AymanC  Sounds interesting. 
I tried it and First attempt is successful. Will experiment with it further. 
Thanks for sharing.

I used https://cloud.google.com/chronicle/docs/soar/marketplace-and-integrations/power-ups/templateengine for more information on Render Templates

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
ylandovskyy
Staff
Reply posted on --/--/---- --:-- AM

Hey folks, currently, the integration supports a predefined widget that can render information from the "Enrich User" action. You don't need to do anything, just drag and drop it into the view for the playbook that is relevant.

ylandovskyy_0-1731068714855.png

This is how it looks like:

ylandovskyy_2-1731069018960.png

It does support output, if multiple users were enriched.

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
SoarAndy
Staff
Reply posted on --/--/---- --:-- AM

At the Alert level, this Action already has a widget that should cope with multiple people (in a more powerful way then an Insight)

However you said Case level.  Alert level widgets do not get used here, so yes you need to do something different than the OOTB predefined wigets.

There is a roadmap item currently planned to be released November/December that includes some HTML widget code where you can throw any JSON object at it (i.e. array of results) and it will automagically render.  This will be under the 'new HTML widget'.  That might help you, but until it's released I can't comment more, sorry.

HTH Andy

Jump to Solution

Posted on --/--/---- --:-- AM
ylandovskyy
Staff
Reply posted on --/--/---- --:-- AM

Thanks @SoarAndy I've missed the requirement associated with the fact that it needs to be at case level. In that situation, we can still leverage the predefine widget that comes with integration, but it will need to be tweaked a little bit. For example, in the predefined widget as part of the code, we have this line:

const actionListData = [{stepInstanceName}.JsonResult];

 

 You can replace the [{stepInstanceName}.JsonResult] with a different placeholder that will contain the output of "Enrich User" action. For example, you can set a context value at the Case level inside the playbook using "Set Context Value" value with the following configuration:

ylandovskyy_0-1731073192230.png

Next step is to go to "Settings -> SOAR Settings -> Case -> Views" and drag & drop "HTML" widget onto the canvas. In the configuration of the widget you will need to set the correct height, width and most importantly conditions. Here is an example of configuration, if you are using the same "AD_ENRICH_USER" context value:

ylandovskyy_1-1731073442696.png

In the copied html we will replace the line:

const actionListData = [{stepInstanceName}.JsonResult];

with

const actionListData = [Case.AD_ENRICH_USER];

After all of these changes, you expect to see the widget at the case level that looks exactly, how our predefined does. Let me know, if you have any question!

 

Jump to Solution
0 Likes
Top Solution Authors
View all