Solved: Displaying User Enrichment Information for Multipl... - Page 2

skadav · 10-24-2024 09:28 AM

I am currently working on displaying User Enrichment information in Google SecOps. To achieve this, I have used the action: AzureActiveDirectory - Enrich User and added the output to the General Insight Action to display the information on the Case Overview.

This setup works perfectly for a single user. However, when there are multiple users, the General Insight does not show the results correctly. It combines the information for all users into a single insight.

I would like to display the enrichment information for each user in separate insights. Has anyone faced a similar issue or know how to achieve this?

Thanks in advance!

AymanC

Hi @skadav,

I don't believe doing this via an insight is possible (unless looping became a capability). However, I have a similar use case which I have solved by using a HTML Widget, to display at the alert level.

AAD Enrich User -> 'Render Template from Array (Jinja) to loop through each result, and extract the relevant data into a table -> HTML Widget has a list of each 'Entity' on the left, which can be clicked which presents the alert viewer results for that Entity, of which any can be selected on the left. This is done by grabbing the data within the contents of the 'Render Template From Array' ScriptResult output which loops through each 'Entity' within the AAD enrichment action.

Kind Regards,

Ayman C

View solution in original post

Webinar May 14th: Gemini's generative AI within Google SecOps
Webinar May 29th: Log Ingestion: Bindplane + Google SecOps

Displaying User Enrichment Information for Multiple Users in Separate Insights

Webinar May 14th: Gemini's generative AI within Google SecOpsWebinar May 29th: Log Ingestion: Bindplane + Google SecOps

Displaying User Enrichment Information for Multiple Users in Separate Insights

Webinar May 14th: Gemini's generative AI within Google SecOps
Webinar May 29th: Log Ingestion: Bindplane + Google SecOps