Dynamic Case Name and Severity

We have onboarded alerts from a third-party security product into the SIEM. We have a single detection rule which monitors those events and creates cases in SOAR. By default the case name and severity are assigned from the rule name and severity (meta section) in the detection rule.

The events from the security product contain different kinds of alerts with an associated severity. We extracted those values into security.event fields and mapped them to the outcome section as below:

detection.outcomes.rule_detection and detection.outcomes.severity

Does SecOps have the capability to dynamically assign the case name and severity based on the field values in the outcome section rather than the default values provided in the YARA-L rule?
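For reference, this is what the outcome mapping described in the question can look like in a YARA-L 2.0 rule. It is an added example, not the poster's rule: the vendor name, the UDM fields holding the vendor alert name and severity (security_result.rule_name and security_result.severity), the outcome names and the meta values are assumptions. The rule has no match section, so it produces one detection per vendor alert event and the outcome section can reference event fields directly.

```yaral
rule vendor_alert_to_case {
  meta:
    author = "SOC detection engineering"   // assumed value
    description = "Forward every third-party alert to SOAR; the outcomes carry the vendor's alert name and severity so a playbook can rename the case and reset its severity"
    // Default case severity. It stays in force unless a playbook action overrides it
    // from the $severity outcome below.
    severity = "MEDIUM"

  events:
    // Assumed: the parser places the vendor alert name in security_result.rule_name
    // and the vendor severity in security_result.severity.
    $e.metadata.vendor_name = "ExampleVendor"
    $e.metadata.event_type = "GENERIC_EVENT"
    // Guard: skip events with no alert name, otherwise the case would be renamed to an empty string.
    $e.security_result.rule_name != ""

  outcome:
    // One detection per event, so plain field references are allowed here.
    $rule_detection = $e.security_result.rule_name
    $severity = $e.security_result.severity
    // Assumed helper: a ready-made title for the playbook's case-rename action.
    $case_title = strings.concat("ExampleVendor: ", $e.security_result.rule_name)

  condition:
    $e
}
```

The rule itself cannot rename the case or change its severity; the outcomes only make the vendor's values available on the alert that reaches SOAR. The playbook actions named in the answers below read those outcome fields and apply them to the case. Two checks are worth building into that playbook: fall back to the rule's meta severity when the vendor severity is missing or unrecognised, and map the vendor's scale (numeric levels, or strings such as "Critical") onto the severity values SOAR accepts rather than passing the raw value through.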

Solved

2 ACCEPTED SOLUTIONS

As alerts flow to the case management system, you can optionally add playbooks to enable enrichment and automated response. Playbooks can rename cases (using fields from the alert), along with changing the severity using the underlying severity from the vendor's detection. Both change alert/case name and change severity are available as actions in the SOAR.

-mike


The best way to do this is to create a block which will assign a dynamic case name with the case ID (use actions to assign the case name),

and even for severity you can create a block.

When you create a playbook, add these 2 blocks at the beginning.

You can customize the case name and severity based on the use case!!

