Hi folks,
I am ingesting an alert created in SecOps SIEM into SOAR using the Google Chronicle connector. I have noticed that when I add a variable in the outcome section of the rule, it is visible in the event details part of the SOAR alert with the name "detection_outcomes_{outcome_varname}".
Now, is it possible to edit the rule in such a manner that instead of event details, the variable is shown in the entity details page in SOAR, so I can extract this using "entity.additional_properties.get({varname})" ?
Answer with lots of bits for other people who read in the future:
i) Keys you put in Meta appear in SOAR as [Alert.], keys you put in outcome should appear in [Event.]
The first approach to putting this into an Entity is the ontology page:
Open a case -> Alert -> Events tab -> in the single Event press the gear icon -> "Event Configuration" page -> Mapping section
From here, find the Entity type (e.g. SourceAddress) row -> three dot icon -> Add Enrichment
This will associate any Event.Keys to the [Entity.keys]
Remember, do this as far 'left' as possible in the ontology for scalability.
ii) As Yuriy mentioned, we have many Actions in the "Enrichment" powerup in the marketplace, each allowing different ways to get the key value defined.
Though I've never used it, "From Event Field" should allow you to do this
Or potentially another route using 'Enrich Entity From JSON'
HTH?
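To make the event-to-entity copy concrete, here is an added example (not from this thread and not Google SOAR SDK code) that models in plain Python what the "Create Or Update Entity Properties" / "Enrich Entity From JSON" route does: it takes the flattened `detection_outcomes_*` keys off an alert's events and writes them into `additional_properties` on the matching entities, so that `entity.additional_properties.get(varname)` works afterwards. The event field names (`principal_ip`, `target_ip`), the sample events and the sample entities are constructed; inside a real custom action the same logic would sit behind `SiemplifyAction` and be committed with `siemplify.update_entities()`, which is assumed and left out here.

```python
import copy

# Key prefix SOAR gives YARA-L outcome variables in Event details (as reported in the thread).
OUTCOME_PREFIX = "detection_outcomes_"

# Constructed sample data: flattened events as the Chronicle connector might deliver them,
# and SOAR entities with an empty additional_properties bag. Field names are assumptions.
SAMPLE_EVENTS = [
    {
        "event_type": "NETWORK_CONNECTION",
        "principal_ip": "10.0.0.5",
        "target_ip": "203.0.113.9",
        "detection_outcomes_risk_score": 80,
        "detection_outcomes_asset_owner": "finance-team",
    },
    {
        "event_type": "USER_LOGIN",
        "principal_ip": "10.0.0.7",          # no entity exists for this address
        "detection_outcomes_risk_score": 20,
        "detection_outcomes_asset_owner": "",  # empty outcome values are ignored
    },
]

SAMPLE_ENTITIES = [
    {"identifier": "10.0.0.5", "entity_type": "ADDRESS", "additional_properties": {}},
    {"identifier": "203.0.113.9", "entity_type": "ADDRESS", "additional_properties": {}},
    {"identifier": "10.0.0.99", "entity_type": "ADDRESS", "additional_properties": {}},
]


def outcome_fields(event):
    """Map one flattened event to {outcome_varname: value}, dropping the SOAR prefix."""
    return {
        key[len(OUTCOME_PREFIX):]: value
        for key, value in event.items()
        if key.startswith(OUTCOME_PREFIX) and value not in (None, "")
    }


def enrich_entities(entities, events, identifier_fields=("principal_ip", "target_ip")):
    """Copy outcome variables from each event onto the entities that event references.

    An entity matches an event when its identifier equals one of the event's
    identifier fields (hypothetical names; align them with your ontology mapping).
    Updates are idempotent: a property already holding the same value is left alone.
    Returns only the entities whose properties changed, which is the list a real
    action would pass to siemplify.update_entities().
    """
    changed = []
    for entity in entities:
        props = entity.setdefault("additional_properties", {})
        for event in events:
            if entity["identifier"] not in {event.get(f) for f in identifier_fields}:
                continue
            for name, value in outcome_fields(event).items():
                if props.get(name) != value:
                    props[name] = value  # later events overwrite earlier ones
                    if not any(e is entity for e in changed):
                        changed.append(entity)
    return changed


def outcome_for(entities, identifier, varname):
    """The lookup the question asks for: entity.additional_properties.get(varname)."""
    for entity in entities:
        if entity["identifier"] == identifier:
            return entity["additional_properties"].get(varname)
    return None


def run_sample():
    """Enrich a fresh copy of the sample entities; returns (entities, changed)."""
    entities = copy.deepcopy(SAMPLE_ENTITIES)
    changed = enrich_entities(entities, SAMPLE_EVENTS)
    return entities, changed


if __name__ == "__main__":
    enriched, touched = run_sample()
    for entity in enriched:
        print(entity["identifier"], entity["additional_properties"])
    print("entities to update:", [e["identifier"] for e in touched])
```

Running the sample shows the two addresses referenced by the first event picking up `risk_score` and `asset_owner`, the unreferenced address staying empty, and a second pass returning nothing to update. Keep the identifier matching aligned with the ontology mapping described above; otherwise an outcome value can land on the wrong entity and feed later playbook decisions.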
Hey @preet_mehta,
There is an action called "Create Or Update Entity Properties", which allows you to add custom properties onto the SOAR entities from any data. In your case, you can use information from the event and push it onto the entity.
Would that solve your problem?
Hi, let me have a look into this. However, is there a possibility that we add properties into entities directly from the SIEM rules ?
Thanks.
This is very helpful, thanks.