This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
The Google Cloud Security Community will be in read-only mode July 16 - July 22 as we migrate platforms. 

Read more and check out our FAQ
Log in to ask a question

How to attach events to case in Google SecOps SOAR?

Posted on 07-12-2024 05:24 AM
Daham
Bronze 2
Bronze 2
Reply posted on --/--/---- --:-- AM

I am aware that we can include the artifacts like source IP's to the case but what I want to know is cant we attach the exact events we need to a case? For example, we do a threat hunt and we found some suspicious events. Is there a way to attach these suspicious events into a case? 

Thanks

0 1 489
Topic Labels
0 Likes
Reply
1 REPLY 1

Posted on --/--/---- --:-- AM
SoarAndy
Staff
Reply posted on --/--/---- --:-- AM

There is no way to create additional 'Events' in the platform to accompany the events created during original alert ingestion.

SoarAndy_0-1721224092263.png

However using the case wall you can attach files, text, formatted tables, and you can add entities.  These are some of the workflows to support an analyst in their investigation.

SoarAndy_1-1721224157757.png

You can also combine these: upload CSV to the case wall, then run additional playbook that parses casewall objects to extract strings and turn them into Entities. Building this playbook would depend on how the data is structured AND what you want to do with it from an automated standpoint. 

 

Reply
Top Solution Authors
View all