This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
Webinar May 14th: Gemini's generative AI within Google SecOps
Webinar May 29th: Log Ingestion: Bindplane + Google SecOps
Log in to ask a question

How to get SIEM IOC Matches into SOAR

Posted on 10-14-2024 07:30 AM
MarinusC
Bronze 4
Bronze 4
Reply posted on --/--/---- --:-- AM

Hello all, 

there is no current post regarding this topic, so I open a new post. 
Is there any chance to ingest the IOC Matches from Google SIEM into Google SOAR as a new alert / case. 
In the past I thought there was a connector function which allowed to directly create alerts based on the IOC Matches. 
Or are there anywhere public IOC Detection Rules, which are reporting exactly the IOC Matches.

MarinusC_0-1728916055884.png

Thank you for your help.
~Marinus

0 3 1,428
Topic Labels
0 Likes
3 REPLIES 3

Posted on --/--/---- --:-- AM
pigram86
Bronze 4
Bronze 4
Reply posted on --/--/---- --:-- AM

Have you tried the Madiant Threat Intelligence integration? 

You could also download the CSV from your screenshot, then import that in a custom list.

0 Likes

Posted on --/--/---- --:-- AM
MarinusC
Bronze 4
Bronze 4
In response to pigram86
Reply posted on --/--/---- --:-- AM

Thank you for your answer.
But, the Mandiant Threat Intelligence integration won´t solve this issue, you can enrich existing entities in SOAR.
To import the CSV in a list for a rule and search for detections is also not a proper solution. 
It is manual work and not proactive.

0 Likes

Posted on --/--/---- --:-- AM
dlove40
Bronze 5
Bronze 5
Reply posted on --/--/---- --:-- AM

You can do it with a detection rule that matches the IOC data with your UDM events.

dlove40_0-1730404373920.png

 

Top Solution Authors
View all