This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Hi everyone! Recently I've configured the Google Chronicle Alerts Connector in order to receive an alert on the SOAR everytime a rule in the SIEM is triggered. Now I need to catch within a playbook some informations that are stored in the meta section of the triggered Yara-L rule. These fields are mapped in chronicle SOAR as something like "detection_1_ruleLabels_1_FIELDNAME". The problem is that the number after "ruleLabels" is not static. For example the field "detection_1_ruleLabels_1_author" could be "detection_1_ruleLabels_7_author" for another alert in the same case. Did anyone know if there is a way to match something like "detection_1_ruleLabels_*_FIELDNAME" in a playbook?
checked with the team, in Q2 plan we should have an update to the Chronicle connector exactly for this issue, to improve mapping and handling capabilities of events
LinkedIn
Twitter
