Log Ingestion using Google Chronicle Connector

We currently have a Google Chronicle connector set up with the default environment, which successfully ingests alerts into SOAR. I've recently created a new environment (Test env) and integrated a new connector, activating it while deactivating the previous one. However, I'm now facing issues with alert ingestion into SOAR from this new setup.

Is there any additional configuration required on the Chronicle SIEM side to ensure alerts are received through the new connector?

1 ACCEPTED SOLUTION

In the SIEM Connector within SOAR you can specify the SOAR Environment that YARA-L Alerts are mapped to using the "Environment Field".

If this is one SIEM tenant, but you want alerts to go to multiple SOAR Environments, then ideally you have a way of synchronizing the YARA-L Alerts and the SOAR Namespace, e.g., using the UDM field `event_metadata_baseLabels_namespaces_1`. This is a neat solution if you have consistent namespace tagging.

If you don't have a consistent naming convention to link between the two, then you can create a Chronicle Alerts Connector per SOAR Environment and use the Dynamic List feature to include or exclude YARA-L rules based upon their rule ID:

`Rule.ruleID = ru_b38e2076-cd4e-4054-b911-ed82782f93d4,ru_8cb13672-e52f-42a6-a1a1-3cdd7e5409cb`
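To make the two routing options in this answer concrete, here is an added illustration (not Chronicle's or SOAR's own code) that simulates locally how alerts would be split across SOAR environments: first by the UDM namespace label `event_metadata_baseLabels_namespaces_1`, then by a per-environment Dynamic List of rule IDs. The alert records are constructed samples; the two rule IDs are the ones quoted above, the `ru_placeholder-*` IDs, the namespace values and the environment names are assumptions. The last function is the check a practitioner would want before activating several connectors at once: which rule IDs are claimed by more than one environment (ingested twice) and which are claimed by none (silently dropped).

```python
# Added illustration of the routing logic described in the answer; this is not
# Chronicle's or SOAR's own code. Sample alerts below are constructed: the two
# real-looking rule IDs come from the answer, the rest are placeholders.
NAMESPACE_FIELD = "event_metadata_baseLabels_namespaces_1"

SAMPLE_ALERTS = [
    {"rule_id": "ru_b38e2076-cd4e-4054-b911-ed82782f93d4", NAMESPACE_FIELD: "prod"},
    {"rule_id": "ru_8cb13672-e52f-42a6-a1a1-3cdd7e5409cb", NAMESPACE_FIELD: "test"},
    {"rule_id": "ru_placeholder-rule-id-0000", NAMESPACE_FIELD: "prod"},  # hypothetical
    {"rule_id": "ru_placeholder-rule-id-0001"},  # hypothetical, no namespace label
]


def parse_dynamic_list(entry: str) -> tuple[str, set[str]]:
    """Parse a Dynamic List line such as 'Rule.ruleID = id1,id2'.

    Returns (field name, set of IDs). Whitespace around '=' and between IDs is
    tolerated; empty items (trailing commas) are dropped.
    """
    key, sep, values = entry.partition("=")
    if not sep:
        raise ValueError(f"dynamic list entry has no '=': {entry!r}")
    ids = {v.strip() for v in values.split(",") if v.strip()}
    if not ids:
        raise ValueError(f"dynamic list entry has no rule IDs: {entry!r}")
    return key.strip(), ids


def filter_by_rule_id(alerts: list[dict], entry: str, mode: str = "include") -> list[dict]:
    """Apply one Dynamic List to a batch of alerts as an include or exclude list."""
    key, ids = parse_dynamic_list(entry)
    if key != "Rule.ruleID":
        raise ValueError(f"unsupported dynamic list field: {key!r}")
    if mode == "include":
        return [a for a in alerts if a.get("rule_id") in ids]
    if mode == "exclude":
        return [a for a in alerts if a.get("rule_id") not in ids]
    raise ValueError(f"mode must be 'include' or 'exclude', got {mode!r}")


def route_by_namespace(alerts: list[dict], namespace_to_env: dict[str, str],
                       default_env: str) -> dict[str, list[str]]:
    """Map alerts to SOAR environment names via the namespace label.

    Alerts with no label, or a label that is not in the mapping, fall back to
    default_env so that nothing is lost because of inconsistent tagging.
    """
    routed: dict[str, list[str]] = {}
    for alert in alerts:
        env = namespace_to_env.get(alert.get(NAMESPACE_FIELD, ""), default_env)
        routed.setdefault(env, []).append(alert["rule_id"])
    return routed


def coverage_report(alerts: list[dict], include_lists: dict[str, str]) -> tuple[set[str], set[str]]:
    """Check one include-style Dynamic List per environment against the alert stream.

    Returns (duplicated, unrouted): rule IDs matched by more than one
    environment's list, and rule IDs seen in alerts that no list matches.
    """
    claims: dict[str, int] = {}
    for entry in include_lists.values():
        _, ids = parse_dynamic_list(entry)
        for rule_id in ids:
            claims[rule_id] = claims.get(rule_id, 0) + 1
    duplicated = {rid for rid, n in claims.items() if n > 1}
    seen = {a["rule_id"] for a in alerts}
    unrouted = {rid for rid in seen if rid not in claims}
    return duplicated, unrouted


if __name__ == "__main__":
    print(route_by_namespace(SAMPLE_ALERTS,
                             {"prod": "Default Environment", "test": "Test env"},
                             "Default Environment"))
    lists = {
        "Default Environment": "Rule.ruleID = ru_b38e2076-cd4e-4054-b911-ed82782f93d4,ru_placeholder-rule-id-0000",
        "Test env": "Rule.ruleID = ru_8cb13672-e52f-42a6-a1a1-3cdd7e5409cb,ru_placeholder-rule-id-0000",
    }
    print(coverage_report(SAMPLE_ALERTS, lists))
```

The namespace route degrades gracefully (unlabelled alerts go to the default environment), whereas the per-connector include lists do not: a rule ID missing from every list is never ingested, and one present in two lists is ingested twice, which is exactly what `coverage_report` surfaces.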
