Hello community,
I have a question regarding the availability of SIEM entity attribute.label fields in the SOAR. When an alert is generated from an event associated with an entity that has attribute.label fields in the SIEM, are those fields reflected in the entity when visiting the entity highlight section of the alert in the case? If so, how can I make those fields available in the SOAR?
Hey @jaymin ,
There is no simple way of achieving this without writing custom code, but I am currently working on an "Enrich Entities" action for the Google Chronicle integration, which will use the same information you've highlighted in the pictures as its source.
I've already added a note to myself that custom "attributes" should also be handled.
In terms of when that action will be available, I can't give an ETA, but the plan is to start the work in Q2.
Hi @ylandovskyy, thanks for the update. Looking forward to seeing that "Enrich Entities" action in action.
In the meantime, I've been exploring the Chronicle API to see if I can use it to retrieve entity data in the SOAR.
I came across the following endpoints that might be useful for my use case:
However, when I try to make the API call to both endpoints, I'm getting a 404 Client Error: Not Found for the URL https://chronicle.googleapis.com/v1alpha/projects/<PROJECT_ID>/locations/<LOCATION>/instances/<CUSTOMER_ID>:findEntity?entity=entities/<ENTITY_IDENTIFIER>.
I've also tried using the secops python package, but it doesn't support the `findEntity` method. I tried using the `summarizeEntity` method instead, but it only returns metadata information and not the fields I need.
Do you know what might be causing the 404 error I'm getting when trying to call the `findEntity` and `searchEntities` endpoints?
Is there an alternative way to retrieve the entity data from the SIEM in the SOAR?
Should I wait for the "Enrich Entities" action to be available?
I appreciate your help.
@jaymin For my design, I used this endpoint:
https://{API Root}/v1alpha/projects/{project ID}/locations/{location}/instances/{customer id}:searchEntities?indicator={entity identifier like IP, domain, hash}
I've used Google Cloud API integration to test and it worked correctly.
Up to you to decide, if you want to wait for the official release.
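As an added illustration (not code posted by anyone in this thread, and not the Chronicle integration's own code), the snippet below builds the `searchEntities` URL in the shape @ylandovskyy shared, with the indicator URL-encoded, and then pulls `attribute.labels` out of a response. The response is a constructed sample that assumes the UDM Entity layout (`entities[].entity.attribute.labels` as key/value pairs); it is not output captured from a live instance, so check it against what your tenant actually returns before wiring it into a SOAR action.

```python
"""Build a Chronicle searchEntities URL and extract entity attribute labels.

Added example for this thread. The endpoint path follows the shape posted in
the reply above; the response layout (entities[].entity.attribute.labels as
{key, value} pairs) is an ASSUMPTION about the UDM Entity model, and
SAMPLE_RESPONSE is constructed, not captured from a real instance.
"""
from urllib.parse import quote, urlencode


def build_search_entities_url(api_root, project_id, location, customer_id, indicator):
    """Return https://{api_root}/v1alpha/projects/{project}/locations/{location}
    /instances/{customer_id}:searchEntities?indicator=<encoded indicator>.

    Path segments are percent-encoded so an unexpected character cannot alter
    the resource path; the indicator goes through urlencode so IPs, domains
    and hashes are all safe as a query value.
    """
    base = (
        f"https://{api_root}/v1alpha/projects/{quote(project_id, safe='')}"
        f"/locations/{quote(location, safe='')}"
        f"/instances/{quote(customer_id, safe='')}:searchEntities"
    )
    return f"{base}?{urlencode({'indicator': indicator})}"


def extract_attribute_labels(response):
    """Flatten each returned entity into {"entity_type": ..., "labels": {...}}.

    Entities without an attribute block (or without labels) yield an empty
    labels dict instead of raising, so a SOAR action can enrich what exists
    and skip the rest.
    """
    results = []
    for ent in response.get("entities", []):
        noun = ent.get("entity", {})
        labels = {}
        for label in noun.get("attribute", {}).get("labels", []):
            key = label.get("key")
            if key is None:
                continue
            labels[key] = label.get("value", "")
        results.append(
            {
                "entity_type": ent.get("metadata", {}).get("entityType"),
                "labels": labels,
            }
        )
    return results


# Constructed sample (assumed UDM Entity shape): one asset with two custom
# labels and one user entity with no attribute block at all.
SAMPLE_RESPONSE = {
    "entities": [
        {
            "metadata": {"entityType": "ASSET"},
            "entity": {
                "asset": {"hostname": "ws-0142.corp.example", "ip": ["10.20.30.40"]},
                "attribute": {
                    "labels": [
                        {"key": "owner", "value": "finance"},
                        {"key": "criticality", "value": "high"},
                    ]
                },
            },
        },
        {
            "metadata": {"entityType": "USER"},
            "entity": {"user": {"userid": "jdoe"}},
        },
    ]
}


if __name__ == "__main__":
    # Placeholder project/location/customer values; substitute your own.
    url = build_search_entities_url(
        "chronicle.googleapis.com", "my-project", "us",
        "00000000-0000-0000-0000-000000000000", "10.20.30.40",
    )
    print(url)
    for item in extract_attribute_labels(SAMPLE_RESPONSE):
        print(item["entity_type"], item["labels"])
```

The HTTP call itself (with a bearer token for the Chronicle API) is left to the SOAR integration you are testing with, such as the Google Cloud API integration mentioned above; the point here is getting the URL right and turning the labels list into a dict you can map onto entity fields in the case.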