In Google SecOps Chronicle SOAR, when using a custom connector, you can return a CaseInfo() or AlertInfo() object. If CaseInfo() is returned, it creates a case and may generate an event, which sometimes Chronicle treats as an alert.
Can you clarify the following:
A Case is a collection of one or more Alerts, grouped by common values and time. Alerts can be detections generated by rules or ingested via connectors or webhooks and are made up of Events. Each Alert contains one or more security Events. Events represent information gathered from various security technologies and log sources ingested into SecOps as raw logs.
Here's a visual of this for you:
There are 5 alerts. Each tab is a specific alert, and the number in parentheses shows the events tied to that alert.
My own personal analogy
In the old traditional world of IDS, a single TCP packet would trigger a detection. In this case 1 Event happened, and it triggered 1 Alert. This is ingested into SecOps and becomes, or joins, an existing case.
If the IDS has a rule for "10 Packets to the same port in 5 minutes", this would be 10 packets in 1 Alert. Here each Event maps to 1 of the Packets (or, in other cases, logs map to Events).
Therefore, in playbook building, if you want port numbers, IP addresses or usernames, these are usually in the Event, but if you want the severity of the detection that fired, that is at the encapsulating Alert level.
Hope that helps
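To make the Event/Alert hierarchy from the answer above concrete, here is an added example (it is not the poster's code and not the Chronicle SOAR SDK itself). It models the two IDS cases described: a signature rule where one Event becomes one Alert, and a threshold rule ("10 packets to the same port in 5 minutes") where ten Events roll up into a single Alert. The alert dicts use the key names `name`, `rule_generator`, `priority` and `events` to mirror the fields a connector would populate on an AlertInfo object; that mapping, the log format and the log lines are all constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample IDS log lines (not real traffic). One line == one Event.
# Ten packets hit port 22 inside five minutes, two hit port 80 (below the
# threshold), and one packet matches a signature.
SAMPLE_LOGS = """\
2024-05-01T12:00:05Z src=10.0.0.5 dst=10.0.1.9 dport=22 sig=-
2024-05-01T12:00:31Z src=10.0.0.5 dst=10.0.1.9 dport=22 sig=-
2024-05-01T12:01:02Z src=10.0.0.5 dst=10.0.1.9 dport=22 sig=-
2024-05-01T12:01:10Z src=10.0.0.7 dst=10.0.1.9 dport=80 sig=-
2024-05-01T12:01:11Z src=10.0.0.7 dst=10.0.1.9 dport=80 sig=-
2024-05-01T12:01:20Z src=10.0.0.5 dst=10.0.1.9 dport=22 sig=-
2024-05-01T12:01:44Z src=10.0.0.5 dst=10.0.1.9 dport=22 sig=-
2024-05-01T12:02:10Z src=10.0.0.5 dst=10.0.1.9 dport=22 sig=-
2024-05-01T12:02:37Z src=10.0.0.5 dst=10.0.1.9 dport=22 sig=-
2024-05-01T12:02:40Z src=10.0.0.9 dst=10.0.1.9 dport=445 sig=SAMPLE-SIG-001
2024-05-01T12:03:05Z src=10.0.0.5 dst=10.0.1.9 dport=22 sig=-
2024-05-01T12:03:30Z src=10.0.0.5 dst=10.0.1.9 dport=22 sig=-
2024-05-01T12:04:01Z src=10.0.0.5 dst=10.0.1.9 dport=22 sig=-
"""


def parse_event(line: str) -> dict:
    """Turn one raw log line into an Event: a flat dict of the fields a
    playbook would later read (src, dst, dport, sig, timestamp)."""
    ts, *kvs = line.split()
    event = {k: v for k, v in (kv.split("=", 1) for kv in kvs)}
    event["timestamp"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    event["dport"] = int(event["dport"])
    return event


def make_alert(name: str, rule: str, priority: int, events: list) -> dict:
    """Build an Alert. Key names mirror AlertInfo fields (assumption);
    severity lives here, while ports/IPs stay inside the wrapped Events."""
    return {
        "name": name,
        "rule_generator": rule,
        "priority": priority,
        "start_time": min(e["timestamp"] for e in events),
        "end_time": max(e["timestamp"] for e in events),
        "events": events,
    }


def build_alerts(events: list, threshold: int = 10,
                 window: timedelta = timedelta(minutes=5)) -> list:
    """Apply the two rules from the analogy and return the resulting Alerts."""
    alerts = []

    # Rule 1: a signature match is a detection on its own, so each matching
    # Event becomes exactly one Alert wrapping that single Event.
    for ev in events:
        if ev["sig"] != "-":
            alerts.append(make_alert(f"Signature {ev['sig']}", "ids-signature",
                                     priority=80, events=[ev]))

    # Rule 2: threshold rule. N Events to the same destination port inside
    # the window become ONE Alert that carries all N Events.
    by_port = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        by_port[(ev["dst"], ev["dport"])].append(ev)

    for (dst, port), evs in by_port.items():
        i = 0
        while i < len(evs):
            j = i
            while j < len(evs) and evs[j]["timestamp"] - evs[i]["timestamp"] <= window:
                j += 1
            if j - i >= threshold:
                alerts.append(make_alert(f"{j - i} packets to {dst}:{port}",
                                         "ids-threshold", priority=50,
                                         events=evs[i:j]))
                i = j          # these Events are consumed by this Alert
            else:
                i += 1
    return alerts


# Playbook-side helpers: severity is read from the Alert, entity details
# (ports, IPs) are read from the Events the Alert encapsulates.
def alert_severity(alert: dict) -> int:
    return alert["priority"]


def event_values(alert: dict, field: str) -> list:
    return [ev[field] for ev in alert["events"]]


def run_sample() -> list:
    events = [parse_event(line) for line in SAMPLE_LOGS.splitlines()]
    return build_alerts(events)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert["name"], "severity", alert_severity(alert),
              "ports", sorted(set(event_values(alert, "dport"))),
              "events", len(alert["events"]))
```

Running it yields two Alerts: the signature Alert holding one Event, and the threshold Alert holding the ten port-22 Events. The two port-80 packets stay as Events that never reach an Alert, which is the behaviour to expect when a playbook looks for an entity in a case and cannot find it: the Event may exist in the raw log store without any Alert having wrapped it.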