[Quick Tip] How to share information between playbooks
Sometimes, you might be in a situation, where you want to share information between multiple playbooks, even a...
SecOps SOAR
This is the place to discuss all things related to SOAR, including best practices, tools, and use cases. We encourage you to ask questions, share your knowledge and experience with the community.
Forum Posts
[Important] New Platform Feature - Custom Fields
This week we released Custom Fields - a new Case Management feature that allows you to extend the cases and al...
Leverage GenAI in automation with Vertex AI integration
We just released a new integration - Vertex AI! It's in public preview. If you are not familiar with Vertex AI...
Upgrade to Python 3.11 for the latest security and functionality updates
Hello Google SecOps Users, On July 14, 2024, Python 3.11 with migration best practices was made available in G...
How to Check If Mandiant Threat Intelligence is Working in Google Chronicle for IOC Matches
Hi everyone,We’ve noticed that for the past week, we haven’t seen any alerts or results related to Mandiant Th...
How to create and join to the Chronicle Free Edition
Has anyone figured out how to use Chronicle SOAR free edition? I have an account and it shows my profile and t...
Is there a Chronicle Trial for the SIEM ?
Is there a Chronicle Trial for the SIEM part that allows you to test ingestions?
Context value verification
I have set a context value for a filed Threat_type = "URL" and used action get context value to verify if it w...
Widget - Tag Filter
We are creating Widgets and the Tag Filter is taking forever to return results. Is this normal? We don't have ...
Issue with IsFavorite Parameter Not Being Reflected in API response (add attachment)
We are using the /external/v1/cases/AddEvidence/ endpoint to add evidence as an attachment to a case. Despite ...
Virustotal enrich list of IP's
Hi,I have got a list of IP's which was accesed by a process and was enriched with a block and now wanted to ch...
SOAR Community Edition - Access
Unable to reach the SOAR Community Edition Access request page - https://chronicle.security/soar-free-edition/...
Ping action in Secops SOAR
Heyy Everyone,I'm working on creating a custom integration for Copilot. However, I'm encountering an issue whe...
Dynamic Case Name and Severity
We have onboarded alerts from a 3rd party security product in SIEM. We have a single detection rule which moni...
How can we use an action from Integration-A in a custom action in Integration-B ?
I'm looking for the method for using an action from Integration-A within a custom-action in Integration-B in G...
Does Action = "GoogleChronicle-Add Values To Reference List" overwrites the values in reference list
Hello All,Just a question: Does Action = "GoogleChronicle-Add Values To Reference List" overwrites the values ...
Attaching/running multiple playbooks at ingestion
Hey everyone,I have a use case in which I need to run multiple playbooks on the same ingested alert.My first p...
How to update Context Value using API
Looking for updating Context Values using API just like an Action - Set Context Value.
need to write a custom job for action failures in a playbook
Team,My instance is multitenant , i have updated the Actions Monitor code , in the receipients i given my mail...
Convert Epoch time | TemplateEngine - Render Template
Hi,Exploring the TemplateEngine action named Render Template.Trying to convert Epoch time to date and time but...
Creating a Custom Entity View
Hi All,I have a question regarding creating a custom entity view.For example, I have multiple user entities, a...
LDAP Query in SOAR
Looking for a way to query LDAP using a custom action similar to Splunk SOAR's ldap query but do not see a cur...
String Function Action Json
Currently I am trying to test a playbook that takes in a hash as input, but I have multiple hashes coming in t...
EmailV2 Integration Send Mail Failed
I try to use EmailV2 integration to send emails. I created a simple playbook that when there is an alert it wi...
How to avoid duplication of cases/events/alerts ?
I have created a custom connector in Google Secops SOAR but whenever the connector runs it re-creates even tho...
Handling Duplicate Alerts in SOAR with Enabled Connector
When a custom connector runs automatically and ingests the same alerts, cases, or events (alertInfo/caseInfo o...
What is the most effective method to store a value, such as an offset, and subsequently retrieve it?
When working with custom connectors in Google SecOps, it's often necessary to persist certain values, like off...
set context value for field for multiple values
i have these values from the events which is MME file typebut some events have 3 values ,4 values ,5 values -w...
activityKind
HiI was wondering if there is an official list of activityKind?I see activitykind in wall data json for a give...
Soar remote agent
Hi, reading the official doc it says that is necessary to install RHEL 8.7 or centos 7.9, but manual installat...
Issue with "Google Chronicle - Run UDM Query" Action
I'm currently trying to run a query with the run UDM query action in the "Google Chronicle" integration. When ...
Issues with the "Blocklist" - Exclusion does not work
Hello team,Some of our alerts are grouped into one case because of a similar IP Address (0.0.0.0).When trying ...
Replace Old Block with New in the playbook
Hi,I have a working playbook with multiple blocks. To make changes in one of the block i made a copy of the bl...
Create entity
I am using the Create Entity action and trying to create entities for internal ips and domains in a playbook. ...
