Community Webinar: SecOps Forwarder Deprecation & Open Telemetry Bindplane Use Cases
I'm looking for a way to identify Google SecOps SOAR cases where one or more playbook executions have failed. My goal is to programmatically retrieve a list of these cases, ideally using methods available within the Siemplify SDK (Python), so I can process them further in custom jobs or actions. Is there a specific Siemplify SDK method, API endpoint, or recommended approach to filter cases based on the success/failure status of their associated playbook runs? I'm trying to avoid manually checking the playbook monitor for each case. Thanks!
I’m trying to use the Chronicle SOAR integration from a SecOps instance to work with Data Tables. The integration works when tested and with actions like UDM queries, Enrich, etc., but fails with the following error when using the Data Tables actions:

```
Permission chronicle.dataTables.get' denied on resource //chronicle.googleapis.com/projects/REDACTED/locations/europe-west1/instances/REDACTED/dataTables/Test' (or it may not exist).
```

Who should I assign these permissions to?
Created a quick action which allows users to quickly create an HTML report based on multiple values across all alerts/events. Added the quick action via SOAR Settings -> Case Data -> Views -> Default Case View -> Quick Actions.

Problem I am facing: the action does not allow me to pre-configure the "Run on Alerts" field. If a user does not uncheck all but one alert, my action executes up to 20 times, flooding the case wall with report comments. Is there a setting/configuration I am missing?
TL;DR: We're launching Policy-based challenges for reCAPTCHA. This new feature bridges the gap between passive, score-based protection and user-facing challenges, giving you precise, deterministic control. Now you can:

Trigger challenges based on your selected risk scores, not a black box.
Set custom risk score thresholds for specific user actions (e.g., login, checkout).
Intelligently apply friction only to suspicious traffic, protecting user experience and your properties.

reCAPTCHA previously offered two distinct capabilities for protecting your web properties from fraud and abuse. First, there's score-based detection, a powerful, frictionless way to assess interaction risk behind the scenes, providing a score from 0.0 to 1.0. This option offers flexibility, giving you the final decision on how to act on the score. Second, there are checkbox challenges, which provide a clear "pass/fail" verification with a risk score. While effective, the timing of these challenges was not customizable.
Risk Analytics is a crucial feature within Google SecOps SIEM designed to help security teams identify unusual behavior and quantify the potential risk that various entities pose to the enterprise. It empowers analysts to move beyond basic alert triage and focus on the entities that represent the most significant threat.

Key Components of the Risk Analytics Dashboard

The central hub for this feature is the Risk Analytics dashboard, which provides a holistic view of entity risks, accessible to users with global scope in RBAC systems.

Behavioral Analytics: This section lists entities (such as user accounts, servers, or laptops) based on their calculated Google Security Operations Entities risk scores. This allows tracking an entity's risk over time and serves as a metric for detection use cases.

Watchlist: This section highlights entities based on internal enterprise risk calculations, complementing the behavioral analysis with organization-specific context.

Risk Calculation Window:
Hi, I’m trying to create a detection rule in Chronicle that identifies cases where too many requests are sent to an external load balancer — specifically, more than 10,000 requests from the same IP within one day, where the response status is 400 or 500. This is the rule I wrote:

```
rule too_many_requests_to_external_lb {
  meta:
    severity = "HIGH"
    platform = "Chronicle"
  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.principal.ip = $ip
    $e.network.http.response_code = 400 OR $e.network.http.response_code = 500
  match:
    $ip over 24h
  outcome:
    $http_method = array_distinct($e.network.http.method)
    $rule_name = array_distinct($e.security_result.rule_name)
    $remote_ip = array($ip)
  condition:
    #e >= 10000
}
```

According to my Cloud Logging data, I know exactly when such an event occurred, so I used those timestamps to run Rule Test. I expected to get a detection with around 10,000 events, but instead I always get 1 detection with only 10 events. I would like to understand wh
I am working on an integration for which the SDK is available on GitHub, but it is not registered on PyPI. I wanted to check whether I can use that SDK to create my integration. I am able to add custom .whl files to my integration in the SecOps SOAR IDE, but I want to make sure that it’s allowed to use such libraries and include custom .whl files when submitting the integration to the marketplace. Any feedback is appreciated. Thanks. cc: @talshapir @ylandovskyy
If I have to disable a human user on Google Workspace using Google SecOps SOAR, which integration should I use for Google Workspace?
Hi, I want to verify that Cloud Armor logs are indeed visible in Chronicle through the Load Balancer logs. From what I understand, Cloud Armor events are included in the external load balancer logs and should appear in Chronicle with event_type = "NETWORK_CONNECTION". When I filter the logs in SecOps ingestion, I currently use:

```
OR log_id("loadbalancing.googleapis.com/external_regional_requests")
OR log_id("requests")
```

Is this filter sufficient to capture all relevant Cloud Armor activity (such as allowed or blocked requests), or are there additional log_id values that I should include to ensure full coverage of Cloud Armor logs in Chronicle? Thank you!
I want to assign a department name to each feed ID using a data table. I want to assign a department name to the Department variable for each feed_id used for import. The data table contains a combination of feed_id and department name for each row. For example, when the feed_id is "86d50640-a952-4723-8001-fbbc22e7c446", I want the Department variable to be set to "C". Is this possible? I tried creating the following query, but it didn't work.

```
ingestion.log_type = "CISCO_MERAKI"
$Department = if(ingestion.feed_id in %imano_feed_id.feed_id, %imano_feed_id.department, "other")
match:
  $Department
outcome:
  $Volume = math.round(sum(ingestion.log_volume) / (1000), 2)
order:
  $Volume desc
```

The error message is as follows:

```
compilation error compiling query: validating query: unsupported Data Table field imano_feed_id as argument in function IfThenElse line: 4 column: 1-97 : invalid argument
```

If the above is difficult, is it possible to manually set the department and only compare the feed_id fr
When we run a test in the rule editor and get a list of a few test detections, is it possible to create a case out of them to test or refer to for playbook creation?
I have 2 questions that need to be addressed:

How do I move cases from "default" to another environment? Is there a way to associate a detection rule so that the alerts it creates are tied to a specific environment other than default?

Is it possible to move cases from default to another environment via a playbook? What action do I need to use?
Hi, I’m building a dashboard (v2) but the fields I want to dashboard use IDs instead of names. I want some of the IDs to point to the same name too. I’m not sure what feature of YARA-L to use to achieve this. Here’s an example with dummy data: I want IDs 52a11631-8a6d-42be-aeb9-a6f8754e186c and 9a50ae9f-11e5-4475-88de-0ba55d8d6745 to be displayed as a single item named “XSS”, while fcfc4231-21cf-4eec-b542-14687225b1b4 and 106886e1-e52d-4254-b57a-54b550db1602 are displayed as a single item named “SQLi” in a bar chart in the dashboard. It doesn’t look like the dashboard interface is capable of doing this, so I’m thinking I need to build out a YARA-L query. I want to create a query that looks similar to the following, but I’m not sure how to do it within the constraints of the YARA-L syntax supported by the new dashboards engine:

```
metadata.product_name = "WAF" AND security_result.action = "BLOCK"
$Rule_ID = security_result.rule_id
if($Rule_ID = ((“ID-string-1”,”ID-string-2”),$Rule_name = “XSS”)
if(
```