Is there any way through which we can get the raw logs from Chronicle SIEM back to SOAR?

Hey Team, is there any way through which we can get the raw logs (not UDM mapped) from Chronicle SIEM back to SOAR? Something like a reverse search from SOAR to SIEM, or anything else, as we only have the mapped fields available in SOAR. Thank you

5 REPLIES

Hi @Suraj_R, can you please tell me which use case you are using this for?

I can think of one that we have for a use case.

Email-generated alerts or API alerts from tools that we pull into the SOAR, to then forward into the SIEM for other event correlation, would be very useful.

You can use a custom action and pass the metadata.id field from the event. This will return the log in a base64-encoded format, which you can decode later.

https://cloud.google.com/chronicle/docs/reference/search-api#getlog
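
The approach above, worked through as an added example (this is not code from the thread, from the Chronicle integration or from Google's SDK): a small Python helper that takes the metadata.id value from the SOAR event, builds the getLog request, and decodes the base64 body into the raw log text. The endpoint path (`/v1/getLog`), the query parameter name (`log_id`) and the name of the base64 field in the JSON response (`data`) are placeholders; take the real ones from the linked getLog reference. The HTTP layer is injected as a function so the decode logic runs offline against a constructed response; inside a SOAR custom action you would replace `fake_transport` with an authenticated `requests` call.

```python
"""Added example, not from the thread or from Google's Chronicle SDK.

Assumptions (placeholders, not the documented values): the path '/v1/getLog',
the 'log_id' query parameter and the 'data' response field. Take the real
names from the getLog reference linked above.
"""
import base64
import binascii
import json
from typing import Callable, Dict, Tuple


def build_getlog_request(base_url: str, log_id: str, access_token: str) -> Dict[str, object]:
    """Assemble the request for one raw log.

    `log_id` is the UDM metadata.id value taken from the SOAR event.
    Path and parameter name are assumptions (see module docstring).
    """
    if not log_id or any(c.isspace() for c in log_id):
        raise ValueError("metadata.id must be a non-empty, whitespace-free id")
    return {
        "method": "GET",
        "url": f"{base_url.rstrip('/')}/v1/getLog",   # placeholder path
        "params": {"log_id": log_id},                   # placeholder parameter name
        "headers": {"Authorization": f"Bearer {access_token}"},
    }


def decode_raw_log(response_body: str, field: str = "data") -> str:
    """Pull the base64 field out of the getLog JSON body and decode it.

    Accepts both the standard and the URL-safe alphabet and repairs missing
    '=' padding, so a stripped or URL-safe value still decodes to the exact
    original bytes. Invalid base64 raises ValueError instead of returning
    garbage into the playbook.
    """
    payload = json.loads(response_body)
    if field not in payload:
        raise KeyError(f"response has no '{field}' field; keys: {sorted(payload)}")
    b64 = payload[field].strip().replace("-", "+").replace("_", "/")
    b64 += "=" * (-len(b64) % 4)
    try:
        raw = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"'{field}' is not valid base64: {exc}") from exc
    return raw.decode("utf-8", errors="replace")


def fetch_raw_log(base_url: str, log_id: str, access_token: str,
                  transport: Callable[[Dict[str, object]], Tuple[int, str]]) -> str:
    """Fetch and decode one raw log. `transport(request)` returns (status, body)."""
    request = build_getlog_request(base_url, log_id, access_token)
    status, body = transport(request)
    if status != 200:
        raise RuntimeError(f"getLog returned HTTP {status}: {body[:200]}")
    return decode_raw_log(body)


# Constructed sample input: a firewall syslog line as the endpoint would return
# it, base64-encoded inside a JSON body. fake_transport stands in for the
# authenticated HTTPS call a real custom action would make.
SAMPLE_RAW_LOG = ("<134>Jan  5 10:01:02 fw01 kernel: DROP IN=eth0 "
                  "SRC=10.0.0.5 DST=203.0.113.9 PROTO=TCP DPT=445")
SAMPLE_RESPONSE = json.dumps(
    {"data": base64.b64encode(SAMPLE_RAW_LOG.encode("utf-8")).decode("ascii")}
)


def fake_transport(request: Dict[str, object]) -> Tuple[int, str]:
    """Offline stand-in for the HTTP client; checks the bearer header is set."""
    if not str(request["headers"]["Authorization"]).startswith("Bearer "):
        return 401, '{"error": "missing bearer token"}'
    return 200, SAMPLE_RESPONSE


if __name__ == "__main__":
    # In a SOAR custom action the id would come from the event's
    # metadata.id field and the token from the integration's credentials.
    print(fetch_raw_log("https://example.invalid", "abc123", "test-token", fake_transport))
```

Because `decode_raw_log` returns the raw text rather than printing it, a custom action can hand it straight back to the playbook (for example via the action's JSON result) and later steps can parse fields that never made it into the UDM mapping.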

For this ("Something like a reverse search from SOAR to SIEM or anything else"), you can also use an out-of-the-box action within the Chronicle integration called Execute UDM Query, which allows you to execute queries from SOAR into Chronicle SIEM and get back results.

@severinsimko yes, but it says "not UDM mapped". The key issue is that we don't always have all the needed info in UDM fields.