Cool non-security alert automation

Cool non-security alert automation

Hi, all! We're still working on the details, but I wanted to share a cool non-security alert automation my team is working on using Chronicle SOAR. We've got a very busy 24/7/365 SOC with 20+ analysts/analyst interns, and we also have a very permissive PTO policy (Our SOC's motto is "People First; Mission Always". We don't track PTO and encourage frequent time off to protect against burn out.) Managing that can get pretty crazy, so one of our senior analysts developed a form using Google Sheets/Google Studio to manage PTO requests. After submission, the form sends an email to our monitoring inbox which creates a Chronicle SOAR case/alert with the basic details of the request and sends a notification to our Sr Analyst Slack channel (where most of our comms occur). We're just getting started on this playbook and will eventually add a lot more functionality, but this was a cool use case that I thought I'd share.

View files in slack



  • this is cool I hooked up a google form using a google app script

    var POST_URL = "https://**********";

    function onSubmit(e) {
    var form = FormApp.getActiveForm();
    var allResponses = form.getResponses();
    var latestResponse = allResponses[allResponses.length - 1];
    var response = latestResponse.getItemResponses();
    //var id = e.source.getId();
    var formId = latestResponse.getId();
    var payload = {};
    for (var i = 0; i < response.length; i++) {
    var malURL = response[i].getResponse();
    if (i=1){
    var email = response[i].getResponse();}
    console.log(malURL + " " + email);
    payload={"URL": malURL, "Time":, "ID": formId, "Email": email, "data":[email, malURL]}

    var options = {
    "method": "post",
    "contentType": "application/json",
    "payload": JSON.stringify(payload)
    UrlFetchApp.fetch(POST_URL, options);
    }; I just have to figure out how to get chronicle SOAR to recognise the payload as event data. I hope it’ll streamline data ingestion into SOAR from people across the business.

    The use case for this form is to collect malicious url’s that internal users may have concerns about

Sign In or Register to comment.