Cool non-security alert automation

Hi, all! We're still working on the details, but I wanted to share a cool non-security alert automation my team is working on using Chronicle SOAR. We've got a very busy 24/7/365 SOC with 20+ analysts/analyst interns, and we also have a very permissive PTO policy. (Our SOC's motto is "People First; Mission Always". We don't track PTO and encourage frequent time off to protect against burnout.) Managing that can get pretty crazy, so one of our senior analysts developed a form using Google Sheets/Google Studio to manage PTO requests. After submission, the form sends an email to our monitoring inbox, which creates a Chronicle SOAR case/alert with the basic details of the request and sends a notification to our Sr Analyst Slack channel (where most of our comms occur). We're just getting started on this playbook and will eventually add a lot more functionality, but this was a cool use case that I thought I'd share.
Comments
This is cool. I hooked up a Google Form using a Google Apps Script:
    var POST_URL = "https://*****.siemplify-soar.com/webhooks/*****";

    function onSubmit(e) {
      var form = FormApp.getActiveForm();
      var allResponses = form.getResponses();
      // The submission that fired this trigger is the last one in the list
      var latestResponse = allResponses[allResponses.length - 1];
      var response = latestResponse.getItemResponses();
      //var id = e.source.getId();
      var formId = latestResponse.getId();
      var malURL;
      var email;
      // Question order in the form: first the reported URL, then the reporter's email
      for (var i = 0; i < response.length; i++) {
        if (i === 0) {
          malURL = response[i].getResponse();
        }
        if (i === 1) {
          email = response[i].getResponse();
        }
      }
      console.log(malURL + " " + email);
      // Build the payload once, after both answers have been collected
      var payload = {"URL": malURL, "Time": Date.now(), "ID": formId, "Email": email, "data": [email, malURL]};
      var options = {
        "method": "post",
        "contentType": "application/json",
        "payload": JSON.stringify(payload)
      };
      UrlFetchApp.fetch(POST_URL, options);
    }

I just have to figure out how to get Chronicle SOAR to recognise the payload as event data. I hope it'll streamline data ingestion into SOAR from people across the business.
The use case for this form is to collect malicious URLs that internal users may have concerns about.
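The form-to-webhook flow from the comment above, as an added example that is not the poster's script: answers are picked out by question title instead of answer position, and the reported value has to parse as an http(s) URL before a payload is built, so a bad submission fails here rather than turning into a junk SOAR case. The question titles, webhook URL and the {title, response} shape of the input are assumptions; `buildPayload` is plain JavaScript and runs outside Apps Script.

```javascript
// Hypothetical question titles; change these to match the real form.
const URL_QUESTION = "Suspicious URL";
const EMAIL_QUESTION = "Your email";
// Placeholder webhook; the real one comes from the SOAR webhook integration.
const POST_URL = "https://EXAMPLE.siemplify-soar.com/webhooks/PLACEHOLDER";

// itemResponses: array of {title, response} pairs, the shape you get from
// Apps Script's getItemResponses() via getItem().getTitle() / getResponse().
// Returns the webhook payload, or throws if the submission is unusable.
function buildPayload(itemResponses, formId, now) {
  const answers = {};
  for (const r of itemResponses) {
    answers[r.title] = String(r.response).trim();
  }
  const reported = answers[URL_QUESTION];
  const email = answers[EMAIL_QUESTION];
  if (!reported || !email) {
    throw new Error("missing URL or email answer");
  }
  // Accept only values that parse as http(s) URLs; a non-URL string or a
  // different scheme (javascript:, file:, hxxp:) is rejected.
  let parsed;
  try {
    parsed = new URL(reported);
  } catch (e) {
    throw new Error("reported value is not a valid URL");
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
    throw new Error("only http/https URLs are accepted");
  }
  // Simple shape check on the reporter's address before it lands in the case.
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
    throw new Error("reporter email is malformed");
  }
  return { URL: parsed.href, Time: now, ID: formId, Email: email, data: [email, parsed.href] };
}

// Apps Script entry point (same flow as the poster's script); only runs in Apps Script.
function onSubmit(e) {
  const all = FormApp.getActiveForm().getResponses();
  const latest = all[all.length - 1];
  const items = latest.getItemResponses().map(r => ({
    title: r.getItem().getTitle(),
    response: r.getResponse(),
  }));
  const payload = buildPayload(items, latest.getId(), Date.now());
  UrlFetchApp.fetch(POST_URL, {
    method: "post", contentType: "application/json", payload: JSON.stringify(payload),
  });
}
```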