ELLIO for Google SecOps
ELLIO brings its non-spoofable recon and mass-exploitation intelligence into Google SecOps (Chronicle) across two surfaces. Use either or both.
| You want to | Use |
|---|---|
| Stream ELLIO indicators into the SIEM for native detection rules, dashboards, and IoC matches | SIEM integration |
| Enrich, classify, and blocklist IPs on a case, from a playbook or manually | SOAR integration |
Both surfaces meet on the case: an ELLIO detection rule fires, and the case opens with the attacker’s full ELLIO context - verdict, detections, ports, fingerprints, observed HTTP - one click from the ELLIO Platform record.

SIEM: indicators in the entity graph
ELLIO Platform pushes the indicators you select - the full active set, once a day - to a webhook feed in your tenant. The ELLIO parser turns each record into a UDM IP_ADDRESS entity carrying the verdict, risk score, CVEs, behavior tags, and fingerprints.
- Detection rules correlate your network telemetry against the entities, with a graded severity ladder - from recon noise up to allowed exploitation and callback patterns. See Detection rules.
- Dashboards track the active set, classification mix, risk distribution, and feed health. See Dashboards.
- On Enterprise tiers, events touching an active indicator surface in IoC Matches automatically.
- Indicators carry a validity window refreshed on every push, so anything that leaves ELLIO’s active set expires on its own - no stale IoCs, no cleanup jobs.
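The validity-window behaviour described above, as an added illustration that is not ELLIO's parser or content-pack code: each daily push stamps every indicator with a fresh interval, so an IP that is absent from the next push simply ages out. The feed field names, the window length and the simplified UDM-style entity layout are assumptions for illustration.

```python
# Added example (not ELLIO's parser or content-pack code): models how a daily
# push gives each indicator a validity window, so indicators absent from the
# next push expire on their own with no cleanup job. Feed field names, the
# window length and the UDM-style entity layout are assumptions.
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=36)  # assumed: must exceed the daily push interval

# Constructed sample pushes, not real ELLIO data; CVE id is a placeholder.
PUSH_DAY1 = [
    {"ip": "203.0.113.10", "verdict": "mass_exploitation", "risk_score": 90,
     "cves": ["CVE-YYYY-NNNN"], "tags": ["scanner"]},
    {"ip": "203.0.113.20", "verdict": "recon", "risk_score": 40,
     "cves": [], "tags": ["masscan"]},
]
PUSH_DAY2 = [PUSH_DAY1[0]]  # 203.0.113.20 has left the active set


def to_entity(record, pushed_at):
    """Map one feed record to a simplified UDM-style IP_ADDRESS entity."""
    return {
        "metadata": {
            "entity_type": "IP_ADDRESS",
            "interval": {"start_time": pushed_at, "end_time": pushed_at + WINDOW},
            "threat": {"verdict": record["verdict"], "risk_score": record["risk_score"],
                       "cves": record["cves"], "tags": record["tags"]},
        },
        "entity": {"ip": [record["ip"]]},
    }


def apply_push(store, push, pushed_at):
    """Upsert entities from a push; indicators still present get a new window."""
    for rec in push:
        store[rec["ip"]] = to_entity(rec, pushed_at)
    return store


def active_ips(store, now):
    """IPs whose validity window has not yet ended at `now`."""
    return sorted(ip for ip, e in store.items()
                  if e["metadata"]["interval"]["end_time"] > now)


day1 = datetime(2025, 1, 1, tzinfo=timezone.utc)
store = apply_push({}, PUSH_DAY1, day1)
store = apply_push(store, PUSH_DAY2, day1 + timedelta(days=1))
```

After the second push, 203.0.113.20 keeps its day-one window and drops out of `active_ips` once that window ends, while 203.0.113.10 was refreshed and stays active.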
SOAR: enrichment and response on the case
The ELLIO integration from the SecOps Content Hub adds four actions - Enrich IP, CBS Lookup, Add IP to Blocklist, and Ping. It calls the ELLIO API directly with your API key; there is no Google Cloud provisioning.
A ready-made playbook enriches every external IP on new alerts and recommends a case priority your playbook can apply.
Content pack
Parser, rules, dashboard, and playbook live in the open content pack: github.com/ELLIO-Technology/ellio-secops-content-pack.