
ELLIO for Google SecOps

Google Cloud Security

ELLIO brings its non-spoofable recon and mass-exploitation intelligence into Google SecOps (Chronicle) across two surfaces. Use either or both.

  • You want to stream ELLIO indicators into the SIEM for native detection rules, dashboards, and IoC matches: use the SIEM integration.
  • You want to enrich, classify, and blocklist IPs on a case, from a playbook or manually: use the SOAR integration.

Both surfaces meet on the case: an ELLIO detection rule fires, and the case opens with the attacker’s full ELLIO context - verdict, detections, ports, fingerprints, observed HTTP - one click from the ELLIO Platform record:

A case from an ELLIO detection rule, with the ELLIO insight card on the attacker IP

ELLIO Platform pushes the indicators you select - the full active set, once a day - to a webhook feed in your tenant. The ELLIO parser turns each record into a UDM IP_ADDRESS entity carrying the verdict, risk score, CVEs, behavior tags, and fingerprints.

  • Detection rules correlate your network telemetry against the entities, with a graded severity ladder - from recon noise up to allowed exploitation and callback patterns. See Detection rules.
  • Dashboards track the active set, classification mix, risk distribution, and feed health. See Dashboards.
  • On Enterprise tiers, events touching an active indicator surface in IoC Matches automatically.
  • Indicators carry a validity window refreshed on every push, so anything that leaves ELLIO’s active set expires on its own - no stale IoCs, no cleanup jobs.
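The push, parse, correlate and expire cycle described above, modelled in Python as an added illustration; this is not code from the ELLIO content pack, and the feed record fields, the validity-window length, the severity labels and the sample IPs are all assumptions:

```python
# Added illustration, not code from the ELLIO content pack. Record fields,
# the validity-window length and the severity labels are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

VALIDITY = timedelta(hours=36)  # assumed: outlives one missed daily push

@dataclass
class Entity:
    ip: str
    verdict: str
    risk_score: int
    valid_until: datetime

def ingest_push(store, records, pushed_at):
    """One daily push -> IP entities, each with a freshly set validity window.
    An IP absent from the push keeps its old window and lapses on its own."""
    for rec in records:  # constructed fields: ip, verdict, risk_score
        store[rec["ip"]] = Entity(rec["ip"], rec["verdict"], rec["risk_score"], pushed_at + VALIDITY)
    return store

def active(store, at):
    """IPs whose window still covers `at`; expiry needs no cleanup job."""
    return {ip for ip, e in store.items() if e.valid_until > at}

def grade(entity, event):
    """Toy severity ladder: blocked recon noise below allowed high-risk traffic."""
    if event.get("action") != "ALLOW":
        return "LOW"
    return "HIGH" if entity.risk_score >= 80 else "MEDIUM"

def match_event(store, event, at):
    """Correlate one telemetry event against the entities active at its time."""
    ip = event["src_ip"]
    return grade(store[ip], event) if ip in active(store, at) else None

def demo():
    """Two daily pushes; the second no longer lists 198.51.100.7 (constructed data)."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = {}
    day1 = [{"ip": "203.0.113.10", "verdict": "mass_exploitation", "risk_score": 90},
            {"ip": "198.51.100.7", "verdict": "recon", "risk_score": 40}]
    ingest_push(store, day1, t0)
    ingest_push(store, day1[:1], t0 + timedelta(days=1))
    h1, d2 = t0 + timedelta(hours=1), t0 + timedelta(days=2)
    return {
        "active_day1": active(store, h1),
        "active_day2": active(store, d2),
        "blocked_recon": match_event(store, {"src_ip": "203.0.113.10", "action": "BLOCK"}, h1),
        "allowed_exploit": match_event(store, {"src_ip": "203.0.113.10", "action": "ALLOW"}, d2),
        "lapsed_ip": match_event(store, {"src_ip": "198.51.100.7", "action": "ALLOW"}, d2),
    }
```

The second push omits 198.51.100.7, so by day two it has dropped out of the active set without anything deleting it, while the re-pushed IP keeps matching.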

Set up the SIEM integration.

The ELLIO integration from the SecOps Content Hub adds four actions - Enrich IP, CBS Lookup, Add IP to Blocklist, and Ping. It calls the ELLIO API directly with your API key; there is no Google Cloud provisioning.

A ready-made playbook enriches every external IP on new alerts and recommends a case priority your playbook can apply.

Set up the SOAR integration.

Parser, rules, dashboard, and playbook live in the open content pack: github.com/ELLIO-Technology/ellio-secops-content-pack.