
SOAR integration

The ELLIO integration for Google SecOps SOAR enriches IP entities with ELLIO threat intelligence on the case, classifies IPs against Common Business Services, and lets you push IP addresses to ELLIO Blocklist Automation. It calls the ELLIO API directly with your API key - no Google Cloud IAM, no service account.

Action | What it does
--- | ---
Enrich IP | Writes classification, tags, CVEs, fingerprints, and observed activity onto the entity, adds an insight card, and returns a recommended case priority.
CBS Lookup | Tells known cloud / CDN / SaaS provider infrastructure apart from attacker-controlled hosts.
Add IP to Blocklist | Pushes IP addresses to an ELLIO Blocklist Automation ruleset for enforcement.
Ping | Validates connectivity and credentials.

Enrich IP and CBS Lookup each add a card to the case, so the verdict and the service context are readable at a glance - and available to Gemini case summaries:

Enrich IP insight card: classification, CVEs, detections, ports, fingerprints
CBS Lookup insight card: provider pills and service label tree

The same context feeds Gemini’s case analysis - the classification, CVEs, and scanning behavior from the ELLIO_* fields show up in the generated case summary:

Gemini case overview built on the ELLIO enrichment: risk scores, CVEs, ATT&CK mapping

Enrich IP never changes the case priority itself. It returns recommended_priority as its script result - High when a malicious IP was found, otherwise None - and your playbook decides whether to apply it. The ready-made playbook wires this up.
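The split between the action recommending a priority and the playbook applying it is easy to get wrong in a hand-built playbook (for example, downgrading a case that is already Critical). The following is an added example, not ELLIO's integration code and not the ready-made playbook: it reproduces the Enrich IP contract (High when any IP is malicious, otherwise None) and shows one reasonable playbook decision that also uses the CBS Lookup result. The field names, the classification values, the priority names and the sample case are assumptions modelled on the page's description of the actions.

```python
"""Playbook-side handling of Enrich IP and CBS Lookup results.

Added example; this is not ELLIO's integration code and not the ready-made
playbook. Field names, classification values, priority names and the sample
case data are assumptions modelled on the page's description of the actions.
"""
from dataclasses import dataclass, field
from typing import Optional

# Case priority ranks, lowest to highest, used to compare the recommendation
# against the priority the case already has. (Names assumed.)
PRIORITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass
class IpVerdict:
    """One IP entity after Enrich IP and CBS Lookup have run (assumed shape)."""
    ip: str
    classification: str                       # assumed values: "malicious", "benign", "unknown"
    cves: list = field(default_factory=list)  # CVEs ELLIO observed the IP probing for
    cbs_provider: Optional[str] = None        # CBS Lookup match, e.g. "CDN provider"; None if not a known service


def recommended_priority(verdicts):
    """Reproduce the Enrich IP script result: 'High' when any IP is malicious, otherwise None."""
    return "High" if any(v.classification == "malicious" for v in verdicts) else None


def actionable(verdicts):
    """Malicious IPs that CBS Lookup did not attribute to known provider infrastructure."""
    return [v for v in verdicts if v.classification == "malicious" and v.cbs_provider is None]


def decide(current_priority, verdicts):
    """Playbook decision: return the priority to set, or None to leave the case alone.

    The action only recommends. This playbook applies the recommendation when it
    would actually raise the case and when at least one malicious IP is not a
    shared cloud / CDN / SaaS address that CBS Lookup explained away.
    """
    rec = recommended_priority(verdicts)
    if rec is None:
        return None
    if PRIORITY_RANK[rec] <= PRIORITY_RANK.get(current_priority, 0):
        return None  # never lower a case that is already High or Critical
    if not actionable(verdicts):
        return None  # every malicious hit sits on known provider infrastructure
    return rec


# Constructed sample case: a mass scanner, a CDN edge flagged by ELLIO, a clean host.
SAMPLE_CASE = [
    IpVerdict("203.0.113.7", "malicious", cves=["CVE-2021-44228"]),
    IpVerdict("198.51.100.20", "malicious", cbs_provider="CDN provider"),
    IpVerdict("192.0.2.5", "benign"),
]

if __name__ == "__main__":
    print("recommended:", recommended_priority(SAMPLE_CASE))  # High
    print("apply to Medium case:", decide("Medium", SAMPLE_CASE))  # High
    print("apply to High case:", decide("High", SAMPLE_CASE))  # None
```

Treating a CBS-attributed IP as non-actionable is a design choice for this example, not something the integration enforces: a malicious verdict on a shared CDN or cloud address usually means the service is abused rather than attacker-controlled, so it should not drive the case priority on its own, while the blocklist push for such an address deserves the same scrutiny.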

  • An ELLIO API key from ELLIO Platform. A read key covers Enrich IP and CBS Lookup; Add IP to Blocklist needs read_write.
  • For Add IP to Blocklist: the Blocklist Automation ruleset ID the key owns.
  • Egress from the SOAR runtime to https://api.ellio.tech.