
SOAR setup

  • An ELLIO API key from ELLIO Platform - read_write if you will push IPs to a blocklist, read for enrichment only.
  • For Add IP to Blocklist: the Blocklist Automation ruleset ID the key owns.

In Google SecOps, open the Content Hub, search for ELLIO, and install the integration.

In Integrations Setup, open the ELLIO integration and configure an instance - shared across environments or per environment:

Parameter              Value
API Root               https://api.ellio.tech
API Key                your key (read, or read_write for blocklisting)
Blocklist Ruleset ID   the ruleset ID; only needed for Add IP to Blocklist
Verify SSL             enabled

The configured ELLIO instance: API root, key, and Blocklist Ruleset ID

Run Ping (or the instance Test button). Success confirms the key and connectivity.

The content pack ships a playbook, Automatically enrich public IPs: on every new alert it runs Enrich IP and CBS Lookup over the alert's external IP entities, adding both insight cards to the case and the priority recommendation to the entities.

  1. Download automatically_enrich_public_ips.json and compress it into a ZIP.
  2. In Response → Playbooks, choose Import and select the ZIP.
  3. Open each step and select your ELLIO integration instance.
  4. Review the trigger and environments - the playbook arrives attached to all incoming alerts in Default Environment; scope it to the alert types you want.

The playbook on the canvas: All alerts trigger, Enrich IP, then CBS Lookup

Once it runs, the case’s Insights panel carries the ELLIO cards - the threat verdict from Enrich IP, and the provider context from CBS Lookup where the IP sits in a known cloud/CDN/SaaS range:

The case Insights panel: the ELLIO threat card and the Common Business Services card for the same IP

The playbook is two automatic steps on the default trigger - recreating it in the designer takes a minute:

  1. In Response → Playbooks, create a new playbook in your environment. Keep the All trigger, or scope it to the alert types you want.
  2. Add the ELLIO > Enrich IP step. Set its entity scope to External IP addresses and leave Create Insight enabled.
  3. Chain ELLIO > CBS Lookup after it, with the same scope.
  4. Save and enable the playbook.

Extend the playbook (or your own) with the response half:

  1. Branch on Enrich IP’s script result recommended_priority.
  2. High - a malicious IP was found: run the built-in Change Priority → High, and optionally ELLIO > Add IP to Blocklist behind a human-approval step. The CBS Lookup card is the check to make before approving: an IP inside a shared cloud, CDN or SaaS range will block far more than the attacker.
  3. None - leave the priority untouched; the ELLIO_* context stays on the entities for triage.
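The response branch above, written out as a small decision model so the edge case is explicit: a High recommendation raises the case, but blocklisting is never automatic, and an IP that CBS Lookup places in a shared provider range is flagged for the approver. This is an added example and not ELLIO's or Google SecOps' code; the only field taken from the page is Enrich IP's script result `recommended_priority`, and the other field names, the verdict values and the sample IPs are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional


# Assumed shapes of the two script results. Only `recommended_priority` is
# documented on the page; the remaining fields are illustrative.
@dataclass
class EnrichResult:
    ip: str
    recommended_priority: str        # "High" or "None", as the playbook branches on
    verdict: str = "unknown"         # assumed field


@dataclass
class CbsResult:
    ip: str
    provider: Optional[str] = None   # assumed: None when not in a known business range
    category: Optional[str] = None   # assumed: "cloud", "cdn" or "saas"


@dataclass
class Action:
    ip: str
    set_priority: Optional[str] = None   # None = leave the case priority untouched
    blocklist: str = "skip"              # "skip" or "needs_approval"; never automatic
    shared_range: bool = False           # True when CBS Lookup placed the IP in a provider range
    reasons: list = field(default_factory=list)


def decide(enrich: EnrichResult, cbs: CbsResult) -> Action:
    """Branch on recommended_priority the way the response half of the playbook does."""
    act = Action(ip=enrich.ip)
    if enrich.recommended_priority == "None":
        act.reasons.append("no malicious finding; ELLIO_* context left on the entity for triage")
        return act
    if enrich.recommended_priority != "High":
        # Fail closed on a value the playbook does not know: take no automatic action.
        act.reasons.append(
            f"unexpected recommended_priority {enrich.recommended_priority!r}; no automatic action")
        return act
    act.set_priority = "High"
    act.reasons.append(f"ELLIO verdict {enrich.verdict}: raise case priority to High")
    if cbs.provider is not None:
        # The caveat: blocking a shared cloud/CDN/SaaS range hits far more than the attacker.
        act.shared_range = True
        act.reasons.append(
            f"{enrich.ip} sits in {cbs.provider} {cbs.category} range; "
            "blocklisting would affect shared infrastructure")
    act.blocklist = "needs_approval"
    act.reasons.append("Add IP to Blocklist queued behind human approval")
    return act


def plan_alert(enrich_results, cbs_results):
    """Run the branch over every external IP entity of one alert."""
    cbs_by_ip = {c.ip: c for c in cbs_results}
    return [decide(e, cbs_by_ip.get(e.ip, CbsResult(ip=e.ip))) for e in enrich_results]


def case_priority(actions) -> Optional[str]:
    """One High recommendation anywhere raises the case; otherwise leave it alone."""
    return "High" if any(a.set_priority == "High" for a in actions) else None


# Constructed sample data (documentation address ranges, not real findings).
SAMPLE_ENRICH = [
    EnrichResult("198.51.100.7", "High", "malicious"),
    EnrichResult("203.0.113.9", "High", "malicious"),
    EnrichResult("192.0.2.44", "None", "clean"),
]
SAMPLE_CBS = [
    CbsResult("203.0.113.9", provider="ExampleCDN", category="cdn"),  # assumed provider
]


if __name__ == "__main__":
    actions = plan_alert(SAMPLE_ENRICH, SAMPLE_CBS)
    for a in actions:
        print(a.ip, a.set_priority, a.blocklist, "shared" if a.shared_range else "", "|", "; ".join(a.reasons))
    print("case priority:", case_priority(actions))
```

The model deliberately has no "auto-block" outcome: the page puts Add IP to Blocklist behind a human-approval step, and the `shared_range` flag is what that approver should see on the CBS card before saying yes.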