Review Limitations
While the Cyware Intel Exchange integration with Google SecOps enables ingestion and correlation of threat intelligence, there are some platform and deployment limitations to be aware of:
The Cloud Function deployment will fail if the required environment variables are not specified.
Only Cyware Intel Exchange entity data can be parsed by the CBN parser.
The second generation of Cloud Functions (maximum 60-minute execution) is recommended. The first generation (maximum 9 minutes) may not complete ingestion if logs are large.
Google SecOps Ingestion API accepts a maximum payload of 4 MB. Logs exceeding this limit will be skipped.
Comma-separated values for CYWARE_SAVED_RESULT_SET_NAME are supported only through the deployment script; manual deployments do not support this format.
Google SecOps does not validate time ranges; the start time can be later than the end time, or both values can be identical, without raising an error.
Google SecOps does not have a marketplace for integrations. The integration code is pushed to the Google public repo, which undergoes Google-side checks.
Filters follow calendar-based logic (for example, Past 1 Week is Monday–Sunday). Selecting the filter early in the week may show partial results.
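The 4 MB ingestion limit above, as an added example (not part of the Cyware or Google integration code): a pre-flight check that groups records into payloads under the limit and reports which records would be skipped, so the loss is visible rather than silent. It assumes 4 MB means 4 * 1024 * 1024 bytes of compact UTF-8 JSON; the function names and sample records are hypothetical.

```python
import json

# Assumption: "4 MB" is read as 4 * 1024 * 1024 bytes of compact UTF-8 JSON.
MAX_PAYLOAD_BYTES = 4 * 1024 * 1024


def encoded_size(item):
    """Bytes needed for one record (or a whole batch) as compact UTF-8 JSON."""
    return len(json.dumps(item, separators=(",", ":")).encode("utf-8"))


def plan_batches(records, limit=MAX_PAYLOAD_BYTES):
    """Group records into JSON-array payloads no larger than `limit` bytes.

    Returns (batches, skipped). `skipped` lists (index, size) for each record
    that cannot fit in a payload even on its own.
    """
    batches, skipped = [], []
    current, current_size = [], 2  # 2 bytes for the enclosing "[" and "]"
    for index, record in enumerate(records):
        size = encoded_size(record)
        if size + 2 > limit:
            skipped.append((index, size))
            continue
        extra = size + (1 if current else 0)  # comma between array elements
        if current_size + extra > limit:
            batches.append(current)
            current, current_size = [], 2
            extra = size
        current.append(record)
        current_size += extra
    if current:
        batches.append(current)
    return batches, skipped


if __name__ == "__main__":
    # Constructed sample records; the field names are illustrative only.
    sample = [
        {"value": "198.51.100.7", "note": "x" * 300},
        {"value": "example.test", "note": "y" * 300},
        {"value": "oversized", "note": "z" * 5000},
    ]
    batches, skipped = plan_batches(sample, limit=1024)
    print("payload sizes:", [encoded_size(b) for b in batches])
    print("skipped (index, bytes):", skipped)
```

Logging the skipped indexes and sizes on each run gives a record to reconcile against what actually appears in Google SecOps.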
Dashboard Limitations:
A maximum of 10,000 records is displayed in tabular dashboards.
Raw log data is not directly accessible; dashboards rely on parsed data, so granular details may be missing.
Single Value panel counts may differ from Table panel counts due to aggregation logic.
IOC entity activeness is determined by interval.start_time and interval.end_time. Entities may appear outside selected time ranges if still active.
Only IP addresses, domains, and file hashes (MD5, SHA-1, and SHA-256) are supported in correlation dashboards.
Time range filters should cover at least the past 13 hours for accurate dashboard data.
Parser Field Mapping:
enrichment_data[].tool_response is stored as a string in additional.fields; top-level key-value pairs are mapped individually.
File indicators with subtypes other than MD5, SHA-1, and SHA-256 are mapped to the resource schema only.