The SOAR functionality of the Google Security Operations platform uses connectors to ingest alerts from a variety of
data sources into the platform. A connector is one of the items in an
integration package which can be downloaded through the Google SecOps
Marketplace. Connectors are configured from SOAR Settings >
Ingestion > Connectors.
Connectors are Python based applications that allow the platform to pull
alerts from third-party products into Google SecOps. Connectors also
parse and normalize the raw data (alerts, events) into a Google SecOps
format which are then presented as a case in the case queue.
If you are running a third-party SIEM (a central place for all your alerts),
one connector is enough. It is also possible to pull data from multiple
sources with several connectors. Each connector has a dedicated
documentation link for additional help.
Example: set up an email connector
Navigate to Google SecOps Marketplace > Integrations.
Search for and install Email integration.
Select
settings
Configure default instance to open up the
Email - Configure Instance dialog. Complete all
required parameters. To configure the integration to a
different instance (not the default environment), go to
SOAR Settings > Response > Integrations Setup.
On the setup page, you can configure the integration for the relevant instance.
Go to SOAR Settings > Ingestion > Connectors.
Click
add
Create New Connector.
Select the IMAP Email connector and click Create.
Fill in the empty mandatory fields and save the connector. Click Yes on the
confirmation message.
Enable the connector and save it again. This makes it run periodically
to pull any new emails according to the configuration.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eGoogle Security Operations (SecOps) uses connectors to ingest alerts from various data sources into the platform's SOAR functionality.\u003c/p\u003e\n"],["\u003cp\u003eConnectors, found within integration packages in the Google SecOps Marketplace, are Python-based applications that pull alerts from third-party products.\u003c/p\u003e\n"],["\u003cp\u003eConnectors parse and normalize raw data into a format that is displayed as a case in the case queue, allowing for data ingestion from singular or multiple sources.\u003c/p\u003e\n"],["\u003cp\u003eTo set up an email connector, users must install the Email integration from the Marketplace, configure the instance, create the connector in the SOAR settings, and then enable it.\u003c/p\u003e\n"]]],[],null,["# Ingest data using SOAR connectors\n=================================\n\nSupported in: \nGoogle secops [SOAR](/chronicle/docs/secops/google-secops-soar-toc) \n\nThe SOAR functionality of the Google Security Operations platform uses connectors to ingest alerts from a variety of\ndata sources into the platform. A connector is one of the items in an\nintegration package which can be downloaded through the Google SecOps\nMarketplace. Connectors are configured from **SOAR Settings \\\u003e\nIngestion \\\u003e Connectors**.\n\n\nConnectors are Python based applications that allow the platform to pull\nalerts from third-party products into Google SecOps. Connectors also\nparse and normalize the raw data (alerts, events) into a Google SecOps\nformat which are then presented as a case in the case queue. \n\nIf you are running a third-party SIEM (a central place for all your alerts),\none connector is enough. It is also possible to pull data from multiple\nsources with several connectors. Each connector has a dedicated\ndocumentation link for additional help.\n\nExample: set up an email connector\n----------------------------------\n\n1. Navigate to **Google SecOps Marketplace \\\u003e Integrations** . \n2. Search for and install Email integration.\n3. Select settings **Configure default instance** to open up the **Email - Configure Instance** dialog. Complete all required parameters. To configure the integration to a different instance (not the default environment), go to **SOAR Settings \\\u003e Response \\\u003e Integrations Setup**. On the setup page, you can configure the integration for the relevant instance.\n4. Go to **SOAR Settings \\\u003e Ingestion \\\u003e Connectors**.\n5. Click add **Create New Connector**.\n6. Select the IMAP Email connector and click **Create**.\n7. Fill in the empty mandatory fields and save the connector. Click **Yes** on the confirmation message.\n8. Enable the connector and save it again. This makes it run periodically to pull any new emails according to the configuration.\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
