Integrate Google Chronicle with Google SecOps
This document explains how to integrate Google Chronicle with Google Security Operations (Google SecOps).
Integration version: 49.0
Use cases
The Google Chronicle integration can address the following use cases:
Automated phishing investigation and remediation: use the SOAR capabilities of Google SecOps to automatically query the integration for historical email data, user activity logs, and threat intelligence to assess email legitimacy. The automated remediation can help you with triage and containment by preventing the spread of malware or data breaches.
Enrichment of security alerts: use the SOAR capabilities of Google SecOps to enrich an alert generated in the SIEM with historical context, such as past user behavior and asset information. Alert enrichment gives analysts a comprehensive view of the incident, enabling faster and more informed decision-making.
Threat hunting based on Google SecOps insights: use the SOAR capabilities of Google SecOps to automate the process of querying other security tools for related indicators of compromise (IOCs). The insight-based threat hunting can help you stay ahead of threats and identify potential breaches before they escalate.
Automated incident response playbooks: use the SOAR capabilities of Google SecOps to trigger a predefined playbook that uses Google SecOps data to isolate compromised systems, block malicious IP addresses, and notify relevant stakeholders. Using incident response playbooks can reduce the incident response time and minimize the impact of security incidents.
Compliance reporting and auditing: use the SOAR capabilities of Google SecOps to automate the collection of security data from Google SecOps for compliance reporting purposes, streamline the audit process, and reduce the manual effort required for compliance reporting.
Integration parameters
The Google Chronicle integration requires the following parameters:
Parameter | Description |
---|---|
UI Root | Required. The UI root of the Google Security Operations SIEM (Google SecOps SIEM) instance used to create a link that points back to Google SecOps SIEM across multiple actions. The default value is |
API Root | Required. The API root of the Google SecOps SIEM instance. The default value is Google SecOps provides regional endpoints for each API, such as By default, Google SecOps uses the following scopes for your Google API client: To use the Chronicle API, set the parameter value in the following format: https://REGION-chronicle.googleapis.com/v1alpha/projects/PROJECT_ID/locations/REGION/instances/INSTANCE_ID |
User's Service Account | Optional. The service account of the Google SecOps SIEM instance. You can configure this parameter or the To configure this parameter, provide the full content of the service account key JSON file. |
Workload Identity Email | Optional. The client email address of your Workload Identity Federation. You can configure this parameter or the In this integration, authenticating with the Workload Identity Federation has priority over the service account key JSON file. To impersonate service accounts with the Workload Identity Federation, grant the |
Verify SSL | Required. If selected, the integration verifies that the SSL certificate for connecting to the Google SecOps SIEM server is valid. Selected by default. |
You can make changes at a later stage, if necessary. After you configure instances, you can use them in playbooks. For more information on configuring and supporting multiple instances, see Supporting multiple instances.
For instructions on how to configure an integration in Google SecOps, see Configure integrations.
Actions
For more information about actions, see Respond to pending actions from Your Workdesk and Perform a manual action.
Add Values To Reference List
Use the Add Values To Reference List action to add values to a reference list in Google SecOps.
This action doesn't run on Google SecOps entities.
Action inputs
To configure the action, use the following parameters:
Parameter | Description |
---|---|
Reference List Name | Required. The name of the reference list to update. |
Values | Required. A comma-separated list of values to add to a reference list. |
Action outputs
The Add Values To Reference List action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
Entity insight | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example describes the JSON result output received when using the Add Values To Reference List action:
{
"name": "list_name",
"description": "description of the list",
"lines": [
"192.0.2.0/24",
"198.51.100.0/24"
],
"create_time": "2020-11-20T17:18:20.409247Z",
"content_type": "CIDR"
}
The following example describes the JSON result output received when using the Add Values To Reference List action with the Chronicle API:
{
"name": "projects/PROJECT_ID/locations/us/instances/INSTANCE_ID/referenceLists/REFERENCE_LIST_NAME",
"displayName": "REFERENCE_LIST_NAME",
"revisionCreateTime": "2025-01-16T09:15:21.795743Z",
"description": "Test reference list",
"entries": [
{
"value": "example.com"
},
{
"value": "exampledomain.com"
}
],
"syntaxType": "REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING",
"scopeInfo": {
"referenceListScope": {}
},
"createTime": "2025-01-16T09:15:21.795743Z",
"lines": [
"example.com",
"exampledomain.com"
]
}
Output messages
The Add Values To Reference List action provides the following output messages:
Output message | Message description |
---|---|
Successfully added values to the reference list REFERENCE_LIST_NAME. | Action succeeded. |
Error executing action "Add Values To Reference List". Reason: ERROR_REASON | Action failed. Check the connection to the server, the input parameters, or the credentials. |
Script result
The following table describes the values for the script result output when using the Add Values To Reference List action:
Script result name | Value |
---|---|
is_success | True or False |
Enrich Domain
Use the Enrich Domain action to enrich domains using information from IoCs in Google SecOps SIEM.
This action runs on the following Google SecOps entities:
- URL
- Hostname
Action inputs
The Enrich Domain action requires the following parameters:
Parameter | Description |
---|---|
Create Insight | If selected, the action creates an insight that contains information about the entities. Selected by default. |
Only Suspicious Insight | If selected, the action creates an insight only for entities that are marked as suspicious. Not selected by default. If you select this parameter, select the |
Lowest Suspicious Severity | Required. The lowest severity that is associated with the domain to mark it suspicious. The default value is |
Mark Suspicious N/A Severity | Required. If selected and the information about severity is unavailable, the action marks the entity as suspicious. |
Action outputs
The Enrich Domain action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Available |
Enrichment table | Available |
Entity insight | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
Case wall table
The Enrich Domain action provides the following table:
Name: ENTITY_IDENTIFIER
Columns:
- Source
- Severity
- Category
- Confidence
Entity enrichment
The Enrich Domain action supports the following entity enrichment logic:
Enrichment field | Logic (when to apply) |
---|---|
severity | When available in JSON |
average_confidence | When available in JSON |
related_domains | When available in JSON |
categories | When available in JSON |
sources | When available in JSON |
first_seen | When available in JSON |
last_seen | When available in JSON |
report_link | When available in JSON |
JSON result
The following example describes the JSON result output received when using the Enrich Domain action:
{
  "sources": [
    {
      "source": "ET Intelligence Rep List",
      "confidenceScore": {
        "normalizedConfidenceScore": "Low",
        "intRawConfidenceScore": 0
      },
      "rawSeverity": "High",
      "category": "Malware Command and Control Server"
    }
  ],
  "iocIngestTime": "2021-01-26T17:00:00Z",
  "firstSeenTime": "2018-10-03T00:03:53Z",
  "lastSeenTime": "2022-02-09T10:52:21.229Z",
  "uri": [
    "https://INSTANCE/domainResults?domain=example.net&selectedList=DomainViewDistinctAssets&whoIsTimestamp=2022-02-09T11%3A51%3A52.393783515Z"
  ]
}
The following example describes the JSON result output received when using the Enrich Domain action with Chronicle API:
[
{
"Entity": "example.com",
"EntityResult": {
"sources": [
{
"category": "Indicator was published in publicly available sources",
"firstActiveTime": "1970-01-01T00:00:01Z",
"lastActiveTime": "9999-12-31T23:59:59Z",
"addresses": [
{
"domain": "example.com"
}
],
"rawSeverity": "medium",
"confidenceScore": {
"strRawConfidenceScore": "100"
}
},
{
"category": "Phishing",
"firstActiveTime": null,
"lastActiveTime": "2020-11-27T14:31:37Z",
"addresses": [
{
"domain": "example.com"
},
{
"ipAddress": "IP_ADDRESS"
}
],
"rawSeverity": "high",
"confidenceScore": {
"strRawConfidenceScore": "high"
}
},
{
"category": "Indicator was published in publicly available sources",
"firstActiveTime": "1970-01-01T00:00:01Z",
"lastActiveTime": "9999-12-31T23:59:59Z",
"addresses": [
{
"domain": "example.com"
}
],
"rawSeverity": "medium",
"confidenceScore": {
"strRawConfidenceScore": "100"
}
}
],
"feeds": [
{
"metadata": {
"title": "Mandiant Open Source Intelligence",
"description": "Open Source Intel IoC",
"confidenceScoreBucket": {
"rangeEnd": 100
}
},
"iocs": [
{
"domainAndPorts": {
"domain": "example.com"
},
"categorization": "Indicator was published in publicly available sources",
"activeTimerange": {
"start": "1970-01-01T00:00:01Z",
"end": "9999-12-31T23:59:59Z"
},
"confidenceScore": "100",
"rawSeverity": "Medium"
}
]
},
{
"metadata": {
"title": "ESET Threat Intelligence",
"description": "ESET Threat Intelligence"
},
"iocs": [
{
"domainAndPorts": {
"domain": "example.com"
},
"categorization": "Phishing",
"activeTimerange": {
"end": "2020-11-27T14:31:37Z"
},
"ipAndPorts": {
"ipAddress": "IP_ADDRESS"
},
"confidenceScore": "High",
"rawSeverity": "High"
}
]
},
{
"metadata": {
"title": "Mandiant Active Breach Intelligence",
"description": "Mandiant Active Breach IoC",
"confidenceScoreBucket": {
"rangeEnd": 100
}
},
"iocs": [
{
"domainAndPorts": {
"domain": "example.com"
},
"categorization": "Indicator was published in publicly available sources",
"activeTimerange": {
"start": "1970-01-01T00:00:01Z",
"end": "9999-12-31T23:59:59Z"
},
"confidenceScore": "100",
"rawSeverity": "Medium"
}
]
}
]
}
}
]
Output messages
The Enrich Domain action provides the following output messages:
Output message | Message description |
---|---|
Successfully enriched the following domain in Google Chronicle: LIST_OF_IDS | Action is successful. |
Error executing action "Enrich Domain". Reason: ERROR_REASON | The action returned an error. Check connection to the server, input parameters, or credentials. |
Script result
The following table describes the values for the script result output when using the Enrich Domain action:
Script result name | Value |
---|---|
is_success | True or False |
Enrich IP
Use the Enrich IP action to enrich IP entities using information from IoCs in Google SecOps SIEM.
This action runs on the IP Address entity.
Action inputs
The Enrich IP action requires the following parameters:
Parameter | Description |
---|---|
Create Insight | If selected, the action creates an insight which contains information about entities. Selected by default. |
Only Suspicious Insight | If selected, the action creates insights only for entities that are marked as suspicious. Not selected by default. If you select this parameter, also select the |
Lowest Suspicious Severity | Required. The lowest severity associated with the IP address to mark it suspicious. The default value is |
Mark Suspicious N/A Severity | Required. If selected and the information about severity is unavailable, the action marks the entity as suspicious. |
Action outputs
The Enrich IP action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Available |
Enrichment table | Available |
JSON result | Available |
Output messages | Available |
Script result | Available |
Case wall table
Name: ENTITY_IDENTIFIER
Columns:
- Source
- Severity
- Category
- Confidence
- Related Domains
Entity enrichment
The Enrich IP action supports the following entity enrichment logic:
Enrichment field | Logic (when to apply) |
---|---|
severity | When available in JSON |
average_confidence | When available in JSON |
related_domains | When available in JSON |
categories | When available in JSON |
sources | When available in JSON |
first_seen | When available in JSON |
last_seen | When available in JSON |
report_link | When available in JSON |
JSON result
The following example describes the JSON result output received when using the Enrich IP action:
{
  "sources": [
    {
      "source": "Example List",
      "confidenceScore": {
        "normalizedConfidenceScore": "Low",
        "intRawConfidenceScore": 0
      },
      "rawSeverity": "High",
      "category": "Malware Command and Control Server"
    }
  ],
  "iocIngestTime": "2021-01-26T17:00:00Z",
  "firstSeenTime": "2018-10-03T00:03:53Z",
  "lastSeenTime": "2022-02-09T10:52:21.229Z",
  "uri": [
    "https://INSTANCE/domainResults?domain=example.net&selectedList=DomainViewDistinctAssets&whoIsTimestamp=2022-02-09T11%3A51%3A52.393783515Z"
  ]
}
The following example describes the JSON result output received when using the Enrich IP action with Chronicle API:
[
{
"Entity": "192.0.2.121",
"EntityResult": {
"sources": [
{
"category": "Indicator was published in publicly available sources",
"firstActiveTime": "1970-01-01T00:00:01Z",
"lastActiveTime": "9999-12-31T23:59:59Z",
"addresses": [
{
"ipAddress": "IP_ADDRESS"
}
],
"rawSeverity": "low",
"confidenceScore": {
"strRawConfidenceScore": "67"
}
}
],
"feeds": [
{
"metadata": {
"title": "Mandiant Open Source Intelligence",
"description": "Open Source Intel IoC",
"confidenceScoreBucket": {
"rangeEnd": 100
}
},
"iocs": [
{
"categorization": "Indicator was published in publicly available sources",
"activeTimerange": {
"start": "1970-01-01T00:00:01Z",
"end": "9999-12-31T23:59:59Z"
},
"ipAndPorts": {
"ipAddress": "IP_ADDRESS"
},
"confidenceScore": "67",
"rawSeverity": "Low"
}
]
}
]
}
}
]
Output messages
The Enrich IP action provides the following output messages:
Output message | Message description |
---|---|
Successfully enriched the following IPs from Google Chronicle: LIST_OF_IPS | Action succeeded. |
Error executing action "Enrich IP". Reason: ERROR_REASON | Action failed. Check the connection to the server, the input parameters, or the credentials. |
Script result
The following table describes the values for the script result output when using the Enrich IP action:
Script result name | Value |
---|---|
is_success | True or False |
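The Enrich Domain and Enrich IP actions both reduce the IoC sources in an EntityResult to the enrichment fields listed above and then decide, from the Lowest Suspicious Severity and Mark Suspicious N/A Severity parameters, whether the entity is marked suspicious. The following Python is an added example that is not the integration's own code: it derives severity, average_confidence, categories, sources, first_seen and last_seen from either output shape shown on this page and applies the two parameters. The ordering low < medium < high, the treatment of the 1970-01-01 and 9999-12-31 sentinel timestamps as "unknown", and the sample records (modelled on the page's examples) are assumptions.

```python
"""Suspicious-entity decision for Enrich Domain / Enrich IP results (added example)."""

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}  # assumed ordering of rawSeverity values
# Sentinel timestamps present in the page's sample output; treated here as "unknown".
UNKNOWN_TIMES = {"1970-01-01T00:00:01Z", "9999-12-31T23:59:59Z"}


def _numeric_confidence(source):
    """Return a numeric confidence when the source carries one, else None."""
    score = source.get("confidenceScore") or {}
    raw = score.get("intRawConfidenceScore", score.get("strRawConfidenceScore"))
    if isinstance(raw, bool):
        return None
    if isinstance(raw, (int, float)):
        return float(raw)
    if isinstance(raw, str) and raw.strip().isdigit():
        return float(raw)
    return None  # word scores such as "high" are reported but not averaged


def _known_time(value):
    """Keep a timestamp only if it is a real observation, not a sentinel."""
    return value if isinstance(value, str) and value and value not in UNKNOWN_TIMES else None


def summarize_entity_result(entity_result):
    """Build the enrichment fields from one EntityResult (legacy or Chronicle API shape)."""
    sources = entity_result.get("sources") or []
    feeds = entity_result.get("feeds") or []

    severities = [s["rawSeverity"].lower() for s in sources if s.get("rawSeverity")]
    severity = max(severities, key=lambda s: SEVERITY_RANK.get(s, 0), default=None)

    confidences = [c for c in map(_numeric_confidence, sources) if c is not None]
    average_confidence = round(sum(confidences) / len(confidences), 2) if confidences else None

    categories = sorted({s["category"] for s in sources if s.get("category")})

    # Legacy output names the feed in each source's "source"; the Chronicle API
    # output carries the feed titles in feeds[].metadata.title.
    names = {s["source"] for s in sources if s.get("source")}
    names |= {f["metadata"]["title"] for f in feeds if (f.get("metadata") or {}).get("title")}

    firsts = [t for t in (_known_time(s.get("firstActiveTime")) for s in sources) if t]
    lasts = [t for t in (_known_time(s.get("lastActiveTime")) for s in sources) if t]
    for key, bucket in (("firstSeenTime", firsts), ("lastSeenTime", lasts)):
        if _known_time(entity_result.get(key)):
            bucket.append(entity_result[key])

    return {
        "severity": severity,
        "average_confidence": average_confidence,
        "categories": categories,
        "sources": sorted(names),
        # Same-format UTC "Z" timestamps compare correctly as strings.
        "first_seen": min(firsts, default=None),
        "last_seen": max(lasts, default=None),
    }


def is_suspicious(summary, lowest_suspicious_severity="Medium", mark_na_severity=False):
    """Apply the Lowest Suspicious Severity / Mark Suspicious N/A Severity parameters."""
    threshold = SEVERITY_RANK.get(lowest_suspicious_severity.lower())
    if threshold is None:
        raise ValueError(f"unknown severity {lowest_suspicious_severity!r}")
    if summary["severity"] is None:
        return bool(mark_na_severity)  # severity unavailable: the parameter decides
    return SEVERITY_RANK.get(summary["severity"], 0) >= threshold


# Constructed samples modelled on the page's two output shapes.
SAMPLE_API_RESULT = {
    "sources": [
        {"category": "Indicator was published in publicly available sources",
         "firstActiveTime": "1970-01-01T00:00:01Z", "lastActiveTime": "9999-12-31T23:59:59Z",
         "rawSeverity": "medium", "confidenceScore": {"strRawConfidenceScore": "100"}},
        {"category": "Phishing", "firstActiveTime": None, "lastActiveTime": "2020-11-27T14:31:37Z",
         "rawSeverity": "high", "confidenceScore": {"strRawConfidenceScore": "high"}},
    ],
    "feeds": [
        {"metadata": {"title": "Mandiant Open Source Intelligence"}, "iocs": []},
        {"metadata": {"title": "ESET Threat Intelligence"}, "iocs": []},
    ],
}
SAMPLE_LEGACY_RESULT = {
    "sources": [{"source": "ET Intelligence Rep List",
                 "confidenceScore": {"normalizedConfidenceScore": "Low", "intRawConfidenceScore": 0},
                 "rawSeverity": "High", "category": "Malware Command and Control Server"}],
    "firstSeenTime": "2018-10-03T00:03:53Z",
    "lastSeenTime": "2022-02-09T10:52:21.229Z",
}

if __name__ == "__main__":
    for sample in (SAMPLE_API_RESULT, SAMPLE_LEGACY_RESULT):
        summary = summarize_entity_result(sample)
        print(summary, "suspicious:", is_suspicious(summary, "Medium"))
```

Word-valued confidence scores ("high") are excluded from the average rather than guessed at, so average_confidence only ever reflects numeric data; a playbook that needs the word scores can read them from the raw sources array.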
Execute Retrohunt
Use the Execute Retrohunt action to execute a rule retrohunt in Google SecOps.
This action doesn't run on Google SecOps entities.
Action inputs
The Execute Retrohunt action requires the following parameters:
Parameter | Description |
---|---|
Rule ID | Required. The ID of the rule to run a retrohunt for. |
Time Frame | A period to retrieve the results for. The default value is If If If |
Start Time | The start time for the results. Configure the parameter value in an ISO 8601 format. This parameter is required if the |
End Time | The end time for the results. Configure the parameter value in an ISO 8601 format. If you don't set a value and select the |
Action outputs
The Execute Retrohunt action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
Entity insight | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example describes the JSON result output received when using the Execute Retrohunt action:
{
"retrohuntId": "oh_d738c8ea-8fd7-4cc1-b43d-25835b8e1785",
"ruleId": "ru_30979d84-aa89-47d6-bf4d-b4bb0eacb497",
"versionId": "ru_30979d84-aa89-47d6-bf4d-b4bb0eacb497@v_1612472807_179679000",
"eventStartTime": "2021-01-14T23:00:00Z",
"eventEndTime": "2021-01-30T23:00:00Z",
"retrohuntStartTime": "2021-02-08T02:40:59.192113Z",
"state": "RUNNING"
}
The following example describes the JSON result output received when using the Execute Retrohunt action with Chronicle API:
{
"name": "projects/PROJECT_ID/locations/us/instances/INSTANCE_ID/operations/OPERATION_ID",
"metadata": {
"@type": "type.googleapis.com/RetrohuntMetadata",
"retrohunt": "projects/PROJECT_ID/locations/us/instances/INSTANCE_ID/rules/RULE_ID/retrohunts/RETROHUNT_ID",
"executionInterval": {
"startTime": "2025-01-22T12:16:20.963182Z",
"endTime": "2025-01-23T12:16:20.963182Z"
}
},
"retrohuntId": "RETROHUNT_ID",
"ruleId": "RULE_ID",
"versionId": "VERSION_ID",
"eventStartTime": "2025-01-22T12:16:20.963182Z",
"eventEndTime": "2025-01-23T12:16:20.963182Z"
}
Output messages
The Execute Retrohunt action provides the following output messages:
Output message | Message description |
---|---|
Successfully executed a retrohunt for the provided rule in Google Chronicle. | Action succeeded. |
Error executing action "Execute Retrohunt". Reason: ERROR_REASON | Action failed. Check the connection to the server, the input parameters, or the credentials. |
Script result
The following table describes the values for the script result output when using the Execute Retrohunt action:
Script result name | Value |
---|---|
is_success | True or False |
Execute UDM Query
Use the Execute UDM Query action to execute a custom UDM query in Google SecOps.
The action is limited to 120 executions per hour.
This action doesn't run on Google SecOps entities.
Action inputs
The Execute UDM Query action requires the following parameters:
Parameter | Description |
---|---|
Query String | Required. A query to execute in Google SecOps. |
Time Frame | A specified timeframe for the results. The default value is If If If |
Start Time | The start time for the results. Configure the parameter value in an ISO 8601 format with milliseconds and a timezone using the following template: This parameter is required if the The maximum time range (from start time to end time) is 90 days. |
End Time | The end time for the results. Configure the parameter value in an ISO 8601 format with milliseconds and a timezone using the following template: If you don't set a value and the The maximum time range (from start time to end time) is 90 days. |
Max Results To Return | The number of results to return for a single query. The default value is 50. The maximum value is 10,000. |
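The parameters above carry several limits that are cheap to check in the playbook before the call is made: the timestamp format (ISO 8601 with milliseconds and a timezone), the 90-day maximum range, the 10,000-result ceiling and the 120-executions-per-hour budget. The Python below is an added example, not the integration's own code. It encodes those limits; the exact timestamp template (`2022-01-20T09:15:15.687Z` or an explicit `+HH:MM` offset), the rule that Start Time is required whenever the caller supplies explicit times, and the "missing End Time means now" fallback are assumptions, and the request dictionary it returns is illustrative rather than the integration's wire format.

```python
"""Client-side checks for Execute UDM Query parameters (added example)."""
from collections import deque
from datetime import datetime, timedelta, timezone
import re

MAX_RANGE = timedelta(days=90)
MAX_RESULTS = 10_000
DEFAULT_RESULTS = 50
EXECUTIONS_PER_HOUR = 120

# Assumed template: 2022-01-20T09:15:15.687Z, or the same with a +HH:MM / -HH:MM offset.
ISO_MS_TZ = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}(Z|[+-]\d{2}:\d{2})$")


def parse_timestamp(value):
    """Parse a timestamp in the assumed template; return None when it does not match."""
    if not isinstance(value, str) or not ISO_MS_TZ.match(value):
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def format_timestamp(moment):
    """Render an aware datetime back into the template, normalised to UTC."""
    return moment.astimezone(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")


def check_query_params(query, start_time=None, end_time=None, max_results=DEFAULT_RESULTS, now=None):
    """Return a list of problems with the parameters; an empty list means they are acceptable."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if not isinstance(query, str) or not query.strip():
        problems.append("Query String is required")
    start = parse_timestamp(start_time)
    if start is None:
        problems.append("Start Time is required and must be ISO 8601 with milliseconds and a timezone")
    if end_time is None:
        end = now  # assumption: a missing End Time means "up to now"
    else:
        end = parse_timestamp(end_time)
        if end is None:
            problems.append("End Time must be ISO 8601 with milliseconds and a timezone")
    if start is not None and end is not None:
        if end <= start:
            problems.append("End Time must be later than Start Time")
        elif end - start > MAX_RANGE:
            problems.append("maximum time range from Start Time to End Time is 90 days")
    if not isinstance(max_results, int) or not 1 <= max_results <= MAX_RESULTS:
        problems.append(f"Max Results To Return must be between 1 and {MAX_RESULTS}")
    return problems


def build_query_request(query, start_time, end_time=None, max_results=DEFAULT_RESULTS, now=None):
    """Validate and return illustrative request fields, or raise ValueError listing every problem."""
    problems = check_query_params(query, start_time, end_time, max_results, now)
    if problems:
        raise ValueError("; ".join(problems))
    start = parse_timestamp(start_time)
    end = parse_timestamp(end_time) if end_time else (now or datetime.now(timezone.utc))
    return {
        "query": query.strip(),
        "startTime": format_timestamp(start),
        "endTime": format_timestamp(end),
        "maxResults": max_results,
    }


class HourlyBudget:
    """Sliding one-hour window that refuses the 121st execution, mirroring the page's rate limit."""

    def __init__(self, limit=EXECUTIONS_PER_HOUR):
        self.limit = limit
        self._calls = deque()

    def try_acquire(self, now):
        """Record an execution at `now` and return True, or return False if the budget is spent."""
        cutoff = now - timedelta(hours=1)
        while self._calls and self._calls[0] <= cutoff:
            self._calls.popleft()
        if len(self._calls) >= self.limit:
            return False
        self._calls.append(now)
        return True


def simulate_burst(count, spacing_seconds=1, limit=EXECUTIONS_PER_HOUR):
    """Count how many of `count` executions, `spacing_seconds` apart, the budget accepts."""
    budget = HourlyBudget(limit)
    t0 = datetime(2022, 1, 20, 9, 0, tzinfo=timezone.utc)  # constructed start instant
    return sum(budget.try_acquire(t0 + timedelta(seconds=i * spacing_seconds)) for i in range(count))


if __name__ == "__main__":
    print(build_query_request('metadata.event_type = "USER_LOGIN"',
                              "2022-01-01T00:00:00.000Z", "2022-01-20T09:15:15.687Z"))
    print("accepted in a 1 s burst of 121:", simulate_burst(121))
```

Returning the full list of problems rather than the first one lets a playbook surface every bad parameter in a single run, which matters when a rate-limited action costs one of the 120 hourly executions each time it is retried.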
Action outputs
The Execute UDM Query action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example describes the JSON result output received when using the Execute UDM Query action:
{
  "events": [
    {
      "event": {
        "metadata": {
          "eventTimestamp": "2022-01-20T09:15:15.687Z",
          "eventType": "USER_LOGIN",
          "vendorName": "Example Vendor",
          "productName": "Example Product",
          "ingestedTimestamp": "2022-01-20T09:45:07.433587Z"
        },
        "principal": {
          "hostname": "example-user-pc",
          "ip": [
            "203.0.113.0"
          ],
          "mac": [
            "01:23:45:ab:cd:ef",
            "01:23:45:ab:cd:ef",
            "01:23:45:ab:cd:ef"
          ],
          "location": {
            "city": "San Francisco",
            "state": "California",
            "countryOrRegion": "US"
          },
          "asset": {
            "hostname": "example-user-pc",
            "ip": [
              "203.0.113.1",
              "203.0.113.1",
              "203.0.113.1"
            ],
            "mac": [
              "01:23:45:ab:cd:ef",
              "01:23:45:ab:cd:ef",
              "01:23:45:ab:cd:ef"
            ]
          }
        },
        "target": {
          "user": {
            "userid": "Example",
            "userDisplayName": "Example User",
            "windowsSid": "S-1-5-21-4712406912-7108061610-2717800068-993683",
            "emailAddresses": [
              "example@example.com",
              "admin.example@example.com"
            ],
            "employeeId": "2406187",
            "productObjectId": "f93f1540-4935-4266-aa8e-a750a319aa1c",
            "firstName": "Example",
            "lastName": "User",
            "phoneNumbers": [
              "555-01-75"
            ],
            "title": "Executive Assistant",
            "companyName": "Example Corp",
            "department": [
              "Executive - Admin"
            ],
            "managers": [
              {
                "userDisplayName": "Example User",
                "windowsSid": "S-1-5-21-6051382818-4135626959-8120238335-834071",
                "emailAddresses": [
                  "user@example.com"
                ],
                "employeeId": "5478500",
                "productObjectId": "8b3924d5-6157-43b3-857b-78aa6bd94705",
                "firstName": "User",
                "lastName": "Example",
                "phoneNumbers": [
                  "555-01-75"
                ],
                "title": "Chief Technology Officer",
                "companyName": "Example Corp",
                "department": [
                  "Executive - Admin"
                ]
              }
            ]
          },
          "ip": [
            "198.51.100.1"
          ],
          "email": "email@example.com",
          "application": "Example Sign In"
        },
        "securityResult": [
          {
            "summary": "Successful Login",
            "action": [
              "ALLOW"
            ]
          }
        ],
        "extensions": {
          "auth": {
            "type": "SSO"
          }
        }
      },
      "eventLogToken": "96f23eb9ffaa9f7e7b0e2ff5a0d2e34c,1,1642670115687000,USER,|USER_LOGIN"
    }
  ]
}
Output messages
The Execute UDM Query action provides the following output messages:
Output message | Message description |
---|---|
 | Action succeeded. |
Error executing action "Execute UDM Query". Reason: ERROR_REASON | Action failed. Check the connection to the server, the input parameters, or the credentials. |
Error executing action "Execute UDM Query". Reason: you've reached a rate limit. Please wait for several minutes and try again. | Action failed. Wait for several minutes before running the action again. |
Script result
The following table describes the values for the script result output when using the Execute UDM Query action:
Script result name | Value |
---|---|
is_success | True or False |
Get Detection Details
Use the Get Detection Details action to retrieve information about a detection in Google SecOps.
If you provide special characters in the Detection ID parameter, the action doesn't fail but returns a list of detections.
This action doesn't run on Google SecOps entities.
Action inputs
The Get Detection Details action requires the following parameters:
Parameter | Description |
---|---|
Rule ID | Required. The ID of the rule related to the detection. If you use the |
Detection ID | Required. The ID of the detection to fetch details for. |
Action outputs
The Get Detection Details action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example describes the JSON result output received when using the Get Detection Details action:
{
"type": "RULE_DETECTION",
"detection": [
{
"ruleName": "singleEventRule2",
"urlBackToProduct": "https://INSTANCE/ruleDetections?ruleId=ru_1f54ab4b-e523-48f7-ae25-271b5ea8337d&selectedList=RuleDetectionsViewTimeline&selectedParentDetectionId=de_ce594791-09ed-9681-27fa-3b7c8fa6054c&selectedTimestamp=2020-12-03T16:50:47.647245Z",
"ruleId": "ru_1f54ab4b-e523-48f7-ae25-271b5ea8337d",
"ruleVersion": "ru_1f54ab4b-e523-48f7-ae25-271b5ea8337d@v_1605892822_687503000",
"alertState": "NOT_ALERTING",
"ruleType": "SINGLE_EVENT"
}
],
"createdTime": "2020-12-03T19:19:21.325134Z",
"id": "de_ce594791-09ed-9681-27fa-3b7c8fa6054c",
"timeWindow": {
"startTime": "2020-12-03T16:50:47.647245Z",
"endTime": "2020-12-03T16:50:47.647245Z"
},
"collectionElements": [
{
"references": [
{
"event": {
"metadata": {
"eventTimestamp": "2020-12-03T16:50:47.647245Z",
"collectedTimestamp": "2020-12-03T16:50:47.666064010Z",
"eventType": "NETWORK_DNS",
"productName": "ProductName",
"ingestedTimestamp": "2020-12-03T16:50:49.494542Z"
},
"principal": {
"ip": [
"192.0.2.1"
]
},
"target": {
"ip": [
"203.0.113.1"
]
},
"securityResult": [
{
"action": [
"UNKNOWN_ACTION"
]
}
],
"network": {
"applicationProtocol": "DNS",
"dns": {
"questions": [
{
"name": "example.com",
"type": 1,
"class": 1
}
],
"id": 12345,
"recursionDesired": true
}
}
}
}
],
"label": "e"
}
],
"detectionTime": "2020-12-03T16:50:47.647245Z"
}
Output messages
The Get Detection Details action provides the following output messages:
Output message | Message description |
---|---|
Successfully fetched information about the detection with ID DETECTION_ID in Google Chronicle. | Action succeeded. |
Error executing action "Get Detection Details". Reason: ERROR_REASON | Action returned an error. Check connection to the server, input parameters, or credentials. |
Script result
The following table describes the values for the script result output when using the Get Detection Details action:
Script result name | Value |
---|---|
is_success | True or False |
Get Reference Lists
Use the Get Reference Lists action to get available reference lists in Google SecOps.
This action doesn't run on Google SecOps entities.
Action inputs
The Get Reference Lists action requires the following parameters:
Parameter | Description |
---|---|
Filter Key | The key to use to filter reference lists. The possible values are as follows: |
Filter Logic | An applicable filter logic. The default value is |
Filter Value | The value to use in the filter. If If The If no value is provided for this parameter, the filter isn't applied. |
Expanded Details | If selected, the action returns detailed information about the reference lists. Not selected by default. |
Max Reference Lists To Return | The number of reference lists to return. The default value is 100. |
Action outputs
The Get Reference Lists action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
Case wall table
On a Case Wall, the Get Reference Lists action provides the following table:
Name: Available Reference Lists
Columns:
- Name
- Description
- Type
JSON result
The following example describes the JSON result output received when using the Get Reference Lists action:
{
"name": "list_name",
"description": "description of the list",
"lines": [
"192.0.2.0/24",
"198.51.100.0/24"
],
"create_time": "2020-11-20T17:18:20.409247Z",
"content_type": "CIDR"
}
The following example describes the JSON result output received when using the Get Reference Lists action with Chronicle API:
[
{
"name": "projects/PROJECT_ID/locations/us/instances/INSTANCE_ID/referenceLists/REFERENCE_LIST_ID",
"displayName": "REFERENCE_LIST_ID",
"revisionCreateTime": "2025-01-09T15:53:10.851775Z",
"description": "Test reference list",
"syntaxType": "REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING",
"scopeInfo": {
"referenceListScope": {}
},
"createTime": "2025-01-09T15:53:10.851775Z"
}
]
Output messages
The Get Reference Lists action provides the following output messages:
Output message | Message description |
---|---|
 | Action is successful. |
Error executing action "ACTION_NAME". Reason: ERROR_REASON | Action failed. Check the connection to the server, the input parameters, or the credentials. |
Error executing action "ACTION_NAME". Reason: "Invalid value was provided for "Max Reference Lists to Return": PROVIDED_VALUE. Positive number should be provided. | Action failed. Check the value for the |
Script result
The following table describes the values for the script result output when using the Get Reference Lists action:
Script result name | Value |
---|---|
is_success | True or False |
Get Rule Details
Use the Get Rule Details action to retrieve information about a rule in Google SecOps.
This action doesn't run on Google SecOps entities.
Action inputs
The Get Rule Details action requires the following parameters:
Parameter | Description |
---|---|
Rule ID | Required. The rule ID to fetch the details for. |
Action outputs
The Get Rule Details action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example describes the JSON result output received when using the Get Rule Details action:
{
"ruleId": "ru_e6abfcb5-1b85-41b0-b64c-695b3250436f",
"versionId": "ru_e6abfcb5-1b85-41b0-b64c-695b3250436f@v_1602631093_146879000",
"ruleName": "SampleRule",
"metadata": {
"description": "Sample Description of the Rule",
"author": "author@example.com"
},
"ruleText": "rule SampleRule {\n  meta:\n    description = \"Sample Description of the Rule\"\n    author = \"author@example.com\"\n  events:\n    // This will just generate lots of detections\n    $event.metadata.event_type = \"NETWORK_HTTP\"\n  condition:\n    $event\n}",
"liveRuleEnabled": true,
"versionCreateTime": "2020-10-13T23:18:13.146879Z",
"compilationState": "SUCCEEDED"
}
The following example describes the JSON result output received when using the Get Rule Details action with Chronicle API:
{
"name": "projects/PROJECT_ID/locations/us/instances/INSTANCE_ID/rules/RULE_ID",
"revisionId": "v_1733917896_973567000",
"displayName": "Test_rule_SingleEvent",
"text": "rule Test_rule_SingleEvent {\n // This rule matches single events. Rules can also match multiple events within\n // some time window. For details about how to write a multi-event rule, see\n // URL\n\n meta:\n // Allows for storage of arbitrary key-value pairs of rule details - who\n // wrote it, what it detects on, version control, etc.\n // The \"author\" and \"severity\" fields are special, as they are used as\n // columns on the rules dashboard. If you want to sort based on\n // these fields on the dashboard, make sure to add them here.\n // Severity value, by convention, should be \"Low\", \"Medium\" or \"High\"\n author = \"example_user\"\n description = \"windowed single event example rule\"\n //severity = \"Medium\"\n\n events:\n $e.metadata.event_type = \"USER_LOGIN\"\n $e.principal.user.userid = $user\n\n //outcome:\n // For a multi-event rule an aggregation function is required\n // e.g., risk_score = max(0)\n // See URL\n //$risk_score = 0\n match:\n $user over 1m\n\n condition:\n #e > 0\n}\n",
"author": "example_user",
"metadata": {
"author": "example_user",
"description": "windowed single event example rule",
"severity": null
},
"createTime": "2024-12-11T11:36:18.192127Z",
"revisionCreateTime": "2024-12-11T11:51:36.973567Z",
"compilationState": "SUCCEEDED",
"type": "SINGLE_EVENT",
"allowedRunFrequencies": [
"LIVE",
"HOURLY",
"DAILY"
],
"etag": "CMj55boGEJjondAD",
"ruleId": "RULE_ID",
"versionId": "RULE_ID@v_1733917896_973567000",
"ruleName": "Test_rule_SingleEvent",
"ruleText": "rule Test_rule_SingleEvent {\n // This rule matches single events. Rules can also match multiple events within\n // some time window. For details about how to write a multi-event rule, see\n // URL\n\n meta:\n // Allows for storage of arbitrary key-value pairs of rule details - who\n // wrote it, what it detects on, version control, etc.\n // The \"author\" and \"severity\" fields are special, as they are used as\n // columns on the rules dashboard. If you want to sort based on\n // these fields on the dashboard, make sure to add them here.\n // Severity value, by convention, should be \"Low\", \"Medium\" or \"High\"\n author = \"example_user\"\n description = \"windowed single event example rule\"\n //severity = \"Medium\"\n\n events:\n $e.metadata.event_type = \"USER_LOGIN\"\n $e.principal.user.userid = $user\n\n //outcome:\n // For a multi-event rule an aggregation function is required\n // e.g., risk_score = max(0)\n // See URL\n //$risk_score = 0\n match:\n $user over 1m\n\n condition:\n #e > 0\n}\n",
"ruleType": "SINGLE_EVENT",
"versionCreateTime": "2024-12-11T11:51:36.973567Z"
}
Output messages
The Get Rule Details action provides the following output messages:
Output message | Message description |
---|---|
Successfully fetched information about the rule with ID RULE_ID in Google Chronicle. | Action succeeded. |
Error executing action "Get Rule Details". Reason: ERROR_REASON | Action failed. Check the connection to the server, the input parameters, or the credentials. |
Script result
The following table describes the values for the script result output when using the Get Rule Details action:
Script result name | Value |
---|---|
is_success | True or False |
Is Value In Reference List
Use the Is Value In Reference List action to check if provided values are found in the reference lists in Google SecOps.
This action doesn't run on Google SecOps entities.
Action inputs
The Is Value In Reference List action requires the following parameters:
Parameter | Description |
---|---|
Reference List Names | Required. A comma-separated list of reference list names to search through. |
Values | Required. A comma-separated list of values to search for in reference lists. |
Case Insensitive Search | If selected, the action performs case-insensitive matching. |
Action outputs
The Is Value In Reference List action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example describes the JSON result output received when using the Is Value In Reference List action:
{
"Entity": "example.com",
"EntityResult": {
"found_in": [
"Reference list names where the item was found"
],
"not_found_in": [
"Reference list names where the item wasn't found"
],
"overall_status": "found if at least one reference list contains the value; not found if none of the reference lists contains the value"
}
}
The following example describes the JSON result output received when using the Is Value In Reference List action with Chronicle API:
{
"Entity": "example.com",
"EntityResult": {
"found_in": [
"Reference list names where the item was found"
],
"not_found_in": [
"Reference list names where the item wasn't found"
],
"overall_status": "found if at least one reference list contains the value; not found if none of the reference lists contains the value"
}
}
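The following is an added example, not code from the integration or from Google, that rebuilds the matching semantics of this action locally so the output shape above (found_in, not_found_in, overall_status) can be exercised offline. The reference lists are constructed inline; the case-insensitive option and the plain-text and CIDR list content types come from this page, while the CIDR containment check and the STRING label are assumptions made for the example.

```python
"""Local model of the Is Value In Reference List check (added example).

Not the integration's own code: it reproduces the action's result shape
over reference lists constructed below, so the semantics can be tested
without a Google SecOps tenant. The CIDR containment rule is an assumption.
"""
import ipaddress
from typing import Dict, List

# Constructed sample reference lists (not taken from any real tenant).
REFERENCE_LISTS = {
    "known_domains": {"content_type": "STRING", "lines": ["Example.com", "corp.example.net"]},
    "blocked_ranges": {"content_type": "CIDR", "lines": ["192.0.2.0/24", "198.51.100.0/24"]},
    "service_accounts": {"content_type": "STRING", "lines": ["svc-backup", "svc-ci"]},
}


def _normalize(value: str, case_insensitive: bool) -> str:
    value = value.strip()
    return value.lower() if case_insensitive else value


def _cidr_contains(lines: List[str], value: str) -> bool:
    """CIDR lists match when the value is an address inside any listed network."""
    try:
        addr = ipaddress.ip_address(value.strip())
    except ValueError:
        return False
    for line in lines:
        try:
            if addr in ipaddress.ip_network(line.strip(), strict=False):
                return True
        except ValueError:
            continue  # skip malformed list entries rather than failing the check
    return False


def check_value(value: str, list_names: List[str], case_insensitive: bool = False,
                reference_lists: Dict[str, dict] = REFERENCE_LISTS) -> dict:
    """Return one EntityResult-shaped dict for a single value."""
    missing = [n for n in list_names if n not in reference_lists]
    if missing:
        # Mirrors the action's "reference lists were not found" failure message.
        raise ValueError(f"reference lists not found: {', '.join(missing)}")

    found_in, not_found_in = [], []
    for name in list_names:
        ref = reference_lists[name]
        if ref["content_type"] == "CIDR":
            hit = _cidr_contains(ref["lines"], value)
        else:
            wanted = _normalize(value, case_insensitive)
            hit = any(_normalize(line, case_insensitive) == wanted for line in ref["lines"])
        (found_in if hit else not_found_in).append(name)

    return {
        "Entity": value,
        "EntityResult": {
            "found_in": found_in,
            "not_found_in": not_found_in,
            "overall_status": "found" if found_in else "not found",
        },
    }


def check_values(values_csv: str, list_names_csv: str, case_insensitive: bool = False) -> List[dict]:
    """Parse the two comma-separated action parameters and check every value."""
    list_names = [n.strip() for n in list_names_csv.split(",") if n.strip()]
    values = [v.strip() for v in values_csv.split(",") if v.strip()]
    return [check_value(v, list_names, case_insensitive) for v in values]


if __name__ == "__main__":
    for result in check_values("example.com, 192.0.2.77, svc-ci",
                               "known_domains, blocked_ranges, service_accounts",
                               case_insensitive=True):
        print(result["Entity"], result["EntityResult"]["overall_status"],
              result["EntityResult"]["found_in"])
```

The case-sensitivity flag only affects plain-text lists; an address either falls inside a CIDR entry or it does not, which is why a domain checked against a CIDR list simply lands in not_found_in instead of raising.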
Output messages
The Is Value In Reference List action provides the following output messages:
Output message | Message description |
---|---|
Successfully searched provided values in the reference lists in Google Chronicle. | Action succeeded. |
Error executing action "Is Value In Reference List". Reason: ERROR_REASON | Action failed. Check the connection to the server, the input parameters, or the credentials. |
Error executing action "Is Value In Reference List". Reason: the following reference lists were not found in Google Chronicle: MISSING_REFERENCE_LIST_NAME(S). Please use the action "Get Reference Lists" to see what reference lists are available. | Action failed. Run the Get Reference Lists action to check for available lists. |
Script result
The following table describes the values for the script result output when using the Is Value In Reference List action:
Script result name | Value |
---|---|
is_success | True or False |
List Assets
Use the List Assets action to list assets in Google SecOps SIEM that are based on the related entities in the specified time period.
This action only supports the MD5, SHA-1, and SHA-256 hashes.
This action runs on the following Google SecOps entities:
URL
IP Address
Hash
Action inputs
The List Assets action requires the following parameters:
Parameter | Description |
---|---|
Max Hours Backwards | The number of hours before now to fetch the assets. The default value is 1. |
Create Insight | If selected, the action creates an insight that contains information about the entities. Selected by default. |
Max Assets To Return | The number of assets to return in the response. The default value is 50. |
Time Frame | A specified timeframe for the results. The default value is If When you provide the |
Start Time | The start time for the results. Configure the parameter value in an ISO 8601 format. This parameter is required if the |
End Time | The end time for the results. Configure the parameter value in an ISO 8601 format. If you don't set a value and set the |
Action outputs
The List Assets action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
Case wall table
Name: ENTITY_IDENTIFIER
Columns:
- Hostname
- IP Address
- First Seen Artifact
- Last Seen Artifact
JSON result
The following example describes the JSON result output received when using the List Assets action:
{
"assets": [
{
"asset": {
"hostname": "example"
},
"firstSeenArtifactInfo": {
"artifactIndicator": {
"domainName": "www.example.com"
},
"seenTime": "2020-02-28T09:18:15.675Z"
},
"lastSeenArtifactInfo": {
"artifactIndicator": {
"domainName": "www.example.com"
},
"seenTime": "2020-09-24T06:43:59Z"
}
}
],
"uri": [
"https://INSTANCE/domainResults?domain=www.example.com&selectedList=DomainViewDistinctAssets&whoIsTimestamp=2020-09-27T12%3A07%3A34.166830443Z"
]
}
The following example describes the JSON result output received when using the List Assets action with Chronicle API:
[
{
"Entity": "192.0.2.229",
"EntityResult": {
"assets": [
{
"artifactIndicator": {
"domain": "example.com"
},
"sources": [
"Mandiant Open Source Intelligence"
],
"categories": [
"Indicator was published in publicly available sources"
],
"assetIndicators": [
{
"assetIpAddress": "192.0.2.229"
}
],
"iocIngestTimestamp": "2024-09-20T14:14:07.843Z",
"firstSeenTimestamp": "2025-01-15T11:20:00Z",
"lastSeenTimestamp": "2025-01-15T11:20:00Z",
"filterProperties": {
"stringProperties": {
"TLD": {
"values": [
{
"rawValue": ".com"
}
]
},
"IOC FEED": {
"values": [
{
"rawValue": "Mandiant Open Source Intelligence"
}
]
},
"IOC CATEGORIES": {
"values": [
{
"rawValue": "Indicator was published in publicly available sources"
}
]
},
"IOC CONFIDENCE SCORE": {
"values": [
{
"rawValue": "High"
}
]
},
"IOC/ALERT SEVERITY": {
"values": [
{
"rawValue": "Medium"
}
]
}
}
},
"confidenceBucket": "High",
"rawSeverity": "Medium",
"logType": "OPEN_SOURCE_INTEL_IOC",
"confidenceScore": 100,
"globalCustomerId": "ID",
"confidenceScoreBucket": {
"rangeEnd": 100
},
"categorization": "Indicator was published in publicly available sources",
"domainAndPorts": {
"domain": "example.com"
},
"activeTimerange": {
"startTime": "1970-01-01T00:00:01Z",
"endTime": "9999-12-31T23:59:59Z"
},
"feedName": "MANDIANT",
"id": "ID",
"fieldAndValue": {
"value": "ex ",
"valueType": "DOMAIN_NAME"
}
},
{
"artifactIndicator": {
"domain": "example.com"
},
"sources": [
"Mandiant Active Breach Intelligence"
],
"categories": [
"Indicator was published in publicly available sources"
],
"assetIndicators": [
{
"assetIpAddress": "192.0.2.229"
}
],
"iocIngestTimestamp": "2023-07-05T02:42:52.935Z",
"firstSeenTimestamp": "2025-01-15T11:20:00Z",
"lastSeenTimestamp": "2025-01-15T11:20:00Z",
"filterProperties": {
"stringProperties": {
"IOC/ALERT SEVERITY": {
"values": [
{
"rawValue": "Medium"
}
]
},
"IOC CONFIDENCE SCORE": {
"values": [
{
"rawValue": "High"
}
]
},
"IOC FEED": {
"values": [
{
"rawValue": "Mandiant Active Breach Intelligence"
}
]
},
"IOC CATEGORIES": {
"values": [
{
"rawValue": "Indicator was published in publicly available sources"
}
]
},
"TLD": {
"values": [
{
"rawValue": ".com"
}
]
}
}
},
"confidenceBucket": "High",
"rawSeverity": "Medium",
"logType": "MANDIANT_ACTIVE_BREACH_IOC",
"confidenceScore": 100,
"globalCustomerId": "ID",
"confidenceScoreBucket": {
"rangeEnd": 100
},
"categorization": "Indicator was published in publicly available sources",
"domainAndPorts": {
"domain": "example.com"
},
"activeTimerange": {
"startTime": "1970-01-01T00:00:01Z",
"endTime": "9999-12-31T23:59:59Z"
},
"feedName": "MANDIANT",
"id": "ID",
"fieldAndValue": {
"value": "example.com",
"valueType": "DOMAIN_NAME"
}
}
],
"uri": "https://INSTANCE.backstory.chronicle.security/destinationIpResults?ADDRESS=192.0.2.229&selectedList=IpViewDistinctAssets&referenceTime=2025-01-23T11%3A16%3A24.517449Z"
}
}
]
Output messages
The List Assets action provides the following output messages:
Output message | Message description |
---|---|
Successfully listed related assets for the following entities from Google Chronicle: ENTITY_IDENTIFIER | Action succeeded. |
Error executing action "List Assets". Reason: ERROR_REASON | Action failed. Check the connection to the server, the input parameters, or the credentials. |
Script result
The following table describes the values for the script result output when using the List Assets action:
Script result name | Value |
---|---|
is_success | True or False |
List Events
Use the List Events action to list events on the particular asset in the specified time period.
This action can only retrieve 10,000 events. Make sure to narrow down the time period for better results.
This action runs on the following Google SecOps entities:
IP address
MAC address
Hostname
Action inputs
The List Events action requires the following parameters:
Parameter | Description |
---|---|
Event Types | A comma-separated list of the event types that should be returned. If no value is provided, the action fetches all event types. To check all possible values for this parameter, see Event type possible values. |
Time Frame | The specified time period for the results. The default value is If you select the If you provide the |
Start Time | The start time for the results. Configure the parameter value in an ISO 8601 format. This parameter is required if you set the |
End Time | The end time for the results. Configure the parameter value in an ISO 8601 format. If you don't set a value and set the This parameter accepts the |
Reference Time | The reference time for the event search. Configure the parameter value in the following format: If you don't set a value, the action uses an end time as the reference time. |
Output | Required. The output for this action. The possible values are as follows: |
Max Events To Return | The number of events to process for a single entity type. The default value is 100. |
Event type possible values
The full list of possible values for the Event Type parameter is as follows:
EVENTTYPE_UNSPECIFIED, PROCESS_UNCATEGORIZED, PROCESS_LAUNCH, PROCESS_INJECTION, PROCESS_PRIVILEGE_ESCALATION, PROCESS_TERMINATION, PROCESS_OPEN, PROCESS_MODULE_LOAD,
REGISTRY_UNCATEGORIZED, REGISTRY_CREATION, REGISTRY_MODIFICATION, REGISTRY_DELETION,
SETTING_UNCATEGORIZED, SETTING_CREATION, SETTING_MODIFICATION, SETTING_DELETION,
MUTEX_UNCATEGORIZED, MUTEX_CREATION,
FILE_UNCATEGORIZED, FILE_CREATION, FILE_DELETION, FILE_MODIFICATION, FILE_READ, FILE_COPY, FILE_OPEN, FILE_MOVE, FILE_SYNC,
USER_UNCATEGORIZED, USER_LOGIN, USER_LOGOUT, USER_CREATION, USER_CHANGE_PASSWORD, USER_CHANGE_PERMISSIONS, USER_STATS, USER_BADGE_IN, USER_DELETION, USER_RESOURCE_CREATION, USER_RESOURCE_UPDATE_CONTENT, USER_RESOURCE_UPDATE_PERMISSIONS, USER_COMMUNICATION, USER_RESOURCE_ACCESS, USER_RESOURCE_DELETION,
GROUP_UNCATEGORIZED, GROUP_CREATION, GROUP_DELETION, GROUP_MODIFICATION,
EMAIL_UNCATEGORIZED, EMAIL_TRANSACTION, EMAIL_URL_CLICK,
NETWORK_UNCATEGORIZED, NETWORK_FLOW, NETWORK_CONNECTION, NETWORK_FTP, NETWORK_DHCP, NETWORK_DNS, NETWORK_HTTP, NETWORK_SMTP,
STATUS_UNCATEGORIZED, STATUS_HEARTBEAT, STATUS_STARTUP, STATUS_SHUTDOWN, STATUS_UPDATE,
SCAN_UNCATEGORIZED, SCAN_FILE, SCAN_PROCESS_BEHAVIORS, SCAN_PROCESS, SCAN_HOST, SCAN_VULN_HOST, SCAN_VULN_NETWORK, SCAN_NETWORK,
SCHEDULED_TASK_UNCATEGORIZED, SCHEDULED_TASK_CREATION, SCHEDULED_TASK_DELETION, SCHEDULED_TASK_ENABLE, SCHEDULED_TASK_DISABLE, SCHEDULED_TASK_MODIFICATION,
SYSTEM_AUDIT_LOG_UNCATEGORIZED, SYSTEM_AUDIT_LOG_WIPE,
SERVICE_UNSPECIFIED, SERVICE_CREATION, SERVICE_DELETION, SERVICE_START, SERVICE_STOP, SERVICE_MODIFICATION,
GENERIC_EVENT,
RESOURCE_CREATION, RESOURCE_DELETION, RESOURCE_PERMISSIONS_CHANGE, RESOURCE_READ, RESOURCE_WRITTEN,
ANALYST_UPDATE_VERDICT, ANALYST_UPDATE_REPUTATION, ANALYST_UPDATE_SEVERITY_SCORE, ANALYST_UPDATE_STATUS, ANALYST_ADD_COMMENT.
Action outputs
The List Events action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example describes the JSON result output received when using the List Events action:
{
"statistics": {
"NETWORK_CONNECTION": 10
},
"events": [
{
"metadata": {
"eventTimestamp": "2020-09-28T14:20:00Z",
"eventType": "NETWORK_CONNECTION",
"productName": "EXAMPLE Name",
"productEventType": "NETWORK_DNS",
"ingestedTimestamp": "2020-09-28T16:28:11.615578Z"
},
"principal": {
"hostname": "user-example-pc",
"assetId": "EXAMPLE:user-example-pc",
"process": {
"pid": "1101",
"productSpecificProcessId": "EXAMPLE:32323"
}
},
"target": {
"hostname": "example.com",
"user": {
"userid": "user"
},
"process": {
"pid": "8172",
"file": {
"md5": "a219fc7fcc93890a842183388f80369e",
"fullPath": "C:\\Program Files(x86)\\adobe\\acrobat reader dc\\reader\\acrord32.exe"
},
"commandLine": "\"C:\\Program Files(x86)\\adobe\\acrobat reader dc\\reader\\acrord32.exe\" ...",
"productSpecificProcessId": "EXAMPLE:82315"
}
}
},
{
"metadata": {
"eventTimestamp": "2020-09-28T17:20:00Z",
"eventType": "NETWORK_CONNECTION",
"productName": "EXAMPLE Name",
"productEventType": "NETWORK_DNS",
"ingestedTimestamp": "2020-09-28T16:28:11.615578Z"
},
"principal": {
"hostname": "user-example-pc",
"assetId": "EXAMPLE:user-example-pc",
"process": {
"pid": "1101",
"productSpecificProcessId": "EXAMPLE:32323"
}
},
"target": {
"hostname": "example.com",
"user": {
"userid": "user"
},
"process": {
"pid": "8172",
"file": {
"md5": "a219fc7fcc93890a842183388f80369e",
"fullPath": "C:\\Program Files(x86)\\adobe\\acrobat reader dc\\reader\\acrord32.exe"
},
"commandLine": "\"C:\\Program Files(x86)\\adobe\\acrobat reader dc\\reader\\acrord32.exe\" ...",
"productSpecificProcessId": "EXAMPLE:82315"
}
}
}
],
"uri": [
"https://INSTANCE/assetResults?assetIdentifier=user-example-pc&referenceTime=2020-09-28T17%3A00%3A00Z&selectedList=AssetViewTimeline&startTime=2020-09-28T14%3A20%3A00Z&endTime=2020-09-28T20%3A20%3A00Z"
]
}
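As an added example (not code from the integration or from Google), the following script shows how a playbook step might validate the Event Types parameter against the documented value list, apply the Max Events To Return cap, and derive per-type statistics from a List Events result. The supported set below is a subset of the values listed above, kept short for the example, and the sample events are constructed in the shape of the JSON result shown above.

```python
"""Validate Event Types and summarise a List Events result (added example).

Not the integration's own code. SUPPORTED_EVENT_TYPES is a subset of the
documented values; SAMPLE_RESULT is constructed in the documented shape.
"""
import json
from collections import Counter
from typing import Dict, List, Tuple

# Subset of the documented event type values, enough for the example.
SUPPORTED_EVENT_TYPES = {
    "EVENTTYPE_UNSPECIFIED", "PROCESS_LAUNCH", "PROCESS_INJECTION", "USER_LOGIN",
    "USER_LOGOUT", "NETWORK_CONNECTION", "NETWORK_DNS", "NETWORK_HTTP",
    "FILE_CREATION", "FILE_DELETION", "SCHEDULED_TASK_CREATION", "SERVICE_CREATION",
}

# Constructed sample in the shape of the documented JSON result (trimmed fields).
SAMPLE_RESULT = json.loads("""
{ "events": [
    {"metadata": {"eventTimestamp": "2020-09-28T14:20:00Z", "eventType": "NETWORK_CONNECTION"},
     "principal": {"hostname": "user-example-pc"}, "target": {"hostname": "example.com"}},
    {"metadata": {"eventTimestamp": "2020-09-28T15:05:00Z", "eventType": "NETWORK_DNS"},
     "principal": {"hostname": "user-example-pc"}, "target": {"hostname": "example.com"}},
    {"metadata": {"eventTimestamp": "2020-09-28T17:20:00Z", "eventType": "NETWORK_CONNECTION"},
     "principal": {"hostname": "user-example-pc"}, "target": {"hostname": "example.org"}}
  ] }
""")


def parse_event_types(param: str) -> Tuple[List[str], List[str]]:
    """Split the comma-separated parameter into (valid, invalid) name lists.

    An empty parameter means "all event types", matching the documented default.
    Names are upper-cased and de-duplicated; unknown names are reported, not
    silently dropped, so the caller can fail the way the action does.
    """
    valid, invalid, seen = [], [], set()
    for raw in param.split(","):
        name = raw.strip().upper()
        if not name or name in seen:
            continue
        seen.add(name)
        (valid if name in SUPPORTED_EVENT_TYPES else invalid).append(name)
    return valid, invalid


def summarize_events(result: dict, event_types: List[str], max_events: int = 100) -> Dict[str, object]:
    """Filter events by type, cap them like Max Events To Return, count per type."""
    wanted = set(event_types)
    selected = [e for e in result.get("events", [])
                if not wanted or e["metadata"]["eventType"] in wanted][:max_events]
    stats = Counter(e["metadata"]["eventType"] for e in selected)
    targets = sorted({e["target"]["hostname"] for e in selected if "target" in e})
    return {"statistics": dict(stats), "events": selected, "target_hostnames": targets}


def run(event_types_param: str, result: dict = SAMPLE_RESULT, max_events: int = 100) -> Dict[str, object]:
    """Reject unknown event types up front, then summarise the result."""
    valid, invalid = parse_event_types(event_types_param)
    if invalid:
        raise ValueError(
            f"invalid event type is provided: {', '.join(invalid)}. "
            f"Supported event types: {', '.join(sorted(SUPPORTED_EVENT_TYPES))}")
    return summarize_events(result, valid, max_events)


if __name__ == "__main__":
    print(json.dumps(run("NETWORK_CONNECTION, network_dns")["statistics"], indent=2))
```

Validating the parameter before the query is what turns a misspelled type into the documented "invalid event type is provided" failure instead of an empty result set that looks like a clean negative.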
Output messages
The List Events action provides the following output messages:
Output message | Message description |
---|---|
Successfully listed related events for the following entities from Google Chronicle: ENTITY_IDENTIFIER | Action succeeded. |
Error executing action "List Events". Reason: ERROR_REASON | Action failed. Check the connection to the server, the input parameters, or the credentials. |
Error executing action "List Events". Reason: invalid event type is provided. Please check the spelling. Supported event types: SUPPORTED_EVENT_TYPES | Action failed. Check the spelling. |
Script result
The following table describes the values for the script result output when using the List Events action:
Script result name | Value |
---|---|
is_success | True or False |
List IOCs
Use the List IOCs action to list all of the IoCs discovered in your enterprise within the specified time range.
If you receive the maximum number of IoCs you specified using the Max IoCs to Fetch parameter (or 10,000, the default value), there might still be more IoCs discovered in your Google SecOps account. Some IoCs within your data could be present before Google SecOps discovered them. To ensure that you have visibility on all possible IoCs, narrow down the time range and run the action again.
This action doesn't run on Google SecOps entities.
Action inputs
The List IOCs action requires the following parameters:
Parameter | Description |
---|---|
Start Time | The start time for the results. Use the ISO 8601 format to configure this parameter. |
Max IoCs to Fetch | The maximum number of IoCs to return. The applicable range is from 1 to 10,000. The default value is 50. |
Action outputs
The List IOCs action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example describes the JSON result output received when using the List IOCs action:
{
"matches":[
{
"artifact":{
"domainName":"www.example.com"
},
"firstSeenTime":"2018-05-25T20:47:11.048998Z",
"iocIngestTime":"2019-08-14T21:00:00Z",
"lastSeenTime":"2019-10-24T16:19:46.880830Z",
"sources":[
{
"category":"Spyware Reporting Server",
"confidenceScore":{
"intRawConfidenceScore":0,
"normalizedConfidenceScore":"Low"
},
"rawSeverity":"Medium",
"source":"Example List"
}
],
"uri":["URI"]
}
],
"moreDataAvailable":true
}
Output messages
The List IOCs action provides the following output messages:
Output message | Message description |
---|---|
Successfully listed IOCs from the provided timeframe in Google Chronicle. | Action succeeded. |
Error executing action "List IOCs". Reason: ERROR_REASON | Action failed. Check the connection to the server, the input parameters, or the credentials. |
Script result
The following table describes the values for the script result output when using the List IOCs action:
Script result name | Value |
---|---|
is_success | True or False |
Case wall table
Columns:
- Domain
- Category
- Source
- Confidence
- Severity
- IoC Ingest Time
- IoC First Seen Time
- IoC Last Seen Time
- URI
Lookup Similar Alerts
Use the Lookup Similar Alerts action to search for similar alerts in Google SecOps.
This action only works with Google SecOps alerts received from the Chronicle Alerts Connector. To get better results, narrow down the search period.
Depending on the underlying alert type, the action behaves differently. If the alert is rule-based (Rule alert), the action attempts to match alerts based on rule names. For External alerts, the action matches alerts based on the alert name.
The Lookup Similar Alerts action queries a sizable volume of alerts in the background based on the configured period. In responses, the action searches for specific keys and extracts possible IoCs.
This action creates distinct results based on the alert, rule, or product name, and IoC that was used during the search.
How the Similarity By parameter works
Rule alerts and External alerts behave differently with regard to the Similarity By parameter.
For example, if the Alert Name, Alert Type and Product or Alert Name, Alert Type options are selected:
- For External alerts, the action only searches for other External alerts and returns only information about those that have the same name.
- For Rule alerts, the action looks at the rule name that triggered the alert and only processes alerts originating from the same rule.
If you select the Product option, the action only processes alerts that originated from the same product. For example, if an alert originated in Crowdstrike, the action only matches with alerts that also originated in Crowdstrike. It doesn't matter if it was a Rule alert or External alert because the action queries and extracts data from both alert types. In all situations, the action searches for the IoCs provided in the IOCs/Assets parameter in the predefined fields.
An IoC alert can only run this action with the Similarity By parameter set to Only IOCs/Assets. If any other option is provided, the action sets the value to Only IOCs/Assets in the background.
The Lookup Similar Alerts action is a general-purpose action suitable for all playbooks working with Google SecOps SIEM alerts. It lets analysts correlate different alerts that happen in the same period and extract all of the relevant IoCs, which are then used to understand whether there is a true positive incident.
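The selection logic described above, as an added example that is not code from the integration or from Google. The alerts are constructed inline, and their field names (alert_type, rule_name, product, time, and the extracted ips, users and hostnames lists) are assumptions chosen for the illustration rather than the connector's real schema; the option names for Similarity By are the ones this page uses.

```python
"""Model of the Similarity By selection for Lookup Similar Alerts (added example).

Not the integration's own code. Field names on the constructed alerts are
assumptions for the example; the option strings are the ones the page names.
"""
from typing import Dict, List

# Constructed alerts, as a playbook might see them after connector ingestion.
ALERTS = [
    {"id": 1, "alert_type": "Rule", "name": "Suspicious login", "rule_name": "multiple_failed_logins",
     "product": "Crowdstrike", "time": "2024-05-01T10:00:00Z",
     "ips": ["192.0.2.10"], "users": ["alice"], "hostnames": ["host-a"]},
    {"id": 2, "alert_type": "Rule", "name": "Suspicious login", "rule_name": "multiple_failed_logins",
     "product": "Crowdstrike", "time": "2024-05-01T11:30:00Z",
     "ips": ["192.0.2.10"], "users": ["bob"], "hostnames": ["host-b"]},
    {"id": 3, "alert_type": "External", "name": "Suspicious login", "rule_name": None,
     "product": "Okta", "time": "2024-05-01T12:00:00Z",
     "ips": ["203.0.113.5"], "users": ["alice"], "hostnames": []},
    {"id": 4, "alert_type": "Rule", "name": "Beaconing", "rule_name": "beaconing_dns",
     "product": "Crowdstrike", "time": "2024-05-01T12:45:00Z",
     "ips": ["192.0.2.10"], "users": [], "hostnames": ["host-c"]},
    {"id": 5, "alert_type": "IoC", "name": "IOC match", "rule_name": None,
     "product": "Chronicle", "time": "2024-05-01T13:00:00Z",
     "ips": ["192.0.2.10"], "users": [], "hostnames": []},
]

IOC_FIELDS = ("ips", "users", "hostnames")  # the "predefined fields" searched for IoCs


def effective_similarity(source: dict, similarity_by: str) -> str:
    """IoC alerts are always searched with Only IOCs/Assets, as the page states."""
    if source["alert_type"] == "IoC":
        return "Only IOCs/Assets"
    return similarity_by


def candidate_alerts(source: dict, similarity_by: str, alerts: List[dict]) -> List[dict]:
    """Alert-level filtering that happens before the IoC search."""
    mode = effective_similarity(source, similarity_by)
    out = []
    for a in alerts:
        if a is source:
            continue
        if mode in ("Alert Name, Alert Type and Product", "Alert Name, Alert Type"):
            if source["alert_type"] == "External":
                # External alerts only match other External alerts with the same name.
                if a["alert_type"] != "External" or a["name"] != source["name"]:
                    continue
            else:
                # Rule alerts only match alerts that came from the same rule.
                if a["rule_name"] != source["rule_name"]:
                    continue
            if mode.endswith("and Product") and a["product"] != source["product"]:
                continue
        elif mode == "Product":
            # Product mode crosses alert types but stays within one product.
            if a["product"] != source["product"]:
                continue
        # "Only IOCs/Assets": no alert-level restriction at all.
        out.append(a)
    return out


def lookup_similar(source: dict, similarity_by: str, iocs_assets: str,
                   alerts: List[dict] = ALERTS) -> Dict[str, dict]:
    """One distinct result per provided IoC/asset, in the documented result shape."""
    candidates = candidate_alerts(source, similarity_by, alerts)
    results = {}
    for item in (x.strip() for x in iocs_assets.split(",") if x.strip()):
        hits = [a for a in candidates if any(item in a[f] for f in IOC_FIELDS)]
        if not hits:
            continue
        times = sorted(a["time"] for a in hits)
        results[item] = {
            "used_ioc_asset": item,
            "count": len(hits),
            "first_seen": times[0],
            "last_seen": times[-1],
            "product_name": ",".join(sorted({a["product"] for a in hits})),
            "hostnames": ",".join(sorted({h for a in hits for h in a["hostnames"]})),
            "users": ",".join(sorted({u for a in hits for u in a["users"]})),
            "ips": ",".join(sorted({i for a in hits for i in a["ips"]})),
        }
    return results


if __name__ == "__main__":
    for key, val in lookup_similar(ALERTS[0], "Alert Name, Alert Type", "192.0.2.10, alice").items():
        print(key, val["count"], val["first_seen"], val["last_seen"])
```

Running the same IoC with Product instead of Alert Name, Alert Type widens the candidate set from alerts of one rule to every Crowdstrike alert, which is why the count and the hostnames list grow; the IoC-alert case shows the forced fallback to Only IOCs/Assets.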
Action inputs
The Lookup Similar Alerts action requires the following parameters:
Parameter | Description |
---|---|
Time Frame | The specified time period for the results. The default value is If you select If you select |
IOCs / Assets | Required. A comma-separated list of IoCs or assets to find in the alerts. The action performs a different search for every provided item. |
Similarity By | Attributes to use when the action is searching for similar alerts. The default value is If you select If you select If you select |
Action outputs
The Lookup Similar Alerts action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Available |
Case wall table | Available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example describes the JSON result output received when using the Lookup Similar Alerts action:
{
"count": 123,
"distinct": [
{
"first_seen": "time of the first alert that matched our conditions",
"last_seen": "time of the last alert that matched our conditions",
"product_name": "product name",
"used_ioc_asset": "what user provided in the parameter IOCs and Assets",
"name": "Alert Name/Rule Name",
"hostnames": "csv list of unique hostnames that were found in alerts",
"urls": "csv list of unique urls that were found in alerts",
"ips": "csv list of unique ips that were found in alerts",
"subjects": "csv list of unique subjects that were found in alerts",
"users": "csv list of unique users that were found in alerts",
"email_addresses": "csv list of unique email_addresses that were found in alerts",
"hashes": "csv list of unique hashes that were found in alerts",
"processes": "csv list of unique processes that were found in alerts",
"rule_urls": ["Chronicle URL from API response for Rule"],
"count": 123
}
],
"processed_alerts": 10000,
"run_time": "how long it took to run the action or at least API request",
"EXTERNAL_url": "Chronicle URL from API response for EXTERNAL"
}
Output messages
The Lookup Similar Alerts action provides the following output messages:
Output message | Message description |
---|---|
|
Action is successful. |
Error executing action "Lookup Similar Alerts". Reason: ERROR_REASON | Action failed. Check the connection to the server, the input parameters, or the credentials. |
Error executing action "Lookup Similar Alerts". Reason: all of the retries are exhausted. Please wait for a minute and try again. | Action failed. Wait for a minute before running the action again. |
Script result
The following table describes the values for the script result output when using the Lookup Similar Alerts action:
Script result name | Value |
---|---|
is_success | True or False |
Case wall table
Name: IOC/ASSET_IDENTIFIER
Columns:
- Product
- Hostnames
- IPs
- Users
- Email Addresses
- Subjects
- URLs
- Hashes
- Processes
- First Seen
- Last Seen
- Alert Name
- General
Case wall link
- CBN: GENERATED_LINK_BASED_ON_IU_ROOT_URL
- Rule: GENERATED_LINK_BASED_ON_IU_ROOT_URL
Ping
Use the Ping action to test the connectivity to Google SecOps.
This action doesn't run on Google SecOps entities.
Action inputs
None.
Action outputs
The Ping action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | N/A |
Output messages | Available |
Script result | Available |
Output messages
The Ping action provides the following output messages:
Output message | Message description |
---|---|
Successfully connected to the Google Chronicle backstory with the provided connection parameters! | Action succeeded. |
Failed to connect to the Google Chronicle backstory. Error is ERROR_REASON | Action failed. Check the connection to the server. |
Script result
The following table describes the values for the script result output when using the Ping action:
Script result name | Value |
---|---|
is_success | True or False |
Remove Values From Reference List
Use the Remove Values From Reference List action to remove values from a reference list in Google SecOps.
This action doesn't run on Google SecOps entities.
Action inputs
The Remove Values From Reference List action requires the following parameters:
Parameter | Description |
---|---|
Reference List Name | Required. The reference list name to update. |
Values | Required. A comma-separated list of values to remove from a reference list. |
Action outputs
The Remove Values From Reference List action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example describes the JSON result output received when using the Remove Values From Reference List action:
{
"name": "list_name",
"description": "description of the list",
"lines": [
"192.0.2.0/24",
"198.51.100.0/24"
],
"create_time": "2020-11-20T17:18:20.409247Z",
"content_type": "CIDR"
}
The following example describes the JSON result output received when using the Remove Values From Reference List action with Chronicle API:
{
"name": "projects/PROJECT_ID/locations/us/instances/INSTANCE_ID/referenceLists/REFERENCE_LIST_NAME",
"displayName": "REFERENCE_LIST_NAME",
"revisionCreateTime": "2025-01-16T09:15:21.795743Z",
"description": "Test reference list",
"entries": [
{
"value": "example.com"
},
{
"value": "exampledomain.com"
}
],
"syntaxType": "REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING",
"scopeInfo": {
"referenceListScope": {}
},
"createTime": "2025-01-16T09:15:21.795743Z",
"lines": [
"example.com",
"exampledomain.com"
]
}
Output messages
The Remove Values From Reference List action provides the following output messages:
Output message | Message description |
---|---|
Successfully removed values from the reference list. | Action succeeded. |
Error executing action "Remove Values From Reference List". Reason: ERROR_REASON | Action failed. Check the connection to the server, the input parameters, or the credentials. |
Script result
The following table describes the values for the script result output when using the Remove Values From Reference List action:
Script result name | Value |
---|---|
is_success | True or False |
Connectors
For more detail about how to configure connectors in Google SecOps, see Ingest your data (connectors).
Chronicle Alerts Connector
Use the Chronicle Alerts Connector to pull information about the rule-based alerts from Google SecOps SIEM.
You can use the dynamic list to filter alerts and alert types.
Overview
This connector lets you ingest multiple alert types from Google SecOps SIEM.
To ensure the flexibility of the connector, use a dynamic list. For more details about the supported filter, see the Dynamic list filter section.
The Chronicle Alerts Connector queries data within a one-week period.
A delay can occur between the time that Google SecOps SIEM indexes an alert and when indexing completes. To mitigate the risk of missing alerts, set a padding period for the connector. Additionally, increase the connector timeout. A significant padding period can negatively impact connector performance.
If the Google SecOps SOAR alert lacks a severity value, the connector uses the value specified in the Fallback Severity parameter when creating the corresponding Google SecOps SOAR alert.
To ingest IOCs using the Chronicle Alerts Connector, create a detection rule in Google SecOps SIEM to generate alerts based on the IOCs. To create a detection rule, see Default detection rules.
Dynamic list filter
The purpose of the dynamic list is to filter different alert types. You can access the dynamic list from the connector configuration page.
Operator rules
The operator rules for the dynamic list are as follows:
- Values provided in a comma-separated manner are treated with OR logic.
- Every line in the dynamic list is treated with AND logic.
- Supported operators are different between different Filter Keys.
The following are the examples of using operator rules:
- Rule.severity = medium: The connector only ingests rule alerts with the medium severity.
- Rule.severity = low,medium: The connector only ingests rule alerts with the medium or low severity.
- Rule.ruleName = default_rule: The connector only ingests rule alerts with the default_rule name.
Supported filters list
The Chronicle Alerts Connector supports the following filters:
Filter key | Response key | Operators | Possible values |
---|---|---|---|
Rule.severity | detection or ruleLabels or severity | = , != , > , < , >= , <= | The values are case insensitive. |
Rule.ruleName | detection or ruleName | = , != | Not applicable. Defined by the user. |
Rule.ruleID | detection or ruleId | = , != | Not applicable. Defined by the user. |
Rule.ruleLabels.{key} | detection or ruleLabels | = , != | Defined by the user. |
Dynamic key handling for the rule-based detection
To work with the ruleLabels key, format your dynamic list as follows:
Rule.ruleLabels.{key}
Example
The rule is as follows:
"ruleLabels": [
{
"key": "author",
"value": "analyst123"
},
{
"key": "type",
"value": "suspicious_behaviour"
},
{
"key": "severity",
"value": "Medium"
}
]
To apply filters based on ruleLabels.type, the input for the dynamic list is as follows:
Rule.ruleLabels.type=suspicious_behaviour
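The operator rules and the ruleLabels key handling from this section, as an added example that is not code from the connector or from Google. It evaluates a dynamic list against a detection constructed in the ruleLabels layout shown above. Two things are assumptions made for the example rather than statements of the page: severity is compared on a Low < Medium < High ordering for the comparison operators, and a != line with several values is treated as "none of" (a strict OR of != terms would always be true).

```python
"""Evaluate a Chronicle Alerts Connector dynamic list (added example).

Not the connector's own code. Implements the documented rules: comma-separated
values on a line are OR'ed, lines are AND'ed, Rule.severity accepts comparison
operators, and Rule.ruleLabels.{key} reads the label with that key.
Assumptions: the severity ordering, and "none of" semantics for != lists.
"""
import re
from typing import Dict, List

SEVERITY_ORDER = {"low": 1, "medium": 2, "high": 3}  # assumed ordering

# Constructed detection in the documented ruleLabels layout.
DETECTION = {
    "detection": [{
        "ruleName": "default_rule",
        "ruleId": "ru_example",
        "ruleLabels": [
            {"key": "author", "value": "analyst123"},
            {"key": "type", "value": "suspicious_behaviour"},
            {"key": "severity", "value": "Medium"},
        ],
    }]
}

# key, then one of the documented operators (longest first), then the value list
_LINE_RE = re.compile(r"^\s*(?P<key>[A-Za-z0-9_.]+)\s*(?P<op>>=|<=|!=|=|>|<)\s*(?P<values>.+?)\s*$")


def _labels(detection: dict) -> Dict[str, str]:
    return {lab["key"]: lab["value"] for lab in detection["detection"][0].get("ruleLabels", [])}


def resolve_key(detection: dict, key: str) -> str:
    """Map a filter key to the value it refers to in the detection."""
    d = detection["detection"][0]
    if key == "Rule.severity":
        return _labels(detection).get("severity", "")
    if key == "Rule.ruleName":
        return d.get("ruleName", "")
    if key == "Rule.ruleID":
        return d.get("ruleId", "")
    if key.startswith("Rule.ruleLabels."):
        return _labels(detection).get(key[len("Rule.ruleLabels."):], "")
    raise ValueError(f"unsupported filter key: {key}")


def _compare(key: str, op: str, actual: str, expected: str) -> bool:
    if key == "Rule.severity":
        # Case-insensitive, ordered comparison; unknown severities never match.
        a, e = SEVERITY_ORDER.get(actual.lower()), SEVERITY_ORDER.get(expected.lower())
        if a is None or e is None:
            return False
        return {"=": a == e, "!=": a != e, ">": a > e, "<": a < e, ">=": a >= e, "<=": a <= e}[op]
    if op not in ("=", "!="):
        raise ValueError(f"operator {op} is not supported for {key}")
    return (actual == expected) if op == "=" else (actual != expected)


def matches_line(detection: dict, line: str) -> bool:
    """One line matches when any of its comma-separated values matches (OR)."""
    m = _LINE_RE.match(line)
    if not m:
        raise ValueError(f"cannot parse dynamic list line: {line!r}")
    key, op = m.group("key"), m.group("op")
    actual = resolve_key(detection, key)
    values = [v.strip() for v in m.group("values").split(",") if v.strip()]
    results = [_compare(key, op, actual, v) for v in values]
    # Assumption: "!= a,b" means the value is neither a nor b.
    return all(results) if op == "!=" else any(results)


def should_ingest(detection: dict, dynamic_list: List[str]) -> bool:
    """Every non-empty line must match (AND)."""
    return all(matches_line(detection, line) for line in dynamic_list if line.strip())


if __name__ == "__main__":
    print(should_ingest(DETECTION, ["Rule.severity >= medium",
                                    "Rule.ruleLabels.type=suspicious_behaviour"]))
```

Keeping the parser strict (a line that does not match the key/operator/value grammar raises instead of being ignored) means a typo in the dynamic list surfaces as a connector error rather than silently widening the set of alerts that get ingested.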
Connector inputs
The Chronicle Alerts Connector requires the following parameters:
Parameter | Description |
---|---|
Product Field Name | Required. The name of the field where the product name is stored. The default value is The product name primarily impacts mapping. To streamline and improve the mapping process for the connector, the default value |
Event Field Name | Required. The name of the field where the event name (subtype) is stored. The default value is |
Environment Field Name | Optional. The name of the field where the environment name is stored. If the environment field isn't found, the environment is the default environment. The default value is |
Environment Regex Pattern | Optional. A regular expression pattern to run on the value found in the Use the default value If the regular expression pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
Script Timeout (Seconds) | Required. The timeout limit for the Python process running the current script. The default value is 180. |
API Root | Required. The API root of the Google SecOps SIEM instance. Google SecOps provides regional endpoints for each API, for example, If you don't know which endpoint to use, contact Cloud Customer Care. The default value is |
User's Service Account | Required. The full JSON file content of the service account that you use to authenticate. |
Fallback Severity | Required. The fallback severity for the detection. This parameter is used if the Google SecOps SIEM detection doesn't include any information related to the severity. The default value is |
Max Hours Backwards | Optional. The number of hours before the first connector iteration to retrieve the incidents from. This parameter applies only once to the initial connector iteration after you enable the connector for the first time. The default value is 1 hour. The maximum value is 1 week. |
Max Alerts To Fetch | Optional. The number of alerts to process per one connector iteration. The default value is 100. |
Disable Event Splitting | Optional. If selected, the connector doesn't split original events into multiple events, so the event count matches between Google SecOps SIEM and Google SecOps SOAR. Not selected by default. |
Verify SSL | Required. If selected, Google SecOps verifies that the SSL certificate for connecting to the Google SecOps SIEM server is valid. Selected by default. |
Proxy Server Address | Optional. The address of the proxy server to use. |
Proxy Username | Optional. The proxy username to authenticate with. |
Proxy Password | Optional. The proxy password to authenticate with. |
Disable Overflow | Optional. Select to disable an event overflow. Not selected by default. |
Connector rules
The connector supports proxies.
Alert structure
The following table describes the structure of alerts in Google SecOps:
Alert attribute name | Product source (JSON key from an API response) | Output JSON example |
---|---|---|
SourceSystemName | Filled by framework | Filled by framework |
TicketId | Value from ids.json file | 60112f06545160bf3f54e8b3 |
DisplayId | Automatically generated | cf24dbb0-89fa-11ea-d9dc-000000000003 |
Name | alertInfos/name, IOC Alert, or detection/ruleName | Suspicious: File |
Reason | Not available | Not available |
Description | For the rule-based alerts only: detection/ruleLabels/description (if exists) | Not available |
DeviceVendor | Hardcoded value is Google Chronicle | Checkpoint |
DeviceProduct | Hardcoded field: | Harmony Mobile |
Priority | Taken from response or from the Fallback Severity parameter | High |
RuleGenerator | | FILE |
SourceGroupingIdentifier | Not available | Not available |
StartTime | | 2020-10-12T16:31:49.019Z |
EndTime | | 2020-10-12T16:31:49.019Z |
Chronicle Alert - Extensions | | Not available |
Chronicle Alert - Attachments | Not available | Not available |
Events
Events for the Chronicle Alerts Connector include rule alerts, external alerts, and IOC alerts.
Rule alerts
An example of a rule alert is as follows:
```json
{
  "alert_type": "RULE",
  "event_type": "NETWORK_DHCP",
  "type": "RULE_DETECTION",
  "detection": [
    {
      "ruleName": "d3_test",
      "urlBackToProduct": "https://INSTANCE/ruleDetections?ruleId=ru_74dd17e2-5aad-4053-acd7-958bead014f2&selectedList=RuleDetectionsViewTimeline&selectedParentDetectionId=de_b5dadaf4-b398-325f-9f09-833b71b3ffbb&selectedTimestamp=2022-02-08T05:02:36Z&versionTimestamp=2020-11-19T18:19:11.951951Z",
      "ruleId": "ru_74dd17e2-5aad-4053-acd7-958bead014f2",
      "ruleVersion": "ru_74dd17e2-5aad-4053-acd7-958bead014f2@v_1605809951_951951000",
      "alertState": "NOT_ALERTING",
      "ruleType": "SINGLE_EVENT",
      "ruleLabels": [
        {
          "key": "author",
          "value": "analyst123"
        },
        {
          "key": "description",
          "value": "8:00 AM local time"
        },
        {
          "key": "severity",
          "value": "Medium"
        }
      ]
    }
  ],
  "createdTime": "2022-02-08T06:07:33.944951Z",
  "id": "de_b5dadaf4-b398-325f-9f09-833b71b3ffbb",
  "timeWindow": {
    "startTime": "2022-02-08T05:02:36Z",
    "endTime": "2022-02-08T05:02:36Z"
  },
  "collectionElements": [
    {
      "references": [
        {
          "event": {
            "metadata": {
              "eventTimestamp": "2022-02-08T05:02:36Z",
              "eventType": "NETWORK_DHCP",
              "productName": "Infoblox DHCP",
              "ingestedTimestamp": "2022-02-08T05:03:03.892234Z"
            },
            "principal": {
              "ip": [
                "198.51.100.255",
                "198.51.100.1"
              ],
              "mac": [
                "01:23:45:ab:cd:ef"
              ],
              "email_address": [
                "example@example.com"
              ]
            },
            "target": {
              "hostname": "dhcp_server",
              "ip": [
                "198.51.100.0",
                "198.51.100.1"
              ]
            },
            "network": {
              "applicationProtocol": "DHCP",
              "dhcp": {
                "opcode": "BOOTREQUEST",
                "ciaddr": "198.51.100.255",
                "giaddr": "198.51.100.0",
                "chaddr": "01:23:45:ab:cd:ef",
                "type": "REQUEST",
                "clientHostname": "example-user-pc",
                "clientIdentifier": "AFm/LDfjAw=="
              }
            }
          }
        }
      ],
      "label": "e"
    }
  ],
  "detectionTime": "2022-02-08T05:02:36Z"
}
```
External alerts
An example of an external alert is as follows:
```json
{
  "alert_type": "External",
  "event_type": "GENERIC_EVENT",
  "name": "Authentication failure [32038]",
  "sourceProduct": "Internal Alert",
  "severity": "Medium",
  "timestamp": "2020-09-30T18:03:34.898194Z",
  "rawLog": "U2VwIDMwIDE4OjAzOjM0Ljg5ODE5NCAxMC4wLjI5LjEwOSBBdXRoZW50aWNhdGlvbiBmYWlsdXJlIFszMjAzOF0=",
  "uri": [
    "https://INSTANCE/assetResults?assetIdentifier=198.51.100.109&namespace=[untagged]&referenceTime=2020-09-30T18%3A03%3A34.898194Z&selectedList=AssetViewTimeline&startTime=2020-09-30T17%3A58%3A34.898194Z&endTime=2020-09-30T18%3A08%3A34.898194Z&selectedAlert=-610875602&selectedEventTimestamp=2020-09-30T18%3A03%3A34.898194Z"
  ],
  "event": {
    "metadata": {
      "eventTimestamp": "2020-09-30T18:03:34.898194Z",
      "eventType": "GENERIC_EVENT",
      "productName": "Chronicle Internal",
      "ingestedTimestamp": "2020-09-30T18:03:34.991592Z"
    },
    "target": [
      {
        "ip": [
          "198.51.100.255",
          "198.51.100.1"
        ]
      }
    ],
    "securityResult": [
      {
        "summary": "Authentication failure [32038]",
        "severityDetails": "Medium"
      }
    ]
  }
}
```
IOC Alerts
An example of an IOC alert is as follows:
```json
{
  "alert_type": "IOC",
  "event_type": "IOC Alert",
  "artifact": {
    "domainName": "example.com"
  },
  "sources": [
    {
      "source": "Example List",
      "confidenceScore": {
        "normalizedConfidenceScore": "Low",
        "intRawConfidenceScore": 0
      },
      "rawSeverity": "High",
      "category": "Malware Command and Control Server"
    }
  ],
  "iocIngestTime": "2020-09-07T11:00:00Z",
  "firstSeenTime": "2018-10-03T00:01:59Z",
  "lastSeenTime": "2022-02-04T20:02:29.191Z",
  "uri": [
    "https://INSTANCE/domainResults?domain=example.com&selectedList=DomainViewDistinctAssets&whoIsTimestamp=2022-02-08T15%3A08%3A52.434022777Z"
  ]
}
```
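The following is an added example, not the connector's own code, showing how the three payload types above can be turned into the SOAR alert attributes from the Alert structure table while applying the connector's Environment Field Name, Environment Regex Pattern and Fallback Severity rules. The page does not name the source fields for Priority, StartTime and EndTime, so the fields used for them (the `severity` rule label, `timeWindow`, `timestamp`, `rawSeverity`, `firstSeenTime`/`lastSeenTime`) and the name of the default environment are assumptions, marked ASSUMED in the code; the sample payloads are constructed, trimmed copies of the examples above.

```python
"""Added example (not the connector's own code): build SOAR alert attributes
from Chronicle Alerts Connector payloads (RULE, External, IOC), applying the
Environment Field Name / Environment Regex Pattern and Fallback Severity rules.
Lines marked ASSUMED use fields inferred from the sample payloads."""
import re
import uuid
from typing import Optional

DEFAULT_ENVIRONMENT = "Default Environment"  # ASSUMED name of the SOAR default environment


def resolve_environment(raw: dict, env_field: Optional[str], env_regex: Optional[str]) -> str:
    """Parameter-table rules: a missing field, a null value, or a null/empty pattern
    all resolve to the default environment. A pattern that does not match is
    treated the same way (ASSUMED; the page does not say)."""
    if not env_field or raw.get(env_field) is None or not env_regex:
        return DEFAULT_ENVIRONMENT
    match = re.search(env_regex, str(raw[env_field]))
    return match.group(0) if match else DEFAULT_ENVIRONMENT


def to_soar_alert(raw: dict, fallback_severity: str,
                  env_field: Optional[str] = None, env_regex: Optional[str] = None) -> dict:
    """Map one RULE, External or IOC payload onto the Alert structure table."""
    alert_type = raw.get("alert_type")
    description = None
    if alert_type == "RULE":
        detection = raw["detection"][0]
        labels = {lbl["key"]: lbl["value"] for lbl in detection.get("ruleLabels", [])}
        name = detection["ruleName"]                        # table: detection/ruleName
        description = labels.get("description")             # table: detection/ruleLabels/description
        severity = labels.get("severity")                   # ASSUMED: "severity" rule label
        start, end = raw["timeWindow"]["startTime"], raw["timeWindow"]["endTime"]  # ASSUMED
    elif alert_type == "External":
        name = raw["name"]                                  # ASSUMED: "name" key of the sample payload
        severity = raw.get("severity")                      # ASSUMED
        start = end = raw["timestamp"]                      # ASSUMED
    elif alert_type == "IOC":
        name = "IOC Alert"                                  # table: fixed name for IOC alerts
        sources = raw.get("sources") or [{}]
        severity = sources[0].get("rawSeverity")            # ASSUMED
        start, end = raw["firstSeenTime"], raw["lastSeenTime"]  # ASSUMED
    else:
        raise ValueError(f"unsupported alert_type: {alert_type!r}")
    return {
        "DisplayId": str(uuid.uuid4()),                     # table: automatically generated
        "Name": name,
        "Description": description,
        "DeviceVendor": "Google Chronicle",                 # table: hardcoded value
        "Priority": severity or fallback_severity,          # table: response or Fallback Severity
        "StartTime": start,
        "EndTime": end,
        "Environment": resolve_environment(raw, env_field, env_regex),
    }


# Constructed, trimmed versions of the payloads shown on the page.
SAMPLE_RULE = {
    "alert_type": "RULE",
    "detection": [{"ruleName": "d3_test", "ruleLabels": [
        {"key": "description", "value": "8:00 AM local time"},
        {"key": "severity", "value": "Medium"}]}],
    "timeWindow": {"startTime": "2022-02-08T05:02:36Z", "endTime": "2022-02-08T05:02:36Z"},
}
SAMPLE_EXTERNAL = {"alert_type": "External", "name": "Authentication failure [32038]",
                   "severity": "Medium", "timestamp": "2020-09-30T18:03:34.898194Z",
                   "environment": "prod-eu-1"}  # constructed environment field
SAMPLE_IOC = {"alert_type": "IOC", "sources": [{"source": "Example List"}],  # no severity given
              "firstSeenTime": "2018-10-03T00:01:59Z", "lastSeenTime": "2022-02-04T20:02:29.191Z"}

if __name__ == "__main__":
    for payload in (SAMPLE_RULE, SAMPLE_EXTERNAL, SAMPLE_IOC):
        print(to_soar_alert(payload, "Low", env_field="environment", env_regex=r"^[a-z]+-[a-z]+"))
```

The IOC sample deliberately carries no severity, so it shows the Fallback Severity parameter taking effect; the external sample carries a constructed environment field so the regex rule can be seen extracting `prod-eu` from it.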
Alerts Connector - Deprecated
This connector pulls asset alerts from Google SecOps SIEM and converts them into Google SecOps SIEM alerts.
You can authenticate using the Google library with google.oauth2.service_account and AuthorizedSession.
This connector requires the Google SecOps SIEM Search API.
Connector inputs
The Alerts Connector requires the following parameters:
Parameter | Description |
---|---|
Product Field Name | Required. Enter the source field name to retrieve the Product Field name. The default value is |
Environment Field Name | Optional. The name of the field where the environment name is stored. If the environment field isn't found, the environment is the default environment. The default value is |
Environment Regex Pattern | Optional. A regular expression pattern to run on the value found in the Environment Field Name field. Use the default value. If the regular expression pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
Script Timeout (Seconds) | Required. The timeout limit for the Python process running the current script. The default value is 180. |
Service Account Credentials | Required. The content of the service account JSON file. |
Fetch Max Hours Backwards | Optional. The number of hours before the first connector iteration to retrieve the incidents from. This parameter applies only once, to the initial connector iteration after you enable the connector for the first time. The default value is 1 hour. The maximum value is 1 week. |
IoCs Connector - Deprecated
This connector pulls the IOC domain matches from Google SecOps SIEM and converts them into Google SecOps SIEM alerts.
You can authenticate using the Google library with google.oauth2.service_account and AuthorizedSession.
This connector uses the Google SecOps SIEM Search API.
Connector inputs
This connector requires the following parameters:
Parameter | Description |
---|---|
Product Field Name | Required. Enter the source field name to retrieve the Product Field name. The default value is |
Environment Field Name | Optional. The name of the field where the environment name is stored. If the environment field isn't found, the environment is the default environment. The default value is |
Environment Regex Pattern | Optional. A regular expression pattern to run on the value found in the Environment Field Name field. Use the default value. If the regular expression pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
Script Timeout (Seconds) | Required. The timeout limit for the Python process running the current script. The default value is 180. |
Service Account Credentials | Required. The content of the service account JSON file. |
Fetch Max Hours Backwards | Optional. The number of hours before the first connector iteration to retrieve the incidents from. This parameter applies only once, to the initial connector iteration after you enable the connector for the first time. The default value is 1 hour. The maximum value is 1 week. |
Max Alerts To Fetch | Optional. The number of alerts to process in one connector iteration. You can specify a number between 1 and 100,000. |
Jobs
The Google Chronicle integration lets you use the following jobs:
- Google Chronicle Sync Data job
- Google Chronicle Alerts Creator job
Job configuration prerequisites
Before proceeding to the job configuration, configure the Chronicle Alerts Connector.
To configure Google Chronicle jobs, follow these steps:
1. In Google SecOps SOAR, go to Response > Job Scheduler.
2. Click Create New Job.
3. In the Add Job dialog that appears, select the corresponding Google Chronicle job and click Save.
4. Optional: Edit the job name and description, if necessary.
5. In the Job Details section, make sure that GoogleChronicle is selected in the Integration field.
6. To automatically run the job at specified intervals, set up a scheduler interval. Configuring the scheduler is mandatory to complete the job configuration. As Google Chronicle jobs can synchronize large amounts of data in one run, Google recommends that you set the scheduler interval to at least 2 minutes.
Google Chronicle Sync Data job
This job works with alerts created by the Chronicle Alerts Connector and the Chronicle Alerts Creator job, but not with alerts from deprecated connectors (Alerts Connector and IOCs Connector).
The Google Chronicle Sync Data job synchronizes updated Google SecOps alerts and cases managed in Google SecOps SOAR back to Google SecOps SIEM. Consequently, you can track the same information on both systems immediately after you make changes in Google SecOps SOAR.
Case and alerts data synchronization
The Google Chronicle Sync Data job tracks and synchronizes the following fields for cases:
Tracked field | Synchronized field |
---|---|
Priority | Priority |
Status | Status |
Title | Title |
Not applicable | Stage |
Not applicable | Google SecOps Case ID |
Google SecOps Case ID is a unique case identifier in Google SecOps SOAR and Google SecOps SIEM.
The Google Chronicle Sync Data job tracks and synchronizes the following fields for alerts:
Tracked field | Synchronized field |
---|---|
Priority | Priority |
Status | Status |
Case ID | Not applicable |
Not applicable | Google SecOps Alert ID |
Not applicable | Google SecOps Case ID |
Not applicable | Verdict |
Not applicable | Closure Comment |
Not applicable | Closure Reason |
Not applicable | Closure Root Cause |
Not applicable | Usefulness |
Google SecOps Alert ID is a unique alert identifier in Google SecOps SOAR.
In one iteration, the job synchronizes up to 1,000 cases and 1,000 alerts. The synchronization occurs within the Google SecOps SOAR environment that is specified in the job configuration. The synchronization mechanism ensures that a case from the specified environment cannot be synced with another environment.
Configure the Google Chronicle Sync Data job
This job only synchronizes the Google SecOps SOAR cases that were ingested from Google SecOps SIEM.
Make sure you have completed the prerequisite steps before configuring the job.
To configure the Google Chronicle Sync Data job, follow these steps:
1. In the Parameters section, configure the following parameters:
Parameter | Description |
---|---|
Environment | Required. The name of the environment created in Google SecOps SOAR where you want to sync cases and alerts. |
API Root | Required. The API root of the Google SecOps SIEM instance. Google SecOps provides regional endpoints for each API, for example, https://europe-backstory.googleapis.com or https://asia-southeast1-backstory.googleapis.com. If you don't know which endpoint to use, [contact Cloud Customer Care](/chronicle/docs/getting-support). The default value is https://backstory.googleapis.com. |
User's Service Account | Required. The content of the service account JSON file of your Google SecOps SIEM instance. |
Max Hours Backwards | Optional. The number of hours to fetch alerts from. Use only positive numbers. If you enter 0 or a negative number, an error is reported. If this parameter is empty, the job uses the default value. The default value is 24 hours. |
Verify SSL | Required. If selected, Google SecOps verifies that the SSL certificate for connecting to the Google SecOps SIEM server is valid. We recommend that you select this option. Selected by default. |
The Google Chronicle Sync Data job is enabled by default. When you save the correctly configured job, it starts synchronizing data with Google SecOps SIEM immediately. To disable the job, switch the toggle next to the job name.
2. To complete the configuration, click Save. If the Save button is inactive, make sure that you have set all mandatory parameters.
3. Optional: To run the job immediately after saving, click Run Now. The Run Now option lets you trigger a single job run that synchronizes the current Google SecOps SOAR alerts and cases data with Google SecOps SIEM.
Log messages
The following table lists possible log messages for the Google Chronicle Data Sync job:
Log entry | Type | Description |
---|---|---|
Unable to parse credentials as JSON. Please validate creds. | Error | The service account provided in the User's Service Account parameter is corrupted. |
"Max Hours Backwards" parameter must be a positive number. | Error | The Max Hours Backwards parameter is set to 0 or a negative number. |
Current platform version does not support SDK methods designed for Google SecOps. Please use version 6.1.33 or higher. | Error | The current Google SecOps platform instance version doesn't support the Chronicle Sync Data job script execution. This means that the instance's build version is older than 6.1.33. |
Unable to connect to Google SecOps, please validate your credentials: CREDENTIALS | Error | The service account or API root values couldn't be validated against the Google SecOps SIEM instance. This error is reported if the connectivity testing fails. |
--- Start Processing Updated Cases --- | Info | The case processing loop has started running. |
Last success time. Date time: DATE_AND_TIME. Unix: UNIX_EPOCH_TIME | Info | The timestamp of the last successful script execution for cases or alerts. |
Key: "DATABASE_KEY" does not exist in the database. Returning default value instead: DEFAULT_VALUE | Info | The pending case or alert database key does not exist in the database. This log entry always appears in the first execution of the script. |
Failed to parse data as JSON. Returning default value instead: "DEFAULT_VALUE. ERROR: ERROR | Error | The value retrieved from the database is not a valid JSON format. |
Exception was raised from the database. ERROR: ERROR. | Error | There is a connection problem with the database. |
| Info | The pending case or alert IDs have been successfully retrieved from the backlog. CASE_IDS is the number of case IDs retrieved. |
| Error | The number of pending case or alert IDs that are fetched from the database is greater than the limit (1000). Any IDs over the limit are ignored. This error can indicate a possible database corruption. |
| Info | The newly updated case or alert IDs were successfully fetched from the platform. |
| Info | The update of cases and alerts in the Google SecOps SIEM instance has started. |
| Error | The specified case or alert cannot be synchronized with Google SecOps SIEM. |
| Info | The specified pending case or alert has reached the sync retry limit (5) and is not inserted back into the backlog. |
| Info | The list of case or alert IDs that cannot be synchronized with Google SecOps SIEM. |
Updated External Case IDs for the following cases: CASE_IDS | Info | The list of cases for which the job updated the matching Google SecOps SIEM external case ID in the Google SecOps SOAR platform. |
Failed to update external ids. | Error | There was a problem with the SDK method or connection that prevented updating external case IDs in the platform. |
| Error | A terminating error prevented the case or alert processing loop from finishing naturally. The stacktrace is printed after this log entry with the specific error. |
| Info | The cases and alerts processing loop has finished, either naturally or with an error. |
| Error | The list of failed case or alert IDs that have a retry count less than or equal to 5 and are written back to the backlog. |
| Info | The case and alert processing stage has finished. |
Saving timestamps. | Info | Saving the last successful case and alert update timestamps to the database. |
Saving pending ids. | Info | Saving pending case and alert IDs to the database. |
Got exception on main handler. Error: ERROR_REASON | Error | A general termination error has occurred. The stacktrace is printed after this log entry with the specific error. |
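The backlog behaviour that the log table describes (pending IDs read from the database, a limit of 1,000 IDs, failed IDs with a retry count of at most 5 written back, IDs past the limit dropped) is modelled in the following added example. It is not the job's code: the database and the SIEM update call are replaced by in-memory stand-ins, and the assumption that the retry counter is incremented on each failed attempt is marked in the code. The sample IDs and the failing/succeeding `sync_one` callback are constructed.

```python
"""Added example (a model, not the Sync Data job's code): pending-ID backlog and
retry handling as described by the job's log messages. PENDING_LIMIT and
RETRY_LIMIT come from the log table; storage and the SIEM call are ASSUMED
in-memory stand-ins, and the retry counter is ASSUMED to grow by one per failure."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List

PENDING_LIMIT = 1000   # "greater than the limit (1000)" in the log table
RETRY_LIMIT = 5        # "reached the sync retry limit (5)"


@dataclass
class SyncState:
    """Stand-in for the job's database key: pending IDs mapped to their retry count."""
    pending: Dict[str, int] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)


def load_pending(state: SyncState) -> Dict[str, int]:
    """Read the backlog. A missing key yields the default (empty) value; more than
    PENDING_LIMIT IDs is logged as an error and the surplus is ignored."""
    if not state.pending:
        state.log.append("Info: pending key does not exist in the database. "
                         "Returning default value instead: {}")
        return {}
    items = list(state.pending.items())
    if len(items) > PENDING_LIMIT:
        state.log.append(f"Error: {len(items)} pending IDs exceed the limit "
                         f"({PENDING_LIMIT}); IDs over the limit are ignored")
        items = items[:PENDING_LIMIT]
    return dict(items)


def run_iteration(state: SyncState, new_ids: Iterable[str],
                  sync_one: Callable[[str], bool]) -> Dict[str, object]:
    """One processing loop: the backlog first, then newly updated IDs. An ID that
    fails but is still within RETRY_LIMIT goes back to the backlog; an ID that
    has exhausted its retries is dropped and logged."""
    work = load_pending(state)
    for case_id in new_ids:
        work.setdefault(case_id, 0)          # new IDs start with no retries
    synced: List[str] = []
    failed: Dict[str, int] = {}
    dropped: List[str] = []
    for case_id, retries in work.items():
        if sync_one(case_id):
            synced.append(case_id)
            continue
        retries += 1                          # ASSUMED: one increment per failed attempt
        if retries <= RETRY_LIMIT:
            failed[case_id] = retries         # "retry count less than or equal to 5"
        else:
            dropped.append(case_id)
            state.log.append(f"Info: {case_id} reached the sync retry limit "
                             f"({RETRY_LIMIT}) and is not inserted back to the backlog")
    state.pending = failed                    # "Saving pending ids."
    state.log.append("Info: Saving pending ids.")
    return {"synced": synced, "failed": failed, "dropped": dropped}


if __name__ == "__main__":
    # Constructed demo: c1 has already failed 5 times, c2 once, c3 is newly updated.
    demo = SyncState(pending={"c1": 5, "c2": 1})
    outcome = run_iteration(demo, ["c3"], sync_one=lambda cid: cid == "c3")
    print(outcome, demo.pending, *demo.log, sep="\n")
```

Reading the model against the table: an ID that keeps failing is retried on five consecutive runs and then silently leaves the backlog, so a persistent "cannot be synchronized" entry for the same ID across runs deserves attention before that limit is hit.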
Google Chronicle Alerts Creator job
The Google Chronicle Alerts Creator job requires the Google SecOps platform version 6.2.30 or later.
This job creates all Google SecOps SOAR alerts in Google SecOps SIEM, including overflow alerts. The Google Chronicle Alerts Creator job doesn't replicate alerts that originate from Google SecOps.
The Google Chronicle Alerts Creator job queries the SOAR platform using the Python SDK for non-synchronized alerts. The job sends non-synchronized alerts to SIEM individually. SIEM updates and returns the identifiers of the corresponding SIEM alerts, and SOAR saves the identifiers using the SOAR platform API through the Python SDK.
Relationship between the Google Chronicle jobs
A complete Google SecOps system runs the following three components concurrently:
- Chronicle Alerts Connector
- Google Chronicle Sync Data job
- Google Chronicle Alerts Creator job
The Google Chronicle Sync Data job creates and synchronizes cases. It also synchronizes the case and alert modifications, such as priority changes.
The Google Chronicle Alerts Creator job generates all alerts, except SIEM alerts. The Google Chronicle Sync Data job sends updates on unsynchronized alerts after the Google Chronicle Alerts Creator job creates the alerts.
Case and alerts data synchronization
Cases are synchronized in the same manner as with the Google Chronicle Sync Data job.
In Google SecOps SIEM, each alert is identified with a SIEM alert identifier. SOAR alerts can adopt a SIEM identifier in two scenarios:
- Alert is generated in SIEM. This alert already exists in Google SecOps SIEM and there is no need to duplicate it. The connector populates the siem_alert_id field.
- Alert is generated in third-party connectors. This alert does not exist in Google SecOps SIEM and requires running an explicit synchronization operation that the Google Chronicle Alerts Creator job is responsible for. Upon completing the synchronization operation, the alert acquires a new SIEM identifier.
Configure the Google Chronicle Alerts Creator job
Make sure you have completed the prerequisite steps before configuring the job.
To configure the Google Chronicle Alerts Creator job, follow these steps:
1. Configure the job parameters from the following table:
Parameter | Description |
---|---|
Environment | Required. The name of the environment created in Google SecOps SOAR where you want to sync cases and alerts. |
API Root | Required. The API root of the Google SecOps SIEM instance. Google SecOps provides regional endpoints for each API, for example, https://europe-backstory.googleapis.com or https://asia-southeast1-backstory.googleapis.com. If you don't know which endpoint to use, [contact Cloud Customer Care](/chronicle/docs/getting-support). The default value is https://backstory.googleapis.com. |
User's Service Account | Required. The content of the service account JSON file of your Google SecOps SIEM instance. |
Verify SSL | Required. If selected, Google SecOps verifies that the SSL certificate for connecting to the Google SecOps SIEM server is valid. We recommend that you select this option. Selected by default. |
2. To complete the configuration, click Save. If the Save button is inactive, make sure that you have set all mandatory parameters.
3. Optional: To run the job immediately after saving, click Run Now. The Run Now option lets you trigger a single job run that synchronizes the current Google SecOps SOAR alerts and cases data with Google SecOps SIEM.
Log messages and error handling
Log | Level | Description |
---|---|---|
| ERROR | The service account provided in the User's Service Account parameter is corrupted. |
| ERROR | The current Google SecOps platform instance version doesn't support the Google Chronicle Alerts Creator job script execution. This error means that the instance build version is earlier than 6.2.30. |
| ERROR | The service account or API root values cannot be validated against the Google SecOps SIEM instance. This error is reported if the connectivity testing fails. |
| INFO | The job has started. |
| INFO | The main function has started. |
| INFO | The iteration number for the current consecutive attempt. |
| INFO | The code doesn't retrieve more than BATCH_SIZE new alerts from SOAR. |
| INFO | NUMBER_OF_NEW_ALERTS SOAR alerts were fetched. |
| INFO | No new SOAR alerts were found, and the job is stopping. |
| INFO | The job has fetched the SOAR alerts with the identifiers in the ID list. You can use this information to track the progress of the job and to troubleshoot issues with the code. |
| INFO | The job is dispatching SOAR alerts to SIEM. |
| ERROR | The alert was not created successfully in SIEM due to an error. |
| INFO | The job is updating SOAR with the SIEM response. |
| WARNING | SOAR was unable to update the status of the alert synchronization. |
| INFO | A total of total_synced alerts were synced in the current run. |
| INFO | The job has finished. |
| ERROR | An exception occurred in the main function. The exception message is included in the log message. |
Use cases
The Google Chronicle integration lets you run the following use cases:
- Chronicle Windows Threats Investigation and Response
- Security Command Center and Chronicle Cloud DIR
Install the use case
1. In the Google SecOps Marketplace, go to the Use Cases tab.
2. In the search field, enter the use case name.
3. Click the use case.
4. Follow the configuration steps and instructions in the installation wizard.
Once finished, all of the required components are installed on your Google SecOps machine. To finalize the installation, configure the Initialization block in the playbook that corresponds to your use case.
Chronicle Windows Threats Investigation & Response
Use the power of Google SecOps to respond in real time to Windows threats in your environment. Using Threat Intelligence for Google SecOps, security teams can take advantage of a high-fidelity threat intelligence service together with Google SecOps. Real threats in your environment can now be automatically triaged and remediated in a short and effective time period.
1. In Google SecOps, go to Response > Playbooks.
2. Select the Google Chronicle - Windows Threats Investigation & Response playbook. The playbook opens in the playbook designer view.
3. Double-click Set Initialization Block_1. The block configuration dialog opens.
4. To configure the playbook, use the following parameters:
Input parameter | Possible values | Description |
---|---|---|
edr_product | Crowdstrike, Carbon Black, or None | The EDR product to use in the playbook. |
itsm_product | Service Now, Jira, ZenDesk, or None | The ITSM product to use in the playbook. Jira requires additional configuration in the Open Ticket block. |
crowdstrike_use_spotlight | True or False | If True, the playbook executes Crowdstrike actions that require a Spotlight license (Vulnerability information). |
use_mandiant | True or False | If True, the playbook executes the Mandiant block. |
slack_user | Username or Email Address | The username or email address of the Slack user. If none is provided, the playbook skips Slack blocks. |
5. Click Save. The block configuration dialog closes.
6. In the playbook designer pane, click Save.
To test the playbook in the use case, ingest the test case included in the package. Some test case capabilities can fail because the data used for testing are unavailable in your environment.
Security Command Center and Chronicle Cloud DIR
Integrate Security Command Center with Google SecOps SIEM to let your analysts investigate incidents and threats that Security Command Center detects.
Configure the use case
The use case requires you to configure the following integrations:
- Siemplify
- Tools
- Mitre ATT&CK
- Google Cloud IAM
- Google Chronicle
- Functions
- Google Cloud Compute
- Email V2
- VirusTotal v3
The Google Security Command Center and Mandiant integrations are optional.
Make sure that you have installed the use case before configuring it.
- In Google SecOps, go to the Playbooks tab.
- Select the SCC & Chronicle Cloud DIR playbook.
- Double-click the Initialization block to configure it.
- Configure the playbook using the following parameters:
Parameter name | Possible values | Description |
---|---|---|
Mandiant_Enrichment | True or False | If The Mandiant integration needs to be configured for this setup. You can remove the enrichment if you rarely get meaningful information. Removing the enrichment block improves the execution speed of the playbook. |
SCC_Enrichment | True or False | If The Security Command Center integration must be configured for this setup. You can remove the enrichment if you rarely get meaningful information. Removing the enrichment block improves the execution speed of the playbook. |
IAM_Enrichment | True or False | If True, the playbook uses the IAM capabilities for additional enrichment. You can remove the enrichment if you rarely get meaningful information. Removing the enrichment block improves the execution speed of the playbook. |
Compute_Enrichment | True or False | If True, the playbook uses Compute Engine capabilities for additional enrichment. You can remove the enrichment if you rarely get meaningful information. Removing the enrichment block improves the execution speed of the playbook. |