Integrate Google Chronicle with Google SecOps

This document explains how to integrate Google Chronicle with Google Security Operations (Google SecOps).

Integration version: 64.0

Use cases

The Google Chronicle integration can address the following use cases:

  • Automated phishing investigation and remediation: Use Google SecOps SOAR capabilities to automatically query for historical email data, user activity logs, and threat intelligence to assess email legitimacy. The automated remediation can help you with triage and containment by preventing the spread of malware or data breaches.

  • Enrichment of security alerts: Use Google SecOps SOAR capabilities to enrich an alert generated in a SIEM with historical context, such as past user behavior and asset information. This provides analysts with a comprehensive view of an incident, enabling faster and more informed decision-making.

  • Threat hunting based on Google SecOps insights: Use Google SecOps SOAR capabilities to automate the process of querying other security tools for related indicators of compromise (IOCs). This can help you proactively identify potential breaches before they escalate.

  • Automated incident response playbooks: Use Google SecOps SOAR capabilities to trigger predefined playbooks that use Google SecOps data to isolate compromised systems, block malicious IP addresses, and notify relevant stakeholders. This can reduce incident response time and minimize the impact of security incidents.

  • Compliance reporting and auditing: Use Google SecOps SOAR capabilities to automate the collection of security data from Google SecOps for compliance reporting, streamlining the audit process, and reducing manual effort.

Before you begin

Before you configure the Google Chronicle integration in Google SecOps, make sure you have the following:

  • Google Cloud project: Access to an active Google Cloud project.

  • Permissions: The necessary Identity and Access Management (IAM) roles in your Google Cloud project to create and manage Service Accounts and IAM policies.

Configure the integration

The configuration steps depend on your Google SecOps deployment type:

  • Unified SecOps deployment: If your Google SecOps instance is part of a Unified SecOps deployment (integrated with Google Security Operations SIEM), the integration typically leverages a default Service Account managed by Google. In this case, you don't need to upload a Service Account JSON key or manually configure Workload Identity. Required permissions are either pre-configured or inherited from the host environment.

  • Standalone SOAR deployment: If your Google SecOps instance is a standalone SOAR deployment (not integrated with Google Security Operations SIEM), you must manually configure authentication using one of the following methods:

    • Service Account JSON key file

    • Workload Identity Federation

Authentication with a Service Account JSON key

The authentication process for a Service Account JSON key differs between the Chronicle API and the Backstory API.

Chronicle API authentication

To use the Chronicle API, you must create a Service Account in your Google Cloud project:

  1. In the Google Cloud console, go to IAM & Admin > Service Accounts.

  2. Select Create Service Account and follow the prompts to create your required Service Account.

  3. Select the email address of the new Service Account and go to Keys > Add Key > Create new key.

  4. Select JSON as the key type and click Create. A JSON key file is downloaded to your computer.

  5. In Permissions > Manage access, assign the required Google SecOps-specific IAM roles to the Service Account.

Backstory API authentication

To use the Backstory API, a Service Account is required. An Administrator must create this account for you.

  1. Contact Google SecOps Support and request a Service Account for the Backstory API. Provide the necessary details for your SOAR deployment.

  2. Google SecOps Support will provide you with a JSON key file for the Service Account.

  3. Use the provided key in the integration configuration.

Authentication with Workload Identity (recommended)

Workload Identity is the recommended and more secure authentication method for standalone SOAR deployments. It eliminates the need to manage long-lived Service Account keys by enabling short-lived, federated credentials.

To set up authentication with Workload Identity, follow these steps:

  1. Create a Workload Identity Pool and Provider:

    1. In the Google Cloud console, go to IAM & Admin > Workload Identity Federation.

    2. Follow the prompts to create a Workload Identity Pool and then a Workload Identity Pool Provider that trusts Google SecOps as an external identity.

    You can configure the provider to trust Google SecOps as an external identity source using OpenID Connect (OIDC).

  2. Create a Service Account:

    1. In the Google Cloud console, go to IAM & Admin > Service Accounts.

    2. Create a dedicated Service Account in your Google Cloud project. This account will be impersonated by the external workload (Google SecOps).

  3. Grant permissions to the Service Account:

    1. Assign the required Google SecOps-specific IAM roles (for example, Chronicle Viewer, Chronicle Security Operations Editor) to the Service Account.

    2. Grant the Service Account Token Creator role to the Workload Identity Pool Provider you created. This permission allows the provider to impersonate this Service Account.

  4. Configure the trust relationship:

    Establish the trust relationship between your Workload Identity Pool Provider and the Service Account. This links the external identity (representing Google SecOps) to the Google Cloud Service Account.

  5. Configure the integration parameter:

    In the integration configuration dialog, enter the email address of the Service Account in the Workload Identity Email field.

For more detailed instructions on setting up Workload Identity Federation, refer to Google Cloud Workload Identity.

Integration parameters

The Google Chronicle integration requires the following parameters:

Parameter Description
UI Root

Required.

The base URL of the Google SecOps SIEM interface.

This is used to automatically generate direct links back to the SIEM platform from your case records.

The default value is https://INSTANCE.chronicle.security/.

API Root

Required.

The API root for your Google SecOps SIEM instance. The value depends on your authentication method:

  • For Google-provided credentials: Use the legacy Backstory API format.

    The default value is https://backstory.googleapis.com.

  • For self-service credentials: Use the new Chronicle API format, including your project ID, region, and instance ID. For example, https://chronicle.us.rep.googleapis.com/v1alpha/projects/PROJECT_ID/locations/us/instances/INSTANCE_ID.

Using the wrong credentials for the API root results in a connection failure.

User's Service Account

Optional.

The full content of the Service Account JSON key file.

If neither this parameter nor Workload Identity Email is set, the integration uses the default Service Account of your Google SecOps instance.

Workload Identity Email

Optional.

The client email address of your Workload Identity Federation.

This parameter has priority over the User's Service Account key file.

To use Workload Identity Federation, you must grant the Service Account Token Creator role to your service account.

Verify SSL

Required.

If selected, the integration validates the SSL certificate when connecting to the Google SecOps SIEM server.

Enabled by default.
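As an added example (not part of the integration or of Google SecOps), the following Python checks a configuration against the rules above before it is saved: it classifies the API Root as the Backstory or the Chronicle format and extracts the project, location and instance identifiers, checks the shape of a Service Account JSON key without exposing the private key, and applies the stated precedence of Workload Identity Email over the key file over the default Service Account. The function and sample names are this example's own; the key-file fields it checks (type, client_email, private_key, project_id) are the standard Google Cloud key-file fields.

```python
"""Validate a Google Chronicle integration configuration before use."""
import json
import re
from typing import Optional
from urllib.parse import urlparse

BACKSTORY_HOST = "backstory.googleapis.com"
# Path shape of the self-service Chronicle API root, for example
# https://chronicle.us.rep.googleapis.com/v1alpha/projects/P/locations/us/instances/I
CHRONICLE_PATH = re.compile(
    r"^/v1alpha/projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/instances/(?P<instance>[^/]+)/?$"
)


def parse_api_root(api_root: str) -> dict:
    """Classify the API Root and extract its identifiers.

    Returns {"api": "backstory"} for the legacy root, or a dict with
    project_id, location and instance_id for the Chronicle format. Raises
    ValueError otherwise, so a wrong root is caught at configuration time
    instead of surfacing later as an opaque connection failure.
    """
    parts = urlparse(api_root.strip())
    if parts.scheme != "https":
        raise ValueError("API Root must use https")
    if parts.netloc == BACKSTORY_HOST and parts.path.strip("/") == "":
        return {"api": "backstory"}
    match = CHRONICLE_PATH.match(parts.path)
    if parts.netloc.endswith(".googleapis.com") and match:
        return {"api": "chronicle", "project_id": match["project"],
                "location": match["location"], "instance_id": match["instance"]}
    raise ValueError(f"unrecognised API Root format: {api_root}")


def validate_key_file(key_json: str) -> str:
    """Check the shape of a Service Account JSON key and return its client
    email. Only the identity is returned; the private key is never echoed."""
    try:
        key = json.loads(key_json)
    except json.JSONDecodeError as exc:
        raise ValueError("User's Service Account is not valid JSON") from exc
    if key.get("type") != "service_account":
        raise ValueError('key file "type" must be "service_account"')
    for field in ("client_email", "private_key", "project_id"):
        if not key.get(field):
            raise ValueError(f'key file is missing "{field}"')
    return key["client_email"]


def select_auth(workload_identity_email: Optional[str],
                service_account_json: Optional[str]) -> dict:
    """Apply the parameter precedence: Workload Identity Email wins over the
    key file; if neither is set, the instance default account is used."""
    if workload_identity_email and workload_identity_email.strip():
        return {"method": "workload_identity",
                "principal": workload_identity_email.strip()}
    if service_account_json and service_account_json.strip():
        return {"method": "service_account_key",
                "principal": validate_key_file(service_account_json)}
    return {"method": "default_service_account", "principal": None}


def validate_config(config: dict) -> dict:
    """Validate the integration parameters and return a summary dict."""
    summary = parse_api_root(config["API Root"])
    summary.update(select_auth(config.get("Workload Identity Email"),
                               config.get("User's Service Account")))
    summary["verify_ssl"] = bool(config.get("Verify SSL", True))
    return summary


# Constructed sample configuration; all identifiers are placeholders.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "PROJECT_ID",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "soar-integration@PROJECT_ID.iam.gserviceaccount.com",
})
SAMPLE_CONFIG = {
    "API Root": ("https://chronicle.us.rep.googleapis.com/v1alpha/projects/"
                 "PROJECT_ID/locations/us/instances/INSTANCE_ID"),
    "User's Service Account": SAMPLE_KEY,
    "Workload Identity Email": "",
    "Verify SSL": True,
}

if __name__ == "__main__":
    print(validate_config(SAMPLE_CONFIG))
```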

For instructions about how to configure an integration in Google SecOps, see Configure integrations.

You can make changes at a later stage, if needed. After you configure an integration instance, you can use it in playbooks. For more information about how to configure and support multiple instances, see Supporting multiple instances.

Actions

For more information about actions, see Respond to pending actions from Your Workdesk and Perform a manual action.

Add Rows To Data Table

Use the Add Rows To Data Table action to add rows to a data table in Google SecOps.

This action doesn't run on Google SecOps entities.

Action inputs

To configure the action, use the following parameters:

Parameter Description
Data Table Name

Required.

The display name of the data table to update.

Rows

Required.

A list of JSON objects containing information about the rows to add.

For example:

  {
    "columnName1": "value1",
    "columnName2": "value2"
  }

Action outputs

The Add Rows To Data Table action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
Entity insight Not available
JSON result Available
Output messages Available
Script result Available

JSON result

The following example shows a sample JSON result returned by the Add Rows To Data Table action:

{
  "name": "projects/365235532452/locations/us/instances/df6f1958-0381-41f9-8794-08a3229744a5/dataTables/data_table/dataTableRows/840d18a85944833e1b97ed6d2fb11377",
  "values": {
    "columnName1": "asda",
    "columnName2": "asdasd",
    "columnName3": "zxczxc"
  }
}

Output messages

The Add Rows To Data Table action provides the following output messages:

Output message Message description
Successfully added rows to the data table DATA_TABLE_NAME in Google SecOps. The action succeeded.
Error executing action "Add Rows to Data Table". Reason: ERROR_REASON The action failed.

Check the connection to the server, the input parameters, or the credentials.

Script result

The following table describes the values for the script result output when using the Add Rows To Data Table action:

Script result name Value
is_success true or false

Add Values To Reference List

Use the Add Values To Reference List action to add values to a reference list in Google SecOps.

This action doesn't run on Google SecOps entities.

Action inputs

To configure the action, use the following parameters:

Parameter Description
Reference List Name

Required.

The name of the reference list to update.

Values

Required.

A comma-separated list of values to add to the reference list.

Action outputs

The Add Values To Reference List action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
Entity insight Not available
JSON result Available
Output messages Available
Script result Available

JSON result

The following example describes the JSON result output received when using the Add Values To Reference List action with the Backstory API:

{
   "name": "list_name",
   "description": "description of the list",
   "lines": [
       "192.0.2.0/24",
       "198.51.100.0/24"
   ],
   "create_time": "2020-11-20T17:18:20.409247Z",
   "content_type": "CIDR"
}

The following example describes the JSON result output received when using the Add Values To Reference List action with the Chronicle API:

{
  "name": "projects/PROJECT_ID/locations/us/instances/INSTANCE_ID/referenceLists/REFERENCE_LIST_NAME",
  "displayName": "REFERENCE_LIST_NAME",
  "revisionCreateTime": "2025-01-16T09:15:21.795743Z",
  "description": "Test reference list",
  "entries": [
    {
      "value": "example.com"
    },
    {
      "value": "exampledomain.com"
    }
  ],
  "syntaxType": "REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING",
  "scopeInfo": {
    "referenceListScope": {}
  },
  "createTime": "2025-01-16T09:15:21.795743Z",
  "lines": [
    "example.com",
    "exampledomain.com"
  ]
}
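As an added example (not the integration's own code), the following Python normalises either response shape above into one structure and vets the action's comma-separated Values parameter against the list's syntax type before anything is added, so a malformed CIDR or regular expression cannot poison a list that detection rules consume. Syntax names other than those shown on this page (Chronicle's REGEX and CIDR syntax types, Backstory's PLAIN_TEXT and REGEX content types) are assumed; the function names and the sample list are this example's own.

```python
"""Normalise reference-list responses and vet values before adding them."""
import ipaddress
import re

# Both API vocabularies mapped onto one internal name (assumed values marked).
SYNTAX_BY_API_VALUE = {
    "CIDR": "cidr",                                           # Backstory (page)
    "PLAIN_TEXT": "plain_text",                               # Backstory (assumed)
    "REGEX": "regex",                                         # Backstory (assumed)
    "REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING": "plain_text",  # Chronicle (page)
    "REFERENCE_LIST_SYNTAX_TYPE_REGEX": "regex",              # Chronicle (assumed)
    "REFERENCE_LIST_SYNTAX_TYPE_CIDR": "cidr",                # Chronicle (assumed)
}


def normalise_reference_list(result: dict) -> dict:
    """Return {"name", "syntax", "values"} from either API's JSON result."""
    if "syntaxType" in result:                                # Chronicle API
        name = result.get("displayName") or result["name"].rsplit("/", 1)[-1]
        raw_syntax = result["syntaxType"]
        values = [e["value"] for e in result.get("entries", [])]
        values = values or list(result.get("lines", []))
    else:                                                     # Backstory API
        name = result["name"]
        raw_syntax = result.get("content_type", "PLAIN_TEXT")
        values = list(result.get("lines", []))
    if raw_syntax not in SYNTAX_BY_API_VALUE:
        raise ValueError(f"unknown reference list syntax: {raw_syntax}")
    return {"name": name, "syntax": SYNTAX_BY_API_VALUE[raw_syntax], "values": values}


def parse_values_parameter(values_param: str) -> list:
    """Split the comma-separated Values parameter, dropping blanks and
    duplicates while keeping first-seen order."""
    seen, out = set(), []
    for item in values_param.split(","):
        value = item.strip()
        if value and value not in seen:
            seen.add(value)
            out.append(value)
    return out


def check_value(value: str, syntax: str) -> bool:
    """Return True if the value is well-formed for the list's syntax type."""
    if syntax == "cidr":
        try:
            ipaddress.ip_network(value, strict=False)
            return True
        except ValueError:
            return False
    if syntax == "regex":
        try:
            re.compile(value)
            return True
        except re.error:
            return False
    return "\n" not in value                  # plain text: one line per entry


def plan_additions(current: dict, values_param: str) -> dict:
    """Split requested values into new, already present and rejected, so a
    playbook can stop on malformed input instead of poisoning the list."""
    lst = normalise_reference_list(current)
    existing = set(lst["values"])
    plan = {"add": [], "already_present": [], "rejected": []}
    for value in parse_values_parameter(values_param):
        if not check_value(value, lst["syntax"]):
            plan["rejected"].append(value)
        elif value in existing:
            plan["already_present"].append(value)
        else:
            plan["add"].append(value)
    return plan


# Constructed sample in the Backstory shape shown above.
SAMPLE_BACKSTORY_LIST = {
    "name": "list_name",
    "description": "description of the list",
    "lines": ["192.0.2.0/24", "198.51.100.0/24"],
    "create_time": "2020-11-20T17:18:20.409247Z",
    "content_type": "CIDR",
}

if __name__ == "__main__":
    print(plan_additions(SAMPLE_BACKSTORY_LIST,
                         "203.0.113.0/24, 192.0.2.0/24, not-a-cidr"))
```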

Output messages

The Add Values To Reference List action provides the following output messages:

Output message Message description
Successfully added values to the reference list REFERENCE_LIST_NAME. The action succeeded.
Error executing action "Add Values To Reference List". Reason: ERROR_REASON The action failed.

Check the connection to the server, the input parameters, or the credentials.

Script result

The following table describes the values for the script result output when using the Add Values To Reference List action:

Script result name Value
is_success True or False

Ask Gemini

Use the Ask Gemini action to send a text prompt to Gemini in Google SecOps.

This action doesn't run on Google SecOps entities.

Action inputs

To configure the action, use the following parameters:

Parameter Description
Automatic Opt-in

Optional.

If selected, the playbook automatically opts in the user for the Gemini conversation without requiring a manual confirmation.

Enabled by default.

Prompt

Required.

The initial text prompt or question to send to Gemini.

Action outputs

The Ask Gemini action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
Entity insight Not available
JSON result Available
Output messages Available
Script result Available

JSON result

The following example describes the JSON result output received when using the Ask Gemini action:

{
  "name": "projects/365235532452/locations/us/instances/df6f1958-0381-41f9-8794-08a3229744a5/users/me/conversations/db3b0fc2-94f8-42ae-b743-c3693f593269/messages/b58e3186-e697-4400-9da8-8ef252a20bd9",
  "input": {
    "body": "Is IP 159.138.84.217 malicious? What can you tell me about it?"
  },
  "responses": [
    {
      "blocks": [
        {
          "blockType": "HTML",
          "htmlContent": {
            "privateDoNotAccessOrElseSafeHtmlWrappedValue": "<p>The IP address 159.138.84.217 is associated with malware and threat actors.</p>\n<ul>\n<li>It is an IPv4 indicator.</li>\n<li>It is associated with BEACON malware.</li>\n<li>It is categorized as malware-Backdoor.</li>\n<li>It has a low confidence, high severity threat rating.</li>\n<li>VirusTotal&#39;s IP Address Report indicates the network for this IP is 159.138.80.0/20, and the IP is associated with HUAWEI CLOUDS in Singapore.</li>\n<li>VirusTotal&#39;s last analysis on April 22, 2025, showed 8 malicious detections out of 94 sources.</li>\n</ul>\n<p>I might have more details for a question with more context (e.g., what is the source of the IP, what type of network traffic is associated with the IP).</p>\n"
          }
        }
      ],
      "references": [
        {
          "blockType": "HTML",
          "htmlContent": {
            "privateDoNotAccessOrElseSafeHtmlWrappedValue": "<ol>\n<li><a href=\"https://advantage.mandiant.com/indicator/ipv4/159.138.84.217\" target=\"_blank\">Mandiant - indicator - 159.138.84.217</a></li>\n</ol>\n"
          }
        }
      ],
      "groundings": [
        "IP address 159.138.84.217 malicious cybersecurity",
        "IP address 159.138.84.217 threat intelligence"
      ]
    }
  ],
  "createTime": "2025-05-16T11:31:36.660538Z"
}

Output messages

The Ask Gemini action provides the following output messages:

Output message Message description
Successfully executed a prompt in Google SecOps. The action succeeded.
Error executing action "GoogleChronicle - Ask Gemini". Reason: ERROR_REASON The action failed.

Check the connection to the server, the input parameters, or the credentials.

Script result

The following table describes the values for the script result output when using the Ask Gemini action:

Script result name Value
is_success True or False

Enrich Domain - Deprecated

Use the Enrich Domain action to enrich domains using information from IoCs in Google SecOps SIEM.

This action runs on the following Google SecOps entities:

  • URL
  • Hostname

Action inputs

The Enrich Domain action requires the following parameters:

Parameter Description
Create Insight

If selected, the action creates an insight containing information about the entities.

Enabled by default.

Only Suspicious Insight

If selected, the action creates an insight only for entities that are marked as suspicious.

Not enabled by default.

If you select this parameter, you must also select Create Insight.

Lowest Suspicious Severity

Required.

The lowest severity associated with the domain needed to flag it as suspicious.

The default value is Medium.

The possible values are as follows:
  • High
  • Medium
  • Low
  • Info

Mark Suspicious N/A Severity

Required.

If selected and the information about severity is unavailable, the action marks the entity as suspicious.

Action outputs

The Enrich Domain action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Available
Enrichment table Available
Entity insight Not available
JSON result Available
Output messages Available
Script result Available

Case wall table

The Enrich Domain action provides the following table:

Name: ENTITY_IDENTIFIER

Columns:

  • Source
  • Severity
  • Category
  • Confidence

Entity enrichment

The Enrich Domain action supports the following entity enrichment logic:

Enrichment field Logic (when to apply)
severity When available in JSON
average_confidence When available in JSON
related_domains When available in JSON
categories When available in JSON
sources When available in JSON
first_seen When available in JSON
last_seen When available in JSON
report_link When available in JSON

JSON result

The following example describes the JSON result output received when using the Enrich Domain action with the Backstory API:


{
    "sources": [
        {
            "source": "ET Intelligence Rep List",
            "confidenceScore": {
                "normalizedConfidenceScore": "Low",
                "intRawConfidenceScore": 0
            },
            "rawSeverity": "High",
            "category": "Malware Command and Control Server"
        }
    ],
    "iocIngestTime": "2021-01-26T17:00:00Z",
    "firstSeenTime": "2018-10-03T00:03:53Z",
    "lastSeenTime": "2022-02-09T10:52:21.229Z",
    "uri": [
        "https://INSTANCE/domainResults?domain=example.net&selectedList=DomainViewDistinctAssets&whoIsTimestamp=2022-02-09T11%3A51%3A52.393783515Z"
    ]
}
  

The following example describes the JSON result output received when using the Enrich Domain action with the Chronicle API:


[
  {
    "Entity": "example.com",
    "EntityResult": {
      "sources": [
        {
          "category": "Indicator was published in publicly available sources",
          "firstActiveTime": "1970-01-01T00:00:01Z",
          "lastActiveTime": "9999-12-31T23:59:59Z",
          "addresses": [
            {
              "domain": "example.com"
            }
          ],
          "rawSeverity": "medium",
          "confidenceScore": {
            "strRawConfidenceScore": "100"
          }
        },
        {
          "category": "Phishing",
          "firstActiveTime": null,
          "lastActiveTime": "2020-11-27T14:31:37Z",
          "addresses": [
            {
              "domain": "example.com"
            },
            {
              "ipAddress": "IP_ADDRESS"
            }
          ],
          "rawSeverity": "high",
          "confidenceScore": {
            "strRawConfidenceScore": "high"
          }
        },
        {
          "category": "Indicator was published in publicly available sources",
          "firstActiveTime": "1970-01-01T00:00:01Z",
          "lastActiveTime": "9999-12-31T23:59:59Z",
          "addresses": [
            {
              "domain": "example.com"
            }
          ],
          "rawSeverity": "medium",
          "confidenceScore": {
            "strRawConfidenceScore": "100"
          }
        }
      ],
      "feeds": [
        {
          "metadata": {
            "title": "Mandiant Open Source Intelligence",
            "description": "Open Source Intel IoC",
            "confidenceScoreBucket": {
              "rangeEnd": 100
            }
          },
          "iocs": [
            {
              "domainAndPorts": {
                "domain": "example.com"
              },
              "categorization": "Indicator was published in publicly available sources",
              "activeTimerange": {
                "start": "1970-01-01T00:00:01Z",
                "end": "9999-12-31T23:59:59Z"
              },
              "confidenceScore": "100",
              "rawSeverity": "Medium"
            }
          ]
        },
        {
          "metadata": {
            "title": "ESET Threat Intelligence",
            "description": "ESET Threat Intelligence"
          },
          "iocs": [
            {
              "domainAndPorts": {
                "domain": "example.com"
              },
              "categorization": "Phishing",
              "activeTimerange": {
                "end": "2020-11-27T14:31:37Z"
              },
              "ipAndPorts": {
                "ipAddress": "IP_ADDRESS"
              },
              "confidenceScore": "High",
              "rawSeverity": "High"
            }
          ]
        },
        {
          "metadata": {
            "title": "Mandiant Active Breach Intelligence",
            "description": "Mandiant Active Breach IoC",
            "confidenceScoreBucket": {
              "rangeEnd": 100
            }
          },
          "iocs": [
            {
              "domainAndPorts": {
                "domain": "example.com"
              },
              "categorization": "Indicator was published in publicly available sources",
              "activeTimerange": {
                "start": "1970-01-01T00:00:01Z",
                "end": "9999-12-31T23:59:59Z"
              },
              "confidenceScore": "100",
              "rawSeverity": "Medium"
            }
          ]
        }
      ]
    }
  }
]
  
Output messages

The Enrich Domain action provides the following output messages:

Output message Message description
Successfully enriched the following domain in Google Chronicle: LIST_OF_IDS The action succeeded.
Error executing action "Enrich Domain". Reason: ERROR_REASON The action failed.

Check the connection to the server, the input parameters, or the credentials.

Script result

The following table describes the values for the script result output when using the Enrich Domain action:

Script result name Value
is_success True or False
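As an added example (not the integration's implementation), the following Python applies the Enrich Domain parameters to either JSON result shape shown above: it ranks rawSeverity values from both APIs on one scale, marks the entity suspicious when the highest severity reaches Lowest Suspicious Severity or, when no severity is present, according to Mark Suspicious N/A Severity, and fills the fields from the entity enrichment table. The function names and the trimmed sample result are this example's own.

```python
"""Apply the Enrich Domain suspicious-flag logic to one enrichment result."""
from typing import Optional

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}
RANK_TO_NAME = {rank: name.capitalize() for name, rank in SEVERITY_RANK.items()}


def severity_rank(raw: Optional[str]) -> Optional[int]:
    """Map a rawSeverity of either API ("High" or "high") to a rank."""
    if not raw:
        return None
    return SEVERITY_RANK.get(str(raw).strip().lower())


def confidence_value(source: dict) -> Optional[float]:
    """Read a numeric confidence from either API's confidenceScore object.
    Non-numeric Chronicle values such as "high" are left out of the average."""
    score = source.get("confidenceScore") or {}
    for key in ("intRawConfidenceScore", "strRawConfidenceScore"):
        if key in score:
            try:
                return float(score[key])
            except (TypeError, ValueError):
                return None
    return None


def enrich_domain(entity_result: dict, lowest_suspicious_severity: str = "Medium",
                  mark_suspicious_na_severity: bool = False) -> dict:
    """Build the enrichment fields and the suspicious flag for one domain."""
    sources = entity_result.get("sources", [])
    ranks = [r for r in (severity_rank(s.get("rawSeverity")) for s in sources)
             if r is not None]
    confidences = [c for c in (confidence_value(s) for s in sources) if c is not None]
    threshold = SEVERITY_RANK[lowest_suspicious_severity.strip().lower()]

    if ranks:
        top = max(ranks)
        severity, suspicious = RANK_TO_NAME[top], top >= threshold
    else:
        # No severity information at all: the N/A parameter decides.
        severity, suspicious = None, mark_suspicious_na_severity

    # Backstory reports firstSeenTime/lastSeenTime at the top level; the
    # Chronicle API reports firstActiveTime/lastActiveTime per source.
    firsts = [entity_result.get("firstSeenTime")] + [s.get("firstActiveTime") for s in sources]
    lasts = [entity_result.get("lastSeenTime")] + [s.get("lastActiveTime") for s in sources]
    firsts, lasts = [t for t in firsts if t], [t for t in lasts if t]

    names = [s["source"] for s in sources if s.get("source")]
    names += [f["metadata"]["title"] for f in entity_result.get("feeds", [])
              if (f.get("metadata") or {}).get("title")]
    uris = entity_result.get("uri") or []
    return {
        "severity": severity,
        "average_confidence": sum(confidences) / len(confidences) if confidences else None,
        "categories": sorted({s["category"] for s in sources if s.get("category")}),
        "sources": sorted(set(names)),
        "first_seen": min(firsts) if firsts else None,
        "last_seen": max(lasts) if lasts else None,
        "report_link": uris[0] if uris else None,
        "is_suspicious": suspicious,
    }


# Constructed sample in the Chronicle API shape shown above (trimmed).
SAMPLE_CHRONICLE_RESULT = {
    "sources": [
        {"category": "Indicator was published in publicly available sources",
         "firstActiveTime": "1970-01-01T00:00:01Z",
         "lastActiveTime": "9999-12-31T23:59:59Z",
         "rawSeverity": "medium",
         "confidenceScore": {"strRawConfidenceScore": "100"}},
        {"category": "Phishing", "firstActiveTime": None,
         "lastActiveTime": "2020-11-27T14:31:37Z",
         "rawSeverity": "high",
         "confidenceScore": {"strRawConfidenceScore": "high"}},
    ],
    "feeds": [
        {"metadata": {"title": "Mandiant Open Source Intelligence"}, "iocs": []},
        {"metadata": {"title": "ESET Threat Intelligence"}, "iocs": []},
    ],
}

if __name__ == "__main__":
    print(enrich_domain(SAMPLE_CHRONICLE_RESULT, "Medium", False))
```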

Enrich Entities

Use the Enrich Entities action to query Google SecOps for additional context and attributes for specified entity types. This action enhances threat investigation data by integrating external intelligence.

This action runs on the following Google SecOps entities:

  • Domain
  • File Hash
  • Hostname
  • IP Address
  • URL (extracts domain from URL)
  • User
  • Email (user entity with email regex)

Action inputs

The Enrich Entities action requires the following parameters:

Parameter Description
Namespace

Optional.

The logical grouping or scope of the entities to enrich.

If not selected, the enrichment applies to entities in the default namespace or all accessible namespaces.

Entities must belong to this namespace to be processed.

Time Frame

Optional.

A relative timeframe (for example, 1 day, 2 hours).

This parameter takes precedence over Start Time and End Time.

Start Time

Optional.

The start time for the enrichment period in ISO 8601 format.

Use this with End Time if Time Frame is not set.

End Time

Optional.

The absolute end time for the enrichment period in ISO 8601 format.

Used with Start Time if Time Frame is not set.

Action outputs

The Enrich Entities action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Available
JSON result Available
Output messages Available
Script result Available

Entity enrichment

The Enrich Entities action supports the following entity enrichment for any entity:

Enrichment field Source (JSON key) Applicability
GoogleSecOps_related_entities The number of related_entities When available in the JSON result.
GoogleSecOps_alert_count_ruleName {alertCounts.count} for each specific rule When available in the JSON result.
GoogleSecOps_first_seen metric.firstSeen When available in the JSON result.
GoogleSecOps_last_seen metric.lastSeen When available in the JSON result.
GoogleSecOps_flattened_key_under_entity The value of the key, flattened from the nested structure under the "entity" object. When available in the JSON result.
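As an added example (not the integration's code), the following Python produces the enrichment fields from the table above for one EntityResult, and maps a URL or User entity to the identifier that is looked up, as the entity list for this action describes. Reading the flattened keys from the innermost "entity" object, treating related_entities as a top-level list, and the entity type names used for the mapping are this example's assumptions; the sample result is constructed with placeholder identifiers.

```python
"""Derive Enrich Entities enrichment fields from one EntityResult."""
import re
from typing import Any
from urllib.parse import urlparse

PREFIX = "GoogleSecOps_"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def lookup_identifier(identifier: str, entity_type: str) -> tuple:
    """Map a SOAR entity to the value looked up in Google SecOps: a URL is
    reduced to its host (the action "extracts domain from URL") and a User
    identifier matching the email pattern is treated as an Email entity.
    The entity type names are illustrative (assumed), taken from the list above."""
    if entity_type == "URL":
        url = identifier if "://" in identifier else "//" + identifier
        host = urlparse(url).hostname
        return ("Domain", host if host else identifier.lower())
    if entity_type == "User" and EMAIL_RE.match(identifier):
        return ("Email", identifier.lower())
    return (entity_type, identifier)


def flatten(value: Any, path: str = "") -> dict:
    """Flatten nested dicts and lists into {"a_b": leaf} pairs; a list of
    scalars is joined so that every enrichment field stays a single value."""
    out = {}
    if isinstance(value, dict):
        for key, child in value.items():
            out.update(flatten(child, f"{path}_{key}" if path else key))
    elif isinstance(value, list):
        if value and all(not isinstance(x, (dict, list)) for x in value):
            out[path] = ", ".join(str(x) for x in value)
        else:
            for i, child in enumerate(value):
                out.update(flatten(child, f"{path}_{i}"))
    elif path:
        out[path] = value
    return out


def innermost_entity(entity_result: dict) -> dict:
    """Walk the repeated "entity" wrappers down to the payload object; the
    results nest EntityResult.entity.entity before the asset or domain."""
    node = entity_result
    while isinstance(node.get("entity"), dict):
        node = node["entity"]
    return node


def enrichment_fields(entity_result: dict) -> dict:
    """Return the flat GoogleSecOps_* enrichment dictionary for one result."""
    fields = {}
    if "related_entities" in entity_result:
        fields[PREFIX + "related_entities"] = len(entity_result["related_entities"])
    for item in entity_result.get("alertCounts", []):
        if item.get("rule"):
            fields[f"{PREFIX}alert_count_{item['rule']}"] = int(item.get("count", 0))
    metric = entity_result.get("metric") or {}
    if metric.get("firstSeen"):
        fields[PREFIX + "first_seen"] = metric["firstSeen"]
    if metric.get("lastSeen"):
        fields[PREFIX + "last_seen"] = metric["lastSeen"]
    payload = innermost_entity(entity_result)
    if payload is not entity_result:
        for key, value in flatten(payload).items():
            fields[PREFIX + key] = value
    return fields


# Constructed sample EntityResult for an ASSET; identifiers are placeholders.
SAMPLE_ENTITY_RESULT = {
    "name": "projects/PROJECT_ID/locations/us/instances/INSTANCE_ID/entities/ENTITY_ID",
    "metadata": {"entityType": "ASSET"},
    "entity": {
        "metadata": {"entityType": "ASSET"},
        "entity": {"namespace": "EXAMPLE", "asset": {"hostname": "host-01", "ip": ["10.0.0.5"]}},
        "metric": {"firstSeen": "2025-06-25T00:00:02.042Z", "lastSeen": "2025-07-18T07:50:02.472Z"},
    },
    "metric": {"firstSeen": "2025-06-25T00:00:02.042Z", "lastSeen": "2025-07-18T07:50:02.472Z"},
    "alertCounts": [{"rule": "rule_testbucket", "count": "339"},
                    {"rule": "rule_risk_score", "count": "12"}],
    "related_entities": [{"name": "ENTITY_A"}, {"name": "ENTITY_B"}],
}

if __name__ == "__main__":
    for key, value in sorted(enrichment_fields(SAMPLE_ENTITY_RESULT).items()):
        print(f"{key} = {value}")
```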
JSON result

The following example shows the JSON result output received when using the Enrich Entities action:

    [
     {
       "Entity": "HTTP://MARKOSSOLOMON.COM/F1Q7QX.PHP",
       "EntityResult": {
         "name": "projects/365235532452/locations/us/instances/df6f1958-0381-41f9-8794-08a3229744a5/entities/ChFtYXJrb3Nzb2xvbW9uLmNvbRDIAQ",
         "metadata": { "entityType": "DOMAIN_NAME" },
         "entity": {
           "name": "projects/365235532452/locations/us/instances/df6f1958-0381-41f9-8794-08a3229744a5/entities/ChFtYXJrb3Nzb2xvbW9uLmNvbRDIAQ",
           "metadata": { "entityType": "DOMAIN_NAME" },
           "entity": {
             "domain": {
               "name": "markossolomon.com",
               "firstSeenTime": "1970-01-01T00:00:00Z",
               "lastSeenTime": "1970-01-01T00:00:00Z",
               "registrar": "NameCheap, Inc.",
               "creationTime": "2013-12-06T02:41:09Z",
               "updateTime": "2019-11-06T11:48:33Z",
               "expirationTime": "2020-12-06T02:41:09Z",
               "registrant": {
                 "userDisplayName": "WhoisGuard Protected",
                 "emailAddresses": [
                   "58d09cb5035042e9920408f8bafd0869.protect@whoisguard.com"
                 ],
                 "personalAddress": { "countryOrRegion": "PANAMA" },
                 "companyName": "WhoisGuard, Inc."
               }
             }
           }
         },
         "timeline": {
           "buckets": [
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             {}
           ],
           "bucketSize": "172800s"
         }
       }
     },
     {
       "Entity": "npatni-sysops",
       "EntityResult": {
         "name": "projects/365235532452/locations/us/instances/df6f1958-0381-41f9-8794-08a3229744a5/entities/Cg1ucGF0bmktc3lzb3BzEGYaBVl1cml5IhsKCwiC-OzCBhCAvYMUEgwIqvnnwwYQgMyI4QE",
         "metadata": {
           "entityType": "ASSET",
           "interval": {
             "startTime": "2025-06-25T00:00:02.042Z",
             "endTime": "2025-07-18T07:50:02.472Z"
           }
         },
         "entity": {
           "name": "projects/365235532452/locations/us/instances/df6f1958-0381-41f9-8794-08a3229744a5/entities/Cg1ucGF0bmktc3lzb3BzEGYaBVl1cml5IhsKCwiC-OzCBhCAvYMUEgwIqvnnwwYQgMyI4QE",
           "metadata": {
             "entityType": "ASSET",
             "interval": {
               "startTime": "2025-06-25T00:00:02.042Z",
               "endTime": "2025-07-18T07:50:02.472Z"
             }
           },
           "entity": {
             "namespace": "Yuriy",
             "asset": { "hostname": "npatni-sysops" }
           },
           "metric": {
             "firstSeen": "2025-06-25T00:00:02.042Z",
             "lastSeen": "2025-07-18T07:50:02.472Z"
           }
         },
         "metric": {
           "firstSeen": "2025-06-25T00:00:02.042Z",
           "lastSeen": "2025-07-18T07:50:02.472Z"
         },
         "alertCounts": [
           { "rule": "rule_Pavel_test_Risk_score", "count": "329" },
           { "rule": "rule_testbucket", "count": "339" },
           { "rule": "pavel_test2_rule_1749239699456", "count": "332" }
         ],
         "timeline": {
           "buckets": [
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             { "alertCount": 1000 }
           ],
           "bucketSize": "172800s"
         }
       }
     },
     {
       "Entity": "exlab2019-ad",
       "EntityResult": {
         "name": "projects/365235532452/locations/us/instances/df6f1958-0381-41f9-8794-08a3229744a5/entities/CgxleGxhYjIwMTktYWQQZhoFWXVyaXkiGwoMCLv57MIGEMCp7qgDEgsI8PTnwwYQwLD6SA",
         "metadata": {
           "entityType": "ASSET",
           "interval": {
             "startTime": "2025-06-25T00:03:07.891Z",
             "endTime": "2025-07-18T07:40:32.153Z"
           }
         },
         "entity": {
           "name": "projects/365235532452/locations/us/instances/df6f1958-0381-41f9-8794-08a3229744a5/entities/CgxleGxhYjIwMTktYWQQZhoFWXVyaXkiGwoMCLv57MIGEMCp7qgDEgsI8PTnwwYQwLD6SA",
           "metadata": {
             "entityType": "ASSET",
             "interval": {
               "startTime": "2025-06-25T00:03:07.891Z",
               "endTime": "2025-07-18T07:40:32.153Z"
             }
           },
           "entity": {
             "namespace": "Yuriy",
             "asset": { "hostname": "exlab2019-ad" }
           },
           "metric": {
             "firstSeen": "2025-06-25T00:03:07.891Z",
             "lastSeen": "2025-07-18T07:40:32.153Z"
           }
         },
         "metric": {
           "firstSeen": "2025-06-25T00:03:07.891Z",
           "lastSeen": "2025-07-18T07:40:32.153Z"
         },
         "alertCounts": [
           { "rule": "pavel_test2_rule_1749239699456", "count": "319" },
           { "rule": "rule_testbucket", "count": "360" },
           { "rule": "rule_Pavel_test_Risk_score", "count": "321" }
         ],
         "timeline": {
           "buckets": [
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             { "alertCount": 26 },
             { "alertCount": 175 },
             { "alertCount": 185 },
             { "alertCount": 195 },
             { "alertCount": 182 },
             { "alertCount": 168 },
             { "alertCount": 69 }
           ],
           "bucketSize": "172800s"
         }
       }
     },
     {
       "Entity": "172.30.202.229",
       "EntityResult": {
         "name": "projects/365235532452/locations/us/instances/df6f1958-0381-41f9-8794-08a3229744a5/entities/Cg4xNzIuMzAuMjAyLjIyORBkGgVZdXJpeSIbCgwIu_nswgYQwKnuqAMSCwjw9OfDBhDAsPpI",
         "metadata": {
           "entityType": "ASSET",
           "interval": {
             "startTime": "2025-06-25T00:03:07.891Z",
             "endTime": "2025-07-18T07:40:32.153Z"
           }
         },
         "entity": {
           "name": "projects/365235532452/locations/us/instances/df6f1958-0381-41f9-8794-08a3229744a5/entities/Cg4xNzIuMzAuMjAyLjIyORBkGgVZdXJpeSIbCgwIu_nswgYQwKnuqAMSCwjw9OfDBhDAsPpI",
           "metadata": {
             "entityType": "ASSET",
             "interval": {
               "startTime": "2025-06-25T00:03:07.891Z",
               "endTime": "2025-07-18T07:40:32.153Z"
             }
           },
           "entity": {
             "namespace": "Yuriy",
             "asset": { "ip": ["172.30.202.229"] }
           },
           "metric": {
             "firstSeen": "2025-06-25T00:03:07.891Z",
             "lastSeen": "2025-07-18T07:40:32.153Z"
           }
         },
         "metric": {
           "firstSeen": "2025-06-25T00:03:07.891Z",
           "lastSeen": "2025-07-18T07:40:32.153Z"
         },
         "alertCounts": [
           { "rule": "rule_Pavel_test_Risk_score", "count": "321" },
           { "rule": "rule_testbucket", "count": "360" },
           { "rule": "pavel_test2_rule_1749239699456", "count": "319" }
         ],
         "timeline": {
           "buckets": [
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             { "alertCount": 26 },
             { "alertCount": 175 },
             { "alertCount": 185 },
             { "alertCount": 195 },
             { "alertCount": 182 },
             { "alertCount": 168 },
             { "alertCount": 69 }
           ],
           "bucketSize": "172800s"
         }
       }
     },
     {
       "Entity": "172.17.0.1",
       "EntityResult": {
         "name": "projects/365235532452/locations/us/instances/df6f1958-0381-41f9-8794-08a3229744a5/entities/CgoxNzIuMTcuMC4xEGQaBVl1cml5IhsKCwjOzre-BhDA1rU_EgwI9ZOMwAYQgPn82QM",
         "metadata": {
           "entityType": "ASSET",
           "interval": {
             "startTime": "2025-03-09T19:09:02.133Z",
             "endTime": "2025-04-19T02:27:01.994Z"
           }
         },
         "entity": {
           "name": "projects/365235532452/locations/us/instances/df6f1958-0381-41f9-8794-08a3229744a5/entities/CgoxNzIuMTcuMC4xEGQaBVl1cml5IhsKCwjOzre-BhDA1rU_EgwI9ZOMwAYQgPn82QM",
           "metadata": {
             "entityType": "ASSET",
             "interval": {
               "startTime": "2025-03-09T19:09:02.133Z",
               "endTime": "2025-04-19T02:27:01.994Z"
             }
           },
           "entity": { "namespace": "Yuriy", "asset": { "ip": ["172.17.0.1"] } },
           "metric": {
             "firstSeen": "2025-03-09T19:09:02.133Z",
             "lastSeen": "2025-04-19T02:27:01.994Z"
           }
         },
         "metric": {
           "firstSeen": "2025-03-09T19:09:02.133Z",
           "lastSeen": "2025-04-19T02:27:01.994Z"
         },
         "timeline": {
           "buckets": [
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             {}
           ],
           "bucketSize": "172800s"
         }
       }
     },
     {
       "Entity": "911d039e71583a07320b32bde22f8e22",
       "EntityResult": {
         "name": "projects/365235532452/locations/us/instances/df6f1958-0381-41f9-8794-08a3229744a5/entities/CiA5MTFkMDM5ZTcxNTgzYTA3MzIwYjMyYmRlMjJmOGUyMhCwAiIVCgYItrj6ugYSCwi_9ufDBhDAyroV",
         "metadata": {
           "entityType": "FILE",
           "interval": {
             "startTime": "2024-12-15T09:07:02Z",
             "endTime": "2025-07-18T07:43:59.045Z"
           }
         },
         "entity": {
           "name": "projects/365235532452/locations/us/instances/df6f1958-0381-41f9-8794-08a3229744a5/entities/CiA5MTFkMDM5ZTcxNTgzYTA3MzIwYjMyYmRlMjJmOGUyMhCwAiIVCgYItrj6ugYSCwi_9ufDBhDAyroV",
           "metadata": {
             "entityType": "FILE",
             "interval": {
               "startTime": "2024-12-15T09:07:02Z",
               "endTime": "2025-07-18T07:43:59.045Z"
             }
           },
           "entity": {
             "file": {
               "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527",
               "md5": "911d039e71583a07320b32bde22f8e22",
               "sha1": "ded8fd7f36417f66eb6ada10e0c0d7c0022986e9",
               "size": "278528",
               "fileType": "FILE_TYPE_PE_EXE",
               "names": [
                 "C:\\Windows\\System32\\cmd.exe",
                 "cmd",
                 "Cmd.Exe",
                 "C:\\Windows\\system32\\cmd.exe",
                 "C:\\Windows\\SYSTEM32\\cmd.exe",
                 "cmd.exe",
                 "C:\\\\Windows\\\\System32\\\\cmd.exe",
                 "C:\\windows\\SYSTEM32\\cmd.exe",
                 "C:\\Users\\user\\AppData\\Local\\Temp\\wjxpour4.d0f\\cmd.exe",
                 "c:\\Windows\\System32\\cmd.exe",
                 "Utilman.exe",
                 "c:\\windows\\system32\\cmd.exe",
                 "System32/cmd.exe",
                 "UtilityVM/Files/Windows/System32/cmd.exe",
                 "KerishDoctor/Data/KerishDoctor/Restore/cmd.rst",
                 "cmd.exe_",
                 "C:\\WINDOWS\\SYSTEM32\\cmd.exe",
                 "Cmd.exe",
                 "Windows/System32/cmd.exe",
                 "sethc.exe",
                 "C:\\WINDOWS\\System32\\cmd.exe",
                 "esRzqurX.exe",
                 "rofl.png",
                 "F:\\Windows\\SYSTEM32\\cmd.exe",
                 "utilman.exe",
                 "C:\\Windows\\system32\\CMD.exe",
                 "sys32exe/cmd.exe",
                 "cmd.txt",
                 "C:\\WINDOWS\\system32\\cmd.exe",
                 "cmd2.exe",
                 "Utilman.exe.sc",
                 "uhrHRIv8.exe",
                 "C:\\windows\\system32\\cmd.exe",
                 "submitted_file",
                 "C:\\Users\\user\\AppData\\Local\\Temp\\n1qo0bq3.2tn\\KerishDoctor\\Data\\KerishDoctor\\Restore\\cmd.rst",
                 "J6ff7z0hLYo.exe",
                 "N:\\Windows\\System32\\cmd.exe",
                 "Q:\\Windows\\System32\\cmd.exe",
                 "C:\\Users\\user\\AppData\\Local\\Temp\\cmd.exe",
                 "C:\\Users\\<USER>\\AppData\\Local\\Temp\\cmd.exe",
                 "test.exe",
                 "68E2F01F8DE9EFCAE9C0DD893DF0E8C34E2B5C98A6C4073C9C9E8093743D318600.blob",
                 "8FCVE0Kq.exe",
                 "cmd (7).exe",
                 "cmd (8).exe",
                 "21455_16499564_bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527_cmd.exe",
                 "LinX v0.9.11 (Intel)/cmd.exe",
                 "C:\\Users\\user\\AppData\\Local\\Temp\\inbvmkaa.1xd\\LinX v0.9.11 (Intel)\\cmd.exe",
                 "cmd_b.exe",
                 "C:\\Users\\user\\AppData\\Local\\Temp\\sfd5bhoe.nqi\\cmd.exe",
                 "cMd.exe",
                 "Repl_Check.bat__",
                 "cmd.pdf",
                 "cmd.EXE",
                 "C:\\Users\\user\\AppData\\Local\\Temp\\uszjr42t.kda\\cmd.exe",
                 "LFepc1St.exe",
                 "firefox.exe",
                 "3BcnNlWV.exe",
                 "Utilman.exebak",
                 "utilman1.exe",
                 "1.exe",
                 "C:\\Users\\user\\AppData\\Local\\Temp\\ispvscgp.ep2\\sys32exe\\cmd.exe",
                 "cmd_1771019736291028992.exe",
                 "C:\\Users\\user\\AppData\\Local\\Temp\\xijgwqvd.54g\\cmd.exe",
                 "Sethc.exe",
                 "\\Device\\CdRom1\\DANFE352023067616112\\DANFE352023067616112.EXE",
                 "DANFE352023067616112.exe",
                 "file.exe",
                 "DANFE352023067616112/DANFE352023067616112.exe",
                 "C:\\Windows\\SYSTEM32\\Cmd.exe",
                 "pippo.exe",
                 "C:\\Windows\\System32\\sethc.exe",
                 "cmd.exe-bws024-windowsfolder",
                 "whatever.exe",
                 "sethc.exe.bak",
                 "S71dbOR1.exe",
                 "F:\\windows\\SYSTEM32\\cmd.exe",
                 "L6puhWL7.exe",
                 "DANFE357986551413927.exe",
                 "DANFE357666506667634.exe",
                 "\\Device\\CdRom1\\DANFE357666506667634\\DANFE357666506667634.EXE",
                 "\\Device\\CdRom1\\DANFE357986551413927\\DANFE357986551413927.EXE",
                 "\\Device\\CdRom1\\DANFE358567378531506\\DANFE358567378531506.EXE",
                 "\\Device\\CdRom1\\HtmlFactura3f48daa069f0e42253194ca7b51e7481DPCYKJ4Ojk\\HTMLFACTURA3F48DAA069F0E42253194CA7B51E7481DPCYKJ4OJK.EXE",
                 "\\Device\\CdRom1\\DANFE357410790837014\\DANFE357410790837014.EXE",
                 "\\Device\\CdRom1\\DANFE357702036539112\\DANFE357702036539112.EXE",
                 "winlogon.exe",
                 "AccessibilityEscalation.A' in file 'utilman.exe'",
                 "qpl9AqT0.exe",
                 "C:\\windows\\system32\\CMD.exe",
                 "C:\\po8az\\2po9hmc\\4v1b5.exe",
                 "batya.exe",
                 "nqAwJaba.exe",
                 "\\Device\\CdRom1\\DANFE356907191810758\\DANFE356907191810758.EXE",
                 "/Volumes/10_11_2023/DANFE356907191810758/DANFE356907191810758.exe",
                 "/Volumes/09_21_2023/DANFE357986551413927/DANFE357986551413927.exe",
                 "\\Device\\CdRom1\\DANFE355460800350113\\DANFE355460800350113.EXE",
                 "/Volumes/09_19_2023/DANFE355460800350113/DANFE355460800350113.exe",
                 "DANFE352429512050669.exe",
                 "/Volumes/04_15_2023/HtmlFacturaeb58f4396e2028a70905705291031e7b3dlvDNyGp3/HtmlFacturaeb58f4396e2028a70905705291031e7b3dlvDNyGp3.exe"
               ],
               "firstSeenTime": "2024-12-15T09:07:02Z",
               "lastSeenTime": "2025-07-18T07:43:59.045Z",
               "lastAnalysisTime": "2025-07-16T10:06:40Z",
               "signatureInfo": {
                 "sigcheck": {
                   "verificationMessage": "Signed",
                   "verified": true,
                   "signers": [{ "name": "Microsoft Windows" }]
                 }
               },
               "firstSubmissionTime": "2025-07-15T16:30:27Z"
             }
           },
           "metric": {
             "firstSeen": "2024-12-15T09:07:02Z",
             "lastSeen": "2025-07-18T07:43:59.045Z"
           }
         },
         "metric": {
           "firstSeen": "2024-12-15T09:07:02Z",
           "lastSeen": "2025-07-18T07:43:59.045Z"
         },
         "alertCounts": [
           { "rule": "pavel_test2_rule_1749239699456", "count": "329" },
           { "rule": "rule_testbucket", "count": "345" },
           { "rule": "rule_Pavel_test_Risk_score", "count": "326" }
         ],
         "timeline": {
           "buckets": [
             {},
             {},
             {},
             {},
             { "alertCount": 31 },
             { "alertCount": 111 },
             { "alertCount": 109 },
             { "alertCount": 82 },
             { "alertCount": 86 },
             { "alertCount": 98 },
             { "alertCount": 86 },
             { "alertCount": 85 },
             { "alertCount": 92 },
             { "alertCount": 89 },
             { "alertCount": 90 },
             { "alertCount": 41 }
           ],
           "bucketSize": "172800s"
         },
         "prevalenceResult": [
           { "prevalenceTime": "2025-01-16T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-01-17T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-01-18T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-01-19T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-01-20T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-01-21T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-01-22T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-01-23T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-01-24T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-01-25T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-01-26T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-01-27T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-01-28T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-01-29T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-01-30T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-01-31T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-02-01T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-02-02T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-02-03T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-02-04T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-02-05T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-02-06T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-02-07T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-02-08T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-02-09T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-02-10T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-02-11T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-02-12T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-02-13T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-02-14T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-02-15T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-02-16T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-02-17T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-02-18T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-02-19T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-02-20T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-02-21T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-02-22T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-02-23T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-02-24T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-02-25T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-02-26T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-02-27T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-02-28T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-03-01T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-03-02T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-03-03T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-03-04T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-03-05T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-03-06T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-03-07T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-03-08T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-03-09T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-03-10T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-03-11T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-03-12T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-03-13T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-03-14T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-03-15T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-03-16T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-03-17T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-03-18T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-03-19T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-03-20T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-03-21T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-03-22T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-03-23T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-03-24T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-03-25T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-03-26T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-03-27T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-03-28T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-03-29T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-03-30T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-03-31T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-04-01T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-04-02T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-04-03T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-04-04T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-04-05T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-04-06T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-04-07T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-04-08T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-04-09T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-04-10T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-04-11T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-04-12T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-04-13T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-04-14T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-04-15T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-04-16T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-04-17T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-04-18T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-04-19T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-04-20T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-04-21T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-04-22T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-04-23T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-04-24T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-04-25T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-04-26T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-04-27T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-04-28T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-04-29T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-04-30T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-05-01T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-05-02T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-05-03T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-05-04T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-05-05T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-05-06T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-05-07T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-05-08T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-05-09T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-05-10T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-05-11T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-05-12T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-05-13T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-05-14T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-05-15T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-05-16T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-05-17T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-05-18T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-05-19T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-05-20T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-05-21T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-05-22T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-05-23T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-05-24T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-05-25T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-05-26T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-05-27T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-05-28T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-05-29T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-05-30T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-05-31T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-06-01T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-06-02T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-06-03T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-06-04T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-06-05T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-06-06T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-06-07T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-06-08T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-06-09T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-06-10T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-06-11T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-06-12T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-06-13T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-06-14T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-06-15T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-06-16T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-06-17T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-06-18T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-06-19T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-06-20T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-06-21T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-06-22T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-06-23T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-06-24T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-06-25T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-06-26T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-06-27T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-06-28T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-06-29T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-06-30T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-07-01T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-07-02T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-07-03T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-07-04T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-07-05T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-07-06T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-07-07T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-07-08T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-07-09T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-07-10T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-07-11T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-07-12T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-07-13T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-07-14T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-07-15T00:00:00Z", "count": 1 },
           { "prevalenceTime": "2025-07-16T00:00:00Z", "count": 2 },
           { "prevalenceTime": "2025-07-17T00:00:00Z", "count": 2 },
           { "prevalenceTime": "2025-07-18T00:00:00Z", "count": 2 }
         ],
         "relatedEntities": [
           {
             "name": "projects/365235532452/locations/us/instances/df6f1958-0381-41f9-8794-08a3229744a5/entities/CgxleGxhYjIwMTktYWQQZhoFWXVyaXkiFQoGCPbso7wGEgsIv_bnwwYQwMq6FQ",
             "metadata": {
               "entityType": "ASSET",
               "interval": {
                 "startTime": "2025-01-16T12:07:18Z",
                 "endTime": "2025-07-18T07:43:59.045Z"
               }
             },
             "entity": {
               "namespace": "Yuriy",
               "asset": {
                 "hostname": "exlab2019-ad",
                 "firstSeenTime": "2025-01-16T12:07:18Z"
               }
             },
             "metric": {
               "firstSeen": "2025-01-16T12:07:18Z",
               "lastSeen": "2025-07-18T07:43:59.045Z"
             }
           },
           {
             "name": "projects/365235532452/locations/us/instances/df6f1958-0381-41f9-8794-08a3229744a5/entities/Cg4xNzIuMzAuMjAyLjIyORBkGgVZdXJpeSIVCgYI9uyjvAYSCwi_9ufDBhDAyroV",
             "metadata": {
               "entityType": "ASSET",
               "interval": {
                 "startTime": "2025-01-16T12:07:18Z",
                 "endTime": "2025-07-18T07:43:59.045Z"
               }
             },
             "entity": {
               "namespace": "Yuriy",
               "asset": {
                 "ip": ["172.30.202.229"],
                 "firstSeenTime": "2025-01-16T12:07:18Z"
               }
             },
             "metric": {
               "firstSeen": "2025-01-16T12:07:18Z",
               "lastSeen": "2025-07-18T07:43:59.045Z"
             }
           }
         ]
       }
     },
     {
       "Entity": "tencent.com",
       "EntityResult": {
         "name": "projects/365235532452/locations/us/instances/df6f1958-0381-41f9-8794-08a3229744a5/entities/Cgt0ZW5jZW50LmNvbRDIASIQCgYInNyZvAYSBgjo-Jm8Bg",
         "metadata": {
           "entityType": "DOMAIN_NAME",
           "interval": {
             "startTime": "2025-01-14T14:01:00Z",
             "endTime": "2025-01-14T15:02:00Z"
           }
         },
         "entity": {
           "name": "projects/365235532452/locations/us/instances/df6f1958-0381-41f9-8794-08a3229744a5/entities/Cgt0ZW5jZW50LmNvbRDIASIQCgYInNyZvAYSBgjo-Jm8Bg",
           "metadata": {
             "entityType": "DOMAIN_NAME",
             "interval": {
               "startTime": "2025-01-14T14:01:00Z",
               "endTime": "2025-01-14T15:02:00Z"
             }
           },
           "entity": {
             "domain": {
               "name": "tencent.com",
               "firstSeenTime": "2025-01-14T14:01:00Z",
               "lastSeenTime": "2025-01-14T15:02:00Z",
               "registrar": "MarkMonitor Information Technology (Shanghai) Co., Ltd.",
               "creationTime": "1998-09-14T04:00:00Z",
               "updateTime": "2024-08-20T08:04:01Z",
               "expirationTime": "2032-09-13T04:00:00Z",
               "registrant": {
                 "emailAddresses": [""],
                 "personalAddress": { "countryOrRegion": "CHINA" },
                 "companyName": "\u6df1\u5733\u5e02\u817e\u8baf\u8ba1\u7b97\u673a\u7cfb\u7edf\u6709\u9650\u516c\u53f8"
               }
             }
           },
           "metric": {
             "firstSeen": "2025-01-14T14:01:00Z",
             "lastSeen": "2025-01-14T15:02:00Z"
           }
         },
         "metric": {
           "firstSeen": "2025-01-14T14:01:00Z",
           "lastSeen": "2025-01-14T15:02:00Z"
         },
         "timeline": {
           "buckets": [
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             {}
           ],
           "bucketSize": "172800s"
         }
       }
     },
     {
       "Entity": "00:50:56:b6:34:86",
       "EntityResult": {
         "name": "projects/365235532452/locations/us/instances/df6f1958-0381-41f9-8794-08a3229744a5/entities/ChEwMDo1MDo1NjpiNjozNDo4NhBlGgVZdXJpeSIKCgASBgjemLzBBg",
         "metadata": {
           "entityType": "ASSET",
           "interval": {
             "startTime": "1970-01-01T00:00:00Z",
             "endTime": "2025-05-22T11:37:02Z"
           }
         },
         "entity": {
           "name": "projects/365235532452/locations/us/instances/df6f1958-0381-41f9-8794-08a3229744a5/entities/ChEwMDo1MDo1NjpiNjozNDo4NhBlGgVZdXJpeSIKCgASBgjemLzBBg",
           "metadata": {
             "entityType": "ASSET",
             "interval": {
               "startTime": "1970-01-01T00:00:00Z",
               "endTime": "2025-05-22T11:37:02Z"
             }
           },
           "entity": {
             "namespace": "Yuriy",
             "asset": { "mac": ["00:50:56:b6:34:86"] }
           },
           "metric": {
             "firstSeen": "1970-01-01T00:00:00Z",
             "lastSeen": "2025-05-22T11:37:02Z"
           }
         },
         "metric": {
           "firstSeen": "1970-01-01T00:00:00Z",
           "lastSeen": "2025-05-22T11:37:02Z"
         },
         "timeline": {
           "buckets": [
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             {},
             {}
           ],
           "bucketSize": "172800s"
         }
       }
     }
    ]
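
The array above is a complete Enrich Entities JSON result. A playbook step that consumes it has a few details to get right: `alertCounts[].count` is serialised as a string, empty `{}` timeline buckets mean zero, and `bucketSize` is a protobuf Duration string (`172800s`, two days). The per-rule totals and the timeline describe the same alerts, so they should agree; the page's FILE entity sums to 1000 on both sides. The `names` list for that entity is also worth a look: a Microsoft-signed `cmd.exe` hash observed as `sethc.exe` and `Utilman.exe` is the accessibility-feature backdoor pattern. The following is an added example, not the integration's own code. `SAMPLE` is a trimmed, constructed copy of the page's FILE entity, and `WATCHED_ALIASES` is a watch-list assumed for this example, not a field of the integration.

```python
"""Summarise an Enrich Entities JSON result from the Google SecOps integration.

Added example, not the integration's code. SAMPLE is a trimmed, constructed
copy of the FILE entity in the page's JSON result.
"""
import json
from datetime import timedelta

SAMPLE = json.loads(r'''
[{"Entity": "911d039e71583a07320b32bde22f8e22",
  "EntityResult": {
    "metadata": {"entityType": "FILE",
                 "interval": {"startTime": "2024-12-15T09:07:02Z",
                              "endTime": "2025-07-18T07:43:59.045Z"}},
    "entity": {"entity": {"file": {
      "md5": "911d039e71583a07320b32bde22f8e22",
      "names": ["C:\\Windows\\System32\\cmd.exe", "cmd.exe", "sethc.exe",
                "Utilman.exe", "winlogon.exe", "C:\\Windows\\System32\\sethc.exe"],
      "signatureInfo": {"sigcheck": {"verified": true,
                                     "signers": [{"name": "Microsoft Windows"}]}}}}},
    "alertCounts": [{"rule": "pavel_test2_rule_1749239699456", "count": "329"},
                    {"rule": "rule_testbucket", "count": "345"},
                    {"rule": "rule_Pavel_test_Risk_score", "count": "326"}],
    "timeline": {"buckets": [{}, {}, {}, {}, {"alertCount": 31}, {"alertCount": 111},
                             {"alertCount": 109}, {"alertCount": 82}, {"alertCount": 86},
                             {"alertCount": 98}, {"alertCount": 86}, {"alertCount": 85},
                             {"alertCount": 92}, {"alertCount": 89}, {"alertCount": 90},
                             {"alertCount": 41}],
                 "bucketSize": "172800s"},
    "prevalenceResult": [{"prevalenceTime": "2025-07-15T00:00:00Z", "count": 1},
                         {"prevalenceTime": "2025-07-16T00:00:00Z", "count": 2},
                         {"prevalenceTime": "2025-07-17T00:00:00Z", "count": 2},
                         {"prevalenceTime": "2025-07-18T00:00:00Z", "count": 2}]}}]
''')

# Accessibility binaries that a renamed cmd.exe is commonly swapped in for.
# Constructed watch-list for this example, not a field of the integration.
WATCHED_ALIASES = {"sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
                   "narrator.exe", "displayswitch.exe", "atbroker.exe"}


def alerts_by_rule(entity_result):
    """alertCounts[].count is a string (int64 in JSON); convert before summing."""
    return {a["rule"]: int(a["count"]) for a in entity_result.get("alertCounts", [])}


def timeline_total(entity_result):
    """Empty {} buckets carry no alertCount and mean zero alerts in that window."""
    buckets = entity_result.get("timeline", {}).get("buckets", [])
    return sum(b.get("alertCount", 0) for b in buckets)


def timeline_span(entity_result):
    """bucketSize is a protobuf Duration string such as '172800s' (two days)."""
    timeline = entity_result.get("timeline", {})
    size = timeline.get("bucketSize", "0s")
    if not size.endswith("s"):
        raise ValueError(f"unexpected bucketSize {size!r}")
    return timedelta(seconds=float(size[:-1]) * len(timeline.get("buckets", [])))


def prevalence_range(entity_result):
    """(min, max) of the daily prevalence count, or None when absent."""
    counts = [p["count"] for p in entity_result.get("prevalenceResult", [])]
    return (min(counts), max(counts)) if counts else None


def alias_names(entity_result):
    """Watch-listed basenames under which this file hash was observed."""
    file_info = entity_result.get("entity", {}).get("entity", {}).get("file", {})
    seen = set()
    for name in file_info.get("names", []):
        base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if base in WATCHED_ALIASES:
            seen.add(base)
    return sorted(seen)


def summarise(results):
    """One summary record per Entity/EntityResult pair."""
    out = []
    for item in results:
        er = item["EntityResult"]
        by_rule = alerts_by_rule(er)
        total = sum(by_rule.values())
        out.append({
            "entity": item["Entity"],
            "type": er["metadata"]["entityType"],
            "alerts_by_rule": by_rule,
            "alerts_total": total,
            # The per-rule counts and the timeline describe the same alerts.
            "timeline_consistent": total == timeline_total(er),
            "timeline_days": timeline_span(er).days,
            "prevalence_range": prevalence_range(er),
            "aliases": alias_names(er),
        })
    return out


if __name__ == "__main__":
    print(json.dumps(summarise(SAMPLE), indent=2))
```

Entities without `alertCounts` or `prevalenceResult` (the `172.17.0.1` asset above, for instance) yield empty or `None` values rather than errors, so the same function can run over the whole array.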
    
    Output messages

    The Enrich Entities action can return the following output messages:

     Output message Message description

     • Successfully enriched the following entities information from Google SecOps: ENTITY_ID
     • Action wasn't able to enrich the following entities using information from Google SecOps: ENTITY_ID
     • None of the provided entities were enriched using information from Google SecOps.

     The action succeeded.

     • Error executing action "Enrich Entities". Reason: ERROR_REASON

     The action failed.

     Check the connection to the server, input parameters, or credentials.

    Script result

    The following table lists the value for the script result output when using the Enrich Entities action:

    Script result name Value
    is_success True or False

    Enrich IP - Deprecated

    Use the Enrich IP action to enrich IP entities using information from IoCs in Google SecOps SIEM.

    This action runs on the `IP Address` entity.

    Action inputs

    The Enrich IP action requires the following parameters:

    Parameter Description
    Create Insight

    Optional.

     If selected, the action creates an insight that contains information about the enriched entities.

    Enabled by default.

    Only Suspicious Insight

    Optional.

    If selected, the action creates insights only for entities that are marked as suspicious.

    Not enabled by default.

    If you select this parameter, Create Insight must also be selected.

    Lowest Suspicious Severity

    Required.

     The lowest severity that an IP address must have for the action to mark it as suspicious.

    The default value is Medium.

    The possible values are as follows:
    • High
    • Medium
    • Low
    • Info
    Mark Suspicious N/A Severity

    Required.

    If selected and the information about severity is unavailable, the action marks the entity as suspicious.

    Action outputs

    The Enrich IP action provides the following outputs:

    Action output type Availability
    Case wall attachment Not available
    Case wall link Not available
    Case wall table Available
    Enrichment table Available
    JSON result Available
    Output messages Available
    Script result Available
    Case wall table

    Name: ENTITY_IDENTIFIER

    Columns:

    • Source
    • Severity
    • Category
    • Confidence
    • Related Domains

    Entity enrichment

    The Enrich IP action supports the following entity enrichment logic:

    Enrichment field Logic (when to apply)
    severity When available in JSON
    average_confidence When available in JSON
    related_domains When available in JSON
    categories When available in JSON
    sources When available in JSON
    first_seen When available in JSON
    last_seen When available in JSON
    report_link When available in JSON

    JSON result

    The following example describes the JSON result output received when using the Enrich IP action with Backstory API:

    {
        "sources": [
            {
                "source": "Example List",
                "confidenceScore": {
                    "normalizedConfidenceScore": "Low",
                    "intRawConfidenceScore": 0
                },
                "rawSeverity": "High",
                "category": "Malware Command and Control Server"
            }
        ],
        "iocIngestTime": "2021-01-26T17:00:00Z",
        "firstSeenTime": "2018-10-03T00:03:53Z",
        "lastSeenTime": "2022-02-09T10:52:21.229Z",
        "uri": [
            "https://INSTANCE/domainResults?domain=example.net&selectedList=DomainViewDistinctAssets&whoIsTimestamp=2022-02-09T11%3A51%3A52.393783515Z"
        ]
    }


    The following example describes the JSON result output received when using the Enrich IP action with Chronicle API:

    
    [
      {
        "Entity": "192.0.2.121",
        "EntityResult": {
          "sources": [
            {
              "category": "Indicator was published in publicly available sources",
              "firstActiveTime": "1970-01-01T00:00:01Z",
              "lastActiveTime": "9999-12-31T23:59:59Z",
              "addresses": [
                {
                  "ipAddress": "IP_ADDRESS"
                }
              ],
              "rawSeverity": "low",
              "confidenceScore": {
                "strRawConfidenceScore": "67"
              }
            }
          ],
          "feeds": [
            {
              "metadata": {
                "title": "Mandiant Open Source Intelligence",
                "description": "Open Source Intel IoC",
                "confidenceScoreBucket": {
                  "rangeEnd": 100
                }
              },
              "iocs": [
                {
                  "categorization": "Indicator was published in publicly available sources",
                  "activeTimerange": {
                    "start": "1970-01-01T00:00:01Z",
                    "end": "9999-12-31T23:59:59Z"
                  },
                  "ipAndPorts": {
                    "ipAddress": "IP_ADDRESS"
                  },
                  "confidenceScore": "67",
                  "rawSeverity": "Low"
                }
              ]
            }
          ]
        }
      }
    ]
    
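The following is an added example, not code from the integration, that shows how the Lowest Suspicious Severity, Mark Suspicious N/A Severity and Only Suspicious Insight parameters combine with the enrichment fields listed above when applied to a result shaped like the Chronicle API JSON result. The severity ranking Info < Low < Medium < High, the choice of the highest source severity as the entity severity, and the averaging of `strRawConfidenceScore` are assumptions made for the example; the sample input is constructed.

```python
"""Added example (not part of the integration): apply the Enrich IP
suspicious-marking rules to a Chronicle API style JSON result."""
import json

# Assumed severity ranking behind the Lowest Suspicious Severity parameter.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}

# Constructed sample, shaped like the Chronicle API JSON result above.
SAMPLE_RESULT = json.loads("""
[
  {"Entity": "192.0.2.121",
   "EntityResult": {"sources": [
     {"category": "Indicator was published in publicly available sources",
      "firstActiveTime": "1970-01-01T00:00:01Z",
      "lastActiveTime": "9999-12-31T23:59:59Z",
      "rawSeverity": "low",
      "confidenceScore": {"strRawConfidenceScore": "67"}}]}},
  {"Entity": "198.51.100.7",
   "EntityResult": {"sources": [
     {"category": "Malware Command and Control Server",
      "rawSeverity": "High",
      "confidenceScore": {"strRawConfidenceScore": "90"}},
     {"category": "Scanner",
      "rawSeverity": "Medium",
      "confidenceScore": {"strRawConfidenceScore": "40"}}]}},
  {"Entity": "203.0.113.9",
   "EntityResult": {"sources": [
     {"category": "Unrated list entry",
      "confidenceScore": {"strRawConfidenceScore": "10"}}]}}
]
""")


def summarize_entity(entity_result):
    """Derive the enrichment fields from the 'sources' list (assumed aggregation)."""
    sources = entity_result.get("sources", [])
    severities = [s["rawSeverity"].lower() for s in sources if "rawSeverity" in s]
    confidences = [float(s["confidenceScore"]["strRawConfidenceScore"])
                   for s in sources
                   if s.get("confidenceScore", {}).get("strRawConfidenceScore") is not None]
    return {
        # Highest severity across sources; None when no source states one (the N/A case).
        "severity": max(severities, key=SEVERITY_RANK.__getitem__) if severities else None,
        "average_confidence": sum(confidences) / len(confidences) if confidences else None,
        "categories": sorted({s["category"] for s in sources if "category" in s}),
        "first_seen": min((s["firstActiveTime"] for s in sources if "firstActiveTime" in s), default=None),
        "last_seen": max((s["lastActiveTime"] for s in sources if "lastActiveTime" in s), default=None),
    }


def is_suspicious(summary, lowest_suspicious_severity="Medium", mark_na=False):
    """Lowest Suspicious Severity sets the threshold; Mark Suspicious N/A Severity
    decides the outcome when no severity is available."""
    if summary["severity"] is None:
        return mark_na
    return SEVERITY_RANK[summary["severity"]] >= SEVERITY_RANK[lowest_suspicious_severity.lower()]


def enrich(result, lowest_suspicious_severity="Medium", mark_na=False, only_suspicious=False):
    """Return {ip: enrichment}; with only_suspicious (Only Suspicious Insight)
    non-suspicious entities are dropped from the returned set."""
    out = {}
    for item in result:
        summary = summarize_entity(item["EntityResult"])
        summary["suspicious"] = is_suspicious(summary, lowest_suspicious_severity, mark_na)
        if only_suspicious and not summary["suspicious"]:
            continue
        out[item["Entity"]] = summary
    return out


if __name__ == "__main__":
    for ip, info in enrich(SAMPLE_RESULT, "Medium", mark_na=True).items():
        print(ip, info["severity"], info["suspicious"], info["average_confidence"])
```

With the defaults (Medium threshold, N/A not marked) only the entity whose strongest source is High is flagged; enabling Mark Suspicious N/A Severity additionally flags the entity that has sources but no severity at all, which is the case a playbook most often forgets to decide.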
    Output messages

    The Enrich IP action provides the following output messages:

    Output message Message description
    Successfully enriched the following IPs from Google Chronicle: LIST_OF_IPS The action succeeded.
    Error executing action "Enrich IP". Reason: ERROR_REASON

    The action failed.

    Check the connection to the server, the input parameters, or the credentials.

    Script result

    The following table describes the values for the script result output when using the Enrich IP action:

    Script result name Value
    is_success True or False

    Execute Retrohunt

    Use the Execute Retrohunt action to execute a rule retrohunt in Google SecOps.

    This action doesn't run on Google SecOps entities.

    Action inputs

    The Execute Retrohunt action requires the following parameters:

    Parameter Description
    Rule ID

    Required.

    The ID of the rule to run a retrohunt for.

    Use the format ru_{UUID} for the latest version of a rule, or ru_{UUID}@v_{int64}_{int64} for a specific version.

    Time Frame

    Optional.

    A period to retrieve the results for.

    The possible values are as follows:

    • Last Hour
    • Last 6 Hours
    • Last 24 Hours
    • Last Week
    • Last Month
    • Alert Time Till Now
    • 5 Minutes Around Alert Time
    • 30 Minutes Around Alert Time
    • 1 Hour Around Alert Time
    • Custom

    If Custom is selected, the Start Time parameter is required.

    The default value is Last Hour.

    Start Time

    The start time for the results in ISO 8601 format.

    This parameter is required if the Time Frame parameter is set to Custom.

    End Time

    The end time for the results in ISO 8601 format.

    If you don't set a value and select the Custom value for the Time Frame parameter, the current time is used.

    Action outputs

    The Execute Retrohunt action provides the following outputs:

    Action output type Availability
    Case wall attachment Not available
    Case wall link Not available
    Case wall table Not available
    Enrichment table Not available
    Entity insight Not available
    JSON result Available
    Output messages Available
    Script result Available

    JSON result

    The following example describes the JSON result output received when using the Execute Retrohunt action with Backstory API:

    {
      "retrohuntId": "oh_d738c8ea-8fd7-4cc1-b43d-25835b8e1785",
      "ruleId": "ru_30979d84-aa89-47d6-bf4d-b4bb0eacb497",
      "versionId": "ru_30979d84-aa89-47d6-bf4d-b4bb0eacb497@v_1612472807_179679000",
      "eventStartTime": "2021-01-14T23:00:00Z",
      "eventEndTime": "2021-01-30T23:00:00Z",
      "retrohuntStartTime": "2021-02-08T02:40:59.192113Z",
      "state": "RUNNING"
    }
    

    The following example describes the JSON result output received when using the Execute Retrohunt action with Chronicle API:

    {
      "name": "projects/PROJECT_ID/locations/us/instances/INSTANCE_ID/operations/OPERATION_ID",
      "metadata": {
        "@type": "type.googleapis.com/RetrohuntMetadata",
        "retrohunt": "projects/PROJECT_ID/locations/us/instances/INSTANCE_ID/rules/RULE_ID/retrohunts/RETROHUNT_ID",
        "executionInterval": {
          "startTime": "2025-01-22T12:16:20.963182Z",
          "endTime": "2025-01-23T12:16:20.963182Z"
        }
      },
      "retrohuntId": "RETROHUNT_ID",
      "ruleId": "RULE_ID",
      "versionId": "VERSION_ID",
      "eventStartTime": "2025-01-22T12:16:20.963182Z",
      "eventEndTime": "2025-01-23T12:16:20.963182Z"
    }
    
    Output messages

    The Execute Retrohunt action provides the following output messages:

    Output message Message description
    Successfully executed a retrohunt for the provided rule in Google Chronicle. The action succeeded.
    Error executing action "Execute Retrohunt". Reason: ERROR_REASON The action failed.

    Check the connection to the server, the input parameters, or the credentials.

    Script result

    The following table describes the values for the script result output when using the Execute Retrohunt action:

    Script result name Value
    is_success True or False

    Execute UDM Query

    Use the Execute UDM Query action to execute a custom UDM query in Google SecOps.

    This action doesn't run on Google SecOps entities.

    Action inputs

    The Execute UDM Query action requires the following parameters:

    Parameter Description
    Query String

    Required.

    The query to execute in Google SecOps.

    Time Frame

    Optional.

    A period to retrieve the results for.

    The possible values are as follows:

    • Last Hour
    • Last 6 Hours
    • Last 24 Hours
    • Last Week
    • Last Month
    • Alert Time Till Now
    • 5 Minutes Around Alert Time
    • 30 Minutes Around Alert Time
    • 1 Hour Around Alert Time
    • Custom

    If Custom is selected, the Start Time parameter is required.

    The default value is Last Hour.

    Start Time

    Optional.

    The start time for the results in ISO 8601 format (for example, YYYY-MM-DD HH:mm:ss.SSSZ).

    This parameter is required if the Time Frame parameter is set to Custom.

    The maximum time range is 90 days.

    End Time

    Optional.

    The end time for the results in ISO 8601 format (for example, YYYY-MM-DD HH:mm:ss.SSSZ).

    If you don't set a value and the Time Frame parameter is set to Custom, the current time is used.

    The maximum time range is 90 days.

    Max Results To Return

    Optional.

    The number of results to return for a single query.

    The maximum value is 10,000.

    The default value is 50.
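The Time Frame, Start Time and End Time parameters are shared by Execute Retrohunt and Execute UDM Query, and Execute Retrohunt additionally documents the Rule ID format. The following added example (not the integration's own code) resolves those parameters into a concrete window and checks the Rule ID syntax. Assumptions made for the example: "Last Month" is taken as 30 days, the "Around Alert Time" options are read as a window of that total width centred on the alert time, and the 90-day cap is applied only when the caller asks for it (it is documented for Execute UDM Query).

```python
"""Added example (not the integration's own code): resolve Time Frame /
Start Time / End Time into a [start, end] window and validate a Rule ID."""
import re
from datetime import datetime, timedelta, timezone

# ru_{UUID}, optionally followed by @v_{int64}_{int64}
RULE_ID_RE = re.compile(
    r"^ru_[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
    r"(@v_\d+_\d+)?$", re.IGNORECASE)

# Fixed-width options measured back from "now".
RELATIVE = {
    "Last Hour": timedelta(hours=1),
    "Last 6 Hours": timedelta(hours=6),
    "Last 24 Hours": timedelta(hours=24),
    "Last Week": timedelta(weeks=1),
    "Last Month": timedelta(days=30),  # assumption: one month = 30 days
}
# Assumption: "N Around Alert Time" is a window of total width N centred on the alert.
AROUND_ALERT = {
    "5 Minutes Around Alert Time": timedelta(minutes=5),
    "30 Minutes Around Alert Time": timedelta(minutes=30),
    "1 Hour Around Alert Time": timedelta(hours=1),
}
MAX_RANGE = timedelta(days=90)  # documented maximum for Execute UDM Query


def is_valid_rule_id(rule_id):
    """True for ru_{UUID} or ru_{UUID}@v_{int64}_{int64}."""
    return bool(RULE_ID_RE.match(rule_id))


def parse_time(value):
    """Accept ISO 8601 with 'T' or the documented 'YYYY-MM-DD HH:mm:ss.SSSZ' form."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def resolve_window(time_frame="Last Hour", start_time=None, end_time=None,
                   alert_time=None, now=None, enforce_max_range=False):
    """Apply the documented rules: Custom requires Start Time, a missing End Time
    means now, alert-relative options need the alert time, optional 90-day cap."""
    now = now or datetime.now(timezone.utc)
    if time_frame == "Custom":
        if not start_time:
            raise ValueError("Start Time is required when Time Frame is Custom")
        start = parse_time(start_time)
        end = parse_time(end_time) if end_time else now
    elif time_frame in RELATIVE:
        start, end = now - RELATIVE[time_frame], now
    elif time_frame == "Alert Time Till Now":
        if alert_time is None:
            raise ValueError("alert time is required for 'Alert Time Till Now'")
        start, end = alert_time, now
    elif time_frame in AROUND_ALERT:
        if alert_time is None:
            raise ValueError(f"alert time is required for {time_frame!r}")
        half = AROUND_ALERT[time_frame] / 2
        start, end = alert_time - half, alert_time + half
    else:
        raise ValueError(f"unknown Time Frame: {time_frame!r}")
    if end <= start:
        raise ValueError("End Time must be later than Start Time")
    if enforce_max_range and end - start > MAX_RANGE:
        raise ValueError("time range exceeds the 90-day maximum")
    return start, end


if __name__ == "__main__":
    print(is_valid_rule_id("ru_30979d84-aa89-47d6-bf4d-b4bb0eacb497@v_1612472807_179679000"))
    print(resolve_window("Custom", start_time="2025-01-22 12:16:20.963Z"))
```

Validating the window before calling the action turns the generic "Reason: ERROR_REASON" failure into a specific message at playbook design time, and the injectable `now` makes the resolution testable without depending on the wall clock.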

    Action outputs

    The Execute UDM Query action provides the following outputs:

    Action output type Availability
    Case wall attachment Not available
    Case wall link Not available
    Case wall table Not available
    Enrichment table Not available
    JSON result Available
    Output messages Available
    Script result Available

    JSON result

    The following example describes the JSON result output received when using the Execute UDM Query action:

    {
      "events":[
        {
          "event":{
            "metadata":{
              "eventTimestamp":"2022-01-20T09:15:15.687Z",
              "eventType":"USER_LOGIN",
              "vendorName":"Example Vendor",
              "productName":"Example Product",
              "ingestedTimestamp":"2022-01-20T09:45:07.433587Z"
            },
            "principal":{
              "hostname":"example-user-pc",
              "ip":[
                "203.0.113.0"
              ],
              "mac":[
                "01:23:45:ab:cd:ef",
                "01:23:45:ab:cd:ef",
                "01:23:45:ab:cd:ef"
              ],
              "location":{
                "city":"San Francisco",
                "state":"California",
                "countryOrRegion":"US"
              },
              "asset":{
                "hostname":"example-user-pc",
                "ip":[
                  "203.0.113.1",
                  "203.0.113.1",
                  "203.0.113.1"
                ],
                "mac":[
                  "01:23:45:ab:cd:ef",
                  "01:23:45:ab:cd:ef",
                  "01:23:45:ab:cd:ef"
                ]
              }
            },
            "target":{
              "user":{
                "userid":"Example",
                "userDisplayName":"Example User",
                "windowsSid":"S-1-5-21-4712406912-7108061610-2717800068-993683",
                "emailAddresses":[
                  "example@example.com",
                  "admin.example@example.com"
                ],
                "employeeId":"2406187",
                "productObjectId":"f93f1540-4935-4266-aa8e-a750a319aa1c",
                "firstName":"Example",
                "lastName":"User",
                "phoneNumbers":[
                  "555-01-75"
                ],
                "title":"Executive Assistant",
                "companyName":"Example Corp",
                "department":[
                  "Executive - Admin"
                ],
                "managers":[
                  {
                    "userDisplayName":"Example User",
                    "windowsSid":"S-1-5-21-6051382818-4135626959-8120238335-834071",
                    "emailAddresses":[
                      "user@example.com"
                    ],
                    "employeeId":"5478500",
                    "productObjectId":"8b3924d5-6157-43b3-857b-78aa6bd94705",
                    "firstName":"User",
                    "lastName":"Example",
                    "phoneNumbers":[
                      "555-01-75"
                    ],
                    "title":"Chief Technology Officer",
                    "companyName":"Example Corp",
                    "department":[
                      "Executive - Admin"
                    ]
                  }
                ]
              },
              "ip":[
                "198.51.100.1"
              ],
              "email":"email@example.com",
              "application":"Example Sign In"
            },
            "securityResult":[
              {
                "summary":"Successful Login",
                "action":[
                  "ALLOW"
                ]
              }
            ],
            "extensions":{
              "auth":{
                "type":"SSO"
              }
            }
          },
          "eventLogToken":"96f23eb9ffaa9f7e7b0e2ff5a0d2e34c,1,1642670115687000,USER,|USER_LOGIN"
        }
      ]
    }

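The result above carries a lot of identity and asset detail per event, and some lists (IPs, MACs) repeat values. The following added example, not code from the integration, flattens an Execute UDM Query result into one triage row per event, de-duplicating the list fields and tolerating missing sections. The sample input is constructed with the same shape as the result above (an "events" list of objects carrying "event" and "eventLogToken"); the second event and its "BLOCK"/"FAIL" actions are made up for the example.

```python
"""Added example (not from the integration): flatten an Execute UDM Query
result into triage rows."""
import json

# Constructed sample: two USER_LOGIN events, one allowed and one not.
SAMPLE = json.loads("""{"events": [
  {"event": {"metadata": {"eventTimestamp": "2022-01-20T09:15:15.687Z", "eventType": "USER_LOGIN"},
             "principal": {"hostname": "example-user-pc", "ip": ["203.0.113.0", "203.0.113.0"]},
             "target": {"user": {"userid": "Example", "emailAddresses": ["example@example.com"]},
                        "application": "Example Sign In"},
             "securityResult": [{"summary": "Successful Login", "action": ["ALLOW"]}],
             "extensions": {"auth": {"type": "SSO"}}},
   "eventLogToken": "token-1"},
  {"event": {"metadata": {"eventTimestamp": "2022-01-20T09:16:02.000Z", "eventType": "USER_LOGIN"},
             "principal": {"ip": ["198.51.100.9"]},
             "target": {"user": {"userid": "Example"}},
             "securityResult": [{"summary": "Failed Login", "action": ["BLOCK"]}, {"action": ["FAIL"]}]},
   "eventLogToken": "token-2"}
]}""")


def dedupe(seq):
    """Order-preserving de-duplication for the repeated ip/mac/action lists."""
    seen, out = set(), []
    for item in seq:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def summarize_events(result):
    """One flat dict per event; every section is optional in UDM, so use .get()."""
    rows = []
    for item in result.get("events", []):
        ev = item.get("event", {})
        meta = ev.get("metadata", {})
        principal = ev.get("principal", {})
        target = ev.get("target", {})
        actions = dedupe(a for sr in ev.get("securityResult", []) for a in sr.get("action", []))
        rows.append({
            "time": meta.get("eventTimestamp"),
            "type": meta.get("eventType"),
            "src_host": principal.get("hostname"),
            "src_ips": dedupe(principal.get("ip", [])),
            "user": target.get("user", {}).get("userid"),
            "application": target.get("application"),
            "actions": actions,
            "auth_type": ev.get("extensions", {}).get("auth", {}).get("type"),
            "token": item.get("eventLogToken"),
        })
    return rows


def failed_logins(rows):
    """Logins where no security result allowed the action."""
    return [r for r in rows if r["type"] == "USER_LOGIN" and "ALLOW" not in r["actions"]]


if __name__ == "__main__":
    for row in summarize_events(SAMPLE):
        print(row["time"], row["type"], row["user"], row["src_ips"], row["actions"])
```

The `eventLogToken` is kept on each row so a follow-up action can refer back to the exact event rather than re-running the query.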
    Output messages

    The Execute UDM Query action provides the following output messages:

    Output message Message description

    Successfully returned results for the query QUERY in Google Chronicle.

    No results were found for the query QUERY in Google Chronicle.

    The action succeeded.
    Error executing action "Execute UDM Query". Reason: ERROR_REASON

    The action failed.

    Check the connection to the server, the input parameters, or the credentials.

    Error executing action "Execute UDM Query". Reason: you've reached a rate limit. Please wait for several minutes and try again.

    The action failed.

    Wait for several minutes before running the action again.

    Script result

    The following table describes the values for the script result output when using the Execute UDM Query action:

    Script result name Value
    is_success True or False

    Get Data Tables

    Use the Get Data Tables action to retrieve available data tables in Google SecOps.

    This action doesn't run on Google SecOps entities.

    Action inputs

    The Get Data Tables action requires the following parameters:

    Parameter Description
    Filter Key

    Optional.

    The key to filter by.

    The Name option refers to the display name of the data table.

    The possible values are as follows:

    • Name
    • Description

    Filter Logic

    Optional.

    The filter logic to apply.

    The possible values are as follows:

    • Equal (for exact matches)
    • Contains (for substring matches)

    Filter Value

    Optional.

    The value to use in the filter.

    The possible values are as follows:

    • Equal (for exact matches)
    • Contains (for substring matches)

    Equal works with the Title parameter, while Contains works with all values in the response.

    If nothing is provided, the filter won't be applied.

    Expanded Rows

    Optional.

    If selected, the response includes detailed data table rows.

    Not enabled by default.

    Max Data Tables To Return

    Required.

    The number of data tables to return.

    The maximum value is 1000.

    Max Data Table Rows To Return

    Required.

    The number of data table rows to return.

    Only use this parameter if Expanded Rows is enabled.

    The maximum value is 1000.

    Action outputs

    The Get Data Tables action provides the following outputs:

    Action output type Availability
    Case wall attachment Not available
    Case wall link Not available
    Case wall table Not available
    Enrichment table Not available
    JSON result Available
    Output messages Available
    Script result Available

    JSON result

    The following example describes the JSON result output received when using the Get Data Tables action:

    {
          "name": "projects/365235532452/locations/us/instances/df6f1958-0381-41f9-8794-08a3229744a5/dataTables/data_table",
          "displayName": "data_table",
          "createTime": "2025-05-14T12:52:50.064133Z",
          "updateTime": "2025-05-14T13:13:48.631442Z",
          "columnInfo": [
              {
                  "originalColumn": "columnName1",
                  "columnType": "STRING"
              },
              {
                  "columnIndex": 1,
                  "originalColumn": "columnName2",
                  "columnType": "STRING"
              },
              {
                  "columnIndex": 2,
                  "originalColumn": "columnName3",
                  "columnType": "STRING"
              }
          ],
          "dataTableUuid": "c3cce57bb8d940d5ac4523c37d540436",
          "approximateRowCount": "2",
          "rows": [
              {
                  "name": "projects/365235532452/locations/us/instances/df6f1958-0381-41f9-8794-08a3229744a5/dataTables/data_table/dataTableRows/840d18a85944833e1b97ed6d2fb11377",
                  "values": {
                      "columnName1": "asda",
                      "columnName2": "asdasd",
                      "columnName3": "zxczxc"
                  },
                  "createTime": "2025-05-14T12:52:51.908143Z",
                  "updateTime": "2025-05-14T12:52:51.908143Z"
              }
          ]
    }
    
    Output messages

    The Get Data Tables action provides the following output messages:

    Output message Message description
    Successfully found data tables for the provided criteria in Google SecOps The action succeeded.
    Error executing action "Get Data Tables". Reason: ERROR_REASON The action failed.

    Check the connection to the server, the input parameters, or the credentials.

    Script result

    The following table describes the values for the script result output when using the Get Data Tables action:

    Script result name Value
    is_success true or false

    Get Detection Details

    Use the Get Detection Details action to retrieve information about a detection in Google SecOps.

    This action doesn't run on Google SecOps entities.

    Action inputs

    The Get Detection Details action requires the following parameters:

    Parameter Description
    Rule ID

    Required.

    The ID of the rule related to the detection.

    Use the format ru_{UUID} for the latest version of a rule, or ru_{UUID}@v_{int64}_{int64} for a specific version.

    Detection ID

    Required.

    The ID of the detection to fetch details for.

    If special characters are provided, the action doesn't fail, but returns a list of detections.

    Action outputs

    The Get Detection Details action provides the following outputs:

    Action output type Availability
    Case wall attachment Not available
    Case wall link Not available
    Case wall table Not available
    Enrichment table Not available
    JSON result Available
    Output messages Available
    Script result Available

    JSON result

    The following example describes the JSON result output received when using the Get Detection Details action:

    {
        "type": "RULE_DETECTION",
        "detection": [
            {
                "ruleName": "singleEventRule2",
                "urlBackToProduct": "https://INSTANCE/ruleDetections?ruleId=ru_1f54ab4b-e523-48f7-ae25-271b5ea8337d&selectedList=RuleDetectionsViewTimeline&selectedParentDetectionId=de_ce594791-09ed-9681-27fa-3b7c8fa6054c&selectedTimestamp=2020-12-03T16:50:47.647245Z",
                "ruleId": "ru_1f54ab4b-e523-48f7-ae25-271b5ea8337d",
                "ruleVersion": "ru_1f54ab4b-e523-48f7-ae25-271b5ea8337d@v_1605892822_687503000",
                "alertState": "NOT_ALERTING",
                "ruleType": "SINGLE_EVENT"
            }
        ],
        "createdTime": "2020-12-03T19:19:21.325134Z",
        "id": "de_ce594791-09ed-9681-27fa-3b7c8fa6054c",
        "timeWindow": {
            "startTime": "2020-12-03T16:50:47.647245Z",
            "endTime": "2020-12-03T16:50:47.647245Z"
        },
        "collectionElements": [
            {
                "references": [
                    {
                        "event": {
                            "metadata": {
                                "eventTimestamp": "2020-12-03T16:50:47.647245Z",
                                "collectedTimestamp": "2020-12-03T16:50:47.666064010Z",
                                "eventType": "NETWORK_DNS",
                                "productName": "ProductName",
                                "ingestedTimestamp": "2020-12-03T16:50:49.494542Z"
                            },
                            "principal": {
                                "ip": [
                                    "192.0.2.1"
                                ]
                            },
                            "target": {
                                "ip": [
                                    "203.0.113.1"
                                ]
                            },
                            "securityResult": [
                                {
                                    "action": [
                                        "UNKNOWN_ACTION"
                                    ]
                                }
                            ],
                            "network": {
                                "applicationProtocol": "DNS",
                                "dns": {
                                    "questions": [
                                        {
                                            "name": "example.com",
                                            "type": 1,
                                            "class": 1
                                        }
                                    ],
                                    "id": 12345,
                                    "recursionDesired": true
                                }
                            }
                        }
                    }
                ],
                "label": "e"
            }
        ],
        "detectionTime": "2020-12-03T16:50:47.647245Z"
    }
    
    Output messages

    The Get Detection Details action provides the following output messages:

    Output message Message description
    Successfully fetched information about the detection with ID DETECTION_ID in Google Chronicle. The action succeeded.
    Error executing action "Get Detection Details". Reason: ERROR_REASON The action failed.

    Check the connection to the server, the input parameters, or the credentials.

    Script result

    The following table describes the values for the script result output when using the Get Detection Details action:

    Script result name Value
    is_success True or False

    Get Reference Lists

    Use the Get Reference Lists action to retrieve available reference lists in Google SecOps.

    This action doesn't run on Google SecOps entities.

    Action inputs

    The Get Reference Lists action requires the following parameters:

    Parameter Description
    Filter Key

    The key to filter by.

    The possible values are as follows:

    • Name
    • Content Type
    • Description

    Filter Logic

    The filter logic to apply.

    The possible values are as follows:

    • Equal (for exact matches)
    • Contains (for substring matches)

    The default value is Equal.

    Filter Value

    The value to use in the filter.

    The possible values are as follows:

    • Equal (for exact matches)
    • Contains (for substring matches)

    Equal works with the Title parameter, while Contains works with all values in the response.

    If no value is provided, the filter isn't applied.

    Expanded Details

    If selected, the action returns detailed information about the reference lists.

    Not enabled by default.

    Max Reference Lists To Return

    The number of reference lists to return.

    The default value is 100.

    Action outputs

    The Get Reference Lists action provides the following outputs:

    Action output type Availability
    Case wall attachment Not available
    Case wall link Not available
    Case wall table Available
    Enrichment table Not available
    JSON result Available
    Output messages Available
    Script result Available

    Case wall table

    On a Case Wall, the Get Reference Lists action provides the following table:

    Name: Available Reference Lists

    Columns:

    • Name
    • Description
    • Type

    JSON result

    The following example describes the JSON result output received when using the Get Reference Lists action with Backstory API:

    {
       "name": "list_name",
       "description": "description of the list",
       "lines": [
           "192.0.2.0/24",
           "198.51.100.0/24"
       ],
       "create_time": "2020-11-20T17:18:20.409247Z",
       "content_type": "CIDR"
    }
    

    The following example describes the JSON result output received when using the Get Reference Lists action with Chronicle API:

    [
      {
        "name": "projects/PROJECT_ID/locations/us/instances/INSTANCE_ID/referenceLists/REFERENCE_LIST_ID",
        "displayName": "REFERENCE_LIST_ID",
        "revisionCreateTime": "2025-01-09T15:53:10.851775Z",
        "description": "Test reference list",
        "syntaxType": "REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING",
        "scopeInfo": {
          "referenceListScope": {}
        },
        "createTime": "2025-01-09T15:53:10.851775Z"
      }
    ]
    Output messages

    The Get Reference Lists action provides the following output messages:

    Output message Message description

    Successfully found reference lists for the provided criteria in Google Chronicle.

    The filter was not applied because parameter "Filter Value" has an empty value.

    The action succeeded.
    Error executing action ACTION_NAME. Reason: ERROR_REASON The action failed.

    Check the connection to the server, the input parameters, or the credentials.

    Error executing action ACTION_NAME. Reason: Invalid value was provided for "Max Reference Lists to Return": PROVIDED_VALUE. Positive number should be provided. The action failed.

    Check the value for the Max Reference Lists to Return parameter.

    Script result

    The following table describes the values for the script result output when using the Get Reference Lists action:

    Script result name Value
    is_success True or False

    Get Rule Details

    Use the Get Rule Details action to retrieve information about a rule in Google SecOps.

    This action doesn't run on Google SecOps entities.

    Action inputs

    The Get Rule Details action requires the following parameters:

    Parameter Description
    Rule ID

    Required.

    The rule ID to fetch the details for.

    Action outputs

    The Get Rule Details action provides the following outputs:

    Action output type Availability
    Case wall attachment Not available
    Case wall link Not available
    Case wall table Not available
    Enrichment table Not available
    JSON result Available
    Output messages Available
    Script result Available

    JSON result

    The following example describes the JSON result output received when using the Get Rule Details action with Backstory API:

    {
        "ruleId": "ru_e6abfcb5-1b85-41b0-b64c-695b3250436f",
        "versionId": "ru_e6abfcb5-1b85-41b0-b64c-695b3250436f@v_1602631093_146879000",
        "ruleName": "SampleRule",
        "metadata": {
          "description": "Sample Description of the Rule",
          "author": "author@example.com"
        },
        "ruleText": "rule SampleRule {\n    meta:\n      description = \"Sample Description of the Rule\"\n      author = \"author@example.com\"\n    events:\n      // This will just generate lots of detections\n      $event.metadata.event_type = \"NETWORK_HTTP\"\n    condition:\n      $event\n    } ",
        "liveRuleEnabled": true,
        "versionCreateTime": "2020-10-13T23:18:13.146879Z",
        "compilationState": "SUCCEEDED"
    }


    The following example describes the JSON result output received when using the Get Rule Details action with Chronicle API:

    {
        "name": "projects/PROJECT_ID/locations/us/instances/INSTANCE_ID/rules/RULE_ID",
        "revisionId": "v_1733917896_973567000",
        "displayName": "Test_rule_SingleEvent",
        "text": "rule Test_rule_SingleEvent {\n  // This rule matches single events. Rules can also match multiple events within\n  // some time window. For details about how to write a multi-event rule, see\n  // URL\n\n  meta:\n    // Allows for storage of arbitrary key-value pairs of rule details - who\n    // wrote it, what it detects on, version control, etc.\n    // The \"author\" and \"severity\" fields are special, as they are used as\n    // columns on the rules dashboard. If you want to sort based on\n    // these fields on the dashboard, make sure to add them here.\n    // Severity value, by convention, should be \"Low\", \"Medium\" or \"High\"\n    author = \"example_user\"\n    description = \"windowed single event example rule\"\n    //severity = \"Medium\"\n\n  events:\n    $e.metadata.event_type = \"USER_LOGIN\"\n    $e.principal.user.userid = $user\n\n  //outcome:\n    // For a multi-event rule an aggregation function is required\n    // e.g., risk_score = max(0)\n    // See URL\n    //$risk_score = 0\n  match:\n    $user over 1m\n\n  condition:\n    #e > 0\n}\n",
        "author": "example_user",
        "metadata": {
            "author": "example_user",
            "description": "windowed single event example rule",
            "severity": null
        },
        "createTime": "2024-12-11T11:36:18.192127Z",
        "revisionCreateTime": "2024-12-11T11:51:36.973567Z",
        "compilationState": "SUCCEEDED",
        "type": "SINGLE_EVENT",
        "allowedRunFrequencies": [
            "LIVE",
            "HOURLY",
            "DAILY"
        ],
        "etag": "CMj55boGEJjondAD",
        "ruleId": "RULE_ID",
        "versionId": "RULE_ID@v_1733917896_973567000",
        "ruleName": "Test_rule_SingleEvent",
        "ruleText": "rule Test_rule_SingleEvent {\n  // This rule matches single events. Rules can also match multiple events within\n  // some time window. For details about how to write a multi-event rule, see\n  // URL\n\n  meta:\n    // Allows for storage of arbitrary key-value pairs of rule details - who\n    // wrote it, what it detects on, version control, etc.\n    // The \"author\" and \"severity\" fields are special, as they are used as\n    // columns on the rules dashboard. If you want to sort based on\n    // these fields on the dashboard, make sure to add them here.\n    // Severity value, by convention, should be \"Low\", \"Medium\" or \"High\"\n    author = \"example_user\"\n    description = \"windowed single event example rule\"\n    //severity = \"Medium\"\n\n  events:\n    $e.metadata.event_type = \"USER_LOGIN\"\n    $e.principal.user.userid = $user\n\n  //outcome:\n    // For a multi-event rule an aggregation function is required\n    // e.g., risk_score = max(0)\n    // See URL\n    //$risk_score = 0\n  match:\n    $user over 1m\n\n  condition:\n    #e > 0\n}\n",
        "ruleType": "SINGLE_EVENT",
        "versionCreateTime": "2024-12-11T11:51:36.973567Z"
    }
    
    Output messages

    The Get Rule Details action provides the following output messages:

    Output message Message description
    Successfully fetched information about the rule with ID RULE_ID in Google Chronicle. The action succeeded.
    Error executing action "Get Rule Details". Reason: ERROR_REASON The action failed.

    Check the connection to the server, the input parameters, or the credentials.

    Script result

    The following table describes the values for the script result output when using the Get Rule Details action:

    Script result name Value
    is_success True or False

    Is Value In Data Table

    Use the Is Value In Data Table action to check if provided values are in a data table in Google SecOps.

    This action doesn't run on Google SecOps entities.

    Action inputs

    The Is Value In Data Table action requires the following parameters:

    Parameter Description
    Data Table Name

    Required.

    The display name of the data table to search.

    Column

    Optional.

    A comma-separated list of columns to search.

    If no value is provided, the action searches all columns.

    Values

    Required.

    A comma-separated list of values to search for.

    Case Insensitive Search

    Optional.

    If selected, the search is case-insensitive.

    Enabled by default.

    Max Data Table Rows To Return

    Required.

    The number of data table rows to return per matched value.

    The maximum value is 1000.

    Action outputs

    The Is Value In Data Table action provides the following outputs:

    Action output type Availability
    Case wall attachment Not available
    Case wall link Not available
    Case wall table Not available
    Enrichment table Not available
    JSON result Available
    Output messages Available
    Script result Available
    JSON result

    The following example describes the JSON result output received when using the Is Value In Data Table action:

    [{
      "Entity": "asda",
      "EntityResult": {
          "is_found": true,
          "matched_rows": [
              {
                  "name": "projects/365235532452/locations/us/instances/df6f1958-0381-41f9-8794-08a3229744a5/dataTables/data_table/dataTableRows/840d18a85944833e1b97ed6d2fb11377",
                  "values": {
                      "columnName1": "asda",
                      "columnName2": "asdasd",
                      "columnName3": "zxczxc"
                  },
                  "createTime": "2025-05-14T12:52:51.908143Z",
                  "updateTime": "2025-05-14T12:52:51.908143Z"
              }
          ]
      }
    }]
    
    Output messages

    The Is Value In Data Table action provides the following output messages:

    Output message Message description
    Successfully searched provided values in the data table DATA_TABLE_NAME in Google SecOps. The action succeeded.
    Error executing action "Is Value In Data Table". Reason: ERROR_REASON The action failed.

    Check the connection to the server, the input parameters, or the credentials.

    Error executing action "Is Value In Data Table". Reason: the following data tables were not found in: DATA_TABLE_NAME: COLUMN_NAMES. Please check the spelling. The action failed.

    The data table or the columns listed in the Column parameter could not be found. Check the spelling of the data table name and the column names.

    Error executing action "Is Value In Data Table". Reason: This action is not supported for Backstory API configuration. Please update the integration configuration. The action failed.

    Data table actions require the Chronicle API. Update the integration configuration to use the Chronicle API instead of the Backstory API.
    Script result

    The following table describes the values for the script result output when using the Is Value In Data Table action:

    Script result name Value
    is_success True or False
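    The following Python example is added here and is not part of the integration's own code. It models the matching semantics the page describes for the Is Value In Data Table action (column restriction, case-insensitive search, the per-value row cap, the error for unknown columns) and, because they share the same value comparison, the found_in / not_found_in result of the Is Value In Reference List action and the row selection of the Remove Rows From Data Table action described later on this page. The data table, reference lists, values and function names are constructed for the example; the real actions query the Chronicle API, which this code does not call.

```python
"""Added example, not the integration's own code: value matching for the
Is Value In Data Table, Is Value In Reference List and Remove Rows From Data
Table actions, over constructed sample data (no Chronicle API calls)."""

# Constructed sample data table: display name plus rows keyed by column name.
SAMPLE_TABLE = {
    "name": "blocked_senders",
    "rows": [
        {"sender": "Alice@example.com", "domain": "example.com", "reason": "phish"},
        {"sender": "bob@example.org", "domain": "example.org", "reason": "spam"},
        {"sender": "mallory@example.net", "domain": "Example.com", "reason": "phish"},
    ],
}

# Constructed sample reference lists: display name -> list items.
SAMPLE_REFERENCE_LISTS = {
    "known_bad_domains": ["example.com", "malicious.example"],
    "partner_domains": ["partner.example"],
}


def split_csv(text):
    """Comma-separated parameter values, trimmed, with empty entries dropped."""
    return [part.strip() for part in text.split(",") if part.strip()]


def same_value(cell, needle, case_insensitive):
    cell = "" if cell is None else str(cell)
    return cell.lower() == needle.lower() if case_insensitive else cell == needle


def is_value_in_data_table(table, values, columns="", case_insensitive=True, max_rows=1000):
    """One Entity/EntityResult object per provided value, shaped like the JSON result."""
    if not 1 <= max_rows <= 1000:
        raise ValueError("Max Data Table Rows To Return must be between 1 and 1000")
    known = {column for row in table["rows"] for column in row}
    wanted = split_csv(columns) or sorted(known)      # empty Column parameter: search all columns
    missing = [column for column in wanted if column not in known]
    if missing:
        raise ValueError(f"columns not found in {table['name']}: {', '.join(missing)}")
    results = []
    for value in split_csv(values):
        matched = [row for row in table["rows"]
                   if any(same_value(row.get(column), value, case_insensitive) for column in wanted)]
        matched = matched[:max_rows]                  # the cap applies per matched value, not overall
        results.append({"Entity": value,
                        "EntityResult": {"is_found": bool(matched),
                                         "matched_rows": [{"values": dict(row)} for row in matched]}})
    return results


def is_value_in_reference_list(reference_lists, list_names, values, case_insensitive=False):
    """found_in / not_found_in / overall_status per value; unknown list names are an error."""
    names = split_csv(list_names)
    missing = [name for name in names if name not in reference_lists]
    if missing:
        raise ValueError(f"reference lists not found: {', '.join(missing)}")
    results = []
    for value in split_csv(values):
        found_in = [name for name in names
                    if any(same_value(item, value, case_insensitive) for item in reference_lists[name])]
        results.append({"Entity": value,
                        "EntityResult": {"found_in": found_in,
                                         "not_found_in": [n for n in names if n not in found_in],
                                         "overall_status": "found" if found_in else "not found"}})
    return results


def remove_rows(table, rows_to_delete):
    """Remove Rows From Data Table semantics: each JSON object selects the rows whose
    listed columns all equal the given values (exact match is an assumption of this
    example); columns that do not exist are rejected. Returns (remaining, removed)."""
    known = {column for row in table["rows"] for column in row}
    for selector in rows_to_delete:
        unknown = [column for column in selector if column not in known]
        if unknown:
            raise ValueError(f"invalid columns for {table['name']}: {', '.join(unknown)}")
    removed = [row for row in table["rows"]
               if any(all(same_value(row.get(c), str(v), False) for c, v in sel.items())
                      for sel in rows_to_delete)]
    remaining = [row for row in table["rows"] if row not in removed]
    return remaining, removed
```

    Note that with the default case-insensitive search a value such as example.com matches both example.com and Example.com in the domain column, while the per-value cap only trims how many of those rows are returned; it never changes is_found.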

    Is Value In Reference List

    Use the Is Value In Reference List action to check whether the provided values are present in one or more reference lists in Google SecOps.

    This action doesn't run on Google SecOps entities.

    Action inputs

    The Is Value In Reference List action requires the following parameters:

    Parameter Description
    Reference List Names

    Required.

    A comma-separated list of reference list names to search.

    Values

    Required.

    A comma-separated list of values to search for.

    Case Insensitive Search

    Optional.

    If selected, the search is case-insensitive.

    Action outputs

    The Is Value In Reference List action provides the following outputs:

    Action output type Availability
    Case wall attachment Not available
    Case wall link Not available
    Case wall table Not available
    Enrichment table Not available
    JSON result Available
    Output messages Available
    Script result Available
    JSON result

    The following example describes the JSON result output received when using the Is Value In Reference List action. The output has the same structure with the Backstory API and with the Chronicle API:

    {
        "Entity": "example.com",
        "EntityResult": {
            "found_in": [
                "Reference list names where the item was found"
            ],
            "not_found_in": [
                "Reference list names where the item wasn't found"
            ],
            "overall_status": "found if at least one reference list contains the value; not found if none of the reference lists contain the value"
        }
    }
    
    Output messages

    The Is Value In Reference List action provides the following output messages:

    Output message Message description
    Successfully searched provided values in the reference lists in Google Chronicle. The action succeeded.
    Error executing action "Is Value In Reference List". Reason: ERROR_REASON The action failed.

    Check the connection to the server, the input parameters, or the credentials.

    Error executing action "Is Value In Reference List". Reason: the following reference lists were not found in Google Chronicle: MISSING_REFERENCE_LIST_NAME(S). Please use the action "Get Reference Lists" to see what reference lists are available. The action failed.

    Run the Get Reference Lists action to check for available lists.

    Script result

    The following table describes the values for the script result output when using the Is Value In Reference List action:

    Script result name Value
    is_success True or False

    List Assets

    Use the List Assets action to list assets in Google SecOps SIEM based on related entities within a specified time period.

    For Hash entities, this action only supports MD5, SHA-1, and SHA-256 hashes.

    This action runs on the following Google SecOps entities:

    • URL
    • IP Address
    • Hash

    Action inputs

    The List Assets action requires the following parameters:

    Parameter Description
    Max Hours Backwards The number of hours prior to now to fetch the assets.

    The default value is 1.

    Create Insight If selected, the action creates an insight with information about the entities.

    Enabled by default.

    Max Assets To Return The number of assets to return.

    The default value is 50.

    Time Frame

    Optional.

    A period to retrieve the results for.

    The possible values are as follows:

    • Last Hour
    • Last 6 Hours
    • Last 24 Hours
    • Last Week
    • Last Month
    • Alert Time Till Now
    • 5 Minutes Around Alert Time
    • 30 Minutes Around Alert Time
    • 1 Hour Around Alert Time
    • Custom

    If Custom is selected, the Start Time parameter is required.

    The default value is Last Hour.

    Start Time

    The start time in ISO 8601 format.

    This parameter is required if the Time Frame parameter is set to Custom.

    End Time The end time in ISO 8601 format.

    If you don't set a value and set the Time Frame parameter to Custom, the current time is used.

    Action outputs

    The List Assets action provides the following outputs:

    Action output type Availability
    Case wall attachment Not available
    Case wall link Not available
    Case wall table Available
    Enrichment table Not available
    JSON result Available
    Output messages Available
    Script result Available
    Case wall table

    Name: ENTITY_IDENTIFIER

    Columns:

    • Hostname
    • IP Address
    • First Seen Artifact
    • Last Seen Artifact
    JSON result

    The following example describes the JSON result output received when using the List Assets action with Backstory API:

    {
        "assets": [
          {
            "asset": {
              "hostname": "example"
            },
            "firstSeenArtifactInfo": {
              "artifactIndicator": {
                "domainName": "www.example.com"
              },
              "seenTime": "2020-02-28T09:18:15.675Z"
            },
            "lastSeenArtifactInfo": {
              "artifactIndicator": {
                "domainName": "www.example.com"
              },
              "seenTime": "2020-09-24T06:43:59Z"
            }
          }
        ],
        "uri": [
          "https://INSTANCE/domainResults?domain=www.example.com&selectedList=DomainViewDistinctAssets&whoIsTimestamp=2020-09-27T12%3A07%3A34.166830443Z"
        ]
      }
    

    The following example describes the JSON result output received when using the List Assets action with Chronicle API:

    [
      {
        "Entity": "192.0.2.229",
        "EntityResult": {
          "assets": [
            {
              "artifactIndicator": {
                "domain": "example.com"
              },
              "sources": [
                "Mandiant Open Source Intelligence"
              ],
              "categories": [
                "Indicator was published in publicly available sources"
              ],
              "assetIndicators": [
                {
                  "assetIpAddress": "192.0.2.229"
                }
              ],
              "iocIngestTimestamp": "2024-09-20T14:14:07.843Z",
              "firstSeenTimestamp": "2025-01-15T11:20:00Z",
              "lastSeenTimestamp": "2025-01-15T11:20:00Z",
              "filterProperties": {
                "stringProperties": {
                  "TLD": {
                    "values": [
                      {
                        "rawValue": ".com"
                      }
                    ]
                  },
                  "IOC FEED": {
                    "values": [
                      {
                        "rawValue": "Mandiant Open Source Intelligence"
                      }
                    ]
                  },
                  "IOC CATEGORIES": {
                    "values": [
                      {
                        "rawValue": "Indicator was published in publicly available sources"
                      }
                    ]
                  },
                  "IOC CONFIDENCE SCORE": {
                    "values": [
                      {
                        "rawValue": "High"
                      }
                    ]
                  },
                  "IOC/ALERT SEVERITY": {
                    "values": [
                      {
                        "rawValue": "Medium"
                      }
                    ]
                  }
                }
              },
              "confidenceBucket": "High",
              "rawSeverity": "Medium",
              "logType": "OPEN_SOURCE_INTEL_IOC",
              "confidenceScore": 100,
              "globalCustomerId": "ID",
              "confidenceScoreBucket": {
                "rangeEnd": 100
              },
              "categorization": "Indicator was published in publicly available sources",
              "domainAndPorts": {
                "domain": "example.com"
              },
              "activeTimerange": {
                "startTime": "1970-01-01T00:00:01Z",
                "endTime": "9999-12-31T23:59:59Z"
              },
              "feedName": "MANDIANT",
              "id": "ID",
              "fieldAndValue": {
                "value": "ex  ",
                "valueType": "DOMAIN_NAME"
              }
            },
            {
              "artifactIndicator": {
                "domain": "example.com"
              },
              "sources": [
                "Mandiant Active Breach Intelligence"
              ],
              "categories": [
                "Indicator was published in publicly available sources"
              ],
              "assetIndicators": [
                {
                  "assetIpAddress": "192.0.2.229"
                }
              ],
              "iocIngestTimestamp": "2023-07-05T02:42:52.935Z",
              "firstSeenTimestamp": "2025-01-15T11:20:00Z",
              "lastSeenTimestamp": "2025-01-15T11:20:00Z",
              "filterProperties": {
                "stringProperties": {
                  "IOC/ALERT SEVERITY": {
                    "values": [
                      {
                        "rawValue": "Medium"
                      }
                    ]
                  },
                  "IOC CONFIDENCE SCORE": {
                    "values": [
                      {
                        "rawValue": "High"
                      }
                    ]
                  },
                  "IOC FEED": {
                    "values": [
                      {
                        "rawValue": "Mandiant Active Breach Intelligence"
                      }
                    ]
                  },
                  "IOC CATEGORIES": {
                    "values": [
                      {
                        "rawValue": "Indicator was published in publicly available sources"
                      }
                    ]
                  },
                  "TLD": {
                    "values": [
                      {
                        "rawValue": ".com"
                      }
                    ]
                  }
                }
              },
              "confidenceBucket": "High",
              "rawSeverity": "Medium",
              "logType": "MANDIANT_ACTIVE_BREACH_IOC",
              "confidenceScore": 100,
              "globalCustomerId": "ID",
              "confidenceScoreBucket": {
                "rangeEnd": 100
              },
              "categorization": "Indicator was published in publicly available sources",
              "domainAndPorts": {
                "domain": "example.com"
              },
              "activeTimerange": {
                "startTime": "1970-01-01T00:00:01Z",
                "endTime": "9999-12-31T23:59:59Z"
              },
              "feedName": "MANDIANT",
              "id": "ID",
              "fieldAndValue": {
                "value": "example.com",
                "valueType": "DOMAIN_NAME"
              }
            }
          ],
          "uri": "https://INSTANCE.backstory.chronicle.security/destinationIpResults?ADDRESS=192.0.2.229&selectedList=IpViewDistinctAssets&referenceTime=2025-01-23T11%3A16%3A24.517449Z"
        }
      }
    ]
    
    Output messages

    The List Assets action provides the following output messages:

    Output message Message description
    Successfully listed related assets for the following entities from Google Chronicle: ENTITY_IDENTIFIER The action succeeded.
    Error executing action "List Assets". Reason: ERROR_REASON

    The action failed.

    Check the connection to the server, the input parameters, or the credentials.

    Script result

    The following table describes the values for the script result output when using the List Assets action:

    Script result name Value
    is_success True or False

    List Events

    Use the List Events action to list events on a particular asset within a specified time period.

    This action retrieves at most 10,000 events.

    This action runs on the following Google SecOps entities:

    • IP address
    • MAC address
    • Hostname

    Action inputs

    The List Events action requires the following parameters:

    Parameter Description
    Event Types A comma-separated list of event types.

    If no value is provided, all event types are fetched.

    For a list of all possible values, see Event type possible values.

    Time Frame The time period to search. Keep it as narrow as possible for better results.

    If Custom is selected, the Start Time parameter is required.

    The Max Hours Backwards value is retained for backwards compatibility with earlier versions of the integration and applies the time filter those versions used.

    The possible values are as follows:

    • Max Hours Backwards
    • Last Hour
    • Last 6 Hours
    • Last 24 Hours
    • Last Week
    • Last Month
    • Custom

    The default value is Custom.

    Start Time

    The start time in ISO 8601 format.

    This parameter is required if the Time Frame parameter is set to Custom.

    End Time

    The end time in ISO 8601 format.

    If no value is provided and the Time Frame parameter is set to Custom, the current time is used.

    This parameter accepts the now value.

    Reference Time The reference time for the event search.

    If no value is provided, the action uses the end time as the reference.

    Output

    Required.

    The output format.

    The possible values are as follows:

    • Events + Statistics
    • Only Events
    • Only Statistics
    Max Events To Return

    The number of events to process for each entity type.

    The default value is 100.

    Event type possible values

    The possible values for the Event Types parameter are as follows:

    • EVENTTYPE_UNSPECIFIED
    • PROCESS_UNCATEGORIZED
    • PROCESS_LAUNCH
    • PROCESS_INJECTION
    • PROCESS_PRIVILEGE_ESCALATION
    • PROCESS_TERMINATION
    • PROCESS_OPEN
    • PROCESS_MODULE_LOAD
    • REGISTRY_UNCATEGORIZED
    • REGISTRY_CREATION
    • REGISTRY_MODIFICATION
    • REGISTRY_DELETION
    • SETTING_UNCATEGORIZED
    • SETTING_CREATION
    • SETTING_MODIFICATION
    • SETTING_DELETION
    • MUTEX_UNCATEGORIZED
    • MUTEX_CREATION
    • FILE_UNCATEGORIZED
    • FILE_CREATION
    • FILE_DELETION
    • FILE_MODIFICATION
    • FILE_READ
    • FILE_COPY
    • FILE_OPEN
    • FILE_MOVE
    • FILE_SYNC
    • USER_UNCATEGORIZED
    • USER_LOGIN
    • USER_LOGOUT
    • USER_CREATION
    • USER_CHANGE_PASSWORD
    • USER_CHANGE_PERMISSIONS
    • USER_STATS
    • USER_BADGE_IN
    • USER_DELETION
    • USER_RESOURCE_CREATION
    • USER_RESOURCE_UPDATE_CONTENT
    • USER_RESOURCE_UPDATE_PERMISSIONS
    • USER_COMMUNICATION
    • USER_RESOURCE_ACCESS
    • USER_RESOURCE_DELETION
    • GROUP_UNCATEGORIZED
    • GROUP_CREATION
    • GROUP_DELETION
    • GROUP_MODIFICATION
    • EMAIL_UNCATEGORIZED
    • EMAIL_TRANSACTION
    • EMAIL_URL_CLICK
    • NETWORK_UNCATEGORIZED
    • NETWORK_FLOW
    • NETWORK_CONNECTION
    • NETWORK_FTP
    • NETWORK_DHCP
    • NETWORK_DNS
    • NETWORK_HTTP
    • NETWORK_SMTP
    • STATUS_UNCATEGORIZED
    • STATUS_HEARTBEAT
    • STATUS_STARTUP
    • STATUS_SHUTDOWN
    • STATUS_UPDATE
    • SCAN_UNCATEGORIZED
    • SCAN_FILE
    • SCAN_PROCESS_BEHAVIORS
    • SCAN_PROCESS
    • SCAN_HOST
    • SCAN_VULN_HOST
    • SCAN_VULN_NETWORK
    • SCAN_NETWORK
    • SCHEDULED_TASK_UNCATEGORIZED
    • SCHEDULED_TASK_CREATION
    • SCHEDULED_TASK_DELETION
    • SCHEDULED_TASK_ENABLE
    • SCHEDULED_TASK_DISABLE
    • SCHEDULED_TASK_MODIFICATION
    • SYSTEM_AUDIT_LOG_UNCATEGORIZED
    • SYSTEM_AUDIT_LOG_WIPE
    • SERVICE_UNSPECIFIED
    • SERVICE_CREATION
    • SERVICE_DELETION
    • SERVICE_START
    • SERVICE_STOP
    • SERVICE_MODIFICATION
    • GENERIC_EVENT
    • RESOURCE_CREATION
    • RESOURCE_DELETION
    • RESOURCE_PERMISSIONS_CHANGE
    • RESOURCE_READ
    • RESOURCE_WRITTEN
    • ANALYST_UPDATE_VERDICT
    • ANALYST_UPDATE_REPUTATION
    • ANALYST_UPDATE_SEVERITY_SCORE
    • ANALYST_UPDATE_STATUS
    • ANALYST_ADD_COMMENT
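    The following Python example is added here and is not part of the integration's own code. It resolves the Time Frame, Start Time, End Time and Reference Time parameters shared by the List Assets and List Events actions above (and the Around Alert Time options that Lookup Similar Alerts also uses) into a concrete UTC window, including the edge cases the parameter descriptions call out: Custom without a Start Time is an error, End Time accepts the literal now and defaults to the current time, and Reference Time defaults to the end time. The parameter names are the page's; the function names, the now and alert_time arguments, and the 30-day reading of Last Month are assumptions of this example.

```python
"""Added example, not the integration's own code: turns the Time Frame family of
parameters into an explicit (start, end, reference) window of aware UTC datetimes."""
from datetime import datetime, timedelta, timezone

RELATIVE_WINDOWS = {            # options measured back from the current time
    "Last Hour": timedelta(hours=1),
    "Last 6 Hours": timedelta(hours=6),
    "Last 24 Hours": timedelta(hours=24),
    "Last Week": timedelta(weeks=1),
    "Last Month": timedelta(days=30),   # assumption: a month is read as 30 days
}
AROUND_ALERT = {                # options centred on the alert's creation time
    "5 Minutes Around Alert Time": timedelta(minutes=5),
    "30 Minutes Around Alert Time": timedelta(minutes=30),
    "1 Hour Around Alert Time": timedelta(hours=1),
}


def _utc(value):
    """Naive timestamps are assumed to be UTC; aware ones are converted to UTC."""
    if value.tzinfo is None:
        value = value.replace(tzinfo=timezone.utc)
    return value.astimezone(timezone.utc)


def parse_iso8601(text, now):
    """Accepts the literal 'now', or ISO 8601 with a trailing Z or an explicit offset."""
    if text.strip().lower() == "now":
        return now
    return _utc(datetime.fromisoformat(text.strip().replace("Z", "+00:00")))


def resolve_time_frame(time_frame, start_time="", end_time="", reference_time="",
                       max_hours_backwards=1, alert_time=None, now=None):
    """Returns (start, end, reference); `now` is injectable so results are reproducible."""
    now = _utc(now or datetime.now(timezone.utc))
    if time_frame in RELATIVE_WINDOWS:
        start, end = now - RELATIVE_WINDOWS[time_frame], now
    elif time_frame == "Max Hours Backwards":
        if max_hours_backwards < 1:
            raise ValueError("Max Hours Backwards must be at least 1")
        start, end = now - timedelta(hours=max_hours_backwards), now
    elif time_frame == "Alert Time Till Now" or time_frame in AROUND_ALERT:
        if alert_time is None:
            raise ValueError(f"{time_frame} needs the alert's creation time")
        alert_time = _utc(alert_time)
        if time_frame == "Alert Time Till Now":
            start, end = alert_time, now
        else:
            start, end = alert_time - AROUND_ALERT[time_frame], alert_time + AROUND_ALERT[time_frame]
    elif time_frame == "Custom":
        if not start_time:
            raise ValueError("Start Time is required when Time Frame is Custom")
        start = parse_iso8601(start_time, now)
        end = parse_iso8601(end_time, now) if end_time else now   # End Time defaults to now
    else:
        raise ValueError(f"unsupported Time Frame: {time_frame!r}")
    if start >= end:
        raise ValueError("the window is empty: start must be before end")
    reference = parse_iso8601(reference_time, now) if reference_time else end
    return start, end, reference
```

    Resolving the window up front, before calling the action, is what lets a playbook reject an empty or reversed Custom range instead of discovering it as a generic ERROR_REASON failure.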

    Action outputs

    The List Events action provides the following outputs:

    Action output type Availability
    Case wall attachment Not available
    Case wall link Not available
    Case wall table Not available
    Enrichment table Not available
    JSON result Available
    Output messages Available
    Script result Available
    JSON result

    The following example describes the JSON result output received when using the List Events action:

    {
        "statistics": {
            "NETWORK_CONNECTION": 10
        },
        "events": [
          {
            "metadata": {
              "eventTimestamp": "2020-09-28T14:20:00Z",
              "eventType": "NETWORK_CONNECTION",
              "productName": "EXAMPLE Name",
              "productEventType": "NETWORK_DNS",
              "ingestedTimestamp": "2020-09-28T16:28:11.615578Z"
            },
            "principal": {
              "hostname": "user-example-pc",
              "assetId": "EXAMPLE:user-example-pc",
              "process": {
                "pid": "1101",
                "productSpecificProcessId": "EXAMPLE:32323"
              }
            },
            "target": {
              "hostname": "example.com",
              "user": {
                "userid": "user"
              },
              "process": {
                "pid": "8172",
                "file": {
                  "md5": "a219fc7fcc93890a842183388f80369e",
                  "fullPath": "C:\\Program Files(x86)\\adobe\\acrobat reader dc\\reader\\acrord32.exe"
                },
                "commandLine": "\"C:\\Program Files(x86)\\adobe\\acrobat reader dc\\reader\\acrord32.exe\" ...",
                "productSpecificProcessId": "EXAMPLE:82315"
              }
            }
          },
          {
            "metadata": {
              "eventTimestamp": "2020-09-28T17:20:00Z",
              "eventType": "NETWORK_CONNECTION",
              "productName": "EXAMPLE Name",
              "productEventType": "NETWORK_DNS",
              "ingestedTimestamp": "2020-09-28T16:28:11.615578Z"
            },
            "principal": {
              "hostname": "user-example-pc",
              "assetId": "EXAMPLE:user-example-pc",
              "process": {
                "pid": "1101",
                "productSpecificProcessId": "EXAMPLE:32323"
              }
            },
            "target": {
              "hostname": "example.com",
              "user": {
                "userid": "user"
              },
              "process": {
                "pid": "8172",
                "file": {
                  "md5": "a219fc7fcc93890a842183388f80369e",
                  "fullPath": "C:\\Program Files(x86)\\adobe\\acrobat reader dc\\reader\\acrord32.exe"
                },
                "commandLine": "\"C:\\Program Files(x86)\\adobe\\acrobat reader dc\\reader\\acrord32.exe\" ...",
                "productSpecificProcessId": "EXAMPLE:82315"
              }
            }
          }
        ],
        "uri": [
          "https://INSTANCE/assetResults?assetIdentifier=user-example-pc&referenceTime=2020-09-28T17%3A00%3A00Z&selectedList=AssetViewTimeline&startTime=2020-09-28T14%3A20%3A00Z&endTime=2020-09-28T20%3A20%3A00Z"
        ]
    }
    
    Output messages

    The List Events action provides the following output messages:

    Output message Message description
    Successfully listed related events for the following entities from Google Chronicle: ENTITY_IDENTIFIER The action succeeded.
    Error executing action "List Events". Reason: ERROR_REASON

    The action failed.

    Check the connection to the server, the input parameters, or the credentials.

    Error executing action "List Events". Reason: invalid event type is provided. Please check the spelling. Supported event types: SUPPORTED_EVENT_TYPES The action failed.

    Check the spelling.

    Script result

    The following table describes the values for the script result output when using the List Events action:

    Script result name Value
    is_success True or False

    List IOCs

    Use the List IOCs action to list all IoCs discovered in your enterprise within a specified time range.

    This action doesn't run on Google SecOps entities.

    Action inputs

    The List IOCs action requires the following parameters:

    Parameter Description
    Start Time The start time for the results in ISO 8601 format.
    Max IoCs to Fetch The maximum number of IoCs to return.

    The range is 1 - 10,000.

    The default value is 50.

    Action outputs

    The List IOCs action provides the following outputs:

    Action output type Availability
    Case wall attachment Not available
    Case wall link Not available
    Case wall table Available
    Enrichment table Not available
    JSON result Available
    Output messages Available
    Script result Available
    Case wall table

    Columns:

    • Domain
    • Category
    • Source
    • Confidence
    • Severity
    • IoC Ingest Time
    • IoC First Seen Time
    • IoC Last Seen Time
    • URI
    JSON result

    The following example describes the JSON result output received when using the List IOCs action:

    {
       "matches":[
          {
             "artifact":{
                "domainName":"www.example.com"
             },
             "firstSeenTime":"2018-05-25T20:47:11.048998Z",
             "iocIngestTime":"2019-08-14T21:00:00Z",
             "lastSeenTime":"2019-10-24T16:19:46.880830Z",
             "sources":[
                {
                   "category":"Spyware Reporting Server",
                   "confidenceScore":{
                      "intRawConfidenceScore":0,
                      "normalizedConfidenceScore":"Low"
                   },
                   "rawSeverity":"Medium",
                   "source":"Example List"
                }
             ],
             "uri":["URI"]
          }
       ],
       "moreDataAvailable":true
    }
    
    Output messages

    The List IOCs action provides the following output messages:

    Output message Message description
    Successfully listed IOCs from the provided timeframe in Google Chronicle. The action succeeded.
    Error executing action "List IOCs". Reason: ERROR_REASON. The action failed.

    Check the connection to the server, the input parameters, or the credentials.

    Script result

    The following table describes the values for the script result output when using the List IOCs action:

    Script result name Value
    is_success True or False

    Lookup Similar Alerts

    Use the Lookup Similar Alerts action to search for similar alerts in Google SecOps.

    This action only works with Google SecOps alerts received from the Chronicle Alerts Connector.

    Action inputs

    The Lookup Similar Alerts action requires the following parameters:

    Parameter Description
    Time Frame The specified time period for the results. To get the best results, keep the timeframe as narrow as possible.

    The possible values are as follows:

    • Last Hour
    • Last 6 Hours
    • Last 24 Hours
    • Last Week
    • Last Month
    • Alert Time Till Now: Searches for events from the alert's creation time until now.
    • 5 Minutes Around Alert Time: Searches for events 5 minutes before and after the alert's creation time.
    • 30 Minutes Around Alert Time: Searches for events 30 minutes before and after the alert's creation time.
    • 1 Hour Around Alert Time: Searches for events 1 hour before and after the alert's creation time.
    IOCs / Assets

    Required.

    A comma-separated list of IoCs or assets to find in the alerts. The action performs a separate search for each provided item.

    Similarity By

    The attributes used to find similar alerts.

    The possible values are as follows:

    • Alert Name, Alert Type and Product
    • Alert Name, Alert Type
    • Product
    • Only IOCs/Assets

    The default value is Alert Name, Alert Type and Product.

    How the Similarity By parameter works

    The Similarity By parameter applies differently to Rule alerts and External alerts.

    • If Alert Name, Alert Type and Product or Alert Name, Alert Type is selected:

      • For External alerts, the action searches for other External alerts that have the same name.

      • For Rule alerts, the action processes alerts that originated from the same rule.

    • If Product is selected:

      • The action processes alerts that originated from the same product, regardless of whether they are Rule alerts or External alerts.

      For example, an alert originating in Crowdstrike will only be matched with other alerts from Crowdstrike.

    • If Only IOCs/Assets is selected:

      • The action matches alerts only on the indicators provided in the IOCs/Assets parameter, searching both Rule alerts and External alerts.

      • For IOC alerts, this is the only option that applies: if any other option is selected, the action falls back to Only IOCs/Assets.

    Use this action to correlate alerts from the same time period and extract their shared IOCs, which helps determine whether an incident is a true positive.
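    The following Python example is added here and is not part of the integration's own code. It models how the Similarity By options described above select candidate alerts (same rule for Rule alerts, same name for External alerts, same product regardless of type, or indicator match only), how each IOCs / Assets item is searched separately, how an IOC alert is forced onto Only IOCs/Assets, and how matches are aggregated into the first_seen / last_seen / count and csv entity fields of the distinct entries in the JSON result. The alerts, the RULE / EXTERNAL / IOC classification, the field names, the extra product check for the "and Product" option and the exclusion of the investigated alert itself are constructed assumptions of this example; the real action reads alerts through the Chronicle API.

```python
"""Added example, not the integration's own code: Lookup Similar Alerts grouping
logic over constructed sample alerts (no Chronicle API calls)."""
from collections import defaultdict
from datetime import datetime, timezone

SIMILARITY_OPTIONS = ("Alert Name, Alert Type and Product", "Alert Name, Alert Type",
                      "Product", "Only IOCs/Assets")
ENTITY_FIELDS = ("hostnames", "urls", "ips", "subjects", "users",
                 "email_addresses", "hashes", "processes")


def parse_time(text):
    """ISO 8601 with a trailing Z, returned as an aware UTC datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00")).astimezone(timezone.utc)


# Constructed sample alerts; RULE alerts carry the rule they originated from.
SAMPLE_ALERTS = [
    {"type": "RULE", "name": "Suspicious Login", "rule_id": "ru_1", "product": "Okta",
     "time": "2025-01-15T10:05:00Z", "hostnames": ["wk-01"], "ips": ["198.51.100.7"], "users": ["alice"]},
    {"type": "RULE", "name": "Suspicious Login", "rule_id": "ru_1", "product": "Okta",
     "time": "2025-01-15T10:40:00Z", "hostnames": ["wk-02"], "ips": ["198.51.100.7"], "users": ["bob"]},
    {"type": "RULE", "name": "Suspicious Login", "rule_id": "ru_2", "product": "Okta",  # same name, other rule
     "time": "2025-01-15T10:50:00Z", "ips": ["198.51.100.7"], "users": ["carol"]},
    {"type": "EXTERNAL", "name": "Malware Detected", "product": "CrowdStrike",
     "time": "2025-01-15T11:00:00Z", "hostnames": ["wk-01"], "hashes": ["d41d8cd98f00b204e9800998ecf8427e"]},
    {"type": "EXTERNAL", "name": "Malware Detected", "product": "CrowdStrike",     # outside the window below
     "time": "2025-01-15T09:00:00Z", "hostnames": ["wk-09"], "ips": ["198.51.100.7"]},
    {"type": "IOC", "name": "IOC match", "product": "Mandiant",
     "time": "2025-01-15T10:20:00Z", "ips": ["198.51.100.7"]},
]


def same_group(source, candidate, similarity_by):
    """Decides whether a candidate counts as similar to the investigated alert."""
    if similarity_by == "Only IOCs/Assets":
        return True                                       # only the indicator match matters
    if similarity_by == "Product":
        return candidate["product"] == source["product"]  # Rule and External alerts alike
    if candidate["type"] != source["type"]:
        return False
    if similarity_by == "Alert Name, Alert Type and Product" and candidate["product"] != source["product"]:
        return False                                      # assumption: Product is an extra filter here
    if source["type"] == "RULE":
        return candidate["rule_id"] == source["rule_id"]  # same rule, not merely the same name
    return candidate["name"] == source["name"]            # External: same alert name


def mentions(alert, item):
    item = item.lower()
    return any(item == str(v).lower() for field in ENTITY_FIELDS for v in alert.get(field, []))


def lookup_similar_alerts(alerts, source, iocs_assets, similarity_by, start, end):
    if similarity_by not in SIMILARITY_OPTIONS:
        raise ValueError(f"unsupported Similarity By value: {similarity_by!r}")
    if source["type"] == "IOC":
        similarity_by = "Only IOCs/Assets"                # IOC alerts fall back to this option
    processed = [a for a in alerts if a is not source and start <= parse_time(a["time"]) <= end]
    distinct = []
    for item in (i.strip() for i in iocs_assets.split(",") if i.strip()):  # separate search per item
        groups = defaultdict(list)
        for alert in processed:
            if same_group(source, alert, similarity_by) and mentions(alert, item):
                groups[(alert["name"], alert["product"])].append(alert)
        for (name, product), matched in groups.items():
            times = sorted(parse_time(a["time"]) for a in matched)
            entry = {"first_seen": times[0].isoformat(), "last_seen": times[-1].isoformat(),
                     "product_name": product, "used_ioc_asset": item, "name": name, "count": len(matched)}
            for field in ENTITY_FIELDS:                   # csv of unique values, as in the JSON result
                entry[field] = ", ".join(sorted({str(v) for a in matched for v in a.get(field, [])}))
            distinct.append(entry)
    return {"count": sum(e["count"] for e in distinct), "distinct": distinct,
            "processed_alerts": len(processed)}
```

    With the sample data, investigating the first Suspicious Login alert under the default option returns only the other alert from rule ru_1, even though the ru_2 alert has the same name and product; switching to Only IOCs/Assets widens the result to every alert in the window that carries the IP, including the IOC alert from Mandiant.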

    Action outputs

    The Lookup Similar Alerts action provides the following outputs:

    Action output type Availability
    Case wall attachment Not available
    Case wall link Available
    Case wall table Available
    Enrichment table Not available
    JSON result Available
    Output messages Available
    Script result Available
    JSON result

    The following example describes the JSON result output received when using the Lookup Similar Alerts action:

    {
        "count": 123,
        "distinct": [
            {
                "first_seen": "time of the first alert that matched our conditions",
                "last_seen": "time of the last alert that matched our conditions",
                "product_name": "product name",
                "used_ioc_asset": "what user provided in the parameter IOCs and Assets",
                "name": "Alert Name/Rule Name",
                "hostnames": "csv list of unique hostnames that were found in alerts",
                "urls": "csv list of unique urls that were found in alerts",
                "ips": "csv list of unique ips that were found in alerts",
                "subjects": "csv list of unique subjects that were found in alerts",
                "users": "csv list of unique users that were found in alerts",
                "email_addresses": "csv list of unique email_addresses that were found in alerts",
                "hashes": "csv list of unique hashes that were found in alerts",
                "processes": "csv list of unique processes that were found in alerts",
                "rule_urls": ["Chronicle URL from API response for Rule"],
                "count": 123
            }
        ],
        "processed_alerts": 10000,
        "run_time": "how long it took to run the action or at least API request",
        "EXTERNAL_url": "Chronicle URL from API response for EXTERNAL"
    }
    
    Output messages

    The Lookup Similar Alerts action provides the following output messages:

    Output message Message description
    Successfully found similar alerts from the provided timeframe in Google Chronicle. The action succeeded.
    No similar alerts were found from the provided timeframe in Google Chronicle. The action succeeded.
    Error executing action "Lookup Similar Alerts". Reason: ERROR_REASON

    The action failed.

    Check the connection to the server, the input parameters, or the credentials.

    Error executing action "Lookup Similar Alerts". Reason: all of the retries are exhausted. Please wait for a minute and try again.

    The action failed.

    Wait for a minute before running the action again.

    Script result

    The following table describes the values for the script result output when using the Lookup Similar Alerts action:

    Script result name Value
    is_success True or False
    Case wall table

    Table name: IOC/ASSET_IDENTIFIER

    Table columns:

    • Product
    • Hostnames
    • IPs
    • Users
    • Email Addresses
    • Subjects
    • URLs
    • Hashes
    • Processes
    • First Seen
    • Last Seen
    • Alert Name
    • General

    The Lookup Similar Alerts action can return the following links:

    • CBN: GENERATED_LINK_BASED_ON_UI_ROOT_URL
    • Rule: GENERATED_LINK_BASED_ON_UI_ROOT_URL

    Ping

    Use the Ping action to test the connectivity to Google SecOps.

    This action doesn't run on Google SecOps entities.

    Action inputs

    None.

    Action outputs

    The Ping action provides the following outputs:

    Action output type Availability
    Case wall attachment Not available
    Case wall link Not available
    Case wall table Not available
    Enrichment table Not available
    JSON result Not available
    Output messages Available
    Script result Available
    Output messages

    The Ping action provides the following output messages:

    Output message Message description
    Successfully connected to the Google Chronicle backstory with the provided connection parameters! The action succeeded.
    Failed to connect to the Google Chronicle backstory. Error is ERROR_REASON

    The action failed.

    Check the connection to the server, the input parameters, or the credentials.

    Script result

    The following table describes the values for the script result output when using the Ping action:

    Script result name Value
    is_success True or False

    Remove Rows From Data Table

    Use the Remove Rows From Data Table action to remove rows from a data table in Google SecOps.

    This action doesn't run on Google SecOps entities.

    Action inputs

    The Remove Rows From Data Table action requires the following parameters:

    Parameter Description
    Data Table Name

    Required.

    The display name of the data table to update.

    Rows

    Required.

    A list of JSON objects used to search for and delete rows.

    Only valid columns should be included.

    The default value is:

    {
      "columnName1": "value1"
    }

    Action outputs

    The Remove Rows From Data Table action provides the following outputs:

    Action output type Availability
    Case wall attachment Not available
    Case wall link Not available
    Case wall table Not available
    Enrichment table Not available
    JSON result Available
    Output messages Available
    Script result Available
    JSON result

    The following example describes the JSON result output received when using the Remove Rows From Data Table action:

    {
      "name": "projects/365235532452/locations/us/instances/df6f1958-0381-41f9-8794-08a3229744a5/dataTables/data_table/dataTableRows/840d18a85944833e1b97ed6d2fb11377",
      "values": {
        "columnName1": "asda",
        "columnName2": "asdasd",
        "columnName3": "zxczxc"
      },
      "createTime": "2025-05-14T12:52:51.908143Z",
      "updateTime": "2025-05-14T12:52:51.908143Z"
    }

    Output messages

    The Remove Rows From Data Table action provides the following output messages:

    Output message Message description
    Successfully removed rows from the data table DATA_TABLE_NAME in Google SecOps. The action succeeded.
    Error executing action "Remove Rows From Data Table". Reason: ERROR_REASON The action failed.

    Check the connection to the server, the input parameters, or the credentials.

    Script result

    The following table describes the values for the script result output when using the Remove Rows From Data Table action:

    Script result name Value
    is_success True or False

    Remove Values From Reference List

    Use the Remove Values From Reference List action to remove values from a reference list in Google SecOps.

    This action doesn't run on Google SecOps entities.

    Action inputs

    The Remove Values From Reference List action requires the following parameters:

    Parameter Description
    Reference List Name

    Required.

    The name of the reference list to update.

    Values

    Required.

    A comma-separated list of values to remove from the reference list.

    Action outputs

    The Remove Values From Reference List action provides the following outputs:

    Action output type Availability
    Case wall attachment Not available
    Case wall link Not available
    Case wall table Not available
    Enrichment table Not available
    JSON result Available
    Output messages Available
    Script result Available
    JSON result

    The following example describes the JSON result output received when using the Remove Values From Reference List action with Backstory API:

    {
       "name": "list_name",
       "description": "description of the list",
       "lines": [
           "192.0.2.0/24",
           "198.51.100.0/24"
       ],
       "create_time": "2020-11-20T17:18:20.409247Z",
       "content_type": "CIDR"
    }
    

    The following example describes the JSON result output received when using the Remove Values From Reference List action with Chronicle API:

    {
      "name": "projects/PROJECT_ID/locations/us/instances/INSTANCE_ID/referenceLists/REFERENCE_LIST_NAME",
      "displayName": "REFERENCE_LIST_NAME",
      "revisionCreateTime": "2025-01-16T09:15:21.795743Z",
      "description": "Test reference list",
      "entries": [
        {
          "value": "example.com"
        },
        {
          "value": "exampledomain.com"
        }
      ],
      "syntaxType": "REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING",
      "scopeInfo": {
        "referenceListScope": {}
      },
      "createTime": "2025-01-16T09:15:21.795743Z",
      "lines": [
        "example.com",
        "exampledomain.com"
      ]
    }
    
    Output messages

    The Remove Values From Reference List action provides the following output messages:

    Output message Message description
    Successfully removed values from the reference list. The action succeeded.
    Error executing action "Remove Values From Reference List". Reason: ERROR_REASON The action failed.

    Check the connection to the server, the input parameters, or the credentials.

    Script result

    The following table describes the values for the script result output when using the Remove Values From Reference List action:

    Script result name Value
    is_success True or False

    Connectors

    For more detail about how to configure connectors in Google SecOps, see Ingest your data (connectors).

    Google Chronicle - Chronicle Alerts Connector

    Use the Google Chronicle - Chronicle Alerts Connector to pull information about rule-based alerts from Google SecOps SIEM.

    This connector can be filtered using a dynamic list.

    Overview

    The Google Chronicle - Chronicle Alerts Connector ingests multiple alert types from Google SecOps SIEM.

    Key features and operational details include:

    • It queries data within a one-week period.

      To prevent missed alerts from indexing delays, a padding period and increased connector timeout can be configured, though significant padding may negatively affect performance.

    • The connector utilizes dynamic lists for flexible configuration.

    • It provides a Fallback Severity for alerts that lack a severity value.

    • To ingest IoCs, a corresponding detection rule must be created in Google SecOps SIEM that generates alerts based on the IoCs.

    Dynamic list filter

    The dynamic list is used to filter alerts directly from the connector configuration page.

    Operator logic

    The dynamic list uses a combination of AND and OR logic to process filter rules:

    • OR Logic: Values on the same line, separated by a comma, are treated with OR logic (such as, Rule.severity = low,medium means low OR medium severity).

    • AND Logic: Each separate line in the dynamic list is treated with AND logic (such as, a line for Rule.severity and a line for Rule.ruleName means severity AND ruleName).

    • Supported operators (=, !=, >, <, >=, <=) vary depending on the Filter Key.

    The following are the examples of using operator rules:

    • Rule.severity = medium: The connector only ingests rule alerts with the medium severity.
    • Rule.severity = low,medium: The connector only ingests rule alerts with the medium or low severity.
    • Rule.ruleName = default_rule: The connector only ingests rule alerts with the default_rule name.
    Supported filters

    The Chronicle Alerts Connector supports filtering on the following keys:

    Filter key Response key Operators Possible values
    Rule.severity detection/ruleLabels/severity =, !=, >, <, >=, <=

    Info, Error, Low, Medium, High, Critical.

    The values are case-insensitive.

    Rule.ruleName detection/ruleName =, != Defined by the user.
    Rule.ruleID detection/ruleId =, != Defined by the user.
    Rule.ruleLabels.{key} detection/ruleLabels =, != Defined by the user.
    Handling ruleLabels

    To filter on a specific label within a rule, use the Rule.ruleLabels.{key} format.

    For example, to filter on a label with the key type and value suspicious_behaviour, the dynamic list input should be:

    Rule.ruleLabels.type=suspicious_behaviour
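    As an added example (not part of this documentation or of the connector's own code), the following Python applies the dynamic list rules above, OR within a line, AND across lines and the per-key operator set, to the detection portion of the rule-based alert shown in the Connector events section of this page. The severity ranking used by the ordering operators, the handling of != with several values, and the treatment of a field missing from the alert are assumptions, marked in the comments.

```python
import re

# Ranking used by the ordering operators. The page lists the Rule.severity
# values as Info, Error, Low, Medium, High, Critical (case-insensitive).
SEVERITY_ORDER = ["info", "error", "low", "medium", "high", "critical"]

# Documented filter keys (lower-cased) and the operators each one supports;
# "rule.rulelabels." is the prefix that covers Rule.ruleLabels.{key}.
SUPPORTED_OPERATORS = {
    "rule.severity": {"=", "!=", ">", "<", ">=", "<="},
    "rule.rulename": {"=", "!="},
    "rule.ruleid": {"=", "!="},
    "rule.rulelabels.": {"=", "!="},
}

# One dynamic-list line: <key> <operator> <value>[,<value>...]
LINE_RE = re.compile(r"^\s*(?P<key>[^\s=!<>]+)\s*(?P<op>>=|<=|!=|=|>|<)\s*(?P<values>.+?)\s*$")


def parse_rule(line):
    """Parse one dynamic-list line into (key, operator, [values])."""
    match = LINE_RE.match(line)
    if not match:
        raise ValueError(f"malformed filter line: {line!r}")
    key, op = match.group("key"), match.group("op")
    values = [v.strip() for v in match.group("values").split(",") if v.strip()]
    lowered = key.lower()
    prefix = "rule.rulelabels." if lowered.startswith("rule.rulelabels.") else lowered
    allowed = SUPPORTED_OPERATORS.get(prefix)
    if allowed is None:
        raise ValueError(f"unsupported filter key: {key}")
    if op not in allowed:
        raise ValueError(f"operator {op} is not supported for {key}")
    if lowered == "rule.severity":
        for value in values:
            if value.lower() not in SEVERITY_ORDER:
                raise ValueError(f"unknown severity value: {value}")
    return key, op, values


def _detection(alert):
    return (alert.get("detection") or [{}])[0]


def _rule_labels(alert):
    # The detection's ruleLabels list as a {key: value} dict.
    return {lbl.get("key"): lbl.get("value") for lbl in _detection(alert).get("ruleLabels", [])}


def extract_value(alert, key):
    """Read the response field a filter key refers to (None if absent)."""
    lowered = key.lower()
    if lowered == "rule.severity":
        return _rule_labels(alert).get("severity")
    if lowered == "rule.rulename":
        return _detection(alert).get("ruleName")
    if lowered == "rule.ruleid":
        return _detection(alert).get("ruleId")
    if lowered.startswith("rule.rulelabels."):
        return _rule_labels(alert).get(key.split(".", 2)[2])


def rule_matches(actual, key, op, values):
    """Evaluate one line: comma-separated values are OR-ed for '=' and the ordering
    operators; for '!=' the alert must differ from every value (an assumption)."""
    if actual is None:
        return False  # assumption: a field missing from the alert never matches
    if key.lower() != "rule.severity":
        return actual in values if op == "=" else actual not in values
    if actual.lower() not in SEVERITY_ORDER:
        return False  # assumption: unrecognised severity strings never match
    rank = SEVERITY_ORDER.index(actual.lower())
    wanted = [SEVERITY_ORDER.index(v.lower()) for v in values]
    if op == "=":
        return rank in wanted
    if op == "!=":
        return rank not in wanted
    compare = {">": rank.__gt__, "<": rank.__lt__, ">=": rank.__ge__, "<=": rank.__le__}[op]
    return any(compare(w) for w in wanted)


def alert_passes_filter(alert, dynamic_list):
    """Apply the whole dynamic list: every non-empty line must match (AND)."""
    rules = [parse_rule(line) for line in dynamic_list.splitlines() if line.strip()]
    return all(rule_matches(extract_value(alert, key), key, op, values) for key, op, values in rules)


# Constructed sample: the detection portion of the page's rule-based alert example.
SAMPLE_RULE_ALERT = {"alert_type": "RULE", "detection": [{
    "ruleName": "d3_test",
    "ruleId": "ru_74dd17e2-5aad-4053-acd7-958bead014f2",
    "ruleLabels": [{"key": "author", "value": "analyst123"},
                   {"key": "description", "value": "8:00 AM local time"},
                   {"key": "severity", "value": "Medium"}]}]}
```

    A rule such as Rule.ruleName > x is rejected at parse time rather than silently ignored, which is the behaviour to aim for when a filter typo would otherwise widen what the connector ingests.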

    Connector inputs

    The Chronicle Alerts Connector requires the following parameters:

    Parameter Description
    Product Field Name

    Required.

    The name of the field where the product name is stored.

    The product name primarily impacts mapping. To streamline and improve the mapping process for the connector, the default value resolves to a fallback value that is referenced from the code. Any invalid input for this parameter resolves to a fallback value by default.

    The default value is Product Name.

    Event Field Name

    Required.

    The name of the field that determines the event name (subtype).

    Environment Field Name

    Optional.

    The name of the field where the environment name is stored.

    If the environment field is missing, the connector uses the default value.

    The default value is "".

    Environment Regex Pattern

    Optional.

    A regular expression pattern to run on the value found in the Environment Field Name field. This parameter lets you manipulate the environment field using the regular expression logic.

    Use the default value .* to retrieve the required raw Environment Field Name value.

    If the regular expression pattern is null or empty, or the environment value is null, the final environment result is the default environment.

    Script Timeout (Seconds)

    Required.

    The timeout limit, in seconds, for the Python process that runs the current script.

    The default value is 180.

    API Root

    Required.

    The API root of the Google SecOps SIEM instance.

    Google SecOps provides regional endpoints for each API, for example, https://europe-backstory.googleapis.com or https://asia-southeast1-backstory.googleapis.com.

    Contact Cloud Customer Care to find out which endpoint to use.

    The default value is https://backstory.googleapis.com.

    User's Service Account

    Required.

    The full JSON content of the service account used for authentication.

    Fallback Severity

    Required.

    The default severity to use if the alert from Google SecOps SIEM does not include a severity value.

    The possible values are as follows:
    • Critical
    • High
    • Medium
    • Low
    • Info

    The default value is Medium.

    Max Hours Backwards

    Optional.

    The number of hours prior to the initial connector run to retrieve incidents from.

    This parameter applies only once.

    The maximum value is 168 (one week).

    The default value is 1.

    Max Alerts To Fetch

    Optional.

    The number of alerts to process in every connector iteration.

    The default value is 100.

    Disable Event Splitting

    Optional.

    If selected, the connector doesn't split original events into multiple parts, ensuring the event count matches between the source and Google SecOps SOAR.

    Not enabled by default.

    Verify SSL

    Required.

    If selected, the integration validates the SSL certificate when connecting to the Google SecOps SIEM server.

    Enabled by default.

    Proxy Server Address

    Optional.

    The address of the proxy server to use.

    Proxy Username

    Optional.

    The proxy username to authenticate with.

    Proxy Password

    Optional.

    The proxy password to authenticate with.

    Disable Overflow

    Optional.

    If selected, the connector ignores the Google SecOps overflow mechanism.

    Not enabled by default.

    Connector rules

    The Google Chronicle - Chronicle Alerts Connector supports proxies.

    Connector events

    The Google Chronicle - Chronicle Alerts Connector processes three types of events from Google SecOps SIEM.

    Rule-based alerts

    This event type is generated by a detection rule in Google SecOps SIEM.

    {
        "alert_type": "RULE",
        "event_type": "NETWORK_DHCP",
        "type": "RULE_DETECTION",
        "detection": [
            {
                "ruleName": "d3_test",
                "urlBackToProduct": "https://INSTANCE/ruleDetections?ruleId=ru_74dd17e2-5aad-4053-acd7-958bead014f2&selectedList=RuleDetectionsViewTimeline&selectedParentDetectionId=de_b5dadaf4-b398-325f-9f09-833b71b3ffbb&selectedTimestamp=2022-02-08T05:02:36Z&versionTimestamp=2020-11-19T18:19:11.951951Z",
                "ruleId": "ru_74dd17e2-5aad-4053-acd7-958bead014f2",
                "ruleVersion": "ru_74dd17e2-5aad-4053-acd7-958bead014f2@v_1605809951_951951000",
                "alertState": "NOT_ALERTING",
                "ruleType": "SINGLE_EVENT",
                "ruleLabels": [
                    {
                        "key": "author",
                        "value": "analyst123"
                    },
                    {
                        "key": "description",
                        "value": "8:00 AM local time"
                    },
                    {
                        "key": "severity",
                        "value": "Medium"
                    }
                ]
            }
        ],
        "createdTime": "2022-02-08T06:07:33.944951Z",
        "id": "de_b5dadaf4-b398-325f-9f09-833b71b3ffbb",
        "timeWindow": {
            "startTime": "2022-02-08T05:02:36Z",
            "endTime": "2022-02-08T05:02:36Z"
        },
        "collectionElements": [
            {
                "references": [
                    {
                        "event": {
                            "metadata": {
                                "eventTimestamp": "2022-02-08T05:02:36Z",
                                "eventType": "NETWORK_DHCP",
                                "productName": "Infoblox DHCP",
                                "ingestedTimestamp": "2022-02-08T05:03:03.892234Z"
                            },
                            "principal": {
                                "ip": [
                                    "198.51.100.255",
                                    "198.51.100.1"
                                ],
                                "mac": [
                                    "01:23:45:ab:cd:ef"
                                ],
                                "email_address": [
                                    "example@example.com"
                                ]
                            },
                            "target": {
                                "hostname": "dhcp_server",
                                "ip": [
                                    "198.51.100.0",
                                    "198.51.100.1"
                                ]
                            },
                            "network": {
                                "applicationProtocol": "DHCP",
                                "dhcp": {
                                    "opcode": "BOOTREQUEST",
                                    "ciaddr": "198.51.100.255",
                                    "giaddr": "198.51.100.0",
                                    "chaddr": "01:23:45:ab:cd:ef",
                                    "type": "REQUEST",
                                    "clientHostname": "example-user-pc",
                                    "clientIdentifier": "AFm/LDfjAw=="
                                }
                            }
                        }
                    }
                ],
                "label": "e"
            }
        ],
        "detectionTime": "2022-02-08T05:02:36Z"
    }
    
    External alerts

    This event type is based on an external alert that is ingested into Google SecOps SIEM.

    {
        "alert_type": "External",
        "event_type": "GENERIC_EVENT",
        "name": "Authentication failure [32038]",
        "sourceProduct": "Internal Alert",
        "severity": "Medium",
        "timestamp": "2020-09-30T18:03:34.898194Z",
        "rawLog": "U2VwIDMwIDE4OjAzOjM0Ljg5ODE5NCAxMC4wLjI5LjEwOSBBdXRoZW50aWNhdGlvbiBmYWlsdXJlIFszMjAzOF0=",
        "uri": [
            "https://INSTANCE/assetResults?assetIdentifier=198.51.100.109&namespace=[untagged]&referenceTime=2020-09-30T18%3A03%3A34.898194Z&selectedList=AssetViewTimeline&startTime=2020-09-30T17%3A58%3A34.898194Z&endTime=2020-09-30T18%3A08%3A34.898194Z&selectedAlert=-610875602&selectedEventTimestamp=2020-09-30T18%3A03%3A34.898194Z"
        ],
        "event": {
            "metadata": {
                "eventTimestamp": "2020-09-30T18:03:34.898194Z",
                "eventType": "GENERIC_EVENT",
                "productName": "Chronicle Internal",
                "ingestedTimestamp": "2020-09-30T18:03:34.991592Z"
            },
            "target": [
                {
                    "ip": [
                        "198.51.100.255",
                        "198.51.100.1"
                    ]
                }
            ],
            "securityResult": [
                {
                    "summary": "Authentication failure [32038]",
                    "severityDetails": "Medium"
                }
            ]
        }
    }
    
    IoC Alerts

    This event type is a match against a predefined list of IoCs.

    {
        "alert_type": "IOC",
        "event_type": "IOC Alert",
        "artifact": {
            "domainName": "example.com"
        },
        "sources": [
            {
                "source": "Example List",
                "confidenceScore": {
                    "normalizedConfidenceScore": "Low",
                    "intRawConfidenceScore": 0
                },
                "rawSeverity": "High",
                "category": "Malware Command and Control Server"
            }
        ],
        "iocIngestTime": "2020-09-07T11:00:00Z",
        "firstSeenTime": "2018-10-03T00:01:59Z",
        "lastSeenTime": "2022-02-04T20:02:29.191Z",
        "uri": [
            "https://INSTANCE/domainResults?domain=example.com&selectedList=DomainViewDistinctAssets&whoIsTimestamp=2022-02-08T15%3A08%3A52.434022777Z"
        ]
    }
    

    Alert structure

    The following table describes how the Google Chronicle - Chronicle Alerts Connector populates the attributes of an alert in Google SecOps. The alert attributes are grouped by their origin and alert type for clarity.

    Internally generated attributes

    These attributes are generated by the framework and are consistent across all alert types.

    Alert Attribute Name Source
    SourceSystemName Internally generated by the framework.
    TicketId The value is taken from the ids.json file.
    DisplayId Automatically generated.
    Attributes for all alert types

    These attributes are derived from the source alert, but their source key varies by alert type.

    Alert Attribute Name Source
    Priority Taken from the API response or the Fallback Severity parameter.
    DeviceVendor Hardcoded value is Google Chronicle.
    DeviceProduct A hardcoded value that depends on the alert type: RULE for rule detection alerts, IOC for IOC matches, or EXTERNAL for external alerts.
    Description For rule-based alerts, this is sourced from detection/ruleLabels/description (if it exists). Not available for other alert types.
    Reason Not available.
    SourceGroupingIdentifier Not available.
    Chronicle Alert - Attachments Not available.
    Specific alert types

    These attributes are specific to the alert's origin, making it easier to understand how each is populated.

    Alert Attribute Name Rule-based Alerts IOC-based Alerts External Alerts
    Name detection/ruleName IOC Alert (hardcoded) alertInfos/name
    RuleGenerator detection/ruleName IOC Alert (hardcoded) alertInfos/name
    StartTime & EndTime timeWindow/startTime lastSeenTime timestamp
    Chronicle Alert - Extensions rule_id (ruleId), product_name (CSV of event/metadata/productName values) Not applicable alert_name (name), product_name (CSV of UDM event/metadata/productName values)
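    As an added example (not part of this documentation or of the connector's own code), the following Python populates the attributes from the three tables above for trimmed copies of the three connector events shown earlier on this page, including the Fallback Severity path for an event that carries no severity. Where the page does not pin down the source field (which ruleLabels entry holds a rule's severity, that an external event's alertInfos/name arrives as the top-level name, that an IOC event without a severity takes the fallback), the code states the assumption in a comment.

```python
# The connector's Fallback Severity parameter and its documented values.
FALLBACK_SEVERITY = "Medium"
SEVERITIES = ("Critical", "High", "Medium", "Low", "Info")


def _normalize_severity(value, fallback):
    """Map a severity string from the response to one of SEVERITIES, or fall back."""
    if isinstance(value, str):
        for severity in SEVERITIES:
            if value.lower() == severity.lower():
                return severity
    return fallback


def _rule_product_names(alert):
    """CSV of the distinct event/metadata/productName values behind a rule detection."""
    names = []
    for element in alert.get("collectionElements", []):
        for reference in element.get("references", []):
            name = reference.get("event", {}).get("metadata", {}).get("productName")
            if name and name not in names:
                names.append(name)
    return ",".join(names)


def build_soar_alert(alert, fallback_severity=FALLBACK_SEVERITY):
    """Populate the alert attributes from one connector event, per the tables above."""
    kind = str(alert.get("alert_type", "")).upper()
    soar = {"DeviceVendor": "Google Chronicle", "Description": None, "Extensions": {}}
    if kind == "RULE":
        detection = (alert.get("detection") or [{}])[0]
        labels = {l.get("key"): l.get("value") for l in detection.get("ruleLabels", [])}
        window = alert.get("timeWindow", {})
        soar.update({
            "DeviceProduct": "RULE",
            "Name": detection.get("ruleName"),
            "RuleGenerator": detection.get("ruleName"),
            "StartTime": window.get("startTime"),
            "EndTime": window.get("endTime"),
            # assumption: a rule's severity is the ruleLabels entry with key "severity"
            "Priority": _normalize_severity(labels.get("severity"), fallback_severity),
            "Description": labels.get("description"),
            "Extensions": {"rule_id": detection.get("ruleId"),
                           "product_name": _rule_product_names(alert)},
        })
    elif kind == "IOC":
        soar.update({
            "DeviceProduct": "IOC",
            "Name": "IOC Alert",
            "RuleGenerator": "IOC Alert",
            "StartTime": alert.get("lastSeenTime"),
            "EndTime": alert.get("lastSeenTime"),
            # assumption: the IOC event carries no severity field, so the fallback applies
            "Priority": _normalize_severity(alert.get("severity"), fallback_severity),
        })
    elif kind == "EXTERNAL":
        product = alert.get("event", {}).get("metadata", {}).get("productName", "")
        soar.update({
            "DeviceProduct": "EXTERNAL",
            # assumption: the connector event carries alertInfos/name as top-level "name"
            "Name": alert.get("name"),
            "RuleGenerator": alert.get("name"),
            "StartTime": alert.get("timestamp"),
            "EndTime": alert.get("timestamp"),
            "Priority": _normalize_severity(alert.get("severity"), fallback_severity),
            "Extensions": {"alert_name": alert.get("name"), "product_name": product},
        })
    else:
        raise ValueError(f"unknown alert_type: {alert.get('alert_type')!r}")
    return soar


# Constructed samples: trimmed copies of the three connector events shown above.
SAMPLE_RULE_ALERT = {
    "alert_type": "RULE",
    "detection": [{"ruleName": "d3_test",
                   "ruleId": "ru_74dd17e2-5aad-4053-acd7-958bead014f2",
                   "ruleLabels": [{"key": "description", "value": "8:00 AM local time"},
                                  {"key": "severity", "value": "Medium"}]}],
    "timeWindow": {"startTime": "2022-02-08T05:02:36Z", "endTime": "2022-02-08T05:02:36Z"},
    "collectionElements": [{"references": [{"event": {"metadata": {"productName": "Infoblox DHCP"}}}],
                            "label": "e"}],
}
SAMPLE_EXTERNAL_ALERT = {
    "alert_type": "External",
    "name": "Authentication failure [32038]",
    "severity": "Medium",
    "timestamp": "2020-09-30T18:03:34.898194Z",
    "event": {"metadata": {"productName": "Chronicle Internal"}},
}
SAMPLE_IOC_ALERT = {
    "alert_type": "IOC",
    "artifact": {"domainName": "example.com"},
    "lastSeenTime": "2022-02-04T20:02:29.191Z",
}
```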

    Deprecated: Google Chronicle - Alerts Connector

    This connector pulls asset alerts from Google SecOps SIEM and converts them into Google SecOps SIEM alerts.

    You can authenticate using the Google library with google.oauth2.service_account and AuthorizedSession.

    This connector requires the Google SecOps SIEM Search API.

    Connector inputs

    The Alerts Connector requires the following parameters:

    Parameter Description
    Product Field Name

    Required.

    The name of the field where the product name is stored.

    The product name primarily impacts mapping. To streamline and improve the mapping process for the connector, the default value resolves to a fallback value that is referenced from the code. Any invalid input for this parameter resolves to a fallback value by default.

    The default value is Product Name.

    Environment Field Name

    Optional.

    The name of the field where the environment name is stored.

    If the environment field is missing, the connector uses the default value.

    The default value is "".

    Environment Regex Pattern

    Optional.

    A regular expression pattern to run on the value found in the Environment Field Name field. This parameter lets you manipulate the environment field using the regular expression logic.

    Use the default value .* to retrieve the required raw Environment Field Name value.

    If the regular expression pattern is null or empty, or the environment value is null, the final environment result is the default environment.

    Script Timeout (Seconds)

    Required.

    The timeout limit, in seconds, for the Python process that runs the current script.

    The default value is 180.

    Service Account Credentials

    Required.

    The content of the service account JSON file.

    Fetch Max Hours Backwards

    Optional.

    The number of hours prior to the initial connector run to retrieve incidents from.

    This parameter applies only once.

    The maximum value is 168 (one week).

    The default value is 1.

    Deprecated: Google Chronicle - IoCs Connector

    Use the Chronicle Alerts Connector instead.

    This connector pulls the IOC domain matches from Google SecOps SIEM and converts them into Google SecOps SIEM alerts.

    You can authenticate using the Google library with google.oauth2.service_account and AuthorizedSession.

    This connector uses the Google SecOps SIEM Search API.

    Connector inputs

    The Google Chronicle - IoCs Connector requires the following parameters:

    Parameter Description
    Product Field Name

    Required.

    The name of the field where the product name is stored.

    The product name primarily impacts mapping. To streamline and improve the mapping process for the connector, the default value resolves to a fallback value that is referenced from the code. Any invalid input for this parameter resolves to a fallback value by default.

    The default value is Product Name.

    Environment Field Name

    Optional.

    The name of the field where the environment name is stored.

    If the environment field is missing, the connector uses the default value.

    The default value is "".

    Environment Regex Pattern

    Optional.

    A regular expression pattern to run on the value found in the Environment Field Name field. This parameter lets you manipulate the environment field using the regular expression logic.

    Use the default value .* to retrieve the required raw Environment Field Name value.

    If the regular expression pattern is null or empty, or the environment value is null, the final environment result is the default environment.

    Script Timeout (Seconds)

    Required.

    The timeout limit, in seconds, for the Python process that runs the current script.

    The default value is 180.

    Service Account Credentials

    Required.

    The content of the service account JSON file.

    Fetch Max Hours Backwards

    Optional.

    The number of hours prior to the initial connector run to retrieve alerts from.

    This parameter applies only once.

    The maximum value is 168 (one week).

    The default value is 1.

    Max Alerts To Fetch

    Optional.

    The maximum number of alerts to process in every connector iteration.

    The default value is 100.

    Jobs

    The Google Chronicle integration lets you use the following jobs:

    • Google Chronicle Sync Data job
    • Google Chronicle Alerts Creator job

    Job configuration prerequisites

    Important: If you update the integration, re-create Google SecOps SIEM jobs to update their code.

    Before proceeding to the job configuration, configure the Chronicle Alerts Connector.

    To configure Google Chronicle jobs, follow these steps:

    1. In Google SecOps SOAR, go to Response > Job Scheduler.

    2. Click Create New Job.

    3. In the Add Job dialog that appears, select the corresponding Google Chronicle job and click Save.

    4. Optional: Edit the job name and description, if necessary.

    5. In the Job Details section:

      • Make sure that GoogleChronicle is selected in the Integration field.

      • To automatically run the job at specified intervals, set up a scheduler interval. Configuring the scheduler is mandatory to complete the job configuration. As Google Chronicle jobs can synchronize large amounts of data in one run, Google recommends that you minimally set the scheduler interval to 2 minutes.

    Google Chronicle Sync Data job

    This job works with alerts created by the Chronicle Alerts Connector and the Chronicle Alerts Creator job, but not with alerts from deprecated connectors (Alerts Connector and IOCs Connector).

    The Google Chronicle Sync Data job synchronizes updated Google SecOps alerts and cases managed in Google SecOps SOAR back to Google SecOps SIEM. Consequently, you can track the same information on both systems immediately after you make changes in Google SecOps SOAR.

    Case and alerts data synchronization

    The Google Chronicle Sync Data job tracks and synchronizes the following fields for cases:

    Tracked field Synchronized field
    Priority Priority
    Status Status
    Title Title
    Not applicable Stage
    Not applicable Google SecOps Case ID

    Google SecOps Case ID is a unique case identifier in Google SecOps SOAR and Google SecOps SIEM.

    The Google Chronicle Sync Data job tracks and synchronizes the following fields for alerts:

    Tracked field Synchronized field
    Priority Priority
    Status Status
    Case ID Not applicable
    Not applicable Google SecOps Alert ID
    Not applicable Google SecOps Case ID
    Not applicable Verdict
    Not applicable Closure Comment
    Not applicable Closure Reason
    Not applicable Closure Root Cause
    Not applicable Usefulness

    Google SecOps Alert ID is a unique alert identifier in Google SecOps SOAR.

    In one iteration, the job synchronizes up to 1,000 cases and 1,000 alerts. The synchronization occurs within the Google SecOps SOAR environment that is specified in the job configuration. The synchronization mechanism ensures that a case from the specified environment cannot be synced with another environment.

    Configure the Google Chronicle Sync Data job

    This job only synchronizes the Google SecOps SOAR cases that were ingested from Google SecOps SIEM.

    Make sure you have completed the prerequisite steps before configuring the job.

    To configure the Google Chronicle Sync Data job, follow these steps:

    1. In the Parameters section, configure the following parameters:

      Parameter Description
      Environment

      Required.

      The name of the environment created in Google SecOps SOAR where you want to sync cases and alerts.

      API Root

      Required.

      The API root of the Google SecOps SIEM instance.

      Google SecOps provides regional endpoints for each API.

      For example, https://europe-backstory.googleapis.com or https://asia-southeast1-backstory.googleapis.com.

      If you don't know which endpoint to use, contact Cloud Customer Care (/chronicle/docs/getting-support).

      The default value is https://backstory.googleapis.com.

      User's Service Account

      Required.

      The content of the service account JSON file of your Google SecOps SIEM instance.

      Max Hours Backwards

      Optional.

      The number of hours to fetch alerts from. Use only positive numbers. If you enter 0 or a negative number, an error is reported. If this parameter is empty, the job uses the default value.

      The default value is 24.

      Verify SSL

      Required.

      If selected, Google SecOps verifies that the SSL certificate for connecting to the Google SecOps SIEM server is valid. We recommend that you select this option.

      Selected by default.

      The Google Chronicle Sync Data job is enabled by default. When you save the correctly configured job, it starts synchronizing data with Google SecOps SIEM immediately. To disable the job, switch the toggle next to the job name.

    2. To complete the configuration, click Save.

      If the Save button is inactive, make sure that you have set all mandatory parameters.

    3. Optional: To run the job immediately after saving, click Run Now.

      The Run Now option lets you trigger a single job run that synchronizes the current Google SecOps SOAR alerts and cases data with Google SecOps SIEM.

    Log messages

    The following table lists possible log messages for the Google Chronicle Sync Data job:

    Log entry Type Description
    Unable to parse credentials as JSON. Please validate creds. Error The service account provided in the User's Service Account parameter is corrupted.
    "Max Hours Backwards" parameter must be a positive number. Error The Max Hours backwards parameter is set to 0 or a negative number.
    Current platform version does not support SDK methods designed for Google SecOps. Please use version 6.1.33 or higher. Error The current Google SecOps platform instance version doesn't support the Chronicle Sync Data job script execution. This means that the instance's build version is older than 6.1.33.
    Unable to connect to Google SecOps, please validate your credentials: CREDENTIALS Error The service account or API root values couldn't be validated against the Google SecOps SIEM instance. This error is reported if the connectivity testing fails.
    --- Start Processing Updated Cases --- Info The case processing loop has started running.
    Last success time. Date time:DATE_AND_TIME. Unix:UNIX_EPOCH_TIME Info

    The timestamp of the last successful script execution for cases or alerts:

    • DATE_AND_TIME is a date and time value
    • UNIX_EPOCH_TIME is a Unix epoch time value
    Key: "DATABASE_KEY" does not exist in the database. Returning default value instead: DEFAULT_VALUE Info The pending case or alert database key does not exist in the database. This log entry always appears in the first execution of the script.
    Failed to parse data as JSON. Returning default value instead: "DEFAULT_VALUE". ERROR: ERROR Error The value retrieved from the database is not valid JSON.
    Exception was raised from the database. ERROR: ERROR. Error There is a connection problem with the database.

    Successfully loaded CASE_IDS pending IDs.

    Successfully loaded ALERT_IDS pending alert IDs.

    Info

    The pending cases or alerts IDs have been successfully retrieved from the backlog.

    CASE_IDS is the number of case IDs retrieved.

    Cases overload: case limit is 1000 NUMBER_OF_CASES cases will not be synced.

    Alerts overload: alert limit is 1000 NUMBER_OF_ALERTS alerts will not be synced.

    Error

    The number of pending cases or alerts IDs that are fetched from the database is greater than the limit (1000). Any IDs over the limit are ignored.

    This error can indicate a possible database corruption.

    Found NUMBER_OF_UPDATED_CASES updated cases since last fetch time.

    Info The newly updated case or alert IDs were successfully fetched from the platform.

    --- Start Updating Cases in Google SecOps ----

    -- Start Processing Updated Alerts ---

    Info The update of cases and alerts in the Google SecOps SIEM instance has started.

    Failed to update case CASE_ID. Reason: ERROR_REASON

    Failed to update alert ALERT_ID. Reason: ERROR_REASON

    Error The specified case or alert cannot be synchronized with Google SecOps SIEM.

    Max retries reached for case CASE_ID. Removing from backlog.

    Max retries reached for alert ALERT_GROUP_ID . Removing from backlog.

    Info The specified pending case or alert has reached the sync retry limit (5) and is not inserted back to the backlog.

    The following cases were not synced: CASE_IDS

    The following alerts were not synced: ALERT_IDS

    Info The list of case or alert IDs that cannot be synchronized with Google SecOps SIEM.
    Updated External Case IDs for the following cases: CASE_IDS Info The list of cases for which the job updated the matching Google SecOps SIEM external case ID in the Google SecOps SOAR platform.
    Failed to update external ids. Error The log entry indicating that there was a problem with the SDK method or connection that prevented updating external case IDs in the platform.

    Failed to update cases in Google SecOps.

    Failed to update alerts in Google SecOps.

    Error The log entry indicating that there was a certain terminating error that prevented the case or alerts processing loop to finish naturally. The stacktrace is printed after this log with the specific error.

    --- Finished Updating Cases in Google SecOps ---

    --- Finished Updating Alerts in Google SecOps ---

    Info The cases and alerts processing loop has finished, either naturally or with an error.

    The following failed case ids were put in the backlog: CASE_IDS

    The following failed alert ids were put in the backlog: ALERT_IDS

    Error The list of failed case or alert IDs that have a retry count less than or equal to 5 to be written back to the backlog.

    --- Finished Processing Updated Cases ---

    --- Finished Processing Updated Alerts ---

    Info The stage of processing case and alert has been finished.
    Saving timestamps. Info Saving the last successful case and alert update timestamps to the database.
    Saving pending ids. Info Saving pending case and alert IDs to the database.
    Got exception on main handler. Error: ERROR_REASON Error A general termination error has occurred. The stacktrace is printed after this log with the specific error.

    Google Chronicle Alerts Creator job

    The Google Chronicle Alerts Creator job requires the Google SecOps platform version 6.2.30 or later.

    This job creates all Google SecOps SOAR alerts in Google SecOps SIEM, including overflow alerts. The Google Chronicle Alerts Creator job doesn't replicate alerts that originate from Google SecOps SIEM, because those already exist there.

    The Google Chronicle Alerts Creator job queries the SOAR platform using the Python SDK for non-synchronized alerts. The job sends non-synchronized alerts to SIEM individually. SIEM updates and returns the identifiers of the corresponding SIEM alerts, and SOAR saves the identifiers using the SOAR platform API through the Python SDK.

    Relationship between the Google Chronicle jobs

    A complete Google SecOps system runs the following three components concurrently:

    1. Chronicle Alerts Connector
    2. Google Chronicle Sync Data job
    3. Google Chronicle Alerts Creator job

    The Google Chronicle Sync Data job creates and synchronizes cases. It also synchronizes the case and alert modifications, such as priority changes.

    The Google Chronicle Alerts Creator job creates all alerts in SIEM except those that originated in SIEM. After the Google Chronicle Alerts Creator job creates an alert, the Google Chronicle Sync Data job sends subsequent updates for it.

    Case and alerts data synchronization

    Cases are synchronized in the same manner as with the Google Chronicle Sync Data job.

    In Google SecOps SIEM, each alert is identified with a SIEM alert identifier. SOAR alerts can adopt a SIEM identifier in two scenarios:

    1. Alert is generated in SIEM.

      This alert already exists in Google SecOps SIEM and there is no need to duplicate it. The connector populates the siem_alert_id field.

    2. Alert is generated in third-party connectors.

      This alert does not exist in Google SecOps SIEM and requires running an explicit synchronization operation that the Google Chronicle Alerts Creator job is responsible for. Upon completing the synchronization operation, the alert acquires a new SIEM identifier.
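
    The following Python model, added here as an example and not the job's own code, walks through the Alerts Creator loop described above: alerts the connector already tagged with a siem_alert_id (scenario 1) are skipped, third-party alerts (scenario 2) are sent to SIEM one at a time, and the identifier SIEM returns is written back to SOAR. FakeSoar, FakeSiem and run_alerts_creator are constructed stand-ins, not the Google SecOps SDK; batch size and iteration limit are assumed values.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class SoarAlert:
    alert_id: str
    siem_alert_id: Optional[str] = None  # set by the connector for SIEM-born alerts


class FakeSoar:
    """Stand-in for the SOAR platform API (constructed, not the real SDK)."""
    def __init__(self, alerts):
        self.alerts = {a.alert_id: a for a in alerts}

    def fetch_unsynced(self, batch_size, exclude):
        # Only alerts with no SIEM identifier yet are candidates for creation.
        pending = [a for a in self.alerts.values()
                   if a.siem_alert_id is None and a.alert_id not in exclude]
        return pending[:batch_size]

    def save_siem_id(self, alert_id, siem_alert_id):
        self.alerts[alert_id].siem_alert_id = siem_alert_id


class FakeSiem:
    """Stand-in for the SIEM alert-creation endpoint (constructed)."""
    def __init__(self, reject=()):
        self.reject, self.created = set(reject), 0

    def create_alert(self, alert):
        if alert.alert_id in self.reject:
            raise RuntimeError("SIEM rejected the alert")
        self.created += 1
        return f"siem-{self.created:04d}"  # the identifier SIEM hands back


def run_alerts_creator(soar, siem, batch_size=2, max_iterations=5, log=print):
    """One job run: fetch, dispatch individually, write SIEM IDs back."""
    synced, failed = 0, []
    for i in range(max_iterations):
        log(f"Starting {i + 1}/{max_iterations} fetch attempt")
        batch = soar.fetch_unsynced(batch_size, exclude=failed)
        if not batch:
            log("No new SOAR alerts were found. Stopping...")
            break
        for alert in batch:
            try:
                siem_id = siem.create_alert(alert)
            except RuntimeError as err:
                log(f"Failed to create alert {alert.alert_id} in SIEM. Reason: {err}")
                failed.append(alert.alert_id)
                continue
            soar.save_siem_id(alert.alert_id, siem_id)
            synced += 1
    log(f"Total of {synced} alerts were synced in this run")
    return synced, failed
```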

    Configure the Google Chronicle Alerts Creator job

    Make sure you have completed the prerequisite steps before configuring the job.

    To configure the Google Chronicle Alerts Creator job, follow these steps:

    1. Configure the job parameters from the following table:

      Parameter Description
      Environment

      Required.

      The name of the environment created in Google SecOps SOAR where you want to sync cases and alerts.

      API Root

      Required.

      The API root of the Google SecOps SIEM instance.

      Google SecOps provides regional endpoints for each API.

      For example, https://europe-backstory.googleapis.com or https://asia-southeast1-backstory.googleapis.com.

      If you don't know which endpoint to use, [contact Cloud Customer Care](/chronicle/docs/getting-support).

      The default value is https://backstory.googleapis.com.

      User's Service Account

      Required.

      The content of the service account JSON file of your Google SecOps SIEM instance.

      Verify SSL

      Required.

      If selected, Google SecOps verifies that the SSL certificate for connecting to the Google SecOps SIEM server is valid. We recommend that you select this option.

      Selected by default.

    2. To complete the configuration, click Save.

      If the Save button is inactive, make sure that you have set all mandatory parameters.

    3. Optional: To run the job immediately after saving, click Run Now.

      The Run Now option lets you trigger a single job run that synchronizes the current Google SecOps SOAR alerts and cases data with Google SecOps SIEM.

    Log messages and error handling

    | Log | Level | Description |
    | --- | --- | --- |
    | Unable to parse credentials as JSON. Please validate creds. | ERROR | The service account provided in the User's Service Account parameter is corrupted. |
    | Current platform version does not support SDK methods designed for Google Chronicle. Please use version 6.2.30 or later. | ERROR | The current Google SecOps platform instance version doesn't support the Google Chronicle Alerts Creator job script execution. This error means that the instance build version is earlier than 6.2.30. |
    | Unable to connect to Google Chronicle, please validate your credentials: CREDENTIALS | ERROR | The service account or API root values cannot be validated against the Google SecOps SIEM instance. This error is reported if the connectivity test fails. |
    | --------------- JOB STARTED --------------- | INFO | The job has started. |
    | ----------------- Main - Started ----------------- | INFO | The main function has started. |
    | Starting i + 1/MAXIMUM_ITERATIONS_NUMBER fetch attempt | INFO | The iteration number of the current consecutive fetch attempt. |
    | Fetching up to BATCH_SIZE new alerts from the SOAR | INFO | The job doesn't retrieve more than BATCH_SIZE new alerts from SOAR in one batch. |
    | NUMBER_OF_NEW_ALERTS SOAR alerts were fetched | INFO | NUMBER_OF_NEW_ALERTS SOAR alerts were fetched. |
    | No new SOAR alerts were found. Stopping... | INFO | No new SOAR alerts were found, and the job is stopping. |
    | Fetched the following SOAR alerts: ID_LIST | INFO | The job has fetched the SOAR alerts with the identifiers in ID_LIST. You can use this information to track the progress of the job and to troubleshoot issues. |
    | Dispatching SOAR alerts to SIEM | INFO | The job is dispatching SOAR alerts to SIEM. |
    | Failed to create alert ALERT_GROUP_ID in SIEM. Reason: ERROR_REASON | ERROR | The alert was not created in SIEM because of an error. |
    | Updating SOAR with SIEM response | INFO | The job is updating SOAR with the SIEM response. |
    | SOAR has failed updating the status of alert ALERT_ID | WARNING | SOAR was unable to update the synchronization status of the alert. |
    | Total of NUMBER_OF_SYNCED_ALERTS alerts were synced in this run | INFO | A total of NUMBER_OF_SYNCED_ALERTS alerts were synced in the current run. |
    | --------------- JOB FINISHED --------------- | INFO | The job has finished. |
    | Got exception on main handler. Error: ERROR_REASON | ERROR | An exception occurred in the main function. The exception message is included in the log message. |

    Use cases

    The Google Chronicle integration lets you run the following use cases:

    • Chronicle Windows Threats Investigation and Response
    • Security Command Center and Chronicle Cloud DIR

    Install the use case

    1. In the Google SecOps Marketplace, go to the Use Cases tab.

    2. In the search field, enter the use case name.

    3. Click the use case.

    4. Follow the configuration steps and instructions in the installation wizard.

    Once finished, all of the required components are installed on your Google SecOps machine. To finalize the installation, configure the Initialization block in the playbook that corresponds to your use case.

    Chronicle Windows Threats Investigation & Response

    Use the power of Google SecOps to respond in real time to Windows threats in your environment. Using Threat Intelligence for Google SecOps, security teams can take advantage of a high-fidelity threat intelligence service together with Google SecOps. Real threats in your environment can now be automatically triaged and remediated in a short and effective time period.

    1. In Google SecOps, go to Response > Playbooks.

    2. Select the Google Chronicle - Windows Threats Investigation & Response playbook. The playbook opens in the playbook designer view.

    3. Double-click Set Initialization Block_1. The block configuration dialog opens.

    4. To configure the playbook, use the following parameters:

      | Input parameter | Possible values | Description |
      | --- | --- | --- |
      | edr_product | Crowdstrike, Carbon Black, None | The EDR product to use in the playbook. |
      | itsm_product | Service Now, Jira, ZenDesk, None | The ITSM product to use in the playbook. Jira requires additional configuration in the Open Ticket block. |
      | crowdstrike_use_spotlight | True or False | If True, the playbook executes Crowdstrike actions that require a Spotlight license (vulnerability information). |
      | use_mandiant | True or False | If True, the playbook executes the Mandiant block. |
      | slack_user | Username or email address | The username or email address of the Slack user. If none is provided, the playbook skips the Slack blocks. |
    5. Click Save. The block configuration dialog closes.

    6. In the playbook designer pane, click Save.

    To test the playbook in the use case, ingest the test case included in the package. Some test case capabilities can fail because the data used for testing are unavailable in your environment.

    Security Command Center and Chronicle Cloud DIR

    Integrate Security Command Center with Google SecOps SIEM to let your analysts investigate incidents and threats that Security Command Center detects.

    Configure the use case

    The use case requires you to configure the following integrations:

    The Google Security Command Center and Mandiant integrations are optional.

    Make sure that you have installed the use case before configuring it.

    1. In Google SecOps, go to the Playbooks tab.
    2. Select the SCC & Chronicle Cloud DIR playbook.
    3. Double-click the Initialization block to configure it.
    4. Configure the playbook using the following parameters:
      | Parameter name | Possible values | Description |
      | --- | --- | --- |
      | Mandiant_Enrichment | True or False | If True, the playbook uses Mandiant for additional enrichment. The Mandiant integration must be configured for this setup. You can remove the enrichment if you rarely get meaningful information; removing the enrichment block improves the execution speed of the playbook. |
      | SCC_Enrichment | True or False | If True, the playbook uses Security Command Center capabilities for additional enrichment. The Security Command Center integration must be configured for this setup. You can remove the enrichment if you rarely get meaningful information; removing the enrichment block improves the execution speed of the playbook. |
      | IAM_Enrichment | True or False | If True, the playbook uses IAM capabilities for additional enrichment. You can remove the enrichment if you rarely get meaningful information; removing the enrichment block improves the execution speed of the playbook. |
      | Compute_Enrichment | True or False | If True, the playbook uses Compute Engine capabilities for additional enrichment. You can remove the enrichment if you rarely get meaningful information; removing the enrichment block improves the execution speed of the playbook. |
