Integrate Siemplify with Google SecOps

This document explains how to integrate Siemplify with Google Security Operations (Google SecOps).

Integration version: 90.0

Use cases

The Siemplify integration can address the following use cases:

• Phishing investigation: Use Google SecOps capabilities to automate the process of analyzing phishing emails, extracting indicators of compromise (IOCs), and enriching them with threat intelligence.

• Malware containment: Use Google SecOps capabilities to automatically isolate infected endpoints, initiate scans, and quarantine malicious files upon detection of malware.

• Vulnerability management: Use Google SecOps capabilities to orchestrate vulnerability scans, prioritize vulnerabilities based on risk, and automatically create tickets for remediation.

• Threat hunting: Use Google SecOps capabilities to automate running of threat hunting queries across various security tools and datasets.

• Security alert triage: Use Google SecOps capabilities to automatically enrich security alerts with contextual information, correlate them with other events, and prioritize them based on severity.

• Incident response: Use Google SecOps capabilities to orchestrate the entire incident response process, from initial detection to containment and eradication.

• Compliance reporting: Use Google SecOps capabilities to automate the collection and analysis of security data for compliance reporting.

Integration parameters

The Siemplify integration requires the following parameters:

For instructions about how to configure an integration in Google SecOps, see Configure integrations.

You can make changes at a later stage, if needed. After you configure an integration instance, you can use it in playbooks. For more information about how to configure and support multiple instances, see Supporting multiple instances.

Actions

For more information about actions, see Respond to pending actions from Your Workdesk and Perform a manual action.

Add Entity Insight

Use the Add Entity Insight action to add an insight to the targeted Google SecOps entity in Siemplify.

This action runs on all Google SecOps entities.

Action inputs

The Add Entity Insight action requires the following parameters:

Action outputs

The Add Entity Insight action provides the following outputs:

Output messages

The Add Entity Insight action can return the following output messages:

Script result

The following table lists the value for the script result output when using the Add Entity Insight action:

Add General Insight

Use the Add General Insight action to add a general insight to the case.

This action runs on all Google SecOps entities.

Action inputs

The Add General Insight action requires the following parameters:

Action outputs

The Add General Insight action provides the following outputs:

Output messages

The Add General Insight action can return the following output messages:

Script result

The following table lists the value for the script result output when using the Add General Insight action:

Add Tags To Similar Cases

Use the Add Tags To Similar Cases action to add tags to similar cases.

To find similar cases, the action uses the siemplify.get_similar_cases() function with the retrieved parameters that returns a list of case IDs.

This action doesn't run on Google SecOps entities.

Action inputs

The Add Tags To Similar Cases action requires the following parameters:

Action outputs

The Add Tags To Similar Cases action provides the following outputs:

Output messages

The Add Tags To Similar Cases action can return the following output messages:

Script result

The following table lists the value for the script result output when using the Add Tags To Similar Cases action:

Add to Custom List

Use the Add to Custom List action to add an entity identifier to a categorized custom list and perform future comparisons in other actions.

This action runs on all Google SecOps entities.

Action inputs

The Add to Custom List action requires the following parameters:

Action outputs

The Add to Custom List action provides the following outputs:

Output messages

The Add to Custom List action can return the following output messages:

Script result

The following table lists the value for the script result output when using the Add to Custom List action:

Assign Case

Use the Assign Case action to assign a case to a specific user or user group.

This action runs on all Google SecOps entities.

Action inputs

The Assign Case action requires the following parameters:

Action outputs

The Assign Case action provides the following outputs:

Output messages

The Add to Custom List action can return the following output messages:

Script result

The following table lists the value for the script result output when using the Assign Case action:

Attach Playbook to Alert

Use the Attach Playbook to Alert action to attach a specific playbook to an alert.

This action runs on all Google SecOps entities.

Action inputs

The Attach Playbook to Alert action requires the following parameters:

Action outputs

The Attach Playbook to Alert action provides the following outputs:

Output messages

The Search Graphs action can return the following output messages:

Script result

The following table lists the value for the script result output when using the Attach Playbook to Alert action:

Case Comment

Use the Case Comment action to add a comment to the case in which the current alert is grouped.

This action runs on all Google SecOps entities.

Action inputs

The Case Comment action requires the following parameters:

Action outputs

The Case Comment action provides the following outputs:

Output messages

The Add Vote To Entity action can return the following output messages:

Script result

The following table lists the value for the script result output when using the Case Comment action:

Case Tag

Use the Case Tag action to add a tag to the case which the current alert is grouped into.

This action runs on all Google SecOps entities.

Action inputs

The Case Tag action requires the following parameters:

Action outputs

The Case Tag action provides the following outputs:

Output messages

The Case Tag action can return the following output messages:

Script result

The following table lists the value for the script result output when using the Case Tag action:

Change Alert Priority

Use the Change Alert Priority action to update the priority of an alert in a case.

This action runs on all Google SecOps entities.

Action inputs

The Change Alert Priority action requires the following parameters:

Action outputs

The Change Alert Priority action provides the following outputs:

Output messages

The Add Vote To Entity action can return the following output messages:

Script result

The following table lists the value for the script result output when using the Change Alert Priority action:

Change Case Stage

Use the Change Case Stage action to change the case stage.

This action runs on all Google SecOps entities.

Action inputs

The Change Case Stage action requires the following parameters:

Action outputs

The Change Case Stage action provides the following outputs:

Output messages

The Add Vote To Entity action can return the following output messages:

Script result

The following table lists the value for the script result output when using the Change Case Stage action:

Change Priority

Use the Change Priority action to updates the priority of the investigated case.

This action runs on all Google SecOps entities.

Action inputs

The Change Priority action requires the following parameters:

Action outputs

The Change Priority action provides the following outputs:

Output messages

The Add Vote To Entity action can return the following output messages:

Script result

The following table lists the value for the script result output when using the Change Priority action:

Close Alert

Use the Close Alert action to close the alert.

This action runs on all Google SecOps entities.

Action inputs

The Close Alert action requires the following parameters:

Action outputs

The Close Alert action provides the following outputs:

Output messages

The Add Vote To Entity action can return the following output messages:

Script result

The following table lists the value for the script result output when using the Close Alert action:

Close Case

Use the Close Case action to close the case.

This action runs on all Google SecOps entities.

Action inputs

The Close Case action requires the following parameters:

Action outputs

The Close Case action provides the following outputs:

Output messages

The Add Vote To Entity action can return the following output messages:

Script result

The following table lists the value for the script result output when using the Close Case action:

Create Entity

Use the Create Entity action to create a new entity and add it to an alert.

This action runs on all Google SecOps entities.

Action inputs

The Create Entity action requires the following parameters:

Action outputs

The Create Entity action provides the following outputs:

Output messages

The Create Entity action can return the following output messages:

Script result

The following table lists the value for the script result output when using the Create Entity action:

Create Gemini Case Summary

Use the Create Gemini Case Summary action to create a new Gemini case summary and add it to an alert.

This action runs on all Google SecOps entities.

Action inputs

None.

Action outputs

The Create Gemini Case Summary action provides the following outputs:

JSON result

The following example shows the JSON result output received when using the Create Gemini Case Summary action:

{
  "summary": "On the Linux agent instance-1 (IP addresses 10.150.0.3 and 34.85.128.214), user vanshikavw_google_com initiated the process curl (SHA1 hash 3395856ce81f2b7382dee72602f798b642f14140) to create the malware file /home/vanshikavw_google_com/eicar_test_vanshikavw-test-new.\n*  VirusTotal identifies the SHA1 hash 3395856ce81f2b7382dee72602f798b642f14140 as a virus.eicar/test.\n*  CURL is associated with multiple actors, including APT27, APT34, APT41, APT44, APT9, FIN11, FIN13, FIN6, TEMP.Armageddon, Turla Team, UNC1151, UNC1860, UNC215, UNC2165, UNC2500, UNC251, UNC2595, UNC2633, UNC2900, UNC2975, UNC3569, UNC3661, UNC3944, UNC4483, UNC4936, UNC4962, UNC5007, UNC5051, UNC5055, UNC5156, UNC5221, UNC5266, UNC5330, UNC5371, UNC5470, UNC5859, and UNC961.\n*  CURL is known to use MITRE ATT&CK techniques such as T1113, T1095, T1036, T1553, T1222, T1055, T1140, T1070, T1027, T1622, T1057, T1010, T1083, T1518, T1082, T1016, T1059, T1496, and T1588.\n*  A GTI MALWARE search did not find any information about eicar_test_vanshikavw-test-new.\n*  A GTI IP_ADDRESS search did not find any information about 10.150.0.3 or 34.85.128.214.", 
  "next_steps": ["Isolate instance-1 to prevent any potential lateral movement or further compromise of the network, as the curl process is associated with multiple threat actors.", 
  "Investigate the user account vanshikavw_google_com to determine if the user's credentials have been compromised or if the user initiated the curl process intentionally, as the curl process is associated with multiple threat actors.", 
  "Analyze the network traffic to and from the IP addresses 10.150.0.3 and 34.85.128.214 for any suspicious communication patterns, as the curl process is associated with multiple threat actors.", 
  "Examine the process execution logs on instance-1 for any other unusual or unauthorized activities, as the curl process is associated with multiple threat actors.", 
  "Review the configuration of the Linux agent on instance-1 to ensure that it is properly secured and that no unauthorized modifications have been made, as the curl process is associated with multiple threat actors."], 
  "reasons": ["The case involves a Linux agent instance-1 (IP addresses 10.150.0.3 and 34.85.128.214) where user vanshikavw_google_com initiated the process curl to create the file /home/vanshikavw_google_com/eicar_test_vanshikavw-test-new.", 
  "The SHA1 hash 3395856ce81f2b7382dee72602f798b642f14140 of the curl process is identified by VirusTotal as virus.eicar/test, indicating it is a known test virus.", 
  "The process CURL is associated with multiple threat actors, including APT27, APT34, APT41, APT44, APT9, FIN11, FIN13, FIN6, TEMP.Armageddon, Turla Team, UNC1151, UNC1860, UNC215, UNC2165, UNC2500, UNC251, UNC2595, UNC2633, UNC2900, UNC2975, UNC3569, UNC3661, UNC3944, UNC4483, UNC4936, UNC4962, UNC5007, UNC5051, UNC5055, UNC5156, UNC5221, UNC5266, UNC5330, UNC5371, UNC5470, UNC5859, and UNC961, suggesting a potential link to malicious activity.", 
  "CURL is known to use various MITRE ATT&CK techniques such as T1113, T1095, T1036, T1553, T1222, T1055, T1140, T1070, T1027, T1622, T1057, T1010, T1083, T1518, T1082, T1016, T1059, T1496, and T1588, indicating a wide range of potential malicious behaviors.", 
  "The file eicar_test_vanshikavw-test-new was not found in GTI MALWARE searches, and the IP addresses 10.150.0.3 and 34.85.128.214 were not found in GTI IP_ADDRESS searches."]}

Output messages

The Create Gemini Case Summary action can return the following output messages:

Script result

The following table lists the value for the script result output when using the Create Gemini Case Summary action:

Create Or Update Entity Properties

Use the Create Or Update Entity Properties action to create or change properties for entities in the entity scope.

This action runs on all Google SecOps entities.

Action inputs

The Create Or Update Entity Properties action requires the following parameters:

Action outputs

The Create Or Update Entity Properties action provides the following outputs:

Output messages

The Add Vote To Entity action can return the following output messages:

Script result

The following table lists the value for the script result output when using the Create Or Update Entity Properties action:

Get Case Details

Use the Get Case Details action to get all the data from a case (this includes comments, entity information, insights, playbooks that ran, alert information, and events).

TThis action doesn't run on Google SecOps entities.

Action inputs

The Get Case Details action requires the following parameters:

Action outputs

The Get Case Details action provides the following outputs:

JSON result

The following example shows the JSON result output received when using the Get Case Details action:

{
"id": 24879,
"creationTimeUnixTimeInMs": 1750862500562,
"modificationTimeUnixTimeInMs": 1750862500562,
"name": "Malware",
"priority": -1,
"isImportant": false,
"isIncident": false,
"startTimeUnixTimeInMs": 1727243021999,
"endTimeUnixTimeInMs": 1727243022479,
"assignedUser": "@Tier1",
"description": null,
"isTestCase": true,
"type": 1,
"stage": "Triage",
"environment": "Default Environment",
"status": 1,
"incidentId": null,
"tags": ["hi", "Simulated Case"],
"alertCards": [{
  "id": 172354,
  "creationTimeUnixTimeInMs": 1750862500651,
  "modificationTimeUnixTimeInMs": 1750862500651,
  "identifier": "EICAR_TEST_VANSHIKAVW-TEST-NEW0CC43705-04A7-43FD-88CD-B3E7FECA881D",
  "status": 0,
  "name": "EICAR_TEST_VANSHIKAVW-TEST-NEW",
  "priority": -1,
  "workflowsStatus": 1,
  "slaExpirationUnixTime": null,
  "slaCriticalExpirationUnixTime": null,
  "startTime": 1727243021999,
  "endTime": 1727243022479,
  "alertGroupIdentifier": "MalwareSFBrxjAXvKJsJyKe5iQalf00zrv/QwX966dRoEyP2eA=_8cc160b5-7039-421c-926c-1a98073f11d2",
  "eventsCount": 3,
  "title": "EICAR_TEST_VANSHIKAVW-TEST-NEW",
  "ruleGenerator": "Malware",
  "deviceProduct": "SentinelOneV2",
  "deviceVendor": "SentinelOneV2",
  "playbookAttached": "Testing",
  "playbookRunCount": 1,
  "isManualAlert": false,
  "sla": {
    "slaExpirationTime": null,
    "criticalExpirationTime": null,
    "expirationStatus": 2,
    "remainingTimeSinceLastPause": null
    },
  "fieldsGroups": [],
  "sourceUrl": null,
  "sourceRuleUrl": null,
  "siemAlertId": null,
  "relatedCases": [],
  "lastSourceUpdateUnixTimeInMs": null,
  "caseId": 24879,
  "nestingDepth": 0
  }],
"isOverflowCase": false,
"isManualCase": false,
"slaExpirationUnixTime": null,
"slaCriticalExpirationUnixTime": null,
"stageSlaExpirationUnixTimeInMs": null,
"stageSlaCriticalExpirationUnixTimeInMs": null,
"canOpenIncident": false,
"sla": {
  "slaExpirationTime": null,
  "criticalExpirationTime": null,
  "expirationStatus": 2,
  "remainingTimeSinceLastPause": null
  },
"stageSla": {
  "slaExpirationTime": null,
  "criticalExpirationTime": null,
  "expirationStatus": 2,
  "remainingTimeSinceLastPause": null},
  "relatedAlertTicketId": null,
  "relatedAlertCards": []
  }

Output messages

The Get Case Details action can return the following output messages:

Script result

The following table lists the value for the script result output when using the Get Case Details action:

Get Connector Context Value

Use the Get Connector Context Value action to get a value that is stored under a specified key in the Google SecOps database for a connector context.

This action doesn't run on Google SecOps entities.

Action inputs

The Get Connector Context Value action requires the following parameters:

Action outputs

The Get Connector Context Value action provides the following outputs:

Case Wall table

The Get Connector Context Value action can generate the following table:

Table name: Connector

Table columns:

• Connector identifier
• Key
• Value

Output messages

The Get Connector Context Value action can return the following output messages:

Script result

The following table lists the value for the script result output when using the Get Connector Context Value action:

Get Scope Context Value

Use the Get Scope Context Value action to get a value that is stored under a specified key in the Google SecOps database.

This action can work with the following scopes: alert, case, and global.

This action doesn't run on Google SecOps entities.

Action inputs

The Get Scope Context Value action requires the following parameters:

Action outputs

The Get Scope Context Value action provides the following outputs:

Case Wall table

The Get Scope Context Value action can generate the following table:

Table name: SCOPE

Table columns:

• Key
• Value

Output messages

The Get Scope Context Value action can return the following output messages:

Script result

The following table lists the value for the script result output when using the Get Scope Context Value action:

Get Similar Cases

Use the Get Similar Cases action to search for similar cases and return their IDs.

This action runs on all Google SecOps entities.

Action inputs

The Get Similar Cases action requires the following parameters:

The Get Similar Cases action applies the logical AND operator to the Rule Generator, Port, Category Outcome, Entity Identifier, Include Open Cases, and Include Closed Cases parameters to use them in the same search.

Action outputs

The Get Similar Cases action provides the following outputs:

JSON result

The following example shows the JSON result output received when using the Get Similar Cases action:

{
  "results": [{
    "id": 23874, 
    "name": "Malware", 
    "tags": ["hi", "Simulated Case"], 
    "start time": "2024-09-25 05:43:41.999000+00:00", 
    "start time unix": 1727243021999, 
    "last modified": "2025-06-19 13:24:01.062000+00:00", 
    "priority": "Informative", 
    "assigned user": "@Tier1", 
    "matching_criteria": {
        "ruleGenerator": true, 
        "port": true, 
        "outcome": true, 
        "entities": true
      }, 
    "matched_entities": [
      {"entity": "INSTANCE-1", "type": "HOSTNAME", "isSuspicious": false}, 
      {"entity": "10.150.0.3", "type": "ADDRESS", "isSuspicious": false}, {"entity": "172.17.0.1", "type": "ADDRESS", "isSuspicious": false}, {"entity": "VANSHIKAVW_GOOGLE_COM", "type": "USERUNIQNAME", "isSuspicious": false}, 
      {"entity": "CURL", "type": "PROCESS", "isSuspicious": false}, {"entity": "EICAR_TEST_VANSHIKAVW-TEST-NEW", "type": "FILENAME", "isSuspicious": false}, 
      {"entity": "3395856CE81F2B7382DEE72602F798B642F14140", "type": "FILEHASH", "isSuspicious": false}, 
      {"entity": "34.85.128.214", "type": "ADDRESS", "isSuspicious": false}, 
      {"entity": "/HOME/VANSHIKAVW_GOOGLE_COM/EICAR_TEST_VANSHIKAVW-TEST-NEW", "type": "FILENAME", "isSuspicious": false}
      ], 
      "status": "Open"}], 
      "stats": 
      {"Malicious": 0.0, "Is Important": 0.0, "Is Incident": 0.0, "Status Open": 100.0}, 
      "platform_url": "https://soarapitest.backstory.chronicle.security/"
}

Output messages

The Get Similar Cases action can return the following output messages:

Script result

The following table lists the value for the script result output when using the Get Similar Cases action:

Instruction

Use the Instruction action to set instructions for an analyst.

This action runs on all Google SecOps entities.

Action inputs

The Instruction action requires the following parameters:

Action outputs

The Instruction action provides the following outputs:

Output messages

The Add Vote To Entity action can return the following output messages:

Script result

The following table lists the value for the script result output when using the Instruction action:

Is In Custom List

Use the Is In Custom List action to check whether the entity identifier is part of a specified custom list.

This action runs on all Google SecOps entities.

Action inputs

The Is In Custom List action requires the following parameters:

Action outputs

The Is In Custom List action provides the following outputs:

Output messages

The Is In Custom List action can return the following output messages:

Script result

The following table lists the value for the script result output when using the Is In Custom List action:

Mark As Important

Use the Mark As Important action to mark a case as important.

This action runs on all Google SecOps entities.

Action inputs

None.

Action outputs

The Mark As Important action provides the following outputs:

Output messages

The Mark As Important action can return the following output messages:

Script result

The following table lists the value for the script result output when using the Mark As Important action:

Open Web Url

Use the Open Web Url action to generate a browser link.

This action runs on all Google SecOps entities.

Action inputs

The Open Web Url action requires the following parameters:

Action outputs

The Open Web Url action provides the following outputs:

Output messages

The Open Web Url action can return the following output messages:

Script result

The following table lists the value for the script result output when using the Open Web Url action:

Pause Alert SLA

Use the Pause Alert SLA action to pause the Service Level Agreement (SLA) timer for a specific alert in the case.

This action doesn't run on Google SecOps entities.

Action inputs

The Pause Alert SLA action requires the following parameters:

Action outputs

The Pause Alert SLA action provides the following outputs:

Output messages

The Pause Alert SLA action can return the following output messages:

Script result

The following table lists the value for the script result output when using the Pause Alert SLA action:

Permitted Alert Time

Use the Permitted Alert Time action to check if the start time of a selected alert complies with a user-defined time conditions.

This action runs on all Google SecOps entities.

Action inputs

The Permitted Alert Time action requires the following parameters:

Action outputs

The Permitted Alert Time action provides the following outputs:

Output messages

The Permitted Alert Time action can return the following output messages:

Script result

The following table lists the value for the script result output when using the Permitted Alert Time action:

Ping

Use the Ping action to test the connectivity.

This action runs on all Google SecOps entities.

Action inputs

None.

Action outputs

The Ping action provides the following outputs:

Output messages

The Ping action can return the following output messages:

Script result

The following table lists the value for the script result output when using the Ping action:

Raise Incident

Use the Raise Incident action to raise a case incident and mark the true positive cases as Critical.

This action runs on all Google SecOps entities.

Action inputs

The Raise Incident action requires the following parameters:

Action outputs

The Raise Incident action provides the following outputs:

Output messages

The Search ASM Issues action can return the following output messages:

Script result

The following table lists the value for the script result output when using the Raise Incident action:

Remove Tag

Use the Remove Tag action to remove tags from a case.

This action runs on all Google SecOps entities.

Action inputs

The Remove Tag action requires the following parameters:

Action outputs

The Remove Tag action provides the following outputs:

Output messages

The Remove Tag action can return the following output messages:

Script result

The following table lists the value for the script result output when using the Remove Tag action:

Remove From Custom List

Use the Remove From Custom List action to remove entities that are associated with an alert from a specified custom list category.

This action runs on all Google SecOps entities.

Action inputs

The Remove From Custom List action requires the following parameters:

Action outputs

The Remove From Custom List action provides the following outputs:

Output messages

The Remove From Custom List action can return the following output messages:

Script result

The following table lists the value for the script result output when using the Remove From Custom List action:

Resume Alert SLA

Use the Resume Alert SLA action to restart the Service Level Agreement (SLA) timer for a specific alert in the case.

This action doesn't run on Google SecOps entities.

Action inputs

None.

Action outputs

The Resume Alert SLA action provides the following outputs:

Output messages

The Resume Alert SLA action can return the following output messages:

Script result

The following table lists the value for the script result output when using the Resume Alert SLA action:

Set Alert SLA

Use the Set Alert SLA action to set the SLA timer for an alert.

This action has the highest priority and overrides the existing SLA defined for the specific alert.

This action doesn't run on Google SecOps entities.

Action inputs

The Set Alert SLA action requires the following parameters:

Action outputs

The Set Alert SLA action provides the following outputs:

Output messages

The Set Alert SLA action can return the following output messages:

Script result

The following table lists the value for the script result output when using the Set Alert SLA action:

Set Case SLA

Use the Set Case SLA action to set the SLA for a case.

This action has the highest priority and overrides the existing SLA defined for the specific case.

This action doesn't run on Google SecOps entities.

Action inputs

The Set Case SLA action requires the following parameters:

Action outputs

The Set Case SLA action provides the following outputs:

Output messages

The Search ASM Issues action can return the following output messages:

Script result

The following table lists the value for the script result output when using the Set Case SLA action:

Set Custom Fields

Use the Set Custom Fields action to set values for custom fields.

This action doesn't run on Google SecOps entities.

Action inputs

The Set Custom Fields action requires the following parameters:

    {
      "Custom Field Name 1": "Custom Field Value 1",
      "Custom Field Name 2": "Custom Field Value 2"
    }
    

Action outputs

The Set Custom Fields action provides the following outputs:

JSON result

The following example shows the JSON result output received when using the Set Custom Fields action:

{
"Custom Field Name": "Updated Custom Field Value",
"Custom Field Name": "Updated Custom Field Value",
}

Output messages

The Set Custom Fields action can return the following output messages:

Script result

The following table lists the value for the script result output when using the Set Custom Fields action:

Set Risk Score

Use the Set Risk Score action to update the risk score of a case.

This action doesn't run on Google SecOps entities.

Action inputs

The Set Risk Score action requires the following parameters:

Action outputs

The Set Risk Score action provides the following outputs:

Output messages

The Set Risk Score action can return the following output messages:

Script result

The following table lists the value for the script result output when using the Set Risk Score action:

Set Scope Context Value

Use the Set Scope Context Value action to set a value for a key that is stored in the Google SecOps database.

This action doesn't run on Google SecOps entities.

Action inputs

The Set Scope Context Value action requires the following parameters:

Action outputs

The Get Scope Context Value action provides the following outputs:

Output messages

The Set Scope Context Value action can return the following output messages:

Script result

The following table lists the value for the script result output when using the Set Scope Context Value action:

Update Case Description

Use the Update Case Description action to update a case description.

This action doesn't run on Google SecOps entities.

Action inputs

The Update Case Description action requires the following parameters:

Action outputs

The Update Case Description action provides the following outputs:

Output messages

The Update Case Description action can return the following output messages:

Script result

The following table lists the value for the script result output when using the Update Case Description action:

Wait For Custom Fields

Use the Wait For Custom Fields action to wait for custom fields values to continue playbook execution.

This action doesn't run on Google SecOps entities.

Action inputs

The Wait For Custom Fields action requires the following parameters:

    {
      "Custom Field": ""
    }
    

    {
      "Custom Field": "VALUE_1"
    }
    

    {
      "Custom Field Name 1": "Custom Field Value 1",
      "Custom Field Name 2": "Custom Field Value 2"
    }
    

Action outputs

The Wait For Custom Fields action provides the following outputs:

JSON result

The following example shows the JSON result output received when using the Wait For Custom Fields action:

{
"Custom Field Name": "Updated Custom Field Value",
"Custom Field Name": "Updated Custom Field Value",
}

Output messages

The Wait For Custom Fields action can return the following output messages:

Script result

The following table lists the value for the script result output when using the Wait For Custom Fields action:

Jobs

The Siemplify integration lets you use the following jobs:

• Siemplify - Actions Monitor
• Siemplify - Cases Collector DB
• Siemplify - Logs Collector

Siemplify - Actions Monitor

Use the Siemplify - Actions Monitor job to get notifications for all actions that have failed individually at least three times in the past three hours.

Job inputs

The Siemplify - Actions Monitor job requires the following parameters:

Siemplify - Cases Collector DB

Use the Siemplify - Cases Collector DB job to retrieve and process security cases from a designated publisher.

Job inputs

The Siemplify - Cases Collector DB job requires the following parameters:

Siemplify - Logs Collector

Use the Siemplify - Logs Collector job to retrieve and process logs from a specified publisher.

Job inputs

The Siemplify - Logs Collector job requires the following parameters:

Need more help? Get answers from Community members and Google SecOps professionals.