Integrate Web Risk with Google SecOps

This document explains how to integrate Web Risk with Google Security Operations (Google SecOps).

Integration version: 1.0

Integration parameters

The Web Risk integration requires the following parameters:

Parameter Description
Workload Identity Email

Optional.

The client email address of your service account.

You can configure this parameter or the Service Account JSON File Content parameter.

If you set this parameter, configure the Quota Project ID parameter.

To impersonate service accounts with the Workload Identity Federation, grant the Service Account Token Creator role to your service account. For more details about workload identities and how to work with them, see Identities for workloads.

Service Account JSON File Content

Optional.

The content of a service account key JSON file.

You can configure this parameter or the Workload Identity Email parameter.

To configure this parameter, enter the full content of the service account key JSON file that you downloaded when you created a service account.

Quota Project ID

Optional.

The Google Cloud project ID that you use for Google Cloud APIs and billing. This parameter requires you to grant the Service Usage Consumer role to your service account.

If you don't set a value for this parameter, the integration retrieves the project ID from your Google Cloud service account.

Project ID

Optional.

The project ID to use in the integration.

If you don't set a value for this parameter, the integration retrieves the project ID from your Google Cloud service account.

Verify SSL

Required.

If selected, the integration validates the SSL certificate when connecting to the Web Risk server.

Selected by default.

For instructions about how to configure an integration in Google SecOps, see Configure integrations.

You can make changes at a later stage, if needed. After you configure an integration instance, you can use it in playbooks. For more information about how to configure and support multiple instances, see Supporting multiple instances.

Actions

For more information about actions, see Respond to pending actions from Your Workdesk and Perform a manual action.

Enrich Entities

Use the Enrich Entities action to return information about Google SecOps entities from Web Risk.

This action runs on the Google SecOps URL entity.

Action inputs

None.

Action outputs

The Enrich Entities action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Entity enrichment table Available
JSON result Available
Output messages Available
Script result Available

Entity enrichment table

The Enrich Entities action can enrich the URL entity and provide the following enrichment results:

Enrichment field name Source (JSON key) Applicability
threatTypes The CSV file of threat types. When available in the JSON result.
JSON result

The following example shows the JSON result output received when using the Enrich Entities action:

{
   "Entity": "Entity",
   "EntityResult": [
       {
           "expireTime": "2024-12-20T13:47:20.786242980Z",
           "threatTypes": [
               "SOCIAL_ENGINEERING_EXTENDED_COVERAGE"
           ]
       }
   ]
}
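
To act on this result in a playbook, a small verdict helper is useful. The following Python is an added example, not code from the Web Risk integration or from Google SecOps; the sample result is constructed in the shape shown above, and the current time is passed in as a string so the expiry check is deterministic.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the shape the Enrich Entities action returns.
SAMPLE_RESULT = {
    "Entity": "http://phish.example.invalid/login",
    "EntityResult": [{
        "expireTime": "2024-12-20T13:47:20.786242980Z",
        "threatTypes": ["SOCIAL_ENGINEERING_EXTENDED_COVERAGE"],
    }],
}

_RFC3339_UTC = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z$")


def parse_utc(value: str) -> datetime:
    """Parse a UTC RFC 3339 timestamp such as expireTime. Web Risk emits a
    nanosecond fraction; datetime keeps microseconds, so it is truncated."""
    m = _RFC3339_UTC.match(value)
    if not m:
        raise ValueError(f"unexpected timestamp format: {value!r}")
    frac = (m.group(2) or "0")[:6].ljust(6, "0")
    parsed = datetime.strptime(f"{m.group(1)}.{frac}", "%Y-%m-%dT%H:%M:%S.%f")
    return parsed.replace(tzinfo=timezone.utc)


def summarize(result: dict, now_utc: str) -> dict:
    """Collapse EntityResult into one verdict for the URL entity: the CSV
    threatTypes value the enrichment table describes, whether any threat type
    is present, and whether expireTime has passed (re-query, don't trust)."""
    threat_types = set()
    expired = False
    now = parse_utc(now_utc)
    for item in result.get("EntityResult", []):
        threat_types.update(item.get("threatTypes", []))
        expire_time = item.get("expireTime")
        if expire_time and parse_utc(expire_time) <= now:
            expired = True
    return {
        "entity": result.get("Entity"),
        "threatTypes": ",".join(sorted(threat_types)),
        "flagged": bool(threat_types),
        "expired": expired,
    }


if __name__ == "__main__":
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    print(summarize(SAMPLE_RESULT, now))
```

An empty EntityResult (the "No information was found" case) yields an empty threatTypes string and flagged False, so the playbook can branch on it without a separate check.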

Output messages

The Enrich Entities action can return the following output messages:

Output message Message description

Successfully enriched the following entities in Web Risk: ENTITY_ID.

The action wasn't able to enrich the following entities in Web Risk: ENTITY_ID.

No information was found for the provided entities.

The action succeeded.

Error executing action "Enrich Entities". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Enrich Entities action:

Script result name Value
is_success True or False

Ping

Use the Ping action to test the connectivity to Web Risk.

This action doesn't run on Google SecOps entities.

Action inputs

None.

Action outputs

The Ping action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available

Output messages

The Ping action can return the following output messages:

Output message Message description

Successfully connected to the Web Risk server with the provided connection parameters!

The action succeeded.

Failed to connect to the Web Risk server! Error is ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Ping action:

Script result name Value
is_success True or False

Submit Entities

Use the Submit Entities action to submit entities to Web Risk for analysis.

This action is asynchronous. Adjust the script timeout value in the Google SecOps integrated development environment (IDE) for the action, as needed.

This action runs on the Google SecOps URL entity.

Action inputs

The Submit Entities action requires the following parameters:

Parameter Description
Abuse Type

Optional.

The abuse type associated with a submission.

For more information about abuse types, see AbuseType.

The possible values are as follows:

  • Select One
  • Malware
  • Social Engineering
  • Unwanted Software

The default value is Select One.

Confidence Level

Optional.

The confidence level for a submission.

For more information about confidence levels, see Confidence and ConfidenceLevel.

The possible values are as follows:

  • Select One
  • Low
  • Medium
  • High

The default value is Select One.

Justification

Optional.

The justification for a submission.

For more information about justification options, see JustificationLabel.

The possible values are as follows:

  • Manual Verification
  • User Report
  • Automated Report

The default value is User Report.

Comment

Optional.

A comment to justify the submission.

Region Code

Optional.

A comma-separated list of the Common Locale Data Repository (CLDR) codes for the countries or regions associated with the submission. For more information about submissions, see Submission.

Platform

Optional.

A platform type where the submission was detected.

The possible values are as follows:

  • Select One
  • Android
  • iOS
  • MacOS
  • Windows

The default value is Select One.

Skip Waiting

Optional.

If selected, the action initializes the submission and doesn't wait for it to finish.

The default value is True.
