Integrate Web Risk with Google SecOps

This document explains how to integrate Web Risk with Google Security Operations (Google SecOps).

Integration version: 1.0

Integration parameters

The Web Risk integration requires the following parameters:

Parameter	Description
`Workload Identity Email`	Optional. The client email address of your service account. You can configure this parameter or the `Service Account JSON File Content` parameter. If you set this parameter, configure the `Quota Project ID` parameter. To impersonate service accounts with the Workload Identity Federation, grant the `Service Account Token Creator` role to your service account. For more details about workload identities and how to work with them, see Identities for workloads.
`Service Account JSON File Content`	Optional. The content of a service account key JSON file. You can configure this parameter or the `Workload Identity Email` parameter. To configure this parameter, enter the full content of the service account key JSON file that you downloaded when you created a service account.
`Quota Project ID`	Optional. The Google Cloud project ID that you use for Google Cloud APIs and billing. This parameter requires you to grant the `Service Usage Consumer` role to your service account. If you don't set a value for this parameter, the integration retrieves the project ID from your Google Cloud service account.
`Project ID`	Optional. The project ID to use in the integration. If you don't set a value for this parameter, the integration retrieves the project ID from your Google Cloud service account.
`Verify SSL`	Required. If selected, the integration validates the SSL certificate when connecting to the Web Risk server. Selected by default.

For instructions about how to configure an integration in Google SecOps, see Configure integrations.

You can make changes at a later stage, if needed. After you configure an integration instance, you can use it in playbooks. For more information about how to configure and support multiple instances, see Supporting multiple instances.

Actions

For more information about actions, see Respond to pending actions from Your Workdesk and Perform a manual action.

Enrich Entities

Use the Enrich Entities action to return information about Google SecOps entities from Web Risk.

This action runs on the Google SecOps URL entity.

Action inputs

None.

Action outputs

The Enrich Entities action provides the following outputs:

Action output type	Availability
Case wall attachment	Not available
Case wall link	Not available
Case wall table	Not available
Entity enrichment table	Available
JSON result	Available
Output messages	Available
Script result	Available

Entity enrichment table

The Enrich Entities action can enrich the URL entity and provide the following enrichment results:

Enrichment field name	Source (JSON key)	Applicability
`threatTypes`	The CSV file of threat types.	When available in the JSON result.

JSON result

The following example shows the JSON result output received when using the Enrich Entities action:

{
   "Entity": "Entity",
   "EntityResult": [
       {
           "expireTime": "2024-12-20T13:47:20.786242980Z",
           "threatTypes": [
               "SOCIAL_ENGINEERING_EXTENDED_COVERAGE"
           ]
       }
   ]
}

Output messages

The Enrich Entities action can return the following output messages:

Output message Message description

Output message	Message description
`Successfully enriched the following entities in Web Risk: ENTITY_ID.` `The action wasn't able to enrich the following entities in Web Risk: ENTITY_ID.` `No information was found for the provided entities.`	The action succeeded.
`Error executing action "Enrich Entities". Reason: ERROR_REASON`	The action failed. Check the connection to the server, input parameters, or credentials.

Successfully enriched the following entities in Web Risk: ENTITY_ID.

The action wasn't able to enrich the following entities in Web Risk: ENTITY_ID.

No information was found for the provided entities.

The action succeeded.

Error executing action "Enrich Entities". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Enrich Entities action:

Script result name	Value
`is_success`	`True` or `False`

Ping

Use the Ping action to test the connectivity to Web Risk.

This action doesn't run on Google SecOps entities.

Action inputs

None.

Action outputs

The Ping action provides the following outputs:

Action output type	Availability
Case wall attachment	Not available
Case wall link	Not available
Case wall table	Not available
Enrichment table	Not available
JSON result	Not available
Output messages	Available
Script result	Available

Output messages

The Ping action can return the following output messages:

Output message Message description

Successfully connected to the Web Risk server with the provided connection parameters! The action succeeded.

Output message	Message description
`Successfully connected to the Web Risk server with the provided connection parameters!`	The action succeeded.
`Failed to connect to the Web Risk server! Error is ERROR_REASON`	The action failed. Check the connection to the server, input parameters, or credentials.

Failed to connect to the Web Risk server! Error is ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Ping action:

Script result name	Value
`is_success`	`True` or `False`

Submit Entities

Use the Submit Entities action to submit entities to Web Risk for analysis.

This action is asynchronous. Adjust the script timeout value in the Google SecOps integrated development environment (IDE) for the action, as needed.

This action runs on the Google SecOps URL entity.

Action inputs

The Submit Entities action requires the following parameters:

Parameter	Description
`Abuse Type`	Optional. The abuse type that associates with a submission. For more information about abuse types, see AbuseType. The possible values are as follows: `Select One` `Malware` `Social Engineering` `Unwanted Software` The default value is `Select One`.
`Confidence Level`	Optional. The confidence level for a submission. For more information about confidence levels, see Confidence and ConfidenceLevel. The possible values are as follows: `Select One` `Low` `Medium` `High` The default value is `Select One`.
`Justification`	Optional. The justification for a submission. For more information about justification options, see JustificationLabel. The possible values are as follows: `Manual Verification` `User Report` `Automated Report` The default value is `User Report`.
`Comment`	Optional. A comment to justify the submission.
`Region Code`	Optional. A comma-separated list of the Common Locale Data Repository (CLDR) codes for countries or regions that associate with the submission. For more information about submissions, see Submission.
`Platform`	Optional. A platform type where the submission was detected. The possible values are as follows: `Select One` `Android` `iOS` `MacOS` `Windows` The default value is `Select One`.
`Skip Waiting`	Optional. If selected, action initializes the submission and does not wait for it to finish. The default value is `True`.

Need more help? Get answers from Community members and Google SecOps professionals.