Integrate Web Risk with Google SecOps
This document explains how to integrate Web Risk with Google Security Operations (Google SecOps).
Integration version: 1.0
Integration parameters
The Web Risk integration requires the following parameters:
Parameter | Description |
---|---|
Workload Identity Email | Optional. The client email address of your service account. You can configure this parameter or the If you set this parameter, configure the To impersonate service accounts with the Workload Identity Federation, grant the |
Service Account JSON File Content | Optional. The content of a service account key JSON file. You can configure this parameter or the To configure this parameter, enter the full content of the service account key JSON file that you downloaded when you created a service account. |
Quota Project ID | Optional. The Google Cloud project ID that you use for Google Cloud APIs and billing. This parameter requires you to grant the If you don't set a value for this parameter, the integration retrieves the project ID from your Google Cloud service account. |
Project ID | Optional. The project ID to use in the integration. If you don't set a value for this parameter, the integration retrieves the project ID from your Google Cloud service account. |
Verify SSL | Required. If selected, the integration validates the SSL certificate when connecting to the Web Risk server. Selected by default. |
For instructions about how to configure an integration in Google SecOps, see Configure integrations.
You can make changes at a later stage, if needed. After you configure an integration instance, you can use it in playbooks. For more information about how to configure and support multiple instances, see Supporting multiple instances.
Actions
For more information about actions, see Respond to pending actions from Your Workdesk and Perform a manual action.
Enrich Entities
Use the Enrich Entities action to return information about Google SecOps entities from Web Risk.
This action runs on the Google SecOps URL entity.
Action inputs
None.
Action outputs
The Enrich Entities action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Entity enrichment table | Available |
JSON result | Available |
Output messages | Available |
Script result | Available |
Entity enrichment table
The Enrich Entities action can enrich the URL entity and provide the following enrichment results:
Enrichment field name | Source (JSON key) | Applicability |
---|---|---|
threatTypes | The CSV file of threat types. | When available in the JSON result. |
JSON result
The following example shows the JSON result output received when using the Enrich Entities action:
{
  "Entity": "Entity",
  "EntityResult": [
    {
      "expireTime": "2024-12-20T13:47:20.786242980Z",
      "threatTypes": [
        "SOCIAL_ENGINEERING_EXTENDED_COVERAGE"
      ]
    }
  ]
}
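The following is an added example, not part of the Google SecOps documentation or the integration's own code: a playbook-side helper that reads a JSON result of the shape shown above and treats a verdict as current only until its expireTime, which in Web Risk marks how long a match may be cached. The function names, the sample URL, and the handling of a missing or malformed expireTime are assumptions.

```python
import json
import re
from datetime import datetime, timezone

# RFC 3339 UTC timestamp; Web Risk returns up to nanosecond precision.
_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z$")

# Constructed sample in the shape of the JSON result above; the URL is invented.
SAMPLE = json.loads("""
{
  "Entity": "http://login.example.test/verify",
  "EntityResult": [
    {"expireTime": "2024-12-20T13:47:20.786242980Z",
     "threatTypes": ["SOCIAL_ENGINEERING_EXTENDED_COVERAGE"]}
  ]
}
""")

def parse_expire_time(value):
    """Parse expireTime, truncating nanoseconds to the microseconds datetime supports."""
    match = _TS.match(value)
    if not match:
        raise ValueError(f"unexpected expireTime format: {value!r}")
    base = datetime.strptime(match.group(1), "%Y-%m-%dT%H:%M:%S")
    micros = int((match.group(2) or "0")[:6].ljust(6, "0"))
    return base.replace(microsecond=micros, tzinfo=timezone.utc)

def triage(result, now):
    """Split one entity's threat types into still-valid and expired verdicts."""
    active, expired = set(), set()
    for verdict in result.get("EntityResult") or []:
        types = verdict.get("threatTypes") or []
        try:
            fresh = parse_expire_time(verdict["expireTime"]) > now
        except (KeyError, ValueError):
            # Assumption: a verdict without a usable expiry is not treated as current.
            fresh = False
        (active if fresh else expired).update(types)
    return {
        "entity": result.get("Entity"),
        "active": sorted(active),
        "expired": sorted(expired - active),
    }

if __name__ == "__main__":
    print(triage(SAMPLE, datetime.now(timezone.utc)))
```

A playbook can act on `active` and re-run Enrich Entities for anything that appears only under `expired`.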
Output messages
The Enrich Entities action can return the following output messages:
Output message | Message description |
---|---|
|
The action succeeded. |
Error executing action "Enrich Entities". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Enrich Entities action:
Script result name | Value |
---|---|
is_success | True or False |
Ping
Use the Ping action to test the connectivity to Web Risk.
This action doesn't run on Google SecOps entities.
Action inputs
None.
Action outputs
The Ping action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Available |
Script result | Available |
Output messages
The Ping action can return the following output messages:
Output message | Message description |
---|---|
Successfully connected to the Web Risk server with the provided connection parameters! | The action succeeded. |
Failed to connect to the Web Risk server! Error is ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Ping action:
Script result name | Value |
---|---|
is_success | True or False |
Submit Entities
Use the Submit Entities action to submit entities to Web Risk for analysis.
This action is asynchronous. Adjust the script timeout value in the Google SecOps integrated development environment (IDE) for the action, as needed.
This action runs on the Google SecOps URL entity.
Action inputs
The Submit Entities action requires the following parameters:
Parameter | Description |
---|---|
Abuse Type | Optional. The abuse type that associates with a submission. For more information about abuse types, see AbuseType. The possible values are as follows: The default value is |
Confidence Level | Optional. The confidence level for a submission. For more information about confidence levels, see Confidence and ConfidenceLevel. The possible values are as follows: The default value is |
Justification | Optional. The justification for a submission. For more information about justification options, see JustificationLabel. The possible values are as follows: The default value is |
Comment | Optional. A comment to justify the submission. |
Region Code | Optional. A comma-separated list of the Common Locale Data Repository (CLDR) codes for countries or regions that associate with the submission. For more information about submissions, see Submission. |
Platform | Optional. A platform type where the submission was detected. The possible values are as follows: The default value is |
Skip Waiting | Optional. If selected, the action initializes the submission and does not wait for it to finish. The default value is |