This document explains how to create custom integrations inside the Integrated Development
Environment (IDE) using the same structure as commercial integrations. You can find and configure custom integrations in the Google Security Operations Marketplace for various environments. You can then use them in playbooks, manual actions, and remote agents. Import and export capability
is also supported, similar to other IDE items.
Create a custom integration in the IDE
You can build a custom integration for the Armis product and
create a manager along with a Ping action. Knowledge of Python and
object-oriented programming is assumed for this procedure.
Use case: Build a custom Armis integration
To create the custom integration in the IDE, follow these steps:
In the main menu, go to Response > IDE.
Click addCreate New Item and select Integration.
Enter a name and click Create.
The integration is now listed with the
settings Settings option, indicating it's a custom integration.
Click
settings
Settings to display the integration settings where you can define
the icon, description, Python dependencies, and integration parameters.
Create a custom manager
Managers are wrappers for third-party tool APIs. Although not mandatory,
we recommend them for integrations that interact with external tools. Managers
shouldn't import from the SDK. After creation, import them into connectors,
actions, and jobs.
To create a custom manager, follow these steps:
In the IDE, click addCreate New Item
and select Manager.
Select the Armis integration and enter a manager's name.
Parameters, Google SecOps Marketplace configuration, and the Ping action
Parameters defined in the integration settings appear in the Google SecOps Marketplace configuration. The parameters include:
API Root: The base URL for the service you're connecting to.
API Secret: A confidential key used to authenticate your application with the service.
Verify SSL checkbox: If enabled, verifies that the SSL certificate for the connection to the Armis server is valid.
Run Remotely checkbox: A setting that determines whether the code or task will be executed on a remote server instead of locally. When this option is enabled, the system sends the necessary instructions and data to a dedicated server for processing.
To update the parameters, follow these steps:
Enter the correct credentials.
Click Save>Test.
If the Ping action is missing, the Test button fails and displays a red X.
Implement a Ping action
The logic of the Ping action acts like a successful
authentication.
To implement a Ping action, do the following:
In the IDE, create a new Action in the Armis integration named
Ping.
Use the ArmisManagerauth method to verify authentication.
Enable the integration
To enable the integration, follow these steps:
In Response > IDE, click the Enable/Disable toggle to the ON position.
Click Save. A green toggle confirms success. Credentials from the Marketplace are passed to ArmisManager. If auth completes without errors, the Test button shows a green checkmark.
Use the extract_configuration_param method to import parameters from the integration configuration. Alternatively, use extract_action_param to define parameters within the action itself. However, the Ping action should always use configuration parameters, as those are tested by the Marketplace.
View custom integrations
Go to the Google SecOps Marketplace and search for the custom
integration you created.
If you didn't create an image during the initial configuration, the
default custom image will be assigned to it. Note that
Google SecOps Marketplace updates
don't override or delete any custom integrations.
Export and import in the IDE
Do one of the following actions:
To import integrations, do the following:
Upload a ZIP file with the correct folder structure; the
integration appears in the IDE and Google SecOps Marketplace.
Click Import. The integration appears in both the IDE and the Marketplace.
The system generates a ZIP file containing the definition, scripts, and configuration. The Managers folder is not included automatically.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eGoogle Security Operations allows users to build custom integrations within the IDE, which function similarly to commercial integrations and are visible in the Google SecOps Marketplace.\u003c/p\u003e\n"],["\u003cp\u003eCustom integrations can be configured for various environments and utilized in playbooks, manual actions, and remote agents, and they support the addition of Python dependencies as wheel files, tarballs, or Python files.\u003c/p\u003e\n"],["\u003cp\u003eManagers, while optional, serve as API wrappers for third-party tools, encapsulating API logic and can be imported into connectors, actions, and jobs.\u003c/p\u003e\n"],["\u003cp\u003eIntegration parameters defined in the settings appear in the Google SecOps Marketplace configuration, and a Ping action, which is a mandatory part of the integration, is necessary to test the connectivity to the system it is meant to interface with.\u003c/p\u003e\n"],["\u003cp\u003eCustom integrations can be exported as ZIP files for backup or sharing, and imported into other environments, with the exception of managers which need to be exported manually.\u003c/p\u003e\n"]]],[],null,["# Build a custom integration\n==========================\n\nSupported in: \nGoogle secops [SOAR](/chronicle/docs/secops/google-secops-soar-toc) \nThis document explains how to create custom integrations inside the Integrated Development\nEnvironment (IDE) using the same structure as commercial integrations. You can find and configure custom integrations in the Google Security Operations Marketplace for various environments. You can then use them in playbooks, manual actions, and remote agents. Import and export capability\nis also supported, similar to other IDE items.\n\nCreate a custom integration in the IDE\n--------------------------------------\n\nYou can build a custom integration for the Armis product and\ncreate a manager along with a **Ping** action. Knowledge of Python and\nobject-oriented programming is assumed for this procedure.\n\n### Use case: Build a custom Armis integration\n\nTo create the custom integration in the IDE, follow these steps:\n\n1. In the main menu, go to **Response \\\u003e IDE**.\n2. Click add**Create New Item** and select **Integration**.\n3. Enter a name and click **Create**.\n\nThe integration is now listed with the settings **Settings** option, indicating it's a custom integration.\n\n\nClick settings **Settings** to display the integration settings where you can define\nthe icon, description, Python dependencies, and integration parameters.\n| **Note:** Script dependencies are Python libraries the custom integration needs to import. Dependencies can be added as \\`.WHL\\`, \\`.TAR\\`, \\`.GZ\\`, or \\`.PY\\` files. Each integration runs in its own virtual environment, allowing you to use different library versions even if one is already installed on the system. For example, to use a different version of the requests library, download it from a trusted source such as PyPI or GitHub and add it as a script dependency. If not installed in the virtual environment, the integration falls back to the system version.\n\n### Create a custom manager\n\nManagers are wrappers for third-party tool APIs. Although not mandatory,\nwe recommend them for integrations that interact with external tools. Managers\nshouldn't import from the SDK. After creation, import them into connectors,\nactions, and jobs.\n\nTo create a custom manager, follow these steps:\n\n1. In the IDE, click add**Create New Item** and select **Manager**.\n2. Select the **Armis** integration and enter a manager's name. \n3. Edit and run the following script:\n\n```python\nimport requests\n\n\nclass ArmisManager:\n def init(self, api_root, api_token):\n self.api_root = api_root\n self.api_token - api_token\n self.session = requests.session()\n self.session.headers = {\"Accept\": \"application/json\"}\n\n\n def auth(self):\n endpoint = \"{}/api/vi/access_token/*\"\n params = {\"secret_key\" : self.api_token}\n response = self.session.post(endpoint.format(self.api_root), params=params)\n self.validate_response(response)\n access_token = response.json()[\"data\"][\"access_token\"]\n self.session.headers.update({\"Authorization\": access_token})\n return True\n\n\n def get_device_by_ip(self, device_ip):\n endpoint = \"{}/api/vi/devices/\"\n params = {\"ip\": device_ip}\n response = self.session.get(endpoint.format(self.api_root), params=params)\n self.validate_response(response)\n return response.json()[\"data\"][\"data\"]\n\n\n @staticmethod\n def validate_response(res, error_msg=\"An error occurred\"):\n \"\"\"Validate a response\n\n\n :param res: (requests. Response) The response to validate\n :param error_msg: (str) The error message to display\n \"\"\"\n try:\n res.raise_for_status()\n except requests.HTTPError as error:\n raise Exception(\"(error_msg): (error) (text)\".format(\n error_msg=error_msg,\n error=error,\n text=error.response.content\n ))\n```\n| **Note:** A manager is not required for basic actions. However, we recommend to create one when grouping small actions for data parsing and transformation.\n\nParameters, Google SecOps Marketplace configuration, and the Ping action\n------------------------------------------------------------------------\n\n\nParameters defined in the integration settings appear in the Google SecOps Marketplace configuration. The parameters include:\n\n- **API Root**: The base URL for the service you're connecting to.\n- **API Secret**: A confidential key used to authenticate your application with the service.\n- **Verify SSL** checkbox: If enabled, verifies that the SSL certificate for the connection to the Armis server is valid.\n- **Run Remotely** checkbox: A setting that determines whether the code or task will be executed on a remote server instead of locally. When this option is enabled, the system sends the necessary instructions and data to a dedicated server for processing.\n\n\nTo update the parameters, follow these steps:\n\n1. Enter the correct credentials.\n2. Click **Save** \\\u003e **Test**.\n\n| **Note:** Always click **Save** after updating credentials. All third-party integrations must implement a **Ping** action. The **Test** button runs this action to validate connectivity.\n\n\nIf the **Ping** action is missing, the **Test** button fails and displays a red **X**.\n\n### Implement a Ping action\n\n\nThe logic of the **Ping** action acts like a successful\nauthentication.\n\nTo implement a **Ping** action, do the following:\n\n1. In the IDE, create a new **Action** in the Armis integration named `Ping`.\n2. Use the `ArmisManager` `auth` method to verify authentication.\n\n### Enable the integration\n\n\nTo enable the integration, follow these steps:\n\n1. In **Response \\\u003e IDE** , click the **Enable/Disable** toggle to the **ON** position.\n2. Click **Save** . A green toggle confirms success. Credentials from the Marketplace are passed to ArmisManager. If `auth` completes without errors, the **Test** button shows a green checkmark.\n\n\nUse the `extract_configuration_param` method to import parameters from the integration configuration. Alternatively, use `extract_action_param` to define parameters within the action itself. However, the **Ping** action should always use configuration parameters, as those are tested by the Marketplace.\n\nView custom integrations\n------------------------\n\n\nGo to the Google SecOps Marketplace and search for the custom\nintegration you created.\nIf you didn't create an image during the initial configuration, the\ndefault custom image will be assigned to it. Note that\nGoogle SecOps Marketplace updates\ndon't override or delete any custom integrations.\n\nExport and import in the IDE\n----------------------------\n\nDo one of the following actions:\n\n- To **import** integrations, do the following:\n 1. Upload a ZIP file with the correct folder structure; the integration appears in the IDE and Google SecOps Marketplace.\n 2. Click **Import**. The integration appears in both the IDE and the Marketplace.\n 3. The system generates a ZIP file containing the definition, scripts, and configuration. The **Managers** folder is not included automatically.\n- To **export** integrations, do the following:\n - Click **Export** to download the package.\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
