When a new connector is configured, the platform uses the connector script in
an integration as a template only. The configured connector is an instance of
that connector template. You can add multiple connectors with different
configurations using the same code you created for the connector in the IDE.
Connector configuration
Navigate to SOAR Settings > Ingestion > Connectors to access the connectors module and configure a connector under the relevant environment.
Click add.
Configure the following Connector parameters.
Connector Fields
Environment:
Defines which environment this connector connects to. If you do not need to define the environment, select "Default Environment".
Run Every:
Defines the interval of connector runs.
Product Field Name:
Required by the connector in order to identify the product that generates the alerts pulled into Google Security Operations.
Do not enter the product name here. Instead, enter the event field (a key from your JSON event) that describes the product.
For example: Put "_index" to indicate that "cloudtrail" is the product that generated the alert.
Event Field Name:
Required by the connector in order to identify the type of the security event pulled into Google SecOps.
Do not enter the event name or type here. Instead, enter here the event field (a key from your JSON event) that describes the event type.
For example: Enter "_source.userIdentity.type" to indicate that "AssumedRole" is the type of the security event.
Event Count Limit:
If you are pulling a correlation alert, indicate the limit of the underlying events Google SecOps should fetch with it.
This is required to make a connector run faster (in case the alerts are heavy on redundant events) and reduce the redundancy for security analysts.
In this example, the connector is configured under the Default Environment. Once you fill in all the credentials, save the connector.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eConnectors in Google SecOps SOAR are configured as instances of connector templates, allowing for multiple connectors with different configurations based on the same code.\u003c/p\u003e\n"],["\u003cp\u003eConnector configuration involves navigating to \u003cstrong\u003eSOAR Settings > Ingestion > Connectors\u003c/strong\u003e and specifying parameters such as the environment, run interval, and product/event field names.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003cstrong\u003eProduct Field Name\u003c/strong\u003e and \u003cstrong\u003eEvent Field Name\u003c/strong\u003e fields require keys from JSON events, not the literal product or event names.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003cstrong\u003eEvent Count Limit\u003c/strong\u003e parameter allows you to set a limit on the number of underlying events pulled with a correlation alert, optimizing connector performance and reducing redundancy.\u003c/p\u003e\n"],["\u003cp\u003eConnectors can be configured within a specific or default environment, after filling all of the fields, the connector needs to be saved.\u003c/p\u003e\n"]]],[],null,["# Configure the connector\n=======================\n\nSupported in: \nGoogle secops [SOAR](/chronicle/docs/secops/google-secops-soar-toc) \nWhen a new connector is configured, the platform uses the connector script in\nan integration as a template only. The configured connector is an instance of\nthat connector template. You can add multiple connectors with different\nconfigurations using the same code you created for the connector in the IDE.\n\nConnector configuration\n-----------------------\n\n1. Navigate to **SOAR Settings \\\u003e Ingestion \\\u003e Connectors** to access the connectors module and configure a connector under the relevant environment. \n2. Click add.\n3. Configure the following Connector parameters. \n\n **Connector Fields**\n - **Environment**: Defines which environment this connector connects to. If you do not need to define the environment, select \"Default Environment\".\n - **Run Every** : Defines the interval of connector runs. \n - **Product Field Name**: Required by the connector in order to identify the product that generates the alerts pulled into Google Security Operations. Do not enter the product name here. Instead, enter the event field (a key from your JSON event) that describes the product.\n For example: Put \"_index\" to indicate that \"cloudtrail\" is the product that generated the alert.\n - **Event Field Name** : Required by the connector in order to identify the type of the security event pulled into Google SecOps. \n Do not enter the event name or type here. Instead, enter here the event field (a key from your JSON event) that describes the event type. \n For example: Enter \"`_source.userIdentity.type`\" to indicate that \"AssumedRole\" is the type of the security event.\n - **Event Count Limit** : If you are pulling a correlation alert, indicate the limit of the underlying events Google SecOps should fetch with it. \n\n This is required to make a connector run faster (in case the alerts are heavy on redundant events) and reduce the redundancy for security analysts.\n4. In this example, the connector is configured under the Default Environment. Once you fill in all the credentials, save the connector. [](/static/chronicle/images/soar/emailconnectorexample.png)\n\n\nFor a full list of parameters for each connector, see [Google SecOps Marketplace integrations](/chronicle/docs/soar/marketplace-integrations).\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
