This document explains how to create a custom integration in the Integrated Development Environment (IDE) with the same structure as commercial integrations. Custom integrations appear in the Google Security Operations Marketplace where you can configure them for different environments to use in playbooks, manual actions, and remote agents. You can also import and export them, like other IDE items.
In this custom integration example, you'll build a custom integration for the WHOIS XML
API product. Start by creating your first integration
including the registration process to the WHOIS product, including registering for the product and creating the required API key.
Choose the product to integrate with
In this example, you'll integrate with the WHOIS XML API product, a free
open source tool that provides API access to domain data, including:
To create your first custom integration in the IDE, follow these steps:
On the Response > IDE page, click
add
Add to add a new IDE item.
Select the Integration
radio button and enter a name for the integration.
Click Create. The integration appears with a custom integration icon.
Click settingsSettings.
In the integration dialog, define the Icon, Description, Python Dependencies, and Integration Parameters.
In this example, the following details appear:
An image of the WhoisXML API logo is uploaded. This image appears in the Google SecOps Marketplace with the integration.
An SVG icon has been added next to the integration in the IDE with a brief description and one parameter, the API Key. This is the parameter that the Who Is XML API Product requires for the configuration of the integration.
You don't need additional Python libraries for this integration. By default, the integration is set to run on Python 3.7, and you can change the version in Settings.
Configure the default instance
Once you create the integration, you can view it in your Google SecOps
Response Integrations (search the integration name in the search bar or filter
the Integration type by Custom Integrations) with the image,
description and parameter you defined for the integration.
Click settingsSettings>Configure a default Instance.
Enter your API key and click Save.
Optional: To configure the integration for another environment (not the default environment), click the Configure tab and set parameters for that instance.
The built-in Test button won't work until you create a ping action.
Create a Ping action
In Response > IDE, click
add
Add > Add New IDE Item.
Select the Action radio button, enter a name, and
select the integration.
Click Create.Review the generated code template.
Copy the following code for the Ping action. The Ping action uses the API
Key parameter you configured for the integration and puts it in
the URL provided by the product for testing purposes. For details, see Create your
first action.
from SiemplifyAction import SiemplifyAction
from SiemplifyUtils import output_handler
import requests
INTEGRATION_NAME = "My first Integration - Whois XML API"
SCRIPT_NAME = "Whois XML API Ping"
@output_handler
def main():
siemplify = SiemplifyAction()
siemplify.script_name = SCRIPT_NAME
api_key = siemplify.extract_configuration_param(provider_name=INTEGRATION_NAME,
param_name="API Key")
url = "https://www.whoisxmlapi.com/whoisserver/WhoisService?apiKey={api_key}&domainName=google.com".format(api_key=api_key)
res = requests.get(url)
res.raise_for_status()
if "ApiKey authenticate failed" in res.content.decode("utf-8"):
raise Exception("Error, bad credentials")
siemplify.end("Successful Connection", True)
if __name__ == "__main__":
main()
To test the connection to the product, click the toggle above the action and click Save.
Go to the Google SecOps Marketplace, click settingsConfigure default instance, and make sure that
the integration is configured and saved.
Click Test to test the integration. A successful connection displays a green checkmark; a failed connection displays an X with the associated error.
After you complete authentication, create your first custom action in the custom integration.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eGoogle Security Operations users can build custom integrations within the IDE, which function similarly to commercial integrations and appear in the Google SecOps Marketplace.\u003c/p\u003e\n"],["\u003cp\u003eThis tutorial guides users through creating a custom integration with the "WHOIS XML API" product, starting with registration and API key acquisition.\u003c/p\u003e\n"],["\u003cp\u003eThe process involves creating the integration in the IDE, defining settings like icon, description, dependencies, and the required API Key parameter.\u003c/p\u003e\n"],["\u003cp\u003eUsers can configure and test their integration's connection to the WHOIS XML API product, ensuring successful authentication before creating custom actions.\u003c/p\u003e\n"],["\u003cp\u003eThe tutorial shows how to implement a ping action to test the integration's connection, using the configured API key to verify successful authentication.\u003c/p\u003e\n"]]],[],null,["# Create your first custom integration\n====================================\n\nSupported in: \nGoogle secops [SOAR](/chronicle/docs/secops/google-secops-soar-toc) \n\nThis document explains how to create a custom integration in the Integrated Development Environment (IDE) with the same structure as commercial integrations. Custom integrations appear in the Google Security Operations Marketplace where you can configure them for different environments to use in playbooks, manual actions, and remote agents. You can also import and export them, like other IDE items.\n\n\nIn this custom integration example, you'll build a custom integration for the **WHOIS XML\nAPI** product. Start by creating your first integration\nincluding the registration process to the WHOIS product, including registering for the product and creating the required API key.\n\nChoose the product to integrate with\n------------------------------------\n\n1. In this example, you'll integrate with the **WHOIS XML API** product, a free open source tool that provides API access to domain data, including:\n - Registrant name, organization, email address, registration address\n - Registrar information\n - Domain creation, expiration, and update dates\n - Domain availability and age\n2. Go to [WHOIS XML API/](https://www.whoisxmlapi.com/) and register.\n3. After you sign in, get your API key from your account page: \u003chttps://user.whoisxmlapi.com/products\u003e\n4. Use this API key in your integration parameters.\n\nCreate the first custom integration in the IDE\n----------------------------------------------\n\nTo create your first custom integration in the IDE, follow these steps:\n\n1. On the **Response \\\u003e IDE** page, click add **Add** to add a new IDE item.\n2. Select the **Integration** radio button and enter a name for the integration.\n3. Click **Create**. The integration appears with a custom integration icon.\n4. Click settings **Settings**.\n5. In the integration dialog, define the **Icon** , **Description** , **Python Dependencies** , and **Integration Parameters** . \n In this example, the following details appear:\n - An image of the WhoisXML API logo is uploaded. This image appears in the Google SecOps Marketplace with the integration.\n - An SVG icon has been added next to the integration in the IDE with a brief description and one parameter, the API Key. This is the parameter that the **Who Is XML API** Product requires for the configuration of the integration.\n - You don't need additional Python libraries for this integration. By default, the integration is set to run on Python 3.7, and you can change the version in **Settings**.\n| **Note:** Script dependencies are Python libraries that your custom integration must import. You can add them in formats, such as Wheel files (\\`WHL\\`), tarballs (\\`TAR\\`), Gzip archives (\\`GZ\\`), or Python files (\\`PY\\`). Each integration runs in its own virtual environment, letting you include specific library versions even if a different version is already installed on the system. For example, if you need a particular version of the requests library, download it from a trusted source (such as PyPI or GitHub) and add it to the script dependencies. If the dependency is not in the virtual environment, the integration uses the system-installed version instead.\n\nConfigure the default instance\n------------------------------\n\n6. Once you create the integration, you can view it in your Google SecOps Response Integrations (search the integration name in the search bar or filter the Integration type by **Custom Integrations**) with the image, description and parameter you defined for the integration.\n7. Click settings **Settings** \\\u003e **Configure a default Instance**.\n8. Enter your API key and click **Save**.\n9. Optional: To configure the integration for another environment (not the default environment), click the **Configure** tab and set parameters for that instance.\n10. The built-in **Test** button won't work until you create a ping action.\n\nCreate a Ping action\n--------------------\n\n11. In **Response \\\u003e IDE** , click add **Add \\\u003e Add New IDE Item**.\n12. Select the **Action** radio button, enter a name, and select the integration.\n13. Click **Create**.Review the generated code template.\n14. Copy the following code for the **Ping** action. The **Ping** action uses the `API\n Key` parameter you configured for the integration and puts it in the URL provided by the product for testing purposes. For details, see [Create your\nfirst action](/chronicle/docs/soar/respond/start-developing/my-first-action). \n\n```\nfrom SiemplifyAction import SiemplifyAction\nfrom SiemplifyUtils import output_handler\nimport requests\n\nINTEGRATION_NAME = \"My first Integration - Whois XML API\"\nSCRIPT_NAME = \"Whois XML API Ping\"\n\n@output_handler\ndef main():\n siemplify = SiemplifyAction()\n siemplify.script_name = SCRIPT_NAME\n\n api_key = siemplify.extract_configuration_param(provider_name=INTEGRATION_NAME,\n param_name=\"API Key\")\n url = \"https://www.whoisxmlapi.com/whoisserver/WhoisService?apiKey={api_key}&domainName=google.com\".format(api_key=api_key)\n\n res = requests.get(url)\n res.raise_for_status()\n\n if \"ApiKey authenticate failed\" in res.content.decode(\"utf-8\"):\n raise Exception(\"Error, bad credentials\")\n\n siemplify.end(\"Successful Connection\", True)\nif __name__ == \"__main__\":\n main() \n```\n15. To test the connection to the product, click the toggle above the action and click **Save**.\n16. Go to the **Google SecOps Marketplace** , click settings **Configure default instance**, and make sure that the integration is configured and saved.\n17. Click **Test** to test the integration. A successful connection displays a green checkmark; a failed connection displays an X with the associated error.\n18. After you complete authentication, create your first custom action in the custom integration.\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
