This document outlines the requirements for publishing integrations in Google Security Operations SOAR. It lists prerequisites, coding standards, action development guidelines, JSON formatting rules, entity enrichment best practices, and the process for submitting an integration to the Google Security Operations Marketplace. Following these requirements helps ensure integrations are reliable, maintainable, and discoverable by other users.
Integration requirements
Python 3.7: Develop all integrations in Python 3.7.
Integration description: Include a clear description of the product you're integrating with.
Icons
SVG icon: This icon is applied to all instances of the integration in the platform.
PNG icon: This image will appear in the Google SecOps Marketplace.
Integration category: Define a category to let other users filter your integration in the Google SecOps Marketplace. Select a category from the predefined list in the Google SecOps Marketplace.
Dependencies: If your integration requires external libraries, list them in the integration settings.
Integration Parameters: Include all parameters needed for a successful connection to the product, along with clear descriptions.
Manager: To avoid code duplication, create a manager—a Python file that can be referenced by other scripts in the integration.
Ping action: Include a Ping action to verify connectivity. The result should return `true` if the connection is successful. This action should be disabled by default; it's not intended for playbook use.
Linux: The integration should support CentOS 7 or later.
Action requirements
Action description: Clearly describe what the action does.
Action structure: Follow the default Integrated Development Environment (IDE) action template.
Action parameters: Define all parameters that are relevant to the action, including descriptions. Match parameter types to the action's requirements.
Running action on a context of an alert: Where applicable, design the action to run in the context of an alert. For example, scope the logic to specific entity types (for example, URLs) using siemplify.target_entities. For an example, see Create your first action.
Logging: Add logs for complex actions, and log all exceptions or errors with the correct severity level (`info`,
`warn`,
`error`,
and `exception`).
JSON requirements
JSON Result: For actions that return data, use add_result_json to return a JSON result.
Add a JSON Example: Add an example JSON file that can be imported into the Expression Builder for playbook creation. This recommendation lets JSON result values be used as placeholders in a playbook.
Enrich entities
When enriching entities with data from an integrated product, follow these best practices:
Add an enrichment step: Include relevant data from the product in the action output.
Use a prefix: Add a prefix (usually the product name) to enrichment field keys to prevent conflicts.
Example: To enrich an entity with a user's first and last name, add Zoom as the prefix to the new fields.
Update the entity: Use entity.additional_properties.update() to add the enriched data to the entity's properties.
Update the alert: Use siemplify.update_entities(enriched_entities) to add the updated entities to the alert. Click the entity to view the full details.
Publish the integration
To make your integration available to all Google SecOps Marketplace users, contact Google SecOps Customer Support to submit it for review by the Marketplace team.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eIntegrations must be developed in Python 3.7 and include a description, SVG and PNG icons, and a defined category for the Google SecOps Marketplace.\u003c/p\u003e\n"],["\u003cp\u003eEach integration requires a manager file to avoid code reuse, a ping action for connection testing, and must be compatible with Centos OS 7 or above.\u003c/p\u003e\n"],["\u003cp\u003eActions within the integration must have descriptions, structured parameters, support running in the context of an alert, and return data in JSON format using \u003ccode\u003eadd_result_json\u003c/code\u003e.\u003c/p\u003e\n"],["\u003cp\u003eFor actions that return data, it is recommended to include a JSON example for use in the expression builder and to add enrichment to entities with the data coming from the product integrated with.\u003c/p\u003e\n"],["\u003cp\u003eLogging at appropriate levels (info, warn, error, exception) is crucial for debugging, especially in complex actions, and submitting the integration to the Google SecOps Marketplace requires contacting Customer Support.\u003c/p\u003e\n"]]],[],null,["# Requirements for publishing integrations\n========================================\n\nSupported in: \nGoogle secops [SOAR](/chronicle/docs/secops/google-secops-soar-toc) \nThis document outlines the requirements for publishing integrations in Google Security Operations SOAR. It lists prerequisites, coding standards, action development guidelines, JSON formatting rules, entity enrichment best practices, and the process for submitting an integration to the Google Security Operations Marketplace. Following these requirements helps ensure integrations are reliable, maintainable, and discoverable by other users.\n\nIntegration requirements\n------------------------\n\n- **Python 3.7**: Develop all integrations in Python 3.7.\n- **Integration description**: Include a clear description of the product you're integrating with.\n- **Icons**\n - **SVG icon**: This icon is applied to all instances of the integration in the platform.\n - **PNG icon**: This image will appear in the Google SecOps Marketplace.\n- **Integration category**: Define a category to let other users filter your integration in the Google SecOps Marketplace. Select a category from the predefined list in the Google SecOps Marketplace.\n- **Dependencies**: If your integration requires external libraries, list them in the integration settings.\n- **Integration Parameters**: Include all parameters needed for a successful connection to the product, along with clear descriptions.\n- **Manager**: To avoid code duplication, create a manager---a Python file that can be referenced by other scripts in the integration.\n- **Ping action** : Include a **Ping** action to verify connectivity. The result should return \\`true\\` if the connection is successful. This action should be disabled by default; it's not intended for playbook use.\n- **Linux**: The integration should support CentOS 7 or later.\n\nAction requirements\n-------------------\n\n- **Action description**: Clearly describe what the action does.\n- **Action structure**: Follow the default Integrated Development Environment (IDE) action template.\n- **Action parameters**: Define all parameters that are relevant to the action, including descriptions. Match parameter types to the action's requirements.\n- **Running action on a context of an alert** : Where applicable, design the action to run in the context of an alert. For example, scope the logic to specific entity types (for example, URLs) using `siemplify.target_entities`. For an example, see [Create your first action](/chronicle/docs/soar/respond/start-developing/my-first-action).\n- **Logging** : Add logs for complex actions, and log all exceptions or errors with the correct severity level ([\\`info\\`](/chronicle/docs/soar/reference/script-result-module#info-script-result), [\\`warn\\`](/chronicle/docs/soar/reference/script-result-module#warn-script-result), [\\`error\\`](/chronicle/docs/soar/reference/script-result-module#error-script-result), and [\\`exception\\`](/chronicle/docs/soar/reference/script-result-module#exception-script-result)).\n\nJSON requirements\n-----------------\n\n- **JSON Result** : For actions that return data, use [`add_result_json`](/chronicle/docs/soar/reference/script-result-module#add-result-json-script-result) to return a JSON result.\n- **Add a JSON Example** : Add an example JSON file that can be imported into the **Expression Builder** for playbook creation. This recommendation lets JSON result values be used as placeholders in a playbook.\n\nEnrich entities\n---------------\n\nWhen enriching entities with data from an integrated product, follow these best practices:\n\n- **Add an enrichment step**: Include relevant data from the product in the action output.\n- **Use a prefix** : Add a prefix (usually the product name) to enrichment field keys to prevent conflicts.\n - **Example** : To enrich an entity with a user's first and last name, add `Zoom` as the prefix to the new fields. \n\n entity_enrichment = {\"first_name\":\"First Name\", \"last_name\":\"Last Name\"}\n entity_enrichment = add_prefix_to_dict(entity_enrichment, \"Zoom\")\n\n- **Update the entity** : Use `entity.additional_properties.update()` to add the enriched data to the entity's properties.\n- **Update the alert** : Use `siemplify.update_entities(enriched_entities)` to add the updated entities to the alert. Click the entity to view the full details.\n\nPublish the integration\n-----------------------\n\nTo make your integration available to all Google SecOps Marketplace users, contact Google SecOps Customer Support to submit it for review by the Marketplace team.\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
