This document explains how to test a connector by ingesting a sample malicious
email into the Google Security Operations platform. The test process demonstrates how to:
- Ingest a sample malicious email.
- Run the connector.
- Load the alert into the case queue.
- View how alert data is translated.
After completing these steps, you can view the new case, preview
the email content, and understand how the alert data is translated and
displayed within the platform before it's mapped and modeled.
Ingest a sample malicious email
To ingest a sample malicious email into the Google SecOps platform, follow these steps:
1. Insert a malicious email into the platform.
2. Copy the following sample email text and send this email from another user:

    Subject: Your new salary notification
    Email body:
    Hello, You have an important email from the Human Resources Department with regards to your December 2018 Paycheck. This email is enclosed in the Marquette University secure network.
    Access the documents here: www.example.com. Ensure your login credentials are correct to avoid cancellations.

    Faithfully,
    Human Resources

    University of California, Berkeley
Run the connector
To run the connector, follow these steps:
1. Go to Settings > Ingestion > Connectors.
2. In the Testing tab, click Run connector once; the results appear in the Output section. If your connector runs successfully, an alert for a single unread email appears. Make sure your mailbox contains at least one unread email for this test.
3. Optional: Click Preview to see a preview of the email.
Load the alert into the case queue
After ingesting a sample alert, load the alert into the case queue by following these steps:
1. Select the alert and click Load to system.
2. In the Cases tab, view the ingested case.

After the connector receives the email and translates the email data to Google SecOps format, the alert appears in the Cases tab in the case queue. When the case first appears, it is not mapped or modeled. These steps occur next in the workflow.
View how alert data is translated
You can see how each field in the connector code corresponds to the relevant field
presented in the platform's context details.
To see how the alert data appears in the platform, do the following:
- Click the alert to view the Alert Context details.

| The platform field | Code Mapping | Description |
|---|---|---|
| Field name / Value | alert_info.name = email_message_data['Subject'] | Email subject, for example, "Your New Salary Notification" |
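
The mapping line in the table, shown as an added example (not code from the original page or from the Google SecOps SDK): it parses a raw message with Python's standard `email` library and builds a plain dict standing in for `alert_info`, including the cases where the Subject is encoded or missing. The names `parse_email` and `build_alert`, the dict keys other than `name`, and the sample addresses are assumptions.

```python
from email import message_from_string, policy

# Constructed sample: an abbreviated form of this page's test email as a raw message.
SAMPLE_EMAIL = """\
From: sender@example.com
To: analyst@example.com
Subject: Your new salary notification
Message-ID: <constructed-0001@example.com>
Content-Type: text/plain; charset="utf-8"

Hello, You have an important email from the Human Resources Department.
Access the documents here: www.example.com.
"""

def parse_email(raw):
    """Build the email_message_data dict that the mapping line reads from."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    return {
        # policy.default decodes RFC 2047 encoded-words in header values
        "Subject": msg["Subject"],
        "From": msg["From"],
        "Message-ID": msg["Message-ID"],
        "Body": body.get_content() if body is not None else "",
    }

def build_alert(email_message_data):
    """Hypothetical stand-in for alert_info: a plain dict, not the SDK object."""
    subject = email_message_data.get("Subject")
    # Collapse whitespace (folded headers) and fall back when Subject is absent,
    # so the case queue never shows an empty or multi-line alert name.
    name = " ".join(str(subject).split()) if subject else "(no subject)"
    return {
        "name": name,  # alert_info.name = email_message_data['Subject']
        "sender": str(email_message_data.get("From") or ""),
        "message_id": str(email_message_data.get("Message-ID") or ""),
        "body": email_message_data.get("Body", ""),
    }

if __name__ == "__main__":
    alert = build_alert(parse_email(SAMPLE_EMAIL))
    for key in ("name", "sender", "message_id"):
        print(f"{key}: {alert[key]}")
```
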
Last updated 2025-08-29 UTC.