Ingest your data (connectors)

Google Security Operations SOAR uses connectors to ingest alerts from a variety of data sources into the platform. A connector is one of the items in an integration package which can be downloaded through the Google Security Operations Marketplace. Connectors are configured from SOAR Settings > Ingestion > Connectors.

Connectors are Python-based applications that allow the platform to pull alerts from third-party products into Google Security Operations. Connectors also parse and normalize the raw data (alerts, events) into a Google Security Operations format. The normalized data is then presented as a case in the case queue.
If you are running a third-party SIEM (a central place for all your alerts), one connector is enough. It is also possible to pull data from multiple sources with several connectors. Each connector has a dedicated documentation link for additional help.
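To make the parse-and-normalize step concrete, the following added example (not code from the platform or from the Email integration) turns one raw email into an alert-shaped record using only the Python standard library. The output field names and the sample message are assumptions made for illustration, not the Google Security Operations schema.

```python
import email
import hashlib
import re
from email import policy

# Constructed sample message (not real mail); all addresses are placeholders.
RAW_EMAIL = b"""\
From: "IT Support" <support@example.net>
To: analyst@example.com
Subject: Password expiry notice
Message-ID: <constructed-0001@example.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Reset here: https://login.example.org/reset?id=42
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="notice.pdf"
Content-Transfer-Encoding: base64

SGVsbG8=
--b1--
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def normalize_email(raw: bytes) -> dict:
    """Parse one RFC 5322 message into a hypothetical alert record."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    # Hash attachments instead of carrying their content into the alert.
    attachments = [
        {"file_name": part.get_filename(),
         "sha256": hashlib.sha256(part.get_payload(decode=True) or b"").hexdigest()}
        for part in msg.iter_attachments()
    ]
    return {
        # Message-ID gives a stable key so a periodic poll can skip repeats.
        "alert_id": (msg["Message-ID"] or "").strip("<>"),
        "name": msg["Subject"],
        "events": [{
            "sender": msg["From"].addresses[0].addr_spec,
            "recipients": [a.addr_spec for a in msg["To"].addresses],
            "urls": URL_RE.findall(text),
            "attachments": attachments,
        }],
    }
```

Every header in the message is sender-controlled, so the record should be treated as untrusted input by whatever consumes it.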

Example: set up an email connector

  1. Navigate to Google Security Operations Marketplace > Integrations.
  2. Search for and install the Email integration.
  3. Select Configure default instance to open the Email - Configure Instance dialog. Make sure to fill in all the required parameters. If you would like to configure the integration for a different instance (not the default environment), navigate to SOAR Settings > Response > Integrations Setup. From this page you can configure the integration under the relevant instance.
  4. Navigate to SOAR Settings > Ingestion > Connectors.
  5. Click Create New Connector.
  6. Select the IMAP Email connector and click Create.
  7. Fill in the empty mandatory fields and save the connector. Click Yes on the confirmation message.
  8. Enable the connector and save it again. This makes it run periodically to pull any new emails according to the configuration.