Google Alert Center

Integration version: 5.0

Prerequisites

Create service account credentials

In the Google Cloud console, go to the Credentials page.

Go to Credentials
From the Create credentials menu, select Service account.
Enter a name in the Service account name field.
Optional: Edit the service account ID.
Click Create. A Service account permissions screen appears.
Click Continue. A Grant users access to this service account screen appears.
Click Create key and click Done. A Private key saved to your computer dialog appears and a copy of the private key downloads to your computer.
Click Close.

Delegate domain-wide authority to your service account

From your domain's Admin console, go to Main menu > Security > Access and data control > API controls.
In the Domain wide delegation pane, select Manage Domain Wide Delegation.
Click Add new.
In the Client ID field, enter the client ID obtained from the preceding service account creation steps.
In the OAuth Scopes field, provide the following:
```
https://www.googleapis.com/auth/apps.alerts
```

After you have completed the prerequisite steps, go to Google Security Operations SOAR and provide the JSON key of the service account and the email address for impersonation.

Configure Google Alert Center integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name	Type	Default Value	Is Mandatory	Description
Service Account JSON Secret	Secret	N/A	Yes	JSON that contains the secret of service account keys. Specify the full JSON content of the service account file to be used in the integration.
Impersonation Email Address	Secret	N/A	Yes	Email address that has access to the alert center.
Verify SSL	Checkbox	Checked	Yes	If enabled, verify the SSL certificate for the connection to the alert center server is valid.

Parameter Display Name

Type

Default Value

Is Mandatory

Description

Service Account JSON Secret

Secret

N/A

Yes

JSON that contains the secret of service account keys.

Specify the full JSON content of the service account file to be used in the integration.

Impersonation Email Address

Secret

N/A

Yes

Email address that has access to the alert center.

Verify SSL

Checkbox

Checked

Yes

If enabled, verify the SSL certificate for the connection to the alert center server is valid.

Product Use Cases

Ingestion of alerts

Actions

Ping

Description

Test connectivity to the alert center with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.

Parameters

N/A

Action Results

Script Result

Script Result Name	Value Options	Example
is_success	True/False	is_success:False

Case Wall

Result type	Value / Description	Type
Output message*	The action should not fail nor stop a playbook execution: If successful: "Successfully connected to the alert center server with the provided connection parameters!" The action should fail and stop a playbook execution: If not successful: "Failed to connect to the alert center server! Error is {0}".format(exception.stacktrace)	General

Result type

Value / Description

Type

Output message*

The action should not fail nor stop a playbook execution:

If successful: "Successfully connected to the alert center server with the provided connection parameters!"

The action should fail and stop a playbook execution:

If not successful: "Failed to connect to the alert center server! Error is {0}".format(exception.stacktrace)

General

Delete Alert

Description

Delete an alert in the alert center.

Parameters

Parameter Display Name	Type	Default Value	Is Mandatory	Description
Alert ID	String	N/A	Yes	Specify the id of the alert that needs to be deleted.

Run on

This action doesn't run on entities.

Action Results

Script Result

Script Result Name	Value Options	Example
is_success	True/False	is_success:False

Case Wall

Result type	Value / Description	Type
Output message*	The action should not fail nor stop a playbook execution: If successful (is_success=true): "Successfully deleted alert with ID {record id} in alert center." If the incident is not found (is_success=true): "Alert with ID {record id} doesn't exist in alert center." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Delete Alert". Reason: {0}''.format(error.Stacktrace)	General

Result type

Value / Description

Type

Output message*

The action should not fail nor stop a playbook execution:

If successful (is_success=true): "Successfully deleted alert with ID {record id} in alert center."

If the incident is not found (is_success=true): "Alert with ID {record id} doesn't exist in alert center."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Delete Alert". Reason: {0}''.format(error.Stacktrace)

General

Connectors

Google Alert Center - Alerts Connector

Description

Pull information about alerts from the alert center.

Configure Google Alert Center - Alerts Connector in Google Security Operations SOAR

For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.

Connector parameters

Use the following parameters to configure the connector:

Parameter Display Name	Type	Default Value	Is Mandatory	Description
Product Field Name	String	source	Yes	Enter the source field name in order to retrieve the Product Field name.
Event Field Name	String	type	Yes	Enter the source field name in order to retrieve the Event Field name.
Environment Field Name	String	""	No	Describes the name of the field where the environment name is stored. If the environment field isn't found, the environment is the default environment.
Environment Regex Pattern	String	.*	No	A regex pattern to run on the value found in the "Environment Field Name" field. Default is .* to catch all and return the value unchanged. Used to allow the user to manipulate the environment field via regex logic. If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment.
Script Timeout (Seconds)	Integer	180	Yes	Timeout limit for the python process running the current script.
Service Account JSON Secret	Secret	N/A	Yes	JSON that contains the secret of service account keys.
Impersonation Email Address	Secret	N/A	Yes	Email address that has access to the alert center.
Lowest Severity To Fetch	String	N/A	No	Lowest severity that needs to be used to fetch alerts. Possible values: Informational, Low, Medium, High. If nothing is specified, the connector will ingest alerts with all severities.
Max Hours Backwards	Integer	1	No	Amount of hours from where to fetch alerts.
Max Alerts To Fetch	Integer	100	No	How many alerts to process per one connector iteration. Default: 100.
Use whitelist as a blacklist	Checkbox	Unchecked	Yes	If enabled, whitelist will be used as a blacklist.
Verify SSL	Checkbox	Checked	Yes	If enabled, verify the SSL certificate for the connection to the alert center server is valid.
Proxy Server Address	String	N/A	No	The address of the proxy server to use.
Proxy Username	String	N/A	No	The proxy username to authenticate with.
Proxy Password	Password	N/A	No	The proxy password to authenticate with.

Connector Rules

Proxy Support

The connector supports proxy.