Google BigQuery

Integration version: 6.0

Use Cases

Perform enrichment - Execute SQL Queries.

Product Permissions

To authenticate, the integration uses the values from the integration configuration parameters and the JSON file.

Configure Google BigQuery integration in Google Security Operations SOAR

If you provide an invalid value for any of the following parameters, the integration still works:

  • Account Type
  • Private Key ID
  • Client ID
  • Auth URI
  • Auth Provider X509 URL
  • Client X509 URL

This is normal behaviour for the Google SDK.

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Instance Name | String | N/A | No | Name of the Instance you intend to configure integration for. |
| Description | String | N/A | No | Description of the Instance. |
| Account Type | String | service_account | No | Type of the BigQuery account. Located at the "type" parameter in the authentication JSON file. You need to copy the value and put it in this integration configuration parameter. |
| Project ID | String | N/A | No | Project ID of the BigQuery account. Located at the "project_id" parameter in the authentication JSON file. You need to copy the value and put it in this integration configuration parameter. |
| Private Key ID | Password | N/A | No | Private Key ID of the BigQuery account. Located at the "private_key_id" parameter in the authentication JSON file. You need to copy the value and put it in this integration configuration parameter. |
| Private Key | Password | N/A | No | Private Key of the BigQuery account. Located at the "private_key" parameter in the authentication JSON file. You need to copy the value and put it in this integration configuration parameter. |
| Client Email | String | N/A | No | Client Email of the BigQuery account. Located at the "client_email" parameter in the authentication JSON file. You need to copy the value and put it in this integration configuration parameter. |
| Client ID | String | N/A | No | Client ID of the BigQuery account. Located at the "client_id" parameter in the authentication JSON file. You need to copy the value and put it in this integration configuration parameter. |
| Auth URI | String | https://accounts.google.com/o/oauth2/auth | No | Auth URI of the BigQuery account. Located at the "auth_uri" parameter in the authentication JSON file. You need to copy the value and put it in this integration configuration parameter. |
| Token URI | String | https://oauth2.googleapis.com/token | No | Token URI of the BigQuery account. Located at the "token_uri" parameter in the authentication JSON file. You need to copy the value and put it in this integration configuration parameter. |
| Auth Provider X509 URL | String | https://www.googleapis.com/oauth2/v1/certs | No | Auth Provider X509 URL of the BigQuery account. Located at the "auth_provider_x509_cert_url" parameter in the authentication JSON file. You need to copy the value and put it in this integration configuration parameter. |
| Client X509 URL | String | N/A | No | Client X509 URL of the BigQuery account. Located at the "client_x509_cert_url" parameter in the authentication JSON file. You need to copy the value and put it in this integration configuration parameter. |
| Service Account Json File Content | String | N/A | No | Optional: Instead of specifying Private Key ID, Private Key and other parameters, specify here the full JSON content of the service account file. Other connection parameters are ignored if this parameter is provided. |
| Verify SSL | Checkbox | Checked | No | If enabled, the integration verifies that the SSL certificate for the connection to the Google Cloud service is valid. |
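
A pre-flight check for the service account JSON file before its values are copied into the parameters above, as an added example that is not part of the integration or of Google's code. It maps each JSON key to the parameter named in the table and reports findings on the six parameters the page says may be invalid as `warn`, the rest as `error`. The function name `check_key_file`, that severity split and the sample values are assumptions of this example.

```python
import json
from urllib.parse import urlsplit

# JSON key -> integration parameter display name, taken from the parameter table.
PARAM_MAP = {
    "type": "Account Type", "project_id": "Project ID",
    "private_key_id": "Private Key ID", "private_key": "Private Key",
    "client_email": "Client Email", "client_id": "Client ID",
    "auth_uri": "Auth URI", "token_uri": "Token URI",
    "auth_provider_x509_cert_url": "Auth Provider X509 URL",
    "client_x509_cert_url": "Client X509 URL",
}
# Parameters the page lists as accepted even when invalid.
NOT_ENFORCED = {"Account Type", "Private Key ID", "Client ID", "Auth URI",
                "Auth Provider X509 URL", "Client X509 URL"}

def check_key_file(text):
    """Return (params, findings) for the text of a service account JSON file."""
    data = json.loads(text)
    if not isinstance(data, dict):
        raise ValueError("service account file must contain a JSON object")
    params, findings = {}, []
    for key, name in PARAM_MAP.items():
        value = data.get(key)
        # Assumption of this example: problems in the other four are errors.
        severity = "warn" if name in NOT_ENFORCED else "error"
        if not isinstance(value, str) or not value.strip():
            findings.append((severity, name, "missing or empty"))
            continue
        params[name] = value
        if key.endswith(("_uri", "_url")):
            url = urlsplit(value)
            if url.scheme != "https" or not url.netloc or any(c.isspace() for c in value):
                findings.append((severity, name, "not a clean https URL"))
        elif key == "private_key" and not value.startswith("-----BEGIN"):
            findings.append((severity, name, "does not look like a PEM block"))
        elif key == "type" and value != "service_account":
            findings.append((severity, name, "differs from default 'service_account'"))
    return params, findings

# Constructed sample, placeholder values only: wrong type, space in token_uri, one key absent.
SAMPLE = json.dumps({
    "type": "user", "project_id": "example-project", "private_key_id": "placeholder-id",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "soar@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000", "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/ token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
})
```

Calling `check_key_file(SAMPLE)` returns nine usable parameters and three findings; only the Token URI finding is reported as an error.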

Actions

Ping

Description

Test connectivity to BigQuery with the parameters provided on the integration configuration page in the Google Security Operations Marketplace tab.

Run On

The action doesn't run on entities and has no mandatory input parameters.

Action Results

Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful:

Print "Successfully connected to the BigQuery server with the provided connection parameters!"

The action should fail and stop a playbook execution:

If not successful:

Print "Failed to connect to the BigQuery server! Error is {0}".format(exception.stacktrace)

General

Run SQL Query

Description

Execute queries in BigQuery.

Parameters

| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Dataset Name | String | N/A | Yes | Specify the name of the dataset to use when executing queries. |
| Query | String | N/A | Yes | Specify the SQL query that needs to be executed. |
| Max Results To Return | String | 50 | No | Specify how many results to return in the response. |

Run On

This action doesn't run on entities.

Action Results

Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
{
    "Airport_Code": "MDW",
    "Airport_Name": "Chicago, IL: Chicago Midway International",
    "Time_Label": "2015/05",
    "Time_Month": 5,
    "Time_Month_Name": "May",
    "Time_Year": 2015,
    "Statistics___of_Delays_Carrier": 351,
    "Statistics___of_Delays_Late_Aircraft": 546,
    "Statistics___of_Delays_National_Aviation_System": 292,
    "Statistics___of_Delays_Security": 2,
    "Statistics___of_Delays_Weather": 100,
    "Statistics_Carriers_Names": "Delta Air Lines Inc.,ExpressJet Airlines Inc.,Southwest Airlines Co.",
    "Statistics_Carriers_Total": 3,
    "Statistics_Flights_Cancelled": 88,
    "Statistics_Flights_Delayed": 1289,
    "Statistics_Flights_Diverted": 32,
    "Statistics_Flights_On_Time": 6182,
    "Statistics_Flights_Total": 7591,
    "Statistics_Minutes_Delayed_Carrier": 19332,
    "Statistics_Minutes_Delayed_Late_Aircraft": 34376,
    "Statistics_Minutes_Delayed_National_Aviation_System": 12346,
    "Statistics_Minutes_Delayed_Security": 48,
    "Statistics_Minutes_Delayed_Total": 76163,
    "Statistics_Minutes_Delayed_Weather": 100061
}
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful: "Successfully executed query in the BigQuery dataset "{0}"!".format(dataset name)

The action should fail and stop a playbook execution:

If not successful: "Error executing action "Run SQL Query". Reason: {0}".format(error.Stacktrace)

General
Case Wall Table

Table Name: Results

Table columns - all columns in the response.

General