Google SecOps

This document provides guidance to help you configure and integrate Google Chronicle with Google Security Operations SOAR.

Integration version: 43.0

Use cases

The Google Chronicle integration can address the following use cases:

  • Automated phishing investigation and remediation: use the SOAR capabilities of Google SecOps to automatically query the integration for historical email data, user activity logs, and threat intelligence to assess email legitimacy. The automated remediation can help you with triage and containment by preventing the spread of malware or data breaches.

  • Enrichment of security alerts: use the SOAR capabilities of Google SecOps to enrich the alert generated in SIEM with historical context, such as past user behavior and asset information. The alert enrichment provides analysts with a comprehensive view of the incident, enabling faster and more informed decision-making.

  • Threat hunting based on Google SecOps insights: use the SOAR capabilities of Google SecOps to automate the process of querying other security tools for related indicators of compromise (IOCs). The insight-based threat hunting can help you stay ahead of threats and identify potential breaches before they escalate.

  • Automated incident response playbooks: use the SOAR capabilities of Google SecOps to trigger a predefined playbook which uses Google SecOps data to isolate compromised systems, block malicious IP addresses, and notify relevant stakeholders. Using the incident response playbooks can reduce the incident response time and minimize the impact of security incidents.

  • Compliance reporting and auditing: use the SOAR capabilities of Google SecOps to automate the collection of security data from Google SecOps for compliance reporting purposes, streamline the audit process, and reduce the manual effort required for compliance reporting.

Integrate Google Chronicle with Google SecOps

The integration requires the following parameters:

Parameters
UI Root Required

UI root of the Google SecOps SIEM instance used to create a link that points back to Google SecOps SIEM across multiple actions.

Default value is https://INSTANCE.chronicle.security/

API Root Required

API root of the Google SecOps SIEM instance.

Google SecOps provides regional endpoints for each API.

For example: https://europe-backstory.googleapis.com, https://asia-southeast1-backstory.googleapis.com

If you don't know which endpoint to use, [contact Cloud Customer Care](/chronicle/docs/getting-support).

Default value is https://backstory.googleapis.com

User's Service Account Required

Service account of the Google SecOps SIEM instance.

Copy the entire service account JSON file.

Verify SSL Required

If selected, the integration verifies that the SSL certificate of the Google SecOps SIEM server is valid before connecting.

Selected by default.

You can make changes at a later stage, if necessary. After you configure instances, you can use them in playbooks. For more information on configuring and supporting multiple instances, see Supporting multiple instances.

For instructions on how to configure an integration in Google SecOps, see Configure integrations.

Actions

Add Values To Reference List

Use the Add Values To Reference List action to add values to a reference list in Google SecOps.

This action does not run on entities.

Action inputs

To configure the action, use the following parameters:

Parameters
Reference List Name Required

The name of the reference list to update.

Values Required

A comma-separated list of values to add to a reference list.

Action outputs

The Add Values To Reference List action provides the following outputs:

Action output type
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
Entity insight Not available
JSON result Available
Output messages Available
Script result Available
JSON result

The following example describes the JSON result output received when using the Add Values To Reference List action:

{
   "name": "list_name",
   "description": "description of the list",
   "lines": [
       "192.0.2.0/24",
       "198.51.100.0/24"
   ],
   "create_time": "2020-11-20T17:18:20.409247Z",
   "content_type": "CIDR"
}
Output messages

The Add Values To Reference List action provides the following output messages:

Output message Message description
Successfully added values to the reference list REFERENCE_LIST_NAME. Action succeeded.
Error executing action "Add Values To Reference List". Reason: ERROR_REASON Action failed.

Check the connection to the server, the input parameters, or the credentials.

Script result

The following table describes the values for the script result output when using the Add Values To Reference List action:

Script result name Value
is_success True or False

Enrich Domain

Use the Enrich Domain action to enrich domains using information from IoCs in Google SecOps SIEM.

This action runs on the following entities:

  • URL
  • Hostname

Action inputs

The Enrich Domain action requires the following parameters:

Parameters
Create Insight If selected, the action creates an insight that contains information about the entities.

Selected by default.

Only Suspicious Insight If selected, the action creates insights only for entities that are marked as suspicious.

Not selected by default.

If you select this parameter, also select the Create Insight parameter.

Lowest Suspicious Severity Required

The lowest severity associated with the domain to mark it suspicious.

The default value is Medium.

Possible values are as follows:
  • High
  • Medium
  • Low
  • Info
Mark Suspicious N/A Severity Required

If selected and the information about severity is unavailable, the action marks the entity as suspicious.

Action outputs

The Enrich Domain action provides the following outputs:

Action output type
Case wall attachment Not available
Case wall link Not available
Case wall table Available
Enrichment table Available
Entity insight Not available
JSON result Available
Output messages Available
Script result Available
Case wall table

The Enrich Domain action provides the following table:

Name: ENTITY_IDENTIFIER

Columns:

  • Source
  • Severity
  • Category
  • Confidence

Entity enrichment

The Enrich Domain action supports the following entity enrichment logic:

Enrichment field Logic (when to apply)
severity When available in JSON
average_confidence When available in JSON
related_domains When available in JSON
categories When available in JSON
sources When available in JSON
first_seen When available in JSON
last_seen When available in JSON
report_link When available in JSON

JSON result

The following example describes the JSON result output received when using the Enrich Domain action:

{
    "sources": [
        {
            "source": "ET Intelligence Rep List",
            "confidenceScore": {
                "normalizedConfidenceScore": "Low",
                "intRawConfidenceScore": 0
            },
            "rawSeverity": "High",
            "category": "Malware Command and Control Server"
        }
    ],
    "iocIngestTime": "2021-01-26T17:00:00Z",
    "firstSeenTime": "2018-10-03T00:03:53Z",
    "lastSeenTime": "2022-02-09T10:52:21.229Z",
    "uri": [
        "https://INSTANCE/domainResults?domain=t0.ssl.ak.dynamic.tiles.virtualearth.net&selectedList=DomainViewDistinctAssets&whoIsTimestamp=2022-02-09T11%3A51%3A52.393783515Z"
    ]
}
Output messages

The Enrich Domain action provides the following output messages:

Output message Message description
Successfully enriched the following domain in Google Chronicle: LIST_OF_IDS Action is successful.
Error executing action "Enrich Domain". Reason: ERROR_REASON

The action returned an error.

Check connection to the server, input parameters, or credentials.

Script result

The following table describes the values for the script result output when using the Enrich Domain action:

Script result name Value
is_success True or False

Enrich IP

Use the Enrich IP action to enrich IP entities using information from IoCs in Google SecOps SIEM.

This action runs on the IP Address entity.

Action inputs

The Enrich IP action requires the following parameters:

Parameters
Create Insight If selected, the action creates an insight which contains information about entities.

Selected by default.

Only Suspicious Insight If selected, the action creates insights only for entities that are marked as suspicious.

Not selected by default.

If you select this parameter, also select the Create Insight parameter.

Lowest Suspicious Severity Required

The lowest severity associated with the IP address to mark it suspicious.

The default value is Medium.

Possible values are as follows:
  • High
  • Medium
  • Low
  • Info
Mark Suspicious N/A Severity Required

If selected and the information about severity is unavailable, the action marks the entity as suspicious.

Action outputs

The Enrich IP action provides the following outputs:

Action output type
Case wall attachment Not available
Case wall link Not available
Case wall table Available
Enrichment table Available
JSON result Available
Output messages Available
Script result Available
Case wall table

Name: ENTITY_IDENTIFIER

Columns:

  • Source
  • Severity
  • Category
  • Confidence
  • Related Domains

Entity enrichment

The Enrich IP action supports the following entity enrichment logic:

Enrichment field Logic (when to apply)
severity When available in JSON
average_confidence When available in JSON
related_domains When available in JSON
categories When available in JSON
sources When available in JSON
first_seen When available in JSON
last_seen When available in JSON
report_link When available in JSON
JSON result

The following example describes the JSON result output received when using the Enrich IP action:

{
    "sources": [
        {
            "source": "Example List",
            "confidenceScore": {
                "normalizedConfidenceScore": "Low",
                "intRawConfidenceScore": 0
            },
            "rawSeverity": "High",
            "category": "Malware Command and Control Server"
        }
    ],
    "iocIngestTime": "2021-01-26T17:00:00Z",
    "firstSeenTime": "2018-10-03T00:03:53Z",
    "lastSeenTime": "2022-02-09T10:52:21.229Z",
    "uri": [
        "https://INSTANCE/domainResults?domain=t0.ssl.ak.dynamic.tiles.virtualearth.net&selectedList=DomainViewDistinctAssets&whoIsTimestamp=2022-02-09T11%3A51%3A52.393783515Z"
    ]
}
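The suspicion and insight rules shared by the Enrich Domain and Enrich IP actions (Lowest Suspicious Severity, Mark Suspicious N/A Severity, Create Insight, Only Suspicious Insight) and the entity enrichment table, worked through in Python as an added example; this is not the integration's own code. The IoC records are constructed in the shape of the JSON results above, and the entity names, list names and scores are made up.

```python
"""Suspicion and enrichment rules of the Enrich Domain and Enrich IP actions,
applied to IoC JSON in the shape shown above."""
from statistics import mean

# Rank used to compare severities; Info is the lowest, High the highest.
SEVERITY_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample IoC results keyed by entity identifier. The second entity
# carries no rawSeverity, which exercises the Mark Suspicious N/A Severity rule.
SAMPLE_IOCS = {
    "c2.example.net": {
        "sources": [
            {"source": "Example List A", "rawSeverity": "High",
             "category": "Malware Command and Control Server",
             "confidenceScore": {"normalizedConfidenceScore": "Low",
                                 "intRawConfidenceScore": 0}},
            {"source": "Example List B", "rawSeverity": "Low",
             "category": "Scanning Host",
             "confidenceScore": {"normalizedConfidenceScore": "Medium",
                                 "intRawConfidenceScore": 40}},
        ],
        "firstSeenTime": "2018-10-03T00:03:53Z",
        "lastSeenTime": "2022-02-09T10:52:21.229Z",
        "uri": ["https://INSTANCE/domainResults?domain=c2.example.net"],
    },
    "203.0.113.7": {
        "sources": [
            {"source": "Example List C", "category": "Unknown",
             "confidenceScore": {"normalizedConfidenceScore": "Low",
                                 "intRawConfidenceScore": 10}},
        ],
        "firstSeenTime": "2021-05-01T00:00:00Z",
        "lastSeenTime": "2021-05-02T00:00:00Z",
        "uri": [],
    },
}

def highest_severity(ioc):
    """Highest rawSeverity across sources, or None when no source reports one."""
    known = [s["rawSeverity"] for s in ioc.get("sources", [])
             if s.get("rawSeverity") in SEVERITY_RANK]
    return max(known, key=SEVERITY_RANK.__getitem__) if known else None

def is_suspicious(ioc, lowest_suspicious_severity="Medium", mark_na_suspicious=False):
    """Apply Lowest Suspicious Severity; fall back to Mark Suspicious N/A Severity."""
    severity = highest_severity(ioc)
    if severity is None:
        return mark_na_suspicious
    return SEVERITY_RANK[severity] >= SEVERITY_RANK[lowest_suspicious_severity]

def build_enrichment(ioc):
    """Build the enrichment fields from the table above, each only when present."""
    sources = ioc.get("sources", [])
    fields = {}
    severity = highest_severity(ioc)
    if severity is not None:
        fields["severity"] = severity
    scores = [s["confidenceScore"]["intRawConfidenceScore"]
              for s in sources if "confidenceScore" in s]
    if scores:
        fields["average_confidence"] = mean(scores)
    categories = sorted({s["category"] for s in sources if s.get("category")})
    if categories:
        fields["categories"] = ", ".join(categories)
    names = [s["source"] for s in sources if s.get("source")]
    if names:
        fields["sources"] = ", ".join(names)
    if ioc.get("firstSeenTime"):
        fields["first_seen"] = ioc["firstSeenTime"]
    if ioc.get("lastSeenTime"):
        fields["last_seen"] = ioc["lastSeenTime"]
    if ioc.get("uri"):
        fields["report_link"] = ioc["uri"][0]
    return fields

def should_create_insight(suspicious, create_insight=True, only_suspicious_insight=False):
    """Only Suspicious Insight narrows Create Insight; it never enables insights by itself."""
    if not create_insight:
        return False
    return suspicious if only_suspicious_insight else True

def enrich(iocs, lowest_suspicious_severity="Medium", mark_na_suspicious=False,
           create_insight=True, only_suspicious_insight=False):
    """Per-entity enrichment, suspicion verdict, and whether an insight is created."""
    out = {}
    for entity, ioc in iocs.items():
        suspicious = is_suspicious(ioc, lowest_suspicious_severity, mark_na_suspicious)
        out[entity] = {
            "enrichment": build_enrichment(ioc),
            "is_suspicious": suspicious,
            "insight": should_create_insight(suspicious, create_insight,
                                             only_suspicious_insight),
        }
    return out
```

Calling `enrich(SAMPLE_IOCS)` with the defaults marks only c2.example.net suspicious; the IP with no severity becomes suspicious only when `mark_na_suspicious=True`.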
Output messages

The Enrich IP action provides the following output messages:

Output message Message description
Successfully enriched the following IPs from Google Chronicle: LIST_OF_IPS Action succeeded.
Error executing action "Enrich IP". Reason: ERROR_REASON

Action failed.

Check the connection to the server, the input parameters, or the credentials.

Script result

The following table describes the values for the script result output when using the Enrich IP action:

Script result name Value
is_success True or False

Execute Retrohunt

Use the Execute Retrohunt action to execute a rule retrohunt in Google SecOps.

This action doesn't run on entities.

Action inputs

The Execute Retrohunt action requires the following parameters:

Parameters
Rule ID Required

The ID of the rule to run a retrohunt for.

Time Frame A period to retrieve the results for.

The default value is Last Hour.

Possible values are as follows:
  • Last Hour
  • Last 6 Hours
  • Last 24 Hours
  • Last Week
  • Last Month
  • Alert Time Till Now
  • 5 Minutes Around Alert Time
  • 30 Minutes Around Alert Time
  • 1 Hour Around Alert Time
  • Custom

If Alert Time Till Now is selected, the action uses the start time of the alert as the start time for the search, and sets the End Time parameter to the current time.

If 30 Minutes Around Alert Time is selected, the action searches for alerts 30 minutes before and after the current or selected alert has happened. The same timeframe logic applies to the 1 Hour Around Alert Time and 5 Minutes Around Alert Time parameter values with their corresponding timeframes.

If Custom is selected, the Start Time parameter value is required.

Start Time

The start time for the results.

Configure the parameter value in an ISO 8601 format.

This parameter is required if the Time Frame parameter is set to Custom.

End Time The end time for the results.

Configure the parameter value in an ISO 8601 format.

If you provide no value and select the Custom value for the Time Frame parameter, this parameter uses the current time.

Action outputs

The Execute Retrohunt action provides the following outputs:

Action output type
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
Entity insight Not available
JSON result Available
Output messages Available
Script result Available
JSON result

The following example describes the JSON result output received when using the Execute Retrohunt action:

{
  "retrohuntId": "oh_d738c8ea-8fd7-4cc1-b43d-25835b8e1785",
  "ruleId": "ru_30979d84-aa89-47d6-bf4d-b4bb0eacb497",
  "versionId": "ru_30979d84-aa89-47d6-bf4d-b4bb0eacb497@v_1612472807_179679000",
  "eventStartTime": "2021-01-14T23:00:00Z",
  "eventEndTime": "2021-01-30T23:00:00Z",
  "retrohuntStartTime": "2021-02-08T02:40:59.192113Z",
  "state": "RUNNING"
}
Output messages

The Execute Retrohunt action provides the following output messages:

Output message Message description
Successfully executed a retrohunt for the provided rule in Google Chronicle. Action succeeded.
Error executing action "Execute Retrohunt". Reason: ERROR_REASON Action failed.

Check the connection to the server, the input parameters, or the credentials.

Script result

The following table describes the values for the script result output when using the Execute Retrohunt action:

Script result name Value
is_success True or False

Execute UDM Query

Use the Execute UDM Query action to execute a custom UDM query in Google SecOps.

You can run this action up to 120 times per hour.

This action doesn't run on entities.

Action inputs

The Execute UDM Query action requires the following parameters:

Parameters
Query String Required

A query to execute in Google SecOps.

Time Frame A specified timeframe for the results.

The default value is Last Hour.

Possible values are as follows:
  • Last Hour
  • Last 6 Hours
  • Last 24 Hours
  • Last Week
  • Last Month
  • Alert Time Till Now
  • 5 Minutes Around Alert Time
  • 30 Minutes Around Alert Time
  • 1 Hour Around Alert Time
  • Custom

If Alert Time Till Now is selected, the action uses the start time of the alert as the start time for the search, and sets the End Time parameter to the current time.

If 30 Minutes Around Alert Time is selected, the action searches for alerts 30 minutes before and after the current or selected alert has happened. The same timeframe logic applies to the 1 Hour Around Alert Time and 5 Minutes Around Alert Time values with their corresponding timeframes.

If Custom is selected, provide the Start Time parameter.

Start Time

The start time for the results.

Configure the parameter value in an ISO 8601 format with milliseconds and a timezone using the following template: YYYY-MM-DD HH:mm:ss.SSSZ. The example value is as follows: 2024-04-24 20:37:44.000+0000.

This parameter is required if the Time Frame parameter is set to Custom.

The maximum time range (from start time to end time) is 90 days.

End Time The end time for the results.

Configure the parameter value in an ISO 8601 format with milliseconds and a timezone using the following template: YYYY-MM-DD HH:mm:ss.SSSZ. The example value is as follows: 2024-04-24 20:37:44.000+0000.

If you provide no value and the Time Frame parameter is set to Custom, this parameter uses the current time.

The maximum time range (from start time to end time) is 90 days.

Max Results To Return

The number of results to return for a single query.

The default value is 50.

The maximum value is 10,000.
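The Time Frame rules above, which Execute UDM Query shares with Execute Retrohunt, resolved into a concrete start and end pair in Python as an added example; this is not the integration's own code. It assumes time-zone-aware inputs and treats Last Month as 30 days, which the page does not define; the 90-day limit is applied only when `max_range` is set.

```python
"""Time Frame resolution for the Execute Retrohunt and Execute UDM Query actions.
The alert time is passed in explicitly; in a playbook it comes from the alert
being processed."""
from datetime import datetime, timedelta, timezone

UDM_TIME_FORMAT = "%Y-%m-%d %H:%M:%S.%f%z"  # the YYYY-MM-DD HH:mm:ss.SSSZ template
MAX_UDM_RANGE = timedelta(days=90)          # Execute UDM Query limit from start to end
AROUND_ALERT = {
    "5 Minutes Around Alert Time": timedelta(minutes=5),
    "30 Minutes Around Alert Time": timedelta(minutes=30),
    "1 Hour Around Alert Time": timedelta(hours=1),
}
LAST = {
    "Last Hour": timedelta(hours=1),
    "Last 6 Hours": timedelta(hours=6),
    "Last 24 Hours": timedelta(hours=24),
    "Last Week": timedelta(weeks=1),
    "Last Month": timedelta(days=30),  # assumption: the page does not define a month
}

def parse_time(value):
    """Accept the UDM template (2024-04-24 20:37:44.000+0000) or plain ISO 8601.

    Values without an offset are taken as UTC so they compare with aware times."""
    try:
        parsed = datetime.strptime(value, UDM_TIME_FORMAT)
    except ValueError:
        parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)

def resolve_time_frame(time_frame, now, alert_time=None, start_time=None,
                       end_time=None, max_range=MAX_UDM_RANGE):
    """Return (start, end) for the chosen Time Frame value.

    Pass max_range=None for Execute Retrohunt, which has no 90-day limit."""
    if time_frame in LAST:
        return now - LAST[time_frame], now
    if time_frame == "Alert Time Till Now":
        if alert_time is None:
            raise ValueError("Alert Time Till Now requires an alert time")
        return alert_time, now
    if time_frame in AROUND_ALERT:
        if alert_time is None:
            raise ValueError(f"{time_frame} requires an alert time")
        delta = AROUND_ALERT[time_frame]
        return alert_time - delta, alert_time + delta
    if time_frame == "Custom":
        if not start_time:
            raise ValueError("Start Time is required when Time Frame is Custom")
        start = parse_time(start_time)
        end = parse_time(end_time) if end_time else now  # End Time defaults to now
        if end <= start:
            raise ValueError("End Time must be later than Start Time")
        if max_range is not None and end - start > max_range:
            raise ValueError(f"time range exceeds the maximum of {max_range.days} days")
        return start, end
    raise ValueError(f"unknown Time Frame value: {time_frame}")
```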

Action outputs

The Execute UDM Query action provides the following outputs:

Action output type
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Available
Output messages Available
Script result Available
JSON result

The following example describes the JSON result output received when using the Execute UDM Query action:

{
  "events":[
    {
      "event":{
        "metadata":{
          "eventTimestamp":"2022-01-20T09:15:15.687Z",
          "eventType":"USER_LOGIN",
          "vendorName":"Example Vendor",
          "productName":"Example Product",
          "ingestedTimestamp":"2022-01-20T09:45:07.433587Z"
        },
        "principal":{
          "hostname":"example-user-pc",
          "ip":[
            "203.0.113.0"
          ],
          "mac":[
            "01:23:45:ab:cd:ef",
            "01:23:45:ab:cd:ef",
            "01:23:45:ab:cd:ef"
          ],
          "location":{
            "city":"San Francisco",
            "state":"California",
            "countryOrRegion":"US"
          },
          "asset":{
            "hostname":"example-user-pc",
            "ip":[
              "203.0.113.1",
              "203.0.113.1",
              "203.0.113.1"
            ],
            "mac":[
              "01:23:45:ab:cd:ef",
              "01:23:45:ab:cd:ef",
              "01:23:45:ab:cd:ef"
            ]
          }
        },
        "target":{
          "user":{
            "userid":"Example",
            "userDisplayName":"Example User",
            "windowsSid":"S-1-5-21-4712406912-7108061610-2717800068-993683",
            "emailAddresses":[
              "example@example.com",
              "admin.example@example.com"
            ],
            "employeeId":"2406187",
            "productObjectId":"f93f1540-4935-4266-aa8e-a750a319aa1c",
            "firstName":"Example",
            "lastName":"User",
            "phoneNumbers":[
              "555-01-75"
            ],
            "title":"Executive Assistant",
            "companyName":"Example Corp",
            "department":[
              "Executive - Admin"
            ],
            "managers":[
              {
                "userDisplayName":"Example User",
                "windowsSid":"S-1-5-21-6051382818-4135626959-8120238335-834071",
                "emailAddresses":[
                  "user@example.com"
                ],
                "employeeId":"5478500",
                "productObjectId":"8b3924d5-6157-43b3-857b-78aa6bd94705",
                "firstName":"User",
                "lastName":"Example",
                "phoneNumbers":[
                  "555-01-75"
                ],
                "title":"Chief Technology Officer",
                "companyName":"Example Corp",
                "department":[
                  "Executive - Admin"
                ]
              }
            ]
          },
          "ip":[
            "198.51.100.1"
          ],
          "email":"email@example.com",
          "application":"Example Sign In"
        },
        "securityResult":[
          {
            "summary":"Successful Login",
            "action":[
              "ALLOW"
            ]
          }
        ],
        "extensions":{
          "auth":{
            "type":"SSO"
          }
        }
      },
      "eventLogToken":"96f23eb9ffaa9f7e7b0e2ff5a0d2e34c,1,1642670115687000,USER,|USER_LOGIN"
    }
  ]
}
Output messages

The Execute UDM Query action provides the following output messages:

Output message Message description

Successfully returned results for the query "QUERY" in Google Chronicle.

No results were found for the query "QUERY" in Google Chronicle.

Action succeeded.
Error executing action "Execute UDM Query". Reason: ERROR_REASON

Action failed.

Check the connection to the server, the input parameters, or the credentials.

Error executing action "Execute UDM Query". Reason: you've reached a rate limit. Please wait for several minutes and try again.

Action failed.

Wait for several minutes before running the action again.

Script result

The following table describes the values for the script result output when using the Execute UDM Query action:

Script result name Value
is_success True or False

Get Detection Details

Use the Get Detection Details action to retrieve information about a detection in Google SecOps.

If you provide special characters in the Detection ID parameter, the action doesn't fail but returns a list of detections.

This action doesn't run on entities.

Action inputs

The Get Detection Details action requires the following parameters:

Parameters
Rule ID Required

The ID of the rule related to the detection.

If you use the ru_{UUID} format, the action returns the results from the latest version of the rule, if any. If the detection belongs to a previous version of the rule, use the following format: ru_{UUID}@v_{int64}_{int64}.

Detection ID Required

The ID of the detection to fetch details for.

Action outputs

The Get Detection Details action provides the following outputs:

Action output type
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Available
Output messages Available
Script result Available
JSON result

The following example describes the JSON result output received when using the Get Detection Details action:

{
    "type": "RULE_DETECTION",
    "detection": [
        {
            "ruleName": "singleEventRule2",
            "urlBackToProduct": "https://INSTANCE/ruleDetections?ruleId=ru_1f54ab4b-e523-48f7-ae25-271b5ea8337d&selectedList=RuleDetectionsViewTimeline&selectedParentDetectionId=de_ce594791-09ed-9681-27fa-3b7c8fa6054c&selectedTimestamp=2020-12-03T16:50:47.647245Z",
            "ruleId": "ru_1f54ab4b-e523-48f7-ae25-271b5ea8337d",
            "ruleVersion": "ru_1f54ab4b-e523-48f7-ae25-271b5ea8337d@v_1605892822_687503000",
            "alertState": "NOT_ALERTING",
            "ruleType": "SINGLE_EVENT"
        }
    ],
    "createdTime": "2020-12-03T19:19:21.325134Z",
    "id": "de_ce594791-09ed-9681-27fa-3b7c8fa6054c",
    "timeWindow": {
        "startTime": "2020-12-03T16:50:47.647245Z",
        "endTime": "2020-12-03T16:50:47.647245Z"
    },
    "collectionElements": [
        {
            "references": [
                {
                    "event": {
                        "metadata": {
                            "eventTimestamp": "2020-12-03T16:50:47.647245Z",
                            "collectedTimestamp": "2020-12-03T16:50:47.666064010Z",
                            "eventType": "NETWORK_DNS",
                            "productName": "ProductName",
                            "ingestedTimestamp": "2020-12-03T16:50:49.494542Z"
                        },
                        "principal": {
                            "ip": [
                                "192.0.2.1"
                            ]
                        },
                        "target": {
                            "ip": [
                                "203.0.113.1"
                            ]
                        },
                        "securityResult": [
                            {
                                "action": [
                                    "UNKNOWN_ACTION"
                                ]
                            }
                        ],
                        "network": {
                            "applicationProtocol": "DNS",
                            "dns": {
                                "questions": [
                                    {
                                        "name": "example.com",
                                        "type": 1,
                                        "class": 1
                                    }
                                ],
                                "id": 12345,
                                "recursionDesired": true
                            }
                        }
                    }
                }
            ],
            "label": "e"
        }
    ],
    "detectionTime": "2020-12-03T16:50:47.647245Z"
}
Output messages

The Get Detection Details action provides the following output messages:

Output message Message description
Successfully fetched information about the detection with ID DETECTION_ID in Google Chronicle. Action succeeded.
Error executing action "Get Detection Details". Reason: ERROR_REASON Action returned an error.

Check connection to the server, input parameters, or credentials.

Script result

The following table describes the values for the script result output when using the Get Detection Details action:

Script result name Value
is_success True or False

Get Reference Lists

Use the Get Reference Lists action to get available reference lists in Google SecOps.

This action doesn't run on entities.

Action inputs

The Get Reference Lists action requires the following parameters:

Parameters
Filter Key

The key to use to filter reference lists.

Possible values are as follows:
  • Name
  • Content Type
  • Description
Filter Logic

The filter logic to apply.

The default value is Equal.

Possible values are as follows:
  • Equal
  • Contains
Filter Value The value to use in the filter.

If Equal is selected, the action attempts to find the exact match among the results.

If Contains is selected, the action attempts to find results containing that substring.

The Equal value applies to the title only, while the Contains value applies to all values in the response.

If no value is provided for this parameter, the filter isn't applied.

Expanded Details If selected, the action returns detailed information about the reference lists.

Not selected by default.

Max Reference Lists To Return The number of reference lists to return.

The default value is 100.

Action outputs

The Get Reference Lists action provides the following outputs:

Action output type
Case wall attachment Not available
Case wall link Not available
Case wall table Available
Enrichment table Not available
JSON result Available
Output messages Available
Script result Available
Case wall table

On the Case Wall, the Get Reference Lists action provides the following table:

Name: Available Reference Lists

Columns:

  • Name
  • Description
  • Type
JSON result

The following example describes the JSON result output received when using the Get Reference Lists action:

{
   "name": "list_name",
   "description": "description of the list",
   "lines": [
       "192.0.2.0/24",
       "198.51.100.0/24"
   ],
   "create_time": "2020-11-20T17:18:20.409247Z",
   "content_type": "CIDR"
}
Output messages

The Get Reference Lists action provides the following output messages:

Output message Message description

Successfully found reference lists for the provided criteria in Google Chronicle.

The filter was not applied because parameter "Filter Value" has an empty value.

Action is successful.
Error executing action "ACTION_NAME". Reason: ERROR_REASON Action failed.

Check the connection to the server, the input parameters, or the credentials.

Error executing action "ACTION_NAME". Reason: Invalid value was provided for "Max Reference Lists to Return": PROVIDED_VALUE. Positive number should be provided. Action failed.

Check the value for the Max Reference Lists to Return parameter.

Script result

The following table describes the values for the script result output when using the Get Reference Lists action:

Script result name Value
is_success True or False

Get Rule Details

Use the Get Rule Details action to retrieve information about a rule in Google SecOps.

This action does not run on entities.

Action inputs

The Get Rule Details action requires the following parameters:

Parameters
Rule ID Required

The rule ID to fetch the details for.

Action outputs

The Get Rule Details action provides the following outputs:

Action output type
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Available
Output messages Available
Script result Available
JSON result

The following example describes the JSON result output received when using the Get Rule Details action:

{
    "ruleId": "ru_e6abfcb5-1b85-41b0-b64c-695b3250436f",
    "versionId": "ru_e6abfcb5-1b85-41b0-b64c-695b3250436f@v_1602631093_146879000",
    "ruleName": "SampleRule",
    "metadata": {
      "description": "Sample Description of the Rule",
      "author": "author@example.com"
    },
    "ruleText": "rule SampleRule {\n  meta:\n    description = \"Sample Description of the Rule\"\n    author = \"author@example.com\"\n  events:\n    // This will just generate lots of detections\n    $event.metadata.event_type = \"NETWORK_HTTP\"\n  condition:\n    $event\n}",
    "liveRuleEnabled": true,
    "versionCreateTime": "2020-10-13T23:18:13.146879Z",
    "compilationState": "SUCCEEDED"
}
Output messages

The Get Rule Details action provides the following output messages:

Output message Message description
Successfully fetched information about the rule with ID RULE_ID in Google Chronicle. Action succeeded.
Error executing action "Get Rule Details". Reason: ERROR_REASON Action failed.

Check the connection to the server, the input parameters, or the credentials.

Script result

The following table describes the values for the script result output when using the Get Rule Details action:

Script result name Value
is_success True or False

Is Value In Reference List

Use the Is Value In Reference List action to check if provided values are found in the reference lists in Google SecOps.

This action doesn't run on entities.

Action inputs

The Is Value In Reference List action requires the following parameters:

Parameters
Reference List Names Required

A comma-separated list of reference list names to search through.

Values Required

A comma-separated list of values to search for in reference lists.

Case Insensitive Search If selected, the action performs case-insensitive matching.

Action outputs

The Is Value In Reference List action provides the following outputs:

Action output type
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Available
Output messages Available
Script result Available
JSON result

The following example describes the JSON result output received when using the Is Value In Reference List action:

{
    "Entity": "example.com",
    "EntityResult": {
        "found_in": [
            "Reference list names where the item was found"
        ],
        "not_found_in": [
            "Reference list names where the item wasn't found"
        ],
        "overall_status": "found if at least one reference list contains the value; not found if none of the reference lists contain the value"
    }
}
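The membership check described by the Is Value In Reference List parameters and JSON result, written out in Python as an added example; this is not the integration's own code. The reference lists and their contents are constructed, and a missing list name raises an error in the spirit of the action's "reference lists were not found" failure message.

```python
"""Membership check with the semantics and result shape of the
Is Value In Reference List action."""

# Constructed reference lists keyed by name, as Get Reference Lists would list them.
REFERENCE_LISTS = {
    "blocked_domains": ["evil.example.com", "Bad.Example.net"],
    "allowed_domains": ["example.com", "corp.example.org"],
    "known_cidrs": ["192.0.2.0/24", "198.51.100.0/24"],
}

def split_csv(text):
    """Split a comma-separated parameter value, dropping blanks and surrounding spaces."""
    return [part.strip() for part in text.split(",") if part.strip()]

def check_values(reference_list_names, values, case_insensitive=False,
                 lists=REFERENCE_LISTS):
    """Return one entry per value in the action's JSON result shape.

    Raises ValueError naming every requested list that does not exist, so the
    caller can fall back to Get Reference Lists as the output message advises."""
    names = split_csv(reference_list_names)
    missing = [n for n in names if n not in lists]
    if missing:
        raise ValueError("the following reference lists were not found: "
                         + ", ".join(missing))
    norm = (lambda s: s.lower()) if case_insensitive else (lambda s: s)
    # Normalise each list once so every value lookup is a set membership test.
    indexed = {n: {norm(item) for item in lists[n]} for n in names}
    results = []
    for value in split_csv(values):
        found_in = [n for n in names if norm(value) in indexed[n]]
        not_found_in = [n for n in names if n not in found_in]
        results.append({
            "Entity": value,
            "EntityResult": {
                "found_in": found_in,
                "not_found_in": not_found_in,
                "overall_status": "found" if found_in else "not found",
            },
        })
    return results
```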

Output messages

The Is Value In Reference List action provides the following output messages:

Output message Message description
Successfully searched provided values in the reference lists in Google Chronicle. Action succeeded.
Error executing action "Is Value In Reference List". Reason: ERROR_REASON Action failed.

Check the connection to the server, the input parameters, or the credentials.

Error executing action "Is Value In Reference List". Reason: the following reference lists were not found in Google Chronicle: MISSING_REFERENCE_LIST_NAME(S). Please use the action "Get Reference Lists" to see what reference lists are available. Action failed.

Run the Get Reference Lists action to check for available lists.

Script result

The following table describes the values for the script result output when using the Is Value In Reference List action:

Script result name Value
is_success True or False

List Assets

Use the List Assets action to list the assets in Google SecOps SIEM that are related to the specified entities in the specified time period.

This action only supports the MD5, SHA-1, and SHA-256 hashes.

This action runs on the following entities:

  • URL
  • IP Address
  • Hash

Action inputs

The List Assets action requires the following parameters:

Parameters
Max Hours Backwards The number of hours before now to fetch the assets.

The default value is 1.

Create Insight If selected, the action creates an insight that contains information about the entities.

Selected by default.

Max Assets To Return The number of assets to return in the response.

The default value is 50.

Time Frame A specified timeframe for the results.

The default value is Max Hours Backwards.

If Custom is selected, provide the Start Time parameter.

If you provide the Max Hours Backwards parameter, the action uses it as the time filter to preserve backwards compatibility.

Possible values are as follows:
  • Max Hours Backwards
  • Last Hour
  • Last 6 Hours
  • Last 24 Hours
  • Last Week
  • Last Month
  • Custom
Start Time

The start time for the results.

Configure the parameter value in the ISO 8601 format.

This parameter is required if the Time Frame parameter is set to Custom.

End Time The end time for the results.

Configure the parameter value in the ISO 8601 format.

If you provide no value and set the Time Frame parameter to Custom, this parameter uses the current time value.

Action outputs

The List Assets action provides the following outputs:

Action output type
Case wall attachment Not available
Case wall link Not available
Case wall table Available
Enrichment table Not available
JSON result Available
Output messages Available
Script result Available
Case wall table

Name: ENTITY_IDENTIFIER

Columns:

  • Hostname
  • IP Address
  • First Seen Artifact
  • Last Seen Artifact
JSON result

The following example describes the JSON result output received when using the List Assets action:

{
    "assets": [
      {
        "asset": {
          "hostname": "example"
        },
        "firstSeenArtifactInfo": {
          "artifactIndicator": {
            "domainName": "www.example.com"
          },
          "seenTime": "2020-02-28T09:18:15.675Z"
        },
        "lastSeenArtifactInfo": {
          "artifactIndicator": {
            "domainName": "www.example.com"
          },
          "seenTime": "2020-09-24T06:43:59Z"
        }
      }
    ],
    "uri": [
      "https://INSTANCE/domainResults?domain=www.example.com&selectedList=DomainViewDistinctAssets&whoIsTimestamp=2020-09-27T12%3A07%3A34.166830443Z"
    ]
}
Output messages

The List Assets action provides the following output messages:

Output message Message description
Successfully listed related assets for the following entities from Google Chronicle: ENTITY_IDENTIFIER Action succeeded.
Error executing action "List Assets". Reason: ERROR_REASON

Action failed.

Check the connection to the server, the input parameters, or the credentials.

Script result

The following table describes the values for the script result output when using the List Assets action:

Script result name Value
is_success True or False

List Events

Use the List Events action to list events on the particular asset in the specified time period.

This action can only retrieve 10,000 events. Make sure to narrow down the time period for better results.

This action runs on the following entities:

  • IP address
  • MAC address
  • Hostname

Action inputs

The List Events action requires the following parameters:

Parameters
Event Types

A comma-separated list of the event types that should be returned. If no value is provided, the action fetches all event types.

To check all possible values for this parameter, see Event type possible values.

Time Frame The specified time period for the results.

The default value is Custom.

If you select the Custom value, provide the Start Time parameter.

If you provide the Max Hours Backwards parameter, the action uses it as the time filter to preserve backwards compatibility.

Possible values are as follows:
  • Max Hours Backwards
  • Last Hour
  • Last 6 Hours
  • Last 24 Hours
  • Last Week
  • Last Month
  • Custom
Start Time

The start time for the results.

Configure the parameter value in the ISO 8601 format.

This parameter is required if you set the Time Frame parameter to Custom.

End Time The end time for the results.

Configure the parameter value in the ISO 8601 format.

If you provide no value and set the Time Frame parameter to Custom, this parameter uses the current time value.

This parameter accepts the now value.

Reference Time The reference time for the event search.

Configure the parameter value in the following format: YYYY-MM-DDThh:mmTZD.

If you provide no value, the action uses an end time as the reference time.

Output Required

The output for this action.

Possible values are as follows:
  • Events + Statistics
  • Only Events
  • Only Statistics
Max Events To Return

The number of events to process for a single entity type.

The default value is 100.

Event type possible values

The full list of possible values for the Event Type parameter is as follows:

EVENTTYPE_UNSPECIFIED, PROCESS_UNCATEGORIZED, PROCESS_LAUNCH, PROCESS_INJECTION, PROCESS_PRIVILEGE_ESCALATION, PROCESS_TERMINATION, PROCESS_OPEN, PROCESS_MODULE_LOAD, REGISTRY_UNCATEGORIZED, REGISTRY_CREATION, REGISTRY_MODIFICATION, REGISTRY_DELETION, SETTING_UNCATEGORIZED, SETTING_CREATION, SETTING_MODIFICATION, SETTING_DELETION, MUTEX_UNCATEGORIZED, MUTEX_CREATION, FILE_UNCATEGORIZED, FILE_CREATION, FILE_DELETION, FILE_MODIFICATION, FILE_READ, FILE_COPY, FILE_OPEN, FILE_MOVE, FILE_SYNC, USER_UNCATEGORIZED, USER_LOGIN, USER_LOGOUT, USER_CREATION, USER_CHANGE_PASSWORD, USER_CHANGE_PERMISSIONS, USER_STATS, USER_BADGE_IN, USER_DELETION, USER_RESOURCE_CREATION, USER_RESOURCE_UPDATE_CONTENT, USER_RESOURCE_UPDATE_PERMISSIONS, USER_COMMUNICATION, USER_RESOURCE_ACCESS, USER_RESOURCE_DELETION, GROUP_UNCATEGORIZED, GROUP_CREATION, GROUP_DELETION, GROUP_MODIFICATION, EMAIL_UNCATEGORIZED, EMAIL_TRANSACTION, EMAIL_URL_CLICK, NETWORK_UNCATEGORIZED, NETWORK_FLOW, NETWORK_CONNECTION, NETWORK_FTP, NETWORK_DHCP, NETWORK_DNS, NETWORK_HTTP, NETWORK_SMTP, STATUS_UNCATEGORIZED, STATUS_HEARTBEAT, STATUS_STARTUP, STATUS_SHUTDOWN, STATUS_UPDATE, SCAN_UNCATEGORIZED, SCAN_FILE, SCAN_PROCESS_BEHAVIORS, SCAN_PROCESS, SCAN_HOST, SCAN_VULN_HOST, SCAN_VULN_NETWORK, SCAN_NETWORK, SCHEDULED_TASK_UNCATEGORIZED, SCHEDULED_TASK_CREATION, SCHEDULED_TASK_DELETION, SCHEDULED_TASK_ENABLE, SCHEDULED_TASK_DISABLE, SCHEDULED_TASK_MODIFICATION, SYSTEM_AUDIT_LOG_UNCATEGORIZED, SYSTEM_AUDIT_LOG_WIPE, SERVICE_UNSPECIFIED, SERVICE_CREATION, SERVICE_DELETION, SERVICE_START, SERVICE_STOP, SERVICE_MODIFICATION, GENERIC_EVENT, RESOURCE_CREATION, RESOURCE_DELETION, RESOURCE_PERMISSIONS_CHANGE, RESOURCE_READ, RESOURCE_WRITTEN, ANALYST_UPDATE_VERDICT, ANALYST_UPDATE_REPUTATION, ANALYST_UPDATE_SEVERITY_SCORE, ANALYST_UPDATE_STATUS, ANALYST_ADD_COMMENT.

Action outputs

The List Events action provides the following outputs:

Action output type
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Available
Output messages Available
Script result Available
JSON result

The following example describes the JSON result output received when using the List Events action:

{
    "statistics": {
        "NETWORK_CONNECTION": 10
    },
    "events": [
      {
        "metadata": {
          "eventTimestamp": "2020-09-28T14:20:00Z",
          "eventType": "NETWORK_CONNECTION",
          "productName": "EXAMPLE Name",
          "productEventType": "NETWORK_DNS",
          "ingestedTimestamp": "2020-09-28T16:28:11.615578Z"
        },
        "principal": {
          "hostname": "user-example-pc",
          "assetId": "EXAMPLE:user-example-pc",
          "process": {
            "pid": "1101",
            "productSpecificProcessId": "EXAMPLE:32323"
          }
        },
        "target": {
          "hostname": "example.com",
          "user": {
            "userid": "user"
          },
          "process": {
            "pid": "8172",
            "file": {
              "md5": "a219fc7fcc93890a842183388f80369e",
              "fullPath": "C:\\Program Files(x86)\\adobe\\acrobat reader dc\\reader\\acrord32.exe"
            },
            "commandLine": "\"C:\\Program Files(x86)\\adobe\\acrobat reader dc\\reader\\acrord32.exe\" ...",
            "productSpecificProcessId": "EXAMPLE:82315"
          }
        }
      },
      {
        "metadata": {
          "eventTimestamp": "2020-09-28T17:20:00Z",
          "eventType": "NETWORK_CONNECTION",
          "productName": "EXAMPLE Name",
          "productEventType": "NETWORK_DNS",
          "ingestedTimestamp": "2020-09-28T16:28:11.615578Z"
        },
        "principal": {
          "hostname": "user-example-pc",
          "assetId": "EXAMPLE:user-example-pc",
          "process": {
            "pid": "1101",
            "productSpecificProcessId": "EXAMPLE:32323"
          }
        },
        "target": {
          "hostname": "example.com",
          "user": {
            "userid": "user"
          },
          "process": {
            "pid": "8172",
            "file": {
              "md5": "a219fc7fcc93890a842183388f80369e",
              "fullPath": "C:\\Program Files(x86)\\adobe\\acrobat reader dc\\reader\\acrord32.exe"
            },
            "commandLine": "\"C:\\Program Files(x86)\\adobe\\acrobat reader dc\\reader\\acrord32.exe\" ...",
            "productSpecificProcessId": "EXAMPLE:82315"
          }
        }
      }
    ],
    "uri": [
      "https://INSTANCE/assetResults?assetIdentifier=user-example-pc&referenceTime=2020-09-28T17%3A00%3A00Z&selectedList=AssetViewTimeline&startTime=2020-09-28T14%3A20%3A00Z&endTime=2020-09-28T20%3A20%3A00Z"
    ]
}
Output messages

The List Events action provides the following output messages:

Output message Message description
Successfully listed related events for the following entities from Google Chronicle: ENTITY_IDENTIFIER Action succeeded.
Error executing action "List Events". Reason: ERROR_REASON

Action failed.

Check the connection to the server, the input parameters, or the credentials.

Error executing action "List Events". Reason: invalid event type is provided. Please check the spelling. Supported event types: SUPPORTED_EVENT_TYPES

Action failed.

Check the spelling.

Script result

The following table describes the values for the script result output when using the List Events action:

Script result name Value
is_success True or False

List IOCs

Use the List IOCs action to list all of the IoCs discovered in your enterprise within the specified time range.

If you receive the maximum number of IoCs you specified using the Max IoCs to Fetch parameter (or 10,000, the default value), there might still be more IoCs discovered in your Google SecOps account. Some IoCs within your data could be present before Google SecOps discovered them. To ensure that you have visibility on all possible IoCs, narrow down the time range and run the action again.

This action doesn't run on entities.

Action inputs

The List IOCs action requires the following parameters:

Parameters
Start Time The start time for the results.

Use the ISO 8601 format to configure this parameter.

Max IoCs to Fetch The maximum number of IoCs to return.

The applicable range is from 1 to 10,000.

The default value is 50.

Action outputs

The List IOCs action provides the following outputs:

Action output type
Case wall attachment Not available
Case wall link Not available
Case wall table Available
Enrichment table Not available
JSON result Available
Output messages Available
Script result Available
JSON result

The following example describes the JSON result output received when using the List IOCs action:

{
   "matches":[
      {
         "artifact":{
            "domainName":"www.example.com"
         },
         "firstSeenTime":"2018-05-25T20:47:11.048998Z",
         "iocIngestTime":"2019-08-14T21:00:00Z",
         "lastSeenTime":"2019-10-24T16:19:46.880830Z",
         "sources":[
            {
               "category":"Spyware Reporting Server",
               "confidenceScore":{
                  "intRawConfidenceScore":0,
                  "normalizedConfidenceScore":"Low"
               },
               "rawSeverity":"Medium",
               "source":"Example List"
            }
         ],
         "uri":["URI"]
      }
   ],
   "moreDataAvailable":true
}
Output messages

The List IOCs action provides the following output messages:

Output message Message description
Successfully listed IOCs from the provided timeframe in Google Chronicle. Action succeeded.
Error executing action "List IOCs". Reason: ERROR_REASON

Action failed.

Check the connection to the server, the input parameters, or the credentials.

Script result

The following table describes the values for the script result output when using the List IOCs action:

Script result name Value
is_success True or False
Case wall table

Columns:

  • Domain
  • Category
  • Source
  • Confidence
  • Severity
  • IoC Ingest Time
  • IoC First Seen Time
  • IoC Last Seen Time
  • URI

Lookup Similar Alerts

Use the Lookup Similar Alerts action to search for similar alerts in Google SecOps.

This action only works with Google SecOps alerts received from the Chronicle Alerts Connector. To get better results, narrow down the search period.

Depending on the underlying alert type, the action behaves differently. If the alert is rule-based (Rule alert), the action attempts to match alerts based on rule names. For External alerts, the action matches alerts based on the alert name.

The Lookup Similar Alerts action queries a sizable volume of alerts in the background based on the configured period. In responses, the action searches for specific keys and extracts possible IoCs.

This action creates distinct results based on the alert, rule, or product name, and IoC that was used during the search.

How the Similarity By parameter works

Rule alerts and External alerts work differently in regards to the Similarity By parameter.

For example, if Alert Name, Alert Type and Product or Alert Name, Alert Type options are selected:

  • For External alerts, the action only searches for other External alerts and returns only information about those that have the same name.
  • For Rule alerts, the action looks at the rule name that triggered the alert and only processes alerts originating from the same rule.

If you select the Product option, the action only processes alerts originated from the same product. For example, if an alert originated in Crowdstrike, the action only matches with alerts that also originated in Crowdstrike. It doesn't matter if it was a Rule alert or External alert because the action queries and extracts data from both alert types. In all situations, the action searches for the IoCs provided in the IOCs/Assets parameter in the predefined fields.

An IoC alert can only run this action with the Similarity By parameter set to Only IOCs/Assets. If any other option is provided, the action sets the value to Only IOCs/Assets in the background.

The Lookup Similar Alerts is a general purpose action suitable for all playbooks working with the Google SecOps SIEM alerts. This action lets analysts correlate different alerts that happen in the same period and extract all of the relevant IoCs, which are then used to understand if there is a true positive incident.

Action inputs

The Lookup Similar Alerts action requires the following parameters:

Parameters
Time Frame The specified time period for the results.

The default value is Last Hour.

Possible values are as follows:
  • Last Hour
  • Last 6 Hours
  • Last 24 Hours
  • Last Week
  • Last Month
  • Alert Time Till Now
  • 5 Minutes Around Alert Time
  • 30 Minutes Around Alert Time
  • 1 Hour Around Alert Time

If you select Alert Time Till Now, the action uses the start time of the alert as a start time for the search and sets the End Time parameter to current time.

If you select 30 Minutes Around Alert Time, the action searches for alerts 30 minutes before and after the current or selected alert has happened. The same logic applies to the 1 Hour Around Alert Time and 5 Minutes Around Alert Time values with their corresponding timeframes.

IOCs / Assets Required

A comma-separated list of IoCs or assets to find in the alerts.

The action performs a different search for every provided item.

Similarity By

Attributes to use when the action is searching for similar alerts.

The default value is Alert Name, Alert Type and Product.

Possible values are as follows:
  • Alert Name, Alert Type and Product
  • Alert Name and Alert Type
  • Product
  • Only IOCs/Assets

If you select Alert Name and Alert Type, the action attempts to find all of the alerts with the same alert name and IoCs/Assets for the underlying alert type.

If you select Product, the action attempts to find all alerts originating from the same product and possessing the same IoCs/Assets. The action searches through both External and Rule alerts.

If you select Only IOCs/Assets, the action matches the similarity based upon the items provided in the IOCs/Assets parameter. The action searches through both External and Rule alerts.

Action outputs

The Lookup Similar Alerts action provides the following outputs:

Action output type
Case wall attachment Not available
Case wall link Available
Case wall table Available
Enrichment table Not available
JSON result Available
Output messages Available
Script result Available
JSON result

The following example describes the JSON result output received when using the Lookup Similar Alerts action:

{
    "count": 123,
    "distinct": [
        {
            "first_seen": "time of the first alert that matched our conditions",
            "last_seen": "time of the last alert that matched our conditions",
            "product_name": "product name",
            "used_ioc_asset": "what user provided in the parameter IOCs and Assets",
            "name": "Alert Name/Rule Name",
            "hostnames": "csv list of unique hostnames that were found in alerts",
            "urls": "csv list of unique urls that were found in alerts",
            "ips": "csv list of unique ips that were found in alerts",
            "subjects": "csv list of unique subjects that were found in alerts",
            "users": "csv list of unique users that were found in alerts",
            "email_addresses": "csv list of unique email_addresses that were found in alerts",
            "hashes": "csv list of unique hashes that were found in alerts",
            "processes": "csv list of unique processes that were found in alerts",
            "rule_urls": ["Chronicle URL from API response for Rule"],
            "count": 123
        }
    ],
    "processed_alerts": 10000,
    "run_time": "how long it took to run the action or at least API request",
    "EXTERNAL_url": "Chronicle URL from API response for EXTERNAL"
}
Output messages

The Lookup Similar Alerts action provides the following output messages:

Output message Message description
Successfully found similar alerts from the provided timeframe in Google Chronicle. Action succeeded.
No similar alerts were found from the provided timeframe in Google Chronicle. Action succeeded.
Error executing action "Lookup Similar Alerts". Reason: ERROR_REASON

Action failed.

Check the connection to the server, the input parameters, or the credentials.

Error executing action "Lookup Similar Alerts". Reason: all of the retries are exhausted. Please wait for a minute and try again.

Action failed.

Wait for a minute before running the action again.

Script result

The following table describes the values for the script result output when using the Lookup Similar Alerts action:

Script result name Value
is_success True or False
Case wall table

Name: IOC/ASSET_IDENTIFIER

Columns:

  • Product
  • Hostnames
  • IPs
  • Users
  • Email Addresses
  • Subjects
  • URLs
  • Hashes
  • Processes
  • First Seen
  • Last Seen
  • Alert Name
  • General
  • CBN: GENERATED_LINK_BASED_ON_IU_ROOT_URL
  • Rule: GENERATED_LINK_BASED_ON_IU_ROOT_URL

Ping

Use the Ping action to test connectivity to Google SecOps SIEM.

This action doesn't run on entities.

Action inputs

None.

Action outputs

The Ping action provides the following outputs:

Action output type
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result N/A
Output messages Available
Script result Available
Output messages

The Ping action provides the following output messages:

Output message Message description
Successfully connected to the Google Chronicle backstory with the provided connection parameters! Action succeeded.
Failed to connect to the Google Chronicle backstory. Error is ERROR_REASON

Action failed.

Check the connection to the server.

Script result

The following table describes the values for the script result output when using the Ping action:

Script result name Value
is_success True or False

Remove Values From Reference List

Use the Remove Values From Reference List action to remove values from a reference list in Google SecOps.

This action doesn't run on entities.

Action inputs

The Remove Values From Reference List action requires the following parameters:

Parameters
Reference List Name Required

The reference list name to update.

Values Required

A comma-separated list of values to remove from a reference list.

Action outputs

The Remove Values From Reference List action provides the following outputs:

Action output type
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Available
Output messages Available
Script result Available
JSON result

The following example describes the JSON result output received when using the Remove Values From Reference List action:

{
   "name": "list_name",
   "description": "description of the list",
   "lines": [
       "192.0.2.0/24",
       "198.51.100.0/24"
   ],
   "create_time": "2020-11-20T17:18:20.409247Z",
   "content_type": "CIDR"
}
Output messages

The Remove Values From Reference List action provides the following output messages:

Output message Message description
Successfully removed values from the reference list. Action succeeded.
Error executing action "Remove Values From Reference List". Reason: ERROR_REASON Action failed.

Check the connection to the server, the input parameters, or the credentials.

Script result

The following table describes the values for the script result output when using the Remove Values From Reference List action:

Script result name Value
is_success True or False

Connectors

For more detail about how to configure connectors in Google SecOps SOAR, see Ingest your data (connectors).

Chronicle Alerts Connector

Use the Chronicle Alerts Connector to pull information about the rule-based alerts from Google SecOps SIEM.

You can use the dynamic list to filter alerts and alert types.

Overview

This connector lets you ingest multiple alert types from Google SecOps SIEM.

To ensure the flexibility of the connector, use a dynamic list. For more details about the supported filter, see the Dynamic list filter section.

The Chronicle Alerts Connector queries data within a one-week period.

A delay can occur between the time that Google SecOps SIEM indexes an alert and when indexing completes. To mitigate the risk of missing alerts, set a padding period for the connector. Additionally, increase the connector timeout. A significant padding period can negatively impact connector performance.

If the Google SecOps SOAR alert lacks a severity value, the connector uses the value specified in the Fallback Severity parameter when creating the corresponding Google SecOps SOAR alert.

To ingest IOCs using the Chronicle Alerts Connector, create a detection rule in Google SecOps SIEM to generate alerts based on the IOCs. To create a detection rule, see Default detection rules in the Google SecOps SIEM documentation.

Dynamic list filter

The purpose of the dynamic list is to filter different alert types. You can access the dynamic list from the connector configuration page.

Operator rules

The operator rules for the dynamic list are as follows:

  • Values provided in a comma-separated manner are treated with OR logic.
  • Every line in the dynamic list is treated with AND logic.
  • Supported operators are different between different Filter Keys.

The following are the examples of using operator rules:

  • Rule.severity = medium: The connector only ingests rule alerts with the medium severity.
  • Rule.severity = low,medium: The connector only ingests rule alerts with the medium or low severity.
  • Rule.ruleName = default_rule: The connector only ingests rule alerts with the default_rule name.
Supported filters list

The Chronicle Alerts Connector supports the following filters:

Filter key Response key Operators Possible values
Rule.severity detection/ruleLabels/severity =, !=, >, <, >=, <= Info, Error, Low, Medium, High, Critical. The values are case insensitive.
Rule.ruleName detection/ruleName =, != Not applicable. Defined by the user.
Rule.ruleID detection/ruleId =, != Not applicable. Defined by the user.
Rule.ruleLabels.{key} detection/ruleLabels =, != Defined by the user.
Dynamic key handling for the rule based detection

To work with the ruleLabels key, format your dynamic list as follows:

Rule.ruleLabels.{key}

Example

The rule is as follows:

"ruleLabels": [
    {
        "key": "author",
        "value": "analyst123"
    },
    {
        "key": "type",
        "value": "suspicious_behaviour"
    },
    {
        "key": "severity",
        "value": "Medium"
    }
]

To apply filters based on ruleLabels.type, the input for the dynamic list is as follows:

Rule.ruleLabels.type=suspicious_behaviour
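As an added example (not the connector's own code), the following Python applies the operator rules above to a detection: comma-separated values are OR, lines are AND, operators are checked per filter key, and Rule.ruleLabels.{key} reads the named rule label. It assumes the severities in the filter table are listed in ascending order, so that "Rule.severity > medium" matches High and Critical; the detection is constructed in the shape of the rule alert example on this page.

```python
# Added example, not the connector's own code: evaluates dynamic-list filter
# lines against a rule detection using the operator rules described on this
# page (comma-separated values are OR, lines are AND, Rule.ruleLabels.{key}
# reads a rule label). Assumption: the severities listed on the page are in
# ascending order, so "Rule.severity > medium" matches High and Critical.
import re

SEVERITY_ORDER = ["info", "error", "low", "medium", "high", "critical"]

# Operators the page lists per filter key; Rule.ruleLabels.{key} gets =, !=.
OPERATORS = {
    "Rule.severity": {"=", "!=", ">", "<", ">=", "<="},
    "Rule.ruleName": {"=", "!="},
    "Rule.ruleID": {"=", "!="},
}
LABEL_PREFIX = "Rule.ruleLabels."

# Longer operators come first so ">=" is not read as ">" followed by "=".
LINE_RE = re.compile(
    r"^\s*(?P<key>Rule\.[A-Za-z0-9_.]+)\s*(?P<op>>=|<=|!=|=|>|<)\s*(?P<values>.+?)\s*$")


def parse_filter_line(line):
    """Return (key, operator, [values]) or raise ValueError for a bad line."""
    match = LINE_RE.match(line)
    if not match:
        raise ValueError(f"cannot parse dynamic list line: {line!r}")
    key, op, raw_values = match.group("key", "op", "values")
    allowed = {"=", "!="} if key.startswith(LABEL_PREFIX) else OPERATORS.get(key)
    if allowed is None:
        raise ValueError(f"unsupported filter key: {key}")
    if op not in allowed:
        raise ValueError(f"operator {op!r} is not supported for {key}")
    values = [v.strip() for v in raw_values.split(",") if v.strip()]
    return key, op, values


def rule_labels(detection):
    """Flatten the ruleLabels [{key, value}, ...] array into a dict."""
    return {label["key"]: label["value"] for label in detection.get("ruleLabels", [])}


def response_value(detection, key):
    """Resolve a filter key to the response key from the supported filters table."""
    if key == "Rule.severity":
        return rule_labels(detection).get("severity")
    if key == "Rule.ruleName":
        return detection.get("ruleName")
    if key == "Rule.ruleID":
        return detection.get("ruleId")
    return rule_labels(detection).get(key[len(LABEL_PREFIX):])


def value_matches(actual, op, expected, key):
    if key == "Rule.severity":
        # Severity comparisons are case insensitive and use the ordered scale.
        if actual.lower() not in SEVERITY_ORDER or expected.lower() not in SEVERITY_ORDER:
            return False
        a, e = SEVERITY_ORDER.index(actual.lower()), SEVERITY_ORDER.index(expected.lower())
        return {"=": a == e, "!=": a != e, ">": a > e, "<": a < e,
                ">=": a >= e, "<=": a <= e}[op]
    return actual == expected if op == "=" else actual != expected


def line_matches(detection, line):
    key, op, values = parse_filter_line(line)
    actual = response_value(detection, key)
    if actual is None:  # the detection has no such field or label
        return False
    # Comma-separated values are OR, so "!= a,b" is true for any single value;
    # write exclusions one value per line to get AND between them.
    return any(value_matches(actual, op, v, key) for v in values)


def dynamic_list_matches(detection, lines):
    """Every non-empty line must match (AND); an empty list matches everything."""
    return all(line_matches(detection, line) for line in lines if line.strip())


# Constructed detection in the shape of the rule alert example on this page.
SAMPLE_DETECTION = {
    "ruleName": "d3_test",
    "ruleId": "ru_74dd17e2-5aad-4053-acd7-958bead014f2",
    "ruleLabels": [
        {"key": "author", "value": "analyst123"},
        {"key": "type", "value": "suspicious_behaviour"},
        {"key": "severity", "value": "Medium"},
    ],
}

if __name__ == "__main__":
    for dynamic_list in (["Rule.severity = low,medium"],
                         ["Rule.ruleName = d3_test", "Rule.ruleLabels.type=suspicious_behaviour"],
                         ["Rule.severity >= high"]):
        print(dynamic_list, "->", dynamic_list_matches(SAMPLE_DETECTION, dynamic_list))
```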
Connector inputs

The Chronicle Alerts Connector requires the following parameters:

Parameters
Product Field Name Required

Enter the source field name to retrieve the Product Field name.

The default value is Product Name.

Event Field Name Required

Enter the source field name to retrieve the Event Field name.

The default value is event_type.

Environment Field Name Optional

The name of the field where the environment name is stored.

If the environment field isn't found, the environment is the default environment.

The default value is "".

Environment Regex Pattern Optional

A regular expression pattern to run on the value found in the Environment Field Name field. This parameter lets you manipulate the environment field using the regular expression logic.

Use the default value .* to retrieve the required raw Environment Field Name value.

If the regular expression pattern is null or empty, or the environment value is null, the final environment result is the default environment.

Script Timeout (Seconds) Required

The timeout limit for the Python process running the current script.

The default value is 180.

API Root Required

The API root of the Google SecOps SIEM instance.

Google SecOps provides regional endpoints for each API, for example, https://europe-backstory.googleapis.com or https://asia-southeast1-backstory.googleapis.com.

If you don't know which endpoint to use, [contact Cloud Customer Care](/chronicle/docs/getting-support).

The default value is https://backstory.googleapis.com.

User's Service Account Required

The service account that you use for authentication.

Fallback Severity Required

The fallback severity for the detection.

This parameter is used if Google SecOps SIEM detection doesn't include any information related to the severity.

The default value is Medium.

Possible values are as follows:
  • Critical
  • High
  • Medium
  • Low
  • Info
Max Hours Backwards Optional

The number of hours before the first connector iteration to retrieve the incidents from. This parameter applies only once to the initial connector iteration after you enable the connector for the first time.

The default value is 1 hour. Max value is 1 week.

Max Alerts To Fetch Optional

The number of alerts to process per one connector iteration.

The default value is 100.

Disable Event Splitting Optional

If selected, the connector doesn't split original events into multiple events, so the event count in Google SecOps SOAR matches the event count in Google SecOps SIEM.

Not selected by default.

Verify SSL Required

If selected, Google SecOps verifies that the SSL certificate for the connection to the Google SecOps SIEM server is valid.

Selected by default.

Proxy Server Address Optional

The address of the proxy server to use.

Proxy Username Optional

The proxy username to authenticate with.

Proxy Password Optional

The proxy password to authenticate with.

Disable Overflow Optional

Select to disable an event overflow.

Not selected by default.

Connector rules

The connector supports proxies.

Alert structure

The following table describes the structure of alerts in Google SecOps:

Alert attribute name Product source (JSON key from an API response) Output JSON example
SourceSystemName Filled by framework Filled by framework
TicketId Value from ids.json file 60112f06545160bf3f54e8b3
DisplayId Automatically generated cf24dbb0-89fa-11ea-d9dc-000000000003
Name
  • alertInfos/name
  • IOC Alert
  • detection/ruleName
Suspicious: File
Reason Not available Not available
Description For the rule based alerts only: detection/ruleLabels/description (if exists) Not available
DeviceVendor Hardcoded value is Google Chronicle Checkpoint
DeviceProduct Hardcoded field:
  • RULE: For rule detection alerts
  • IOC: For IOC matches
  • EXTERNAL: For external alerts
Harmony Mobile
Priority Taken from response or from the Fallback Severity parameter High
RuleGenerator
  • alertInfos/name for external alerts
  • IOC Alert (hardcoded) for IOC matches
  • detection/ruleName for rule detection alerts
FILE
SourceGroupingIdentifier Not available Not available
StartTime
  • timestamp for external alerts
  • lastSeenTime for IOC based alerts
  • timeWindow/startTime for rule based alerts
2020-10-12T16:31:49.019Z
EndTime
  • timestamp for external alerts
  • lastSeenTime for IOC based alerts
  • timeWindow/startTime for rule based alerts
2020-10-12T16:31:49.019Z
Chronicle Alert - Extensions
  • alert_type (alert_type) for all alerts
  • rule_id (ruleId), product_name (CSV of event/metadata/productName values) for rule based alerts
  • alert_name (name), product_name (CSV of UDM event/metadata/productName values) for external alerts
Not available
Chronicle Alert - Attachments Not available Not available

Events

Events for the Chronicle Alerts Connector include rule alerts, external alerts, and IOC alerts.

Rule alerts

An example of the rule alert is as follows:

 {
    "alert_type": "RULE",
    "event_type": "NETWORK_DHCP",
    "type": "RULE_DETECTION",
    "detection": [
        {
            "ruleName": "d3_test",
            "urlBackToProduct": "https://INSTANCE/ruleDetections?ruleId=ru_74dd17e2-5aad-4053-acd7-958bead014f2&selectedList=RuleDetectionsViewTimeline&selectedParentDetectionId=de_b5dadaf4-b398-325f-9f09-833b71b3ffbb&selectedTimestamp=2022-02-08T05:02:36Z&versionTimestamp=2020-11-19T18:19:11.951951Z",
            "ruleId": "ru_74dd17e2-5aad-4053-acd7-958bead014f2",
            "ruleVersion": "ru_74dd17e2-5aad-4053-acd7-958bead014f2@v_1605809951_951951000",
            "alertState": "NOT_ALERTING",
            "ruleType": "SINGLE_EVENT",
            "ruleLabels": [
                {
                    "key": "author",
                    "value": "analyst123"
                },
                {
                    "key": "description",
                    "value": "8:00 AM local time"
                },
                {
                    "key": "severity",
                    "value": "Medium"
                }
            ]
        }
    ],
    "createdTime": "2022-02-08T06:07:33.944951Z",
    "id": "de_b5dadaf4-b398-325f-9f09-833b71b3ffbb",
    "timeWindow": {
        "startTime": "2022-02-08T05:02:36Z",
        "endTime": "2022-02-08T05:02:36Z"
    },
    "collectionElements": [
        {
            "references": [
                {
                    "event": {
                        "metadata": {
                            "eventTimestamp": "2022-02-08T05:02:36Z",
                            "eventType": "NETWORK_DHCP",
                            "productName": "Infoblox DHCP",
                            "ingestedTimestamp": "2022-02-08T05:03:03.892234Z"
                        },
                        "principal": {
                            "ip": [
                                "198.51.100.255",
                                "198.51.100.1"
                            ],
                            "mac": [
                                "01:23:45:ab:cd:ef"
                            ],
                            "email_address": [
                                "example@example.com"
                            ]
                        },
                        "target": {
                            "hostname": "dhcp_server",
                            "ip": [
                                "198.51.100.0",
                                "198.51.100.1"
                            ]
                        },
                        "network": {
                            "applicationProtocol": "DHCP",
                            "dhcp": {
                                "opcode": "BOOTREQUEST",
                                "ciaddr": "198.51.100.255",
                                "giaddr": "198.51.100.0",
                                "chaddr": "01:23:45:ab:cd:ef",
                                "type": "REQUEST",
                                "clientHostname": "example-user-pc",
                                "clientIdentifier": "AFm/LDfjAw=="
                            }
                        }
                    }
                }
            ],
            "label": "e"
        }
    ],
    "detectionTime": "2022-02-08T05:02:36Z"
}

External alerts

An example of an external alert is as follows:

{
    "alert_type": "External",
    "event_type": "GENERIC_EVENT",
    "name": "Authentication failure [32038]",
    "sourceProduct": "Internal Alert",
    "severity": "Medium",
    "timestamp": "2020-09-30T18:03:34.898194Z",
    "rawLog": "U2VwIDMwIDE4OjAzOjM0Ljg5ODE5NCAxMC4wLjI5LjEwOSBBdXRoZW50aWNhdGlvbiBmYWlsdXJlIFszMjAzOF0=",
    "uri": [
        "https://INSTANCE/assetResults?assetIdentifier=198.51.100.109&namespace=[untagged]&referenceTime=2020-09-30T18%3A03%3A34.898194Z&selectedList=AssetViewTimeline&startTime=2020-09-30T17%3A58%3A34.898194Z&endTime=2020-09-30T18%3A08%3A34.898194Z&selectedAlert=-610875602&selectedEventTimestamp=2020-09-30T18%3A03%3A34.898194Z"
    ],
    "event": {
        "metadata": {
            "eventTimestamp": "2020-09-30T18:03:34.898194Z",
            "eventType": "GENERIC_EVENT",
            "productName": "Chronicle Internal",
            "ingestedTimestamp": "2020-09-30T18:03:34.991592Z"
        },
        "target": [
            {
                "ip": [
                    "198.51.100.255",
                    "198.51.100.1"
                ]
            }
        ],
        "securityResult": [
            {
                "summary": "Authentication failure [32038]",
                "severityDetails": "Medium"
            }
        ]
    }
}

IOC Alerts

An example of an IOC alert is as follows:

{
    "alert_type": "IOC",
    "event_type": "IOC Alert",
    "artifact": {
        "domainName": "example.com"
    },
    "sources": [
        {
            "source": "Example List",
            "confidenceScore": {
                "normalizedConfidenceScore": "Low",
                "intRawConfidenceScore": 0
            },
            "rawSeverity": "High",
            "category": "Malware Command and Control Server"
        }
    ],
    "iocIngestTime": "2020-09-07T11:00:00Z",
    "firstSeenTime": "2018-10-03T00:01:59Z",
    "lastSeenTime": "2022-02-04T20:02:29.191Z",
    "uri": [
        "https://INSTANCE/domainResults?domain=example.com&selectedList=DomainViewDistinctAssets&whoIsTimestamp=2022-02-08T15%3A08%3A52.434022777Z"
    ]
}
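The following Python is an added example, not the connector's own code: it applies the field mapping table above to trimmed copies of the three sample alerts. Which response field the severity is read from is this example's assumption (the rule label named severity, the external alert's severity field, the IOC source's rawSeverity), as is the conversion of StartTime and EndTime to epoch milliseconds.

```python
from datetime import datetime

# Constructed samples: the page's rule, external and IOC alert examples,
# trimmed to the fields the mapping reads.
RULE_ALERT = {
    "alert_type": "RULE",
    "detection": [{
        "ruleName": "d3_test",
        "ruleId": "ru_74dd17e2-5aad-4053-acd7-958bead014f2",
        "ruleLabels": [{"key": "description", "value": "8:00 AM local time"},
                       {"key": "severity", "value": "Medium"}],
    }],
    "timeWindow": {"startTime": "2022-02-08T05:02:36Z",
                   "endTime": "2022-02-08T05:02:36Z"},
    "collectionElements": [{"references": [
        {"event": {"metadata": {"productName": "Infoblox DHCP"}}}]}],
}
EXTERNAL_ALERT = {
    "alert_type": "External",
    "name": "Authentication failure [32038]",
    "severity": "Medium",
    "timestamp": "2020-09-30T18:03:34.898194Z",
    "event": {"metadata": {"productName": "Chronicle Internal"}},
}
IOC_ALERT = {
    "alert_type": "IOC",
    "sources": [{"rawSeverity": "High", "category": "Malware Command and Control Server"}],
    "lastSeenTime": "2022-02-04T20:02:29.191Z",
}
SEVERITIES = ("Informational", "Low", "Medium", "High", "Critical")


def to_epoch_ms(ts):
    """RFC 3339 timestamp (as in the samples) -> Unix epoch milliseconds, or None."""
    if not ts:
        return None
    return int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp() * 1000)


def _product_names(events):
    """CSV of distinct metadata.productName values, in order of appearance."""
    seen = []
    for ev in events:
        name = ((ev or {}).get("metadata") or {}).get("productName")
        if name and name not in seen:
            seen.append(name)
    return ",".join(seen) or None


def map_alert(alert, fallback_severity="Medium"):
    """Build the SOAR fields of the mapping table from one Chronicle alert.

    Assumed here (the page only says "taken from response"): severity comes from
    the rule label "severity", the external alert's "severity", or the first IOC
    source's "rawSeverity"; anything missing or unknown uses fallback_severity.
    """
    kind = (alert.get("alert_type") or "").upper()
    if kind == "RULE":
        det = (alert.get("detection") or [{}])[0]
        labels = {lab.get("key"): lab.get("value") for lab in det.get("ruleLabels") or []}
        events = [ref.get("event") for col in alert.get("collectionElements") or []
                  for ref in col.get("references") or []]
        name, description = det.get("ruleName"), labels.get("description")
        severity, window = labels.get("severity"), alert.get("timeWindow") or {}
        start = window.get("startTime") or alert.get("startTime")
        end = window.get("endTime") or start
        extensions = {"alert_type": kind, "rule_id": det.get("ruleId"),
                      "product_name": _product_names(events)}
    elif kind == "EXTERNAL":
        infos = alert.get("alertInfos") or [{}]   # the table lists alertInfos/name
        name, description = alert.get("name") or infos[0].get("name"), None
        severity, start = alert.get("severity"), alert.get("timestamp")
        end = start
        extensions = {"alert_type": kind, "alert_name": name,
                      "product_name": _product_names([alert.get("event")])}
    elif kind == "IOC":
        sources = alert.get("sources") or [{}]
        name, description = "IOC Alert", None
        severity, start = sources[0].get("rawSeverity"), alert.get("lastSeenTime")
        end = start
        extensions = {"alert_type": kind}
    else:
        raise ValueError("unknown alert_type: %r" % alert.get("alert_type"))

    if severity not in SEVERITIES:
        severity = fallback_severity  # the Fallback Severity connector parameter
    return {"Name": name, "RuleGenerator": name, "Description": description,
            "DeviceVendor": "Google Chronicle", "DeviceProduct": kind,
            "Priority": severity, "StartTime": to_epoch_ms(start),
            "EndTime": to_epoch_ms(end), "Extensions": extensions}
```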

Alerts Connector - Deprecated

This connector pulls asset alerts from Google SecOps SIEM and converts them into Google SecOps SIEM alerts.

You can authenticate using the Google library with google.oauth2.service_account and AuthorizedSession.

This connector requires the Google SecOps SIEM Search API.

Connector inputs

The Alerts Connector requires the following parameters:

Parameters
Product Field Name Required

Enter the source field name to retrieve the Product Field name.

The default value is Product Name.

Environment Field Name Optional

The name of the field where the environment name is stored.

If the environment field isn't found, the environment is the default environment.

The default value is "".

Environment Regex Pattern Optional

A regular expression pattern to run on the value found in the Environment Field Name field. This parameter lets you manipulate the environment field using the regular expression logic.

Use the default value .* to retrieve the required raw Environment Field Name value.

If the regular expression pattern is null or empty, or the environment value is null, the final environment result is the default environment.

Script Timeout (Seconds) Required

The timeout limit for the Python process running the current script.

The default value is 180.

Service Account Credentials Required

The content of the service account JSON file.

Fetch Max Hours Backwards Optional

The number of hours before the first connector iteration to retrieve the incidents from. This parameter applies only once to the initial connector iteration after you enable the connector for the first time.

The default value is 1 hour. Max value is 1 week.

IoCs Connector - Deprecated

This connector pulls the IOC domain matches from Google SecOps SIEM and converts them into Google SecOps SIEM alerts.

You can authenticate using the Google library with google.oauth2.service_account and AuthorizedSession.

This connector uses the Google SecOps SIEM Search API.

Connector inputs

The IoCs Connector requires the following parameters:

Parameters
Product Field Name Required

Enter the source field name to retrieve the Product Field name.

The default value is Product Name.

Environment Field Name Optional

The name of the field where the environment name is stored.

If the environment field isn't found, the environment is the default environment.

The default value is "".

Environment Regex Pattern Optional

A regular expression pattern to run on the value found in the Environment Field Name field. This parameter lets you manipulate the environment field using the regular expression logic.

Use the default value .* to retrieve the required raw Environment Field Name value.

If the regular expression pattern is null or empty, or the environment value is null, the final environment result is the default environment.

Script Timeout (Seconds) Required

The timeout limit for the Python process running the current script.

The default value is 180.

Service Account Credentials Required

The content of the service account JSON file.

Fetch Max Hours Backwards Optional

The number of hours before the first connector iteration to retrieve the incidents from. This parameter applies only once to the initial connector iteration after you enable the connector for the first time.

The default value is 1 hour. Max value is 1 week.

Max Alerts To Fetch Optional

The number of alerts to process in one connector iteration.

You can specify the number of alerts between 1 and 100,000.

Jobs

The Google Chronicle integration lets you use the following jobs:

Job configuration prerequisites

Before proceeding to the job configuration, configure the Chronicle Alerts Connector.

To configure Google Chronicle jobs, follow these steps:

  1. In Google SecOps SOAR, go to Response > Job Scheduler.

  2. Click Create New Job.

  3. In the Add Job dialog that appears, select the corresponding Google Chronicle job and click Save.

  4. Optional: Edit the job name and description, if necessary.

  5. In the Job Details section:

    • Make sure that GoogleChronicle is selected in the Integration field.
    • To automatically run the job at specified intervals, set up a scheduler interval. Configuring the scheduler is mandatory to complete the job configuration.

      As Google Chronicle jobs can synchronize large amounts of data in one run, Google recommends that you set the scheduler interval to at least 2 minutes.

Google Chronicle Sync Data job

This job works with alerts created by the Chronicle Alerts Connector and the Chronicle Alerts Creator job, but not with alerts from deprecated connectors (Alerts Connector and IOCs Connector).

The Google Chronicle Sync Data job synchronizes updated Google SecOps alerts and cases managed in Google SecOps SOAR back to Google SecOps SIEM. Consequently, you can track the same information on both systems immediately after you make changes in Google SecOps SOAR.

Case and alerts data synchronization

The Google Chronicle Sync Data job tracks and synchronizes the following fields for cases:

Tracked field Synchronized field
Priority Priority
Status Status
Title Title
Not applicable Stage
Not applicable Siemplify Case ID

Siemplify Case ID is a unique case identifier in Google SecOps SOAR and Google SecOps SIEM.

The Google Chronicle Sync Data job tracks and synchronizes the following fields for alerts:

Tracked field Synchronized field
Priority Priority
Status Status
Case ID Not applicable
Not applicable Siemplify Alert ID
Not applicable Siemplify Case ID
Not applicable Verdict
Not applicable Closure Comment
Not applicable Closure Reason
Not applicable Closure Root Cause
Not applicable Usefulness

Siemplify Alert ID is a unique alert identifier in Google SecOps SOAR.

In one iteration, the job synchronizes up to 1,000 cases and 1,000 alerts. The synchronization occurs within the Google SecOps SOAR environment that is specified in the job configuration. The synchronization mechanism ensures that a case from the specified environment cannot be synced with another environment.

Configure the Google Chronicle Sync Data job

This job only synchronizes the Google SecOps SOAR cases that were ingested from Google SecOps SIEM.

Make sure you have completed the prerequisite steps before configuring the job.

To configure the Google Chronicle Sync Data job, follow these steps:

  1. In the Parameters section, configure the following parameters:

    Parameter name Description
    Environment Required

    The name of the environment created in Google SecOps SOAR where you want to sync cases and alerts.

    API Root Required

    The API root of the Google SecOps SIEM instance.

    Google SecOps provides regional endpoints for each API.

    For example, https://europe-backstory.googleapis.com or https://asia-southeast1-backstory.googleapis.com.

    If you don't know which endpoint to use, [contact Cloud Customer Care](/chronicle/docs/getting-support).

    The default value is https://backstory.googleapis.com.

    User's Service Account Required

    The content of the service account JSON file of your Google SecOps SIEM instance.

    Max Hours Backwards Optional

    The number of hours to fetch alerts from. Use only positive numbers. If you enter 0 or a negative number, an error is reported. If this parameter is empty, the job uses the default value.

    The default value is 24 hours.

    Verify SSL Required

    If selected, Google SecOps verifies that the SSL certificate for the connection to the Google SecOps SIEM server is valid. We recommend that you select this option.

    Selected by default.

    The Google Chronicle Sync Data job is enabled by default. When you save the correctly configured job, it starts synchronizing data with Google SecOps SIEM immediately. To disable the job, switch the toggle next to the job name.

  2. To complete the configuration, click Save.

    If the Save button is inactive, make sure that you have set all mandatory parameters.

  3. Optional: To run the job immediately after saving, click Run Now.

    The Run Now option lets you trigger a single job run that synchronizes the current Google SecOps SOAR alerts and cases data with Google SecOps SIEM.

Log messages

The following table lists possible log messages for the Google Chronicle Data Sync job:

Log entry Type Description
Unable to parse credentials as JSON. Please validate creds. Error The service account provided in the User's Service Account parameter is corrupted.
"Max Hours Backwards" parameter must be a positive number. Error The Max Hours backwards parameter is set to 0 or a negative number.
Current platform version does not support SDK methods designed for Google SecOps. Please use version 6.1.33 or higher. Error The current Google SecOps SOAR platform instance version doesn't support the Chronicle Sync Data job script execution. This means that the instance's build version is older than 6.1.33.
Unable to connect to Google SecOps, please validate your credentials: CREDENTIALS Error The service account or API root values couldn't be validated against the Google SecOps SIEM instance. This error is reported if connectivity testing fails.
--- Start Processing Updated Cases --- Info The case processing loop has started running.
Last success time. Date time:DATE_AND_TIME. Unix:UNIX_EPOCH_TIME Info

The timestamp of the last successful script execution for cases or alerts:

  • DATE_AND_TIME is a date and time value
  • UNIX_EPOCH_TIME is a Unix epoch time value
Key: "DATABASE_KEY" does not exist in the database. Returning default value instead: DEFAULT_VALUE Info The pending case or alert database key does not exist in the database. This log entry always appears in the first execution of the script.
Failed to parse data as JSON. Returning default value instead: "DEFAULT_VALUE. ERROR: ERROR Error The value retrieved from the database is not a valid JSON format.
Exception was raised from the database. ERROR: ERROR. Error There is a connection problem with the database.

Successfully loaded CASE_IDS pending IDs.

Successfully loaded ALERT_IDS pending alert IDs.

Info

The pending cases or alerts IDs have been successfully retrieved from the backlog.

CASE_IDS and ALERT_IDS are the number of case or alert IDs loaded.

Cases overload: case limit is 1000 NUMBER_OF_CASES cases will not be synced.

Alerts overload: alert limit is 1000 NUMBER_OF_ALERTS alerts will not be synced.

Error

The number of pending cases or alerts IDs that are fetched from the database is greater than the limit (1000). Any IDs over the limit are ignored.

This error can indicate a possible database corruption.

Found NUMBER_OF_UPDATED_CASES updated cases since last fetch time.

Info The newly updated case or alert IDs were successfully fetched from the platform.

--- Start Updating Cases in Google SecOps ----

-- Start Processing Updated Alerts ---

Info The update of cases and alerts in the Google SecOps SIEM instance has started.

Failed to update case CASE_ID. Reason: ERROR_REASON

Failed to update alert ALERT_ID. Reason: ERROR_REASON

Error The specified case or alert cannot be synchronized with Google SecOps SIEM.

Max retries reached for case CASE_ID. Removing from backlog.

Max retries reached for alert ALERT_GROUP_ID. Removing from backlog.

Info The specified pending case or alert has reached the sync retry limit (5) and is not inserted back to the backlog.

The following cases were not synced: CASE_IDS

The following alerts were not synced: ALERT_IDS

Info The list of case or alert IDs that cannot be synchronized with Google SecOps SIEM.
Updated External Case IDs for the following cases: CASE_IDS Info The list of cases for which the job updated the matching Google SecOps SIEM external case ID in the Google SecOps SOAR platform.
Failed to update external ids. Error The log entry indicating that there was a problem with the SDK method or connection that prevented updating external case IDs in the platform.

Failed to update cases in Google SecOps.

Failed to update alerts in Google SecOps.

Error The log entry indicating that a terminating error prevented the case or alert processing loop from finishing naturally. The stack trace is printed after this log entry with the specific error.

--- Finished Updating Cases in Google SecOps ---

--- Finished Updating Alerts in Google SecOps ---

Info The cases and alerts processing loop has finished, either naturally or with an error.

The following failed case ids were put in the backlog: CASE_IDS

The following failed alert ids were put in the backlog: ALERT_IDS

Error The list of failed case or alert IDs with a retry count of 5 or less that are written back to the backlog.

--- Finished Processing Updated Cases ---

--- Finished Processing Updated Alerts ---

Info The case and alert processing stage has finished.
Saving timestamps. Info Saving the last successful case and alert update timestamps to the database.
Saving pending ids. Info Saving pending case and alert IDs to the database.
Got exception on main handler. Error: ERROR_REASON Error A general termination error has occurred. The stacktrace is printed after this log with the specific error.

Google Chronicle Alerts Creator job

The Google Chronicle Alerts Creator job requires the Google SecOps platform version 6.2.30 or later.

This job creates all Google SecOps SOAR alerts in Google SecOps SIEM, including overflow alerts. The Alerts Creator job doesn't replicate alerts that originated in Google SecOps.

The Google Chronicle Alerts Creator job queries the SOAR platform using the Python SDK for non-synchronized alerts. The job sends non-synchronized alerts to SIEM individually. SIEM updates and returns the identifiers of the corresponding SIEM alerts, and SOAR saves the identifiers using the SOAR platform API through the Python SDK.

Relationship between the Google Chronicle jobs

A complete Google SecOps system runs the following three components concurrently:

  1. Chronicle Alerts Connector
  2. Google Chronicle Sync Data job
  3. Google Chronicle Alerts Creator job

The Google Chronicle Sync Data job creates and synchronizes cases. It also synchronizes the case and alert modifications, such as priority changes.

The Google Chronicle Alerts Creator job generates all alerts, except SIEM alerts. The Google Chronicle Sync Data job sends updates on unsynchronized alerts after the Google Chronicle Alerts Creator job creates the alerts.

Case and alerts data synchronization

Cases are synchronized in the same manner as with the Google Chronicle Sync Data job.

In Google SecOps SIEM, each alert is identified with a SIEM alert identifier. SOAR alerts can adopt a SIEM identifier in two scenarios:

  1. Alert is generated in SIEM.

    This alert already exists in Google SecOps SIEM and there is no need to duplicate it. The connector populates the siem_alert_id field.

  2. Alert is generated in third-party connectors.

    This alert does not exist in Google SecOps SIEM and requires running an explicit synchronization operation that the Google Chronicle Alerts Creator job is responsible for. Upon completing the synchronization operation, the alert acquires a new SIEM identifier.

Configure the Google Chronicle Alerts Creator job

Make sure you have completed the prerequisite steps before configuring the job.

To configure the Google Chronicle Alerts Creator job, follow these steps:

  1. Configure the job parameters from the following table:

    Parameter name Description
    Environment Required

    The name of the environment created in Google SecOps SOAR where you want to sync cases and alerts.

    API Root Required

    The API root of the Google SecOps SIEM instance.

    Google SecOps provides regional endpoints for each API.

    For example, https://europe-backstory.googleapis.com or https://asia-southeast1-backstory.googleapis.com.

    If you don't know which endpoint to use, [contact Cloud Customer Care](/chronicle/docs/getting-support).

    The default value is https://backstory.googleapis.com.

    User's Service Account Required

    The content of the service account JSON file of your Google SecOps SIEM instance.

    Verify SSL Required

    If selected, Google SecOps verifies that the SSL certificate for the connection to the Google SecOps SIEM server is valid. We recommend that you select this option.

    Selected by default.

  2. To complete the configuration, click Save.

    If the Save button is inactive, make sure that you have set all mandatory parameters.

  3. Optional: To run the job immediately after saving, click Run Now.

    The Run Now option lets you trigger a single job run that synchronizes the current Google SecOps SOAR alerts and cases data with Google SecOps SIEM.

Log messages and error handling

Log Level Description

Unable to parse credentials as JSON. Please validate creds.

ERROR The service account provided in the User's Service Account parameter is corrupted.

Current platform version does not support SDK methods designed for Google Chronicle. Please use version 6.2.30 or later.

ERROR The current Google SecOps SOAR platform instance version doesn't support the Google Chronicle Alerts Creator Job script execution. This error means that the instance build version is earlier than 6.2.30.

Unable to connect to Google Chronicle, please validate your credentials: CREDENTIALS

ERROR The service account or API root values cannot be validated against the Google SecOps SIEM instance. This error is reported if connectivity testing fails.

--------------- JOB STARTED ---------------

INFO Log message indicating that the job has started.

----------------- Main - Started -----------------

INFO Log message indicating that the main function has started.

"Starting i + 1/MAXIMUM_ITERATIONS_NUMBER fetch attempt"

INFO Log message indicating the iteration number for the current consecutive attempt.

"Fetching up to BATCH_SIZE new alerts from the SOAR"

INFO Log message indicating that the code doesn't retrieve more than BATCH_SIZE new alerts from SOAR.

"NUMBER_OF_NEW_ALERTS SOAR alerts were fetched"

INFO Log message indicating that NUMBER_OF_NEW_ALERTS SOAR alerts were fetched.

"No new SOAR alerts were found. Stopping..."

INFO Log message indicating that no new SOAR alerts were found, and that the job is stopping.

"Fetched the following SOAR alerts: ID_LIST"

INFO Log message indicating that the job has fetched the SOAR alerts with the following identifiers in the ID list. You can use this information to track the progress of the job and to troubleshoot issues with the code.

"Dispatching SOAR alerts to SIEM"

INFO Log message indicating that the job is dispatching SOAR alerts to SIEM.

"Failed to create alert ALERT_GROUP_ID in SIEM. Reason: ERROR_REASON"

ERROR Log message indicating that the alert was not created successfully in SIEM due to an error.

"Updating SOAR with SIEM response"

INFO Log message indicating that the job is updating SOAR with the SIEM response.

"SOAR has failed updating the status of alert ALERT_ID"

WARNING Indicates that SOAR was unable to update the status of the alert synchronization.

"Total of NUMBER_OF_SYNCED_ALERTS alerts were synced in this run"

INFO Log message indicating that a total of NUMBER_OF_SYNCED_ALERTS alerts were synced in the current run.

"--------------- JOB FINISHED ---------------"

INFO Log message indicating that the job has finished.

"Got exception on main handler. Error: ERROR_REASON"

ERROR Log message indicating that an exception occurred in the main function. The exception message is included in the log message.

Use cases

The Google Chronicle integration lets you run the following use cases:

  • Chronicle Windows Threats Investigation and Response
  • Security Command Center and Chronicle Cloud DIR

Install the use case

  1. In the Google SecOps Marketplace, go to the Use Cases tab.

  2. In a search field, enter the use case name.

  3. Click the use case.

  4. Follow the configuration steps and instructions in the installation wizard.

Once finished, all of the required components are installed on your Google SecOps SOAR machine. To finalize the installation, configure the Initialization block in the playbook that corresponds to your use case.

Chronicle Windows Threats Investigation & Response

Use the power of Google SecOps to respond in real time to Windows threats in your environment. Using Threat Intelligence for Google SecOps, security teams can take advantage of a high-fidelity threat intelligence service together with Google SecOps SOAR. Real threats in your environment can now be automatically triaged and remediated in a short and effective time period.

  1. In Google SecOps SOAR, go to Response > Playbooks.

  2. Select the Google Chronicle - Windows Threats Investigation & Response playbook. The playbook opens in the playbook designer view.

  3. Double-click Set Initialization Block_1. The block configuration dialog opens.

  4. To configure the playbook, use the following parameters:

    Input parameter Possible values Description
    edr_product
    • Crowdstrike
    • Carbon Black
    • None
    The EDR product to use in the playbook.
    itsm_product
    • Service Now
    • Jira
    • ZenDesk
    • None
    The ITSM product to use in the playbook. Jira requires additional configuration in the Open Ticket block.
    crowdstrike_use_spotlight True or False If True, the playbook executes Crowdstrike actions that require a Spotlight license (Vulnerability information).
    use_mandiant True or False If True, the playbook executes the Mandiant block.
    slack_user Username or Email Address The username or email address of the Slack user. If none is provided, the playbook skips Slack blocks.
  5. Click Save. The block configuration dialog closes.

  6. In the playbook designer pane, click Save.

To test the playbook in the use case, ingest the test case included in the package. Some test case capabilities can fail because the data used for testing are unavailable in your environment.

Security Command Center and Chronicle Cloud DIR

Integrate Security Command Center with Google SecOps SIEM to let your analysts investigate incidents and threats that Security Command Center detects.

Configure the use case

The use case requires you to configure the following integrations:

The Google Security Command Center and Mandiant integrations are optional.

Make sure that you have installed the use case before configuring it.

  1. In the Google SecOps SOAR, go to the Playbooks tab.
  2. Select the SCC & Chronicle Cloud DIR playbook.
  3. Double-click the Initialization block to configure it.
  4. Configure the playbook using the following parameters:

Parameter name Possible values Description
Mandiant_Enrichment True or False

If True, the playbook uses Mandiant for additional enrichment.

The Mandiant integration needs to be configured for this setup. You can remove the enrichment if you rarely get meaningful information. Removing the enrichment block improves the execution speed of the playbook.

SCC_Enrichment True or False

If True, the playbook uses Security Command Center capabilities for additional enrichment.

The Security Command Center integration must be configured for this setup. You can remove the enrichment if you rarely get meaningful information. Removing the enrichment block improves the execution speed of the playbook.

IAM_Enrichment True or False If True, the playbook uses the IAM capabilities for additional enrichment. You can remove the enrichment if you rarely get meaningful information. Removing the enrichment block improves the execution speed of the playbook.
Compute_Enrichment True or False If True, the playbook uses Compute Engine capabilities for additional enrichment. You can remove the enrichment if you rarely get meaningful information. Removing the enrichment block improves the execution speed of the playbook.