Google SecOps
Integration version: 24.0
Prerequisites
Following are the setup steps required for the Google Security Operations integration to properly work with Google Security Operations SIEM.
Integration permissions
- Associate Google Security Operations SOAR URL to Google Security Operations SIEM.
- Set permission (Search V3) for pivoting from Google Security Operations SOAR to Google Security Operations SIEM.
Set Google Security Operations API permissions for Actions, Connectors, and Jobs:
- Create a service account or use an existing service account.
- Make sure that the service account has the following roles granted:
- Response User
- Rules User
- Search User
If you are not sure whether the preceding roles or steps exist in your Google Security Operations instance, or you are new to the integration, contact your Google Security Operations Customer Engineer.
Configure Google Chronicle integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration inputs
To configure the integration, use the following parameters:
| Parameters | |
|---|---|
UI Root |
Required
UI root of the Google Security Operations SIEM instance used to create a link that points back to Google Security Operations SIEM across multiple actions. Default value is |
API Root |
Required
API root of the Google Security Operations SIEM instance. Google Security Operations provides regional endpoints for each API. For example: If you don't know which endpoint to use, contact Google Support. Default value is |
User's Service Account |
Required
Service account of the Google Security Operations SIEM instance. Make sure to provide the full content of the service account JSON file. |
Verify SSL |
Required
When checked, the parameter verifies if the SSL certificate for connecting to the Google Security Operations SIEM server is valid. Checked by default. |
Use cases
- Ingest asset alerts or IOC domain matches as Google Security Operations SOAR alerts.
- Use alerts in Google Security Operations SOAR to perform orchestrations with playbooks or manual analysis.
- Fetch a list of infected assets, search for events.
- Provide reputation and threat enrichment of IPs or domains observed.
Actions
Add Values To Reference List
Add values to a reference list in Google Security Operations.
Entities
The action does not run on entities.
Action inputs
To configure the action, use the following parameters:
| Parameters | |
|---|---|
Reference List Name |
Required
Name of the reference list to update. |
Values |
Required
A comma-separated list of values to be add to a reference list. |
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | N/A |
| Case wall table | N/A |
| Enrichment table | N/A |
| Entity insight | N/A |
| Insight | N/A |
| JSON result | Available |
| OOTB widget | N/A |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
JSON result
{
"name": "list_name",
"description": "description of the list",
"lines": [
"192.0.2.0/24",
"198.51.100.0/24"
],
"create_time": "2020-11-20T17:18:20.409247Z",
"content_type": "CIDR"
}
Case wall
The action provides the following output messages:
| Output message | Message description |
|---|---|
| Successfully added values to the reference list "REFERENCE_LIST_NAME". | Action is successful. |
| Error executing action "ACTION_NAME". Reason: ERROR_REASON | Action returned an error.
Check connection to the server, input parameters, or credentials. |
Enrich Domain
Enrich domains using information from IoCs in Google Security Operations SIEM.
Entities
The action runs on the following entities:
- URL
- Hostname
Action inputs
To configure the action, use the following parameters:
| Parameters | |
|---|---|
Create Insight |
If enabled, action will create an insight containing information about
the entities. Enabled by default. |
Only Suspicious Insight |
If enabled, action will only create an insight for entities that are
marked as suspicious. Disabled by default. |
Lowest Suspicious Severity |
Required
Specify the lowest severity that should be associated with the domain to mark it suspicious. Default value is
|
Mark Suspicious N/A Severity |
Required
If enabled and the information about severity is unavailable, the action marks the entity as suspicious. |
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | N/A |
| Case wall table | Available |
| Enrichment table | Available |
| Entity insight | N/A |
| Insight | N/A |
| JSON result | Available |
| OOTB widget | N/A |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
JSON result
{
{
"sources": [
{
"source": "ET Intelligence Rep List",
"confidenceScore": {
"normalizedConfidenceScore": "Low",
"intRawConfidenceScore": 0
},
"rawSeverity": "High",
"category": "Malware Command and Control Server"
}
],
"iocIngestTime": "2021-01-26T17:00:00Z",
"firstSeenTime": "2018-10-03T00:03:53Z",
"lastSeenTime": "2022-02-09T10:52:21.229Z",
"uri": [
"https://demodev.backstory.chronicle.security/domainResults?domain=t0.ssl.ak.dynamic.tiles.virtualearth.net&selectedList=DomainViewDistinctAssets&whoIsTimestamp=2022-02-09T11%3A51%3A52.393783515Z"
]
}
}
Entity enrichment – Prefix: G_Chronicle
| Enrichment field name | Logic: When to apply |
|---|---|
| severity | When available in JSON |
| average_confidence | When available in JSON |
| related_domains | When available in JSON |
| categories | When available in JSON |
| sources | When available in JSON |
| first_seen | When available in JSON |
| last_seen | When available in JSON |
| report_link | When available in JSON |
Case wall
The action provides the following output messages:
| Output message | Message description |
|---|---|
| Successfully enriched the following domain in Google Chronicle: LIST_OF_IDS | Action is successful. |
| Error executing action "Enrich Domain". Reason: ERROR_REASON | The action returned an error. Check connection to the server, input parameters, or credentials. |
Case wall table
Name: ENTITY_IDENTIFIER
Columns:
- Source
- Severity
- Category
- Confidence
Enrich IP
Enrich IP entities using information from IoCs in Google Security Operations SIEM.
Entities
The action runs on the IP Address entity.
Action inputs
To configure the action, use the following parameters:
| Parameters | |
|---|---|
Create Insight |
If enabled, action will create an insight containing information about
the entities. Enabled by default. |
Only Suspicious Insight |
If enabled, action will only create an insight for entities that are
marked as suspicious. Disabled by default. |
Lowest Suspicious Severity |
Required
Specify the lowest severity that should be associated with IP to mark it suspicious. Default value is
|
Mark Suspicious N/A Severity |
Required
If enabled and the information about severity is unavailable, the action marks the entity as suspicious. |
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | N/A |
| Case wall table | Available |
| Enrichment table | Available |
| Entity insight | N/A |
| Insight | N/A |
| JSON result | Available |
| OOTB widget | N/A |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
JSON result
{
{
"sources": [
{
"source": "Example List",
"confidenceScore": {
"normalizedConfidenceScore": "Low",
"intRawConfidenceScore": 0
},
"rawSeverity": "High",
"category": "Malware Command and Control Server"
}
],
"iocIngestTime": "2021-01-26T17:00:00Z",
"firstSeenTime": "2018-10-03T00:03:53Z",
"lastSeenTime": "2022-02-09T10:52:21.229Z",
"uri": [
"https://demodev.backstory.chronicle.security/domainResults?domain=t0.ssl.ak.dynamic.tiles.virtualearth.net&selectedList=DomainViewDistinctAssets&whoIsTimestamp=2022-02-09T11%3A51%3A52.393783515Z"
]
}
}
Entity enrichment – Prefix: G_Chronicle
| Enrichment Field Name | Logic: When to apply |
|---|---|
| severity | When available in JSON |
| average_confidence | When available in JSON |
| related_domains | When available in JSON |
| categories | When available in JSON |
| sources | When available in JSON |
| first_seen | When available in JSON |
| last_seen | When available in JSON |
| report_link | When available in JSON |
Case wall
The action provides the following output messages:
| Output message | Message description |
|---|---|
| Successfully enriched the following IPs from Google Chronicle: LIST_OF_IPS | Action is successful. |
| Error executing action "Enrich IP". Reason: ERROR_REASON | The action returned an error. Check connection to the server, input parameters, or credentials. |
Case wall table
Name: ENTITY_IDENTIFIER
Columns:
- Source
- Severity
- Category
- Confidence
- Related Domains
Execute Retrohunt
Execute a rule retrohunt in Google Security Operations.
Entities
The action doesn't run on entities.
Action inputs
To configure the action, use the following parameters:
| Parameters | |
|---|---|
Rule ID |
Required
ID of the rule to run a retrohunt for. |
Time Frame |
Timeframe for the results.
Default value is
If If If |
Start Time |
Start time for the results. Format: ISO 8601. |
End Time |
End time for the results. Format: ISO 8601. If no value is provided and |
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | N/A |
| Case wall table | N/A |
| Enrichment table | N/A |
| Entity insight | N/A |
| Insight | N/A |
| JSON result | Available |
| OOTB widget | N/A |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
JSON result
{
"retrohuntId": "oh_d738c8ea-8fd7-4cc1-b43d-25835b8e1785",
"ruleId": "ru_30979d84-aa89-47d6-bf4d-b4bb0eacb497",
"versionId": "ru_30979d84-aa89-47d6-bf4d-b4bb0eacb497@v_1612472807_179679000",
"eventStartTime": "2021-01-14T23:00:00Z",
"eventEndTime": "2021-01-30T23:00:00Z",
"retrohuntStartTime": "2021-02-08T02:40:59.192113Z",
"state": "RUNNING"
}
Case wall
The action provides the following output messages:
| Output message | Message description |
|---|---|
| Successfully executed a retrohunt for the provided rule in Google Chronicle. | Action is successful. |
| Error executing action "Execute Retrohunt". Reason: ERROR_REASON | Action returned an error.
Check connection to the server, input parameters, or credentials. |
Execute UDM Query
Execute custom UDM query in Google Security Operations.
Entities
This action doesn't run on entities.
Action inputs
To configure the action, use the following parameters:
| Parameters | |
|---|---|
Query String |
Required
A query to execute in Google Security Operations. |
Time Frame |
Specified time frame for the results.
Default value is
If If If |
Start Time |
Start time for the results. Format: ISO 8601. The maximum time range (from start time to end time) is 90 days. |
End Time |
End time for the results. Format: ISO 8601. This parameter uses current time if no value is provided and
the The maximum time range (from start time to end time) is 90 days. |
Max Results To Return |
Number of results to return per query. Default value is 50. Max value is 10,000. |
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | N/A |
| Case wall table | N/A |
| Enrichment table | N/A |
| Entity insight | N/A |
| Insight | N/A |
| JSON result | Available |
| OOTB widget | N/A |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
JSON result
{
"events": [
"event": {
"metadata": {
"eventTimestamp": "2022-01-20T09:15:15.687Z",
"eventType": "USER_LOGIN",
"vendorName": "Example Vendor",
"productName": "Example Product",
"ingestedTimestamp": "2022-01-20T09:45:07.433587Z"
},
"principal": {
"hostname": "example-user-pc",
"ip": [
"203.0.113.0"
],
"mac": [
"01:23:45:ab:cd:ef",
"01:23:45:ab:cd:ef",
"01:23:45:ab:cd:ef"
],
"location": {
"city": "San Francisco",
"state": "California",
"countryOrRegion": "US"
},
"asset": {
"hostname": "example-user-pc",
"ip": [
"203.0.113.1",
"203.0.113.1",
"203.0.113.1"
],
"mac": [
"01:23:45:ab:cd:ef",
"01:23:45:ab:cd:ef",
"01:23:45:ab:cd:ef"
]
}
},
"target": {
"user": {
"userid": "Example",
"userDisplayName": "Example User",
"windowsSid": "S-1-5-21-4712406912-7108061610-2717800068-993683",
"emailAddresses": [
"example@example.com",
"admin.example@example.com"
],
"employeeId": "2406187",
"productObjectId": "f93f1540-4935-4266-aa8e-a750a319aa1c",
"firstName": "Example",
"lastName": "User",
"phoneNumbers": [
"555-01-75"
],
"title": "Executive Assistant",
"companyName": "Example Corp",
"department": [
"Executive - Admin"
],
"managers": [
{
"userDisplayName": "Example User",
"windowsSid": "S-1-5-21-6051382818-4135626959-8120238335-834071",
"emailAddresses": [
"user@example.com"
],
"employeeId": "5478500",
"productObjectId": "8b3924d5-6157-43b3-857b-78aa6bd94705",
"firstName": "User",
"lastName": "Example",
"phoneNumbers": [
"555-01-75"
],
"title": "Chief Technology Officer",
"companyName": "Example Corp",
"department": [
"Executive - Admin"
]
}
]
},
"ip": [
"198.51.100.1"
],
"email": "alice@ecorp.com",
"application": "Example Sign In"
},
"securityResult": [
{
"summary": "Successful Login",
"action": [
"ALLOW"
]
}
],
"extensions": {
"auth": {
"type": "SSO"
}
}
},
"eventLogToken": "96f23eb9ffaa9f7e7b0e2ff5a0d2e34c,1,1642670115687000,USER,|USER_LOGIN"
}
]
Case wall
The action provides the following output messages:
| Output message | Message description |
|---|---|
| Successfully returned results for the query "QUERY" in Google Chronicle. | Action is successful. |
| No results were found for the query "QUERY" in Google Chronicle. | Action is successful. |
| Error executing action "Execute UDM Query". Reason: ERROR_REASON | The action returned an error. Check connection to the server, input parameters, or credentials. |
| Error executing action "Execute UDM Query". Reason: you've reached a rate limit. Please wait for several minutes and try again. | The action returned an error. Wait for several minutes before running the action again. |
Get Detection Details
Fetch information about a detection in Google Security Operations.
Entities
The action does not run on entities.
Action inputs
To configure the action, use the following parameters:
| Parameters | |
|---|---|
Rule ID |
Required
ID of the rule related to the detection. |
Detection ID |
Required
ID of the detection to fetch details for. |
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | N/A |
| Case wall table | N/A |
| Enrichment table | N/A |
| Entity insight | N/A |
| Insight | N/A |
| JSON result | Available |
| OOTB widget | N/A |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
JSON result
{
"type": "RULE_DETECTION",
"detection": [
{
"ruleName": "singleEventRule2",
"urlBackToProduct":
"https://example.backstory.chronicle.security/ruleDetections?
ruleId=ru_1f54ab4b-e523-48f7-ae25-271b5ea8337d&selectedList=RuleDetectionsViewTimeline&
selectedParentDetectionId=de_ce594791-09ed-9681-27fa-3b7c8fa6054c&
selectedTimestamp=2020-12-03T16: 50: 47.647245Z","ruleId": "ru_1f54ab4b-e523-48f7-ae25-271b5ea8337d",
"ruleVersion": "ru_1f54ab4b-e523-48f7-ae25-271b5ea8337d@v_1605892822_687503000",
"alertState": "NOT_ALERTING",
"ruleType": "SINGLE_EVENT"
}
],
"createdTime": "2020-12-03T19:19:21.325134Z",
"id": "de_ce594791-09ed-9681-27fa-3b7c8fa6054c",
"timeWindow": {
"startTime": "2020-12-03T16:50:47.647245Z",
"endTime": "2020-12-03T16:50:47.647245Z"
},
"collectionElements": [
{
"references": [
{
"event": {
"metadata": {
"eventTimestamp": "2020-12-03T16:50:47.647245Z",
"collectedTimestamp": "2020-12-03T16:50:47.666064010Z",
"eventType": "NETWORK_DNS",
"productName": "ProductName",
"ingestedTimestamp": "2020-12-03T16:50:49.494542Z"
},
"principal": {
"ip": [
"192.0.2.1"
]
},
"target": {
"ip": [
"203.0.113.1"
]
},
"securityResult": [
{
"action": [
"UNKNOWN_ACTION"
]
}
],
"network": {
"applicationProtocol": "DNS",
"dns": {
"questions": [
{
"name": "altostrat.com",
"type": 1,
"class": 1
}
],
"id": 12345,
"recursionDesired": true
}
}
}
}
],
"label": "e"
}
],
"detectionTime": "2020-12-03T16:50:47.647245Z"
}
Case wall
The action provides the following output messages:
| Output message | Message description |
|---|---|
| Successfully fetched information about the detection with ID DETECTION_ID in Google Chronicle. | Action is successful. |
| Error executing action "Get Detection Details". Reason: ERROR_REASON | Action returned an error.
Check connection to the server, input parameters, or credentials. |
Get Reference Lists
Get available reference lists in Google Security Operations.
Entities
The action does not run on entities.
Action inputs
To configure the action, use the following parameters:
| =2>Parameters | |
|---|---|
Filter Key |
Key that should be used to filter reference lists. Possible values are:
|
Filter Logic |
Applicable filter logic. Default value is
|
Filter Value |
Specifies what value should be used in the filter.
If If The If no value is provided for this parameter, the filter isn't applied. |
Expanded Details |
If enabled, action will return detailed information about the reference
lists.
Disabled by default. |
Max Reference Lists To Return |
Number of reference lists to return. Default value is 100. |
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | N/A |
| Case wall table | Available |
| Enrichment table | N/A |
| Entity insight | N/A |
| Insight | N/A |
| JSON result | Available |
| OOTB widget | N/A |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
JSON result
{
"name": "list_name",
"description": "description of the list",
"lines": [
"192.0.2.0/24",
"198.51.100.0/24"
],
"create_time": "2020-11-20T17:18:20.409247Z",
"content_type": "CIDR"
}
Case wall
The action provides the following output messages:
| Output message | Message description |
|---|---|
| Successfully found reference lists for the provided criteria in Google Chronicle. | Action is successful. |
| The filter was not applied because parameter "Filter Value" has an empty value. | Action is successful. Check the Filter Value parameter.
|
| Error executing action "ACTION_NAME". Reason: ERROR_REASON | Action returned an error.
Check connection to the server, input parameters, or credentials. |
| Error executing action "ACTION_NAME". Reason: "Invalid value was provided for "Max Reference Lists to Return": PROVIIDED_VALUE. Positive number should be provided. | Action returned an error.
Check the value for the |
Case Wall Table
Name: Available Reference Lists
Columns:
- Name
- Description
- Type
Get Rule Details
Entities
The action does not run on entities.
Action inputs
To configure the action, use the following parameters:
| Parameters | |
|---|---|
Rule ID |
Required
Specifies the rule ID to fetch details for. |
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | N/A |
| Case wall table | N/A |
| Enrichment table | N/A |
| Entity insight | N/A |
| Insight | N/A |
| JSON result | Available |
| OOTB widget | N/A |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
JSON result
{
"ruleId": "ru_e6abfcb5-1b85-41b0-b64c-695b3250436f",
"versionId": "ru_e6abfcb5-1b85-41b0-b64c-695b3250436f@v_1602631093_146879000",
"ruleName": "SampleRule",
"metadata": {
"description": "Sample Description of the Rule",
"author": "author@example.com"
},
"ruleText": "rule SampleRule {
meta:
description = \"Sample Description of the Rule\"
author = \"author@example.com\"
events:
// This will just generate lots of detections
$event.metadata.event_type = \"NETWORK_HTTP\"
condition:
$event
} ",
"liveRuleEnabled": true,
"versionCreateTime": "2020-10-13T23:18:13.146879Z",
"compilationState": "SUCCEEDED"
}
Case wall
The action provides the following output messages:
| Output message | Message description |
|---|---|
| Successfully fetched information about the rule with ID RULE__ID in Google Chronicle. | Action is successful. |
| Error executing action "Get Rule Details". Reason: ERROR_REASON | Action returned an error.
Check connection to the server, input parameters, or credentials. |
Is Value In Reference List
Checks if provided values are found in reference lists in Google Google Security Operations.
Entities
The action doesn't run on entities.
Action inputs
To configure the action, use the following parameters:
| Parameters | |
|---|---|
Reference List Names |
Required
A comma-separated list of reference list names to search through. |
Values |
Required
A comma-separated list of values to search for in reference lists. |
Case Insensitive Search |
If enabled, the action performs case insensitive matching. |
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | N/A |
| Case wall table | N/A |
| Enrichment table | N/A |
| Entity insight | N/A |
| Insight | N/A |
| JSON result | Available |
| OOTB widget | N/A |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
JSON result
{
"Entity": "example.com",
"EntityResult": {
"found_in": [
"Reference list names, where item was found"
],
"not_found_in": [
"Reference list names, where items wasn't found"
],
"overall_status": "found, if at least one reference list had the value/not found, if non of the reference lists found the value"
}
}
Case wall
The action provides the following output messages:
| Output message | Message description |
|---|---|
| Successfully searched provided values in the reference lists in Google Chronicle. | Action is successful. |
| Error executing action "Is Value In Reference List". Reason: ERROR_REASON | Action returned an error.
Check connection to the server, input parameters, or credentials. |
| Error executing action "Is Value In Reference List". Reason: the following reference lists were not found in Google Chronicle: MISSING_REFERENCE_LIST_NAME(S). Please use the action "Get Reference Lists" to see what reference lists are available. | Action returned an error. Run the Get Reference Lists action to check for available lists. |
List Assets
List assets in Google Security Operations SIEM based on the related entities in the specified time frame. Only the MD5, SHA-1 or SHA-256 hashes are supported.
Entities
This action runs on the following entities:
- URL
- IP Address
- Hash
Action inputs
To configure the action, use the following parameters:
| Parameters | |
|---|---|
Max Hours Backwards |
Number of hours backwards to fetch the assets. Default value is 1. |
Create Insight |
If enabled, action will create an insight containing information about
the entities. Enabled by default. |
Max Assets To Return |
Number of assets to return in the response. Default value is 50. |
Time Frame |
Specified time frame for the results.
Default value is If If the
|
Start Time |
Start time for the results. Format: ISO 8601. |
End Time |
End time for the results. Format: ISO 8601. This parameter uses current time if no value is provided and
the |
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | N/A |
| Case wall table | Available |
| Enrichment table | N/A |
| Entity insight | N/A |
| Insight | N/A |
| JSON result | Available |
| OOTB widget | N/A |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
JSON result
{
"assets": [
{
"asset": {
"hostname": "imimumhd6qy6r"
},
"firstSeenArtifactInfo": {
"artifactIndicator": {
"domainName": "www.example.com"
},
"seenTime": "2020-02-28T09:18:15.675Z"
},
"lastSeenArtifactInfo": {
"artifactIndicator": {
"domainName": "www.example.com"
},
"seenTime": "2020-09-24T06:43:59Z"
}
}
],
"uri": [
"https://example.backstory.chronicle.security/domainResults?domain=www.example.com&selectedList=DomainViewDistinctAssets&whoIsTimestamp=2020-09-27T12%3A07%3A34.166830443Z"
]
}
Case wall
The action provides the following output messages:
| Output message | Message description |
|---|---|
| Successfully listed related assets for the following entities from Google Chronicle: ENTITY_IDENTIFIER | Action is successful. |
| Error executing action "List Assets". Reason: ERROR_REASON | The action returned an error. Check connection to the server, input parameters, or credentials. |
Case wall table
Name: ENTITY_IDENTIFIER
Columns:
- Hostname
- IP Address
- First Seen Artifact
- Last Seen Artifact
List Events
List events on the particular asset in the specified time frame.
Entities
This action runs on the following entities:
- IP address
- MAC address
- Hostname
Action inputs
To configure the action, use the following parameters:
| Parameters | |
|---|---|
Event Types |
A comma-separated list of the event types that should be returned. If no value is provided, the action fetches all event types. To check all possible values for this parameter, see Event type possible values. |
Time Frame |
Specified time frame for the results.
Default value is If If the
|
Start Time |
Start time for the results. Format: ISO 8601. |
End Time |
End time for the results. Format: ISO 8601. This parameter uses current time if no value is provided and
the The |
Reference Time |
Reference time for the event search.
Format: YYYY-MM-DDThh:mmTZD.
|
Output |
Required Output for this action. Possible values are:
|
Max Events To Return |
Number of events to process per entity type. Default value is 100. |
Event type possible values
The full list of possible values for the Event Type parameter is as follows:
EVENTTYPE_UNSPECIFIED, PROCESS_UNCATEGORIZED,
PROCESS_LAUNCH, PROCESS_INJECTION,
PROCESS_PRIVILEGE_ESCALATION, PROCESS_TERMINATION,
PROCESS_OPEN, PROCESS_MODULE_LOAD,
REGISTRY_UNCATEGORIZED, REGISTRY_CREATION,
REGISTRY_MODIFICATION, REGISTRY_DELETION,
SETTING_UNCATEGORIZED, SETTING_CREATION,
SETTING_MODIFICATION, SETTING_DELETION,
MUTEX_UNCATEGORIZED, MUTEX_CREATION,
FILE_UNCATEGORIZED, FILE_CREATION, FILE_DELETION
, FILE_MODIFICATION, FILE_READ,
FILE_COPY, FILE_OPEN, FILE_MOVE,
FILE_SYNC, USER_UNCATEGORIZED, USER_LOGIN,
USER_LOGOUT, USER_CREATION,
USER_CHANGE_PASSWORD, USER_CHANGE_PERMISSIONS,
USER_STATS, USER_BADGE_IN, USER_DELETION,
USER_RESOURCE_CREATION, USER_RESOURCE_UPDATE_CONTENT, USER_RESOURCE_UPDATE_PERMISSIONS, USER_COMMUNICATION,
USER_RESOURCE_ACCESS, USER_RESOURCE_DELETION,
GROUP_UNCATEGORIZED, GROUP_CREATION,
GROUP_DELETION, GROUP_MODIFICATION,
EMAIL_UNCATEGORIZED, EMAIL_TRANSACTION,
EMAIL_URL_CLICK, NETWORK_UNCATEGORIZED,
NETWORK_FLOW, NETWORK_CONNECTION, NETWORK_FTP,
NETWORK_DHCP, NETWORK_DNS, NETWORK_HTTP,
NETWORK_SMTP, STATUS_UNCATEGORIZED,
STATUS_HEARTBEAT, STATUS_STARTUP, STATUS_SHUTDOWN
, STATUS_UPDATE, SCAN_UNCATEGORIZED,
SCAN_FILE, SCAN_PROCESS_BEHAVIORS, SCAN_PROCESS
, SCAN_HOST, SCAN_VULN_HOST,
SCAN_VULN_NETWORK, SCAN_NETWORK,
SCHEDULED_TASK_UNCATEGORIZED, SCHEDULED_TASK_CREATION,
SCHEDULED_TASK_DELETION, SCHEDULED_TASK_ENABLE,
SCHEDULED_TASK_DISABLE, SCHEDULED_TASK_MODIFICATION, SYSTEM_AUDIT_LOG_UNCATEGORIZED, SYSTEM_AUDIT_LOG_WIPE,
SERVICE_UNSPECIFIED, SERVICE_CREATION,
SERVICE_DELETION, SERVICE_START, SERVICE_STOP,
SERVICE_MODIFICATION, GENERIC_EVENT,
RESOURCE_CREATION, RESOURCE_DELETION,
RESOURCE_PERMISSIONS_CHANGE, RESOURCE_READ,
RESOURCE_WRITTEN, ANALYST_UPDATE_VERDICT,
ANALYST_UPDATE_REPUTATION, ANALYST_UPDATE_SEVERITY_SCORE,
ANALYST_UPDATE_STATUS, ANALYST_ADD_COMMENT.
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | N/A |
| Case wall table | N/A |
| Enrichment table | N/A |
| Entity insight | N/A |
| Insight | N/A |
| JSON result | Available |
| OOTB widget | N/A |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
JSON result
{
"statistics": {
"NETWORK_CONNECTION": 10
}
{
"events": [
{
"metadata": {
"eventTimestamp": "2020-09-28T14:20:00Z",
"eventType": "NETWORK_CONNECTION",
"productName": "EXAMPLE Name",
"productEventType": "NETWORK_DNS",
"ingestedTimestamp": "2020-09-28T16:28:11.615578Z"
},
"principal": {
"hostname": "user-example-pc",
"assetId": "EXAMPLE:user-example-pc",
"process": {
"pid": "1101",
"productSpecificProcessId": "EXAMPLE:32323"
}
},
"target": {
"hostname": "example.com",
"user": {
"userid": "user"
},
"process": {
"pid": "8172",
"file": {
"md5": "a219fc7fcc93890a842183388f80369e",
"fullPath": "C:\\Program Files(x86)\\adobe\\acrobat reader dc\\reader\\acrord32.exe"
},
"commandLine": "\"C:\\Program Files(x86)\\adobe\\acrobat reader dc\\reader\\acrord32.exe\" ...",
"productSpecificProcessId": "EXAMPLE:82315"
}
}
},
{
"metadata": {
"eventTimestamp": "2020-09-28T17:20:00Z",
"eventType": "NETWORK_CONNECTION",
"productName": "EXAMPLE Name",
"productEventType": "NETWORK_DNS",
"ingestedTimestamp": "2020-09-28T16:28:11.615578Z"
},
"principal": {
"hostname": "user-example-pc",
"assetId": "EXAMPLE:user-example-pc",
"process": {
"pid": "1101",
"productSpecificProcessId": "EXAMPLE:32323"
}
},
"target": {
"hostname": "example.com",
"user": {
"userid": "user"
},
"process": {
"pid": "8172",
"file": {
"md5": "a219fc7fcc93890a842183388f80369e",
"fullPath": "C:\\Program Files(x86)\\adobe\\acrobat reader dc\\reader\\acrord32.exe"
},
"commandLine": "\"C:\\Program Files(x86)\\adobe\\acrobat reader dc\\reader\\acrord32.exe\" ...",
"productSpecificProcessId": "EXAMPLE:82315"
}
}
}
],
"uri": [
"https://demodev.backstory.chronicle.security/assetResults?assetIdentifier=user-example-pc&referenceTime=2020-09-28T17%3A00%3A00Z&selectedList=AssetViewTimeline&startTime=2020-09-28T14%3A20%3A00Z&endTime=2020-09-28T20%3A20%3A00Z"
]
}
}
Case wall
The action provides the following output messages:
| Output message | Message description |
|---|---|
| Successfully listed related events for the following entities from Google Chronicle: ENTITY_IDENTIFIER | Action is successful. |
| Error executing action "List Events". Reason: ERROR_REASON | The action returned an error. Check connection to the server, input parameters, or credentials. |
| Error executing action "List Events". Reason: invalid event type is provided. Please check the spelling. Supported event types: SUPPORTED_EVENT_TYPES | The action returned an error. Check the spelling. |
List IOCs
List all of the IoCs discovered within your enterprise within the specified time range.
If you receive the maximum number of IoCs you specified using the Max IoCs to
Fetch parameter (or 10,000, the default value), there might still be more IoCs
discovered in your Google Security Operations account. You might want to narrow the time
range and run the call again to ensure you have visibility on all possible IoCs.
Entities
This action doesn't run on entities.
Action inputs
To configure the action, use the following parameters:
| Parameters | |
|---|---|
Start Time |
Start time for the results. Format: ISO 8601. |
Max IoCs to Fetch |
Maximum number of IoCs to return. Applicable range is from 1 to 10,000. Default value is 50. |
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | N/A |
| Case wall table | Available |
| Enrichment table | N/A |
| Entity insight | N/A |
| Insight | N/A |
| JSON result | Available |
| OOTB widget | N/A |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
JSON result
{
"matches":[
{
"artifact":{
"domainName":"www.example.com"
},
"firstSeenTime":"2018-05-25T20:47:11.048998Z",
"iocIngestTime":"2019-08-14T21:00:00Z",
"lastSeenTime":"2019-10-24T16:19:46.880830Z",
"sources":[
{
"category":"Spyware Reporting Server",
"confidenceScore":{
"intRawConfidenceScore":0,
"normalizedConfidenceScore":"Low"
},
"rawSeverity":"Medium",
"source":"ET Intelligence Rep List"
}
],
"uri":["<var>URI</var>"]
}
],
"moreDataAvailable":true
}
Case wall
The action provides the following output messages:
| Output message | Message description |
|---|---|
| Successfully listed IOCs from the provided time frame in Google Chronicle. | Action is successful. |
| Error executing action "List IOCs". Reason: ERROR_REASON | The action returned an error. Check connection to the server, input parameters, or credentials. |
Case wall table
Columns:
- Domain
- Category
- Source
- Confidence
- Severity
- IoC Ingest Time
- IoC First Seen Time
- IoC Last Seen Time
- URI
Lookup Similar Alerts
Lookup similar alerts in Google Security Operations.
Depending on the underlying alert type, the action behaves differently. If the alert is rule-based (Rule alert), the action attempts to match alerts based on rule names, while for External alerts, the action match is based on the alert name.
This action queries a sizable volume of alerts in the background based on the provided time frame.
In responses, the action searches for specific keys and extracts possible IoCs.
In addition, the action creates distinct results based on the Alert/Rule name, Product Name and IoC that was used during the search.
How the Similarity By parameter works
Rule alerts and External alerts work slightly differently in regards to the
Similarity By parameter.
For example, if Alert Name, Alert Type and Product or Alert Name, Alert Type
options are selected:
- For External alerts, the action only searches for other External alerts and returns only information about those that have the same name.
- For Rule alerts, the action looks at the rule name that triggered the alert and only processes alerts originating from the same rule.
When the Product option is selected, the action only processes alerts
originated from the same product. For example, if an alert originated in
Crowdstrike, the action only matches with alerts that also originated in
Crowdstrike. It doesn't matter if it was a Rule alert or External alert because
the action will query and extract data from both alert types. In all situations,
the action searches for the IoCs provided in the IOCs/Assets parameter in the
predefined fields.
If any other option is provided, the action sets the value to Only IOCs/Assets
in the background.
Use cases
This is a general purpose action suitable for all playbooks working with Google Security Operations SIEM alerts. It allows analysts to correlate different alerts happening in the same time frame and extract all of the relevant IoCs, which are then used to understand whether there is a true positive incident or not.
Action inputs
To configure the action, use the following parameters:
| Parameters | |
|---|---|
Time Frame |
Specified time frame for the results.
Default value is
If If |
IOCs / Assets |
Required
A comma-separated list of IoCs or assets to find in the alerts. |
Similarity By |
Specifies what attributes should be used when the action is searching for similar alerts. Default value is
If If If |
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | Available |
| Case wall table | Available |
| Enrichment table | N/A |
| Entity insight | N/A |
| Insight | N/A |
| JSON result | Available |
| OOTB widget | N/A |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
JSON result
{
"count": 123,
"distinct": [
{
"first_seen": "time of the first alert that matched our conditions",
"last_seen": "time of the last alert that matched our conditions",
"product_name": "product name",
"used_ioc_asset": "what user provided in the parameter IOCs and Assets",
"name": "Alert Name/Rule Name",
"hostnames": "csv list of unique hostnames that were found in alerts",
"urls": "csv list of unique urls that were found in alerts",
"ips": "csv list of unique ips that were found in alerts",
"subjects": "csv list of unique subjects that were found in alerts",
"users": "csv list of unique users that were found in alerts",
"email_addresses": "csv list of unique email_addresses that were found in alerts",
"hashes": "csv list of unique hashes that were found in alerts",
"processes": "csv list of unique processes that were found in alerts"
"rule_urls": ["Chronicle URL from API response for Rule"]
"count": 123
}
],
"processed_alerts": 10000,
"run_time": "how long it took to run the action or at least API request",
"EXTERNAL_url": "Chronicle URL from API response for EXTERNAL"
}
Case wall
The action provides the following output messages:
| Output message | Message description |
|---|---|
| Successfully found similar alerts from the provided time frame in Google Chronicle. | Action is successful. |
| No similar alerts were found from the provided time frame in Google Chronicle. | Action is successful. |
| Error executing action "Lookup Similar Alerts". Reason: ERROR_REASON | The action returned an error. Check connection to the server, input parameters, or credentials. |
| Error executing action "Lookup Similar Alerts". Reason: all of the retries are exhausted. Please wait for a minute and try again. | The action returned an error. Wait for a minute before running the action again. |
Case wall
Name: IOC/ASSET_IDENTIFIER
Columns:
- Product
- Hostnames
- IPs
- Users
- Email Addresses
- Subjects
- URLs
- Hashes
- Processes
- First Seen
- Last Seen
- Alert Name
- General
Case wall link
- CBN: {generated link based on UI Root URL in integration configuration}
- Rule: {generated link based on UI Root URL in integration configuration}
Ping
Test connectivity to Google Security Operations SIEM with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.
Entities
The action doesn't run on entities.
Action inputs
N/A
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | N/A |
| Case wall table | N/A |
| Enrichment table | N/A |
| Entity insight | N/A |
| Insight | N/A |
| JSON result | N/A |
| OOTB widget | N/A |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
Case wall
The action provides the following output messages:
| Output message | Message description |
|---|---|
| Successfully connected to the Google Chronicle backstory with the provided connection parameters! | Action is successful. |
| Failed to connect to the Google Chronicle backstory. Error is ERROR_REASON | The action returned an error. Check connection to the server. |
Remove Values From Reference List
Remove values from a reference list in Google Security Operations.
Entities
The action doesn't run on entities.
Action inputs
To configure the action, use the following parameters:
| Parameters | |
|---|---|
Reference List Name |
Required
Reference list name to update. |
Values |
Required
A comma-separated list of values to remove from a reference list. |
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | N/A |
| Case wall table | N/A |
| Enrichment table | N/A |
| Entity insight | N/A |
| Insight | N/A |
| JSON result | Available |
| OOTB widget | N/A |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
JSON result
{
"name": "list_name",
"description": "description of the list",
"lines": [
"192.0.2.0/24",
"198.51.100.0/24"
],
"create_time": "2020-11-20T17:18:20.409247Z",
"content_type": "CIDR"
}
Case wall
The action provides the following output messages:
| Output message | Message description |
|---|---|
| Successfully removed values from the reference list. | Action is successful. |
| Error executing action "Remove Values From Reference List". Reason: ERROR_REASON | Action returned an error.
Check connection to the server, input parameters, or credentials. |
Connectors
For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.
Chronicle Alerts Connector
Pull information about the rule-based alerts from Google Security Operations SIEM.
Overview
This connector allows users to ingest multiple alert types from Google Security Operations SIEM.
To ensure the flexibility of the connector, use a dynamic list. All of the supported filters are described in the Dynamic list filter section.
The connector can only query data one week backwards.
Sometimes, there may be a delay between the time of alert indexing in Google Security Operations SIEM and the time the indexing has actually happened. To reduce the risks of the alert being missed, set a padding period in the connector. Keep in mind that a significant padding period can lead to a performance degradation, so make sure to increase the connector timeout.
For Google Security Operations SOAR, severity is a mandatory field that isn't always
available in Google Security Operations SIEM. To solve this issue, a new parameter
called Fallback Severity was added. If the connector is not able to extract a
severity, the value provided in a Fallback Severity parameter is used when the
Google Security Operations SOAR alert is created.
Dynamic list filter
The purpose of the dynamic list is to filter different alert types. You can access the dynamic list from the connector configuration page.
Operator rules
- Values provided in a comma-separated manner are treated with OR logic.
- Supported operators are different between different Filter Keys.
- Rule.severity = medium -> The connector only ingests rule alerts with the medium severity.
Examples
- Rule.severity = low,medium -> The connector only ingests rule alerts with the medium or low severity.
- Every line in the dynamic list is treated with AND logic.
- Rule.severity = low,medium -> The connector only ingests rule alerts with the medium or low severity.
- Rule.ruleName = default_rule -> The connector only ingests rule alerts
with the
default_rulename.
Supported filters list
| Filter Key | Response Key | Operators | Possible values |
|---|---|---|---|
| Rule.severity | detection/ruleLabels/severity | =, !=, >, <, >=, <= | Info, Error, Low, Medium, High, Critical. Should be case insensitive. |
| Rule.ruleName | detection/ruleName | =, != | N/A Defined by the user. |
| Rule.ruleID | detection/ruleId | =, != | N/A Defined by the user. |
| Rule.alertState | detection/alertState | =, != | Alerting, Not alerting |
| Rule.ruleLabels.{key} | detection/ruleLabels | =, != | N/A. Defined by the user. |
Dynamic key handling for the rule based detection
To work with the ruleLabels key, format your dynamic list as follows:
Rule.ruleLabels.{key}
Example
The rule is as follows:
"ruleLabels": [
{
"key": "author",
"value": "analyst123"
},
{
"key": "type",
"value": "suspicious_behaviour"
},
{
"key": "severity",
"value": "Medium"
}
]
To apply filters based on ruleLabels.type, the input for the dynamic
list is as follows:
Rule.ruleLabels.type=suspicious_behaviour
Connector inputs
To configure the connector, use the following parameters:
| Parameters | |
|---|---|
| Product Field Name | Required
Enter the source field name in order to retrieve the Product Field name. Default value is |
| Event Field Name | Required
Enter the source field name in order to retrieve the Event Field name. Default value is |
| Environment Field Name | Optional
Describes the name of the field where the environment name is stored. If the environment field isn't found, the environment is the default environment. Default value is |
| Environment Regex Pattern | Optional
A regular expression pattern to run on the value found in the
Default value The parameter allows the user to manipulate the environment field using the regular expression logic. If the regular expression pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
| Script Timeout (Seconds) | Required
Timeout limit for the python process running the current script. Default value is 180. |
| API Root | Required
API root of the Google Security Operations SIEM instance. Google Security Operations provides regional endpoints for each API. For example: If you don't know which endpoint to use, contact Google Support. Default value is |
| User's Service Account | Required
Service Account used for authentication. |
| Fallback Severity | Required
Specify the fallback severity for the detection. This parameter is used if Google Security Operations SIEM detection doesn't include any information related to the severity. Default value is
|
| Max Hours Backwards | Optional Amount of hours from where to fetch incidents. Default value is 1 hour. Max value is 1 week. |
| Max Alerts To Fetch | Optional
The number of alerts to process per one connector iteration. Default value is 100. |
| Verify SSL | Required
If checked, verifies that the SSL certificate for the connection to the Google Security Operations SIEM server is valid. Checked by default. |
| Proxy Server Address | Optional The address of the proxy server to use. |
| Proxy Username | Optional The proxy username to authenticate with. |
| Proxy Password | Optional The proxy password to authenticate with. |
Connector rules
The connector supports proxy.
Google Security Operations alert structure
| Google Security Operations Alert Attribute Name | Product Source (JSON key from API Response) | Output Json Example |
|---|---|---|
| SourceSystemName | (Filled by Framework) | (Filled by Framework). |
| TicketId | Value that is in ids.json | 60112f06545160bf3f54e8b3 |
| DisplayId | Automatically generated | cf24dbb0-89fa-11ea-d9dc-000000000003 |
| Name | alertInfos/name IOC Alert detection/ruleName[0] |
Suspicious: File |
| Reason | N/A | N/A |
| Description | For Rule based Alert Only: detection/ruleLabels/description (if exists) | N/A |
| DeviceVendor | Hardcoded value = "Google Chronicle" | Checkpoint |
| DeviceProduct | Hardcoded Field |
Harmony Mobile |
| Priority | Taken from response or from Fallback Severity | High |
| RuleGenerator | alertInfos/name - for External Alert |
FILE |
| SourceGroupingIdentifier | N/A | N/A |
| StartTime | External Alert -> converted(timestamp) IOC based Alert -> converted(lastSeenTime) Rule based Alert -> converted(timeWindow/startTime) |
2020-10-12T16:31:49.019Z |
| EndTime | External Alert -> converted(timestamp) IOC based Alert -> converted(lastSeenTime) Rule based Alert -> converted(timeWindow/endTime) |
2020-10-12T16:31:49.019Z |
| Chronicle Alert - Extensions | All Alerts -> alert_type: {alert_type} Rule based Alert -> "rule_id": {ruleId}, product_name: {CSV of event/metadata/productName} External Alert -> "alert_name": {name}, product_name: {CSV of udmEvent/metadata/productName} |
N/A |
| Chronicle Alert - Attachments | N/A | N/A |
Google Security Operations events
Rule alerts
An example of the Rule alert is as follows:
{
"alert_type": "RULE",
"event_type": "NETWORK_DHCP",
"type": "RULE_DETECTION",
"detection": [
{
"ruleName": "d3_test",
"urlBackToProduct": "https://demodev.backstory.chronicle.security/ruleDetections?ruleId=ru_74dd17e2-5aad-4053-acd7-958bead014f2&selectedList=RuleDetectionsViewTimeline&selectedParentDetectionId=de_b5dadaf4-b398-325f-9f09-833b71b3ffbb&selectedTimestamp=2022-02-08T05:02:36Z&versionTimestamp=2020-11-19T18:19:11.951951Z",
"ruleId": "ru_74dd17e2-5aad-4053-acd7-958bead014f2",
"ruleVersion": "ru_74dd17e2-5aad-4053-acd7-958bead014f2@v_1605809951_951951000",
"alertState": "NOT_ALERTING",
"ruleType": "SINGLE_EVENT",
"ruleLabels": [
{
"key": "author",
"value": "analyst123"
},
{
"key": "description",
"value": "8:00 AM local time"
},
{
"key": "severity",
"value": "Medium"
}
]
}
],
"createdTime": "2022-02-08T06:07:33.944951Z",
"id": "de_b5dadaf4-b398-325f-9f09-833b71b3ffbb",
"timeWindow": {
"startTime": "2022-02-08T05:02:36Z",
"endTime": "2022-02-08T05:02:36Z"
},
"collectionElements": [
{
"references": [
{
"event": {
"metadata": {
"eventTimestamp": "2022-02-08T05:02:36Z",
"eventType": "NETWORK_DHCP",
"productName": "Infoblox DHCP",
"ingestedTimestamp": "2022-02-08T05:03:03.892234Z"
},
"principal": {
"ip": [
"198.51.100.255",
"198.51.100.1"
],
"mac": [
"01:23:45:ab:cd:ef"
],
"email_address": [
"example@example.com"
]
},
"target": {
"hostname": "dhcp_server",
"ip": [
"198.51.100.0",
"198.51.100.1"
]
},
"network": {
"applicationProtocol": "DHCP",
"dhcp": {
"opcode": "BOOTREQUEST",
"ciaddr": "198.51.100.255",
"giaddr": "198.51.100.0",
"chaddr": "01:23:45:ab:cd:ef",
"type": "REQUEST",
"clientHostname": "example-user-pc",
"clientIdentifier": "AFm/LDfjAw=="
}
}
}
}
],
"label": "e"
}
],
"detectionTime": "2022-02-08T05:02:36Z"
}
External alerts
The example of an External alert is as follows:
{
"alert_type": "External",
"event_type": "GENERIC_EVENT",
"name": "Authentication failure [32038]",
"sourceProduct": "Internal Alert",
"severity": "Medium",
"timestamp": "2020-09-30T18:03:34.898194Z",
"rawLog": "U2VwIDMwIDE4OjAzOjM0Ljg5ODE5NCAxMC4wLjI5LjEwOSBBdXRoZW50aWNhdGlvbiBmYWlsdXJlIFszMjAzOF0=",
"uri": [
"https://demodev.backstory.chronicle.security/assetResults?assetIdentifier=10.0.29.109&namespace=[untagged]&referenceTime=2020-09-30T18%3A03%3A34.898194Z&selectedList=AssetViewTimeline&startTime=2020-09-30T17%3A58%3A34.898194Z&endTime=2020-09-30T18%3A08%3A34.898194Z&selectedAlert=-610875602&selectedEventTimestamp=2020-09-30T18%3A03%3A34.898194Z"
],
"event": {
"metadata": {
"eventTimestamp": "2020-09-30T18:03:34.898194Z",
"eventType": "GENERIC_EVENT",
"productName": "Chronicle Internal",
"ingestedTimestamp": "2020-09-30T18:03:34.991592Z"
},
"target": [
{
"ip": [
"198.51.100.255",
"198.51.100.1"
]
}
],
"securityResult": [
{
"summary": "Authentication failure [32038]",
"severityDetails": "Medium"
}
]
}
}
IOC Alerts
{
"alert_type": "IOC",
"event_type": "IOC Alert",
"artifact": {
"domainName": "example.com"
},
"sources": [
{
"source": "Example List",
"confidenceScore": {
"normalizedConfidenceScore": "Low",
"intRawConfidenceScore": 0
},
"rawSeverity": "High",
"category": "Malware Command and Control Server"
}
],
"iocIngestTime": "2020-09-07T11:00:00Z",
"firstSeenTime": "2018-10-03T00:01:59Z",
"lastSeenTime": "2022-02-04T20:02:29.191Z",
"uri": [
"https://demodev.backstory.chronicle.security/domainResults?domain=example.com&selectedList=DomainViewDistinctAssets&whoIsTimestamp=2022-02-08T15%3A08%3A52.434022777Z"
]
}
Alerts Connector - Deprecated
Description
Pull Asset alerts from Google Security Operations SIEM and convert them into Google Security Operations SIEM alerts.
Authentication
Using google library - google.oauth2.service_account and AuthorizedSession.
API
Use Google Security Operations SIEM Search API.
Connector parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Product Field Name | String | Product Name | Yes | Enter the source field name in order to retrieve the Product Field name. |
| Environment Field Name | String | "" | No | Describes the name of the field where the environment name is stored. If the environment field isn't found, the environment is the default environment. |
| Environment Regex Pattern | String | .* | No | A regex pattern to run on the value found in the "Environment Field Name" field. Default is .* to catch all and return the value unchanged. Used to allow the user to manipulate the environment field through regex logic. If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
| Script Timeout (Seconds) | Integer | 180 | Yes | Timeout limit for the python process running the current script. |
| Service Account Credentials | Password | N/A | Yes | A JSON formatted string act as a token access |
| Fetch Max hours Backwards | Integer | 1 | No | Number of hours from where to fetch alerts. |
IoCs Connector - Deprecated
Description
Pull IOC Domain matches from Google Security Operations SIEM and convert them into Google Security Operations SIEM alerts.
Authentication
Using Google library - google.oauth2.service_account and AuthorizedSession.
API
Use Google Security Operations SIEM Search API.
Connector parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Product Field Name | String | Product Name | Yes | Enter the source field name in order to retrieve the Product Field name. |
| Environment Field Name | String | "" | No | Describes the name of the field where the environment name is stored. If the environment field isn't found, the environment is the default environment. |
| Environment Regex Pattern | String | .* | No | A regex pattern to run on the value found in the "Environment Field Name" field. Default is .* to catch all and return the value unchanged. Used to allow the user to manipulate the environment field through regex logic. If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
| Script Timeout (Seconds) | Integer | 180 | Yes | Timeout limit for the python process running the current script. |
| Service Account Credentials | Password | N/A | Yes | A JSON formatted string act as a token access |
| Fetch Max hours Backwards | Integer | 1 | No | Number of hours from where to fetch alerts. |
| Max Alerts To Fetch | Integer | 50 | No | Number of alerts to process per one connector iteration. You can specify between 1 and 100,000. |
Jobs
Job configuration prerequisites
Before you begin:
- You need to properly configure the Google Security Operations Alerts Connector in Google Security Operations SOAR.
- You need to perform additional actions on the Google Security Operations SIEM side. For more information, see the Integration Permissions section.
To configure the Google Chronicle job, follow these steps:
In Google Security Operations SOAR, go to Settings > Jobs.
Click Create New Job.
In the Add Job dialog that appears, select the corresponding Google Google Security Operations job and click Save.
Optional: Edit the job name and description, if necessary.
In the Job Details section:
- Make sure that GoogleChronicle is selected in the Integration field.
- To automatically run the job at specified intervals, set up a scheduler interval. Configuring the scheduler is mandatory to complete the job configuration.
Google Chronicle Sync Data job
This job works with alerts created by the Chronicle Alerts Connector and Chronicle Alerts Creator job.
The Google Chronicle Sync Data job synchronizes updated Google Security Operations alerts and cases managed in Google Security Operations SOAR back to Google Security Operations SIEM. As a result, tracking of the alert and case status is much easier as you see the same information on both systems right after making changes to Google Security Operations SOAR.
Case and alerts data synchronization
The Google Chronicle Sync Data job tracks and synchronizes the following fields for cases:
| Tracked fields | Synchronized fields |
|---|---|
| Priority | Priority |
| Status | Status |
| Title | Title |
| N/A | Stage |
| N/A | Siemplify Case ID |
| N/A | Siemplify Case ID |
Siemplify Case ID is a unique case identifier in Google Security Operations SOAR.
Siemplify Case ID is a unique case identifier in Google Security Operations SIEM.
The Google Chronicle Sync Data job tracks and synchronizes the following fields for alerts:
| Tracked fields | Synchronized fields |
|---|---|
| Priority | Priority |
| Status | Status |
| Case ID | N/A |
| N/A | Siemplify Alert ID |
| N/A | Siemplify Case ID |
| N/A | Verdict |
| N/A | Closure Comment |
| N/A | Closure Reason |
| N/A | Closure Root Cause |
| N/A | Usefulness |
Siemplify Alert ID is a unique alert identifier in Google Security Operations SOAR.
In one iteration, the job synchronizes up to 1,000 cases and 1,000 alerts. The synchronization occurs within the Google Security Operations SOAR environment that was specified in the job configuration. Thanks to this mechanism, a case from the specified environment cannot be synced with another environment.
Configure the Google Chronicle Sync Data job
Make sure you have completed the prerequisite steps before configuring the job.
To configure the Google Chronicle Sync Data job, follow these steps:
In the Parameters section, configure the following parameters:
Parameter Display Name Type Default Value Is Mandatory Description Environment String Default Environment Yes Name of the environment created in Google Security Operations SOAR where you want to sync cases and alerts. API Root String https://backstory.googleapis.com Yes API root of the Google Security Operations SIEM instance.
Google Security Operations provides regional endpoints for each API.
For example: https://europe-backstory.googleapis.com, https://asia-southeast1-backstory.googleapis.com
If you don't know which endpoint to use, contact Google Support.
User's Service Account Password N/A Yes Service account of the Google Security Operations SIEM instance. A full JSON file should be provided. Max Hours Backwards Integer 24 No Number of hours from when to fetch alerts. Use only positive numbers. If you enter 0 or a negative number, an error is reported. If this parameter is empty, the job uses the default value. Verify SSL Checkbox Checked Yes If enabled, verifies that the SSL certificate for the connection to the Google Security Operations SIEM server is valid. We recommend that you enable this option. To complete the configuration, click Save.
Optional: To run the job immediately after saving, click Run Now.
The Run Now option allows you to trigger a single job run that synchronizes the current Google Security Operations SOAR alerts and cases data with Google Security Operations SIEM.
Log messages
The following table lists possible log messages for the job:
| Log entry | Type | Description |
|---|---|---|
Unable to parse credentials as JSON. Please validate creds. |
Error | The service account provided in the User's Service Account parameter is corrupted. |
"Max Hours Backwards" parameter must be a positive number. |
Error | The Max Hours backwards parameter is set to 0 or a negative number. |
Current platform version does not support SDK methods designed for Google Security Operations. Please use version 6.1.33 or higher. |
Error | The current Google Security Operations SOAR platform instance version doesn't support the Google Security Operations Sync Data job script execution. This means that the instance's build version is older than 6.1.33. |
Unable to connect to Google Security Operations, please validate your credentials: {e} |
Error | The service account or API root values could not be validated against the Google Security Operations SIEM instance. This error is reported if connectivity testing fails. |
--- Start Processing Updated Cases --- |
Info | The case processing loop has started running. |
Last success time. Date time:{datetime_result}.Unix:{unix_result} |
Info | The timestamp of the last successful script execution for cases or alerts:
|
Key: "{db_key}" does not exist in the database. Returning default value instead: {default_value_to_return} |
Info | The pending case or alert database key does not yet exist in the database. This log entry always appears in the first execution of the script. |
Failed to parse data as JSON. Returning default value instead: "{default_value_to_return}". ERROR: {err} |
Error | The value retrieved from the database is not a valid JSON format. |
Exception was raised from the database. ERROR: {error}. |
Error | There is a connection problem with the database. |
|
Info | The pending cases or alerts IDs have been successfully retrieved from the backlog. len(pending_case_ids) is the number of case IDs brought. |
|
Error | The number of pending cases or alerts IDs that are fetched from the database is greater than the limit (1000). The last x IDs over the limit are ignored. This error should not happen as the writing IDs are limited. This may indicate database corruption. |
|
Info | The newly updated case or alert IDs have been successfully fetched from the platform. |
|
Info | The update of cases and alerts in the Google Security Operations SIEM instance has started. |
|
Error | The specified case or alert cannot be synchronized with Google Security Operations SIEM. |
|
Info | The specified pending case or alert has reached the sync retry limit (5) and is not inserted back to the backlog. |
|
Info | The list of case or alert IDs that cannot be synchronized with Google Security Operations SIEM. |
Updated External Case Ids for the following cases: {updated_case_ids} |
Info | The list of cases for which the job updated the matching Google Security Operations SIEM external case ID in the Google Security Operations SOAR platform. |
Failed to update external ids. |
Error | The log entry indicating that there was a problem with the SDK method or connection that prevented updating external case IDs in the platform. |
|
Error | The log entry indicating that there was a certain terminating error that prevented the case or alerts processing loop to finish naturally. The stacktrace is printed after this log with the specific error. |
|
Info | The cases and alerts processing loop has finished, either naturally or with an error. |
|
Error | The list of failed case or alert IDs that have a retry count less than or equal to 5 to be written back to the backlog. |
|
Info | The stage of processing case and alert has been finished. |
Saving timestamps. |
Info | Saving the last successful case and alert update timestamps to the database. |
Saving pending ids. |
Info | Saving pending case and alert IDs to the database. |
Got exception on main handler. Error: {error}' |
Error | A general termination error has occurred. The stacktrace is printed after this log with the specific error. |
Google Chronicle Alerts Creator
This job creates all alerts from Google SecOps SOAR to Google SecOps SIEM, including overflow alerts. The Alerts Creator job does not replicate alerts originated from Google SecOps.
The job queries the SOAR platform using the SOAR Python SDK for non-synced alerts. The non-synced alerts will be sent to SIEM in a batch. Once updated in SIEM, the identifiers of the corresponding SIEM alerts will be returned and saved in SOAR using the SOAR platform API through the Python SDK.
Relationship between the Google Chronicle jobs
In a complete SecOps system, three components run concurrently:
- The Chronicle Alerts Connector.
- The Data Sync job that is responsible for the following:
- Creating and synchronizing cases.
- Synchronizing case modifications—for example, changing the case priority.
- Synchronizing alert modifications—for example, changing the alert priority.
- The Alerts Creator job that is responsible only for creating alerts.
Case and alerts data synchronization
Cases are synchronized in the same manner as with the Sync job.
In Google Security Operations SIEM, each alert is identified with a SIEM alert identifier. SOAR alerts could adopt a SIEM identifier in two scenarios:
Alert sourced in SIEM.
This alert already exists in Google Security Operations SIEM and there is no need to create it in SIEM again. The connector populates the
siem_alert_idfield.Alert sourced in third-party connectors.
This alert does not exist in Google Security Operations SIEM and requires running an explicit synchronization operation that the Alerts Creator Job is responsible for. Upon completing the synchronization operation, the alert acquires a new SIEM identifier.
Configure the Google Chronicle Alerts Creator job
Make sure you have completed the prerequisite steps before configuring the job.
To configure the Google Chronicle Alerts Creator job, follow these steps:
Configure the job parameters from the following table:
Parameter name Type Default value Is mandatory Description Environment String Default Environment Yes Name of the environment created in Google Security Operations SOAR where you want to sync cases and alerts. API Root String https://backstory.googleapis.com Yes API root of the Google Security Operations SIEM instance.
Google SecOps SOAR provides regional endpoints for each API.
For example: https://europe-backstory.googleapis.com, https://asia-southeast1-backstory.googleapis.com
If you don't know which endpoint to use, contact Cloud Customer Care.
User's Service Account Password N/A Yes Service account of the Google Security Operations SIEM instance. A full JSON file should be provided. Verify SSL Checkbox Checked Yes If enabled, verifies that the SSL certificate for the connection to the Google Security Operations SIEM server is valid. We recommend that you enable this option. To complete the configuration, click Save.
If the Save button is inactive, make sure that you have set all mandatory parameters.
Optional: To run the job immediately after saving, click Run Now.
The Run Now option allows you to trigger a single job run that synchronizes the current Google Security Operations SOAR alerts and cases data with Google Security Operations SIEM.
Log messages and error handling
| Log | Level | Description |
|---|---|---|
|
ERROR | The service account provided in the User's Service Account parameter is corrupted. |
|
ERROR | The current Google Security Operations SOAR platform instance version doesn't support the Google Chronicle Alerts Creator Job script execution. This means that the instance build version is older than 6.2.30. |
|
ERROR | The service account or API root values could not be validated against the Google Security Operations SIEM instance. This error is reported if connectivity testing fails. |
|
INFO | Log message indicating that the job has started. |
|
INFO | Log message indicating that the main function has started. |
|
INFO | Log message indicating that the code is starting the i-th fetch attempt. |
|
INFO | Log message indicating that the code is fetching up to batch_size new alerts from SOAR. |
|
INFO | Log message indicating that new_alerts_count SOAR alerts were fetched. |
|
INFO | Log message indicating that no new SOAR alerts were found, and that the job is stopping. |
|
INFO | Log message indicating that the job has fetched the SOAR alerts with the following identifiers in the ids list. This information can be used to track the progress of the job and to troubleshoot issues with the code. |
|
INFO | Log message indicating that the job is dispatching SOAR alerts to SIEM. |
|
ERROR | Log message indicating that the alert was not created successfully in SIEM due to an error. |
|
INFO | Log message indicating that the job is updating SOAR with the SIEM response. |
|
WARNING | Indicates that SOAR was unable to update the status of the alert synchronization. |
|
INFO | Log message indicating that a total of total_synced alerts were synced in the current run. |
|
INFO | Log message indicating that the job has finished. |
|
ERROR | Log message indicating that an exception occurred in the main function. The exception message is included in the log message. |
Use Cases
Install the use case
- In the Google Security Operations Marketplace, go to the Use Cases tab.
Once opened, click the Spotlight window when the required Google Security Operations Use Case appears, and then click Run Use Case.
Also, you can browse through all of the use cases, search for the one you need to run, and click it.
Follow the configuration steps and instructions in the wizard.
Once finished, all of the required components are installed on your Google Security Operations SOAR machine. To finalize the configuration, you need to configure the Initialization block in the playbook that corresponds to your use case.
Chronicle Windows Threats Investigation & Response
Use the power of Google SecOps to respond in real time to Windows threats in your environment. Using Threat Intelligence for Google SecOps, security teams can take advantage of a high-fidelity threat intelligence service together with Google SecOps SOAR. Real threats in your environment can now be automatically triaged and remediated in a short and effective time frame.
In Google Security Operations SOAR, go to Response > Playbooks.
Select the Google Chronicle - Windows Threats Investigation & Response playbook. The playbook opens in the playbook designer view.
Double-click Set Initialization Block_1. The block configuration dialog opens.
To configure the playbook, use the following parameters:
Input Parameter Possible Values Description edr_product - Crowdstrike
- Carbon Black
- None
Sets the EDR product that will be used in the playbook. itsm_product - Service Now
- Jira
- ZenDesk
- None
Sets the ITSM product that will be used in the playbook. Note: Jira requires additional configuration in the "Open Ticket" block. crowdstrike_use_spotlight True / False if the value is "True" the playbook will execute Crowdstrike actions that require Spotlight license (Vulnerability information). use_mandiant True / False if the value is "True" the playbook will execute Mandiant block. slack_user Username / Email Address Provide the username or email address of the Slack user. If "None" is provided, playbook will skip Slack blocks. Click Save. The block configuration dialog closes.
In the playbook designer pane, click Save.
To test the playbook in the use case, ingest the test case included in the package. Some test case functionality can fail because the data used for testing are unavailable in your environment.
Security Command Center & Chronicle Cloud DIR
Use the synergy of Security Command Center and Google Security Operations SIEM to investigate incidents automatically with Chronicle Cloud Detection, Investigation, and Response (CDIR) and provide your analysts with a seamless turn-key solution for your cloud security operations.
Configure the use case
- In the Google Security Operations SOAR, go to the Playbooks tab.
- Select the SCC & Chronicle Cloud DIR playbook.
- Double click the Initialization block.
- Double click it to enable the configuring option.
- Configure the playbook using the following parameters:
| Parameter name | Parameter type | Possible values | Description |
|---|---|---|---|
| Mandiant_Enrichment | Bool | True/False | If True, the playbook will utilize Mandiant for additional enrichment.Note: Mandiant integration needs to be configured for this setup. You can remove the enrichment, if you see that you rarely get meaningful information. This will improve execution speed of the playbook. |
| SCC_Enrichment | Bool | True/False | If True, the playbook will utilize Google Security Command Center for additional enrichment. Note: Google Security Command Center integration needs to be configured for this setup. You can remove the enrichment, if you see that you rarely get meaningful information. This will improve execution speed of the playbook. |
| IAM_Enrichment | Bool | True/False | If True, the playbook will utilize Google IAM for additional enrichment. You can remove the enrichment, if you see that you rarely get meaningful information. This will improve execution speed of the playbook. |
| Compute_Enrichment | Bool | True/False | If True, the playbook will utilize Google Compute for additional enrichment. You can remove the enrichment, if you see that you rarely get meaningful information. This will improve execution speed of the playbook. |
Mandatory integrations
- Siemplify
- Tools
- Mitre ATT&CK
- Google Cloud IAM
- Google Chronicle
- Functions
- Google Cloud Compute
- Email V2
- VirusTotal v3
Optional integrations
- Google Security Command Center
- Mandiant
Configure integrations for the use case
| Integration name | Reference link |
|---|---|
| Google Cloud IAM | Product permissions |
| Google Cloud Compute | Create service account |
| VirusTotal v3 | Configure the VirusTotal v3 integration for use cases |
| Google Chronicle | Integration permissions |
| Mandiant | Generate client ID and client secret |
| Google Security Command Center | Google Security Command Center integration |