Google SecOps

Integration version: 37.0

Integrate Google Chronicle with Google SecOps SOAR

To configure the integration, use the following parameters:

Parameters
UI Root Required

UI root of the Google SecOps SIEM instance used to create a link that points back to Google SecOps SIEM across multiple actions.

Default value is https://INSTANCE.chronicle.security/

API Root Required

API root of the Google SecOps SIEM instance.

Google SecOps provides regional endpoints for each API.

For example: https://europe-backstory.googleapis.com, https://asia-southeast1-backstory.googleapis.com

If you don't know which endpoint to use, [contact Cloud Customer Care](/chronicle/docs/getting-support).

Default value is https://backstory.googleapis.com

User's Service Account Required

Service account of the Google SecOps SIEM instance.

Copy the entire service account JSON file.

Verify SSL Required

When selected, the parameter verifies if the SSL certificate for connecting to the Google SecOps SIEM server is valid.

Selected by default.

You can make changes at a later stage, if necessary. After you configure instances, you can use them in playbooks. For more information on configuring and supporting multiple instances, see Supporting multiple instances.

For detailed instructions on how to configure an integration in Google SecOps SOAR, see Configure integrations.
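The four parameters above are easy to get subtly wrong (a UI root still carrying the INSTANCE placeholder, an API root that is not one of the backstory.googleapis.com regional endpoints, a truncated service-account JSON paste, SSL verification switched off). The following Python is an added example, not part of the integration or of this page's source: a stand-alone pre-flight validator for the configuration dictionary. The parameter names are the ones listed above; the service-account contents and the regional-endpoint pattern are assumptions drawn only from the endpoints this page quotes.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample of the integration parameters (placeholder credentials, not a real key).
SAMPLE_PARAMS = {
    "UI Root": "https://example.chronicle.security/",
    "API Root": "https://europe-backstory.googleapis.com",
    "User's Service Account": json.dumps({
        "type": "service_account",
        "project_id": "example-project",
        "private_key_id": "PLACEHOLDER_KEY_ID",
        "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
        "client_email": "soar-sa@example-project.iam.gserviceaccount.com",
        "token_uri": "https://oauth2.googleapis.com/token",
    }),
    "Verify SSL": True,
}

# Assumption based on the endpoints quoted on this page: regional API roots look like
# https://<region>-backstory.googleapis.com and the default has no region prefix.
API_ROOT_RE = re.compile(r"^https://([a-z0-9-]+-)?backstory\.googleapis\.com$")

# Keys a complete service-account JSON file carries (assumption about the file format).
REQUIRED_SA_KEYS = ("type", "project_id", "private_key", "client_email", "token_uri")


def validate_integration_config(params: dict) -> list:
    """Return a list of problems found; an empty list means the configuration looks sane."""
    problems = []

    ui_root = params.get("UI Root", "")
    parsed = urlparse(ui_root)
    if parsed.scheme != "https" or not parsed.netloc:
        problems.append("UI Root must be an https URL")
    elif "INSTANCE" in parsed.netloc:
        problems.append("UI Root still contains the INSTANCE placeholder")
    elif not ui_root.endswith("/"):
        problems.append("UI Root should end with a trailing slash")

    api_root = params.get("API Root", "").rstrip("/")
    if not API_ROOT_RE.match(api_root):
        problems.append("API Root is not a backstory.googleapis.com endpoint")

    raw_sa = params.get("User's Service Account", "")
    try:
        sa = json.loads(raw_sa)
    except (TypeError, json.JSONDecodeError):
        # Typical symptom of pasting only part of the file.
        problems.append("Service account is not valid JSON (paste the entire file)")
    else:
        if sa.get("type") != "service_account":
            problems.append("Service account JSON 'type' is not 'service_account'")
        missing = [k for k in REQUIRED_SA_KEYS if k not in sa]
        if missing:
            problems.append("Service account JSON is missing keys: " + ", ".join(missing))

    if params.get("Verify SSL") is not True:
        problems.append("Verify SSL is disabled; certificate errors to the SIEM would go unnoticed")

    return problems


if __name__ == "__main__":
    for problem in validate_integration_config(SAMPLE_PARAMS) or ["configuration OK"]:
        print(problem)
```

Run it against the parameter set before saving the instance; every entry in the returned list corresponds to one of the parameters described above, so an empty list is the expected result for a correct configuration.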

Use cases

The Google Chronicle integration can address the following use cases:

  1. Ingest asset alerts or IOC domain matches as Google SecOps SOAR alerts.
  2. Use alerts in Google SecOps SOAR to perform orchestrations with playbooks or manual analysis.
  3. Fetch a list of infected assets, search for events.
  4. Provide reputation and threat enrichment of IP addresses or domains observed.

Actions

Add Values To Reference List

Add values to a reference list in Google SecOps.

Entities

The action does not run on entities.

Action inputs

To configure the action, use the following parameters:

Parameters
Reference List Name Required

The name of the reference list to update.

Values Required

A comma-separated list of values to add to a reference list.

Action outputs

Action output type
Case wall attachment N/A
Case wall link N/A
Case wall table N/A
Enrichment table N/A
Entity insight N/A
Insight N/A
JSON result Available
OOTB widget N/A
Script result Available
Script result
Script result name Value
is_success True or False
JSON result
{
   "name": "list_name",
   "description": "description of the list",
   "lines": [
       "192.0.2.0/24",
       "198.51.100.0/24"
   ],
   "create_time": "2020-11-20T17:18:20.409247Z",
   "content_type": "CIDR"
}
Case wall

The action provides the following output messages:

Output message Message description
Successfully added values to the reference list "REFERENCE_LIST_NAME". Action is successful.
Error executing action "ACTION_NAME". Reason: ERROR_REASON Action returned an error.

Check connection to the server, input parameters, or credentials.

Enrich Domain

Enrich domains using information from IoCs in Google SecOps SIEM.

Entities

The action runs on the following entities:

  • URL
  • Hostname

Action inputs

To configure the action, use the following parameters:

Parameters
Create Insight If enabled, the action creates an insight containing information about the entities.

Enabled by default.

Only Suspicious Insight If enabled, the action only creates an insight for entities that are marked as suspicious.

Disabled by default.

Lowest Suspicious Severity Required

Specify the lowest severity that should be associated with the domain to mark it suspicious.

Default value is Medium.

Possible values are:
  • High
  • Medium
  • Low
  • Info
Mark Suspicious N/A Severity Required

If enabled and the information about severity is unavailable, the action marks the entity as suspicious.

Action outputs

Action output type
Case wall attachment N/A
Case wall link N/A
Case wall table Available
Enrichment table Available
Entity insight N/A
Insight N/A
JSON result Available
OOTB widget N/A
Script result Available
Script result
Script result name Value
is_success True or False

JSON result

{
    "sources": [
        {
            "source": "ET Intelligence Rep List",
            "confidenceScore": {
                "normalizedConfidenceScore": "Low",
                "intRawConfidenceScore": 0
            },
            "rawSeverity": "High",
            "category": "Malware Command and Control Server"
        }
    ],
    "iocIngestTime": "2021-01-26T17:00:00Z",
    "firstSeenTime": "2018-10-03T00:03:53Z",
    "lastSeenTime": "2022-02-09T10:52:21.229Z",
    "uri": [
        "https://demodev.backstory.chronicle.security/domainResults?domain=t0.ssl.ak.dynamic.tiles.virtualearth.net&selectedList=DomainViewDistinctAssets&whoIsTimestamp=2022-02-09T11%3A51%3A52.393783515Z"
    ]
}

Entity enrichment – Prefix: G_Chronicle

Enrichment field name Logic: When to apply
severity When available in JSON
average_confidence When available in JSON
related_domains When available in JSON
categories When available in JSON
sources When available in JSON
first_seen When available in JSON
last_seen When available in JSON
report_link When available in JSON
Case wall

The action provides the following output messages:

Output message Message description
Successfully enriched the following domain in Google Chronicle: LIST_OF_IDS Action is successful.
Error executing action "Enrich Domain". Reason: ERROR_REASON

The action returned an error.

Check connection to the server, input parameters, or credentials.

Case wall table

Name: ENTITY_IDENTIFIER

Columns:

  • Source
  • Severity
  • Category
  • Confidence

Enrich IP

Enrich IP entities using information from IoCs in Google SecOps SIEM.

Entities

The action runs on the IP Address entity.

Action inputs

To configure the action, use the following parameters:

Parameters
Create Insight If enabled, the action creates an insight containing information about the entities.

Enabled by default.

Only Suspicious Insight If enabled, the action only creates an insight for entities that are marked as suspicious.

Disabled by default.

Lowest Suspicious Severity Required

Specify the lowest severity that should be associated with IP to mark it suspicious.

Default value is Medium.

Possible values are:
  • High
  • Medium
  • Low
  • Info
Mark Suspicious N/A Severity Required

If enabled and the information about severity is unavailable, the action marks the entity as suspicious.

Action outputs

Action output type
Case wall attachment N/A
Case wall link N/A
Case wall table Available
Enrichment table Available
Entity insight N/A
Insight N/A
JSON result Available
OOTB widget N/A
Script result Available
Script result
Script result name Value
is_success True or False
JSON result
{
    "sources": [
        {
            "source": "Example List",
            "confidenceScore": {
                "normalizedConfidenceScore": "Low",
                "intRawConfidenceScore": 0
            },
            "rawSeverity": "High",
            "category": "Malware Command and Control Server"
        }
    ],
    "iocIngestTime": "2021-01-26T17:00:00Z",
    "firstSeenTime": "2018-10-03T00:03:53Z",
    "lastSeenTime": "2022-02-09T10:52:21.229Z",
    "uri": [
        "https://demodev.backstory.chronicle.security/domainResults?domain=t0.ssl.ak.dynamic.tiles.virtualearth.net&selectedList=DomainViewDistinctAssets&whoIsTimestamp=2022-02-09T11%3A51%3A52.393783515Z"
    ]
}

Entity enrichment – Prefix: G_Chronicle

Enrichment Field Name Logic: When to apply
severity When available in JSON
average_confidence When available in JSON
related_domains When available in JSON
categories When available in JSON
sources When available in JSON
first_seen When available in JSON
last_seen When available in JSON
report_link When available in JSON
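The Enrich Domain and Enrich IP actions share the same decision logic: the Lowest Suspicious Severity threshold decides when an entity is marked suspicious, Mark Suspicious N/A Severity decides what happens when no source reports a severity at all, and the G_Chronicle_* enrichment fields are emitted only when the JSON result carries the data. The Python below is an added example (not the integration's own code) that implements that logic over an IoC record shaped like the JSON result above. The sample records are constructed; the severity ranking High > Medium > Low > Info and the choice of the highest source severity as the entity severity are assumptions.

```python
from statistics import mean

# Assumed ordering of the severities listed for Lowest Suspicious Severity.
SEVERITY_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3}
PREFIX = "G_Chronicle"

# Constructed IoC record shaped like the action's JSON result (two sources instead of one).
SAMPLE_IOC = {
    "sources": [
        {"source": "ET Intelligence Rep List",
         "confidenceScore": {"normalizedConfidenceScore": "Low", "intRawConfidenceScore": 0},
         "rawSeverity": "High",
         "category": "Malware Command and Control Server"},
        {"source": "Example List",
         "confidenceScore": {"normalizedConfidenceScore": "Medium", "intRawConfidenceScore": 40},
         "rawSeverity": "Low",
         "category": "Scanning Host"},
    ],
    "iocIngestTime": "2021-01-26T17:00:00Z",
    "firstSeenTime": "2018-10-03T00:03:53Z",
    "lastSeenTime": "2022-02-09T10:52:21.229Z",
    "uri": ["https://example.chronicle.security/domainResults?domain=example.test"],
}

# Constructed record whose sources carry no severity information at all.
SAMPLE_IOC_NO_SEVERITY = {
    "sources": [{"source": "Example List", "category": "Unknown"}],
    "uri": [],
}


def highest_severity(ioc):
    """Highest rawSeverity across sources, or None when no source reports one."""
    severities = [s["rawSeverity"] for s in ioc.get("sources", [])
                  if s.get("rawSeverity") in SEVERITY_RANK]
    if not severities:
        return None
    return max(severities, key=SEVERITY_RANK.__getitem__)


def is_suspicious(ioc, lowest_suspicious_severity="Medium", mark_na_severity=False):
    """Apply the Lowest Suspicious Severity and Mark Suspicious N/A Severity parameters."""
    severity = highest_severity(ioc)
    if severity is None:
        # No severity available: the N/A parameter alone decides.
        return mark_na_severity
    return SEVERITY_RANK[severity] >= SEVERITY_RANK[lowest_suspicious_severity]


def build_enrichment(ioc):
    """Build the G_Chronicle_* fields; each one is emitted only when the JSON has the data."""
    fields = {}
    sources = ioc.get("sources", [])
    severity = highest_severity(ioc)
    if severity:
        fields["severity"] = severity
    scores = [s["confidenceScore"]["intRawConfidenceScore"]
              for s in sources if "confidenceScore" in s]
    if scores:
        fields["average_confidence"] = mean(scores)
    categories = sorted({s["category"] for s in sources if s.get("category")})
    if categories:
        fields["categories"] = ", ".join(categories)
    names = sorted({s["source"] for s in sources if s.get("source")})
    if names:
        fields["sources"] = ", ".join(names)
    if ioc.get("firstSeenTime"):
        fields["first_seen"] = ioc["firstSeenTime"]
    if ioc.get("lastSeenTime"):
        fields["last_seen"] = ioc["lastSeenTime"]
    if ioc.get("uri"):
        fields["report_link"] = ioc["uri"][0]
    return {f"{PREFIX}_{key}": value for key, value in fields.items()}


if __name__ == "__main__":
    print(is_suspicious(SAMPLE_IOC), build_enrichment(SAMPLE_IOC))
    print(is_suspicious(SAMPLE_IOC_NO_SEVERITY, mark_na_severity=True))
```

With the default threshold of Medium the sample record is suspicious because one source rates it High; the record without severities is only suspicious when Mark Suspicious N/A Severity is enabled, which is the trade-off that parameter controls.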
Case wall

The action provides the following output messages:

Output message Message description
Successfully enriched the following IPs from Google Chronicle: LIST_OF_IPS Action is successful.
Error executing action "Enrich IP". Reason: ERROR_REASON

The action returned an error.

Check connection to the server, input parameters, or credentials.

Case wall table

Name: ENTITY_IDENTIFIER

Columns:

  • Source
  • Severity
  • Category
  • Confidence
  • Related Domains

Execute Retrohunt

Execute a rule retrohunt in Google SecOps.

Entities

The action doesn't run on entities.

Action inputs

To configure the action, use the following parameters:

Parameters
Rule ID Required

ID of the rule to run a retrohunt for.

Time Frame Timeframe for the results.

Default value is Last Hour.

Possible values are:
  • Last Hour
  • Last 6 Hours
  • Last 24 Hours
  • Last Week
  • Last Month
  • Alert Time Till Now
  • 5 Minutes Around Alert Time
  • 30 Minutes Around Alert Time
  • 1 Hour Around Alert Time
  • Custom

If Alert Time Till Now is selected, the action uses the start time of the alert as a start time for the search, and End Time is set to current time.

If 30 Minutes Around Alert Time is selected, the action searches for alerts 30 minutes before and after the current or selected alert has happened. Same timeframe logic applies to the 1 Hour Around Alert Time and 5 Minutes Around Alert Time values with their corresponding timeframes.

If Custom is selected, the Start Time parameter value is required.

Start Time

Start time for the results.

Format: ISO 8601.

End Time End time for the results.

Format: ISO 8601.

If no value is provided and Custom is selected for the Time Frame parameter, this parameter uses the current time.

Action outputs

Action output type
Case wall attachment N/A
Case wall link N/A
Case wall table N/A
Enrichment table N/A
Entity insight N/A
Insight N/A
JSON result Available
OOTB widget N/A
Script result Available
Script result
Script result name Value
is_success True or False
JSON result
{
  "retrohuntId": "oh_d738c8ea-8fd7-4cc1-b43d-25835b8e1785",
  "ruleId": "ru_30979d84-aa89-47d6-bf4d-b4bb0eacb497",
  "versionId": "ru_30979d84-aa89-47d6-bf4d-b4bb0eacb497@v_1612472807_179679000",
  "eventStartTime": "2021-01-14T23:00:00Z",
  "eventEndTime": "2021-01-30T23:00:00Z",
  "retrohuntStartTime": "2021-02-08T02:40:59.192113Z",
  "state": "RUNNING"
}
Case wall

The action provides the following output messages:

Output message Message description
Successfully executed a retrohunt for the provided rule in Google Chronicle. Action is successful.
Error executing action "Execute Retrohunt". Reason: ERROR_REASON Action returned an error.

Check connection to the server, input parameters, or credentials.

Execute UDM Query

Execute custom UDM query in Google SecOps.

Entities

This action doesn't run on entities.

Action inputs

To configure the action, use the following parameters:

Parameters
Query String Required

A query to execute in Google SecOps.

Time Frame Specified timeframe for the results.

Default value is Last Hour.

Possible values are:
  • Last Hour
  • Last 6 Hours
  • Last 24 Hours
  • Last Week
  • Last Month
  • Alert Time Till Now
  • 5 Minutes Around Alert Time
  • 30 Minutes Around Alert Time
  • 1 Hour Around Alert Time
  • Custom

If Alert Time Till Now is selected, the action uses the start time of the alert as a start time for the search, and sets the End Time parameter to current time.

If 30 Minutes Around Alert Time is selected, the action searches for alerts 30 minutes before and after the current or selected alert has happened. Same timeframe logic applies to the 1 Hour Around Alert Time and 5 Minutes Around Alert Time values with their corresponding timeframes.

If Custom is selected, provide the Start Time parameter.

Start Time

Start time for the results.

Format: ISO 8601.

The maximum time range (from start time to end time) is 90 days.

End Time End time for the results.

Format: ISO 8601.

This parameter uses current time if no value is provided and the Time Frame parameter is set to Custom.

The maximum time range (from start time to end time) is 90 days.

Max Results To Return

Number of results to return per query.

Default value is 50.

Max value is 10,000.
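The Time Frame, Start Time and End Time parameters of Execute Retrohunt and Execute UDM Query follow the same rules: relative frames are measured back from the current time, the Around Alert Time frames are centred on the alert, Alert Time Till Now runs from the alert to now, and Custom requires Start Time and defaults End Time to now. The Python below is an added example, not the integration's code, that resolves those parameters into a concrete start/end pair and enforces the 90-day maximum range stated for Execute UDM Query. Assumptions: Last Month is taken as 30 days, and the sample clock and alert time are constructed.

```python
from datetime import datetime, timedelta, timezone

# Maximum range stated for the Execute UDM Query action.
MAX_RANGE = timedelta(days=90)

# Relative frames measured back from now. Assumption: Last Month means 30 days.
RELATIVE = {
    "Last Hour": timedelta(hours=1),
    "Last 6 Hours": timedelta(hours=6),
    "Last 24 Hours": timedelta(hours=24),
    "Last Week": timedelta(weeks=1),
    "Last Month": timedelta(days=30),
}

# Frames centred on the alert time: the same delta before and after it.
AROUND_ALERT = {
    "5 Minutes Around Alert Time": timedelta(minutes=5),
    "30 Minutes Around Alert Time": timedelta(minutes=30),
    "1 Hour Around Alert Time": timedelta(hours=1),
}

# Constructed clock and alert time used by the usage below and the checks.
SAMPLE_NOW = datetime(2022, 2, 9, 12, 0, tzinfo=timezone.utc)
SAMPLE_ALERT_TIME = datetime(2022, 2, 9, 10, 0, tzinfo=timezone.utc)


def parse_iso8601(value):
    """Parse the ISO 8601 strings the Start/End Time parameters accept, 'Z' suffix included."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts


def resolve_time_frame(time_frame, alert_time=None, start_time=None, end_time=None,
                       now=None, max_range=None):
    """Return (start, end) datetimes for the given Time Frame / Start Time / End Time values."""
    now = now or datetime.now(timezone.utc)
    if time_frame in RELATIVE:
        start, end = now - RELATIVE[time_frame], now
    elif time_frame == "Alert Time Till Now":
        if alert_time is None:
            raise ValueError("Alert Time Till Now needs the alert's start time")
        start, end = alert_time, now
    elif time_frame in AROUND_ALERT:
        if alert_time is None:
            raise ValueError(f"{time_frame} needs the alert's time")
        delta = AROUND_ALERT[time_frame]
        start, end = alert_time - delta, alert_time + delta
    elif time_frame == "Custom":
        if not start_time:
            raise ValueError("Start Time is required when Time Frame is Custom")
        start = parse_iso8601(start_time)
        end = parse_iso8601(end_time) if end_time else now
    else:
        raise ValueError(f"unknown Time Frame: {time_frame}")
    if end < start:
        raise ValueError("End Time is before Start Time")
    if max_range is not None and end - start > max_range:
        raise ValueError(f"time range exceeds {max_range.days} days")
    return start, end


if __name__ == "__main__":
    for frame in ("Last Hour", "30 Minutes Around Alert Time", "Alert Time Till Now"):
        print(frame, resolve_time_frame(frame, alert_time=SAMPLE_ALERT_TIME, now=SAMPLE_NOW))
    print(resolve_time_frame("Custom", start_time="2022-01-01T00:00:00Z",
                             now=SAMPLE_NOW, max_range=MAX_RANGE))
```

Pass `max_range=MAX_RANGE` when building the parameters for Execute UDM Query so that an over-long Custom window is rejected locally instead of failing at the API; leave it unset for Execute Retrohunt, for which the page states no such limit.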

Action outputs

Action output type
Case wall attachment N/A
Case wall link N/A
Case wall table N/A
Enrichment table N/A
Entity insight N/A
Insight N/A
JSON result Available
OOTB widget N/A
Script result Available
Script result
Script result name Value
is_success True or False
JSON result
{
    "events": [
        {
            "event": {
                "metadata": {
                    "eventTimestamp": "2022-01-20T09:15:15.687Z",
                    "eventType": "USER_LOGIN",
                    "vendorName": "Example Vendor",
                    "productName": "Example Product",
                    "ingestedTimestamp": "2022-01-20T09:45:07.433587Z"
                },
                "principal": {
                    "hostname": "example-user-pc",
                    "ip": [
                        "203.0.113.0"
                    ],
                    "mac": [
                        "01:23:45:ab:cd:ef",
                        "01:23:45:ab:cd:ef",
                        "01:23:45:ab:cd:ef"
                    ],
                    "location": {
                        "city": "San Francisco",
                        "state": "California",
                        "countryOrRegion": "US"
                    },
                    "asset": {
                        "hostname": "example-user-pc",
                        "ip": [
                            "203.0.113.1",
                            "203.0.113.1",
                            "203.0.113.1"
                        ],
                        "mac": [
                            "01:23:45:ab:cd:ef",
                            "01:23:45:ab:cd:ef",
                            "01:23:45:ab:cd:ef"
                        ]
                    }
                },
                "target": {
                    "user": {
                        "userid": "Example",
                        "userDisplayName": "Example User",
                        "windowsSid": "S-1-5-21-4712406912-7108061610-2717800068-993683",
                        "emailAddresses": [
                            "example@example.com",
                            "admin.example@example.com"
                        ],
                        "employeeId": "2406187",
                        "productObjectId": "f93f1540-4935-4266-aa8e-a750a319aa1c",
                        "firstName": "Example",
                        "lastName": "User",
                        "phoneNumbers": [
                            "555-01-75"
                        ],
                        "title": "Executive Assistant",
                        "companyName": "Example Corp",
                        "department": [
                            "Executive - Admin"
                        ],
                        "managers": [
                            {
                                "userDisplayName": "Example User",
                                "windowsSid": "S-1-5-21-6051382818-4135626959-8120238335-834071",
                                "emailAddresses": [
                                    "user@example.com"
                                ],
                                "employeeId": "5478500",
                                "productObjectId": "8b3924d5-6157-43b3-857b-78aa6bd94705",
                                "firstName": "User",
                                "lastName": "Example",
                                "phoneNumbers": [
                                    "555-01-75"
                                ],
                                "title": "Chief Technology Officer",
                                "companyName": "Example Corp",
                                "department": [
                                    "Executive - Admin"
                                ]
                            }
                        ]
                    },
                    "ip": [
                        "198.51.100.1"
                    ],
                    "email": "alice@ecorp.com",
                    "application": "Example Sign In"
                },
                "securityResult": [
                    {
                        "summary": "Successful Login",
                        "action": [
                            "ALLOW"
                        ]
                    }
                ],
                "extensions": {
                    "auth": {
                        "type": "SSO"
                    }
                }
            },
            "eventLogToken": "96f23eb9ffaa9f7e7b0e2ff5a0d2e34c,1,1642670115687000,USER,|USER_LOGIN"
        }
    ]
}
Case wall

The action provides the following output messages:

Output message Message description
Successfully returned results for the query "QUERY" in Google Chronicle. Action is successful.
No results were found for the query "QUERY" in Google Chronicle. Action is successful.
Error executing action "Execute UDM Query". Reason: ERROR_REASON

The action returned an error.

Check connection to the server, input parameters, or credentials.

Error executing action "Execute UDM Query". Reason: you've reached a rate limit. Please wait for several minutes and try again.

The action returned an error.

Wait for several minutes before running the action again.

Get Detection Details

Fetch information about a detection in Google SecOps.

Entities

The action does not run on entities.

Action inputs

To configure the action, use the following parameters:

Parameters
Rule ID Required

ID of the rule related to the detection.

Detection ID Required

ID of the detection to fetch details for.

Action outputs

Action output type
Case wall attachment N/A
Case wall link N/A
Case wall table N/A
Enrichment table N/A
Entity insight N/A
Insight N/A
JSON result Available
OOTB widget N/A
Script result Available
Script result
Script result name Value
is_success True or False
JSON result
{
    "type": "RULE_DETECTION",
    "detection": [
        {
            "ruleName": "singleEventRule2",
            "urlBackToProduct": "https://example.backstory.chronicle.security/ruleDetections?ruleId=ru_1f54ab4b-e523-48f7-ae25-271b5ea8337d&selectedList=RuleDetectionsViewTimeline&selectedParentDetectionId=de_ce594791-09ed-9681-27fa-3b7c8fa6054c&selectedTimestamp=2020-12-03T16:50:47.647245Z",
            "ruleId": "ru_1f54ab4b-e523-48f7-ae25-271b5ea8337d",
            "ruleVersion": "ru_1f54ab4b-e523-48f7-ae25-271b5ea8337d@v_1605892822_687503000",
            "alertState": "NOT_ALERTING",
            "ruleType": "SINGLE_EVENT"
        }
    ],
    "createdTime": "2020-12-03T19:19:21.325134Z",
    "id": "de_ce594791-09ed-9681-27fa-3b7c8fa6054c",
    "timeWindow": {
        "startTime": "2020-12-03T16:50:47.647245Z",
        "endTime": "2020-12-03T16:50:47.647245Z"
    },
    "collectionElements": [
        {
            "references": [
                {
                    "event": {
                        "metadata": {
                            "eventTimestamp": "2020-12-03T16:50:47.647245Z",
                            "collectedTimestamp": "2020-12-03T16:50:47.666064010Z",
                            "eventType": "NETWORK_DNS",
                            "productName": "ProductName",
                            "ingestedTimestamp": "2020-12-03T16:50:49.494542Z"
                        },
                        "principal": {
                            "ip": [
                                "192.0.2.1"
                            ]
                        },
                        "target": {
                            "ip": [
                                "203.0.113.1"
                            ]
                        },
                        "securityResult": [
                            {
                                "action": [
                                    "UNKNOWN_ACTION"
                                ]
                            }
                        ],
                        "network": {
                            "applicationProtocol": "DNS",
                            "dns": {
                                "questions": [
                                    {
                                        "name": "altostrat.com",
                                        "type": 1,
                                        "class": 1
                                    }
                                ],
                                "id": 12345,
                                "recursionDesired": true
                            }
                        }
                    }
                }
            ],
            "label": "e"
        }
    ],
    "detectionTime": "2020-12-03T16:50:47.647245Z"
}
Case wall

The action provides the following output messages:

Output message Message description
Successfully fetched information about the detection with ID DETECTION_ID in Google Chronicle. Action is successful.
Error executing action "Get Detection Details". Reason: ERROR_REASON Action returned an error.

Check connection to the server, input parameters, or credentials.

Get Reference Lists

Get available reference lists in Google SecOps.

Entities

The action does not run on entities.

Action inputs

To configure the action, use the following parameters:

Parameters
Filter Key

Key that should be used to filter reference lists.

Possible values are:
  • Name
  • Content Type
  • Description
Filter Logic

Applicable filter logic.

Default value is Equal.

Possible values are:
  • Equal
  • Contains
Filter Value Specifies what value should be used in the filter.

If Equal is selected, the action attempts to find the exact match among the results.

If Contains is selected, the action attempts to find results containing that substring.

The Equal value works with the title parameter, while the Contains value works with all values in response.

If no value is provided for this parameter, the filter isn't applied.

Expanded Details If enabled, the action returns detailed information about the reference lists.

Disabled by default.

Max Reference Lists To Return Number of reference lists to return.

Default value is 100.
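The filter parameters above combine in a fixed way: Filter Key selects the field, Filter Logic selects exact or substring matching, an empty Filter Value disables the filter (the action still succeeds and reports that it did), and Max Reference Lists To Return must be a positive number or the action fails with the error shown below. The following Python is an added example, not the integration's own code, that reproduces that behaviour over a constructed set of reference lists shaped like the action's JSON result. The treatment of a missing Filter Key as "no filter" and the case-sensitive substring match are assumptions.

```python
# Constructed reference lists shaped like the action's JSON result.
SAMPLE_LISTS = [
    {"name": "c2_cidrs", "description": "Known C2 address ranges", "content_type": "CIDR",
     "lines": ["192.0.2.0/24", "198.51.100.0/24"],
     "create_time": "2020-11-20T17:18:20.409247Z"},
    {"name": "admin_hosts", "description": "Jump hosts", "content_type": "PLAIN_TEXT",
     "lines": ["bastion-01", "bastion-02"],
     "create_time": "2021-03-01T08:00:00Z"},
    {"name": "phish_domains", "description": "Phishing domains seen in campaign X",
     "content_type": "REGEX", "lines": [r".*\.example-login\.test"],
     "create_time": "2021-06-15T12:30:00Z"},
]

# Filter Key values from the page mapped onto the JSON result fields.
FILTER_KEY_TO_FIELD = {"Name": "name", "Content Type": "content_type", "Description": "description"}


def validate_max_to_return(value):
    """Reject anything that is not a positive integer, with the page's error wording."""
    try:
        n = int(value)
    except (TypeError, ValueError):
        n = 0
    if n <= 0:
        raise ValueError('Invalid value was provided for "Max Reference Lists to Return": '
                         f'{value}. Positive number should be provided.')
    return n


def filter_reference_lists(lists, filter_key=None, filter_logic="Equal", filter_value=None,
                           max_to_return=100):
    """Apply Filter Key / Filter Logic / Filter Value and the result cap.

    Returns (results, filter_applied); filter_applied is False when the filter was skipped
    because Filter Value was empty (assumption: also when Filter Key is missing).
    """
    limit = validate_max_to_return(max_to_return)
    if not filter_value or filter_key not in FILTER_KEY_TO_FIELD:
        return lists[:limit], False
    field = FILTER_KEY_TO_FIELD[filter_key]
    if filter_logic == "Equal":
        matched = [entry for entry in lists if entry.get(field) == filter_value]
    elif filter_logic == "Contains":
        matched = [entry for entry in lists if filter_value in str(entry.get(field, ""))]
    else:
        raise ValueError(f"unknown Filter Logic: {filter_logic}")
    return matched[:limit], True


if __name__ == "__main__":
    results, applied = filter_reference_lists(SAMPLE_LISTS, "Content Type", "Equal", "CIDR")
    print(applied, [entry["name"] for entry in results])
    results, applied = filter_reference_lists(SAMPLE_LISTS, "Description", "Contains", "hosts")
    print(applied, [entry["name"] for entry in results])
```

When `filter_applied` comes back False in a playbook, treat the result as the full (capped) listing rather than as a match, which is what the "filter was not applied" output message signals.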

Action outputs

Action output type
Case wall attachment N/A
Case wall link N/A
Case wall table Available
Enrichment table N/A
Entity insight N/A
Insight N/A
JSON result Available
OOTB widget N/A
Script result Available
Script result
Script result name Value
is_success True or False
JSON result
{
   "name": "list_name",
   "description": "description of the list",
   "lines": [
       "192.0.2.0/24",
       "198.51.100.0/24"
   ],
   "create_time": "2020-11-20T17:18:20.409247Z",
   "content_type": "CIDR"
}
Case wall

The action provides the following output messages:

Output message Message description
Successfully found reference lists for the provided criteria in Google Chronicle. Action is successful.
The filter was not applied because parameter "Filter Value" has an empty value. Action is successful. Check the Filter Value parameter.
Error executing action "ACTION_NAME". Reason: ERROR_REASON Action returned an error.

Check connection to the server, input parameters, or credentials.

Error executing action "ACTION_NAME". Reason: "Invalid value was provided for "Max Reference Lists to Return": PROVIDED_VALUE. Positive number should be provided. Action returned an error.

Check the value for the Max Reference Lists to Return parameter.

Case Wall Table

Name: Available Reference Lists

Columns:

  • Name
  • Description
  • Type

Get Rule Details

Entities

The action does not run on entities.

Action inputs

To configure the action, use the following parameters:

Parameters
Rule ID Required

Specifies the rule ID to fetch details for.

Action outputs

Action output type
Case wall attachment N/A
Case wall link N/A
Case wall table N/A
Enrichment table N/A
Entity insight N/A
Insight N/A
JSON result Available
OOTB widget N/A
Script result Available
Script result
Script result name Value
is_success True or False
JSON result
{
    "ruleId": "ru_e6abfcb5-1b85-41b0-b64c-695b3250436f",
    "versionId": "ru_e6abfcb5-1b85-41b0-b64c-695b3250436f@v_1602631093_146879000",
    "ruleName": "SampleRule",
    "metadata": {
      "description": "Sample Description of the Rule",
      "author": "author@example.com"
    },
    "ruleText": "rule SampleRule {\n  meta:\n    description = \"Sample Description of the Rule\"\n    author = \"author@example.com\"\n  events:\n    // This will just generate lots of detections\n    $event.metadata.event_type = \"NETWORK_HTTP\"\n  condition:\n    $event\n}",
    "liveRuleEnabled": true,
    "versionCreateTime": "2020-10-13T23:18:13.146879Z",
    "compilationState": "SUCCEEDED"
}
Case wall

The action provides the following output messages:

Output message Message description
Successfully fetched information about the rule with ID RULE_ID in Google Chronicle. Action is successful.
Error executing action "Get Rule Details". Reason: ERROR_REASON Action returned an error.

Check connection to the server, input parameters, or credentials.

Is Value In Reference List

Checks if the provided values are found in reference lists in Google SecOps.

Entities

The action doesn't run on entities.

Action inputs

To configure the action, use the following parameters:

Parameters
Reference List Names Required

A comma-separated list of reference list names to search through.

Values Required

A comma-separated list of values to search for in reference lists.

Case Insensitive Search If enabled, the action performs case insensitive matching.

Action outputs

Action output type
Case wall attachment N/A
Case wall link N/A
Case wall table N/A
Enrichment table N/A
Entity insight N/A
Insight N/A
JSON result Available
OOTB widget N/A
Script result Available
Script result
Script result name Value
is_success True or False
JSON result
{
    "Entity": "example.com",
    "EntityResult": {
        "found_in": [
            "Reference list names where the item was found"
        ],
        "not_found_in": [
            "Reference list names where the item wasn't found"
        ],
        "overall_status": "found, if at least one reference list had the value; not found, if none of the reference lists had the value"
    }
}
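The JSON result above is produced per value: each value is looked up in every named list, `found_in` and `not_found_in` partition the list names, and `overall_status` is "found" as soon as one list matches. The Python below is an added example, not the integration's own code, that builds that structure from constructed reference lists, honours the Case Insensitive Search parameter, and raises the "reference lists were not found" condition described in the output messages when a named list does not exist. The list contents are constructed; the use of `str.casefold()` for the case-insensitive mode is an assumption.

```python
# Constructed reference lists (name -> lines), shaped like the Get Reference Lists output.
SAMPLE_REFERENCE_LISTS = {
    "blocked_domains": ["evil.example", "Bad-Host.example"],
    "allowed_domains": ["corp.example", "partner.example"],
    "watchlist": ["bad-host.example"],
}


def parse_csv_param(raw):
    """Split a comma-separated action parameter, dropping blanks and surrounding whitespace."""
    return [item.strip() for item in raw.split(",") if item.strip()]


def is_value_in_reference_list(reference_lists, list_names, values, case_insensitive=False):
    """Return one entry per value shaped like the action's JSON result.

    reference_lists: mapping of list name -> lines (as fetched from the SIEM).
    list_names / values: the Reference List Names and Values parameters, already split.
    """
    missing = [name for name in list_names if name not in reference_lists]
    if missing:
        # Mirrors the action's error for unknown lists; the caller can fall back to
        # Get Reference Lists to discover the available names.
        raise LookupError("the following reference lists were not found in Google Chronicle: "
                          + ", ".join(missing))
    # Assumption: casefold() is used for the Case Insensitive Search option.
    norm = (lambda s: s.casefold()) if case_insensitive else (lambda s: s)
    indexed = {name: {norm(line) for line in reference_lists[name]} for name in list_names}
    results = []
    for value in values:
        found_in = [name for name in list_names if norm(value) in indexed[name]]
        not_found_in = [name for name in list_names if name not in found_in]
        results.append({
            "Entity": value,
            "EntityResult": {
                "found_in": found_in,
                "not_found_in": not_found_in,
                "overall_status": "found" if found_in else "not found",
            },
        })
    return results


if __name__ == "__main__":
    names = parse_csv_param("blocked_domains, watchlist")
    values = parse_csv_param("bad-host.example, corp.example")
    for entry in is_value_in_reference_list(SAMPLE_REFERENCE_LISTS, names, values, case_insensitive=True):
        print(entry["Entity"], entry["EntityResult"]["overall_status"], entry["EntityResult"]["found_in"])
```

Note the difference the Case Insensitive Search parameter makes in the sample: `bad-host.example` only matches `blocked_domains` (which stores `Bad-Host.example`) when the option is enabled, so a playbook branching on `overall_status` should set that parameter deliberately.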

Case wall

The action provides the following output messages:

Output message Message description
Successfully searched provided values in the reference lists in Google Chronicle. Action is successful.
Error executing action "Is Value In Reference List". Reason: ERROR_REASON Action returned an error.

Check connection to the server, input parameters, or credentials.

Error executing action "Is Value In Reference List". Reason: the following reference lists were not found in Google Chronicle: MISSING_REFERENCE_LIST_NAME(S). Please use the action "Get Reference Lists" to see what reference lists are available. Action returned an error.

Run the Get Reference Lists action to check for available lists.

List Assets

List assets in Google SecOps SIEM related to the entities within the specified timeframe. For hash entities, only MD5, SHA-1, or SHA-256 hashes are supported.

Entities

This action runs on the following entities:

  • URL
  • IP Address
  • Hash

Action inputs

To configure the action, use the following parameters:

Parameters
Max Hours Backwards Number of hours backwards to fetch the assets.

Default value is 1.

Create Insight If enabled, the action creates an insight containing information about the entities.

Enabled by default.

Max Assets To Return Number of assets to return in the response.

Default value is 50.

Time Frame Specified timeframe for the results.

Default value is Max Hours Backwards.

If Custom is selected, provide the Start Time parameter.

If the Max Hours Backwards parameter is provided, the action uses it to build the time filter, for backwards compatibility.

Possible values:
  • Max Hours Backwards
  • Last Hour
  • Last 6 Hours
  • Last 24 Hours
  • Last Week
  • Last Month
  • Custom
Start Time

Start time for the results.

Format: ISO 8601.

End Time End time for the results.

Format: ISO 8601.

This parameter uses current time if no value is provided and the Time Frame parameter is set to Custom.

Action outputs

Action output type
Case wall attachment N/A
Case wall link N/A
Case wall table Available
Enrichment table N/A
Entity insight N/A
Insight N/A
JSON result Available
OOTB widget N/A
Script result Available
Script result
Script result name Value
is_success True or False
JSON result
{
    "assets": [
      {
        "asset": {
          "hostname": "imimumhd6qy6r"
        },
        "firstSeenArtifactInfo": {
          "artifactIndicator": {
            "domainName": "www.example.com"
          },
          "seenTime": "2020-02-28T09:18:15.675Z"
        },
        "lastSeenArtifactInfo": {
          "artifactIndicator": {
            "domainName": "www.example.com"
          },
          "seenTime": "2020-09-24T06:43:59Z"
        }
      }
    ],
    "uri": [
      "https://example.backstory.chronicle.security/domainResults?domain=www.example.com&selectedList=DomainViewDistinctAssets&whoIsTimestamp=2020-09-27T12%3A07%3A34.166830443Z"
    ]
}
Case wall

The action provides the following output messages:

Output message Message description
Successfully listed related assets for the following entities from Google Chronicle: ENTITY_IDENTIFIER Action is successful.
Error executing action "List Assets". Reason: ERROR_REASON

The action returned an error.

Check connection to the server, input parameters, or credentials.

Case wall table

Name: ENTITY_IDENTIFIER

Columns:

  • Hostname
  • IP Address
  • First Seen Artifact
  • Last Seen Artifact

List Events

List events on the particular asset in the specified timeframe.

This action can only fetch 10,000 events. Make sure to narrow down the timeframe for better results.

Entities

This action runs on the following entities:

  • IP address
  • MAC address
  • Hostname

Action inputs

To configure the action, use the following parameters:

Parameters
Event Types

A comma-separated list of the event types that should be returned. If no value is provided, the action fetches all event types.

To check all possible values for this parameter, see Event type possible values.

Time Frame Specified time frame for the results.

Default value is Custom.

If Custom is selected, provide the Start Time parameter.

If the Max Hours Backwards parameter is provided, the action uses it to build the time filter, for backwards compatibility.

Possible values are:
  • Max Hours Backwards
  • Last Hour
  • Last 6 Hours
  • Last 24 Hours
  • Last Week
  • Last Month
  • Custom
Start Time

Start time for the results.

Format: ISO 8601.

End Time End time for the results.

Format: ISO 8601.

This parameter uses current time if no value is provided and the Time Frame parameter is set to Custom.

The now value can also be used.

Reference Time Reference time for the event search. Format: YYYY-MM-DDThh:mmTZD.
Output Required

Output for this action.

Possible values are:
  • Events + Statistics
  • Only Events
  • Only Statistics
Max Events To Return

Number of events to process per entity type.

Default value is 100.

Event type possible values

The full list of possible values for the Event Type parameter is as follows:

EVENTTYPE_UNSPECIFIED, PROCESS_UNCATEGORIZED, PROCESS_LAUNCH, PROCESS_INJECTION, PROCESS_PRIVILEGE_ESCALATION, PROCESS_TERMINATION, PROCESS_OPEN, PROCESS_MODULE_LOAD, REGISTRY_UNCATEGORIZED, REGISTRY_CREATION, REGISTRY_MODIFICATION, REGISTRY_DELETION, SETTING_UNCATEGORIZED, SETTING_CREATION, SETTING_MODIFICATION, SETTING_DELETION, MUTEX_UNCATEGORIZED, MUTEX_CREATION, FILE_UNCATEGORIZED, FILE_CREATION, FILE_DELETION, FILE_MODIFICATION, FILE_READ, FILE_COPY, FILE_OPEN, FILE_MOVE, FILE_SYNC, USER_UNCATEGORIZED, USER_LOGIN, USER_LOGOUT, USER_CREATION, USER_CHANGE_PASSWORD, USER_CHANGE_PERMISSIONS, USER_STATS, USER_BADGE_IN, USER_DELETION, USER_RESOURCE_CREATION, USER_RESOURCE_UPDATE_CONTENT, USER_RESOURCE_UPDATE_PERMISSIONS, USER_COMMUNICATION, USER_RESOURCE_ACCESS, USER_RESOURCE_DELETION, GROUP_UNCATEGORIZED, GROUP_CREATION, GROUP_DELETION, GROUP_MODIFICATION, EMAIL_UNCATEGORIZED, EMAIL_TRANSACTION, EMAIL_URL_CLICK, NETWORK_UNCATEGORIZED, NETWORK_FLOW, NETWORK_CONNECTION, NETWORK_FTP, NETWORK_DHCP, NETWORK_DNS, NETWORK_HTTP, NETWORK_SMTP, STATUS_UNCATEGORIZED, STATUS_HEARTBEAT, STATUS_STARTUP, STATUS_SHUTDOWN, STATUS_UPDATE, SCAN_UNCATEGORIZED, SCAN_FILE, SCAN_PROCESS_BEHAVIORS, SCAN_PROCESS, SCAN_HOST, SCAN_VULN_HOST, SCAN_VULN_NETWORK, SCAN_NETWORK, SCHEDULED_TASK_UNCATEGORIZED, SCHEDULED_TASK_CREATION, SCHEDULED_TASK_DELETION, SCHEDULED_TASK_ENABLE, SCHEDULED_TASK_DISABLE, SCHEDULED_TASK_MODIFICATION, SYSTEM_AUDIT_LOG_UNCATEGORIZED, SYSTEM_AUDIT_LOG_WIPE, SERVICE_UNSPECIFIED, SERVICE_CREATION, SERVICE_DELETION, SERVICE_START, SERVICE_STOP, SERVICE_MODIFICATION, GENERIC_EVENT, RESOURCE_CREATION, RESOURCE_DELETION, RESOURCE_PERMISSIONS_CHANGE, RESOURCE_READ, RESOURCE_WRITTEN, ANALYST_UPDATE_VERDICT, ANALYST_UPDATE_REPUTATION, ANALYST_UPDATE_SEVERITY_SCORE, ANALYST_UPDATE_STATUS, ANALYST_ADD_COMMENT.

Action outputs

Action output type
Case wall attachment N/A
Case wall link N/A
Case wall table N/A
Enrichment table N/A
Entity insight N/A
Insight N/A
JSON result Available
OOTB widget N/A
Script result Available
Script result
Script result name Value
is_success True or False
JSON result
{
    "statistics": {
        "NETWORK_CONNECTION": 10
    },
    "events": [
      {
        "metadata": {
          "eventTimestamp": "2020-09-28T14:20:00Z",
          "eventType": "NETWORK_CONNECTION",
          "productName": "EXAMPLE Name",
          "productEventType": "NETWORK_DNS",
          "ingestedTimestamp": "2020-09-28T16:28:11.615578Z"
        },
        "principal": {
          "hostname": "user-example-pc",
          "assetId": "EXAMPLE:user-example-pc",
          "process": {
            "pid": "1101",
            "productSpecificProcessId": "EXAMPLE:32323"
          }
        },
        "target": {
          "hostname": "example.com",
          "user": {
            "userid": "user"
          },
          "process": {
            "pid": "8172",
            "file": {
              "md5": "a219fc7fcc93890a842183388f80369e",
              "fullPath": "C:\\Program Files(x86)\\adobe\\acrobat reader dc\\reader\\acrord32.exe"
            },
            "commandLine": "\"C:\\Program Files(x86)\\adobe\\acrobat reader dc\\reader\\acrord32.exe\" ...",
            "productSpecificProcessId": "EXAMPLE:82315"
          }
        }
      },
      {
        "metadata": {
          "eventTimestamp": "2020-09-28T17:20:00Z",
          "eventType": "NETWORK_CONNECTION",
          "productName": "EXAMPLE Name",
          "productEventType": "NETWORK_DNS",
          "ingestedTimestamp": "2020-09-28T16:28:11.615578Z"
        },
        "principal": {
          "hostname": "user-example-pc",
          "assetId": "EXAMPLE:user-example-pc",
          "process": {
            "pid": "1101",
            "productSpecificProcessId": "EXAMPLE:32323"
          }
        },
        "target": {
          "hostname": "example.com",
          "user": {
            "userid": "user"
          },
          "process": {
            "pid": "8172",
            "file": {
              "md5": "a219fc7fcc93890a842183388f80369e",
              "fullPath": "C:\\Program Files(x86)\\adobe\\acrobat reader dc\\reader\\acrord32.exe"
            },
            "commandLine": "\"C:\\Program Files(x86)\\adobe\\acrobat reader dc\\reader\\acrord32.exe\" ...",
            "productSpecificProcessId": "EXAMPLE:82315"
          }
        }
      }
    ],
    "uri": [
      "https://demodev.backstory.chronicle.security/assetResults?assetIdentifier=user-example-pc&referenceTime=2020-09-28T17%3A00%3A00Z&selectedList=AssetViewTimeline&startTime=2020-09-28T14%3A20%3A00Z&endTime=2020-09-28T20%3A20%3A00Z"
    ]
}
Case wall

The action provides the following output messages:

Output message Message description
Successfully listed related events for the following entities from Google Chronicle: ENTITY_IDENTIFIER Action is successful.
Error executing action "List Events". Reason: ERROR_REASON

The action returned an error.

Check connection to the server, input parameters, or credentials.

Error executing action "List Events". Reason: invalid event type is provided. Please check the spelling. Supported event types: SUPPORTED_EVENT_TYPES

The action returned an error.

Check the spelling.

List IOCs

List all of the IoCs discovered within your enterprise within the specified time range.

If you receive the maximum number of IoCs you specified using the Max IoCs to Fetch parameter (or 10,000, the default value), there might still be more IoCs discovered in your Google SecOps account. You might want to narrow the time range and run the call again to ensure you have visibility on all possible IoCs.

Entities

This action doesn't run on entities.

Action inputs

To configure the action, use the following parameters:

Parameters
Start Time Start time for the results.

Format: ISO 8601.

Max IoCs to Fetch Maximum number of IoCs to return.

Applicable range is from 1 to 10,000.

Default value is 50.

Action outputs

Action output type
Case wall attachment N/A
Case wall link N/A
Case wall table Available
Enrichment table N/A
Entity insight N/A
Insight N/A
JSON result Available
OOTB widget N/A
Script result Available
Script result
Script result name Value
is_success True or False
JSON result
{
   "matches":[
      {
         "artifact":{
            "domainName":"www.example.com"
         },
         "firstSeenTime":"2018-05-25T20:47:11.048998Z",
         "iocIngestTime":"2019-08-14T21:00:00Z",
         "lastSeenTime":"2019-10-24T16:19:46.880830Z",
         "sources":[
            {
               "category":"Spyware Reporting Server",
               "confidenceScore":{
                  "intRawConfidenceScore":0,
                  "normalizedConfidenceScore":"Low"
               },
               "rawSeverity":"Medium",
               "source":"ET Intelligence Rep List"
            }
         ],
         "uri":["URI"]
      }
   ],
   "moreDataAvailable":true
}
Case wall

The action provides the following output messages:

Output message Message description
Successfully listed IOCs from the provided time frame in Google Chronicle. Action is successful.
Error executing action "List IOCs". Reason: ERROR_REASON

The action returned an error.

Check connection to the server, input parameters, or credentials.

Case wall table

Columns:

  • Domain
  • Category
  • Source
  • Confidence
  • Severity
  • IoC Ingest Time
  • IoC First Seen Time
  • IoC Last Seen Time
  • URI

Lookup Similar Alerts

Search for similar alerts in Google SecOps.

Depending on the underlying alert type, the action behaves differently. If the alert is rule-based (Rule alert), the action attempts to match alerts based on rule names, while for External alerts, the action match is based on the alert name.

This action queries a sizable volume of alerts in the background based on the provided timeframe.

In responses, the action searches for specific keys and extracts possible IoCs.

In addition, the action creates distinct results based on the alert, rule, or product name and IoC that was used during the search.

How the Similarity By parameter works

Rule alerts and External alerts work slightly differently in regards to the Similarity By parameter.

For example, if Alert Name, Alert Type and Product or Alert Name, Alert Type options are selected:

  • For External alerts, the action only searches for other External alerts and returns only information about those that have the same name.
  • For Rule alerts, the action looks at the rule name that triggered the alert and only processes alerts originating from the same rule.

When the Product option is selected, the action only processes alerts originating from the same product. For example, if an alert originated in Crowdstrike, the action only matches alerts that also originated in Crowdstrike. It doesn't matter whether it was a Rule alert or an External alert, because the action queries and extracts data from both alert types. In all situations, the action searches the predefined fields for the IoCs provided in the IOCs/Assets parameter.

If any other option is provided, the action sets the value to Only IOCs/Assets in the background.

Use cases

This is a general purpose action suitable for all playbooks working with Google SecOps SIEM alerts. It allows analysts to correlate different alerts happening in the same timeframe and extract all of the relevant IoCs, which are then used to understand whether there is a true positive incident or not.

Action inputs

To configure the action, use the following parameters:

Parameters
Time Frame Specified timeframe for the results.

Default value is Last Hour.

Possible values are:
  • Last Hour
  • Last 6 Hours
  • Last 24 Hours
  • Last Week
  • Last Month
  • Alert Time Till Now
  • 5 Minutes Around Alert Time
  • 30 Minutes Around Alert Time
  • 1 Hour Around Alert Time

If Alert Time Till Now is selected, the action uses the start time of the alert as a start time for the search, and sets the End Time parameter to current time.

If 30 Minutes Around Alert Time is selected, the action searches for alerts 30 minutes before and after the current or selected alert has happened. Same timeframe logic applies to the 1 Hour Around Alert Time and 5 Minutes Around Alert Time values with their corresponding timeframes.

IOCs / Assets Required

A comma-separated list of IoCs or assets to find in the alerts.

Similarity By

Specifies what attributes should be used when the action is searching for similar alerts.

Default value is Alert Name, Alert Type and Product.

Possible values are:
  • Alert Name, Alert Type and Product
  • Alert Name and Alert Type
  • Product
  • Only IOCs/Assets

If Alert Name and Alert Type is selected, the action attempts to find all of the alerts with the same alert name and IoCs/Assets for the underlying alert type.

If Product is selected, the action attempts to find all alerts originating from the same product and possessing the same IoCs/Assets. The action searches through both External and Rule alerts.

If Only IOCs/Assets is selected, the action matches the similarity based upon the items provided in the IOCs/Assets parameter. The action searches through both External and Rule alerts.

Action outputs

Action output type
Case wall attachment N/A
Case wall link Available
Case wall table Available
Enrichment table N/A
Entity insight N/A
Insight N/A
JSON result Available
OOTB widget N/A
Script result Available
Script result
Script result name Value
is_success True or False
JSON result
{
    "count": 123,
    "distinct": [
        {
            "first_seen": "time of the first alert that matched our conditions",
            "last_seen": "time of the last alert that matched our conditions",
            "product_name": "product name",
            "used_ioc_asset": "what user provided in the parameter IOCs and Assets",
            "name": "Alert Name/Rule Name",
            "hostnames": "csv list of unique hostnames that were found in alerts",
            "urls": "csv list of unique urls that were found in alerts",
            "ips": "csv list of unique ips that were found in alerts",
            "subjects": "csv list of unique subjects that were found in alerts",
            "users": "csv list of unique users that were found in alerts",
            "email_addresses": "csv list of unique email_addresses that were found in alerts",
            "hashes": "csv list of unique hashes that were found in alerts",
            "processes": "csv list of unique processes that were found in alerts",
            "rule_urls": ["Chronicle URL from API response for Rule"],
            "count": 123
        }
    ],
    "processed_alerts": 10000,
    "run_time": "how long it took to run the action or at least API request",
    "EXTERNAL_url": "Chronicle URL from API response for EXTERNAL"
}
Case wall

The action provides the following output messages:

Output message Message description
Successfully found similar alerts from the provided time frame in Google Chronicle. Action is successful.
No similar alerts were found from the provided time frame in Google Chronicle. Action is successful.
Error executing action "Lookup Similar Alerts". Reason: ERROR_REASON

The action returned an error.

Check connection to the server, input parameters, or credentials.

Error executing action "Lookup Similar Alerts". Reason: all of the retries are exhausted. Please wait for a minute and try again.

The action returned an error.

Wait for a minute before running the action again.

Case wall

Name: IOC/ASSET_IDENTIFIER

Columns:

  • Product
  • Hostnames
  • IPs
  • Users
  • Email Addresses
  • Subjects
  • URLs
  • Hashes
  • Processes
  • First Seen
  • Last Seen
  • Alert Name
  • General
  • CBN: {generated link based on UI Root URL in integration configuration}
  • Rule: {generated link based on UI Root URL in integration configuration}

Ping

Test connectivity to Google SecOps SIEM with parameters provided at the integration configuration page.

Entities

The action doesn't run on entities.

Action inputs

N/A

Action outputs

Action output type
Case wall attachment N/A
Case wall link N/A
Case wall table N/A
Enrichment table N/A
Entity insight N/A
Insight N/A
JSON result N/A
OOTB widget N/A
Script result Available
Script result
Script result name Value
is_success True or False
Case wall

The action provides the following output messages:

Output message Message description
Successfully connected to the Google Chronicle backstory with the provided connection parameters! Action is successful.
Failed to connect to the Google Chronicle backstory. Error is ERROR_REASON

The action returned an error.

Check connection to the server.

Remove Values From Reference List

Remove values from a reference list in Google SecOps.

Entities

The action doesn't run on entities.

Action inputs

To configure the action, use the following parameters:

Parameters
Reference List Name Required

Reference list name to update.

Values Required

A comma-separated list of values to remove from a reference list.

Action outputs

Action output type
Case wall attachment N/A
Case wall link N/A
Case wall table N/A
Enrichment table N/A
Entity insight N/A
Insight N/A
JSON result Available
OOTB widget N/A
Script result Available
Script result
Script result name Value
is_success True or False
JSON result
{
   "name": "list_name",
   "description": "description of the list",
   "lines": [
       "192.0.2.0/24",
       "198.51.100.0/24"
   ],
   "create_time": "2020-11-20T17:18:20.409247Z",
   "content_type": "CIDR"
}
Case wall

The action provides the following output messages:

Output message Message description
Successfully removed values from the reference list. Action is successful.
Error executing action "Remove Values From Reference List". Reason: ERROR_REASON

The action returned an error.

Check connection to the server, input parameters, or credentials.

Connectors

For detailed instructions on how to configure a connector in Google SecOps SOAR, see Configuring the connector.

Chronicle Alerts Connector

Use the Chronicle Alerts Connector to pull information about the rule-based alerts from Google SecOps SIEM.

You can use the dynamic list to filter alerts and alert types.

Overview

This connector lets you ingest multiple alert types from Google SecOps SIEM.

To ensure the flexibility of the connector, use a dynamic list. For more details about the supported filter, see the Dynamic list filter section.

The Chronicle Alerts Connector queries data within a one-week timeframe.

A delay can occur between the time that Google SecOps SIEM indexes an alert and when indexing completes. To mitigate the risk of missing alerts, set a padding period for the connector. Additionally, increase the connector timeout. A significant padding period can negatively impact connector performance.

If the Google SecOps SIEM alert lacks a severity value, the connector uses the value specified in the Fallback Severity parameter when creating the corresponding Google SecOps SOAR alert.

Dynamic list filter

The purpose of the dynamic list is to filter different alert types. You can access the dynamic list from the connector configuration page.

Operator rules

The operator rules for the dynamic list are as follows:

  • Values provided in a comma-separated manner are treated with OR logic.
  • Every line in the dynamic list is treated with AND logic.
  • Supported operators are different between different Filter Keys.

The following are the examples of using operator rules:

  • Rule.severity = medium: The connector only ingests rule alerts with the medium severity.
  • Rule.severity = low,medium: The connector only ingests rule alerts with the medium or low severity.
  • Rule.ruleName = default_rule: The connector only ingests rule alerts with the default_rule name.

Supported filters list

The Chronicle Alerts Connector supports the following filters:

Filter key | Response key | Operators | Possible values
Rule.severity | detection/ruleLabels/severity | =, !=, >, <, >=, <= | Info, Error, Low, Medium, High, Critical. The values are case insensitive.
Rule.ruleName | detection/ruleName | =, != | Not applicable (defined by the user).
Rule.ruleID | detection/ruleId | =, != | Not applicable (defined by the user).
Rule.alertState | detection/alertState | =, != | Alerting, Not alerting
Rule.ruleLabels.{key} | detection/ruleLabels | =, != | Defined by the user.

Dynamic key handling for the rule based detection

To work with the ruleLabels key, format your dynamic list as follows:

Rule.ruleLabels.{key}

Example

The rule is as follows:

    "ruleLabels": [
        {
            "key": "author",
            "value": "analyst123"
        },
        {
            "key": "type",
            "value": "suspicious_behaviour"
        },
        {
            "key": "severity",
            "value": "Medium"
        }
    ]

To apply filters based on ruleLabels.type, the input for the dynamic list is as follows:

Rule.ruleLabels.type=suspicious_behaviour
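The dynamic list logic described above (OR across the comma-separated values of one line, AND across lines, a different operator set per filter key, and Rule.ruleLabels.{key} lookups), as an added Python example that is not part of the integration's own code. It assumes a severity ordering of Info < Error < Low < Medium < High < Critical for the ordered operators, assumes NOT_ALERTING in a detection corresponds to "Not alerting" in the possible-values column, and evaluates filters against a constructed detection trimmed from the rule alert example further down this page.

```python
import operator
import re

# Severity ranking for the ordered operators on Rule.severity. The page lists
# Info, Error, Low, Medium, High, Critical; this ordering is an assumption.
SEVERITY_RANK = {"info": 0, "error": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}

OPERATORS = {"=": operator.eq, "!=": operator.ne, ">": operator.gt,
             "<": operator.lt, ">=": operator.ge, "<=": operator.le}
ORDERED_OPS = {">", "<", ">=", "<="}

# Filter key prefix -> key inside a detection object (from the supported filters list).
STATIC_KEYS = {"rule.rulename": "ruleName", "rule.ruleid": "ruleId",
               "rule.alertstate": "alertState"}

# One dynamic-list line: <key> <op> <comma-separated values>; two-char operators first.
LINE_RE = re.compile(r"^\s*(?P<key>[\w.]+)\s*(?P<op>>=|<=|!=|=|>|<)\s*(?P<values>.+?)\s*$")


def _split_key(raw_key):
    """'Rule.ruleLabels.type' -> ('rule.rulelabels', 'type'); the suffix keeps its case."""
    parts = raw_key.split(".", 2)
    return ".".join(parts[:2]).lower(), (parts[2] if len(parts) > 2 else None)


def parse_line(line):
    """Parse one dynamic-list line into (key, operator, [values])."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable filter line: {line!r}")
    key, op = m.group("key"), m.group("op")
    # Only Rule.severity supports >, <, >=, <=; every other key is =, != only.
    if op in ORDERED_OPS and _split_key(key)[0] != "rule.severity":
        raise ValueError(f"operator {op!r} is not supported for {key}")
    values = [v.strip() for v in m.group("values").split(",") if v.strip()]
    return key, op, values


def _label(detection, name):
    """Look up a ruleLabels entry; labels are a list of {"key": ..., "value": ...}."""
    for entry in detection.get("ruleLabels", []):
        if entry.get("key") == name:
            return entry.get("value")
    return None


def _normalize(value):
    # Case-insensitive matching; NOT_ALERTING in the response is assumed to
    # correspond to "Not alerting" in the possible-values column.
    return str(value).strip().lower().replace("_", " ")


def actual_value(detection, raw_key):
    """Resolve a filter key to the value it refers to in a rule detection."""
    prefix, suffix = _split_key(raw_key)
    if prefix == "rule.severity":
        return _label(detection, "severity")
    if prefix in STATIC_KEYS:
        return detection.get(STATIC_KEYS[prefix])
    if prefix == "rule.rulelabels" and suffix:
        return _label(detection, suffix)  # dynamic key: Rule.ruleLabels.{key}
    raise ValueError(f"unsupported filter key: {raw_key}")


def line_matches(detection, line):
    """One line: the comma-separated values are OR-ed."""
    key, op, values = parse_line(line)
    actual = actual_value(detection, key)
    if actual is None:
        return False  # the detection carries no such field or label
    compare = OPERATORS[op]
    if op in ORDERED_OPS:
        if _normalize(actual) not in SEVERITY_RANK:
            return False  # an unknown level never satisfies an ordered comparison
        lhs = SEVERITY_RANK[_normalize(actual)]
        return any(compare(lhs, SEVERITY_RANK[_normalize(v)])
                   for v in values if _normalize(v) in SEVERITY_RANK)
    return any(compare(_normalize(actual), _normalize(v)) for v in values)


def detection_matches(detection, dynamic_list):
    """Lines are AND-ed; an empty dynamic list matches everything (assumption)."""
    return all(line_matches(detection, line) for line in dynamic_list if line.strip())


def rule_alert_matches(alert, dynamic_list):
    """A rule alert carries a list of detections; match if any detection does (assumption)."""
    return any(detection_matches(d, dynamic_list) for d in alert.get("detection", []))


# Constructed sample, trimmed from the rule alert example on this page.
SAMPLE_RULE_ALERT = {
    "alert_type": "RULE",
    "detection": [{
        "ruleName": "d3_test",
        "ruleId": "ru_74dd17e2-5aad-4053-acd7-958bead014f2",
        "alertState": "NOT_ALERTING",
        "ruleLabels": [{"key": "author", "value": "analyst123"},
                       {"key": "severity", "value": "Medium"}],
    }],
}
```

With the sample above, `["Rule.severity = low,medium", "Rule.ruleName = d3_test"]` matches, while changing the second line to `Rule.ruleName = default_rule` does not, because every line must hold.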

Connector inputs

To configure the connector, use the following parameters:

Parameters
Product Field Name Required

Enter the source field name in order to retrieve the Product Field name.

Default value is Product Name.

Event Field Name Required

Enter the source field name in order to retrieve the Event Field name.

Default value is event_type.

Environment Field Name Optional

Describes the name of the field where the environment name is stored.

If the environment field isn't found, the environment is the default environment.

Default value is "".

Environment Regex Pattern Optional

A regular expression pattern to run on the value found in the Environment Field Name field. This parameter lets you manipulate the environment field using the regular expression logic.

Use the default value .* to retrieve the required raw Environment Field Name value.

If the regular expression pattern is null or empty, or the environment value is null, the final environment result is the default environment.

Script Timeout (Seconds) Required

Timeout limit for the Python process running the current script.

Default value is 180.

API Root Required

API root of the Google SecOps SIEM instance.

Google SecOps provides regional endpoints for each API.

For example: https://europe-backstory.googleapis.com or https://asia-southeast1-backstory.googleapis.com

If you don't know which endpoint to use, [contact Cloud Customer Care](/chronicle/docs/getting-support).

Default value is https://backstory.googleapis.com.

User's Service Account Required

Service Account used for authentication.

Fallback Severity Required

Specify the fallback severity for the detection.

This parameter is used if Google SecOps SIEM detection doesn't include any information related to the severity.

Default value is Medium.

Possible values:
  • Critical
  • High
  • Medium
  • Low
  • Info
Max Hours Backwards Optional

Number of hours before the first connector iteration to retrieve incidents from. This parameter applies only once to the initial connector iteration after you enable the connector for the first time.

Default value is 1 hour. Max value is 1 week.

Max Alerts To Fetch Optional

The number of alerts to process per one connector iteration.

Default value is 100.

Disable Event Splitting Optional

If selected, the connector doesn't split the original events into multiple events, so the event count in Google SecOps SOAR matches the count in Google SecOps SIEM.

Not selected by default.

Verify SSL Required

If selected, Google SecOps verifies that the SSL certificate for the connection to the Google SecOps SIEM server is valid.

Selected by default.

Proxy Server Address Optional

The address of the proxy server to use.

Proxy Username Optional

The proxy username to authenticate with.

Proxy Password Optional

The proxy password to authenticate with.

Disable Overflow Optional

Select to disable an event overflow.

Not selected by default.

Connector rules

The connector supports proxy.

Alert structure

The following table describes the structure of alerts in Google SecOps:

Alert attribute name Product source (JSON key from an API response) Output JSON example
SourceSystemName Filled by framework Filled by framework
TicketId Value from ids.json file 60112f06545160bf3f54e8b3
DisplayId Automatically generated cf24dbb0-89fa-11ea-d9dc-000000000003
Name

alertInfos/name

IOC Alert

detection/ruleName

Suspicious: File
Reason Not available Not available
Description For the rule based alerts Only: detection/ruleLabels/description (if exists) Not available
DeviceVendor Hardcoded value is Google Chronicle Checkpoint
DeviceProduct Hardcoded field:
  • RULE: For rule detection alerts
  • IOC: For IOC matches
  • EXTERNAL: For external alerts
Harmony Mobile
Priority Taken from response or from the Fallback Severity parameter High
RuleGenerator

alertInfos/name for external alerts

IOC Alert (hardcoded) for IOC matches

detection/ruleName for rule detection alerts

FILE
SourceGroupingIdentifier Not available Not available
StartTime

timestamp for external alerts

lastSeenTime for IOC based alerts

timeWindow or startTime for rule based alerts

2020-10-12T16:31:49.019Z
EndTime

timestamp for external alerts

lastSeenTime for IOC based alerts

timeWindow or startTime for rule based alerts

2020-10-12T16:31:49.019Z
Chronicle Alert - Extensions

alert_type (alert_type) for all alerts

rule_id (ruleId), product_name (CSV of an event or a metadata or a productName value) for rule based alerts

alert_name (name), product_name (CSV of a UDM event or a metadata or a productName value) for external alerts

Not available
Chronicle Alert - Attachments Not available Not available

Events

Events for the Chronicle Alerts Connector include rule alerts, external alerts, and IOC alerts.

Rule alerts

An example of the rule alert is as follows:

{
    "alert_type": "RULE",
    "event_type": "NETWORK_DHCP",
    "type": "RULE_DETECTION",
    "detection": [
        {
            "ruleName": "d3_test",
            "urlBackToProduct": "https://demodev.backstory.chronicle.security/ruleDetections?ruleId=ru_74dd17e2-5aad-4053-acd7-958bead014f2&selectedList=RuleDetectionsViewTimeline&selectedParentDetectionId=de_b5dadaf4-b398-325f-9f09-833b71b3ffbb&selectedTimestamp=2022-02-08T05:02:36Z&versionTimestamp=2020-11-19T18:19:11.951951Z",
            "ruleId": "ru_74dd17e2-5aad-4053-acd7-958bead014f2",
            "ruleVersion": "ru_74dd17e2-5aad-4053-acd7-958bead014f2@v_1605809951_951951000",
            "alertState": "NOT_ALERTING",
            "ruleType": "SINGLE_EVENT",
            "ruleLabels": [
                {
                    "key": "author",
                    "value": "analyst123"
                },
                {
                    "key": "description",
                    "value": "8:00 AM local time"
                },
                {
                    "key": "severity",
                    "value": "Medium"
                }
            ]
        }
    ],
    "createdTime": "2022-02-08T06:07:33.944951Z",
    "id": "de_b5dadaf4-b398-325f-9f09-833b71b3ffbb",
    "timeWindow": {
        "startTime": "2022-02-08T05:02:36Z",
        "endTime": "2022-02-08T05:02:36Z"
    },
    "collectionElements": [
        {
            "references": [
                {
                    "event": {
                        "metadata": {
                            "eventTimestamp": "2022-02-08T05:02:36Z",
                            "eventType": "NETWORK_DHCP",
                            "productName": "Infoblox DHCP",
                            "ingestedTimestamp": "2022-02-08T05:03:03.892234Z"
                        },
                        "principal": {
                            "ip": [
                                "198.51.100.255",
                                "198.51.100.1"
                            ],
                            "mac": [
                                "01:23:45:ab:cd:ef"
                            ],
                            "email_address": [
                                "example@example.com"
                            ]
                        },
                        "target": {
                            "hostname": "dhcp_server",
                            "ip": [
                                "198.51.100.0",
                                "198.51.100.1"
                            ]
                        },
                        "network": {
                            "applicationProtocol": "DHCP",
                            "dhcp": {
                                "opcode": "BOOTREQUEST",
                                "ciaddr": "198.51.100.255",
                                "giaddr": "198.51.100.0",
                                "chaddr": "01:23:45:ab:cd:ef",
                                "type": "REQUEST",
                                "clientHostname": "example-user-pc",
                                "clientIdentifier": "AFm/LDfjAw=="
                            }
                        }
                    }
                }
            ],
            "label": "e"
        }
    ],
    "detectionTime": "2022-02-08T05:02:36Z"
}

External alerts

The example of an external alert is as follows:

{
    "alert_type": "External",
    "event_type": "GENERIC_EVENT",
    "name": "Authentication failure [32038]",
    "sourceProduct": "Internal Alert",
    "severity": "Medium",
    "timestamp": "2020-09-30T18:03:34.898194Z",
    "rawLog": "U2VwIDMwIDE4OjAzOjM0Ljg5ODE5NCAxMC4wLjI5LjEwOSBBdXRoZW50aWNhdGlvbiBmYWlsdXJlIFszMjAzOF0=",
    "uri": [
        "https://demodev.backstory.chronicle.security/assetResults?assetIdentifier=10.0.29.109&namespace=[untagged]&referenceTime=2020-09-30T18%3A03%3A34.898194Z&selectedList=AssetViewTimeline&startTime=2020-09-30T17%3A58%3A34.898194Z&endTime=2020-09-30T18%3A08%3A34.898194Z&selectedAlert=-610875602&selectedEventTimestamp=2020-09-30T18%3A03%3A34.898194Z"
    ],
    "event": {
        "metadata": {
            "eventTimestamp": "2020-09-30T18:03:34.898194Z",
            "eventType": "GENERIC_EVENT",
            "productName": "Chronicle Internal",
            "ingestedTimestamp": "2020-09-30T18:03:34.991592Z"
        },
        "target": [
            {
                "ip": [
                    "198.51.100.255",
                    "198.51.100.1"
                ]
            }
        ],
        "securityResult": [
            {
                "summary": "Authentication failure [32038]",
                "severityDetails": "Medium"
            }
        ]
    }
}

IOC Alerts

The example of an IOC alert is as follows:

{
    "alert_type": "IOC",
    "event_type": "IOC Alert",
    "artifact": {
        "domainName": "example.com"
    },
    "sources": [
        {
            "source": "Example List",
            "confidenceScore": {
                "normalizedConfidenceScore": "Low",
                "intRawConfidenceScore": 0
            },
            "rawSeverity": "High",
            "category": "Malware Command and Control Server"
        }
    ],
    "iocIngestTime": "2020-09-07T11:00:00Z",
    "firstSeenTime": "2018-10-03T00:01:59Z",
    "lastSeenTime": "2022-02-04T20:02:29.191Z",
    "uri": [
        "https://demodev.backstory.chronicle.security/domainResults?domain=example.com&selectedList=DomainViewDistinctAssets&whoIsTimestamp=2022-02-08T15%3A08%3A52.434022777Z"
    ]
}

Alerts Connector - Deprecated

Description

Pull asset alerts from Google SecOps SIEM and convert them into Google SecOps SOAR alerts.

Authentication

You can authenticate using the Google library with google.oauth2.service_account and AuthorizedSession.

API

Use the Google SecOps SIEM Search API.

Connector parameters

Parameter Type Default value Mandatory Description
Product Field Name String Product Name Yes Enter the source field name in order to retrieve the Product Field name.
Environment Field Name String "" No

The name of the field where the environment name is stored.

If the environment field isn't found, the environment is the default environment.

Environment Regex Pattern Optional

A regular expression pattern to run on the value found in the Environment Field Name field. This parameter lets you manipulate the environment field using the regular expression logic.

Use the default value .* to retrieve the required raw Environment Field Name value.

If the regular expression pattern is null or empty, or the environment value is null, the final environment result is the default environment.

Script Timeout (Seconds) Integer 180 Yes Timeout limit for the Python process running the current script.
Service Account Credentials Password Not applicable Yes A JSON-formatted string that acts as the access token.
Fetch Max hours Backwards Integer 1 No Number of hours where to fetch alerts from.

IoCs Connector - Deprecated

Description

Pull IOC Domain matches from Google SecOps SIEM and convert them into Google SecOps SOAR alerts.

Authentication

You can authenticate using the Google library and google.oauth2.service_account and AuthorizedSession.

API

Use Google SecOps SIEM Search API.

Connector parameters

| Parameter name | Type | Default value | Mandatory | Description |
|---|---|---|---|---|
| Product Field Name | String | Product Name | Yes | Enter the source field name to retrieve the Product Field name. |
| Environment Field Name | String | "" | No | The name of the field where the environment name is stored. If the environment field isn't found, the environment is the default environment. |
| Environment Regex Pattern | | .* | No | A regular expression pattern to run on the value found in the Environment Field Name field. This parameter lets you manipulate the environment field using regular expression logic. Use the default value .* to retrieve the required raw Environment Field Name value. If the regular expression pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
| Script Timeout (Seconds) | Integer | 180 | Yes | Timeout limit for the Python process running the current script. |
| Service Account Credentials | Password | Not applicable | Yes | A JSON formatted string that acts as an access token. |
| Fetch Max hours Backwards | Integer | 1 | No | Number of hours back from which to fetch alerts. |
| Max Alerts To Fetch | Integer | 50 | No | Number of alerts to process in one connector iteration. You can specify a number between 1 and 100,000. |
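The environment routing rules from the Environment Field Name and Environment Regex Pattern parameters above, as an added illustrative Python example; this is not the connector's own code. The event dictionary, the field names and the behaviour for a pattern that matches nothing are assumptions.

```python
import re
from typing import Any, Mapping, Optional

# Constructed default name; the job parameter tables in this document use "Default Environment".
DEFAULT_ENVIRONMENT = "Default Environment"


def resolve_environment(event: Mapping[str, Any],
                        environment_field_name: Optional[str],
                        environment_regex_pattern: Optional[str],
                        default_environment: str = DEFAULT_ENVIRONMENT) -> str:
    """Return the Google SecOps SOAR environment an ingested alert is routed to.

    Rules taken from the connector parameter descriptions:
      * the environment field is missing from the event        -> default environment
      * the regex pattern is null/empty, or the value is null  -> default environment
      * otherwise the regex is applied to the value; ".*" keeps the raw value
    Assumption (not stated in the document): a pattern that matches nothing, or
    matches only the empty string, also falls back to the default environment
    instead of routing the alert to an environment named "".
    """
    if not environment_field_name:
        return default_environment
    value = event.get(environment_field_name)
    if value is None or not environment_regex_pattern:
        return default_environment
    match = re.search(environment_regex_pattern, str(value))
    if match is None or match.group(0) == "":
        return default_environment
    return match.group(0)  # whole match; capturing groups are not special-cased here


# Constructed sample of the fields an alert event might carry.
SAMPLE_EVENT = {"Product Name": "Google Chronicle", "customer": "acme-prod"}

if __name__ == "__main__":
    for pattern in (".*", r"^[a-z]+", "", r"^\d+"):
        print(repr(pattern), "->", resolve_environment(SAMPLE_EVENT, "customer", pattern))
```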

Jobs

The Google Chronicle integration lets you use the following jobs:

Job configuration prerequisites

Before proceeding to the job configuration, configure the Chronicle Alerts Connector.

To configure Google Chronicle jobs, follow these steps:

  1. In Google SecOps SOAR, go to Response > Job Scheduler.

  2. Click Create New Job.

  3. In the Add Job dialog that appears, select the corresponding Google Chronicle job and click Save.

  4. Optional: Edit the job name and description, if necessary.

  5. In the Job Details section:

    • Make sure that GoogleChronicle is selected in the Integration field.
    • To automatically run the job at specified intervals, set up a scheduler interval. Configuring the scheduler is mandatory to complete the job configuration.

      Because Google Chronicle jobs can synchronize large amounts of data in one run, Google recommends that you set the scheduler interval to at least 2 minutes.

Google Chronicle Sync Data job

This job works with alerts created by the Chronicle Alerts Connector and the Chronicle Alerts Creator job, but not with alerts from deprecated connectors (Alerts Connector and IOCs Connector).

The Google Chronicle Sync Data job synchronizes updated Google SecOps alerts and cases managed in Google SecOps SOAR back to Google SecOps SIEM. Consequently, you can track the same information on both systems immediately after you make changes in Google SecOps SOAR.

Case and alerts data synchronization

The Google Chronicle Sync Data job tracks and synchronizes the following fields for cases:

| Tracked field | Synchronized field |
|---|---|
| Priority | Priority |
| Status | Status |
| Title | Title |
| Not applicable | Stage |
| Not applicable | Siemplify Case ID |

Siemplify Case ID is a unique case identifier in Google SecOps SOAR and Google SecOps SIEM.

The Google Chronicle Sync Data job tracks and synchronizes the following fields for alerts:

| Tracked field | Synchronized field |
|---|---|
| Priority | Priority |
| Status | Status |
| Case ID | Not applicable |
| Not applicable | Siemplify Alert ID |
| Not applicable | Siemplify Case ID |
| Not applicable | Verdict |
| Not applicable | Closure Comment |
| Not applicable | Closure Reason |
| Not applicable | Closure Root Cause |
| Not applicable | Usefulness |

Siemplify Alert ID is a unique alert identifier in Google SecOps SOAR.

In one iteration, the job synchronizes up to 1,000 cases and 1,000 alerts. The synchronization occurs within the Google SecOps SOAR environment that is specified in the job configuration. The synchronization mechanism ensures that a case from the specified environment cannot be synced with another environment.

Configure the Google Chronicle Sync Data job

This job only synchronizes Google SecOps SOAR cases that were ingested from Google SecOps SIEM.

Make sure you have completed the prerequisite steps before configuring the job.

To configure the Google Chronicle Sync Data job, follow these steps:

  1. In the Parameters section, configure the following parameters:

    | Parameter name | Type | Default value | Mandatory | Description |
    |---|---|---|---|---|
    | Environment | String | Default Environment | Yes | Name of the environment created in Google SecOps SOAR where you want to sync cases and alerts. |
    | API Root | String | https://backstory.googleapis.com | Yes | API root of the Google SecOps SIEM instance. Google SecOps provides regional endpoints for each API, for example https://europe-backstory.googleapis.com or https://asia-southeast1-backstory.googleapis.com. If you don't know which endpoint to use, [contact Cloud Customer Care](/chronicle/docs/getting-support). |
    | User's Service Account | Password | N/A | Yes | Service account of the Google SecOps SIEM instance. Copy the entire service account JSON file. |
    | Max Hours Backwards | Integer | 24 | No | Number of hours back from which to fetch alerts. Use only positive numbers. If you enter 0 or a negative number, an error is reported. If this parameter is empty, the job uses the default value. |
    | Verify SSL | Checkbox | Selected | Yes | If selected, Google SecOps verifies that the SSL certificate for the connection to the Google SecOps SIEM server is valid. We recommend that you select this option. |

    The Google Chronicle Sync Data job is enabled by default. This means that when you save the correctly configured job, it starts synchronizing data with Google SecOps SIEM immediately. To disable the job, switch the toggle next to the job name.

  2. To complete the configuration, click Save.

    If the Save button is inactive, make sure that you have set all mandatory parameters.

  3. Optional: To run the job immediately after saving, click Run Now.

    The Run Now option lets you trigger a single job run that synchronizes the current Google SecOps SOAR alerts and cases data with Google SecOps SIEM.

Log messages

The following table lists possible log messages for the Google Chronicle Data Sync job:

| Log entry | Type | Description |
|---|---|---|
| Unable to parse credentials as JSON. Please validate creds. | Error | The service account provided in the User's Service Account parameter is corrupted. |
| "Max Hours Backwards" parameter must be a positive number. | Error | The Max Hours Backwards parameter is set to 0 or a negative number. |
| Current platform version does not support SDK methods designed for Google SecOps. Please use version 6.1.33 or higher. | Error | The current Google SecOps SOAR platform instance version doesn't support the Chronicle Sync Data job script execution. This means that the instance's build version is older than 6.1.33. |
| Unable to connect to Google SecOps, please validate your credentials: CREDENTIALS | Error | The service account or API root values couldn't be validated against the Google SecOps SIEM instance. This error is reported if connectivity testing fails. |
| --- Start Processing Updated Cases --- | Info | The case processing loop has started running. |
| Last success time. Date time:DATE_AND_TIME. Unix:UNIX_EPOCH_TIME | Info | The timestamp of the last successful script execution for cases or alerts: DATE_AND_TIME is a date and time value, UNIX_EPOCH_TIME is a Unix epoch time value. |
| Key: "DATABASE_KEY" does not exist in the database. Returning default value instead: DEFAULT_VALUE | Info | The pending case or alert database key does not exist in the database. This log entry always appears in the first execution of the script. |
| Failed to parse data as JSON. Returning default value instead: "DEFAULT_VALUE". ERROR: ERROR | Error | The value retrieved from the database is not valid JSON. |
| Exception was raised from the database. ERROR: ERROR. | Error | There is a connection problem with the database. |
| Successfully loaded CASE_IDS pending IDs.<br>Successfully loaded ALERT_IDS pending alert IDs. | Info | The pending case or alert IDs have been successfully retrieved from the backlog. CASE_IDS is the number of case IDs retrieved. |
| Cases overload: case limit is 1000. NUMBER_OF_CASES cases will not be synced.<br>Alerts overload: alert limit is 1000. NUMBER_OF_ALERTS alerts will not be synced. | Error | The number of pending case or alert IDs fetched from the database is greater than the limit (1000). Any IDs over the limit are ignored. This error can indicate possible database corruption. |
| Found NUMBER_OF_UPDATED_CASES updated cases since last fetch time. | Info | The newly updated case or alert IDs were successfully fetched from the platform. |
| --- Start Updating Cases in Google SecOps ---<br>--- Start Processing Updated Alerts --- | Info | The update of cases and alerts in the Google SecOps SIEM instance has started. |
| Failed to update case CASE_ID. Reason: ERROR_REASON<br>Failed to update alert ALERT_ID. Reason: ERROR_REASON | Error | The specified case or alert cannot be synchronized with Google SecOps SIEM. |
| Max retries reached for case CASE_ID. Removing from backlog.<br>Max retries reached for alert ALERT_GROUP_ID. Removing from backlog. | Info | The specified pending case or alert has reached the sync retry limit (5) and is not inserted back into the backlog. |
| The following cases were not synced: CASE_IDS<br>The following alerts were not synced: ALERT_IDS | Info | The list of case or alert IDs that cannot be synchronized with Google SecOps SIEM. |
| Updated External Case IDs for the following cases: CASE_IDS | Info | The list of cases for which the job updated the matching Google SecOps SIEM external case ID in the Google SecOps SOAR platform. |
| Failed to update external ids. | Error | A problem with the SDK method or the connection prevented the job from updating external case IDs in the platform. |
| Failed to update cases in Google SecOps.<br>Failed to update alerts in Google SecOps. | Error | A terminating error prevented the case or alert processing loop from finishing naturally. The stack trace is printed after this log entry with the specific error. |
| --- Finished Updating Cases in Google SecOps ---<br>--- Finished Updating Alerts in Google SecOps --- | Info | The case and alert processing loop has finished, either naturally or with an error. |
| The following failed case ids were put in the backlog: CASE_IDS<br>The following failed alert ids were put in the backlog: ALERT_IDS | Error | The list of failed case or alert IDs with a retry count less than or equal to 5 that are written back to the backlog. |
| --- Finished Processing Updated Cases ---<br>--- Finished Processing Updated Alerts --- | Info | The case and alert processing stage has finished. |
| Saving timestamps. | Info | Saving the last successful case and alert update timestamps to the database. |
| Saving pending ids. | Info | Saving pending case and alert IDs to the database. |
| Got exception on main handler. Error: ERROR_REASON | Error | A general termination error has occurred. The stack trace is printed after this log entry with the specific error. |
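The backlog, retry-limit and 1,000-item overload behaviour that the log messages above describe, as an added illustrative Python model; this is not the Sync Data job's own code. The processing order under truncation and the exact retry-count comparison are assumptions, and update_fn stands in for the call that pushes one case or alert to Google SecOps SIEM.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

SYNC_LIMIT = 1000   # per-iteration cap on cases and on alerts (from the document)
MAX_RETRIES = 5     # sync retry limit before an ID leaves the backlog (from the document)


@dataclass
class SyncResult:
    synced: List[str] = field(default_factory=list)
    backlog: Dict[str, int] = field(default_factory=dict)  # id -> retry count to persist
    dropped: List[str] = field(default_factory=list)       # ids removed after max retries
    skipped_overload: int = 0                              # ids ignored beyond SYNC_LIMIT
    log: List[str] = field(default_factory=list)


def sync_iteration(pending: Dict[str, int], updated: List[str],
                   update_fn: Callable[[str], None], kind: str = "case") -> SyncResult:
    """One processing loop of the Sync Data job for `kind` ("case" or "alert").

    `pending` is the persisted backlog (id -> retry count), `updated` the IDs the
    platform reports as modified since the last success time, and `update_fn`
    pushes one ID to Google SecOps SIEM, raising on failure.
    Assumptions not stated in the document: backlog IDs are processed before newly
    updated ones when the limit truncates the list, and an ID is written back while
    its retry count after the current failure is <= MAX_RETRIES.
    """
    result = SyncResult()
    ids: List[Tuple[str, int]] = list(pending.items())
    ids += [(i, 0) for i in updated if i not in pending]
    if len(ids) > SYNC_LIMIT:
        result.skipped_overload = len(ids) - SYNC_LIMIT
        result.log.append(f"{kind.capitalize()}s overload: {kind} limit is {SYNC_LIMIT}. "
                          f"{result.skipped_overload} {kind}s will not be synced.")
        ids = ids[:SYNC_LIMIT]
    for ident, retries in ids:
        try:
            update_fn(ident)
            result.synced.append(ident)
        except Exception as exc:  # the job logs the reason and keeps processing
            result.log.append(f"Failed to update {kind} {ident}. Reason: {exc}")
            if retries + 1 > MAX_RETRIES:
                result.log.append(f"Max retries reached for {kind} {ident}. Removing from backlog.")
                result.dropped.append(ident)
            else:
                result.backlog[ident] = retries + 1
    if result.backlog:
        result.log.append(f"The following failed {kind} ids were put in the backlog: "
                          f"{sorted(result.backlog)}")
    return result


def make_updater(failing_ids: Set[str]) -> Callable[[str], None]:
    """Constructed stand-in for the SIEM update call: raises for the given IDs."""
    def update(ident: str) -> None:
        if ident in failing_ids:
            raise RuntimeError("SIEM rejected the update")
    return update


if __name__ == "__main__":
    # Constructed scenario: case-2 has already failed 5 times and fails again.
    res = sync_iteration({"case-2": 5}, ["case-1", "case-2", "case-3"], make_updater({"case-2"}))
    print(res.synced, res.dropped, res.backlog)
    for line in res.log:
        print(line)
```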

Google Chronicle Alerts Creator job

The Google Chronicle Alerts Creator job requires the Google SecOps platform version 6.2.30 or later.

This job creates all Google SecOps SOAR alerts, including overflow alerts, in Google SecOps SIEM. The Alerts Creator job doesn't replicate alerts that originated from Google SecOps.

The Alerts Creator job queries the SOAR platform using the Python SDK for non-synchronized alerts. The job sends non-synchronized alerts to SIEM individually. SIEM updates and returns the identifiers of the corresponding SIEM alerts, and SOAR saves the identifiers using the SOAR platform API through the Python SDK.

Relationship between the Google Chronicle jobs

A complete Google SecOps system runs the following three components concurrently:

  1. Chronicle Alerts Connector
  2. Data Sync job
  3. Alerts Creator job

The Data Sync job creates and synchronizes cases. It also synchronizes case and alert modifications, such as priority changes.

The Alerts Creator job generates all alerts, except SIEM alerts. The Data Sync job sends updates on unsynchronized alerts after the Alerts Creator job creates the alerts.

Case and alerts data synchronization

Cases are synchronized in the same manner as with the Sync job.

In Google SecOps SIEM, each alert is identified with a SIEM alert identifier. SOAR alerts can adopt a SIEM identifier in two scenarios:

  1. Alert is generated in SIEM.

    This alert already exists in Google SecOps SIEM and there is no need to duplicate it. The connector populates the siem_alert_id field.

  2. Alert is generated in third-party connectors.

    This alert does not exist in Google SecOps SIEM and requires running an explicit synchronization operation that the Alerts Creator Job is responsible for. Upon completing the synchronization operation, the alert acquires a new SIEM identifier.

Configure the Google Chronicle Alerts Creator job

Make sure you have completed the prerequisite steps before configuring the job.

To configure the Google Chronicle Alerts Creator job, follow these steps:

  1. Configure the job parameters from the following table:

    | Parameter name | Type | Default value | Is mandatory | Description |
    |---|---|---|---|---|
    | Environment | String | Default Environment | Yes | Name of the environment created in Google SecOps SOAR where you want to sync cases and alerts. |
    | API Root | String | https://backstory.googleapis.com | Yes | API root of the Google SecOps SIEM instance. Google SecOps provides regional endpoints for each API, for example https://europe-backstory.googleapis.com or https://asia-southeast1-backstory.googleapis.com. If you don't know which endpoint to use, [contact Cloud Customer Care](/chronicle/docs/getting-support). |
    | User's Service Account | Password | Not applicable | Yes | Service account of the Google SecOps SIEM instance. Copy the entire service account JSON file. |
    | Verify SSL | Checkbox | Selected | Yes | If selected, verifies that the SSL certificate for the connection to the Google SecOps SIEM server is valid. We recommend that you select this option. |

  2. To complete the configuration, click Save.

    If the Save button is inactive, make sure that you have set all mandatory parameters.

  3. Optional: To run the job immediately after saving, click Run Now.

    The Run Now option lets you trigger a single job run that synchronizes the current Google SecOps SOAR alerts and cases data with Google SecOps SIEM.

Log messages and error handling

| Log | Level | Description |
|---|---|---|
| Unable to parse credentials as JSON. Please validate creds. | ERROR | The service account provided in the User's Service Account parameter is corrupted. |
| Current platform version does not support SDK methods designed for Google Chronicle. Please use version 6.2.30 or later. | ERROR | The current Google SecOps SOAR platform instance version doesn't support the Google Chronicle Alerts Creator job script execution. This error means that the instance build version is earlier than 6.2.30. |
| Unable to connect to Google Chronicle, please validate your credentials: CREDENTIALS | ERROR | The service account or API root values cannot be validated against the Google SecOps SIEM instance. This error is reported if connectivity testing fails. |
| --------------- JOB STARTED --------------- | INFO | The job has started. |
| ----------------- Main - Started ----------------- | INFO | The main function has started. |
| Starting i + 1/MAXIMUM_ITERATIONS_NUMBER fetch attempt | INFO | The iteration number of the current consecutive fetch attempt. |
| Fetching up to BATCH_SIZE new alerts from the SOAR | INFO | The job retrieves no more than BATCH_SIZE new alerts from SOAR. |
| NUMBER_OF_NEW_ALERTS SOAR alerts were fetched | INFO | NUMBER_OF_NEW_ALERTS SOAR alerts were fetched. |
| No new SOAR alerts were found. Stopping... | INFO | No new SOAR alerts were found, and the job is stopping. |
| Fetched the following SOAR alerts: ID_LIST | INFO | The job fetched the SOAR alerts with the identifiers in ID_LIST. You can use this information to track the progress of the job and to troubleshoot issues. |
| Dispatching SOAR alerts to SIEM | INFO | The job is dispatching SOAR alerts to SIEM. |
| Failed to create alert ALERT_GROUP_ID in SIEM. Reason: ERROR_REASON | ERROR | The alert was not created in SIEM because of an error. |
| Updating SOAR with SIEM response | INFO | The job is updating SOAR with the SIEM response. |
| SOAR has failed updating the status of alert ALERT_ID | WARNING | SOAR was unable to update the synchronization status of the alert. |
| Total of NUMBER_OF_SYNCED_ALERTS alerts were synced in this run | INFO | A total of NUMBER_OF_SYNCED_ALERTS alerts were synced in the current run. |
| --------------- JOB FINISHED --------------- | INFO | The job has finished. |
| Got exception on main handler. Error: ERROR_REASON | ERROR | An exception occurred in the main function. The exception message is included in the log message. |
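The fetch-dispatch-update loop that the Alerts Creator log messages above describe, together with the two siem_alert_id scenarios from the "Case and alerts data synchronization" section, as an added illustrative Python model; this is not the job's own code. The SoarAlert class, create_in_siem, the batch size and iteration count, and the rule that a failed alert is not re-fetched within the same run are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass
class SoarAlert:
    alert_id: str
    siem_alert_id: Optional[str] = None  # populated by the connector for SIEM-originated alerts


def run_alerts_creator(alerts: List[SoarAlert],
                       create_in_siem: Callable[[SoarAlert], str],
                       batch_size: int = 100, max_iterations: int = 10) -> Dict[str, object]:
    """Model of one Alerts Creator run following the log messages in the document.

    Only alerts without a siem_alert_id (scenario 2, third-party connectors) are
    fetched; SIEM-originated alerts (scenario 1) already carry one and are skipped.
    `create_in_siem` stands in for the SIEM call and returns the new SIEM alert ID.
    Assumption not stated in the document: an alert whose creation fails is not
    re-fetched within the same run, so a persistent failure cannot loop forever.
    """
    log: List[str] = ["--------------- JOB STARTED ---------------"]
    failed: Set[str] = set()
    total_synced = 0
    for i in range(max_iterations):
        log.append(f"Starting {i + 1}/{max_iterations} fetch attempt")
        log.append(f"Fetching up to {batch_size} new alerts from the SOAR")
        batch = [a for a in alerts
                 if a.siem_alert_id is None and a.alert_id not in failed][:batch_size]
        if not batch:
            log.append("No new SOAR alerts were found. Stopping...")
            break
        log.append(f"{len(batch)} SOAR alerts were fetched")
        log.append("Dispatching SOAR alerts to SIEM")
        for alert in batch:
            try:
                siem_id = create_in_siem(alert)
            except Exception as exc:
                log.append(f"Failed to create alert {alert.alert_id} in SIEM. Reason: {exc}")
                failed.add(alert.alert_id)
                continue
            alert.siem_alert_id = siem_id  # "Updating SOAR with SIEM response"
            total_synced += 1
    log.append(f"Total of {total_synced} alerts were synced in this run")
    log.append("--------------- JOB FINISHED ---------------")
    return {"synced": total_synced, "failed": sorted(failed), "log": log}


def fake_siem_create(rejected: Set[str]) -> Callable[[SoarAlert], str]:
    """Constructed stand-in for SIEM alert creation; rejects the given alert IDs."""
    def create(alert: SoarAlert) -> str:
        if alert.alert_id in rejected:
            raise ValueError("invalid alert payload")
        return f"siem-{alert.alert_id}"
    return create


if __name__ == "__main__":
    # Constructed sample: a1 came from SIEM, a2..a4 from a third-party connector.
    sample = [SoarAlert("a1", "siem-existing"), SoarAlert("a2"), SoarAlert("a3"), SoarAlert("a4")]
    print(run_alerts_creator(sample, fake_siem_create({"a3"}), batch_size=2, max_iterations=5))
```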

Use cases

The Google Chronicle integration lets you run the following use cases:

  • Chronicle Windows Threats Investigation and Response
  • Security Command Center and Chronicle Cloud DIR

Install the use case

  1. In the Google SecOps Marketplace, go to the Use Cases tab.

  2. In a search field, enter the use case name.

  3. Click the use case.

  4. Follow the configuration steps and instructions in the installation wizard.

When the wizard finishes, all of the required components are installed on your Google SecOps SOAR machine. To finalize the installation, configure the Initialization block in the playbook that corresponds to your use case.

Chronicle Windows Threats Investigation & Response

Use the power of Google SecOps to respond in real time to Windows threats in your environment. Using Threat Intelligence for Google SecOps, security teams can take advantage of a high-fidelity threat intelligence service together with Google SecOps SOAR. Real threats in your environment can now be automatically triaged and remediated in a short and effective timeframe.

  1. In Google SecOps SOAR, go to Response > Playbooks.

  2. Select the Google Chronicle - Windows Threats Investigation & Response playbook. The playbook opens in the playbook designer view.

  3. Double-click Set Initialization Block_1. The block configuration dialog opens.

  4. To configure the playbook, use the following parameters:

    | Input parameter | Possible values | Description |
    |---|---|---|
    | edr_product | Crowdstrike, Carbon Black, None | The EDR product to use in the playbook. |
    | itsm_product | Service Now, Jira, ZenDesk, None | The ITSM product to use in the playbook. Jira requires additional configuration in the Open Ticket block. |
    | crowdstrike_use_spotlight | True or False | If True, the playbook executes Crowdstrike actions that require a Spotlight license (vulnerability information). |
    | use_mandiant | True or False | If True, the playbook executes the Mandiant block. |
    | slack_user | Username or Email Address | The username or email address of the Slack user. If none is provided, the playbook skips Slack blocks. |

  5. Click Save. The block configuration dialog closes.

  6. In the playbook designer pane, click Save.

To test the playbook in the use case, ingest the test case included in the package. Some test case capabilities can fail because the data used for testing are unavailable in your environment.

Security Command Center and Chronicle Cloud DIR

Integrate Security Command Center with Google SecOps SIEM to let your analysts investigate incidents and threats that Security Command Center detects.

Configure the use case

The use case requires you to configure the following integrations:

The Google Security Command Center and Mandiant integrations are optional.

Make sure that you have installed the use case before configuring it.

  1. In Google SecOps SOAR, go to the Playbooks tab.
  2. Select the SCC & Chronicle Cloud DIR playbook.
  3. Double-click the Initialization block to configure it.
  4. Configure the playbook using the following parameters:

    | Parameter name | Parameter type | Possible values | Description |
    |---|---|---|---|
    | Mandiant_Enrichment | Bool | True or False | If True, the playbook uses Mandiant for additional enrichment. The Mandiant integration needs to be configured for this setup. You can remove the enrichment if you rarely get meaningful information. Removing the enrichment block improves the execution speed of the playbook. |
    | SCC_Enrichment | Bool | True or False | If True, the playbook uses Security Command Center capabilities for additional enrichment. The Security Command Center integration must be configured for this setup. You can remove the enrichment if you rarely get meaningful information. Removing the enrichment block improves the execution speed of the playbook. |
    | IAM_Enrichment | Bool | True or False | If True, the playbook uses the IAM capabilities for additional enrichment. You can remove the enrichment if you rarely get meaningful information. Removing the enrichment block improves the execution speed of the playbook. |
    | Compute_Enrichment | Bool | True or False | If True, the playbook uses Compute Engine capabilities for additional enrichment. You can remove the enrichment if you rarely get meaningful information. Removing the enrichment block improves the execution speed of the playbook. |