Google Cloud API

This document provides guidance to help you configure and integrate Google Cloud API with Google Security Operations SOAR.

Integrate Google Cloud API with Google SecOps SOAR

The integration requires the following parameters:

Parameters Description
Test URL Optional

A test URL for validating the authentication to the Google Cloud API. This parameter uses a GET request.

Service Account Json File Content Optional

The content of the service account key JSON file.

You can configure either this parameter, the Workload Identity Email parameter, or set all the preceding integration parameters.

To configure this parameter, provide the full content of the service account key JSON file that you have downloaded when creating a service account.

For more information about using service accounts as an authentication method, see Service accounts overview.

In this integration, authenticating with the service account key JSON file has a priority over the Workload Identity Federation.

Organization ID Optional

The organization ID to use in the integration.

To retrieve the value from this parameter during the action execution, set the following placeholder: {{org_id}}.

Project ID Optional

The project ID to use in the integration.

To retrieve the value from this parameter during the action execution, set the following placeholder: {{project_id}}.

Quota Project ID Optional

The Google Cloud project ID which you use for Google Cloud APIs and billing. This parameter requires you to grant the Service Usage Consumer role to your service account.

The integration attaches this parameter value to all API requests.

If you do not set a value for this parameter, the integration retrieves the project ID from your Google Cloud service account.

Workload Identity Email Optional

The client email address of your Workload Identity Federation.

You can configure either this parameter or the Service Account Json File Content parameter.

In this integration, authenticating with the service account key JSON file has priority over the Workload Identity Federation.

To impersonate service accounts with the Workload Identity Federation, grant the Service Account Token Creator role to your service account. For more details about workload identities and how to work with them, see Identities for workloads.

OAuth Scopes Optional

A comma-separated list of OAuth scopes that are required to execute the Google Cloud API requests.

Verify SSL Required

If selected, the integration verifies that the SSL certificate for connecting to the Google Cloud service is valid.

Selected by default.

For instructions about configuring an integration in Google SecOps, see Configure integrations.

You can make changes at a later stage if needed. After you configure an integration instance, you can use it in playbooks. For more information about configuring and supporting multiple instances, see Supporting multiple instances.

Actions

The Google Cloud API integration includes the following actions:

Execute HTTP Request

Use the Execute HTTP Request action to execute an HTTP request.

This action doesn't run on Google SecOps entities.

Action inputs

The Execute HTTP Request action requires the following parameters:

Parameter Description
Method Optional

A method to use in the request.

The default value is GET.

Possible values are:
  • GET
  • POST
  • PUT
  • PATCH
  • DELETE
  • HEAD
  • OPTIONS
URL Path Optional

A URL to execute.

The default value is https://.

URL Params Optional

The URL parameters.

The action uses any value provided alongside the values that you directly provided in the URL Path parameter.

This parameter requires the JSON object format as an input. The default value is as follows:

{
    "URL Field Name": "URL_FIELD_VALUE"
    }
Headers Optional

Headers to use in the HTTP request.

This parameter requires the JSON object format as an input. The default value is as follows:

{
    "Content-Type": "application/json; charset=utf-8",
    "Accept": "application/json",
    "User-Agent" : "GoogleSecOps"
    }
Cookie Optional

The parameters to use in the Cookie header.

This parameter overwrites cookies provided in the Headers parameter.

This parameter requires the JSON object format as an input. The default value is as follows:

{
    "Cookie_1": "COOKIE_1_VALUE"
    }
Body Payload
Optional

A body for the HTTP request. The action constructs different payloads depending on the Content-Type header value provided in the Headers parameter.

This parameter requires the JSON object format as an input except when a third-party product requires XML or the multipart/form-data content. If you submit or upload a file using the API request, provide the base64-encoded version of the file in the Body Payload parameter and set the header to "Content-type": "multipart/form-data".

The default value is as follows:

{
    "Body Field Name": "BODY_FIELD_VALUE"
    }
Expected Response Values Optional

The expected response values.

If you configure this parameter, the action works in an asynchronous mode and executes until receiving the expected values or reaching a timeout.

Save To Case Wall Optional

If selected, the action saves the file and attaches the saved file to the case wall. The file is archived with the .zip extension. The .zip file isn't password-protected.

Not selected by default.

Password Protect Zip Optional

If selected, the action adds a password to the .zip file created using the Save To Case Wall parameter. The password is as follows: infected.

Use this parameter when working with suspicious files.

Selected by default.

Follow Redirects Optional

If selected, the action follows the redirects.

Selected by default.

Fail on 4xx/5xx Optional

If selected, the action fails if the status code of the response is 4xx or 5xx errors.

Selected by default.

Base64 Output Optional

If selected, the action converts the response to the base64 format.

Use this parameter when downloading files.

The JSON result cannot exceed 15 MB.

Not selected by default.

Fields To Return Required

The fields to return. The possible values are as follows:

  • response_data
  • redirects
  • response_code
  • response_cookies
  • response_headers
  • apparent_encoding
Request Timeout Required

A period to wait for the server to send data before the action fails.

The default value is 120 seconds.

Action outputs

The Execute HTTP Request action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Available
Output messages Available
Script result Available
JSON result

The following example describes the JSON result output received when using the Execute HTTP Request action:

{
   "response_data": {
       "data": {
           "relationships": {
               "comment": [
                   {
                       "name": "item",
                       "description": "Object to which the comment belongs to."
                   },
                   {
                       "name": "author",
                       "description": "User who wrote the comment."
                   }
               ]
           }
       }
   },
   "redirects": [],
   "response_code": 200,
   "cookies": {},
   "response_headers": {
       "Content-Type": "application/json",
       "X-Cloud-Trace-Context": "VALUE",
       "Date": "Fri, 03 Nov 2023 16:14:13 GMT",
       "Server": "Google Frontend",
       "Content-Length": "36084"
   },
   "apparent_encoding": "ascii"
}
Output messages

The Execute HTTP Request action provides the following output messages:

Output message Message description

Successfully executed API request.

Successfully executed API request, but the status code {4xx/5xx} was returned. Please check the request or try again later.

The action succeeded.
Failed to execute API request. Error: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table describes the values for the script result output when using the Execute HTTP Request action:

Script result name Value
is_success True or False

Ping

Use the Ping action to test connectivity to Google Cloud.

This action doesn't run on Google SecOps entities.

Action inputs

None.

Action outputs

The Ping action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Available
Output messages Available
Script result Available
JSON result

The following example describes the JSON result output received when using the Ping action:

{
"endpoint": "TEST_URL"
}
Output messages

The Ping action provides the following output messages:

Output message Message description
Successfully tested connectivity. The action succeeded.
Failed to test connectivity.

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table describes the values for the script result output when using the Ping action:

Script result name Value
is_success True or False