Google Cloud API
This document provides guidance to help you configure and integrate Google Cloud API with Google Security Operations SOAR.
Integrate Google Cloud API with Google SecOps SOAR
The integration requires the following parameters:
| Parameters | Description |
|---|---|
Test URL |
Optional A test URL for validating the authentication to the Google Cloud API. This parameter uses a GET request. |
Service Account Json File Content |
Optional The content of the service account key JSON file. You can configure either this parameter, the To configure this parameter, provide the full content of the service account key JSON file that you have downloaded when creating a service account. For more information about using service accounts as an authentication method, see Service accounts overview. In this integration, authenticating with the service account key JSON file has a priority over the Workload Identity Federation. |
Organization ID |
Optional The organization ID to use in the integration. To retrieve the value from this parameter during the action execution,
set the following placeholder: |
Project ID |
Optional The project ID to use in the integration. To retrieve the value from this parameter during the action execution,
set the following placeholder:
|
Quota Project ID |
Optional The Google Cloud project ID which you use for
Google Cloud APIs and billing. This parameter requires you to grant
the The integration attaches this parameter value to all API requests. If you do not set a value for this parameter, the integration retrieves the project ID from your Google Cloud service account. |
Workload Identity Email |
Optional The client email address of your Workload Identity Federation. You can configure either this parameter or the In this integration, authenticating with the service account key JSON file has priority over the Workload Identity Federation. To impersonate service accounts with the Workload Identity Federation,
grant the |
OAuth Scopes |
Optional A comma-separated list of OAuth scopes that are required to execute the Google Cloud API requests. |
Verify SSL |
Required If selected, the integration verifies that the SSL certificate for connecting to the Google Cloud service is valid. Selected by default. |
For instructions about configuring an integration in Google SecOps, see Configure integrations.
You can make changes at a later stage if needed. After you configure an integration instance, you can use it in playbooks. For more information about configuring and supporting multiple instances, see Supporting multiple instances.
Actions
The Google Cloud API integration includes the following actions:
Execute HTTP Request
Use the Execute HTTP Request action to execute an HTTP request.
This action doesn't run on Google SecOps entities.
Action inputs
The Execute HTTP Request action requires the following parameters:
| Parameter | Description |
|---|---|
Method |
Optional A method to use in the request. The default
value is
|
URL Path |
Optional A URL to execute. The default value is
|
URL Params |
Optional The URL parameters. The action uses any value provided alongside the values that you directly provided in the URL Path parameter. This parameter requires the JSON object format as an input. The default value is as follows: {
"URL Field Name": "URL_FIELD_VALUE"
} |
Headers |
Optional Headers to use in the HTTP request. This parameter requires the JSON object format as an input. The default value is as follows: {
"Content-Type": "application/json; charset=utf-8",
"Accept": "application/json",
"User-Agent" : "GoogleSecOps"
} |
Cookie |
Optional The parameters to use in the This parameter overwrites cookies provided in the Headers parameter. This parameter requires the JSON object format as an input. The default value is as follows: {
"Cookie_1": "COOKIE_1_VALUE"
} |
|
Optional
A body for the HTTP request. The action constructs different
payloads depending on the This parameter requires the JSON object format as an input except when a
third-party product requires XML or the The default value is as follows: {
"Body Field Name": "BODY_FIELD_VALUE"
} |
Expected Response Values |
Optional The expected response values. If you configure this parameter, the action works in an asynchronous mode and executes until receiving the expected values or reaching a timeout. |
Save To Case Wall |
Optional If selected, the action saves the file and attaches
the saved file to the case wall. The file is archived with the
Not selected by default. |
Password Protect Zip |
Optional If selected, the action adds a password to
the Use this parameter when working with suspicious files. Selected by default. |
Follow Redirects |
Optional If selected, the action follows the redirects. Selected by default. |
Fail on 4xx/5xx |
Optional If selected, the action fails if the status code of the response is 4xx or 5xx errors. Selected by default. |
Base64 Output |
Optional If selected, the action converts the response to the base64 format. Use this parameter when downloading files. The JSON result cannot exceed 15 MB. Not selected by default. |
Fields To Return |
Required The fields to return. The possible values are as follows:
|
Request Timeout |
Required A period to wait for the server to send data before the action fails. The default value is 120 seconds. |
Action outputs
The Execute HTTP Request action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example describes the JSON result output received when using the Execute HTTP Request action:
{
"response_data": {
"data": {
"relationships": {
"comment": [
{
"name": "item",
"description": "Object to which the comment belongs to."
},
{
"name": "author",
"description": "User who wrote the comment."
}
]
}
}
},
"redirects": [],
"response_code": 200,
"cookies": {},
"response_headers": {
"Content-Type": "application/json",
"X-Cloud-Trace-Context": "VALUE",
"Date": "Fri, 03 Nov 2023 16:14:13 GMT",
"Server": "Google Frontend",
"Content-Length": "36084"
},
"apparent_encoding": "ascii"
}
Output messages
The Execute HTTP Request action provides the following output messages:
| Output message | Message description |
|---|---|
|
The action succeeded. |
Failed to execute API request. Error:
ERROR_REASON |
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table describes the values for the script result output when using the Execute HTTP Request action:
| Script result name | Value |
|---|---|
is_success |
True or False |
Ping
Use the Ping action to test connectivity to Google Cloud.
This action doesn't run on Google SecOps entities.
Action inputs
None.
Action outputs
The Ping action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example describes the JSON result output received when using the Ping action:
{
"endpoint": "TEST_URL"
}
Output messages
The Ping action provides the following output messages:
| Output message | Message description |
|---|---|
Successfully tested connectivity. |
The action succeeded. |
Failed to test connectivity. |
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table describes the values for the script result output when using the Ping action:
| Script result name | Value |
|---|---|
is_success |
True or False |