Integrate Compute Engine with Google SecOps
Integration version: 13.0
This document provides guidance on how to integrate Compute Engine with Google Security Operations (Google SecOps).
Use cases
The integration for Compute Engine helps you solve the following use cases:
Automated incident response: use Google SecOps capabilities to automatically isolate an instance from the network using playbooks upon detecting a compromised Compute Engine instance. Isolating an instance limits the spread of the attack and reduces potential damage. An automated incident response helps you accelerate the incident response time and reduces the workload on your security team.
Threat hunting and investigation: use Google SecOps capabilities to automate the collection of logs and security telemetry from Compute Engine instances across multiple projects. You can analyze the collected data for suspicious activity and potential threats to proactively hunt threats and speed up investigations by automating data collection.
Vulnerability management: integrate vulnerability scanning tools with Google SecOps to automatically scan Compute Engine instances for known vulnerabilities. You can use Google SecOps capabilities to automatically generate tickets for remediation or even patch the vulnerabilities directly to reduce the risk of exploitation and improve the security posture of your organization.
Compliance automation: use Google SecOps capabilities to automate the collection of audit logs and configuration data from Compute Engine instances and comply with regulatory requirements. You can use collected data to generate reports and dashboards for auditors to simplify compliance reporting and reduce the manual effort required to analyze data.
Security orchestration: orchestrate security workflows across multiple Google Cloud services, including Compute Engine. For example, Google SecOps can trigger the creation of a new firewall rule in response to a security event detected on a Compute Engine instance. The security orchestration provides you with a more coordinated and automated security posture by integrating different security tools and services.
Before you begin
To use the integration, you need a custom Identity and Access Management (IAM) role and a Google Cloud service account. You can use an existing service account or create a new one.
Create and configure the IAM role
To create a and configure a custom IAM role for the integration, complete the following steps:
In the Google Cloud console, go to the IAM Roles page.
Click Create role to create a custom role with permissions required for the integration.
For a new custom role, provide the Title, Description, and a unique ID.
Set the Role Launch Stage to General Availability.
Add the following permissions to the created role:
compute.instances.list
compute.instances.start
compute.instances.stop
compute.instances.delete
compute.instances.setLabels
compute.instances.getIamPolicy
compute.instances.setIamPolicy
compute.instances.get
compute.zones.list
Create a service account
For guidance on creating a service account, see Create service accounts. Make sure to grant your custom IAM role to the service account under Grant this service account access to project.
If you use a service account to authenticate to Google Cloud, you can create a service account key in JSON and provide the content of the downloaded JSON file when configuring the integration parameters.
For security reasons, we recommend using a workload identity email address instead of a service account key. For more information about the workload identities, see Identities for workloads.
Integration parameters
The Compute Engine integration requires the following parameters:
Parameters | Description |
---|---|
Account Type |
Optional The type of Google Cloud account. Provide the value that is set in the The default value is
|
Project ID |
Optional The project ID of the Google Cloud account. Provide the value that is set in the |
Private Key ID |
Optional The private key ID of the Google Cloud account. Provide the value that is set in the
|
Private Key |
Optional The private key of the Google Cloud account. Provide the value that is set in the |
Client Email |
Optional The client email address of the Google Cloud account. Provide the value that is set in the
|
Client ID |
Optional The client ID of the Google Cloud account. Provide the value that is set in the |
Auth URI |
Optional The authentication URI of the Google Cloud account. Provide the value that is set in the The default value is
|
Token URI |
Optional The token URI of the Google Cloud account. Provide the value that is set in the The default value is
|
Auth Provider X509 URL |
Optional The authentication provider X.509 URL of the Google Cloud account. Provide the value that is set in the
The default value is
|
Client X509 URL |
Optional The client X.509 URL of the Google Cloud account. Provide the value that is set in the
|
User Service Account JSON |
Optional The content of the service account key JSON file. You can configure this parameter or the To configure this parameter, provide the full content of the service account key JSON file that you have downloaded when creating a service account. |
Workload Identity Email |
Optional The client email address of your Workload Identity Federation. You can configure this parameter or the To impersonate service accounts with the Workload Identity Federation,
grant the |
For instructions about configuring an integration in Google SecOps, see Configure integrations.
You can make changes at a later stage if needed. After you configure an integration instance, you can use it in playbooks. For more information about configuring and supporting multiple instances, see Supporting multiple instances.
Actions
For more information about actions, see Respond to pending actions from your workdesk and Perform a manual action.
Add IP To Firewall Rule
Use the Add IP To Firewall Rule action to
This action doesn't run on Google SecOps entities.
Action inputs
The Add IP To Firewall Rule action requires the following parameters:
Parameter | Description |
---|---|
Resource Name |
Optional The full resource name of the Compute Engine
instance, such as
This parameter has a
priority over the |
Project ID |
Optional The project name of the Compute Engine instance. If you don't set a value, the action retrieves the project name from the integration configuration. |
Firewall Rule |
Optional The name of the firewall rule to update. |
Type |
Required The type of the IP address range to add. The possible values are The default value is |
IP Ranges |
Required The list of IP address ranges to add to the firewall rule. |
Action outputs
The Add IP To Firewall Rule action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Available |
Script result | Available |
Output messages
The Add IP To Firewall Rule action can return the following output messages:
Output message | Message description |
---|---|
|
The action succeeded. |
Error executing action "AAdd IP To Firewall Rule". Reason:
ERROR_REASON |
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Add IP To Firewall Rule action:
Script result name | Value |
---|---|
is_success |
True or False |
Add Labels to Instance
Use the Add Labels to Instance action to add labels to the Compute Engine instance.
This action doesn't run on Google SecOps entities.
Action inputs
The Add Labels to Instance action requires the following parameters:
Parameters | Description |
---|---|
Resource Name |
Optional The resource name for the Compute Engine instance. This parameter has higher priority over the combination of
the Provide the parameter value in
the following format: |
Project ID |
Optional The name of the project for your Compute Engine instance. If you set no value for this parameter, the integration retrieves the project ID from your Google Cloud service account. |
Instance Zone |
Optional The name of an instance zone to search for instances in. |
Instance ID |
Optional The ID of the instance to start. You can retrieve the instance ID using the List Instances action. |
Instance Labels |
Required The instance label to add to an instance. To configure this parameter, set the value in a following format:
This parameter accepts multiple values as a comma-separated string. |
Action outputs
The Add Labels to Instance action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example describes the JSON result output received when using the Add Labels to Instance action:
{
"id": "ID",
"name": "operation-OPERATION_ID",
"zone": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a",
"operationType": "setLabels",
"targetLink": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a/instances/INSTANCE_ID",
"targetId": "INSTANCE_ID",
"status": "RUNNING",
"user": "user@example.com",
"progress": 0,
"insertTime": "2021-04-28T23:01:29.395-07:00",
"startTime": "2021-04-28T23:01:29.397-07:00",
"selfLink": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a/operations/operation-OPERATION_ID",
"kind": "compute#operation"
}
Output messages
The Add Labels to Instance action can return the following output messages:
Output message | Message description |
---|---|
|
Action succeeded. |
Error executing action "Add Labels to Instance". Reason:
ERROR_REASON |
Action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Add Labels to Instance action:
Script result name | Value |
---|---|
is_success |
True or False |
Add Network Tags
Use the Add Network Tags action to add network tags to the Compute Engine instance.
This action is asynchronous. Adjust the script timeout value in the Google SecOps integrated development environment (IDE) for the action as needed.
This action doesn't run on Google SecOps entities.
Action inputs
The Add Network Tags action requires the following parameters:
Parameter | Description |
---|---|
Resource Name |
Optional The full resource name of the Compute Engine
instance, such as
This parameter has a
priority over the |
Project ID |
Optional The project name of the Compute Engine instance. If you don't set a value, the action retrieves the project name from the integration configuration. |
Instance Zone |
Optional The zone name of the Compute Engine instance. This parameter is required if you configure the
Compute Engine instance using the |
Instance ID |
Optional The Compute Engine instance ID. This
parameter is required if you configure the Compute Engine instance
using the |
Network Tags |
Required A comma-separated list of network tags to add to the Compute Engine instance. This parameter only accepts tags that contain lowercase letters, numbers, and hyphens. |
Action outputs
The Add Network Tags action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Available |
Script result | Available |
Output messages
The Add Network Tags action can return the following output messages:
Output message | Message description |
---|---|
|
The action succeeded. |
Error executing action "Add Network Tags". Reason:
ERROR_REASON |
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Add Network Tags action:
Script result name | Value |
---|---|
is_success |
True or False |
Delete Instance
Use the Delete Instance action to delete Compute Engine instances.
This action doesn't run on Google SecOps entities.
Action inputs
The Delete Instance action requires the following parameters:
Parameters | Description |
---|---|
Resource Name |
Optional The resource name for the Compute Engine instance. This parameter has higher priority over the combination of
the Provide the parameter value in
the following format: |
Project ID |
Optional The name of the project for your Compute Engine instance. If you set no value for this parameter, the integration retrieves the project ID from your Google Cloud service account. |
Instance Zone |
Optional The name of an instance zone to search for instances in. |
Instance ID |
Optional The ID of the instance to start. You can retrieve the instance ID using the List Instances action. |
Action outputs
The Delete Instance action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example describes the JSON result output received when using the Delete Instance action:
{
"id": "ID",
"name": "operation-OPERATION_ID",
"zone": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a",
"operationType": "delete",
"targetLink": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a/instances/INSTANCE_ID",
"targetId": "INSTANCE_ID",
"status": "RUNNING",
"user": "user@example.com",
"progress": 0,
"insertTime": "2021-04-28T23:01:29.395-07:00",
"startTime": "2021-04-28T23:01:29.397-07:00",
"selfLink": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a/operations/operation-OPERATION_ID",
"kind": "compute#operation"
}
Output messages
The Delete Instance action can return the following output messages:
Output message | Message description |
---|---|
|
Action succeeded. |
|
Action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Delete Instance action:
Script result name | Value |
---|---|
is_success |
True or False |
Enrich Entities
Use the Enrich Entities action to enrich Google SecOps
IP Address
entities with the instance information from Compute Engine.
This action doesn't run on Google SecOps entities.
Action inputs
The Enrich Entities action requires the following parameters:
Parameters | Description |
---|---|
Project ID |
Optional The name of the project for your Compute Engine instance. If you set no value for this parameter, the integration retrieves the project ID from your Google Cloud service account. |
Instance Zone |
Optional The name of an instance zone to search for instances in. |
Action outputs
The Enrich Entities action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Available |
Enrichment table | Available |
JSON result | Available |
Output messages | Available |
Script result | Available |
Case wall table
After completing execution, the Enrich Entities action provides the following table:
Table name: ENTITY Enrichment Table
Columns:
- Entity Field
- Value
Enrichment table
The Enrich Entities action supports the following entity enrichment:
Enrichment field | Source (JSON key) | Logic |
---|---|---|
Google_Compute_instance_id |
id |
Not available |
Google_Compute_creation_timestamp |
creationTimestamp |
Not available |
Google_Compute_instance_name |
name |
Not available |
Google_Compute_description |
description |
Not available |
Google_Compute_tags |
tags |
Provide the tags in a CSV list |
Google_Compute_machine_type |
machineType |
Not available |
Google_Compute_instance_status |
status |
Not available |
Google_Compute_instance_zone |
zone |
Not available |
Google_Compute_can_ip_forward |
canIpForward |
Not available |
Google_Compute_instance_network_interfaces_name_INDEX
|
networkInterfaces.name |
Expand if there are more network interfaces available |
Google_Compute_instance_network_interfaces_name_access_configs_type_INDEX |
networkInterfaces.accessConfigs.type |
Expand if there are more network interfaces available |
Google_Compute_instance_network_interfaces_name_access_configs_name_INDEX |
networkInterfaces.accessConfigs.name |
Expand if there are more network interfaces available |
Google_Compute_instance_network_interfaces_name_access_configs_natIP_INDEX |
networkInterfaces.accessConfigs.natIP |
Expand if there are more network interfaces available |
Google_Compute_instance_metadata |
metadata |
CSV list of values from instance metadata |
Google_Compute_service_account_INDEX
|
serviceAccounts.email |
Expand if there are more service accounts available |
Google_Compute_service_account_scopes_INDEX
|
serviceAccounts.scopes |
Expand if there are more service accounts available |
Google_Compute_link_to_Google_Compute |
selfLink |
Not available |
Google_Compute_labels |
labels |
Provide a CSV list of values |
Google_Compute_instance_last_start_timestamp |
lastStartTimestamp |
Not available |
Google_Compute_instance_last_stop_timestamp |
lastStopTimestamp |
Not available |
JSON result
The following example describes the JSON result output received when using the Enrich Entities action:
{
"id": "ID",
"creationTimestamp": "2021-04-28T21:34:57.369-07:00",
"name": "instance-1",
"description": "",
"tags": {
"fingerprint": "VALUE"
},
"machineType": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a/machineTypes/f1-micro",
"status": "RUNNING",
"zone": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a",
"canIpForward": false,
"networkInterfaces": [
{
"network": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/default",
"subnetwork": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/subnetworks/default",
"networkIP": "203.0.113.2",
"name": "example",
"accessConfigs": [
{
"type": "ONE_TO_ONE_NAT",
"name": "External NAT",
"natIP": "198.51.100.59",
"networkTier": "PREMIUM",
"kind": "compute#accessConfig"
}
],
"fingerprint": "VALUE",
"kind": "compute#networkInterface"
}
],
"disks": [
{
"type": "PERSISTENT",
"mode": "READ_WRITE",
"source": "https://www.googleapis.com/compute/v1/PROJECT_ID/zones/us-central1-a/disks/instance-1",
"deviceName": "instance-1",
"index": 0,
"boot": true,
"autoDelete": true,
"licenses": [
"https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/licenses/LICENSE"
],
"interface": "SCSI",
"guestOsFeatures": [
{
"type": "UEFI_COMPATIBLE"
},
{
"type": "VIRTIO_SCSI_MULTIQUEUE"
}
],
"diskSizeGb": "10",
"kind": "compute#attachedDisk"
}
],
"metadata": {
"fingerprint": "VALUE",
"kind": "compute#metadata"
},
"serviceAccounts": [
{
"email": "user@example.com",
"scopes": [
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
"https://www.googleapis.com/auth/servicecontrol",
"https://www.googleapis.com/auth/service.management.readonly",
"https://www.googleapis.com/auth/trace.append"
]
}
],
"selfLink": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a/instances/instance-1",
"scheduling": {
"onHostMaintenance": "MIGRATE",
"automaticRestart": true,
"preemptible": false
},
"cpuPlatform": "Intel Haswell",
"labels": {
"vm_test_tag": "tag1"
},
"labelFingerprint": "VALUE",
"startRestricted": false,
"deletionProtection": false,
"reservationAffinity": {
"consumeReservationType": "ANY_RESERVATION"
},
"displayDevice": {
"enableDisplay": false
},
"shieldedInstanceConfig": {
"enableSecureBoot": false,
"enableVtpm": true,
"enableIntegrityMonitoring": true
},
"shieldedInstanceIntegrityPolicy": {
"updateAutoLearnPolicy": true
},
"confidentialInstanceConfig": {
"enableConfidentialCompute": false
},
"fingerprint": "VALUE",
"lastStartTimestamp": "2021-04-28T21:35:07.865-07:00",
"kind": "compute#instance"
}
Output messages
The Enrich Entities action can return the following output messages:
Output message | Message description |
---|---|
|
Action succeeded. |
Error executing action "Enrich Entities". Reason:
ERROR_REASON |
Action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Enrich Entities action:
Script result name | Value |
---|---|
is_success |
True or False |
Execute VM Patch Job
Use the Execute VM Patch Job action to execute a VM patch job on Compute Engine instances.
This action is asynchronous. Adjust the script timeout value in the Google SecOps integrated development environment (IDE) for the action as needed.
This action doesn't run on Google SecOps entities.
The Execute VM Patch Job action requires you to enable the OS Config API.
Action inputs
The Execute VM Patch Job action requires the following parameters:
Parameter | Description |
---|---|
Instance Filter Object |
Required A JSON object to set an instance filter. The default value is as follows: { "all": "true" } |
Name |
Required The name for the patching job. |
Description |
Optional The description for the patching job. |
Patching Config Object |
Optional A JSON object that specifies the steps for the patching job to execute. If you don't set a value, the action patches
the Compute Engine instances using the default value. To configure
this parameter, use the following format: The default value is as follows: { "rebootConfig": "DEFAULT", "apt": { "type": "DIST" }, "yum": { "security": true }, "zypper": { "withUpdate": true }, "windowsUpdate": { "classifications": ["CRITICAL", "SECURITY"] } } |
Patch Duration Timeout |
Required The timeout value in minutes for a patching job. The default value is |
Rollout Strategy |
Optional The rollout strategy for a patching job. The possible values are |
Disruption Budget |
Required The disruption budget for a patching job. To
configure this parameter, you can use a specific number or a percentage,
such as The default value is |
Wait For Completion |
Required If selected, the action waits for the patching job to complete. |
Fail If Completed With Errors |
Required If selected and the patching job status is
|
Action outputs
The Execute VM Patch Job action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Available |
Script result | Available |
JSON result
The following example shows the JSON result output received when using the Execute VM Patch Job action:
{
"name": "projects/PROJECT_ID/patchJobs/JOB_ID",
"createTime": "2024-09-24T16:00:43.354907Z",
"updateTime": "2024-09-24T16:00:44.626050Z",
"state": "PATCHING",
"patchConfig": {
"rebootConfig": "DEFAULT",
"apt": {
"type": "UPGRADE"
},
"yum": {},
"zypper": {},
"windowsUpdate": {}
},
"duration": "3600s",
"instanceDetailsSummary": {
"startedInstanceCount": "1"
},
"percentComplete": 20,
"instanceFilter": {
"instances": [
"zones/us-central1-a/instances/INSTANCE_ID"
]
},
"displayName": "test",
"rollout": {
"mode": "ZONE_BY_ZONE",
"disruptionBudget": {
"percent": 25
}
}
}
Output messages
The Execute VM Patch Job action can return the following output messages:
Output message | Message description |
---|---|
|
The action succeeded. |
Error executing action "Execute VM Patch Job". Reason: ERROR_REASON |
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Execute VM Patch Job action:
Script result name | Value |
---|---|
is_success |
True or False |
Get Instance IAM Policy
Use the Get Instance IAM Policy action to get the access control policy for a resource. If you assign no policy to the resource initially, the returned policy can be empty.
This action doesn't run on Google SecOps entities.
Action inputs
The Get Instance IAM Policy action requires the following parameters:
Parameters | Description |
---|---|
Resource Name |
Optional The resource name for the Compute Engine instance. This parameter has higher priority over the combination of
the Provide the parameter value in
the following format: |
Project ID |
Optional The name of the project for your Compute Engine instance. If you set no value for this parameter, the integration retrieves the project ID from your Google Cloud service account. |
Instance Zone |
Optional The name of an instance zone to search for instances in. |
Instance ID |
Optional The ID of the instance to start. You can retrieve the instance ID using the List Instances action. |
Action outputs
The Get Instance IAM Policy action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example describes the JSON result output received when using the Get Instance IAM Policy action:
{
"version": 1,
"etag": "BwXBfsc47MI=",
"bindings": [
{
"role": "roles/compute.networkViewer_withcond_2f0c00",
"members": [
"user:user@example.com"
]
}
]
}
Output messages
The Get Instance IAM Policy action can return the following output messages:
Output message | Message description |
---|---|
|
Action succeeded. |
Error executing action "Get Instance IAM Policy". Reason:
ERROR_REASON |
Action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Get Instance IAM Policy action:
Script result name | Value |
---|---|
is_success |
True or False |
List Instances
Use the List Instances action to list Compute Engine instances based on the specified search criteria.
This action doesn't run on Google SecOps entities.
Action inputs
The List Instances action requires the following parameters:
Parameters | Description |
---|---|
Project ID |
Optional The name of the project to list instances. If you set no value for this parameter, the integration retrieves the project ID from your Google Cloud service account. |
Instance Zone |
Optional The name of an instance zone to search for instances in. |
Instance Name |
Optional The instance name to search for. This parameter accepts multiple values as a comma-separated string. |
Instance Status |
Optional The instance status to search for. This parameter accepts multiple values as a comma-separated string. |
Instance Labels |
Optional The instance label to search for. To configure
this parameter, set the value in a following format:
This parameter accepts multiple values as a comma-separated string. |
Max Rows to Return |
Optional The number of instances to return for a single action run. The default value is 50. |
Action outputs
The List Instances action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
Case wall table
The List Instances action provides the following table:
Table name: Google Cloud Compute Instances
Table columns:
- Instance Name
- Instance ID
- Instance Creation Time
- Instance Description
- Instance Type
- Instance Status
- Instance Labels
JSON result
The following example describes the JSON result output received when using the List Instances action:
{ "id": "projects/PROJECT_ID/zones/us-central1-a/instances",
"items": [
{
"id": "ID",
"creationTimestamp": "2021-04-28T21:34:57.369-07:00",
"name": "instance-1",
"description": "",
"tags": {
"fingerprint": "VALUE"
},
"machineType": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a/machineTypes/f1-micro",
"status": "RUNNING",
"zone": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a",
"canIpForward": false,
"networkInterfaces": [
{
"network": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/default",
"subnetwork": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/subnetworks/default",
"networkIP": "192.0.2.2",
"name": "example",
"accessConfigs": [
{
"type": "ONE_TO_ONE_NAT",
"name": "External NAT",
"natIP": "203.0.113.59",
"networkTier": "PREMIUM",
"kind": "compute#accessConfig"
}
],
"fingerprint": "VALUE",
"kind": "compute#networkInterface"
}
],
"disks": [
{
"type": "PERSISTENT",
"mode": "READ_WRITE",
"source": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a/disks/instance-1",
"deviceName": "instance-1",
"index": 0,
"boot": true,
"autoDelete": true,
"licenses": [
"https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/licenses/LICENSE"
],
"interface": "SCSI",
"guestOsFeatures": [
{
"type": "UEFI_COMPATIBLE"
},
{
"type": "VIRTIO_SCSI_MULTIQUEUE"
}
],
"diskSizeGb": "10",
"kind": "compute#attachedDisk"
}
],
"metadata": {
"fingerprint": "VALUE",
"kind": "compute#metadata"
},
"serviceAccounts": [
{
"email": "user@example.com",
"scopes": [
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
"https://www.googleapis.com/auth/servicecontrol",
"https://www.googleapis.com/auth/service.management.readonly",
"https://www.googleapis.com/auth/trace.append"
]
}
],
"selfLink": "https://www.googleapis.com/compute/v1/projects/PROJECT_IDzones/us-central1-a/instances/instance-1",
"scheduling": {
"onHostMaintenance": "MIGRATE",
"automaticRestart": true,
"preemptible": false
},
"cpuPlatform": "Intel Haswell",
"labels": {
"vm_test_tag": "tag1"
},
"labelFingerprint": "VALUE",
"startRestricted": false,
"deletionProtection": false,
"reservationAffinity": {
"consumeReservationType": "ANY_RESERVATION"
},
"displayDevice": {
"enableDisplay": false
},
"shieldedInstanceConfig": {
"enableSecureBoot": false,
"enableVtpm": true,
"enableIntegrityMonitoring": true
},
"shieldedInstanceIntegrityPolicy": {
"updateAutoLearnPolicy": true
},
"confidentialInstanceConfig": {
"enableConfidentialCompute": false
},
"fingerprint": "VALUE",
"lastStartTimestamp": "2021-04-28T21:35:07.865-07:00",
"kind": "compute#instance"
}
]
}
Output messages
On a Case Wall, the List Instances action can return the following output messages:
Output message | Message description |
---|---|
|
Action succeeded. |
Error executing action "List Instances". Reason:
ERROR_REASON |
Action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the List Instances action:
Script result name | Value |
---|---|
is_success |
True or False |
Ping
Use the Ping action to test connectivity to Compute Engine.
This action doesn't run on Google SecOps entities.
Action inputs
None.
Action outputs
The Ping action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Available |
Script result | Available |
Output messages
On a Case Wall, the Ping action can return the following output messages:
Output message | Message description |
---|---|
Successfully connected to the Google Cloud Compute service with
the provided connection parameters! |
Action succeeded. |
Failed to connect to the Google Cloud Compute service! Error is
ERROR_REASON |
Action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Ping action:
Script result name | Value |
---|---|
is_success |
True or False |
Remove External IP Addresses
Use the Remove External IP Addresses action to remove external IP addresses on a Compute Engine instance.
This action is asynchronous. Adjust the script timeout value in the Google SecOps integrated development environment (IDE), if necessary.
This action doesn't run on Google SecOps entities.
Action inputs
The Remove External IP Addresses action requires the following parameters:
Parameters | Description |
---|---|
Resource Name |
Optional The resource name for the Compute Engine instance. This parameter has higher priority over the combination of
the Provide the parameter value in
the following format: |
Project ID |
Optional The name of the project for your Compute Engine instance. If you set no value for this parameter, the integration retrieves the project ID from your Google Cloud service account. |
Instance Zone |
Optional The name of an instance zone to search for instances in. |
Instance ID |
Optional The ID of the instance to start. You can retrieve the instance ID using the List Instances action. |
Network Interface |
Optional A comma-separated list of network interfaces to
modify. If you leave this parameter empty or provide the |
Action outputs
The Remove External IP Addresses action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example describes the JSON result output received when using the Remove External IP Addresses action:
[
{
"endTime": "2024-05-21T04:28:05.371-07:00",
"id": "ID",
"insertTime": "2024-05-21T04:28:04.176-07:00",
"kind": "compute#operation",
"name": "operation-OPERATION_ID",
"operationType": "updateNetworkInterface",
"progress": 100,
"selfLink": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-west1-a/operations/operation-OPERATION_ID",
"startTime": "2024-05-21T04:28:04.190-07:00",
"status": "DONE",
"targetId": "TARGET_ID",
"targetLink": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-west1-a/instances/INSTANCE_ID",
"user": "user@example.com",
"zone": "us-west1-a",
"networkInterface": "example"
},
{
"endTime": "2024-05-21T04:28:06.549-07:00",
"id": "2531200345768541098",
"insertTime": "2024-05-21T04:28:05.419-07:00",
"kind": "compute#operation",
"name": "operation-OPERATION_ID",
"operationType": "deleteAccessConfig",
"progress": 100,
"selfLink": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-west1-a/operations/operation-OPERATION_ID",
"startTime": "2024-05-21T04:28:05.430-07:00",
"status": "DONE",
"targetId": "3905740668247239013",
"targetLink": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-west1-a/instances/INSTANCE_ID",
"user": "user@example.com",
"zone": "us-west1-a",
"networkInterface": "example"
}
]
Output messages
The Remove External IP Addresses action can return the following output messages:
Output message | Message description |
---|---|
|
Action succeeded. |
|
Action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Remove External IP Addresses action:
Script result name | Value |
---|---|
is_success |
True or False |
Remove IP From Firewall Rule
Use the Remove IP From Firewall Rule action to remove IP addresses from a firewall rule in Compute Engine instance.
This action is asynchronous. Adjust the script timeout value in the Google SecOps integrated development environment (IDE) for the action as needed.
This action doesn't run on Google SecOps entities.
Action inputs
The Remove IP From Firewall Rule action requires the following parameters:
Parameter | Description |
---|---|
Resource Name |
Optional The full resource name of the Compute Engine
instance, such as
This parameter has a
priority over the |
Project ID |
Optional The project name of the Compute Engine instance. If you don't set a value, the action retrieves the project name from the integration configuration. |
Firewall Rule |
Optional The name of the firewall rule to update. |
Type |
Optional The type of the IP address range to add. The possible values are The default value is |
IP Ranges |
Required The list of IP address ranges to add to the firewall rule. |
Action outputs
The Remove IP From Firewall Rule action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Available |
Script result | Available |
Output messages
The Remove IP From Firewall Rule action can return the following output messages:
Output message | Message description |
---|---|
|
The action succeeded. |
Error executing action "Remove IP From Firewall Rule". Reason:
ERROR_REASON |
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Remove IP From Firewall Rule action:
Script result name | Value |
---|---|
is_success |
True or False |
Remove Network Tags
Use the Remove Network Tags action to remove network tags from the Compute Engine instance.
This action is asynchronous. Adjust the script timeout value in the Google SecOps integrated development environment (IDE) for the action as needed.
This action doesn't run on Google SecOps entities.
Action inputs
The Remove Network Tags action requires the following parameters:
Parameter | Description |
---|---|
Resource Name |
Optional The full resource name of the Compute Engine
instance, such as
This parameter has a
priority over the |
Project ID |
Optional The project name of the Compute Engine instance. If you don't set a value, the action retrieves the project name from the integration configuration. |
Instance Zone |
Optional The zone name of the Compute Engine instance. This parameter is required if you configure the
Compute Engine instance using the |
Instance ID |
Optional The Compute Engine instance ID. This
parameter is required if you configure the Compute Engine instance
using the |
Network Tags |
Required A comma-separated list of network tags to add to the Compute Engine instance. This parameter only accepts tags that contain lowercase letters, numbers, and hyphens. |
Action outputs
The Remove Network Tags action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Available |
Script result | Available |
Output messages
The Remove Network Tags action can return the following output messages:
Output message | Message description |
---|---|
|
The action succeeded. |
Error executing action "Remove Network Tags". Reason:
ERROR_REASON |
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Remove Network Tags action:
Script result name | Value |
---|---|
is_success |
True or False |
Set Instance IAM Policy
Use the Set Instance IAM Policy action to sets the access control policy for the specified resource. The policy that you provide in the action replaces any existing policy.
This action doesn't run on Google SecOps entities.
Action inputs
The Set Instance IAM Policy action requires the following parameters:
Parameters | Description |
---|---|
Resource Name |
Optional The resource name for the Compute Engine instance. This parameter has higher priority over the combination of
the Provide the parameter value in
the following format: |
Project ID |
Optional The name of the project for your Compute Engine instance. If you set no value for this parameter, the integration retrieves the project ID from your Google Cloud service account. |
Instance Zone |
Optional The name of an instance zone to search for instances in. |
Instance ID |
Optional The ID of the instance to start. You can retrieve the instance ID using the List Instances action. |
Policy |
Required The JSON policy document to set to the instance. |
Action outputs
The Set Instance IAM Policy action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example describes the JSON result output received when using the Set Instance IAM Policy action:
{
"version": 1,
"etag": "BwXBftu99FE=",
"bindings": [
{
"role": "roles/compute.networkViewer",
"members": [
"user:user@example.com"
]
}
]
}
Output messages
The Set Instance IAM Policy action can return the following output messages:
Output message | Message description |
---|---|
|
Action succeeded. |
Error executing action "Set Instance IAM Policy". Reason:
ERROR_REASON
|
Action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Set Instance IAM Policy action:
Script result name | Value |
---|---|
is_success |
True or False |
Start Instance
Use the Start Instance action to start a previously stopped Compute Engine instance.
The instance doesn't start running immediately.
This action doesn't run on Google SecOps entities.
Action inputs
The Start Instance action requires the following parameters:
Parameters | Description |
---|---|
Resource Name |
Optional The resource name for the Compute Engine instance. This parameter has higher priority over the combination of
the Provide the parameter value in
the following format: |
Project ID |
Optional The name of the project for your Compute Engine instance. If you set no value for this parameter, the integration retrieves the project ID from your Google Cloud service account. |
Instance Zone |
Optional The name of an instance zone to search for instances in. |
Instance ID |
Optional The ID of the instance to start. You can retrieve the instance ID using the List Instances action. |
Action outputs
The Start Instance action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example describes the JSON result output received when using the Start Instance action:
{
"id": "ID",
"name": "operation-OPERATION_ID",
"zone": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a",
"operationType": "start",
"targetLink": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a/instances/INSTANCE_ID",
"targetId": "INSTANCE_ID",
"status": "DONE",
"user": "user@example.com",
"progress": 100,
"insertTime": "2021-04-28T23:01:29.395-07:00",
"startTime": "2021-04-28T23:01:29.397-07:00",
"endTime": "2021-04-28T23:01:29.397-07:00",
"selfLink": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a/operations/operation-OPERATION_ID",
"kind": "compute#operation"
}
Output messages
The Start Instance action can return the following output messages:
Output message | Message description |
---|---|
|
Action succeeded. |
|
Action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Start Instance action:
Script result name | Value |
---|---|
is_success |
True or False |
Stop Instance
Use the Stop Instance action to stop a running Compute Engine instance. You can restart the instance at a later time.
The VM usage charges don't apply to the stopped instances. However, charges apply to the resources that the VM is using, such as persistent disks and static IP addresses, unless you delete the resources.
This action doesn't run on Google SecOps entities.
Action inputs
The Stop Instance action requires the following parameters:
Parameters | Description |
---|---|
Resource Name |
Optional The resource name for the Compute Engine instance. This parameter has higher priority over the combination of
the Provide the parameter value in
the following format: |
Project ID |
Optional The name of the project for your Compute Engine instance. If you set no value for this parameter, the integration retrieves the project ID from your Google Cloud service account. |
Instance Zone |
Optional The name of an instance zone to search for instances in. |
Instance ID |
Optional The ID of the instance to start. You can retrieve the instance ID using the List Instances action. |
Action outputs
The Stop Instance action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example describes the JSON result output received when using the Stop Instance action:
{
"id": "ID",
"name": "operation-OPERATION_ID",
"zone": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a",
"operationType": "stop",
"targetLink": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a/instances/INSTANCE_ID",
"targetId": "INSTANCE_ID",
"status": "RUNNING",
"user": "user@example.com",
"progress": 100,
"insertTime": "2021-04-28T23:01:29.395-07:00",
"startTime": "2021-04-28T23:01:29.397-07:00",
"selfLink": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a/operations/operation-OPERATION_ID",
"kind": "compute#operation"
}
Output messages
The Stop Instance action can return the following output messages:
Output message | Message description |
---|---|
|
Action succeeded. |
Error executing action "Stop Instance". Reason:
ERROR_REASON |
Action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Stop Instance action:
Script result name | Value |
---|---|
is_success |
True or False |
Update Firewall Rule
Use the Update Firewall Rule action to update a firewall rule with the provided parameters in Compute Engine.
This action is asynchronous. Adjust the script timeout value in the Google SecOps integrated development environment (IDE), if necessary.
This action doesn't run on Google SecOps entities.
Action inputs
The Update Firewall Rule action requires the following parameters:
Parameters | Description |
---|---|
Resource Name |
Optional The resource name for the Compute Engine instance. This parameter has higher priority over the combination of
the Provide the parameter value in the following format: |
Project ID |
Optional The name of the project for your Compute Engine instance. If you set no value for this parameter, the integration retrieves the project ID from your Google Cloud service account. |
Firewall Rule |
Optional A firewall rule name to update. |
Source IP Ranges |
Optional A comma-separated list of source IP ranges. This
parameter supports the If you provide the
|
Source Tags |
Optional A comma-separated list of source tags. This
parameter supports the If you provide the
|
Source Service Accounts |
Optional A comma-separated list of source service accounts.
This parameter supports the If you provide
the |
TCP Ports |
Optional A comma-separated list of TCP ports. If you configure this parameter, the action uses the parameter value to update and determine allowlists and denylists. This parameter supports the |
UDP Ports |
Optional A comma-separated list of UDP ports. If you configure this parameter, the action uses the parameter value to update and determine allowlists and denylists. This parameter supports the |
Other Protocols |
Optional A comma-separated list of other protocols. This parameter supports the |
Destination IP Ranges |
Optional A comma-separated list of the destination IP address ranges. This parameter supports the If you set the |
Action outputs
The Update Firewall Rule action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example describes the JSON result output received when using the Update Firewall Rule action:
{
"endTime": "2024-05-20T09:42:09.381-07:00",
"id": "ID",
"insertTime": "2024-05-20T09:42:05.150-07:00",
"kind": "compute#operation",
"name": "operation-OPERATION_ID",
"operationType": "patch",
"progress": 100,
"selfLink": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/operations/operation-OPERATION_ID",
"startTime": "2024-05-20T09:42:05.164-07:00",
"status": "DONE",
"targetId": "7886634413370691799",
"targetLink": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/firewalls/default-allow-rdp",
"user": "user@example.com"
}
Output messages
The Update Firewall Rule action can return the following output messages:
Output message | Message description |
---|---|
Successfully updated firewall rule in Cloud Compute.
|
Action succeeded. |
Error executing action "Update Firewall Rule". Reason:
ERROR_REASON
|
Action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Update Firewall Rule action:
Script result name | Value |
---|---|
is_success |
True or False |