ObserveIT
Integration version: 4.0
Use Cases
Ingest ObserveIT alerts and use them to create Google Security Operations alerts.
Next, in Google SecOps, alerts can be used to perform orchestrations
with playbooks or manual analysis.
Generate Client ID and Client Secret
Go to https://:/v2/apps/portal/home.html?#creds.
Click the "+ Create App" button.
Fill out the "Application Name" parameter.
Click "Save".
A new ObserveIT application appears. Click it and you will see this window.
Copy the "Client Id" and "Client Secret" values.
Use these values in the integration configuration.
Configure ObserveIT integration in Google SecOps
For detailed instructions on how to configure an integration in
Google SecOps, see Configure
integrations.
Integration parameters
Use the following parameters to configure the integration:
| Parameter Display Name | Type | Default Value | Is mandatory | Description |
| --- | --- | --- | --- | --- |
| API Root | String | https://<address>:<port> | Yes | ObserveIT API Root. |
| Client ID | String | N/A | Yes | Client ID of the ObserveIT app. |
| Client Secret | Password | N/A | Yes | Client Secret of the ObserveIT app. |
| Use SSL | Checkbox | Checked | Yes | Option to enable SSL/TLS connection |
Actions
Ping
Description
Test connectivity to ObserveIT with parameters provided at the integration
configuration page in the Google Security Operations Marketplace tab.
Parameters
N/A
Playbook Use Cases Examples
The action is used to test connectivity at the integration configuration page on
the Google Security Operations Marketplace tab. It can be executed as a manual action
and is not used in playbooks.
Run On
The action doesn't run on entities and has no mandatory input parameters.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
| Script Result Name | Value Options | Example |
| --- | --- | --- |
| is_success | True/False | is_success:False |
JSON Result
N/A
Connectors
ObserveIT - Alerts Connector
Description
Pull alerts from ObserveIT.
Configure ObserveIT - Alerts Connector in Google SecOps
For detailed instructions on how to configure a connector in
Google SecOps, see Configuring the
connector.
Connector parameters
Use the following parameters to configure the connector:
| Parameter Display Name | Type | Default Value | Is mandatory | Description |
| --- | --- | --- | --- | --- |
| Product Field Name | String | Product Name | Yes | Enter the source field name in order to retrieve the Product Field name. |
| Event Field Name | String | eventType | Yes | Enter the source field name in order to retrieve the Event Field name. |
| Environment Field Name | String | "" | No | Describes the name of the field where the environment name is stored. If the environment field isn't found, the environment is the default environment. |
| Environment Regex Pattern | String | .* | No | A regex pattern to run on the value found in the "Environment Field Name" field. Default is .* to catch all and return the value unchanged. Used to allow the user to manipulate the environment field via regex logic. If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
| Script Timeout (Seconds) | Integer | 180 | Yes | Timeout limit for the python process running the current script. |
| API Root | String | https://x.x.x.x:x | Yes | API root of ObserveIT server. |
| Client ID | String | N/A | Yes | Client ID of the ObserveIT app. |
| Client Secret | Password | | Yes | Client Secret of the ObserveIT app. |
| Lowest Severity To Fetch | String | Medium | Yes | Lowest severity that will be used to fetch Alerts. Possible values: Low, Medium, High, Critical |
| Fetch Max Hours Backwards | Integer | 1 | No | Amount of hours from where to fetch alerts. |
| Max Alerts To Fetch | Integer | 25 | No | How many alerts to process per one connector iteration. |
| Use whitelist as a blacklist | Checkbox | Unchecked | Yes | If enabled, whitelist will be used as a blacklist. |
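The environment and severity parameters described above, applied to constructed alerts. This is an added example, not the connector's own code. The alert field names (id, severity, tenant), the "Default Environment" label, and the fallback when the pattern matches nothing are assumptions.

```python
import re

# Order taken from the "Lowest Severity To Fetch" possible values.
SEVERITIES = ["Low", "Medium", "High", "Critical"]
DEFAULT_ENV = "Default Environment"  # assumed label for the default environment


def resolve_environment(alert, field_name, pattern, default_env=DEFAULT_ENV):
    """Apply the "Environment Field Name" / "Environment Regex Pattern" rules."""
    # Field not configured, or not present in the alert: default environment.
    if not field_name or field_name not in alert:
        return default_env
    value = alert[field_name]
    # Null value, or null/empty pattern: default environment.
    if value is None or not pattern:
        return default_env
    match = re.search(pattern, str(value))
    # Assumption: no match (or an empty match) also falls back to the default.
    if not match or not match.group(0):
        return default_env
    return match.group(0)


def meets_severity_floor(alert, lowest, field="severity"):
    """True when the alert is at or above the configured lowest severity."""
    sev = str(alert.get(field, "")).capitalize()
    if sev not in SEVERITIES:
        return True  # assumption: keep unclassified alerts instead of dropping them
    return SEVERITIES.index(sev) >= SEVERITIES.index(lowest)


def select_alerts(alerts, lowest="Medium", max_alerts=25,
                  env_field="", env_pattern=".*"):
    """Severity floor, then "Max Alerts To Fetch", then environment per alert."""
    kept = [a for a in alerts if meets_severity_floor(a, lowest)][:max_alerts]
    return [(a["id"], resolve_environment(a, env_field, env_pattern))
            for a in kept]


# Constructed sample alerts; the field names are hypothetical.
SAMPLE_ALERTS = [
    {"id": "a1", "severity": "Low", "tenant": "prod-emea"},
    {"id": "a2", "severity": "High", "tenant": "prod-emea"},
    {"id": "a3", "severity": "Critical", "tenant": None},
    {"id": "a4", "severity": "Medium"},
]

if __name__ == "__main__":
    for row in select_alerts(SAMPLE_ALERTS, "Medium", 25, "tenant", r"^[a-z]+"):
        print(row)
```

With the default pattern .* the field value passes through unchanged, so a narrower pattern is only needed when one source field encodes more than the environment name.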
Connector Rules
Proxy Support
The connector supports proxy.
Note (Generate Client ID and Client Secret): ObserveIT has a bug where it authenticates the integration even if an invalid Client ID is specified. This happens because the ObserveIT backend validates only the first 36 characters and ignores everything else. For example, if AAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAAA is a known valid Client ID, using AAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAABBBBB will still let you authenticate.
Last updated 2025-09-04 UTC.