Integrate Siemplify with Google SecOps

This document explains how to integrate Siemplify with Google Security Operations (Google SecOps).

Integration version: 83.0

Use cases

The Siemplify integration can address the following use cases:

  • Phishing investigation: use Google SecOps capabilities to automate the process of analyzing phishing emails, extracting indicators of compromise (IOCs), and enriching them with threat intelligence.

  • Malware containment: use Google SecOps capabilities to automatically isolate infected endpoints, initiate scans, and quarantine malicious files upon detection of malware.

  • Vulnerability management: use Google SecOps capabilities to orchestrate vulnerability scans, prioritize vulnerabilities based on risk, and automatically create tickets for remediation.

  • Threat hunting: use Google SecOps capabilities to automate running of threat hunting queries across various security tools and datasets.

  • Security alert triage: use Google SecOps capabilities to automatically enrich security alerts with contextual information, correlate them with other events, and prioritize them based on severity.

  • Incident response: use Google SecOps capabilities to orchestrate the entire incident response process, from initial detection to containment and eradication.

  • Compliance reporting: use Google SecOps capabilities to automate the collection and analysis of security data for compliance reporting.

Endpoints

The Siemplify integration uses the following endpoints:

Endpoint Description
/external/v1/cases/PauseAlertSLA

Required.

Pauses the Service Level Agreement (SLA) timer for an alert.

This endpoint applies to the Pause Alert SLA action and requires Google SecOps version 5.6.1 or later.

/external/v1/cases/ResumeAlertSLA

Required.

Resumes the SLA timer for an alert.

This endpoint applies to the Resume Alert SLA action and requires Google SecOps version 5.6.1 or later.

Integration parameters

The Siemplify integration requires the following parameters:

Parameter Description
Monitors Mail Recipients

Required.

A comma-separated list of email addresses to validate.

The default value is example@mail.com,example1@mail.com.

Elastic Server Address

Required.

The address of the Elastic server.

The default value is localhost.

For instructions about how to configure an integration in Google SecOps, see Configure integrations.

You can make changes at a later stage, if needed. After you configure an integration instance, you can use it in playbooks. For more information about how to configure and support multiple instances, see Supporting multiple instances.

Actions

For more information about actions, see Respond to pending actions from Your Workdesk and Perform a manual action.

Add Entity Insight

Use the Add Entity Insight action to add an insight to the targeted entity.

This action runs on all Google SecOps entities.

Action inputs

The Add Entity Insight action requires the following parameters:

Parameter Description
Message

Required.

The message content to add to the entity.

This parameter supports HTML elements, such as headings (<h1></h1>, <h2></h2>), paragraphs (<p></p>), text formatting (<b></b>, <i></i>, <br>), and links (<a href="example.com"></a>).

Action outputs

The Add Entity Insight action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Script result Available
Script result

The following table lists the value for the script result output when using the Add Entity Insight action:

Script result name Value
null Not applicable

Add General Insight

Use the Add General Insight action to add a general insight to the case.

This action runs on all Google SecOps entities.

Action inputs

The Add General Insight action requires the following parameters:

Parameter Description
Title

Required.

The title of the insight.

Message

Required.

The message content to add to the insight.

This parameter supports HTML elements, such as headings (<h1></h1>, <h2></h2>), paragraphs (<p></p>), text formatting (<b></b>, <i></i>, <br>), and links (<a href="example.com"></a>).

Triggered By Optional

A justification for the insight.

Action outputs

The Add General Insight action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Script result Available
Script result

The following table lists the value for the script result output when using the Add General Insight action:

Script result name Value
null Not applicable

Add Tags To Similar Cases

Use the Add Tags To Similar Cases action to add tags to similar cases.

To find similar cases, the action calls the siemplify.get_similar_cases() function with the configured parameters; the function returns a list of case IDs.

This action doesn't run on Google SecOps entities.

Action inputs

The Add Tags To Similar Cases action requires the following parameters:

Parameter Description
Rule Generator Optional

If selected, the action searches for similar cases using the rule generator.

Selected by default.

Port Optional

If selected, the action searches for similar cases using port numbers.

Selected by default.

Category Outcome Optional

If selected, the action searches for similar cases using the category outcome.

Selected by default.

Entity Identifier Optional

If selected, the action searches for similar cases using the entity identifier.

Selected by default.

Days Back

Required.

The number of days before now for the action to search for similar cases.

Tags

Required.

A comma-separated list of tags to add to similar cases.

The Add Tags To Similar Cases action applies the logical AND operator to the Rule Generator, Port, Category Outcome, and Entity Identifier parameters to use them in the same search.

Action outputs

The Add Tags To Similar Cases action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Script result Available
Script result

The following table lists the value for the script result output when using the Add Tags To Similar Cases action:

Script result name Value
SimilarCasesIds A list of similar case IDs.

Add to Custom List

Use the Add to Custom List action to add an entity identifier to a categorized custom list and perform future comparisons in other actions.

This action runs on all Google SecOps entities.

Action inputs

The Add to Custom List action requires the following parameters:

Parameter Description
Category

Required.

A custom list of categories to use.

Action outputs

The Add to Custom List action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Script result Available
Script result

The following table lists the value for the script result output when using the Add to Custom List action:

Script result name Value
is_success True or False

Assign Case

Use the Assign Case action to assign a case to a specific user or a user group.

This action runs on all Google SecOps entities.

Action inputs

The Assign Case action requires the following parameters:

Parameter Description
Assigned User

Required.

A user or a user group to assign a case to.

Action outputs

The Assign Case action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Script result Available
Script result

The following table lists the value for the script result output when using the Assign Case action:

Script result name Value
null Not applicable

Async Custom Action

Use the Async Custom Action action to iterate through the targeted entities and print their identifiers to the console.

This action runs on all Google SecOps entities.

Action inputs

None.

Action outputs

The Async Custom Action action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Script result Available
Script result

The following table lists the value for the script result output when using the Async Custom Action action:

Script result name Value
null Not applicable

Attach Playbook to Alert

Use the Attach Playbook to Alert action to attach a specific playbook to an alert.

This action runs on all Google SecOps entities.

Action inputs

The Attach Playbook to Alert action requires the following parameters:

Parameter Description
Playbook Name

Required.

The name of the playbook to attach to the current alert.

Action outputs

The Attach Playbook to Alert action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Script result Available
Script result

The following table lists the value for the script result output when using the Attach Playbook to Alert action:

Script result name Value
null Not applicable

Case Comment

Use the Case Comment action to add a comment to the case which the current alert is grouped into.

This action runs on all Google SecOps entities.

Action inputs

The Case Comment action requires the following parameters:

Parameter Description
Comment

Required.

A comment to add to the case.

Action outputs

The Case Comment action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Script result Available
Script result

The following table lists the value for the script result output when using the Case Comment action:

Script result name Value
SuccessStatus True or False

Case Tag

Use the Case Tag action to add a tag to the case which the current alert is grouped into.

This action runs on all Google SecOps entities.

Action inputs

The Case Tag action requires the following parameters:

Parameter Description
Tag

Required.

A tag to add to the case.

Action outputs

The Case Tag action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Script result Available
Script result

The following table lists the value for the script result output when using the Case Tag action:

Script result name Value
null Not applicable

Change Alert Priority

Use the Change Alert Priority action to update the priority of an alert in a case.

This action runs on all Google SecOps entities.

In Google SecOps, by default, the highest alert priority determines the case priority.

For example, if the case priority is Medium, it means that at least one alert among all alerts that are grouped in the case has a Medium priority, while others have lower priorities, such as Low or Informative. If you update the priority of any case alert to High, Google SecOps automatically sets the case priority to High.

Action inputs

The Change Alert Priority action requires the following parameters:

Parameter Description
Alert Priority

Required.

The new priority for the alert.

The possible values are as follows:

  • Informative
  • Low
  • Medium
  • High
  • Critical

Action outputs

The Change Alert Priority action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Script result Available
Script result

The following table lists the value for the script result output when using the Change Alert Priority action:

Script result name Value
null Not applicable

Change Case Stage

Use the Change Case Stage action to change the case stage.

This action runs on all Google SecOps entities.

Action inputs

The Change Case Stage action requires the following parameters:

Parameter Description
Stage

Required.

The stage to move the case to.

The possible values are as follows:

  • Triage
  • Assessment
  • Investigation
  • Incident
  • Improvement
  • Research

Action outputs

The Change Case Stage action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Script result Available
Script result

The following table lists the value for the script result output when using the Change Case Stage action:

Script result name Value
null Not applicable

Change Priority

Use the Change Priority action to update the priority of the investigated case.

This action runs on all Google SecOps entities.

In Google SecOps, by default, the highest alert priority determines the case priority.

For example, if the case priority is Medium, it means that at least one alert among all alerts that are grouped in the case has a Medium priority, while others have lower priorities, such as Low or Informative.

If you update the case priority to Low, Google SecOps overwrites the case priority to Low. If you update the priority of any case alert to High, Google SecOps automatically sets the case priority to High.

Action inputs

The Change Priority action requires the following parameters:

Parameter Description
Priority

Required.

The priority to set for the case.

The possible values are as follows:

  • Informative
  • Low
  • Medium
  • High
  • Critical

Action outputs

The Change Priority action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Script result Available
Script result

The following table lists the value for the script result output when using the Change Priority action:

Script result name Value
null Not applicable

Close Alert

Use the Close Alert action to close the alert.

This action runs on all Google SecOps entities.

Action inputs

The Close Alert action requires the following parameters:

Parameter Description
Reason

Required.

A reason for closing the alert.

The possible values are as follows:

  • Malicious
  • NotMalicious
  • Maintenance
  • Inconclusive

Root Cause

Required.

A primary cause for closing the alert.

Comment

Required.

A comment to add to the alert.

Assign to User Optional

The user to assign the alert to.

Tags Optional

A comma-separated list of tags.

Action outputs

The Close Alert action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Script result Available
Script result

The following table lists the value for the script result output when using the Close Alert action:

Script result name Value
StatusResult True or False

Close Case

Use the Close Case action to close the case.

This action runs on all Google SecOps entities.

Action inputs

The Close Case action requires the following parameters:

Parameter Description
Reason

Required.

A reason for closing the case.

The possible values are as follows:

  • Malicious
  • NotMalicious
  • Maintenance
  • Inconclusive

Root Cause

Required.

A primary cause for closing the case.

Comment

Required.

A comment to add to the case.

Action outputs

The Close Case action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Script result Available
Script result

The following table lists the value for the script result output when using the Close Case action:

Script result name Value
StatusResult True or False

Create Domain Entity

Use the Create Domain Entity action to add new entities to a case, avoiding duplicates.

This action runs on all Google SecOps entities.

Action inputs

The Create Domain Entity action requires the following parameters:

Parameter Description
Entities Identifies

Required.

A comma-separated list of entity identifiers to create in the case, such as VALUE1,VALUE2,VALUE3.

Delimiter Optional

The delimiter used to split the input from the Entities Identifies parameter into multiple identifiers.

If you don't set a value, the action treats the input as a single entity identifier.

The default value is ,.

Entity Type

Required.

The type of the entity to create, such as HOSTNAME, USERNAME, or IP.

Is Internal Optional

If selected, the action treats entities as part of an internal network.

Not selected by default.

Is Suspicious Optional

If selected, the action treats entities as suspicious.

Not selected by default.

Action outputs

The Create Domain Entity action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Script result Available
Script result

The following table lists the value for the script result output when using the Create Domain Entity action:

Script result name Value
StatusResult True or False

Create Entity

Use the Create Entity action to create a new entity and add it to an alert.

This action runs on all Google SecOps entities.

For the Google SecOps platform version 5.6.2 and later, the Create Entity action lets you choose the delimiter in the mapping process and ignore the database configuration.

For the Google SecOps platform version 5.6.0 up to 5.6.2, the delimiting can happen in the Create Entity action or the database.

To use a custom (non-default) delimiter when you create an entity, use the same delimiter in the action and the database. To use a custom delimiter, complete any of the following:

  • Change the default delimiter (,) to your custom delimiter in the action inputs and the database.

  • Change the delimiter in the database and keep the Delimiter parameter value empty in the action.

Action inputs

The Create Entity action requires the following parameters:

Parameter Description
Entities Identifies

Required.

A comma-separated list of entity identifiers to create in the case, such as VALUE1,VALUE2,VALUE3.

Delimiter Optional

The delimiter used to split the input from the Entities Identifies parameter into multiple identifiers.

If you don't set a value, the action treats the input as a single entity identifier.

The default value is ,.

Entity Type

Required.

The type of the entity to create, such as HOSTNAME, USERNAME, and IP.

Is Internal Optional

If selected, the action treats entities as part of an internal network.

Not selected by default.

Is Suspicious Optional

If selected, the action treats entities as suspicious.

Not selected by default.

Action outputs

The Create Entity action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Script result Available
Script result

The following table lists the value for the script result output when using the Create Entity action:

Script result name Value
StatusResult True or False

Create Or Update Entity Properties

Use the Create Or Update Entity Properties action to create or change properties for entities in the entity scope.

This action runs on all Google SecOps entities.

Action inputs

The Create Or Update Entity Properties action requires the following parameters:

Parameter Description
Entity Field

Required.

The name of the entity field to create or update.

Field Value

Required.

The value to set for the specified entity field.

Action outputs

The Create Or Update Entity Properties action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Script result Available
Script result

The following table lists the value for the script result output when using the Create Or Update Entity Properties action:

Script result name Value
is_success True or False

Get Connector Context Value

Use the Get Connector Context Value action to get a value that is stored under a specified key in the Google SecOps database for a connector context.

This action doesn't run on Google SecOps entities.

Action inputs

The Get Connector Context Value action requires the following parameters:

Parameter Description
Connector Identifier

Required.

The connector identifier for which to retrieve the context value.

Key Name

Required.

The key name for which to retrieve the context value.

Create Case Wall Table Optional

If selected, the action creates a Case Wall table with the retrieved context value, unless the value exceeds the character limit.

Selected by default.

Action outputs

The Get Connector Context Value action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Case Wall table

The Get Connector Context Value action can generate the following table:

Table name: Available Connector Context Values

Table columns:

  • Connector identifier
  • Key
  • Value

Output messages

The Get Connector Context Value action can return the following output messages:

The following output messages indicate that the action succeeded:

  • Successfully found context value for the provided context key CONTEXT_KEY for the connector identifier CONNECTOR_IDENTIFIER.
  • Context value was not found for the provided context key CONTEXT_KEY and connector identifier CONNECTOR_IDENTIFIER.
  • Action can't return the Case Wall table as the context values are too big.

The following output message indicates that the action failed:

  • Error executing action "Get Connector Context Value". Reason: ERROR_REASON

If the action failed, check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Get Connector Context Value action:

Script result name Value
is_success True or False

Get Scope Context Value

Use the Get Scope Context Value action to get a value that is stored under a specified key in the Google SecOps database.

This action can work with the following scopes: alert, case, and global.

This action doesn't run on Google SecOps entities.

Action inputs

The Get Scope Context Value action requires the following parameters:

Parameter Description
Context Scope

Required.

The context scope to retrieve data from.

Possible values are as follows:

  • Not specified
  • Alert
  • Case
  • Global

Key Name

Required.

The key name to retrieve the corresponding value from the specified context.

Create Case Wall Table Optional

If selected, the action creates a Case Wall table with the retrieved context value, unless the value exceeds the character limit.

Selected by default.

Action outputs

The Get Scope Context Value action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Case Wall table

The Get Scope Context Value action can generate the following table:

Table name: Context values for scope SCOPE

Table columns:

  • Key
  • Value

Output messages

The Get Scope Context Value action can return the following output messages:

The following output messages indicate that the action succeeded:

  • Successfully found context value for the provided context key CONTEXT_KEY with scope CONTEXT_SCOPE.
  • No context values were found for the provided context scope CONTEXT_SCOPE.
  • Context value was not found for the provided context key CONTEXT_KEY with scope CONTEXT_SCOPE.
  • Action can't return the Case Wall table as the context values are too big.

The following output message indicates that the action failed:

  • Error executing action "Get Scope Context Value". Reason: ERROR_REASON

If the action failed, check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Get Scope Context Value action:

Script result name Value
is_success True or False

Get Similar Cases

Use the Get Similar Cases action to search for similar cases and return their IDs.

This action runs on all Google SecOps entities.

Action inputs

The Get Similar Cases action requires the following parameters:

Parameter Description
Rule Generator Optional

If selected, the action searches for similar cases using the rule generator.

Selected by default.

Port Optional

If selected, the action searches for similar cases using port numbers.

Selected by default.

Category Outcome Optional

If selected, the action searches for similar cases using the category outcome.

Selected by default.

Entity Identifier Optional

If selected, the action searches for similar cases using the entity identifier.

Selected by default.

Days Back

Required.

The number of days prior to today for the action to search for similar cases.

Include Open Cases Optional

If selected, the action searches through open cases.

Selected by default.

Include Closed Cases Optional

If selected, the action searches through closed cases.

Selected by default.

The Get Similar Cases action applies the logical AND operator to the Rule Generator, Port, Category Outcome, Entity Identifier, Include Open Cases, and Include Closed Cases parameters to use them in the same search.
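The following Python block is an added illustration of the search semantics described for the Get Similar Cases and Add Tags To Similar Cases actions (logical AND across the selected criteria, a Days Back window, and the open/closed filters). It is not the integration's own code and does not use the Siemplify SDK; the Case data model, the rule that Port and Entity Identifier match when the cases share at least one value, and the sample cases are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Case:
    """Minimal stand-in for a Google SecOps case (constructed model, not the platform's)."""
    case_id: int
    rule_generator: str
    ports: frozenset
    category_outcome: str
    entity_identifiers: frozenset
    created: datetime
    is_closed: bool = False
    tags: set = field(default_factory=set)


def find_similar_cases(current, cases, *, now, days_back,
                       rule_generator=True, port=True, category_outcome=True,
                       entity_identifier=True, include_open=True,
                       include_closed=True):
    """Return the IDs of cases similar to `current`, in their original order.

    Every selected criterion must match (logical AND). A case also has to have
    been created within the last `days_back` days and be in an open/closed state
    the caller asked to include. The current case itself is never returned.
    """
    cutoff = now - timedelta(days=days_back)
    matches = []
    for other in cases:
        if other.case_id == current.case_id:
            continue
        if other.created < cutoff:
            continue
        if other.is_closed and not include_closed:
            continue
        if not other.is_closed and not include_open:
            continue
        if rule_generator and other.rule_generator != current.rule_generator:
            continue
        # Assumption: ports and entity identifiers match when at least one value is shared.
        if port and not (other.ports & current.ports):
            continue
        if category_outcome and other.category_outcome != current.category_outcome:
            continue
        if entity_identifier and not (other.entity_identifiers & current.entity_identifiers):
            continue
        matches.append(other.case_id)
    return matches


def parse_tags(tags_input):
    """Split the comma-separated Tags input, dropping blanks and surrounding whitespace."""
    return [tag.strip() for tag in tags_input.split(",") if tag.strip()]


def add_tags_to_similar_cases(current, cases, tags_input, **search):
    """Mirror Add Tags To Similar Cases: find the similar cases, then tag each of them."""
    similar_ids = find_similar_cases(current, cases, **search)
    tags = parse_tags(tags_input)
    by_id = {case.case_id: case for case in cases}
    for case_id in similar_ids:
        by_id[case_id].tags.update(tags)
    return similar_ids


# Constructed sample data: one current case and four candidates of varying similarity.
NOW = datetime(2024, 5, 10, 12, 0, tzinfo=timezone.utc)
CURRENT_CASE = Case(100, "Suspicious PowerShell", frozenset({445, 3389}), "Malicious",
                    frozenset({"host-01", "jdoe"}), NOW)
SAMPLE_CASES = [
    CURRENT_CASE,
    # Matches every criterion and is open.
    Case(101, "Suspicious PowerShell", frozenset({3389}), "Malicious",
         frozenset({"host-01"}), NOW - timedelta(days=2)),
    # Shares no entity identifier with the current case.
    Case(102, "Suspicious PowerShell", frozenset({3389}), "Malicious",
         frozenset({"host-02"}), NOW - timedelta(days=1)),
    # Matches every criterion but is closed.
    Case(103, "Suspicious PowerShell", frozenset({445}), "Malicious",
         frozenset({"jdoe"}), NOW - timedelta(days=3), is_closed=True),
    # Matches every criterion but is older than a 7-day Days Back window.
    Case(104, "Suspicious PowerShell", frozenset({445}), "Malicious",
         frozenset({"jdoe"}), NOW - timedelta(days=30)),
]

if __name__ == "__main__":
    print(find_similar_cases(CURRENT_CASE, SAMPLE_CASES, now=NOW, days_back=7))
```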

Action outputs

The Get Similar Cases action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Script result Available
Script result

The following table lists the value for the script result output when using the Get Similar Cases action:

Script result name Value
SimilarCasesIds CASE_IDS_LIST

Instruction

Use the Instruction action to set instructions for an analyst.

This action runs on all Google SecOps entities.

Action inputs

The Instruction action requires the following parameters:

Parameter Description
Instruction

Required.

The instruction content for the analyst.

Action outputs

The Instruction action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Script result Available
Script result

The following table lists the value for the script result output when using the Instruction action:

Script result name Value
null Not applicable

Is In Custom List

Use the Is In Custom List action to check whether the entity identifier is part of a specified custom list.

This action runs on all Google SecOps entities.

Action inputs

The Is In Custom List action requires the following parameters:

Parameter Description
Category

Required.

A custom list category to check for alert entities.

Action outputs

The Is In Custom List action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Script result Available
Script result

The following table lists the value for the script result output when using the Is In Custom List action:

Script result name Value
null Not applicable

Mark As Important

Use the Mark As Important action to mark a case as important.

This action runs on all Google SecOps entities.

Action inputs

None.

Action outputs

The Mark As Important action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Script result Available
Script result

The following table lists the value for the script result output when using the Mark As Important action:

Script result name Value
null Not applicable

Open Web Url

Use the Open Web Url action to generate a browser link.

This action runs on all Google SecOps entities.

Action inputs

The Open Web Url action requires the following parameters:

Parameter Description
Title

Required.

The title for the URL.

URL

Required.

The target URL.

Action outputs

The Open Web Url action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Script result Available
Script result

The following table lists the value for the script result output when using the Open Web Url action:

Script result name Value
null Not applicable

Pause Alert SLA

Use the Pause Alert SLA action to pause the Service Level Agreement (SLA) timer for a specific alert in the case.

This action doesn't run on Google SecOps entities.

Action inputs

The Pause Alert SLA action requires the following parameters:

Parameter Description
Message Optional

The reason for pausing the alert SLA.

Action outputs

The Pause Alert SLA action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Script result Available
Script result

The following table lists the value for the script result output when using the Pause Alert SLA action:

Script result name Value
is_success True or False

Permitted Alert Time

Use the Permitted Alert Time action to check whether the start time of a selected alert complies with user-defined time conditions.

This action runs on all Google SecOps entities.

Action inputs

The Permitted Alert Time action requires the following parameters:

Parameter Description
Permitted Start Time

Required.

The start time of the permitted period for alerts.

Permitted End Time

Required.

The end time of the permitted period for alerts.

Monday Optional

If selected, the action treats Mondays as permitted days for alerts.

Not selected by default.

Tuesday Optional

If selected, the action treats Tuesdays as permitted days for alerts.

Selected by default.

Wednesday Optional

If selected, the action treats Wednesdays as permitted days for alerts.

Selected by default.

Thursday Optional

If selected, the action treats Thursdays as permitted days for alerts.

Not selected by default.

Friday Optional

If selected, the action treats Fridays as permitted days for alerts.

Not selected by default.

Saturday Optional

If selected, the action treats Saturdays as permitted days for alerts.

Not selected by default.

Sunday Optional

If selected, the action treats Sundays as permitted days for alerts.

Not selected by default.

Input Timezone

Required.

The timezone to use for comparing the alert time.

The default value is UTC.
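The following Python block is an added example of the check the Permitted Alert Time parameters describe: convert the alert start time into the Input Timezone, then test it against the permitted start/end times and the selected weekdays. It is not the action's own code; the "HH:MM" input format, the epoch-millisecond alert timestamp, and the handling of a window that crosses midnight are assumptions.

```python
from datetime import datetime, time, timedelta, timezone, tzinfo
from zoneinfo import ZoneInfo

# datetime.weekday() numbers Monday as 0, so this tuple maps it to the action's checkbox names.
WEEKDAY_NAMES = ("Monday", "Tuesday", "Wednesday",
                 "Thursday", "Friday", "Saturday", "Sunday")

# Page defaults for the weekday checkboxes: only Tuesday and Wednesday are selected.
DEFAULT_PERMITTED_DAYS = frozenset({"Tuesday", "Wednesday"})


def alert_start_from_epoch_ms(epoch_ms):
    """Convert an alert start time in Unix epoch milliseconds (assumed UTC) to an aware datetime."""
    return datetime.fromtimestamp(epoch_ms / 1000, tz=timezone.utc)


def _resolve_timezone(input_timezone):
    """Accept an IANA zone name as typed into Input Timezone, or a ready tzinfo object."""
    if isinstance(input_timezone, tzinfo):
        return input_timezone
    if input_timezone.strip().upper() == "UTC":
        return timezone.utc
    return ZoneInfo(input_timezone.strip())


def is_alert_time_permitted(alert_start, permitted_start, permitted_end,
                            permitted_days=DEFAULT_PERMITTED_DAYS,
                            input_timezone="UTC"):
    """Return True if the alert start time falls inside the permitted window.

    alert_start      aware datetime (see alert_start_from_epoch_ms)
    permitted_start  "HH:MM" string such as "09:00" (assumed input format)
    permitted_end    "HH:MM" string such as "17:00"
    permitted_days   weekday names whose checkboxes are selected
    input_timezone   zone in which the window and the weekday are interpreted

    A window whose end is earlier than its start (for example 22:00 to 06:00) is
    treated as overnight: the part after midnight belongs to the day the window
    started on. That overnight rule is an assumption, not documented behaviour.
    """
    if alert_start.tzinfo is None:
        raise ValueError("alert_start must be timezone-aware")
    local = alert_start.astimezone(_resolve_timezone(input_timezone))
    start = time.fromisoformat(permitted_start)
    end = time.fromisoformat(permitted_end)
    local_time = local.time()
    day = WEEKDAY_NAMES[local.weekday()]

    if start <= end:
        # Same-day window: both the time of day and the weekday must be permitted.
        return day in permitted_days and start <= local_time <= end

    # Overnight window: evening part counts for today, early-morning part for yesterday.
    if local_time >= start:
        return day in permitted_days
    if local_time <= end:
        previous_day = WEEKDAY_NAMES[(local.weekday() - 1) % 7]
        return previous_day in permitted_days
    return False


# Constructed sample input: two alert start times given in epoch milliseconds.
SAMPLE_WEDNESDAY_ALERT = alert_start_from_epoch_ms(1715164200000)  # 2024-05-08 10:30:00 UTC
SAMPLE_THURSDAY_ALERT = alert_start_from_epoch_ms(1715220000000)   # 2024-05-09 02:00:00 UTC
# A fixed UTC-5 offset, used instead of an IANA name so the example runs without tzdata.
SAMPLE_MINUS_FIVE = timezone(timedelta(hours=-5))

if __name__ == "__main__":
    print(is_alert_time_permitted(SAMPLE_WEDNESDAY_ALERT, "09:00", "17:00"))
    print(is_alert_time_permitted(SAMPLE_WEDNESDAY_ALERT, "09:00", "17:00",
                                  input_timezone=SAMPLE_MINUS_FIVE))
```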

Action outputs

The Permitted Alert Time action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Script result Available
Script result

The following table lists the value for the script result output when using the Permitted Alert Time action:

Script result name Value
permitted Not applicable
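The check that the Permitted Alert Time action describes, written out as an added reference implementation (this is not the integration's own code). It assumes the alert start time arrives as a UTC epoch timestamp in milliseconds, that the window bounds are "HH:MM" strings, and that a window whose end precedes its start wraps past midnight; the function name and parameter layout are illustrative.

```python
# Added example, not the Siemplify integration's code: a reference
# implementation of the Permitted Alert Time check. Parameter names mirror
# the action's inputs; the epoch-ms input format is an assumption.
from datetime import datetime, time
from zoneinfo import ZoneInfo

# Day names as the action exposes them, mapped to datetime.weekday() values.
DAY_INDEX = {"Monday": 0, "Tuesday": 1, "Wednesday": 2, "Thursday": 3,
             "Friday": 4, "Saturday": 5, "Sunday": 6}


def is_permitted_alert_time(alert_start_epoch_ms: int,
                            permitted_start_time: str,
                            permitted_end_time: str,
                            permitted_days: set,
                            input_timezone: str = "UTC") -> bool:
    """Return True when the alert started inside the permitted window.

    The alert timestamp is converted into input_timezone before any
    comparison, so the same alert can be permitted in one timezone and
    not in another. The day-of-week check uses the alert's local calendar
    day. A window such as 22:00-06:00 (end earlier than start) is treated
    as crossing midnight.
    """
    tz = ZoneInfo(input_timezone)
    local = datetime.fromtimestamp(alert_start_epoch_ms / 1000, tz=tz)
    start = time.fromisoformat(permitted_start_time)
    end = time.fromisoformat(permitted_end_time)
    alert_clock = local.time()  # naive wall-clock time in input_timezone

    day_ok = local.weekday() in {DAY_INDEX[d] for d in permitted_days}
    if start <= end:
        time_ok = start <= alert_clock <= end
    else:  # window wraps past midnight, e.g. 22:00-06:00
        time_ok = alert_clock >= start or alert_clock <= end
    return day_ok and time_ok


if __name__ == "__main__":
    # Constructed alert: 2024-03-05 10:30:00 UTC, a Tuesday.
    ALERT_MS = 1709634600000
    print(is_permitted_alert_time(ALERT_MS, "09:00", "17:00", {"Tuesday"}))
    print(is_permitted_alert_time(ALERT_MS, "09:00", "17:00", {"Tuesday"},
                                  "Asia/Tokyo"))  # 19:30 local: not permitted
```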

Ping

Use the Ping action to test the connectivity.

This action runs on all Google SecOps entities.

Action inputs

None.

Action outputs

The Ping action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Script result Available
Script result

The following table lists the value for the script result output when using the Ping action:

Script result name Value
null Not applicable

Raise Incident

Use the Raise Incident action to raise a case incident and mark the true positive cases as Critical.

This action runs on all Google SecOps entities.

Action inputs

The Raise Incident action requires the following parameters:

Parameter Description
Soc Role Optional

The Google SecOps Security Operations Center (SOC) role to assign the case to.

Action outputs

The Raise Incident action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Script result Available
Script result

The following table lists the value for the script result output when using the Raise Incident action:

Script result name Value
null Not applicable

Remove From Custom List

Use the Remove From Custom List action to remove entities that are associated with an alert from a specified custom list category.

This action runs on all Google SecOps entities.

Action inputs

The Remove From Custom List action requires the following parameters:

Parameter Description
Category

Required.

The custom list category name from which to remove the entities.

Action outputs

The Remove From Custom List action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Script result Available
Script result

The following table lists the value for the script result output when using the Remove From Custom List action:

Script result name Value
ScriptResult Not applicable

Remove Tag

Use the Remove Tag action to remove tags from a case.

This action runs on all Google SecOps entities.

Action inputs

The Remove Tag action requires the following parameters:

Parameter Description
Tag

Required.

A comma-separated list of tags to remove from a case.

Action outputs

The Remove Tag action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Output messages

The Remove Tag action can return the following output messages:

Output message Message description
Successfully removed the following tags from case CASE_ID The action succeeded.

It is not possible to remove the tag.

Error executing action "Remove Tag". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Remove Tag action:

Script result name Value
is_success True or False

Resume Alert SLA

Use the Resume Alert SLA action to resume the Service Level Agreement (SLA) timer for a specific alert in the case after it has been paused.

This action doesn't run on Google SecOps entities.

Action inputs

None.

Action outputs

The Resume Alert SLA action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Script result Available
Script result

The following table lists the value for the script result output when using the Resume Alert SLA action:

Script result name Value
is_success True or False

Set Alert SLA

Use the Set Alert SLA action to set the SLA timer for an alert.

This action has the highest priority and overrides the existing SLA defined for the specific alert.

This action doesn't run on Google SecOps entities.

Action inputs

The Set Alert SLA action requires the following parameters:

Parameter Description
SLA Period

Required.

The SLA breach period.

The default value is 5.

SLA Time Unit

Required.

The time unit for the SLA period.

The default value is Minutes.

The possible values are as follows:

  • Minutes
  • Hours
  • Days
SLA Time To Critical Period

Required.

The critical SLA threshold.

The default value is 4.

SLA Time To Critical Unit

Required.

The time unit for the critical SLA period.

The default value is Minutes.

The possible values are as follows:

  • Minutes
  • Hours
  • Days

Action outputs

The Set Alert SLA action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Script result Available
Script result

The following table lists the value for the script result output when using the Set Alert SLA action:

Script result name Value
is_success True or False

Set Case SLA

Use the Set Case SLA action to set the SLA for a case.

This action has the highest priority and overrides the existing SLA defined for the specific case.

This action doesn't run on Google SecOps entities.

Action inputs

The Set Case SLA action requires the following parameters:

Parameter Description
SLA Period

Required.

The SLA breach period.

The default value is 5.

SLA Time Unit

Required.

The time unit for the SLA period.

The default value is Minutes.

The possible values are as follows:

  • Minutes
  • Hours
  • Days
SLA Time To Critical Period

Required.

The critical SLA threshold.

The default value is 4.

SLA Time To Critical Unit

Required.

The time unit for the critical SLA period.

The default value is Minutes.

The possible values are as follows:

  • Minutes
  • Hours
  • Days

Action outputs

The Set Case SLA action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Script result Available
Script result

The following table lists the value for the script result output when using the Set Case SLA action:

Script result name Value
is_success True or False

Set Risk Score

Use the Set Risk Score action to update the risk score of a case.

This action doesn't run on Google SecOps entities.

Action inputs

The Set Risk Score action requires the following parameters:

Parameter Description
Risk Score

Required.

The risk score to set for the selected case.

Action outputs

The Set Risk Score action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Script result Available
Script result

The following table lists the value for the script result output when using the Set Risk Score action:

Script result name Value
is_success True or False

Set Scope Context Value

Use the Set Scope Context Value action to set a value for a key that is stored in the Google SecOps database.

This action can work with the following scopes: alert, case, and global.

This action doesn't run on Google SecOps entities.

Action inputs

The Set Scope Context Value action requires the following parameters:

Parameter Description
Context Scope

Required.

The context scope in which to store the value.

Possible values are as follows:

  • Not specified
  • Alert
  • Case
  • Global
Key Name

Required.

The key name under which to store the value in the specified context.

Key Value

Required.

The value to store under the specified key.

Action outputs

The Set Scope Context Value action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Output messages

The Set Scope Context Value action can return the following output messages:

Output message Message description
Successfully set context value for the context key CONTEXT_KEY with scope CONTEXT_SCOPE. The action succeeded.
Error executing action "Set Scope Context Value". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Set Scope Context Value action:

Script result name Value
is_success True or False

Update Case Description

Use the Update Case Description action to update a case description.

This action doesn't run on Google SecOps entities.

Action inputs

The Update Case Description action requires the following parameters:

Parameter Description
Description

Required.

The description to set for the case.

Action outputs

The Update Case Description action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Output messages

The Update Case Description action can return the following output messages:

Output message Message description
Successfully updated the case description. The action succeeded.
Error executing action "Update Case Description". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Update Case Description action:

Script result name Value
StatusResult True or False

Jobs

The Siemplify integration lets you use the following jobs:

Siemplify - Actions Monitor

Use the Siemplify - Actions Monitor job to get notifications for all actions that have failed individually at least three times in the past three hours.

Job inputs

The Siemplify - Actions Monitor job requires the following parameters:

Parameter Description
Run Interval In Seconds Optional

The interval in seconds for the job to run.

This parameter determines how often the integration checks for failed playbook actions.

The default value is 900.

Is Enabled Optional

If selected, the job is active.

Selected by default.
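The rule the Siemplify - Actions Monitor job describes (an action that failed individually at least three times in the past three hours), applied to constructed execution records as an added example; this is not the job's own code, and the record layout, function names and sample data are assumptions.

```python
# Added example, not the Siemplify job's code: the Actions Monitor rule
# over constructed records. Record layout and names are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 3           # "at least three times"
LOOKBACK = timedelta(hours=3)   # "in the past three hours"

# Constructed action-execution records: (action name, status, finished at, UTC).
SAMPLE_RECORDS = [
    ("Remove Tag", "failed", "2024-03-05T09:10:00Z"),
    ("Remove Tag", "failed", "2024-03-05T10:05:00Z"),
    ("Remove Tag", "failed", "2024-03-05T10:40:00Z"),
    ("Set Risk Score", "failed", "2024-03-05T06:00:00Z"),  # older than 3 hours
    ("Set Risk Score", "failed", "2024-03-05T09:30:00Z"),
    ("Set Risk Score", "failed", "2024-03-05T10:00:00Z"),
    ("Ping", "success", "2024-03-05T10:20:00Z"),
    ("Ping", "failed", "2024-03-05T10:25:00Z"),
]


def _parse_utc(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp with a trailing Z into a tz-aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def failing_actions(records, now: datetime) -> dict:
    """Return {action: failure_count} for every action that failed at least
    FAILURE_THRESHOLD times in the LOOKBACK window ending at `now`.

    Failures are counted per action, never pooled across actions, and
    records outside the window are ignored even if they are failures.
    """
    cutoff = now - LOOKBACK
    counts = defaultdict(int)
    for action, status, finished_at in records:
        if status == "failed" and cutoff <= _parse_utc(finished_at) <= now:
            counts[action] += 1
    return {a: n for a, n in counts.items() if n >= FAILURE_THRESHOLD}


def run_monitor(now_iso: str = "2024-03-05T11:00:00Z") -> dict:
    """Evaluate the sample records at a constructed reference time."""
    return failing_actions(SAMPLE_RECORDS, _parse_utc(now_iso))


if __name__ == "__main__":
    print(run_monitor())  # only Remove Tag crosses the threshold
```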

Siemplify - Cases Collector DB

Use the Siemplify - Cases Collector DB job to retrieve and process security cases from a designated publisher.

Job inputs

The Siemplify - Cases Collector DB job requires the following parameters:

Parameter Description
Publisher Id

Required.

The ID of the publisher from which to collect cases and logs.

Verify SSL Optional

If selected, the job verifies that the SSL certificate of the publisher is valid.

Not selected by default.

Siemplify - ETL Monitor

Use the Siemplify - ETL Monitor job to get notifications about errors in the Extract, Transform, Load (ETL) alert ingestion process.

Job inputs

The Siemplify - ETL Monitor job requires the following parameters:

Parameter Description
Recipients

Required.

A comma-separated list of recipients to receive email notifications.

Siemplify - Jobs Monitor

Use the Siemplify - Jobs Monitor job to get notifications about all jobs that failed in the past three hours.

Job inputs

The Siemplify - Jobs Monitor job requires the following parameters:

Parameter Description
Recipients

Required.

A comma-separated list of recipients to receive email notifications about the failed jobs.

Siemplify - Logs Collector

Use the Siemplify - Logs Collector job to retrieve and process logs from a specified publisher.

Job inputs

The Siemplify - Logs Collector job requires the following parameters:

Parameter Description
Publisher Id

Required.

The ID of the publisher from which to collect the logs.

Verify SSL Optional

If selected, the job verifies that the SSL certificate of the publisher is valid.

Not selected by default.
