Configure the connector
When a new connector is configured, the platform uses the connector script in an integration as a template only. The configured connector is an instance of that connector template. You can add multiple connectors with different configurations using the same code you created for the connector in the IDE.
Connector configuration
- Navigate to SOAR Settings > Ingestion > Connectors to access the connectors module and configure a connector under the relevant environment.
- Click .
- Configure the following Connector parameters.
Connector Fields
- Environment: Defines which environment this connector connects to. If you do not need to define the environment, select "Default Environment".
- Run Every: Defines the interval of connector runs.
- Product Field Name: Required by the connector to identify the product that generates the alerts pulled into Google Security Operations. Do not enter the product name here. Instead, enter the event field (a key from your JSON event) that describes the product. For example: Enter "_index" to indicate that "cloudtrail" is the product that generated the alert.
- Event Field Name: Required by the connector to identify the type of the security event pulled into Google SecOps. Do not enter the event name or type here. Instead, enter the event field (a key from your JSON event) that describes the event type. For example: Enter "_source.userIdentity.type" to indicate that "AssumedRole" is the type of the security event.
- Event Count Limit: If you are pulling a correlation alert, indicate the limit of the underlying events Google SecOps should fetch with it. This is required to make a connector run faster (in case the alerts are heavy on redundant events) and reduce the redundancy for security analysts.
- In this example, the connector is configured under the Default Environment. Once you fill in all the credentials, save the connector.
For a full list of parameters for each connector, see Google SecOps Marketplace integrations.
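The Product Field Name and Event Field Name settings above take a key from the event, not a value, so it helps to check the chosen keys against a sample event before saving the connector. The following is an added example, not code from the platform or its integrations: the function names, the constructed sample alert, and the dotted-path lookup convention (taken from the page's "_source.userIdentity.type" example) are assumptions.

```python
import json

# Constructed sample alert (not real data): three events under one correlation alert.
ALERT = json.loads("""{"events": [
  {"_index": "cloudtrail", "_source": {"userIdentity": {"type": "AssumedRole"}}},
  {"_index": "cloudtrail", "_source": {"userIdentity": {"type": "AssumedRole"}}},
  {"_index": "cloudtrail", "_source.userIdentity.type": "IAMUser"}
]}""")

_MISSING = object()


def resolve(event, field_name):
    """Look up field_name as a literal key first, then as a dotted path."""
    if field_name in event:  # flattened event: the key itself contains dots
        return event[field_name]
    node = event
    for key in field_name.split("."):
        if not isinstance(node, dict) or key not in node:
            return _MISSING
        node = node[key]
    return node


def check_config(alert, product_field, event_field, event_count_limit):
    """Return (kept_events, problems) for hypothetical connector settings."""
    kept = alert["events"][:event_count_limit]  # models Event Count Limit
    problems = []
    fields = (("Product Field Name", product_field),
              ("Event Field Name", event_field))
    for label, field in fields:
        for i, event in enumerate(kept):
            value = resolve(event, field)
            if value is _MISSING:
                problems.append(f"{label} {field!r} not found in event {i}")
            elif isinstance(value, (dict, list)):
                problems.append(f"{label} {field!r} is not a scalar in event {i}")
    return kept, problems


if __name__ == "__main__":
    kept, problems = check_config(ALERT, "_index", "_source.userIdentity.type", 2)
    print(len(kept), [resolve(e, "_index") for e in kept], problems)
    # Common mistake: the product name entered instead of the key that holds it.
    print(check_config(ALERT, "cloudtrail", "_source.userIdentity.type", 2)[1])
```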