Testing the connector
In this section we will show an example of an alert that is ingested into the Google Security Operations platform.
- Insert a malicious email into the platform. Copy the text below and send this email from another user:

  Subject: Your New Salary Notification

  Email body:

  Hello, You have an important email from the Human Resources Department with regards to your December 2018 Paycheck
  This email is enclosed in the Marquette University secure network.
  Access the documents here www.example.com
  Ensure your login credentials are correct to avoid cancellations
  Faithfully
  Human Resources
  University of California, Berkeley

- Navigate to the 'Testing' tab and test your connector by clicking the button 'Run connector once' and view the result in the "Output" section on the right. If your connector runs successfully you will see an alert which is a single unread email message that the connector ingested (make sure that you have an unread email in your mailbox to insert a sample alert).
- You can see a preview of the email by clicking on the preview icon.
- After ingesting a sample alert by clicking "Run connector once", we will ingest the alert into the case queue by selecting the alert and clicking "Load to system".
- Navigate to the Cases tab to view the case you have ingested into the Google Security Operations platform.
- After the connector receives the email and translates the email data into Google Security Operations data, we can see our alert in the case queue on the "Cases" tab.
When the case first appears in the system, it is not mapped and modeled. This will be done in the next step.
Next, we will see how each field in the code corresponds to the relevant field presented in the context details in the platform itself. Click on the alert to view the Alert Context details on the right.
The field in the platform | The field in the code |
---|---|
Field name / Value | `alert_info.name = email_message_data['Subject']` This represents the subject of the email message: "YOUR NEW SALARY NOTIFICATION" |
RuleGenerator / Mail | `alert_info.rule_generator = RULE_GENERATOR_EXAMPLE  # The name of the siem rule which causes the creation of the alert` |
TicketID | `alert_info.ticket_id = f"{alert_id}"` The email message unique id |
AlertID | `alert_info.display_id = f"{alert_id}"` The email message unique id |
DeviceProduct / Mail | `alert_info.device_product = PRODUCT` As we defined in CONSTANTS: `PRODUCT = "Mail"` |
DeviceVendor / Mail | `alert_info.device_vendor = VENDOR` As we defined in CONSTANTS: `VENDOR = "Mail"` |
DetectionTime / EndTime / StartTime / EstimatedStartTime | `alert_info.start_time = datetime_in_unix_time` and `alert_info.end_time = datetime_in_unix_time` The time the email message was received |
Priority / Informative | `alert_info.priority = 60` As we defined for this alert: Informative = -1, Low = 40, Medium = 60, High = 80, Critical = 100. |
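The mapping in the table can be exercised offline before running the connector against a real mailbox. The following is an added example, not the connector's own code: `AlertInfoStandIn`, `build_alert` and `SAMPLE_EMAIL` are hypothetical names, the Message-ID header is assumed to be the unique alert id, and timestamps are assumed to be Unix time in milliseconds.

```python
from dataclasses import dataclass
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constants with the values shown in the table above.
VENDOR = "Mail"
PRODUCT = "Mail"
RULE_GENERATOR_EXAMPLE = "Mail"

@dataclass
class AlertInfoStandIn:
    """Hypothetical stand-in for the platform's alert object (runs offline)."""
    name: str = ""
    rule_generator: str = ""
    ticket_id: str = ""
    display_id: str = ""
    device_product: str = ""
    device_vendor: str = ""
    start_time: int = 0
    end_time: int = 0
    priority: int = -1

# Constructed sample message, modelled on the test email above (not real mail).
SAMPLE_EMAIL = (
    "Message-ID: <constructed-0001@mail.example.com>\n"
    "Date: Mon, 03 Dec 2018 10:15:00 +0000\n"
    "Subject: Your New Salary Notification\n"
    "\n"
    "Access the documents here www.example.com\n"
)

def build_alert(raw_email: str) -> AlertInfoStandIn:
    msg = message_from_string(raw_email)
    email_message_data = {"Subject": msg.get("Subject", "(no subject)")}
    # Assumption: the Message-ID header is the email's unique id.
    alert_id = msg.get("Message-ID", "").strip().strip("<>")
    if not alert_id or msg["Date"] is None:
        raise ValueError("Message-ID and Date are required to build an alert")
    # Assumption: the platform expects Unix time in milliseconds.
    datetime_in_unix_time = int(parsedate_to_datetime(msg["Date"]).timestamp() * 1000)
    alert_info = AlertInfoStandIn()
    alert_info.name = email_message_data["Subject"]
    alert_info.rule_generator = RULE_GENERATOR_EXAMPLE
    alert_info.ticket_id = f"{alert_id}"
    alert_info.display_id = f"{alert_id}"
    alert_info.device_product = PRODUCT
    alert_info.device_vendor = VENDOR
    alert_info.start_time = datetime_in_unix_time
    alert_info.end_time = datetime_in_unix_time
    alert_info.priority = 60
    return alert_info
```

A message without a Message-ID or Date header is rejected here rather than ingested with an empty id or a zero timestamp, either of which would make the resulting case hard to deduplicate or place on a timeline.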