Testing the connector

In this section we will show an example of an alert that is ingested into the Google Security Operations platform.

  1. Insert a malicious email into the platform.
  2. Copy the text below and send it as an email from another user:

    Subject: Your New Salary Notification

    Email body:
    Hello, You have an important email from the Human Resources Department with regards to your December 2018 Paycheck.
    This email is enclosed in the Marquette University secure network.
    Access the documents here www.example.com
    Ensure your login credentials are correct to avoid cancellations
    Faithfully
    Human Resources
    University of California, Berkeley

  3. Navigate to the 'Testing' tab and test the connector by clicking 'Run connector once'; the result appears in the "Output" section on the right.
    If the connector runs successfully, you will see one alert: the single unread email message the connector ingested (make sure the mailbox contains an unread email, otherwise no sample alert is inserted).
  4. Click the preview icon to see a preview of the email.
  5. After ingesting the sample alert with "Run connector once", ingest it into the case queue by selecting the alert and clicking "Load to system".
  6. Navigate to the Cases tab to view the case you have ingested into the Google Security Operations platform.
  7. Once the connector has translated the email data into Google Security Operations data, the alert appears in the case queue on the "Cases" tab.

When the case first appears in the system, it is not mapped and modeled. This will be done in the next step.

Next, we will see how each field in the code corresponds to the field shown in the context details of the platform itself. Click on the alert to view the Alert Context details on the right.

| The field in the platform (field name / value) | The field in the code | Meaning |
|---|---|---|
| Name / YOUR NEW SALARY NOTIFICATION | `alert_info.name = email_message_data['Subject']` | The subject of the email message: "YOUR NEW SALARY NOTIFICATION" |
| RuleGenerator / Mail | `alert_info.rule_generator = RULE_GENERATOR_EXAMPLE` | The name of the SIEM rule that caused the alert to be created |
| TicketID | `alert_info.ticket_id = f"{alert_id}"` | The unique id of the email message |
| AlertID | `alert_info.display_id = f"{alert_id}"` | The unique id of the email message |
| DeviceProduct / Mail | `alert_info.device_product = PRODUCT` | As defined in CONSTANTS: `PRODUCT = "Mail"` |
| DeviceVendor / Mail | `alert_info.device_vendor = VENDOR` | As defined in CONSTANTS: `VENDOR = "Mail"` |
| DetectionTime / EndTime / StartTime / EstimatedStartTime | `alert_info.start_time = datetime_in_unix_time`; `alert_info.end_time = datetime_in_unix_time` | The time the email message was received |
| Priority / Informative | `alert_info.priority = 60` | As defined for this alert: Informative = -1, Low = 40, Medium = 60, High = 80, Critical = 100 |
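As an added example (not the connector's or the SDK's own code), the mapping in the table can be exercised end to end on a raw email message: `AlertInfo` below is a minimal stand-in dataclass whose shape is assumed, `RULE_GENERATOR_EXAMPLE` is given an assumed value, and `datetime_in_unix_time` is taken as epoch milliseconds, which is also an assumption.

```python
import email
from dataclasses import dataclass
from email.utils import parsedate_to_datetime

# Constants as the page defines them; the value of RULE_GENERATOR_EXAMPLE is assumed.
PRODUCT = "Mail"
VENDOR = "Mail"
RULE_GENERATOR_EXAMPLE = "Mail"
PRIORITY = {"Informative": -1, "Low": 40, "Medium": 60, "High": 80, "Critical": 100}

@dataclass
class AlertInfo:  # minimal stand-in for the SDK's AlertInfo (assumed shape)
    name: str = ""
    rule_generator: str = ""
    ticket_id: str = ""
    display_id: str = ""
    device_product: str = ""
    device_vendor: str = ""
    start_time: int = 0
    end_time: int = 0
    priority: int = -1

# Constructed sample: the lure text from step 2, wrapped in RFC 5322 headers.
SAMPLE_EMAIL = """\
Message-ID: <sample-0001@example.com>
Date: Mon, 03 Dec 2018 09:15:00 +0000
Subject: Your New Salary Notification

Hello, You have an important email from the Human Resources Department with regards to your December 2018 Paycheck.
"""

def build_alert_info(raw_email: str, priority_name: str = "Medium") -> AlertInfo:
    """Map one raw email message onto the alert fields listed in the table above."""
    msg = email.message_from_string(raw_email)
    if msg["Message-ID"] is None or msg["Date"] is None:
        raise ValueError("Message-ID and Date headers are required to build an alert")
    alert_id = msg["Message-ID"].strip().strip("<>")  # the message's unique id
    # Received time as epoch milliseconds (assumed unit for datetime_in_unix_time).
    datetime_in_unix_time = int(parsedate_to_datetime(msg["Date"]).timestamp() * 1000)
    return AlertInfo(
        name=msg["Subject"],
        rule_generator=RULE_GENERATOR_EXAMPLE,
        ticket_id=f"{alert_id}",
        display_id=f"{alert_id}",
        device_product=PRODUCT,
        device_vendor=VENDOR,
        start_time=datetime_in_unix_time,
        end_time=datetime_in_unix_time,
        priority=PRIORITY[priority_name],
    )
```

Messages without a Message-ID or Date header are rejected rather than ingested with empty ids or a zero timestamp, which would otherwise collapse into a single case in the queue.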