Integrate Azure API with Google SecOps

Integration version: 1.0

This document explains how to integrate Azure API with Google Security Operations.

Use cases

TheAzure API integration uses Google SecOpscapabilities to support the following use cases:

  • Universal Microsoft 365 investigation: Use the custom HTTP requestcapability to query any Microsoft Graph endpoint, allowing analysts to gatherdata across Teams, SharePoint, and Exchange from a single interface.

  • Custom incident remediation: Execute targeted POST or PATCH requests toremediate threats in Azure services when a dedicated "one-click" action is notavailable, ensuring rapid response to emerging vulnerabilities.

  • Automated data ingestion: Perform scheduled ingestion of security eventsand audit logs from various Azure repositories to maintain comprehensivevisibility over the cloud environment.

  • Secure malware handling: Safely download and analyze suspicious files byusing the built-in password-protected ZIP archiving feature, which preventsaccidental execution of malicious content.

  • Persistent authentication management: Use theRefresh Token Renewal Job to automatically rotateOAuth 2.0 tokens, ensuring that automated playbooks and hunting jobs maintainuninterrupted, secure access to Microsoft 365 services.

Before you begin

Before you configure the integration in Google SecOps, verifythat you have the following:

  • Microsoft Entra ID application: An application registered in the MicrosoftEntra ID portal to facilitate API communication.

  • Client ID and client secret: Valid credentials generated from yourapplication registration.

  • Tenant ID: The unique identifier of your Azure Active Directory instance.

  • Redirect URL: A configured Redirect URI that matches the one provided inthe integration parameters.

  • API permissions (scopes): The specificpermissions assigned to your application based on the Azure services you intendto query.

  • Refresh token: A token valid for 90days required for persistent delegated access.

  • Refresh Token Renewal Job: A criticalsecurity automation used to prevent integration failure due to token expiration.

Azure API authentication setup

The Azure API integration supports two types of authentication. The set ofpermissions required depends on the specific API requests and Azure services youquery.

  • Application permissions: API requests are executed from the perspective ofthe application configured in Microsoft Entra ID. This setup only requires aclient ID and client Secret.

  • Delegated permissions: API requests are executed on behalf of a specificuser for whom impersonation is configured.

Establish delegated authentication

To use delegated permissions, you must manually generate an initial refreshtoken using the following steps:

  1. Provide theClient ID,Client Secret,Scope,Redirect URL, andTenant ID in the integration configuration.

  2. Run theGet Authorization action.

  3. Open the link generated by the action in a browser and copythe resulting redirected link.

  4. Provide the redirected link as an input to theGenerate Token action.

  5. Copy the token returned by the action and enter it intoRefresh Tokenduring integration configuration.

Configure refresh token renewal

The initial refresh token is valid for 90 days. To ensure uninterrupted service,configure theRefresh Token Renewal Job toautomatically update the refresh token for the integration instance.

Integration parameters

TheAzure API integration requires the following parameters:

ParameterDescription
Microsoft Login API Root

Required.

The API root of the Microsoft identity platform login service used for Azure API authentication.

The default value ishttps://login.microsoftonline.com.

Microsoft Graph API Root

Required.

The API root of the Microsoft Graph service used for Azure API operations.

The default value ishttps://graph.microsoft.com.

Client ID

Required.

The client ID for the Azure API account.

Client Secret

Required.

The client secret for the Azure API account.

Tenant ID

Required.

The tenant ID for the Azure API account.

Refresh Token

Optional.

The refresh token used for delegated access to the Azure API account.

This token is valid for 90 days and is obtained in theinitial setup.

Verify SSL

Optional.

If selected, the integration validates the SSL certificate when connecting tothe Azure API server.

Enabled by default.

Redirect URL

Optional.

The redirect URI associated with the Microsoft Entra ID application.

The default value ishttp://localhost.

Test URL

Required.

The URL used to validate the authentication to Azure API using a GET request.

Scopes

Required.

A comma-separated list of the scopes for the Azure API authentication.

For instructions about how to configure an integration inGoogle SecOps, seeConfigureintegrations.

You can make changes at a later stage, if needed. After you configure anintegration instance, you can use it in playbooks. For more information abouthow to configure and support multiple instances, seeSupportingmultiple instances.

Actions

For more information about actions, seeRespond to pending actions from Your Workdesk andPerform amanual action.

Execute HTTP Request

Use theExecute HTTP Request action to construct and execute a customizedHTTP API request against a target URL.

This action doesn't run on Google SecOps entities.

Action behavior

This action supports complex behaviors including asynchronous polling, dynamicpayload construction, and file management.

Asynchronous polling

WhenExpected Response Values is provided, theaction operates in asynchronous mode. In this mode, the action repeatedly pollsthe target endpoint to track the state of a response (for example, waiting for a long-running task to complete).

The action evaluates the response body against the JSON conditions provided inthe parameter and continues execution until the conditions are met or the actionreaches its timeout.

Condition logic

The action supports the following logic for tracking response states:

  • Single field matching: The action waits for a specific field to reach asingle value.

    {"state":"finished"}

  • Multiple values (OR logic): The action stops execution if a field matchesany value in a provided list. This is useful for stopping on both "success" and"error" states to avoid unnecessary polling.

    {"state":["finished","error"]}

  • Multiple fields (AND logic): The action waits until all specified fieldsmatch their respective values simultaneously.

    {"state":"finished","percentage":"100"}

  • Combined logic: You can combine multiple conditions within the JSONobject.

    {"state":["finished","error"],"percentage":"10"}
JSON parsing behavior

When evaluating conditions, the action follows these rules:

  • Global search: The action searches the entire JSON response object for thespecified keys. Provide the key name exactly as it appears in theJSON without prepending parent object names or using prefixes (for example, use"state", not"data_state" or"data-state").

  • Multiple identical keys: If the response contains multiple keys with thesame name at different levels of the JSON hierarchy, the expected output is onlyreached when all matching key names satisfy the identical expected value.

    For example, to search for thefinished state in the JSON response andignore other states, set allstate keys inExpected Response Values tofinished:

    {"data":{"state":"finished"},"state":"finished"}
Body payload construction

The action constructs the request body based on theContent-Type headerprovided inHeaders.

This is theBody Payload input used forthe following construction examples:

{"Id":"123123","sorting":"asc"}

  • application/x-www-form-urlencoded: The action generates the payload asId=123123&sorting=asc.

  • application/json: The action generates the following JSON payload:

    {"Id":"123123","sorting":"asc"}

  • XML: If the third-party product requires XML, provide an XML-formattedinput directly inBody Payload:

    <?xmlversion="1.0"encoding="utf-8"?><soap:Envelopexmlns:soap="[http://schemas.xmlsoap.org/soap/envelope/](http://schemas.xmlsoap.org/soap/envelope/)"><soap:Body><NumberToWordsxmlns="[http://www.dataaccess.com/webservicesserver/](http://www.dataaccess.com/webservicesserver/)"><ubiNum>500</ubiNum></NumberToWords></soap:Body></soap:Envelope>
File handling

The action supports the following workflows for managing files:

  • Downloading files:

    • To return file data as part of the JSON result in base64 format, selectBase64 Output.

    • To save a file directly to the Case Wall as a ZIP archive, selectSave To Case Wall.

  • Uploading files: To upload a file, convert it to a base64-encoded stringand include it as part of theBody Payload value.

    The following example shows an image file converted to a base64-encodedstring:

    iVBORw0KGgoAAAANSUhEUgAAAOEAAADgCAMAAADCMfHtAAAAvVBMVEX////2yBctLS32xgAAAAASEhLPz8/2xwAfHx8qKiqTk5P1wwD2xw4XFxf///u9vb3w8PAlJSXi4uJBQUH++eb+++z//fP76rH99df98sz64qD64Y/523b41Vr53Hz39/f87bv878T989H3zjH634j76rL3zzz76Kj42GbZ2dn41FCvr68TExM6OjpRUVFmZmb40kiOjo6wsLB8fHxdXV3645j41V9ubm5ISEjGxsahoaFhYWGFhYX53Xn63oxSMwp1AAAMpUlEQVR4nO1da1fiOhemBmg7KWCV+00QBUQdmVHU8Z2Z//+zDpfxgn3SZKdJi+/q8+GctWZJk6fJvmY3u1DIkSNHjhw5cuTIkSNHjq+DZn08brVm3S1ardG4Xc96SqbQHs2GC4dxzj6Bc3c67806zaxnmADt1nDKNsyCwIEI3A1Td7AafUGane5iQ05A7RPRNU1neNnIes7qaLbmLlcjt8dysupkPXUVNLtLzlwSu3eW3B2OsyYgweWCunifwJh70c6ahRDtoaLgSUjy6ayaNReEyylnyeltsRbKi0Mzl9Wua2L53sH443nWpD6g2WOmlu8dAV8ejGq1we8fx4PQrDPXDr8dx0Hm8jh27PHbcexn6tHVB9yofkFgbJYdwZ59fluO04x8gPbE7gZ9R8AvsnABLtJZwB2Yk/oy1qfEBQy2weArXFHIKPw576VLcKbuwQTBhpAzWc77vd7laI1urzcfTHfxrzpRtkwxgKzOuSK7DYVFb3SOrFqjPW79mTjuhr/aw1Kz/3UlFbNhN+2NZRa7et6aO4pOLb9IhV9hrDCdYB0E/xkrb6v2bBmokGSDNHTqSr5DGZv0qJFBYzRQIMkc+15cX0ZwPc++XlDQmE2lPnzgWg6qqgPJFAKWKEBv9wMZRzYyxgagKrGCLlskjekaK0eyWXnLCBc8uhObRHPZwITnUe1K4hW+MjAKRMOJe7mBGX4byDjaohhPkE1N5hyqvdi42g7FWILMMS0c9cc4cbThpVYn4gEDZiMQH8e5TrxrerjqVKxk2MROUqw6jFlG4xo1xg6yvjVXqhOjcbjZ1zoXjuS6I6Mj7aMqHthhJoNisS9qPWoTR6KBY27okZjg0NggIrSFO9WdmhqjLhoiSCXR11yIxmdzMyMI7UTgpnSw0BdR5Gbe8KPg+UEKsdo/XAhX0UQs1RUIIZukmG7vCt9yckslEsJUCRYKLdE0kouiQAjZNOUDk5GAYmLfRiABKa/gBiKKLNlMzrEQBpMMzhFmmGKwSPRUHDEFTiZneitMMdE+7eFnuhkdzIpERv99C/Qoy6yCAJvmBPp0AfdohmeyAvdKO5AaQzWTgrMtRgMuYjDRfBxUM8HS6JSpGON9qretsKfkZlzsirWNq2O9qjAxYzenroIl2llMJ/cGXxbrG58xFVgUNSxGEz3IhCufGNC3YfTDU7iEhvNbmoBGjLyIUAoPYI9uAB0R8iJCH5DynspaONafHFWdwo1AsTrFkgaKNbWHI0vNaHn+S/CWaJ5D8UgDFUWG0NsKSAyR/0dTM1YZQqNIMtVt8I6CAYWgZYZwghR/EiUoOe2YwC7DwgBtMvWwtYqkkLaEthmiRSS4bkjPEJfQNkO4iK7yr4Eck4Mm2wzRIirrwkaSH6fFEC2Dss8FXFt6FG2dIcqfMsXfTsHbIQfR1hkit0uxArWJ1BQ5arLPEHinijkkoElder7OPsM6WAk1bTqPBk4aGVL7DJGuUbNpQILVDU2aDMFmUwowwGGMRooAMQw9GVSjpx2AwlAy20iANZIXUYbh/TcZflyRxgDpDBV7AX6msUkBwxJt+goAB8MqiwE0qU56BjAsazwmFsD5UhBE4O9pZYHTYAiyGQohEFh5rpPIT4UhSHnKJWoY+VHg6AyeCkNwTiMPg6MZGh1bkRJDYC/kIgXUk/Q3CKkwBIIoVTXA2SOkPz4gDWuBZErqQoOoSzXo2kc6axjVi9JINhr9BnpVnOkw7NAXJKp/Nc/t02EIVA2XVA5HU1hMryAnHTks0CM9YCz0vk2NMqzUTt5xfKb11AiiMaJM9euYUAgQPVXezpjC8PT70+/rK7XDtDj0I4so23NgX+sNLYmAfT/0Kje3T9cJSUYLRtjf2B8Ac6hnLNRifD+seE+1JBs2GudLkqbnhrxSQhYjLD2/6HOM2m9JHWbUvujWQBHyNH7llJS9+AiwJPH2G7wS4pnTK0iZKL/0pCmPUbGSbLooQ91CPWKuzTv6pTVMNMw/VIZH/s1PnWFAIiM+Bo56snrRoU6+tPSiMw7VvEUdb916WY2McElnFb8Uw6Oihm/+tRj6Pt0wUhlmKYdrePfWGWanS3coUiMssi61xND/gFiG4ffEDMn2UNunqVS20ZK3ZXX6hluv5IXmFpHs05jzS1+uf9XKb/HuB5yUX+7EHEOiJAK/NH7C5mKLWJzc34h2a4X2JHJsYS4+lOCXSCCJ+SpyfIiUr53i9SsBRY/mu5FjfHN5Gil+lbAg3pGeQs/TGMu1yXEH1Y1/S3pItLpJlmsD+VJbn6qV8SKWSA8B+VLJB+zGct4KwAyLlEcAl0aW8wZHHcZun/iM71DXkBhqnFsYO3tSwBMURBJDcJAkO3sydn6ogPvkDKOqVF6CZ+oMuCDX+g+QIUnTaJwBI/WrpWpqxQfZnxwhOfRPCYNoneObqsXwfe85Pgd6BkNIksUHWkOmSmHBn/xHUVxX1pO9jQ2FahXE0PtGGEWrngbVRF0SBt3hLNzswDC8jvmbZ2gsSAWYWjVRqK6NXiH84u2EqiLO1l/fIIJHRUJ6H0VCCgWmJmoTz7y3TXckWMYy3KM0txR8VKBSm6j5sz388N6nXHlGB4Q1z0DwpFlfimqEifbieM/j9G+eX072/+DkviIIgIsn+JEIujXCwF2nbtN7b3/avhc+fCuf7CTs+KT25HuY31EoNaIfoFvnnbxW/wTWeN/4p98fHh6+n4aVUJhSJOX1wZcvarX6ib+3wP7mtjohDGMTpqQl1P/eAn4zQyiiRUuoCIoUouuBVBUG+u6J8KE0zk6ooELxZ5C+UJUm9O2aum8qSE4oIHymEETfrqlqRPT9oXo+6ll3CX2fVK2AdpqyVQOWVD25f32jR9GvkI4s0D1r6p+BJvsO+OSuFH/AhAne0JLdyb4DTvotd+1W5LIIEd5S1KjgW27CLd/RMJj2MffZi0/jWPofsWIIfo9PiGMTX1lQOH65VZfHsEItNEl+6QNQVA6npffPfj4UBQHEJ37FJ9oOLeB7MWjzQ8aG/j331Y/bkoSkHxbv6DUmcHrEdBK8Yoh+0/tZ+fdp0RN52v7aCf+tU/0N76chnq/Ay9q0rmA8u3p5Oip53r7P7YeeV7y916uehRdWUu8YwvdE6V7BeHZ1/ePu1C+WSpVtAUPRu334fX2lWTiL74kiN4SAdzERlc0+zo6Py+Xaz5+1cvk4Uak+vpOOvL/wlXvB/9F9bYLbvrK/zwxfqqqjIgT3JtKzw4aBTLWGFG6AbyZmGbdAx3dfakoPvr/U2pGwEvCd15rfZonuoM1SFLEQat9BWxhgUTy8e4S1+weI7oLOrNMy7nSRZFcJ7ghnGd3nLehzkejiX7wrTHZ4IUBwfzpPZMBQpOkc1r36rmaJ7ysE7y2D3ggCgkl7IwhciAwoirqU8FHSJx9IjxIRQRPtglrCPjMpalSBUjdUoy1qDHYQvYLMdCYT93tKx/SLm68Z6vck7tmlk5uio7kUrqAxFxm74LsxrBvGjrC9q7m+a+KuVpuuSJaFcRXTO8+kNhd2PlsLo82ovylqibZZQpP9D0Ve/W4Z7e3UcUwPS+PdbmK6OTPHjk6t9uP6kI6MDxfTajVgcwsOziiu7bGN1tXN2H7AgWm7UR/E9gNOv+XxWqma3KrNCxbXAtxe2+q4UQO2NNW6vrqK7yFvr/V4M755fMAGJjjKe6tb9KSq8RQdly2T7tVGT8IvYdZCipjezv/WcTJLkMQ5n8f2VN8StO3u/xE6cG8cg7meMa53J0zGLzDsySDMZBTXepU5QyrJemsZxNmHf0+epJHl68gnsl5I5sxHyk75+WqqQG9N8DGdHF89rnH9x5UMpsOxbFM1O7PBWkMp0FuLoE7vMT305Tt1i/VSus5iOOq0gVfXOB9355PNi1B7mJtWC+ktLlWntaO5cVCmg3mv15uNRuv/9ufLyVpprP9d/TFskW7+si6xjIDohtEr3ECd2u7X9vwYIVacOMkkYBP7RiKKNnkZdRHoXpKTGKvYAMAYrOeCYtCY29+qzLUQ7BLQUbON2nD5MOPGp4VCS+or6yPg8+w26Ad0LXEM+CALDQrRVXS7KHD540H0BH3FzDHLkfH5wazfK0YLbmqzBsz9m3FxGUb7wshmZXyarX2IxehROVQQ0XN6B6E+xWi2Fkyai8AIGHcvDkq7iFC97LucuJTrEItPVwenXGLQnj2uWSrR3ERVfPJ3dAAF1lS0L/8uNzSZKBjcRozcmXfHX5DdG+rj2d/BxOWc7YNz7iz73db5Vya3h3q7M2q1Wt1ud7b+33hcz9yhzpEjR44cOXLkyJEjh0H8ByMJ8u+aLBzeAAAAAElFTkSuQmCC

  • Security: For sensitive files (such as malware), selectPassword Protect Zip. This automatically encrypts thesaved ZIP archive created usingSave To Case Wall with the passwordinfected.

Playbook block configuration

The following configuration demonstrates how to use theExecute HTTP Requestaction within a playbook block. Use this example to understand how to applyplaceholders and input prefixes.

When using block inputs as placeholders, you must include theInput. prefix(for example,[Input.comment]).

  • Method:PUT

  • URL Path:

    https://{API_URL}/[Input.table_name]/[Input.sys_id]

  • Headers:

    {"Content-type":"application/json; charset=utf-8","Accept":"application/json","User-Agent":"GoogleSecops"}

  • Body Payload:

    {"work_notes":"[Input.comment]"}

Action inputs

TheExecute HTTP Request action requires the following parameters:

ParameterDescription
Method

Optional.

The HTTP method (verb) used for the request.

The possible values are as follows:

  • GET
  • POST
  • PUT
  • PATCH
  • DELETE
  • HEAD
  • OPTIONS

The default value isGET.

URL Path

Required.

The API endpoint where the request executes. This path can optionally include query parameters.

URL Params

Optional.

The query parameters for the URL, provided as a JSON object.

This is the recommended input method for this parameter, as they are appended to any query parameters already defined inURL Path.

Headers

Optional.

The headers for the HTTP request, provided as a JSON object.

Headers control aspects such as authentication and define the format ofBody Payload (usingContent-Type).

Cookie

Optional.

The cookies constructed into the HTTPCookie header, provided as a JSON object.

This parameter overrides any cookie values provided inHeaders.

Body Payload

Optional.

The content payload for the HTTP request, provided as a JSON object.

The request's format (JSON or form-urlencoded) is determined by theContent-Type set inHeaders.

Expected Response Values

Optional.

The JSON object containing the field-value pairs that define the required state of the response body.

Note: Providing a value for this parameter triggers asynchronous polling behavior. For detailed information on formatting conditions and logical operators, seeAction behavior.
Save To Case Wall

Optional.

If selected, the action saves the response data as a file and attaches it to the case wall.

The file is archived with a.zip extension. This zip is not password protected unlessPassword Protect Zip is enabled.

Password Protect Zip

Optional.

If selected, the action encrypts the downloaded ZIP archive (created usingSave To Case Wall) with a password (such asinfected).

Use this option when dealing with suspicious or potentially malicious files to prevent accidental execution.

Enabled by default.

Follow Redirects

Optional.

If selected, the action automatically follows any HTTP redirect responses (such as 301 or 302 status codes) to the final destination URL.

Enabled by default.

Fail on 4xx/5xx

Optional.

If selected, the action explicitly fails the step when the HTTP response returns a client Error (4xx) or server Error (5xx) status code.

Enabled by default.

Base64 Output

Optional.

If selected, the action converts the HTTP response body into a Base64 encoded string. This is useful for processing or storing downloaded files.

The encoded string can't exceed 15 MB.

Fields To Return

Required.

A comma-separated list of fields that the action returns in the output.

The possible values are as follows:

  • response_data
  • redirects
  • response_code
  • response_cookies
  • response_headers
  • apparent_encoding

The default value isresponse_data,redirects,response_code,response_cookies,response_headers,apparent_encoding.

Request Timeout

Required.

The maximum time, in seconds, the action waits for the server to send data before the request is aborted.

The default value is120.

Action outputs

TheExecute HTTP Request action provides the following outputs:

Action output typeAvailability
Case wall attachmentNot available
Case wall linkNot available
Case wall tableNot available
Enrichment tableNot available
JSON resultAvailable
Output messagesAvailable
Script result.Available
JSON result

The following example shows the JSON result output received when using theExecute HTTP Request action:

{"response_data":{"data":{"relationships":{"comment":[{"name":"example_resource_name","description":"Description of the object to which the comment belongs."},{"name":"example_user_role","description":"Description of the user role associated with the comment."}]}}},"redirects":[],"response_code":200,"cookies":{},"response_headers":{"Content-Type":"application/json","X-Cloud-Trace-Context":"REDACTED_TRACE_ID","Date":"REDACTED_DATE_TIME","Server":"REDACTED_SERVER_NAME","Content-Length":"REDACTED_VALUE"},"apparent_encoding":"ascii"}
Output messages

TheExecute HTTP Request action can return the following output messages:

Output messageMessage description

Successfully executed API request.

Successfully executed API request, but the status code4xx_OR_5xx was returned. Please check the request or try again later.

The action succeeded.
Failed to execute API request. Error:ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when usingtheExecute HTTP Request action:

Script result nameValue
is_successtrue orfalse

Get Authorization

Use theGet Authorization action to initiate the OAuth flow and obtain alink that contains the required access code for delegated authentication.

This action doesn't run on Google SecOps entities.

Action inputs

TheGet Authorization action requires the following parameters:

ParameterDescription
Oauth Scopes

Required.

A comma-separated list of permissions (scopes) that define the level of access for the access and refresh tokens.

The default value isuser.read, offline_access.

Action outputs

TheGet Authorization action provides the following outputs:

Action output typeAvailability
Case wall attachmentNot available
Case wall linkNot available
Case wall tableNot available
Enrichment tableNot available
JSON resultNot available
Output messagesAvailable
Script result.Available
Output messages

TheGet Authorization action can return the following output messages:

Output messageMessage description

Authorization URL generated successfully. To obtain a URL with access code,Please navigate to the link below as the user that you want to run the integration with., to get a URL with access code. Provide the URL with the access code should be provided next in the Generate Token action.

The action succeeded.
Failed to generate the authorization URL! Error isERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when usingtheGet Authorization action:

Script result nameValue
is_successtrue orfalse

Generate Token

Use theGenerate Token action to obtain a persistent refresh token requiredfor delegated authentication.

This token is generated using the authorization URL received from theGet Authorization action.

This action doesn't run on Google SecOps entities.

Note: We strongly recommend configuring and activating theRefresh Token Renewal Job immediately after generatingthe initial refresh token. This job automatically renews the token periodically,ensuring it remains valid and preventing integration failures due to expiration.

Action inputs

TheGenerate Token action requires the following parameters:

ParameterDescription
Authorization URL

Required.

The full redirected URL containing the authorization code received from theGet Authorization action. This URL is used to request and generate the refresh token.

Action outputs

TheGenerate Token action provides the following outputs:

Action output typeAvailability
Case wall attachmentNot available
Case wall linkNot available
Case wall tableNot available
Enrichment tableNot available
JSON resultNot available
Output messagesAvailable
Script result.Available
Output messages

TheGenerate Token action can return the following output messages:

Output messageMessage description

Successfully fetched the refresh token:TOKEN_VALUE. Enter this token in the integration configuration to enable the integration to authenticate with delegated permissions on behalf of the user that performed the configuration steps. Note: We strongly recommend you configure the "Refresh Token Renewal Job" after you generate the initial refresh token so the job automatically renews and keeps the token valid.

The action succeeded.
Failed to get the refresh token! Error isERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when usingtheGenerate Token action:

Script result nameValue
is_successtrue orfalse

Ping

Use thePing action to test the connectivity to Azure API.

This action doesn't run on Google SecOps entities.

Action inputs

None.

Action outputs

ThePing action provides the following outputs:

Action output typeAvailability
Case wall attachmentNot available
Case wall linkNot available
Case wall tableNot available
Enrichment tableNot available
JSON resultAvailable
Output messagesAvailable
Script result.Available
JSON result

The following example shows the JSON result output received when using thePing action:

{"endpoint":"https://api.example-cloud-provider.com/v1.0/health"}
Output messages

ThePing action can return the following output messages:

Output messageMessage description

Successfully tested connectivity.

The action succeeded.
Failed to test connectivity.ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when usingthePing action:

Script result nameValue
is_successtrue orfalse

Jobs

For more information on jobs, seeConfigure a new job andAdvanced scheduling.

Refresh Token Renewal Job

Use theRefresh Token Renewal Job to periodically update the refresh tokenconfigured for the integration.

By default, the refresh token expires every 90 days. We recommended you toconfigure this job to automatically run every 7 or 14 days to keep the refreshtoken up to date.

Important: This job can cause conflicts if it doesn't have a unique name acrossall integrations.

To prevent this, follow these steps:

  1. Create a copy of the job in the IDE.
  2. Rename the copied job to a unique name.

    The recommended naming convention is "Azure API - Refresh Token Renewal Job".

Job parameters

TheRefresh Token Renewal Job requires the following parameters:

ParameterDescription
Integration Environments

Optional.

A comma-separated list of integration environment names for which the job updates refresh tokens.

Each environment name must be enclosed in double quotes.

Need more help?Get answers from Community members and Google SecOps professionals.

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.