Integrate Google Chronicle with Google SecOps
Integration version: 69.0
This document explains how to integrate Google Chronicle with Google Security Operations (Google SecOps).
Important: Google Chronicle was rebranded to Google SecOps. In the Google SecOps platform, the integration for Google SecOps is called Google Chronicle.
Use cases
The Google Chronicle integration can address the following use cases:
Automated phishing investigation and remediation: Use Google SecOps SOAR capabilities to automatically query for historical email data, user activity logs, and threat intelligence to assess email legitimacy. The automated remediation can help you with triage and containment by preventing the spread of malware or data breaches.
Enrichment of security alerts: Use Google SecOps SOAR capabilities to enrich an alert generated in a SIEM with historical context, such as past user behavior and asset information. This provides analysts with a comprehensive view of an incident, enabling faster and more informed decision-making.
Threat hunting based on Google SecOps insights: Use Google SecOps SOAR capabilities to automate the process of querying other security tools for related indicators of compromise (IOCs). This can help you proactively identify potential breaches before they escalate.
Automated incident response playbooks: Use Google SecOps capabilities to trigger predefined playbooks that use Google SecOps data to isolate compromised systems, block malicious IP addresses, and notify relevant stakeholders. This can reduce incident response time and minimize the impact of security incidents.
Compliance reporting and auditing: Use Google SecOps capabilities to automate the collection of security data from Google SecOps for compliance reporting, streamlining the audit process, and reducing manual effort.
Before you begin
Before you configure the Google Chronicle integration in Google SecOps, make sure you have access to an active Google Cloud project.
Migration from Backstory API to Chronicle API
Some new features and actions in this integration only support the Chronicle API, so we strongly recommend that all users migrate their deployment to use the Chronicle API credentials.
Important: New deployments provisioned from the start of Q4 2025 are provisioned with the Chronicle API credentials configured in the system. The only requirement is to find the Chronicle API Root and enter it into the integration configuration. This value can be found in your instance's connectors and jobs API Root parameter.
If a connection test fails after entering the new API root, continue with the following steps.
Finding the Chronicle API Root
When accessing the Chronicle API, you must locate your environment's unique API Root for the integration configuration.
Open your browser's Developer Tools and navigate to the Google SecOps platform.
Select Investigation > Data Tables.
In Developer Tools, navigate to the Network tab and click an item in the Name column, such as dataTables?pageSize=1000.
In the details pane, select Headers and copy the value of Request URL, found under General, excluding the endpoint and any query parameters (the name of the selected item).
For example, if the value is https://us-chronicle.googleapis.com/v1alpha/projects/{project}/locations/{location}/instances/{instance}/dataTables?pageSize=1000, the API Root excludes /dataTables?pageSize=1000 and is https://us-chronicle.googleapis.com/v1alpha/projects/{project}/locations/{location}/instances/{instance}.
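As an added example (not part of the Google SecOps documentation or the integration's own code), the following Python derives the API Root from a captured Request URL the way the steps above describe, and rejects URLs that do not carry the expected projects/locations/instances path. It assumes that every Chronicle API host ends in chronicle.googleapis.com and that the version segment looks like v1alpha; both are assumptions, not statements from the page.

```python
import re
from urllib.parse import urlsplit

# Path shape of a Chronicle API Root as captured from the Request URL in the
# steps above: /<version>/projects/<p>/locations/<l>/instances/<i>. The
# version pattern (v1alpha and similar) is an assumption, not from the page.
_INSTANCE_PATH = re.compile(
    r"^/(?P<version>v\d+(?:alpha|beta)?)"
    r"/projects/(?P<project>[^/]+)"
    r"/locations/(?P<location>[^/]+)"
    r"/instances/(?P<instance>[^/]+)"
)

# Assumption: regional Chronicle API hosts all end in this suffix
# (the page shows us-chronicle.googleapis.com).
_HOST_SUFFIX = "chronicle.googleapis.com"


def parse_chronicle_url(request_url: str) -> dict:
    """Split a captured Request URL into its API Root and instance parts.

    The endpoint (for example /dataTables) and the query string
    (?pageSize=1000) are discarded; everything up to and including the
    instance segment is the API Root. Raises ValueError for anything that
    does not look like a Chronicle API URL, so a bad value is caught before
    it is pasted into the integration configuration.
    """
    parts = urlsplit(request_url)
    if parts.scheme != "https" or not parts.netloc.endswith(_HOST_SUFFIX):
        raise ValueError(f"not a Chronicle API URL: {request_url}")
    match = _INSTANCE_PATH.match(parts.path)
    if match is None:
        raise ValueError(f"no projects/locations/instances path in: {request_url}")
    return {
        "root": f"https://{parts.netloc}{match.group(0)}",
        "host": parts.netloc,
        **match.groupdict(),
    }


def chronicle_api_root(request_url: str) -> str:
    """Return only the API Root string for the integration's API Root parameter."""
    return parse_chronicle_url(request_url)["root"]


if __name__ == "__main__":
    # The example URL from the procedure above, with the page's placeholders.
    captured = ("https://us-chronicle.googleapis.com/v1alpha/projects/{project}"
                "/locations/{location}/instances/{instance}/dataTables?pageSize=1000")
    print(chronicle_api_root(captured))
```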
Credentialing Requirements for Chronicle API
Access to the Chronicle API requires both a new API Root and new credentials, which depend on how your underlying Google Cloud project is managed:
| Project Type | Credential Requirement |
|---|---|
| Google-Managed Project (Default) | Contact Google Support to provision the necessary hidden credentials and grant permissions to your environment. |
| Bring Your Own Project (BYOP) | You must manually configure a dedicated Service Account in your project using either a JSON Key or a Workload Identity, and assign the Chronicle API Editor role. |
Authentication with a Service Account JSON key
Authentication using a Service Account JSON Key is supported for the Chronicle API and is mandatory for BYOP users who don't choose Workload Identity.
Note: Authentication can be done with either a JSON key or Workload Identity. We recommend using Workload Identity.
Create a dedicated service account and create your JSON key
For authentication with a Service Account JSON key, complete the following steps to create your JSON key:
In the Google Cloud console, go to IAM & Admin > Service Accounts.
Select Create Service Account and follow the prompts.
Select the email address of the new Service Account and go to Keys > Add Key > Create new key.
Select JSON as the key type and click Create. A JSON key file is downloaded to your computer.
Chronicle API: Role required for your service account
When using the Chronicle API, your service account requires the Chronicle API Editor role.
In the Google Cloud console, go to APIs and Services > Credentials.
Under Service Accounts, select your service account and click Permissions > Manage access.
Click Add role and select the Chronicle API Editor role. Click Save.
Authentication with a Workload Identity (recommended)
Authentication using a Workload Identity is the recommended and most secure method.
To set up authentication with a Workload Identity, follow these steps:
Create a service account
To create a service account, complete the following steps:
In the Google Cloud console, go to the Credentials page.
From the Create credentials menu, select Service account.
Under Service account details, enter a name in the Service account name field.
Optional: Edit the service account ID.
Click Create and continue. A Permissions screen appears.
Click Continue. A Principals with access screen appears.
Click Done.
Chronicle API: Role required for your service account
When using the Chronicle API, your service account requires the Chronicle API Editor role.
In the Google Cloud console, go to APIs and Services > Credentials.
Under Service Accounts, select your service account and click Permissions > Manage access.
Click Add role and select the Chronicle API Editor role. Click Save.
Grant impersonation permissions to your Google SecOps instance
To use Workload Identity, you must grant your Google SecOps instance permission to impersonate your service account. This is the final step that allows the instance to securely access Google Cloud resources.
In Google SecOps, go to Marketplace > Response Integrations.
Select the integration you're configuring, and enter your service account email in the Workload Identity Email field.
Enter the email you want the integration to impersonate in the Delegated Email field.
Click Save > Test. The test is expected to fail.
Click the close icon to the right of Test and search the error message for gke-init-python@YOUR_PROJECT. Copy this unique email, which identifies your Google SecOps instance.
Go to Service accounts, select your project, and select your service account.
Select Principals with access > Grant access.
Under Add principals, paste the value you copied.
Under Add Roles, select the Service Account Token Creator (roles/iam.serviceAccountTokenCreator) role.
Note: It may take a few minutes after completing this step for the test to pass.
Troubleshoot connectivity to Chronicle API
If you encounter issues connecting your integration to the Chronicle API, follow these steps to troubleshoot the configuration and resolve credential issues:
- Find the Chronicle API Root and ensure it is correctly entered into the integration configuration.
- Ensure all other mandatory configuration parameters are accurately filled.
- Test the connection. If the test succeeds, no further steps are needed. If the test fails, proceed to the next step.
- Verify Google Cloud project ownership and credentials:
  - Google-Managed Project: If your Google Cloud project is managed by Google (default deployment), contact Google Support for assistance with credential issues.
  - Bring Your Own Project (BYOP): If your Google Cloud project is self-managed (BYOP), verify that you have manually configured a service account and assigned it the appropriate roles.
Integration parameters
The Google Chronicle integration requires the following parameters:
| Parameter | Description |
|---|---|
| UI Root | Required. The base URL of the Google SecOps interface. This is used to automatically generate direct links back to the SIEM platform from your case records. The default value is |
| API Root | Required. The API root for your Google SecOps instance. The value depends on your authentication method: |
| User's Service Account | Optional. The full content of the Service Account JSON key file. If this and the To use the Chronicle API, you must provide this field or |
| Workload Identity Email | Optional. The client email address of your Workload Identity Federation. This parameter has priority over the To use Workload Identity Federation, you must grant the |
| Verify SSL | Required. If selected, the integration validates the SSL certificate when connecting to the Google SecOps server. Enabled by default. |
For instructions about how to configure an integration in Google SecOps, see Configure integrations.
You can make changes at a later stage, if needed. After you configure an integration instance, you can use it in playbooks. For more information about how to configure and support multiple instances, see Supporting multiple instances.
Actions
For more information about actions, see Respond to pending actions from Your Workdesk and Perform a manual action.
Add Entry To Watchlist
Use the Add Entry To Watchlist action to add a specified entity to an existing Risk Analytics Watchlist in Google SecOps.
This action doesn't run on Google SecOps entities.
Note: This action requires Chronicle API authentication. Legacy Backstory API authentication is not supported.
Action inputs
The Add Entry To Watchlist action requires the following parameters:
| Parameter | Description |
|---|---|
| Watchlist Name | Required. The name of the Risk Analytics watchlist to add the entry to. |
| Entry | Required. The JSON object representing the entity to add to the watchlist. The JSON structure requires the entity value, entity type, and an optional namespace. The default value is: [{"entity": "", "type": "ASSET_IP_ADDRESS/MAC/HOSTNAME/PRODUCT_SPECIFIC_ID/USERNAME/EMAIL/EMPLOYEE_ID/WINDOWS_SID/PRODUCT_OBJECT_ID", "namespace": "Optional"}] |
Action outputs
The Add Entry To Watchlist action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example shows the JSON result output received when using the Add Entry To Watchlist action:
[{"namespace":"Yuriy","asset":{"hostname":"koko"}},{"namespace":"Yuriy","asset":{"hostname":"koko"}}]
Output messages
The Add Entry To Watchlist action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Add Entry To Watchlist". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Add Entry To Watchlist action:
| Script result name | Value |
|---|---|
| is_success | true or false |
Add Rows To Data Table
Use the Add Rows To Data Table action to add rows to a data table in Google SecOps.
This action doesn't run on Google SecOps entities.
Action inputs
To configure the action, use the following parameters:
| Parameter | Description |
|---|---|
| Data Table Name | Required. The display name of the data table to update. |
| Rows | Required. A list of JSON objects containing information about the rows to add. For example: [{"columnName1": "value1", "columnName2": "value2"}, {"columnName1": "value1", "columnName2": "value2"}] |
Action outputs
The Add Rows To Data Table action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| Entity insight | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example shows a sample JSON result returned by the Add Rows To Data Table action:
{"name":"projects/365235532452/locations/us/instances/df6f1958-0381-41f9-8794-08a3229744a5/dataTables/data_table/dataTableRows/840d18a85944833e1b97ed6d2fb11377","values":{"columnName1":"asda","columnName2":"asdasd","columnName3":"zxczxc"}}
Output messages
The Add Rows To Data Table action provides the following output messages:
| Output message | Message description |
|---|---|
| Successfully added rows to the data table DATA_TABLE_NAME in Google SecOps. | The action succeeded. |
| Error executing action "Add Rows to Data Table". Reason: ERROR_REASON | The action failed. Check the connection to the server, the input parameters, or the credentials. |
Script result
The following table describes the values for the script result output when using the Add Rows To Data Table action:
| Script result name | Value |
|---|---|
| is_success | true or false |
Add Values To Reference List
Use the Add Values To Reference List action to add values to a reference list in Google SecOps.
This action doesn't run on Google SecOps entities.
Action inputs
To configure the action, use the following parameters:
| Parameter | Description |
|---|---|
| Reference List Name | Required. The name of the reference list to update. |
| Values | Required. A comma-separated list of values to add to the reference list. |
Action outputs
The Add Values To Reference List action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| Entity insight | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example describes the JSON result output received when using the Add Values To Reference List action with the Backstory API:
{"name":"list_name","description":"description of the list","lines":["192.0.2.0/24","198.51.100.0/24"],"create_time":"2020-11-20T17:18:20.409247Z","content_type":"CIDR"}
The following example describes the JSON result output received when using the Add Values To Reference List action with the Chronicle API:
{"name":"projects/PROJECT_ID/locations/us/instances/INSTANCE_ID/referenceLists/REFERENCE_LIST_NAME","displayName":"REFERENCE_LIST_NAME","revisionCreateTime":"2025-01-16T09:15:21.795743Z","description":"Test reference list","entries":[{"value":"example.com"},{"value":"exampledomain.com"}],"syntaxType":"REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING","scopeInfo":{"referenceListScope":{}},"createTime":"2025-01-16T09:15:21.795743Z","lines":["example.com","exampledomain.com"]}
Output messages
The Add Values To Reference List action provides the following output messages:
| Output message | Message description |
|---|---|
| Successfully added values to the reference list REFERENCE_LIST_NAME. | The action succeeded. |
| Error executing action "Add Values To Reference List". Reason: ERROR_REASON | The action failed. Check the connection to the server, the input parameters, or the credentials. |
Script result
The following table describes the values for the script result output when using the Add Values To Reference List action:
| Script result name | Value |
|---|---|
| is_success | True or False |
Ask Gemini
Use the Ask Gemini action to send a text prompt to Gemini in Google SecOps.
This action doesn't run on Google SecOps entities.
Note: This action only works with Chronicle API authentication. Backstory API is not supported. If you're using a Unified SecOps deployment, verify that you have configured a dedicated Service Account and provided credentials in the integration parameters.
Input size and processing limits
The Ask Gemini action is subject to strict payload and processing constraints within the Google SecOps pipeline. Prompts that exceed these limits typically result in a 503 Service Unavailable error.
To ensure successful execution, your requests must adhere to the following specifications:
Intent Recognition (EIR) payload limit: The total size of the prompt, including any pasted data or result sets, must not exceed 11,000 bytes (~11 KB) or 4,096 tokens. Inputs larger than this fail during the initial processing phase.
Response generation cap: The generation phase is limited to a maximum of 28,000 tokens.
Timeouts: Intent recognition has a 30-second timeout. The total end-to-end CreateMessage RPC has a deadline of 120 seconds. Large summarization tasks that exceed this processing time cause the action to fail.
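As an added example (not from the documentation or the integration's code), this Python pre-flight assembles a prompt from an analyst question plus a set of result rows and keeps it under the 11,000-byte payload limit above, so a playbook step does not fail with a 503 on a large result set. The rows are constructed sample data; the bytes-per-token ratio is derived from the two limits the page states and is only an estimate.

```python
import json

# Limits this page states for the Ask Gemini action.
MAX_PROMPT_BYTES = 11_000    # hard limit on the whole prompt, pasted data included
MAX_PROMPT_TOKENS = 4_096

# Assumption: treat the two limits as equivalent and derive a rough
# bytes-per-token ratio (~2.7) from them, used only for the token estimate.
_BYTES_PER_TOKEN = MAX_PROMPT_BYTES / MAX_PROMPT_TOKENS


def prompt_size(prompt: str) -> dict:
    """Measure a prompt the way the limits are expressed: bytes and ~tokens."""
    nbytes = len(prompt.encode("utf-8"))
    return {
        "bytes": nbytes,
        "estimated_tokens": nbytes * MAX_PROMPT_TOKENS // MAX_PROMPT_BYTES,
        "within_limit": nbytes <= MAX_PROMPT_BYTES,
    }


def build_prompt(question: str, rows: list, max_bytes: int = MAX_PROMPT_BYTES):
    """Build "question + JSON-lines data" that fits within max_bytes.

    Rows are appended in order until the next one would cross the limit; the
    rest is replaced by an omission note so Gemini knows the data is partial.
    Returns (prompt, rows_included). Raises ValueError when even the
    question alone cannot be made to fit.
    """
    header = question.rstrip() + "\n\nData (one JSON object per line):\n"
    note = "\n[{n} more rows omitted to stay within the {b}-byte prompt limit]"
    # Reserve room for the longest possible note so the result never overshoots.
    reserve = len(note.format(n=len(rows), b=max_bytes).encode("utf-8"))
    used = len(header.encode("utf-8"))
    kept = []
    for row in rows:
        line = json.dumps(row, separators=(",", ":"), sort_keys=True) + "\n"
        size = len(line.encode("utf-8"))
        if used + size + reserve > max_bytes:
            break
        kept.append(line)
        used += size
    prompt = header + "".join(kept)
    if len(kept) < len(rows):
        prompt += note.format(n=len(rows) - len(kept), b=max_bytes)
    if len(prompt.encode("utf-8")) > max_bytes:
        raise ValueError("prompt cannot be made to fit within the limit")
    return prompt, len(kept)


# Constructed sample: far more rows than fit in one prompt.
SAMPLE_ROWS = [
    {"principal_ip": f"10.0.{i // 256}.{i % 256}", "event": "USER_LOGIN", "user": f"user{i}"}
    for i in range(400)
]

if __name__ == "__main__":
    prompt, included = build_prompt("Which of these logins look anomalous?", SAMPLE_ROWS)
    print(included, "rows included;", prompt_size(prompt))
```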
Action inputs
To configure the action, use the following parameters:
| Parameter | Description |
|---|---|
| Automatic Opt-in | Optional. If selected, the playbook automatically opts in the user for the Gemini conversation without requiring a manual confirmation. Enabled by default. |
| Prompt | Required. The initial text prompt or question to send to Gemini. Important: The input must not exceed 11 KB (~4,000 tokens). Large inputs may result in a 503 error. |
Action outputs
The Ask Gemini action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| Entity insight | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example describes the JSON result output received when using the Ask Gemini action:
{"name":"projects/365235532452/locations/us/instances/df6f1958-0381-41f9-8794-08a3229744a5/users/me/conversations/db3b0fc2-94f8-42ae-b743-c3693f593269/messages/b58e3186-e697-4400-9da8-8ef252a20bd9","input":{"body":"Is IP 159.138.84.217 malicious? What can you tell me about it?"},"responses":[{"blocks":[{"blockType":"HTML","htmlContent":{"privateDoNotAccessOrElseSafeHtmlWrappedValue":"<p>The IP address 159.138.84.217 is associated with malware and threat actors.</p>\n<ul>\n<li>It is an IPv4 indicator.</li>\n<li>It is associated with BEACON malware.</li>\n<li>It is categorized as malware-Backdoor.</li>\n<li>It has a low confidence, high severity threat rating.</li>\n<li>VirusTotal's IP Address Report indicates the network for this IP is 159.138.80.0/20, and the IP is associated with HUAWEI CLOUDS in Singapore.</li>\n<li>VirusTotal's last analysis on April 22, 2025, showed 8 malicious detections out of 94 sources.</li>\n</ul>\n<p>I might have more details for a question with more context (e.g., what is the source of the IP, what type of network traffic is associated with the IP).</p>\n"}}],"references":[{"blockType":"HTML","htmlContent":{"privateDoNotAccessOrElseSafeHtmlWrappedValue":"<ol>\n<li><a href=\"https://advantage.mandiant.com/indicator/ipv4/159.138.84.217\" target=\"_blank\">Mandiant - indicator - 159.138.84.217</a></li>\n</ol>\n"}}],"groundings":["IP address 159.138.84.217 malicious cybersecurity","IP address 159.138.84.217 threat intelligence"]}],"createTime":"2025-05-16T11:31:36.660538Z"}
Output messages
The Ask Gemini action provides the following output messages:
| Output message | Message description |
|---|---|
| Successfully executed a prompt in Google SecOps. | The action succeeded. |
| Error executing action "GoogleChronicle - Ask Gemini". Reason: ERROR_REASON | The action failed. Check the connection to the server, the input parameters, or the credentials. |
Script result
The following table describes the values for the script result output when using the Ask Gemini action:
| Script result name | Value |
|---|---|
| is_success | True or False |
Enrich Domain - Deprecated
Deprecated: This action is deprecated.
Use the Enrich Domain action to enrich domains using information from IoCs in Google SecOps.
This action runs on the following Google SecOps entities:
- URL
- Hostname
Action inputs
The Enrich Domain action requires the following parameters:
| Parameter | Description |
|---|---|
| Create Insight | If selected, the action creates an insight containing information about the entities. Enabled by default. |
| Only Suspicious Insight | If selected, the action only creates an insight for entities that are marked as suspicious. Not enabled by default. If you select this parameter, you must also select |
| Lowest Suspicious Severity | Required. The lowest severity associated with the domain needed to flag it as suspicious. The default value is |
| Mark Suspicious N/A Severity | Required. If selected and the information about severity is unavailable, the action marks the entity as suspicious. |
Action outputs
The Enrich Domain action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Available |
| Enrichment table | Available |
| Entity insight | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
Case wall table
The Enrich Domain action provides the following table:
Name: ENTITY_IDENTIFIER
Columns:
- Source
- Severity
- Category
- Confidence
Entity enrichment
The Enrich Domain action supports the following entity enrichment logic:
| Enrichment field | Logic (when to apply) |
|---|---|
| severity | When available in JSON |
| average_confidence | When available in JSON |
| related_domains | When available in JSON |
| categories | When available in JSON |
| sources | When available in JSON |
| first_seen | When available in JSON |
| last_seen | When available in JSON |
| report_link | When available in JSON |
JSON Result
The following example describes the JSON result output received when using the Enrich Domain action with the Backstory API:
{ "sources": [ { "source": "ET Intelligence Rep List", "confidenceScore": { "normalizedConfidenceScore": "Low", "intRawConfidenceScore": 0 }, "rawSeverity": "High", "category": "Malware Command and Control Server" } ], "iocIngestTime": "2021-01-26T17:00:00Z", "firstSeenTime": "2018-10-03T00:03:53Z", "lastSeenTime": "2022-02-09T10:52:21.229Z", "uri": [ "https://INSTANCE/domainResults?domain=example.net&selectedList=DomainViewDistinctAssets&whoIsTimestamp=2022-02-09T11%3A51%3A52.393783515Z" ] }
The following example describes the JSON result output received when using the Enrich Domain action with the Chronicle API:
[ { "Entity": "example.com", "EntityResult": { "sources": [ { "category": "Indicator was published in publicly available sources", "firstActiveTime": "1970-01-01T00:00:01Z", "lastActiveTime": "9999-12-31T23:59:59Z", "addresses": [ { "domain": "example.com" } ], "rawSeverity": "medium", "confidenceScore": { "strRawConfidenceScore": "100" } }, { "category": "Phishing", "firstActiveTime": null, "lastActiveTime": "2020-11-27T14:31:37Z", "addresses": [ { "domain": "example.com" }, { "ipAddress": "IP_ADDRESS" } ], "rawSeverity": "high", "confidenceScore": { "strRawConfidenceScore": "high" } }, { "category": "Indicator was published in publicly available sources", "firstActiveTime": "1970-01-01T00:00:01Z", "lastActiveTime": "9999-12-31T23:59:59Z", "addresses": [ { "domain": "example.com" } ], "rawSeverity": "medium", "confidenceScore": { "strRawConfidenceScore": "100" } } ], "feeds": [ { "metadata": { "title": "Mandiant Open Source Intelligence", "description": "Open Source Intel IoC", "confidenceScoreBucket": { "rangeEnd": 100 } }, "iocs": [ { "domainAndPorts": { "domain": "example.com" }, "categorization": "Indicator was published in publicly available sources", "activeTimerange": { "start": "1970-01-01T00:00:01Z", "end": "9999-12-31T23:59:59Z" }, "confidenceScore": "100", "rawSeverity": "Medium" } ] }, { "metadata": { "title": "ESET Threat Intelligence", "description": "ESET Threat Intelligence" }, "iocs": [ { "domainAndPorts": { "domain": "example.com" }, "categorization": "Phishing", "activeTimerange": { "end": "2020-11-27T14:31:37Z" }, "ipAndPorts": { "ipAddress": "IP_ADDRESS" }, "confidenceScore": "High", "rawSeverity": "High" } ] }, { "metadata": { "title": "Mandiant Active Breach Intelligence", "description": "Mandiant Active Breach IoC", "confidenceScoreBucket": { "rangeEnd": 100 } }, "iocs": [ { "domainAndPorts": { "domain": "example.com" }, "categorization": "Indicator was published in publicly available sources", "activeTimerange": { "start": "1970-01-01T00:00:01Z", "end": "9999-12-31T23:59:59Z" }, "confidenceScore": "100", "rawSeverity": "Medium" } ] } ] } } ]
Output messages
The Enrich Domain action provides the following output messages:
| Output message | Message description |
|---|---|
| Successfully enriched the following domain in Google Chronicle: LIST_OF_IDS | The action succeeded. |
| Error executing action "Enrich Domain". Reason: ERROR_REASON | The action failed. Check connection to the server, input parameters, or credentials. |
Script result
The following table describes the values for the script result output when using the Enrich Domain action:
| Script result name | Value |
|---|---|
| is_success | True or False |
Enrich Entities
Use the Enrich Entities action to query Google SecOps for additional context and attributes for specified entity types. This action enhances threat investigation data by integrating external intelligence.
This action runs on the following Google SecOps entities:
- Domain
- File Hash
- Hostname
- IP Address
- URL (extracts domain from URL)
- User
- Email (user entity with email regex)
Action inputs
The Enrich Entities action requires the following parameters:
| Parameter | Description |
|---|---|
| Namespace | Optional. The logical grouping or scope of the entities to enrich. If not selected, the enrichment applies to entities in the default namespace or all accessible namespaces. Entities must belong to this namespace to be processed. |
| Time Frame | Optional. A relative timeframe (for example, This parameter takes precedence over |
| Start Time | Optional. The start time for the enrichment period in ISO 8601 format. Use this with |
| End Time | Optional. The absolute end time for the enrichment period in ISO 8601 format. Used with |
Action outputs
The Enrich Entities action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
Entity enrichment
The Enrich Entities action supports the following entity enrichment logic:
| Enrichment field | Source (JSON key) | Applicability |
|---|---|---|
| GoogleSecOps_related_entities | The number of related_entities | When available in the JSON result. |
| GoogleSecOps_alert_count_ruleName | {alertCounts.count} for each specific rule | When available in the JSON result. |
| GoogleSecOps_first_seen | metric.firstSeen | When available in the JSON result. |
| GoogleSecOps_last_seen | metric.lastSeen | When available in the JSON result. |
| GoogleSecOps_flattened_key_under_entity | The value of the key, flattened from the nested structure under the "entity" object. | When available in the JSON result. |
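The enrichment logic in the table above, as an added example (not the integration's own code): it builds the GoogleSecOps_* fields from one EntityResult, emitting each field only when its source key is present, and flattens the nested entity attributes into single keys. The sample result is constructed to match the shape this page shows for the action's JSON result; the location of the entity attributes (EntityResult.entity.entity) and the flattening scheme are assumptions.

```python
PREFIX = "GoogleSecOps"

# Constructed sample in the shape of the Enrich Entities JSON result
# (a list of {"Entity", "EntityResult"} objects). Ids are placeholders.
SAMPLE_RESULT = [
    {
        "Entity": "exlab-host-01",
        "EntityResult": {
            "name": "projects/PROJECT_ID/locations/us/instances/INSTANCE_ID/entities/ENTITY_ID",
            "metadata": {"entityType": "ASSET"},
            "entity": {
                "metadata": {"entityType": "ASSET"},
                "entity": {"namespace": "corp",
                           "asset": {"hostname": "exlab-host-01", "ip": ["10.0.0.5", "10.0.0.6"]}},
                "metric": {"firstSeen": "2025-06-25T00:03:07.891Z", "lastSeen": "2025-07-18T07:40:32.153Z"},
            },
            "metric": {"firstSeen": "2025-06-25T00:03:07.891Z", "lastSeen": "2025-07-18T07:40:32.153Z"},
            "alertCounts": [{"rule": "rule_testbucket", "count": "360"},
                            {"rule": "rule_risk_score", "count": "321"}],
            "related_entities": [{"Entity": "10.0.0.5"}, {"Entity": "alice@example.com"}],
        },
    },
    {
        "Entity": "example.com",
        "EntityResult": {
            "metadata": {"entityType": "DOMAIN_NAME"},
            "entity": {
                "metadata": {"entityType": "DOMAIN_NAME"},
                "entity": {"domain": {"name": "example.com", "registrar": "Example Registrar"}},
            },
        },
    },
]


def _flatten(obj, prefix="", out=None):
    """Flatten nested dicts into {"a_b": value}; scalar lists are joined with
    ", ", and lists of objects get a numeric index in the key."""
    if out is None:
        out = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            _flatten(value, f"{prefix}{key}_", out)
    elif isinstance(obj, list) and any(isinstance(v, (dict, list)) for v in obj):
        for index, value in enumerate(obj):
            _flatten(value, f"{prefix}{index}_", out)
    elif isinstance(obj, list):
        out[prefix.rstrip("_")] = ", ".join(str(v) for v in obj)
    else:
        out[prefix.rstrip("_")] = obj
    return out


def enrichment_fields(entity_result: dict, prefix: str = PREFIX) -> dict:
    """Build the enrichment fields for one EntityResult, following the
    "when available in the JSON result" rule: a field is emitted only when
    its source key exists."""
    fields = {}
    related = entity_result.get("related_entities")
    if related is not None:
        fields[f"{prefix}_related_entities"] = len(related)
    for item in entity_result.get("alertCounts", []):
        rule, count = item.get("rule"), item.get("count")
        if rule and count is not None:
            fields[f"{prefix}_alert_count_{rule}"] = int(count)  # counts arrive as strings
    metric = entity_result.get("metric", {})
    if "firstSeen" in metric:
        fields[f"{prefix}_first_seen"] = metric["firstSeen"]
    if "lastSeen" in metric:
        fields[f"{prefix}_last_seen"] = metric["lastSeen"]
    # Assumption: the entity attributes sit under EntityResult.entity.entity;
    # fall back to EntityResult.entity when the inner wrapper is absent.
    wrapper = entity_result.get("entity", {})
    inner = wrapper.get("entity", wrapper)
    for key, value in _flatten(inner).items():
        fields[f"{prefix}_{key}"] = value
    return fields


def enrich_all(result: list) -> dict:
    """Map each entity identifier in the action's JSON result to its fields."""
    return {item["Entity"]: enrichment_fields(item["EntityResult"]) for item in result}


if __name__ == "__main__":
    for entity, fields in enrich_all(SAMPLE_RESULT).items():
        print(entity, fields)
```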
JSON result
The following example shows the JSON result output received when using theEnrich Entities action:
'utilman.exe'","qpl9AqT0.exe","C:\\windows\\system32\\CMD.exe","C:\\po8az\\2po9hmc\\4v1b5.exe","batya.exe","nqAwJaba.exe","\\Device\\CdRom1\\DANFE356907191810758\\DANFE356907191810758.EXE","/Volumes/10_11_2023/DANFE356907191810758/DANFE356907191810758.exe","/Volumes/09_21_2023/DANFE357986551413927/DANFE357986551413927.exe","\\Device\\CdRom1\\DANFE355460800350113\\DANFE355460800350113.EXE","/Volumes/09_19_2023/DANFE355460800350113/DANFE355460800350113.exe","DANFE352429512050669.exe","/Volumes/04_15_2023/HtmlFacturaeb58f4396e2028a70905705291031e7b3dlvDNyGp3/HtmlFacturaeb58f4396e2028a70905705291031e7b3dlvDNyGp3.exe"],"firstSeenTime":"2024-12-15T09:07:02Z","lastSeenTime":"2025-07-18T07:43:59.045Z","lastAnalysisTime":"2025-07-16T10:06:40Z","signatureInfo":{"sigcheck":{"verificationMessage":"Signed","verified":true,"signers":[{"name":"Microsoft Windows"}]}},"firstSubmissionTime":"2025-07-15T16:30:27Z"}},"metric":{"firstSeen":"2024-12-15T09:07:02Z","lastSeen":"2025-07-18T07:43:59.045Z"}},"metric":{"firstSeen":"2024-12-15T09:07:02Z","lastSeen":"2025-07-18T07:43:59.045Z"},"alertCounts":[{"rule":"pavel_test2_rule_1749239699456","count":"329"},{"rule":"rule_testbucket","count":"345"},{"rule":"rule_Pavel_test_Risk_score","count":"326"}],"timeline":{"buckets":[{},{},{},{},{"alertCount":31},{"alertCount":111},{"alertCount":109},{"alertCount":82},{"alertCount":86},{"alertCount":98},{"alertCount":86},{"alertCount":85},{"alertCount":92},{"alertCount":89},{"alertCount":90},{"alertCount":41}],"bucketSize":"172800s"},"prevalenceResult":[{"prevalenceTime":"2025-01-16T00:00:00Z","count":1},{"prevalenceTime":"2025-01-17T00:00:00Z","count":1},{"prevalenceTime":"2025-01-18T00:00:00Z","count":1},{"prevalenceTime":"2025-01-19T00:00:00Z","count":1},{"prevalenceTime":"2025-01-20T00:00:00Z","count":1},{"prevalenceTime":"2025-01-21T00:00:00Z","count":1},{"prevalenceTime":"2025-01-22T00:00:00Z","count":1},{"prevalenceTime":"2025-01-23T00:00:00Z","count":1},{"prevalenceTime":"2025-01-24T00:00:00Z",
"count":1},{"prevalenceTime":"2025-01-25T00:00:00Z","count":1},{"prevalenceTime":"2025-01-26T00:00:00Z","count":1},{"prevalenceTime":"2025-01-27T00:00:00Z","count":1},{"prevalenceTime":"2025-01-28T00:00:00Z","count":1},{"prevalenceTime":"2025-01-29T00:00:00Z","count":1},{"prevalenceTime":"2025-01-30T00:00:00Z","count":1},{"prevalenceTime":"2025-01-31T00:00:00Z","count":1},{"prevalenceTime":"2025-02-01T00:00:00Z","count":1},{"prevalenceTime":"2025-02-02T00:00:00Z","count":1},{"prevalenceTime":"2025-02-03T00:00:00Z","count":1},{"prevalenceTime":"2025-02-04T00:00:00Z","count":1},{"prevalenceTime":"2025-02-05T00:00:00Z","count":1},{"prevalenceTime":"2025-02-06T00:00:00Z","count":1},{"prevalenceTime":"2025-02-07T00:00:00Z","count":1},{"prevalenceTime":"2025-02-08T00:00:00Z","count":1},{"prevalenceTime":"2025-02-09T00:00:00Z","count":1},{"prevalenceTime":"2025-02-10T00:00:00Z","count":1},{"prevalenceTime":"2025-02-11T00:00:00Z","count":1},{"prevalenceTime":"2025-02-12T00:00:00Z","count":1},{"prevalenceTime":"2025-02-13T00:00:00Z","count":1},{"prevalenceTime":"2025-02-14T00:00:00Z","count":1},{"prevalenceTime":"2025-02-15T00:00:00Z","count":1},{"prevalenceTime":"2025-02-16T00:00:00Z","count":1},{"prevalenceTime":"2025-02-17T00:00:00Z","count":1},{"prevalenceTime":"2025-02-18T00:00:00Z","count":1},{"prevalenceTime":"2025-02-19T00:00:00Z","count":1},{"prevalenceTime":"2025-02-20T00:00:00Z","count":1},{"prevalenceTime":"2025-02-21T00:00:00Z","count":1},{"prevalenceTime":"2025-02-22T00:00:00Z","count":1},{"prevalenceTime":"2025-02-23T00:00:00Z","count":1},{"prevalenceTime":"2025-02-24T00:00:00Z","count":1},{"prevalenceTime":"2025-02-25T00:00:00Z","count":1},{"prevalenceTime":"2025-02-26T00:00:00Z","count":1},{"prevalenceTime":"2025-02-27T00:00:00Z","count":1},{"prevalenceTime":"2025-02-28T00:00:00Z","count":1},{"prevalenceTime":"2025-03-01T00:00:00Z","count":1},{"prevalenceTime":"2025-03-02T00:00:00Z","count":1},{"prevalenceTime":"2025-03-03T00:00:00Z","count":1},{"prevalenceT
ime":"2025-03-04T00:00:00Z","count":1},{"prevalenceTime":"2025-03-05T00:00:00Z","count":1},{"prevalenceTime":"2025-03-06T00:00:00Z","count":1},{"prevalenceTime":"2025-03-07T00:00:00Z","count":1},{"prevalenceTime":"2025-03-08T00:00:00Z","count":1},{"prevalenceTime":"2025-03-09T00:00:00Z","count":1},{"prevalenceTime":"2025-03-10T00:00:00Z","count":1},{"prevalenceTime":"2025-03-11T00:00:00Z","count":1},{"prevalenceTime":"2025-03-12T00:00:00Z","count":1},{"prevalenceTime":"2025-03-13T00:00:00Z","count":1},{"prevalenceTime":"2025-03-14T00:00:00Z","count":1},{"prevalenceTime":"2025-03-15T00:00:00Z","count":1},{"prevalenceTime":"2025-03-16T00:00:00Z","count":1},{"prevalenceTime":"2025-03-17T00:00:00Z","count":1},{"prevalenceTime":"2025-03-18T00:00:00Z","count":1},{"prevalenceTime":"2025-03-19T00:00:00Z","count":1},{"prevalenceTime":"2025-03-20T00:00:00Z","count":1},{"prevalenceTime":"2025-03-21T00:00:00Z","count":1},{"prevalenceTime":"2025-03-22T00:00:00Z","count":1},{"prevalenceTime":"2025-03-23T00:00:00Z","count":1},{"prevalenceTime":"2025-03-24T00:00:00Z","count":1},{"prevalenceTime":"2025-03-25T00:00:00Z","count":1},{"prevalenceTime":"2025-03-26T00:00:00Z","count":1},{"prevalenceTime":"2025-03-27T00:00:00Z","count":1},{"prevalenceTime":"2025-03-28T00:00:00Z","count":1},{"prevalenceTime":"2025-03-29T00:00:00Z","count":1},{"prevalenceTime":"2025-03-30T00:00:00Z","count":1},{"prevalenceTime":"2025-03-31T00:00:00Z","count":1},{"prevalenceTime":"2025-04-01T00:00:00Z","count":1},{"prevalenceTime":"2025-04-02T00:00:00Z","count":1},{"prevalenceTime":"2025-04-03T00:00:00Z","count":1},{"prevalenceTime":"2025-04-04T00:00:00Z","count":1},{"prevalenceTime":"2025-04-05T00:00:00Z","count":1},{"prevalenceTime":"2025-04-06T00:00:00Z","count":1},{"prevalenceTime":"2025-04-07T00:00:00Z","count":1},{"prevalenceTime":"2025-04-08T00:00:00Z","count":1},{"prevalenceTime":"2025-04-09T00:00:00Z","count":1},{"prevalenceTime":"2025-04-10T00:00:00Z","count":1},{"prevalenceTime":"2025-04-11T00:00:0
0Z","count":1},{"prevalenceTime":"2025-04-12T00:00:00Z","count":1},{"prevalenceTime":"2025-04-13T00:00:00Z","count":1},{"prevalenceTime":"2025-04-14T00:00:00Z","count":1},{"prevalenceTime":"2025-04-15T00:00:00Z","count":1},{"prevalenceTime":"2025-04-16T00:00:00Z","count":1},{"prevalenceTime":"2025-04-17T00:00:00Z","count":1},{"prevalenceTime":"2025-04-18T00:00:00Z","count":1},{"prevalenceTime":"2025-04-19T00:00:00Z","count":1},{"prevalenceTime":"2025-04-20T00:00:00Z","count":1},{"prevalenceTime":"2025-04-21T00:00:00Z","count":1},{"prevalenceTime":"2025-04-22T00:00:00Z","count":1},{"prevalenceTime":"2025-04-23T00:00:00Z","count":1},{"prevalenceTime":"2025-04-24T00:00:00Z","count":1},{"prevalenceTime":"2025-04-25T00:00:00Z","count":1},{"prevalenceTime":"2025-04-26T00:00:00Z","count":1},{"prevalenceTime":"2025-04-27T00:00:00Z","count":1},{"prevalenceTime":"2025-04-28T00:00:00Z","count":1},{"prevalenceTime":"2025-04-29T00:00:00Z","count":1},{"prevalenceTime":"2025-04-30T00:00:00Z","count":1},{"prevalenceTime":"2025-05-01T00:00:00Z","count":1},{"prevalenceTime":"2025-05-02T00:00:00Z","count":1},{"prevalenceTime":"2025-05-03T00:00:00Z","count":1},{"prevalenceTime":"2025-05-04T00:00:00Z","count":1},{"prevalenceTime":"2025-05-05T00:00:00Z","count":1},{"prevalenceTime":"2025-05-06T00:00:00Z","count":1},{"prevalenceTime":"2025-05-07T00:00:00Z","count":1},{"prevalenceTime":"2025-05-08T00:00:00Z","count":1},{"prevalenceTime":"2025-05-09T00:00:00Z","count":1},{"prevalenceTime":"2025-05-10T00:00:00Z","count":1},{"prevalenceTime":"2025-05-11T00:00:00Z","count":1},{"prevalenceTime":"2025-05-12T00:00:00Z","count":1},{"prevalenceTime":"2025-05-13T00:00:00Z","count":1},{"prevalenceTime":"2025-05-14T00:00:00Z","count":1},{"prevalenceTime":"2025-05-15T00:00:00Z","count":1},{"prevalenceTime":"2025-05-16T00:00:00Z","count":1},{"prevalenceTime":"2025-05-17T00:00:00Z","count":1},{"prevalenceTime":"2025-05-18T00:00:00Z","count":1},{"prevalenceTime":"2025-05-19T00:00:00Z","count":1},{"prevale
nceTime":"2025-05-20T00:00:00Z","count":1},{"prevalenceTime":"2025-05-21T00:00:00Z","count":1},{"prevalenceTime":"2025-05-22T00:00:00Z","count":1},{"prevalenceTime":"2025-05-23T00:00:00Z","count":1},{"prevalenceTime":"2025-05-24T00:00:00Z","count":1},{"prevalenceTime":"2025-05-25T00:00:00Z","count":1},{"prevalenceTime":"2025-05-26T00:00:00Z","count":1},{"prevalenceTime":"2025-05-27T00:00:00Z","count":1},{"prevalenceTime":"2025-05-28T00:00:00Z","count":1},{"prevalenceTime":"2025-05-29T00:00:00Z","count":1},{"prevalenceTime":"2025-05-30T00:00:00Z","count":1},{"prevalenceTime":"2025-05-31T00:00:00Z","count":1},{"prevalenceTime":"2025-06-01T00:00:00Z","count":1},{"prevalenceTime":"2025-06-02T00:00:00Z","count":1},{"prevalenceTime":"2025-06-03T00:00:00Z","count":1},{"prevalenceTime":"2025-06-04T00:00:00Z","count":1},{"prevalenceTime":"2025-06-05T00:00:00Z","count":1},{"prevalenceTime":"2025-06-06T00:00:00Z","count":1},{"prevalenceTime":"2025-06-07T00:00:00Z","count":1},{"prevalenceTime":"2025-06-08T00:00:00Z","count":1},{"prevalenceTime":"2025-06-09T00:00:00Z","count":1},{"prevalenceTime":"2025-06-10T00:00:00Z","count":1},{"prevalenceTime":"2025-06-11T00:00:00Z","count":1},{"prevalenceTime":"2025-06-12T00:00:00Z","count":1},{"prevalenceTime":"2025-06-13T00:00:00Z","count":1},{"prevalenceTime":"2025-06-14T00:00:00Z","count":1},{"prevalenceTime":"2025-06-15T00:00:00Z","count":1},{"prevalenceTime":"2025-06-16T00:00:00Z","count":1},{"prevalenceTime":"2025-06-17T00:00:00Z","count":1},{"prevalenceTime":"2025-06-18T00:00:00Z","count":1},{"prevalenceTime":"2025-06-19T00:00:00Z","count":1},{"prevalenceTime":"2025-06-20T00:00:00Z","count":1},{"prevalenceTime":"2025-06-21T00:00:00Z","count":1},{"prevalenceTime":"2025-06-22T00:00:00Z","count":1},{"prevalenceTime":"2025-06-23T00:00:00Z","count":1},{"prevalenceTime":"2025-06-24T00:00:00Z","count":1},{"prevalenceTime":"2025-06-25T00:00:00Z","count":1},{"prevalenceTime":"2025-06-26T00:00:00Z","count":1},{"prevalenceTime":"2025-06-27T00:
00:00Z","count":1},{"prevalenceTime":"2025-06-28T00:00:00Z","count":1},{"prevalenceTime":"2025-06-29T00:00:00Z","count":1},{"prevalenceTime":"2025-06-30T00:00:00Z","count":1},{"prevalenceTime":"2025-07-01T00:00:00Z","count":1},{"prevalenceTime":"2025-07-02T00:00:00Z","count":1},{"prevalenceTime":"2025-07-03T00:00:00Z","count":1},{"prevalenceTime":"2025-07-04T00:00:00Z","count":1},{"prevalenceTime":"2025-07-05T00:00:00Z","count":1},{"prevalenceTime":"2025-07-06T00:00:00Z","count":1},{"prevalenceTime":"2025-07-07T00:00:00Z","count":1},{"prevalenceTime":"2025-07-08T00:00:00Z","count":1},{"prevalenceTime":"2025-07-09T00:00:00Z","count":1},{"prevalenceTime":"2025-07-10T00:00:00Z","count":1},{"prevalenceTime":"2025-07-11T00:00:00Z","count":1},{"prevalenceTime":"2025-07-12T00:00:00Z","count":1},{"prevalenceTime":"2025-07-13T00:00:00Z","count":1},{"prevalenceTime":"2025-07-14T00:00:00Z","count":1},{"prevalenceTime":"2025-07-15T00:00:00Z","count":1},{"prevalenceTime":"2025-07-16T00:00:00Z","count":2},{"prevalenceTime":"2025-07-17T00:00:00Z","count":2},{"prevalenceTime":"2025-07-18T00:00:00Z","count":2}],"relatedEntities":[{"name":"projects/365235532452/locations/us/instances/df6f1958-0381-41f9-8794-08a3229744a5/entities/CgxleGxhYjIwMTktYWQQZhoFWXVyaXkiFQoGCPbso7wGEgsIv_bnwwYQwMq6FQ","metadata":{"entityType":"ASSET","interval":{"startTime":"2025-01-16T12:07:18Z","endTime":"2025-07-18T07:43:59.045Z"}},"entity":{"namespace":"Yuriy","asset":{"hostname":"exlab2019-ad","firstSeenTime":"2025-01-16T12:07:18Z"}},"metric":{"firstSeen":"2025-01-16T12:07:18Z","lastSeen":"2025-07-18T07:43:59.045Z"}},{"name":"projects/365235532452/locations/us/instances/df6f1958-0381-41f9-8794-08a3229744a5/entities/Cg4xNzIuMzAuMjAyLjIyORBkGgVZdXJpeSIVCgYI9uyjvAYSCwi_9ufDBhDAyroV","metadata":{"entityType":"ASSET","interval":{"startTime":"2025-01-16T12:07:18Z","endTime":"2025-07-18T07:43:59.045Z"}},"entity":{"namespace":"Yuriy","asset":{"ip":["172.30.202.229"],"firstSeenTime":"2025-01-16T12:07:18Z"}},"metri
c":{"firstSeen":"2025-01-16T12:07:18Z","lastSeen":"2025-07-18T07:43:59.045Z"}}]}},{"Entity":"tencent.com","EntityResult":{"name":"projects/365235532452/locations/us/instances/df6f1958-0381-41f9-8794-08a3229744a5/entities/Cgt0ZW5jZW50LmNvbRDIASIQCgYInNyZvAYSBgjo-Jm8Bg","metadata":{"entityType":"DOMAIN_NAME","interval":{"startTime":"2025-01-14T14:01:00Z","endTime":"2025-01-14T15:02:00Z"}},"entity":{"name":"projects/365235532452/locations/us/instances/df6f1958-0381-41f9-8794-08a3229744a5/entities/Cgt0ZW5jZW50LmNvbRDIASIQCgYInNyZvAYSBgjo-Jm8Bg","metadata":{"entityType":"DOMAIN_NAME","interval":{"startTime":"2025-01-14T14:01:00Z","endTime":"2025-01-14T15:02:00Z"}},"entity":{"domain":{"name":"tencent.com","firstSeenTime":"2025-01-14T14:01:00Z","lastSeenTime":"2025-01-14T15:02:00Z","registrar":"MarkMonitor Information Technology (Shanghai) Co., Ltd.","creationTime":"1998-09-14T04:00:00Z","updateTime":"2024-08-20T08:04:01Z","expirationTime":"2032-09-13T04:00:00Z","registrant":{"emailAddresses":[""],"personalAddress":{"countryOrRegion":"CHINA"},"companyName":"\u6df1\u5733\u5e02\u817e\u8baf\u8ba1\u7b97\u673a\u7cfb\u7edf\u6709\u9650\u516c\u53f8"}}},"metric":{"firstSeen":"2025-01-14T14:01:00Z","lastSeen":"2025-01-14T15:02:00Z"}},"metric":{"firstSeen":"2025-01-14T14:01:00Z","lastSeen":"2025-01-14T15:02:00Z"},"timeline":{"buckets":[{},{},{},{},{},{},{},{},{},{},{},{},{},{},{},{}],"bucketSize":"172800s"}}},{"Entity":"00:50:56:b6:34:86","EntityResult":{"name":"projects/365235532452/locations/us/instances/df6f1958-0381-41f9-8794-08a3229744a5/entities/ChEwMDo1MDo1NjpiNjozNDo4NhBlGgVZdXJpeSIKCgASBgjemLzBBg","metadata":{"entityType":"ASSET","interval":{"startTime":"1970-01-01T00:00:00Z","endTime":"2025-05-22T11:37:02Z"}},"entity":{"name":"projects/365235532452/locations/us/instances/df6f1958-0381-41f9-8794-08a3229744a5/entities/ChEwMDo1MDo1NjpiNjozNDo4NhBlGgVZdXJpeSIKCgASBgjemLzBBg","metadata":{"entityType":"ASSET","interval":{"startTime":"1970-01-01T00:00:00Z","endTime":"2025-05-22T11
:37:02Z"}},"entity":{"namespace":"Yuriy","asset":{"mac":["00:50:56:b6:34:86"]}},"metric":{"firstSeen":"1970-01-01T00:00:00Z","lastSeen":"2025-05-22T11:37:02Z"}},"metric":{"firstSeen":"1970-01-01T00:00:00Z","lastSeen":"2025-05-22T11:37:02Z"},"timeline":{"buckets":[{},{},{},{},{},{},{},{},{},{},{},{},{},{},{},{}],"bucketSize":"172800s"}}}]
Output messages
The Enrich Entities action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Enrich Entities". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Enrich Entities action:
| Script result name | Value |
|---|---|
| is_success | True or False |
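To show how a playbook step can consume the Enrich Entities JSON result above, here is an added Python example; it is not part of the integration or of Google's code. It walks the fields the result carries for each entity (alertCounts, timeline.buckets with bucketSize, prevalenceResult, and signatureInfo for FILE entities) and reduces them to the handful of values an analyst pins to a case. The record below is constructed to mirror that structure with placeholder hashes and abbreviated names; only the field names come from the page.

```python
"""Summarize one Enrich Entities EntityResult into case-worthy fields."""
import json

# Constructed sample that mirrors the documented EntityResult shape; the hash and
# the rule names are placeholders, not values taken from the page.
SAMPLE_RECORD = json.loads(r'''
{
  "Entity": "MD5_PLACEHOLDER",
  "EntityResult": {
    "metadata": {"entityType": "FILE",
                 "interval": {"startTime": "2024-12-15T09:07:02Z",
                              "endTime": "2025-07-18T07:43:59.045Z"}},
    "entity": {"file": {"md5": "MD5_PLACEHOLDER",
                        "names": ["C:\\Windows\\System32\\cmd.exe", "Cmd.Exe"],
                        "signatureInfo": {"sigcheck": {"verificationMessage": "Signed",
                                                       "verified": true,
                                                       "signers": [{"name": "Microsoft Windows"}]}}}},
    "metric": {"firstSeen": "2024-12-15T09:07:02Z", "lastSeen": "2025-07-18T07:43:59.045Z"},
    "alertCounts": [{"rule": "rule_a", "count": "329"}, {"rule": "rule_b", "count": "345"}],
    "timeline": {"buckets": [{}, {}, {"alertCount": 31}, {"alertCount": 111}],
                 "bucketSize": "172800s"},
    "prevalenceResult": [{"prevalenceTime": "2025-07-16T00:00:00Z", "count": 1},
                         {"prevalenceTime": "2025-07-18T00:00:00Z", "count": 2}]
  }
}
''')


def alert_totals(entity_result):
    """Per-rule alert counts as ints (the API returns them as strings) and their sum."""
    per_rule = {a["rule"]: int(a["count"]) for a in entity_result.get("alertCounts", [])}
    return per_rule, sum(per_rule.values())


def timeline_summary(entity_result):
    """Alerts across all timeline buckets and the days the buckets cover.

    Empty buckets ({}) carry no alertCount and count as zero; bucketSize is a
    duration string such as "172800s".
    """
    timeline = entity_result.get("timeline", {})
    buckets = timeline.get("buckets", [])
    bucket_seconds = int(timeline.get("bucketSize", "0s").rstrip("s"))
    total = sum(b.get("alertCount", 0) for b in buckets)
    return {"alerts": total, "window_days": len(buckets) * bucket_seconds // 86400}


def latest_prevalence(entity_result):
    """Most recent prevalence point as (time, count), or None when absent."""
    points = entity_result.get("prevalenceResult", [])
    if not points:
        return None
    # ISO 8601 UTC timestamps of equal shape sort correctly as strings.
    latest = max(points, key=lambda p: p["prevalenceTime"])
    return latest["prevalenceTime"], latest["count"]


def signer_status(entity_result):
    """(verified, signer names) for FILE entities; None when no sigcheck data exists."""
    file_info = entity_result.get("entity", {}).get("file", {})
    sigcheck = file_info.get("signatureInfo", {}).get("sigcheck")
    if not sigcheck:
        return None
    return sigcheck.get("verified", False), [s["name"] for s in sigcheck.get("signers", [])]


def summarize(record):
    """Reduce one {"Entity": ..., "EntityResult": ...} record to case-wall fields."""
    result = record["EntityResult"]
    per_rule, total = alert_totals(result)
    names = result.get("entity", {}).get("file", {}).get("names", [])
    return {
        "entity": record["Entity"],
        "type": result["metadata"]["entityType"],
        "alerts_by_rule": per_rule,
        "alerts_total": total,
        "timeline": timeline_summary(result),
        "latest_prevalence": latest_prevalence(result),
        "signature": signer_status(result),
        "distinct_names": len(names),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_RECORD), indent=2))
```

The same functions apply unchanged to ASSET and DOMAIN_NAME records, which simply lack the file-specific keys; every accessor defaults to an empty value rather than raising, so a playbook can run it over the whole list returned by the action.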
Enrich IP - Deprecated
Deprecated: This action is deprecated. Use the Enrich IP action to enrich IP entities using information from IoCs in Google SecOps.
This action runs on the `IP Address` entity.
Action inputs
The Enrich IP action requires the following parameters:
| Parameter | Description |
|---|---|
| Create Insight | Optional. If selected, the action creates an insight which contains information about entities. Enabled by default. |
| Only Suspicious Insight | Optional. If selected, the action creates insights only for entities that are marked as suspicious. Not enabled by default. If you select this parameter, |
| Lowest Suspicious Severity | Required. The lowest severity associated with the IP address to mark it suspicious. The default value is |
| Mark Suspicious N/A Severity | Required. If selected and the information about severity is unavailable, the action marks the entity as suspicious. |
Action outputs
The Enrich IP action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Available |
| Enrichment table | Available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
Case wall table
Name: ENTITY_IDENTIFIER
Columns:
- Source
- Severity
- Category
- Confidence
- Related Domains
Entity enrichment
The Enrich IP action supports the following entity enrichment logic:
| Enrichment field | Logic (when to apply) |
|---|---|
| severity | When available in JSON |
| average_confidence | When available in JSON |
| related_domains | When available in JSON |
| categories | When available in JSON |
| sources | When available in JSON |
| first_seen | When available in JSON |
| last_seen | When available in JSON |
| report_link | When available in JSON |
JSON result
The following example describes the JSON result output received when using the Enrich IP action with Backstory API:
```json
{
  "sources": [
    {
      "source": "Example List",
      "confidenceScore": {
        "normalizedConfidenceScore": "Low",
        "intRawConfidenceScore": 0
      },
      "rawSeverity": "High",
      "category": "Malware Command and Control Server"
    }
  ],
  "iocIngestTime": "2021-01-26T17:00:00Z",
  "firstSeenTime": "2018-10-03T00:03:53Z",
  "lastSeenTime": "2022-02-09T10:52:21.229Z",
  "uri": [
    "https://INSTANCE/domainResults?domain=example.net&selectedList=DomainViewDistinctAssets&whoIsTimestamp=2022-02-09T11%3A51%3A52.393783515Z"
  ]
}
```
The following example describes the JSON result output received when using the Enrich IP action with Chronicle API:
```json
[
  {
    "Entity": "192.0.2.121",
    "EntityResult": {
      "sources": [
        {
          "category": "Indicator was published in publicly available sources",
          "firstActiveTime": "1970-01-01T00:00:01Z",
          "lastActiveTime": "9999-12-31T23:59:59Z",
          "addresses": [
            {"ipAddress": "IP_ADDRESS"}
          ],
          "rawSeverity": "low",
          "confidenceScore": {"strRawConfidenceScore": "67"}
        }
      ],
      "feeds": [
        {
          "metadata": {
            "title": "Mandiant Open Source Intelligence",
            "description": "Open Source Intel IoC",
            "confidenceScoreBucket": {"rangeEnd": 100}
          },
          "iocs": [
            {
              "categorization": "Indicator was published in publicly available sources",
              "activeTimerange": {"start": "1970-01-01T00:00:01Z", "end": "9999-12-31T23:59:59Z"},
              "ipAndPorts": {"ipAddress": "IP_ADDRESS"},
              "confidenceScore": "67",
              "rawSeverity": "Low"
            }
          ]
        }
      ]
    }
  }
]
```
Output messages
The Enrich IP action provides the following output messages:
| Output message | Message description |
|---|---|
| Successfully enriched the following IPs from Google Chronicle: LIST_OF_IPS | The action succeeded. |
| Error executing action "Enrich IP". Reason: ERROR_REASON | The action failed. Check the connection to the server, the input parameters, or the credentials. |
Script result
The following table describes the values for the script result output when using the Enrich IP action:
| Script result name | Value |
|---|---|
| is_success | True or False |
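The action inputs and the entity enrichment table above describe the Enrich IP logic in words; the following added Python example (not the integration's own code) shows one way those rules compose when applied to the Chronicle API result shape shown on this page. The page does not say how severities are ranked or which key carries related domains, so the ordering in SEVERITY_RANK, the "Medium" default for Lowest Suspicious Severity, and the omission of related_domains are assumptions; report_link follows the Backstory "uri" field. The input records are constructed to match the documented structure.

```python
"""Derive Enrich IP enrichment fields and the suspicious flag from a Chronicle IoC result."""

# Assumed ranking of the rawSeverity values; the page lists no ordering.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample modelled on the Chronicle API result shown on this page,
# plus a second address with no IoC data so the N/A severity path is exercised.
SAMPLE = [
    {"Entity": "192.0.2.121", "EntityResult": {
        "sources": [{"category": "Indicator was published in publicly available sources",
                     "firstActiveTime": "1970-01-01T00:00:01Z",
                     "lastActiveTime": "9999-12-31T23:59:59Z",
                     "addresses": [{"ipAddress": "192.0.2.121"}],
                     "rawSeverity": "low",
                     "confidenceScore": {"strRawConfidenceScore": "67"}}],
        "feeds": [{"metadata": {"title": "Mandiant Open Source Intelligence"},
                   "iocs": [{"confidenceScore": "67", "rawSeverity": "Low"}]}]}},
    {"Entity": "198.51.100.7", "EntityResult": {"sources": [], "feeds": []}},
]


def _confidence(source):
    """Confidence as a float; Chronicle uses strRawConfidenceScore, Backstory intRawConfidenceScore."""
    score = source.get("confidenceScore", {})
    raw = score.get("strRawConfidenceScore", score.get("intRawConfidenceScore"))
    try:
        return float(raw)
    except (TypeError, ValueError):
        return None


def build_enrichment(entity_result):
    """Populate each enrichment field from the table above only 'when available in JSON'."""
    sources = entity_result.get("sources", [])
    feeds = entity_result.get("feeds", [])
    out = {}
    severities = [s["rawSeverity"].lower() for s in sources if s.get("rawSeverity")]
    if severities:  # worst severity across all sources
        out["severity"] = max(severities, key=lambda s: SEVERITY_RANK.get(s, -1))
    confidences = [c for c in map(_confidence, sources) if c is not None]
    if confidences:
        out["average_confidence"] = sum(confidences) / len(confidences)
    categories = sorted({s["category"] for s in sources if s.get("category")})
    if categories:
        out["categories"] = categories
    titles = sorted({f.get("metadata", {}).get("title") for f in feeds} - {None})
    if titles:
        out["sources"] = titles
    firsts = [s["firstActiveTime"] for s in sources if s.get("firstActiveTime")]
    lasts = [s["lastActiveTime"] for s in sources if s.get("lastActiveTime")]
    if firsts:
        out["first_seen"] = min(firsts)
    if lasts:
        out["last_seen"] = max(lasts)
    if entity_result.get("uri"):  # Backstory shape carries the report link in "uri"
        out["report_link"] = entity_result["uri"][0]
    return out


def is_suspicious(enrichment, lowest_suspicious_severity="Medium", mark_na_severity=False):
    """Apply Lowest Suspicious Severity and Mark Suspicious N/A Severity."""
    severity = enrichment.get("severity")
    if severity is None:
        return mark_na_severity
    threshold = SEVERITY_RANK[lowest_suspicious_severity.lower()]
    return SEVERITY_RANK.get(severity, -1) >= threshold


def enrich_all(results, lowest="Medium", mark_na=False, only_suspicious_insight=False):
    """Per-entity enrichment, suspicious flag, and whether an insight would be created."""
    report = {}
    for record in results:
        enrichment = build_enrichment(record["EntityResult"])
        suspicious = is_suspicious(enrichment, lowest, mark_na)
        report[record["Entity"]] = {
            "enrichment": enrichment,
            "suspicious": suspicious,
            "insight": suspicious or not only_suspicious_insight,
        }
    return report


if __name__ == "__main__":
    for entity, row in enrich_all(SAMPLE, lowest="Low").items():
        print(entity, row["suspicious"], row["enrichment"])
```

Worth noting when tuning the two severity parameters: an address with no IoC data at all (the second record) never reaches the threshold comparison, so it is marked suspicious only when Mark Suspicious N/A Severity is set, which is usually the opposite of what a noisy threat feed needs.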
Execute Retrohunt
Use the Execute Retrohunt action to execute a rule retrohunt in Google SecOps.
This action doesn't run on Google SecOps entities.
Action inputs
The Execute Retrohunt action requires the following parameters:
| Parameter | Description |
|---|---|
| Rule ID | Required. The ID of the rule to run a retrohunt for. Use the format |
| Time Frame | Optional. A period to retrieve the results for. The possible values are as follows: If The default value is |
| Start Time | The start time for the results in ISO 8601 format. This parameter is required if the |
| End Time | The end time for the results in ISO 8601 format. If you don't set a value and select the |
Action outputs
The Execute Retrohunt action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| Entity insight | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example describes the JSON result output received when using the Execute Retrohunt action with Backstory API:
```json
{
  "retrohuntId": "oh_d738c8ea-8fd7-4cc1-b43d-25835b8e1785",
  "ruleId": "ru_30979d84-aa89-47d6-bf4d-b4bb0eacb497",
  "versionId": "ru_30979d84-aa89-47d6-bf4d-b4bb0eacb497@v_1612472807_179679000",
  "eventStartTime": "2021-01-14T23:00:00Z",
  "eventEndTime": "2021-01-30T23:00:00Z",
  "retrohuntStartTime": "2021-02-08T02:40:59.192113Z",
  "state": "RUNNING"
}
```
The following example describes the JSON result output received when using the Execute Retrohunt action with Chronicle API:
```json
{
  "name": "projects/PROJECT_ID/locations/us/instances/INSTANCE_ID/operations/OPERATION_ID",
  "metadata": {
    "@type": "type.googleapis.com/RetrohuntMetadata",
    "retrohunt": "projects/PROJECT_ID/locations/us/instances/INSTANCE_ID/rules/RULE_ID/retrohunts/RETROHUNT_ID",
    "executionInterval": {
      "startTime": "2025-01-22T12:16:20.963182Z",
      "endTime": "2025-01-23T12:16:20.963182Z"
    }
  },
  "retrohuntId": "RETROHUNT_ID",
  "ruleId": "RULE_ID",
  "versionId": "VERSION_ID",
  "eventStartTime": "2025-01-22T12:16:20.963182Z",
  "eventEndTime": "2025-01-23T12:16:20.963182Z"
}
```
Output messages
The Execute Retrohunt action provides the following output messages:
| Output message | Message description |
|---|---|
| Successfully executed a retrohunt for the provided rule in Google Chronicle. | The action succeeded. |
| Error executing action "Execute Retrohunt". Reason: ERROR_REASON | The action failed. Check the connection to the server, the input parameters, or the credentials. |
Script result
The following table describes the values for the script result output when using the Execute Retrohunt action:
| Script result name | Value |
|---|---|
| is_success | True or False |
Execute UDM Query
Use the Execute UDM Query action to execute a custom UDM query in Google SecOps.
This action doesn't run on Google SecOps entities.
Action inputs
The Execute UDM Query action requires the following parameters:
| Parameter | Description |
|---|---|
| Query | Required. The query to execute in Google SecOps. |
| Include Raw Log Data | Optional. If selected, the action retrieves the original raw log file associated with the UDM search results. This option is only available when using Chronicle API authentication. Disabled by default. |
| Time Frame | Optional. A period to retrieve the results for. The possible values are as follows: If The default value is |
| Start Time | Optional. The start time for the results in ISO 8601 format (for example, This parameter is required if the The maximum time range is 90 days. |
| End Time | Optional. The end time for the results in ISO 8601 format (for example, If you don't set a value and the The maximum time range is 90 days. |
| Max Results To Return | Optional. The number of results to return for a single query. The maximum value is The default value is |
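Both Execute Retrohunt and Execute UDM Query take the same trio of Time Frame, Start Time and End Time inputs, and the page states the rules that bind them: a custom window needs Start Time, End Time falls back to the current time, timestamps are ISO 8601, and the range is capped at 90 days. The following added Python example (not the integration's code) turns those rules into a resolver a playbook can call before the action runs, so a bad window fails early with a clear message instead of as an API error. The page elides the Time Frame option names, so the names in TIME_FRAMES and the "Custom" value are assumptions.

```python
"""Resolve Time Frame / Start Time / End Time into a concrete UTC window."""
from datetime import datetime, timedelta, timezone

# Assumed option names and their look-back periods; the page does not list them.
TIME_FRAMES = {
    "Last Hour": timedelta(hours=1),
    "Last 6 Hours": timedelta(hours=6),
    "Last 24 Hours": timedelta(days=1),
    "Last Week": timedelta(weeks=1),
    "Last Month": timedelta(days=30),
}
CUSTOM = "Custom"            # assumed name of the option that enables Start/End Time
MAX_RANGE = timedelta(days=90)  # stated on the page for the UDM query inputs


def parse_iso8601(value):
    """Parse '2025-01-22T12:16:20.963182Z' or an explicit-offset form into aware UTC."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        raise ValueError(f"timestamp must carry a timezone: {value!r}")
    return parsed.astimezone(timezone.utc)


def resolve_window(time_frame="Last Hour", start_time=None, end_time=None, now=None):
    """Return (start, end) datetimes or raise ValueError with the reason.

    `now` may be an ISO 8601 string or datetime; it defaults to the wall clock.
    """
    if isinstance(now, str):
        now = parse_iso8601(now)
    elif now is None:
        now = datetime.now(timezone.utc)

    if time_frame == CUSTOM:
        if not start_time:
            raise ValueError("Start Time is required when Time Frame is Custom")
        start = parse_iso8601(start_time)
        end = parse_iso8601(end_time) if end_time else now  # End Time defaults to now
    elif time_frame in TIME_FRAMES:
        end = now
        start = now - TIME_FRAMES[time_frame]
    else:
        raise ValueError(f"unknown Time Frame {time_frame!r}")

    if end <= start:
        raise ValueError("End Time must be after Start Time")
    if end - start > MAX_RANGE:
        raise ValueError("time range exceeds the 90-day maximum")
    return start, end


def window_as_strings(*args, **kwargs):
    """The window in the Z-suffixed ISO 8601 form the API examples on this page use."""
    start, end = resolve_window(*args, **kwargs)
    return (start.strftime("%Y-%m-%dT%H:%M:%SZ"), end.strftime("%Y-%m-%dT%H:%M:%SZ"))


def window_error(*args, **kwargs):
    """The validation message a playbook would surface, or None when inputs are valid."""
    try:
        resolve_window(*args, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(window_as_strings("Last 24 Hours"))
    print(window_error("Custom", start_time="2025-01-01T00:00:00Z", end_time="2025-06-01T00:00:00Z"))
```

Passing `now` explicitly keeps the resolver deterministic in playbook tests; in production leave it unset so the window tracks the clock.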
Action outputs
The Execute UDM Query action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example describes the JSON result output received when using the Execute UDM Query action:
```json
{
  "events": [
    {
      "event": {
        "metadata": {
          "eventTimestamp": "2022-01-20T09:15:15.687Z",
          "eventType": "USER_LOGIN",
          "vendorName": "Example Vendor",
          "productName": "Example Product",
          "ingestedTimestamp": "2022-01-20T09:45:07.433587Z"
        },
        "principal": {
          "hostname": "example-user-pc",
          "ip": ["203.0.113.0"],
          "mac": ["01:23:45:ab:cd:ef", "01:23:45:ab:cd:ef", "01:23:45:ab:cd:ef"],
          "location": {"city": "San Francisco", "state": "California", "countryOrRegion": "US"},
          "asset": {
            "hostname": "example-user-pc",
            "ip": ["203.0.113.1", "203.0.113.1", "203.0.113.1"],
            "mac": ["01:23:45:ab:cd:ef", "01:23:45:ab:cd:ef", "01:23:45:ab:cd:ef"]
          }
        },
        "target": {
          "user": {
            "userid": "Example",
            "userDisplayName": "Example User",
            "windowsSid": "S-1-5-21-4712406912-7108061610-2717800068-993683",
            "emailAddresses": ["example@example.com", "admin.example@example.com"],
            "employeeId": "2406187",
            "productObjectId": "f93f1540-4935-4266-aa8e-a750a319aa1c",
            "firstName": "Example",
            "lastName": "User",
            "phoneNumbers": ["555-01-75"],
            "title": "Executive Assistant",
            "companyName": "Example Corp",
            "department": ["Executive - Admin"],
            "managers": [
              {
                "userDisplayName": "Example User",
                "windowsSid": "S-1-5-21-6051382818-4135626959-8120238335-834071",
                "emailAddresses": ["user@example.com"],
                "employeeId": "5478500",
                "productObjectId": "8b3924d5-6157-43b3-857b-78aa6bd94705",
                "firstName": "User",
                "lastName": "Example",
                "phoneNumbers": ["555-01-75"],
                "title": "Chief Technology Officer",
                "companyName": "Example Corp",
                "department": ["Executive - Admin"]
              }
            ]
          },
          "ip": ["198.51.100.1"],
          "email": "email@example.com",
          "application": "Example Sign In"
        },
        "securityResult": [
          {"summary": "Successful Login", "action": ["ALLOW"]}
        ],
        "extensions": {"auth": {"type": "SSO"}}
      },
      "eventLogToken": "96f23eb9ffaa9f7e7b0e2ff5a0d2e34c,1,1642670115687000,USER,|USER_LOGIN"
    }
  ]
}
```
Output messages
The Execute UDM Query action provides the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Execute UDM Query". Reason: ERROR_REASON | The action failed. Check the connection to the server, the input parameters, or the credentials. |
| Error executing action "Execute UDM Query". Reason: you've reached a rate limit. Please wait for several minutes and try again. | The action failed. Wait for several minutes before running the action again. |
Script result
The following table describes the values for the script result output when using the Execute UDM Query action:
| Script result name | Value |
|---|---|
| is_success | True or False |
Generate UDM Query
(Preview) Use the Generate UDM Query action to construct complex UDM queries using natural language prompts in Google SecOps.
This action doesn't run on Google SecOps entities.
Note: This action requires Chronicle API authentication. The legacy Backstory API authentication is not supported.
Action inputs
The Generate UDM Query action requires the following parameters:
| Parameter | Description |
|---|---|
| Prompt | Required. The prompt that the system uses to generate the structured UDM query. |
Action outputs
The Generate UDM Query action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example describes the JSON result output received when using the Generate UDM Query action:
```json
{"query": "ip = \"10.0.0.1\""}
```
Output messages
The Generate UDM Query action provides the following output messages:
| Output message | Message description |
|---|---|
| Successfully generated a UDM query in Google SecOps. | The action succeeded. |
| Error executing action "Generate UDM Query". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table describes the values for the script result output when using the Generate UDM Query action:
| Script result name | Value |
|---|---|
| is_success | true or false |
Get Data Tables
Use the Get Data Tables action to retrieve available data tables in Google SecOps.
This action doesn't run on Google SecOps entities.
Note: This action only works with Chronicle API authentication. Backstory API is not supported. If you are using a Unified SecOps deployment, ensure you have configured a dedicated Service Account and provided credentials in the integration parameters.
Action inputs
The Get Data Tables action requires the following parameters:
| Parameter | Description |
|---|---|
| Filter Key | Optional. The key to filter by. The possible values are as follows: Name, Description |
| Filter Logic | Optional. The filter logic to apply. The possible values are as follows: Equal (for exact matches), Contains (for substring matches) |
| Filter Value | Optional. The value to use in the filter. The possible values are as follows: Equal (for exact matches), Contains (for substring matches). If nothing is provided, the filter won't be applied. |
| Expanded Rows | Optional. If selected, the response includes detailed data table rows. Not enabled by default. |
| Max Data Tables To Return | Required. The number of data tables to return. The maximum value is |
| Max Data Table Rows To Return | Required. The number of data table rows to return. Only use this parameter if The maximum value is |
Action outputs
The Get Data Tables action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example describes the JSON result output received when using the Get Data Tables action:
```json
{"name":"projects/365235532452/locations/us/instances/df6f1958-0381-41f9-8794-08a3229744a5/dataTables/data_table","displayName":"data_table","createTime":"2025-05-14T12:52:50.064133Z","updateTime":"2025-05-14T13:13:48.631442Z","columnInfo":[{"originalColumn":"columnName1","columnType":"STRING"},{"columnIndex":1,"originalColumn":"columnName2","columnType":"STRING"},{"columnIndex":2,"originalColumn":"columnName3","columnType":"STRING"}],"dataTableUuid":"c3cce57bb8d940d5ac4523c37d540436","approximateRowCount":"2","rows":[{"name":"projects/365235532452/locations/us/instances/df6f1958-0381-41f9-8794-08a3229744a5/dataTables/data_table/dataTableRows/840d18a85944833e1b97ed6d2fb11377","values":{"columnName1":"asda","columnName2":"asdasd","columnName3":"zxczxc"},"createTime":"2025-05-14T12:52:51.908143Z","updateTime":"2025-05-14T12:52:51.908143Z"}]}
```
Output messages
The Get Data Tables action provides the following output messages:
| Output message | Message description |
|---|---|
| Successfully found data tables for the provided criteria in Google SecOps | The action succeeded. |
| Error executing action "Get Data Tables". Reason: ERROR_REASON | The action failed. Check connection to the server, input parameters, or credentials. |
Script result
The following table describes the values for the script result output when using the Get Data Tables action:
| Script result name | Value |
|---|---|
| is_success | true or false |
Get Detection Details
Use the Get Detection Details action to retrieve information about a detection in Google SecOps.
This action doesn't run on Google SecOps entities.
Action inputs
The Get Detection Details action requires the following parameters:
| Parameter | Description |
|---|---|
| Rule ID | Required. The ID of the rule related to the detection. Use the format |
| Detection ID | Required. The ID of the detection to fetch details for. If special characters are provided, the action doesn't fail, but returns a list of detections. |
| Include Raw Log Data | Optional. If selected, the action retrieves the original raw log file associated with the UDM search results. This option is only available when using Chronicle API authentication. Disabled by default. |
Action outputs
The Get Detection Details action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example describes the JSON result output received when using the Get Detection Details action:
```json
{"type":"RULE_DETECTION","detection":[{"ruleName":"singleEventRule2","urlBackToProduct":"https://INSTANCE/ruleDetections? ruleId=ru_1f54ab4b-e523-48f7-ae25-271b5ea8337d&selectedList=RuleDetectionsViewTimeline& selectedParentDetectionId=de_ce594791-09ed-9681-27fa-3b7c8fa6054c& selectedTimestamp=2020-12-03T16: 50: 47.647245Z","ruleId":"ru_1f54ab4b-e523-48f7-ae25-271b5ea8337d","ruleVersion":"ru_1f54ab4b-e523-48f7-ae25-271b5ea8337d@v_1605892822_687503000","alertState":"NOT_ALERTING","ruleType":"SINGLE_EVENT"}],"createdTime":"2020-12-03T19:19:21.325134Z","id":"de_ce594791-09ed-9681-27fa-3b7c8fa6054c","timeWindow":{"startTime":"2020-12-03T16:50:47.647245Z","endTime":"2020-12-03T16:50:47.647245Z"},"collectionElements":[{"references":[{"event":{"metadata":{"eventTimestamp":"2020-12-03T16:50:47.647245Z","collectedTimestamp":"2020-12-03T16:50:47.666064010Z","eventType":"NETWORK_DNS","productName":"ProductName","ingestedTimestamp":"2020-12-03T16:50:49.494542Z"},"principal":{"ip":["192.0.2.1"]},"target":{"ip":["203.0.113.1"]},"securityResult":[{"action":["UNKNOWN_ACTION"]}],"network":{"applicationProtocol":"DNS","dns":{"questions":[{"name":"example.com","type":1,"class":1}],"id":12345,"recursionDesired":true}}}}],"label":"e"}],"detectionTime":"2020-12-03T16:50:47.647245Z"}
```
Output messages
The Get Detection Details action provides the following output messages:
| Output message | Message description |
|---|---|
| Successfully fetched information about the detection with ID DETECTION_ID in Google Chronicle. | The action succeeded. |
| Error executing action "Get Detection Details". Reason: ERROR_REASON | The action failed. Check connection to the server, input parameters, or credentials. |
Script result
The following table describes the values for the script result output when using the Get Detection Details action:
| Script result name | Value |
|---|---|
| is_success | True or False |
Get Reference Lists
Use the Get Reference Lists action to retrieve available reference lists in Google SecOps.
This action doesn't run on Google SecOps entities.
Action inputs
The Get Reference Lists action requires the following parameters:
| Parameter | Description |
|---|---|
| Filter Key | The key to filter by. The possible values are as follows: |
| Filter Logic | The filter logic to apply. The possible values are as follows: Equal (for exact matches), Contains (for substring matches). The default value is |
| Filter Value | The value to use in the filter. The possible values are as follows: Equal (for exact matches), Contains (for substring matches). If no value is provided, the filter isn't applied. |
| Expanded Details | If selected, the action returns detailed information about the reference lists. Not enabled by default. |
| Max Reference Lists To Return | The number of reference lists to return. The default value is |
Action outputs
The Get Reference Lists action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
Case wall table
On a Case Wall, the Get Reference Lists action provides the following table:
Name: Available Reference Lists
Columns:
- Name
- Description
- Type
JSON result
The following example describes the JSON result output received when using the Get Reference Lists action with Backstory API:
```json
{"name":"list_name","description":"description of the list","lines":["192.0.2.0/24","198.51.100.0/24"],"create_time":"2020-11-20T17:18:20.409247Z","content_type":"CIDR"}
```
The following example describes the JSON result output received when using the Get Reference Lists action with Chronicle API:
```json
[{"name":"projects/PROJECT_ID/locations/us/instances/INSTANCE_ID/referenceLists/REFERENCE_LIST_ID","displayName":"REFERENCE_LIST_ID","revisionCreateTime":"2025-01-09T15:53:10.851775Z","description":"Test reference list","syntaxType":"REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING","scopeInfo":{"referenceListScope":{}},"createTime":"2025-01-09T15:53:10.851775Z"}]
```
Output messages
The Get Reference Lists action provides the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action ACTION_NAME. Reason: ERROR_REASON | The action failed. Check the connection to the server, the input parameters, or the credentials. |
| Error executing action ACTION_NAME. Reason: "Invalid value was provided for "Max Reference Lists to Return": PROVIDED_VALUE. Positive number should be provided. | The action failed. Check the value for the |
Script result
The following table describes the values for the script result output when using the Get Reference Lists action:
| Script result name | Value |
|---|---|
| is_success | True or False |
Get Rule Details
Use the Get Rule Details action to retrieve information about a rule in Google SecOps.
This action doesn't run on Google SecOps entities.
Note: Information regarding curated rules can only be retrieved using the Chronicle API and may require specific permissions.
Action inputs
The Get Rule Details action requires the following parameters:
| Parameter | Description |
|---|---|
| Rule ID | Required. The unique ID of the rule for which to fetch details. The default value is |
Action outputs
The Get Rule Details action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example describes the JSON result output received when using the Get Rule Details action with Backstory API:
```json
{"ruleId":"ru_e6abfcb5-1b85-41b0-b64c-695b3250436f","versionId":"ru_e6abfcb5-1b85-41b0-b64c-695b3250436f@v_1602631093_146879000","ruleName":"SampleRule","metadata":{"description":"Sample Description of the Rule","author":"author@example.com"},"ruleText":"rule SampleRule { meta: description = \"Sample Description of the Rule\" author = \"author@example.com\" events: // This will just generate lots of detections $event.metadata.event_type = \"NETWORK_HTTP\" condition: $event } ","liveRuleEnabled":true,"versionCreateTime":"2020-10-13T23:18:13.146879Z","compilationState":"SUCCEEDED"}
```
The following example describes the JSON result output received when using the Get Rule Details action with Chronicle API:
```json
{"name":"projects/PROJECT_ID/locations/us/instances/INSTANCE_ID/rules/RULE_ID","revisionId":"v_1733917896_973567000","displayName":"Test_rule_SingleEvent","text":"rule Test_rule_SingleEvent {\n // This rule matches single events. Rules can also match multiple events within\n // some time window. For details about how to write a multi-event rule, see\n //URL\n\n meta:\n // Allows for storage of arbitrary key-value pairs of rule details - who\n // wrote it, what it detects on, version control, etc.\n // The \"author\" and \"severity\" fields are special, as they are used as\n // columns on the rules dashboard. If you want to sort based on\n // these fields on the dashboard, make sure to add them here.\n // Severity value, by convention, should be \"Low\", \"Medium\" or \"High\"\n author = \"example_user\"\n description = \"windowed single event example rule\"\n //severity = \"Medium\"\n\n events:\n $e.metadata.event_type = \"USER_LOGIN\"\n $e.principal.user.userid = $user\n\n //outcome:\n // For a multi-event rule an aggregation function is required\n // e.g., risk_score = max(0)\n // SeeURL\n //$risk_score = 0\n match:\n $user over 1m\n\n condition:\n #e > 0\n}\n","author":"example_user","metadata":{"author":"example_user","description":"windowed single event example rule","severity":null},"createTime":"2024-12-11T11:36:18.192127Z","revisionCreateTime":"2024-12-11T11:51:36.973567Z","compilationState":"SUCCEEDED","type":"SINGLE_EVENT","allowedRunFrequencies":["LIVE","HOURLY","DAILY"],"etag":"CMj55boGEJjondAD","ruleId":"RULE_ID","versionId":"RULE_ID@v_1733917896_973567000","ruleName":"Test_rule_SingleEvent","ruleText":"rule Test_rule_SingleEvent {\n // This rule matches single events. Rules can also match multiple events within\n // some time window. For details about how to write a multi-event rule, see\n //URL\n\n meta:\n // Allows for storage of arbitrary key-value pairs of rule details - who\n // wrote it, what it detects on, version control, etc.\n // The \"author\" and \"severity\" fields are special, as they are used as\n // columns on the rules dashboard. If you want to sort based on\n // these fields on the dashboard, make sure to add them here.\n // Severity value, by convention, should be \"Low\", \"Medium\" or \"High\"\n author = \"example_user\"\n description = \"windowed single event example rule\"\n //severity = \"Medium\"\n\n events:\n $e.metadata.event_type = \"USER_LOGIN\"\n $e.principal.user.userid = $user\n\n //outcome:\n // For a multi-event rule an aggregation function is required\n // e.g., risk_score = max(0)\n // SeeURL\n //$risk_score = 0\n match:\n $user over 1m\n\n condition:\n #e > 0\n}\n","ruleType":"SINGLE_EVENT","versionCreateTime":"2024-12-11T11:51:36.973567Z"}
```
Output messages
The Get Rule Details action provides the following output messages:
| Output message | Message description |
|---|---|
| Successfully fetched information about the rule with ID RULE_ID in Google Chronicle. | The action succeeded. |
| Error executing action "Get Rule Details". Reason: ERROR_REASON | The action failed. Check the connection to the server, the input parameters, or the credentials. |
Script result
The following table describes the values for the script result output when using the Get Rule Details action:
| Script result name | Value |
|---|---|
| is_success | True or False |
Is Value In Data Table
Use the Is Value In Data Table action to check if the provided values are in a data table in Google SecOps.
This action doesn't run on Google SecOps entities.
Note: This action only works with Chronicle API authentication. Backstory API is not supported. If you are using a Unified SecOps deployment, ensure you have configured a dedicated Service Account and provided credentials in the integration parameters.
Action inputs
The Is Value In Data Table action requires the following parameters:
| Parameter | Description |
|---|---|
| Data Table Name | Required. The display name of the data table to search. |
| Column | Optional. A comma-separated list of columns to search. If no value is provided, the action searches all columns. |
| Values | Required. A comma-separated list of values to search for. |
| Case Insensitive Search | Optional. If selected, the search is case-insensitive. Enabled by default. |
| Max Data Table Rows To Return | Required. The number of data table rows to return per matched value. The maximum value is |
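As an added illustration of how these parameters combine (not the integration's own code), the following Python models the lookup locally: it parses the comma-separated Column and Values inputs, applies the case-insensitivity switch, caps the rows returned per matched value, and returns the per-value structure in the shape of this action's JSON result. The sample table is constructed in the shape of the Get Data Tables JSON result shown on this page, and the row names and function names are assumptions.

```python
"""Local model of the Is Value In Data Table lookup (added example, not
integration code). The table below is constructed in the shape of the
Get Data Tables JSON result on this page; row names are placeholders."""
import json

# Constructed sample data table (shape follows the Get Data Tables JSON result).
SAMPLE_TABLE = {
    "displayName": "data_table",
    "columnInfo": [
        {"originalColumn": "columnName1", "columnType": "STRING"},
        {"columnIndex": 1, "originalColumn": "columnName2", "columnType": "STRING"},
        {"columnIndex": 2, "originalColumn": "columnName3", "columnType": "STRING"},
    ],
    "rows": [
        {"name": "PLACEHOLDER/dataTableRows/row1",
         "values": {"columnName1": "asda", "columnName2": "asdasd", "columnName3": "zxczxc"}},
        {"name": "PLACEHOLDER/dataTableRows/row2",
         "values": {"columnName1": "ASDA", "columnName2": "x", "columnName3": "y"}},
        {"name": "PLACEHOLDER/dataTableRows/row3",
         "values": {"columnName1": "other", "columnName2": "asda", "columnName3": "z"}},
    ],
}


def split_csv(param):
    """Parse a comma-separated action parameter into a list, dropping blanks."""
    return [p.strip() for p in param.split(",") if p.strip()]


def is_value_in_data_table(table, values, columns="", case_insensitive=True, max_rows=10):
    """Search `values` in `table`; return [{"Entity": ..., "EntityResult": {...}}, ...].

    columns: comma-separated column list; empty means all columns (as on the page).
    case_insensitive: compare values after lower-casing both sides.
    max_rows: rows returned per matched value (Max Data Table Rows To Return).
    """
    known = [c["originalColumn"] for c in table["columnInfo"]]
    wanted = split_csv(columns) or known
    missing = [c for c in wanted if c not in known]
    if missing:
        # Analogue of the page's "were not found" failure: unknown columns abort the action.
        raise ValueError(f"columns not found in {table['displayName']}: {', '.join(missing)}")

    def norm(text):
        return text.lower() if case_insensitive else text

    results = []
    for value in split_csv(values):
        matched = [
            row for row in table["rows"]
            if any(norm(str(row["values"].get(col, ""))) == norm(value) for col in wanted)
        ]
        results.append({
            "Entity": value,
            "EntityResult": {"is_found": bool(matched), "matched_rows": matched[:max_rows]},
        })
    return results


if __name__ == "__main__":
    # "asda" matches three rows case-insensitively but only two are returned with max_rows=2.
    print(json.dumps(is_value_in_data_table(SAMPLE_TABLE, "asda, nothere", "", True, 2), indent=2))
```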
Action outputs
The Is Value In Data Table action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example describes the JSON result output received when using the Is Value In Data Table action:
```json
[{"Entity":"asda","EntityResult":{"is_found":true,"matched_rows":[{"name":"projects/365235532452/locations/us/instances/df6f1958-0381-41f9-8794-08a3229744a5/dataTables/data_table/dataTableRows/840d18a85944833e1b97ed6d2fb11377","values":{"columnName1":"asda","columnName2":"asdasd","columnName3":"zxczxc"},"createTime":"2025-05-14T12:52:51.908143Z","updateTime":"2025-05-14T12:52:51.908143Z"}]}}]
```
Output messages
The Is Value In Data Table action provides the following output messages:
| Output message | Message description |
|---|---|
| Successfully searched provided values in the data table {data table} in Google SecOps. | The action succeeded. |
| Error executing action "Is Value In Data Table". Reason: ERROR_REASON | The action failed. Check the connection to the server, the input parameters, or the credentials. |
| Error executing action "Is Value In Data Table". Reason: the following data tables were not found in: DATA_TABLE_NAME: COLUMN_NAMES. Please check the spelling. | The action failed. |
| Error executing action "Is Value In Data Table". Reason: This action is not supported for Backstory API configuration. Please update the integration configuration. | The action failed. |
Script result
The following table describes the values for the script result output when using the Is Value In Data Table action:
| Script result name | Value |
|---|---|
| is_success | true or false |
Is Value In Reference List
Use the Is Value In Reference List action to check if the provided values are found in reference lists in Google SecOps.
This action doesn't run on Google SecOps entities.
Action inputs
The Is Value In Reference List action requires the following parameters:
| Parameter | Description |
|---|---|
| Reference List Names | Required. A comma-separated list of reference list names to search. |
| Values | Required. A comma-separated list of values to search for. |
| Case Insensitive Search | Optional. If selected, the search is case-insensitive. |
Action outputs
The Is Value In Reference List action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example describes the JSON result output received when using the Is Value In Reference List action with Backstory API:
```json
{"Entity":"example.com","EntityResult":{"found_in":["Reference list names, where item was found"],"not_found_in":["Reference list names, where items wasn't found"],"overall_status":"found, if at least one reference list had the value/not found, if non of the reference lists found the value"}}
```
The following example describes the JSON result output received when using the Is Value In Reference List action with Chronicle API:
```json
{"Entity":"example.com","EntityResult":{"found_in":["Reference list names, where item was found"],"not_found_in":["Reference list names, where items wasn't found"],"overall_status":"found, if at least one reference list had the value/not found, if non of the reference lists found the value"}}
```
Output messages
The Is Value In Reference List action provides the following output messages:
| Output message | Message description |
|---|---|
| Successfully searched provided values in the reference lists in Google Chronicle. | The action succeeded. |
| Error executing action "Is Value In Reference List". Reason: ERROR_REASON | The action failed. Check the connection to the server, the input parameters, or the credentials. |
| Error executing action "Is Value In Reference List". Reason: the following reference lists were not found in Google Chronicle: MISSING_REFERENCE_LIST_NAME(S). Please use the action "Get Reference Lists" to see what reference lists are available. | The action failed. Run the Get Reference Lists action to check for available lists. |
Script result
The following table describes the values for the script result output when using the Is Value In Reference List action:
| Script result name | Value |
|---|---|
| is_success | True or False |
List Assets
Use the List Assets action to list assets in Google SecOps based on related entities within a specified time period.
This action only supports the MD5, SHA-1, and SHA-256 hashes.
This action runs on the following Google SecOps entities:
- URL
- IP Address
- Hash
Action inputs
The List Assets action requires the following parameters:
| Parameter | Description |
|---|---|
| Max Hours Backwards | The number of hours prior to now to fetch the assets. The default value is |
| Create Insight | If selected, the action creates an insight with information about the entities. Enabled by default. |
| Max Assets To Return | The number of assets to return. The default value is |
| Time Frame | Optional. A period to retrieve the results for. The possible values are as follows: If The default value is |
| Start Time | The start time in ISO 8601 format. This parameter is required if the |
| End Time | The end time in ISO 8601 format. If you don't set a value and set the |
Action outputs
The List Assets action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
Case wall table
Name: ENTITY_IDENTIFIER
Columns:
- Hostname
- IP Address
- First Seen Artifact
- Last Seen Artifact
JSON result
The following example describes the JSON result output received when using the List Assets action with Backstory API:
```json
{"assets":[{"asset":{"hostname":"example"},"firstSeenArtifactInfo":{"artifactIndicator":{"domainName":"www.example.com"},"seenTime":"2020-02-28T09:18:15.675Z"},"lastSeenArtifactInfo":{"artifactIndicator":{"domainName":"www.example.com"},"seenTime":"2020-09-24T06:43:59Z"}}],"uri":["https://INSTANCE/domainResults?domain=www.example.com&selectedList=DomainViewDistinctAssets&whoIsTimestamp=2020-09-27T12%3A07%3A34.166830443Z"]}
```
The following example describes the JSON result output received when using the List Assets action with Chronicle API:
```json
[{"Entity":"192.0.2.229","EntityResult":{"assets":[{"artifactIndicator":{"domain":"example.com"},"sources":["Mandiant Open Source Intelligence"],"categories":["Indicator was published in publicly available sources"],"assetIndicators":[{"assetIpAddress":"192.0.2.229"}],"iocIngestTimestamp":"2024-09-20T14:14:07.843Z","firstSeenTimestamp":"2025-01-15T11:20:00Z","lastSeenTimestamp":"2025-01-15T11:20:00Z","filterProperties":{"stringProperties":{"TLD":{"values":[{"rawValue":".com"}]},"IOC FEED":{"values":[{"rawValue":"Mandiant Open Source Intelligence"}]},"IOC CATEGORIES":{"values":[{"rawValue":"Indicator was published in publicly available sources"}]},"IOC CONFIDENCE SCORE":{"values":[{"rawValue":"High"}]},"IOC/ALERT SEVERITY":{"values":[{"rawValue":"Medium"}]}}},"confidenceBucket":"High","rawSeverity":"Medium","logType":"OPEN_SOURCE_INTEL_IOC","confidenceScore":100,"globalCustomerId":"ID","confidenceScoreBucket":{"rangeEnd":100},"categorization":"Indicator was published in publicly available sources","domainAndPorts":{"domain":"example.com"},"activeTimerange":{"startTime":"1970-01-01T00:00:01Z","endTime":"9999-12-31T23:59:59Z"},"feedName":"MANDIANT","id":"ID","fieldAndValue":{"value":"ex ","valueType":"DOMAIN_NAME"}},{"artifactIndicator":{"domain":"example.com"},"sources":["Mandiant Active Breach Intelligence"],"categories":["Indicator was published in publicly available sources"],"assetIndicators":[{"assetIpAddress":"192.0.2.229"}],"iocIngestTimestamp":"2023-07-05T02:42:52.935Z","firstSeenTimestamp":"2025-01-15T11:20:00Z","lastSeenTimestamp":"2025-01-15T11:20:00Z","filterProperties":{"stringProperties":{"IOC/ALERT SEVERITY":{"values":[{"rawValue":"Medium"}]},"IOC CONFIDENCE SCORE":{"values":[{"rawValue":"High"}]},"IOC FEED":{"values":[{"rawValue":"Mandiant Active Breach Intelligence"}]},"IOC CATEGORIES":{"values":[{"rawValue":"Indicator was published in publicly available sources"}]},"TLD":{"values":[{"rawValue":".com"}]}}},"confidenceBucket":"High","rawSeverity":"Medium","logType":"MANDIANT_ACTIVE_BREACH_IOC","confidenceScore":100,"globalCustomerId":"ID","confidenceScoreBucket":{"rangeEnd":100},"categorization":"Indicator was published in publicly available sources","domainAndPorts":{"domain":"example.com"},"activeTimerange":{"startTime":"1970-01-01T00:00:01Z","endTime":"9999-12-31T23:59:59Z"},"feedName":"MANDIANT","id":"ID","fieldAndValue":{"value":"example.com","valueType":"DOMAIN_NAME"}}],"uri":"https://INSTANCE.backstory.chronicle.security/destinationIpResults?ADDRESS=192.0.2.229&selectedList=IpViewDistinctAssets&referenceTime=2025-01-23T11%3A16%3A24.517449Z"}}]
```
Output messages
The List Assets action provides the following output messages:
| Output message | Message description |
|---|---|
| Successfully listed related assets for the following entities from Google Chronicle: ENTITY_IDENTIFIER | The action succeeded. |
| Error executing action "List Assets". Reason: ERROR_REASON | The action failed. Check the connection to the server, the input parameters, or the credentials. |
Script result
The following table describes the values for the script result output when using the List Assets action:
| Script result name | Value |
|---|---|
| is_success | True or False |
List Events
Use the List Events action to list events on a particular asset within a specified time period.
This action can only retrieve 10,000 events.
This action runs on the following Google SecOps entities:
- IP address
- MAC address
- Hostname
Action inputs
The List Events action requires the following parameters:
| Parameter | Description |
|---|---|
| Event Types | A comma-separated list of event types. If no value is provided, all event types are fetched. For a list of all possible values, see Event type possible values. |
| Time Frame | The specified time period. We recommend keeping it as small as possible for better results. If If The possible values are as follows: The default value is |
| Start Time | The start time in ISO 8601 format. This parameter is required if the |
| End Time | The end time in ISO 8601 format. If no value is provided and the This parameter accepts the |
| Reference Time | The reference time for the event search. If no value is provided, the action uses the end time as the reference. |
| Output | Required. The output format. The possible values are as follows: |
| Max Events To Return | The number of events to process for each entity type. The default value is |
Event type possible values
The possible values for the Event Type parameter are as follows:
- EVENTTYPE_UNSPECIFIED
- PROCESS_UNCATEGORIZED
- PROCESS_LAUNCH
- PROCESS_INJECTION
- PROCESS_PRIVILEGE_ESCALATION
- PROCESS_TERMINATION
- PROCESS_OPEN
- PROCESS_MODULE_LOAD
- REGISTRY_UNCATEGORIZED
- REGISTRY_CREATION
- REGISTRY_MODIFICATION
- REGISTRY_DELETION
- SETTING_UNCATEGORIZED
- SETTING_CREATION
- SETTING_MODIFICATION
- SETTING_DELETION
- MUTEX_UNCATEGORIZED
- MUTEX_CREATION
- FILE_UNCATEGORIZED
- FILE_CREATION
- FILE_DELETION
- FILE_MODIFICATION
- FILE_READ
- FILE_COPY
- FILE_OPEN
- FILE_MOVE
- FILE_SYNC
- USER_UNCATEGORIZED
- USER_LOGIN
- USER_LOGOUT
- USER_CREATION
- USER_CHANGE_PASSWORD
- USER_CHANGE_PERMISSIONS
- USER_STATS
- USER_BADGE_IN
- USER_DELETION
- USER_RESOURCE_CREATION
- USER_RESOURCE_UPDATE_CONTENT
- USER_RESOURCE_UPDATE_PERMISSIONS
- USER_COMMUNICATION
- USER_RESOURCE_ACCESS
- USER_RESOURCE_DELETION
- GROUP_UNCATEGORIZED
- GROUP_CREATION
- GROUP_DELETION
- GROUP_MODIFICATION
- EMAIL_UNCATEGORIZED
- EMAIL_TRANSACTION
- EMAIL_URL_CLICK
- NETWORK_UNCATEGORIZED
- NETWORK_FLOW
- NETWORK_CONNECTION
- NETWORK_FTP
- NETWORK_DHCP
- NETWORK_DNS
- NETWORK_HTTP
- NETWORK_SMTP
- STATUS_UNCATEGORIZED
- STATUS_HEARTBEAT
- STATUS_STARTUP
- STATUS_SHUTDOWN
- STATUS_UPDATE
- SCAN_UNCATEGORIZED
- SCAN_FILE
- SCAN_PROCESS_BEHAVIORS
- SCAN_PROCESS
- SCAN_HOST
- SCAN_VULN_HOST
- SCAN_VULN_NETWORK
- SCAN_NETWORK
- SCHEDULED_TASK_UNCATEGORIZED
- SCHEDULED_TASK_CREATION
- SCHEDULED_TASK_DELETION
- SCHEDULED_TASK_ENABLE
- SCHEDULED_TASK_DISABLE
- SCHEDULED_TASK_MODIFICATION
- SYSTEM_AUDIT_LOG_UNCATEGORIZED
- SYSTEM_AUDIT_LOG_WIPE
- SERVICE_UNSPECIFIED
- SERVICE_CREATION
- SERVICE_DELETION
- SERVICE_START
- SERVICE_STOP
- SERVICE_MODIFICATION
- GENERIC_EVENT
- RESOURCE_CREATION
- RESOURCE_DELETION
- RESOURCE_PERMISSIONS_CHANGE
- RESOURCE_READ
- RESOURCE_WRITTEN
- ANALYST_UPDATE_VERDICT
- ANALYST_UPDATE_REPUTATION
- ANALYST_UPDATE_SEVERITY_SCORE
- ANALYST_UPDATE_STATUS
- ANALYST_ADD_COMMENT
Action outputs
The List Events action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example describes the JSON result output received when using the List Events action (the example is one JSON object; the `statistics` and `events` members are separated by a comma):
```json
{"statistics":{"NETWORK_CONNECTION":10},"events":[{"metadata":{"eventTimestamp":"2020-09-28T14:20:00Z","eventType":"NETWORK_CONNECTION","productName":"EXAMPLE Name","productEventType":"NETWORK_DNS","ingestedTimestamp":"2020-09-28T16:28:11.615578Z"},"principal":{"hostname":"user-example-pc","assetId":"EXAMPLE:user-example-pc","process":{"pid":"1101","productSpecificProcessId":"EXAMPLE:32323"}},"target":{"hostname":"example.com","user":{"userid":"user"},"process":{"pid":"8172","file":{"md5":"a219fc7fcc93890a842183388f80369e","fullPath":"C:\\Program Files(x86)\\adobe\\acrobat reader dc\\reader\\acrord32.exe"},"commandLine":"\"C:\\Program Files(x86)\\adobe\\acrobat reader dc\\reader\\acrord32.exe\" ...","productSpecificProcessId":"EXAMPLE:82315"}}},{"metadata":{"eventTimestamp":"2020-09-28T17:20:00Z","eventType":"NETWORK_CONNECTION","productName":"EXAMPLE Name","productEventType":"NETWORK_DNS","ingestedTimestamp":"2020-09-28T16:28:11.615578Z"},"principal":{"hostname":"user-example-pc","assetId":"EXAMPLE:user-example-pc","process":{"pid":"1101","productSpecificProcessId":"EXAMPLE:32323"}},"target":{"hostname":"example.com","user":{"userid":"user"},"process":{"pid":"8172","file":{"md5":"a219fc7fcc93890a842183388f80369e","fullPath":"C:\\Program Files(x86)\\adobe\\acrobat reader dc\\reader\\acrord32.exe"},"commandLine":"\"C:\\Program Files(x86)\\adobe\\acrobat reader dc\\reader\\acrord32.exe\" ...","productSpecificProcessId":"EXAMPLE:82315"}}}],"uri":["https://INSTANCE/assetResults?assetIdentifier=user-example-pc&referenceTime=2020-09-28T17%3A00%3A00Z&selectedList=AssetViewTimeline&startTime=2020-09-28T14%3A20%3A00Z&endTime=2020-09-28T20%3A20%3A00Z"]}
```
Output messages
The List Events action provides the following output messages:
| Output message | Message description |
|---|---|
| Successfully listed related events for the following entities from Google Chronicle: ENTITY_IDENTIFIER | The action succeeded. |
| Error executing action "List Events". Reason: ERROR_REASON | The action failed. Check the connection to the server, the input parameters, or the credentials. |
| Error executing action "List Events". Reason: invalid event type is provided. Please check the spelling. Supported event types: SUPPORTED_EVENT_TYPES | The action failed. Check the spelling. |
Script result
The following table describes the values for the script result output when using the List Events action:
| Script result name | Value |
|---|---|
| is_success | True or False |
List IOCs
Use the List IOCs action to list all IoCs discovered in your enterprise within a specified time range.
This action doesn't run on Google SecOps entities.
Action inputs
The List IOCs action requires the following parameters:
| Parameter | Description |
|---|---|
| Start Time | The start time for the results in ISO 8601 format. |
| Max IoCs to Fetch | The maximum number of IoCs to return. The range is The default value is |
Action outputs
The List IOCs action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
Case wall table
Columns:
- Domain
- Category
- Source
- Confidence
- Severity
- IoC Ingest Time
- IoC First Seen Time
- IoC Last Seen Time
- URI
JSON result
The following example describes the JSON result output received when using the List IOCs action:
```json
{"matches":[{"artifact":{"domainName":"www.example.com"},"firstSeenTime":"2018-05-25T20:47:11.048998Z","iocIngestTime":"2019-08-14T21:00:00Z","lastSeenTime":"2019-10-24T16:19:46.880830Z","sources":[{"category":"Spyware Reporting Server","confidenceScore":{"intRawConfidenceScore":0,"normalizedConfidenceScore":"Low"},"rawSeverity":"Medium","source":"Example List"}],"uri":["URI"]}],"moreDataAvailable":true}
```
Output messages
The List IOCs action provides the following output messages:
| Output message | Message description |
|---|---|
| Successfully listed IOCs from the provided timeframe in Google Chronicle. | The action succeeded. |
| Error executing action "List IOCs". Reason: ERROR_REASON. | The action failed. Check connection to the server, input parameters, or credentials. |
Script result
The following table describes the values for the script result output when using the List IOCs action:
| Script result name | Value |
|---|---|
| is_success | True or False |
Lookup Similar Alerts
Use the Lookup Similar Alerts action to search for similar alerts in Google SecOps.
Important: This action only works with Google SecOps alerts received from the Chronicle Alerts Connector.
Action inputs
The Lookup Similar Alerts action requires the following parameters:
| Parameter | Description |
|---|---|
| Time Frame | The time period for the results. To get the best results, keep the timeframe as narrow as possible. The possible values are as follows: |
| IOCs / Assets | Required. A comma-separated list of IoCs or assets to find in the alerts. The action performs a separate search for each provided item. |
| Similarity By | The attributes to use for finding similar alerts. The possible values are as follows: The default value is |
How the Similarity By parameter works
The Similarity By parameter applies differently to Rule alerts and External alerts.
- If Alert Name, Alert Type and Product or Alert Name, Alert Type is selected: For External alerts, the action searches for other External alerts that have the same name. For Rule alerts, the action processes alerts that originated from the same rule.
- If Product is selected: The action processes alerts that originated from the same product, regardless of whether they are Rule alerts or External alerts. For example, an alert originating in Crowdstrike will only be matched with other alerts from Crowdstrike.
- If Only IOCs/Assets is selected: The action matches alerts based on the IOCs provided in the IOCs/Assets parameter. It searches for these indicators in both Rule alerts and External alerts. An IOC alert can only run this action when this option is selected. If any other option is provided, the action defaults to Only IOCs/Assets.
The Lookup Similar Alerts action is a versatile tool for analyzing alerts. It enables analysts to correlate alerts from the same time period and extract relevant IOCs to determine if an incident is a true positive.
Action outputs
The Lookup Similar Alerts action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Available |
| Case wall table | Available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
Case wall link
The Lookup Similar Alerts action can return the following links:
- CBN: GENERATED_LINK_BASED_ON_IU_ROOT_URL
- Rule: GENERATED_LINK_BASED_ON_IU_ROOT_URL
Case wall table
Table name: IOC/ASSET_IDENTIFIER
Table columns:
- Product
- Hostnames
- IPs
- Users
- Email Addresses
- Subjects
- URLs
- Hashes
- Processes
- First Seen
- Last Seen
- Alert Name
- General
JSON result
The following example describes the JSON result output received when using the Lookup Similar Alerts action (the missing commas before "rule_urls" and "count" in the original listing are added so that the document is valid JSON):
```json
{
  "count": 123,
  "distinct": [
    {
      "first_seen": "time of the first alert that matched our conditions",
      "last_seen": "time of the last alert that matched our conditions",
      "product_name": "product name",
      "used_ioc_asset": "what user provided in the parameter IOCs and Assets",
      "name": "Alert Name/Rule Name",
      "hostnames": "csv list of unique hostnames that were found in alerts",
      "urls": "csv list of unique urls that were found in alerts",
      "ips": "csv list of unique ips that were found in alerts",
      "subjects": "csv list of unique subjects that were found in alerts",
      "users": "csv list of unique users that were found in alerts",
      "email_addresses": "csv list of unique email_addresses that were found in alerts",
      "hashes": "csv list of unique hashes that were found in alerts",
      "processes": "csv list of unique processes that were found in alerts",
      "rule_urls": ["Chronicle URL from API response for Rule"],
      "count": 123
    }
  ],
  "processed_alerts": 10000,
  "run_time": "how long it took to run the action or at least API request",
  "EXTERNAL_url": "Chronicle URL from API response for EXTERNAL"
}
```
Output messages
The Lookup Similar Alerts action provides the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Lookup Similar Alerts". Reason: ERROR_REASON | The action failed. Check the connection to the server, the input parameters, or the credentials. |
| Error executing action "Lookup Similar Alerts". Reason: all of the retries are exhausted. Please wait for a minute and try again. | The action failed. Wait a few minutes before running the action again. |
Script result
The following table describes the values for the script result output when using the Lookup Similar Alerts action:
| Script result name | Value |
|---|---|
| is_success | True or False |
Ping
Use the Ping action to test the connectivity to Google SecOps.
This action doesn't run on Google SecOps entities.
Action inputs
None.
Action outputs
The Ping action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Ping action provides the following output messages:
| Output message | Message description |
|---|---|
| Successfully connected to the Google Chronicle backstory with the provided connection parameters! | The action succeeded. |
| Failed to connect to the Google Chronicle backstory. Error is ERROR_REASON | The action failed. Check the connection to the server, the input parameters, or the credentials. |
Script result
The following table describes the values for the script result output when using the Ping action:
| Script result name | Value |
|---|---|
| is_success | True or False |
Remove Rows From Data Table
Use the Remove Rows From Data Table action to remove rows from a data table in Google SecOps.
This action doesn't run on Google SecOps entities.
Action inputs
The Remove Rows From Data Table action requires the following parameters:
| Parameter | Description |
|---|---|
| Data Table Name | Required. The display name of the data table to update. |
| Rows | Required. A list of JSON objects used to search for and delete rows. Only include valid columns. The default value is as follows: |
Action outputs
The Remove Rows From Data Table action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example describes the JSON result output received when using the Remove Rows From Data Table action:
```json
{
  "name": "projects/365235532452/locations/us/instances/df6f1958-0381-41f9-8794-08a3229744a5/dataTables/data_table/dataTableRows/840d18a85944833e1b97ed6d2fb11377",
  "values": {"columnName1": "asda", "columnName2": "asdasd", "columnName3": "zxczxc"},
  "createTime": "2025-05-14T12:52:51.908143Z",
  "updateTime": "2025-05-14T12:52:51.908143Z"
}
```
Output messages
The Remove Rows From Data Table action provides the following output messages:
| Output message | Message description |
|---|---|
| Successfully removed rows from the data table DATA_TABLE_NAME in Google SecOps. | The action succeeded. |
| Error executing action "Remove Rows From Data Table". Reason: ERROR_REASON | The action failed. Check the connection to the server, the input parameters, or the credentials. |
Script result
The following table describes the values for the script result output when using the Remove Rows From Data Table action:
| Script result name | Value |
|---|---|
| is_success | True or False |
Remove Values From Reference List
Use the Remove Values From Reference List action to remove values from a reference list in Google SecOps.
This action doesn't run on Google SecOps entities.
Action inputs
The Remove Values From Reference List action requires the following parameters:
| Parameter | Description |
|---|---|
| Reference List Name | Required. The name of the reference list to update. |
| Values | Required. A comma-separated list of values to remove from the reference list. |
Action outputs
The Remove Values From Reference List action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example describes the JSON result output received when using the Remove Values From Reference List action with the Backstory API:
```json
{
  "name": "list_name",
  "description": "description of the list",
  "lines": ["192.0.2.0/24", "198.51.100.0/24"],
  "create_time": "2020-11-20T17:18:20.409247Z",
  "content_type": "CIDR"
}
```
The following example describes the JSON result output received when using the Remove Values From Reference List action with the Chronicle API:
```json
{
  "name": "projects/PROJECT_ID/locations/us/instances/INSTANCE_ID/referenceLists/REFERENCE_LIST_NAME",
  "displayName": "REFERENCE_LIST_NAME",
  "revisionCreateTime": "2025-01-16T09:15:21.795743Z",
  "description": "Test reference list",
  "entries": [{"value": "example.com"}, {"value": "exampledomain.com"}],
  "syntaxType": "REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING",
  "scopeInfo": {"referenceListScope": {}},
  "createTime": "2025-01-16T09:15:21.795743Z",
  "lines": ["example.com", "exampledomain.com"]
}
```
Output messages
The Remove Values From Reference List action provides the following output messages:
| Output message | Message description |
|---|---|
| Successfully removed values from the reference list. | The action succeeded. |
| Error executing action "Remove Values From Reference List". Reason: ERROR_REASON | The action failed. Check the connection to the server, the input parameters, or the credentials. |
Script result
The following table describes the values for the script result output when using the Remove Values From Reference List action:
| Script result name | Value |
|---|---|
| is_success | True or False |
Connectors
To learn more about configuring connectors in Google SecOps, see Ingest your data (connectors).
Note: To prevent data loss, connectors utilize Event Flattening. If a raw alert contains a list of entities (such as multiple email addresses, hostnames, or IP addresses), connectors automatically flatten them into separate, unique events. For example, a single raw alert containing three different email addresses is ingested as three separate events, each containing one distinct email address. This process ensures that every entity is correctly indexed as a unique asset, making it fully searchable and actionable in playbooks.
Google Chronicle - Chronicle Alerts Connector
Use the Google Chronicle - Chronicle Alerts Connector to pull information about rule-based alerts from Google SecOps.
Note: This connector can be filtered using a dynamic list.
Overview
The Google Chronicle - Chronicle Alerts Connector ingests multiple alert types from Google SecOps.
Key features and operational details include:
- Queries data within a one-week period.
- To prevent missed alerts from indexing delays, a padding period and increased connector timeout can be configured, though significant padding may negatively affect performance.
- Utilizes dynamic lists for flexible configuration.
- Provides a Fallback Severity for alerts that lack a severity value.
- To ingest IoCs, a corresponding detection rule must be created in Google SecOps that generates alerts based on the IoCs.
Dynamic list filter
The dynamic list is used to filter alerts directly from the connector configuration page.
Operator logic
The dynamic list uses a combination of AND and OR logic to process filter rules:
- OR logic: Values on the same line, separated by a comma, are treated with OR logic (for example, Rule.severity = low,medium means low OR medium severity).
- AND logic: Each separate line in the dynamic list is treated with AND logic (for example, a line for Rule.severity and a line for Rule.ruleName means severity AND ruleName).
Supported operators (=, !=, >, <, >=, <=) vary depending on the Filter Key.
The following are the examples of using operator rules:
- Rule.severity = medium: The connector only ingests rule alerts with the medium severity.
- Rule.severity = low,medium: The connector only ingests rule alerts with the medium or low severity.
- Rule.ruleName = default_rule: The connector only ingests rule alerts with the default_rule name.
Supported filters
The Chronicle Alerts Connector supports filtering on the following keys:
| Filter key | Response key | Operators | Possible values |
|---|---|---|---|
| Rule.severity | detection/ruleLabels/severity | =, !=, >, <, >=, <= | The values are case-insensitive. |
| Rule.ruleName | detection/ruleName | =, != | Defined by the user. |
| Rule.ruleID | detection/ruleId | =, != | Defined by the user. |
| Rule.ruleLabels.{key} | detection/ruleLabels | =, != | Defined by the user. |
Handling ruleLabels
To filter on a specific label within a rule, use the Rule.ruleLabels.{key} format.
For example, to filter on a label with the key type and value suspicious_behaviour, the dynamic list input should be:
Rule.ruleLabels.type=suspicious_behaviour
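The filter semantics described above (OR across the comma-separated values of a line, AND across lines, the filter keys and the operators each key supports), written out as an added Python example that is not the connector's own code. The severity ranking used by the ordering operators (low < medium < high < critical, compared case-insensitively) is an assumption, since the page does not list the severity values; the sample alert is constructed from the rule-based alert shown under "Connector events".

```python
"""Evaluate Chronicle Alerts Connector dynamic-list filter rules against a rule alert."""
import re
from typing import Any, Optional

# Operators each filter key supports, from the "Supported filters" table.
SEVERITY_OPS = ("=", "!=", ">", "<", ">=", "<=")
EQUALITY_OPS = ("=", "!=")

# Assumed ranking for the ordering operators on Rule.severity (not from the page).
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Two-character operators are listed first so ">=" is not read as ">" then "=".
_LINE_RE = re.compile(
    r"^\s*(?P<key>Rule\.[A-Za-z0-9_.]+)\s*(?P<op>>=|<=|!=|=|>|<)\s*(?P<values>.+?)\s*$"
)


def parse_dynamic_list(text: str) -> list[tuple[str, str, list[str]]]:
    """Parse the dynamic list: one rule per line, comma-separated OR values."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        match = _LINE_RE.match(line)
        if not match:
            raise ValueError(f"malformed filter line: {line!r}")
        values = [v.strip() for v in match.group("values").split(",") if v.strip()]
        rules.append((match.group("key"), match.group("op"), values))
    return rules


def _response_value(detection: dict[str, Any], key: str) -> Optional[str]:
    """Map a filter key to its response key inside one detection element."""
    labels = {lbl["key"]: lbl["value"] for lbl in detection.get("ruleLabels", [])}
    if key == "Rule.severity":
        return labels.get("severity")                       # detection/ruleLabels/severity
    if key == "Rule.ruleName":
        return detection.get("ruleName")                    # detection/ruleName
    if key == "Rule.ruleID":
        return detection.get("ruleId")                      # detection/ruleId
    if key.startswith("Rule.ruleLabels."):
        return labels.get(key[len("Rule.ruleLabels."):])    # detection/ruleLabels/{key}
    raise ValueError(f"unsupported filter key: {key}")


def _holds(actual: str, op: str, expected: str, is_severity: bool) -> bool:
    """Apply one operator; severities compare by rank, everything else by exact string."""
    if is_severity:
        try:
            left, right = SEVERITY_RANK[actual.lower()], SEVERITY_RANK[expected.lower()]
        except KeyError as exc:
            raise ValueError(f"unknown severity value: {exc}") from None
    else:
        left, right = actual, expected
    return {
        "=": left == right, "!=": left != right, ">": left > right,
        "<": left < right, ">=": left >= right, "<=": left <= right,
    }[op]


def alert_matches(alert: dict[str, Any], rules: list[tuple[str, str, list[str]]]) -> bool:
    """AND over lines, OR over the values of one line: the alert passes when every
    line has at least one value that holds. Because values on a line are ORed, a
    "!=" line with two different values always holds, so keep one value per "!=" line."""
    detection = alert["detection"][0]
    for key, op, values in rules:
        is_severity = key == "Rule.severity"
        if op not in (SEVERITY_OPS if is_severity else EQUALITY_OPS):
            raise ValueError(f"operator {op!r} is not supported for {key}")
        actual = _response_value(detection, key)
        if actual is None:          # the response lacks the key, so the line cannot hold
            return False
        if not any(_holds(actual, op, v, is_severity) for v in values):
            return False
    return True


def filter_ingests(alert: dict[str, Any], dynamic_list: str) -> bool:
    """Would the connector ingest `alert` under this dynamic list?"""
    return alert_matches(alert, parse_dynamic_list(dynamic_list))


# Constructed sample, trimmed from the rule-based alert shown under "Connector events".
SAMPLE_RULE_ALERT = {
    "alert_type": "RULE",
    "detection": [{
        "ruleName": "d3_test",
        "ruleId": "ru_74dd17e2-5aad-4053-acd7-958bead014f2",
        "ruleLabels": [
            {"key": "author", "value": "analyst123"},
            {"key": "severity", "value": "Medium"},
        ],
    }],
}

if __name__ == "__main__":
    print(filter_ingests(SAMPLE_RULE_ALERT, "Rule.severity = low,medium\nRule.ruleName = d3_test"))
```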
Connector inputs
The Chronicle Alerts Connector requires the following parameters:
| Parameter | Description |
|---|---|
| Product Field Name | Required. The name of the field where the product name is stored. The product name primarily impacts mapping. To streamline and improve the mapping process for the connector, the default value resolves to a fallback value that is referenced from the code. Any invalid input for this parameter resolves to a fallback value by default. The default value is |
| Event Field Name | Required. The name of the field that determines the event name (subtype). |
| Environment Field Name | Optional. The name of the field where the environment name is stored. If the environment field is missing, the connector uses the default value. The default value is |
| Environment Regex Pattern | Optional. A regular expression pattern to run on the value found in the Use the default value If the regular expression pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
| Script Timeout (Seconds) | Required. The timeout limit, in seconds, for the Python process that runs the current script. The default value is |
| API Root | Required. The API root of the Google SecOps instance. Google SecOps provides regional endpoints for each API, for example, Contact Cloud Customer Care to find out which endpoint to use. The default value is |
| User's Service Account | Required. The full JSON content of the service account used for authentication. |
| Fallback Severity | Required. The default severity to use if the alert from Google SecOps does not include a severity value. The possible values are as follows: |
| Max Hours Backwards | Optional. The number of hours prior to the initial connector run to retrieve incidents from. This parameter applies only once. The maximum value is The default value is |
| Max Alerts To Fetch | Optional. The number of alerts to process in every connector iteration. The default value is |
| Disable Event Splitting | Optional. If selected, the connector doesn't split original events into multiple parts, ensuring the event count matches between the source and Google SecOps SOAR. Not enabled by default. |
| Verify SSL | Required. If selected, the integration validates the SSL certificate when connecting to the Google SecOps server. Enabled by default. |
| Proxy Server Address | Optional. The address of the proxy server to use. |
| Proxy Username | Optional. The proxy username to authenticate with. |
| Proxy Password | Optional. The proxy password to authenticate with. |
| Disable Overflow | Optional. If selected, the connector ignores the Google SecOps overflow mechanism. Not enabled by default. |
Connector rules
The Google Chronicle - Chronicle Alerts Connector supports proxies.
Connector events
The Google Chronicle - Chronicle Alerts Connector processes three types of events from Google SecOps.
Rule-based alerts
This event type is generated by a detection rule in Google SecOps.
```json
{
  "alert_type": "RULE",
  "event_type": "NETWORK_DHCP",
  "type": "RULE_DETECTION",
  "detection": [
    {
      "ruleName": "d3_test",
      "urlBackToProduct": "https://INSTANCE/ruleDetections?ruleId=ru_74dd17e2-5aad-4053-acd7-958bead014f2&selectedList=RuleDetectionsViewTimeline&selectedParentDetectionId=de_b5dadaf4-b398-325f-9f09-833b71b3ffbb&selectedTimestamp=2022-02-08T05:02:36Z&versionTimestamp=2020-11-19T18:19:11.951951Z",
      "ruleId": "ru_74dd17e2-5aad-4053-acd7-958bead014f2",
      "ruleVersion": "ru_74dd17e2-5aad-4053-acd7-958bead014f2@v_1605809951_951951000",
      "alertState": "NOT_ALERTING",
      "ruleType": "SINGLE_EVENT",
      "ruleLabels": [
        {"key": "author", "value": "analyst123"},
        {"key": "description", "value": "8:00 AM local time"},
        {"key": "severity", "value": "Medium"}
      ]
    }
  ],
  "createdTime": "2022-02-08T06:07:33.944951Z",
  "id": "de_b5dadaf4-b398-325f-9f09-833b71b3ffbb",
  "timeWindow": {"startTime": "2022-02-08T05:02:36Z", "endTime": "2022-02-08T05:02:36Z"},
  "collectionElements": [
    {
      "references": [
        {
          "event": {
            "metadata": {
              "eventTimestamp": "2022-02-08T05:02:36Z",
              "eventType": "NETWORK_DHCP",
              "productName": "Infoblox DHCP",
              "ingestedTimestamp": "2022-02-08T05:03:03.892234Z"
            },
            "principal": {
              "ip": ["198.51.100.255", "198.51.100.1"],
              "mac": ["01:23:45:ab:cd:ef"],
              "email_address": ["example@example.com"]
            },
            "target": {"hostname": "dhcp_server", "ip": ["198.51.100.0", "198.51.100.1"]},
            "network": {
              "applicationProtocol": "DHCP",
              "dhcp": {
                "opcode": "BOOTREQUEST",
                "ciaddr": "198.51.100.255",
                "giaddr": "198.51.100.0",
                "chaddr": "01:23:45:ab:cd:ef",
                "type": "REQUEST",
                "clientHostname": "example-user-pc",
                "clientIdentifier": "AFm/LDfjAw=="
              }
            }
          }
        }
      ],
      "label": "e"
    }
  ],
  "detectionTime": "2022-02-08T05:02:36Z"
}
```
External alerts
This event type is based on an external alert that is ingested into Google SecOps.
```json
{
  "alert_type": "External",
  "event_type": "GENERIC_EVENT",
  "name": "Authentication failure [32038]",
  "sourceProduct": "Internal Alert",
  "severity": "Medium",
  "timestamp": "2020-09-30T18:03:34.898194Z",
  "rawLog": "U2VwIDMwIDE4OjAzOjM0Ljg5ODE5NCAxMC4wLjI5LjEwOSBBdXRoZW50aWNhdGlvbiBmYWlsdXJlIFszMjAzOF0=",
  "uri": ["https://INSTANCE/assetResults?assetIdentifier=198.51.100.109&namespace=[untagged]&referenceTime=2020-09-30T18%3A03%3A34.898194Z&selectedList=AssetViewTimeline&startTime=2020-09-30T17%3A58%3A34.898194Z&endTime=2020-09-30T18%3A08%3A34.898194Z&selectedAlert=-610875602&selectedEventTimestamp=2020-09-30T18%3A03%3A34.898194Z"],
  "event": {
    "metadata": {
      "eventTimestamp": "2020-09-30T18:03:34.898194Z",
      "eventType": "GENERIC_EVENT",
      "productName": "Chronicle Internal",
      "ingestedTimestamp": "2020-09-30T18:03:34.991592Z"
    },
    "target": [{"ip": ["198.51.100.255", "198.51.100.1"]}],
    "securityResult": [{"summary": "Authentication failure [32038]", "severityDetails": "Medium"}]
  }
}
```
IoC Alerts
This event type is a match against a predefined list of IoCs.
```json
{
  "alert_type": "IOC",
  "event_type": "IOC Alert",
  "artifact": {"domainName": "example.com"},
  "sources": [
    {
      "source": "Example List",
      "confidenceScore": {"normalizedConfidenceScore": "Low", "intRawConfidenceScore": 0},
      "rawSeverity": "High",
      "category": "Malware Command and Control Server"
    }
  ],
  "iocIngestTime": "2020-09-07T11:00:00Z",
  "firstSeenTime": "2018-10-03T00:01:59Z",
  "lastSeenTime": "2022-02-04T20:02:29.191Z",
  "uri": ["https://INSTANCE/domainResults?domain=example.com&selectedList=DomainViewDistinctAssets&whoIsTimestamp=2022-02-08T15%3A08%3A52.434022777Z"]
}
```
Alert structure
The following table describes how the Google Chronicle - Chronicle Alerts Connector populates the attributes of an alert in Google SecOps. The alert attributes are grouped by their origin and alert type for clarity.
Internally generated attributes
These attributes are generated by the framework and are consistent across all alert types.
| Alert Attribute Name | Source |
|---|---|
| SourceSystemName | Internally generated by the framework. |
| TicketId | The value is taken from the ids.json file. |
| DisplayId | Automatically generated. |
Attributes for all alert types
These attributes are derived from the source alert, but their source key varies by alert type.
Note: Some alert attributes are not populated by this connector because the Chronicle API does not provide a corresponding field for this data in the alert responses.
| Alert Attribute Name | Source |
|---|---|
| Priority | Taken from the API response or the Fallback Severity parameter. |
| DeviceVendor | Hardcoded value is Google Chronicle. |
| DeviceProduct | A hardcoded value that depends on the alert type: RULE for rule detection alerts, IOC for IOC matches, or EXTERNAL for external alerts. |
| Description | For rule-based alerts, this is sourced from detection/ruleLabels/description (if it exists). Not available for other alert types. |
| Reason | Not available. |
| SourceGroupingIdentifier | Not available. |
| Chronicle Alert - Attachments | Not available. |
Specific alert types
These attributes are specific to the alert's origin, making it easier to understand how each is populated.
| Alert Attribute Name | Rule-based Alerts | IOC-based Alerts | External Alerts |
|---|---|---|---|
| Name | detection/ruleName | IOC Alert (hardcoded) | alertInfos/name |
| RuleGenerator | detection/ruleName | IOC Alert (hardcoded) | alertInfos/name |
| StartTime & EndTime | timeWindow/startTime | lastSeenTime | timestamp |
| Chronicle Alert - Extensions | rule_id (ruleId), product_name (CSV of event/metadata/productName values) | Not applicable | alert_name (name), product_name (CSV of UDM event/metadata/productName values) |
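The attribute mapping in the three tables above for a rule-based alert, written out as an added Python example that is not the connector's own code. Two points the tables leave open are assumptions here: Priority is read from the ruleLabels severity label before falling back to the Fallback Severity parameter, and product_name is collected from metadata.productName of the events under collectionElements/references; the sample alert is constructed from the rule-based alert shown under "Connector events".

```python
"""Populate the Google SecOps SOAR alert attributes for a rule-based alert."""
import copy
from typing import Any


def _rule_labels(detection: dict[str, Any]) -> dict[str, str]:
    """ruleLabels is a list of {key, value} pairs; index it by key."""
    return {lbl["key"]: lbl["value"] for lbl in detection.get("ruleLabels", [])}


def _product_name_csv(alert: dict[str, Any]) -> str:
    """CSV of the unique event/metadata/productName values (assumed traversal path)."""
    names: list[str] = []
    for element in alert.get("collectionElements", []):
        for ref in element.get("references", []):
            name = ref.get("event", {}).get("metadata", {}).get("productName")
            if name and name not in names:
                names.append(name)
    return ",".join(names)


def build_soar_alert(alert: dict[str, Any], fallback_severity: str) -> dict[str, Any]:
    """Return the SOAR alert fields for a RULE alert.

    fallback_severity stands in for the connector's Fallback Severity parameter
    and is used only when the alert carries no severity label (assumed source).
    """
    if alert.get("alert_type") != "RULE" or not alert.get("detection"):
        raise ValueError("this example handles rule-based alerts only")
    detection = alert["detection"][0]
    labels = _rule_labels(detection)
    # The table maps both StartTime and EndTime to timeWindow/startTime.
    start = alert["timeWindow"]["startTime"]
    soar_alert: dict[str, Any] = {
        "DeviceVendor": "Google Chronicle",                      # hardcoded
        "DeviceProduct": "RULE",                                 # hardcoded for rule alerts
        "Name": detection["ruleName"],                           # detection/ruleName
        "RuleGenerator": detection["ruleName"],                  # detection/ruleName
        "Priority": labels.get("severity", fallback_severity),   # assumed: severity label, else fallback
        "StartTime": start,
        "EndTime": start,
        "Extensions": {
            "rule_id": detection["ruleId"],
            "product_name": _product_name_csv(alert),
        },
    }
    if "description" in labels:                                  # detection/ruleLabels/description
        soar_alert["Description"] = labels["description"]
    return soar_alert


def without_label(alert: dict[str, Any], key: str) -> dict[str, Any]:
    """Copy of the alert with one rule label removed, to exercise the fallback paths."""
    clone = copy.deepcopy(alert)
    det = clone["detection"][0]
    det["ruleLabels"] = [lbl for lbl in det.get("ruleLabels", []) if lbl["key"] != key]
    return clone


# Constructed sample, trimmed from the rule-based alert shown under "Connector events";
# the second reference is added to show that product_name de-duplicates.
SAMPLE_RULE_ALERT = {
    "alert_type": "RULE",
    "detection": [{
        "ruleName": "d3_test",
        "ruleId": "ru_74dd17e2-5aad-4053-acd7-958bead014f2",
        "ruleLabels": [
            {"key": "author", "value": "analyst123"},
            {"key": "description", "value": "8:00 AM local time"},
            {"key": "severity", "value": "Medium"},
        ],
    }],
    "timeWindow": {"startTime": "2022-02-08T05:02:36Z", "endTime": "2022-02-08T05:02:36Z"},
    "collectionElements": [{
        "references": [
            {"event": {"metadata": {"productName": "Infoblox DHCP"}}},
            {"event": {"metadata": {"productName": "Infoblox DHCP"}}},
        ],
        "label": "e",
    }],
}

if __name__ == "__main__":
    print(build_soar_alert(SAMPLE_RULE_ALERT, "Low"))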
Deprecated: Google Chronicle - Alerts Connector
This connector no longer gets updates or code changes. Use the Chronicle Alerts Connector instead.
This connector pulls asset alerts from Google SecOps and converts them into Google SecOps alerts.
You can authenticate using the Google library with google.oauth2.service_account and AuthorizedSession.
This connector requires the Google SecOps SIEM Search API.
Connector inputs
The Alerts Connector requires the following parameters:
| Parameter | Description |
|---|---|
| Product Field Name | Required. The name of the field where the product name is stored. The product name primarily impacts mapping. To streamline and improve the mapping process for the connector, the default value resolves to a fallback value that is referenced from the code. Any invalid input for this parameter resolves to a fallback value by default. The default value is |
| Environment Field Name | Optional. The name of the field where the environment name is stored. If the environment field is missing, the connector uses the default value. The default value is |
| Environment Regex Pattern | Optional. A regular expression pattern to run on the value found in the Use the default value If the regular expression pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
| Script Timeout (Seconds) | Required. The timeout limit, in seconds, for the Python process that runs the current script. The default value is |
| Service Account Credentials | Required. The content of the service account JSON file. |
| Fetch Max Hours Backwards | Optional. The number of hours prior to the initial connector run to retrieve incidents from. This parameter applies only once. The maximum value is The default value is |
Deprecated: Google Chronicle - IoCs Connector
This connector is no longer getting updates or code changes. Use the Chronicle Alerts Connector instead.
This connector pulls the IOC domain matches from Google SecOps and converts them into Google SecOps alerts.
You can authenticate using the Google library with google.oauth2.service_account and AuthorizedSession.
This connector uses the Google SecOps Search API.
Connector inputs
The Google Chronicle - IoCs Connector requires the following parameters:
| Parameter | Description |
|---|---|
| Product Field Name | Required. The name of the field where the product name is stored. The product name primarily impacts mapping. To streamline and improve the mapping process for the connector, the default value resolves to a fallback value that is referenced from the code. Any invalid input for this parameter resolves to a fallback value by default. The default value is |
| Environment Field Name | Optional. The name of the field where the environment name is stored. If the environment field is missing, the connector uses the default value. The default value is |
| Environment Regex Pattern | Optional. A regular expression pattern to run on the value found in the Use the default value If the regular expression pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
| Script Timeout (Seconds) | Required. The timeout limit, in seconds, for the Python process that runs the current script. The default value is |
| Service Account Credentials | Required. The content of the service account JSON file. |
| Fetch Max Hours Backwards | Optional. The number of hours prior to the initial connector run to retrieve alerts from. This parameter applies only once. The maximum value is The default value is |
| Max Alerts To Fetch | Optional. The maximum number of alerts to process in every connector iteration. The default value is |
Jobs
For more information on jobs, see Configure a new job and Advanced scheduling.
Job configuration prerequisites
Important: If you update the integration, re-create Google SecOps jobs to update their code.
Before proceeding to the job configuration, configure the Chronicle Alerts Connector.
To configure Google Chronicle jobs, follow these steps:
1. In Google SecOps SOAR, go to Response > Job Scheduler.
2. Click Create New Job.
3. In the Add Job dialog that appears, select the corresponding Google Chronicle job and click Save.
4. Optional: Edit the job name and description, if necessary.
5. In the Job Details section:
   - Make sure that Google Chronicle is selected in the Integration field.
   - To automatically run the job at specified intervals, set up a scheduler interval. Configuring the scheduler is mandatory to complete the job configuration.
   As Google Chronicle jobs can synchronize large amounts of data in one run, Google recommends that you set the scheduler interval to at least 2 minutes.
Google Chronicle - Sync Data Job
This job works with alerts created by the Chronicle Alerts Connector and the Chronicle Alerts Creator job, but not with alerts from the deprecated connectors (Alerts Connector and IOCs Connector).
The Google Chronicle Sync Data job synchronizes updated Google SecOps alerts and cases managed in Google SecOps SOAR back to Google SecOps. Consequently, you can track the same information on both systems immediately after you make changes in Google SecOps SOAR.
Case and alerts data synchronization
The Google Chronicle Sync Data job tracks and synchronizes the following fields for cases:
| Tracked field | Synchronized field |
|---|---|
| Priority | Priority |
| Status | Status |
| Title | Title |
| Not applicable | Stage |
| Not applicable | Google SecOps Case ID |
Google SecOps Case ID is a unique case identifier in Google SecOps SOAR and Google SecOps.
The Google Chronicle Sync Data job tracks and synchronizes the following fields for alerts:
| Tracked field | Synchronized field |
|---|---|
| Priority | Priority |
| Status | Status |
| Case ID | Not applicable |
| Not applicable | Google SecOps Alert ID |
| Not applicable | Google SecOps Case ID |
| Not applicable | Verdict |
| Not applicable | Closure Comment |
| Not applicable | Closure Reason |
| Not applicable | Closure Root Cause |
| Not applicable | Usefulness |
Google SecOps Alert ID is a unique alert identifier in Google SecOps SOAR.
In one iteration, the job synchronizes up to 1,000 cases and 1,000 alerts. The synchronization occurs within the Google SecOps SOAR environment that is specified in the job configuration. The synchronization mechanism ensures that a case from the specified environment cannot be synced with another environment.
Configure the Google Chronicle Sync Data job
This job only synchronizes Google SecOps SOAR cases ingested from Google SecOps.
Ensure you've completed the prerequisite steps before you configure this job.
To configure the Google Chronicle Sync Data job, follow these steps:
1. In the Parameters section, configure the following parameters:
| Parameter | Description |
|---|---|
| Environment | Required. The name of the environment created in Google SecOps SOAR to sync cases and alerts to. |
| API Root | Required. The API root of the Google SecOps instance. Google SecOps provides regional endpoints for each API. For example, https://europe-backstory.googleapis.com or https://asia-southeast1-backstory.googleapis.com. If you don't know which endpoint to use, [contact Cloud Customer Care](/chronicle/docs/getting-support). The default value is https://backstory.googleapis.com. |
| User's Service Account | Required. The content of the service account JSON file of your Google SecOps instance. |
| Max Hours Backwards | Optional. The number of hours to fetch alerts from. Only use positive numbers. The default value is 24. |
| Verify SSL | Required. If selected, the integration validates the SSL certificate when connecting to the Google SecOps server. Enabled by default. |
The Google Chronicle Sync Data job is enabled by default. When you save the correctly configured job, it starts synchronizing data with Google SecOps immediately. To disable the job, switch the toggle next to the job name.
2. To complete the configuration, click Save.
   If the Save button is inactive, make sure that you have set all mandatory parameters.
3. Optional: To run the job immediately after saving, click Run Now.
   The Run Now option lets you trigger a single job run that synchronizes the current Google SecOps SOAR alerts and cases data with Google SecOps.
Log messages
The following table lists possible log messages for theGoogle Chronicle DataSync job:
| Log entry | Type | Description |
|---|---|---|
Unable to parse credentials as JSON. Please validate creds. | Error | The service account provided in theUser's Service Account parameter is corrupted. |
"Max Hours Backwards" parameter must be a positive number. | Error | TheMax Hours backwards parameter is set to 0 or a negative number. |
Current platform version does not support SDK methods designed for Google SecOps. Please use version 6.1.33 or higher. | Error | The current Google SecOps platform instance version doesn't support the Chronicle Sync Data job script execution. This means that the instance's build version is older than 6.1.33. |
| Unable to connect to Google SecOps, please validate your credentials: CREDENTIALS | Error | The service account or API root values couldn't be validated against the Google SecOps instance. This error is reported if the connectivity testing fails. |
| --- Start Processing Updated Cases --- | Info | The case processing loop has started running. |
| Last success time. Date time: DATE_AND_TIME. Unix: UNIX_EPOCH_TIME | Info | The timestamp of the last successful script execution for cases or alerts. |
| Key: "DATABASE_KEY" does not exist in the database. Returning default value instead: DEFAULT_VALUE | Info | The pending case or alert database key does not exist in the database. This log entry always appears in the first execution of the script. |
| Failed to parse data as JSON. Returning default value instead: "DEFAULT_VALUE". ERROR: ERROR | Error | The value retrieved from the database is not valid JSON. |
| Exception was raised from the database. ERROR: ERROR. | Error | There is a connection problem with the database. |
| | Info | The pending case or alert IDs have been successfully retrieved from the backlog. CASE_IDS is the number of case IDs retrieved. |
| | Error | The number of pending case or alert IDs fetched from the database is greater than the limit (1000). Any IDs over the limit are ignored. This error can indicate possible database corruption. |
| | Info | The newly updated case or alert IDs were successfully fetched from the platform. |
| | Info | The update of cases and alerts in the Google SecOps instance has started. |
| | Error | The specified case or alert cannot be synchronized with Google SecOps. |
| | Info | The specified pending case or alert has reached the sync retry limit (5) and is not inserted back into the backlog. |
| | Info | The list of case or alert IDs that cannot be synchronized with Google SecOps. |
| Updated External Case IDs for the following cases: CASE_IDS | Info | The list of cases for which the job updated the matching Google SecOps external case ID in the Google SecOps SOAR platform. |
| Failed to update external ids. | Error | A problem with the SDK method or the connection prevented the job from updating external case IDs in the platform. |
| | Error | A terminating error prevented the case or alert processing loop from finishing naturally. The stack trace is printed after this log entry with the specific error. |
| | Info | The case and alert processing loop has finished, either naturally or with an error. |
| | Error | The list of failed case or alert IDs with a retry count less than or equal to 5 that are written back to the backlog. |
| | Info | The case and alert processing stage has finished. |
| Saving timestamps. | Info | Saving the last successful case and alert update timestamps to the database. |
| Saving pending ids. | Info | Saving pending case and alert IDs to the database. |
| Got exception on main handler. Error: ERROR_REASON | Error | A general termination error has occurred. The stack trace is printed after this log entry with the specific error. |
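The log entries above describe a persisted backlog: pending IDs are read from a database key (missing on the first run, or possibly corrupt), capped at 1000, synchronized one by one, and failures are written back with a retry count until they hit the limit of 5. The following added example models that control flow so the retry and fallback behaviour can be exercised offline. It is not the integration's own code; the SOAR database, SDK and SIEM calls are replaced by an in-memory dict and a hypothetical `sync` callable, and the function and constant names are assumptions.

```python
"""Model of the backlog handling that the Sync Data job log messages describe.

Added illustration, not the integration's own code: the Google SecOps SOAR
database, SDK and SIEM calls are replaced by in-memory stand-ins (a dict and a
callable) so the control flow can be run and inspected offline.
"""
import json
from typing import Callable, Dict, List

PENDING_IDS_LIMIT = 1000   # the job ignores IDs beyond this and logs an error
MAX_SYNC_RETRIES = 5       # an ID that still fails at this count is not re-queued


def load_pending(db: Dict[str, str], key: str, default: str, log: List[str]) -> dict:
    """Read a JSON value from the store, falling back to `default` on a missing
    key (always the case on the first run) or on a corrupt value, as the
    "does not exist" and "Failed to parse data as JSON" log entries describe."""
    if key not in db:
        log.append(f'Key: "{key}" does not exist in the database. '
                   f'Returning default value instead: {default}')
        return json.loads(default)
    try:
        return json.loads(db[key])
    except (TypeError, ValueError) as err:   # JSONDecodeError is a ValueError
        log.append(f'Failed to parse data as JSON. Returning default value '
                   f'instead: "{default}". ERROR: {err}')
        return json.loads(default)


def process_pending(db: Dict[str, str], key: str,
                    sync: Callable[[str], None], log: List[str]) -> Dict[str, int]:
    """One pass of the case/alert processing loop over the persisted backlog.

    The backlog is a mapping of ID -> number of failed attempts so far. `sync`
    is a hypothetical callable that raises when an ID cannot be synchronized.
    Returns the backlog that is written back (IDs still under the retry limit).
    """
    pending = load_pending(db, key, "{}", log)
    if len(pending) > PENDING_IDS_LIMIT:
        log.append(f"Pending IDs exceed the limit ({PENDING_IDS_LIMIT}); "
                   "IDs over the limit are ignored (possible database corruption)")
        pending = dict(list(pending.items())[:PENDING_IDS_LIMIT])

    requeue: Dict[str, int] = {}
    for item_id, failures in pending.items():
        try:
            sync(item_id)
        except Exception as err:   # broad on purpose: any failure counts as a retry
            log.append(f"Failed to synchronize {item_id}: {err}")
            if failures >= MAX_SYNC_RETRIES:
                log.append(f"{item_id} reached the sync retry limit "
                           f"({MAX_SYNC_RETRIES}) and is not inserted back to the backlog")
                continue
            requeue[item_id] = failures + 1

    db[key] = json.dumps(requeue)   # "Saving pending ids."
    log.append("Saving pending ids.")
    return requeue
```

The point of the fallback-to-default behaviour is that a missing or corrupt backlog value never aborts the job; it only costs the IDs that were in the corrupt value, which is why the oversize and parse-failure entries are worth watching in the job log.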
Google Chronicle Alerts Creator job
The Google Chronicle Alerts Creator job requires the Google SecOps platform version 6.2.30 or later.
This job creates all alerts from Google SecOps SOAR in Google SecOps, including overflow alerts. The Google Chronicle Alerts Creator job doesn't replicate alerts that originate from Google SecOps.
The Google Chronicle Alerts Creator job queries the SOAR platform through the Python SDK for non-synchronized alerts. The job sends each non-synchronized alert to SIEM individually. SIEM records the alert and returns the identifier of the corresponding SIEM alert, and SOAR saves that identifier using the SOAR platform API through the Python SDK.
Relationship between the Google Chronicle jobs
A complete Google SecOps system runs the following three components concurrently:
- Chronicle Alerts Connector
- Google Chronicle Sync Data job
- Google Chronicle Alerts Creator job
The Google Chronicle Sync Data job creates and synchronizes cases. It also synchronizes the case and alert modifications, such as priority changes.
The Google Chronicle Alerts Creator job generates all alerts, except SIEM alerts. The Google Chronicle Sync Data job sends updates on unsynchronized alerts after the Google Chronicle Alerts Creator job creates the alerts.
Case and alerts data synchronization
Cases are synchronized in the same manner as with the Google Chronicle Sync Data job.
In Google SecOps, each alert is identified with a SIEM alert identifier. SOAR alerts can adopt a SIEM identifier in two scenarios:
- The alert is generated in SIEM. This alert already exists in Google SecOps and there is no need to duplicate it. The connector populates the siem_alert_id field.
- The alert is generated by a third-party connector. This alert does not exist in Google SecOps and requires an explicit synchronization operation, which the Google Chronicle Alerts Creator job is responsible for. Upon completing the synchronization operation, the alert acquires a new SIEM identifier.
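The following added example models the Alerts Creator flow described above and in the job description earlier in this section: only alerts with no SIEM identifier (the third-party scenario) are fetched, each is sent to SIEM individually, and the returned identifier is stored on the SOAR alert, while alerts that originated in SIEM keep the siem_alert_id the connector populated. It is not the integration's own code; `SoarAlert`, `FakeSiem`, `BATCH_SIZE` and the function names are hypothetical stand-ins for the SOAR Python SDK objects and the SIEM API.

```python
"""Model of the Alerts Creator job: fetch SOAR alerts that carry no SIEM
identifier, send each one to SIEM individually, and store the identifier SIEM
returns on the SOAR alert.

Added illustration, not the integration's own code. `SoarAlert`, `FakeSiem`
and `BATCH_SIZE` are hypothetical stand-ins for the SOAR Python SDK objects
and the SIEM API, so the flow runs offline.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

BATCH_SIZE = 100   # hypothetical per-iteration fetch size (the job logs its own BATCH_SIZE)


@dataclass
class SoarAlert:
    alert_id: str
    source: str                           # "siem" or the third-party connector name
    siem_alert_id: Optional[str] = None   # set once the alert exists in SIEM


@dataclass
class FakeSiem:
    """Stand-in SIEM that assigns an identifier to every alert it accepts."""
    reject: Set[str] = field(default_factory=set)    # IDs it refuses, to exercise the error path
    created: List[str] = field(default_factory=list)

    def create_alert(self, alert: SoarAlert) -> str:
        if alert.alert_id in self.reject:
            raise RuntimeError("SIEM refused the alert")
        self.created.append(alert.alert_id)
        return f"siem-{len(self.created)}"


def fetch_unsynced(alerts: List[SoarAlert], exclude: Set[str],
                   batch_size: int) -> List[SoarAlert]:
    """Alerts without a SIEM identifier, at most `batch_size` per iteration.
    Alerts that originated in SIEM already carry siem_alert_id (first scenario),
    so only third-party alerts (second scenario) are returned."""
    return [a for a in alerts
            if a.siem_alert_id is None and a.alert_id not in exclude][:batch_size]


def run_creator(alerts: List[SoarAlert], siem: FakeSiem, log: List[str],
                batch_size: int = BATCH_SIZE) -> int:
    """Iterate until no new SOAR alerts remain; returns total_synced."""
    total_synced = 0
    attempted: Set[str] = set()   # IDs tried this run, so a refused alert cannot loop forever
    iteration = 0
    while True:
        iteration += 1
        batch = fetch_unsynced(alerts, attempted, batch_size)
        if not batch:
            log.append("No new SOAR alerts found, stopping")
            break
        log.append(f"Iteration {iteration}: fetched {len(batch)} SOAR alerts "
                   f"{[a.alert_id for a in batch]}")
        for alert in batch:
            attempted.add(alert.alert_id)
            try:
                new_id = siem.create_alert(alert)   # one request per alert
            except Exception as err:
                log.append(f"Alert {alert.alert_id} was not created in SIEM: {err}")
                continue
            alert.siem_alert_id = new_id            # SOAR saves the SIEM identifier
            total_synced += 1
    log.append(f"Synced {total_synced} alerts in this run")
    return total_synced
```

Sending alerts one at a time means a single SIEM rejection only costs that alert, which matches the per-alert error entry in the job log; the `attempted` set is a modeling choice so a rejected alert is not re-fetched in the same run.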
Configure the Google Chronicle Alerts Creator job
Make sure you have completed the prerequisite steps before configuring the job.
To configure the Google Chronicle Alerts Creator job, follow these steps:
- Configure the job parameters from the following table:

| Parameter | Description |
|---|---|
| Environment | Required. The name of the environment created in Google SecOps SOAR where you want to sync cases and alerts. |
| API Root | Required. The API root of the Google SecOps instance. Google SecOps provides regional endpoints for each API. For example, https://europe-backstory.googleapis.com or https://asia-southeast1-backstory.googleapis.com. If you don't know which endpoint to use, [contact Cloud Customer Care](/chronicle/docs/getting-support). The default value is https://backstory.googleapis.com. |
| User's Service Account | Required. The content of the service account JSON file of your Google SecOps instance. |
| Verify SSL | Required. If selected, the integration validates the SSL certificate when connecting to the Google SecOps server. Enabled by default. |

- To complete the configuration, click Save. If the Save button is inactive, make sure that you have set all mandatory parameters.
- Optional: To run the job immediately after saving, click Run Now. The Run Now option lets you trigger a single job run that synchronizes the current Google SecOps SOAR alerts and cases data with Google SecOps.
Log messages and error handling
| Log | Level | Description |
|---|---|---|
| | ERROR | The service account provided in the User's Service Account parameter is corrupted. |
| | ERROR | The current Google SecOps platform instance version doesn't support the Google Chronicle Alerts Creator Job script execution. This error means that the instance build version is earlier than 6.2.30. |
| | ERROR | The service account or API root values cannot be validated against the Google SecOps instance. This error is reported if the connectivity testing fails. |
| | INFO | Log message indicating that the job has started. |
| | INFO | Log message indicating that the main function has started. |
| | INFO | Log message indicating the iteration number for the current consecutive attempt. |
| | INFO | Log message indicating that the code doesn't retrieve more than BATCH_SIZE new alerts from SOAR. |
| | INFO | Log message indicating that NUMBER_OF_NEW_ALERTS SOAR alerts were fetched. |
| | INFO | Log message indicating that no new SOAR alerts were found, and that the job is stopping. |
| | INFO | Log message indicating that the job has fetched the SOAR alerts with the following identifiers in the ID list. You can use this information to track the progress of the job and to troubleshoot issues with the code. |
| | INFO | Log message indicating that the job is dispatching SOAR alerts to SIEM. |
| | ERROR | Log message indicating that the alert was not created successfully in SIEM due to an error. |
| | INFO | Log message indicating that the job is updating SOAR with the SIEM response. |
| | WARNING | Indicates that SOAR was unable to update the status of the alert synchronization. |
| | INFO | Log message indicating that a total of total_synced alerts were synced in the current run. |
| | INFO | Log message indicating that the job has finished. |
| | ERROR | Log message indicating that an exception occurred in the main function. The exception message is included in the log message. |
Use cases
The Google Chronicle integration lets you run the following use cases:
- Chronicle Windows Threats Investigation and Response
- Security Command Center and Chronicle Cloud DIR
Install the use case
- In the Google SecOps Marketplace, go to the Use Cases tab.
- In the search field, enter the use case name.
- Click the use case.
- Follow the configuration steps and instructions in the installation wizard.
Once finished, all of the required components are installed on your Google SecOps machine. To finalize the installation, configure the Initialization block in the playbook that corresponds to your use case.
Chronicle Windows Threats Investigation & Response
Use the power of Google SecOps to respond in real time to Windows threats in your environment. Using Threat Intelligence for Google SecOps, security teams can take advantage of a high-fidelity threat intelligence service together with Google SecOps. Real threats in your environment can now be automatically triaged and remediated in a short and effective time period.
- In Google SecOps, go to Response > Playbooks.
- Select the Google Chronicle - Windows Threats Investigation & Response playbook. The playbook opens in the playbook designer view.
- Double-click Set Initialization Block_1. The block configuration dialog opens.
- To configure the playbook, use the following parameters:

| Input parameter | Possible values | Description |
|---|---|---|
| edr_product | Crowdstrike, Carbon Black, None | The EDR product to use in the playbook. |
| itsm_product | Service Now, Jira, ZenDesk, None | The ITSM product to use in the playbook. Jira requires additional configuration in the Open Ticket block. |
| crowdstrike_use_spotlight | True or False | If True, the playbook executes Crowdstrike actions that require a Spotlight license (vulnerability information). |
| use_mandiant | True or False | If True, the playbook executes the Mandiant block. |
| slack_user | Username or email address | The username or email address of the Slack user. If none is provided, the playbook skips the Slack blocks. |

- Click Save. The block configuration dialog closes.
- In the playbook designer pane, click Save.
To test the playbook in the use case, ingest the test case included in the package. Some test case capabilities can fail because the data used for testing is unavailable in your environment.
Security Command Center and Chronicle Cloud DIR
Integrate Security Command Center with Google SecOps to let your analysts investigate incidents and threats that Security Command Center detects.
Configure the use case
The use case requires you to configure the following integrations:
- Siemplify
- Tools
- Mitre ATT&CK
- Google Cloud IAM
- Google Chronicle
- Functions
- Google Cloud Compute
- Email V2
- VirusTotal v3
The Google Security Command Center and Mandiant integrations are optional.
Make sure that you have installed the use case before configuring it.
- In Google SecOps, go to the Playbooks tab.
- Select the SCC & Chronicle Cloud DIR playbook.
- Double-click the Initialization block to configure it.
- Configure the playbook using the following parameters:

| Parameter name | Possible values | Description |
|---|---|---|
| Mandiant_Enrichment | True or False | If True, the Mandiant integration needs to be configured for this setup. You can remove the enrichment if you rarely get meaningful information. Removing the enrichment block improves the execution speed of the playbook. |
| SCC_Enrichment | True or False | If True, the Security Command Center integration must be configured for this setup. You can remove the enrichment if you rarely get meaningful information. Removing the enrichment block improves the execution speed of the playbook. |
| IAM_Enrichment | True or False | If True, the playbook uses the IAM capabilities for additional enrichment. You can remove the enrichment if you rarely get meaningful information. Removing the enrichment block improves the execution speed of the playbook. |
| Compute_Enrichment | True or False | If True, the playbook uses Compute Engine capabilities for additional enrichment. You can remove the enrichment if you rarely get meaningful information. Removing the enrichment block improves the execution speed of the playbook. |
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-19 UTC.