Google Cloud API

This document provides guidance to help you configure and integrateGoogle Cloud API with Google SecOps.

Integration version: 4.0

Integrate Google Cloud API with Google SecOps SOAR

The integration requires the following parameters:

ParametersDescription
Test URLOptional

A test URL for validating the authentication to the Google Cloud API. This parameter uses a GET request.

Service Account Json File ContentOptional

The content of the service account key JSON file.

You can configure either this parameter, theWorkload Identity Email parameter, or set all the preceding integration parameters.

To configure this parameter, provide the full content of the service account key JSON file that you have downloaded when creating a service account.

For more information about using service accounts as an authentication method, seeService accounts overview andService account impersonation.

In this integration, authenticating with the service account key JSON file has a priority over the Workload identity email.

Organization IDOptional

The organization ID to use in the integration.

To retrieve the value from this parameter during the action execution, set the following placeholder:{{org_id}}.

Project IDOptional

The project ID to use in the integration.

To retrieve the value from this parameter during the action execution, set the following placeholder:{{project_id}}.

Quota Project IDOptional

The Google Cloud project ID which you use for Google Cloud APIs and billing. This parameter requires you to grant theService Usage Consumer role to your service account.

The integration attaches this parameter value to all API requests.

If you do not set a value for this parameter, the integration retrieves the project ID from your Google Cloud service account.

Workload Identity EmailOptional

The client email address of your Service Account.

You can configure either this parameter or theService Account Json File Content parameter.

In this integration, authenticating with the service account key JSON file has priority over the Workload identity email.

To impersonate service accounts with Workload identity, grant theService Account Token Creator role to your service account. For more details about workload identities and how to work with them, seeIdentities for workloads.

OAuth ScopesOptional

A comma-separated list of OAuth scopes that are required to execute the Google Cloud API requests.

Verify SSLRequired

If selected, the integration verifies that the SSL certificate for connecting to the Google Cloud service is valid.

Selected by default.

For instructions about configuring an integration inGoogle SecOps, seeConfigureintegrations.

You can make changes at a later stage if needed. After you configure anintegration instance, you can use it in playbooks. For more information aboutconfiguring and supporting multiple instances, seeSupporting multipleinstances.

Actions

For more information about actions, seeRespond to pending actions from Your Workdesk andPerform amanual action.

Execute HTTP Request

Use theExecute HTTP Request action to construct and execute a customizedHTTP API request against a target URL.

This action doesn't run on Google SecOps entities.

Action behavior

This action supports complex behaviors including asynchronous polling, dynamicpayload construction, and file management.

Asynchronous polling

WhenExpected Response Values is provided, theaction operates in asynchronous mode. In this mode, the action repeatedly pollsthe target endpoint to track the state of a response (for example, waiting for a long-running task to complete).

The action evaluates the response body against the JSON conditions provided inthe parameter and continues execution until the conditions are met or the actionreaches its timeout.

Condition logic

The action supports the following logic for tracking response states:

  • Single field matching: The action waits for a specific field to reach asingle value.

    {"state":"finished"}

  • Multiple values (OR logic): The action stops execution if a field matchesany value in a provided list. This is useful for stopping on both "success" and"error" states to avoid unnecessary polling.

    {"state":["finished","error"]}

  • Multiple fields (AND logic): The action waits until all specified fieldsmatch their respective values simultaneously.

    {"state":"finished","percentage":"100"}

  • Combined logic: You can combine multiple conditions within the JSONobject.

    {"state":["finished","error"],"percentage":"10"}
JSON parsing behavior

When evaluating conditions, the action follows these rules:

  • Global search: The action searches the entire JSON response object for thespecified keys. Provide the key name exactly as it appears in theJSON without prepending parent object names or using prefixes (for example, use"state", not"data_state" or"data-state").

  • Multiple identical keys: If the response contains multiple keys with thesame name at different levels of the JSON hierarchy, the expected output is onlyreached when all matching key names satisfy the identical expected value.

    For example, to search for thefinished state in the JSON response andignore other states, set allstate keys inExpected Response Values tofinished:

    {"data":{"state":"finished"},"state":"finished"}
Body payload construction

The action constructs the request body based on theContent-Type headerprovided inHeaders.

This is theBody Payload input used forthe following construction examples:

{"Id":"123123","sorting":"asc"}

  • application/x-www-form-urlencoded: The action generates the payload asId=123123&sorting=asc.

  • application/json: The action generates the following JSON payload:

    {"Id":"123123","sorting":"asc"}

  • XML: If the third-party product requires XML, provide an XML-formattedinput directly inBody Payload:

    <?xmlversion="1.0"encoding="utf-8"?><soap:Envelopexmlns:soap="[http://schemas.xmlsoap.org/soap/envelope/](http://schemas.xmlsoap.org/soap/envelope/)"><soap:Body><NumberToWordsxmlns="[http://www.dataaccess.com/webservicesserver/](http://www.dataaccess.com/webservicesserver/)"><ubiNum>500</ubiNum></NumberToWords></soap:Body></soap:Envelope>
File handling

The action supports the following workflows for managing files:

  • Downloading files:

    • To return file data as part of the JSON result in base64 format, selectBase64 Output.

    • To save a file directly to the Case Wall as a ZIP archive, selectSave To Case Wall.

  • Uploading files: To upload a file, convert it to a base64-encoded stringand include it as part of theBody Payload value.

    The following example shows an image file converted to a base64-encodedstring:

    iVBORw0KGgoAAAANSUhEUgAAAOEAAADgCAMAAADCMfHtAAAAvVBMVEX////2yBctLS32xgAAAAASEhLPz8/2xwAfHx8qKiqTk5P1wwD2xw4XFxf///u9vb3w8PAlJSXi4uJBQUH++eb+++z//fP76rH99df98sz64qD64Y/523b41Vr53Hz39/f87bv878T989H3zjH634j76rL3zzz76Kj42GbZ2dn41FCvr68TExM6OjpRUVFmZmb40kiOjo6wsLB8fHxdXV3645j41V9ubm5ISEjGxsahoaFhYWGFhYX53Xn63oxSMwp1AAAMpUlEQVR4nO1da1fiOhemBmg7KWCV+00QBUQdmVHU8Z2Z//+zDpfxgn3SZKdJi+/q8+GctWZJk6fJvmY3u1DIkSNHjhw5cuTIkSNHjq+DZn08brVm3S1ardG4Xc96SqbQHs2GC4dxzj6Bc3c67806zaxnmADt1nDKNsyCwIEI3A1Td7AafUGane5iQ05A7RPRNU1neNnIes7qaLbmLlcjt8dysupkPXUVNLtLzlwSu3eW3B2OsyYgweWCunifwJh70c6ahRDtoaLgSUjy6ayaNReEyylnyeltsRbKi0Mzl9Wua2L53sH443nWpD6g2WOmlu8dAV8ejGq1we8fx4PQrDPXDr8dx0Hm8jh27PHbcexn6tHVB9yofkFgbJYdwZ59fluO04x8gPbE7gZ9R8AvsnABLtJZwB2Yk/oy1qfEBQy2weArXFHIKPw576VLcKbuwQTBhpAzWc77vd7laI1urzcfTHfxrzpRtkwxgKzOuSK7DYVFb3SOrFqjPW79mTjuhr/aw1Kz/3UlFbNhN+2NZRa7et6aO4pOLb9IhV9hrDCdYB0E/xkrb6v2bBmokGSDNHTqSr5DGZv0qJFBYzRQIMkc+15cX0ZwPc++XlDQmE2lPnzgWg6qqgPJFAKWKEBv9wMZRzYyxgagKrGCLlskjekaK0eyWXnLCBc8uhObRHPZwITnUe1K4hW+MjAKRMOJe7mBGX4byDjaohhPkE1N5hyqvdi42g7FWILMMS0c9cc4cbThpVYn4gEDZiMQH8e5TrxrerjqVKxk2MROUqw6jFlG4xo1xg6yvjVXqhOjcbjZ1zoXjuS6I6Mj7aMqHthhJoNisS9qPWoTR6KBY27okZjg0NggIrSFO9WdmhqjLhoiSCXR11yIxmdzMyMI7UTgpnSw0BdR5Gbe8KPg+UEKsdo/XAhX0UQs1RUIIZukmG7vCt9yckslEsJUCRYKLdE0kouiQAjZNOUDk5GAYmLfRiABKa/gBiKKLNlMzrEQBpMMzhFmmGKwSPRUHDEFTiZneitMMdE+7eFnuhkdzIpERv99C/Qoy6yCAJvmBPp0AfdohmeyAvdKO5AaQzWTgrMtRgMuYjDRfBxUM8HS6JSpGON9qretsKfkZlzsirWNq2O9qjAxYzenroIl2llMJ/cGXxbrG58xFVgUNSxGEz3IhCufGNC3YfTDU7iEhvNbmoBGjLyIUAoPYI9uAB0R8iJCH5DynspaONafHFWdwo1AsTrFkgaKNbWHI0vNaHn+S/CWaJ5D8UgDFUWG0NsKSAyR/0dTM1YZQqNIMtVt8I6CAYWgZYZwghR/EiUoOe2YwC7DwgBtMvWwtYqkkLaEthmiRSS4bkjPEJfQNkO4iK7yr4Eck4Mm2wzRIirrwkaSH6fFEC2Dss8FXFt6FG2dIcqfMsXfTsHbIQfR1hkit0uxArWJ1BQ5arLPEHinijkkoElder7OPsM6WAk1bTqPBk4aGVL7DJGuUbNpQILVDU2aDMFmUwowwGGMRooAMQw9GVSjpx2AwlAy20iANZIXUYbh/TcZflyRxgDpDBV7AX6msUkBwxJt+goAB8MqiwE0qU56BjAsazwmFsD5UhBE4O9pZYHTYAiyGQohEFh5rpPIT4UhSHnKJWoY+VHg6AyeCkNwTiMPg6MZGh1bkRJDYC/kIgXUk/Q3CKkwBIIoVTXA2SOkPz4gDWuBZErqQoOoSzXo2kc6axjVi9JINhr9BnpVnOkw7NAXJKp/Nc/t02EIVA2XVA5HU1hMryAnHTks0CM9YCz0vk2NMqzUTt5xfKb11AiiMaJM9euYUAgQPVXezpjC8PT70+/rK7XDtDj0I4so23NgX+sNLYmAfT/0Kje3T9cJSUYLRtjf2B8Ac6hnLNRifD+seE+1JBs2GudLkqbnhrxSQhYjLD2/6HOM2m9JHWbUvujWQBHyNH7llJS9+AiwJPH2G7wS4pnTK0iZKL/0pCmPUbGSbLooQ91CPWKuzTv6pTVMNMw/VIZH/s1PnWFAIiM+Bo56snrRoU6+tPSiMw7VvEUdb916WY2McElnFb8Uw6Oihm/+tRj6Pt0wUhlmKYdrePfWGWanS3coUiMssi61xND/gFiG4ffEDMn2UNunqVS20ZK3ZXX6hluv5IXmFpHs05jzS1+uf9XKb/HuB5yUX+7EHEOiJAK/NH7C5mKLWJzc34h2a4X2JHJsYS4+lOCXSCCJ+SpyfIiUr53i9SsBRY/mu5FjfHN5Gil+lbAg3pGeQs/TGMu1yXEH1Y1/S3pItLpJlmsD+VJbn6qV8SKWSA8B+VLJB+zGct4KwAyLlEcAl0aW8wZHHcZun/iM71DXkBhqnFsYO3tSwBMURBJDcJAkO3sydn6ogPvkDKOqVF6CZ+oMuCDX+g+QIUnTaJwBI/WrpWpqxQfZnxwhOfRPCYNoneObqsXwfe85Pgd6BkNIksUHWkOmSmHBn/xHUVxX1pO9jQ2FahXE0PtGGEWrngbVRF0SBt3hLNzswDC8jvmbZ2gsSAWYWjVRqK6NXiH84u2EqiLO1l/fIIJHRUJ6H0VCCgWmJmoTz7y3TXckWMYy3KM0txR8VKBSm6j5sz388N6nXHlGB4Q1z0DwpFlfimqEifbieM/j9G+eX072/+DkviIIgIsn+JEIujXCwF2nbtN7b3/avhc+fCuf7CTs+KT25HuY31EoNaIfoFvnnbxW/wTWeN/4p98fHh6+n4aVUJhSJOX1wZcvarX6ib+3wP7mtjohDGMTpqQl1P/eAn4zQyiiRUuoCIoUouuBVBUG+u6J8KE0zk6ooELxZ5C+UJUm9O2aum8qSE4oIHymEETfrqlqRPT9oXo+6ll3CX2fVK2AdpqyVQOWVD25f32jR9GvkI4s0D1r6p+BJvsO+OSuFH/AhAne0JLdyb4DTvotd+1W5LIIEd5S1KjgW27CLd/RMJj2MffZi0/jWPofsWIIfo9PiGMTX1lQOH65VZfHsEItNEl+6QNQVA6npffPfj4UBQHEJ37FJ9oOLeB7MWjzQ8aG/j331Y/bkoSkHxbv6DUmcHrEdBK8Yoh+0/tZ+fdp0RN52v7aCf+tU/0N76chnq/Ay9q0rmA8u3p5Oip53r7P7YeeV7y916uehRdWUu8YwvdE6V7BeHZ1/ePu1C+WSpVtAUPRu334fX2lWTiL74kiN4SAdzERlc0+zo6Py+Xaz5+1cvk4Uak+vpOOvL/wlXvB/9F9bYLbvrK/zwxfqqqjIgT3JtKzw4aBTLWGFG6AbyZmGbdAx3dfakoPvr/U2pGwEvCd15rfZonuoM1SFLEQat9BWxhgUTy8e4S1+weI7oLOrNMy7nSRZFcJ7ghnGd3nLehzkejiX7wrTHZ4IUBwfzpPZMBQpOkc1r36rmaJ7ysE7y2D3ggCgkl7IwhciAwoirqU8FHSJx9IjxIRQRPtglrCPjMpalSBUjdUoy1qDHYQvYLMdCYT93tKx/SLm68Z6vck7tmlk5uio7kUrqAxFxm74LsxrBvGjrC9q7m+a+KuVpuuSJaFcRXTO8+kNhd2PlsLo82ovylqibZZQpP9D0Ve/W4Z7e3UcUwPS+PdbmK6OTPHjk6t9uP6kI6MDxfTajVgcwsOziiu7bGN1tXN2H7AgWm7UR/E9gNOv+XxWqma3KrNCxbXAtxe2+q4UQO2NNW6vrqK7yFvr/V4M755fMAGJjjKe6tb9KSq8RQdly2T7tVGT8IvYdZCipjezv/WcTJLkMQ5n8f2VN8StO3u/xE6cG8cg7meMa53J0zGLzDsySDMZBTXepU5QyrJemsZxNmHf0+epJHl68gnsl5I5sxHyk75+WqqQG9N8DGdHF89rnH9x5UMpsOxbFM1O7PBWkMp0FuLoE7vMT305Tt1i/VSus5iOOq0gVfXOB9355PNi1B7mJtWC+ktLlWntaO5cVCmg3mv15uNRuv/9ufLyVpprP9d/TFskW7+si6xjIDohtEr3ECd2u7X9vwYIVacOMkkYBP7RiKKNnkZdRHoXpKTGKvYAMAYrOeCYtCY29+qzLUQ7BLQUbON2nD5MOPGp4VCS+or6yPg8+w26Ad0LXEM+CALDQrRVXS7KHD540H0BH3FzDHLkfH5wazfK0YLbmqzBsz9m3FxGUb7wshmZXyarX2IxehROVQQ0XN6B6E+xWi2Fkyai8AIGHcvDkq7iFC97LucuJTrEItPVwenXGLQnj2uWSrR3ERVfPJ3dAAF1lS0L/8uNzSZKBjcRozcmXfHX5DdG+rj2d/BxOWc7YNz7iz73db5Vya3h3q7M2q1Wt1ud7b+33hcz9yhzpEjR44cOXLkyJEjh0H8ByMJ8u+aLBzeAAAAAElFTkSuQmCC

  • Security: For sensitive files (such as malware), selectPassword Protect Zip. This automatically encrypts thesaved ZIP archive created usingSave To Case Wall with the passwordinfected.

Playbook block configuration

The following configuration demonstrates how to use theExecute HTTP Requestaction within a playbook block. Use this example to understand how to applyplaceholders and input prefixes.

When using block inputs as placeholders, you must include theInput. prefix(for example,[Input.comment]).

  • Method:PUT

  • URL Path:

    https://{API_URL}/[Input.table_name]/[Input.sys_id]

  • Headers:

    {"Content-type":"application/json; charset=utf-8","Accept":"application/json","User-Agent":"GoogleSecops"}

  • Body Payload:

    {"work_notes":"[Input.comment]"}

Action inputs

TheExecute HTTP Request action requires the following parameters:

ParameterDescription
MethodOptional

A method to use in the request.

The default value isGET.

Possible values are:
  • GET
  • POST
  • PUT
  • PATCH
  • DELETE
  • HEAD
  • OPTIONS
URL PathOptional

A URL to execute.

The default value ishttps://.

URL ParamsOptional

The URL parameters.

The action uses any value provided alongside the values that you directly provided in theURL Path parameter.

This parameter requires the JSON object format as an input. The default value is as follows:

{    "URL Field Name": "URL_FIELD_VALUE"    }
HeadersOptional

Headers to use in the HTTP request.

This parameter requires the JSON object format as an input. The default value is as follows:

{    "Content-Type": "application/json; charset=utf-8",    "Accept": "application/json",    "User-Agent" : "GoogleSecOps"    }
CookieOptional

The parameters to use in theCookie header.

This parameter overwrites cookies provided in theHeaders parameter.

This parameter requires the JSON object format as an input. The default value is as follows:

{    "Cookie_1": "COOKIE_1_VALUE"    }
Body Payload
Optional

A body for the HTTP request. The action constructs different payloads depending on theContent-Type header value provided in theHeaders parameter.

This parameter requires the JSON object format as an input except when a third-party product requires XML or themultipart/form-data content. If you submit or upload a file using the API request, provide the base64-encoded version of the file in theBody Payload parameter and set the header to"Content-type": "multipart/form-data".

The default value is as follows:

{    "Body Field Name": "BODY_FIELD_VALUE"    }
Expected Response Values

Optional.

The JSON object containing the field-value pairs that define the required state of the response body.

Note: Providing a value for this parameter triggers asynchronous polling behavior. For detailed information on formatting conditions and logical operators, seeAction behavior.
Save To Case WallOptional

If selected, the action saves the file and attaches the saved file to the case wall. The file is archived with the.zip extension. The.zip file isn't password-protected.

Not selected by default.

Password Protect ZipOptional

If selected, the action adds a password to the.zip file created using theSave To Case Wall parameter. The password is as follows:infected.

Use this parameter when working with suspicious files.

Selected by default.

Follow RedirectsOptional

If selected, the action follows the redirects.

Selected by default.

Fail on 4xx/5xxOptional

If selected, the action fails if the status code of the response is 4xx or 5xx errors.

Selected by default.

Base64 OutputOptional

If selected, the action converts the response to the base64 format.

Use this parameter when downloading files.

The JSON result cannot exceed 15 MB.

Not selected by default.

Fields To ReturnRequired

The fields to return. The possible values are as follows:

  • response_data
  • redirects
  • response_code
  • response_cookies
  • response_headers
  • apparent_encoding
Request TimeoutRequired

A period to wait for the server to send data before the action fails.

The default value is 120 seconds.

Action outputs

TheExecute HTTP Request action provides the following outputs:

Action output typeAvailability
Case wall attachmentNot available
Case wall linkNot available
Case wall tableNot available
Enrichment tableNot available
JSON resultAvailable
Output messagesAvailable
Script resultAvailable
JSON result

The following example describes the JSON result output received when using theExecute HTTP Request action:

{"response_data":{"data":{"relationships":{"comment":[{"name":"item","description":"Object to which the comment belongs to."},{"name":"author","description":"User who wrote the comment."}]}}},"redirects":[],"response_code":200,"cookies":{},"response_headers":{"Content-Type":"application/json","X-Cloud-Trace-Context":"VALUE","Date":"Fri, 03 Nov 2023 16:14:13 GMT","Server":"Google Frontend","Content-Length":"36084"},"apparent_encoding":"ascii"}
Output messages

TheExecute HTTP Request action provides the following output messages:

Output messageMessage description

Successfully executed API request.

Successfully executed API request, but the status code {4xx/5xx} was returned. Please check the request or try again later.

The action succeeded.
Failed to execute API request. Error:ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table describes the values for the script result output when usingtheExecute HTTP Request action:

Script result nameValue
is_successTrue orFalse

Ping

Use thePing action to test connectivity to Google Cloud.

This action doesn't run on Google SecOps entities.

Action inputs

None.

Action outputs

ThePing action provides the following outputs:

Action output typeAvailability
Case wall attachmentNot available
Case wall linkNot available
Case wall tableNot available
Enrichment tableNot available
JSON resultAvailable
Output messagesAvailable
Script resultAvailable
JSON result

The following example describes the JSON result output received when using thePing action:

{"endpoint":"TEST_URL"}
Output messages

ThePing action provides the following output messages:

Output messageMessage description
Successfully tested connectivity.The action succeeded.
Failed to test connectivity.

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table describes the values for the script result output when usingthePing action:

Script result nameValue
is_successTrue orFalse

Need more help?Get answers from Community members and Google SecOps professionals.

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.