Integrate Compute Engine with Google SecOps
Integration version: 13.0
This document explains how to integrate Compute Engine with Google Security Operations.
Important: In the Google SecOps platform, the integration for Compute Engine is called Google Cloud Compute.
Use cases
The Compute Engine integration uses Google SecOps capabilities to support the following use cases:
- Automated incident response: Use playbooks to automatically isolate a compromised Compute Engine instance from the network. Automated containment limits the attack's spread, accelerates response time, and reduces security team workload.
- Threat hunting and investigation: Automate the collection of logs and security telemetry from Compute Engine instances across multiple projects. Analyzing this consolidated data enables proactive threat hunting and speeds up investigations by automating data collection.
- Vulnerability management: Integrate vulnerability scanning tools with Google SecOps to automatically scan Compute Engine instances for known vulnerabilities. Generate remediation tickets or patch vulnerabilities directly to reduce exploitation risk and improve security posture.
- Compliance automation: Automate the collection of audit logs and configuration data from Compute Engine instances to comply with regulatory requirements. Generate reports and dashboards for auditors to simplify compliance reporting and reduce manual effort.
- Security orchestration: Orchestrate security workflows across multiple Google Cloud services, including Compute Engine. For example, trigger the creation of a new firewall rule in response to a security event detected on an instance, leading to a more coordinated and automated security posture.
Before you begin
To integrate Compute Engine with Google SecOps, you must configure a service account with the necessary permissions.
Create a custom IAM role
Create a custom Identity and Access Management (IAM) role with the specific permissions required for the integration to manage your instances.
- In the Google Cloud console, go to IAM & Admin > Roles.
- Click Create role.
- Provide a Title (for example, SecOps Compute Engine Integration), Description, and a unique ID.
- Set the Role Launch Stage to General Availability.
- Click Add Permissions and add the following:
  - compute.instances.list
  - compute.instances.start
  - compute.instances.stop
  - compute.instances.delete
  - compute.instances.setLabels
  - compute.instances.getIamPolicy
  - compute.instances.setIamPolicy
  - compute.instances.get
  - compute.zones.list
- Click Create.
Create a service account
Create a service account that the integration will use to perform actions in your project.
- In the Google Cloud console, go to IAM & Admin > Service Accounts.
- Select your project and click Create Service Account.
- Enter a Service account name and Description, and click Create and Continue.
- In the Grant this service account access to project step, search for and select the custom role you created in the previous section.
- Click Done.
Configure an authentication method
Workload Identity is the recommended authentication method because it is fundamentally more secure. The distinction between the options is as follows:
- JSON key: This method relies on a static, long-lived secret, creating a persistent security risk if compromised.
- Workload Identity: This method uses short-lived, temporary access tokens, eliminating the need to store any secrets, which greatly improves your security posture.
Configure a JSON key
To create a JSON key, complete the following steps:
- Select your service account and go to Keys.
- Click Add key.
- Select Create new key.
- For the key type, select JSON and click Create. A Private key saved to your computer dialog appears and a copy of the private key downloads to your computer.
Configure Workload Identity credentials
Workload Identity lets you securely access Google Cloud resources from your Google SecOps instance without exporting credentials.
Grant impersonation permissions to your Google SecOps instance
To use Workload Identity, you must grant your Google SecOps instance permission to impersonate your service account. This is the final step that allows the instance to securely access Google Cloud resources.
- In Google SecOps, go to Content Hub > Response Integrations.
- Select the integration you're configuring, and enter your service account email in the Workload Identity Email field.
- Enter the email you want the integration to impersonate in the Delegated Email field.
- Click Save > Test. The test is expected to fail.
- Click the close icon (close_small) to the right of Test and search the error message for gke-init-python@YOUR_PROJECT. Copy this unique email, which identifies your Google SecOps instance.
- Go to IAM & Admin > Service Accounts, select your project, and select your service account.
- Select Principals with access > Grant access.
- Under Add principals, paste the value you copied.
- Under Add Roles, select the Service Account Token Creator (roles/iam.serviceAccountTokenCreator) role.
Note: It may take a few minutes after completing this step for the test to pass.
Integration parameters
The Compute Engine integration requires the following parameters:
| Parameter | Description |
|---|---|
| API Root | Optional. The base URL for the Compute Engine API. The default value is |
| OS Config API Root | Optional. The base URL for the Cloud OS Config API. The default value is |
| Account Type | Optional. The type of Google Cloud account. This corresponds to the The default value is |
| Project ID | Optional. The ID of the Google Cloud project. This corresponds to the |
| Private Key ID | Optional. The private key ID of the Google Cloud account. This corresponds to the |
| Private Key | Optional. The private key of the Google Cloud account. This corresponds to the |
| Client Email | Optional. The client email address of the Google Cloud account. This corresponds to the |
| Client ID | Optional. The client ID of the Google Cloud account. This corresponds to the |
| Auth URI | Optional. The authentication URI of the Google Cloud account. This corresponds to the The default value is |
| Token URI | Optional. The token URI of the Google Cloud account. This corresponds to the The default value is |
| Auth Provider X509 URL | Optional. The authentication provider X.509 URL of the Google Cloud account. This corresponds to the The default value is |
| Client X509 URL | Optional. The client X.509 URL of the Google Cloud account. This corresponds to the |
| Service Account Json File Content | Optional. The content of the service account key JSON file. Use this parameter if you are authenticating with a service account key. Paste the full content of the downloaded JSON file. If you use this parameter, leave |
| Workload Identity Email | Optional. The email address of the service account that you want to impersonate. Use this parameter if you are authenticating using Workload Identity. If you use this parameter, leave |
| Verify SSL | Required. If selected, the integration validates the SSL certificate when connecting to the Compute Engine server. Enabled by default. |
For instructions about how to configure an integration in Google SecOps, see Configure integrations.
You can make changes at a later stage, if needed. After you configure an integration instance, you can use it in playbooks. For more information about how to configure and support multiple instances, see Supporting multiple instances.
Actions
For more information about actions, see Respond to pending actions from Your Workdesk and Perform a manual action.
Add IP To Firewall Rule
Use the Add IP Range to Firewall Rule action to append an IP range to an existing firewall rule within a Compute Engine instance.
This action doesn't run on Google SecOps entities.
Note: This action runs asynchronously. Adjust the script timeout value in the Google SecOps IDE as needed to ensure the action has sufficient time to complete the request.
Action inputs
The Add IP To Firewall Rule action requires the following parameters:
| Parameter | Description |
|---|---|
| Resource Name | Optional. The full resource name of the Compute Engine instance, in the format This parameter takes priority over |
| Project ID | Optional. The project name associated with the Compute Engine instance. If no value is provided, the action uses the project ID from the integration configuration. |
| Firewall Rule | Optional. The name of the specific firewall rule to update. |
| Type | Required. The direction of the traffic for the IP range being added. The possible values are as follows: The default value is |
| IP Ranges | Required. A comma-separated list of IP address ranges (CIDR notation) to add to the firewall rule. |
Action outputs
The Add IP To Firewall Rule action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example shows the JSON result output received when using the Add IP To Firewall Rule action:
{"kind":"compute#operation","id":"0000000000000000000","name":"operation-1716223324528-618e5619d1f93-174eac81-6b38200d","operationType":"patch","targetLink":"https://www.googleapis.com/compute/v1/projects/project-id/global/firewalls/firewall-name","targetId":"7886634413370691799","status":"DONE","user":"compute-admin@project-id.iam.gserviceaccount.com","progress":100,"insertTime":"2024-05-20T09:42:05.150-07:00","startTime":"2024-05-20T09:42:05.164-07:00","endTime":"2024-05-20T09:42:09.381-07:00","selfLink":"https://www.googleapis.com/compute/v1/projects/project-id/global/operations/operation-1234567890","firewall":{"kind":"compute#firewall","id":"6297155974506248217","creationTimestamp":"2023-09-13T07:28:06.690-07:00","name":"firewall-name","description":"","network":"https://www.googleapis.com/compute/v1/projects/project-id/global/networks/vpc-network","priority":1000,"sourceRanges":["0.0.0.0/0"],"destinationRanges":["0.0.0.0/21"],"allowed":[{"IPProtocol":"tcp","ports":["22"]}],"direction":"INGRESS","logConfig":{"enable":false},"disabled":false,"selfLink":"https://www.googleapis.com/compute/v1/projects/project-id/global/firewalls/firewall-name"}}
Output messages
The Add IP To Firewall Rule action can return the following output messages:
| Output message | Message description |
|---|---|
| The action succeeded. |
| Error executing action "Add IP To Firewall Rule". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Add IP To Firewall Rule action:
| Script result name | Value |
|---|---|
| is_success | true or false |
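A pre-flight check for the IP Ranges parameter and a post-check on the JSON result, as an added example that is not part of the integration's own code. The prefix floor, the function names and the sample result are assumptions constructed for illustration; the result fields (`status`, `firewall.sourceRanges`, `firewall.destinationRanges`) are the ones shown in the JSON result above.

```python
import ipaddress
import json

# Assumption (not from the integration): the broadest prefix a playbook may
# add without analyst review, per IP version.
MIN_PREFIX = {4: 16, 6: 48}


def parse_ip_ranges(raw):
    """Validate a comma-separated IP Ranges value.

    Returns (accepted, rejected): accepted holds canonical CIDR strings in
    input order without duplicates; rejected holds (item, reason) pairs.
    """
    accepted, rejected = [], []
    for item in (part.strip() for part in raw.split(",")):
        if not item:
            continue
        try:
            # strict=False canonicalises "203.0.113.7/24" to "203.0.113.0/24".
            net = ipaddress.ip_network(item, strict=False)
        except ValueError:
            rejected.append((item, "not a valid CIDR range"))
            continue
        floor = MIN_PREFIX[net.version]
        if net.prefixlen < floor:
            rejected.append((item, "broader than /%d" % floor))
            continue
        if str(net) not in accepted:
            accepted.append(str(net))
    return accepted, rejected


def check_result(json_result, field, expected):
    """Confirm the patched rule contains the ranges that were requested.

    field is "sourceRanges" or "destinationRanges", as in the JSON result.
    Returns (missing, open_to_all): the expected ranges absent from the rule,
    and whether the rule already matches every address.
    """
    op = json.loads(json_result)
    if op.get("status") != "DONE":
        raise RuntimeError("operation not finished: %r" % op.get("status"))
    present = set()
    for value in op.get("firewall", {}).get(field, []):
        present.add(str(ipaddress.ip_network(value, strict=False)))
    missing = [r for r in expected if r not in present]
    open_to_all = bool(present & {"0.0.0.0/0", "::/0"})
    return missing, open_to_all


# Constructed sample: a trimmed operation result in the shape shown above.
SAMPLE_RESULT = json.dumps({
    "kind": "compute#operation",
    "operationType": "patch",
    "status": "DONE",
    "firewall": {
        "name": "firewall-name",
        "direction": "INGRESS",
        "sourceRanges": ["0.0.0.0/0", "203.0.113.0/24"],
        "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}],
    },
})

if __name__ == "__main__":
    ok, bad = parse_ip_ranges("203.0.113.7/24, 198.51.100.0/25, 0.0.0.0/0, bogus")
    print("accepted:", ok)
    print("rejected:", bad)
    print(check_result(SAMPLE_RESULT, "sourceRanges", ok))
```

An `open_to_all` value of true means the rule already matches every address in that direction, so the added ranges do not narrow or widen what it matches.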
Add Labels to Instance
Use the Add Labels to Instance action to add or update labels on a specific Compute Engine instance.
This action doesn't run on Google SecOps entities.
Action inputs
The Add Labels to Instance action requires the following parameters:
| Parameter | Description |
|---|---|
| Resource Name | Optional. The full resource name of the Compute Engine instance, in the format This parameter takes priority over |
| Project ID | Optional. The ID of the project associated with the Compute Engine instance. If no value is provided, the action retrieves the project ID from the integration configuration. |
| Instance Zone | Optional. The specific zone where the instance is located. This parameter is required if you are identifying the instance using |
| Instance ID | Optional. The unique ID of the Compute Engine instance. This parameter is required if you are identifying the instance using |
| Instance Labels | Required. A comma-separated list of labels to apply to the instance, in the |
Action outputs
The Add Labels to Instance action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example describes the JSON result output received when using the Add Labels to Instance action:
{"id":"ID","name":"operation-OPERATION_ID","zone":"https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a","operationType":"setLabels","targetLink":"https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a/instances/INSTANCE_ID","targetId":"INSTANCE_ID","status":"RUNNING","user":"user@example.com","progress":0,"insertTime":"2021-04-28T23:01:29.395-07:00","startTime":"2021-04-28T23:01:29.397-07:00","selfLink":"https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a/operations/operation-OPERATION_ID","kind":"compute#operation"}
Output messages
The Add Labels to Instance action can return the following output messages:
| Output message | Message description |
|---|---|
| The action succeeded. |
| Error executing action "Add Labels to Instance". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Add Labels to Instance action:
| Script result name | Value |
|---|---|
| is_success | true or false |
Add Network Tags
Use the Add Network Tags action to append one or more network tags to a specific Compute Engine instance.
This action doesn't run on Google SecOps entities.
Note: This action runs asynchronously. Adjust the script timeout value in the Google SecOps IDE as needed to ensure the action has sufficient time to complete the request.
Action inputs
The Add Network Tags action requires the following parameters:
| Parameter | Description |
|---|---|
| Resource Name | Optional. The full resource name of the Compute Engine instance, in the format This parameter takes priority over |
| Project ID | Optional. The ID of the project associated with the Compute Engine instance. If no value is provided, the action retrieves the project ID from the integration configuration. |
| Instance Zone | Optional. The specific zone where the instance is located. This parameter is required if you are identifying the instance using |
| Instance ID | Optional. The unique ID of the Compute Engine instance. This parameter is required if you are identifying the instance using |
| Network Tags | Required. A comma-separated list of network tags to add to the instance. All tags must only contain lowercase letters, numbers, and hyphens. |
Action outputs
The Add Network Tags action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example shows the JSON result output received when using the Add Network Tags action:
{"kind":"compute#instance","id":"1459671903146615834","creationTimestamp":"2023-09-13T04:20:21.993-07:00","name":"instance-2","description":"","tags":{"items":["another-tag","tag"],"fingerprint":"BCeEINC7Ths="},"machineType":"https://www.googleapis.com/compute/v1/projects/project-id/zones/us-central1-a/machineTypes/e2-micro","status":"RUNNING","zone":"https://www.googleapis.com/compute/v1/projects/project-id/zones/us-central1-a","canIpForward":false,"networkInterfaces":[{"kind":"compute#networkInterface","network":"https://www.googleapis.com/compute/v1/projects/project-id/global/networks/default","subnetwork":"https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1/subnetworks/default","networkIP":"10.128.0.3","name":"nic0","fingerprint":"-ZnnV7hiDfs=","stackType":"IPV4_ONLY"}],"disks":[{"kind":"compute#attachedDisk","type":"PERSISTENT","mode":"READ_WRITE","source":"https://www.googleapis.com/compute/v1/projects/project-id/zones/us-central1-a/disks/instance-2","deviceName":"instance-2","index":0,"boot":true,"autoDelete":true,"licenses":["https://www.googleapis.com/compute/v1/projects/centos-cloud/global/licenses/centos-7"],"interface":"SCSI","guestOsFeatures":[{"type":"UEFI_COMPATIBLE"},{"type":"GVNIC"}],"diskSizeGb":"20","architecture":"X86_64"}],"metadata":{"kind":"compute#metadata","fingerprint":"NBmH4-7Jw9U=","items":[]},"serviceAccounts":[{"email":"1111111111-compute@developer.gserviceaccount.com","scopes":["https://www.googleapis.com/auth/devstorage.read_only","https://www.googleapis.com/auth/logging.write","https://www.googleapis.com/auth/monitoring.write","https://www.googleapis.com/auth/servicecontrol","https://www.googleapis.com/auth/service.management.readonly","https://www.googleapis.com/auth/trace.append"]}],"selfLink":"https://www.googleapis.com/compute/v1/projects/project-id/zones/us-central1-a/instances/instance-2","scheduling":{"onHostMaintenance":"MIGRATE","automaticRestart":true,"preemptible":false,"provisioningModel":"STANDARD"},"cpuPlatform":"Intel Broadwell","deletionProtection":false,"shieldedInstanceConfig":{"enableSecureBoot":false,"enableVtpm":true,"enableIntegrityMonitoring":true}}
Output messages
The Add Network Tags action can return the following output messages:
| Output message | Message description |
|---|---|
| The action succeeded. |
| Error executing action "Add Network Tags". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Add Network Tags action:
| Script result name | Value |
|---|---|
| is_success | true or false |
Delete Instance
Use the Delete Instance action to delete Compute Engine instances.
This action doesn't run on Google SecOps entities.
Action inputs
The Delete Instance action requires the following parameters:
| Parameter | Description |
|---|---|
| Resource Name | Optional. The full resource name of the Compute Engine instance, in the format This parameter takes priority over |
| Project ID | Optional. The ID of the project associated with the Compute Engine instance. If no value is provided, the action retrieves the project ID from the integration configuration. |
| Instance Zone | Optional. The specific zone where the instance is located. This parameter is required if you are identifying the instance using |
| Instance ID | Optional. The unique ID of the instance you want to start. You can retrieve this value using the List Instances action. This parameter is required if you are identifying the instance using |
Action outputs
The Delete Instance action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example describes the JSON result output received when using the Delete Instance action:
{"id":"ID","name":"operation-OPERATION_ID","zone":"https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a","operationType":"delete","targetLink":"https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a/instances/INSTANCE_ID","targetId":"INSTANCE_ID","status":"RUNNING","user":"user@example.com","progress":0,"insertTime":"2021-04-28T23:01:29.395-07:00","startTime":"2021-04-28T23:01:29.397-07:00","selfLink":"https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a/operations/operation-OPERATION_ID","kind":"compute#operation"}
Output messages
The Delete Instance action can return the following output messages:
| Output message | Message description |
|---|---|
| The action succeeded. |
| The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Delete Instance action:
| Script result name | Value |
|---|---|
| is_success | true or false |
Enrich Entities
Use the Enrich Entities action to enrich Google SecOps IP Address entities with the instance information from Compute Engine.
This action runs on the following Google SecOps entities:
IP Address
Action inputs
The Enrich Entities action requires the following parameters:
| Parameters | Description |
|---|---|
| Project ID | Optional. The ID of the project associated with the Compute Engine instance. If no value is provided, the action retrieves the project ID from the integration configuration. |
| Instance Zone | Optional. The specific zone where the instance is located. |
Action outputs
The Enrich Entities action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Available |
| Enrichment table | Available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
Case wall table
After completing execution, the Enrich Entities action provides the following table:
Table name: ENTITY Enrichment Table
Columns:
- Entity Field
- Value
Enrichment table
The Enrich Entities action supports the following entity enrichment:
| Enrichment field | Source (JSON key) | Logic |
|---|---|---|
| Google_Compute_instance_id | id | Not available |
| Google_Compute_creation_timestamp | creationTimestamp | Not available |
| Google_Compute_instance_name | name | Not available |
| Google_Compute_description | description | Not available |
| Google_Compute_tags | tags | Provide the tags in a CSV list |
| Google_Compute_machine_type | machineType | Not available |
| Google_Compute_instance_status | status | Not available |
| Google_Compute_instance_zone | zone | Not available |
| Google_Compute_can_ip_forward | canIpForward | Not available |
| Google_Compute_instance_network_interfaces_name_INDEX | networkInterfaces.name | Expand if there are more network interfaces available |
| Google_Compute_instance_network_interfaces_name_access_configs_type_INDEX | networkInterfaces.accessConfigs.type | Expand if there are more network interfaces available |
| Google_Compute_instance_network_interfaces_name_access_configs_name_INDEX | networkInterfaces.accessConfigs.name | Expand if there are more network interfaces available |
| Google_Compute_instance_network_interfaces_name_access_configs_natIP_INDEX | networkInterfaces.accessConfigs.natIP | Expand if there are more network interfaces available |
| Google_Compute_instance_metadata | metadata | CSV list of values from instance metadata |
| Google_Compute_service_account_INDEX | serviceAccounts.email | Expand if there are more service accounts available |
| Google_Compute_service_account_scopes_INDEX | serviceAccounts.scopes | Expand if there are more service accounts available |
| Google_Compute_link_to_Google_Compute | selfLink | Not available |
| Google_Compute_labels | labels | Provide a CSV list of values |
| Google_Compute_instance_last_start_timestamp | lastStartTimestamp | Not available |
| Google_Compute_instance_last_stop_timestamp | lastStopTimestamp | Not available |
JSON result
The following example describes the JSON result output received when using the Enrich Entities action:
{"id":"ID","creationTimestamp":"2021-04-28T21:34:57.369-07:00","name":"instance-1","description":"","tags":{"fingerprint":"VALUE"},"machineType":"https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a/machineTypes/f1-micro","status":"RUNNING","zone":"https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a","canIpForward":false,"networkInterfaces":[{"network":"https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/default","subnetwork":"https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/subnetworks/default","networkIP":"203.0.113.2","name":"example","accessConfigs":[{"type":"ONE_TO_ONE_NAT","name":"External NAT","natIP":"198.51.100.59","networkTier":"PREMIUM","kind":"compute#accessConfig"}],"fingerprint":"VALUE","kind":"compute#networkInterface"}],"disks":[{"type":"PERSISTENT","mode":"READ_WRITE","source":"https://www.googleapis.com/compute/v1/PROJECT_ID/zones/us-central1-a/disks/instance-1","deviceName":"instance-1","index":0,"boot":true,"autoDelete":true,"licenses":["https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/licenses/LICENSE"],"interface":"SCSI","guestOsFeatures":[{"type":"UEFI_COMPATIBLE"},{"type":"VIRTIO_SCSI_MULTIQUEUE"}],"diskSizeGb":"10","kind":"compute#attachedDisk"}],"metadata":{"fingerprint":"VALUE","kind":"compute#metadata"},"serviceAccounts":[{"email":"user@example.com","scopes":["https://www.googleapis.com/auth/devstorage.read_only","https://www.googleapis.com/auth/logging.write","https://www.googleapis.com/auth/monitoring.write","https://www.googleapis.com/auth/servicecontrol","https://www.googleapis.com/auth/service.management.readonly","https://www.googleapis.com/auth/trace.append"]}],"selfLink":"https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a/instances/instance-1","scheduling":{"onHostMaintenance":"MIGRATE","automaticRestart":true,"preemptible":false},"cpuPlatform":"Intel Haswell","labels":{"vm_test_tag":"tag1"},"labelFingerprint":"VALUE","startRestricted":false,"deletionProtection":false,"reservationAffinity":{"consumeReservationType":"ANY_RESERVATION"},"displayDevice":{"enableDisplay":false},"shieldedInstanceConfig":{"enableSecureBoot":false,"enableVtpm":true,"enableIntegrityMonitoring":true},"shieldedInstanceIntegrityPolicy":{"updateAutoLearnPolicy":true},"confidentialInstanceConfig":{"enableConfidentialCompute":false},"fingerprint":"VALUE","lastStartTimestamp":"2021-04-28T21:35:07.865-07:00","kind":"compute#instance"}
Output messages
The Enrich Entities action can return the following output messages:
| Output message | Message description |
|---|---|
| The action succeeded. |
| Error executing action "Enrich Entities". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Enrich Entities action:
| Script result name | Value |
|---|---|
| is_success | true or false |
Execute VM Patch Job
Use the Execute VM Patch Job action to execute a VM patch job on Compute Engine instances.
This action doesn't run on Google SecOps entities.
Note: This action runs asynchronously. Adjust the script timeout value in the Google SecOps IDE as needed to ensure the action has sufficient time to complete the request.
Important: The Execute VM Patch Job action requires you to enable the OS Config API.
Action inputs
The Execute VM Patch Job action requires the following parameters:
| Parameter | Description |
|---|---|
| Instance Filter Object | Required. The JSON object used to target specific instances for patching. The default value targets all instances: {"all":"true"} |
| Name | Required. The unique name for the patching job. |
| Description | Optional. A brief description of the patching job's purpose. |
| Patching Config Object | Optional. A JSON object that defines the specific update steps and configurations for different operating systems. If no value is provided, the action uses the following default value: {"rebootConfig":"DEFAULT","apt":{"type":"DIST"},"yum":{"security":true},"zypper":{"withUpdate":true},"windowsUpdate":{"classifications":["CRITICAL","SECURITY"]}} |
| Patch Duration Timeout | Required. The maximum time, in minutes, allowed for the patching job to run. The default value is |
| Rollout Strategy | Optional. The method used to deploy the patch across multiple zones. The possible values are as follows: The default value is |
| Disruption Budget | Required. The number or percentage of instances that can be offline at the same time (for example, The default value is |
| Wait For Completion | Required. If selected, the action remains active until the patching job finishes. Enabled by default. |
| Fail If Completed With Errors | Required. If selected, the action fails if the job status is This parameter is ignored if Enabled by default. |
Action outputs
The Execute VM Patch Job action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example shows the JSON result output received when using the Execute VM Patch Job action:
{"name":"projects/PROJECT_ID/patchJobs/JOB_ID","createTime":"2024-09-24T16:00:43.354907Z","updateTime":"2024-09-24T16:00:44.626050Z","state":"PATCHING","patchConfig":{"rebootConfig":"DEFAULT","apt":{"type":"UPGRADE"},"yum":{},"zypper":{},"windowsUpdate":{}},"duration":"3600s","instanceDetailsSummary":{"startedInstanceCount":"1"},"percentComplete":20,"instanceFilter":{"instances":["zones/us-central1-a/instances/INSTANCE_ID"]},"displayName":"test","rollout":{"mode":"ZONE_BY_ZONE","disruptionBudget":{"percent":25}}}
Output messages
The Execute VM Patch Job action can return the following output messages:
| Output message | Message description |
|---|---|
| The action succeeded. |
| Error executing action "Execute VM Patch Job". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Execute VM Patch Job action:
| Script result name | Value |
|---|---|
| is_success | true or false |
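Because the default Instance Filter Object targets every instance, a playbook can build a scoped filter from List Instances output instead. The following is an added example, not the integration's own code: the function name, the label selector and the sample items are constructed, and it assumes the instance name is accepted in the `zones/ZONE/instances/...` path shown in the JSON result above.

```python
import json


def build_instance_filter(items, required_labels, allowed_status=("RUNNING",)):
    """Build an Instance Filter Object from List Instances "items".

    Only instances that carry every label in required_labels and whose status
    is in allowed_status are targeted. Raises ValueError instead of falling
    back to the {"all": "true"} default when the selection is empty.
    """
    if not required_labels:
        raise ValueError("a label selector is required to scope the patch job")
    targets = []
    for item in items:
        labels = item.get("labels", {})
        if any(labels.get(key) != value for key, value in required_labels.items()):
            continue
        if item.get("status") not in allowed_status:
            continue
        # "zone" is a full URL in the instance JSON; keep its last segment.
        zone = item["zone"].rstrip("/").rsplit("/", 1)[-1]
        targets.append("zones/%s/instances/%s" % (zone, item["name"]))
    if not targets:
        raise ValueError("no instance matched the selector; nothing to patch")
    return json.dumps({"instances": sorted(targets)})


# Constructed sample in the shape of the List Instances JSON result.
ZONE_URL = "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a"
SAMPLE_ITEMS = [
    {"name": "instance-1", "status": "RUNNING", "zone": ZONE_URL,
     "labels": {"env": "prod", "team": "web"}},
    {"name": "instance-2", "status": "RUNNING", "zone": ZONE_URL,
     "labels": {"env": "dev"}},
    {"name": "instance-3", "status": "TERMINATED", "zone": ZONE_URL,
     "labels": {"env": "prod"}},
]

if __name__ == "__main__":
    # Value to paste into the Instance Filter Object parameter.
    print(build_instance_filter(SAMPLE_ITEMS, {"env": "prod"}))
```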
Get Instance IAM Policy
Use the Get Instance IAM Policy action to retrieve the Identity and Access Management (IAM) access control policy for a specific Compute Engine resource.
This action doesn't run on Google SecOps entities.
Note: If no policy has been explicitly defined for the resource, the action returns an empty policy object.
Action inputs
The Get Instance IAM Policy action requires the following parameters:
| Parameter | Description |
|---|---|
| Resource Name | Optional. The full resource name of the Compute Engine instance, in the format This parameter takes priority over |
| Project ID | Optional. The ID of the project associated with the Compute Engine instance. If no value is provided, the action retrieves the project ID from the integration configuration. |
| Instance Zone | Optional. The specific zone where the instance is located. This parameter is required if you are identifying the instance using |
| Instance ID | Optional. The unique ID of the instance you want to start. You can retrieve this value using the List Instances action. This parameter is required if you are identifying the instance using |
Action outputs
The Get Instance IAM Policy action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example describes the JSON result output received when using the Get Instance IAM Policy action:
{"version":1,"etag":"BwXBfsc47MI=","bindings":[{"role":"roles/compute.networkViewer_withcond_2f0c00","members":["user:user@example.com"]}]}
Output messages
The Get Instance IAM Policy action can return the following output messages:
| Output message | Message description |
|---|---|
| The action succeeded. |
| Error executing action "Get Instance IAM Policy". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Get Instance IAM Policy action:
| Script result name | Value |
|---|---|
| is_success | true or false |
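A triage pass over the Get Instance IAM Policy JSON result, as an added example that is not part of the integration. It flags public principals, principals outside a trusted-domain list, deleted principals, and role names carrying the `_withcond_` suffix seen in the sample above, which IAM appends when a policy with conditional bindings is read at policy version 1, so the condition itself is not visible in the result. The function name, finding labels, trusted domains and the second sample policy are constructed.

```python
import json

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
WITHCOND_MARKER = "_withcond_"


def review_policy(json_result, trusted_domains):
    """Return a list of (finding, role, member) tuples for an IAM policy.

    An empty policy object, which the action returns when no policy is
    defined on the resource, yields no findings.
    """
    policy = json.loads(json_result) if json_result else {}
    trusted = set(trusted_domains)
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if WITHCOND_MARKER in role:
            # Strip the suffix so the finding names the real role.
            role = role.split(WITHCOND_MARKER, 1)[0]
            findings.append(("condition-hidden", role, ""))
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append(("public", role, member))
                continue
            kind, _, ident = member.partition(":")
            if kind == "deleted":
                findings.append(("deleted", role, member))
            elif kind == "domain":
                if ident not in trusted:
                    findings.append(("external", role, member))
            elif kind in ("user", "group", "serviceAccount"):
                if ident.rsplit("@", 1)[-1] not in trusted:
                    findings.append(("external", role, member))
    return findings


# The JSON result shown above, verbatim.
PAGE_SAMPLE = ('{"version":1,"etag":"BwXBfsc47MI=","bindings":[{"role":'
               '"roles/compute.networkViewer_withcond_2f0c00",'
               '"members":["user:user@example.com"]}]}')

# Constructed policy with one public, one external and one deleted principal.
CONSTRUCTED = json.dumps({
    "version": 1,
    "bindings": [{
        "role": "roles/compute.instanceAdmin.v1",
        "members": [
            "allUsers",
            "serviceAccount:soar@project-id.iam.gserviceaccount.com",
            "user:contractor@example.org",
            "deleted:user:old@example.com?uid=123456789012345678901",
        ],
    }],
})

TRUSTED = ("example.com", "project-id.iam.gserviceaccount.com")

if __name__ == "__main__":
    for sample in (PAGE_SAMPLE, CONSTRUCTED, "{}"):
        print(review_policy(sample, TRUSTED))
```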
List Instances
Use theList Instances action to list Compute Engine instances basedon specified search criteria.
This action doesn't run on Google SecOps entities.
Action inputs
The List Instances action requires the following parameters:
| Parameter | Description |
|---|---|
| Project ID | Optional. The ID of the project from which to list instances. If no value is provided, the action retrieves the project ID from the Google Cloud service account used in the integration configuration. |
| Instance Zone | Optional. The specific zone to search for instances in. If no value is provided, the action searches across all available zones. |
| Instance Name | Optional. A name of the instance to search for. This parameter accepts multiple values as a comma-separated string. |
| Instance Status | Optional. The current state of the instances to include in the search results, such as This parameter accepts multiple values as a comma-separated string. |
| Instance Labels | Optional. The labels used to filter the instance results, provided in This parameter accepts multiple values as a comma-separated string. |
| Max Rows to Return | Optional. The maximum number of instances to return in the results. The default value is |
Action outputs
The List Instances action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
Case wall table
The List Instances action provides the following table:
Table name: Compute Engine Instances
Table columns:
- Instance Name
- Instance ID
- Instance Creation Time
- Instance Description
- Instance Type
- Instance Status
- Instance Labels
JSON result
The following example describes the JSON result output received when using the List Instances action:
{"id":"projects/PROJECT_ID/zones/us-central1-a/instances","items":[{"id":"ID","creationTimestamp":"2021-04-28T21:34:57.369-07:00","name":"instance-1","description":"","tags":{"fingerprint":"VALUE"},"machineType":"https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a/machineTypes/f1-micro","status":"RUNNING","zone":"https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a","canIpForward":false,"networkInterfaces":[{"network":"https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/default","subnetwork":"https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/subnetworks/default","networkIP":"192.0.2.2","name":"example","accessConfigs":[{"type":"ONE_TO_ONE_NAT","name":"External NAT","natIP":"203.0.113.59","networkTier":"PREMIUM","kind":"compute#accessConfig"}],"fingerprint":"VALUE","kind":"compute#networkInterface"}],"disks":[{"type":"PERSISTENT","mode":"READ_WRITE","source":"https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a/disks/instance-1","deviceName":"instance-1","index":0,"boot":true,"autoDelete":true,"licenses":["https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/licenses/LICENSE"],"interface":"SCSI","guestOsFeatures":[{"type":"UEFI_COMPATIBLE"},{"type":"VIRTIO_SCSI_MULTIQUEUE"}],"diskSizeGb":"10","kind":"compute#attachedDisk"}],"metadata":{"fingerprint":"VALUE","kind":"compute#metadata"},"serviceAccounts":[{"email":"user@example.com","scopes":["https://www.googleapis.com/auth/devstorage.read_only","https://www.googleapis.com/auth/logging.write","https://www.googleapis.com/auth/monitoring.write","https://www.googleapis.com/auth/servicecontrol","https://www.googleapis.com/auth/service.management.readonly","https://www.googleapis.com/auth/trace.append"]}],"selfLink":"https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a/instances/instance-1","scheduling":{"onHostMaintenance":"MIGRATE","automaticRestart":true,"preemptible":false},"cpuPlatform":"Intel Haswell","labels":{"vm_test_tag":"tag1"},"labelFingerprint":"VALUE","startRestricted":false,"deletionProtection":false,"reservationAffinity":{"consumeReservationType":"ANY_RESERVATION"},"displayDevice":{"enableDisplay":false},"shieldedInstanceConfig":{"enableSecureBoot":false,"enableVtpm":true,"enableIntegrityMonitoring":true},"shieldedInstanceIntegrityPolicy":{"updateAutoLearnPolicy":true},"confidentialInstanceConfig":{"enableConfidentialCompute":false},"fingerprint":"VALUE","lastStartTimestamp":"2021-04-28T21:35:07.865-07:00","kind":"compute#instance"}]}
Output messages
The List Instances action can return the following output messages:
| Output message | Message description |
|---|---|
| The action succeeded. |
| Error executing action "List Instances". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the List Instances action:
| Script result name | Value |
|---|---|
| is_success | true or false |
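The List Instances JSON result carries enough detail to triage exposure before choosing a containment action. The following is an added example, not the integration's own code: a Python helper that reports instances with an external NAT address or a Shielded VM option switched off. The function name, the finding keys and the sample result (constructed from the fields shown above) are assumptions.

```python
import json

# Constructed sample, trimmed to the fields of a List Instances JSON result
# that the check below reads. IDs, names and addresses are placeholders.
SAMPLE_RESULT = json.loads("""
{"items": [
  {"id": "1111", "name": "instance-1", "status": "RUNNING",
   "zone": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a",
   "networkInterfaces": [
     {"name": "nic0", "networkIP": "192.0.2.2",
      "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "name": "External NAT",
                         "natIP": "203.0.113.59"}]}],
   "shieldedInstanceConfig": {"enableSecureBoot": false, "enableVtpm": true,
                              "enableIntegrityMonitoring": true}},
  {"id": "2222", "name": "instance-2", "status": "TERMINATED",
   "zone": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-b",
   "networkInterfaces": [{"name": "nic0", "networkIP": "192.0.2.3"}],
   "shieldedInstanceConfig": {"enableSecureBoot": true, "enableVtpm": true,
                              "enableIntegrityMonitoring": true}}
]}
""")

SHIELDED_KEYS = ("enableSecureBoot", "enableVtpm", "enableIntegrityMonitoring")


def exposure_findings(list_result):
    """Return one finding per instance that has an external NAT address
    or a Shielded VM option switched off."""
    findings = []
    for inst in list_result.get("items", []):
        # accessConfigs is absent when the interface has no external address.
        external = [
            {"interface": nic.get("name"), "natIP": cfg["natIP"]}
            for nic in inst.get("networkInterfaces", [])
            for cfg in nic.get("accessConfigs", [])
            if cfg.get("natIP")
        ]
        # A missing shieldedInstanceConfig is reported as all options disabled.
        shielded = inst.get("shieldedInstanceConfig", {})
        disabled = [k for k in SHIELDED_KEYS if not shielded.get(k, False)]
        if external or disabled:
            findings.append({
                "name": inst.get("name"),
                "id": inst.get("id"),
                # "zone" is returned as a URL; keep only its last path segment.
                "zone": inst.get("zone", "").rsplit("/", 1)[-1],
                "status": inst.get("status"),
                "external": external,
                "shielded_vm_disabled": disabled,
            })
    return findings


if __name__ == "__main__":
    for finding in exposure_findings(SAMPLE_RESULT):
        print(json.dumps(finding))
```

The `id`, `zone` and interface names in each finding map onto the Instance ID, Instance Zone and Network Interfaces inputs of the Remove External IP Addresses action.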
Ping
Use the Ping action to test the connectivity to Compute Engine.
This action doesn't run on Google SecOps entities.
Action inputs
None.
Action outputs
The Ping action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Ping action can return the following output messages:
| Output message | Message description |
|---|---|
| Successfully connected to the Compute Engine service with the provided connection parameters! | The action succeeded. |
| Failed to connect to the Compute Engine service! Error is ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Ping action:
| Script result name | Value |
|---|---|
| is_success | true or false |
Remove External IP Addresses
Use the Remove External IP Addresses action to remove external IP addresses on a Compute Engine instance.
This action doesn't run on Google SecOps entities.
Note: This action runs asynchronously. Adjust the script timeout value in the Google SecOps IDE as needed to ensure the action has sufficient time to complete the request.
Action inputs
The Remove External IP Addresses action requires the following parameters:
| Parameters | Description |
|---|---|
| Resource Name | Optional. The full resource name of the Compute Engine instance, in the format This parameter takes priority over |
| Project ID | Optional. The ID of the project associated with the Compute Engine instance. If no value is provided, the action retrieves the project ID from the integration configuration. |
| Instance Zone | Optional. The specific zone where the instance is located. This parameter is required if you are identifying the instance using |
| Instance ID | Optional. The unique ID of the instance you want to start. You can retrieve this value using the List Instances action. This parameter is required if you are identifying the instance using |
| Network Interfaces | Optional. A comma-separated list of the specific network interfaces to modify. If no value is provided or if you use the The default value is |
Action outputs
The Remove External IP Addresses action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example describes the JSON result output received when using the Remove External IP Addresses action:
[{"endTime":"2024-05-21T04:28:05.371-07:00","id":"ID","insertTime":"2024-05-21T04:28:04.176-07:00","kind":"compute#operation","name":"operation-OPERATION_ID","operationType":"updateNetworkInterface","progress":100,"selfLink":"https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-west1-a/operations/operation-OPERATION_ID","startTime":"2024-05-21T04:28:04.190-07:00","status":"DONE","targetId":"TARGET_ID","targetLink":"https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-west1-a/instances/INSTANCE_ID","user":"user@example.com","zone":"us-west1-a","networkInterface":"example"},{"endTime":"2024-05-21T04:28:06.549-07:00","id":"2531200345768541098","insertTime":"2024-05-21T04:28:05.419-07:00","kind":"compute#operation","name":"operation-OPERATION_ID","operationType":"deleteAccessConfig","progress":100,"selfLink":"https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-west1-a/operations/operation-OPERATION_ID","startTime":"2024-05-21T04:28:05.430-07:00","status":"DONE","targetId":"3905740668247239013","targetLink":"https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-west1-a/instances/INSTANCE_ID","user":"user@example.com","zone":"us-west1-a","networkInterface":"example"}]
Output messages
The Remove External IP Addresses action can return the following output messages:
| Output message | Message description |
|---|---|
| The action succeeded. |
| The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Remove External IP Addresses action:
| Script result name | Value |
|---|---|
| is_success | true or false |
Remove IP From Firewall Rule
Use the Remove IP From Firewall Rule action to delete specific IP address ranges from an existing Compute Engine firewall rule.
This action doesn't run on Google SecOps entities.
Note: This action runs asynchronously. Adjust the script timeout value in the Google SecOps IDE as needed to ensure the action has sufficient time to complete the request.
Action inputs
The Remove IP From Firewall Rule action requires the following parameters:
| Parameter | Description |
|---|---|
| Resource Name | Optional. The full resource name of the Compute Engine instance, in the format This parameter takes priority over |
| Project ID | Optional. The ID of the project associated with the Compute Engine instance. If no value is provided, the action retrieves the project ID from the integration configuration. |
| Firewall Rule | Optional. The name of the specific firewall rule to update. |
| Type | Required. The direction of the traffic for the IP range being added. The possible values are as follows: The default value is |
| IP Ranges | Required. A comma-separated list of IP address ranges (CIDR notation) to add to the firewall rule. |
Action outputs
The Remove IP From Firewall Rule action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example shows the JSON result output received when using the Remove IP From Firewall Rule action:
{"kind":"compute#operation","id":"9160761312385876914","name":"operation-1716223324528-618e5619d1f93-174eac81-6b38200d","operationType":"patch","targetLink":"https://www.googleapis.com/compute/v1/projects/project-id/global/firewalls/firewall-name","targetId":"7886634413370691799","status":"DONE","user":"compute-admin@project-id.iam.gserviceaccount.com","progress":100,"insertTime":"2024-05-20T09:42:05.150-07:00","startTime":"2024-05-20T09:42:05.164-07:00","endTime":"2024-05-20T09:42:09.381-07:00","selfLink":"https://www.googleapis.com/compute/v1/projects/project-id/global/operations/operation-1716223324528-618e5619d1f93-174eac81-6b38200d","firewall":{"kind":"compute#firewall","id":"6297155974506248217","creationTimestamp":"2023-09-13T07:28:06.690-07:00","name":"firewall-name","description":"","network":"https://www.googleapis.com/compute/v1/projects/project-id/global/networks/vpc-network","priority":1000,"sourceRanges":["0.0.0.0/0"],"destinationRanges":["0.0.0.0/21"],"allowed":[{"IPProtocol":"tcp","ports":["22"]}],"direction":"INGRESS","logConfig":{"enable":false},"disabled":false,"selfLink":"https://www.googleapis.com/compute/v1/projects/project-id/global/firewalls/firewall-name"}}
Output messages
The Remove IP From Firewall Rule action can return the following output messages:
| Output message | Message description |
|---|---|
| The action succeeded. |
| Error executing action "Remove IP From Firewall Rule". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Remove IP From Firewall Rule action:
| Script result name | Value |
|---|---|
| is_success | true or false |
Remove Network Tags
Use the Remove Network Tags action to remove network tags from the Compute Engine instance.
This action doesn't run on Google SecOps entities.
Note: This action runs asynchronously. Adjust the script timeout value in the Google SecOps IDE as needed to ensure the action has sufficient time to complete the request.
Action inputs
The Remove Network Tags action requires the following parameters:
| Parameter | Description |
|---|---|
| Resource Name | Optional. The full resource name of the Compute Engine instance, in the format This parameter takes priority over |
| Project ID | Optional. The ID of the project associated with the Compute Engine instance. If no value is provided, the action retrieves the project ID from the integration configuration. |
| Instance Zone | Optional. The specific zone where the instance is located. This parameter is required if you are identifying the instance using |
| Instance ID | Optional. The unique ID of the instance you want to start. You can retrieve this value using the List Instances action. This parameter is required if you are identifying the instance using |
| Network Tags | Required. A comma-separated list of network tags to add to the instance. All tags must only contain lowercase letters, numbers, and hyphens. |
Action outputs
The Remove Network Tags action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example shows the JSON result output received when using the Example action:
{"kind":"compute#instance","id":"1459671903146615834","creationTimestamp":"2023-09-13T04:20:21.993-07:00","name":"instance-2","description":"","tags":{"items":["another-tag","tag"],"fingerprint":"BCeEINC7Ths="},"machineType":"https://www.googleapis.com/compute/v1/projects/project-id/zones/us-central1-a/machineTypes/e2-micro","status":"RUNNING","zone":"https://www.googleapis.com/compute/v1/projects/project-id/zones/us-central1-a","canIpForward":false,"networkInterfaces":[{"kind":"compute#networkInterface","network":"https://www.googleapis.com/compute/v1/projects/project-id/global/networks/default","subnetwork":"https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1/subnetworks/default","networkIP":"10.128.0.3","name":"nic0","fingerprint":"-ZnnV7hiDfs=","stackType":"IPV4_ONLY"}],"disks":[{"kind":"compute#attachedDisk","type":"PERSISTENT","mode":"READ_WRITE","source":"https://www.googleapis.com/compute/v1/projects/project-id/zones/us-central1-a/disks/instance-2","deviceName":"instance-2","index":0,"boot":true,"autoDelete":true,"licenses":["https://www.googleapis.com/compute/v1/projects/centos-cloud/global/licenses/centos-7"],"interface":"SCSI","guestOsFeatures":[{"type":"UEFI_COMPATIBLE"},{"type":"GVNIC"}],"diskSizeGb":"20","architecture":"X86_64"}],"metadata":{"kind":"compute#metadata","fingerprint":"NBmH4-7Jw9U=","items":[]},"serviceAccounts":[{"email":"1111111111-compute@developer.gserviceaccount.com","scopes":["https://www.googleapis.com/auth/devstorage.read_only","https://www.googleapis.com/auth/logging.write","https://www.googleapis.com/auth/monitoring.write","https://www.googleapis.com/auth/servicecontrol","https://www.googleapis.com/auth/service.management.readonly","https://www.googleapis.com/auth/trace.append"]}],"selfLink":"https://www.googleapis.com/compute/v1/projects/project-id/zones/us-central1-a/instances/instance-2","scheduling":{"onHostMaintenance":"MIGRATE","automaticRestart":true,"preemptible":false,"provisioningModel":"STANDARD"},"cpuPlatform":"Intel Broadwell","deletionProtection":false,"shieldedInstanceConfig":{"enableSecureBoot":false,"enableVtpm":true,"enableIntegrityMonitoring":true}}
Output messages
The Remove Network Tags action can return the following output messages:
| Output message | Message description |
|---|---|
| The action succeeded. |
| Error executing action "Remove Network Tags". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Remove Network Tags action:
| Script result name | Value |
|---|---|
| is_success | true or false |
Set Instance IAM Policy
Use the Set Instance IAM Policy action to set the access control policy for the specified resource. The policy that you provide in the action replaces any existing policy.
This action doesn't run on Google SecOps entities.
Action inputs
The Set Instance IAM Policy action requires the following parameters:
| Parameters | Description |
|---|---|
| Resource Name | Optional. The full resource name of the Compute Engine instance, in the format This parameter takes priority over |
| Project ID | Optional. The ID of the project associated with the Compute Engine instance. If no value is provided, the action retrieves the project ID from the integration configuration. |
| Instance Zone | Optional. The specific zone where the instance is located. This parameter is required if you are identifying the instance using |
| Instance ID | Optional. The unique ID of the instance you want to start. You can retrieve this value using the List Instances action. This parameter is required if you are identifying the instance using |
| Policy | Required. The IAM policy document to apply to the instance, provided as a JSON object. |
Action outputs
The Set Instance IAM Policy action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example describes the JSON result output received when using the Set Instance IAM Policy action:
{"version":1,"etag":"BwXBftu99FE=","bindings":[{"role":"roles/compute.networkViewer","members":["user:user@example.com"]}]}
Output messages
The Set Instance IAM Policy action can return the following output messages:
| Output message | Message description |
|---|---|
| The action succeeded. |
| Error executing action "Set Instance IAM Policy". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Set Instance IAM Policy action:
| Script result name | Value |
|---|---|
| is_success | true or false |
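Because Set Instance IAM Policy replaces the whole policy, revoking one principal safely means starting from the Get Instance IAM Policy result and sending back the edited document. The following is an added example, not the integration's own code: it removes a member from every binding and keeps the `etag` from the read, which the IAM API uses to reject a write when the policy changed in between. The function names and the sample policy (constructed in the shape of the JSON results on this page) are assumptions, as is the action passing `etag` through unchanged.

```python
import copy
import json

# Constructed sample in the shape of a Get Instance IAM Policy JSON result.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwXBfsc47MI=",
    "bindings": [
        {"role": "roles/compute.networkViewer",
         "members": ["user:user@example.com", "user:analyst@example.com"]},
        {"role": "roles/compute.osLogin",
         "members": ["user:user@example.com"]},
    ],
}


def revoke_member(current_policy, member):
    """Return (new_policy, removed_roles) with `member` dropped from every
    binding. The input is not modified, so it can be logged as the 'before'
    state of the change."""
    policy = copy.deepcopy(current_policy)
    removed_roles = []
    kept_bindings = []
    for binding in policy.get("bindings", []):
        before = binding.get("members", [])
        after = [m for m in before if m != member]
        if len(after) != len(before):
            removed_roles.append(binding["role"])
        if after:
            binding["members"] = after
            kept_bindings.append(binding)
        # A binding left with no members is dropped rather than sent empty.
    policy["bindings"] = kept_bindings
    # "etag" and "version" are carried over untouched from the read.
    return policy, removed_roles


def to_policy_parameter(policy):
    """Serialize the edited policy as the JSON object for the Policy input."""
    return json.dumps(policy, sort_keys=True)


if __name__ == "__main__":
    new_policy, roles = revoke_member(SAMPLE_POLICY, "user:user@example.com")
    print("revoked from:", roles)
    print("Policy parameter:", to_policy_parameter(new_policy))
```

An empty policy object, which Get Instance IAM Policy returns when no policy has been defined, yields an empty `bindings` list and no removed roles.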
Start Instance
Use the Start Instance action to power on a Compute Engine instance that is in a stopped or terminated state.
This action doesn't run on Google SecOps entities.
Note: This action runs asynchronously. Adjust the script timeout value in the Google SecOps IDE as needed to ensure the action has sufficient time to complete the request.
Action inputs
The Start Instance action requires the following parameters:
| Parameters | Description |
|---|---|
| Resource Name | Optional. The full resource name of the Compute Engine instance, in the format This parameter takes priority over |
| Project ID | Optional. The ID of the project associated with the Compute Engine instance. If no value is provided, the action retrieves the project ID from the integration configuration. |
| Instance Zone | Optional. The specific zone where the instance is located. This parameter is required if you are identifying the instance using |
| Instance ID | Optional. The unique ID of the instance you want to start. You can retrieve this value using the List Instances action. This parameter is required if you are identifying the instance using |
Action outputs
The Start Instance action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example describes the JSON result output received when using the Start Instance action:
{"id":"ID","name":"operation-OPERATION_ID","zone":"https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a","operationType":"start","targetLink":"https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a/instances/INSTANCE_ID","targetId":"INSTANCE_ID","status":"DONE","user":"user@example.com","progress":100,"insertTime":"2021-04-28T23:01:29.395-07:00","startTime":"2021-04-28T23:01:29.397-07:00","endTime":"2021-04-28T23:01:29.397-07:00","selfLink":"https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a/operations/operation-OPERATION_ID","kind":"compute#operation"}
Output messages
The Start Instance action can return the following output messages:
| Output message | Message description |
|---|---|
| The action succeeded. |
| The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Start Instance action:
| Script result name | Value |
|---|---|
| is_success | true or false |
Stop Instance
Use the Stop Instance action to shut down a running Compute Engine instance. You can restart a stopped instance at any time.
Stopping an instance stops VM usage charges, but charges continue to apply for associated resources such as persistent disks and static IP addresses unless those resources are deleted.
This action doesn't run on Google SecOps entities.
Note: This action runs asynchronously. Adjust the script timeout value in the Google SecOps IDE as needed to ensure the action has sufficient time to complete the request.
Action inputs
The Stop Instance action requires the following parameters:
| Parameters | Description |
|---|---|
| Resource Name | Optional. The full resource name of the Compute Engine instance, in the format This parameter takes priority over |
| Project ID | Optional. The ID of the project associated with the Compute Engine instance. If no value is provided, the action retrieves the project ID from the integration configuration. |
| Instance Zone | Optional. The specific zone where the instance is located. This parameter is required if you are identifying the instance using |
| Instance ID | Optional. The unique ID of the instance you want to start. You can retrieve this value using the List Instances action. This parameter is required if you are identifying the instance using |
Action outputs
The Stop Instance action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example describes the JSON result output received when using the Stop Instance action:
{"id":"ID","name":"operation-OPERATION_ID","zone":"https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a","operationType":"stop","targetLink":"https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a/instances/INSTANCE_ID","targetId":"INSTANCE_ID","status":"RUNNING","user":"user@example.com","progress":100,"insertTime":"2021-04-28T23:01:29.395-07:00","startTime":"2021-04-28T23:01:29.397-07:00","selfLink":"https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a/operations/operation-OPERATION_ID","kind":"compute#operation"}
Output messages
The Stop Instance action can return the following output messages:
| Output message | Message description |
|---|---|
| The action succeeded. |
| Error executing action "Stop Instance". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Stop Instance action:
| Script result name | Value |
|---|---|
| is_success | true or false |
Update Firewall Rule
Use the Update Firewall Rule action to modify the configuration of an existing Compute Engine firewall rule. This action lets you update specific parameters while maintaining the rule's identity.
This action doesn't run on Google SecOps entities.
Note: This action runs asynchronously. Adjust the script timeout value in the Google SecOps IDE as needed to ensure the action has sufficient time to complete the request.
Action inputs
The Update Firewall Rule action requires the following parameters:
| Parameters | Description |
|---|---|
| Firewall Rule | Optional. The name of the specific firewall rule to update. |
| Project ID | Optional. The ID of the project associated with the Compute Engine instance. If no value is provided, the action retrieves the project ID from the integration configuration. |
| Resource Name | Optional. The full resource name of the Compute Engine instance, in the format This parameter takes priority over |
| Source IP Ranges | Optional. A comma-separated list of the source IP address ranges for the firewall rule. If the If no value is provided, the existing values remain unchanged. |
| Source Tags | Optional. A comma-separated list of source network tags to apply to the rule. If the If no value is provided, the existing values remain unchanged. |
| Source Service Accounts | Optional. A comma-separated list of source service accounts to apply to the rule. If the If no value is provided, the existing values remain unchanged. |
| TCP Ports | Optional. A comma-separated list of TCP ports or port ranges to allow or deny. This parameter supports the |
| UDP Ports | Optional. A comma-separated list of UDP ports or port ranges to allow or deny. This parameter supports the |
| Other Protocols | Optional. A comma-separated list of protocols other than TCP and UDP to include in the rule. If the |
| Destination IP Ranges | Optional. A comma-separated list of the destination IP address ranges for the firewall rule. If the If no value is provided, the existing values remain unchanged. |
Action outputs
The Update Firewall Rule action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example describes the JSON result output received when using the Update Firewall Rule action:
{"kind":"compute#operation","id":"9160761312385876914","name":"operation-1716223324528-618e5619d1f93-174eac81-6b38200d","operationType":"patch","targetLink":"https://www.googleapis.com/compute/v1/projects/project-id/global/firewalls/firewall-name","targetId":"7886634413370691799","status":"DONE","user":"compute-admin@project-id.iam.gserviceaccount.com","progress":100,"insertTime":"2024-05-20T09:42:05.150-07:00","startTime":"2024-05-20T09:42:05.164-07:00","endTime":"2024-05-20T09:42:09.381-07:00","selfLink":"https://www.googleapis.com/compute/v1/projects/project-id/global/operations/operation-1716223324528-618e5619d1f93-174eac81-6b38200d","firewall":{"kind":"compute#firewall","id":"6297155974506248217","creationTimestamp":"2023-09-13T07:28:06.690-07:00","name":"firewall-name","description":"","network":"https://www.googleapis.com/compute/v1/projects/project-id/global/networks/vpc-network","priority":1000,"sourceRanges":["0.0.0.0/0"],"destinationRanges":["0.0.0.0/21"],"allowed":[{"IPProtocol":"tcp","ports":["22"]}],"direction":"INGRESS","logConfig":{"enable":false},"disabled":false,"selfLink":"https://www.googleapis.com/compute/v1/projects/project-id/global/firewalls/firewall-name"}}
Output messages
The Update Firewall Rule action can return the following output messages:
| Output message | Message description |
|---|---|
| Successfully updated firewall rule in Cloud Compute. | The action succeeded. |
| Error executing action "Update Firewall Rule". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Update Firewall Rule action:
| Script result name | Value |
|---|---|
| is_success | true or false |
Last updated 2026-02-19 UTC.