Google Chronicle Backstory
Use the Chronicle integration to retrieve Asset alerts or IOC Domain matches as Incidents. Use it to fetch a list of infected assets based on the indicator accessed. This integration also provides reputation and threat enrichment of indicators observed in the enterprise.
Analytics & SIEM · Google SecOps
Configuration parameters
service_account_credential— User's Service Account JSON (required)region— Regionother_region— Other Regionmalicious_categories— Provide comma(',') separated categories (e.g. APT-Activity, Phishing). Indicators belonging to these "categories" would be considered as "malicious" when executing reputation commands.suspicious_categories— Provide comma(',') separated categories (e.g. Unwanted, VirusTotal YARA Rule Match). Indicators belonging to these "categories" would be considered as "suspicious" when executing reputation commands.override_severity_malicious— Specify the "severity" of indicator that should be considered as "malicious" irrespective of the category. If you wish to consider all indicators with High severity as Malicious, set this parameter to 'High'. Allowed values are 'High', 'Medium' and 'Low'. This configuration is applicable to reputation commands only.override_severity_suspicious— Specify the "severity" of indicator that should be considered as "suspicious" irrespective of the category. If you wish to consider all indicators with Medium severity as Suspicious, set this parameter to 'Medium'. Allowed values are 'High', 'Medium' and 'Low'. This configuration is applicable to reputation commands only.override_confidence_score_malicious_threshold— Specify the numeric value of "confidence score". If the indicator's confidence score is equal or above the configured threshold, it would be considered as "malicious". The value provided should be greater than the suspicious threshold. This configuration is applicable to reputation commands only.override_confidence_score_suspicious_threshold— Specify the numeric value of "confidence score". If the indicator's confidence score is equal or above the configured threshold, it would be considered as "suspicious". The value provided should be smaller than the malicious threshold. This configuration is applicable to reputation commands only.override_confidence_level_malicious— Select the confidence score level. If the indicator's confidence score level is equal or above the configured level, it would be considered as "malicious". The confidence level configured should have higher precedence than the suspicious level. This configuration is applicable to reputation commands only. Refer the "confidence score" level precedence UNKNOWN SEVERITY < INFORMATIONAL < LOW < MEDIUM < HIGH.override_confidence_level_suspicious— Select the confidence score level. If the indicator's confidence score level is equal or above the configured level, it would be considered as "suspicious". The confidence level configured should have lesser precedence than the malicious level. This configuration is applicable to reputation commands only. Refer the "confidence score" level precedence UNKNOWN SEVERITY < INFORMATIONAL < LOW < MEDIUM < HIGH.isFetch— Fetch incidentsincidentType— Incident typefirst_fetch— First fetch timemax_fetch— How many incidents to fetch each timebackstory_alert_type— Chronicle Alert Type (Select the type of data to consider for fetch incidents).incident_severity— Select the severity of alerts to be filtered for Fetch Incidents. Available options are 'High', 'Medium', 'Low' and 'Unspecified' (If not selected, fetches all alerts).fetch_detection_by_ids— Detections to fetch by Rule ID or Version IDfetch_all_detections— Fetch all rules detectionsfetch_detection_by_alert_state— Filter detections by alert statetime_window— Time window (in minutes)fetch_detection_by_list_basis— List Basisinsecure— Trust any certificate (not secure)proxy— Use system proxy settingsintegrationReliability— Source ReliabilityfeedExpirationPolicy—feedExpirationInterval—
Commands (35)
-
domainChecks the reputation of a domain.
-
gcb-assetsReturns a list of the assets that accessed the input artifact (IP, domain, MD5, SHA1 and SHA256) during the specified time.
-
gcb-cancel-retrohuntCancel a retrohunt for a specified rule.
-
gcb-change-live-rule-statusUpdates the live rule status for a rule specified by Rule ID.
-
gcb-change-rule-alerting-statusUpdates the alerting status for a rule specified by Rule ID.
-
gcb-create-reference-listCreate a new reference list.
-
gcb-create-ruleCreates a new rule. By default the live rule status will be set to disabled.
-
gcb-create-rule-versionCreates a new version of an existing rule.
-
gcb-delete-ruleDeletes the rule specified by Rule ID.
-
gcb-get-eventGet the specific event with the given ID from Chronicle. Note: This command returns more than 60 different types of events. Any event would have only specific output context set. Refer the UDM documentation to figure out the output properties specific to the event types.
-
gcb-get-reference-listReturns the specified list.
-
gcb-get-retrohuntGet retrohunt for a specific version of rule.
-
gcb-get-ruleRetrieves the rule details of specified Rule ID or Version ID.
-
gcb-ioc-detailsAccepts an artifact indicator and returns any threat intelligence associated with the artifact. The threat intelligence information is drawn from your enterprise security systems and from Chronicle's IoC partners (for example, the DHS threat feed).
-
gcb-list-alertsList all the alerts tracked within your enterprise for the specified time range. Both the parsed alerts and their corresponding raw alert logs are returned.
-
gcb-list-assetaliasesLists all the aliases of an asset in an enterprise for the specified asset identifier and time period.
-
gcb-list-curatedrule-detectionsReturn the detections for the specified curated rule identifier.
-
gcb-list-curatedrulesList curated rules.
-
gcb-list-detectionsReturn the detections for the specified version of a rule, the latest version of a rule, all versions of a rule, or all versions of all rules.
-
gcb-list-eventsList all of the events discovered within your enterprise on a particular device within the specified time range. If you receive the maximum number of events you specified using the page_size parameter (or 100, the default), there might still be more events within your Chronicle account. You can narrow the time range and issue the call again to ensure you have visibility into all possible events. This command returns more than 60 different types of events. Any event would have only specific output context set. Refer the UDM documentation to figure out the output properties specific to the event types.
-
gcb-list-iocsLists the IOC Domain matches within your enterprise for the specified time interval. The indicator of compromise (IOC) domain matches lists for which the domains that your security infrastructure has flagged as both suspicious and that have been seen recently within your enterprise.
-
gcb-list-reference-listRetrieve all the reference lists.
-
gcb-list-retrohuntsList retrohunts for a rule.
-
gcb-list-rulesList the latest versions of all Rules.
-
gcb-list-useraliasesLists all the aliases of a user in an enterprise for a specified user identifier and time period.
-
gcb-reference-list-append-contentAppends lines into an existing reference list.
-
gcb-reference-list-remove-contentRemoves lines from an existing reference list.
-
gcb-start-retrohuntInitiate a retrohunt for the specified rule.
-
gcb-test-rule-streamTest a rule over a specified time range. Return any errors and any detections up to the specified maximum.
-
gcb-udm-searchLists the events for the specified UDM Search query. Note: The underlying API has the rate limit of 120 queries per hour.
-
gcb-update-reference-listUpdates an existing reference list.
-
gcb-verify-reference-listValidates list content and returns any errors found for each line.
-
gcb-verify-ruleVerifies that a rule is a valid YARA-L 2.0 rule without creating a new rule or evaluating it over data.
-
gcb-verify-value-in-reference-listCheck if provided values are found in the reference lists in Google Chronicle.
-
ipChecks the reputation of an IP address.