Google Chronicle Backstory

Use the Chronicle integration to retrieve Asset alerts or IOC Domain matches as Incidents. Use it to fetch a list of infected assets based on the indicator accessed. This integration also provides reputation and threat enrichment of indicators observed in the enterprise.

Analytics & SIEM · Google SecOps

Configuration parameters

  • service_account_credential — User's Service Account JSON (required)
  • region — Region
  • other_region — Other Region
  • malicious_categories — Provide comma(',') separated categories (e.g. APT-Activity, Phishing). Indicators belonging to these "categories" would be considered as "malicious" when executing reputation commands.
  • suspicious_categories — Provide comma(',') separated categories (e.g. Unwanted, VirusTotal YARA Rule Match). Indicators belonging to these "categories" would be considered as "suspicious" when executing reputation commands.
  • override_severity_malicious — Specify the "severity" of indicator that should be considered as "malicious" irrespective of the category. If you wish to consider all indicators with High severity as Malicious, set this parameter to 'High'. Allowed values are 'High', 'Medium' and 'Low'. This configuration is applicable to reputation commands only.
  • override_severity_suspicious — Specify the "severity" of indicator that should be considered as "suspicious" irrespective of the category. If you wish to consider all indicators with Medium severity as Suspicious, set this parameter to 'Medium'. Allowed values are 'High', 'Medium' and 'Low'. This configuration is applicable to reputation commands only.
  • override_confidence_score_malicious_threshold — Specify the numeric value of "confidence score". If the indicator's confidence score is equal or above the configured threshold, it would be considered as "malicious". The value provided should be greater than the suspicious threshold. This configuration is applicable to reputation commands only.
  • override_confidence_score_suspicious_threshold — Specify the numeric value of "confidence score". If the indicator's confidence score is equal or above the configured threshold, it would be considered as "suspicious". The value provided should be smaller than the malicious threshold. This configuration is applicable to reputation commands only.
  • override_confidence_level_malicious — Select the confidence score level. If the indicator's confidence score level is equal or above the configured level, it would be considered as "malicious". The confidence level configured should have higher precedence than the suspicious level. This configuration is applicable to reputation commands only. Refer the "confidence score" level precedence UNKNOWN SEVERITY < INFORMATIONAL < LOW < MEDIUM < HIGH.
  • override_confidence_level_suspicious — Select the confidence score level. If the indicator's confidence score level is equal or above the configured level, it would be considered as "suspicious". The confidence level configured should have lesser precedence than the malicious level. This configuration is applicable to reputation commands only. Refer the "confidence score" level precedence UNKNOWN SEVERITY < INFORMATIONAL < LOW < MEDIUM < HIGH.
  • isFetch — Fetch incidents
  • incidentType — Incident type
  • first_fetch — First fetch time
  • max_fetch — How many incidents to fetch each time
  • backstory_alert_type — Chronicle Alert Type (Select the type of data to consider for fetch incidents).
  • incident_severity — Select the severity of alerts to be filtered for Fetch Incidents. Available options are 'High', 'Medium', 'Low' and 'Unspecified' (If not selected, fetches all alerts).
  • fetch_detection_by_ids — Detections to fetch by Rule ID or Version ID
  • fetch_all_detections — Fetch all rules detections
  • fetch_detection_by_alert_state — Filter detections by alert state
  • time_window — Time window (in minutes)
  • fetch_detection_by_list_basis — List Basis
  • insecure — Trust any certificate (not secure)
  • proxy — Use system proxy settings
  • integrationReliability — Source Reliability
  • feedExpirationPolicy
  • feedExpirationInterval

Commands (35)

  • domain

    Checks the reputation of a domain.

  • gcb-assets

    Returns a list of the assets that accessed the input artifact (IP, domain, MD5, SHA1 and SHA256) during the specified time.

  • gcb-cancel-retrohunt

    Cancel a retrohunt for a specified rule.

  • gcb-change-live-rule-status

    Updates the live rule status for a rule specified by Rule ID.

  • gcb-change-rule-alerting-status

    Updates the alerting status for a rule specified by Rule ID.

  • gcb-create-reference-list

    Create a new reference list.

  • gcb-create-rule

    Creates a new rule. By default the live rule status will be set to disabled.

  • gcb-create-rule-version

    Creates a new version of an existing rule.

  • gcb-delete-rule

    Deletes the rule specified by Rule ID.

  • gcb-get-event

    Get the specific event with the given ID from Chronicle. Note: This command returns more than 60 different types of events. Any event would have only specific output context set. Refer the UDM documentation to figure out the output properties specific to the event types.

  • gcb-get-reference-list

    Returns the specified list.

  • gcb-get-retrohunt

    Get retrohunt for a specific version of rule.

  • gcb-get-rule

    Retrieves the rule details of specified Rule ID or Version ID.

  • gcb-ioc-details

    Accepts an artifact indicator and returns any threat intelligence associated with the artifact. The threat intelligence information is drawn from your enterprise security systems and from Chronicle's IoC partners (for example, the DHS threat feed).

  • gcb-list-alerts

    List all the alerts tracked within your enterprise for the specified time range. Both the parsed alerts and their corresponding raw alert logs are returned.

  • gcb-list-assetaliases

    Lists all the aliases of an asset in an enterprise for the specified asset identifier and time period.

  • gcb-list-curatedrule-detections

    Return the detections for the specified curated rule identifier.

  • gcb-list-curatedrules

    List curated rules.

  • gcb-list-detections

    Return the detections for the specified version of a rule, the latest version of a rule, all versions of a rule, or all versions of all rules.

  • gcb-list-events

    List all of the events discovered within your enterprise on a particular device within the specified time range. If you receive the maximum number of events you specified using the page_size parameter (or 100, the default), there might still be more events within your Chronicle account. You can narrow the time range and issue the call again to ensure you have visibility into all possible events. This command returns more than 60 different types of events. Any event would have only specific output context set. Refer the UDM documentation to figure out the output properties specific to the event types.

  • gcb-list-iocs

    Lists the IOC Domain matches within your enterprise for the specified time interval. The indicator of compromise (IOC) domain matches lists for which the domains that your security infrastructure has flagged as both suspicious and that have been seen recently within your enterprise.

  • gcb-list-reference-list

    Retrieve all the reference lists.

  • gcb-list-retrohunts

    List retrohunts for a rule.

  • gcb-list-rules

    List the latest versions of all Rules.

  • gcb-list-useraliases

    Lists all the aliases of a user in an enterprise for a specified user identifier and time period.

  • gcb-reference-list-append-content

    Appends lines into an existing reference list.

  • gcb-reference-list-remove-content

    Removes lines from an existing reference list.

  • gcb-start-retrohunt

    Initiate a retrohunt for the specified rule.

  • gcb-test-rule-stream

    Test a rule over a specified time range. Return any errors and any detections up to the specified maximum.

  • gcb-udm-search

    Lists the events for the specified UDM Search query. Note: The underlying API has the rate limit of 120 queries per hour.

  • gcb-update-reference-list

    Updates an existing reference list.

  • gcb-verify-reference-list

    Validates list content and returns any errors found for each line.

  • gcb-verify-rule

    Verifies that a rule is a valid YARA-L 2.0 rule without creating a new rule or evaluating it over data.

  • gcb-verify-value-in-reference-list

    Check if provided values are found in the reference lists in Google Chronicle.

  • ip

    Checks the reputation of an IP address.