GoogleSecOps

Use the Google SecOps integration to retrieve IOC Domain matches as Incidents. This integration also provides reputation and threat enrichment of indicators observed in the enterprise.

Analytics & SIEM · Google SecOps

Configuration parameters

  • credentials — (required)
  • url_format — API URL Format
  • secops_project_instance_id — Google SecOps Project Instance ID (required)
  • secops_project_number — Google SecOps Project Number
  • region — Region (required)
  • other_region — Other Region
  • malicious_categories — Provide comma(',') separated categories (e.g. APT-Activity, Phishing). Indicators belonging to these "categories" would be considered as "malicious" when executing reputation commands.
  • suspicious_categories — Provide comma(',') separated categories (e.g. Unwanted, VirusTotal YARA Rule Match). Indicators belonging to these "categories" would be considered as "suspicious" when executing reputation commands.
  • override_severity_malicious — Specify the "severity" of indicator that should be considered as "malicious" irrespective of the category. If you wish to consider all indicators with High severity as Malicious, set this parameter to 'High'. Allowed values are 'High', 'Medium' and 'Low'. This configuration is applicable to reputation commands only.
  • override_severity_suspicious — Specify the "severity" of indicator that should be considered as "suspicious" irrespective of the category. If you wish to consider all indicators with Medium severity as Suspicious, set this parameter to 'Medium'. Allowed values are 'High', 'Medium' and 'Low'. This configuration is applicable to reputation commands only.
  • override_confidence_score_malicious_threshold — Specify the numeric value of "confidence score". If the indicator's confidence score is equal or above the configured threshold, it would be considered as "malicious". The value provided should be greater than the suspicious threshold. This configuration is applicable to reputation commands only.
  • override_confidence_score_suspicious_threshold — Specify the numeric value of "confidence score". If the indicator's confidence score is equal or above the configured threshold, it would be considered as "suspicious". The value provided should be smaller than the malicious threshold. This configuration is applicable to reputation commands only.
  • override_confidence_level_malicious — Select the confidence score level. If the indicator's confidence score level is equal or above the configured level, it would be considered as "malicious". The confidence level configured should have higher precedence than the suspicious level. This configuration is applicable to reputation commands only. Refer the "confidence score" level precedence UNKNOWN SEVERITY < INFORMATIONAL < LOW < MEDIUM < HIGH.
  • override_confidence_level_suspicious — Select the confidence score level. If the indicator's confidence score level is equal or above the configured level, it would be considered as "suspicious". The confidence level configured should have lesser precedence than the malicious level. This configuration is applicable to reputation commands only. Refer the "confidence score" level precedence UNKNOWN SEVERITY < INFORMATIONAL < LOW < MEDIUM < HIGH.
  • isFetch — Fetch incidents
  • incidentType — Incident type
  • first_fetch — First fetch time
  • max_fetch — How many incidents to fetch each time
  • time_window — Time window (in minutes)
  • integrationReliability — Source Reliability
  • insecure — Trust any certificate (not secure)
  • proxy — Use system proxy settings

Commands (38)

  • domain

    Checks the reputation of a domain.

  • gcb-cancel-retrohunt

    Cancel a retrohunt for a specified rule.

  • gcb-change-live-rule-status

    Updates the live rule status for a rule specified by Rule ID.

  • gcb-change-rule-alerting-status

    Updates the alerting status for a rule specified by Rule ID.

  • gcb-create-data-table

    Creates a new data table schema.

  • gcb-create-reference-list

    Create a new reference list.

  • gcb-create-rule

    Creates a new rule. By default the live rule status will be set to disabled.

  • gcb-create-rule-version

    Creates a new version of an existing rule.

  • gcb-data-table-add-row

    Adds rows to a data table.

  • gcb-data-table-remove-row

    Removes rows from a data table based on specified row data. Note: This command only removes the first 1000 data table rows. To remove the next set of rows, use the page_token argument.

  • gcb-delete-rule

    Deletes the rule specified by Rule ID.

  • gcb-get-data-table

    Retrieves the data table details of specified data table name.

  • gcb-get-detection

    Retrieves the detection details of specified detection ID.

  • gcb-get-event

    Get the specific event with the given ID from Google SecOps. Note: This command returns more than 60 different types of events. Any event would have only specific output context set. Refer the UDM documentation to figure out the output properties specific to the event types.

  • gcb-get-reference-list

    Returns the specified list.

  • gcb-get-retrohunt

    Get retrohunt for a specific version of rule.

  • gcb-get-rule

    Retrieves the rule details of specified Rule ID or Version ID.

  • gcb-ioc-details

    Accepts an artifact indicator and returns any threat intelligence associated with the artifact. The threat intelligence information is drawn from your enterprise security systems and from Chronicle's IoC partners (for example, the DHS threat feed).

  • gcb-list-curatedrule-detections

    Return the detections for the specified curated rule identifier.

  • gcb-list-curatedrules

    List curated rules.

  • gcb-list-data-tables

    Returns a list of data tables.

  • gcb-list-detections

    Return the detections for the specified version of a rule, the latest version of a rule, all versions of a rule, or all versions of all rules.

  • gcb-list-events

    List all of the events discovered within your enterprise on a particular device within the specified time range. If you receive the maximum number of events you specified using the page_size parameter (or 100, the default), there might still be more events within your Google SecOps account. You can narrow the time range and issue the call again to ensure you have visibility into all possible events. This command returns more than 60 different types of events. Any event would have only specific output context set. Refer the UDM documentation to figure out the output properties specific to the event types.

  • gcb-list-iocs

    Lists the IOC Domain matches within your enterprise for the specified time interval. The indicator of compromise (IOC) domain matches lists for which the domains that your security infrastructure has flagged as both suspicious and that have been seen recently within your enterprise.

  • gcb-list-reference-list

    Retrieve all the reference lists.

  • gcb-list-retrohunts

    List retrohunts for a rule.

  • gcb-list-rules

    List the latest versions of all Rules.

  • gcb-reference-list-append-content

    Appends lines into an existing reference list.

  • gcb-reference-list-remove-content

    Removes lines from an existing reference list.

  • gcb-start-retrohunt

    Initiate a retrohunt for the specified rule.

  • gcb-test-rule-stream

    Test a rule over a specified time range. Return any errors and any detections up to the specified maximum.

  • gcb-udm-search

    Lists the events for the specified UDM Search query. Note: For more information about rate limits, see [Google service limits](https://cloud.google.com/chronicle/docs/reference/service-limits#:~:text=udmSearch-,360%20QPH,-Search%20API#:~:text=udmSearch-,360%20QPH,-Search%20API).

  • gcb-update-reference-list

    Updates an existing reference list.

  • gcb-verify-reference-list

    Validates list content and returns any errors found for each line.

  • gcb-verify-rule

    Verifies that a rule is a valid YARA-L 2.0 rule without creating a new rule or evaluating it over data.

  • gcb-verify-value-in-data-table

    Check if provided values are found in the data table. Note: This command only searches in the first 1000 data table rows. To search next set of rows, use the page_token argument.

  • gcb-verify-value-in-reference-list

    Check if provided values are found in the reference lists in Google SecOps.

  • ip

    Checks the reputation of an IP address.