GoogleSecOps
Use the Google SecOps integration to retrieve IOC Domain matches as Incidents. This integration also provides reputation and threat enrichment of indicators observed in the enterprise.
Analytics & SIEM · Google SecOps
Configuration parameters
credentials— (required)url_format— API URL Formatsecops_project_instance_id— Google SecOps Project Instance ID (required)secops_project_number— Google SecOps Project Numberregion— Region (required)other_region— Other Regionmalicious_categories— Provide comma(',') separated categories (e.g. APT-Activity, Phishing). Indicators belonging to these "categories" would be considered as "malicious" when executing reputation commands.suspicious_categories— Provide comma(',') separated categories (e.g. Unwanted, VirusTotal YARA Rule Match). Indicators belonging to these "categories" would be considered as "suspicious" when executing reputation commands.override_severity_malicious— Specify the "severity" of indicator that should be considered as "malicious" irrespective of the category. If you wish to consider all indicators with High severity as Malicious, set this parameter to 'High'. Allowed values are 'High', 'Medium' and 'Low'. This configuration is applicable to reputation commands only.override_severity_suspicious— Specify the "severity" of indicator that should be considered as "suspicious" irrespective of the category. If you wish to consider all indicators with Medium severity as Suspicious, set this parameter to 'Medium'. Allowed values are 'High', 'Medium' and 'Low'. This configuration is applicable to reputation commands only.override_confidence_score_malicious_threshold— Specify the numeric value of "confidence score". If the indicator's confidence score is equal or above the configured threshold, it would be considered as "malicious". The value provided should be greater than the suspicious threshold. This configuration is applicable to reputation commands only.override_confidence_score_suspicious_threshold— Specify the numeric value of "confidence score". If the indicator's confidence score is equal or above the configured threshold, it would be considered as "suspicious". The value provided should be smaller than the malicious threshold. This configuration is applicable to reputation commands only.override_confidence_level_malicious— Select the confidence score level. If the indicator's confidence score level is equal or above the configured level, it would be considered as "malicious". The confidence level configured should have higher precedence than the suspicious level. This configuration is applicable to reputation commands only. Refer the "confidence score" level precedence UNKNOWN SEVERITY < INFORMATIONAL < LOW < MEDIUM < HIGH.override_confidence_level_suspicious— Select the confidence score level. If the indicator's confidence score level is equal or above the configured level, it would be considered as "suspicious". The confidence level configured should have lesser precedence than the malicious level. This configuration is applicable to reputation commands only. Refer the "confidence score" level precedence UNKNOWN SEVERITY < INFORMATIONAL < LOW < MEDIUM < HIGH.isFetch— Fetch incidentsincidentType— Incident typefirst_fetch— First fetch timemax_fetch— How many incidents to fetch each timetime_window— Time window (in minutes)integrationReliability— Source Reliabilityinsecure— Trust any certificate (not secure)proxy— Use system proxy settings
Commands (38)
-
domainChecks the reputation of a domain.
-
gcb-cancel-retrohuntCancel a retrohunt for a specified rule.
-
gcb-change-live-rule-statusUpdates the live rule status for a rule specified by Rule ID.
-
gcb-change-rule-alerting-statusUpdates the alerting status for a rule specified by Rule ID.
-
gcb-create-data-tableCreates a new data table schema.
-
gcb-create-reference-listCreate a new reference list.
-
gcb-create-ruleCreates a new rule. By default the live rule status will be set to disabled.
-
gcb-create-rule-versionCreates a new version of an existing rule.
-
gcb-data-table-add-rowAdds rows to a data table.
-
gcb-data-table-remove-rowRemoves rows from a data table based on specified row data. Note: This command only removes the first 1000 data table rows. To remove the next set of rows, use the page_token argument.
-
gcb-delete-ruleDeletes the rule specified by Rule ID.
-
gcb-get-data-tableRetrieves the data table details of specified data table name.
-
gcb-get-detectionRetrieves the detection details of specified detection ID.
-
gcb-get-eventGet the specific event with the given ID from Google SecOps. Note: This command returns more than 60 different types of events. Any event would have only specific output context set. Refer the UDM documentation to figure out the output properties specific to the event types.
-
gcb-get-reference-listReturns the specified list.
-
gcb-get-retrohuntGet retrohunt for a specific version of rule.
-
gcb-get-ruleRetrieves the rule details of specified Rule ID or Version ID.
-
gcb-ioc-detailsAccepts an artifact indicator and returns any threat intelligence associated with the artifact. The threat intelligence information is drawn from your enterprise security systems and from Chronicle's IoC partners (for example, the DHS threat feed).
-
gcb-list-curatedrule-detectionsReturn the detections for the specified curated rule identifier.
-
gcb-list-curatedrulesList curated rules.
-
gcb-list-data-tablesReturns a list of data tables.
-
gcb-list-detectionsReturn the detections for the specified version of a rule, the latest version of a rule, all versions of a rule, or all versions of all rules.
-
gcb-list-eventsList all of the events discovered within your enterprise on a particular device within the specified time range. If you receive the maximum number of events you specified using the page_size parameter (or 100, the default), there might still be more events within your Google SecOps account. You can narrow the time range and issue the call again to ensure you have visibility into all possible events. This command returns more than 60 different types of events. Any event would have only specific output context set. Refer the UDM documentation to figure out the output properties specific to the event types.
-
gcb-list-iocsLists the IOC Domain matches within your enterprise for the specified time interval. The indicator of compromise (IOC) domain matches lists for which the domains that your security infrastructure has flagged as both suspicious and that have been seen recently within your enterprise.
-
gcb-list-reference-listRetrieve all the reference lists.
-
gcb-list-retrohuntsList retrohunts for a rule.
-
gcb-list-rulesList the latest versions of all Rules.
-
gcb-reference-list-append-contentAppends lines into an existing reference list.
-
gcb-reference-list-remove-contentRemoves lines from an existing reference list.
-
gcb-start-retrohuntInitiate a retrohunt for the specified rule.
-
gcb-test-rule-streamTest a rule over a specified time range. Return any errors and any detections up to the specified maximum.
-
gcb-udm-searchLists the events for the specified UDM Search query. Note: For more information about rate limits, see [Google service limits](https://cloud.google.com/chronicle/docs/reference/service-limits#:~:text=udmSearch-,360%20QPH,-Search%20API#:~:text=udmSearch-,360%20QPH,-Search%20API).
-
gcb-update-reference-listUpdates an existing reference list.
-
gcb-verify-reference-listValidates list content and returns any errors found for each line.
-
gcb-verify-ruleVerifies that a rule is a valid YARA-L 2.0 rule without creating a new rule or evaluating it over data.
-
gcb-verify-value-in-data-tableCheck if provided values are found in the data table. Note: This command only searches in the first 1000 data table rows. To search next set of rows, use the page_token argument.
-
gcb-verify-value-in-reference-listCheck if provided values are found in the reference lists in Google SecOps.
-
ipChecks the reputation of an IP address.