# Google Chronicle Detection Engine

The Google Chronicle Detection Engine connector enables streamlined access to threat detection capabilities, allowing users to list and manage detections and rules within the Google Chronicle ecosystem.

Google Chronicle Detection Engine is a threat detection service that leverages massive data and analytics to identify threats across your enterprise. This connector enables Swimlane Turbine users to integrate with Google Chronicle, allowing them to retrieve detailed detection information, manage alert states, and list detection rules directly within their security workflows. By harnessing the capabilities of Google Chronicle, security teams can enhance their threat detection and response strategies, streamline investigations, and maintain a proactive security posture.

## Prerequisites

To effectively utilize the Google Chronicle Detection Engine connector within Swimlane Turbine, ensure you have the following prerequisites:

- OAuth2.0 authentication for Google Chronicle with the following parameters:
  - Service account info: a JSON file containing your service account credentials
  - URL: the API endpoint URL for Google Chronicle
  - Scopes: the specific OAuth2 scopes required for the necessary permissions

## Capabilities

This connector provides the following capabilities:

- List Detections of All Versions and All Rules
- List Detections of All Versions of a Rule ID
- List Detections by Version ID
- List Detections of Latest Versions of a Rule ID
- List Rules

## Asset Setup

The CEE-provided credential JSON needs to be passed in the asset input `service_account_info` as a base64-encoded string. Failure to do so will result in an `Incorrect padding` error.

## Regional Endpoints

Chronicle provides regional endpoints for each API:

- https://backstory.googleapis.com/
- https://europe-backstory.googleapis.com/
- https://europe-west2-backstory.googleapis.com/
- https://asia-southeast1-backstory.googleapis.com/

## Notes

For more information on Chronicle:

- https://chronicle.security/products/platform
- https://cloud.google.com/chronicle/docs/reference/detection-engine-api

## Configurations

### OAuth2.0 Authentication for Google Chronicle

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| b64_service_info | Base64-encoded BK credentials JSON authentication file contents | string | required |
| url | Server API address | string | required |
| scopes | Scope to be used for authentication | array | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### List Detections All Versions All Rules

Retrieve a comprehensive list of detections across all versions and rules from the Google Chronicle Detection Engine.

Endpoint URL: `v2/detect/rules/-/detections`

Method: GET

#### Input

| Input Argument | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.alert_state | string | optional | Filter detections on whether they are "ALERTING" or "NOT_ALERTING" |
| parameters.start_time | string | optional | Time to begin returning detections, filtering by the detection field specified in the `list_basis` parameter. If not specified, the start time is treated as open-ended |
| parameters.end_time | string | optional | Time to stop returning detections, filtering by the detection field specified by the `list_basis` parameter. If not specified, the end time is treated as open-ended |
| parameters.list_basis | string | optional | Sort detections by "DETECTION_TIME" or by "CREATED_TIME". If not specified, it defaults to "DETECTION_TIME". Detections are returned in descending order of the timestamp |
| parameters.page_size | number | optional | Specify the maximum number of detections to return (range is 1 through 1,000). The default is 100 |
| parameters.page_token | string | optional | Use to retrieve another page of detections |

Input example:

```json
{"parameters": {"alert_state": "string", "start_time": "string", "end_time": "string", "list_basis": "string", "page_size": 123, "page_token": "string"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| detections | array | Output field detections |
| detections.type | string | Type of the resource |
| detections.detection | array | Output field detections.detection |
| detections.detection.ruleName | string | Name of the resource |
| detections.detection.urlBackToProduct | string | URL endpoint for the request |
| detections.detection.ruleId | string | Unique identifier |
| detections.detection.ruleVersion | string | Output field detections.detection.ruleVersion |
| detections.detection.alertState | string | Output field detections.detection.alertState |
| detections.detection.ruleType | string | Type of the resource |
| detections.createdTime | string | Time value |
| detections.id | string | Unique identifier |
| detections.timeWindow | object | Output field detections.timeWindow |
| detections.timeWindow.startTime | string | Time value |
| detections.timeWindow.endTime | string | Time value |
| detections.collectionElements | array | Output field detections.collectionElements |
| detections.collectionElements.references | array | Output field detections.collectionElements.references |
| detections.collectionElements.references.event | object | Output field detections.collectionElements.references.event |
| detections.collectionElements.references.event.metadata | object | Response data |
| detections.collectionElements.references.event.principal | object | Output field detections.collectionElements.references.event.principal |
| detections.collectionElements.references.event.target | object | Output field detections.collectionElements.references.event.target |
| detections.collectionElements.references.event.securityResult | array | Result of the operation |
| detections.collectionElements.references.event.network | object | Output field detections.collectionElements.references.event.network |
| detections.collectionElements.label | string | Output field detections.collectionElements.label |
| detections.detectionTime | string | Time value |
| nextPageToken | string | Output field nextPageToken |

Output example:

```json
{
  "detections": [
    {"type": "RULE_DETECTION", "detection": [], "createdTime": "2020-12-03T19:19:19.720174Z", "id": "de_69d1ff3c-3528-6171-fb48-28ee813ec3ec", "timeWindow": {}, "collectionElements": [], "detectionTime": "2020-12-03T16:59:55.124243Z"},
    {"type": "RULE_DETECTION", "detection": [], "createdTime": "2020-12-03T19:19:19.720174Z", "id": "de_ec2bc52b-a522-aeaf-6a94-f7c7ce0eff15", "timeWindow": {}, "collectionElements": [], "detectionTime": "2020-12-03T16:59:48.916995Z"}
  ],
  "nextPageToken": "cgsikdvj guq2m2ixbimciszpp4felj"
}
```

### List Detections All Versions by Rule ID

Retrieve all versions of detections for a given rule ID in Google Chronicle Detection Engine, using the specified path parameter.

Endpoint URL: `v2/detect/rules/{{ruleId}}@-/detections`

Method: GET

#### Input

| Input Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.ruleId | string | required | Unique identifier for a rule, defined and returned by the server. Use the following format to specify the rule: `ru_{UUID}` |

The query parameters (`parameters.alert_state`, `parameters.start_time`, `parameters.end_time`, `parameters.list_basis`, `parameters.page_size`, `parameters.page_token`) are the same as for List Detections All Versions All Rules.

Input example:

```json
{"path_parameters": {"ruleId": "string"}, "parameters": {"alert_state": "string", "start_time": "string", "end_time": "string", "list_basis": "string", "page_size": 123, "page_token": "string"}}
```

#### Output

The output parameters and output example are the same as for List Detections All Versions All Rules.

### List Detections by Version ID

Retrieve detections linked to a specific version ID in Google Chronicle Detection Engine, requiring the `versionId` as a path parameter.

Endpoint URL: `v2/detect/rules/{{versionId}}/detections`

Method: GET

#### Input

| Input Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.versionId | string | required | Unique identifier for a specific version of a rule, defined and returned by the server. Use the following format to specify the rule: `{ruleId}@v_{int64}_{int64}` |

The query parameters (`parameters.alert_state`, `parameters.start_time`, `parameters.end_time`, `parameters.list_basis`, `parameters.page_size`, `parameters.page_token`) are the same as for List Detections All Versions All Rules.

Input example:

```json
{"path_parameters": {"versionId": "string"}, "parameters": {"alert_state": "string", "start_time": "string", "end_time": "string", "list_basis": "string", "page_size": 123, "page_token": "string"}}
```

#### Output

The output parameters and output example are the same as for List Detections All Versions All Rules.

### List Detections Latest Version by Rule ID

Retrieve the most recent detections for a specific rule in Google Chronicle using the provided `ruleId`.

Endpoint URL: `v2/detect/rules/{{ruleId}}/detections`

Method: GET

#### Input

| Input Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.ruleId | string | required | Unique identifier for a rule, defined and returned by the server. Use the following format to specify the rule: `ru_{UUID}` |

The query parameters (`parameters.alert_state`, `parameters.start_time`, `parameters.end_time`, `parameters.list_basis`, `parameters.page_size`, `parameters.page_token`) are the same as for List Detections All Versions All Rules.

Input example:

```json
{"path_parameters": {"ruleId": "string"}, "parameters": {"alert_state": "string", "start_time": "string", "end_time": "string", "list_basis": "string", "page_size": 123, "page_token": "string"}}
```

#### Output

The output parameters and output example are the same as for List Detections All Versions All Rules.

### List Rules

Retrieve the latest versions of all detection rules from the Google Chronicle Detection Engine.

Endpoint URL: `/v2/detect/rules`

Method: GET

#### Input

| Input Argument | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.page_size | number | optional | Specify the maximum number of rules to return (range is 1 through 1,000). The default is 100 |
| parameters.page_token | string | optional | Page token received from a previous call. Use to retrieve the next page |
| parameters.state | string | optional | List rules based on their state |

Input example:

```json
{"parameters": {"page_size": 100, "page_token": "", "state": "ACTIVE"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| rules | array | Output field rules |
| rules.ruleId | string | Unique identifier |
| rules.versionId | string | Unique identifier |
| rules.ruleName | string | Name of the resource |
| rules.metadata | object | Response data |
| rules.metadata.type | string | Response data |
| rules.metadata.data_source | string | Response data |
| rules.metadata.platform | string | Response data |
| rules.metadata.severity | string | Response data |
| rules.metadata.priority | string | Response data |
| rules.metadata.author | string | Response data |
| rules.metadata.description | string | Response data |
| rules.ruleText | string | Output field rules.ruleText |
| rules.versionCreateTime | string | Time value |
| rules.compilationState | string | Output field rules.compilationState |
| rules.ruleType | string | Type of the resource |
| rules.lastAlertStatusChangeTime | string | Status value |
| rules.liveRuleEnabled | boolean | Output field rules.liveRuleEnabled |
| rules.alertingEnabled | boolean | Output field rules.alertingEnabled |
| nextPageToken | string | Output field nextPageToken |

Output example:

```json
{"rules": [], "nextPageToken": "string"}
```

#### Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
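As an added example (not the connector's code or a Google library), the following Python stands in the connector's place: it builds the paths for the four list-detections actions and checks the `ru_{UUID}` and `{ruleId}@v_{int64}_{int64}` identifier formats, shows why pasting the raw credential JSON into `b64_service_info` fails with `Incorrect padding`, and walks `nextPageToken` with the 1..1000 `page_size` limit enforced. The `fetch` callable, the two-page response and all identifiers are constructed for this example; `fetch` replaces the HTTP GET so the code runs offline.

```python
"""Added example, not connector code: build the list-detections paths, validate the
b64_service_info asset value and page through results. fetch() stands in for HTTP GET."""
import base64
import json
import re
from typing import Iterator, Optional

UUID = r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}"
RULE_ID_RE = re.compile(rf"^ru_{UUID}$")              # ru_{UUID}
VERSION_ID_RE = re.compile(rf"^ru_{UUID}@v_\d+_\d+$")  # {ruleId}@v_{int64}_{int64}

def encode_service_info(credential_json: str) -> str:
    """Turn the raw credential file text into the base64 string the asset expects."""
    json.loads(credential_json)  # reject a non-JSON file before it reaches the asset
    return base64.b64encode(credential_json.encode()).decode()

def service_info_problem(value: str) -> Optional[str]:
    """Decode as the connector must; return the error text, or None if usable.
    Pasting the raw JSON instead of base64 is what produces 'Incorrect padding'."""
    try:
        json.loads(base64.b64decode(value))
        return None
    except ValueError as exc:  # binascii.Error and JSONDecodeError both subclass it
        return str(exc)

def detections_path(rule_id=None, version_id=None, all_versions=False) -> str:
    """Path for the four list-detections actions documented above."""
    if version_id is not None:                        # List Detections by Version ID
        if not VERSION_ID_RE.match(version_id):
            raise ValueError(f"bad versionId: {version_id}")
        return f"v2/detect/rules/{version_id}/detections"
    if rule_id is None:                               # all versions of all rules
        return "v2/detect/rules/-/detections"
    if not RULE_ID_RE.match(rule_id):
        raise ValueError(f"bad ruleId: {rule_id}")
    return f"v2/detect/rules/{rule_id}{'@-' if all_versions else ''}/detections"

def iter_detections(fetch, path: str, page_size: int = 100, **filters) -> Iterator[dict]:
    """Yield detections from every page until no nextPageToken comes back."""
    if not 1 <= page_size <= 1000:
        raise ValueError("page_size must be 1..1000")
    params = dict(filters, page_size=page_size)
    while True:
        body = fetch(path, params)
        yield from body.get("detections", [])
        if not body.get("nextPageToken"):
            return
        params["page_token"] = body["nextPageToken"]

# Constructed two-page response shaped like the output example above.
_PAGES = {None: {"detections": [{"id": "de_00000000-0000-0000-0000-000000000001"}],
                 "nextPageToken": "tok2"},
          "tok2": {"detections": [{"id": "de_00000000-0000-0000-0000-000000000002"}]}}

def fake_fetch(path: str, params: dict) -> dict:
    return _PAGES[params.get("page_token")]  # stand-in for the HTTP GET, keyed on page_token

def all_detection_ids(fetch=fake_fetch) -> list:
    path = detections_path()  # all versions, all rules
    return [d["id"] for d in iter_detections(fetch, path, page_size=1, alert_state="ALERTING")]
```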