# Google Chronicle Detection Engine

Google Chronicle Detection Engine is a cloud-native security analytics platform that leverages Google's infrastructure to provide comprehensive security insights, enabling organizations to detect and respond to threats efficiently. This connector allows Swimlane Turbine users to integrate with Google Chronicle, enabling automated retrieval and management of detection rules and alerts. By integrating with Google Chronicle, users can enhance their threat detection capabilities, streamline incident response, and gain real-time visibility into security events, all within the Swimlane Turbine platform.

## Prerequisites

Before you can use the Google Chronicle Detection Engine connector for Turbine, you'll need access to the Google Chronicle API. This requires OAuth 2.0 authentication using the following parameters:

- Service Account Info: JSON key file for service account authentication
- URL: endpoint URL for accessing Google Chronicle services
- Scopes: permissions required for accessing specific resources within Google Chronicle

## Capabilities

This connector provides the following capabilities:

- List Detections of All Versions and All Rules
- List Detections of All Versions of a Rule ID
- List Detections by Version ID
- List Detections of Latest Versions of a Rule ID
- List Rules

## Asset Setup

The CEE-provided credential JSON needs to be passed in the asset input Service Account Info as a base64 encoded string. Failure to do so will result in the "Incorrect padding" error.

## Regional Endpoints

Chronicle provides regional endpoints for each API:

- https://backstory.googleapis.com/
- https://europe-backstory.googleapis.com/
- https://europe-west2-backstory.googleapis.com/
- https://asia-southeast1-backstory.googleapis.com/

## Notes

For more information on Chronicle:

- https://chronicle.security/products/platform
- https://cloud.google.com/chronicle/docs/reference/detection-engine-api

Additional documentation:

- https://docs.swimlane.com/connectors/google-chronicle-detection-engine
- https://chronicle.security/products/platform

## Configurations

### OAuth2.0 Authentication for Google Chronicle

Configuration parameters:

| Parameter | Description | Type | Required |
| --------- | ----------- | ---- | -------- |
| b64_service_info | Base64 encoded BK credentials JSON authentication file contents | string | Required |
| url | Server API address | string | Required |
| scopes | Scope to be used for authentication | array | Required |
| verify_ssl | Verify SSL certificate | boolean | Optional |
| http_proxy | A proxy to route requests through | string | Optional |

## Actions

### List Detections All Versions All Rules

Retrieve a comprehensive list of detections across all versions and rules from the Google Chronicle Detection Engine.

**Endpoint URL:** `v2/detect/rules/-/detections`

**Method:** GET

#### Input

| Name | Type | Required | Description |
| ---- | ---- | -------- | ----------- |
| parameters.alert_state | string | Optional | Filter detections on whether they are "alerting" or "not alerting" |
| parameters.start_time | string | Optional | Time to begin returning detections, filtering by the detection field specified in the list_basis parameter. If not specified, the start time is treated as open-ended |
| parameters.end_time | string | Optional | Time to stop returning detections, filtering by the detection field specified by the list_basis parameter. If not specified, the end time is treated as open-ended |
| parameters.list_basis | string | Optional | Sort detections by "detection time" or by "created time". If not specified, it defaults to "detection time". Detections are returned in descending order of the timestamp |
| parameters.page_size | number | Optional | Specify the maximum number of detections to return (range is 1 through 1,000). The default is 100 |
| parameters.page_token | string | Optional | Use to retrieve another page of detections |
| timeout | integer | Optional | Maximum number of seconds to wait for the search to complete before timing out. Default is 600 seconds (10 minutes) |

Input example:

```json
{"parameters": {"alert_state": "string", "start_time": "string", "end_time": "string", "list_basis": "string", "page_size": 123, "page_token": "string"}, "timeout": 600}
```

#### Output

| Parameter | Type | Description |
| --------- | ---- | ----------- |
| detections | array | Output field detections |
| detections.type | string | Type of the resource |
| detections.detection | array | Output field detections.detection |
| detections.detection.ruleName | string | Name of the resource |
| detections.detection.urlBackToProduct | string | URL endpoint for the request |
| detections.detection.ruleId | string | Unique identifier |
| detections.detection.ruleVersion | string | Output field detections.detection.ruleVersion |
| detections.detection.alertState | string | Output field detections.detection.alertState |
| detections.detection.ruleType | string | Type of the resource |
| detections.createdTime | string | Time value |
| detections.id | string | Unique identifier |
| detections.timeWindow | object | Output field detections.timeWindow |
| detections.timeWindow.startTime | string | Time value |
| detections.timeWindow.endTime | string | Time value |
| detections.collectionElements | array | Output field detections.collectionElements |
| detections.collectionElements.references | array | Output field detections.collectionElements.references |
| detections.collectionElements.references.event | object | Output field detections.collectionElements.references.event |
| detections.collectionElements.references.event.metadata | object | Response data |
| detections.collectionElements.references.event.principal | object | Output field detections.collectionElements.references.event.principal |
| detections.collectionElements.references.event.target | object | Output field detections.collectionElements.references.event.target |
| detections.collectionElements.references.event.securityResult | array | Result of the operation |
| detections.collectionElements.references.event.network | object | Output field detections.collectionElements.references.event.network |
| detections.collectionElements.label | string | Output field detections.collectionElements.label |
| detections.detectionTime | string | Time value |
| nextPageToken | string | Output field nextPageToken |

Output example:

```json
{"detections": [{"type": "RULE_DETECTION", "detection": [], "createdTime": "2020-12-03T19:19:19.720174Z", "id": "de_69d1ff3c-3528-6171-fb48-28ee813ec3ec", "timeWindow": {}, "collectionElements": [], "detectionTime": "2020-12-03T16:59:55.124243Z"}, {"type": "RULE_DETECTION", "detection": [], "createdTime": "2020-12-03T19:19:19.720174Z", "id": "de_ec2bc52b-a522-aeaf-6a94-f7c7ce0eff15", "timeWindow": {}, "collectionElements": [], "detectionTime": "2020-12-03T16:59:48.916995Z"}], "nextPageToken": "cgsikdvj guq2m2ixbimciszpp4felj"}
```

### List Detections All Versions by Rule ID

Retrieve all versions of detections associated with a specific rule ID in Google Chronicle Detection Engine. Requires the ruleId as a path parameter.

**Endpoint URL:** `v2/detect/rules/{{ruleId}}@-/detections`

**Method:** GET

#### Input

| Name | Type | Required | Description |
| ---- | ---- | -------- | ----------- |
| path_parameters.ruleId | string | Required | Unique identifier for a rule, defined and returned by the server. Use the following format to specify the rule: `ru_{UUID}` |
| parameters.alert_state | string | Optional | Filter detections on whether they are "alerting" or "not alerting" |
| parameters.start_time | string | Optional | Time to begin returning detections, filtering by the detection field specified in the list_basis parameter. If not specified, the start time is treated as open-ended |
| parameters.end_time | string | Optional | Time to stop returning detections, filtering by the detection field specified by the list_basis parameter. If not specified, the end time is treated as open-ended |
| parameters.list_basis | string | Optional | Sort detections by "detection time" or by "created time". If not specified, it defaults to "detection time". Detections are returned in descending order of the timestamp |
| parameters.page_size | number | Optional | Specify the maximum number of detections to return (range is 1 through 1,000). The default is 100 |
| parameters.page_token | string | Optional | Use to retrieve another page of detections |
| timeout | integer | Optional | Maximum number of seconds to wait for the search to complete before timing out. Default is 600 seconds (10 minutes) |

Input example:

```json
{"path_parameters": {"ruleId": "string"}, "parameters": {"alert_state": "string", "start_time": "string", "end_time": "string", "list_basis": "string", "page_size": 123, "page_token": "string"}, "timeout": 600}
```

#### Output

| Parameter | Type | Description |
| --------- | ---- | ----------- |
| detections | array | Output field detections |
| detections.type | string | Type of the resource |
| detections.detection | array | Output field detections.detection |
| detections.detection.ruleName | string | Name of the resource |
| detections.detection.urlBackToProduct | string | URL endpoint for the request |
| detections.detection.ruleId | string | Unique identifier |
| detections.detection.ruleVersion | string | Output field detections.detection.ruleVersion |
| detections.detection.alertState | string | Output field detections.detection.alertState |
| detections.detection.ruleType | string | Type of the resource |
| detections.createdTime | string | Time value |
| detections.id | string | Unique identifier |
| detections.timeWindow | object | Output field detections.timeWindow |
| detections.timeWindow.startTime | string | Time value |
| detections.timeWindow.endTime | string | Time value |
| detections.collectionElements | array | Output field detections.collectionElements |
| detections.collectionElements.references | array | Output field detections.collectionElements.references |
| detections.collectionElements.references.event | object | Output field detections.collectionElements.references.event |
| detections.collectionElements.references.event.metadata | object | Response data |
| detections.collectionElements.references.event.principal | object | Output field detections.collectionElements.references.event.principal |
| detections.collectionElements.references.event.target | object | Output field detections.collectionElements.references.event.target |
| detections.collectionElements.references.event.securityResult | array | Result of the operation |
| detections.collectionElements.references.event.network | object | Output field detections.collectionElements.references.event.network |
| detections.collectionElements.label | string | Output field detections.collectionElements.label |
| detections.detectionTime | string | Time value |
| nextPageToken | string | Output field nextPageToken |

Output example:

```json
{"detections": [{"type": "RULE_DETECTION", "detection": [], "createdTime": "2020-12-03T19:19:19.720174Z", "id": "de_69d1ff3c-3528-6171-fb48-28ee813ec3ec", "timeWindow": {}, "collectionElements": [], "detectionTime": "2020-12-03T16:59:55.124243Z"}, {"type": "RULE_DETECTION", "detection": [], "createdTime": "2020-12-03T19:19:19.720174Z", "id": "de_ec2bc52b-a522-aeaf-6a94-f7c7ce0eff15", "timeWindow": {}, "collectionElements": [], "detectionTime": "2020-12-03T16:59:48.916995Z"}], "nextPageToken": "cgsikdvj guq2m2ixbimciszpp4felj"}
```

### List Detections by Version ID

Retrieve detections associated with a specified versionId in Google Chronicle Detection Engine.

**Endpoint URL:** `v2/detect/rules/{{versionId}}/detections`

**Method:** GET

#### Input

| Name | Type | Required | Description |
| ---- | ---- | -------- | ----------- |
| path_parameters.versionId | string | Required | Unique identifier for a specific version of a rule, defined and returned by the server. Use the following format to specify the rule: `{ruleId}@v_{int64}_{int64}` |
| parameters.alert_state | string | Optional | Filter detections on whether they are "alerting" or "not alerting" |
| parameters.start_time | string | Optional | Time to begin returning detections, filtering by the detection field specified in the list_basis parameter. If not specified, the start time is treated as open-ended |
| parameters.end_time | string | Optional | Time to stop returning detections, filtering by the detection field specified by the list_basis parameter. If not specified, the end time is treated as open-ended |
| parameters.list_basis | string | Optional | Sort detections by "detection time" or by "created time". If not specified, it defaults to "detection time". Detections are returned in descending order of the timestamp |
| parameters.page_size | number | Optional | Specify the maximum number of detections to return (range is 1 through 1,000). The default is 100 |
| parameters.page_token | string | Optional | Use to retrieve another page of detections |
| timeout | integer | Optional | Maximum number of seconds to wait for the search to complete before timing out. Default is 600 seconds (10 minutes) |

Input example:

```json
{"path_parameters": {"versionId": "string"}, "parameters": {"alert_state": "string", "start_time": "string", "end_time": "string", "list_basis": "string", "page_size": 123, "page_token": "string"}, "timeout": 600}
```

#### Output

| Parameter | Type | Description |
| --------- | ---- | ----------- |
| detections | array | Output field detections |
| detections.type | string | Type of the resource |
| detections.detection | array | Output field detections.detection |
| detections.detection.ruleName | string | Name of the resource |
| detections.detection.urlBackToProduct | string | URL endpoint for the request |
| detections.detection.ruleId | string | Unique identifier |
| detections.detection.ruleVersion | string | Output field detections.detection.ruleVersion |
| detections.detection.alertState | string | Output field detections.detection.alertState |
| detections.detection.ruleType | string | Type of the resource |
| detections.createdTime | string | Time value |
| detections.id | string | Unique identifier |
| detections.timeWindow | object | Output field detections.timeWindow |
| detections.timeWindow.startTime | string | Time value |
| detections.timeWindow.endTime | string | Time value |
| detections.collectionElements | array | Output field detections.collectionElements |
| detections.collectionElements.references | array | Output field detections.collectionElements.references |
| detections.collectionElements.references.event | object | Output field detections.collectionElements.references.event |
| detections.collectionElements.references.event.metadata | object | Response data |
| detections.collectionElements.references.event.principal | object | Output field detections.collectionElements.references.event.principal |
| detections.collectionElements.references.event.target | object | Output field detections.collectionElements.references.event.target |
| detections.collectionElements.references.event.securityResult | array | Result of the operation |
| detections.collectionElements.references.event.network | object | Output field detections.collectionElements.references.event.network |
| detections.collectionElements.label | string | Output field detections.collectionElements.label |
| detections.detectionTime | string | Time value |
| nextPageToken | string | Output field nextPageToken |

Output example:

```json
{"detections": [{"type": "RULE_DETECTION", "detection": [], "createdTime": "2020-12-03T19:19:19.720174Z", "id": "de_69d1ff3c-3528-6171-fb48-28ee813ec3ec", "timeWindow": {}, "collectionElements": [], "detectionTime": "2020-12-03T16:59:55.124243Z"}, {"type": "RULE_DETECTION", "detection": [], "createdTime": "2020-12-03T19:19:19.720174Z", "id": "de_ec2bc52b-a522-aeaf-6a94-f7c7ce0eff15", "timeWindow": {}, "collectionElements": [], "detectionTime": "2020-12-03T16:59:48.916995Z"}], "nextPageToken": "cgsikdvj guq2m2ixbimciszpp4felj"}
```

### List Detections Latest Version by Rule ID

Retrieve the latest version of detections for a given rule in Google Chronicle using the specified ruleId.

**Endpoint URL:** `v2/detect/rules/{{ruleId}}/detections`

**Method:** GET

#### Input

| Name | Type | Required | Description |
| ---- | ---- | -------- | ----------- |
| path_parameters.ruleId | string | Required | Unique identifier for a rule, defined and returned by the server. Use the following format to specify the rule: `ru_{UUID}` |
| parameters.alert_state | string | Optional | Filter detections on whether they are "alerting" or "not alerting" |
| parameters.start_time | string | Optional | Time to begin returning detections, filtering by the detection field specified in the list_basis parameter. If not specified, the start time is treated as open-ended |
| parameters.end_time | string | Optional | Time to stop returning detections, filtering by the detection field specified by the list_basis parameter. If not specified, the end time is treated as open-ended |
| parameters.list_basis | string | Optional | Sort detections by "detection time" or by "created time". If not specified, it defaults to "detection time". Detections are returned in descending order of the timestamp |
| parameters.page_size | number | Optional | Specify the maximum number of detections to return (range is 1 through 1,000). The default is 100 |
| parameters.page_token | string | Optional | Use to retrieve another page of detections |
| timeout | integer | Optional | Maximum number of seconds to wait for the search to complete before timing out. Default is 600 seconds (10 minutes) |

Input example:

```json
{"path_parameters": {"ruleId": "string"}, "parameters": {"alert_state": "string", "start_time": "string", "end_time": "string", "list_basis": "string", "page_size": 123, "page_token": "string"}, "timeout": 600}
```

#### Output

| Parameter | Type | Description |
| --------- | ---- | ----------- |
| detections | array | Output field detections |
| detections.type | string | Type of the resource |
| detections.detection | array | Output field detections.detection |
| detections.detection.ruleName | string | Name of the resource |
| detections.detection.urlBackToProduct | string | URL endpoint for the request |
| detections.detection.ruleId | string | Unique identifier |
| detections.detection.ruleVersion | string | Output field detections.detection.ruleVersion |
| detections.detection.alertState | string | Output field detections.detection.alertState |
| detections.detection.ruleType | string | Type of the resource |
| detections.createdTime | string | Time value |
| detections.id | string | Unique identifier |
| detections.timeWindow | object | Output field detections.timeWindow |
| detections.timeWindow.startTime | string | Time value |
| detections.timeWindow.endTime | string | Time value |
| detections.collectionElements | array | Output field detections.collectionElements |
| detections.collectionElements.references | array | Output field detections.collectionElements.references |
| detections.collectionElements.references.event | object | Output field detections.collectionElements.references.event |
| detections.collectionElements.references.event.metadata | object | Response data |
| detections.collectionElements.references.event.principal | object | Output field detections.collectionElements.references.event.principal |
| detections.collectionElements.references.event.target | object | Output field detections.collectionElements.references.event.target |
| detections.collectionElements.references.event.securityResult | array | Result of the operation |
| detections.collectionElements.references.event.network | object | Output field detections.collectionElements.references.event.network |
| detections.collectionElements.label | string | Output field detections.collectionElements.label |
| detections.detectionTime | string | Time value |
| nextPageToken | string | Output field nextPageToken |

Output example:

```json
{"detections": [{"type": "RULE_DETECTION", "detection": [], "createdTime": "2020-12-03T19:19:19.720174Z", "id": "de_69d1ff3c-3528-6171-fb48-28ee813ec3ec", "timeWindow": {}, "collectionElements": [], "detectionTime": "2020-12-03T16:59:55.124243Z"}, {"type": "RULE_DETECTION", "detection": [], "createdTime": "2020-12-03T19:19:19.720174Z", "id": "de_ec2bc52b-a522-aeaf-6a94-f7c7ce0eff15", "timeWindow": {}, "collectionElements": [], "detectionTime": "2020-12-03T16:59:48.916995Z"}], "nextPageToken": "cgsikdvj guq2m2ixbimciszpp4felj"}
```

### List Rules

Retrieve the latest versions of all detection rules from the Google Chronicle Detection Engine.

**Endpoint URL:** `/v2/detect/rules`

**Method:** GET

#### Input

| Name | Type | Required | Description |
| ---- | ---- | -------- | ----------- |
| parameters.page_size | number | Optional | Specify the maximum number of rules to return (range is 1 through 1,000). The default is 100 |
| parameters.page_token | string | Optional | Page token received from a previous call. Use to retrieve the next page |
| parameters.state | string | Optional | List rules based on their state |
| timeout | integer | Optional | Maximum number of seconds to wait for the search to complete before timing out. Default is 600 seconds (10 minutes) |

Input example:

```json
{"parameters": {"page_size": 100, "page_token": " ", "state": "active"}}
```

#### Output

| Parameter | Type | Description |
| --------- | ---- | ----------- |
| rules | array | Output field rules |
| rules.ruleId | string | Unique identifier |
| rules.versionId | string | Unique identifier |
| rules.ruleName | string | Name of the resource |
| rules.metadata | object | Response data |
| rules.metadata.type | string | Response data |
| rules.metadata.data_source | string | Response data |
| rules.metadata.platform | string | Response data |
| rules.metadata.severity | string | Response data |
| rules.metadata.priority | string | Response data |
| rules.metadata.author | string | Response data |
| rules.metadata.description | string | Response data |
| rules.ruleText | string | Output field rules.ruleText |
| rules.versionCreateTime | string | Time value |
| rules.compilationState | string | Output field rules.compilationState |
| rules.ruleType | string | Type of the resource |
| rules.lastAlertStatusChangeTime | string | Status value |
| rules.liveRuleEnabled | boolean | Output field rules.liveRuleEnabled |
| rules.alertingEnabled | boolean | Output field rules.alertingEnabled |
| nextPageToken | string | Output field nextPageToken |

Output example:

```json
{"rules": [], "nextPageToken": "string"}
```

## Response Headers

| Header | Description | Example |
| ------ | ----------- | ------- |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
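Two things on this page trip people up in practice: the Asset Setup requirement that the service-account key file be passed base64 encoded (otherwise the "Incorrect padding" error), and the page_token / nextPageToken handshake that the List Detections actions share. The following Python is an added example written for this page, not code from the Swimlane connector or from Google. It encodes and validates the asset value, builds the endpoint paths for the four List Detections actions exactly as the page lists them, and walks every page of a detection listing. The HTTP layer is replaced by an in-memory fetcher serving constructed responses shaped like the page's output example; the rule ID, the page tokens and the third detection ID are placeholders.

```python
import base64
import binascii
import json
from typing import Callable, Dict, Iterator, List, Optional

# Regional endpoints from the Regional Endpoints section of this page.
REGIONAL_ENDPOINTS = {
    "us": "https://backstory.googleapis.com/",
    "europe": "https://europe-backstory.googleapis.com/",
    "europe-west2": "https://europe-west2-backstory.googleapis.com/",
    "asia-southeast1": "https://asia-southeast1-backstory.googleapis.com/",
}


def encode_service_account_info(key_file_json: str) -> str:
    """Turn the raw service-account key file into the base64 string that the
    b64_service_info asset field expects."""
    json.loads(key_file_json)  # fail early if the input is not the JSON key file
    return base64.b64encode(key_file_json.encode("utf-8")).decode("ascii")


def decode_service_account_info(b64_value: str) -> dict:
    """Decode the asset value back to the key-file dict.

    Passing the raw JSON instead of its base64 form is the mistake the Asset
    Setup section warns about: decoding then raises binascii.Error (the
    'Incorrect padding' message) or yields bytes that are not JSON. Both are
    reported as one ValueError so the asset can be rejected at setup time."""
    try:
        raw = base64.b64decode(b64_value)
        return json.loads(raw.decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError("b64_service_info must be the whole key file, base64 "
                         f"encoded (decode failed: {exc})") from exc


def detections_path(rule_id: Optional[str] = None, version_id: Optional[str] = None,
                    all_versions: bool = False) -> str:
    """Endpoint path for the four List Detections actions; '-' is the wildcard
    segment used in the page's endpoint URLs."""
    if version_id:                       # List Detections by Version ID
        return f"v2/detect/rules/{version_id}/detections"
    if rule_id and all_versions:         # List Detections All Versions by Rule ID
        return f"v2/detect/rules/{rule_id}@-/detections"
    if rule_id:                          # List Detections Latest Version by Rule ID
        return f"v2/detect/rules/{rule_id}/detections"
    return "v2/detect/rules/-/detections"   # List Detections All Versions All Rules


FetchPage = Callable[[str, Dict[str, object], int], dict]


def iter_detections(fetch_page: FetchPage, path: str, page_size: int = 100,
                    alert_state: Optional[str] = None, timeout: int = 600) -> Iterator[dict]:
    """Yield every detection, feeding each nextPageToken back as page_token
    until the server returns no token."""
    if not 1 <= page_size <= 1000:
        raise ValueError("page_size must be between 1 and 1,000")
    params: Dict[str, object] = {"page_size": page_size}
    if alert_state:
        params["alert_state"] = alert_state      # "alerting" or "not alerting"
    while True:
        page = fetch_page(path, dict(params), timeout)
        yield from page.get("detections", [])
        token = page.get("nextPageToken")
        if not token:
            return
        params["page_token"] = token


# Constructed sample responses (not captured from a real tenant), keyed by the
# page_token that requests them; None is the first page.
_SAMPLE_PAGES = {
    None: {
        "detections": [
            {"type": "RULE_DETECTION", "id": "de_69d1ff3c-3528-6171-fb48-28ee813ec3ec",
             "detectionTime": "2020-12-03T16:59:55.124243Z",
             "detection": [{"ruleName": "sample_rule", "alertState": "ALERTING"}]},
            {"type": "RULE_DETECTION", "id": "de_ec2bc52b-a522-aeaf-6a94-f7c7ce0eff15",
             "detectionTime": "2020-12-03T16:59:48.916995Z",
             "detection": [{"ruleName": "sample_rule", "alertState": "NOT_ALERTING"}]},
        ],
        "nextPageToken": "placeholder-token-page-2",
    },
    "placeholder-token-page-2": {
        "detections": [
            {"type": "RULE_DETECTION", "id": "de_00000000-0000-0000-0000-000000000003",
             "detectionTime": "2020-12-03T16:59:40.000000Z",
             "detection": [{"ruleName": "sample_rule", "alertState": "ALERTING"}]},
        ],
    },
}
REQUEST_LOG: List[str] = []


def fake_fetch_page(path: str, params: Dict[str, object], timeout: int) -> dict:
    """In-memory stand-in for the connector's HTTP call; honours page_token and
    the alert_state filter the way the page describes them."""
    REQUEST_LOG.append(path)
    page = _SAMPLE_PAGES[params.get("page_token")]
    dets = page["detections"]
    wanted = params.get("alert_state")
    if wanted:
        wanted = str(wanted).upper().replace(" ", "_")   # "not alerting" -> NOT_ALERTING
        dets = [d for d in dets if d["detection"][0]["alertState"] == wanted]
    return {"detections": dets, "nextPageToken": page.get("nextPageToken")}


if __name__ == "__main__":
    key = json.dumps({"type": "service_account", "project_id": "example-project"})  # constructed
    print("asset b64_service_info:", encode_service_account_info(key)[:24], "...")
    path = detections_path(rule_id="ru_00000000-0000-0000-0000-000000000000", all_versions=True)
    print("request URL:", REGIONAL_ENDPOINTS["europe"] + path)
    for det in iter_detections(fake_fetch_page, path, alert_state="alerting"):
        print(det["id"], det["detection"][0]["alertState"])
```

To run this against a tenant, replace `fake_fetch_page` with a function that performs the GET on the regional endpoint with the OAuth2 bearer token and returns the parsed JSON body; `iter_detections` does not need to change, and the same token loop applies to List Rules.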