Google Chronicle Detection Engine
The Google Chronicle Detection Engine connector integrates Google's threat detection capabilities into the Swimlane Turbine platform. Google Chronicle Detection Engine is a threat detection service that evaluates detection rules at scale over ingested security telemetry to surface potential threats. This connector lets Swimlane Turbine users query Chronicle for detection rules and the detections those rules produce, with filtering, sorting and paging, so detection data can drive automation and response playbooks inside the Swimlane ecosystem.

## Prerequisites

To use the Google Chronicle Detection Engine connector within Swimlane Turbine, you need OAuth 2.0 authentication for Google Chronicle with the following parameters:

- Service Account Info: the JSON key file from your Google service account
- URL: the API endpoint URL for the Google Chronicle Detection Engine (one of the regional endpoints listed below)

## Capabilities

This connector provides the following capabilities:

- List Detections of All Versions and All Rules
- List Detections of All Versions of a Rule ID
- List Detections by Version ID
- List Detections of Latest Versions of a Rule ID
- List Rules

## Asset Setup

The CEE-provided credential JSON (the service-account key file) must be passed in the asset input Service Account Info as a base64-encoded string. Passing the raw JSON instead results in an `Incorrect padding` error when the connector tries to decode the value. Note that base64 is an encoding, not protection: the encoded value still contains the service account's private key and must be handled as a secret.

## Regional Endpoints

Chronicle provides regional endpoints for each API. Use the endpoint for the region where your Chronicle tenant is hosted as the asset URL:

- https://backstory.googleapis.com/
- https://europe-backstory.googleapis.com/
- https://europe-west2-backstory.googleapis.com/
- https://asia-southeast1-backstory.googleapis.com/

## Configurations

### Asset: OAuth2.0 Authentication for Google Chronicle
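The following is an added example, not code from the Swimlane connector or from Google, showing how to produce the base64 value for the asset's `b64_service_info` parameter from a service-account key file and how to check it before saving the asset. It rejects raw (unencoded) JSON with a clear message instead of the connector's `Incorrect padding` failure. The key file contents, and the function names `encode_service_account`, `decode_service_account` and `is_valid_b64_service_info`, are constructed for the example.

```python
"""Added example (not Swimlane or Google code): build and verify the
b64_service_info asset value from a Google service-account key file.

The sample key below is constructed; every field is a placeholder and
no real credential appears here.
"""
import base64
import binascii
import json

# Constructed sample of a service-account key file (placeholder values only).
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0000000000000000000000000000000000000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "chronicle-reader@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "token_uri": "https://oauth2.googleapis.com/token",
})

# Keys google-auth needs to mint an OAuth2 token from a service-account file.
REQUIRED_KEYS = ("type", "client_email", "private_key", "token_uri")


def encode_service_account(key_json: str) -> str:
    """Return the string to paste into the asset's b64_service_info field."""
    json.loads(key_json)  # refuse to encode something that is not JSON at all
    return base64.b64encode(key_json.encode("utf-8")).decode("ascii")


def decode_service_account(b64_value: str) -> dict:
    """Reverse the encoding the way the connector must, but with clear errors.

    validate=True makes the decoder reject any non-base64 character (for
    example the '{' that opens raw JSON) instead of silently dropping it and
    then failing later with "Incorrect padding".
    """
    try:
        raw = base64.b64decode(b64_value.strip(), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(
            f"b64_service_info is not valid base64 ({exc}); "
            "base64-encode the whole JSON key file first") from exc
    try:
        info = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError("b64_service_info decoded, but the payload is not a JSON key file") from exc
    missing = [k for k in REQUIRED_KEYS if k not in info]
    if missing or info.get("type") != "service_account":
        raise ValueError(f"service-account JSON is incomplete or wrong type: missing {missing}")
    return info


def is_valid_b64_service_info(value: str) -> bool:
    """True when the value would be accepted as a base64-encoded key file."""
    try:
        decode_service_account(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    encoded = encode_service_account(SAMPLE_KEY_JSON)
    print(encoded[:40] + "...")
    print("encoded value accepted:", is_valid_b64_service_info(encoded))   # True
    print("raw JSON accepted:", is_valid_b64_service_info(SAMPLE_KEY_JSON))  # False
```

On the command line the equivalent one-liner is `base64 -w0 service-account.json` (GNU coreutils; `base64 -i service-account.json` on macOS), but run it somewhere the output will not land in shell history or a ticket, since the output is the private key in a different encoding.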
Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| b64_service_info | Base64-encoded contents of the BK credentials JSON authentication file | string | Required |
| url | Server API address (one of the regional endpoints above) | string | Required |
| verify_ssl | Verify the server's SSL/TLS certificate | boolean | Optional |
| http_proxy | A proxy to route requests through | string | Optional |

Leave `verify_ssl` enabled. Every request carries an OAuth 2.0 bearer token, and disabling certificate verification lets anyone who can intercept the connection (including a misconfigured `http_proxy`) read that token and replay it against the API.

## Actions

### List Detections (All Versions, All Rules)

Retrieve a comprehensive list of detections across all versions and all rules from the Google Chronicle Detection Engine.

Endpoint URL: `v2/detect/rules/-/detections`
Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| alert_state | string | Optional | Filter detections on whether they are `ALERTING` or `NOT_ALERTING`. |
| start_time | string | Optional | Time (RFC 3339 timestamp) to begin returning detections, filtering by the detection field specified in `list_basis`. If not specified, the start time is treated as open-ended. |
| end_time | string | Optional | Time (RFC 3339 timestamp) to stop returning detections, filtering by the detection field specified in `list_basis`. If not specified, the end time is treated as open-ended. |
| list_basis | string | Optional | Sort detections by `DETECTION_TIME` or by `CREATED_TIME`. If not specified, defaults to `DETECTION_TIME`. Detections are returned in descending order of that timestamp. |
| page_size | number | Optional | Maximum number of detections to return (range is 1 through 1,000). The default is 100. |
| page_token | string | Optional | Token received from a previous call; use it to retrieve the next page of detections. |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| detections | array | Detection records on this page |
| detections[].type | string | Type of the resource |
| detections[].detection | array | Rule details for the detection |
| detections[].detection[].ruleName | string | Name of the rule |
| detections[].detection[].urlBackToProduct | string | URL back to the detection in the Chronicle UI |
| detections[].detection[].ruleId | string | Unique identifier of the rule (`ru_{UUID}`) |
| detections[].detection[].ruleVersion | string | Version identifier of the rule |
| detections[].detection[].alertState | string | `ALERTING` or `NOT_ALERTING` |
| detections[].detection[].ruleType | string | Type of the rule |
| detections[].createdTime | string | Time the detection was created |
| detections[].id | string | Unique identifier of the detection |
| detections[].timeWindow | object | Time window the detection covers |
| detections[].timeWindow.startTime | string | Window start time |
| detections[].timeWindow.endTime | string | Window end time |
| detections[].collectionElements | array | Event collections that matched the rule |
| detections[].collectionElements[].references | array | References to the matched events |
| detections[].collectionElements[].references[].event | object | The matched UDM event |
| detections[].collectionElements[].references[].event.metadata | object | Event metadata |
| detections[].collectionElements[].references[].event.principal | object | Principal (actor) of the event |
| detections[].collectionElements[].references[].event.target | object | Target of the event |
| detections[].collectionElements[].references[].event.securityResult | array | Security results attached to the event |
| detections[].collectionElements[].references[].event.network | object | Network details of the event |
| detections[].collectionElements[].label | string | Label of the collection element |
| detections[].detectionTime | string | Time of the detection |
| nextPageToken | string | Token for the next page; absent on the last page |

Example:

```json
[
  {
    "detections": [{}, {}],
    "nextPageToken": "cgsikdvj guq2m2ixbimciszpp4felj3oludgidkzv9lyzjiyzuyyi1hntiylwflywytnme5nc1mn2m3"
  }
]
```

### List Detections (All Versions by Rule ID)

Retrieve the detections produced by every version of a specific rule ID in Google Chronicle Detection Engine.

Endpoint URL: `v2/detect/rules/{{ruleId}}@-/detections`
Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| ruleId | string | Required | Unique identifier for a rule, defined and returned by the server. Use the format `ru_{UUID}`. |
| alert_state | string | Optional | Filter detections on whether they are `ALERTING` or `NOT_ALERTING`. |
| start_time | string | Optional | Time (RFC 3339 timestamp) to begin returning detections, filtering by the detection field specified in `list_basis`. If not specified, the start time is treated as open-ended. |
| end_time | string | Optional | Time (RFC 3339 timestamp) to stop returning detections, filtering by the detection field specified in `list_basis`. If not specified, the end time is treated as open-ended. |
| list_basis | string | Optional | Sort detections by `DETECTION_TIME` or by `CREATED_TIME`. If not specified, defaults to `DETECTION_TIME`. Detections are returned in descending order of that timestamp. |
| page_size | number | Optional | Maximum number of detections to return (range is 1 through 1,000). The default is 100. |
| page_token | string | Optional | Token received from a previous call; use it to retrieve the next page of detections. |

Output: the same detection schema as List Detections (All Versions, All Rules) above; see that action's output table.

Example:

```json
[
  {
    "detections": [{}, {}],
    "nextPageToken": "cgsikdvj guq2m2ixbimciszpp4felj3oludgidkzv9lyzjiyzuyyi1hntiylwflywytnme5nc1mn2m3"
  }
]
```

### List Detections (by Version ID)

Retrieve the detections produced by one specific version of a rule in Google Chronicle Detection Engine.

Endpoint URL: `v2/detect/rules/{{versionId}}/detections`
Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| versionId | string | Required | Unique identifier for a specific version of a rule, defined and returned by the server. Use the format `{ruleId}@v_{int64}_{int64}`. |
| alert_state | string | Optional | Filter detections on whether they are `ALERTING` or `NOT_ALERTING`. |
| start_time | string | Optional | Time (RFC 3339 timestamp) to begin returning detections, filtering by the detection field specified in `list_basis`. If not specified, the start time is treated as open-ended. |
| end_time | string | Optional | Time (RFC 3339 timestamp) to stop returning detections, filtering by the detection field specified in `list_basis`. If not specified, the end time is treated as open-ended. |
| list_basis | string | Optional | Sort detections by `DETECTION_TIME` or by `CREATED_TIME`. If not specified, defaults to `DETECTION_TIME`. Detections are returned in descending order of that timestamp. |
| page_size | number | Optional | Maximum number of detections to return (range is 1 through 1,000). The default is 100. |
| page_token | string | Optional | Token received from a previous call; use it to retrieve the next page of detections. |

Output: the same detection schema as List Detections (All Versions, All Rules) above; see that action's output table.

Example:

```json
[
  {
    "detections": [{}, {}],
    "nextPageToken": "cgsikdvj guq2m2ixbimciszpp4felj3oludgidkzv9lyzjiyzuyyi1hntiylwflywytnme5nc1mn2m3"
  }
]
```

### List Detections (Latest Version by Rule ID)

Retrieve the detections produced by the latest version of a specific rule in Google Chronicle, identified by its rule ID.

Endpoint URL: `v2/detect/rules/{{ruleId}}/detections`
Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| ruleId | string | Required | Unique identifier for a rule, defined and returned by the server. Use the format `ru_{UUID}`. |
| alert_state | string | Optional | Filter detections on whether they are `ALERTING` or `NOT_ALERTING`. |
| start_time | string | Optional | Time (RFC 3339 timestamp) to begin returning detections, filtering by the detection field specified in `list_basis`. If not specified, the start time is treated as open-ended. |
| end_time | string | Optional | Time (RFC 3339 timestamp) to stop returning detections, filtering by the detection field specified in `list_basis`. If not specified, the end time is treated as open-ended. |
| list_basis | string | Optional | Sort detections by `DETECTION_TIME` or by `CREATED_TIME`. If not specified, defaults to `DETECTION_TIME`. Detections are returned in descending order of that timestamp. |
| page_size | number | Optional | Maximum number of detections to return (range is 1 through 1,000). The default is 100. |
| page_token | string | Optional | Token received from a previous call; use it to retrieve the next page of detections. |

Output: the same detection schema as List Detections (All Versions, All Rules) above; see that action's output table.

Example:

```json
[
  {
    "detections": [{}, {}],
    "nextPageToken": "cgsikdvj guq2m2ixbimciszpp4felj3oludgidkzv9lyzjiyzuyyi1hntiylwflywytnme5nc1mn2m3"
  }
]
```

### List Rules

Retrieve the latest version of every detection rule from the Google Chronicle Detection Engine.

Endpoint URL: `/v2/detect/rules`
Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| page_size | number | Optional | Maximum number of rules to return (range is 1 through 1,000). The default is 100. |
| page_token | string | Optional | Page token received from a previous call; use it to retrieve the next page. |
| state | string | Optional | List only rules in the given state. |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| rules | array | Rules on this page |
| rules[].ruleId | string | Unique identifier of the rule (`ru_{UUID}`) |
| rules[].versionId | string | Unique identifier of the latest rule version (`{ruleId}@v_{int64}_{int64}`) |
| rules[].ruleName | string | Name of the rule |
| rules[].metadata | object | Key/value pairs from the rule's `meta` section |
| rules[].metadata.type | string | Type of the rule as declared by its author |
| rules[].metadata.data_source | string | Data source the rule targets |
| rules[].metadata.platform | string | Platform the rule applies to |
| rules[].metadata.severity | string | Severity assigned by the rule author |
| rules[].metadata.priority | string | Priority assigned by the rule author |
| rules[].metadata.author | string | Rule author |
| rules[].metadata.description | string | Rule description |
| rules[].ruleText | string | Full YARA-L text of the rule |
| rules[].versionCreateTime | string | Time this version of the rule was created |
| rules[].compilationState | string | Compilation state of the rule |
| rules[].ruleType | string | Type of the rule |
| rules[].lastAlertStatusChangeTime | string | Time the alerting status last changed |
| rules[].liveRuleEnabled | boolean | Whether the rule runs as a live rule |
| rules[].alertingEnabled | boolean | Whether detections from the rule generate alerts |
| nextPageToken | string | Token for the next page; absent on the last page |

Example:

```json
[
  {
    "rules": [],
    "nextPageToken": "string"
  }
]
```

## Notes

For more information on Chronicle:

- Chronicle main site: https://chronicle.security/products/platform
- Detection Engine API documentation: https://cloud.google.com/chronicle/docs/reference/detection-engine-api
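The four List Detections actions above differ only in the path segment that selects rules and versions (`-`, `{ruleId}`, `{ruleId}@-` or a full version ID), and all of them page through results with `page_token`/`nextPageToken`. The following added example, not code from the Swimlane connector or from Google, builds those requests from one path template, validates the `ru_{UUID}` and `{ruleId}@v_{int64}_{int64}` selector formats before they reach a URL, and walks the pages with guards against token loops. The HTTP transport is injected as a `fetch(url, params)` callable so the example runs offline; the sample response pages, `fake_fetch` and `collect_alerting_ids` are constructed for the example, and in production that callable would be the `get` of a `google.auth.transport.requests.AuthorizedSession` built from the service-account key with the `https://www.googleapis.com/auth/chronicle-backstory` scope (an assumption about the client, not something this page documents).

```python
"""Added example (not Swimlane or Google code): List Detections request
building, selector validation and nextPageToken pagination for the
Chronicle Detection Engine v2 API. Transport is injected so it runs offline.
"""
import re
from typing import Callable, Dict, List, Optional

# Regional API endpoints from this page; use the region hosting your tenant.
REGIONAL_ENDPOINTS = {
    "us": "https://backstory.googleapis.com/",
    "europe": "https://europe-backstory.googleapis.com/",
    "europe-west2": "https://europe-west2-backstory.googleapis.com/",
    "asia-southeast1": "https://asia-southeast1-backstory.googleapis.com/",
}

_UUID = r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"
RULE_ID_RE = re.compile(rf"^ru_{_UUID}$")                 # ru_{UUID}
VERSION_ID_RE = re.compile(rf"^ru_{_UUID}@v_\d+_\d+$")    # {ruleId}@v_{int64}_{int64}


def detections_path(selector: str) -> str:
    """Return the v2 path for one of the four List Detections variants.

    selector is "-" (all rules, all versions), "ru_<uuid>" (latest version
    of a rule), "ru_<uuid>@-" (all versions of a rule) or a full version id.
    Anything else is rejected before it can be interpolated into the URL.
    """
    if selector == "-":
        pass
    elif selector.endswith("@-"):
        if not RULE_ID_RE.match(selector[:-2]):
            raise ValueError(f"malformed rule id in {selector!r}")
    elif "@" in selector:
        if not VERSION_ID_RE.match(selector):
            raise ValueError(f"malformed version id {selector!r}")
    elif not RULE_ID_RE.match(selector):
        raise ValueError(f"malformed rule id {selector!r}")
    return f"v2/detect/rules/{selector}/detections"


def is_valid_selector(selector: str) -> bool:
    try:
        detections_path(selector)
        return True
    except ValueError:
        return False


def list_detections(fetch: Callable[[str, Dict[str, object]], dict],
                    base_url: str, selector: str = "-",
                    alert_state: Optional[str] = None,
                    list_basis: str = "DETECTION_TIME",
                    start_time: Optional[str] = None,
                    end_time: Optional[str] = None,
                    page_size: int = 100, max_pages: int = 1000) -> List[dict]:
    """Collect every detection for the selector, following nextPageToken."""
    if not 1 <= page_size <= 1000:
        raise ValueError("page_size must be between 1 and 1000")
    if alert_state not in (None, "ALERTING", "NOT_ALERTING"):
        raise ValueError("alert_state must be ALERTING or NOT_ALERTING")
    if list_basis not in ("DETECTION_TIME", "CREATED_TIME"):
        raise ValueError("list_basis must be DETECTION_TIME or CREATED_TIME")
    url = base_url.rstrip("/") + "/" + detections_path(selector)
    params: Dict[str, object] = {"page_size": page_size, "list_basis": list_basis}
    for key, value in (("alert_state", alert_state), ("start_time", start_time),
                       ("end_time", end_time)):
        if value is not None:
            params[key] = value
    results: List[dict] = []
    seen_tokens = set()
    for _ in range(max_pages):
        page = fetch(url, dict(params))
        results.extend(page.get("detections", []))
        token = page.get("nextPageToken")
        if not token:
            return results
        if token in seen_tokens:  # a repeated token would otherwise loop forever
            raise RuntimeError("nextPageToken repeated; aborting pagination")
        seen_tokens.add(token)
        params["page_token"] = token
    raise RuntimeError(f"more than {max_pages} pages; narrow start_time/end_time")


# Constructed sample responses standing in for the Chronicle API (not real data).
SAMPLE_PAGES = {
    None: {"detections": [{"id": "de_1"}, {"id": "de_2"}], "nextPageToken": "page-2"},
    "page-2": {"detections": [{"id": "de_3"}]},
}
CALLS: List[tuple] = []


def fake_fetch(url: str, params: Dict[str, object]) -> dict:
    """Offline stand-in for an authorised GET; records what would be requested."""
    CALLS.append((url, params))
    return SAMPLE_PAGES[params.get("page_token")]


def collect_alerting_ids(selector: str = "-") -> List[str]:
    dets = list_detections(fake_fetch, REGIONAL_ENDPOINTS["us"], selector,
                           alert_state="ALERTING", list_basis="CREATED_TIME",
                           start_time="2024-01-01T00:00:00Z")
    return [d["id"] for d in dets]


if __name__ == "__main__":
    print(collect_alerting_ids())  # ['de_1', 'de_2', 'de_3'] across two pages
```

Two details carry over to playbooks built on the connector: always pass `nextPageToken` back as `page_token` until it is absent, or detections beyond the first `page_size` are silently missed; and bound the time window with `start_time`/`end_time` on `CREATED_TIME` when polling, so a scheduled job fetches only detections created since its last run instead of re-reading the whole history.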