# Google Chronicle Search
This connector integrates the Google Chronicle Search API with Swimlane Turbine.

## Prerequisites

In order to authenticate you will need to complete the following:

1. Use your administrator GSuite account to create an application. To do this, from **Apps**, select **SAML apps** and then click **Set up my own custom app**.
2. Next, provide the SSO IdP configuration URL and entity ID. Insert `https://lanternalauth.com` for both.
3. Download your SSO IdP configuration in the form of an XML metadata file and provide it to your Customer Experience Engineer (CEE).
4. Your CEE will provide you with a Google developer service account credential (`bk_credentials.json`) to enable the Google API client to communicate with the API.

## Capabilities

This connector provides the following capabilities:

- List Alerts
- List IOCs
- List IOC Details
- UDM Search

## Asset Setup

The CEE-provided credential JSON needs to be passed in the asset input **Service Account Info** as a base64-encoded string. Failure to do so will result in the `Incorrect padding` error.

### Regional Endpoints

Chronicle provides regional endpoints for each API.

| Region | Endpoint |
| --- | --- |
| European Multi-Region | https://europe-backstory.googleapis.com/ |
| Tel Aviv | https://me-west1-backstory.googleapis.com/ |
| London | https://europe-west2-backstory.googleapis.com/ |
| Singapore | https://asia-southeast1-backstory.googleapis.com/ |
| Sydney | https://australia-southeast1-backstory.googleapis.com/ |
| United States Multi-Region | https://backstory.googleapis.com/ |

## Action Setup

For the List IOC Details action, either the Domain Name or the Destination IP Address parameter must be specified. Both parameters must not be used at the same time.

## Configurations

### Asset: OAuth2.0 Authentication for Google Chronicle

#### Configuration Parameters

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| B64 Service Info | Base64-encoded `bk_credentials.json` authentication file contents | string | required |
| URL | Server API address | string | required |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

## Actions

### List Alerts

Returns information about both asset-based and user-based alerts with event timestamps within the specified time range.

- Endpoint URL: `v1/alert/listalerts`
- Method: GET

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| start_time | string | required | RFC 3339 formatted date and time string which is the earliest event timestamp of alerts returned |
| end_time | string | required | RFC 3339 formatted date and time string which is the latest event timestamp of the alerts returned |
| page_size | number | optional | Specify the maximum number of alerts to return. You can specify between 1 and 100,000. The default is 10,000. |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| alerts | array | Output field alerts |
| asset | object | Output field asset |
| hostname | string | Name of the resource |
| alertInfos | array | Output field alertInfos |
| name | string | Name of the resource |
| sourceProduct | string | Output field sourceProduct |
| severity | string | Output field severity |
| timestamp | string | Output field timestamp |
| rawLog | string | Output field rawLog |
| uri | array | Output field uri |
| udmEvent | object | Output field udmEvent |
| metadata | object | Response data |
| eventTimestamp | string | Output field eventTimestamp |
| eventType | string | Type of the resource |
| vendorName | string | Name of the resource |
| productName | string | Name of the resource |
| productEventType | string | Type of the resource |
| description | string | Output field description |
| urlBackToProduct | string | URL endpoint for the request |
| ingestedTimestamp | string | Output field ingestedTimestamp |
| principal | object | Output field principal |
| hostname | string | Name of the resource |
| target | object | Output field target |
| file | object | Output field file |
| securityResult | array | Result of the operation |

#### Example

```json
[
  {
    "alerts": [{}],
    "userAlerts": [{}]
  }
]
```

### List IOC Details

Returns the threat intelligence associated with an artifact. The threat intelligence information is obtained from your enterprise security systems and from IoC partners of Google. You can only specify a single artifact.

- Endpoint URL: `v1/artifact/listiocdetails`
- Method: GET

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| artifact.domain_name | string | optional | Domain name |
| artifact.destination_ip_address | string | optional | Destination IP address |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| sources | array | Output field sources |
| sourceName | string | Name of the resource |
| sourceUrl | string | URL endpoint for the request |
| confidenceScore | object | Unique identifier |
| strRawConfidenceScore | string | Unique identifier |
| rawSeverity | string | Output field rawSeverity |
| category | string | Output field category |
| addresses | array | Output field addresses |
| port | array | Output field port |
| domain | string | Output field domain |
| firstActiveTime | string | Time value |
| lastActiveTime | string | Time value |
| uri | array | Output field uri |

#### Example

```json
[
  {
    "sources": [{}],
    "uri": [
      "https://sample.backstory.chronicle.security/domainResults?domain=altostrat.com&selectedList=DomainViewDistinctAssets&whoisTimestamp=2020-01-09T01%3A29%3A59.526Z"
    ]
  }
]
```

### List IOCs

Lists all the IoCs discovered within your enterprise within the specified time range.

- Endpoint URL: `v1/ioc/listiocs`
- Method: GET

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| start_time | string | required | Start time for your request |
| page_size | number | optional | Specify the maximum number of IoCs to return. You can specify between 1 and 10,000. The default is 10,000. |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| done | boolean | Output field done |
| response | object | Output field response |
| @type | string | Type of the resource |
| matches | array | Output field matches |
| artifact | object | Output field artifact |
| domainName | string | Name of the resource |
| firstSeenTime | string | Time value |
| iocIngestTime | string | Time value |
| lastSeenTime | string | Time value |
| sources | array | Output field sources |
| category | string | Output field category |
| confidenceScore | object | Unique identifier |
| intRawConfidenceScore | number | Unique identifier |
| normalizedConfidenceScore | string | Unique identifier |
| rawSeverity | string | Output field rawSeverity |
| source | string | Output field source |
| uri | array | Output field uri |
| moreDataAvailable | boolean | Response data |

#### Example

```json
[
  {
    "done": true,
    "response": {
      "@type": "type.googleapis.com/chronicle.backstory.v1.ListIocsResponse",
      "matches": [],
      "moreDataAvailable": true
    }
  }
]
```

### UDM Search

This method enables customers to programmatically complete a UDM search query and retrieve matches.

- Endpoint URL: `v1/events:udmSearch`
- Method: GET

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| query | string | required | Parameter for UDM Search |
| time_range.start_time | string | optional | Time value |
| time_range.end_time | string | optional | Time value |
| limit | number | optional | Parameter for UDM Search |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| events | array | Output field events |
| name | string | Name of the resource |
| udm | object | Output field udm |
| metadata | object | Response data |
| eventTimestamp | string | Output field eventTimestamp |
| eventType | string | Type of the resource |
| ingestedTimestamp | string | Output field ingestedTimestamp |
| id | string | Unique identifier |
| principal | object | Output field principal |
| ip | array | Output field ip |
| target | object | Output field target |
| ip | array | Output field ip |
| port | number | Output field port |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 23 Aug 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "events": []
    }
  }
]
```

#### Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Length | The length of the response body in bytes | 140 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Wed, 23 Aug 2023 20:37:23 GMT |

## Notes

For more information on Chronicle:

- Chronicle main site: https://chronicle.security/products/platform
- Search API documentation: https://cloud.google.com/chronicle/docs/reference/search-api
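As an added example that is not part of the Swimlane connector or of Google's client libraries, the Python script below covers two passages of this page: the asset setup (producing the base64 string for the B64 Service Info input, and the decode failure behind the `Incorrect padding` error when raw JSON is pasted instead), and the request building for the four actions, enforcing the RFC 3339 timestamp format, the page-size bounds (1 to 100,000 for List Alerts, 1 to 10,000 for List IOCs) and the either-or rule for List IOC Details. The `REGIONAL_ENDPOINTS` map reproduces the endpoint table; `SAMPLE_CREDENTIALS` is a constructed placeholder, not a real key; the function names are the example's own; and the dotted parameter names `artifact.domain_name`, `artifact.destination_ip_address`, `time_range.start_time` and `time_range.end_time` are assumed from the input tables above. The script makes no network calls: each builder returns the method and the URL the connector would send.

```python
"""Added example, not the connector's code: asset input handling and validated
request building for the Chronicle Search API actions documented on this page."""
import base64
import binascii
import json
import re
from urllib.parse import urlencode

# Regional endpoints from the page; the asset "URL" parameter takes one of these.
REGIONAL_ENDPOINTS = {
    "europe": "https://europe-backstory.googleapis.com/",
    "tel-aviv": "https://me-west1-backstory.googleapis.com/",
    "london": "https://europe-west2-backstory.googleapis.com/",
    "singapore": "https://asia-southeast1-backstory.googleapis.com/",
    "sydney": "https://australia-southeast1-backstory.googleapis.com/",
    "us": "https://backstory.googleapis.com/",
}

# Constructed stand-in for the bk_credentials.json your CEE provides; not a real key.
SAMPLE_CREDENTIALS = {
    "type": "service_account",
    "project_id": "example-project",
    "client_email": "chronicle-api@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
}

RFC3339 = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$", re.I)


def encode_service_info(credentials: dict) -> str:
    """Produce the base64 string that goes into the asset's B64 Service Info input."""
    return base64.b64encode(json.dumps(credentials).encode("utf-8")).decode("ascii")


def decode_service_info(b64_service_info: str) -> dict:
    """Reverse of encode_service_info. Pasting the raw JSON file contents instead of
    the base64 form is what triggers the 'Incorrect padding' error the page mentions."""
    try:
        raw = base64.b64decode(b64_service_info)
    except binascii.Error as exc:  # e.g. "Incorrect padding"
        raise ValueError(f"B64 Service Info is not valid base64: {exc}") from exc
    try:
        info = json.loads(raw)
    except ValueError as exc:
        raise ValueError("B64 Service Info did not decode to JSON") from exc
    if info.get("type") != "service_account":
        raise ValueError("decoded JSON is not a Google service account credential")
    return info


def _require_rfc3339(name: str, value: str) -> None:
    if not RFC3339.match(value):
        raise ValueError(f"{name} must be an RFC 3339 timestamp, got {value!r}")


def _require_page_size(page_size, maximum: int) -> None:
    if page_size is not None and not 1 <= page_size <= maximum:
        raise ValueError(f"page_size must be between 1 and {maximum}")


def _get(base_url: str, path: str, params: dict) -> tuple:
    """Return (method, url) for a GET request; parameters set to None are omitted."""
    query = {k: v for k, v in params.items() if v is not None}
    return "GET", f"{base_url.rstrip('/')}/{path}?{urlencode(query)}"


def list_alerts_request(base_url, start_time, end_time, page_size=None):
    _require_rfc3339("start_time", start_time)
    _require_rfc3339("end_time", end_time)
    _require_page_size(page_size, 100_000)  # page limit stated for List Alerts
    return _get(base_url, "v1/alert/listalerts",
                {"start_time": start_time, "end_time": end_time, "page_size": page_size})


def list_ioc_details_request(base_url, domain_name=None, destination_ip_address=None):
    # Exactly one artifact: a domain name or a destination IP address, never both.
    if (domain_name is None) == (destination_ip_address is None):
        raise ValueError("specify exactly one of domain_name or destination_ip_address")
    return _get(base_url, "v1/artifact/listiocdetails",
                {"artifact.domain_name": domain_name,
                 "artifact.destination_ip_address": destination_ip_address})


def list_iocs_request(base_url, start_time, page_size=None):
    _require_rfc3339("start_time", start_time)
    _require_page_size(page_size, 10_000)  # page limit stated for List IOCs
    return _get(base_url, "v1/ioc/listiocs", {"start_time": start_time, "page_size": page_size})


def udm_search_request(base_url, query, start_time=None, end_time=None, limit=None):
    for name, value in (("time_range.start_time", start_time), ("time_range.end_time", end_time)):
        if value is not None:
            _require_rfc3339(name, value)
    return _get(base_url, "v1/events:udmSearch",
                {"query": query, "time_range.start_time": start_time,
                 "time_range.end_time": end_time, "limit": limit})


if __name__ == "__main__":
    token = encode_service_info(SAMPLE_CREDENTIALS)
    print(decode_service_info(token)["client_email"])
    print(list_ioc_details_request(REGIONAL_ENDPOINTS["london"], domain_name="altostrat.com")[1])
```

Run it as-is to see the round trip on the placeholder credential and the List IOC Details URL for the London endpoint. The validation is done before any request is formed so that a mis-pasted credential or a request that violates the either-or rule fails locally with a clear message rather than as an opaque error from the API.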