# Google Chronicle Search
Google Chronicle is a cloud-native security analytics platform that helps organizations detect, investigate, and respond to threats at scale. The Google Chronicle Search connector lets Swimlane Turbine users integrate with Google Chronicle to retrieve alerts, threat intelligence, and indicators of compromise (IOCs), so that threat detection and response workflows can be automated within the Swimlane platform.

## Prerequisites

Before you can use the Google Chronicle Search connector for Turbine, you need access to the Google Chronicle API. This requires OAuth 2.0 authentication with the following parameters:

- **Service Account Info**: JSON key file for service account authentication
- **URL**: the endpoint URL for accessing Google Chronicle services
- **Scopes**: permissions required for accessing specific Google Chronicle resources

## Capabilities

This connector provides the following capabilities:

- List Alerts
- List IOCs
- List IOC Details
- UDM Search

## Asset Setup

The CEE-provided credential JSON must be passed in the asset input **Service Account Info** as a base64-encoded string. Passing the raw JSON instead results in an `Incorrect padding` error when the connector decodes the value.

### Regional Endpoints

Chronicle provides regional endpoints for each API:

| Region | Endpoint |
| --- | --- |
| European multi-region | https://europe-backstory.googleapis.com/ |
| Tel Aviv | https://me-west1-backstory.googleapis.com/ |
| London | https://europe-west2-backstory.googleapis.com/ |
| Singapore | https://asia-southeast1-backstory.googleapis.com/ |
| Sydney | https://australia-southeast1-backstory.googleapis.com/ |
| United States multi-region | https://backstory.googleapis.com/ |

## Action Setup

For the **List IOC Details** action, exactly one of the Domain Name (`artifact.domain_name`) and Destination IP Address (`artifact.destination_ip_address`) parameters must be specified; the two parameters must not be used at the same time.
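To check the Service Account Info value before it reaches the asset, here is an added Python example (not connector code from Swimlane or Google, standard library only). It base64-encodes a key file the way the asset expects, and diagnoses the common mistakes: raw JSON pasted unencoded (which the connector surfaces as the `Incorrect padding` error mentioned above), input that is not base64 at all, and a key file missing the fields service-account authentication needs. The sample key file and all of its values are constructed placeholders, and the required-key list is this example's assumption about what the OAuth 2.0 service-account flow needs.

```python
"""Prepare and validate the base64-encoded Service Account Info asset value.

Added example, not part of the connector; it uses only the standard library.
"""
import base64
import binascii
import json

# Keys a Google service-account key file must carry for OAuth 2.0 service
# account authentication (assumption of this example, not from the page).
REQUIRED_KEYS = ("type", "client_email", "private_key", "token_uri")

# Constructed stand-in for a downloaded key file; the private key is a
# placeholder string, not real key material.
SAMPLE_KEY_FILE = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "chronicle-reader@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "token_uri": "https://oauth2.googleapis.com/token",
})


def encode_service_account_json(raw_json: str) -> str:
    """Return the base64 string to paste into the asset's Service Account Info field."""
    json.loads(raw_json)  # fail early on a truncated or hand-edited key file
    return base64.b64encode(raw_json.encode("utf-8")).decode("ascii")


def validate_b64_service_info(value: str) -> str:
    """Return "" if value is a usable base64-encoded key file, else a diagnosis."""
    stripped = value.strip()
    if stripped.startswith("{"):
        # The most common mistake: the JSON file pasted without encoding.
        return ("raw JSON supplied; base64-encode the key file first "
                "(the connector reports this as 'Incorrect padding')")
    try:
        # validate=True rejects stray characters instead of silently dropping them.
        decoded = base64.b64decode(stripped, validate=True)
    except binascii.Error as exc:
        return f"not valid base64: {exc}"
    try:
        info = json.loads(decoded.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return "base64 decodes, but the payload is not a JSON document"
    if not isinstance(info, dict):
        return "decoded JSON is not an object"
    missing = [key for key in REQUIRED_KEYS if key not in info]
    if missing:
        return "key file is missing required fields: " + ", ".join(missing)
    if info["type"] != "service_account":
        return f"expected type 'service_account', got {info['type']!r}"
    return ""


def load_service_account_info(value: str) -> dict:
    """Decode the asset value into the dict a service-account credential loader consumes."""
    problem = validate_b64_service_info(value)
    if problem:
        raise ValueError(problem)
    return json.loads(base64.b64decode(value.strip(), validate=True))


if __name__ == "__main__":
    encoded = encode_service_account_json(SAMPLE_KEY_FILE)
    print(load_service_account_info(encoded)["client_email"])
    print(validate_b64_service_info(SAMPLE_KEY_FILE))  # diagnoses the raw-JSON mistake
```

Run `validate_b64_service_info` on the value you are about to store in the asset; an empty string means the connector will be able to decode it, anything else is the reason it will fail.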
## Notes

For more information on Chronicle:

- https://chronicle.security/products/platform
- https://cloud.google.com/chronicle/docs/reference/search-api

Additional documentation:

- https://docs.swimlane.com/connectors/google-chronicle-search
- https://chronicle.security/products/platform

## Configurations

### OAuth 2.0 Authentication for Google Chronicle

Asset configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| b64_service_info | Base64-encoded BK credentials JSON authentication file contents | string | required |
| url | Server API address | string | required |
| scopes | Scope to be used for authentication | array | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### List Alerts

Retrieve asset-based and user-based alerts from Google Chronicle Search within a specified time range. Requires the `start_time` and `end_time` parameters.

- **Endpoint URL**: `v1/alert/listalerts`
- **Method**: GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.start_time | string | required | RFC 3339 formatted date and time string; the earliest event timestamp of the alerts returned |
| parameters.end_time | string | required | RFC 3339 formatted date and time string; the latest event timestamp of the alerts returned |
| parameters.page_size | number | optional | Maximum number of alerts to return, between 1 and 100,000. The default is 10,000 |

Input example:

```json
{"parameters": {"start_time": "string", "end_time": "string", "page_size": 123}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| alerts | array | Output field alerts |
| alerts.asset | object | Output field alerts.asset |
| alerts.asset.hostname | string | Name of the resource |
| alerts.alertInfos | array | Output field alerts.alertInfos |
| alerts.alertInfos.name | string | Name of the resource |
| alerts.alertInfos.sourceProduct | string | Output field alerts.alertInfos.sourceProduct |
| alerts.alertInfos.severity | string | Output field alerts.alertInfos.severity |
| alerts.alertInfos.timestamp | string | Output field alerts.alertInfos.timestamp |
| alerts.alertInfos.rawLog | string | Output field alerts.alertInfos.rawLog |
| alerts.alertInfos.uri | array | Output field alerts.alertInfos.uri |
| alerts.alertInfos.udmEvent | object | Output field alerts.alertInfos.udmEvent |
| alerts.alertInfos.udmEvent.metadata | object | Response data |
| alerts.alertInfos.udmEvent.metadata.eventTimestamp | string | Response data |
| alerts.alertInfos.udmEvent.metadata.eventType | string | Response data |
| alerts.alertInfos.udmEvent.metadata.vendorName | string | Response data |
| alerts.alertInfos.udmEvent.metadata.productName | string | Response data |
| alerts.alertInfos.udmEvent.metadata.productEventType | string | Response data |
| alerts.alertInfos.udmEvent.metadata.description | string | Response data |
| alerts.alertInfos.udmEvent.metadata.urlBackToProduct | string | Response data |
| alerts.alertInfos.udmEvent.metadata.ingestedTimestamp | string | Response data |
| alerts.alertInfos.udmEvent.principal | object | Output field alerts.alertInfos.udmEvent.principal |
| alerts.alertInfos.udmEvent.principal.hostname | string | Name of the resource |
| alerts.alertInfos.udmEvent.target | object | Output field alerts.alertInfos.udmEvent.target |
| alerts.alertInfos.udmEvent.target.file | object | Output field alerts.alertInfos.udmEvent.target.file |
| alerts.alertInfos.udmEvent.securityResult | array | Result of the operation |

Output example:

```json
{"alerts": [{"asset": {}, "alertInfos": []}], "userAlerts": [{"user": {}, "alertInfos": []}]}
```

### List IOC Details

Retrieve threat intelligence for a specified artifact from enterprise security systems and Google IOC partners.

- **Endpoint URL**: `v1/artifact/listiocdetails`
- **Method**: GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.artifact.domain_name | string | optional | Domain name |
| parameters.artifact.destination_ip_address | string | optional | Destination IP address |

Only one of the two parameters may be populated in a request (see Action Setup); the generated example below lists both solely to show their names.

Input example:

```json
{"parameters": {"artifact.domain_name": "example_name", "artifact.destination_ip_address": "string"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| sources | array | Output field sources |
| sources.sourceName | string | Name of the resource |
| sources.sourceUrl | string | URL endpoint for the request |
| sources.confidenceScore | object | Confidence score reported by the source |
| sources.confidenceScore.strRawConfidenceScore | string | Raw confidence score as a string |
| sources.rawSeverity | string | Output field sources.rawSeverity |
| sources.category | string | Output field sources.category |
| sources.addresses | array | Output field sources.addresses |
| sources.addresses.port | array | Output field sources.addresses.port |
| sources.addresses.domain | string | Output field sources.addresses.domain |
| sources.firstActiveTime | string | Time value |
| sources.lastActiveTime | string | Time value |
| uri | array | Output field uri |

Output example:

```json
{"sources": [{"sourceName": "ET Intelligence Rep List", "sourceUrl": "http://tools.emergingthreats.net/docs/ET%20Intelligence%20Rep%20List%20Tech%20De", "confidenceScore": {}, "rawSeverity": "Medium", "category": "Bitcoin Mining and related", "addresses": [], "firstActiveTime": "2020-07-19T00:00:00Z", "lastActiveTime": "2022-04-20T00:00:00Z"}], "uri": ["https://sample.backstory.chronicle.security/domainResults?domain=altostrat.com&s"]}
```

### List IOCs

Retrieve a list of indicators of compromise (IOCs) found across your enterprise for a specified time range. Requires the `start_time` parameter.

- **Endpoint URL**: `v1/ioc/listiocs`
- **Method**: GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.start_time | string | required | Start time for your request |
| parameters.page_size | number | optional | Maximum number of IOCs to return, between 1 and 10,000. The default is 10,000 |

Input example:

```json
{"parameters": {"start_time": "string", "page_size": 123}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| done | boolean | Output field done |
| response | object | Output field response |
| response.@type | string | Type of the resource |
| response.matches | array | Output field response.matches |
| response.matches.artifact | object | Output field response.matches.artifact |
| response.matches.artifact.domainName | string | Name of the resource |
| response.matches.firstSeenTime | string | Time value |
| response.matches.iocIngestTime | string | Time value |
| response.matches.lastSeenTime | string | Time value |
| response.matches.sources | array | Output field response.matches.sources |
| response.matches.sources.category | string | Output field response.matches.sources.category |
| response.matches.sources.confidenceScore | object | Confidence score reported by the source |
| response.matches.sources.confidenceScore.intRawConfidenceScore | number | Raw confidence score as an integer |
| response.matches.sources.confidenceScore.normalizedConfidenceScore | string | Normalized confidence score |
| response.matches.sources.rawSeverity | string | Output field response.matches.sources.rawSeverity |
| response.matches.sources.source | string | Output field response.matches.sources.source |
| response.matches.uri | array | Output field response.matches.uri |
| response.moreDataAvailable | boolean | Response data |

Output example:

```json
{"done": true, "response": {"@type": "type.googleapis.com/chronicle.backstory.v1.ListIocsResponse", "matches": [{}], "moreDataAvailable": true}}
```

### UDM Search

Execute a UDM search query in Google Chronicle and retrieve the events matching the provided `query` parameter.

- **Endpoint URL**: `v1/events:udmSearch`
- **Method**: GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.query | string | required | UDM search query, URL-encoded as in the example below |
| parameters.time_range.start_time | string | optional | RFC 3339 start of the time range to search |
| parameters.time_range.end_time | string | optional | RFC 3339 end of the time range to search |
| parameters.limit | number | optional | Maximum number of events to return |

Input example (the `query` value decodes to `metadata.event_type = "NETWORK_CONNECTION" and principal.hostname="jdx"`):

```json
{"parameters": {"query": "metadata.event_type+%3D+%22NETWORK_CONNECTION%22+and+principal.hostname%3D%22jdx%22", "time_range.start_time": "2022-10-01T20:51:11.907461Z", "time_range.end_time": "2022-12-01T20:51:11.907461Z", "limit": 100}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| events | array | Output field events |
| events.name | string | Name of the resource |
| events.udm | object | Output field events.udm |
| events.udm.metadata | object | Response data |
| events.udm.metadata.eventTimestamp | string | Response data |
| events.udm.metadata.eventType | string | Response data |
| events.udm.metadata.ingestedTimestamp | string | Response data |
| events.udm.metadata.id | string | Response data |
| events.udm.principal | object | Output field events.udm.principal |
| events.udm.principal.ip | array | Output field events.udm.principal.ip |
| events.udm.target | object | Output field events.udm.target |
| events.udm.target.ip | array | Output field events.udm.target.ip |
| events.udm.target.port | number | Output field events.udm.target.port |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 23 Aug 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {"events": [{}, {}]}}
```

#### Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Length | The length of the response body in bytes | 140 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Wed, 23 Aug 2023 20:37:23 GMT |
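The four actions above share a small set of parameter rules: `start_time` and `end_time` values must be RFC 3339 timestamps, `page_size` is capped at 100,000 for List Alerts and 10,000 for List IOCs, List IOC Details takes exactly one of its two artifact selectors, and the UDM Search `query` is URL-encoded as in its input example. The following added Python example (not Swimlane's connector code, standard library only) encodes those rules, builds the GET URL against one of the regional endpoints, and shows how the plain UDM query `metadata.event_type = "NETWORK_CONNECTION" and principal.hostname="jdx"` becomes the encoded string in the input example. The action-name keys, the `limit >= 1` check, and the sample parameter values are assumptions of this example rather than documented connector behaviour.

```python
"""Build Chronicle Search API request URLs with the parameter rules from the
action documentation. Added example, not connector code; standard library only.
"""
from datetime import datetime
from urllib.parse import quote_plus, urlencode

# Regional endpoints from the Asset Setup section.
REGIONAL_ENDPOINTS = {
    "europe": "https://europe-backstory.googleapis.com/",
    "me-west1": "https://me-west1-backstory.googleapis.com/",
    "europe-west2": "https://europe-west2-backstory.googleapis.com/",
    "asia-southeast1": "https://asia-southeast1-backstory.googleapis.com/",
    "australia-southeast1": "https://australia-southeast1-backstory.googleapis.com/",
    "us": "https://backstory.googleapis.com/",
}

# action key (this example's naming) -> (documented path, required params,
# optional params, documented page_size ceiling or None if the action has none)
ACTIONS = {
    "list_alerts": ("v1/alert/listalerts",
                    {"start_time", "end_time"}, {"page_size"}, 100_000),
    "list_ioc_details": ("v1/artifact/listiocdetails",
                         set(), {"artifact.domain_name", "artifact.destination_ip_address"}, None),
    "list_iocs": ("v1/ioc/listiocs",
                  {"start_time"}, {"page_size"}, 10_000),
    "udm_search": ("v1/events:udmSearch",
                   {"query"}, {"time_range.start_time", "time_range.end_time", "limit"}, None),
}
TIME_PARAMS = {"start_time", "end_time", "time_range.start_time", "time_range.end_time"}


def is_rfc3339(value) -> bool:
    """Accept only timestamps with an explicit offset, e.g. 2022-10-01T20:51:11.907461Z."""
    if not isinstance(value, str):
        return False
    try:
        # fromisoformat on older Pythons rejects a trailing Z, so normalise it.
        parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return False
    return parsed.tzinfo is not None


def request_error(action: str, params: dict) -> str:
    """Return "" if params satisfy the documented rules for action, else the reason."""
    if action not in ACTIONS:
        return f"unknown action {action!r}"
    _, required, optional, page_size_max = ACTIONS[action]
    unknown = sorted(set(params) - required - optional)
    if unknown:
        return "unsupported parameters: " + ", ".join(unknown)
    missing = sorted(required - set(params))
    if missing:
        return "missing required parameters: " + ", ".join(missing)
    for name in sorted(TIME_PARAMS & set(params)):
        if not is_rfc3339(params[name]):
            return f"{name} must be an RFC 3339 timestamp"
    if action == "list_ioc_details" and len(params) != 1:
        # Action Setup: exactly one selector, never both, never neither.
        return ("specify exactly one of artifact.domain_name or "
                "artifact.destination_ip_address")
    size = params.get("page_size")
    if size is not None and not (isinstance(size, int) and 1 <= size <= page_size_max):
        return f"page_size must be an integer between 1 and {page_size_max:,}"
    limit = params.get("limit")
    if limit is not None and not (isinstance(limit, int) and limit >= 1):
        return "limit must be a positive integer"  # sanity check assumed by this example
    return ""


def build_request(base_url: str, action: str, params: dict) -> str:
    """Return the full GET URL; form-encoding turns spaces into '+', '=' into %3D
    and '"' into %22, which is the query shape shown in the UDM Search input example."""
    problem = request_error(action, params)
    if problem:
        raise ValueError(problem)
    path = ACTIONS[action][0]
    return f"{base_url.rstrip('/')}/{path}?{urlencode(params, quote_via=quote_plus)}"


if __name__ == "__main__":
    print(build_request(REGIONAL_ENDPOINTS["us"], "udm_search", {
        "query": 'metadata.event_type = "NETWORK_CONNECTION" and principal.hostname="jdx"',
        "time_range.start_time": "2022-10-01T20:51:11.907461Z",
        "time_range.end_time": "2022-12-01T20:51:11.907461Z",
        "limit": 100,
    }))
```

`request_error` returns the same message `build_request` would raise, so a playbook can validate inputs up front and surface a precise reason instead of an HTTP 400 from the API.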