# Google Chronicle Search
The Google Chronicle Search connector allows users to perform advanced security data searches and analysis, integrating threat intelligence and alert management directly into the Swimlane ecosystem.

Google Chronicle Search is a threat detection and investigation platform that enables security teams to rapidly identify and analyze security threats. This connector allows Swimlane Turbine users to integrate with Google Chronicle Search, providing the ability to retrieve alerts, investigate indicators of compromise (IOCs), and execute advanced UDM search queries directly within the Swimlane platform. By leveraging this integration, users can enrich alert context, streamline threat intelligence, and accelerate incident response without the need for complex coding.

## Prerequisites

To effectively utilize the Google Chronicle Search connector within Swimlane Turbine, ensure you have the following prerequisites:

- OAuth2.0 Authentication for Google Chronicle with the following parameters:
  - Service Account Info: a JSON file containing your service account credentials
  - URL: the endpoint URL for the Google Chronicle API
  - Scopes: the specific access scopes required for the API functions you intend to use

## Capabilities

This connector provides the following capabilities:

- List Alerts
- List IOCs
- List IOC Details
- UDM Search

## Asset Setup

The CEE-provided credential JSON needs to be passed in the asset input Service Account Info (`b64_service_info`) as a base64-encoded string. Failure to do so will result in the `Incorrect padding` error.

### Regional endpoints

Chronicle provides regional endpoints for each API:

| Region | Endpoint |
| --- | --- |
| European multi-region | https://europe-backstory.googleapis.com/ |
| Tel Aviv | https://me-west1-backstory.googleapis.com/ |
| London | https://europe-west2-backstory.googleapis.com/ |
| Singapore | https://asia-southeast1-backstory.googleapis.com/ |
| Sydney | https://australia-southeast1-backstory.googleapis.com/ |
| United States multi-region | https://backstory.googleapis.com/ |
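The asset-setup note above is easy to get wrong: pasting the downloaded credential file itself instead of its base64 encoding produces a decode failure (usually `Incorrect padding`, because base64 decoders discard the JSON punctuation and are then left with a character count that is not a multiple of four). The following is an added example, not code from the Swimlane connector or from Google's client library; it shows how to produce the correct asset value from a service-account document and how to check an asset value before using it. The sample service-account JSON is constructed here with placeholder values, and the required-key list is an assumption based on the standard Google Cloud service-account file layout.

```python
import base64
import json

# Constructed sample service-account document (placeholder values, not real credentials).
# A real file downloaded from Google Cloud carries the same top-level keys.
SAMPLE_SERVICE_ACCOUNT = {
    "type": "service_account",
    "project_id": "example-project",
    "client_email": "chronicle-reader@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
}

# What an operator would paste by mistake: the raw JSON text, not its base64 form.
RAW_JSON_MISTAKE = json.dumps(SAMPLE_SERVICE_ACCOUNT)

# Keys every Google service-account file carries (assumption, not from the connector docs).
REQUIRED_KEYS = ("type", "project_id", "client_email", "private_key")


def encode_service_account(service_account: dict) -> str:
    """Build the value for the Service Account Info asset field:
    the JSON document, UTF-8 encoded, then standard padded base64."""
    raw = json.dumps(service_account).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_service_account(b64_service_info: str) -> dict:
    """Reverse of encode_service_account, with the checks a connector should run
    before using the credentials. Raises ValueError naming the actual problem."""
    try:
        # Non-strict decoding mirrors what a typical client library does: a raw JSON
        # document is stripped of non-alphabet characters and then usually fails
        # with "Incorrect padding" (binascii.Error is a ValueError subclass).
        raw = base64.b64decode(b64_service_info)
    except ValueError as exc:
        raise ValueError(f"service account info is not valid base64 ({exc}); "
                         "base64-encode the JSON file before passing it") from exc
    try:
        service_account = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError(f"decoded service account info is not a JSON document ({exc})") from exc
    if not isinstance(service_account, dict):
        raise ValueError("service account info must be a JSON object")
    missing = [key for key in REQUIRED_KEYS if key not in service_account]
    if missing:
        raise ValueError(f"service account JSON is missing keys: {', '.join(missing)}")
    if service_account["type"] != "service_account":
        raise ValueError(f"unexpected credential type {service_account['type']!r}")
    return service_account


def probe_asset_input(value: str) -> dict:
    """Dry-run check for an asset value. Returns {'ok': True, 'client_email': ...}
    or {'ok': False, 'error': <message>} instead of raising, so the result can be
    surfaced to the operator who configured the asset."""
    try:
        service_account = decode_service_account(value)
    except ValueError as exc:
        return {"ok": False, "error": str(exc)}
    return {"ok": True, "client_email": service_account["client_email"]}


if __name__ == "__main__":
    encoded = encode_service_account(SAMPLE_SERVICE_ACCOUNT)
    print("correct asset value :", probe_asset_input(encoded))
    print("raw JSON by mistake :", probe_asset_input(RAW_JSON_MISTAKE))
```

The probe deliberately reports every failure mode, not only the padding error: if the stripped character count happens to be a multiple of four, the decoder returns garbage bytes and the failure surfaces as a UTF-8 or JSON error instead, which is why checking the decoded document's shape matters as much as checking the base64 itself.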
## Action Setup

For the List IOC Details action, either the Domain Name or the Destination IP Address parameter must be specified; both parameters must not be used at the same time.

## Notes

For more information on Chronicle:

- https://chronicle.security/products/platform
- https://cloud.google.com/chronicle/docs/reference/search-api

## Configurations

### OAuth2.0 Authentication for Google Chronicle

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| b64_service_info | Base64-encoded BK credentials JSON authentication file contents | string | Required |
| url | Server API address | string | Required |
| scopes | Scope to be used for authentication | array | Required |
| verify_ssl | Verify SSL certificate | boolean | Optional |
| http_proxy | A proxy to route requests through | string | Optional |

## Actions

### List Alerts

Retrieves asset-based and user-based alerts from Google Chronicle Search within a specified time range, requiring `start_time` and `end_time` parameters.

Endpoint URL: `v1/alert/listalerts`

Method: `GET`

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.start_time | string | Required | RFC 3339 formatted date and time string which is the earliest event timestamp of alerts returned |
| parameters.end_time | string | Required | RFC 3339 formatted date and time string which is the latest event timestamp of the alerts returned |
| parameters.page_size | number | Optional | Specify the maximum number of alerts to return. You can specify between 1 and 100,000. The default is 10,000. |

Input example:

```json
{"parameters": {"start_time": "string", "end_time": "string", "page_size": 123}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| alerts | array | Output field alerts |
| alerts.asset | object | Output field alerts.asset |
| alerts.asset.hostname | string | Name of the resource |
| alerts.alertInfos | array | Output field alerts.alertInfos |
| alerts.alertInfos.name | string | Name of the resource |
| alerts.alertInfos.sourceProduct | string | Output field alerts.alertInfos.sourceProduct |
| alerts.alertInfos.severity | string | Output field alerts.alertInfos.severity |
| alerts.alertInfos.timestamp | string | Output field alerts.alertInfos.timestamp |
| alerts.alertInfos.rawLog | string | Output field alerts.alertInfos.rawLog |
| alerts.alertInfos.uri | array | Output field alerts.alertInfos.uri |
| alerts.alertInfos.udmEvent | object | Output field alerts.alertInfos.udmEvent |
| alerts.alertInfos.udmEvent.metadata | object | Response data |
| alerts.alertInfos.udmEvent.metadata.eventTimestamp | string | Response data |
| alerts.alertInfos.udmEvent.metadata.eventType | string | Response data |
| alerts.alertInfos.udmEvent.metadata.vendorName | string | Response data |
| alerts.alertInfos.udmEvent.metadata.productName | string | Response data |
| alerts.alertInfos.udmEvent.metadata.productEventType | string | Response data |
| alerts.alertInfos.udmEvent.metadata.description | string | Response data |
| alerts.alertInfos.udmEvent.metadata.urlBackToProduct | string | Response data |
| alerts.alertInfos.udmEvent.metadata.ingestedTimestamp | string | Response data |
| alerts.alertInfos.udmEvent.principal | object | Output field alerts.alertInfos.udmEvent.principal |
| alerts.alertInfos.udmEvent.principal.hostname | string | Name of the resource |
| alerts.alertInfos.udmEvent.target | object | Output field alerts.alertInfos.udmEvent.target |
| alerts.alertInfos.udmEvent.target.file | object | Output field alerts.alertInfos.udmEvent.target.file |
| alerts.alertInfos.udmEvent.securityResult | array | Result of the operation |

Output example:

```json
{"alerts": [{"asset": {}, "alertInfos": []}], "userAlerts": [{"user": {}, "alertInfos": []}]}
```

### List IOC Details

Retrieve threat intelligence for a specified artifact from enterprise security systems and Google IOC partners.

Endpoint URL: `v1/artifact/listiocdetails`

Method: `GET`

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.artifact.domain_name | string | Optional | Domain name |
| parameters.artifact.destination_ip_address | string | Optional | Destination IP address |

Input example:

```json
{"parameters": {"artifact.domain_name": "example name", "artifact.destination_ip_address": "string"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| sources | array | Output field sources |
| sources.sourceName | string | Name of the resource |
| sources.sourceUrl | string | URL endpoint for the request |
| sources.confidenceScore | object | Unique identifier |
| sources.confidenceScore.strRawConfidenceScore | string | Unique identifier |
| sources.rawSeverity | string | Output field sources.rawSeverity |
| sources.category | string | Output field sources.category |
| sources.addresses | array | Output field sources.addresses |
| sources.addresses.port | array | Output field sources.addresses.port |
| sources.addresses.domain | string | Output field sources.addresses.domain |
| sources.firstActiveTime | string | Time value |
| sources.lastActiveTime | string | Time value |
| uri | array | Output field uri |

Output example:

```json
{"sources": [{"sourceName": "ET Intelligence Rep List", "sourceUrl": "http://tools.emergingthreats.net/docs/ET%20Intelligence%20Rep%20List%20Tech%20De", "confidenceScore": {}, "rawSeverity": "Medium", "category": "Bitcoin Mining and related", "addresses": [], "firstActiveTime": "2020-07-19T00:00:00Z", "lastActiveTime": "2022-04-20T00:00:00Z"}], "uri": ["https://sample.backstory.chronicle.security/domainResults?domain=altostrat.com&s"]}
```

### List IOCs

Retrieve a list of indicators of compromise (IOCs) found across your enterprise for a given time range, requiring a `start_time` parameter.

Endpoint URL: `v1/ioc/listiocs`

Method: `GET`

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.start_time | string | Required | Start time for your request |
| parameters.page_size | number | Optional | Specify the maximum number of IOCs to return. You can specify between 1 and 10,000. The default is 10,000. |

Input example:

```json
{"parameters": {"start_time": "string", "page_size": 123}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| done | boolean | Output field done |
| response | object | Output field response |
| response.@type | string | Type of the resource |
| response.matches | array | Output field response.matches |
| response.matches.artifact | object | Output field response.matches.artifact |
| response.matches.artifact.domainName | string | Name of the resource |
| response.matches.firstSeenTime | string | Time value |
| response.matches.iocIngestTime | string | Time value |
| response.matches.lastSeenTime | string | Time value |
| response.matches.sources | array | Output field response.matches.sources |
| response.matches.sources.category | string | Output field response.matches.sources.category |
| response.matches.sources.confidenceScore | object | Unique identifier |
| response.matches.sources.confidenceScore.intRawConfidenceScore | number | Unique identifier |
| response.matches.sources.confidenceScore.normalizedConfidenceScore | string | Unique identifier |
| response.matches.sources.rawSeverity | string | Output field response.matches.sources.rawSeverity |
| response.matches.sources.source | string | Output field response.matches.sources.source |
| response.matches.uri | array | Output field response.matches.uri |
| response.moreDataAvailable | boolean | Response data |

Output example:

```json
{"done": true, "response": {"@type": "type.googleapis.com/chronicle.backstory.v1.ListIocsResponse", "matches": [{}], "moreDataAvailable": true}}
```

### UDM Search

Execute a UDM search query in Google Chronicle to retrieve matching events based on the provided `query` parameter.

Endpoint URL: `v1/events:udmSearch`

Method: `GET`

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.query | string | Required | Parameters for the UDM Search action |
| parameters.time_range.start_time | string | Optional | Parameters for the UDM Search action |
| parameters.time_range.end_time | string | Optional | Parameters for the UDM Search action |
| parameters.limit | number | Optional | Parameters for the UDM Search action |

Input example:

```json
{"parameters": {"query": "metadata.event_type+%3D+%22NETWORK_CONNECTION%22+AND+principal.hostname%3D%22jdx%22", "time_range.start_time": "2022-10-01T20:51:11.907461Z", "time_range.end_time": "2022-12-01T20:51:11.907461Z", "limit": 100}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| events | array | Output field events |
| events.name | string | Name of the resource |
| events.udm | object | Output field events.udm |
| events.udm.metadata | object | Response data |
| events.udm.metadata.eventTimestamp | string | Response data |
| events.udm.metadata.eventType | string | Response data |
| events.udm.metadata.ingestedTimestamp | string | Response data |
| events.udm.metadata.id | string | Response data |
| events.udm.principal | object | Output field events.udm.principal |
| events.udm.principal.ip | array | Output field events.udm.principal.ip |
| events.udm.target | object | Output field events.udm.target |
| events.udm.target.ip | array | Output field events.udm.target.ip |
| events.udm.target.port | number | Output field events.udm.target.port |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 23 Aug 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {"events": [{}, {}]}}
```

Response headers:

| Header | Description | Example |
| --- | --- | --- |
| Content-Length | The length of the response body in bytes | 140 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Wed, 23 Aug 2023 20:37:23 GMT |
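The four actions above are all `GET` requests against a regional endpoint, and two of them carry rules that are easy to violate from a workflow: List IOC Details accepts exactly one of `artifact.domain_name` or `artifact.destination_ip_address` (the Action Setup section), and UDM Search expects the query to be URL-encoded the way the input example shows (`+` for spaces, `%3D` for `=`, `%22` for quotes). The following is an added example, not code from the Swimlane connector or from Google's API client; it builds the request URL for each action from the regional endpoint table and the parameter tables on this page, enforcing the page-size ranges, the either/or rule and an RFC 3339 shape check before anything is sent. It assumes the `parameters.*` names in the tables map one-to-one onto query-string parameters of the Backstory API and that the UDM query is supplied in plain form and encoded here; the region labels in `REGIONAL_ENDPOINTS` are chosen for this example.

```python
import re
from urllib.parse import urlencode

# Regional endpoints as listed on this page; the short labels are this example's own.
REGIONAL_ENDPOINTS = {
    "europe": "https://europe-backstory.googleapis.com/",
    "tel-aviv": "https://me-west1-backstory.googleapis.com/",
    "london": "https://europe-west2-backstory.googleapis.com/",
    "singapore": "https://asia-southeast1-backstory.googleapis.com/",
    "sydney": "https://australia-southeast1-backstory.googleapis.com/",
    "us": "https://backstory.googleapis.com/",
}

# Shape check for the RFC 3339 timestamps the List Alerts table asks for, e.g.
# 2022-10-01T20:51:11.907461Z or 2022-10-01T20:51:11+02:00.
_RFC3339 = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$")


def _check_timestamp(name: str, value: str) -> None:
    if not _RFC3339.match(value):
        raise ValueError(f"{name} must be an RFC 3339 timestamp, got {value!r}")


def _check_page_size(value, upper: int) -> None:
    # Ranges from the parameter tables: 1..100,000 for alerts, 1..10,000 for IOCs.
    if value is not None and not 1 <= int(value) <= upper:
        raise ValueError(f"page_size must be between 1 and {upper:,}, got {value}")


def _url(base_url: str, path: str, params: dict) -> str:
    # urlencode uses quote_plus: spaces become '+', '=' becomes %3D, '"' becomes %22,
    # which reproduces the encoded query shown in the UDM Search input example.
    base_url = base_url if base_url.endswith("/") else base_url + "/"
    return f"{base_url}{path}?{urlencode(params)}"


def build_list_alerts(base_url: str, start_time: str, end_time: str, page_size=None) -> str:
    _check_timestamp("start_time", start_time)
    _check_timestamp("end_time", end_time)
    _check_page_size(page_size, 100_000)
    params = {"start_time": start_time, "end_time": end_time}
    if page_size is not None:
        params["page_size"] = page_size
    return _url(base_url, "v1/alert/listalerts", params)


def build_list_iocs(base_url: str, start_time: str, page_size=None) -> str:
    _check_timestamp("start_time", start_time)
    _check_page_size(page_size, 10_000)
    params = {"start_time": start_time}
    if page_size is not None:
        params["page_size"] = page_size
    return _url(base_url, "v1/ioc/listiocs", params)


def build_list_ioc_details(base_url: str, domain_name=None, destination_ip_address=None) -> str:
    # The Action Setup rule: exactly one artifact selector, never both, never neither.
    if (domain_name is None) == (destination_ip_address is None):
        raise ValueError("specify exactly one of domain_name or destination_ip_address")
    if domain_name is not None:
        params = {"artifact.domain_name": domain_name}
    else:
        params = {"artifact.destination_ip_address": destination_ip_address}
    return _url(base_url, "v1/artifact/listiocdetails", params)


def build_udm_search(base_url: str, query: str, start_time=None, end_time=None, limit=None) -> str:
    params = {"query": query}
    if start_time is not None:
        _check_timestamp("time_range.start_time", start_time)
        params["time_range.start_time"] = start_time
    if end_time is not None:
        _check_timestamp("time_range.end_time", end_time)
        params["time_range.end_time"] = end_time
    if limit is not None:
        params["limit"] = limit
    return _url(base_url, "v1/events:udmSearch", params)


if __name__ == "__main__":
    print(build_udm_search(REGIONAL_ENDPOINTS["us"],
                           'metadata.event_type = "NETWORK_CONNECTION" AND principal.hostname="jdx"',
                           start_time="2022-10-01T20:51:11.907461Z",
                           end_time="2022-12-01T20:51:11.907461Z", limit=100))
    print(build_list_ioc_details(REGIONAL_ENDPOINTS["europe"], domain_name="altostrat.com"))
```

Building the URL from a plain query and letting `urlencode` do the escaping avoids the double-encoding trap: a workflow that stores the already-encoded form from the input example and then passes it through an HTTP client that encodes again sends `%2B` and `%253D` to the API and gets no matches back.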