# Google Chronicle SIEM
The Google Chronicle SIEM connector allows for the integration of Google's powerful SIEM capabilities into the Swimlane Turbine platform, enabling enhanced security data analysis and incident response.

Google Chronicle SIEM is a powerful security information and event management platform that enables organizations to analyze and store petabytes of security telemetry. This connector allows Swimlane Turbine users to automate the ingestion and analysis of log data, fetch alerts, and update threat intelligence information directly within the Swimlane platform. By integrating with Google Chronicle SIEM, security teams can enhance their incident response capabilities, streamline threat hunting, and leverage advanced SIEM functionalities within their automated workflows.

## Limitations

None to date.

## Supported versions

This Google Chronicle SIEM connector uses the latest version API.

## Additional docs

- https://cloud.google.com/chronicle/docs/reference/reference-lists-api

## Configuration

### Prerequisites

To effectively utilize the Google Chronicle SIEM connector within Swimlane Turbine, ensure you have the following prerequisites:

- OAuth2.0 authentication with the following parameters:
  - Service Account Info: your Google service account credentials
  - URL: the API endpoint URL for Google Chronicle SIEM
  - Scopes: the specific OAuth scopes required for the actions you intend to perform

### Authentication Methods

#### OAuth 2.0 Client Credentials Authentication

To effectively utilize the Google Chronicle SIEM connector within Swimlane Turbine, ensure you have the following prerequisites:

- OAuth2.0 authentication for Google Chronicle SIEM with these parameters:
  - Service Account Info: a JSON file containing your service account credentials
  - URL: the endpoint URL for the Google Chronicle SIEM API

### GCP Project Creation

1. Log in to the GCP Console here: https://console.cloud.google.com/
2. Navigate to this link to create a new project: https://console.cloud.google.com/projectcreate
3. Name your project and click Create. We recommend specific and recognizable project names.
4. Navigate to your projects and select your new project.

### Enable the Google Chronicle API

1. Go to the API & Services dashboard in the Cloud Console.
2. Click on the "Enable APIs and Services" button.

### Asset Configuration

#### Configuring a Service Account

The Google Chronicle SIEM connector requires a Google service account to authenticate.

1. Open https://console.developers.google.com/iam-admin/serviceaccounts
2. Select the appropriate project.
3. Click + Create New Service Account.
4. Assign a name for the service account and add a description, then click Create and Continue.
5. Click the Select a role dropdown and type "Owner" in the filter. Choose Owner and Chronicle API Admin, then click Continue.
6. In the menu for Grant users access to this service account (optional), you may select users or skip it and click Done. This is not required for the connector.
7. Click on the newly created service account email.
8. Navigate to the Keys menu.
9. Click Add Key, select Create new key, select JSON format, and click Create.
10. Make sure you download the JSON file presented. The JSON needs to be passed in the asset input Service Account Info as a base64-encoded string. This file will be needed when configuring the asset in Swimlane.

#### Setting API Scopes

After creating a service account, the necessary API scopes required to be authorized must be set.

1. From https://admin.google.com/, navigate to Security > API Controls and then click Manage Domain Wide Delegation at the bottom of the window.
2. Click Add new.
3. In the Client ID field, enter the Unique ID from the service account details menu.
4. Enter the following CSV value into the OAuth scopes (comma-delimited) input: https://www.googleapis.com/auth/chronicle-backstory
5. Click Authorize.

## Capabilities

This Google Chronicle SIEM connector provides the following capabilities:

- Create Entities
- Fetch Alerts
- Log Types
- UDM Events
- Unstructured Log Entries
- Update Alert
- Update Reference List

### Create Entities

Creates entities. https://cloud.google.com/chronicle/docs/reference/ingestion-api#createentities

### Fetch Alerts

Legacy streaming endpoint for getting alerts (and in some cases, non-alerting detections) along with aggregated fields that match the query. https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances.legacy/legacyFetchAlertsView?rep_location=us

### Log Types

Retrieve a list of supported log types. https://cloud.google.com/chronicle/docs/reference/ingestion-api#logtypes

### UDM Events

Forwards UDM events to Google SecOps in batches. https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances/udmSearch

### Unstructured Log Entries

Forwards unstructured log entries to Google SecOps one batch at a time. https://cloud.google.com/chronicle/docs/reference/ingestion-api#unstructuredlogentries

### Update Alert

Legacy endpoint for updating an alert. https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances.legacy/legacyUpdateAlert#legacyfeedback

### Update Reference List

Updates an existing list. https://cloud.google.com/chronicle/docs/reference/reference-lists-api#updatereferencelist

### Regional Endpoints

Chronicle provides regional endpoints for each API.

| Region | Endpoint |
|---|---|
| European multi-region | https://europe-backstory.googleapis.com/ |
| Tel Aviv | https://me-west1-backstory.googleapis.com/ |
| London | https://europe-west2-backstory.googleapis.com/ |
| Singapore | https://asia-southeast1-backstory.googleapis.com/ |
| Sydney | https://australia-southeast1-backstory.googleapis.com/ |
| United States multi-region | https://backstory.googleapis.com/ |

## Configurations

### Google Chronicle SIEM Authentication

OAuth2.0 authentication for Google Chronicle SIEM.

Configuration parameters:

| Parameter | Description | Type | Required |
|---|---|---|---|
| B64 Service Info | Base64-encoded credentials JSON authentication file contents | string | Required |
| URL | Server API address | string | Required |
| Scopes | Scope to be used for authentication | array | Required |
| Verify SSL | Verify SSL certificate | boolean | Optional |
| HTTP Proxy | A proxy to route requests through | string | Optional |
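The asset takes the downloaded service-account key as a base64 string plus a regional endpoint URL, and a malformed key file or a mistyped endpoint only surfaces as an opaque authentication failure at the first action. The following Python is an added example, not part of the connector or of Google's code; it validates the key file shape, produces the base64 value for the B64 Service Info field, selects the URL from the regional endpoint table above, and builds a loggable fingerprint of the key (account and key id, never the private key). The `SAMPLE_KEY_JSON` file, the region short names used as dictionary keys, and the `build_asset` field names are constructed for the example.

```python
import base64
import json
from typing import Optional

# Regional endpoints from the connector page (short region name -> base URL).
# The short names are this example's own choice, not connector settings.
REGIONAL_ENDPOINTS = {
    "europe": "https://europe-backstory.googleapis.com/",
    "tel-aviv": "https://me-west1-backstory.googleapis.com/",
    "london": "https://europe-west2-backstory.googleapis.com/",
    "singapore": "https://asia-southeast1-backstory.googleapis.com/",
    "sydney": "https://australia-southeast1-backstory.googleapis.com/",
    "us": "https://backstory.googleapis.com/",
}

# The scope the page says to authorize under domain-wide delegation.
CHRONICLE_SCOPE = "https://www.googleapis.com/auth/chronicle-backstory"

# Fields a Google service-account key file always carries. Checking them up
# front rejects a pasted OAuth client secret or a truncated file at
# configuration time instead of at the first API call.
REQUIRED_KEY_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email")


def validate_service_account(key_json: str) -> dict:
    """Parse a service-account key file and check it has the expected shape."""
    try:
        info = json.loads(key_json)
    except json.JSONDecodeError as exc:
        raise ValueError(f"service account info is not valid JSON: {exc}") from None
    missing = [field for field in REQUIRED_KEY_FIELDS if not info.get(field)]
    if missing:
        raise ValueError(f"service account JSON is missing fields: {missing}")
    if info["type"] != "service_account":
        raise ValueError(f"expected type 'service_account', got {info['type']!r}")
    if not info["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        raise ValueError("private_key is not a PEM-encoded private key")
    return info


def encode_service_account(key_json: str) -> str:
    """Return the base64 string the B64 Service Info asset field expects."""
    validate_service_account(key_json)
    return base64.b64encode(key_json.encode("utf-8")).decode("ascii")


def decode_service_account(b64_service_info: str) -> dict:
    """Reverse of encode_service_account: recover and re-check the key file."""
    raw = base64.b64decode(b64_service_info, validate=True).decode("utf-8")
    return validate_service_account(raw)


def key_fingerprint(info: dict) -> str:
    """Identity of a key that is safe to log: account and key id, no key material."""
    return f"{info['client_email']} (key id {info['private_key_id']})"


def build_asset(key_json: str, region: str, verify_ssl: bool = True,
                http_proxy: Optional[str] = None) -> dict:
    """Assemble the fields from the configuration table for one region."""
    if region not in REGIONAL_ENDPOINTS:
        raise ValueError(f"unknown region {region!r}; choose one of {sorted(REGIONAL_ENDPOINTS)}")
    return {
        "b64_service_info": encode_service_account(key_json),
        "url": REGIONAL_ENDPOINTS[region],
        "scopes": [CHRONICLE_SCOPE],
        "verify_ssl": verify_ssl,
        "http_proxy": http_proxy,
    }


# Constructed sample key file: the shape of a real one, placeholder values only.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "chronicle-connector@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "token_uri": "https://oauth2.googleapis.com/token",
})

if __name__ == "__main__":
    asset = build_asset(SAMPLE_KEY_JSON, "london")
    print(asset["url"], key_fingerprint(decode_service_account(asset["b64_service_info"])))
```

Because `Verify SSL` defaults to true here and the endpoint must come from the table, an operator cannot silently point the asset at a non-Google host or disable certificate checking without editing the call explicitly.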
## Actions

### Create Entries

Create new log entries in Google Chronicle SIEM using customer ID, log type, and entity details.

Endpoint URL: `/v2/entities:batchCreate`

Method: POST

Input arguments:

| Name | Type | Required | Description |
|---|---|---|---|
| customer_id | string | Optional | Unique identifier (UUID) corresponding to a particular Google SecOps instance provided by your Google SecOps representative |
| log_type | string | Optional | Any log type value returned by the logtypes endpoint |
| entities | array | Optional | Array of entities |
| entities.metadata | object | Optional | Response data |
| entities.metadata.collected_timestamp | string | Optional | Response data |
| entities.metadata.entity_type | string | Optional | Response data |
| entities.metadata.vendor_name | string | Optional | Response data |
| entities.metadata.product_name | string | Optional | Response data |
| entities.entity | object | Optional | Parameter for Create Entries |
| entities.entity.user | object | Optional | Parameter for Create Entries |
| entities.entity.user.userid | string | Optional | Unique identifier |
| entities.entity.user.product_object_id | string | Optional | Unique identifier |

Input example:

```json
{
  "json_body": {
    "customer_id": "c8c65bfa-5f2c-42d4-9189-64bb7b939f2c",
    "log_type": "AZURE_AD_CONTEXT",
    "entities": [
      {
        "metadata": {
          "collected_timestamp": "2021-11-14T15:30:18.142265Z",
          "entity_type": "USER",
          "vendor_name": "vendor",
          "product_name": "product"
        },
        "entity": {"user": {"userid": "johndoe", "product_object_id": "doejohn"}}
      },
      {
        "metadata": {
          "collected_timestamp": "2021-11-14T16:30:18.142265Z",
          "entity_type": "USER",
          "vendor_name": "vendor",
          "product_name": "product"
        },
        "entity": {"user": {"userid": "janedoe", "product_object_id": "doejane"}}
      }
    ]
  }
}
```

### Fetch Alerts

Retrieve alerts and detections from Google Chronicle SIEM with specified queries within a defined time range, requiring parameters like instance, baselineQuery, snapshotQuery, start time, and end time.

Endpoint URL: `v1alpha/{{instance}}/legacy:legacyFetchAlertsView`

Method: GET

Input arguments:

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.baselineQuery | string | Required | The baseline query to search for. The baseline query is used for this request and its results are cached for subsequent requests, so that supplying additional filters in the snapshotQuery will not require re-running the baseline query |
| parameters.snapshotQuery | string | Required | The snapshot query to search for. This uses a syntax similar to UDM search, with support for all fields within 7 levels of nesting within the collection proto. For composite detections, the filters prefixed with "collectionElements.references.event" or "collectionElements.references.entity" are also checked against one level of producer detections |
| parameters.timeRange.startTime | string | Required | The start of the time range of alerts to search for |
| parameters.timeRange.endTime | string | Required | The end of the time range of alerts to search for |
| parameters.alertListOptions.maxReturnedAlerts | number | Optional | The maximum number of alerts to return |
| parameters.alertListOptions.entityIndicator.indicatorNamespace | string | Optional | Parameters for the Fetch Alerts action |
| parameters.alertListOptions.entityIndicator.hostname | string | Optional | Parameters for the Fetch Alerts action |
| parameters.alertListOptions.entityIndicator.assetIpAddress | string | Optional | Parameters for the Fetch Alerts action |
| parameters.alertListOptions.entityIndicator.mac | string | Optional | Parameters for the Fetch Alerts action |
| parameters.alertListOptions.entityIndicator.productId | string | Optional | Parameters for the Fetch Alerts action |
| parameters.alertListOptions.entityIndicator.username | string | Optional | Parameters for the Fetch Alerts action |
| parameters.alertListOptions.entityIndicator.email | string | Optional | Parameters for the Fetch Alerts action |
| parameters.alertListOptions.entityIndicator.employeeId | string | Optional | Parameters for the Fetch Alerts action |
| parameters.alertListOptions.entityIndicator.windowsSid | string | Optional | Parameters for the Fetch Alerts action |
| parameters.alertListOptions.entityIndicator.productObjectId | string | Optional | Parameters for the Fetch Alerts action |
| parameters.alertListOptions.entityIndicator.rawPid | string | Optional | Parameters for the Fetch Alerts action |
| parameters.alertListOptions.entityIndicator.processId | string | Optional | Parameters for the Fetch Alerts action |
| parameters.alertListOptions.entityIndicator.fullCommandLine | string | Optional | Parameters for the Fetch Alerts action |
| parameters.alertListOptions.entityIndicator.parentProcessId | string | Optional | Parameters for the Fetch Alerts action |
| parameters.alertListOptions.entityIndicator.hashMd5 | string | Optional | Parameters for the Fetch Alerts action |
| parameters.alertListOptions.entityIndicator.hashSha1 | string | Optional | Parameters for the Fetch Alerts action |
| parameters.alertListOptions.entityIndicator.hashSha256 | string | Optional | Parameters for the Fetch Alerts action |
| parameters.alertListOptions.entityIndicator.filePath | string | Optional | Parameters for the Fetch Alerts action |
| parameters.alertListOptions.entityIndicator.destinationIpAddress | string | Optional | Parameters for the Fetch Alerts action |
| parameters.alertListOptions.entityIndicator.domainName | string | Optional | Parameters for the Fetch Alerts action |

Input example:

```json
{
  "parameters": {
    "baselineQuery": "severity='HIGH' or severity='CRITICAL'",
    "snapshotQuery": "severity='HIGH' or severity='CRITICAL'",
    "timeRange.startTime": "2023-10-01T00:00:00Z",
    "timeRange.endTime": "2023-10-31T23:59:59Z",
    "alertListOptions.maxReturnedAlerts": 50,
    "alertListOptions.entityIndicator.indicatorNamespace": "MISP",
    "alertListOptions.entityIndicator.hostname": "example-host",
    "alertListOptions.entityIndicator.assetIpAddress": "192.168.1.1",
    "alertListOptions.entityIndicator.mac": "00:1a:2b:3c:4d:5e",
    "alertListOptions.entityIndicator.productId": "prod-12345",
    "alertListOptions.entityIndicator.username": "jdoe",
    "alertListOptions.entityIndicator.email": "jdoe@example.com",
    "alertListOptions.entityIndicator.employeeId": "e123456",
    "alertListOptions.entityIndicator.windowsSid": "S-1-5-21-3623811015-3361044348-30300820-1013",
    "alertListOptions.entityIndicator.productObjectId": "prod-obj-001",
    "alertListOptions.entityIndicator.rawPid": "4567",
    "alertListOptions.entityIndicator.processId": "1234",
    "alertListOptions.entityIndicator.fullCommandLine": "python script.py",
    "alertListOptions.entityIndicator.parentProcessId": "4321",
    "alertListOptions.entityIndicator.hashMd5": "098f6bcd4621d373cade4e832627b4f6",
    "alertListOptions.entityIndicator.hashSha1": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3",
    "alertListOptions.entityIndicator.hashSha256": "9e107d9d372bb6826bd81d3542a419d6",
    "alertListOptions.entityIndicator.filePath": "/usr/bin/example",
    "alertListOptions.entityIndicator.destinationIpAddress": "10.0.0.2",
    "alertListOptions.entityIndicator.domainName": "example.com",
    "alertListOptions.entityIndicator.resourceProjectObjectId": "res-proj-001",
    "alertListOptions.entityIndicator.resourceName": "resource-1",
    "fieldAggregationOptions.maxValuesPerField": 5,
    "enableCache": "ALERTS_FEATURE_PREFERENCE_UNSPECIFIED",
    "includeNonAlertingDetections": "ALERTS_FEATURE_PREFERENCE_UNSPECIFIED"
  },
  "path_parameters": {"instance": "testing-1"}
}
```

Output parameters:

| Parameter | Type | Description |
|---|---|---|
| data | object | Response data |

Output example:

```json
{"data": {}}
```

### Log Types

Retrieve a list of supported log types from Google Chronicle SIEM for integration and analysis.

Endpoint URL: `/v2/logtypes`

Method: GET

Output parameters:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| logTypes | array | Type of the resource |
| logTypes.logType | string | Type of the resource |
| logTypes.description | string | Type of the resource |

Output example:

```json
{
  "status_code": 200,
  "reason": "OK",
  "json_body": {
    "logTypes": [
      {"logType": "BIND_DNS", "description": "BIND DNS Server"},
      {"logType": "WINDOWS_DNS", "description": "Windows DNS"},
      {"logType": "WINDOWS_DHCP", "description": "Windows DHCP"}
    ]
  }
}
```

### UDM Events

Forwards UDM events to Google Chronicle SIEM with specified instance path, query, and time range.

Endpoint URL: `v1alpha/{{instance_path}}:udmSearch`

Method: POST

Input arguments:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.instance_path | string | Required | Parameters for the UDM Events action |
| parameters.query | string | Required | The boolean query to search for. Example: `ip=/172.*/ and metadata.event_type!="NETWORK_CONNECTION" and (target.ip = "3.225.179.73" or target.ip = "23.47.48.70")` |
| parameters.timeRange.startTime | string | Required | The start of the time range of events to search for |
| parameters.timeRange.endTime | string | Required | The end of the time range of events to search for |
| parameters.limit | number | Optional | Maximum number of results to be returned for the query. Anything over 10000 will be coerced to 10000 |

Input example:

```json
{
  "parameters": {"query": "metadata.event_type!='NETWORK_CONNECTION'"},
  "path_parameters": {"instance_path": "testing"}
}
```

Output parameters:

| Parameter | Type | Description |
|---|---|---|
| data | object | Response data |

Output example:

```json
{"data": {}}
```

### Unstructured Log Entries

Forwards batches of unstructured log entries to Google Chronicle SIEM, using specified customer ID, log type, namespace, and entries.

Endpoint URL: `/v2/unstructuredlogentries:batchCreate`

Method: POST

Input arguments:

| Name | Type | Required | Description |
|---|---|---|---|
| customer_id | string | Optional | Unique identifier (UUID) corresponding to a particular Google SecOps instance provided by your Google SecOps representative |
| log_type | string | Optional | Identifies the log entries in the batch (for example, WINDOWS_DNS) |
| namespace | string | Optional | User-configured environment namespace to identify the data domain the logs originated from. Use namespace as a tag to identify the appropriate data domain for indexing and enrichment functionality |
| labels | array | Optional | Array of objects containing the key-value pairs for labels to be applied to the logs |
| labels.key | string | Optional | Name of a key for applying a label |
| labels.value | string | Optional | Value for applying a label |
| entries | array | Optional | Array of objects containing the fields for the raw log and its timestamp |
| entries.log_text | string | Optional | Text of the raw log entry. This should not contain any binary data and should only use UTF-8 strings |
| entries.ts_epoch_microseconds | number | Optional | Unix timestamp in microseconds associated with the log entry |
| entries.ts_rfc3339 | string | Optional | Timestamp associated with the log entry in RFC 3339 format |

Input example:

```json
{
  "json_body": {
    "customer_id": "c8c65bfa-5f2c-42d4-9189-64bb7b939f2c",
    "log_type": "BIND_DNS",
    "namespace": "default",
    "labels": [
      {"key": "key_name_one", "value": "value_one"},
      {"key": "key_name_two", "value": "value_two"}
    ],
    "entries": [
      {
        "log_text": "26-Feb-2019 13:35:02.187 client 10.120.20.32#4238: query: altostrat.com IN A + (203.0.113.102)",
        "ts_epoch_microseconds": 1551188102187000
      },
      {
        "log_text": "26-Feb-2019 13:37:04.523 client 10.50.100.33#1116: query: examplepetstore.com IN A + (203.0.113.102)",
        "ts_rfc3339": "2019-26-02T13:37:04.523-08:00"
      },
      {
        "log_text": "26-Feb-2019 13:39:01.115 client 10.1.2.3#3333: query: www.example.com IN A + (203.0.113.102)"
      }
    ]
  }
}
```

### Update Alert

Updates an existing alert in Google Chronicle SIEM with provided feedback using the specified instance and alert ID.

Endpoint URL: `v1alpha/{{instance}}/legacy:legacyUpdateAlert`

Method: POST

Input arguments:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.instance | string | Required | Chronicle instance this request is sent to |
| alertId | string | Optional | The unique identifier for the alert to be updated |
| feedback | object | Optional | Parameter for Update Alert |
| feedback.verdict | string | Optional | A verdict on whether the finding reflects a security inc |
| feedback.reputation | string | Optional | A categorization of the finding as useful or not useful |
| feedback.confidenceScore | number | Optional | Confidence score (0-100) of the finding |
| feedback.riskScore | number | Optional | Risk score (0-100) of the finding |
| feedback.disregarded | boolean | Optional | Analyst disregard (or un-disregard) the event |
| feedback.severity | number | Optional | Severity score (1-100) of the finding |
| feedback.comment | string | Optional | Analyst comment |
| feedback.status | string | Optional | The status of the alert |
| feedback.priority | string | Optional | The priority of the alert |
| feedback.rootCause | string | Optional | The root cause of the alert |
| feedback.reason | string | Optional | The reason for the alert |
| feedback.severityDisplay | string | Optional | Severity display name for UI and filtering |
| feedback.triageAgentInvestigationId | string | Optional | Output only. Investigation ID of the latest investigation performed by the triage agent on the alert. The triage agent is designed to autonomously investigate alerts and determine whether an alert needs to be escalated to a human, while providing transparency about the actions it took as part of its investigation |
| feedback.userType | string | Optional | Output only. Type of user that submitted or updated the feedback. This field is used to distinguish between feedback submitted by a human analyst and by an AI agent. By default, the user is assumed to be a human analyst |
| caseName | string | Optional | The case name that the alert is associated with |
| responsePlatformInfo | object | Optional | The response platform info of the alert |
| responsePlatformInfo.alertId | string | Optional | ID of the alert in the SOAR product |
| responsePlatformInfo.responsePlatformType | string | Optional | Type of SOAR product |

Input example:

```json
{
  "json_body": {
    "alertId": "alert-1",
    "feedback": {
      "verdict": "malicious",
      "reputation": "high",
      "confidenceScore": 85,
      "riskScore": 70,
      "disregarded": false,
      "severity": 4,
      "comment": "Suspicious activity detected.",
      "status": "open",
      "priority": "high",
      "rootCause": "phishing email",
      "reason": "suspicious behavior",
      "severityDisplay": "critical",
      "triageAgentInvestigationId": "invest-67890",
      "userType": "employee"
    },
    "caseName": "case-name-1",
    "responsePlatformInfo": {
      "alertId": "alert-1",
      "responsePlatformType": "RESPONSE_PLATFORM_TYPE_UNSPECIFIED"
    }
  },
  "path_parameters": {"instance": "testing-1"}
}
```

Output parameters:

| Parameter | Type | Description |
|---|---|---|
| data | object | Response data |

Output example:

```json
{"data": {}}
```

### Update Reference List

Updates a reference list with new entries in Google Chronicle SIEM, specifying `update_mask` for targeted changes. Requires `name` and `lines`.

Endpoint URL: `/v2/lists`

Method: PATCH

Input arguments:

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.update_mask | array | Required | Mask that identifies which fields on the list to update |
| name | string | Optional | Unique name for the list |
| description | string | Optional | Description of the list |
| lines | array | Optional | List of line items |
| content_type | string | Optional | Type of list content. Valid values are "CONTENT_TYPE_DEFAULT_STRING", "REGEX", "CIDR". Must match the type of the existing list you are updating. If omitted, defaults to "CONTENT_TYPE_DEFAULT_STRING" |

Input example:

```json
{
  "parameters": {"update_mask": ["list.lines"]},
  "json_body": {
    "name": "list_name_here",
    "description": "list description here",
    "lines": ["1.2.3.4/24", "5.6.7.8/24"],
    "content_type": "CONTENT_TYPE_DEFAULT_STRING"
  }
}
```

Output parameters:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| name | string | Name of the resource |
| description | string | Output field description |
| lines | array | Output field lines |
| create_time | string | Time value |
| content_type | string | Type of the resource |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {
    "name": "list_name",
    "description": "description of the list",
    "lines": ["1.2.3.4/24", "5.6.7.8/24"],
    "create_time": "2020-11-20T17:18:20.409247Z",
    "content_type": "CIDR"
  }
}
```

## Response Headers

| Header | Description | Example |
|---|---|---|
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
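The Unstructured Log Entries action above accepts `log_text` that must be UTF-8 text with no binary data, and a timestamp as either `ts_epoch_microseconds` or `ts_rfc3339`; the endpoint takes one batch per call. The following Python is an added example, not connector or Google code: it builds the `batchCreate` request bodies from raw log lines, rejects control characters and malformed timestamps before anything is sent, and splits a long list of entries into batches. The batch size, the `make_entry`/`build_batches` function names, and the `sample_batches` input (which reuses the page's three BIND lines and customer UUID) are this example's assumptions.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# Shape check for RFC 3339 timestamps; the strptime call below does the real
# validation, so a day/month swap such as "2019-26-02" is still rejected.
_RFC3339 = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{1,6})?(Z|[+-]\d{2}:\d{2})$")


def check_log_text(log_text: str) -> str:
    """Enforce the page's rule for log_text: UTF-8 text only, no binary data."""
    if not isinstance(log_text, str):
        raise ValueError("log_text must be a str (decode bytes before building the entry)")
    log_text.encode("utf-8")  # raises UnicodeEncodeError on lone surrogates
    if any(ord(ch) < 32 and ch not in "\t\r\n" for ch in log_text):
        raise ValueError("log_text contains control characters; refusing binary data")
    return log_text


def parse_rfc3339(ts: str) -> datetime:
    """Parse an RFC 3339 timestamp, raising ValueError if it is not one."""
    if not _RFC3339.match(ts):
        raise ValueError(f"not an RFC 3339 timestamp: {ts!r}")
    fmt = "%Y-%m-%dT%H:%M:%S.%f%z" if "." in ts else "%Y-%m-%dT%H:%M:%S%z"
    return datetime.strptime(ts, fmt)  # %z accepts 'Z' and '+hh:mm' on Python 3.7+


def make_entry(log_text: str, ts_epoch_microseconds: Optional[int] = None,
               ts_rfc3339: Optional[str] = None) -> dict:
    """Build one entries[] object; at most one timestamp field is allowed."""
    entry = {"log_text": check_log_text(log_text)}
    if ts_epoch_microseconds is not None and ts_rfc3339 is not None:
        raise ValueError("give either ts_epoch_microseconds or ts_rfc3339, not both")
    if ts_epoch_microseconds is not None:
        if isinstance(ts_epoch_microseconds, bool) or not isinstance(ts_epoch_microseconds, int) \
                or ts_epoch_microseconds < 0:
            raise ValueError("ts_epoch_microseconds must be a non-negative integer")
        entry["ts_epoch_microseconds"] = ts_epoch_microseconds
    if ts_rfc3339 is not None:
        parse_rfc3339(ts_rfc3339)
        entry["ts_rfc3339"] = ts_rfc3339
    return entry


def build_batches(customer_id: str, log_type: str, entries: List[dict],
                  namespace: str = "default", labels: Optional[Dict[str, str]] = None,
                  batch_size: int = 500) -> List[dict]:
    """Split entries into batchCreate bodies; batch_size is an assumed client-side limit."""
    if not entries:
        raise ValueError("no entries to send")
    if batch_size < 1:
        raise ValueError("batch_size must be positive")
    label_objects = [{"key": k, "value": v} for k, v in (labels or {}).items()]
    bodies = []
    for start in range(0, len(entries), batch_size):
        body = {
            "customer_id": customer_id,
            "log_type": log_type,
            "namespace": namespace,
            "entries": entries[start:start + batch_size],
        }
        if label_objects:
            body["labels"] = label_objects
        bodies.append(body)
    return bodies


# Sample input taken from the page's own input example (the UUID is the page's
# illustrative value, not a real instance).
SAMPLE_CUSTOMER_ID = "c8c65bfa-5f2c-42d4-9189-64bb7b939f2c"
SAMPLE_LINES = [
    "26-Feb-2019 13:35:02.187 client 10.120.20.32#4238: query: altostrat.com IN A + (203.0.113.102)",
    "26-Feb-2019 13:37:04.523 client 10.50.100.33#1116: query: examplepetstore.com IN A + (203.0.113.102)",
    "26-Feb-2019 13:39:01.115 client 10.1.2.3#3333: query: www.example.com IN A + (203.0.113.102)",
]


def sample_batches() -> List[dict]:
    """Three entries, batch size 2: yields two request bodies."""
    entries = [
        make_entry(SAMPLE_LINES[0], ts_epoch_microseconds=1551188102187000),
        make_entry(SAMPLE_LINES[1], ts_rfc3339="2019-02-26T13:37:04.523-08:00"),
        make_entry(SAMPLE_LINES[2]),
    ]
    return build_batches(SAMPLE_CUSTOMER_ID, "BIND_DNS", entries,
                         labels={"key_name_one": "value_one"}, batch_size=2)


if __name__ == "__main__":
    for body in sample_batches():
        print(body["log_type"], len(body["entries"]), "entries")
```

Note that the page's own input example carries `"ts_rfc3339": "2019-26-02T13:37:04.523-08:00"`, which has day and month swapped; `parse_rfc3339` rejects it, which is the reason to validate timestamps client-side rather than discover the problem as a rejected or mis-timed batch.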
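For the Update Reference List action, the page notes that `content_type` must match the existing list's type and that `update_mask` selects the fields to change. Reference lists usually feed detection rules, so a malformed CIDR or regex line silently degrades coverage. The following Python is an added example, not connector or Google code: it validates each line against the declared content type, de-duplicates, and assembles the `parameters`/`json_body` pair in the shape of the page's input example. The `list.description` mask value and the `build_list_update` function are this example's assumptions; only `list.lines` appears on the page.

```python
import ipaddress
import re
from typing import List, Optional

# Content types named on the page; the first is the default when omitted.
CONTENT_TYPES = ("CONTENT_TYPE_DEFAULT_STRING", "REGEX", "CIDR")


def validate_lines(lines: List[str], content_type: str) -> List[str]:
    """Check every line against the list's content type and drop exact duplicates."""
    if content_type not in CONTENT_TYPES:
        raise ValueError(f"content_type must be one of {CONTENT_TYPES}, got {content_type!r}")
    cleaned: List[str] = []
    for raw in lines:
        if not isinstance(raw, str) or not raw.strip():
            raise ValueError(f"empty or non-string line: {raw!r}")
        line = raw.strip()
        if content_type == "CIDR":
            try:
                # strict=False tolerates host bits set, as in the page's "1.2.3.4/24".
                ipaddress.ip_network(line, strict=False)
            except ValueError:
                raise ValueError(f"not a valid CIDR: {line!r}") from None
        elif content_type == "REGEX":
            # Pre-check only: Python's re accepts some syntax (e.g. backreferences)
            # that an RE2-style engine rejects, so this catches gross errors, not all.
            try:
                re.compile(line)
            except re.error as exc:
                raise ValueError(f"not a valid regex: {line!r} ({exc})") from None
        if line not in cleaned:
            cleaned.append(line)
    return cleaned


def build_list_update(name: str, lines: Optional[List[str]] = None,
                      description: Optional[str] = None,
                      content_type: str = "CONTENT_TYPE_DEFAULT_STRING") -> dict:
    """Assemble the PATCH /v2/lists request with an update_mask covering only the supplied fields."""
    if not name.strip():
        raise ValueError("name is required")
    if lines is None and description is None:
        raise ValueError("nothing to update: supply lines and/or description")
    update_mask: List[str] = []
    body = {"name": name, "content_type": content_type}
    if lines is not None:
        body["lines"] = validate_lines(lines, content_type)
        update_mask.append("list.lines")          # mask value shown on the page
    if description is not None:
        body["description"] = description
        update_mask.append("list.description")    # assumed by analogy with list.lines
    return {"parameters": {"update_mask": update_mask}, "json_body": body}


if __name__ == "__main__":
    # Constructed sample: a CIDR list with one duplicate line.
    req = build_list_update("blocked_ranges", ["10.0.0.0/8", "192.0.2.0/24", "10.0.0.0/8"],
                            content_type="CIDR")
    print(req["parameters"]["update_mask"], req["json_body"]["lines"])
```

Because `update_mask` is derived from the arguments actually passed, a call that only fixes the description cannot accidentally overwrite the list's lines with an empty array.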