# Google Chronicle SIEM
The Google Chronicle SIEM connector facilitates the automation of security event management and analysis by integrating with Swimlane Turbine. Google Chronicle SIEM is a powerful security information and event management platform that enables organizations to analyze and store petabytes of security telemetry. This connector allows Swimlane Turbine users to integrate with Google Chronicle SIEM, providing capabilities such as creating log entries, fetching alerts, and updating reference lists. By leveraging this integration, users can enhance their security operations with advanced threat detection, streamlined incident response, and enriched security data analysis directly within the Swimlane Turbine platform.

## Limitations

None to date.

## Supported versions

This Google Chronicle SIEM connector uses the latest version of the API.

## Additional docs

- Google Chronicle SIEM API documentation: https://cloud.google.com/chronicle/docs/reference/reference-lists-api

## Configuration

### Prerequisites

To effectively utilize the Google Chronicle SIEM connector with Swimlane Turbine, ensure you have the following:

- OAuth 2.0 authentication credentials with the following parameters:
  - Service Account Info: a JSON file containing your service account credentials
  - URL: the endpoint URL for the Google Chronicle SIEM API

### Authentication methods

#### OAuth 2.0 Client Credentials Authentication

To effectively utilize the Google Chronicle SIEM connector within Swimlane Turbine, ensure you have the following prerequisites:

- OAuth 2.0 authentication for Google Chronicle SIEM with these parameters:
  - Service Account Info: a JSON file containing your service account credentials
  - URL: the endpoint URL for the Google Chronicle SIEM API

### GCP project creation

1. Log in to the GCP console: https://console.cloud.google.com/
2. Navigate to this link to create a new project: https://console.cloud.google.com/projectcreate
3. Name your project and click Create. We recommend specific and recognizable project names.
4. Navigate to your projects and select your new project.

### Enable the Google Chronicle API

1. Go to the APIs & Services dashboard in the Cloud Console.
2. Click on the "Enable APIs and Services" button.

## Asset configuration

### Configuring a service account

The Google Chronicle SIEM connector requires a Google service account to authenticate.

1. Open https://console.developers.google.com/iam-admin/serviceaccounts
2. Select the appropriate project.
3. Click "+ Create New Service Account".
4. Assign a name for the service account and add a description, then click "Create and Continue".
5. Click the "Select a role" dropdown and type "Owner" in the filter. Choose Owner and Chronicle API Admin, then click Continue.
6. For the menu specifying "Grant users access to this service account (optional)", you may select users or skip and click Done. This is not required for the connector.
7. Click on the newly created service account email.
8. Navigate to the Keys menu.
9. Click "Add Key", select "Create new key", select JSON format, and click Create.
10. Make sure you download the JSON file presented. The JSON needs to be passed in the asset input Service Account Info as a base64-encoded string. This file will be needed when configuring the asset in Swimlane.

### Setting API scopes

After creating a service account, the necessary API scopes required to be authorized must be set.

1. From https://admin.google.com/, navigate to Security > API Controls and then click "Manage Domain Wide Delegation" at the bottom of the window.
2. Click "Add new".
3. In the Client ID field, enter the Unique ID from the service account Details menu.
4. Enter the following CSV value into the "OAuth scopes (comma-delimited)" input: `https://www.googleapis.com/auth/chronicle-backstory`
5. Click Authorize.

## Capabilities

This Google Chronicle SIEM connector provides the following capabilities:

- Create Entities
- Fetch Alerts
- Log Types
- UDM Events
- Unstructured Log Entries
- Update Alert
- Update Reference List

### Create Entities

Creates entities. Reference: https://cloud.google.com/chronicle/docs/reference/ingestion-api#createentities

### Fetch Alerts

Legacy streaming endpoint for getting alerts (and in some cases, non-alerting detections) along with aggregated fields that match the query. Reference: https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances.legacy/legacyFetchAlertsView?rep_location=us

### Log Types

Retrieve a list of supported log types. Reference: https://cloud.google.com/chronicle/docs/reference/ingestion-api#logtypes

### UDM Events

Forwards UDM events to Google SecOps in batches. Reference: https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances/udmSearch

### Unstructured Log Entries

Forwards unstructured log entries to Google SecOps one batch at a time. Reference: https://cloud.google.com/chronicle/docs/reference/ingestion-api#unstructuredlogentries

### Update Alert

Legacy endpoint for updating an alert. Reference: https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances.legacy/legacyUpdateAlert#legacyfeedback

### Update Reference List

Updates an existing list. Reference: https://cloud.google.com/chronicle/docs/reference/reference-lists-api#updatereferencelist

## Regional endpoints

Chronicle provides regional endpoints for each API.

| Region | Endpoint |
| --- | --- |
| European Multi-Region | https://europe-backstory.googleapis.com/ |
| Tel Aviv | https://me-west1-backstory.googleapis.com/ |
| London | https://europe-west2-backstory.googleapis.com/ |
| Singapore | https://asia-southeast1-backstory.googleapis.com/ |
| Sydney | https://australia-southeast1-backstory.googleapis.com/ |
| United States Multi-Region | https://backstory.googleapis.com/ |

## Configurations

### Google Chronicle SIEM Authentication

OAuth 2.0 authentication for Google Chronicle SIEM.

#### Configuration parameters

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| b64_service_info | Base64-encoded credentials JSON authentication file contents | string | Required |
| url | Server API address | string | Required |
| verify_ssl | Verify SSL certificate | boolean | Optional |
| http_proxy | A proxy to route requests through | string | Optional |

## Actions

### Create Entries

Creates new log entries in Google Chronicle SIEM for a given customer ID and log type with detailed entity information.

Endpoint URL: `/v2/entities:batchCreate`

Method: POST

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| customer_id | string | Required | Unique identifier (UUID) corresponding to a particular Google SecOps instance. Provided by your Google SecOps representative. |
| log_type | string | Required | Any log type value returned by the logtypes endpoint. |
| entities | array | Required | Array of entities |
| metadata | object | Optional | Response data |
| collected_timestamp | string | Optional | Parameter for Create Entries |
| entity_type | string | Optional | Type of the resource |
| vendor_name | string | Optional | Name of the resource |
| product_name | string | Optional | Name of the resource |
| entity | object | Optional | Parameter for Create Entries |
| user | object | Optional | Parameter for Create Entries |
| userid | string | Optional | Unique identifier |
| product_object_id | string | Optional | Unique identifier |

### Fetch Alerts

Retrieve alerts and detections from Google Chronicle SIEM using specified queries and time range, requiring instance, baselineQuery, snapshotQuery, start time, and end time parameters.

Endpoint URL: `v1alpha/{{instance}}/legacy:legacyFetchAlertsView`

Method: GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| baselineQuery | string | Required | The baseline query to search for. The baseline query is used for this request and its results are cached for subsequent requests, so that supplying additional filters in the snapshotQuery will not require re-running the baseline query. |
| snapshotQuery | string | Required | The snapshot query to search for. This uses a syntax similar to UDM search, with support for all fields within 7 levels of nesting within the collection proto. For composite detections, the filters prefixed with "collectionElements.references.event" or "collectionElements.references.entity" are also checked against one level of producer detections. |
| time_range.start_time | string | Required | The start of the time range of alerts to search for. |
| time_range.end_time | string | Required | The end of the time range of alerts to search for. |
| alertListOptions.maxReturnedAlerts | number | Optional | The maximum number of alerts to return. |
| alertListOptions.entityIndicator.indicatorNamespace | string | Optional | Name of the resource |
| alertListOptions.entityIndicator.hostname | string | Optional | Name of the resource |
| alertListOptions.entityIndicator.assetIpAddress | string | Optional | Parameter for Fetch Alerts |
| alertListOptions.entityIndicator.mac | string | Optional | Parameter for Fetch Alerts |
| alertListOptions.entityIndicator.productId | string | Optional | Unique identifier |
| alertListOptions.entityIndicator.username | string | Optional | Name of the resource |
| alertListOptions.entityIndicator.email | string | Optional | Parameter for Fetch Alerts |
| alertListOptions.entityIndicator.employeeId | string | Optional | Unique identifier |
| alertListOptions.entityIndicator.windowsSid | string | Optional | Unique identifier |
| alertListOptions.entityIndicator.productObjectId | string | Optional | Unique identifier |
| alertListOptions.entityIndicator.rawPid | string | Optional | Unique identifier |
| alertListOptions.entityIndicator.processId | string | Optional | Unique identifier |
| alertListOptions.entityIndicator.fullCommandLine | string | Optional | Parameter for Fetch Alerts |
| alertListOptions.entityIndicator.parentProcessId | string | Optional | Unique identifier |
| alertListOptions.entityIndicator.hashMd5 | string | Optional | Parameter for Fetch Alerts |
| alertListOptions.entityIndicator.hashSha1 | string | Optional | Parameter for Fetch Alerts |
| alertListOptions.entityIndicator.hashSha256 | string | Optional | Parameter for Fetch Alerts |
| alertListOptions.entityIndicator.filePath | string | Optional | Parameter for Fetch Alerts |
| alertListOptions.entityIndicator.destinationIpAddress | string | Optional | Parameter for Fetch Alerts |
| alertListOptions.entityIndicator.domainName | string | Optional | Name of the resource |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| data | object | Response data |

Example:

```json
[
  {
    "data": {}
  }
]
```

### Log Types

Retrieve supported log types from Google Chronicle SIEM for integration and analysis purposes.

Endpoint URL: `/v2/logtypes`

Method: GET

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| logTypes | array | Type of the resource |
| log_type | string | Type of the resource |
| description | string | Output field description |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "logTypes": []
    }
  }
]
```

### UDM Events

Forwards batches of user defined management (UDM) events to Google Chronicle SIEM, requiring instance path, query, and a specified time range.

Endpoint URL: `v1alpha/{{instance_path}}:udmSearch`

Method: POST

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| instance_path | string | Required | Parameter for UDM Events |
| query | string | Required | The boolean query to search for. Example: `ip=/172./ and metadata.event_type!="NETWORK_CONNECTION" and (target.ip = "3.225.179.73" or target.ip = "23.47.48.70")` |
| time_range.start_time | string | Required | The start of the time range of events to search for. |
| time_range.end_time | string | Required | The end of the time range of events to search for. |
| limit | number | Optional | Maximum number of results to be returned for the query. Anything over 10000 will be coerced to 10000. |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| data | object | Response data |

Example:

```json
[
  {
    "data": {}
  }
]
```

### Unstructured Log Entries

Forwards batches of unstructured log entries to Google Chronicle SIEM, utilizing customer ID, log type, namespace, and entries.

Endpoint URL: `/v2/unstructuredlogentries:batchCreate`

Method: POST

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| customer_id | string | Required | Unique identifier (UUID) corresponding to a particular Google SecOps instance. Provided by your Google SecOps representative. |
| log_type | string | Required | Identifies the log entries in the batch (for example, WINDOWS_DNS). |
| namespace | string | Required | User-configured environment namespace to identify the data domain the logs originated from. Use namespace as a tag to identify the appropriate data domain for indexing and enrichment functionality. |
| labels | array | Optional | Array of objects containing the key-value pairs for labels to be applied to the logs. |
| key | string | Optional | Name of a key for applying a label |
| value | string | Optional | Value for applying a label |
| entries | array | Required | Array of objects containing the fields for the raw log and its timestamp. |
| log_text | string | Optional | Text of the raw log entry. This should not contain any binary data and should only use UTF-8 strings. |
| ts_epoch_microseconds | number | Optional | Unix timestamp in microseconds associated with the log entry. |
| ts_rfc3339 | string | Optional | Timestamp associated with the log entry in RFC 3339 format. |

### Update Alert

Updates an existing alert in Google Chronicle SIEM using the specified instance and alert ID, with provided feedback.

Endpoint URL: `v1alpha/{{instance}}/legacy:legacyUpdateAlert`

Method: POST

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| instance | string | Required | Chronicle instance this request is sent to. |
| alertId | string | Required | The unique identifier for the alert to be updated. |
| feedback | object | Required | Parameter for Update Alert |
| verdict | string | Optional | A verdict on whether the finding reflects a security inc |
| reputation | string | Optional | A categorization of the finding as useful or not useful. |
| confidenceScore | number | Optional | Confidence score (0-100) of the finding. |
| riskScore | number | Optional | Risk score (0-100) of the finding. |
| disregarded | boolean | Optional | Analyst disregard (or un-disregard) the event. |
| severity | number | Optional | Severity score (1-100) of the finding. |
| comment | string | Optional | Analyst comment. |
| status | string | Optional | The status of the alert. |
| priority | string | Optional | The priority of the alert. |
| rootCause | string | Optional | The root cause of the alert. |
| reason | string | Optional | The reason for the alert. |
| severityDisplay | string | Optional | Severity display name for UI and filtering. |
| triageAgentInvestigationId | string | Optional | Output only. Investigation ID of the latest investigation performed by the triage agent on the alert. The triage agent is designed to autonomously investigate alerts and determine whether an alert needs to be escalated to a human, while providing transparency about the actions it took as part of its investigation. |
| userType | string | Optional | Output only. Type of user that submitted or updated the feedback. This field is used to distinguish between feedback submitted by a human analyst and an AI agent. By default, the user is assumed to be a human analyst. |
| caseName | string | Optional | The case name that the alert is associated with. |
| responsePlatformInfo | object | Optional | The response platform info of the alert. |
| alertId | string | Optional | ID of the alert in the SOAR product. |
| responsePlatformType | string | Optional | Type of SOAR product. |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| data | object | Response data |

Example:

```json
[
  {
    "data": {}
  }
]
```

### Update Reference List

Updates a specific reference list with new entries in Google Chronicle SIEM, using `update_mask` for precise modifications.

Endpoint URL: `/v2/lists`

Method: PATCH

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| update_mask | array | Required | Mask that identifies which fields on the list to update. |
| name | string | Required | Unique name for the list. |
| description | string | Optional | Description of the list. |
| lines | array | Required | List of line items. |
| content_type | string | Optional | Type of list content: "CONTENT_TYPE_DEFAULT_STRING", "REGEX", or "CIDR". Must match the type of the existing list you are updating. If omitted, defaults to "CONTENT_TYPE_DEFAULT_STRING". |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| name | string | Name of the resource |
| description | string | Output field description |
| lines | array | Output field lines |
| create_time | string | Time value |
| content_type | string | Type of the resource |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "name": "list name",
      "description": "description of the list",
      "lines": [],
      "create_time": "2020-11-20T17:18:20.409247Z",
      "content_type": "CIDR"
    }
  }
]
```
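The asset configuration above takes the downloaded service-account key file as a base64 string (`b64_service_info`) and a regional base URL (`url`), and each action supplies a relative endpoint path with `{{instance}}`-style placeholders. The following Python is an added example written for this page, not Swimlane's connector code or Google's client library: it encodes a constructed, placeholder key file into the asset value, decodes and validates it before use (the required-key set is an assumption about what a Google service-account key file carries), produces a log-safe summary that never includes the private key, and joins a regional endpoint from the table with an action path. All function names and sample values are hypothetical.

```python
import base64
import json

# Regional base URLs copied from the "Regional endpoints" table on this page.
REGIONAL_ENDPOINTS = {
    "European Multi-Region": "https://europe-backstory.googleapis.com/",
    "Tel Aviv": "https://me-west1-backstory.googleapis.com/",
    "London": "https://europe-west2-backstory.googleapis.com/",
    "Singapore": "https://asia-southeast1-backstory.googleapis.com/",
    "Sydney": "https://australia-southeast1-backstory.googleapis.com/",
    "United States Multi-Region": "https://backstory.googleapis.com/",
}

# OAuth scope authorised under domain-wide delegation (from the API scopes section).
CHRONICLE_SCOPE = "https://www.googleapis.com/auth/chronicle-backstory"

# Assumption: keys a Google service-account key file always carries. We refuse
# the asset input if any is missing, so a truncated or wrong file fails early.
REQUIRED_KEYS = ("type", "project_id", "private_key", "client_email", "token_uri")

# Constructed sample key file: placeholder values only, not a real credential.
SAMPLE_SERVICE_ACCOUNT = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0000000000000000000000000000000000000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "turbine-chronicle@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "token_uri": "https://oauth2.googleapis.com/token",
}


def encode_service_info(service_account: dict) -> str:
    """Turn the key-file JSON into the b64_service_info asset value."""
    raw = json.dumps(service_account).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_service_info(b64_service_info: str) -> dict:
    """Decode and validate b64_service_info; raises ValueError on bad input."""
    try:
        raw = base64.b64decode(b64_service_info, validate=True)
        info = json.loads(raw)
    except ValueError as exc:  # binascii.Error and JSONDecodeError both subclass ValueError
        raise ValueError("b64_service_info is not base64-encoded JSON") from exc
    if not isinstance(info, dict) or info.get("type") != "service_account":
        raise ValueError('service account JSON must have "type": "service_account"')
    missing = [key for key in REQUIRED_KEYS if not info.get(key)]
    if missing:
        raise ValueError("service account JSON is missing: " + ", ".join(missing))
    return info


def redact_service_info(info: dict) -> dict:
    """Summary that is safe to log or put in an error message: no private key."""
    return {"project_id": info["project_id"], "client_email": info["client_email"]}


def action_url(base_url: str, endpoint_path: str, **substitutions: str) -> str:
    """Join the asset URL with an action path, filling {{placeholders}} such as {{instance}}."""
    path = endpoint_path
    for name, value in substitutions.items():
        path = path.replace("{{" + name + "}}", value.strip("/"))
    if "{{" in path:
        raise ValueError("unfilled placeholder in endpoint path: " + path)
    return base_url.rstrip("/") + "/" + path.lstrip("/")


if __name__ == "__main__":
    asset_value = encode_service_info(SAMPLE_SERVICE_ACCOUNT)
    info = decode_service_info(asset_value)
    print("validated asset for", redact_service_info(info))
    print(action_url(REGIONAL_ENDPOINTS["London"], "/v2/logtypes"))
```

The placeholder substitution is what turns the page's `v1alpha/{{instance}}/legacy:legacyFetchAlertsView` into a concrete URL once the Chronicle instance resource name is known; leaving a placeholder unfilled is treated as an error rather than sent to the API.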
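The Unstructured Log Entries action requires a UUID `customer_id`, a `log_type`, a `namespace`, and `entries` whose `log_text` must be UTF-8 with no binary data and whose timestamp is given as `ts_epoch_microseconds` or `ts_rfc3339`. The following Python is an added example, not the connector's own code: it builds one batch body from constructed raw lines, rejecting non-UTF-8 bytes and control characters before they reach the API and deriving both timestamp forms from a timezone-aware `datetime`. The sample customer ID, log lines and function names are constructed.

```python
import re
import uuid
from datetime import datetime, timedelta, timezone

# Control characters other than tab, LF and CR: a sign of binary data, which the
# action says log_text must not contain.
_BINARY_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")
_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed placeholder UUID and DNS-style lines for the demo (not real data).
SAMPLE_CUSTOMER_ID = "00000000-0000-4000-8000-000000000000"
SAMPLE_LOGS = [
    (b"2024-05-01T12:00:00Z client=10.1.2.3 query=login.example.com type=A",
     datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)),
    ("2024-05-01T12:00:01Z client=10.1.2.4 query=updates.example.net type=AAAA",
     datetime(2024, 5, 1, 12, 0, 1, tzinfo=timezone.utc)),
]


def clean_log_text(raw) -> str:
    """Return raw as str, rejecting invalid UTF-8 and binary control characters."""
    if isinstance(raw, bytes):
        try:
            text = raw.decode("utf-8")  # strict decode: invalid sequences raise
        except UnicodeDecodeError as exc:
            raise ValueError("log entry is not valid UTF-8") from exc
    elif isinstance(raw, str):
        text = raw
    else:
        raise TypeError("log entry must be str or bytes")
    if _BINARY_CHARS.search(text):
        raise ValueError("log entry contains binary/control characters")
    return text


def to_epoch_micros(ts: datetime) -> int:
    """Integer microseconds since the Unix epoch, for ts_epoch_microseconds."""
    if ts.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return (ts - _EPOCH) // timedelta(microseconds=1)


def to_rfc3339(ts: datetime) -> str:
    """UTC RFC 3339 string with a Z suffix, for ts_rfc3339."""
    if ts.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return ts.astimezone(timezone.utc).isoformat().replace("+00:00", "Z")


def build_unstructured_batch(customer_id: str, log_type: str, namespace: str,
                             raw_logs, labels: dict = None) -> dict:
    """Build the request body for /v2/unstructuredlogentries:batchCreate."""
    customer_id = str(uuid.UUID(customer_id))  # the action requires a UUID; ValueError otherwise
    if not log_type or not namespace:
        raise ValueError("log_type and namespace are required")
    body = {"customer_id": customer_id, "log_type": log_type,
            "namespace": namespace, "entries": []}
    if labels:
        body["labels"] = [{"key": k, "value": v} for k, v in labels.items()]
    for raw, ts in raw_logs:
        # The action accepts either timestamp field; ts_rfc3339 is used here.
        body["entries"].append({"log_text": clean_log_text(raw),
                                "ts_rfc3339": to_rfc3339(ts)})
    if not body["entries"]:
        raise ValueError("batch has no entries")
    return body


if __name__ == "__main__":
    batch = build_unstructured_batch(SAMPLE_CUSTOMER_ID, "WINDOWS_DNS", "corp-dns",
                                     SAMPLE_LOGS, labels={"source": "turbine"})
    print(len(batch["entries"]), "entries in batch for", batch["log_type"])
```

Validating the text before submission matters operationally: a forwarder that passes raw bytes through unchanged can ship a batch the ingestion endpoint rejects, and the failure surfaces far from the host that produced the bad line.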
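The Update Alert action's `feedback` object mixes caller-settable fields with bounded scores (`confidenceScore` and `riskScore` 0-100, `severity` 1-100) and two fields the page marks output only (`triageAgentInvestigationId`, `userType`). The following Python is an added example, not the connector's code: it sanitizes an analyst's feedback before the request is built, enforcing the documented ranges and dropping the output-only fields. The sample verdict and status strings are constructed values and are not validated against the API's enumerations.

```python
# Score fields and the ranges the action's input table documents for them.
SCORE_RANGES = {"confidenceScore": (0, 100), "riskScore": (0, 100), "severity": (1, 100)}
# Marked "Output only" on the page: set by Chronicle, never by the caller.
OUTPUT_ONLY = {"triageAgentInvestigationId", "userType"}
STRING_FIELDS = {"verdict", "reputation", "comment", "status", "priority",
                 "rootCause", "reason", "severityDisplay", "caseName"}
RESPONSE_PLATFORM_KEYS = {"alertId", "responsePlatformType"}

# Constructed sample feedback as an analyst form might submit it.
SAMPLE_FEEDBACK = {
    "verdict": "FALSE_POSITIVE",       # constructed value
    "status": "CLOSED",                # constructed value
    "riskScore": 10,
    "confidenceScore": 90,
    "disregarded": True,
    "comment": "Benign: scheduled vulnerability scan from the approved scanner range.",
    "triageAgentInvestigationId": "inv-0001",  # output-only, must be dropped
    "responsePlatformInfo": {"alertId": "case-1234", "responsePlatformType": "SWIMLANE"},
}


def sanitize_feedback(feedback: dict):
    """Return (clean_feedback, dropped_fields); raise ValueError on invalid input."""
    clean, dropped = {}, []
    for field, value in feedback.items():
        if field in OUTPUT_ONLY:
            dropped.append(field)
            continue
        if value is None:
            continue
        if field in SCORE_RANGES:
            lo, hi = SCORE_RANGES[field]
            # bool is an int subclass, so exclude it explicitly
            if isinstance(value, bool) or not isinstance(value, int) or not lo <= value <= hi:
                raise ValueError(f"{field} must be an integer in [{lo}, {hi}], got {value!r}")
        elif field == "disregarded":
            if not isinstance(value, bool):
                raise ValueError("disregarded must be a boolean")
        elif field in STRING_FIELDS:
            if not isinstance(value, str) or not value.strip():
                raise ValueError(f"{field} must be a non-empty string")
        elif field == "responsePlatformInfo":
            if not isinstance(value, dict) or set(value) - RESPONSE_PLATFORM_KEYS:
                raise ValueError("responsePlatformInfo accepts only alertId and responsePlatformType")
        else:
            raise ValueError("unknown feedback field: " + field)
        clean[field] = value
    if not clean:
        raise ValueError("feedback must set at least one field")
    return clean, dropped


def build_update_alert_body(instance: str, alert_id: str, feedback: dict) -> dict:
    """Assemble the inputs for v1alpha/{{instance}}/legacy:legacyUpdateAlert."""
    clean, _ = sanitize_feedback(feedback)
    return {"instance": instance, "alertId": alert_id, "feedback": clean}


if __name__ == "__main__":
    clean, dropped = sanitize_feedback(SAMPLE_FEEDBACK)
    print("dropped output-only fields:", dropped)
    print(build_update_alert_body("projects/p/locations/us/instances/i", "alert-1", SAMPLE_FEEDBACK))
```

Returning the dropped fields alongside the cleaned object lets a playbook log that an output-only value was discarded instead of silently changing what the analyst submitted.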
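The Update Reference List action replaces a list's `lines` under an `update_mask`, and `content_type` must match the existing list ("CONTENT_TYPE_DEFAULT_STRING", "REGEX" or "CIDR"). Because reference lists typically feed detection rules, a malformed entry is a detection-quality problem, not just an API error. The following Python is an added example, not the connector's code: it validates every line for the declared content type before building the PATCH body (CIDR entries via `ipaddress`, regex entries via Python's `re`, which is an approximation of Chronicle's regex dialect), de-duplicates while preserving order, and emits `update_mask` as the array of field names the input table describes. Function names and sample lines are constructed.

```python
import ipaddress
import re

CONTENT_TYPES = ("CONTENT_TYPE_DEFAULT_STRING", "REGEX", "CIDR")

# Constructed sample: an allow-list of scanner ranges, with whitespace and a duplicate.
SAMPLE_CIDRS = ["10.0.0.0/8", " 192.168.1.0/24", "10.0.0.0/8"]


def validate_line(line, content_type: str) -> str:
    """Return the normalised line or raise ValueError if it is not valid for content_type."""
    if not isinstance(line, str) or not line.strip():
        raise ValueError("reference list lines must be non-empty strings")
    if "\n" in line or "\r" in line:
        raise ValueError("a line may not contain line breaks")
    line = line.strip()
    if content_type == "CIDR":
        # strict=True rejects host bits set in the prefix (e.g. 10.0.0.1/8),
        # which would otherwise be silently accepted or mis-scoped.
        ipaddress.ip_network(line, strict=True)
    elif content_type == "REGEX":
        try:
            re.compile(line)  # assumption: Python re as a stand-in for Chronicle's dialect
        except re.error as exc:
            raise ValueError("invalid regex line: " + line) from exc
    return line


def build_reference_list_update(name: str, lines, content_type: str = "CONTENT_TYPE_DEFAULT_STRING",
                                description: str = None) -> dict:
    """Build the PATCH /v2/lists body for the Update Reference List action."""
    if content_type not in CONTENT_TYPES:
        raise ValueError("content_type must be one of " + ", ".join(CONTENT_TYPES))
    if not name or not name.strip():
        raise ValueError("name is required")
    seen, clean = set(), []
    for line in lines:
        value = validate_line(line, content_type)
        if value not in seen:  # de-duplicate, keep first occurrence order
            seen.add(value)
            clean.append(value)
    if not clean:
        raise ValueError("an update must contain at least one line")
    body = {"update_mask": ["lines"], "name": name, "lines": clean, "content_type": content_type}
    if description is not None:
        body["update_mask"].append("description")
        body["description"] = description
    return body


if __name__ == "__main__":
    print(build_reference_list_update("approved_scanner_ranges", SAMPLE_CIDRS, "CIDR",
                                      description="Ranges of the approved vulnerability scanners"))
```

Including `description` in `update_mask` only when one is supplied keeps the PATCH from blanking an existing description, which is the kind of side effect a mask-based update is meant to prevent.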