Integrate Siemplify with Google SecOps
Integration version: 94.0
This document explains how to integrate Siemplify with Google Security Operations (Google SecOps).
Use cases
The Siemplify integration can address the following use cases:
- Phishing investigation: Use Google SecOps capabilities to automate the process of analyzing phishing emails, extracting indicators of compromise (IOCs), and enriching them with threat intelligence.
- Malware containment: Use Google SecOps capabilities to automatically isolate infected endpoints, initiate scans, and quarantine malicious files upon detection of malware.
- Vulnerability management: Use Google SecOps capabilities to orchestrate vulnerability scans, prioritize vulnerabilities based on risk, and automatically create tickets for remediation.
- Threat hunting: Use Google SecOps capabilities to automate running of threat hunting queries across various security tools and datasets.
- Security alert triage: Use Google SecOps capabilities to automatically enrich security alerts with contextual information, correlate them with other events, and prioritize them based on severity.
- Incident response: Use Google SecOps capabilities to orchestrate the entire incident response process, from initial detection to containment and eradication.
- Compliance reporting: Use Google SecOps capabilities to automate the collection and analysis of security data for compliance reporting.
Integration parameters
The Siemplify integration requires the following parameters:
| Parameter | Description |
|---|---|
| Monitors Mail Recipients | Required. A comma-separated list of email addresses for validation in the integration's email-related workflows. This list is used to define the recipients for processing. The default value is |
| Elastic Server Address | Required. The address of the Elastic server used to connect to the Siemplify database. This is typically the address of the host machine where the Elastic instance runs. The default value is |
For instructions about how to configure an integration in Google SecOps, see Configure integrations.
You can make changes at a later stage, if needed. After you configure an integration instance, you can use it in playbooks. For more information about how to configure and support multiple instances, see Supporting multiple instances.
Actions
For more information about actions, see Respond to pending actions from Your Workdesk and Perform a manual action.
Add Entity Insight
Use the Add Entity Insight action to add an insight to a Google SecOps entity in Siemplify.
This action runs on all Google SecOps entities.
Action inputs
The Add Entity Insight action requires the following parameters:
| Parameter | Description |
|---|---|
| Message | Required. The message to add to the entity. This parameter supports HTML elements, such as headings (`<h1></h1>`, `<h2></h2>`), paragraphs (`<p></p>`), text formatting (`<b></b>`, `<i></i>`, `<br>`), and links (`<a href="example.com"></a>`). |
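Because the Message parameter is rendered as HTML, any value copied into it from an entity (a hostname, a URL, a user name supplied by an attacker-controlled log source) should be escaped so that only the template you wrote is interpreted as markup. The helper below is an added example, not code from the integration or the Siemplify SDK; it uses only the elements the page lists, and the function and parameter names (`build_entity_insight`, `safe_text`, the `fields` mapping) are assumptions for the illustration.

```python
import html
from urllib.parse import urlsplit

# Elements the Add Entity Insight message supports, per the page.
ALLOWED_TAGS = ("h1", "h2", "p", "b", "i", "br", "a")


def safe_text(value):
    """Escape an untrusted value so it renders as text, not markup.

    quote=True also escapes " and ', so the value is safe inside an attribute.
    """
    return html.escape(str(value), quote=True)


def safe_link(url):
    """Accept only http(s) links for <a href>; escaping alone does not stop javascript: URLs."""
    if urlsplit(url).scheme.lower() not in ("http", "https"):
        raise ValueError("insight links must use http or https")
    return safe_text(url)


def build_entity_insight(title, fields, link=None):
    """Compose an insight message: the template is HTML, every inserted value is escaped.

    fields: mapping of label -> value, e.g. {"Hostname": entity_identifier}.
    """
    parts = [f"<h2>{safe_text(title)}</h2>"]
    for name, value in fields.items():
        parts.append(f"<p><b>{safe_text(name)}:</b> {safe_text(value)}</p>")
    if link:
        href = safe_link(link)
        parts.append(f'<p><a href="{href}">{href}</a></p>')
    return "".join(parts)


if __name__ == "__main__":
    # Constructed sample: an entity identifier carrying markup characters.
    print(build_entity_insight("Enrichment", {"Hostname": "host<script>alert(1)</script>"},
                               link="https://example.com/report?id=1&view=full"))
```

The escaped message still uses the headings, paragraphs and links the action allows; only the data inside them is neutralized.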
Action outputs
The Add Entity Insight action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Add Entity Insight action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Add Entity Insight". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Add Entity Insight action:
| Script result name | Value |
|---|---|
| is_success | true or false |
Add General Insight
Use the Add General Insight action to add a general insight to the case.
This action doesn't run on Google SecOps entities.
Action inputs
The Add General Insight action requires the following parameters:
| Parameter | Description |
|---|---|
| Title | Required. The title of the insight. |
| Message | Required. The message to add to the entity. This parameter supports HTML elements, such as headings (`<h1></h1>`, `<h2></h2>`), paragraphs (`<p></p>`), text formatting (`<b></b>`, `<i></i>`, `<br>`), and links (`<a href="example.com"></a>`). |
| Triggered By | Optional. A free-text field to provide a justification for the insight, explaining why it was added to the case. |
Action outputs
The Add General Insight action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Add General Insight action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Add General Insight". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Add General Insight action:
| Script result name | Value |
|---|---|
| is_success | true or false |
Add Tags To Similar Cases
Use the Add Tags To Similar Cases action to add tags to similar cases.
To find similar cases, the action uses the siemplify.get_similar_cases() function to retrieve a list of case IDs based on a set of criteria and parameters.
The logical AND operator is applied to the Rule Generator, Port, Category Outcome, and Entity Identifier parameters to filter for cases that match all specified criteria.
This action doesn't run on Google SecOps entities.
Action inputs
The Add Tags To Similar Cases action requires the following parameters:
| Parameter | Description |
|---|---|
| Rule Generator | Optional. If selected, the action searches for similar cases using the rule generator. Enabled by default. |
| Port | Optional. If selected, the action searches for similar cases using port numbers. Enabled by default. |
| Category Outcome | Optional. If selected, the action searches for similar cases using the category outcome. Enabled by default. |
| Entity Identifier | Optional. If selected, the action searches for similar cases using the entity identifier. Enabled by default. |
| Days Back | Required. The number of days prior to the current date to search through for similar cases. |
| Tags | Required. A comma-separated list of tags to apply to the similar cases found. |
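The matching rule described above (logical AND over the enabled criteria, restricted to the Days Back window, then tagging every match) can be shown in plain Python. This is an added example, not the integration's code and not the implementation behind siemplify.get_similar_cases(); the case records, their field names (rule_generator, port, category_outcome, entity_identifier, created, tags) and the helper names are constructed for the illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed reference time and sample cases (not real Siemplify data).
NOW = datetime(2025, 1, 10, tzinfo=timezone.utc)
CASES = [
    {"id": 101, "rule_generator": "Malware", "port": 445, "category_outcome": "Blocked",
     "entity_identifier": "HOST-01", "created": NOW - timedelta(days=2), "tags": []},
    {"id": 102, "rule_generator": "Malware", "port": 445, "category_outcome": "Blocked",
     "entity_identifier": "HOST-02", "created": NOW - timedelta(days=5), "tags": []},
    {"id": 103, "rule_generator": "Malware", "port": 445, "category_outcome": "Blocked",
     "entity_identifier": "HOST-01", "created": NOW - timedelta(days=40), "tags": []},
    {"id": 104, "rule_generator": "Phishing", "port": 445, "category_outcome": "Blocked",
     "entity_identifier": "HOST-01", "created": NOW - timedelta(days=1), "tags": []},
]

# Action parameter name -> field it compares (assumed field names).
CRITERIA_FIELDS = {
    "Rule Generator": "rule_generator",
    "Port": "port",
    "Category Outcome": "category_outcome",
    "Entity Identifier": "entity_identifier",
}
ALL_CRITERIA = {name: True for name in CRITERIA_FIELDS}  # the page's defaults: all enabled


def find_similar_cases(current, cases, enabled, days_back, now=NOW):
    """Return IDs of cases that match the current case on every enabled criterion (AND)
    and were created within the last days_back days."""
    fields = [CRITERIA_FIELDS[name] for name, on in enabled.items() if on]
    # With no criterion enabled, all([]) is True and every case in the window would match;
    # refusing that case is this example's own safeguard, not documented behaviour.
    if not fields:
        raise ValueError("enable at least one similarity criterion")
    cutoff = now - timedelta(days=days_back)
    matches = []
    for case in cases:
        if case["id"] == current["id"] or case["created"] < cutoff:
            continue
        if all(case[f] == current[f] for f in fields):
            matches.append(case["id"])
    return matches


def parse_tags(tags_param):
    """Split the comma-separated Tags parameter, dropping blanks and surrounding spaces."""
    return [t.strip() for t in tags_param.split(",") if t.strip()]


def add_tags_to_similar_cases(current, cases, enabled, days_back, tags_param):
    """Apply the tags to every similar case and return the matched IDs (the SimilarCasesIds result)."""
    ids = find_similar_cases(current, cases, enabled, days_back)
    by_id = {c["id"]: c for c in cases}
    for cid in ids:
        for tag in parse_tags(tags_param):
            if tag not in by_id[cid]["tags"]:
                by_id[cid]["tags"].append(tag)
    return ids


if __name__ == "__main__":
    print(add_tags_to_similar_cases(CASES[0], CASES, ALL_CRITERIA, 60, "eicar,recurring"))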
Action outputs
The Add Tags To Similar Cases action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Add Tags To Similar Cases action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Add Tags To Similar Cases". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Add Tags To Similar Cases action:
| Script result name | Value |
|---|---|
| SimilarCasesIds | A list of similar case IDs. |
Add to Custom List
Use the Add to Custom List action to add an entity identifier to a categorized custom list and perform future comparisons in other actions.
This action runs on all Google SecOps entities.
Action inputs
The Add to Custom List action requires the following parameters:
| Parameter | Description |
|---|---|
| Category | Required. The name of the custom list category to add the entity identifier to. |
Action outputs
The Add to Custom List action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Add to Custom List action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Add to Custom List". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Add to Custom List action:
| Script result name | Value |
|---|---|
| is_success | true or false |
Assign Case
Use the Assign Case action to assign the case to a specific user or user group.
This action doesn't run on Google SecOps entities.
Action inputs
The Assign Case action requires the following parameters:
| Parameter | Description |
|---|---|
| Assigned User | Required. The user or user group to assign the case to. |
Action outputs
The Assign Case action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Assign Case action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Assign Case". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Assign Case action:
| Script result name | Value |
|---|---|
| is_success | true or false |
Attach Playbook to Alert
Use the Attach Playbook to Alert action to attach a specific playbook to the alert.
This action doesn't run on Google SecOps entities.
Action inputs
The Attach Playbook to Alert action requires the following parameters:
| Parameter | Description |
|---|---|
| Playbook Name | Required. The name of the playbook to attach to the current alert. |
| Allow Duplicates | Optional. If selected, the playbook can be attached to the alert more than once. Enabled by default. |
Action outputs
The Attach Playbook to Alert action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Attach Playbook to Alert action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Attach Playbook to Alert". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Attach Playbook to Alert action:
| Script result name | Value |
|---|---|
| Script Result | true or false |
Case Comment
Use the Case Comment action to add a comment to the case in which the current alert is grouped.
This action doesn't run on Google SecOps entities.
Action inputs
The Case Comment action requires the following parameters:
| Parameter | Description |
|---|---|
| Comment | Required. The comment to add to the case. |
Action outputs
The Case Comment action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Case Comment action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Case Comment". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Case Comment action:
| Script result name | Value |
|---|---|
| SuccessStatus | true or false |
Case Tag
Use the Case Tag action to add a tag to the case in which the current alert is grouped.
This action doesn't run on Google SecOps entities.
Action inputs
The Case Tag action requires the following parameters:
| Parameter | Description |
|---|---|
| Tag | Required. The tag to add to the case. |
Action outputs
The Case Tag action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Case Tag action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Case Tag". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Case Tag action:
| Script result name | Value |
|---|---|
| is_success | true or false |
Change Alert Priority
Use the Change Alert Priority action to update the priority of an alert in a case.
This action doesn't run on Google SecOps entities.
Action inputs
The Change Alert Priority action requires the following parameters:
| Parameter | Description |
|---|---|
| Alert Priority | Required. The new priority for the alert. If the alert priority is updated to be higher than the current case priority, the case's priority will automatically update to match the new, higher priority. The possible values are as follows: Informative, Low, Medium, High, Critical. |
Action outputs
The Change Alert Priority action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Change Alert Priority action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Change Alert Priority". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Change Alert Priority action:
| Script result name | Value |
|---|---|
| Script Result | true or false |
Change Case Stage
Use the Change Case Stage action to change the case stage.
This action doesn't run on Google SecOps entities.
Action inputs
The Change Case Stage action requires the following parameters:
| Parameter | Description |
|---|---|
| Stage | Required. The stage to move the case to. The possible values are as follows: Triage, Assessment, Investigation, Incident, Improvement, Research. |
Action outputs
The Change Case Stage action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Change Case Stage action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Change Case Stage". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Change Case Stage action:
| Script result name | Value |
|---|---|
| Script Result | true or false |
Change Priority
Use the Change Priority action to change the priority of the case.
This action doesn't run on Google SecOps entities.
Action inputs
The Change Priority action requires the following parameters:
| Parameter | Description |
|---|---|
| Priority | Required. The priority to set for the case. The possible values are as follows: Informative, Low, Medium, High, Critical. |
Action outputs
The Change Priority action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Change Priority action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Change Priority". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Change Priority action:
| Script result name | Value |
|---|---|
| Script Result | true or false |
Close Alert
Use the Close Alert action to close the alert.
This action doesn't run on Google SecOps entities.
Action inputs
The Close Alert action requires the following parameters:
| Parameter | Description |
|---|---|
| Reason | Required. The primary classification for the alert closure. The possible values are as follows: Malicious, NotMalicious, Maintenance, Inconclusive. |
| Root Cause | Required. The detailed explanation of the technical issue that led to the alert. |
| Comment | Required. The notes, summary of the investigation, or additional context for the alert closure. |
| Assign to User | Optional. A user to assign the alert to after its closure. |
| Tags | Optional. A comma-separated list of tags to attach to the alert for classification, filtering, and future searchability. |
Action outputs
The Close Alert action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Close Alert action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Close Alert". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Close Alert action:
| Script result name | Value |
|---|---|
| StatusResult | true or false |
Close Case
Use the Close Case action to close the case.
This action doesn't run on Google SecOps entities.
Action inputs
The Close Case action requires the following parameters:
| Parameter | Description |
|---|---|
| Reason | Required. The primary classification for the alert closure. The possible values are as follows: Malicious, NotMalicious, Maintenance, Inconclusive. |
| Root Cause | Required. A detailed explanation of the technical issue that led to the alert. |
| Comment | Required. The notes, summary of the investigation, or additional context for the alert closure. |
Action outputs
The Close Case action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Close Case action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Close Case". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Close Case action:
| Script result name | Value |
|---|---|
| StatusResult | true or false |
Create Entity
Use the Create Entity action to create a new entity and add it to an alert.
This action runs on all Google SecOps entities.
Action inputs
The Create Entity action requires the following parameters:
| Parameter | Description |
|---|---|
| Entities Identifies | Required. A comma-separated list of entity identifiers to create in the case, such as |
| Delimiter | Optional. A delimiter used to split the input from If no value is provided, the action treats the input as a single entity identifier. The default value is |
| Entity Type | Required. The type of the entity to create, such as |
| Is Internal | Optional. If selected, the action marks entities as part of an internal network. Not enabled by default. |
| Is Suspicious | Optional. If selected, the action marks entities as suspicious. Not enabled by default. |
Action outputs
The Create Entity action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Create Entity action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Create Entity". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Create Entity action:
| Script result name | Value |
|---|---|
| StatusResult | true or false |
Create Gemini Case Summary
Use the Create Gemini Case Summary action to create a new Gemini case summary and add it to an alert.
This action doesn't run on Google SecOps entities.
Action inputs
None.
Action outputs
The Create Gemini Case Summary action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example shows the JSON result output received when using the Create Gemini Case Summary action:
```json
{
  "summary": "On the Linux agent instance-1 (IP addresses 10.150.0.3 and 34.85.128.214), user vanshikavw_google_com initiated the process curl (SHA1 hash 3395856ce81f2b7382dee72602f798b642f14140) to create the malware file /home/vanshikavw_google_com/eicar_test_vanshikavw-test-new.\n* VirusTotal identifies the SHA1 hash 3395856ce81f2b7382dee72602f798b642f14140 as a virus.eicar/test.\n* CURL is associated with multiple actors, including APT27, APT34, APT41, APT44, APT9, FIN11, FIN13, FIN6, TEMP.Armageddon, Turla Team, UNC1151, UNC1860, UNC215, UNC2165, UNC2500, UNC251, UNC2595, UNC2633, UNC2900, UNC2975, UNC3569, UNC3661, UNC3944, UNC4483, UNC4936, UNC4962, UNC5007, UNC5051, UNC5055, UNC5156, UNC5221, UNC5266, UNC5330, UNC5371, UNC5470, UNC5859, and UNC961.\n* CURL is known to use MITRE ATT&CK techniques such as T1113, T1095, T1036, T1553, T1222, T1055, T1140, T1070, T1027, T1622, T1057, T1010, T1083, T1518, T1082, T1016, T1059, T1496, and T1588.\n* A GTI MALWARE search did not find any information about eicar_test_vanshikavw-test-new.\n* A GTI IP_ADDRESS search did not find any information about 10.150.0.3 or 34.85.128.214.",
  "next_steps": [
    "Isolate instance-1 to prevent any potential lateral movement or further compromise of the network, as the curl process is associated with multiple threat actors.",
    "Investigate the user account vanshikavw_google_com to determine if the user's credentials have been compromised or if the user initiated the curl process intentionally, as the curl process is associated with multiple threat actors.",
    "Analyze the network traffic to and from the IP addresses 10.150.0.3 and 34.85.128.214 for any suspicious communication patterns, as the curl process is associated with multiple threat actors.",
    "Examine the process execution logs on instance-1 for any other unusual or unauthorized activities, as the curl process is associated with multiple threat actors.",
    "Review the configuration of the Linux agent on instance-1 to ensure that it is properly secured and that no unauthorized modifications have been made, as the curl process is associated with multiple threat actors."
  ],
  "reasons": [
    "The case involves a Linux agent instance-1 (IP addresses 10.150.0.3 and 34.85.128.214) where user vanshikavw_google_com initiated the process curl to create the file /home/vanshikavw_google_com/eicar_test_vanshikavw-test-new.",
    "The SHA1 hash 3395856ce81f2b7382dee72602f798b642f14140 of the curl process is identified by VirusTotal as virus.eicar/test, indicating it is a known test virus.",
    "The process CURL is associated with multiple threat actors, including APT27, APT34, APT41, APT44, APT9, FIN11, FIN13, FIN6, TEMP.Armageddon, Turla Team, UNC1151, UNC1860, UNC215, UNC2165, UNC2500, UNC251, UNC2595, UNC2633, UNC2900, UNC2975, UNC3569, UNC3661, UNC3944, UNC4483, UNC4936, UNC4962, UNC5007, UNC5051, UNC5055, UNC5156, UNC5221, UNC5266, UNC5330, UNC5371, UNC5470, UNC5859, and UNC961, suggesting a potential link to malicious activity.",
    "CURL is known to use various MITRE ATT&CK techniques such as T1113, T1095, T1036, T1553, T1222, T1055, T1140, T1070, T1027, T1622, T1057, T1010, T1083, T1518, T1082, T1016, T1059, T1496, and T1588, indicating a wide range of potential malicious behaviors.",
    "The file eicar_test_vanshikavw-test-new was not found in GTI MALWARE searches, and the IP addresses 10.150.0.3 and 34.85.128.214 were not found in GTI IP_ADDRESS searches."
  ]
}
```
Output messages
The Create Gemini Case Summary action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Create Gemini Case Summary". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Create Gemini Case Summary action:
| Script result name | Value |
|---|---|
| is_success | true or false |
Create Or Update Entity Properties
Use the Create Or Update Entity Properties action to create or change the properties of entities in the entity scope.
This action runs on all Google SecOps entities.
Action inputs
The Create Or Update Entity Properties action requires the following parameters:
| Parameter | Description |
|---|---|
| Entity Field | Required. The entity field to create or update. |
| Field Value | Required. The value of the specified entity field. |
Action outputs
The Create Or Update Entity Properties action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Create Or Update Entity Properties action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Create Or Update Entity Properties". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Create Or Update Entity Properties action:
| Script result name | Value |
|---|---|
| is_success | true or false |
Get Case Alerts
Use the Get Case Alerts action to retrieve alerts related to specified cases.
This action doesn't run on Google SecOps entities.
Action inputs
The Get Case Alerts action requires the following parameters:
| Parameter | Description |
|---|---|
| Case ID | Required. A comma-separated list of case IDs for which the action retrieves the associated alerts. |
| Alert ID | Optional. A comma-separated list of alert IDs, limiting the alerts returned. This parameter is only used when |
| Fields To Return | Optional. A comma-separated list of fields to return in the JSON result. To retrieve nested values, use If no value is provided, all fields are returned. |
| Nested Keys Delimiter | Optional. The character used to separate nested keys and list indexes when defining fields to return. This parameter can't be a comma ( |
Get Case Details
Use the Get Case Details action to get all data from a case (including comments, entity information, insights, playbooks that ran, alert information, and events).
This action doesn't run on Google SecOps entities.
Action inputs
The Get Case Details action requires the following parameters:
| Parameter | Description |
|---|---|
| Case Id | Optional. The ID of the case to retrieve details from. If no value is provided, the action will use the current case. |
| Fields to Return | Optional. A comma-separated list of fields to return. If nothing is provided, all fields are returned. Specific nested values can be retrieved by using the |
| Nested Keys Delimiter | Optional. The character used to separate nested keys when requesting specific fields. This lets you retrieve values from nested objects. The delimiter cannot be a comma ( |
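The Fields to Return and Nested Keys Delimiter parameters (here and in Get Case Alerts above) describe a path lookup: each requested field is a sequence of object keys and list indexes joined by the delimiter, and the delimiter cannot be a comma because commas already separate the fields. The resolver below is an added example of that lookup, not the integration's code; the sample record is a small subset of the page's Get Case Details JSON result, the default delimiter of "." is an assumption (the page's default is not shown), and the helper names are constructed.

```python
# Constructed subset of the Get Case Details sample result shown on this page.
SAMPLE_CASE = {
    "id": 24879,
    "name": "Malware",
    "stage": "Triage",
    "tags": ["hi", "Simulated Case"],
    "alertCards": [
        {
            "id": 172354,
            "ruleGenerator": "Malware",
            "deviceProduct": "SentinelOneV2",
            "sla": {"expirationStatus": 2, "slaExpirationTime": None},
        }
    ],
    "sla": {"expirationStatus": 2},
}


def parse_fields(fields_param):
    """Split the comma-separated Fields to Return value, dropping blanks and spaces."""
    return [f.strip() for f in fields_param.split(",") if f.strip()]


def resolve_path(obj, path, delimiter):
    """Walk obj along path: dict segments are keys, list segments are integer indexes.

    Returns None when any segment is missing, non-numeric for a list, or out of range,
    so a single bad field never aborts the whole selection.
    """
    current = obj
    for segment in path.split(delimiter):
        if isinstance(current, list):
            try:
                current = current[int(segment)]
            except (ValueError, IndexError):
                return None
        elif isinstance(current, dict):
            if segment not in current:
                return None
            current = current[segment]
        else:
            return None
    return current


def select_fields(case, fields_param, delimiter="."):
    """Return only the requested fields (keyed by their path), or the whole case when none are given."""
    if delimiter == ",":
        raise ValueError("Nested Keys Delimiter cannot be a comma: commas separate the field list")
    if not fields_param.strip():
        return case
    return {path: resolve_path(case, path, delimiter) for path in parse_fields(fields_param)}


if __name__ == "__main__":
    print(select_fields(SAMPLE_CASE, "id, alertCards.0.ruleGenerator, sla.expirationStatus"))
```

Returning None for a missing path and a null field alike keeps the output shape predictable for a playbook; if the distinction matters, compare the requested paths against the keys you got back.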
Action outputs
The Get Case Details action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example shows the JSON result output received when using the Get Case Details action:
```json
{
  "id": 24879,
  "creationTimeUnixTimeInMs": 1750862500562,
  "modificationTimeUnixTimeInMs": 1750862500562,
  "name": "Malware",
  "priority": -1,
  "isImportant": false,
  "isIncident": false,
  "startTimeUnixTimeInMs": 1727243021999,
  "endTimeUnixTimeInMs": 1727243022479,
  "assignedUser": "@Tier1",
  "description": null,
  "isTestCase": true,
  "type": 1,
  "stage": "Triage",
  "environment": "Default Environment",
  "status": 1,
  "incidentId": null,
  "tags": ["hi", "Simulated Case"],
  "alertCards": [{
    "id": 172354,
    "creationTimeUnixTimeInMs": 1750862500651,
    "modificationTimeUnixTimeInMs": 1750862500651,
    "identifier": "EICAR_TEST_VANSHIKAVW-TEST-NEW0CC43705-04A7-43FD-88CD-B3E7FECA881D",
    "status": 0,
    "name": "EICAR_TEST_VANSHIKAVW-TEST-NEW",
    "priority": -1,
    "workflowsStatus": 1,
    "slaExpirationUnixTime": null,
    "slaCriticalExpirationUnixTime": null,
    "startTime": 1727243021999,
    "endTime": 1727243022479,
    "alertGroupIdentifier": "MalwareSFBrxjAXvKJsJyKe5iQalf00zrv/QwX966dRoEyP2eA=_8cc160b5-7039-421c-926c-1a98073f11d2",
    "eventsCount": 3,
    "title": "EICAR_TEST_VANSHIKAVW-TEST-NEW",
    "ruleGenerator": "Malware",
    "deviceProduct": "SentinelOneV2",
    "deviceVendor": "SentinelOneV2",
    "playbookAttached": "Testing",
    "playbookRunCount": 1,
    "isManualAlert": false,
    "sla": {
      "slaExpirationTime": null,
      "criticalExpirationTime": null,
      "expirationStatus": 2,
      "remainingTimeSinceLastPause": null
    },
    "fieldsGroups": [],
    "sourceUrl": null,
    "sourceRuleUrl": null,
    "siemAlertId": null,
    "relatedCases": [],
    "lastSourceUpdateUnixTimeInMs": null,
    "caseId": 24879,
    "nestingDepth": 0
  }],
  "isOverflowCase": false,
  "isManualCase": false,
  "slaExpirationUnixTime": null,
  "slaCriticalExpirationUnixTime": null,
  "stageSlaExpirationUnixTimeInMs": null,
  "stageSlaCriticalExpirationUnixTimeInMs": null,
  "canOpenIncident": false,
  "sla": {
    "slaExpirationTime": null,
    "criticalExpirationTime": null,
    "expirationStatus": 2,
    "remainingTimeSinceLastPause": null
  },
  "stageSla": {
    "slaExpirationTime": null,
    "criticalExpirationTime": null,
    "expirationStatus": 2,
    "remainingTimeSinceLastPause": null
  },
  "relatedAlertTicketId": null,
  "relatedAlertCards": []
}
```
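The following is an added example, not code from the Siemplify integration: it models how a playbook step can pull specific, possibly nested, fields out of a Get Case Details result using a configurable delimiter that must not be a comma (commas separate the requested fields). The sample case is a constructed, trimmed copy of the JSON result shown above.

```python
"""Nested-field retrieval from a Get Case Details JSON result.

Added example, not code from the Siemplify integration. Requested fields
are a comma-separated list; nested keys are joined by a delimiter that
must not itself be a comma. SAMPLE_CASE is a constructed subset of the
documented JSON result.
"""
from __future__ import annotations

from typing import Any

# Constructed sample: a subset of the documented Get Case Details output.
SAMPLE_CASE: dict[str, Any] = {
    "id": 24879,
    "name": "Malware",
    "priority": -1,
    "isIncident": False,
    "assignedUser": "@Tier1",
    "stage": "Triage",
    "tags": ["hi", "Simulated Case"],
    "alertCards": [
        {
            "id": 172354,
            "ruleGenerator": "Malware",
            "deviceProduct": "SentinelOneV2",
            "eventsCount": 3,
            "sla": {"expirationStatus": 2, "remainingTimeSinceLastPause": None},
        }
    ],
    "sla": {"expirationStatus": 2},
}


class FieldPathError(ValueError):
    """Raised for an invalid delimiter or a path that does not resolve."""


def is_valid_delimiter(delimiter: str) -> bool:
    """A delimiter is one character and never a comma, which separates fields."""
    return len(delimiter) == 1 and delimiter != ","


def get_field(case: dict[str, Any], path: str, delimiter: str = ".") -> Any:
    """Resolve one delimited path such as 'alertCards.0.deviceProduct'.

    Numeric segments index into lists; every other segment is a dict key.
    Raises FieldPathError when the path does not resolve.
    """
    if not is_valid_delimiter(delimiter):
        raise FieldPathError(f"invalid delimiter: {delimiter!r}")
    node: Any = case
    for segment in path.split(delimiter):
        if isinstance(node, list) and segment.isdigit() and int(segment) < len(node):
            node = node[int(segment)]
        elif isinstance(node, dict) and segment in node:
            node = node[segment]
        else:
            raise FieldPathError(f"segment {segment!r} of {path!r} not found")
    return node


def select_fields(case: dict[str, Any], fields: str, delimiter: str = ".") -> dict[str, Any]:
    """Resolve a comma-separated field list into a flat {path: value} mapping.

    A path that does not resolve maps to None rather than aborting, so a
    playbook step still receives the fields that do exist.
    """
    if not is_valid_delimiter(delimiter):
        raise FieldPathError(f"invalid delimiter: {delimiter!r}")
    selected: dict[str, Any] = {}
    for raw in fields.split(","):
        path = raw.strip()
        if not path:
            continue
        try:
            selected[path] = get_field(case, path, delimiter)
        except FieldPathError:
            selected[path] = None
    return selected


if __name__ == "__main__":
    wanted = "name, alertCards/0/deviceProduct, alertCards/0/sla/expirationStatus"
    print(select_fields(SAMPLE_CASE, wanted, "/"))
```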
Output messages
The Get Case Details action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Get Case Details". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Get Case Details action:
| Script result name | Value |
|---|---|
| is_success | true or false |
Get Connector Context Value
Use the Get Connector Context Value action to retrieve a value from a specified key in the Google SecOps database for a connector context.
This action doesn't run on Google SecOps entities.
Action inputs
The Get Connector Context Value action requires the following parameters:
| Parameter | Description |
|---|---|
| Connector Identifier | Required. The unique identifier of the connector to retrieve the context value from. |
| Key Name | Required. The key under which the context value is stored. |
| Create Case Wall Table | Optional. If selected, the action creates a case wall table with the retrieved context value. The table won't be created if the retrieved value exceeds the character limit. Enabled by default. |
Action outputs
The Get Connector Context Value action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Case Wall table
The Get Connector Context Value action can generate the following table:
Table name: Connector
Table columns:
- Connector identifier
- Key
- Value
Output messages
The Get Connector Context Value action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Get Connector Context Value". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Get Connector Context Value action:
| Script result name | Value |
|---|---|
| is_success | true or false |
Get Custom Field Values
Use the Get Custom Field Values action to retrieve current values of a custom field based on the specified scope.
This action doesn't run on Google SecOps entities.
Action inputs
The Get Custom Field Values action requires the following parameters:
Scope
Required. The scope to retrieve the custom fields from. The possible values are as follows:
- Case
- Alert
- All
Action outputs
The Get Custom Field Values action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example shows the JSON result output received when using the Get Custom Field Values action:
```json
[{
  "Case": {
    "Case Custom Field Name 1": "Updated Custom Field Value",
    "Case Custom Field Name 2": "Updated Custom Field Value"
  },
  "Alert": {
    "Alert Custom Field Name 1": "Updated Custom Field Value",
    "Alert Custom Field Name 2": "Updated Custom Field Value"
  }
}]
```
Output messages
The Get Custom Field Values action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Get Custom Field Values". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Get Custom Field Values action:
| Script result name | Value |
|---|---|
| is_success | true or false |
Get Scope Context Value
Use the Get Scope Context Value action to retrieve a value from the Google SecOps database that is stored under a specified key and context.
This action doesn't run on Google SecOps entities.
Action inputs
The Get Scope Context Value action requires the following parameters:
Context Scope
Required. The context scope to retrieve the value from. The possible values are as follows:
- Not specified
- Alert
- Case
- Global
The default value is Not specified.
Key Name
Required. The key under which the value is stored in the specified context.
Create Case Wall Table
Optional. If selected, the action creates a case wall table with the retrieved context value. The table won't be created if the retrieved value exceeds the character limit. Enabled by default.
Action outputs
The Get Scope Context Value action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Case Wall table
The Get Scope Context Value action can generate the following table:
Table name: SCOPE
Table columns:
- Key
- Value
Output messages
The Get Scope Context Value action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Get Scope Context Value". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Get Scope Context Value action:
| Script result name | Value |
|---|---|
| is_success | true or false |
Get Similar Cases
Use the Get Similar Cases action to search for similar cases and return their IDs.
The action applies the logical AND operator to the Rule Generator, Port, Category Outcome, Entity Identifier, Include Open Cases, and Include Closed Cases parameters to filter for cases that match all specified criteria.
This action runs on all Google SecOps entities.
Action inputs
The Get Similar Cases action requires the following parameters:
| Parameter | Description |
|---|---|
| Rule Generator | Optional. If selected, the action searches for similar cases using the rule generator. Enabled by default. |
| Port | Optional. If selected, the action searches for similar cases using port numbers. Enabled by default. |
| Category Outcome | Optional. If selected, the action searches for similar cases using the category outcome. Enabled by default. |
| Entity Identifier | Optional. If selected, the action searches for similar cases using the entity identifier. Enabled by default. |
| Days Back | Required. The number of days prior to the current date for the action to search through. |
| Include Open Cases | Optional. If selected, the action includes open cases in the search. Enabled by default. |
| Include Closed Cases | Optional. If selected, the action includes closed cases in the search. Enabled by default. |
Action outputs
The Get Similar Cases action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example shows the JSON result output received when using the Get Similar Cases action:
```json
{
  "results": [{
    "id": 23874,
    "name": "Malware",
    "tags": ["hi", "Simulated Case"],
    "start time": "2024-09-25 05:43:41.999000+00:00",
    "start time unix": 1727243021999,
    "last modified": "2025-06-19 13:24:01.062000+00:00",
    "priority": "Informative",
    "assigned user": "@Tier1",
    "matching_criteria": {
      "ruleGenerator": true,
      "port": true,
      "outcome": true,
      "entities": true
    },
    "matched_entities": [
      {"entity": "INSTANCE-1", "type": "HOSTNAME", "isSuspicious": false},
      {"entity": "10.150.0.3", "type": "ADDRESS", "isSuspicious": false},
      {"entity": "172.17.0.1", "type": "ADDRESS", "isSuspicious": false},
      {"entity": "VANSHIKAVW_GOOGLE_COM", "type": "USERUNIQNAME", "isSuspicious": false},
      {"entity": "CURL", "type": "PROCESS", "isSuspicious": false},
      {"entity": "EICAR_TEST_VANSHIKAVW-TEST-NEW", "type": "FILENAME", "isSuspicious": false},
      {"entity": "3395856CE81F2B7382DEE72602F798B642F14140", "type": "FILEHASH", "isSuspicious": false},
      {"entity": "34.85.128.214", "type": "ADDRESS", "isSuspicious": false},
      {"entity": "/HOME/VANSHIKAVW_GOOGLE_COM/EICAR_TEST_VANSHIKAVW-TEST-NEW", "type": "FILENAME", "isSuspicious": false}
    ],
    "status": "Open"
  }],
  "stats": {
    "Malicious": 0.0,
    "Is Important": 0.0,
    "Is Incident": 0.0,
    "Status Open": 100.0
  },
  "platform_url": "https://soarapitest.backstory.chronicle.security/"
}
```
Output messages
The Get Similar Cases action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Get Similar Cases". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Get Similar Cases action:
| Script result name | Value |
|---|---|
| SimilarCasesIds | A list of similar case IDs. |
Instruction
Use the Instruction action to provide instructions to an analyst directly on the case.
This action doesn't run on Google SecOps entities.
Action inputs
The Instruction action requires the following parameters:
| Parameter | Description |
|---|---|
| Instruction | Required. The instructions for the analyst. |
Action outputs
The Instruction action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Instruction action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Instruction". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Instruction action:
| Script result name | Value |
|---|---|
| Script Result | true or false |
Is In Custom List
Use the Is In Custom List action to check if an entity exists within a designated custom list.
This action runs on all Google SecOps entities.
Action inputs
The Is In Custom List action requires the following parameters:
| Parameter | Description |
|---|---|
| Category | Required. The name of the custom list category to search. |
Action outputs
The Is In Custom List action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Is In Custom List action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Is In Custom List". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Is In Custom List action:
| Script result name | Value |
|---|---|
| ScriptResult | true or false |
Mark As Important
Use the Mark As Important action to mark the case as important.
This action doesn't run on Google SecOps entities.
Action inputs
None.
Action outputs
The Mark As Important action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Mark As Important action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Mark As Important". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Mark As Important action:
| Script result name | Value |
|---|---|
| Script Result | true or false |
Open Web Url
Use the Open Web Url action to generate a browser link.
This action doesn't run on Google SecOps entities.
Action inputs
The Open Web Url action requires the following parameters:
| Parameter | Description |
|---|---|
| Title | Required. The title of the URL. |
| URL | Required. The target URL. |
Action outputs
The Open Web Url action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Open Web Url action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Open Web Url". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Open Web Url action:
| Script result name | Value |
|---|---|
| Script Result | true or false |
Pause Alert SLA
Use the Pause Alert SLA action to pause the Service Level Agreement (SLA) timer for the alert.
This action doesn't run on Google SecOps entities.
Action inputs
The Pause Alert SLA action requires the following parameters:
| Parameter | Description |
|---|---|
| Message | Optional. The reason for pausing the alert SLA. |
Action outputs
The Pause Alert SLA action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Pause Alert SLA action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Pause Alert SLA". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Pause Alert SLA action:
| Script result name | Value |
|---|---|
| is_success | true or false |
Pause Case SLA
Use the Pause Case SLA action to pause the Service Level Agreement (SLA) timer for the case.
This action doesn't run on Google SecOps entities.
Action inputs
The Pause Case SLA action requires the following parameters:
| Parameter | Description |
|---|---|
| Message | Optional. The reason for pausing the case SLA. |
Action outputs
The Pause Case SLA action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Pause Case SLA action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Pause Case SLA". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Pause Case SLA action:
| Script result name | Value |
|---|---|
| is_success | true or false |
Permitted Alert Time
Use the Permitted Alert Time action to check if the start time of the alert complies with user-defined time conditions.
This action doesn't run on Google SecOps entities.
Action inputs
The Permitted Alert Time action requires the following parameters:
Timestamp Type
Optional. The type of timestamp to use for comparison. The possible values are as follows:
- Alert Start Time
- Alert Creation Time
- Case Creation Time
The default value is Alert Start Time.
Permitted Start Time
Required. The start time of the permitted period for alerts, such as 0:00:00.
Permitted End Time
Required. The end time of the permitted period for alerts, such as 0:00:00.
Monday
Optional. If selected, the action includes Mondays in the permitted days for alerts. Not enabled by default.
Tuesday
Optional. If selected, the action includes Tuesdays in the permitted days for alerts. Enabled by default.
Wednesday
Optional. If selected, the action includes Wednesdays in the permitted days for alerts. Enabled by default.
Thursday
Optional. If selected, the action includes Thursdays in the permitted days for alerts. Not enabled by default.
Friday
Optional. If selected, the action includes Fridays in the permitted days for alerts. Not enabled by default.
Saturday
Optional. If selected, the action includes Saturdays in the permitted days for alerts. Not enabled by default.
Sunday
Optional. If selected, the action includes Sundays in the permitted days for alerts. Not enabled by default.
Input Timezone
Optional. This action supports standard time zones, such as UTC, in addition to IANA zones, such as America/New_York. If you provide an IANA zone, the action automatically adjusts for daylight saving.
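The following is an added example, not the integration's own code: it models the Permitted Alert Time check from the inputs listed above (Timestamp Type, Permitted Start/End Time, the weekday flags and Input Timezone), using zoneinfo so that an IANA zone such as America/New_York gets daylight-saving handling. Two rules are assumptions of this model rather than documented behaviour: a window whose end is earlier than its start wraps past midnight and counts for the day it started on, and equal start and end (the 0:00:00 example) means the whole day.

```python
"""Permitted Alert Time check, an added example (not the integration's code).

Inputs mirror the documented parameters. Assumptions: a window whose end
is earlier than its start wraps past midnight and is attributed to the
day it started on; equal start and end means the whole day is permitted.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, time, timezone
from typing import Any
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

WEEKDAYS = ("Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday")

# Constructed case in the shape of the documented Get Case Details result.
SAMPLE_CASE: dict[str, Any] = {
    "creationTimeUnixTimeInMs": 1750862500562,
    "alertCards": [{"startTime": 1727243021999, "creationTimeUnixTimeInMs": 1750862500651}],
}


def zone_available(name: str) -> bool:
    """True when the Input Timezone resolves (UTC or an installed IANA zone)."""
    if name.upper() == "UTC":
        return True
    try:
        ZoneInfo(name)
    except ZoneInfoNotFoundError:
        return False
    return True


def timestamp_for(case: dict[str, Any], timestamp_type: str, alert_index: int = 0) -> int:
    """Pick the epoch-millisecond value named by Timestamp Type."""
    alert = case["alertCards"][alert_index]
    if timestamp_type == "Alert Start Time":
        return alert["startTime"]
    if timestamp_type == "Alert Creation Time":
        return alert["creationTimeUnixTimeInMs"]
    if timestamp_type == "Case Creation Time":
        return case["creationTimeUnixTimeInMs"]
    raise ValueError(f"unknown timestamp type: {timestamp_type!r}")


def parse_clock(value: str) -> time:
    """Parse 'H:MM:SS' (a leading zero on the hour is optional)."""
    hour, minute, second = (int(part) for part in value.split(":"))
    return time(hour, minute, second)


@dataclass
class PermittedWindow:
    permitted_start: str = "0:00:00"
    permitted_end: str = "0:00:00"
    days: set[str] = field(default_factory=set)   # enabled weekday flags
    input_timezone: str = "UTC"

    def _local(self, epoch_ms: int) -> datetime:
        tz = timezone.utc if self.input_timezone.upper() == "UTC" else ZoneInfo(self.input_timezone)
        return datetime.fromtimestamp(epoch_ms / 1000, tz=timezone.utc).astimezone(tz)

    def is_permitted(self, epoch_ms: int) -> bool:
        local = self._local(epoch_ms)
        start, end = parse_clock(self.permitted_start), parse_clock(self.permitted_end)
        clock = local.time().replace(microsecond=0)
        weekday = local.weekday()                    # Monday == 0, matches WEEKDAYS
        if start == end:                             # assumption: whole day permitted
            in_window = True
        elif start < end:
            in_window = start <= clock <= end
        elif clock >= start:                         # wrapped window, before midnight
            in_window = True
        elif clock <= end:                           # wrapped window, after midnight:
            in_window = True                         # counts for the day it started on
            weekday = (weekday - 1) % 7
        else:
            in_window = False
        return in_window and WEEKDAYS[weekday] in self.days


if __name__ == "__main__":
    window = PermittedWindow("09:00:00", "17:00:00", {"Tuesday", "Wednesday"}, "America/New_York")
    print(window.is_permitted(timestamp_for(SAMPLE_CASE, "Alert Start Time")))
```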
Action outputs
The Permitted Alert Time action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Permitted Alert Time action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Permitted Alert Time". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Permitted Alert Time action:
| Script result name | Value |
|---|---|
| Permitted | true or false |
Ping
Use the Ping action to test the connectivity to Siemplify.
This action doesn't run on Google SecOps entities.
Action inputs
None.
Action outputs
The Ping action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Ping action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Ping". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Ping action:
| Script result name | Value |
|---|---|
| Script Result | true or false |
Raise Incident
Use the Raise Incident action to mark a true positive case as Critical and raise the case incident.
This action doesn't run on Google SecOps entities.
Action inputs
The Raise Incident action requires the following parameters:
| Parameter | Description |
|---|---|
| Soc Role | Optional. The Google SecOps SOC role to assign the case to. |
Action outputs
The Raise Incident action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Raise Incident action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Raise Incident". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Raise Incident action:
| Script result name | Value |
|---|---|
| Script Result | true or false |
Remove Tag
Use the Remove Tag action to remove tags from the case.
This action doesn't run on Google SecOps entities.
Action inputs
The Remove Tag action requires the following parameters:
| Parameter | Description |
|---|---|
| Tag | Required. A comma-separated list of tags to remove from the case. |
Action outputs
The Remove Tag action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Remove Tag action can return the following output messages:
| Output message | Message description |
|---|---|
| Successfully removed the following tags from case CASE_ID: TAGS | The action succeeded. |
| | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Remove Tag action:
| Script result name | Value |
|---|---|
| is_success | true or false |
Remove From Custom List
Use the Remove From Custom List action to remove entities associated with an alert from a custom list category.
This action runs on all Google SecOps entities.
Action inputs
The Remove From Custom List action requires the following parameters:
| Parameter | Description |
|---|---|
| Category | Required. The name of the custom list category to remove the entity identifier from. |
Action outputs
The Remove From Custom List action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Remove From Custom List action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Remove From Custom List". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Remove From Custom List action:
| Script result name | Value |
|---|---|
| ScriptResult | true or false |
Resume Alert SLA
Use the Resume Alert SLA action to unpause and restart the Service Level Agreement (SLA) timer for the alert.
This action doesn't run on Google SecOps entities.
Action inputs
None.
Action outputs
The Resume Alert SLA action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Resume Alert SLA action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Resume Alert SLA". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Resume Alert SLA action:
| Script result name | Value |
|---|---|
| is_success | true or false |
Resume Case SLA
Use the Resume Case SLA action to unpause and restart the Service Level Agreement (SLA) timer for the case.
This action doesn't run on Google SecOps entities.
Action inputs
None.
Action outputs
The Resume Case SLA action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Resume Case SLA action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Resume Case SLA". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Resume Case SLA action:
| Script result name | Value |
|---|---|
| is_success | true or false |
Set Alert SLA
Use the Set Alert SLA action to set the SLA timer for the alert.
This action doesn't run on Google SecOps entities.
Action inputs
The Set Alert SLA action requires the following parameters:
SLA Period
Required. The total duration of the SLA before it is considered breached. The total SLA period cannot exceed 30 days. The default value is 5.
SLA Time Unit
Required. The time unit for the SLA period. The possible values are as follows:
- Minutes
- Hours
- Days
The default value is Minutes.
SLA Time To Critical Period
Required. The duration of the SLA before it enters a critical state. The default value is 4.
SLA Time To Critical Unit
Required. The time unit for the critical SLA period. The possible values are as follows:
- Minutes
- Hours
- Days
The default value is Minutes.
Action outputs
The Set Alert SLA action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Set Alert SLA action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Set Alert SLA". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Set Alert SLA action:
| Script result name | Value |
|---|---|
| is_success | true or false |
Set Case SLA
Use the Set Case SLA action to set the SLA for the case.
This action has the highest priority and overrides the existing SLA defined for the specific case.
This action doesn't run on Google SecOps entities.
Action inputs
The Set Case SLA action requires the following parameters:
SLA Period
Required. The total duration of the SLA before it is considered breached. The total SLA period cannot exceed 30 days. The default value is 5.
SLA Time Unit
Required. The time unit for the SLA period. The possible values are as follows:
- Minutes
- Hours
- Days
The default value is Minutes.
SLA Time To Critical Period
Optional. The duration of the SLA before it enters a critical state. The default value is 4.
SLA Time To Critical Unit
Required. The time unit for the critical SLA period. The possible values are as follows:
- Minutes
- Hours
- Days
The default value is Minutes.
Action outputs
The Set Case SLA action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Set Case SLA action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Set Case SLA". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Set Case SLA action:
| Script result name | Value |
|---|---|
| is_success | true or false |
Set Custom Fields
Use the Set Custom Fieldsaction to set values for custom fields.
This action doesn't run on Google SecOps entities.
Action inputs
The Set Custom Fieldsaction requires the following parameters:
Scope
Required.
The scope to set for the custom fields.
The possible values are as follows:
-
Case -
Alert
The default value is Case
.
Custom Fields Data
Required.
The updated values for the custom fields.
You can update multiple custom fields in a single action run.
The default value is:
{ "Custom Field Name 1" : "Custom Field Value 1" , "Custom Field Name 2" : "Custom Field Value 2" }
Append Values
Optional.
If selected, the action appends the inputs from Custom Fields Data
to the existing values of the
custom fields.
If not selected, the action overwrites the existing
values with the inputs from the Custom Fields Data
parameter.
Not enabled by default.
Action outputs
The Set Custom Fieldsaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example shows the JSON result output received when using the Set Custom Fieldsaction:
{
"Custom Field Name"
:
"Updated Custom Field Value"
,
"Custom Field Name"
:
"Updated Custom Field Value"
,
}
Output messages
The Set Custom Fieldsaction can return the following output messages:
| Output message | Message description |
|---|---|
Successfully updated the following SCOPE
custom fields: UPDATED_CUSTOM_FIELD_NAMES
|
The action succeeded. |
Error executing action "Set Custom Fields". Reason: ERROR_REASON
|
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Set Custom Fields action:
| Script result name | Value |
|---|---|
| is_success | true or false |
Set Risk Score
Use the Set Risk Score action to update the risk score of the case.
This action doesn't run on Google SecOps entities.
Action inputs
The Set Risk Score action requires the following parameters:
| Parameter | Description |
|---|---|
| Risk Score | Required. The risk score to set for the case. |
Action outputs
The Set Risk Score action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Set Risk Score action can return the following output messages:
| Output message | Message description |
|---|---|
| Successfully set Risk Score for case CASE_ID | The action succeeded. |
| Error executing action "Set Risk Score". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Set Risk Score action:
| Script result name | Value |
|---|---|
| is_success | true or false |
Set Scope Context Value
Use the Set Scope Context Value action to store a value under a key in the Google SecOps database.
This action doesn't run on Google SecOps entities.
Action inputs
The Set Scope Context Value action requires the following parameters:
| Parameter | Description |
|---|---|
| Context Scope | Required. The context scope in which to store the value. The possible values are Not specified, Alert, Case, and Global. The default value is Not specified. A value stored in the Global scope is not tied to a particular case or alert, so choose key names that cannot collide with keys other playbooks store there. |
| Key Name | Required. The name of the key under which to store the value. |
| Key Value | Required. The value to store under the specified key. |
Action outputs
The Set Scope Context Value action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Set Scope Context Value action can return the following output messages:
| Output message | Message description |
|---|---|
| Successfully set context value for the context key CONTEXT_KEY with scope CONTEXT_SCOPE. | The action succeeded. |
| Error executing action "Set Scope Context Value". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Set Scope Context Value action:
| Script result name | Value |
|---|---|
| is_success | true or false |
Update Case Description
Use the Update Case Description action to update the case description.
This action doesn't run on Google SecOps entities.
Action inputs
The Update Case Description action requires the following parameters:
| Parameter | Description |
|---|---|
| Description | Required. The description to set for the case. |
Action outputs
The Update Case Description action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Update Case Description action can return the following output messages:
| Output message | Message description |
|---|---|
| Successfully updated the case description. | The action succeeded. |
| Error executing action "Update Case Description". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Update Case Description action:
| Script result name | Value |
|---|---|
| is_success | true or false |
Wait For Custom Fields
Use the Wait For Custom Fields action to pause playbook execution until custom fields hold the values you specify.
This action doesn't run on Google SecOps entities.
Action inputs
The Wait For Custom Fields action requires the following parameters:
| Parameter | Description |
|---|---|
| Scope | Required. The scope of the custom fields to wait on. The possible values are Case and Alert. The default value is Case. |
| Custom Fields Data | Required. The conditions that custom fields must meet before the playbook resumes, configured as a JSON object that maps each custom field name to its required value. If you set conditions for multiple fields, the action waits until all of the fields match their respective conditions. To resume when a custom field has any value, configure an empty string: { "Custom Field Name" : "" }. To resume only when a custom field equals a specific value, such as VALUE_1, specify that value: { "Custom Field Name" : "VALUE_1" }. The default value shows the expected JSON format: { "Custom Field Name 1" : "Custom Field Value 1" , "Custom Field Name 2" : "Custom Field Value 2" } |
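The Custom Fields Data parameter of both the Set Custom Fields and the Wait For Custom Fields actions is a JSON object of field names to string values, and the wait rule above (empty string means "any value", anything else means "equals exactly", and every listed field must match) is simple enough to model. The example below is added to this page and is not code from the Siemplify integration or the Google SecOps SDK: it validates and builds that parameter, then evaluates the wait conditions against a constructed snapshot of a case's fields. The function names, the sample field names ("Analyst Verdict", "Ticket ID") and the decision to treat an empty or missing field as "no value" are assumptions of the example.

```python
import json
from typing import Dict, Mapping, Optional

# Added example; not part of the Siemplify integration or the Google SecOps SDK.


def parse_custom_fields_data(raw: str) -> Dict[str, str]:
    """Parse and validate a Custom Fields Data parameter.

    The parameter must be a non-empty JSON object whose values are strings.
    Lists, nested objects and numbers are rejected up front so that a
    malformed playbook input fails loudly instead of quietly setting or
    waiting on the wrong field.
    """
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"Custom Fields Data is not valid JSON: {exc}") from exc
    if not isinstance(data, dict) or not data:
        raise ValueError("Custom Fields Data must be a non-empty JSON object")
    for name, value in data.items():
        if not name.strip():
            raise ValueError("custom field names must be non-empty strings")
        if not isinstance(value, str):
            raise ValueError(f"value for custom field {name!r} must be a string")
    return data


def build_custom_fields_data(fields: Mapping[str, str]) -> str:
    """Serialize field values for the Custom Fields Data parameter.

    Always go through json.dumps rather than string templating: a value
    copied from an alert (a subject line, a URL) may contain quotes or braces
    that would otherwise break, or rewrite, the JSON the action receives.
    """
    text = json.dumps(dict(fields))
    parse_custom_fields_data(text)  # reject non-string values before they reach the action
    return text


def conditions_met(current: Mapping[str, Optional[str]], conditions: Mapping[str, str]) -> bool:
    """Apply the Wait For Custom Fields rule to the current field values.

    An empty-string condition is satisfied once the field has any non-empty
    value; a non-empty condition is satisfied only by an exact match; every
    listed field must be satisfied. A field absent from `current` is treated
    as unset (assumption of this example).
    """
    for name, wanted in conditions.items():
        actual = current.get(name)
        if actual is None or actual == "":
            return False
        if wanted != "" and actual != wanted:
            return False
    return True


def evaluate(raw_conditions: str, case_fields: Mapping[str, Optional[str]]) -> bool:
    """What one poll of the wait action would decide for the given case state."""
    return conditions_met(case_fields, parse_custom_fields_data(raw_conditions))


# Constructed sample case state (not data from the page): the analyst has
# recorded a verdict but has not yet filled in the ticket reference.
SAMPLE_CASE_FIELDS = {"Analyst Verdict": "True Positive", "Ticket ID": ""}

# Two wait conditions in the parameter's JSON format, built the safe way.
WAIT_FOR_VERDICT = build_custom_fields_data({"Analyst Verdict": ""})
WAIT_FOR_BOTH = build_custom_fields_data({"Analyst Verdict": "True Positive", "Ticket ID": ""})

if __name__ == "__main__":
    print("resume on verdict:", evaluate(WAIT_FOR_VERDICT, SAMPLE_CASE_FIELDS))  # True
    print("resume on both:", evaluate(WAIT_FOR_BOTH, SAMPLE_CASE_FIELDS))  # False
```

The same parser serves the Set Custom Fields action: build the parameter with build_custom_fields_data from a dict rather than by concatenating strings, and the value of a field can never change the shape of the object the action receives.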
Action outputs
The Wait For Custom Fields action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example shows the JSON result output received when using the Wait For Custom Fields action:
```json
{
  "Custom Field Name 1": "Updated Custom Field Value",
  "Custom Field Name 2": "Updated Custom Field Value"
}
```
Output messages
The Wait For Custom Fields action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Wait For Custom Fields". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Wait For Custom Fields action:
| Script result name | Value |
|---|---|
| is_success | true or false |
Jobs
For more information on jobs, see Configure a new job and Advanced scheduling .
Siemplify - Actions Monitor
Use the Siemplify - Actions Monitor job to receive notifications about actions that have failed at least three separate times in the last three hours.
Job parameters
The Siemplify - Actions Monitor job requires the following parameters:
| Parameter | Description |
|---|---|
| Run Interval In Seconds | Optional. The interval, in seconds, at which the job runs. This parameter determines how often the integration checks for failed playbook actions. The default value is |
| Is Enabled | Optional. If selected, the job is active and runs on schedule. If not selected, the job is disabled and doesn't run. Enabled by default. |
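The job's trigger rule, three separate failures of the same action inside a three-hour window, is the kind of threshold-over-sliding-window check that is easy to get subtly wrong (retries of one execution counted as separate failures, or stale failures from before the window kept in the count). The example below is added to this page and is not the job's own implementation: it runs that rule over a constructed execution log. The pipe-delimited log format, the field names, and the choice to count distinct execution IDs rather than raw log lines as "separate times" are assumptions of the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Mapping, Set

# Added example; not the Siemplify - Actions Monitor job's own code.

FAILURE_WINDOW = timedelta(hours=3)  # "in the last three hours"
FAILURE_THRESHOLD = 3                # "at least three separate times"


def parse_execution_log(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Parse constructed 'timestamp|execution_id|action|status' lines.

    The format is invented for this example; timestamps are ISO 8601 with an
    explicit offset so that window arithmetic is timezone-aware.
    """
    records: List[Dict[str, object]] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, execution_id, action, status = line.split("|")
        records.append({
            "timestamp": datetime.fromisoformat(ts),
            "execution_id": execution_id,
            "action": action,
            "status": status,
        })
    return records


def failing_actions(
    records: Iterable[Mapping[str, object]],
    now: datetime,
    window: timedelta = FAILURE_WINDOW,
    threshold: int = FAILURE_THRESHOLD,
) -> Dict[str, int]:
    """Return {action name: distinct failed executions} for actions over the threshold.

    Only failures inside (now - window, now] count; a retry that logs the same
    execution ID twice is one failure, not two.
    """
    cutoff = now - window
    failures: Dict[str, Set[str]] = defaultdict(set)
    for rec in records:
        if rec["status"] != "failed":
            continue
        ts = rec["timestamp"]
        if ts < cutoff or ts > now:
            continue
        failures[str(rec["action"])].add(str(rec["execution_id"]))
    return {action: len(ids) for action, ids in failures.items() if len(ids) >= threshold}


# Constructed sample log: Enrich IP has four failures, one of them older than
# the window; Send Email has two; Isolate Host has one execution logged twice
# plus one more.
SAMPLE_LOG = """
2024-05-01T08:30:00+00:00|e1|Enrich IP|failed
2024-05-01T09:30:00+00:00|e2|Enrich IP|failed
2024-05-01T10:15:00+00:00|e3|Enrich IP|failed
2024-05-01T11:50:00+00:00|e4|Enrich IP|failed
2024-05-01T11:00:00+00:00|e5|Send Email|failed
2024-05-01T11:30:00+00:00|e6|Send Email|failed
2024-05-01T11:45:00+00:00|e7|Send Email|succeeded
2024-05-01T10:00:00+00:00|e8|Isolate Host|failed
2024-05-01T10:00:05+00:00|e8|Isolate Host|failed
2024-05-01T11:00:00+00:00|e9|Isolate Host|failed
"""
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)


def sample_alerts() -> Dict[str, int]:
    """Actions the monitor would notify about for the sample log at NOW."""
    return failing_actions(parse_execution_log(SAMPLE_LOG.splitlines()), NOW)


if __name__ == "__main__":
    print(sample_alerts())  # {'Enrich IP': 3}
```

The notification itself is whatever the job is configured to send; the point of the example is that the cutoff is recomputed from the current time on every run, so an action that stopped failing drops out of the report on its own once its last failure ages past the window.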
Siemplify - Cases Collector DB
Use the Siemplify - Cases Collector DB job to retrieve and process security cases from a designated publisher.
Job parameters
The Siemplify - Cases Collector DB job requires the following parameters:
| Parameter | Description |
|---|---|
| Publisher Id | Required. The ID of the publisher from which to collect cases and logs. |
| Verify SSL | Optional. If selected, the job verifies that the SSL certificate of the publisher is valid. Not enabled by default. With verification disabled the job accepts any certificate the publisher endpoint presents, so enable it unless the publisher uses a certificate that the job's host cannot validate. |
Siemplify - Logs Collector
Use the Siemplify - Logs Collector job to retrieve and process logs from a specified publisher.
Job parameters
The Siemplify - Logs Collector job requires the following parameters:
| Parameter | Description |
|---|---|
| Publisher Id | Required. The ID of the publisher from which to collect the logs. |
| Verify SSL | Optional. If selected, the job verifies that the publisher's SSL certificate is valid. Not enabled by default. As for the Cases Collector DB job, enable it unless the publisher uses a certificate that the job's host cannot validate. |