When you configure a new connector, the platform uses the connector script in
an integration as a template only. The configured connector is an instance of
that connector template. You can add multiple connectors with different
configurations using the same code you created for the connector in the IDE.
To configure a connector, follow these steps:
Go toSOAR Settings>Ingestion>Connectorsto access
the connectors module and configure a connector under the relevant environment.
ClickaddCreate new Connector.
In theAdd Connectordialog, select the connector type from the list.
Optional: Select theRemote Connectorcheckbox.
ClickCreate.
In theParameterssection, enter the following connector parameters:
Environment: Defines which environment this connector connects to.
If you don't need to define the environment, selectDefault Environment.
Run Every: Defines the interval of connector runs.
Product Field Name: Required by the connector to identify the product that generates the alerts pulled into Google Security Operations. Don't enter the product name here. Instead, enter the event field (a key from your JSON event) instead of the product name. For example: Put_indexto indicate thatcloudtrailis the product that generated the alert.
Event Field Name: Required by the connector to identify the type of the security event pulled into Google SecOps. Don't enter the event name or type here. Enter the event field (a key from your JSON event) instead of the event name or type. For example: Enter "_source.userIdentity.type" to indicate thatAssumedRoleis the type of the security event.
Event Count Limit: If you're pulling a correlation alert, indicate the limit of the underlying events Google SecOps should fetch with it. This is required to make a connector run faster (in case the alerts are heavy on redundant events) and reduce the redundancy for security analysts.
The connector is configured underDefault Environment. Once you fill in all the parameters, clickSaveto save the connector.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-07 UTC."],[[["\u003cp\u003eConnectors in Google SecOps SOAR are configured as instances of connector templates, allowing for multiple connectors with different configurations based on the same code.\u003c/p\u003e\n"],["\u003cp\u003eConnector configuration involves navigating to \u003cstrong\u003eSOAR Settings > Ingestion > Connectors\u003c/strong\u003e and specifying parameters such as the environment, run interval, and product/event field names.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003cstrong\u003eProduct Field Name\u003c/strong\u003e and \u003cstrong\u003eEvent Field Name\u003c/strong\u003e fields require keys from JSON events, not the literal product or event names.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003cstrong\u003eEvent Count Limit\u003c/strong\u003e parameter allows you to set a limit on the number of underlying events pulled with a correlation alert, optimizing connector performance and reducing redundancy.\u003c/p\u003e\n"],["\u003cp\u003eConnectors can be configured within a specific or default environment, after filling all of the fields, the connector needs to be saved.\u003c/p\u003e\n"]]],[],null,["Configure the connector \nSupported in: \nGoogle secops [SOAR](/chronicle/docs/secops/google-secops-soar-toc) \nWhen you configure a new connector, the platform uses the connector script in\nan integration as a template only. The configured connector is an instance of\nthat connector template. You can add multiple connectors with different\nconfigurations using the same code you created for the connector in the IDE.\n\nTo configure a connector, follow these steps:\n\n1. Go to **SOAR Settings \\\u003e Ingestion \\\u003e Connectors** to access the connectors module and configure a connector under the relevant environment. \n2. Click add **Create new Connector**.\n3. In the **Add Connector** dialog, select the connector type from the list.\n4. Optional: Select the **Remote Connector** checkbox.\n5. Click **Create**.\n6. In the **Parameters** section, enter the following connector parameters:\n - **Environment** : Defines which environment this connector connects to. If you don't need to define the environment, select **Default Environment**.\n - **Run Every**: Defines the interval of connector runs.\n - **Product Field Name** : Required by the connector to identify the product that generates the alerts pulled into Google Security Operations. Don't enter the product name here. Instead, enter the event field (a key from your JSON event) instead of the product name. For example: Put `_index` to indicate that `cloudtrail` is the product that generated the alert.\n - **Event Field Name** : Required by the connector to identify the type of the security event pulled into Google SecOps. Don't enter the event name or type here. Enter the event field (a key from your JSON event) instead of the event name or type. \n For example: Enter \"`_source.userIdentity.type`\" to indicate that `AssumedRole` is the type of the security event.\n - **Event Count Limit**: If you're pulling a correlation alert, indicate the limit of the underlying events Google SecOps should fetch with it. This is required to make a connector run faster (in case the alerts are heavy on redundant events) and reduce the redundancy for security analysts.\n7. The connector is configured under **Default Environment** . Once you fill in all the parameters, click **Save** to save the connector.\n\n\nFor a full list of parameters for each connector, see [Google SecOps response integrations](/chronicle/docs/soar/marketplace-integrations).\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
