Integrate Siemplify with Google SecOps

This document explains how to integrate Siemplify with Google Security Operations (Google SecOps).

Integration version: 94.0

Use cases

The Siemplify integration can address the following use cases:

  • Phishing investigation: Use Google SecOps capabilities to automate the process of analyzing phishing emails, extracting indicators of compromise (IOCs), and enriching them with threat intelligence.

  • Malware containment: Use Google SecOps capabilities to automatically isolate infected endpoints, initiate scans, and quarantine malicious files upon detection of malware.

  • Vulnerability management: Use Google SecOps capabilities to orchestrate vulnerability scans, prioritize vulnerabilities based on risk, and automatically create tickets for remediation.

  • Threat hunting: Use Google SecOps capabilities to automate the running of threat hunting queries across various security tools and datasets.

  • Security alert triage: Use Google SecOps capabilities to automatically enrich security alerts with contextual information, correlate them with other events, and prioritize them based on severity.

  • Incident response: Use Google SecOps capabilities to orchestrate the entire incident response process, from initial detection to containment and eradication.

  • Compliance reporting: Use Google SecOps capabilities to automate the collection and analysis of security data for compliance reporting.

Integration parameters

The Siemplify integration requires the following parameters:

Parameter Description
Monitors Mail Recipients

Required.

A comma-separated list of email addresses to validate.

The default value is example@mail.com,example1@mail.com.

Elastic Server Address

Required.

The address of the Elastic server.

The default value is localhost.

For instructions about how to configure an integration in Google SecOps, see Configure integrations .

You can make changes at a later stage, if needed. After you configure an integration instance, you can use it in playbooks. For more information about how to configure and support multiple instances, see Supporting multiple instances .

Actions

For more information about actions, see Respond to pending actions from Your Workdesk and Perform a manual action .

Add Entity Insight

Use the Add Entity Insight action to add an insight to the targeted Google SecOps entity in Siemplify.

This action runs on all Google SecOps entities.

Action inputs

The Add Entity Insight action requires the following parameters:

Parameter Description
Message

Required.

The message to add to the entity.

This parameter supports HTML elements, such as headings (<h1></h1>, <h2></h2>), paragraphs (<p></p>), text formatting (<b></b>, <i></i>, <br>), and links (<a href="example.com"></a>).

Action outputs

The Add Entity Insight action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Output messages

The Add Entity Insight action can return the following output messages:

Output message Message description

Added insight with message MESSAGE to ENTITY_ID .

The action succeeded.
Error executing action "Add Entity Insight". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Add Entity Insight action:

Script result name Value
is_success true or false

Add General Insight

Use the Add General Insight action to add a general insight to the case.

This action runs on all Google SecOps entities.

Action inputs

The Add General Insight action requires the following parameters:

Parameter Description
Title

Required.

The title of the insight.

Message

Required.

The body of the insight.

This parameter supports HTML elements, such as headings (<h1></h1>, <h2></h2>), paragraphs (<p></p>), text formatting (<b></b>, <i></i>, <br>), and links (<a href="example.com"></a>).

Triggered By

Optional.

A justification for the insight.
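The Message parameter of both Add Entity Insight and Add General Insight is rendered as HTML with the tag set listed above. When a playbook builds that message from alert data (an email subject, a URL, a filename), reduce the data to that tag set before passing it to the action, so that markup carried in the alert cannot change how the insight renders. The following is an added example, not code from the integration or the Siemplify SDK, of such a filter: it keeps only the documented tags and the href attribute on links, drops href values whose scheme is not http or https, and escapes everything else so a reviewer can still see what the alert data contained. The function and constant names are the example's own.

```python
import html
from html.parser import HTMLParser

# Tag set documented for the Message parameter of Add Entity Insight and
# Add General Insight. Anything outside it is escaped, not silently dropped.
ALLOWED_TAGS = {"h1", "h2", "p", "b", "i", "br", "a"}
VOID_TAGS = {"br"}
ALLOWED_SCHEMES = {"http", "https"}


def _safe_href(value):
    """Return the href if it is relative or http(s); otherwise None."""
    if value is None:
        return None
    candidate = value.strip()
    scheme, sep, _ = candidate.partition(":")
    if sep and scheme.lower() not in ALLOWED_SCHEMES:
        return None  # rejects javascript:, data:, vbscript: and similar
    return candidate


class InsightMessageFilter(HTMLParser):
    """Re-serialises its input, keeping only allowed tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            # Disallowed tag: emit its raw text escaped, e.g. <img onerror=...>
            self.parts.append(html.escape(self.get_starttag_text()))
            return
        if tag == "a":
            href = _safe_href(dict(attrs).get("href"))
            if href is None:
                self.parts.append("<a>")
            else:
                self.parts.append('<a href="%s">' % html.escape(href, quote=True))
            return
        self.parts.append("<%s>" % tag)  # all other attributes are dropped

    def handle_startendtag(self, tag, attrs):
        # "<br/>" style tags: emit the start tag; void tags get no close tag
        self.handle_starttag(tag, attrs)
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            if tag not in VOID_TAGS:
                self.parts.append("</%s>" % tag)
        else:
            self.parts.append(html.escape("</%s>" % tag))

    def handle_data(self, data):
        # Text content (including the body of a <script> block) is escaped
        self.parts.append(html.escape(data, quote=False))


def filter_insight_message(message):
    """Return 'message' restricted to the documented insight tag set."""
    parser = InsightMessageFilter()
    parser.feed(message)
    parser.close()
    return "".join(parser.parts)


if __name__ == "__main__":
    # Constructed sample of alert-derived text with markup in it
    sample = '<h2>Phishing</h2><p>Subject: <b>Invoice</b> &amp; ' \
             '<script>alert(1)</script><a href="javascript:alert(1)">pay</a></p>'
    print(filter_insight_message(sample))
```

The filter escapes rather than strips unknown markup so that the insight still records what the source data looked like; if you prefer to drop it, replace the two html.escape calls for disallowed tags with a no-op.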

Action outputs

The Add General Insight action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Output messages

The Add General Insight action can return the following output messages:

Output message Message description

Added insight with message MESSAGE .

The action succeeded.
Error executing action "Add General Insight". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Add General Insight action:

Script result name Value
is_success true or false

Add Tags To Similar Cases

Use the Add Tags To Similar Cases action to add tags to similar cases.

To find similar cases, the action calls the siemplify.get_similar_cases() SDK function with the selected search criteria; the function returns a list of matching case IDs.

This action doesn't run on Google SecOps entities.

Action inputs

The Add Tags To Similar Cases action requires the following parameters:

Parameter Description
Rule Generator

Optional.

If selected, the action searches for similar cases using the rule generator.

Selected by default.

Port

Optional.

If selected, the action searches for similar cases using port numbers.

Selected by default.

Category Outcome

Optional.

If selected, the action searches for similar cases using the category outcome.

Selected by default.

Entity Identifier

Optional.

If selected, the action searches for similar cases using the entity identifier.

Selected by default.

Days Back

Required.

The number of days to look back when searching for similar cases.

Tags

Required.

A comma-separated list of tags to add to similar cases.

Action outputs

The Add Tags To Similar Cases action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Output messages

The Add Tags To Similar Cases action can return the following output messages:

Output message Message description

Found NUMBER_OF_CASES similar cases. Successfully added tags: TAG to cases CASE_ID

The action succeeded.
Error executing action "Add Tags To Similar Cases". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Add Tags To Similar Cases action:

Script result name Value
SimilarCasesIds A list of similar case IDs.

Add to Custom List

Use the Add to Custom List action to add the identifiers of the current entities to a categorized custom list, so that other actions can compare against that list later.

This action runs on all Google SecOps entities.

Action inputs

The Add to Custom List action requires the following parameters:

Parameter Description
Category

Required.

The category of the custom list to add the entity identifiers to.

Action outputs

The Add to Custom List action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Output messages

The Add to Custom List action can return the following output messages:

Output message Message description

The alert's entities ENTITY_ID were added to custom list category: CATEGORY .

The action succeeded.
Error executing action "Add to Custom List". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Add to Custom List action:

Script result name Value
is_success true or false

Assign Case

Use the Assign Case action to assign a case to a specific user or user group.

This action runs on all Google SecOps entities.

Action inputs

The Assign Case action requires the following parameters:

Parameter Description
Assigned User

Required.

A user or user group to assign a case to.

Action outputs

The Assign Case action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Output messages

The Assign Case action can return the following output messages:

Output message Message description

The case was successfully assigned to ASSIGNED_USER .

The action succeeded.
Error executing action "Assign Case". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Assign Case action:

Script result name Value
is_success true or false

Attach Playbook to Alert

Use the Attach Playbook to Alert action to attach a specific playbook to an alert.

This action runs on all Google SecOps entities.

Action inputs

The Attach Playbook to Alert action requires the following parameters:

Parameter Description
Playbook Name

Required.

The name of the playbook to attach to the current alert.

Action outputs

The Attach Playbook to Alert action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Output messages

The Attach Playbook to Alert action can return the following output messages:

Output message Message description

Successfully attached the PLAYBOOK_NAME playbook to the alert CURRENT_ALERT_NAME .

The action succeeded.
Error executing action "Attach Playbook to Alert". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Attach Playbook to Alert action:

Script result name Value
Script Result true or false

Case Comment

Use the Case Comment action to add a comment to the case in which the current alert is grouped.

This action runs on all Google SecOps entities.

Action inputs

The Case Comment action requires the following parameters:

Parameter Description
Comment

Required.

The comment to add to the case.

Action outputs

The Case Comment action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Output messages

The Case Comment action can return the following output messages:

Output message Message description

Comment added to case: CASE_COMMENT .

The action succeeded.
Error executing action "Case Comment". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Case Comment action:

Script result name Value
SuccessStatus true or false

Case Tag

Use the Case Tag action to add a tag to the case in which the current alert is grouped.

This action runs on all Google SecOps entities.

Action inputs

The Case Tag action requires the following parameters:

Parameter Description
Tag

Required.

A tag to add to the case.

Action outputs

The Case Tag action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Output messages

The Case Tag action can return the following output messages:

Output message Message description

The tag TAG_ID was added to the case

The action succeeded.
Error executing action "Case Tag". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Case Tag action:

Script result name Value
is_success true or false

Change Alert Priority

Use the Change Alert Priority action to update the priority of an alert in a case.

This action runs on all Google SecOps entities.

Action inputs

The Change Alert Priority action requires the following parameters:

Parameter Description
Alert Priority

Required.

The new priority for the alert.

The possible values are as follows:

  • Informative
  • Low
  • Medium
  • High
  • Critical

Action outputs

The Change Alert Priority action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Output messages

The Change Alert Priority action can return the following output messages:

Output message Message description

The alert priority was set to NEW_PRIORITY_LEVEL .

The action succeeded.
Error executing action "Change Alert Priority". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Change Alert Priority action:

Script result name Value
Script Result true or false

Change Case Stage

Use the Change Case Stage action to change the case stage.

This action runs on all Google SecOps entities.

Action inputs

The Change Case Stage action requires the following parameters:

Parameter Description
Stage

Required.

The stage to move the case to.

The possible values are as follows:

  • Triage
  • Assessment
  • Investigation
  • Incident
  • Improvement
  • Research

Action outputs

The Change Case Stage action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Output messages

The Change Case Stage action can return the following output messages:

Output message Message description

Case stage was successfully changed to CASE_STAGE .

The action succeeded.
Error executing action "Change Case Stage". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Change Case Stage action:

Script result name Value
Script Result true or false

Change Priority

Use the Change Priority action to update the priority of the investigated case.

This action runs on all Google SecOps entities.

Action inputs

The Change Priority action requires the following parameters:

Parameter Description
Priority

Required.

The priority to set for the case.

The possible values are as follows:

  • Informative
  • Low
  • Medium
  • High
  • Critical

Action outputs

The Change Priority action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Output messages

The Change Priority action can return the following output messages:

Output message Message description

The case priority was set to NEW_CASE_PRIORITY

The action succeeded.
Error executing action "Change Priority". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Change Priority action:

Script result name Value
Script Result true or false

Close Alert

Use the Close Alert action to close the alert.

This action runs on all Google SecOps entities.

Action inputs

The Close Alert action requires the following parameters:

Parameter Description
Reason

Required.

A reason for closing the alert.

The possible values are as follows:

  • Malicious
  • NotMalicious
  • Maintenance
  • Inconclusive
Root Cause

Required.

A primary cause for closing the alert.

Comment

Required.

A comment to add to the alert.

Assign to User

Optional.

The user to assign the alert to.

Tags

Optional.

A comma-separated list of tags.

Action outputs

The Close Alert action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Output messages

The Close Alert action can return the following output messages:

Output message Message description

The alert was closed. Root Cause: ROOT_CAUSE Comment: ALERT_COMMENT Reason: REASON

The action succeeded.
Error executing action "Close Alert". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Close Alert action:

Script result name Value
StatusResult true or false

Close Case

Use the Close Case action to close the case.

This action runs on all Google SecOps entities.

Action inputs

The Close Case action requires the following parameters:

Parameter Description
Reason

Required.

A reason for closing the case.

The possible values are as follows:

  • Malicious
  • NotMalicious
  • Maintenance
  • Inconclusive
Root Cause

Required.

A primary cause for closing the case.

Comment

Required.

A comment to add to the case.

Action outputs

The Close Case action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Output messages

The Close Case action can return the following output messages:

Output message Message description

The case was closed. Root Cause: ROOT_CAUSE Comment: CASE_COMMENT Reason: REASON

The action succeeded.
Error executing action "Close Case". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Close Case action:

Script result name Value
StatusResult true or false

Create Entity

Use the Create Entity action to create a new entity and add it to an alert.

This action runs on all Google SecOps entities.

Action inputs

The Create Entity action requires the following parameters:

Parameter Description
Entities Identifies

Required.

A comma-separated list of entity identifiers to create in the case, such as VALUE1,VALUE2,VALUE3.

Delimiter

Optional.

The delimiter used to split the input from the Entities Identifies parameter into multiple identifiers.

If you don't set a value, the action treats the input as a single entity identifier.

The default value is a comma (,).

Entity Type

Required.

The type of the entity to create, such as HOSTNAME , USERNAME , or IP .

Is Internal

Optional.

If selected, the action treats entities as part of an internal network.

Not selected by default.

Is Suspicious

Optional.

If selected, the action treats entities as suspicious.

Not selected by default.

Action outputs

The Create Entity action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Output messages

The Create Entity action can return the following output messages:

Output message Message description

ENTITY_ID created successfully.

The action succeeded.
Error executing action "Create Entity". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Create Entity action:

Script result name Value
StatusResult true or false

Create Gemini Case Summary

Use the Create Gemini Case Summary action to create a new Gemini case summary and add it to an alert.

This action runs on all Google SecOps entities.

Action inputs

None.

Action outputs

The Create Gemini Case Summary action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Available
Output messages Available
Script result Available
JSON result

The following example shows the JSON result output received when using the Create Gemini Case Summary action:

  {
    "summary": "On the Linux agent instance-1 (IP addresses 10.150.0.3 and 34.85.128.214), user vanshikavw_google_com initiated the process curl (SHA1 hash 3395856ce81f2b7382dee72602f798b642f14140) to create the malware file /home/vanshikavw_google_com/eicar_test_vanshikavw-test-new.\n*  VirusTotal identifies the SHA1 hash 3395856ce81f2b7382dee72602f798b642f14140 as a virus.eicar/test.\n*  CURL is associated with multiple actors, including APT27, APT34, APT41, APT44, APT9, FIN11, FIN13, FIN6, TEMP.Armageddon, Turla Team, UNC1151, UNC1860, UNC215, UNC2165, UNC2500, UNC251, UNC2595, UNC2633, UNC2900, UNC2975, UNC3569, UNC3661, UNC3944, UNC4483, UNC4936, UNC4962, UNC5007, UNC5051, UNC5055, UNC5156, UNC5221, UNC5266, UNC5330, UNC5371, UNC5470, UNC5859, and UNC961.\n*  CURL is known to use MITRE ATT&CK techniques such as T1113, T1095, T1036, T1553, T1222, T1055, T1140, T1070, T1027, T1622, T1057, T1010, T1083, T1518, T1082, T1016, T1059, T1496, and T1588.\n*  A GTI MALWARE search did not find any information about eicar_test_vanshikavw-test-new.\n*  A GTI IP_ADDRESS search did not find any information about 10.150.0.3 or 34.85.128.214.",
    "next_steps": [
      "Isolate instance-1 to prevent any potential lateral movement or further compromise of the network, as the curl process is associated with multiple threat actors.",
      "Investigate the user account vanshikavw_google_com to determine if the user's credentials have been compromised or if the user initiated the curl process intentionally, as the curl process is associated with multiple threat actors.",
      "Analyze the network traffic to and from the IP addresses 10.150.0.3 and 34.85.128.214 for any suspicious communication patterns, as the curl process is associated with multiple threat actors.",
      "Examine the process execution logs on instance-1 for any other unusual or unauthorized activities, as the curl process is associated with multiple threat actors.",
      "Review the configuration of the Linux agent on instance-1 to ensure that it is properly secured and that no unauthorized modifications have been made, as the curl process is associated with multiple threat actors."
    ],
    "reasons": [
      "The case involves a Linux agent instance-1 (IP addresses 10.150.0.3 and 34.85.128.214) where user vanshikavw_google_com initiated the process curl to create the file /home/vanshikavw_google_com/eicar_test_vanshikavw-test-new.",
      "The SHA1 hash 3395856ce81f2b7382dee72602f798b642f14140 of the curl process is identified by VirusTotal as virus.eicar/test, indicating it is a known test virus.",
      "The process CURL is associated with multiple threat actors, including APT27, APT34, APT41, APT44, APT9, FIN11, FIN13, FIN6, TEMP.Armageddon, Turla Team, UNC1151, UNC1860, UNC215, UNC2165, UNC2500, UNC251, UNC2595, UNC2633, UNC2900, UNC2975, UNC3569, UNC3661, UNC3944, UNC4483, UNC4936, UNC4962, UNC5007, UNC5051, UNC5055, UNC5156, UNC5221, UNC5266, UNC5330, UNC5371, UNC5470, UNC5859, and UNC961, suggesting a potential link to malicious activity.",
      "CURL is known to use various MITRE ATT&CK techniques such as T1113, T1095, T1036, T1553, T1222, T1055, T1140, T1070, T1027, T1622, T1057, T1010, T1083, T1518, T1082, T1016, T1059, T1496, and T1588, indicating a wide range of potential malicious behaviors.",
      "The file eicar_test_vanshikavw-test-new was not found in GTI MALWARE searches, and the IP addresses 10.150.0.3 and 34.85.128.214 were not found in GTI IP_ADDRESS searches."
    ]
  }
 
Output messages

The Create Gemini Case Summary action can return the following output messages:

Output message Message description

Case summary generation completed.

The action succeeded.
Error executing action "Create Gemini Case Summary". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Create Gemini Case Summary action:

Script result name Value
is_success true or false

Create Or Update Entity Properties

Use the Create Or Update Entity Properties action to create or change properties for entities in the entity scope.

This action runs on all Google SecOps entities.

Action inputs

The Create Or Update Entity Properties action requires the following parameters:

Parameter Description
Entity Field

Required.

The name of the entity field to create or update.

Field Value

Required.

The value to set for the specified entity field.

Action outputs

The Create Or Update Entity Properties action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Output messages

The Create Or Update Entity Properties action can return the following output messages:

Output message Message description

Property ENTITY_ID were changed for the following entities: ENTITY_ID .

The action succeeded.
Error executing action "Create Or Update Entity Properties". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Create Or Update Entity Properties action:

Script result name Value
is_success true or false

Get Case Details

Use the Get Case Details action to get all the data from a case, including comments, entity information, insights, playbooks that ran, alert information, and events.

This action doesn't run on Google SecOps entities.

Action inputs

The Get Case Details action requires the following parameters:

Parameter Description
Case Id

Optional.

The ID of the case to query.

If you don't provide a value, the action uses the current case.

Fields to Return

Optional.

A comma-separated list of fields to return.

If nothing is provided, all fields are returned.

Note: Nested values can be retrieved by chaining keys and list indexes using the Nested Keys Delimiter parameter.

Nested Keys Delimiter

Optional.

The character used to separate nested keys when requesting specific fields.

The delimiter cannot be a comma (,).

Nested key retrieval requires this delimiter.
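The following added example, which is not the action's own code, shows the field-selection semantics described above: Fields to Return is a comma-separated list, each entry of which may be a path of keys and list indexes joined by the Nested Keys Delimiter, and an empty list returns the whole document. The case document is a constructed subset of the JSON result shown for this action; the function names, and the choice to return selected values in a flat map keyed by the requested path, are the example's own.

```python
import json

# Constructed subset of the Get Case Details JSON result, used as input below.
SAMPLE_CASE = json.loads("""
{
  "id": 24879,
  "name": "Malware",
  "stage": "Triage",
  "assignedUser": "@Tier1",
  "tags": ["hi", "Simulated Case"],
  "alertCards": [{
    "id": 172354,
    "ruleGenerator": "Malware",
    "deviceProduct": "SentinelOneV2",
    "eventsCount": 3,
    "sla": {"expirationStatus": 2, "slaExpirationTime": null}
  }]
}
""")


def resolve_path(document, path, delimiter):
    """Walk 'document' along 'path', a delimiter-joined list of keys and indexes.

    Returns (found, value). A missing key, an out-of-range index, a non-numeric
    index into a list, or descending into a scalar yields (False, None) rather
    than raising, so a playbook can branch on presence. 'found' is reported
    separately because a present field may legitimately hold null.
    """
    if delimiter == ",":
        raise ValueError("the nested keys delimiter cannot be a comma")
    current = document
    for part in path.split(delimiter):
        if isinstance(current, dict):
            if part not in current:
                return False, None
            current = current[part]
        elif isinstance(current, list):
            if not part.isdigit() or int(part) >= len(current):
                return False, None
            current = current[int(part)]
        else:
            return False, None
    return True, current


def select_fields(document, fields_to_return, delimiter="."):
    """Apply the Fields to Return semantics to a case document.

    An empty or blank field list returns the whole document. Otherwise each
    comma-separated entry is resolved as a nested path; entries that do not
    resolve are left out of the result.
    """
    if not fields_to_return or not fields_to_return.strip():
        return document
    result = {}
    for field in fields_to_return.split(","):
        field = field.strip()
        if not field:
            continue
        found, value = resolve_path(document, field, delimiter)
        if found:
            result[field] = value
    return result


if __name__ == "__main__":
    print(select_fields(SAMPLE_CASE, "name, stage, alertCards.0.ruleGenerator"))
    print(select_fields(SAMPLE_CASE, "alertCards|0|sla|expirationStatus", "|"))
```

Pick a delimiter that cannot occur in the key names of the document you query; a dot is fine for the case fields shown on this page, while a pipe or slash avoids clashes when field names themselves contain dots.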

Action outputs

The Get Case Details action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Available
Output messages Available
Script result Available
JSON result

The following example shows the JSON result output received when using the Get Case Details action:

  {
    "id": 24879,
    "creationTimeUnixTimeInMs": 1750862500562,
    "modificationTimeUnixTimeInMs": 1750862500562,
    "name": "Malware",
    "priority": -1,
    "isImportant": false,
    "isIncident": false,
    "startTimeUnixTimeInMs": 1727243021999,
    "endTimeUnixTimeInMs": 1727243022479,
    "assignedUser": "@Tier1",
    "description": null,
    "isTestCase": true,
    "type": 1,
    "stage": "Triage",
    "environment": "Default Environment",
    "status": 1,
    "incidentId": null,
    "tags": ["hi", "Simulated Case"],
    "alertCards": [{
      "id": 172354,
      "creationTimeUnixTimeInMs": 1750862500651,
      "modificationTimeUnixTimeInMs": 1750862500651,
      "identifier": "EICAR_TEST_VANSHIKAVW-TEST-NEW0CC43705-04A7-43FD-88CD-B3E7FECA881D",
      "status": 0,
      "name": "EICAR_TEST_VANSHIKAVW-TEST-NEW",
      "priority": -1,
      "workflowsStatus": 1,
      "slaExpirationUnixTime": null,
      "slaCriticalExpirationUnixTime": null,
      "startTime": 1727243021999,
      "endTime": 1727243022479,
      "alertGroupIdentifier": "MalwareSFBrxjAXvKJsJyKe5iQalf00zrv/QwX966dRoEyP2eA=_8cc160b5-7039-421c-926c-1a98073f11d2",
      "eventsCount": 3,
      "title": "EICAR_TEST_VANSHIKAVW-TEST-NEW",
      "ruleGenerator": "Malware",
      "deviceProduct": "SentinelOneV2",
      "deviceVendor": "SentinelOneV2",
      "playbookAttached": "Testing",
      "playbookRunCount": 1,
      "isManualAlert": false,
      "sla": {
        "slaExpirationTime": null,
        "criticalExpirationTime": null,
        "expirationStatus": 2,
        "remainingTimeSinceLastPause": null
      },
      "fieldsGroups": [],
      "sourceUrl": null,
      "sourceRuleUrl": null,
      "siemAlertId": null,
      "relatedCases": [],
      "lastSourceUpdateUnixTimeInMs": null,
      "caseId": 24879,
      "nestingDepth": 0
    }],
    "isOverflowCase": false,
    "isManualCase": false,
    "slaExpirationUnixTime": null,
    "slaCriticalExpirationUnixTime": null,
    "stageSlaExpirationUnixTimeInMs": null,
    "stageSlaCriticalExpirationUnixTimeInMs": null,
    "canOpenIncident": false,
    "sla": {
      "slaExpirationTime": null,
      "criticalExpirationTime": null,
      "expirationStatus": 2,
      "remainingTimeSinceLastPause": null
    },
    "stageSla": {
      "slaExpirationTime": null,
      "criticalExpirationTime": null,
      "expirationStatus": 2,
      "remainingTimeSinceLastPause": null
    },
    "relatedAlertTicketId": null,
    "relatedAlertCards": []
  }
 
Output messages

The Get Case Details action can return the following output messages:

Output message Message description

Finished executing Get Case Details successfully

The action succeeded.
Error executing action "Get Case Details". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Get Case Details action:

Script result name Value
is_success true or false

Get Connector Context Value

Use the Get Connector Context Value action to get a value that is stored under a specified key in the Google SecOps database for a connector context.

This action doesn't run on Google SecOps entities.

Action inputs

The Get Connector Context Value action requires the following parameters:

Parameter Description
Connector Identifier

Required.

The connector identifier for which to retrieve the context value.

Key Name

Required.

The key name for which to retrieve the context value.

Create Case Wall Table

Optional.

If selected, the action creates a Case Wall table with the retrieved context value, unless the value exceeds the character limit.

Selected by default.

Action outputs

The Get Connector Context Value action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Case Wall table

The Get Connector Context Value action can generate the following table:

Table name: Connector

Table columns:

  • Connector identifier
  • Key
  • Value
Output messages

The Get Connector Context Value action can return the following output messages:

Output message Message description

Successfully found context value for the provided context key CONTEXT_KEY for the connector identifier CONNECTOR_IDENTIFIER.

Context value was not found for the provided context key CONTEXT_KEY and connector identifier CONNECTOR_IDENTIFIER.

Action can't return the Case Wall table as the context values are too big.

The action succeeded.
Error executing action "Get Connector Context Value". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Get Connector Context Value action:

Script result name Value
is_success true or false

Get Custom Field Values

Use the Get Custom Field Values action to retrieve the current values of the custom fields in the specified scope.

This action doesn't run on Google SecOps entities.

Action inputs

The Get Custom Field Values action requires the following parameters:

Parameter
Description
Scope

Required.

The scope from which to get the custom fields.

Possible values are as follows:

  • Case
  • Alert
  • All

Action outputs

The Get Custom Field Values action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Available
Output messages Available
Script result Available
JSON result

The following example shows the JSON result output received when using the Get Custom Field Values action:

  [{
    "Case": {
      "Case Custom Field Name 1": "Updated Custom Field Value",
      "Case Custom Field Name 2": "Updated Custom Field Value"
    },
    "Alert": {
      "Alert Custom Field Name 1": "Updated Custom Field Value",
      "Alert Custom Field Name 2": "Updated Custom Field Value"
    }
  }]
 
Output messages

The Get Custom Field Values action can return the following output messages:

Output message Message description

Successfully returned SCOPE custom fields.

No custom fields were found in scope SCOPE.

The action succeeded.
Error executing action "Get Custom Field Values". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Get Custom Field Values action:

Script result name Value
is_success True or False

Get Scope Context Value

Use the Get Scope Context Value action to get a value that is stored under a specified key in the Google SecOps database.

This action doesn't run on Google SecOps entities.

Action inputs

The Get Scope Context Value action requires the following parameters:

Parameter Description
Context Scope

Required.

The context scope to retrieve data from.

Possible values are as follows:

  • Not specified
  • Alert
  • Case
  • Global
Key Name

Required.

The key name to retrieve the corresponding value from the specified context.

Create Case Wall Table

Optional.

If selected, the action creates a Case Wall table with the retrieved context value, unless the value exceeds the character limit.

Selected by default.

Action outputs

The Get Scope Context Value action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Case Wall table

The Get Scope Context Value action can generate the following table:

Table name: SCOPE

Table columns:

  • Key
  • Value
Output messages

The Get Scope Context Value action can return the following output messages:

Output message Message description

Successfully found context value for the provided context key CONTEXT_KEY with scope CONTEXT_SCOPE.

No context values were found for the provided context scope CONTEXT_SCOPE.

Context value was not found for the provided context key CONTEXT_KEY with scope CONTEXT_SCOPE.

Action can't return the Case Wall table as the context values are too big.

The action succeeded.
Error executing action "Get Scope Context Value". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Get Scope Context Value action:

Script result name Value
is_success true or false

Get Similar Cases

Use the Get Similar Cases action to search for similar cases and return their IDs.

This action runs on all Google SecOps entities.

Action inputs

The Get Similar Cases action requires the following parameters:

Parameter Description
Rule Generator

Optional.

If selected, the action searches for similar cases using the rule generator.

Selected by default.

Port

Optional.

If selected, the action searches for similar cases using port numbers.

Selected by default.

Category Outcome

Optional.

If selected, the action searches for similar cases using the category outcome.

Selected by default.

Entity Identifier

Optional.

If selected, the action searches for similar cases using the entity identifier.

Selected by default.

Days Back

Required.

The number of days prior to today for the action to search for similar cases.

Include Open Cases

Optional.

If selected, the action searches through open cases.

Selected by default.

Include Closed Cases

Optional.

If selected, the action searches through closed cases.

Selected by default.

The Get Similar Cases action combines the Rule Generator, Port, Category Outcome, Entity Identifier, Include Open Cases, and Include Closed Cases parameters with a logical AND, so all selected criteria must match in the same search.

Action outputs

The Get Similar Cases action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Available
Output messages Available
Script result Available
JSON result

The following example shows the JSON result output received when using the Get Similar Cases action:

  {
    "results": [{
      "id": 23874,
      "name": "Malware",
      "tags": ["hi", "Simulated Case"],
      "start time": "2024-09-25 05:43:41.999000+00:00",
      "start time unix": 1727243021999,
      "last modified": "2025-06-19 13:24:01.062000+00:00",
      "priority": "Informative",
      "assigned user": "@Tier1",
      "matching_criteria": {
        "ruleGenerator": true,
        "port": true,
        "outcome": true,
        "entities": true
      },
      "matched_entities": [
        {"entity": "INSTANCE-1", "type": "HOSTNAME", "isSuspicious": false},
        {"entity": "10.150.0.3", "type": "ADDRESS", "isSuspicious": false},
        {"entity": "172.17.0.1", "type": "ADDRESS", "isSuspicious": false},
        {"entity": "VANSHIKAVW_GOOGLE_COM", "type": "USERUNIQNAME", "isSuspicious": false},
        {"entity": "CURL", "type": "PROCESS", "isSuspicious": false},
        {"entity": "EICAR_TEST_VANSHIKAVW-TEST-NEW", "type": "FILENAME", "isSuspicious": false},
        {"entity": "3395856CE81F2B7382DEE72602F798B642F14140", "type": "FILEHASH", "isSuspicious": false},
        {"entity": "34.85.128.214", "type": "ADDRESS", "isSuspicious": false},
        {"entity": "/HOME/VANSHIKAVW_GOOGLE_COM/EICAR_TEST_VANSHIKAVW-TEST-NEW", "type": "FILENAME", "isSuspicious": false}
      ],
      "status": "Open"
    }],
    "stats": {
      "Malicious": 0.0,
      "Is Important": 0.0,
      "Is Incident": 0.0,
      "Status Open": 100.0
    },
    "platform_url": "https://soarapitest.backstory.chronicle.security/"
  }
 
Output messages

The Get Similar Cases action can return the following output messages:

Output message Message description

Processed NUMBER_OF_CASES similar cases: CASE_IDS_LIST

The action succeeded.
Error executing action "Get Similar Cases". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Get Similar Cases action:

Script result name Value
SimilarCasesIds CASE_IDS_LIST

Instruction

Use the Instruction action to set instructions for an analyst.

This action runs on all Google SecOps entities.

Action inputs

The Instruction action requires the following parameters:

Parameter Description
Instruction

Required.

The instruction content for the analyst.

Action outputs

The Instruction action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Output messages

The Instruction action can return the following output messages:

Output message Message description

Please perform the following instructions: INSTRUCTION.

The action succeeded.
Error executing action "Instruction". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Instruction action:

Script result name Value
Script Result true or false

Is In Custom List

Use the Is In Custom List action to check whether the entity identifier is part of a specified custom list.

This action runs on all Google SecOps entities.

Action inputs

The Is In Custom List action requires the following parameters:

Parameter Description
Category

Required.

A custom list category to check for alert entities.

Action outputs

The Is In Custom List action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Output messages

The Is In Custom List action can return the following output messages:

Output message Message description

This alert contains entities in the given custom list category: CATEGORY.

The action succeeded.
Error executing action "Is In Custom List". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Is In Custom List action:

Script result name Value
ScriptResult true or false

Mark As Important

Use the Mark As Important action to mark a case as important.

This action runs on all Google SecOps entities.

Action inputs

None.

Action outputs

The Mark As Important action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Output messages

The Mark As Important action can return the following output messages:

Output message Message description

The case was automatically marked as important.

The action succeeded.
Error executing action "Mark As Important". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Mark As Important action:

Script result name Value
Script Result true or false

Open Web Url

Use the Open Web Url action to generate a browser link.

This action runs on all Google SecOps entities.

Action inputs

The Open Web Url action requires the following parameters:

Parameter Description
Title

Required.

The title of the URL.

URL

Required.

The target URL.

Action outputs

The Open Web Url action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Output messages

The Open Web Url action can return the following output messages:

Output message Message description

URL_TITLE

URL_LINK

The action succeeded.
Error executing action "Open Web Url". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Open Web Url action:

Script result name Value
Script Result true or false

Pause Alert SLA

Use the Pause Alert SLA action to pause the Service Level Agreement (SLA) timer for a specific alert in the case.

This action doesn't run on Google SecOps entities.

Action inputs

The Pause Alert SLA action requires the following parameters:

Parameter Description
Message

Optional.

The reason for pausing the alert SLA.

Action outputs

The Pause Alert SLA action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Output messages

The Pause Alert SLA action can return the following output messages:

Output message Message description

The alert SLA was paused.

The action succeeded.
Error executing action "Pause Alert SLA". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Pause Alert SLA action:

Script result name Value
is_success true or false

Pause Case SLA

Use the Pause Case SLA action to pause the Service Level Agreement (SLA) timer for a specific case.

This action doesn't run on Google SecOps entities.

Action inputs

The Pause Case SLA action requires the following parameters:

Parameter Description
Message

Optional.

The reason for pausing the case SLA.

Action outputs

The Pause Case SLA action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Output messages

The Pause Case SLA action can return the following output messages:

Output message Message description

The case SLA was paused.

The action succeeded.
Error executing action "Pause Case SLA". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Pause Case SLA action:

Script result name Value
is_success true or false

Permitted Alert Time

Use the Permitted Alert Time action to check whether the start time of a selected alert complies with user-defined time conditions.

This action runs on all Google SecOps entities.

Action inputs

The Permitted Alert Time action requires the following parameters:

Parameter Description
Permitted Start Time

Required.

The start time of the permitted period for alerts.

Permitted End Time

Required.

The end time of the permitted period for alerts.

Monday

Optional.

If selected, the action treats Mondays as permitted days for alerts.

Not selected by default.

Tuesday

Optional.

If selected, the action treats Tuesdays as permitted days for alerts.

Selected by default.

Wednesday

Optional.

If selected, the action treats Wednesdays as permitted days for alerts.

Selected by default.

Thursday

Optional.

If selected, the action treats Thursdays as permitted days for alerts.

Not selected by default.

Friday

Optional.

If selected, the action treats Fridays as permitted days for alerts.

Not selected by default.

Saturday

Optional.

If selected, the action treats Saturdays as permitted days for alerts.

Not selected by default.

Sunday

Optional.

If selected, the action treats Sundays as permitted days for alerts.

Not selected by default.

Timestamp Type

Optional.

The type of timestamp to use for the comparison.

Input Timezone

Optional.

The timezone name, for example UTC. The action also accepts IANA zone names (for example, America/New_York). If the input is an IANA zone, the action automatically adjusts for daylight saving time.

Action outputs

The Permitted Alert Time action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Output messages

The Permitted Alert Time action can return the following output messages:

Output message Message description

Case Time of ALERT_TIME is within condition parameters of between START_TIME - END_TIME on CHECKED_DAY

The action succeeded.
Error executing action "Permitted Alert Time". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Permitted Alert Time action:

Script result name Value
Permitted true or false
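The check this action performs, re-implemented in Python as an added example (not code from the Siemplify integration or Google SecOps): it assumes the permitted times are given as HH:MM strings, the alert time as epoch milliseconds, and inclusive window boundaries, and resolves IANA zone names with Python's zoneinfo, which needs system or tzdata zone files.

```python
# Added example (not the Siemplify integration's own code): a stand-alone
# re-implementation of the Permitted Alert Time check described above.
from datetime import datetime, time, timezone, tzinfo
from zoneinfo import ZoneInfo

WEEKDAYS = ("Monday", "Tuesday", "Wednesday", "Thursday",
            "Friday", "Saturday", "Sunday")


def resolve_timezone(name: str) -> tzinfo:
    """Resolve the Input Timezone parameter: 'UTC' or an IANA zone name.

    IANA zones (for example America/New_York) go through zoneinfo, which
    applies the daylight-saving rules in force on the alert's date, so the
    same 09:00-17:00 window means local wall-clock time in summer and winter.
    """
    name = name.strip()
    if name.upper() == "UTC":
        return timezone.utc
    return ZoneInfo(name)


def parse_hhmm(value: str) -> time:
    """Parse a permitted start or end time given as 'HH:MM' (assumed format)."""
    hours, minutes = value.strip().split(":")
    return time(int(hours), int(minutes))


def alert_time_is_permitted(alert_time_unix_ms: int, permitted_start: str,
                            permitted_end: str, permitted_days,
                            input_timezone: str = "UTC"):
    """Return (permitted, checked_day, alert_time_hhmm).

    alert_time_unix_ms  alert start time in epoch milliseconds, the unit the
                        case JSON uses for its *UnixTimeInMs fields.
    permitted_days      the weekday names that were selected (Monday..Sunday);
                        an unselected day is never permitted, whatever the time.
    A window whose end is earlier than its start (for example 22:00-06:00) is
    taken to span midnight. The weekday checked is the one on which the alert
    started in the input timezone. Both boundaries are inclusive (assumption).
    """
    local_dt = datetime.fromtimestamp(alert_time_unix_ms / 1000,
                                      tz=resolve_timezone(input_timezone))
    checked_day = WEEKDAYS[local_dt.weekday()]
    wall = local_dt.time()  # naive wall-clock time in the input timezone
    start, end = parse_hhmm(permitted_start), parse_hhmm(permitted_end)
    if start <= end:
        in_window = start <= wall <= end          # same-day window
    else:
        in_window = wall >= start or wall <= end  # window spans midnight
    permitted = in_window and checked_day in set(permitted_days)
    return permitted, checked_day, wall.strftime("%H:%M")


def success_message(alert_time_hhmm: str, permitted_start: str,
                    permitted_end: str, checked_day: str) -> str:
    """The output message the action returns when the check passes."""
    return (f"Case Time of {alert_time_hhmm} is within condition parameters of "
            f"between {permitted_start} - {permitted_end} on {checked_day}")


if __name__ == "__main__":
    # Constructed input: the 'start time unix' value from the Get Similar Cases
    # example on this page, i.e. 2024-09-25 05:43:41.999 UTC, a Wednesday.
    alert_ms = 1727243021999
    # Business-hours window in UTC: 05:43 falls outside it.
    ok, day, hhmm = alert_time_is_permitted(alert_ms, "09:00", "17:00",
                                            {"Tuesday", "Wednesday"})
    print(ok, day, hhmm)
    # Overnight window that spans midnight: 05:43 falls inside it.
    ok, day, hhmm = alert_time_is_permitted(alert_ms, "22:00", "06:00",
                                            {"Wednesday"})
    print(success_message(hhmm, "22:00", "06:00", day) if ok else "not permitted")
```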

Ping

Use the Ping action to test the connectivity.

This action runs on all Google SecOps entities.

Action inputs

None.

Action outputs

The Ping action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Output messages

The Ping action can return the following output messages:

Output message Message description

Email address is syntactically correct.

The action succeeded.
Error executing action "Ping". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Ping action:

Script result name Value
Script Result true or false

Raise Incident

Use the Raise Incident action to raise a case incident and mark true positive cases as Critical.

This action runs on all Google SecOps entities.

Action inputs

The Raise Incident action requires the following parameters:

Parameter Description
Soc Role

Optional.

The Google SecOps SOC role to assign the case to.

Action outputs

The Raise Incident action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Output messages

The Raise Incident action can return the following output messages:

Output message Message description

The case raised to CASE_STAGE status.

The action succeeded.
Error executing action "Raise Incident". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Raise Incident action:

Script result name Value
Script Result true or false

Remove Tag

Use the Remove Tag action to remove tags from a case.

This action runs on all Google SecOps entities.

Action inputs

The Remove Tag action requires the following parameters:

Parameter Description
Tag

Required.

A comma-separated list of tags to remove from a case.

Action outputs

The Remove Tag action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Output messages

The Remove Tag action can return the following output messages:

Output message Message description

Successfully removed the following tags from case CASE_ID: TAGS

The action succeeded.

It is not possible to remove the tag.

Error executing action "Remove Tag". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Remove Tag action:

Script result name Value
is_success true or false

Remove From Custom List

Use the Remove From Custom List action to remove entities that are associated with an alert from a specified custom list category.

This action runs on all Google SecOps entities.

Action inputs

The Remove From Custom List action requires the following parameters:

Parameter Description
Category

Required.

The custom list category name from which to remove the entities.

Action outputs

The Remove From Custom List action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Output messages

The Remove From Custom List action can return the following output messages:

Output message Message description

The alert's entities ENTITY_ID were removed from custom list category: CATEGORY

The action succeeded.
Error executing action "Remove From Custom List". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Remove From Custom List action:

Script result name Value
ScriptResult true or false

Resume Alert SLA

Use the Resume Alert SLA action to restart the Service Level Agreement (SLA) timer for a specific alert in the case.

This action doesn't run on Google SecOps entities.

Action inputs

None.

Action outputs

The Resume Alert SLA action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Output messages

The Resume Alert SLA action can return the following output messages:

Output message Message description

The alert SLA was resumed.

The action succeeded.
Error executing action "Resume Alert SLA". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Resume Alert SLA action:

Script result name Value
is_success true or false

Resume Case SLA

Use the Resume Case SLA action to restart the Service Level Agreement (SLA) timer for a specific case.

This action doesn't run on Google SecOps entities.

Action inputs

None.

Action outputs

The Resume Case SLA action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Output messages

The Resume Case SLA action can return the following output messages:

Output message Message description

The case SLA was resumed.

The action succeeded.
Error executing action "Resume Case SLA". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Resume Case SLA action:

Script result name Value
is_success True or False

Set Alert SLA

Use the Set Alert SLA action to set the SLA timer for an alert.

This action has the highest priority and overrides the existing SLA defined for the specific alert.

This action doesn't run on Google SecOps entities.

Action inputs

The Set Alert SLA action requires the following parameters:

Parameter Description
SLA Period

Required.

The SLA breach period.

The default value is 5.

SLA Time Unit

Required.

The time unit for the SLA period.

The default value is Minutes.

The possible values are as follows:

  • Minutes
  • Hours
  • Days

SLA Time To Critical Period

Required.

The critical SLA threshold.

The default value is 4.

SLA Time To Critical Unit

Required.

The time unit for the critical SLA period.

The default value is Minutes.

The possible values are as follows:

  • Minutes
  • Hours
  • Days

Action outputs

The Set Alert SLA action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Output messages

The Set Alert SLA action can return the following output messages:

Output message Message description

Alert ALERT_NAME of case CASE_ID was set with SLA of SLA_PERIOD SLA_TIME_UNIT and critical period of CRITICAL_PERIOD CRITICAL_TIME_UNIT.

The action succeeded.
Error executing action "Set Alert SLA". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Set Alert SLA action:

Script result name Value
is_success true or false

Set Case SLA

Use the Set Case SLA action to set the SLA for a case.

This action has the highest priority and overrides the existing SLA defined for the specific case.

This action doesn't run on Google SecOps entities.

Action inputs

The Set Case SLA action requires the following parameters:

Parameter Description
SLA Period

Required.

The SLA breach period.

The default value is 5.

SLA Time Unit

Required.

The time unit for the SLA period.

The default value is Minutes.

The possible values are as follows:

  • Minutes
  • Hours
  • Days

SLA Time To Critical Period

Required.

The critical SLA threshold.

The default value is 4.

SLA Time To Critical Unit

Required.

The time unit for the critical SLA period.

The default value is Minutes.

The possible values are as follows:

  • Minutes
  • Hours
  • Days

Action outputs

The Set Case SLA action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Output messages

The Set Case SLA action can return the following output messages:

Output message Message description

Case CASE_ID was set with SLA of SLA_PERIOD SLA_TIME_UNIT and critical period of CRITICAL_PERIOD CRITICAL_TIME_UNIT.

The action succeeded.
Error executing action "Set Case SLA". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Set Case SLA action:

Script result name Value
is_success true or false

Set Custom Fields

Use the Set Custom Fields action to set values for custom fields.

This action doesn't run on Google SecOps entities.

Action inputs

The Set Custom Fields action requires the following parameters:

Parameter Description
Scope

Required.

The scope to set for the custom fields.

The possible values are Case and Alert.

The default value is Case.

Custom Fields Data

Required.

The values to update for the custom fields.

You can update multiple custom fields in a single action run.

The default value is as follows:

  {
    "Custom Field Name 1": "Custom Field Value 1",
    "Custom Field Name 2": "Custom Field Value 2"
  }

Append Values

Optional.

If selected, the action appends the inputs from the Custom Fields Data parameter to the existing values of the custom fields.

If not selected, the action overwrites the existing values with the inputs from the Custom Fields Data parameter.

Not selected by default.

Action outputs

The Set Custom Fields action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Available
Output messages Available
Script result Available
JSON result

The following example shows the JSON result output received when using the Set Custom Fields action:

  {
    "Custom Field Name 1": "Updated Custom Field Value",
    "Custom Field Name 2": "Updated Custom Field Value"
  }
 
Output messages

The Set Custom Fields action can return the following output messages:

Output message Message description

Successfully updated the following SCOPE custom fields: UPDATED_CUSTOM_FIELD_NAMES

The action succeeded.
Error executing action "Set Custom Fields". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Set Custom Fields action:

Script result name Value
is_success true or false

Set Risk Score

Use the Set Risk Score action to update the risk score of a case.

This action doesn't run on Google SecOps entities.

Action inputs

The Set Risk Score action requires the following parameters:

Parameter Description
Risk Score

Required.

The risk score to set for the selected case.

Action outputs

The Set Risk Score action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Output messages

The Set Risk Score action can return the following output messages:

Output message Message description
Successfully set Risk Score for case CASE_ID The action succeeded.
Error executing action "Set Risk Score". Reason: ERROR_REASON The action failed. Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Set Risk Score action:

Script result name Value
is_success true or false

Set Scope Context Value

Use the Set Scope Context Value action to set a value for a key that is stored in the Google SecOps database.

This action doesn't run on Google SecOps entities.

Action inputs

The Set Scope Context Value action requires the following parameters:

Parameter Description
Context Scope

Required.

The context scope in which to store the value.

Possible values are as follows:

  • Not specified
  • Alert
  • Case
  • Global
Key Name

Required.

The key name under which to store the value in the specified context.

Key Value

Required.

The value to store under the specified key.

Action outputs

The Set Scope Context Value action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Output messages

The Set Scope Context Value action can return the following output messages:

Output message Message description
Successfully set context value for the context key CONTEXT_KEY with scope CONTEXT_SCOPE. The action succeeded.
Error executing action "Set Scope Context Value". Reason: ERROR_REASON The action failed. Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Set Scope Context Value action:

Script result name Value
is_success true or false

Update Case Description

Use the Update Case Description action to update a case description.

This action doesn't run on Google SecOps entities.

Action inputs

The Update Case Description action requires the following parameters:

Parameter Description
Description

Required.

The description to set for the case.

Action outputs

The Update Case Description action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Output messages

The Update Case Description action can return the following output messages:

Output message Message description
Successfully updated the case description. The action succeeded.
Error executing action "Update Case Description". Reason: ERROR_REASON The action failed. Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Update Case Description action:

Script result name Value
StatusResult true or false

Wait For Custom Fields

Use the Wait For Custom Fields action to wait for custom field values to be set before continuing playbook execution.

This action doesn't run on Google SecOps entities.

Action inputs

The Wait For Custom Fields action requires the following parameters:

Parameter Description
Scope

Required.

The scope of the custom fields to wait for.

The possible values are Case and Alert .

The default value is Case .

Custom Fields Data

Required.

The required conditions for the custom fields to allow the action to resume running a playbook.

Configure the custom field names and their required values as a JSON object.

If you set conditions for multiple fields, the action waits for all fields to match their respective conditions.

The action behavior depends on the input that you provide.

For the action to resume running a playbook with any value in a custom field, configure an empty string for the custom field as follows:

  {
    "Custom Field": ""
  }

For the action to resume running a playbook when the custom field equals a specific value, such as VALUE_1, specify the value for the custom field as follows:

  {
    "Custom Field": "VALUE_1"
  }

The default value is as follows:

  {
    "Custom Field Name 1": "Custom Field Value 1",
    "Custom Field Name 2": "Custom Field Value 2"
  }
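The following Python is an added example, not the integration's own code, that evaluates the Custom Fields Data conditions described above against a snapshot of a case's custom fields and reports which fields still hold the playbook. It assumes that an empty-string condition is satisfied by any non-empty value, that any other condition requires an exact, case-sensitive match, and that a field absent from the snapshot counts as empty.

```python
import json

# Added example (not the integration's own code): evaluates Wait For Custom
# Fields conditions against a snapshot of a case's custom fields.
# Assumptions: an empty-string condition is satisfied by any non-empty value,
# a non-empty condition requires an exact, case-sensitive match, and a field
# missing from the snapshot is treated as unset.


def parse_conditions(raw):
    """Parse the Custom Fields Data parameter into a name -> condition map."""
    conditions = json.loads(raw)
    if not isinstance(conditions, dict):
        raise ValueError("Custom Fields Data must be a JSON object")
    for name, cond in conditions.items():
        if not isinstance(cond, str):
            raise ValueError("condition for %r must be a string" % name)
    return conditions


def field_matches(current, condition):
    """True when a single field satisfies its condition."""
    if condition == "":
        # 'any value': the field must have been filled in at all
        return bool(current)
    return current == condition


def evaluate_wait(current_fields, raw_conditions):
    """Return (can_resume, pending) for the given snapshot of custom fields.

    can_resume is True only when every configured field matches, which is the
    documented 'waits for all fields' behaviour. pending lists each field that
    still holds the playbook as (name, current value, required condition).
    """
    conditions = parse_conditions(raw_conditions)
    pending = []
    for name, condition in conditions.items():
        current = current_fields.get(name, "")
        if not field_matches(current, condition):
            pending.append((name, current, condition))
    return len(pending) == 0, pending


if __name__ == "__main__":
    # Constructed snapshot (not real data): Approval is set, Ticket is empty.
    snapshot = {"Approval": "Approved", "Ticket": ""}
    raw = '{"Approval": "Approved", "Ticket": ""}'
    print(evaluate_wait(snapshot, raw))
    snapshot["Ticket"] = "INC-0042"
    print(evaluate_wait(snapshot, raw))
```

The first call reports that "Ticket" still blocks the playbook; after the analyst fills it in, the second call returns that the action can resume, mirroring the transition from the "Waiting for ... updates" message to the "Successfully waited" message.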
  

Action outputs

The Wait For Custom Fields action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Available
Output messages Available
Script result Available
JSON result

The following example shows the JSON result output received when using the Wait For Custom Fields action:

  {
    "Custom Field Name": "Updated Custom Field Value",
    "Custom Field Name": "Updated Custom Field Value"
  }
 
Output messages

The Wait For Custom Fields action can return the following output messages:

Output message Message description
Successfully waited for the following SCOPE custom fields: UPDATED_CUSTOM_FIELD_NAMES The action succeeded.
Waiting for SCOPE custom fields updates... The action succeeded.
Error executing action "Wait For Custom Fields". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Wait For Custom Fields action:

Script result name Value
is_success true or false

Jobs

The Siemplify integration lets you use the following jobs:

Siemplify - Actions Monitor

Use the Siemplify - Actions Monitor job to get notifications for all actions that have each failed at least three times in the past three hours.

Job inputs

The Siemplify - Actions Monitor job requires the following parameters:

Parameter Description
Run Interval In Seconds

Optional.

The interval in seconds for the job to run.

This parameter determines how often the integration checks for failed playbook actions.

The default value is 900 .

Is Enabled

Optional.

If selected, the job is active.

Selected by default.
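As an added example (not the job's own code), the following Python applies the rule the job describes, at least three failures in the past three hours, to a constructed list of action runs and formats one notification per offending action. The record shape (action name, status, UTC timestamp) and the grouping by action name are assumptions; the threshold and window come from the job description.

```python
from datetime import datetime, timedelta, timezone

# Added example (not the job's own code): reproduces the Actions Monitor rule,
# "failed at least three times in the past three hours", over constructed
# action run records. The record shape and grouping by action name are
# assumptions; the thresholds come from the job description.

FAILURE_THRESHOLD = 3
WINDOW = timedelta(hours=3)


def failing_actions(runs, now, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return {action_name: failure_count} for actions that hit the threshold.

    runs - iterable of (action_name, status, finished_at) with timezone-aware
           datetimes; status is 'failed' or 'succeeded'
    now  - the evaluation time, normally datetime.now(timezone.utc)
    """
    cutoff = now - window
    counts = {}
    for action_name, status, finished_at in runs:
        if status != "failed":
            continue
        if finished_at < cutoff or finished_at > now:
            continue  # outside the look-back window (or clock skew into the future)
        counts[action_name] = counts.get(action_name, 0) + 1
    return {name: n for name, n in counts.items() if n >= threshold}


def build_notifications(failures, window=WINDOW):
    """Format one notification line per failing action, sorted by name."""
    hours = int(window.total_seconds() // 3600)
    return [
        "Action %r failed %d times in the past %d hours" % (name, n, hours)
        for name, n in sorted(failures.items())
    ]


# Constructed evaluation time and sample runs (not real data).
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def sample_runs(now):
    return [
        ("Enrich Entities", "failed", now - timedelta(minutes=10)),
        ("Enrich Entities", "failed", now - timedelta(minutes=70)),
        ("Enrich Entities", "failed", now - timedelta(minutes=150)),
        ("Enrich Entities", "failed", now - timedelta(hours=5)),  # too old
        ("Set Risk Score", "failed", now - timedelta(minutes=5)),
        ("Set Risk Score", "succeeded", now - timedelta(minutes=4)),
    ]


if __name__ == "__main__":
    for line in build_notifications(failing_actions(sample_runs(SAMPLE_NOW), SAMPLE_NOW)):
        print(line)
```

With the constructed data only "Enrich Entities" is reported: it has three failures inside the window (the fourth is five hours old), while "Set Risk Score" has a single failure. The job's Run Interval In Seconds parameter corresponds to how often such an evaluation would be repeated.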

Siemplify - Cases Collector DB

Use the Siemplify - Cases Collector DB job to retrieve and process security cases from a designated publisher.

Job inputs

The Siemplify - Cases Collector DB job requires the following parameters:

Parameter Description
Publisher Id

Required.

The ID of the publisher from which to collect cases and logs.

Verify SSL

Optional.

If selected, the job verifies that the SSL certificate of the publisher is valid.

Not selected by default.

Siemplify - Logs Collector

Use the Siemplify - Logs Collector job to retrieve and process logs from a specified publisher.

Job inputs

The Siemplify - Logs Collector job requires the following parameters:

Parameter Description
Publisher Id

Required.

The ID of the publisher from which to collect the logs.

Verify SSL

Optional.

If selected, the job verifies that the SSL certificate of the publisher is valid.

Not selected by default.
