The Google Security Operations SOAR platform functionality uses connectors
to ingest alerts from a variety of data sources into the platform. A connector
is an item in an integration package that you can download from
the Google SecOps Content Hub (Marketplace). You configure connectors fromSOAR Settings>Ingestion>Connectors.
Connectors are Python-based applications that pull
alerts from third-party products into Google SecOps. Connectors also
parse and normalize the raw data (alerts and events) into a Google SecOps
format, which is then presented as a case in the case queue.
If you're running a third-party SIEM (a central place for all your alerts),
one connector is sufficient. You can also pull data from multiple
sources with several connectors. Each connector has a dedicated
documentation link for additional help.
Use case: Set up an email connector
Go toGoogle SecOps Content Hub (Marketplace)>Integrations.
Search for and install email integration.
SelectsettingsConfigure default instanceto open theEmail - Configure Instancedialog.
Complete all required parameters.
Optional: Go toSOAR Settings>Response>Integrations Setupto configure the integration to a different, relevant
instance (not the default environment).
Go toSOAR Settings>Ingestion>Connectors.
ClickaddCreate New Connector.
Select the IMAP Email connector and clickCreate.
Complete the required fields. When prompted, clickSave, and then clickYes.
Enable the connector and save it again. This makes it run periodically
to pull any new emails according to the configuration.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eGoogle Security Operations (SecOps) uses connectors to ingest alerts from various data sources into the platform's SOAR functionality.\u003c/p\u003e\n"],["\u003cp\u003eConnectors, found within integration packages in the Google SecOps Marketplace, are Python-based applications that pull alerts from third-party products.\u003c/p\u003e\n"],["\u003cp\u003eConnectors parse and normalize raw data into a format that is displayed as a case in the case queue, allowing for data ingestion from singular or multiple sources.\u003c/p\u003e\n"],["\u003cp\u003eTo set up an email connector, users must install the Email integration from the Marketplace, configure the instance, create the connector in the SOAR settings, and then enable it.\u003c/p\u003e\n"]]],[],null,["Ingest data using SOAR connectors \nSupported in: \nGoogle secops [SOAR](/chronicle/docs/secops/google-secops-soar-toc) \n\nThe Google Security Operations SOAR platform functionality uses connectors\nto ingest alerts from a variety of data sources into the platform. A connector\nis an item in an integration package that you can download from\nthe Google SecOps Content Hub (Marketplace). You configure connectors from\n**SOAR Settings \\\u003e Ingestion \\\u003e Connectors**.\n\n\nConnectors are Python-based applications that pull\nalerts from third-party products into Google SecOps. Connectors also\nparse and normalize the raw data (alerts and events) into a Google SecOps\nformat, which is then presented as a case in the case queue.\n\nIf you're running a third-party SIEM (a central place for all your alerts),\none connector is sufficient. You can also pull data from multiple\nsources with several connectors. Each connector has a dedicated\ndocumentation link for additional help.\n\nUse case: Set up an email connector\n\n1. Go to **Google SecOps Content Hub (Marketplace) \\\u003e Integrations**.\n2. Search for and install email integration.\n3. Select settings **Configure default instance** to open the **Email - Configure Instance** dialog.\n4. Complete all required parameters.\n5. Optional: Go to **SOAR Settings \\\u003e Response \\\u003e\n Integrations Setup** to configure the integration to a different, relevant instance (not the default environment).\n6. Go to **SOAR Settings \\\u003e Ingestion \\\u003e Connectors**.\n7. Click add **Create New Connector**.\n8. Select the IMAP Email connector and click **Create**.\n9. Complete the required fields. When prompted, click **Save** , and then click **Yes**.\n10. Enable the connector and save it again. This makes it run periodically to pull any new emails according to the configuration.\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
