Integrate Active Directory with Google SecOps
This document explains how to integrate Active Directory with Google Security Operations (Google SecOps).
Integration version: 37.0
This integration uses one or more open source components. You can download a zipped copy of the full source code of this integration from the Cloud Storage bucket.
Use cases
The Active Directory integration can help you solve the following use cases:
- Activate and deactivate users: use Google SecOps capabilities to deactivate a potentially compromised user account and prevent further unauthorized access.
- Reset passwords: use Google SecOps capabilities to automatically reset the user password in Active Directory and notify the user of the change.
- Manage groups: use Google SecOps capabilities to add new users to the appropriate security groups based on their role and ensure that the users have the correct access permissions.
- Retrieve User Information: use Google SecOps capabilities to retrieve user details such as group memberships, last sign in time, and contact information about a specific user account.
- Automate offboarding: use Google SecOps capabilities to disable accounts, remove them from groups, and transfer file ownership in a case when an employee offboards.
Before you begin
To successfully integrate Active Directory with Google SecOps, you must configure the `/etc/hosts` file.
If DNS resolution is configured in your DNS setup and your Active Directory domain is resolved by its fully qualified DNS name, you don't need to configure the `/etc/hosts` file.
Configure the /etc/hosts file
To configure the `/etc/hosts` file, complete the following steps:
- On your remote agent container image, go to the `/etc/hosts` file.
- Enter the following command to edit the `/etc/hosts` file: `sudo vi /etc/hosts`.
- In the `/etc/hosts` file, add the IP address and the hostname of the host that you use to connect to Active Directory, such as `192.0.2.195 hostname.example`.
- Save the changes.
If you don't need the certification authority certificate for the integration, proceed to configuring the integration parameters.
If you need the certification authority certificate for the integration, proceed to the following section.
Optional: Configure the certification authority (CA) certificate
If required, you can configure the Active Directory integration using a certification authority (CA) certificate file.
To configure the integration with a CA certificate, complete the following steps:
- To obtain the CA certificate, enter the `cat mycert.crt` command:

  ```
  bash-3.2# cat mycert.crt
  -----BEGIN CERTIFICATE-----
  CERTIFICATE_STRING
  -----END CERTIFICATE-----
  bash-3.2#
  ```
- To encode the root CA certificate file to the base64 format with the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` strings, enter the `cat mycert.crt | base64` command:

  ```
  bash-3.2# cat mycert.crt | base64
  BASE64_ENCODED_CERTIFICATE_STRING
  bash-3.2#
  ```
- Copy the BASE64_ENCODED_CERTIFICATE_STRING value and enter it in the CA Certificate File - parsed into Base64 String parameter value field in the Google SecOps Active Directory integration configuration.
- To configure the Server parameter in the Google SecOps Active Directory integration configuration, enter the hostname of your Active Directory server, not the IP address.
- Click Test to test the configuration.
Integration parameters
The Active Directory integration requires the following parameters:
| Parameter | Description | 
|---|---|
| Server | Required. The hostname, DNS name, or IP address of the Active Directory server. The integration communicates using the LDAP protocol. You can use a custom port by appending it to the address (such as,  By default, the integration uses port 636 when SSL/TLS is enabled and port 389 when it's disabled. | 
| Username | Required. The email address of the user to connect to Active Directory, such as  This parameter also accepts the  |
| Domain | Required. The full DNS path to your domain within the network namespace. To configure this parameter, enter the fully qualified domain name (FQDN) of your domain in the following format:  example.local, the FQDN to enter is example.local. If your internal Active Directory domain is corp.example.com, the FQDN to enter is corp.example.com. |
| Password | Required. The password for the user account. |
| Custom Query Fields | Optional. Custom fields of the Active Directory integration, such as  |
| CA Certificate File - parsed into Base64 String | Optional. The CA certificate file string encoded into the base64 format that you obtained when configuring the CA certificate. To configure this parameter, enter the full BASE64_ENCODED_CERTIFICATE_STRING value. |
| Use SSL | Optional. If selected, the integration validates the SSL certificate when connecting to the Active Directory server. The integration uses secure LDAPS (port 636) when selected. If not selected, it uses standard LDAP (port 389). Not selected by default. | 
For instructions about how to configure an integration in Google SecOps, see Configure integrations.
You can make changes at a later stage, if needed. After you configure an integration instance, you can use it in playbooks. For more information about how to configure and support multiple instances, see Supporting multiple instances.
Actions
For more information about actions, see Respond to pending actions from Your Workdesk and Perform a manual action.
Add User to Group
Use the Add User to Group action to add a user to groups.
This action runs on the Google SecOps User entity.
Action inputs
The Add User to Group action requires the following parameters:
| Parameter | Description | 
|---|---|
| Group Name | Required. A comma-separated list of groups to add users to. | 
Action outputs
The Add User to Group action provides the following outputs:
| Action output type | Availability | 
|---|---|
| Case wall attachment | Not available | 
| Case wall link | Not available | 
| Case wall table | Not available | 
| Enrichment table | Not available | 
| JSON result | Not available | 
| Output messages | Available | 
| Script result | Available | 
Output messages
The Add User to Group action can return the following output messages:
| Output message | Message description | 
|---|---|
|           | The action succeeded. | 
| Error executing action "Add User to Group". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Add User to Group action:
| Script result name | Value |
|---|---|
| is_success | True or False |
Change Host OU
Use the Change Host OU action to change the organizational unit (OU) of a host.
This action runs on the Google SecOps Hostname entity.
Action inputs
The Change Host OU action requires the following parameters:
| Parameter | Description | 
|---|---|
| OU Name | Required. The name of the new user OU. | 
Action outputs
The Change Host OU action provides the following outputs:
| Action output type | Availability | 
|---|---|
| Case wall attachment | Not available | 
| Case wall link | Not available | 
| Case wall table | Not available | 
| Enrichment table | Not available | 
| JSON result | Not available | 
| Script result | Available | 
Script result
The following table lists the value for the script result output when using the Change Host OU action:
| Script result name | Value |
|---|---|
| is_success | True or False |
Change User OU
Use the Change User OU action to change the organizational unit (OU) of a user.
This action runs on the Google SecOps User entity.
Action inputs
The Change User OU action requires the following parameters:
| Parameter | Description | 
|---|---|
| OU Name | Required. The name of the new user OU. | 
Action outputs
The Change User OU action provides the following outputs:
| Action output type | Availability | 
|---|---|
| Case wall attachment | Not available | 
| Case wall link | Not available | 
| Case wall table | Not available | 
| Enrichment table | Not available | 
| JSON result | Not available | 
| Script result | Available | 
Script result
The following table lists the value for the script result output when using the Change User OU action:
| Script result name | Value |
|---|---|
| is_success | True or False |
Disable Account
Use the Disable Account action to disable a user account.
This action runs on the Google SecOps User entity.
Action inputs
None.
Action outputs
The Disable Account action provides the following outputs:
| Action output type | Availability | 
|---|---|
| Case wall attachment | Not available | 
| Case wall link | Not available | 
| Case wall table | Not available | 
| Enrichment table | Not available | 
| JSON result | Not available | 
| Script result | Available | 
Script result
The following table lists the value for the script result output when using the Disable Account action:
| Script result name | Value |
|---|---|
| is_success | True or False |
Disable Computer
Use the Disable Computer action to disable a computer account.
This action runs on the Google SecOps Hostname entity.
Action inputs
None.
Action outputs
The Disable Computer action provides the following outputs:
| Action output type | Availability | 
|---|---|
| Case wall attachment | Not available | 
| Case wall link | Not available | 
| Case wall table | Not available | 
| Enrichment table | Not available | 
| JSON result | Not available | 
| Script result | Available | 
Script result
The following table lists the value for the script result output when using the Disable Computer action:
| Script result name | Value |
|---|---|
| is_success | True or False |
Enable Account
Use the Enable Account action to enable a user account.
This action runs on the Google SecOps User entity.
Action inputs
None.
Action outputs
The Enable Account action provides the following outputs:
| Action output type | Availability | 
|---|---|
| Case wall attachment | Not available | 
| Case wall link | Not available | 
| Case wall table | Not available | 
| Enrichment table | Not available | 
| JSON result | Not available | 
| Script result | Available | 
Script result
The following table lists the value for the script result output when using the Enable Account action:
| Script result name | Value |
|---|---|
| is_success | True or False |
Enable Computer
Use the Enable Computer action to enable a computer account.
This action runs on the Google SecOps Hostname entity.
Action inputs
None.
Action outputs
The Enable Computer action provides the following outputs:
| Action output type | Availability | 
|---|---|
| Case wall attachment | Not available | 
| Case wall link | Not available | 
| Case wall table | Not available | 
| Enrichment table | Not available | 
| JSON result | Not available | 
| Script result | Available | 
Script result
The following table lists the value for the script result output when using the Enable Computer action:
| Script result name | Value |
|---|---|
| is_success | True or False |
Enrich Entities
Use the Enrich Entities action to enrich the Hostname or Username entities with Active Directory properties.
This action is asynchronous. Adjust the script timeout value in the Google SecOps IDE for the action, if needed.
The Enrich Entities action runs on the following Google SecOps entities:
- User
- Hostname
Action inputs
The Enrich Entities action requires the following parameters:
| Parameter | Description | 
|---|---|
| Mark entities as internal | Required. If selected, the action automatically marks the successfully enriched entities as internal entities. | 
| Specific Attribute Names To Enrich With | Optional. A comma-separated list of attribute names to enrich the entities with. If you don't set any value, the action enriches entities with all available attributes. If an attribute contains multiple values, the action enriches the attribute with all available values. This parameter is case sensitive. | 
| Should Case Wall table be filtered by the specified attributes? | Optional. If selected, the action populates the case wall table only with attributes that you specified in the  Not selected by default. |
| Should JSON result be filtered by the specified attributes? | Optional. If selected, the JSON result returns only attributes that you specified in the  Not selected by default. |
Action outputs
The Enrich Entities action provides the following outputs:
| Action output type | Availability | 
|---|---|
| Case wall attachment | Not available | 
| Case wall link | Not available | 
| Case wall table | Not available | 
| Entity enrichment table | Available | 
| JSON result | Available | 
| Script result | Available | 
Entity enrichment
The Enrich Entities action supports the following entity enrichment:
| Enrichment field name | Logic | 
|---|---|
| AD_primaryGroupID | The action returns the value if it exists in the JSON result. | 
| AD_logonCount | The action returns the value if it exists in the JSON result. | 
| AD_cn | The action returns the value if it exists in the JSON result. | 
| AD_countryCode | The action returns the value if it exists in the JSON result. | 
| AD_objectClass | The action returns the value if it exists in the JSON result. | 
| AD_userPrincipalName | The action returns the value if it exists in the JSON result. | 
| AD_adminCount | The action returns the value if it exists in the JSON result. | 
| AD_lastLogonTimestamp | The action returns the value if it exists in the JSON result. | 
| AD_manager | The action returns the value if it exists in the JSON result. | 
| AD_instanceType | The action returns the value if it exists in the JSON result. | 
| AD_distinguishedName | The action returns the value if it exists in the JSON result. | 
| AD_dSCorePropagationData | The action returns the value if it exists in the JSON result. | 
| AD_msDS-SupportedEncryptionTypes | The action returns the value if it exists in the JSON result. | 
| AD_objectSid | The action returns the value if it exists in the JSON result. | 
| AD_whenCreated | The action returns the value if it exists in the JSON result. | 
| AD_uSNCreated | The action returns the value if it exists in the JSON result. | 
| AD_lockoutTime | The action returns the value if it exists in the JSON result. | 
| AD_badPasswordTime | The action returns the value if it exists in the JSON result. | 
| AD_pwdLastSet | The action returns the value if it exists in the JSON result. | 
| AD_sAMAccountName | The action returns the value if it exists in the JSON result. | 
| AD_objectCategory | The action returns the value if it exists in the JSON result. | 
| AD_lastLogon | The action returns the value if it exists in the JSON result. | 
| AD_objectGUID | The action returns the value if it exists in the JSON result. | 
| AD_whenChanged | The action returns the value if it exists in the JSON result. | 
| AD_badPwdCount | The action returns the value if it exists in the JSON result. | 
| AD_accountExpires | The action returns the value if it exists in the JSON result. | 
| AD_displayName | The action returns the value if it exists in the JSON result. | 
| AD_name | The action returns the value if it exists in the JSON result. | 
| AD_memberOf | The action returns the value if it exists in the JSON result. | 
| AD_codePage | The action returns the value if it exists in the JSON result. | 
| AD_userAccountControl | The action returns the value if it exists in the JSON result. | 
| AD_sAMAccountType | The action returns the value if it exists in the JSON result. | 
| AD_uSNChanged | The action returns the value if it exists in the JSON result. | 
| AD_sn | The action returns the value if it exists in the JSON result. | 
| AD_givenName | The action returns the value if it exists in the JSON result. | 
| AD_lastLogoff | The action returns the value if it exists in the JSON result. | 
JSON result
The following example shows the JSON result output received when using the Enrich Entities action:

```json
[
  {
    "EntityResult": {
      "primaryGroupID": [513],
      "logonCount": [6505],
      "cn": ["user name"],
      "countryCode": [0],
      "objectClass": ["top", "person", "organizationalPerson"],
      "userPrincipalName": ["user@example.com"],
      "adminCount": [1],
      "lastLogonTimestamp": ["2019-01-09 08:42:03.540783+00:00"],
      "manager": ["CN=user name,OU=R&D,OU=TLV,OU=host name,DC=domain,DC=LOCAL"],
      "instanceType": [4],
      "distinguishedName": ["CN=user name,OU=R&D,OU=TLV,OU=host,DC=domain,DC=LOCAL"],
      "dSCorePropagationData": ["2019-01-14 14:39:16+00:00"],
      "msDS-SupportedEncryptionTypes": [0],
      "objectSid": ["ID"],
      "whenCreated": ["2011-11-07 08:00:44+00:00"],
      "uSNCreated": [7288202],
      "lockoutTime": ["1601-01-01 00:00:00+00:00"],
      "badPasswordTime": ["date"],
      "pwdLastSet": ["date"],
      "sAMAccountName": ["example"],
      "objectCategory": ["CN=Person,CN=Schema,CN=Configuration,DC=host,DC=LOCAL"],
      "lastLogon": ["2019-01-14 17:13:54.463070+00:00"],
      "objectGUID": ["GUID"],
      "whenChanged": ["2019-01-14 16:49:01+00:00"],
      "badPwdCount": [1],
      "accountExpires": ["9999-12-31 23:59:59.999999"],
      "displayName": ["example user"],
      "name": ["user"],
      "memberOf": [
        "CN=\\\\u05e7\\\\u05d1\\\\u05d5\\\\u05e6\\\\u05d4 \\\\u05d1\\\\u05e2\\\\u05d1\\\\u05e8\\\\u05d9\\\\u05ea,OU=TEST,OU=QA,OU=IT,OU=TLV,OU=host,DC=domain,DC=LOCAL",
        "CN=Organization Management,OU=Microsoft Exchange Security Groups,DC=domain,DC=LOCAL",
        "CN=Local Admin,OU=Groups,OU=IT,OU=TLV,OU=host,DC=domain,DC=LOCAL"
      ],
      "codePage": [0],
      "userAccountControl": [111],
      "sAMAccountType": [805306368],
      "uSNChanged": [15301168],
      "sn": ["example"],
      "givenName": ["user"],
      "lastLogoff": ["1601-01-01 00:00:00+00:00"]
    },
    "Entity": "user@example.com"
  }
]
```
Script result
The following table lists the value for the script result output when using the Enrich Entities action:
| Script result name | Value |
|---|---|
| is_success | True or False |
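Because every attribute in the Enrich Entities JSON result is a list and unset attributes are simply absent, a playbook step that consumes the result has to unwrap values and tolerate gaps. The following Python code is an added example, not code from the integration or the original page: it turns a result of that shape into triage facts (decoded userAccountControl flags, lock state, privileged group membership, days since last logon). The sample data, the `PRIVILEGED_GROUPS` watchlist and all function names are assumptions made for illustration.

```python
import json
import re
from datetime import datetime, timezone

# Subset of the documented userAccountControl bit flags.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}

# Hypothetical watchlist (assumption): use the groups that matter in your domain.
PRIVILEGED_GROUPS = {"Domain Admins", "Organization Management", "Local Admin"}

# Constructed sample in the shape of the Enrich Entities JSON result.
SAMPLE_RESULT = json.loads("""
[
  {"Entity": "user@example.com",
   "EntityResult": {
     "adminCount": [1],
     "userAccountControl": [66050],
     "lockoutTime": ["1601-01-01 00:00:00+00:00"],
     "lastLogonTimestamp": ["2019-01-09 08:42:03.540783+00:00"],
     "pwdLastSet": ["date"],
     "memberOf": [
       "CN=Organization Management,OU=Microsoft Exchange Security Groups,DC=domain,DC=LOCAL",
       "CN=Local Admin,OU=Groups,OU=IT,OU=TLV,OU=host,DC=domain,DC=LOCAL"
     ]}},
  {"Entity": "svc@example.com",
   "EntityResult": {"userAccountControl": [512]}}
]
""")
SAMPLE_NOW = datetime(2019, 1, 14, tzinfo=timezone.utc)  # constructed "current time"


def first(attrs, name):
    """Unwrap a list-valued attribute; return None when it is absent or empty."""
    values = attrs.get(name) or []
    return values[0] if values else None


def parse_time(value):
    """Return an aware datetime, or None for missing, unparsable or 'never' values."""
    if not value or str(value).startswith("1601-01-01"):
        return None  # 1601-01-01 is the zero FILETIME, i.e. the attribute was never set
    try:
        parsed = datetime.fromisoformat(str(value))
    except ValueError:
        return None  # e.g. the placeholder string "date"
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def group_cn(dn):
    """Extract the CN of a distinguished name, honouring escaped commas."""
    first_rdn = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
    key, _, value = first_rdn.partition("=")
    return value if key.upper() == "CN" else first_rdn


def summarize(entry, now, watchlist=PRIVILEGED_GROUPS):
    """Reduce one result entry to the facts an analyst checks first."""
    attrs = entry.get("EntityResult") or {}
    uac = int(first(attrs, "userAccountControl") or 0)
    last_logon = parse_time(first(attrs, "lastLogonTimestamp"))
    groups = [group_cn(dn) for dn in attrs.get("memberOf") or []]
    return {
        "entity": entry.get("Entity"),
        "uac_flags": [name for bit, name in sorted(UAC_FLAGS.items()) if uac & bit],
        "locked": parse_time(first(attrs, "lockoutTime")) is not None,
        "admin_count": first(attrs, "adminCount") == 1,
        "privileged_groups": [g for g in groups if g in watchlist],
        "days_since_logon": (now - last_logon).days if last_logon else None,
    }


def triage(results, now):
    """Summarize every entity in an Enrich Entities JSON result."""
    return [summarize(entry, now) for entry in results]


if __name__ == "__main__":
    for row in triage(SAMPLE_RESULT, SAMPLE_NOW):
        print(row)
```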
Force Password Update
Use the Force Password Update action to require a user to change their password upon the following sign-in.
This action runs on the Google SecOps User entity.
Action inputs
None.
Action outputs
The Force Password Update action provides the following outputs:
| Action output type | Availability | 
|---|---|
| Case wall attachment | Not available | 
| Case wall link | Not available | 
| Case wall table | Not available | 
| Enrichment table | Not available | 
| JSON result | Not available | 
| Script result | Available | 
Script result
The following table lists the value for the script result output when using the Force Password Update action:
| Script result name | Value |
|---|---|
| is_success | True or False |
Get Group Members
Use the Get Group Members action to retrieve the members of a specified Active Directory group.
This action supports retrieving both the user and hostname members and supports searching within nested groups.
Action inputs
The Get Group Members action requires the following parameters:
| Parameter | Description | 
|---|---|
| Group Name | Required. The name of the group that contains the listed members. | 
| Members Type | Required. The member type of the group. The default value is  | 
| Perform Nested Search | Optional. If selected, the action retrieves additional details about the groups that are a part of the main group. Not selected by default. | 
| Limit | Required. The maximum number of listings to retrieve from Active Directory. The default value is 100. | 
Action outputs
The Get Group Members action provides the following outputs:
| Action output type | Availability | 
|---|---|
| Case wall attachment | Not available | 
| Case wall link | Not available | 
| Case wall table | Not available | 
| Enrichment table | Not available | 
| JSON result | Available | 
| Script result | Available | 
JSON result
The following example shows the JSON result output received when using the Get Group Members action:

```json
[
  {
    "cn": "Example User1",
    "displayName": "Example User1",
    "distinguishedName": "CN=Example User1,OU=User Accounts,DC=example,DC=local"
  },
  {
    "cn": "Example User2",
    "displayName": "Example User2",
    "distinguishedName": "CN=Example User2,CN=Users,DC=example,DC=local"
  },
  {
    "cn": "Example User3",
    "displayName": "Example User3",
    "distinguishedName": "CN=Example User3,CN=Users,DC=example,DC=local"
  }
]
```
Script result
The following table lists the value for the script result output when using the Get Group Members action:
| Script result name | Value |
|---|---|
| is_success | True or False |
Get Manager Contact Details
Use the Get Manager Contact Details action to obtain the manager contact details from Active Directory.
This action runs on the Google SecOps User entity.
Action inputs
None.
Action outputs
The Get Manager Contact Details action provides the following outputs:
| Action output type | Availability | 
|---|---|
| Case wall attachment | Not available | 
| Case wall link | Not available | 
| Case wall table | Not available | 
| Entity enrichment table | Available | 
| JSON result | Available | 
| Output messages | Available | 
| Script result | Available | 
Entity enrichment
The Get Manager Contact Details action supports the following entity enrichment:
| Enrichment field name | Logic | 
|---|---|
| AD_Manager_Name | The action returns the value if it exists in the JSON result. | 
| AD_Manager_phone | The action returns the value if it exists in the JSON result. | 
| AD_primaryGroupID | The action returns the value if it exists in the JSON result. | 
| AD_logonCount | The action returns the value if it exists in the JSON result. | 
| AD_cn | The action returns the value if it exists in the JSON result. | 
| AD_countryCode | The action returns the value if it exists in the JSON result. | 
| AD_objectClass | The action returns the value if it exists in the JSON result. | 
| AD_userPrincipalName | The action returns the value if it exists in the JSON result. | 
| AD_adminCount | The action returns the value if it exists in the JSON result. | 
| AD_lastLogonTimestamp | The action returns the value if it exists in the JSON result. | 
| AD_manager | The action returns the value if it exists in the JSON result. | 
| AD_instanceType | The action returns the value if it exists in the JSON result. | 
| AD_distinguishedName | The action returns the value if it exists in the JSON result. | 
| AD_dSCorePropagationData | The action returns the value if it exists in the JSON result. | 
| AD_msDS-SupportedEncryptionTypes | The action returns the value if it exists in the JSON result. | 
| AD_objectSid | The action returns the value if it exists in the JSON result. | 
| AD_whenCreated | The action returns the value if it exists in the JSON result. | 
| AD_uSNCreated | The action returns the value if it exists in the JSON result. | 
| AD_lockoutTime | The action returns the value if it exists in the JSON result. | 
| AD_badPasswordTime | The action returns the value if it exists in the JSON result. | 
| AD_pwdLastSet | The action returns the value if it exists in the JSON result. | 
| AD_sAMAccountName | The action returns the value if it exists in the JSON result. | 
| AD_objectCategory | The action returns the value if it exists in the JSON result. | 
| AD_lastLogon | The action returns the value if it exists in the JSON result. | 
| AD_objectGUID | The action returns the value if it exists in the JSON result. | 
| AD_whenChanged | The action returns the value if it exists in the JSON result. | 
| AD_badPwdCount | The action returns the value if it exists in the JSON result. | 
| AD_accountExpires | The action returns the value if it exists in the JSON result. | 
| AD_displayName | The action returns the value if it exists in the JSON result. | 
| AD_name | The action returns the value if it exists in the JSON result. | 
| AD_memberOf | The action returns the value if it exists in the JSON result. | 
| AD_codePage | The action returns the value if it exists in the JSON result. | 
| AD_userAccountControl | The action returns the value if it exists in the JSON result. | 
| AD_sAMAccountType | The action returns the value if it exists in the JSON result. | 
| AD_uSNChanged | The action returns the value if it exists in the JSON result. | 
| AD_sn | The action returns the value if it exists in the JSON result. | 
| AD_givenName | The action returns the value if it exists in the JSON result. | 
| AD_lastLogoff | The action returns the value if it exists in the JSON result. | 
JSON result
The following example shows the JSON result output received when using the Get Manager Contact Details action:

```json
[
  {
    "EntityResult": {
      "primaryGroupID": [513],
      "logonCount": [6505],
      "cn": ["user name"],
      "countryCode": [0],
      "objectClass": ["top", "person", "organizationalPerson"],
      "userPrincipalName": ["user@example.com"],
      "adminCount": [1],
      "lastLogonTimestamp": ["2019-01-09 08:42:03.540783+00:00"],
      "manager": ["CN=user name,OU=R&D,OU=TLV,OU=host name,DC=domain,DC=LOCAL"],
      "instanceType": [4],
      "distinguishedName": ["CN=user name,OU=R&D,OU=TLV,OU=host,DC=domain,DC=LOCAL"],
      "dSCorePropagationData": ["2019-01-14 14:39:16+00:00"],
      "msDS-SupportedEncryptionTypes": [0],
      "objectSid": ["ID"],
      "whenCreated": ["2011-11-07 08:00:44+00:00"],
      "uSNCreated": [7288202],
      "lockoutTime": ["1601-01-01 00:00:00+00:00"],
      "badPasswordTime": ["date"],
      "pwdLastSet": ["date"],
      "sAMAccountName": ["example"],
      "objectCategory": ["CN=Person,CN=Schema,CN=Configuration,DC=host,DC=LOCAL"],
      "lastLogon": ["2019-01-14 17:13:54.463070+00:00"],
      "objectGUID": ["{id}"],
      "whenChanged": ["2019-01-14 16:49:01+00:00"],
      "badPwdCount": [1],
      "accountExpires": ["9999-12-31 23:59:59.999999"],
      "displayName": ["example"],
      "name": ["user"],
      "memberOf": [
        "CN= u05e7 u05d1 u05d5 u05e6 u05d4  u05d1 u05e2 u05d1 u05e8 u05d9 u05ea,OU=TEST,OU=QA,OU=IT,OU=TLV,OU=host,DC=domain,DC=LOCAL",
        "CN=Organization Management,OU=Microsoft Exchange Security Groups,DC=domain,DC=LOCAL",
        "CN=Local Admin,OU=Groups,OU=IT,OU=TLV,OU=host,DC=domain,DC=LOCAL"
      ],
      "codePage": [0],
      "userAccountControl": [111],
      "sAMAccountType": [805306368],
      "uSNChanged": [15301168],
      "sn": ["example"],
      "givenName": ["user"],
      "lastLogoff": ["1601-01-01 00:00:00+00:00"]
    },
    "Entity": "user@example.com"
  }
]
```
Output messages
The Ping action can return the following output messages:
| Output message | Message description | 
|---|---|
|       | The action succeeded. | 
| Error executing action "Get Manager Contact Details". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Get Manager Contact Details action:
| Script result name | Value |
|---|---|
| is_success | True or False |
Is User in Group
Use the Is User in Group action to check if the user is a member of a specific group.
This action runs on the Google SecOps User entity.
Action inputs
The Is User in Group action requires the following parameters:
| Parameter | Description | 
|---|---|
| Group Name | Required. The group name to check, such as  | 
Action outputs
The Is User in Group action provides the following outputs:
| Action output type | Availability | 
|---|---|
| Case wall attachment | Not available | 
| Case wall link | Not available | 
| Case wall table | Not available | 
| Enrichment table | Not available | 
| JSON result | Available | 
| Script result | Available | 
JSON result
The following example shows the JSON result output received when using the Is User in Group action:

```json
[
  {
    "EntityResult": true,
    "Entity": "USER1@EXAMPLE.COM"
  },
  {
    "EntityResult": false,
    "Entity": "USER2@EXAMPLE.COM"
  },
  {
    "EntityResult": true,
    "Entity": "USER3@EXAMPLE.COM"
  }
]
```
Script result
The following table lists the value for the script result output when using the Is User in Group action:
| Script result name | Value |
|---|---|
| is_success | True or False |
List User Groups
Use the List User Groups action to obtain a list of all user groups that are available in Active Directory.
This action runs on the Google SecOps User entity.
Action inputs
None.
Action outputs
The List User Groups action provides the following outputs:
| Action output type | Availability | 
|---|---|
| Case wall attachment | Not available | 
| Case wall link | Not available | 
| Case wall table | Not available | 
| Enrichment table | Not available | 
| JSON result | Available | 
| Script result | Available | 
JSON result
The following example shows the JSON result output received when using the List User Groups action:

```json
[
  {
    "EntityResult": ["Domain Users"],
    "Entity": "user@example.com"
  }
]
```
Script result
The following table lists the value for the script result output when using the List User Groups action:
| Script result name | Value |
|---|---|
| is_success | True or False |
Ping
Use the Ping action to test the connectivity to Active Directory.
This action runs on all Google SecOps entities.
Action inputs
None.
Action outputs
The Ping action provides the following outputs:
| Action output type | Availability | 
|---|---|
| Case wall attachment | Not available | 
| Case wall link | Not available | 
| Case wall table | Not available | 
| Enrichment table | Not available | 
| JSON result | Not available | 
| Script result | Available | 
Script result
The following table lists the value for the script result output when using the Ping action:
| Script result name | Value |
|---|---|
| is_success | True or False |
Release Locked Account
Use the Release Locked Account action to unblock a locked account.
This action runs on the Google SecOps User entity.
Action inputs
None.
Action outputs
The Release Locked Account action provides the following outputs:
| Action output type | Availability | 
|---|---|
| Case wall attachment | Not available | 
| Case wall link | Not available | 
| Case wall table | Not available | 
| Enrichment table | Not available | 
| JSON result | Not available | 
| Script result | Available | 
Script result
The following table lists the value for the script result output when using the Release Locked Account action:
| Script result name | Value |
|---|---|
| is_success | True or False |
Remove User From Group
Use the Remove User From Group action to remove the user from groups.
This action runs on the Google SecOps User entity.
Action inputs
The Remove User From Group action requires the following parameters:
| Parameter | Description | 
|---|---|
| Group Name | Required. A comma-separated list of groups to remove the users from. | 
Action outputs
The Remove User From Group action provides the following outputs:
| Action output type | Availability | 
|---|---|
| Case wall attachment | Not available | 
| Case wall link | Not available | 
| Case wall table | Not available | 
| Enrichment table | Not available | 
| JSON result | Not available | 
| Output messages | Available | 
| Script result | Available | 
Output messages
The Remove User From Group action can return the following output messages:
| Output message | Message description |
|---|---|
|           | The action succeeded. |
| Error executing action "Remove User From Group". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Remove User From Group action:
| Script result name | Value |
|---|---|
| is_success | True or False |
Search Active Directory
Use the Search Active Directory action to search Active Directory using a specified query.
This action doesn't run on Google SecOps entities.
Action inputs
The Search Active Directory action requires the following parameters:
| Parameter | Description | 
|---|---|
| Query String | Required. The query string to execute in Active Directory. | 
| Limit | Optional. The maximum number of listings to retrieve from Active Directory. | 
Action outputs
The Search Active Directory action provides the following outputs:
| Action output type | Availability | 
|---|---|
| Case wall attachment | Not available | 
| Case wall link | Not available | 
| Case wall table | Not available | 
| Enrichment table | Not available | 
| JSON result | Available | 
| Output messages | Available | 
| Script result | Available | 
JSON result
The following example shows the JSON result output received when using the Search Active Directory action:
[
  {
    "primaryGroupID": [513],
    "logonCount": [6505],
    "cn": ["user name"],
    "countryCode": [0],
    "objectClass": ["top", "person", "organizationalPerson"],
    "userPrincipalName": ["user@example.com"],
    "adminCount": [1],
    "lastLogonTimestamp": ["2019-01-09 08:42:03.540783+00:00"],
    "manager": ["CN=user name,OU=R&D,OU=TLV,OU=host name,DC=domain,DC=LOCAL"],
    "instanceType": [4],
    "distinguishedName": ["CN=user name,OU=R&D,OU=TLV,OU=host,DC=domain,DC=LOCAL"],
    "dSCorePropagationData": ["2019-01-14 14:39:16+00:00"],
    "msDS-SupportedEncryptionTypes": [0],
    "objectSid": ["ID"],
    "whenCreated": ["2011-11-07 08:00:44+00:00"],
    "uSNCreated": [7288202],
    "lockoutTime": ["1601-01-01 00:00:00+00:00"],
    "badPasswordTime": ["date"],
    "pwdLastSet": ["date"],
    "sAMAccountName": ["example"],
    "objectCategory": ["CN=Person,CN=Schema,CN=Configuration,DC=host,DC=LOCAL"],
    "lastLogon": ["2019-01-14 17:13:54.463070+00:00"],
    "objectGUID": ["GUID"],
    "whenChanged": ["2019-01-14 16:49:01+00:00"],
    "badPwdCount": [1],
    "accountExpires": ["9999-12-31 23:59:59.999999"],
    "displayName": ["example"],
    "name": ["user"],
    "memberOf": [
      "CN=\\\\u05e7\\\\u05d1\\\\u05d5\\\\u05e6\\\\u05d4 \\\\u05d1\\\\u05e2\\\\u05d1\\\\u05e8\\\\u05d9\\\\u05ea,OU=TEST,OU=QA,OU=IT,OU=TLV,OU=host,DC=domain,DC=LOCAL",
      "CN=Organization Management,OU=Microsoft Exchange Security Groups,DC=domain,DC=LOCAL",
      "CN=Local Admin,OU=Groups,OU=IT,OU=TLV,OU=host,DC=domain,DC=LOCAL"
    ],
    "codePage": [0],
    "userAccountControl": [111],
    "sAMAccountType": [805306368],
    "uSNChanged": [15301168],
    "sn": ["example"],
    "givenName": ["user"],
    "lastLogoff": ["1601-01-01 00:00:00+00:00"]
  }
]
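The result above returns every attribute as a list and renders unset time attributes as the 1601-01-01 epoch, so a playbook step that consumes it has to normalize both. The following Python sketch is an added example, not part of the integration's code: it reduces one result record to the fields an analyst usually checks first, and its function names and flag subset are assumptions chosen for illustration.

```python
import json
from datetime import datetime, timezone

# Trimmed copy of the page's sample result; "date" is the page's own placeholder.
SAMPLE_RESULT = json.loads("""[{
  "sAMAccountName": ["example"], "userAccountControl": [111], "adminCount": [1],
  "lockoutTime": ["1601-01-01 00:00:00+00:00"], "pwdLastSet": ["date"],
  "lastLogonTimestamp": ["2019-01-09 08:42:03.540783+00:00"],
  "memberOf": ["CN=Local Admin,OU=Groups,OU=IT,OU=TLV,OU=host,DC=domain,DC=LOCAL"]
}]""")

# Subset of the userAccountControl bit flags documented by Microsoft.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}
AD_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # rendered when the raw value is 0

def first(record, attr, default=None):
    """Every attribute arrives as a list; return its first value."""
    values = record.get(attr) or [default]
    return values[0]

def parse_time(value):
    """Aware datetime, or None for missing, placeholder or 1601-epoch values."""
    try:
        ts = datetime.fromisoformat(str(value))
    except ValueError:
        return None
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return None if ts == AD_EPOCH else ts

def triage(record):
    """Reduce one search result to the fields an analyst checks first."""
    uac = int(first(record, "userAccountControl", 0))
    return {
        "account": first(record, "sAMAccountName"),
        "uac_flags": [name for bit, name in UAC_FLAGS.items() if uac & bit],
        "admin_count_set": first(record, "adminCount", 0) == 1,  # is or was in a protected group
        "lockout_time": parse_time(first(record, "lockoutTime")),
        "password_last_set": parse_time(first(record, "pwdLastSet")),
        "last_logon": parse_time(first(record, "lastLogonTimestamp")),
        # Naive split: a CN that contains an escaped comma needs a real DN parser.
        "groups": [dn.split(",", 1)[0].split("=", 1)[-1] for dn in record.get("memberOf", [])],
    }
```

Call `triage()` on each element of the JSON result; a `lockout_time` of `None` means the directory holds no lockout timestamp for the account.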
 
 
Output messages
The Search Active Directory action can return the following output messages:
| Output message | Message description |
|---|---|
|     | The action succeeded. |
| Error executing action "Search Active Directory". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Search Active Directory action:
| Script result name | Value |
|---|---|
| is_success | True or False |
Set User Password
Use the Set User Password action to configure the user password.
This action runs on the Google SecOps User entity.
Action inputs
The Set User Password action requires the following parameters:
| Parameter | Description | 
|---|---|
| New Password | Required. A new password value. | 
Action outputs
The Set User Password action provides the following outputs:
| Action output type | Availability | 
|---|---|
| Case wall attachment | Not available | 
| Case wall link | Not available | 
| Case wall table | Not available | 
| Enrichment table | Not available | 
| JSON result | Not available | 
| Script result | Available | 
Script result
The following table lists the value for the script result output when using the Set User Password action:
| Script result name | Value |
|---|---|
| is_success | True or False |
Update attributes of an AD Host
Use the Update attributes of an AD Host action to update the attributes for the current hosts in Active Directory.
This action runs on the Google SecOps Hostname entity.
Action inputs
The Update attributes of an AD Host action requires the following parameters:
| Parameter | Description | 
|---|---|
| Attribute Name | Required. The name of the attribute to update, such as  | 
| Attribute Value | Required. A new value for the attribute. | 
Action outputs
The Update attributes of an AD Host action provides the following outputs:
| Action output type | Availability | 
|---|---|
| Case wall attachment | Not available | 
| Case wall link | Not available | 
| Case wall table | Not available | 
| Enrichment table | Not available | 
| JSON result | Not available | 
| Output messages | Available | 
| Script result | Available | 
Output messages
The Update attributes of an AD Host action can return the following output messages:
| Output message | Message description |
|---|---|
|     | The action succeeded. |
| Failed to update the ATTRIBUTE_NAME for the following entities: ENTITY_ID_LIST. | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Update attributes of an AD Host action:
| Script result name | Value |
|---|---|
| is_success | True or False |
Update attributes of an AD User
Use the Update attributes of an AD User action to update the attributes for the current users in Active Directory.
This action runs on the Google SecOps User entity.
Action inputs
The Update attributes of an AD User action requires the following parameters:
| Parameter | Description | 
|---|---|
| Attribute Name | Required. The name of the attribute to update, such as  | 
| Attribute Value | Required. A new value for the attribute. | 
Action outputs
The Update attributes of an AD User action provides the following outputs:
| Action output type | Availability | 
|---|---|
| Case wall attachment | Not available | 
| Case wall link | Not available | 
| Case wall table | Not available | 
| Enrichment table | Not available | 
| JSON result | Not available | 
| Output messages | Available | 
| Script result | Available | 
Output messages
The Update attributes of an AD User action can return the following output messages:
| Output message | Message description |
|---|---|
|     | The action succeeded. |
| Failed to update the ATTRIBUTE_NAME for the following entities: ENTITY_ID_LIST. | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Update attributes of an AD User action:
| Script result name | Value |
|---|---|
| is_success | True or False |