Console
    Contact Us Start free

    Google Cloud API

    This document provides guidance to help you configure and integrate Google Cloud API with Google Security Operations SOAR.

    Integration version: 4.0

    Integrate Google Cloud API with Google SecOps SOAR

    The integration requires the following parameters:

    Parameters Description
    Test URL Optional

    A test URL for validating the authentication to the Google Cloud API. This parameter uses a GET request.
    Service Account Json File Content Optional

    The content of the service account key JSON file.

    You can configure either this parameter, the Workload Identity Email parameter, or set all the preceding integration parameters.

    To configure this parameter, provide the full content of the service account key JSON file that you have downloaded when creating a service account.

    For more information about using service accounts as an authentication method, see Service accounts overview and Service account impersonation .

    In this integration, authenticating with the service account key JSON file has a priority over the Workload identity email.
    Organization ID Optional

    The organization ID to use in the integration.

    To retrieve the value from this parameter during the action execution, set the following placeholder: {{org_id}} .
    Project ID Optional

    The project ID to use in the integration.

    To retrieve the value from this parameter during the action execution, set the following placeholder: {{project_id}} .
    Quota Project ID Optional

    The Google Cloud project ID which you use for Google Cloud APIs and billing. This parameter requires you to grant the Service Usage Consumer role to your service account.

    The integration attaches this parameter value to all API requests.

    If you do not set a value for this parameter, the integration retrieves the project ID from your Google Cloud service account.
    Workload Identity Email Optional

    The client email address of your Service Account.

    You can configure either this parameter or the Service Account Json File Content parameter.

    In this integration, authenticating with the service account key JSON file has priority over the Workload identity email.

    To impersonate service accounts with Workload identity, grant the Service Account Token Creator role to your service account. For more details about workload identities and how to work with them, see Identities for workloads .
    OAuth Scopes Optional

    A comma-separated list of OAuth scopes that are required to execute the Google Cloud API requests.
    Verify SSL Required

    If selected, the integration verifies that the SSL certificate for connecting to the Google Cloud service is valid.

    Selected by default.

    For instructions about configuring an integration in Google SecOps, see Configure integrations .

    You can make changes at a later stage if needed. After you configure an integration instance, you can use it in playbooks. For more information about configuring and supporting multiple instances, see Supporting multiple instances .

    Actions

    The Google Cloud API integration includes the following actions:

    Execute HTTP Request

    Use the Execute HTTP Requestaction to execute an HTTP request.

    This action doesn't run on Google SecOps entities.

    Action inputs

    The Execute HTTP Requestaction requires the following parameters:

    Parameter
    Description
    Method
    Optional

    A method to use in the request.

    The default value is GET .

    Possible values are:
    • GET
    • POST
    • PUT
    • PATCH
    • DELETE
    • HEAD
    • OPTIONS
    URL Path
    Optional

    A URL to execute.

    The default value is https:// .

    URL Params
    Optional

    The URL parameters.

    The action uses any value provided alongside the values that you directly provided in the URL Path parameter.

    This parameter requires the JSON object format as an input. The default value is as follows:

    {
    "URL Field Name": " URL_FIELD_VALUE 
"
    }
    Headers
    Optional

    Headers to use in the HTTP request.

    This parameter requires the JSON object format as an input. The default value is as follows:

    {
    "Content-Type": "application/json; charset=utf-8",
    "Accept": "application/json",
    "User-Agent" : "GoogleSecOps"
    }
    Cookie
    Optional

    The parameters to use in the Cookie header.

    This parameter overwrites cookies provided in the Headers parameter.

    This parameter requires the JSON object format as an input. The default value is as follows:

    {
    "Cookie_1": " COOKIE_1_VALUE 
"
    }
    Body Payload
    Optional

    A body for the HTTP request. The action constructs different payloads depending on the Content-Type header value provided in the Headers parameter.

    This parameter requires the JSON object format as an input except when a third-party product requires XML or the multipart/form-data content. If you submit or upload a file using the API request, provide the base64-encoded version of the file in the Body Payload parameter and set the header to "Content-type": "multipart/form-data" .

    The default value is as follows:

    {
    "Body Field Name": " BODY_FIELD_VALUE 
"
    }
    Expected Response Values
    Optional

    The expected response values.

    If you configure this parameter, the action works in an asynchronous mode and executes until receiving the expected values or reaching a timeout.

    Save To Case Wall
    Optional

    If selected, the action saves the file and attaches the saved file to the case wall. The file is archived with the .zip extension. The .zip file isn't password-protected.

    Not selected by default.

    Password Protect Zip
    Optional

    If selected, the action adds a password to the .zip file created using the Save To Case Wall parameter. The password is as follows: infected .

    Use this parameter when working with suspicious files.

    Selected by default.

    Follow Redirects
    Optional

    If selected, the action follows the redirects.

    Selected by default.

    Fail on 4xx/5xx
    Optional

    If selected, the action fails if the status code of the response is 4xx or 5xx errors.

    Selected by default.

    Base64 Output
    Optional

    If selected, the action converts the response to the base64 format.

    Use this parameter when downloading files.

    The JSON result cannot exceed 15 MB.

    Not selected by default.

    Fields To Return
    Required

    The fields to return. The possible values are as follows:

    • response_data
    • redirects
    • response_code
    • response_cookies
    • response_headers
    • apparent_encoding
    Request Timeout
    Required

    A period to wait for the server to send data before the action fails.

    The default value is 120 seconds.

    Action outputs

    The Execute HTTP Requestaction provides the following outputs:

    Action output type Availability
    Case wall attachment Not available
    Case wall link Not available
    Case wall table Not available
    Enrichment table Not available
    JSON result Available
    Output messages Available
    Script result Available
    JSON result

    The following example describes the JSON result output received when using the Execute HTTP Requestaction:

      { 
  
 "response_data" 
 : 
  
 { 
  
 "data" 
 : 
  
 { 
  
 "relationships" 
 : 
  
 { 
  
 "comment" 
 : 
  
 [ 
  
 { 
  
 "name" 
 : 
  
 "item" 
 , 
  
 "description" 
 : 
  
 "Object to which the comment belongs to." 
  
 }, 
  
 { 
  
 "name" 
 : 
  
 "author" 
 , 
  
 "description" 
 : 
  
 "User who wrote the comment." 
  
 } 
  
 ] 
  
 } 
  
 } 
  
 }, 
  
 "redirects" 
 : 
  
 [], 
  
 "response_code" 
 : 
  
 200 
 , 
  
 "cookies" 
 : 
  
 {}, 
  
 "response_headers" 
 : 
  
 { 
  
 "Content-Type" 
 : 
  
 "application/json" 
 , 
  
 "X-Cloud-Trace-Context" 
 : 
  
 " VALUE 
" 
 , 
  
 "Date" 
 : 
  
 "Fri, 03 Nov 2023 16:14:13 GMT" 
 , 
  
 "Server" 
 : 
  
 "Google Frontend" 
 , 
  
 "Content-Length" 
 : 
  
 "36084" 
  
 }, 
  
 "apparent_encoding" 
 : 
  
 "ascii" 
 }
    Output messages

    The Execute HTTP Requestaction provides the following output messages:

    Output message Message description

    Successfully executed API request.

    Successfully executed API request, but the status code {4xx/5xx} was returned. Please check the request or try again later.

    		The action succeeded.
    Failed to execute API request. Error: ERROR_REASON

    The action failed.

    Check the connection to the server, input parameters, or credentials.
    Script result

    The following table describes the values for the script result output when using the Execute HTTP Requestaction:

    Script result name Value
    is_success True or False

    Ping

    Use the Pingaction to test connectivity to Google Cloud.

    This action doesn't run on Google SecOps entities.

    Action inputs

    None.

    Action outputs

    The Pingaction provides the following outputs:

    Action output type Availability
    Case wall attachment Not available
    Case wall link Not available
    Case wall table Not available
    Enrichment table Not available
    JSON result Available
    Output messages Available
    Script result Available
    JSON result

    The following example describes the JSON result output received when using the Pingaction:

      { 
 "endpoint" 
 : 
  
 " TEST_URL 
" 
 }
    Output messages

    The Pingaction provides the following output messages:

    Output message Message description
    Successfully tested connectivity. The action succeeded.
    Failed to test connectivity.

    The action failed.

    Check the connection to the server, input parameters, or credentials.
    Script result

    The following table describes the values for the script result output when using the Pingaction:

    Script result name Value
    is_success True or False

    Need more help? Get answers from Community members and Google SecOps professionals.

    Design a Mobile Site
    View Site in Mobile | Classic
    Share by: