Integrate Compute Engine with Google SecOps
Integration version: 13.0
This document provides guidance on how to integrate Compute Engine with Google Security Operations (Google SecOps).
Use cases
The integration for Compute Engine helps you solve the following use cases:
- Automated incident response: use Google SecOps capabilities to automatically isolate an instance from the network using playbooks upon detecting a compromised Compute Engine instance. Isolating an instance limits the spread of the attack and reduces potential damage. An automated incident response helps you accelerate the incident response time and reduces the workload on your security team.
- Threat hunting and investigation: use Google SecOps capabilities to automate the collection of logs and security telemetry from Compute Engine instances across multiple projects. You can analyze the collected data for suspicious activity and potential threats to proactively hunt threats and speed up investigations by automating data collection.
- Vulnerability management: integrate vulnerability scanning tools with Google SecOps to automatically scan Compute Engine instances for known vulnerabilities. You can use Google SecOps capabilities to automatically generate tickets for remediation or even patch the vulnerabilities directly to reduce the risk of exploitation and improve the security posture of your organization.
- Compliance automation: use Google SecOps capabilities to automate the collection of audit logs and configuration data from Compute Engine instances and comply with regulatory requirements. You can use collected data to generate reports and dashboards for auditors to simplify compliance reporting and reduce the manual effort required to analyze data.
- Security orchestration: orchestrate security workflows across multiple Google Cloud services, including Compute Engine. For example, Google SecOps can trigger the creation of a new firewall rule in response to a security event detected on a Compute Engine instance. The security orchestration provides you with a more coordinated and automated security posture by integrating different security tools and services.
Before you begin
To use the integration, you need a custom Identity and Access Management (IAM) role and a Google Cloud service account. You can use an existing service account or create a new one.
Create and configure the IAM role
To create and configure a custom IAM role for the integration, complete the following steps:
- In the Google Cloud console, go to the IAM Roles page.
- Click Create role to create a custom role with permissions required for the integration.
- For a new custom role, provide the Title, Description, and a unique ID.
- Set the Role Launch Stage to General Availability.
- Add the following permissions to the created role:
  - compute.instances.list
  - compute.instances.start
  - compute.instances.stop
  - compute.instances.delete
  - compute.instances.setLabels
  - compute.instances.getIamPolicy
  - compute.instances.setIamPolicy
  - compute.instances.get
  - compute.zones.list
Create a service account
For guidance on creating a service account, see Create service accounts. Make sure to grant your custom IAM role to the service account under Grant this service account access to project.
If you use a service account to authenticate to Google Cloud, you can create a service account key in JSON and provide the content of the downloaded JSON file when configuring the integration parameters.
For security reasons, we recommend using a workload identity email address instead of a service account key. For more information about the workload identities, see Identities for workloads.
Integration parameters
The Compute Engine integration requires the following parameters:
Parameters | Description |
---|---|
Account Type | Optional. The type of Google Cloud account. Provide the value that is set in the The default value is |
Project ID | Optional. The project ID of the Google Cloud account. Provide the value that is set in the |
Private Key ID | Optional. The private key ID of the Google Cloud account. Provide the value that is set in the |
Private Key | Optional. The private key of the Google Cloud account. Provide the value that is set in the |
Client Email | Optional. The client email address of the Google Cloud account. Provide the value that is set in the |
Client ID | Optional. The client ID of the Google Cloud account. Provide the value that is set in the |
Auth URI | Optional. The authentication URI of the Google Cloud account. Provide the value that is set in the The default value is |
Token URI | Optional. The token URI of the Google Cloud account. Provide the value that is set in the The default value is |
Auth Provider X509 URL | Optional. The authentication provider X.509 URL of the Google Cloud account. Provide the value that is set in the The default value is |
Client X509 URL | Optional. The client X.509 URL of the Google Cloud account. Provide the value that is set in the |
User Service Account JSON | Optional. The content of the service account key JSON file. You can configure this parameter or the To configure this parameter, provide the full content of the service account key JSON file that you have downloaded when creating a service account. |
Workload Identity Email | Optional. The client email address of your Workload Identity Federation. You can configure this parameter or the To impersonate service accounts with the Workload Identity Federation, grant the |
For instructions about configuring an integration in Google SecOps, see Configure integrations.
You can make changes at a later stage if needed. After you configure an integration instance, you can use it in playbooks. For more information about configuring and supporting multiple instances, see Supporting multiple instances.
Actions
For more information about actions, see Respond to pending actions from your workdesk and Perform a manual action.
Add IP To Firewall Rule
Use the Add IP To Firewall Rule action to
This action doesn't run on Google SecOps entities.
Action inputs
The Add IP To Firewall Rule action requires the following parameters:
Parameter | Description |
---|---|
Resource Name | Optional. The full resource name of the Compute Engine instance, such as This parameter has a priority over the |
Project ID | Optional. The project name of the Compute Engine instance. If you don't set a value, the action retrieves the project name from the integration configuration. |
Firewall Rule | Optional. The name of the firewall rule to update. |
Type | Required. The type of the IP address range to add. The possible values are The default value is |
IP Ranges | Required. The list of IP address ranges to add to the firewall rule. |
Action outputs
The Add IP To Firewall Rule action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Available |
Script result | Available |
Output messages
The Add IP To Firewall Rule action can return the following output messages:
Output message | Message description |
---|---|
 | The action succeeded. |
Error executing action "AAdd IP To Firewall Rule". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Add IP To Firewall Rule action:
Script result name | Value |
---|---|
is_success | True or False |
Add Labels to Instance
Use the Add Labels to Instance action to add labels to the Compute Engine instance.
This action doesn't run on Google SecOps entities.
Action inputs
The Add Labels to Instance action requires the following parameters:
Parameters | Description |
---|---|
Resource Name | Optional. The resource name for the Compute Engine instance. This parameter has higher priority over the combination of the Provide the parameter value in the following format: |
Project ID | Optional. The name of the project for your Compute Engine instance. If you set no value for this parameter, the integration retrieves the project ID from your Google Cloud service account. |
Instance Zone | Optional. The name of an instance zone to search for instances in. |
Instance ID | Optional. The ID of the instance to start. You can retrieve the instance ID using the List Instances action. |
Instance Labels | Required. The instance label to add to an instance. To configure this parameter, set the value in the following format: This parameter accepts multiple values as a comma-separated string. |
Action outputs
The Add Labels to Instance action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example describes the JSON result output received when using the Add Labels to Instance action:
```json
{
  "id": "ID",
  "name": "operation-OPERATION_ID",
  "zone": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a",
  "operationType": "setLabels",
  "targetLink": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a/instances/INSTANCE_ID",
  "targetId": "INSTANCE_ID",
  "status": "RUNNING",
  "user": "user@example.com",
  "progress": 0,
  "insertTime": "2021-04-28T23:01:29.395-07:00",
  "startTime": "2021-04-28T23:01:29.397-07:00",
  "selfLink": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a/operations/operation-OPERATION_ID",
  "kind": "compute#operation"
}
```
Output messages
The Add Labels to Instance action can return the following output messages:
Output message | Message description |
---|---|
 | Action succeeded. |
Error executing action "Add Labels to Instance". Reason: ERROR_REASON | Action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Add Labels to Instance action:
Script result name | Value |
---|---|
is_success | True or False |
Add Network Tags
Use the Add Network Tags action to add network tags to the Compute Engine instance.
This action is asynchronous. Adjust the script timeout value in the Google SecOps integrated development environment (IDE) for the action as needed.
This action doesn't run on Google SecOps entities.
Action inputs
The Add Network Tags action requires the following parameters:
Parameter | Description |
---|---|
Resource Name | Optional. The full resource name of the Compute Engine instance, such as This parameter has a priority over the |
Project ID | Optional. The project name of the Compute Engine instance. If you don't set a value, the action retrieves the project name from the integration configuration. |
Instance Zone | Optional. The zone name of the Compute Engine instance. This parameter is required if you configure the Compute Engine instance using the |
Instance ID | Optional. The Compute Engine instance ID. This parameter is required if you configure the Compute Engine instance using the |
Network Tags | Required. A comma-separated list of network tags to add to the Compute Engine instance. This parameter only accepts tags that contain lowercase letters, numbers, and hyphens. |
Action outputs
The Add Network Tags action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Available |
Script result | Available |
Output messages
The Add Network Tags action can return the following output messages:
Output message | Message description |
---|---|
 | The action succeeded. |
Error executing action "Add Network Tags". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Add Network Tags action:
Script result name | Value |
---|---|
is_success | True or False |
Delete Instance
Use the Delete Instance action to delete Compute Engine instances.
This action doesn't run on Google SecOps entities.
Action inputs
The Delete Instance action requires the following parameters:
Parameters | Description |
---|---|
Resource Name | Optional. The resource name for the Compute Engine instance. This parameter has higher priority over the combination of the Provide the parameter value in the following format: |
Project ID | Optional. The name of the project for your Compute Engine instance. If you set no value for this parameter, the integration retrieves the project ID from your Google Cloud service account. |
Instance Zone | Optional. The name of an instance zone to search for instances in. |
Instance ID | Optional. The ID of the instance to start. You can retrieve the instance ID using the List Instances action. |
Action outputs
The Delete Instance action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example describes the JSON result output received when using the Delete Instance action:
```json
{
  "id": "ID",
  "name": "operation-OPERATION_ID",
  "zone": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a",
  "operationType": "delete",
  "targetLink": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a/instances/INSTANCE_ID",
  "targetId": "INSTANCE_ID",
  "status": "RUNNING",
  "user": "user@example.com",
  "progress": 0,
  "insertTime": "2021-04-28T23:01:29.395-07:00",
  "startTime": "2021-04-28T23:01:29.397-07:00",
  "selfLink": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a/operations/operation-OPERATION_ID",
  "kind": "compute#operation"
}
```
Output messages
The Delete Instance action can return the following output messages:
Output message | Message description |
---|---|
 | Action succeeded. |
 | Action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Delete Instance action:
Script result name | Value |
---|---|
is_success | True or False |
Enrich Entities
Use the Enrich Entities action to enrich Google SecOps IP Address entities with the instance information from Compute Engine.
This action doesn't run on Google SecOps entities.
Action inputs
The Enrich Entities action requires the following parameters:
Parameters | Description |
---|---|
Project ID | Optional. The name of the project for your Compute Engine instance. If you set no value for this parameter, the integration retrieves the project ID from your Google Cloud service account. |
Instance Zone | Optional. The name of an instance zone to search for instances in. |
Action outputs
The Enrich Entities action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Available |
Enrichment table | Available |
JSON result | Available |
Output messages | Available |
Script result | Available |
Case wall table
After completing execution, the Enrich Entities action provides the following table:
Table name: ENTITY Enrichment Table
Columns:
- Entity Field
- Value
Enrichment table
The Enrich Entities action supports the following entity enrichment:
Enrichment field | Source (JSON key) | Logic |
---|---|---|
Google_Compute_instance_id | id | Not available |
Google_Compute_creation_timestamp | creationTimestamp | Not available |
Google_Compute_instance_name | name | Not available |
Google_Compute_description | description | Not available |
Google_Compute_tags | tags | Provide the tags in a CSV list |
Google_Compute_machine_type | machineType | Not available |
Google_Compute_instance_status | status | Not available |
Google_Compute_instance_zone | zone | Not available |
Google_Compute_can_ip_forward | canIpForward | Not available |
Google_Compute_instance_network_interfaces_name_INDEX | networkInterfaces.name | Expand if there are more network interfaces available |
Google_Compute_instance_network_interfaces_name_access_configs_type_INDEX | networkInterfaces.accessConfigs.type | Expand if there are more network interfaces available |
Google_Compute_instance_network_interfaces_name_access_configs_name_INDEX | networkInterfaces.accessConfigs.name | Expand if there are more network interfaces available |
Google_Compute_instance_network_interfaces_name_access_configs_natIP_INDEX | networkInterfaces.accessConfigs.natIP | Expand if there are more network interfaces available |
Google_Compute_instance_metadata | metadata | CSV list of values from instance metadata |
Google_Compute_service_account_INDEX | serviceAccounts.email | Expand if there are more service accounts available |
Google_Compute_service_account_scopes_INDEX | serviceAccounts.scopes | Expand if there are more service accounts available |
Google_Compute_link_to_Google_Compute | selfLink | Not available |
Google_Compute_labels | labels | Provide a CSV list of values |
Google_Compute_instance_last_start_timestamp | lastStartTimestamp | Not available |
Google_Compute_instance_last_stop_timestamp | lastStopTimestamp | Not available |
JSON result
The following example describes the JSON result output received when using the Enrich Entities action:
```json
{
  "id": "ID",
  "creationTimestamp": "2021-04-28T21:34:57.369-07:00",
  "name": "instance-1",
  "description": "",
  "tags": {
    "fingerprint": "VALUE"
  },
  "machineType": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a/machineTypes/f1-micro",
  "status": "RUNNING",
  "zone": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a",
  "canIpForward": false,
  "networkInterfaces": [
    {
      "network": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/default",
      "subnetwork": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/subnetworks/default",
      "networkIP": "203.0.113.2",
      "name": "example",
      "accessConfigs": [
        {
          "type": "ONE_TO_ONE_NAT",
          "name": "External NAT",
          "natIP": "198.51.100.59",
          "networkTier": "PREMIUM",
          "kind": "compute#accessConfig"
        }
      ],
      "fingerprint": "VALUE",
      "kind": "compute#networkInterface"
    }
  ],
  "disks": [
    {
      "type": "PERSISTENT",
      "mode": "READ_WRITE",
      "source": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a/disks/instance-1",
      "deviceName": "instance-1",
      "index": 0,
      "boot": true,
      "autoDelete": true,
      "licenses": [
        "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/licenses/LICENSE"
      ],
      "interface": "SCSI",
      "guestOsFeatures": [
        {
          "type": "UEFI_COMPATIBLE"
        },
        {
          "type": "VIRTIO_SCSI_MULTIQUEUE"
        }
      ],
      "diskSizeGb": "10",
      "kind": "compute#attachedDisk"
    }
  ],
  "metadata": {
    "fingerprint": "VALUE",
    "kind": "compute#metadata"
  },
  "serviceAccounts": [
    {
      "email": "user@example.com",
      "scopes": [
        "https://www.googleapis.com/auth/devstorage.read_only",
        "https://www.googleapis.com/auth/logging.write",
        "https://www.googleapis.com/auth/monitoring.write",
        "https://www.googleapis.com/auth/servicecontrol",
        "https://www.googleapis.com/auth/service.management.readonly",
        "https://www.googleapis.com/auth/trace.append"
      ]
    }
  ],
  "selfLink": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a/instances/instance-1",
  "scheduling": {
    "onHostMaintenance": "MIGRATE",
    "automaticRestart": true,
    "preemptible": false
  },
  "cpuPlatform": "Intel Haswell",
  "labels": {
    "vm_test_tag": "tag1"
  },
  "labelFingerprint": "VALUE",
  "startRestricted": false,
  "deletionProtection": false,
  "reservationAffinity": {
    "consumeReservationType": "ANY_RESERVATION"
  },
  "displayDevice": {
    "enableDisplay": false
  },
  "shieldedInstanceConfig": {
    "enableSecureBoot": false,
    "enableVtpm": true,
    "enableIntegrityMonitoring": true
  },
  "shieldedInstanceIntegrityPolicy": {
    "updateAutoLearnPolicy": true
  },
  "confidentialInstanceConfig": {
    "enableConfidentialCompute": false
  },
  "fingerprint": "VALUE",
  "lastStartTimestamp": "2021-04-28T21:35:07.865-07:00",
  "kind": "compute#instance"
}
```
Output messages
The Enrich Entities action can return the following output messages:
Output message | Message description |
---|---|
 | Action succeeded. |
Error executing action "Enrich Entities". Reason: ERROR_REASON | Action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Enrich Entities action:
Script result name | Value |
---|---|
is_success | True or False |
Execute VM Patch Job
Use the Execute VM Patch Job action to execute a VM patch job on Compute Engine instances.
This action is asynchronous. Adjust the script timeout value in the Google SecOps integrated development environment (IDE) for the action as needed.
This action doesn't run on Google SecOps entities.
The Execute VM Patch Job action requires you to enable the OS Config API.
Action inputs
The Execute VM Patch Job action requires the following parameters:
Parameter | Description |
---|---|
Instance Filter Object | Required. A JSON object to set an instance filter. The default value is as follows: `{ "all": "true" }` |
Name | Required. The name for the patching job. |
Description | Optional. The description for the patching job. |
Patching Config Object | Optional. A JSON object that specifies the steps for the patching job to execute. If you don't set a value, the action patches the Compute Engine instances using the default value. To configure this parameter, use the following format: The default value is as follows: `{ "rebootConfig": "DEFAULT", "apt": { "type": "DIST" }, "yum": { "security": true }, "zypper": { "withUpdate": true }, "windowsUpdate": { "classifications": ["CRITICAL", "SECURITY"] } }` |
Patch Duration Timeout | Required. The timeout value in minutes for a patching job. The default value is |
Rollout Strategy | Optional. The rollout strategy for a patching job. The possible values are |
Disruption Budget | Required. The disruption budget for a patching job. To configure this parameter, you can use a specific number or a percentage, such as The default value is |
Wait For Completion | Required. If selected, the action waits for the patching job to complete. |
Fail If Completed With Errors | Required. If selected and the patching job status is |
Action outputs
The Execute VM Patch Job action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Available |
Script result | Available |
JSON result
The following example shows the JSON result output received when using the Execute VM Patch Job action:
```json
{
  "name": "projects/PROJECT_ID/patchJobs/JOB_ID",
  "createTime": "2024-09-24T16:00:43.354907Z",
  "updateTime": "2024-09-24T16:00:44.626050Z",
  "state": "PATCHING",
  "patchConfig": {
    "rebootConfig": "DEFAULT",
    "apt": {
      "type": "UPGRADE"
    },
    "yum": {},
    "zypper": {},
    "windowsUpdate": {}
  },
  "duration": "3600s",
  "instanceDetailsSummary": {
    "startedInstanceCount": "1"
  },
  "percentComplete": 20,
  "instanceFilter": {
    "instances": [
      "zones/us-central1-a/instances/INSTANCE_ID"
    ]
  },
  "displayName": "test",
  "rollout": {
    "mode": "ZONE_BY_ZONE",
    "disruptionBudget": {
      "percent": 25
    }
  }
}
```
Output messages
The Execute VM Patch Job action can return the following output messages:
Output message | Message description |
---|---|
 | The action succeeded. |
Error executing action "Execute VM Patch Job". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Execute VM Patch Job action:
Script result name | Value |
---|---|
is_success | True or False |
Get Instance IAM Policy
Use the Get Instance IAM Policy action to get the access control policy for a resource. If you assign no policy to the resource initially, the returned policy can be empty.
This action doesn't run on Google SecOps entities.
Action inputs
The Get Instance IAM Policy action requires the following parameters:
Parameters | Description |
---|---|
Resource Name | Optional. The resource name for the Compute Engine instance. This parameter has higher priority over the combination of the Provide the parameter value in the following format: |
Project ID | Optional. The name of the project for your Compute Engine instance. If you set no value for this parameter, the integration retrieves the project ID from your Google Cloud service account. |
Instance Zone | Optional. The name of an instance zone to search for instances in. |
Instance ID | Optional. The ID of the instance to start. You can retrieve the instance ID using the List Instances action. |
Action outputs
The Get Instance IAM Policy action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example describes the JSON result output received when using the Get Instance IAM Policy action:
```json
{
  "version": 1,
  "etag": "BwXBfsc47MI=",
  "bindings": [
    {
      "role": "roles/compute.networkViewer_withcond_2f0c00",
      "members": [
        "user:user@example.com"
      ]
    }
  ]
}
```
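One way a playbook step could review this JSON result, as an added example that is not part of the integration or of Google's documentation. The function name `review_policy`, the finding labels and the allowed-domain list are assumptions of this example, and the second sample policy is constructed.

```python
import re

# Principals that make a binding public.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# A version 1 policy cannot carry conditions, so IAM returns a conditional
# binding with "_withcond_<hash>" appended to the role name and no condition.
WITHCOND = re.compile(r"^(?P<role>.+)_withcond_[0-9a-f]+$")


def review_policy(policy, allowed_domains):
    """Return (role, member, issue) tuples for bindings that need a human look.

    policy          -- dict parsed from the action's JSON result; may be empty
    allowed_domains -- domains your organization expects (assumption)
    """
    allowed = {d.lower() for d in allowed_domains}
    findings = []
    for binding in (policy or {}).get("bindings", []):
        role = binding.get("role", "")
        match = WITHCOND.match(role)
        if match:
            # The grant is conditional, but the condition is not in this output.
            role = match.group("role")
            findings.append((role, None, "condition_not_visible"))
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append((role, member, "public_principal"))
                continue
            kind, _, ident = member.partition(":")
            if kind == "deleted":
                findings.append((role, member, "deleted_principal"))
            elif kind == "domain":
                if ident.lower() not in allowed:
                    findings.append((role, member, "outside_allowed_domains"))
            elif "@" in ident:
                if ident.rpartition("@")[2].lower() not in allowed:
                    findings.append((role, member, "outside_allowed_domains"))
    return findings


# The sample shown above on this page.
PAGE_SAMPLE = {
    "version": 1,
    "etag": "BwXBfsc47MI=",
    "bindings": [{
        "role": "roles/compute.networkViewer_withcond_2f0c00",
        "members": ["user:user@example.com"],
    }],
}

# Constructed sample with a public principal and an external user.
CONSTRUCTED_SAMPLE = {
    "version": 1,
    "bindings": [{
        "role": "roles/compute.instanceAdmin.v1",
        "members": [
            "allUsers",
            "user:alice@partner.test",
            "serviceAccount:soar@example-project.iam.gserviceaccount.com",
        ],
    }],
}

ALLOWED = {"example.com", "example-project.iam.gserviceaccount.com"}

if __name__ == "__main__":
    for sample in (PAGE_SAMPLE, CONSTRUCTED_SAMPLE, {"etag": "ACAB"}):
        print(review_policy(sample, ALLOWED))
```

An empty result for a policy without bindings matches the note above that the returned policy can be empty.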
Output messages
The Get Instance IAM Policy action can return the following output messages:
Output message | Message description |
---|---|
 | Action succeeded. |
Error executing action "Get Instance IAM Policy". Reason: ERROR_REASON | Action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Get Instance IAM Policy action:
Script result name | Value |
---|---|
is_success | True or False |
List Instances
Use the List Instances action to list Compute Engine instances based on the specified search criteria.
This action doesn't run on Google SecOps entities.
Action inputs
The List Instances action requires the following parameters:
Parameters | Description |
---|---|
Project ID | Optional. The name of the project to list instances. If you set no value for this parameter, the integration retrieves the project ID from your Google Cloud service account. |
Instance Zone | Optional. The name of an instance zone to search for instances in. |
Instance Name | Optional. The instance name to search for. This parameter accepts multiple values as a comma-separated string. |
Instance Status | Optional. The instance status to search for. This parameter accepts multiple values as a comma-separated string. |
Instance Labels | Optional. The instance label to search for. To configure this parameter, set the value in the following format: This parameter accepts multiple values as a comma-separated string. |
Max Rows to Return | Optional. The number of instances to return for a single action run. The default value is 50. |
Action outputs
The List Instances action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
Case wall table
The List Instances action provides the following table:
Table name: Google Cloud Compute Instances
Table columns:
- Instance Name
- Instance ID
- Instance Creation Time
- Instance Description
- Instance Type
- Instance Status
- Instance Labels
JSON result
The following example describes the JSON result output received when using the List Instances action:
```json
{
  "id": "projects/PROJECT_ID/zones/us-central1-a/instances",
  "items": [
    {
      "id": "ID",
      "creationTimestamp": "2021-04-28T21:34:57.369-07:00",
      "name": "instance-1",
      "description": "",
      "tags": {
        "fingerprint": "VALUE"
      },
      "machineType": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a/machineTypes/f1-micro",
      "status": "RUNNING",
      "zone": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a",
      "canIpForward": false,
      "networkInterfaces": [
        {
          "network": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/default",
          "subnetwork": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/subnetworks/default",
          "networkIP": "192.0.2.2",
          "name": "example",
          "accessConfigs": [
            {
              "type": "ONE_TO_ONE_NAT",
              "name": "External NAT",
              "natIP": "203.0.113.59",
              "networkTier": "PREMIUM",
              "kind": "compute#accessConfig"
            }
          ],
          "fingerprint": "VALUE",
          "kind": "compute#networkInterface"
        }
      ],
      "disks": [
        {
          "type": "PERSISTENT",
          "mode": "READ_WRITE",
          "source": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a/disks/instance-1",
          "deviceName": "instance-1",
          "index": 0,
          "boot": true,
          "autoDelete": true,
          "licenses": [
            "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/licenses/LICENSE"
          ],
          "interface": "SCSI",
          "guestOsFeatures": [
            {
              "type": "UEFI_COMPATIBLE"
            },
            {
              "type": "VIRTIO_SCSI_MULTIQUEUE"
            }
          ],
          "diskSizeGb": "10",
          "kind": "compute#attachedDisk"
        }
      ],
      "metadata": {
        "fingerprint": "VALUE",
        "kind": "compute#metadata"
      },
      "serviceAccounts": [
        {
          "email": "user@example.com",
          "scopes": [
            "https://www.googleapis.com/auth/devstorage.read_only",
            "https://www.googleapis.com/auth/logging.write",
            "https://www.googleapis.com/auth/monitoring.write",
            "https://www.googleapis.com/auth/servicecontrol",
            "https://www.googleapis.com/auth/service.management.readonly",
            "https://www.googleapis.com/auth/trace.append"
          ]
        }
      ],
      "selfLink": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a/instances/instance-1",
      "scheduling": {
        "onHostMaintenance": "MIGRATE",
        "automaticRestart": true,
        "preemptible": false
      },
      "cpuPlatform": "Intel Haswell",
      "labels": {
        "vm_test_tag": "tag1"
      },
      "labelFingerprint": "VALUE",
      "startRestricted": false,
      "deletionProtection": false,
      "reservationAffinity": {
        "consumeReservationType": "ANY_RESERVATION"
      },
      "displayDevice": {
        "enableDisplay": false
      },
      "shieldedInstanceConfig": {
        "enableSecureBoot": false,
        "enableVtpm": true,
        "enableIntegrityMonitoring": true
      },
      "shieldedInstanceIntegrityPolicy": {
        "updateAutoLearnPolicy": true
      },
      "confidentialInstanceConfig": {
        "enableConfidentialCompute": false
      },
      "fingerprint": "VALUE",
      "lastStartTimestamp": "2021-04-28T21:35:07.865-07:00",
      "kind": "compute#instance"
    }
  ]
}
```
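The instance JSON returned by List Instances and by Enrich Entities carries enough configuration to triage exposure before a playbook acts on an instance. The following is an added example, not code from the integration or from Google's documentation; the function names, the finding labels and the `BROAD_SCOPES` set are assumptions of this example, and the sample input is constructed in the shape shown above.

```python
# Scopes treated as overly broad for an instance service account
# (a choice made for this example, not a list from the integration).
BROAD_SCOPES = {
    "https://www.googleapis.com/auth/cloud-platform",
    "https://www.googleapis.com/auth/compute",
}

# shieldedInstanceConfig keys and the finding reported when one is off.
SHIELDED_CHECKS = (
    ("enableSecureBoot", "secure_boot_disabled"),
    ("enableVtpm", "vtpm_disabled"),
    ("enableIntegrityMonitoring", "integrity_monitoring_disabled"),
)


def iter_instances(result):
    """Yield instance dicts from either action's JSON result."""
    if isinstance(result, dict) and "items" in result:
        yield from result["items"]      # List Instances: {"items": [...]}
    elif isinstance(result, list):
        yield from result
    else:
        yield result                    # Enrich Entities: a single instance


def triage_instance(inst):
    """Return a list of finding labels for one instance dict."""
    findings = []
    # An access config with a natIP means the instance has an external address.
    for nic in inst.get("networkInterfaces", []):
        for cfg in nic.get("accessConfigs", []):
            if cfg.get("natIP"):
                findings.append("external_ip:" + cfg["natIP"])
    if inst.get("canIpForward"):
        findings.append("ip_forwarding_enabled")
    shielded = inst.get("shieldedInstanceConfig", {})
    for key, label in SHIELDED_CHECKS:
        if not shielded.get(key, False):
            findings.append(label)
    for sa in inst.get("serviceAccounts", []):
        for scope in sorted(BROAD_SCOPES.intersection(sa.get("scopes", []))):
            findings.append("broad_scope:%s:%s"
                            % (sa.get("email", "?"), scope.rsplit("/", 1)[-1]))
    return findings


def triage(result):
    """Map instance name to its findings for a whole action result."""
    return {inst.get("name", inst.get("id", "?")): triage_instance(inst)
            for inst in iter_instances(result)}


# Constructed sample, trimmed to the fields the checks read.
SAMPLE_LIST_RESULT = {
    "id": "projects/PROJECT_ID/zones/us-central1-a/instances",
    "items": [
        {
            "name": "instance-1",
            "canIpForward": False,
            "networkInterfaces": [{
                "networkIP": "192.0.2.2",
                "accessConfigs": [{"type": "ONE_TO_ONE_NAT",
                                   "natIP": "203.0.113.59"}],
            }],
            "serviceAccounts": [{
                "email": "user@example.com",
                "scopes": ["https://www.googleapis.com/auth/logging.write"],
            }],
            "shieldedInstanceConfig": {"enableSecureBoot": False,
                                       "enableVtpm": True,
                                       "enableIntegrityMonitoring": True},
        },
        {
            "name": "instance-2",
            "canIpForward": True,
            "networkInterfaces": [{"networkIP": "192.0.2.3"}],
            "serviceAccounts": [{
                "email": "user@example.com",
                "scopes": ["https://www.googleapis.com/auth/cloud-platform"],
            }],
            "shieldedInstanceConfig": {"enableSecureBoot": True,
                                       "enableVtpm": True,
                                       "enableIntegrityMonitoring": True},
        },
    ],
}

if __name__ == "__main__":
    for name, findings in triage(SAMPLE_LIST_RESULT).items():
        print(name, findings or "no findings")
```

An instance whose result has no `shieldedInstanceConfig` key is reported with all three Shielded VM findings, which is the conservative reading of a missing field.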
Output messages
On a Case Wall, the List Instances action can return the following output messages:
Output message | Message description |
---|---|
 | Action succeeded. |
Error executing action "List Instances". Reason: ERROR_REASON | Action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the List Instances action:
Script result name | Value |
---|---|
is_success | True or False |
Ping
Use the Ping action to test connectivity to Compute Engine.
This action doesn't run on Google SecOps entities.
Action inputs
None.
Action outputs
The Ping action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Available |
Script result | Available |
Output messages
On a Case Wall, the Ping action can return the following output messages:
Output message | Message description |
---|---|
Successfully connected to the Google Cloud Compute service with the provided connection parameters! | Action succeeded. |
Failed to connect to the Google Cloud Compute service! Error is ERROR_REASON | Action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Ping action:
Script result name | Value |
---|---|
is_success | True or False |
Remove External IP Addresses
Use the Remove External IP Addresses action to remove external IP addresses on a Compute Engine instance.
This action is asynchronous. Adjust the script timeout value in the Google SecOps integrated development environment (IDE), if necessary.
This action doesn't run on Google SecOps entities.
Action inputs
The Remove External IP Addresses action requires the following parameters:
Parameters | Description |
---|---|
Resource Name | Optional. The resource name for the Compute Engine instance. This parameter has higher priority over the combination of the Provide the parameter value in the following format: |
Project ID | Optional. The name of the project for your Compute Engine instance. If you set no value for this parameter, the integration retrieves the project ID from your Google Cloud service account. |
Instance Zone | Optional. The name of an instance zone to search for instances in. |
Instance ID | Optional. The ID of the instance to start. You can retrieve the instance ID using the List Instances action. |
Network Interface | Optional. A comma-separated list of network interfaces to modify. If you leave this parameter empty or provide the |
Action outputs
The Remove External IP Addresses action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example describes the JSON result output received when using the Remove External IP Addresses action:
[
  {
    "endTime": "2024-05-21T04:28:05.371-07:00",
    "id": "ID",
    "insertTime": "2024-05-21T04:28:04.176-07:00",
    "kind": "compute#operation",
    "name": "operation-OPERATION_ID",
    "operationType": "updateNetworkInterface",
    "progress": 100,
    "selfLink": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-west1-a/operations/operation-OPERATION_ID",
    "startTime": "2024-05-21T04:28:04.190-07:00",
    "status": "DONE",
    "targetId": "TARGET_ID",
    "targetLink": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-west1-a/instances/INSTANCE_ID",
    "user": "user@example.com",
    "zone": "us-west1-a",
    "networkInterface": "example"
  },
  {
    "endTime": "2024-05-21T04:28:06.549-07:00",
    "id": "2531200345768541098",
    "insertTime": "2024-05-21T04:28:05.419-07:00",
    "kind": "compute#operation",
    "name": "operation-OPERATION_ID",
    "operationType": "deleteAccessConfig",
    "progress": 100,
    "selfLink": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-west1-a/operations/operation-OPERATION_ID",
    "startTime": "2024-05-21T04:28:05.430-07:00",
    "status": "DONE",
    "targetId": "3905740668247239013",
    "targetLink": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-west1-a/instances/INSTANCE_ID",
    "user": "user@example.com",
    "zone": "us-west1-a",
    "networkInterface": "example"
  }
]
Output messages
The Remove External IP Addresses action can return the following output messages:
Output message | Message description |
---|---|
 | Action succeeded. |
 | Action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Remove External IP Addresses action:
Script result name | Value |
---|---|
is_success | True or False |
Remove IP From Firewall Rule
Use the Remove IP From Firewall Rule action to remove IP addresses from a firewall rule in a Compute Engine instance.
This action is asynchronous. Adjust the script timeout value in the Google SecOps integrated development environment (IDE) for the action as needed.
This action doesn't run on Google SecOps entities.
Action inputs
The Remove IP From Firewall Rule action requires the following parameters:
Parameter | Description |
---|---|
Resource Name | Optional. The full resource name of the Compute Engine instance, such as This parameter has a priority over the |
Project ID | Optional. The project name of the Compute Engine instance. If you don't set a value, the action retrieves the project name from the integration configuration. |
Firewall Rule | Optional. The name of the firewall rule to update. |
Type | Optional. The type of the IP address range to add. The possible values are The default value is |
IP Ranges | Required. The list of IP address ranges to add to the firewall rule. |
Action outputs
The Remove IP From Firewall Rule action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Available |
Script result | Available |
Output messages
The Remove IP From Firewall Rule action can return the following output messages:
Output message | Message description |
---|---|
 | The action succeeded. |
Error executing action "Remove IP From Firewall Rule". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Remove IP From Firewall Rule action:
Script result name | Value |
---|---|
is_success | True or False |
Remove Network Tags
Use the Remove Network Tags action to remove network tags from the Compute Engine instance.
This action is asynchronous. Adjust the script timeout value in the Google SecOps integrated development environment (IDE) for the action as needed.
This action doesn't run on Google SecOps entities.
Action inputs
The Remove Network Tags action requires the following parameters:
Parameter | Description |
---|---|
Resource Name | Optional. The full resource name of the Compute Engine instance, such as This parameter has a priority over the |
Project ID | Optional. The project name of the Compute Engine instance. If you don't set a value, the action retrieves the project name from the integration configuration. |
Instance Zone | Optional. The zone name of the Compute Engine instance. This parameter is required if you configure the Compute Engine instance using the |
Instance ID | Optional. The Compute Engine instance ID. This parameter is required if you configure the Compute Engine instance using the |
Network Tags | Required. A comma-separated list of network tags to add to the Compute Engine instance. This parameter only accepts tags that contain lowercase letters, numbers, and hyphens. |
Action outputs
The Remove Network Tags action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Available |
Script result | Available |
Output messages
The Remove Network Tags action can return the following output messages:
Output message | Message description |
---|---|
 | The action succeeded. |
Error executing action "Remove Network Tags". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Remove Network Tags action:
Script result name | Value |
---|---|
is_success | True or False |
Set Instance IAM Policy
Use the Set Instance IAM Policy action to set the access control policy for the specified resource. The policy that you provide in the action replaces any existing policy.
This action doesn't run on Google SecOps entities.
Action inputs
The Set Instance IAM Policy action requires the following parameters:
Parameters | Description |
---|---|
Resource Name | Optional. The resource name for the Compute Engine instance. This parameter has higher priority over the combination of the Provide the parameter value in the following format: |
Project ID | Optional. The name of the project for your Compute Engine instance. If you set no value for this parameter, the integration retrieves the project ID from your Google Cloud service account. |
Instance Zone | Optional. The name of an instance zone to search for instances in. |
Instance ID | Optional. The ID of the instance to start. You can retrieve the instance ID using the List Instances action. |
Policy | Required. The JSON policy document to set to the instance. |
Action outputs
The Set Instance IAM Policy action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example describes the JSON result output received when using the Set Instance IAM Policy action:
{
  "version": 1,
  "etag": "BwXBftu99FE=",
  "bindings": [
    {
      "role": "roles/compute.networkViewer",
      "members": [
        "user:user@example.com"
      ]
    }
  ]
}
Output messages
The Set Instance IAM Policy action can return the following output messages:
Output message | Message description |
---|---|
 | Action succeeded. |
Error executing action "Set Instance IAM Policy". Reason: ERROR_REASON | Action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Set Instance IAM Policy action:
Script result name | Value |
---|---|
is_success | True or False |
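Because the policy supplied to Set Instance IAM Policy replaces the existing one, it helps to compare the two before running the action. The following Python sketch is an added example, not part of the integration: it lists the grants a replacement would drop or add, and builds a replacement that removes one member while keeping every other grant and the etag. The sample policies, the second role, and all function names are constructed for illustration and follow the JSON shape shown above.

```python
import copy

# Constructed current policy, in the shape of the JSON result on this page.
CURRENT = {
    "version": 1,
    "etag": "BwXBftu99FE=",
    "bindings": [
        {"role": "roles/compute.networkViewer",
         "members": ["user:user@example.com"]},
        {"role": "roles/compute.osLogin",
         "members": ["user:analyst@example.com", "user:user@example.com"]},
    ],
}
# Constructed hand-written replacement that states only one grant and no etag.
NAIVE = {"bindings": [{"role": "roles/compute.networkViewer",
                       "members": ["user:analyst@example.com"]}]}


def grants(policy):
    """Flatten a policy into a set of (role, member, condition expression)."""
    found = set()
    for binding in policy.get("bindings", []):
        expression = (binding.get("condition") or {}).get("expression", "")
        for member in binding.get("members", []):
            found.add((binding["role"], member, expression))
    return found


def preview_replace(current, proposed):
    """Report what a full replacement of `current` by `proposed` changes."""
    cur, new = grants(current), grants(proposed)
    return {
        "dropped": sorted(cur - new),   # access that silently disappears
        "added": sorted(new - cur),     # access that is newly granted
        # Without the current etag the write is not guarded against
        # concurrent policy changes.
        "etag_carried": proposed.get("etag") == current.get("etag"),
    }


def revoke_member(current, member):
    """Build a replacement that removes `member` and keeps everything else."""
    proposed = copy.deepcopy(current)   # keeps version and etag
    trimmed = [
        dict(b, members=[m for m in b.get("members", []) if m != member])
        for b in proposed.get("bindings", [])
    ]
    # A binding left with no members is dropped rather than sent empty.
    proposed["bindings"] = [b for b in trimmed if b["members"]]
    return proposed


if __name__ == "__main__":
    print(preview_replace(CURRENT, NAIVE))
    safe = revoke_member(CURRENT, "user:user@example.com")
    print(preview_replace(CURRENT, safe))
```

Serialize the reviewed policy to JSON for the Policy parameter only after the dropped list contains nothing but the grants you intend to remove.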
Start Instance
Use the Start Instance action to start a previously stopped Compute Engine instance.
The instance doesn't start running immediately.
This action doesn't run on Google SecOps entities.
Action inputs
The Start Instance action requires the following parameters:
Parameters | Description |
---|---|
Resource Name | Optional. The resource name for the Compute Engine instance. This parameter has higher priority over the combination of the Provide the parameter value in the following format: |
Project ID | Optional. The name of the project for your Compute Engine instance. If you set no value for this parameter, the integration retrieves the project ID from your Google Cloud service account. |
Instance Zone | Optional. The name of an instance zone to search for instances in. |
Instance ID | Optional. The ID of the instance to start. You can retrieve the instance ID using the List Instances action. |
Action outputs
The Start Instance action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example describes the JSON result output received when using the Start Instance action:
{
  "id": "ID",
  "name": "operation-OPERATION_ID",
  "zone": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a",
  "operationType": "start",
  "targetLink": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a/instances/INSTANCE_ID",
  "targetId": "INSTANCE_ID",
  "status": "DONE",
  "user": "user@example.com",
  "progress": 100,
  "insertTime": "2021-04-28T23:01:29.395-07:00",
  "startTime": "2021-04-28T23:01:29.397-07:00",
  "endTime": "2021-04-28T23:01:29.397-07:00",
  "selfLink": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a/operations/operation-OPERATION_ID",
  "kind": "compute#operation"
}
Output messages
The Start Instance action can return the following output messages:
Output message | Message description |
---|---|
 | Action succeeded. |
 | Action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Start Instance action:
Script result name | Value |
---|---|
is_success | True or False |
Stop Instance
Use the Stop Instance action to stop a running Compute Engine instance. You can restart the instance at a later time.
The VM usage charges don't apply to the stopped instances. However, charges apply to the resources that the VM is using, such as persistent disks and static IP addresses, unless you delete the resources.
This action doesn't run on Google SecOps entities.
Action inputs
The Stop Instance action requires the following parameters:
Parameters | Description |
---|---|
Resource Name | Optional. The resource name for the Compute Engine instance. This parameter has higher priority over the combination of the Provide the parameter value in the following format: |
Project ID | Optional. The name of the project for your Compute Engine instance. If you set no value for this parameter, the integration retrieves the project ID from your Google Cloud service account. |
Instance Zone | Optional. The name of an instance zone to search for instances in. |
Instance ID | Optional. The ID of the instance to start. You can retrieve the instance ID using the List Instances action. |
Action outputs
The Stop Instance action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example describes the JSON result output received when using the Stop Instance action:
{
  "id": "ID",
  "name": "operation-OPERATION_ID",
  "zone": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a",
  "operationType": "stop",
  "targetLink": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a/instances/INSTANCE_ID",
  "targetId": "INSTANCE_ID",
  "status": "RUNNING",
  "user": "user@example.com",
  "progress": 100,
  "insertTime": "2021-04-28T23:01:29.395-07:00",
  "startTime": "2021-04-28T23:01:29.397-07:00",
  "selfLink": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a/operations/operation-OPERATION_ID",
  "kind": "compute#operation"
}
Output messages
The Stop Instance action can return the following output messages:
Output message | Message description |
---|---|
 | Action succeeded. |
Error executing action "Stop Instance". Reason: ERROR_REASON | Action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Stop Instance action:
Script result name | Value |
---|---|
is_success | True or False |
Update Firewall Rule
Use the Update Firewall Rule action to update a firewall rule with the provided parameters in Compute Engine.
This action is asynchronous. Adjust the script timeout value in the Google SecOps integrated development environment (IDE), if necessary.
This action doesn't run on Google SecOps entities.
Action inputs
The Update Firewall Rule action requires the following parameters:
Parameters | Description |
---|---|
Resource Name | Optional. The resource name for the Compute Engine instance. This parameter has higher priority over the combination of the Provide the parameter value in the following format: |
Project ID | Optional. The name of the project for your Compute Engine instance. If you set no value for this parameter, the integration retrieves the project ID from your Google Cloud service account. |
Firewall Rule | Optional. A firewall rule name to update. |
Source IP Ranges | Optional. A comma-separated list of source IP ranges. This parameter supports the If you provide the |
Source Tags | Optional. A comma-separated list of source tags. This parameter supports the If you provide the |
Source Service Accounts | Optional. A comma-separated list of source service accounts. This parameter supports the If you provide the |
TCP Ports | Optional. A comma-separated list of TCP ports. If you configure this parameter, the action uses the parameter value to update and determine allowlists and denylists. This parameter supports the |
UDP Ports | Optional. A comma-separated list of UDP ports. If you configure this parameter, the action uses the parameter value to update and determine allowlists and denylists. This parameter supports the |
Other Protocols | Optional. A comma-separated list of other protocols. This parameter supports the |
Destination IP Ranges | Optional. A comma-separated list of the destination IP address ranges. This parameter supports the If you set the |
Action outputs
The Update Firewall Rule action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example describes the JSON result output received when using the Update Firewall Rule action:
{
  "endTime": "2024-05-20T09:42:09.381-07:00",
  "id": "ID",
  "insertTime": "2024-05-20T09:42:05.150-07:00",
  "kind": "compute#operation",
  "name": "operation-OPERATION_ID",
  "operationType": "patch",
  "progress": 100,
  "selfLink": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/operations/operation-OPERATION_ID",
  "startTime": "2024-05-20T09:42:05.164-07:00",
  "status": "DONE",
  "targetId": "7886634413370691799",
  "targetLink": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/firewalls/default-allow-rdp",
  "user": "user@example.com"
}
Output messages
The Update Firewall Rule action can return the following output messages:
Output message | Message description |
---|---|
Successfully updated firewall rule in Cloud Compute. | Action succeeded. |
Error executing action "Update Firewall Rule". Reason: ERROR_REASON | Action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Update Firewall Rule action:
Script result name | Value |
---|---|
is_success | True or False |
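The Remove External IP Addresses, Start Instance, Stop Instance, and Update Firewall Rule actions all return compute#operation objects, and the Stop Instance sample above shows a status of RUNNING rather than DONE. The following Python sketch is an added example, not part of the integration: a playbook step can use a check like this to confirm that every returned operation finished, carried no error, and targeted the expected resource before later containment steps rely on it. The sample results, the error code, and the function names are constructed; the error.errors field is the Compute Engine API's operation error list.

```python
import json

# Constructed samples in the shape of this page's JSON results.
INSTANCE = ("https://www.googleapis.com/compute/v1/projects/PROJECT_ID"
            "/zones/us-central1-a/instances/INSTANCE_ID")
STOP_RESULT = {
    "kind": "compute#operation",
    "name": "operation-OPERATION_ID",
    "operationType": "stop",
    "status": "RUNNING",  # as in the Stop Instance sample: not finished yet
    "progress": 100,
    "targetLink": INSTANCE,
}
REMOVE_IP_RESULT = [
    {"kind": "compute#operation", "name": "operation-" + op_type,
     "operationType": op_type, "status": "DONE", "targetLink": INSTANCE}
    for op_type in ("updateNetworkInterface", "deleteAccessConfig")
]
# Constructed failure: a finished operation that carries an error list.
FAILED_RESULT = dict(STOP_RESULT, status="DONE", error={"errors": [
    {"code": "EXAMPLE_CODE", "message": "constructed failure"}]})


def as_operations(json_result):
    """Accept a JSON string, a single operation, or a list of operations."""
    if isinstance(json_result, str):
        json_result = json.loads(json_result)
    return json_result if isinstance(json_result, list) else [json_result]


def operation_problems(op, expected_types, target_suffix):
    """Return the reasons one operation cannot be treated as completed."""
    problems = []
    if op.get("kind") != "compute#operation":
        problems.append("not a compute#operation object")
    if op.get("status") != "DONE":
        problems.append("status is %s, not DONE" % op.get("status"))
    for err in (op.get("error") or {}).get("errors", []):
        problems.append("error %s: %s" % (err.get("code"), err.get("message")))
    if op.get("operationType") not in expected_types:
        problems.append("unexpected operationType %s" % op.get("operationType"))
    if not str(op.get("targetLink", "")).endswith(target_suffix):
        problems.append("targetLink does not end with %s" % target_suffix)
    return problems


def unconfirmed(json_result, expected_types, target_suffix):
    """List (operation name, problem) pairs; an empty list means confirmed."""
    findings = []
    for op in as_operations(json_result):
        for problem in operation_problems(op, expected_types, target_suffix):
            findings.append((op.get("name", "<unnamed>"), problem))
    return findings


if __name__ == "__main__":
    print(unconfirmed(STOP_RESULT, {"stop"}, "/instances/INSTANCE_ID"))
    print(unconfirmed(REMOVE_IP_RESULT,
                      {"updateNetworkInterface", "deleteAccessConfig"},
                      "/instances/INSTANCE_ID"))
```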