Internet Storm Center
Integration version: 3.0
Configure Internet Storm Center integration in Google Security Operations
For detailed instructions on how to configure an integration in Google SecOps, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Email Address | String | name@example.com | Yes | Email address that is associated with API requests. |
Verify SSL | Checkbox | Checked | Yes | If enabled, verifies that the SSL certificate for the connection to the Google Translate server is valid. |
Product Use Cases
Enrich entities.
Actions
Ping
Description
Test connectivity to Internet Storm Center with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.
Parameters
N/A
Run On
This action doesn't run on entities and has no mandatory input parameters.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success=False |
JSON Result
N/A
Entity Enrichment
N/A
Insights
N/A
Case Wall
Result type | Value/Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If successful: "Successfully connected to the Internet Storm Center server with the provided connection parameters!" The action should fail and stop a playbook execution: If not successful: "Failed to connect to the Internet Storm Center server! Error is {0}".format(exception.stacktrace) If the response is not JSON: "Failed to connect to the Internet Storm Center server! Reason: please check the configuration. Additionally, your IP might have been blocked." | General |
Enrich Entities
Description
Enrich entities using information from the Internet Storm Center. Supported entities: IP Address.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Create Insight | Checkbox | Checked | No | If enabled, the action creates an insight containing all of the retrieved information about the entity. |
Run on
This action runs on the IP Address entity.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success=False |
JSON Result
```
{
    "ip": {
        "number": "XXXX",
        "count": ,
        "attacks": ,
        "maxdate": "2021-12-06",
        "mindate": "2021-09-20",
        "updated": "2021-12-06 09:19:16",
        "comment": null,
        "maxrisk": null,
        "asabusecontact": "",
        "as": 202425,
        "asname": "",
        "ascountry": "",
        "assize": ,
        "network": "89.248.165.0/24",
        "threatfeeds": {
            "ciarmy": {
                "lastseen": "2021-12-02",
                "firstseen": "2021-04-19"
            },
            "recyber": {
                "lastseen": "2021-12-06",
                "firstseen": "2021-03-29"
            }
        }
    }
}
```
Entity Enrichment
Enrichment Field Name | Logic - When to apply |
---|---|
count | When available in JSON |
attacks | When available in JSON |
first_seen | When available in JSON |
last_seen | When available in JSON |
comment | When available in JSON |
maxrisk | When available in JSON |
asabuse_contact | When available in JSON |
as_name | When available in JSON |
as_country | When available in JSON |
threatfeeds | When available in JSON |
Insights
N/A
Case Wall
The action should not fail nor stop a playbook execution:
If data is available for one entity (is_success=true): "Successfully enriched the following entities using information from Internet Storm Center: {entity.identifier}."
If data is not available for one entity (is_success=true): "Action wasn't able to enrich the following entities using information from Internet Storm Center: {entity.identifier}"
If data is not available for all entities (is_success=false): "None of the provided entities were enriched."
The action should fail and stop a playbook execution:
If a fatal error is reported, such as wrong credentials, no connection to the server, or other: "Error executing action "Enrich Entities". Reason: {0}".format(error.Stacktrace)
Table Title:{entity.identifier}
Table Columns:
- Key
- Value
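The following is an added sketch, not the integration's own code, of how the Enrich Entities JSON result could be flattened into the enrichment fields listed above and reduced to the is_success outcome, with a non-JSON reply counted as "not enriched". The key-to-field mapping, the comma-joined threatfeeds value, the function names and the sample bodies are assumptions constructed for illustration.

```python
import json

# Assumed source-key -> enrichment-field mapping; the page lists only the
# enrichment field names, so mindate/maxdate -> first_seen/last_seen is a guess.
FIELD_MAP = {
    "count": "count", "attacks": "attacks", "mindate": "first_seen",
    "maxdate": "last_seen", "comment": "comment", "maxrisk": "maxrisk",
    "asabusecontact": "asabuse_contact", "asname": "as_name",
    "ascountry": "as_country",
}

# Constructed sample bodies (documentation IPs, invented values).
SAMPLE = {
    "192.0.2.10": '{"ip": {"number": "192.0.2.10", "count": 12, "attacks": 3,'
                  ' "mindate": "2021-09-20", "maxdate": "2021-12-06",'
                  ' "comment": null, "asname": "", "threatfeeds":'
                  ' {"feed_b": {"lastseen": "2021-12-06"}, "feed_a": {}}}}',
    "192.0.2.20": "<html>Access denied</html>",  # non-JSON reply
}


def build_enrichment(raw_body):
    """Return enrichment fields for one IP, or None if nothing is usable."""
    try:
        data = json.loads(raw_body)
    except (TypeError, ValueError):
        return None  # not JSON: treat as "no data", never as a clean verdict
    record = data.get("ip") if isinstance(data, dict) else None
    if not isinstance(record, dict):
        return None
    fields = {dst: record[src] for src, dst in FIELD_MAP.items()
              if record.get(src) not in (None, "")}  # "When available in JSON"
    feeds = record.get("threatfeeds")
    if isinstance(feeds, dict) and feeds:
        fields["threatfeeds"] = ", ".join(sorted(feeds))  # assumed rendering
    return fields or None


def enrich_entities(responses):
    """Map {ip: raw_body} to (is_success, enriched, not_enriched)."""
    enriched, not_enriched = {}, []
    for ip, body in responses.items():
        fields = build_enrichment(body)
        if fields:
            enriched[ip] = fields
        else:
            not_enriched.append(ip)
    return bool(enriched), enriched, not_enriched
```

In a playbook, an entity that lands in the not-enriched list has no data, which is different from a clean result and should not lower an alert's priority on its own.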