Integrate SiemplifyUtilities with Google SecOps
Integration version: 20.0
This document explains how to integrate SiemplifyUtilities with Google Security Operations (Google SecOps).
Use cases
The SiemplifyUtilities integration can address the following use cases:
- Export and sharing: Use Google SecOps capabilities with the Export Entities as OpenIOC File action to generate standardized OpenIOC files from security entities (such as IP addresses, file hashes, or URLs) and share them with threat intelligence platforms or other security teams.
- List manipulation for logic: Use Google SecOps capabilities with the List Operations action to perform set operations (intersection, union, subtract, xor) on two lists of values within a playbook, for advanced filtering or for combining data sources.
- Data transformation and analysis: Use Google SecOps capabilities with the Extract top From JSON action to process and prioritize large, nested JSON datasets by sorting them on a specific nested key (such as a severity score) and returning only the top results for immediate analysis.
- Email forensics: Use Google SecOps capabilities with the Parse EML to JSON action to convert raw, base64-encoded email messages (EML or MSG files) into structured JSON, making the email's headers, body, attachments, and links accessible for automated parsing and investigation.
Integration parameters
None.
Actions
For more information about actions, see Respond to pending actions from Your Workdesk and Perform a manual action.
Count Entities in Scope
Use the Count Entities in Scope action to retrieve the number of entities in a specific scope.
This action runs on all Google SecOps entities.
Action inputs
The Count Entities in Scope action requires the following parameters:
| Parameter | Description |
|---|---|
| Entity Type | Required. The type of the target entities. |
Action outputs
The Count Entities in Scope action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Count Entities in Scope action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Count Entities in Scope". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table describes the values for the script result output when using the Count Entities in Scope action:
| Script result name | Value |
|---|---|
| list_count | NUMBER_OF_ENTITIES |
Count List
Use the Count List action to retrieve the number of items on a list.
This action doesn't run on Google SecOps entities.
Action inputs
The Count List action requires the following parameters:
| Parameter | Description |
|---|---|
| Input String | Optional. A comma-separated list of strings, such as |
| Delimiter | Optional. The symbol used to separate individual values within the Input String parameter. |
Action outputs
The Count List action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Count List action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Count List". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table describes the values for the script result output when using the Count List action:
| Script result name | Value |
|---|---|
| list_count | NUMBER_OF_ENTITIES |
Delete File
Use the Delete File action to delete a selected file from the file system.
This action doesn't run on Google SecOps entities.
Action inputs
The Delete File action requires the following parameters:
| Parameter | Description |
|---|---|
| File Path | Required. The absolute path of the file to delete. |
Action outputs
The Delete File action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example shows the JSON result output received when using the Delete File action:
```json
{
  "filepath": "",
  "status": "deleted/not found"
}
```
Output messages
The Delete File action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Delete File". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Delete File action:
| Script result name | Value |
|---|---|
| is_success | true or false |
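The action deletes whatever absolute path it is given, so a playbook that builds that path from alert data should confine it first. The following Python guard is an added example, not part of the integration: it resolves `..` segments and symlinks before checking that the target lies under an allowed export directory, and it returns the same `filepath`/`status` shape as the action's JSON result. The allowed-root rule and the scenario in `demo()` are assumptions constructed here.

```python
import os
import tempfile
from pathlib import Path


def is_confined(file_path: str, allowed_root: str) -> bool:
    """True when file_path, after resolving '..' segments and symlinks,
    is allowed_root itself or lies somewhere below it."""
    root = Path(allowed_root).resolve()
    target = Path(file_path).resolve()
    return target == root or root in target.parents


def delete_file_confined(file_path: str, allowed_root: str) -> dict:
    """Delete file_path only if it resolves inside allowed_root.

    Returns the action's result shape:
    {"filepath": ..., "status": "deleted" | "not found"}.
    A path that escapes allowed_root is refused with PermissionError rather
    than reported as "not found", so the playbook can alert on the attempt.
    """
    if not is_confined(file_path, allowed_root):
        raise PermissionError(f"{file_path!r} resolves outside {allowed_root!r}")
    target = Path(file_path).resolve()
    if not target.is_file():
        return {"filepath": file_path, "status": "not found"}
    target.unlink()
    return {"filepath": file_path, "status": "deleted"}


def demo() -> dict:
    """Constructed scenario: a scratch export directory holding one file,
    a symlink inside it that points outside, and a '..' traversal attempt."""
    root = tempfile.mkdtemp(prefix="secops_exports_")
    exported = os.path.join(root, "OpenIOC_demo.txt")
    with open(exported, "w", encoding="utf-8") as fh:
        fh.write("<ioc/>")
    outside = tempfile.NamedTemporaryFile(delete=False)
    outside.close()
    link = os.path.join(root, "innocent.txt")
    os.symlink(outside.name, link)  # resolves to outside.name, so it is refused
    results = {
        "first": delete_file_confined(exported, root)["status"],
        "second": delete_file_confined(exported, root)["status"],
        "symlink_confined": is_confined(link, root),
        "traversal_confined": is_confined(os.path.join(root, "..", "passwd"), root),
    }
    os.unlink(link)
    os.unlink(outside.name)
    os.rmdir(root)
    return results


if __name__ == "__main__":
    print(demo())
```

The symlink case is the one a string-prefix check misses: `root/innocent.txt` starts with the allowed root but resolves elsewhere, so the check must run on the resolved path.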
Export Entities as OpenIOC File
Use the Export Entities as OpenIOC File action to package supported security artifacts from the current case into a standard OpenIOC file. This file can be used for sharing, threat intelligence, or importing into other security tools.
This action runs on the following Google SecOps entities:
- Filehash
- IP Address
- URL
- Hostname
- User
Action inputs
The Export Entities as OpenIOC File action requires the following parameters:
| Parameter | Description |
|---|---|
| Export Folder Path | Required. The local path of the folder where the generated OpenIOC file is saved. |
Action outputs
The Export Entities as OpenIOC File action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example shows the JSON result output received when using the Export Entities as OpenIOC File action:
```json
{
  "absolute_file_path": "OpenIOC_{random_guid}.txt"
}
```
Output messages
The Export Entities as OpenIOC File action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Export Entities as OpenIOC File". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
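The page does not show what the exported file contains, so the following Python example, added here and not the integration's own code, builds an OpenIOC 1.0 document from case entities of the five supported types and writes it as `OpenIOC_<guid>.txt`, returning the `absolute_file_path` result shown above. The entity-to-term mapping (for example `PortItem/remoteIP` for IP addresses, with the hash algorithm inferred from the hex length), the `short_description` text, and the sample entity values are assumptions; the action's real mapping may differ.

```python
import tempfile
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from pathlib import Path

OPENIOC_NS = "http://schemas.mandiant.com/2010/ioc"

# Assumed OpenIOC 1.0 terms per SecOps entity type: (document, search, content type).
ENTITY_TERMS = {
    "IP Address": ("PortItem", "PortItem/remoteIP", "IP"),
    "URL": ("UrlHistoryItem", "UrlHistoryItem/URL", "string"),
    "Hostname": ("DnsEntryItem", "DnsEntryItem/Host", "string"),
    "User": ("UserItem", "UserItem/Username", "string"),
}
# Filehash entities carry no algorithm name; infer it from the hex length.
HASH_TERMS = {32: ("FileItem/Md5sum", "md5"), 40: ("FileItem/Sha1sum", "sha1"),
              64: ("FileItem/Sha256sum", "sha256")}

# Constructed entity values, not taken from a real case.
SAMPLE_ENTITIES = [
    ("Filehash", "d41d8cd98f00b204e9800998ecf8427e"),
    ("IP Address", "203.0.113.10"),
    ("URL", "http://malicious.example/a?b=1&c=<x>"),
    ("Hostname", "c2.example.net"),
    ("User", "CORP\\jdoe"),
]


def _q(tag: str) -> str:
    return f"{{{OPENIOC_NS}}}{tag}"


def term_for(entity_type: str, value: str) -> tuple:
    """Resolve (document, search, content type) for one entity; reject unknowns."""
    if entity_type == "Filehash":
        is_hex = all(c in "0123456789abcdefABCDEF" for c in value)
        if len(value) not in HASH_TERMS or not is_hex:
            raise ValueError(f"unsupported hash value {value!r}")
        search, ctype = HASH_TERMS[len(value)]
        return "FileItem", search, ctype
    if entity_type not in ENTITY_TERMS:
        raise ValueError(f"unsupported entity type {entity_type!r}")
    return ENTITY_TERMS[entity_type]


def build_openioc(entities, description: str) -> ET.Element:
    """One OR'd IndicatorItem per (entity_type, value) pair."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
    ioc = ET.Element(_q("ioc"), {"id": str(uuid.uuid4()), "last-modified": now})
    ET.SubElement(ioc, _q("short_description")).text = "Google SecOps case export"
    ET.SubElement(ioc, _q("description")).text = description
    ET.SubElement(ioc, _q("authored_date")).text = now
    definition = ET.SubElement(ioc, _q("definition"))
    indicator = ET.SubElement(definition, _q("Indicator"),
                              {"operator": "OR", "id": str(uuid.uuid4())})
    for entity_type, value in entities:
        document, search, ctype = term_for(entity_type, value)
        item = ET.SubElement(indicator, _q("IndicatorItem"),
                             {"id": str(uuid.uuid4()), "condition": "is"})
        ET.SubElement(item, _q("Context"),
                      {"document": document, "search": search, "type": "mir"})
        # ElementTree escapes text, so '<' or '&' in a URL cannot break the XML.
        ET.SubElement(item, _q("Content"), {"type": ctype}).text = value
    return ioc


def export_entities(entities, export_folder: str,
                    description: str = "Exported from Google SecOps") -> dict:
    """Write OpenIOC_<guid>.txt into export_folder; return the action's result shape."""
    ET.register_namespace("", OPENIOC_NS)
    path = Path(export_folder).resolve() / f"OpenIOC_{uuid.uuid4()}.txt"
    tree = ET.ElementTree(build_openioc(entities, description))
    tree.write(path, encoding="utf-8", xml_declaration=True)
    return {"absolute_file_path": str(path)}


def count_indicator_items(file_path: str) -> int:
    root = ET.parse(file_path).getroot()
    return len(list(root.iter(_q("IndicatorItem"))))


def demo() -> dict:
    result = export_entities(SAMPLE_ENTITIES, tempfile.mkdtemp())
    path = result["absolute_file_path"]
    return {"name_ok": Path(path).name.startswith("OpenIOC_") and path.endswith(".txt"),
            "items": count_indicator_items(path)}


if __name__ == "__main__":
    print(demo())
```

Validating the hex length before export matters in practice: a truncated or non-hex "hash" silently becomes an indicator that never matches on the receiving platform.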
Extract top From JSON
Use the Extract top From JSON action to sort an input JSON by a specific key and return the top-ranked branches or records.
This action doesn't run on Google SecOps entities.
Action inputs
The Extract top From JSON action requires the following parameters:
| Parameter | Description |
|---|---|
| JSON Data | Required. The JSON data to process. |
| Key To Sort By | Required. The nested key used for sorting, with segments separated by dots. Use `*` as a wildcard. For example, `Host.*.wassap_list.Severity`. |
| Field Type | Required. The data type of the key specified for sorting. The possible values are `int`, `string`, and `Date`. |
| Reverse (DESC -> ASC) | Optional. If selected, the sort order is descending. If not selected, the sort order is ascending. Enabled by default. |
| Top Rows | Optional. The number of top records (rows) to retrieve from the sorted JSON output. |
Action outputs
The Extract top From JSON action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example shows the JSON result output received when using the Extract top From JSON action:
```json
[
  {
    "HOST": {
      "DETECTION": {
        "QID": "82003",
        "SEVERITY": "1",
        "RESULTS": "Timestamp of host (network byte ordering): 03:40:14 GMT"
      },
      "IP": "1.1.1.1",
      "LAST_SCAN_DATETIME": "2018-08-13T10:24:35Z",
      "OS": "Windows 10"
    },
    "DATETIME": "2018-08-29T14:01:12Z"
  },
  {
    "HOST": {
      "DETECTION": {
        "PORT": "443",
        "QID": "11827",
        "PROTOCOL": "tcp",
        "RESULTS": "X-Frame-Options or Content-Security-Policy: frame-ancestors HTTP Headers missing on port 443.",
        "SEVERITY": "2"
      },
      "IP": "1.1.1.1",
      "LAST_SCAN_DATETIME": "2018-08-13T08:31:58Z",
      "OS": "Linux 3.13"
    },
    "DATETIME": "2018-08-29T14:01:12Z"
  },
  {
    "HOST": {
      "DETECTION": {
        "PORT": "53",
        "QID": "15033",
        "PROTOCOL": "udp",
        "RESULTS": "--- IPv4 --- ",
        "SEVERITY": "4"
      },
      "IP": "1.1.1.1",
      "LAST_SCAN_DATETIME": "2018-08-13T08:31:58Z",
      "OS": "Linux 3.13"
    },
    "DATETIME": "2018-08-29T14:01:12Z"
  }
]
```
Output messages
The Extract top From JSON action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Extract top From JSON". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Extract top From JSON action:
| Script result name | Value |
|---|---|
| result | RESULTS |
Filter JSON
Use the Filter JSON action to filter a JSON object based on a specified condition and extract specific results.
This action doesn't run on Google SecOps entities.
Action inputs
The Filter JSON action requires the following parameters:
| Parameter | Description |
|---|---|
| JSON Data | Required. The JSON dictionary data to apply the filter to. |
| Root Key Path | Optional. The dot-separated starting path for the JSON search. |
| Condition Path | Required. The dot-separated path to the field whose value is evaluated against the filter condition. |
| Condition Operator | Required. The comparison operator to use in the condition. The possible values are `=`, `!=`, `>`, `<`, `>=`, `<=`, `in`, and `not in`. |
| Condition Value | Required. The specific value to use in the filter condition. |
| Output Path | Optional. The dot-separated path to the specific data elements to return from the filtered JSON. |
| Delimiter | Optional. The character used to join the output values if multiple elements are returned. The default value is `,`. |
Action outputs
The Filter JSON action provides the following outputs:
JSON result
The following example shows the JSON result output received when using the Filter JSON action:
```json
{
  "a": {
    "HOST": [
      {
        "DETECTION": {
          "QID": "82003",
          "SEVERITY": "1",
          "RESULTS": "Timestamp of host (network byte ordering): 03:40:14 GMT"
        },
        "IP": "1.1.1.1",
        "LAST_SCAN_DATETIME": "2018-08-13T10:24:35Z",
        "OS": "Windows 10"
      }
    ],
    "DATETIME": "2018-08-29T14:01:12Z"
  }
}
```
Output messages
The Filter JSON action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Filter JSON". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Filter JSON action:
| Script result name | Value |
|---|---|
| is_success | true or false |
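Extract top From JSON and Filter JSON rest on the same mechanism: resolve a dot-separated path, with `*` wildcards, against nested JSON, then sort or filter by what it finds. The following Python example, added here and not the integration's code, implements both actions over constructed records shaped like the samples above. Several details are assumptions rather than documented behaviour: lists met where a key is expected are expanded implicitly, the largest matched value is used when a wildcard yields several, `in`/`not in` look the field value up inside the condition value, and the filter compares numerically when the condition value is a number. The last point is the practical caveat: scanner output usually carries severities as strings, and as strings `"10" > "4"` is false.

```python
import operator
from datetime import datetime
from typing import Any, Iterator

# Constructed records shaped like the page's example (not real scan output).
SAMPLE = [
    {"HOST": {"DETECTION": {"QID": "82003", "SEVERITY": "1"}, "IP": "1.1.1.1"}, "DATETIME": "2018-08-29T14:01:12Z"},
    {"HOST": {"DETECTION": {"QID": "11827", "SEVERITY": "2"}, "IP": "1.1.1.1"}, "DATETIME": "2018-08-29T14:01:12Z"},
    {"HOST": {"DETECTION": {"QID": "15033", "SEVERITY": "4"}, "IP": "1.1.1.1"}, "DATETIME": "2018-08-29T14:01:12Z"},
    {"HOST": {"DETECTION": {"QID": "38170", "SEVERITY": "10"}, "IP": "1.1.1.2"}, "DATETIME": "2018-08-29T14:01:12Z"},
]
# The same hosts nested under a root key, as in the Filter JSON result above.
FILTER_INPUT = {"a": {"HOST": [record["HOST"] for record in SAMPLE]}}


def walk(node: Any, path: str) -> Iterator[Any]:
    """Yield every value reached from node by a dot-separated path. '*' matches
    any dict key or list element; a list met where a key is expected is expanded."""
    yield from _walk(node, path.split(".") if path else [])


def _walk(node, parts):
    if not parts:
        yield node
    elif isinstance(node, list):
        for item in node:
            yield from _walk(item, parts[1:] if parts[0] == "*" else parts)
    elif isinstance(node, dict):
        if parts[0] == "*":
            for value in node.values():
                yield from _walk(value, parts[1:])
        elif parts[0] in node:
            yield from _walk(node[parts[0]], parts[1:])


# Assumed mapping of the action's Field Type values onto Python types.
CASTS = {"int": int, "string": str,
         "Date": lambda s: datetime.fromisoformat(str(s).replace("Z", "+00:00"))}


def extract_top(data, key_to_sort_by, field_type="string", reverse=True, top_rows=None):
    """Sort records by the value under key_to_sort_by (the largest one when a
    wildcard matches several); records without the key go last. reverse=True
    is descending, matching the action's default."""
    cast = CASTS[field_type]
    keyed, missing = [], []
    for record in (data if isinstance(data, list) else [data]):
        values = [cast(v) for v in walk(record, key_to_sort_by)]
        if values:
            keyed.append((max(values), record))
        else:
            missing.append(record)
    keyed.sort(key=lambda pair: pair[0], reverse=reverse)
    ordered = [record for _, record in keyed] + missing
    return ordered[:top_rows] if top_rows else ordered


OPERATORS = {
    "=": operator.eq, "!=": operator.ne, ">": operator.gt, "<": operator.lt,
    ">=": operator.ge, "<=": operator.le,
    # Assumption: 'in' asks whether the field value occurs inside the condition value.
    "in": lambda field, cond: str(field) in cond,
    "not in": lambda field, cond: str(field) not in cond,
}


def _coerce(field_value, condition_value):
    """Compare numbers as numbers when the condition value is numeric."""
    if isinstance(condition_value, (int, float)):
        try:
            return type(condition_value)(field_value)
        except (TypeError, ValueError):
            return field_value
    return field_value


def filter_json(data, condition_path, condition_operator, condition_value,
                root_key_path="", output_path="", delimiter=","):
    """Keep the elements under root_key_path whose condition_path value satisfies
    the condition. Returns the matching elements, or the output_path values
    joined with delimiter when output_path is given."""
    compare = OPERATORS[condition_operator]
    candidates = []
    for node in (walk(data, root_key_path) if root_key_path else [data]):
        candidates.extend(node if isinstance(node, list) else [node])

    def matches(node):
        for value in walk(node, condition_path):
            try:
                if compare(_coerce(value, condition_value), condition_value):
                    return True
            except TypeError:  # e.g. str vs int under '>': treat as no match
                pass
        return False

    matched = [node for node in candidates if matches(node)]
    if not output_path:
        return matched
    return delimiter.join(str(v) for node in matched for v in walk(node, output_path))
```

With Field Type `int`, `extract_top(SAMPLE, "HOST.DETECTION.SEVERITY", "int", top_rows=2)` returns the severity 10 and 4 records; with `string` the severity 4 record comes first and 10 sorts below 2. The same trap applies to Filter JSON: `filter_json(FILTER_INPUT, "DETECTION.SEVERITY", ">", "4", root_key_path="a.HOST")` matches nothing, while passing the integer `4` matches the severity 10 host.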
Get Deployment URL
Use the Get Deployment URL action to retrieve the deployment URL for your current Google SecOps instance.
This action doesn't run on Google SecOps entities.
Action inputs
None.
Action outputs
The Get Deployment URL action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example shows the JSON result output received when using the Get Deployment URL action:
```json
{
  "url": ""
}
```
Output messages
The Get Deployment URL action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Get Deployment URL". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Get Deployment URL action:
| Script result name | Value |
|---|---|
| is_success | true or false |
List Operations
Use the List Operations action to perform set operations between two provided comma-separated lists.
This action doesn't run on Google SecOps entities.
Action inputs
The List Operations action requires the following parameters:
| Parameter | Description |
|---|---|
| First List | Required. The first list of comma-separated values for the set operation. |
| Second List | Required. The second list of comma-separated values for the set operation. |
| Delimiter | Optional. The symbol or character used to separate values in both the First List and Second List. The default value is `,`. |
| Operator | Required. The type of set operation to perform. The possible values are `intersection`, `union`, `subtract`, and `xor` (exclusive OR). |
Action outputs
The List Operations action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example shows the JSON result output received when using the List Operations action:
```json
{
  "results": {
    "count": 6,
    "data": [
      "item",
      "item1",
      "item2"
    ]
  }
}
```
Script result
The following table lists the value for the script result output when using the List Operations action:
| Script result name | Value |
|---|---|
| result_list | RESULTS |
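As an added example, not the integration's code, the following Python function shows how the four operators behave on two delimited lists and returns the `results.count`/`results.data` shape shown above. Trimming whitespace, dropping empty items, and deduplicating while keeping first-seen order are choices made here. The `case_insensitive` flag is also an addition, not an action parameter: for indicator types such as hostnames and hex hashes, where case is not significant, a case-sensitive intersection silently misses matches.

```python
def parse_list(raw: str, delimiter: str = ",") -> list:
    """Split on the delimiter, trim surrounding whitespace, drop empty items."""
    return [item.strip() for item in raw.split(delimiter) if item.strip()]


def list_operation(first_list: str, second_list: str, operator: str,
                   delimiter: str = ",", case_insensitive: bool = False) -> dict:
    """Set operation between two delimited lists.

    Returns {"results": {"count": N, "data": [...]}}. Order follows first
    appearance and duplicates are removed; the first spelling seen is kept
    when case_insensitive merges values that differ only in case.
    """
    key = str.casefold if case_insensitive else str
    first = parse_list(first_list, delimiter)
    second = parse_list(second_list, delimiter)
    first_keys = {key(x) for x in first}
    second_keys = {key(x) for x in second}
    operations = {
        "intersection": lambda: [x for x in first if key(x) in second_keys],
        "union": lambda: first + [x for x in second if key(x) not in first_keys],
        "subtract": lambda: [x for x in first if key(x) not in second_keys],
        "xor": lambda: [x for x in first if key(x) not in second_keys]
                       + [x for x in second if key(x) not in first_keys],
    }
    if operator not in operations:
        raise ValueError(f"operator must be one of {sorted(operations)}, got {operator!r}")
    seen, data = set(), []
    for item in operations[operator]():
        if key(item) not in seen:
            seen.add(key(item))
            data.append(item)
    return {"results": {"count": len(data), "data": data}}


if __name__ == "__main__":
    # Constructed lists: IPs seen in an alert versus IPs on a blocklist.
    print(list_operation("10.0.0.1, 10.0.0.2,10.0.0.3", "10.0.0.3,10.0.0.4", "subtract"))
```

`subtract` (first minus second) is the operator for "alert IPs not yet on the blocklist"; `xor` returns the items on exactly one of the two lists.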
Parse EML to JSON
Use the Parse EML to JSON action to convert the content of an EML or MSG email file into a structured JSON object within Google SecOps.
This action doesn't run on Google SecOps entities.
Action inputs
The Parse EML to JSON action requires the following parameters:
| Parameter | Description |
|---|---|
| EML Content | Required. The base64-encoded content of the EML or MSG file. |
| Blacklisted Headers | Optional. A comma-separated list of headers to exclude from the final JSON output. |
| Use Blacklist As Whitelist | Optional. If selected, the list provided in Blacklisted Headers acts as a whitelist, and only the listed headers are included in the JSON output. |
Action outputs
The Parse EML to JSON action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example shows the JSON result output received when using the Parse EML to JSON action:
```json
{
  "HTML Body": "<div><br></div>",
  "Attachments": {},
  "Recipients": "john_doe@example.com",
  "CC": "",
  "Links": {
    "urls_1": "https://lh4.googleusercontent.com/rE6-WYjfFuiHbHUV33G31NCtUeBl9YGnw4bvlorqMeNaC60qWagqtohFwCpq2eJxlMYMJPPDAqqXRZW6Oja8GqOjt3jB3aB6tzJP-jdtbCBoj-m3vu49tttHmWpXGJUSI6UuTUYS",
    "urls_2": "https://lh4.googleusercontent.com/Uih5TalWnJjBbG_QaRICp8emX5wIakbCmstEDP3YHT7l45qdjIllcxg_Ddapvrh5DqGKszK3KKM5M0kEoC1YX6TgbWKJKPX0OxD5BeWr3uu6SRAHs7lwP20khjHSlxsIM46egQ-M"
  },
  "BCC": "",
  "To": "john_doe@example.com",
  "Date": "Mon, 13 Aug 2018 13:20:34 +0300",
  "From": "john_doe@example.com",
  "Subject": "TEST6:::Test:::ADVANCE NOTICE: 07.08.2018-Disable Accounts-user\\\r\\\\n Office Il Office"
}
```
Script result
The following table lists the value for the script result output when using the Parse EML to JSON action:
| Script result name | Value |
|---|---|
| parsed_eml | RESULTS |
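The following Python example, added here and not the integration's code, does what the action describes using only the standard library: decode the base64 EML, keep or drop headers according to the blacklist/whitelist switch, collect the text and HTML bodies, hash attachments without writing them to disk, extract links, and split each Received header's `with ... id ...` pair into separate `with` and `id` fields, the layout this page describes for version 10 and later. The sample message, the URL and Received regular expressions, and the exact output keys are constructed here and are assumptions; MSG (Outlook) files are outside the standard library and are not covered.

```python
import base64
import hashlib
import re
from email import message_from_bytes, policy

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# 'with <protocol> id <id>' inside a Received trace header; the id is optional.
RECEIVED_RE = re.compile(
    r"\bwith\s+(?P<with>[A-Za-z0-9]+)(?:\s+id\s+(?P<id>[^\s;]+))?", re.IGNORECASE)

# Constructed sample message (not a real email): one HTML part, one attachment.
SAMPLE_EML = b"""\
Received: from mail.example.net (mail.example.net [198.51.100.7])
 by mx.example.com with ESMTPS id 4Ab12Cd34Ef
 for <john_doe@example.com>; Mon, 13 Aug 2018 13:20:35 +0300
From: it-helpdesk@example.net
To: john_doe@example.com
Subject: ADVANCE NOTICE: Disable Accounts
Date: Mon, 13 Aug 2018 13:20:34 +0300
Message-ID: <constructed-001@example.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://login.example.net/reset">Reset</a><br>
Mirror: https://203.0.113.9/reset</body></html>
--b1
Content-Type: application/octet-stream; name="notice.pdf.exe"
Content-Disposition: attachment; filename="notice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAA
--b1--
"""
SAMPLE_EML_B64 = base64.b64encode(SAMPLE_EML).decode("ascii")


def parse_received(value: str) -> dict:
    """Version-10 layout: protocol in 'with', the transaction id in its own field."""
    match = RECEIVED_RE.search(value)
    if not match:
        return {"with": "", "id": ""}
    return {"with": match.group("with"), "id": match.group("id") or ""}


def parse_eml(eml_content_b64: str, blacklisted_headers=(),
              use_blacklist_as_whitelist: bool = False) -> dict:
    msg = message_from_bytes(base64.b64decode(eml_content_b64), policy=policy.default)
    listed = {h.lower() for h in blacklisted_headers}
    grouped = {}
    for name, value in msg.items():
        in_list = name.lower() in listed
        keep = in_list if use_blacklist_as_whitelist else not in_list
        if keep:
            grouped.setdefault(name, []).append(str(value))  # Received may repeat
    headers = {k: v[0] if len(v) == 1 else v for k, v in grouped.items()}
    text_body, html_body, attachments = "", "", {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment":
            payload = part.get_payload(decode=True) or b""
            # Hash only; the attachment is never written to disk or opened.
            attachments[part.get_filename() or "unnamed"] = {
                "content_type": part.get_content_type(),
                "size": len(payload),
                "sha256": hashlib.sha256(payload).hexdigest(),
            }
        elif part.get_content_type() == "text/plain":
            text_body += part.get_content()
        elif part.get_content_type() == "text/html":
            html_body += part.get_content()
    urls = list(dict.fromkeys(URL_RE.findall(text_body + "\n" + html_body)))
    return {
        "Headers": headers,
        "Received": [parse_received(str(v)) for v in msg.get_all("Received", [])],
        "From": str(msg.get("From", "")),
        "To": str(msg.get("To", "")),
        "Subject": str(msg.get("Subject", "")),
        "Date": str(msg.get("Date", "")),
        "Text Body": text_body,
        "HTML Body": html_body,
        "Attachments": attachments,
        "Links": {f"urls_{i}": url for i, url in enumerate(urls, 1)},
    }


if __name__ == "__main__":
    print(parse_eml(SAMPLE_EML_B64, ["Received"]))
```

The double-extension attachment name and the raw-IP mirror link in the sample are exactly the fields a phishing playbook pivots on; hashing the payload gives the playbook a lookup key without ever materialising the file.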
In version 10 and later of the integration, the JSON output for the `with` field is restructured so that the ID value goes into a dedicated field, as described in the following table:
| Version | Output | Example |
|---|---|---|
| Before version 10 | The ID value is part of the `with` field. | {"with": "smtp id ID"} |
| Version 10 and later | The ID value is in a dedicated `id` field, and the `with` field contains only the protocol. | {"id": "ID", "with": "SMTP"} |
Ping
Use the Ping action to test connectivity to SiemplifyUtilities.
This action doesn't run on Google SecOps entities.
Action inputs
None.
Action outputs
The Ping action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Ping action can return the following output messages:
| Output message | Message description |
|---|---|
| Connection Established. | The action succeeded. |
| Failed to connect to SiemplifyUtilities. Error is ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table describes the values for the script result output when using the Ping action:
| Script result name | Value |
|---|---|
| is_success | True or False |
Query Joiner
Use the Query Joiner action to construct a structured query string by combining a list of search values, a target field, and a logical operator.
This action doesn't run on Google SecOps entities.
Action inputs
The Query Joiner action requires the following parameters:
| Parameter | Description |
|---|---|
| Values | Required. A comma-separated list of values to search for, such as `value1,value2,value3`. |
| Query Field | Required. The target field name to search in, such as `SrcIP`, `DestHost`, or `UserName`. |
| Query Operator | Required. The logical operator used to combine the values, such as `AND` or `OR`. |
| Add Quotes | Optional. If selected, single quotes (`'`) are added around each item in the Values list. Not enabled by default. |
| Add Double Quotes | Optional. If selected, double quotes (`"`) are added around each item in the Values list. Not enabled by default. |
Action outputs
The Query Joiner action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Query Joiner action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Query Joiner". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Query Joiner action:
| Script result name | Value |
|---|---|
| query | QUERY_FIELD = VALUE_1 OPERATOR QUERY_FIELD = VALUE_2 OPERATOR QUERY_FIELD = VALUE_3 |
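The Values list usually comes from alert artifacts, so a value such as `x' OR 'a'='a` must end up inside its quotes rather than becoming a new clause in the search. The following Python example, added here and not the integration's code, builds the query in the layout shown above, escapes embedded quote characters when Add Quotes or Add Double Quotes is set, and without quoting refuses values that are not plain tokens. The backslash escaping rule and the field-name pattern are assumptions and must match the target search language before the output is pasted into a SIEM.

```python
import re

# Assumption: field names are plain identifiers, optionally dotted (e.g. src.ip).
FIELD_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_.]*")
# Bare (unquoted) values are limited to characters that cannot start a new clause.
SAFE_BARE_RE = re.compile(r"[A-Za-z0-9_.:@/\-]+")


def is_safe_unquoted(value: str) -> bool:
    return SAFE_BARE_RE.fullmatch(value) is not None


def quote_value(value: str, quote: str) -> str:
    """Wrap value in quote, escaping backslashes and embedded quote characters.
    Backslash escaping is an assumption; use the target query language's rule."""
    escaped = value.replace("\\", "\\\\").replace(quote, "\\" + quote)
    return f"{quote}{escaped}{quote}"


def join_query(values: str, query_field: str, query_operator: str,
               add_quotes: bool = False, add_double_quotes: bool = False,
               delimiter: str = ",") -> str:
    """Build 'FIELD = v1 OP FIELD = v2 ...' as the action's script result is laid out."""
    if add_quotes and add_double_quotes:
        raise ValueError("choose either Add Quotes or Add Double Quotes, not both")
    if not FIELD_RE.fullmatch(query_field):
        raise ValueError(f"query field {query_field!r} is not a plain field name")
    op = query_operator.strip().upper()
    if op not in ("AND", "OR"):
        raise ValueError(f"unsupported operator {query_operator!r}")
    items = [v.strip() for v in values.split(delimiter) if v.strip()]
    if not items:
        raise ValueError("no values to join")
    quote = "'" if add_quotes else '"' if add_double_quotes else ""
    clauses = []
    for item in items:
        if quote:
            rendered = quote_value(item, quote)
        elif is_safe_unquoted(item):
            rendered = item
        else:
            raise ValueError(f"value {item!r} contains characters that need quoting")
        clauses.append(f"{query_field} = {rendered}")
    return f" {op} ".join(clauses)


if __name__ == "__main__":
    # Constructed inputs: IPs from an alert, and a hostile username artifact.
    print(join_query("10.0.0.1, 10.0.0.2", "SrcIP", "OR"))
    print(join_query("a' OR 'x'='x", "UserName", "AND", add_quotes=True))
```

The second call prints `UserName = 'a\' OR \'x\'=\'x'`: the injected clause stays a literal string. Without Add Quotes the same value is rejected instead of being spliced into the query.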