Google Chronicle
App Vendor: Google Cloud
App Category: Analytics & SIEM
Connector Version: 1.0.0
API Version: 1.0.0
Notice
This is a beta-app and the documentation is in progress.
About App
Chronicle, powered by Google infrastructure, enables cost-effective use of security telemetry to improve SOC productivity and combat modern threats.
The Google Chronicle app is configured with the Orchestrate application to perform the following actions:
Action Name | Description |
---|---|
Get Alert | This action retrieves the alert with the provided ID. |
List Alerts | This action provides a list of assets and user-based alerts. |
List Asset Events | This action provides a list of parsed events for the asset matching the provided identification. Note that one of hostname, ip_address, mac_address, or product_id must be provided. |
List IOCs | This action provides a list of indicators of compromise within the provided time range. |
Query Events | This action executes the specified query to search for events in the Chronicle environment. |
Configuration Parameters
The following configuration parameters are required for the Google Chronicle app to communicate with the Google Chronicle enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Credential File | Enter the Google-provided JSON credential file. | File | Required | |
SSL Verification | Choose whether to perform certificate verification on SSL connections. | Boolean | Optional | Default value: true |
Action: Get Alert
This action retrieves the alert with the specified ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the ID of the alert to retrieve the alert details. | Text | Required | You can retrieve the Alert ID using the action List Alerts. |
Action: List Alerts
This action provides a list of assets and user-based alerts.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Start time | Enter the beginning of the time range for the search, as an ISO-8601 string (YYYY-MM-DDTHH:MM:SS). Example: 1970-01-01T12:00:00 | Text | Required | |
End time | Enter the end of the time range for the search, as an ISO-8601 string (YYYY-MM-DDTHH:MM:SS). Example: 1970-01-01T12:00:00 | Text | Required | |
Local time | Choose whether the specified times are in the system's local timezone rather than UTC. Example: false | Boolean | Optional | Default value: false |
Page size | Enter the maximum number of alerts to return, up to a maximum of 100,000. Example: 1000 | Integer | Optional | Default value: 1000 |
Action: List Asset Events
This action provides a list of parsed events for the asset matching the provided identification. One of hostname, ip_address, mac_address, or product_id must be provided.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Hostname | Enter the hostname of the asset whose events to list. Example: "enterprise.service.example.com" | Text | Optional | |
IP address | Enter the IP address of the asset. Example: 10.0.2.10 | Text | Optional | |
MAC address | Enter the MAC address of the asset. | Text | Optional | |
Product ID | Enter the product ID of the asset. Example: "CS:3456-7891" | Text | Optional | |
Start time | Enter the beginning of the event time range, as an ISO-8601 string (YYYY-MM-DDTHH:MM:SS). Example: 1970-01-01T12:00:00 | Text | Optional | |
End time | Enter the end of the event time range, as an ISO-8601 string (YYYY-MM-DDTHH:MM:SS). Example: 1970-01-01T12:00:00 | Text | Optional | |
Local time | Choose whether the specified times are in the system's local timezone rather than UTC. Example: false | Boolean | Optional | Default value: false |
Page size | Enter the maximum number of events to return, up to a maximum of 100,000. Example: 1000 | Integer | Optional | Default value: 1000 |
Action: List IOCs
This action provides a list of indicators of compromise within the provided time range.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Start time | Enter the beginning of the IOC time range, as an ISO-8601 string (YYYY-MM-DDTHH:MM:SS). Example: 1970-01-01T12:00:00 | Text | Optional | |
End time | Enter the end of the IOC time range, as an ISO-8601 string (YYYY-MM-DDTHH:MM:SS). Example: 1970-01-01T12:00:00 | Text | Optional | |
Local time | Choose whether the specified times are in the system's local timezone rather than UTC. Example: false | Boolean | Optional | Default value: false |
Page size | Enter the maximum number of IOCs to return, up to a maximum of 100,000. Example: 1000 | Integer | Optional | Default value: 1000 |
Action: Query Events
This action executes the specified query to search for events in the Chronicle environment.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Raw query | Enter the search query string used to search for events. | Text | Required | |
Start time | Enter the beginning of the event time range, as an ISO-8601 string (YYYY-MM-DDTHH:MM:SS). Example: 1970-01-01T12:00:00 | Text | Required | |
End time | Enter the end of the event time range, as an ISO-8601 string (YYYY-MM-DDTHH:MM:SS). Example: 1970-01-01T12:00:00 | Text | Required | |
Local time | Choose whether the specified times are in the system's local timezone rather than UTC. Example: false | Boolean | Optional | Default value: false |
Page size | Enter the maximum number of events to return, up to a maximum of 100,000. Example: 1000 | Integer | Optional | Default value: 1000 |
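The time-range, Local time and Page size parameters are shared by List Alerts, List Asset Events, List IOCs and Query Events, and List Asset Events additionally needs at least one asset identifier. The following is an added example, not the connector's own code, of validating those inputs before a playbook hands them to the app: it parses the documented YYYY-MM-DDTHH:MM:SS form, converts local times to UTC when the Local time flag is set, applies the documented page-size default and 100,000 cap, and rejects an unparsable IP or MAC address so a typo fails loudly instead of returning an empty result. The function names, the `utc_offset` helper, the returned dict layout and the decision to accept more than one identifier are assumptions made for illustration.

```python
"""Parameter validation for the Chronicle connector actions documented above.

Added example, not the connector's own code. Function names, the request dict
layout and the at-least-one-identifier rule are assumptions; the time format,
defaults and limits come from the parameter tables.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone, tzinfo
from typing import Any, Callable, Optional

TIME_FORMAT = "%Y-%m-%dT%H:%M:%S"  # the documented YYYY-MM-DDTHH:MM:SS form
DEFAULT_PAGE_SIZE = 1000           # documented default for "Page size"
MAX_PAGE_SIZE = 100_000            # documented upper bound for "Page size"
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")


def utc_offset(hours: float) -> timezone:
    """Fixed-offset zone so local-time conversion is deterministic in tests (assumed helper)."""
    return timezone(timedelta(hours=hours))


def normalize_time(value: str, local_time: bool = False,
                   local_tz: Optional[tzinfo] = None) -> str:
    """Parse a documented-format timestamp and return it in UTC with a Z suffix.

    With local_time=True the naive input is read in local_tz (the system zone
    when none is given) and converted to UTC, which is what the "Local time"
    flag selects. Malformed input raises ValueError.
    """
    try:
        parsed = datetime.strptime(value, TIME_FORMAT)
    except ValueError as exc:
        raise ValueError(f"{value!r} is not in the form YYYY-MM-DDTHH:MM:SS") from exc
    zone = (local_tz or datetime.now().astimezone().tzinfo) if local_time else timezone.utc
    return parsed.replace(tzinfo=zone).astimezone(timezone.utc).strftime(TIME_FORMAT) + "Z"


def validate_page_size(page_size: Optional[int] = None) -> int:
    """Apply the documented default and enforce the documented 1..100,000 bound."""
    if page_size is None:
        return DEFAULT_PAGE_SIZE
    if isinstance(page_size, bool) or not isinstance(page_size, int):
        raise ValueError("page size must be an integer")
    if not 1 <= page_size <= MAX_PAGE_SIZE:
        raise ValueError(f"page size must be between 1 and {MAX_PAGE_SIZE}")
    return page_size


def asset_identifier(hostname: Optional[str] = None, ip_address: Optional[str] = None,
                     mac_address: Optional[str] = None, product_id: Optional[str] = None) -> dict:
    """Collect the asset identifiers for List Asset Events.

    At least one of the four is required, as the page states. An IP or MAC
    that does not parse is rejected here rather than sent as a search key.
    """
    given = {name: value for name, value in {
        "hostname": hostname, "ip_address": ip_address,
        "mac_address": mac_address, "product_id": product_id}.items() if value}
    if not given:
        raise ValueError("one of hostname, ip_address, mac_address or product_id is required")
    if "ip_address" in given:
        ipaddress.ip_address(given["ip_address"])  # raises ValueError if not an IP address
    if "mac_address" in given and not MAC_RE.match(given["mac_address"]):
        raise ValueError(f"{given['mac_address']!r} is not a MAC address")
    return given


def build_list_asset_events_params(start: Optional[str] = None, end: Optional[str] = None,
                                   local_time: bool = False, page_size: Optional[int] = None,
                                   local_tz: Optional[tzinfo] = None, **identifiers: str) -> dict:
    """Assemble validated parameters; the dict layout is an assumed shape, not the connector's."""
    params: dict[str, Any] = {"asset": asset_identifier(**identifiers),
                              "page_size": validate_page_size(page_size)}
    if start:
        params["start_time"] = normalize_time(start, local_time, local_tz)
    if end:
        params["end_time"] = normalize_time(end, local_time, local_tz)
    # Fixed-width UTC strings compare correctly as text, so no re-parsing is needed.
    if start and end and params["start_time"] >= params["end_time"]:
        raise ValueError("start time must be before end time")
    return params


def rejects(func: Callable[..., Any], *args: Any, **kwargs: Any) -> bool:
    """True when func raises ValueError for these arguments."""
    try:
        func(*args, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample input: a hostname from the table and a local time at UTC+05:30.
    print(build_list_asset_events_params(hostname="enterprise.service.example.com",
                                         start="1970-01-01T12:00:00", end="1970-01-01T13:00:00",
                                         local_time=True, local_tz=utc_offset(5.5)))
```

Converting to UTC before the call matters because a local-time start and end that straddle a date boundary change the calendar day once normalized; the range check is applied after normalization for that reason.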