### Start A Hunt Action JSON Result Example Source: https://cloud.google.com/chronicle/docs/soar/marketplace-integrations/google-rapid-response-grr This JSON output demonstrates the result of the 'Start A Hunt' action, indicating the Hunt ID and its new state, which is 'STARTED'. ```json [{ "Hunt_ID": "HUNT_ID", "State": STARTED}] ``` -------------------------------- ### Install Google Cloud Chronicle Client Library for Go Source: https://cloud.google.com/chronicle/docs/libraries Installs the Google Cloud Chronicle client library for Go using the go get command. This is a prerequisite for interacting with the Chronicle API in Go applications. Ensure you have Go installed and configured. ```go go get cloud.google.com/go/chronicle/apiv1 ``` -------------------------------- ### Get System Info Source: https://cloud.google.com/chronicle/docs/soar/reference/siemplify-module Retrieves system information based on a start timestamp. ```APIDOC ## GET /websites/cloud_google_chronicle/get_system_info ### Description Get system information. ### Method GET ### Endpoint /websites/cloud_google_chronicle/get_system_info ### Parameters #### Query Parameters - **start_time_unixtime_ms** (long) - Required - The start time in Unix milliseconds for retrieving system information. ### Request Example N/A ### Response #### Success Response (200) - **system_info** (dict) - A dictionary containing system information. #### Response Example { "system_info": { "uptime_seconds": 123456, "cpu_usage": "25%" } } ``` -------------------------------- ### Get System Info - Python Source: https://cloud.google.com/chronicle/docs/soar/reference/siemplify-module Retrieves system information, likely related to logs or events, starting from a specified Unix timestamp in milliseconds. The function requires the start timestamp as input. Dependencies: SiemplifyAction library. Inputs: start_time_unixtime_ms (long). Outputs: System information (type not specified, likely dictionary or list). ```python from SiemplifyAction import SiemplifyAction siemplify = SiemplifyAction() start_timestamp = 1678886400000 # Example timestamp in ms system_info = siemplify.get_system_info(start_timestamp) ``` -------------------------------- ### Python: Make GET, POST, and PATCH requests to Chronicle API Source: https://cloud.google.com/chronicle/docs/install/forwarder-management-api These examples demonstrate how to perform GET, POST, and PATCH requests to the Chronicle API using Python's requests library. POST and PATCH examples show how to include JSON bodies and parameters. Ensure you have the 'requests' library installed. ```python # requests GET example response = http_session.request("GET", url) ``` ```python # POST example uses json body = { "foo": "bar" } response = http_session.request("POST", url, json=body) ``` ```python # PATCH example uses params and json params = { "foo": "bar" } response = http_session.request("PATCH", url, params=params, json=body) ``` -------------------------------- ### POST /init_proxy_settings Source: https://cloud.google.com/chronicle/docs/soar/reference/siemplify-module Initializes proxy settings. ```APIDOC ## POST /init_proxy_settings ### Description Initializes proxy settings. ### Method POST ### Endpoint /init_proxy_settings ### Parameters N/A ### Response #### Success Response (200) - **status** (string) - Indicates the status of the operation. #### Response Example { "status": "success" } ``` -------------------------------- ### Fetch Remote Agent Installation Command - HTTP Request Example Source: https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances.remoteAgents/fetchInstallationCommand This snippet demonstrates a basic HTTP GET request to fetch the installation command for a remote agent. It includes the base URL, project, location, instance, and remote agent identifiers, along with the required installation type query parameter. ```HTTP GET https://REGION_URL/v1/projects/PROJECT_ID/locations/LOCATION_ID/instances/INSTANCE_ID/remoteAgents/REMOTE_AGENT_ID:fetchInstallationCommand?installationType=INSTALLATION_TYPE_ENUM ``` -------------------------------- ### Install and Verify Google SecOps CLI Source: https://cloud.google.com/chronicle/docs/administration/cli-user-guide Installs the SecOps SDK, which includes the CLI, using pip. It then provides a command to verify the installation by displaying the CLI's help information. ```bash pip install secops $ secops --help ``` -------------------------------- ### Get Forwarder Request Example Source: https://cloud.google.com/chronicle/docs/install/forwarder-management-api This example demonstrates how to make a GET request to retrieve a specific forwarder using its ID. The forwarderID is obtained from a List Forwarders response. ```HTTP GET https://backstory.googleapis.com/v2/forwarders/12ab3cd4-56ef-7abc-d89e-1f23a4bcde56 ``` -------------------------------- ### Create Forwarder Source: https://cloud.google.com/chronicle/docs/administration/cli-user-guide Set up a new forwarder for log ingestion using the 'secops forwarder create' command. Options include basic creation with a display name, or advanced configuration with metadata, compression, and HTTP settings. ```bash # Basic forwarder $ secops forwarder create --display-name "my-custom-forwarder" # With metadata and settings $ secops forwarder create --display-name "prod-forwarder" \ --metadata '{"environment":"prod","team":"security"}' \ --upload-compression true \ --http-settings '{"port":80,"host":"example.com"}' ``` -------------------------------- ### Python Backstory API Authentication and Request Examples Source: https://cloud.google.com/chronicle/docs/reference/customer-management-api This Python example demonstrates how to authenticate with the Backstory API using service account credentials and OAuth 2.0 scopes. It also shows how to build an authorized HTTP session and make GET, POST, and PATCH requests to API endpoints. Ensure you have the 'google-api-python-client' package installed and replace the placeholder for your service account file path. ```python # Imports required for the sample - Google Auth and API Client Library Imports. # Get these packages from https://pypi.org/project/google-api-python-client/ or run $ pip # install google-api-python-client from your terminal from google.auth.transport import requests from google.oauth2 import service_account SCOPES = ['https://www.googleapis.com/auth/chronicle-backstory'] # The apikeys-demo.json file contains the customer's OAuth 2 credentials. # SERVICE_ACCOUNT_FILE is the full path to the apikeys-demo.json file # ToDo: Replace this with the full path to your OAuth2 credentials SERVICE_ACCOUNT_FILE = '/customer-keys/apikeys-demo.json' # Create a credential using the Google Developer Service Account Credential and Backstory API # Scope. credentials = service_account.Credentials.from_service_account_file(SERVICE_ACCOUNT_FILE, scopes=SCOPES) # Build a requests Session Object to make authorized OAuth requests. http_session = requests.AuthorizedSession(credentials) # Your endpoint GET|POST|PATCH|etc. code will vary below # Reference List example (for US region) url = 'https://backstory.googleapis.com/v2/lists/COLDRIVER_SHA256' # You might need another regional endpoint for your API call; see # https://cloud.google.com/chronicle/docs/reference/ingestion-api#regional_endpoints # requests GET example response = http_session.request("GET", url) # POST example uses json body = { "foo": "bar" } response = http_session.request("POST", url, json=body) # PATCH example uses params and json params = { "foo": "bar" } response = http_session.request("PATCH", url, params=params, json=body) # For more complete examples, see: # https://github.com/chronicle/api-samples-python/ ``` -------------------------------- ### Get Domain Details JSON Result Example Source: https://cloud.google.com/chronicle/docs/soar/marketplace-integrations/cofense Provides an example JSON output for the 'Get Domain Details' action, which retrieves information about a domain from Cofense Triage. The output includes details such as hostname, risk score, creation/update timestamps, and related resources. ```json { "data": [ { "id": "1", "type": "hostnames", "attributes": { "hostname": "cie.org.mx", "risk_score": null, "created_at": "2019-04-12T02:58:19.893Z", "updated_at": "2019-04-12T02:58:19.974Z" }, "relationships": { "clusters": { "links": { "self": "https://tap.phishmecloud.com/api/public/v2/hostnames/1/relationships/clusters", "related": "https://tap.phishmecloud.com/api/public/v2/hostnames/1/clusters" } }, "reports": { "links": { "self": "https://tap.phishmecloud.com/api/public/v2/hostnames/1/relationships/reports", "related": "https://tap.phishmecloud.com/api/public/v2/hostnames/1/reports" } }, "urls": { "links": { "self": "https://tap.phishmecloud.com/api/public/v2/hostnames/1/relationships/urls", "related": "https://tap.phishmecloud.com/api/public/v2/hostnames/1/urls" } } } }, { "id": "2", "type": "hostnames", "links": { "self": "https://tap.phishmecloud.com/api/public/v2/hostnames/2" }, "attributes": { "hostname": "www.paypal.com", "risk_score": null, "created_at": "2019-04-12T02:58:19.898Z", "updated_at": "2019-04-12T02:58:19.965Z" }, "relationships": { "clusters": { "links": { "self": "https://tap.phishmecloud.com/api/public/v2/hostnames/2/relationships/clusters", "related": "https://tap.phishmecloud.com/api/public/v2/hostnames/2/clusters" } }, "reports": { "links": { "self": "https://tap.phishmecloud.com/api/public/v2/hostnames/2/relationships/reports", "related": "https://tap.phishmecloud.com/api/public/v2/hostnames/2/reports" } }, "urls": { "links": { "self": "https://tap.phishmecloud.com/api/public/v2/hostnames/2/relationships/urls", "related": "https://tap.phishmecloud.com/api/public/v2/hostnames/2/urls" } } } } ], "links": { "first": "https://tap.phishmecloud.com/api/public/v2/hostnames?filter%5Bhostname%5D=www.paypal.com%2Ccie.org.mx&page%5Bnumber%5D=1&page%5Bsize%5D=20", "last": "https://tap.phishmecloud.com/api/public/v2/hostnames?filter%5Bhostname%5D=www.paypal.com%2Ccie.org.mx&page%5Bnumber%5D=1&page%5Bsize%5D=20" } } ``` -------------------------------- ### Get Malware Details - JSON Result Example Source: https://cloud.google.com/chronicle/docs/soar/marketplace-integrations/mandiant This snippet shows an example JSON output for the 'Get Malware Details' action. It includes various fields such as malware ID, name, description, operating systems, capabilities, and counts. This structure is useful for understanding the data returned by the action. ```json { "inherently_malicious": 1, "operating_systems": [ "Windows" ], "aliases": [], "capabilities": [ { "name": "Allocates memory", "description": "Capable of allocating memory. " } ], "detections": [], "yara": [], "roles": [ "Cryptocurrency Miner" ], "malware": [], "actors": [], "cve": [], "id": "malware--96f82012-c77e-5887-bee9-69aec0b88578", "name": "PHOTOMINER", "description": "PHOTOMINER is a Windows-based modular cryptocurrency mining malware that communicates over HTTP.", "type": "malware", "last_updated": "2022-04-13T02:59:30.000Z", "last_activity_time": "2022-04-13T02:59:30.000Z", "audience": [ { "name": "intel_fusion", "license": "INTEL_RBI_FUS" } ], "is_publishable": true, "counts": { "reports": 0, "capabilities": 26, "malware": 0, "actors": 0, "detections": 0, "cve": 0, "aliases": 0, "industries": 5, "attack_patterns": 19 }, "intel_free": false } ``` -------------------------------- ### Create Reference List Source: https://cloud.google.com/chronicle/docs/administration/cli-user-guide Create a new reference list, which is a simple list of values used in detection rules. Specify the list name, a description, and the entries as a comma-separated string. ```bash $ secops reference-list create \ --name "admin_accounts" \ --description "Administrative accounts" \ --entries "admin,administrator,root,superuser" ``` -------------------------------- ### Start A Hunt Action Source: https://cloud.google.com/chronicle/docs/soar/marketplace-integrations/google-rapid-response-grr Initiates a hunt on the GRR Rapid Response server to search for specific artifacts or indicators. ```APIDOC ## POST /hunts ### Description Use the **Start A Hunt** action to initiate a hunt on the GRR Rapid Response server. ### Method POST ### Endpoint `/hunts` ### Parameters #### Request Body * **hunt_query** (String) - Required - The query to be executed during the hunt. * **description** (String) - Optional - A description for the hunt. ### Request Example ```json { "hunt_query": "SELECT * FROM Artifact.Windows.EventLogs.Security WHERE EventID = 4624", "description": "Hunt for Windows logon events" } ``` ### Response #### Success Response (200) - **hunt_id** (String) - The unique identifier for the initiated hunt. #### Response Example ```json { "hunt_id": "hunt_abc123" } ``` ``` -------------------------------- ### Launch Scans Source: https://cloud.google.com/chronicle/docs/soar/marketplace-integrations/rapid7-insightsvm Initiates a new scan for a specified site with given parameters. ```APIDOC ## POST /websites/cloud_google_chronicle/scans ### Description Start a scan for a specific site. ### Method POST ### Endpoint /websites/cloud_google_chronicle/scans ### Parameters #### Request Body - **Scan Name** (String) - Optional - The scan name. - **Scan Engine** (String) - Required - The name of the engine to use in the scan. - **Scan Template** (String) - Required - The name of the template to use in the scan. - **Site Name** (String) - Required - The name of the site to run the scan on. - **Fetch Results** (Boolean) - Optional - Whether to wait for the scan to complete and get its results or not. ### Request Example ```json { "Scan Name": "My Daily Scan", "Scan Engine": "Local Scan Engine", "Scan Template": "Full Scan", "Site Name": "My Website", "Fetch Results": true } ``` ### Response #### Success Response (200) - **status** (String) - The status of the scan initiation. - **scanType** (String) - The type of scan initiated. - **assets** (Integer) - The number of assets targeted by the scan. - **links** (Array) - Links related to the scan. - **href** (String) - The URL for the link. - **rel** (String) - The relationship of the link. - **vulnerabilities** (Object) - An object containing counts of different vulnerability severities. - **severe** (Integer) - Count of severe vulnerabilities. - **total** (Integer) - Total count of vulnerabilities. - **critical** (Integer) - Count of critical vulnerabilities. - **moderate** (Integer) - Count of moderate vulnerabilities. - **startTime** (String) - The start time of the scan. - **duration** (String) - The duration of the scan. - **engineName** (String) - The name of the scan engine used. - **endTime** (String) - The end time of the scan. - **id** (Integer) - The unique identifier of the scan. - **scanName** (String) - The name of the scan. #### Response Example ```json { "status": "finished", "scanType": "Manual", "assets": 1, "links": [{ "href": "https://1.1.1.1:3780/api/3/scans/8", "rel": "self" }], "vulnerabilities": { "severe": 12, "total": 18, "critical": 0, "moderate": 6 }, "startTime": "2019-04-11T07:44:00.095Z", "duration": "PT7M58.298S", "engineName": "Local scan engine", "endTime": "2019-04-11T07:51:58.393Z", "id": 8, "scanName": "siemplify_20190411-104353" } ``` ``` -------------------------------- ### Get Bucket ACL JSON Result Example Source: https://cloud.google.com/chronicle/docs/soar/marketplace-integrations/google-cloud-storage Provides an example of the JSON output for retrieving a bucket's Access Control List (ACL). This output shows bucket names and their associated ACLs. ```json [ {"BucketName": "ziv", "BucketACLs": [ {"Entity": "project-owners-ID", "Role": "OWNER"} ] } ] ``` -------------------------------- ### List Forwarders Request Example Source: https://cloud.google.com/chronicle/docs/install/forwarder-management-api This example shows the GET request to list all forwarders associated with a Google SecOps instance. No request body is required. ```HTTP GET https://backstory.googleapis.com/v2/forwarders ``` -------------------------------- ### Launch Scan JSON Example Source: https://cloud.google.com/chronicle/docs/soar/marketplace-integrations/rapid7-insightsvm This JSON output details the results of a launched scan, including its status, scan type, number of assets scanned, links for further details, vulnerability counts, and timing information. ```json { "status": "finished", "scanType": "Manual", "assets": 1, "links": [ { "href": "https://1.1.1.1:3780/api/3/scans/8", "rel": "self" } ], "vulnerabilities": { "severe": 12, "total": 18, "critical": 0, "moderate": 6 }, "startTime": "2019-04-11T07:44:00.095Z", "duration": "PT7M58.298S", "engineName": "Local scan engine", "endTime": "2019-04-11T07:51:58.393Z", "id": 8, "scanName": "siemplify_20190411-104353" } ``` -------------------------------- ### Create Parser Extension Source: https://cloud.google.com/chronicle/docs/administration/cli-user-guide Create a new parser extension using the 'secops parser-extension create' command. This requires specifying the log type, a sample log file, and the parser configuration file for the extension. ```bash $ secops parser-extension create --log-type OKTA \ --log /path/to/sample.log \ --parser-config-file /path/to/parser-config.conf ``` -------------------------------- ### Get Hunt Details JSON Result Source: https://cloud.google.com/chronicle/docs/soar/marketplace-integrations/google-rapid-response-grr Example JSON output for the Get Hunt Details action, detailing hunt information such as name, expiration, creator, and status. This structure is useful for parsing hunt data programmatically. ```json [ { "Name": "ExampleHunt", "Expires": 1537063517000000, "Description": "test", "Creator": "admin", "IsRobot": false, "Status": "PAUSED", "Hunt_ID": "HUNT_ID", "Created": 1535853917657925, "Start_Time": 1535853917657925, "Duration": "2w", "Expiration time": " ", "Crash_limit": 100, "Client_limit": 100, "Client_rate (clients/min)": "20.5", "Client_Queued": "20.5", "Client_Scheduled": "20.5", "Client_Outstanding": "20.5", "Client_Completed": "20.5", "Client_with Results": "20.5", "Results": "20.5", "Total_CPU_Time_Used": "20.5", "Total_Network_Traffic": "20.5", "Flow_Name": "KeepAlive", "Flow_Arguments": "20.5", "Client_Rule_Set": " " } ] ``` -------------------------------- ### List Templates Action Results (JSON Example) Source: https://cloud.google.com/chronicle/docs/soar/marketplace-integrations/algosec Provides an example of the JSON output from the 'List Templates' action, showcasing a list of templates with their IDs, names, descriptions, types, and enabled status. This structure is useful for programmatic access to template data. ```json [ { "id": 142, "name": "110: Multi-Approval Request", "description": "Create a traffic change request which requires multiple approvals", "type": "Traffic Change", "enabled": true }, { "id": 597, "name": "190: Verbatim Rule Addition", "description": "Create a traffic change request for bulk rules addition exactly as specified", "type": "Traffic Change", "enabled": true }, { "id": 550, "name": "Basic Change Traffic Request", "description": "Create a basic change traffic request", "type": "Traffic Change", "enabled": true } ] ``` -------------------------------- ### List Webhooks HTTP Request Example Source: https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances.webhooks/list Demonstrates how to make an HTTP GET request to the `webhooks.list` endpoint. This example shows the base URL structure and placeholders for necessary parameters. ```http GET https://www.googleapis.com/v1/projects/{project}/locations/{location}/instances/{instance}/webhooks?pageSize=10&pageToken=nextPageToken Host: www.googleapis.com Authorization: Bearer YOUR_ACCESS_TOKEN Accept: application/json ``` -------------------------------- ### JSON Result for Get Groups Source: https://cloud.google.com/chronicle/docs/soar/marketplace-integrations/cisco-amp This JSON output represents the result of a 'Get Groups' action in Google Chronicle. It lists groups with their source, GUID, name, and description. This can be used to identify and manage security groups within the platform. ```json { "1": { "source": "CreatedviaAPI", "guid": "1111111111111111111111", "name": "TestGroup", "description": "GroupcreatedbySiemplify" }, "0": { "source": null, "guid": "1111111111111111111111", "name": "Audit", "description": "AuditGroupforPartner-Siemplify" } } ``` -------------------------------- ### UDM Example: PROCESS_MODULE_LOAD Event Source: https://cloud.google.com/chronicle/docs/unified-data-model/udm-usage Illustrates formatting a PROCESS_MODULE_LOAD event using Google SecOps UDM syntax. This example shows the structure for metadata, principal (including hostname and process ID), and target (including process ID and file path). ```UDM metadata { event_timestamp: "2020-01-01T13:27:41+00:00" event_type: PROCESS_MODULE_LOAD vendor_name: "Microsoft" product_name: "Windows" } principal { hostname: "example.com" process { pid: "0x123" } } target { process { pid: "0xc45" file { full_path: "C:\\Windows\\regedit.exe" } } } ``` -------------------------------- ### Activate Release Candidate Parser Source: https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances.logTypes.parsers/activateReleaseCandidateParser Activates the release candidate parser for a specified customer. This action makes the parser live. ```APIDOC ## POST /v1/{name=projects/*/locations/*/instances/*/logTypes/*/parsers/*}:activateReleaseCandidateParser ### Description Activates the release candidate parser for a specified customer. This action makes the parser live. ### Method POST ### Endpoint `v1/{name=projects/*/locations/*/instances/*/logTypes/*/parsers/*}:activateReleaseCandidateParser` ### Parameters #### Path Parameters - **name** (string) - Required. The name of the release candidate parser to activate. Format: `projects/{project}/locations/{location}/instances/{instance}/logTypes/{logtype}/parsers/{parser}` #### Request Body The request body must be empty. ### Request Example ```json { "empty": true } ``` ### Response #### Success Response (200) - **empty** (object) - An empty JSON object indicating success. #### Response Example ```json { } ``` ### Authorization scopes Requires the following OAuth scope: - `https://www.googleapis.com/auth/cloud-platform` ### IAM Permissions Requires the following IAM permission on the `name` resource: - `chronicle.parsers.activateReleaseCandidate` ``` -------------------------------- ### Get Operation Status JSON Result Example Source: https://cloud.google.com/chronicle/docs/soar/marketplace-integrations/google-gke This JSON object represents the status of an operation in Google Cloud, detailing its name, zone, type, current status, and timestamps. It's typically returned by the 'Get Operation Status' action. ```json { "name": "operation-OPERATION_ID", "zone": "europe-central2-a", "operationType": "SET_NODE_POOL_SIZE", "status": "RUNNING", "selfLink": "https://container.googleapis.com/v1/projects/PROJECT_ID/zones/europe-central2-a/operations/operation-OPERATION_ID", "targetLink": "https://container.googleapis.com/v1/projects/PROJECT_ID/zones/europe-central2-a/clusters/cluster-test/nodePools/default-pool", "startTime": "2021-08-15T11:53:55.904254615Z" } ``` -------------------------------- ### Create Group JSON Result Source: https://cloud.google.com/chronicle/docs/soar/marketplace-integrations/cisco-amp Provides an example of the JSON output when creating a new group. This includes source, GUID, name, policies, and description of the created group. It outlines the structure for policy definitions, file lists, IP lists, and group inheritances. ```json { "source": "CreatedviaAPI", "guid": "c5e2099d-3aeb-4dc2-add4-42fb01d05c51", "name": "test", "policies": [{ "product": "windows", "description": "ThispolicyputstheAMPforEndpointsConnectorinamodethatwillonlydetectmaliciousfilesbutnotquarantinethem.Maliciousnetworktrafficisalsodetectedbutnotblocked.", "links": { "policy": "https: //api.amp.cisco.com/v1/policies/a8ba7d10-de10-42a6-a6e4-8d679f5b1ec2", "policy_xml": "https: //api.amp.cisco.com/v1/policies/a8ba7d10-de10-42a6-a6e4-8d679f5b1ec2.xml" }, "default": true, "File_lists": [ { "guid": "cef9b12e-4a25-4f1a-93f4-3836ebd97ed5", "type": "simple_custom_detections", "name": "FileBlacklist" }, { "guid": "38c1a9eb-0389-4f12-8084-96f5ee62d72e", "type": "application_blocking", "name": "ExecutionBlacklist" }, { "guid": "3133128e-5455-4e74-82c5-1ff3c816c414", "type": "application_whitelist", "name": "FileWhitelist" } ], "ip_lists": [], "Used_in_groups": [ { "guid": "d3f8be3c-e53b-4b31-a8b7-a78a69b74ea1", "name": "Audit", "description": "AuditGroupforPartner-Siemplify" } ], "inherited": false, "serial_number": 28, "guid": "a8ba7d10-de10-42a6-a6e4-8d679f5b1ec2", "Exclusion_sets": [ { "guid": "43fc08b5-c603-4c24-9b4d-501d342f443c", "name": "WorkstationExclusions" } ], "name": "Audit" }], "description": "added by siemplify!" } ``` -------------------------------- ### Get Scan Status JSON Result Example Source: https://cloud.google.com/chronicle/docs/soar/marketplace-integrations/reversinglabs-a1000 Demonstrates the JSON output for the Get Scan Status action, indicating the processing status of provided hash values within the A1000 system. ```json [ { "EntityResult": "processed", "Entity": "2f61c5a77a64b3d45d651dc2fa7baff7" },{ "EntityResult": "processed", "Entity": "526e57077b938b3c3dbce56f8aaaa7be" } ] ``` -------------------------------- ### Get Report JSON Result Example Source: https://cloud.google.com/chronicle/docs/soar/marketplace-integrations/reversinglabs-a1000 Provides an example of the JSON result when retrieving a report for a sample using hash values. This includes threat status, classification details, and entity information. ```json [ { "EntityResult": { "threat_status": "malicious", "local_last_seen": "2019-01-22T14: 21: 35.513535Z", "classification_origin": { "imphash": "", "sha1": "9747d177bddfc9809079283829e6bbbe315dcfa0", "sha512": "efabb440ab2b82dda2614308b8e2d5e1850ede3fb9c8e6f1e521f1b0728d621a6f5174c30b8e27d7964bcff0ae6b8a1a48ecc4a69d0dc3eae7eccf54a4791785", "sha256": "d3133784ef82208faaa3b917096d7c3e0ad9eb89a5eb4d7770418c8261da4a41", "md5": "242b13c72845a90a869ed0add78f6110" }, "threat_name": "Android.Trojan.Agent", "local_first_seen": "2018-01-21T15: 30: 36.698843Z", "classification_reason": "cloud", "threat_level": 5, "trust_factor": 5, "md5": "2f61c5a77a64b3d45d651dc2fa7baff7", "aliases":["76ea783ed0744703347a00403a73694c2a1e5a957f0f969b4284353fc7c919b4"] }, "Entity": "2f61c5a77a64b3d45d651dc2fa7baff7" } ] ``` -------------------------------- ### Complete Parser Workflow using Google Chronicle CLI Source: https://cloud.google.com/chronicle/docs/administration/cli-user-guide Demonstrates a complete workflow for managing parsers: listing, getting details, extracting code, testing, and activating parsers for a specific log type (e.g., OKTA). ```bash # List parsers $ secops parser list --log-type "OKTA" > okta_parsers.json # Get parser details PARSER_ID=$(cat okta_parsers.json | jq -r '.[0].name' | awk -F'/' '{print $NF}') $ secops parser get --log-type "OKTA" --id "$PARSER_ID" > parser_details.json # Extract parser code cat parser_details.json | jq -r '.cbn' | base64 -d > okta_parser.conf # Test parser $ secops parser run \ --log-type "OKTA" \ --parser-code-file "okta_parser.conf" \ --logs-file "sample_logs.txt" > parser_result.json # Activate if successful $ secops parser activate --log-type "OKTA" --id "$PARSER_ID" ``` -------------------------------- ### List Rule Execution Errors - HTTP Request Example Source: https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances.ruleExecutionErrors/list Illustrates how to construct an HTTP GET request to the ruleExecutionErrors.list endpoint. This example shows a basic request structure without specific filters or pagination. ```http GET https://chronicle.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION_ID/instances/INSTANCE_ID/ruleExecutionErrors?pageSize=1000&filter=rule="projects/PROJECT_ID/rules/RULE_ID" ``` -------------------------------- ### Get Help for secops Command using Google Chronicle CLI Source: https://cloud.google.com/chronicle/docs/administration/cli-user-guide Displays general help information for the secops CLI or specific subcommand. ```bash ### Getting Help View help for any command: ``` $ secops --help $ secops search --help $ secops rule create --help ``` ``` -------------------------------- ### Binary Free Query Action Source: https://cloud.google.com/chronicle/docs/soar/marketplace-integrations/carbon-black-response Lists binaries based on a free-form query. ```APIDOC ## Binary Free Query ### Description List binaries by free query. ### Parameters #### Query Parameters - **Query** (String) - Required - Example: `md5:* AND original_filename:{file-name}` ### Run On This action runs on all entities. ### Response #### Success Response (200) - **Script Result Name** (String) - The name of the script result. - **Value Options** (String) - Possible values for the script result. - **Example** (String) - An example of the script result. ##### Script Result - **is_success** (Boolean) - Indicates if the operation was successful. Example: `is_success:False` ``` -------------------------------- ### Example JSON Result for Upload File and Get Report Action Source: https://cloud.google.com/chronicle/docs/soar/marketplace-integrations/vmray This JSON object represents the detailed results returned by the 'Upload File and Get Report' action after submitting a file for analysis. It includes various attributes of the analyzed sample such as its hashes, classification, and severity. ```json { "data": { "sample_child_sample_ids": [], "sample_classifications": [ "Dropper", "Pua", "Spyware" ], "sample_container_type": null, "sample_created": "2020-01-30T14:12:07", "sample_filename": "example.exe", "sample_filesize": 86448896, "sample_highest_vti_score": 74, "sample_highest_vti_severity": "suspicious", "sample_id": 4846052, "sample_imphash": "b34f154ec913d2d2c435cbd644e91687", "sample_is_multipart": false, "sample_last_md_score": null, "sample_last_reputation_severity": "whitelisted", "sample_last_vt_score": null, "sample_md5hash": "403799c0fdfb3728cd8f5992a7c8b949", "sample_parent_sample_ids": [], "sample_priority": 1, "sample_score": 74, "sample_severity": "suspicious", "sample_sha1hash": "17df3548dd9b8d0283d4acba8195955916eff5f3", "sample_sha256hash": "2acb1432850b2d2cdb7e6418c57d635950a13f5670eae83324f7ae9130198bbc", "sample_ssdeephash": "1572864:B9nbNI1LT6t5jOvefSRROaqMhUVkjSFuI5ym9Q5klp/yOmdAyNgc:vbNIZOOvUSRRObaCkjSFug4kYd7Nn", "sample_type": "Windows Exe (x86-32)", "sample_url": null, "sample_vti_score": 74, "sample_webif_url": "https://cloud.vmray.com/user/sample/view?id=ID" }, "result": "ok" } ```