Cancel retrohunt

Action ID: tools.google_secops_detection.cancel_retrohunt
Cancel a running retrohunt operation.

Secrets

Required secrets:
  • google_oauth: OAuth token GOOGLE_SERVICE_TOKEN.

Input fields

  • base_url (string, required)
  • retrohunt_id (string, required): The retrohunt ID to cancel
  • rule_id (string, required): The rule ID

Create detection rule

Action ID: tools.google_secops_detection.create_rule
Create a new detection rule in Chronicle.

Secrets

Required secrets:
  • google_oauth: OAuth token GOOGLE_SERVICE_TOKEN.

Input fields

  • base_url (string, required)
  • rule_text (string, required): YARA-L 2.0 rule text

Create retrohunt

Action ID: tools.google_secops_detection.create_retrohunt
Create a retrohunt to run a rule against historical data.

Secrets

Required secrets:
  • google_oauth: OAuth token GOOGLE_SERVICE_TOKEN.

Input fields

  • base_url (string, required)
  • end_time (string, required): End time (RFC 3339 format)
  • rule_id (string, required): The rule ID to run the retrohunt for
  • start_time (string, required): Start time (RFC 3339 format, e.g. '2024-01-01T00:00:00Z')

Delete detection rule

Action ID: tools.google_secops_detection.delete_rule
Delete a detection rule.

Secrets

Required secrets:
  • google_oauth: OAuth token GOOGLE_SERVICE_TOKEN.

Input fields

  • base_url (string, required)
  • rule_id (string, required): The rule ID to delete

Disable detection rule

Action ID: tools.google_secops_detection.disable_rule
Disable a detection rule to stop live alerting.

Secrets

Required secrets:
  • google_oauth: OAuth token GOOGLE_SERVICE_TOKEN.

Input fields

  • base_url (string, required)
  • rule_id (string, required): The rule ID to disable

Enable detection rule

Action ID: tools.google_secops_detection.enable_rule
Enable a detection rule for live alerting.

Secrets

Required secrets:
  • google_oauth: OAuth token GOOGLE_SERVICE_TOKEN.

Input fields

  • base_url (string, required)
  • rule_id (string, required): The rule ID to enable

Get detection rule

Action ID: tools.google_secops_detection.get_rule
Get detailed information about a specific detection rule.

Secrets

Required secrets:
  • google_oauth: OAuth token GOOGLE_SERVICE_TOKEN.

Input fields

  • base_url (string, required)
  • rule_id (string, required): The rule ID (e.g. 'ru_12345678-1234-1234-1234-123456789012')

Get retrohunt status

Action ID: tools.google_secops_detection.get_retrohunt
Get the status and results of a retrohunt operation.

Secrets

Required secrets:
  • google_oauth: OAuth token GOOGLE_SERVICE_TOKEN.

Input fields

  • base_url (string, required)
  • retrohunt_id (string, required): The retrohunt ID
  • rule_id (string, required): The rule ID

Get rule deployment status

Action ID: tools.google_secops_detection.get_rule_deployment
Get the deployment status of a detection rule.

Secrets

Required secrets:
  • google_oauth: OAuth token GOOGLE_SERVICE_TOKEN.

Input fields

  • base_url (string, required)
  • rule_id (string, required): The rule ID

List detection rules

Action ID: tools.google_secops_detection.list_rules
List all detection rules in Chronicle.

Secrets

Required secrets:
  • google_oauth: OAuth token GOOGLE_SERVICE_TOKEN.

Input fields

  • base_url (string, required)
  • page_size (integer, default 100): Maximum number of rules to return
  • page_token (string | null, default null): Token for pagination

List detections for rule

Action ID: tools.google_secops_detection.list_detections
List detections generated by a specific rule.

Secrets

Required secrets:
  • google_oauth: OAuth token GOOGLE_SERVICE_TOKEN.

Input fields

  • base_url (string, required)
  • rule_id (string, required): The rule ID to get detections for
  • end_time (string | null, default null): End time (RFC 3339 format)
  • page_size (integer, default 100): Maximum number of detections to return
  • page_token (string | null, default null): Token for pagination
  • start_time (string | null, default null): Start time (RFC 3339 format, e.g. '2024-01-01T00:00:00Z')

List retrohunts

Action ID: tools.google_secops_detection.list_retrohunts
List all retrohunt operations for a specific rule.

Secrets

Required secrets:
  • google_oauth: OAuth token GOOGLE_SERVICE_TOKEN.

Input fields

  • base_url (string, required)
  • rule_id (string, required): The rule ID
  • page_size (integer, default 100): Maximum number of retrohunts to return
  • page_token (string | null, default null): Token for pagination

List rule errors

Action ID: tools.google_secops_detection.list_rule_errors
List compilation or execution errors for a detection rule.

Secrets

Required secrets:
  • google_oauth: OAuth token GOOGLE_SERVICE_TOKEN.

Input fields

  • base_url (string, required)
  • rule_id (string, required): The rule ID
  • page_size (integer, default 100): Maximum number of errors to return
  • page_token (string | null, default null): Token for pagination

Update detection rule

Action ID: tools.google_secops_detection.update_rule
Update an existing detection rule.

Secrets

Required secrets:
  • google_oauth: OAuth token GOOGLE_SERVICE_TOKEN.

Input fields

  • base_url (string, required)
  • rule_id (string, required): The rule ID to update
  • rule_text (string, required): Updated YARA-L 2.0 rule text

Verify detection rule

Action ID: tools.google_secops_detection.verify_rule
Verify YARA-L rule syntax without creating the rule.

Secrets

Required secrets:
  • google_oauth: OAuth token GOOGLE_SERVICE_TOKEN.

Input fields

  • base_url (string, required)
  • rule_text (string, required): YARA-L 2.0 rule text to validate