Add case tag
Action ID: tools.google_secops_soar.add_case_tag
Add a tag to a Chronicle SOAR case.
Secrets
Required secrets: google_secops_soar (required values: GOOGLE_SECOPS_API_KEY).
Input fields
Chronicle SOAR API base URL (e.g., 'https://your-instance.siemplify-soar.com/api/external/v1')
The case ID
Tag to add to the case
Optional alert identifier within the case. Default: null.
Assign user to case
Action ID: tools.google_secops_soar.assign_user_to_case
Assign a user or SOC role to a Chronicle SOAR case.
Secrets
Required secrets: google_secops_soar (required values: GOOGLE_SECOPS_API_KEY).
Input fields
Chronicle SOAR API base URL (e.g., 'https://your-instance.siemplify-soar.com/api/external/v1')
The case ID
User ID (GUID) or @RoleName to assign
Optional alert identifier within the case. Default: null.
Bulk close cases
Action ID: tools.google_secops_soar.bulk_close_cases
Close multiple Chronicle SOAR cases in a single operation.
Secrets
Required secrets: google_secops_soar (required values: GOOGLE_SECOPS_API_KEY).
Input fields
Chronicle SOAR API base URL (e.g., 'https://your-instance.siemplify-soar.com/api/external/v1')
List of case IDs to close
Comment for all closed cases
Close reason enum: 0=Malicious, 1=NotMalicious, 2=Maintenance, 3=Inconclusive, 4=Unknown
Root cause description
Change case stage
Action ID: tools.google_secops_soar.change_case_stage
Change the stage of a Chronicle SOAR case.
Secrets
Required secrets: google_secops_soar (required values: GOOGLE_SECOPS_API_KEY).
Input fields
Chronicle SOAR API base URL (e.g., 'https://your-instance.siemplify-soar.com/api/external/v1')
The case ID
New stage: Triage, Assessment, Investigation, Incident, Improvement, or Research
Close alert
Action ID: tools.google_secops_soar.close_alert
Close a specific alert within a Chronicle SOAR case.
Secrets
Required secrets: google_secops_soar (required values: GOOGLE_SECOPS_API_KEY).
Input fields
The alert identifier to close
Chronicle SOAR API base URL (e.g., 'https://your-instance.siemplify-soar.com/api/external/v1')
Comment explaining why the alert is being closed
Close reason: Malicious, NotMalicious, Maintenance, or Inconclusive
Root cause description
The case ID where the alert is being closed
Alert usefulness: None, NotUseful, or Useful. Default: "None".
Create case comment
Action ID: tools.google_secops_soar.create_case_comment
Add a comment to a Chronicle SOAR case.
Secrets
Required secrets: google_secops_soar (required values: GOOGLE_SECOPS_API_KEY).
Input fields
Chronicle SOAR API base URL (e.g., 'https://your-instance.siemplify-soar.com/api/external/v1')
The case ID
Comment text to add to the case
Optional alert identifier. Default: null.
Optional base64-encoded file content. Default: null.
Optional attachment filename. Default: null.
Optional file type (e.g., '.pdf', '.txt'). Default: null.
Reopen alert
Action ID: tools.google_secops_soar.reopen_alert
Reopen a previously closed alert in a Chronicle SOAR case.
Secrets
Required secrets: google_secops_soar (required values: GOOGLE_SECOPS_API_KEY).
Input fields
The alert identifier to reopen
Chronicle SOAR API base URL (e.g., 'https://your-instance.siemplify-soar.com/api/external/v1')
The case ID
Search SOAR cases
Action ID: tools.google_secops_soar.search_cases
Search Chronicle SOAR cases with advanced filtering.
Secrets
Required secrets: google_secops_soar (required values: GOOGLE_SECOPS_API_KEY).
Input fields
Chronicle SOAR API base URL (e.g., 'https://your-instance.siemplify-soar.com/api/external/v1')
List of user IDs or @Role names. Default: null.
List of specific case IDs to retrieve. Default: null.
UTC end time (ISO 8601 format). Only used when time_range_filter=0 (CUSTOM). Default: null.
List of environments to filter by. Default: null.
Filter by importance: ['True'] for important cases only. Default: null.
Filter by incident flag: ['True'] for incidents only. Default: null.
Filter by case status (true=closed, false=open, null=all). Default: null.
Number of results per page (max 100). Default: 50.
List of priorities: Informative, Low, Medium, High, Critical. Default: null.
Page number (0-indexed). Default: 0.
List of stages: Triage, Assessment, Investigation, Incident, Improvement, Research. Default: null.
UTC start time (ISO 8601 format, e.g., '2024-01-01T00:00:00.000Z'). Only used when time_range_filter=0 (CUSTOM). Default: null.
List of case tags to filter by. Default: null.
Predefined time range in days: 0=CUSTOM, 1=LAST_DAY, 2=LAST_2_DAYS, 3=LAST_3_DAYS, 4=LAST_4_DAYS, 7=LAST_WEEK, 14=LAST_2_WEEKS, 30=LAST_MONTH, 90=LAST_3_MONTHS, 180=LAST_6_MONTHS, 365=LAST_YEAR, 395=LAST_13_MONTHS. Default: null.
Search by case title/name (partial match supported). Default: null.
Update alert priority
Action ID: tools.google_secops_soar.update_alert_priority
Update the priority of a specific alert within a case.
Secrets
Required secrets: google_secops_soar (required values: GOOGLE_SECOPS_API_KEY).
Input fields
The alert identifier
The alert name
Chronicle SOAR API base URL (e.g., 'https://your-instance.siemplify-soar.com/api/external/v1')
The case ID
New priority: -1=Informative, 40=Low, 60=Medium, 80=High, 100=Critical
Previous priority (0=Unchanged if unknown). Default: 0.
Update case comment
Action ID: tools.google_secops_soar.update_case_comment
Update an existing comment in a Chronicle SOAR case.
Secrets
Required secrets: google_secops_soar (required values: GOOGLE_SECOPS_API_KEY).
Input fields
Chronicle SOAR API base URL (e.g., 'https://your-instance.siemplify-soar.com/api/external/v1')
Updated comment text
The comment ID to update
Optional attachment ID to update. Default: null.
Optional updated base64-encoded file content. Default: null.
Optional updated filename. Default: null.
Optional updated file type. Default: null.
Update case priority
Action ID: tools.google_secops_soar.update_case_priority
Update the priority of a Chronicle SOAR case.
Secrets
Required secrets: google_secops_soar (required values: GOOGLE_SECOPS_API_KEY).
Input fields
Chronicle SOAR API base URL (e.g., 'https://your-instance.siemplify-soar.com/api/external/v1')
The case ID
Priority: -1=Informative, 40=Low, 60=Medium, 80=High, 100=Critical