Google SecOps Destination Setup

Create cases with alerts in Google SecOps (formerly Chronicle SOAR/Siemplify) for detection alerts.

Prerequisites

Google SecOps instance with API access
API key with case creation permissions

Setup Steps

1. Get API Key

In Google SecOps:

Navigate to Settings → API
Generate or copy your API Key (AppKey)
Ensure the key has permissions to create cases

Note: The API key is also called "AppKey" in Google SecOps documentation.

2. Test API Access

Test your API key with curl:

curl -X POST "https://your-instance.securityops.google.com/api/external/v1/cases/CreateCase" \
  -H "Content-Type: application/json" \
  -H "AppKey: your-api-key-here" \
  -d '{
    "AlertIdentifier": "test-alert-001",
    "AlertName": "Test Alert",
    "RuleName": "Test Rule",
    "Priority": 60,
    "Environment": "Default Environment",
    "Description": "Test case creation from Query.ai",
    "Events": [{
      "StartTime": 1705320000000,
      "EndTime": 1705323600000,
      "Name": "Test Event",
      "DeviceVendor": "Test",
      "DeviceProduct": "Test",
      "SourceSystemName": "Test",
      "Environment": "Default Environment"
    }]
  }'

Expected Response: true (200 OK)

3. Configure in Query.ai

Contact your Query.ai administrator to configure the Google SecOps destination with:

Required Configuration:

Instance URL (e.g., https://your-instance.securityops.google.com)
API Key (stored securely)

Optional Configuration:

Environment name (default: "Default Environment")
Timeout in seconds (default: 30)

Case Fields

Google SecOps cases are created with the following fields:

Google SecOps Field	Value	Notes
`AlertIdentifier`	`detection-{id}-{run_id}`	Used for deduplication
`AlertName`	`{detection_name} - {severity}`	Case title
`RuleName`	Detection name	Rule that triggered the alert
`Priority`	40-100	Mapped from detection severity
`Environment`	Configured environment	Environment name
`Description`	Detection details	Complete description with all metadata
`TicketId`	Same as AlertIdentifier	For tracking
`Events`	Array with 1 event	Contains detection time range and metadata

Priority Mapping

Detection severity maps to Google SecOps priority:

Detection Severity	Google SecOps Priority
CRITICAL	100
HIGH	80
MEDIUM	60
LOW	40

Description Field Contents

The description includes:

Detection name, severity, outcome, and match count
Run type (SCHEDULED or MANUAL)
Threshold configuration (operator, value, eagerness)
Execution metadata (exhaustiveness, search ID, trace ID if available)
Detection description
Replay link for investigation
Error messages (if any)

Event Fields

Each case includes one event with:

StartTime / EndTime - Detection time range in milliseconds (epoch)
DeviceVendor - "Query.ai"
DeviceProduct - "Federated Detections"
SourceSystemName - "Query.ai Federated Detections"
Environment - Configured environment name

Important Notes

API Response Behavior

The CreateCase API returns a boolean response, not a case ID:

true (200 OK) - Case was accepted by the system
false (200 OK) - Case may be in dedupe queue or dropped

Why false?

Duplicate AlertIdentifier (case already exists)
Case is in deduplication queue
Internal processing rules dropped the case

The API does not return the case ID directly. Cases are identified by AlertIdentifier or TicketId.

Deduplication

Cases are deduplicated by AlertIdentifier:

Format: detection-{detection_id}-{run_id}

This ensures:

Each detection run creates a unique case
Re-running the same detection with the same run_id won't create duplicates
Different detections create separate cases

Testing

Test API Key

Test your API key with Python:

import requests

url = "https://your-instance.securityops.google.com/api/external/v1/cases/CreateCase"
headers = {
    "Content-Type": "application/json",
    "AppKey": "your-api-key-here"
}
payload = {
    "AlertIdentifier": "test-query-ai-001",
    "AlertName": "Test Detection Alert",
    "RuleName": "Test Detection",
    "Priority": 60,
    "Environment": "Default Environment",
    "Description": "Test case from Query.ai Federated Detections",
    "Events": [{
        "StartTime": 1705320000000,
        "EndTime": 1705323600000,
        "Name": "Test Event",
        "DeviceVendor": "Query.ai",
        "DeviceProduct": "Federated Detections",
        "SourceSystemName": "Query.ai Federated Detections",
        "Environment": "Default Environment"
    }]
}

response = requests.post(url, headers=headers, json=payload)
print(f"Status: {response.status_code}")
print(f"Response: {response.json()}")  # Should be True

Test with Detection

Create a test detection with low threshold
Add Google SecOps destination
Click Run Now
Check Google SecOps for new case

Troubleshooting

Common Issues

Error	Cause	Solution
`401 Unauthorized`	Invalid API key	Verify API key in configuration
`false` response	Duplicate or dropped	Check for duplicate AlertIdentifier, review dedupe rules
`404 Not Found`	Incorrect instance URL	Verify instance URL is correct
Case not visible	Wrong environment	Check Environment name matches your SecOps environment
Timeout	Slow response	Increase timeout value, check network connectivity

Verify API Key Permissions

Log into Google SecOps
Navigate to Settings → API
Verify API key exists and is active
Check key has case creation permissions

Check Environment Name

Cases are created in the specified environment. If you don't see cases:

Verify environment name in configuration matches SecOps environment
Check you're viewing the correct environment in SecOps UI
Try using "Default Environment" if unsure

View Logs

Contact your Query.ai administrator to review CloudWatch logs:

aws logs tail /aws/lambda/detection-outcome-handler --follow

Look for Google SecOps-related errors in the logs.

Multiple Environments

Create separate destinations for different Google SecOps environments:

Example Use Cases:

Production cases → Production environment
Test detections → Development environment
Different teams → Team-specific environments

Each destination can use the same API key with different environment names.

Configuration Options

Required

instance_url

Google SecOps instance URL
Format: https://your-instance.securityops.google.com
Do not include trailing slash or API path

api_key (secret)

Google SecOps API key (AppKey)
Generated in SecOps Settings
Stored securely in AWS Secrets Manager

Optional

environment

Environment name where cases will be created
Default: "Default Environment"
Must match an existing environment in SecOps
Case-sensitive

timeout

Request timeout in seconds
Default: 30
Increase if experiencing timeouts
Maximum: 300 (5 minutes)

Google SecOps Workflow Integration

Playbooks

Create playbooks to automate case processing:

Navigate to Playbooks in Google SecOps
Create playbook triggered on case creation
Add filters for Query.ai cases (e.g., DeviceVendor = "Query.ai")
Define automation actions:
- Enrich with threat intelligence
- Assign to analyst
- Send notifications
- Create tickets in other systems

Case Management

Cases from Query.ai appear in SecOps case management:

View in Cases dashboard
Filter by DeviceVendor: "Query.ai"
Use SecOps investigation tools
Link to related cases
Track case lifecycle

Case Investigation

When Google SecOps case is created:

Open case in SecOps portal
Review case details and description
Click replay link to investigate in Query.ai
Use SecOps tools for enrichment and analysis
Document findings in case notes
Update case status as investigation progresses

Security Best Practices

Never Commit API Keys: Always store API keys in Secrets Manager
Rotate API Keys: Rotate every 90 days
Use Dedicated Keys: Use separate API keys per environment
Monitor Usage: Review API usage for anomalies
Restrict Permissions: Grant minimum required permissions to API key
Audit Access: Regularly review API key access logs

API Key Rotation

To rotate API key:

Log into Google SecOps
Navigate to Settings → API
Generate new API key
Copy new key value
Update key in Query.ai configuration
Test with a manual detection run
Revoke old API key after verification