Conversation

@generalplantain (Contributor) commented Dec 18, 2025

Summary

Adds Google SecOps (Chronicle) SOAR integration for security case management automation.

Changes

  • 11 new UDF functions for SOAR case and alert management
  • Icon added for the Google SecOps SOAR namespace
  • Case search with advanced filtering (time range, tags, priority, status)
  • Case lifecycle management (stage, priority, assignment)
  • Alert handling (close, reopen, priority update)
  • Comment management with attachments
  • Bulk operations support

Functions Included

| Function | Description |
| --- | --- |
| search_cases | Search and filter SOAR cases with advanced queries |
| add_case_tag | Add tags to cases for organization |
| assign_user_to_case | Assign users or roles to cases |
| change_case_stage | Update case handling stage |
| update_case_priority | Set case priority level |
| update_alert_priority | Set alert priority within a case |
| create_case_comment | Add comments with optional attachments |
| update_case_comment | Edit existing comments |
| close_alert | Close alerts with reason and root cause |
| reopen_alert | Reopen previously closed alerts |
| bulk_close_cases | Mass close multiple cases |

Authentication

Uses API key authentication via AppKey header.
Required secrets: GOOGLE_SECOPS_API_KEY, GOOGLE_SECOPS_BASE_URL

Use Cases

  • SOC Automation: Auto-assign cases based on type/severity
  • Case Triage: Bulk close false positives
  • Incident Response: Update case stages and priorities
  • Documentation: Add comments with investigation findings
  • Alert Management: Close/reopen alerts with proper root cause

Breaking Changes

None - This is a new integration.

Checklist

  • Code follows project style guidelines
  • Functions documented with clear descriptions
  • Icon added for UI display

Summary by cubic

Adds Google SecOps (Chronicle) SOAR integration to automate case and alert workflows in Tracecat. Provides 11 UDFs and a new icon, covering search, lifecycle updates, comments, and bulk actions.

  • New Features

    • Case search with time range, tags, priority, status, stage, assignments
    • Case lifecycle: change stage, update priority, assign user/role
    • Alert actions: close, reopen, update priority
    • Comments: add/edit with optional file attachments
    • Bulk close cases
    • New icon for the Google SecOps SOAR namespace
  • Migration

    • Add secret: GOOGLE_SECOPS_API_KEY
    • Base URL is now passed as a required function argument (no secret needed)
    • No breaking changes

Written for commit 2495932.

@cubic-dev-ai (bot) left a comment

1 issue found across 2 files

<file name="packages/tracecat-registry/tracecat_registry/integrations/google_secops_soar.py">

<violation number="1" location="packages/tracecat-registry/tracecat_registry/integrations/google_secops_soar.py:47">
P2: Returning an empty string when `GOOGLE_SECOPS_BASE_URL` is not configured will cause confusing HTTP errors (requests to relative URLs like `/search/CaseSearchEverything`). Consider raising a descriptive error instead, similar to other integrations like splunk.py.</violation>
</file>


@topher-lo topher-lo added the integrations Pre-built actions label Dec 21, 2025
@topher-lo topher-lo changed the title feat: add Google SecOps SOAR integration feat(integrations): add Google SecOps SOAR integration Dec 21, 2025
- Remove GOOGLE_SECOPS_BASE_URL from secrets - base_url is now a required function argument
- Update secret docstring to only include API key
- Return original API payload instead of custom success messages
- Handle 204 No Content responses properly

@cubic-dev-ai (bot) left a comment

1 issue found across 1 file (changes from recent commits).

<file name="packages/tracecat-registry/tracecat_registry/integrations/google_secops_soar.py">

<violation number="1" location="packages/tracecat-registry/tracecat_registry/integrations/google_secops_soar.py:238">
P2: Missing 204/no-content check that was added to other similar functions in this PR. If the API returns 204 No Content or empty body, `response.json()` will raise a `JSONDecodeError`. Add the same defensive check used in the other modified functions.</violation>
</file>

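Both review findings above (an empty string returned for a missing base URL, and `response.json()` called on a 204 or empty body) are failure modes in how an integration talks to the SOAR API. The following is an added example, not code from the Tracecat PR or the Google SecOps SOAR client: a fail-fast base URL check and a response parser that treats 204 / empty body as "no payload" instead of letting `JSONDecodeError` surface. `FakeResponse` is a constructed stand-in for an `httpx`/`requests` response object, and the error class names are assumptions.

```python
"""Added example (not the PR's code): defensive handling for a missing base URL
and for 204 No Content / empty-body responses from a SOAR-style REST API."""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Any


class SecOpsConfigError(ValueError):
    """Assumed name: raised when a required connection setting is missing."""


class SecOpsResponseError(RuntimeError):
    """Assumed name: raised when the API answers with an HTTP error status."""


@dataclass
class FakeResponse:
    """Constructed stand-in for an httpx/requests response (assumption: the
    real integration uses such a client). Like the real ones, .json() raises
    on an empty body."""

    status_code: int
    text: str = ""

    def json(self) -> Any:
        return json.loads(self.text)


def require_base_url(base_url: str | None) -> str:
    """Validate the instance URL up front so a misconfiguration fails with a
    clear message rather than as a relative-URL request error later."""
    if base_url is None or not base_url.strip():
        raise SecOpsConfigError(
            "Google SecOps SOAR base_url is not configured; pass the instance "
            "URL as the base_url argument (e.g. https://<tenant>.example)"
        )
    url = base_url.strip().rstrip("/")
    if not url.startswith(("https://", "http://")):
        raise SecOpsConfigError(f"base_url must be an absolute URL, got {url!r}")
    return url


def build_url(base_url: str | None, path: str) -> str:
    """Join the validated base URL with an API path, normalising slashes."""
    return f"{require_base_url(base_url)}/{path.lstrip('/')}"


def parse_soar_response(response: FakeResponse) -> Any:
    """Return the decoded JSON payload, or None when the API legitimately sends
    nothing back (204 No Content, or a 2xx with an empty body).

    HTTP error statuses are surfaced as a typed exception carrying the status
    and a truncated body, so a workflow step fails loudly and visibly."""
    if response.status_code >= 400:
        raise SecOpsResponseError(
            f"SOAR API returned HTTP {response.status_code}: {response.text[:200]!r}"
        )
    # The check the reviewer asked for: do not call .json() on an empty body.
    if response.status_code == 204 or not response.text.strip():
        return None
    return response.json()


if __name__ == "__main__":
    # Constructed sample responses, one per path through the parser.
    print(parse_soar_response(FakeResponse(204)))                  # None
    print(parse_soar_response(FakeResponse(200, "")))              # None
    print(parse_soar_response(FakeResponse(200, '{"id": 42}')))    # {'id': 42}
    print(build_url("https://soar.example/", "/search/CaseSearchEverything"))
```

The parser returns `None` for a genuine no-content reply so callers can pass the original API payload through unchanged when there is one, which matches the direction of the later commits in this PR (return the API payload, handle 204 properly).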

Add defensive check for 204 No Content and empty body responses
to all remaining functions to prevent JSONDecodeError

@topher-lo (Contributor) left a comment