Google SecOps Integration


Silent Push integrates with Google SecOps to bring its threat intelligence into the SOAR workflow. Analysts can enrich events and alerts with contextual data, automate investigation steps, and run reputation checks, passive DNS lookups, certificate retrievals, and other Silent Push API queries without leaving Google SecOps.

Prerequisites

  • Active access to a Google SecOps instance.

  • A valid Silent Push API key. Treat it as a secret: it grants access to your Silent Push account, so enter it only in the integration configuration described below, never in playbook parameters or case comments.

  • Familiarity with Google SecOps Marketplace, Response IDE, and case simulation features.

Installation and Configuration

  1. Log in to your Google SecOps dashboard.

  2. Navigate to the Google SecOps Marketplace and search for Silent Push.
    [Screenshot: Google SecOps Content Hub with the Silent Push integration and its setup instructions highlighted.]

  3. Click Install to add the Silent Push integration.

  4. After installation, click Configure and enter the required parameters:

    • API Key: Your Silent Push API key.

    • Silent Push Server: The base URL of the Silent Push API. Keep the default unless Silent Push has given you a different endpoint.
      [Screenshot: Configuration screen for the Silent Push instance with the API key and server fields.]

  5. Navigate to the Application Menu, go to Response > IDE, then search for Silent Push to view the available actions.
    [Screenshot: Response IDE listing the Silent Push actions.]

Set Up Test Cases for Action Execution

To test or run actions, create a simulated test case in Google SecOps:

  1. From the left dashboard, select Cases.
    [Screenshot: Cases entry in the Google SecOps navigation menu.]

  2. Click the icon to add a new case.
    [Screenshot: Case management view with the add-case control.]

  3. Choose Simulate Cases, then click the icon to Add or Import Case.

  4. Select Add New Case and provide details such as:

    • Source / SIEM Name

    • Rule Name

    • Alert Product

    • Alert Name

    • Event Name

    • Additional Alert Fields

    • Additional Event Fields

  5. Click Save to create the case.

  6. Reopen the Simulated Cases list, search for your case, and select it.
    [Screenshot: Simulate Cases dialog with the options to select a case and create its alerts.]

  7. Click Create, choose the environment, and select Simulate.

  8. Return to the Cases list; your case should now appear.

  9. Open the case, click the three-dot menu (⋮), and select Ingest alert as test case.

  10. The test case is now available in the Test Case dropdown for running actions.

Steps to Run Silent Push Actions

  1. In the Response IDE, select the desired Silent Push action from the list.

  2. Open the Testing panel.
    [Screenshot: Testing panel with the Scope, Test Case, and Integration Instance fields.]

  3. Select:

    • Scope: All Entities

    • Test Case: the case you ingested above (for example, Silent Push)

    • Integration Instance: Default

  4. Enter the mandatory parameters (and optional ones for refinement).

  5. Click Run to execute.

  6. View results in the expandable panel below.
    [Screenshot: Results panel showing the action's output message and the returned UUID.]

Available Actions and Usage

Below is a list of the key actions with a description, the required parameters, and execution notes for each. All actions require the setup above. Optional parameters narrow the query or shape the output; required ones are listed under each action.

  • Add Feed: Creates a new feed for organizing indicators.        

    • Required: Feed details (e.g., name, type).

    • Usage: Enter feed parameters and run to add.

  • Add Feed Tags: Adds tags to an existing feed for better organization.        

    • Required: Feed UUID, tags.

    • Usage: Specify feed and tags; optional for custom filtering.

  • Add Indicator: Adds domains, IPs, or other indicators to a feed.        

    • Required: Feed UUID, indicator value.

    • Usage: Provide indicator details; optional timestamps or metadata.

  • Add Indicator Tags: Attaches tags to indicators in a feed.        

    • Required: Feed UUID, indicator, tags.

    • Usage: Useful for classification; optional for bulk operations.

  • Density Lookup: Checks domain density (the number of domains sharing a piece of infrastructure, such as a nameserver) to spot suspicious infrastructure.        

    • Required: qtype (e.g., NS), query (nameserver).

    • Usage: Run with scope and test case; view density metrics in results.

  • Forward Padns Lookup: Performs forward Passive DNS lookups with filters.        

    • Required: qtype (e.g., A), qname (domain).

    • Usage: Optional filters, such as time range; results show DNS resolution.

  • Get ASN Reputation: Retrieves reputation data for a specific ASN.        

    • Required: asn (e.g., 12345).

    • Usage: Optional historical data; results include risk scores.

  • Get ASN Takedown Reputation: Fetches takedown history and reputation for an ASN.        

    • Required: asn.

    • Usage: Helps assess provider reliability.

  • Get ASNs for Domain: Lists ASNs used by a domain's A records in the last 30 days.        

    • Required: Domain name.

    • Usage: Includes subdomains; useful for tracking infrastructure changes.

  • Get Data Exports: Downloads exported datasets, such as scan results.        

    • Required: feed_url.

    • Usage: Optional format (e.g., CSV); results provide download links.

  • Get Domain Certificates: Retrieves certificates associated with a domain.        

    • Required: domain.

    • Usage: Optional validity filters; results list cert details.

  • Get Enrichment Data: Provides enriched info for a domain or resource.        

    • Required: resource (e.g., domain), value.

    • Usage: Comprehensive context, including Whois and history.

  • Get Future Attack Indicator: Retrieves indicators of likely future attacks from a feed.        

    • Required: feed_uuid.

    • Usage: Proactive threat hunting; optional scoring thresholds.

  • Get IPv4 Reputation: Gets the reputation for an IPv4 address.        

    • Required: IPv4 address.

    • Usage: Risk assessment; optional historical views.

  • Get Nameserver Reputation: Retrieves the reputation for a nameserver.        

    • Required: nameserver.

    • Usage: Detects malicious DNS infrastructure.

  • Get Subnet Reputation: Fetches reputation for an IPv4 subnet.        

    • Required: subnet in CIDR notation (e.g., 203.0.113.0/24). Private ranges such as 192.168.0.0/16 are not routable on the internet and return nothing useful.

    • Usage: Broad network analysis.

  • Get Job Status: Checks the status or results of a running job.        

    • Required: job_id.

    • Usage: Monitor asynchronous tasks.

  • List Domain Information: Fetches detailed info for one or more domains.        

    • Required: domains (comma-separated).

    • Usage: Includes registration, DNS, and more.

  • List Domain Infratags: Lists infrastructure tags for a domain.        

    • Required: feed_url (or domain).

    • Usage: Categorizes domain attributes.

  • List IP Information: Provides details for IPv4/IPv6 addresses.        

    • Required: IPs (comma-separated).

    • Usage: Geolocation, ownership, etc.

  • Live URL Scan: Scans a URL for hosted metadata and threats.        

    • Required: URL.

    • Usage: Real-time analysis; results include content type and risks.

  • Ping: Verifies API connectivity and health.        

    • Required: None.

    • Usage: Quick health check.
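The actions above can also be driven from a script, for example from a custom action or a bulk enrichment job that runs outside the Response IDE. The Python client below is an added example written for this page; it is not Silent Push's or Google's code. The X-API-KEY header name, the endpoint paths, the DEFAULT_SERVER value and the job status values are assumptions and must be checked against the Silent Push API documentation before use. It demonstrates three habits worth keeping in any wrapper around these actions: the API key travels only in a request header (never in the URL, which ends up in proxy logs and tickets), indicators are validated before a request is built, and polling Get Job Status is bounded by a timeout so a stuck job cannot hang a playbook. FakeTransport and the virtual clock in demo() replace the network with constructed responses so the whole thing runs offline.

```python
import ipaddress
import json
import time
from urllib.parse import quote, urlencode
from urllib.request import Request, urlopen

# Assumed default; use the Silent Push Server value from the Configure screen.
DEFAULT_SERVER = "https://api.silentpush.com"


class SilentPushClient:
    """Client for a few of the actions listed above. Endpoint paths, the header
    name and response fields are assumptions, not Silent Push's published spec."""

    def __init__(self, api_key, server=DEFAULT_SERVER, transport=None,
                 sleep=time.sleep, clock=time.monotonic):
        if not api_key:
            raise ValueError("API key is required")
        self._api_key, self.server = api_key, server.rstrip("/")
        # transport(method, url, headers, body) -> parsed JSON. Injectable so the
        # client can run offline against canned responses; default is real HTTPS.
        self._send = transport or self._http_send
        self._sleep, self._clock = sleep, clock

    @staticmethod
    def _http_send(method, url, headers, body):
        with urlopen(Request(url, data=body, headers=headers, method=method), timeout=30) as r:
            return json.load(r)

    def _get(self, path, params=None):
        # The key travels only in a header: query strings end up in proxy/server logs and tickets.
        url = self.server + path + ("?" + urlencode(params) if params else "")
        return self._send("GET", url, {"X-API-KEY": self._api_key}, None)

    def ipv4_reputation(self, ip):
        # Validate before sending: reject hostnames, garbage, IPv6 and non-routable addresses.
        addr = ipaddress.ip_address(ip)
        if addr.version != 4 or not addr.is_global:
            raise ValueError(f"{ip!r} is not a public IPv4 address")
        return self._get(f"/api/v1/merge-api/explore/ipreputation/{addr}")

    def forward_padns(self, qtype, qname, **filters):
        qtype = qtype.upper()
        if qtype not in {"A", "AAAA", "CNAME", "MX", "NS", "SOA", "TXT", "ANY"}:
            raise ValueError(f"unsupported qtype {qtype!r}")
        path = f"/api/v1/merge-api/explore/padns/lookup/query/{qtype}/{quote(qname, safe='')}"
        return self._get(path, params=filters or None)

    def job_status(self, job_id):
        return self._get(f"/api/v1/merge-api/explore/job/{quote(job_id, safe='')}")

    def wait_for_job(self, job_id, timeout=300, interval=5):
        """Poll Get Job Status with a hard timeout so a stuck job cannot hang a playbook."""
        deadline, polls = self._clock() + timeout, 0
        while True:
            polls += 1
            result = self.job_status(job_id)
            status = str(result.get("status", "")).upper()  # field name assumed
            if status in {"DONE", "COMPLETED", "FINISHED"}:
                return result, polls
            if status in {"FAILED", "ERROR"}:
                raise RuntimeError(f"job {job_id} failed: {result}")
            if self._clock() >= deadline:
                raise TimeoutError(f"job {job_id} still {status or 'unknown'} after {timeout}s")
            self._sleep(interval)


class FakeTransport:
    """Offline stand-in: records requests, replays constructed responses (last one repeats)."""

    def __init__(self, responses):
        self.calls, self._responses = [], list(responses)

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, headers, body))
        return self._responses.pop(0) if len(self._responses) > 1 else self._responses[0]


def demo():
    now = [0.0]  # virtual clock: "sleeping" advances it, so nothing really waits

    def tick(seconds):
        now[0] += seconds

    # Constructed job responses: two polls still running, the third finished.
    jobs = FakeTransport([{"status": "PENDING"}, {"status": "RUNNING"},
                          {"status": "DONE", "result": {"rows": 3}}])
    client = SilentPushClient("sp-example-key", transport=jobs, sleep=tick, clock=lambda: now[0])
    done, polls = client.wait_for_job("job-123", timeout=60, interval=5)
    stuck = SilentPushClient("sp-example-key", transport=FakeTransport([{"status": "PENDING"}]),
                             sleep=tick, clock=lambda: now[0])
    try:
        stuck.wait_for_job("job-999", timeout=10, interval=5)
        timed_out = False
    except TimeoutError:  # a job that never finishes must raise, not loop forever
        timed_out = True
    return {"job_polls": polls, "job_result": done, "timed_out": timed_out,
            "key_in_url": any("sp-example-key" in c[1] for c in jobs.calls),
            "key_in_header": all(c[2].get("X-API-KEY") == "sp-example-key" for c in jobs.calls)}
```

demo() returns three polls before the DONE response and reports timed_out for the job that never finishes, with the key present in every header and absent from every URL. To use the client for real, construct it with the configured API key and Silent Push Server and omit the transport, sleep and clock arguments.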

Troubleshooting Tips

  • If an action fails, run Ping first to confirm the instance can reach the Silent Push API, then verify the API key and Silent Push Server values in the integration configuration.

  • Ensure the test case was ingested (Ingest alert as test case) and appears in the Test Case dropdown; otherwise entity-scoped actions have nothing to run against.

  • For detailed errors, check the results panel in the Testing tab.

  • Refer to the Silent Push API documentation for advanced parameter usage.