🔧 refactor(settings): remove chronicle_ prefix from all config fields

Author: Kakudou

external-import/google-secops-siem-incidents/.env.sample

@@ -13,14 +13,14 @@ CONNECTOR_LOG_LEVEL=error
 CONNECTOR_DURATION_PERIOD=PT1H
 
 # Google SecOps SIEM Incidents — Chronicle API credentials
-GOOGLE_SECOPS_SIEM_INCIDENTS_CHRONICLE_BASE_URL=https://chronicle.googleapis.com
-GOOGLE_SECOPS_SIEM_INCIDENTS_CHRONICLE_PROJECT_ID=ChangeMe
-GOOGLE_SECOPS_SIEM_INCIDENTS_CHRONICLE_PROJECT_REGION=ChangeMe
-GOOGLE_SECOPS_SIEM_INCIDENTS_CHRONICLE_PROJECT_INSTANCE=ChangeMe
-GOOGLE_SECOPS_SIEM_INCIDENTS_CHRONICLE_PRIVATE_KEY=ChangeMe
-GOOGLE_SECOPS_SIEM_INCIDENTS_CHRONICLE_PRIVATE_KEY_ID=ChangeMe
-GOOGLE_SECOPS_SIEM_INCIDENTS_CHRONICLE_CLIENT_EMAIL=ChangeMe
-GOOGLE_SECOPS_SIEM_INCIDENTS_CHRONICLE_CLIENT_ID=ChangeMe
-GOOGLE_SECOPS_SIEM_INCIDENTS_CHRONICLE_CLIENT_CERT_URL=ChangeMe
+GOOGLE_SECOPS_SIEM_INCIDENTS_BASE_URL=https://chronicle.googleapis.com
+GOOGLE_SECOPS_SIEM_INCIDENTS_PROJECT_ID=ChangeMe
+GOOGLE_SECOPS_SIEM_INCIDENTS_PROJECT_REGION=ChangeMe
+GOOGLE_SECOPS_SIEM_INCIDENTS_PROJECT_INSTANCE=ChangeMe
+GOOGLE_SECOPS_SIEM_INCIDENTS_PRIVATE_KEY=ChangeMe
+GOOGLE_SECOPS_SIEM_INCIDENTS_PRIVATE_KEY_ID=ChangeMe
+GOOGLE_SECOPS_SIEM_INCIDENTS_CLIENT_EMAIL=ChangeMe
+GOOGLE_SECOPS_SIEM_INCIDENTS_CLIENT_ID=ChangeMe
+GOOGLE_SECOPS_SIEM_INCIDENTS_CLIENT_CERT_URL=ChangeMe
 GOOGLE_SECOPS_SIEM_INCIDENTS_TLP_LEVEL=amber
 GOOGLE_SECOPS_SIEM_INCIDENTS_FIRST_START_TIME=P1D

external-import/google-secops-siem-incidents/README.md

@@ -24,7 +24,7 @@
 
 ## Introduction
 
-This connector fetches SIEM rule alerts from the Google SecOps Chronicle API and imports them into OpenCTI as STIX 2.1 objects. Each Chronicle rule alert is mapped to an OpenCTI Incident, enriched with related observables (IP addresses, hostnames, user accounts, files) and linked via STIX relationships.
+This connector fetches SIEM rule alerts from the Google SecOps API and imports them into OpenCTI as STIX 2.1 objects. Each rule alert is mapped to an OpenCTI Incident, enriched with related observables (IP addresses, hostnames, user accounts, files) and linked via STIX relationships.
 
 The connector uses forward-sliding pagination: on first run it fetches alerts back to a configurable lookback window; on subsequent runs it resumes from the last processed alert timestamp.
 
@@ -33,8 +33,8 @@ The connector uses forward-sliding pagination: on first run it fetches alerts ba
 ### Requirements
 
 - OpenCTI Platform version >= 6.x
-- Google SecOps Chronicle access with a GCP service account authorized for the `https://www.googleapis.com/auth/cloud-platform` scope
-- Chronicle project ID, region, instance UUID, and service account credentials
+- Google SecOps access with a GCP service account authorized for the `https://www.googleapis.com/auth/cloud-platform` scope
+- Google SecOps project ID, region, instance UUID, and service account credentials
 
 ## Configuration variables
 
@@ -61,19 +61,19 @@ There are a number of configuration options, which are set either in `docker-com
 
 | Parameter               | Docker environment variable                                    | Default                                  | Mandatory | Description                                                                                      |
 |-------------------------|----------------------------------------------------------------|------------------------------------------|-----------|--------------------------------------------------------------------------------------------------|
-| Chronicle base URL      | `GOOGLE_SECOPS_SIEM_INCIDENTS_CHRONICLE_BASE_URL`              | `https://chronicle.googleapis.com`       | No        | Chronicle API base URL. A region prefix is prepended at runtime.                                 |
-| GCP project ID          | `GOOGLE_SECOPS_SIEM_INCIDENTS_CHRONICLE_PROJECT_ID`            | /                                        | Yes       | Google Cloud project ID associated with the Chronicle instance.                                  |
-| Chronicle region        | `GOOGLE_SECOPS_SIEM_INCIDENTS_CHRONICLE_PROJECT_REGION`        | /                                        | Yes       | Chronicle region prefix (e.g. `us`, `eu`, `asia`).                                               |
-| Chronicle instance      | `GOOGLE_SECOPS_SIEM_INCIDENTS_CHRONICLE_PROJECT_INSTANCE`      | /                                        | Yes       | Chronicle instance UUID.                                                                         |
-| Private key (PEM)       | `GOOGLE_SECOPS_SIEM_INCIDENTS_CHRONICLE_PRIVATE_KEY`           | /                                        | Yes       | Service account private key in PEM format.                                                       |
-| Private key ID          | `GOOGLE_SECOPS_SIEM_INCIDENTS_CHRONICLE_PRIVATE_KEY_ID`        | /                                        | Yes       | Service account private key ID.                                                                  |
-| Client email            | `GOOGLE_SECOPS_SIEM_INCIDENTS_CHRONICLE_CLIENT_EMAIL`          | /                                        | Yes       | Service account client email (`*@*.iam.gserviceaccount.com`).                                    |
-| Client ID               | `GOOGLE_SECOPS_SIEM_INCIDENTS_CHRONICLE_CLIENT_ID`             | /                                        | Yes       | Service account client ID (numeric).                                                             |
-| Client cert URL         | `GOOGLE_SECOPS_SIEM_INCIDENTS_CHRONICLE_CLIENT_CERT_URL`       | /                                        | Yes       | Service account client certificate URL.                                                          |
+| Base URL                | `GOOGLE_SECOPS_SIEM_INCIDENTS_BASE_URL`              | `https://chronicle.googleapis.com`       | No        | Google SecOps API base URL. A region prefix is prepended at runtime.                             |
+| GCP project ID          | `GOOGLE_SECOPS_SIEM_INCIDENTS_PROJECT_ID`            | /                                        | Yes       | Google Cloud project ID associated with the Google SecOps instance.                              |
+| Region                  | `GOOGLE_SECOPS_SIEM_INCIDENTS_PROJECT_REGION`        | /                                        | Yes       | Google SecOps region prefix (e.g. `us`, `eu`, `asia`).                                           |
+| Instance                | `GOOGLE_SECOPS_SIEM_INCIDENTS_PROJECT_INSTANCE`      | /                                        | Yes       | Google SecOps instance UUID.                                                                     |
+| Private key (PEM)       | `GOOGLE_SECOPS_SIEM_INCIDENTS_PRIVATE_KEY`           | /                                        | Yes       | Service account private key in PEM format.                                                       |
+| Private key ID          | `GOOGLE_SECOPS_SIEM_INCIDENTS_PRIVATE_KEY_ID`        | /                                        | Yes       | Service account private key ID.                                                                  |
+| Client email            | `GOOGLE_SECOPS_SIEM_INCIDENTS_CLIENT_EMAIL`          | /                                        | Yes       | Service account client email (`*@*.iam.gserviceaccount.com`).                                    |
+| Client ID               | `GOOGLE_SECOPS_SIEM_INCIDENTS_CLIENT_ID`             | /                                        | Yes       | Service account client ID (numeric).                                                             |
+| Client cert URL         | `GOOGLE_SECOPS_SIEM_INCIDENTS_CLIENT_CERT_URL`       | /                                        | Yes       | Service account client certificate URL.                                                          |
 | TLP level               | `GOOGLE_SECOPS_SIEM_INCIDENTS_TLP_LEVEL`                       | `amber`                                  | No        | TLP marking applied to all imported entities. Values: `clear`, `white`, `green`, `amber`, `amber+strict`, `red`. |
 | First start time        | `GOOGLE_SECOPS_SIEM_INCIDENTS_FIRST_START_TIME`                | `P1D`                                    | No        | How far back to fetch alerts on the very first run (ISO 8601 duration). Only used when no prior state exists. |
 
-> **Tip — service account JSON:** All `CHRONICLE_*` credential fields map directly to the fields inside a GCP service account JSON key file. You can source them from there directly.
+> **Tip — service account JSON:** All credential fields map directly to the fields inside a GCP service account JSON key file. You can source them from there directly.
 
 ## Deployment
 
@@ -91,14 +91,14 @@ Register the connector in your main OpenCTI `docker-compose.yml`:
       - OPENCTI_TOKEN=ChangeMe
       - CONNECTOR_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
       - CONNECTOR_NAME=Google SecOps
-      - GOOGLE_SECOPS_SIEM_INCIDENTS_CHRONICLE_PROJECT_ID=my-gcp-project
-      - GOOGLE_SECOPS_SIEM_INCIDENTS_CHRONICLE_PROJECT_REGION=us
-      - GOOGLE_SECOPS_SIEM_INCIDENTS_CHRONICLE_PROJECT_INSTANCE=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
-      - GOOGLE_SECOPS_SIEM_INCIDENTS_CHRONICLE_PRIVATE_KEY=-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----
-      - GOOGLE_SECOPS_SIEM_INCIDENTS_CHRONICLE_PRIVATE_KEY_ID=ChangeMe
-      - GOOGLE_SECOPS_SIEM_INCIDENTS_CHRONICLE_CLIENT_EMAIL=my-sa@my-project.iam.gserviceaccount.com
-      - GOOGLE_SECOPS_SIEM_INCIDENTS_CHRONICLE_CLIENT_ID=123456789
-      - GOOGLE_SECOPS_SIEM_INCIDENTS_CHRONICLE_CLIENT_CERT_URL=https://www.googleapis.com/robot/v1/metadata/x509/...
+      - GOOGLE_SECOPS_SIEM_INCIDENTS_PROJECT_ID=my-gcp-project
+      - GOOGLE_SECOPS_SIEM_INCIDENTS_PROJECT_REGION=us
+      - GOOGLE_SECOPS_SIEM_INCIDENTS_PROJECT_INSTANCE=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
+      - GOOGLE_SECOPS_SIEM_INCIDENTS_PRIVATE_KEY=-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----
+      - GOOGLE_SECOPS_SIEM_INCIDENTS_PRIVATE_KEY_ID=ChangeMe
+      - GOOGLE_SECOPS_SIEM_INCIDENTS_CLIENT_EMAIL=my-sa@my-project.iam.gserviceaccount.com
+      - GOOGLE_SECOPS_SIEM_INCIDENTS_CLIENT_ID=123456789
+      - GOOGLE_SECOPS_SIEM_INCIDENTS_CLIENT_CERT_URL=https://www.googleapis.com/robot/v1/metadata/x509/...
     restart: always
 ```
 
@@ -132,14 +132,14 @@ To force an immediate run, navigate to **Data management → Ingestion → Conne
 
 - On **first run**, fetches alerts from `now - FIRST_START_TIME` to `now`.
 - On **subsequent runs**, resumes from the last processed alert `detection_timestamp + 1s` (persisted in connector state as `last_alert_timestamp`); the +1s offset ensures the boundary alert is not re-fetched on the next run.
-- If the Chronicle API returns `tooManyAlerts=true`, the query window slides **backward**: the `endTime` is replaced by the oldest `detection_timestamp` in the current batch, and fetching continues until all pages are consumed.
+- If the API returns `tooManyAlerts=true`, the query window slides **backward**: the `endTime` is replaced by the oldest `detection_timestamp` in the current batch, and fetching continues until all pages are consumed.
 - Each alert batch is converted to STIX objects and sent as a bundle before advancing state — ensuring no data loss on partial runs.
 - If a paginated run is **interrupted** (crash, restart), the connector persists a `pagination_checkpoint` after each truncated batch. On the next run it detects the checkpoint and resumes the backward-pagination window from where it left off, then clears the checkpoint on clean completion.
 
 ### Mapping to OpenCTI entities
 
-| Chronicle source           | OpenCTI / STIX 2.1 entity      |
-|----------------------------|-------------------------------|
+| Google SecOps source         | OpenCTI / STIX 2.1 entity      |
+|------------------------------|-------------------------------|
 | Rule alert                 | Incident                      |
 | `principal_ip` outcome     | IPv4 / IPv6 Address           |
 | `principal_hostname`       | Hostname                      |
@@ -165,4 +165,4 @@ Common errors and their causes:
 |---|---|
 | `Google authentication failed` | Invalid or expired service account key — check `client_email` and `private_key` in your credentials. |
 | `invalid_grant: account not found` | The service account does not exist or has been deleted in GCP. |
-| `Invalid IP V4 address` | Chronicle returned an empty IP string in an alert outcome — safe to ignore, patched from version X. |
+| `Invalid IP V4 address` | Google SecOps returned an empty IP string in an alert outcome — safe to ignore, patched from version X. |

external-import/google-secops-siem-incidents/__metadata__/CONNECTOR_CONFIG_DOC.md

@@ -0,0 +1,29 @@
+# Connector Configurations
+
+Below is an exhaustive enumeration of all configurable parameters available, each accompanied by detailed explanations of their purposes, default behaviors, and usage guidelines to help you understand and utilize them effectively.
+
+### Type: `object`
+
+| Property | Type | Required | Possible values | Default | Description |
+| -------- | ---- | -------- | --------------- | ------- | ----------- |
+| OPENCTI_URL | `string` | ✅ | Format: [`uri`](https://json-schema.org/understanding-json-schema/reference/string#built-in-formats) |  | The base URL of the OpenCTI instance. |
+| OPENCTI_TOKEN | `string` | ✅ | string |  | The API token to connect to OpenCTI. |
+| GOOGLE_SECOPS_SIEM_INCIDENTS_PROJECT_ID | `string` | ✅ | string |  | GCP project ID. |
+| GOOGLE_SECOPS_SIEM_INCIDENTS_PROJECT_REGION | `string` | ✅ | string |  | Chronicle region (e.g. 'us', 'eu', 'asia'). |
+| GOOGLE_SECOPS_SIEM_INCIDENTS_PROJECT_INSTANCE | `string` | ✅ | string |  | Chronicle instance UUID. |
+| GOOGLE_SECOPS_SIEM_INCIDENTS_PRIVATE_KEY | `string` | ✅ | string |  | Service account private key (PEM). |
+| GOOGLE_SECOPS_SIEM_INCIDENTS_PRIVATE_KEY_ID | `string` | ✅ | string |  | Service account private key ID. |
+| GOOGLE_SECOPS_SIEM_INCIDENTS_CLIENT_EMAIL | `string` | ✅ | string |  | Service account client email. |
+| GOOGLE_SECOPS_SIEM_INCIDENTS_CLIENT_ID | `string` | ✅ | string |  | Service account client ID. |
+| GOOGLE_SECOPS_SIEM_INCIDENTS_CLIENT_CERT_URL | `string` | ✅ | string |  | Service account client cert URL. |
+| CONNECTOR_NAME | `string` |  | string | `"Google SecOps"` | The name of the connector. |
+| CONNECTOR_SCOPE | `array` |  | string | `["Google SecOps SIEM Incidents"]` | The scope of the connector, e.g. 'flashpoint'. |
+| CONNECTOR_LOG_LEVEL | `string` |  | `debug` `info` `warn` `warning` `error` | `"error"` | The minimum level of logs to display. |
+| CONNECTOR_TYPE | `const` |  | `EXTERNAL_IMPORT` | `"EXTERNAL_IMPORT"` |  |
+| CONNECTOR_DURATION_PERIOD | `string` |  | Format: [`duration`](https://json-schema.org/understanding-json-schema/reference/string#built-in-formats) | `"PT1H"` | The period of time to await between two runs of the connector. |
+| GOOGLE_SECOPS_SIEM_INCIDENTS_BASE_URL | `string` |  | string | `"https://chronicle.googleapis.com"` | Chronicle API base URL (region prefix added at runtime). |
+| GOOGLE_SECOPS_SIEM_INCIDENTS_AUTH_URI | `string` |  | string | `"https://accounts.google.com/o/oauth2/auth"` | OAuth2 auth URI. |
+| GOOGLE_SECOPS_SIEM_INCIDENTS_TOKEN_URI | `string` |  | string | `"https://oauth2.googleapis.com/token"` | OAuth2 token URI. |
+| GOOGLE_SECOPS_SIEM_INCIDENTS_AUTH_PROVIDER_CERT | `string` |  | string | `"https://www.googleapis.com/oauth2/v1/certs"` | OAuth2 auth provider cert URL. |
+| GOOGLE_SECOPS_SIEM_INCIDENTS_TLP_LEVEL | `string` |  | `clear` `white` `green` `amber` `amber+strict` `red` | `"amber"` | Default TLP level of the imported entities. |
+| GOOGLE_SECOPS_SIEM_INCIDENTS_FIRST_START_TIME | `string` |  | Format: [`duration`](https://json-schema.org/understanding-json-schema/reference/string#built-in-formats) | `"P1D"` | How far back to fetch alerts on the very first run (ISO-8601 duration, e.g. P1D). Used only when no prior state exists. |