Create Google SecOps integration

Introduction

The Stairwell Enrichment Integration for Google SecOps provides automated, in-line enrichment of indicators of compromise (IOCs) such as hashes, IP addresses, and hostnames. By connecting SecOps cases directly with Stairwell’s malware corpus and organizational vault, analysts gain immediate context about suspicious artifacts. This reduces the need for manual pivots, accelerates investigations, and provides richer insights within the case workflow itself.


Enrichment Flow

  1. Extraction: SecOps extracts the IOC from the case.
  2. Forwarding: The IOC is sent to Stairwell.
  3. Matching: Stairwell checks the IOC against its malware corpus or the organization’s private vault.
  4. Response: Stairwell returns structured, rich data including verdicts, YARA rule matches, prevalence, variants, registry keys, embedded files, persistence mechanisms, AI-driven summaries, unpacked payloads, dropped files, and anti-analysis details.

Analyst Experience

  • Enrichment results appear directly in the case timeline.
  • No need to pivot into other tools or detonate files.
  • Analysts can immediately understand what the file or IOC does and how it relates to others.

How to Connect Stairwell to Google SecOps

Installation

  1. Go to Marketplace > Response Integrations
  2. Search for Stairwell
  3. Click Install

Configuration

  1. Navigate to Response > Integrations Setup
  2. Click Create a new instance and choose Stairwell
  3. Enter the parameters:
    • Organization ID
    • User ID
    • API Key
    • API Root
  4. Save and run the Test button to verify connectivity

Case View Setup

  1. Navigate to Settings → SOAR Settings → Case Data → Views
  2. Select Default Case View
  3. Add the Insights widget under General to enable IOC enrichment visibility inside cases

Usage in Playbooks

  1. Search for Stairwell in the playbook step selection panel.
  2. Actions are prebuilt with widgets for enrichment results.

  • Supported enrichment actions:

    • Enrich Hash - returns file metadata, verdicts, YARA matches, signatures, AI summaries.
    • Enrich Hostname - returns DNS records, verdicts, and comments.
    • Enrich IP - returns verdicts, opinions, and sightings.
  • Enrichment actions are trigger-agnostic: whether cases are created from EDR alerts, SIEM correlations, or other playbooks, if they include a hash, IP, or hostname, Stairwell can enrich them.
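The enrichment flow and the three actions above, as an added example written for this page (it is not the Stairwell integration's own code): classify an extracted IOC as a hash, IP or hostname, route it to the matching action, and normalise the reply into a single timeline line. The Stairwell API call is replaced by a constructed stub, the response field names (verdict, yara_matches, dns_records, sightings and so on) are assumptions modelled on the result categories the page lists, and the example goes slightly beyond the page by rejecting indicators of an unsupported type before anything is sent.

```python
"""IOC classification and enrichment routing (added illustration).

Example code for this page, not the integration's source. The API call is a
constructed stub and the response field names are assumptions, not the real
Stairwell schema.
"""
import ipaddress
import re
from typing import Callable, Dict, Optional

# Hex digest lengths for MD5, SHA-1 and SHA-256 (assumed to be the hash
# types a case would carry; other digest sizes are treated as unknown).
_HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Hostname: dot-separated labels of letters, digits and hyphens, no label
# starting or ending with a hyphen, at least one dot, 253 chars overall.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$"
)

# The page's action names, keyed by IOC kind.
_ACTION_FOR_KIND = {
    "hash": "Enrich Hash",
    "ip": "Enrich IP",
    "hostname": "Enrich Hostname",
}


def classify_ioc(value: str) -> str:
    """Return 'hash', 'ip', 'hostname' or 'unknown' for an extracted IOC.

    Order matters: hashes are tested before hostnames so a hex string is not
    taken for a bare label, and IPs before hostnames so a dotted quad is not
    swallowed by the hostname pattern.
    """
    v = value.strip()
    if len(v) in _HASH_LENGTHS and _HEX_RE.match(v):
        return "hash"
    try:
        ipaddress.ip_address(v)
        return "ip"
    except ValueError:
        pass
    if _HOSTNAME_RE.match(v):
        return "hostname"
    return "unknown"


# Constructed sample responses standing in for Stairwell's real replies.
_SAMPLE_RESPONSES: Dict[str, dict] = {
    "hash": {
        "verdict": "malicious",
        "yara_matches": ["constructed_rule_example"],
        "prevalence": 3,
        "ai_summary": "Constructed summary: drops a second-stage payload.",
    },
    "hostname": {"verdict": "benign", "dns_records": ["192.0.2.10"], "comments": []},
    "ip": {"verdict": "suspicious", "opinions": ["constructed opinion"], "sightings": 12},
}


def _sample_fetch(kind: str, value: str) -> dict:
    """Stub for the API call: returns the constructed sample for this kind."""
    return dict(_SAMPLE_RESPONSES[kind], indicator=value)


def enrich(value: str, fetch: Optional[Callable[[str, str], dict]] = None) -> dict:
    """Route an IOC to the matching action and normalise the result.

    `fetch(kind, value)` is the hypothetical call that would reach Stairwell;
    the default is the stub above. Unsupported indicator types are reported
    rather than sent, so a playbook step can skip them cleanly.
    """
    kind = classify_ioc(value)
    if kind == "unknown":
        return {"ioc": value, "action": None, "verdict": None,
                "error": "unsupported indicator type"}
    data = (fetch or _sample_fetch)(kind, value)
    return {
        "ioc": value,
        "action": _ACTION_FOR_KIND[kind],
        "verdict": data.get("verdict", "unknown"),
        "details": data,
    }


def timeline_line(result: dict) -> str:
    """One-line insight of the kind an analyst would read in the case timeline."""
    if result["action"] is None:
        return f"{result['ioc']}: skipped ({result['error']})"
    return f"{result['ioc']}: {result['verdict']} via {result['action']}"


if __name__ == "__main__":
    # Constructed inputs: the MD5 of an empty file, a documentation IP,
    # a documentation hostname and a string that is not an indicator.
    for ioc in ("d41d8cd98f00b204e9800998ecf8427e", "192.0.2.1",
                "example.com", "not an ioc!"):
        print(timeline_line(enrich(ioc)))
```

In a real playbook the `fetch` argument would be the integration's API client; keeping it injectable lets the routing logic be exercised offline, which is also what makes the Debug Output in the IDE easier to reason about when a step returns nothing for an indicator that was never classified.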

Troubleshooting

  1. Go to the IDE under “Response.”
  2. Select the action within Exchange, click Play Item, and review the Debug Output for detailed response information.