
Hi team,

Earlier, we used to send an email to the Google SecOps team for integration submission. However, we now see a new GitHub repository — https://github.com/chronicle/marketplace — being used for this process. We have observed that it contains a different project structure than what we get after exporting an integration from the SecOps instance. Is there a quicker way to convert that into a marketplace-ready integration structure?

Any feedback is appreciated.
@cmorris @f3rz @ylandovskyy

Is there any content in this document that helps with this question:
https://cloud.google.com/chronicle/docs/soar/marketplace/power-ups/gitsync


No, it will not work because the integration submission process has changed. The .definition file format has been replaced with .xml, and .toml and other files have also been added. So, we can’t just export the integration from the Google SecOps instance and publish it the way we used to. Now, I don’t know how to convert the integration downloaded from the SecOps instance into the file format mentioned here: https://github.com/chronicle/marketplace.

@cmorris @f3rz @ylandovskyy Please help me here!


Hey @GaurangPatel,

We released a special tool for this called mp. This tool is used to deconstruct the old integration format into the new one and vice versa.

It’s expected that the new format will be used for GitHub submissions when submitting the PR.

The tool allows you to create the integration and then directly push the code to your SecOps instance for testing, so now you can use your own IDE, build the code there and then test in the SecOps instance.


@ylandovskyy 

Yes, we are using MP for this purpose. It works fine for generating the build. However, when we try to deconstruct the integration after exporting it from the SecOps instance, we encounter multiple errors and are unable to debug them.

We might be doing something wrong. Currently, we are using the following command, but we’re receiving too many errors. 

`mp build --integration my_integration --deconstruct`

If there is a step-by-step guide or video available, please share it.

Thanks.


@GaurangPatel  Can you provide the errors that you were receiving?


Hey @GaurangPatel, this is indeed the correct command.

The deconstruct flow is still a bit rough, and we’re working on providing more helpful error messages, as the errors are indeed dense and hard to understand.

A few points about the deconstruct process:

  • It will not fix your imports to use `soar_sdk.` for SDK imports and `..core.` for core module imports
  • It will not add any dependencies in the pyproject.toml of the integration unless you prepare a requirements.txt file with the main dependencies you want to add (without sub-dependencies)
  • It is recommended to change all file names to snake_case as the new standard; this doesn’t happen in the deconstruction process yet
  • After deconstructing, the deconstructed integration will be ready in `repo_root/out/integrations/third_party/your_integration`. Then you can copy it to the integrations folder, and remove the original one after you’re happy with the results. It should generate all the yaml files.
  • About dev dependencies, you’ll need to use uv as instructed [here](https://github.com/chronicle/marketplace/blob/main/packages/README.md), add the SDK as a dev dependency as instructed [here](https://github.com/chronicle/marketplace/blob/main/docs/response_integrations/tools_and_sdk/soar_sdk.md), and add integration_testing/pytest to be able to test your integration

If you need help with a specific issue, you can post about it here if you want and I’ll try to help!
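
A post-deconstruct check for the first and third points in the list above, added here as an example; it is not part of `mp` or the marketplace repository. It reports `.py` files whose names are not snake_case and absolute imports that still use flat module names, suggesting the `soar_sdk.` and `..core.` prefixes quoted in the reply. The module names in `SDK_MODULES` and `CORE_MODULES` are assumptions to replace with the ones your integration uses.

```python
import ast
import re
from pathlib import Path

def to_snake_case(stem):
    """GetTicketDetails -> get_ticket_details, HTTPManager -> http_manager."""
    s = re.sub(r"[\s\-]+", "_", stem)
    s = re.sub(r"(?<=[a-z0-9])(?=[A-Z])", "_", s)       # fooBar  -> foo_Bar
    s = re.sub(r"(?<=[A-Z])(?=[A-Z][a-z])", "_", s)     # HTTPGet -> HTTP_Get
    return s.lower()

def import_findings(source, sdk_modules, core_modules):
    """Return sorted (line, module, suggested_module) for absolute imports
    that still use the flat pre-deconstruct module names."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            names = [node.module]
        elif isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        else:
            continue
        for name in names:
            top = name.split(".")[0]
            if top in sdk_modules:
                findings.append((node.lineno, name, "soar_sdk." + name))
            elif top in core_modules:
                findings.append((node.lineno, name, "..core." + name))
    return sorted(findings)

def check_integration(root, sdk_modules, core_modules):
    """Walk a deconstructed integration; collect renames and import fixes."""
    report = {"rename": {}, "imports": {}}
    for path in sorted(Path(root).rglob("*.py")):
        rel = path.relative_to(root).as_posix()
        snake = to_snake_case(path.stem)
        if snake != path.stem:
            report["rename"][rel] = snake + ".py"
        found = import_findings(path.read_text(encoding="utf-8"),
                                sdk_modules, core_modules)
        if found:
            report["imports"][rel] = found
    return report

# Assumed module names; replace with the ones your integration really uses.
SDK_MODULES = {"SiemplifyAction", "SiemplifyUtils"}
CORE_MODULES = {"ExampleManager"}  # constructed name for a manager in core/

if __name__ == "__main__":
    import json, sys
    print(json.dumps(check_integration(sys.argv[1], SDK_MODULES, CORE_MODULES), indent=2))
```

Run it with the deconstructed integration directory as the only argument. If you rename a core module to snake_case, use the new file name in the suggested `..core.` import as well.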

