Last month, we introduced the API Wrapper SDK for Google SecOps. The SDK encapsulates common use cases of the Google SecOps API like running entity lookups, performing UDM searches, and more. It makes it easy to run these operations programmatically by exposing the corresponding API functionality in an intuitive way.
In previous posts, I showed how to install the SDK and authenticate with it, as well as how to run natural language queries that get translated to UDM. In this post, I'll show you how to leverage the SDK to run retrohunts in Google SecOps.
Retrohunts allow us to run an existing rule in Google SecOps against historical data. Depending on the scope of your retrohunt (the time range and the breadth of the rule), these searches can take time and are scheduled to run when resources are available, so a retrohunt is an asynchronous job rather than an interactive query. You can read more about retrohunts in our associated documentation page. Let's see how we can leverage the new SDK to run a retrohunt programmatically.
From the official Google SecOps SDK Wrapper documentation, we can see that there is a method for running retrohunts called create_retrohunt, so let's use it. The method takes three parameters: the rule ID, and the start and end times that bound the historical window the rule is run against. Because the retrohunt runs asynchronously, the call returns a long-running operation rather than results; we check the operation's status afterwards with get_retrohunt.
The rule ID is distinct from the name of the rule, and shows up in the associated rule metadata. You can obtain the rule ID either by using the Google SecOps console itself or by getting the rule ID programmatically. Here is an example of a rule and its rule ID listed directly below the display name.
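Resolving a display name to a rule ID programmatically, as an added example that is not part of the original post or the SDK. It assumes that chronicle.list_rules() returns a dict with a "rules" list, that each entry's resource "name" ends in the rule ID, and that the rule's name from its YARA-L rule block is exposed as "displayName"; the response below is constructed with made-up IDs, not real output.

```python
#!/usr/bin/env python3
"""Added example (not from the post or the secops SDK): map a rule's display
name to the ru_... rule ID that create_retrohunt() needs.

Assumptions: chronicle.list_rules() returns {"rules": [...]}, each rule has a
resource "name" whose last path segment is the rule ID, and the rule name is
exposed as "displayName". SAMPLE_LIST_RULES_RESPONSE is constructed data.
"""
from typing import Any, Dict, List

# Constructed stand-in for chronicle.list_rules(); IDs and names are made up.
SAMPLE_LIST_RULES_RESPONSE: Dict[str, Any] = {
    "rules": [
        {
            "name": "projects/example-project/locations/us/instances/example-instance"
                    "/rules/ru_00000000-0000-0000-0000-000000000001",
            "displayName": "suspicious_powershell_download",
        },
        {
            "name": "projects/example-project/locations/us/instances/example-instance"
                    "/rules/ru_00000000-0000-0000-0000-000000000002",
            "displayName": "rdp_brute_force",
        },
        {
            # Display names are not guaranteed unique; a second rule reuses one.
            "name": "projects/example-project/locations/us/instances/example-instance"
                    "/rules/ru_00000000-0000-0000-0000-000000000003",
            "displayName": "rdp_brute_force",
        },
    ]
}


def rule_id_from_name(resource_name: str) -> str:
    """The rule ID is the last path segment of the rule's resource name."""
    rule_id = resource_name.rstrip("/").split("/")[-1]
    if not rule_id.startswith("ru_"):
        raise ValueError(f"unexpected rule resource name: {resource_name!r}")
    return rule_id


def find_rule_ids(rules_response: Dict[str, Any], display_name: str) -> List[str]:
    """All rule IDs whose displayName matches exactly (case-sensitive)."""
    return [
        rule_id_from_name(rule["name"])
        for rule in rules_response.get("rules", [])
        if rule.get("displayName") == display_name
    ]


def resolve_rule_id(rules_response: Dict[str, Any], display_name: str) -> str:
    """Return the single rule ID for display_name; fail loudly on 0 or >1 hits.

    Running a retrohunt against the wrong rule silently wastes a scheduled
    job, so ambiguity is an error here rather than a first-match guess.
    """
    ids = find_rule_ids(rules_response, display_name)
    if not ids:
        raise LookupError(f"no rule with display name {display_name!r}")
    if len(ids) > 1:
        raise LookupError(
            f"{len(ids)} rules share display name {display_name!r}: {ids}; "
            "pass the rule ID explicitly instead"
        )
    return ids[0]


if __name__ == "__main__":
    print(resolve_rule_id(SAMPLE_LIST_RULES_RESPONSE, "suspicious_powershell_download"))
    # Live use (assumption: the same client setup as the script below):
    # rule_id = resolve_rule_id(chronicle.list_rules(), "suspicious_powershell_download")
```

The duplicate-name case is the caveat worth keeping: the console shows one rule per row, but nothing stops two rules from sharing a display name, so the lookup refuses to guess.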
We now have enough information to write our script. For the purpose of this post, we won't cover the boilerplate parts of the script like authentication and importing the module since we've already reviewed these in the prior posts.
#!/usr/bin/env python3
# This script demonstrates running a retrohunt using the Google SecOps SDK with Python.
# Prior to running this script, remember to establish authentication with
# gcloud auth application-default login or another supported method.
# Google SecOps SDK and all associated documentation by raybrian@.
# This tutorial script by vaskenh@.
from datetime import datetime, timedelta, timezone

from secops import SecOpsClient

client = SecOpsClient()
chronicle = client.chronicle(
    customer_id="you-can-find-this-value-on-the-secops-overview-page",
    project_id="vaskenh-chronicle",
    region="us"
)

# Construct the time boundaries for a retrohunt that searches back seven days.
# Use timezone-aware UTC datetimes so the window is unambiguous.
end_time = datetime.now(timezone.utc)
start_time = end_time - timedelta(days=7)

# The rule ID (ru_...) from the rule's metadata, not its display name.
rule_id = 'ru_42d163d7-7ce5-480c-b773-489bf07830a8'

# Creating a retrohunt is asynchronous: the call returns a long-running
# operation, and the operation ID is the last segment of its resource name.
retrohunt = chronicle.create_retrohunt(rule_id, start_time, end_time)
operation_id = retrohunt.get("name", "").split("/")[-1]

# Check the operation's status. Immediately after creation this will normally
# still report False; poll get_retrohunt until it reports done.
retrohunt_status = chronicle.get_retrohunt(rule_id, operation_id)
is_complete = retrohunt_status.get("metadata", {}).get("done", False)
print(retrohunt_status)
print(is_complete)
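A single get_retrohunt call right after create_retrohunt almost always reports an unfinished operation, so in practice the script needs a polling loop with a timeout. The following is an added example, not code from the original post or the SDK. It assumes get_retrohunt returns the operation as a dict like the one the script prints, with a done flag either at the top level (the google.longrunning.Operation shape) or under metadata (where the script reads it), an optional error object when the operation failed, and a progressPercentage in metadata; the status dicts in SAMPLE_STATUSES are constructed, not real output.

```python
#!/usr/bin/env python3
"""Added example (not from the post or the secops SDK): poll a retrohunt's
long-running operation until it finishes, with a timeout and error handling.

Assumptions: chronicle.get_retrohunt(rule_id, operation_id) returns a dict with
`done` at the top level and/or under `metadata`, an optional `error` object
when the job failed, and `metadata.progressPercentage`. SAMPLE_STATUSES below
is constructed data standing in for successive get_retrohunt() responses.
"""
import time
from typing import Any, Callable, Dict, List


def retrohunt_is_done(status: Dict[str, Any]) -> bool:
    """True once the operation reports completion in either location."""
    if status.get("done") is True:
        return True
    return bool(status.get("metadata", {}).get("done", False))


def retrohunt_progress(status: Dict[str, Any]) -> float:
    """Progress percentage from the operation metadata, 0.0 if absent."""
    return float(status.get("metadata", {}).get("progressPercentage", 0))


def wait_for_retrohunt(
    fetch_status: Callable[[], Dict[str, Any]],
    timeout_s: float = 3600.0,
    poll_s: float = 30.0,
    sleep: Callable[[float], None] = time.sleep,
    clock: Callable[[], float] = time.monotonic,
) -> Dict[str, Any]:
    """Call fetch_status() until the operation is done or timeout_s elapses.

    Returns the final status dict. Raises RuntimeError if the operation
    finished with an error and TimeoutError if it did not finish in time.
    sleep and clock are injectable so the loop can be driven offline.
    """
    deadline = clock() + timeout_s
    while True:
        status = fetch_status()
        if retrohunt_is_done(status):
            if status.get("error"):
                raise RuntimeError(f"retrohunt failed: {status['error']}")
            return status
        if clock() >= deadline:
            raise TimeoutError(
                f"retrohunt not finished after {timeout_s:.0f}s "
                f"({retrohunt_progress(status):.0f}% reported)"
            )
        sleep(poll_s)


# Constructed sample of successive get_retrohunt() responses (not real output).
SAMPLE_STATUSES: List[Dict[str, Any]] = [
    {"name": "operations/sample", "metadata": {"state": "RUNNING", "progressPercentage": 0}},
    {"name": "operations/sample", "metadata": {"state": "RUNNING", "progressPercentage": 60}},
    {"name": "operations/sample", "done": True,
     "metadata": {"state": "DONE", "progressPercentage": 100}},
]


def run_sample() -> Dict[str, Any]:
    """Drive wait_for_retrohunt() over SAMPLE_STATUSES without real sleeping."""
    responses = iter(SAMPLE_STATUSES)
    return wait_for_retrohunt(
        lambda: next(responses), timeout_s=60, poll_s=1,
        sleep=lambda _s: None, clock=lambda: 0.0,
    )


if __name__ == "__main__":
    final = run_sample()
    print("sample done:", retrohunt_is_done(final), retrohunt_progress(final))
    # Live use (assumption: chronicle, rule_id and operation_id as in the script above):
    # final = wait_for_retrohunt(lambda: chronicle.get_retrohunt(rule_id, operation_id))
```

The two details that matter operationally are the timeout (a retrohunt that is queued behind other jobs should not hang an automation indefinitely) and the error check on a finished operation: done=True with an error object is a failed job, not a completed hunt, and treating it as success is the bug to avoid.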