Hi,
I'm trying to query our SecOps SIEM tenant to extract some data that is beyond the limits of the GUI. However, I'm running into problems which seem to be due to changes in the API. The published documentation refers to the Backstory API, but our SIEM is hosted in our own GCP project, which does not have a Backstory API but the Chronicle API instead.
I cannot find documentation or examples on how to format the API calls and authentication to work with the Chronicle API as present in GCP.
For example:
"Backstory API has not been used in project 123456789 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/backstory.googleapis.com/overview?project=123456789 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry."
However, there is no Backstory API and that link returns an error.
Either I am missing something, or there needs to be a documentation overhaul from endpoints like:
For the Chronicle API, try out the SDK: https://github.com/google/secops-wrapper/tree/main
If you want to roll your own, you can reference the API calls in the methods:
https://github.com/google/secops-wrapper/tree/main/src/secops/chronicle
Are you an Ent+ customer? They recently deprecated access to BQ for non-Ent+ customers, and instead moved to a BYOBQ route. I've received that error message due to deprecated keys.
https://cloud.google.com/chronicle/docs/reference/bigquery-access-api
https://cloud.google.com/chronicle/docs/reports/export-to-customer-managed-project
If you are Ent+, your Google CE or support should be able to provide you the API key.
We are Ent+, but I'm not looking to query BigQuery, but Chronicle SIEM via the API itself.
This appears to be the new API, but it's not clear to me (as a non-API dev) how to turn the scripts provided for querying Backstory into valid scripts for the new API.
https://cloud.google.com/chronicle/docs/reference/rest
+1 to the SDK. Backstory API does still exist as well, you can get keys for that from support. Chronicle API is documented here - https://cloud.google.com/chronicle/docs/reference/rest
Thanks, I also just found the secops-wrapper, which looks perfect for my needs, so I'll give that a go.
It's a weird situation, because it was actually our Google team who provided the Backstory scripts but said it would need my own SA and key to work, which seems to be incorrect? The Backstory API is from the old architecture where we use the shared tenant and Google-provided keys, is what I'm understanding?
Yes, the Chronicle API is the new GCP compliant "one platform" API, with customer controlled IAM via a GCP project. Using it has allowed us to leverage the platform features for API control that Backstory API did not have. We are working to migrate all customers over to the new identity scheme in order to deprecate the Backstory API.