How to query via the Chronicle API?

Hi,

I'm trying to query our SecOps SIEM tenant to extract some data that is beyond the limits of the GUI. However, I'm running into problems which seem to be due to changes in the API. The published documentation refers to the Backstory API, but our SIEM is hosted in our own GCP project, which does not have a Backstory API but the Chronicle API instead.

I cannot find documentation or examples on how to format the API calls and authentication to work with the Chronicle API as present in GCP.

For example:
"Backstory API has not been used in project 123456789 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/backstory.googleapis.com/overview?project=123456789 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry."
However, there is no Backstory API and that link returns an error.

Either I am missing something, or there needs to be a documentation overhaul from endpoints like:

https://europe-backstory.googleapis.com/v2/detect/rules?page_size=1
to something similar to:
https://chronicle.googleapis.com/v2/detect/rules?page_size=1

Any help?
Accepted solution

For the Chronicle API, try out the SDK: https://github.com/google/secops-wrapper/tree/main
If you want to roll your own, you can reference the API calls in the methods:
https://github.com/google/secops-wrapper/tree/main/src/secops/chronicle

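An added example, not from this thread or the secops-wrapper project, of the second route in the answer (rolling your own call): a stdlib-only Python client that builds the regional Chronicle API `rules.list` URL, follows `nextPageToken` across pages, and turns the "Backstory API has not been used in project" error from the question into an actionable message. The `v1alpha/projects/.../locations/.../instances/.../rules` path, the `{region}-chronicle.googleapis.com` host and the project/instance names are assumptions to check against the current API reference; the bearer token is supplied out of band (for instance from `gcloud auth print-access-token`).

```python
"""Stdlib-only listing of detection rules through the Chronicle API, with pagination."""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Iterator

# Assumed resource path of the Chronicle API rules collection; verify against the API reference.
RULES_PATH = "v1alpha/projects/{project}/locations/{region}/instances/{instance}/rules"


def rules_url(region: str, project: str, instance: str,
              page_size: int = 100, page_token: str = "") -> str:
    """Build the regional Chronicle endpoint URL (e.g. europe-chronicle.googleapis.com)."""
    params = {"pageSize": page_size}
    if page_token:
        params["pageToken"] = page_token
    path = RULES_PATH.format(project=project, region=region, instance=instance)
    return f"https://{region}-chronicle.googleapis.com/{path}?{urllib.parse.urlencode(params)}"


def explain_http_error(code: int, body: str) -> str:
    """Map an error body to an actionable message; the 'Backstory API has not been
    used in project' text means the call still targets the legacy Backstory service."""
    if "Backstory API" in body:
        return "legacy Backstory endpoint: use the Chronicle API endpoint for this tenant"
    if code in (401, 403):
        return "auth or IAM problem: check the bearer token and the Chronicle role binding"
    return f"HTTP {code}: {body[:200]}"


def http_get(url: str, token: str) -> dict:
    """GET a JSON document with an OAuth2 bearer token (e.g. gcloud auth print-access-token)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        body = err.read().decode("utf-8", "replace")
        raise RuntimeError(explain_http_error(err.code, body)) from err


def iter_rules(region: str, project: str, instance: str, token: str,
               fetch: Callable[[str, str], dict] = http_get) -> Iterator[dict]:
    """Walk every page of rules.list, following nextPageToken until it is absent."""
    page_token = ""
    while True:
        page = fetch(rules_url(region, project, instance, page_token=page_token), token)
        yield from page.get("rules", [])
        page_token = page.get("nextPageToken", "")
        if not page_token:
            return
```

The `fetch` parameter exists so the pagination logic can be exercised against canned pages without network access; in production leave it at the default `http_get`.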
