How to update Chronicle SIEM alerts with API?

Hi Gurus,

I am new to Chronicle SIEM; I can get alerts with the ListDetections APIs(

My client hopes to update alerts via the API, as we can do in the UI, but I cannot find a related update-detection API in the API documentation. May I know if there is an API available to update alerts?

Thanks


9 REPLIES

Google SecOps' REST API has a method that lets you update the status of alerts. You can find the documentation here: https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances.legacy/l...

The API David mentioned is the new Chronicle API, which requires the Chronicle instance to be on Feature RBAC (IAM).

https://cloud.google.com/chronicle/docs/onboard/configure-feature-access

Thanks a lot. May I know where I can get the path parameter instance value (projects/{project}/locations/{region}/instances/{instance})? Can I obtain it with the API, or do I have to find the project, region and instance in the UI?

Sure @JonathanY.

  • project - This is the project ID of the Google Cloud project that's linked to your Google SecOps instance.
  • region - This is the region where your Google SecOps instance is running. It'll be "us" if it's running in the United States. If it's running in Europe, it'll likely be "eu". If you're not sure, your sales representative can confirm this.
  • instance - This is the customer ID for your Google SecOps instance. You can find this value by navigating to Settings - SIEM Settings - Profile in SecOps.

Hi dear all,

Thank you so much.

I tried the API endpoint (POST https://chronicle.googleapis.com/v1alpha/projects/{project}/locations/{location}/instances/{instance...) with the GCP Project ID and Customer ID obtained from SecOps Settings > Profile; as I don't know the location, I used the default value "us", but the API returns 404 Not Found.

I am not sure if I entered the wrong location or it is an IAM issue. Appreciate your kind comments.

One gotcha is that the API endpoint for the US is 

Here is some more of my script
Thanks Brian. So I have to prefix "us-" before POST https://chronicle.googleapis.com/v1alpha/{instance}/legacy:legacyUpdateAlert? The API doc (https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances.legacy/l...) doesn't mention that I should prefix the region ahead of the base URL.

Thanks
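An added example (not from this thread or from Google) that puts the region gotcha discussed above into a small client: it builds the instance path from project/region/instance, uses the region-prefixed host (the "us-" prefix Brian mentions), and turns a 404 into a hint to check the region. It assumes an OAuth2 bearer token obtained elsewhere, and the request body field names are placeholders to be confirmed against the legacyUpdateAlert reference.

```python
"""Call Chronicle (Google SecOps) legacy:legacyUpdateAlert with the regional host.

Example code, not the thread's or Google's. Assumes the host form
"<region>-chronicle.googleapis.com" and a bearer token supplied by the caller.
"""
import json
import urllib.error
import urllib.request

API_VERSION = "v1alpha"


def instance_path(project: str, region: str, instance: str) -> str:
    """The 'instance' path parameter from the thread: projects/{project}/locations/{region}/instances/{instance}."""
    return f"projects/{project}/locations/{region}/instances/{instance}"


def legacy_update_alert_url(project: str, region: str, instance: str) -> str:
    """Full POST URL. The bare chronicle.googleapis.com host returned 404 in the thread;
    the region ("us", "eu", ...) must also prefix the hostname (assumed form)."""
    host = f"{region}-chronicle.googleapis.com"
    return f"https://{host}/{API_VERSION}/{instance_path(project, region, instance)}/legacy:legacyUpdateAlert"


def build_request(url: str, token: str, body: dict) -> urllib.request.Request:
    """JSON POST with a bearer token; the body fields come from the API reference."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")


def update_alert(project: str, region: str, instance: str, token: str, body: dict) -> dict:
    """Send the update; map the 404 seen in the thread to an actionable error."""
    req = build_request(legacy_update_alert_url(project, region, instance), token, body)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            raise RuntimeError(
                f"404 from {req.full_url}: check that the region prefixes the host "
                "and matches the locations/{region} segment, and that the instance is the customer ID"
            ) from err
        raise


if __name__ == "__main__":
    # Placeholder values; the body keys are assumed and must be checked against the reference.
    body = {"alertId": "ALERT_ID_PLACEHOLDER", "feedback": {"comment": "triaged via API"}}
    print(legacy_update_alert_url("my-project", "us", "customer-id-placeholder"))
    # update_alert("my-project", "us", "customer-id-placeholder", "TOKEN_PLACEHOLDER", body)
```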