I want to fetch the full list of Cases in my integration script but am not able to find any specific endpoint that can give me all the Cases.
I found the legacy Batch Get Cases (https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances.legacy/legacyBatchGetCases) endpoint, but it needs a names[] parameter, and the issue is that I don't have any particular case names.
Let me know if you have any endpoint related to retrieve Cases.
Hi @vishnusoni, thanks for reaching out!
The functionality to list and manage cases is located in the SOAR component of SecOps. The SOAR API has the endpoint /api/external/v1/search/CaseSearchEverything which can be used to retrieve a list of case IDs. Once you have the list of Case IDs, you can then iterate through them to get the details for each case using an endpoint like /api/external/v1/dynamic-cases/GetCaseDetails/{caseId}.
The Google SecOps SOAR APIs are documented in Swagger at https://{your_soar_instance_url}/swagger/index.html
Hi @AaronR,
Could you please guide us on how to identify the SOAR instance URL?
We currently have a Google SecOps tenant that includes both SIEM and SOAR functionalities. However, we're unsure about the specific URL or endpoint to use for accessing the SOAR instance. Specifically, we need to know what "{your_soar_instance_url}" refers to and where we can locate this value in our environment.
Any guidance on how to retrieve or confirm this URL would be greatly appreciated.
Thanks in advance for your assistance!
Hi @rohan1804, great question!
The easiest way I've found would be to go into SecOps > Settings > SOAR Settings > Ingestion and create a temporary, test Webhook. The Webhook URL will have the instance URL needed such as ab123.siemplify-soar.com. The Swagger URL would then be https://ab123.siemplify-soar.com/swagger/index.html. Support should also be able to give you the instance URL if you are unable to use this method for some reason.
Thanks for the guidance — I was able to retrieve the soar_instance_url successfully.
However, I'm encountering a 401 Unauthorized HTTP error when trying to trigger the SOAR API ({soar_instance_url}/api/external/v1/search/CaseSearchEverything). Could you please confirm if there are any specific permissions or roles required to access the API that we might be missing?
Appreciate your help on this!
Ensure you're using an API key generated from Settings > SOAR Settings > API Keys. Permission-wise for just this CaseSearchEverything endpoint, you'll want to select a permissions group that has access to Search (+ View Case Search) and Cases (no sub-settings required) under Settings > Organization > Permissions. Additionally, you'll want to have the proper environment and SOC Role configured for the cases you want to see.
Within Swagger, you'll want to enter the API key in the green Authorize section at the top and then re-try the Search > CaseSearchEverything endpoint with your filter criteria.
An easy way to generate your filters would be to go to Investigation > SOAR Search within SecOps, add your filter criteria, open up devtools going to the network tab, and then review the payload tab after executing your search by hitting Apply. You can right-click this request payload and "copy object" to get the full JSON for the filter criteria. Example:
One thing to note that has inadvertently confused me before is that the example execution of that endpoint in Swagger says 401 unauthorized as shown below, but the query you execute is actually the one above this. Hope this helps!
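As an added example that is not part of this thread (it is not Google's code or the SOAR project's code), here is a Python script that implements what the two replies above describe: search with CaseSearchEverything, iterate the returned case IDs through GetCaseDetails, and collect the ticketIds for a later SIEM lookup. Everything not stated in the thread is an assumption: the API key header name `AppKey`, the `results`/`id`/`ticketIds` field names in the search response, and the constructed responses served by `demo_transport` so the script runs offline; the real filter payload is the JSON copied from the SOAR Search network tab as described above.

```python
"""Added example (not code from the thread, Google or the SOAR project): list every
SOAR case through CaseSearchEverything, then pull each case with GetCaseDetails.

Assumptions not confirmed by the thread: the API key is sent in an "AppKey" header,
the search response is JSON with a "results" list whose items carry "id" and
"ticketIds", and `filter_payload` is the JSON copied from the SOAR Search network
tab.  `demo_transport` returns constructed data so the example runs offline."""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# (method, url, json body or None) -> (HTTP status, decoded JSON body)
Transport = Callable[[str, str, Optional[dict]], Tuple[int, dict]]

SEARCH_PATH = "/api/external/v1/search/CaseSearchEverything"
DETAILS_PATH = "/api/external/v1/dynamic-cases/GetCaseDetails/{case_id}"


class SoarClient:
    def __init__(self, instance_url: str, api_key: str, transport: Optional[Transport] = None):
        self.base = instance_url.rstrip("/")
        # Header name is an assumption; the key comes from Settings > SOAR Settings > API Keys.
        self.headers = {"AppKey": api_key, "Content-Type": "application/json"}
        self.transport = transport or self._http

    def _http(self, method: str, url: str, body: Optional[dict]) -> Tuple[int, dict]:
        """Real transport using only the standard library."""
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers=self.headers)
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.status, json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as err:
            return err.code, {}

    def search_cases(self, filter_payload: dict) -> List[dict]:
        status, body = self.transport("POST", self.base + SEARCH_PATH, filter_payload)
        if status == 401:
            raise PermissionError("401 from SOAR: use an API key whose permission group "
                                  "has Search (+ View Case Search) and Cases access")
        if status != 200:
            raise RuntimeError(f"CaseSearchEverything returned HTTP {status}")
        return body.get("results", [])  # "results" is an assumed field name

    def get_case_details(self, case_id) -> dict:
        status, body = self.transport("GET", self.base + DETAILS_PATH.format(case_id=case_id), None)
        if status != 200:
            raise RuntimeError(f"GetCaseDetails/{case_id} returned HTTP {status}")
        return body

    def fetch_all_cases(self, filter_payload: dict) -> Dict[int, dict]:
        """Search, then iterate the returned IDs to fetch every case's details."""
        return {hit["id"]: self.get_case_details(hit["id"]) for hit in self.search_cases(filter_payload)}


def collect_ticket_ids(search_hits: List[dict]) -> List[str]:
    """Flatten the per-case ticketIds (SIEM alert IDs) into one de-duplicated, ordered list."""
    seen: Dict[str, None] = {}
    for hit in search_hits:
        for ticket in hit.get("ticketIds", []):
            seen.setdefault(ticket, None)
    return list(seen)


def demo_transport(method: str, url: str, body: Optional[dict]) -> Tuple[int, dict]:
    """Constructed fake responses so the example runs offline (not the real schema)."""
    if url.endswith(SEARCH_PATH) and method == "POST":
        return 200, {"results": [{"id": 101, "ticketIds": ["al-1", "al-2"]},
                                 {"id": 102, "ticketIds": ["al-2", "al-3"]}]}
    if "/GetCaseDetails/" in url and method == "GET":
        case_id = int(url.rsplit("/", 1)[1])
        return 200, {"id": case_id, "title": f"constructed case {case_id}"}
    return 404, {}


if __name__ == "__main__":
    client = SoarClient("https://ab123.siemplify-soar.com", "PLACEHOLDER_API_KEY", transport=demo_transport)
    payload = {"filters": []}  # real run: paste the JSON copied from the SOAR Search network tab
    print(json.dumps(client.fetch_all_cases(payload), indent=2))
    print("alert ids to look up in the SIEM:", collect_ticket_ids(client.search_cases(payload)))
```

Drop the `transport=` argument to hit a real instance; the injected transport exists so the iteration and error handling can be exercised without network access.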
Thank you so much @AaronR — I genuinely appreciate all the time, effort, and support you've provided.
Your guidance made a big difference, and I can't thank you enough for helping me get this working.
Thanks to your help, I'm now able to successfully fetch Cases data both in my script and via Postman, which had been a major blocker for me.
I do have one final question: I'm trying to find an endpoint that allows me to retrieve the details of an alert using its alertId.
In the response from the /api/external/v1/search/CaseSearchEverything endpoint, there's a field called ticketIds, which seems to be a list of SIEM alert IDs. I'm now looking for a way to use these IDs to get the full alert details.
@vishnusoni Correct, you can use ticketIds to get the alert details. You're looking for the SIEM endpoint legacy.legacyGetAlert to do that. You'll need to pass this endpoint the alertId as well as includeDetections true/false and then you'll get a detailed response back containing the alert details.
For example, here is what the request looks like for a US tenant:
https://us-chronicle.googleapis.com/v1alpha/projects/{projectId}/locations/us/instances/{instanceId}/legacy:legacyGetAlert?alertId={alertId}&includeDetections=true
Thanks for the solution @AaronR.
I had found this legacyGetAlert endpoint in my research and am continuing to work on the same.
Thanks for all the support you've provided. It helped me a lot.
1. I noticed that the example endpoint you shared includes the region in the base URL (e.g., https://us-chronicle.googleapis.com/v1alpha/), whereas the official documentation doesn't specify a region in the endpoint (e.g., https://chronicle.googleapis.com/v1alpha/). Initially, I was following the documentation, but that resulted in a 404 HTTP error.
However, when I used your example endpoint format with the region included, I started getting a 403 HTTP error instead, which I believe might be related to permissions.
Could you please guide me on the specific IAM permissions that need to be granted to my instance in order to successfully call the legacyGetAlert endpoint? I want to ensure everything is configured according to the documentation.
2. Similarly, I'm also working on the legacySearchAlert endpoint and I've been following the official documentation but am consistently receiving a 404 error—both with and without the region in the URL. If possible, could you kindly share a working example for the legacySearchAlert endpoint as well? A sample request, including query parameters, would be extremely helpful for us to move forward.
Hey @AaronR,
I hope this message finds you well. I wanted to kindly follow up on my previous request regarding HTTP Error issue and IAM Permissions.
I understand you may be busy, but I would greatly appreciate any assistance or update you can provide on this matter at your earliest convenience.
Thank you for your help, and I look forward to your response.
Hello @vishnusoni,
Your integration script should be using a dedicated service account to interact with the Chronicle API. If you don't have one, create it in your Google Cloud project that is linked to your Chronicle instance. For REST authentication, be sure to send an Authorization header with your access token when making the request.
For the legacyGetAlert endpoint permissions, I would recommend the service account have Chronicle API Viewer (roles/chronicle.viewer) which provides read-only access. If you need very specific control and want to grant only the chronicle.legacies.legacyGetAlert permission (and perhaps a few others) without the broader set of permissions in a predefined role, you can create a custom IAM role. Note, a baseline permission like chronicle.instances.get is often required for any interaction with a Chronicle instance, even to make other API calls. The predefined roles like Chronicle API Viewer usually include this and are easier to get started with.
For legacySearchAlerts, that particular endpoint appears to never have been fully implemented. Hence why it is hidden and not searchable in the left menu bar unlike legacyGetAlert. I have made a request to remove that page to avoid confusion and prevent it from being indexed in Google searches.
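As an added example that is not part of this thread (not Google's code), here is a Python script covering the legacyGetAlert request shown earlier and the service-account advice in the reply above: it builds the regional URL with `alertId` and `includeDetections`, mints an access token from a service-account key with google-auth, sends it as a Bearer token, and maps the 401/403/404 responses discussed in the thread to their likely causes. Assumptions not stated in the thread: the `cloud-platform` OAuth scope, that the host prefix always matches the `locations/` segment as it does in the US example, the key file path, and the constructed alert body returned by `demo_transport`.

```python
"""Added example (not code from the thread or from Google): call the SIEM
legacy:legacyGetAlert endpoint with a service-account access token, using the
regional host that worked in the thread, and map 401/403/404 to their causes.

Assumptions: the cloud-platform OAuth scope, host prefix == location segment,
a service-account key file path, and the constructed body from `demo_transport`."""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"  # assumed scope

# (url, headers) -> (HTTP status, decoded JSON body)
Transport = Callable[[str, Dict[str, str]], Tuple[int, dict]]


def build_get_alert_url(region: str, project_id: str, instance_id: str,
                        alert_id: str, include_detections: bool = True) -> str:
    """Regional host (e.g. us-chronicle.googleapis.com) plus the locations/{region} path segment."""
    base = f"https://{region}-chronicle.googleapis.com/v1alpha"
    path = f"/projects/{project_id}/locations/{region}/instances/{instance_id}/legacy:legacyGetAlert"
    query = urllib.parse.urlencode({
        "alertId": alert_id,
        "includeDetections": "true" if include_detections else "false",
    })
    return f"{base}{path}?{query}"


def explain_status(status: int) -> str:
    """Turn the three statuses seen in the thread into an actionable hint."""
    hints = {
        401: "missing or invalid bearer token: send 'Authorization: Bearer <token>' from the service account",
        403: "token accepted but IAM denied: grant roles/chronicle.viewer, or a custom role with "
             "chronicle.legacies.legacyGetAlert plus chronicle.instances.get",
        404: "wrong host or path: use the regional host and check the project and instance ids",
    }
    return hints.get(status, f"unexpected HTTP {status}")


def service_account_token(key_file: str) -> str:
    """Mint an access token with google-auth (imported lazily; only needed for real calls)."""
    from google.auth.transport.requests import Request
    from google.oauth2 import service_account
    creds = service_account.Credentials.from_service_account_file(key_file, scopes=[CLOUD_PLATFORM_SCOPE])
    creds.refresh(Request())
    return creds.token


def _http_get(url: str, headers: Dict[str, str]) -> Tuple[int, dict]:
    """Real transport using only the standard library."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, {}


def get_alert(url: str, token: str, transport: Optional[Transport] = None) -> dict:
    """GET the alert; raise with a hint on any non-200 status."""
    status, body = (transport or _http_get)(url, {"Authorization": f"Bearer {token}"})
    if status != 200:
        raise RuntimeError(f"legacyGetAlert failed with HTTP {status}: {explain_status(status)}")
    return body


def demo_transport(url: str, headers: Dict[str, str]) -> Tuple[int, dict]:
    """Constructed responses: empty/missing bearer token -> 401, otherwise a fake alert body."""
    parts = headers.get("Authorization", "").split(" ", 1)
    if len(parts) != 2 or parts[0] != "Bearer" or not parts[1]:
        return 401, {}
    alert_id = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)["alertId"][0]
    return 200, {"alert": {"id": alert_id, "detections": []}}  # constructed shape, not the real schema


if __name__ == "__main__":
    url = build_get_alert_url("us", "PROJECT_ID", "INSTANCE_ID", "ALERT_ID")
    print(url)
    # Real run: get_alert(url, service_account_token("sa-key.json"))
    print(json.dumps(get_alert(url, "fake-token", transport=demo_transport), indent=2))
```

Feed the `ticketIds` collected from CaseSearchEverything into `build_get_alert_url` one at a time; a 403 after the token is accepted points at the IAM grant on the service account, not at the token itself.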
Hi @AaronR,
Thanks for addressing the issue.
I have updates to share with you on what is causing a blocker for me.
1. legacyGetAlert
I've assigned the required IAM permission to my dedicated Service Account, but it is still giving me a 403 IAM permission error.
2. Question: What can be an alternative to legacySearchAlerts?
I’ve found two potential alternatives to ListAlerts:
legacySearchRulesAlerts – This endpoint is suggested for alerts generated by rules in SecOps' detection engine.
legacyFetchAlertsView – This endpoint is used in the SDK for the get_alerts functionality. SDK link
What are your thoughts? Which one would you recommend, or do you have any other suggestions apart from these?