Custom action on top of the Chronicle integration to fetch alerts from legacySearchAlerts

Hello everyone,

I am trying to create a custom action on top of the Chronicle integration in SOAR to fetch alerts from the API endpoint legacySearchAlert. For that I will be leveraging the existing default service account that has been used to set up the integration.

My questions are:

  • Does this service account require any extra permissions to work, or does it already come with all the needed permissions?
  • Should the scope also be https://www.googleapis.com/auth/cloud-platform, the same as stated in the documentation?

I know that Chronicle provides samples for some frequent jobs/actions that users request. Is anyone aware of any sample Python that can be leveraged to create an action associated with the endpoint mentioned above?

Thank you in advance for the support!


Hey!

So, the service account (SA) you have configured in the Chronicle Integration doesn't use the same API as the endpoint you're trying to use. All methods under Chronicle API (Alpha1) require an SA in the project associated with your deployment—this would be a project from your organization.

Chronicle Integration leverages an SA in a Google-managed project and uses different API methods.

Are you trying to get a list of alerts to use in the playbook? Is there any specific data you are trying to retrieve?

If all you want to do is use the endpoint and capture the response—basically just hitting the API—you could use the new GoogleCloudApi integration (you will need a new set of credentials—a new SA). Then, you can pretty much use any endpoint under the Chronicle API, depending on the permissions of the SA. If you can provide additional details about your use case, I might be able to give you some alternatives and more details on how to implement it.

Good day,

First of all, thank you very much @josemarin for the reply!

“Are you trying to get a list of alerts to use in the playbook? Is there any specific data you are trying to retrieve?”

Yes, we will basically capture the JSON response body (a list of the closed alerts), then use a playbook to process these alerts and generate metadata, and then archive the alerts with their associated information somewhere. Basically this is my use case. I am also trying to avoid using listalert since it is getting deprecated.

May I know what you mean by the new GoogleCloudAPI integration?

On 09/25 Google released an integration to the marketplace called "Google Cloud API". It basically works the same way as this one, but it's specific for Google APIs where you need an SA and scopes to authenticate to the API. It's like having a "Postman" client of sorts inside SecOps. Very useful for capturing API requests or just hitting API endpoints.

If you are planning to do a lot of parsing and heavy logic on the result, you might need to go the Python way, but that will have to be a separate integration from the Chronicle one.

Hi @josemarin, do you think it makes sense to just add the necessary permissions to the default service account that is being managed by Google on the Chronicle SIEM project level from our end, in order to interact with the required API endpoint?

Unfortunately that won't work. The SA to leverage the new API must be hosted in your org and linked to the project associated with your SecOps deployment.