custom action on top of the chronicle integration to fetch alerts from legacySearchAlerts

Hello everyone,

I am trying to create a custom action on top of the Chronicle integration in SOAR to fetch alerts from the API endpoint legacySearchAlerts. For that I will be leveraging the existing default service account that has been used to set up the integration.

My questions are:

  • Does this service account require any extra permissions to work, or does it already come with all the needed permissions?
  • Should the scope also be https://www.googleapis.com/auth/cloud-platform, the same as stated in the documentation?

I know that Chronicle provides samples for some frequent jobs/actions that users request. Is anyone aware of any sample Python that can be leveraged to create an action associated with the endpoint mentioned above?

Thank you in advance for the support!

Accepted solution

Hey!

So, the service account (SA) you have configured in the Chronicle Integration doesn't use the same API as the endpoint you're trying to use. All methods under Chronicle API (Alpha1) require an SA in the project associated with your deployment—this would be a project from your organization.

Chronicle Integration leverages an SA in a Google-managed project and uses different API methods.

Are you trying to get a list of alerts to use in the playbook? Is there any specific data you are trying to retrieve?

If all you want to do is use the endpoint and capture the response—basically just hitting the API—you could use the new GoogleCloudApi integration (you will need a new set of credentials—a new SA). Then, you can pretty much use any endpoint under the Chronicle API, depending on the permissions of the SA. If you can provide additional details about your use case, I might be able to give you some alternatives and more details on how to implement it.

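As an added example (not code from the thread, the Chronicle integration, or the GoogleCloudApi integration), here is the skeleton of a stand-alone Python action that follows the accepted answer: it authenticates with a service account key from the customer's own project, requests the cloud-platform scope the question mentions, and calls legacySearchAlerts. The request URL shape (`https://{location}-chronicle.googleapis.com/v1alpha/projects/{project}/locations/{location}/instances/{instance}/legacy:legacySearchAlerts`), the query parameter names (`timeRange.startTime`, `timeRange.endTime`, `maxNumAlertsToReturn`), the `alerts` response field, and the project/instance values are assumptions; check them against the Chronicle API documentation. The `key_matches_project` check encodes the answer's point that the key must belong to a project in your organization rather than the Google-managed project behind the integration.

```python
"""Added example: a minimal legacySearchAlerts fetch for a custom SOAR action.

Only the network call needs google-auth (pip install google-auth requests);
the request-building and response-parsing helpers are standard library so
they can be unit-tested without credentials.
"""
import json
from datetime import datetime, timezone

# Scope named in the question; the Chronicle API is a Google Cloud API.
SCOPE = "https://www.googleapis.com/auth/cloud-platform"

# Constructed sample values used by example_request(); replace with your own.
SAMPLE_PROJECT = "my-project"              # placeholder project id
SAMPLE_LOCATION = "us"                     # placeholder Chronicle location
SAMPLE_INSTANCE = "instance-placeholder"   # placeholder instance id
SAMPLE_START = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_END = datetime(2024, 1, 2, tzinfo=timezone.utc)


def rfc3339(ts: datetime) -> str:
    """Format a timezone-aware datetime as RFC 3339 UTC with a trailing Z."""
    if ts.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_request(project: str, location: str, instance: str,
                  start: datetime, end: datetime, max_alerts: int = 100):
    """Return (url, params) for a legacySearchAlerts call.

    URL layout and parameter names are assumptions (see lead-in).
    """
    if end <= start:
        raise ValueError("end must be after start")
    if max_alerts < 1:
        raise ValueError("max_alerts must be positive")
    url = (f"https://{location}-chronicle.googleapis.com/v1alpha/"
           f"projects/{project}/locations/{location}/instances/{instance}"
           f"/legacy:legacySearchAlerts")
    params = {
        "timeRange.startTime": rfc3339(start),
        "timeRange.endTime": rfc3339(end),
        "maxNumAlertsToReturn": max_alerts,
    }
    return url, params


def key_matches_project(key: dict, project: str) -> bool:
    """True if a service-account key file belongs to the expected project.

    The accepted answer notes the integration's SA lives in a Google-managed
    project and cannot call this API; a key from your own project records
    that project in its project_id field.
    """
    return key.get("type") == "service_account" and key.get("project_id") == project


def parse_alerts(body: dict) -> list:
    """Extract the alert list from a response body ('alerts' field assumed)."""
    alerts = body.get("alerts", [])
    if not isinstance(alerts, list):
        raise ValueError("unexpected response shape: 'alerts' is not a list")
    return alerts


def example_request():
    """Build the request for the constructed sample values above."""
    return build_request(SAMPLE_PROJECT, SAMPLE_LOCATION, SAMPLE_INSTANCE,
                         SAMPLE_START, SAMPLE_END, max_alerts=50)


def fetch_alerts(key_path: str, project: str, location: str, instance: str,
                 start: datetime, end: datetime, max_alerts: int = 100) -> list:
    """Authenticate as the SA in key_path and return the matching alerts."""
    # Lazy import so the pure helpers above work without google-auth installed.
    from google.oauth2 import service_account
    from google.auth.transport.requests import AuthorizedSession

    with open(key_path, encoding="utf-8") as fh:
        key = json.load(fh)
    if not key_matches_project(key, project):
        raise ValueError("service-account key does not belong to the target project")

    creds = service_account.Credentials.from_service_account_info(key, scopes=[SCOPE])
    session = AuthorizedSession(creds)
    url, params = build_request(project, location, instance, start, end, max_alerts)
    resp = session.get(url, params=params, timeout=60)
    resp.raise_for_status()
    return parse_alerts(resp.json())


if __name__ == "__main__":
    url, params = example_request()
    print(url)
    print(json.dumps(params, indent=2))
```

Inside a SOAR action you would read the key JSON and the project/location/instance values from the action's configured parameters rather than from a file path, and pass the returned list to the playbook; the helper functions stay the same.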