+6Hello everyone,
For compliance reasons, I need to back up the generated alerts from Google Chronicle along with the respective log entries associated with those events.
Could anyone point me to Google documentation or provide information on how to accomplish this?
Thank you.
Best answer by KyHud
Hey Zorghost,
I've recently built something which performs this for a compliance issue my side - and I achieved this by writing a python script external to siemplify and utilising the API.
The general flow of the script would be to establish the timeframe you are wanting to pull back cases for - then utilising the API endpoint:
/api/external/v1/search/CaseSearchEverything to retrieve a list of case ID's which satisfy the timeframe requirement.
Once you have the list of CaseID's you can then iterate through the case ID's with the API endpoint:
/api/external/v1/dynamic-cases/GetCaseDetails/{caseId}
This will pull back a json with more detailed information about the case.
You can then format the data how you wish and save in a format suitable for archive - you can also use other API's if you wish in combination with the above if you require additional information.
For more documentation on API endpoints - please visit https://<YourSOARInstanceURL>/swagger/index.html as this is where API endpoints are documented complete with payload schemas 🙂 Note - if you are going to be interacting with a high volume of cases - you may wish to build in some deliberate delay as Google Armor has a rate limit of 900 requests per minute (https://cloud.google.com/chronicle/docs/soar/reference/working-with-chronicle-soar-apis)
Cheers
K
+5Hey Zorghost,
I've recently built something which performs this for a compliance issue my side - and I achieved this by writing a python script external to siemplify and utilising the API.
The general flow of the script would be to establish the timeframe you are wanting to pull back cases for - then utilising the API endpoint:
/api/external/v1/search/CaseSearchEverything to retrieve a list of case ID's which satisfy the timeframe requirement.
Once you have the list of CaseID's you can then iterate through the case ID's with the API endpoint:
/api/external/v1/dynamic-cases/GetCaseDetails/{caseId}
This will pull back a json with more detailed information about the case.
You can then format the data how you wish and save in a format suitable for archive - you can also use other API's if you wish in combination with the above if you require additional information.
For more documentation on API endpoints - please visit https://<YourSOARInstanceURL>/swagger/index.html as this is where API endpoints are documented complete with payload schemas 🙂 Note - if you are going to be interacting with a high volume of cases - you may wish to build in some deliberate delay as Google Armor has a rate limit of 900 requests per minute (https://cloud.google.com/chronicle/docs/soar/reference/working-with-chronicle-soar-apis)
Cheers
K
+6Hey Zorghost,
I've recently built something which performs this for a compliance issue my side - and I achieved this by writing a python script external to siemplify and utilising the API.
The general flow of the script would be to establish the timeframe you are wanting to pull back cases for - then utilising the API endpoint:
/api/external/v1/search/CaseSearchEverything to retrieve a list of case ID's which satisfy the timeframe requirement.
Once you have the list of CaseID's you can then iterate through the case ID's with the API endpoint:
/api/external/v1/dynamic-cases/GetCaseDetails/{caseId}
This will pull back a json with more detailed information about the case.
You can then format the data how you wish and save in a format suitable for archive - you can also use other API's if you wish in combination with the above if you require additional information.
For more documentation on API endpoints - please visit https://<YourSOARInstanceURL>/swagger/index.html as this is where API endpoints are documented complete with payload schemas 🙂 Note - if you are going to be interacting with a high volume of cases - you may wish to build in some deliberate delay as Google Armor has a rate limit of 900 requests per minute (https://cloud.google.com/chronicle/docs/soar/reference/working-with-chronicle-soar-apis)
Cheers
K
Thank you very much for the reply and I really appreciate your help @KyHud . I still got some things to clarify if you don´t mind: What access do I need to create an integration that does this Job ? Do I have to provision a service account with access to the API endpoints for this ? Thank you in advance !
+5Hey - no problem,
I actually created the solution to this off platform - as it was easier to save it to local disk than to worry about a storage solution / cloud storage solution on top of what I was doing. I used an API key with these highlighted permissions:
You can create API Keys (once you have created an appropriate permissions set) from settings > advanced > API Keys - and you will want to give it permissions for all environments when you create the key.
If you already have a solution for storage (email file or otherwise) you can make this a job within the SOAR platform - which doesn't require any additional api key as you can use the siemplify libraries to perform the actions for you instead. A full list of library functions can be found here https://github.com/chronicle/soar-sdk/tree/main.
Let me know how you get on!
Cheers
Kyle
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.
