Skip to main content
Solved

Bulk Close Alerts in SIEM

  • March 20, 2024
  • 4 replies
  • 58 views
E
Forum|alt.badge.img+2

Is there a method to close multiple alerts simultaneously in the SIEM? We've faced an issue where rules set as 'Live' but with 'Alerting OFF' generated alerts in the SIEM. These rules are intended for monitoring purposes and not to trigger alerts.

Best answer by aliraj

I am aware there is a feature request for this functionality but at this moment this is not possible from UI or API.

TimNemceff

4 replies

A
Forum|alt.badge.img+1
  • alirajBronze 1
  • Bronze 1
  • Answer
  • March 20, 2024

I am aware there is a feature request for this functionality but at this moment this is not possible from UI or API.

TimNemceff
E
Forum|alt.badge.img+2
  • ev13
  • Author
  • New Member
  • March 20, 2024

Hi @aliraj , is there a public list where we can find that feature request? I'm just trying to reference that to avoid raising this request.

These are the links that was shared to achieve this via API.


API to close alerts in SIEM: https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances.legacy/legacyUpdateAlert#LegacyFeedback

You will need the Alert IDs as input to that, so you would need this endpoint for this purpose: https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances.legacy/legacySearchDetections

Unfortunately, I don't have the capability to create a python script to achieve this. 

TimNemceff
TimNemceff
Staff
Forum|alt.badge.img+2
  • TimNemceff
  • Staff
  • March 20, 2024

I think you'll need to ask customer support to add you to the existing internal feature request for this - I'm not aware of any public list.

A
DanDye
Staff
Forum|alt.badge.img+5
  • DanDye
  • Staff
  • July 30, 2024

Hi @aliraj , is there a public list where we can find that feature request? I'm just trying to reference that to avoid raising this request.

These are the links that was shared to achieve this via API.


API to close alerts in SIEM: https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances.legacy/legacyUpdateAlert#LegacyFeedback

You will need the Alert IDs as input to that, so you would need this endpoint for this purpose: https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances.legacy/legacySearchDetections

Unfortunately, I don't have the capability to create a python script to achieve this. 


Unfortunately, I don't have the capability to create a python script to achieve this. 

I've got you, @ev13!  I published this blog post today that describes usage for new python scripts to bulk close alerts: Bulk closing alerts with Python and the Google Security Operations API 

Terms & ConditionsCookie settingsAccessibility statement
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.