Bulk Close Alerts in SIEM

Question

Is there a method to close multiple alerts simultaneously in the SIEM? We've faced an issue where rules set as 'Live' but with 'Alerting OFF' generated alerts in the SIEM. These rules are intended for monitoring purposes and not to trigger alerts.

aliraj · Accepted Answer

I am aware there is a feature request for this functionality but at this moment this is not possible from UI or API.

ev13 · Answer

Hi @aliraj , is there a public list where we can find that feature request? I'm just trying to reference that to avoid raising this request.

These are the links that was shared to achieve this via API.

API to close alerts in SIEM: https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances.legacy/legacyUpdateAlert#LegacyFeedback

You will need the Alert IDs as input to that, so you would need this endpoint for this purpose: https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances.legacy/legacySearchDetections

Unfortunately, I don't have the capability to create a python script to achieve this.

Unfortunately, I don't have the capability to create a python script to achieve this.

I've got you, @ev13! I published this blog post today that describes usage for new python scripts to bulk close alerts: Bulk closing alerts with Python and the Google Security Operations API

Reply

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded