@Rene_Figueroa , @cmorris , @kentphelps
Hi all,
You've been helpful in my previous threads, so I'm tagging you here directly as I haven't received a response on this new one. Hoping to get some input by the end of the day. Thanks in advance!
I think you have opened a support case for this, so we will also reply there. In short, Curated Detections have their own dedicated endpoints.
To get the Curated Detections, you must use the https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances.curatedRules/list endpoint. The Curated rule ID is returned in the "name" field.
You can then pass the rule ID in https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances.legacy/legacySearchCuratedDetections to get all the detections. If you only want to receive the alerts, then you must pass the "alertState" parameter and set it to "ALERTING".
https://cloud.google.com/chronicle/docs/reference/rest/Shared.Types/AlertState
I have tested the APIs I mentioned below and verified they work as expected.
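The two-step flow from the reply above (list curated rules, then search each rule's detections with alertState set to ALERTING), as an added example that is not part of the original post or of Google's sample code. The `ruleId` and `pageToken` parameters, the `curatedRules`, `curatedDetections` and `nextPageToken` response keys, the `legacy:` path form, and taking the last segment of "name" as the rule ID are assumptions to check against the linked reference; `FakeSession` and the sample data are constructed so the block runs offline.

```python
# Added example. From the thread: the curatedRules path, the "name" field and
# alertState=ALERTING. Every name marked "assumed" must be checked in the docs.
BASE = "https://us-chronicle.googleapis.com/v1alpha"
INSTANCE = "projects/<project_id>/locations/us/instances/<customer_id>"
SEARCH = "legacy:legacySearchCuratedDetections"  # assumed REST path form

def paged(session, url, params, key):
    """Yield items from every page; a body without `key` is an empty page."""
    params = dict(params)
    while True:
        resp = session.get(url, params=params)
        resp.raise_for_status()
        body = resp.json()
        yield from body.get(key, [])
        if not body.get("nextPageToken"):  # assumed paging field
            return
        params["pageToken"] = body["nextPageToken"]  # assumed parameter

def alerting_detections(session, instance, extra=None):
    """Map each curated rule ID to the list of its alerting detections.
    Other query parameters the reference defines go in `extra`."""
    found = {}
    rules_url = f"{BASE}/{instance}/curatedRules"
    for rule in paged(session, rules_url, {}, "curatedRules"):  # assumed key
        rule_id = rule["name"].rsplit("/", 1)[-1]  # assumed: ID is last segment
        query = {"ruleId": rule_id, "alertState": "ALERTING", **(extra or {})}
        search_url = f"{BASE}/{instance}/{SEARCH}"
        found[rule_id] = list(paged(session, search_url, query, "curatedDetections"))
    return found  # {} means no curated rules were returned at all

class FakeResponse:
    def __init__(self, body): self.body = body
    def raise_for_status(self): pass
    def json(self): return self.body

class FakeSession:
    """Constructed offline stand-in for AuthorizedSession; responses are keyed
    on (last URL segment, ruleId, pageToken)."""
    def __init__(self, bodies): self.bodies = bodies
    def get(self, url, params=None):
        p = params or {}
        key = (url.rsplit("/", 1)[-1], p.get("ruleId"), p.get("pageToken"))
        return FakeResponse(self.bodies.get(key, {}))

SAMPLE = {  # constructed responses; rule and detection IDs are made up
    ("curatedRules", None, None): {
        "curatedRules": [{"name": "x/curatedRules/ur_a"}], "nextPageToken": "t1"},
    ("curatedRules", None, "t1"): {"curatedRules": [{"name": "x/curatedRules/ur_b"}]},
    (SEARCH, "ur_a", None): {"curatedDetections": [{"id": "de_1"}, {"id": "de_2"}]},
}
```

Against a real instance, pass an `AuthorizedSession` in place of `FakeSession`; an empty result dict means the rule list itself came back empty, which is a different condition from rules that have no alerting detections.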
Hey @Rene_Figueroa ,
Thank you so much for addressing the issue here also and for sharing the flow.
I'm using the list_curated_rules function in my Google SecOps script to fetch curated rules from the following endpoint: ListCuratedRules
Although I have 13 curated detections enabled in my SecOps instance, the response from this endpoint is still coming back empty.
Do you have any insights on why this might be happening? Is there any additional configuration needed to retrieve these rules?
Here's the function method which I'm using:
from google.auth.transport import requests
from requests.exceptions import HTTPError


def list_curated_rules(http_session: requests.AuthorizedSession):
    print("\nHitting rules API...")
    instance = 'projects/<project_id>/locations/us/instances/<customer_id>'
    url = f"https://us-chronicle.googleapis.com/v1alpha/{instance}/curatedRules"
    try:
        response = http_session.request("GET", url)
        print("Status Code: ", response.status_code)
        response.raise_for_status()
        result = response.json()
        print("Result: ", result)
    except HTTPError as e:
        print(f"HTTPError occurred: {e}")
        # A Response with an error status is falsy, so compare against None
        # instead of testing its truth value.
        if e.response is not None:
            print(f"Response content: {e.response.text}")
        raise
    except Exception as e:
        print(f"An unexpected error occurred: {e}")
        raise
Here's the output:

Hi @vishnusoni at first glance, the function looks okay; I think the issue with your function might be with how the API response is processed.
We have sample code to interact with our Chronicle API. You can find it in our GitHub:
https://github.com/chronicle/api-samples-python/tree/master
We have a module for CuratedDetection list:
https://github.com/chronicle/api-samples-python/blob/master/detect/v1alpha/list_rules.py
I tested it and can see that we get the CuratedDetection rules. You can run it in this manner:
@user:~/api-samples-python$ python3 -m detect.v1alpha.list_rules -i customerID -p projectID
Hi @vishnusoni did the above work for you?
Hey @Rene_Figueroa ,
Thanks so much for your continued support!
Yes, the approach you suggested worked perfectly. We just had to enable some Curated Detections on our SecOps instance, and everything is running smoothly now.
I do have one last question: I remember seeing Rate Limit Quotas for the Chronicle V1-alpha endpoint somewhere, but I can’t seem to find it in the documentation anymore. Could you please point me to the reference link where I can find the rate limits for all Chronicle V1-alpha endpoints?
Thanks again!
I found these two references:
But there's nothing related to Chronicle v1-alpha endpoints. I'm interested in these endpoints especially:
- Legacy Search Rules Alerts
- Legacy Search Enterprise Wide IoCs
- Legacy Search Detections
- Legacy Search Curated Detections
- List Rules
- List Curated Rules
- UDM Search
Hi @vishnusoni, you can find quotas for the Chronicle API, including the v1Alpha version, within your own BYOP project. Here's an image that demonstrates where you're able to find the information! Side Note: I don't believe these quotas are adjustable by customers.
Hey @maxsiris ,
Thanks for sharing this. We have been through this approach, but we're more interested to see if it's documented somewhere in the documentation!