Skip to main content

Clarifications Needed on Google SecOps Rule and Detection APIs

  • July 2, 2025
  • 9 replies
  • 55 views
vishnusoni
Forum|alt.badge.img+4
We are currently working on an integration involving Google SecOps and would appreciate some clarification on a few points.
 
Alert Retrieval
We are using the legacySearchRulesAlerts endpoint to retrieve alerts from the instance. We have the following questions regarding its behavior:
  1. Does this endpoint return alerts generated by both customer-defined rules and curated rules?
  2. If not, is there a separate endpoint that can retrieve alerts specifically from curated rules?
 
Detection Retrieval
As part of our detection retrieval capability, we are currently using the legacySearchDetections endpoint, which requires a ruleId as a mandatory query parameter. To gather the ruleId values, we are using the listRules endpoint. Here are our questions in this context:
  1. Does the listRules endpoint return rule information for both customer-defined and curated rules?
  2. If not, what is the appropriate method to fetch detections triggered by curated rules?
  3. We came across the curatedRules endpoint and attempted to use it, but received an empty response. Additionally, based on the documentation, the response structure does not seem to include ruleId, which is required by the legacySearchCuratedDetections endpoint.
  4. Given this, could you advise on the correct way to utilize the legacySearchCuratedDetections endpoint?
 
We’d greatly appreciate any insights or guidance you can provide to help us move forward effectively.
Thank you!

9 replies

vishnusoni
Forum|alt.badge.img+4
  • vishnusoni
  • Author
  • New Member
  • July 7, 2025

@Rene_Figueroa , @cmorris , @kentphelps 

Hi all,
You've been helpful in my previous threads, so I'm tagging you here directly as I haven't received a response on this new one. Hoping to get some input by the end of the day. Thanks in advance!

D
Rene_Figueroa
Staff
Forum|alt.badge.img+10

@Rene_Figueroa , @cmorris , @kentphelps 

Hi all,
You've been helpful in my previous threads, so I'm tagging you here directly as I haven't received a response on this new one. Hoping to get some input by the end of the day. Thanks in advance!


I think you have opened a support case for this, so we will also reply there. In short, CurateDetections have their own dedicated endpoints. 

To get the Curated Detections, you must use the https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances.curatedRules/list endpoint. The Curated rule ID is returned in the "name" field. 

You can then pass the rule ID in https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances.legacy/legacySearchCuratedDetections to get all the detections. If you only want to receive the alerts, then you must pass the "alertState" parameter and set it to "ALERTING". 

https://cloud.google.com/chronicle/docs/reference/rest/Shared.Types/AlertState

I have test the APIs I mentioned below and verified they work as expected.

 

vishnusoni
Forum|alt.badge.img+4
  • vishnusoni
  • Author
  • New Member
  • July 8, 2025

Hey @Rene_Figueroa ,

Thanks you so much for addressing the issue here also and for sharing the flow.

I'm using the list_curated_rules function in my Google SecOps script to fetch curated rules from the following endpoint: ListCuratedRules

Although I have 13 curated detections enabled in my SecOps instance, the response from this endpoint is still coming back empty.

Do you have any insights on why this might be happening? Is there any additional configuration needed to retrieve these rules?



Here's the function method which I'm using:

 

def list_curated_rules(http_session: requests.AuthorizedSession): print(f"\\nHitting rules API...") instance = 'projects/<project_id>/locations/us/instances/<customer_id>' url = f"https://us-chronicle.googleapis.com/v1alpha/{instance}/curatedRules" try: response = http_session.request("GET", url) print("Status Code: ", response.status_code) response.raise_for_status() result = response.json() print("Result: ", result) except HTTPError as e: print(f"HTTPError occurred: {e}") if response: print(f"Response content: {response.text}") raise except Exception as e: print(f"An unexpected error occurred: {e}") raise

 



Here's the output:

 

Rene_Figueroa
Staff
Forum|alt.badge.img+10

Hey @Rene_Figueroa ,

Thanks you so much for addressing the issue here also and for sharing the flow.

I'm using the list_curated_rules function in my Google SecOps script to fetch curated rules from the following endpoint: ListCuratedRules

Although I have 13 curated detections enabled in my SecOps instance, the response from this endpoint is still coming back empty.

Do you have any insights on why this might be happening? Is there any additional configuration needed to retrieve these rules?



Here's the function method which I'm using:

 

def list_curated_rules(http_session: requests.AuthorizedSession): print(f"\\nHitting rules API...") instance = 'projects/<project_id>/locations/us/instances/<customer_id>' url = f"https://us-chronicle.googleapis.com/v1alpha/{instance}/curatedRules" try: response = http_session.request("GET", url) print("Status Code: ", response.status_code) response.raise_for_status() result = response.json() print("Result: ", result) except HTTPError as e: print(f"HTTPError occurred: {e}") if response: print(f"Response content: {response.text}") raise except Exception as e: print(f"An unexpected error occurred: {e}") raise

 



Here's the output:

 


Hi @vishnusoni at first glance, the function looks okay; I think the issue with your function might be with how the API response is processed.

We have sample code to interact with our Chronicle API. You can find it in our Github:

https://github.com/chronicle/api-samples-python/tree/master

We have a module for CuratedDetection list:

https://github.com/chronicle/api-samples-python/blob/master/detect/v1alpha/list_rules.py

I tested it and can see that we get the CuratedDetection rules. You can run in this manner:

@user:~/api-samples-python$ python3 -m detect.v1alpha.list_rules -i customerID -p projectID

 

Rene_Figueroa
Staff
Forum|alt.badge.img+10

Hi @vishnusoni at first glance, the function looks okay; I think the issue with your function might be with how the API response is processed.

We have sample code to interact with our Chronicle API. You can find it in our Github:

https://github.com/chronicle/api-samples-python/tree/master

We have a module for CuratedDetection list:

https://github.com/chronicle/api-samples-python/blob/master/detect/v1alpha/list_rules.py

I tested it and can see that we get the CuratedDetection rules. You can run in this manner:

@user:~/api-samples-python$ python3 -m detect.v1alpha.list_rules -i customerID -p projectID

 


Hi @vishnusoni did the above work for you?

vishnusoni
Forum|alt.badge.img+4
  • vishnusoni
  • Author
  • New Member
  • July 14, 2025

Hi @vishnusoni did the above work for you?


Hey @Rene_Figueroa ,

Thanks so much for your continued support!

Yes, the approach you suggested worked perfectly. We just had to enable some Curated Detections on our SecOps instance, and everything is running smoothly now.

I do have one last question: I remember seeing Rate Limit Quotas for the Chronicle V1-alpha endpoint somewhere, but I can’t seem to find it in the documentation anymore. Could you please point me to the reference link where I can find the rate limits for all Chronicle V1-alpha endpoints?

Thanks again!

vishnusoni
Forum|alt.badge.img+4
  • vishnusoni
  • Author
  • New Member
  • July 14, 2025

Hey @Rene_Figueroa ,

Thanks so much for your continued support!

Yes, the approach you suggested worked perfectly. We just had to enable some Curated Detections on our SecOps instance, and everything is running smoothly now.

I do have one last question: I remember seeing Rate Limit Quotas for the Chronicle V1-alpha endpoint somewhere, but I can’t seem to find it in the documentation anymore. Could you please point me to the reference link where I can find the rate limits for all Chronicle V1-alpha endpoints?

Thanks again!


I found these two references:

But there's nothing related to Chronicle v1-alpha endpoints. I'm interested in these endpoints specially:

  1. Legacy Search Rules Alerts
  2. Legacy Search Enterprise Wide IoCs
  3. Legacy Search Detections
  4. Legacy Search Curated Detections
  5. List Rules
  6. List Curated Rules
  7. UDM Search
M
Staff
Forum|alt.badge.img
  • maxsiris
  • Staff
  • July 14, 2025

Hi @vishnusoni, you can find quotas for the Chronicle API, including the v1Alpha version, within your own BYOP project. Here's an image the demonstrates where you're able to find the information! Side Note: I don't believe these quotas are adjustable by customers.

vishnusoni
Forum|alt.badge.img+4
  • vishnusoni
  • Author
  • New Member
  • July 15, 2025

Hi @vishnusoni, you can find quotas for the Chronicle API, including the v1Alpha version, within your own BYOP project. Here's an image the demonstrates where you're able to find the information! Side Note: I don't believe these quotas are adjustable by customers.


Hey @maxsiris ,
Thanks for sharing this, we have been through this approach but we're more interested to see if it's documented somewhere in Documentations!

Terms & ConditionsCookie settingsAccessibility statement
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.