Solved

createentities - IngestionAPI - Entities not findable

  • December 9, 2024
  • 6 replies


Hey everybody!

Is anyone successfully ingesting entities via the createentities endpoint of the ingestion API (https://cloud.google.com/chronicle/docs/reference/ingestion-api#createentities) and able to find those entities in their BigQuery data lake, or able to use those entities via the entity_graph in detection rules?

After ingesting the entities and receiving a 200 from the API, none of the entities can be found. Any experiences here, caveats I might not have thought of, or low-hanging fruit I can try to get the desired outcome?

Thank you in advance and best regards

Tim

6 replies

  • Bronze 1
  • December 9, 2024

Hi @dithmer 

I've used the Entity API to successfully send data to SecOps. Entities can't be searched via /Search, but you can do a raw log search to find them.

Query for .* on the ingestion label you're using, and if they exist you can see the raw log and normalized data. Entity data, I believe, only persists for 5 days before aging out.

You can also confirm their existence by reviewing the Ingestion Dashboard for the Entity data label.


  • Author
  • New Member
  • December 9, 2024

First of all: Thank you for the answer.

Sadly, I have already tried to use the raw log search, Looker dashboards and querying the BigQuery data lake directly.
No data is findable, but I am absolutely sure (checked it like a thousand times) that I was using the right service account file and the right customer ID in the request body. I also double-checked multiple times that when we are querying, we are using the correct log type. Still no data to find.

But if you say you did it already successfully, there is at least some hope. I hope there are people here who experienced the same issue in the past.


  • Bronze 1
  • December 9, 2024

I've seen issues in the past with logs when the date wasn't current (I believe it's anything over 6 months) not being saved.

I'm not sure what error the service would report if the Entity payload was malformed, but it might be worth reviewing your Entity data as well for any issues. The fact you get a 200 response tells me you're likely doing everything right.


  • Author
  • New Member
  • December 11, 2024

Thanks for your input.

Even though I was pretty sure I was doing everything right with dates/times, I went to look into it again. Without success. For me it looks absolutely correct. Nothing too far back, rather very current data.

I already had an issue before, causing a "400 - Bad Request", which I was able to fix with an engineer from Google itself. So I already know the things that can go wrong with a malformed request.

I start to become absolutely clueless 🙂


  • Bronze 1
  • December 11, 2024

Apologies you're still having trouble. Good to know the service reports a 400 for malformed Entity data.

I did check our most recent service call using that endpoint just in case. I was able to verify that the expected data was available within my tenants.

I could provide you with a sample payload from our service, but likely not very valuable since your service is reporting a 200 response.

Since the response is successful, and the data is unavailable, this might unfortunately require a support case with Google.


  • Author
  • New Member
  • Answer
  • January 14, 2025

To close this one:

I found the mistake: a very slight error in the datetime format, which caused the entities to be so far in the past that they could not be found.
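The root cause in this thread was a timestamp that parsed but landed far in the past, so the API accepted the payload with a 200 and the entities silently aged out of view. A cheap defence is to validate every entity timestamp before the request is sent: it must be a well-formed RFC 3339 UTC string, and it must fall inside a plausible window. The script below is an added example written for this page, not code from the original poster or from Google. It assumes a createentities request body with an `entities` list whose elements carry `metadata.collected_timestamp` (the UDM entity field this check inspects, an assumption about where the relevant timestamp lives in your payload), and it borrows the 6-month horizon from the reply above as a configurable default; the sample payload and the mangled year in it are constructed for the demonstration.

```python
"""Pre-flight check for entity timestamps before calling createentities.

Added example, not the poster's or Google's code. Assumptions:
  * payload shape: {"customer_id": ..., "log_type": ..., "entities": [UDM entity, ...]}
  * the timestamp that matters is metadata.collected_timestamp (RFC 3339, UTC "Z")
  * MAX_AGE of 180 days is taken from the "anything over 6 months" remark in the thread
"""
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=180)       # assumption: retention horizon quoted in the thread
MAX_FUTURE = timedelta(minutes=5)   # allow a little clock skew, nothing more


def parse_rfc3339_utc(value):
    """Return an aware UTC datetime, or None if value is not an RFC 3339 UTC string."""
    if not isinstance(value, str) or not value.endswith(("Z", "+00:00")):
        return None
    try:
        # fromisoformat accepts "+00:00" on every supported Python; "Z" only on 3.11+
        parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return parsed.astimezone(timezone.utc)


def check_timestamp(value, now):
    """Classify one timestamp: ok, unparseable, too_old or in_future."""
    parsed = parse_rfc3339_utc(value)
    if parsed is None:
        return "unparseable"
    if parsed < now - MAX_AGE:
        return "too_old"
    if parsed > now + MAX_FUTURE:
        return "in_future"
    return "ok"


def check_entities_payload(payload, now=None):
    """Return {entity_index: (verdict, raw_value)} for every entity that fails the check.

    An empty dict means the payload is safe to send as far as timestamps go.
    """
    now = now or datetime.now(timezone.utc)
    problems = {}
    for index, entity in enumerate(payload.get("entities", [])):
        raw = entity.get("metadata", {}).get("collected_timestamp")
        verdict = check_timestamp(raw, now)
        if verdict != "ok":
            problems[index] = (verdict, raw)
    return problems


def format_collected_timestamp(moment):
    """Serialise a datetime the way the API expects: 4-digit year, UTC, trailing Z."""
    if moment.tzinfo is None:
        raise ValueError("refusing to format a naive datetime; attach tzinfo first")
    return moment.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


# Constructed sample: a fixed "now" and three entities, one good, one with a
# year that collapsed to 0024 (the kind of slip that yields a valid but ancient
# date), one that is not RFC 3339 at all.
FIXED_NOW = datetime(2024, 12, 9, 12, 0, tzinfo=timezone.utc)
SAMPLE_PAYLOAD = {
    "customer_id": "00000000-0000-0000-0000-000000000000",  # placeholder
    "log_type": "PLACEHOLDER_ENTITY_LOG_TYPE",               # placeholder
    "entities": [
        {"metadata": {"collected_timestamp": "2024-12-09T10:00:00Z"}},
        {"metadata": {"collected_timestamp": "0024-12-09T10:00:00Z"}},
        {"metadata": {"collected_timestamp": "2024-12-09 10:00:00"}},
    ],
}

if __name__ == "__main__":
    for idx, (verdict, raw) in check_entities_payload(SAMPLE_PAYLOAD, FIXED_NOW).items():
        print(f"entity[{idx}]: {verdict} ({raw!r})")
    print("correctly formatted now:", format_collected_timestamp(FIXED_NOW))
```

Wire `check_entities_payload` in front of the HTTP call and refuse to send when it returns anything; a 200 from the API only confirms the request was well-formed, not that the data landed where you expect to find it.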