Skip to main content
Solved

custom action on top of the chronicle integration to fetch alerts from legacySearchAlerts

  • October 19, 2024
  • 5 replies
  • 62 views
Z
Forum|alt.badge.img+6

Hello everyone,

I am trying to create a custom action on top of the chronicle integration in SOAR to fetch alerts from the API endpoint legacySearchAlert. For that I will be leveraging the existing default service account that has been used to setup the integration.

My questions are:

  • does this service account require any extra permissions to work or does it come already with all the needed permissions ?
  • Should the scope also be https://www.googleapis.com/auth/cloud-platform  same as stated in the documentation ?

I know that chronicle provides samples for some frequent jobs/actions that users request. Is anyone aware of any sample python that can be leveraged to create an action associated with the mentioned endpoint above ?

Thank you in advance for the support !

Best answer by josemarin

Hey!

So, the service account (SA) you have configured in the Chronicle Integration doesn't use the same API as the endpoint you're trying to use. All methods under Chronicle API (Alpha1) require an SA in the project associated with your deployment—this would be a project from your organization.

Chronicle Integration leverages an SA in a Google-managed project and uses different API methods.

Are you trying to get a list of alerts to use in the playbook? Is there any specific data you are trying to retrieve?

If all you want to do is use the endpoint and capture the response—basically just hitting the API—you could use the new GoogleCloudApi integration (you will need a new set of credentials—a new SA). Then, you can pretty much use any endpoint under the Chronicle API, depending on the permissions of the SA. If you can provide additional details about your use case, I might be able to give you some alternatives and more details on how to implement it.

5 replies

josemarin
Staff
Forum|alt.badge.img+3
  • josemarin
  • Staff
  • Answer
  • October 21, 2024

Hey!

So, the service account (SA) you have configured in the Chronicle Integration doesn't use the same API as the endpoint you're trying to use. All methods under Chronicle API (Alpha1) require an SA in the project associated with your deployment—this would be a project from your organization.

Chronicle Integration leverages an SA in a Google-managed project and uses different API methods.

Are you trying to get a list of alerts to use in the playbook? Is there any specific data you are trying to retrieve?

If all you want to do is use the endpoint and capture the response—basically just hitting the API—you could use the new GoogleCloudApi integration (you will need a new set of credentials—a new SA). Then, you can pretty much use any endpoint under the Chronicle API, depending on the permissions of the SA. If you can provide additional details about your use case, I might be able to give you some alternatives and more details on how to implement it.

    Z
    Forum|alt.badge.img+6
    • ZorghostBronze 5
    • Author
    • Bronze 5
    • October 21, 2024

    Hey!

    So, the service account (SA) you have configured in the Chronicle Integration doesn't use the same API as the endpoint you're trying to use. All methods under Chronicle API (Alpha1) require an SA in the project associated with your deployment—this would be a project from your organization.

    Chronicle Integration leverages an SA in a Google-managed project and uses different API methods.

    Are you trying to get a list of alerts to use in the playbook? Is there any specific data you are trying to retrieve?

    If all you want to do is use the endpoint and capture the response—basically just hitting the API—you could use the new GoogleCloudApi integration (you will need a new set of credentials—a new SA). Then, you can pretty much use any endpoint under the Chronicle API, depending on the permissions of the SA. If you can provide additional details about your use case, I might be able to give you some alternatives and more details on how to implement it.


    Good day,

    First of all, Thank you very much @josemarin  for the reply!

    “Are you trying to get a list of alerts to use in the playbook? Is there any specific data you are trying to retrieve?”

    Yes, We will basically capture the json response body (a list of the closed alerts), then use a playbook to process these alerts and generate metadata and then archive the alerts with their associated information somewhere. Basically this is my use case, I am also trying to avoid using listalert since it is getting deprecated.

    May I know what do you mean by the new GoogleCloudAPI integration ?

    josemarin
    Staff
    Forum|alt.badge.img+3
    • josemarin
    • Staff
    • October 22, 2024

    Good day,

    First of all, Thank you very much @josemarin  for the reply!

    “Are you trying to get a list of alerts to use in the playbook? Is there any specific data you are trying to retrieve?”

    Yes, We will basically capture the json response body (a list of the closed alerts), then use a playbook to process these alerts and generate metadata and then archive the alerts with their associated information somewhere. Basically this is my use case, I am also trying to avoid using listalert since it is getting deprecated.

    May I know what do you mean by the new GoogleCloudAPI integration ?


    On 09/25 Google released an integration to the market place called "Google Cloud API". It basically works the same way as this one, but its specific for Google Apis where you need a SA and Scopes to authenticate to the API. Its like having a "Postman" client of sort inside SecOps. Very useful for capturing API requests or just hitting API endpoints. 

    If you are planning to do a lot of parsing and heavy logic on the result, you might need to go the python way, but that will have to be a separate integration from the Chronicle one. 

    Z
    Forum|alt.badge.img+6
    • ZorghostBronze 5
    • Author
    • Bronze 5
    • October 23, 2024

    On 09/25 Google released an integration to the market place called "Google Cloud API". It basically works the same way as this one, but its specific for Google Apis where you need a SA and Scopes to authenticate to the API. Its like having a "Postman" client of sort inside SecOps. Very useful for capturing API requests or just hitting API endpoints. 

    If you are planning to do a lot of parsing and heavy logic on the result, you might need to go the python way, but that will have to be a separate integration from the Chronicle one. 


    Hi @josemarin , do you think it makes sense to just add the necessary permissions to the default service account that is being managed by google on the chronicle SIEM project level from our end in order to interact with the required API endpoint ?

    josemarin
    Staff
    Forum|alt.badge.img+3
    • josemarin
    • Staff
    • October 23, 2024

    Hi @josemarin , do you think it makes sense to just add the necessary permissions to the default service account that is being managed by google on the chronicle SIEM project level from our end in order to interact with the required API endpoint ?


    Unfortunately that wont work. The SA to leverage the new API must be host in your org and linked to the project associated to your SecOps deployment.

    Terms & ConditionsCookie settingsAccessibility statement
    Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

    © 2025 Google. All rights reserved.