
I want to archive alerts from Google SecOps SIEM, therefore I am still considering a couple of API endpoints to use in order to complete this. I identified legacySearchAlerts and legacySearchRulesAlerts. I noticed that both endpoints don't provide the same form of alerts.

My questions are:

  • What is the difference between the alerts that are provided by the two endpoints?
  • Is the difference just in how alerts are presented, or do the two endpoints provide entirely different data?
  • What is the best choice when it comes to archiving alerts?

Thank you in advance !

Tried -> Method: legacy.legacySearchAlerts, but it's showing 404; seems it's gone. Will check internally and get the document updated.


So that leaves only -> Method: legacy.legacySearchRulesAlerts



@Zorghost I just created this Python sample file to help you with legacySearchRulesAlerts:




Once you have the Rule IDs for the alerts you want to close, you may find my blog post on bulk closing alerts helpful:



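The sample file attached above is not reproduced on this page, so here is an added example (mine, not the attachment and not Google's code) of the archiving loop a practitioner would want around a time-windowed, count-capped alert search such as legacySearchRulesAlerts. The endpoint's real request parameters and response fields are not shown in the thread; the example assumes a call taking a start time, an end time and a maximum count, and a response dict with a `ruleAlerts` list plus a `tooManyAlerts` flag. Those names, the `FakeClient` stand-in and the sample alerts are all constructed for the example. What it demonstrates beyond the thread: bisecting a time window whenever the cap truncates it so nothing is silently dropped, de-duplicating by alert id across re-runs, and appending to a JSONL archive that can be resumed.

```python
"""Archive rule alerts from a capped, time-windowed search to JSONL.

Added example, not the sample file from the thread. Assumptions (not
confirmed by the thread): the search takes (start, end, max_alerts) and
returns {"ruleAlerts": [...], "tooManyAlerts": bool}. Replace FakeClient
with a real authorized HTTP client to run it against Google SecOps.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterator, List

MAX_PER_CALL = 3  # tiny cap so the example actually exercises window splitting


class FakeClient:
    """Stand-in for the API client; serves constructed alerts from memory."""

    def __init__(self, alerts: List[Dict]):
        self.alerts = alerts
        self.calls = 0

    def search_rules_alerts(self, start: datetime, end: datetime, max_alerts: int) -> Dict:
        self.calls += 1
        hits = [a for a in self.alerts
                if start <= datetime.fromisoformat(a["createdTime"]) < end]
        # Mimic a capped endpoint: truncate and flag that the window overflowed.
        return {"ruleAlerts": hits[:max_alerts], "tooManyAlerts": len(hits) > max_alerts}


def iter_window(client, start: datetime, end: datetime, max_alerts: int) -> Iterator[Dict]:
    """Yield every alert in [start, end), bisecting any window the cap truncates."""
    stack = [(start, end)]
    while stack:
        s, e = stack.pop()
        resp = client.search_rules_alerts(s, e, max_alerts)
        if resp.get("tooManyAlerts") and (e - s) > timedelta(seconds=1):
            mid = s + (e - s) / 2
            stack.append((mid, e))   # pushed first so the earlier half is processed first
            stack.append((s, mid))
            continue
        # Window fits under the cap (or cannot be split further): emit what came back.
        for alert in resp.get("ruleAlerts", []):
            yield alert


def alert_key(alert: Dict) -> str:
    """Stable de-duplication key: the alert id, else a hash of the canonical JSON."""
    if alert.get("id"):
        return str(alert["id"])
    canon = json.dumps(alert, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def archive(client, start: datetime, end: datetime, path: str,
            max_alerts: int = MAX_PER_CALL) -> int:
    """Append new alerts to a JSONL file; return how many were written this run."""
    seen = set()
    if os.path.exists(path):  # resume: anything already archived is skipped
        with open(path, encoding="utf-8") as f:
            seen.update(alert_key(json.loads(line)) for line in f if line.strip())
    written = 0
    with open(path, "a", encoding="utf-8") as f:
        for alert in iter_window(client, start, end, max_alerts):
            key = alert_key(alert)
            if key in seen:
                continue
            seen.add(key)
            f.write(json.dumps(alert, sort_keys=True) + "\n")
            written += 1
    return written


def sample_alerts() -> List[Dict]:
    """Constructed sample data: 8 records, 7 unique (alert a-6 is repeated)."""
    minutes = [(1, "a-1"), (2, "a-2"), (3, "a-3"), (4, "a-4"),
               (30, "a-5"), (31, "a-6"), (31, "a-6"), (45, "a-7")]
    return [{"id": aid, "ruleName": "example_rule",
             "createdTime": f"2024-01-01T00:{m:02d}:00+00:00"} for m, aid in minutes]


def demo():
    """Archive one hour twice; returns (first_run, second_run, lines_on_disk, api_calls)."""
    client = FakeClient(sample_alerts())
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    end = start + timedelta(hours=1)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "alerts.jsonl")
        first = archive(client, start, end, path)
        second = archive(client, start, end, path)  # re-run: nothing new to write
        with open(path, encoding="utf-8") as f:
            lines = sum(1 for _ in f)
    return first, second, lines, client.calls


if __name__ == "__main__":
    print(demo())  # (7, 0, 7, 22)
```

With the cap set to 3, the one-hour window is split down until each sub-window fits, which is why the fake client sees 11 calls per run; against the real endpoint the cap is much larger and most windows return in a single call, but the same loop guards against the hour in which a noisy rule fires more alerts than one response can carry. Timestamps are kept timezone-aware throughout so window boundaries never shift with the machine's local zone.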