
How to update Chronicle SIEM alerts with API?

  • May 8, 2024
  • 10 replies
  • 232 views


Hi Gurus,

I am new to Chronicle SIEM, I can get alerts with ListDetections APIs(

My client hopes to update alerts via the API, as we can do in the UI, but I cannot find a related update-detection API in the API documentation. May I know if there is an API available to update alerts?


Thanks


10 replies

David-French
Staff

Google SecOps' REST API has a method that lets you update the status of alerts. You can find the documentation here: https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances.legacy/legacyUpdateAlert


Rene_Figueroa
Staff


The API David mentioned is the new Chronicle API, which requires the Chronicle instance to be on Feature RBAC (IAM).

https://cloud.google.com/chronicle/docs/onboard/configure-feature-access



  • Author
  • New Member
  • May 11, 2024



Thanks a lot. May I know where I can get the path parameter instance value (projects/{project}/locations/{region}/instances/{instance})? Can I obtain it with the API, or do I have to find the project, region and instance in the UI?


David-French
Staff


Sure @JonathanY.

  • project - This is the project ID of the Google Cloud project that's linked to your Google SecOps instance.
  • region - This is the region where your Google SecOps instance is running. It'll be "us" if it's running in the United States. If it's running in Europe, it'll likely be "eu". If you're not sure, your sales representative can confirm this.
  • instance - This is the customer ID for your Google SecOps instance. You can find this value by navigating to Settings - SIEM Settings - Profile in SecOps.

DanDye
Staff
  • July 23, 2024

DanDye
Staff
  • August 6, 2024

  • New Member
  • August 28, 2024

Hi dear all,

Thank you so much.

I tried the API endpoint (POST https://chronicle.googleapis.com/v1alpha/projects/{project}/locations/{location}/instances/{instance}/legacy:legacyUpdateAlert) with the GCP Project ID and Customer ID obtained from the SecOps Settings Profile page; as I don't know the location, I used the default value "us", but the API returns 404 Not Found.

I am not sure if I input the wrong location or if it is an IAM issue. I appreciate your kind comments.


raybrian
Staff
  • October 28, 2024

One gotcha is that the API endpoint for the US is 

 Here is some more of my script



  • New Member
  • November 1, 2024



Thanks Brian. So I have to prefix "us-" before POST https://chronicle.googleapis.com/v1alpha/{instance}/legacy:legacyUpdateAlert? The API doc (https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances.legacy/legacyUpdateAlert#http-request) doesn't mention that I should prefix the region ahead of the base URL.

Thanks
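As an added example (not code from this thread, and not Google's own samples), here is a small Python helper that assembles the path parameter David broke down above, builds the legacyUpdateAlert URL from the linked reference, and turns the two failures discussed in the thread (404 from a wrong path or endpoint, 403 from missing IAM access) into explicit errors. It assumes google-auth with Application Default Credentials, and the request-body field names (alertId, feedback.status, feedback.comment) are an assumption to confirm against the reference page before use.

```python
import re

SCOPES = ["https://www.googleapis.com/auth/cloud-platform"]
# Global endpoint from the linked reference; pass a regional endpoint as
# base_url instead if your instance needs one (see Brian's note above).
BASE_URL = "https://chronicle.googleapis.com/v1alpha"
_INSTANCE_RE = re.compile(r"^projects/[^/]+/locations/[^/]+/instances/[^/]+$")


def instance_name(project: str, region: str, instance: str) -> str:
    """Path parameter from David's reply: project ID, region ("us"/"eu"),
    and the customer ID shown under Settings - SIEM Settings - Profile."""
    for label, value in (("project", project), ("region", region), ("instance", instance)):
        if not value or "/" in value:
            raise ValueError(f"{label} must be a non-empty value without '/'")
    return f"projects/{project}/locations/{region}/instances/{instance}"


def update_alert_url(name: str, base_url: str = BASE_URL) -> str:
    """POST {base}/{instance}/legacy:legacyUpdateAlert, as in the reference doc."""
    if not _INSTANCE_RE.match(name):
        raise ValueError("expected projects/{project}/locations/{region}/instances/{instance}")
    return f"{base_url}/{name}/legacy:legacyUpdateAlert"


def close_alert_body(alert_id: str, comment: str) -> dict:
    """Body that marks one alert CLOSED. Field names are ASSUMED here;
    confirm them against the legacyUpdateAlert reference before use."""
    return {"alertId": alert_id, "feedback": {"status": "CLOSED", "comment": comment}}


def close_alert(session, name: str, alert_id: str, comment: str, base_url: str = BASE_URL) -> dict:
    """Send the update and map the two failures seen in this thread to clear errors."""
    resp = session.post(update_alert_url(name, base_url), json=close_alert_body(alert_id, comment))
    if resp.status_code == 404:
        raise RuntimeError("404: the region/instance in the path or the base URL for your region is wrong")
    if resp.status_code == 403:
        raise RuntimeError("403: caller lacks IAM permission on the instance (Feature RBAC)")
    resp.raise_for_status()
    return resp.json()


def authorized_session():
    """AuthorizedSession from Application Default Credentials (google-auth, assumed installed)."""
    from google.auth import default
    from google.auth.transport.requests import AuthorizedSession
    creds, _ = default(scopes=SCOPES)
    return AuthorizedSession(creds)
```

Usage: `close_alert(authorized_session(), instance_name(project, region, customer_id), alert_id, "duplicate")`; the 403 branch is where a Feature RBAC/IAM problem shows up, the 404 branch where the path or regional endpoint is wrong.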


MLz
  • New Member
  • May 20, 2025

@DanDye I was able to successfully bulk close the alerts. However, closing the alerts does not change the case status. Is there a method to bulk close cases?