Hi Gurus,

I am new to Chronicle SIEM. I can get alerts with the ListDetections APIs(

My client hopes to update alerts through the API, as we can do in the UI, but I cannot find a related update-detection API in the API documentation. May I know if there is an API available to update alerts?

 

Thanks

 

Google SecOps' REST API has a method that lets you update the status of alerts. You can find the documentation here: https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances.legacy/legacyUpdateAlert


The API David mentioned is the new Chronicle API, which requires the Chronicle instance to be on Feature RBAC (IAM).


https://cloud.google.com/chronicle/docs/onboard/configure-feature-access


Thanks a lot. May I know where I can get the path parameter instance value (projects/{project}/locations/{region}/instances/{instance})? Can I obtain it with an API, or do I have to find the project, region and instance in the UI?


Sure @JonathanY.



  • project - This is the project ID of the Google Cloud project that's linked to your Google SecOps instance.

  • region - This is the region where your Google SecOps instance is running. It'll be "us" if it's running in the United States. If it's running in Europe, it'll likely be "eu". If you're not sure, your sales representative can confirm this.

  • instance - This is the customer ID for your Google SecOps instance. You can find this value by navigating to Settings - SIEM Settings - Profile in SecOps.


@JonathanY, we recently shared a Python module that calls the legacyUpdateAlert API method that David referred to. You can find it here:
https://github.com/chronicle/api-samples-python/blob/master/detect/v1alpha/update_alert.py


Update: I also wrote a blog post on Bulk closing alerts with Python and the Google Security Operations API


Hi dear all,

Thank you so much.

I tried the API endpoint (POST https://chronicle.googleapis.com/v1alpha/projects/{project}/locations/{location}/instances/{instance}/legacy:legacyUpdateAlert) with the GCP Project ID and the Customer ID obtained from SecOps Settings - Profile; as I don't know the location, I used the default value "us", but the API returns 404 Not Found.

I am not sure if I entered the wrong location or it is an IAM issue. I appreciate your kind comments.

 


One gotcha is that the API endpoint for the US is 




 Here is some more of my script

Thanks Brian. So I have to prefix "us-" before POST https://chronicle.googleapis.com/v1alpha/{instance}/legacy:legacyUpdateAlert? In the API doc (https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances.legacy/legacyUpdateAlert#http-request), it doesn't mention that I should prefix the region ahead of the base URL.

Thanks
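Pulling the thread's pieces together (Dan's three path parameters, Brian's "us-" host prefix, and the 404 Jonathan hit on the non-regional host), here is an added example that builds the regional legacyUpdateAlert URL and request, and sends it with a caller-supplied OAuth2 bearer token. It is not code from this thread or from Google's api-samples repo; the "<region>-chronicle.googleapis.com" form for regions other than "us", the body field names (alertId, feedback.status, feedback.comment) and all sample project/instance/alert values are assumptions or constructed placeholders.

```python
"""Build and optionally send a legacyUpdateAlert request to Google SecOps."""
import json
import re
import urllib.request

API_VERSION = "v1alpha"
# From the thread: the US endpoint is "us-" + chronicle.googleapis.com.
# Assumption: other regions follow the same "<region>-chronicle.googleapis.com" form.
HOST_TEMPLATE = "https://{region}-chronicle.googleapis.com"


def instance_path(project: str, region: str, instance: str) -> str:
    """projects/{project}/locations/{region}/instances/{instance}, with each part validated
    so a stray slash or empty value cannot silently produce a different resource name."""
    for label, value in (("project", project), ("region", region), ("instance", instance)):
        if not re.fullmatch(r"[A-Za-z0-9._-]+", value or ""):
            raise ValueError(f"{label} must be non-empty and contain no path separators: {value!r}")
    return f"projects/{project}/locations/{region}/instances/{instance}"


def update_alert_url(project: str, region: str, instance: str) -> str:
    """Full URL for legacy:legacyUpdateAlert on the regional host. Posting the same path to
    the non-regional https://chronicle.googleapis.com is the 404 case described in the thread."""
    host = HOST_TEMPLATE.format(region=region)
    return f"{host}/{API_VERSION}/{instance_path(project, region, instance)}/legacy:legacyUpdateAlert"


def update_alert_body(alert_id: str, status: str, comment: str = "") -> dict:
    """Request body. Field names are assumed from the API reference page, not quoted from the
    thread; the status value is passed through unchanged, so use whatever the reference lists."""
    body = {"alertId": alert_id, "feedback": {"status": status}}
    if comment:
        body["feedback"]["comment"] = comment
    return body


def send_update_alert(project, region, instance, alert_id, status, access_token, comment=""):
    """POST the update with a bearer token (e.g. from `gcloud auth print-access-token`).
    Needs network access; returns the decoded JSON response."""
    req = urllib.request.Request(
        update_alert_url(project, region, instance),
        data=json.dumps(update_alert_body(alert_id, status, comment)).encode(),
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

A quick sanity check before sending is to print `update_alert_url(...)` and confirm the host starts with your region and the path contains the same region: a mismatch between the two is the first thing to look for on a 404.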


@DanDye I was able to successfully bulk close the alerts. However, closing the alerts does not change the case status. Is there a method to bulk close cases?
