Hello everyone,
We are trying to build a custom role in Google SecOps so that a set of users can only:
- View native dashboards
- Run UDM searches and view the resulting events
- Run Raw Log searches and view the resulting events
We have successfully enabled access to native dashboards and UDM search results, but we cannot get Raw Log Search to work with this custom role.
When attempting a raw search, the request returns the following error:
[{"error":{"code":400,"message":"Request contains an invalid argument.","status":"INVALID_ARGUMENT"}}]
If we execute the same raw search using a user with broader permissions, it works correctly. Also, it does not report any missing permissions.
Below is the full list of permissions currently included in the custom role:
- chronicle.dashboardCharts.get
- chronicle.dashboardQueries.execute
- chronicle.dataAccessScopes.list
- chronicle.entities.get
- chronicle.entities.searchEntities
- chronicle.entities.summarizeFromQuery
- chronicle.events.batchGet
- chronicle.events.get
- chronicle.events.queryProductSourceStats
- chronicle.events.searchRawLogs
- chronicle.events.udmSearch
- chronicle.events.validateQuery
- chronicle.instances.get
- chronicle.legacies.legacyFetchUdmSearchView
- chronicle.legacies.legacyFindRawLogs
- chronicle.legacies.legacyFindUdmEvents
- chronicle.legacies.legacySearchCustomerStats
- chronicle.legacies.legacySearchIngestionStats
- chronicle.legacies.legacySearchRawLogs
- chronicle.nativeDashboards.get
- chronicle.nativeDashboards.list
- chronicle.operations.list
- chronicle.operations.streamSearch
- chronicle.preferenceSets.get
- chronicle.preferenceSets.update
- chronicle.searchQueries.list
Has anyone encountered this error before? Which additional permissions are required for Raw Log Search?
Thanks!!
