How to update Chronicle SIEM alerts with API?

Hi Gurus,

I am new to Chronicle SIEM, I can get alerts with ListDetections APIs(

My client hopes to update alerts with the API, as we can do in the UI, but I cannot find a related update-detection API in the API documentation. May I know if there is an API available to update alerts?


Thanks


Google SecOps' REST API has a method that lets you update the status of alerts. You can find the documentation here: https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances.legacy/l...

The API David mentioned is the new Chronicle API, which requires the Chronicle instance to be on Feature RBAC (IAM).

https://cloud.google.com/chronicle/docs/onboard/configure-feature-access


Thanks a lot. May I know where I can get the path parameter instance value (projects/{project}/locations/{region}/instances/{instance})? Can I obtain it with the API, or do I have to find the project, region and instance in the UI?

Sure @JonathanY.

  • project - This is the project ID of the Google Cloud project that's linked to your Google SecOps instance.
  • region - This is the region where your Google SecOps instance is running. It'll be "us" if it's running in the United States. If it's running in Europe, it'll likely be "eu". If you're not sure, your sales representative can confirm this.
  • instance - This is the customer ID for your Google SecOps instance. You can find this value by navigating to Settings - SIEM Settings - Profile in SecOps.
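Putting the three components together in code, as an added example that is not part of this thread or of Google's own client libraries: the helper below assembles the `instance` path parameter from the project ID, region and customer ID, validates each component so a stray slash or empty value cannot silently produce a request against the wrong path, parses a path copied from the UI back into its parts, and assembles the update request. The project, region and customer ID values are constructed samples; the `legacy:legacyUpdateAlert` method name, the `alertId` query parameter, the base URL and the feedback field names are assumptions to be checked against the reference page linked above rather than details taken from this thread.

```python
import re
from urllib.parse import quote

# Constructed sample values (not from the thread) standing in for a real deployment.
SAMPLE_PROJECT = "my-secops-project"
SAMPLE_REGION = "us"
SAMPLE_CUSTOMER_ID = "12345678-abcd-ef01-2345-6789abcdef01"  # constructed, not a real instance

# Assumption: the v1alpha base URL; regional deployments may use a different host.
API_BASE = "https://chronicle.googleapis.com/v1alpha"

# Each component of the resource name must be a single non-empty path segment.
_COMPONENT_RE = re.compile(r"[A-Za-z0-9._-]+")
_INSTANCE_RE = re.compile(
    r"projects/(?P<project>[^/]+)/locations/(?P<region>[^/]+)/instances/(?P<instance>[^/]+)"
)


def instance_name(project: str, region: str, customer_id: str) -> str:
    """Build projects/{project}/locations/{region}/instances/{instance}.

    Raises ValueError when a component is empty or is not a clean path segment,
    so a typo cannot turn into a request against an unintended resource.
    """
    for label, value in (("project", project), ("region", region), ("instance", customer_id)):
        if not value or not _COMPONENT_RE.fullmatch(value):
            raise ValueError(f"invalid {label} component: {value!r}")
    return f"projects/{project}/locations/{region}/instances/{customer_id}"


def parse_instance_name(name: str) -> dict:
    """Split a resource name copied from the UI or a response into its parts.

    Returns {"project": ..., "region": ..., "instance": ...} or raises ValueError.
    """
    match = _INSTANCE_RE.fullmatch(name)
    if match is None:
        raise ValueError(f"not an instance resource name: {name!r}")
    return match.groupdict()


def legacy_update_alert_request(instance: str, alert_id: str, feedback: dict) -> tuple:
    """Assemble (method, url, json_body) for the alert update call.

    Assumption: the method is POST {instance}/legacy:legacyUpdateAlert with the
    alert identifier passed as the alertId query parameter and the new state in
    a 'feedback' object. Verify the method name, parameter and body fields
    against the REST reference before sending; nothing here performs I/O.
    """
    parse_instance_name(instance)  # reject malformed resource names early
    if not alert_id:
        raise ValueError("alert_id must not be empty")
    url = f"{API_BASE}/{instance}/legacy:legacyUpdateAlert?alertId={quote(alert_id, safe='')}"
    return "POST", url, {"feedback": feedback}


if __name__ == "__main__":
    inst = instance_name(SAMPLE_PROJECT, SAMPLE_REGION, SAMPLE_CUSTOMER_ID)
    # The feedback keys below are placeholders, not documented field names.
    method, url, body = legacy_update_alert_request(inst, "de_constructed_alert_id",
                                                    {"status": "CLOSED", "comment": "triaged"})
    print(method, url)
    print(body)
```

An Authorization header carrying an OAuth 2.0 bearer token for a principal that has the relevant Feature RBAC (IAM) permission still has to be attached before the request is sent; the helper deliberately stops at building the URL and body so it can be unit-tested without network access.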