Backup of Chronicle Alerts and Associated Log Entries for Compliance

Hello everyone,

For compliance reasons, I need to back up the generated alerts from Google Chronicle along with the respective log entries associated with those events.

Could anyone point me to Google documentation or provide information on how to accomplish this?

Thank you.

Accepted solution

Hey Zorghost,

I've recently built something which performs this for a compliance issue my side - and I achieved this by writing a Python script external to Siemplify and utilising the API.

The general flow of the script would be to establish the timeframe you are wanting to pull back cases for - then utilising the API endpoint:
/api/external/v1/search/CaseSearchEverything to retrieve a list of case IDs which satisfy the timeframe requirement.

Once you have the list of case IDs you can then iterate through the case IDs with the API endpoint:
/api/external/v1/dynamic-cases/GetCaseDetails/{caseId}

This will pull back a JSON with more detailed information about the case.

You can then format the data how you wish and save in a format suitable for archive - you can also use other APIs if you wish in combination with the above if you require additional information.

For more documentation on API endpoints - please visit https://<YourSOARInstanceURL>/swagger/index.html as this is where API endpoints are documented complete with payload schemas 🙂 Note - if you are going to be interacting with a high volume of cases - you may wish to build in some deliberate delay as Google Armor has a rate limit of 900 requests per minute (https://cloud.google.com/chronicle/docs/soar/reference/working-with-chronicle-soar-apis)

Cheers

K
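A sketch of that flow as an added example (not KyHud's script and not Google's code): it pages through CaseSearchEverything for a time window, calls GetCaseDetails for each case ID, writes one JSON file per case to an archive directory, and spaces requests so a large backlog stays under the 900 requests per minute limit. The request body fields (`startTime`, `endTime`, `pageSize`, `requestedPage`), the `results`/`id` response fields and the `AppKey` header are assumptions to confirm against your instance's swagger page.

```python
import json
import time
import urllib.request
from pathlib import Path

SEARCH = "/api/external/v1/search/CaseSearchEverything"
DETAILS = "/api/external/v1/dynamic-cases/GetCaseDetails/{caseId}"
MIN_INTERVAL = 60.0 / 900  # deliberate spacing to stay under 900 requests per minute

def http_json(url, api_key, body=None):
    """Default transport: POST if a body is given, else GET. AppKey header name is an assumption."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, headers={"AppKey": api_key, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

class CaseArchiver:
    def __init__(self, base_url, api_key, out_dir, transport=http_json,
                 clock=time.monotonic, sleep=time.sleep):
        self.base_url, self.api_key, self.out_dir = base_url.rstrip("/"), api_key, Path(out_dir)
        self.out_dir.mkdir(parents=True, exist_ok=True)
        self.transport, self.clock, self.sleep = transport, clock, sleep  # injectable for tests
        self.last_call = None

    def _call(self, path, body=None):
        # Wait out the remainder of MIN_INTERVAL before every request after the first.
        if self.last_call is not None:
            wait = MIN_INTERVAL - (self.clock() - self.last_call)
            if wait > 0:
                self.sleep(wait)
        self.last_call = self.clock()
        return self.transport(self.base_url + path, self.api_key, body)

    def search_case_ids(self, start_ms, end_ms, page_size=100):
        """Page through CaseSearchEverything; body/response field names are assumptions."""
        ids, page = [], 0
        while True:
            body = {"startTime": start_ms, "endTime": end_ms,
                    "pageSize": page_size, "requestedPage": page}
            batch = [c["id"] for c in self._call(SEARCH, body).get("results", [])]
            if len(batch) < page_size:  # a short page is the last page
                return ids + batch
            ids, page = ids + batch, page + 1

    def archive(self, start_ms, end_ms, page_size=100):
        """Fetch GetCaseDetails for every case in the window; one JSON file per case."""
        paths = []
        for case_id in self.search_case_ids(start_ms, end_ms, page_size):
            details = self._call(DETAILS.format(caseId=case_id))
            paths.append(self.out_dir / f"case_{case_id}.json")
            paths[-1].write_text(json.dumps(details, indent=2, sort_keys=True))
        return paths
```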


Thank you very much for the reply and I really appreciate your help @KyHud. I still got some things to clarify if you don't mind: What access do I need to create an integration that does this job? Do I have to provision a service account with access to the API endpoints for this? Thank you in advance!

Hey - no problem,

I actually created the solution to this off platform - as it was easier to save it to local disk than to worry about a storage solution / cloud storage solution on top of what I was doing. I used an API key with these highlighted permissions:

[Screenshot: API key permission set, not reproduced here]

You can create API Keys (once you have created an appropriate permissions set) from settings > advanced > API Keys - and you will want to give it permissions for all environments when you create the key.

If you already have a solution for storage (email file or otherwise) you can make this a job within the SOAR platform - which doesn't require any additional API key as you can use the Siemplify libraries to perform the actions for you instead. A full list of library functions can be found here https://github.com/chronicle/soar-sdk/tree/main.

Let me know how you get on!

Cheers

Kyle