chronicle / detection-rules

Collection of YARA-L 2.0 sample rules for the Chronicle Detection API
https://chronicle.security
Apache License 2.0

.env Rule Manager #67

Closed sat-tp closed 3 months ago

sat-tp commented 3 months ago

Can we confirm that these placeholders/URLs are correct for interacting with the detection engine API?

The docs say differently - https://cloud.google.com/chronicle/docs/reference/detection-engine-api

sat-tp commented 3 months ago

Adjusting my custom code to use the v2 endpoint seems to work, but it does, however, make this rule_cli tool unusable.

threat-punter commented 3 months ago

Hi there,

The rule manager tool works with the new Google SecOps REST API, not the Detection Engine API.

For example, the code uses the REST API's rules methods to manage rules in SecOps.

sat-tp commented 3 months ago

Hi David,

I think I'm simply confused. We have some quirks to our setup, in that we don't have access to the GCP project that is linked to our Chronicle instance. I'll work with GCP Support to ensure the service account we're using has access to this API and the relevant IAM permissions.

Thanks for responding. Thoroughly enjoyed your Detection-as-code talk the other week!

Sam

threat-punter commented 3 months ago

@sat-tp - No worries. Your Google SecOps support representative will be able to help you enable the new REST API in the Google Cloud project that's linked to your SecOps instance.

Once that's done, you can create a service account that has the required permissions to manage rules via the API.

Please let me know how you get on.

And thank you for attending my presentation 😄
