
Occasionally, we are experiencing an issue where a case is not created even though an alert is detected by a rule.
When we contact support about this issue, we are usually told to update the Google Chronicle connector to the latest version. Updating often resolves the issue, but is it possible to create some kind of system that will automatically update when the latest version is released?
If automatic updates are difficult, we would like to create a system that will notify us when an update is available.
We look forward to your response.
Best regards

 

It’ll most likely take a job in SOAR to automate the system you’ve described.

For pre-migration to the Chronicle API there is a SOAR API endpoint for just this action -

/api/external/v1/connectors/update-from-ide

It takes a Connector instance ID and will update the instance to the latest definition from the updated integration.

For post-migration it looks like there’s similar functionality described here - https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances.integrations.connectors.connectorInstances


Hey @keiS,

Thanks for sharing your feedback. We had plans for this kind of job for quite some time. I will see with the internal team what can be done. We are a little bit sensitive about doing a forced upgrade, but at least having a notification would definitely go a long way.



Thank you for your reply.
I can't think of a specific method, so I'd like to know which SOAR function you think could be used to implement this.
I look forward to your reply.

Thank you for your reply.
I'm glad that you'll consider this internally.
I don't think there will be any problems if we can send notifications, so I would appreciate your consideration.


@keiS we’ve done something similar for updating marketplace integrations using a SecOps scheduled job. It basically follows 3 steps:

  1. Get all of the integrations that we have installed: /api/external/v1/integrations/GetInstalledIntegrations
  2. Get the details of the integrations and compare the installed version to the latest version on the marketplace: /api/external/v1/store/GetIntegrationFullDetails
  3. If the version is outdated, update the integration: /api/external/v1/store/DownloadAndInstallIntegrationFromLocalStore

I’m assuming you could set up similar functionality for the connectors and then run them on a daily basis through the scheduled jobs functionality.



Hey @_K_O, that's a very neat approach. Thank you for sharing; I'm interested in how you know if there are any breaking changes before pushing an update.


@quotermice we have no way of knowing if there’s a breaking change, but we have the same issue if we do it manually and we’re more likely to miss updates if it’s not automated. For better or worse, we trust in the updates so if something breaks, we’ll have to deal with it.


@_K_O 

Thank you for your response.
Where can I find the API information you mentioned?
I've checked the URL below, but I haven't been able to find it.
https://cloud.google.com/chronicle/docs/reference/rest?rep_location=asia-northeast1

By the way, our environment uses a SecOps instance (not SOAR Standalone).
I look forward to your response.
Thank you in advance for your help.


@keiS I generally look for the endpoints that the frontend uses by inspecting the network traffic when I perform the actions using SecOps.

  • In your browser, navigate to the developer console
  • Click on the networking tab
  • Perform the activity that you want to replicate and look for the API request that was made by the platform

Hope this helps!
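To make the Network-tab step above reproducible, here is an added example (not code from _K_O's post or from Google SecOps) that reads a HAR file exported from the browser's Network tab and lists every request under /api/external/, with its method and the parameter names found in its query string or JSON body. The hostname, query string and body contents in the embedded sample are constructed placeholders, not the real parameters of those endpoints; run the script on your own export to see the real ones.

```python
"""List the SOAR API endpoints a browser session actually called.

Added example, not code from the thread or from Google SecOps: export the
Network tab as a HAR file after clicking through the Marketplace screens,
then run this on it to see each /api/external/ request, its method, and the
parameter names of its query string or JSON body.
"""
import json
import sys
from urllib.parse import urlsplit

API_PREFIX = "/api/external/"

# Constructed sample in the HAR 1.2 layout browsers export (log.entries[]).
# The paths are the ones named in the thread; hostname, query string and
# JSON bodies are placeholders, NOT the real request parameters.
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "entries": [
            {
                "request": {
                    "method": "GET",
                    "url": "https://soar.example.invalid/api/external/v1/integrations/GetInstalledIntegrations",
                    "queryString": [],
                    "headers": [{"name": "Cookie", "value": "session=REDACTED"}],
                },
                "response": {"status": 200},
            },
            {
                "request": {
                    "method": "POST",
                    "url": "https://soar.example.invalid/api/external/v1/store/GetIntegrationFullDetails?someFlag=true",
                    "queryString": [{"name": "someFlag", "value": "true"}],
                    "headers": [{"name": "Content-Type", "value": "application/json"}],
                    "postData": {
                        "mimeType": "application/json",
                        "text": json.dumps({"placeholderParamA": "x", "placeholderParamB": 1}),
                    },
                },
                "response": {"status": 200},
            },
            {   # same endpoint called again: merged into the same row
                "request": {
                    "method": "POST",
                    "url": "https://soar.example.invalid/api/external/v1/store/GetIntegrationFullDetails",
                    "queryString": [],
                    "postData": {"mimeType": "application/json", "text": "{\"placeholderParamA\": \"y\"}"},
                },
                "response": {"status": 200},
            },
            {   # static asset: filtered out by the prefix check
                "request": {"method": "GET", "url": "https://soar.example.invalid/static/app.js"},
                "response": {"status": 200},
            },
        ],
    }
}


def body_param_names(request):
    """Top-level keys of a JSON body, or form field names; empty if neither."""
    post = request.get("postData") or {}
    text = post.get("text")
    if text:
        try:
            body = json.loads(text)
        except ValueError:          # not JSON (e.g. multipart upload)
            return []
        return sorted(body) if isinstance(body, dict) else []
    return sorted(p.get("name", "") for p in post.get("params", []))


def extract_api_calls(har, prefix=API_PREFIX):
    """One row per (method, path) under prefix; parameter names merged across calls."""
    rows = {}
    for entry in har.get("log", {}).get("entries", []):
        req = entry.get("request", {})
        path = urlsplit(req.get("url", "")).path
        if not path.startswith(prefix):
            continue
        key = (req.get("method", "GET"), path)
        row = rows.setdefault(key, {"method": key[0], "path": path,
                                    "query": set(), "body": set(), "statuses": set()})
        row["query"].update(q.get("name", "") for q in req.get("queryString", []))
        row["body"].update(body_param_names(req))
        row["statuses"].add(entry.get("response", {}).get("status"))
    return [
        {"method": r["method"], "path": r["path"],
         "query": sorted(r["query"]), "body": sorted(r["body"]),
         "statuses": sorted(s for s in r["statuses"] if s is not None)}
        for r in sorted(rows.values(), key=lambda r: (r["path"], r["method"]))
    ]


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            har = json.load(fh)
    else:
        har = SAMPLE_HAR
    for row in extract_api_calls(har):
        print(f'{row["method"]:5} {row["path"]}  (HTTP {",".join(map(str, row["statuses"]))})')
        if row["query"]:
            print(f'      query: {", ".join(row["query"])}')
        if row["body"]:
            print(f'      body : {", ".join(row["body"])}')


if __name__ == "__main__":
    main(sys.argv)
```

Export the capture with "Save all as HAR with content" after performing the Marketplace actions, then run the script on the file. A HAR export contains your session cookies and any tokens in request headers, so treat it as a credential: do not attach it to a support ticket or share it unscrubbed.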


@_K_O 

Thank you for your reply. Is there a page that lists information about the three APIs listed below?

/api/external/v1/integrations/GetInstalledIntegrations

/api/external/v1/store/GetIntegrationFullDetails

/api/external/v1/store/DownloadAndInstallIntegrationFromLocalStore

 

I don't know what parameters to specify when executing the API.

I look forward to your response.
 

Best regards


@keiS I’m not sure, I just used the network traffic and recreated the functionality, but this page seems to have most of the endpoints: https://cloud.google.com/chronicle/docs/soar/admin-tasks/advanced/endpoint-mapping-table


@_K_O 

Sorry for the late response.
Could you please let me know if my understanding of the following is correct?
1. With the Google SecOps UI open, open the developer tools and select the network tab.
2. Click various buttons in the UI.
3. If there is a corresponding request, create a Python script in the IDE based on that.

In part 2,
I'm not sure which button to click to send the request corresponding to "Get the details of the integrations and compare the installed version to the latest version on the marketplace."
Do you have any tips on finding this request?

 

I look forward to your response.

Best regards


@keiS yeah that’s the flow I follow.

Sure, you will need to get the installed apps that you have, check the version, and compare the version to the marketplace version.

Get the list of integrations and loop over them:

/api/external/v1/integrations/GetInstalledIntegrations

Get the marketplace version and compare the versions:
/api/external/v1/store/GetIntegrationFullDetails

Hope this helps!
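An added example (not code from the thread, from _K_O's scheduled job, or from Google) that implements the check described in this reply and in _K_O's earlier three-step post: list the installed integrations, compare each installed version with the marketplace version, and either update or just notify. The HTTP calls are passed in as callables so the decision logic runs offline against constructed data; a live version would point them at the three /api/external/v1 endpoints named in the thread, whose request parameters and response field names ("identifier" and "version" below) are assumptions to confirm from the Network tab. Two design choices are mine, not from the thread: notify-only is the default, matching the preference for a notification over a forced upgrade, and a major-version bump is never auto-applied, which is the closest practical answer to the breaking-changes question.

```python
"""Scheduled-job logic for the 'installed vs marketplace version' check.

Added example; not code from the thread, from _K_O's job, or from Google.
The three HTTP calls are injected as callables so this runs offline; a live
client would map them onto the endpoints named in the thread:
  list_installed -> /api/external/v1/integrations/GetInstalledIntegrations
  get_details    -> /api/external/v1/store/GetIntegrationFullDetails
  install        -> /api/external/v1/store/DownloadAndInstallIntegrationFromLocalStore
The field names "identifier" and "version" and the request shapes are
ASSUMPTIONS to be confirmed from the browser's Network tab.
"""
import re

_NUM = re.compile(r"\d+")


def parse_version(text):
    """'1.10.2' -> (1, 10, 2); short forms are padded so '1.9' == '1.9.0'.

    Numeric compare is essential: as strings, '1.9.0' > '1.10.0'.
    """
    parts = [int(n) for n in _NUM.findall(str(text))]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def classify(installed_version, latest_version):
    """'current', 'minor' (safe to auto-apply) or 'major' (needs human review)."""
    cur, new = parse_version(installed_version), parse_version(latest_version)
    if new <= cur:
        return "current"
    return "major" if new[0] > cur[0] else "minor"


def plan_updates(installed, get_details, auto_apply=False, skip=()):
    """Build the update plan.

    installed:   list of {"identifier": str, "version": str}   (shape assumed)
    get_details: identifier -> {"version": str} from the marketplace (shape assumed)
    auto_apply:  False (default) reports only; True installs minor/patch bumps
    skip:        identifiers never touched automatically (e.g. locally customised)
    """
    plan = []
    for item in installed:
        ident = item["identifier"]
        latest = get_details(ident).get("version")
        if latest is None:                  # custom/IDE integration, not on the marketplace
            continue
        kind = classify(item["version"], latest)
        if kind == "current":
            continue
        action = "install" if (auto_apply and kind == "minor" and ident not in skip) else "notify"
        plan.append({"identifier": ident, "installed": item["version"],
                     "latest": latest, "change": kind, "action": action})
    return plan


def run_job(list_installed, get_details, install, auto_apply=False, skip=()):
    """Execute the plan; returns (plan, notification_lines) for the job's alerting."""
    plan = plan_updates(list_installed(), get_details, auto_apply, skip)
    lines = []
    for p in plan:
        if p["action"] == "install":
            install(p["identifier"])
            lines.append(f'UPDATED  {p["identifier"]} {p["installed"]} -> {p["latest"]}')
        else:
            why = ("major version bump, review release notes first"
                   if p["change"] == "major" else "auto-apply disabled")
            lines.append(f'PENDING  {p["identifier"]} {p["installed"]} -> {p["latest"]} ({why})')
    return plan, lines


# Constructed sample data standing in for the two read endpoints.
SAMPLE_INSTALLED = [
    {"identifier": "GoogleChronicle", "version": "1.9.0"},
    {"identifier": "VirusTotal", "version": "2.3.1"},
    {"identifier": "Jira", "version": "4.0.0"},
    {"identifier": "MyCustomIntegration", "version": "1.0.0"},
]
SAMPLE_MARKETPLACE = {
    "GoogleChronicle": {"version": "1.10.0"},   # minor bump; 1.10 > 1.9 only numerically
    "VirusTotal": {"version": "3.0.0"},          # major bump: notify only
    "Jira": {"version": "4.0.0"},                # already current
    "MyCustomIntegration": {},                   # not on the marketplace
}


def sample_run(auto_apply=False):
    """Run the job against the constructed data; returns (plan, lines, installed_ids)."""
    installed_ids = []
    plan, lines = run_job(
        list_installed=lambda: SAMPLE_INSTALLED,
        get_details=lambda ident: SAMPLE_MARKETPLACE[ident],
        install=installed_ids.append,       # stand-in for the install endpoint
        auto_apply=auto_apply,
    )
    return plan, lines, installed_ids


if __name__ == "__main__":
    for line in sample_run(auto_apply=True)[1]:
        print(line)
```

In a SecOps scheduled job the three lambdas in sample_run would be replaced by functions that call the endpoints with the job's API key, and the PENDING/UPDATED lines would go to whatever channel the job already alerts through. The same gate applies unchanged to connector instances: swap the install callable for a call to /api/external/v1/connectors/update-from-ide with the connector instance ID, as described earlier in the thread. The numeric version comparison is the part most often got wrong: a plain string compare treats 1.9.0 as newer than 1.10.0 and would never flag the connector for update.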


@_K_O Sorry for the late reply.
I understand. Thank you.
First, I'll try to find out where the communication to the API in question is.

Best regards