Merge branch 'chronicle:master' into v1alpha_ingestion

Author: dandye

common/regions.py

@@ -25,12 +25,17 @@
     "asia-southeast1",
     "australia-southeast1",
     "eu",
+    "europe",
+    "europe-west12",
     "europe-west2",
     "europe-west3",
     "europe-west6",
+    "europe-west9",
+    "me-central1",
     "me-central2",
     "me-west1",
     "northamerica-northeast2",
+    "southamerica-east1",
     "us",
 )
 

detect/v1alpha/bulk_update_alerts.py

@@ -0,0 +1,120 @@
+#!/usr/bin/env python3
+
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+r"""Executable and reusable sample for bulk updating alerts.
+
+The file provided to the --alert_ids_file parameter should have one alert 
+ ID per line like so:
+```
+de_ad9d2771-a567-49ee-6452-1b2db13c1d33
+de_3c2e2556-aba1-a253-7518-b4ddb666cc32
+```
+Usage:
+  python -m alerts.v1alpha.bulk_update_alerts \
+    --project_id=<PROJECT_ID>   \
+    --project_instance=<PROJECT_INSTANCE> \
+    --alert_ids_file=<PATH_TO_FILE> \
+    --confidence_score=<CONFIDENCE_SCORE> \
+    --priority=<PRIORITY> \
+    --reason=<REASON> \
+    --reputation=<REPUTATION> \
+    --priority=<PRIORITY> \
+    --status=<STATUS> \
+    --verdict=<VERDICT> \
+    --risk_score=<RISK_SCORE> \
+    --disregarded=<DISREGARDED> \
+    --severity=<SEVERITY> \
+    --comment=<COMMENT> \
+    --root_cause=<ROOT_CAUSE> \
+    --severity_display=<SEVERITY_DISPLAY>
+
+# pylint: disable=line-too-long
+API reference:
+  https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances.legacy/legacyUpdateAlert
+  https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/Noun#Priority
+  https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/Noun#Reason
+  https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/Noun#Reputation
+  https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/Noun#Priority
+  https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/Noun#Status
+  https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/Noun#Verdict
+"""
+# pylint: enable=line-too-long
+
+import json
+
+from common import chronicle_auth
+
+from . import update_alert
+
+
+CHRONICLE_API_BASE_URL = "https://chronicle.googleapis.com"
+SCOPES = [
+    "https://www.googleapis.com/auth/cloud-platform",
+]
+DEFAULT_FEEDBACK = {
+    "comment": "automated cleanup",
+    "reason": "REASON_MAINTENANCE",
+    "reputation": "REPUTATION_UNSPECIFIED",
+    "root_cause": "Other",
+    "status": "CLOSED",
+    "verdict": "VERDICT_UNSPECIFIED",
+}
+
+
+if __name__ == "__main__":
+  parser = update_alert.get_update_parser()
+  parser.add_argument(
+      "--alert_ids_file", type=str, required=True,
+      help="File with one alert ID per line."
+  )
+  parser.set_defaults(
+      comment=DEFAULT_FEEDBACK["comment"],
+      reason=DEFAULT_FEEDBACK["reason"],
+      reputation=DEFAULT_FEEDBACK["reputation"],
+      root_cause=DEFAULT_FEEDBACK["root_cause"],
+      status=DEFAULT_FEEDBACK["status"],
+      verdict=DEFAULT_FEEDBACK["verdict"],
+  )
+  args = parser.parse_args()
+
+  # raise error if required args are not present
+  update_alert.check_args(parser, args)
+
+  auth_session = chronicle_auth.initialize_http_session(
+      args.credentials_file,
+      SCOPES,
+  )
+  with open(args.alert_ids_file) as fh:
+    for alert_id in fh:
+      a_list = update_alert.update_alert(
+          auth_session,
+          args.project_id,
+          args.project_instance,
+          args.region,
+          alert_id.strip(),
+          args.confidence_score,
+          args.reason,
+          args.reputation,
+          args.priority,
+          args.status,
+          args.verdict,
+          args.risk_score,
+          args.disregarded,
+          args.severity,
+          args.comment,
+          args.root_cause,
+      )
+      print(json.dumps(a_list, indent=2))

detect/v1alpha/get_alert.py

@@ -0,0 +1,122 @@
+#!/usr/bin/env python3
+
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+r"""Executable and reusable sample for getting a Reference List.
+
+Usage:
+  python -m alerts.v1alpha.get_alert \
+    --project_id=<PROJECT_ID>   \
+    --project_instance=<PROJECT_INSTANCE> \
+    --alert_id=<ALERT_ID>
+
+API reference:
+  https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances.legacy/legacyGetAlert
+
+"""
+
+import argparse
+import json
+from typing import Any, Mapping
+
+from common import chronicle_auth
+from common import project_id
+from common import project_instance
+from common import regions
+
+from google.auth.transport import requests
+
+CHRONICLE_API_BASE_URL = "https://chronicle.googleapis.com"
+SCOPES = [
+    "https://www.googleapis.com/auth/cloud-platform",
+]
+
+
+def get_alert(
+    http_session: requests.AuthorizedSession,
+    proj_id: str,
+    proj_instance: str,
+    proj_region: str,
+    alert_id: str,
+    include_detections: bool = False,
+) -> Mapping[str, Any]:
+  """Gets an Alert.
+
+  Args:
+    http_session: Authorized session for HTTP requests.
+    proj_id: GCP project id or number to which the target instance belongs.
+    proj_instance: Customer ID (uuid with dashes) for the Chronicle instance.
+    proj_region: region in which the target project is located.
+    alert_id: Identifier for the alert.
+    include_detections: Flag to include detections.
+
+  Returns:
+    Dictionary representation of the Alert
+
+  Raises:
+    requests.exceptions.HTTPError: HTTP request resulted in an error
+      (response.status_code >= 400).
+  """
+  base_url_with_region = regions.url_always_prepend_region(
+      CHRONICLE_API_BASE_URL,
+      proj_region
+  )
+  # pylint: disable-next=line-too-long
+  parent = f"projects/{proj_id}/locations/{proj_region}/instances/{proj_instance}"
+
+  query_params = {"alertId": alert_id}
+  if include_detections:
+    query_params["includeDetections"] = True
+
+  url = f"{base_url_with_region}/v1alpha/{parent}/legacy:legacyGetAlert"
+
+  response = http_session.request("GET", url, params=query_params)
+  # Expected server response is described in:
+  # https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances.legacy/legacyGetAlert
+  if response.status_code >= 400:
+    print(response.text)
+  response.raise_for_status()
+  return response.json()
+
+
+if __name__ == "__main__":
+  parser = argparse.ArgumentParser()
+  chronicle_auth.add_argument_credentials_file(parser)
+  project_instance.add_argument_project_instance(parser)
+  project_id.add_argument_project_id(parser)
+  regions.add_argument_region(parser)
+  parser.add_argument(
+      "--alert_id", type=str, required=True,
+      help="identifier for the alert"
+  )
+  parser.add_argument(
+      "-d", "--include-detections", type=bool, default=False, required=False,
+      help="flag to include detections"
+  )
+  args = parser.parse_args()
+
+  auth_session = chronicle_auth.initialize_http_session(
+      args.credentials_file,
+      SCOPES,
+  )
+  alert = get_alert(
+      auth_session,
+      args.project_id,
+      args.project_instance,
+      args.region,
+      args.alert_id,
+      args.include_detections,
+  )
+  print(json.dumps(alert, indent=2))