Expand v1alpha coverage; Add packaging and a CLI #188

Open: wants to merge 61 commits into master (from dandye:events_import_v1alpha)

Conversation

@dandye (Contributor) commented Mar 7, 2025

Install the CLI

make install

CLI Commands and Subcommands

# chronicle --help

# top-level subcommands
chronicle detect --help  #     Detection API commands.
chronicle ingestion --help  #  Ingestion API commands.
chronicle iocs --help  #       IoCs API commands.
chronicle lists --help  #      Lists API commands.
chronicle search --help  #     Search API commands.

# chronicle detect --help
chronicle detect alerts --help  #      Alert management commands.
chronicle detect detections --help  #  Detection management commands.
chronicle detect errors --help  #      Error management commands.
chronicle detect retrohunts --help  #  Retrohunt management commands.
chronicle detect rules --help  #       Rule management commands.
chronicle detect rulesets --help  #    Rule set deployment commands.

# chronicle detect alerts --help
chronicle detect alerts bulk-update --help  #  Bulk update alerts matching a filter.
chronicle detect alerts get --help  #          Get an alert by ID.
chronicle detect alerts update --help  #       Update an alert.

# chronicle detect detections --help
chronicle detect detections get --help  #   Get a detection by ID.
chronicle detect detections list --help  # List detections.

# chronicle detect errors --help
chronicle detect errors list --help

# chronicle detect retrohunts --help
chronicle detect retrohunts create --help # Create a new retrohunt.
chronicle detect retrohunts get --help  # Get a retrohunt by ID.

# chronicle detect rules --help
chronicle detect rules create --help  #  Create a new rule.
chronicle detect rules delete --help  #  Delete a rule.
chronicle detect rules enable --help  #  Enable a rule.
chronicle detect rules get --help  #     Get a rule by ID.
chronicle detect rules list --help  #    List rules.

# chronicle detect rulesets --help
chronicle detect rulesets batch-update --help  #  Batch update rule set deployments.

# chronicle ingestion --help
chronicle ingestion batch-get-events --help  #  Batch get events by IDs.
chronicle ingestion get-event --help  #  Get event details by ID.
chronicle ingestion import-events --help  #  Import events into Chronicle.

# chronicle iocs --help
chronicle iocs batch-get --help  # Get multiple IoCs by their values.
chronicle iocs get --help  # Get a single IoC by its value.
chronicle iocs get-state --help  # Get the state of an IoC by its value.

# chronicle lists --help
chronicle lists create --help  # Create a new list.
chronicle lists get --help  # Get a list by ID.
chronicle lists patch --help  # Update an existing list.

# chronicle search --help
chronicle search find-asset-events --help  # Find asset events within a time range.
chronicle search find-raw-logs --help  # Find raw logs based on search criteria.
chronicle search find-udm-events --help  # Find UDM events based on tokens or event IDs.
chronicle search get-search-query --help  # Get a search query by ID.

New API resources

Help on CLI for chronicle detect detections get

❯ chronicle detect detections get --help
Usage: chronicle detect detections get [OPTIONS]

  Get a detection by ID.

Options:
  --region TEXT            Region in which the target project is located. Can
                           also be set via CHRONICLE_REGION env var.
  --project-instance TEXT  Customer ID (uuid with dashes) for the Chronicle
                           instance. Can also be set via CHRONICLE_INSTANCE
                           env var.
  --project-id TEXT        GCP project id or number. Can also be set via
                           CHRONICLE_PROJECT_ID env var.
  --credentials-file TEXT  Path to service account credentials file. Can also
                           be set via CHRONICLE_CREDENTIALS_FILE env var.
  --env-file TEXT          Path to .env file containing configuration
                           variables.
  --detection-id TEXT      Identifier for the detection.  [required]
  --rule-id TEXT           Identifier for the rule that created the detection.

CLI Usage example for chronicle detect detections get

❯ chronicle detect detections get \
  --detection-id "de_92092e71-3baa-0ebf-f230-4aacc5952c63" \
  --rule-id "ru_bf30236c-13af-4a85-a3af-5d58205e10f0"
{
  "type": "RULE_DETECTION",
  "detection": [
    {
      "ruleName": "ttp_powershell_decodebase64_ns139797",
      ...

Help for detect.v1alpha.get_detection

❯ python3 -m detect.v1alpha.get_detection --help
usage: get_detection.py [-h] [-c CREDENTIALS_FILE] -i PROJECT_INSTANCE -p PROJECT_ID
                        [-r {asia-northeast1,asia-south1,asia-southeast1,australia-southeast1,eu,europe,europe-west12,europe-west2,europe-west3,europe-west6,europe-west9,me-central1,me-central2,me-west1,northamerica-northeast2,southamerica-east1,us}]
                        --detection_id DETECTION_ID --rule_id RULE_ID

options:
  -h, --help            show this help message and exit
  -c CREDENTIALS_FILE, --credentials_file CREDENTIALS_FILE
                        credentials file path (default: '/Users/dandye/.chronicle_credentials.json')
  -i PROJECT_INSTANCE, --project_instance PROJECT_INSTANCE
                        Customer ID for Chronicle instance
  -p PROJECT_ID, --project_id PROJECT_ID
                        Your BYOP, project id
  -r {asia-northeast1,asia-south1,asia-southeast1,australia-southeast1,eu,europe,europe-west12,europe-west2,europe-west3,europe-west6,europe-west9,me-central1,me-central2,me-west1,northamerica-northeast2,southamerica-east1,us}, --region {asia-northeast1,asia-south1,asia-southeast1,australia-southeast1,eu,europe,europe-west12,europe-west2,europe-west3,europe-west6,europe-west9,me-central1,me-central2,me-west1,northamerica-northeast2,southamerica-east1,us}
                        the region where the customer is located (default: us)
  --detection_id DETECTION_ID
                        Identifier for the detection
  --rule_id RULE_ID     Identifier for the rule that created the detection

Usage example

❯ PROJECT_INSTANCE=7e977ce4-f45d-43b2-aea0-52f8b66acd80
PROJECT_ID=dandye-0324-chronicle
python3 -m detect.v1alpha.get_detection \
 --project_instance=$PROJECT_INSTANCE  \
 --project_id=$PROJECT_ID \
 --detection_id "de_92092e71-3baa-0ebf-f230-4aacc5952c63" \
 --rule_id "ru_bf30236c-13af-4a85-a3af-5d58205e10f0"
{
  "type": "RULE_DETECTION",
  "detection": [
    {
      "ruleName": "ttp_powershell_decodebase64_ns139797",
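As an added example (not code from this PR or the project): a resolver for the configuration sources the `--help` output above lists. The CHRONICLE_* variable names, the region choices and the `us` default are copied from the help text on this page; the precedence order (explicit flag, then process environment, then .env file) is an assumption, since the page does not state it.

```python
import re
from typing import Dict, Optional

# Region choices copied from the argparse --help output shown on this page.
REGIONS = {
    "asia-northeast1", "asia-south1", "asia-southeast1", "australia-southeast1",
    "eu", "europe", "europe-west12", "europe-west2", "europe-west3",
    "europe-west6", "europe-west9", "me-central1", "me-central2", "me-west1",
    "northamerica-northeast2", "southamerica-east1", "us",
}
# CLI option -> environment variable, as listed in the CLI --help output above.
ENV_VARS = {
    "region": "CHRONICLE_REGION",
    "project_instance": "CHRONICLE_INSTANCE",
    "project_id": "CHRONICLE_PROJECT_ID",
    "credentials_file": "CHRONICLE_CREDENTIALS_FILE",
}
# The help text calls the instance a "uuid with dashes"; enforce exactly that.
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def parse_env_file(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines of a .env file, skipping blanks and # comments."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip("'\"")
    return values


def resolve_config(cli: Dict[str, Optional[str]], environ: Dict[str, str],
                   env_file: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Merge sources; assumed precedence (not on the page): CLI flag > env > .env > default."""
    resolved: Dict[str, Optional[str]] = {}
    for option, var in ENV_VARS.items():
        resolved[option] = cli.get(option) or environ.get(var) or env_file.get(var)
    resolved["region"] = resolved["region"] or "us"  # default shown in the script help
    # Fail closed on bad input before any credential is read or request is sent.
    for option in ("project_instance", "project_id"):
        if not resolved[option]:
            raise ValueError(f"missing --{option.replace('_', '-')} / {ENV_VARS[option]}")
    if resolved["region"] not in REGIONS:
        raise ValueError(f"unknown region {resolved['region']!r}")
    if not UUID_RE.match(resolved["project_instance"]):
        raise ValueError("--project-instance must be a UUID with dashes")
    return resolved
```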

dandye added 30 commits March 6, 2025 21:04
I've made several improvements to streamline the SDK documentation:

- Removed the duplicate "SDK CLI Wrapper" section and consolidated all CLI information in one place
- Reorganized the README structure to be more logical:
  - Getting Started (prerequisites, installation, env setup)
  - SDK CLI Wrapper (main documentation)
  - Running Individual Scripts (alternative usage)
  - License
- Improved command documentation:
  - Added command syntax templates for each API group
  - Made parameter descriptions more consistent
  - Added clear examples of required/optional parameters
  - Removed repetitive common parameters from examples
- Enhanced environment variable documentation:
  - Added clear mapping between CLI options and env vars
  - Included example .env file structure
  - Explained precedence rules

The documentation is now more concise and easier to follow, with a clear focus on using environment variables for configuration.
@dandye changed the title from "Expand v1alpha coverage; Add an SDK (WiP)" to "Expand v1alpha coverage; Add packaging and a CLI" on Mar 12, 2025
copybara-service bot pushed a commit that referenced this pull request Mar 20, 2025
FUTURE_COPYBARA_INTEGRATE_REVIEW=#188 from dandye:events_import_v1alpha 52d13f8
PiperOrigin-RevId: 738946763
copybara-service bot pushed a commit that referenced this pull request Mar 26, 2025
FUTURE_COPYBARA_INTEGRATE_REVIEW=#188 from dandye:events_import_v1alpha 24f6b68
PiperOrigin-RevId: 738946763
copybara-service bot pushed a commit that referenced this pull request May 29, 2025
FUTURE_COPYBARA_INTEGRATE_REVIEW=#188 from dandye:events_import_v1alpha 24f6b68
PiperOrigin-RevId: 764848268
copybara-service bot pushed a commit that referenced this pull request May 29, 2025
FUTURE_COPYBARA_INTEGRATE_REVIEW=#188 from dandye:events_import_v1alpha 24f6b68
PiperOrigin-RevId: 764865423
copybara-service bot pushed a commit that referenced this pull request May 30, 2025
FUTURE_COPYBARA_INTEGRATE_REVIEW=#188 from dandye:events_import_v1alpha 24f6b68
PiperOrigin-RevId: 764942204
copybara-service bot pushed a commit that referenced this pull request May 30, 2025
FUTURE_COPYBARA_INTEGRATE_REVIEW=#188 from dandye:events_import_v1alpha 24f6b68
PiperOrigin-RevId: 764865423
copybara-service bot pushed a commit that referenced this pull request Jun 25, 2025
FUTURE_COPYBARA_INTEGRATE_REVIEW=#188 from dandye:events_import_v1alpha 24f6b68
PiperOrigin-RevId: 775253266
1 participant