diff --git a/CLI.md b/CLI.md index 27bf625b..7fa8d2a0 100644 --- a/CLI.md +++ b/CLI.md @@ -745,6 +745,369 @@ Delete a watchlist: secops watchlist delete --watchlist-id "abc-123-def" ``` +### Integration Management + +#### Marketplace Integrations + +List marketplace integrations: + +```bash +# List all marketplace integration (returns dict with pagination metadata) +secops integration marketplace list + +# List marketplace integration as a direct list (fetches all pages automatically) +secops integration marketplace list --as-list +``` + +Get marketplace integration details: + +```bash +secops integration marketplace get --integration-name "AWSSecurityHub" +``` + +Get marketplace integration diff between installed version and latest version: + +```bash +secops integration marketplace diff --integration-name "AWSSecurityHub" +``` + +Install or update a marketplace integration: + +```bash +# Install with default settings +secops integration marketplace install --integration-name "AWSSecurityHub" + +# Install to staging environment and override any existing ontology mappings +secops integration marketplace install --integration-name "AWSSecurityHub" --staging --override-mapping + +# Installing a currently installed integration with no specified version +# number will update it to the latest version +secops integration marketplace install --integration-name "AWSSecurityHub" + +# Or you can specify a specific version to install +secops integration marketplace install --integration-name "AWSSecurityHub" --version "5.0" +``` + +Uninstall a marketplace integration: + +```bash +secops integration marketplace uninstall --integration-name "AWSSecurityHub" +``` + +#### Integration Actions + +List integration actions: + +```bash +# List all actions for an integration +secops integration actions list --integration-name "MyIntegration" + +# List actions as a direct list (fetches all pages automatically) +secops integration actions list --integration-name "MyIntegration" --as-list + +# List with pagination +secops integration actions list --integration-name "MyIntegration" --page-size 50 + +# List with filtering +secops integration actions list --integration-name "MyIntegration" --filter-string "enabled = true" +``` + +Get action details: + +```bash +secops integration actions get --integration-name "MyIntegration" --action-id "123" +``` + +Create a new action: + +```bash +# Create a basic action with Python code +secops integration actions create \ + --integration-name "MyIntegration" \ + --display-name "Send Alert" \ + --code "def main(context): return {'status': 'success'}" + +# Create an async action +secops integration actions create \ + --integration-name "MyIntegration" \ + --display-name "Async Task" \ + --code "async def main(context): return await process()" \ + --is-async + +# Create with description +secops integration actions create \ + --integration-name "MyIntegration" \ + --display-name "My Action" \ + --code "def main(context): return {}" \ + --description "Action description" +``` + +> **Note:** When creating an action, the following default values are automatically applied: +> - `timeout_seconds`: 300 (5 minutes) +> - `enabled`: true +> - `script_result_name`: "result" +> +> The `--code` parameter contains the Python script that will be executed by the action. + +Update an existing action: + +```bash +# Update display name +secops integration actions update \ + --integration-name "MyIntegration" \ + --action-id "123" \ + --display-name "Updated Action Name" + +# Update code +secops integration actions update \ + --integration-name "MyIntegration" \ + --action-id "123" \ + --code "def main(context): return {'status': 'updated'}" + +# Update multiple fields with update mask +secops integration actions update \ + --integration-name "MyIntegration" \ + --action-id "123" \ + --display-name "New Name" \ + --description "New description" \ + --update-mask "displayName,description" +``` + +Delete an action: + +```bash +secops integration actions delete --integration-name "MyIntegration" --action-id "123" +``` + +Test an action: + +```bash +# Test an action to verify it executes correctly +secops integration actions test --integration-name "MyIntegration" --action-id "123" +``` + +Get action template: + +```bash +# Get synchronous action template +secops integration actions template --integration-name "MyIntegration" + +# Get asynchronous action template +secops integration actions template --integration-name "MyIntegration" --is-async +``` + +#### Action Revisions + +List action revisions: + +```bash +# List all revisions for an action +secops integration action-revisions list \ + --integration-name "MyIntegration" \ + --action-id "123" + +# List revisions as a direct list +secops integration action-revisions list \ + --integration-name "MyIntegration" \ + --action-id "123" \ + --as-list + +# List with pagination +secops integration action-revisions list \ + --integration-name "MyIntegration" \ + --action-id "123" \ + --page-size 10 + +# List with filtering and ordering +secops integration action-revisions list \ + --integration-name "MyIntegration" \ + --action-id "123" \ + --filter-string 'version = "1.0"' \ + --order-by "createTime desc" +``` + +Create a revision backup: + +```bash +# Create revision with comment +secops integration action-revisions create \ + --integration-name "MyIntegration" \ + --action-id "123" \ + --comment "Backup before major refactor" + +# Create revision without comment +secops integration action-revisions create \ + --integration-name "MyIntegration" \ + --action-id "123" +``` + +Rollback to a previous revision: + +```bash +secops integration action-revisions rollback \ + --integration-name "MyIntegration" \ + --action-id "123" \ + --revision-id "r456" +``` + +Delete an old revision: + +```bash +secops integration action-revisions delete \ + --integration-name "MyIntegration" \ + --action-id "123" \ + --revision-id "r789" +``` + +#### Integration Managers + +List integration managers: + +```bash +# List all managers for an integration +secops integration managers list --integration-name "MyIntegration" + +# List managers as a direct list (fetches all pages automatically) +secops integration managers list --integration-name "MyIntegration" --as-list + +# List with pagination +secops integration managers list --integration-name "MyIntegration" --page-size 50 + +# List with filtering +secops integration managers list --integration-name "MyIntegration" --filter-string "enabled = true" +``` + +Get manager details: + +```bash +secops integration managers get --integration-name "MyIntegration" --manager-id "mgr1" +``` + +Create a new manager: + +```bash +secops integration managers create \ + --integration-name "MyIntegration" \ + --display-name "Configuration Manager" \ + --code "def manage_config(context): return {'status': 'configured'}" + +# Create with description and custom ID +secops integration managers create \ + --integration-name "MyIntegration" \ + --display-name "My Manager" \ + --code "def manage(context): return {}" \ + --description "Manager description" \ + --manager-id "custom-manager-id" +``` + +Update an existing manager: + +```bash +# Update display name +secops integration managers update \ + --integration-name "MyIntegration" \ + --manager-id "mgr1" \ + --display-name "Updated Manager Name" + +# Update code +secops integration managers update \ + --integration-name "MyIntegration" \ + --manager-id "mgr1" \ + --code "def manage(context): return {'status': 'updated'}" + +# Update multiple fields with update mask +secops integration managers update \ + --integration-name "MyIntegration" \ + --manager-id "mgr1" \ + --display-name "New Name" \ + --description "New description" \ + --update-mask "displayName,description" +``` + +Delete a manager: + +```bash +secops integration managers delete --integration-name "MyIntegration" --manager-id "mgr1" +``` + +Get manager template: + +```bash +secops integration managers template --integration-name "MyIntegration" +``` + +#### Manager Revisions + +List manager revisions: + +```bash +# List all revisions for a manager +secops integration manager-revisions list \ + --integration-name "MyIntegration" \ + --manager-id "mgr1" + +# List revisions as a direct list +secops integration manager-revisions list \ + --integration-name "MyIntegration" \ + --manager-id "mgr1" \ + --as-list + +# List with pagination +secops integration manager-revisions list \ + --integration-name "MyIntegration" \ + --manager-id "mgr1" \ + --page-size 10 + +# List with filtering and ordering +secops integration manager-revisions list \ + --integration-name "MyIntegration" \ + --manager-id "mgr1" \ + --filter-string 'version = "1.0"' \ + --order-by "createTime desc" +``` + +Get a specific revision: + +```bash +secops integration manager-revisions get \ + --integration-name "MyIntegration" \ + --manager-id "mgr1" \ + --revision-id "r456" +``` + +Create a revision backup: + +```bash +# Create revision with comment +secops integration manager-revisions create \ + --integration-name "MyIntegration" \ + --manager-id "mgr1" \ + --comment "Backup before major refactor" + +# Create revision without comment +secops integration manager-revisions create \ + --integration-name "MyIntegration" \ + --manager-id "mgr1" +``` + +Rollback to a previous revision: + +```bash +secops integration manager-revisions rollback \ + --integration-name "MyIntegration" \ + --manager-id "mgr1" \ + --revision-id "r456" +``` + +Delete an old revision: + +```bash +secops integration manager-revisions delete \ + --integration-name "MyIntegration" \ + --manager-id "mgr1" \ + --revision-id "r789" +``` + ### Rule Management List detection rules: @@ -896,7 +1259,6 @@ secops curated-rule search-detections \ --end-time "2024-01-31T23:59:59Z" \ --list-basis "DETECTION_TIME" \ --page-size 50 - ``` List all curated rule sets: @@ -1543,39 +1905,7 @@ secops reference-list create \ secops parser list # Get details of a specific parser -secops parser get --log-type "WINDOWS" --id "pa_12345" - -# Create a custom parser for a new log format -secops parser create \ - --log-type "CUSTOM_APPLICATION" \ - --parser-code-file "/path/to/custom_parser.conf" \ - --validated-on-empty-logs - -# Copy an existing parser as a starting point -secops parser copy --log-type "OKTA" --id "pa_okta_base" - -# Activate your custom parser -secops parser activate --log-type "CUSTOM_APPLICATION" --id "pa_new_custom" - -# If needed, deactivate and delete old parser -secops parser deactivate --log-type "CUSTOM_APPLICATION" --id "pa_old_custom" -secops parser delete --log-type "CUSTOM_APPLICATION" --id "pa_old_custom" -``` - -### Complete Parser Workflow Example: Retrieve, Run, and Ingest - -This example demonstrates the complete workflow of retrieving an OKTA parser, running it against a sample log, and ingesting the parsed UDM event: - -```bash -# Step 1: List OKTA parsers to find an active one -secops parser list --log-type "OKTA" > okta_parsers.json - -# Extract the first parser ID (you can use jq or grep) -PARSER_ID=$(cat okta_parsers.json | jq -r '.[0].name' | awk -F'/' '{print $NF}') -echo "Using parser: $PARSER_ID" - -# Step 2: Get the parser details and save to a file -secops parser get --log-type "OKTA" --id "$PARSER_ID" > parser_details.json +secops parser get --log-type "WINDOWS" --id "$PARSER_ID" > parser_details.json # Extract and decode the parser code (base64 encoded in 'cbn' field) cat parser_details.json | jq -r '.cbn' | base64 -d > okta_parser.conf @@ -1713,7 +2043,7 @@ secops feed update --id "feed-123" --display-name "Updated Feed Name" secops feed update --id "feed-123" --details '{"httpSettings":{"uri":"https://example.com/updated-feed","sourceType":"FILES"}}' # Update both display name and details -secops feed update --id "feed-123" --display-name "Updated Name" --details '{"httpSettings":{"uri":"https://example.com/updated-feed"}}' +secops feed update --id "feed-123" --display-name "New Name" --details '{"httpSettings":{"uri":"https://example.com/updated-feed"}}' ``` Enable and disable feeds: @@ -1854,4 +2184,5 @@ secops dashboard-query get --id query-id ## Conclusion -The SecOps CLI provides a powerful way to interact with Google Security Operations products directly from your terminal. For more detailed information about the SDK capabilities, refer to the [main README](README.md). \ No newline at end of file +The SecOps CLI provides a powerful way to interact with Google Security Operations products directly from your terminal. For more detailed information about the SDK capabilities, refer to the [main README](README.md). + diff --git a/README.md b/README.md index d746ad5a..ccc72370 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,5 @@ +from tests.chronicle.test_rule_integration import chronicle + # Google SecOps SDK for Python [![PyPI version](https://img.shields.io/pypi/v/secops.svg)](https://pypi.org/project/secops/) @@ -1907,6 +1909,429 @@ for watchlist in watchlists: print(f"Watchlist: {watchlist.get('displayName')}") ``` +## Integration Management + +### Integration Actions + +List all available actions for an integration: + +```python +# Get all actions for an integration +actions = chronicle.list_integration_actions("AWSSecurityHub") +for action in actions.get("actions", []): + print(f"Action: {action.get('displayName')}, ID: {action.get('name')}") + +# Get all actions as a list +actions = chronicle.list_integration_actions("AWSSecurityHub", as_list=True) + +# Get only enabled actions +actions = chronicle.list_integration_actions("AWSSecurityHub", filter_string="enabled = true") +``` + +Get details of a specific action: + +```python + +action = chronicle.get_integration_action( + integration_name="AWSSecurityHub", + action_id="123" +) +``` + +Create an integration action + +```python +from secops.chronicle.models import ActionParameter, ActionParamType + +new_action = chronicle.create_integration_action( + integration_name="MyIntegration", + display_name="New Action", + description="This is a new action", + enabled=True, + timeout_seconds=900, + is_async=False, + script_result_name="script_result", + parameters=[ + ActionParameter( + display_name="Parameter 1", + type=ActionParamType.STRING, + description="This is parameter 1", + mandatory=True, + ) + ], + script="print('Hello, World!')" + ) +``` + +Update an integration action + +```python +from secops.chronicle.models import ActionParameter, ActionParamType + +updated_action = chronicle.update_integration_action( + integration_name="MyIntegration", + action_id="123", + display_name="Updated Action Name", + description="Updated description", + enabled=False, + parameters=[ + ActionParameter( + display_name="New Parameter", + type=ActionParamType.PASSWORD, + description="This is a new parameter", + mandatory=True, + ) + ], + script="print('Updated script')" +) +``` + +Delete an integration action + +```python +chronicle.delete_integration_action( + integration_name="MyIntegration", + action_id="123" +) +``` + +Execute test run of an integration action + +```python +# Get the integration instance ID by using chronicle.list_integration_instances() +integration_instance_id = "abc-123-def-456" + +test_run = chronicle.execute_integration_action_test( + integration_name="MyIntegration", + test_case_id=123456, + action=chronicle.get_integration_action("MyIntegration", "123"), + scope="TEST", + integration_instance_id=integration_instance_id, +) +``` + +Get integration actions by environment + +```python +# Get all actions for an integration in the Default Environment +actions = chronicle.get_integration_actions_by_environment( + integration_name="MyIntegration", + environments=["Default Environment"], + include_widgets=True, +) +``` + +Get a template for creating an action in an integration + +```python +template = chronicle.get_integration_action_template("MyIntegration") +``` + +### Integration Action Revisions + +List all revisions for an action: + +```python +# Get all revisions for an action +revisions = chronicle.list_integration_action_revisions( + integration_name="MyIntegration", + action_id="123" +) +for revision in revisions.get("revisions", []): + print(f"Revision: {revision.get('name')}, Comment: {revision.get('comment')}") + +# Get all revisions as a list +revisions = chronicle.list_integration_action_revisions( + integration_name="MyIntegration", + action_id="123", + as_list=True +) + +# Filter revisions +revisions = chronicle.list_integration_action_revisions( + integration_name="MyIntegration", + action_id="123", + filter_string='version = "1.0"', + order_by="createTime desc" +) +``` + +Delete a specific action revision: + +```python +chronicle.delete_integration_action_revision( + integration_name="MyIntegration", + action_id="123", + revision_id="rev-456" +) +``` + +Create a new revision before making changes: + +```python +# Get the current action +action = chronicle.get_integration_action( + integration_name="MyIntegration", + action_id="123" +) + +# Create a backup revision +new_revision = chronicle.create_integration_action_revision( + integration_name="MyIntegration", + action_id="123", + action=action, + comment="Backup before major refactor" +) +print(f"Created revision: {new_revision.get('name')}") + +# Create revision with custom comment +new_revision = chronicle.create_integration_action_revision( + integration_name="MyIntegration", + action_id="123", + action=action, + comment="Version 2.0 - Added error handling" +) +``` + +Rollback to a previous revision: + +```python +# Rollback to a previous working version +rollback_result = chronicle.rollback_integration_action_revision( + integration_name="MyIntegration", + action_id="123", + revision_id="rev-456" +) +print(f"Rolled back to: {rollback_result.get('name')}") +``` + +Example workflow: Safe action updates with revision control: + +```python +# 1. Get the current action +action = chronicle.get_integration_action( + integration_name="MyIntegration", + action_id="123" +) + +# 2. Create a backup revision +backup = chronicle.create_integration_action_revision( + integration_name="MyIntegration", + action_id="123", + action=action, + comment="Backup before updating logic" +) + +# 3. Make changes to the action +updated_action = chronicle.update_integration_action( + integration_name="MyIntegration", + action_id="123", + display_name="Updated Action", + script=""" +def main(context): + # New logic here + return {"status": "success"} +""" +) + +# 4. Test the updated action +test_result = chronicle.execute_integration_action_test( + integration_name="MyIntegration", + action_id="123", + action=updated_action +) + +# 5. If test fails, rollback to backup +if not test_result.get("successful"): + print("Test failed - rolling back") + chronicle.rollback_integration_action_revision( + integration_name="MyIntegration", + action_id="123", + revision_id=backup.get("name").split("/")[-1] + ) +else: + print("Test passed - changes saved") +``` + +### Integration Managers + +List all available managers for an integration: + +```python +# Get all managers for an integration +managers = chronicle.list_integration_managers("MyIntegration") +for manager in managers.get("managers", []): + print(f"Manager: {manager.get('displayName')}, ID: {manager.get('name')}") + +# Get all managers as a list +managers = chronicle.list_integration_managers("MyIntegration", as_list=True) + +# Filter managers by display name +managers = chronicle.list_integration_managers( + "MyIntegration", + filter_string='displayName = "API Helper"' +) + +# Sort managers by display name +managers = chronicle.list_integration_managers( + "MyIntegration", + order_by="displayName" +) +``` + +Get details of a specific manager: + +```python +manager = chronicle.get_integration_manager( + integration_name="MyIntegration", + manager_id="123" +) +``` + +Create an integration manager: + +```python +new_manager = chronicle.create_integration_manager( + integration_name="MyIntegration", + display_name="API Helper", + description="Shared utility functions for API calls", + script=""" +def make_api_request(url, headers=None): + '''Helper function to make API requests''' + import requests + return requests.get(url, headers=headers) + +def parse_response(response): + '''Parse API response''' + return response.json() +""" +) +``` + +Update an integration manager: + +```python +updated_manager = chronicle.update_integration_manager( + integration_name="MyIntegration", + manager_id="123", + display_name="Updated API Helper", + description="Updated shared utility functions", + script=""" +def make_api_request(url, headers=None, method='GET'): + '''Updated helper function with method parameter''' + import requests + if method == 'GET': + return requests.get(url, headers=headers) + elif method == 'POST': + return requests.post(url, headers=headers) +""" +) + +# Update only specific fields +updated_manager = chronicle.update_integration_manager( + integration_name="MyIntegration", + manager_id="123", + description="New description only" +) +``` + +Delete an integration manager: + +```python +chronicle.delete_integration_manager( + integration_name="MyIntegration", + manager_id="123" +) +``` + +Get a template for creating a manager in an integration: + +```python +template = chronicle.get_integration_manager_template("MyIntegration") +print(f"Template script: {template.get('script')}") +``` + +### Integration Manager Revisions + +List all revisions for a specific manager: + +```python +# Get all revisions for a manager +revisions = chronicle.list_integration_manager_revisions( + integration_name="MyIntegration", + manager_id="123" +) +for revision in revisions.get("revisions", []): + print(f"Revision: {revision.get('name')}, Comment: {revision.get('comment')}") + +# Get all revisions as a list +revisions = chronicle.list_integration_manager_revisions( + integration_name="MyIntegration", + manager_id="123", + as_list=True +) + +# Filter revisions +revisions = chronicle.list_integration_manager_revisions( + integration_name="MyIntegration", + manager_id="123", + filter_string='comment contains "backup"', + order_by="createTime desc" +) +``` + +Get details of a specific revision: + +```python +revision = chronicle.get_integration_manager_revision( + integration_name="MyIntegration", + manager_id="123", + revision_id="r1" +) +print(f"Revision script: {revision.get('manager', {}).get('script')}") +``` + +Create a new revision snapshot: + +```python +# Get the current manager +manager = chronicle.get_integration_manager( + integration_name="MyIntegration", + manager_id="123" +) + +# Create a revision before making changes +revision = chronicle.create_integration_manager_revision( + integration_name="MyIntegration", + manager_id="123", + manager=manager, + comment="Backup before major refactor" +) +print(f"Created revision: {revision.get('name')}") +``` + +Rollback to a previous revision: + +```python +# Rollback to a previous working version +rollback_result = chronicle.rollback_integration_manager_revision( + integration_name="MyIntegration", + manager_id="123", + revision_id="acb123de-abcd-1234-ef00-1234567890ab" +) +print(f"Rolled back to: {rollback_result.get('name')}") +``` + +Delete a revision: + +```python +chronicle.delete_integration_manager_revision( + integration_name="MyIntegration", + manager_id="123", + revision_id="r1" +) +``` + ## Rule Management The SDK provides comprehensive support for managing Chronicle detection rules: diff --git a/api_module_mapping.md b/api_module_mapping.md index bcfa632d..3d006a93 100644 --- a/api_module_mapping.md +++ b/api_module_mapping.md @@ -7,10 +7,643 @@ Following shows mapping between SecOps [REST Resource](https://cloud.google.com/ ## Implementation Statistics - **v1:** 17 endpoints implemented -- **v1alpha:** 113 endpoints implemented +- **v1beta:** 88 endpoints implemented +- **v1alpha:** 203 endpoints implemented ## Endpoint Mapping +| REST Resource | Version | secops-wrapper module | CLI Command | +|--------------------------------------------------------------------------------|---------|------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------| +| dataAccessLabels.create | v1 | | | +| dataAccessLabels.delete | v1 | | | +| dataAccessLabels.get | v1 | | | +| dataAccessLabels.list | v1 | | | +| dataAccessLabels.patch | v1 | | | +| dataAccessScopes.create | v1 | | | +| dataAccessScopes.delete | v1 | | | +| dataAccessScopes.get | v1 | | | +| dataAccessScopes.list | v1 | | | +| dataAccessScopes.patch | v1 | | | +| get | v1 | | | +| operations.cancel | v1 | | | +| operations.delete | v1 | | | +| operations.get | v1 | | | +| operations.list | v1 | | | +| referenceLists.create | v1 | chronicle.reference_list.create_reference_list | secops reference-list create | +| referenceLists.get | v1 | chronicle.reference_list.get_reference_list | secops reference-list get | +| referenceLists.list | v1 | chronicle.reference_list.list_reference_lists | secops reference-list list | +| referenceLists.patch | v1 | chronicle.reference_list.update_reference_list | secops reference-list update | +| rules.create | v1 | chronicle.rule.create_rule | secops rule create | +| rules.delete | v1 | chronicle.rule.delete_rule | secops rule delete | +| rules.deployments.list | v1 | | | +| rules.get | v1 | chronicle.rule.get_rule | secops rule get | +| rules.getDeployment | v1 | | | +| rules.list | v1 | chronicle.rule.list_rules | secops rule list | +| rules.listRevisions | v1 | | | +| rules.patch | v1 | chronicle.rule.update_rule | secops rule update | +| rules.retrohunts.create | v1 | chronicle.rule_retrohunt.create_retrohunt | secops rule-retrohunt create | +| rules.retrohunts.get | v1 | chronicle.rule_retrohunt.get_retrohunt | secops rule-retrohunt get | +| rules.retrohunts.list | v1 | chronicle.rule_retrohunt.list_retrohunts | secops rule-retrohunt list | +| rules.updateDeployment | v1 | chronicle.rule.enable_rule | secops rule enable | +| watchlists.create | v1 | chronicle.watchlist.create_watchlist | secops watchlist create | +| watchlists.delete | v1 | chronicle.watchlist.delete_watchlist | secops watchlist delete | +| watchlists.get | v1 | chronicle.watchlist.get_watchlist | secops watchlist get | +| watchlists.list | v1 | chronicle.watchlist.list_watchlists | secops watchlist list | +| watchlists.patch | v1 | chronicle.watchlist.update_watchlist | secops watchlist update | +| dataAccessLabels.create | v1beta | | | +| dataAccessLabels.delete | v1beta | | | +| dataAccessLabels.get | v1beta | | | +| dataAccessLabels.list | v1beta | | | +| dataAccessLabels.patch | v1beta | | | +| dataAccessScopes.create | v1beta | | | +| dataAccessScopes.delete | v1beta | | | +| dataAccessScopes.get | v1beta | | | +| dataAccessScopes.list | v1beta | | | +| dataAccessScopes.patch | v1beta | | | +| get | v1beta | | | +| integrations.create | v1beta | | | +| integrations.delete | v1beta | chronicle.integration.integrations.delete_integration | secops integration integrations delete | +| integrations.download | v1beta | chronicle.integration.integrations.download_integration | secops integration integrations download | +| integrations.downloadDependency | v1beta | chronicle.integration.integrations.download_integration_dependency | secops integration integrations download-dependency | +| integrations.exportIntegrationItems | v1beta | chronicle.integration.integrations.export_integration_items | secops integration integrations export-items | +| integrations.fetchAffectedItems | v1beta | chronicle.integration.integrations.get_integration_affected_items | secops integration integrations get-affected-items | +| integrations.fetchAgentIntegrations | v1beta | chronicle.integration.integrations.get_agent_integrations | secops integration integrations get-agent | +| integrations.fetchCommercialDiff | v1beta | chronicle.integration.integrations.get_integration_diff | secops integration integrations get-diff | +| integrations.fetchDependencies | v1beta | chronicle.integration.integrations.get_integration_dependencies | secops integration integrations get-dependencies | +| integrations.fetchRestrictedAgents | v1beta | chronicle.integration.integrations.get_integration_restricted_agents | secops integration integrations get-restricted-agents | +| integrations.get | v1beta | chronicle.integration.integrations.get_integration | secops integration integrations get | +| integrations.getFetchProductionDiff | v1beta | chronicle.integration.integrations.get_integration_diff(diff_type=DiffType.PRODUCTION) | secops integration integrations get-diff | +| integrations.getFetchStagingDiff | v1beta | chronicle.integration.integrations.get_integration_diff(diff_type=DiffType.STAGING) | secops integration integrations get-diff | +| integrations.import | v1beta | | | +| integrations.importIntegrationDependency | v1beta | | | +| integrations.importIntegrationItems | v1beta | | | +| integrations.list | v1beta | chronicle.integration.integrations.list_integrations | secops integration integrations list | +| integrations.patch | v1beta | | | +| integrations.pushToProduction | v1beta | chronicle.integration.integrations.transition_integration(target_mode=TargetMode.PRODUCTION) | secops integration integrations transition | +| integrations.pushToStaging | v1beta | chronicle.integration.integrations.transition_integration(target_mode=TargetMode.STAGING) | secops integration integrations transition | +| integrations.updateCustomIntegration | v1beta | | | +| integrations.upload | v1beta | | | +| integrations.actions.create | v1beta | chronicle.integration.actions.create_integration_action | secops integration actions create | +| integrations.actions.delete | v1beta | chronicle.integration.actions.delete_integration_action | secops integration actions delete | +| integrations.actions.executeTest | v1beta | chronicle.integration.actions.execute_integration_action_test | secops integration actions test | +| integrations.actions.fetchActionsByEnvironment | v1beta | chronicle.integration.actions.get_integration_actions_by_environment | | +| integrations.actions.fetchTemplate | v1beta | chronicle.integration.actions.get_integration_action_template | secops integration actions template | +| integrations.actions.get | v1beta | chronicle.integration.actions.get_integration_action | secops integration actions get | +| integrations.actions.list | v1beta | chronicle.integration.actions.list_integration_actions | secops integration actions list | +| integrations.actions.patch | v1beta | chronicle.integration.actions.update_integration_action | secops integration actions update | +| integrations.actions.revisions.create | v1beta | chronicle.integration.action_revisions.create_integration_action_revision | secops integration action-revisions create | +| integrations.actions.revisions.delete | v1beta | chronicle.integration.action_revisions.delete_integration_action_revision | secops integration action-revisions delete | +| integrations.actions.revisions.list | v1beta | chronicle.integration.action_revisions.list_integration_action_revisions | secops integration action-revisions list | +| integrations.actions.revisions.rollback | v1beta | chronicle.integration.action_revisions.rollback_integration_action_revision | secops integration action-revisions rollback | +| integrations.connectors.create | v1beta | chronicle.integration.connectors.create_integration_connector | secops integration connectors create | +| integrations.connectors.delete | v1beta | chronicle.integration.connectors.delete_integration_connector | secops integration connectors delete | +| integrations.connectors.executeTest | v1beta | chronicle.integration.connectors.execute_integration_connector_test | secops integration connectors test | +| integrations.connectors.fetchTemplate | v1beta | chronicle.integration.connectors.get_integration_connector_template | secops integration connectors template | +| integrations.connectors.get | v1beta | chronicle.integration.connectors.get_integration_connector | secops integration connectors get | +| integrations.connectors.list | v1beta | chronicle.integration.connectors.list_integration_connectors | secops integration connectors list | +| integrations.connectors.patch | v1beta | chronicle.integration.connectors.update_integration_connector | secops integration connectors update | +| integrations.connectors.revisions.create | v1beta | chronicle.integration.connector_revisions.create_integration_connector_revision | secops integration connector-revisions create | +| integrations.connectors.revisions.delete | v1beta | chronicle.integration.connector_revisions.delete_integration_connector_revision | secops integration connector-revisions delete | +| integrations.connectors.revisions.list | v1beta | chronicle.integration.connector_revisions.list_integration_connector_revisions | secops integration connector-revisions list | +| integrations.connectors.revisions.rollback | v1beta | chronicle.integration.connector_revisions.rollback_integration_connector_revision | secops integration connector-revisions rollback| +| integrations.connectors.contextProperties.clearAll | v1beta | chronicle.integration.connector_context_properties.delete_all_connector_context_properties | secops integration connector-context-properties delete-all | +| integrations.connectors.contextProperties.create | v1beta | chronicle.integration.connector_context_properties.create_connector_context_property | secops integration connector-context-properties create | +| integrations.connectors.contextProperties.delete | v1beta | chronicle.integration.connector_context_properties.delete_connector_context_property | secops integration connector-context-properties delete | +| integrations.connectors.contextProperties.get | v1beta | chronicle.integration.connector_context_properties.get_connector_context_property | secops integration connector-context-properties get | +| integrations.connectors.contextProperties.list | v1beta | chronicle.integration.connector_context_properties.list_connector_context_properties | secops integration connector-context-properties list | +| integrations.connectors.contextProperties.patch | v1beta | chronicle.integration.connector_context_properties.update_connector_context_property | secops integration connector-context-properties update | +| integrations.connectors.connectorInstances.logs.get | v1beta | chronicle.integration.connector_instance_logs.get_connector_instance_log | secops integration connector-instance-logs get | +| integrations.connectors.connectorInstances.logs.list | v1beta | chronicle.integration.connector_instance_logs.list_connector_instance_logs | secops integration connector-instance-logs list| +| integrations.connectors.connectorInstances.create | v1beta | chronicle.integration.connector_instances.create_connector_instance | secops integration connector-instances create | +| integrations.connectors.connectorInstances.delete | v1beta | chronicle.integration.connector_instances.delete_connector_instance | secops integration connector-instances delete | +| integrations.connectors.connectorInstances.fetchLatestDefinition | v1beta | chronicle.integration.connector_instances.get_connector_instance_latest_definition | secops integration connector-instances get-latest-definition | +| integrations.connectors.connectorInstances.get | v1beta | chronicle.integration.connector_instances.get_connector_instance | secops integration connector-instances get | +| integrations.connectors.connectorInstances.list | v1beta | chronicle.integration.connector_instances.list_connector_instances | secops integration connector-instances list | +| integrations.connectors.connectorInstances.patch | v1beta | chronicle.integration.connector_instances.update_connector_instance | secops integration connector-instances update | +| integrations.connectors.connectorInstances.runOnDemand | v1beta | chronicle.integration.connector_instances.run_connector_instance_on_demand | secops integration connector-instances run-on-demand | +| integrations.connectors.connectorInstances.setLogsCollection | v1beta | chronicle.integration.connector_instances.set_connector_instance_logs_collection | secops integration connector-instances set-logs-collection | +| integrations.integrationInstances.create | v1beta | chronicle.integration.integration_instances.create_integration_instance | secops integration instances create | +| integrations.integrationInstances.delete | v1beta | chronicle.integration.integration_instances.delete_integration_instance | secops integration instances delete | +| integrations.integrationInstances.executeTest | v1beta | chronicle.integration.integration_instances.execute_integration_instance_test | secops integration instances test | +| integrations.integrationInstances.fetchAffectedItems | v1beta | chronicle.integration.integration_instances.get_integration_instance_affected_items | secops integration instances get-affected-items| +| integrations.integrationInstances.fetchDefaultInstance | v1beta | chronicle.integration.integration_instances.get_default_integration_instance | secops integration instances get-default | +| integrations.integrationInstances.get | v1beta | chronicle.integration.integration_instances.get_integration_instance | secops integration instances get | +| integrations.integrationInstances.list | v1beta | chronicle.integration.integration_instances.list_integration_instances | secops integration instances list | +| integrations.integrationInstances.patch | v1beta | chronicle.integration.integration_instances.update_integration_instance | secops integration instances update | +| integrations.jobs.create | v1beta | chronicle.integration.jobs.create_integration_job | secops integration jobs create | +| integrations.jobs.delete | v1beta | chronicle.integration.jobs.delete_integration_job | secops integration jobs delete | +| integrations.jobs.executeTest | v1beta | chronicle.integration.jobs.execute_integration_job_test | secops integration jobs test | +| integrations.jobs.fetchTemplate | v1beta | chronicle.integration.jobs.get_integration_job_template | secops integration jobs template | +| integrations.jobs.get | v1beta | chronicle.integration.jobs.get_integration_job | secops integration jobs get | +| integrations.jobs.list | v1beta | chronicle.integration.jobs.list_integration_jobs | secops integration jobs list | +| integrations.jobs.patch | v1beta | chronicle.integration.jobs.update_integration_job | secops integration jobs update | +| integrations.managers.create | v1beta | chronicle.integration.managers.create_integration_manager | secops integration managers create | +| integrations.managers.delete | v1beta | chronicle.integration.managers.delete_integration_manager | secops integration managers delete | +| integrations.managers.fetchTemplate | v1beta | chronicle.integration.managers.get_integration_manager_template | secops integration managers template | +| integrations.managers.get | v1beta | chronicle.integration.managers.get_integration_manager | secops integration managers get | +| integrations.managers.list | v1beta | chronicle.integration.managers.list_integration_managers | secops integration managers list | +| integrations.managers.patch | v1beta | chronicle.integration.managers.update_integration_manager | secops integration managers update | +| integrations.managers.revisions.create | v1beta | chronicle.integration.manager_revisions.create_integration_manager_revision | secops integration manager-revisions create | +| integrations.managers.revisions.delete | v1beta | chronicle.integration.manager_revisions.delete_integration_manager_revision | secops integration manager-revisions delete | +| integrations.managers.revisions.get | v1beta | chronicle.integration.manager_revisions.get_integration_manager_revision | secops integration manager-revisions get | +| integrations.managers.revisions.list | v1beta | chronicle.integration.manager_revisions.list_integration_manager_revisions | secops integration manager-revisions list | +| integrations.managers.revisions.rollback | v1beta | chronicle.integration.manager_revisions.rollback_integration_manager_revision | secops integration manager-revisions rollback | +| integrations.jobs.revisions.create | v1beta | chronicle.integration.job_revisions.create_integration_job_revision | secops integration job-revisions create | +| integrations.jobs.revisions.delete | v1beta | chronicle.integration.job_revisions.delete_integration_job_revision | secops integration job-revisions delete | +| integrations.jobs.revisions.list | v1beta | chronicle.integration.job_revisions.list_integration_job_revisions | secops integration job-revisions list | +| integrations.jobs.revisions.rollback | v1beta | chronicle.integration.job_revisions.rollback_integration_job_revision | secops integration job-revisions rollback | +| integrations.jobs.jobInstances.create | v1beta | chronicle.integration.job_instances.create_integration_job_instance | secops integration job-instances create | +| integrations.jobs.jobInstances.delete | v1beta | chronicle.integration.job_instances.delete_integration_job_instance | secops integration job-instances delete | +| integrations.jobs.jobInstances.get | v1beta | chronicle.integration.job_instances.get_integration_job_instance | secops integration job-instances get | +| integrations.jobs.jobInstances.list | v1beta | chronicle.integration.job_instances.list_integration_job_instances | secops integration job-instances list | +| integrations.jobs.jobInstances.patch | v1beta | chronicle.integration.job_instances.update_integration_job_instance | secops integration job-instances update | +| integrations.jobs.jobInstances.runOnDemand | v1beta | chronicle.integration.job_instances.run_integration_job_instance_on_demand | secops integration job-instances run-on-demand | +| integrations.jobs.contextProperties.clearAll | v1beta | chronicle.integration.job_context_properties.delete_all_job_context_properties | secops integration job-context-properties delete-all | +| integrations.jobs.contextProperties.create | v1beta | chronicle.integration.job_context_properties.create_job_context_property | secops integration job-context-properties create | +| integrations.jobs.contextProperties.delete | v1beta | chronicle.integration.job_context_properties.delete_job_context_property | secops integration job-context-properties delete | +| integrations.jobs.contextProperties.get | v1beta | chronicle.integration.job_context_properties.get_job_context_property | secops integration job-context-properties get | +| integrations.jobs.contextProperties.list | v1beta | chronicle.integration.job_context_properties.list_job_context_properties | secops integration job-context-properties list | +| integrations.jobs.contextProperties.patch | v1beta | chronicle.integration.job_context_properties.update_job_context_property | secops integration job-context-properties update | +| integrations.jobs.jobInstances.logs.get | v1beta | chronicle.integration.job_instance_logs.get_job_instance_log | secops integration job-instance-logs get | +| integrations.jobs.jobInstances.logs.list | v1beta | chronicle.integration.job_instance_logs.list_job_instance_logs | secops integration job-instance-logs list | +| marketplaceIntegrations.get | v1beta | chronicle.marketplace_integrations.get_marketplace_integration | secops integration marketplace get | +| marketplaceIntegrations.getDiff | v1beta | chronicle.marketplace_integrations.get_marketplace_integration_diff | secops integration marketplace diff | +| marketplaceIntegrations.install | v1beta | chronicle.marketplace_integrations.install_marketplace_integration | secops integration marketplace install | +| marketplaceIntegrations.list | v1beta | chronicle.marketplace_integrations.list_marketplace_integrations | secops integration marketplace list | +| marketplaceIntegrations.uninstall | v1beta | chronicle.marketplace_integrations.uninstall_marketplace_integration | secops integration marketplace uninstall | +| operations.cancel | v1beta | | | +| operations.delete | v1beta | | | +| operations.get | v1beta | | | +| operations.list | v1beta | | | +| referenceLists.create | v1beta | | | +| referenceLists.get | v1beta | | | +| referenceLists.list | v1beta | | | +| referenceLists.patch | v1beta | | | +| rules.create | v1beta | | | +| rules.delete | v1beta | | | +| rules.deployments.list | v1beta | | | +| rules.get | v1beta | | | +| rules.getDeployment | v1beta | | | +| rules.list | v1beta | | | +| rules.listRevisions | v1beta | | | +| rules.patch | v1beta | | | +| rules.retrohunts.create | v1beta | | | +| rules.retrohunts.get | v1beta | | | +| rules.retrohunts.list | v1beta | | | +| rules.updateDeployment | v1beta | | | +| watchlists.create | v1beta | | | +| watchlists.delete | v1beta | | | +| watchlists.get | v1beta | | | +| watchlists.list | v1beta | | | +| watchlists.patch | v1beta | | | +| analytics.entities.analyticValues.list | v1alpha | | | +| analytics.list | v1alpha | | | +| batchValidateWatchlistEntities | v1alpha | | | +| bigQueryAccess.provide | v1alpha | | | +| bigQueryExport.provision | v1alpha | | | +| cases.countPriorities | v1alpha | | | +| contentHub.featuredContentRules.list | v1alpha | chronicle.featured_content_rules.list_featured_content_rules | secops featured-content-rules list | +| curatedRuleSetCategories.curatedRuleSets.curatedRuleSetDeployments.batchUpdate | v1alpha | chronicle.rule_set.batch_update_curated_rule_set_deployments | | +| curatedRuleSetCategories.curatedRuleSets.curatedRuleSetDeployments.patch | v1alpha | chronicle.rule_set.update_curated_rule_set_deployment | secops curated-rule rule-set-deployment update | +| curatedRuleSetCategories.curatedRuleSets.curatedRuleSetDeployments.list | v1alpha | chronicle.rule_set.list_curated_rule_set_deployments | secops curated-rule rule-set-deployment list | +| curatedRuleSetCategories.curatedRuleSets.curatedRuleSetDeployments.get | v1alpha | chronicle.rule_set.get_curated_rule_set_deployment
chronicle.rule_set.get_curated_rule_set_deployment_by_name | secops curated-rule rule-set-deployment get | +| curatedRuleSetCategories.curatedRuleSets.get | v1alpha | chronicle.rule_set.get_curated_rule_set | secops curated-rule rule-set get | +| curatedRuleSetCategories.curatedRuleSets.list | v1alpha | chronicle.rule_set.list_curated_rule_sets | secops curated-rule rule-set list | +| curatedRuleSetCategories.get | v1alpha | chronicle.rule_set.get_curated_rule_set_category | secops curated-rule rule-set-category get | +| curatedRuleSetCategories.list | v1alpha | chronicle.rule_set.list_curated_rule_set_categories | secops curated-rule rule-set-category list | +| curatedRules.get | v1alpha | chronicle.rule_set.get_curated_rule
chronicle.rule_set.get_curated_rule_by_name | secops curated-rule rule get | +| curatedRules.list | v1alpha | chronicle.rule_set.list_curated_rules | secops curated-rule rule list | +| dashboardCharts.batchGet | v1alpha | | | +| dashboardCharts.get | v1alpha | chronicle.dashboard.get_chart | secops dashboard get-chart | +| dashboardQueries.execute | v1alpha | chronicle.dashboard_query.execute_query | secops dashboard-query execute | +| dashboardQueries.get | v1alpha | chronicle.dashboard_query.get_execute_query | secops dashboard-query get | +| dashboards.copy | v1alpha | | | +| dashboards.create | v1alpha | | | +| dashboards.delete | v1alpha | | | +| dashboards.get | v1alpha | | | +| dashboards.list | v1alpha | | | +| dataAccessLabels.create | v1alpha | | | +| dataAccessLabels.delete | v1alpha | | | +| dataAccessLabels.get | v1alpha | | | +| dataAccessLabels.list | v1alpha | | | +| dataAccessLabels.patch | v1alpha | | | +| dataAccessScopes.create | v1alpha | | | +| dataAccessScopes.delete | v1alpha | | | +| dataAccessScopes.get | v1alpha | | | +| dataAccessScopes.list | v1alpha | | | +| dataAccessScopes.patch | v1alpha | | | +| dataExports.cancel | v1alpha | chronicle.data_export.cancel_data_export | secops export cancel | +| dataExports.create | v1alpha | chronicle.data_export.create_data_export | secops export create | +| dataExports.fetchavailablelogtypes | v1alpha | chronicle.data_export.fetch_available_log_types | secops export log-types | +| dataExports.get | v1alpha | chronicle.data_export.get_data_export | secops export status | +| dataExports.list | v1alpha | chronicle.data_export.list_data_export | secops export list | +| dataExports.patch | v1alpha | chronicle.data_export.update_data_export | secops export update | +| dataTableOperationErrors.get | v1alpha | | | +| dataTables.create | v1alpha | chronicle.data_table.create_data_table | secops data-table create | +| dataTables.dataTableRows.bulkCreate | v1alpha | chronicle.data_table.create_data_table_rows | secops data-table add-rows | +| dataTables.dataTableRows.bulkCreateAsync | v1alpha | | | +| dataTables.dataTableRows.bulkGet | v1alpha | | | +| dataTables.dataTableRows.bulkReplace | v1alpha | chronicle.data_table.replace_data_table_rows | secops data-table replace-rows | +| dataTables.dataTableRows.bulkReplaceAsync | v1alpha | | | +| dataTables.dataTableRows.bulkUpdate | v1alpha | chronicle.data_table.update_data_table_rows | secops data-table update-rows | +| dataTables.dataTableRows.bulkUpdateAsync | v1alpha | | | +| dataTables.dataTableRows.create | v1alpha | | | +| dataTables.dataTableRows.delete | v1alpha | chronicle.data_table.delete_data_table_rows | secops data-table delete-rows | +| dataTables.dataTableRows.get | v1alpha | | | +| dataTables.dataTableRows.list | v1alpha | chronicle.data_table.list_data_table_rows | secops data-table list-rows | +| dataTables.dataTableRows.patch | v1alpha | | | +| dataTables.delete | v1alpha | chronicle.data_table.delete_data_table | secops data-table delete | +| dataTables.get | v1alpha | chronicle.data_table.get_data_table | secops data-table get | +| dataTables.list | v1alpha | chronicle.data_table.list_data_tables | secops data-table list | +| dataTables.patch | v1alpha | | | +| dataTables.upload | v1alpha | | | +| dataTaps.create | v1alpha | | | +| dataTaps.delete | v1alpha | | | +| dataTaps.get | v1alpha | | | +| dataTaps.list | v1alpha | | | +| dataTaps.patch | v1alpha | | | +| delete | v1alpha | | | +| enrichmentControls.create | v1alpha | | | +| enrichmentControls.delete | v1alpha | | | +| enrichmentControls.get | v1alpha | | | +| enrichmentControls.list | v1alpha | | | +| entities.get | v1alpha | | | +| entities.import | v1alpha | chronicle.log_ingest.import_entities | secops entity import | +| entities.modifyEntityRiskScore | v1alpha | | | +| entities.queryEntityRiskScoreModifications | v1alpha | | | +| entityRiskScores.query | v1alpha | | | +| errorNotificationConfigs.create | v1alpha | | | +| errorNotificationConfigs.delete | v1alpha | | | +| errorNotificationConfigs.get | v1alpha | | | +| errorNotificationConfigs.list | v1alpha | | | +| errorNotificationConfigs.patch | v1alpha | | | +| events.batchGet | v1alpha | | | +| events.get | v1alpha | | | +| events.import | v1alpha | chronicle.log_ingest.ingest_udm | secops log ingest-udm | +| extractSyslog | v1alpha | | | +| federationGroups.create | v1alpha | | | +| federationGroups.delete | v1alpha | | | +| federationGroups.get | v1alpha | | | +| federationGroups.list | v1alpha | | | +| federationGroups.patch | v1alpha | | | +| feedPacks.get | v1alpha | | | +| feedPacks.list | v1alpha | | | +| feedServiceAccounts.fetchServiceAccountForCustomer | v1alpha | | | +| feedSourceTypeSchemas.list | v1alpha | | | +| feedSourceTypeSchemas.logTypeSchemas.list | v1alpha | | | +| feeds.create | v1alpha | chronicle.feeds.create_feed | secops feed create | +| feeds.delete | v1alpha | chronicle.feeds.delete_feed | secops feed delete | +| feeds.disable | v1alpha | chronicle.feeds.disable_feed | secops feed disable | +| feeds.enable | v1alpha | chronicle.feeds.enable_feed | secops feed enable | +| feeds.generateSecret | v1alpha | chronicle.feeds.generate_secret | secops feed secret | +| feeds.get | v1alpha | chronicle.feeds.get_feed | secops feed get | +| feeds.importPushLogs | v1alpha | | | +| feeds.list | v1alpha | chronicle.feeds.list_feeds | secops feed list | +| feeds.patch | v1alpha | chronicle.feeds.update_feed | secops feed update | +| feeds.scheduleTransfer | v1alpha | | | +| fetchFederationAccess | v1alpha | | | +| findEntity | v1alpha | | | +| findEntityAlerts | v1alpha | | | +| findRelatedEntities | v1alpha | | | +| findUdmFieldValues | v1alpha | | | +| findingsGraph.exploreNode | v1alpha | | | +| findingsGraph.initializeGraph | v1alpha | | | +| findingsRefinements.computeFindingsRefinementActivity | v1alpha | chronicle.rule_exclusion.compute_rule_exclusion_activity | secops rule-exclusion compute-activity | +| findingsRefinements.create | v1alpha | chronicle.rule_exclusion.create_rule_exclusion | secops rule-exclusion create | +| findingsRefinements.get | v1alpha | chronicle.rule_exclusion.get_rule_exclusion | secops rule-exclusion get | +| findingsRefinements.getDeployment | v1alpha | chronicle.rule_exclusion.get_rule_exclusion_deployment | secops rule-exclusion get-deployment | +| findingsRefinements.list | v1alpha | chronicle.rule_exclusion.list_rule_exclusions | secops rule-exclusion list | +| findingsRefinements.patch | v1alpha | chronicle.rule_exclusion.patch_rule_exclusion | secops rule-exclusion update | +| findingsRefinements.updateDeployment | v1alpha | chronicle.rule_exclusion.update_rule_exclusion_deployment | secops rule-exclusion update-deployment | +| forwarders.collectors.create | v1alpha | | | +| forwarders.collectors.delete | v1alpha | | | +| forwarders.collectors.get | v1alpha | | | +| forwarders.collectors.list | v1alpha | | | +| forwarders.collectors.patch | v1alpha | | | +| forwarders.create | v1alpha | chronicle.log_ingest.create_forwarder | secops forwarder create | +| forwarders.delete | v1alpha | chronicle.log_ingest.delete_forwarder | secops forwarder delete | +| forwarders.generateForwarderFiles | v1alpha | | | +| forwarders.get | v1alpha | chronicle.log_ingest.get_forwarder | secops forwarder get | +| forwarders.importStatsEvents | v1alpha | | | +| forwarders.list | v1alpha | chronicle.log_ingest.list_forwarder | secops forwarder list | +| forwarders.patch | v1alpha | chronicle.log_ingest.update_forwarder | secops forwarder update | +| generateCollectionAgentAuth | v1alpha | | | +| generateSoarAuthJwt | v1alpha | | | +| generateUdmKeyValueMappings | v1alpha | | | +| generateWorkspaceConnectionToken | v1alpha | | | +| get | v1alpha | | | +| getBigQueryExport | v1alpha | | | +| getMultitenantDirectory | v1alpha | | | +| getRiskConfig | v1alpha | | | +| ingestionLogLabels.get | v1alpha | | | +| ingestionLogLabels.list | v1alpha | | | +| ingestionLogNamespaces.get | v1alpha | | | +| ingestionLogNamespaces.list | v1alpha | | | +| integrations.create | v1alpha | | | +| integrations.delete | v1alpha | chronicle.integration.integrations.delete_integration(api_version=APIVersion.V1ALPHA) | secops integration integrations delete | +| integrations.download | v1alpha | chronicle.integration.integrations.download_integration(api_version=APIVersion.V1ALPHA) | secops integration integrations download | +| integrations.downloadDependency | v1alpha | chronicle.integration.integrations.download_integration_dependency(api_version=APIVersion.V1ALPHA) | secops integration integrations download-dependency | +| integrations.exportIntegrationItems | v1alpha | chronicle.integration.integrations.export_integration_items(api_version=APIVersion.V1ALPHA) | secops integration integrations export-items | +| integrations.fetchAffectedItems | v1alpha | chronicle.integration.integrations.get_integration_affected_items(api_version=APIVersion.V1ALPHA) | secops integration integrations get-affected-items | +| integrations.fetchAgentIntegrations | v1alpha | chronicle.integration.integrations.get_agent_integrations(api_version=APIVersion.V1ALPHA) | secops integration integrations get-agent | +| integrations.fetchCommercialDiff | v1alpha | chronicle.integration.integrations.get_integration_diff(api_version=APIVersion.V1ALPHA) | secops integration integrations get-diff | +| integrations.fetchDependencies | v1alpha | chronicle.integration.integrations.get_integration_dependencies(api_version=APIVersion.V1ALPHA) | secops integration integrations get-dependencies | +| integrations.fetchRestrictedAgents | v1alpha | chronicle.integration.integrations.get_integration_restricted_agents(api_version=APIVersion.V1ALPHA) | secops integration integrations get-restricted-agents | +| integrations.get | v1alpha | chronicle.integration.integrations.get_integration(api_version=APIVersion.V1ALPHA) | secops integration integrations get | +| integrations.getFetchProductionDiff | v1alpha | chronicle.integration.integrations.get_integration_diff(api_version=APIVersion.V1ALPHA, diff_type=DiffType.PRODUCTION) | secops integration integrations get-diff | +| integrations.getFetchStagingDiff | v1alpha | chronicle.integration.integrations.get_integration_diffapi_version=APIVersion.V1ALPHA, (diff_type=DiffType.STAGING) | secops integration integrations get-diff | +| integrations.import | v1alpha | | | +| integrations.importIntegrationDependency | v1alpha | | | +| integrations.importIntegrationItems | v1alpha | | | +| integrations.list | v1alpha | chronicle.integration.integrations.list_integrations(api_version=APIVersion.V1ALPHA) | secops integration integrations list | +| integrations.patch | v1alpha | | | +| integrations.pushToProduction | v1alpha | chronicle.integration.integrations.transition_integration(api_version=APIVersion.V1ALPHA, target_mode=TargetMode.PRODUCTION) | secops integration integrations transition | +| integrations.pushToStaging | v1alpha | chronicle.integration.integrations.transition_integration(api_version=APIVersion.V1ALPHA, target_mode=TargetMode.STAGING) | secops integration integrations transition | +| integrations.updateCustomIntegration | v1alpha | | | +| integrations.upload | v1alpha | | | +| integrations.actions.create | v1alpha | chronicle.integration.actions.create_integration_action(api_version=APIVersion.V1ALPHA) | secops integration actions create | +| integrations.actions.delete | v1alpha | chronicle.integration.actions.delete_integration_action(api_version=APIVersion.V1ALPHA) | secops integration actions delete | +| integrations.actions.executeTest | v1alpha | chronicle.integration.actions.execute_integration_action_test(api_version=APIVersion.V1ALPHA) | secops integration actions test | +| integrations.actions.fetchActionsByEnvironment | v1alpha | chronicle.integration.actions.get_integration_actions_by_environment(api_version=APIVersion.V1ALPHA) | | +| integrations.actions.fetchTemplate | v1alpha | chronicle.integration.actions.get_integration_action_template(api_version=APIVersion.V1ALPHA) | secops integration actions template | +| integrations.actions.get | v1alpha | chronicle.integration.actions.get_integration_action(api_version=APIVersion.V1ALPHA) | secops integration actions get | +| integrations.actions.list | v1alpha | chronicle.integration.actions.list_integration_actions(api_version=APIVersion.V1ALPHA) | secops integration actions list | +| integrations.actions.patch | v1alpha | chronicle.integration.actions.update_integration_action(api_version=APIVersion.V1ALPHA) | secops integration actions update | +| integrations.actions.revisions.create | v1alpha | chronicle.integration.action_revisions.create_integration_action_revision(api_version=APIVersion.V1ALPHA) | secops integration action-revisions create | +| integrations.actions.revisions.delete | v1alpha | chronicle.integration.action_revisions.delete_integration_action_revision(api_version=APIVersion.V1ALPHA) | secops integration action-revisions delete | +| integrations.actions.revisions.list | v1alpha | chronicle.integration.action_revisions.list_integration_action_revisions(api_version=APIVersion.V1ALPHA) | secops integration action-revisions list | +| integrations.actions.revisions.rollback | v1alpha | chronicle.integration.action_revisions.rollback_integration_action_revision(api_version=APIVersion.V1ALPHA) | secops integration action-revisions rollback | +| integrations.connectors.create | v1alpha | chronicle.integration.connectors.create_integration_connector(api_version=APIVersion.V1ALPHA) | secops integration connectors create | +| integrations.connectors.delete | v1alpha | chronicle.integration.connectors.delete_integration_connector(api_version=APIVersion.V1ALPHA) | secops integration connectors delete | +| integrations.connectors.executeTest | v1alpha | chronicle.integration.connectors.execute_integration_connector_test(api_version=APIVersion.V1ALPHA) | secops integration connectors test | +| integrations.connectors.fetchTemplate | v1alpha | chronicle.integration.connectors.get_integration_connector_template(api_version=APIVersion.V1ALPHA) | secops integration connectors template | +| integrations.connectors.get | v1alpha | chronicle.integration.connectors.get_integration_connector(api_version=APIVersion.V1ALPHA) | secops integration connectors get | +| integrations.connectors.list | v1alpha | chronicle.integration.connectors.list_integration_connectors(api_version=APIVersion.V1ALPHA) | secops integration connectors list | +| integrations.connectors.patch | v1alpha | chronicle.integration.connectors.update_integration_connector(api_version=APIVersion.V1ALPHA) | secops integration connectors update | +| integrations.connectors.revisions.create | v1alpha | chronicle.integration.connector_revisions.create_integration_connector_revision(api_version=APIVersion.V1ALPHA) | secops integration connector-revisions create | +| integrations.connectors.revisions.delete | v1alpha | chronicle.integration.connector_revisions.delete_integration_connector_revision(api_version=APIVersion.V1ALPHA) | secops integration connector-revisions delete | +| integrations.connectors.revisions.list | v1alpha | chronicle.integration.connector_revisions.list_integration_connector_revisions(api_version=APIVersion.V1ALPHA) | secops integration connector-revisions list | +| integrations.connectors.revisions.rollback | v1alpha | chronicle.integration.connector_revisions.rollback_integration_connector_revision(api_version=APIVersion.V1ALPHA) | secops integration connector-revisions rollback| +| integrations.connectors.contextProperties.clearAll | v1alpha | chronicle.integration.connector_context_properties.delete_all_connector_context_properties(api_version=APIVersion.V1ALPHA) | secops integration connector-context-properties delete-all | +| integrations.connectors.contextProperties.create | v1alpha | chronicle.integration.connector_context_properties.create_connector_context_property(api_version=APIVersion.V1ALPHA) | secops integration connector-context-properties create | +| integrations.connectors.contextProperties.delete | v1alpha | chronicle.integration.connector_context_properties.delete_connector_context_property(api_version=APIVersion.V1ALPHA) | secops integration connector-context-properties delete | +| integrations.connectors.contextProperties.get | v1alpha | chronicle.integration.connector_context_properties.get_connector_context_property(api_version=APIVersion.V1ALPHA) | secops integration connector-context-properties get | +| integrations.connectors.contextProperties.list | v1alpha | chronicle.integration.connector_context_properties.list_connector_context_properties(api_version=APIVersion.V1ALPHA) | secops integration connector-context-properties list | +| integrations.connectors.contextProperties.patch | v1alpha | chronicle.integration.connector_context_properties.update_connector_context_property(api_version=APIVersion.V1ALPHA) | secops integration connector-context-properties update | +| integrations.connectors.connectorInstances.logs.get | v1alpha | chronicle.integration.connector_instance_logs.get_connector_instance_log(api_version=APIVersion.V1ALPHA) | secops integration connector-instance-logs get | +| integrations.connectors.connectorInstances.logs.list | v1alpha | chronicle.integration.connector_instance_logs.list_connector_instance_logs(api_version=APIVersion.V1ALPHA) | secops integration connector-instance-logs list| +| integrations.connectors.connectorInstances.create | v1alpha | chronicle.integration.connector_instances.create_connector_instance(api_version=APIVersion.V1ALPHA) | secops integration connector-instances create | +| integrations.connectors.connectorInstances.delete | v1alpha | chronicle.integration.connector_instances.delete_connector_instance(api_version=APIVersion.V1ALPHA) | secops integration connector-instances delete | +| integrations.connectors.connectorInstances.fetchLatestDefinition | v1alpha | chronicle.integration.connector_instances.get_connector_instance_latest_definition(api_version=APIVersion.V1ALPHA) | secops integration connector-instances get-latest-definition | +| integrations.connectors.connectorInstances.get | v1alpha | chronicle.integration.connector_instances.get_connector_instance(api_version=APIVersion.V1ALPHA) | secops integration connector-instances get | +| integrations.connectors.connectorInstances.list | v1alpha | chronicle.integration.connector_instances.list_connector_instances(api_version=APIVersion.V1ALPHA) | secops integration connector-instances list | +| integrations.connectors.connectorInstances.patch | v1alpha | chronicle.integration.connector_instances.update_connector_instance(api_version=APIVersion.V1ALPHA) | secops integration connector-instances update | +| integrations.connectors.connectorInstances.runOnDemand | v1alpha | chronicle.integration.connector_instances.run_connector_instance_on_demand(api_version=APIVersion.V1ALPHA) | secops integration connector-instances run-on-demand | +| integrations.connectors.connectorInstances.setLogsCollection | v1alpha | chronicle.integration.connector_instances.set_connector_instance_logs_collection(api_version=APIVersion.V1ALPHA) | secops integration connector-instances set-logs-collection | +| integrations.integrationInstances.create | v1alpha | chronicle.integration.integration_instances.create_integration_instance(api_version=APIVersion.V1ALPHA) | secops integration instances create | +| integrations.integrationInstances.delete | v1alpha | chronicle.integration.integration_instances.delete_integration_instance(api_version=APIVersion.V1ALPHA) | secops integration instances delete | +| integrations.integrationInstances.executeTest | v1alpha | chronicle.integration.integration_instances.execute_integration_instance_test(api_version=APIVersion.V1ALPHA) | secops integration instances test | +| integrations.integrationInstances.fetchAffectedItems | v1alpha | chronicle.integration.integration_instances.get_integration_instance_affected_items(api_version=APIVersion.V1ALPHA) | secops integration instances get-affected-items| +| integrations.integrationInstances.fetchDefaultInstance | v1alpha | chronicle.integration.integration_instances.get_default_integration_instance(api_version=APIVersion.V1ALPHA) | secops integration instances get-default | +| integrations.integrationInstances.get | v1alpha | chronicle.integration.integration_instances.get_integration_instance(api_version=APIVersion.V1ALPHA) | secops integration instances get | +| integrations.integrationInstances.list | v1alpha | chronicle.integration.integration_instances.list_integration_instances(api_version=APIVersion.V1ALPHA) | secops integration instances list | +| integrations.integrationInstances.patch | v1alpha | chronicle.integration.integration_instances.update_integration_instance(api_version=APIVersion.V1ALPHA) | secops integration instances update | +| integrations.transformers.create | v1alpha | chronicle.integration.transformers.create_integration_transformer | secops integration transformers create | +| integrations.transformers.delete | v1alpha | chronicle.integration.transformers.delete_integration_transformer | secops integration transformers delete | +| integrations.transformers.executeTest | v1alpha | chronicle.integration.transformers.execute_integration_transformer_test | secops integration transformers test | +| integrations.transformers.fetchTemplate | v1alpha | chronicle.integration.transformers.get_integration_transformer_template | secops integration transformers template | +| integrations.transformers.get | v1alpha | chronicle.integration.transformers.get_integration_transformer | secops integration transformers get | +| integrations.transformers.list | v1alpha | chronicle.integration.transformers.list_integration_transformers | secops integration transformers list | +| integrations.transformers.patch | v1alpha | chronicle.integration.transformers.update_integration_transformer | secops integration transformers update | +| integrations.transformers.revisions.create | v1alpha | chronicle.integration.transformer_revisions.create_integration_transformer_revision | secops integration transformer-revisions create| +| integrations.transformers.revisions.delete | v1alpha | chronicle.integration.transformer_revisions.delete_integration_transformer_revision | secops integration transformer-revisions delete| +| integrations.transformers.revisions.list | v1alpha | chronicle.integration.transformer_revisions.list_integration_transformer_revisions | secops integration transformer-revisions list | +| integrations.transformers.revisions.rollback | v1alpha | chronicle.integration.transformer_revisions.rollback_integration_transformer_revision | secops integration transformer-revisions rollback| +| integrations.logicalOperators.create | v1alpha | chronicle.integration.logical_operators.create_integration_logical_operator | secops integration logical-operators create | +| integrations.logicalOperators.delete | v1alpha | chronicle.integration.logical_operators.delete_integration_logical_operator | secops integration logical-operators delete | +| integrations.logicalOperators.executeTest | v1alpha | chronicle.integration.logical_operators.execute_integration_logical_operator_test | secops integration logical-operators test | +| integrations.logicalOperators.fetchTemplate | v1alpha | chronicle.integration.logical_operators.get_integration_logical_operator_template | secops integration logical-operators template | +| integrations.logicalOperators.get | v1alpha | chronicle.integration.logical_operators.get_integration_logical_operator | secops integration logical-operators get | +| integrations.logicalOperators.list | v1alpha | chronicle.integration.logical_operators.list_integration_logical_operators | secops integration logical-operators list | +| integrations.logicalOperators.patch | v1alpha | chronicle.integration.logical_operators.update_integration_logical_operator | secops integration logical-operators update | +| integrations.logicalOperators.revisions.create | v1alpha | chronicle.integration.logical_operator_revisions.create_integration_logical_operator_revision | secops integration logical-operator-revisions create | +| integrations.logicalOperators.revisions.delete | v1alpha | chronicle.integration.logical_operator_revisions.delete_integration_logical_operator_revision | secops integration logical-operator-revisions delete | +| integrations.logicalOperators.revisions.list | v1alpha | chronicle.integration.logical_operator_revisions.list_integration_logical_operator_revisions | secops integration logical-operator-revisions list | +| integrations.logicalOperators.revisions.rollback | v1alpha | chronicle.integration.logical_operator_revisions.rollback_integration_logical_operator_revision | secops integration logical-operator-revisions rollback | +| integrations.jobs.create | v1alpha | chronicle.integration.jobs.create_integration_job(api_version=APIVersion.V1ALPHA) | secops integration jobs create | +| integrations.jobs.delete | v1alpha | chronicle.integration.jobs.delete_integration_job(api_version=APIVersion.V1ALPHA) | secops integration jobs delete | +| integrations.jobs.executeTest | v1alpha | chronicle.integration.jobs.execute_integration_job_test(api_version=APIVersion.V1ALPHA) | secops integration jobs test | +| integrations.jobs.fetchTemplate | v1alpha | chronicle.integration.jobs.get_integration_job_template(api_version=APIVersion.V1ALPHA) | secops integration jobs template | +| integrations.jobs.get | v1alpha | chronicle.integration.jobs.get_integration_job(api_version=APIVersion.V1ALPHA) | secops integration jobs get | +| integrations.jobs.list | v1alpha | chronicle.integration.jobs.list_integration_jobs(api_version=APIVersion.V1ALPHA) | secops integration jobs list | +| integrations.jobs.patch | v1alpha | chronicle.integration.jobs.update_integration_job(api_version=APIVersion.V1ALPHA) | secops integration jobs update | +| integrations.managers.create | v1alpha | chronicle.integration.managers.create_integration_manager(api_version=APIVersion.V1ALPHA) | secops integration managers create | +| integrations.managers.delete | v1alpha | chronicle.integration.managers.delete_integration_manager(api_version=APIVersion.V1ALPHA) | secops integration managers delete | +| integrations.managers.fetchTemplate | v1alpha | chronicle.integration.managers.get_integration_manager_template(api_version=APIVersion.V1ALPHA) | secops integration managers template | +| integrations.managers.get | v1alpha | chronicle.integration.managers.get_integration_manager(api_version=APIVersion.V1ALPHA) | secops integration managers get | +| integrations.managers.list | v1alpha | chronicle.integration.managers.list_integration_managers(api_version=APIVersion.V1ALPHA) | secops integration managers list | +| integrations.managers.patch | v1alpha | chronicle.integration.managers.update_integration_manager(api_version=APIVersion.V1ALPHA) | secops integration managers update | +| integrations.managers.revisions.create | v1alpha | chronicle.integration.manager_revisions.create_integration_manager_revision(api_version=APIVersion.V1ALPHA) | secops integration manager-revisions create | +| integrations.managers.revisions.delete | v1alpha | chronicle.integration.manager_revisions.delete_integration_manager_revision(api_version=APIVersion.V1ALPHA) | secops integration manager-revisions delete | +| integrations.managers.revisions.get | v1alpha | chronicle.integration.manager_revisions.get_integration_manager_revision(api_version=APIVersion.V1ALPHA) | secops integration manager-revisions get | +| integrations.managers.revisions.list | v1alpha | chronicle.integration.manager_revisions.list_integration_manager_revisions(api_version=APIVersion.V1ALPHA) | secops integration manager-revisions list | +| integrations.managers.revisions.rollback | v1alpha | chronicle.integration.manager_revisions.rollback_integration_manager_revision(api_version=APIVersion.V1ALPHA) | secops integration manager-revisions rollback | +| integrations.jobs.revisions.create | v1alpha | chronicle.integration.job_revisions.create_integration_job_revision(api_version=APIVersion.V1ALPHA) | secops integration job-revisions create | +| integrations.jobs.revisions.delete | v1alpha | chronicle.integration.job_revisions.delete_integration_job_revision(api_version=APIVersion.V1ALPHA) | secops integration job-revisions delete | +| integrations.jobs.revisions.list | v1alpha | chronicle.integration.job_revisions.list_integration_job_revisions(api_version=APIVersion.V1ALPHA) | secops integration job-revisions list | +| integrations.jobs.revisions.rollback | v1alpha | chronicle.integration.job_revisions.rollback_integration_job_revision(api_version=APIVersion.V1ALPHA) | secops integration job-revisions rollback | +| integrations.jobs.jobInstances.create | v1alpha | chronicle.integration.job_instances.create_integration_job_instance(api_version=APIVersion.V1ALPHA) | secops integration job-instances create | +| integrations.jobs.jobInstances.delete | v1alpha | chronicle.integration.job_instances.delete_integration_job_instance(api_version=APIVersion.V1ALPHA) | secops integration job-instances delete | +| integrations.jobs.jobInstances.get | v1alpha | chronicle.integration.job_instances.get_integration_job_instance(api_version=APIVersion.V1ALPHA) | secops integration job-instances get | +| integrations.jobs.jobInstances.list | v1alpha | chronicle.integration.job_instances.list_integration_job_instances(api_version=APIVersion.V1ALPHA) | secops integration job-instances list | +| integrations.jobs.jobInstances.patch | v1alpha | chronicle.integration.job_instances.update_integration_job_instance(api_version=APIVersion.V1ALPHA) | secops integration job-instances update | +| integrations.jobs.jobInstances.runOnDemand | v1alpha | chronicle.integration.job_instances.run_integration_job_instance_on_demand(api_version=APIVersion.V1ALPHA) | secops integration job-instances run-on-demand | +| integrations.jobs.contextProperties.clearAll | v1alpha | chronicle.integration.job_context_properties.delete_all_job_context_properties(api_version=APIVersion.V1ALPHA) | secops integration job-context-properties delete-all | +| integrations.jobs.contextProperties.create | v1alpha | chronicle.integration.job_context_properties.create_job_context_property(api_version=APIVersion.V1ALPHA) | secops integration job-context-properties create | +| integrations.jobs.contextProperties.delete | v1alpha | chronicle.integration.job_context_properties.delete_job_context_property(api_version=APIVersion.V1ALPHA) | secops integration job-context-properties delete | +| integrations.jobs.contextProperties.get | v1alpha | chronicle.integration.job_context_properties.get_job_context_property(api_version=APIVersion.V1ALPHA) | secops integration job-context-properties get | +| integrations.jobs.contextProperties.list | v1alpha | chronicle.integration.job_context_properties.list_job_context_properties(api_version=APIVersion.V1ALPHA) | secops integration job-context-properties list | +| integrations.jobs.contextProperties.patch | v1alpha | chronicle.integration.job_context_properties.update_job_context_property(api_version=APIVersion.V1ALPHA) | secops integration job-context-properties update | +| integrations.jobs.jobInstances.logs.get | v1alpha | chronicle.integration.job_instance_logs.get_job_instance_log(api_version=APIVersion.V1ALPHA) | secops integration job-instance-logs get | +| integrations.jobs.jobInstances.logs.list | v1alpha | chronicle.integration.job_instance_logs.list_job_instance_logs(api_version=APIVersion.V1ALPHA) | secops integration job-instance-logs list | +| investigations.fetchAssociated | v1alpha | chronicle.investigations.fetch_associated_investigations | secops investigation fetch-associated | +| investigations.get | v1alpha | chronicle.investigations.get_investigation | secops investigation get | +| investigations.list | v1alpha | chronicle.investigations.list_investigations | secops investigation list | +| investigations.trigger | v1alpha | chronicle.investigations.trigger_investigation | secops investigation trigger | +| iocs.batchGet | v1alpha | | | +| iocs.findFirstAndLastSeen | v1alpha | | | +| iocs.get | v1alpha | | | +| iocs.getIocState | v1alpha | | | +| iocs.searchCuratedDetectionsForIoc | v1alpha | | | +| iocs.updateIocState | v1alpha | | | +| legacy.legacyBatchGetCases | v1alpha | chronicle.case.get_cases_from_list | secops case | +| legacy.legacyBatchGetCollections | v1alpha | | | +| legacy.legacyCreateOrUpdateCase | v1alpha | | | +| legacy.legacyCreateSoarAlert | v1alpha | | | +| legacy.legacyFetchAlertsView | v1alpha | chronicle.alert.get_alerts | secops alert | +| legacy.legacyFetchUdmSearchCsv | v1alpha | chronicle.udm_search.fetch_udm_search_csv | secops search --csv | +| legacy.legacyFetchUdmSearchView | v1alpha | chronicle.udm_search.fetch_udm_search_view | secops udm-search-view | +| legacy.legacyFindAssetEvents | v1alpha | | | +| legacy.legacyFindRawLogs | v1alpha | | | +| legacy.legacyFindUdmEvents | v1alpha | | | +| legacy.legacyGetAlert | v1alpha | chronicle.rule_alert.get_alert | | +| legacy.legacyGetCuratedRulesTrends | v1alpha | | | +| legacy.legacyGetDetection | v1alpha | | | +| legacy.legacyGetEventForDetection | v1alpha | | | +| legacy.legacyGetRuleCounts | v1alpha | | | +| legacy.legacyGetRulesTrends | v1alpha | | | +| legacy.legacyListCases | v1alpha | chronicle.case.get_cases | secops case --ids | +| legacy.legacyRunTestRule | v1alpha | chronicle.rule.run_rule_test | secops rule validate | +| legacy.legacySearchArtifactEvents | v1alpha | | | +| legacy.legacySearchArtifactIoCDetails | v1alpha | | | +| legacy.legacySearchAssetEvents | v1alpha | | | +| legacy.legacySearchCuratedDetections | v1alpha | | | +| legacy.legacySearchCustomerStats | v1alpha | | | +| legacy.legacySearchDetections | v1alpha | chronicle.rule_detection.list_detections | | +| legacy.legacySearchDomainsRecentlyRegistered | v1alpha | | | +| legacy.legacySearchDomainsTimingStats | v1alpha | | | +| legacy.legacySearchEnterpriseWideAlerts | v1alpha | | | +| legacy.legacySearchEnterpriseWideIoCs | v1alpha | chronicle.ioc.list_iocs | secops iocs | +| legacy.legacySearchFindings | v1alpha | | | +| legacy.legacySearchIngestionStats | v1alpha | | | +| legacy.legacySearchIoCInsights | v1alpha | | | +| legacy.legacySearchRawLogs | v1alpha | | | +| legacy.legacySearchRuleDetectionCountBuckets | v1alpha | | | +| legacy.legacySearchRuleDetectionEvents | v1alpha | | | +| legacy.legacySearchRuleResults | v1alpha | | | +| legacy.legacySearchRulesAlerts | v1alpha | chronicle.rule_alert.search_rule_alerts | | +| legacy.legacySearchUserEvents | v1alpha | | | +| legacy.legacyStreamDetectionAlerts | v1alpha | | | +| legacy.legacyTestRuleStreaming | v1alpha | | | +| legacy.legacyUpdateAlert | v1alpha | chronicle.rule_alert.update_alert | | +| listAllFindingsRefinementDeployments | v1alpha | | | +| logProcessingPipelines.associateStreams | v1alpha | chronicle.log_processing_pipelines.associate_streams | secops log-processing associate-streams | +| logProcessingPipelines.create | v1alpha | chronicle.log_processing_pipelines.create_log_processing_pipeline | secops log-processing create | +| logProcessingPipelines.delete | v1alpha | chronicle.log_processing_pipelines.delete_log_processing_pipeline | secops log-processing delete | +| logProcessingPipelines.dissociateStreams | v1alpha | chronicle.log_processing_pipelines.dissociate_streams | secops log-processing dissociate-streams | +| logProcessingPipelines.fetchAssociatedPipeline | v1alpha | chronicle.log_processing_pipelines.fetch_associated_pipeline | secops log-processing fetch-associated | +| logProcessingPipelines.fetchSampleLogsByStreams | v1alpha | chronicle.log_processing_pipelines.fetch_sample_logs_by_streams | secops log-processing fetch-sample-logs | +| logProcessingPipelines.get | v1alpha | chronicle.log_processing_pipelines.get_log_processing_pipeline | secops log-processing get | +| logProcessingPipelines.list | v1alpha | chronicle.log_processing_pipelines.list_log_processing_pipelines | secops log-processing list | +| logProcessingPipelines.patch | v1alpha | chronicle.log_processing_pipelines.update_log_processing_pipeline | secops log-processing update | +| logProcessingPipelines.testPipeline | v1alpha | chronicle.log_processing_pipelines.test_pipeline | secops log-processing test | +| logTypes.create | v1alpha | | | +| logTypes.generateEventTypesSuggestions | v1alpha | | | +| logTypes.get | v1alpha | | | +| logTypes.getLogTypeSetting | v1alpha | | | +| logTypes.legacySubmitParserExtension | v1alpha | | | +| logTypes.list | v1alpha | | | +| logTypes.logs.export | v1alpha | | | +| logTypes.logs.get | v1alpha | | | +| logTypes.logs.import | v1alpha | chronicle.log_ingest.ingest_log | secops log ingest | +| logTypes.logs.list | v1alpha | | | +| logTypes.parserExtensions.activate | v1alpha | chronicle.parser_extension.activate_parser_extension | secops parser-extension activate | +| logTypes.parserExtensions.create | v1alpha | chronicle.parser_extension.create_parser_extension | secops parser-extension create | +| logTypes.parserExtensions.delete | v1alpha | chronicle.parser_extension.delete_parser_extension | secops parser-extension delete | +| logTypes.parserExtensions.extensionValidationReports.get | v1alpha | | | +| logTypes.parserExtensions.extensionValidationReports.list | v1alpha | | | +| logTypes.parserExtensions.extensionValidationReports.validationErrors.list | v1alpha | | | +| logTypes.parserExtensions.get | v1alpha | chronicle.parser_extension.get_parser_extension | secops parser-extension get | +| logTypes.parserExtensions.list | v1alpha | chronicle.parser_extension.list_parser_extensions | secops parser-extension list | +| logTypes.parserExtensions.validationReports.get | v1alpha | | | +| logTypes.parserExtensions.validationReports.parsingErrors.list | v1alpha | | | +| logTypes.parsers.activate | v1alpha | chronicle.parser.activate_parser | secops parser activate | +| logTypes.parsers.activateReleaseCandidateParser | v1alpha | chronicle.parser.activate_release_candidate | secops parser activate-rc | +| logTypes.parsers.copy | v1alpha | chronicle.parser.copy_parser | secops parser copy | +| logTypes.parsers.create | v1alpha | chronicle.parser.create_parser | secops parser create | +| logTypes.parsers.deactivate | v1alpha | chronicle.parser.deactivate_parser | secops parser deactivate | +| logTypes.parsers.delete | v1alpha | chronicle.parser.delete_parser | secops parser delete | +| logTypes.parsers.get | v1alpha | chronicle.parser.get_parser | secops parser get | +| logTypes.parsers.list | v1alpha | chronicle.parser.list_parsers | secops parser list | +| logTypes.parsers.validationReports.get | v1alpha | | | +| logTypes.parsers.validationReports.parsingErrors.list | v1alpha | | | +| logTypes.patch | v1alpha | | | +| logTypes.runParser | v1alpha | chronicle.parser.run_parser | secops parser run | +| logTypes.updateLogTypeSetting | v1alpha | | | +| logs.classify | v1alpha | chronicle.log_types.classify_logs | secops log classify | +| marketplaceIntegrations.get | v1alpha | chronicle.marketplace_integrations.get_marketplace_integration(api_version=APIVersion.V1ALPHA) | secops integration marketplace get | +| marketplaceIntegrations.getDiff | v1alpha | chronicle.marketplace_integrations.get_marketplace_integration_diff(api_version=APIVersion.V1ALPHA) | secops integration marketplace diff | +| marketplaceIntegrations.install | v1alpha | chronicle.marketplace_integrations.install_marketplace_integration(api_version=APIVersion.V1ALPHA) | secops integration marketplace install | +| marketplaceIntegrations.list | v1alpha | chronicle.marketplace_integrations.list_marketplace_integrations(api_version=APIVersion.V1ALPHA) | secops integration marketplace list | +| marketplaceIntegrations.uninstall | v1alpha | chronicle.marketplace_integrations.uninstall_marketplace_integration(api_version=APIVersion.V1ALPHA) | secops integration marketplace uninstall | +| nativeDashboards.addChart | v1alpha | chronicle.dashboard.add_chart | secops dashboard add-chart | +| nativeDashboards.create | v1alpha | chronicle.dashboard.create_dashboard | secops dashboard create | +| nativeDashboards.delete | v1alpha | chronicle.dashboard.delete_dashboard | secops dashboard delete | +| nativeDashboards.duplicate | v1alpha | chronicle.dashboard.duplicate_dashboard | secops dashboard duplicate | +| nativeDashboards.duplicateChart | v1alpha | | | +| nativeDashboards.editChart | v1alpha | chronicle.dashboard.edit_chart | secops dashboard edit-chart | +| nativeDashboards.export | v1alpha | chronicle.dashboard.export_dashboard | secops dashboard export | +| nativeDashboards.get | v1alpha | chronicle.dashboard.get_dashboard | secops dashboard get | +| nativeDashboards.import | v1alpha | chronicle.dashboard.import_dashboard | secops dashboard import | +| nativeDashboards.list | v1alpha | chronicle.dashboard.list_dashboards | secops dashboard list | +| nativeDashboards.patch | v1alpha | chronicle.dashboard.update_dashboard | secops dashboard update | +| nativeDashboards.removeChart | v1alpha | chronicle.dashboard.remove_chart | secops dashboard remove-chart | +| operations.cancel | v1alpha | | | +| operations.delete | v1alpha | | | +| operations.get | v1alpha | | | +| operations.list | v1alpha | | | +| operations.streamSearch | v1alpha | | | +| queryProductSourceStats | v1alpha | | | +| referenceLists.create | v1alpha | | | +| referenceLists.get | v1alpha | | | +| referenceLists.list | v1alpha | | | +| referenceLists.patch | v1alpha | | | +| report | v1alpha | | | +| ruleExecutionErrors.list | v1alpha | chronicle.rule_detection.list_errors | | +| rules.create | v1alpha | | | +| rules.delete | v1alpha | | | +| rules.deployments.list | v1alpha | | | +| rules.get | v1alpha | | | +| rules.getDeployment | v1alpha | | | +| rules.list | v1alpha | | | +| rules.listRevisions | v1alpha | | | +| rules.patch | v1alpha | | | +| rules.retrohunts.create | v1alpha | | | +| rules.retrohunts.get | v1alpha | | | +| rules.retrohunts.list | v1alpha | | | +| rules.updateDeployment | v1alpha | | | +| searchEntities | v1alpha | | | +| searchRawLogs | v1alpha | | | +| summarizeEntitiesFromQuery | v1alpha | chronicle.entity.summarize_entity | secops entity | +| summarizeEntity | v1alpha | chronicle.entity.summarize_entity | | +| testFindingsRefinement | v1alpha | | | +| translateUdmQuery | v1alpha | chronicle.nl_search.translate_nl_to_udm | | +| translateYlRule | v1alpha | | | +| udmSearch | v1alpha | chronicle.search.search_udm | secops search | +| undelete | v1alpha | | | +| updateBigQueryExport | v1alpha | | | +| updateRiskConfig | v1alpha | | | +| users.clearConversationHistory | v1alpha | | | +| users.conversations.create | v1alpha | chronicle.gemini.create_conversation | | +| users.conversations.delete | v1alpha | | | +| users.conversations.get | v1alpha | | | +| users.conversations.list | v1alpha | | | +| users.conversations.messages.create | v1alpha | chronicle.gemini.query_gemini | secops gemini | +| users.conversations.messages.delete | v1alpha | | | +| users.conversations.messages.get | v1alpha | | | +| users.conversations.messages.list | v1alpha | | | +| users.conversations.messages.patch | v1alpha | | | +| users.conversations.patch | v1alpha | | | +| users.getPreferenceSet | v1alpha | chronicle.gemini.opt_in_to_gemini | secops gemini --opt-in | +| users.searchQueries.create | v1alpha | | | +| users.searchQueries.delete | v1alpha | | | +| users.searchQueries.get | v1alpha | | | +| users.searchQueries.list | v1alpha | | | +| users.searchQueries.patch | v1alpha | | | +| users.updatePreferenceSet | v1alpha | | | +| validateQuery | v1alpha | chronicle.validate.validate_query | | +| verifyReferenceList | v1alpha | | | +| verifyRuleText | v1alpha | chronicle.rule_validation.validate_rule | secops rule validate | +| watchlists.create | v1alpha | | | +| watchlists.delete | v1alpha | | | +| watchlists.entities.add | v1alpha | | | +| watchlists.entities.batchAdd | v1alpha | | | +| watchlists.entities.batchRemove | v1alpha | | | +| watchlists.entities.remove | v1alpha | | | +| watchlists.get | v1alpha | | | +| watchlists.list | v1alpha | | | +| watchlists.listEntities | v1alpha | | | +| watchlists.patch | v1alpha | | | | REST Resource | Version | secops-wrapper module | CLI Command | |--------------------------------------------------------------------------------|---------|-------------------------------------------------------------------------------------------------------------------|------------------------------------------------| | dataAccessLabels.create | v1 | | | diff --git a/src/secops/chronicle/__init__.py b/src/secops/chronicle/__init__.py index 15320ac9..e9bd5b46 100644 --- a/src/secops/chronicle/__init__.py +++ b/src/secops/chronicle/__init__.py @@ -98,27 +98,43 @@ search_log_types, ) from secops.chronicle.models import ( + AdvancedConfig, AlertCount, AlertState, Case, CaseList, + DailyScheduleDetails, DataExport, DataExportStage, DataExportStatus, + Date, + DayOfWeek, DetectionType, + DiffType, Entity, EntityMetadata, EntityMetrics, EntitySummary, FileMetadataAndProperties, InputInterval, + IntegrationJobInstanceParameter, + IntegrationParam, + IntegrationParamType, + IntegrationType, ListBasis, + MonthlyScheduleDetails, + OneTimeScheduleDetails, PrevalenceData, + PythonVersion, + ScheduleType, SoarPlatformInfo, + TargetMode, TileType, TimeInterval, Timeline, TimelineBucket, + TimeOfDay, + WeeklyScheduleDetails, WidgetMetadata, ) from secops.chronicle.nl_search import translate_nl_to_udm @@ -198,6 +214,37 @@ create_watchlist, update_watchlist, ) +from secops.chronicle.integration.actions import ( + list_integration_actions, + get_integration_action, + delete_integration_action, + create_integration_action, + update_integration_action, + execute_integration_action_test, + get_integration_actions_by_environment, + get_integration_action_template, +) +from secops.chronicle.integration.action_revisions import ( + list_integration_action_revisions, + delete_integration_action_revision, + create_integration_action_revision, + rollback_integration_action_revision, +) +from secops.chronicle.integration.managers import ( + list_integration_managers, + get_integration_manager, + delete_integration_manager, + create_integration_manager, + update_integration_manager, + get_integration_manager_template, +) +from secops.chronicle.integration.manager_revisions import ( + list_integration_manager_revisions, + get_integration_manager_revision, + delete_integration_manager_revision, + create_integration_manager_revision, + rollback_integration_manager_revision, +) __all__ = [ # Client @@ -315,21 +362,31 @@ "execute_query", "get_execute_query", # Models + "AdvancedConfig", + "AlertCount", + "AlertState", + "Case", + "CaseList", + "DailyScheduleDetails", + "Date", + "DayOfWeek", "Entity", "EntityMetadata", "EntityMetrics", + "EntitySummary", + "FileMetadataAndProperties", + "IntegrationJobInstanceParameter", + "MonthlyScheduleDetails", + "OneTimeScheduleDetails", + "PrevalenceData", + "ScheduleType", + "SoarPlatformInfo", "TimeInterval", - "TimelineBucket", "Timeline", + "TimelineBucket", + "TimeOfDay", + "WeeklyScheduleDetails", "WidgetMetadata", - "EntitySummary", - "AlertCount", - "AlertState", - "Case", - "SoarPlatformInfo", - "CaseList", - "PrevalenceData", - "FileMetadataAndProperties", "ValidationResult", "GeminiResponse", "Block", @@ -367,4 +424,31 @@ "delete_watchlist", "create_watchlist", "update_watchlist", + # Integration Actions + "list_integration_actions", + "get_integration_action", + "delete_integration_action", + "create_integration_action", + "update_integration_action", + "execute_integration_action_test", + "get_integration_actions_by_environment", + "get_integration_action_template", + # Integration Action Revisions + "list_integration_action_revisions", + "delete_integration_action_revision", + "create_integration_action_revision", + "rollback_integration_action_revision", + # Integration Managers + "list_integration_managers", + "get_integration_manager", + "delete_integration_manager", + "create_integration_manager", + "update_integration_manager", + "get_integration_manager_template", + # Integration Manager Revisions + "list_integration_manager_revisions", + "get_integration_manager_revision", + "delete_integration_manager_revision", + "create_integration_manager_revision", + "rollback_integration_manager_revision", ] diff --git a/src/secops/chronicle/client.py b/src/secops/chronicle/client.py index 9b892272..4c5b13e9 100644 --- a/src/secops/chronicle/client.py +++ b/src/secops/chronicle/client.py @@ -13,6 +13,7 @@ # limitations under the License. # """Chronicle API client.""" + import ipaddress import re from collections.abc import Iterator @@ -22,140 +23,143 @@ from google.auth.transport import requests as google_auth_requests +# pylint: disable=line-too-long from secops import auth as secops_auth from secops.auth import RetryConfig from secops.chronicle.alert import get_alerts as _get_alerts from secops.chronicle.case import get_cases_from_list -from secops.chronicle.dashboard import DashboardAccessType, DashboardView -from secops.chronicle.dashboard import add_chart as _add_chart -from secops.chronicle.dashboard import create_dashboard as _create_dashboard -from secops.chronicle.dashboard import delete_dashboard as _delete_dashboard from secops.chronicle.dashboard import ( + DashboardAccessType, + DashboardView, + add_chart as _add_chart, + create_dashboard as _create_dashboard, + delete_dashboard as _delete_dashboard, duplicate_dashboard as _duplicate_dashboard, + edit_chart as _edit_chart, + export_dashboard as _export_dashboard, + get_chart as _get_chart, + get_dashboard as _get_dashboard, + import_dashboard as _import_dashboard, + list_dashboards as _list_dashboards, + remove_chart as _remove_chart, + update_dashboard as _update_dashboard, ) -from secops.chronicle.dashboard import edit_chart as _edit_chart -from secops.chronicle.dashboard import export_dashboard as _export_dashboard -from secops.chronicle.dashboard import get_chart as _get_chart -from secops.chronicle.dashboard import get_dashboard as _get_dashboard -from secops.chronicle.dashboard import import_dashboard as _import_dashboard -from secops.chronicle.dashboard import list_dashboards as _list_dashboards -from secops.chronicle.dashboard import remove_chart as _remove_chart -from secops.chronicle.dashboard import update_dashboard as _update_dashboard from secops.chronicle.dashboard_query import ( execute_query as _execute_dashboard_query, -) -from secops.chronicle.dashboard_query import ( get_execute_query as _get_execute_query, ) from secops.chronicle.data_export import ( cancel_data_export as _cancel_data_export, -) -from secops.chronicle.data_export import ( create_data_export as _create_data_export, -) -from secops.chronicle.data_export import ( fetch_available_log_types as _fetch_available_log_types, -) -from secops.chronicle.data_export import get_data_export as _get_data_export -from secops.chronicle.data_export import list_data_export as _list_data_export -from secops.chronicle.data_export import ( + get_data_export as _get_data_export, + list_data_export as _list_data_export, update_data_export as _update_data_export, ) -from secops.chronicle.data_table import DataTableColumnType -from secops.chronicle.data_table import create_data_table as _create_data_table from secops.chronicle.data_table import ( + DataTableColumnType, + create_data_table as _create_data_table, create_data_table_rows as _create_data_table_rows, -) -from secops.chronicle.data_table import delete_data_table as _delete_data_table -from secops.chronicle.data_table import ( + delete_data_table as _delete_data_table, delete_data_table_rows as _delete_data_table_rows, -) -from secops.chronicle.data_table import get_data_table as _get_data_table -from secops.chronicle.data_table import ( + get_data_table as _get_data_table, list_data_table_rows as _list_data_table_rows, -) -from secops.chronicle.data_table import list_data_tables as _list_data_tables -from secops.chronicle.data_table import ( + list_data_tables as _list_data_tables, replace_data_table_rows as _replace_data_table_rows, -) -from secops.chronicle.data_table import update_data_table as _update_data_table -from secops.chronicle.data_table import ( + update_data_table as _update_data_table, update_data_table_rows as _update_data_table_rows, ) -from secops.chronicle.entity import _detect_value_type_for_query -from secops.chronicle.entity import summarize_entity as _summarize_entity -from secops.chronicle.feeds import CreateFeedModel, UpdateFeedModel -from secops.chronicle.feeds import create_feed as _create_feed -from secops.chronicle.feeds import delete_feed as _delete_feed -from secops.chronicle.feeds import disable_feed as _disable_feed -from secops.chronicle.feeds import enable_feed as _enable_feed -from secops.chronicle.feeds import generate_secret as _generate_secret -from secops.chronicle.feeds import get_feed as _get_feed -from secops.chronicle.feeds import list_feeds as _list_feeds -from secops.chronicle.feeds import update_feed as _update_feed -from secops.chronicle.gemini import GeminiResponse -from secops.chronicle.gemini import opt_in_to_gemini as _opt_in_to_gemini -from secops.chronicle.gemini import query_gemini as _query_gemini -from secops.chronicle.ioc import list_iocs as _list_iocs -from secops.chronicle.investigations import ( - fetch_associated_investigations as _fetch_associated_investigations, +from secops.chronicle.entity import ( + _detect_value_type_for_query, + summarize_entity as _summarize_entity, ) -from secops.chronicle.investigations import ( - get_investigation as _get_investigation, +from secops.chronicle.featured_content_rules import ( + list_featured_content_rules as _list_featured_content_rules, ) -from secops.chronicle.investigations import ( - list_investigations as _list_investigations, +from secops.chronicle.feeds import ( + CreateFeedModel, + UpdateFeedModel, + create_feed as _create_feed, + delete_feed as _delete_feed, + disable_feed as _disable_feed, + enable_feed as _enable_feed, + generate_secret as _generate_secret, + get_feed as _get_feed, + list_feeds as _list_feeds, + update_feed as _update_feed, +) +from secops.chronicle.gemini import ( + GeminiResponse, + opt_in_to_gemini as _opt_in_to_gemini, + query_gemini as _query_gemini, ) from secops.chronicle.investigations import ( + fetch_associated_investigations as _fetch_associated_investigations, + get_investigation as _get_investigation, + list_investigations as _list_investigations, trigger_investigation as _trigger_investigation, ) -from secops.chronicle.log_ingest import create_forwarder as _create_forwarder -from secops.chronicle.log_ingest import delete_forwarder as _delete_forwarder -from secops.chronicle.log_ingest import get_forwarder as _get_forwarder +from secops.chronicle.ioc import list_iocs as _list_iocs from secops.chronicle.log_ingest import ( + create_forwarder as _create_forwarder, + delete_forwarder as _delete_forwarder, + get_forwarder as _get_forwarder, get_or_create_forwarder as _get_or_create_forwarder, + import_entities as _import_entities, + ingest_log as _ingest_log, + ingest_udm as _ingest_udm, + list_forwarders as _list_forwarders, + update_forwarder as _update_forwarder, ) -from secops.chronicle.log_ingest import import_entities as _import_entities -from secops.chronicle.log_ingest import ingest_log as _ingest_log -from secops.chronicle.log_ingest import ingest_udm as _ingest_udm -from secops.chronicle.log_ingest import list_forwarders as _list_forwarders -from secops.chronicle.log_ingest import update_forwarder as _update_forwarder -from secops.chronicle.log_types import classify_logs as _classify_logs -from secops.chronicle.log_types import get_all_log_types as _get_all_log_types -from secops.chronicle.log_types import ( - get_log_type_description as _get_log_type_description, -) -from secops.chronicle.log_types import is_valid_log_type as _is_valid_log_type -from secops.chronicle.log_types import search_log_types as _search_log_types from secops.chronicle.log_processing_pipelines import ( associate_streams as _associate_streams, -) -from secops.chronicle.log_processing_pipelines import ( create_log_processing_pipeline as _create_log_processing_pipeline, -) -from secops.chronicle.log_processing_pipelines import ( delete_log_processing_pipeline as _delete_log_processing_pipeline, -) -from secops.chronicle.log_processing_pipelines import ( dissociate_streams as _dissociate_streams, -) -from secops.chronicle.log_processing_pipelines import ( fetch_associated_pipeline as _fetch_associated_pipeline, -) -from secops.chronicle.log_processing_pipelines import ( fetch_sample_logs_by_streams as _fetch_sample_logs_by_streams, -) -from secops.chronicle.log_processing_pipelines import ( get_log_processing_pipeline as _get_log_processing_pipeline, -) -from secops.chronicle.log_processing_pipelines import ( list_log_processing_pipelines as _list_log_processing_pipelines, -) -from secops.chronicle.log_processing_pipelines import ( + test_pipeline as _test_pipeline, update_log_processing_pipeline as _update_log_processing_pipeline, ) -from secops.chronicle.log_processing_pipelines import ( - test_pipeline as _test_pipeline, +from secops.chronicle.log_types import ( + classify_logs as _classify_logs, + get_all_log_types as _get_all_log_types, + get_log_type_description as _get_log_type_description, + is_valid_log_type as _is_valid_log_type, + search_log_types as _search_log_types, +) +from secops.chronicle.integration.actions import ( + create_integration_action as _create_integration_action, + delete_integration_action as _delete_integration_action, + execute_integration_action_test as _execute_integration_action_test, + get_integration_action as _get_integration_action, + get_integration_action_template as _get_integration_action_template, + get_integration_actions_by_environment as _get_integration_actions_by_environment, + list_integration_actions as _list_integration_actions, + update_integration_action as _update_integration_action, +) +from secops.chronicle.integration.action_revisions import ( + create_integration_action_revision as _create_integration_action_revision, + delete_integration_action_revision as _delete_integration_action_revision, + list_integration_action_revisions as _list_integration_action_revisions, + rollback_integration_action_revision as _rollback_integration_action_revision, +) +from secops.chronicle.integration.managers import ( + create_integration_manager as _create_integration_manager, + delete_integration_manager as _delete_integration_manager, + get_integration_manager as _get_integration_manager, + get_integration_manager_template as _get_integration_manager_template, + list_integration_managers as _list_integration_managers, + update_integration_manager as _update_integration_manager, +) +from secops.chronicle.integration.manager_revisions import ( + create_integration_manager_revision as _create_integration_manager_revision, + delete_integration_manager_revision as _delete_integration_manager_revision, + get_integration_manager_revision as _get_integration_manager_revision, + list_integration_manager_revisions as _list_integration_manager_revisions, + rollback_integration_manager_revision as _rollback_integration_manager_revision, ) from secops.chronicle.models import ( APIVersion, @@ -166,102 +170,70 @@ InputInterval, TileType, ) -from secops.chronicle.nl_search import nl_search as _nl_search -from secops.chronicle.nl_search import translate_nl_to_udm -from secops.chronicle.parser import activate_parser as _activate_parser +from secops.chronicle.nl_search import ( + nl_search as _nl_search, + translate_nl_to_udm, +) from secops.chronicle.parser import ( + activate_parser as _activate_parser, activate_release_candidate_parser as _activate_release_candidate_parser, + copy_parser as _copy_parser, + create_parser as _create_parser, + deactivate_parser as _deactivate_parser, + delete_parser as _delete_parser, + get_parser as _get_parser, + list_parsers as _list_parsers, + run_parser as _run_parser, ) -from secops.chronicle.parser import copy_parser as _copy_parser -from secops.chronicle.parser import create_parser as _create_parser -from secops.chronicle.parser import deactivate_parser as _deactivate_parser -from secops.chronicle.parser import delete_parser as _delete_parser -from secops.chronicle.parser import get_parser as _get_parser -from secops.chronicle.parser import list_parsers as _list_parsers -from secops.chronicle.parser import run_parser as _run_parser -from secops.chronicle.parser_extension import ParserExtensionConfig from secops.chronicle.parser_extension import ( + ParserExtensionConfig, activate_parser_extension as _activate_parser_extension, -) -from secops.chronicle.parser_extension import ( create_parser_extension as _create_parser_extension, -) -from secops.chronicle.parser_extension import ( delete_parser_extension as _delete_parser_extension, -) -from secops.chronicle.parser_extension import ( get_parser_extension as _get_parser_extension, -) -from secops.chronicle.parser_extension import ( list_parser_extensions as _list_parser_extensions, ) from secops.chronicle.reference_list import ( ReferenceListSyntaxType, ReferenceListView, -) -from secops.chronicle.reference_list import ( create_reference_list as _create_reference_list, -) -from secops.chronicle.reference_list import ( get_reference_list as _get_reference_list, -) -from secops.chronicle.reference_list import ( list_reference_lists as _list_reference_lists, -) -from secops.chronicle.reference_list import ( update_reference_list as _update_reference_list, ) - -# Import rule functions -from secops.chronicle.rule import create_rule as _create_rule -from secops.chronicle.rule import delete_rule as _delete_rule -from secops.chronicle.rule import enable_rule as _enable_rule -from secops.chronicle.rule import get_rule as _get_rule -from secops.chronicle.rule import get_rule_deployment as _get_rule_deployment from secops.chronicle.rule import ( + create_rule as _create_rule, + delete_rule as _delete_rule, + enable_rule as _enable_rule, + get_rule as _get_rule, + get_rule_deployment as _get_rule_deployment, list_rule_deployments as _list_rule_deployments, -) -from secops.chronicle.rule import list_rules as _list_rules -from secops.chronicle.rule import run_rule_test -from secops.chronicle.rule import search_rules as _search_rules -from secops.chronicle.rule import set_rule_alerting as _set_rule_alerting -from secops.chronicle.rule import update_rule as _update_rule -from secops.chronicle.rule import ( + list_rules as _list_rules, + run_rule_test, + search_rules as _search_rules, + set_rule_alerting as _set_rule_alerting, + update_rule as _update_rule, update_rule_deployment as _update_rule_deployment, ) from secops.chronicle.rule_alert import ( bulk_update_alerts as _bulk_update_alerts, -) -from secops.chronicle.rule_alert import get_alert as _get_alert -from secops.chronicle.rule_alert import ( + get_alert as _get_alert, search_rule_alerts as _search_rule_alerts, + update_alert as _update_alert, +) +from secops.chronicle.rule_detection import ( + list_detections as _list_detections, + list_errors as _list_errors, ) -from secops.chronicle.rule_alert import update_alert as _update_alert -from secops.chronicle.rule_detection import list_detections as _list_detections -from secops.chronicle.rule_detection import list_errors as _list_errors from secops.chronicle.rule_exclusion import ( RuleExclusionType, UpdateRuleDeployment, -) -from secops.chronicle.rule_exclusion import ( compute_rule_exclusion_activity as _compute_rule_exclusion_activity, -) -from secops.chronicle.rule_exclusion import ( create_rule_exclusion as _create_rule_exclusion, -) -from secops.chronicle.rule_exclusion import ( get_rule_exclusion as _get_rule_exclusion, -) -from secops.chronicle.rule_exclusion import ( get_rule_exclusion_deployment as _get_rule_exclusion_deployment, -) -from secops.chronicle.rule_exclusion import ( list_rule_exclusions as _list_rule_exclusions, -) -from secops.chronicle.rule_exclusion import ( patch_rule_exclusion as _patch_rule_exclusion, -) -from secops.chronicle.rule_exclusion import ( update_rule_exclusion_deployment as _update_rule_exclusion_deployment, ) from secops.chronicle.rule_retrohunt import ( @@ -270,72 +242,45 @@ list_retrohunts as _list_retrohunts, ) from secops.chronicle.rule_set import ( - batch_update_curated_rule_set_deployments as _batch_update_curated_rule_set_deployments, # pylint: disable=line-too-long -) -from secops.chronicle.rule_set import get_curated_rule as _get_curated_rule -from secops.chronicle.rule_set import ( + batch_update_curated_rule_set_deployments as _batch_update_curated_rule_set_deployments, + get_curated_rule as _get_curated_rule, get_curated_rule_by_name as _get_curated_rule_by_name, -) -from secops.chronicle.rule_set import ( get_curated_rule_set as _get_curated_rule_set, -) -from secops.chronicle.rule_set import ( get_curated_rule_set_category as _get_curated_rule_set_category, -) -from secops.chronicle.rule_set import ( get_curated_rule_set_deployment as _get_curated_rule_set_deployment, -) -from secops.chronicle.rule_set import ( - get_curated_rule_set_deployment_by_name as _get_curated_rule_set_deployment_by_name, # pylint: disable=line-too-long -) -from secops.chronicle.rule_set import ( + get_curated_rule_set_deployment_by_name as _get_curated_rule_set_deployment_by_name, list_curated_rule_set_categories as _list_curated_rule_set_categories, -) -from secops.chronicle.rule_set import ( list_curated_rule_set_deployments as _list_curated_rule_set_deployments, -) -from secops.chronicle.rule_set import ( list_curated_rule_sets as _list_curated_rule_sets, -) -from secops.chronicle.rule_set import list_curated_rules as _list_curated_rules -from secops.chronicle.rule_set import ( + list_curated_rules as _list_curated_rules, search_curated_detections as _search_curated_detections, -) -from secops.chronicle.rule_set import ( update_curated_rule_set_deployment as _update_curated_rule_set_deployment, ) -from secops.chronicle.featured_content_rules import ( - list_featured_content_rules as _list_featured_content_rules, -) from secops.chronicle.rule_validation import validate_rule as _validate_rule from secops.chronicle.search import search_udm as _search_udm from secops.chronicle.log_search import search_raw_logs as _search_raw_logs from secops.chronicle.stats import get_stats as _get_stats -from secops.chronicle.udm_mapping import RowLogFormat from secops.chronicle.udm_mapping import ( + RowLogFormat, generate_udm_key_value_mappings as _generate_udm_key_value_mappings, ) - -# Import functions from the new modules from secops.chronicle.udm_search import ( fetch_udm_search_csv as _fetch_udm_search_csv, -) -from secops.chronicle.udm_search import ( fetch_udm_search_view as _fetch_udm_search_view, -) -from secops.chronicle.udm_search import ( find_udm_field_values as _find_udm_field_values, ) from secops.chronicle.validate import validate_query as _validate_query from secops.chronicle.watchlist import ( - list_watchlists as _list_watchlists, - get_watchlist as _get_watchlist, - delete_watchlist as _delete_watchlist, create_watchlist as _create_watchlist, + delete_watchlist as _delete_watchlist, + get_watchlist as _get_watchlist, + list_watchlists as _list_watchlists, update_watchlist as _update_watchlist, ) from secops.exceptions import SecOpsError +# pylint: enable=line-too-long + class ValueType(Enum): """Chronicle API value types.""" @@ -761,6 +706,952 @@ def update_watchlist( update_mask, ) + # ------------------------------------------------------------------------- + # Integration Action methods + # ------------------------------------------------------------------------- + + def list_integration_actions( + self, + integration_name: str, + page_size: int | None = None, + page_token: str | None = None, + filter_string: str | None = None, + order_by: str | None = None, + expand: str | None = None, + api_version: APIVersion | None = APIVersion.V1BETA, + as_list: bool = False, + ) -> dict[str, Any] | list[dict[str, Any]]: + """Get a list of actions for a given integration. + + Args: + integration_name: Name of the integration to get actions for + page_size: Number of results to return per page + page_token: Token for the page to retrieve + filter_string: Filter expression to filter actions + order_by: Field to sort the actions by + expand: Comma-separated list of fields to expand in the response + api_version: API version to use for the request. Default is V1BETA. + as_list: If True, return a list of actions instead of a dict with + actions list and nextPageToken. + + Returns: + If as_list is True: List of actions. + If as_list is False: Dict with actions list and nextPageToken. + + Raises: + APIError: If the API request fails + """ + return _list_integration_actions( + self, + integration_name, + page_size=page_size, + page_token=page_token, + filter_string=filter_string, + order_by=order_by, + expand=expand, + api_version=api_version, + as_list=as_list, + ) + + def get_integration_action( + self, + integration_name: str, + action_id: str, + api_version: APIVersion | None = APIVersion.V1BETA, + ) -> dict[str, Any]: + """Get details of a specific action for a given integration. + + Args: + integration_name: Name of the integration the action belongs to + action_id: ID of the action to retrieve + api_version: API version to use for the request. Default is V1BETA. + + Returns: + Dict containing details of the specified action. + + Raises: + APIError: If the API request fails + """ + return _get_integration_action( + self, + integration_name, + action_id, + api_version=api_version, + ) + + def delete_integration_action( + self, + integration_name: str, + action_id: str, + api_version: APIVersion | None = APIVersion.V1BETA, + ) -> None: + """Delete a specific action from a given integration. + + Args: + integration_name: Name of the integration the action belongs to + action_id: ID of the action to delete + api_version: API version to use for the request. Default is V1BETA. + + Returns: + None + + Raises: + APIError: If the API request fails + """ + return _delete_integration_action( + self, + integration_name, + action_id, + api_version=api_version, + ) + + def create_integration_action( + self, + integration_name: str, + display_name: str, + script: str, + timeout_seconds: int, + enabled: bool, + script_result_name: str, + is_async: bool, + description: str | None = None, + default_result_value: str | None = None, + async_polling_interval_seconds: int | None = None, + async_total_timeout_seconds: int | None = None, + dynamic_results: list[dict[str, Any]] | None = None, + parameters: list[dict[str, Any]] | None = None, + ai_generated: bool | None = None, + api_version: APIVersion | None = APIVersion.V1BETA, + ) -> dict[str, Any]: + """Create a new custom action for a given integration. + + Args: + integration_name: Name of the integration to + create the action for. + display_name: Action's display name. + Maximum 150 characters. Required. + script: Action's Python script. Maximum size 5MB. Required. + timeout_seconds: Action timeout in seconds. Maximum 1200. Required. + enabled: Whether the action is enabled or disabled. Required. + script_result_name: Field name that holds the script result. + Maximum 100 characters. Required. + is_async: Whether the action is asynchronous. Required. + description: Action's description. Maximum 400 characters. Optional. + default_result_value: Action's default result value. + Maximum 1000 characters. Optional. + async_polling_interval_seconds: Polling interval + in seconds for async actions. + Cannot exceed total timeout. Optional. + async_total_timeout_seconds: Total async timeout in seconds. Maximum + 1209600 (14 days). Optional. + dynamic_results: List of dynamic result metadata dicts. + Max 50. Optional. + parameters: List of action parameter dicts. Max 50. Optional. + ai_generated: Whether the action was generated by AI. Optional. + api_version: API version to use for the request. Default is V1BETA. + + Returns: + Dict containing the newly created IntegrationAction resource. + + Raises: + APIError: If the API request fails. + """ + return _create_integration_action( + self, + integration_name, + display_name, + script, + timeout_seconds, + enabled, + script_result_name, + is_async, + description=description, + default_result_value=default_result_value, + async_polling_interval_seconds=async_polling_interval_seconds, + async_total_timeout_seconds=async_total_timeout_seconds, + dynamic_results=dynamic_results, + parameters=parameters, + ai_generated=ai_generated, + api_version=api_version, + ) + + def update_integration_action( + self, + integration_name: str, + action_id: str, + display_name: str | None = None, + script: str | None = None, + timeout_seconds: int | None = None, + enabled: bool | None = None, + script_result_name: str | None = None, + is_async: bool | None = None, + description: str | None = None, + default_result_value: str | None = None, + async_polling_interval_seconds: int | None = None, + async_total_timeout_seconds: int | None = None, + dynamic_results: list[dict[str, Any]] | None = None, + parameters: list[dict[str, Any]] | None = None, + ai_generated: bool | None = None, + update_mask: str | None = None, + api_version: APIVersion | None = APIVersion.V1BETA, + ) -> dict[str, Any]: + """Update an existing custom action for a given integration. + + Only custom actions can be updated; predefined commercial actions are + immutable. + + Args: + integration_name: Name of the integration the action belongs to. + action_id: ID of the action to update. + display_name: Action's display name. Maximum 150 characters. + script: Action's Python script. Maximum size 5MB. + timeout_seconds: Action timeout in seconds. Maximum 1200. + enabled: Whether the action is enabled or disabled. + script_result_name: Field name that holds the script result. + Maximum 100 characters. + is_async: Whether the action is asynchronous. + description: Action's description. Maximum 400 characters. + default_result_value: Action's default result value. + Maximum 1000 characters. + async_polling_interval_seconds: Polling interval + in seconds for async actions. Cannot exceed total timeout. + async_total_timeout_seconds: Total async timeout in seconds. Maximum + 1209600 (14 days). + dynamic_results: List of dynamic result metadata dicts. Max 50. + parameters: List of action parameter dicts. Max 50. + ai_generated: Whether the action was generated by AI. + update_mask: Comma-separated list of fields to update. If omitted, + the mask is auto-generated from whichever fields are provided. + Example: "displayName,script". + api_version: API version to use for the request. Default is V1BETA. + + Returns: + Dict containing the updated IntegrationAction resource. + + Raises: + APIError: If the API request fails. + """ + return _update_integration_action( + self, + integration_name, + action_id, + display_name=display_name, + script=script, + timeout_seconds=timeout_seconds, + enabled=enabled, + script_result_name=script_result_name, + is_async=is_async, + description=description, + default_result_value=default_result_value, + async_polling_interval_seconds=async_polling_interval_seconds, + async_total_timeout_seconds=async_total_timeout_seconds, + dynamic_results=dynamic_results, + parameters=parameters, + ai_generated=ai_generated, + update_mask=update_mask, + api_version=api_version, + ) + + def execute_integration_action_test( + self, + integration_name: str, + test_case_id: int, + action: dict[str, Any], + scope: str, + integration_instance_id: str, + api_version: APIVersion | None = APIVersion.V1BETA, + ) -> dict[str, Any]: + """Execute a test run of an integration action's script. + + Use this method to verify custom action logic, connectivity, and data + parsing against a specified integration instance and test case before + making the action available in playbooks. + + Args: + integration_name: Name of the integration the action belongs to. + test_case_id: ID of the action test case. + action: Dict containing the IntegrationAction to test. + scope: The action test scope. + integration_instance_id: The integration instance ID to use. + api_version: API version to use for the request. Default is V1BETA. + + Returns: + Dict with the test execution results with the following fields: + - output: The script output. + - debugOutput: The script debug output. + - resultJson: The result JSON if it exists (optional). + - resultName: The script result name (optional). + + Raises: + APIError: If the API request fails. + """ + return _execute_integration_action_test( + self, + integration_name, + test_case_id, + action, + scope, + integration_instance_id, + api_version=api_version, + ) + + def get_integration_actions_by_environment( + self, + integration_name: str, + environments: list[str], + include_widgets: bool, + api_version: APIVersion | None = APIVersion.V1BETA, + ) -> dict[str, Any]: + """List actions executable within specified environments. + + Use this method to discover which automated tasks have active + integration instances configured for a particular + network or organizational context. + + Args: + integration_name: Name of the integration to fetch actions for. + environments: List of environments to filter actions by. + include_widgets: Whether to include widget actions in the response. + api_version: API version to use for the request. Default is V1BETA. + + Returns: + Dict containing a list of IntegrationAction objects that have + integration instances in one of the given environments. + + Raises: + APIError: If the API request fails. + """ + return _get_integration_actions_by_environment( + self, + integration_name, + environments, + include_widgets, + api_version=api_version, + ) + + def get_integration_action_template( + self, + integration_name: str, + is_async: bool = False, + api_version: APIVersion | None = APIVersion.V1BETA, + ) -> dict[str, Any]: + """Retrieve a default Python script template for a new + integration action. + + Use this method to jumpstart the development of a custom automated task + by providing boilerplate code for either synchronous or asynchronous + operations. + + Args: + integration_name: Name of the integration to fetch the template for. + is_async: Whether to fetch a template for an async action. Default + is False. + api_version: API version to use for the request. Default is V1BETA. + + Returns: + Dict containing the IntegrationAction template. + + Raises: + APIError: If the API request fails. + """ + return _get_integration_action_template( + self, + integration_name, + is_async=is_async, + api_version=api_version, + ) + + # ------------------------------------------------------------------------- + # Integration Action Revisions methods + # ------------------------------------------------------------------------- + + def list_integration_action_revisions( + self, + integration_name: str, + action_id: str, + page_size: int | None = None, + page_token: str | None = None, + filter_string: str | None = None, + order_by: str | None = None, + api_version: APIVersion | None = APIVersion.V1BETA, + as_list: bool = False, + ) -> dict[str, Any] | list[dict[str, Any]]: + """List all revisions for a specific integration action. + + Use this method to view the history of changes to an action, + enabling version control and the ability to rollback to + previous configurations. + + Args: + integration_name: Name of the integration the action + belongs to. + action_id: ID of the action to list revisions for. + page_size: Maximum number of revisions to return. + page_token: Page token from a previous call to retrieve the + next page. + filter_string: Filter expression to filter revisions. + order_by: Field to sort the revisions by. + api_version: API version to use for the request. Default is + V1BETA. + as_list: If True, return a list of revisions instead of a + dict with revisions list and nextPageToken. + + Returns: + If as_list is True: List of action revisions. + If as_list is False: Dict with action revisions list and + nextPageToken. + + Raises: + APIError: If the API request fails. + """ + return _list_integration_action_revisions( + self, + integration_name, + action_id, + page_size=page_size, + page_token=page_token, + filter_string=filter_string, + order_by=order_by, + api_version=api_version, + as_list=as_list, + ) + + def delete_integration_action_revision( + self, + integration_name: str, + action_id: str, + revision_id: str, + api_version: APIVersion | None = APIVersion.V1BETA, + ) -> None: + """Delete a specific action revision. + + Use this method to permanently remove a revision from the + action's history. + + Args: + integration_name: Name of the integration the action + belongs to. + action_id: ID of the action the revision belongs to. + revision_id: ID of the revision to delete. + api_version: API version to use for the request. Default is + V1BETA. + + Returns: + None + + Raises: + APIError: If the API request fails. + """ + return _delete_integration_action_revision( + self, + integration_name, + action_id, + revision_id, + api_version=api_version, + ) + + def create_integration_action_revision( + self, + integration_name: str, + action_id: str, + action: dict[str, Any], + comment: str | None = None, + api_version: APIVersion | None = APIVersion.V1BETA, + ) -> dict[str, Any]: + """Create a new revision for an integration action. + + Use this method to save a snapshot of the current action + configuration before making changes, enabling easy rollback if + needed. + + Args: + integration_name: Name of the integration the action + belongs to. + action_id: ID of the action to create a revision for. + action: The action object to save as a revision. + comment: Optional comment describing the revision. + api_version: API version to use for the request. Default is + V1BETA. + + Returns: + Dict containing the newly created ActionRevision resource. + + Raises: + APIError: If the API request fails. + """ + return _create_integration_action_revision( + self, + integration_name, + action_id, + action, + comment=comment, + api_version=api_version, + ) + + def rollback_integration_action_revision( + self, + integration_name: str, + action_id: str, + revision_id: str, + api_version: APIVersion | None = APIVersion.V1BETA, + ) -> dict[str, Any]: + """Rollback an integration action to a previous revision. + + Use this method to restore an action to a previously saved + state, reverting any changes made since that revision. + + Args: + integration_name: Name of the integration the action + belongs to. + action_id: ID of the action to rollback. + revision_id: ID of the revision to rollback to. + api_version: API version to use for the request. Default is + V1BETA. + + Returns: + Dict containing the rolled back IntegrationAction resource. + + Raises: + APIError: If the API request fails. + """ + return _rollback_integration_action_revision( + self, + integration_name, + action_id, + revision_id, + api_version=api_version, + ) + + # ------------------------------------------------------------------------- + # Integration Manager methods + # ------------------------------------------------------------------------- + + def list_integration_managers( + self, + integration_name: str, + page_size: int | None = None, + page_token: str | None = None, + filter_string: str | None = None, + order_by: str | None = None, + api_version: APIVersion | None = APIVersion.V1BETA, + as_list: bool = False, + ) -> dict[str, Any] | list[dict[str, Any]]: + """List all managers defined for a specific integration. + + Use this method to discover the library of managers available + within a particular integration's scope. + + Args: + integration_name: Name of the integration to list managers + for. + page_size: Maximum number of managers to return. Defaults to + 100, maximum is 100. + page_token: Page token from a previous call to retrieve the + next page. + filter_string: Filter expression to filter managers. + order_by: Field to sort the managers by. + api_version: API version to use for the request. Default is + V1BETA. + as_list: If True, return a list of managers instead of a + dict with managers list and nextPageToken. + + Returns: + If as_list is True: List of managers. + If as_list is False: Dict with managers list and + nextPageToken. + + Raises: + APIError: If the API request fails. + """ + return _list_integration_managers( + self, + integration_name, + page_size=page_size, + page_token=page_token, + filter_string=filter_string, + order_by=order_by, + api_version=api_version, + as_list=as_list, + ) + + def get_integration_manager( + self, + integration_name: str, + manager_id: str, + api_version: APIVersion | None = APIVersion.V1BETA, + ) -> dict[str, Any]: + """Get a single manager for a given integration. + + Use this method to retrieve the manager script and its metadata + for review or reference. + + Args: + integration_name: Name of the integration the manager + belongs to. + manager_id: ID of the manager to retrieve. + api_version: API version to use for the request. Default is + V1BETA. + + Returns: + Dict containing details of the specified IntegrationManager. + + Raises: + APIError: If the API request fails. + """ + return _get_integration_manager( + self, + integration_name, + manager_id, + api_version=api_version, + ) + + def delete_integration_manager( + self, + integration_name: str, + manager_id: str, + api_version: APIVersion | None = APIVersion.V1BETA, + ) -> None: + """Delete a specific custom manager from a given integration. + + Note that deleting a manager may break components (actions, + jobs) that depend on its code. + + Args: + integration_name: Name of the integration the manager + belongs to. + manager_id: ID of the manager to delete. + api_version: API version to use for the request. Default is + V1BETA. + + Returns: + None + + Raises: + APIError: If the API request fails. + """ + return _delete_integration_manager( + self, + integration_name, + manager_id, + api_version=api_version, + ) + + def create_integration_manager( + self, + integration_name: str, + display_name: str, + script: str, + description: str | None = None, + api_version: APIVersion | None = APIVersion.V1BETA, + ) -> dict[str, Any]: + """Create a new custom manager for a given integration. + + Use this method to add a new shared code utility. Each manager + must have a unique display name and a script containing valid + Python logic for reuse across actions, jobs, and connectors. + + Args: + integration_name: Name of the integration to create the + manager for. + display_name: Manager's display name. Maximum 150 + characters. Required. + script: Manager's Python script. Maximum 5MB. Required. + description: Manager's description. Maximum 400 characters. + Optional. + api_version: API version to use for the request. Default is + V1BETA. + + Returns: + Dict containing the newly created IntegrationManager + resource. + + Raises: + APIError: If the API request fails. + """ + return _create_integration_manager( + self, + integration_name, + display_name, + script, + description=description, + api_version=api_version, + ) + + def update_integration_manager( + self, + integration_name: str, + manager_id: str, + display_name: str | None = None, + script: str | None = None, + description: str | None = None, + update_mask: str | None = None, + api_version: APIVersion | None = APIVersion.V1BETA, + ) -> dict[str, Any]: + """Update an existing custom manager for a given integration. + + Use this method to modify the shared code, adjust its + description, or refine its logic across all components that + import it. + + Args: + integration_name: Name of the integration the manager + belongs to. + manager_id: ID of the manager to update. + display_name: Manager's display name. Maximum 150 + characters. + script: Manager's Python script. Maximum 5MB. + description: Manager's description. Maximum 400 characters. + update_mask: Comma-separated list of fields to update. If + omitted, the mask is auto-generated from whichever + fields are provided. Example: "displayName,script". + api_version: API version to use for the request. Default is + V1BETA. + + Returns: + Dict containing the updated IntegrationManager resource. + + Raises: + APIError: If the API request fails. + """ + return _update_integration_manager( + self, + integration_name, + manager_id, + display_name=display_name, + script=script, + description=description, + update_mask=update_mask, + api_version=api_version, + ) + + def get_integration_manager_template( + self, + integration_name: str, + api_version: APIVersion | None = APIVersion.V1BETA, + ) -> dict[str, Any]: + """Retrieve a default Python script template for a new + integration manager. + + Use this method to quickly start developing new managers. + + Args: + integration_name: Name of the integration to fetch the + template for. + api_version: API version to use for the request. Default is + V1BETA. + + Returns: + Dict containing the IntegrationManager template. + + Raises: + APIError: If the API request fails. + """ + return _get_integration_manager_template( + self, + integration_name, + api_version=api_version, + ) + + # ------------------------------------------------------------------------- + # Integration Manager Revisions methods + # ------------------------------------------------------------------------- + + def list_integration_manager_revisions( + self, + integration_name: str, + manager_id: str, + page_size: int | None = None, + page_token: str | None = None, + filter_string: str | None = None, + order_by: str | None = None, + api_version: APIVersion | None = APIVersion.V1BETA, + as_list: bool = False, + ) -> dict[str, Any] | list[dict[str, Any]]: + """List all revisions for a specific integration manager. + + Use this method to browse the version history and identify + previous functional states of a manager. + + Args: + integration_name: Name of the integration the manager + belongs to. + manager_id: ID of the manager to list revisions for. + page_size: Maximum number of revisions to return. + page_token: Page token from a previous call to retrieve the + next page. + filter_string: Filter expression to filter revisions. + order_by: Field to sort the revisions by. + api_version: API version to use for the request. Default is + V1BETA. + as_list: If True, return a list of revisions instead of a + dict with revisions list and nextPageToken. + + Returns: + If as_list is True: List of revisions. + If as_list is False: Dict with revisions list and + nextPageToken. + + Raises: + APIError: If the API request fails. + """ + return _list_integration_manager_revisions( + self, + integration_name, + manager_id, + page_size=page_size, + page_token=page_token, + filter_string=filter_string, + order_by=order_by, + api_version=api_version, + as_list=as_list, + ) + + def get_integration_manager_revision( + self, + integration_name: str, + manager_id: str, + revision_id: str, + api_version: APIVersion | None = APIVersion.V1BETA, + ) -> dict[str, Any]: + """Get a single revision for a specific integration manager. + + Use this method to retrieve a specific snapshot of an + IntegrationManagerRevision for comparison or review. + + Args: + integration_name: Name of the integration the manager + belongs to. + manager_id: ID of the manager the revision belongs to. + revision_id: ID of the revision to retrieve. + api_version: API version to use for the request. Default is + V1BETA. + + Returns: + Dict containing details of the specified + IntegrationManagerRevision. + + Raises: + APIError: If the API request fails. + """ + return _get_integration_manager_revision( + self, + integration_name, + manager_id, + revision_id, + api_version=api_version, + ) + + def delete_integration_manager_revision( + self, + integration_name: str, + manager_id: str, + revision_id: str, + api_version: APIVersion | None = APIVersion.V1BETA, + ) -> None: + """Delete a specific revision for a given integration manager. + + Use this method to clean up obsolete snapshots and manage the + historical record of managers. + + Args: + integration_name: Name of the integration the manager + belongs to. + manager_id: ID of the manager the revision belongs to. + revision_id: ID of the revision to delete. + api_version: API version to use for the request. Default is + V1BETA. + + Returns: + None + + Raises: + APIError: If the API request fails. + """ + return _delete_integration_manager_revision( + self, + integration_name, + manager_id, + revision_id, + api_version=api_version, + ) + + def create_integration_manager_revision( + self, + integration_name: str, + manager_id: str, + manager: dict[str, Any], + comment: str | None = None, + api_version: APIVersion | None = APIVersion.V1BETA, + ) -> dict[str, Any]: + """Create a new revision snapshot of the current integration + manager. + + Use this method to establish a recovery point before making + significant updates to a manager. + + Args: + integration_name: Name of the integration the manager + belongs to. + manager_id: ID of the manager to create a revision for. + manager: Dict containing the IntegrationManager to snapshot. + comment: Comment describing the revision. Maximum 400 + characters. Optional. + api_version: API version to use for the request. Default is + V1BETA. + + Returns: + Dict containing the newly created + IntegrationManagerRevision resource. + + Raises: + APIError: If the API request fails. + """ + return _create_integration_manager_revision( + self, + integration_name, + manager_id, + manager, + comment=comment, + api_version=api_version, + ) + + def rollback_integration_manager_revision( + self, + integration_name: str, + manager_id: str, + revision_id: str, + api_version: APIVersion | None = APIVersion.V1BETA, + ) -> dict[str, Any]: + """Revert the current manager definition to a previously saved + revision. + + Use this method to rapidly recover a functional state for + common code if an update causes operational issues in dependent + actions or jobs. + + Args: + integration_name: Name of the integration the manager + belongs to. + manager_id: ID of the manager to rollback. + revision_id: ID of the revision to rollback to. + api_version: API version to use for the request. Default is + V1BETA. + + Returns: + Dict containing the IntegrationManagerRevision rolled back + to. + + Raises: + APIError: If the API request fails. + """ + return _rollback_integration_manager_revision( + self, + integration_name, + manager_id, + revision_id, + api_version=api_version, + ) + def get_stats( self, query: str, diff --git a/src/secops/chronicle/entity.py b/src/secops/chronicle/entity.py index 429d4393..84e5060a 100644 --- a/src/secops/chronicle/entity.py +++ b/src/secops/chronicle/entity.py @@ -15,6 +15,7 @@ """ Provides entity search, analysis and summarization functionality for Chronicle. """ + import ipaddress import re from datetime import datetime diff --git a/src/secops/chronicle/feeds.py b/src/secops/chronicle/feeds.py index b9ed7f22..8030b753 100644 --- a/src/secops/chronicle/feeds.py +++ b/src/secops/chronicle/feeds.py @@ -15,6 +15,7 @@ """ Provides ingestion feed management functionality for Chronicle. """ + import json import os import sys diff --git a/src/secops/chronicle/gemini.py b/src/secops/chronicle/gemini.py index abed52cb..eee42374 100644 --- a/src/secops/chronicle/gemini.py +++ b/src/secops/chronicle/gemini.py @@ -16,6 +16,7 @@ Provides access to Chronicle's Gemini conversational AI interface. """ + import re from typing import Any diff --git a/src/secops/chronicle/integration/__init__.py b/src/secops/chronicle/integration/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/src/secops/chronicle/integration/action_revisions.py b/src/secops/chronicle/integration/action_revisions.py new file mode 100644 index 00000000..b5229b3c --- /dev/null +++ b/src/secops/chronicle/integration/action_revisions.py @@ -0,0 +1,201 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +"""Integration action revisions functionality for Chronicle.""" + +from typing import Any, TYPE_CHECKING + +from secops.chronicle.models import APIVersion +from secops.chronicle.utils.format_utils import format_resource_id +from secops.chronicle.utils.request_utils import ( + chronicle_paginated_request, + chronicle_request, +) + +if TYPE_CHECKING: + from secops.chronicle.client import ChronicleClient + + +def list_integration_action_revisions( + client: "ChronicleClient", + integration_name: str, + action_id: str, + page_size: int | None = None, + page_token: str | None = None, + filter_string: str | None = None, + order_by: str | None = None, + api_version: APIVersion | None = APIVersion.V1BETA, + as_list: bool = False, +) -> dict[str, Any] | list[dict[str, Any]]: + """List all revisions for a specific integration action. + + Use this method to browse the version history and identify previous + configurations of an automated task. + + Args: + client: ChronicleClient instance. + integration_name: Name of the integration the action belongs to. + action_id: ID of the action to list revisions for. + page_size: Maximum number of revisions to return. + page_token: Page token from a previous call to retrieve the next page. + filter_string: Filter expression to filter revisions. + order_by: Field to sort the revisions by. + api_version: API version to use for the request. Default is V1BETA. + as_list: If True, return a list of revisions instead of a dict with + revisions list and nextPageToken. + + Returns: + If as_list is True: List of revisions. + If as_list is False: Dict with revisions list and nextPageToken. + + Raises: + APIError: If the API request fails. + """ + extra_params = { + "filter": filter_string, + "orderBy": order_by, + } + + # Remove keys with None values + extra_params = {k: v for k, v in extra_params.items() if v is not None} + + return chronicle_paginated_request( + client, + api_version=api_version, + path=( + f"integrations/{format_resource_id(integration_name)}/" + f"actions/{action_id}/revisions" + ), + items_key="revisions", + page_size=page_size, + page_token=page_token, + extra_params=extra_params, + as_list=as_list, + ) + + +def delete_integration_action_revision( + client: "ChronicleClient", + integration_name: str, + action_id: str, + revision_id: str, + api_version: APIVersion | None = APIVersion.V1BETA, +) -> None: + """Delete a specific revision for a given integration action. + + Use this method to clean up obsolete action revisions. + + Args: + client: ChronicleClient instance. + integration_name: Name of the integration the action belongs to. + action_id: ID of the action the revision belongs to. + revision_id: ID of the revision to delete. + api_version: API version to use for the request. Default is V1BETA. + + Returns: + None + + Raises: + APIError: If the API request fails. + """ + chronicle_request( + client, + method="DELETE", + endpoint_path=( + f"integrations/{format_resource_id(integration_name)}/" + f"actions/{action_id}/revisions/{revision_id}" + ), + api_version=api_version, + ) + + +def create_integration_action_revision( + client: "ChronicleClient", + integration_name: str, + action_id: str, + action: dict[str, Any], + comment: str | None = None, + api_version: APIVersion | None = APIVersion.V1BETA, +) -> dict[str, Any]: + """Create a new revision snapshot of the current integration action. + + Use this method to establish a recovery point before making significant + changes to a security operation's script or parameters. + + Args: + client: ChronicleClient instance. + integration_name: Name of the integration the action belongs to. + action_id: ID of the action to create a revision for. + action: Dict containing the IntegrationAction to snapshot. + comment: Comment describing the revision. Maximum 400 characters. + Optional. + api_version: API version to use for the request. Default is V1BETA. + + Returns: + Dict containing the newly created IntegrationActionRevision resource. + + Raises: + APIError: If the API request fails. + """ + body = {"action": action} + + if comment is not None: + body["comment"] = comment + + return chronicle_request( + client, + method="POST", + endpoint_path=( + f"integrations/{format_resource_id(integration_name)}/" + f"actions/{action_id}/revisions" + ), + api_version=api_version, + json=body, + ) + + +def rollback_integration_action_revision( + client: "ChronicleClient", + integration_name: str, + action_id: str, + revision_id: str, + api_version: APIVersion | None = APIVersion.V1BETA, +) -> dict[str, Any]: + """Revert the current action definition to a previously saved revision. + + Use this method to rapidly recover a functional automation state if an + update causes operational issues. + + Args: + client: ChronicleClient instance. + integration_name: Name of the integration the action belongs to. + action_id: ID of the action to rollback. + revision_id: ID of the revision to rollback to. + api_version: API version to use for the request. Default is V1BETA. + + Returns: + Dict containing the IntegrationActionRevision rolled back to. + + Raises: + APIError: If the API request fails. + """ + return chronicle_request( + client, + method="POST", + endpoint_path=( + f"integrations/{format_resource_id(integration_name)}/" + f"actions/{action_id}/revisions/{revision_id}:rollback" + ), + api_version=api_version, + ) diff --git a/src/secops/chronicle/integration/actions.py b/src/secops/chronicle/integration/actions.py new file mode 100644 index 00000000..d52ba28b --- /dev/null +++ b/src/secops/chronicle/integration/actions.py @@ -0,0 +1,452 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +"""Integration actions functionality for Chronicle.""" + +from typing import Any, TYPE_CHECKING + +from secops.chronicle.models import APIVersion, ActionParameter +from secops.chronicle.utils.format_utils import ( + format_resource_id, + build_patch_body, +) +from secops.chronicle.utils.request_utils import ( + chronicle_paginated_request, + chronicle_request, +) + +if TYPE_CHECKING: + from secops.chronicle.client import ChronicleClient + + +def list_integration_actions( + client: "ChronicleClient", + integration_name: str, + page_size: int | None = None, + page_token: str | None = None, + filter_string: str | None = None, + order_by: str | None = None, + expand: str | None = None, + api_version: APIVersion | None = APIVersion.V1BETA, + as_list: bool = False, +) -> dict[str, Any] | list[dict[str, Any]]: + """Get a list of actions for a given integration. + + Args: + client: ChronicleClient instance + integration_name: Name of the integration to get actions for + page_size: Number of results to return per page + page_token: Token for the page to retrieve + filter_string: Filter expression to filter actions + order_by: Field to sort the actions by + expand: Comma-separated list of fields to expand in the response + api_version: API version to use for the request. Default is V1BETA. + as_list: If True, return a list of actions instead of a dict with + actions list and nextPageToken. + + Returns: + If as_list is True: List of actions. + If as_list is False: Dict with actions list and nextPageToken. + + Raises: + APIError: If the API request fails + """ + field_map = { + "filter": filter_string, + "orderBy": order_by, + "expand": expand, + } + + # Remove keys with None values + field_map = {k: v for k, v in field_map.items() if v is not None} + + return chronicle_paginated_request( + client, + api_version=api_version, + path=f"integrations/{format_resource_id(integration_name)}/actions", + items_key="actions", + page_size=page_size, + page_token=page_token, + extra_params=field_map, + as_list=as_list, + ) + + +def get_integration_action( + client: "ChronicleClient", + integration_name: str, + action_id: str, + api_version: APIVersion | None = APIVersion.V1BETA, +) -> dict[str, Any]: + """Get details of a specific action for a given integration. + + Args: + client: ChronicleClient instance + integration_name: Name of the integration the action belongs to + action_id: ID of the action to retrieve + api_version: API version to use for the request. Default is V1BETA. + + Returns: + Dict containing details of the specified action. + + Raises: + APIError: If the API request fails + """ + return chronicle_request( + client, + method="GET", + endpoint_path=f"integrations/{format_resource_id(integration_name)}" + f"/actions/{action_id}", + api_version=api_version, + ) + + +def delete_integration_action( + client: "ChronicleClient", + integration_name: str, + action_id: str, + api_version: APIVersion | None = APIVersion.V1BETA, +) -> None: + """Delete a specific action from a given integration. + + Args: + client: ChronicleClient instance + integration_name: Name of the integration the action belongs to + action_id: ID of the action to delete + api_version: API version to use for the request. Default is V1BETA. + + Returns: + None + + Raises: + APIError: If the API request fails + """ + chronicle_request( + client, + method="DELETE", + endpoint_path=f"integrations/{format_resource_id(integration_name)}" + f"/actions/{action_id}", + api_version=api_version, + ) + + +def create_integration_action( + client: "ChronicleClient", + integration_name: str, + display_name: str, + script: str, + timeout_seconds: int, + enabled: bool, + script_result_name: str, + is_async: bool, + description: str | None = None, + default_result_value: str | None = None, + async_polling_interval_seconds: int | None = None, + async_total_timeout_seconds: int | None = None, + dynamic_results: list[dict[str, Any]] | None = None, + parameters: list[dict[str, Any] | ActionParameter] | None = None, + ai_generated: bool | None = None, + api_version: APIVersion | None = APIVersion.V1BETA, +) -> dict[str, Any]: + """Create a new custom action for a given integration. + + Args: + client: ChronicleClient instance. + integration_name: Name of the integration to create the action for. + display_name: Action's display name. Maximum 150 characters. Required. + script: Action's Python script. Maximum size 5MB. Required. + timeout_seconds: Action timeout in seconds. Maximum 1200. Required. + enabled: Whether the action is enabled or disabled. Required. + script_result_name: Field name that holds the script result. + Maximum 100 characters. Required. + is_async: Whether the action is asynchronous. Required. + description: Action's description. Maximum 400 characters. Optional. + default_result_value: Action's default result value. + Maximum 1000 characters. Optional. + async_polling_interval_seconds: Polling interval in seconds for async + actions. Cannot exceed total timeout. Optional. + async_total_timeout_seconds: Total async timeout in seconds. + Maximum 1209600 (14 days). Optional. + dynamic_results: List of dynamic result metadata dicts. + Max 50. Optional. + parameters: List of ActionParameter instances or dicts. + Max 50. Optional. + ai_generated: Whether the action was generated by AI. Optional. + api_version: API version to use for the request. Default is V1BETA. + + Returns: + Dict containing the newly created IntegrationAction resource. + + Raises: + APIError: If the API request fails. + """ + resolved_parameters = ( + [ + p.to_dict() if isinstance(p, ActionParameter) else p + for p in parameters + ] + if parameters is not None + else None + ) + + body = { + "displayName": display_name, + "script": script, + "timeoutSeconds": timeout_seconds, + "enabled": enabled, + "scriptResultName": script_result_name, + "async": is_async, + "description": description, + "defaultResultValue": default_result_value, + "asyncPollingIntervalSeconds": async_polling_interval_seconds, + "asyncTotalTimeoutSeconds": async_total_timeout_seconds, + "dynamicResults": dynamic_results, + "parameters": resolved_parameters, + "aiGenerated": ai_generated, + } + + # Remove keys with None values + body = {k: v for k, v in body.items() if v is not None} + + return chronicle_request( + client, + method="POST", + endpoint_path=f"integrations/{format_resource_id(integration_name)}" + f"/actions", + api_version=api_version, + json=body, + ) + + +def update_integration_action( + client: "ChronicleClient", + integration_name: str, + action_id: str, + display_name: str | None = None, + script: str | None = None, + timeout_seconds: int | None = None, + enabled: bool | None = None, + script_result_name: str | None = None, + is_async: bool | None = None, + description: str | None = None, + default_result_value: str | None = None, + async_polling_interval_seconds: int | None = None, + async_total_timeout_seconds: int | None = None, + dynamic_results: list[dict[str, Any]] | None = None, + parameters: list[dict[str, Any] | ActionParameter] | None = None, + ai_generated: bool | None = None, + update_mask: str | None = None, + api_version: APIVersion | None = APIVersion.V1BETA, +) -> dict[str, Any]: + """Update an existing custom action for a given integration. + + Only custom actions can be updated; predefined commercial actions are + immutable. + + Args: + client: ChronicleClient instance. + integration_name: Name of the integration the action belongs to. + action_id: ID of the action to update. + display_name: Action's display name. Maximum 150 characters. + script: Action's Python script. Maximum size 5MB. + timeout_seconds: Action timeout in seconds. Maximum 1200. + enabled: Whether the action is enabled or disabled. + script_result_name: Field name that holds the script result. + Maximum 100 characters. + is_async: Whether the action is asynchronous. + description: Action's description. Maximum 400 characters. + default_result_value: Action's default result value. + Maximum 1000 characters. + async_polling_interval_seconds: Polling interval in seconds for async + actions. Cannot exceed total timeout. + async_total_timeout_seconds: Total async timeout in seconds. Maximum + 1209600 (14 days). + dynamic_results: List of dynamic result metadata dicts. Max 50. + parameters: List of ActionParameter instances or dicts. + Max 50. Optional. + ai_generated: Whether the action was generated by AI. + update_mask: Comma-separated list of fields to update. If omitted, + the mask is auto-generated from whichever fields are provided. + Example: "displayName,script". + api_version: API version to use for the request. Default is V1BETA. + + Returns: + Dict containing the updated IntegrationAction resource. + + Raises: + APIError: If the API request fails. + """ + body, params = build_patch_body( + field_map=[ + ("displayName", "displayName", display_name), + ("script", "script", script), + ("timeoutSeconds", "timeoutSeconds", timeout_seconds), + ("enabled", "enabled", enabled), + ("scriptResultName", "scriptResultName", script_result_name), + ("async", "async", is_async), + ("description", "description", description), + ("defaultResultValue", "defaultResultValue", default_result_value), + ( + "asyncPollingIntervalSeconds", + "asyncPollingIntervalSeconds", + async_polling_interval_seconds, + ), + ( + "asyncTotalTimeoutSeconds", + "asyncTotalTimeoutSeconds", + async_total_timeout_seconds, + ), + ("dynamicResults", "dynamicResults", dynamic_results), + ("parameters", "parameters", parameters), + ("aiGenerated", "aiGenerated", ai_generated), + ], + update_mask=update_mask, + ) + + return chronicle_request( + client, + method="PATCH", + endpoint_path=f"integrations/{format_resource_id(integration_name)}" + f"/actions/{action_id}", + api_version=api_version, + json=body, + params=params, + ) + + +def execute_integration_action_test( + client: "ChronicleClient", + integration_name: str, + test_case_id: int, + action: dict[str, Any], + scope: str, + integration_instance_id: str, + api_version: APIVersion | None = APIVersion.V1BETA, +) -> dict[str, Any]: + """Execute a test run of an integration action's script. + + Use this method to verify custom action logic, connectivity, and data + parsing against a specified integration instance and test case before + making the action available in playbooks. + + Args: + client: ChronicleClient instance. + integration_name: Name of the integration the action belongs to. + test_case_id: ID of the action test case. + action: Dict containing the IntegrationAction to test. + scope: The action test scope. + integration_instance_id: The integration instance ID to use. + api_version: API version to use for the request. Default is V1BETA. + + Returns: + Dict containing the test execution results with the following fields: + - output: The script output. + - debugOutput: The script debug output. + - resultJson: The result JSON if it exists (optional). + - resultName: The script result name (optional). + + Raises: + APIError: If the API request fails. + """ + body = { + "testCaseId": test_case_id, + "action": action, + "scope": scope, + "integrationInstanceId": integration_instance_id, + } + + return chronicle_request( + client, + method="POST", + endpoint_path=f"integrations/{format_resource_id(integration_name)}" + f"/actions:executeTest", + api_version=api_version, + json=body, + ) + + +def get_integration_actions_by_environment( + client: "ChronicleClient", + integration_name: str, + environments: list[str], + include_widgets: bool, + api_version: APIVersion | None = APIVersion.V1BETA, +) -> dict[str, Any]: + """List actions executable within specified environments. + + Use this method to discover which automated tasks have active integration + instances configured for a particular network or organizational context. + + Args: + client: ChronicleClient instance. + integration_name: Name of the integration to fetch actions for. + environments: List of environments to filter actions by. + include_widgets: Whether to include widget actions in the response. + api_version: API version to use for the request. Default is V1BETA. + + Returns: + Dict containing a list of IntegrationAction objects that have + integration instances in one of the given environments. + + Raises: + APIError: If the API request fails. + """ + params = { + "environments": environments, + "includeWidgets": include_widgets, + } + + return chronicle_request( + client, + method="GET", + endpoint_path=f"integrations/{format_resource_id(integration_name)}" + f"/actions:fetchActionsByEnvironment", + api_version=api_version, + params=params, + ) + + +def get_integration_action_template( + client: "ChronicleClient", + integration_name: str, + is_async: bool = False, + api_version: APIVersion | None = APIVersion.V1BETA, +) -> dict[str, Any]: + """Retrieve a default Python script template for a new integration action. + + Use this method to jumpstart the development of a custom automated task + by providing boilerplate code for either synchronous or asynchronous + operations. + + Args: + client: ChronicleClient instance. + integration_name: Name of the integration to fetch the template for. + is_async: Whether to fetch a template for an async action. Default + is False. + api_version: API version to use for the request. Default is V1BETA. + + Returns: + Dict containing the IntegrationAction template. + + Raises: + APIError: If the API request fails. + """ + return chronicle_request( + client, + method="GET", + endpoint_path=f"integrations/{format_resource_id(integration_name)}" + f"/actions:fetchTemplate", + api_version=api_version, + params={"async": is_async}, + ) diff --git a/src/secops/chronicle/integration/manager_revisions.py b/src/secops/chronicle/integration/manager_revisions.py new file mode 100644 index 00000000..644a8490 --- /dev/null +++ b/src/secops/chronicle/integration/manager_revisions.py @@ -0,0 +1,243 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +"""Integration manager revisions functionality for Chronicle.""" + +from typing import Any, TYPE_CHECKING + +from secops.chronicle.models import APIVersion +from secops.chronicle.utils.format_utils import ( + format_resource_id, +) +from secops.chronicle.utils.request_utils import ( + chronicle_paginated_request, + chronicle_request, +) + +if TYPE_CHECKING: + from secops.chronicle.client import ChronicleClient + + +def list_integration_manager_revisions( + client: "ChronicleClient", + integration_name: str, + manager_id: str, + page_size: int | None = None, + page_token: str | None = None, + filter_string: str | None = None, + order_by: str | None = None, + api_version: APIVersion | None = APIVersion.V1BETA, + as_list: bool = False, +) -> dict[str, Any] | list[dict[str, Any]]: + """List all revisions for a specific integration manager. + + Use this method to browse the version history and identify previous + functional states of a manager. + + Args: + client: ChronicleClient instance. + integration_name: Name of the integration the manager belongs to. + manager_id: ID of the manager to list revisions for. + page_size: Maximum number of revisions to return. + page_token: Page token from a previous call to retrieve the next page. + filter_string: Filter expression to filter revisions. + order_by: Field to sort the revisions by. + api_version: API version to use for the request. Default is V1BETA. + as_list: If True, return a list of revisions instead of a dict with + revisions list and nextPageToken. + + Returns: + If as_list is True: List of revisions. + If as_list is False: Dict with revisions list and nextPageToken. + + Raises: + APIError: If the API request fails. + """ + extra_params = { + "filter": filter_string, + "orderBy": order_by, + } + + # Remove keys with None values + extra_params = {k: v for k, v in extra_params.items() if v is not None} + + return chronicle_paginated_request( + client, + api_version=api_version, + path=( + f"integrations/{format_resource_id(integration_name)}/" + f"managers/{manager_id}/revisions" + ), + items_key="revisions", + page_size=page_size, + page_token=page_token, + extra_params=extra_params, + as_list=as_list, + ) + + +def get_integration_manager_revision( + client: "ChronicleClient", + integration_name: str, + manager_id: str, + revision_id: str, + api_version: APIVersion | None = APIVersion.V1BETA, +) -> dict[str, Any]: + """Get a single revision for a specific integration manager. + + Use this method to retrieve a specific snapshot of an + IntegrationManagerRevision for comparison or review. + + Args: + client: ChronicleClient instance. + integration_name: Name of the integration the manager belongs to. + manager_id: ID of the manager the revision belongs to. + revision_id: ID of the revision to retrieve. + api_version: API version to use for the request. Default is V1BETA. + + Returns: + Dict containing details of the specified IntegrationManagerRevision. + + Raises: + APIError: If the API request fails. + """ + return chronicle_request( + client, + method="GET", + endpoint_path=( + f"integrations/{format_resource_id(integration_name)}/" + f"managers/{manager_id}/revisions/" + f"{format_resource_id(revision_id)}" + ), + api_version=api_version, + ) + + +def delete_integration_manager_revision( + client: "ChronicleClient", + integration_name: str, + manager_id: str, + revision_id: str, + api_version: APIVersion | None = APIVersion.V1BETA, +) -> None: + """Delete a specific revision for a given integration manager. + + Use this method to clean up obsolete snapshots and manage the historical + record of managers. + + Args: + client: ChronicleClient instance. + integration_name: Name of the integration the manager belongs to. + manager_id: ID of the manager the revision belongs to. + revision_id: ID of the revision to delete. + api_version: API version to use for the request. Default is V1BETA. + + Returns: + None + + Raises: + APIError: If the API request fails. + """ + chronicle_request( + client, + method="DELETE", + endpoint_path=( + f"integrations/{format_resource_id(integration_name)}/" + f"managers/{manager_id}/revisions/" + f"{format_resource_id(revision_id)}" + ), + api_version=api_version, + ) + + +def create_integration_manager_revision( + client: "ChronicleClient", + integration_name: str, + manager_id: str, + manager: dict[str, Any], + comment: str | None = None, + api_version: APIVersion | None = APIVersion.V1BETA, +) -> dict[str, Any]: + """Create a new revision snapshot of the current integration manager. + + Use this method to establish a recovery point before making significant + updates to a manager. + + Args: + client: ChronicleClient instance. + integration_name: Name of the integration the manager belongs to. + manager_id: ID of the manager to create a revision for. + manager: Dict containing the IntegrationManager to snapshot. + comment: Comment describing the revision. Maximum 400 characters. + Optional. + api_version: API version to use for the request. Default is V1BETA. + + Returns: + Dict containing the newly created IntegrationManagerRevision resource. + + Raises: + APIError: If the API request fails. + """ + body = {"manager": manager} + + if comment is not None: + body["comment"] = comment + + return chronicle_request( + client, + method="POST", + endpoint_path=( + f"integrations/{format_resource_id(integration_name)}/" + f"managers/{manager_id}/revisions" + ), + api_version=api_version, + json=body, + ) + + +def rollback_integration_manager_revision( + client: "ChronicleClient", + integration_name: str, + manager_id: str, + revision_id: str, + api_version: APIVersion | None = APIVersion.V1BETA, +) -> dict[str, Any]: + """Revert the current manager definition to a previously saved revision. + + Use this method to rapidly recover a functional state for common code if + an update causes operational issues in dependent actions or jobs. + + Args: + client: ChronicleClient instance. + integration_name: Name of the integration the manager belongs to. + manager_id: ID of the manager to rollback. + revision_id: ID of the revision to rollback to. + api_version: API version to use for the request. Default is V1BETA. + + Returns: + Dict containing the IntegrationManagerRevision rolled back to. + + Raises: + APIError: If the API request fails. + """ + return chronicle_request( + client, + method="POST", + endpoint_path=( + f"integrations/{format_resource_id(integration_name)}/" + f"managers/{manager_id}/revisions/" + f"{format_resource_id(revision_id)}:rollback" + ), + api_version=api_version, + ) diff --git a/src/secops/chronicle/integration/managers.py b/src/secops/chronicle/integration/managers.py new file mode 100644 index 00000000..ced5b199 --- /dev/null +++ b/src/secops/chronicle/integration/managers.py @@ -0,0 +1,285 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +"""Integration manager functionality for Chronicle.""" + +from typing import Any, TYPE_CHECKING + +from secops.chronicle.models import APIVersion +from secops.chronicle.utils.format_utils import ( + format_resource_id, + build_patch_body, +) +from secops.chronicle.utils.request_utils import ( + chronicle_paginated_request, + chronicle_request, +) + +if TYPE_CHECKING: + from secops.chronicle.client import ChronicleClient + + +def list_integration_managers( + client: "ChronicleClient", + integration_name: str, + page_size: int | None = None, + page_token: str | None = None, + filter_string: str | None = None, + order_by: str | None = None, + api_version: APIVersion | None = APIVersion.V1BETA, + as_list: bool = False, +) -> dict[str, Any] | list[dict[str, Any]]: + """List all managers defined for a specific integration. + + Use this method to discover the library of managers available within a + particular integration's scope. + + Args: + client: ChronicleClient instance. + integration_name: Name of the integration to list managers for. + page_size: Maximum number of managers to return. Defaults to 100, + maximum is 100. + page_token: Page token from a previous call to retrieve the next page. + filter_string: Filter expression to filter managers. + order_by: Field to sort the managers by. + api_version: API version to use for the request. Default is V1BETA. + as_list: If True, return a list of managers instead of a dict with + managers list and nextPageToken. + + Returns: + If as_list is True: List of managers. + If as_list is False: Dict with managers list and nextPageToken. + + Raises: + APIError: If the API request fails. + """ + extra_params = { + "filter": filter_string, + "orderBy": order_by, + } + + # Remove keys with None values + extra_params = {k: v for k, v in extra_params.items() if v is not None} + + return chronicle_paginated_request( + client, + api_version=api_version, + path=f"integrations/{format_resource_id(integration_name)}/managers", + items_key="managers", + page_size=page_size, + page_token=page_token, + extra_params=extra_params, + as_list=as_list, + ) + + +def get_integration_manager( + client: "ChronicleClient", + integration_name: str, + manager_id: str, + api_version: APIVersion | None = APIVersion.V1BETA, +) -> dict[str, Any]: + """Get a single manager for a given integration. + + Use this method to retrieve the manager script and its metadata for + review or reference. + + Args: + client: ChronicleClient instance. + integration_name: Name of the integration the manager belongs to. + manager_id: ID of the manager to retrieve. + api_version: API version to use for the request. Default is V1BETA. + + Returns: + Dict containing details of the specified IntegrationManager. + + Raises: + APIError: If the API request fails. + """ + return chronicle_request( + client, + method="GET", + endpoint_path=( + f"integrations/{format_resource_id(integration_name)}/" + f"managers/{manager_id}" + ), + api_version=api_version, + ) + + +def delete_integration_manager( + client: "ChronicleClient", + integration_name: str, + manager_id: str, + api_version: APIVersion | None = APIVersion.V1BETA, +) -> None: + """Delete a specific custom manager from a given integration. + + Note that deleting a manager may break components (actions, jobs) that + depend on its code. + + Args: + client: ChronicleClient instance. + integration_name: Name of the integration the manager belongs to. + manager_id: ID of the manager to delete. + api_version: API version to use for the request. Default is V1BETA. + + Returns: + None + + Raises: + APIError: If the API request fails. + """ + chronicle_request( + client, + method="DELETE", + endpoint_path=( + f"integrations/{format_resource_id(integration_name)}/" + f"managers/{manager_id}" + ), + api_version=api_version, + ) + + +def create_integration_manager( + client: "ChronicleClient", + integration_name: str, + display_name: str, + script: str, + description: str | None = None, + api_version: APIVersion | None = APIVersion.V1BETA, +) -> dict[str, Any]: + """Create a new custom manager for a given integration. + + Use this method to add a new shared code utility. Each manager must have + a unique display name and a script containing valid Python logic for reuse + across actions, jobs, and connectors. + + Args: + client: ChronicleClient instance. + integration_name: Name of the integration to create the manager for. + display_name: Manager's display name. Maximum 150 characters. Required. + script: Manager's Python script. Maximum 5MB. Required. + description: Manager's description. Maximum 400 characters. Optional. + api_version: API version to use for the request. Default is V1BETA. + + Returns: + Dict containing the newly created IntegrationManager resource. + + Raises: + APIError: If the API request fails. + """ + body = { + "displayName": display_name, + "script": script, + } + + if description is not None: + body["description"] = description + + return chronicle_request( + client, + method="POST", + endpoint_path=( + f"integrations/{format_resource_id(integration_name)}/managers" + ), + api_version=api_version, + json=body, + ) + + +def update_integration_manager( + client: "ChronicleClient", + integration_name: str, + manager_id: str, + display_name: str | None = None, + script: str | None = None, + description: str | None = None, + update_mask: str | None = None, + api_version: APIVersion | None = APIVersion.V1BETA, +) -> dict[str, Any]: + """Update an existing custom manager for a given integration. + + Use this method to modify the shared code, adjust its description, or + refine its logic across all components that import it. + + Args: + client: ChronicleClient instance. + integration_name: Name of the integration the manager belongs to. + manager_id: ID of the manager to update. + display_name: Manager's display name. Maximum 150 characters. + script: Manager's Python script. Maximum 5MB. + description: Manager's description. Maximum 400 characters. + update_mask: Comma-separated list of fields to update. If omitted, + the mask is auto-generated from whichever fields are provided. + Example: "displayName,script". + api_version: API version to use for the request. Default is V1BETA. + + Returns: + Dict containing the updated IntegrationManager resource. + + Raises: + APIError: If the API request fails. + """ + body, params = build_patch_body( + field_map=[ + ("displayName", "displayName", display_name), + ("script", "script", script), + ("description", "description", description), + ], + update_mask=update_mask, + ) + + return chronicle_request( + client, + method="PATCH", + endpoint_path=( + f"integrations/{format_resource_id(integration_name)}/" + f"managers/{manager_id}" + ), + api_version=api_version, + json=body, + params=params, + ) + + +def get_integration_manager_template( + client: "ChronicleClient", + integration_name: str, + api_version: APIVersion | None = APIVersion.V1BETA, +) -> dict[str, Any]: + """Retrieve a default Python script template for a new integration manager. + + Use this method to quickly start developing new managers. + + Args: + client: ChronicleClient instance. + integration_name: Name of the integration to fetch the template for. + api_version: API version to use for the request. Default is V1BETA. + + Returns: + Dict containing the IntegrationManager template. + + Raises: + APIError: If the API request fails. + """ + return chronicle_request( + client, + method="GET", + endpoint_path=( + f"integrations/{format_resource_id(integration_name)}/" + "managers:fetchTemplate" + ), + api_version=api_version, + ) diff --git a/src/secops/chronicle/models.py b/src/secops/chronicle/models.py index 0074bc53..06d81da9 100644 --- a/src/secops/chronicle/models.py +++ b/src/secops/chronicle/models.py @@ -13,6 +13,7 @@ # limitations under the License. # """Data models for Chronicle API responses.""" + import json import sys from dataclasses import asdict, dataclass, field @@ -73,6 +74,686 @@ class DetectionType(StrEnum): CASE = "DETECTION_TYPE_CASE" +class PythonVersion(str, Enum): + """Python version for compatibility checks.""" + + UNSPECIFIED = "PYTHON_VERSION_UNSPECIFIED" + PYTHON_2_7 = "V2_7" + PYTHON_3_7 = "V3_7" + PYTHON_3_11 = "V3_11" + + +class DiffType(str, Enum): + """Type of diff to retrieve.""" + + COMMERCIAL = "Commercial" + PRODUCTION = "Production" + STAGING = "Staging" + + +class TargetMode(str, Enum): + """Target mode for integration transition.""" + + PRODUCTION = "Production" + STAGING = "Staging" + + +class IntegrationType(str, Enum): + """Type of integration.""" + + UNSPECIFIED = "INTEGRATION_TYPE_UNSPECIFIED" + RESPONSE = "RESPONSE" + EXTENSION = "EXTENSION" + + +class IntegrationParamType(str, Enum): + """Type of integration parameter.""" + + PARAM_TYPE_UNSPECIFIED = "PARAM_TYPE_UNSPECIFIED" + BOOLEAN = "BOOLEAN" + INT = "INT" + STRING = "STRING" + PASSWORD = "PASSWORD" + IP = "IP" + IP_OR_HOST = "IP_OR_HOST" + URL = "URL" + DOMAIN = "DOMAIN" + EMAIL = "EMAIL" + VALUES_LIST = "VALUES_LIST" + VALUES_AS_SEMICOLON_SEPARATED_STRING = ( + "VALUES_AS_SEMICOLON_SEPARATED_STRING" + ) + MULTI_VALUES_SELECTION = "MULTI_VALUES_SELECTION" + SCRIPT = "SCRIPT" + FILTER_LIST = "FILTER_LIST" + + +@dataclass +class IntegrationParam: + """A parameter definition for a Chronicle SOAR integration. + + Attributes: + display_name: Human-readable label shown in the UI. + property_name: The programmatic key used in code/config. + type: The data type of the parameter (see IntegrationParamType). + description: Optional. Explanation of what the parameter is for. + mandatory: Whether the parameter must be supplied. Defaults to False. + default_value: Optional. Pre-filled value shown in the UI. + """ + + display_name: str + property_name: str + type: IntegrationParamType + mandatory: bool + description: str | None = None + default_value: str | None = None + + def to_dict(self) -> dict: + """Serialize to the dict shape expected by the Chronicle API.""" + data: dict = { + "displayName": self.display_name, + "propertyName": self.property_name, + "type": str(self.type.value), + "mandatory": self.mandatory, + } + if self.description is not None: + data["description"] = self.description + if self.default_value is not None: + data["defaultValue"] = self.default_value + return data + + +class ActionParamType(str, Enum): + """Action parameter types for Chronicle SOAR integration actions.""" + + STRING = "STRING" + BOOLEAN = "BOOLEAN" + WFS_REPOSITORY = "WFS_REPOSITORY" + USER_REPOSITORY = "USER_REPOSITORY" + STAGES_REPOSITORY = "STAGES_REPOSITORY" + CLOSE_CASE_REASON_REPOSITORY = "CLOSE_CASE_REASON_REPOSITORY" + CLOSE_CASE_ROOT_CAUSE_REPOSITORY = "CLOSE_CASE_ROOT_CAUSE_REPOSITORY" + PRIORITIES_REPOSITORY = "PRIORITIES_REPOSITORY" + EMAIL_CONTENT = "EMAIL_CONTENT" + CONTENT = "CONTENT" + PASSWORD = "PASSWORD" + ENTITY_TYPE = "ENTITY_TYPE" + MULTI_VALUES = "MULTI_VALUES" + LIST = "LIST" + CODE = "CODE" + MULTIPLE_CHOICE_PARAMETER = "MULTIPLE_CHOICE_PARAMETER" + + +class ActionType(str, Enum): + """Action types for Chronicle SOAR integration actions.""" + + UNSPECIFIED = "ACTION_TYPE_UNSPECIFIED" + STANDARD = "STANDARD" + AI_AGENT = "AI_AGENT" + + +@dataclass +class ActionParameter: + """A parameter definition for a Chronicle SOAR integration action. + + Attributes: + display_name: The parameter's display name. Maximum 150 characters. + type: The parameter's type. + description: The parameter's description. Maximum 150 characters. + mandatory: Whether the parameter is mandatory. + default_value: The default value of the parameter. + Maximum 150 characters. + optional_values: Parameter's optional values. Maximum 50 items. + """ + + display_name: str + type: ActionParamType + description: str + mandatory: bool + default_value: str | None = None + optional_values: list[str] | None = None + + def to_dict(self) -> dict: + """Serialize to the dict shape expected by the Chronicle API.""" + data: dict = { + "displayName": self.display_name, + "type": str(self.type.value), + "description": self.description, + "mandatory": self.mandatory, + } + if self.default_value is not None: + data["defaultValue"] = self.default_value + if self.optional_values is not None: + data["optionalValues"] = self.optional_values + return data + + +class ParamType(str, Enum): + """Parameter types for Chronicle SOAR integration functions.""" + + UNSPECIFIED = "PARAM_TYPE_UNSPECIFIED" + BOOLEAN = "BOOLEAN" + INT = "INT" + STRING = "STRING" + PASSWORD = "PASSWORD" + IP = "IP" + IP_OR_HOST = "IP_OR_HOST" + URL = "URL" + DOMAIN = "DOMAIN" + EMAIL = "EMAIL" + VALUES_LIST = "VALUES_LIST" + VALUES_AS_SEMICOLON_SEPARATED_STRING = ( + "VALUES_AS_SEMICOLON_SEPARATED_STRING" + ) + MULTI_VALUES_SELECTION = "MULTI_VALUES_SELECTION" + SCRIPT = "SCRIPT" + FILTER_LIST = "FILTER_LIST" + NUMERICAL_VALUES = "NUMERICAL_VALUES" + + +class ConnectorParamMode(str, Enum): + """Parameter modes for Chronicle SOAR integration connectors.""" + + UNSPECIFIED = "PARAM_MODE_UNSPECIFIED" + REGULAR = "REGULAR" + CONNECTIVITY = "CONNECTIVITY" + SCRIPT = "SCRIPT" + + +class ConnectorRuleType(str, Enum): + """Rule types for Chronicle SOAR integration connectors.""" + + UNSPECIFIED = "RULE_TYPE_UNSPECIFIED" + ALLOW_LIST = "ALLOW_LIST" + BLOCK_LIST = "BLOCK_LIST" + + +@dataclass +class ConnectorParameter: + """A parameter definition for a Chronicle SOAR integration connector. + + Attributes: + display_name: The parameter's display name. + type: The parameter's type. + mode: The parameter's mode. + mandatory: Whether the parameter is mandatory for configuring a + connector instance. + default_value: The default value of the parameter. Required for + boolean and mandatory parameters. + description: The parameter's description. + advanced: The parameter's advanced flag. + """ + + display_name: str + type: ParamType + mode: ConnectorParamMode + mandatory: bool + default_value: str | None = None + description: str | None = None + advanced: bool | None = None + + def to_dict(self) -> dict: + """Serialize to the dict shape expected by the Chronicle API.""" + data: dict = { + "displayName": self.display_name, + "type": str(self.type.value), + "mode": str(self.mode.value), + "mandatory": self.mandatory, + } + if self.default_value is not None: + data["defaultValue"] = self.default_value + if self.description is not None: + data["description"] = self.description + if self.advanced is not None: + data["advanced"] = self.advanced + return data + + +@dataclass +class IntegrationJobInstanceParameter: + """A parameter instance for a Chronicle SOAR integration job instance. + + Note: Most fields are output-only and will be populated by the API. + Only value needs to be provided when configuring a job instance. + + Attributes: + value: The value of the parameter. + """ + + value: str | None = None + + def to_dict(self) -> dict: + """Serialize to the dict shape expected by the Chronicle API.""" + data: dict = {} + if self.value is not None: + data["value"] = self.value + return data + + +class ScheduleType(str, Enum): + """Schedule types for Chronicle SOAR integration job + instance advanced config.""" + + UNSPECIFIED = "SCHEDULE_TYPE_UNSPECIFIED" + ONCE = "ONCE" + DAILY = "DAILY" + WEEKLY = "WEEKLY" + MONTHLY = "MONTHLY" + + +class DayOfWeek(str, Enum): + """Days of the week for Chronicle SOAR weekly schedule details.""" + + UNSPECIFIED = "DAY_OF_WEEK_UNSPECIFIED" + MONDAY = "MONDAY" + TUESDAY = "TUESDAY" + WEDNESDAY = "WEDNESDAY" + THURSDAY = "THURSDAY" + FRIDAY = "FRIDAY" + SATURDAY = "SATURDAY" + SUNDAY = "SUNDAY" + + +@dataclass +class Date: + """A calendar date for Chronicle SOAR schedule details. + + Attributes: + year: The year. + month: The month of the year (1-12). + day: The day of the month (1-31). + """ + + year: int + month: int + day: int + + def to_dict(self) -> dict: + """Serialize to the dict shape expected by the Chronicle API.""" + return {"year": self.year, "month": self.month, "day": self.day} + + +@dataclass +class TimeOfDay: + """A time of day for Chronicle SOAR schedule details. + + Attributes: + hours: The hour of the day (0-23). + minutes: The minute of the hour (0-59). + seconds: The second of the minute (0-59). + nanos: The nanoseconds of the second (0-999999999). + """ + + hours: int + minutes: int + seconds: int = 0 + nanos: int = 0 + + def to_dict(self) -> dict: + """Serialize to the dict shape expected by the Chronicle API.""" + return { + "hours": self.hours, + "minutes": self.minutes, + "seconds": self.seconds, + "nanos": self.nanos, + } + + +@dataclass +class OneTimeScheduleDetails: + """One-time schedule details for a Chronicle SOAR job instance. + + Attributes: + start_date: The date to run the job. + time: The time to run the job. + """ + + start_date: Date + time: TimeOfDay + + def to_dict(self) -> dict: + """Serialize to the dict shape expected by the Chronicle API.""" + return { + "startDate": self.start_date.to_dict(), + "time": self.time.to_dict(), + } + + +@dataclass +class DailyScheduleDetails: + """Daily schedule details for a Chronicle SOAR job instance. + + Attributes: + start_date: The start date. + time: The time to run the job. + interval: The day interval. + """ + + start_date: Date + time: TimeOfDay + interval: int + + def to_dict(self) -> dict: + """Serialize to the dict shape expected by the Chronicle API.""" + return { + "startDate": self.start_date.to_dict(), + "time": self.time.to_dict(), + "interval": self.interval, + } + + +@dataclass +class WeeklyScheduleDetails: + """Weekly schedule details for a Chronicle SOAR job instance. + + Attributes: + start_date: The start date. + days: The days of the week to run the job. + time: The time to run the job. + interval: The week interval. + """ + + start_date: Date + days: list[DayOfWeek] + time: TimeOfDay + interval: int + + def to_dict(self) -> dict: + """Serialize to the dict shape expected by the Chronicle API.""" + return { + "startDate": self.start_date.to_dict(), + "days": [d.value for d in self.days], + "time": self.time.to_dict(), + "interval": self.interval, + } + + +@dataclass +class MonthlyScheduleDetails: + """Monthly schedule details for a Chronicle SOAR job instance. + + Attributes: + start_date: The start date. + day: The day of the month to run the job. + time: The time to run the job. + interval: The month interval. + """ + + start_date: Date + day: int + time: TimeOfDay + interval: int + + def to_dict(self) -> dict: + """Serialize to the dict shape expected by the Chronicle API.""" + return { + "startDate": self.start_date.to_dict(), + "day": self.day, + "time": self.time.to_dict(), + "interval": self.interval, + } + + +@dataclass +class AdvancedConfig: + """Advanced scheduling configuration for a Chronicle SOAR job instance. + + Exactly one of the schedule detail fields should be provided, corresponding + to the schedule_type. + + Attributes: + time_zone: The zone id. + schedule_type: The schedule type. + one_time_schedule: One-time schedule details. Use with ONCE. + daily_schedule: Daily schedule details. Use with DAILY. + weekly_schedule: Weekly schedule details. Use with WEEKLY. + monthly_schedule: Monthly schedule details. Use with MONTHLY. + """ + + time_zone: str + schedule_type: ScheduleType + one_time_schedule: OneTimeScheduleDetails | None = None + daily_schedule: DailyScheduleDetails | None = None + weekly_schedule: WeeklyScheduleDetails | None = None + monthly_schedule: MonthlyScheduleDetails | None = None + + def to_dict(self) -> dict: + """Serialize to the dict shape expected by the Chronicle API.""" + data: dict = { + "timeZone": self.time_zone, + "scheduleType": str(self.schedule_type.value), + } + if self.one_time_schedule is not None: + data["oneTimeSchedule"] = self.one_time_schedule.to_dict() + if self.daily_schedule is not None: + data["dailySchedule"] = self.daily_schedule.to_dict() + if self.weekly_schedule is not None: + data["weeklySchedule"] = self.weekly_schedule.to_dict() + if self.monthly_schedule is not None: + data["monthlySchedule"] = self.monthly_schedule.to_dict() + return data + + +@dataclass +class JobParameter: + """A parameter definition for a Chronicle SOAR integration job. + + Attributes: + id: The parameter's id. + display_name: The parameter's display name. + description: The parameter's description. + mandatory: Whether the parameter is mandatory. + type: The parameter's type. + default_value: The default value of the parameter. + """ + + id: int + display_name: str + description: str + mandatory: bool + type: ParamType + default_value: str | None = None + + def to_dict(self) -> dict: + """Serialize to the dict shape expected by the Chronicle API.""" + data: dict = { + "id": self.id, + "displayName": self.display_name, + "description": self.description, + "mandatory": self.mandatory, + "type": str(self.type.value), + } + if self.default_value is not None: + data["defaultValue"] = self.default_value + return data + + +class IntegrationParameterType(str, Enum): + """Parameter types for Chronicle SOAR integration instances.""" + + UNSPECIFIED = "INTEGRATION_PARAMETER_TYPE_UNSPECIFIED" + BOOLEAN = "BOOLEAN" + INT = "INT" + STRING = "STRING" + PASSWORD = "PASSWORD" + IP = "IP" + IP_OR_HOST = "IP_OR_HOST" + URL = "URL" + DOMAIN = "DOMAIN" + EMAIL = "EMAIL" + VALUES_LIST = "VALUES_LIST" + VALUES_AS_SEMICOLON_SEPARATED_STRING = ( + "VALUES_AS_SEMICOLON_SEPARATED_STRING" + ) + MULTI_VALUES_SELECTION = "MULTI_VALUES_SELECTION" + SCRIPT = "SCRIPT" + FILTER_LIST = "FILTER_LIST" + + +@dataclass +class IntegrationInstanceParameter: + """A parameter instance for a Chronicle SOAR integration instance. + + Note: Most fields are output-only and will be populated by the API. + Only value needs to be provided when configuring an integration instance. + + Attributes: + value: The parameter's value. + """ + + value: str | None = None + + def to_dict(self) -> dict: + """Serialize to the dict shape expected by the Chronicle API.""" + data: dict = {} + if self.value is not None: + data["value"] = self.value + return data + + +class ConnectorConnectivityStatus(str, Enum): + """Connectivity status for Chronicle SOAR connector instances.""" + + LIVE = "LIVE" + NOT_LIVE = "NOT_LIVE" + + +@dataclass +class ConnectorInstanceParameter: + """A parameter instance for a Chronicle SOAR connector instance. + + Note: Most fields are output-only and will be populated by the API. + Only value needs to be provided when configuring a connector instance. + + Attributes: + value: The value of the parameter. + """ + + value: str | None = None + + def to_dict(self) -> dict: + """Serialize to the dict shape expected by the Chronicle API.""" + data: dict = {} + if self.value is not None: + data["value"] = self.value + return data + + +class TransformerType(str, Enum): + """Transformer types for Chronicle SOAR integration transformers.""" + + UNSPECIFIED = "TRANSFORMER_TYPE_UNSPECIFIED" + BUILT_IN = "BUILT_IN" + CUSTOM = "CUSTOM" + + +@dataclass +class TransformerDefinitionParameter: + """A parameter definition for a Chronicle SOAR transformer definition. + + Attributes: + display_name: The parameter's display name. May contain letters, + numbers, and underscores. Maximum 150 characters. + mandatory: Whether the parameter is mandatory for configuring a + transformer instance. + id: The parameter's id. Server-generated on creation; must be + provided when updating an existing parameter. + default_value: The default value of the parameter. Required for + boolean and mandatory parameters. + description: The parameter's description. Maximum 2050 characters. + """ + + display_name: str + mandatory: bool + id: str | None = None + default_value: str | None = None + description: str | None = None + + def to_dict(self) -> dict: + """Serialize to the dict shape expected by the Chronicle API.""" + data: dict = { + "displayName": self.display_name, + "mandatory": self.mandatory, + } + if self.id is not None: + data["id"] = self.id + if self.default_value is not None: + data["defaultValue"] = self.default_value + if self.description is not None: + data["description"] = self.description + return data + + +class LogicalOperatorType(str, Enum): + """Logical operator types for Chronicle SOAR + integration logical operators.""" + + UNSPECIFIED = "LOGICAL_OPERATOR_TYPE_UNSPECIFIED" + BUILT_IN = "BUILT_IN" + CUSTOM = "CUSTOM" + + +@dataclass +class IntegrationLogicalOperatorParameter: + """A parameter definition for a Chronicle SOAR logical operator. + + Attributes: + display_name: The parameter's display name. May contain letters, + numbers, and underscores. Maximum 150 characters. + mandatory: Whether the parameter is mandatory for configuring a + logical operator instance. + id: The parameter's id. Server-generated on creation; must be + provided when updating an existing parameter. + default_value: The default value of the parameter. Required for + boolean and mandatory parameters. + order: The parameter's order in the parameters list. + description: The parameter's description. Maximum 2050 characters. + """ + + display_name: str + mandatory: bool + id: str | None = None + default_value: str | None = None + order: int | None = None + description: str | None = None + + def to_dict(self) -> dict: + """Serialize to the dict shape expected by the Chronicle API.""" + data: dict = { + "displayName": self.display_name, + "mandatory": self.mandatory, + } + if self.id is not None: + data["id"] = self.id + if self.default_value is not None: + data["defaultValue"] = self.default_value + if self.order is not None: + data["order"] = self.order + if self.description is not None: + data["description"] = self.description + return data + + +@dataclass +class ConnectorRule: + """A rule definition for a Chronicle SOAR integration connector. + + Attributes: + display_name: Connector's rule data name. + type: Connector's rule data type. + """ + + display_name: str + type: ConnectorRuleType + + def to_dict(self) -> dict: + """Serialize to the dict shape expected by the Chronicle API.""" + return { + "displayName": self.display_name, + "type": str(self.type.value), + } + + @dataclass class TimeInterval: """Time interval with start and end times.""" diff --git a/src/secops/chronicle/stats.py b/src/secops/chronicle/stats.py index 99b46309..42e31aba 100644 --- a/src/secops/chronicle/stats.py +++ b/src/secops/chronicle/stats.py @@ -13,6 +13,7 @@ # limitations under the License. # """Statistics functionality for Chronicle searches.""" + from datetime import datetime from typing import Any, TYPE_CHECKING diff --git a/src/secops/chronicle/utils/format_utils.py b/src/secops/chronicle/utils/format_utils.py index b6567528..126ae503 100644 --- a/src/secops/chronicle/utils/format_utils.py +++ b/src/secops/chronicle/utils/format_utils.py @@ -65,3 +65,34 @@ def parse_json_list( except ValueError as e: raise APIError(f"Invalid {field_name} JSON") from e return value + + +# pylint: disable=line-too-long +def build_patch_body( + field_map: list[tuple[str, str, Any]], + update_mask: str | None = None, +) -> tuple[dict[str, Any], dict[str, Any] | None]: + """Build a request body and params dict for a PATCH request. + + Args: + field_map: List of (api_key, mask_key, value) tuples for + each optional field. + update_mask: Explicit update mask. If provided, + overrides the auto-generated mask. + + Returns: + Tuple of (body, params) where params contains the updateMask or is None. + """ + body = { + api_key: value for api_key, _, value in field_map if value is not None + } + mask_fields = [ + mask_key for _, mask_key, value in field_map if value is not None + ] + + resolved_mask = update_mask or ( + ",".join(mask_fields) if mask_fields else None + ) + params = {"updateMask": resolved_mask} if resolved_mask else None + + return body, params diff --git a/src/secops/chronicle/utils/request_utils.py b/src/secops/chronicle/utils/request_utils.py index 43f2d885..c3b2cd8a 100644 --- a/src/secops/chronicle/utils/request_utils.py +++ b/src/secops/chronicle/utils/request_utils.py @@ -14,7 +14,7 @@ # """Helper functions for Chronicle.""" -from typing import TYPE_CHECKING, Any +from typing import TYPE_CHECKING, Any, Optional import requests from google.auth.exceptions import GoogleAuthError @@ -297,3 +297,66 @@ def chronicle_request( ) return data + + +def chronicle_request_bytes( + client: "ChronicleClient", + method: str, + endpoint_path: str, + *, + api_version: str = APIVersion.V1, + params: Optional[dict[str, Any]] = None, + headers: Optional[dict[str, Any]] = None, + expected_status: int | set[int] | tuple[int, ...] | list[int] = 200, + error_message: str | None = None, + timeout: int | None = None, +) -> bytes: + base = f"{client.base_url(api_version)}/{client.instance_id}" + + if endpoint_path.startswith(":"): + url = f"{base}{endpoint_path}" + else: + url = f'{base}/{endpoint_path.lstrip("/")}' + + try: + response = client.session.request( + method=method, + url=url, + params=params, + headers=headers, + timeout=timeout, + stream=True, + ) + except GoogleAuthError as exc: + base_msg = error_message or "Google authentication failed" + raise APIError(f"{base_msg}: authentication_error={exc}") from exc + except requests.RequestException as exc: + base_msg = error_message or "API request failed" + raise APIError( + f"{base_msg}: method={method}, url={url}, " + f"request_error={exc.__class__.__name__}, detail={exc}" + ) from exc + + if isinstance(expected_status, (set, tuple, list)): + status_ok = response.status_code in expected_status + else: + status_ok = response.status_code == expected_status + + if not status_ok: + # try json for detail, else preview text + try: + data = response.json() + raise APIError( + f"{error_message or 'API request failed'}: method={method}, url={url}, " + f"status={response.status_code}, response={data}" + ) from None + except ValueError: + preview = _safe_body_preview( + getattr(response, "text", ""), limit=MAX_BODY_CHARS + ) + raise APIError( + f"{error_message or 'API request failed'}: method={method}, url={url}, " + f"status={response.status_code}, response_text={preview}" + ) from None + + return response.content diff --git a/src/secops/cli/cli_client.py b/src/secops/cli/cli_client.py index 4c483656..65b787f2 100644 --- a/src/secops/cli/cli_client.py +++ b/src/secops/cli/cli_client.py @@ -39,6 +39,9 @@ from secops.cli.commands.udm_search import setup_udm_search_view_command from secops.cli.commands.watchlist import setup_watchlist_command from secops.cli.commands.rule_retrohunt import setup_rule_retrohunt_command +from secops.cli.commands.integration.integration_client import ( + setup_integrations_command, +) from secops.cli.utils.common_args import add_chronicle_args, add_common_args from secops.cli.utils.config_utils import load_config from secops.exceptions import AuthenticationError, SecOpsError @@ -189,6 +192,7 @@ def build_parser() -> argparse.ArgumentParser: setup_dashboard_query_command(subparsers) setup_watchlist_command(subparsers) setup_rule_retrohunt_command(subparsers) + setup_integrations_command(subparsers) return parser diff --git a/src/secops/cli/commands/__init__.py b/src/secops/cli/commands/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/src/secops/cli/commands/integration/__init__.py b/src/secops/cli/commands/integration/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/src/secops/cli/commands/integration/action_revisions.py b/src/secops/cli/commands/integration/action_revisions.py new file mode 100644 index 00000000..d6999bac --- /dev/null +++ b/src/secops/cli/commands/integration/action_revisions.py @@ -0,0 +1,215 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +"""Google SecOps CLI integration action revisions commands""" + +import sys + +from secops.cli.utils.formatters import output_formatter +from secops.cli.utils.common_args import ( + add_pagination_args, + add_as_list_arg, +) + + +def setup_action_revisions_command(subparsers): + """Setup integration action revisions command""" + revisions_parser = subparsers.add_parser( + "action-revisions", + help="Manage integration action revisions", + ) + lvl1 = revisions_parser.add_subparsers( + dest="action_revisions_command", + help="Integration action revisions command", + ) + + # list command + list_parser = lvl1.add_parser( + "list", help="List integration action revisions" + ) + list_parser.add_argument( + "--integration-name", + type=str, + help="Name of the integration", + dest="integration_name", + required=True, + ) + list_parser.add_argument( + "--action-id", + type=str, + help="ID of the action", + dest="action_id", + required=True, + ) + add_pagination_args(list_parser) + add_as_list_arg(list_parser) + list_parser.add_argument( + "--filter-string", + type=str, + help="Filter string for listing revisions", + dest="filter_string", + ) + list_parser.add_argument( + "--order-by", + type=str, + help="Order by string for listing revisions", + dest="order_by", + ) + list_parser.set_defaults(func=handle_action_revisions_list_command) + + # delete command + delete_parser = lvl1.add_parser( + "delete", help="Delete an integration action revision" + ) + delete_parser.add_argument( + "--integration-name", + type=str, + help="Name of the integration", + dest="integration_name", + required=True, + ) + delete_parser.add_argument( + "--action-id", + type=str, + help="ID of the action", + dest="action_id", + required=True, + ) + delete_parser.add_argument( + "--revision-id", + type=str, + help="ID of the revision to delete", + dest="revision_id", + required=True, + ) + delete_parser.set_defaults(func=handle_action_revisions_delete_command) + + # create command + create_parser = lvl1.add_parser( + "create", help="Create a new integration action revision" + ) + create_parser.add_argument( + "--integration-name", + type=str, + help="Name of the integration", + dest="integration_name", + required=True, + ) + create_parser.add_argument( + "--action-id", + type=str, + help="ID of the action", + dest="action_id", + required=True, + ) + create_parser.add_argument( + "--comment", + type=str, + help="Comment describing the revision", + dest="comment", + ) + create_parser.set_defaults(func=handle_action_revisions_create_command) + + # rollback command + rollback_parser = lvl1.add_parser( + "rollback", help="Rollback action to a previous revision" + ) + rollback_parser.add_argument( + "--integration-name", + type=str, + help="Name of the integration", + dest="integration_name", + required=True, + ) + rollback_parser.add_argument( + "--action-id", + type=str, + help="ID of the action", + dest="action_id", + required=True, + ) + rollback_parser.add_argument( + "--revision-id", + type=str, + help="ID of the revision to rollback to", + dest="revision_id", + required=True, + ) + rollback_parser.set_defaults(func=handle_action_revisions_rollback_command) + + +def handle_action_revisions_list_command(args, chronicle): + """Handle integration action revisions list command""" + try: + out = chronicle.list_integration_action_revisions( + integration_name=args.integration_name, + action_id=args.action_id, + page_size=args.page_size, + page_token=args.page_token, + filter_string=args.filter_string, + order_by=args.order_by, + as_list=args.as_list, + ) + output_formatter(out, getattr(args, "output", "json")) + except Exception as e: # pylint: disable=broad-exception-caught + print(f"Error listing action revisions: {e}", file=sys.stderr) + sys.exit(1) + + +def handle_action_revisions_delete_command(args, chronicle): + """Handle integration action revision delete command""" + try: + chronicle.delete_integration_action_revision( + integration_name=args.integration_name, + action_id=args.action_id, + revision_id=args.revision_id, + ) + print(f"Action revision {args.revision_id} deleted successfully") + except Exception as e: # pylint: disable=broad-exception-caught + print(f"Error deleting action revision: {e}", file=sys.stderr) + sys.exit(1) + + +def handle_action_revisions_create_command(args, chronicle): + """Handle integration action revision create command""" + try: + # Get the current action to create a revision + action = chronicle.get_integration_action( + integration_name=args.integration_name, + action_id=args.action_id, + ) + out = chronicle.create_integration_action_revision( + integration_name=args.integration_name, + action_id=args.action_id, + action=action, + comment=args.comment, + ) + output_formatter(out, getattr(args, "output", "json")) + except Exception as e: # pylint: disable=broad-exception-caught + print(f"Error creating action revision: {e}", file=sys.stderr) + sys.exit(1) + + +def handle_action_revisions_rollback_command(args, chronicle): + """Handle integration action revision rollback command""" + try: + out = chronicle.rollback_integration_action_revision( + integration_name=args.integration_name, + action_id=args.action_id, + revision_id=args.revision_id, + ) + output_formatter(out, getattr(args, "output", "json")) + except Exception as e: # pylint: disable=broad-exception-caught + print(f"Error rolling back action revision: {e}", file=sys.stderr) + sys.exit(1) diff --git a/src/secops/cli/commands/integration/actions.py b/src/secops/cli/commands/integration/actions.py new file mode 100644 index 00000000..a389c8aa --- /dev/null +++ b/src/secops/cli/commands/integration/actions.py @@ -0,0 +1,382 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +"""Google SecOps CLI integration actions commands""" + +import sys + +from secops.cli.utils.formatters import output_formatter +from secops.cli.utils.common_args import ( + add_pagination_args, + add_as_list_arg, +) + + +def setup_actions_command(subparsers): + """Setup integration actions command""" + actions_parser = subparsers.add_parser( + "actions", + help="Manage integration actions", + ) + lvl1 = actions_parser.add_subparsers( + dest="actions_command", help="Integration actions command" + ) + + # list command + list_parser = lvl1.add_parser("list", help="List integration actions") + list_parser.add_argument( + "--integration-name", + type=str, + help="Name of the integration", + dest="integration_name", + required=True, + ) + add_pagination_args(list_parser) + add_as_list_arg(list_parser) + list_parser.add_argument( + "--filter-string", + type=str, + help="Filter string for listing actions", + dest="filter_string", + ) + list_parser.add_argument( + "--order-by", + type=str, + help="Order by string for listing actions", + dest="order_by", + ) + list_parser.set_defaults(func=handle_actions_list_command) + + # get command + get_parser = lvl1.add_parser("get", help="Get integration action details") + get_parser.add_argument( + "--integration-name", + type=str, + help="Name of the integration", + dest="integration_name", + required=True, + ) + get_parser.add_argument( + "--action-id", + type=str, + help="ID of the action to get", + dest="action_id", + required=True, + ) + get_parser.set_defaults(func=handle_actions_get_command) + + # delete command + delete_parser = lvl1.add_parser( + "delete", + help="Delete an integration action", + ) + delete_parser.add_argument( + "--integration-name", + type=str, + help="Name of the integration", + dest="integration_name", + required=True, + ) + delete_parser.add_argument( + "--action-id", + type=str, + help="ID of the action to delete", + dest="action_id", + required=True, + ) + delete_parser.set_defaults(func=handle_actions_delete_command) + + # create command + create_parser = lvl1.add_parser( + "create", help="Create a new integration action" + ) + create_parser.add_argument( + "--integration-name", + type=str, + help="Name of the integration", + dest="integration_name", + required=True, + ) + create_parser.add_argument( + "--display-name", + type=str, + help="Display name for the action", + dest="display_name", + required=True, + ) + create_parser.add_argument( + "--code", + type=str, + help="Python code for the action", + dest="code", + required=True, + ) + create_parser.add_argument( + "--is-async", + action="store_true", + help="Whether the action is asynchronous", + dest="is_async", + ) + create_parser.add_argument( + "--description", + type=str, + help="Description of the action", + dest="description", + ) + create_parser.add_argument( + "--action-id", + type=str, + help="Custom ID for the action", + dest="action_id", + ) + create_parser.set_defaults(func=handle_actions_create_command) + + # update command + update_parser = lvl1.add_parser( + "update", help="Update an integration action" + ) + update_parser.add_argument( + "--integration-name", + type=str, + help="Name of the integration", + dest="integration_name", + required=True, + ) + update_parser.add_argument( + "--action-id", + type=str, + help="ID of the action to update", + dest="action_id", + required=True, + ) + update_parser.add_argument( + "--display-name", + type=str, + help="New display name for the action", + dest="display_name", + ) + update_parser.add_argument( + "--script", + type=str, + help="New Python script for the action", + dest="script", + ) + update_parser.add_argument( + "--description", + type=str, + help="New description for the action", + dest="description", + ) + update_parser.add_argument( + "--update-mask", + type=str, + help="Comma-separated list of fields to update", + dest="update_mask", + ) + update_parser.set_defaults(func=handle_actions_update_command) + + # test command + test_parser = lvl1.add_parser( + "test", help="Execute an integration action test" + ) + test_parser.add_argument( + "--integration-name", + type=str, + help="Name of the integration", + dest="integration_name", + required=True, + ) + test_parser.add_argument( + "--action-id", + type=str, + help="ID of the action to test", + dest="action_id", + required=True, + ) + test_parser.set_defaults(func=handle_actions_test_command) + + # by-environment command + by_env_parser = lvl1.add_parser( + "by-environment", + help="Get integration actions by environment", + ) + by_env_parser.add_argument( + "--integration-name", + type=str, + help="Name of the integration", + dest="integration_name", + required=True, + ) + by_env_parser.add_argument( + "--environments", + type=str, + nargs="+", + help="List of environments to filter by", + dest="environments", + required=True, + ) + by_env_parser.add_argument( + "--include-widgets", + action="store_true", + help="Whether to include widgets in the response", + dest="include_widgets", + ) + by_env_parser.set_defaults(func=handle_actions_by_environment_command) + + # template command + template_parser = lvl1.add_parser( + "template", + help="Get a template for creating an action", + ) + template_parser.add_argument( + "--integration-name", + type=str, + help="Name of the integration", + dest="integration_name", + required=True, + ) + template_parser.add_argument( + "--is-async", + action="store_true", + help="Whether to fetch template for async action", + dest="is_async", + ) + template_parser.set_defaults(func=handle_actions_template_command) + + +def handle_actions_list_command(args, chronicle): + """Handle integration actions list command""" + try: + out = chronicle.list_integration_actions( + integration_name=args.integration_name, + page_size=args.page_size, + page_token=args.page_token, + filter_string=args.filter_string, + order_by=args.order_by, + as_list=args.as_list, + ) + output_formatter(out, getattr(args, "output", "json")) + except Exception as e: # pylint: disable=broad-exception-caught + print(f"Error listing integration actions: {e}", file=sys.stderr) + sys.exit(1) + + +def handle_actions_get_command(args, chronicle): + """Handle integration action get command""" + try: + out = chronicle.get_integration_action( + integration_name=args.integration_name, + action_id=args.action_id, + ) + output_formatter(out, getattr(args, "output", "json")) + except Exception as e: # pylint: disable=broad-exception-caught + print(f"Error getting integration action: {e}", file=sys.stderr) + sys.exit(1) + + +def handle_actions_delete_command(args, chronicle): + """Handle integration action delete command""" + try: + chronicle.delete_integration_action( + integration_name=args.integration_name, + action_id=args.action_id, + ) + print(f"Action {args.action_id} deleted successfully") + except Exception as e: # pylint: disable=broad-exception-caught + print(f"Error deleting integration action: {e}", file=sys.stderr) + sys.exit(1) + + +def handle_actions_create_command(args, chronicle): + """Handle integration action create command""" + try: + out = chronicle.create_integration_action( + integration_name=args.integration_name, + display_name=args.display_name, + script=args.code, # CLI uses --code flag but API expects script + timeout_seconds=300, # Default 5 minutes + enabled=True, # Default to enabled + script_result_name="result", # Default result field name + is_async=args.is_async, + description=args.description, + ) + output_formatter(out, getattr(args, "output", "json")) + except Exception as e: # pylint: disable=broad-exception-caught + print(f"Error creating integration action: {e}", file=sys.stderr) + sys.exit(1) + + +def handle_actions_update_command(args, chronicle): + """Handle integration action update command""" + try: + out = chronicle.update_integration_action( + integration_name=args.integration_name, + action_id=args.action_id, + display_name=args.display_name, + script=( + args.script if args.script else None + ), # CLI uses --code flag but API expects script + description=args.description, + update_mask=args.update_mask, + ) + output_formatter(out, getattr(args, "output", "json")) + except Exception as e: # pylint: disable=broad-exception-caught + print(f"Error updating integration action: {e}", file=sys.stderr) + sys.exit(1) + + +def handle_actions_test_command(args, chronicle): + """Handle integration action test command""" + try: + # First get the action to test + action = chronicle.get_integration_action( + integration_name=args.integration_name, + action_id=args.action_id, + ) + out = chronicle.execute_integration_action_test( + integration_name=args.integration_name, + action_id=args.action_id, + action=action, + ) + output_formatter(out, getattr(args, "output", "json")) + except Exception as e: # pylint: disable=broad-exception-caught + print(f"Error testing integration action: {e}", file=sys.stderr) + sys.exit(1) + + +def handle_actions_by_environment_command(args, chronicle): + """Handle get actions by environment command""" + try: + out = chronicle.get_integration_actions_by_environment( + integration_name=args.integration_name, + environments=args.environments, + include_widgets=args.include_widgets, + ) + output_formatter(out, getattr(args, "output", "json")) + except Exception as e: # pylint: disable=broad-exception-caught + print(f"Error getting actions by environment: {e}", file=sys.stderr) + sys.exit(1) + + +def handle_actions_template_command(args, chronicle): + """Handle get action template command""" + try: + out = chronicle.get_integration_action_template( + integration_name=args.integration_name, + is_async=args.is_async, + ) + output_formatter(out, getattr(args, "output", "json")) + except Exception as e: # pylint: disable=broad-exception-caught + print(f"Error getting action template: {e}", file=sys.stderr) + sys.exit(1) diff --git a/src/secops/cli/commands/integration/integration_client.py b/src/secops/cli/commands/integration/integration_client.py new file mode 100644 index 00000000..581bfb29 --- /dev/null +++ b/src/secops/cli/commands/integration/integration_client.py @@ -0,0 +1,38 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +"""Top level arguments for integration commands""" + +from secops.cli.commands.integration import ( + actions, + action_revisions, + managers, + manager_revisions, +) + + +def setup_integrations_command(subparsers): + """Setup integration command""" + integrations_parser = subparsers.add_parser( + "integration", help="Manage SecOps integrations" + ) + lvl1 = integrations_parser.add_subparsers( + dest="integrations_command", help="Integrations command" + ) + + # Setup all subcommands under `integration` + actions.setup_actions_command(lvl1) + action_revisions.setup_action_revisions_command(lvl1) + managers.setup_managers_command(lvl1) + manager_revisions.setup_manager_revisions_command(lvl1) diff --git a/src/secops/cli/commands/integration/manager_revisions.py b/src/secops/cli/commands/integration/manager_revisions.py new file mode 100644 index 00000000..82116abe --- /dev/null +++ b/src/secops/cli/commands/integration/manager_revisions.py @@ -0,0 +1,254 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +"""Google SecOps CLI integration manager revisions commands""" + +import sys + +from secops.cli.utils.formatters import output_formatter +from secops.cli.utils.common_args import ( + add_pagination_args, + add_as_list_arg, +) + + +def setup_manager_revisions_command(subparsers): + """Setup integration manager revisions command""" + revisions_parser = subparsers.add_parser( + "manager-revisions", + help="Manage integration manager revisions", + ) + lvl1 = revisions_parser.add_subparsers( + dest="manager_revisions_command", + help="Integration manager revisions command", + ) + + # list command + list_parser = lvl1.add_parser( + "list", help="List integration manager revisions" + ) + list_parser.add_argument( + "--integration-name", + type=str, + help="Name of the integration", + dest="integration_name", + required=True, + ) + list_parser.add_argument( + "--manager-id", + type=str, + help="ID of the manager", + dest="manager_id", + required=True, + ) + add_pagination_args(list_parser) + add_as_list_arg(list_parser) + list_parser.add_argument( + "--filter-string", + type=str, + help="Filter string for listing revisions", + dest="filter_string", + ) + list_parser.add_argument( + "--order-by", + type=str, + help="Order by string for listing revisions", + dest="order_by", + ) + list_parser.set_defaults(func=handle_manager_revisions_list_command) + + # get command + get_parser = lvl1.add_parser("get", help="Get a specific manager revision") + get_parser.add_argument( + "--integration-name", + type=str, + help="Name of the integration", + dest="integration_name", + required=True, + ) + get_parser.add_argument( + "--manager-id", + type=str, + help="ID of the manager", + dest="manager_id", + required=True, + ) + get_parser.add_argument( + "--revision-id", + type=str, + help="ID of the revision to get", + dest="revision_id", + required=True, + ) + get_parser.set_defaults(func=handle_manager_revisions_get_command) + + # delete command + delete_parser = lvl1.add_parser( + "delete", help="Delete an integration manager revision" + ) + delete_parser.add_argument( + "--integration-name", + type=str, + help="Name of the integration", + dest="integration_name", + required=True, + ) + delete_parser.add_argument( + "--manager-id", + type=str, + help="ID of the manager", + dest="manager_id", + required=True, + ) + delete_parser.add_argument( + "--revision-id", + type=str, + help="ID of the revision to delete", + dest="revision_id", + required=True, + ) + delete_parser.set_defaults(func=handle_manager_revisions_delete_command) + + # create command + create_parser = lvl1.add_parser( + "create", help="Create a new integration manager revision" + ) + create_parser.add_argument( + "--integration-name", + type=str, + help="Name of the integration", + dest="integration_name", + required=True, + ) + create_parser.add_argument( + "--manager-id", + type=str, + help="ID of the manager", + dest="manager_id", + required=True, + ) + create_parser.add_argument( + "--comment", + type=str, + help="Comment describing the revision", + dest="comment", + ) + create_parser.set_defaults(func=handle_manager_revisions_create_command) + + # rollback command + rollback_parser = lvl1.add_parser( + "rollback", help="Rollback manager to a previous revision" + ) + rollback_parser.add_argument( + "--integration-name", + type=str, + help="Name of the integration", + dest="integration_name", + required=True, + ) + rollback_parser.add_argument( + "--manager-id", + type=str, + help="ID of the manager", + dest="manager_id", + required=True, + ) + rollback_parser.add_argument( + "--revision-id", + type=str, + help="ID of the revision to rollback to", + dest="revision_id", + required=True, + ) + rollback_parser.set_defaults(func=handle_manager_revisions_rollback_command) + + +def handle_manager_revisions_list_command(args, chronicle): + """Handle integration manager revisions list command""" + try: + out = chronicle.list_integration_manager_revisions( + integration_name=args.integration_name, + manager_id=args.manager_id, + page_size=args.page_size, + page_token=args.page_token, + filter_string=args.filter_string, + order_by=args.order_by, + as_list=args.as_list, + ) + output_formatter(out, getattr(args, "output", "json")) + except Exception as e: # pylint: disable=broad-exception-caught + print(f"Error listing manager revisions: {e}", file=sys.stderr) + sys.exit(1) + + +def handle_manager_revisions_get_command(args, chronicle): + """Handle integration manager revision get command""" + try: + out = chronicle.get_integration_manager_revision( + integration_name=args.integration_name, + manager_id=args.manager_id, + revision_id=args.revision_id, + ) + output_formatter(out, getattr(args, "output", "json")) + except Exception as e: # pylint: disable=broad-exception-caught + print(f"Error getting manager revision: {e}", file=sys.stderr) + sys.exit(1) + + +def handle_manager_revisions_delete_command(args, chronicle): + """Handle integration manager revision delete command""" + try: + chronicle.delete_integration_manager_revision( + integration_name=args.integration_name, + manager_id=args.manager_id, + revision_id=args.revision_id, + ) + print(f"Manager revision {args.revision_id} deleted successfully") + except Exception as e: # pylint: disable=broad-exception-caught + print(f"Error deleting manager revision: {e}", file=sys.stderr) + sys.exit(1) + + +def handle_manager_revisions_create_command(args, chronicle): + """Handle integration manager revision create command""" + try: + # Get the current manager to create a revision + manager = chronicle.get_integration_manager( + integration_name=args.integration_name, + manager_id=args.manager_id, + ) + out = chronicle.create_integration_manager_revision( + integration_name=args.integration_name, + manager_id=args.manager_id, + manager=manager, + comment=args.comment, + ) + output_formatter(out, getattr(args, "output", "json")) + except Exception as e: # pylint: disable=broad-exception-caught + print(f"Error creating manager revision: {e}", file=sys.stderr) + sys.exit(1) + + +def handle_manager_revisions_rollback_command(args, chronicle): + """Handle integration manager revision rollback command""" + try: + out = chronicle.rollback_integration_manager_revision( + integration_name=args.integration_name, + manager_id=args.manager_id, + revision_id=args.revision_id, + ) + output_formatter(out, getattr(args, "output", "json")) + except Exception as e: # pylint: disable=broad-exception-caught + print(f"Error rolling back manager revision: {e}", file=sys.stderr) + sys.exit(1) diff --git a/src/secops/cli/commands/integration/managers.py b/src/secops/cli/commands/integration/managers.py new file mode 100644 index 00000000..e5f202a0 --- /dev/null +++ b/src/secops/cli/commands/integration/managers.py @@ -0,0 +1,283 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +"""Google SecOps CLI integration managers commands""" + +import sys + +from secops.cli.utils.formatters import output_formatter +from secops.cli.utils.common_args import ( + add_pagination_args, + add_as_list_arg, +) + + +def setup_managers_command(subparsers): + """Setup integration managers command""" + managers_parser = subparsers.add_parser( + "managers", + help="Manage integration managers", + ) + lvl1 = managers_parser.add_subparsers( + dest="managers_command", help="Integration managers command" + ) + + # list command + list_parser = lvl1.add_parser("list", help="List integration managers") + list_parser.add_argument( + "--integration-name", + type=str, + help="Name of the integration", + dest="integration_name", + required=True, + ) + add_pagination_args(list_parser) + add_as_list_arg(list_parser) + list_parser.add_argument( + "--filter-string", + type=str, + help="Filter string for listing managers", + dest="filter_string", + ) + list_parser.add_argument( + "--order-by", + type=str, + help="Order by string for listing managers", + dest="order_by", + ) + list_parser.set_defaults(func=handle_managers_list_command) + + # get command + get_parser = lvl1.add_parser("get", help="Get integration manager details") + get_parser.add_argument( + "--integration-name", + type=str, + help="Name of the integration", + dest="integration_name", + required=True, + ) + get_parser.add_argument( + "--manager-id", + type=str, + help="ID of the manager to get", + dest="manager_id", + required=True, + ) + get_parser.set_defaults(func=handle_managers_get_command) + + # delete command + delete_parser = lvl1.add_parser( + "delete", + help="Delete an integration manager", + ) + delete_parser.add_argument( + "--integration-name", + type=str, + help="Name of the integration", + dest="integration_name", + required=True, + ) + delete_parser.add_argument( + "--manager-id", + type=str, + help="ID of the manager to delete", + dest="manager_id", + required=True, + ) + delete_parser.set_defaults(func=handle_managers_delete_command) + + # create command + create_parser = lvl1.add_parser( + "create", help="Create a new integration manager" + ) + create_parser.add_argument( + "--integration-name", + type=str, + help="Name of the integration", + dest="integration_name", + required=True, + ) + create_parser.add_argument( + "--display-name", + type=str, + help="Display name for the manager", + dest="display_name", + required=True, + ) + create_parser.add_argument( + "--code", + type=str, + help="Python code for the manager", + dest="code", + required=True, + ) + create_parser.add_argument( + "--description", + type=str, + help="Description of the manager", + dest="description", + ) + create_parser.add_argument( + "--manager-id", + type=str, + help="Custom ID for the manager", + dest="manager_id", + ) + create_parser.set_defaults(func=handle_managers_create_command) + + # update command + update_parser = lvl1.add_parser( + "update", help="Update an integration manager" + ) + update_parser.add_argument( + "--integration-name", + type=str, + help="Name of the integration", + dest="integration_name", + required=True, + ) + update_parser.add_argument( + "--manager-id", + type=str, + help="ID of the manager to update", + dest="manager_id", + required=True, + ) + update_parser.add_argument( + "--display-name", + type=str, + help="New display name for the manager", + dest="display_name", + ) + update_parser.add_argument( + "--code", + type=str, + help="New Python code for the manager", + dest="code", + ) + update_parser.add_argument( + "--description", + type=str, + help="New description for the manager", + dest="description", + ) + update_parser.add_argument( + "--update-mask", + type=str, + help="Comma-separated list of fields to update", + dest="update_mask", + ) + update_parser.set_defaults(func=handle_managers_update_command) + + # template command + template_parser = lvl1.add_parser( + "template", + help="Get a template for creating a manager", + ) + template_parser.add_argument( + "--integration-name", + type=str, + help="Name of the integration", + dest="integration_name", + required=True, + ) + template_parser.set_defaults(func=handle_managers_template_command) + + +def handle_managers_list_command(args, chronicle): + """Handle integration managers list command""" + try: + out = chronicle.list_integration_managers( + integration_name=args.integration_name, + page_size=args.page_size, + page_token=args.page_token, + filter_string=args.filter_string, + order_by=args.order_by, + as_list=args.as_list, + ) + output_formatter(out, getattr(args, "output", "json")) + except Exception as e: # pylint: disable=broad-exception-caught + print(f"Error listing integration managers: {e}", file=sys.stderr) + sys.exit(1) + + +def handle_managers_get_command(args, chronicle): + """Handle integration manager get command""" + try: + out = chronicle.get_integration_manager( + integration_name=args.integration_name, + manager_id=args.manager_id, + ) + output_formatter(out, getattr(args, "output", "json")) + except Exception as e: # pylint: disable=broad-exception-caught + print(f"Error getting integration manager: {e}", file=sys.stderr) + sys.exit(1) + + +def handle_managers_delete_command(args, chronicle): + """Handle integration manager delete command""" + try: + chronicle.delete_integration_manager( + integration_name=args.integration_name, + manager_id=args.manager_id, + ) + print(f"Manager {args.manager_id} deleted successfully") + except Exception as e: # pylint: disable=broad-exception-caught + print(f"Error deleting integration manager: {e}", file=sys.stderr) + sys.exit(1) + + +def handle_managers_create_command(args, chronicle): + """Handle integration manager create command""" + try: + out = chronicle.create_integration_manager( + integration_name=args.integration_name, + display_name=args.display_name, + code=args.code, + description=args.description, + manager_id=args.manager_id, + ) + output_formatter(out, getattr(args, "output", "json")) + except Exception as e: # pylint: disable=broad-exception-caught + print(f"Error creating integration manager: {e}", file=sys.stderr) + sys.exit(1) + + +def handle_managers_update_command(args, chronicle): + """Handle integration manager update command""" + try: + out = chronicle.update_integration_manager( + integration_name=args.integration_name, + manager_id=args.manager_id, + display_name=args.display_name, + code=args.code, + description=args.description, + update_mask=args.update_mask, + ) + output_formatter(out, getattr(args, "output", "json")) + except Exception as e: # pylint: disable=broad-exception-caught + print(f"Error updating integration manager: {e}", file=sys.stderr) + sys.exit(1) + + +def handle_managers_template_command(args, chronicle): + """Handle get manager template command""" + try: + out = chronicle.get_integration_manager_template( + integration_name=args.integration_name, + ) + output_formatter(out, getattr(args, "output", "json")) + except Exception as e: # pylint: disable=broad-exception-caught + print(f"Error getting manager template: {e}", file=sys.stderr) + sys.exit(1) diff --git a/tests/chronicle/integration/__init__.py b/tests/chronicle/integration/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/tests/chronicle/integration/test_action_revisions.py b/tests/chronicle/integration/test_action_revisions.py new file mode 100644 index 00000000..f9abd9bc --- /dev/null +++ b/tests/chronicle/integration/test_action_revisions.py @@ -0,0 +1,409 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +"""Tests for Chronicle marketplace integration action revisions functions.""" + +from unittest.mock import Mock, patch + +import pytest + +from secops.chronicle.client import ChronicleClient +from secops.chronicle.models import APIVersion +from secops.chronicle.integration.action_revisions import ( + list_integration_action_revisions, + delete_integration_action_revision, + create_integration_action_revision, + rollback_integration_action_revision, +) +from secops.exceptions import APIError + + +@pytest.fixture +def chronicle_client(): + """Create a Chronicle client for testing.""" + with patch("secops.auth.SecOpsAuth") as mock_auth: + mock_session = Mock() + mock_session.headers = {} + mock_auth.return_value.session = mock_session + return ChronicleClient( + customer_id="test-customer", + project_id="test-project", + default_api_version=APIVersion.V1BETA, + ) + + +# -- list_integration_action_revisions tests -- + + +def test_list_integration_action_revisions_success(chronicle_client): + """Test list_integration_action_revisions delegates to chronicle_paginated_request.""" + expected = { + "revisions": [{"name": "r1"}, {"name": "r2"}], + "nextPageToken": "t", + } + + with patch( + "secops.chronicle.integration.action_revisions.chronicle_paginated_request", + return_value=expected, + ) as mock_paginated, patch( + "secops.chronicle.integration.action_revisions.format_resource_id", + return_value="My Integration", + ): + result = list_integration_action_revisions( + chronicle_client, + integration_name="My Integration", + action_id="a1", + page_size=10, + page_token="next-token", + ) + + assert result == expected + + _, kwargs = mock_paginated.call_args + assert "actions/a1/revisions" in kwargs["path"] + assert kwargs["items_key"] == "revisions" + assert kwargs["page_size"] == 10 + assert kwargs["page_token"] == "next-token" + + +def test_list_integration_action_revisions_default_args(chronicle_client): + """Test list_integration_action_revisions with default args.""" + expected = {"revisions": []} + + with patch( + "secops.chronicle.integration.action_revisions.chronicle_paginated_request", + return_value=expected, + ) as mock_paginated: + result = list_integration_action_revisions( + chronicle_client, + integration_name="test-integration", + action_id="a1", + ) + + assert result == expected + + +def test_list_integration_action_revisions_with_filters(chronicle_client): + """Test list_integration_action_revisions with filter and order_by.""" + expected = {"revisions": [{"name": "r1"}]} + + with patch( + "secops.chronicle.integration.action_revisions.chronicle_paginated_request", + return_value=expected, + ) as mock_paginated: + result = list_integration_action_revisions( + chronicle_client, + integration_name="test-integration", + action_id="a1", + filter_string='version = "1.0"', + order_by="createTime", + ) + + assert result == expected + + _, kwargs = mock_paginated.call_args + assert kwargs["extra_params"] == { + "filter": 'version = "1.0"', + "orderBy": "createTime", + } + + +def test_list_integration_action_revisions_as_list(chronicle_client): + """Test list_integration_action_revisions returns list when as_list=True.""" + expected = [{"name": "r1"}, {"name": "r2"}] + + with patch( + "secops.chronicle.integration.action_revisions.chronicle_paginated_request", + return_value=expected, + ) as mock_paginated: + result = list_integration_action_revisions( + chronicle_client, + integration_name="test-integration", + action_id="a1", + as_list=True, + ) + + assert result == expected + + _, kwargs = mock_paginated.call_args + assert kwargs["as_list"] is True + + +def test_list_integration_action_revisions_error(chronicle_client): + """Test list_integration_action_revisions raises APIError on failure.""" + with patch( + "secops.chronicle.integration.action_revisions.chronicle_paginated_request", + side_effect=APIError("Failed to list action revisions"), + ): + with pytest.raises(APIError) as exc_info: + list_integration_action_revisions( + chronicle_client, + integration_name="test-integration", + action_id="a1", + ) + assert "Failed to list action revisions" in str(exc_info.value) + + +# -- delete_integration_action_revision tests -- + + +def test_delete_integration_action_revision_success(chronicle_client): + """Test delete_integration_action_revision issues DELETE request.""" + with patch( + "secops.chronicle.integration.action_revisions.chronicle_request", + return_value=None, + ) as mock_request: + delete_integration_action_revision( + chronicle_client, + integration_name="test-integration", + action_id="a1", + revision_id="r1", + ) + + _, kwargs = mock_request.call_args + assert kwargs["method"] == "DELETE" + assert "actions/a1/revisions/r1" in kwargs["endpoint_path"] + assert kwargs["api_version"] == APIVersion.V1BETA + + +def test_delete_integration_action_revision_error(chronicle_client): + """Test delete_integration_action_revision raises APIError on failure.""" + with patch( + "secops.chronicle.integration.action_revisions.chronicle_request", + side_effect=APIError("Failed to delete action revision"), + ): + with pytest.raises(APIError) as exc_info: + delete_integration_action_revision( + chronicle_client, + integration_name="test-integration", + action_id="a1", + revision_id="r1", + ) + assert "Failed to delete action revision" in str(exc_info.value) + + +# -- create_integration_action_revision tests -- + + +def test_create_integration_action_revision_success(chronicle_client): + """Test create_integration_action_revision issues POST request.""" + expected = { + "name": "revisions/r1", + "comment": "Test revision", + } + + action = { + "name": "actions/a1", + "displayName": "Test Action", + "code": "print('hello')", + } + + with patch( + "secops.chronicle.integration.action_revisions.chronicle_request", + return_value=expected, + ) as mock_request: + result = create_integration_action_revision( + chronicle_client, + integration_name="test-integration", + action_id="a1", + action=action, + comment="Test revision", + ) + + assert result == expected + + _, kwargs = mock_request.call_args + assert kwargs["method"] == "POST" + assert "actions/a1/revisions" in kwargs["endpoint_path"] + assert kwargs["json"]["action"] == action + assert kwargs["json"]["comment"] == "Test revision" + assert kwargs["api_version"] == APIVersion.V1BETA + + +def test_create_integration_action_revision_without_comment(chronicle_client): + """Test create_integration_action_revision without comment.""" + expected = {"name": "revisions/r1"} + + action = { + "name": "actions/a1", + "displayName": "Test Action", + } + + with patch( + "secops.chronicle.integration.action_revisions.chronicle_request", + return_value=expected, + ) as mock_request: + result = create_integration_action_revision( + chronicle_client, + integration_name="test-integration", + action_id="a1", + action=action, + ) + + assert result == expected + + _, kwargs = mock_request.call_args + assert kwargs["json"]["action"] == action + assert "comment" not in kwargs["json"] + + +def test_create_integration_action_revision_error(chronicle_client): + """Test create_integration_action_revision raises APIError on failure.""" + action = {"name": "actions/a1"} + + with patch( + "secops.chronicle.integration.action_revisions.chronicle_request", + side_effect=APIError("Failed to create action revision"), + ): + with pytest.raises(APIError) as exc_info: + create_integration_action_revision( + chronicle_client, + integration_name="test-integration", + action_id="a1", + action=action, + ) + assert "Failed to create action revision" in str(exc_info.value) + + +# -- rollback_integration_action_revision tests -- + + +def test_rollback_integration_action_revision_success(chronicle_client): + """Test rollback_integration_action_revision issues POST request.""" + expected = { + "name": "revisions/r1", + "comment": "Rolled back", + } + + with patch( + "secops.chronicle.integration.action_revisions.chronicle_request", + return_value=expected, + ) as mock_request: + result = rollback_integration_action_revision( + chronicle_client, + integration_name="test-integration", + action_id="a1", + revision_id="r1", + ) + + assert result == expected + + _, kwargs = mock_request.call_args + assert kwargs["method"] == "POST" + assert "actions/a1/revisions/r1:rollback" in kwargs["endpoint_path"] + assert kwargs["api_version"] == APIVersion.V1BETA + + +def test_rollback_integration_action_revision_error(chronicle_client): + """Test rollback_integration_action_revision raises APIError on failure.""" + with patch( + "secops.chronicle.integration.action_revisions.chronicle_request", + side_effect=APIError("Failed to rollback action revision"), + ): + with pytest.raises(APIError) as exc_info: + rollback_integration_action_revision( + chronicle_client, + integration_name="test-integration", + action_id="a1", + revision_id="r1", + ) + assert "Failed to rollback action revision" in str(exc_info.value) + + +# -- API version tests -- + + +def test_list_integration_action_revisions_custom_api_version(chronicle_client): + """Test list_integration_action_revisions with custom API version.""" + expected = {"revisions": []} + + with patch( + "secops.chronicle.integration.action_revisions.chronicle_paginated_request", + return_value=expected, + ) as mock_paginated: + result = list_integration_action_revisions( + chronicle_client, + integration_name="test-integration", + action_id="a1", + api_version=APIVersion.V1ALPHA, + ) + + assert result == expected + + _, kwargs = mock_paginated.call_args + assert kwargs["api_version"] == APIVersion.V1ALPHA + + +def test_delete_integration_action_revision_custom_api_version(chronicle_client): + """Test delete_integration_action_revision with custom API version.""" + with patch( + "secops.chronicle.integration.action_revisions.chronicle_request", + return_value=None, + ) as mock_request: + delete_integration_action_revision( + chronicle_client, + integration_name="test-integration", + action_id="a1", + revision_id="r1", + api_version=APIVersion.V1ALPHA, + ) + + _, kwargs = mock_request.call_args + assert kwargs["api_version"] == APIVersion.V1ALPHA + + +def test_create_integration_action_revision_custom_api_version(chronicle_client): + """Test create_integration_action_revision with custom API version.""" + expected = {"name": "revisions/r1"} + action = {"name": "actions/a1"} + + with patch( + "secops.chronicle.integration.action_revisions.chronicle_request", + return_value=expected, + ) as mock_request: + result = create_integration_action_revision( + chronicle_client, + integration_name="test-integration", + action_id="a1", + action=action, + api_version=APIVersion.V1ALPHA, + ) + + assert result == expected + + _, kwargs = mock_request.call_args + assert kwargs["api_version"] == APIVersion.V1ALPHA + + +def test_rollback_integration_action_revision_custom_api_version(chronicle_client): + """Test rollback_integration_action_revision with custom API version.""" + expected = {"name": "revisions/r1"} + + with patch( + "secops.chronicle.integration.action_revisions.chronicle_request", + return_value=expected, + ) as mock_request: + result = rollback_integration_action_revision( + chronicle_client, + integration_name="test-integration", + action_id="a1", + revision_id="r1", + api_version=APIVersion.V1ALPHA, + ) + + assert result == expected + + _, kwargs = mock_request.call_args + assert kwargs["api_version"] == APIVersion.V1ALPHA + diff --git a/tests/chronicle/integration/test_actions.py b/tests/chronicle/integration/test_actions.py new file mode 100644 index 00000000..6cd0a9ac --- /dev/null +++ b/tests/chronicle/integration/test_actions.py @@ -0,0 +1,666 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +"""Tests for Chronicle marketplace integration actions functions.""" + +from unittest.mock import Mock, patch + +import pytest + +from secops.chronicle.client import ChronicleClient +from secops.chronicle.models import APIVersion +from secops.chronicle.integration.actions import ( + list_integration_actions, + get_integration_action, + delete_integration_action, + create_integration_action, + update_integration_action, + execute_integration_action_test, + get_integration_actions_by_environment, + get_integration_action_template, +) +from secops.exceptions import APIError + + +@pytest.fixture +def chronicle_client(): + """Create a Chronicle client for testing.""" + with patch("secops.auth.SecOpsAuth") as mock_auth: + mock_session = Mock() + mock_session.headers = {} + mock_auth.return_value.session = mock_session + return ChronicleClient( + customer_id="test-customer", + project_id="test-project", + default_api_version=APIVersion.V1BETA, + ) + + +# -- list_integration_actions tests -- + + +def test_list_integration_actions_success(chronicle_client): + """Test list_integration_actions delegates to chronicle_paginated_request.""" + expected = {"actions": [{"name": "a1"}, {"name": "a2"}], "nextPageToken": "t"} + + with patch( + "secops.chronicle.integration.actions.chronicle_paginated_request", + return_value=expected, + ) as mock_paginated, patch( + # Avoid assuming how format_resource_id encodes/cases values + "secops.chronicle.integration.actions.format_resource_id", + return_value="My Integration", + ): + result = list_integration_actions( + chronicle_client, + integration_name="My Integration", + page_size=10, + page_token="next-token", + ) + + assert result == expected + + mock_paginated.assert_called_once_with( + chronicle_client, + api_version=APIVersion.V1BETA, + path="integrations/My Integration/actions", + items_key="actions", + page_size=10, + page_token="next-token", + extra_params={}, + as_list=False, + ) + + +def test_list_integration_actions_default_args(chronicle_client): + """Test list_integration_actions with default args.""" + expected = {"actions": []} + + with patch( + "secops.chronicle.integration.actions.chronicle_paginated_request", + return_value=expected, + ) as mock_paginated: + result = list_integration_actions( + chronicle_client, + integration_name="test-integration", + ) + + assert result == expected + + mock_paginated.assert_called_once_with( + chronicle_client, + api_version=APIVersion.V1BETA, + path="integrations/test-integration/actions", + items_key="actions", + page_size=None, + page_token=None, + extra_params={}, + as_list=False, + ) + + +def test_list_integration_actions_with_filter_order_expand(chronicle_client): + """Test list_integration_actions passes filter/orderBy/expand in extra_params.""" + expected = {"actions": [{"name": "a1"}]} + + with patch( + "secops.chronicle.integration.actions.chronicle_paginated_request", + return_value=expected, + ) as mock_paginated: + result = list_integration_actions( + chronicle_client, + integration_name="test-integration", + filter_string='displayName = "My Action"', + order_by="displayName", + expand="parameters,dynamicResults", + ) + + assert result == expected + + mock_paginated.assert_called_once_with( + chronicle_client, + api_version=APIVersion.V1BETA, + path="integrations/test-integration/actions", + items_key="actions", + page_size=None, + page_token=None, + extra_params={ + "filter": 'displayName = "My Action"', + "orderBy": "displayName", + "expand": "parameters,dynamicResults", + }, + as_list=False, + ) + + +def test_list_integration_actions_as_list(chronicle_client): + """Test list_integration_actions with as_list=True.""" + expected = [{"name": "a1"}, {"name": "a2"}] + + with patch( + "secops.chronicle.integration.actions.chronicle_paginated_request", + return_value=expected, + ) as mock_paginated: + result = list_integration_actions( + chronicle_client, + integration_name="test-integration", + as_list=True, + ) + + assert result == expected + + mock_paginated.assert_called_once_with( + chronicle_client, + api_version=APIVersion.V1BETA, + path="integrations/test-integration/actions", + items_key="actions", + page_size=None, + page_token=None, + extra_params={}, + as_list=True, + ) + + +def test_list_integration_actions_error(chronicle_client): + """Test list_integration_actions propagates APIError from helper.""" + with patch( + "secops.chronicle.integration.actions.chronicle_paginated_request", + side_effect=APIError("Failed to list integration actions"), + ): + with pytest.raises(APIError) as exc_info: + list_integration_actions( + chronicle_client, + integration_name="test-integration", + ) + + assert "Failed to list integration actions" in str(exc_info.value) + + +# -- get_integration_action tests -- + + +def test_get_integration_action_success(chronicle_client): + """Test get_integration_action returns expected result.""" + expected = {"name": "actions/a1", "displayName": "Action 1"} + + with patch( + "secops.chronicle.integration.actions.chronicle_request", + return_value=expected, + ) as mock_request: + result = get_integration_action( + chronicle_client, + integration_name="test-integration", + action_id="a1", + ) + + assert result == expected + + mock_request.assert_called_once_with( + chronicle_client, + method="GET", + endpoint_path="integrations/test-integration/actions/a1", + api_version=APIVersion.V1BETA, + ) + + +def test_get_integration_action_error(chronicle_client): + """Test get_integration_action raises APIError on failure.""" + with patch( + "secops.chronicle.integration.actions.chronicle_request", + side_effect=APIError("Failed to get integration action"), + ): + with pytest.raises(APIError) as exc_info: + get_integration_action( + chronicle_client, + integration_name="test-integration", + action_id="a1", + ) + assert "Failed to get integration action" in str(exc_info.value) + + +# -- delete_integration_action tests -- + + +def test_delete_integration_action_success(chronicle_client): + """Test delete_integration_action issues DELETE request.""" + with patch( + "secops.chronicle.integration.actions.chronicle_request", + return_value=None, + ) as mock_request: + delete_integration_action( + chronicle_client, + integration_name="test-integration", + action_id="a1", + ) + + mock_request.assert_called_once_with( + chronicle_client, + method="DELETE", + endpoint_path="integrations/test-integration/actions/a1", + api_version=APIVersion.V1BETA, + ) + + +def test_delete_integration_action_error(chronicle_client): + """Test delete_integration_action raises APIError on failure.""" + with patch( + "secops.chronicle.integration.actions.chronicle_request", + side_effect=APIError("Failed to delete integration action"), + ): + with pytest.raises(APIError) as exc_info: + delete_integration_action( + chronicle_client, + integration_name="test-integration", + action_id="a1", + ) + assert "Failed to delete integration action" in str(exc_info.value) + + +# -- create_integration_action tests -- + + +def test_create_integration_action_required_fields_only(chronicle_client): + """Test create_integration_action sends only required fields when optionals omitted.""" + expected = {"name": "actions/new", "displayName": "My Action"} + + with patch( + "secops.chronicle.integration.actions.chronicle_request", + return_value=expected, + ) as mock_request: + result = create_integration_action( + chronicle_client, + integration_name="test-integration", + display_name="My Action", + script="print('hi')", + timeout_seconds=120, + enabled=True, + script_result_name="result", + is_async=False, + ) + + assert result == expected + + mock_request.assert_called_once_with( + chronicle_client, + method="POST", + endpoint_path="integrations/test-integration/actions", + api_version=APIVersion.V1BETA, + json={ + "displayName": "My Action", + "script": "print('hi')", + "timeoutSeconds": 120, + "enabled": True, + "scriptResultName": "result", + "async": False, + }, + ) + + +def test_create_integration_action_all_fields(chronicle_client): + """Test create_integration_action with all optional fields.""" + expected = {"name": "actions/new"} + + with patch( + "secops.chronicle.integration.actions.chronicle_request", + return_value=expected, + ) as mock_request: + result = create_integration_action( + chronicle_client, + integration_name="test-integration", + display_name="My Action", + script="print('hi')", + timeout_seconds=120, + enabled=True, + script_result_name="result", + is_async=True, + description="desc", + default_result_value="default", + async_polling_interval_seconds=5, + async_total_timeout_seconds=60, + dynamic_results=[{"name": "dr1"}], + parameters=[{"name": "p1"}], + ai_generated=False, + ) + + assert result == expected + + mock_request.assert_called_once_with( + chronicle_client, + method="POST", + endpoint_path="integrations/test-integration/actions", + api_version=APIVersion.V1BETA, + json={ + "displayName": "My Action", + "script": "print('hi')", + "timeoutSeconds": 120, + "enabled": True, + "scriptResultName": "result", + "async": True, + "description": "desc", + "defaultResultValue": "default", + "asyncPollingIntervalSeconds": 5, + "asyncTotalTimeoutSeconds": 60, + "dynamicResults": [{"name": "dr1"}], + "parameters": [{"name": "p1"}], + "aiGenerated": False, + }, + ) + + +def test_create_integration_action_none_fields_excluded(chronicle_client): + """Test that None optional fields are not included in request body.""" + with patch( + "secops.chronicle.integration.actions.chronicle_request", + return_value={"name": "actions/new"}, + ) as mock_request: + create_integration_action( + chronicle_client, + integration_name="test-integration", + display_name="My Action", + script="print('hi')", + timeout_seconds=120, + enabled=True, + script_result_name="result", + is_async=False, + description=None, + default_result_value=None, + async_polling_interval_seconds=None, + async_total_timeout_seconds=None, + dynamic_results=None, + parameters=None, + ai_generated=None, + ) + + mock_request.assert_called_once_with( + chronicle_client, + method="POST", + endpoint_path="integrations/test-integration/actions", + api_version=APIVersion.V1BETA, + json={ + "displayName": "My Action", + "script": "print('hi')", + "timeoutSeconds": 120, + "enabled": True, + "scriptResultName": "result", + "async": False, + }, + ) + + +def test_create_integration_action_error(chronicle_client): + """Test create_integration_action raises APIError on failure.""" + with patch( + "secops.chronicle.integration.actions.chronicle_request", + side_effect=APIError("Failed to create integration action"), + ): + with pytest.raises(APIError) as exc_info: + create_integration_action( + chronicle_client, + integration_name="test-integration", + display_name="My Action", + script="print('hi')", + timeout_seconds=120, + enabled=True, + script_result_name="result", + is_async=False, + ) + assert "Failed to create integration action" in str(exc_info.value) + + +# -- update_integration_action tests -- + + +def test_update_integration_action_with_explicit_update_mask(chronicle_client): + """Test update_integration_action passes through explicit update_mask.""" + expected = {"name": "actions/a1", "displayName": "New Name"} + + with patch( + "secops.chronicle.integration.actions.chronicle_request", + return_value=expected, + ) as mock_request: + result = update_integration_action( + chronicle_client, + integration_name="test-integration", + action_id="a1", + display_name="New Name", + update_mask="displayName", + ) + + assert result == expected + + mock_request.assert_called_once_with( + chronicle_client, + method="PATCH", + endpoint_path="integrations/test-integration/actions/a1", + api_version=APIVersion.V1BETA, + json={"displayName": "New Name"}, + params={"updateMask": "displayName"}, + ) + + +def test_update_integration_action_auto_update_mask(chronicle_client): + """Test update_integration_action auto-generates updateMask based on fields. + + build_patch_body ordering isn't guaranteed; assert order-insensitively. + """ + expected = {"name": "actions/a1"} + + with patch( + "secops.chronicle.integration.actions.chronicle_request", + return_value=expected, + ) as mock_request: + result = update_integration_action( + chronicle_client, + integration_name="test-integration", + action_id="a1", + enabled=False, + timeout_seconds=300, + ) + + assert result == expected + + # Assert the call happened once and inspect args to avoid ordering issues. + assert mock_request.call_count == 1 + _, kwargs = mock_request.call_args + + assert kwargs["method"] == "PATCH" + assert kwargs["endpoint_path"] == "integrations/test-integration/actions/a1" + assert kwargs["api_version"] == APIVersion.V1BETA + + assert kwargs["json"] == {"enabled": False, "timeoutSeconds": 300} + + update_mask = kwargs["params"]["updateMask"] + assert set(update_mask.split(",")) == {"enabled", "timeoutSeconds"} + + +def test_update_integration_action_error(chronicle_client): + """Test update_integration_action raises APIError on failure.""" + with patch( + "secops.chronicle.integration.actions.chronicle_request", + side_effect=APIError("Failed to update integration action"), + ): + with pytest.raises(APIError) as exc_info: + update_integration_action( + chronicle_client, + integration_name="test-integration", + action_id="a1", + display_name="New Name", + ) + assert "Failed to update integration action" in str(exc_info.value) + + +# -- test_integration_action tests -- + + +def test_execute_test_integration_action_success(chronicle_client): + """Test test_integration_action issues executeTest POST with correct body.""" + expected = {"output": "ok", "debugOutput": ""} + + with patch( + "secops.chronicle.integration.actions.chronicle_request", + return_value=expected, + ) as mock_request: + action = {"displayName": "My Action", "script": "print('hi')"} + result = execute_integration_action_test( + chronicle_client, + integration_name="test-integration", + test_case_id=123, + action=action, + scope="INTEGRATION_INSTANCE", + integration_instance_id="inst-1", + ) + + assert result == expected + + mock_request.assert_called_once_with( + chronicle_client, + method="POST", + endpoint_path="integrations/test-integration/actions:executeTest", + api_version=APIVersion.V1BETA, + json={ + "testCaseId": 123, + "action": action, + "scope": "INTEGRATION_INSTANCE", + "integrationInstanceId": "inst-1", + }, + ) + + +def test_execute_test_integration_action_error(chronicle_client): + """Test test_integration_action raises APIError on failure.""" + with patch( + "secops.chronicle.integration.actions.chronicle_request", + side_effect=APIError("Failed to test integration action"), + ): + with pytest.raises(APIError) as exc_info: + execute_integration_action_test( + chronicle_client, + integration_name="test-integration", + test_case_id=123, + action={"displayName": "My Action"}, + scope="INTEGRATION_INSTANCE", + integration_instance_id="inst-1", + ) + assert "Failed to test integration action" in str(exc_info.value) + + +# -- get_integration_actions_by_environment tests -- + + +def test_get_integration_actions_by_environment_success(chronicle_client): + """Test get_integration_actions_by_environment issues GET with correct params.""" + expected = {"actions": [{"name": "a1"}]} + + with patch( + "secops.chronicle.integration.actions.chronicle_request", + return_value=expected, + ) as mock_request: + result = get_integration_actions_by_environment( + chronicle_client, + integration_name="test-integration", + environments=["prod", "dev"], + include_widgets=True, + ) + + assert result == expected + + mock_request.assert_called_once_with( + chronicle_client, + method="GET", + endpoint_path="integrations/test-integration/actions:fetchActionsByEnvironment", + api_version=APIVersion.V1BETA, + params={"environments": ["prod", "dev"], "includeWidgets": True}, + ) + + +def test_get_integration_actions_by_environment_error(chronicle_client): + """Test get_integration_actions_by_environment raises APIError on failure.""" + with patch( + "secops.chronicle.integration.actions.chronicle_request", + side_effect=APIError("Failed to fetch actions by environment"), + ): + with pytest.raises(APIError) as exc_info: + get_integration_actions_by_environment( + chronicle_client, + integration_name="test-integration", + environments=["prod"], + include_widgets=False, + ) + assert "Failed to fetch actions by environment" in str(exc_info.value) + + +# -- get_integration_action_template tests -- + + +def test_get_integration_action_template_default_async_false(chronicle_client): + """Test get_integration_action_template uses async=False by default.""" + expected = {"script": "# template"} + + with patch( + "secops.chronicle.integration.actions.chronicle_request", + return_value=expected, + ) as mock_request: + result = get_integration_action_template( + chronicle_client, + integration_name="test-integration", + ) + + assert result == expected + + mock_request.assert_called_once_with( + chronicle_client, + method="GET", + endpoint_path="integrations/test-integration/actions:fetchTemplate", + api_version=APIVersion.V1BETA, + params={"async": False}, + ) + + +def test_get_integration_action_template_async_true(chronicle_client): + """Test get_integration_action_template with is_async=True.""" + expected = {"script": "# async template"} + + with patch( + "secops.chronicle.integration.actions.chronicle_request", + return_value=expected, + ) as mock_request: + result = get_integration_action_template( + chronicle_client, + integration_name="test-integration", + is_async=True, + ) + + assert result == expected + + mock_request.assert_called_once_with( + chronicle_client, + method="GET", + endpoint_path="integrations/test-integration/actions:fetchTemplate", + api_version=APIVersion.V1BETA, + params={"async": True}, + ) + + +def test_get_integration_action_template_error(chronicle_client): + """Test get_integration_action_template raises APIError on failure.""" + with patch( + "secops.chronicle.integration.actions.chronicle_request", + side_effect=APIError("Failed to fetch action template"), + ): + with pytest.raises(APIError) as exc_info: + get_integration_action_template( + chronicle_client, + integration_name="test-integration", + ) + assert "Failed to fetch action template" in str(exc_info.value) \ No newline at end of file diff --git a/tests/chronicle/integration/test_manager_revisions.py b/tests/chronicle/integration/test_manager_revisions.py new file mode 100644 index 00000000..7076bd54 --- /dev/null +++ b/tests/chronicle/integration/test_manager_revisions.py @@ -0,0 +1,417 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +"""Tests for Chronicle marketplace integration manager revisions functions.""" + +from unittest.mock import Mock, patch + +import pytest + +from secops.chronicle.client import ChronicleClient +from secops.chronicle.models import APIVersion +from secops.chronicle.integration.manager_revisions import ( + list_integration_manager_revisions, + get_integration_manager_revision, + delete_integration_manager_revision, + create_integration_manager_revision, + rollback_integration_manager_revision, +) +from secops.exceptions import APIError + + +@pytest.fixture +def chronicle_client(): + """Create a Chronicle client for testing.""" + with patch("secops.auth.SecOpsAuth") as mock_auth: + mock_session = Mock() + mock_session.headers = {} + mock_auth.return_value.session = mock_session + return ChronicleClient( + customer_id="test-customer", + project_id="test-project", + default_api_version=APIVersion.V1BETA, + ) + + +# -- list_integration_manager_revisions tests -- + + +def test_list_integration_manager_revisions_success(chronicle_client): + """Test list_integration_manager_revisions delegates to chronicle_paginated_request.""" + expected = { + "revisions": [{"name": "r1"}, {"name": "r2"}], + "nextPageToken": "t", + } + + with patch( + "secops.chronicle.integration.manager_revisions.chronicle_paginated_request", + return_value=expected, + ) as mock_paginated, patch( + "secops.chronicle.integration.manager_revisions.format_resource_id", + return_value="My Integration", + ): + result = list_integration_manager_revisions( + chronicle_client, + integration_name="My Integration", + manager_id="m1", + page_size=10, + page_token="next-token", + ) + + assert result == expected + + _, kwargs = mock_paginated.call_args + assert "managers/m1/revisions" in kwargs["path"] + assert kwargs["items_key"] == "revisions" + assert kwargs["page_size"] == 10 + assert kwargs["page_token"] == "next-token" + + +def test_list_integration_manager_revisions_default_args(chronicle_client): + """Test list_integration_manager_revisions with default args.""" + expected = {"revisions": []} + + with patch( + "secops.chronicle.integration.manager_revisions.chronicle_paginated_request", + return_value=expected, + ) as mock_paginated: + result = list_integration_manager_revisions( + chronicle_client, + integration_name="test-integration", + manager_id="m1", + ) + + assert result == expected + + +def test_list_integration_manager_revisions_with_filters(chronicle_client): + """Test list_integration_manager_revisions with filter and order_by.""" + expected = {"revisions": [{"name": "r1"}]} + + with patch( + "secops.chronicle.integration.manager_revisions.chronicle_paginated_request", + return_value=expected, + ) as mock_paginated: + result = list_integration_manager_revisions( + chronicle_client, + integration_name="test-integration", + manager_id="m1", + filter_string='version = "1.0"', + order_by="createTime", + ) + + assert result == expected + + _, kwargs = mock_paginated.call_args + assert kwargs["extra_params"] == { + "filter": 'version = "1.0"', + "orderBy": "createTime", + } + + +def test_list_integration_manager_revisions_as_list(chronicle_client): + """Test list_integration_manager_revisions returns list when as_list=True.""" + expected = [{"name": "r1"}, {"name": "r2"}] + + with patch( + "secops.chronicle.integration.manager_revisions.chronicle_paginated_request", + return_value=expected, + ) as mock_paginated: + result = list_integration_manager_revisions( + chronicle_client, + integration_name="test-integration", + manager_id="m1", + as_list=True, + ) + + assert result == expected + + _, kwargs = mock_paginated.call_args + assert kwargs["as_list"] is True + + +def test_list_integration_manager_revisions_error(chronicle_client): + """Test list_integration_manager_revisions raises APIError on failure.""" + with patch( + "secops.chronicle.integration.manager_revisions.chronicle_paginated_request", + side_effect=APIError("Failed to list manager revisions"), + ): + with pytest.raises(APIError) as exc_info: + list_integration_manager_revisions( + chronicle_client, + integration_name="test-integration", + manager_id="m1", + ) + assert "Failed to list manager revisions" in str(exc_info.value) + + +# -- get_integration_manager_revision tests -- + + +def test_get_integration_manager_revision_success(chronicle_client): + """Test get_integration_manager_revision issues GET request.""" + expected = { + "name": "revisions/r1", + "manager": { + "displayName": "My Manager", + "script": "def helper(): pass", + }, + "comment": "Initial version", + } + + with patch( + "secops.chronicle.integration.manager_revisions.chronicle_request", + return_value=expected, + ) as mock_request: + result = get_integration_manager_revision( + chronicle_client, + integration_name="test-integration", + manager_id="m1", + revision_id="r1", + ) + + assert result == expected + + _, kwargs = mock_request.call_args + assert kwargs["method"] == "GET" + assert "managers/m1/revisions/r1" in kwargs["endpoint_path"] + assert kwargs["api_version"] == APIVersion.V1BETA + + +def test_get_integration_manager_revision_error(chronicle_client): + """Test get_integration_manager_revision raises APIError on failure.""" + with patch( + "secops.chronicle.integration.manager_revisions.chronicle_request", + side_effect=APIError("Failed to get manager revision"), + ): + with pytest.raises(APIError) as exc_info: + get_integration_manager_revision( + chronicle_client, + integration_name="test-integration", + manager_id="m1", + revision_id="r1", + ) + assert "Failed to get manager revision" in str(exc_info.value) + + +# -- delete_integration_manager_revision tests -- + + +def test_delete_integration_manager_revision_success(chronicle_client): + """Test delete_integration_manager_revision issues DELETE request.""" + with patch( + "secops.chronicle.integration.manager_revisions.chronicle_request", + return_value=None, + ) as mock_request: + delete_integration_manager_revision( + chronicle_client, + integration_name="test-integration", + manager_id="m1", + revision_id="r1", + ) + + _, kwargs = mock_request.call_args + assert kwargs["method"] == "DELETE" + assert "managers/m1/revisions/r1" in kwargs["endpoint_path"] + assert kwargs["api_version"] == APIVersion.V1BETA + + +def test_delete_integration_manager_revision_error(chronicle_client): + """Test delete_integration_manager_revision raises APIError on failure.""" + with patch( + "secops.chronicle.integration.manager_revisions.chronicle_request", + side_effect=APIError("Failed to delete manager revision"), + ): + with pytest.raises(APIError) as exc_info: + delete_integration_manager_revision( + chronicle_client, + integration_name="test-integration", + manager_id="m1", + revision_id="r1", + ) + assert "Failed to delete manager revision" in str(exc_info.value) + + +# -- create_integration_manager_revision tests -- + + +def test_create_integration_manager_revision_required_fields_only( + chronicle_client, +): + """Test create_integration_manager_revision with required fields only.""" + expected = {"name": "revisions/new", "manager": {"displayName": "My Manager"}} + manager_dict = { + "displayName": "My Manager", + "script": "def helper(): pass", + } + + with patch( + "secops.chronicle.integration.manager_revisions.chronicle_request", + return_value=expected, + ) as mock_request: + result = create_integration_manager_revision( + chronicle_client, + integration_name="test-integration", + manager_id="m1", + manager=manager_dict, + ) + + assert result == expected + + mock_request.assert_called_once_with( + chronicle_client, + method="POST", + endpoint_path=( + "integrations/test-integration/managers/m1/revisions" + ), + api_version=APIVersion.V1BETA, + json={"manager": manager_dict}, + ) + + +def test_create_integration_manager_revision_with_comment(chronicle_client): + """Test create_integration_manager_revision includes comment when provided.""" + expected = {"name": "revisions/new"} + manager_dict = {"displayName": "My Manager", "script": "def helper(): pass"} + + with patch( + "secops.chronicle.integration.manager_revisions.chronicle_request", + return_value=expected, + ) as mock_request: + result = create_integration_manager_revision( + chronicle_client, + integration_name="test-integration", + manager_id="m1", + manager=manager_dict, + comment="Backup before major refactor", + ) + + assert result == expected + + _, kwargs = mock_request.call_args + assert kwargs["json"]["comment"] == "Backup before major refactor" + assert kwargs["json"]["manager"] == manager_dict + + +def test_create_integration_manager_revision_error(chronicle_client): + """Test create_integration_manager_revision raises APIError on failure.""" + manager_dict = {"displayName": "My Manager", "script": "def helper(): pass"} + + with patch( + "secops.chronicle.integration.manager_revisions.chronicle_request", + side_effect=APIError("Failed to create manager revision"), + ): + with pytest.raises(APIError) as exc_info: + create_integration_manager_revision( + chronicle_client, + integration_name="test-integration", + manager_id="m1", + manager=manager_dict, + ) + assert "Failed to create manager revision" in str(exc_info.value) + + +# -- rollback_integration_manager_revision tests -- + + +def test_rollback_integration_manager_revision_success(chronicle_client): + """Test rollback_integration_manager_revision issues POST request.""" + expected = { + "name": "revisions/r1", + "manager": { + "displayName": "My Manager", + "script": "def helper(): pass", + }, + } + + with patch( + "secops.chronicle.integration.manager_revisions.chronicle_request", + return_value=expected, + ) as mock_request: + result = rollback_integration_manager_revision( + chronicle_client, + integration_name="test-integration", + manager_id="m1", + revision_id="r1", + ) + + assert result == expected + + _, kwargs = mock_request.call_args + assert kwargs["method"] == "POST" + assert "managers/m1/revisions/r1:rollback" in kwargs["endpoint_path"] + assert kwargs["api_version"] == APIVersion.V1BETA + + +def test_rollback_integration_manager_revision_error(chronicle_client): + """Test rollback_integration_manager_revision raises APIError on failure.""" + with patch( + "secops.chronicle.integration.manager_revisions.chronicle_request", + side_effect=APIError("Failed to rollback manager revision"), + ): + with pytest.raises(APIError) as exc_info: + rollback_integration_manager_revision( + chronicle_client, + integration_name="test-integration", + manager_id="m1", + revision_id="r1", + ) + assert "Failed to rollback manager revision" in str(exc_info.value) + + +# -- API version tests -- + + +def test_list_integration_manager_revisions_custom_api_version(chronicle_client): + """Test list_integration_manager_revisions with custom API version.""" + expected = {"revisions": []} + + with patch( + "secops.chronicle.integration.manager_revisions.chronicle_paginated_request", + return_value=expected, + ) as mock_paginated: + result = list_integration_manager_revisions( + chronicle_client, + integration_name="test-integration", + manager_id="m1", + api_version=APIVersion.V1ALPHA, + ) + + assert result == expected + + _, kwargs = mock_paginated.call_args + assert kwargs["api_version"] == APIVersion.V1ALPHA + + +def test_get_integration_manager_revision_custom_api_version(chronicle_client): + """Test get_integration_manager_revision with custom API version.""" + expected = {"name": "revisions/r1"} + + with patch( + "secops.chronicle.integration.manager_revisions.chronicle_request", + return_value=expected, + ) as mock_request: + result = get_integration_manager_revision( + chronicle_client, + integration_name="test-integration", + manager_id="m1", + revision_id="r1", + api_version=APIVersion.V1ALPHA, + ) + + assert result == expected + + _, kwargs = mock_request.call_args + assert kwargs["api_version"] == APIVersion.V1ALPHA + diff --git a/tests/chronicle/integration/test_managers.py b/tests/chronicle/integration/test_managers.py new file mode 100644 index 00000000..c6bf5c4a --- /dev/null +++ b/tests/chronicle/integration/test_managers.py @@ -0,0 +1,460 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +"""Tests for Chronicle marketplace integration managers functions.""" + +from unittest.mock import Mock, patch + +import pytest + +from secops.chronicle.client import ChronicleClient +from secops.chronicle.models import APIVersion +from secops.chronicle.integration.managers import ( + list_integration_managers, + get_integration_manager, + delete_integration_manager, + create_integration_manager, + update_integration_manager, + get_integration_manager_template, +) +from secops.exceptions import APIError + + +@pytest.fixture +def chronicle_client(): + """Create a Chronicle client for testing.""" + with patch("secops.auth.SecOpsAuth") as mock_auth: + mock_session = Mock() + mock_session.headers = {} + mock_auth.return_value.session = mock_session + return ChronicleClient( + customer_id="test-customer", + project_id="test-project", + default_api_version=APIVersion.V1BETA, + ) + + +# -- list_integration_managers tests -- + + +def test_list_integration_managers_success(chronicle_client): + """Test list_integration_managers delegates to chronicle_paginated_request.""" + expected = {"managers": [{"name": "m1"}, {"name": "m2"}], "nextPageToken": "t"} + + with patch( + "secops.chronicle.integration.managers.chronicle_paginated_request", + return_value=expected, + ) as mock_paginated, patch( + "secops.chronicle.integration.managers.format_resource_id", + return_value="My Integration", + ): + result = list_integration_managers( + chronicle_client, + integration_name="My Integration", + page_size=10, + page_token="next-token", + ) + + assert result == expected + + mock_paginated.assert_called_once_with( + chronicle_client, + api_version=APIVersion.V1BETA, + path="integrations/My Integration/managers", + items_key="managers", + page_size=10, + page_token="next-token", + extra_params={}, + as_list=False, + ) + + +def test_list_integration_managers_default_args(chronicle_client): + """Test list_integration_managers with default args.""" + expected = {"managers": []} + + with patch( + "secops.chronicle.integration.managers.chronicle_paginated_request", + return_value=expected, + ) as mock_paginated: + result = list_integration_managers( + chronicle_client, + integration_name="test-integration", + ) + + assert result == expected + + +def test_list_integration_managers_with_filters(chronicle_client): + """Test list_integration_managers with filter and order_by.""" + expected = {"managers": [{"name": "m1"}]} + + with patch( + "secops.chronicle.integration.managers.chronicle_paginated_request", + return_value=expected, + ) as mock_paginated: + result = list_integration_managers( + chronicle_client, + integration_name="test-integration", + filter_string='displayName = "My Manager"', + order_by="displayName", + ) + + assert result == expected + + _, kwargs = mock_paginated.call_args + assert kwargs["extra_params"] == { + "filter": 'displayName = "My Manager"', + "orderBy": "displayName", + } + + +def test_list_integration_managers_as_list(chronicle_client): + """Test list_integration_managers returns list when as_list=True.""" + expected = [{"name": "m1"}, {"name": "m2"}] + + with patch( + "secops.chronicle.integration.managers.chronicle_paginated_request", + return_value=expected, + ) as mock_paginated: + result = list_integration_managers( + chronicle_client, + integration_name="test-integration", + as_list=True, + ) + + assert result == expected + + _, kwargs = mock_paginated.call_args + assert kwargs["as_list"] is True + + +def test_list_integration_managers_error(chronicle_client): + """Test list_integration_managers raises APIError on failure.""" + with patch( + "secops.chronicle.integration.managers.chronicle_paginated_request", + side_effect=APIError("Failed to list integration managers"), + ): + with pytest.raises(APIError) as exc_info: + list_integration_managers( + chronicle_client, + integration_name="test-integration", + ) + assert "Failed to list integration managers" in str(exc_info.value) + + +# -- get_integration_manager tests -- + + +def test_get_integration_manager_success(chronicle_client): + """Test get_integration_manager issues GET request.""" + expected = { + "name": "managers/m1", + "displayName": "My Manager", + "script": "def helper(): pass", + } + + with patch( + "secops.chronicle.integration.managers.chronicle_request", + return_value=expected, + ) as mock_request: + result = get_integration_manager( + chronicle_client, + integration_name="test-integration", + manager_id="m1", + ) + + assert result == expected + + mock_request.assert_called_once_with( + chronicle_client, + method="GET", + endpoint_path="integrations/test-integration/managers/m1", + api_version=APIVersion.V1BETA, + ) + + +def test_get_integration_manager_error(chronicle_client): + """Test get_integration_manager raises APIError on failure.""" + with patch( + "secops.chronicle.integration.managers.chronicle_request", + side_effect=APIError("Failed to get integration manager"), + ): + with pytest.raises(APIError) as exc_info: + get_integration_manager( + chronicle_client, + integration_name="test-integration", + manager_id="m1", + ) + assert "Failed to get integration manager" in str(exc_info.value) + + +# -- delete_integration_manager tests -- + + +def test_delete_integration_manager_success(chronicle_client): + """Test delete_integration_manager issues DELETE request.""" + with patch( + "secops.chronicle.integration.managers.chronicle_request", + return_value=None, + ) as mock_request: + delete_integration_manager( + chronicle_client, + integration_name="test-integration", + manager_id="m1", + ) + + mock_request.assert_called_once_with( + chronicle_client, + method="DELETE", + endpoint_path="integrations/test-integration/managers/m1", + api_version=APIVersion.V1BETA, + ) + + +def test_delete_integration_manager_error(chronicle_client): + """Test delete_integration_manager raises APIError on failure.""" + with patch( + "secops.chronicle.integration.managers.chronicle_request", + side_effect=APIError("Failed to delete integration manager"), + ): + with pytest.raises(APIError) as exc_info: + delete_integration_manager( + chronicle_client, + integration_name="test-integration", + manager_id="m1", + ) + assert "Failed to delete integration manager" in str(exc_info.value) + + +# -- create_integration_manager tests -- + + +def test_create_integration_manager_required_fields_only(chronicle_client): + """Test create_integration_manager sends only required fields when optionals omitted.""" + expected = {"name": "managers/new", "displayName": "My Manager"} + + with patch( + "secops.chronicle.integration.managers.chronicle_request", + return_value=expected, + ) as mock_request: + result = create_integration_manager( + chronicle_client, + integration_name="test-integration", + display_name="My Manager", + script="def helper(): pass", + ) + + assert result == expected + + mock_request.assert_called_once_with( + chronicle_client, + method="POST", + endpoint_path="integrations/test-integration/managers", + api_version=APIVersion.V1BETA, + json={ + "displayName": "My Manager", + "script": "def helper(): pass", + }, + ) + + +def test_create_integration_manager_with_description(chronicle_client): + """Test create_integration_manager includes description when provided.""" + expected = {"name": "managers/new", "displayName": "My Manager"} + + with patch( + "secops.chronicle.integration.managers.chronicle_request", + return_value=expected, + ) as mock_request: + result = create_integration_manager( + chronicle_client, + integration_name="test-integration", + display_name="My Manager", + script="def helper(): pass", + description="A helpful manager", + ) + + assert result == expected + + _, kwargs = mock_request.call_args + assert kwargs["json"]["description"] == "A helpful manager" + + +def test_create_integration_manager_error(chronicle_client): + """Test create_integration_manager raises APIError on failure.""" + with patch( + "secops.chronicle.integration.managers.chronicle_request", + side_effect=APIError("Failed to create integration manager"), + ): + with pytest.raises(APIError) as exc_info: + create_integration_manager( + chronicle_client, + integration_name="test-integration", + display_name="My Manager", + script="def helper(): pass", + ) + assert "Failed to create integration manager" in str(exc_info.value) + + +# -- update_integration_manager tests -- + + +def test_update_integration_manager_single_field(chronicle_client): + """Test update_integration_manager updates a single field.""" + expected = {"name": "managers/m1", "displayName": "Updated Manager"} + + with patch( + "secops.chronicle.integration.managers.chronicle_request", + return_value=expected, + ) as mock_request, patch( + "secops.chronicle.integration.managers.build_patch_body", + return_value=({"displayName": "Updated Manager"}, {"updateMask": "displayName"}), + ) as mock_build_patch: + result = update_integration_manager( + chronicle_client, + integration_name="test-integration", + manager_id="m1", + display_name="Updated Manager", + ) + + assert result == expected + + mock_build_patch.assert_called_once() + mock_request.assert_called_once_with( + chronicle_client, + method="PATCH", + endpoint_path="integrations/test-integration/managers/m1", + api_version=APIVersion.V1BETA, + json={"displayName": "Updated Manager"}, + params={"updateMask": "displayName"}, + ) + + +def test_update_integration_manager_multiple_fields(chronicle_client): + """Test update_integration_manager updates multiple fields.""" + expected = {"name": "managers/m1", "displayName": "Updated Manager"} + + with patch( + "secops.chronicle.integration.managers.chronicle_request", + return_value=expected, + ) as mock_request, patch( + "secops.chronicle.integration.managers.build_patch_body", + return_value=( + { + "displayName": "Updated Manager", + "script": "def new_helper(): pass", + "description": "New description", + }, + {"updateMask": "displayName,script,description"}, + ), + ): + result = update_integration_manager( + chronicle_client, + integration_name="test-integration", + manager_id="m1", + display_name="Updated Manager", + script="def new_helper(): pass", + description="New description", + ) + + assert result == expected + + +def test_update_integration_manager_with_update_mask(chronicle_client): + """Test update_integration_manager respects explicit update_mask.""" + expected = {"name": "managers/m1", "displayName": "Updated Manager"} + + with patch( + "secops.chronicle.integration.managers.chronicle_request", + return_value=expected, + ) as mock_request, patch( + "secops.chronicle.integration.managers.build_patch_body", + return_value=( + {"displayName": "Updated Manager"}, + {"updateMask": "displayName"}, + ), + ): + result = update_integration_manager( + chronicle_client, + integration_name="test-integration", + manager_id="m1", + display_name="Updated Manager", + update_mask="displayName", + ) + + assert result == expected + + +def test_update_integration_manager_error(chronicle_client): + """Test update_integration_manager raises APIError on failure.""" + with patch( + "secops.chronicle.integration.managers.chronicle_request", + side_effect=APIError("Failed to update integration manager"), + ), patch( + "secops.chronicle.integration.managers.build_patch_body", + return_value=({"displayName": "Updated"}, {"updateMask": "displayName"}), + ): + with pytest.raises(APIError) as exc_info: + update_integration_manager( + chronicle_client, + integration_name="test-integration", + manager_id="m1", + display_name="Updated", + ) + assert "Failed to update integration manager" in str(exc_info.value) + + +# -- get_integration_manager_template tests -- + + +def test_get_integration_manager_template_success(chronicle_client): + """Test get_integration_manager_template issues GET request.""" + expected = { + "displayName": "Template Manager", + "script": "# Template script\ndef template(): pass", + } + + with patch( + "secops.chronicle.integration.managers.chronicle_request", + return_value=expected, + ) as mock_request: + result = get_integration_manager_template( + chronicle_client, + integration_name="test-integration", + ) + + assert result == expected + + mock_request.assert_called_once_with( + chronicle_client, + method="GET", + endpoint_path="integrations/test-integration/managers:fetchTemplate", + api_version=APIVersion.V1BETA, + ) + + +def test_get_integration_manager_template_error(chronicle_client): + """Test get_integration_manager_template raises APIError on failure.""" + with patch( + "secops.chronicle.integration.managers.chronicle_request", + side_effect=APIError("Failed to get integration manager template"), + ): + with pytest.raises(APIError) as exc_info: + get_integration_manager_template( + chronicle_client, + integration_name="test-integration", + ) + assert "Failed to get integration manager template" in str(exc_info.value) + diff --git a/tests/chronicle/utils/test_format_utils.py b/tests/chronicle/utils/test_format_utils.py index c71bda40..5610c2da 100644 --- a/tests/chronicle/utils/test_format_utils.py +++ b/tests/chronicle/utils/test_format_utils.py @@ -18,6 +18,7 @@ import pytest from secops.chronicle.utils.format_utils import ( + build_patch_body, format_resource_id, parse_json_list, ) @@ -98,3 +99,107 @@ def test_parse_json_list_handles_empty_json_array() -> None: def test_parse_json_list_handles_empty_list_input() -> None: result = parse_json_list([], "filters") assert result == [] + + +def test_build_patch_body_all_fields_set_builds_body_and_mask() -> None: + # All three fields provided — body and mask should include all of them + body, params = build_patch_body([ + ("displayName", "display_name", "My Rule"), + ("enabled", "enabled", True), + ("severity", "severity", "HIGH"), + ]) + + assert body == {"displayName": "My Rule", "enabled": True, "severity": "HIGH"} + assert params == {"updateMask": "display_name,enabled,severity"} + + +def test_build_patch_body_partial_fields_omits_none_values() -> None: + # Only non-None values should appear in body and mask + body, params = build_patch_body([ + ("displayName", "display_name", "New Name"), + ("enabled", "enabled", None), + ("severity", "severity", None), + ]) + + assert body == {"displayName": "New Name"} + assert params == {"updateMask": "display_name"} + + +def test_build_patch_body_no_fields_set_returns_empty_body_and_none_params() -> None: + # All values are None — body should be empty and params should be None + body, params = build_patch_body([ + ("displayName", "display_name", None), + ("enabled", "enabled", None), + ]) + + assert body == {} + assert params is None + + +def test_build_patch_body_empty_field_map_returns_empty_body_and_none_params() -> None: + # Empty field_map — nothing to build + body, params = build_patch_body([]) + + assert body == {} + assert params is None + + +def test_build_patch_body_explicit_update_mask_overrides_auto_generated() -> None: + # An explicit update_mask should always win, even when fields are set + body, params = build_patch_body( + [ + ("displayName", "display_name", "Name"), + ("enabled", "enabled", True), + ], + update_mask="display_name", + ) + + assert body == {"displayName": "Name", "enabled": True} + assert params == {"updateMask": "display_name"} + + +def test_build_patch_body_explicit_update_mask_with_no_fields_set_still_applies() -> None: + # Explicit mask should appear even when all values are None (caller's intent) + body, params = build_patch_body( + [ + ("displayName", "display_name", None), + ], + update_mask="display_name", + ) + + assert body == {} + assert params == {"updateMask": "display_name"} + + +def test_build_patch_body_false_and_zero_are_not_treated_as_none() -> None: + # False-like but non-None values (False, 0, "") should be included in the body + body, params = build_patch_body([ + ("enabled", "enabled", False), + ("count", "count", 0), + ("label", "label", ""), + ]) + + assert body == {"enabled": False, "count": 0, "label": ""} + assert params == {"updateMask": "enabled,count,label"} + + +def test_build_patch_body_single_field_produces_single_entry_mask() -> None: + body, params = build_patch_body([ + ("severity", "severity", "LOW"), + ]) + + assert body == {"severity": "LOW"} + assert params == {"updateMask": "severity"} + + +def test_build_patch_body_mask_order_matches_field_map_order() -> None: + # The mask field order should mirror the order of field_map entries + body, params = build_patch_body([ + ("z", "z_key", "z_val"), + ("a", "a_key", "a_val"), + ("m", "m_key", "m_val"), + ]) + + assert params == {"updateMask": "z_key,a_key,m_key"} + assert list(body.keys()) == ["z", "a", "m"] + diff --git a/tests/chronicle/utils/test_request_utils.py b/tests/chronicle/utils/test_request_utils.py index 6f8687a2..c4e8b5b9 100644 --- a/tests/chronicle/utils/test_request_utils.py +++ b/tests/chronicle/utils/test_request_utils.py @@ -26,6 +26,7 @@ from secops.chronicle.utils.request_utils import ( DEFAULT_PAGE_SIZE, chronicle_request, + chronicle_request_bytes, chronicle_paginated_request, ) from secops.exceptions import APIError @@ -655,3 +656,181 @@ def test_chronicle_request_non_json_error_body_is_truncated(client: Mock) -> Non assert "status=500" in msg # Should not include the full 5000 chars, should include truncation marker assert "truncated" in msg + + +# --------------------------------------------------------------------------- +# chronicle_request_bytes() tests +# --------------------------------------------------------------------------- + +def test_chronicle_request_bytes_success_returns_content_and_stream_true(client: Mock) -> None: + resp = _mock_response(status_code=200, json_value={"ignored": True}) + resp.content = b"PK\x03\x04...zip-bytes..." # ZIP magic prefix in real life + client.session.request.return_value = resp + + out = chronicle_request_bytes( + client=client, + method="GET", + endpoint_path="integrations/foo:export", + api_version=APIVersion.V1BETA, + params={"alt": "media"}, + headers={"Accept": "application/zip"}, + ) + + assert out == b"PK\x03\x04...zip-bytes..." + + client.base_url.assert_called_once_with(APIVersion.V1BETA) + client.session.request.assert_called_once_with( + method="GET", + url="https://example.test/chronicle/instances/instance-1/integrations/foo:export", + params={"alt": "media"}, + headers={"Accept": "application/zip"}, + timeout=None, + stream=True, + ) + + +def test_chronicle_request_bytes_builds_url_for_rpc_colon_prefix(client: Mock) -> None: + resp = _mock_response(status_code=200, json_value={"ok": True}) + resp.content = b"binary" + client.session.request.return_value = resp + + out = chronicle_request_bytes( + client=client, + method="POST", + endpoint_path=":exportSomething", + api_version=APIVersion.V1ALPHA, + ) + + assert out == b"binary" + + _, kwargs = client.session.request.call_args + assert kwargs["url"] == "https://example.test/chronicle/instances/instance-1:exportSomething" + assert kwargs["stream"] is True + + +def test_chronicle_request_bytes_accepts_multiple_expected_statuses_set(client: Mock) -> None: + resp = _mock_response(status_code=204, json_value=None) + resp.content = b"" + client.session.request.return_value = resp + + out = chronicle_request_bytes( + client=client, + method="DELETE", + endpoint_path="something", + api_version=APIVersion.V1ALPHA, + expected_status={200, 204}, + ) + + assert out == b"" + + +def test_chronicle_request_bytes_status_mismatch_with_json_includes_json(client: Mock) -> None: + resp = _mock_response(status_code=400, json_value={"error": "bad"}) + resp.content = b"" + client.session.request.return_value = resp + + with pytest.raises( + APIError, + match=r"API request failed: method=GET, " + r"url=https://example\.test/chronicle/instances/instance-1/curatedRules" + r", status=400, response={'error': 'bad'}", + ): + chronicle_request_bytes( + client=client, + method="GET", + endpoint_path="curatedRules", + api_version=APIVersion.V1ALPHA, + ) + + +def test_chronicle_request_bytes_status_mismatch_non_json_includes_text(client: Mock) -> None: + resp = _mock_response(status_code=500, json_raises=True, text="boom") + resp.content = b"" + client.session.request.return_value = resp + + with pytest.raises( + APIError, + match=r"API request failed: method=GET, " + r"url=https://example\.test/chronicle/instances/instance-1/curatedRules, " + r"status=500, response_text=boom", + ): + chronicle_request_bytes( + client=client, + method="GET", + endpoint_path="curatedRules", + api_version=APIVersion.V1ALPHA, + ) + + +def test_chronicle_request_bytes_custom_error_message_used(client: Mock) -> None: + resp = _mock_response(status_code=404, json_value={"message": "not found"}) + resp.content = b"" + client.session.request.return_value = resp + + with pytest.raises( + APIError, + match=r"Failed to download export: method=GET, " + r"url=https://example\.test/chronicle/instances/instance-1/integrations/foo:export, " + r"status=404, response={'message': 'not found'}", + ): + chronicle_request_bytes( + client=client, + method="GET", + endpoint_path="integrations/foo:export", + api_version=APIVersion.V1BETA, + error_message="Failed to download export", + ) + + +def test_chronicle_request_bytes_wraps_requests_exception(client: Mock) -> None: + client.session.request.side_effect = requests.RequestException("no route to host") + + with pytest.raises(APIError) as exc_info: + chronicle_request_bytes( + client=client, + method="GET", + endpoint_path="curatedRules", + api_version=APIVersion.V1ALPHA, + ) + + msg = str(exc_info.value) + assert "API request failed" in msg + assert "method=GET" in msg + assert "url=https://example.test/chronicle/instances/instance-1/curatedRules" in msg + assert "request_error=RequestException" in msg + + +def test_chronicle_request_bytes_wraps_google_auth_error(client: Mock) -> None: + client.session.request.side_effect = GoogleAuthError("invalid_grant") + + with pytest.raises(APIError) as exc_info: + chronicle_request_bytes( + client=client, + method="GET", + endpoint_path="curatedRules", + api_version=APIVersion.V1ALPHA, + ) + + msg = str(exc_info.value) + assert "Google authentication failed" in msg + assert "authentication_error=" in msg + + +def test_chronicle_request_bytes_non_json_error_body_is_truncated(client: Mock) -> None: + long_text = "x" * 5000 + resp = _mock_response(status_code=500, json_raises=True, text=long_text) + resp.content = b"" + resp.headers = {"Content-Type": "text/plain"} + client.session.request.return_value = resp + + with pytest.raises(APIError) as exc_info: + chronicle_request_bytes( + client=client, + method="GET", + endpoint_path="curatedRules", + api_version=APIVersion.V1ALPHA, + ) + + msg = str(exc_info.value) + assert "status=500" in msg + assert "truncated" in msg \ No newline at end of file