api-samples-python
Expand v1alpha coverage; Add packaging and a CLI
Install the CLI
make install
CLI Commands and Subcommands
# chronicle --help
# top-level subcommands
chronicle detect --help # Detection API commands.
chronicle ingestion --help # Ingestion API commands.
chronicle iocs --help # IoCs API commands.
chronicle lists --help # Lists API commands.
chronicle search --help # Search API commands.
# chronicle detect --help
chronicle detect alerts --help # Alert management commands.
chronicle detect detections --help # Detection management commands.
chronicle detect errors --help # Error management commands.
chronicle detect retrohunts --help # Retrohunt management commands.
chronicle detect rules --help # Rule management commands.
chronicle detect rulesets --help # Rule set deployment commands.
# chronicle detect alerts --help
chronicle detect alerts bulk-update --help # Bulk update alerts matching a filter.
chronicle detect alerts get --help # Get an alert by ID.
chronicle detect alerts update --help # Update an alert.
# chronicle detect detections --help
chronicle detect detections get --help # Get a detection by ID.
chronicle detect detections list --help # List detections.
# chronicle detect errors --help
chronicle detect errors list --help
# chronicle detect retrohunts --help
chronicle detect retrohunts create --help # Create a new retrohunt.
chronicle detect retrohunts get --help # Get a retrohunt by ID.
# chronicle detect rules --help
chronicle detect rules create --help # Create a new rule.
chronicle detect rules delete --help # Delete a rule.
chronicle detect rules enable --help # Enable a rule.
chronicle detect rules get --help # Get a rule by ID.
chronicle detect rules list --help # List rules.
# chronicle detect rulesets --help
chronicle detect rulesets batch-update --help # Batch update rule set deployments.
# chronicle ingestion --help
chronicle ingestion batch-get-events --help # Batch get events by IDs.
chronicle ingestion get-event --help # Get event details by ID.
chronicle ingestion import-events --help # Import events into Chronicle.
# chronicle iocs --help
chronicle iocs batch-get --help # Get multiple IoCs by their values.
chronicle iocs get --help # Get a single IoC by its value.
chronicle iocs get-state --help # Get the state of an IoC by its value.
# chronicle lists --help
chronicle lists create --help # Create a new list.
chronicle lists get --help # Get a list by ID.
chronicle lists patch --help # Update an existing list.
# chronicle search --help
chronicle search find-asset-events --help # Find asset events within a time range.
chronicle search find-raw-logs --help # Find raw logs based on search criteria.
chronicle search find-udm-events --help # Find UDM events based on tokens or event IDs.
chronicle search get-search-query --help # Get a search query by ID.
New API resources
Help on CLI for chronicle detect detections get
❯ chronicle detect detections get --help
Usage: chronicle detect detections get [OPTIONS]
Get a detection by ID.
Options:
--region TEXT Region in which the target project is located. Can
also be set via CHRONICLE_REGION env var.
--project-instance TEXT Customer ID (uuid with dashes) for the Chronicle
instance. Can also be set via CHRONICLE_INSTANCE
env var.
--project-id TEXT GCP project id or number. Can also be set via
CHRONICLE_PROJECT_ID env var.
--credentials-file TEXT Path to service account credentials file. Can also
be set via CHRONICLE_CREDENTIALS_FILE env var.
--env-file TEXT Path to .env file containing configuration
variables.
--detection-id TEXT Identifier for the detection. [required]
--rule-id TEXT Identifier for the rule that created the detection.
CLI Usage example for chronicle detect detections get
❯ chronicle detect detections get \
--detection-id "de_92092e71-3baa-0ebf-f230-4aacc5952c63" \
--rule-id "ru_bf30236c-13af-4a85-a3af-5d58205e10f0"
{
"type": "RULE_DETECTION",
"detection": [
{
"ruleName": "ttp_powershell_decodebase64_ns139797",
...
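The option resolution the help text describes (explicit flag, then the CHRONICLE_* environment variable, then a .env file) is worth checking before any credentialed call goes out, because a stale shell environment can silently point a query at a different region or customer instance. The following is an added example, not code from this PR or from api-samples-python: it resolves the four connection options with that precedence, validates the instance ID as a UUID with dashes and the region against the set the get_detection module accepts, builds the instance resource name, and flags a service-account key file that is missing or readable by other users. Function names, the minimal .env parser and the sample values are this example's own; the `projects/.../locations/.../instances/...` resource-name format is the Chronicle v1alpha one and is not shown on this page.

```python
"""Resolve Chronicle CLI configuration: flag > CHRONICLE_* env var > .env > default.

Added example; not part of api-samples-python. Helper names are this example's own.
"""
import os
import re
import stat
from dataclasses import dataclass
from typing import Dict, Mapping, Optional

# Region choices exactly as enumerated by the get_detection module's --region help.
REGIONS = frozenset({
    "asia-northeast1", "asia-south1", "asia-southeast1", "australia-southeast1",
    "eu", "europe", "europe-west12", "europe-west2", "europe-west3",
    "europe-west6", "europe-west9", "me-central1", "me-central2", "me-west1",
    "northamerica-northeast2", "southamerica-east1", "us",
})

# The CLI help says the instance is a "uuid with dashes"; enforce that shape.
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE)

# Option name -> environment variable, as documented in the CLI help text.
ENV_VARS = {
    "region": "CHRONICLE_REGION",
    "project_instance": "CHRONICLE_INSTANCE",
    "project_id": "CHRONICLE_PROJECT_ID",
    "credentials_file": "CHRONICLE_CREDENTIALS_FILE",
}


def parse_env_file(text: str) -> Dict[str, str]:
    """Minimal KEY=VALUE parser: skips blanks and comments, strips 'export ' and quotes."""
    out: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        out[key.strip()] = value
    return out


@dataclass(frozen=True)
class ChronicleConfig:
    region: str
    project_instance: str
    project_id: str
    credentials_file: Optional[str]

    @property
    def instance_name(self) -> str:
        # Resource name format of the Chronicle v1alpha API (not shown on this page).
        return (f"projects/{self.project_id}/locations/{self.region}"
                f"/instances/{self.project_instance}")


def resolve_config(flags: Mapping[str, Optional[str]], environ: Mapping[str, str],
                   env_file_text: Optional[str] = None) -> ChronicleConfig:
    """Apply precedence flag > process environment > .env file, then validate."""
    env_file = parse_env_file(env_file_text) if env_file_text else {}
    values = {}
    for key, var in ENV_VARS.items():
        values[key] = flags.get(key) or environ.get(var) or env_file.get(var)
    region = values["region"] or "us"  # the get_detection module defaults to us
    if region not in REGIONS:
        raise ValueError(f"unknown region {region!r}; expected one of {sorted(REGIONS)}")
    instance = values["project_instance"]
    if not instance or not UUID_RE.match(instance):
        raise ValueError("project instance must be the customer UUID with dashes")
    project = values["project_id"]
    if not project:
        raise ValueError("project id is required (--project-id or CHRONICLE_PROJECT_ID)")
    return ChronicleConfig(region, instance, project, values["credentials_file"])


def credentials_file_findings(path: str) -> list:
    """Problems with a service-account key file; an empty list means it looks sane."""
    expanded = os.path.expanduser(path)
    try:
        st = os.stat(expanded)
    except FileNotFoundError:
        return [f"not found: {expanded}"]
    findings = []
    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")
    if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("readable by group or others; chmod 600 the key file")
    return findings


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run; the .env file is inline text.
    cfg = resolve_config(
        flags={"region": None, "project_instance": None,
               "project_id": None, "credentials_file": None},
        environ={"CHRONICLE_INSTANCE": "7e977ce4-f45d-43b2-aea0-52f8b66acd80"},
        env_file_text="CHRONICLE_PROJECT_ID=example-project\nCHRONICLE_REGION=europe\n",
    )
    print(cfg.instance_name)
    print(credentials_file_findings("~/.chronicle_credentials.json"))
```

Run it once with an intentionally wrong CHRONICLE_REGION exported in the shell to confirm the check fires before any request is made; the module help's `-r` choices and this list must be kept in step when regions are added.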
Help for detect.v1alpha.get_detection
❯ python3 -m detect.v1alpha.get_detection --help
usage: get_detection.py [-h] [-c CREDENTIALS_FILE] -i PROJECT_INSTANCE -p PROJECT_ID
[-r {asia-northeast1,asia-south1,asia-southeast1,australia-southeast1,eu,europe,europe-west12,europe-west2,europe-west3,europe-west6,europe-west9,me-central1,me-central2,me-west1,northamerica-northeast2,southamerica-east1,us}]
--detection_id DETECTION_ID --rule_id RULE_ID
options:
-h, --help show this help message and exit
-c CREDENTIALS_FILE, --credentials_file CREDENTIALS_FILE
credentials file path (default: '/Users/dandye/.chronicle_credentials.json')
-i PROJECT_INSTANCE, --project_instance PROJECT_INSTANCE
Customer ID for Chronicle instance
-p PROJECT_ID, --project_id PROJECT_ID
Your BYOP, project id
-r {asia-northeast1,asia-south1,asia-southeast1,australia-southeast1,eu,europe,europe-west12,europe-west2,europe-west3,europe-west6,europe-west9,me-central1,me-central2,me-west1,northamerica-northeast2,southamerica-east1,us}, --region {asia-northeast1,asia-south1,asia-southeast1,australia-southeast1,eu,europe,europe-west12,europe-west2,europe-west3,europe-west6,europe-west9,me-central1,me-central2,me-west1,northamerica-northeast2,southamerica-east1,us}
the region where the customer is located (default: us)
--detection_id DETECTION_ID
Identifier for the detection
--rule_id RULE_ID Identifier for the rule that created the detection
Usage example
❯ PROJECT_INSTANCE=7e977ce4-f45d-43b2-aea0-52f8b66acd80
PROJECT_ID=dandye-0324-chronicle
python3 -m detect.v1alpha.get_detection \
--project_instance=$PROJECT_INSTANCE \
--project_id=$PROJECT_ID \
--detection_id "de_92092e71-3baa-0ebf-f230-4aacc5952c63" \
--rule_id "ru_bf30236c-13af-4a85-a3af-5d58205e10f0"
{
"type": "RULE_DETECTION",
"detection": [
{
"ruleName": "ttp_powershell_decodebase64_ns139797",