|
| 1 | +#!/usr/bin/env python3 |
| 2 | + |
| 3 | +# Copyright 2024 Google LLC |
| 4 | +# |
| 5 | +# Licensed under the Apache License, Version 2.0 (the "License"); |
| 6 | +# you may not use this file except in compliance with the License. |
| 7 | +# You may obtain a copy of the License at |
| 8 | +# |
| 9 | +# http://www.apache.org/licenses/LICENSE-2.0 |
| 10 | +# |
| 11 | +# Unless required by applicable law or agreed to in writing, software |
| 12 | +# distributed under the License is distributed on an "AS IS" BASIS, |
| 13 | +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 14 | +# See the License for the specific language governing permissions and |
| 15 | +# limitations under the License. |
| 16 | +# |
| 17 | +r"""Executable and reusable sample for creating a detection rule. |
| 18 | +
|
| 19 | + HTTP request |
| 20 | + POST https://chronicle.googleapis.com/v1alpha/{parent}/rules |
| 21 | +
|
| 22 | + python3 -m detect.v1alpha.create_rule \ |
| 23 | + --project_instance $project_instance \ |
| 24 | + --project_id $PROJECT_ID \ |
| 25 | + --rule_file=./ip_in_abuseipdb_blocklist.yaral |
| 26 | +
|
| 27 | + Requires the following IAM permission on the parent resource: |
| 28 | + chronicle.rules.create |
| 29 | +
|
| 30 | + API reference: |
| 31 | + https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances.rules/create |
| 32 | + https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances.rules#Rule |
| 33 | +""" |
| 34 | + |
| 35 | +import argparse |
| 36 | +import json |
| 37 | +from typing import Any, Mapping |
| 38 | + |
| 39 | +from google.auth.transport import requests |
| 40 | + |
| 41 | +from common import chronicle_auth |
| 42 | +from common import project_id |
| 43 | +from common import project_instance |
| 44 | +from common import regions |
| 45 | + |
| 46 | +SCOPES = [ |
| 47 | + "https://www.googleapis.com/auth/cloud-platform", |
| 48 | +] |
| 49 | + |
| 50 | + |
| 51 | +def create_rule( |
| 52 | + http_session: requests.AuthorizedSession, |
| 53 | + proj_id: str, |
| 54 | + proj_instance: str, |
| 55 | + proj_region: str, |
| 56 | + rule_file_path: str, |
| 57 | +) -> Mapping[str, Any]: |
| 58 | + """Creates a new detection rule to find matches in logs. |
| 59 | +
|
| 60 | + Args: |
| 61 | + http_session: Authorized session for HTTP requests. |
| 62 | + proj_id: GCP project id or number to which the target instance belongs. |
| 63 | + proj_instance: Customer ID (uuid with dashes) for the Chronicle instance. |
| 64 | + proj_region: region in which the target project is located. |
| 65 | + rule_file_path: Content of the new detection rule, used to evaluate logs. |
| 66 | +
|
| 67 | + Returns: |
| 68 | + New detection rule. |
| 69 | +
|
| 70 | + Raises: |
| 71 | + requests.exceptions.HTTPError: HTTP request resulted in an error |
| 72 | + (response.status_code >= 400). |
| 73 | + """ |
| 74 | + # pylint: disable-next=line-too-long |
| 75 | + parent = f"projects/{proj_id}/locations/{proj_region}/instances/{proj_instance}" |
| 76 | + url = f"https://{proj_region}-chronicle.googleapis.com/v1alpha/{parent}/rules" |
| 77 | + body = { |
| 78 | + "text": rule_file_path.read(), |
| 79 | + } |
| 80 | + response = http_session.request("POST", url, json=body) |
| 81 | + # Expected server response: |
| 82 | + # { |
| 83 | + # # pylint: disable=line-too-long |
| 84 | + # "name": "projects/{project}/locations/{location}/instances/{instance}/rules/{rule_id}", |
| 85 | + # "revisionId": "v_{10_digits}_{9_digits}", |
| 86 | + # "displayName": "{rule_name}", |
| 87 | + # "text": "{rule_content}", |
| 88 | + # "author": str, |
| 89 | + # "severity": { |
| 90 | + # "displayName": str |
| 91 | + # }, |
| 92 | + # "metadata": { |
| 93 | + # "{key_1}": "{value_1}", |
| 94 | + # ... |
| 95 | + # }, |
| 96 | + # "createTime": "yyyy-MM-ddThh:mm:ss.ssssssZ", |
| 97 | + # "revisionCreateTime": "yyyy-MM-ddThh:mm:ss.ssssssZ" |
| 98 | + # "compilationState": "SUCCEEDED", |
| 99 | + # "type": "{{SINGLE,MULTI}_EVENT,RULE_TYPE_UNSPECIFIED}", |
| 100 | + # "referenceLists": [str], |
| 101 | + # "allowedRunFrequencies": [ |
| 102 | + # str, |
| 103 | + # ... |
| 104 | + # ], |
| 105 | + # "etag": str |
| 106 | + # } |
| 107 | + if response.status_code >= 400: |
| 108 | + print(response.text) |
| 109 | + response.raise_for_status() |
| 110 | + return response.json() |
| 111 | + |
| 112 | + |
| 113 | +if __name__ == "__main__": |
| 114 | + parser = argparse.ArgumentParser() |
| 115 | + # common |
| 116 | + chronicle_auth.add_argument_credentials_file(parser) |
| 117 | + project_instance.add_argument_project_instance(parser) |
| 118 | + project_id.add_argument_project_id(parser) |
| 119 | + regions.add_argument_region(parser) |
| 120 | + # local |
| 121 | + parser.add_argument( |
| 122 | + "-f", |
| 123 | + "--rule_file", |
| 124 | + type=argparse.FileType("r"), |
| 125 | + required=True, |
| 126 | + # File example: python3 create_rule.py -f <path> |
| 127 | + # STDIN example: cat rule.txt | python3 create_rule.py -f - |
| 128 | + help="path of a file with the desired rule's content, or - for STDIN", |
| 129 | + ) |
| 130 | + args = parser.parse_args() |
| 131 | + |
| 132 | + auth_session = chronicle_auth.initialize_http_session( |
| 133 | + args.credentials_file, |
| 134 | + SCOPES |
| 135 | + ) |
| 136 | + new_rule = create_rule(auth_session, |
| 137 | + args.project_id, |
| 138 | + args.project_instance, |
| 139 | + args.region, |
| 140 | + args.rule_file) |
| 141 | + print(json.dumps(new_rule, indent=2)) |
0 commit comments