diff --git a/CLI.md b/CLI.md index 27bf625b..fb9d518b 100644 --- a/CLI.md +++ b/CLI.md @@ -745,6 +745,445 @@ Delete a watchlist: secops watchlist delete --watchlist-id "abc-123-def" ``` +### Integration Management + +#### Integration Jobs + +List integration jobs: + +```bash +# List all jobs for an integration +secops integration jobs list --integration-name "MyIntegration" + +# List jobs as a direct list (fetches all pages automatically) +secops integration jobs list --integration-name "MyIntegration" --as-list + +# List with pagination +secops integration jobs list --integration-name "MyIntegration" --page-size 50 + +# List with filtering +secops integration jobs list --integration-name "MyIntegration" --filter-string "enabled = true" + +# Exclude staging jobs +secops integration jobs list --integration-name "MyIntegration" --exclude-staging +``` + +Get job details: + +```bash +secops integration jobs get --integration-name "MyIntegration" --job-id "job1" +``` + +Create a new job: + +```bash +secops integration jobs create \ + --integration-name "MyIntegration" \ + --display-name "Data Processing Job" \ + --code "def process_data(context): return {'status': 'processed'}" + +# Create with description and custom ID +secops integration jobs create \ + --integration-name "MyIntegration" \ + --display-name "Scheduled Report" \ + --code "def generate_report(context): return report_data()" \ + --description "Daily report generation job" \ + --job-id "daily-report-job" + +# Create with parameters +secops integration jobs create \ + --integration-name "MyIntegration" \ + --display-name "Configurable Job" \ + --code "def run(context, params): return process(params)" \ + --parameters '[{"name":"interval","type":"STRING","required":true}]' +``` + +Update an existing job: + +```bash +# Update display name +secops integration jobs update \ + --integration-name "MyIntegration" \ + --job-id "job1" \ + --display-name "Updated Job Name" + +# Update code +secops integration jobs update \ + --integration-name "MyIntegration" \ + --job-id "job1" \ + --code "def run(context): return {'status': 'updated'}" + +# Update multiple fields with update mask +secops integration jobs update \ + --integration-name "MyIntegration" \ + --job-id "job1" \ + --display-name "New Name" \ + --description "New description" \ + --update-mask "displayName,description" + +# Update parameters +secops integration jobs update \ + --integration-name "MyIntegration" \ + --job-id "job1" \ + --parameters '[{"name":"timeout","type":"INTEGER","required":false}]' +``` + +Delete a job: + +```bash +secops integration jobs delete --integration-name "MyIntegration" --job-id "job1" +``` + +Test a job: + +```bash +secops integration jobs test --integration-name "MyIntegration" --job-id "job1" +``` + +Get job template: + +```bash +secops integration jobs template --integration-name "MyIntegration" +``` + +#### Job Revisions + +List job revisions: + +```bash +# List all revisions for a job +secops integration job-revisions list \ + --integration-name "MyIntegration" \ + --job-id "job1" + +# List revisions as a direct list +secops integration job-revisions list \ + --integration-name "MyIntegration" \ + --job-id "job1" \ + --as-list + +# List with pagination +secops integration job-revisions list \ + --integration-name "MyIntegration" \ + --job-id "job1" \ + --page-size 10 + +# List with filtering and ordering +secops integration job-revisions list \ + --integration-name "MyIntegration" \ + --job-id "job1" \ + --filter-string 'version = "1.0"' \ + --order-by "createTime desc" +``` + +Create a revision backup: + +```bash +# Create revision with comment +secops integration job-revisions create \ + --integration-name "MyIntegration" \ + --job-id "job1" \ + --comment "Backup before refactoring job logic" + +# Create revision without comment +secops integration job-revisions create \ + --integration-name "MyIntegration" \ + --job-id "job1" +``` + +Rollback to a previous revision: + +```bash +secops integration job-revisions rollback \ + --integration-name "MyIntegration" \ + --job-id "job1" \ + --revision-id "r456" +``` + +Delete an old revision: + +```bash +secops integration job-revisions delete \ + --integration-name "MyIntegration" \ + --job-id "job1" \ + --revision-id "r789" +``` + +#### Job Context Properties + +List job context properties: + +```bash +# List all properties for a job context +secops integration job-context-properties list \ + --integration-name "MyIntegration" \ + --job-id "job1" \ + --context-id "mycontext" + +# List properties as a direct list +secops integration job-context-properties list \ + --integration-name "MyIntegration" \ + --job-id "job1" \ + --context-id "mycontext" \ + --as-list + +# List with pagination +secops integration job-context-properties list \ + --integration-name "MyIntegration" \ + --job-id "job1" \ + --context-id "mycontext" \ + --page-size 50 + +# List with filtering +secops integration job-context-properties list \ + --integration-name "MyIntegration" \ + --job-id "job1" \ + --context-id "mycontext" \ + --filter-string 'key = "last_run_time"' +``` + +Get a specific context property: + +```bash +secops integration job-context-properties get \ + --integration-name "MyIntegration" \ + --job-id "job1" \ + --context-id "mycontext" \ + --property-id "prop123" +``` + +Create a new context property: + +```bash +# Store last execution time +secops integration job-context-properties create \ + --integration-name "MyIntegration" \ + --job-id "job1" \ + --context-id "mycontext" \ + --key "last_execution_time" \ + --value "2026-03-09T10:00:00Z" + +# Store job state for resumable operations +secops integration job-context-properties create \ + --integration-name "MyIntegration" \ + --job-id "job1" \ + --context-id "mycontext" \ + --key "processing_offset" \ + --value "1000" +``` + +Update a context property: + +```bash +# Update execution time +secops integration job-context-properties update \ + --integration-name "MyIntegration" \ + --job-id "job1" \ + --context-id "mycontext" \ + --property-id "prop123" \ + --value "2026-03-09T11:00:00Z" +``` + +Delete a context property: + +```bash +secops integration job-context-properties delete \ + --integration-name "MyIntegration" \ + --job-id "job1" \ + --context-id "mycontext" \ + --property-id "prop123" +``` + +Clear all context properties: + +```bash +# Clear all properties for a specific context +secops integration job-context-properties clear-all \ + --integration-name "MyIntegration" \ + --job-id "job1" \ + --context-id "mycontext" +``` + +#### Job Instance Logs + +List job instance logs: + +```bash +# List all logs for a job instance +secops integration job-instance-logs list \ + --integration-name "MyIntegration" \ + --job-id "job1" \ + --job-instance-id "inst123" + +# List logs as a direct list +secops integration job-instance-logs list \ + --integration-name "MyIntegration" \ + --job-id "job1" \ + --job-instance-id "inst123" \ + --as-list + +# List with pagination +secops integration job-instance-logs list \ + --integration-name "MyIntegration" \ + --job-id "job1" \ + --job-instance-id "inst123" \ + --page-size 50 + +# List with filtering (filter by severity or timestamp) +secops integration job-instance-logs list \ + --integration-name "MyIntegration" \ + --job-id "job1" \ + --job-instance-id "inst123" \ + --filter-string 'severity = "ERROR"' \ + --order-by "createTime desc" +``` + +Get a specific log entry: + +```bash +secops integration job-instance-logs get \ + --integration-name "MyIntegration" \ + --job-id "job1" \ + --job-instance-id "inst123" \ + --log-id "log456" +``` + +#### Job Instances + +List job instances: + +```bash +# List all instances for a job +secops integration job-instances list \ + --integration-name "MyIntegration" \ + --job-id "job1" + +# List instances as a direct list +secops integration job-instances list \ + --integration-name "MyIntegration" \ + --job-id "job1" \ + --as-list + +# List with pagination +secops integration job-instances list \ + --integration-name "MyIntegration" \ + --job-id "job1" \ + --page-size 50 + +# List with filtering +secops integration job-instances list \ + --integration-name "MyIntegration" \ + --job-id "job1" \ + --filter-string 'enabled = true' +``` + +Get job instance details: + +```bash +secops integration job-instances get \ + --integration-name "MyIntegration" \ + --job-id "job1" \ + --job-instance-id "inst123" +``` + +Create a new job instance: + +```bash +# Create basic job instance +secops integration job-instances create \ + --integration-name "MyIntegration" \ + --job-id "job1" \ + --environment "production" \ + --display-name "Daily Report Generator" + +# Create with schedule and timeout +secops integration job-instances create \ + --integration-name "MyIntegration" \ + --job-id "job1" \ + --environment "production" \ + --display-name "Hourly Data Sync" \ + --schedule "0 * * * *" \ + --timeout-seconds 300 \ + --enabled + +# Create with parameters +secops integration job-instances create \ + --integration-name "MyIntegration" \ + --job-id "job1" \ + --environment "production" \ + --display-name "Custom Job Instance" \ + --schedule "0 0 * * *" \ + --parameters '[{"name":"batch_size","value":"1000"}]' +``` + +Update a job instance: + +```bash +# Update display name +secops integration job-instances update \ + --integration-name "MyIntegration" \ + --job-id "job1" \ + --job-instance-id "inst123" \ + --display-name "Updated Display Name" + +# Update schedule and timeout +secops integration job-instances update \ + --integration-name "MyIntegration" \ + --job-id "job1" \ + --job-instance-id "inst123" \ + --schedule "0 */2 * * *" \ + --timeout-seconds 600 + +# Enable or disable instance +secops integration job-instances update \ + --integration-name "MyIntegration" \ + --job-id "job1" \ + --job-instance-id "inst123" \ + --enabled true + +# Update multiple fields with update mask +secops integration job-instances update \ + --integration-name "MyIntegration" \ + --job-id "job1" \ + --job-instance-id "inst123" \ + --display-name "New Name" \ + --schedule "0 6 * * *" \ + --update-mask "displayName,schedule" + +# Update parameters +secops integration job-instances update \ + --integration-name "MyIntegration" \ + --job-id "job1" \ + --job-instance-id "inst123" \ + --parameters '[{"name":"batch_size","value":"2000"}]' +``` + +Delete a job instance: + +```bash +secops integration job-instances delete \ + --integration-name "MyIntegration" \ + --job-id "job1" \ + --job-instance-id "inst123" +``` + +Run job instance on demand: + +```bash +# Trigger an immediate execution for testing +secops integration job-instances run-ondemand \ + --integration-name "MyIntegration" \ + --job-id "job1" \ + --job-instance-id "inst123" + +# Run with custom parameters +secops integration job-instances run-ondemand \ + --integration-name "MyIntegration" \ + --job-id "job1" \ + --job-instance-id "inst123" \ + --parameters '[{"name":"batch_size","value":"500"}]' +``` + ### Rule Management List detection rules: @@ -896,7 +1335,6 @@ secops curated-rule search-detections \ --end-time "2024-01-31T23:59:59Z" \ --list-basis "DETECTION_TIME" \ --page-size 50 - ``` List all curated rule sets: @@ -1543,39 +1981,7 @@ secops reference-list create \ secops parser list # Get details of a specific parser -secops parser get --log-type "WINDOWS" --id "pa_12345" - -# Create a custom parser for a new log format -secops parser create \ - --log-type "CUSTOM_APPLICATION" \ - --parser-code-file "/path/to/custom_parser.conf" \ - --validated-on-empty-logs - -# Copy an existing parser as a starting point -secops parser copy --log-type "OKTA" --id "pa_okta_base" - -# Activate your custom parser -secops parser activate --log-type "CUSTOM_APPLICATION" --id "pa_new_custom" - -# If needed, deactivate and delete old parser -secops parser deactivate --log-type "CUSTOM_APPLICATION" --id "pa_old_custom" -secops parser delete --log-type "CUSTOM_APPLICATION" --id "pa_old_custom" -``` - -### Complete Parser Workflow Example: Retrieve, Run, and Ingest - -This example demonstrates the complete workflow of retrieving an OKTA parser, running it against a sample log, and ingesting the parsed UDM event: - -```bash -# Step 1: List OKTA parsers to find an active one -secops parser list --log-type "OKTA" > okta_parsers.json - -# Extract the first parser ID (you can use jq or grep) -PARSER_ID=$(cat okta_parsers.json | jq -r '.[0].name' | awk -F'/' '{print $NF}') -echo "Using parser: $PARSER_ID" - -# Step 2: Get the parser details and save to a file -secops parser get --log-type "OKTA" --id "$PARSER_ID" > parser_details.json +secops parser get --log-type "WINDOWS" --id "$PARSER_ID" > parser_details.json # Extract and decode the parser code (base64 encoded in 'cbn' field) cat parser_details.json | jq -r '.cbn' | base64 -d > okta_parser.conf @@ -1713,7 +2119,7 @@ secops feed update --id "feed-123" --display-name "Updated Feed Name" secops feed update --id "feed-123" --details '{"httpSettings":{"uri":"https://example.com/updated-feed","sourceType":"FILES"}}' # Update both display name and details -secops feed update --id "feed-123" --display-name "Updated Name" --details '{"httpSettings":{"uri":"https://example.com/updated-feed"}}' +secops feed update --id "feed-123" --display-name "New Name" --details '{"httpSettings":{"uri":"https://example.com/updated-feed"}}' ``` Enable and disable feeds: @@ -1854,4 +2260,5 @@ secops dashboard-query get --id query-id ## Conclusion -The SecOps CLI provides a powerful way to interact with Google Security Operations products directly from your terminal. For more detailed information about the SDK capabilities, refer to the [main README](README.md). \ No newline at end of file +The SecOps CLI provides a powerful way to interact with Google Security Operations products directly from your terminal. For more detailed information about the SDK capabilities, refer to the [main README](README.md). + diff --git a/README.md b/README.md index d746ad5a..5d1d3635 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,5 @@ +from tests.chronicle.test_rule_integration import chronicle + # Google SecOps SDK for Python [![PyPI version](https://img.shields.io/pypi/v/secops.svg)](https://pypi.org/project/secops/) @@ -1907,6 +1909,682 @@ for watchlist in watchlists: print(f"Watchlist: {watchlist.get('displayName')}") ``` +## Integration Management + +### Integration Jobs + +List all available jobs for an integration: + +```python +# Get all jobs for an integration +jobs = chronicle.list_integration_jobs("MyIntegration") +for job in jobs.get("jobs", []): + print(f"Job: {job.get('displayName')}, ID: {job.get('name')}") + +# Get all jobs as a list +jobs = chronicle.list_integration_jobs("MyIntegration", as_list=True) + +# Get only custom jobs +jobs = chronicle.list_integration_jobs( + "MyIntegration", + filter_string="custom = true" +) + +# Exclude staging jobs +jobs = chronicle.list_integration_jobs( + "MyIntegration", + exclude_staging=True +) +``` + +Get details of a specific job: + +```python +job = chronicle.get_integration_job( + integration_name="MyIntegration", + job_id="123" +) +``` + +Create an integration job: + +```python +from secops.chronicle.models import JobParameter, ParamType + +new_job = chronicle.create_integration_job( + integration_name="MyIntegration", + display_name="Scheduled Sync Job", + description="Syncs data from external source", + script="print('Running scheduled job...')", + version=1, + enabled=True, + custom=True, + parameters=[ + JobParameter( + id=1, + display_name="Sync Interval", + description="Interval in minutes", + type=ParamType.INT, + mandatory=True, + default_value="60" + ) + ] +) +``` + +Update an integration job: + +```python +from secops.chronicle.models import JobParameter, ParamType + +updated_job = chronicle.update_integration_job( + integration_name="MyIntegration", + job_id="123", + display_name="Updated Job Name", + description="Updated description", + enabled=False, + version=2, + parameters=[ + JobParameter( + id=1, + display_name="New Parameter", + description="Updated parameter", + type=ParamType.STRING, + mandatory=True, + ) + ], + script="print('Updated job script')" +) +``` + +Delete an integration job: + +```python +chronicle.delete_integration_job( + integration_name="MyIntegration", + job_id="123" +) +``` + +Execute a test run of an integration job: + +```python +# Test a job before saving it +job = chronicle.get_integration_job( + integration_name="MyIntegration", + job_id="123" +) + +test_result = chronicle.execute_integration_job_test( + integration_name="MyIntegration", + job=job +) + +print(f"Output: {test_result.get('output')}") +print(f"Debug: {test_result.get('debugOutput')}") + +# Test with a specific agent for remote execution +test_result = chronicle.execute_integration_job_test( + integration_name="MyIntegration", + job=job, + agent_identifier="agent-123" +) +``` + +Get a template for creating a job in an integration: + +```python +template = chronicle.get_integration_job_template("MyIntegration") +print(f"Template script: {template.get('script')}") +``` + +### Integration Job Revisions + +List all revisions for a specific job: + +```python +# Get all revisions for a job +revisions = chronicle.list_integration_job_revisions( + integration_name="MyIntegration", + job_id="456" +) +for revision in revisions.get("revisions", []): + print(f"Revision: {revision.get('name')}, Comment: {revision.get('comment')}") + +# Get all revisions as a list +revisions = chronicle.list_integration_job_revisions( + integration_name="MyIntegration", + job_id="456", + as_list=True +) + +# Filter revisions by version +revisions = chronicle.list_integration_job_revisions( + integration_name="MyIntegration", + job_id="456", + filter_string='version = "2"', + order_by="createTime desc" +) +``` + +Delete a job revision: + +```python +chronicle.delete_integration_job_revision( + integration_name="MyIntegration", + job_id="456", + revision_id="r2" +) +``` + +Create a new job revision snapshot: + +```python +# Get the current job +job = chronicle.get_integration_job( + integration_name="MyIntegration", + job_id="456" +) + +# Create a revision before making changes +revision = chronicle.create_integration_job_revision( + integration_name="MyIntegration", + job_id="456", + job=job, + comment="Backup before scheduled update" +) +print(f"Created revision: {revision.get('name')}") +``` + +Rollback to a previous job revision: + +```python +# Rollback to a previous working version +rollback_result = chronicle.rollback_integration_job_revision( + integration_name="MyIntegration", + job_id="456", + revision_id="r2" +) +print(f"Rolled back to: {rollback_result.get('name')}") +``` + +### Integration Job Instances + +List all job instances for a specific job: + +```python +# Get all job instances for a job +job_instances = chronicle.list_integration_job_instances( + integration_name="MyIntegration", + job_id="456" +) +for instance in job_instances.get("jobInstances", []): + print(f"Instance: {instance.get('displayName')}, Enabled: {instance.get('enabled')}") + +# Get all job instances as a list +job_instances = chronicle.list_integration_job_instances( + integration_name="MyIntegration", + job_id="456", + as_list=True +) + +# Filter job instances +job_instances = chronicle.list_integration_job_instances( + integration_name="MyIntegration", + job_id="456", + filter_string="enabled = true", + order_by="displayName" +) +``` + +Get details of a specific job instance: + +```python +job_instance = chronicle.get_integration_job_instance( + integration_name="MyIntegration", + job_id="456", + job_instance_id="ji1" +) +print(f"Interval: {job_instance.get('intervalSeconds')} seconds") +``` + +Create a new job instance: + +```python +from secops.chronicle.models import IntegrationJobInstanceParameter + +# Create a job instance with basic scheduling (interval-based) +new_job_instance = chronicle.create_integration_job_instance( + integration_name="MyIntegration", + job_id="456", + display_name="Daily Data Sync", + description="Syncs data from external source daily", + interval_seconds=86400, # 24 hours + enabled=True, + advanced=False, + parameters=[ + IntegrationJobInstanceParameter(value="production"), + IntegrationJobInstanceParameter(value="https://api.example.com") + ] +) +``` + +Create a job instance with advanced scheduling: + +```python +from secops.chronicle.models import ( + AdvancedConfig, + ScheduleType, + DailyScheduleDetails, + Date, + TimeOfDay +) + +# Create with daily schedule +advanced_job_instance = chronicle.create_integration_job_instance( + integration_name="MyIntegration", + job_id="456", + display_name="Daily Backup at 2 AM", + interval_seconds=86400, + enabled=True, + advanced=True, + advanced_config=AdvancedConfig( + time_zone="America/New_York", + schedule_type=ScheduleType.DAILY, + daily_schedule=DailyScheduleDetails( + start_date=Date(year=2025, month=1, day=1), + time=TimeOfDay(hours=2, minutes=0), + interval=1 # Every 1 day + ) + ), + agent="agent-123" # For remote execution +) +``` + +Create a job instance with weekly schedule: + +```python +from secops.chronicle.models import ( + AdvancedConfig, + ScheduleType, + WeeklyScheduleDetails, + DayOfWeek, + Date, + TimeOfDay +) + +# Run every Monday and Friday at 9 AM +weekly_job_instance = chronicle.create_integration_job_instance( + integration_name="MyIntegration", + job_id="456", + display_name="Weekly Report", + interval_seconds=604800, # 1 week + enabled=True, + advanced=True, + advanced_config=AdvancedConfig( + time_zone="UTC", + schedule_type=ScheduleType.WEEKLY, + weekly_schedule=WeeklyScheduleDetails( + start_date=Date(year=2025, month=1, day=1), + days=[DayOfWeek.MONDAY, DayOfWeek.FRIDAY], + time=TimeOfDay(hours=9, minutes=0), + interval=1 # Every 1 week + ) + ) +) +``` + +Create a job instance with monthly schedule: + +```python +from secops.chronicle.models import ( + AdvancedConfig, + ScheduleType, + MonthlyScheduleDetails, + Date, + TimeOfDay +) + +# Run on the 1st of every month at midnight +monthly_job_instance = chronicle.create_integration_job_instance( + integration_name="MyIntegration", + job_id="456", + display_name="Monthly Cleanup", + interval_seconds=2592000, # ~30 days + enabled=True, + advanced=True, + advanced_config=AdvancedConfig( + time_zone="America/Los_Angeles", + schedule_type=ScheduleType.MONTHLY, + monthly_schedule=MonthlyScheduleDetails( + start_date=Date(year=2025, month=1, day=1), + day=1, # Day of month (1-31) + time=TimeOfDay(hours=0, minutes=0), + interval=1 # Every 1 month + ) + ) +) +``` + +Create a one-time job instance: + +```python +from secops.chronicle.models import ( + AdvancedConfig, + ScheduleType, + OneTimeScheduleDetails, + Date, + TimeOfDay +) + +# Run once at a specific date and time +onetime_job_instance = chronicle.create_integration_job_instance( + integration_name="MyIntegration", + job_id="456", + display_name="One-Time Migration", + interval_seconds=0, # Not used for one-time + enabled=True, + advanced=True, + advanced_config=AdvancedConfig( + time_zone="Europe/London", + schedule_type=ScheduleType.ONCE, + one_time_schedule=OneTimeScheduleDetails( + start_date=Date(year=2025, month=12, day=25), + time=TimeOfDay(hours=10, minutes=30) + ) + ) +) +``` + +Update a job instance: + +```python +from secops.chronicle.models import IntegrationJobInstanceParameter + +# Update scheduling and enable/disable +updated_instance = chronicle.update_integration_job_instance( + integration_name="MyIntegration", + job_id="456", + job_instance_id="ji1", + display_name="Updated Sync Job", + interval_seconds=43200, # 12 hours + enabled=False +) + +# Update parameters +updated_instance = chronicle.update_integration_job_instance( + integration_name="MyIntegration", + job_id="456", + job_instance_id="ji1", + parameters=[ + IntegrationJobInstanceParameter(value="staging"), + IntegrationJobInstanceParameter(value="https://staging-api.example.com") + ] +) + +# Update to use advanced scheduling +from secops.chronicle.models import ( + AdvancedConfig, + ScheduleType, + DailyScheduleDetails, + Date, + TimeOfDay +) + +updated_instance = chronicle.update_integration_job_instance( + integration_name="MyIntegration", + job_id="456", + job_instance_id="ji1", + advanced=True, + advanced_config=AdvancedConfig( + time_zone="UTC", + schedule_type=ScheduleType.DAILY, + daily_schedule=DailyScheduleDetails( + start_date=Date(year=2025, month=1, day=1), + time=TimeOfDay(hours=12, minutes=0), + interval=1 + ) + ) +) + +# Update only specific fields +updated_instance = chronicle.update_integration_job_instance( + integration_name="MyIntegration", + job_id="456", + job_instance_id="ji1", + enabled=True, + update_mask="enabled" +) +``` + +Delete a job instance: + +```python +chronicle.delete_integration_job_instance( + integration_name="MyIntegration", + job_id="456", + job_instance_id="ji1" +) +``` + +Run a job instance on demand: + +```python +# Run immediately without waiting for schedule +result = chronicle.run_integration_job_instance_on_demand( + integration_name="MyIntegration", + job_id="456", + job_instance_id="ji1" +) +print(f"Job execution started: {result}") + +# Run with parameter overrides +result = chronicle.run_integration_job_instance_on_demand( + integration_name="MyIntegration", + job_id="456", + job_instance_id="ji1", + parameters=[ + IntegrationJobInstanceParameter(id=1, value="test-mode") + ] +) +``` + +### Job Context Properties + +List all context properties for a job: + +```python +# Get all context properties for a job +context_properties = chronicle.list_job_context_properties( + integration_name="MyIntegration", + job_id="456" +) +for prop in context_properties.get("contextProperties", []): + print(f"Key: {prop.get('key')}, Value: {prop.get('value')}") + +# Get all context properties as a list +context_properties = chronicle.list_job_context_properties( + integration_name="MyIntegration", + job_id="456", + as_list=True +) + +# Filter context properties +context_properties = chronicle.list_job_context_properties( + integration_name="MyIntegration", + job_id="456", + filter_string='key = "api-token"', + order_by="key" +) +``` + +Get a specific context property: + +```python +property_value = chronicle.get_job_context_property( + integration_name="MyIntegration", + job_id="456", + context_property_id="api-endpoint" +) +print(f"Value: {property_value.get('value')}") +``` + +Create a new context property: + +```python +# Create with auto-generated key +new_property = chronicle.create_job_context_property( + integration_name="MyIntegration", + job_id="456", + value="https://api.example.com/v2" +) +print(f"Created property: {new_property.get('key')}") + +# Create with custom key (must be 4-63 chars, match /[a-z][0-9]-/) +new_property = chronicle.create_job_context_property( + integration_name="MyIntegration", + job_id="456", + value="my-secret-token", + key="apitoken" +) +``` + +Update a context property: + +```python +# Update the value of an existing property +updated_property = chronicle.update_job_context_property( + integration_name="MyIntegration", + job_id="456", + context_property_id="api-endpoint", + value="https://api.example.com/v3" +) +print(f"Updated to: {updated_property.get('value')}") +``` + +Delete a context property: + +```python +chronicle.delete_job_context_property( + integration_name="MyIntegration", + job_id="456", + context_property_id="api-endpoint" +) +``` + +Delete all context properties: + +```python +# Clear all context properties for a job +chronicle.delete_all_job_context_properties( + integration_name="MyIntegration", + job_id="456" +) + +# Clear all properties for a specific context ID +chronicle.delete_all_job_context_properties( + integration_name="MyIntegration", + job_id="456", + context_id="mycontext" +) +``` + +### Job Instance Logs + +List all execution logs for a job instance: + +```python +# Get all logs for a job instance +logs = chronicle.list_job_instance_logs( + integration_name="MyIntegration", + job_id="456", + job_instance_id="ji1" +) +for log in logs.get("logs", []): + print(f"Log ID: {log.get('name')}, Status: {log.get('status')}") + print(f"Start: {log.get('startTime')}, End: {log.get('endTime')}") + +# Get all logs as a list +logs = chronicle.list_job_instance_logs( + integration_name="MyIntegration", + job_id="456", + job_instance_id="ji1", + as_list=True +) + +# Filter logs by status +logs = chronicle.list_job_instance_logs( + integration_name="MyIntegration", + job_id="456", + job_instance_id="ji1", + filter_string="status = SUCCESS", + order_by="startTime desc" +) +``` + +Get a specific log entry: + +```python +log_entry = chronicle.get_job_instance_log( + integration_name="MyIntegration", + job_id="456", + job_instance_id="ji1", + log_id="log123" +) +print(f"Status: {log_entry.get('status')}") +print(f"Start Time: {log_entry.get('startTime')}") +print(f"End Time: {log_entry.get('endTime')}") +print(f"Output: {log_entry.get('output')}") +``` + +Browse historical execution logs to monitor job performance: + +```python +# Get recent logs for monitoring +recent_logs = chronicle.list_job_instance_logs( + integration_name="MyIntegration", + job_id="456", + job_instance_id="ji1", + order_by="startTime desc", + page_size=10, + as_list=True +) + +# Check for failures +for log in recent_logs: + if log.get("status") == "FAILED": + print(f"Failed execution at {log.get('startTime')}") + log_details = chronicle.get_job_instance_log( + integration_name="MyIntegration", + job_id="456", + job_instance_id="ji1", + log_id=log.get("name").split("/")[-1] + ) + print(f"Error output: {log_details.get('output')}") +``` + +Monitor job reliability and performance: + +```python +# Get all logs to calculate success rate +all_logs = chronicle.list_job_instance_logs( + integration_name="MyIntegration", + job_id="456", + job_instance_id="ji1", + as_list=True +) + +successful = sum(1 for log in all_logs if log.get("status") == "SUCCESS") +failed = sum(1 for log in all_logs if log.get("status") == "FAILED") +total = len(all_logs) + +if total > 0: + success_rate = (successful / total) * 100 + print(f"Success Rate: {success_rate:.2f}%") + print(f"Total Executions: {total}") + print(f"Successful: {successful}, Failed: {failed}") +``` + ## Rule Management The SDK provides comprehensive support for managing Chronicle detection rules: diff --git a/api_module_mapping.md b/api_module_mapping.md index bcfa632d..3d006a93 100644 --- a/api_module_mapping.md +++ b/api_module_mapping.md @@ -7,10 +7,643 @@ Following shows mapping between SecOps [REST Resource](https://cloud.google.com/ ## Implementation Statistics - **v1:** 17 endpoints implemented -- **v1alpha:** 113 endpoints implemented +- **v1beta:** 88 endpoints implemented +- **v1alpha:** 203 endpoints implemented ## Endpoint Mapping +| REST Resource | Version | secops-wrapper module | CLI Command | +|--------------------------------------------------------------------------------|---------|------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------| +| dataAccessLabels.create | v1 | | | +| dataAccessLabels.delete | v1 | | | +| dataAccessLabels.get | v1 | | | +| dataAccessLabels.list | v1 | | | +| dataAccessLabels.patch | v1 | | | +| dataAccessScopes.create | v1 | | | +| dataAccessScopes.delete | v1 | | | +| dataAccessScopes.get | v1 | | | +| dataAccessScopes.list | v1 | | | +| dataAccessScopes.patch | v1 | | | +| get | v1 | | | +| operations.cancel | v1 | | | +| operations.delete | v1 | | | +| operations.get | v1 | | | +| operations.list | v1 | | | +| referenceLists.create | v1 | chronicle.reference_list.create_reference_list | secops reference-list create | +| referenceLists.get | v1 | chronicle.reference_list.get_reference_list | secops reference-list get | +| referenceLists.list | v1 | chronicle.reference_list.list_reference_lists | secops reference-list list | +| referenceLists.patch | v1 | chronicle.reference_list.update_reference_list | secops reference-list update | +| rules.create | v1 | chronicle.rule.create_rule | secops rule create | +| rules.delete | v1 | chronicle.rule.delete_rule | secops rule delete | +| rules.deployments.list | v1 | | | +| rules.get | v1 | chronicle.rule.get_rule | secops rule get | +| rules.getDeployment | v1 | | | +| rules.list | v1 | chronicle.rule.list_rules | secops rule list | +| rules.listRevisions | v1 | | | +| rules.patch | v1 | chronicle.rule.update_rule | secops rule update | +| rules.retrohunts.create | v1 | chronicle.rule_retrohunt.create_retrohunt | secops rule-retrohunt create | +| rules.retrohunts.get | v1 | chronicle.rule_retrohunt.get_retrohunt | secops rule-retrohunt get | +| rules.retrohunts.list | v1 | chronicle.rule_retrohunt.list_retrohunts | secops rule-retrohunt list | +| rules.updateDeployment | v1 | chronicle.rule.enable_rule | secops rule enable | +| watchlists.create | v1 | chronicle.watchlist.create_watchlist | secops watchlist create | +| watchlists.delete | v1 | chronicle.watchlist.delete_watchlist | secops watchlist delete | +| watchlists.get | v1 | chronicle.watchlist.get_watchlist | secops watchlist get | +| watchlists.list | v1 | chronicle.watchlist.list_watchlists | secops watchlist list | +| watchlists.patch | v1 | chronicle.watchlist.update_watchlist | secops watchlist update | +| dataAccessLabels.create | v1beta | | | +| dataAccessLabels.delete | v1beta | | | +| dataAccessLabels.get | v1beta | | | +| dataAccessLabels.list | v1beta | | | +| dataAccessLabels.patch | v1beta | | | +| dataAccessScopes.create | v1beta | | | +| dataAccessScopes.delete | v1beta | | | +| dataAccessScopes.get | v1beta | | | +| dataAccessScopes.list | v1beta | | | +| dataAccessScopes.patch | v1beta | | | +| get | v1beta | | | +| integrations.create | v1beta | | | +| integrations.delete | v1beta | chronicle.integration.integrations.delete_integration | secops integration integrations delete | +| integrations.download | v1beta | chronicle.integration.integrations.download_integration | secops integration integrations download | +| integrations.downloadDependency | v1beta | chronicle.integration.integrations.download_integration_dependency | secops integration integrations download-dependency | +| integrations.exportIntegrationItems | v1beta | chronicle.integration.integrations.export_integration_items | secops integration integrations export-items | +| integrations.fetchAffectedItems | v1beta | chronicle.integration.integrations.get_integration_affected_items | secops integration integrations get-affected-items | +| integrations.fetchAgentIntegrations | v1beta | chronicle.integration.integrations.get_agent_integrations | secops integration integrations get-agent | +| integrations.fetchCommercialDiff | v1beta | chronicle.integration.integrations.get_integration_diff | secops integration integrations get-diff | +| integrations.fetchDependencies | v1beta | chronicle.integration.integrations.get_integration_dependencies | secops integration integrations get-dependencies | +| integrations.fetchRestrictedAgents | v1beta | chronicle.integration.integrations.get_integration_restricted_agents | secops integration integrations get-restricted-agents | +| integrations.get | v1beta | chronicle.integration.integrations.get_integration | secops integration integrations get | +| integrations.getFetchProductionDiff | v1beta | chronicle.integration.integrations.get_integration_diff(diff_type=DiffType.PRODUCTION) | secops integration integrations get-diff | +| integrations.getFetchStagingDiff | v1beta | chronicle.integration.integrations.get_integration_diff(diff_type=DiffType.STAGING) | secops integration integrations get-diff | +| integrations.import | v1beta | | | +| integrations.importIntegrationDependency | v1beta | | | +| integrations.importIntegrationItems | v1beta | | | +| integrations.list | v1beta | chronicle.integration.integrations.list_integrations | secops integration integrations list | +| integrations.patch | v1beta | | | +| integrations.pushToProduction | v1beta | chronicle.integration.integrations.transition_integration(target_mode=TargetMode.PRODUCTION) | secops integration integrations transition | +| integrations.pushToStaging | v1beta | chronicle.integration.integrations.transition_integration(target_mode=TargetMode.STAGING) | secops integration integrations transition | +| integrations.updateCustomIntegration | v1beta | | | +| integrations.upload | v1beta | | | +| integrations.actions.create | v1beta | chronicle.integration.actions.create_integration_action | secops integration actions create | +| integrations.actions.delete | v1beta | chronicle.integration.actions.delete_integration_action | secops integration actions delete | +| integrations.actions.executeTest | v1beta | chronicle.integration.actions.execute_integration_action_test | secops integration actions test | +| integrations.actions.fetchActionsByEnvironment | v1beta | chronicle.integration.actions.get_integration_actions_by_environment | | +| integrations.actions.fetchTemplate | v1beta | chronicle.integration.actions.get_integration_action_template | secops integration actions template | +| integrations.actions.get | v1beta | chronicle.integration.actions.get_integration_action | secops integration actions get | +| integrations.actions.list | v1beta | chronicle.integration.actions.list_integration_actions | secops integration actions list | +| integrations.actions.patch | v1beta | chronicle.integration.actions.update_integration_action | secops integration actions update | +| integrations.actions.revisions.create | v1beta | chronicle.integration.action_revisions.create_integration_action_revision | secops integration action-revisions create | +| integrations.actions.revisions.delete | v1beta | chronicle.integration.action_revisions.delete_integration_action_revision | secops integration action-revisions delete | +| integrations.actions.revisions.list | v1beta | chronicle.integration.action_revisions.list_integration_action_revisions | secops integration action-revisions list | +| integrations.actions.revisions.rollback | v1beta | chronicle.integration.action_revisions.rollback_integration_action_revision | secops integration action-revisions rollback | +| integrations.connectors.create | v1beta | chronicle.integration.connectors.create_integration_connector | secops integration connectors create | +| integrations.connectors.delete | v1beta | chronicle.integration.connectors.delete_integration_connector | secops integration connectors delete | +| integrations.connectors.executeTest | v1beta | chronicle.integration.connectors.execute_integration_connector_test | secops integration connectors test | +| integrations.connectors.fetchTemplate | v1beta | chronicle.integration.connectors.get_integration_connector_template | secops integration connectors template | +| integrations.connectors.get | v1beta | chronicle.integration.connectors.get_integration_connector | secops integration connectors get | +| integrations.connectors.list | v1beta | chronicle.integration.connectors.list_integration_connectors | secops integration connectors list | +| integrations.connectors.patch | v1beta | chronicle.integration.connectors.update_integration_connector | secops integration connectors update | +| integrations.connectors.revisions.create | v1beta | chronicle.integration.connector_revisions.create_integration_connector_revision | secops integration connector-revisions create | +| integrations.connectors.revisions.delete | v1beta | chronicle.integration.connector_revisions.delete_integration_connector_revision | secops integration connector-revisions delete | +| integrations.connectors.revisions.list | v1beta | chronicle.integration.connector_revisions.list_integration_connector_revisions | secops integration connector-revisions list | +| integrations.connectors.revisions.rollback | v1beta | chronicle.integration.connector_revisions.rollback_integration_connector_revision | secops integration connector-revisions rollback| +| integrations.connectors.contextProperties.clearAll | v1beta | chronicle.integration.connector_context_properties.delete_all_connector_context_properties | secops integration connector-context-properties delete-all | +| integrations.connectors.contextProperties.create | v1beta | chronicle.integration.connector_context_properties.create_connector_context_property | secops integration connector-context-properties create | +| integrations.connectors.contextProperties.delete | v1beta | chronicle.integration.connector_context_properties.delete_connector_context_property | secops integration connector-context-properties delete | +| integrations.connectors.contextProperties.get | v1beta | chronicle.integration.connector_context_properties.get_connector_context_property | secops integration connector-context-properties get | +| integrations.connectors.contextProperties.list | v1beta | chronicle.integration.connector_context_properties.list_connector_context_properties | secops integration connector-context-properties list | +| integrations.connectors.contextProperties.patch | v1beta | chronicle.integration.connector_context_properties.update_connector_context_property | secops integration connector-context-properties update | +| integrations.connectors.connectorInstances.logs.get | v1beta | chronicle.integration.connector_instance_logs.get_connector_instance_log | secops integration connector-instance-logs get | +| integrations.connectors.connectorInstances.logs.list | v1beta | chronicle.integration.connector_instance_logs.list_connector_instance_logs | secops integration connector-instance-logs list| +| integrations.connectors.connectorInstances.create | v1beta | chronicle.integration.connector_instances.create_connector_instance | secops integration connector-instances create | +| integrations.connectors.connectorInstances.delete | v1beta | chronicle.integration.connector_instances.delete_connector_instance | secops integration connector-instances delete | +| integrations.connectors.connectorInstances.fetchLatestDefinition | v1beta | chronicle.integration.connector_instances.get_connector_instance_latest_definition | secops integration connector-instances get-latest-definition | +| integrations.connectors.connectorInstances.get | v1beta | chronicle.integration.connector_instances.get_connector_instance | secops integration connector-instances get | +| integrations.connectors.connectorInstances.list | v1beta | chronicle.integration.connector_instances.list_connector_instances | secops integration connector-instances list | +| integrations.connectors.connectorInstances.patch | v1beta | chronicle.integration.connector_instances.update_connector_instance | secops integration connector-instances update | +| integrations.connectors.connectorInstances.runOnDemand | v1beta | chronicle.integration.connector_instances.run_connector_instance_on_demand | secops integration connector-instances run-on-demand | +| integrations.connectors.connectorInstances.setLogsCollection | v1beta | chronicle.integration.connector_instances.set_connector_instance_logs_collection | secops integration connector-instances set-logs-collection | +| integrations.integrationInstances.create | v1beta | chronicle.integration.integration_instances.create_integration_instance | secops integration instances create | +| integrations.integrationInstances.delete | v1beta | chronicle.integration.integration_instances.delete_integration_instance | secops integration instances delete | +| integrations.integrationInstances.executeTest | v1beta | chronicle.integration.integration_instances.execute_integration_instance_test | secops integration instances test | +| integrations.integrationInstances.fetchAffectedItems | v1beta | chronicle.integration.integration_instances.get_integration_instance_affected_items | secops integration instances get-affected-items| +| integrations.integrationInstances.fetchDefaultInstance | v1beta | chronicle.integration.integration_instances.get_default_integration_instance | secops integration instances get-default | +| integrations.integrationInstances.get | v1beta | chronicle.integration.integration_instances.get_integration_instance | secops integration instances get | +| integrations.integrationInstances.list | v1beta | chronicle.integration.integration_instances.list_integration_instances | secops integration instances list | +| integrations.integrationInstances.patch | v1beta | chronicle.integration.integration_instances.update_integration_instance | secops integration instances update | +| integrations.jobs.create | v1beta | chronicle.integration.jobs.create_integration_job | secops integration jobs create | +| integrations.jobs.delete | v1beta | chronicle.integration.jobs.delete_integration_job | secops integration jobs delete | +| integrations.jobs.executeTest | v1beta | chronicle.integration.jobs.execute_integration_job_test | secops integration jobs test | +| integrations.jobs.fetchTemplate | v1beta | chronicle.integration.jobs.get_integration_job_template | secops integration jobs template | +| integrations.jobs.get | v1beta | chronicle.integration.jobs.get_integration_job | secops integration jobs get | +| integrations.jobs.list | v1beta | chronicle.integration.jobs.list_integration_jobs | secops integration jobs list | +| integrations.jobs.patch | v1beta | chronicle.integration.jobs.update_integration_job | secops integration jobs update | +| integrations.managers.create | v1beta | chronicle.integration.managers.create_integration_manager | secops integration managers create | +| integrations.managers.delete | v1beta | chronicle.integration.managers.delete_integration_manager | secops integration managers delete | +| integrations.managers.fetchTemplate | v1beta | chronicle.integration.managers.get_integration_manager_template | secops integration managers template | +| integrations.managers.get | v1beta | chronicle.integration.managers.get_integration_manager | secops integration managers get | +| integrations.managers.list | v1beta | chronicle.integration.managers.list_integration_managers | secops integration managers list | +| integrations.managers.patch | v1beta | chronicle.integration.managers.update_integration_manager | secops integration managers update | +| integrations.managers.revisions.create | v1beta | chronicle.integration.manager_revisions.create_integration_manager_revision | secops integration manager-revisions create | +| integrations.managers.revisions.delete | v1beta | chronicle.integration.manager_revisions.delete_integration_manager_revision | secops integration manager-revisions delete | +| integrations.managers.revisions.get | v1beta | chronicle.integration.manager_revisions.get_integration_manager_revision | secops integration manager-revisions get | +| integrations.managers.revisions.list | v1beta | chronicle.integration.manager_revisions.list_integration_manager_revisions | secops integration manager-revisions list | +| integrations.managers.revisions.rollback | v1beta | chronicle.integration.manager_revisions.rollback_integration_manager_revision | secops integration manager-revisions rollback | +| integrations.jobs.revisions.create | v1beta | chronicle.integration.job_revisions.create_integration_job_revision | secops integration job-revisions create | +| integrations.jobs.revisions.delete | v1beta | chronicle.integration.job_revisions.delete_integration_job_revision | secops integration job-revisions delete | +| integrations.jobs.revisions.list | v1beta | chronicle.integration.job_revisions.list_integration_job_revisions | secops integration job-revisions list | +| integrations.jobs.revisions.rollback | v1beta | chronicle.integration.job_revisions.rollback_integration_job_revision | secops integration job-revisions rollback | +| integrations.jobs.jobInstances.create | v1beta | chronicle.integration.job_instances.create_integration_job_instance | secops integration job-instances create | +| integrations.jobs.jobInstances.delete | v1beta | chronicle.integration.job_instances.delete_integration_job_instance | secops integration job-instances delete | +| integrations.jobs.jobInstances.get | v1beta | chronicle.integration.job_instances.get_integration_job_instance | secops integration job-instances get | +| integrations.jobs.jobInstances.list | v1beta | chronicle.integration.job_instances.list_integration_job_instances | secops integration job-instances list | +| integrations.jobs.jobInstances.patch | v1beta | chronicle.integration.job_instances.update_integration_job_instance | secops integration job-instances update | +| integrations.jobs.jobInstances.runOnDemand | v1beta | chronicle.integration.job_instances.run_integration_job_instance_on_demand | secops integration job-instances run-on-demand | +| integrations.jobs.contextProperties.clearAll | v1beta | chronicle.integration.job_context_properties.delete_all_job_context_properties | secops integration job-context-properties delete-all | +| integrations.jobs.contextProperties.create | v1beta | chronicle.integration.job_context_properties.create_job_context_property | secops integration job-context-properties create | +| integrations.jobs.contextProperties.delete | v1beta | chronicle.integration.job_context_properties.delete_job_context_property | secops integration job-context-properties delete | +| integrations.jobs.contextProperties.get | v1beta | chronicle.integration.job_context_properties.get_job_context_property | secops integration job-context-properties get | +| integrations.jobs.contextProperties.list | v1beta | chronicle.integration.job_context_properties.list_job_context_properties | secops integration job-context-properties list | +| integrations.jobs.contextProperties.patch | v1beta | chronicle.integration.job_context_properties.update_job_context_property | secops integration job-context-properties update | +| integrations.jobs.jobInstances.logs.get | v1beta | chronicle.integration.job_instance_logs.get_job_instance_log | secops integration job-instance-logs get | +| integrations.jobs.jobInstances.logs.list | v1beta | chronicle.integration.job_instance_logs.list_job_instance_logs | secops integration job-instance-logs list | +| marketplaceIntegrations.get | v1beta | chronicle.marketplace_integrations.get_marketplace_integration | secops integration marketplace get | +| marketplaceIntegrations.getDiff | v1beta | chronicle.marketplace_integrations.get_marketplace_integration_diff | secops integration marketplace diff | +| marketplaceIntegrations.install | v1beta | chronicle.marketplace_integrations.install_marketplace_integration | secops integration marketplace install | +| marketplaceIntegrations.list | v1beta | chronicle.marketplace_integrations.list_marketplace_integrations | secops integration marketplace list | +| marketplaceIntegrations.uninstall | v1beta | chronicle.marketplace_integrations.uninstall_marketplace_integration | secops integration marketplace uninstall | +| operations.cancel | v1beta | | | +| operations.delete | v1beta | | | +| operations.get | v1beta | | | +| operations.list | v1beta | | | +| referenceLists.create | v1beta | | | +| referenceLists.get | v1beta | | | +| referenceLists.list | v1beta | | | +| referenceLists.patch | v1beta | | | +| rules.create | v1beta | | | +| rules.delete | v1beta | | | +| rules.deployments.list | v1beta | | | +| rules.get | v1beta | | | +| rules.getDeployment | v1beta | | | +| rules.list | v1beta | | | +| rules.listRevisions | v1beta | | | +| rules.patch | v1beta | | | +| rules.retrohunts.create | v1beta | | | +| rules.retrohunts.get | v1beta | | | +| rules.retrohunts.list | v1beta | | | +| rules.updateDeployment | v1beta | | | +| watchlists.create | v1beta | | | +| watchlists.delete | v1beta | | | +| watchlists.get | v1beta | | | +| watchlists.list | v1beta | | | +| watchlists.patch | v1beta | | | +| analytics.entities.analyticValues.list | v1alpha | | | +| analytics.list | v1alpha | | | +| batchValidateWatchlistEntities | v1alpha | | | +| bigQueryAccess.provide | v1alpha | | | +| bigQueryExport.provision | v1alpha | | | +| cases.countPriorities | v1alpha | | | +| contentHub.featuredContentRules.list | v1alpha | chronicle.featured_content_rules.list_featured_content_rules | secops featured-content-rules list | +| curatedRuleSetCategories.curatedRuleSets.curatedRuleSetDeployments.batchUpdate | v1alpha | chronicle.rule_set.batch_update_curated_rule_set_deployments | | +| curatedRuleSetCategories.curatedRuleSets.curatedRuleSetDeployments.patch | v1alpha | chronicle.rule_set.update_curated_rule_set_deployment | secops curated-rule rule-set-deployment update | +| curatedRuleSetCategories.curatedRuleSets.curatedRuleSetDeployments.list | v1alpha | chronicle.rule_set.list_curated_rule_set_deployments | secops curated-rule rule-set-deployment list | +| curatedRuleSetCategories.curatedRuleSets.curatedRuleSetDeployments.get | v1alpha | chronicle.rule_set.get_curated_rule_set_deployment
chronicle.rule_set.get_curated_rule_set_deployment_by_name | secops curated-rule rule-set-deployment get | +| curatedRuleSetCategories.curatedRuleSets.get | v1alpha | chronicle.rule_set.get_curated_rule_set | secops curated-rule rule-set get | +| curatedRuleSetCategories.curatedRuleSets.list | v1alpha | chronicle.rule_set.list_curated_rule_sets | secops curated-rule rule-set list | +| curatedRuleSetCategories.get | v1alpha | chronicle.rule_set.get_curated_rule_set_category | secops curated-rule rule-set-category get | +| curatedRuleSetCategories.list | v1alpha | chronicle.rule_set.list_curated_rule_set_categories | secops curated-rule rule-set-category list | +| curatedRules.get | v1alpha | chronicle.rule_set.get_curated_rule
chronicle.rule_set.get_curated_rule_by_name | secops curated-rule rule get | +| curatedRules.list | v1alpha | chronicle.rule_set.list_curated_rules | secops curated-rule rule list | +| dashboardCharts.batchGet | v1alpha | | | +| dashboardCharts.get | v1alpha | chronicle.dashboard.get_chart | secops dashboard get-chart | +| dashboardQueries.execute | v1alpha | chronicle.dashboard_query.execute_query | secops dashboard-query execute | +| dashboardQueries.get | v1alpha | chronicle.dashboard_query.get_execute_query | secops dashboard-query get | +| dashboards.copy | v1alpha | | | +| dashboards.create | v1alpha | | | +| dashboards.delete | v1alpha | | | +| dashboards.get | v1alpha | | | +| dashboards.list | v1alpha | | | +| dataAccessLabels.create | v1alpha | | | +| dataAccessLabels.delete | v1alpha | | | +| dataAccessLabels.get | v1alpha | | | +| dataAccessLabels.list | v1alpha | | | +| dataAccessLabels.patch | v1alpha | | | +| dataAccessScopes.create | v1alpha | | | +| dataAccessScopes.delete | v1alpha | | | +| dataAccessScopes.get | v1alpha | | | +| dataAccessScopes.list | v1alpha | | | +| dataAccessScopes.patch | v1alpha | | | +| dataExports.cancel | v1alpha | chronicle.data_export.cancel_data_export | secops export cancel | +| dataExports.create | v1alpha | chronicle.data_export.create_data_export | secops export create | +| dataExports.fetchavailablelogtypes | v1alpha | chronicle.data_export.fetch_available_log_types | secops export log-types | +| dataExports.get | v1alpha | chronicle.data_export.get_data_export | secops export status | +| dataExports.list | v1alpha | chronicle.data_export.list_data_export | secops export list | +| dataExports.patch | v1alpha | chronicle.data_export.update_data_export | secops export update | +| dataTableOperationErrors.get | v1alpha | | | +| dataTables.create | v1alpha | chronicle.data_table.create_data_table | secops data-table create | +| dataTables.dataTableRows.bulkCreate | v1alpha | chronicle.data_table.create_data_table_rows | secops data-table add-rows | +| dataTables.dataTableRows.bulkCreateAsync | v1alpha | | | +| dataTables.dataTableRows.bulkGet | v1alpha | | | +| dataTables.dataTableRows.bulkReplace | v1alpha | chronicle.data_table.replace_data_table_rows | secops data-table replace-rows | +| dataTables.dataTableRows.bulkReplaceAsync | v1alpha | | | +| dataTables.dataTableRows.bulkUpdate | v1alpha | chronicle.data_table.update_data_table_rows | secops data-table update-rows | +| dataTables.dataTableRows.bulkUpdateAsync | v1alpha | | | +| dataTables.dataTableRows.create | v1alpha | | | +| dataTables.dataTableRows.delete | v1alpha | chronicle.data_table.delete_data_table_rows | secops data-table delete-rows | +| dataTables.dataTableRows.get | v1alpha | | | +| dataTables.dataTableRows.list | v1alpha | chronicle.data_table.list_data_table_rows | secops data-table list-rows | +| dataTables.dataTableRows.patch | v1alpha | | | +| dataTables.delete | v1alpha | chronicle.data_table.delete_data_table | secops data-table delete | +| dataTables.get | v1alpha | chronicle.data_table.get_data_table | secops data-table get | +| dataTables.list | v1alpha | chronicle.data_table.list_data_tables | secops data-table list | +| dataTables.patch | v1alpha | | | +| dataTables.upload | v1alpha | | | +| dataTaps.create | v1alpha | | | +| dataTaps.delete | v1alpha | | | +| dataTaps.get | v1alpha | | | +| dataTaps.list | v1alpha | | | +| dataTaps.patch | v1alpha | | | +| delete | v1alpha | | | +| enrichmentControls.create | v1alpha | | | +| enrichmentControls.delete | v1alpha | | | +| enrichmentControls.get | v1alpha | | | +| enrichmentControls.list | v1alpha | | | +| entities.get | v1alpha | | | +| entities.import | v1alpha | chronicle.log_ingest.import_entities | secops entity import | +| entities.modifyEntityRiskScore | v1alpha | | | +| entities.queryEntityRiskScoreModifications | v1alpha | | | +| entityRiskScores.query | v1alpha | | | +| errorNotificationConfigs.create | v1alpha | | | +| errorNotificationConfigs.delete | v1alpha | | | +| errorNotificationConfigs.get | v1alpha | | | +| errorNotificationConfigs.list | v1alpha | | | +| errorNotificationConfigs.patch | v1alpha | | | +| events.batchGet | v1alpha | | | +| events.get | v1alpha | | | +| events.import | v1alpha | chronicle.log_ingest.ingest_udm | secops log ingest-udm | +| extractSyslog | v1alpha | | | +| federationGroups.create | v1alpha | | | +| federationGroups.delete | v1alpha | | | +| federationGroups.get | v1alpha | | | +| federationGroups.list | v1alpha | | | +| federationGroups.patch | v1alpha | | | +| feedPacks.get | v1alpha | | | +| feedPacks.list | v1alpha | | | +| feedServiceAccounts.fetchServiceAccountForCustomer | v1alpha | | | +| feedSourceTypeSchemas.list | v1alpha | | | +| feedSourceTypeSchemas.logTypeSchemas.list | v1alpha | | | +| feeds.create | v1alpha | chronicle.feeds.create_feed | secops feed create | +| feeds.delete | v1alpha | chronicle.feeds.delete_feed | secops feed delete | +| feeds.disable | v1alpha | chronicle.feeds.disable_feed | secops feed disable | +| feeds.enable | v1alpha | chronicle.feeds.enable_feed | secops feed enable | +| feeds.generateSecret | v1alpha | chronicle.feeds.generate_secret | secops feed secret | +| feeds.get | v1alpha | chronicle.feeds.get_feed | secops feed get | +| feeds.importPushLogs | v1alpha | | | +| feeds.list | v1alpha | chronicle.feeds.list_feeds | secops feed list | +| feeds.patch | v1alpha | chronicle.feeds.update_feed | secops feed update | +| feeds.scheduleTransfer | v1alpha | | | +| fetchFederationAccess | v1alpha | | | +| findEntity | v1alpha | | | +| findEntityAlerts | v1alpha | | | +| findRelatedEntities | v1alpha | | | +| findUdmFieldValues | v1alpha | | | +| findingsGraph.exploreNode | v1alpha | | | +| findingsGraph.initializeGraph | v1alpha | | | +| findingsRefinements.computeFindingsRefinementActivity | v1alpha | chronicle.rule_exclusion.compute_rule_exclusion_activity | secops rule-exclusion compute-activity | +| findingsRefinements.create | v1alpha | chronicle.rule_exclusion.create_rule_exclusion | secops rule-exclusion create | +| findingsRefinements.get | v1alpha | chronicle.rule_exclusion.get_rule_exclusion | secops rule-exclusion get | +| findingsRefinements.getDeployment | v1alpha | chronicle.rule_exclusion.get_rule_exclusion_deployment | secops rule-exclusion get-deployment | +| findingsRefinements.list | v1alpha | chronicle.rule_exclusion.list_rule_exclusions | secops rule-exclusion list | +| findingsRefinements.patch | v1alpha | chronicle.rule_exclusion.patch_rule_exclusion | secops rule-exclusion update | +| findingsRefinements.updateDeployment | v1alpha | chronicle.rule_exclusion.update_rule_exclusion_deployment | secops rule-exclusion update-deployment | +| forwarders.collectors.create | v1alpha | | | +| forwarders.collectors.delete | v1alpha | | | +| forwarders.collectors.get | v1alpha | | | +| forwarders.collectors.list | v1alpha | | | +| forwarders.collectors.patch | v1alpha | | | +| forwarders.create | v1alpha | chronicle.log_ingest.create_forwarder | secops forwarder create | +| forwarders.delete | v1alpha | chronicle.log_ingest.delete_forwarder | secops forwarder delete | +| forwarders.generateForwarderFiles | v1alpha | | | +| forwarders.get | v1alpha | chronicle.log_ingest.get_forwarder | secops forwarder get | +| forwarders.importStatsEvents | v1alpha | | | +| forwarders.list | v1alpha | chronicle.log_ingest.list_forwarder | secops forwarder list | +| forwarders.patch | v1alpha | chronicle.log_ingest.update_forwarder | secops forwarder update | +| generateCollectionAgentAuth | v1alpha | | | +| generateSoarAuthJwt | v1alpha | | | +| generateUdmKeyValueMappings | v1alpha | | | +| generateWorkspaceConnectionToken | v1alpha | | | +| get | v1alpha | | | +| getBigQueryExport | v1alpha | | | +| getMultitenantDirectory | v1alpha | | | +| getRiskConfig | v1alpha | | | +| ingestionLogLabels.get | v1alpha | | | +| ingestionLogLabels.list | v1alpha | | | +| ingestionLogNamespaces.get | v1alpha | | | +| ingestionLogNamespaces.list | v1alpha | | | +| integrations.create | v1alpha | | | +| integrations.delete | v1alpha | chronicle.integration.integrations.delete_integration(api_version=APIVersion.V1ALPHA) | secops integration integrations delete | +| integrations.download | v1alpha | chronicle.integration.integrations.download_integration(api_version=APIVersion.V1ALPHA) | secops integration integrations download | +| integrations.downloadDependency | v1alpha | chronicle.integration.integrations.download_integration_dependency(api_version=APIVersion.V1ALPHA) | secops integration integrations download-dependency | +| integrations.exportIntegrationItems | v1alpha | chronicle.integration.integrations.export_integration_items(api_version=APIVersion.V1ALPHA) | secops integration integrations export-items | +| integrations.fetchAffectedItems | v1alpha | chronicle.integration.integrations.get_integration_affected_items(api_version=APIVersion.V1ALPHA) | secops integration integrations get-affected-items | +| integrations.fetchAgentIntegrations | v1alpha | chronicle.integration.integrations.get_agent_integrations(api_version=APIVersion.V1ALPHA) | secops integration integrations get-agent | +| integrations.fetchCommercialDiff | v1alpha | chronicle.integration.integrations.get_integration_diff(api_version=APIVersion.V1ALPHA) | secops integration integrations get-diff | +| integrations.fetchDependencies | v1alpha | chronicle.integration.integrations.get_integration_dependencies(api_version=APIVersion.V1ALPHA) | secops integration integrations get-dependencies | +| integrations.fetchRestrictedAgents | v1alpha | chronicle.integration.integrations.get_integration_restricted_agents(api_version=APIVersion.V1ALPHA) | secops integration integrations get-restricted-agents | +| integrations.get | v1alpha | chronicle.integration.integrations.get_integration(api_version=APIVersion.V1ALPHA) | secops integration integrations get | +| integrations.getFetchProductionDiff | v1alpha | chronicle.integration.integrations.get_integration_diff(api_version=APIVersion.V1ALPHA, diff_type=DiffType.PRODUCTION) | secops integration integrations get-diff | +| integrations.getFetchStagingDiff | v1alpha | chronicle.integration.integrations.get_integration_diffapi_version=APIVersion.V1ALPHA, (diff_type=DiffType.STAGING) | secops integration integrations get-diff | +| integrations.import | v1alpha | | | +| integrations.importIntegrationDependency | v1alpha | | | +| integrations.importIntegrationItems | v1alpha | | | +| integrations.list | v1alpha | chronicle.integration.integrations.list_integrations(api_version=APIVersion.V1ALPHA) | secops integration integrations list | +| integrations.patch | v1alpha | | | +| integrations.pushToProduction | v1alpha | chronicle.integration.integrations.transition_integration(api_version=APIVersion.V1ALPHA, target_mode=TargetMode.PRODUCTION) | secops integration integrations transition | +| integrations.pushToStaging | v1alpha | chronicle.integration.integrations.transition_integration(api_version=APIVersion.V1ALPHA, target_mode=TargetMode.STAGING) | secops integration integrations transition | +| integrations.updateCustomIntegration | v1alpha | | | +| integrations.upload | v1alpha | | | +| integrations.actions.create | v1alpha | chronicle.integration.actions.create_integration_action(api_version=APIVersion.V1ALPHA) | secops integration actions create | +| integrations.actions.delete | v1alpha | chronicle.integration.actions.delete_integration_action(api_version=APIVersion.V1ALPHA) | secops integration actions delete | +| integrations.actions.executeTest | v1alpha | chronicle.integration.actions.execute_integration_action_test(api_version=APIVersion.V1ALPHA) | secops integration actions test | +| integrations.actions.fetchActionsByEnvironment | v1alpha | chronicle.integration.actions.get_integration_actions_by_environment(api_version=APIVersion.V1ALPHA) | | +| integrations.actions.fetchTemplate | v1alpha | chronicle.integration.actions.get_integration_action_template(api_version=APIVersion.V1ALPHA) | secops integration actions template | +| integrations.actions.get | v1alpha | chronicle.integration.actions.get_integration_action(api_version=APIVersion.V1ALPHA) | secops integration actions get | +| integrations.actions.list | v1alpha | chronicle.integration.actions.list_integration_actions(api_version=APIVersion.V1ALPHA) | secops integration actions list | +| integrations.actions.patch | v1alpha | chronicle.integration.actions.update_integration_action(api_version=APIVersion.V1ALPHA) | secops integration actions update | +| integrations.actions.revisions.create | v1alpha | chronicle.integration.action_revisions.create_integration_action_revision(api_version=APIVersion.V1ALPHA) | secops integration action-revisions create | +| integrations.actions.revisions.delete | v1alpha | chronicle.integration.action_revisions.delete_integration_action_revision(api_version=APIVersion.V1ALPHA) | secops integration action-revisions delete | +| integrations.actions.revisions.list | v1alpha | chronicle.integration.action_revisions.list_integration_action_revisions(api_version=APIVersion.V1ALPHA) | secops integration action-revisions list | +| integrations.actions.revisions.rollback | v1alpha | chronicle.integration.action_revisions.rollback_integration_action_revision(api_version=APIVersion.V1ALPHA) | secops integration action-revisions rollback | +| integrations.connectors.create | v1alpha | chronicle.integration.connectors.create_integration_connector(api_version=APIVersion.V1ALPHA) | secops integration connectors create | +| integrations.connectors.delete | v1alpha | chronicle.integration.connectors.delete_integration_connector(api_version=APIVersion.V1ALPHA) | secops integration connectors delete | +| integrations.connectors.executeTest | v1alpha | chronicle.integration.connectors.execute_integration_connector_test(api_version=APIVersion.V1ALPHA) | secops integration connectors test | +| integrations.connectors.fetchTemplate | v1alpha | chronicle.integration.connectors.get_integration_connector_template(api_version=APIVersion.V1ALPHA) | secops integration connectors template | +| integrations.connectors.get | v1alpha | chronicle.integration.connectors.get_integration_connector(api_version=APIVersion.V1ALPHA) | secops integration connectors get | +| integrations.connectors.list | v1alpha | chronicle.integration.connectors.list_integration_connectors(api_version=APIVersion.V1ALPHA) | secops integration connectors list | +| integrations.connectors.patch | v1alpha | chronicle.integration.connectors.update_integration_connector(api_version=APIVersion.V1ALPHA) | secops integration connectors update | +| integrations.connectors.revisions.create | v1alpha | chronicle.integration.connector_revisions.create_integration_connector_revision(api_version=APIVersion.V1ALPHA) | secops integration connector-revisions create | +| integrations.connectors.revisions.delete | v1alpha | chronicle.integration.connector_revisions.delete_integration_connector_revision(api_version=APIVersion.V1ALPHA) | secops integration connector-revisions delete | +| integrations.connectors.revisions.list | v1alpha | chronicle.integration.connector_revisions.list_integration_connector_revisions(api_version=APIVersion.V1ALPHA) | secops integration connector-revisions list | +| integrations.connectors.revisions.rollback | v1alpha | chronicle.integration.connector_revisions.rollback_integration_connector_revision(api_version=APIVersion.V1ALPHA) | secops integration connector-revisions rollback| +| integrations.connectors.contextProperties.clearAll | v1alpha | chronicle.integration.connector_context_properties.delete_all_connector_context_properties(api_version=APIVersion.V1ALPHA) | secops integration connector-context-properties delete-all | +| integrations.connectors.contextProperties.create | v1alpha | chronicle.integration.connector_context_properties.create_connector_context_property(api_version=APIVersion.V1ALPHA) | secops integration connector-context-properties create | +| integrations.connectors.contextProperties.delete | v1alpha | chronicle.integration.connector_context_properties.delete_connector_context_property(api_version=APIVersion.V1ALPHA) | secops integration connector-context-properties delete | +| integrations.connectors.contextProperties.get | v1alpha | chronicle.integration.connector_context_properties.get_connector_context_property(api_version=APIVersion.V1ALPHA) | secops integration connector-context-properties get | +| integrations.connectors.contextProperties.list | v1alpha | chronicle.integration.connector_context_properties.list_connector_context_properties(api_version=APIVersion.V1ALPHA) | secops integration connector-context-properties list | +| integrations.connectors.contextProperties.patch | v1alpha | chronicle.integration.connector_context_properties.update_connector_context_property(api_version=APIVersion.V1ALPHA) | secops integration connector-context-properties update | +| integrations.connectors.connectorInstances.logs.get | v1alpha | chronicle.integration.connector_instance_logs.get_connector_instance_log(api_version=APIVersion.V1ALPHA) | secops integration connector-instance-logs get | +| integrations.connectors.connectorInstances.logs.list | v1alpha | chronicle.integration.connector_instance_logs.list_connector_instance_logs(api_version=APIVersion.V1ALPHA) | secops integration connector-instance-logs list| +| integrations.connectors.connectorInstances.create | v1alpha | chronicle.integration.connector_instances.create_connector_instance(api_version=APIVersion.V1ALPHA) | secops integration connector-instances create | +| integrations.connectors.connectorInstances.delete | v1alpha | chronicle.integration.connector_instances.delete_connector_instance(api_version=APIVersion.V1ALPHA) | secops integration connector-instances delete | +| integrations.connectors.connectorInstances.fetchLatestDefinition | v1alpha | chronicle.integration.connector_instances.get_connector_instance_latest_definition(api_version=APIVersion.V1ALPHA) | secops integration connector-instances get-latest-definition | +| integrations.connectors.connectorInstances.get | v1alpha | chronicle.integration.connector_instances.get_connector_instance(api_version=APIVersion.V1ALPHA) | secops integration connector-instances get | +| integrations.connectors.connectorInstances.list | v1alpha | chronicle.integration.connector_instances.list_connector_instances(api_version=APIVersion.V1ALPHA) | secops integration connector-instances list | +| integrations.connectors.connectorInstances.patch | v1alpha | chronicle.integration.connector_instances.update_connector_instance(api_version=APIVersion.V1ALPHA) | secops integration connector-instances update | +| integrations.connectors.connectorInstances.runOnDemand | v1alpha | chronicle.integration.connector_instances.run_connector_instance_on_demand(api_version=APIVersion.V1ALPHA) | secops integration connector-instances run-on-demand | +| integrations.connectors.connectorInstances.setLogsCollection | v1alpha | chronicle.integration.connector_instances.set_connector_instance_logs_collection(api_version=APIVersion.V1ALPHA) | secops integration connector-instances set-logs-collection | +| integrations.integrationInstances.create | v1alpha | chronicle.integration.integration_instances.create_integration_instance(api_version=APIVersion.V1ALPHA) | secops integration instances create | +| integrations.integrationInstances.delete | v1alpha | chronicle.integration.integration_instances.delete_integration_instance(api_version=APIVersion.V1ALPHA) | secops integration instances delete | +| integrations.integrationInstances.executeTest | v1alpha | chronicle.integration.integration_instances.execute_integration_instance_test(api_version=APIVersion.V1ALPHA) | secops integration instances test | +| integrations.integrationInstances.fetchAffectedItems | v1alpha | chronicle.integration.integration_instances.get_integration_instance_affected_items(api_version=APIVersion.V1ALPHA) | secops integration instances get-affected-items| +| integrations.integrationInstances.fetchDefaultInstance | v1alpha | chronicle.integration.integration_instances.get_default_integration_instance(api_version=APIVersion.V1ALPHA) | secops integration instances get-default | +| integrations.integrationInstances.get | v1alpha | chronicle.integration.integration_instances.get_integration_instance(api_version=APIVersion.V1ALPHA) | secops integration instances get | +| integrations.integrationInstances.list | v1alpha | chronicle.integration.integration_instances.list_integration_instances(api_version=APIVersion.V1ALPHA) | secops integration instances list | +| integrations.integrationInstances.patch | v1alpha | chronicle.integration.integration_instances.update_integration_instance(api_version=APIVersion.V1ALPHA) | secops integration instances update | +| integrations.transformers.create | v1alpha | chronicle.integration.transformers.create_integration_transformer | secops integration transformers create | +| integrations.transformers.delete | v1alpha | chronicle.integration.transformers.delete_integration_transformer | secops integration transformers delete | +| integrations.transformers.executeTest | v1alpha | chronicle.integration.transformers.execute_integration_transformer_test | secops integration transformers test | +| integrations.transformers.fetchTemplate | v1alpha | chronicle.integration.transformers.get_integration_transformer_template | secops integration transformers template | +| integrations.transformers.get | v1alpha | chronicle.integration.transformers.get_integration_transformer | secops integration transformers get | +| integrations.transformers.list | v1alpha | chronicle.integration.transformers.list_integration_transformers | secops integration transformers list | +| integrations.transformers.patch | v1alpha | chronicle.integration.transformers.update_integration_transformer | secops integration transformers update | +| integrations.transformers.revisions.create | v1alpha | chronicle.integration.transformer_revisions.create_integration_transformer_revision | secops integration transformer-revisions create| +| integrations.transformers.revisions.delete | v1alpha | chronicle.integration.transformer_revisions.delete_integration_transformer_revision | secops integration transformer-revisions delete| +| integrations.transformers.revisions.list | v1alpha | chronicle.integration.transformer_revisions.list_integration_transformer_revisions | secops integration transformer-revisions list | +| integrations.transformers.revisions.rollback | v1alpha | chronicle.integration.transformer_revisions.rollback_integration_transformer_revision | secops integration transformer-revisions rollback| +| integrations.logicalOperators.create | v1alpha | chronicle.integration.logical_operators.create_integration_logical_operator | secops integration logical-operators create | +| integrations.logicalOperators.delete | v1alpha | chronicle.integration.logical_operators.delete_integration_logical_operator | secops integration logical-operators delete | +| integrations.logicalOperators.executeTest | v1alpha | chronicle.integration.logical_operators.execute_integration_logical_operator_test | secops integration logical-operators test | +| integrations.logicalOperators.fetchTemplate | v1alpha | chronicle.integration.logical_operators.get_integration_logical_operator_template | secops integration logical-operators template | +| integrations.logicalOperators.get | v1alpha | chronicle.integration.logical_operators.get_integration_logical_operator | secops integration logical-operators get | +| integrations.logicalOperators.list | v1alpha | chronicle.integration.logical_operators.list_integration_logical_operators | secops integration logical-operators list | +| integrations.logicalOperators.patch | v1alpha | chronicle.integration.logical_operators.update_integration_logical_operator | secops integration logical-operators update | +| integrations.logicalOperators.revisions.create | v1alpha | chronicle.integration.logical_operator_revisions.create_integration_logical_operator_revision | secops integration logical-operator-revisions create | +| integrations.logicalOperators.revisions.delete | v1alpha | chronicle.integration.logical_operator_revisions.delete_integration_logical_operator_revision | secops integration logical-operator-revisions delete | +| integrations.logicalOperators.revisions.list | v1alpha | chronicle.integration.logical_operator_revisions.list_integration_logical_operator_revisions | secops integration logical-operator-revisions list | +| integrations.logicalOperators.revisions.rollback | v1alpha | chronicle.integration.logical_operator_revisions.rollback_integration_logical_operator_revision | secops integration logical-operator-revisions rollback | +| integrations.jobs.create | v1alpha | chronicle.integration.jobs.create_integration_job(api_version=APIVersion.V1ALPHA) | secops integration jobs create | +| integrations.jobs.delete | v1alpha | chronicle.integration.jobs.delete_integration_job(api_version=APIVersion.V1ALPHA) | secops integration jobs delete | +| integrations.jobs.executeTest | v1alpha | chronicle.integration.jobs.execute_integration_job_test(api_version=APIVersion.V1ALPHA) | secops integration jobs test | +| integrations.jobs.fetchTemplate | v1alpha | chronicle.integration.jobs.get_integration_job_template(api_version=APIVersion.V1ALPHA) | secops integration jobs template | +| integrations.jobs.get | v1alpha | chronicle.integration.jobs.get_integration_job(api_version=APIVersion.V1ALPHA) | secops integration jobs get | +| integrations.jobs.list | v1alpha | chronicle.integration.jobs.list_integration_jobs(api_version=APIVersion.V1ALPHA) | secops integration jobs list | +| integrations.jobs.patch | v1alpha | chronicle.integration.jobs.update_integration_job(api_version=APIVersion.V1ALPHA) | secops integration jobs update | +| integrations.managers.create | v1alpha | chronicle.integration.managers.create_integration_manager(api_version=APIVersion.V1ALPHA) | secops integration managers create | +| integrations.managers.delete | v1alpha | chronicle.integration.managers.delete_integration_manager(api_version=APIVersion.V1ALPHA) | secops integration managers delete | +| integrations.managers.fetchTemplate | v1alpha | chronicle.integration.managers.get_integration_manager_template(api_version=APIVersion.V1ALPHA) | secops integration managers template | +| integrations.managers.get | v1alpha | chronicle.integration.managers.get_integration_manager(api_version=APIVersion.V1ALPHA) | secops integration managers get | +| integrations.managers.list | v1alpha | chronicle.integration.managers.list_integration_managers(api_version=APIVersion.V1ALPHA) | secops integration managers list | +| integrations.managers.patch | v1alpha | chronicle.integration.managers.update_integration_manager(api_version=APIVersion.V1ALPHA) | secops integration managers update | +| integrations.managers.revisions.create | v1alpha | chronicle.integration.manager_revisions.create_integration_manager_revision(api_version=APIVersion.V1ALPHA) | secops integration manager-revisions create | +| integrations.managers.revisions.delete | v1alpha | chronicle.integration.manager_revisions.delete_integration_manager_revision(api_version=APIVersion.V1ALPHA) | secops integration manager-revisions delete | +| integrations.managers.revisions.get | v1alpha | chronicle.integration.manager_revisions.get_integration_manager_revision(api_version=APIVersion.V1ALPHA) | secops integration manager-revisions get | +| integrations.managers.revisions.list | v1alpha | chronicle.integration.manager_revisions.list_integration_manager_revisions(api_version=APIVersion.V1ALPHA) | secops integration manager-revisions list | +| integrations.managers.revisions.rollback | v1alpha | chronicle.integration.manager_revisions.rollback_integration_manager_revision(api_version=APIVersion.V1ALPHA) | secops integration manager-revisions rollback | +| integrations.jobs.revisions.create | v1alpha | chronicle.integration.job_revisions.create_integration_job_revision(api_version=APIVersion.V1ALPHA) | secops integration job-revisions create | +| integrations.jobs.revisions.delete | v1alpha | chronicle.integration.job_revisions.delete_integration_job_revision(api_version=APIVersion.V1ALPHA) | secops integration job-revisions delete | +| integrations.jobs.revisions.list | v1alpha | chronicle.integration.job_revisions.list_integration_job_revisions(api_version=APIVersion.V1ALPHA) | secops integration job-revisions list | +| integrations.jobs.revisions.rollback | v1alpha | chronicle.integration.job_revisions.rollback_integration_job_revision(api_version=APIVersion.V1ALPHA) | secops integration job-revisions rollback | +| integrations.jobs.jobInstances.create | v1alpha | chronicle.integration.job_instances.create_integration_job_instance(api_version=APIVersion.V1ALPHA) | secops integration job-instances create | +| integrations.jobs.jobInstances.delete | v1alpha | chronicle.integration.job_instances.delete_integration_job_instance(api_version=APIVersion.V1ALPHA) | secops integration job-instances delete | +| integrations.jobs.jobInstances.get | v1alpha | chronicle.integration.job_instances.get_integration_job_instance(api_version=APIVersion.V1ALPHA) | secops integration job-instances get | +| integrations.jobs.jobInstances.list | v1alpha | chronicle.integration.job_instances.list_integration_job_instances(api_version=APIVersion.V1ALPHA) | secops integration job-instances list | +| integrations.jobs.jobInstances.patch | v1alpha | chronicle.integration.job_instances.update_integration_job_instance(api_version=APIVersion.V1ALPHA) | secops integration job-instances update | +| integrations.jobs.jobInstances.runOnDemand | v1alpha | chronicle.integration.job_instances.run_integration_job_instance_on_demand(api_version=APIVersion.V1ALPHA) | secops integration job-instances run-on-demand | +| integrations.jobs.contextProperties.clearAll | v1alpha | chronicle.integration.job_context_properties.delete_all_job_context_properties(api_version=APIVersion.V1ALPHA) | secops integration job-context-properties delete-all | +| integrations.jobs.contextProperties.create | v1alpha | chronicle.integration.job_context_properties.create_job_context_property(api_version=APIVersion.V1ALPHA) | secops integration job-context-properties create | +| integrations.jobs.contextProperties.delete | v1alpha | chronicle.integration.job_context_properties.delete_job_context_property(api_version=APIVersion.V1ALPHA) | secops integration job-context-properties delete | +| integrations.jobs.contextProperties.get | v1alpha | chronicle.integration.job_context_properties.get_job_context_property(api_version=APIVersion.V1ALPHA) | secops integration job-context-properties get | +| integrations.jobs.contextProperties.list | v1alpha | chronicle.integration.job_context_properties.list_job_context_properties(api_version=APIVersion.V1ALPHA) | secops integration job-context-properties list | +| integrations.jobs.contextProperties.patch | v1alpha | chronicle.integration.job_context_properties.update_job_context_property(api_version=APIVersion.V1ALPHA) | secops integration job-context-properties update | +| integrations.jobs.jobInstances.logs.get | v1alpha | chronicle.integration.job_instance_logs.get_job_instance_log(api_version=APIVersion.V1ALPHA) | secops integration job-instance-logs get | +| integrations.jobs.jobInstances.logs.list | v1alpha | chronicle.integration.job_instance_logs.list_job_instance_logs(api_version=APIVersion.V1ALPHA) | secops integration job-instance-logs list | +| investigations.fetchAssociated | v1alpha | chronicle.investigations.fetch_associated_investigations | secops investigation fetch-associated | +| investigations.get | v1alpha | chronicle.investigations.get_investigation | secops investigation get | +| investigations.list | v1alpha | chronicle.investigations.list_investigations | secops investigation list | +| investigations.trigger | v1alpha | chronicle.investigations.trigger_investigation | secops investigation trigger | +| iocs.batchGet | v1alpha | | | +| iocs.findFirstAndLastSeen | v1alpha | | | +| iocs.get | v1alpha | | | +| iocs.getIocState | v1alpha | | | +| iocs.searchCuratedDetectionsForIoc | v1alpha | | | +| iocs.updateIocState | v1alpha | | | +| legacy.legacyBatchGetCases | v1alpha | chronicle.case.get_cases_from_list | secops case | +| legacy.legacyBatchGetCollections | v1alpha | | | +| legacy.legacyCreateOrUpdateCase | v1alpha | | | +| legacy.legacyCreateSoarAlert | v1alpha | | | +| legacy.legacyFetchAlertsView | v1alpha | chronicle.alert.get_alerts | secops alert | +| legacy.legacyFetchUdmSearchCsv | v1alpha | chronicle.udm_search.fetch_udm_search_csv | secops search --csv | +| legacy.legacyFetchUdmSearchView | v1alpha | chronicle.udm_search.fetch_udm_search_view | secops udm-search-view | +| legacy.legacyFindAssetEvents | v1alpha | | | +| legacy.legacyFindRawLogs | v1alpha | | | +| legacy.legacyFindUdmEvents | v1alpha | | | +| legacy.legacyGetAlert | v1alpha | chronicle.rule_alert.get_alert | | +| legacy.legacyGetCuratedRulesTrends | v1alpha | | | +| legacy.legacyGetDetection | v1alpha | | | +| legacy.legacyGetEventForDetection | v1alpha | | | +| legacy.legacyGetRuleCounts | v1alpha | | | +| legacy.legacyGetRulesTrends | v1alpha | | | +| legacy.legacyListCases | v1alpha | chronicle.case.get_cases | secops case --ids | +| legacy.legacyRunTestRule | v1alpha | chronicle.rule.run_rule_test | secops rule validate | +| legacy.legacySearchArtifactEvents | v1alpha | | | +| legacy.legacySearchArtifactIoCDetails | v1alpha | | | +| legacy.legacySearchAssetEvents | v1alpha | | | +| legacy.legacySearchCuratedDetections | v1alpha | | | +| legacy.legacySearchCustomerStats | v1alpha | | | +| legacy.legacySearchDetections | v1alpha | chronicle.rule_detection.list_detections | | +| legacy.legacySearchDomainsRecentlyRegistered | v1alpha | | | +| legacy.legacySearchDomainsTimingStats | v1alpha | | | +| legacy.legacySearchEnterpriseWideAlerts | v1alpha | | | +| legacy.legacySearchEnterpriseWideIoCs | v1alpha | chronicle.ioc.list_iocs | secops iocs | +| legacy.legacySearchFindings | v1alpha | | | +| legacy.legacySearchIngestionStats | v1alpha | | | +| legacy.legacySearchIoCInsights | v1alpha | | | +| legacy.legacySearchRawLogs | v1alpha | | | +| legacy.legacySearchRuleDetectionCountBuckets | v1alpha | | | +| legacy.legacySearchRuleDetectionEvents | v1alpha | | | +| legacy.legacySearchRuleResults | v1alpha | | | +| legacy.legacySearchRulesAlerts | v1alpha | chronicle.rule_alert.search_rule_alerts | | +| legacy.legacySearchUserEvents | v1alpha | | | +| legacy.legacyStreamDetectionAlerts | v1alpha | | | +| legacy.legacyTestRuleStreaming | v1alpha | | | +| legacy.legacyUpdateAlert | v1alpha | chronicle.rule_alert.update_alert | | +| listAllFindingsRefinementDeployments | v1alpha | | | +| logProcessingPipelines.associateStreams | v1alpha | chronicle.log_processing_pipelines.associate_streams | secops log-processing associate-streams | +| logProcessingPipelines.create | v1alpha | chronicle.log_processing_pipelines.create_log_processing_pipeline | secops log-processing create | +| logProcessingPipelines.delete | v1alpha | chronicle.log_processing_pipelines.delete_log_processing_pipeline | secops log-processing delete | +| logProcessingPipelines.dissociateStreams | v1alpha | chronicle.log_processing_pipelines.dissociate_streams | secops log-processing dissociate-streams | +| logProcessingPipelines.fetchAssociatedPipeline | v1alpha | chronicle.log_processing_pipelines.fetch_associated_pipeline | secops log-processing fetch-associated | +| logProcessingPipelines.fetchSampleLogsByStreams | v1alpha | chronicle.log_processing_pipelines.fetch_sample_logs_by_streams | secops log-processing fetch-sample-logs | +| logProcessingPipelines.get | v1alpha | chronicle.log_processing_pipelines.get_log_processing_pipeline | secops log-processing get | +| logProcessingPipelines.list | v1alpha | chronicle.log_processing_pipelines.list_log_processing_pipelines | secops log-processing list | +| logProcessingPipelines.patch | v1alpha | chronicle.log_processing_pipelines.update_log_processing_pipeline | secops log-processing update | +| logProcessingPipelines.testPipeline | v1alpha | chronicle.log_processing_pipelines.test_pipeline | secops log-processing test | +| logTypes.create | v1alpha | | | +| logTypes.generateEventTypesSuggestions | v1alpha | | | +| logTypes.get | v1alpha | | | +| logTypes.getLogTypeSetting | v1alpha | | | +| logTypes.legacySubmitParserExtension | v1alpha | | | +| logTypes.list | v1alpha | | | +| logTypes.logs.export | v1alpha | | | +| logTypes.logs.get | v1alpha | | | +| logTypes.logs.import | v1alpha | chronicle.log_ingest.ingest_log | secops log ingest | +| logTypes.logs.list | v1alpha | | | +| logTypes.parserExtensions.activate | v1alpha | chronicle.parser_extension.activate_parser_extension | secops parser-extension activate | +| logTypes.parserExtensions.create | v1alpha | chronicle.parser_extension.create_parser_extension | secops parser-extension create | +| logTypes.parserExtensions.delete | v1alpha | chronicle.parser_extension.delete_parser_extension | secops parser-extension delete | +| logTypes.parserExtensions.extensionValidationReports.get | v1alpha | | | +| logTypes.parserExtensions.extensionValidationReports.list | v1alpha | | | +| logTypes.parserExtensions.extensionValidationReports.validationErrors.list | v1alpha | | | +| logTypes.parserExtensions.get | v1alpha | chronicle.parser_extension.get_parser_extension | secops parser-extension get | +| logTypes.parserExtensions.list | v1alpha | chronicle.parser_extension.list_parser_extensions | secops parser-extension list | +| logTypes.parserExtensions.validationReports.get | v1alpha | | | +| logTypes.parserExtensions.validationReports.parsingErrors.list | v1alpha | | | +| logTypes.parsers.activate | v1alpha | chronicle.parser.activate_parser | secops parser activate | +| logTypes.parsers.activateReleaseCandidateParser | v1alpha | chronicle.parser.activate_release_candidate | secops parser activate-rc | +| logTypes.parsers.copy | v1alpha | chronicle.parser.copy_parser | secops parser copy | +| logTypes.parsers.create | v1alpha | chronicle.parser.create_parser | secops parser create | +| logTypes.parsers.deactivate | v1alpha | chronicle.parser.deactivate_parser | secops parser deactivate | +| logTypes.parsers.delete | v1alpha | chronicle.parser.delete_parser | secops parser delete | +| logTypes.parsers.get | v1alpha | chronicle.parser.get_parser | secops parser get | +| logTypes.parsers.list | v1alpha | chronicle.parser.list_parsers | secops parser list | +| logTypes.parsers.validationReports.get | v1alpha | | | +| logTypes.parsers.validationReports.parsingErrors.list | v1alpha | | | +| logTypes.patch | v1alpha | | | +| logTypes.runParser | v1alpha | chronicle.parser.run_parser | secops parser run | +| logTypes.updateLogTypeSetting | v1alpha | | | +| logs.classify | v1alpha | chronicle.log_types.classify_logs | secops log classify | +| marketplaceIntegrations.get | v1alpha | chronicle.marketplace_integrations.get_marketplace_integration(api_version=APIVersion.V1ALPHA) | secops integration marketplace get | +| marketplaceIntegrations.getDiff | v1alpha | chronicle.marketplace_integrations.get_marketplace_integration_diff(api_version=APIVersion.V1ALPHA) | secops integration marketplace diff | +| marketplaceIntegrations.install | v1alpha | chronicle.marketplace_integrations.install_marketplace_integration(api_version=APIVersion.V1ALPHA) | secops integration marketplace install | +| marketplaceIntegrations.list | v1alpha | chronicle.marketplace_integrations.list_marketplace_integrations(api_version=APIVersion.V1ALPHA) | secops integration marketplace list | +| marketplaceIntegrations.uninstall | v1alpha | chronicle.marketplace_integrations.uninstall_marketplace_integration(api_version=APIVersion.V1ALPHA) | secops integration marketplace uninstall | +| nativeDashboards.addChart | v1alpha | chronicle.dashboard.add_chart | secops dashboard add-chart | +| nativeDashboards.create | v1alpha | chronicle.dashboard.create_dashboard | secops dashboard create | +| nativeDashboards.delete | v1alpha | chronicle.dashboard.delete_dashboard | secops dashboard delete | +| nativeDashboards.duplicate | v1alpha | chronicle.dashboard.duplicate_dashboard | secops dashboard duplicate | +| nativeDashboards.duplicateChart | v1alpha | | | +| nativeDashboards.editChart | v1alpha | chronicle.dashboard.edit_chart | secops dashboard edit-chart | +| nativeDashboards.export | v1alpha | chronicle.dashboard.export_dashboard | secops dashboard export | +| nativeDashboards.get | v1alpha | chronicle.dashboard.get_dashboard | secops dashboard get | +| nativeDashboards.import | v1alpha | chronicle.dashboard.import_dashboard | secops dashboard import | +| nativeDashboards.list | v1alpha | chronicle.dashboard.list_dashboards | secops dashboard list | +| nativeDashboards.patch | v1alpha | chronicle.dashboard.update_dashboard | secops dashboard update | +| nativeDashboards.removeChart | v1alpha | chronicle.dashboard.remove_chart | secops dashboard remove-chart | +| operations.cancel | v1alpha | | | +| operations.delete | v1alpha | | | +| operations.get | v1alpha | | | +| operations.list | v1alpha | | | +| operations.streamSearch | v1alpha | | | +| queryProductSourceStats | v1alpha | | | +| referenceLists.create | v1alpha | | | +| referenceLists.get | v1alpha | | | +| referenceLists.list | v1alpha | | | +| referenceLists.patch | v1alpha | | | +| report | v1alpha | | | +| ruleExecutionErrors.list | v1alpha | chronicle.rule_detection.list_errors | | +| rules.create | v1alpha | | | +| rules.delete | v1alpha | | | +| rules.deployments.list | v1alpha | | | +| rules.get | v1alpha | | | +| rules.getDeployment | v1alpha | | | +| rules.list | v1alpha | | | +| rules.listRevisions | v1alpha | | | +| rules.patch | v1alpha | | | +| rules.retrohunts.create | v1alpha | | | +| rules.retrohunts.get | v1alpha | | | +| rules.retrohunts.list | v1alpha | | | +| rules.updateDeployment | v1alpha | | | +| searchEntities | v1alpha | | | +| searchRawLogs | v1alpha | | | +| summarizeEntitiesFromQuery | v1alpha | chronicle.entity.summarize_entity | secops entity | +| summarizeEntity | v1alpha | chronicle.entity.summarize_entity | | +| testFindingsRefinement | v1alpha | | | +| translateUdmQuery | v1alpha | chronicle.nl_search.translate_nl_to_udm | | +| translateYlRule | v1alpha | | | +| udmSearch | v1alpha | chronicle.search.search_udm | secops search | +| undelete | v1alpha | | | +| updateBigQueryExport | v1alpha | | | +| updateRiskConfig | v1alpha | | | +| users.clearConversationHistory | v1alpha | | | +| users.conversations.create | v1alpha | chronicle.gemini.create_conversation | | +| users.conversations.delete | v1alpha | | | +| users.conversations.get | v1alpha | | | +| users.conversations.list | v1alpha | | | +| users.conversations.messages.create | v1alpha | chronicle.gemini.query_gemini | secops gemini | +| users.conversations.messages.delete | v1alpha | | | +| users.conversations.messages.get | v1alpha | | | +| users.conversations.messages.list | v1alpha | | | +| users.conversations.messages.patch | v1alpha | | | +| users.conversations.patch | v1alpha | | | +| users.getPreferenceSet | v1alpha | chronicle.gemini.opt_in_to_gemini | secops gemini --opt-in | +| users.searchQueries.create | v1alpha | | | +| users.searchQueries.delete | v1alpha | | | +| users.searchQueries.get | v1alpha | | | +| users.searchQueries.list | v1alpha | | | +| users.searchQueries.patch | v1alpha | | | +| users.updatePreferenceSet | v1alpha | | | +| validateQuery | v1alpha | chronicle.validate.validate_query | | +| verifyReferenceList | v1alpha | | | +| verifyRuleText | v1alpha | chronicle.rule_validation.validate_rule | secops rule validate | +| watchlists.create | v1alpha | | | +| watchlists.delete | v1alpha | | | +| watchlists.entities.add | v1alpha | | | +| watchlists.entities.batchAdd | v1alpha | | | +| watchlists.entities.batchRemove | v1alpha | | | +| watchlists.entities.remove | v1alpha | | | +| watchlists.get | v1alpha | | | +| watchlists.list | v1alpha | | | +| watchlists.listEntities | v1alpha | | | +| watchlists.patch | v1alpha | | | | REST Resource | Version | secops-wrapper module | CLI Command | |--------------------------------------------------------------------------------|---------|-------------------------------------------------------------------------------------------------------------------|------------------------------------------------| | dataAccessLabels.create | v1 | | | diff --git a/src/secops/chronicle/__init__.py b/src/secops/chronicle/__init__.py index 15320ac9..e8f80e33 100644 --- a/src/secops/chronicle/__init__.py +++ b/src/secops/chronicle/__init__.py @@ -98,27 +98,43 @@ search_log_types, ) from secops.chronicle.models import ( + AdvancedConfig, AlertCount, AlertState, Case, CaseList, + DailyScheduleDetails, DataExport, DataExportStage, DataExportStatus, + Date, + DayOfWeek, DetectionType, + DiffType, Entity, EntityMetadata, EntityMetrics, EntitySummary, FileMetadataAndProperties, InputInterval, + IntegrationJobInstanceParameter, + IntegrationParam, + IntegrationParamType, + IntegrationType, ListBasis, + MonthlyScheduleDetails, + OneTimeScheduleDetails, PrevalenceData, + PythonVersion, + ScheduleType, SoarPlatformInfo, + TargetMode, TileType, TimeInterval, Timeline, TimelineBucket, + TimeOfDay, + WeeklyScheduleDetails, WidgetMetadata, ) from secops.chronicle.nl_search import translate_nl_to_udm @@ -198,6 +214,41 @@ create_watchlist, update_watchlist, ) +from secops.chronicle.integration.jobs import ( + list_integration_jobs, + get_integration_job, + delete_integration_job, + create_integration_job, + update_integration_job, + execute_integration_job_test, + get_integration_job_template, +) +from secops.chronicle.integration.job_revisions import ( + list_integration_job_revisions, + delete_integration_job_revision, + create_integration_job_revision, + rollback_integration_job_revision, +) +from secops.chronicle.integration.job_instances import ( + list_integration_job_instances, + get_integration_job_instance, + delete_integration_job_instance, + create_integration_job_instance, + update_integration_job_instance, + run_integration_job_instance_on_demand, +) +from secops.chronicle.integration.job_context_properties import ( + list_job_context_properties, + get_job_context_property, + delete_job_context_property, + create_job_context_property, + update_job_context_property, + delete_all_job_context_properties, +) +from secops.chronicle.integration.job_instance_logs import ( + list_job_instance_logs, + get_job_instance_log, +) __all__ = [ # Client @@ -315,21 +366,31 @@ "execute_query", "get_execute_query", # Models + "AdvancedConfig", + "AlertCount", + "AlertState", + "Case", + "CaseList", + "DailyScheduleDetails", + "Date", + "DayOfWeek", "Entity", "EntityMetadata", "EntityMetrics", + "EntitySummary", + "FileMetadataAndProperties", + "IntegrationJobInstanceParameter", + "MonthlyScheduleDetails", + "OneTimeScheduleDetails", + "PrevalenceData", + "ScheduleType", + "SoarPlatformInfo", "TimeInterval", - "TimelineBucket", "Timeline", + "TimelineBucket", + "TimeOfDay", + "WeeklyScheduleDetails", "WidgetMetadata", - "EntitySummary", - "AlertCount", - "AlertState", - "Case", - "SoarPlatformInfo", - "CaseList", - "PrevalenceData", - "FileMetadataAndProperties", "ValidationResult", "GeminiResponse", "Block", @@ -367,4 +428,34 @@ "delete_watchlist", "create_watchlist", "update_watchlist", + # Integration Jobs + "list_integration_jobs", + "get_integration_job", + "delete_integration_job", + "create_integration_job", + "update_integration_job", + "execute_integration_job_test", + "get_integration_job_template", + # Integration Job Revisions + "list_integration_job_revisions", + "delete_integration_job_revision", + "create_integration_job_revision", + "rollback_integration_job_revision", + # Integration Job Instances + "list_integration_job_instances", + "get_integration_job_instance", + "delete_integration_job_instance", + "create_integration_job_instance", + "update_integration_job_instance", + "run_integration_job_instance_on_demand", + # Job Context Properties + "list_job_context_properties", + "get_job_context_property", + "delete_job_context_property", + "create_job_context_property", + "update_job_context_property", + "delete_all_job_context_properties", + # Job Instance Logs + "list_job_instance_logs", + "get_job_instance_log", ] diff --git a/src/secops/chronicle/client.py b/src/secops/chronicle/client.py index 9b892272..749476c2 100644 --- a/src/secops/chronicle/client.py +++ b/src/secops/chronicle/client.py @@ -13,6 +13,7 @@ # limitations under the License. # """Chronicle API client.""" + import ipaddress import re from collections.abc import Iterator @@ -22,140 +23,147 @@ from google.auth.transport import requests as google_auth_requests +# pylint: disable=line-too-long from secops import auth as secops_auth from secops.auth import RetryConfig from secops.chronicle.alert import get_alerts as _get_alerts from secops.chronicle.case import get_cases_from_list -from secops.chronicle.dashboard import DashboardAccessType, DashboardView -from secops.chronicle.dashboard import add_chart as _add_chart -from secops.chronicle.dashboard import create_dashboard as _create_dashboard -from secops.chronicle.dashboard import delete_dashboard as _delete_dashboard from secops.chronicle.dashboard import ( + DashboardAccessType, + DashboardView, + add_chart as _add_chart, + create_dashboard as _create_dashboard, + delete_dashboard as _delete_dashboard, duplicate_dashboard as _duplicate_dashboard, + edit_chart as _edit_chart, + export_dashboard as _export_dashboard, + get_chart as _get_chart, + get_dashboard as _get_dashboard, + import_dashboard as _import_dashboard, + list_dashboards as _list_dashboards, + remove_chart as _remove_chart, + update_dashboard as _update_dashboard, ) -from secops.chronicle.dashboard import edit_chart as _edit_chart -from secops.chronicle.dashboard import export_dashboard as _export_dashboard -from secops.chronicle.dashboard import get_chart as _get_chart -from secops.chronicle.dashboard import get_dashboard as _get_dashboard -from secops.chronicle.dashboard import import_dashboard as _import_dashboard -from secops.chronicle.dashboard import list_dashboards as _list_dashboards -from secops.chronicle.dashboard import remove_chart as _remove_chart -from secops.chronicle.dashboard import update_dashboard as _update_dashboard from secops.chronicle.dashboard_query import ( execute_query as _execute_dashboard_query, -) -from secops.chronicle.dashboard_query import ( get_execute_query as _get_execute_query, ) from secops.chronicle.data_export import ( cancel_data_export as _cancel_data_export, -) -from secops.chronicle.data_export import ( create_data_export as _create_data_export, -) -from secops.chronicle.data_export import ( fetch_available_log_types as _fetch_available_log_types, -) -from secops.chronicle.data_export import get_data_export as _get_data_export -from secops.chronicle.data_export import list_data_export as _list_data_export -from secops.chronicle.data_export import ( + get_data_export as _get_data_export, + list_data_export as _list_data_export, update_data_export as _update_data_export, ) -from secops.chronicle.data_table import DataTableColumnType -from secops.chronicle.data_table import create_data_table as _create_data_table from secops.chronicle.data_table import ( + DataTableColumnType, + create_data_table as _create_data_table, create_data_table_rows as _create_data_table_rows, -) -from secops.chronicle.data_table import delete_data_table as _delete_data_table -from secops.chronicle.data_table import ( + delete_data_table as _delete_data_table, delete_data_table_rows as _delete_data_table_rows, -) -from secops.chronicle.data_table import get_data_table as _get_data_table -from secops.chronicle.data_table import ( + get_data_table as _get_data_table, list_data_table_rows as _list_data_table_rows, -) -from secops.chronicle.data_table import list_data_tables as _list_data_tables -from secops.chronicle.data_table import ( + list_data_tables as _list_data_tables, replace_data_table_rows as _replace_data_table_rows, -) -from secops.chronicle.data_table import update_data_table as _update_data_table -from secops.chronicle.data_table import ( + update_data_table as _update_data_table, update_data_table_rows as _update_data_table_rows, ) -from secops.chronicle.entity import _detect_value_type_for_query -from secops.chronicle.entity import summarize_entity as _summarize_entity -from secops.chronicle.feeds import CreateFeedModel, UpdateFeedModel -from secops.chronicle.feeds import create_feed as _create_feed -from secops.chronicle.feeds import delete_feed as _delete_feed -from secops.chronicle.feeds import disable_feed as _disable_feed -from secops.chronicle.feeds import enable_feed as _enable_feed -from secops.chronicle.feeds import generate_secret as _generate_secret -from secops.chronicle.feeds import get_feed as _get_feed -from secops.chronicle.feeds import list_feeds as _list_feeds -from secops.chronicle.feeds import update_feed as _update_feed -from secops.chronicle.gemini import GeminiResponse -from secops.chronicle.gemini import opt_in_to_gemini as _opt_in_to_gemini -from secops.chronicle.gemini import query_gemini as _query_gemini -from secops.chronicle.ioc import list_iocs as _list_iocs -from secops.chronicle.investigations import ( - fetch_associated_investigations as _fetch_associated_investigations, +from secops.chronicle.entity import ( + _detect_value_type_for_query, + summarize_entity as _summarize_entity, ) -from secops.chronicle.investigations import ( - get_investigation as _get_investigation, +from secops.chronicle.featured_content_rules import ( + list_featured_content_rules as _list_featured_content_rules, ) -from secops.chronicle.investigations import ( - list_investigations as _list_investigations, +from secops.chronicle.feeds import ( + CreateFeedModel, + UpdateFeedModel, + create_feed as _create_feed, + delete_feed as _delete_feed, + disable_feed as _disable_feed, + enable_feed as _enable_feed, + generate_secret as _generate_secret, + get_feed as _get_feed, + list_feeds as _list_feeds, + update_feed as _update_feed, +) +from secops.chronicle.gemini import ( + GeminiResponse, + opt_in_to_gemini as _opt_in_to_gemini, + query_gemini as _query_gemini, ) from secops.chronicle.investigations import ( + fetch_associated_investigations as _fetch_associated_investigations, + get_investigation as _get_investigation, + list_investigations as _list_investigations, trigger_investigation as _trigger_investigation, ) -from secops.chronicle.log_ingest import create_forwarder as _create_forwarder -from secops.chronicle.log_ingest import delete_forwarder as _delete_forwarder -from secops.chronicle.log_ingest import get_forwarder as _get_forwarder +from secops.chronicle.ioc import list_iocs as _list_iocs from secops.chronicle.log_ingest import ( + create_forwarder as _create_forwarder, + delete_forwarder as _delete_forwarder, + get_forwarder as _get_forwarder, get_or_create_forwarder as _get_or_create_forwarder, + import_entities as _import_entities, + ingest_log as _ingest_log, + ingest_udm as _ingest_udm, + list_forwarders as _list_forwarders, + update_forwarder as _update_forwarder, ) -from secops.chronicle.log_ingest import import_entities as _import_entities -from secops.chronicle.log_ingest import ingest_log as _ingest_log -from secops.chronicle.log_ingest import ingest_udm as _ingest_udm -from secops.chronicle.log_ingest import list_forwarders as _list_forwarders -from secops.chronicle.log_ingest import update_forwarder as _update_forwarder -from secops.chronicle.log_types import classify_logs as _classify_logs -from secops.chronicle.log_types import get_all_log_types as _get_all_log_types -from secops.chronicle.log_types import ( - get_log_type_description as _get_log_type_description, -) -from secops.chronicle.log_types import is_valid_log_type as _is_valid_log_type -from secops.chronicle.log_types import search_log_types as _search_log_types from secops.chronicle.log_processing_pipelines import ( associate_streams as _associate_streams, -) -from secops.chronicle.log_processing_pipelines import ( create_log_processing_pipeline as _create_log_processing_pipeline, -) -from secops.chronicle.log_processing_pipelines import ( delete_log_processing_pipeline as _delete_log_processing_pipeline, -) -from secops.chronicle.log_processing_pipelines import ( dissociate_streams as _dissociate_streams, -) -from secops.chronicle.log_processing_pipelines import ( fetch_associated_pipeline as _fetch_associated_pipeline, -) -from secops.chronicle.log_processing_pipelines import ( fetch_sample_logs_by_streams as _fetch_sample_logs_by_streams, -) -from secops.chronicle.log_processing_pipelines import ( get_log_processing_pipeline as _get_log_processing_pipeline, -) -from secops.chronicle.log_processing_pipelines import ( list_log_processing_pipelines as _list_log_processing_pipelines, -) -from secops.chronicle.log_processing_pipelines import ( + test_pipeline as _test_pipeline, update_log_processing_pipeline as _update_log_processing_pipeline, ) -from secops.chronicle.log_processing_pipelines import ( - test_pipeline as _test_pipeline, +from secops.chronicle.log_types import ( + classify_logs as _classify_logs, + get_all_log_types as _get_all_log_types, + get_log_type_description as _get_log_type_description, + is_valid_log_type as _is_valid_log_type, + search_log_types as _search_log_types, +) +from secops.chronicle.integration.jobs import ( + create_integration_job as _create_integration_job, + delete_integration_job as _delete_integration_job, + execute_integration_job_test as _execute_integration_job_test, + get_integration_job as _get_integration_job, + get_integration_job_template as _get_integration_job_template, + list_integration_jobs as _list_integration_jobs, + update_integration_job as _update_integration_job, +) +from secops.chronicle.integration.job_revisions import ( + create_integration_job_revision as _create_integration_job_revision, + delete_integration_job_revision as _delete_integration_job_revision, + list_integration_job_revisions as _list_integration_job_revisions, + rollback_integration_job_revision as _rollback_integration_job_revision, +) +from secops.chronicle.integration.job_instances import ( + create_integration_job_instance as _create_integration_job_instance, + delete_integration_job_instance as _delete_integration_job_instance, + get_integration_job_instance as _get_integration_job_instance, + list_integration_job_instances as _list_integration_job_instances, + run_integration_job_instance_on_demand as _run_integration_job_instance_on_demand, + update_integration_job_instance as _update_integration_job_instance, +) +from secops.chronicle.integration.job_context_properties import ( + create_job_context_property as _create_job_context_property, + delete_all_job_context_properties as _delete_all_job_context_properties, + delete_job_context_property as _delete_job_context_property, + get_job_context_property as _get_job_context_property, + list_job_context_properties as _list_job_context_properties, + update_job_context_property as _update_job_context_property, +) +from secops.chronicle.integration.job_instance_logs import ( + get_job_instance_log as _get_job_instance_log, + list_job_instance_logs as _list_job_instance_logs, ) from secops.chronicle.models import ( APIVersion, @@ -164,104 +172,73 @@ DashboardQuery, EntitySummary, InputInterval, + JobParameter, TileType, ) -from secops.chronicle.nl_search import nl_search as _nl_search -from secops.chronicle.nl_search import translate_nl_to_udm -from secops.chronicle.parser import activate_parser as _activate_parser +from secops.chronicle.nl_search import ( + nl_search as _nl_search, + translate_nl_to_udm, +) from secops.chronicle.parser import ( + activate_parser as _activate_parser, activate_release_candidate_parser as _activate_release_candidate_parser, + copy_parser as _copy_parser, + create_parser as _create_parser, + deactivate_parser as _deactivate_parser, + delete_parser as _delete_parser, + get_parser as _get_parser, + list_parsers as _list_parsers, + run_parser as _run_parser, ) -from secops.chronicle.parser import copy_parser as _copy_parser -from secops.chronicle.parser import create_parser as _create_parser -from secops.chronicle.parser import deactivate_parser as _deactivate_parser -from secops.chronicle.parser import delete_parser as _delete_parser -from secops.chronicle.parser import get_parser as _get_parser -from secops.chronicle.parser import list_parsers as _list_parsers -from secops.chronicle.parser import run_parser as _run_parser -from secops.chronicle.parser_extension import ParserExtensionConfig from secops.chronicle.parser_extension import ( + ParserExtensionConfig, activate_parser_extension as _activate_parser_extension, -) -from secops.chronicle.parser_extension import ( create_parser_extension as _create_parser_extension, -) -from secops.chronicle.parser_extension import ( delete_parser_extension as _delete_parser_extension, -) -from secops.chronicle.parser_extension import ( get_parser_extension as _get_parser_extension, -) -from secops.chronicle.parser_extension import ( list_parser_extensions as _list_parser_extensions, ) from secops.chronicle.reference_list import ( ReferenceListSyntaxType, ReferenceListView, -) -from secops.chronicle.reference_list import ( create_reference_list as _create_reference_list, -) -from secops.chronicle.reference_list import ( get_reference_list as _get_reference_list, -) -from secops.chronicle.reference_list import ( list_reference_lists as _list_reference_lists, -) -from secops.chronicle.reference_list import ( update_reference_list as _update_reference_list, ) - -# Import rule functions -from secops.chronicle.rule import create_rule as _create_rule -from secops.chronicle.rule import delete_rule as _delete_rule -from secops.chronicle.rule import enable_rule as _enable_rule -from secops.chronicle.rule import get_rule as _get_rule -from secops.chronicle.rule import get_rule_deployment as _get_rule_deployment from secops.chronicle.rule import ( + create_rule as _create_rule, + delete_rule as _delete_rule, + enable_rule as _enable_rule, + get_rule as _get_rule, + get_rule_deployment as _get_rule_deployment, list_rule_deployments as _list_rule_deployments, -) -from secops.chronicle.rule import list_rules as _list_rules -from secops.chronicle.rule import run_rule_test -from secops.chronicle.rule import search_rules as _search_rules -from secops.chronicle.rule import set_rule_alerting as _set_rule_alerting -from secops.chronicle.rule import update_rule as _update_rule -from secops.chronicle.rule import ( + list_rules as _list_rules, + run_rule_test, + search_rules as _search_rules, + set_rule_alerting as _set_rule_alerting, + update_rule as _update_rule, update_rule_deployment as _update_rule_deployment, ) from secops.chronicle.rule_alert import ( bulk_update_alerts as _bulk_update_alerts, -) -from secops.chronicle.rule_alert import get_alert as _get_alert -from secops.chronicle.rule_alert import ( + get_alert as _get_alert, search_rule_alerts as _search_rule_alerts, + update_alert as _update_alert, +) +from secops.chronicle.rule_detection import ( + list_detections as _list_detections, + list_errors as _list_errors, ) -from secops.chronicle.rule_alert import update_alert as _update_alert -from secops.chronicle.rule_detection import list_detections as _list_detections -from secops.chronicle.rule_detection import list_errors as _list_errors from secops.chronicle.rule_exclusion import ( RuleExclusionType, UpdateRuleDeployment, -) -from secops.chronicle.rule_exclusion import ( compute_rule_exclusion_activity as _compute_rule_exclusion_activity, -) -from secops.chronicle.rule_exclusion import ( create_rule_exclusion as _create_rule_exclusion, -) -from secops.chronicle.rule_exclusion import ( get_rule_exclusion as _get_rule_exclusion, -) -from secops.chronicle.rule_exclusion import ( get_rule_exclusion_deployment as _get_rule_exclusion_deployment, -) -from secops.chronicle.rule_exclusion import ( list_rule_exclusions as _list_rule_exclusions, -) -from secops.chronicle.rule_exclusion import ( patch_rule_exclusion as _patch_rule_exclusion, -) -from secops.chronicle.rule_exclusion import ( update_rule_exclusion_deployment as _update_rule_exclusion_deployment, ) from secops.chronicle.rule_retrohunt import ( @@ -270,72 +247,45 @@ list_retrohunts as _list_retrohunts, ) from secops.chronicle.rule_set import ( - batch_update_curated_rule_set_deployments as _batch_update_curated_rule_set_deployments, # pylint: disable=line-too-long -) -from secops.chronicle.rule_set import get_curated_rule as _get_curated_rule -from secops.chronicle.rule_set import ( + batch_update_curated_rule_set_deployments as _batch_update_curated_rule_set_deployments, + get_curated_rule as _get_curated_rule, get_curated_rule_by_name as _get_curated_rule_by_name, -) -from secops.chronicle.rule_set import ( get_curated_rule_set as _get_curated_rule_set, -) -from secops.chronicle.rule_set import ( get_curated_rule_set_category as _get_curated_rule_set_category, -) -from secops.chronicle.rule_set import ( get_curated_rule_set_deployment as _get_curated_rule_set_deployment, -) -from secops.chronicle.rule_set import ( - get_curated_rule_set_deployment_by_name as _get_curated_rule_set_deployment_by_name, # pylint: disable=line-too-long -) -from secops.chronicle.rule_set import ( + get_curated_rule_set_deployment_by_name as _get_curated_rule_set_deployment_by_name, list_curated_rule_set_categories as _list_curated_rule_set_categories, -) -from secops.chronicle.rule_set import ( list_curated_rule_set_deployments as _list_curated_rule_set_deployments, -) -from secops.chronicle.rule_set import ( list_curated_rule_sets as _list_curated_rule_sets, -) -from secops.chronicle.rule_set import list_curated_rules as _list_curated_rules -from secops.chronicle.rule_set import ( + list_curated_rules as _list_curated_rules, search_curated_detections as _search_curated_detections, -) -from secops.chronicle.rule_set import ( update_curated_rule_set_deployment as _update_curated_rule_set_deployment, ) -from secops.chronicle.featured_content_rules import ( - list_featured_content_rules as _list_featured_content_rules, -) from secops.chronicle.rule_validation import validate_rule as _validate_rule from secops.chronicle.search import search_udm as _search_udm from secops.chronicle.log_search import search_raw_logs as _search_raw_logs from secops.chronicle.stats import get_stats as _get_stats -from secops.chronicle.udm_mapping import RowLogFormat from secops.chronicle.udm_mapping import ( + RowLogFormat, generate_udm_key_value_mappings as _generate_udm_key_value_mappings, ) - -# Import functions from the new modules from secops.chronicle.udm_search import ( fetch_udm_search_csv as _fetch_udm_search_csv, -) -from secops.chronicle.udm_search import ( fetch_udm_search_view as _fetch_udm_search_view, -) -from secops.chronicle.udm_search import ( find_udm_field_values as _find_udm_field_values, ) from secops.chronicle.validate import validate_query as _validate_query from secops.chronicle.watchlist import ( - list_watchlists as _list_watchlists, - get_watchlist as _get_watchlist, - delete_watchlist as _delete_watchlist, create_watchlist as _create_watchlist, + delete_watchlist as _delete_watchlist, + get_watchlist as _get_watchlist, + list_watchlists as _list_watchlists, update_watchlist as _update_watchlist, ) from secops.exceptions import SecOpsError +# pylint: enable=line-too-long + class ValueType(Enum): """Chronicle API value types.""" @@ -761,6 +711,1088 @@ def update_watchlist( update_mask, ) + # ------------------------------------------------------------------------- + # Integration Job methods + # ------------------------------------------------------------------------- + + def list_integration_jobs( + self, + integration_name: str, + page_size: int | None = None, + page_token: str | None = None, + filter_string: str | None = None, + order_by: str | None = None, + exclude_staging: bool | None = None, + api_version: APIVersion | None = APIVersion.V1BETA, + as_list: bool = False, + ) -> dict[str, Any] | list[dict[str, Any]]: + """List all jobs defined for a specific integration. + + Use this method to browse the available background and scheduled + automation capabilities provided by a third-party connection. + + Args: + integration_name: Name of the integration to list jobs for. + page_size: Maximum number of jobs to return. + page_token: Page token from a previous call to retrieve the + next page. + filter_string: Filter expression to filter jobs. Allowed + filters are: id, custom, system, author, version, + integration. + order_by: Field to sort the jobs by. + exclude_staging: Whether to exclude staging jobs from the + response. By default, staging jobs are included. + api_version: API version to use for the request. Default is + V1BETA. + as_list: If True, return a list of jobs instead of a dict + with jobs list and nextPageToken. + + Returns: + If as_list is True: List of jobs. + If as_list is False: Dict with jobs list and nextPageToken. + + Raises: + APIError: If the API request fails. + """ + return _list_integration_jobs( + self, + integration_name, + page_size=page_size, + page_token=page_token, + filter_string=filter_string, + order_by=order_by, + exclude_staging=exclude_staging, + api_version=api_version, + as_list=as_list, + ) + + def get_integration_job( + self, + integration_name: str, + job_id: str, + api_version: APIVersion | None = APIVersion.V1BETA, + ) -> dict[str, Any]: + """Get a single job for a given integration. + + Use this method to retrieve the Python script, execution + parameters, and versioning information for a background + automation task. + + Args: + integration_name: Name of the integration the job belongs + to. + job_id: ID of the job to retrieve. + api_version: API version to use for the request. Default is + V1BETA. + + Returns: + Dict containing details of the specified IntegrationJob. + + Raises: + APIError: If the API request fails. + """ + return _get_integration_job( + self, + integration_name, + job_id, + api_version=api_version, + ) + + def delete_integration_job( + self, + integration_name: str, + job_id: str, + api_version: APIVersion | None = APIVersion.V1BETA, + ) -> None: + """Delete a specific custom job from a given integration. + + Only custom jobs can be deleted; commercial and system jobs + are immutable. + + Args: + integration_name: Name of the integration the job belongs + to. + job_id: ID of the job to delete. + api_version: API version to use for the request. Default is + V1BETA. + + Returns: + None + + Raises: + APIError: If the API request fails. + """ + return _delete_integration_job( + self, + integration_name, + job_id, + api_version=api_version, + ) + + def create_integration_job( + self, + integration_name: str, + display_name: str, + script: str, + version: int, + enabled: bool, + custom: bool, + description: str | None = None, + parameters: list[dict[str, Any] | JobParameter] | None = None, + api_version: APIVersion | None = APIVersion.V1BETA, + ) -> dict[str, Any]: + """Create a new custom job for a given integration. + + Each job must have a unique display name and a functional + Python script for its background execution. + + Args: + integration_name: Name of the integration to create the job + for. + display_name: Job's display name. Maximum 400 characters. + Required. + script: Job's Python script. Required. + version: Job's version. Required. + enabled: Whether the job is enabled. Required. + custom: Whether the job is custom or commercial. Required. + description: Job's description. Optional. + parameters: List of JobParameter instances or dicts. + Optional. + api_version: API version to use for the request. Default is + V1BETA. + + Returns: + Dict containing the newly created IntegrationJob resource. + + Raises: + APIError: If the API request fails. + """ + return _create_integration_job( + self, + integration_name, + display_name, + script, + version, + enabled, + custom, + description=description, + parameters=parameters, + api_version=api_version, + ) + + def update_integration_job( + self, + integration_name: str, + job_id: str, + display_name: str | None = None, + script: str | None = None, + version: int | None = None, + enabled: bool | None = None, + custom: bool | None = None, + description: str | None = None, + parameters: list[dict[str, Any] | JobParameter] | None = None, + update_mask: str | None = None, + api_version: APIVersion | None = APIVersion.V1BETA, + ) -> dict[str, Any]: + """Update an existing custom job for a given integration. + + Use this method to modify the Python script or adjust the + parameter definitions for a job. + + Args: + integration_name: Name of the integration the job belongs + to. + job_id: ID of the job to update. + display_name: Job's display name. Maximum 400 characters. + script: Job's Python script. + version: Job's version. + enabled: Whether the job is enabled. + custom: Whether the job is custom or commercial. + description: Job's description. + parameters: List of JobParameter instances or dicts. + update_mask: Comma-separated list of fields to update. If + omitted, the mask is auto-generated from whichever + fields are provided. Example: "displayName,script". + api_version: API version to use for the request. Default is + V1BETA. + + Returns: + Dict containing the updated IntegrationJob resource. + + Raises: + APIError: If the API request fails. + """ + return _update_integration_job( + self, + integration_name, + job_id, + display_name=display_name, + script=script, + version=version, + enabled=enabled, + custom=custom, + description=description, + parameters=parameters, + update_mask=update_mask, + api_version=api_version, + ) + + def execute_integration_job_test( + self, + integration_name: str, + job: dict[str, Any], + agent_identifier: str | None = None, + api_version: APIVersion | None = APIVersion.V1BETA, + ) -> dict[str, Any]: + """Execute a test run of an integration job's Python script. + + Use this method to verify background automation logic and + connectivity before deploying the job to an instance for + recurring execution. + + Args: + integration_name: Name of the integration the job belongs + to. + job: Dict containing the IntegrationJob to test. + agent_identifier: Agent identifier for remote testing. + Optional. + api_version: API version to use for the request. Default is + V1BETA. + + Returns: + Dict containing the test execution results with the + following fields: + - output: The script output. + - debugOutput: The script debug output. + - resultObjectJson: The result JSON if it exists + (optional). + - resultName: The script result name (optional). + - resultValue: The script result value (optional). + + Raises: + APIError: If the API request fails. + """ + return _execute_integration_job_test( + self, + integration_name, + job, + agent_identifier=agent_identifier, + api_version=api_version, + ) + + def get_integration_job_template( + self, + integration_name: str, + api_version: APIVersion | None = APIVersion.V1BETA, + ) -> dict[str, Any]: + """Retrieve a default Python script template for a new + integration job. + + Use this method to rapidly initialize the development of a new + job. + + Args: + integration_name: Name of the integration to fetch the + template for. + api_version: API version to use for the request. Default is + V1BETA. + + Returns: + Dict containing the IntegrationJob template. + + Raises: + APIError: If the API request fails. + """ + return _get_integration_job_template( + self, + integration_name, + api_version=api_version, + ) + + # ------------------------------------------------------------------------- + # Integration Job Revisions methods + # ------------------------------------------------------------------------- + + def list_integration_job_revisions( + self, + integration_name: str, + job_id: str, + page_size: int | None = None, + page_token: str | None = None, + filter_string: str | None = None, + order_by: str | None = None, + api_version: APIVersion | None = APIVersion.V1BETA, + as_list: bool = False, + ) -> dict[str, Any] | list[dict[str, Any]]: + """List all revisions for a specific integration job. + + Use this method to browse the version history of a job and + identify previous functional states. + + Args: + integration_name: Name of the integration the job belongs + to. + job_id: ID of the job to list revisions for. + page_size: Maximum number of revisions to return. + page_token: Page token from a previous call to retrieve the + next page. + filter_string: Filter expression to filter revisions. + order_by: Field to sort the revisions by. + api_version: API version to use for the request. Default is + V1BETA. + as_list: If True, return a list of revisions instead of a + dict with revisions list and nextPageToken. + + Returns: + If as_list is True: List of revisions. + If as_list is False: Dict with revisions list and + nextPageToken. + + Raises: + APIError: If the API request fails. + """ + return _list_integration_job_revisions( + self, + integration_name, + job_id, + page_size=page_size, + page_token=page_token, + filter_string=filter_string, + order_by=order_by, + api_version=api_version, + as_list=as_list, + ) + + def delete_integration_job_revision( + self, + integration_name: str, + job_id: str, + revision_id: str, + api_version: APIVersion | None = APIVersion.V1BETA, + ) -> None: + """Delete a specific revision for a given integration job. + + Use this method to clean up obsolete snapshots and manage the + historical record of jobs. + + Args: + integration_name: Name of the integration the job belongs + to. + job_id: ID of the job the revision belongs to. + revision_id: ID of the revision to delete. + api_version: API version to use for the request. Default is + V1BETA. + + Returns: + None + + Raises: + APIError: If the API request fails. + """ + return _delete_integration_job_revision( + self, + integration_name, + job_id, + revision_id, + api_version=api_version, + ) + + def create_integration_job_revision( + self, + integration_name: str, + job_id: str, + job: dict[str, Any], + comment: str | None = None, + api_version: APIVersion | None = APIVersion.V1BETA, + ) -> dict[str, Any]: + """Create a new revision snapshot of the current integration + job. + + Use this method to establish a recovery point before making + significant updates to a job. + + Args: + integration_name: Name of the integration the job belongs + to. + job_id: ID of the job to create a revision for. + job: Dict containing the IntegrationJob to snapshot. + comment: Comment describing the revision. Maximum 400 + characters. Optional. + api_version: API version to use for the request. Default is + V1BETA. + + Returns: + Dict containing the newly created IntegrationJobRevision + resource. + + Raises: + APIError: If the API request fails. + """ + return _create_integration_job_revision( + self, + integration_name, + job_id, + job, + comment=comment, + api_version=api_version, + ) + + def rollback_integration_job_revision( + self, + integration_name: str, + job_id: str, + revision_id: str, + api_version: APIVersion | None = APIVersion.V1BETA, + ) -> dict[str, Any]: + """Revert the current job definition to a previously saved + revision. + + Use this method to rapidly recover a functional state if an + update causes operational issues in scheduled or background + automation. + + Args: + integration_name: Name of the integration the job belongs + to. + job_id: ID of the job to rollback. + revision_id: ID of the revision to rollback to. + api_version: API version to use for the request. Default is + V1BETA. + + Returns: + Dict containing the IntegrationJobRevision rolled back to. + + Raises: + APIError: If the API request fails. + """ + return _rollback_integration_job_revision( + self, + integration_name, + job_id, + revision_id, + api_version=api_version, + ) + + # ------------------------------------------------------------------------- + # Integration Job Instances methods + # ------------------------------------------------------------------------- + + def list_integration_job_instances( + self, + integration_name: str, + job_id: str, + page_size: int | None = None, + page_token: str | None = None, + filter_string: str | None = None, + order_by: str | None = None, + api_version: APIVersion | None = APIVersion.V1BETA, + as_list: bool = False, + ) -> dict[str, Any] | list[dict[str, Any]]: + """List all job instances for a specific integration job. + + Use this method to browse the active job instances and their + last execution status. + + Args: + integration_name: Name of the integration the job belongs + to. + job_id: ID of the job to list instances for. + page_size: Maximum number of job instances to return. + page_token: Page token from a previous call to retrieve the + next page. + filter_string: Filter expression to filter job instances. + order_by: Field to sort the job instances by. + api_version: API version to use for the request. Default is + V1BETA. + as_list: If True, return a list of job instances instead of + a dict with job instances list and nextPageToken. + + Returns: + If as_list is True: List of job instances. + If as_list is False: Dict with job instances list and + nextPageToken. + + Raises: + APIError: If the API request fails. + """ + return _list_integration_job_instances( + self, + integration_name, + job_id, + page_size=page_size, + page_token=page_token, + filter_string=filter_string, + order_by=order_by, + api_version=api_version, + as_list=as_list, + ) + + def get_integration_job_instance( + self, + integration_name: str, + job_id: str, + job_instance_id: str, + api_version: APIVersion | None = APIVersion.V1BETA, + ) -> dict[str, Any]: + """Get a single job instance for a specific integration job. + + Use this method to retrieve configuration details and the + current schedule settings for a job instance. + + Args: + integration_name: Name of the integration the job belongs + to. + job_id: ID of the job the instance belongs to. + job_instance_id: ID of the job instance to retrieve. + api_version: API version to use for the request. Default is + V1BETA. + + Returns: + Dict containing details of the specified + IntegrationJobInstance. + + Raises: + APIError: If the API request fails. + """ + return _get_integration_job_instance( + self, + integration_name, + job_id, + job_instance_id, + api_version=api_version, + ) + + def delete_integration_job_instance( + self, + integration_name: str, + job_id: str, + job_instance_id: str, + api_version: APIVersion | None = APIVersion.V1BETA, + ) -> None: + """Delete a specific job instance for a given integration job. + + Use this method to remove scheduled or configured job instances + that are no longer needed. + + Args: + integration_name: Name of the integration the job belongs + to. + job_id: ID of the job the instance belongs to. + job_instance_id: ID of the job instance to delete. + api_version: API version to use for the request. Default is + V1BETA. + + Returns: + None + + Raises: + APIError: If the API request fails. + """ + return _delete_integration_job_instance( + self, + integration_name, + job_id, + job_instance_id, + api_version=api_version, + ) + + def create_integration_job_instance( + self, + integration_name: str, + job_id: str, + display_name: str, + interval_seconds: int, + enabled: bool, + advanced: bool, + description: str | None = None, + parameters: list[dict[str, Any]] | None = None, + agent: str | None = None, + advanced_config: dict[str, Any] | None = None, + api_version: APIVersion | None = APIVersion.V1BETA, + ) -> dict[str, Any]: + """Create a new job instance for a given integration job. + + Use this method to schedule a job to run at regular intervals + or with advanced cron-style scheduling. + + Args: + integration_name: Name of the integration the job belongs + to. + job_id: ID of the job to create an instance for. + display_name: Display name for the job instance. + interval_seconds: Interval in seconds between job runs. + enabled: Whether the job instance is enabled. + advanced: Whether advanced scheduling is used. + description: Description of the job instance. Optional. + parameters: List of parameter values for the job instance. + Optional. + agent: Agent identifier for remote execution. Optional. + advanced_config: Advanced scheduling configuration. + Optional. + api_version: API version to use for the request. Default is + V1BETA. + + Returns: + Dict containing the newly created IntegrationJobInstance + resource. + + Raises: + APIError: If the API request fails. + """ + return _create_integration_job_instance( + self, + integration_name, + job_id, + display_name, + interval_seconds, + enabled, + advanced, + description=description, + parameters=parameters, + agent=agent, + advanced_config=advanced_config, + api_version=api_version, + ) + + def update_integration_job_instance( + self, + integration_name: str, + job_id: str, + job_instance_id: str, + display_name: str | None = None, + description: str | None = None, + interval_seconds: int | None = None, + enabled: bool | None = None, + advanced: bool | None = None, + parameters: list[dict[str, Any]] | None = None, + advanced_config: dict[str, Any] | None = None, + update_mask: str | None = None, + api_version: APIVersion | None = APIVersion.V1BETA, + ) -> dict[str, Any]: + """Update an existing job instance for a given integration job. + + Use this method to modify scheduling, parameters, or enable/ + disable a job instance. + + Args: + integration_name: Name of the integration the job belongs + to. + job_id: ID of the job the instance belongs to. + job_instance_id: ID of the job instance to update. + display_name: Display name for the job instance. Optional. + description: Description of the job instance. Optional. + interval_seconds: Interval in seconds between job runs. + Optional. + enabled: Whether the job instance is enabled. Optional. + advanced: Whether advanced scheduling is used. Optional. + parameters: List of parameter values for the job instance. + Optional. + advanced_config: Advanced scheduling configuration. + Optional. + update_mask: Comma-separated field paths to update. If not + provided, will be auto-generated. Optional. + api_version: API version to use for the request. Default is + V1BETA. + + Returns: + Dict containing the updated IntegrationJobInstance. + + Raises: + APIError: If the API request fails. + """ + return _update_integration_job_instance( + self, + integration_name, + job_id, + job_instance_id, + display_name=display_name, + description=description, + interval_seconds=interval_seconds, + enabled=enabled, + advanced=advanced, + parameters=parameters, + advanced_config=advanced_config, + update_mask=update_mask, + api_version=api_version, + ) + + def run_integration_job_instance_on_demand( + self, + integration_name: str, + job_id: str, + job_instance_id: str, + parameters: list[dict[str, Any]] | None = None, + api_version: APIVersion | None = APIVersion.V1BETA, + ) -> dict[str, Any]: + """Run a job instance immediately without waiting for the next + scheduled execution. + + Use this method to manually trigger a job instance for testing + or immediate data collection. + + Args: + integration_name: Name of the integration the job belongs + to. + job_id: ID of the job the instance belongs to. + job_instance_id: ID of the job instance to run. + parameters: Optional parameter overrides for this run. + Optional. + api_version: API version to use for the request. Default is + V1BETA. + + Returns: + Dict containing the result of the on-demand run. + + Raises: + APIError: If the API request fails. + """ + return _run_integration_job_instance_on_demand( + self, + integration_name, + job_id, + job_instance_id, + parameters=parameters, + api_version=api_version, + ) + + # ------------------------------------------------------------------------- + # Job Context Properties methods + # ------------------------------------------------------------------------- + + def list_job_context_properties( + self, + integration_name: str, + job_id: str, + page_size: int | None = None, + page_token: str | None = None, + filter_string: str | None = None, + order_by: str | None = None, + api_version: APIVersion | None = APIVersion.V1BETA, + as_list: bool = False, + ) -> dict[str, Any] | list[dict[str, Any]]: + """List all context properties for a specific integration job. + + Use this method to discover all custom data points associated + with a job. + + Args: + integration_name: Name of the integration the job belongs + to. + job_id: ID of the job to list context properties for. + page_size: Maximum number of context properties to return. + page_token: Page token from a previous call to retrieve the + next page. + filter_string: Filter expression to filter context + properties. + order_by: Field to sort the context properties by. + api_version: API version to use for the request. Default is + V1BETA. + as_list: If True, return a list of context properties + instead of a dict with context properties list and + nextPageToken. + + Returns: + If as_list is True: List of context properties. + If as_list is False: Dict with context properties list and + nextPageToken. + + Raises: + APIError: If the API request fails. + """ + return _list_job_context_properties( + self, + integration_name, + job_id, + page_size=page_size, + page_token=page_token, + filter_string=filter_string, + order_by=order_by, + api_version=api_version, + as_list=as_list, + ) + + def get_job_context_property( + self, + integration_name: str, + job_id: str, + context_property_id: str, + api_version: APIVersion | None = APIVersion.V1BETA, + ) -> dict[str, Any]: + """Get a single context property for a specific integration + job. + + Use this method to retrieve the value of a specific key within + a job's context. + + Args: + integration_name: Name of the integration the job belongs + to. + job_id: ID of the job the context property belongs to. + context_property_id: ID of the context property to + retrieve. + api_version: API version to use for the request. Default is + V1BETA. + + Returns: + Dict containing details of the specified ContextProperty. + + Raises: + APIError: If the API request fails. + """ + return _get_job_context_property( + self, + integration_name, + job_id, + context_property_id, + api_version=api_version, + ) + + def delete_job_context_property( + self, + integration_name: str, + job_id: str, + context_property_id: str, + api_version: APIVersion | None = APIVersion.V1BETA, + ) -> None: + """Delete a specific context property for a given integration + job. + + Use this method to remove a custom data point that is no longer + relevant to the job's context. + + Args: + integration_name: Name of the integration the job belongs + to. + job_id: ID of the job the context property belongs to. + context_property_id: ID of the context property to delete. + api_version: API version to use for the request. Default is + V1BETA. + + Returns: + None + + Raises: + APIError: If the API request fails. + """ + return _delete_job_context_property( + self, + integration_name, + job_id, + context_property_id, + api_version=api_version, + ) + + def create_job_context_property( + self, + integration_name: str, + job_id: str, + value: str, + key: str | None = None, + api_version: APIVersion | None = APIVersion.V1BETA, + ) -> dict[str, Any]: + """Create a new context property for a specific integration + job. + + Use this method to attach custom data to a job's context. + Property keys must be unique within their context. + + Args: + integration_name: Name of the integration the job belongs + to. + job_id: ID of the job to create the context property for. + value: The property value. Required. + key: The context property ID to use. Must be 4-63 + characters and match /[a-z][0-9]-/. Optional. + api_version: API version to use for the request. Default is + V1BETA. + + Returns: + Dict containing the newly created ContextProperty resource. + + Raises: + APIError: If the API request fails. + """ + return _create_job_context_property( + self, + integration_name, + job_id, + value, + key=key, + api_version=api_version, + ) + + def update_job_context_property( + self, + integration_name: str, + job_id: str, + context_property_id: str, + value: str, + update_mask: str | None = None, + api_version: APIVersion | None = APIVersion.V1BETA, + ) -> dict[str, Any]: + """Update an existing context property for a given integration + job. + + Use this method to modify the value of a previously saved key. + + Args: + integration_name: Name of the integration the job belongs + to. + job_id: ID of the job the context property belongs to. + context_property_id: ID of the context property to update. + value: The new property value. Required. + update_mask: Comma-separated list of fields to update. Only + "value" is supported. If omitted, defaults to "value". + api_version: API version to use for the request. Default is + V1BETA. + + Returns: + Dict containing the updated ContextProperty resource. + + Raises: + APIError: If the API request fails. + """ + return _update_job_context_property( + self, + integration_name, + job_id, + context_property_id, + value, + update_mask=update_mask, + api_version=api_version, + ) + + def delete_all_job_context_properties( + self, + integration_name: str, + job_id: str, + context_id: str | None = None, + api_version: APIVersion | None = APIVersion.V1BETA, + ) -> None: + """Delete all context properties for a specific integration + job. + + Use this method to quickly clear all supplemental data from a + job's context. + + Args: + integration_name: Name of the integration the job belongs + to. + job_id: ID of the job to clear context properties from. + context_id: The context ID to remove context properties + from. Must be 4-63 characters and match /[a-z][0-9]-/. + Optional. + api_version: API version to use for the request. Default is + V1BETA. + + Returns: + None + + Raises: + APIError: If the API request fails. + """ + return _delete_all_job_context_properties( + self, + integration_name, + job_id, + context_id=context_id, + api_version=api_version, + ) + + # ------------------------------------------------------------------------- + # Job Instance Logs methods + # ------------------------------------------------------------------------- + + def list_job_instance_logs( + self, + integration_name: str, + job_id: str, + job_instance_id: str, + page_size: int | None = None, + page_token: str | None = None, + filter_string: str | None = None, + order_by: str | None = None, + api_version: APIVersion | None = APIVersion.V1BETA, + as_list: bool = False, + ) -> dict[str, Any] | list[dict[str, Any]]: + """List all execution logs for a specific job instance. + + Use this method to browse the historical performance and + reliability of a background automation schedule. + + Args: + integration_name: Name of the integration the job belongs + to. + job_id: ID of the job the instance belongs to. + job_instance_id: ID of the job instance to list logs for. + page_size: Maximum number of logs to return. + page_token: Page token from a previous call to retrieve the + next page. + filter_string: Filter expression to filter logs. + order_by: Field to sort the logs by. + api_version: API version to use for the request. Default is + V1BETA. + as_list: If True, return a list of logs instead of a dict + with logs list and nextPageToken. + + Returns: + If as_list is True: List of logs. + If as_list is False: Dict with logs list and nextPageToken. + + Raises: + APIError: If the API request fails. + """ + return _list_job_instance_logs( + self, + integration_name, + job_id, + job_instance_id, + page_size=page_size, + page_token=page_token, + filter_string=filter_string, + order_by=order_by, + api_version=api_version, + as_list=as_list, + ) + + def get_job_instance_log( + self, + integration_name: str, + job_id: str, + job_instance_id: str, + log_id: str, + api_version: APIVersion | None = APIVersion.V1BETA, + ) -> dict[str, Any]: + """Get a single log entry for a specific job instance. + + Use this method to retrieve the detailed output message, + start/end times, and final status of a specific background task + execution. + + Args: + integration_name: Name of the integration the job belongs + to. + job_id: ID of the job the instance belongs to. + job_instance_id: ID of the job instance the log belongs to. + log_id: ID of the log entry to retrieve. + api_version: API version to use for the request. Default is + V1BETA. + + Returns: + Dict containing details of the specified JobInstanceLog. + + Raises: + APIError: If the API request fails. + """ + return _get_job_instance_log( + self, + integration_name, + job_id, + job_instance_id, + log_id, + api_version=api_version, + ) + def get_stats( self, query: str, diff --git a/src/secops/chronicle/entity.py b/src/secops/chronicle/entity.py index 429d4393..84e5060a 100644 --- a/src/secops/chronicle/entity.py +++ b/src/secops/chronicle/entity.py @@ -15,6 +15,7 @@ """ Provides entity search, analysis and summarization functionality for Chronicle. """ + import ipaddress import re from datetime import datetime diff --git a/src/secops/chronicle/feeds.py b/src/secops/chronicle/feeds.py index b9ed7f22..8030b753 100644 --- a/src/secops/chronicle/feeds.py +++ b/src/secops/chronicle/feeds.py @@ -15,6 +15,7 @@ """ Provides ingestion feed management functionality for Chronicle. """ + import json import os import sys diff --git a/src/secops/chronicle/gemini.py b/src/secops/chronicle/gemini.py index abed52cb..eee42374 100644 --- a/src/secops/chronicle/gemini.py +++ b/src/secops/chronicle/gemini.py @@ -16,6 +16,7 @@ Provides access to Chronicle's Gemini conversational AI interface. """ + import re from typing import Any diff --git a/src/secops/chronicle/integration/__init__.py b/src/secops/chronicle/integration/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/src/secops/chronicle/integration/job_context_properties.py b/src/secops/chronicle/integration/job_context_properties.py new file mode 100644 index 00000000..de40a6f8 --- /dev/null +++ b/src/secops/chronicle/integration/job_context_properties.py @@ -0,0 +1,298 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +"""Integration job context property functionality for Chronicle.""" + +from typing import Any, TYPE_CHECKING + +from secops.chronicle.models import APIVersion +from secops.chronicle.utils.format_utils import ( + format_resource_id, + build_patch_body, +) +from secops.chronicle.utils.request_utils import ( + chronicle_paginated_request, + chronicle_request, +) + +if TYPE_CHECKING: + from secops.chronicle.client import ChronicleClient + + +def list_job_context_properties( + client: "ChronicleClient", + integration_name: str, + job_id: str, + page_size: int | None = None, + page_token: str | None = None, + filter_string: str | None = None, + order_by: str | None = None, + api_version: APIVersion | None = APIVersion.V1BETA, + as_list: bool = False, +) -> dict[str, Any] | list[dict[str, Any]]: + """List all context properties for a specific integration job. + + Use this method to discover all custom data points associated with a job. + + Args: + client: ChronicleClient instance. + integration_name: Name of the integration the job belongs to. + job_id: ID of the job to list context properties for. + page_size: Maximum number of context properties to return. + page_token: Page token from a previous call to retrieve the next page. + filter_string: Filter expression to filter context properties. + order_by: Field to sort the context properties by. + api_version: API version to use for the request. Default is V1BETA. + as_list: If True, return a list of context properties instead of a + dict with context properties list and nextPageToken. + + Returns: + If as_list is True: List of context properties. + If as_list is False: Dict with context properties list and + nextPageToken. + + Raises: + APIError: If the API request fails. + """ + extra_params = { + "filter": filter_string, + "orderBy": order_by, + } + + # Remove keys with None values + extra_params = {k: v for k, v in extra_params.items() if v is not None} + + return chronicle_paginated_request( + client, + api_version=api_version, + path=( + f"integrations/{format_resource_id(integration_name)}/" + f"jobs/{job_id}/contextProperties" + ), + items_key="contextProperties", + page_size=page_size, + page_token=page_token, + extra_params=extra_params, + as_list=as_list, + ) + + +def get_job_context_property( + client: "ChronicleClient", + integration_name: str, + job_id: str, + context_property_id: str, + api_version: APIVersion | None = APIVersion.V1BETA, +) -> dict[str, Any]: + """Get a single context property for a specific integration job. + + Use this method to retrieve the value of a specific key within a job's + context. + + Args: + client: ChronicleClient instance. + integration_name: Name of the integration the job belongs to. + job_id: ID of the job the context property belongs to. + context_property_id: ID of the context property to retrieve. + api_version: API version to use for the request. Default is V1BETA. + + Returns: + Dict containing details of the specified ContextProperty. + + Raises: + APIError: If the API request fails. + """ + return chronicle_request( + client, + method="GET", + endpoint_path=( + f"integrations/{format_resource_id(integration_name)}/" + f"jobs/{job_id}/contextProperties/{context_property_id}" + ), + api_version=api_version, + ) + + +def delete_job_context_property( + client: "ChronicleClient", + integration_name: str, + job_id: str, + context_property_id: str, + api_version: APIVersion | None = APIVersion.V1BETA, +) -> None: + """Delete a specific context property for a given integration job. + + Use this method to remove a custom data point that is no longer relevant + to the job's context. + + Args: + client: ChronicleClient instance. + integration_name: Name of the integration the job belongs to. + job_id: ID of the job the context property belongs to. + context_property_id: ID of the context property to delete. + api_version: API version to use for the request. Default is V1BETA. + + Returns: + None + + Raises: + APIError: If the API request fails. + """ + chronicle_request( + client, + method="DELETE", + endpoint_path=( + f"integrations/{format_resource_id(integration_name)}/" + f"jobs/{job_id}/contextProperties/{context_property_id}" + ), + api_version=api_version, + ) + + +def create_job_context_property( + client: "ChronicleClient", + integration_name: str, + job_id: str, + value: str, + key: str | None = None, + api_version: APIVersion | None = APIVersion.V1BETA, +) -> dict[str, Any]: + """Create a new context property for a specific integration job. + + Use this method to attach custom data to a job's context. Property keys + must be unique within their context. Key values must be 4-63 characters + and match /[a-z][0-9]-/. + + Args: + client: ChronicleClient instance. + integration_name: Name of the integration the job belongs to. + job_id: ID of the job to create the context property for. + value: The property value. Required. + key: The context property ID to use. Must be 4-63 characters and + match /[a-z][0-9]-/. Optional. + api_version: API version to use for the request. Default is V1BETA. + + Returns: + Dict containing the newly created ContextProperty resource. + + Raises: + APIError: If the API request fails. + """ + body = {"value": value} + + if key is not None: + body["key"] = key + + return chronicle_request( + client, + method="POST", + endpoint_path=( + f"integrations/{format_resource_id(integration_name)}/" + f"jobs/{job_id}/contextProperties" + ), + api_version=api_version, + json=body, + ) + + +def update_job_context_property( + client: "ChronicleClient", + integration_name: str, + job_id: str, + context_property_id: str, + value: str, + update_mask: str | None = None, + api_version: APIVersion | None = APIVersion.V1BETA, +) -> dict[str, Any]: + """Update an existing context property for a given integration job. + + Use this method to modify the value of a previously saved key. + + Args: + client: ChronicleClient instance. + integration_name: Name of the integration the job belongs to. + job_id: ID of the job the context property belongs to. + context_property_id: ID of the context property to update. + value: The new property value. Required. + update_mask: Comma-separated list of fields to update. Only "value" + is supported. If omitted, defaults to "value". + api_version: API version to use for the request. Default is V1BETA. + + Returns: + Dict containing the updated ContextProperty resource. + + Raises: + APIError: If the API request fails. + """ + body, params = build_patch_body( + field_map=[ + ("value", "value", value), + ], + update_mask=update_mask, + ) + + return chronicle_request( + client, + method="PATCH", + endpoint_path=( + f"integrations/{format_resource_id(integration_name)}/" + f"jobs/{job_id}/contextProperties/{context_property_id}" + ), + api_version=api_version, + json=body, + params=params, + ) + + +def delete_all_job_context_properties( + client: "ChronicleClient", + integration_name: str, + job_id: str, + context_id: str | None = None, + api_version: APIVersion | None = APIVersion.V1BETA, +) -> None: + """Delete all context properties for a specific integration job. + + Use this method to quickly clear all supplemental data from a job's + context. + + Args: + client: ChronicleClient instance. + integration_name: Name of the integration the job belongs to. + job_id: ID of the job to clear context properties from. + context_id: The context ID to remove context properties from. Must be + 4-63 characters and match /[a-z][0-9]-/. Optional. + api_version: API version to use for the request. Default is V1BETA. + + Returns: + None + + Raises: + APIError: If the API request fails. + """ + body = {} + + if context_id is not None: + body["contextId"] = context_id + + chronicle_request( + client, + method="POST", + endpoint_path=( + f"integrations/{format_resource_id(integration_name)}/" + f"jobs/{job_id}/contextProperties:clearAll" + ), + api_version=api_version, + json=body, + ) diff --git a/src/secops/chronicle/integration/job_instance_logs.py b/src/secops/chronicle/integration/job_instance_logs.py new file mode 100644 index 00000000..f58d568f --- /dev/null +++ b/src/secops/chronicle/integration/job_instance_logs.py @@ -0,0 +1,125 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +"""Integration job instances functionality for Chronicle.""" + +from typing import Any, TYPE_CHECKING + +from secops.chronicle.models import APIVersion +from secops.chronicle.utils.format_utils import format_resource_id +from secops.chronicle.utils.request_utils import ( + chronicle_paginated_request, + chronicle_request, +) + +if TYPE_CHECKING: + from secops.chronicle.client import ChronicleClient + + +def list_job_instance_logs( + client: "ChronicleClient", + integration_name: str, + job_id: str, + job_instance_id: str, + page_size: int | None = None, + page_token: str | None = None, + filter_string: str | None = None, + order_by: str | None = None, + api_version: APIVersion | None = APIVersion.V1BETA, + as_list: bool = False, +) -> dict[str, Any] | list[dict[str, Any]]: + """List all execution logs for a specific job instance. + + Use this method to browse the historical performance and reliability of a + background automation schedule. + + Args: + client: ChronicleClient instance. + integration_name: Name of the integration the job belongs to. + job_id: ID of the job the instance belongs to. + job_instance_id: ID of the job instance to list logs for. + page_size: Maximum number of logs to return. + page_token: Page token from a previous call to retrieve the next page. + filter_string: Filter expression to filter logs. + order_by: Field to sort the logs by. + api_version: API version to use for the request. Default is V1BETA. + as_list: If True, return a list of logs instead of a dict with logs + list and nextPageToken. + + Returns: + If as_list is True: List of logs. + If as_list is False: Dict with logs list and nextPageToken. + + Raises: + APIError: If the API request fails. + """ + extra_params = { + "filter": filter_string, + "orderBy": order_by, + } + + # Remove keys with None values + extra_params = {k: v for k, v in extra_params.items() if v is not None} + + return chronicle_paginated_request( + client, + api_version=api_version, + path=( + f"integrations/{format_resource_id(integration_name)}/" + f"jobs/{job_id}/jobInstances/{job_instance_id}/logs" + ), + items_key="logs", + page_size=page_size, + page_token=page_token, + extra_params=extra_params, + as_list=as_list, + ) + + +def get_job_instance_log( + client: "ChronicleClient", + integration_name: str, + job_id: str, + job_instance_id: str, + log_id: str, + api_version: APIVersion | None = APIVersion.V1BETA, +) -> dict[str, Any]: + """Get a single log entry for a specific job instance. + + Use this method to retrieve the detailed output message, start/end times, + and final status of a specific background task execution. + + Args: + client: ChronicleClient instance. + integration_name: Name of the integration the job belongs to. + job_id: ID of the job the instance belongs to. + job_instance_id: ID of the job instance the log belongs to. + log_id: ID of the log entry to retrieve. + api_version: API version to use for the request. Default is V1BETA. + + Returns: + Dict containing details of the specified JobInstanceLog. + + Raises: + APIError: If the API request fails. + """ + return chronicle_request( + client, + method="GET", + endpoint_path=( + f"integrations/{format_resource_id(integration_name)}/" + f"jobs/{job_id}/jobInstances/{job_instance_id}/logs/{log_id}" + ), + api_version=api_version, + ) diff --git a/src/secops/chronicle/integration/job_instances.py b/src/secops/chronicle/integration/job_instances.py new file mode 100644 index 00000000..c64705ee --- /dev/null +++ b/src/secops/chronicle/integration/job_instances.py @@ -0,0 +1,399 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +"""Integration job instances functionality for Chronicle.""" + +from typing import Any, TYPE_CHECKING + +from secops.chronicle.models import ( + APIVersion, + AdvancedConfig, + IntegrationJobInstanceParameter, +) +from secops.chronicle.utils.format_utils import ( + format_resource_id, + build_patch_body, +) +from secops.chronicle.utils.request_utils import ( + chronicle_paginated_request, + chronicle_request, +) + +if TYPE_CHECKING: + from secops.chronicle.client import ChronicleClient + + +def list_integration_job_instances( + client: "ChronicleClient", + integration_name: str, + job_id: str, + page_size: int | None = None, + page_token: str | None = None, + filter_string: str | None = None, + order_by: str | None = None, + api_version: APIVersion | None = APIVersion.V1BETA, + as_list: bool = False, +) -> dict[str, Any] | list[dict[str, Any]]: + """List all job instances for a specific integration job. + + Use this method to browse the active job instances and their last + execution status. + + Args: + client: ChronicleClient instance. + integration_name: Name of the integration the job belongs to. + job_id: ID of the job to list instances for. + page_size: Maximum number of job instances to return. + page_token: Page token from a previous call to retrieve the next page. + filter_string: Filter expression to filter job instances. + order_by: Field to sort the job instances by. + api_version: API version to use for the request. Default is V1BETA. + as_list: If True, return a list of job instances instead of a dict + with job instances list and nextPageToken. + + Returns: + If as_list is True: List of job instances. + If as_list is False: Dict with job instances list and nextPageToken. + + Raises: + APIError: If the API request fails. + """ + extra_params = { + "filter": filter_string, + "orderBy": order_by, + } + + # Remove keys with None values + extra_params = {k: v for k, v in extra_params.items() if v is not None} + + return chronicle_paginated_request( + client, + api_version=api_version, + path=( + f"integrations/{format_resource_id(integration_name)}/jobs/" + f"{job_id}/jobInstances" + ), + items_key="jobInstances", + page_size=page_size, + page_token=page_token, + extra_params=extra_params, + as_list=as_list, + ) + + +def get_integration_job_instance( + client: "ChronicleClient", + integration_name: str, + job_id: str, + job_instance_id: str, + api_version: APIVersion | None = APIVersion.V1BETA, +) -> dict[str, Any]: + """Get a single job instance for a specific integration job. + + Use this method to retrieve the execution status, last run time, and + active schedule for a specific background task. + + Args: + client: ChronicleClient instance. + integration_name: Name of the integration the job belongs to. + job_id: ID of the job the instance belongs to. + job_instance_id: ID of the job instance to retrieve. + api_version: API version to use for the request. Default is V1BETA. + + Returns: + Dict containing details of the specified IntegrationJobInstance. + + Raises: + APIError: If the API request fails. + """ + return chronicle_request( + client, + method="GET", + endpoint_path=( + f"integrations/{format_resource_id(integration_name)}/jobs/" + f"{job_id}/jobInstances/{job_instance_id}" + ), + api_version=api_version, + ) + + +def delete_integration_job_instance( + client: "ChronicleClient", + integration_name: str, + job_id: str, + job_instance_id: str, + api_version: APIVersion | None = APIVersion.V1BETA, +) -> None: + """Delete a specific job instance for a given integration job. + + Use this method to permanently stop and remove a scheduled background task. + + Args: + client: ChronicleClient instance. + integration_name: Name of the integration the job belongs to. + job_id: ID of the job the instance belongs to. + job_instance_id: ID of the job instance to delete. + api_version: API version to use for the request. Default is V1BETA. + + Returns: + None + + Raises: + APIError: If the API request fails. + """ + chronicle_request( + client, + method="DELETE", + endpoint_path=( + f"integrations/{format_resource_id(integration_name)}/jobs/" + f"{job_id}/jobInstances/{job_instance_id}" + ), + api_version=api_version, + ) + + +# pylint: disable=line-too-long +def create_integration_job_instance( + client: "ChronicleClient", + integration_name: str, + job_id: str, + display_name: str, + interval_seconds: int, + enabled: bool, + advanced: bool, + description: str | None = None, + parameters: ( + list[dict[str, Any] | IntegrationJobInstanceParameter] | None + ) = None, + advanced_config: dict[str, Any] | AdvancedConfig | None = None, + agent: str | None = None, + api_version: APIVersion | None = APIVersion.V1BETA, +) -> dict[str, Any]: + # pylint: enable=line-too-long + """Create a new job instance for a specific integration job. + + Use this method to schedule a new recurring background job. You must + provide a valid execution interval and any required script parameters. + + Args: + client: ChronicleClient instance. + integration_name: Name of the integration the job belongs to. + job_id: ID of the job to create an instance for. + display_name: Job instance display name. Required. + interval_seconds: Job execution interval in seconds. Minimum 60. + Required. + enabled: Whether the job instance is enabled. Required. + advanced: Whether the job instance uses advanced scheduling. Required. + description: Job instance description. Optional. + parameters: List of IntegrationJobInstanceParameter instances or + dicts. Optional. + advanced_config: Advanced scheduling configuration. Accepts an + AdvancedConfig instance or a raw dict. Optional. + agent: Agent identifier for remote job execution. Cannot be patched + after creation. Optional. + api_version: API version to use for the request. Default is V1BETA. + + Returns: + Dict containing the newly created IntegrationJobInstance resource. + + Raises: + APIError: If the API request fails. + """ + resolved_parameters = ( + [ + p.to_dict() if isinstance(p, IntegrationJobInstanceParameter) else p + for p in parameters + ] + if parameters is not None + else None + ) + resolved_advanced_config = ( + advanced_config.to_dict() + if isinstance(advanced_config, AdvancedConfig) + else advanced_config + ) + + body = { + "displayName": display_name, + "intervalSeconds": interval_seconds, + "enabled": enabled, + "advanced": advanced, + "description": description, + "parameters": resolved_parameters, + "advancedConfig": resolved_advanced_config, + "agent": agent, + } + + # Remove keys with None values + body = {k: v for k, v in body.items() if v is not None} + + return chronicle_request( + client, + method="POST", + endpoint_path=( + f"integrations/{format_resource_id(integration_name)}" + f"/jobs/{job_id}/jobInstances" + ), + api_version=api_version, + json=body, + ) + + +# pylint: disable=line-too-long +def update_integration_job_instance( + client: "ChronicleClient", + integration_name: str, + job_id: str, + job_instance_id: str, + display_name: str | None = None, + interval_seconds: int | None = None, + enabled: bool | None = None, + advanced: bool | None = None, + description: str | None = None, + parameters: ( + list[dict[str, Any] | IntegrationJobInstanceParameter] | None + ) = None, + advanced_config: dict[str, Any] | AdvancedConfig | None = None, + update_mask: str | None = None, + api_version: APIVersion | None = APIVersion.V1BETA, +) -> dict[str, Any]: + # pylint: enable=line-too-long + """Update an existing job instance for a given integration job. + + Use this method to modify the execution interval, enable/disable the job + instance, or adjust the parameters passed to the background script. + + Note: The agent field cannot be updated after creation. + + Args: + client: ChronicleClient instance. + integration_name: Name of the integration the job belongs to. + job_id: ID of the job the instance belongs to. + job_instance_id: ID of the job instance to update. + display_name: Job instance display name. + interval_seconds: Job execution interval in seconds. Minimum 60. + enabled: Whether the job instance is enabled. + advanced: Whether the job instance uses advanced scheduling. + description: Job instance description. + parameters: List of IntegrationJobInstanceParameter instances or + dicts. + advanced_config: Advanced scheduling configuration. Accepts an + AdvancedConfig instance or a raw dict. + update_mask: Comma-separated list of fields to update. If omitted, + the mask is auto-generated from whichever fields are provided. + Example: "displayName,intervalSeconds". + api_version: API version to use for the request. Default is V1BETA. + + Returns: + Dict containing the updated IntegrationJobInstance resource. + + Raises: + APIError: If the API request fails. + """ + resolved_parameters = ( + [ + p.to_dict() if isinstance(p, IntegrationJobInstanceParameter) else p + for p in parameters + ] + if parameters is not None + else None + ) + resolved_advanced_config = ( + advanced_config.to_dict() + if isinstance(advanced_config, AdvancedConfig) + else advanced_config + ) + + body, params = build_patch_body( + field_map=[ + ("displayName", "displayName", display_name), + ("intervalSeconds", "intervalSeconds", interval_seconds), + ("enabled", "enabled", enabled), + ("advanced", "advanced", advanced), + ("description", "description", description), + ("parameters", "parameters", resolved_parameters), + ("advancedConfig", "advancedConfig", resolved_advanced_config), + ], + update_mask=update_mask, + ) + + return chronicle_request( + client, + method="PATCH", + endpoint_path=( + f"integrations/{format_resource_id(integration_name)}/" + f"jobs/{job_id}/jobInstances/{job_instance_id}" + ), + api_version=api_version, + json=body, + params=params, + ) + + +# pylint: disable=line-too-long +def run_integration_job_instance_on_demand( + client: "ChronicleClient", + integration_name: str, + job_id: str, + job_instance_id: str, + parameters: ( + list[dict[str, Any] | IntegrationJobInstanceParameter] | None + ) = None, + api_version: APIVersion | None = APIVersion.V1BETA, +) -> dict[str, Any]: + # pylint: enable=line-too-long + """Execute a job instance immediately, bypassing its normal schedule. + + Use this method to trigger an on-demand run of a job for synchronization + or troubleshooting purposes. + + Args: + client: ChronicleClient instance. + integration_name: Name of the integration the job belongs to. + job_id: ID of the job the instance belongs to. + job_instance_id: ID of the job instance to run on demand. + parameters: List of IntegrationJobInstanceParameter instances or + dicts. Optional. + api_version: API version to use for the request. Default is V1BETA. + + Returns: + Dict containing a success boolean indicating whether the job run + completed successfully. + + Raises: + APIError: If the API request fails. + """ + resolved_parameters = ( + [ + p.to_dict() if isinstance(p, IntegrationJobInstanceParameter) else p + for p in parameters + ] + if parameters is not None + else None + ) + + body = {} + if resolved_parameters is not None: + body["parameters"] = resolved_parameters + + return chronicle_request( + client, + method="POST", + endpoint_path=( + f"integrations/{format_resource_id(integration_name)}" + f"/jobs/{job_id}/jobInstances/{job_instance_id}:runOnDemand" + ), + api_version=api_version, + json=body, + ) diff --git a/src/secops/chronicle/integration/job_revisions.py b/src/secops/chronicle/integration/job_revisions.py new file mode 100644 index 00000000..391daacb --- /dev/null +++ b/src/secops/chronicle/integration/job_revisions.py @@ -0,0 +1,204 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +"""Integration job revisions functionality for Chronicle.""" + +from typing import Any, TYPE_CHECKING + +from secops.chronicle.models import APIVersion +from secops.chronicle.utils.format_utils import ( + format_resource_id, +) +from secops.chronicle.utils.request_utils import ( + chronicle_paginated_request, + chronicle_request, +) + +if TYPE_CHECKING: + from secops.chronicle.client import ChronicleClient + + +def list_integration_job_revisions( + client: "ChronicleClient", + integration_name: str, + job_id: str, + page_size: int | None = None, + page_token: str | None = None, + filter_string: str | None = None, + order_by: str | None = None, + api_version: APIVersion | None = APIVersion.V1BETA, + as_list: bool = False, +) -> dict[str, Any] | list[dict[str, Any]]: + """List all revisions for a specific integration job. + + Use this method to browse the version history and identify previous + configurations of a recurring job. + + Args: + client: ChronicleClient instance. + integration_name: Name of the integration the job belongs to. + job_id: ID of the job to list revisions for. + page_size: Maximum number of revisions to return. + page_token: Page token from a previous call to retrieve the next page. + filter_string: Filter expression to filter revisions. + order_by: Field to sort the revisions by. + api_version: API version to use for the request. Default is V1BETA. + as_list: If True, return a list of revisions instead of a dict with + revisions list and nextPageToken. + + Returns: + If as_list is True: List of revisions. + If as_list is False: Dict with revisions list and nextPageToken. + + Raises: + APIError: If the API request fails. + """ + extra_params = { + "filter": filter_string, + "orderBy": order_by, + } + + # Remove keys with None values + extra_params = {k: v for k, v in extra_params.items() if v is not None} + + return chronicle_paginated_request( + client, + api_version=api_version, + path=( + f"integrations/{format_resource_id(integration_name)}/" + f"jobs/{job_id}/revisions" + ), + items_key="revisions", + page_size=page_size, + page_token=page_token, + extra_params=extra_params, + as_list=as_list, + ) + + +def delete_integration_job_revision( + client: "ChronicleClient", + integration_name: str, + job_id: str, + revision_id: str, + api_version: APIVersion | None = APIVersion.V1BETA, +) -> None: + """Delete a specific revision for a given integration job. + + Use this method to clean up obsolete snapshots and manage the historical + record of background automation tasks. + + Args: + client: ChronicleClient instance. + integration_name: Name of the integration the job belongs to. + job_id: ID of the job the revision belongs to. + revision_id: ID of the revision to delete. + api_version: API version to use for the request. Default is V1BETA. + + Returns: + None + + Raises: + APIError: If the API request fails. + """ + chronicle_request( + client, + method="DELETE", + endpoint_path=( + f"integrations/{format_resource_id(integration_name)}/" + f"jobs/{job_id}/revisions/{revision_id}" + ), + api_version=api_version, + ) + + +def create_integration_job_revision( + client: "ChronicleClient", + integration_name: str, + job_id: str, + job: dict[str, Any], + comment: str | None = None, + api_version: APIVersion | None = APIVersion.V1BETA, +) -> dict[str, Any]: + """Create a new revision snapshot of the current integration job. + + Use this method to establish a recovery point before making significant + changes to a background job's script or parameters. + + Args: + client: ChronicleClient instance. + integration_name: Name of the integration the job belongs to. + job_id: ID of the job to create a revision for. + job: Dict containing the IntegrationJob to snapshot. + comment: Comment describing the revision. Maximum 400 characters. + Optional. + api_version: API version to use for the request. Default is V1BETA. + + Returns: + Dict containing the newly created IntegrationJobRevision resource. + + Raises: + APIError: If the API request fails. + """ + body = {"job": job} + + if comment is not None: + body["comment"] = comment + + return chronicle_request( + client, + method="POST", + endpoint_path=( + f"integrations/{format_resource_id(integration_name)}/" + f"jobs/{job_id}/revisions" + ), + api_version=api_version, + json=body, + ) + + +def rollback_integration_job_revision( + client: "ChronicleClient", + integration_name: str, + job_id: str, + revision_id: str, + api_version: APIVersion | None = APIVersion.V1BETA, +) -> dict[str, Any]: + """Revert the current job definition to a previously saved revision. + + Use this method to rapidly recover a functional automation state if an + update causes operational issues. + + Args: + client: ChronicleClient instance. + integration_name: Name of the integration the job belongs to. + job_id: ID of the job to rollback. + revision_id: ID of the revision to rollback to. + api_version: API version to use for the request. Default is V1BETA. + + Returns: + Dict containing the IntegrationJobRevision rolled back to. + + Raises: + APIError: If the API request fails. + """ + return chronicle_request( + client, + method="POST", + endpoint_path=( + f"integrations/{format_resource_id(integration_name)}/" + f"jobs/{job_id}/revisions/{revision_id}:rollback" + ), + api_version=api_version, + ) diff --git a/src/secops/chronicle/integration/jobs.py b/src/secops/chronicle/integration/jobs.py new file mode 100644 index 00000000..b7600a76 --- /dev/null +++ b/src/secops/chronicle/integration/jobs.py @@ -0,0 +1,371 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +"""Integration jobs functionality for Chronicle.""" + +from typing import Any, TYPE_CHECKING + +from secops.chronicle.models import APIVersion, JobParameter +from secops.chronicle.utils.format_utils import ( + format_resource_id, + build_patch_body, +) +from secops.chronicle.utils.request_utils import ( + chronicle_paginated_request, + chronicle_request, +) + +if TYPE_CHECKING: + from secops.chronicle.client import ChronicleClient + + +def list_integration_jobs( + client: "ChronicleClient", + integration_name: str, + page_size: int | None = None, + page_token: str | None = None, + filter_string: str | None = None, + order_by: str | None = None, + exclude_staging: bool | None = None, + api_version: APIVersion | None = APIVersion.V1BETA, + as_list: bool = False, +) -> dict[str, Any] | list[dict[str, Any]]: + """List all jobs defined for a specific integration. + + Use this method to browse the available background and scheduled automation + capabilities provided by a third-party connection. + + Args: + client: ChronicleClient instance. + integration_name: Name of the integration to list jobs for. + page_size: Maximum number of jobs to return. + page_token: Page token from a previous call to retrieve the next page. + filter_string: Filter expression to filter jobs. Allowed filters are: + id, custom, system, author, version, integration. + order_by: Field to sort the jobs by. + exclude_staging: Whether to exclude staging jobs from the response. + By default, staging jobs are included. + api_version: API version to use for the request. Default is V1BETA. + as_list: If True, return a list of jobs instead of a dict with jobs + list and nextPageToken. + + Returns: + If as_list is True: List of jobs. + If as_list is False: Dict with jobs list and nextPageToken. + + Raises: + APIError: If the API request fails. + """ + extra_params = { + "filter": filter_string, + "orderBy": order_by, + "excludeStaging": exclude_staging, + } + + # Remove keys with None values + extra_params = {k: v for k, v in extra_params.items() if v is not None} + + return chronicle_paginated_request( + client, + api_version=api_version, + path=f"integrations/{format_resource_id(integration_name)}/jobs", + items_key="jobs", + page_size=page_size, + page_token=page_token, + extra_params=extra_params, + as_list=as_list, + ) + + +def get_integration_job( + client: "ChronicleClient", + integration_name: str, + job_id: str, + api_version: APIVersion | None = APIVersion.V1BETA, +) -> dict[str, Any]: + """Get a single job for a given integration. + + Use this method to retrieve the Python script, execution parameters, and + versioning information for a background automation task. + + Args: + client: ChronicleClient instance. + integration_name: Name of the integration the job belongs to. + job_id: ID of the job to retrieve. + api_version: API version to use for the request. Default is V1BETA. + + Returns: + Dict containing details of the specified IntegrationJob. + + Raises: + APIError: If the API request fails. + """ + return chronicle_request( + client, + method="GET", + endpoint_path=( + f"integrations/{format_resource_id(integration_name)}/" + f"jobs/{job_id}" + ), + api_version=api_version, + ) + + +def delete_integration_job( + client: "ChronicleClient", + integration_name: str, + job_id: str, + api_version: APIVersion | None = APIVersion.V1BETA, +) -> None: + """Delete a specific custom job from a given integration. + + Only custom jobs can be deleted; commercial and system jobs are immutable. + + Args: + client: ChronicleClient instance. + integration_name: Name of the integration the job belongs to. + job_id: ID of the job to delete. + api_version: API version to use for the request. Default is V1BETA. + + Returns: + None + + Raises: + APIError: If the API request fails. + """ + chronicle_request( + client, + method="DELETE", + endpoint_path=( + f"integrations/{format_resource_id(integration_name)}/" + f"jobs/{job_id}" + ), + api_version=api_version, + ) + + +def create_integration_job( + client: "ChronicleClient", + integration_name: str, + display_name: str, + script: str, + version: int, + enabled: bool, + custom: bool, + description: str | None = None, + parameters: list[dict[str, Any] | JobParameter] | None = None, + api_version: APIVersion | None = APIVersion.V1BETA, +) -> dict[str, Any]: + """Create a new custom job for a given integration. + + Each job must have a unique display name and a functional Python script + for its background execution. + + Args: + client: ChronicleClient instance. + integration_name: Name of the integration to create the job for. + display_name: Job's display name. Maximum 400 characters. Required. + script: Job's Python script. Required. + version: Job's version. Required. + enabled: Whether the job is enabled. Required. + custom: Whether the job is custom or commercial. Required. + description: Job's description. Optional. + parameters: List of JobParameter instances or dicts. Optional. + api_version: API version to use for the request. Default is V1BETA. + + Returns: + Dict containing the newly created IntegrationJob resource. + + Raises: + APIError: If the API request fails. + """ + resolved_parameters = ( + [p.to_dict() if isinstance(p, JobParameter) else p for p in parameters] + if parameters is not None + else None + ) + + body = { + "displayName": display_name, + "script": script, + "version": version, + "enabled": enabled, + "custom": custom, + "description": description, + "parameters": resolved_parameters, + } + + # Remove keys with None values + body = {k: v for k, v in body.items() if v is not None} + + return chronicle_request( + client, + method="POST", + endpoint_path=( + f"integrations/{format_resource_id(integration_name)}/jobs" + ), + api_version=api_version, + json=body, + ) + + +def update_integration_job( + client: "ChronicleClient", + integration_name: str, + job_id: str, + display_name: str | None = None, + script: str | None = None, + version: int | None = None, + enabled: bool | None = None, + custom: bool | None = None, + description: str | None = None, + parameters: list[dict[str, Any] | JobParameter] | None = None, + update_mask: str | None = None, + api_version: APIVersion | None = APIVersion.V1BETA, +) -> dict[str, Any]: + """Update an existing custom job for a given integration. + + Use this method to modify the Python script or adjust the parameter + definitions for a job. + + Args: + client: ChronicleClient instance. + integration_name: Name of the integration the job belongs to. + job_id: ID of the job to update. + display_name: Job's display name. Maximum 400 characters. + script: Job's Python script. + version: Job's version. + enabled: Whether the job is enabled. + custom: Whether the job is custom or commercial. + description: Job's description. + parameters: List of JobParameter instances or dicts. + update_mask: Comma-separated list of fields to update. If omitted, + the mask is auto-generated from whichever fields are provided. + Example: "displayName,script". + api_version: API version to use for the request. Default is V1BETA. + + Returns: + Dict containing the updated IntegrationJob resource. + + Raises: + APIError: If the API request fails. + """ + resolved_parameters = ( + [p.to_dict() if isinstance(p, JobParameter) else p for p in parameters] + if parameters is not None + else None + ) + + body, params = build_patch_body( + field_map=[ + ("displayName", "displayName", display_name), + ("script", "script", script), + ("version", "version", version), + ("enabled", "enabled", enabled), + ("custom", "custom", custom), + ("description", "description", description), + ("parameters", "parameters", resolved_parameters), + ], + update_mask=update_mask, + ) + + return chronicle_request( + client, + method="PATCH", + endpoint_path=( + f"integrations/{format_resource_id(integration_name)}/" + f"jobs/{job_id}" + ), + api_version=api_version, + json=body, + params=params, + ) + + +def execute_integration_job_test( + client: "ChronicleClient", + integration_name: str, + job: dict[str, Any], + agent_identifier: str | None = None, + api_version: APIVersion | None = APIVersion.V1BETA, +) -> dict[str, Any]: + """Execute a test run of an integration job's Python script. + + Use this method to verify background automation logic and connectivity + before deploying the job to an instance for recurring execution. + + Args: + client: ChronicleClient instance. + integration_name: Name of the integration the job belongs to. + job: Dict containing the IntegrationJob to test. + agent_identifier: Agent identifier for remote testing. Optional. + api_version: API version to use for the request. Default is V1BETA. + + Returns: + Dict containing the test execution results with the following fields: + - output: The script output. + - debugOutput: The script debug output. + - resultObjectJson: The result JSON if it exists (optional). + - resultName: The script result name (optional). + - resultValue: The script result value (optional). + + Raises: + APIError: If the API request fails. + """ + body = {"job": job} + + if agent_identifier is not None: + body["agentIdentifier"] = agent_identifier + + return chronicle_request( + client, + method="POST", + endpoint_path=( + f"integrations/{format_resource_id(integration_name)}/" + f"jobs:executeTest" + ), + api_version=api_version, + json=body, + ) + + +def get_integration_job_template( + client: "ChronicleClient", + integration_name: str, + api_version: APIVersion | None = APIVersion.V1BETA, +) -> dict[str, Any]: + """Retrieve a default Python script template for a new integration job. + + Use this method to rapidly initialize the development of a new job. + + Args: + client: ChronicleClient instance. + integration_name: Name of the integration to fetch the template for. + api_version: API version to use for the request. Default is V1BETA. + + Returns: + Dict containing the IntegrationJob template. + + Raises: + APIError: If the API request fails. + """ + return chronicle_request( + client, + method="GET", + endpoint_path=( + f"integrations/{format_resource_id(integration_name)}/" + f"jobs:fetchTemplate" + ), + api_version=api_version, + ) diff --git a/src/secops/chronicle/models.py b/src/secops/chronicle/models.py index 0074bc53..06d81da9 100644 --- a/src/secops/chronicle/models.py +++ b/src/secops/chronicle/models.py @@ -13,6 +13,7 @@ # limitations under the License. # """Data models for Chronicle API responses.""" + import json import sys from dataclasses import asdict, dataclass, field @@ -73,6 +74,686 @@ class DetectionType(StrEnum): CASE = "DETECTION_TYPE_CASE" +class PythonVersion(str, Enum): + """Python version for compatibility checks.""" + + UNSPECIFIED = "PYTHON_VERSION_UNSPECIFIED" + PYTHON_2_7 = "V2_7" + PYTHON_3_7 = "V3_7" + PYTHON_3_11 = "V3_11" + + +class DiffType(str, Enum): + """Type of diff to retrieve.""" + + COMMERCIAL = "Commercial" + PRODUCTION = "Production" + STAGING = "Staging" + + +class TargetMode(str, Enum): + """Target mode for integration transition.""" + + PRODUCTION = "Production" + STAGING = "Staging" + + +class IntegrationType(str, Enum): + """Type of integration.""" + + UNSPECIFIED = "INTEGRATION_TYPE_UNSPECIFIED" + RESPONSE = "RESPONSE" + EXTENSION = "EXTENSION" + + +class IntegrationParamType(str, Enum): + """Type of integration parameter.""" + + PARAM_TYPE_UNSPECIFIED = "PARAM_TYPE_UNSPECIFIED" + BOOLEAN = "BOOLEAN" + INT = "INT" + STRING = "STRING" + PASSWORD = "PASSWORD" + IP = "IP" + IP_OR_HOST = "IP_OR_HOST" + URL = "URL" + DOMAIN = "DOMAIN" + EMAIL = "EMAIL" + VALUES_LIST = "VALUES_LIST" + VALUES_AS_SEMICOLON_SEPARATED_STRING = ( + "VALUES_AS_SEMICOLON_SEPARATED_STRING" + ) + MULTI_VALUES_SELECTION = "MULTI_VALUES_SELECTION" + SCRIPT = "SCRIPT" + FILTER_LIST = "FILTER_LIST" + + +@dataclass +class IntegrationParam: + """A parameter definition for a Chronicle SOAR integration. + + Attributes: + display_name: Human-readable label shown in the UI. + property_name: The programmatic key used in code/config. + type: The data type of the parameter (see IntegrationParamType). + description: Optional. Explanation of what the parameter is for. + mandatory: Whether the parameter must be supplied. Defaults to False. + default_value: Optional. Pre-filled value shown in the UI. + """ + + display_name: str + property_name: str + type: IntegrationParamType + mandatory: bool + description: str | None = None + default_value: str | None = None + + def to_dict(self) -> dict: + """Serialize to the dict shape expected by the Chronicle API.""" + data: dict = { + "displayName": self.display_name, + "propertyName": self.property_name, + "type": str(self.type.value), + "mandatory": self.mandatory, + } + if self.description is not None: + data["description"] = self.description + if self.default_value is not None: + data["defaultValue"] = self.default_value + return data + + +class ActionParamType(str, Enum): + """Action parameter types for Chronicle SOAR integration actions.""" + + STRING = "STRING" + BOOLEAN = "BOOLEAN" + WFS_REPOSITORY = "WFS_REPOSITORY" + USER_REPOSITORY = "USER_REPOSITORY" + STAGES_REPOSITORY = "STAGES_REPOSITORY" + CLOSE_CASE_REASON_REPOSITORY = "CLOSE_CASE_REASON_REPOSITORY" + CLOSE_CASE_ROOT_CAUSE_REPOSITORY = "CLOSE_CASE_ROOT_CAUSE_REPOSITORY" + PRIORITIES_REPOSITORY = "PRIORITIES_REPOSITORY" + EMAIL_CONTENT = "EMAIL_CONTENT" + CONTENT = "CONTENT" + PASSWORD = "PASSWORD" + ENTITY_TYPE = "ENTITY_TYPE" + MULTI_VALUES = "MULTI_VALUES" + LIST = "LIST" + CODE = "CODE" + MULTIPLE_CHOICE_PARAMETER = "MULTIPLE_CHOICE_PARAMETER" + + +class ActionType(str, Enum): + """Action types for Chronicle SOAR integration actions.""" + + UNSPECIFIED = "ACTION_TYPE_UNSPECIFIED" + STANDARD = "STANDARD" + AI_AGENT = "AI_AGENT" + + +@dataclass +class ActionParameter: + """A parameter definition for a Chronicle SOAR integration action. + + Attributes: + display_name: The parameter's display name. Maximum 150 characters. + type: The parameter's type. + description: The parameter's description. Maximum 150 characters. + mandatory: Whether the parameter is mandatory. + default_value: The default value of the parameter. + Maximum 150 characters. + optional_values: Parameter's optional values. Maximum 50 items. + """ + + display_name: str + type: ActionParamType + description: str + mandatory: bool + default_value: str | None = None + optional_values: list[str] | None = None + + def to_dict(self) -> dict: + """Serialize to the dict shape expected by the Chronicle API.""" + data: dict = { + "displayName": self.display_name, + "type": str(self.type.value), + "description": self.description, + "mandatory": self.mandatory, + } + if self.default_value is not None: + data["defaultValue"] = self.default_value + if self.optional_values is not None: + data["optionalValues"] = self.optional_values + return data + + +class ParamType(str, Enum): + """Parameter types for Chronicle SOAR integration functions.""" + + UNSPECIFIED = "PARAM_TYPE_UNSPECIFIED" + BOOLEAN = "BOOLEAN" + INT = "INT" + STRING = "STRING" + PASSWORD = "PASSWORD" + IP = "IP" + IP_OR_HOST = "IP_OR_HOST" + URL = "URL" + DOMAIN = "DOMAIN" + EMAIL = "EMAIL" + VALUES_LIST = "VALUES_LIST" + VALUES_AS_SEMICOLON_SEPARATED_STRING = ( + "VALUES_AS_SEMICOLON_SEPARATED_STRING" + ) + MULTI_VALUES_SELECTION = "MULTI_VALUES_SELECTION" + SCRIPT = "SCRIPT" + FILTER_LIST = "FILTER_LIST" + NUMERICAL_VALUES = "NUMERICAL_VALUES" + + +class ConnectorParamMode(str, Enum): + """Parameter modes for Chronicle SOAR integration connectors.""" + + UNSPECIFIED = "PARAM_MODE_UNSPECIFIED" + REGULAR = "REGULAR" + CONNECTIVITY = "CONNECTIVITY" + SCRIPT = "SCRIPT" + + +class ConnectorRuleType(str, Enum): + """Rule types for Chronicle SOAR integration connectors.""" + + UNSPECIFIED = "RULE_TYPE_UNSPECIFIED" + ALLOW_LIST = "ALLOW_LIST" + BLOCK_LIST = "BLOCK_LIST" + + +@dataclass +class ConnectorParameter: + """A parameter definition for a Chronicle SOAR integration connector. + + Attributes: + display_name: The parameter's display name. + type: The parameter's type. + mode: The parameter's mode. + mandatory: Whether the parameter is mandatory for configuring a + connector instance. + default_value: The default value of the parameter. Required for + boolean and mandatory parameters. + description: The parameter's description. + advanced: The parameter's advanced flag. + """ + + display_name: str + type: ParamType + mode: ConnectorParamMode + mandatory: bool + default_value: str | None = None + description: str | None = None + advanced: bool | None = None + + def to_dict(self) -> dict: + """Serialize to the dict shape expected by the Chronicle API.""" + data: dict = { + "displayName": self.display_name, + "type": str(self.type.value), + "mode": str(self.mode.value), + "mandatory": self.mandatory, + } + if self.default_value is not None: + data["defaultValue"] = self.default_value + if self.description is not None: + data["description"] = self.description + if self.advanced is not None: + data["advanced"] = self.advanced + return data + + +@dataclass +class IntegrationJobInstanceParameter: + """A parameter instance for a Chronicle SOAR integration job instance. + + Note: Most fields are output-only and will be populated by the API. + Only value needs to be provided when configuring a job instance. + + Attributes: + value: The value of the parameter. + """ + + value: str | None = None + + def to_dict(self) -> dict: + """Serialize to the dict shape expected by the Chronicle API.""" + data: dict = {} + if self.value is not None: + data["value"] = self.value + return data + + +class ScheduleType(str, Enum): + """Schedule types for Chronicle SOAR integration job + instance advanced config.""" + + UNSPECIFIED = "SCHEDULE_TYPE_UNSPECIFIED" + ONCE = "ONCE" + DAILY = "DAILY" + WEEKLY = "WEEKLY" + MONTHLY = "MONTHLY" + + +class DayOfWeek(str, Enum): + """Days of the week for Chronicle SOAR weekly schedule details.""" + + UNSPECIFIED = "DAY_OF_WEEK_UNSPECIFIED" + MONDAY = "MONDAY" + TUESDAY = "TUESDAY" + WEDNESDAY = "WEDNESDAY" + THURSDAY = "THURSDAY" + FRIDAY = "FRIDAY" + SATURDAY = "SATURDAY" + SUNDAY = "SUNDAY" + + +@dataclass +class Date: + """A calendar date for Chronicle SOAR schedule details. + + Attributes: + year: The year. + month: The month of the year (1-12). + day: The day of the month (1-31). + """ + + year: int + month: int + day: int + + def to_dict(self) -> dict: + """Serialize to the dict shape expected by the Chronicle API.""" + return {"year": self.year, "month": self.month, "day": self.day} + + +@dataclass +class TimeOfDay: + """A time of day for Chronicle SOAR schedule details. + + Attributes: + hours: The hour of the day (0-23). + minutes: The minute of the hour (0-59). + seconds: The second of the minute (0-59). + nanos: The nanoseconds of the second (0-999999999). + """ + + hours: int + minutes: int + seconds: int = 0 + nanos: int = 0 + + def to_dict(self) -> dict: + """Serialize to the dict shape expected by the Chronicle API.""" + return { + "hours": self.hours, + "minutes": self.minutes, + "seconds": self.seconds, + "nanos": self.nanos, + } + + +@dataclass +class OneTimeScheduleDetails: + """One-time schedule details for a Chronicle SOAR job instance. + + Attributes: + start_date: The date to run the job. + time: The time to run the job. + """ + + start_date: Date + time: TimeOfDay + + def to_dict(self) -> dict: + """Serialize to the dict shape expected by the Chronicle API.""" + return { + "startDate": self.start_date.to_dict(), + "time": self.time.to_dict(), + } + + +@dataclass +class DailyScheduleDetails: + """Daily schedule details for a Chronicle SOAR job instance. + + Attributes: + start_date: The start date. + time: The time to run the job. + interval: The day interval. + """ + + start_date: Date + time: TimeOfDay + interval: int + + def to_dict(self) -> dict: + """Serialize to the dict shape expected by the Chronicle API.""" + return { + "startDate": self.start_date.to_dict(), + "time": self.time.to_dict(), + "interval": self.interval, + } + + +@dataclass +class WeeklyScheduleDetails: + """Weekly schedule details for a Chronicle SOAR job instance. + + Attributes: + start_date: The start date. + days: The days of the week to run the job. + time: The time to run the job. + interval: The week interval. + """ + + start_date: Date + days: list[DayOfWeek] + time: TimeOfDay + interval: int + + def to_dict(self) -> dict: + """Serialize to the dict shape expected by the Chronicle API.""" + return { + "startDate": self.start_date.to_dict(), + "days": [d.value for d in self.days], + "time": self.time.to_dict(), + "interval": self.interval, + } + + +@dataclass +class MonthlyScheduleDetails: + """Monthly schedule details for a Chronicle SOAR job instance. + + Attributes: + start_date: The start date. + day: The day of the month to run the job. + time: The time to run the job. + interval: The month interval. + """ + + start_date: Date + day: int + time: TimeOfDay + interval: int + + def to_dict(self) -> dict: + """Serialize to the dict shape expected by the Chronicle API.""" + return { + "startDate": self.start_date.to_dict(), + "day": self.day, + "time": self.time.to_dict(), + "interval": self.interval, + } + + +@dataclass +class AdvancedConfig: + """Advanced scheduling configuration for a Chronicle SOAR job instance. + + Exactly one of the schedule detail fields should be provided, corresponding + to the schedule_type. + + Attributes: + time_zone: The zone id. + schedule_type: The schedule type. + one_time_schedule: One-time schedule details. Use with ONCE. + daily_schedule: Daily schedule details. Use with DAILY. + weekly_schedule: Weekly schedule details. Use with WEEKLY. + monthly_schedule: Monthly schedule details. Use with MONTHLY. + """ + + time_zone: str + schedule_type: ScheduleType + one_time_schedule: OneTimeScheduleDetails | None = None + daily_schedule: DailyScheduleDetails | None = None + weekly_schedule: WeeklyScheduleDetails | None = None + monthly_schedule: MonthlyScheduleDetails | None = None + + def to_dict(self) -> dict: + """Serialize to the dict shape expected by the Chronicle API.""" + data: dict = { + "timeZone": self.time_zone, + "scheduleType": str(self.schedule_type.value), + } + if self.one_time_schedule is not None: + data["oneTimeSchedule"] = self.one_time_schedule.to_dict() + if self.daily_schedule is not None: + data["dailySchedule"] = self.daily_schedule.to_dict() + if self.weekly_schedule is not None: + data["weeklySchedule"] = self.weekly_schedule.to_dict() + if self.monthly_schedule is not None: + data["monthlySchedule"] = self.monthly_schedule.to_dict() + return data + + +@dataclass +class JobParameter: + """A parameter definition for a Chronicle SOAR integration job. + + Attributes: + id: The parameter's id. + display_name: The parameter's display name. + description: The parameter's description. + mandatory: Whether the parameter is mandatory. + type: The parameter's type. + default_value: The default value of the parameter. + """ + + id: int + display_name: str + description: str + mandatory: bool + type: ParamType + default_value: str | None = None + + def to_dict(self) -> dict: + """Serialize to the dict shape expected by the Chronicle API.""" + data: dict = { + "id": self.id, + "displayName": self.display_name, + "description": self.description, + "mandatory": self.mandatory, + "type": str(self.type.value), + } + if self.default_value is not None: + data["defaultValue"] = self.default_value + return data + + +class IntegrationParameterType(str, Enum): + """Parameter types for Chronicle SOAR integration instances.""" + + UNSPECIFIED = "INTEGRATION_PARAMETER_TYPE_UNSPECIFIED" + BOOLEAN = "BOOLEAN" + INT = "INT" + STRING = "STRING" + PASSWORD = "PASSWORD" + IP = "IP" + IP_OR_HOST = "IP_OR_HOST" + URL = "URL" + DOMAIN = "DOMAIN" + EMAIL = "EMAIL" + VALUES_LIST = "VALUES_LIST" + VALUES_AS_SEMICOLON_SEPARATED_STRING = ( + "VALUES_AS_SEMICOLON_SEPARATED_STRING" + ) + MULTI_VALUES_SELECTION = "MULTI_VALUES_SELECTION" + SCRIPT = "SCRIPT" + FILTER_LIST = "FILTER_LIST" + + +@dataclass +class IntegrationInstanceParameter: + """A parameter instance for a Chronicle SOAR integration instance. + + Note: Most fields are output-only and will be populated by the API. + Only value needs to be provided when configuring an integration instance. + + Attributes: + value: The parameter's value. + """ + + value: str | None = None + + def to_dict(self) -> dict: + """Serialize to the dict shape expected by the Chronicle API.""" + data: dict = {} + if self.value is not None: + data["value"] = self.value + return data + + +class ConnectorConnectivityStatus(str, Enum): + """Connectivity status for Chronicle SOAR connector instances.""" + + LIVE = "LIVE" + NOT_LIVE = "NOT_LIVE" + + +@dataclass +class ConnectorInstanceParameter: + """A parameter instance for a Chronicle SOAR connector instance. + + Note: Most fields are output-only and will be populated by the API. + Only value needs to be provided when configuring a connector instance. + + Attributes: + value: The value of the parameter. + """ + + value: str | None = None + + def to_dict(self) -> dict: + """Serialize to the dict shape expected by the Chronicle API.""" + data: dict = {} + if self.value is not None: + data["value"] = self.value + return data + + +class TransformerType(str, Enum): + """Transformer types for Chronicle SOAR integration transformers.""" + + UNSPECIFIED = "TRANSFORMER_TYPE_UNSPECIFIED" + BUILT_IN = "BUILT_IN" + CUSTOM = "CUSTOM" + + +@dataclass +class TransformerDefinitionParameter: + """A parameter definition for a Chronicle SOAR transformer definition. + + Attributes: + display_name: The parameter's display name. May contain letters, + numbers, and underscores. Maximum 150 characters. + mandatory: Whether the parameter is mandatory for configuring a + transformer instance. + id: The parameter's id. Server-generated on creation; must be + provided when updating an existing parameter. + default_value: The default value of the parameter. Required for + boolean and mandatory parameters. + description: The parameter's description. Maximum 2050 characters. + """ + + display_name: str + mandatory: bool + id: str | None = None + default_value: str | None = None + description: str | None = None + + def to_dict(self) -> dict: + """Serialize to the dict shape expected by the Chronicle API.""" + data: dict = { + "displayName": self.display_name, + "mandatory": self.mandatory, + } + if self.id is not None: + data["id"] = self.id + if self.default_value is not None: + data["defaultValue"] = self.default_value + if self.description is not None: + data["description"] = self.description + return data + + +class LogicalOperatorType(str, Enum): + """Logical operator types for Chronicle SOAR + integration logical operators.""" + + UNSPECIFIED = "LOGICAL_OPERATOR_TYPE_UNSPECIFIED" + BUILT_IN = "BUILT_IN" + CUSTOM = "CUSTOM" + + +@dataclass +class IntegrationLogicalOperatorParameter: + """A parameter definition for a Chronicle SOAR logical operator. + + Attributes: + display_name: The parameter's display name. May contain letters, + numbers, and underscores. Maximum 150 characters. + mandatory: Whether the parameter is mandatory for configuring a + logical operator instance. + id: The parameter's id. Server-generated on creation; must be + provided when updating an existing parameter. + default_value: The default value of the parameter. Required for + boolean and mandatory parameters. + order: The parameter's order in the parameters list. + description: The parameter's description. Maximum 2050 characters. + """ + + display_name: str + mandatory: bool + id: str | None = None + default_value: str | None = None + order: int | None = None + description: str | None = None + + def to_dict(self) -> dict: + """Serialize to the dict shape expected by the Chronicle API.""" + data: dict = { + "displayName": self.display_name, + "mandatory": self.mandatory, + } + if self.id is not None: + data["id"] = self.id + if self.default_value is not None: + data["defaultValue"] = self.default_value + if self.order is not None: + data["order"] = self.order + if self.description is not None: + data["description"] = self.description + return data + + +@dataclass +class ConnectorRule: + """A rule definition for a Chronicle SOAR integration connector. + + Attributes: + display_name: Connector's rule data name. + type: Connector's rule data type. + """ + + display_name: str + type: ConnectorRuleType + + def to_dict(self) -> dict: + """Serialize to the dict shape expected by the Chronicle API.""" + return { + "displayName": self.display_name, + "type": str(self.type.value), + } + + @dataclass class TimeInterval: """Time interval with start and end times.""" diff --git a/src/secops/chronicle/stats.py b/src/secops/chronicle/stats.py index 99b46309..42e31aba 100644 --- a/src/secops/chronicle/stats.py +++ b/src/secops/chronicle/stats.py @@ -13,6 +13,7 @@ # limitations under the License. # """Statistics functionality for Chronicle searches.""" + from datetime import datetime from typing import Any, TYPE_CHECKING diff --git a/src/secops/chronicle/utils/format_utils.py b/src/secops/chronicle/utils/format_utils.py index b6567528..126ae503 100644 --- a/src/secops/chronicle/utils/format_utils.py +++ b/src/secops/chronicle/utils/format_utils.py @@ -65,3 +65,34 @@ def parse_json_list( except ValueError as e: raise APIError(f"Invalid {field_name} JSON") from e return value + + +# pylint: disable=line-too-long +def build_patch_body( + field_map: list[tuple[str, str, Any]], + update_mask: str | None = None, +) -> tuple[dict[str, Any], dict[str, Any] | None]: + """Build a request body and params dict for a PATCH request. + + Args: + field_map: List of (api_key, mask_key, value) tuples for + each optional field. + update_mask: Explicit update mask. If provided, + overrides the auto-generated mask. + + Returns: + Tuple of (body, params) where params contains the updateMask or is None. + """ + body = { + api_key: value for api_key, _, value in field_map if value is not None + } + mask_fields = [ + mask_key for _, mask_key, value in field_map if value is not None + ] + + resolved_mask = update_mask or ( + ",".join(mask_fields) if mask_fields else None + ) + params = {"updateMask": resolved_mask} if resolved_mask else None + + return body, params diff --git a/src/secops/chronicle/utils/request_utils.py b/src/secops/chronicle/utils/request_utils.py index 43f2d885..c3b2cd8a 100644 --- a/src/secops/chronicle/utils/request_utils.py +++ b/src/secops/chronicle/utils/request_utils.py @@ -14,7 +14,7 @@ # """Helper functions for Chronicle.""" -from typing import TYPE_CHECKING, Any +from typing import TYPE_CHECKING, Any, Optional import requests from google.auth.exceptions import GoogleAuthError @@ -297,3 +297,66 @@ def chronicle_request( ) return data + + +def chronicle_request_bytes( + client: "ChronicleClient", + method: str, + endpoint_path: str, + *, + api_version: str = APIVersion.V1, + params: Optional[dict[str, Any]] = None, + headers: Optional[dict[str, Any]] = None, + expected_status: int | set[int] | tuple[int, ...] | list[int] = 200, + error_message: str | None = None, + timeout: int | None = None, +) -> bytes: + base = f"{client.base_url(api_version)}/{client.instance_id}" + + if endpoint_path.startswith(":"): + url = f"{base}{endpoint_path}" + else: + url = f'{base}/{endpoint_path.lstrip("/")}' + + try: + response = client.session.request( + method=method, + url=url, + params=params, + headers=headers, + timeout=timeout, + stream=True, + ) + except GoogleAuthError as exc: + base_msg = error_message or "Google authentication failed" + raise APIError(f"{base_msg}: authentication_error={exc}") from exc + except requests.RequestException as exc: + base_msg = error_message or "API request failed" + raise APIError( + f"{base_msg}: method={method}, url={url}, " + f"request_error={exc.__class__.__name__}, detail={exc}" + ) from exc + + if isinstance(expected_status, (set, tuple, list)): + status_ok = response.status_code in expected_status + else: + status_ok = response.status_code == expected_status + + if not status_ok: + # try json for detail, else preview text + try: + data = response.json() + raise APIError( + f"{error_message or 'API request failed'}: method={method}, url={url}, " + f"status={response.status_code}, response={data}" + ) from None + except ValueError: + preview = _safe_body_preview( + getattr(response, "text", ""), limit=MAX_BODY_CHARS + ) + raise APIError( + f"{error_message or 'API request failed'}: method={method}, url={url}, " + f"status={response.status_code}, response_text={preview}" + ) from None + + return response.content diff --git a/src/secops/cli/cli_client.py b/src/secops/cli/cli_client.py index 4c483656..65b787f2 100644 --- a/src/secops/cli/cli_client.py +++ b/src/secops/cli/cli_client.py @@ -39,6 +39,9 @@ from secops.cli.commands.udm_search import setup_udm_search_view_command from secops.cli.commands.watchlist import setup_watchlist_command from secops.cli.commands.rule_retrohunt import setup_rule_retrohunt_command +from secops.cli.commands.integration.integration_client import ( + setup_integrations_command, +) from secops.cli.utils.common_args import add_chronicle_args, add_common_args from secops.cli.utils.config_utils import load_config from secops.exceptions import AuthenticationError, SecOpsError @@ -189,6 +192,7 @@ def build_parser() -> argparse.ArgumentParser: setup_dashboard_query_command(subparsers) setup_watchlist_command(subparsers) setup_rule_retrohunt_command(subparsers) + setup_integrations_command(subparsers) return parser diff --git a/src/secops/cli/commands/__init__.py b/src/secops/cli/commands/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/src/secops/cli/commands/integration/__init__.py b/src/secops/cli/commands/integration/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/src/secops/cli/commands/integration/integration_client.py b/src/secops/cli/commands/integration/integration_client.py new file mode 100644 index 00000000..c95933ad --- /dev/null +++ b/src/secops/cli/commands/integration/integration_client.py @@ -0,0 +1,40 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +"""Top level arguments for integration commands""" + +from secops.cli.commands.integration import ( + jobs, + job_revisions, + job_context_properties, + job_instance_logs, + job_instances, +) + + +def setup_integrations_command(subparsers): + """Setup integration command""" + integrations_parser = subparsers.add_parser( + "integration", help="Manage SecOps integrations" + ) + lvl1 = integrations_parser.add_subparsers( + dest="integrations_command", help="Integrations command" + ) + + # Setup all subcommands under `integration` + jobs.setup_jobs_command(lvl1) + job_revisions.setup_job_revisions_command(lvl1) + job_context_properties.setup_job_context_properties_command(lvl1) + job_instance_logs.setup_job_instance_logs_command(lvl1) + job_instances.setup_job_instances_command(lvl1) diff --git a/src/secops/cli/commands/integration/job_context_properties.py b/src/secops/cli/commands/integration/job_context_properties.py new file mode 100644 index 00000000..5da5cdb3 --- /dev/null +++ b/src/secops/cli/commands/integration/job_context_properties.py @@ -0,0 +1,354 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +"""Google SecOps CLI job context properties commands""" + +import sys + +from secops.cli.utils.formatters import output_formatter +from secops.cli.utils.common_args import ( + add_pagination_args, + add_as_list_arg, +) + + +def setup_job_context_properties_command(subparsers): + """Setup job context properties command""" + properties_parser = subparsers.add_parser( + "job-context-properties", + help="Manage job context properties", + ) + lvl1 = properties_parser.add_subparsers( + dest="job_context_properties_command", + help="Job context properties command", + ) + + # list command + list_parser = lvl1.add_parser("list", help="List job context properties") + list_parser.add_argument( + "--integration-name", + type=str, + help="Name of the integration", + dest="integration_name", + required=True, + ) + list_parser.add_argument( + "--job-id", + type=str, + help="ID of the job", + dest="job_id", + required=True, + ) + list_parser.add_argument( + "--context-id", + type=str, + help="Context ID to filter properties", + dest="context_id", + ) + add_pagination_args(list_parser) + add_as_list_arg(list_parser) + list_parser.add_argument( + "--filter-string", + type=str, + help="Filter string for listing properties", + dest="filter_string", + ) + list_parser.add_argument( + "--order-by", + type=str, + help="Order by string for listing properties", + dest="order_by", + ) + list_parser.set_defaults(func=handle_job_context_properties_list_command) + + # get command + get_parser = lvl1.add_parser( + "get", help="Get a specific job context property" + ) + get_parser.add_argument( + "--integration-name", + type=str, + help="Name of the integration", + dest="integration_name", + required=True, + ) + get_parser.add_argument( + "--job-id", + type=str, + help="ID of the job", + dest="job_id", + required=True, + ) + get_parser.add_argument( + "--context-id", + type=str, + help="Context ID of the property", + dest="context_id", + required=True, + ) + get_parser.add_argument( + "--property-id", + type=str, + help="ID of the property to get", + dest="property_id", + required=True, + ) + get_parser.set_defaults(func=handle_job_context_properties_get_command) + + # delete command + delete_parser = lvl1.add_parser( + "delete", help="Delete a job context property" + ) + delete_parser.add_argument( + "--integration-name", + type=str, + help="Name of the integration", + dest="integration_name", + required=True, + ) + delete_parser.add_argument( + "--job-id", + type=str, + help="ID of the job", + dest="job_id", + required=True, + ) + delete_parser.add_argument( + "--context-id", + type=str, + help="Context ID of the property", + dest="context_id", + required=True, + ) + delete_parser.add_argument( + "--property-id", + type=str, + help="ID of the property to delete", + dest="property_id", + required=True, + ) + delete_parser.set_defaults( + func=handle_job_context_properties_delete_command + ) + + # create command + create_parser = lvl1.add_parser( + "create", help="Create a new job context property" + ) + create_parser.add_argument( + "--integration-name", + type=str, + help="Name of the integration", + dest="integration_name", + required=True, + ) + create_parser.add_argument( + "--job-id", + type=str, + help="ID of the job", + dest="job_id", + required=True, + ) + create_parser.add_argument( + "--context-id", + type=str, + help="Context ID for the property", + dest="context_id", + required=True, + ) + create_parser.add_argument( + "--key", + type=str, + help="Key for the property", + dest="key", + required=True, + ) + create_parser.add_argument( + "--value", + type=str, + help="Value for the property", + dest="value", + required=True, + ) + create_parser.set_defaults( + func=handle_job_context_properties_create_command + ) + + # update command + update_parser = lvl1.add_parser( + "update", help="Update a job context property" + ) + update_parser.add_argument( + "--integration-name", + type=str, + help="Name of the integration", + dest="integration_name", + required=True, + ) + update_parser.add_argument( + "--job-id", + type=str, + help="ID of the job", + dest="job_id", + required=True, + ) + update_parser.add_argument( + "--context-id", + type=str, + help="Context ID of the property", + dest="context_id", + required=True, + ) + update_parser.add_argument( + "--property-id", + type=str, + help="ID of the property to update", + dest="property_id", + required=True, + ) + update_parser.add_argument( + "--value", + type=str, + help="New value for the property", + dest="value", + required=True, + ) + update_parser.set_defaults( + func=handle_job_context_properties_update_command + ) + + # clear-all command + clear_parser = lvl1.add_parser( + "clear-all", help="Delete all job context properties" + ) + clear_parser.add_argument( + "--integration-name", + type=str, + help="Name of the integration", + dest="integration_name", + required=True, + ) + clear_parser.add_argument( + "--job-id", + type=str, + help="ID of the job", + dest="job_id", + required=True, + ) + clear_parser.add_argument( + "--context-id", + type=str, + help="Context ID to clear all properties for", + dest="context_id", + required=True, + ) + clear_parser.set_defaults(func=handle_job_context_properties_clear_command) + + +def handle_job_context_properties_list_command(args, chronicle): + """Handle job context properties list command""" + try: + out = chronicle.list_job_context_properties( + integration_name=args.integration_name, + job_id=args.job_id, + context_id=args.context_id, + page_size=args.page_size, + page_token=args.page_token, + filter_string=args.filter_string, + order_by=args.order_by, + as_list=args.as_list, + ) + output_formatter(out, getattr(args, "output", "json")) + except Exception as e: # pylint: disable=broad-exception-caught + print(f"Error listing job context properties: {e}", file=sys.stderr) + sys.exit(1) + + +def handle_job_context_properties_get_command(args, chronicle): + """Handle job context property get command""" + try: + out = chronicle.get_job_context_property( + integration_name=args.integration_name, + job_id=args.job_id, + context_id=args.context_id, + context_property_id=args.property_id, + ) + output_formatter(out, getattr(args, "output", "json")) + except Exception as e: # pylint: disable=broad-exception-caught + print(f"Error getting job context property: {e}", file=sys.stderr) + sys.exit(1) + + +def handle_job_context_properties_delete_command(args, chronicle): + """Handle job context property delete command""" + try: + chronicle.delete_job_context_property( + integration_name=args.integration_name, + job_id=args.job_id, + context_id=args.context_id, + context_property_id=args.property_id, + ) + print(f"Job context property {args.property_id} deleted successfully") + except Exception as e: # pylint: disable=broad-exception-caught + print(f"Error deleting job context property: {e}", file=sys.stderr) + sys.exit(1) + + +def handle_job_context_properties_create_command(args, chronicle): + """Handle job context property create command""" + try: + out = chronicle.create_job_context_property( + integration_name=args.integration_name, + job_id=args.job_id, + context_id=args.context_id, + key=args.key, + value=args.value, + ) + output_formatter(out, getattr(args, "output", "json")) + except Exception as e: # pylint: disable=broad-exception-caught + print(f"Error creating job context property: {e}", file=sys.stderr) + sys.exit(1) + + +def handle_job_context_properties_update_command(args, chronicle): + """Handle job context property update command""" + try: + out = chronicle.update_job_context_property( + integration_name=args.integration_name, + job_id=args.job_id, + context_id=args.context_id, + context_property_id=args.property_id, + value=args.value, + ) + output_formatter(out, getattr(args, "output", "json")) + except Exception as e: # pylint: disable=broad-exception-caught + print(f"Error updating job context property: {e}", file=sys.stderr) + sys.exit(1) + + +def handle_job_context_properties_clear_command(args, chronicle): + """Handle clear all job context properties command""" + try: + chronicle.delete_all_job_context_properties( + integration_name=args.integration_name, + job_id=args.job_id, + context_id=args.context_id, + ) + print( + f"All job context properties for context " + f"{args.context_id} cleared successfully" + ) + except Exception as e: # pylint: disable=broad-exception-caught + print(f"Error clearing job context properties: {e}", file=sys.stderr) + sys.exit(1) diff --git a/src/secops/cli/commands/integration/job_instance_logs.py b/src/secops/cli/commands/integration/job_instance_logs.py new file mode 100644 index 00000000..d18e2ad4 --- /dev/null +++ b/src/secops/cli/commands/integration/job_instance_logs.py @@ -0,0 +1,140 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +"""Google SecOps CLI job instance logs commands""" + +import sys + +from secops.cli.utils.formatters import output_formatter +from secops.cli.utils.common_args import ( + add_pagination_args, + add_as_list_arg, +) + + +def setup_job_instance_logs_command(subparsers): + """Setup job instance logs command""" + logs_parser = subparsers.add_parser( + "job-instance-logs", + help="View job instance logs", + ) + lvl1 = logs_parser.add_subparsers( + dest="job_instance_logs_command", + help="Job instance logs command", + ) + + # list command + list_parser = lvl1.add_parser("list", help="List job instance logs") + list_parser.add_argument( + "--integration-name", + type=str, + help="Name of the integration", + dest="integration_name", + required=True, + ) + list_parser.add_argument( + "--job-id", + type=str, + help="ID of the job", + dest="job_id", + required=True, + ) + list_parser.add_argument( + "--job-instance-id", + type=str, + help="ID of the job instance", + dest="job_instance_id", + required=True, + ) + add_pagination_args(list_parser) + add_as_list_arg(list_parser) + list_parser.add_argument( + "--filter-string", + type=str, + help="Filter string for listing logs", + dest="filter_string", + ) + list_parser.add_argument( + "--order-by", + type=str, + help="Order by string for listing logs", + dest="order_by", + ) + list_parser.set_defaults(func=handle_job_instance_logs_list_command) + + # get command + get_parser = lvl1.add_parser("get", help="Get a specific job instance log") + get_parser.add_argument( + "--integration-name", + type=str, + help="Name of the integration", + dest="integration_name", + required=True, + ) + get_parser.add_argument( + "--job-id", + type=str, + help="ID of the job", + dest="job_id", + required=True, + ) + get_parser.add_argument( + "--job-instance-id", + type=str, + help="ID of the job instance", + dest="job_instance_id", + required=True, + ) + get_parser.add_argument( + "--log-id", + type=str, + help="ID of the log to get", + dest="log_id", + required=True, + ) + get_parser.set_defaults(func=handle_job_instance_logs_get_command) + + +def handle_job_instance_logs_list_command(args, chronicle): + """Handle job instance logs list command""" + try: + out = chronicle.list_job_instance_logs( + integration_name=args.integration_name, + job_id=args.job_id, + job_instance_id=args.job_instance_id, + page_size=args.page_size, + page_token=args.page_token, + filter_string=args.filter_string, + order_by=args.order_by, + as_list=args.as_list, + ) + output_formatter(out, getattr(args, "output", "json")) + except Exception as e: # pylint: disable=broad-exception-caught + print(f"Error listing job instance logs: {e}", file=sys.stderr) + sys.exit(1) + + +def handle_job_instance_logs_get_command(args, chronicle): + """Handle job instance log get command""" + try: + out = chronicle.get_job_instance_log( + integration_name=args.integration_name, + job_id=args.job_id, + job_instance_id=args.job_instance_id, + job_instance_log_id=args.log_id, + ) + output_formatter(out, getattr(args, "output", "json")) + except Exception as e: # pylint: disable=broad-exception-caught + print(f"Error getting job instance log: {e}", file=sys.stderr) + sys.exit(1) diff --git a/src/secops/cli/commands/integration/job_instances.py b/src/secops/cli/commands/integration/job_instances.py new file mode 100644 index 00000000..53c9a202 --- /dev/null +++ b/src/secops/cli/commands/integration/job_instances.py @@ -0,0 +1,407 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +"""Google SecOps CLI integration job instances commands""" + +import json +import sys + +from secops.cli.utils.formatters import output_formatter +from secops.cli.utils.common_args import ( + add_pagination_args, + add_as_list_arg, +) + + +def setup_job_instances_command(subparsers): + """Setup integration job instances command""" + instances_parser = subparsers.add_parser( + "job-instances", + help="Manage job instances", + ) + lvl1 = instances_parser.add_subparsers( + dest="job_instances_command", + help="Job instances command", + ) + + # list command + list_parser = lvl1.add_parser("list", help="List job instances") + list_parser.add_argument( + "--integration-name", + type=str, + help="Name of the integration", + dest="integration_name", + required=True, + ) + list_parser.add_argument( + "--job-id", + type=str, + help="ID of the job", + dest="job_id", + required=True, + ) + add_pagination_args(list_parser) + add_as_list_arg(list_parser) + list_parser.add_argument( + "--filter-string", + type=str, + help="Filter string for listing instances", + dest="filter_string", + ) + list_parser.add_argument( + "--order-by", + type=str, + help="Order by string for listing instances", + dest="order_by", + ) + list_parser.set_defaults(func=handle_job_instances_list_command) + + # get command + get_parser = lvl1.add_parser("get", help="Get a specific job instance") + get_parser.add_argument( + "--integration-name", + type=str, + help="Name of the integration", + dest="integration_name", + required=True, + ) + get_parser.add_argument( + "--job-id", + type=str, + help="ID of the job", + dest="job_id", + required=True, + ) + get_parser.add_argument( + "--job-instance-id", + type=str, + help="ID of the job instance to get", + dest="job_instance_id", + required=True, + ) + get_parser.set_defaults(func=handle_job_instances_get_command) + + # delete command + delete_parser = lvl1.add_parser("delete", help="Delete a job instance") + delete_parser.add_argument( + "--integration-name", + type=str, + help="Name of the integration", + dest="integration_name", + required=True, + ) + delete_parser.add_argument( + "--job-id", + type=str, + help="ID of the job", + dest="job_id", + required=True, + ) + delete_parser.add_argument( + "--job-instance-id", + type=str, + help="ID of the job instance to delete", + dest="job_instance_id", + required=True, + ) + delete_parser.set_defaults(func=handle_job_instances_delete_command) + + # create command + create_parser = lvl1.add_parser("create", help="Create a new job instance") + create_parser.add_argument( + "--integration-name", + type=str, + help="Name of the integration", + dest="integration_name", + required=True, + ) + create_parser.add_argument( + "--job-id", + type=str, + help="ID of the job", + dest="job_id", + required=True, + ) + create_parser.add_argument( + "--environment", + type=str, + help="Environment for the job instance", + dest="environment", + required=True, + ) + create_parser.add_argument( + "--display-name", + type=str, + help="Display name for the job instance", + dest="display_name", + required=True, + ) + create_parser.add_argument( + "--schedule", + type=str, + help="Cron schedule for the job instance", + dest="schedule", + ) + create_parser.add_argument( + "--timeout-seconds", + type=int, + help="Timeout in seconds for job execution", + dest="timeout_seconds", + ) + create_parser.add_argument( + "--enabled", + action="store_true", + help="Enable the job instance", + dest="enabled", + ) + create_parser.add_argument( + "--parameters", + type=str, + help="JSON string of job parameters", + dest="parameters", + ) + create_parser.set_defaults(func=handle_job_instances_create_command) + + # update command + update_parser = lvl1.add_parser("update", help="Update a job instance") + update_parser.add_argument( + "--integration-name", + type=str, + help="Name of the integration", + dest="integration_name", + required=True, + ) + update_parser.add_argument( + "--job-id", + type=str, + help="ID of the job", + dest="job_id", + required=True, + ) + update_parser.add_argument( + "--job-instance-id", + type=str, + help="ID of the job instance to update", + dest="job_instance_id", + required=True, + ) + update_parser.add_argument( + "--display-name", + type=str, + help="New display name for the job instance", + dest="display_name", + ) + update_parser.add_argument( + "--schedule", + type=str, + help="New cron schedule for the job instance", + dest="schedule", + ) + update_parser.add_argument( + "--timeout-seconds", + type=int, + help="New timeout in seconds for job execution", + dest="timeout_seconds", + ) + update_parser.add_argument( + "--enabled", + type=str, + choices=["true", "false"], + help="Enable or disable the job instance", + dest="enabled", + ) + update_parser.add_argument( + "--parameters", + type=str, + help="JSON string of new job parameters", + dest="parameters", + ) + update_parser.add_argument( + "--update-mask", + type=str, + help="Comma-separated list of fields to update", + dest="update_mask", + ) + update_parser.set_defaults(func=handle_job_instances_update_command) + + # run-ondemand command + run_parser = lvl1.add_parser( + "run-ondemand", + help="Run a job instance on demand", + ) + run_parser.add_argument( + "--integration-name", + type=str, + help="Name of the integration", + dest="integration_name", + required=True, + ) + run_parser.add_argument( + "--job-id", + type=str, + help="ID of the job", + dest="job_id", + required=True, + ) + run_parser.add_argument( + "--job-instance-id", + type=str, + help="ID of the job instance to run", + dest="job_instance_id", + required=True, + ) + run_parser.add_argument( + "--parameters", + type=str, + help="JSON string of parameters for this run", + dest="parameters", + ) + run_parser.set_defaults(func=handle_job_instances_run_ondemand_command) + + +def handle_job_instances_list_command(args, chronicle): + """Handle job instances list command""" + try: + out = chronicle.list_integration_job_instances( + integration_name=args.integration_name, + job_id=args.job_id, + page_size=args.page_size, + page_token=args.page_token, + filter_string=args.filter_string, + order_by=args.order_by, + as_list=args.as_list, + ) + output_formatter(out, getattr(args, "output", "json")) + except Exception as e: # pylint: disable=broad-exception-caught + print(f"Error listing job instances: {e}", file=sys.stderr) + sys.exit(1) + + +def handle_job_instances_get_command(args, chronicle): + """Handle job instance get command""" + try: + out = chronicle.get_integration_job_instance( + integration_name=args.integration_name, + job_id=args.job_id, + job_instance_id=args.job_instance_id, + ) + output_formatter(out, getattr(args, "output", "json")) + except Exception as e: # pylint: disable=broad-exception-caught + print(f"Error getting job instance: {e}", file=sys.stderr) + sys.exit(1) + + +def handle_job_instances_delete_command(args, chronicle): + """Handle job instance delete command""" + try: + chronicle.delete_integration_job_instance( + integration_name=args.integration_name, + job_id=args.job_id, + job_instance_id=args.job_instance_id, + ) + print(f"Job instance {args.job_instance_id} deleted successfully") + except Exception as e: # pylint: disable=broad-exception-caught + print(f"Error deleting job instance: {e}", file=sys.stderr) + sys.exit(1) + + +def handle_job_instances_create_command(args, chronicle): + """Handle job instance create command""" + try: + # Parse parameters if provided + parameters = None + if args.parameters: + parameters = json.loads(args.parameters) + + out = chronicle.create_integration_job_instance( + integration_name=args.integration_name, + job_id=args.job_id, + environment=args.environment, + display_name=args.display_name, + schedule=args.schedule, + timeout_seconds=args.timeout_seconds, + enabled=args.enabled, + parameters=parameters, + ) + output_formatter(out, getattr(args, "output", "json")) + except json.JSONDecodeError as e: + print(f"Error parsing parameters JSON: {e}", file=sys.stderr) + sys.exit(1) + except Exception as e: # pylint: disable=broad-exception-caught + print(f"Error creating job instance: {e}", file=sys.stderr) + sys.exit(1) + + +def handle_job_instances_update_command(args, chronicle): + """Handle job instance update command""" + try: + # Parse parameters if provided + parameters = None + if args.parameters: + parameters = json.loads(args.parameters) + + # Convert enabled string to boolean if provided + enabled = None + if args.enabled: + enabled = args.enabled.lower() == "true" + + out = chronicle.update_integration_job_instance( + integration_name=args.integration_name, + job_id=args.job_id, + job_instance_id=args.job_instance_id, + display_name=args.display_name, + schedule=args.schedule, + timeout_seconds=args.timeout_seconds, + enabled=enabled, + parameters=parameters, + update_mask=args.update_mask, + ) + output_formatter(out, getattr(args, "output", "json")) + except json.JSONDecodeError as e: + print(f"Error parsing parameters JSON: {e}", file=sys.stderr) + sys.exit(1) + except Exception as e: # pylint: disable=broad-exception-caught + print(f"Error updating job instance: {e}", file=sys.stderr) + sys.exit(1) + + +def handle_job_instances_run_ondemand_command(args, chronicle): + """Handle run job instance on demand command""" + try: + # Parse parameters if provided + parameters = None + if args.parameters: + parameters = json.loads(args.parameters) + + # Get the job instance first + job_instance = chronicle.get_integration_job_instance( + integration_name=args.integration_name, + job_id=args.job_id, + job_instance_id=args.job_instance_id, + ) + + out = chronicle.run_integration_job_instance_on_demand( + integration_name=args.integration_name, + job_id=args.job_id, + job_instance_id=args.job_instance_id, + job_instance=job_instance, + parameters=parameters, + ) + output_formatter(out, getattr(args, "output", "json")) + except json.JSONDecodeError as e: + print(f"Error parsing parameters JSON: {e}", file=sys.stderr) + sys.exit(1) + except Exception as e: # pylint: disable=broad-exception-caught + print(f"Error running job instance on demand: {e}", file=sys.stderr) + sys.exit(1) diff --git a/src/secops/cli/commands/integration/job_revisions.py b/src/secops/cli/commands/integration/job_revisions.py new file mode 100644 index 00000000..36b24850 --- /dev/null +++ b/src/secops/cli/commands/integration/job_revisions.py @@ -0,0 +1,213 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +"""Google SecOps CLI integration job revisions commands""" + +import sys + +from secops.cli.utils.formatters import output_formatter +from secops.cli.utils.common_args import ( + add_pagination_args, + add_as_list_arg, +) + + +def setup_job_revisions_command(subparsers): + """Setup integration job revisions command""" + revisions_parser = subparsers.add_parser( + "job-revisions", + help="Manage integration job revisions", + ) + lvl1 = revisions_parser.add_subparsers( + dest="job_revisions_command", + help="Integration job revisions command", + ) + + # list command + list_parser = lvl1.add_parser("list", help="List integration job revisions") + list_parser.add_argument( + "--integration-name", + type=str, + help="Name of the integration", + dest="integration_name", + required=True, + ) + list_parser.add_argument( + "--job-id", + type=str, + help="ID of the job", + dest="job_id", + required=True, + ) + add_pagination_args(list_parser) + add_as_list_arg(list_parser) + list_parser.add_argument( + "--filter-string", + type=str, + help="Filter string for listing revisions", + dest="filter_string", + ) + list_parser.add_argument( + "--order-by", + type=str, + help="Order by string for listing revisions", + dest="order_by", + ) + list_parser.set_defaults(func=handle_job_revisions_list_command) + + # delete command + delete_parser = lvl1.add_parser( + "delete", help="Delete an integration job revision" + ) + delete_parser.add_argument( + "--integration-name", + type=str, + help="Name of the integration", + dest="integration_name", + required=True, + ) + delete_parser.add_argument( + "--job-id", + type=str, + help="ID of the job", + dest="job_id", + required=True, + ) + delete_parser.add_argument( + "--revision-id", + type=str, + help="ID of the revision to delete", + dest="revision_id", + required=True, + ) + delete_parser.set_defaults(func=handle_job_revisions_delete_command) + + # create command + create_parser = lvl1.add_parser( + "create", help="Create a new integration job revision" + ) + create_parser.add_argument( + "--integration-name", + type=str, + help="Name of the integration", + dest="integration_name", + required=True, + ) + create_parser.add_argument( + "--job-id", + type=str, + help="ID of the job", + dest="job_id", + required=True, + ) + create_parser.add_argument( + "--comment", + type=str, + help="Comment describing the revision", + dest="comment", + ) + create_parser.set_defaults(func=handle_job_revisions_create_command) + + # rollback command + rollback_parser = lvl1.add_parser( + "rollback", help="Rollback job to a previous revision" + ) + rollback_parser.add_argument( + "--integration-name", + type=str, + help="Name of the integration", + dest="integration_name", + required=True, + ) + rollback_parser.add_argument( + "--job-id", + type=str, + help="ID of the job", + dest="job_id", + required=True, + ) + rollback_parser.add_argument( + "--revision-id", + type=str, + help="ID of the revision to rollback to", + dest="revision_id", + required=True, + ) + rollback_parser.set_defaults(func=handle_job_revisions_rollback_command) + + +def handle_job_revisions_list_command(args, chronicle): + """Handle integration job revisions list command""" + try: + out = chronicle.list_integration_job_revisions( + integration_name=args.integration_name, + job_id=args.job_id, + page_size=args.page_size, + page_token=args.page_token, + filter_string=args.filter_string, + order_by=args.order_by, + as_list=args.as_list, + ) + output_formatter(out, getattr(args, "output", "json")) + except Exception as e: # pylint: disable=broad-exception-caught + print(f"Error listing job revisions: {e}", file=sys.stderr) + sys.exit(1) + + +def handle_job_revisions_delete_command(args, chronicle): + """Handle integration job revision delete command""" + try: + chronicle.delete_integration_job_revision( + integration_name=args.integration_name, + job_id=args.job_id, + revision_id=args.revision_id, + ) + print(f"Job revision {args.revision_id} deleted successfully") + except Exception as e: # pylint: disable=broad-exception-caught + print(f"Error deleting job revision: {e}", file=sys.stderr) + sys.exit(1) + + +def handle_job_revisions_create_command(args, chronicle): + """Handle integration job revision create command""" + try: + # Get the current job to create a revision + job = chronicle.get_integration_job( + integration_name=args.integration_name, + job_id=args.job_id, + ) + out = chronicle.create_integration_job_revision( + integration_name=args.integration_name, + job_id=args.job_id, + job=job, + comment=args.comment, + ) + output_formatter(out, getattr(args, "output", "json")) + except Exception as e: # pylint: disable=broad-exception-caught + print(f"Error creating job revision: {e}", file=sys.stderr) + sys.exit(1) + + +def handle_job_revisions_rollback_command(args, chronicle): + """Handle integration job revision rollback command""" + try: + out = chronicle.rollback_integration_job_revision( + integration_name=args.integration_name, + job_id=args.job_id, + revision_id=args.revision_id, + ) + output_formatter(out, getattr(args, "output", "json")) + except Exception as e: # pylint: disable=broad-exception-caught + print(f"Error rolling back job revision: {e}", file=sys.stderr) + sys.exit(1) diff --git a/src/secops/cli/commands/integration/jobs.py b/src/secops/cli/commands/integration/jobs.py new file mode 100644 index 00000000..4cd04e8c --- /dev/null +++ b/src/secops/cli/commands/integration/jobs.py @@ -0,0 +1,356 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +"""Google SecOps CLI integration jobs commands""" + +import json +import sys + +from secops.cli.utils.formatters import output_formatter +from secops.cli.utils.common_args import ( + add_pagination_args, + add_as_list_arg, +) + + +def setup_jobs_command(subparsers): + """Setup integration jobs command""" + jobs_parser = subparsers.add_parser( + "jobs", + help="Manage integration jobs", + ) + lvl1 = jobs_parser.add_subparsers( + dest="jobs_command", help="Integration jobs command" + ) + + # list command + list_parser = lvl1.add_parser("list", help="List integration jobs") + list_parser.add_argument( + "--integration-name", + type=str, + help="Name of the integration", + dest="integration_name", + required=True, + ) + add_pagination_args(list_parser) + add_as_list_arg(list_parser) + list_parser.add_argument( + "--filter-string", + type=str, + help="Filter string for listing jobs", + dest="filter_string", + ) + list_parser.add_argument( + "--order-by", + type=str, + help="Order by string for listing jobs", + dest="order_by", + ) + list_parser.add_argument( + "--exclude-staging", + action="store_true", + help="Exclude staging jobs from the list", + dest="exclude_staging", + ) + list_parser.set_defaults(func=handle_jobs_list_command) + + # get command + get_parser = lvl1.add_parser("get", help="Get integration job details") + get_parser.add_argument( + "--integration-name", + type=str, + help="Name of the integration", + dest="integration_name", + required=True, + ) + get_parser.add_argument( + "--job-id", + type=str, + help="ID of the job to get", + dest="job_id", + required=True, + ) + get_parser.set_defaults(func=handle_jobs_get_command) + + # delete command + delete_parser = lvl1.add_parser("delete", help="Delete an integration job") + delete_parser.add_argument( + "--integration-name", + type=str, + help="Name of the integration", + dest="integration_name", + required=True, + ) + delete_parser.add_argument( + "--job-id", + type=str, + help="ID of the job to delete", + dest="job_id", + required=True, + ) + delete_parser.set_defaults(func=handle_jobs_delete_command) + + # create command + create_parser = lvl1.add_parser( + "create", + help="Create a new integration job", + ) + create_parser.add_argument( + "--integration-name", + type=str, + help="Name of the integration", + dest="integration_name", + required=True, + ) + create_parser.add_argument( + "--display-name", + type=str, + help="Display name for the job", + dest="display_name", + required=True, + ) + create_parser.add_argument( + "--code", + type=str, + help="Python code for the job", + dest="code", + required=True, + ) + create_parser.add_argument( + "--description", + type=str, + help="Description of the job", + dest="description", + ) + create_parser.add_argument( + "--job-id", + type=str, + help="Custom ID for the job", + dest="job_id", + ) + create_parser.add_argument( + "--parameters", + type=str, + help="JSON string of job parameters", + dest="parameters", + ) + create_parser.set_defaults(func=handle_jobs_create_command) + + # update command + update_parser = lvl1.add_parser("update", help="Update an integration job") + update_parser.add_argument( + "--integration-name", + type=str, + help="Name of the integration", + dest="integration_name", + required=True, + ) + update_parser.add_argument( + "--job-id", + type=str, + help="ID of the job to update", + dest="job_id", + required=True, + ) + update_parser.add_argument( + "--display-name", + type=str, + help="New display name for the job", + dest="display_name", + ) + update_parser.add_argument( + "--code", + type=str, + help="New Python code for the job", + dest="code", + ) + update_parser.add_argument( + "--description", + type=str, + help="New description for the job", + dest="description", + ) + update_parser.add_argument( + "--parameters", + type=str, + help="JSON string of new job parameters", + dest="parameters", + ) + update_parser.add_argument( + "--update-mask", + type=str, + help="Comma-separated list of fields to update", + dest="update_mask", + ) + update_parser.set_defaults(func=handle_jobs_update_command) + + # test command + test_parser = lvl1.add_parser( + "test", help="Execute an integration job test" + ) + test_parser.add_argument( + "--integration-name", + type=str, + help="Name of the integration", + dest="integration_name", + required=True, + ) + test_parser.add_argument( + "--job-id", + type=str, + help="ID of the job to test", + dest="job_id", + required=True, + ) + test_parser.set_defaults(func=handle_jobs_test_command) + + # template command + template_parser = lvl1.add_parser( + "template", + help="Get a template for creating a job", + ) + template_parser.add_argument( + "--integration-name", + type=str, + help="Name of the integration", + dest="integration_name", + required=True, + ) + template_parser.set_defaults(func=handle_jobs_template_command) + + +def handle_jobs_list_command(args, chronicle): + """Handle integration jobs list command""" + try: + out = chronicle.list_integration_jobs( + integration_name=args.integration_name, + page_size=args.page_size, + page_token=args.page_token, + filter_string=args.filter_string, + order_by=args.order_by, + exclude_staging=args.exclude_staging, + as_list=args.as_list, + ) + output_formatter(out, getattr(args, "output", "json")) + except Exception as e: # pylint: disable=broad-exception-caught + print(f"Error listing integration jobs: {e}", file=sys.stderr) + sys.exit(1) + + +def handle_jobs_get_command(args, chronicle): + """Handle integration job get command""" + try: + out = chronicle.get_integration_job( + integration_name=args.integration_name, + job_id=args.job_id, + ) + output_formatter(out, getattr(args, "output", "json")) + except Exception as e: # pylint: disable=broad-exception-caught + print(f"Error getting integration job: {e}", file=sys.stderr) + sys.exit(1) + + +def handle_jobs_delete_command(args, chronicle): + """Handle integration job delete command""" + try: + chronicle.delete_integration_job( + integration_name=args.integration_name, + job_id=args.job_id, + ) + print(f"Job {args.job_id} deleted successfully") + except Exception as e: # pylint: disable=broad-exception-caught + print(f"Error deleting integration job: {e}", file=sys.stderr) + sys.exit(1) + + +def handle_jobs_create_command(args, chronicle): + """Handle integration job create command""" + try: + # Parse parameters if provided + parameters = None + if args.parameters: + parameters = json.loads(args.parameters) + + out = chronicle.create_integration_job( + integration_name=args.integration_name, + display_name=args.display_name, + code=args.code, + description=args.description, + job_id=args.job_id, + parameters=parameters, + ) + output_formatter(out, getattr(args, "output", "json")) + except json.JSONDecodeError as e: + print(f"Error parsing parameters JSON: {e}", file=sys.stderr) + sys.exit(1) + except Exception as e: # pylint: disable=broad-exception-caught + print(f"Error creating integration job: {e}", file=sys.stderr) + sys.exit(1) + + +def handle_jobs_update_command(args, chronicle): + """Handle integration job update command""" + try: + # Parse parameters if provided + parameters = None + if args.parameters: + parameters = json.loads(args.parameters) + + out = chronicle.update_integration_job( + integration_name=args.integration_name, + job_id=args.job_id, + display_name=args.display_name, + code=args.code, + description=args.description, + parameters=parameters, + update_mask=args.update_mask, + ) + output_formatter(out, getattr(args, "output", "json")) + except json.JSONDecodeError as e: + print(f"Error parsing parameters JSON: {e}", file=sys.stderr) + sys.exit(1) + except Exception as e: # pylint: disable=broad-exception-caught + print(f"Error updating integration job: {e}", file=sys.stderr) + sys.exit(1) + + +def handle_jobs_test_command(args, chronicle): + """Handle integration job test command""" + try: + # First get the job to test + job = chronicle.get_integration_job( + integration_name=args.integration_name, + job_id=args.job_id, + ) + out = chronicle.execute_integration_job_test( + integration_name=args.integration_name, + job_id=args.job_id, + job=job, + ) + output_formatter(out, getattr(args, "output", "json")) + except Exception as e: # pylint: disable=broad-exception-caught + print(f"Error testing integration job: {e}", file=sys.stderr) + sys.exit(1) + + +def handle_jobs_template_command(args, chronicle): + """Handle get job template command""" + try: + out = chronicle.get_integration_job_template( + integration_name=args.integration_name, + ) + output_formatter(out, getattr(args, "output", "json")) + except Exception as e: # pylint: disable=broad-exception-caught + print(f"Error getting job template: {e}", file=sys.stderr) + sys.exit(1) diff --git a/tests/chronicle/integration/__init__.py b/tests/chronicle/integration/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/tests/chronicle/integration/test_job_context_properties.py b/tests/chronicle/integration/test_job_context_properties.py new file mode 100644 index 00000000..5fdce61c --- /dev/null +++ b/tests/chronicle/integration/test_job_context_properties.py @@ -0,0 +1,506 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +"""Tests for Chronicle integration job context properties functions.""" + +from unittest.mock import Mock, patch + +import pytest + +from secops.chronicle.client import ChronicleClient +from secops.chronicle.models import APIVersion +from secops.chronicle.integration.job_context_properties import ( + list_job_context_properties, + get_job_context_property, + delete_job_context_property, + create_job_context_property, + update_job_context_property, + delete_all_job_context_properties, +) +from secops.exceptions import APIError + + +@pytest.fixture +def chronicle_client(): + """Create a Chronicle client for testing.""" + with patch("secops.auth.SecOpsAuth") as mock_auth: + mock_session = Mock() + mock_session.headers = {} + mock_auth.return_value.session = mock_session + return ChronicleClient( + customer_id="test-customer", + project_id="test-project", + default_api_version=APIVersion.V1BETA, + ) + + +# -- list_job_context_properties tests -- + + +def test_list_job_context_properties_success(chronicle_client): + """Test list_job_context_properties delegates to paginated request.""" + expected = { + "contextProperties": [{"key": "prop1"}, {"key": "prop2"}], + "nextPageToken": "t", + } + + with patch( + "secops.chronicle.integration.job_context_properties.chronicle_paginated_request", + return_value=expected, + ) as mock_paginated, patch( + "secops.chronicle.integration.job_context_properties.format_resource_id", + return_value="My Integration", + ): + result = list_job_context_properties( + chronicle_client, + integration_name="My Integration", + job_id="j1", + page_size=10, + page_token="next-token", + ) + + assert result == expected + + _, kwargs = mock_paginated.call_args + assert "jobs/j1/contextProperties" in kwargs["path"] + assert kwargs["items_key"] == "contextProperties" + assert kwargs["page_size"] == 10 + assert kwargs["page_token"] == "next-token" + + +def test_list_job_context_properties_default_args(chronicle_client): + """Test list_job_context_properties with default args.""" + expected = {"contextProperties": []} + + with patch( + "secops.chronicle.integration.job_context_properties.chronicle_paginated_request", + return_value=expected, + ): + result = list_job_context_properties( + chronicle_client, + integration_name="test-integration", + job_id="j1", + ) + + assert result == expected + + +def test_list_job_context_properties_with_filters(chronicle_client): + """Test list_job_context_properties with filter and order_by.""" + expected = {"contextProperties": [{"key": "prop1"}]} + + with patch( + "secops.chronicle.integration.job_context_properties.chronicle_paginated_request", + return_value=expected, + ) as mock_paginated: + result = list_job_context_properties( + chronicle_client, + integration_name="test-integration", + job_id="j1", + filter_string='key = "prop1"', + order_by="key", + ) + + assert result == expected + + _, kwargs = mock_paginated.call_args + assert kwargs["extra_params"] == { + "filter": 'key = "prop1"', + "orderBy": "key", + } + + +def test_list_job_context_properties_as_list(chronicle_client): + """Test list_job_context_properties returns list when as_list=True.""" + expected = [{"key": "prop1"}, {"key": "prop2"}] + + with patch( + "secops.chronicle.integration.job_context_properties.chronicle_paginated_request", + return_value=expected, + ) as mock_paginated: + result = list_job_context_properties( + chronicle_client, + integration_name="test-integration", + job_id="j1", + as_list=True, + ) + + assert result == expected + + _, kwargs = mock_paginated.call_args + assert kwargs["as_list"] is True + + +def test_list_job_context_properties_error(chronicle_client): + """Test list_job_context_properties raises APIError on failure.""" + with patch( + "secops.chronicle.integration.job_context_properties.chronicle_paginated_request", + side_effect=APIError("Failed to list context properties"), + ): + with pytest.raises(APIError) as exc_info: + list_job_context_properties( + chronicle_client, + integration_name="test-integration", + job_id="j1", + ) + assert "Failed to list context properties" in str(exc_info.value) + + +# -- get_job_context_property tests -- + + +def test_get_job_context_property_success(chronicle_client): + """Test get_job_context_property issues GET request.""" + expected = { + "name": "contextProperties/prop1", + "key": "prop1", + "value": "test-value", + } + + with patch( + "secops.chronicle.integration.job_context_properties.chronicle_request", + return_value=expected, + ) as mock_request: + result = get_job_context_property( + chronicle_client, + integration_name="test-integration", + job_id="j1", + context_property_id="prop1", + ) + + assert result == expected + + _, kwargs = mock_request.call_args + assert kwargs["method"] == "GET" + assert "jobs/j1/contextProperties/prop1" in kwargs["endpoint_path"] + assert kwargs["api_version"] == APIVersion.V1BETA + + +def test_get_job_context_property_error(chronicle_client): + """Test get_job_context_property raises APIError on failure.""" + with patch( + "secops.chronicle.integration.job_context_properties.chronicle_request", + side_effect=APIError("Failed to get context property"), + ): + with pytest.raises(APIError) as exc_info: + get_job_context_property( + chronicle_client, + integration_name="test-integration", + job_id="j1", + context_property_id="prop1", + ) + assert "Failed to get context property" in str(exc_info.value) + + +# -- delete_job_context_property tests -- + + +def test_delete_job_context_property_success(chronicle_client): + """Test delete_job_context_property issues DELETE request.""" + with patch( + "secops.chronicle.integration.job_context_properties.chronicle_request", + return_value=None, + ) as mock_request: + delete_job_context_property( + chronicle_client, + integration_name="test-integration", + job_id="j1", + context_property_id="prop1", + ) + + _, kwargs = mock_request.call_args + assert kwargs["method"] == "DELETE" + assert "jobs/j1/contextProperties/prop1" in kwargs["endpoint_path"] + assert kwargs["api_version"] == APIVersion.V1BETA + + +def test_delete_job_context_property_error(chronicle_client): + """Test delete_job_context_property raises APIError on failure.""" + with patch( + "secops.chronicle.integration.job_context_properties.chronicle_request", + side_effect=APIError("Failed to delete context property"), + ): + with pytest.raises(APIError) as exc_info: + delete_job_context_property( + chronicle_client, + integration_name="test-integration", + job_id="j1", + context_property_id="prop1", + ) + assert "Failed to delete context property" in str(exc_info.value) + + +# -- create_job_context_property tests -- + + +def test_create_job_context_property_value_only(chronicle_client): + """Test create_job_context_property with value only.""" + expected = {"name": "contextProperties/new", "value": "test-value"} + + with patch( + "secops.chronicle.integration.job_context_properties.chronicle_request", + return_value=expected, + ) as mock_request: + result = create_job_context_property( + chronicle_client, + integration_name="test-integration", + job_id="j1", + value="test-value", + ) + + assert result == expected + + mock_request.assert_called_once_with( + chronicle_client, + method="POST", + endpoint_path=( + "integrations/test-integration/jobs/j1/contextProperties" + ), + api_version=APIVersion.V1BETA, + json={"value": "test-value"}, + ) + + +def test_create_job_context_property_with_key(chronicle_client): + """Test create_job_context_property with key specified.""" + expected = {"name": "contextProperties/mykey", "value": "test-value"} + + with patch( + "secops.chronicle.integration.job_context_properties.chronicle_request", + return_value=expected, + ) as mock_request: + result = create_job_context_property( + chronicle_client, + integration_name="test-integration", + job_id="j1", + value="test-value", + key="mykey", + ) + + assert result == expected + + _, kwargs = mock_request.call_args + assert kwargs["json"]["value"] == "test-value" + assert kwargs["json"]["key"] == "mykey" + + +def test_create_job_context_property_error(chronicle_client): + """Test create_job_context_property raises APIError on failure.""" + with patch( + "secops.chronicle.integration.job_context_properties.chronicle_request", + side_effect=APIError("Failed to create context property"), + ): + with pytest.raises(APIError) as exc_info: + create_job_context_property( + chronicle_client, + integration_name="test-integration", + job_id="j1", + value="test-value", + ) + assert "Failed to create context property" in str(exc_info.value) + + +# -- update_job_context_property tests -- + + +def test_update_job_context_property_success(chronicle_client): + """Test update_job_context_property issues PATCH request.""" + expected = {"name": "contextProperties/prop1", "value": "updated-value"} + + with patch( + "secops.chronicle.integration.job_context_properties.chronicle_request", + return_value=expected, + ) as mock_request, patch( + "secops.chronicle.integration.job_context_properties.build_patch_body", + return_value=( + {"value": "updated-value"}, + {"updateMask": "value"}, + ), + ): + result = update_job_context_property( + chronicle_client, + integration_name="test-integration", + job_id="j1", + context_property_id="prop1", + value="updated-value", + ) + + assert result == expected + + mock_request.assert_called_once_with( + chronicle_client, + method="PATCH", + endpoint_path=( + "integrations/test-integration/jobs/j1/contextProperties/prop1" + ), + api_version=APIVersion.V1BETA, + json={"value": "updated-value"}, + params={"updateMask": "value"}, + ) + + +def test_update_job_context_property_with_update_mask(chronicle_client): + """Test update_job_context_property with explicit update_mask.""" + expected = {"name": "contextProperties/prop1", "value": "updated-value"} + + with patch( + "secops.chronicle.integration.job_context_properties.chronicle_request", + return_value=expected, + ) as mock_request, patch( + "secops.chronicle.integration.job_context_properties.build_patch_body", + return_value=( + {"value": "updated-value"}, + {"updateMask": "value"}, + ), + ): + result = update_job_context_property( + chronicle_client, + integration_name="test-integration", + job_id="j1", + context_property_id="prop1", + value="updated-value", + update_mask="value", + ) + + assert result == expected + + +def test_update_job_context_property_error(chronicle_client): + """Test update_job_context_property raises APIError on failure.""" + with patch( + "secops.chronicle.integration.job_context_properties.chronicle_request", + side_effect=APIError("Failed to update context property"), + ), patch( + "secops.chronicle.integration.job_context_properties.build_patch_body", + return_value=({"value": "updated"}, {"updateMask": "value"}), + ): + with pytest.raises(APIError) as exc_info: + update_job_context_property( + chronicle_client, + integration_name="test-integration", + job_id="j1", + context_property_id="prop1", + value="updated", + ) + assert "Failed to update context property" in str(exc_info.value) + + +# -- delete_all_job_context_properties tests -- + + +def test_delete_all_job_context_properties_success(chronicle_client): + """Test delete_all_job_context_properties issues POST request.""" + with patch( + "secops.chronicle.integration.job_context_properties.chronicle_request", + return_value=None, + ) as mock_request: + delete_all_job_context_properties( + chronicle_client, + integration_name="test-integration", + job_id="j1", + ) + + mock_request.assert_called_once_with( + chronicle_client, + method="POST", + endpoint_path=( + "integrations/test-integration/" + "jobs/j1/contextProperties:clearAll" + ), + api_version=APIVersion.V1BETA, + json={}, + ) + + +def test_delete_all_job_context_properties_with_context_id(chronicle_client): + """Test delete_all_job_context_properties with context_id specified.""" + with patch( + "secops.chronicle.integration.job_context_properties.chronicle_request", + return_value=None, + ) as mock_request: + delete_all_job_context_properties( + chronicle_client, + integration_name="test-integration", + job_id="j1", + context_id="mycontext", + ) + + _, kwargs = mock_request.call_args + assert kwargs["method"] == "POST" + assert "contextProperties:clearAll" in kwargs["endpoint_path"] + assert kwargs["json"]["contextId"] == "mycontext" + + +def test_delete_all_job_context_properties_error(chronicle_client): + """Test delete_all_job_context_properties raises APIError on failure.""" + with patch( + "secops.chronicle.integration.job_context_properties.chronicle_request", + side_effect=APIError("Failed to delete all context properties"), + ): + with pytest.raises(APIError) as exc_info: + delete_all_job_context_properties( + chronicle_client, + integration_name="test-integration", + job_id="j1", + ) + assert "Failed to delete all context properties" in str( + exc_info.value + ) + + +# -- API version tests -- + + +def test_list_job_context_properties_custom_api_version(chronicle_client): + """Test list_job_context_properties with custom API version.""" + expected = {"contextProperties": []} + + with patch( + "secops.chronicle.integration.job_context_properties.chronicle_paginated_request", + return_value=expected, + ) as mock_paginated: + result = list_job_context_properties( + chronicle_client, + integration_name="test-integration", + job_id="j1", + api_version=APIVersion.V1ALPHA, + ) + + assert result == expected + + _, kwargs = mock_paginated.call_args + assert kwargs["api_version"] == APIVersion.V1ALPHA + + +def test_get_job_context_property_custom_api_version(chronicle_client): + """Test get_job_context_property with custom API version.""" + expected = {"name": "contextProperties/prop1"} + + with patch( + "secops.chronicle.integration.job_context_properties.chronicle_request", + return_value=expected, + ) as mock_request: + result = get_job_context_property( + chronicle_client, + integration_name="test-integration", + job_id="j1", + context_property_id="prop1", + api_version=APIVersion.V1ALPHA, + ) + + assert result == expected + + _, kwargs = mock_request.call_args + assert kwargs["api_version"] == APIVersion.V1ALPHA + diff --git a/tests/chronicle/integration/test_job_instance_logs.py b/tests/chronicle/integration/test_job_instance_logs.py new file mode 100644 index 00000000..ad456e79 --- /dev/null +++ b/tests/chronicle/integration/test_job_instance_logs.py @@ -0,0 +1,256 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +"""Tests for Chronicle integration job instance logs functions.""" + +from unittest.mock import Mock, patch + +import pytest + +from secops.chronicle.client import ChronicleClient +from secops.chronicle.models import APIVersion +from secops.chronicle.integration.job_instance_logs import ( + list_job_instance_logs, + get_job_instance_log, +) +from secops.exceptions import APIError + + +@pytest.fixture +def chronicle_client(): + """Create a Chronicle client for testing.""" + with patch("secops.auth.SecOpsAuth") as mock_auth: + mock_session = Mock() + mock_session.headers = {} + mock_auth.return_value.session = mock_session + return ChronicleClient( + customer_id="test-customer", + project_id="test-project", + default_api_version=APIVersion.V1BETA, + ) + + +# -- list_job_instance_logs tests -- + + +def test_list_job_instance_logs_success(chronicle_client): + """Test list_job_instance_logs delegates to paginated request.""" + expected = { + "logs": [{"name": "log1"}, {"name": "log2"}], + "nextPageToken": "t", + } + + with patch( + "secops.chronicle.integration.job_instance_logs.chronicle_paginated_request", + return_value=expected, + ) as mock_paginated, patch( + "secops.chronicle.integration.job_instance_logs.format_resource_id", + return_value="My Integration", + ): + result = list_job_instance_logs( + chronicle_client, + integration_name="My Integration", + job_id="j1", + job_instance_id="ji1", + page_size=10, + page_token="next-token", + ) + + assert result == expected + + _, kwargs = mock_paginated.call_args + assert "jobs/j1/jobInstances/ji1/logs" in kwargs["path"] + assert kwargs["items_key"] == "logs" + assert kwargs["page_size"] == 10 + assert kwargs["page_token"] == "next-token" + + +def test_list_job_instance_logs_default_args(chronicle_client): + """Test list_job_instance_logs with default args.""" + expected = {"logs": []} + + with patch( + "secops.chronicle.integration.job_instance_logs.chronicle_paginated_request", + return_value=expected, + ): + result = list_job_instance_logs( + chronicle_client, + integration_name="test-integration", + job_id="j1", + job_instance_id="ji1", + ) + + assert result == expected + + +def test_list_job_instance_logs_with_filters(chronicle_client): + """Test list_job_instance_logs with filter and order_by.""" + expected = {"logs": [{"name": "log1"}]} + + with patch( + "secops.chronicle.integration.job_instance_logs.chronicle_paginated_request", + return_value=expected, + ) as mock_paginated: + result = list_job_instance_logs( + chronicle_client, + integration_name="test-integration", + job_id="j1", + job_instance_id="ji1", + filter_string="status = SUCCESS", + order_by="startTime desc", + ) + + assert result == expected + + _, kwargs = mock_paginated.call_args + assert kwargs["extra_params"] == { + "filter": "status = SUCCESS", + "orderBy": "startTime desc", + } + + +def test_list_job_instance_logs_as_list(chronicle_client): + """Test list_job_instance_logs returns list when as_list=True.""" + expected = [{"name": "log1"}, {"name": "log2"}] + + with patch( + "secops.chronicle.integration.job_instance_logs.chronicle_paginated_request", + return_value=expected, + ) as mock_paginated: + result = list_job_instance_logs( + chronicle_client, + integration_name="test-integration", + job_id="j1", + job_instance_id="ji1", + as_list=True, + ) + + assert result == expected + + _, kwargs = mock_paginated.call_args + assert kwargs["as_list"] is True + + +def test_list_job_instance_logs_error(chronicle_client): + """Test list_job_instance_logs raises APIError on failure.""" + with patch( + "secops.chronicle.integration.job_instance_logs.chronicle_paginated_request", + side_effect=APIError("Failed to list job instance logs"), + ): + with pytest.raises(APIError) as exc_info: + list_job_instance_logs( + chronicle_client, + integration_name="test-integration", + job_id="j1", + job_instance_id="ji1", + ) + assert "Failed to list job instance logs" in str(exc_info.value) + + +# -- get_job_instance_log tests -- + + +def test_get_job_instance_log_success(chronicle_client): + """Test get_job_instance_log issues GET request.""" + expected = { + "name": "logs/log1", + "status": "SUCCESS", + "startTime": "2026-03-08T10:00:00Z", + "endTime": "2026-03-08T10:05:00Z", + } + + with patch( + "secops.chronicle.integration.job_instance_logs.chronicle_request", + return_value=expected, + ) as mock_request: + result = get_job_instance_log( + chronicle_client, + integration_name="test-integration", + job_id="j1", + job_instance_id="ji1", + log_id="log1", + ) + + assert result == expected + + _, kwargs = mock_request.call_args + assert kwargs["method"] == "GET" + assert "jobs/j1/jobInstances/ji1/logs/log1" in kwargs["endpoint_path"] + assert kwargs["api_version"] == APIVersion.V1BETA + + +def test_get_job_instance_log_error(chronicle_client): + """Test get_job_instance_log raises APIError on failure.""" + with patch( + "secops.chronicle.integration.job_instance_logs.chronicle_request", + side_effect=APIError("Failed to get job instance log"), + ): + with pytest.raises(APIError) as exc_info: + get_job_instance_log( + chronicle_client, + integration_name="test-integration", + job_id="j1", + job_instance_id="ji1", + log_id="log1", + ) + assert "Failed to get job instance log" in str(exc_info.value) + + +# -- API version tests -- + + +def test_list_job_instance_logs_custom_api_version(chronicle_client): + """Test list_job_instance_logs with custom API version.""" + expected = {"logs": []} + + with patch( + "secops.chronicle.integration.job_instance_logs.chronicle_paginated_request", + return_value=expected, + ) as mock_paginated: + result = list_job_instance_logs( + chronicle_client, + integration_name="test-integration", + job_id="j1", + job_instance_id="ji1", + api_version=APIVersion.V1ALPHA, + ) + + assert result == expected + + _, kwargs = mock_paginated.call_args + assert kwargs["api_version"] == APIVersion.V1ALPHA + + +def test_get_job_instance_log_custom_api_version(chronicle_client): + """Test get_job_instance_log with custom API version.""" + expected = {"name": "logs/log1"} + + with patch( + "secops.chronicle.integration.job_instance_logs.chronicle_request", + return_value=expected, + ) as mock_request: + result = get_job_instance_log( + chronicle_client, + integration_name="test-integration", + job_id="j1", + job_instance_id="ji1", + log_id="log1", + api_version=APIVersion.V1ALPHA, + ) + + assert result == expected + + _, kwargs = mock_request.call_args + assert kwargs["api_version"] == APIVersion.V1ALPHA + diff --git a/tests/chronicle/integration/test_job_instances.py b/tests/chronicle/integration/test_job_instances.py new file mode 100644 index 00000000..3e8ca386 --- /dev/null +++ b/tests/chronicle/integration/test_job_instances.py @@ -0,0 +1,733 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +"""Tests for Chronicle marketplace integration job instances functions.""" + +from unittest.mock import Mock, patch + +import pytest + +from secops.chronicle.client import ChronicleClient +from secops.chronicle.models import ( + APIVersion, + IntegrationJobInstanceParameter, + AdvancedConfig, + ScheduleType, + DailyScheduleDetails, + Date, + TimeOfDay, +) +from secops.chronicle.integration.job_instances import ( + list_integration_job_instances, + get_integration_job_instance, + delete_integration_job_instance, + create_integration_job_instance, + update_integration_job_instance, + run_integration_job_instance_on_demand, +) +from secops.exceptions import APIError + + +@pytest.fixture +def chronicle_client(): + """Create a Chronicle client for testing.""" + with patch("secops.auth.SecOpsAuth") as mock_auth: + mock_session = Mock() + mock_session.headers = {} + mock_auth.return_value.session = mock_session + return ChronicleClient( + customer_id="test-customer", + project_id="test-project", + default_api_version=APIVersion.V1BETA, + ) + + +# -- list_integration_job_instances tests -- + + +def test_list_integration_job_instances_success(chronicle_client): + """Test list_integration_job_instances delegates to chronicle_paginated_request.""" + expected = { + "jobInstances": [{"name": "ji1"}, {"name": "ji2"}], + "nextPageToken": "t", + } + + with patch( + "secops.chronicle.integration.job_instances.chronicle_paginated_request", + return_value=expected, + ) as mock_paginated, patch( + "secops.chronicle.integration.job_instances.format_resource_id", + return_value="My Integration", + ): + result = list_integration_job_instances( + chronicle_client, + integration_name="My Integration", + job_id="j1", + page_size=10, + page_token="next-token", + ) + + assert result == expected + + _, kwargs = mock_paginated.call_args + assert "jobs/j1/jobInstances" in kwargs["path"] + assert kwargs["items_key"] == "jobInstances" + assert kwargs["page_size"] == 10 + assert kwargs["page_token"] == "next-token" + + +def test_list_integration_job_instances_default_args(chronicle_client): + """Test list_integration_job_instances with default args.""" + expected = {"jobInstances": []} + + with patch( + "secops.chronicle.integration.job_instances.chronicle_paginated_request", + return_value=expected, + ) as mock_paginated: + result = list_integration_job_instances( + chronicle_client, + integration_name="test-integration", + job_id="j1", + ) + + assert result == expected + + +def test_list_integration_job_instances_with_filters(chronicle_client): + """Test list_integration_job_instances with filter and order_by.""" + expected = {"jobInstances": [{"name": "ji1"}]} + + with patch( + "secops.chronicle.integration.job_instances.chronicle_paginated_request", + return_value=expected, + ) as mock_paginated: + result = list_integration_job_instances( + chronicle_client, + integration_name="test-integration", + job_id="j1", + filter_string="enabled = true", + order_by="displayName", + ) + + assert result == expected + + _, kwargs = mock_paginated.call_args + assert kwargs["extra_params"] == { + "filter": "enabled = true", + "orderBy": "displayName", + } + + +def test_list_integration_job_instances_as_list(chronicle_client): + """Test list_integration_job_instances returns list when as_list=True.""" + expected = [{"name": "ji1"}, {"name": "ji2"}] + + with patch( + "secops.chronicle.integration.job_instances.chronicle_paginated_request", + return_value=expected, + ) as mock_paginated: + result = list_integration_job_instances( + chronicle_client, + integration_name="test-integration", + job_id="j1", + as_list=True, + ) + + assert result == expected + + _, kwargs = mock_paginated.call_args + assert kwargs["as_list"] is True + + +def test_list_integration_job_instances_error(chronicle_client): + """Test list_integration_job_instances raises APIError on failure.""" + with patch( + "secops.chronicle.integration.job_instances.chronicle_paginated_request", + side_effect=APIError("Failed to list job instances"), + ): + with pytest.raises(APIError) as exc_info: + list_integration_job_instances( + chronicle_client, + integration_name="test-integration", + job_id="j1", + ) + assert "Failed to list job instances" in str(exc_info.value) + + +# -- get_integration_job_instance tests -- + + +def test_get_integration_job_instance_success(chronicle_client): + """Test get_integration_job_instance issues GET request.""" + expected = { + "name": "jobInstances/ji1", + "displayName": "My Job Instance", + "intervalSeconds": 300, + "enabled": True, + } + + with patch( + "secops.chronicle.integration.job_instances.chronicle_request", + return_value=expected, + ) as mock_request: + result = get_integration_job_instance( + chronicle_client, + integration_name="test-integration", + job_id="j1", + job_instance_id="ji1", + ) + + assert result == expected + + _, kwargs = mock_request.call_args + assert kwargs["method"] == "GET" + assert "jobs/j1/jobInstances/ji1" in kwargs["endpoint_path"] + assert kwargs["api_version"] == APIVersion.V1BETA + + +def test_get_integration_job_instance_error(chronicle_client): + """Test get_integration_job_instance raises APIError on failure.""" + with patch( + "secops.chronicle.integration.job_instances.chronicle_request", + side_effect=APIError("Failed to get job instance"), + ): + with pytest.raises(APIError) as exc_info: + get_integration_job_instance( + chronicle_client, + integration_name="test-integration", + job_id="j1", + job_instance_id="ji1", + ) + assert "Failed to get job instance" in str(exc_info.value) + + +# -- delete_integration_job_instance tests -- + + +def test_delete_integration_job_instance_success(chronicle_client): + """Test delete_integration_job_instance issues DELETE request.""" + with patch( + "secops.chronicle.integration.job_instances.chronicle_request", + return_value=None, + ) as mock_request: + delete_integration_job_instance( + chronicle_client, + integration_name="test-integration", + job_id="j1", + job_instance_id="ji1", + ) + + _, kwargs = mock_request.call_args + assert kwargs["method"] == "DELETE" + assert "jobs/j1/jobInstances/ji1" in kwargs["endpoint_path"] + assert kwargs["api_version"] == APIVersion.V1BETA + + +def test_delete_integration_job_instance_error(chronicle_client): + """Test delete_integration_job_instance raises APIError on failure.""" + with patch( + "secops.chronicle.integration.job_instances.chronicle_request", + side_effect=APIError("Failed to delete job instance"), + ): + with pytest.raises(APIError) as exc_info: + delete_integration_job_instance( + chronicle_client, + integration_name="test-integration", + job_id="j1", + job_instance_id="ji1", + ) + assert "Failed to delete job instance" in str(exc_info.value) + + +# -- create_integration_job_instance tests -- + + +def test_create_integration_job_instance_required_fields_only(chronicle_client): + """Test create_integration_job_instance sends only required fields.""" + expected = {"name": "jobInstances/new", "displayName": "My Job Instance"} + + with patch( + "secops.chronicle.integration.job_instances.chronicle_request", + return_value=expected, + ) as mock_request: + result = create_integration_job_instance( + chronicle_client, + integration_name="test-integration", + job_id="j1", + display_name="My Job Instance", + interval_seconds=300, + enabled=True, + advanced=False, + ) + + assert result == expected + + mock_request.assert_called_once_with( + chronicle_client, + method="POST", + endpoint_path="integrations/test-integration/jobs/j1/jobInstances", + api_version=APIVersion.V1BETA, + json={ + "displayName": "My Job Instance", + "intervalSeconds": 300, + "enabled": True, + "advanced": False, + }, + ) + + +def test_create_integration_job_instance_with_optional_fields(chronicle_client): + """Test create_integration_job_instance includes optional fields when provided.""" + expected = {"name": "jobInstances/new"} + + with patch( + "secops.chronicle.integration.job_instances.chronicle_request", + return_value=expected, + ) as mock_request: + result = create_integration_job_instance( + chronicle_client, + integration_name="test-integration", + job_id="j1", + display_name="My Job Instance", + interval_seconds=300, + enabled=True, + advanced=False, + description="Test job instance", + parameters=[{"id": 1, "value": "test"}], + agent="agent-123", + ) + + assert result == expected + + _, kwargs = mock_request.call_args + assert kwargs["json"]["description"] == "Test job instance" + assert kwargs["json"]["parameters"] == [{"id": 1, "value": "test"}] + assert kwargs["json"]["agent"] == "agent-123" + + +def test_create_integration_job_instance_with_dataclass_params(chronicle_client): + """Test create_integration_job_instance converts dataclass parameters.""" + expected = {"name": "jobInstances/new"} + + param = IntegrationJobInstanceParameter(value="test-value") + + with patch( + "secops.chronicle.integration.job_instances.chronicle_request", + return_value=expected, + ) as mock_request: + result = create_integration_job_instance( + chronicle_client, + integration_name="test-integration", + job_id="j1", + display_name="My Job Instance", + interval_seconds=300, + enabled=True, + advanced=False, + parameters=[param], + ) + + assert result == expected + + _, kwargs = mock_request.call_args + params_sent = kwargs["json"]["parameters"] + assert len(params_sent) == 1 + assert params_sent[0]["value"] == "test-value" + + +def test_create_integration_job_instance_with_advanced_config(chronicle_client): + """Test create_integration_job_instance with AdvancedConfig dataclass.""" + expected = {"name": "jobInstances/new"} + + advanced_config = AdvancedConfig( + time_zone="America/New_York", + schedule_type=ScheduleType.DAILY, + daily_schedule=DailyScheduleDetails( + start_date=Date(year=2026, month=3, day=8), + time=TimeOfDay(hours=2, minutes=0), + interval=1 + ) + ) + + with patch( + "secops.chronicle.integration.job_instances.chronicle_request", + return_value=expected, + ) as mock_request: + result = create_integration_job_instance( + chronicle_client, + integration_name="test-integration", + job_id="j1", + display_name="My Job Instance", + interval_seconds=300, + enabled=True, + advanced=True, + advanced_config=advanced_config, + ) + + assert result == expected + + _, kwargs = mock_request.call_args + config_sent = kwargs["json"]["advancedConfig"] + assert config_sent["timeZone"] == "America/New_York" + assert config_sent["scheduleType"] == "DAILY" + assert "dailySchedule" in config_sent + + +def test_create_integration_job_instance_error(chronicle_client): + """Test create_integration_job_instance raises APIError on failure.""" + with patch( + "secops.chronicle.integration.job_instances.chronicle_request", + side_effect=APIError("Failed to create job instance"), + ): + with pytest.raises(APIError) as exc_info: + create_integration_job_instance( + chronicle_client, + integration_name="test-integration", + job_id="j1", + display_name="My Job Instance", + interval_seconds=300, + enabled=True, + advanced=False, + ) + assert "Failed to create job instance" in str(exc_info.value) + + +# -- update_integration_job_instance tests -- + + +def test_update_integration_job_instance_single_field(chronicle_client): + """Test update_integration_job_instance updates a single field.""" + expected = {"name": "jobInstances/ji1", "displayName": "Updated Instance"} + + with patch( + "secops.chronicle.integration.job_instances.chronicle_request", + return_value=expected, + ) as mock_request, patch( + "secops.chronicle.integration.job_instances.build_patch_body", + return_value=( + {"displayName": "Updated Instance"}, + {"updateMask": "displayName"}, + ), + ) as mock_build_patch: + result = update_integration_job_instance( + chronicle_client, + integration_name="test-integration", + job_id="j1", + job_instance_id="ji1", + display_name="Updated Instance", + ) + + assert result == expected + + mock_build_patch.assert_called_once() + mock_request.assert_called_once_with( + chronicle_client, + method="PATCH", + endpoint_path=( + "integrations/test-integration/jobs/j1/jobInstances/ji1" + ), + api_version=APIVersion.V1BETA, + json={"displayName": "Updated Instance"}, + params={"updateMask": "displayName"}, + ) + + +def test_update_integration_job_instance_multiple_fields(chronicle_client): + """Test update_integration_job_instance updates multiple fields.""" + expected = {"name": "jobInstances/ji1"} + + with patch( + "secops.chronicle.integration.job_instances.chronicle_request", + return_value=expected, + ) as mock_request, patch( + "secops.chronicle.integration.job_instances.build_patch_body", + return_value=( + { + "displayName": "Updated", + "intervalSeconds": 600, + "enabled": False, + }, + {"updateMask": "displayName,intervalSeconds,enabled"}, + ), + ): + result = update_integration_job_instance( + chronicle_client, + integration_name="test-integration", + job_id="j1", + job_instance_id="ji1", + display_name="Updated", + interval_seconds=600, + enabled=False, + ) + + assert result == expected + + +def test_update_integration_job_instance_with_dataclass_params(chronicle_client): + """Test update_integration_job_instance converts dataclass parameters.""" + expected = {"name": "jobInstances/ji1"} + + param = IntegrationJobInstanceParameter(value="updated-value") + + with patch( + "secops.chronicle.integration.job_instances.chronicle_request", + return_value=expected, + ) as mock_request, patch( + "secops.chronicle.integration.job_instances.build_patch_body", + return_value=( + {"parameters": [{"value": "updated-value"}]}, + {"updateMask": "parameters"}, + ), + ): + result = update_integration_job_instance( + chronicle_client, + integration_name="test-integration", + job_id="j1", + job_instance_id="ji1", + parameters=[param], + ) + + assert result == expected + + +def test_update_integration_job_instance_with_advanced_config(chronicle_client): + """Test update_integration_job_instance with AdvancedConfig dataclass.""" + expected = {"name": "jobInstances/ji1"} + + advanced_config = AdvancedConfig( + time_zone="UTC", + schedule_type=ScheduleType.DAILY, + daily_schedule=DailyScheduleDetails( + start_date=Date(year=2026, month=3, day=8), + time=TimeOfDay(hours=0, minutes=0), + interval=1 + ) + ) + + with patch( + "secops.chronicle.integration.job_instances.chronicle_request", + return_value=expected, + ) as mock_request, patch( + "secops.chronicle.integration.job_instances.build_patch_body", + return_value=( + { + "advancedConfig": { + "timeZone": "UTC", + "scheduleType": "DAILY", + "dailySchedule": { + "startDate": {"year": 2026, "month": 3, "day": 8}, + "time": {"hours": 0, "minutes": 0}, + "interval": 1 + } + } + }, + {"updateMask": "advancedConfig"}, + ), + ): + result = update_integration_job_instance( + chronicle_client, + integration_name="test-integration", + job_id="j1", + job_instance_id="ji1", + advanced_config=advanced_config, + ) + + assert result == expected + + +def test_update_integration_job_instance_with_update_mask(chronicle_client): + """Test update_integration_job_instance respects explicit update_mask.""" + expected = {"name": "jobInstances/ji1"} + + with patch( + "secops.chronicle.integration.job_instances.chronicle_request", + return_value=expected, + ) as mock_request, patch( + "secops.chronicle.integration.job_instances.build_patch_body", + return_value=( + {"displayName": "Updated"}, + {"updateMask": "displayName"}, + ), + ): + result = update_integration_job_instance( + chronicle_client, + integration_name="test-integration", + job_id="j1", + job_instance_id="ji1", + display_name="Updated", + update_mask="displayName", + ) + + assert result == expected + + +def test_update_integration_job_instance_error(chronicle_client): + """Test update_integration_job_instance raises APIError on failure.""" + with patch( + "secops.chronicle.integration.job_instances.chronicle_request", + side_effect=APIError("Failed to update job instance"), + ), patch( + "secops.chronicle.integration.job_instances.build_patch_body", + return_value=({"enabled": False}, {"updateMask": "enabled"}), + ): + with pytest.raises(APIError) as exc_info: + update_integration_job_instance( + chronicle_client, + integration_name="test-integration", + job_id="j1", + job_instance_id="ji1", + enabled=False, + ) + assert "Failed to update job instance" in str(exc_info.value) + + +# -- run_integration_job_instance_on_demand tests -- + + +def test_run_integration_job_instance_on_demand_success(chronicle_client): + """Test run_integration_job_instance_on_demand issues POST request.""" + expected = {"success": True} + + with patch( + "secops.chronicle.integration.job_instances.chronicle_request", + return_value=expected, + ) as mock_request: + result = run_integration_job_instance_on_demand( + chronicle_client, + integration_name="test-integration", + job_id="j1", + job_instance_id="ji1", + ) + + assert result == expected + + mock_request.assert_called_once_with( + chronicle_client, + method="POST", + endpoint_path=( + "integrations/test-integration/jobs/j1/jobInstances/ji1:runOnDemand" + ), + api_version=APIVersion.V1BETA, + json={}, + ) + + +def test_run_integration_job_instance_on_demand_with_params(chronicle_client): + """Test run_integration_job_instance_on_demand with parameters.""" + expected = {"success": True} + + with patch( + "secops.chronicle.integration.job_instances.chronicle_request", + return_value=expected, + ) as mock_request: + result = run_integration_job_instance_on_demand( + chronicle_client, + integration_name="test-integration", + job_id="j1", + job_instance_id="ji1", + parameters=[{"id": 1, "value": "override"}], + ) + + assert result == expected + + _, kwargs = mock_request.call_args + assert kwargs["json"]["parameters"] == [{"id": 1, "value": "override"}] + + +def test_run_integration_job_instance_on_demand_with_dataclass(chronicle_client): + """Test run_integration_job_instance_on_demand converts dataclass parameters.""" + expected = {"success": True} + + param = IntegrationJobInstanceParameter(value="test") + + with patch( + "secops.chronicle.integration.job_instances.chronicle_request", + return_value=expected, + ) as mock_request: + result = run_integration_job_instance_on_demand( + chronicle_client, + integration_name="test-integration", + job_id="j1", + job_instance_id="ji1", + parameters=[param], + ) + + assert result == expected + + _, kwargs = mock_request.call_args + params_sent = kwargs["json"]["parameters"] + assert len(params_sent) == 1 + assert params_sent[0]["value"] == "test" + + +def test_run_integration_job_instance_on_demand_error(chronicle_client): + """Test run_integration_job_instance_on_demand raises APIError on failure.""" + with patch( + "secops.chronicle.integration.job_instances.chronicle_request", + side_effect=APIError("Failed to run job instance on demand"), + ): + with pytest.raises(APIError) as exc_info: + run_integration_job_instance_on_demand( + chronicle_client, + integration_name="test-integration", + job_id="j1", + job_instance_id="ji1", + ) + assert "Failed to run job instance on demand" in str(exc_info.value) + + +# -- API version tests -- + + +def test_list_integration_job_instances_custom_api_version(chronicle_client): + """Test list_integration_job_instances with custom API version.""" + expected = {"jobInstances": []} + + with patch( + "secops.chronicle.integration.job_instances.chronicle_paginated_request", + return_value=expected, + ) as mock_paginated: + result = list_integration_job_instances( + chronicle_client, + integration_name="test-integration", + job_id="j1", + api_version=APIVersion.V1ALPHA, + ) + + assert result == expected + + _, kwargs = mock_paginated.call_args + assert kwargs["api_version"] == APIVersion.V1ALPHA + + +def test_get_integration_job_instance_custom_api_version(chronicle_client): + """Test get_integration_job_instance with custom API version.""" + expected = {"name": "jobInstances/ji1"} + + with patch( + "secops.chronicle.integration.job_instances.chronicle_request", + return_value=expected, + ) as mock_request: + result = get_integration_job_instance( + chronicle_client, + integration_name="test-integration", + job_id="j1", + job_instance_id="ji1", + api_version=APIVersion.V1ALPHA, + ) + + assert result == expected + + _, kwargs = mock_request.call_args + assert kwargs["api_version"] == APIVersion.V1ALPHA + diff --git a/tests/chronicle/integration/test_job_revisions.py b/tests/chronicle/integration/test_job_revisions.py new file mode 100644 index 00000000..3a81682c --- /dev/null +++ b/tests/chronicle/integration/test_job_revisions.py @@ -0,0 +1,378 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +"""Tests for Chronicle marketplace integration job revisions functions.""" + +from unittest.mock import Mock, patch + +import pytest + +from secops.chronicle.client import ChronicleClient +from secops.chronicle.models import APIVersion +from secops.chronicle.integration.job_revisions import ( + list_integration_job_revisions, + delete_integration_job_revision, + create_integration_job_revision, + rollback_integration_job_revision, +) +from secops.exceptions import APIError + + +@pytest.fixture +def chronicle_client(): + """Create a Chronicle client for testing.""" + with patch("secops.auth.SecOpsAuth") as mock_auth: + mock_session = Mock() + mock_session.headers = {} + mock_auth.return_value.session = mock_session + return ChronicleClient( + customer_id="test-customer", + project_id="test-project", + default_api_version=APIVersion.V1BETA, + ) + + +# -- list_integration_job_revisions tests -- + + +def test_list_integration_job_revisions_success(chronicle_client): + """Test list_integration_job_revisions delegates to chronicle_paginated_request.""" + expected = { + "revisions": [{"name": "r1"}, {"name": "r2"}], + "nextPageToken": "t", + } + + with patch( + "secops.chronicle.integration.job_revisions.chronicle_paginated_request", + return_value=expected, + ) as mock_paginated, patch( + "secops.chronicle.integration.job_revisions.format_resource_id", + return_value="My Integration", + ): + result = list_integration_job_revisions( + chronicle_client, + integration_name="My Integration", + job_id="j1", + page_size=10, + page_token="next-token", + ) + + assert result == expected + + _, kwargs = mock_paginated.call_args + assert "jobs/j1/revisions" in kwargs["path"] + assert kwargs["items_key"] == "revisions" + assert kwargs["page_size"] == 10 + assert kwargs["page_token"] == "next-token" + + +def test_list_integration_job_revisions_default_args(chronicle_client): + """Test list_integration_job_revisions with default args.""" + expected = {"revisions": []} + + with patch( + "secops.chronicle.integration.job_revisions.chronicle_paginated_request", + return_value=expected, + ) as mock_paginated: + result = list_integration_job_revisions( + chronicle_client, + integration_name="test-integration", + job_id="j1", + ) + + assert result == expected + + +def test_list_integration_job_revisions_with_filters(chronicle_client): + """Test list_integration_job_revisions with filter and order_by.""" + expected = {"revisions": [{"name": "r1"}]} + + with patch( + "secops.chronicle.integration.job_revisions.chronicle_paginated_request", + return_value=expected, + ) as mock_paginated: + result = list_integration_job_revisions( + chronicle_client, + integration_name="test-integration", + job_id="j1", + filter_string='version = "1.0"', + order_by="createTime", + ) + + assert result == expected + + _, kwargs = mock_paginated.call_args + assert kwargs["extra_params"] == { + "filter": 'version = "1.0"', + "orderBy": "createTime", + } + + +def test_list_integration_job_revisions_as_list(chronicle_client): + """Test list_integration_job_revisions returns list when as_list=True.""" + expected = [{"name": "r1"}, {"name": "r2"}] + + with patch( + "secops.chronicle.integration.job_revisions.chronicle_paginated_request", + return_value=expected, + ) as mock_paginated: + result = list_integration_job_revisions( + chronicle_client, + integration_name="test-integration", + job_id="j1", + as_list=True, + ) + + assert result == expected + + _, kwargs = mock_paginated.call_args + assert kwargs["as_list"] is True + + +def test_list_integration_job_revisions_error(chronicle_client): + """Test list_integration_job_revisions raises APIError on failure.""" + with patch( + "secops.chronicle.integration.job_revisions.chronicle_paginated_request", + side_effect=APIError("Failed to list job revisions"), + ): + with pytest.raises(APIError) as exc_info: + list_integration_job_revisions( + chronicle_client, + integration_name="test-integration", + job_id="j1", + ) + assert "Failed to list job revisions" in str(exc_info.value) + + +# -- delete_integration_job_revision tests -- + + +def test_delete_integration_job_revision_success(chronicle_client): + """Test delete_integration_job_revision issues DELETE request.""" + with patch( + "secops.chronicle.integration.job_revisions.chronicle_request", + return_value=None, + ) as mock_request: + delete_integration_job_revision( + chronicle_client, + integration_name="test-integration", + job_id="j1", + revision_id="r1", + ) + + _, kwargs = mock_request.call_args + assert kwargs["method"] == "DELETE" + assert "jobs/j1/revisions/r1" in kwargs["endpoint_path"] + assert kwargs["api_version"] == APIVersion.V1BETA + + +def test_delete_integration_job_revision_error(chronicle_client): + """Test delete_integration_job_revision raises APIError on failure.""" + with patch( + "secops.chronicle.integration.job_revisions.chronicle_request", + side_effect=APIError("Failed to delete job revision"), + ): + with pytest.raises(APIError) as exc_info: + delete_integration_job_revision( + chronicle_client, + integration_name="test-integration", + job_id="j1", + revision_id="r1", + ) + assert "Failed to delete job revision" in str(exc_info.value) + + +# -- create_integration_job_revision tests -- + + +def test_create_integration_job_revision_required_fields_only( + chronicle_client, +): + """Test create_integration_job_revision with required fields only.""" + expected = {"name": "revisions/new", "job": {"displayName": "My Job"}} + job_dict = { + "displayName": "My Job", + "script": "print('hello')", + "version": 1, + "enabled": True, + "custom": True, + } + + with patch( + "secops.chronicle.integration.job_revisions.chronicle_request", + return_value=expected, + ) as mock_request: + result = create_integration_job_revision( + chronicle_client, + integration_name="test-integration", + job_id="j1", + job=job_dict, + ) + + assert result == expected + + mock_request.assert_called_once_with( + chronicle_client, + method="POST", + endpoint_path=( + "integrations/test-integration/jobs/j1/revisions" + ), + api_version=APIVersion.V1BETA, + json={"job": job_dict}, + ) + + +def test_create_integration_job_revision_with_comment(chronicle_client): + """Test create_integration_job_revision includes comment when provided.""" + expected = {"name": "revisions/new"} + job_dict = { + "displayName": "My Job", + "script": "print('hello')", + "version": 1, + "enabled": True, + "custom": True, + } + + with patch( + "secops.chronicle.integration.job_revisions.chronicle_request", + return_value=expected, + ) as mock_request: + result = create_integration_job_revision( + chronicle_client, + integration_name="test-integration", + job_id="j1", + job=job_dict, + comment="Backup before major update", + ) + + assert result == expected + + _, kwargs = mock_request.call_args + assert kwargs["json"]["comment"] == "Backup before major update" + assert kwargs["json"]["job"] == job_dict + + +def test_create_integration_job_revision_error(chronicle_client): + """Test create_integration_job_revision raises APIError on failure.""" + job_dict = { + "displayName": "My Job", + "script": "print('hello')", + "version": 1, + "enabled": True, + "custom": True, + } + + with patch( + "secops.chronicle.integration.job_revisions.chronicle_request", + side_effect=APIError("Failed to create job revision"), + ): + with pytest.raises(APIError) as exc_info: + create_integration_job_revision( + chronicle_client, + integration_name="test-integration", + job_id="j1", + job=job_dict, + ) + assert "Failed to create job revision" in str(exc_info.value) + + +# -- rollback_integration_job_revision tests -- + + +def test_rollback_integration_job_revision_success(chronicle_client): + """Test rollback_integration_job_revision issues POST request.""" + expected = { + "name": "revisions/r1", + "job": { + "displayName": "My Job", + "script": "print('hello')", + }, + } + + with patch( + "secops.chronicle.integration.job_revisions.chronicle_request", + return_value=expected, + ) as mock_request: + result = rollback_integration_job_revision( + chronicle_client, + integration_name="test-integration", + job_id="j1", + revision_id="r1", + ) + + assert result == expected + + _, kwargs = mock_request.call_args + assert kwargs["method"] == "POST" + assert "jobs/j1/revisions/r1:rollback" in kwargs["endpoint_path"] + assert kwargs["api_version"] == APIVersion.V1BETA + + +def test_rollback_integration_job_revision_error(chronicle_client): + """Test rollback_integration_job_revision raises APIError on failure.""" + with patch( + "secops.chronicle.integration.job_revisions.chronicle_request", + side_effect=APIError("Failed to rollback job revision"), + ): + with pytest.raises(APIError) as exc_info: + rollback_integration_job_revision( + chronicle_client, + integration_name="test-integration", + job_id="j1", + revision_id="r1", + ) + assert "Failed to rollback job revision" in str(exc_info.value) + + +# -- API version tests -- + + +def test_list_integration_job_revisions_custom_api_version(chronicle_client): + """Test list_integration_job_revisions with custom API version.""" + expected = {"revisions": []} + + with patch( + "secops.chronicle.integration.job_revisions.chronicle_paginated_request", + return_value=expected, + ) as mock_paginated: + result = list_integration_job_revisions( + chronicle_client, + integration_name="test-integration", + job_id="j1", + api_version=APIVersion.V1ALPHA, + ) + + assert result == expected + + _, kwargs = mock_paginated.call_args + assert kwargs["api_version"] == APIVersion.V1ALPHA + + +def test_delete_integration_job_revision_custom_api_version(chronicle_client): + """Test delete_integration_job_revision with custom API version.""" + with patch( + "secops.chronicle.integration.job_revisions.chronicle_request", + return_value=None, + ) as mock_request: + delete_integration_job_revision( + chronicle_client, + integration_name="test-integration", + job_id="j1", + revision_id="r1", + api_version=APIVersion.V1ALPHA, + ) + + _, kwargs = mock_request.call_args + assert kwargs["api_version"] == APIVersion.V1ALPHA + diff --git a/tests/chronicle/integration/test_jobs.py b/tests/chronicle/integration/test_jobs.py new file mode 100644 index 00000000..a318a890 --- /dev/null +++ b/tests/chronicle/integration/test_jobs.py @@ -0,0 +1,594 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +"""Tests for Chronicle marketplace integration jobs functions.""" + +from unittest.mock import Mock, patch + +import pytest + +from secops.chronicle.client import ChronicleClient +from secops.chronicle.models import APIVersion, JobParameter, ParamType +from secops.chronicle.integration.jobs import ( + list_integration_jobs, + get_integration_job, + delete_integration_job, + create_integration_job, + update_integration_job, + execute_integration_job_test, + get_integration_job_template, +) +from secops.exceptions import APIError + + +@pytest.fixture +def chronicle_client(): + """Create a Chronicle client for testing.""" + with patch("secops.auth.SecOpsAuth") as mock_auth: + mock_session = Mock() + mock_session.headers = {} + mock_auth.return_value.session = mock_session + return ChronicleClient( + customer_id="test-customer", + project_id="test-project", + default_api_version=APIVersion.V1BETA, + ) + + +# -- list_integration_jobs tests -- + + +def test_list_integration_jobs_success(chronicle_client): + """Test list_integration_jobs delegates to chronicle_paginated_request.""" + expected = {"jobs": [{"name": "j1"}, {"name": "j2"}], "nextPageToken": "t"} + + with patch( + "secops.chronicle.integration.jobs.chronicle_paginated_request", + return_value=expected, + ) as mock_paginated, patch( + "secops.chronicle.integration.jobs.format_resource_id", + return_value="My Integration", + ): + result = list_integration_jobs( + chronicle_client, + integration_name="My Integration", + page_size=10, + page_token="next-token", + ) + + assert result == expected + + mock_paginated.assert_called_once_with( + chronicle_client, + api_version=APIVersion.V1BETA, + path="integrations/My Integration/jobs", + items_key="jobs", + page_size=10, + page_token="next-token", + extra_params={}, + as_list=False, + ) + + +def test_list_integration_jobs_default_args(chronicle_client): + """Test list_integration_jobs with default args.""" + expected = {"jobs": []} + + with patch( + "secops.chronicle.integration.jobs.chronicle_paginated_request", + return_value=expected, + ) as mock_paginated: + result = list_integration_jobs( + chronicle_client, + integration_name="test-integration", + ) + + assert result == expected + + +def test_list_integration_jobs_with_filters(chronicle_client): + """Test list_integration_jobs with filter and order_by.""" + expected = {"jobs": [{"name": "j1"}]} + + with patch( + "secops.chronicle.integration.jobs.chronicle_paginated_request", + return_value=expected, + ) as mock_paginated: + result = list_integration_jobs( + chronicle_client, + integration_name="test-integration", + filter_string="custom=true", + order_by="displayName", + exclude_staging=True, + ) + + assert result == expected + + _, kwargs = mock_paginated.call_args + assert kwargs["extra_params"] == { + "filter": "custom=true", + "orderBy": "displayName", + "excludeStaging": True, + } + + +def test_list_integration_jobs_as_list(chronicle_client): + """Test list_integration_jobs returns list when as_list=True.""" + expected = [{"name": "j1"}, {"name": "j2"}] + + with patch( + "secops.chronicle.integration.jobs.chronicle_paginated_request", + return_value=expected, + ) as mock_paginated: + result = list_integration_jobs( + chronicle_client, + integration_name="test-integration", + as_list=True, + ) + + assert result == expected + + _, kwargs = mock_paginated.call_args + assert kwargs["as_list"] is True + + +def test_list_integration_jobs_error(chronicle_client): + """Test list_integration_jobs raises APIError on failure.""" + with patch( + "secops.chronicle.integration.jobs.chronicle_paginated_request", + side_effect=APIError("Failed to list integration jobs"), + ): + with pytest.raises(APIError) as exc_info: + list_integration_jobs( + chronicle_client, + integration_name="test-integration", + ) + assert "Failed to list integration jobs" in str(exc_info.value) + + +# -- get_integration_job tests -- + + +def test_get_integration_job_success(chronicle_client): + """Test get_integration_job issues GET request.""" + expected = { + "name": "jobs/j1", + "displayName": "My Job", + "script": "print('hello')", + } + + with patch( + "secops.chronicle.integration.jobs.chronicle_request", + return_value=expected, + ) as mock_request: + result = get_integration_job( + chronicle_client, + integration_name="test-integration", + job_id="j1", + ) + + assert result == expected + + mock_request.assert_called_once_with( + chronicle_client, + method="GET", + endpoint_path="integrations/test-integration/jobs/j1", + api_version=APIVersion.V1BETA, + ) + + +def test_get_integration_job_error(chronicle_client): + """Test get_integration_job raises APIError on failure.""" + with patch( + "secops.chronicle.integration.jobs.chronicle_request", + side_effect=APIError("Failed to get integration job"), + ): + with pytest.raises(APIError) as exc_info: + get_integration_job( + chronicle_client, + integration_name="test-integration", + job_id="j1", + ) + assert "Failed to get integration job" in str(exc_info.value) + + +# -- delete_integration_job tests -- + + +def test_delete_integration_job_success(chronicle_client): + """Test delete_integration_job issues DELETE request.""" + with patch( + "secops.chronicle.integration.jobs.chronicle_request", + return_value=None, + ) as mock_request: + delete_integration_job( + chronicle_client, + integration_name="test-integration", + job_id="j1", + ) + + mock_request.assert_called_once_with( + chronicle_client, + method="DELETE", + endpoint_path="integrations/test-integration/jobs/j1", + api_version=APIVersion.V1BETA, + ) + + +def test_delete_integration_job_error(chronicle_client): + """Test delete_integration_job raises APIError on failure.""" + with patch( + "secops.chronicle.integration.jobs.chronicle_request", + side_effect=APIError("Failed to delete integration job"), + ): + with pytest.raises(APIError) as exc_info: + delete_integration_job( + chronicle_client, + integration_name="test-integration", + job_id="j1", + ) + assert "Failed to delete integration job" in str(exc_info.value) + + +# -- create_integration_job tests -- + + +def test_create_integration_job_required_fields_only(chronicle_client): + """Test create_integration_job sends only required fields when optionals omitted.""" + expected = {"name": "jobs/new", "displayName": "My Job"} + + with patch( + "secops.chronicle.integration.jobs.chronicle_request", + return_value=expected, + ) as mock_request: + result = create_integration_job( + chronicle_client, + integration_name="test-integration", + display_name="My Job", + script="print('hi')", + version=1, + enabled=True, + custom=True, + ) + + assert result == expected + + mock_request.assert_called_once_with( + chronicle_client, + method="POST", + endpoint_path="integrations/test-integration/jobs", + api_version=APIVersion.V1BETA, + json={ + "displayName": "My Job", + "script": "print('hi')", + "version": 1, + "enabled": True, + "custom": True, + }, + ) + + +def test_create_integration_job_with_optional_fields(chronicle_client): + """Test create_integration_job includes optional fields when provided.""" + expected = {"name": "jobs/new"} + + with patch( + "secops.chronicle.integration.jobs.chronicle_request", + return_value=expected, + ) as mock_request: + result = create_integration_job( + chronicle_client, + integration_name="test-integration", + display_name="My Job", + script="print('hi')", + version=1, + enabled=True, + custom=True, + description="Test job", + parameters=[{"id": 1, "displayName": "p1", "type": "STRING"}], + ) + + assert result == expected + + _, kwargs = mock_request.call_args + assert kwargs["json"]["description"] == "Test job" + assert kwargs["json"]["parameters"] == [ + {"id": 1, "displayName": "p1", "type": "STRING"} + ] + + +def test_create_integration_job_with_dataclass_parameters(chronicle_client): + """Test create_integration_job converts JobParameter dataclasses.""" + expected = {"name": "jobs/new"} + + param = JobParameter( + id=1, + display_name="API Key", + description="API key for authentication", + type=ParamType.STRING, + mandatory=True, + ) + + with patch( + "secops.chronicle.integration.jobs.chronicle_request", + return_value=expected, + ) as mock_request: + result = create_integration_job( + chronicle_client, + integration_name="test-integration", + display_name="My Job", + script="print('hi')", + version=1, + enabled=True, + custom=True, + parameters=[param], + ) + + assert result == expected + + _, kwargs = mock_request.call_args + params_sent = kwargs["json"]["parameters"] + assert len(params_sent) == 1 + assert params_sent[0]["id"] == 1 + assert params_sent[0]["displayName"] == "API Key" + assert params_sent[0]["type"] == "STRING" + + +def test_create_integration_job_error(chronicle_client): + """Test create_integration_job raises APIError on failure.""" + with patch( + "secops.chronicle.integration.jobs.chronicle_request", + side_effect=APIError("Failed to create integration job"), + ): + with pytest.raises(APIError) as exc_info: + create_integration_job( + chronicle_client, + integration_name="test-integration", + display_name="My Job", + script="print('hi')", + version=1, + enabled=True, + custom=True, + ) + assert "Failed to create integration job" in str(exc_info.value) + + +# -- update_integration_job tests -- + + +def test_update_integration_job_with_explicit_update_mask(chronicle_client): + """Test update_integration_job passes through explicit update_mask.""" + expected = {"name": "jobs/j1", "displayName": "New Name"} + + with patch( + "secops.chronicle.integration.jobs.chronicle_request", + return_value=expected, + ) as mock_request: + result = update_integration_job( + chronicle_client, + integration_name="test-integration", + job_id="j1", + display_name="New Name", + update_mask="displayName", + ) + + assert result == expected + + mock_request.assert_called_once_with( + chronicle_client, + method="PATCH", + endpoint_path="integrations/test-integration/jobs/j1", + api_version=APIVersion.V1BETA, + json={"displayName": "New Name"}, + params={"updateMask": "displayName"}, + ) + + +def test_update_integration_job_auto_update_mask(chronicle_client): + """Test update_integration_job auto-generates updateMask based on fields.""" + expected = {"name": "jobs/j1"} + + with patch( + "secops.chronicle.integration.jobs.chronicle_request", + return_value=expected, + ) as mock_request: + result = update_integration_job( + chronicle_client, + integration_name="test-integration", + job_id="j1", + enabled=False, + version=2, + ) + + assert result == expected + + assert mock_request.call_count == 1 + _, kwargs = mock_request.call_args + + assert kwargs["method"] == "PATCH" + assert kwargs["endpoint_path"] == "integrations/test-integration/jobs/j1" + assert kwargs["api_version"] == APIVersion.V1BETA + + assert kwargs["json"] == {"enabled": False, "version": 2} + + update_mask = kwargs["params"]["updateMask"] + assert set(update_mask.split(",")) == {"enabled", "version"} + + +def test_update_integration_job_with_parameters(chronicle_client): + """Test update_integration_job with parameters field.""" + expected = {"name": "jobs/j1"} + + param = JobParameter( + id=2, + display_name="Auth Token", + description="Authentication token", + type=ParamType.PASSWORD, + mandatory=True, + ) + + with patch( + "secops.chronicle.integration.jobs.chronicle_request", + return_value=expected, + ) as mock_request: + result = update_integration_job( + chronicle_client, + integration_name="test-integration", + job_id="j1", + parameters=[param], + ) + + assert result == expected + + _, kwargs = mock_request.call_args + params_sent = kwargs["json"]["parameters"] + assert len(params_sent) == 1 + assert params_sent[0]["id"] == 2 + assert params_sent[0]["displayName"] == "Auth Token" + + +def test_update_integration_job_error(chronicle_client): + """Test update_integration_job raises APIError on failure.""" + with patch( + "secops.chronicle.integration.jobs.chronicle_request", + side_effect=APIError("Failed to update integration job"), + ): + with pytest.raises(APIError) as exc_info: + update_integration_job( + chronicle_client, + integration_name="test-integration", + job_id="j1", + display_name="New Name", + ) + assert "Failed to update integration job" in str(exc_info.value) + + +# -- execute_integration_job_test tests -- + + +def test_execute_integration_job_test_success(chronicle_client): + """Test execute_integration_job_test sends POST request with job.""" + expected = { + "output": "Success", + "debugOutput": "Debug info", + "resultObjectJson": {"status": "ok"}, + } + + job = { + "displayName": "Test Job", + "script": "print('test')", + "enabled": True, + } + + with patch( + "secops.chronicle.integration.jobs.chronicle_request", + return_value=expected, + ) as mock_request: + result = execute_integration_job_test( + chronicle_client, + integration_name="test-integration", + job=job, + ) + + assert result == expected + + mock_request.assert_called_once_with( + chronicle_client, + method="POST", + endpoint_path="integrations/test-integration/jobs:executeTest", + api_version=APIVersion.V1BETA, + json={"job": job}, + ) + + +def test_execute_integration_job_test_with_agent_identifier(chronicle_client): + """Test execute_integration_job_test includes agent_identifier when provided.""" + expected = {"output": "Success"} + + job = {"displayName": "Test", "script": "print('test')"} + + with patch( + "secops.chronicle.integration.jobs.chronicle_request", + return_value=expected, + ) as mock_request: + result = execute_integration_job_test( + chronicle_client, + integration_name="test-integration", + job=job, + agent_identifier="agent-123", + ) + + assert result == expected + + _, kwargs = mock_request.call_args + assert kwargs["json"]["agentIdentifier"] == "agent-123" + + +def test_execute_integration_job_test_error(chronicle_client): + """Test execute_integration_job_test raises APIError on failure.""" + with patch( + "secops.chronicle.integration.jobs.chronicle_request", + side_effect=APIError("Failed to execute job test"), + ): + with pytest.raises(APIError) as exc_info: + execute_integration_job_test( + chronicle_client, + integration_name="test-integration", + job={"displayName": "Test"}, + ) + assert "Failed to execute job test" in str(exc_info.value) + + +# -- get_integration_job_template tests -- + + +def test_get_integration_job_template_success(chronicle_client): + """Test get_integration_job_template issues GET request.""" + expected = { + "script": "# Template script\nprint('hello')", + "displayName": "Template Job", + } + + with patch( + "secops.chronicle.integration.jobs.chronicle_request", + return_value=expected, + ) as mock_request: + result = get_integration_job_template( + chronicle_client, + integration_name="test-integration", + ) + + assert result == expected + + mock_request.assert_called_once_with( + chronicle_client, + method="GET", + endpoint_path="integrations/test-integration/jobs:fetchTemplate", + api_version=APIVersion.V1BETA, + ) + + +def test_get_integration_job_template_error(chronicle_client): + """Test get_integration_job_template raises APIError on failure.""" + with patch( + "secops.chronicle.integration.jobs.chronicle_request", + side_effect=APIError("Failed to get job template"), + ): + with pytest.raises(APIError) as exc_info: + get_integration_job_template( + chronicle_client, + integration_name="test-integration", + ) + assert "Failed to get job template" in str(exc_info.value) + diff --git a/tests/chronicle/utils/test_format_utils.py b/tests/chronicle/utils/test_format_utils.py index c71bda40..5610c2da 100644 --- a/tests/chronicle/utils/test_format_utils.py +++ b/tests/chronicle/utils/test_format_utils.py @@ -18,6 +18,7 @@ import pytest from secops.chronicle.utils.format_utils import ( + build_patch_body, format_resource_id, parse_json_list, ) @@ -98,3 +99,107 @@ def test_parse_json_list_handles_empty_json_array() -> None: def test_parse_json_list_handles_empty_list_input() -> None: result = parse_json_list([], "filters") assert result == [] + + +def test_build_patch_body_all_fields_set_builds_body_and_mask() -> None: + # All three fields provided — body and mask should include all of them + body, params = build_patch_body([ + ("displayName", "display_name", "My Rule"), + ("enabled", "enabled", True), + ("severity", "severity", "HIGH"), + ]) + + assert body == {"displayName": "My Rule", "enabled": True, "severity": "HIGH"} + assert params == {"updateMask": "display_name,enabled,severity"} + + +def test_build_patch_body_partial_fields_omits_none_values() -> None: + # Only non-None values should appear in body and mask + body, params = build_patch_body([ + ("displayName", "display_name", "New Name"), + ("enabled", "enabled", None), + ("severity", "severity", None), + ]) + + assert body == {"displayName": "New Name"} + assert params == {"updateMask": "display_name"} + + +def test_build_patch_body_no_fields_set_returns_empty_body_and_none_params() -> None: + # All values are None — body should be empty and params should be None + body, params = build_patch_body([ + ("displayName", "display_name", None), + ("enabled", "enabled", None), + ]) + + assert body == {} + assert params is None + + +def test_build_patch_body_empty_field_map_returns_empty_body_and_none_params() -> None: + # Empty field_map — nothing to build + body, params = build_patch_body([]) + + assert body == {} + assert params is None + + +def test_build_patch_body_explicit_update_mask_overrides_auto_generated() -> None: + # An explicit update_mask should always win, even when fields are set + body, params = build_patch_body( + [ + ("displayName", "display_name", "Name"), + ("enabled", "enabled", True), + ], + update_mask="display_name", + ) + + assert body == {"displayName": "Name", "enabled": True} + assert params == {"updateMask": "display_name"} + + +def test_build_patch_body_explicit_update_mask_with_no_fields_set_still_applies() -> None: + # Explicit mask should appear even when all values are None (caller's intent) + body, params = build_patch_body( + [ + ("displayName", "display_name", None), + ], + update_mask="display_name", + ) + + assert body == {} + assert params == {"updateMask": "display_name"} + + +def test_build_patch_body_false_and_zero_are_not_treated_as_none() -> None: + # False-like but non-None values (False, 0, "") should be included in the body + body, params = build_patch_body([ + ("enabled", "enabled", False), + ("count", "count", 0), + ("label", "label", ""), + ]) + + assert body == {"enabled": False, "count": 0, "label": ""} + assert params == {"updateMask": "enabled,count,label"} + + +def test_build_patch_body_single_field_produces_single_entry_mask() -> None: + body, params = build_patch_body([ + ("severity", "severity", "LOW"), + ]) + + assert body == {"severity": "LOW"} + assert params == {"updateMask": "severity"} + + +def test_build_patch_body_mask_order_matches_field_map_order() -> None: + # The mask field order should mirror the order of field_map entries + body, params = build_patch_body([ + ("z", "z_key", "z_val"), + ("a", "a_key", "a_val"), + ("m", "m_key", "m_val"), + ]) + + assert params == {"updateMask": "z_key,a_key,m_key"} + assert list(body.keys()) == ["z", "a", "m"] + diff --git a/tests/chronicle/utils/test_request_utils.py b/tests/chronicle/utils/test_request_utils.py index 6f8687a2..c4e8b5b9 100644 --- a/tests/chronicle/utils/test_request_utils.py +++ b/tests/chronicle/utils/test_request_utils.py @@ -26,6 +26,7 @@ from secops.chronicle.utils.request_utils import ( DEFAULT_PAGE_SIZE, chronicle_request, + chronicle_request_bytes, chronicle_paginated_request, ) from secops.exceptions import APIError @@ -655,3 +656,181 @@ def test_chronicle_request_non_json_error_body_is_truncated(client: Mock) -> Non assert "status=500" in msg # Should not include the full 5000 chars, should include truncation marker assert "truncated" in msg + + +# --------------------------------------------------------------------------- +# chronicle_request_bytes() tests +# --------------------------------------------------------------------------- + +def test_chronicle_request_bytes_success_returns_content_and_stream_true(client: Mock) -> None: + resp = _mock_response(status_code=200, json_value={"ignored": True}) + resp.content = b"PK\x03\x04...zip-bytes..." # ZIP magic prefix in real life + client.session.request.return_value = resp + + out = chronicle_request_bytes( + client=client, + method="GET", + endpoint_path="integrations/foo:export", + api_version=APIVersion.V1BETA, + params={"alt": "media"}, + headers={"Accept": "application/zip"}, + ) + + assert out == b"PK\x03\x04...zip-bytes..." + + client.base_url.assert_called_once_with(APIVersion.V1BETA) + client.session.request.assert_called_once_with( + method="GET", + url="https://example.test/chronicle/instances/instance-1/integrations/foo:export", + params={"alt": "media"}, + headers={"Accept": "application/zip"}, + timeout=None, + stream=True, + ) + + +def test_chronicle_request_bytes_builds_url_for_rpc_colon_prefix(client: Mock) -> None: + resp = _mock_response(status_code=200, json_value={"ok": True}) + resp.content = b"binary" + client.session.request.return_value = resp + + out = chronicle_request_bytes( + client=client, + method="POST", + endpoint_path=":exportSomething", + api_version=APIVersion.V1ALPHA, + ) + + assert out == b"binary" + + _, kwargs = client.session.request.call_args + assert kwargs["url"] == "https://example.test/chronicle/instances/instance-1:exportSomething" + assert kwargs["stream"] is True + + +def test_chronicle_request_bytes_accepts_multiple_expected_statuses_set(client: Mock) -> None: + resp = _mock_response(status_code=204, json_value=None) + resp.content = b"" + client.session.request.return_value = resp + + out = chronicle_request_bytes( + client=client, + method="DELETE", + endpoint_path="something", + api_version=APIVersion.V1ALPHA, + expected_status={200, 204}, + ) + + assert out == b"" + + +def test_chronicle_request_bytes_status_mismatch_with_json_includes_json(client: Mock) -> None: + resp = _mock_response(status_code=400, json_value={"error": "bad"}) + resp.content = b"" + client.session.request.return_value = resp + + with pytest.raises( + APIError, + match=r"API request failed: method=GET, " + r"url=https://example\.test/chronicle/instances/instance-1/curatedRules" + r", status=400, response={'error': 'bad'}", + ): + chronicle_request_bytes( + client=client, + method="GET", + endpoint_path="curatedRules", + api_version=APIVersion.V1ALPHA, + ) + + +def test_chronicle_request_bytes_status_mismatch_non_json_includes_text(client: Mock) -> None: + resp = _mock_response(status_code=500, json_raises=True, text="boom") + resp.content = b"" + client.session.request.return_value = resp + + with pytest.raises( + APIError, + match=r"API request failed: method=GET, " + r"url=https://example\.test/chronicle/instances/instance-1/curatedRules, " + r"status=500, response_text=boom", + ): + chronicle_request_bytes( + client=client, + method="GET", + endpoint_path="curatedRules", + api_version=APIVersion.V1ALPHA, + ) + + +def test_chronicle_request_bytes_custom_error_message_used(client: Mock) -> None: + resp = _mock_response(status_code=404, json_value={"message": "not found"}) + resp.content = b"" + client.session.request.return_value = resp + + with pytest.raises( + APIError, + match=r"Failed to download export: method=GET, " + r"url=https://example\.test/chronicle/instances/instance-1/integrations/foo:export, " + r"status=404, response={'message': 'not found'}", + ): + chronicle_request_bytes( + client=client, + method="GET", + endpoint_path="integrations/foo:export", + api_version=APIVersion.V1BETA, + error_message="Failed to download export", + ) + + +def test_chronicle_request_bytes_wraps_requests_exception(client: Mock) -> None: + client.session.request.side_effect = requests.RequestException("no route to host") + + with pytest.raises(APIError) as exc_info: + chronicle_request_bytes( + client=client, + method="GET", + endpoint_path="curatedRules", + api_version=APIVersion.V1ALPHA, + ) + + msg = str(exc_info.value) + assert "API request failed" in msg + assert "method=GET" in msg + assert "url=https://example.test/chronicle/instances/instance-1/curatedRules" in msg + assert "request_error=RequestException" in msg + + +def test_chronicle_request_bytes_wraps_google_auth_error(client: Mock) -> None: + client.session.request.side_effect = GoogleAuthError("invalid_grant") + + with pytest.raises(APIError) as exc_info: + chronicle_request_bytes( + client=client, + method="GET", + endpoint_path="curatedRules", + api_version=APIVersion.V1ALPHA, + ) + + msg = str(exc_info.value) + assert "Google authentication failed" in msg + assert "authentication_error=" in msg + + +def test_chronicle_request_bytes_non_json_error_body_is_truncated(client: Mock) -> None: + long_text = "x" * 5000 + resp = _mock_response(status_code=500, json_raises=True, text=long_text) + resp.content = b"" + resp.headers = {"Content-Type": "text/plain"} + client.session.request.return_value = resp + + with pytest.raises(APIError) as exc_info: + chronicle_request_bytes( + client=client, + method="GET", + endpoint_path="curatedRules", + api_version=APIVersion.V1ALPHA, + ) + + msg = str(exc_info.value) + assert "status=500" in msg + assert "truncated" in msg \ No newline at end of file