Conversation

@dandye (Contributor) commented Mar 7, 2025

Install the CLI

```sh
make install
```

CLI Commands and Subcommands

```sh
# chronicle --help # top-level subcommands
chronicle detect --help     # Detection API commands.
chronicle ingestion --help  # Ingestion API commands.
chronicle iocs --help       # IoCs API commands.
chronicle lists --help      # Lists API commands.
chronicle search --help     # Search API commands.

# chronicle detect --help
chronicle detect alerts --help      # Alert management commands.
chronicle detect detections --help  # Detection management commands.
chronicle detect errors --help      # Error management commands.
chronicle detect retrohunts --help  # Retrohunt management commands.
chronicle detect rules --help       # Rule management commands.
chronicle detect rulesets --help    # Rule set deployment commands.

# chronicle detect alerts --help
chronicle detect alerts bulk-update --help  # Bulk update alerts matching a filter.
chronicle detect alerts get --help          # Get an alert by ID.
chronicle detect alerts update --help       # Update an alert.

# chronicle detect detections --help
chronicle detect detections get --help   # Get a detection by ID.
chronicle detect detections list --help  # List detections.

chronicle detect errors list --help

# chronicle detect retrohunts --help
chronicle detect retrohunts create --help  # Create a new retrohunt.
chronicle detect retrohunts get --help     # Get a retrohunt by ID.

# chronicle detect rules --help
chronicle detect rules create --help  # Create a new rule.
chronicle detect rules delete --help  # Delete a rule.
chronicle detect rules enable --help  # Enable a rule.
chronicle detect rules get --help     # Get a rule by ID.
chronicle detect rules list --help    # List rules.

# chronicle detect rulesets --help
chronicle detect rulesets batch-update --help  # Batch update rule set deployments.

# chronicle ingestion --help
chronicle ingestion batch-get-events --help  # Batch get events by IDs.
chronicle ingestion get-event --help         # Get event details by ID.
chronicle ingestion import-events --help     # Import events into Chronicle.

# chronicle iocs --help
chronicle iocs batch-get --help  # Get multiple IoCs by their values.
chronicle iocs get --help        # Get a single IoC by its value.
chronicle iocs get-state --help  # Get the state of an IoC by its value.

# chronicle lists --help
chronicle lists create --help  # Create a new list.
chronicle lists get --help     # Get a list by ID.
chronicle lists patch --help   # Update an existing list.

# chronicle search --help
chronicle search find-asset-events --help  # Find asset events within a time range.
chronicle search find-raw-logs --help      # Find raw logs based on search criteria.
chronicle search find-udm-events --help    # Find UDM events based on tokens or event IDs.
chronicle search get-search-query --help   # Get a search query by ID.
```

New API resources

Help on CLI for chronicle detect detections get

```
❯ chronicle detect detections get --help
Usage: chronicle detect detections get [OPTIONS]

  Get a detection by ID.

Options:
  --region TEXT            Region in which the target project is located. Can
                           also be set via CHRONICLE_REGION env var.
  --project-instance TEXT  Customer ID (uuid with dashes) for the Chronicle
                           instance. Can also be set via CHRONICLE_INSTANCE
                           env var.
  --project-id TEXT        GCP project id or number. Can also be set via
                           CHRONICLE_PROJECT_ID env var.
  --credentials-file TEXT  Path to service account credentials file. Can also
                           be set via CHRONICLE_CREDENTIALS_FILE env var.
  --env-file TEXT          Path to .env file containing configuration
                           variables.
  --detection-id TEXT      Identifier for the detection.  [required]
  --rule-id TEXT           Identifier for the rule that created the detection.
```

CLI Usage example for chronicle detect detections get

```
❯ chronicle detect detections get \
    --detection-id "de_92092e71-3baa-0ebf-f230-4aacc5952c63" \
    --rule-id "ru_bf30236c-13af-4a85-a3af-5d58205e10f0"
{"type": "RULE_DETECTION", "detection": [{"ruleName": "ttp_powershell_decodebase64_ns139797", ...
```

Help for detect.v1alpha.get_detection

```
❯ python3 -m detect.v1alpha.get_detection --help
usage: get_detection.py [-h] [-c CREDENTIALS_FILE] -i PROJECT_INSTANCE -p PROJECT_ID
                        [-r {asia-northeast1,asia-south1,asia-southeast1,australia-southeast1,eu,europe,europe-west12,europe-west2,europe-west3,europe-west6,europe-west9,me-central1,me-central2,me-west1,northamerica-northeast2,southamerica-east1,us}]
                        --detection_id DETECTION_ID --rule_id RULE_ID

options:
  -h, --help            show this help message and exit
  -c CREDENTIALS_FILE, --credentials_file CREDENTIALS_FILE
                        credentials file path (default: '/Users/dandye/.chronicle_credentials.json')
  -i PROJECT_INSTANCE, --project_instance PROJECT_INSTANCE
                        Customer ID for Chronicle instance
  -p PROJECT_ID, --project_id PROJECT_ID
                        Your BYOP, project id
  -r {asia-northeast1,asia-south1,asia-southeast1,australia-southeast1,eu,europe,europe-west12,europe-west2,europe-west3,europe-west6,europe-west9,me-central1,me-central2,me-west1,northamerica-northeast2,southamerica-east1,us}, --region {asia-northeast1,asia-south1,asia-southeast1,australia-southeast1,eu,europe,europe-west12,europe-west2,europe-west3,europe-west6,europe-west9,me-central1,me-central2,me-west1,northamerica-northeast2,southamerica-east1,us}
                        the region where the customer is located (default: us)
  --detection_id DETECTION_ID
                        Identifier for the detection
  --rule_id RULE_ID     Identifier for the rule that created the detection
```

Usage example

```
❯ PROJECT_INSTANCE=7e977ce4-f45d-43b2-aea0-52f8b66acd80 PROJECT_ID=dandye-0324-chronicle python3 -m detect.v1alpha.get_detection \
    --project_instance=$PROJECT_INSTANCE \
    --project_id=$PROJECT_ID \
    --detection_id "de_92092e71-3baa-0ebf-f230-4aacc5952c63" \
    --rule_id "ru_bf30236c-13af-4a85-a3af-5d58205e10f0"
{"type": "RULE_DETECTION", "detection": [{"ruleName": "ttp_powershell_decodebase64_ns139797",
```
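Added example, not code from the chronicle CLI or from this PR: a small Python resolver that applies the option-to-env-var mapping shown in the `--help` output above and honours an `--env-file`. The precedence order (explicit flag, then process environment, then .env file, then default) and the required/default choices (instance and project required as with the script's `-i`/`-p`, region defaulting to `us` as in the script's help) are assumptions, not behaviour documented on this page.

```python
"""Settings resolution for `chronicle detect detections get`: every connection
option has a CHRONICLE_* env var twin and --env-file can supply the same vars."""
from typing import Dict, Mapping, Optional

# Option -> env var mapping, taken from the CLI help text.
OPTION_TO_ENV = {
    "region": "CHRONICLE_REGION",
    "project_instance": "CHRONICLE_INSTANCE",
    "project_id": "CHRONICLE_PROJECT_ID",
    "credentials_file": "CHRONICLE_CREDENTIALS_FILE",
}
# Assumptions: instance and project are required (like the script's -i/-p),
# region defaults to "us" (the script's default), credentials file is optional.
DEFAULTS = {"region": "us"}
REQUIRED = ("project_instance", "project_id", "detection_id")


def parse_dotenv(text: str) -> Dict[str, str]:
    """Minimal KEY=VALUE parser: skips blanks and comments, strips quotes."""
    out: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        out[key.strip()] = value.strip().strip("'\"")
    return out


def resolve_settings(cli_args: Mapping[str, Optional[str]],
                     environ: Mapping[str, str],
                     dotenv_text: str = "") -> Dict[str, str]:
    """Assumed precedence: explicit flag > process env > .env file > default."""
    dotenv = parse_dotenv(dotenv_text)
    resolved: Dict[str, str] = {}
    for opt, env_name in OPTION_TO_ENV.items():
        value = (cli_args.get(opt) or environ.get(env_name)
                 or dotenv.get(env_name) or DEFAULTS.get(opt))
        if value is not None:
            resolved[opt] = value
    for arg in ("detection_id", "rule_id"):  # command args come only from flags
        if cli_args.get(arg):
            resolved[arg] = cli_args[arg]
    missing = [a for a in REQUIRED if a not in resolved]
    if missing:
        flags = ", ".join("--" + m.replace("_", "-") for m in missing)
        raise ValueError("missing required option(s): " + flags)
    return resolved
```

Pass `os.environ` as `environ` and the text of the `--env-file` as `dotenv_text` to resolve a real invocation; a missing `--detection-id` surfaces as a `ValueError` naming the flag.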

dandye added 30 commits March 6, 2025 21:04

I've made several improvements to streamline the SDK documentation:

- Removed the duplicate "SDK CLI Wrapper" section and consolidated all CLI information in one place
- Reorganized the README structure to be more logical:
  - Getting Started (prerequisites, installation, env setup)
  - SDK CLI Wrapper (main documentation)
  - Running Individual Scripts (alternative usage)
  - License
- Improved command documentation:
  - Added command syntax templates for each API group
  - Made parameter descriptions more consistent
  - Added clear examples of required/optional parameters
  - Removed repetitive common parameters from examples
- Enhanced environment variable documentation:
  - Added clear mapping between CLI options and env vars
  - Included example .env file structure
  - Explained precedence rules

The documentation is now more concise and easier to follow, with a clear focus on using environment variables for configuration.
copybara-servicebot pushed a commit that referenced this pull request Mar 20, 2025
FUTURE_COPYBARA_INTEGRATE_REVIEW=#188 from dandye:events_import_v1alpha 52d13f8 PiperOrigin-RevId: 738946763