New search API samples.

Daniel Abraham · copybara-github · commit 046108aca8e5 · 2021-06-10T21:07:01.000-07:00
PiperOrigin-RevId: 378797442
diff --git a/common/datetime_converter.py b/common/datetime_converter.py
@@ -34,6 +34,12 @@ def iso8601_datetime_utc(utc_date_time: str) -> datetime.datetime:
   Raises:
     ValueError: Invalid input value.
   """
+  # Work-around fixable issues in user-specified timestamps.
+  utc_date_time = re.sub(r"(\d{2}-\d{2}-\d{2})\s+(\d)", r"\1T\2",
+                         utc_date_time).upper()
+  if utc_date_time[-1] != "Z":
+    utc_date_time += "Z"
+
   # Append the suffix "+0000" in order to produce a timezone-aware UTC datetime,
   # because strptime's "%z" does not recognize the meaning of the "Z" suffix.
   try:
diff --git a/requirements.txt b/requirements.txt
@@ -1,4 +1,2 @@
-google-api-python-client>=1.7.11
 google-auth
-google-auth-httplib2>=0.0.3
 requests
diff --git a/search/__init__.py b/search/__init__.py
@@ -0,0 +1,14 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
diff --git a/search/list_alerts.py b/search/list_alerts.py
@@ -0,0 +1,168 @@
+#!/usr/bin/env python3
+
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+"""Executable and reusable sample for listing asset- and user-based alerts."""
+
+import argparse
+import datetime
+import json
+import sys
+from typing import Any, Mapping, Optional, Sequence
+
+from google.auth.transport import requests
+
+from common import chronicle_auth
+from common import datetime_converter
+
+CHRONICLE_API_BASE_URL = "https://backstory.googleapis.com"
+
+
+def initialize_command_line_args(
+    args: Optional[Sequence[str]] = None) -> Optional[argparse.Namespace]:
+  """Initializes and checks all the command-line arguments."""
+  parser = argparse.ArgumentParser()
+  chronicle_auth.add_argument_credentials_file(parser)
+  parser.add_argument(
+      "-ts",
+      "--start_time",
+      type=datetime_converter.iso8601_datetime_utc,
+      help=("beginning of time range, as an ISO 8601 string " +
+            "('yyyy-mm-ddThh:mm:ss')"))
+  parser.add_argument(
+      "-te",
+      "--end_time",
+      type=datetime_converter.iso8601_datetime_utc,
+      help=("end of time range, as an ISO 8601 string ('yyyy-mm-ddThh:mm:ss')"))
+  parser.add_argument(
+      "-tl",
+      "--local_time",
+      action="store_true",
+      help=("times are specified in the system's local timezone " +
+            "(default = UTC)"))
+
+  # Sanity checks for the command-line arguments.
+  parsed_args = parser.parse_args(args)
+  s, e = parsed_args.start_time, parsed_args.end_time
+  if parsed_args.local_time:
+    s = s.replace(tzinfo=None).astimezone(datetime.timezone.utc)
+    e = e.replace(tzinfo=None).astimezone(datetime.timezone.utc)
+  if s > datetime.datetime.now().astimezone(datetime.timezone.utc):
+    print("Error: start time should not be in the future")
+    return None
+  if e > datetime.datetime.now().astimezone(datetime.timezone.utc):
+    print("Error: end time should not be in the future")
+    return None
+  if s >= e:
+    print("Error: start time should not be same as or later than end time")
+    return None
+
+  return parsed_args
+
+
+def list_alerts(
+    http_session: requests.AuthorizedSession,
+    start_time: datetime.datetime,
+    end_time: datetime.datetime,
+    page_size: Optional[int] = 100000) -> Mapping[str, Sequence[Any]]:
+  """Lists up to 100,000 asset- and user-based alerts in the given time range.
+
+  If you receive the maximum number of results, there might still be more
+  discovered within the specified time range. You might want to narrow the time
+  range and issue the call again to ensure you have visibility on the results.
+
+  Args:
+    http_session: Authorized session for HTTP requests.
+    start_time: The inclusive beginning of the time range of alerts to return,
+      with any timezone (even a timezone-unaware datetime object, i.e. local
+      time).
+    end_time: The exclusive end of the time range of alerts to return, with any
+      timezone (even a timezone-unaware datetime object, i.e. local time).
+    page_size: Maximum number of alerts to return, up to 100,000 (default =
+      100,000).
+
+  Returns:
+    {
+      "alerts": [
+        ...One or more asset alerts (if zero, no "alerts" field at all)...
+      ],
+      "userAlerts": [
+        ...One or more user alerts (if zero, no "userAlerts" field at all)...
+      ]
+    }
+
+  Asset alert structure:
+    {
+      "asset": {
+        "hostname": "..." <-- Or IP address, MAC address, product ID
+      },
+      "alertInfos": [
+        ...One or more alert infos...
+      ]
+    }
+
+  User alert structure:
+    {
+      "user": {
+        "email": "..." <-- Or user name, Windows SID, employee ID, LDAP ID
+      },
+      "alertInfos": [
+        ...One or more alert infos...
+      ]
+    }
+
+  Alert info structure:
+    {
+      "name": "...",
+      "sourceProduct": "...",
+      "timestamp": "yyyy-mm-ddThh:mm:ssZ",
+      "rawLog": "...", <-- Base64 encoded
+      "uri": [
+        "https://customer.backstory.chronicle.security/..."
+      ],
+      "udmEvent": {
+        ...
+      }
+    }
+
+  Raises:
+    requests.exceptions.HTTPError: HTTP request resulted in an error
+    (response.status_code >= 400).
+  """
+  url = f"{CHRONICLE_API_BASE_URL}/v1/alert/listalerts"
+  params = {
+      "start_time": datetime_converter.strftime(start_time),
+      "end_time": datetime_converter.strftime(end_time),
+      "page_size": page_size
+  }
+  response = http_session.request("GET", url, params=params)
+
+  if response.status_code >= 400:
+    print(response.text)
+  response.raise_for_status()
+  return response.json()
+
+
+if __name__ == "__main__":
+  cli = initialize_command_line_args()
+  if not cli:
+    sys.exit(1)  # A sanity check failed.
+
+  start, end = cli.start_time, cli.end_time
+  if cli.local_time:
+    start, end = start.replace(tzinfo=None), end.replace(tzinfo=None)
+
+  session = chronicle_auth.initialize_http_session(cli.credentials_file)
+  print(json.dumps(list_alerts(session, start, end), indent=2))
diff --git a/search/list_alerts_test.py b/search/list_alerts_test.py
@@ -0,0 +1,92 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+"""Tests for the "list_alerts" module."""
+
+import datetime
+import unittest
+from unittest import mock
+
+from google.auth.transport import requests
+
+from . import list_alerts
+
+
+class ListAlertsTest(unittest.TestCase):
+
+  def test_initialize_command_line_args_local_time(self):
+    actual = list_alerts.initialize_command_line_args([
+        "--start_time=2021-05-07T11:22:33", "--end_time=2021-05-08T11:22:33",
+        "--local_time"
+    ])
+    self.assertIsNotNone(actual)
+
+  def test_initialize_command_line_args_utc(self):
+    actual = list_alerts.initialize_command_line_args(
+        ["-ts=2021-05-07T11:22:33Z", "-te=2021-05-08T11:22:33Z"])
+    self.assertIsNotNone(actual)
+
+  def test_initialize_command_line_args_future_start(self):
+    start_time = datetime.datetime.utcnow().astimezone(datetime.timezone.utc)
+    start_time += datetime.timedelta(days=2)
+    end_time = start_time + datetime.timedelta(days=1)
+    actual = list_alerts.initialize_command_line_args([
+        start_time.strftime("-ts=%Y-%m-%dT%H:%M:%SZ"),
+        end_time.strftime("-te=%Y-%m-%dT%H:%M:%SZ")
+    ])
+    self.assertIsNone(actual)
+
+  def test_initialize_command_line_args_future_end(self):
+    start_time = datetime.datetime.utcnow().astimezone(datetime.timezone.utc)
+    start_time -= datetime.timedelta(days=2)
+    end_time = start_time + datetime.timedelta(days=4)
+    actual = list_alerts.initialize_command_line_args([
+        start_time.strftime("-ts=%Y-%m-%dT%H:%M:%SZ"),
+        end_time.strftime("-te=%Y-%m-%dT%H:%M:%SZ")
+    ])
+    self.assertIsNone(actual)
+
+  def test_initialize_command_line_args_empty_range(self):
+    start_time = datetime.datetime.utcnow().astimezone(datetime.timezone.utc)
+    start_time -= datetime.timedelta(days=2)
+    actual = list_alerts.initialize_command_line_args([
+        start_time.strftime("-ts=%Y-%m-%dT%H:%M:%SZ"),
+        start_time.strftime("-te=%Y-%m-%dT%H:%M:%SZ")
+    ])
+    self.assertIsNone(actual)
+
+  def test_initialize_command_line_args_negative_range(self):
+    start_time = datetime.datetime.utcnow().astimezone(datetime.timezone.utc)
+    start_time -= datetime.timedelta(days=2)
+    end_time = start_time - datetime.timedelta(days=4)
+    actual = list_alerts.initialize_command_line_args([
+        start_time.strftime("-ts=%Y-%m-%dT%H:%M:%SZ"),
+        end_time.strftime("-te=%Y-%m-%dT%H:%M:%SZ"),
+    ])
+    self.assertIsNone(actual)
+
+  @mock.patch.object(requests, "AuthorizedSession", autospec=True)
+  @mock.patch.object(requests.requests, "Response", autospec=True)
+  def test_list_alerts(self, mock_response, mock_session):
+    mock_session.request.return_value = mock_response
+    type(mock_response).status_code = mock.PropertyMock(return_value=200)
+    mock_response.json.return_value = {"mock": "json"}
+    actual = list_alerts.list_alerts(mock_session,
+                                     datetime.datetime(2021, 5, 7, 11, 22, 33),
+                                     datetime.datetime(2021, 5, 8, 11, 22, 33))
+    self.assertEqual(actual, {"mock": "json"})
+
+
+if __name__ == "__main__":
+  unittest.main()
diff --git a/search/list_iocs.py b/search/list_iocs.py
diff --git a/search/list_iocs_test.py b/search/list_iocs_test.py
