chronicle
diff --git a/‎detect/v1alpha/get_alert.py‎
Lines changed: 122 additions & 0 deletions b/‎detect/v1alpha/get_alert.py‎
Lines changed: 122 additions & 0 deletions
@@ -0,0 +1,122 @@
+#!/usr/bin/env python3
+
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+r"""Executable and reusable sample for getting a Reference List.
+
+Usage:
+  python -m alerts.v1alpha.get_alert \
+    --project_id=<PROJECT_ID>   \
+    --project_instance=<PROJECT_INSTANCE> \
+    --alert_id=<ALERT_ID>
+
+API reference:
+  https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances.legacy/legacyGetAlert
+
+"""
+
+import argparse
+import json
+from typing import Any, Mapping
+
+from common import chronicle_auth
+from common import project_id
+from common import project_instance
+from common import regions
+
+from google.auth.transport import requests
+
+CHRONICLE_API_BASE_URL = "https://chronicle.googleapis.com"
+SCOPES = [
+    "https://www.googleapis.com/auth/cloud-platform",
+]
+
+
+def get_alert(
+    http_session: requests.AuthorizedSession,
+    proj_id: str,
+    proj_instance: str,
+    proj_region: str,
+    alert_id: str,
+    include_detections: bool = False,
+) -> Mapping[str, Any]:
+  """Gets an Alert.
+
+  Args:
+    http_session: Authorized session for HTTP requests.
+    proj_id: GCP project id or number to which the target instance belongs.
+    proj_instance: Customer ID (uuid with dashes) for the Chronicle instance.
+    proj_region: region in which the target project is located.
+    alert_id: Identifier for the alert.
+    include_detections: Flag to include detections.
+
+  Returns:
+    Dictionary representation of the Alert
+
+  Raises:
+    requests.exceptions.HTTPError: HTTP request resulted in an error
+      (response.status_code >= 400).
+  """
+  base_url_with_region = regions.url_always_prepend_region(
+      CHRONICLE_API_BASE_URL,
+      proj_region
+  )
+  # pylint: disable-next=line-too-long
+  parent = f"projects/{proj_id}/locations/{proj_region}/instances/{proj_instance}"
+
+  query_params = {"alertId": alert_id}
+  if include_detections:
+    query_params["includeDetections"] = True
+
+  url = f"{base_url_with_region}/v1alpha/{parent}/legacy:legacyGetAlert"
+
+  response = http_session.request("GET", url, params=query_params)
+  # Expected server response is described in:
+  # https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances.legacy/legacyGetAlert
+  if response.status_code >= 400:
+    print(response.text)
+  response.raise_for_status()
+  return response.json()
+
+
+if __name__ == "__main__":
+  parser = argparse.ArgumentParser()
+  chronicle_auth.add_argument_credentials_file(parser)
+  project_instance.add_argument_project_instance(parser)
+  project_id.add_argument_project_id(parser)
+  regions.add_argument_region(parser)
+  parser.add_argument(
+      "--alert_id", type=str, required=True,
+      help="identifier for the alert"
+  )
+  parser.add_argument(
+      "-d", "--include-detections", type=bool, default=False, required=False,
+      help="flag to include detections"
+  )
+  args = parser.parse_args()
+
+  auth_session = chronicle_auth.initialize_http_session(
+      args.credentials_file,
+      SCOPES,
+  )
+  alert = get_alert(
+      auth_session,
+      args.project_id,
+      args.project_instance,
+      args.region,
+      args.alert_id,
+      args.include_detections,
+  )
+  print(json.dumps(alert, indent=2))