client

package

Documentation

Index

Constants

// Names of the environment variables that carry credentials for each Chronicle
// API, plus the variable selecting the region. They appear to be the values the
// WithXxxAPIEnvVar options hand to Client.GetCredentials as envVariable (the
// readers are not visible in this listing — confirm in the option bodies).
// Whatever is loaded from these variables is credential material: keep it out
// of logs, error messages and crash dumps.
const (
	BigQueryAPIEnvVar     = "CHRONICLE_BIGQUERY_CREDENTIALS"
	BackstoryAPIEnvVar    = "CHRONICLE_BACKSTORY_CREDENTIALS"
	IngestionAPIEnvVar    = "CHRONICLE_INGESTION_CREDENTIALS"
	ForwarderAPIEnvVar    = "CHRONICLE_FORWARDER_CREDENTIALS"
	ChronicleRegionEnvVar = "CHRONICLE_REGION"
)
// Chronicle region identifiers. Each one is a key of the inner maps of
// RegionalSubDomains; presumably they are also the accepted values of the
// region argument of NewClient and GenerateDefaultBasePaths. A region string
// outside this set has no subdomain entry, so callers should validate user
// supplied regions against these constants before building URLs.
const (
	RegionUS             = "us"
	RegionEurope         = "europe"
	RegionEuropeWest2    = "europe-west2"
	RegionAsiaSouthEast1 = "asia-southeast1"
)
// Keys naming the individual Chronicle APIs. They are the outer keys of
// RegionalSubDomains and select which regional subdomain a request goes to.
//
// NOTE(review): SearchAPIKey's value is misspelled ("SerachAPI"). Because the
// string is used as a map key the typo is harmless inside this package, but it
// is load-bearing for any caller that uses the literal rather than the
// constant, so correcting it would be an API change.
const (
	SearchAPIKey          = "SerachAPI"
	DetectionEngineAPIKey = "DetectionEngineAPI"
	FeedManagementAPIKey  = "FeedManagementAPI"
	IngestionAPIKey       = "IngestionAPI"
	GCTIAPIKey            = "GCTIAPI"
	RBACAPIKey            = "RBACAPI"
	ReferenceListsAPIKey  = "ReferenceListsAPI"
)
// Keys identifying the per-resource base paths held by Client. They look like
// the keys of the map returned by GenerateDefaultBasePaths, mirroring the
// Client.XxxBasePath fields — confirm against that function's body.
// Note the mixed casing of the values ("rules" versus "Events", "Feed", ...);
// the values are opaque keys here, but the inconsistency is easy to trip over
// when a caller spells a key by hand.
const (
	EventsBasePathKey   = "Events"
	AlertBasePathKey    = "Alert"
	ArtifactBasePathKey = "Artifact"
	AliasBasePathKey    = "Alias"
	AssetBasePathKey    = "Asset"
	IOCBasePathKey      = "IOC"

	RuleBasePathKey           = "rules"
	FeedManagementBasePathKey = "Feed"

	SubjectsBasePathKey = "Subjects"

	ReferenceListsPathKey = "ReferenceLists"
)
// Wire values for the feed source type, i.e. where Chronicle pulls a feed's
// data from. Presumably the accepted values of FeedDetails.SourceType; each
// corresponds to one of the XxxFeedConfiguration types in this package.
const (
	FeedSourceTypeAPI            = "API"
	FeedSourceTypeAzureBlobStore = "AZURE_BLOBSTORE"
	FeedSourceTypeGCS            = "GOOGLE_CLOUD_STORAGE"
	FeedSourceTypeS3             = "AMAZON_S3"
	FeedSourceTypeSQS            = "AMAZON_SQS"
	FeedSourceTypeHTTP           = "HTTP"
)
// APIDomain is the parent domain of every Chronicle endpoint; the regional
// subdomains in RegionalSubDomains are presumably prefixed to it when base
// URLs are built. Keeping the domain a constant (rather than caller supplied)
// means credentials can only ever be sent to googleapis.com hosts.
const APIDomain = "googleapis.com"
// AzureBlobStoreFeedConfigurationPropertyKey is the JSON property name under
// which an AzureBlobStoreFeedConfiguration is presumably embedded in a feed
// request/response (the marshalling code is not visible in this listing).
const (
	AzureBlobStoreFeedConfigurationPropertyKey = "azureBlobStoreSettings"
)
// GCPBucketFeedConfigurationPropertyKey is the JSON property name under which
// a GCPBucketFeedConfiguration is presumably embedded in a feed
// request/response (the marshalling code is not visible in this listing).
const (
	GCPBucketFeedConfigurationPropertyKey = "gcsSettings"
)
// MicrosoftOffice365ManagementActivityFeedLogType is the Chronicle log type
// value for a Microsoft Office 365 Management Activity feed; presumably used
// as FeedDetails.LogType together with
// MicrosoftOffice365ManagementActivityFeedConfiguration.
const (
	MicrosoftOffice365ManagementActivityFeedLogType = "OFFICE_365"
)
// OktaSystemLogFeedLogType is the Chronicle log type value for an Okta System
// Log feed; presumably used as FeedDetails.LogType together with
// OktaSystemLogFeedConfiguration.
const (
	OktaSystemLogFeedLogType = "OKTA"
)
// OktaUsersFeedLogType is the Chronicle log type value for an Okta user
// context feed; presumably used as FeedDetails.LogType together with
// OktaUsersFeedConfiguration.
const (
	OktaUsersFeedLogType = "OKTA_USER_CONTEXT"
)
// ProofpointSIEMFeedLogType is the Chronicle log type value for a Proofpoint
// SIEM (mail) feed; presumably used as FeedDetails.LogType together with
// ProofpointSIEMFeedConfiguration.
const (
	ProofpointSIEMFeedLogType = "PROOFPOINT_MAIL"
)
// QualysVMFeedLogType is the Chronicle log type value for a Qualys VM feed;
// presumably used as FeedDetails.LogType together with
// QualysVMFeedConfiguration.
const (
	QualysVMFeedLogType = "QUALYS_VM"
)
// ThinkstCanaryFeedLogType is the Chronicle log type value for a Thinkst
// Canary feed; presumably used as FeedDetails.LogType together with
// ThinkstCanaryFeedConfiguration.
const (
	ThinkstCanaryFeedLogType = "THINKST_CANARY"
)

Variables

// RegionalSubDomains maps an API key (SearchAPIKey, IngestionAPIKey, ...) to
// a per-region table of the subdomain that API is served from; the subdomain
// is presumably joined with APIDomain to form the host. Observations from the
// table itself:
//   - the Backstory-family APIs share one "<region>-backstory" scheme, with the
//     US region using the bare "backstory" subdomain;
//   - IngestionAPIKey uses a separate "malachiteingestion-pa" host family;
//   - GCTIAPIKey resolves to "backstory" for every region, so GCTI requests
//     are not regionalised (data-residency implication for EU/APAC tenants).
//
// This is an exported, mutable package-level map: any importer can change an
// entry at run time and redirect requests (and the credentials they carry) to
// another host. Treat it as read-only; a lookup for an unknown API key or
// region yields "" and must be rejected rather than used to build a URL.
var RegionalSubDomains = map[string]map[string]string{
	SearchAPIKey: {
		RegionUS:             "backstory",
		RegionEurope:         "europe-backstory",
		RegionEuropeWest2:    "europe-west2-backstory",
		RegionAsiaSouthEast1: "asia-southeast1-backstory",
	},
	DetectionEngineAPIKey: {
		RegionUS:             "backstory",
		RegionEurope:         "europe-backstory",
		RegionEuropeWest2:    "europe-west2-backstory",
		RegionAsiaSouthEast1: "asia-southeast1-backstory",
	},
	FeedManagementAPIKey: {
		RegionUS:             "backstory",
		RegionEurope:         "europe-backstory",
		RegionEuropeWest2:    "europe-west2-backstory",
		RegionAsiaSouthEast1: "asia-southeast1-backstory",
	},
	IngestionAPIKey: {
		RegionUS:             "malachiteingestion-pa",
		RegionEurope:         "europe-malachiteingestion-pa",
		RegionEuropeWest2:    "europe-west2-malachiteingestion-pa",
		RegionAsiaSouthEast1: "asia-southeast1-malachiteingestion-pa",
	},
	GCTIAPIKey: {
		RegionUS:             "backstory",
		RegionEurope:         "backstory",
		RegionEuropeWest2:    "backstory",
		RegionAsiaSouthEast1: "backstory",
	},
	RBACAPIKey: {
		RegionUS:             "backstory",
		RegionEurope:         "europe-backstory",
		RegionEuropeWest2:    "europe-west2-backstory",
		RegionAsiaSouthEast1: "asia-southeast1-backstory",
	},
	ReferenceListsAPIKey: {
		RegionUS:             "backstory",
		RegionEurope:         "europe-backstory",
		RegionEuropeWest2:    "europe-west2-backstory",
		RegionAsiaSouthEast1: "asia-southeast1-backstory",
	},
}

Functions

func CreateReferenceListUpdateMask

func CreateReferenceListUpdateMask(updateLines, updateDescription bool) string

func GenerateDefaultBasePaths

func GenerateDefaultBasePaths(region string) map[string]string

Types

type AzureBlobStoreFeedConfiguration

// AzureBlobStoreFeedConfiguration is the source-specific part of a feed that
// reads from Azure Blob Storage. It is serialised to JSON with the tags below
// (presumably under AzureBlobStoreFeedConfigurationPropertyKey) and carries
// the Authentication secrets with it, so a marshalled value is sensitive.
//
// NOTE: `omitempty` on the struct-typed Authentication field has no effect in
// encoding/json (structs are never considered empty); the object is always
// emitted.
type AzureBlobStoreFeedConfiguration struct {
	// URI of the blob store container/prefix to ingest from.
	URI                 string                               `json:"azureUri,omitempty"`
	// SourceType: expected to be one of the FeedSourceTypeXxx values — confirm.
	SourceType          string                               `json:"sourceType,omitempty"`
	// SourceDeleteOptions: wire value "sourceDeletionOption"; accepted values not
	// visible in this listing.
	SourceDeleteOptions string                               `json:"sourceDeletionOption,omitempty"`
	// Authentication holds the shared key / SAS token used to read the container.
	Authentication      AzureBlobStoreFeedFeedAuthentication `json:"authentication,omitempty"`
}

type AzureBlobStoreFeedFeedAuthentication

// AzureBlobStoreFeedFeedAuthentication carries the credential Chronicle uses
// to read an Azure Blob Storage container. Both fields are secrets: do not log
// a value of this type (or its enclosing configuration) and prefer a SAS token
// scoped to read-only access on the single container over the account-wide
// shared key. Which of the two takes precedence when both are set is not
// visible here — confirm against the API.
type AzureBlobStoreFeedFeedAuthentication struct {
	SharedKey string `json:"sharedKey,omitempty"`
	SASToken  string `json:"sasToken,omitempty"`
}

type BaseFeed

// BaseFeed is the source-independent description of a feed as returned by
// the feed management API (see Client.ReadFeed, which returns it alongside
// the ConcreteFeedConfiguration).
//
// Note the mixed tag styles: "display_name" is snake_case while "feedState"
// is camelCase. encoding/json matches keys case-insensitively on decode but
// emits the tag verbatim on encode, so the distinction matters if a BaseFeed
// is ever marshalled back to the API.
type BaseFeed struct {
	// Name is the server-assigned resource name of the feed.
	Name        string      `json:"name,omitempty"`
	DisplayName string      `json:"display_name,omitempty"`
	// Details: `omitempty` is a no-op on a struct-typed field; always emitted.
	Details     FeedDetails `json:"details,omitempty"`
	// State is the feed's lifecycle state ("feedState"); values not listed here.
	State       string      `json:"feedState,omitempty"`
}

type ChronicleAPIError

// ChronicleAPIError is the error returned when the Chronicle API answers with
// an error body. Message and Result are decoded from the response JSON;
// HTTPStatusCode has no json tag and is presumably filled from the HTTP
// response itself. It implements error via the pointer receiver, so callers
// should match it with errors.As(err, &apiErr) using *ChronicleAPIError.
//
// Message is server-controlled text: render it as data (%q), not as a format
// string, when surfacing it to users or logs.
type ChronicleAPIError struct {
	Message        string `json:"message"`
	Result         string `json:"result"`
	HTTPStatusCode int
}

func (*ChronicleAPIError) Error

func (c *ChronicleAPIError) Error() string

type Client

// Client is the handle for all Chronicle API calls. The exported fields are
// the per-resource base URLs; NewClient presumably derives their defaults from
// the region (cf. GenerateDefaultBasePaths) and the WithXxxBasePath methods
// override individual ones. Credentials, rate limiters and HTTP settings live
// in the unexported fields and are configured through Option values.
//
// Because these fields are exported and writable, a base path can be pointed
// at an arbitrary host after construction; only set them from trusted
// configuration, since requests to them carry the client's bearer credentials.
// Note that ReferenceListsBasePath has no WithReferenceListsBasePath method in
// this listing and can only be changed by assigning the field directly.
type Client struct {
	EventsBasePath         string
	AlertBasePath          string
	ArtifactBasePath       string
	AliasBasePath          string
	AssetBasePath          string
	IOCBasePath            string
	RuleBasePath           string
	FeedManagementBasePath string
	SubjectsBasePath       string
	ReferenceListsBasePath string
	// contains filtered or unexported fields
}

func NewClient

func NewClient(region string, userAgent string, ctx context.Context, opts ...Option) (*Client, error)

func (*Client) ChangeAlertingRule

func (cli *Client) ChangeAlertingRule(id string, alertingEnabled bool) error

func (*Client) ChangeEnableFeed

func (cli *Client) ChangeEnableFeed(id string, enabled bool) error

func (*Client) ChangeLiveRule

func (cli *Client) ChangeLiveRule(id string, liveEnabled bool) error

func (*Client) CreateFeed

func (cli *Client) CreateFeed(displayName, logType, namespace string, labels []Label, concreteFeedConfiguration ConcreteFeedConfiguration) (string, error)

func (*Client) CreateReferenceList

func (cli *Client) CreateReferenceList(referenceList ReferenceList) (string, error)

func (*Client) CreateRule

func (cli *Client) CreateRule(rule Rule) (string, error)

func (*Client) CreateRuleVersion

func (cli *Client) CreateRuleVersion(rule Rule) error

func (*Client) CreateSubject

func (cli *Client) CreateSubject(subject Subject) error

func (*Client) DeleteRule

func (cli *Client) DeleteRule(id string) error

func (*Client) DeleteSubject

func (cli *Client) DeleteSubject(name string) error

func (*Client) DestroyFeed

func (cli *Client) DestroyFeed(name string) error

func (*Client) GetCredentials

func (cli *Client) GetCredentials(clientScopes []string, accessToken, credentials, envVariable string) (*googleoauth.Credentials, error)

func (*Client) GetReferenceList

func (cli *Client) GetReferenceList(name string) (*ReferenceList, error)

func (*Client) GetRule

func (cli *Client) GetRule(id string) (*Rule, error)

func (*Client) GetSubject

func (cli *Client) GetSubject(name string) (*Subject, error)

func (*Client) ReadFeed

func (cli *Client) ReadFeed(name string) (*BaseFeed, *ConcreteFeedConfiguration, error)

func (*Client) UpdateFeed

func (cli *Client) UpdateFeed(name, displayName, logType, namespace string, labels []Label, conf ConcreteFeedConfiguration) error

func (*Client) UpdateReferenceList

func (cli *Client) UpdateReferenceList(referenceList ReferenceList, updateLines, updateDescription bool) (*ReferenceList, error)

func (*Client) UpdateSubject

func (cli *Client) UpdateSubject(subject Subject) error

func (*Client) VerifyYARARule

func (cli *Client) VerifyYARARule(yaraRule string) (bool, error)

func (*Client) WithAlertBasePath

func (cli *Client) WithAlertBasePath(uri string) *Client

func (*Client) WithAliasBasePath

func (cli *Client) WithAliasBasePath(uri string) *Client

func (*Client) WithArtifactBasePath

func (cli *Client) WithArtifactBasePath(uri string) *Client

func (*Client) WithAssetBasePath

func (cli *Client) WithAssetBasePath(uri string) *Client

func (*Client) WithEventsBasePath

func (cli *Client) WithEventsBasePath(uri string) *Client

func (*Client) WithFeedManagementBasePath

func (cli *Client) WithFeedManagementBasePath(uri string) *Client

func (*Client) WithIOCBasePath

func (cli *Client) WithIOCBasePath(uri string) *Client

func (*Client) WithRuleBasePath

func (cli *Client) WithRuleBasePath(uri string) *Client

func (*Client) WithSubjectsBasePath

func (cli *Client) WithSubjectsBasePath(uri string) *Client

type ClientRateLimiters

// ClientRateLimiters holds one token-bucket limiter per API operation so the
// client can pace calls independently for each endpoint. NewClientRateLimiters
// builds a populated instance; the individual rates are set there and are not
// visible in this listing. A nil *rate.Limiter field would panic on use, so
// callers constructing the struct by hand must fill every field.
type ClientRateLimiters struct {
	FeedManagementCreateFeed *rate.Limiter
	FeedManagementGetFeed    *rate.Limiter
	FeedManagementListFeeds  *rate.Limiter
	FeedManagementUpdateFeed *rate.Limiter
	FeedManagementDeleteFeed *rate.Limiter
	FeedManagementEnableFeed *rate.Limiter

	DetectionCreateRule         *rate.Limiter
	DetectionCreateRuleVersion  *rate.Limiter
	DetectionGetRule            *rate.Limiter
	DetectionUpdateRule         *rate.Limiter
	DetectionDeleteRule         *rate.Limiter
	DetectionEnableLiveRule     *rate.Limiter
	DetectionEnableAlertingRule *rate.Limiter
	DetectionVerifyYARARule     *rate.Limiter

	RBACCreateSubject *rate.Limiter
	RBACGetSubject    *rate.Limiter
	RBACUpdateSubject *rate.Limiter
	RBACDeleteSubject *rate.Limiter

	ReferenceListsCreateList *rate.Limiter
	ReferenceListsGetList    *rate.Limiter
	ReferenceListsUpdateList *rate.Limiter
}

func NewClientRateLimiters

func NewClientRateLimiters() *ClientRateLimiters

type ConcreteFeedConfiguration

// ConcreteFeedConfiguration is the source-specific half of a feed, accepted by
// Client.CreateFeed / UpdateFeed and returned by ReadFeed. Its method set is
// unexported, which in Go means only types declared in this package can
// satisfy it — the XxxFeedConfiguration structs here are the closed set of
// implementations, and importers cannot add their own.
type ConcreteFeedConfiguration interface {
	// contains filtered or unexported methods
}

type FeedDetails

// FeedDetails is the source-independent metadata of a feed, nested in
// BaseFeed.Details. SourceType and LogType presumably take the
// FeedSourceTypeXxx and XxxFeedLogType constants respectively.
type FeedDetails struct {
	SourceType string  `json:"feedSourceType,omitempty"`
	LogType    string  `json:"logType,omitempty"`
	Namespace  string  `json:"namespace,omitempty"`
	// Labels: a nil slice is omitted; an empty non-nil slice is also omitted
	// (omitempty treats len 0 as empty).
	Labels     []Label `json:"labels,omitempty"`
}

type GCPBucketFeedConfiguration

// GCPBucketFeedConfiguration is the source-specific part of a feed that reads
// from a Google Cloud Storage bucket. Unlike the Azure/S3 variants it carries
// no credential: access is presumably granted to Chronicle's service identity
// on the bucket side, so no secret is serialised for this feed type.
type GCPBucketFeedConfiguration struct {
	// URI of the bucket/prefix to ingest from ("bucketUri").
	URI                 string `json:"bucketUri,omitempty"`
	// SourceType: expected to be one of the FeedSourceTypeXxx values — confirm.
	SourceType          string `json:"sourceType,omitempty"`
	// SourceDeleteOptions: wire value "sourceDeletionOption"; accepted values
	// not visible in this listing.
	SourceDeleteOptions string `json:"sourceDeletionOption,omitempty"`
}

type Label

// Label is a key/value pair attached to a feed (FeedDetails.Labels).
// Both halves are optional on the wire because of omitempty, so a Label with
// an empty Key serialises as "{}" rather than being rejected client-side.
type Label struct {
	Key   string `json:"key,omitempty"`
	Value string `json:"value,omitempty"`
}

type MicrosoftOffice365ManagementActivityFeedAuthentication

// MicrosoftOffice365ManagementActivityFeedAuthentication is the OAuth client
// credential Chronicle uses against the Office 365 Management Activity API.
// ClientSecret is a secret: never log a value of this type. Prefer an app
// registration limited to the ActivityFeed.Read permission, and rotate the
// secret on a schedule since it is stored server-side by the feed.
type MicrosoftOffice365ManagementActivityFeedAuthentication struct {
	ClientID     string `json:"clientId,omitempty"`
	ClientSecret string `json:"clientSecret,omitempty"`
}

type MicrosoftOffice365ManagementActivityFeedConfiguration

// MicrosoftOffice365ManagementActivityFeedConfiguration is the source-specific
// part of an Office 365 Management Activity feed (log type
// MicrosoftOffice365ManagementActivityFeedLogType). A marshalled value embeds
// the client secret, so treat it as sensitive.
//
// NOTE: `omitempty` on the struct-typed Authentication field has no effect in
// encoding/json; the object is always emitted.
type MicrosoftOffice365ManagementActivityFeedConfiguration struct {
	// TenantID of the Microsoft 365 tenant to read from.
	TenantID       string                                                 `json:"tenantId,omitempty"`
	// ContentType selects the activity content set; accepted values not listed here.
	ContentType    string                                                 `json:"contentType,omitempty"`
	// Hostname of the management API endpoint to call.
	Hostname       string                                                 `json:"hostname,omitempty"`
	Authentication MicrosoftOffice365ManagementActivityFeedAuthentication `json:"authentication,omitempty"`
}

type OktaSystemLogAuthenticationHeaderKeyValues

// OktaSystemLogAuthenticationHeaderKeyValues is one HTTP header (name/value)
// Chronicle sends when polling the Okta System Log. For Okta the value is
// typically the API token (e.g. an Authorization header), so treat Value as a
// secret and keep it out of logs. Structurally identical to
// OktaUsersAuthenticationHeaderKeyValues and
// ThinkstCanaryAuthenticationHeaderKeyValues but kept as a distinct type.
type OktaSystemLogAuthenticationHeaderKeyValues struct {
	Key   string `json:"key,omitempty"`
	Value string `json:"value,omitempty"`
}

type OktaSystemLogFeedAuthentication

// OktaSystemLogFeedAuthentication lists the headers used to authenticate to
// the Okta System Log API. An empty or nil slice is omitted from the JSON, so
// a feed created with no headers is sent without an authentication block
// rather than being rejected client-side.
type OktaSystemLogFeedAuthentication struct {
	HeaderKeyValues []OktaSystemLogAuthenticationHeaderKeyValues `json:"headerKeyValues,omitempty"`
}

type OktaSystemLogFeedConfiguration

// OktaSystemLogFeedConfiguration is the source-specific part of an Okta System
// Log feed (log type OktaSystemLogFeedLogType): the Okta org hostname plus the
// authentication headers. A marshalled value contains the API token carried in
// those headers, so treat it as sensitive.
//
// NOTE: `omitempty` on the struct-typed Authentication field has no effect in
// encoding/json; the object is always emitted.
type OktaSystemLogFeedConfiguration struct {
	Hostname       string                          `json:"hostname,omitempty"`
	Authentication OktaSystemLogFeedAuthentication `json:"authentication,omitempty"`
}

type OktaUsersAuthenticationHeaderKeyValues

// OktaUsersAuthenticationHeaderKeyValues is one HTTP header (name/value)
// Chronicle sends when fetching Okta user context. As with the System Log
// variant the value is typically the Okta API token; treat Value as a secret.
type OktaUsersAuthenticationHeaderKeyValues struct {
	Key   string `json:"key,omitempty"`
	Value string `json:"value,omitempty"`
}

type OktaUsersFeedAuthentication

// OktaUsersFeedAuthentication lists the headers used to authenticate to the
// Okta Users API. An empty or nil slice is omitted from the JSON.
type OktaUsersFeedAuthentication struct {
	HeaderKeyValues []OktaUsersAuthenticationHeaderKeyValues `json:"headerKeyValues,omitempty"`
}

type OktaUsersFeedConfiguration

// OktaUsersFeedConfiguration is the source-specific part of an Okta user
// context feed (log type OktaUsersFeedLogType). A marshalled value contains
// the API token carried in Authentication, so treat it as sensitive.
//
// NOTE: `omitempty` on the struct-typed Authentication field has no effect in
// encoding/json; the object is always emitted.
type OktaUsersFeedConfiguration struct {
	// Hostname of the Okta org.
	Hostname                string                      `json:"hostname,omitempty"`
	// ManagerIDReferenceField names the user profile attribute that references a
	// user's manager ("managerIdReferenceField"); semantics not visible here.
	ManagerIDReferenceField string                      `json:"managerIdReferenceField,omitempty"`
	Authentication          OktaUsersFeedAuthentication `json:"authentication,omitempty"`
}

type Option

// Option is a functional option applied by NewClient to configure the Client
// being built (credentials, request attempts, timeouts, ...). An Option that
// returns a non-nil error presumably aborts NewClient; the WithXxx functions
// in this package are the available constructors.
type Option func(*Client) error

func WithBackstoryAPIAccessToken

func WithBackstoryAPIAccessToken(accesstoken string) Option

func WithBackstoryAPICredentials

func WithBackstoryAPICredentials(credentials string) Option

func WithBackstoryAPIEnvVar

func WithBackstoryAPIEnvVar() Option

func WithBigQueryAPIAccessToken

func WithBigQueryAPIAccessToken(accesstoken string) Option

func WithBigQueryAPICredentials

func WithBigQueryAPICredentials(credentials string) Option

func WithBigQueryAPIEnvVar

func WithBigQueryAPIEnvVar() Option

func WithForwarderAPIAccessToken

func WithForwarderAPIAccessToken(accesstoken string) Option

func WithForwarderAPICredentials

func WithForwarderAPICredentials(credentials string) Option

func WithForwarderAPIEnvVar

func WithForwarderAPIEnvVar() Option

func WithIngestionAPIAccessToken

func WithIngestionAPIAccessToken(accesstoken string) Option

func WithIngestionAPICredentials

func WithIngestionAPICredentials(credentials string) Option

func WithIngestionAPIEnvVar

func WithIngestionAPIEnvVar() Option

func WithRequestAttempts

func WithRequestAttempts(attempts uint) Option

func WithRequestTimeout

func WithRequestTimeout(timeout time.Duration) Option

type Permission

// Permission is a single RBAC permission as returned inside a Role.
// Name has no omitempty and is therefore always emitted, even when empty.
//
// NOTE(review): the CreateTime tag is "createtime" (all lowercase) while the
// reference-list types use "createTime"; decoding is case-insensitive so reads
// work either way, but encoding emits the tag verbatim — confirm which form
// the API expects if this struct is ever sent.
type Permission struct {
	Name        string `json:"name"`
	Title       string `json:"title,omitempty"`
	Description string `json:"description,omitempty"`
	CreateTime  string `json:"createtime,omitempty"`
}

type ProofpointSIEMFeedAuthentication

// ProofpointSIEMFeedAuthentication is the service principal / secret pair used
// to read the Proofpoint SIEM API. Secret is credential material: do not log
// a value of this type and rotate it when the feed is retired.
type ProofpointSIEMFeedAuthentication struct {
	User   string `json:"user,omitempty"`
	Secret string `json:"secret,omitempty"`
}

type ProofpointSIEMFeedConfiguration

// ProofpointSIEMFeedConfiguration is the source-specific part of a Proofpoint
// SIEM feed (log type ProofpointSIEMFeedLogType). It consists only of the
// credential, so a marshalled value is entirely secret material.
//
// NOTE: `omitempty` on the struct-typed Authentication field has no effect in
// encoding/json; the object is always emitted.
type ProofpointSIEMFeedConfiguration struct {
	Authentication ProofpointSIEMFeedAuthentication `json:"authentication,omitempty"`
}

type QualysVMFeedAuthentication

// QualysVMFeedAuthentication is the user / secret pair used to read the Qualys
// VM API. Secret is credential material: do not log a value of this type.
// Same shape as ProofpointSIEMFeedAuthentication but kept as a distinct type.
type QualysVMFeedAuthentication struct {
	User   string `json:"user,omitempty"`
	Secret string `json:"secret,omitempty"`
}

type QualysVMFeedConfiguration

// QualysVMFeedConfiguration is the source-specific part of a Qualys VM feed
// (log type QualysVMFeedLogType): the API hostname plus the credential. A
// marshalled value embeds the secret, so treat it as sensitive.
//
// NOTE: `omitempty` on the struct-typed Authentication field has no effect in
// encoding/json; the object is always emitted.
type QualysVMFeedConfiguration struct {
	Hostname       string                     `json:"hostname,omitempty"`
	Authentication QualysVMFeedAuthentication `json:"authentication,omitempty"`
}

type ReferenceList

// ReferenceList is a Chronicle reference list: a named set of Lines whose
// interpretation is fixed by ContentType (plain strings, CIDRs or regexes).
// It is the request/response body for Client.CreateReferenceList,
// GetReferenceList and UpdateReferenceList.
//
// The request tags are snake_case ("content_type", "create_time") whereas
// ReferenceListResponseContenType / ReferenceListResponseCreateTime read the
// camelCase forms — presumably the API returns camelCase and those helper
// types exist to decode it. Name has no omitempty and is always emitted.
type ReferenceList struct {
	Name        string                   `json:"name"`
	Description string                   `json:"description,omitempty"`
	// Lines: an empty list is omitted, so an update that intends to clear the
	// list cannot express that through this field alone — see
	// CreateReferenceListUpdateMask / UpdateReferenceList's updateLines flag.
	Lines       []string                 `json:"lines,omitempty"`
	ContentType ReferenceListContentType `json:"content_type,omitempty"`
	CreateTime  string                   `json:"create_time,omitempty"`
}

type ReferenceListContentType

// ReferenceListContentType is the wire enum describing how the entries of a
// ReferenceList are interpreted. Only the three constants below are defined
// here; the underlying type is string, so any other value still compiles and
// is only rejected (if at all) by the server.
type ReferenceListContentType string
// ReferenceListContentTypeCIDR marks a list of IP ranges in CIDR notation.
const ReferenceListContentTypeCIDR ReferenceListContentType = "CIDR"
// ReferenceListContentTypeDefault marks a list of plain strings (the server default).
const ReferenceListContentTypeDefault ReferenceListContentType = "CONTENT_TYPE_DEFAULT_STRING"
// ReferenceListContentTypeREGEX marks a list of regular expressions; each line
// is a pattern evaluated server-side, so validate patterns before submitting.
const ReferenceListContentTypeREGEX ReferenceListContentType = "REGEX"

type ReferenceListResponseContenType

// ReferenceListResponseContenType is a helper used to decode the camelCase
// "contentType" property of a reference-list API response, which differs from
// the "content_type" tag on ReferenceList. (The type name itself is missing a
// 't' — "ContenType" — but renaming it would be a breaking API change.)
type ReferenceListResponseContenType struct {
	ContentType ReferenceListContentType `json:"contentType,omitempty"`
}

type ReferenceListResponseCreateTime

// ReferenceListResponseCreateTime is a helper used to decode the camelCase
// "createTime" property of a reference-list API response, which differs from
// the "create_time" tag on ReferenceList. The timestamp is kept as the raw
// string the API returned; no parsing is done here.
type ReferenceListResponseCreateTime struct {
	CreateTime string `json:"createTime,omitempty"`
}

type Role

// Role is an RBAC role assigned to a Subject, with the permissions it grants.
// Name has no omitempty and is always emitted.
//
// NOTE(review): the IsDefault tag is misspelled "isdefeault". Go's decoder
// only matches keys case-insensitively, not fuzzily, so if the API emits
// "isDefault" this field will never be populated; it is also declared as a
// string rather than a bool — confirm the wire representation before relying
// on it. CreateTime uses the lowercase "createtime" tag like Permission.
type Role struct {
	Name        string       `json:"name"`
	Title       string       `json:"title,omitempty"`
	Description string       `json:"description,omitempty"`
	CreateTime  string       `json:"createtime,omitempty"`
	IsDefault   string       `json:"isdefeault,omitempty"`
	Permissions []Permission `json:"permissions,omitempty"`
}

type Rule

// Rule is a YARA-L detection rule as exchanged with the detection engine API
// (Client.CreateRule, CreateRuleVersion, GetRule). Text is the only field
// without omitempty and is always sent; the rest are populated by the server
// on read.
//
// NOTE: LiveEnabled and AlertingEnabled carry omitempty, so a false value is
// dropped from the JSON and cannot be expressed through this struct. That is
// presumably why the separate ChangeLiveRule / ChangeAlertingRule methods
// exist — use those to disable a rule rather than sending a Rule with false.
type Rule struct {
	// Text is the YARA-L source ("ruleText"); validate with VerifyYARARule first.
	Text              string            `json:"ruleText"`
	ID                string            `json:"ruleId,omitempty"`
	VersionID         string            `json:"versionId,omitempty"`
	Name              string            `json:"ruleName,omitempty"`
	// Metadata: a nil or empty map is omitted.
	Metadata          map[string]string `json:"metadata,omitempty"`
	Type              string            `json:"ruleType,omitempty"`
	VersionCreateTime string            `json:"versionCreateTime,omitempty"`
	// CompilationState / CompilationError report the server-side compile result;
	// CompilationError is server-controlled text — render it as data, not a format string.
	CompilationState  string            `json:"compilationState,omitempty"`
	CompilationError  string            `json:"compilationError,omitempty"`
	LiveEnabled       bool              `json:"liveRuleEnabled,omitempty"`
	AlertingEnabled   bool              `json:"alertingEnabled,omitempty"`
}

type S3FeedAuthentication

// S3FeedAuthentication is the static AWS access key Chronicle uses to read an
// S3 bucket. SecretAccessKey is credential material: do not log a value of
// this type. These are long-lived keys stored by the feed, so scope the IAM
// user to read-only access on the one bucket and rotate the key periodically.
type S3FeedAuthentication struct {
	Region          string `json:"region,omitempty"`
	AccessKeyID     string `json:"accessKeyId,omitempty"`
	SecretAccessKey string `json:"secretAccessKey,omitempty"`
}

type S3FeedConfiguration

// S3FeedConfiguration is the source-specific part of a feed that reads from an
// Amazon S3 bucket. A marshalled value embeds the AWS secret access key, so
// treat it as sensitive.
//
// NOTE: `omitempty` on the struct-typed Authentication field has no effect in
// encoding/json; the object is always emitted.
type S3FeedConfiguration struct {
	// URI of the bucket/prefix to ingest from ("s3Uri").
	URI                 string               `json:"s3Uri,omitempty"`
	// SourceType: expected to be one of the FeedSourceTypeXxx values — confirm.
	SourceType          string               `json:"sourceType,omitempty"`
	// SourceDeleteOptions: wire value "sourceDeletionOption"; accepted values
	// not visible in this listing.
	SourceDeleteOptions string               `json:"sourceDeletionOption,omitempty"`
	Authentication      S3FeedAuthentication `json:"authentication,omitempty"`
}

type SQSFeedAuthentication

// SQSFeedAuthentication holds the AWS credentials for an SQS-driven feed: the
// key used to read the queue, and optionally a second key used to fetch the
// referenced S3 objects. Both contain secret access keys — do not log values
// of this type.
//
// SQSAuthentication is a value field, so omitempty is a no-op and it is always
// emitted; S3Authentication is a pointer, so a nil pointer is omitted and the
// queue credentials are presumably reused for S3 in that case — confirm.
type SQSFeedAuthentication struct {
	SQSAuthentication SQSFeedAuthenticationCred  `json:"sqsAccessKeySecretAuth,omitempty"`
	S3Authentication  *SQSFeedAuthenticationCred `json:"additionalS3AccessKeySecretAuth,omitempty"`
}

type SQSFeedAuthenticationCred

// SQSFeedAuthenticationCred is one AWS access key pair. Neither field has
// omitempty, so an unset key pair is sent as empty strings rather than being
// dropped. SecretAccessKey is credential material: keep it out of logs and
// scope the IAM identity to the minimum SQS/S3 read permissions.
type SQSFeedAuthenticationCred struct {
	AccessKeyID     string `json:"accessKeyId"`
	SecretAccessKey string `json:"secretAccessKey"`
}

type SQSFeedConfiguration

// SQSFeedConfiguration is the source-specific part of a feed fed by an Amazon
// SQS queue (messages presumably referencing S3 objects, given the optional
// S3 credential in Authentication). A marshalled value embeds AWS secret keys,
// so treat it as sensitive. Note there is no SourceType field here, unlike the
// S3/GCS/Azure configurations.
//
// NOTE: `omitempty` on the struct-typed Authentication field has no effect in
// encoding/json; the object is always emitted.
type SQSFeedConfiguration struct {
	Queue               string                `json:"queue,omitempty"`
	Region              string                `json:"region,omitempty"`
	AccountNumber       string                `json:"accountNumber,omitempty"`
	SourceDeleteOptions string                `json:"sourceDeletionOption,omitempty"`
	Authentication      SQSFeedAuthentication `json:"authentication,omitempty"`
}

type Subject

// Subject is an RBAC principal (a user or group, per Type) together with the
// Roles granted to it; exchanged with Client.CreateSubject, GetSubject,
// UpdateSubject and DeleteSubject. Name and Type have no omitempty and are
// always emitted, so both should be set before a create/update call.
type Subject struct {
	Name  string `json:"name"`
	Type  string `json:"type"`
	Roles []Role `json:"roles,omitempty"`
}

type ThinkstCanaryAuthenticationHeaderKeyValues

// ThinkstCanaryAuthenticationHeaderKeyValues is one HTTP header (name/value)
// Chronicle sends when polling the Thinkst Canary console. The value is
// typically the console API token; treat Value as a secret.
type ThinkstCanaryAuthenticationHeaderKeyValues struct {
	Key   string `json:"key,omitempty"`
	Value string `json:"value,omitempty"`
}

type ThinkstCanaryFeedAuthentication

// ThinkstCanaryFeedAuthentication lists the headers used to authenticate to
// the Thinkst Canary API. An empty or nil slice is omitted from the JSON.
type ThinkstCanaryFeedAuthentication struct {
	HeaderKeyValues []ThinkstCanaryAuthenticationHeaderKeyValues `json:"headerKeyValues,omitempty"`
}

type ThinkstCanaryFeedConfiguration

// ThinkstCanaryFeedConfiguration is the source-specific part of a Thinkst
// Canary feed (log type ThinkstCanaryFeedLogType): the console hostname plus
// the authentication headers. A marshalled value contains the API token, so
// treat it as sensitive.
//
// NOTE: `omitempty` on the struct-typed Authentication field has no effect in
// encoding/json; the object is always emitted.
type ThinkstCanaryFeedConfiguration struct {
	Hostname       string                          `json:"hostname,omitempty"`
	Authentication ThinkstCanaryFeedAuthentication `json:"authentication,omitempty"`
}

type YARALValidation

// YARALValidation is the response body of the YARA-L verification endpoint
// (see Client.VerifyYARARule). Valid is decoded from the "success" property;
// Context carries the server's explanation (e.g. a compile error) and is
// server-controlled text — render it as data, not as a format string.
type YARALValidation struct {
	Valid   bool   `json:"success"`
	Context string `json:"context"`
}
