Overview ¶
Package qradar provides an API client for the QRadar API. See usage examples in the examples folder.
Index ¶
- Constants
- Variables
- func CheckResponse(r *http.Response) error
- func SetHTTPClient(httpClient *http.Client) func(*Client) error
- func SetSECKey(key string) func(*Client) error
- type ArielService
- func (a *ArielService) NewSearchResultsScroller(ctx context.Context, searchID string) (*SearchResultsScroller, error)
- func (a *ArielService) ScrollByQuery(ctx context.Context, sqlQuery string) (*SearchResultsScroller, *SearchMetadata, error)
- func (a *ArielService) SearchByQuery(ctx context.Context, sqlQuery string) (*Search, error)
- func (a *ArielService) SearchMetadata(ctx context.Context, searchID string) (*SearchMetadata, error)
- func (a *ArielService) SearchStatus(ctx context.Context, searchID string) (string, int, error)
- func (a *ArielService) WaitForSearchID(ctx context.Context, searchID string, status JobStatus, seconds int) (int, error)
- type Client
- type ConfigService
- type Domain
- type ErrorMessage
- type Event
- type JobStatus
- type Offense
- type SIEMService
- type Search
- type SearchColumn
- type SearchMetadata
- type SearchResult
- type SearchResultsScroller
Constants ¶
const (
ErrUnauthorized = "unathorized"
)
Variables ¶
var SearchResultsWindow = 50
SearchResultsWindow is the default window size used when scrolling the results of a query.
Functions ¶
func CheckResponse ¶
CheckResponse checks the API response for errors.
func SetHTTPClient ¶
SetHTTPClient sets an HTTP client.
Types ¶
type ArielService ¶
type ArielService service
ArielService handles communication with the search-related methods of the QRadar API.
func (*ArielService) NewSearchResultsScroller ¶
func (a *ArielService) NewSearchResultsScroller(ctx context.Context, searchID string) (*SearchResultsScroller, error)
NewSearchResultsScroller initializes a struct used to scroll through the records of the given search.
func (*ArielService) ScrollByQuery ¶ added in v1.0.0
func (a *ArielService) ScrollByQuery(ctx context.Context, sqlQuery string) (*SearchResultsScroller, *SearchMetadata, error)
ScrollByQuery searches events in the QRadar API and returns a scroller over the results. It is the recommended way to retrieve a large number of events.
func (*ArielService) SearchByQuery ¶
SearchByQuery searches events in the QRadar API. It is the caller's responsibility to wait for the results and retrieve the final data.
func (*ArielService) SearchMetadata ¶
func (a *ArielService) SearchMetadata(ctx context.Context, searchID string) (*SearchMetadata, error)
SearchMetadata retrieves the metadata of the given search.
func (*ArielService) SearchStatus ¶
SearchStatus returns the status of the search and the count of its records.
func (*ArielService) WaitForSearchID ¶ added in v1.0.0
func (a *ArielService) WaitForSearchID(ctx context.Context, searchID string, status JobStatus, seconds int) (int, error)
WaitForSearchID waits for the search identified by searchID and returns the number of records, or an error.
type Client ¶
type Client struct {
	// Client is the underlying HTTP client (see SetHTTPClient).
	Client *http.Client
	// BaseURL is the base URL of the QRadar API.
	BaseURL *url.URL
	// UserAgent is the user agent string; presumably sent as the User-Agent header — confirm in Do.
	UserAgent string
	// SECKey is the QRadar SEC API token (see SetSECKey). It is a credential:
	// avoid logging the Client with %+v or serializing it.
	SECKey string
	// Ariel, SIEM and Config expose the endpoint groups of the API.
	Ariel  *ArielService
	SIEM   *SIEMService
	Config *ConfigService
	// contains filtered or unexported fields
}
Client manages communication with the QRadar API.
func (*Client) Do ¶
Do sends an API request and returns the API response. The API response is JSON decoded and stored in the value pointed to by v, or returned as an error if an API error has occurred. If v implements the io.Writer interface, the raw response body will be written to v, without attempting to first decode it.
The provided ctx must be non-nil. If it is canceled or times out, ctx.Err() will be returned.
type ConfigService ¶ added in v1.0.0
type ConfigService service
ConfigService handles communication with the config endpoint of the QRadar API.
type Domain ¶ added in v1.0.0
type Domain struct { AssetScannerIds []int `json:"asset_scanner_ids"` CustomProperties []struct { CaptureResult string `json:"capture_result"` ID int `json:"id"` } `json:"custom_properties"` Deleted bool `json:"deleted"` Description string `json:"description"` EventCollectorIds []int `json:"event_collector_ids"` FlowCollectorIds []int `json:"flow_collector_ids"` FlowSourceIds []int `json:"flow_source_ids"` FlowVlanIds []int `json:"flow_vlan_ids"` ID int `json:"id"` LogSourceGroupIds []int `json:"log_source_group_ids"` LogSourceIds []int `json:"log_source_ids"` Name string `json:"name"` QvmScannerIds []int `json:"qvm_scanner_ids"` TenantID int `json:"tenant_id"` }
Domain represents a QRadar domain.
type ErrorMessage ¶
type ErrorMessage struct { Code json.Number `json:"code,omitempty"` Contexts []string `json:"contexts,omitempty"` Message string `json:"message,omitempty"` Description string `json:"description,omitempty"` Severity string `json:"severity,omitempty"` Details struct { Reason string `json:"reason,omitempty"` Code int `json:"code,omitempty"` StartIndex int `json:"start_index,omitempty"` LineNumber int `json:"line_number,omitempty"` QueryString string `json:"query_string,omitempty"` TokenText string `json:"token_text,omitempty"` } `json:"details,omitempty"` // contains filtered or unexported fields }
ErrorMessage represents a generic error message returned by the QRadar API.
func (*ErrorMessage) Error ¶
func (e *ErrorMessage) Error() string
Error satisfies the error interface.
type JobStatus ¶
type JobStatus string
JobStatus represents the status of a job, such as a search.
const (
	// StatusWait is the WAIT job status: the job has not started yet.
	StatusWait JobStatus = "WAIT"
	// StatusExecute is the EXECUTE job status: the job is running.
	StatusExecute JobStatus = "EXECUTE"
	// StatusSorting is the SORTING job status: the job is sorting its results.
	StatusSorting JobStatus = "SORTING"
	// StatusCompleted is the COMPLETED job status: the job has finished.
	StatusCompleted JobStatus = "COMPLETED"
	// StatusCanceled is the CANCELED job status: the job was canceled.
	StatusCanceled JobStatus = "CANCELED"
	// StatusError is the ERROR job status: the job failed.
	StatusError JobStatus = "ERROR"
)
type Offense ¶
type Offense struct { UsernameCount int `json:"username_count,omitempty"` Description string `json:"description,omitempty"` Rules []struct { ID int `json:"id,omitempty"` Type string `json:"type,omitempty"` } `json:"rules,omitempty"` EventCount int `json:"event_count,omitempty"` FlowCount int `json:"flow_count,omitempty"` AssignedTo string `json:"assigned_to,omitempty"` SecurityCategoryCount int `json:"security_category_count,omitempty"` FollowUp bool `json:"follow_up,omitempty"` SourceAddressIds []int `json:"source_address_ids,omitempty"` SourceCount int `json:"source_count,omitempty"` Inactive bool `json:"inactive,omitempty"` Protected bool `json:"protected,omitempty"` CategoryCount int `json:"category_count,omitempty"` SourceNetwork string `json:"source_network,omitempty"` DestinationNetworks []string `json:"destination_networks,omitempty"` ClosingUser string `json:"closing_user,omitempty"` CloseTime int `json:"close_time,omitempty"` RemoteDestinationCount int `json:"remote_destination_count,omitempty"` StartTime int `json:"start_time,omitempty"` LastUpdatedTime int `json:"last_updated_time,omitempty"` Credibility int `json:"credibility,omitempty"` Magnitude int `json:"magnitude,omitempty"` ID int `json:"id,omitempty"` Categories []string `json:"categories,omitempty"` Severity int `json:"severity,omitempty"` PolicyCategoryCount int `json:"policy_category_count,omitempty"` DeviceCount int `json:"device_count,omitempty"` ClosingReasonID int `json:"closing_reason_id,omitempty"` OffenseType int `json:"offense_type,omitempty"` Relevance int `json:"relevance,omitempty"` DomainID int `json:"domain_id,omitempty"` OffenseSource string `json:"offense_source,omitempty"` LocalDestinationAddressIds []int `json:"local_destination_address_ids,omitempty"` LocalDestinationCount int `json:"local_destination_count,omitempty"` Status string `json:"status,omitempty"` }
Offense represents an offense generated by QRadar.
type SIEMService ¶ added in v1.0.0
type SIEMService service
SIEMService handles communication with the siem path-related methods of the QRadar API.
type Search ¶
type Search struct { CursorID string `json:"cursor_id"` CompressedDataFileCount int `json:"compressed_data_file_count"` CompressedDataTotalSize int `json:"compressed_data_total_size"` DataFileCount int `json:"data_file_count"` DataTotalSize int `json:"data_total_size"` IndexFileCount int `json:"index_file_count"` IndexTotalSize int `json:"index_total_size"` ProcessedRecordCount int `json:"processed_record_count"` ErrorMessages []ErrorMessage `json:"error_messages"` DesiredRetentionTimeMsec int `json:"desired_retention_time_msec"` Progress int `json:"progress"` ProgressDetails []int `json:"progress_details"` QueryExecutionTime int `json:"query_execution_time"` QueryString string `json:"query_string"` RecordCount int `json:"record_count"` SaveResults bool `json:"save_results"` Status string `json:"status"` Snapshot struct { Events []Event `json:"events"` } `json:"snapshot"` SubsearchIds []string `json:"subsearch_ids"` SearchID string `json:"search_id"` }
Search represents the state of an Ariel search.
type SearchColumn ¶
type SearchColumn struct {
	// ArgumentType is the column's argument type as reported by the API.
	ArgumentType string `json:"argument_type"`
	// Indexable reports whether the column is indexable.
	Indexable bool `json:"indexable"`
	// Name is the column name.
	Name string `json:"name"`
	// Nullable reports whether the column may hold null values.
	Nullable bool `json:"nullable"`
	// ObjectValueType is the column's object value type as reported by the API.
	ObjectValueType string `json:"object_value_type"`
	// ProviderName is the name of the provider of the column.
	ProviderName string `json:"provider_name"`
}
SearchColumn represents a found column and its properties.
type SearchMetadata ¶
type SearchMetadata struct {
	// Columns lists the columns found for the search.
	Columns []SearchColumn `json:"columns"`
}
SearchMetadata represents search metadata.
type SearchResult ¶
type SearchResult struct {
	// Events holds the events returned by the search.
	Events []Event `json:"events"`
}
SearchResult represents search result.
type SearchResultsScroller ¶
// SearchResultsScroller scrolls through the results of a query; iterate with Next and read each event with Result.
type SearchResultsScroller struct {
	// contains filtered or unexported fields
}
SearchResultsScroller represents a scroller for the results of the query.
func (*SearchResultsScroller) Length ¶
func (s *SearchResultsScroller) Length() int
Length returns the overall number of events.
func (*SearchResultsScroller) Next ¶
func (s *SearchResultsScroller) Next(ctx context.Context) bool
Next returns true if an event is still available to be consumed by the Result() method.
func (*SearchResultsScroller) Result ¶
func (s *SearchResultsScroller) Result() Event
Result returns the event yielded by the last call to Next.