### Setup Development Environment

Source: https://github.com/google/secops-wrapper/blob/main/TESTING.md

Clones the repository, creates a virtual environment, and installs the package with testing dependencies.

```bash
# Clone the repository
git clone https://github.com/google/secops-wrapper.git
cd secops-wrapper

# Create and activate a virtual environment
python -m venv venv
source venv/bin/activate

# Install the package in development mode with testing dependencies
pip install -e ".[test]"
```

--------------------------------

### Development Environment Setup

Source: https://github.com/google/secops-wrapper/blob/main/AUTHORING_GUIDE.md

Commands to clone the repository, create a virtual environment, and install dependencies.

```bash
# Clone the repository and set up the development environment
git clone https://github.com/google/secops-wrapper.git
cd secops-wrapper

# Create virtual environment
python -m venv venv
source venv/bin/activate

# Install package dependencies
pip install -r requirements.txt
```

--------------------------------

### Manage marketplace integrations

Source: https://github.com/google/secops-wrapper/blob/main/CLI.md

Commands to list, get details, diff, or install marketplace integrations.

```bash
# List all marketplace integrations (returns dict with pagination metadata)
secops integration marketplace list

# List marketplace integrations as a direct list (fetches all pages automatically)
secops integration marketplace list --as-list
```

```bash
secops integration marketplace get --integration-name "AWSSecurityHub"
```

```bash
secops integration marketplace diff --integration-name "AWSSecurityHub"
```

```bash
# Install with default settings
secops integration marketplace install --integration-name "AWSSecurityHub"

# Install to staging environment and override any existing ontology mappings
secops integration marketplace install --integration-name "AWSSecurityHub" --staging --override-mapping

# Installing a currently installed integration with no specified version
# number will update it to the latest version
secops integration marketplace install --integration-name "AWSSecurityHub"
```

--------------------------------

### Install and Authenticate Packages

Source: https://github.com/google/secops-wrapper/blob/main/colab.ipynb

Installs the necessary packages and authenticates with Google Cloud. Ensure you have the required permissions for authentication.

```python
!pip uninstall secops -y
!pip install secops
!pip install pandas plotly

from google.colab import auth
from google.auth import default
import google.auth.transport.requests

# Authenticate
auth.authenticate_user()
creds, _ = google.auth.default()
auth_req = google.auth.transport.requests.Request()
creds.refresh(auth_req)
print("✅ Authentication successful!")
```

--------------------------------

### Install Marketplace Integration

Source: https://github.com/google/secops-wrapper/blob/main/CLI.md

Installs a specific version of a marketplace integration.
```bash
secops integration marketplace install --integration-name "AWSSecurityHub" --version "5.0"
```

--------------------------------

### Install SecOps Wrapper

Source: https://github.com/google/secops-wrapper/blob/main/README.md

Install the SecOps wrapper package using pip.

```bash
pip install secops
```

--------------------------------

### Get Agent Integrations

Source: https://github.com/google/secops-wrapper/blob/main/CLI.md

Lists integrations installed on a specific agent.

```bash
secops integration integrations agent-integrations --agent-id "my-agent-id"
```

--------------------------------

### Install Package in Development Mode

Source: https://github.com/google/secops-wrapper/blob/main/TESTING.md

Use this command to install the package with test dependencies to resolve "Module Not Found" errors.

```bash
pip install -e ".[test]"
```

--------------------------------

### GET /integrations

Source: https://github.com/google/secops-wrapper/blob/main/api_module_mapping.md

List all available integrations.

```APIDOC
## GET /integrations

### Description
Retrieves a list of all integrations available in the system.

### Method
GET

### Endpoint
/integrations
```

--------------------------------

### Install Marketplace Integration

Source: https://github.com/google/secops-wrapper/blob/main/README.md

Installs or updates a marketplace integration. Supports installation to staging environments and overriding existing mappings.

```APIDOC
## Install Marketplace Integration

### Description
Installs or updates a marketplace integration. Supports installation to staging environments and overriding existing mappings.

### Method
POST (assumed)

### Endpoint
/v1/soar/integrations/marketplace/{integration_name}/install (assumed)

### Parameters
#### Path Parameters
- **integration_name** (string) - Required - The name of the marketplace integration to install or update.

#### Query Parameters
- **version** (string) - Optional - The specific version of the integration to install.
- **staging** (boolean) - Optional - If true, installs to the staging environment.
- **override_mapping** (boolean) - Optional - If true, overrides existing ontology mappings.

### Response
#### Success Response (200)
- **integration** (object) - Details of the installed or updated integration.
```

--------------------------------

### Python Example Service Method Imports

Source: https://github.com/google/secops-wrapper/blob/main/GEMINI.md

This snippet shows example imports for a service functionality module, including standard library types, custom exceptions, and project-specific clients.

```python
"""Example service functionality module."""

from typing import Dict, Any, Optional
from datetime import datetime

from secops.chronicle import ChronicleClient
from secops.exceptions import APIError, SecOpsError
```

--------------------------------

### List Integrations

Source: https://github.com/google/secops-wrapper/blob/main/README.md

Lists all currently installed integrations. Supports ordering and returning as a list.

```APIDOC
## List Integrations

### Description
Lists all currently installed integrations. Supports ordering and returning as a list.

### Method
GET (assumed)

### Endpoint
/v1/soar/integrations (assumed)

### Parameters
#### Query Parameters
- **as_list** (boolean) - Optional - If true, returns integrations as a list.
- **order_by** (string) - Optional - Field to order the integrations by (e.g., "displayName").

### Response
#### Success Response (200)
- **integrations** (array) - A list of installed integrations.
  - **identifier** (string) - The unique identifier of the integration.
  - **displayName** (string) - The display name of the integration.
  - **type** (string) - The type of the integration.
```

--------------------------------

### Get rule deployment details

Source: https://github.com/google/secops-wrapper/blob/main/CLI.md

Retrieve details for a specific rule deployment.
```bash
secops rule get-deployment --id "ru_12345"
```

--------------------------------

### Stream query configuration

Source: https://github.com/google/secops-wrapper/blob/main/CLI.md

Example JSON file structure for stream queries.

```json
{
  "logType": "WINEVTLOG"
}
```

--------------------------------

### List Installed Integrations

Source: https://github.com/google/secops-wrapper/blob/main/README.md

Retrieves a list of all currently installed SOAR integrations, with options to get them as a list, order them, or retrieve detailed parameters. Useful for inventory and management.

```python
import json

# Get all integrations (dict with pagination metadata)
integrations = chronicle.soar.list_integrations()
for i in integrations.get("integrations", []):
    integration_id = i["identifier"]
    integration_display_name = i["displayName"]
    integration_type = i["type"]

# Get all integrations as a list
integrations = chronicle.soar.list_integrations(as_list=True)
for i in integrations:
    integration = chronicle.soar.get_integration(i["identifier"])
    if integration.get("parameters"):
        print(json.dumps(integration, indent=2))

# Get integrations ordered by display name
integrations = chronicle.soar.list_integrations(order_by="displayName", as_list=True)
```

--------------------------------

### Get Agent Integrations

Source: https://github.com/google/secops-wrapper/blob/main/README.md

Retrieves the list of integrations currently installed on a specific agent.

```APIDOC
## get_agent_integrations

### Description
Retrieves the list of integrations currently installed on a specific agent.

### Method
chronicle.soar.get_agent_integrations

### Parameters
- **agent_id** (string) - Required - The ID of the agent.
```

--------------------------------

### Example Workflow: Create, Configure, Test, and Deploy Integration

Source: https://github.com/google/secops-wrapper/blob/main/CLI.md

A comprehensive workflow demonstrating the lifecycle of a custom integration, from creation to deployment and backup.

```bash
# 1. Create a new custom integration in staging
secops integration integrations create \
  --display-name "My Custom SIEM Connector" \
  --description "Custom connector for internal SIEM" \
  --python-version "V3_11" \
  --integration-type "RESPONSE" \
  --staging
```

```bash
# 2. Check its dependencies
secops integration integrations dependencies \
  --integration-id "MyCustomSIEMConnector"
```

```bash
# 3. View the diff before pushing to production
secops integration integrations diff \
  --integration-id "MyCustomSIEMConnector" \
  --diff-type "Production"
```

```bash
# 4. Check for restricted agents
secops integration integrations restricted-agents \
  --integration-id "MyCustomSIEMConnector" \
  --required-python-version "V3_11" \
  --push-request
```

```bash
# 5. Push to production
secops integration integrations transition \
  --integration-id "MyCustomSIEMConnector" \
  --target-mode "Production"
```

```bash
# 6. Download a backup
secops integration integrations download \
  --integration-id "MyCustomSIEMConnector" \
  --output-file "/tmp/my-siem-connector-backup.zip"
```

```bash
# 7. Export specific items for sharing
secops integration integrations export-items \
  --integration-id "MyCustomSIEMConnector" \
  --output-file "/tmp/siem-actions.zip" \
  --actions "PingAction" "FetchEvents"
```

--------------------------------

### Get Integration

Source: https://github.com/google/secops-wrapper/blob/main/README.md

Retrieves detailed information about a specific installed integration using its identifier.

```APIDOC
## Get Integration

### Description
Retrieves detailed information about a specific installed integration using its identifier.

### Method
GET (assumed)

### Endpoint
/v1/soar/integrations/{integration_identifier} (assumed)

### Parameters
#### Path Parameters
- **integration_identifier** (string) - Required - The unique identifier of the integration.

### Response
#### Success Response (200)
- **integration** (object) - Detailed information about the specified integration, including its parameters.
```

--------------------------------

### Complete Parser Workflow Example

Source: https://github.com/google/secops-wrapper/blob/main/CLI.md

Demonstrates retrieving an OKTA parser, running it against sample logs, and ingesting the parsed UDM event.

```bash
# Step 1: List OKTA parsers to find an active one
secops parser list --log-type "OKTA" > okta_parsers.json

# Extract the first parser ID (you can use jq or grep)
PARSER_ID=$(jq -r '.[0].name' okta_parsers.json | awk -F'/' '{print $NF}')
echo "Using parser: $PARSER_ID"

# Step 2: Get the parser details and save to a file
secops parser get --log-type "OKTA" --id "$PARSER_ID" > parser_details.json

# Extract and decode the parser code (base64 encoded in the 'cbn' field)
jq -r '.cbn' parser_details.json | base64 -d > okta_parser.conf
```

--------------------------------

### Create Custom Integration

Source: https://github.com/google/secops-wrapper/blob/main/CLI.md

Initializes a new custom integration with various configuration options.

```bash
# Create a basic integration
secops integration integrations create --display-name "My Custom Integration"

# Create in staging mode
secops integration integrations create \
  --display-name "My Custom Integration" \
  --staging

# Create with all options
secops integration integrations create \
  --display-name "My Custom Integration" \
  --description "Custom integration for internal tooling" \
  --python-version "V3_11" \
  --integration-type "RESPONSE" \
  --staging
```

--------------------------------

### Complete Parser Workflow Example

Source: https://github.com/google/secops-wrapper/blob/main/README.md

Demonstrates retrieving a parser, running it against a log, and ingesting the parsed UDM event. Useful for testing parsers, understanding log transformation, re-processing logs, and debugging.
```python
import base64
import json

# Step 1: List and retrieve an OKTA parser
parsers = chronicle.list_parsers(log_type="OKTA")
parser_id = parsers[0]["name"].split("/")[-1]
parser_details = chronicle.get_parser(log_type="OKTA", id=parser_id)

# Extract and decode the parser code (base64 encoded in the 'cbn' field)
parser_code = base64.b64decode(parser_details["cbn"]).decode("utf-8")

# Step 2: Run the parser against a sample log
okta_log = {
    "actor": {"alternateId": "user@example.com", "displayName": "Test User"},
    "eventType": "user.account.lock",
    "outcome": {"result": "FAILURE", "reason": "LOCKED_OUT"},
    "published": "2025-06-19T21:51:50.116Z",
    # ... other OKTA log fields
}

result = chronicle.run_parser(
    log_type="OKTA",
    parser_code=parser_code,
    parser_extension_code=None,
    logs=[json.dumps(okta_log)],
)

# Step 3: Extract and ingest the parsed UDM event
if result["runParserResults"][0]["parsedEvents"]:
    # parsedEvents is a dict with an 'events' key containing the actual events list
    parsed_events_data = result["runParserResults"][0]["parsedEvents"]
    if isinstance(parsed_events_data, dict) and "events" in parsed_events_data:
        events = parsed_events_data["events"]
        if events:
            # Extract the first event
            if "event" in events[0]:
                udm_event = events[0]["event"]
            else:
                udm_event = events[0]

            # Ingest the parsed UDM event back into Chronicle
            ingest_result = chronicle.ingest_udm(udm_events=udm_event)
            print(f"UDM event ingested: {ingest_result}")
```

--------------------------------

### Download Integration Package

Source: https://github.com/google/secops-wrapper/blob/main/CLI.md

Exports an integration as a ZIP file.

```bash
# Download integration as a ZIP file
secops integration integrations download \
  --integration-id "MyIntegration" \
  --output-file "/tmp/my-integration.zip"
```

--------------------------------

### Get Integrations on a Specific Agent

Source: https://github.com/google/secops-wrapper/blob/main/README.md

Retrieve a list of integrations currently installed on a specified agent using its ID.

```python
agent_integrations = chronicle.soar.get_agent_integrations(agent_id="my-agent-id")
```

--------------------------------

### Get Marketplace Integration Diff

Source: https://github.com/google/secops-wrapper/blob/main/README.md

Calculates and returns the difference between the currently installed version and the latest available version of a marketplace integration.

```APIDOC
## Get Marketplace Integration Diff

### Description
Calculates and returns the difference between the currently installed version and the latest available version of a marketplace integration.

### Method
GET (assumed)

### Endpoint
/v1/soar/integrations/marketplace/{integration_name}/diff (assumed)

### Parameters
#### Path Parameters
- **integration_name** (string) - Required - The name of the marketplace integration.

### Response
#### Success Response (200)
- **diff** (object) - An object detailing the differences between versions.
```

--------------------------------

### View Global Configuration

Source: https://github.com/google/secops-wrapper/blob/main/CLI.md

Display the current global configuration settings.

```bash
secops config view
```

--------------------------------

### Get Specific Integration Details

Source: https://github.com/google/secops-wrapper/blob/main/README.md

Fetches detailed information about a single installed integration using its identifier. This provides access to parameters, configuration, and other metadata.

```python
integration = chronicle.soar.get_integration("AWSSecurityHub")
```

--------------------------------

### Create a Forwarder with Optional Configuration

Source: https://github.com/google/secops-wrapper/blob/main/README.md

Create a forwarder with advanced configuration, including metadata, upload compression, HTTP settings, and server enablement. Use `upload_compression=True` for efficiency.
```python
# Create a forwarder with optional configuration
forwarder = chronicle.create_forwarder(
    display_name="ProductionForwarder",
    metadata={"labels": {"env": "prod"}},
    upload_compression=True,  # Enable upload compression for efficiency
    enable_server=False,  # Server functionality disabled
    http_settings={
        "port": 8080,
        "host": "192.168.0.100",
        "routeSettings": {
            "availableStatusCode": 200,
            "readyStatusCode": 200,
            "unreadyStatusCode": 500,
        },
    },
)
print(f"Created forwarder with ID: {forwarder['name'].split('/')[-1]}")
```

--------------------------------

### Get Marketplace Integration Diff

Source: https://github.com/google/secops-wrapper/blob/main/README.md

Compares the currently installed version of a marketplace integration with the latest available version. Useful for understanding what changes will be applied during an update.

```python
diff = chronicle.soar.get_marketplace_integration_diff("AWSSecurityHub")
```

--------------------------------

### Create Data Table and Reference List

Source: https://github.com/google/secops-wrapper/blob/main/CLI.md

Create a data table for tracking suspicious IPs and a reference list for trusted domains.

```bash
# Create a data table for suspicious IP address tracking
secops data-table create \
  --name "suspicious_ips" \
  --description "IP addresses with suspicious activity" \
  --header '{"ip_address":"CIDR","detection_count":"STRING","last_seen":"STRING"}' \
  --rows '[["192.168.1.100","5","2023-08-15"],["10.0.0.5","12","2023-08-16"]]'

# Create a reference list with trusted domains
secops reference-list create \
  --name "trusted_domains" \
  --description "Internal trusted domains" \
  --entries "internal.example.com,trusted.example.org,secure.example.net" \
  --syntax-type "STRING"
```

--------------------------------

### Create Integration Instance

Source: https://github.com/google/secops-wrapper/blob/main/CLI.md

Use to create a new integration instance. You can specify a display name, environment, description, instance ID, and configuration.

```bash
# Create basic integration instance
secops integration instances create \
  --integration-name "MyIntegration" \
  --display-name "Production Instance" \
  --environment "production"
```

```bash
# Create with description and custom ID
secops integration instances create \
  --integration-name "MyIntegration" \
  --display-name "Test Instance" \
  --environment "test" \
  --description "Testing environment instance" \
  --instance-id "test-inst-001"
```

```bash
# Create with configuration
secops integration instances create \
  --integration-name "MyIntegration" \
  --display-name "Configured Instance" \
  --environment "production" \
  --config '{"api_key":"secret123","region":"us-east1"}'
```

--------------------------------

### Generic GET Endpoint

Source: https://github.com/google/secops-wrapper/blob/main/api_module_mapping.md

A generic GET endpoint; its purpose is not specified in the provided text.

````APIDOC
## GET /

### Description
This is a generic GET endpoint. Its specific function is not detailed in the provided documentation.

### Method
GET

### Endpoint
/

### Response
#### Success Response (200)
- **status** (string) - Indicates the status of the endpoint.

#### Response Example
```json
{
  "status": "OK"
}
```
````

--------------------------------

### Transition Integration Environment

Source: https://github.com/google/secops-wrapper/blob/main/README.md

Transition an integration to either the staging or production environment. Ensure the integration is ready before transitioning to production.
```python
from secops.chronicle.models import TargetMode

# Transition to staging environment
chronicle.soar.transition_integration(
    integration_name="AWSSecurityHub",
    target_mode=TargetMode.STAGING,
)

# Transition to production environment
chronicle.soar.transition_integration(
    integration_name="AWSSecurityHub",
    target_mode=TargetMode.PRODUCTION,
)
```

--------------------------------

### Create Forwarder

Source: https://github.com/google/secops-wrapper/blob/main/CLI.md

Initialize a new log forwarder configuration.

```bash
secops forwarder create --display-name "my-custom-forwarder"
```

--------------------------------

### Set Start and End Times

Source: https://github.com/google/secops-wrapper/blob/main/CLI.md

Set the default start and end times for queries in ISO 8601 format.

```bash
secops config set --start-time "2023-07-01T00:00:00Z" --end-time "2023-07-02T00:00:00Z"
```

--------------------------------

### Chronicle Client Initialization

Source: https://github.com/google/secops-wrapper/blob/main/README.md

Shows how to initialize the Chronicle-specific client after creating a SecOpsClient.

````APIDOC
## Chronicle Client Initialization

### Description
Initializes the Chronicle client using an existing SecOpsClient instance. Requires the Chronicle instance ID, GCP project ID, and the API region.

### Method
Initialization

### Parameters
#### Path Parameters
- **customer_id** (string) - Required - Your Chronicle instance ID.
- **project_id** (string) - Required - Your GCP project ID.
- **region** (string) - Required - Chronicle API region.
- **default_api_version** (string) - Optional - Default API version for the client (e.g., 'v1alpha', 'v1', 'v1beta'). Defaults to 'v1alpha'.

### Request Example
```python
# Initialize Chronicle client
chronicle = client.chronicle(
    customer_id="your-chronicle-instance-id",
    project_id="your-project-id",
    region="us"
)
```
````

--------------------------------

### POST /integrations/{id}/push-to-production

Source: https://github.com/google/secops-wrapper/blob/main/api_module_mapping.md

Transition an integration to production mode.

```APIDOC
## POST /integrations/{id}/push-to-production

### Description
Transitions the specified integration to the production environment.

### Method
POST

### Endpoint
/integrations/{id}/push-to-production

### Parameters
#### Path Parameters
- **id** (string) - Required - The unique identifier of the integration.
```

--------------------------------

### Get CVE Information

Source: https://github.com/google/secops-wrapper/blob/main/README.md

Retrieve detailed information about a specific CVE by querying Gemini. This snippet demonstrates how to get the textual explanation of the CVE.

```python
# Ask about a CVE
cve_response = chronicle.gemini("tell me about CVE-2021-44228")

# Get the explanation
cve_explanation = cve_response.get_text_content()
print("CVE explanation:", cve_explanation)
```

--------------------------------

### Implement example_service Operation

Source: https://github.com/google/secops-wrapper/blob/main/GEMINI.md

Performs a GET request to a resource endpoint with validation and error handling. Requires a configured ChronicleClient instance.

```python
from typing import Any, Dict, Optional
from datetime import datetime

from secops.exceptions import APIError

# DEFAULT_SORT is assumed to be a module-level constant; placeholder value here
DEFAULT_SORT = "name"


def example_service(
    client: "ChronicleClient",
    resource_id: str,
    params: Optional[Dict[str, Any]] = None,
) -> Dict[str, Any]:
    """Performs an example service operation with proper error handling.

    Args:
        client: ChronicleClient instance for API requests
        resource_id: Unique identifier for the target resource
        params: Optional parameters to include in the request

    Returns:
        Dictionary containing the processed service response with:
        - status: Operation result status
        - data: The returned resource data
        - timestamp: Processing timestamp

    Raises:
        APIError: If the API request fails or returns an error status
        SecOpsError: If input validation fails or a processing error occurs
        ValueError: If resource_id is empty or invalid
    """
    # Input validation
    if not resource_id or not isinstance(resource_id, str):
        raise ValueError("resource_id must be a non-empty string")

    # Prepare request parameters
    request_params = {"format": "json", "sort": DEFAULT_SORT}
    if params:
        request_params.update(params)

    try:
        # Construct the API endpoint URL
        url = f"{client.base_url}/resources/{resource_id}"

        # Execute the API request
        response = client.session.get(
            url,
            params=request_params,
        )

        # Handle error responses
        if response.status_code != 200:
            print(f"Service request failed with status {response.status_code}")
            raise APIError(f"Service request failed: {response.text}")

        # Process successful response
        result = response.json()

        # Perform additional processing if needed
        processed_result = {
            "status": "success",
            "data": result,
            "timestamp": datetime.utcnow().isoformat(),
        }

        return processed_result

    except Exception as error:
        # Log the error with appropriate context
        print(f"Unexpected error in example_service for resource {resource_id}: {error}")
        raise
```

--------------------------------

### Get Reference List Details

Source: https://github.com/google/secops-wrapper/blob/main/CLI.md

Retrieves details for a specific reference list. Use `--view "BASIC"` to get only metadata.
```bash
secops reference-list get --name "malicious_domains"
```

```bash
secops reference-list get --name "malicious_domains" --view "BASIC"  # Metadata only
```

--------------------------------

### SecOpsClient Initialization with Retry Configuration

Source: https://github.com/google/secops-wrapper/blob/main/README.md

Demonstrates how to initialize the SecOpsClient with custom retry configuration or disable retries.

````APIDOC
## SecOpsClient Initialization with Retry Configuration

### Description
Initializes the SecOpsClient with built-in retry functionality to handle transient errors. Customization options include the total number of retries, the specific HTTP status codes and methods to retry, and a backoff factor. Retries can also be completely disabled.

### Method
Initialization

### Parameters
#### Retry Configuration
- **total** (int) - Optional - Maximum number of retries (default: 5).
- **retry_status_codes** (list[int]) - Optional - HTTP status codes to retry.
- **allowed_methods** (list[str]) - Optional - HTTP methods to retry.
- **backoff_factor** (float) - Optional - Backoff factor (default: 0.3).

### Request Example
```python
from secops import SecOpsClient
from secops.auth import RetryConfig

# Define retry configuration
retry_config = RetryConfig(
    total=3,
    retry_status_codes=[429, 500, 502, 503, 504],
    allowed_methods=["GET", "DELETE"],
    backoff_factor=0.5
)

# Initialize with custom retry config
client = SecOpsClient(retry_config=retry_config)

# Disable retry completely
client = SecOpsClient(retry_config=False)
```
````

--------------------------------

### Initialize SecOps Client with Environment Proxies

Source: https://github.com/google/secops-wrapper/blob/main/PROXIES.md

After setting the proxy environment variables, the `SecOpsClient` will automatically use them. No additional configuration is needed for the client initialization itself.

```python
from secops import SecOpsClient

# The client will automatically use the configured proxy
client = SecOpsClient()
chronicle = client.chronicle(region="us")
```

--------------------------------

### Get Staging Diff for SecOps Integration

Source: https://github.com/google/secops-wrapper/blob/main/api_module_mapping.md

Use this function to get the staging difference for a SecOps integration. Specify the API version and diff type.

```python
chronicle.soar.integration.integrations.get_integration_diff(
    api_version=APIVersion.V1ALPHA,
    diff_type=DiffType.STAGING,
)
```

--------------------------------

### Get Production Diff for SecOps Integration

Source: https://github.com/google/secops-wrapper/blob/main/api_module_mapping.md

Use this function to get the production difference for a SecOps integration. Specify the API version and diff type.

```python
chronicle.soar.integration.integrations.get_integration_diff(
    api_version=APIVersion.V1ALPHA,
    diff_type=DiffType.PRODUCTION,
)
```

--------------------------------

### Initialize Chronicle Client

Source: https://github.com/google/secops-wrapper/blob/main/colab.ipynb

Initializes the Chronicle client with customer and project IDs and sets a time range for subsequent queries. Replace the placeholder IDs with your own.

```python
from datetime import datetime, timedelta, timezone
from secops import SecOpsClient
import pandas as pd
import plotly.express as px
import plotly.graph_objects as go

# Initialize client
client = SecOpsClient()
chronicle = client.chronicle(
    customer_id="c3c6260c1c9340dcbbb802603bbfffff",  # not a real customer id
    project_id="725716779999",
    region="us",
)

# Set time range for queries
end_time = datetime.now(timezone.utc)
start_time = end_time - timedelta(hours=24)

print("📊 Analyzing security data from:")
print(
    f"   {start_time.strftime('%Y-%m-%d %H:%M:%S')} to {end_time.strftime('%Y-%m-%d %H:%M:%S')} UTC"
)
```

--------------------------------

### POST /integrations.pushToStaging

Source: https://github.com/google/secops-wrapper/blob/main/api_module_mapping.md

Transitions an integration to the staging environment.

```APIDOC
## POST /integrations.pushToStaging

### Description
Transitions a specified integration to the staging environment using the TargetMode.STAGING configuration.

### Method
POST

### Endpoint
/integrations.pushToStaging
```

--------------------------------

### Install or Update Marketplace Integration

Source: https://github.com/google/secops-wrapper/blob/main/README.md

Installs a new marketplace integration or updates an existing one to the latest version. Supports options such as staging and overriding mappings. Specify a version for precise control.
```python
# Install an integration with the default settings
integration_name = "AWSSecurityHub"
integration = chronicle.soar.install_marketplace_integration(integration_name)

# Install to staging environment and override any existing ontology mappings
integration = chronicle.soar.install_marketplace_integration(
    integration_name,
    staging=True,
    override_mapping=True,
)

# Installing a currently installed integration with no specified version
# number will update it to the latest version
integration = chronicle.soar.install_marketplace_integration(integration_name)

# Or you can specify a specific version to install
integration = chronicle.soar.install_marketplace_integration(
    integration_name,
    version="5.0",
)
```

--------------------------------

### Create a Pipeline

Source: https://github.com/google/secops-wrapper/blob/main/CLI.md

Creates a pipeline using inline JSON or a configuration file.

```bash
# Create from inline JSON
secops log-processing create --pipeline '{"displayName":"My Pipeline","description":"Filters error logs","processors":[{"filterProcessor":{"include":{"logMatchType":"REGEXP","logBodies":[".*error.*"]},"errorMode":"IGNORE"}}]}'

# Create from JSON file
secops log-processing create --pipeline pipeline_config.json
```

```json
{
  "displayName": "Production Pipeline",
  "description": "Filters and transforms production logs",
  "processors": [
    {
      "filterProcessor": {
        "include": {
          "logMatchType": "REGEXP",
          "logBodies": [".*error.*", ".*warning.*"]
        },
        "errorMode": "IGNORE"
      }
    }
  ],
  "customMetadata": [
    {"key": "environment", "value": "production"},
    {"key": "team", "value": "security"}
  ]
}
```

--------------------------------

### GET /nativeDashboards.list

Source: https://github.com/google/secops-wrapper/blob/main/api_module_mapping.md

Lists all available native dashboards.

```APIDOC
## GET nativeDashboards.list

### Description
Retrieves a list of all native dashboards.

### Method
GET

### Endpoint
nativeDashboards.list
```

--------------------------------

### Create Minimal Dashboard

Source: https://github.com/google/secops-wrapper/blob/main/CLI.md

Use this command to create a basic dashboard with a display name, description, and access type.

```bash
secops dashboard create --display-name "Security Overview" \
  --description "Security monitoring dashboard" \
  --access-type PRIVATE
```

--------------------------------

### GET /logTypes/list

Source: https://github.com/google/secops-wrapper/blob/main/api_module_mapping.md

Lists all available log types.

```APIDOC
## GET /logTypes/list

### Description
Retrieves a list of all log types.

### Method
GET

### Endpoint
/logTypes/list
```

--------------------------------

### Import Dashboard with Chart and Query from Files

Source: https://github.com/google/secops-wrapper/blob/main/CLI.md

Import a dashboard along with its associated chart and query definitions by specifying separate files for each component.

```bash
secops dashboard import --dashboard-data-file dashboard_data.json --chart-file chart.json --query-file query.json
```

--------------------------------

### Configure SecOpsClient with Proxy

Source: https://github.com/google/secops-wrapper/blob/main/PROXIES.md

Sets environment variables for the HTTPS proxy and CA bundle before initializing the client. Requires the secops package and appropriate network configuration.
```python
import os
import logging
from secops import SecOpsClient
from secops.exceptions import SecOpsError

# Configure logging
logging.basicConfig(level=logging.INFO)
logger = logging.getLogger(__name__)

# Configure proxy (the requests library honours both variables)
os.environ['HTTPS_PROXY'] = 'http://proxy.example.com:3128'
os.environ['REQUESTS_CA_BUNDLE'] = '/path/to/cert.pem'

try:
    # Initialize client
    client = SecOpsClient()

    # Initialize Chronicle
    chronicle = client.chronicle(region="us")

    # Test connection
    response = chronicle.list_rules()
    logger.info("Successfully connected through proxy")
except SecOpsError as e:
    logger.error(f"Failed to connect: {e}")
```

--------------------------------

### GET /errorNotificationConfigs.list

Source: https://github.com/google/secops-wrapper/blob/main/api_module_mapping.md

Lists all error notification configurations.

```APIDOC
## GET /errorNotificationConfigs.list

### Description
Retrieves a list of all error notification configurations.

### Method
GET

### Endpoint
/errorNotificationConfigs.list
```

--------------------------------

### List Integration Instances

Source: https://github.com/google/secops-wrapper/blob/main/CLI.md

Use these commands to list integration instances. Supports filtering, pagination, and fetching all results as a list.

```bash
# List all instances for an integration
secops integration instances list --integration-name "MyIntegration"
```

```bash
# List instances as a direct list (fetches all pages automatically)
secops integration instances list --integration-name "MyIntegration" --as-list
```

```bash
# List with pagination
secops integration instances list --integration-name "MyIntegration" --page-size 50
```

```bash
# List with filtering
secops integration instances list --integration-name "MyIntegration" --filter-string "enabled = true"
```

--------------------------------

### GET /enrichmentControls.list

Source: https://github.com/google/secops-wrapper/blob/main/api_module_mapping.md

Lists all available enrichment controls.
```APIDOC
## GET /enrichmentControls.list

### Description
Lists all enrichment controls configured in the system.

### Method
GET

### Endpoint
/enrichmentControls.list
```

--------------------------------

### GET /entities.get

Source: https://github.com/google/secops-wrapper/blob/main/api_module_mapping.md

Retrieves details for a specific entity.

```APIDOC
## GET /entities.get

### Description
Retrieves information about a specific entity.

### Method
GET

### Endpoint
/entities.get
```

--------------------------------

### Get Default Integration Instance

Source: https://github.com/google/secops-wrapper/blob/main/README.md

Retrieve the system default configuration for a commercial product's integration instance.

```python
# Get the system default configuration for a commercial product
default_instance = chronicle.soar.get_default_integration_instance(
    integration_name="AWSSecurityHub",
)
print(f"Default Instance: {default_instance.get('displayName')}")
print(f"Environment: {default_instance.get('environment')}")
```

--------------------------------

### GET users.getPreferenceSet

Source: https://github.com/google/secops-wrapper/blob/main/api_module_mapping.md

Retrieves the preference set for a user.

```APIDOC
## GET users.getPreferenceSet

### Description
Retrieves the current preference set for the specified user.

### Method
GET

### Endpoint
users.getPreferenceSet
```

--------------------------------

### View Local Configuration

Source: https://github.com/google/secops-wrapper/blob/main/CLI.md

Display the current local configuration settings for the project using the --local flag.

```bash
secops config view --local
```

--------------------------------

### Get Watchlist by ID

Source: https://github.com/google/secops-wrapper/blob/main/README.md

Retrieves a specific watchlist by its ID.
```python
watchlist = chronicle.get_watchlist("acb-123-def")
```

--------------------------------

### Create Integration Instance

Source: https://github.com/google/secops-wrapper/blob/main/README.md

Create a new integration instance. Can be done with only required fields or with all fields including display name, description, parameters, and agent.

```python
from secops.chronicle.models import IntegrationInstanceParameter

# Create instance with required fields only
new_instance = chronicle.soar.create_integration_instance(
    integration_name="MyIntegration",
    environment="production",
)

# Create instance with all fields
new_instance = chronicle.soar.create_integration_instance(
    integration_name="MyIntegration",
    environment="production",
    display_name="Production Instance",
    description="Main production integration instance",
    parameters=[
        IntegrationInstanceParameter(value="api_key_value"),
        IntegrationInstanceParameter(value="https://api.example.com"),
    ],
    agent="agent-123",
)
```

--------------------------------

### GET /logTypes/get

Source: https://github.com/google/secops-wrapper/blob/main/api_module_mapping.md

Retrieves details for a specific log type.

```APIDOC
## GET /logTypes/get

### Description
Retrieves information for a specific log type.

### Method
GET

### Endpoint
/logTypes/get
```

--------------------------------

### GET /dataTables

Source: https://github.com/google/secops-wrapper/blob/main/api_module_mapping.md

Retrieves a list of available data tables.

```APIDOC
## GET /dataTables

### Description
Retrieves a list of all data tables available in the system.

### Method
GET

### Endpoint
dataTables.list
```

--------------------------------

### GET /integrations/{id}

Source: https://github.com/google/secops-wrapper/blob/main/api_module_mapping.md

Retrieve details for a specific integration.

```APIDOC
## GET /integrations/{id}

### Description
Fetches the configuration and details of a specific integration by its ID.
### Method
GET

### Endpoint
/integrations/{id}

### Parameters
#### Path Parameters
- **id** (string) - Required - The unique identifier of the integration.
```

--------------------------------

### List curated rule set deployments

Source: https://github.com/google/secops-wrapper/blob/main/CLI.md

Retrieve all curated rule set deployments.

```bash
secops curated-rule rule-set-deployment list
```

```bash
secops curated-rule rule-set-deployment list --as-list
```

--------------------------------

### List rule deployments

Source: https://github.com/google/secops-wrapper/blob/main/CLI.md

Retrieve rule deployments with support for pagination and filtering.

```bash
secops rule list-deployments
```

```bash
secops rule list-deployments --page-size 10 --page-token "token"
```

```bash
secops rule list-deployments --filter "enabled=true"
```

--------------------------------

### General Get Endpoint

Source: https://github.com/google/secops-wrapper/blob/main/api_module_mapping.md

A general endpoint for retrieving resources.

```APIDOC
## GET /get

### Description
A general endpoint for retrieving resources.

### Method
GET

### Endpoint
/get
```

--------------------------------

### Create a Basic Forwarder

Source: https://github.com/google/secops-wrapper/blob/main/README.md

Create a new Chronicle forwarder with just a display name. This is the simplest way to provision a forwarder.

```python
# Create a basic forwarder with just a display name
forwarder = chronicle.create_forwarder(display_name="MyAppForwarder")
```

--------------------------------

### Uninstall Marketplace Integration

Source: https://github.com/google/secops-wrapper/blob/main/CLI.md

Removes a previously installed marketplace integration.
```bash
secops integration marketplace uninstall --integration-name "AWSSecurityHub"
```

--------------------------------

### Initialize Chronicle Client

Source: https://github.com/google/secops-wrapper/blob/main/README.md

Initialize the Chronicle client using an existing SecOpsClient instance, providing your Chronicle instance ID, GCP project ID, and the API region.

```python
# Initialize Chronicle client
chronicle = client.chronicle(
    customer_id="your-chronicle-instance-id",  # Your Chronicle instance ID
    project_id="your-project-id",              # Your GCP project ID
    region="us"                                # Chronicle API region
)
```

--------------------------------

### Get Integration Dependencies

Source: https://github.com/google/secops-wrapper/blob/main/README.md

Retrieves the list of dependencies for a given integration.

```APIDOC
## get_integration_dependencies

### Description
Retrieves the list of dependencies for a given integration.

### Method
chronicle.soar.get_integration_dependencies

### Parameters
- **integration_name** (string) - Required - The name of the integration to get dependencies for.
```

--------------------------------

### GET /legacy/legacySearchRulesAlerts

Source: https://github.com/google/secops-wrapper/blob/main/api_module_mapping.md

Searches for rule alerts within the legacy system.

```APIDOC
## GET /legacy/legacySearchRulesAlerts

### Description
Searches for rule alerts using the chronicle.rule_alert.search_rule_alerts method.

### Method
GET

### Endpoint
/legacy/legacySearchRulesAlerts
```

--------------------------------

### Create Dashboard with Filters and Charts

Source: https://github.com/google/secops-wrapper/blob/main/CLI.md

Create a dashboard with specified filters and charts. Ensure the filters file and the charts JSON are correctly formatted.
```bash
secops dashboard create --display-name "Security Overview" \
  --description "Security monitoring dashboard" \
  --access-type PRIVATE \
  --filters-file filters.json \
  --charts '[{"dashboardChart": "projects//locations//instances//dashboardCharts/", "chartLayout": {"startX": 0, "spanX": 48, "startY": 0, "spanY": 26}, "filtersIds": ["GlobalTimeFilter"]}]'
```

--------------------------------

### GET /investigation/get

Source: https://github.com/google/secops-wrapper/blob/main/CLI.md

Retrieves details for a specific investigation by its unique identifier.

```APIDOC
## GET /investigation/get

### Description
Fetches details for a specific investigation.

### Parameters
#### Query Parameters
- **id** (string) - Required - The unique ID of the investigation
```