rules

package
v0.1.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 15, 2021 License: Apache-2.0 Imports: 8 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Client 

type Client struct {
	// contains filtered or unexported fields
}

Client provides an easy to use Go client to the Rules API

func New 

func New(url string, tenantID string) *Client

New returns a new Client, ready for use

func NewWithClient 

func NewWithClient(url string, tenantID string, client *client.Client) *Client

NewWithClient returns a new Client which uses the given client

func (*Client) AddFilterToRule 

func (c *Client) AddFilterToRule(ruleID string, filter RuleFilterInput) (RuleFilter, error)

AddFilterToRule will add the provided filter to the rule with the given ID

func (*Client) AddFilterToRuleCtx 

func (c *Client) AddFilterToRuleCtx(ctx context.Context, ruleID string, filter RuleFilterInput) (RuleFilter, error)

AddFilterToRuleCtx will add the provided filter to the rule with the given ID

func (*Client) CreateRedQLRule 

func (c *Client) CreateRedQLRule(input RuleInput, redQLFilter RuleRedQLFilterInput) (Rule, error)

CreateRedQLRule will create the given new rule with a redql filter

func (*Client) CreateRedQLRuleCtx 

func (c *Client) CreateRedQLRuleCtx(ctx context.Context, input RuleInput, redQLFilter RuleRedQLFilterInput) (Rule, error)

CreateRedQLRuleCtx will create the given new rule with a redql filter

func (*Client) CreateRule 

func (c *Client) CreateRule(input RuleInput, filters []RuleFilterInput) (Rule, error)

CreateRule will create the given new rule, with optional filters

func (*Client) CreateRuleCtx 

func (c *Client) CreateRuleCtx(ctx context.Context, input RuleInput, filters []RuleFilterInput) (Rule, error)

CreateRuleCtx will create the given new rule, with optional filters

func (*Client) DeleteFilter 

func (c *Client) DeleteFilter(filterID string) (RuleFilter, error)

DeleteFilter will delete the given Regex filter, and return it

func (*Client) DeleteFilterCtx 

func (c *Client) DeleteFilterCtx(ctx context.Context, filterID string) (RuleFilter, error)

DeleteFilterCtx will delete the given Regex filter, and return it

func (*Client) DeleteRule 

func (c *Client) DeleteRule(ruleID string) (Rule, error)

DeleteRule will delete the given rule

func (*Client) DeleteRuleCtx 

func (c *Client) DeleteRuleCtx(ctx context.Context, ruleID string) (Rule, error)

DeleteRuleCtx will delete the given rule

func (*Client) DisableRule 

func (c *Client) DisableRule(id string) (Rule, error)

DisableRule will disable the rule with the given ID

func (*Client) DisableRuleCtx 

func (c *Client) DisableRuleCtx(ctx context.Context, id string) (Rule, error)

DisableRuleCtx will disable the rule with the given ID

func (*Client) EnableRule 

func (c *Client) EnableRule(id string) (Rule, error)

EnableRule will enable the rule with the given ID

func (*Client) EnableRuleCtx 

func (c *Client) EnableRuleCtx(ctx context.Context, id string) (Rule, error)

EnableRuleCtx will enable the rule with the given ID

func (*Client) GetChangesSince 

func (c *Client) GetChangesSince(timestamp time.Time, eventType *RuleEventType, ruleType *RuleType) ([]*Rule, error)

GetChangesSince will return all rules that changed since the given time.

The provided time will be compared to the updated at time of the rules and if any of those are greater than the provided time, that rule (and its filters) will be returned.

The event type, if provided, will limit the returned rules to those for that event type.

If no rules or filters have changed since that time, nothing will be returned.

This can be used by clients to easily see when rules have been edited by polling this endpoint periodically, passing in the last time they checked.

func (*Client) GetChangesSinceCtx 

func (c *Client) GetChangesSinceCtx(ctx context.Context, timestamp time.Time, eventType *RuleEventType, ruleType *RuleType) ([]*Rule, error)

GetChangesSinceCtx will return all rules that changed since the given time.

The provided time will be compared to the updated at time of the rules and if any of those are greater than the provided time, that rule (and its filters) will be returned.

The event type, if provided, will limit the returned rules to those for that event type.

If no rules or filters have changed since that time, nothing will be returned.

This can be used by clients to easily see when rules have been edited by polling this endpoint periodically, passing in the last time they checked.

func (*Client) GetDeletedRules 

func (c *Client) GetDeletedRules(page *int, count *int, ruleType *RuleType) ([]*Rule, error)

GetDeletedRules will return deleted rules

func (*Client) GetDeletedRulesCtx 

func (c *Client) GetDeletedRulesCtx(ctx context.Context, page *int, count *int, ruleType *RuleType) ([]*Rule, error)

GetDeletedRulesCtx will return deleted rules

func (*Client) GetFilterKeys 

func (c *Client) GetFilterKeys(eventType RuleEventType) ([]string, error)

GetFilterKeys will return a list of all valid filter keys for the given event type

func (*Client) GetFilterKeysCtx 

func (c *Client) GetFilterKeysCtx(ctx context.Context, eventType RuleEventType) ([]string, error)

GetFilterKeysCtx will return a list of all valid filter keys for the given event type

func (*Client) GetRule 

func (c *Client) GetRule(id string) (*Rule, error)

GetRule will get the rule with this ID

func (*Client) GetRuleCtx 

func (c *Client) GetRuleCtx(ctx context.Context, id string) (*Rule, error)

GetRuleCtx will get the rule with this ID

func (*Client) GetRules 

func (c *Client) GetRules(page *int, count *int, ruleType *RuleType) ([]*Rule, error)

GetRules will return pages of all rules, sorted by descending updated at date

func (*Client) GetRulesCount 

func (c *Client) GetRulesCount(ruleType *RuleType) (int, error)

GetRulesCount will return a count of all rules

func (*Client) GetRulesCountCtx 

func (c *Client) GetRulesCountCtx(ctx context.Context, ruleType *RuleType) (int, error)

GetRulesCountCtx will return a count of all rules

func (*Client) GetRulesCtx 

func (c *Client) GetRulesCtx(ctx context.Context, page *int, count *int, ruleType *RuleType) ([]*Rule, error)

GetRulesCtx will return pages of all rules, sorted by descending updated at date

func (*Client) GetRulesForEvent 

func (c *Client) GetRulesForEvent(params *GetRulesForEventArguments) ([]*Rule, error)

GetRulesForEvent will return pages of rules for the given event type, sorted by descending updated at date

func (*Client) GetRulesForEventCount 

func (c *Client) GetRulesForEventCount(eventType RuleEventType, ruleType *RuleType) (int, error)

GetRulesForEventCount will return a count of all rules for the given event type

func (*Client) GetRulesForEventCountCtx 

func (c *Client) GetRulesForEventCountCtx(ctx context.Context, eventType RuleEventType, ruleType *RuleType) (int, error)

GetRulesForEventCountCtx will return a count of all rules for the given event type

func (*Client) GetRulesForEventCtx 

func (c *Client) GetRulesForEventCtx(ctx context.Context, params *GetRulesForEventArguments) ([]*Rule, error)

GetRulesForEventCtx will return pages of rules for the given event type, sorted by descending updated at date

func (*Client) UpdateFilter 

func (c *Client) UpdateFilter(filterID string, filter RuleFilterInput) (RuleFilter, error)

UpdateFilter will update the given filter

func (*Client) UpdateFilterCtx 

func (c *Client) UpdateFilterCtx(ctx context.Context, filterID string, filter RuleFilterInput) (RuleFilter, error)

UpdateFilterCtx will update the given filter

func (*Client) UpdateRedQLFilter 

func (c *Client) UpdateRedQLFilter(filterID string, redQLFilter RuleRedQLFilterInput) (RuleRedQLFilter, error)

UpdateRedQLFilter will update the given RedQL Filter

func (*Client) UpdateRedQLFilterCtx 

func (c *Client) UpdateRedQLFilterCtx(ctx context.Context, filterID string, redQLFilter RuleRedQLFilterInput) (RuleRedQLFilter, error)

UpdateRedQLFilterCtx will update the given RedQL Filter

func (*Client) UpdateRule 

func (c *Client) UpdateRule(ruleID string, rule RuleInput) (Rule, error)

UpdateRule will update the given rule, without changing the filters

func (*Client) UpdateRuleCtx 

func (c *Client) UpdateRuleCtx(ctx context.Context, ruleID string, rule RuleInput) (Rule, error)

UpdateRuleCtx will update the given rule, without changing the filters

type GetChangesSinceClient 

type GetChangesSinceClient interface {
	GetChangesSince(timestamp time.Time, eventType *RuleEventType, ruleType *RuleType) ([]*Rule, error)
}

GetChangesSinceClient represents things that implement the GetChangesSince method, which would normally be the Client.

type GetRulesForEventArguments 

type GetRulesForEventArguments struct {
	EventType RuleEventType `json:"eventType"`
	Page      *int          `json:"page"`
	Count     *int          `json:"count"`
	RuleType  *RuleType     `json:"ruleType"`
}

GetRulesForEventArguments is the parameters for GetRulesForEvent

type Rule 

type Rule struct {
	ID               string                 `json:"id"`
	TenantID         string                 `json:"tenantID"`
	UserID           string                 `json:"userID"`
	EventType        RuleEventType          `json:"eventType"`
	Name             string                 `json:"name"`
	Description      string                 `json:"description"`
	Visibility       RuleVisibility         `json:"visibility"`
	ResultVisibility RuleVisibility         `json:"resultVisibility"`
	Severity         float32                `json:"severity"`
	Confidence       float32                `json:"confidence"`
	Enabled          bool                   `json:"enabled"`
	CreateAlert      bool                   `json:"createAlert"`
	Tags             []string               `json:"tags"`
	DestinationTopic *string                `json:"destinationTopic"`
	AttackCategories []string               `json:"attackCategories"`
	EndpointPlatform []RuleEndpointPlatform `json:"endpointPlatform"`
	References       []RuleReference        `json:"references"`
	Deleted          bool                   `json:"deleted"`
	CreatedAt        time.Time              `json:"createdAt"`
	UpdatedAt        time.Time              `json:"updatedAt"`
	Filters          []RuleFilter           `json:"filters"`
	RedQLFilter      *RuleRedQLFilter       `json:"redQLFilter"`
}

Rule is a named container for filters with some metadata

type RuleCountComparison 

type RuleCountComparison string

The comparison operator used for counting filters 

const (
	RuleCountComparisonGreaterThan RuleCountComparison = "greater_than"
	RuleCountComparisonLessThan    RuleCountComparison = "less_than"
	RuleCountComparisonEqualTo     RuleCountComparison = "equal_to"
)

type RuleDailyCount 

type RuleDailyCount struct {
	Count int    `json:"count"`
	Date  string `json:"date"`
}

type RuleEndpointPlatform 

type RuleEndpointPlatform string

The possible platforms a rule can apply to 

const (
	RuleEndpointPlatformPlatformWindows RuleEndpointPlatform = "PLATFORM_WINDOWS"
	RuleEndpointPlatformPlatformLinux   RuleEndpointPlatform = "PLATFORM_LINUX"
	RuleEndpointPlatformPlatformMac     RuleEndpointPlatform = "PLATFORM_MAC"
	RuleEndpointPlatformPlatformUnknown RuleEndpointPlatform = "PLATFORM_UNKNOWN"
)

type RuleEventData 

type RuleEventData struct {
	Key   string `json:"key"`
	Value string `json:"value"`
}

RuleEventData represents a single field in an event returned when testing rules

type RuleEventType 

type RuleEventType string

The type of event a rule is intended to filter 

const (
	RuleEventTypeAuth            RuleEventType = "auth"
	RuleEventTypeDnsquery        RuleEventType = "dnsquery"
	RuleEventTypeFilemod         RuleEventType = "filemod"
	RuleEventTypeHTTP            RuleEventType = "http"
	RuleEventTypeManagementEvent RuleEventType = "management_event"
	RuleEventTypeNetflow         RuleEventType = "netflow"
	RuleEventTypeNids            RuleEventType = "nids"
	RuleEventTypeObservation     RuleEventType = "observation"
	RuleEventTypeObservationV2   RuleEventType = "observation_v2"
	RuleEventTypePersistence     RuleEventType = "persistence"
	RuleEventTypeProcess         RuleEventType = "process"
	RuleEventTypeRegistry        RuleEventType = "registry"
	RuleEventTypeScriptBlock     RuleEventType = "script_block"
	RuleEventTypeThreadInjection RuleEventType = "thread_injection"
)

type RuleFilter 

type RuleFilter struct {
	ID            string         `json:"id"`
	RuleID        string         `json:"ruleID"`
	Key           string         `json:"key"`
	Pattern       string         `json:"pattern"`
	Inverted      bool           `json:"inverted"`
	CaseSensitive bool           `json:"caseSensitive"`
	Count         *RuleTermCount `json:"count"`
	TestShould    []string       `json:"testShould"`
	TestShouldNot []string       `json:"testShouldNot"`
	CreatedAt     time.Time      `json:"createdAt"`
	UpdatedAt     time.Time      `json:"updatedAt"`
}

RuleFilter is a regular expression which should be applied to an event field

type RuleFilterInput 

type RuleFilterInput struct {
	Key           string              `json:"key"`
	Pattern       string              `json:"pattern"`
	Inverted      *bool               `json:"inverted"`
	CaseSensitive *bool               `json:"caseSensitive"`
	Count         *RuleTermCountInput `json:"count"`
	TestShould    []string            `json:"testShould"`
	TestShouldNot []string            `json:"testShouldNot"`
}

type RuleInput 

type RuleInput struct {
	ID               *string                `json:"id"`
	EventType        *RuleEventType         `json:"eventType"`
	Name             *string                `json:"name"`
	Description      *string                `json:"description"`
	Visibility       *RuleVisibility        `json:"visibility"`
	ResultVisibility *RuleVisibility        `json:"resultVisibility"`
	Severity         *float32               `json:"severity"`
	Confidence       *float32               `json:"confidence"`
	CreateAlert      *bool                  `json:"createAlert"`
	Tags             []string               `json:"tags"`
	DestinationTopic *string                `json:"destinationTopic"`
	AttackCategories []string               `json:"attackCategories"`
	EndpointPlatform []RuleEndpointPlatform `json:"endpointPlatform"`
	References       []RuleReferenceInput   `json:"references"`
}

type RuleMetrics 

type RuleMetrics struct {
	Last30DaysCount int              `json:"last30DaysCount"`
	DailyCounts     []RuleDailyCount `json:"dailyCounts"`
	LastHitDate     string           `json:"lastHitDate"`
}

type RuleRedQLFilter 

type RuleRedQLFilter struct {
	ID            string                `json:"id"`
	RuleID        string                `json:"ruleID"`
	Query         string                `json:"query"`
	CreatedAt     time.Time             `json:"createdAt"`
	UpdatedAt     time.Time             `json:"updatedAt"`
	TestShould    []RuleRedQLFilterTest `json:"testShould"`
	TestShouldNot []RuleRedQLFilterTest `json:"testShouldNot"`
}

RedQLFilter is a redql query string that is applied to events.

type RuleRedQLFilterInput 

type RuleRedQLFilterInput struct {
	Query         string                     `json:"query"`
	TestShould    []RuleRedQLFilterTestInput `json:"testShould"`
	TestShouldNot []RuleRedQLFilterTestInput `json:"testShouldNot"`
}

type RuleRedQLFilterTest 

type RuleRedQLFilterTest struct {
	FieldName  string `json:"fieldName"`
	FieldValue string `json:"fieldValue"`
}

RedQLFilterTest is key/value pair used to validate redql filters.

type RuleRedQLFilterTestInput 

type RuleRedQLFilterTestInput struct {
	FieldName  string `json:"fieldName"`
	FieldValue string `json:"fieldValue"`
}

type RuleReference 

type RuleReference struct {
	Description string `json:"description"`
	URL         string `json:"url"`
}

RuleReference refers to an exploit or security threat associated with this rule

type RuleReferenceInput 

type RuleReferenceInput struct {
	Description string `json:"description"`
	URL         string `json:"url"`
}

type RuleSampleEvent 

type RuleSampleEvent struct {
	Data []RuleEventData `json:"data"`
}

RuleSampleEvent is an event that was found when testing a rule that represents the kind of event the rule matches.

type RuleTermCount 

type RuleTermCount struct {
	Comparison RuleCountComparison `json:"comparison"`
	Value      int                 `json:"value"`
}

RuleTermCount is used for filters which are supposed to count the number of matches

type RuleTermCountInput 

type RuleTermCountInput struct {
	Comparison RuleCountComparison `json:"comparison"`
	Value      int                 `json:"value"`
}

type RuleTestMatchStep 

type RuleTestMatchStep struct {
	Filter   RuleFilter        `json:"filter"`
	Total    int               `json:"total"`
	Matches  int               `json:"matches"`
	Duration string            `json:"duration"`
	Samples  []RuleSampleEvent `json:"samples"`
}

RuleTestMatchStep is a step in the evaluation of a rule which corresponds to a filter and shows how many total events were filtered into the matched events and also provides the duration of time the filter operation took as well as some sample events to show the sort of events that matched.

type RuleType 

type RuleType string

The type of rule; old rules are regex, new rules are redql 

const (
	RuleTypeRegex RuleType = "REGEX"
	RuleTypeRedql RuleType = "REDQL"
)

type RuleVisibility 

type RuleVisibility string

The visibility of global rules 

const (
	RuleVisibilityVisible RuleVisibility = "visible"
	RuleVisibilityHidden  RuleVisibility = "hidden"
)

type RuleWatchCallback 

type RuleWatchCallback func(rules []*Rule)

RuleWatchCallback is a callback function which will get called when some modified rules have been found by the RuleWatcher.

type RuleWatcher 

type RuleWatcher struct {
	// contains filtered or unexported fields
}

RuleWatcher will watch the API for rule changes and notify a callback with modified rules.

func NewRuleWatcher 

func NewRuleWatcher(args RuleWatcherArgs) (*RuleWatcher, error)

NewRuleWatcher builds a RuleWatcher which will use the Client provided in the args to poll the API every HowOften, and will call the provided Callback with any new or updated rules. The RuleType and EventType are optional, and if set will be sent to the GetChangesSince method of the provided Client.

The HowOften value must be 1 minute or larger, otherwise an error is returned.

func (*RuleWatcher) Shutdown 

func (w *RuleWatcher) Shutdown(ctx context.Context) (err error)

Shutdown will shutdown the watcher.

func (*RuleWatcher) Watch 

func (w *RuleWatcher) Watch()

Watch will start the rule watcher watching for rule changes.

type RuleWatcherArgs 

type RuleWatcherArgs struct {
	Client    GetChangesSinceClient
	HowOften  time.Duration
	Callback  RuleWatchCallback
	RuleType  *RuleType
	EventType *RuleEventType
	// contains filtered or unexported fields
}

RuleWatcherArgs represents the arguments needed when running RuleWatcher.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.