Created
May 13, 2022 21:08
-
-
Save myoung34/4d12bf8daa02e9af9aab479733564698 to your computer and use it in GitHub Desktop.
uptycs create event rule
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package main | |
| import ( | |
| "fmt" | |
| "os" | |
| "github.com/myoung34/uptycs-client-go/uptycs" | |
| ) | |
| func main() { | |
| c, _ := uptycs.NewClient(uptycs.UptycsConfig{ | |
| Host: os.Getenv("UPTYCS_HOST"), | |
| ApiKey: os.Getenv("UPTYCS_API_KEY"), | |
| ApiSecret: os.Getenv("UPTYCS_API_SECRET"), | |
| CustomerID: os.Getenv("UPTYCS_CUSTOMER_ID"), | |
| }) | |
| rule, err := c.CreateEventRule(uptycs.EventRule{ | |
| Name: "marcus test", | |
| Description: "marcus test", | |
| Grouping: "MITRE", | |
| GroupingL2: "Impact", | |
| GroupingL3: "T1560", | |
| ScriptConfig: uptycs.ScriptConfig{ | |
| TableName: "foo", | |
| }, | |
| SQLConfig: uptycs.SQLConfig{ | |
| IntervalSeconds: 3600, | |
| }, | |
| BuilderConfig: uptycs.BuilderConfig{ | |
| TableName: "process_file_events", | |
| Added: true, | |
| MatchesFilter: true, | |
| Filters: uptycs.BuilderConfigFilter{ | |
| And: []uptycs.BuilderConfigFilter{ | |
| uptycs.BuilderConfigFilter{ | |
| Or: []uptycs.BuilderConfigFilter{ | |
| uptycs.BuilderConfigFilter{ | |
| Not: false, | |
| Name: "path", | |
| Value: uptycs.ArrayOrString{"/usr/local/sbin/"}, | |
| IsDate: false, | |
| Operator: "STARTS_WITH", | |
| CaseInsensitive: true, | |
| }, | |
| uptycs.BuilderConfigFilter{ | |
| Not: false, | |
| Name: "path", | |
| Value: uptycs.ArrayOrString{"/usr/local/bin/"}, | |
| IsDate: false, | |
| Operator: "STARTS_WITH", | |
| CaseInsensitive: true, | |
| }, | |
| uptycs.BuilderConfigFilter{ | |
| Not: false, | |
| Name: "path", | |
| Value: uptycs.ArrayOrString{"/usr/sbin/"}, | |
| IsDate: false, | |
| Operator: "STARTS_WITH", | |
| CaseInsensitive: true, | |
| }, | |
| uptycs.BuilderConfigFilter{ | |
| Not: false, | |
| Name: "path", | |
| Value: uptycs.ArrayOrString{"/usr/bin/"}, | |
| IsDate: false, | |
| Operator: "STARTS_WITH", | |
| CaseInsensitive: true, | |
| }, | |
| uptycs.BuilderConfigFilter{ | |
| Not: false, | |
| Name: "path", | |
| Value: uptycs.ArrayOrString{"/sbin/"}, | |
| IsDate: false, | |
| Operator: "STARTS_WITH", | |
| CaseInsensitive: true, | |
| }, | |
| uptycs.BuilderConfigFilter{ | |
| Not: false, | |
| Name: "path", | |
| Value: uptycs.ArrayOrString{"/bin/"}, | |
| IsDate: false, | |
| Operator: "STARTS_WITH", | |
| CaseInsensitive: true, | |
| }, | |
| uptycs.BuilderConfigFilter{ | |
| Not: false, | |
| Name: "path", | |
| Value: uptycs.ArrayOrString{"/usr/games/"}, | |
| IsDate: false, | |
| Operator: "STARTS_WITH", | |
| CaseInsensitive: true, | |
| }, | |
| uptycs.BuilderConfigFilter{ | |
| Not: false, | |
| Name: "path", | |
| Value: uptycs.ArrayOrString{"/usr/local/games/"}, | |
| IsDate: false, | |
| Operator: "STARTS_WITH", | |
| CaseInsensitive: true, | |
| }, | |
| uptycs.BuilderConfigFilter{ | |
| Not: false, | |
| Name: "path", | |
| Value: uptycs.ArrayOrString{"/snap/bin/"}, | |
| IsDate: false, | |
| Operator: "STARTS_WITH", | |
| CaseInsensitive: true, | |
| }, | |
| uptycs.BuilderConfigFilter{ | |
| And: []uptycs.BuilderConfigFilter{ | |
| uptycs.BuilderConfigFilter{ | |
| Or: []uptycs.BuilderConfigFilter{ | |
| uptycs.BuilderConfigFilter{ | |
| Not: false, | |
| Name: "path", | |
| Value: uptycs.ArrayOrString{"/home/"}, | |
| IsDate: false, | |
| Operator: "STARTS_WITH", | |
| IsVersion: false, | |
| IsWordMatch: false, | |
| CaseInsensitive: true, | |
| }, | |
| uptycs.BuilderConfigFilter{ | |
| Not: false, | |
| Name: "path", | |
| Value: uptycs.ArrayOrString{"/root/"}, | |
| IsDate: false, | |
| Operator: "STARTS_WITH", | |
| IsVersion: false, | |
| IsWordMatch: false, | |
| CaseInsensitive: true, | |
| }, | |
| }, | |
| }, | |
| uptycs.BuilderConfigFilter{ | |
| Or: []uptycs.BuilderConfigFilter{ | |
| uptycs.BuilderConfigFilter{ | |
| Not: false, | |
| Name: "path", | |
| Value: uptycs.ArrayOrString{"/Downloads/"}, | |
| IsDate: false, | |
| Operator: "CONTAINS", | |
| IsVersion: false, | |
| IsWordMatch: false, | |
| CaseInsensitive: true, | |
| }, | |
| uptycs.BuilderConfigFilter{ | |
| Not: false, | |
| Name: "path", | |
| Value: uptycs.ArrayOrString{"/Download/"}, | |
| IsDate: false, | |
| Operator: "CONTAINS", | |
| IsVersion: false, | |
| IsWordMatch: false, | |
| CaseInsensitive: true, | |
| }, | |
| uptycs.BuilderConfigFilter{ | |
| Not: false, | |
| Name: "path", | |
| Value: uptycs.ArrayOrString{"/downloads/"}, | |
| IsDate: false, | |
| Operator: "CONTAINS", | |
| IsVersion: false, | |
| IsWordMatch: false, | |
| CaseInsensitive: true, | |
| }, | |
| uptycs.BuilderConfigFilter{ | |
| Not: false, | |
| Name: "path", | |
| Value: uptycs.ArrayOrString{"/download/"}, | |
| IsDate: false, | |
| Operator: "CONTAINS", | |
| IsVersion: false, | |
| IsWordMatch: false, | |
| CaseInsensitive: true, | |
| }, | |
| }, | |
| }, | |
| }, | |
| }, | |
| }, | |
| }, | |
| }, | |
| }, | |
| Severity: "medium", | |
| Key: "Path", | |
| ValueField: "path", | |
| AutoAlertConfig: uptycs.AutoAlertConfig{}, | |
| }, | |
| Code: "test_marc", | |
| Type: "sql", | |
| Rule: "select * from processes limit 1 :to;", | |
| }) | |
| if err != nil { | |
| fmt.Println(err) | |
| return | |
| } | |
| fmt.Println(fmt.Sprintf("Created Rule '%s' with id %s", rule.Name, rule.ID)) | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment