In a recent Community Post, I demonstrated how to use the new Google SecOps API Wrapper SDK to query Google SecOps for network connections that are consistent with outbound data transfer. In this post, I'll show you how to use the SDK to perform a natural language search against data in Google SecOps.
The SecOps Wrapper SDK has extensive documentation, including examples, in the associated GitHub repo. I suggest reviewing the repository and becoming familiar with the different methods that the SDK exposes.
One of the cool features of the SDK is that we can leverage natural language to conduct queries. That is to say, we can construct an arbitrary query in natural language (much like the text in this community post) and have it translated to a UDM query before it is subsequently passed to SecOps.
Let's try it out. In our scenario, let's say our goal is to find logs from BigQuery. We'll create our boilerplate code for authenticating to the SDK and then implement the method for translating a natural language query into UDM.
```python
#!/usr/bin/env python3
# This script demonstrates running a natural language search against Google SecOps.
# Prior to running this script, remember to establish authentication with
# `gcloud auth application-default login` or an alternate supported method.
# Google SecOps SDK and all associated documentation by raybrian@
# This tutorial script by vaskenh@
from datetime import datetime, timedelta, timezone

from secops import SecOpsClient
from secops.exceptions import SecOpsError, AuthenticationError, APIError

# Authenticate with Application Default Credentials and bind to a SecOps instance.
client = SecOpsClient()
chronicle = client.chronicle(
    customer_id="you-can-find-this-value-on-the-secops-overview-page",
    project_id="vaskenh-chronicle",
    region="us"
)

# Search window: the last 48 hours.
end_time = datetime.now(timezone.utc)
start_time = end_time - timedelta(hours=48)

try:
    # Translate the natural language request into a UDM query first...
    udm_query = chronicle.translate_nl_to_udm("Show me logs from BigQuery")
    print(f"The translated UDM Query is: {udm_query}")

    # ...then run the translated query as an ordinary UDM search.
    results = chronicle.search_udm(
        query=udm_query,
        start_time=start_time,
        end_time=end_time
    )
    print(results)
except AuthenticationError as e:
    print(f"Authentication failed: {e}")
except APIError as e:
    print(f"SecOps API error: {e}")
except SecOpsError as e:
    print(f"SDK error: {e}")
```
From this example, we can see that the SecOps Wrapper SDK gives us an easy and intuitive way to run these types of queries programmatically.
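As an added example (not part of the original post or the SDK itself), here is one way to wrap the same translate-then-search flow so that an empty translation is refused, the translated UDM query is kept on record next to a summary of the hits, and the result can be inspected before anyone acts on it. The result shape (`{"events": [{"event": {...}}], "total_events": N}`) and the `StubChronicle` client are assumptions made so the code runs offline; the real `chronicle` object from the SDK would be passed in its place.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Any


def _get_path(event: dict[str, Any], path: str) -> Any:
    """Walk a dotted UDM path such as 'metadata.product_event_type'."""
    node: Any = event
    for key in path.split("."):
        if not isinstance(node, dict):
            return None
        node = node.get(key)
    return node


def summarise_events(results: dict[str, Any], field: str = "metadata.product_event_type") -> Counter:
    """Count one UDM field across a result; assumes the shape {"events": [{"event": {...}}]}."""
    counts: Counter = Counter()
    for item in results.get("events", []):
        value = _get_path(item.get("event", {}), field)
        counts[value if value is not None else "<missing>"] += 1
    return counts


def run_nl_search(chronicle: Any, text: str, hours: int = 48) -> dict[str, Any]:
    """Translate NL to UDM, refuse an empty translation, then search and summarise the hits."""
    udm_query = chronicle.translate_nl_to_udm(text)
    if not isinstance(udm_query, str) or not udm_query.strip():
        raise ValueError(f"no UDM query was produced for: {text!r}")
    end_time = datetime.now(timezone.utc)
    start_time = end_time - timedelta(hours=hours)
    results = chronicle.search_udm(query=udm_query, start_time=start_time, end_time=end_time)
    events = results.get("events", [])
    return {
        "udm_query": udm_query,  # keep the translation on record: it is what actually ran
        "event_count": len(events),
        "total_events": results.get("total_events", len(events)),
        "by_type": summarise_events(results),
    }


class StubChronicle:
    """Constructed stand-in for the SDK client so this runs offline; not the real SDK."""

    def translate_nl_to_udm(self, text: str) -> str:
        return 'metadata.product_name = "BigQuery"' if "bigquery" in text.lower() else ""

    def search_udm(self, query: str, start_time: datetime, end_time: datetime) -> dict[str, Any]:
        def meta(etype: str) -> dict[str, Any]:  # constructed sample UDM events
            return {"metadata": {"product_name": "BigQuery", "product_event_type": etype}}
        return {"events": [{"event": meta("TableDataRead")}, {"event": meta("TableDataRead")},
                           {"event": meta("JobInsert")}], "total_events": 3}
```

Printing `run_nl_search(StubChronicle(), "Show me logs from BigQuery")` shows the translated query beside the per-event-type counts, which is the shape of output worth reviewing before trusting a natural language translation in a scheduled job.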
Here are a few things to think about related to natural language search in SecOps:
- Can you come up with one or more other examples of natural language queries that are effective? Feel free to share them here if you do!
- In this example, we used a method that translates a natural language query to UDM, but the SecOps Wrapper SDK supports an additional method related to natural language searching. What is the method called?