Merge pull request #20 from mpegman-scwx/queries_v2

update to queries v2
secureworks · Mar 29, 2024 · 65021ac · 65021ac
2 parents b12c1a7 + fbe5ebf
commit 65021ac
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 29 deletions.
diff --git a/taegis_magic/_version.py b/taegis_magic/_version.py
@@ -1,2 +1,3 @@
-"""Version idenitier."""
-__version__ = "2023.9.15"
+"""Version identifier."""
+
+__version__ = "2024.03.29"
diff --git a/taegis_magic/commands/alerts.py b/taegis_magic/commands/alerts.py
@@ -1,4 +1,5 @@
 """Taegis Magic alerts commands."""
+
 import logging
 from dataclasses import asdict, dataclass, field
 from pprint import pprint
@@ -141,6 +142,10 @@ def query_identifier(self) -> Optional[str]:
         if self._query_id:
             return self._query_id
 
+        if self.raw_results[0].query_id:
+            self._query_id = self.raw_results[0].query_id
+            return self._query_id
+
         if not self.query:
             raise ValueError("No query found to generate query id")
 
@@ -313,6 +318,9 @@ def search(
                 cql_query=cell,
                 offset=0,
                 limit=limit,
+                metadata={
+                    "callerName": "Taegis Magic",
+                },
             ),
         )
 

diff --git a/taegis_magic/commands/events.py b/taegis_magic/commands/events.py
@@ -1,4 +1,5 @@
 """Taegis Magic events commands."""
+
 import inspect
 import logging
 from dataclasses import asdict, dataclass, field
@@ -148,10 +149,14 @@ def query_identifier(self) -> str:
         if self._query_id:
             return self._query_id
 
+        if self.raw_results[0].query_id:
+            self._query_id = self.raw_results[0].query_id
+            return self._query_id
+
         if not self.query:
-            raise ValueError("No query found to generate query id")
+            raise None
 
-        query_name = query if self.is_saved else "cql"
+        query_name = self.query if self.is_saved else "cql"
         data = {
             "query": None,
             "name": query_name,

diff --git a/taegis_magic/commands/investigations.py b/taegis_magic/commands/investigations.py
@@ -1,4 +1,5 @@
 """Taegis Magic investigations commands."""
+
 import inspect
 import logging
 import re
@@ -50,6 +51,7 @@
     DeleteInvestigationFileInput,
     InitInvestigationFileUploadInput,
 )
+from taegis_sdk_python.services.queries.types import QLQueriesInput
 from taegis_sdk_python.services.sharelinks.types import ShareLinkCreateInput
 from typing_extensions import Annotated
 
@@ -417,31 +419,12 @@ def create(
 
     # verify and save valid search queries
     if not dry_run:
-        valid_search_queries = []
-        for search_query in search_queries or []:
-            query = get_query(service, search_query)
-            if query.get("error"):
-                log.error(f"Error finding search query: {search_query}")
-                continue
-
-            if query.get("id"):
-                query_update = {
-                    "name": query.get("description", f"{title} Query"),
-                    "metadata": query.get("metadata", {}),
-                }
-                for metadata in query_update.get("metadata", []):
-                    if metadata.get("id", "") == "isSaved":
-                        metadata["value"] == "true"
-
-                query = update_query(service, search_query, query_update)
-                if query.get("error"):
-                    log.error(
-                        f"Error saving search query::{search_query}::{query.get('error')}"
-                    )
-                    continue
-
-                valid_search_queries.append(search_query)
-        search_queries = valid_search_queries or None
+        if search_queries:
+            queries = service.queries.query.ql_queries(
+                QLQueriesInput(rns=search_queries)
+            )
+
+        search_queries = [query.rn for query in queries.queries]
 
     create_investigation_input = CreateInvestigationInput(
         alerts=alerts,