update to queries v2

Signed-off-by: Micah Pegman <[email protected]>
secureworks · Mar 15, 2024 · b53bb57 · b53bb57
1 parent b12c1a7
commit b53bb57
Showing 3 changed files with 12 additions and 86 deletions.
diff --git a/taegis_magic/commands/alerts.py b/taegis_magic/commands/alerts.py
@@ -1,4 +1,5 @@
 """Taegis Magic alerts commands."""
+
 import logging
 from dataclasses import asdict, dataclass, field
 from pprint import pprint
@@ -138,37 +139,7 @@ def query_identifier(self) -> Optional[str]:
         if not self.raw_results:
             return None
 
-        if self._query_id:
-            return self._query_id
-
-        if not self.query:
-            raise ValueError("No query found to generate query id")
-
-        query_name = "Taegis Query Magic" if self.is_saved else "alert"
-        data = {
-            "query": None,
-            "name": query_name,
-            "description": self.query,
-            "query_source": "alert",
-            "metadata": [
-                {"id": "start"},
-                {"id": "dateOption", "value": "custom"},
-                {"id": "timeDescription"},
-                {"id": "searchTerms"},
-                {"id": "isSaved", "value": str(self.is_saved).lower()},
-                {"id": "isRedql", "value": "true"},
-                {"id": "isAlerts2", "value": "true"},
-            ],
-        }
-        service = get_service(environment=self.region, tenant_id=self.tenant_id)
-        query_id = create_query(service, data).get("id")
-
-        if not query_id:
-            log.error("No query id returned from Query API")
-
-        self._query_id = query_id
-
-        return self._query_id
+        return self.raw_results[0].query_id
 
     @property
     def shareable_url(self) -> str:
@@ -313,6 +284,9 @@ def search(
                 cql_query=cell,
                 offset=0,
                 limit=limit,
+                metadata={
+                    "callerName": "Taegis Magic",
+                },
             ),
         )
 

diff --git a/taegis_magic/commands/events.py b/taegis_magic/commands/events.py
@@ -1,4 +1,5 @@
 """Taegis Magic events commands."""
+
 import inspect
 import logging
 from dataclasses import asdict, dataclass, field
@@ -145,36 +146,7 @@ def query_identifier(self) -> str:
         if not self.raw_results:
             return None
 
-        if self._query_id:
-            return self._query_id
-
-        if not self.query:
-            raise ValueError("No query found to generate query id")
-
-        query_name = query if self.is_saved else "cql"
-        data = {
-            "query": None,
-            "name": query_name,
-            "description": self.query,
-            "query_source": "cql",
-            "metadata": [
-                {"id": "start"},
-                {"id": "dateOption", "value": "custom"},
-                {"id": "timeDescription"},
-                {"id": "searchTerms"},
-                {"id": "isSaved", "value": str(self.is_saved).lower()},
-                {"id": "isRedql", "value": "true"},
-            ],
-        }
-        service = get_service(environment=self.region, tenant_id=self.tenant_id)
-        query_id = create_query(service, data).get("id")
-
-        if not query_id:
-            raise ValueError("No query id returned from Query API")
-
-        self._query_id = query_id
-
-        return self._query_id
+        return self.raw_results[0].query_id
 
     @property
     def shareable_url(self) -> str:

diff --git a/taegis_magic/commands/investigations.py b/taegis_magic/commands/investigations.py
@@ -1,4 +1,5 @@
 """Taegis Magic investigations commands."""
+
 import inspect
 import logging
 import re
@@ -417,31 +418,10 @@ def create(
 
     # verify and save valid search queries
     if not dry_run:
-        valid_search_queries = []
-        for search_query in search_queries or []:
-            query = get_query(service, search_query)
-            if query.get("error"):
-                log.error(f"Error finding search query: {search_query}")
-                continue
-
-            if query.get("id"):
-                query_update = {
-                    "name": query.get("description", f"{title} Query"),
-                    "metadata": query.get("metadata", {}),
-                }
-                for metadata in query_update.get("metadata", []):
-                    if metadata.get("id", "") == "isSaved":
-                        metadata["value"] == "true"
-
-                query = update_query(service, search_query, query_update)
-                if query.get("error"):
-                    log.error(
-                        f"Error saving search query::{search_query}::{query.get('error')}"
-                    )
-                    continue
-
-                valid_search_queries.append(search_query)
-        search_queries = valid_search_queries or None
+        if search_queries:
+            queries = service.queries.query.ql_queries(rns=search_queries)
+
+        search_queries = [query.rn for query in queries.queries]
 
     create_investigation_input = CreateInvestigationInput(
         alerts=alerts,