Reference Lists API
How to authenticate with the Google Security Operations API
This Google Security Operations API uses the OAuth 2.0 protocol for authentication and authorization. Your application can complete these tasks using either of the following implementations:
Using the Google API Client Library for your computer language.
Directly interfacing with the OAuth 2.0 system using HTTP.
See the reference documentation for the Google Authentication library in Python.
Google Authentication libraries are a subset of the Google API client libraries. See other language implementations.
Getting API authentication credentials
Your Google Security Operations representative will provide you with a Google Developer Service Account Credential to enable the API client to communicate with the API.
You also must provide the Auth Scope when initializing your API client. OAuth 2.0 uses a scope to limit an application's access to an account. When an application requests a scope, the access token issued to the application is limited to the scope granted.
Use the following scope to initialize your Google API client:
https://www.googleapis.com/auth/chronicle-backstory
Python example
The following Python example demonstrates how to use the OAuth2 credentials
and HTTP client using google.oauth2
and googleapiclient
.
# Imports required for the sample - Google Auth and API Client Library Imports.
# Get these packages from https://pypi.org/project/google-api-python-client/ or run $ pip
# install google-api-python-client from your terminal
from google.auth.transport import requests
from google.oauth2 import service_account
SCOPES = ['https://www.googleapis.com/auth/chronicle-backstory']
# The apikeys-demo.json file contains the customer's OAuth 2 credentials.
# SERVICE_ACCOUNT_FILE is the full path to the apikeys-demo.json file
# ToDo: Replace this with the full path to your OAuth2 credentials
SERVICE_ACCOUNT_FILE = '/customer-keys/apikeys-demo.json'
# Create a credential using Google Developer Service Account Credential and Google Security Operations API
# Scope.
credentials = service_account.Credentials.from_service_account_file(SERVICE_ACCOUNT_FILE, scopes=SCOPES)
# Build a requests Session Object to make authorized OAuth requests.
http_session = requests.AuthorizedSession(credentials)
# Your endpoint GET|POST|PATCH|etc. code will vary below
# Reference List example (for US region)
url = 'https://backstory.googleapis.com/v2/lists/COLDRIVER_SHA256'
# You might need another regional endpoint for your API call; see
# https://cloud.google.com/chronicle/docs/reference/ingestion-api#regional_endpoints
# requests GET example
response = http_session.request("GET", url)
# POST example uses json
body = {
"foo": "bar"
}
response = http_session.request("POST", url, json=body)
# PATCH example uses params and json
params = {
"foo": "bar"
}
response = http_session.request("PATCH", url, params=params, json=body)
# For more complete examples, see:
# https://github.com/chronicle/api-samples-python/
Google Security Operations Reference Lists API
This document describes the Google Security Operations Reference List API methods. See Reference Lists for more information about how Reference Lists work.
Python samples for using the Reference Lists API can be found in this GitHub repo.
CreateReferenceList
Creates a list.
Request
POST https://backstory.googleapis.com/v2/lists
Request Body
{
"name": "<list name here>",
"description": "<list description here>",
"lines": ["<line item 1>", "<line item 2>", ..., "<line item n>"],
"content_type": "<list content type>",
}
Parameters
Parameter Name | Type | Description |
name
|
string
|
Unique name for the list. |
description
|
string
|
Description of the list. |
lines
|
[]string
|
List of line items. |
content_type
|
enum
|
(optional) Type of list content: "CONTENT_TYPE_DEFAULT_STRING", "REGEX", "CIDR". If omitted, defaults to "CONTENT_TYPE_DEFAULT_STRING". |
Sample Request
https://backstory.googleapis.com/v2/lists
{
"name": "list_name",
"description": "description of the list",
"lines": ["line_item_1", "// comment", "line_item_2"],
// omit content_type, which lets it default to "CONTENT_TYPE_DEFAULT_STRING".
}
Sample Response
{
"name": "list_name",
"description": "description of the list",
"lines": ["line_item_1", "// comment", "line_item_2"],
"create_time": "2020-11-20T17:18:20.409247Z",
// content_type is omitted, which indicates the type is CONTENT_TYPE_DEFAULT_STRING.
}
GetReferenceList
Returns the specified reference list.
Request
Specify the name of the list to retrieve:
GET https://backstory.googleapis.com/v2/lists/{list_name}
The view
parameter specifies how much of each reference list to view:
GET https://backstory.googleapis.com/v2/lists/{list_name}?view={view}
Parameters
Parameter Name | Type | Description |
list_name
|
string
|
Unique name for the list. |
view
|
enum
|
(Optional) How much of each reference list to view. BASIC returns the metadata for the list, but not the full contents. FULL returns everything. FULL is the default. |
Sample Response
{
"name": "sample_ref_list",
"description": "description of the list",
// Note that "lines" is NOT included in the BASIC view.
"create_time": "2020-11-20T17:18:20.409247Z",
// content_type is omitted, which indicates the type is CONTENT_TYPE_DEFAULT_STRING.
}
ListReferenceLists
Enumerates lists.
Request
Get a list of reference lists:
GET https://backstory.googleapis.com/v2/lists
The page_size
parameter controls the maximum number of reference
lists to retrieve in a single request:
GET https://backstory.googleapis.com/v2/lists?page_size={page_size}
The page_token
parameter specifies the page token received from the
previous call, which is then used to retrieve the subsequent page:
GET https://backstory.googleapis.com/v2/lists?page_token={page_token}
The view
parameter specifies how much of each reference list to view:
GET https://backstory.googleapis.com/v2/lists?view={view}
Parameters
Parameter Name | Type | Description |
page_size
|
int
|
(Optional) Maximum number of lists to return in this page of reference lists. The default is 100. |
page_token
|
string
|
(Optional) Page token received from a previous call. Use to retrieve the next page. |
view
|
enum
|
(Optional) How much of each reference list to view. BASIC returns the metadata for the list, but not the full contents. FULL returns everything. BASIC is the default. |
Sample Request
https://backstory.googleapis.com/v2/lists
Sample Response
{
"next_page_token": "EgwI3YO4gwYQmLDprwMaAnE4",
"lists": [
{
"createTime": "2020-11-20T17:18:20.409247Z",
"description": "description of list 1",
"name": "list_name"
// content_type is omitted, which indicates the type is CONTENT_TYPE_DEFAULT_STRING.
},
{
"createTime": "2020-11-20T16:18:20.409247Z",
"description": "description of list 2",
"name": "regex_list_name"
"content_type": "REGEX",
}
]
}
UpdateReferenceList
Updates an existing list.
Request
PATCH https://backstory.googleapis.com/v2/lists?update_mask=<update_mask>
Request Body
{
"name": "<list name here>",
"description": "<list description here>",
"lines": ["<line item 1>", "<line item 2>", ..., "<line item n>"],
"content_type": "<list content type>",
}
Parameters
Parameter Name | Type | Description |
name
|
string
|
Unique name for the list. |
description
|
string
|
Description of the list. |
lines
|
[]string
|
List of line items. |
update_mask
|
[]string
|
Mask that identifies which fields on the list to update.The following fields are valid:
|
content_type
|
enum
|
(optional) Type of list content: "CONTENT_TYPE_DEFAULT_STRING", "REGEX", "CIDR". Must match the type of the existing list you are updating. If omitted, defaults to "CONTENT_TYPE_DEFAULT_STRING". |
Sample Request
https://backstory.googleapis.com/v2/lists?update_mask=list.description,list.lines
{
"name": "list_name",
"description": "description of the list",
"lines": ["1.2.3.4/24", "// comment", "5.6.7.8/24"],
"content_type": "CIDR",
}
Sample Response
{
"name": "list_name",
"description": "description of the list",
"lines": ["1.2.3.4/24", "// comment", "5.6.7.8/24"],
"create_time": "2020-11-20T17:18:20.409247Z",
"content_type": "CIDR",
}
VerifyReferenceList
Validates list content and returns line errors, if any.
Request
POST https://backstory.googleapis.com/v2/lists:verifyReferenceList
Request Body
{
"content_type": "<list content type>",
"lines": ["<line item 1>", "<line item 2>", ..., "<line item n>"],
}
Parameters
Parameter Name | Type | Description |
content_type
|
enum
|
(optional) Type of list content: "CONTENT_TYPE_DEFAULT_STRING", "REGEX", "CIDR". If omitted, defaults to "CONTENT_TYPE_DEFAULT_STRING". |
lines
|
[]string
|
List of line items. |
Sample Request
https://backstory.googleapis.com/v2/lists:verifyReferenceList
{
"content_type": "CIDR",
"lines": ["invalidCIDR", "1.2.3.4/24"]
}
Sample Response
{
"errors": [
{
"lineNumber": 1,
"errorMessage": "invalid cidr pattern invalidCIDR"
}
]
}