Merge pull request #30 from JupiterOne/KNO-483

add alert rule methods
JupiterOne · Oct 22, 2024 · 537de37 · 537de37
2 parents ad62b53 + 48b302f
commit 537de37
Show file tree

Hide file tree

Showing 2 changed files with 162 additions and 21 deletions.
diff --git a/jupiterone/client.py b/jupiterone/client.py
@@ -37,8 +37,10 @@
     CREATE_SMARTCLASS_QUERY,
     EVALUATE_SMARTCLASS,
     GET_SMARTCLASS_DETAILS,
+    J1QL_FROM_NATURAL_LANGUAGE,
     LIST_RULE_INSTANCES,
-    J1QL_FROM_NATURAL_LANGUAGE
+    CREATE_RULE_INSTANCE,
+    DELETE_RULE_INSTANCE
 )
 
 
@@ -434,10 +436,7 @@ def delete_relationship(self, relationship_id: str = None):
         response = self._execute_query(DELETE_RELATIONSHIP, variables=variables)
         return response["data"]["deleteRelationship"]
 
-    def create_integration_instance(self,
-                                    instance_name: str = None,
-                                    instance_description: str = None,
-                                    integration_definition_id: str = "8013680b-311a-4c2e-b53b-c8735fd97a5c"):
+    def create_integration_instance(self, instance_name: str = None, instance_description: str = None, integration_definition_id: str = "8013680b-311a-4c2e-b53b-c8735fd97a5c"):
         """Creates a new Custom Integration Instance.
 
         args:
@@ -696,18 +695,6 @@ def get_smartclass_details(self, smartclass_id: str = None):
 
         return response['data']['smartClass']
 
-    def list_configured_alert_rules(self):
-        """List defined Alert Rules configured in J1 account
-
-        """
-        variables = {
-                    "limit": 100
-        }
-
-        response = self._execute_query(LIST_RULE_INSTANCES, variables=variables)
-
-        return response['data']['listRuleInstances']
-
     def generate_j1ql(self, natural_language_prompt: str = None):
         """Generate J1QL query syntax from natural language user input.
 
@@ -723,3 +710,89 @@ def generate_j1ql(self, natural_language_prompt: str = None):
         response = self._execute_query(J1QL_FROM_NATURAL_LANGUAGE, variables=variables)
 
         return response['data']['j1qlFromNaturalLanguage']
+
+    def list_alert_rules(self):
+        """List defined Alert Rules configured in J1 account
+
+        """
+        response = self._execute_query(LIST_RULE_INSTANCES)
+
+        return response['data']['listRuleInstances']
+
+    def create_alert_rule(self, name: str = None, description: str = None, tags: List[str] = None, polling_interval: str = None, severity: str = None, j1ql: str = None, action_configs: Dict = None):
+        """Create Alert Rule Configuration in J1 account
+
+        """
+
+        variables = {
+          "instance": {
+            "name": name,
+            "description": description,
+            "notifyOnFailure": True,
+            "triggerActionsOnNewEntitiesOnly": True,
+            "ignorePreviousResults": False,
+            "operations": [
+              {
+                "when": {
+                  "type": "FILTER",
+                  "condition": [
+                    "AND",
+                    [
+                      "queries.query0.total",
+                      ">",
+                      0
+                    ]
+                  ]
+                },
+                "actions": [
+                  {
+                    "type": "SET_PROPERTY",
+                    "targetProperty": "alertLevel",
+                    "targetValue": severity
+                  },
+                  {
+                    "type": "CREATE_ALERT"
+                  }
+                ]
+              }
+            ],
+            "outputs": [
+              "alertLevel"
+            ],
+            "pollingInterval": polling_interval,
+            "question": {
+              "queries": [
+                {
+                  "query": j1ql,
+                  "name": "query0",
+                  "version": "v1",
+                  "includeDeleted": False
+                }
+              ]
+            },
+            "specVersion": 1,
+            "tags": tags,
+            "templates": {}
+          }
+        }
+
+        if action_configs:
+            variables['instance']['operations'][0]['actions'].append(action_configs)
+
+        print(variables)
+
+        response = self._execute_query(CREATE_RULE_INSTANCE, variables=variables)
+
+        return response['data']['createInlineQuestionRuleInstance']
+
+    def delete_alert_rule(self, rule_id: str = None):
+        """Delete a single Alert Rule configured in J1 account
+
+        """
+        variables = {
+            "id": rule_id
+        }
+
+        response = self._execute_query(DELETE_RULE_INSTANCE, variables=variables)
+
+        return response['data']['deleteRuleInstance']
diff --git a/jupiterone/constants.py b/jupiterone/constants.py
@@ -331,6 +331,14 @@
     }
 """
 
+J1QL_FROM_NATURAL_LANGUAGE = """
+    query j1qlFromNaturalLanguage($input: J1qlFromNaturalLanguageInput!) {
+        j1qlFromNaturalLanguage(input: $input) {
+            j1ql
+        }
+    }
+"""
+
 LIST_RULE_INSTANCES = """
     query listRuleInstances(
         $limit: Int, 
@@ -399,10 +407,70 @@
     }
 """
 
-J1QL_FROM_NATURAL_LANGUAGE = """
-    query j1qlFromNaturalLanguage($input: J1qlFromNaturalLanguageInput!) {
-        j1qlFromNaturalLanguage(input: $input) {
-            j1ql
+CREATE_RULE_INSTANCE = """
+    mutation createInlineQuestionRuleInstance($instance: CreateInlineQuestionRuleInstanceInput!) {
+      createInlineQuestionRuleInstance(instance: $instance) {
+        ...RuleInstanceFields
+        __typename
+      }
+    }
+    
+    fragment RuleInstanceFields on QuestionRuleInstance {
+      id
+      accountId
+      name
+      description
+      version
+      lastEvaluationStartOn
+      lastEvaluationEndOn
+      evaluationStep
+      specVersion
+      notifyOnFailure
+      triggerActionsOnNewEntitiesOnly
+      ignorePreviousResults
+      pollingInterval
+      templates
+      outputs
+      labels {
+        labelName
+        labelValue
+        __typename
+      }
+      question {
+        queries {
+          query
+          name
+          includeDeleted
+          __typename
         }
+        __typename
+      }
+      questionId
+      latest
+      deleted
+      type
+      operations {
+        when
+        actions
+        __typename
+      }
+      latestAlertId
+      latestAlertIsActive
+      state {
+        actions
+        __typename
+      }
+      tags
+      remediationSteps
+      __typename
+    }
+"""
+
+DELETE_RULE_INSTANCE = """
+    mutation deleteRuleInstance($id: ID!) {
+      deleteRuleInstance(id: $id) {
+        id
+        __typename
+      }
     }
 """