Python command-line interface for Scanner API
Project description
scanner-cli
This is a Python CLI for the Scanner API.
Usage
To install the CLI, run
pip install scanner-cli
Environment Variables
For various commands, you will need to supply some Scanner configuration values.
For run-tests, validate, and sync, you will need these values:
- Scanner API URL
- Scanner API key
For sync, you will also need this value:
- Scanner Team ID
You can find these values in Settings > General and Settings > API Keys in your Scanner account.
You can either set these values as environment variables:
# required for run-tests, validate, sync commands:
export SCANNER_API_URL=<Scanner API URL>
export SCANNER_API_KEY=<Scanner API key>
# required for sync command:
export SCANNER_TEAM_ID=<Scanner Team ID>
or provide them as arguments to the CLI:
scanner-cli <command> \
--api-url=<Scanner API URL> \
--api-key=<Scanner API key> \
--team-id=<Scanner Team ID> \
...
Commands
Available commands are
run-tests- run tests on detection rules as codevalidate- validate detection rules as codesync- sync detection rules to Scannermigrate-elastic-rules- migrate Elastic SIEM detection rules to Scanner YAML rules
run-tests and validate
To validate or run tests on files:
scanner-cli validate -f detections/errors.yaml -f detections/unauthorized_logins.yaml
scanner-cli run-tests -f detections/errors.yaml -f detections/unauthorized_logins.yaml
To validate or run tests on directories:
scanner-cli validate -d detections
scanner-cli run-tests -d detections
To recursively validate or run-tests on a directory, use -r or --recursive:
scanner-cli validate -r -d detections
scanner-cli run-tests -r -d detections
scanner-cli validate --recursive -d detections
scanner-cli run-tests --recursive -d detections
This will only validate or run tests on YAML files with the correct schema header.
A file or directory must be provided. Multiple files and/or directories can be provided.
sync
This command syncs detection rules to your Scanner account.
You can sync individual files or full directories.
scanner-cli sync -f detections/errors.yaml -f detections/unauthorized_logins.yaml
scanner-cli sync -r -d detections
sync_key
Each detection rule must have the sync_key field defined. This is a unique
identifier for the rule and can be any string you wish, as long as it is
unique.
event_sink_keys
If your detection rules have event_sink_keys defined, you must provide a sync
configuration file in YAML format using the --sync-config-file flag.
This file allows you to map event_sink_keys in your detection rules (eg.
low_severity_alerts, high_severity_alerts, etc.) to specific Scanner event
sinks (eg. "Custom webhook", "Slack alerts channel", etc.)
scanner-cli sync --sync-config-file sync_config.yaml -r -d detections/
Where is what the sync configuration file looks like:
event_sink_keys:
low_severity_alerts:
- sink_id: "5098b2bd-065c-4c0d-9f11-685e88808fc2"
medium_severity_alerts:
- sink_id: "5098b2bd-065c-4c0d-9f11-685e88808fc2"
- sink_id: "62741ace-ea22-4255-8a36-b921a282d61e"
high_severity_alerts:
- sink_id: "5098b2bd-065c-4c0d-9f11-685e88808fc2"
- sink_id: "62741ace-ea22-4255-8a36-b921a282d61e"
- sink_id: "2313eb73-0020-4814-9b35-864e3d3439e0"
In this example, the low_severity_alerts event sink key is mapped to a single
event sink, while the medium_severity_alerts and high_severity_alerts event
sink keys are mapped to multiple event sinks.
For instance, you might send low severity alerts to a SOAR webhook, but send medium and high severity alerts to a high-priority Slack channel and multiple webhooks.
To find the Sink ID for a specific event sink, visit Settings > Event Sinks and click on the event sink you want to use.
migrate-elastic-rules
This command migrates an ndjson file containing Elastic SIEM detection rules to Scanner YAML rules.
For each rule in the ndjson file, a YAML file will be created in the output directory.
scanner-cli migrate-elastic-rules --elastic-files-rule elastic_rules.ndjson --output-dir scanner_rules/
Optionally, you can provide a migrate config file in YAML format.
The migrate config file allows you to map Elastic Data View IDs to Scanner query terms. This way, the queries in your Scanner detection rules can be more selective about which logs they check against.
scanner-cli migrate-elastic-rules \
--migrate-config-file elastic_to_scanner_config.yaml \
--elastic-files-rule elastic_rules.ndjson \
--output-dir scanner_rules/
Here is an example migrate config file with a few mappings:
- Map from an Elastic Data View ID to a Scanner index.
- Map from an Elastic Data View wildcard name to a Scanner query for a specific source type.
- Map from an Elastic Data View wildcard name to a Scanner query with multiple terms.
data_view_id_to_query_term:
e9874b58-5cee-40e0-8b49-5c3739572ea2: |-
@index={ 0f75b7fd-ea1e-421a-b4ee-007ac8570a20 | "application_logs" }
log-sources:aws:cloudtrail:*: |-
%ingest.source_type="aws:cloudtrail"
log-sources:non-prod-app-logs:*: |-
my_env=("staging" or "dev") and my_type="app_logs"
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distributions
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file scanner_cli-0.1.0-py3-none-any.whl.
File metadata
- Download URL: scanner_cli-0.1.0-py3-none-any.whl
- Upload date:
- Size: 16.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.10
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
69212ace78eee14fe151d72e93b42d7a59a9f116277f8ce8d6b5d2c7bfcada30
|
|
| MD5 |
2d7281e7d5436d7744097d9025b898f4
|
|
| BLAKE2b-256 |
862424a6e0d92b9c9091b7fde6c301f107b08bf97d892758bbea3bea839b4610
|
