
feat(platform): add IOC (indicator) support #32

Open

olli-kauppinen-wolt wants to merge 3 commits into PaloAltoNetworks:main from olli-kauppinen-wolt:feat/platform-indicators

Conversation

@olli-kauppinen-wolt

Summary

Adds first-class support for /public_api/v1/indicators/{insert,get,delete} to the platform module:

  • New Indicator and IndicatorFilter types with the nine write-allowed fields plus five read-only fields the live API returns (creation_time, modification_time, status, source, number_of_issues).
  • New Client.InsertIndicators (upsert via rule_id), Client.ListIndicators, Client.DeleteIndicators, and convenience helpers Client.FindIndicatorByName / Client.FindIndicatorByID.
  • New enums package additions: IndicatorType, IndicatorSeverity, IndicatorReputation, IndicatorReliability (string-aliased) with canonical-set helpers. Includes URL and SEV_050_CRITICAL, which the live API accepts even though the OpenAPI insert enums omit them.

Test plan

  • go test ./platform/... — 15 unit sub-tests covering the three endpoints, the structured errors[{index,status}] shape, the no-reply wrapper on success, JSON-null reliability, and both FindIndicatorBy* helpers.
  • go test -tags=acceptance -run TestAccIndicator ./platform/... — four lifecycle / URL+critical-severity / idempotent-delete / boolean-filter tests against a live tenant; all green, tenant left clean.
  • go vet ./platform/... ./types/... ./enums/... clean.

Models the JSON shapes of /public_api/v1/indicators/{insert,get,delete}:

  * Indicator: nine writable fields accepted by /insert, plus five
    read-only fields surfaced by /get (creation_time, modification_time,
    status, source, number_of_issues).
  * IndicatorFilter, ListIndicatorsRequest, DeleteIndicatorsRequest.
  * InsertIndicatorsResponse with added_objects, updated_objects, and
    errors (the live API returns errors as objects with {index, status},
    not strings as documented).
  * Listing and delete response wrappers.

Adds an enums package mirror with IndicatorType, IndicatorSeverity,
IndicatorReputation, and IndicatorReliability typed-string aliases plus
canonical-set helpers. The type set includes URL and the severity set
includes SEV_050_CRITICAL, both accepted by the live API despite being
absent from the documented enums.

Adds three endpoint constants and Client methods for /public_api/v1/
indicators/{insert,get,delete}:

  * InsertIndicators is the upsert path — submit with no rule_id to
    create, or include rule_id to overwrite a matching record. Per-record
    failures surface in resp.Errors[{index, status}].
  * ListIndicators is the filter-bodied read.
  * DeleteIndicators is the filter-bodied delete; returns the deleted
    rule_ids, and is idempotent (empty slice on no match, no error).
  * FindIndicatorByName and FindIndicatorByID are convenience helpers
    for the common "single record" lookup pattern. FindIndicatorByID
    filters on rule_id, which is undocumented in the OpenAPI field enum
    but accepted by the live API on EQ.

Success responses are top-level (no `reply` wrapper). Errors come back
with the usual `reply.err_extra` wrapper that the internal client maps
into CortexCloudAPIError before unmarshal.

  * indicators_test.go: 15 sub-tests covering Insert (create/update/
    structured errors/top-level body), List (read-only fields, JSON null
    reliability, empty result), Delete (returns ids, idempotent), and
    FindIndicatorBy{Name,ID}.
  * indicators_acc_test.go: four //go:build acceptance tests against a
    live tenant — full lifecycle (create→read→update→delete),
    idempotent delete, URL+SEV_050_CRITICAL round-trip, and a JSON-bool
    filter check for default_expiration_enabled.

Acceptance tests follow the existing env-var contract
(TEST_CORTEX_API_URL, TEST_CORTEX_API_KEY, TEST_CORTEX_API_KEY_ID) and
reuse setupAcceptanceTest from asset_group_acc_test.go.
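As an added example (not code from this PR or the platform module), the Go snippet below models the /public_api/v1/indicators/insert success body the commit message describes and accepts per-record errors in both the live {index, status} object form and the documented plain-string form, so a client survives either. The field types, the assumption that added_objects and updated_objects carry rule_id strings, and the two sample bodies are constructed for this example.

```go
package main

import "encoding/json"

// IndicatorError is one per-record insert failure. The live API returns {index, status}
// objects while the OpenAPI spec documents plain strings; this accepts both (field types assumed).
type IndicatorError struct {
	Index  int    `json:"index"`  // position of the failed record in the request
	Status string `json:"status"` // assumed to be a human-readable reason
}

// UnmarshalJSON maps the documented string form to Index -1 (position unknown).
func (e *IndicatorError) UnmarshalJSON(b []byte) error {
	var s string
	if json.Unmarshal(b, &s) == nil {
		*e = IndicatorError{Index: -1, Status: s}
		return nil
	}
	type plain IndicatorError // same fields, no methods: avoids recursion
	return json.Unmarshal(b, (*plain)(e))
}

// InsertIndicatorsResponse is the top-level success body (no "reply" wrapper);
// added_objects and updated_objects are assumed to carry rule_id strings.
type InsertIndicatorsResponse struct {
	AddedObjects   []string         `json:"added_objects"`
	UpdatedObjects []string         `json:"updated_objects"`
	Errors         []IndicatorError `json:"errors"`
}

// ParseInsertResponse decodes a success body and lists the request positions that failed,
// so a caller can retry only those records rather than re-submitting the whole batch.
func ParseInsertResponse(body []byte) (InsertIndicatorsResponse, []int, error) {
	var r InsertIndicatorsResponse
	if err := json.Unmarshal(body, &r); err != nil {
		return r, nil, err
	}
	var failed []int
	for _, e := range r.Errors {
		if e.Index >= 0 {
			failed = append(failed, e.Index)
		}
	}
	return r, failed, nil
}

// Constructed sample bodies (not captured from a real tenant).
const LiveBody = `{"added_objects":["rule-1"],"updated_objects":[],"errors":[{"index":1,"status":"invalid indicator value"}]}`
const DocBody = `{"added_objects":[],"updated_objects":["rule-2"],"errors":["malformed record"]}`
```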