Add Chronicle Findings Refinement to terraform (#17659)

nimam · web-flow · commit 9280b8097827 · 2026-05-28T23:17:13.000Z
diff --git a/mmv1/products/chronicle/FindingsRefinement.yaml b/mmv1/products/chronicle/FindingsRefinement.yaml
@@ -0,0 +1,142 @@
+# Copyright 2026 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+name: FindingsRefinement
+description: Represents a set of logic conditions used to refine various types of findings such as curated rule detections.
+references:
+  guides:
+    'Google SecOps Guides': 'https://cloud.google.com/chronicle/docs/secops/secops-overview'
+  api: 'https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.findingsRefinements'
+min_version: 'beta'
+
+base_url: projects/{{project}}/locations/{{location}}/instances/{{instance}}/findingsRefinements
+self_link: projects/{{project}}/locations/{{location}}/instances/{{instance}}/findingsRefinements/{{name}}
+create_url: projects/{{project}}/locations/{{location}}/instances/{{instance}}/findingsRefinements
+id_format: projects/{{project}}/locations/{{location}}/instances/{{instance}}/findingsRefinements/{{name}}
+update_mask: true
+update_verb: PATCH
+# The API does not support deletion of FindingsRefinements.
+exclude_delete: true
+import_format:
+  - projects/{{project}}/locations/{{location}}/instances/{{instance}}/findingsRefinements/{{name}}
+autogen_status: RmluZGluZ3NSZWZpbmVtZW50
+
+examples:
+  - name: 'chronicle_findings_refinement_basic'
+    primary_resource_id: 'findings_refinement_example'
+    test_env_vars:
+      chronicle_id: 'CHRONICLE_ID'
+    vars:
+      display_name: findings_refinement_display_name
+
+samples:
+  - name: 'chronicle_findings_refinement_update'
+    primary_resource_id: 'findings_refinement_example'
+    min_version: beta
+    steps:
+      - name: 'chronicle_findings_refinement_full'
+        test_env_vars:
+          chronicle_id: 'CHRONICLE_ID'
+        resource_id_vars:
+          display_name: findings_refinement_display_name
+        vars:
+          query: "network.dns.response = true"
+          outcome_variable: "risk_score"
+          outcome_filter_operator: "EQUAL"
+          outcome_value: "value1"
+      - name: 'chronicle_findings_refinement_full'
+        test_env_vars:
+          chronicle_id: 'CHRONICLE_ID'
+        resource_id_vars:
+          display_name: findings_refinement_display_name
+        vars:
+          query: "network.dns.response = true"
+          outcome_variable: "risk_score"
+          outcome_filter_operator: "CONTAINS"
+          outcome_value: "value2"
+
+parameters:
+  - name: location
+    type: String
+    required: true
+    description: Resource ID segment making up resource `name`. It identifies the resource within its parent collection as described in https://google.aip.dev/122.
+    immutable: true
+    url_param_only: true
+  - name: instance
+    type: String
+    required: true
+    description: Resource ID segment making up resource `name`. It identifies the resource within its parent collection as described in https://google.aip.dev/122.
+    immutable: true
+    url_param_only: true
+properties:
+  - name: createTime
+    type: String
+    description: The timestamp of when the findings refinement was created.
+    output: true
+  - name: displayName
+    type: String
+    description: Display name of the findings refinement.
+  - name: name
+    type: String
+    output: true
+    custom_flatten: 'templates/terraform/custom_flatten/name_from_self_link.tmpl'
+    description: |-
+      Full resource name for the findings refinement.
+      Format:
+      projects/{project}/locations/{location}/instances/{instance}/findingsRefinements/{findings_refinement}
+  - name: outcomeFilters
+    type: Array
+    description: |-
+      The outcome filters for the findings refinement. These allow you to specify
+      filters that are applied to the outcome variables in the detection.
+      All filters must be true for a detection to match the findings refinement.
+    item_type:
+      type: NestedObject
+      properties:
+        - name: outcomeFilterOperator
+          type: String
+          required: true
+          description: |-
+            The operator to be applied to the outcome variable.
+            Possible values:
+            EQUAL
+            CONTAINS
+            MATCHES_REGEX
+            MATCHES_CIDR
+        - name: outcomeValue
+          type: String
+          required: true
+          description: The value of the outcome variable to match.
+        - name: outcomeVariable
+          type: String
+          required: true
+          description: The outcome variable name.
+  - name: query
+    type: String
+    description: |-
+      The query for the findings refinement. Works in conjunction with the type
+      field to determine the findings refinement behavior. The syntax of this
+      query is the same as a UDM search string. See the following for more
+      information:
+      https://cloud.google.com/chronicle/docs/investigation/udm-search
+  - name: type
+    type: String
+    description: |-
+      DETECTION_EXCLUSION is the only supported type of findings refinement.
+      Possible values:
+      DETECTION_EXCLUSION
+  - name: updateTime
+    type: String
+    description: The timestamp of when the findings refinement was last updated.
+    output: true
diff --git a/mmv1/templates/terraform/examples/chronicle_findings_refinement_basic.tf.tmpl b/mmv1/templates/terraform/examples/chronicle_findings_refinement_basic.tf.tmpl
@@ -0,0 +1,13 @@
+resource "google_chronicle_findings_refinement" "{{$.PrimaryResourceId}}" {
+  provider = google-beta
+  location = "us"
+  instance = "{{index $.TestEnvVars "chronicle_id"}}"
+  display_name = "{{index $.Vars "display_name"}}" 
+  type = "DETECTION_EXCLUSION" 
+  query = "network.dns.response = true" 
+  outcome_filters {
+    outcome_variable = "risk_score"
+    outcome_filter_operator = "EQUAL"
+    outcome_value = "value"
+  }
+}
diff --git a/mmv1/templates/terraform/samples/services/chronicle/chronicle_findings_refinement_full.tf.tmpl b/mmv1/templates/terraform/samples/services/chronicle/chronicle_findings_refinement_full.tf.tmpl
@@ -0,0 +1,13 @@
+resource "google_chronicle_findings_refinement" "{{$.PrimaryResourceId}}" {
+  provider = google-beta
+  location = "us"
+  instance = "{{index $.TestEnvVars "chronicle_id"}}"
+  display_name = "{{index $.ResourceIdVars "display_name"}}" 
+  type = "DETECTION_EXCLUSION" 
+  query = "{{index $.Vars "query"}}"  
+  outcome_filters {
+    outcome_variable = "{{index $.Vars "query"}}"
+    outcome_filter_operator = "{{index $.Vars "outcome_filter_operator"}}"
+    outcome_value = "{{index $.Vars "outcome_value"}}"
+  }
+}
