def get_cb_defense_object(args):
if args.verbose:
logging.basicConfig()
logging.getLogger("cbapi").setLevel(logging.DEBUG)
logging.getLogger("__main__").setLevel(logging.DEBUG)
if args.cburl and args.apitoken:
cb = CbDefenseAPI(url=args.cburl,
token=args.apitoken,
ssl_verify=(not args.no_ssl_verify))
else:
cb = CbDefenseAPI(profile=args.profile)
return cb
def start(self):
poll_interval = self.args.poll
# Start the flask web server
web = get_flask_server(self.datastore)
web.start()
# Start the thread to listen to notifications
if self.args.synthetic:
notification_thread = SyntheticNotificationGenerator(
self.args.synthetic,
self.datastore,
poll_interval=poll_interval)
else:
siem_cb = CbDefenseAPI(profile=self.args.siemprofile)
notification_thread = NotificationListener(
siem_cb, self.datastore, poll_interval=poll_interval)
notification_thread.start()
# Start five threads to listen for work and do the Live Response
for i in range(5):
worker_thread = CollectContextWorker(self.cb, self.datastore)
worker_thread.start()
# Sleep forever so our worker threads do all the work in the background. Listen for a keyboard
# interrupt to exit cleanly
try:
while True:
time.sleep(1)
except KeyboardInterrupt:
# uncomment below to dump out the current state of the database:
# self.datastore.dump_info()
return
def main():
# First we create a command line parser to collect our configuration.
# We use the built in ``build_cli_parser`` in ``cbapi.example_helpers`` to build
# the basic command line parser, then augment with a few parameters specific to
# this script.
parser = build_cli_parser(
"Example CB PSC & Response Live Response automation")
parser.add_argument(
"--synthetic",
help="Generate synthetic notifications with given Device ID",
metavar="DEVICE_ID")
parser.add_argument("--poll",
help="Poll interval for the Notifications API",
type=int,
default=30)
parser.add_argument(
"--siemprofile",
help="CB Profile for SIEM API key (required to poll for notifications)",
default="siem")
args = parser.parse_args()
log.info("Starting")
datastore = DataStore()
# Start the thread to listen to notifications
if args.synthetic:
notification_thread = SyntheticNotificationGenerator(
args.synthetic, datastore, poll_interval=args.poll)
else:
siem_cb = CbDefenseAPI(profile=args.siemprofile)
notification_thread = NotificationListener(siem_cb,
datastore,
poll_interval=args.poll)
notification_thread.daemon = True
notification_thread.start()
cb = get_cb_defense_object(args)
orchestrator = LiveResponseOrchestrator(cb, get_lr_session_psc,
CollectContextWorker, datastore)
orchestrator.start()
def get_cb_defense_object(args):
# api_token = API_SECRET_KEY + "/" + API_ID
# if args.cburl and args.apitoken:
cb = CbDefenseAPI(profile=args.profile)
# cb = CbDefenseAPI(url=CB_URL, token=api_token, org_key=ORG_KEY, ssl_verify=True)
return cb
def get_cb_response_object(args):
# lr_token = API_LR_SECRET_KEY + "/" + API_LR_ID
# print(lr_token)
cb = CbDefenseAPI(profile=args.profile)
# cb = CbDefenseAPI(url=CB_URL, token=lr_token, org_key=ORG_KEY, ssl_verify=True)
return cb