def run_suppressions(squelch_name):
    log.info(f"{squelch_name} processing...")
    metadata = {
        'QUERY_NAME': squelch_name,
        'RUN_ID': RUN_ID,
        'ATTEMPTS': 1,
        'START_TIME': datetime.datetime.utcnow(),
    }

    ctx = db.connect()

    try:
        suppression_count = run_suppression_query(squelch_name)
        log.info(f"{squelch_name} updated {suppression_count} rows.")
        metadata['ROW_COUNT'] = {'SUPPRESSED': suppression_count}
        log.metadata_record(ctx, metadata, table=QUERY_METADATA_TABLE)

    except Exception as e:
        log_failure(ctx, squelch_name, e)
        metadata['ROW_COUNT'] = {'SUPPRESSED': 0}
        log.metadata_record(ctx, metadata, table=QUERY_METADATA_TABLE, e=e)

    METADATA_HISTORY.append(metadata)
    log.info(f"{squelch_name} done.")
Beispiel #2
0
def get_rules():
    if not hmac.compare_digest(request.cookies.get("sid", ""), SECRET):
        return jsonify(rules=[])

    rule_type = request.args.get('type', '%').upper()
    rule_target = request.args.get('target', '%').upper()

    logger.info(f'Fetching {rule_target}_{rule_type} rules...')

    oauth = json.loads(request.headers.get('Authorization') or '{}')
    if not oauth and not dbconfig.PRIVATE_KEY:
        return jsonify(success=False, message='please log in')

    ctx = db.connect(oauth=oauth, run_preflight_checks=False)
    rules = db.fetch(ctx, f"SHOW VIEWS LIKE '%_{rule_target}\_{rule_type}' IN {RULES_SCHEMA};")
    return jsonify(
        rules=[
            {
                "title": re.sub('_(alert|violation|policy)_(query|suppression|definition)$', '', rule['name'], flags=re.I),
                "target": rule['name'].split('_')[-2].upper(),
                "type": rule['name'].split('_')[-1].upper(),
                "body": rule['text'],
                "results": (
                    list(db.fetch(ctx, f"SELECT * FROM {RULES_SCHEMA}.{rule['name']};"))
                    if rule['name'].endswith("_POLICY_DEFINITION")
                    else None
                ),
            } for rule in rules if (
                rule['name'].endswith("_ALERT_QUERY")
                or rule['name'].endswith("_ALERT_SUPPRESSION")
                or rule['name'].endswith("_VIOLATION_QUERY")
                or rule['name'].endswith("_VIOLATION_SUPPRESSION")
                or rule['name'].endswith("_POLICY_DEFINITION")
            )
        ]
    )
Beispiel #3
0
        load_data(data['messages'])

        if params['offset'] == 9900:  # Maximum offset is 9900
            params = {
                'start_date': get_newest_timestamp(),
                'limit': 100,
                'offset': 0
            }

        elif len(data['messages']) == params[
                'limit']:  # if we got the limit of messages, get the next page
            params['offset'] += params['limit']
        else:
            break


def main():
    reqenv = {'AGARI_TOKEN', 'AGARI_SECRET', 'AGARI_TABLE'}
    missingenv = reqenv - set(environ)
    if missingenv:
        log.fatal(f"missing env vars: {missingenv}")

    for url in URLS:
        process_endpoint(url)


if __name__ == '__main__':
    if db.connect():
        main()
Beispiel #4
0
 def wrapper(*args, **kwargs):
     oauth = json.loads(request.headers.get('Authorization') or '{}')
     if not oauth and not dbconfig.PRIVATE_KEY:
         return jsonify(success=False, message='please log in')
     db.connect(oauth=oauth, set_cache=True)
     return f(*args, **kwargs)
Beispiel #5
0
def setup():
    db.connect()
    db.execute(TEST_QUERY)
    db.execute(TEST_SUPPRESSION)
    db.execute(TEST_INVALID_QUERY)
Beispiel #6
0
def main():
    ctx = db.connect()
    alert_rows = list(get_new_alerts(ctx))
    log.info(f'Found {len(alert_rows)} new alerts to handle.')

    for alert_row in alert_rows:
        alert = alert_row['ALERT']
        results = []

        handlers = alert.get('HANDLERS')
        if handlers is None:
            handlers = 'jira'
        if isinstance(handlers, (str, dict)):
            handlers = [handlers]

        for handler in handlers:
            if handler is None:
                results.append(None)

            else:
                if type(handler) is str:
                    handler = {'type': handler}

                if 'type' not in handler:
                    result = {
                        'success': False,
                        'error': 'missing type key',
                        'details': handler,
                    }

                else:
                    handler_type = handler['type']

                    handler_kwargs = handler.copy()
                    handler_kwargs.update({
                        'alert':
                        alert,
                        'correlation_id':
                        alert_row.get('CORRELATION_ID'),
                        'alert_count':
                        alert_row['COUNTER'],
                    })

                    try:
                        handler_module = importlib.import_module(
                            f'runners.handlers.{handler_type}')
                        result = {
                            'success':
                            True,
                            'details':
                            apply_some(handler_module.handle,
                                       **handler_kwargs),
                        }

                    except Exception as e:
                        result = {'success': False, 'details': e}

                results.append(result)

        record_status(results, alert['ALERT_ID'])

    try:
        if CLOUDWATCH_METRICS:
            log.metric('Run', 'SnowAlert', [{
                'Name': 'Component',
                'Value': 'Alert Handler'
            }], 1)
    except Exception as e:
        log.error("Cloudwatch metric logging failed", e)