def __init__(self, context):
"""Initializer
Args:
context (dict): An AWS context object which provides metadata on the currently
executing lambda function.
"""
# Load the config. Validation occurs during load, which will
# raise exceptions on any ConfigError
StreamAlert.config = StreamAlert.config or config.load_config(validate=True)
# Load the environment from the context arn
self.env = config.parse_lambda_arn(context.invoked_function_arn)
# Instantiate the send_alerts here to handle sending the triggered alerts to the
# alert processor
self.alert_forwarder = AlertForwarder()
# Instantiate a classifier that is used for this run
self.classifier = StreamClassifier(config=self.config)
self._failed_record_count = 0
self._processed_record_count = 0
self._processed_size = 0
self._alerts = []
rule_import_paths = [item for location in {'rule_locations', 'matcher_locations'}
for item in self.config['global']['general'][location]]
# Create an instance of the RulesEngine class that gets cached in the
# StreamAlert class as an instance property
self._rules_engine = RulesEngine(self.config, *rule_import_paths)
# Firehose client attribute
self._firehose_client = None
def test_parse_lambda_arn():
"""Shared - Config - Parse Lambda ARN"""
context = get_mock_context()
env = parse_lambda_arn(context.invoked_function_arn)
assert_equal(env['region'], 'us-east-1')
assert_equal(env['account_id'], '123456789012')
assert_equal(env['function_name'],
'corp-prefix_prod_streamalert_rule_processor')
assert_equal(env['qualifier'], 'development')
def _load_config(function_arn):
"""Load the Threat Intel Downloader configuration from conf/lambda.json file
Returns:
(dict): Configuration for Threat Intel Downloader
Raises:
ConfigError: For invalid or missing configuration files.
"""
base_config = parse_lambda_arn(function_arn)
config = load_config(include={'lambda.json'})['lambda']
base_config.update(config.get('threat_intel_downloader_config', {}))
return base_config
def handler(event, context):
"""Lambda handler"""
lambda_config = load_config(include={'lambda.json'})['lambda']
config = lambda_config.get('threat_intel_downloader_config')
config.update(parse_lambda_arn(context.invoked_function_arn))
threat_stream = ThreatStream(config)
intelligence, next_url, continue_invoke = threat_stream.runner(event)
if intelligence:
LOGGER.info('Write %d IOCs to DynamoDB table', len(intelligence))
threat_stream.write_to_dynamodb_table(intelligence)
if context.get_remaining_time_in_millis(
) > END_TIME_BUFFER * 1000 and continue_invoke:
invoke_lambda_function(next_url, config)
LOGGER.debug("Time remaining (MS): %s",
context.get_remaining_time_in_millis())