    def get_user_defined_properties(cls):
        """Describe the user-supplied settings for a Lambda output.

        Two inputs are collected: a 'descriptor' naming this configuration and an
        'aws_value' holding the Lambda function name, optionally suffixed with a
        ':qualifier' (a fully-qualified ARN is also acceptable). The function name is
        not secret: it is neither masked at the prompt nor stored as a credential.
        Only the space character is rejected in it, because the default restriction
        set also rejects ':' and that would break the 'name:qualifier' form.

        Returns:
            OrderedDict: 'descriptor' and 'aws_value' OutputProperty entries, in
            that order
        """
        descriptor_help = (
            'a short and unique descriptor for this Lambda function '
            'configuration (ie: abbreviated name)'
        )
        function_help = (
            'the AWS Lambda function name, with the optional '
            "qualifier (aka 'alias'), to use for this "
            'configuration (ie: output_function:qualifier)'
        )

        properties = OrderedDict()
        properties['descriptor'] = OutputProperty(description=descriptor_help)
        # ':' separates the function name from its qualifier, so only whitespace is banned
        properties['aws_value'] = OutputProperty(description=function_help,
                                                 input_restrictions={' '})
        return properties
    def get_user_defined_properties(cls):
        """Describe the user-supplied settings for a Demisto output.

        Three inputs are collected: a 'descriptor' naming this output, the server
        'url' and an API 'token'. Both url and token are credential requirements,
        so they are persisted with the encrypted credentials rather than in plain
        output config; only the token is hidden while the user types it. The url
        rejects spaces but not ':' (the default restriction set would reject the
        ':' in 'https://').

        Returns:
          OrderedDict: Contains various OutputProperty items
        """
        properties = OrderedDict()
        properties['descriptor'] = OutputProperty(
            description='a short and unique descriptor for this demisto output')
        # Not secret on its own, but kept with the credentials it belongs to
        properties['url'] = OutputProperty(
            description='URL to the Demisto server [https://hostname]',
            mask_input=False,
            input_restrictions={' '},
            cred_requirement=True)
        # The real secret: hidden at the prompt and encrypted at rest
        properties['token'] = OutputProperty(
            description='Demisto API token',
            mask_input=True,
            cred_requirement=True)
        return properties
    def get_user_defined_properties(cls):
        """Describe the user-supplied settings for an SES output.

        Collects a 'descriptor', the verified sender address ('from_email') and the
        comma-separated list of verified recipients ('to_emails'). Neither address
        field is masked while typed, but both are flagged cred_requirement=True so
        they are stored with the credentials instead of in plain output config.

        Returns:
            OrderedDict: 'descriptor', 'from_email' and 'to_emails' OutputProperty
            entries, in that order
        """
        address_fields = (
            ("from_email", "the SES Verified email address to send from"),
            ("to_emails",
             "the SES Verified recipient email addresses, comma-seperated"),
        )

        properties = OrderedDict()
        properties["descriptor"] = OutputProperty(
            description="a short and unique descriptor for this SES Output.")
        for key, help_text in address_fields:
            # Addresses are visible at the prompt but travel with the credentials
            properties[key] = OutputProperty(description=help_text,
                                             cred_requirement=True)
        return properties
    def get_user_defined_properties(cls):
        """Describe the user-supplied settings for a Komand output.

        Collects a 'descriptor', the 'komand_auth_token' and the trigger endpoint
        'url'. The url is treated exactly like the token - masked at the prompt and
        stored as a credential - because, as the example in its help text shows,
        its path embeds a per-integration GUID and is therefore secret-bearing.

        Returns:
            OrderedDict: Contains various OutputProperty items
        """
        secret_fields = (
            ('komand_auth_token',
             'the auth token for this Komand integration. '
             'Example: 00000000-0000-0000-0000-000000000000'),
            ('url',
             'the endpoint url for this Komand integration. '
             'Example: https://YOUR-KOMAND-HOST.com/v2/triggers/GUID/events'),
        )

        properties = OrderedDict([
            ('descriptor',
             OutputProperty(
                 description='a short and unique descriptor for this Komand integration')),
        ])
        for key, help_text in secret_fields:
            # Both values carry secrets: hide them at the prompt and encrypt at rest
            properties[key] = OutputProperty(description=help_text,
                                             mask_input=True,
                                             cred_requirement=True)
        return properties
    def get_user_defined_properties(cls):
        """Describe the user-supplied settings for a Phantom output.

        Collects a 'descriptor', the 'ph_auth_token' and the alert dispatch endpoint
        'url'. Token and url are handled identically: both are masked at the prompt
        and both are stored as credentials (cred_requirement=True).

        Returns:
            OrderedDict: Contains various OutputProperty items
        """
        def secret(help_text):
            # Shared shape for the two secret-bearing fields
            return OutputProperty(description=help_text,
                                  mask_input=True,
                                  cred_requirement=True)

        entries = [
            ('descriptor',
             OutputProperty(
                 description='a short and unique descriptor for this Phantom integration')),
            ('ph_auth_token', secret('the auth token for this Phantom integration')),
            ('url', secret('the endpoint url for this Phantom integration')),
        ]
        return OrderedDict(entries)
    def get_user_defined_properties(cls):
        """Describe the user-supplied settings for a Slack output.

        Collects a 'descriptor' and the full incoming-webhook 'url'. The webhook url
        carries the integration secret, so it is masked at the prompt and stored as
        a credential. Spaces are rejected in it; the default restriction set is
        overridden so that the ':' in 'https://' is accepted.

        Returns:
            OrderedDict: 'descriptor' and 'url' OutputProperty entries, in that order
        """
        descriptor_help = ('a short and unique descriptor for this Slack integration '
                           '(ie: channel, group, etc)')
        webhook = OutputProperty(
            description='the full Slack webhook url, including the secret',
            mask_input=True,
            input_restrictions={' '},
            cred_requirement=True)
        return OrderedDict((
            ('descriptor', OutputProperty(description=descriptor_help)),
            ('url', webhook),
        ))
    def get_user_defined_properties(cls):
        """Describe the user-supplied settings for a Microsoft Teams output.

        Collects a 'descriptor' and the full incoming-webhook 'url'. The webhook url
        embeds the integration secret, so it is masked at the prompt and stored as a
        credential (cred_requirement=True).

        Returns:
            OrderedDict: 'descriptor' and 'url' OutputProperty entries, in that order
        """
        descriptor_help = (
            "a short and unique descriptor for this service configuration "
            "(ie: name of Team the webhook relates too)"
        )
        # NOTE(review): unlike the Slack output, no input_restrictions override is
        # given here - presumably irrelevant for masked input; confirm against the CLI
        webhook = OutputProperty(
            description="the full teams webhook url, including the secret",
            mask_input=True,
            cred_requirement=True,
        )

        properties = OrderedDict()
        properties["descriptor"] = OutputProperty(description=descriptor_help)
        properties["url"] = webhook
        return properties
 def get_user_defined_properties(cls):
     """Describe the user-supplied settings for a Github output.

     Collects a 'descriptor', the target 'repository', the issue 'labels', the
     'username' and the 'access_token'. Everything except the descriptor is a
     credential requirement (stored with the credentials, not in plain config);
     only the access token is masked while typed.

     Returns:
         OrderedDict: Contains various OutputProperty items
     """
     props = OrderedDict()
     props['descriptor'] = OutputProperty(
         description='a short and unique descriptor for this Github integration')

     # Echoed at the prompt, but persisted alongside the credentials
     visible_creds = (
         ('repository',
          'the repository for this integration in the form :username/:repository'),
         ('labels',
          'a comma separated list of labels to apply to issues when they are created'),
         ('username', 'the username for this integration'),
     )
     for key, help_text in visible_creds:
         props[key] = OutputProperty(description=help_text,
                                     cred_requirement=True,
                                     mask_input=False)

     # The token is the actual secret: hide it while it is typed
     props['access_token'] = OutputProperty(
         description='the access token for the integration',
         cred_requirement=True,
         mask_input=True)
     return props
    def get_user_defined_properties(cls):
        """Describe the user-supplied settings for an S3 output.

        Collects a 'descriptor' and the target bucket name as 'aws_value'. The
        bucket name is not secret: it is neither masked at the prompt nor stored
        as a credential, so it lives in plain output config.

        Returns:
            OrderedDict: 'descriptor' and 'aws_value' OutputProperty entries, in
            that order
        """
        help_texts = (
            ('descriptor',
             'a short and unique descriptor for this S3 bucket (ie: bucket name)'),
            ('aws_value',
             'the AWS S3 bucket name to use for this S3 configuration'),
        )
        return OrderedDict(
            (key, OutputProperty(description=text)) for key, text in help_texts)
    def get_user_defined_properties(cls):
        """Describe the user-supplied settings for an SQS output.

        Collects a 'descriptor' and the queue name as 'aws_value'. Neither value is
        masked or stored as a credential.

        Returns:
            OrderedDict: 'descriptor' and 'aws_value' OutputProperty entries, in
            that order
        """
        props = OrderedDict()
        props['descriptor'] = OutputProperty(
            description='a short and unique descriptor for this SQS queue')
        props['aws_value'] = OutputProperty(description='SQS queue name')
        return props
    def test_aws_format_output_config(self):
        """AWSOutput - Format Output Config

        Formats a descriptor/aws_value pair into the output config and checks that
        the result holds two entries: the new 'descriptor_value' plus
        'unit_test_bucket' (presumably an entry already present in CONFIG)."""
        descriptor_prop = OutputProperty('short_descriptor', 'descriptor_value')
        aws_prop = OutputProperty('unique arn value, bucket, etc', 'bucket.value')
        user_props = {'descriptor': descriptor_prop, 'aws_value': aws_prop}

        result = AWSOutput.format_output_config(CONFIG, user_props)

        assert_equal(len(result), 2)
        for expected_key in ('descriptor_value', 'unit_test_bucket'):
            assert_is_not_none(result.get(expected_key))
def test_output_property_default():
    """OutputProperty defaults

    A bare OutputProperty() must have empty description and value, reject both
    space and ':' in input, echo input (no masking) and not be a credential."""
    prop = OutputProperty()

    expected_defaults = [
        ('description', ''),
        ('value', ''),
        ('input_restrictions', {' ', ':'}),
        ('mask_input', False),
        ('cred_requirement', False),
    ]
    for field_name, default in expected_defaults:
        assert_equal(getattr(prop, field_name), default)
    def get_user_defined_properties(cls):
        """Describe the user-supplied settings for a Firehose output.

        Collects a 'descriptor' and the delivery stream name as 'aws_value'.
        Neither value is masked or stored as a credential.

        Returns:
            OrderedDict: 'descriptor' and 'aws_value' OutputProperty entries, in
            that order
        """
        descriptor_help = 'a short and unique descriptor for this Firehose Delivery Stream'
        stream_help = 'the Firehose Delivery Stream name'
        return OrderedDict((
            ('descriptor', OutputProperty(description=descriptor_help)),
            ('aws_value', OutputProperty(description=stream_help)),
        ))
    def get_user_defined_properties(cls):
        """Describe the user-supplied settings for a Lambda output.

        Collects a 'descriptor', the 'lambda_function_arn' to invoke, a
        'function_qualifier' (alias/version) and an 'assume_role_arn'. None of the
        three ARN/qualifier values is masked at the prompt, but all are flagged
        cred_requirement=True so they are kept with the credentials rather than in
        plain output config. Only spaces are rejected in them, since ARNs contain ':'.

        Cross-account invocation: when 'assume_role_arn' is given, the Alert
        Processor first assumes that role in the target account. Both sides need
        IAM policy for this - the processor's role must be allowed to AssumeRole,
        and the destination role must permit the processor to assume it:

        @see https://aws.amazon.com/premiumsupport/knowledge-center/lambda-function-assume-iam-role/

        Returns:
            OrderedDict: Contains various OutputProperty items
        """
        descriptor_help = ('a short and unique descriptor for this Lambda function '
                           'configuration (ie: abbreviated name)')
        aws_fields = (
            ('lambda_function_arn', 'The ARN of the AWS Lambda function to Invoke'),
            ('function_qualifier', 'The function qualifier/alias to invoke.'),
            ('assume_role_arn', 'When provided, will use AssumeRole with this ARN'),
        )

        props = OrderedDict([('descriptor', OutputProperty(description=descriptor_help))])
        for key, help_text in aws_fields:
            # ARNs contain ':' so only whitespace is banned; values travel with the creds
            props[key] = OutputProperty(description=help_text,
                                        input_restrictions={' '},
                                        cred_requirement=True)
        return props
    def test_format_output_config(self):
        """OutputDispatcher - Format Output Config

        With the dispatcher's service patched to 'slack', formatting a single
        descriptor must yield two entries: 'unit_test_channel' (presumably already
        in CONFIG) followed by the new 'test_channel'."""
        user_props = {'descriptor': OutputProperty('test_desc', 'test_channel')}

        with patch.object(OutputDispatcher, '__service__', 'slack'):
            result = self._dispatcher.format_output_config(CONFIG, user_props)

            assert_equal(len(result), 2)
            assert_equal((result[0], result[1]), ('unit_test_channel', 'test_channel'))
    def get_user_defined_properties(cls):
        """Describe the user-supplied settings for an SNS output.

        Collects a 'descriptor' and the topic name as 'aws_value'. Neither value is
        masked or stored as a credential.

        Publishing:
            By default this output sets a default subject and sends a message body
            that is the JSON-serialized publication including indents/newlines.
            Either can be overridden from the publication:

            - @aws-sns.topic (str):
                    Sends a custom subject

            - @aws-sns.message (str):
                    Send a custom message body.

        Returns:
            OrderedDict: 'descriptor' and 'aws_value' OutputProperty entries, in
            that order
        """
        props = OrderedDict()
        props['descriptor'] = OutputProperty(
            description='a short and unique descriptor for this SNS topic')
        props['aws_value'] = OutputProperty(description='SNS topic name')
        return props
    def test_save_and_load_credentials(self):
        """OutputCredentials - Save and Load Credentials

        Round-trips a property set through save_credentials()/load_credentials()
        and checks three things: cred_requirement=False properties are not
        persisted, cred_requirement=True values come back unchanged, and defaults
        are merged into the loaded dict ('property2' resolves to 'abcdef' although
        no value was given for it here - presumably a provider default)."""
        descriptor = 'test_save_and_load_credentials'
        secret_one = 'this is a super secret secret, shhhh!'
        secret_two = 'where am i?'

        props = OrderedDict()
        # Plain properties: never written to the credential store
        props['property1'] = OutputProperty(
            description='This is a property and not a cred so it will not save')
        props['property2'] = OutputProperty(description='Neither will this')
        # Credentials: masked at input and persisted encrypted under KMS_ALIAS
        props['credential1'] = OutputProperty(description='Hello world',
                                              value=secret_one,
                                              mask_input=True,
                                              cred_requirement=True)
        props['credential2'] = OutputProperty(description='This appears too!',
                                              value=secret_two,
                                              mask_input=True,
                                              cred_requirement=True)

        assert_true(self._provider.save_credentials(descriptor, KMS_ALIAS, props))

        loaded = self._provider.load_credentials(descriptor)
        expected = {
            'property2': 'abcdef',
            'credential1': secret_one,
            'credential2': secret_two,
        }
        assert_equal(loaded, expected)
    def get_user_defined_properties(cls):
        """Describe the user-supplied settings for a CloudWatch log output.

        Only a 'descriptor' is collected; it is neither masked nor stored as a
        credential.

        Publishing:
            By default this output sends the current publication in JSON to
            CloudWatch. There is no "magic" field to "override" it: simply publish
            what you want to send!

        Returns:
            OrderedDict: a single 'descriptor' OutputProperty entry
        """
        descriptor = OutputProperty(
            description='a short and unique descriptor for the cloudwatch log')
        return OrderedDict([('descriptor', descriptor)])
    def get_user_defined_properties(cls):
        """Describe the user-supplied settings for a Jira output.

        Collects a 'descriptor' plus the 'username', 'password', 'url',
        'project_key', 'issue_type' and 'aggregate' settings. Every field but the
        descriptor is a credential requirement (stored with the credentials, not in
        plain output config), but only the username, password and url are masked
        while typed; project key, issue type and the yes/no 'aggregate' flag are
        echoed at the prompt.

        'aggregate' selects whether alerts are collapsed into a single Jira issue
        per StreamAlert rule.

        Returns:
            OrderedDict: Contains various OutputProperty items
        """
        masked_fields = (
            ('username', 'the Jira username'),
            ('password', 'the Jira password'),
            ('url', 'the Jira url'),
        )
        visible_fields = (
            ('project_key', 'the Jira project key'),
            ('issue_type', 'the Jira issue type'),
            ('aggregate',
             'the Jira aggregation behavior to aggregate alerts by rule name (yes/no)'),
        )

        props = OrderedDict()
        props['descriptor'] = OutputProperty(
            description='a short and unique descriptor for this Jira integration')
        for key, help_text in masked_fields:
            props[key] = OutputProperty(description=help_text,
                                        mask_input=True,
                                        cred_requirement=True)
        for key, help_text in visible_fields:
            # Not secret, but kept together with the Jira credentials
            props[key] = OutputProperty(description=help_text,
                                        mask_input=False,
                                        cred_requirement=True)
        return props
    def test_load_credentials_multiple(self):
        """OutputCredentials - Load Credentials Loads from Cache Driver

        Saves one credential, loads it once through the normal driver chain, then
        removes the SSM driver and loads again: the second load must be served by
        the EphemeralUnencryptedDriver cache alone. Finally the cache entry itself
        is inspected to confirm it holds the decrypted value."""
        descriptor = 'test_load_credentials_pulls_from_cache'
        secret = 'there is no cow level'
        props = OrderedDict([
            ('credential1',
             OutputProperty(description='Hello world',
                            value=secret,
                            mask_input=True,
                            cred_requirement=True)),
        ])
        self._provider.save_credentials(descriptor, KMS_ALIAS, props)

        # First load goes through the full driver chain; 'property2' is not in
        # props, so it presumably comes from a provider default
        expected = {'credential1': secret, 'property2': 'abcdef'}
        assert_equal(self._provider.load_credentials(descriptor), expected)

        # Knock out the SSM driver so a cache miss could not be served from the store.
        # FIXME (derek.wang): Another way to do this is to install a spy on moto and make
        #                     assertions on the number of times it is called.
        assert_is_instance(self._provider._drivers[1], SSMDriver)
        self._provider._drivers[1] = None
        self._provider._core_driver = None

        # Second load must succeed from the cache alone
        assert_equal(self._provider.load_credentials(descriptor), expected)

        # The ephemeral driver is an in-memory, unencrypted cache: the secret is
        # readable in plaintext straight out of its JSON payload
        cache_driver = self._provider._drivers[0]
        assert_is_instance(cache_driver, EphemeralUnencryptedDriver)
        assert_true(cache_driver.has_credentials(descriptor))
        cached = cache_driver.load_credentials(descriptor)
        assert_equal(json.loads(cached.data())['credential1'], secret)