def _run():
    """
    Run through Splunk. This is how the Splunk app gathers security detection events from the Code42 server(s).
    For each user, we gather all events for 
    """
    server, config_dict = common.setup()
    events_dir = os.path.join(common.app_home(), 'events')
    # The file at 'minTs_file_path' holds the 'min timestamp' to be used for a particular device the next time
    # the script runs. This is updated IFF all pages are gathered for a particular device during a single run of the script.
    minTs_file_path = os.path.join(events_dir, 'security-lastRun')
    # The file at 'cursor path' is used to hold the 'latest cursor' for a particular plan on a page by page basis.
    # i.e. every time we finish retrieving a plan, we save the new 'latest cursor' to ensure that we can restart
    # from the correct page in the case the connection to the C42 server goes down before we retrieve all pages.
    cursor_path = os.path.join(events_dir, 'security-interrupted-lastCursor')
    if not os.path.exists(events_dir):
        os.makedirs(events_dir)

    devices = config_dict['devices']
    device_guids = c42api.devices(server, devices)

    timestamp_dict = _try_read_timestamp(minTs_file_path)
    event_filters = []
    for device_guid in device_guids:
        try:
            minTs = timestamp_dict[device_guid]
            event_filter = c42api.create_filter_by_iso_minTs_and_now(minTs)
            event_filters.append(event_filter)
        except (KeyError, TypeError):
            event_filter = c42api.create_filter_by_utc_datetime(
                datetime.utcfromtimestamp(0), datetime.utcnow())
            event_filters.append(event_filter)

    guids_and_filters = zip(device_guids, event_filters)

    timestamp_dict = timestamp_dict if timestamp_dict else {}
    for guid, new_minTs in c42api.fetch_detection_events(
            server, guids_and_filters, cursor_path):
        if not new_minTs:
            continue
        timestamp_dict[guid] = new_minTs

    _write_min_timestamps(minTs_file_path, timestamp_dict)
Ejemplo n.º 2
0
def _run():
    """Initializes the state for the script based on command line input."""
    arg_parser = argparse.ArgumentParser()
    args = _setup_args(arg_parser)
    if args.logfile:
        c42api.set_log_file(args.logfile)

    if args.output or args.logfile:
        c42api.set_log_level(logging.DEBUG)
    else:
        c42api.set_log_level(logging.ERROR)
    server = argutil.server_from_args(args)
    is_json = args.format == 'json'
    device_guids = c42api.devices(server, args.device)

    def generate_detection_events():
        """
        Since write_json() wants to take a generator and fetch_detection_events()
        returns tuples, where the detection events are an array in the tuple, we use
        this auxilary function to allow us to stream the events to write_json()
        """
        event_filters = [
            c42api.create_filter_by_utc_datetime(args.min_date, args.max_date)
        ] * len(device_guids)
        guids_and_filters = zip(device_guids, event_filters)
        for _, _, detection_events in c42api.fetch_detection_events(
                server, guids_and_filters):
            for event in detection_events:
                yield event

    with c42api.common.smart_open(args.output, overwrite=True) as out:
        if is_json:
            c42api.write_json(out, generate_detection_events())
        else:
            c42api.write_csv(out,
                             generate_detection_events(),
                             args.header,
                             shallow=True)
Ejemplo n.º 3
0
def _run():
    """Initializes the state for the script based on command line input."""
    arg_parser = argparse.ArgumentParser()
    args = _setup_args(arg_parser)
    if not args.device:
        raise ValueError("Device is required.")
    if args.format != 'custom' and not args.output:
        # Writing non-custom output to STDOUT, so boost the log message level.
        c42api.set_log_level(logging.ERROR)
    _outline(args)
    server = argutil.server_from_args(args)

    devices = c42api.devices(server, args.device)
    if len(devices) != 1:
        raise ValueError("*** THIS SCRIPT ONLY SUPPORTS A SINGLE DEVICE ***")

    events = c42api.calculate_delta(server, devices[0], args.date1, args.date2)
    with c42api.common.smart_open(args.output, overwrite=True) as out:
        if args.format == 'custom':
            _custom_output(out, events, allow_color=args.color)
        elif args.format == 'json':
            c42api.write_json(out, events)
        elif args.format == 'csv':
            c42api.write_csv(out, events, header=args.header)
Ejemplo n.º 4
0
def _run():
    """Initializes the state for the script based on command line input."""
    arg_parser = argparse.ArgumentParser()
    args = _setup_args(arg_parser)
    if not args.device:
        raise ValueError("Device is required.")
    if args.format != 'custom' and not args.output:
        # Writing non-custom output to STDOUT, so boost the log message level.
        c42api.set_log_level(logging.ERROR)
    _outline(args)
    server = argutil.server_from_args(args)

    devices = c42api.devices(server, args.device)
    if len(devices) != 1:
        raise ValueError("*** THIS SCRIPT ONLY SUPPORTS A SINGLE DEVICE ***")

    events = c42api.calculate_delta(server, devices[0], args.date1, args.date2)
    with c42api.common.smart_open(args.output, overwrite=True) as out:
        if args.format == 'custom':
            _custom_output(out, events, allow_color=args.color)
        elif args.format == 'json':
            c42api.write_json(out, events)
        elif args.format == 'csv':
            c42api.write_csv(out, events, header=args.header)
Ejemplo n.º 5
0
def _run():
    """
    Run through Splunk
    """
    server, config_dict = common.setup()
    events_dir = os.path.join(common.app_home(), 'events')
    cursor_path = os.path.join(events_dir, 'security-lastRun')
    if not os.path.exists(events_dir):
        os.makedirs(events_dir)

    devices = config_dict['devices']

    device_guids = c42api.devices(server, devices)

    cursors_dict = _try_read_cursor(cursor_path)
    event_filters = []
    for device_guid in device_guids:
        try:
            cursor = cursors_dict[device_guid]
            event_filter = c42api.create_filter_by_cursor(cursor)
            event_filters.append(event_filter)
        except (KeyError, TypeError):
            event_filter = c42api.create_filter_by_utc_datetime(datetime.utcfromtimestamp(0), datetime.utcnow())
            event_filters.append(event_filter)

    guids_and_filters = zip(device_guids, event_filters)

    cursors_dict = cursors_dict if cursors_dict else {}
    for guid, cursor, detection_events in c42api.fetch_detection_events(server, guids_and_filters):
        if not cursor or not detection_events:
            continue
        cursors_dict[guid] = cursor

        c42api.write_json_splunk(sys.stdout, detection_events)

    _write_cursor(cursor_path, cursors_dict)