def selftest_function(opts):
"""
Placeholder for selftest function. An example use would be to test package api connectivity.
Suggested return values are be unimplemented, success, or failure.
"""
options = opts.get("fn_symantec_dlp", {})
try:
# Ensure the shared class_vars_loaded var is False so the init of DLPSoapClient isin't skipped
DLPSoapClient.class_vars_loaded = False
# Init the DLPSoapClient, this will try to validate the WSDL
soap_client = DLPSoapClient(app_configs=options)
# Assert the DLPSoapClient is connected
assert soap_client.is_connected
# Make the a call to incident_list in the DLPSoapClient.
# This will validate that the saved report id is provided as well as the authentication pieces.
soap_client.incident_list(
saved_report_id=options.get("sdlp_savedreportid"),
incident_creation_date_later_than=datetime.datetime.now() -
datetime.timedelta(days=int(
options.get("sdlp_incident_creation_date_later_than", 14))))
return {"state": "success"}
# For the selftest, we want to catch ANY issue found when setting up the soap_client, then print out the issue.
except Exception as self_test_ex:
# Put the traceback into DEBUG
log.debug(traceback.format_exc())
# Log the Connection error to the user
log.error(u"Problem: %s", repr(self_test_ex))
log.error(
u"[Symantec DLP] Encountered an exception when running the selftest"
)
return {"state": "failure"}
def start_poller(self):
"""start_poller begins the Polling process for DLP to search for any Incidents to bring to Resilient
It calls all the other functions in this class as it filters out duplicate incidents, prepares new Incidents and uploads attachments
"""
LOG.debug("Started Poller")
# Gather the sdlp_incident_creation_date_later_than if its set or use the default value
incident_creation_date_later_than = datetime.datetime.now(
) - datetime.timedelta(days=int(
self.dlp_opts.get("sdlp_incident_creation_date_later_than",
DEFAULT_NUM_OF_DAYS)))
LOG.info("Searching for Incidents which were created after %s",
incident_creation_date_later_than)
try:
# gather the list of incidents from a saved report
res = DLPSoapClient.incident_list(
saved_report_id=DLPSoapClient.dlp_saved_report_id,
incident_creation_date_later_than=
incident_creation_date_later_than)
except Fault as caught_exc:
# Log the Connection error to the user
LOG.error(u"Problem: %s", repr(caught_exc))
errMsg = u"[Symantec DLP] Encountered an exception when querying the Incident List with Report ID {}".format(
DLPSoapClient.dlp_saved_report_id)
LOG.error(errMsg)
raise ValueError(errMsg)
# gather the incident_details for incidents returned
incidents = DLPSoapClient.incident_detail(
incident_id=res['incidentLongId'])
LOG.info(
"Now filtering out Incidents which already have a Resilient Incident ID"
)
LOG.info("Number of Incidents before filtering: %d", len(incidents))
if 'resilient_incident_id' not in self.soap_client.list_custom_attributes(
):
LOG.warning(
"The Custom Attribute 'resilient_incident_id' was not found on your DLP Instance, this may result in duplicate Incidents being found in Resilient as no filtering will be done on the DLP Side"
)
else:
# Drop all incidents which have a res_id custom attribute
incidents = list(filter(self.filter_existing_incidents, incidents))
if incidents: # If theres more than one incident after first filter
# Due to the possibility of a timeout, on each polling event, grab a rest_client for dlp_listener.
# The rest_client function returns a 'connected' instance of SimpleClient, so if the session is still valid, reuse that.
self.res_rest_client = ResilientComponent.rest_client(self)
LOG.info(
"Number of Incidents after filtering out any Incident which has a value for the `resilient_incident_id` custom attribute: %d",
len(incidents))
# Get the sdlp_incident_id field
sdlp_id_type = self.res_rest_client.get('/types/{}/fields/{}'.format(
"incident", "sdlp_incident_id"))
# Log a info message if sdlp_should_search_res is not set
if not self.should_search_res:
LOG.info(
"sdlp_should_search_res app.config value is False or not set. Duplicate Resilient Incidents may be created if the poller cannot update the DLP Incident with its new corresponding Resilient ID or the Resilient ID in the SDLP incident has been removed"
)
for incident in incidents:
# For each incident; Take in Incident ID's and check if theres an existing resilient incident
if not self.does_incident_exist_in_res(sdlp_id_type,
incident['incidentId']):
# There is no resilient incident with the given DLP Incident ID
# Create the incident
LOG.info(
"Found no Resilient Incident with given DLP Incident ID %d, creating an incident.",
incident['incidentId'])
payload = self.prepare_incident_dto(
incident,
notes_to_be_added=self.gather_incident_notes(incident))
# Create the Incident
new_incident = self.res_rest_client.post(
'/incidents', json.loads(payload, strict=False))
LOG.info(
"Created new Resilient Incident with ID %d for DLP Incident with ID %d",
new_incident['id'], incident['incidentId'])
self.upload_dlp_binaries(incident, new_incident['id'])
self.submit_summary_note(payload, incident, new_incident['id'])
self.send_res_id_to_dlp(new_incident, incident['incidentId'])
else:
LOG.info(
u"Incident was found in Resilient with sdlp_incident_id %s field. SDLP Incident will not be imported into Resilient",
incident['incidentId'])
LOG.info("Finished processing all Incidents in Saved Report %s",
self.soap_client.dlp_saved_report_id)