    def test_event(self):
        """
        Round-trip check on event ids.

        The ``IPSIDAlertID`` of a freshly queried event must equal
        ``<ipsId.id>|<alertId>`` of the Event built from that id. On API v2
        only, an Event rebuilt from ``data_from_id`` must compare equal to the
        data it was built from.
        """
        manager = EventManager(
            time_range="CUSTOM",
            start_time=datetime.now() - timedelta(days=QUERY_TIMERANGE),
            end_time=datetime.now() + timedelta(days=1),
            limit=1,
        )
        manager.load_data()
        first = manager[0]
        alert_id = first["IPSIDAlertID"]

        by_id = Event(id=alert_id)
        expected = "|".join(map(str, (by_id["ipsId"]["id"], by_id["alertId"])))
        self.assertEqual(alert_id, expected)

        # The direct-id query path only exists on API v2.
        if NitroSession().api_v != 2:
            return

        print("CREATING EVENT MANUALLY FROM ID")
        data = Event().data_from_id(id=alert_id, use_query=True)
        rebuilt = Event(data)
        print("EVENT RETREIVED : {}".format(rebuilt))
        print("ORIGINAL EVENT : {}".format(first))
        self.assertEqual(rebuilt, data)
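    def test_api_cmd_get_api_docs(self):
        """
        Check that ``api_cmd_get_api_docs`` lists the ESM help page's endpoints,
        one per line and in the help page's order.
        """
        s = NitroSession()
        url = 'https://{esm_url}/rs/esm/v2/help'.format(esm_url=s.config.host)
        # ssl_verify comes from the user's config; keep it enabled so the test
        # does not quietly accept an intercepting proxy. The timeout is a
        # constructed bound so an unresponsive ESM fails the test instead of
        # hanging it.
        response = requests.get(url, verify=s.config.ssl_verify, timeout=30)
        response.raise_for_status()
        # Raw bytes, not .text.encode(): lets the XML parser honour the
        # document's own encoding declaration.
        help_page = etree.parse(BytesIO(response.content))
        endpoints = [
            e.get('name') for e in help_page.iter()
            # Comments/PIs have a non-str tag; skip them before the substring test.
            if isinstance(e.tag, str) and 'esmCommand' in e.tag and e.get('name')
        ]

        doc_lines = api_cmd_get_api_docs().splitlines()
        # Compare counts first so an extra or missing line fails with a clear
        # message instead of an IndexError on endpoints[index].
        self.assertEqual(len(doc_lines), len(endpoints), "API ---list option broken")
        for endpoint, line in zip(endpoints, doc_lines):
            self.assertIn(endpoint, line, "API ---list option broken")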
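def _template_keywords(template):
    """Return the placeholder names (``$name`` / ``${name}``) used in *template*."""
    # Template.pattern match tuples are (escaped, named, braced, invalid); a real
    # placeholder sets exactly one of named/braced.
    return [m[1] or m[2] for m in Template.pattern.findall(template.template) if m[1] or m[2]]


def api_cmd_get_params_docs():
    """
    Get a list of all possible API calls with parameters interpolation.

    For every entry of ``NitroSession.PARAMS`` (``name -> (endpoint, data, ...)``,
    where the endpoint and data may each be a ``string.Template``), produce one
    ``msiem api --method '<name>' --args k=<value> ... # Call <path>`` line whose
    ``--args`` part lists the placeholders found in the two templates.

    Returns:
        str: the documentation lines, each newline-terminated; the empty
        string when PARAMS is empty.

    TODO: write a test
    """
    session = NitroSession()
    lines = []
    for name, spec in session.PARAMS.items():
        endpoint_spec = spec[0]
        raw_endpoint = endpoint_spec.template if isinstance(endpoint_spec, Template) else endpoint_spec
        endpoint = str(urlparse(raw_endpoint).path)

        keywords = []
        for part in (spec[0], spec[1]):
            if isinstance(part, Template):
                keywords.extend(_template_keywords(part))

        params = " ".join("{}=<value>".format(kw) for kw in keywords)
        lines.append("msiem api --method '{}' {} # Call {}  \n".format(
            str(name), '--args ' + params if params else params, endpoint))
    # Single join instead of repeated string concatenation in the loop.
    return "".join(lines)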
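def api_cmd(args):
    """
Quickly make API requests to any endpoints with any data. Print response to stdout as JSON.  

Request v2/alarmGetTriggeredAlarms:  

    $ msiem api --method "v2/alarmGetTriggeredAlarms?triggeredTimeRange=LAST_24_HOURS&status=&pageSize=500&pageNumber=1"

    Args:
        args: parsed CLI namespace with ``list`` (print the endpoint docs and
            exit), ``method`` (PARAMS key or raw endpoint), ``args``
            (interpolation arguments for a PARAMS method) and ``data``
            (JSON string or file for a raw endpoint).
    """
    import sys

    s = NitroSession()
    s.login()

    if args.list:
        print("All possible SIEM requests: ")
        print(api_cmd_get_api_docs())

        print("Requests with API parameters interpolation")
        print(api_cmd_get_params_docs())

        # sys.exit rather than the site-provided exit() builtin, which is not
        # guaranteed to exist (e.g. under ``python -S``).
        sys.exit(0)

    if args.method:
        # A known PARAMS key goes through the interpolated request helper;
        # anything else is sent as a raw endpoint with the given data.
        if args.method in s.PARAMS:
            res = s.request(args.method,
                            **api_cmd_parse_interpolated_args(args.args))
        else:
            res = s.api_request(args.method, api_cmd_get_data(args.data))

        pprint_json(res)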
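def api_cmd_get_api_docs():
    """
    Get a list of all possible API calls.

    Fetches the ESM's ``/rs/esm/v2/help`` XML page for the configured host and
    lists every ``esmCommand`` element that carries a ``name`` attribute.

    Returns:
        str: one ``msiem api --method v2/<name> --data <JSON string or file>``
        line per endpoint, each newline-terminated; the empty string when the
        help page lists none.

    Raises:
        requests.HTTPError: when the help page request returns a non-2xx
        status, instead of feeding an error body to the XML parser.
    """
    s = NitroSession()
    url = 'https://{esm_url}/rs/esm/v2/help'.format(esm_url=s.config.host)
    # ssl_verify comes from the user's config; leaving it enabled is what keeps
    # this request (and the session it belongs to) from being silently
    # intercepted. The timeout is a constructed bound so an unresponsive ESM
    # cannot hang the CLI.
    response = requests.get(url, verify=s.config.ssl_verify, timeout=30)
    response.raise_for_status()
    # Parse the raw bytes: re-encoding .text can disagree with the document's
    # own XML encoding declaration.
    help_page = etree.parse(BytesIO(response.content))
    endpoints = [
        e.get('name') for e in help_page.iter()
        # Comments/PIs have a non-str tag; skip them before the substring test.
        if isinstance(e.tag, str) and 'esmCommand' in e.tag and e.get('name')
    ]

    return "".join(
        "msiem api --method v2/{} --data <JSON string or file>\n".format(endp)
        for endp in endpoints
    )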
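 def NitroSession(self):
     """
     Build a NitroSession from the ``esmclient.config`` file under ``self._confDir``.

     NOTE: this method shares its name with the NitroSession class; inside the
     body the bare name still resolves to the module-level class because
     class-body names are not in a method's scope.
     """
     import os

     # os.path.join inserts the separator when _confDir lacks a trailing one,
     # where plain concatenation would silently yield "<dir>esmclient.config".
     return NitroSession(
         NitroConfig(path=os.path.join(self._confDir, 'esmclient.config')))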
import pprint
from msiempy import NitroSession

# Dump the session's PARAMS table (the known request names and their specs).
session = NitroSession()
print(pprint.pformat(session.PARAMS))
from msiempy.__version__ import __version__
from msiempy import NitroSession

# Print the library version next to the ESM build stamp reported by the API.
session = NitroSession()
esm_build = session.request("build_stamp")["buildStamp"]
print("msiempy verison: %s" % (__version__,))
print("ESM version: %s" % (esm_build,))
from msiempy import NitroSession
import pprint

# List the event fields the ESM exposes and the subset usable in filters,
# first in full (pretty-printed) and then as name-only summaries.
session = NitroSession()
filters = session.request("get_possible_filters")
fields = session.request("get_possible_fields", type="EVENT", groupType="NO_GROUP")

print("\n")
print("FIELDS NAMES S:\n" + pprint.pformat(fields))
print("\n")
print("FIELDS NAMES YOU CAN USE IN FILTERS:\n" + pprint.pformat(filters))
print("\n")
print("FIELDS NAMES SUMMARY:\n" + str([field["name"] for field in fields]))
print("\n")
print("FIELDS NAMES YOU CAN USE IN FILTERS SUMMARY:\n"
      + str([field["name"] for field in filters]))
from msiempy import NitroSession
import pprint
# List the event fields the ESM exposes and the subset usable in filters,
# first in full (pretty-printed) and then as name-only summaries.
session = NitroSession()
filters = session.request('get_possible_filters')
fields = session.request('get_possible_fields', type='EVENT', groupType='NO_GROUP')

print('\n')
print('FIELDS NAMES S:\n' + pprint.pformat(fields))
print('\n')
print('FIELDS NAMES YOU CAN USE IN FILTERS:\n' + pprint.pformat(filters))
print('\n')
print('FIELDS NAMES SUMMARY:\n' + str([field['name'] for field in fields]))
print('\n')
print('FIELDS NAMES YOU CAN USE IN FILTERS SUMMARY:\n'
      + str([field['name'] for field in filters]))
from msiempy.__version__ import __version__
from msiempy import NitroSession
# Print the library version next to the ESM build stamp reported by the API.
session = NitroSession()
esm_build = session.request('build_stamp')['buildStamp']
print('msiempy verison: %s' % (__version__,))
print('ESM version: %s' % (esm_build,))
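def dstools(pargs):
    """
    Add datasources from CSV or INI files, list, search, remove.

    Dispatches on the parsed CLI flags in *pargs*: ``add`` (a datasource file
    or a directory of them), ``search`` (a term), ``delete`` and
    ``deleteclients`` (lists of datasource ids, each confirmed interactively
    unless ``force`` is set) and ``list``.

    Side effect: (re)binds the module-level ``devtree`` to a fresh DevTree,
    which ``search()`` and the helpers below operate on.
    """
    global devtree

    devtree = DevTree()

    if pargs.add:
        _dstools_add(pargs.add, devtree)

    if pargs.search:
        print(search(pargs.search, devtree))

    if pargs.delete:
        _dstools_delete(pargs.delete, devtree, pargs.force)

    if pargs.deleteclients:
        # Was ``pargs.deletelients`` (typo): the branch always raised AttributeError.
        _dstools_delete_clients(pargs.deleteclients, devtree, pargs.force)

    if pargs.list:
        print(devtree.get_text(fields=['name', 'ds_ip', 'ds_id', 'parent_id', 'client', 'type_id', 'type', 'last_time']))


def _dstools_confirm(prompt):
    """Ask *prompt* on stdin and return True when the answer starts with 'y'."""
    return input(prompt).lower().startswith('y')


def _dstools_wait_for_add(session, job_id, max_polls=120):
    """
    Poll ``dsAddDataSourcesStatus`` for *job_id* until the job completes.

    Returns None on success, otherwise a printable description of the failure:
    the raw status when the API did not return a dict, the first entry of
    ``unsuccessfulDatasources``, or a timeout notice. *max_polls* is a
    constructed bound (about two minutes at one poll per second) so a job that
    never reports COMPLETE cannot spin the CLI forever.
    """
    for _ in range(max_polls):
        # Give the add job time to execute before (re)checking it.
        time.sleep(1)
        ds_status = session.api_request('dsAddDataSourcesStatus', {"jobId": job_id}, retry=0)
        if not isinstance(ds_status, dict):
            return ds_status
        if ds_status['jobStatus'] == 'COMPLETE':
            unsuccessful = ds_status['unsuccessfulDatasources']
            return unsuccessful[0] if unsuccessful else None
    return 'job {} did not report COMPLETE after {} polls'.format(job_id, max_polls)


def _dstools_add(ds_dir, devtree):
    """Add every datasource described by the file or directory *ds_dir* to *devtree*."""
    if os.path.isfile(ds_dir):
        new_files = [ds_dir]
    else:
        new_files = scan_dir(verify_dir(ds_dir))

    if not new_files:
        print("No datasource files found.")
        sys.exit(0)

    session = NitroSession()
    ds_to_verify = []

    for ds in convert_ds_files(new_files):
        if ds['name'] in devtree:
            print('Duplicate datasource Name. Datasource not '
                  'added: {} - {}.'.format(ds['name'], ds['ds_ip']))
            continue

        if ds['ds_ip'] in devtree:
            print('Duplicate datasource IP. Datasource not '
                  'added: {} - {}.'.format(ds['name'], ds['ds_ip']))
            continue

        try:
            if ds.get('client'):
                print("Adding Client Datasource: {}".format(ds))
                job_id = devtree.add_client(ds)
            else:
                print("Adding Datasource: {}".format(ds))
                job_id = devtree.add(ds)

            if not job_id:
                # The placeholder was never filled in the original message.
                print('Something went wrong, Datasource {} not added.'.format(ds['name']))
                continue

            failure = _dstools_wait_for_add(session, job_id)
            if failure is not None:
                print('Something went wrong, Datasource {} not added. {}'.format(ds['name'], failure))
                continue

            ds_to_verify.append(ds['name'])
            devtree.refresh()

        except Exception:
            # Best-effort batch: report this datasource's failure and carry on
            # with the next one rather than aborting the whole run.
            print('Something went wrong, Datasource {} not added.\n{}'.format(ds['name'], traceback.format_exc()))
            continue

    if ds_to_verify:
        # Let the ESM settle before checking that the new entries are visible.
        time.sleep(3)
        devtree.refresh()
        for name in ds_to_verify:
            if search(name, devtree):
                print('DataSource successfully added: {}'.format(name))
            else:
                print("Unknown issue occured while adding datasource {} and it was not added.".format(name))


def _dstools_delete(ds_ids, devtree, force):
    """Delete each datasource in *ds_ids* (matched by ds_id), confirming unless *force*."""
    for ds_id in ds_ids:
        matches = list(devtree.search_ds_group(field='ds_id', term=ds_id))
        if not matches:
            print("Datasource {} not found".format(ds_id))
            continue
        ds = matches[0]
        if force or _dstools_confirm("Delete the datasource and all the data? \n{}\n[y/n]".format(ds)):
            ds.delete()
        else:
            print("Datasource not deleted")


def _dstools_delete_clients(ds_ids, devtree, force):
    """Delete the clients of each datasource in *ds_ids*, confirming unless *force*."""
    for ds_id in ds_ids:
        matches = list(devtree.search_ds_group(field='ds_id', term=ds_id))
        if not matches:
            print("Datasource {} not found".format(ds_id))
            continue
        # The original called delete_client() on the match list itself.
        ds = matches[0]
        if force or _dstools_confirm("Delete the datasource's clients and all the data. \n{}\n[y/n]".format(ds)):
            ds.delete_client()
        else:
            print("Datasource client not deleted")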