def _run():
"""
Run through Splunk. This is how the Splunk app gathers security detection events from the Code42 server(s).
For each user, we gather all events for
"""
server, config_dict = common.setup()
events_dir = os.path.join(common.app_home(), 'events')
# The file at 'minTs_file_path' holds the 'min timestamp' to be used for a particular device the next time
# the script runs. This is updated IFF all pages are gathered for a particular device during a single run of the script.
minTs_file_path = os.path.join(events_dir, 'security-lastRun')
# The file at 'cursor path' is used to hold the 'latest cursor' for a particular plan on a page by page basis.
# i.e. every time we finish retrieving a plan, we save the new 'latest cursor' to ensure that we can restart
# from the correct page in the case the connection to the C42 server goes down before we retrieve all pages.
cursor_path = os.path.join(events_dir, 'security-interrupted-lastCursor')
if not os.path.exists(events_dir):
os.makedirs(events_dir)
devices = config_dict['devices']
device_guids = c42api.devices(server, devices)
timestamp_dict = _try_read_timestamp(minTs_file_path)
event_filters = []
for device_guid in device_guids:
try:
minTs = timestamp_dict[device_guid]
event_filter = c42api.create_filter_by_iso_minTs_and_now(minTs)
event_filters.append(event_filter)
except (KeyError, TypeError):
event_filter = c42api.create_filter_by_utc_datetime(
datetime.utcfromtimestamp(0), datetime.utcnow())
event_filters.append(event_filter)
guids_and_filters = zip(device_guids, event_filters)
timestamp_dict = timestamp_dict if timestamp_dict else {}
for guid, new_minTs in c42api.fetch_detection_events(
server, guids_and_filters, cursor_path):
if not new_minTs:
continue
timestamp_dict[guid] = new_minTs
_write_min_timestamps(minTs_file_path, timestamp_dict)
def _run():
"""Initializes the state for the script based on command line input."""
arg_parser = argparse.ArgumentParser()
args = _setup_args(arg_parser)
if args.logfile:
c42api.set_log_file(args.logfile)
if args.output or args.logfile:
c42api.set_log_level(logging.DEBUG)
else:
c42api.set_log_level(logging.ERROR)
server = argutil.server_from_args(args)
is_json = args.format == 'json'
device_guids = c42api.devices(server, args.device)
def generate_detection_events():
"""
Since write_json() wants to take a generator and fetch_detection_events()
returns tuples, where the detection events are an array in the tuple, we use
this auxilary function to allow us to stream the events to write_json()
"""
event_filters = [
c42api.create_filter_by_utc_datetime(args.min_date, args.max_date)
] * len(device_guids)
guids_and_filters = zip(device_guids, event_filters)
for _, _, detection_events in c42api.fetch_detection_events(
server, guids_and_filters):
for event in detection_events:
yield event
with c42api.common.smart_open(args.output, overwrite=True) as out:
if is_json:
c42api.write_json(out, generate_detection_events())
else:
c42api.write_csv(out,
generate_detection_events(),
args.header,
shallow=True)
def _run():
"""Initializes the state for the script based on command line input."""
arg_parser = argparse.ArgumentParser()
args = _setup_args(arg_parser)
if not args.device:
raise ValueError("Device is required.")
if args.format != 'custom' and not args.output:
# Writing non-custom output to STDOUT, so boost the log message level.
c42api.set_log_level(logging.ERROR)
_outline(args)
server = argutil.server_from_args(args)
devices = c42api.devices(server, args.device)
if len(devices) != 1:
raise ValueError("*** THIS SCRIPT ONLY SUPPORTS A SINGLE DEVICE ***")
events = c42api.calculate_delta(server, devices[0], args.date1, args.date2)
with c42api.common.smart_open(args.output, overwrite=True) as out:
if args.format == 'custom':
_custom_output(out, events, allow_color=args.color)
elif args.format == 'json':
c42api.write_json(out, events)
elif args.format == 'csv':
c42api.write_csv(out, events, header=args.header)
def _run():
"""Initializes the state for the script based on command line input."""
arg_parser = argparse.ArgumentParser()
args = _setup_args(arg_parser)
if not args.device:
raise ValueError("Device is required.")
if args.format != 'custom' and not args.output:
# Writing non-custom output to STDOUT, so boost the log message level.
c42api.set_log_level(logging.ERROR)
_outline(args)
server = argutil.server_from_args(args)
devices = c42api.devices(server, args.device)
if len(devices) != 1:
raise ValueError("*** THIS SCRIPT ONLY SUPPORTS A SINGLE DEVICE ***")
events = c42api.calculate_delta(server, devices[0], args.date1, args.date2)
with c42api.common.smart_open(args.output, overwrite=True) as out:
if args.format == 'custom':
_custom_output(out, events, allow_color=args.color)
elif args.format == 'json':
c42api.write_json(out, events)
elif args.format == 'csv':
c42api.write_csv(out, events, header=args.header)
def _run():
"""
Run through Splunk
"""
server, config_dict = common.setup()
events_dir = os.path.join(common.app_home(), 'events')
cursor_path = os.path.join(events_dir, 'security-lastRun')
if not os.path.exists(events_dir):
os.makedirs(events_dir)
devices = config_dict['devices']
device_guids = c42api.devices(server, devices)
cursors_dict = _try_read_cursor(cursor_path)
event_filters = []
for device_guid in device_guids:
try:
cursor = cursors_dict[device_guid]
event_filter = c42api.create_filter_by_cursor(cursor)
event_filters.append(event_filter)
except (KeyError, TypeError):
event_filter = c42api.create_filter_by_utc_datetime(datetime.utcfromtimestamp(0), datetime.utcnow())
event_filters.append(event_filter)
guids_and_filters = zip(device_guids, event_filters)
cursors_dict = cursors_dict if cursors_dict else {}
for guid, cursor, detection_events in c42api.fetch_detection_events(server, guids_and_filters):
if not cursor or not detection_events:
continue
cursors_dict[guid] = cursor
c42api.write_json_splunk(sys.stdout, detection_events)
_write_cursor(cursor_path, cursors_dict)
