def _run():
"""
The script's body. Creates/Updates Splunk computer lookup table.
"""
app_home = common.app_home()
lookups_dir = os.path.join(app_home, "lookups")
old_computer_lookup_table = os.path.join(lookups_dir,
"computer_lookup.csv")
tmp_computer_lookup_table = os.path.join(lookups_dir,
"computer_lookup_tmp.csv")
if not os.path.exists(lookups_dir):
os.makedirs(lookups_dir)
server, _ = common.setup()
# write computer lookup table
params = {'active': 'true', 'incBackupUsage': False, 'incHistory': False}
computer_results = c42api.fetch_computers(server,
params,
insert_schema_version=True)
splunk_lookup_table.write_lookup_table(old_computer_lookup_table,
tmp_computer_lookup_table,
computer_results, COMPUTER_UID_KEY,
COMPUTER_KEYS_TO_IGNORE, TIME_KEY)
def _run():
"""
The script's body. Creates/Updates Splunk user lookup table.
"""
app_home = common.app_home()
lookups_dir = os.path.join(app_home, "lookups")
old_user_lookup_table = os.path.join(lookups_dir, "user_lookup.csv")
tmp_user_lookup_table = os.path.join(lookups_dir, "user_lookup_tmp.csv")
if not os.path.exists(lookups_dir):
os.makedirs(lookups_dir)
server, _ = common.setup()
# write user lookup table
user_results = c42api.fetch_users(server)
splunk_lookup_table.write_lookup_table(old_user_lookup_table, tmp_user_lookup_table, user_results,
USER_UID_KEY, USER_KEYS_TO_IGNORE, TIME_KEY)
def _run():
"""
Run through Splunk. This is how the Splunk app gathers security detection events from the Code42 server(s).
For each user, we gather all events for
"""
server, config_dict = common.setup()
events_dir = os.path.join(common.app_home(), 'events')
# The file at 'minTs_file_path' holds the 'min timestamp' to be used for a particular device the next time
# the script runs. This is updated IFF all pages are gathered for a particular device during a single run of the script.
minTs_file_path = os.path.join(events_dir, 'security-lastRun')
# The file at 'cursor path' is used to hold the 'latest cursor' for a particular plan on a page by page basis.
# i.e. every time we finish retrieving a plan, we save the new 'latest cursor' to ensure that we can restart
# from the correct page in the case the connection to the C42 server goes down before we retrieve all pages.
cursor_path = os.path.join(events_dir, 'security-interrupted-lastCursor')
if not os.path.exists(events_dir):
os.makedirs(events_dir)
devices = config_dict['devices']
device_guids = c42api.devices(server, devices)
timestamp_dict = _try_read_timestamp(minTs_file_path)
event_filters = []
for device_guid in device_guids:
try:
minTs = timestamp_dict[device_guid]
event_filter = c42api.create_filter_by_iso_minTs_and_now(minTs)
event_filters.append(event_filter)
except (KeyError, TypeError):
event_filter = c42api.create_filter_by_utc_datetime(
datetime.utcfromtimestamp(0), datetime.utcnow())
event_filters.append(event_filter)
guids_and_filters = zip(device_guids, event_filters)
timestamp_dict = timestamp_dict if timestamp_dict else {}
for guid, new_minTs in c42api.fetch_detection_events(
server, guids_and_filters, cursor_path):
if not new_minTs:
continue
timestamp_dict[guid] = new_minTs
_write_min_timestamps(minTs_file_path, timestamp_dict)
def _run():
"""
The script's body. Creates/Updates Splunk computer lookup table.
"""
app_home = common.app_home()
lookups_dir = os.path.join(app_home, "lookups")
old_computer_lookup_table = os.path.join(lookups_dir, "computer_lookup.csv")
tmp_computer_lookup_table = os.path.join(lookups_dir, "computer_lookup_tmp.csv")
if not os.path.exists(lookups_dir):
os.makedirs(lookups_dir)
server, _ = common.setup()
# write computer lookup table
params = {'active': 'true',
'incBackupUsage': False,
'incHistory': False}
computer_results = c42api.fetch_computers(server, params, insert_schema_version=True)
splunk_lookup_table.write_lookup_table(old_computer_lookup_table, tmp_computer_lookup_table, computer_results,
COMPUTER_UID_KEY, COMPUTER_KEYS_TO_IGNORE, TIME_KEY)
def _run():
"""
Run through Splunk
"""
server, config_dict = common.setup()
events_dir = os.path.join(common.app_home(), 'events')
cursor_path = os.path.join(events_dir, 'security-lastRun')
if not os.path.exists(events_dir):
os.makedirs(events_dir)
devices = config_dict['devices']
device_guids = c42api.devices(server, devices)
cursors_dict = _try_read_cursor(cursor_path)
event_filters = []
for device_guid in device_guids:
try:
cursor = cursors_dict[device_guid]
event_filter = c42api.create_filter_by_cursor(cursor)
event_filters.append(event_filter)
except (KeyError, TypeError):
event_filter = c42api.create_filter_by_utc_datetime(datetime.utcfromtimestamp(0), datetime.utcnow())
event_filters.append(event_filter)
guids_and_filters = zip(device_guids, event_filters)
cursors_dict = cursors_dict if cursors_dict else {}
for guid, cursor, detection_events in c42api.fetch_detection_events(server, guids_and_filters):
if not cursor or not detection_events:
continue
cursors_dict[guid] = cursor
c42api.write_json_splunk(sys.stdout, detection_events)
_write_cursor(cursor_path, cursors_dict)
