def _run(): """ The script's body. Creates/Updates Splunk computer lookup table. """ app_home = common.app_home() lookups_dir = os.path.join(app_home, "lookups") old_computer_lookup_table = os.path.join(lookups_dir, "computer_lookup.csv") tmp_computer_lookup_table = os.path.join(lookups_dir, "computer_lookup_tmp.csv") if not os.path.exists(lookups_dir): os.makedirs(lookups_dir) server, _ = common.setup() # write computer lookup table params = {'active': 'true', 'incBackupUsage': False, 'incHistory': False} computer_results = c42api.fetch_computers(server, params, insert_schema_version=True) splunk_lookup_table.write_lookup_table(old_computer_lookup_table, tmp_computer_lookup_table, computer_results, COMPUTER_UID_KEY, COMPUTER_KEYS_TO_IGNORE, TIME_KEY)
def _run(): """ The script's body. Creates/Updates Splunk user lookup table. """ app_home = common.app_home() lookups_dir = os.path.join(app_home, "lookups") old_user_lookup_table = os.path.join(lookups_dir, "user_lookup.csv") tmp_user_lookup_table = os.path.join(lookups_dir, "user_lookup_tmp.csv") if not os.path.exists(lookups_dir): os.makedirs(lookups_dir) server, _ = common.setup() # write user lookup table user_results = c42api.fetch_users(server) splunk_lookup_table.write_lookup_table(old_user_lookup_table, tmp_user_lookup_table, user_results, USER_UID_KEY, USER_KEYS_TO_IGNORE, TIME_KEY)
def _run(): """ Run through Splunk. This is how the Splunk app gathers security detection events from the Code42 server(s). For each user, we gather all events for """ server, config_dict = common.setup() events_dir = os.path.join(common.app_home(), 'events') # The file at 'minTs_file_path' holds the 'min timestamp' to be used for a particular device the next time # the script runs. This is updated IFF all pages are gathered for a particular device during a single run of the script. minTs_file_path = os.path.join(events_dir, 'security-lastRun') # The file at 'cursor path' is used to hold the 'latest cursor' for a particular plan on a page by page basis. # i.e. every time we finish retrieving a plan, we save the new 'latest cursor' to ensure that we can restart # from the correct page in the case the connection to the C42 server goes down before we retrieve all pages. cursor_path = os.path.join(events_dir, 'security-interrupted-lastCursor') if not os.path.exists(events_dir): os.makedirs(events_dir) devices = config_dict['devices'] device_guids = c42api.devices(server, devices) timestamp_dict = _try_read_timestamp(minTs_file_path) event_filters = [] for device_guid in device_guids: try: minTs = timestamp_dict[device_guid] event_filter = c42api.create_filter_by_iso_minTs_and_now(minTs) event_filters.append(event_filter) except (KeyError, TypeError): event_filter = c42api.create_filter_by_utc_datetime( datetime.utcfromtimestamp(0), datetime.utcnow()) event_filters.append(event_filter) guids_and_filters = zip(device_guids, event_filters) timestamp_dict = timestamp_dict if timestamp_dict else {} for guid, new_minTs in c42api.fetch_detection_events( server, guids_and_filters, cursor_path): if not new_minTs: continue timestamp_dict[guid] = new_minTs _write_min_timestamps(minTs_file_path, timestamp_dict)
def _run(): """ The script's body. Prints out backup usage data to stdout, which will be captured by Splunk. """ server, _ = common.setup() params = {'active': 'true', 'incBackupUsage': True, 'incHistory': True} results = c42api.fetch_computers(server, params, insert_schema_version=True) timestamp = datetime.datetime.now().isoformat() for result in results: guid = result['guid'] schema_version = result['schema_version'] backup_usage_array = result['backupUsage'] for backup_usage in backup_usage_array: backup_usage['guid'] = guid backup_usage['timestamp'] = timestamp backup_usage['schema_version'] = schema_version c42api.write_json_splunk(sys.stdout, backup_usage_array)
def _run(): """ Run through Splunk """ server, config_dict = common.setup() events_dir = os.path.join(common.app_home(), 'events') cursor_path = os.path.join(events_dir, 'security-lastRun') if not os.path.exists(events_dir): os.makedirs(events_dir) devices = config_dict['devices'] device_guids = c42api.devices(server, devices) cursors_dict = _try_read_cursor(cursor_path) event_filters = [] for device_guid in device_guids: try: cursor = cursors_dict[device_guid] event_filter = c42api.create_filter_by_cursor(cursor) event_filters.append(event_filter) except (KeyError, TypeError): event_filter = c42api.create_filter_by_utc_datetime(datetime.utcfromtimestamp(0), datetime.utcnow()) event_filters.append(event_filter) guids_and_filters = zip(device_guids, event_filters) cursors_dict = cursors_dict if cursors_dict else {} for guid, cursor, detection_events in c42api.fetch_detection_events(server, guids_and_filters): if not cursor or not detection_events: continue cursors_dict[guid] = cursor c42api.write_json_splunk(sys.stdout, detection_events) _write_cursor(cursor_path, cursors_dict)