def do_command(self):
client = QRadarAdvisorClient(qradar_host=self.system_host,
qradar_token=self.system_token,
advisor_app_id=self.opts_dict["app_id"],
cafile=False,
log=logging)
offense_id = self.opts_dict["offense_id"]
restart_if_existed = self.opts_dict.get("restart_if_exist",
"False") == "True"
stix_json = client.offense_analysis(
offense_id=offense_id, restart_if_existed=restart_if_existed)
print(json.dumps(stix_json))
def test_offense_analysis(self, mocked_get_search_result,
mocked_perform_search, mocked_get_session):
#
# First verify that if there is no CSRF token, the full_search
# function will call get_csrf_token to get one
#
mocked_cookies = Mock()
# Use this to mock the member variables
mocked_session = Mock(cookies=mocked_cookies)
mocked_get_session.return_value = mocked_session
client = QRadarAdvisorClient(qradar_host=QRADAR_HOST,
advisor_app_id=QRADAR_APP_ID,
qradar_token=QRADAR_TOKEN,
cafile=QRADAR_VERIFY,
log=logging)
#
# when a QRadarAdvisorClient is instantiated, its http_info shall
# has no csrf token
#
assert not client.http_info.xsrf_token
try:
mocked_session.get.return_value = _generate_response({}, 400)
client.offense_analysis(123456)
assert False
except CsrfTokenError:
#
# because the CSRF token is None, full_search has to call get_csrf_token
# to get it. Since we returned 400 above, the full_search call
# shall throw this exception
#
assert True
#
# Now put a CSRF token
#
client.http_info.xsrf_token = CSRF_TOKEN
ret_cookies = {"XSRF-TOKEN": CSRF_TOKEN}
mocked_cookies.get_dict.return_value = ret_cookies
#
# This time offense_analysis shall call the QRadarOffenseAnalysis
#
stix_json = {"type": "bundles"}
mocked_get_search_result.return_value = stix_json
mocked_perform_search.return_value = stix_json
offense_id = 12345
ret = client.offense_analysis(offense_id, restart_if_existed=False)
assert ret == stix_json
# because we set restart_if_existed=False, verify we call get_search_result
# directly
mocked_get_search_result.assert_called_with(offense_id)
ret = client.offense_analysis(offense_id, restart_if_existed=True)
assert ret == stix_json
# because we set restart_if_existed=True, verify we call perform_search
# to start a new analysis
mocked_perform_search.assert_called_with(offense_id)
def _qradar_advisor_offense_analysis_function(self, event, *args, **kwargs):
"""Function:
This function performs two tasks:
1. call the QRadar Advisor REST API to retrieve insights for a given QRadar offense
2. call the QRadar Advisor REST API to perform analysis on the QRadar offense
The input is qradar_offense_id in the input.
The reply from QRadar Advisor analysis is in stix format. This function then
1. extract the observables from the stix objects
2. generate a html representation for the stix
The return to Resilient server includes the above two, together with the raw replies for
offense insights and offense analysis."""
try:
# Get the function parameters:
qradar_offense_id = kwargs.get("qradar_offense_id") # text
qradar_advisor_result_stage = self.get_select_param(kwargs.get("qradar_advisor_result_stage")) # select, values: "stage1", "stage2", "stage3"
qradar_analysis_restart_if_existed = kwargs.get("qradar_analysis_restart_if_existed") # boolean
log = logging.getLogger(__name__)
log.info("qradar_offense_id: %s", qradar_offense_id)
log.info("qradar_advisor_result_stage: %s", qradar_advisor_result_stage)
log.info("qradar_analysis_restart_if_existed: %s", qradar_analysis_restart_if_existed)
qradar_verify_cert = True
if "verify_cert" in self.options and self.options["verify_cert"] == "false":
qradar_verify_cert = False
yield StatusMessage("starting...")
if qradar_analysis_restart_if_existed:
# User wants restart a new analysis. Warn him/her it could take some time
yield StatusMessage("Restarting a new analysis. It could take up to 15 minutes...")
offense_analysis_timeout = int(self.options.get("offense_analysis_timeout", 1200))
offense_analysis_period = int(self.options.get("offense_analysis_period", 5))
log.debug("Using timeout: {}".format(str(offense_analysis_timeout)))
log.debug("Using period: {}".format(str(offense_analysis_period)))
client = QRadarAdvisorClient(qradar_host=self.options["qradar_host"],
qradar_token=self.options["qradar_advisor_token"],
advisor_app_id=self.options["qradar_advisor_app_id"],
cafile=qradar_verify_cert,
log=log)
stix_json = client.offense_analysis(offense_id=qradar_offense_id,
restart_if_existed=qradar_analysis_restart_if_existed,
return_stage=qradar_advisor_result_stage,
timeout=offense_analysis_timeout,
period=offense_analysis_period)
#
# extract list of observables from this stix bundle
#
observables = stix_utils.get_observables(stix_json=stix_json,
log=log)
#
# generate a folder-tree like structure in html for this stix bundle
#
html_str = stix_tree.get_html(stix_json, log)
#
# get the insights for this offense
#
insights = client.offense_insights(offense_id=qradar_offense_id)
yield StatusMessage("done...")
yield StatusMessage("Returning {} observables".format(str(len(observables))))
results = {
"observables": observables,
"note": html_str,
"insights": insights, # Return the raw insights dict
"stix": stix_json # Return the raw stix2 dict
}
# Produce a FunctionResult with the results
yield FunctionResult(results)
except Exception as e:
log.error(str(e))
yield FunctionError(str(e))