def __init__(self, connection, configuration):
self.logger = logger.set_logger(__name__)
self.endpoint_start = ''
headers = dict()
host_port = connection.get('host') + ':' + str(
connection.get('port', ''))
headers['accept'] = 'application/json'
auth = configuration.get('auth')
if auth is not None and auth.get('token', None) is not None:
headers['Authorization'] = 'token {}'.format(auth.get('token'))
url_modifier_function = None
headers['user-agent'] = _USER_AGENT
self.timeout = connection['options'].get('timeout')
self.result_limit = connection['options'].get('result_limit')
if self.result_limit > _MAX_RESULT:
self.logger.warning(
"The length exceeds length limit. Use default length: %s",
_MAX_RESULT)
self.result_limit = _MAX_RESULT
self.client = RestApiClient(host_port,
None,
headers,
url_modifier_function,
cert_verify=connection.get(
'selfSignedCert', True),
sni=connection.get('sni', None))
class APIClient():
PING_ENDPOINT = 'sensor'
PROCESS_ENDPOINT = 'process'
def __init__(self, connection, configuration):
self.endpoint_start = 'api/v1/'
auth = configuration.get('auth')
headers = dict()
headers['X-Auth-Token'] = auth.get('token')
self.client = RestApiClient(connection.get('host'),
connection.get('port'),
headers,
cert_verify=connection.get(
'selfSignedCert', True),
sni=connection.get('sni', None))
self.timeout = connection['options'].get('timeout')
def ping_box(self):
endpoint = self.endpoint_start + self.PING_ENDPOINT
return self.client.call_api(endpoint, 'GET', timeout=self.timeout)
def run_search(self, query_expression, start=0, rows=10):
headers = dict()
endpoint = self.endpoint_start + self.PROCESS_ENDPOINT
data = [("q", query_expression), ("start", start), ("rows", rows)]
sort_by = 'start asc' # The purpose of this is to maintain order stability when doing paging
data.append(("sort", sort_by))
return self.client.call_api(endpoint,
'GET',
headers,
urldata=data,
timeout=self.timeout)
def parse_query(self, data):
proxy_host = self.options['proxy_host']
proxy_port = self.options['proxy_port']
connection, configuration = unwrap_connection_options(self.options)
client = RestApiClient(
proxy_host,
proxy_port,
url_modifier_function=lambda host_port, endpoint, headers:
f'https://{host_port}{endpoint}',
cert_verify=self.options.get('proxy_cert'))
response = client.call_api('/parse_query',
'POST',
data=json.dumps({
'module':
connection['type'],
'data_source': {},
'data':
data,
'options':
connection['options']
}),
timeout=self.options.get('timeout'))
return json.loads(response.bytes)
def translate_results(self, data_source, data):
# A proxy translation call passes the entire data source connection object in as the options
# Top-most connection host and port are for the proxy
proxy_host = self.options['proxy_host']
proxy_port = self.options['proxy_port']
connection, configuration = unwrap_connection_options(self.options)
client = RestApiClient(
proxy_host,
proxy_port,
url_modifier_function=lambda host_port, endpoint, headers:
f'http://{host_port}{endpoint}')
response = client.call_api('/translate_results',
'POST',
data=json.dumps({
'module':
connection['type'],
"data_source":
data_source,
"results":
data,
"options":
connection['options']
}),
timeout=self.options.get('timeout'))
return json.loads(response.bytes)
def __init__(self, connection, configuration):
"""Initialization.
:param connection: dict, connection dict
:param configuration: dict,config dict"""
headers = dict()
url_modifier_function = None
default_api_version = 'v1.0'
auth = configuration.get('auth')
self.endpoint = '{api_version}/security/alerts'.format(
api_version=default_api_version)
self.host = connection.get('host')
self.search_timeout = connection['options'].get('timeout')
if auth:
if 'access_token' in auth:
headers['Authorization'] = "Bearer " + auth['access_token']
self.client = RestApiClient(
connection.get('host'),
connection.get('port', None),
headers,
url_modifier_function=url_modifier_function,
cert_verify=connection.get('selfSignedCert', True),
sni=connection.get('sni', None))
def __init__(self, connection, configuration):
headers = dict()
url_modifier_function = None
auth = configuration.get('auth')
self.indices = configuration.get('elastic_ecs',
{}).get('indices', None)
if isinstance(self.indices, list): # Get list of all indices
self.indices = ",".join(self.indices)
if self.indices:
self.endpoint = self.indices + '/' + '_search'
else:
self.endpoint = '_search'
if auth:
if 'username' in auth and 'password' in auth:
headers['Authorization'] = b"Basic " + base64.b64encode(
(auth['username'] + ':' +
auth['password']).encode('ascii'))
elif 'api_key' in auth and 'id' in auth:
headers['Authorization'] = b"ApiKey " + base64.b64encode(
(auth['id'] + ':' + auth['api_key']).encode('ascii'))
elif 'access_token' in auth:
headers['Authorization'] = "Bearer " + auth['access_token']
self.client = RestApiClient(
connection.get('host'),
connection.get('port'),
connection.get('cert', None),
headers,
url_modifier_function=url_modifier_function,
cert_verify=connection.get('selfSignedCert', True),
mutual_auth=connection.get('use_securegateway', False),
sni=connection.get('sni', None))
class APIClient():
PING_TIMEOUT_IN_SECONDS = 10
def __init__(self, connection, configuration):
self.endpoint_start = 'alertflex-ctrl/rest/stix-alerts'
headers = dict()
auth = configuration.get('auth')
headers['Authorization'] = b"Basic " + base64.b64encode(
(auth['username'] + ':' + auth['password']).encode('ascii'))
url_modifier_function = None
self.client = RestApiClient(connection.get('host'),
connection.get('port'),
headers,
url_modifier_function,
cert_verify=connection.get(
'selfSignedCert', False))
def ping_data_source(self):
endpoint = self.endpoint_start + '/status'
return self.client.call_api(endpoint,
'GET',
timeout=self.PING_TIMEOUT_IN_SECONDS)
def get_search_results(self, query_expression, offset=None, length=None):
endpoint = self.endpoint_start + '/search'
data = {'query': query_expression}
result = self.client.call_api(endpoint, 'GET', urldata=data)
return result
def delete_search(self, search_id):
# Optional since this may not be supported by the data source API
# Delete the search
return {"code": 200, "success": True}
def __init__(self, connection, configuration):
self.auth = configuration.get('auth')
self.logger = logger.set_logger(__name__)
nonce = "".join([
secrets.choice(string.ascii_letters + string.digits)
for _ in range(64)
])
timestamp = int(datetime.now(timezone.utc).timestamp()) * 1000
self.auth = configuration.get('auth')
auth_key = f"{self.auth['api_key']}{nonce}{timestamp}"
auth_key = auth_key.encode("utf-8")
api_key_hash = hashlib.sha256(auth_key).hexdigest()
headers = {
"x-xdr-timestamp": str(timestamp),
"x-xdr-nonce": nonce,
"x-xdr-auth-id": str(self.auth['api_key_id']),
"Authorization": api_key_hash
}
self.client = RestApiClient(
connection.get('host'),
connection.get('port', None),
headers,
url_modifier_function=None,
)
self.result_limit = connection['options'].get('result_limit')
self.timeout = connection['options']['timeout']
self.quota_threshold = connection['quota_threshold']
self.connector = __name__.split('.')[1]
class APIClient:
"""API Client to handle all calls."""
PING_TIMEOUT_IN_SECONDS = 10
def __init__(self, connection, configuration):
"""Initialization.
:param connection: dict, connection dict
:param configuration: dict,config dict"""
headers = dict()
url_modifier_function = None
auth = configuration.get('auth')
self.endpoint = 'api/advancedqueries/run'
self.host = connection.get('host')
if auth:
if 'access_token' in auth:
headers['Authorization'] = "Bearer " + auth['access_token']
self.client = RestApiClient(
connection.get('host'),
connection.get('port', None),
connection.get('cert', None),
headers,
url_modifier_function=url_modifier_function,
cert_verify=connection.get('selfSignedCert', True),
mutual_auth=connection.get('use_securegateway', False),
sni=connection.get('sni', None))
def ping_box(self):
"""Ping the endpoint."""
endpoint = '/api'
return self.client.call_api(endpoint,
'GET',
timeout=self.PING_TIMEOUT_IN_SECONDS)
def run_search(self,
query_expression,
offset=DEFAULT_OFFSET,
length=DEFAULT_LIMIT):
"""get the response from MSatp endpoints
:param query_expression: str, search_id
:param offset: int,offset value
:param length: int,length value
:return: response, json object"""
serialize = '| serialize rn = row_number() | where rn >= {offset} | limit {length}'
headers = dict()
headers['Content-Type'] = 'application/json'
headers['Accept'] = 'application/json'
endpoint = self.endpoint
query_expression = query_expression + serialize.format(offset=offset,
length=length)
query_expression = json.dumps({
'Query': query_expression
}).encode("utf-8")
return self.client.call_api(endpoint,
'POST',
headers=headers,
data=query_expression)
def __init__(self, connection, configuration):
self.auth = configuration.get('auth')
headers = {'Accept': 'application/json'}
self.client = RestApiClient(connection.get('host'),
connection.get('port'),
headers,
cert_verify=connection.get(
'selfSignedCert', True))
class APIClient:
"""API Client to handle all calls."""
def __init__(self, connection, configuration):
"""Initialization.
:param connection: dict, connection dict
:param configuration: dict,config dict"""
headers = dict()
url_modifier_function = None
default_api_version = 'v1.0'
auth = configuration.get('auth')
self.endpoint = '{api_version}/security/alerts'.format(api_version=default_api_version)
self.host = connection.get('host')
self.timeout = connection['options'].get('timeout')
if auth:
if 'access_token' in auth:
headers['Authorization'] = "Bearer " + auth['access_token']
self.client = RestApiClient(connection.get('host'),
connection.get('port', None),
headers,
url_modifier_function=url_modifier_function,
cert_verify=connection.get('selfSignedCert', True),
sni=connection.get('sni', None)
)
def ping_box(self):
"""Ping the endpoint."""
params = dict()
params['$top'] = 1
return self.client.call_api(self.endpoint, 'GET', urldata=params, timeout=self.timeout)
def run_search(self, query_expression, length):
"""get the response from azure_sentinel endpoints
:param query_expression: str, search_id
:param length: int,length value
:return: response, json object"""
headers = dict()
headers['Accept'] = 'application/json'
params = dict()
params['$filter'] = query_expression
params['$top'] = length
return self.client.call_api(self.endpoint, 'GET', headers, urldata=params, timeout=self.timeout)
def next_page_run_search(self, next_page_url):
"""get the response from azure_sentinel endpoints
:param next_page_url: str, search_id
:return: response, json object"""
headers = dict()
headers['Accept'] = 'application/json'
url = next_page_url.split('?', maxsplit=1)[1]
endpoint = self.endpoint + '?' + url
return self.client.call_api(endpoint, 'GET', headers, timeout=self.timeout)
def __init__(self, connection, configuration):
self.logger = logger.set_logger(__name__)
headers = {'Content-Type': 'application/json'}
url_modifier_function = None
self.auth = configuration.get('auth')
self.client = RestApiClient(
connection.get('host'),
connection.get('port', None),
headers,
url_modifier_function=url_modifier_function)
self.timeout = connection['options'].get('timeout')
def __init__(self, connection, configuration):
self.logger = logger.set_logger(__name__)
headers = {}
url_modifier_function = None
self.auth = configuration.get('auth')
self.client = RestApiClient(
connection.get('host'),
port=None,
headers=headers,
cert_verify=False,
url_modifier_function=url_modifier_function)
def __init__(self, connection, configuration):
self.endpoint_start = 'api/v1/'
auth = configuration.get('auth')
headers = dict()
headers['X-Auth-Token'] = auth.get('token')
self.client = RestApiClient(connection.get('host'),
connection.get('port'),
headers,
cert_verify=connection.get(
'selfSignedCert', True),
sni=connection.get('sni', None))
self.timeout = connection['options'].get('timeout')
def __init__(self, connection, configuration):
self.connection = connection
self.configuration = configuration
self.timeout = connection['options'].get('timeout')
self.bundle_url = self.connection.get('url')
auth = None
conf_auth = configuration.get('auth', {})
if 'username' in conf_auth and 'password' in conf_auth:
auth = (conf_auth['username'], conf_auth['password'])
self.client = RestApiClient(None,
auth=auth,
url_modifier_function=lambda host_port, endpoint, headers: f'{endpoint}')
def __init__(self, connection, configuration):
headers = dict()
self.auth = configuration.get('auth')
self.api_key = "ApiToken " + self.auth.get('apitoken')
headers['Authorization'] = self.api_key
headers['Content-type'] = 'application/json'
self.timeout = connection['options']['timeout']
self.client = RestApiClient(connection.get('host'),
connection.get('port', None),
headers,
url_modifier_function=None)
def __init__(self, connection, configuration):
self.request_http_path = "https://{}:{}".format(
connection['options']['proxy_host'],
connection['options']['proxy_port'])
self.timeout = connection['options']['timeout']
self.connection, self.configuration = self._unwrap_connection_options(
copy.deepcopy(connection), copy.deepcopy(configuration))
self.client = RestApiClient(
connection['options']['proxy_host'],
connection['options']['proxy_port'],
url_modifier_function=lambda host_port, endpoint, headers:
f'https://{host_port}{endpoint}',
cert_verify=connection['options'].get('proxy_cert'))
def __init__(self, connection, configuration):
self.endpoint_start = 'api/v1/'
auth = configuration.get('auth')
headers = dict()
headers['X-Auth-Token'] = auth.get('token')
self.client = RestApiClient(
connection.get('host'),
connection.get('port'),
connection.get('cert', None),
headers,
cert_verify=connection.get('selfSignedCert', True),
mutual_auth=connection.get('use_securegateway', False),
sni=connection.get('sni', None))
def __init__(self, connection, configuration):
self.endpoint_start = 'alertflex-ctrl/rest/stix-alerts'
headers = dict()
auth = configuration.get('auth')
headers['Authorization'] = b"Basic " + base64.b64encode(
(auth['username'] + ':' + auth['password']).encode('ascii'))
url_modifier_function = None
self.client = RestApiClient(connection.get('host'),
connection.get('port'),
headers,
url_modifier_function,
cert_verify=connection.get(
'selfSignedCert', False))
def __init__(self, connection, configuration):
self.endpoint_start_v1 = 'api/v1/' # Uses API v1 for `ping` and `processes search` endpoints.
self.endpoint_start_v4 = 'api/v4/' # Uses API v4 for `events search` endpoint.
auth = configuration.get('auth')
headers = dict()
headers['X-Auth-Token'] = auth.get('token')
self.client = RestApiClient(connection.get('host'),
connection.get('port'),
headers,
cert_verify=connection.get(
'selfSignedCert', True),
sni=connection.get('sni', None))
self.timeout = connection['options'].get('timeout')
class APIClient():
PING_ENDPOINT = 'sensor'
PROCESS_ENDPOINT = 'process'
def __init__(self, connection, configuration):
self.endpoint_start_v1 = 'api/v1/' # Uses API v1 for `ping` and `processes search` endpoints.
self.endpoint_start_v4 = 'api/v4/' # Uses API v4 for `events search` endpoint.
auth = configuration.get('auth')
headers = dict()
headers['X-Auth-Token'] = auth.get('token')
self.client = RestApiClient(connection.get('host'),
connection.get('port'),
headers,
cert_verify=connection.get(
'selfSignedCert', True),
sni=connection.get('sni', None))
self.timeout = connection['options'].get('timeout')
def ping_box(self):
endpoint = self.endpoint_start_v1 + self.PING_ENDPOINT
return self.client.call_api(endpoint, 'GET', timeout=self.timeout)
def run_processes_search(self, query_expression, start=0, rows=10):
"""
https://developer.carbonblack.com/reference/enterprise-response/6.3/rest-api/#process-search
Processes search using `/api/v1/process`
"""
headers = dict()
process_endpoint = self.endpoint_start_v1 + self.PROCESS_ENDPOINT
data = [("q", query_expression), ("start", start), ("rows", rows),
("sort", 'start asc')]
return self.client.call_api(process_endpoint,
'GET',
headers,
urldata=data,
timeout=self.timeout)
def run_events_search(self, process_id, segment_id):
"""
https://developer.carbonblack.com/reference/enterprise-response/6.3/rest-api/#process-event-details
Event details search for process X at segment Y using `/api/v4/process/(process_id)/(segment_id)/event`
"""
headers = dict()
event_endpoint = self.endpoint_start_v4 + self.PROCESS_ENDPOINT + '/{}/{}/event'.format(
process_id, segment_id)
data = []
return self.client.call_api(event_endpoint,
'GET',
headers,
urldata=data,
timeout=self.timeout)
def __init__(self, connection, configuration):
# Uncomment when implementing data source API client.
auth = configuration.get('auth')
headers = dict()
if auth:
if 'principal' in auth and 'secret' in auth:
headers['Authorization'] = b"Basic " + base64.b64encode(
(auth['principal'] + ':' + auth['secret']).encode('ascii'))
self.client = RestApiClient(connection.get('host'),
port=None,
headers=headers,
url_modifier_function=None,
cert_verify=True,
sni=None,
auth=None)
def __init__(self, connection, configuration):
auth = configuration.get('auth')
headers = dict()
headers['X-Auth-Token'] = auth.get('token')
headers['Accept'] = 'application/json'
headers['Content-Type'] = 'application/json'
self.org_key = auth.get('org_key')
self.client = RestApiClient(connection.get('host'),
connection.get('port'),
headers,
cert_verify=connection.get(
'selfSignedCert', True),
sni=connection.get('sni', None))
self.timeout = connection['options'].get('timeout')
self.result_limit = connection['options'].get('result_limit')
def __init__(self, params, host, port, headers, url_modifier_function,
cert_verify, sni, auth):
self.client = RestApiClient(host, port, headers, url_modifier_function,
cert_verify, sni, auth)
self.logger = logger.set_logger(__name__)
self.url = params["url"]
self.secret = params["client_secret"]
self.user = params["config_uname"]
self.password = params["config_pass"]
self.client_id = params["client_id"]
self.token_target = 'oauth/token'
self.report_target = 'restAPI/online_report'
self.qs_target = 'restAPI/quick_search'
self.fields_target = 'restAPI/fieldsTitles'
self.fields = {}
self.get_token()
def get_events(self):
payload = "{\"name\": \"Secret Server Events Logs\", \"parameters\": [{\"name\": \"startDate\", \"value\": '%s'} , {\"name\":\"endDate\",\"value\": '%s'}]}" % (
self.startDate, self.endDate)
headers = {
'Authorization': self.accessToken,
'Content-Type': 'application/json'
}
endpoint = "SecretServer/api/v1/reports/execute"
response = RestApiClient.call_api(self,
endpoint,
'POST',
headers=headers,
data=payload,
urldata=None,
timeout=None)
return_obj = {}
if response.code != 200:
response_txt = response.response.text
ErrorResponder.fill_error(return_obj, message=response_txt)
raise Exception(return_obj)
collection = []
json_data = response.response.text
eventData = json.loads(json_data)
col = eventData['columns']
for obj in eventData['rows']:
obj = dict(zip(col, obj))
collection.append(obj)
return collection
def get_Secret(self):
eventDetail = self.get_events()
secretIdList = []
secretCollection = []
for obj in eventDetail:
item = (obj['ItemId'])
secretIdList.append(item)
unique = set(secretIdList)
for id in unique:
secret_server_user_url = self.secret_detail + "/%s" % id
headers = {
'Authorization': self.accessToken,
'Content-Type': 'application/json'
}
payload = {}
response = RestApiClient.call_api(self,
secret_server_user_url,
'GET',
headers=headers,
data=payload,
urldata=None,
timeout=None)
secretCollection.append(response.response.text)
json_data = json.dumps(secretCollection)
collection = json.loads(json_data)
return collection
def get_api_client(self):
api_client = RestApiClient(self.connection.get('host'),
self.connection.get('port'),
self.headers,
cert_verify=self.connection.get(
'selfSignedCert', True),
sni=self.connection.get('sni', None))
return api_client
def __init__(self, connection, configuration):
# Uncomment when implementing data source API client.
auth_values = configuration.get('auth')
auth = (auth_values['username'], auth_values['password'])
headers = dict()
headers['Accept'] = 'application/json'
connection['host'] = 'data.reversinglabs.com'
url_modifier_function = None
self.client = RestApiClient(
host=connection.get('host'),
port=None,
headers=headers,
url_modifier_function=url_modifier_function,
auth=auth)
self.connection = connection
self.namespace = connection.get('namespace')
def __init__(self, connection, configuration):
# This version of the ariel APIClient is designed to function with
# version 6.0 of the ariel API.
self.endpoint_start = 'api/ariel/'
self.urldata = {}
headers = dict()
host_port = connection.get('host') + ':' + \
str(connection.get('port', ''))
headers['version'] = '8.0'
headers['accept'] = 'application/json'
auth = configuration.get('auth')
if auth != None and auth.get('SEC', None) != None:
headers['sec'] = auth.get('SEC')
url_modifier_function = None
proxy = connection.get('proxy')
if proxy is not None:
proxy_url = proxy.get('url')
proxy_auth = proxy.get('auth')
if (proxy_url is not None and proxy_auth is not None):
headers['proxy'] = proxy_url
headers['proxy-authorization'] = 'Basic ' + proxy_auth
if proxy.get('x_forward_proxy', None) is not None:
headers['x-forward-url'] = 'https://' + \
host_port + '/' # + endpoint, is set by 'add_endpoint_to_url_header'
host_port = proxy.get('x_forward_proxy')
if proxy.get('x_forward_proxy_auth', None) is not None:
headers['x-forward-auth'] = proxy.get(
'x_forward_proxy_auth')
headers['user-agent'] = 'UDS'
url_modifier_function = self.add_endpoint_to_url_header
self.data_lake = connection.get('data_lake')
if self.data_lake:
print('QRadar Cloud Data Lake enabled')
self.client = RestApiClient(
host_port,
None,
connection.get('cert', None),
headers,
url_modifier_function,
cert_verify=connection.get('selfSignedCert', True),
mutual_auth=connection.get('use_securegateway', False),
sni=connection.get('sni', None))
class APIClient():
def __init__(self, connection, configuration):
# Uncomment when implementing data source API client.
auth = configuration.get('auth')
headers = dict()
if auth:
if 'principal' in auth and 'secret' in auth:
headers['Authorization'] = b"Basic " + base64.b64encode(
(auth['principal'] + ':' + auth['secret']).encode('ascii'))
self.client = RestApiClient(connection.get('host'),
port=None,
headers=headers,
url_modifier_function=None,
cert_verify=True,
sni=None,
auth=None)
def ping_data_source(self):
# Pings the data source
endpoint = ENDPOINT_ALL + "?format=json&sinceSeconds=3600"
pingresult = self.client.call_api(endpoint=endpoint, method='GET')
return pingresult
def create_search(self, query_expression):
# Queries the data source
return {"code": 200, "query_id": query_expression}
def get_search_status(self, search_id):
# Check the current status of the search
return {"code": 200, "status": "COMPLETED"}
def get_search_results(self, search_id):
# Return the search results. Results must be in JSON format before being translated into STIX
#resultdata = self.client.call_api(endpoint=ENDPOINT_ALL+search_id, method='GET')#working
endpoint = ENDPOINT_ALL + "?format=json"
resultdata = self.client.call_api(endpoint=endpoint,
method='GET',
urldata=search_id)
# Check the current status of the search
return resultdata
def delete_search(self, search_id):
# Optional since this may not be supported by the data source API
# Delete the search
return {"code": 200, "success": True}
