def _delete_domain_function(self, event, *args, **kwargs):
"""Function: This is a function implementation that uses the Cisco API to delete a domain from the shared customer’s domain list."""
try:
validate_fields(['cisco_domain'], kwargs)
# Get the function parameters:
cisco_domain = kwargs.get("cisco_domain") # text
self.log.info(u'Deleting {} from list'.format(cisco_domain))
rp = ResultPayload(SECTION_NAME, **kwargs)
url = '/'.join(
(self.options['url'], 'domains', '{}?customerKey={}'))
url = url.format(cisco_domain.strip(), self.apikey)
self.log.debug(url)
rc = RequestsCommon(self.opts, self.options)
content, msg = rc.execute_call_v2("delete", url, callback=callback)
if msg:
yield StatusMessage(msg)
else:
yield StatusMessage(
u"Delete domain for '{}' was successful".format(
cisco_domain))
# Return the results
results = rp.done(False if msg else True, None if msg else content,
msg)
# backward compatibility
results['value'] = None if msg else content
yield FunctionResult(results)
except Exception as err:
self.log.error(err)
yield FunctionError()
def __init__(self, opts):
"""constructor provides access to the configuration options"""
super(FunctionComponent, self).__init__(opts)
self.opts = opts
self.options = opts.get("fn_qradar_integration", {})
required_fields = ["host", "verify_cert"]
validate_fields(required_fields, self.options)
def _ansible_tower_list_job_templates_function(self, event, *args,
**kwargs):
"""Function: List available job templates"""
try:
# validate key app.config settings
validate_fields(("url"), self.options)
# Get the function parameters:
tower_project = kwargs.get("tower_project") # text
template_pattern = kwargs.get("tower_template_pattern") # text
log = logging.getLogger(__name__)
log.info("tower_project: %s", tower_project)
log.info("tower_template_pattern: %s", template_pattern)
result = ResultPayload(SECTION_HDR, **kwargs)
# PUT YOUR FUNCTION IMPLEMENTATION CODE HERE
yield StatusMessage("starting...")
json_templates = get_job_template_by_project(
self.opts, self.options, tower_project, template_pattern)
result_payload = result.done(True, json_templates)
yield StatusMessage("done...")
# Produce a FunctionResult with the results
yield FunctionResult(result_payload)
except Exception:
yield FunctionError()
def __init__(self, opts):
"""constructor provides access to the configuration options"""
super(FunctionComponent, self).__init__(opts)
self.incident_data = {}
self.mail_data = {}
self.opts = opts
self.smtp_config_section = self.opts.get(CONFIG_DATA_SECTION, {})
validate_fields(["smtp_server", "smtp_port"], self.smtp_config_section)
self.template_file_path = self.smtp_config_section.get('template_file')
self.smtp_port_choice = str(self.smtp_config_section.get("smtp_"))
self.smtp_user = self.smtp_config_section.get("smtp_user")
if self.template_file_path and not os.path.exists(
self.template_file_path):
log.warning(u"Template file '%s' not found.",
self.template_file_path)
self.template_file_path = None
self.mail_context = {
"mail_from": "",
"mail_to": [],
"mail_cc": [],
"mail_bcc": [],
'mail_subject': '',
"attachment_list": []
}
def _fn_aws_iam_delete_login_profile_function(self, event, *args, **kwargs):
"""Function: Delete the password for the specified IAM user, which terminates the user's ability
to access AWS services through the AWS Management Console.
param aws_iam_user_name: An IAM user name.
"""
try:
params = transform_kwargs(kwargs) if kwargs else {}
# Instantiate result payload object
rp = ResultPayload(CONFIG_DATA_SECTION, **kwargs)
# Get the function parameters:
aws_iam_user_name = kwargs.get("aws_iam_user_name") # text
LOG.info("aws_iam_user_name: %s", aws_iam_user_name)
validate_fields(["aws_iam_user_name"], kwargs)
iam_cli = AwsIamClient(self.options)
rtn = iam_cli.post("delete_login_profile", **params)
results = rp.done(True, rtn)
# Produce a FunctionResult with the results
yield FunctionResult(results)
except Exception as aws_err:
LOG.exception("ERROR with Exception '%s' in Resilient Function for AWS IAM.", aws_err.__repr__())
yield FunctionError()
def _fn_proofpoint_trap_delete_list_member_function(
self, event, *args, **kwargs):
"""Function: Delete the member of a list."""
try:
params = transform_kwargs(kwargs) if kwargs else {}
rp = ResultPayload(CONFIG_DATA_SECTION, **kwargs)
# Get the function parameters:
trap_list_id = kwargs.get("trap_list_id") # number
trap_member_id = kwargs.get("trap_member_id") # number
LOG.info("trap_list_id: %s", trap_list_id)
LOG.info("trap_member_id: %s", trap_member_id)
validate_fields(["trap_list_id", "trap_member_id"], kwargs)
pptr = PPTRClient(self.opts, self.options)
rtn = pptr.delete_list_member(**params)
results = rp.done(True, rtn)
# Produce a FunctionResult with the results
yield FunctionResult(results)
except Exception:
LOG.exception(
"Exception in Resilient Function for Proofpoint TRAP.")
yield FunctionError()
def _load_profiles(self, opts, options):
"""load the app.config profiles for sentinel. Each profile represents a different workspace
to pull incidents from.
Raises:
KeyError: [error when a named profile is not found in app.config]
"""
sentinel_profiles = options["sentinel_profiles"]
# confirm all profiles are valid
profiles = {}
profile_list = [item.strip() for item in sentinel_profiles.split(",")]
for profile in profile_list:
profile_name = u"{}:{}".format(PACKAGE_NAME, profile)
profile_data = opts.get(profile_name)
if not profile_data:
raise KeyError(u"Unable to find Sentinel profile: {}".format(
profile_name))
# check each profile for the correct settings
validate_fields(REQUIRED_PROFILE_FIELDS, profile_data)
profiles[profile] = profile_data
return profiles
def _load_options(self, opts):
"""Read options from config"""
self.opts = opts
self.options = opts.get(CONFIG_DATA_SECTION, {})
# Validate required fields in app.config are set
required_fields = [
"base_url", "username", "password", "query_limit",
"query_ticket_grouping_types", "polling_interval"
]
validate_fields(required_fields, self.options)
self.polling_interval = int(
self.options.get("polling_interval", DEFAULT_POLL_SECONDS))
# If close_codes are defined in the app.config, then turn them into a list of string
close_codes = self.options.get("close_codes", None)
if close_codes:
self.close_codes = [
code.strip() for code in close_codes.split(',')
]
else:
self.close_codes = None
# Create Secureworks client
self.scwx_client = SCWXClient(self.opts, self.options)
def __init__(self, opts):
"""constructor provides access to the configuration options"""
super(FunctionComponent, self).__init__(opts)
self.res_options = opts.get("resilient", {})
self.options = opts.get("pagerduty", {})
validate_fields(['api_token', 'from_email'], self.options)
self.log = logging.getLogger(__name__)
def _exchange_online_delete_email_function(self, event, *args, **kwargs):
"""Function: Delete a message in the specified user's mailbox."""
try:
# Initialize the results payload
rp = ResultPayload(CONFIG_DATA_SECTION, **kwargs)
# Validate fields
validate_fields(['exo_email_address', 'exo_messages_id'], kwargs)
# Get the function parameters
email_address = kwargs.get('exo_email_address') # text
mailfolders_id = kwargs.get('exo_mailfolders_id') # text
messages_id = kwargs.get('exo_messages_id') # text
LOG.info(u"exo_email_address: %s", email_address)
LOG.info(u"exo_mailfolders_id: %s", mailfolders_id)
LOG.info(u"exo_messages_id: %s", messages_id)
yield StatusMessage(
u"Starting delete message for email address: {}".format(
email_address))
# Get the MS Graph helper class
MS_graph_helper = MSGraphHelper(
self.options.get("microsoft_graph_token_url"),
self.options.get("microsoft_graph_url"),
self.options.get("tenant_id"), self.options.get("client_id"),
self.options.get("client_secret"),
self.options.get("max_messages"),
self.options.get("max_users"),
self.options.get("max_retries_total", MAX_RETRIES_TOTAL),
self.options.get("max_retries_backoff_factor",
MAX_RETRIES_BACKOFF_FACTOR),
self.options.get("max_batched_requests", MAX_BATCHED_REQUESTS),
RequestsCommon(self.opts, self.options).get_proxies())
# Call MS Graph API to get the user profile
response = MS_graph_helper.delete_message(email_address,
mailfolders_id,
messages_id)
# If message was deleted a 204 code is returned.
if response.status_code == 204:
success = True
response_json = {'value': success}
else:
success = False
response_json = response.json()
results = rp.done(success, response_json)
yield StatusMessage(
u"Returning delete results for email address: {}".format(
email_address))
# Produce a FunctionResult with the results
yield FunctionResult(results)
except Exception as err:
LOG.error(err)
yield FunctionError(err)
def _fn_proofpoint_trap_get_list_members_function(self, event, *args,
**kwargs):
"""Function: Retrieve all the members of a Threat Response list."""
try:
params = transform_kwargs(kwargs) if kwargs else {}
rp = ResultPayload(CONFIG_DATA_SECTION, **kwargs)
# Get the function parameters:
trap_list_id = kwargs.get("trap_list_id") # number
trap_member_id = kwargs.get("trap_member_id ") # number
trap_members_type = self.get_select_param(
kwargs.get(
"trap_members_type")) # select, values: "members.json"
LOG.info("trap_list_id: %s", trap_list_id)
LOG.info("trap_member_id: %s", trap_member_id)
LOG.info("trap_members_type: %s", trap_members_type)
validate_fields(["trap_list_id", "trap_members_type"], kwargs)
pptr = PPTRClient(self.opts, self.options)
rtn = pptr.get_list_members(**params)
results = rp.done(True, rtn)
# Produce a FunctionResult with the results
yield FunctionResult(results)
except Exception:
LOG.exception(
"Exception in Resilient Function for Proofpoint TRAP.")
yield FunctionError()
def _reload(self, event, opts):
"""Configuration options have changed, save new values"""
self.options = opts.get("fn_aws_guardduty", {})
self.opts = opts
validate_fields(config.REQUIRED_CONFIG_SETTINGS, self.options)
config.STOP_THREAD = True
self.poller_setup()
def _fn_aws_iam_update_access_key_function(self, event, *args, **kwargs):
"""Function: Update status of an IAM user access key.
Change the status of an access key from Active to Inactive, or vice versa.
param aws_iam_user_name: An IAM user name.
param aws_iam_access_key_id: An IAM user access key id.
param aws_iam_status: An IAM user access key taget status.
"""
try:
params = transform_kwargs(kwargs) if kwargs else {}
# Instantiate result payload object
rp = ResultPayload(CONFIG_DATA_SECTION, **kwargs)
# Get the function parameters:
aws_iam_user_name = kwargs.get("aws_iam_user_name") # text
aws_iam_access_key_id = kwargs.get("aws_iam_access_key_id") # text
aws_iam_status = \
self.get_select_param(kwargs.get("aws_iam_status")) # select, values: "Active", "Inactive"
LOG.info("aws_iam_user_name: %s", aws_iam_user_name)
LOG.info("aws_iam_access_key_id: %s", aws_iam_access_key_id)
LOG.info("aws_iam_status: %s", aws_iam_status)
validate_fields(["aws_iam_user_name", "aws_iam_access_key_id", "aws_iam_status"], kwargs)
iam_cli = AwsIamClient(self.options)
rtn = iam_cli.post("update_access_key", **params)
results = rp.done(True, rtn)
# Produce a FunctionResult with the results
yield FunctionResult(results)
except Exception as aws_err:
LOG.exception("ERROR with Exception '%s' in Resilient Function for AWS IAM.", aws_err.__repr__())
yield FunctionError()
def _bit9_approval_request_get_function(self, event, *args, **kwargs):
"""Function: Get an approval request by ID"""
try:
validate_fields(["bit9_approval_request_id"], kwargs)
# Get the function parameters:
bit9_approval_request_id = kwargs.get(
"bit9_approval_request_id") # number
log.info(u"bit9_approval_request_id: %s", bit9_approval_request_id)
bit9_client = CbProtectClient(self.options)
results = bit9_client.get_approval_request(
bit9_approval_request_id)
results[
"details_url"] = u"https://{}/approval-request-details.php?request_id={}".format(
bit9_client.server, bit9_approval_request_id)
log.info(u"Request Status :%d", results.get("status"))
log.debug(results)
# Produce a FunctionResult with the results
yield FunctionResult(results)
except Exception as err:
log.error(err)
yield FunctionError(err)
def __init__(self, opts=None, function_options=None):
"""
Class constructor.
"""
if not isinstance(opts, dict) and not opts:
raise ValueError("The 'opts' parameter is not set correctly.")
if not isinstance(function_options, dict) and not function_options:
raise ValueError(
"The 'function_options' parameter is not set correctly.")
validate_fields(config.REQUIRED_CONFIG_SETTINGS, function_options)
self.opts = opts
self.function_opts = function_options
self.aws_gd_master_region = function_options.get(
"aws_gd_master_region")
# Strip quotes from self.aws_gd_regions regex
self.aws_gd_regions = function_options.get("aws_gd_regions").strip(
"'\"")
# Test self.aws_gd_regions is a valid regex expression.
self.proxies = RequestsCommon(opts, function_options).get_proxies()
self.startup = True
self.available_regions = []
if not is_regex(self.aws_gd_regions):
raise ValueError(
"The query filter '{}' is not a valid regular expression.".
format(repr(self.aws_gd_regions)))
self._get_clients()
# Unset startup flag
self.startup = False
def _fn_sep_get_file_content_as_base64_function(self, event, *args, **kwargs):
"""Function: Get the contents of an uploaded binary file, in base64 format."""
try:
params = transform_kwargs(kwargs) if kwargs else {}
# Instantiate result payload object.
rp = ResultPayload(CONFIG_DATA_SECTION, **kwargs)
# Get the function parameters:
sep_file_id = kwargs.get("sep_file_id") # text
LOG.info("sep_file_id: %s", sep_file_id)
validate_fields(["sep_file_id"], kwargs)
yield StatusMessage("Running Symantec SEP Get File Content as Base64 ...")
sep = Sepclient(self.options, params)
rtn = base64.b64encode(sep.get_file_content(**params)).decode("utf-8")
results = rp.done(True, rtn)
yield StatusMessage("Returning 'Symantec SEP Get File Content as Base64' results")
LOG.debug(json.dumps(results["content"]))
# Produce a FunctionResult with the results
yield FunctionResult(results)
except Exception:
LOG.exception("Exception in Resilient Function for Symantec SEP.")
yield FunctionError()
def _fn_aws_iam_list_user_access_key_ids_function(self, event, *args,
**kwargs):
"""Function: Get information about the access key IDs associated with the specified IAM user.
param aws_iam_user_name: An IAM user name.
"""
try:
params = transform_kwargs(kwargs) if kwargs else {}
# Instantiate result payload object
rp = ResultPayload(CONFIG_DATA_SECTION, **kwargs)
# Get the function parameters:
aws_iam_user_name = kwargs.get("aws_iam_user_name") # text
LOG.info("aws_iam_user_name: %s", aws_iam_user_name)
validate_fields(["aws_iam_user_name"], kwargs)
iam_cli = AwsIamClient(self.options)
rtn = iam_cli.get("list_access_keys", paginate=True, **params)
for j in range(len(rtn)):
rtn[j]["key_last_used"] = \
iam_cli.get("get_access_key_last_used",
AccessKeyId=rtn[j]['AccessKeyId'])
results = rp.done(True, rtn)
# Produce a FunctionResult with the results
yield FunctionResult(results)
except Exception as aws_err:
LOG.exception(
"ERROR with Exception '%s' in Resilient Function for AWS IAM.",
aws_err.__repr__())
yield FunctionError()
def _fn_aws_iam_delete_user_function(self, event, *args, **kwargs):
"""Function: Delete the specified IAM user.
Note: When deleting an IAM user programmatically, you must delete the items attached
to the user or the deletion fails.
param aws_iam_user_name: An IAM user name.
"""
try:
params = transform_kwargs(kwargs) if kwargs else {}
# Instantiate result payload object
rp = ResultPayload(CONFIG_DATA_SECTION, **kwargs)
# Get the function parameters:
aws_iam_user_name = kwargs.get("aws_iam_user_name") # text
LOG.info("aws_iam_user_name: %s", aws_iam_user_name)
validate_fields(["aws_iam_user_name"], kwargs)
iam_cli = AwsIamClient(self.options)
rtn = iam_cli.post("delete_user", **params)
results = rp.done(True, rtn)
# Produce a FunctionResult with the results
yield FunctionResult(results)
except Exception as aws_err:
LOG.exception(
"ERROR with Exception '%s' in Resilient Function for AWS IAM.",
aws_err.__repr__())
yield FunctionError()
def _bit9_file_instance_update_function(self, event, *args, **kwargs):
"""Function: Update the approval state of a file instance"""
try:
validate_fields(
["bit9_file_instance_id", "bit9_file_instance_localstate"],
kwargs)
# Get the function parameters:
bit9_file_instance_id = kwargs.get(
"bit9_file_instance_id") # number
bit9_file_instance_localstate = kwargs.get(
"bit9_file_instance_localstate") # number
log.info(u"bit9_file_instance_id: %s", bit9_file_instance_id)
log.info(u"bit9_file_instance_localstate: %s",
bit9_file_instance_localstate)
payload = {"localState": bit9_file_instance_localstate}
bit9_client = CbProtectClient(self.options)
results = bit9_client.update_file_instance(bit9_file_instance_id,
payload)
log.info("Done")
log.debug(results)
# Produce a FunctionResult with the results
yield FunctionResult(results)
except Exception as err:
log.error(err)
yield FunctionError(err)
def _url_to_dns_function(self, event, *args, **kwargs):
"""Function: url_to_dns parses a URL string and returns a string containing DNS value"""
try:
# Initialize the results payload
rp = ResultPayload(PACKAGE_NAME, **kwargs)
# Validate fields
validate_fields(['urltodns_url'], kwargs)
# Get the function parameters:
urltodns_url = kwargs.get("urltodns_url") # text
LOG.info("urltodns_url: %s", urltodns_url)
yield StatusMessage("starting...")
url = urlparse(urltodns_url)
dns = "{}".format(url.netloc)
yield StatusMessage("Integration Complete")
content = {"dns": dns}
results = rp.done(True, content)
# Produce a FunctionResult with the results
yield FunctionResult(results)
except Exception as err:
LOG.error(err)
yield FunctionError(err)
def _fn_proofpoint_trap_get_incident_details_function(
self, event, *args, **kwargs):
"""Function: Fetch Incident Details from Proofpoint TRAP"""
try:
params = transform_kwargs(kwargs) if kwargs else {}
rp = ResultPayload(CONFIG_DATA_SECTION, **kwargs)
# Get the function parameters:
trap_incident_id = kwargs.get("trap_incident_id") # number
LOG.info("trap_incident_id: %s", trap_incident_id)
validate_fields(["trap_incident_id"], kwargs)
pptr = PPTRClient(self.opts, self.options)
rtn = pptr.get_incident_details(**params)
if isinstance(rtn, dict) and "error" in rtn:
results = rtn
else:
results = rp.done(True, rtn)
results["data"] = rtn["data"]
results["href"] = rtn["href"]
# Produce a FunctionResult with the results
yield FunctionResult(results)
except Exception:
LOG.exception(
"Exception in Resilient Function for Proofpoint TRAP.")
yield FunctionError()
def _build_transitionIssue_appDict(self, kwargs):
'''
build the dictionary used for the transition api request
:param kwargs:
:return: dictionary of values to use
'''
# test for required fields
validate_fields(['jira_url', 'jira_transition_id'], kwargs)
appDict = {
'user': self.options['user'],
'password': self.options['password'],
'url': kwargs['jira_url'],
'verifyFlag': str_to_bool(self.options.get('verify_cert', 'True')),
'transitionId': kwargs['jira_transition_id'],
}
if kwargs.get('jira_resolution'):
appDict['resolution'] = kwargs['jira_resolution']
# optional
if kwargs.get('jira_comment', None):
html2markdwn = MarkdownParser(strikeout=constants.STRIKEOUT_CHAR,
bold=constants.BOLD_CHAR,
underline=constants.UNDERLINE_CHAR,
italic=constants.ITALIC_CHAR)
appDict['comment'] = html2markdwn.convert(kwargs['jira_comment'])
return appDict
def _bit9_file_delete_function(self, event, *args, **kwargs):
"""Function: Delete a file from all systems or a specific system"""
try:
validate_fields(["bit9_file_action"], kwargs)
# Get the function parameters:
yield StatusMessage("Deleting file...")
bit9_file_action = self.get_select_param(
kwargs.get("bit9_file_action")) # select
bit9_computer_id = kwargs.get("bit9_computer_id") # number
bit9_file_catalog_id = kwargs.get("bit9_file_catalog_id") # number
bit9_file_hash = kwargs.get("bit9_file_hash") # text
bit9_file_name = kwargs.get("bit9_file_name") # text
if not bit9_file_catalog_id and not bit9_file_hash and not bit9_file_name:
raise FunctionError(
"bit9_file_catalog_id, bit9_file_hash, or bit9_file_name mush be set in order to "
"run this function.")
log.info("bit9_file_action: %s", bit9_file_action)
log.info("bit9_computer_id: %s", bit9_computer_id)
log.info("bit9_file_catalog_id: %s", bit9_file_catalog_id)
log.info("bit9_file_hash: %s", bit9_file_hash)
log.info("bit9_file_name: %s", bit9_file_name)
# Supported file actions
supported_file_actions = {
"DeleteFileByName": 8,
"DeleteFileByHash": 9
}
payload = {}
if bit9_file_catalog_id:
payload["fileCatalogId"] = bit9_file_catalog_id
if bit9_computer_id is not None:
payload["computerId"] = bit9_computer_id
if bit9_file_action in supported_file_actions:
payload["action"] = supported_file_actions.get(
bit9_file_action)
else:
raise FunctionError(
u"{} is not one of the support file actions: {}".format(
bit9_file_name, list(supported_file_actions.keys())))
if bit9_file_hash:
payload["hash"] = bit9_file_hash
if bit9_file_name:
payload["fileName"] = bit9_file_name
log.debug("uPayload: {}".format(payload))
bit9_client = CbProtectClient(self.options)
results = bit9_client.delete_file(payload)
log.info("Done")
yield StatusMessage("File deleted...")
log.debug(results)
# Produce a FunctionResult with the results
yield FunctionResult(results)
except Exception as err:
log.error(err)
yield FunctionError(err)
def _reload(self, event, opts):
"""Configuration options have changed, save new values"""
self.options = opts.get("fn_rsa_netwitness", {})
# Validate app.config fields
validate_fields([
"nw_log_server_url", "nw_log_server_user", "nw_log_server_password"
], self.options)
def _fn_sep_move_endpoint_function(self, event, *args, **kwargs):
"""Function: Checks and moves a client computer to a specified group."""
try:
params = transform_kwargs(kwargs) if kwargs else {}
# Instantiate result payload object.
rp = ResultPayload(CONFIG_DATA_SECTION, **kwargs)
# Get the function parameters:
sep_groupid = kwargs.get("sep_groupid") # text
sep_hardwarekey = kwargs.get("sep_hardwarekey") # text
LOG.info("sep_groupid: %s", sep_groupid)
LOG.info("sep_hardwarekey: %s", sep_hardwarekey)
validate_fields(["sep_groupid", "sep_hardwarekey"], kwargs)
yield StatusMessage("Running Symantec SEP Move Endpoint action...")
sep = Sepclient(self.options, params)
rtn = sep.move_endpoint(**params)
results = rp.done(True, rtn)
yield StatusMessage(
"Returning 'Symantec SEP Move Endpoint' results")
LOG.debug(json.dumps(results["content"]))
# Produce a FunctionResult with the results
yield FunctionResult(results)
except Exception:
LOG.exception("Exception in Resilient Function for Symantec SEP.")
yield FunctionError()
def _mcafee_epo_find_a_system_function(self, event, *args, **kwargs):
"""Function: Find an ePO system based on property such as system name, tag, IP address, MAC address, etc."""
try:
# Get the function parameters:
validate_fields(["mcafee_epo_systems"], kwargs)
mcafee_epo_systems = kwargs.get("mcafee_epo_systems") # text
client = init_client(self.opts, self.options)
log = logging.getLogger(__name__)
log.info("mcafee_epo_systems: %s", mcafee_epo_systems)
yield StatusMessage("Starting")
rc = ResultPayload(PACKAGE_NAME, **kwargs)
params = {"searchText": mcafee_epo_systems.strip()}
response = client.request("system.find", params)
yield StatusMessage("Finished")
results = rc.done(True, response)
# Produce a FunctionResult with the results
yield FunctionResult(results)
except Exception:
yield FunctionError()
def _greynoise_ip_query_function(self, event, *args, **kwargs):
"""Function: Perform IP Address analysis"""
try:
# Get the function parameters:
greynoise_value = kwargs.get("greynoise_value") # text
greynoise_type = self.get_select_param(kwargs.get("greynoise_type")) # select
log = logging.getLogger(__name__)
log.info("greynoise_value: %s", greynoise_value)
log.info("greynoise_type: %s", greynoise_type)
# validate input
validate_fields(("greynoise_type", "greynoise_value"), kwargs)
validate_fields(("api_key"), self.options)
yield StatusMessage("starting...")
# build result
result_payload = ResultPayload(SECTION_HEADER, **kwargs)
greynoise_result = call_greynoise(self.opts, self.options, greynoise_type, greynoise_value)
results = result_payload.done(True, greynoise_result)
yield StatusMessage("done...")
# Produce a FunctionResult with the results
yield FunctionResult(results)
except Exception:
yield FunctionError()
def _query_staxx_indicator(self, event, *args, **kwargs):
"""Function: """
try:
validate_fields(['staxx_ip', 'staxx_port', 'staxx_user', 'staxx_password'], self.options)
validate_fields(["staxx_indicator"], kwargs)
rc = ResultPayload(STAXX_SECTION, **kwargs)
# Get the function parameters:
staxx_indicator = kwargs.get("staxx_indicator") # text
staxx_max_results = kwargs.get("staxx_max_results", DEFAULT_MAX_RESULTS) # text
log = logging.getLogger(__name__)
yield StatusMessage(u"Querying for indicator {}".format(staxx_indicator))
staxx = StaxxClient("https://{}:{}".format(self.staxx_ip,self.staxx_port),
self.staxx_user,
self.staxx_password,
RequestsCommon(self.opts, self.options)
)
query = u"value = '{}'".format(staxx_indicator)
try:
staxx_response = staxx.query(query=query, size=staxx_max_results)
except Exception as err:
err = "Error Staxx query: {}".format(str(err))
raise FunctionError(err)
results = rc.done(True, staxx_response, reason=None)
# Produce a FunctionResult with the results
yield FunctionResult(results)
except Exception:
yield FunctionError()
def _fn_aws_iam_list_signing_certs_function(self, event, *args, **kwargs):
"""Function: List the signing certificates associated with an IAM user.
param aws_iam_user_name: An IAM user name.
"""
try:
params = transform_kwargs(kwargs) if kwargs else {}
# Instantiate result payload object
rp = ResultPayload(CONFIG_DATA_SECTION, **kwargs)
aws_iam_user_name = kwargs.get("aws_iam_user_name") # text
LOG.info("aws_iam_user_name: %s", aws_iam_user_name)
validate_fields(["aws_iam_user_name"], kwargs)
iam_cli = AwsIamClient(self.options)
rtn = iam_cli.get("list_signing_certificates",
paginate=True,
**params)
results = rp.done(True, rtn)
# Produce a FunctionResult with the results
yield FunctionResult(results)
except Exception as aws_err:
LOG.exception(
"ERROR with Exception '%s' in Resilient Function for AWS IAM.",
aws_err.__repr__())
yield FunctionError()
def _bit9_file_rule_query_function(self, event, *args, **kwargs):
"""Function: Return file rules that match the given criteria."""
try:
validate_fields(["bit9_query"], kwargs)
# Get the function parameters:
bit9_query = kwargs.get("bit9_query") # text
log.info(u"bit9_query: %s", bit9_query)
# Query example: 'id:6' (see https://<server>/api/bit9platform/v1 for details)
bit9_client = CbProtectClient(self.options)
results = bit9_client.query_file_rule(bit9_query)
# Query results should be a list
if isinstance(results, list):
log.info("%d results", len(results))
results = {"count": len(results), "items": results}
log.debug(results)
else:
log.warn(u"Expected a list but received:")
log.warn(results)
# Produce a FunctionResult with the results
yield FunctionResult(results)
except Exception as err:
log.error(err)
yield FunctionError(err)
