def lambda_handler(event, lambda_context):
return socless_bootstrap(
event,
lambda_context,
handle_state,
include_event=True,
)
def lambda_handler(event, context):
# Disclaimer: having the handle_state in the lambda_handler is a quick & dirty solution to the problem of exposing the lambda 'context' object to the handle_state function
# so that the `create_events` function can use it. There should probably be a better way to do so.
def handle_state(
event_context,
event_type: str,
details: List[dict],
playbook="",
dedup_keys: list = [],
data_types: dict = {},
add_to_details: dict = {},
):
"""
Creates a new event in Socless using the socless_create_events api from the socless_python library
Args:
event_type (str): Human Readable Event name e.g 'Investigate Login'
details (list): List of dictionaries containing the event details
playbook (str): The name of the playbook to execute
dedup_keys (list): The keys to use to deduplicate the event
data_types (dict): A mapping of what datatypes are contained in the event details
add_to_details (dict): A dictionary containing additional keys to add to each details dict
Returns:
A dict containing a boolean status code and, if successful, the investigation id assigned to the created event.
"""
execution_id = event_context.get("execution_id", "n/a")
for each in details:
each.update(add_to_details)
events = {
"event_type": event_type,
"details": details,
"data_types": data_types,
"playbook": playbook,
"dedup_keys": dedup_keys,
"event_meta": {
"data source": f"Execution: {execution_id}",
"description": "Event created from within a Playbook",
},
}
create_events(events, context)
return {"completed": True}
return socless_bootstrap(event, context, handle_state, include_event=True)
def lambda_handler(event, context):
return socless_bootstrap(event, context, handle_state)
def lambda_handler(event, context):
# warm start
if event.get('_keepwarm') is True:
return {}
return socless_bootstrap(event, context, handle_state, include_event=True)
def lambda_handler(event, ctx):
# Nest handle_state inside lambda_handler to access raw ctx object
def handle_state(
context: dict,
investigation_escalated: bool,
findings: str,
metadata: dict = {},
):
"""
Create a log file and upload it to SOCless logging bucket.
Args:
investigation_escalated (bool) : Did the investigation require handoff to a human in order to complete?
findings (str): The investigation's findings or outcome state.
metadata (obj) Any additional info for logging. Any variable type that's JSON serializable
Env:
SOCLESS_Logs (str): The name of the bucket where you want to upload logs to
Returns:
A dict containing the file_id (S3 Object path) and vault_id (Socless logging bucket
reference) of the saved content
"""
bucket_name = os.environ.get("SOCLESS_Logs")
log_type = "findings"
log_source = ctx.invoked_function_arn
aws_region = log_source.split(":")[3]
aws_account = log_source.split(":")[4]
event_type = context["artifacts"]["event"]["event_type"]
playbook_name = context["artifacts"]["event"]["playbook"]
execution_id = context["execution_id"]
execution_arn = "arn:aws:states:{}:{}:execution:{}:{}".format(
aws_region, aws_account, playbook_name, execution_id)
investigation_id = context["artifacts"]["event"]["investigation_id"]
event_payload = context["artifacts"]["event"]["details"]
utc_time = datetime.utcnow()
utc_time_iso = utc_time.isoformat() + "Z"
year = utc_time.year
month = utc_time.month
day = utc_time.day
uuid = gen_id()
file_id = "{}/{}/{}/{}/{}/{}.json".format(log_type, year, month, day,
playbook_name, uuid)
log = {
"log_type": log_type,
"log_source": log_source,
"timestamp": utc_time_iso,
"execution_arn": execution_arn,
"investigation_id": investigation_id,
"event_type": event_type,
"event_payload": event_payload,
"investigation_escalated": investigation_escalated,
"metadata": metadata,
}
try:
findings = socless_template_string(urllib.parse.unquote(findings),
context)
except Exception as e:
print(
f"unable to parse socless_template_string. Error: {e}. Findings: {findings}"
)
raise
log["findings"] = findings
return save_to_s3(file_id, log, bucket_name, False)
return socless_bootstrap(event, ctx, handle_state, include_event=True)
