def observe_observables():
observables = get_observables()
g.bundle = Bundle()
key = get_key()
if key is None:
raise AuthenticationRequiredError
url = current_app.config['AVOTX_URL']
headers = {'User-Agent': current_app.config['CTR_USER_AGENT']}
client = Client(key, url, headers=headers)
limit = current_app.config['CTR_ENTITIES_LIMIT']
for observable in observables:
observable = Observable.instance_for(**observable)
if observable is None:
continue
bundle = observable.observe(client, limit=limit)
g.bundle |= bundle
data = g.bundle.json()
return jsonify_data(data)
def observe_observables():
input_observables = get_observables()
g.bundle = Bundle()
key = get_key()
if key is None:
raise AuthenticationRequiredError
url = current_app.config['AVOTX_URL']
headers = {'User-Agent': current_app.config['CTR_USER_AGENT']}
client = Client(key, url, headers=headers)
limit = current_app.config['CTR_ENTITIES_LIMIT']
prepared_observables = []
for input_observable in input_observables:
prepared_observable = Observable.instance_for(**input_observable)
if prepared_observable is not None:
prepared_observables.append(prepared_observable)
def make_bundle(observable):
return observable.observe(client, limit=limit)
with ThreadPoolExecutor(
max_workers=get_workers(prepared_observables)) as executor:
bundles = executor.map(make_bundle, prepared_observables)
for bundle in bundles:
g.bundle |= bundle
data = g.bundle.json()
return jsonify_data(data)
def test_delete_segment(self, test_segment_data):
client = Client()
client.login()
response = client.create_segment(test_segment_data)
segment_id = response.json()['id']
response = client.delete_segment(segment_id)
assert response.status_code == 204
def auth_client(request):
url = request.config.getoption("--base-url")
username = request.config.getoption("--username")
password = request.config.getoption("--password")
client = Client(url=url)
client.set_cookies(UserData(username=username, password=password))
return client
def test_not_authorized(connection, added_user_del):
"""Test that without called /login we have no access to api."""
user = gen_user()
with added_user_del(user):
res = Client().add_user(user.username, user.password, user.email)
assert not connection.get_user(user.username)
assert res.status_code == Codes.NOT_AUTHORIZED
def health():
credentials = get_jwt()
url = 'https://api.securitycenter.windows.com/api/exposureScore'
client = Client(credentials)
client.open_session()
client.call_api(url)
client.close_session()
return jsonify_data({'status': 'ok'})
def api_client(mysql_orm_client, mysql_worker, logger_api):
username = next(gen)
password = f'{username}_pass'
email = f'{username}@mail.ru'
client = User(username=username, password=password, email=email, access=1, active=0) # это запись в базу
mysql_orm_client.session.add(client)
mysql_orm_client.session.query(User.id).count() # любой запрос в базу
yield Client(username, password, email, logger_api) # это клиент API
mysql_orm_client.session.delete(client)
mysql_orm_client.session.query(User.id).count()
def client(request):
setup()
logger.setLevel('INFO')
url = request.config.getoption("--base-url")
user = request.config.getoption("--username")
password = request.config.getoption("--password")
client = Client(url)
data = UserData(user, password)
client.authorize(data)
return client
def health():
key = get_key()
if key is None:
raise AuthenticationRequiredError
url = current_app.config['AVOTX_URL']
headers = {'User-Agent': current_app.config['CTR_USER_AGENT']}
client = Client(key, url, headers=headers)
_ = client.query('/api/v1/user/me')
return jsonify_data({'status': 'ok'})
def test_delete_self_user(self, api_client, mysql_worker, logger_api):
'''
Тест на удаление несуществующего пользователя
Возвращает 404, как и ожидалось
'''
username = next(gen)
r = api_client.add_user(username=username, email=f'{username}@mail.ru',
password='******')
new_user_for_deleting_himself = Client(username, '12345678', f'{username}@mail.ru', logger_api)
assert mysql_worker.find_count_by_name(username) == 1
r = new_user_for_deleting_himself.delete_user(username)
assert r.status_code == 204
assert mysql_worker.find_count_by_name(username) == 0
def test_use_user_with_little_name(self, api_client, logger_api):
'''
Тест на каки-нибудь действия пользователя с логином <6 символов
апи клиент создает такого пользователя, после чего этот пользователь пытается заблокировать апи клиента
Ожидается что это получится (код 200), однако на самом деле будет код 401
По итогам, как и в ui с таким коротким логином ничего нельзя сделать
'''
username = '******'
r = api_client.add_user(username=username, email=f'{username}@mail.ru',
password='******')
new_user_with_little_name = Client(username, '12345678', f'{username}@mail.ru', logger_api)
r = new_user_with_little_name.block_user(api_client.username)
api_client.delete_user(username)
assert r.status_code == 200, f"Expected code 200, got {r.status_code}"
def create_test():
url = '114.212.87.52:2376'
version = '1.21'
volume = None
network = None
client = Client(url, version)
dic = {}
dic['image'] = 'training/webapp'
# dic['container_name'] = 'test'
# dic['command'] = '/bin/sleep 30'
dic['hostname'] = 'testhostname'
dic['mem_limit'] = '24m'
dic['ports'] = [80, 8000]
dic['cpu_shares'] = 3
volume = Volume(['/home/monkey/fuli:/fuli:rw', '/home/monkey/fire:/fire'])
network = Network('test', 'bridge')
dic['privileged'] = True
con = Container(client, dic, volume, network)
con.create()
return con
def api_client():
email = EMAIL
password = PASSWORD
return Client(email, password)
def api_client(config):
return Client(config['username'], config['password'])
import click
from api.client import Client
c = Client()
@click.group()
def main():
"""Simple CLI for querying data"""
@main.command()
@click.argument('pk')
def get(pk):
"""Get score from pk"""
score = c.get_score(pk)
click.echo(score)
@main.command()
@click.argument('directory')
def update(directory):
"""Update database with jsonl in directory"""
status = c.update_data(directory)
click.echo(status)
if __name__ == "__main__":
main()
def api_client(config, add_user):
name, email = add_user
return Client(name, config['default_password'])
def client():
client = Client(host)
return client
def client(added_user):
client = Client()
user = gen_user()
with added_user(user) as user:
client.login(user.username, user.password)
yield client
def unauth_client(request):
url = request.config.getoption("--base-url")
return Client(url=url)
def __init__(self):
self._key = self._get_stack_key()
self._url = "https://api.stackexchange.com"
self._site = "stackoverflow"
self._client = Client()
def observe_observables():
observables, error = get_observables()
if error:
return jsonify_errors(error)
observables = group_observables(observables)
if not observables:
return jsonify_data({})
data = {}
g.sightings = []
credentials = get_jwt()
client = Client(credentials)
for observable in observables:
client.open_session()
response = get_alert(client, observable)
if not response or not response.get('value'):
alerts = []
else:
alerts = response['value']
alerts.sort(key=lambda x: x['alertCreationTime'], reverse=True)
count = len(alerts)
if count >= current_app.config['CTR_ENTITIES_LIMIT']:
alerts = alerts[:current_app.config['CTR_ENTITIES_LIMIT']]
events = []
else:
events = call_advanced_hunting(
client, observable['value'], observable['type'],
current_app.config['CTR_ENTITIES_LIMIT'] - count)
count = count + len(events)
events.sort(key=lambda x: x['Timestamp'], reverse=True)
mapping = Mapping(client, observable, count)
if alerts:
with ThreadPoolExecutor(max_workers=min(len(alerts),
cpu_count() or 1) *
5) as executor:
alerts = executor.map(mapping.build_sighting_from_alert,
alerts)
[g.sightings.append(alert) for alert in alerts if alert]
if events:
with ThreadPoolExecutor(max_workers=min(len(events),
cpu_count() or 1) *
5) as executor:
events = executor.map(mapping.build_sighting_from_ah, events)
[g.sightings.append(event) for event in events if event]
client.close_session()
if g.sightings:
data['sightings'] = format_docs(g.sightings)
return jsonify_data(data)
def test_create_segment(self, test_segment_data):
client = Client()
client.login()
response = client.create_segment(test_segment_data)
assert response.status_code == 200
def client():
return Client()
def respond_trigger():
mapping_by_type = {
'sha1': 'FileSha1',
'sha256': 'FileSha256',
'ip': 'IpAddress',
'ipv6': 'IpAddress',
'domain': 'DomainName'
}
data, error = get_action_form_params()
if error:
return jsonify_errors(error)
title = 'From SecureX Threat Response'
description = 'This indicator was added via SecureX Threat Response ' \
'by the UI or API response actions'
if data['observable_type'] == 'ms_machine_id':
comment = 'Performed via SecureX Threat Response'
actions = {
'microsoft-defender-FullIsolation': {
'url':
'{base_url}/machines/{machine_id}/isolate'.format(
base_url=current_app.config['BASE_URL'],
machine_id=data['observable_value']),
'method':
'POST',
'data': {
'Comment': comment,
'IsolationType': 'Full'
}
},
'microsoft-defender-SelectiveIsolation': {
'url':
'{base_url}/machines/{machine_id}/isolate'.format(
base_url=current_app.config['BASE_URL'],
machine_id=data['observable_value']),
'method':
'POST',
'data': {
'Comment': comment,
'IsolationType': 'Selective'
}
},
'microsoft-defender-Unisolate': {
'url':
'{base_url}/machines/{machine_id}/unisolate'.format(
base_url=current_app.config['BASE_URL'],
machine_id=data['observable_value']),
'method':
'POST',
'data': {
'Comment': comment
}
},
'microsoft-defender-RestrictCodeExecution': {
'url':
'{base_url}/machines/{machine_id}'
'/restrictCodeExecution'.format(
base_url=current_app.config['BASE_URL'],
machine_id=data['observable_value']),
'method':
'POST',
'data': {
'Comment': comment
}
},
'microsoft-defender-UnrestrictCodeExecution': {
'url':
'{base_url}/machines/{machine_id}'
'/unrestrictCodeExecution'.format(
base_url=current_app.config['BASE_URL'],
machine_id=data['observable_value']),
'method':
'POST',
'data': {
'Comment': comment
}
},
'microsoft-defender-RunAntiVirusScanQuick': {
'url':
'{base_url}/machines/{machine_id}'
'/runAntiVirusScan'.format(
base_url=current_app.config['BASE_URL'],
machine_id=data['observable_value']),
'method':
'POST',
'data': {
'Comment': comment,
'ScanType': 'Quick'
}
},
'microsoft-defender-RunAntiVirusScanFull': {
'url':
'{base_url}/machines/{machine_id}'
'/runAntiVirusScan'.format(
base_url=current_app.config['BASE_URL'],
machine_id=data['observable_value']),
'method':
'POST',
'data': {
'Comment': comment,
'ScanType': 'Full'
}
},
'microsoft-defender-CollectInvestigationPackage': {
'url':
'{base_url}/machines/{machine_id}'
'/collectInvestigationPackage'.format(
base_url=current_app.config['BASE_URL'],
machine_id=data['observable_value']),
'method':
'POST',
'data': {
'Comment': comment
}
},
'microsoft-defender-InitiateInvestigation': {
'url':
'{base_url}/machines/{machine_id}'
'/startInvestigation'.format(
base_url=current_app.config['BASE_URL'],
machine_id=data['observable_value']),
'method':
'POST',
'data': {
'Comment': comment
}
}
}
else:
actions = {
'microsoft-defender-add-indicator-alert': {
'url': current_app.config['INDICATOR_URL'],
'method': 'POST',
'data': {
'indicatorValue': data['observable_value'],
'indicatorType':
mapping_by_type.get(data['observable_type']),
'action': 'Alert',
'title': title,
'description': description,
'severity': 'High'
}
},
'microsoft-defender-add-indicator-alert-and-block': {
'url': current_app.config['INDICATOR_URL'],
'method': 'POST',
'data': {
'indicatorValue': data['observable_value'],
'indicatorType':
mapping_by_type.get(data['observable_type']),
'action': 'AlertAndBlock',
'title': title,
'description': description,
'severity': 'High'
}
},
'microsoft-defender-add-indicator-allowed': {
'url': current_app.config['INDICATOR_URL'],
'method': 'POST',
'data': {
'indicatorValue': data['observable_value'],
'indicatorType':
mapping_by_type.get(data['observable_type']),
'action': 'Allowed',
'title': title,
'description': description
}
},
'microsoft-defender'
'-remove-indicator': {
'url':
current_app.config['INDICATOR_URL'] + '/' +
str(data.get('indicator_id', '')),
'method':
'DELETE',
'data': {}
}
}
result = {'data': {'status': 'success'}}
item = actions.get(data['action-id'])
if not item:
result['data']['status'] = 'failure'
result['errors'] = [
CTRBadRequestError("Unsupported action.").json,
]
return jsonify(result)
if data['observable_type'] != 'ms_machine_id' and \
not item['data']['indicatorType']:
raise UnsupportedTypeError(data['observable_type'])
if item['data']:
action = json.dumps(item['data']).encode('utf-8')
else:
action = None
credentials = get_jwt()
client = Client(credentials)
client.open_session()
response, error = client.call_api(item['url'], item['method'], data=action)
client.close_session()
if error is not None:
result['data']['status'] = 'failure'
result['errors'] = [
CTRBadRequestError(error).json,
]
return jsonify(result)
def respond_observables():
observables, error = get_observables()
if error:
return jsonify_errors(error)
observables = group_observables(observables, 'respond')
if not observables:
return jsonify_data([])
g.actions = []
credentials = get_jwt()
client = Client(credentials)
client.open_session()
for observable in observables:
query_params = {
'observable_type': observable['type'],
'observable_value': observable['value']
}
if observable['type'] == 'ms_machine_id':
_actions = get_supported_actions(client, observable['value'])
_actions = get_reverse_actions(client, observable['value'],
_actions)
actions = []
for item in _actions:
action = {}
action['id'] = \
f'microsoft-defender-{_TR_SUPPORTED_ACTIONS[item]}'
action['title'] = item
action['description'] = item
action['categories'] = [
'Microsoft Defender for Endpoint', 'Machine Actions'
]
action['query-params'] = query_params
actions.append(action)
else:
params = "$filter=indicatorValue+eq+'{value}'&$top=1".format(
value=observable['value']).encode('utf-8')
response, error = client.call_api(
current_app.config['INDICATOR_URL'], params=params)
if response and response.get('value'):
obj = response['value'][0]
human_action = 'Alert and Block' \
if obj['action'] == 'AlertAndBlock' else obj['action']
query_params['indicator_id'] = obj['id']
actions = [
{
'id':
'microsoft-defender-remove-indicator',
'title':
'Remove indicator: {action} - {title}'.format(
action=human_action, title=obj['title']),
'description':
f'Remove indicator with {human_action} '
f'action for {observable["value"]}',
'categories': [
'Microsoft Defender for Endpoint',
'Remove Indicator'
],
'query-params':
query_params
},
]
else:
actions = [{
'id':
'microsoft-defender-add-indicator-alert',
'title':
'Add indicator: Alert',
'description':
f'Add indicator with Alert action '
f'for {observable["value"]}',
'categories':
['Microsoft Defender for Endpoint', 'Add Indicator'],
'query-params':
query_params
}, {
'id':
'microsoft-defender-'
'add-indicator-alert-and-block',
'title':
'Add indicator: Alert and Block',
'description':
f'Add indicator with '
f'Alert and Block action'
f' for {observable["value"]}',
'categories':
['Microsoft Defender for Endpoint', 'Add Indicator'],
'query-params':
query_params
}, {
'id':
'microsoft-defender-add-indicator-allowed',
'title':
'Add indicator: Allow',
'description':
f'Add indicator with Allow action '
f'for {observable["value"]}',
'categories':
['Microsoft Defender for Endpoint', 'Add Indicator'],
'query-params':
query_params
}]
g.actions.extend(actions)
client.close_session()
return jsonify_data(g.actions)
def api(request):
client = Client(host=get_option(request, "host"))
return client
def test_fail_auth(self):
wrong_data = ('*****@*****.**', 'password42')
client = Client(wrong_data)
with pytest.raises(WrongAuthData):
client.login()
def test_auth(self):
client = Client()
assert client.login() == 200