def respond_observables():
relay_input = get_observables()
observables = filter_observables(relay_input)
api_client = ReferenceDataClient(get_credentials(), current_app.config)
params = {
'filter': 'element_type = "IP"',
'fields': 'number_of_elements, name'
}
result = api_client.get_reference_sets(params)
actions = []
securex_set_absent = True
for observable in observables:
for set_ in result:
if set_['name'] == current_app.config['SECUREX_SET_NAME']:
securex_set_absent = False
if set_['number_of_elements'] > 0:
data = api_client.get_reference_set_data(set_['name'])
if observable in str(data):
actions.append(remove_from(observable, set_['name']))
continue
else:
actions.append(add_to(observable, set_['name']))
if securex_set_absent:
actions.append(add_and_create(observable))
securex_set_absent = True
actions.sort(key=lambda item: item['title'])
return jsonify_data(actions)
def health():
credentials = get_credentials()
client = XForceClient(current_app.config['API_URL'], credentials,
current_app.config['USER_AGENT'])
_ = client.usage()
return jsonify_data({'status': 'ok'})
def observe_observables():
credentials = get_credentials()
observables = get_observables()
client = XForceClient(current_app.config['API_URL'], credentials,
current_app.config['USER_AGENT'])
ui_url = current_app.config['UI_URL']
number_of_days_verdict_valid = int(
current_app.config['NUMBER_OF_DAYS_VERDICT_IS_VALID'])
number_of_days_judgement_valid = int(
current_app.config['NUMBER_OF_DAYS_JUDGEMENT_IS_VALID'])
number_of_days_indicator_valid = int(
current_app.config['NUMBER_OF_DAYS_INDICATOR_IS_VALID'])
limit = current_app.config['CTR_ENTITIES_LIMIT']
g.bundle = Bundle()
try:
for observable in observables:
refer_link = client.refer_link(ui_url, observable)
mapping = Mapping.for_(observable, source_uri=refer_link)
if mapping:
if limit > 0:
report = client.report(observable)
if report:
report_bundle = mapping.process_report_data(
report, number_of_days_verdict_valid,
number_of_days_judgement_valid,
number_of_days_indicator_valid, limit)
limit -= len(report_bundle.get(SIGHTING))
g.bundle.merge(report_bundle)
if limit > 0 and isinstance(mapping, DNSInformationMapping):
resolutions_bundle = mapping.process_resolutions(
client.resolve(observable))
limit -= len(resolutions_bundle.get(SIGHTING))
g.bundle.merge(resolutions_bundle)
if limit > 0:
api_linkage = client.api_linkage(observable)
if api_linkage:
api_linkage_bundle = mapping.process_api_linkage(
api_linkage, ui_url,
number_of_days_indicator_valid, limit)
g.bundle.merge(api_linkage_bundle)
except KeyError:
add_error(XForceKeyError())
return jsonify_result()
def refer_observables():
relay_input = get_observables()
observables = filter_observables(relay_input)
if not observables:
return jsonify_data([])
_ = get_credentials()
relay_output = []
for observable in observables:
relay_output.append(get_search_pivots(observable))
return jsonify_data(relay_output)
def observe_observables():
def query_qradar(obs):
query_with_observables = arial_query.build(
observable=obs,
names=names,
time=get_time_intervals(),
limit=current_app.config['CTR_ENTITIES_LIMIT'])
if not query_with_observables:
return jsonify_data({})
search_id, status = api_client.create_search(query_with_observables)
start_time = time()
while status != 'COMPLETED':
if (time() - start_time <
current_app.config['SEARCH_TIMOUT_IN_SEC']):
status = api_client.get_search(search_id)['status']
else:
raise QRadarTimeoutError
return api_client.get_search_results(search_id)['events']
relay_input = get_observables()
observables = filter_observables(relay_input)
if not observables:
return jsonify_data({})
api_client = ArielSearchClient(get_credentials(), current_app.config)
arial_query = ArielQuery()
params = {
'fields': 'columns (name)',
'filter': 'object_value_type = "Host"'
}
names = api_client.get_metadata(params)
g.sightings = []
for observable in observables:
response = query_qradar(observable)
for event in response:
mapping = Mapping()
g.sightings.append(mapping.sighting(observable, event))
return jsonify_result()
def respond_trigger():
add_status('failure')
params = get_action_form_params()
client = ReferenceDataClient(get_credentials(), current_app.config)
action_map = {
ADD_ACTION_ID: client.add_to_reference_set,
REMOVE_ACTION_ID: client.remove_from_reference_set,
ADD_AND_CRETE_ACTION_ID: client.add_and_create_reference_set
}
action = action_map.get(params['action-id'])
if not action:
raise InvalidArgumentError('Unsupported action.')
action(params['reference_set_name'], params['observable_value'])
add_status('success')
return jsonify_result()
def deliberate_observables():
def deliberate(observable):
mapping = Mapping.for_(observable)
client_data = client.report(observable)
if client_data:
return mapping.extract_verdict(client_data,
number_of_days_verdict_valid)
credentials = get_credentials()
observables = get_observables()
observables = [
ob for ob in observables if ob['type'] in XFORCE_OBSERVABLE_TYPES
]
client = XForceClient(current_app.config['API_URL'], credentials,
current_app.config['USER_AGENT'])
number_of_days_verdict_valid = int(
current_app.config['NUMBER_OF_DAYS_VERDICT_IS_VALID'])
g.bundle = Bundle()
try:
with ThreadPoolExecutor(
max_workers=min(len(observables) or 1, (cpu_count() or 1) *
5)) as executor:
iterator = executor.map(deliberate, observables)
g.bundle = Bundle(
*[verdict for verdict in iterator if verdict is not None])
except KeyError:
add_error(XForceKeyError())
return jsonify_result()
def health():
creds = get_credentials()
_ = events(True, 1, creds)
return jsonify_data({'status': 'ok'})
def health():
api_client = ArielSearchClient(get_credentials(), current_app.config)
api_client.get_searches(range_start=0, range_end=5)
return jsonify_data({'status': 'ok'})