Esempio n. 1
0
def _run():
    """
    The script's body. Creates/Updates Splunk computer lookup table.
    """
    app_home = common.app_home()

    lookups_dir = os.path.join(app_home, "lookups")
    old_computer_lookup_table = os.path.join(lookups_dir,
                                             "computer_lookup.csv")
    tmp_computer_lookup_table = os.path.join(lookups_dir,
                                             "computer_lookup_tmp.csv")

    if not os.path.exists(lookups_dir):
        os.makedirs(lookups_dir)

    server, _ = common.setup()

    # write computer lookup table
    params = {'active': 'true', 'incBackupUsage': False, 'incHistory': False}
    computer_results = c42api.fetch_computers(server,
                                              params,
                                              insert_schema_version=True)
    splunk_lookup_table.write_lookup_table(old_computer_lookup_table,
                                           tmp_computer_lookup_table,
                                           computer_results, COMPUTER_UID_KEY,
                                           COMPUTER_KEYS_TO_IGNORE, TIME_KEY)
Esempio n. 2
0
def _run():
    """
    The script's body. Creates/Updates Splunk user lookup table.
    """
    app_home = common.app_home()

    lookups_dir = os.path.join(app_home, "lookups")
    old_user_lookup_table = os.path.join(lookups_dir, "user_lookup.csv")
    tmp_user_lookup_table = os.path.join(lookups_dir, "user_lookup_tmp.csv")

    if not os.path.exists(lookups_dir):
        os.makedirs(lookups_dir)

    server, _ = common.setup()

    # write user lookup table
    user_results = c42api.fetch_users(server)
    splunk_lookup_table.write_lookup_table(old_user_lookup_table, tmp_user_lookup_table, user_results,
                                           USER_UID_KEY, USER_KEYS_TO_IGNORE, TIME_KEY)
def _run():
    """
    Run through Splunk. This is how the Splunk app gathers security detection events from the Code42 server(s).
    For each user, we gather all events for 
    """
    server, config_dict = common.setup()
    events_dir = os.path.join(common.app_home(), 'events')
    # The file at 'minTs_file_path' holds the 'min timestamp' to be used for a particular device the next time
    # the script runs. This is updated IFF all pages are gathered for a particular device during a single run of the script.
    minTs_file_path = os.path.join(events_dir, 'security-lastRun')
    # The file at 'cursor path' is used to hold the 'latest cursor' for a particular plan on a page by page basis.
    # i.e. every time we finish retrieving a plan, we save the new 'latest cursor' to ensure that we can restart
    # from the correct page in the case the connection to the C42 server goes down before we retrieve all pages.
    cursor_path = os.path.join(events_dir, 'security-interrupted-lastCursor')
    if not os.path.exists(events_dir):
        os.makedirs(events_dir)

    devices = config_dict['devices']
    device_guids = c42api.devices(server, devices)

    timestamp_dict = _try_read_timestamp(minTs_file_path)
    event_filters = []
    for device_guid in device_guids:
        try:
            minTs = timestamp_dict[device_guid]
            event_filter = c42api.create_filter_by_iso_minTs_and_now(minTs)
            event_filters.append(event_filter)
        except (KeyError, TypeError):
            event_filter = c42api.create_filter_by_utc_datetime(
                datetime.utcfromtimestamp(0), datetime.utcnow())
            event_filters.append(event_filter)

    guids_and_filters = zip(device_guids, event_filters)

    timestamp_dict = timestamp_dict if timestamp_dict else {}
    for guid, new_minTs in c42api.fetch_detection_events(
            server, guids_and_filters, cursor_path):
        if not new_minTs:
            continue
        timestamp_dict[guid] = new_minTs

    _write_min_timestamps(minTs_file_path, timestamp_dict)
Esempio n. 4
0
def _run():
    """
    The script's body. Creates/Updates Splunk computer lookup table.
    """
    app_home = common.app_home()

    lookups_dir = os.path.join(app_home, "lookups")
    old_computer_lookup_table = os.path.join(lookups_dir, "computer_lookup.csv")
    tmp_computer_lookup_table = os.path.join(lookups_dir, "computer_lookup_tmp.csv")

    if not os.path.exists(lookups_dir):
        os.makedirs(lookups_dir)

    server, _ = common.setup()

    # write computer lookup table
    params = {'active': 'true',
              'incBackupUsage': False,
              'incHistory': False}
    computer_results = c42api.fetch_computers(server, params, insert_schema_version=True)
    splunk_lookup_table.write_lookup_table(old_computer_lookup_table, tmp_computer_lookup_table, computer_results,
                                           COMPUTER_UID_KEY, COMPUTER_KEYS_TO_IGNORE, TIME_KEY)
def _run():
    """
    Run through Splunk
    """
    server, config_dict = common.setup()
    events_dir = os.path.join(common.app_home(), 'events')
    cursor_path = os.path.join(events_dir, 'security-lastRun')
    if not os.path.exists(events_dir):
        os.makedirs(events_dir)

    devices = config_dict['devices']

    device_guids = c42api.devices(server, devices)

    cursors_dict = _try_read_cursor(cursor_path)
    event_filters = []
    for device_guid in device_guids:
        try:
            cursor = cursors_dict[device_guid]
            event_filter = c42api.create_filter_by_cursor(cursor)
            event_filters.append(event_filter)
        except (KeyError, TypeError):
            event_filter = c42api.create_filter_by_utc_datetime(datetime.utcfromtimestamp(0), datetime.utcnow())
            event_filters.append(event_filter)

    guids_and_filters = zip(device_guids, event_filters)

    cursors_dict = cursors_dict if cursors_dict else {}
    for guid, cursor, detection_events in c42api.fetch_detection_events(server, guids_and_filters):
        if not cursor or not detection_events:
            continue
        cursors_dict[guid] = cursor

        c42api.write_json_splunk(sys.stdout, detection_events)

    _write_cursor(cursor_path, cursors_dict)