Esempio n. 1
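    def _queryThread(self, results, envName, env, iocType, iocName, info,
                     isCaseInsensitive, isWithWildcards, limit, isPerIoc):
        """Query one environment for IOC information and queue any hits.

        Worker body: builds a ``Manager`` from ``env['oid']`` /
        ``env['api_key']``, skips the environment when Insight is not
        enabled, otherwise calls ``getObjectInformation`` and puts a
        ``{'env', 'oid', 'result'}`` dict on ``results`` when the call
        returned something. Never raises: any failure is printed through
        ``self._safePrint`` so sibling worker threads keep running.

        Args:
            results: object with a ``put`` method collecting hits.
            envName: display name of the environment.
            env: mapping with at least ``oid`` and ``api_key``.
            iocType, iocName, info: forwarded to ``getObjectInformation``.
            isCaseInsensitive: inverted into ``isCaseSensitive``.
            isWithWildcards, limit: forwarded unchanged.
            isPerIoc: forwarded as ``isPerObject``.
        """
        try:
            lc = Manager(env['oid'], env['api_key'])

            # Catch Exception, not everything: a bare except would also
            # swallow KeyboardInterrupt/SystemExit and keep the worker alive.
            try:
                isInsightEnabled = lc.isInsightEnabled()
            except Exception:
                isInsightEnabled = False
            if not isInsightEnabled:
                self._safePrint("Skipping %s (%s) as Insight is not enabled." %
                                (
                                    envName,
                                    env['oid'],
                                ))
                return

            result = lc.getObjectInformation(
                iocType,
                iocName,
                info,
                isCaseSensitive=not isCaseInsensitive,
                isWithWildcards=isWithWildcards,
                limit=limit,
                isPerObject=isPerIoc)

            # None and empty results are not queued so the consumer only
            # sees environments that actually produced hits.
            if result:
                results.put({
                    'env': envName,
                    'oid': env['oid'],
                    'result': result
                })
        except Exception:
            # The traceback is the only diagnostic a thread can leave behind;
            # report it rather than letting the thread die silently.
            self._safePrint(traceback.format_exc())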
Esempio n. 2
def do_list(args):
    """Print every public rule in ``args.namespace`` with bulky fields stripped.

    The ``detect``, ``respond``, ``name`` and ``oid`` keys are removed from
    each rule in place to keep the listing short; rules whose name starts
    with ``_`` are treated as internal and left out of the output.
    """
    allRules = Manager(None, None).rules(args.namespace)
    hiddenKeys = ('detect', 'respond', 'name', 'oid')
    for ruleBody in allRules.values():
        for key in hiddenKeys:
            ruleBody.pop(key, None)
    visibleRules = {}
    for ruleName, ruleBody in allRules.items():
        if ruleName.startswith('_'):
            continue
        visibleRules[ruleName] = ruleBody
    printData(visibleRules)
Esempio n. 3
def do_get(args):
    """Print the single rule named ``args.ruleName`` from ``args.namespace``.

    ``reportError`` is invoked when no name was given or the rule does not
    exist; it is expected to end the command (should it only print,
    ``printData`` receives ``None``).
    """
    ruleName = args.ruleName
    if ruleName is None:
        reportError('No rule name specified.')
    allRules = Manager(None, None).rules(args.namespace)
    found = allRules.get(ruleName, None)
    if found is None:
        reportError('Rule not found.')
    printData(found)
Esempio n. 4
def main_getOriginal(sourceArgs=None):
    """CLI entry point: download the original artifact for a payload id.

    Parses ``payloadid`` and ``destination`` from ``sourceArgs`` (``sys.argv``
    when None), hands them to ``Logs.getOriginal`` with the destination as
    ``filePath`` and prints the JSON-encoded response.
    """
    import argparse

    argParser = argparse.ArgumentParser(prog='limacharlie artifacts get_original')
    argParser.add_argument('payloadid', type=str,
                           help='unique identifier of the artifact uploaded.')
    argParser.add_argument('destination', type=str,
                           help='file path where to download the artifact.')
    parsed = argParser.parse_args(sourceArgs)

    artifactLogs = Logs(Manager())
    downloaded = artifactLogs.getOriginal(parsed.payloadid,
                                          filePath=parsed.destination)
    print(json.dumps(downloaded))
Esempio n. 5
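def do_add(args):
    """Create (or replace) a detection & response rule from a YAML file.

    Reads ``args.ruleFile`` with ``yaml.safe_load`` (the file is operator
    supplied, so the full ``yaml.load`` must never be used here), requires a
    top-level mapping with ``detect`` and ``respond`` entries, and registers
    the rule as ``args.ruleName`` in ``args.namespace``; ``args.isReplace``
    is passed through to ``add_rule``. Every validation failure is routed
    through ``reportError``.
    """
    rulePath = args.ruleFile
    if rulePath is None:
        reportError('No rule file specified.')
    try:
        with open(rulePath, 'rb') as f:
            ruleDef = yaml.safe_load(f.read())
    except Exception as e:
        reportError('Error reading rule file yaml: %s' % e)
    # safe_load returns a scalar, list or None for a malformed file; reject
    # those here instead of failing with AttributeError on .get() below.
    if not isinstance(ruleDef, dict):
        reportError('Rule file must be a YAML mapping with detect and respond.')
    detect = ruleDef.get('detect', None)
    if detect is None:
        reportError('No detect component in rule file.')
    response = ruleDef.get('respond', None)
    if response is None:
        reportError('No respond component in rule file.')
    Manager(None, None).add_rule(args.ruleName,
                                 detect,
                                 response,
                                 args.isReplace,
                                 namespace=args.namespace)
    printData('Added')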
Esempio n. 6
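def main(sourceArgs=None):
    """CLI entry point: upload a log file to LimaCharlie.

    Builds the ``limacharlie.io logs`` argument parser, parses ``sourceArgs``
    (``sys.argv`` when None, which keeps ``main()`` with no arguments working
    as before and matches the other ``main_*`` entry points), creates a
    ``Logs`` client for the optional ``--oid`` / ``--access-token`` pair,
    uploads with multipart disabled and prints the JSON response.
    ``--original-path`` defaults to the log file path itself.

    Args:
        sourceArgs: argument list to parse instead of ``sys.argv``.
    """
    import argparse

    parser = argparse.ArgumentParser(prog='limacharlie.io logs')

    parser.add_argument('log_file',
                        type=str,
                        help='path to the log file to upload.')

    parser.add_argument(
        '--source',
        type=str,
        required=False,
        dest='source',
        default=None,
        help='name of the log source to associate with upload.')

    parser.add_argument(
        '--original-path',
        type=str,
        required=False,
        dest='originalPath',
        default=None,
        help='override the original path recorded for the log.')

    parser.add_argument('--hint',
                        type=str,
                        required=False,
                        dest='hint',
                        default='auto',
                        help='log type hint of the upload.')

    parser.add_argument(
        '--payload-id',
        type=str,
        required=False,
        dest='payloadId',
        default=None,
        help=
        'unique identifier of the log uploaded, can be used to de-duplicate logs.'
    )

    # Both identifiers are validated as UUIDs at parse time so a malformed
    # value is rejected before any request is made.
    parser.add_argument('--access-token',
                        type=uuid.UUID,
                        required=False,
                        dest='accessToken',
                        default=None,
                        help='access token to upload.')

    parser.add_argument('--oid',
                        type=lambda o: str(uuid.UUID(o)),
                        required=False,
                        dest='oid',
                        default=None,
                        help='organization id to upload for.')

    args = parser.parse_args(sourceArgs)

    logs = Logs(Manager(args.oid, None), args.accessToken)

    # The recorded path falls back to the local file path when not overridden.
    originalPath = args.originalPath
    if args.originalPath is None:
        originalPath = args.log_file

    response = logs.upload(args.log_file,
                           source=args.source,
                           hint=args.hint,
                           payloadId=args.payloadId,
                           allowMultipart=False,
                           originalPath=originalPath)

    print(json.dumps(response))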
Esempio n. 7
def main_upload(sourceArgs=None):
    """CLI entry point: upload an artifact file to LimaCharlie.

    Builds the ``limacharlie artifacts upload`` argument parser, parses
    ``sourceArgs`` (``sys.argv`` when None), creates a ``Logs`` client for
    the optional ``--oid`` / ``--access-token`` pair (the ``Manager`` is
    constructed with an empty ``jwt``; presumably so it does not derive one
    from an API key — confirm against ``Manager``), uploads with multipart
    disabled and prints the JSON response. ``--original-path`` defaults to
    the artifact path itself.

    Args:
        sourceArgs: argument list to parse instead of ``sys.argv``.
    """
    import argparse

    argParser = argparse.ArgumentParser(prog='limacharlie artifacts upload')
    argParser.add_argument('artifact_file', type=str,
                           help='path to the artifacts file to upload.')

    # (flag, dest, type, default, help) for each optional switch, in the
    # order they should appear in --help.
    optionalSwitches = (
        ('--source', 'source', str, None,
         'name of the source to associate with upload.'),
        ('--original-path', 'originalPath', str, None,
         'override the original path recorded for the artifacts.'),
        ('--hint', 'hint', str, 'auto',
         'artifacts type hint of the upload.'),
        ('--payload-id', 'payloadId', str, None,
         'unique identifier of the artifacts uploaded, can be used to de-duplicate artifacts.'),
        ('--access-token', 'accessToken', uuid.UUID, None,
         'access token to upload.'),
        ('--oid', 'oid', lambda o: str(uuid.UUID(o)), None,
         'organization id to upload for.'),
        ('--days-retention', 'retention', int, None,
         'number of days of retention for the data.'),
    )
    for flag, dest, argType, default, helpText in optionalSwitches:
        argParser.add_argument(flag,
                               type=argType,
                               required=False,
                               dest=dest,
                               default=default,
                               help=helpText)

    parsed = argParser.parse_args(sourceArgs)

    client = Logs(Manager(parsed.oid, None, jwt=""), parsed.accessToken)

    # Recorded path falls back to the local artifact path when not overridden.
    if parsed.originalPath is None:
        recordedPath = parsed.artifact_file
    else:
        recordedPath = parsed.originalPath

    uploadResponse = client.upload(parsed.artifact_file,
                                   source=parsed.source,
                                   hint=parsed.hint,
                                   payloadId=parsed.payloadId,
                                   allowMultipart=False,
                                   originalPath=recordedPath,
                                   nDaysRetention=parsed.retention)

    print(json.dumps(uploadResponse))
Esempio n. 8
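def do_remove(args):
    """Delete the rule named ``args.ruleName`` from ``args.namespace``.

    Mirrors ``do_get``: a missing rule name is reported through
    ``reportError`` instead of being sent to the API as ``None``.
    """
    if args.ruleName is None:
        reportError('No rule name specified.')
    Manager(None, None).del_rule(args.ruleName, namespace=args.namespace)
    printData('Removed')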