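def pull_okta_logs(minutes_before, *, timeout=30):
    """Fetch one five-minute window of Okta System Log events.

    The window runs from 20 minutes to 15 minutes before ``current_time``.
    When ``minutes_before`` is positive the whole window is shifted that
    many minutes further into the past (presumably used for back-filling
    missed runs — confirm with callers). Timestamps are naive UTC rendered
    with ``isoformat()`` and no ``Z`` suffix, exactly as the query was
    built before; NOTE(review): confirm Okta treats the un-suffixed value
    as UTC.

    Args:
        minutes_before: Extra minutes to shift the window back; values
            <= 0 leave the window anchored at "now".
        timeout: requests timeout in seconds (connect and read), so a
            stalled Okta endpoint cannot hang the collector indefinitely.

    Returns:
        The decoded JSON body on HTTP 200, otherwise ``None``. A non-200
        status, a network failure or a non-JSON body is logged and raises
        an SNS alert via ``sns.generate_sns("okta")`` instead of propagating.
    """
    logger.info('retrieving secrets for Okta')
    # 'sns_api_error_arn' is fetched here but not used in this function;
    # presumably the sns module reads it elsewhere — left as-is.
    secrets = secret.get_secret('ngsiem-aca-logstash-api', ['okta_auth', 'sns_api_error_arn', 'okta_url'])
    # Naive UTC wall clock: identical to the deprecated datetime.utcnow().
    current_time = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    if minutes_before > 0:
        current_time -= datetime.timedelta(minutes=minutes_before)
    window_end = (current_time - datetime.timedelta(minutes=15)).isoformat()
    window_start = (current_time - datetime.timedelta(minutes=20)).isoformat()
    # Hand the timestamps to requests as params so they are percent-encoded;
    # splicing them into the URL would leave a raw '+' in the query should the
    # timestamps ever become tz-aware.
    url = f"{secrets['okta_url']}/api/v1/logs"
    params = {'since': window_start, 'until': window_end}
    # NOTE(review): the Okta System Log API pages results via the Link
    # header; only the first page is returned here — confirm one page is
    # enough for a five-minute window.
    headers = {
        'Accept': 'application/json',
        'Content-Type': 'application/json',
        'Authorization': f'SSWS {secrets["okta_auth"]}',
    }
    try:
        r = requests.get(url, headers=headers, params=params, timeout=timeout)
        if r.status_code == 200:
            return r.json()
        logger.error(f"The API query for Okta is not returning a 200: {r.status_code}")
        sns.generate_sns("okta")
        return None
    except Exception as e:
        # Best-effort collector: alert and return None rather than crash the run.
        logger.error(f"Error occurred when querying for Okta logs: {e}")
        sns.generate_sns("okta")
        return None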
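def pull_pp_trap_logs(minutes_before, cluster, *, timeout=30, verify=False):
    """Fetch Proofpoint TRAP incidents created in a five-minute window.

    The window runs from 20 minutes to 15 minutes before ``current_time``;
    a positive ``minutes_before`` shifts the whole window further back.
    Timestamps are naive UTC, formatted as ``YYYY-MM-DDTHH:MM:SS.ffZ`` —
    two fractional-second digits, because ``[:-4]`` trims the six-digit
    ``%f`` field — which is the format the original query used.

    Args:
        minutes_before: Extra minutes to shift the window back; <= 0 means
            the window is anchored at "now".
        cluster: Base URL of the TRAP cluster; ``/api/incidents`` is
            appended to it.
        timeout: requests timeout in seconds (connect and read).
        verify: TLS certificate verification passed to requests. It
            defaults to ``False`` only to keep the existing behaviour:
            with verification off the API key is sent to whatever answers
            at ``cluster``, so pass the cluster's CA bundle path (e.g.
            ``verify="<path-to-ca-bundle.pem>"``, placeholder) as soon as
            one is available.

    Returns:
        The decoded JSON body on a 2xx response, otherwise ``None``. Any
        failure (network error, non-2xx status, non-JSON body) is logged
        and raises an SNS alert via ``sns.generate_sns("proofpoint_trap")``.
    """
    logger.info('retrieving secrets for pp_trap')
    # Naive UTC wall clock: identical to the deprecated datetime.utcnow().
    current_time = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    if minutes_before > 0:
        current_time -= datetime.timedelta(minutes=minutes_before)

    def _trap_timestamp(dt):
        # Keep two fractional digits and a literal 'Z', as the API query always sent.
        return dt.strftime('%Y-%m-%dT%H:%M:%S.%f')[:-4] + "Z"

    qs = {
        "created_after": _trap_timestamp(current_time - datetime.timedelta(minutes=20)),
        "created_before": _trap_timestamp(current_time - datetime.timedelta(minutes=15)),
        "expand_events": "false",
    }
    try:
        r = requests.get(
            f'{cluster}/api/incidents',
            params=qs,
            headers={'Authorization': prod.pp_trap_api_key},
            verify=verify,
            timeout=timeout,
        )
        # Log the status only; the incident payload itself is not written to
        # stdout, so incident details do not end up in the runtime log stream.
        logger.info(f"TRAP API returned status {r.status_code}")
        # A non-2xx body would otherwise be returned as if it were incidents.
        r.raise_for_status()
        return r.json()
    except Exception as e:
        sns.generate_sns("proofpoint_trap")
        logger.error(f"Error for TRAP API call: {str(e)}")
        return None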
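def pull_pp_siem_logs(*, since_seconds=300, timeout=30):
    """Fetch Proofpoint TAP SIEM events from the ``/v2/siem/all`` endpoint.

    Authenticates with HTTP basic auth using the TAP user/password pulled
    from the ``ngsiem-aca-logstash-api`` secret.

    Args:
        since_seconds: Look-back window passed as the ``sinceSeconds``
            query parameter; the original query hard-coded 300.
        timeout: requests timeout in seconds (connect and read), so a
            stalled endpoint cannot hang the collector.

    Returns:
        The decoded JSON body on a 2xx response, otherwise ``None``. Any
        failure (network error, non-2xx status, non-JSON body) is logged
        and raises an SNS alert via ``sns.generate_sns("proofpoint_siem")``.
    """
    url = 'https://tap-api-v2.proofpoint.com/v2/siem/all'
    headers = {
        'content-type': 'application/json',
        'Accept': 'application/json',
    }
    qs = {"sinceSeconds": since_seconds, "format": "JSON"}
    logger.info('retrieving secrets for pp_siem')
    # 'sns_api_error_arn' is fetched but not used here; presumably the sns
    # module reads it elsewhere — left as-is.
    secrets = secret.get_secret('ngsiem-aca-logstash-api', [
        'proofpoint_tap_user', 'proofpoint_tap_password', 'sns_api_error_arn'
    ])
    try:
        r = requests.get(
            url,
            auth=(secrets['proofpoint_tap_user'], secrets['proofpoint_tap_password']),
            headers=headers,
            params=qs,
            timeout=timeout,
        )
        # Log the status only; the raw response body is no longer printed, so
        # event payloads do not land in the runtime log stream.
        logger.info(f"SIEM API returned status {r.status_code}")
        # A non-2xx body would otherwise be returned as if it were events.
        r.raise_for_status()
        return r.json()
    except Exception as e:
        sns.generate_sns("proofpoint_siem")
        logger.error(f"Error for SIEM API call: {str(e)}")
        return None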