def lambda_handler(event, lambda_context): return socless_bootstrap( event, lambda_context, handle_state, include_event=True, )
def lambda_handler(event, context): # Disclaimer: having the handle_state in the lambda_handler is a quick & dirty solution to the problem of exposing the lambda 'context' object to the handle_state function # so that the `create_events` function can use it. There should probably be a better way to do so. def handle_state( event_context, event_type: str, details: List[dict], playbook="", dedup_keys: list = [], data_types: dict = {}, add_to_details: dict = {}, ): """ Creates a new event in Socless using the socless_create_events api from the socless_python library Args: event_type (str): Human Readable Event name e.g 'Investigate Login' details (list): List of dictionaries containing the event details playbook (str): The name of the playbook to execute dedup_keys (list): The keys to use to deduplicate the event data_types (dict): A mapping of what datatypes are contained in the event details add_to_details (dict): A dictionary containing additional keys to add to each details dict Returns: A dict containing a boolean status code and, if successful, the investigation id assigned to the created event. """ execution_id = event_context.get("execution_id", "n/a") for each in details: each.update(add_to_details) events = { "event_type": event_type, "details": details, "data_types": data_types, "playbook": playbook, "dedup_keys": dedup_keys, "event_meta": { "data source": f"Execution: {execution_id}", "description": "Event created from within a Playbook", }, } create_events(events, context) return {"completed": True} return socless_bootstrap(event, context, handle_state, include_event=True)
def lambda_handler(event, context): return socless_bootstrap(event, context, handle_state)
def lambda_handler(event, context): # warm start if event.get('_keepwarm') is True: return {} return socless_bootstrap(event, context, handle_state, include_event=True)
def lambda_handler(event, ctx): # Nest handle_state inside lambda_handler to access raw ctx object def handle_state( context: dict, investigation_escalated: bool, findings: str, metadata: dict = {}, ): """ Create a log file and upload it to SOCless logging bucket. Args: investigation_escalated (bool) : Did the investigation require handoff to a human in order to complete? findings (str): The investigation's findings or outcome state. metadata (obj) Any additional info for logging. Any variable type that's JSON serializable Env: SOCLESS_Logs (str): The name of the bucket where you want to upload logs to Returns: A dict containing the file_id (S3 Object path) and vault_id (Socless logging bucket reference) of the saved content """ bucket_name = os.environ.get("SOCLESS_Logs") log_type = "findings" log_source = ctx.invoked_function_arn aws_region = log_source.split(":")[3] aws_account = log_source.split(":")[4] event_type = context["artifacts"]["event"]["event_type"] playbook_name = context["artifacts"]["event"]["playbook"] execution_id = context["execution_id"] execution_arn = "arn:aws:states:{}:{}:execution:{}:{}".format( aws_region, aws_account, playbook_name, execution_id) investigation_id = context["artifacts"]["event"]["investigation_id"] event_payload = context["artifacts"]["event"]["details"] utc_time = datetime.utcnow() utc_time_iso = utc_time.isoformat() + "Z" year = utc_time.year month = utc_time.month day = utc_time.day uuid = gen_id() file_id = "{}/{}/{}/{}/{}/{}.json".format(log_type, year, month, day, playbook_name, uuid) log = { "log_type": log_type, "log_source": log_source, "timestamp": utc_time_iso, "execution_arn": execution_arn, "investigation_id": investigation_id, "event_type": event_type, "event_payload": event_payload, "investigation_escalated": investigation_escalated, "metadata": metadata, } try: findings = socless_template_string(urllib.parse.unquote(findings), context) except Exception as e: print( f"unable to parse socless_template_string. Error: {e}. Findings: {findings}" ) raise log["findings"] = findings return save_to_s3(file_id, log, bucket_name, False) return socless_bootstrap(event, ctx, handle_state, include_event=True)