from needs import es, request, Resource, Namespace, timefunc, lastPath, catchurl filedown = Namespace(name='filedown', description="About filedown 이벤트") # 아직 회사내 컴퓨터에서 알람기능을 추가안함 곧 할예정 @filedown.route("/filestream") class alert(Resource): def post(self): daysago = request.json.get("date") result = [] body = { "size": 10000, "query": { "bool": { "must": [{ "match": { "data.win.system.eventID": 15 } }, { "regexp": { "data.win.eventdata.targetFilename": ".+Zone.Identifier" } }, { "regexp": { "data.win.eventdata.contents": ".+HostUrl.+" } }, { "range": { "@timestamp": {
from needs import es, request, Resource, Namespace, timefunc, lastPath wificonnection = Namespace( name="wificonnection", description= "네트워크 연결 호스트 이름과 함께 출력된 이벤트를 가져옵니다. channel이 NetworProfile 이벤트입니다") @wificonnection.route('/wifi') class userlist(Resource): def post(self): """wi-fi(사실 랜연결도 잡음)연결 감지이벤트불러오기""" daysago = request.json.get("date") body = { "query": { "bool": { "must": [{ "match": { "data.win.system.channel": "Microsoft-Windows-NetworkProfile/Operational" } }, { "range": { "@timestamp": { "gte": "now-" + str(daysago) + "d/d", "lt": "now" } } }] } } }
from needs import es, request, Resource, Namespace, timefunc, datetime from wazuhapi import userlist networkConnection = Namespace(name='networkConnection', description="About networkConnection 이벤트") @networkConnection.route("/process") class process(Resource): def post(self): """Network connection 정보 하루날짜-agent이름- image로 얻어옵니다.""" daysago = request.json.get("date") result = [] agents = [] cnt = 0 for a in userlist.get(self): agents.append(a["name"]) print(daysago) print(agents) for d in range(0, int(daysago)): for a in agents: body = { "size": 0, "query": { "bool": { "must": [{ "match": { "data.win.system.eventID": 3 } }, { "match": {
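from needs import es, request, Resource, Namespace, timefunc, lastPath

alert = Namespace(
    name="service",
    description="시스템 이벤트를 불러오는 라우팅 서비스가 설치될때 이벤트 7045 등 에 의해서 그 목록들을 불러옵니다")


@alert.route('/get')
class userlist(Resource):
    """Resource bound to ``/get`` under the ``service`` namespace."""

    def get(self):
        """Run a match_all search against ``.opendistro-alerting-config``.

        The original docstring described this endpoint as loading event 7045
        (service-installation) events, but the query below does not filter on
        any event ID and the index name looks like an alerting *configuration*
        index rather than an event index -- confirm which behaviour is
        intended before relying on the result.

        Returns:
            The dict returned by ``es.search`` (``hits``, ``took``, ...), up to
            10000 documents, handed back to the client unmodified. Nothing is
            filtered out of the response here; if the index holds anything the
            caller should not see, trim the hits before returning them.
        """
        body = {
            "size": 10000,
            "query": {
                "match_all": {}
            }
        }
        # Bug fix: the query was passed as the string literal "body" instead
        # of the dict above, so Elasticsearch never received the intended
        # search body.
        return es.search(index=".opendistro-alerting-config", body=body)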
from needs import es, request, Resource, Namespace, timefunc, lastPath, requests # 크롤링 때문에 임포트 ProcessCreate = Namespace(name="ProcessCreate", description="test") @ProcessCreate.route('/getEvent') class userlist(Resource): def post(self): """ProcessCreate이벤트 정보를 다 받아옵니다!""" daysago = request.json.get("date") result = [] body = { "size": 10000, "query": { "bool": { "must": [ { "match": { "data.win.system.eventID": 1 } }, { "range": { "@timestamp": { "gte": "now-"+str(daysago)+"d/d", "lt": "now" } } } ] }
from needs import es, request, Resource, Namespace, timefunc, lastPath, callWazuhApi, wazuhlogin

wazuh = Namespace(
    name="wazuh",
    description="get wazuh db!")


@wazuh.route('/agents')
class userlist(Resource):
    """Resource bound to ``/agents`` under the ``wazuh`` namespace."""

    def get(self):
        """Return the Wazuh agent list as ``[{"name", "ip", "status"}, ...]``.

        Authenticates against the Wazuh API first, then reads
        ``data.affected_items`` from ``/agents`` and drops the manager entry
        (id ``000``, the "Manage PC" of the original comment) and any agent
        whose status is ``never_connected``. Entries are returned in the
        order the API delivered them.
        """
        wazuhlogin()
        items = callWazuhApi("/agents")["data"]["affected_items"]
        return [
            {"name": item["name"], "ip": item["ip"], "status": item["status"]}
            for item in items
            if not (item["id"] == '000' or item["status"] == "never_connected")
        ]
# flask모듈을 import from needs import es, request, Resource, Namespace, timefunc, callWazuhApi, wazuhlogin, datetime import pandas as pd import numpy as np driverload = Namespace(name='driverload', description="About DriverLoad 이벤트") # 아직 회사내 컴퓨터에서 알람기능을 추가안함 곧 할예정 @driverload.route("/count") class count(Resource): def post(self): """agent-날짜 로 count해서 chart에 뿌릴 데이터를 로드합니다""" agents = [] daysago = request.json.get("date") # get agentlist from wazuh wazuhlogin() for r in callWazuhApi("/agents")["data"]["affected_items"]: agents.append(r["name"]) print(agents) result = [] # query result chartdata = [] for a in agents: body = { "size": 10000, "query": { "bool": { "must": [{ "match": { "data.win.system.eventID": 6
from needs import es, request, Resource, Namespace, timefunc, lastPath, getAgentData, wazuhlogin, callWazuhApi, pd, np AgentDash = Namespace( name="AgentDash", description="AGENT 대시보드에 관한 필요한 정보를 불러오는 주소입니다.(/agentdash)") @AgentDash.route('/scanPortData') class scanPortData(Resource): def post(self): """Agent의 이름을 받아서 사용중인 PortData를 가져옵니다!""" wazuhlogin() agentName = request.json.get("agent") result = [] agentid = "" for r in callWazuhApi("/agents")["data"]["affected_items"]: if r["name"] == agentName: agentid = r["id"] break apiResult = callWazuhApi("/syscollector/" + agentid + "/ports")["data"]["affected_items"] for r in apiResult: if "state" in r: result.append({ "InnerIP": r["local"]["ip"], "InnerPort": r["local"]["port"], "OutIP": r["remote"]["ip"], "OutPort": r["remote"]["port"], "status": r["state"], "protocol": r["protocol"], "process": r["process"]
from needs import es, request, Resource, Namespace createThread = Namespace(name='createThread', description="create Thread 이벤트") @createThread.route("/thread") class alert(Resource): def post(self): """SQL문으로 createThread 정보를 얻어옵니다.""" body = body = { "size": 10000, "query": { "bool": { "must": [ { "match": { "data.win.system.eventID": 15 } }, { "range": { "@timestamp": { "gte": "now-"+str(daysago)+"d/d", "lt": "now" } } } ] } }, "sort": [
from needs import es, request, Resource, Namespace, timefunc, lastPath, getAgentData, wazuhlogin, callWazuhApi, pd, np mainDash = Namespace(name="mainDash", description="메인 대시보드에 관한 필요한 정보를 불러오는 주소입니다.(/maindash)") @mainDash.route('/agentactive') class agentactive(Resource): def post(self): """모든 agent에 대해 agodate만큼의 Active에 대한내용을 전부 불러옴.""" agents = getAgentData() daysago = request.json.get("date") result = [] for agent in agents: body = { "size": 10000, "query": { "bool": { "must": [{ "match": { "name": agent } }, { "range": { "timestamp": { "gte": "now-" + str(daysago) + "d/d", "lt": "now" } } }] } },
from needs import es, request, Resource, Namespace, timefunc, lastPath, requests dnsquery = Namespace(name='dnsquery', description="About dnsquery 이벤트") @dnsquery.route("/dnsquery") class alert(Resource): def post(self): result = [] daysago = request.json.get("date") body = { "size": 10000, "query": { "bool": { "must": [{ "match": { "data.win.system.eventID": 22 } }, { "range": { "@timestamp": { "gte": "now-" + str(daysago) + "d/d", "lt": "now" } } }] } }, "sort": [{ "timestamp": "desc" }] }
from needs import es, request, Resource, Namespace, timefunc, datetime timeout = Namespace(name='timeout', description="About timeout 이벤트") @timeout.route("/") class alert(Resource): def post(self): """근무 시간 외에 사용하고있는가? 를 감지.""" # get wazuh agents! resultApi = [] agodays = request.json.get('data')["date"] for i in range(0, int(agodays)): # 일주일 로그를 수집하기위한 i endday = str(datetime.datetime.now() - datetime.timedelta(days=(i + 1)))[0:10] startday = str(datetime.datetime.now() - datetime.timedelta(days=(i)))[0:10] starttime = startday + " " + request.json.get('data')["start"] endtime = endday + " " + request.json.get('data')["end"] print(endtime, starttime) body = { "query": { "bool": { "must": [{ "match_phrase": { "status": "active" } }, { "range": { "timestamp": { "time_zone": "+09:00",