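def query_loggings(query_data):
    '''
    This function handles all the querying of Cortex Logging service.

    :param query_data: JSON body for the Logging Service ``query`` call
        (query string, startTime, endTime, ...).
    :return: the ``poll`` response holding the complete query result.
    :raises Exception: the ``query`` call was rejected (non-2xx status) or
        its response carried no ``queryId``.
    '''
    api_url = demisto.getIntegrationContext().get('api_url', 'https://api.us.paloaltonetworks.com')
    # No explicit TLS verification flag is passed here, so the library default applies.
    credentials = Credentials(access_token=get_access_token())
    logging_service = LoggingService(url=api_url, credentials=credentials)

    response = logging_service.query(query_data)
    if not response.ok:
        # Surface the HTTP failure itself (401/403/400 ...) instead of letting the
        # missing 'queryId' below turn it into a generic message.
        raise Exception('Received HTTP %s when querying logs: %s. Please check if your authentication token is valid'
                        % (response.status_code, response.text))

    query_result = response.json()
    try:
        query_id = query_result['queryId']  # access 'queryId' from 'query' response
    except (KeyError, TypeError) as e:
        raise Exception('Received error %s when querying logs. Please check if your authentication token is valid' % e)

    poll_params = {  # Prepare 'poll' params
        "maxWaitTime": 3000  # waiting for response up to 3000ms
    }
    try:
        # we poll the logging service until we have a complete response
        full_response = logging_service.poll(query_id, 0, poll_params)
    finally:
        # always release the server-side query, even when polling fails
        logging_service.delete(query_id)
    return full_response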
def initial_logging_service():
    """Build a LoggingService client from the integration context.

    The API base URL is read from the integration context key ``api_url``
    (falling back to the US endpoint); the access token comes from
    ``get_access_token()`` and TLS verification follows the module flag
    ``USE_SSL``.
    """
    context = demisto.getIntegrationContext()
    base_url = context.get('api_url', 'https://api.us.paloaltonetworks.com')
    creds = Credentials(access_token=get_access_token(), verify=USE_SSL)
    return LoggingService(url=base_url, credentials=creds)
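def query_loggings(query_data):
    """
    Run a query against the Cortex Logging service and return the full result.

    :param query_data: JSON body for the Logging Service ``query`` call
        (query string, startTime, endTime, ...).
    :return: the ``poll`` response holding the complete query result.
    :raises Exception: the ``query`` call returned a non-2xx status, or its
        body carried no ``queryId``.
    """
    api_url = demisto.getIntegrationContext().get(
        'api_url', 'https://api.us.paloaltonetworks.com')
    # TLS certificate verification follows the module-level USE_SSL flag.
    credentials = Credentials(access_token=get_access_token(), verify=USE_SSL)
    logging_service = LoggingService(url=api_url, credentials=credentials)
    response = logging_service.query(query_data)
    if not response.ok:
        # Decode the error body defensively: a gateway/proxy error page is not
        # JSON, and a decode error here would hide the real HTTP failure.
        try:
            error_body = response.json()
        except ValueError:
            error_body = {}
        if not isinstance(error_body, dict):
            error_body = {}
        status_code = error_body.get('statusCode', response.status_code)
        error = error_body.get('error', '')
        payload = error_body.get('payload')
        message = payload.get('message', '') if isinstance(payload, dict) else ''
        raise Exception(
            f"Error in query to Cortex [{status_code}] - {error}: {message}")
    query_result = response.json()
    try:
        query_id = query_result[
            'queryId']  # access 'queryId' from 'query' response
    except (KeyError, TypeError) as e:
        raise Exception('Received error %s when querying logs.' % e) from e
    poll_params = {  # Prepare 'poll' params
        "maxWaitTime": 3000  # waiting for response up to 3000ms
    }
    try:
        # we poll the logging service until we have a complete response
        full_response = logging_service.poll(query_id, 0, poll_params)
    finally:
        # always release the server-side query, even when polling fails
        logging_service.delete(query_id)
    return full_response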
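def query_loggings(query_data):
    '''
    This function handles all the querying of Cortex Logging service.

    :param query_data: JSON body for the Logging Service ``query`` call
        (query string, startTime, endTime, ...).
    :return: the ``poll`` response holding the complete query result.
    :raises Exception: the ``query`` call was rejected (non-2xx status) or
        its response carried no ``queryId``.
    '''
    api_url = demisto.getIntegrationContext().get(
        'api_url', 'https://api.us.paloaltonetworks.com')
    # No explicit TLS verification flag is passed here, so the library default applies.
    credentials = Credentials(access_token=get_access_token())
    logging_service = LoggingService(url=api_url, credentials=credentials)

    response = logging_service.query(query_data)
    if not response.ok:
        # Surface the HTTP failure itself (401/403/400 ...) instead of letting the
        # missing 'queryId' below turn it into a generic message.
        raise Exception(
            'Received HTTP %s when querying logs: %s. Please check if your authentication token is valid'
            % (response.status_code, response.text))

    query_result = response.json()
    try:
        query_id = query_result[
            'queryId']  # access 'queryId' from 'query' response
    except (KeyError, TypeError) as e:
        raise Exception(
            'Received error %s when querying logs. Please check if your authentication token is valid' % e)

    poll_params = {  # Prepare 'poll' params
        "maxWaitTime": 3000  # waiting for response up to 3000ms
    }
    try:
        # we poll the logging service until we have a complete response
        full_response = logging_service.poll(query_id, 0, poll_params)
    finally:
        # always release the server-side query, even when polling fails
        logging_service.delete(query_id)
    return full_response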
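def query_loggings(query_data):
    """
    Run a query against the Cortex Logging service and return the full result.

    :param query_data: JSON body for the Logging Service ``query`` call
        (query string, startTime, endTime, ...).
    :return: the ``poll`` response holding the complete query result.
    :raises Exception: the ``query`` call returned a non-2xx status, or its
        body carried no ``queryId``.
    """
    api_url = demisto.getIntegrationContext().get('api_url', 'https://api.us.paloaltonetworks.com')
    # TLS certificate verification follows the module-level USE_SSL flag.
    credentials = Credentials(
        access_token=get_access_token(),
        verify=USE_SSL
    )
    logging_service = LoggingService(
        url=api_url,
        credentials=credentials
    )
    response = logging_service.query(query_data)
    if not response.ok:
        # Decode the error body defensively: a gateway/proxy error page is not
        # JSON, and a decode error here would hide the real HTTP failure.
        try:
            error_body = response.json()
        except ValueError:
            error_body = {}
        if not isinstance(error_body, dict):
            error_body = {}
        status_code = error_body.get('statusCode', response.status_code)
        error = error_body.get('error', '')
        payload = error_body.get('payload')
        message = payload.get('message', '') if isinstance(payload, dict) else ''
        raise Exception(f"Error in query to Cortex [{status_code}] - {error}: {message}")
    query_result = response.json()
    try:
        query_id = query_result['queryId']  # access 'queryId' from 'query' response
    except (KeyError, TypeError) as e:
        raise Exception('Received error %s when querying logs.' % e) from e
    poll_params = {  # Prepare 'poll' params
        "maxWaitTime": 3000  # waiting for response up to 3000ms
    }
    try:
        # we poll the logging service until we have a complete response
        full_response = logging_service.poll(query_id, 0, poll_params)
    finally:
        # always release the server-side query, even when polling fails
        logging_service.delete(query_id)
    return full_response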
#!/usr/bin/env python
from pancloud import LoggingService, Credentials
from math import floor
from time import time
from json import dumps, loads

# Ask the Logging Service for the last five WildFire virus verdicts seen in the
# threat log, over the whole retention window (epoch 0 .. now).
# Credentials() is built with no arguments, so the token is resolved by
# pancloud's own defaults rather than by anything in this script.
API_URL = "https://api.us.paloaltonetworks.com"
WILDFIRE_QUERY = ("select dst, app, misc, name-of-threatid from panw.threat "
                  "where subtype='wildfire-virus' limit 5")

service = LoggingService(url=API_URL, credentials=Credentials())
request_body = {
    "query": WILDFIRE_QUERY,
    "startTime": 0,            # 1970
    "endTime": floor(time()),  # now
    "maxWaitTime": 30000,
}
reply = service.query(request_body)

# Pretty-print the raw JSON reply with sorted keys.
print(dumps(loads(reply.text), indent=4, sort_keys=True))
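curpath = os.path.dirname(os.path.abspath(__file__))
sys.path[:0] = [os.path.join(curpath, os.pardir)]

from pancloud import LoggingService

# apigw-stg4 is a non-production gateway host (presumably staging); point this
# at the production API URL for real data.
url = 'https://apigw-stg4.us.paloaltonetworks.com'

# `export ACCESS_TOKEN=<access token>`
# The token is a bearer credential: never echo it to stdout. The previous
# version printed it, which leaks it into terminal history and CI logs.
access_token = os.environ.get('ACCESS_TOKEN')
if not access_token:
    sys.exit("ACCESS_TOKEN environment variable is not set")

# Create Logging Service instance; every request carries the bearer token
ls = LoggingService(url=url, headers={
    'Authorization': 'Bearer {}'.format(access_token),
    "Content-Type": "application/json",
    "Accept": "application/json"
})

data = {  # Prepare 'query' data
    "query": "select * from panw.traffic limit 1",
    "startTime": 0,  # 1970
    "endTime": 1609459200,  # 2021
    "maxWaitTime": 0  # no logs in initial response
}

# Generate new 'query'
q = ls.query(data)
print("\nQUERY: {}\n".format(q.text))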
import os import sys curpath = os.path.dirname(os.path.abspath(__file__)) sys.path[:0] = [os.path.join(curpath, os.pardir)] from pancloud import HTTPClient, LoggingService, EventService, \ DirectorySyncService, Credentials url = 'https://api.us.paloaltonetworks.com' c = Credentials() session = HTTPClient(url=url, credentials=c) ls = LoggingService(session=session) dss = DirectorySyncService(session=session) es = EventService(session=session) f = es.get_filters('EventFilter') print("\nGET EVENT FILTERS...") print("STATUS_CODE: {}, RESULT: \n\n{}\n".format(f.status_code, f.text)) a = dss.attributes() print("\nGET ATTRIBUTES...") print("STATUS_CODE: {}, RESULT: \n\n{}\n".format(a.status_code, a.text)) data = { # Prepare 'query' data "query": "SELECT * FROM panw.traffic LIMIT 1", "startTime": 0, # 1970 "endTime": 1609459200, # 2021
"""Logging Service example using query, poll, delete."""
import os
import sys

curpath = os.path.dirname(os.path.abspath(__file__))
sys.path[:0] = [os.path.join(curpath, os.pardir)]

from pancloud import LoggingService, Credentials

url = 'https://api.us.paloaltonetworks.com'

# Credentials() takes no arguments here, so the token is resolved by
# pancloud's own defaults rather than by this script.
c = Credentials()

# Create Logging Service instance
ls = LoggingService(url=url, credentials=c)

# Prepare 'query' data: one traffic record across 1970..2021; maxWaitTime 0
# means the initial response returns no log rows, only the query handle.
query = dict(
    query="SELECT * FROM panw.traffic LIMIT 1",
    startTime=0,
    endTime=1609459200,
    maxWaitTime=0,
)

# Generate new 'query'
q = ls.query(json=query)
print("\nQUERY: %s\n" % q.text)

# access 'queryId' from 'query' response
query_id = q.json()['queryId']
def logging(options, session) -> None:
    """Drive the LoggingService sub-commands selected in ``options``.

    ``options['R']`` holds per-method argument bundles keyed by the method's
    dotted name ('LoggingService.query', ...): ``R0_obj`` feeds the client
    constructor, ``R1_obj`` the request body / params, ``R2_obj`` extra keyword
    arguments. A failing API call is reported through ``print_exception`` and
    ends the process with exit status 1; non-2xx responses are handled by
    ``exit_for_http_status``. Those helpers, ``print_status``,
    ``print_response``, ``print_response_json``, ``setters``, ``methods`` and
    ``INDENT`` are defined outside this function.
    """
    def query(api, options):
        """Run LoggingService.query; store the returned queryId in options['id'] if unset."""
        k = 'LoggingService.query'
        R = options['R']
        if R['R1_obj'][k] is None:
            x = {}
        else:
            x = R['R1_obj'][k].copy()
        # CLI --start/--end only fill in time bounds the request body lacks.
        if ('startTime' not in x and options['start_seconds'] is not None):
            x['startTime'] = options['start_seconds']
        if ('endTime' not in x and options['end_seconds'] is not None):
            x['endTime'] = options['end_seconds']
        if options['debug'] > 1:
            # NOTE(review): datetime.utcfromtimestamp is deprecated since Python 3.12
            if 'startTime' in x:
                t = datetime.utcfromtimestamp(x['startTime'])
                print('startTime:', t, file=sys.stderr)
            if 'endTime' in x:
                t = datetime.utcfromtimestamp(x['endTime'])
                print('endTime:', t, file=sys.stderr)
        if options['debug'] > 2:
            print(pprint.pformat(x, indent=INDENT), file=sys.stderr)
        if not x and R['R1_obj'][k] is None:
            x = None  # preserve None if no parameters added
        try:
            r = api.query(json=x, **R['R2_obj'][k])
        except Exception as e:
            print_exception(k, e)
            sys.exit(1)
        print_status(k, r, options)
        json_ = print_response(r, options, k)
        exit_for_http_status(r)
        # Let a later poll/delete in the same run reuse the new query handle.
        if json_ is not None and options['id'] is None and 'queryId' in json_:
            options['id'] = json_['queryId']

    def poll(api, options):
        """Run LoggingService.poll once for options['id'] at sequence options['seq']."""
        k = 'LoggingService.poll'
        R = options['R']
        try:
            r = api.poll(query_id=options['id'],
                         sequence_no=options['seq'],
                         params=R['R1_obj'][k],
                         **R['R2_obj'][k])
        except Exception as e:
            print_exception(k, e)
            sys.exit(1)
        print_status(k, r, options)
        print_response(r, options, k)
        exit_for_http_status(r)

    def xpoll(api, options):
        """Iterate LoggingService.xpoll, printing each page; the query is deleted by xpoll itself when options['delete'] is set."""
        k = 'LoggingService.xpoll'
        R = options['R']
        try:
            for x in api.xpoll(query_id=options['id'],
                               sequence_no=options['seq'],
                               delete_query=options['delete'],
                               params=R['R1_obj'][k],
                               **R['R2_obj'][k]):
                print_response_json(options, k, x)
        except Exception as e:
            print_exception(k, e)
            sys.exit(1)

    def delete(api, options):
        """Run LoggingService.delete for options['id']."""
        k = 'LoggingService.delete'
        R = options['R']
        try:
            r = api.delete(query_id=options['id'], **R['R2_obj'][k])
        except Exception as e:
            print_exception(k, e)
            sys.exit(1)
        print_status(k, r, options)
        print_response(r, options, k)
        exit_for_http_status(r)

    def write(api, options):
        """Run LoggingService.write with options['id'] as the vendor id and R1_obj as the body."""
        k = 'LoggingService.write'
        R = options['R']
        try:
            # XXX use R2 to specify "log_type"
            r = api.write(vendor_id=options['id'],
                          json=R['R1_obj'][k],
                          **R['R2_obj'][k])
        except Exception as e:
            print_exception(k, e)
            sys.exit(1)
        print_status(k, r, options)
        print_response(r, options, k)
        exit_for_http_status(r)

    k = 'LoggingService'
    R = options['R']
    try:
        api = LoggingService(session=session, **R['R0_obj'][k])
    except Exception as e:
        print_exception(k, e)
        sys.exit(1)
    if options['debug'] > 0:
        print(api, file=sys.stderr)
    # Sub-commands run in this fixed order: query, poll, xpoll, delete, write.
    if options['query']:
        query(api, options)
    if options['poll']:
        poll(api, options)
    if options['xpoll']:
        try:
            xpoll(api, options)
        except KeyboardInterrupt:
            sys.exit(1)
    # With xpoll the delete is delegated to xpoll's delete_query flag above.
    if options['delete'] and not options['xpoll']:
        delete(api, options)
    if options['write']:
        write(api, options)
    setters(options, api)
    methods(options, api)
from time import time

curpath = os.path.dirname(os.path.abspath(__file__))
sys.path[:0] = [os.path.join(curpath, os.pardir)]

from pancloud import LoggingService, Credentials

VENDOR_ID = 'vendor'
LOG_TYPE = 'log_type'

url = 'https://api.us.paloaltonetworks.com'

# Credentials() takes no arguments here, so the token is resolved by
# pancloud's own defaults rather than by this script.
creds = Credentials()

# Create Logging Service instance
ls = LoggingService(url=url, credentials=creds)

# One synthetic record to write: generatedTime is the current epoch time as a
# float and uuid is fresh on every run; the user field is a placeholder.
sample_record = {
    'generatedTime': time(),
    'uuid': str(uuid4()),
    'user': '******',
    'action': 'drop',
    'subType': 'brute-force',
    'name': 'anvil',
    'repeatCnt': 5,
}
logs = [sample_record]

write_response = ls.write(vendor_id=VENDOR_ID, log_type=LOG_TYPE, json=logs)
print("\nWRITE: %s\n" % write_response.text)
"""Example interaction with Logging Service using iter_poll."""
import os
import sys

curpath = os.path.dirname(os.path.abspath(__file__))
sys.path[:0] = [os.path.join(curpath, os.pardir)]

from pancloud import LoggingService, Credentials

url = 'https://api.us.paloaltonetworks.com'

# Credentials() takes no arguments here, so the token is resolved by
# pancloud's own defaults rather than by this script.
c = Credentials()

# Create Logging Service instance
ls = LoggingService(url=url, credentials=c)

# Prepare 'query' data: five traffic records across 1970..2021; maxWaitTime 0
# means the initial response returns no log rows, only the query handle.
query = dict(
    query="SELECT * FROM panw.traffic LIMIT 5",
    startTime=0,
    endTime=1609459200,
    maxWaitTime=0,
)

# Generate new 'query'
q = ls.query(json=query)
print("\nQUERY: %s\n" % q.text)

# access 'queryId' from 'query' response
query_id = q.json()['queryId']
# apigw-stg4 is a non-production gateway host (presumably staging).
url = 'https://apigw-stg4.us.paloaltonetworks.com'

# `export ACCESS_TOKEN=<access token>`
# Bearer token attached to every request on the shared session; it is read
# once from the environment and is not printed anywhere in this script.
access_token = os.environ['ACCESS_TOKEN']

common_headers = {
    'Authorization': 'Bearer {}'.format(access_token),
    "Content-Type": "application/json",
    "Accept": "application/json",
}

# One pooled HTTP session (5 retries, pool of 30) shared by all three clients.
session = HTTPClient(url=url, max_retries=5, pool_maxsize=30, headers=common_headers)
ls = LoggingService(session=session)
dss = DirectorySyncService(session=session)
es = EventService(session=session)

# Prepare 'filter' data: one "SELECT *" filter per log type.
filters = {
    "filters": [
        {"panw.threat": "SELECT * FROM panw.threat"},
        {"panw.traffic": "SELECT * FROM panw.traffic"},
        {"panw.system": "SELECT * FROM panw.system"},
        {"panw.config": "SELECT * FROM panw.config"},
    ]
}