def add_filters_to_jinja(self):
    """Register the DLP template helpers on the Jinja environment.

    Despite the method name, the helpers are installed as Jinja *globals*
    (callable as ``{{ regex_escape(x) }}``), not as ``|`` filters.  The
    environment comes from ``template_functions.environment()`` and appears
    to be shared, so assigning a name here overwrites any same-named global
    another component registered earlier.
    """
    env = template_functions.environment()
    # Map the name templates use to the static helper that implements it.
    for name, helper in (
        ("regex_escape", DLPListener.regex_escape),
        ("dt_to_milli_epoch", DLPListener.dt_to_milli_epoch),
    ):
        env.globals[name] = helper
def __init__(self):
    """Register the Resilient Jinja helpers on the global environment.

    Each helper is exposed twice: as a global (``{{ f(x) }}``) and as a
    filter (``{{ x | f }}``).  ``dict.update`` overwrites any entry of the
    same name already present on the shared environment.
    """
    # One mapping drives both registrations so they cannot drift apart.
    helpers = {
        "resilient_datetimeformat": jinja_resilient_datetimeformat,
        "resilient_substitute": jinja_resilient_substitute,
    }
    env = environment()
    env.globals.update(helpers)
    env.filters.update(helpers)
def add_methods_to_global():
    """Expose helper converters and predicates to Jinja templates as globals.

    Note that ``regex_escape`` is published under the template name
    ``custom_regex_escape``.  Registration goes through ``dict.update`` on the
    shared environment, so an existing global of the same name is replaced.
    """
    env = environment()
    env.globals.update(
        ds_to_millis=ds_to_millis,
        is_valid_ipv4_addr=is_valid_ipv4_addr,
        is_valid_ipv6_addr=is_valid_ipv6_addr,
        custom_regex_escape=regex_escape,
        is_list=is_list,
        represents_int=represents_int,
    )
def main(self):
    """Start the ESM polling thread when ``esm_polling_interval`` is positive.

    The interval is read from ``self.options``; a missing key defaults to 0,
    which disables polling.  A non-numeric value is not tolerated: ``int()``
    raises ``ValueError`` instead of silently disabling the poller.
    """
    interval = int(self.options.get("esm_polling_interval", 0))
    if interval <= 0:
        log.info("Polling for cases in ESM is not occurring")
        return

    # The polling thread renders templates that call ds_to_millis, so it has
    # to be a Jinja global before the thread starts.
    environment().globals.update({"ds_to_millis": ds_to_millis})

    # Daemon thread: the interpreter will not wait for it at shutdown.
    poller = Thread(target=self.esm_polling_thread)
    poller.daemon = True
    poller.start()
    log.info("Polling for cases in ESM is occurring")
def polling_main(self):
    """Spawn second thread to query alerts from the Microsoft Security Graph API
    and create incidents in the Resilient platform if they do not already exist.

    Polling only starts when ``msg_polling_interval`` in ``self.options`` is a
    positive integer; a missing key defaults to 0 (disabled) and a non-numeric
    value raises ``ValueError`` from ``int()``.
    """
    interval = int(self.options.get("msg_polling_interval", 0))
    if interval <= 0:
        log.info("Polling for alerts in Microsoft Security Graph is not occurring.")
        return

    # Templates rendered by the poller call ds_to_millis; register it first.
    environment().globals.update({"ds_to_millis": ds_to_millis})

    # Daemon thread: does not keep the process alive on shutdown.
    poller = Thread(target=self.msg_polling_thread)
    poller.daemon = True
    poller.start()
    log.info("Polling for alerts in Microsoft Security Graph is occurring.")
def __init__(self, opts):
    """constructor provides access to the configuration options

    Loads options, publishes ``timestamp_to_millis`` to Jinja templates, and,
    when an escalation interval is configured, schedules the first poll.
    """
    super(Bit9PollComponent, self).__init__(opts)
    self.log = logging.getLogger(__name__)
    self._load_options(opts)

    # Available in templates both as {{ timestamp_to_millis(x) }} and as
    # {{ x | timestamp_to_millis }}.  update() replaces any same-named entry.
    helpers = {"timestamp_to_millis": timestamp_to_millis}
    env = environment()
    env.globals.update(helpers)
    env.filters.update(helpers)

    if not self.escalation_interval:
        return

    self.log.info(
        u"CbProtect escalation initialized, polling interval %s seconds",
        self.escalation_interval)
    # The first poll is a one-off fired within at most 5 seconds; the configured
    # interval presumably governs re-scheduling inside the Poll handler (not
    # visible here).
    first_delay = min(self.escalation_interval, 5)
    Timer(first_delay, Poll(), persist=False).register(self)
def test_build_incident_dto(self):
    """build_incident_dto maps a Security Graph alert onto a Resilient incident DTO."""
    # The DTO template calls ds_to_millis, so it must be a Jinja global first.
    environment().globals.update({"ds_to_millis": ds_to_millis})

    alert_id = "ea1921b334a655056acfa2b7f4f5d5679dc0976a29e55882edf8e58f9e390c55"
    event_time = "2018-11-01T19:48:16.3432936Z"
    description = "Sign-in from an anonymous IP address (e.g. Tor browser, anonymizer VPNs)"

    alert_data = {
        "eventDateTime": event_time,
        "lastModifiedDateTime": "2018-11-01T19:51:19.0619566Z",
        "malwareStates": [],
        "networkConnections": [],
        "fileStates": [],
        "registryKeyStates": [],
        "description": description,
        "createdDateTime": event_time,
        "title": "Anonymous IP address",
        "assignedTo": "",
        "cloudAppStates": [],
        "recommendedActions": [],
        "id": alert_id,
        "riskScore": "",
        "severity": "medium",
        "processes": [],
        "comments": [],
        "hostStates": [],
        "confidence": 0,
        "vendorInformation": {"providerVersion": "3.0", "provider": "IPC", "vendor": "Microsoft"},
        "azureTenantId": "07218a5e-c310-4a41-8eaf-f6b542f1ef5c",
        "triggers": [],
        "tags": [],
        "azureSubscriptionId": "",
        "vulnerabilityStates": [],
        "userStates": [{
            "logonIp": "51.15.43.205",
            "logonLocation": "Santpoort-Zuid, Noord-Holland, NL",
            "accountName": "brian_admin",
            "emailRole": "unknown",
            "riskScore": "0",
            "userPrincipalName": "*****@*****.**",
        }],
        "detectionIds": [],
        "category": "AnonymousLogin",
        "sourceMaterials": [],
        "status": "newAlert",
    }

    actual = json.loads(build_incident_dto(alert_data))

    # discovered_date is the alert timestamp as a millisecond epoch; the
    # seven-digit fractional seconds are truncated, not rounded.  eventDateTime
    # and createdDateTime are equal here, so this does not pin which one is used.
    assert actual == {
        "description": {
            "format": "html",
            "content": description,
        },
        "discovered_date": 1541101696000,
        "name": "Microsoft Security Graph Alert: " + event_time,
        "properties": {
            "microsoft_security_graph_alert_id": alert_id,
        },
    }
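def __init__(self, opts):
    """constructor provides access to the configuration options

    Loads options and, only when a polling interval is configured, registers
    the ``readable_datetime`` Jinja helper, seeds the close-code select list
    and schedules the first poll.  With no interval the constructor returns
    early and none of that setup runs.
    """
    super(SecureworksCTPPollComponent, self).__init__(opts)
    self._load_options(opts)

    if not self.polling_interval:
        LOG.info(
            u"Secureworks CTP escalation interval is not configured. Automated escalation is disabled."
        )
        # NOTE(review): readable_datetime is not registered on this path.  If any
        # non-polling code renders templates that use it, move the registration
        # above this return — confirm against the rest of the package.
        return

    # Expose readable_datetime both as {{ readable_datetime(x) }} and as
    # {{ x | readable_datetime }}.  update() replaces any same-named entry on
    # the global environment.
    helpers = {"readable_datetime": readable_datetime}
    env = environment()
    env.globals.update(helpers)
    env.filters.update(helpers)

    # If close_codes are defined in the app.config, load them into the select
    # input list.  The call's return value is not needed here (it was previously
    # bound to an unused local).
    if self.close_codes:
        self._init_close_codes(self.close_codes)

    LOG.info(u"Secureworks CTP escalation initiated, polling interval %s", self.polling_interval)
    Timer(self.polling_interval, Poll(), persist=False).register(self)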
def add_methods_to_global():
    """Expose ``ds_to_millis`` to Jinja templates as a global.

    Goes through ``dict.update`` on the shared environment, so an existing
    global named ``ds_to_millis`` is replaced.
    """
    env = environment()
    env.globals.update(ds_to_millis=ds_to_millis)