def merge_site_members(api, data): print('Merging users...') # Get existing site users keys = ['user'] src = api.get_site_members() users = filter_data(src['data'], keys) # Get existing corp users in case user needs to be added keys = ['email'] src = api.get_corp_users() corp_users = [user['email'] for user in filter_data(src['data'], keys)] # Loop through the users to add for item in data: for user in users: # Skip users that exist in the site if item['user']['email'] == user['user']['email']: print(' Skipping %s (exists)' % item['user']['email']) break else: if item['user']['email'] not in corp_users: # User does not exist in corp so invite it to the corp and add # it to the site print(' %s (New user - Corp role: %s, API user: %s)' % (item['user']['email'], item['role'], item['user']['apiUser'])) add_new_user(api, item['user']['email'], item['role'], item['user']['apiUser']) else: # Add missing user print(' Adding %s' % item['user']['email']) role = {'role': item['role']} api.update_site_member(item['user']['email'], role)
def generate_advanced_rules_request(api, source, data): print('Merging advanced rules...') # Get the existing advanced rules src = api.get_advanced_rules() rules = filter_data(src.get('data', []), ['shortName']) rule_names = [r['shortName'] for r in rules] email = '\nEmail [email protected] with the following...\n' email += ('Please copy the following advanced rules from %s/%s to %s/%s:' % (source['corp'], source['site'], api.corp, api.site)) make_request = False skipped = [] for item in data: if item['shortName'] not in rule_names: email += '\n %s (ID %s)' % (item['shortName'], item['id']) make_request = True else: skipped.append(item['shortName']) for item in skipped: print(' Skipping %s (exists)' % item) if make_request: print(email)
def merge_integrations(api, data): print('Merging integrations...') # Get existing integrations keys = ['id', 'name', 'type', 'url', 'events'] src = api.get_integrations() integs = filter_data(src['data'], keys) # Loop through integrations to add/update for item in data: for integ in integs: if item['url'] == integ['url'] and item['type'] == integ['type']: # Integration exists, see if it needs updating if sorted(item['events']) == sorted(integ['events']): # Integration events are the same, skip print(' Skipping %s (exists)' % item['name']) break else: # Integration events are different, updating print(' Updating %s' % item['name']) api.update_integration(integ['id'], item) break else: # Add missing integration print(' Adding %s' % item['name']) try: api.add_integration(item) except Exception as e: # pylint: disable=broad-except print(' Failed: %s' % e)
def get_request_rules(api): keys = [ 'enabled', 'groupOperator', 'conditions', 'action', 'signal', 'reason', 'expiration' ] data = api.get_request_rules() return filter_data(data['data'], keys)
def merge_signal_rules(api, data): print('Merging signal rules...') # Get the existing signal rules keys = [ 'enabled', 'groupOperator', 'conditions', 'signal', 'reason', ] src = api.get_signal_rules() rules = filter_data(src['data'], keys) for item in data: for rule in rules: if equal_rules(rule, item, signal_rule=True): print(' Skipping %s (exists)' % item['reason']) break else: print(' Adding %s' % item['reason']) try: api.add_signal_rules(item) except Exception as e: # pylint: disable=broad-except print(' Failed: %s' % e)
def merge_advanced_rules(api, source, data): print('Merging advanced rules...') # Get the existing advanced rules src = api.get_advanced_rules() rules = filter_data(src.get('data', []), ['shortName']) rule_names = [r['shortName'] for r in rules] not_copied = [] for item in data: if item['shortName'] not in rule_names: try: response = api.copy_advanced_rule(item['shortName'], source['site']) or item print(' Adding %s (ID %s)' % (response['shortName'], response['id'])) except Exception as e: # pylint: disable=broad-except not_copied.append(item) else: print(' Skipping %s (exists)' % item) if not_copied: print('\nEmail [email protected] with the following...\n' 'Please copy the following advanced rules from %s/%s to %s/%s:' % (source['corp'], source['site'], api.corp, api.site)) for item in not_copied: print(' %s (ID %s)' % (item['shortName'], item['id']))
def add_site_members(api, data): print('Adding users...') # Get existing corp users in case user needs to be added keys = ['email'] src = api.get_corp_users() users = [user['email'] for user in filter_data(src['data'], keys)] for item in data: if item['user']['email'] not in users: # User does not exist in corp so invite it to the corp and add it # to the site print(' %s (New user - Corp role: %s, API user: %s)' % (item['user']['email'], item['role'], item['user']['apiUser'])) add_new_user(api, item['user']['email'], item['role'], item['user']['apiUser']) elif item['role'] == 'owner': # Owners are auto-added at site creation continue else: # User exists in corp and is not an owner to add it to the site print(' %s' % item['user']['email']) role = {'role': item['role']} api.update_site_member(item['user']['email'], role)
def get_site_rules(api): keys = [ 'type', 'enabled', 'groupOperator', 'conditions', 'actions', 'reason', 'expiration' ] optional_alert_keys = ['signal'] data = api.get_site_rules() return filter_data(data['data'], keys, optional_keys=optional_alert_keys)
def get_advanced_rules(api): keys = [ 'id', 'shortName', 'enabled', 'initRule', 'preEarlyRule', 'preRule', 'preLateRule', 'postEarlyRule', 'postRule', 'postLateRule', 'sampleRequest', 'sampleResponse' ] data = api.get_advanced_rules() return filter_data(data.get('data', []), keys)
def get_templated_rules(api): detection_keys = ['name', 'fields', 'enabled'] alert_keys = ['longName', 'interval', 'threshold', 'skipNotifications', 'enabled', 'action'] data = api.get_templated_rules() ret = {} for rule in data['data']: if not rule['detections']: # Skip empty rules continue # Reformat the retrieved data into the structure needed for adding the # templated rule to a clean site. ret[rule['name']] = {'detectionAdds': [], 'alertAdds': []} ret[rule['name']]['detectionAdds'] += filter_data( rule['detections'], detection_keys) ret[rule['name']]['alertAdds'] += filter_data( rule['alerts'], alert_keys) return ret
def generate_advanced_rules_request(api, source, data): # Get the existing advanced rules src = api.get_advanced_rules() rules = filter_data(src['data'], ['shortName']) rule_names = [r['shortName'] for r in rules] email = '\n\nEmail [email protected] with the following...\n' email += ('Please copy the following advanced rules from %s/%s to %s/%s:' % (source['corp'], source['site'], api.corp, api.site)) make_request = False for item in data: if item['shortName'] not in rule_names: email += '\n %s (ID %s)' % (item['shortName'], item['id']) make_request = True if make_request: print(email)
def merge_custom_signals(api, data): print('Merging custom signals...') # Get the existing custom signals keys = ['tagName'] src = api.get_custom_signals() lists = filter_data(src['data'], keys) for item in data: for existing in lists: if existing['tagName'] == item['tagName']: print(' Skipping %s (exists)' % item['shortName']) break else: # List iteration ended without breaking on a tag match so add # the signal as a new one print(' Adding %s' % item['shortName']) api.add_custom_signals(item)
def merge_site_members(api, data): print('Merging users...') # Get existing users keys = ['user'] src = api.get_site_members() users = filter_data(src['data'], keys) # Loop through the users to add for item in data: for user in users: # Skip users that exist in the site if item['user']['email'] == user['user']['email']: print(' Skipping %s (exists)' % item['user']['email']) break else: # Add missing user print(' Adding %s' % item['user']['email']) role = {'role': item['role']} api.update_site_member(item['user']['email'], role)
def merge_custom_alerts(api, data): print('Merging custom alerts...') # Get existing alerts keys = [ 'id', 'tagName', 'longName', 'interval', 'threshold', 'enabled', 'action' ] src = api.get_custom_alerts() alerts = filter_data(src['data'], keys) for item in data: if item['action'] == 'siteMetricInfo': # Default agent alerts are added at site creation continue for alert in alerts: if (item['tagName'] == alert['tagName'] and item['longName'] == alert['longName']): if (not alert['enabled'] and (item['interval'] != alert['interval'] or item['threshold'] != alert['threshold'] or item['enabled'] != alert['enabled'] or item['action'] != alert['action'])): # Alert with same tag and description exists but is not # enabled so update to match the source alert. print(' Updating %s' % item['longName']) api.update_custom_alert(alert['id'], item) break else: # Alert with same tag and description exists and is enabled # or has the same values as the source alert so don't touch # it. print(' Skipping %s (exists)' % item['longName']) break else: print(' Adding %s' % item['longName']) api.add_custom_alert(item)
def merge_rule_lists(api, data): print('Merging lists...') # Get the existing lists keys = ['id', 'name', 'type', 'entries'] src = api.get_rule_lists() lists = filter_data(src['data'], keys) # Loop through the lists to merge in for item in data: existing = _find_match(item, lists, ['name', 'type']) if existing: # Found an existing list with same name and type _merge_lists(api, item, existing) # Go on to the next item continue existing = _find_match(item, lists, ['name']) if existing: # Found an existing list with the same name but different type. # Set the name to be the original name with the new type appended. # Names can only be 32 characters so need to leave space for the # type. item['name'] = '%s-%s' % (item['name'][0:31 - len(item['type'])], item['type']) # Make sure this new name doesn't already exist. If it does that # means it was already created on a previous merge and so will be # covered on another iteration through the existing lists. exist = _find_match(item, lists, ['name']) if not exist: _add_list(api, item) # Go on to the next item continue # No matching list was found to exist so add the list as a new one _add_list(api, item)
def get_integrations(api): keys = ['name', 'type', 'url', 'events'] data = api.get_integrations() return filter_data(data['data'], keys)
def get_advanced_rules(api): keys = ['id', 'shortName'] data = api.get_advanced_rules() return filter_data(data.get('data', []), keys)
def get_site_members(api): keys = ['user', 'role'] data = api.get_site_members() return filter_data(data['data'], keys)
def get_custom_alerts(api): keys = [ 'tagName', 'longName', 'interval', 'threshold', 'enabled', 'action' ] data = api.get_custom_alerts() return filter_data(data['data'], keys)
def get_site(api): keys = ['agentLevel', 'blockDurationSeconds', 'blockHTTPCode'] data = api.get_corp_site(api.site) return filter_data(data, keys)
def get_custom_signals(api): keys = ['tagName', 'shortName', 'description'] data = api.get_custom_signals() return filter_data(data['data'], keys)
def get_rule_lists(api): keys = ['name', 'type', 'description', 'entries'] data = api.get_rule_lists() return filter_data(data['data'], keys)