def __init__(self):
    """Set up the end-to-end test object.

    Builds a Timesketch API client from the module-level HOST_URI,
    USERNAME and PASSWORD constants, creates a sketch named after the
    class attribute NAME, and prepares a ``unittest.TestCase`` instance
    (used for its assertion helpers) and a ``Counter``.
    """
    self._counter = collections.Counter()
    self.assertions = unittest.TestCase()
    # The target instance and credentials are taken from module constants,
    # so the test run is selected by configuration, not by arguments.
    ts_client = api_client.TimesketchApi(
        host_uri=HOST_URI,
        username=USERNAME,
        password=PASSWORD,
    )
    self.api = ts_client
    # A sketch is created per test object, named from the class's NAME.
    self.sketch = ts_client.create_sketch(name=self.NAME)
def get_cli_context():
    """Return a CLI context object using a mock config.

    Creates a ``TimesketchApi`` client for the loopback address with
    placeholder credentials, writes ``TEST_CONFIG`` to a temporary file
    and passes that file's path to ``TimesketchCli`` as ``conf_file``.
    """
    ts_api = client.TimesketchApi("http://127.0.0.1", "test", "test")
    with tempfile.NamedTemporaryFile(mode="w") as conf:
        conf.write(TEST_CONFIG)
        # Rewinding flushes the buffered write so the config is on disk
        # before the path is handed over.
        conf.seek(0)
        # NOTE(review): the temporary file is deleted when this block exits,
        # so this only works if TimesketchCli reads conf_file eagerly —
        # confirm against its constructor.
        context = TimesketchCli(
            api_client=ts_api, sketch_from_flag=1, conf_file=conf.name
        )
    return context
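def get_api_client(host: str, username: str, password: str = '',
                   client_id: str = '', client_secret: str = '',
                   run_local: bool = False) -> client.TimesketchApi:
    """Returns a Timesketch API client.

    Args:
        host (str): the Timesketch host. If no ``http://`` or ``https://``
            scheme is given, ``https://`` is prepended. An explicit
            ``http://`` is honoured as-is, which sends the credentials in
            cleartext, so prefer HTTPS.
        username (str): the username to authenticate with.
        password (str): optional used if OAUTH is not the authentication
            mechanism.
        client_id (str): if OAUTH is used then a client ID needs to be set.
        client_secret (str): if OAUTH is used then a client secret needs to
            be set.
        run_local (bool): if OAUTH is used to authenticate and set to True
            then the authentication URL is printed on screen instead of
            starting a web server, this suits well if the connection is
            over a SSH connection for instance. Ignored unless
            ``client_secret`` is set.

    Raises:
        TypeError: If a non supported authentication mode is passed in
            (neither a password nor a client secret was provided).

    Returns:
        A Timesketch API client object.
    """
    # OAuth settings take precedence over a password when both are given.
    if run_local and client_secret:
        auth_mode = 'oauth_local'
    elif client_secret:
        auth_mode = 'oauth'
    elif password:
        auth_mode = 'timesketch'
    else:
        raise TypeError('Neither password nor client secret provided, unable '
                        'to authenticate')

    # Default to HTTPS when no scheme is present. Match the full scheme
    # prefix rather than a bare 'http' so that a host name that merely
    # starts with those letters (e.g. 'httpserver.example') is not
    # mistaken for a URL and passed on without any scheme.
    if not host.startswith(('http://', 'https://')):
        host = 'https://{0:s}'.format(host)

    api_client = client.TimesketchApi(
        host_uri=host,
        username=username,
        password=password,
        client_id=client_id,
        client_secret=client_secret,
        auth_mode=auth_mode)
    return api_client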
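def run(yeti_api, arguments):
    """Fetches information on a file in Yeti.

    Resolves the Yeti entity selected by ``arguments.id`` or
    ``arguments.name``, prints the indicators related to it, then searches
    the Timesketch sketch ``arguments.sketch_id`` for events matching each
    indicator and prints them. When ``arguments.tag`` is set, matching
    events are labelled "yeti" in the sketch.

    Args:
        yeti_api: Yeti API client exposing ``entity_get``, ``entity_search``
            and ``related_indicators``.
        arguments: parsed command-line arguments with the attributes
            ``id``, ``name``, ``endpoint``, ``username``, ``password``,
            ``sketch_id`` and ``tag``.

    Raises:
        SystemExit: with status -1 when no entity selector is given, or
            when ``--name`` does not match exactly one entity.
    """
    if not (arguments.id or arguments.name):
        print("Please specify at least an entity --id or --name.")
        # SystemExit directly rather than the site-module `exit` builtin,
        # which is not guaranteed to exist (e.g. under `python -S`).
        raise SystemExit(-1)

    entity = _resolve_entity(yeti_api, arguments)

    indicators = yeti_api.related_indicators(entity)['data']
    print("Found {0:d} indicators for entity {1:s} ({2:s})".format(
        len(indicators), entity['name'], entity['id']))
    for indicator in indicators:
        print(" Name: {0:s}, Pattern: {1:s}".format(
            indicator['name'], repr(indicator['pattern'])))

    ts_client = client.TimesketchApi(
        arguments.endpoint, arguments.username, arguments.password)
    sketch = ts_client.get_sketch(arguments.sketch_id)
    for indicator in indicators:
        _search_sketch(sketch, indicator, arguments.tag)


def _resolve_entity(yeti_api, arguments):
    """Return the single Yeti entity selected by --id or --name, or exit."""
    if arguments.id:
        return yeti_api.entity_get(arguments.id)

    entities = yeti_api.entity_search(name=arguments.name)
    # An empty result is reported separately instead of falling through to
    # the "more than one" message with nothing listed under it.
    if not entities:
        print("No entity matches your query.")
        raise SystemExit(-1)
    if len(entities) != 1:
        print("More than one entity matches your query:")
        for candidate in entities:
            print(" {0:s}: {1:<30s}".format(candidate['name'], candidate['id']))
        print("Rerun the command specifing an --id parameter.")
        raise SystemExit(-1)
    return entities[0]


def _search_sketch(sketch, indicator, tag):
    """Search *sketch* for events matching *indicator*; print and optionally tag them."""
    # The indicator pattern originates in Yeti and ends up inside the sketch
    # query string; this relies on build_timesketch_query_string to quote or
    # escape it appropriately — confirm there.
    query_string = build_timesketch_query_string(indicator)
    response = sketch.explore(query_string=query_string)
    events = response['objects']
    if not events:
        return

    print("[!] Found {0:d} matching events for {1:s}".format(
        len(events), indicator['name']))
    for event in events:
        source = event['_source']
        # '!s' conversion: identical output for string fields, but a
        # non-string field (the 'label' field is presumably a list — verify
        # against the sketch response) renders instead of raising
        # "unsupported format string".
        print("{0!s} {1!s:<30s} {2!s} {3!s}".format(
            source['datetime'],
            source['timestamp_desc'],
            source['message'],
            source['label']))
    if tag:
        sketch.label_events(events, "yeti")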