def main(): ts = TruStar(config_role="trustar") token = ts.get_token() if do_latest_reports: print("Getting Latest Accessible Reports...") results = ts.get_latest_reports(token) for result in results: print("\t%s, %s, %s" % (result['id'], result['distributionType'], result['title'])) print() if do_correlated: print("Querying Accessible Correlated Reports...") results = ts.get_correlated_reports(token, search_string) print("%d report(s) correlated with indicators '%s':\n" % (len(results), search_string)) print("\n".join(results)) print() if do_latest_indicators: print("Get Latest Indicators (first 100)") results = ts.query_latest_indicators(token, source='INCIDENT_REPORT', indicator_types='ALL', interval_size=24, limit=100) if 'indicators' in results: for ioc_type, value in results['indicators'].items(): if len(value) > 0: print("\t%s: %s" % (ioc_type, ','.join(value))) print() if do_report_details: print("Get Report Details") reports = ts.get_latest_reports(token) for report in reports: result = ts.get_report_details(token, report['id']) print("Getting Report Details using '%s': \n%s" % (report['id'], json.dumps(result, indent=4))) print() if do_query_indicators: print( "Querying correlated indicators with search string '%s' (first 100)" % search_string) results = ts.query_indicators(token, search_string, '100') indicator_hits = list(results["indicators"]) if len(indicator_hits) > 0: print("Correlated Incident Report Indicators:") for indicator_type, indicator_list in list( results["indicators"].items()): print("\n%s:\n\t%s" % (indicator_type, "\n\t".join( ['{}'.format(value) for value in indicator_list]))) print() os_hits = list(results["openSourceCorrelations"]) if len(os_hits) > 0: print("Correlated Open Source Documents:") for os_url in os_hits: print("\t%s" % os_url) print() exint_hits = list(results["externalIntelligence"]) if len(exint_hits) > 0: print("External Intelligence hits:") print('\t'.join(exint_hits)) print() # Submit simple test report to community if do_comm_submissions: community_response = ts.submit_report(token, submit_indicators, "COMMUNITY API SUBMISSION TEST", began_time="2017-02-01T01:23:45") print("\tURL: %s\n" % ts.get_report_url(community_response['reportId'])) if 'reportIndicators' in community_response: print("Extracted the following community indicators: \n%s\n" % json.dumps(community_response['reportIndicators'], indent=2)) # Submit simple test report to your enclave if do_enclave_submissions: enclave_response = ts.submit_report(token, submit_indicators, "ENCLAVE API SUBMISSION TEST ", enclave=True) print("\tURL: %s\n" % ts.get_report_url(enclave_response['reportId'])) print(enclave_response) if 'reportIndicators' in enclave_response: print("Extracted the following enclave indicators: \n%s\n" % json.dumps(enclave_response['reportIndicators'], indent=2))
def main(): role = "trustar" if len(sys.argv) > 1: role = sys.argv[1] ts = TruStar(config_file="trustar.conf", config_role=role) # generate random id to use as external_id external_id = str(randint(1, 100000)) # or use a specific external_id # external_id = "321" report_guid = None current_time = int(time.time()) * 1000 yesterday_time = current_time - to_milliseconds(days=1) if do_latest_reports: logger.info("Getting Latest Accessible Incident Reports Since 24 hours ago ...") try: # get each successive page of reports report_generator = ts.get_reports(from_time=yesterday_time, to_time=current_time, is_enclave=True, enclave_ids=ts.enclave_ids) for report in report_generator: logger.info(report) except Exception as e: logger.error('Could not get latest reports, error: %s' % e) print('') if do_reports_by_community: two_days_ago = current_time - to_milliseconds(days=2) logger.info("Getting community only reports for the previous day ...") try: reports = ts.get_reports(from_time=two_days_ago, to_time=yesterday_time, is_enclave=False) for report in reports: logger.info(report) except Exception as e: logger.error('Could not get community reports, error: %s' % e) print('') if do_reports_by_enclave: a_week_ago = current_time - to_milliseconds(days=7) logger.info("Getting enclave only reports for the previous week ...") try: reports = ts.get_reports(from_time=a_week_ago, to_time=current_time, is_enclave=True, enclave_ids=ts.enclave_ids) for report in reports: logger.info(report) except Exception as e: logger.error('Could not get community reports, error: %s' % e) print('') if do_correlated: logger.info("Querying Accessible Correlated Reports...") try: report_ids = ts.get_correlated_report_ids(search_string) logger.info(report_ids) logger.info("%d report(s) correlated with indicators '%s':\n" % (len(report_ids), search_string)) logger.info("\n".join(report_ids)) except Exception as e: logger.error('Could not get correlated reports, error: %s' % e) print('') if do_community_trends: logger.info("Get community trends...") try: indicators = ts.get_community_trends(indicator_type=None, days_back=1) for indicator in indicators: logger.info(indicator) except Exception as e: logger.error('Could not get community trends, error: %s' % e) print('') if do_query_indicators: try: logger.info("Getting related indicators...") indicators = ts.get_related_indicators(indicators=search_string) for indicator in indicators: logger.info(indicator) except Exception as e: logger.error('Could not get related indicators, error: %s' % e) # Submit simple test report to community if do_comm_submissions: logger.info("Submit New Community Incident Report") try: report = Report(title="COMMUNITY API SUBMISSION TEST", body=submit_indicators, time_began="2017-02-01T01:23:45", is_enclave=False) report = ts.submit_report(report) logger.info("\tURL: %s\n" % ts.get_report_url(report.id)) except Exception as e: logger.error('Could not submit community report, error: %s' % e) print('') # Submit simple test report to your enclave if do_enclave_submissions: logger.info("Submit New Enclave Incident Report") try: report = Report(title="ENCLAVE API SUBMISSION TEST ", body=submit_indicators, time_began="2017-02-01T01:23:45", enclave_ids=ts.enclave_ids) report = ts.submit_report(report) logger.info("\tURL: %s\n" % ts.get_report_url(report.id)) logger.info(report) except Exception as e: logger.error('Could not submit enclave report, error: %s' % e) print('') # Submit a test report and retrieve it if do_submit_report: logger.info("Submit New Enclave Incident Report with External ID") try: report = Report(title="Sample SDK Test Report", body=submit_indicators, time_began="2017-02-01T01:23:45", is_enclave=True, enclave_ids=ts.enclave_ids, external_id=external_id) report = ts.submit_report(report) logger.info("Report Submitted") logger.info("\texternalTrackingId: %s" % report.external_id) logger.info("\tURL: %s\n" % ts.get_report_url(report.id)) except Exception as e: logger.error('Could not submit report, error: %s' % e) print('') # Get test report previously submitted if do_report_details_by_ext_id: logger.info("Get Incident Report By External ID") try: report = ts.get_report_details(report_id=external_id, id_type=Report.ID_TYPE_EXTERNAL) logger.info("\ttitle: %s" % report.title) logger.info("\texternalTrackingId: %s" % report.external_id) logger.info("\tURL: %s\n" % ts.get_report_url(report.id)) report_guid = report.id except Exception as e: logger.error('Could not get report, error: %s' % e) print('') # Update a test report and test with get report if do_update_report_by_ext_id: logger.info("Update Incident Report By External ID") try: report = Report(title="Updated Sample Title", body="updated report body: 21.22.23.24", external_id=external_id, enclave_ids=ts.enclave_ids) report = ts.update_report(report) logger.info("\texternalTrackingId: %s" % report.external_id) logger.info("\tURL: %s\n" % ts.get_report_url(report.id)) except Exception as e: logger.error('Could not update report, error: %s' % e) print('') # Get test report previously submitted if do_report_details_by_guid: logger.info("Get Incident Report Details by GUID (TruSTAR internal ID)") try: report = ts.get_report_details(report_guid) logger.info("\ttitle: %s" % report.title) logger.info("\texternalTrackingId: %s" % report.external_id) logger.info("\tURL: %s\n" % ts.get_report_url(report.id)) except Exception as e: logger.error('Could not get report, error: %s' % e) print('') # Update a test report and test with get report if do_update_report_by_guid: logger.info("Update Incident Report by GUID (TruSTAR internal ID)") try: report = Report(id=report_guid, title="New Sample Title", body="new sample body - 7.8.9.10", enclave_ids=ts.enclave_ids) report = ts.update_report(report) logger.info("Updated Report using GUID") logger.info("\texternalTrackingId: %s" % report.external_id) logger.info("\tURL: %s\n" % ts.get_report_url(report.id)) except Exception as e: logger.error('Could not update report, error: %s' % e) print('') # Get test report previously submitted if do_report_details_by_guid: logger.info("Get Report by GUID (TruSTAR internal ID)") try: report = ts.get_report_details(report_guid) logger.info("\ttitle: %s" % report.title) logger.info("\texternalTrackingId: %s" % report.external_id) logger.info("\tURL: %s\n" % ts.get_report_url(report.id)) except Exception as e: logger.error('Could not get report, error: %s' % e) print('') # Release report to community if do_release_report_by_ext_id: logger.info("Release Incident Report by External ID") try: report = Report(external_id=external_id, is_enclave=False) report = ts.update_report(report) logger.info("Report Released using External ID:") logger.info("\texternalTrackingId: %s" % report.external_id) logger.info("\tURL: %s\n" % ts.get_report_url(report.id)) except Exception as e: logger.error('Could not release report, error: %s' % e) print('') # Get test report previously submitted if do_report_details_by_ext_id_2: logger.info("Get Incident Report Details by External ID") try: report = ts.get_report_details(report_id=external_id, id_type=Report.ID_TYPE_EXTERNAL) logger.info("\ttitle: %s" % report.title) logger.info("\texternalTrackingId: %s" % report.external_id) logger.info("\tURL: %s\n" % ts.get_report_url(report.id)) except Exception as e: logger.error('Could not get report, error: %s' % e) print('') # Delete test report previously submitted if do_delete_report_by_ext_id: logger.info("Delete Incident Report by External ID") try: ts.delete_report(report_id=external_id, id_type=Report.ID_TYPE_EXTERNAL) logger.info("Report Deleted using External ID\n") except Exception as e: logger.error('Could not delete report, error: %s' % e) print('') # Add an enclave tag to a newly created report if do_add_enclave_tag: logger.info("Add enclave tag to incident report") try: # submit report report = Report(title="Enclave report with tag", body=submit_indicators, is_enclave=True, enclave_ids=ts.enclave_ids) report = ts.submit_report(report) logger.info("\tId of new report %s\n" % report.id) # get back report details, including the enclave it's in report = ts.get_report_details(report_id=report.id) enclave_id = report.enclave_ids[0] # add an enclave tag tag_id = ts.add_enclave_tag(report_id=report.id, name="triage", enclave_id=enclave_id) # logger.info the added enclave tag logger.info("\tId of new enclave tag %s\n" % tag_id) # add another enclave tag tag_id = ts.add_enclave_tag(report_id=report.id, name="resolved", enclave_id=enclave_id) # logger.info the added enclave tag logger.info("\tId of new enclave tag %s\n" % tag_id) # Get enclave tag info if do_get_enclave_tags: logger.info("Get enclave tags for report") tags = ts.get_enclave_tags(report.id) logger.info("\tEnclave tags for report %s\n" % report.id) logger.info(tags) # delete enclave tag by name if do_delete_enclave_tag: logger.info("Delete enclave tag from report") response = ts.delete_enclave_tag(report.id, tag_id) logger.info("\tDeleted enclave tag for report %s\n" % report.id) logger.info(response) # add it back ts.add_enclave_tag(report_id=report.id, name="triage", enclave_id=enclave_id) # List all enclave tags tags = ts.get_all_enclave_tags(enclave_ids=ts.enclave_ids) logger.info("List of enclave tags for enclave %s\n" % enclave_id) logger.info(tags) # Search report by tag logger.info("Getting reports tagged 'triage'.") reports = ts.get_reports(from_time=yesterday_time, to_time=current_time, enclave_ids=ts.enclave_ids, tag="triage") for report in reports: logger.info(report) except Exception as e: logger.error('Could not handle enclave tag operation, error: %s' % e) print('') # search for reports containing term "abc" if do_search_reports: try: logger.info("Searching reports:") reports = ts.search_reports("abc") for report in reports: logger.info(report) except Exception as e: logger.error("Could not search reports, error: %s" % e) print('') # search for indicators matching pattern "abc" if do_search_indicators: try: logger.info("Searching indicators:") indicators = ts.search_indicators("abc") for indicator in indicators: logger.info(indicator) except Exception as e: logger.error("Could not search indicators, error: %s" % e) print('') if do_redact_report: try: logger.info("Redacting report:") redacted_report = ts.redact_report(title="amazon phishing scam", report_body="apple, microsoft, and amazon suffered " "from a phishing scam via [email protected]") logger.info(redacted_report) except Exception as e: logger.error("Could not redact report, error: %s" % e) print('')
class TestReportSubmit: body = 'test body' title = 'test title' external_url = 'https://testurl.com' external_id = 'test_ext_id' def __init__( self, config_file_path, # type: str config_stanza): # type: (..., str) -> None configs = ConfigLoader.from_(config_file_path, config_stanza) # type: Dict configs = {k.lower(): v for k, v in configs.items()} configs[ 'client_metatag'] = TruStarGuardDutyLambdaHandler.CLIENT_METATAG self.ts = TruStar(config=configs) self.ts.logger.setLevel("DEBUG") """ ch = StreamHandler() ch.setLevel("DEBUG") self.ts.logger.addHandler(ch) """ self.enclave_id = configs['enclave_id'] def go(self): time_begans = [ '1577865600000', 1577865600456, '1577865600', 1577865601, '2020-02-01T00:00:01+00:00', '2020-02-01T00:00:01.12345+00:00', '2020-02-01T00:00:01.74839+00:00', #datetime.now() - timedelta(days=5) ] test_reports = [] # type: List[Report] for i, t in enumerate(time_begans): test_reports.append(self.build_test_report(i, t)) for r in test_reports: try: self.ts.delete_report(r.external_id, id_type=IdType.EXTERNAL) except: pass _ = self.ts.submit_report(r) logger.info("Sleeping 20 seconds.") sleep(20) for r in test_reports: report = self.ts.get_report_details( r.external_id, id_type=IdType.EXTERNAL) # type: Report if not report.body == r.body: logger.error("body") if not report.title == r.title: logger.error("title") if not report.external_url == r.external_url: logger.error("external_url") if not report.external_id == r.external_id: logger.error("external_id") if not report.time_began == r.time_began: logger.error("time_began submitted: '{}', retrieved: " "'{}'".format(r.time_began, report.time_began)) def build_test_report(self, i, time_began): r = Report() r.body = self.body r.title = self.title r.external_id = self.external_id + str(i) r.external_url = self.external_url r.enclave_ids = [self.enclave_id] #r.set_time_began(time_began) r.time_began = time_began return r