def enable_import_findings_for_product(): test = Configurations.get_arn() try: aws_connection().enable_import_findings_for_product(ProductArn=test) except (aws_connection().exceptions.ResourceConflictException, botocore.exceptions.ReadTimeoutError) as exception: if type(exception) == botocore.exceptions.ReadTimeoutError: logger.error(exception) elif type(exception) == aws_connection( ).exceptions.ResourceConflictException: logger.info( 'Account Already has enabled import findings for this product')
def map_sql_to_asff(): try: event_list, partitions = get_events('AWSUpdateDate') if bool(partitions): event_list, partitions = get_events('AWSUpdateDate') findings = [] for partition in partitions: for row in event_list: policy_events = execute_policy_events(partition, row[0]) for policy in policy_events: extra_data_sql = ExtraData() event_data = query_events(partition, row[0]) service_id = event_data[0].SERVICE_ID source_id = event_data[0].SOURCE_ID user_data = query_users(source_id) domain_id = user_data[0].DOMAIN_ID services_data = query_services(service_id) destination_data = query_destinations_users( partition, row[0]) asff_date = __iso8601_format( json.dumps(event_data[0].INSERT_DATE, indent=4, sort_keys=True, default=str)[1:-4]) findings_object = Finding() findings_object.GeneratorId = str(event_data[0].ID) findings_object.AwsAccountId = Configurations.get_configurations( )['AwsAccountId'][:12] findings_object.CreatedAt = asff_date findings_object.Description = event_data[ 0].SUBJECT or "Description Not found" network_object = Network() network_object.Protocol = services_data[ 0].PROTOCOL_ID.split("_")[1] if domain_id is not None: network_object.SourceDomain = query_domains( domain_id)[0].NAME else: network_object.SourceDomain = 'none' network_object.SourceIpV4 = user_data[0].IP network_object.SourcePort = event_data[0].PORT if destination_data[0][0].DOMAIN_ID is not None: network_object.DestinationDomain = query_domains( destination_data[0][0].DOMAIN_ID)[0].NAME else: network_object.DestinationDomain = 'none' network_object.DestinationIpV4 = destination_data[0][ 0].IP network_object.DestinationPort = destination_data[0][ 0].PORT findings_object.ProductArn = Configurations.get_arn() related_findings_object = RelatedFinding() related_findings_object.Id = event_data[0].EXTERNAL_ID related_findings_object.ProductArn = Configurations.get_arn( ) findings_object.SchemaVersion = '2018-10-08' findings_object.Title = 'Forcepoint DLP Incident' findings_object.Types = [ 'Sensitive Data Identifications/Security/ForcepointDLP' ] findings_object.UpdatedAt = asff_date resource_object = Resource() details_object = Details() product_fields_object = ProductFields() product_fields_object.ForcepointDLPSourceIP = user_data[ 0].IP product_fields_object.Text = services_data[ 0].CHANNEL_NAME product_fields_object.UpdatedAt = asff_date product_fields_object.UpdatedBy = services_data[ 0].AGENT_NAME extra_data_sql.extra_data_handler([ query_policy_categories( policy.POLICY_CATEGORY_ID)[0].NAME ], 'RuleName') extra_data_sql.extra_data_handler([user_data[0].EMAIL], 'SourceEmail') extra_data_sql.extra_data_handler( [user_data[0].EXTRA_DATA], 'SourceExtraData') extra_data_sql.extra_data_handler( [user_data[0].FULL_NAME], 'SourceFullName') extra_data_sql.extra_data_handler( [user_data[0].HOSTNAME], 'SourceHostname') extra_data_sql.extra_data_handler( [user_data[0].LOGIN_NAME], 'SourceLoginName') # extra_data_sql.extra_data_handler([user_data[0].Username], 'SourceUsername') for i in range(len(destination_data)): extra_data_sql.extra_data_handler( [destination_data[i][0].COMMON_NAME], 'DestinationCommonName') # user_defined_extras['DestinationUsername.' + str(i + 1)] extra_data_sql.extra_data_handler( [destination_data[i][0].HOSTNAME], 'DestinationHostname') extra_data_sql.extra_data_handler( [destination_data[i][0].EMAIL], 'DestinationEmail') extra_data_sql.extra_data_handler( [destination_data[i][0].EXTRA_DATA], 'DestinationExtraData') if i >= 1: if destination_data[i][ 0].DOMAIN_ID is not None: extra_data_sql.extra_data_handler([ query_domains(destination_data[i] [0].DOMAIN_ID)[0].NAME ], 'DestinationDomain') else: network_object.DestinationDomain = 'none' extra_data_sql.extra_data_handler( [destination_data[i][0].IP], 'DestinationIpV4') extra_data_sql.extra_data_handler( [destination_data[i][0].PORT], 'DestinationPort') resource_object.Type = 'Forcepoint DLP' resource_object.Details = details_object.__dict__ severity_object = Severity() findings_object.Id = 'incident_Id-%s-rule_id-%s' % ( row[0], policy[0]) severity_object.Normalized = policy.SEVERITY severity_object.Product = policy.SEVERITY severity_object.Label = 'none' resource_object.Id = str( query_policy_categories( policy.POLICY_CATEGORY_ID)[0].ID) findings_object.Resources = [resource_object.__dict__] findings_object.Severity = severity_object.__dict__ findings_object.Network = network_object.__dict__ findings_object.RelatedFindings = [ related_findings_object.__dict__ ] details_object.Other = product_fields_object.__dict__ details_other = extra_data_sql.take(50) details_object.Other.update(details_other) extra_data_sql.remove_dups(details_other) product_fields = extra_data_sql.take(50) findings_object.ProductFields = product_fields findings.append(findings_object.__dict__) asff_object = JsonFormatClass() asff_object.findings = findings cleaned_findings = remove_null_items(asff_object.findings) for i in range(len(cleaned_findings)): pos = i - 1 if cleaned_findings[pos]['Severity']['Normalized']: if not (Configurations.get_configurations( )[__normalized_severity_from_db( cleaned_findings[pos]['Severity']['Normalized'])]): del cleaned_findings[pos] for i in range(len(cleaned_findings)): cleaned_findings[i]['Severity']['Label'] = __severity_label( cleaned_findings[i]['Severity']['Normalized']) cleaned_findings[i]['Severity']['Normalized'] = ( __normalized_severity( __normalized_severity_from_db( cleaned_findings[i]['Severity']['Normalized']))) if cleaned_findings.__len__() >= 1: date_time_obj = datetime.datetime.strptime( cleaned_findings[-1]["CreatedAt"], '%Y-%m-%dT%H:%M:%SZ') offset_time = date_time_obj + datetime.timedelta(seconds=1) return cleaned_findings, str(offset_time) return cleaned_findings, None else: return None, 'None' except Exception as e: raise e
def map_xml_to_asff(event): findings_array_length = int(event['evt:event']['evt:rules']['evt:Count']) findings = [] keys = Configurations() for i in range(findings_array_length): extra_data = ExtraData() findings_object = Finding() findings_object.GeneratorId = event['evt:event']['evt:event_info'][ 'evt:incidentId'] findings_object.AwsAccountId = keys.get_configurations( )['AwsAccountId'][:12] findings_object.CreatedAt = __iso8601_format( event['evt:event']['evt:event_info']['evt:insert_date']) findings_object.Description = event['evt:event']['evt:event_info'][ 'evt:subject'] or "Description Not found" network_object = Network() network_object.Protocol = event['evt:event']['evt:event_info'][ 'evt:channel']['evt:protocol'].split("_")[1] network_object.SourceDomain = event['evt:event']['evt:event_info'][ 'evt:source']['evt:event_user']['evt:domain'] network_object.SourceIpV4 = event['evt:event']['evt:event_info'][ 'evt:source']['evt:event_user']['evt:ip'] network_object.SourcePort = event['evt:event']['evt:event_info'][ 'evt:source']['evt:event_user']['evt:port'] findings_object.ProductArn = keys.get_arn() related_findings_object = RelatedFinding() related_findings_object.Id = event['evt:event']['evt:event_info'][ 'evt:eventId'][:512] related_findings_object.ProductArn = keys.get_arn() findings_object.RelatedFindings = [related_findings_object.__dict__] findings_object.SchemaVersion = '2018-10-08' findings_object.Title = 'Forcepoint DLP Incident' findings_object.Types = [ 'Sensitive Data Identifications/Security/ForcepointDLP' ] findings_object.UpdatedAt = __iso8601_format( event['evt:event']['evt:event_info']['evt:insert_date']) resource_object = Resource() details_object = Details() product_fields_object = ProductFields() product_fields_object.ForcepointDLPSourceIP = \ event['evt:event']['evt:event_info']['evt:source']['evt:event_user']['evt:ip'] product_fields_object.Text = event['evt:event']['evt:event_info'][ 'evt:channel']['evt:service_name'] product_fields_object.UpdatedAt = __iso8601_format( event['evt:event']['evt:event_info']['evt:insert_date']) product_fields_object.UpdatedBy = event['evt:event']['evt:event_info'][ 'evt:channel']['evt:agent_name'] extra_data.extra_data_handler([ event['evt:event']['evt:event_info']['evt:source'] ['evt:event_user']['evt:email'] ], 'SourceEmail') extra_data.extra_data_handler([ event['evt:event']['evt:event_info']['evt:source'] ['evt:event_user']['evt:extra_data'] ], 'SourceExtraData') extra_data.extra_data_handler([ event['evt:event']['evt:event_info']['evt:source'] ['evt:event_user']['evt:full_name'] ], 'SourceFullName') extra_data.extra_data_handler([ event['evt:event']['evt:event_info']['evt:source'] ['evt:event_user']['evt:hostname'] ], 'SourceHostname') extra_data.extra_data_handler([ event['evt:event']['evt:event_info']['evt:source'] ['evt:event_user']['evt:login_name'] ], 'SourceLoginName') extra_data.extra_data_handler([ event['evt:event']['evt:event_info']['evt:source'] ['evt:event_user']['evt:username'] ], 'SourceUsername') network_destinations_object, extra_data = destinations_mapping( event, extra_data) network_object.__dict__.update(network_destinations_object) details_object.Other = product_fields_object.__dict__ resource_object.Type = 'Other' resource_object.Details = details_object.__dict__ severity_object = Severity() if int((event['evt:event']['evt:rules']['evt:Count'])) == 1: findings_object.Id = 'incident_Id:' + event['evt:event']['evt:event_info']['evt:incidentId'][ :512] + '-rule_id:' + \ event['evt:event']['evt:rules']['evt:rule']['evt:rule_id'] severity_object.Normalized = event['evt:event']['evt:rules'][ 'evt:rule']['evt:severity'] or 'LOW' resource_object.Id = event['evt:event']['evt:rules']['evt:rule'][ 'evt:policy_name'] extra_data.extra_data_handler([ event['evt:event']['evt:rules']['evt:rule']['evt:rule_name'] [:512] ], 'RuleName') elif int(event['evt:event']['evt:rules']['evt:Count']) > 1: findings_object.Id = 'incident_Id:' + event['evt:event']['evt:event_info']['evt:incidentId'][ :512] + '-rule_id:' + \ event['evt:event']['evt:rules']['evt:rule'][i]['evt:rule_id'] severity_object.Normalized = event['evt:event']['evt:rules'][ 'evt:rule'][i]['evt:severity'] or 'LOW' resource_object.Id = event['evt:event']['evt:rules']['evt:rule'][ i]['evt:policy_name'] extra_data.extra_data_handler([ event['evt:event']['evt:rules']['evt:rule'][i]['evt:rule_name'] [:512] ], 'Rule_name') findings_object.Severity = severity_object.__dict__ details_object.Other.update(extra_data.extra_data_storage) findings_object.Network = network_object.__dict__ findings_object.Resources = [resource_object.__dict__] findings.append(findings_object.__dict__) asff_object = JsonFormatClass() asff_object.findings = findings cleaned_findings = remove_null_items(asff_object.findings) for finding in cleaned_findings: i = 0 if finding['Severity']['Normalized']: if not (keys.get_configurations()[finding['Severity'] ['Normalized']]): del cleaned_findings[i] i += 1 for i in range(len(cleaned_findings)): cleaned_findings[i]['Severity']['Normalized'] = (__normalized_severity( cleaned_findings[i]['Severity']['Normalized'])) return cleaned_findings