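def _do_http(self, method, path, **kwargs):
    """Issue an HTTP request to the configured ServiceNow instance.

    Args:
        method: HTTP verb handed straight to ``requests.request``.
        path: Resource path, joined onto ``self.config['instance_url']``.
        **kwargs: Extra ``requests`` options; ``auth``, ``proxies`` and
            ``verify`` computed here overwrite anything passed in.

    Returns:
        The decoded JSON body on a 2xx response, otherwise ``None`` (the
        failing status code is logged via ``qpylib.log``).
    """
    # Python 2/3 compatible import so proxy credentials can be URL-quoted.
    try:
        from urllib.parse import quote
    except ImportError:  # Python 2
        from urllib import quote

    options = dict(kwargs)
    crypto = CryptoUtils()
    config = ServiceNowConfiguration()
    url = urljoin(self.config['instance_url'], path)

    # Basic-auth credentials; the stored password is decrypted with the
    # key obtained from ServiceNowConfiguration.get_key().
    user = self.config.get('username', '')
    pwd = self.config.get('password', '')
    if pwd:
        pwd = crypto.decrypt(pwd, config.get_key())
    options["auth"] = (user, pwd)

    proxy_user = self.config.get('proxy_username', '')
    proxy_password = self.config.get('proxy_password', '')
    if proxy_password:
        proxy_password = crypto.decrypt(proxy_password, config.get_key())

    proxy_url = self.config.get('proxy_url', '').strip()
    if proxy_url:
        if "://" not in proxy_url:
            proxy_url = "http://{0}".format(proxy_url)
        if proxy_user and proxy_password:
            # Percent-encode the credentials so a ':', '@' or '/' in either
            # value cannot corrupt the authority part of the proxy URL, and
            # so braces in the URL itself are never fed to str.format.
            scheme, sep, rest = proxy_url.partition("://")
            proxy_url = "{0}{1}{2}:{3}@{4}".format(
                scheme, sep,
                quote(proxy_user, safe=''),
                quote(proxy_password, safe=''),
                rest)
        # NOTE: proxy_url now carries plaintext credentials; do not log
        # ``options`` as-is.
        options["proxies"] = {"http": proxy_url, "https": proxy_url}

    # 'accept_all_certs' disables TLS certificate verification for the
    # ServiceNow connection, exposing the Basic-auth credentials to an
    # on-path attacker; it should only be enabled for lab instances.
    options["verify"] = not self.config.get('accept_all_certs', False)

    resp = requests.request(method, url, **options)
    # Only 2xx is success; 300 is not.
    if resp.status_code < 200 or resp.status_code >= 300:
        qpylib.log('Encountered unsuccessful response code: {0}'.format(
            resp.status_code))
        return None
    return resp.json()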
def _do_post(self, resource, params):
    """POST ``params`` to ``resource`` through ``qpylib.REST``.

    ``self.headers`` is sent with the request. Returns the decoded JSON
    body when the status code is 200 or 201; any other status code is
    logged and ``None`` is returned.
    """
    reply = qpylib.REST('POST', resource, headers=self.headers, params=params)
    accepted = (200, 201)
    if reply.status_code not in accepted:
        qpylib.log('Encountered unsuccessful response code: {0}'.format(
            reply.status_code))
        return None
    return reply.json()
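def _to_security_incident(self, offense):
    """Build the ServiceNow incident payload for a QRadar ``offense``.

    Args:
        offense: Offense dict from QRadar; ``offense['id']`` is required,
            any other keys are whatever the configured templates reference.

    Returns:
        A dict of incident fields: the fixed correlation fields plus one
        entry per key in ``self.config['offense_map']``, each rendered from
        its template with ``offense`` in scope. A template that fails to
        render yields ``''`` for that key and the failure is logged.
    """
    offense_url = (
        'https://{0}/console/qradar/jsp/QRadar.jsp?appName=Sem&pageId=OffenseSummary&summaryId={1}'
        .format(qpylib.get_console_address(), offense['id']))
    incident_map = {
        'contact_type': 'siem',
        'correlation_id': offense['id'],
        'correlation_display': 'QRadar',
        'external_url': offense_url
    }
    # ``offense_map`` values are template source strings evaluated by
    # ``Template.render`` (presumably Jinja2) with the offense in scope, so
    # they must only ever come from trusted (admin) configuration.
    # ``items()`` works on both Python 2 and 3 (``iteritems`` is 2-only).
    for key, value in self.config['offense_map'].items():
        tpl = Template(value)
        try:
            formatted = tpl.render(offense=offense)
        except TemplateError:
            # Log the bare key; wrapping it in a list printed "['key']".
            qpylib.log(
                'Encountered error parsing QRadar value for key: {0}'.
                format(key))
            formatted = ''
        incident_map[key] = formatted
    return incident_map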
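def handle_auto_sync():
    """Background sync loop: create incidents and close offenses periodically.

    Runs until ``ctrl_event`` is set. Each iteration re-reads the
    ServiceNow configuration, waits ``auto_sync_frequency`` seconds
    (default 60), and skips the pass unless ``instance_url``, ``username``,
    ``password`` and ``svc_account_token`` are all present and truthy.
    It then, depending on configuration:

    * with ``auto_create_incidents`` and an ``incident_filter`` set, calls
      ``ServiceNow.create_incidents`` for offenses up to the current max
      offense id and persists that id as ``last_max``;
    * with ``auto_close_offenses`` set, passes the incidents returned by
      ``get_resolved_incidents`` to ``qradar.close_offenses``.

    Exceptions raised by either step are logged with a traceback and the
    loop continues.
    """
    while not ctrl_event.is_set():
        snconfig = ServiceNowConfiguration()
        snconfig.read_configuration()
        # The wait precedes the work, so the first sync happens one interval
        # after start; the wait returns early once ctrl_event is set
        # (ctrl_event is presumably a threading.Event - confirm).
        ctrl_event.wait(snconfig.config.get("auto_sync_frequency", 60))

        required = ('instance_url', 'username', 'password', 'svc_account_token')
        if not all(snconfig.config.get(name, False) for name in required):
            continue

        if (snconfig.config.get('auto_create_incidents')
                and snconfig.config.get('incident_filter')):
            try:
                qpylib.log("Checking for new offenses in QRadar")
                sn = ServiceNow(snconfig.config, use_svc_token=True)
                current_max = sn.qradar.get_max_offense_id(
                    snconfig.config.get('last_max', 0))
                inc = sn.create_incidents(current_max)
                # Re-read immediately before writing so the saved
                # configuration is the latest stored settings plus the new
                # high-water mark.
                snconfig.read_configuration()
                snconfig.config['last_max'] = current_max
                snconfig.save_configuration()
                if inc:
                    qpylib.log("Created {0} incidents".format(len(inc)))
                else:
                    qpylib.log("No incidents created")
            except Exception:
                # Narrowed from a bare except so KeyboardInterrupt/SystemExit
                # are not swallowed; sync errors are still logged, not raised.
                qpylib.log("Caught exception creating incidents: " +
                           str(sys.exc_info()[0]))
                qpylib.log(traceback.format_exc())

        if snconfig.config.get('auto_close_offenses'):
            try:
                qpylib.log(
                    "Checking for incidents recently closed in ServiceNow"
                )
                sn = ServiceNow(snconfig.config, use_svc_token=True)
                closed_incidents = sn.get_resolved_incidents()
                offenses_closed = sn.qradar.close_offenses(closed_incidents)
                if offenses_closed:
                    qpylib.log("Closed {0} offenses".format(
                        len(offenses_closed)))
                else:
                    qpylib.log("No offenses closed")
            except Exception:
                qpylib.log("Caught exception closing offenses: " +
                           str(sys.exc_info()[0]))
                qpylib.log(traceback.format_exc())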