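def main():
    """Entry point for the ``pancontentpack`` search command.

    Expects two positional arguments from the Splunk search bar: the
    hostname of the Palo Alto Networks device and a content type, either
    ``apps`` or ``threats``.  The predefined content is fetched from the
    device, parsed into rows and written back to Splunk as results.

    Exits via ``common.exit_with_error`` when the device cannot be reached
    or rejects the request (``pan.xapi.PanXapiError``).
    """
    # Get arguments
    args, kwargs = splunk.Intersplunk.getKeywordsAndOptions()

    # Enable debugging by passing 'debug=yes' as an argument of
    # the command on the Splunk searchbar.
    debug = common.check_debug(kwargs)

    # NOTE(review): usage() is assumed to exit; if it returns, args[1]
    # below raises IndexError for a short argument list.
    if len(args) < 2:
        logger.error("pancontentpack: Wrong number of arguments: %s, expected 2.\n" % len(args))
        usage()

    if args[1] == "apps":
        logger.info("Getting apps from content pack on Palo Alto Networks device at %s..." % args[0])
    elif args[1] == "threats":
        logger.info("Getting threats from content pack on Palo Alto Networks device at %s..." % args[0])
    else:
        usage()

    # Results contains the data from the search results and settings
    # contains the sessionKey that we can use to talk to Splunk
    # Ignore the results
    results, unused1, settings = splunk.Intersplunk.getOrganizedResults()

    # Get the sessionKey
    sessionKey = settings['sessionKey']

    log(debug, "Begin get API key")
    # Get the API key from the Splunk store or from the device at hostname if no apikey is stored
    apikey = common.apikey(sessionKey, args[0], debug)

    device = pandevice.base.PanDevice(args[0], api_key=apikey)

    try:
        # refresh_system_info() talks to the device, so it belongs inside the
        # try: an unreachable host or a rejected API key used to surface as an
        # uncaught exception instead of the clean error path below.
        device.refresh_system_info()
        if args[1] == "apps":
            device.xapi.get("/config/predefined/application")
            app_xml = device.xapi.xml_document
            csv = parse_apps(app_xml)
        else:
            # PAN-OS 8.0 and later expose the predefined threats through an
            # op command rather than the config tree.
            # NOTE(review): _version_info is a private pandevice attribute;
            # confirm a public equivalent before upgrading the library.
            if device._version_info >= (8, 0, 0):
                threat_xml = device.op(
                    'show predefined xpath "/predefined/threats"',
                    xml=True,
                    cmd_xml=True,
                )
            else:
                device.xapi.get("/config/predefined/threats")
                threat_xml = device.xapi.xml_document
            csv = parse_threats(threat_xml)
    except pan.xapi.PanXapiError as e:
        common.exit_with_error(str(e))

    # output results
    splunk.Intersplunk.outputResults(csv)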
def main():
    """Run the ``pancontentpack`` search command.

    Positional arguments from the search bar: the device hostname and a
    content type, ``apps`` or ``threats``.  The matching predefined content
    is read from the device's config tree, parsed to rows and emitted as
    Splunk results.  A ``pan.xapi.PanXapiError`` from the device ends the
    command through ``common.exit_with_error``.
    """
    args, kwargs = splunk.Intersplunk.getKeywordsAndOptions()
    # 'debug=yes' on the search bar turns on verbose logging.
    debug = common.check_debug(kwargs)

    if len(args) < 2:
        logger.error(
            "pancontentpack: Wrong number of arguments: %s, expected 2.\n" % len(args))
        usage()

    hostname = args[0]
    content_type = args[1]
    if content_type == "apps":
        logger.info(
            "Getting apps from content pack on Palo Alto Networks device at %s..." % hostname)
    elif content_type == "threats":
        logger.info(
            "Getting threats from content pack on Palo Alto Networks device at %s..." % hostname)
    else:
        usage()

    # Only the settings are needed here (for the sessionKey); the piped-in
    # results are ignored.
    _results, _unused, settings = splunk.Intersplunk.getOrganizedResults()
    session_key = settings['sessionKey']

    log(debug, "Begin get API key")
    # Stored key from Splunk, or one obtained from the device if none is stored.
    apikey = common.apikey(session_key, hostname, debug)
    device = pandevice.base.PanDevice(hostname, api_key=apikey)

    # Pick the config xpath and the parser for the requested content type.
    if content_type == "apps":
        xpath, parse = "/config/predefined/application", parse_apps
    else:
        xpath, parse = "/config/predefined/threats", parse_threats

    try:
        device.xapi.get(xpath)
        csv = parse(device.xapi.xml_document)
    except pan.xapi.PanXapiError as e:
        common.exit_with_error(str(e))

    splunk.Intersplunk.outputResults(csv)
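def parse(self, skey, req):
    """Read the pcap request parameters and resolve the device API key.

    Args:
        skey: Splunk session key, stored on the instance and used to look
            up the API key.
        req: request mapping; ``req['query']`` must carry ``host``,
            ``stime`` and ``pid``, and may carry ``serial``.

    Raises:
        KeyError: a required query parameter is missing.
        ValueError: ``pid`` is not a positive integer.
    """
    # Initialize all config.
    self.skey = skey
    query = req['query']
    self.hostname = query['host']
    self.search_time = query['stime']
    self.serial = query.get('serial', None)

    # Query-string values presumably arrive as strings; comparing a string
    # with 0 raises TypeError on Python 3 (and is never true on Python 2),
    # so the ID is coerced to int before the range check.
    raw_pcap_id = query['pid']
    try:
        self.pcap_id = int(raw_pcap_id)
    except (TypeError, ValueError):
        raise ValueError('{0} is not a valid pcap ID'.format(raw_pcap_id))
    if self.pcap_id <= 0:
        raise ValueError('{0} is not a valid pcap ID'.format(raw_pcap_id))

    self.api_key = common.apikey(self.skey, self.hostname)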
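def main_splunk():
    """Entry point for the ``pantag`` search command.

    Registers or unregisters tags on IP addresses or users through the
    User-ID API of a single firewall, or of many firewalls via Panorama,
    for every result piped into the command.  Each result gets a
    ``status`` field saying whether its request was batched.

    API calls happen only in ``batch_end()`` at the end; a
    ``pan.xapi.PanXapiError`` (or any other exception) there ends the
    command through ``common.exit_with_error``.
    """
    # Get arguments
    args, kwargs = splunk.Intersplunk.getKeywordsAndOptions()

    # Enable debugging by passing 'debug=yes' as an argument of
    # the command on the Splunk searchbar.
    debug = common.check_debug(kwargs)

    # kwargs contains important parameters.
    # parameters from splunk searchbar include:
    #   action, device, panorama, serial, vsys, tag, tag_field,
    #   ip_field, user_field, field (legacy), debug

    # Verify required args were passed to command
    log(debug, "Determining if required arguments are present")
    if 'device' not in kwargs and 'panorama' not in kwargs:
        common.exit_with_error("Missing required command argument: device or panorama", 3)
    if 'tag' not in kwargs and 'tag_field' not in kwargs:
        common.exit_with_error("Missing required command argument: tag or tag_field", 3)

    # Assign defaults to fields that aren't specified
    action = kwargs['action'] if 'action' in kwargs else "addip"
    vsys = kwargs['vsys'] if 'vsys' in kwargs else None
    ip_field = kwargs['ip_field'] if 'ip_field' in kwargs else "src_ip"
    user_field = kwargs['user_field'] if 'user_field' in kwargs else "src_user"
    # Support 'field' argument (legacy syntax)
    if 'field' in kwargs and not 'ip_field' in kwargs:
        ip_field = kwargs['field']
    tag = kwargs['tag'] if 'tag' in kwargs else None
    tag_field = kwargs['tag_field'] if 'tag_field' in kwargs else None

    # Fail closed on an unknown action: previously nothing was batched for
    # it, yet every result was still marked "Submitted successfully".
    known_actions = ("add", "addip", "remove", "removeip", "adduser", "removeuser")
    if action not in known_actions:
        common.exit_with_error("Unknown action: %s" % action, 3)

    # Determine if device hostname or serial was provided as argument or should be pulled from entries
    log(debug, "Determining how firewalls should be contacted based on arguments")
    use_panorama = False
    hostname = None
    serial = None
    if "device" in kwargs:
        hostname = kwargs['device']
        if vsys is None:
            vsys = "vsys1"
    elif "panorama" in kwargs:
        use_panorama = True
        hostname = kwargs['panorama']
        if "serial" in kwargs:
            serial = kwargs['serial']
            if vsys is None:
                vsys = "vsys1"
    else:
        common.exit_with_error("Missing required command argument: device or panorama", 3)
    log(debug, "Use Panorama: %s" % use_panorama)
    log(debug, "VSys: %s" % vsys)
    log(debug, "Hostname: %s" % hostname)
    if use_panorama and serial is not None:
        log(debug, "Device Serial: %s" % serial)
    else:
        log(debug, "Using serials from logs")

    # Results contains the data from the search results and settings
    # contains the sessionKey that we can use to talk to Splunk
    results, unused1, settings = splunk.Intersplunk.getOrganizedResults()

    # Get the sessionKey
    sessionKey = settings['sessionKey']

    log(debug, "Begin get API key")
    # Get the API key from the Splunk store or from the device at hostname if no apikey is stored
    apikey = common.apikey(sessionKey, hostname, debug)

    # Create the connection to the firewall or Panorama.
    # 'firewall' maps either the single key 'firewall' or (serial, vsys)
    # tuples to Firewall objects, each with an open User-ID batch.
    panorama = None
    if use_panorama:
        # For Panorama, create the Panorama object, and the firewall if only one serial
        panorama = Panorama(hostname, api_key=apikey)
        if serial is not None:
            firewall = {'firewall': Firewall(serial=serial, vsys=vsys)}
            panorama.add(firewall['firewall'])
            firewall['firewall'].userid.batch_start()
        else:
            firewall = {}
    else:
        firewall = {'firewall': Firewall(hostname, api_key=apikey, vsys=vsys)}
        firewall['firewall'].userid.batch_start()

    # Collect all the ip addresses and tags into firewall batch requests
    for result in results:
        ## Find the serial (if not a single firewall)
        if use_panorama and serial is None:
            try:
                this_serial = result['serial_number']
                this_vsys = result['vsys']
            except KeyError:
                result['status'] = "ERROR: Unable to determine serial number or vsys of device"
                continue
            ## Create the firewall object if using multiple serials.
            # The dict is keyed by (serial, vsys); the old membership test on
            # the bare serial never matched, so every result replaced the
            # Firewall object for its key and only the last batched request
            # per firewall survived to batch_end().
            fw_key = (this_serial, this_vsys)
            if fw_key in firewall:
                this_firewall = firewall[fw_key]
            else:
                # Create the firewall object for this serial
                this_firewall = Firewall(serial=this_serial, vsys=this_vsys)
                firewall[fw_key] = this_firewall
                panorama.add(this_firewall)
                this_firewall.userid.batch_start()
        else:
            this_firewall = firewall['firewall']

        ## Find the tag (if a tag_field was specified)
        this_tag = []
        if tag_field is not None:
            try:
                this_tag.append(result[tag_field])
            except KeyError:
                result['status'] = "ERROR: Unable to determine tag from field: %s" % tag_field
                continue
        if tag is not None:
            this_tag.append(tag)

        ## Find the field holding the value to tag (user or IP).
        if action in ("adduser", "removeuser"):
            value_field = user_field
        else:
            value_field = ip_field
        try:
            this_field = result[value_field]
        except KeyError:
            # The old message formatted this_field, which is unbound on this
            # path, and the loop then fell through with a stale value.
            result['status'] = "ERROR: Unable to determine value from field: %s" % value_field
            continue

        # NOTE(review): the value is passed to the User-ID API as found in
        # the search result; the firewall is relied on to reject malformed
        # entries - consider validating ip_field values before batching.

        ## Create a request in the batch user-id update for the firewall
        ## No API call to the firewall happens until all batch requests are created.
        if action in ("add", "addip"):
            log(debug, "Registering tags on firewall %s: %s - %s" % (this_firewall, this_field, this_tag))
            this_firewall.userid.register(this_field, this_tag)
        elif action in ("remove", "removeip"):
            log(debug, "Unregistering tags on firewall %s: %s - %s" % (this_firewall, this_field, this_tag))
            this_firewall.userid.unregister(this_field, this_tag)
        elif action == "adduser":
            log(debug, "Registering tags on firewall %s: %s - %s" % (this_firewall, this_field, this_tag))
            this_firewall.userid.tag_user(this_field, this_tag)
        elif action == "removeuser":
            log(debug, "Unregistering tags on firewall %s: %s - %s" % (this_firewall, this_field, this_tag))
            this_firewall.userid.untag_user(this_field, this_tag)
        result['status'] = "Submitted successfully"

    ## Make the API calls to the User-ID API of each firewall
    try:
        for fw in list(firewall.values()):
            fw.userid.batch_end()
    except pan.xapi.PanXapiError as e:
        common.exit_with_error(str(e))
    except Exception as e:
        common.exit_with_error(str(e))

    # output results
    splunk.Intersplunk.outputResults(results)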
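def main_splunk():
    """Entry point for the ``panuserupdate`` search command.

    Sends a User-ID login or logout event (user to IP mapping) to one
    firewall, directly or through Panorama, for every result piped into
    the command, and annotates each result with a ``status`` field.

    Requests are queued in a User-ID batch and sent in ``batch_end()``;
    any exception there ends the command via ``common.exit_with_error``.
    """
    # Get arguments
    args, kwargs = splunk.Intersplunk.getKeywordsAndOptions()

    # Enable debugging by passing 'debug=yes' as an argument of
    # the command on the Splunk searchbar.
    debug = common.check_debug(kwargs)

    # kwargs contains important parameters.
    # parameters from splunk searchbar include:
    #   action, device, panorama, serial, vsys, user_field, ip_field, debug

    # Verify required args were passed to command
    log(debug, "Determining if required arguments are present")
    if "device" not in kwargs and "panorama" not in kwargs:
        common.exit_with_error("Missing required command argument: device or panorama", 3)
    if "panorama" in kwargs and "serial" not in kwargs:
        common.exit_with_error("Found 'panorama' arguments, but missing 'serial' argument", 3)

    # Assign defaults to fields that aren't specified
    action = kwargs["action"] if "action" in kwargs else "login"
    vsys = kwargs["vsys"] if "vsys" in kwargs else "vsys1"
    ip_field = kwargs["ip_field"] if "ip_field" in kwargs else "src_ip"
    # The documented argument is user_field, but it was read from tag_field,
    # so a user_field=... on the search bar was silently ignored.  tag_field
    # is kept as a fallback so existing searches keep working.
    if "user_field" in kwargs:
        user_field = kwargs["user_field"]
    elif "tag_field" in kwargs:
        user_field = kwargs["tag_field"]
    else:
        user_field = "user"

    # Determine if device hostname or serial was provided as argument or should be pulled from entries
    log(debug, "Determining how firewalls should be contacted based on arguments")
    use_panorama = False
    hostname = None
    serial = None
    if "device" in kwargs:
        hostname = kwargs["device"]
    elif "panorama" in kwargs:
        use_panorama = True
        hostname = kwargs["panorama"]
        serial = kwargs["serial"]
    else:
        common.exit_with_error("Missing required command argument: device or panorama", 3)
    log(debug, "Use Panorama: %s" % use_panorama)
    log(debug, "VSys: %s" % vsys)
    log(debug, "Hostname: %s" % hostname)
    if use_panorama and serial is not None:
        log(debug, "Device Serial: %s" % serial)

    # Results contains the data from the search results and settings
    # contains the sessionKey that we can use to talk to Splunk
    results, unused1, settings = splunk.Intersplunk.getOrganizedResults()

    # Get the sessionKey
    sessionKey = settings["sessionKey"]

    log(debug, "Begin get API key")
    # Get the API key from the Splunk store or from the device at hostname if no apikey is stored
    apikey = common.apikey(sessionKey, hostname, debug)

    # Create the connection to the firewall or Panorama
    panorama = None
    if use_panorama:
        # For Panorama, create the Panorama object, and the firewall object
        panorama = Panorama(hostname, api_key=apikey)
        firewall = Firewall(panorama=panorama, serial=serial, vsys=vsys)
    else:
        # No Panorama, so just create the firewall object
        firewall = Firewall(hostname, api_key=apikey, vsys=vsys)
    # Queue User-ID requests locally until batch_end() below.
    firewall.userid.batch_start()

    # Collect all the ip addresses and users into firewall batch requests
    for result in results:
        ## Find the user
        try:
            this_user = result[user_field]
        except KeyError:
            result["status"] = "ERROR: Unable to determine user from field: %s" % user_field
            continue
        ## Find the IP
        try:
            this_ip = result[ip_field]
        except KeyError:
            result["status"] = "ERROR: Unable to determine ip from field: %s" % ip_field
            # Without this continue the loop fell through and reused the IP
            # of the previous result (or raised UnboundLocalError on the first),
            # mapping this user to the wrong address.
            continue

        ## Create a request in the batch user-id update for the firewall
        ## No API call to the firewall happens until all batch requests are created.
        # Any action other than "login" is treated as a logout.
        if action == "login":
            log(debug, "Login event on firewall %s: %s - %s" % (firewall, this_ip, this_user))
            firewall.userid.login(this_user, this_ip)
        else:
            log(debug, "Logout event on firewall %s: %s - %s" % (firewall, this_ip, this_user))
            firewall.userid.logout(this_user, this_ip)
        result["status"] = "Submitted successfully"

    ## Make the API calls to the User-ID API of each firewall
    try:
        firewall.userid.batch_end()
    except pan.xapi.PanXapiError as e:
        common.exit_with_error(str(e))
    except Exception as e:
        common.exit_with_error(str(e))

    # output results
    splunk.Intersplunk.outputResults(results)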
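def main_splunk():
    """Entry point for the ``pantag`` search command.

    Registers (``action=add``) or unregisters (any other action) tags on
    the IP address found in each piped-in result, through the User-ID API
    of a single firewall or of many firewalls via Panorama.  Each result
    gets a ``status`` field saying whether its request was batched.

    API calls happen only in ``batch_end()`` at the end; a
    ``pan.xapi.PanXapiError`` (or any other exception) there ends the
    command through ``common.exit_with_error``.
    """
    # Get arguments
    args, kwargs = splunk.Intersplunk.getKeywordsAndOptions()

    # Enable debugging by passing 'debug=yes' as an argument of
    # the command on the Splunk searchbar.
    debug = common.check_debug(kwargs)

    # kwargs contains important parameters.
    # parameters from splunk searchbar include:
    #   action, device, panorama, serial, vsys, tag, tag_field,
    #   ip_field, field (legacy), debug

    # Verify required args were passed to command
    log(debug, "Determining if required arguments are present")
    if 'device' not in kwargs and 'panorama' not in kwargs:
        common.exit_with_error("Missing required command argument: device or panorama", 3)
    if 'tag' not in kwargs and 'tag_field' not in kwargs:
        common.exit_with_error("Missing required command argument: tag or tag_field", 3)

    # Assign defaults to fields that aren't specified
    action = kwargs['action'] if 'action' in kwargs else "add"
    vsys = kwargs['vsys'] if 'vsys' in kwargs else None
    ip_field = kwargs['ip_field'] if 'ip_field' in kwargs else "src_ip"
    # Support 'field' argument (legacy syntax)
    if 'field' in kwargs and not 'ip_field' in kwargs:
        ip_field = kwargs['field']
    tag = kwargs['tag'] if 'tag' in kwargs else None
    tag_field = kwargs['tag_field'] if 'tag_field' in kwargs else None

    # Determine if device hostname or serial was provided as argument or should be pulled from entries
    log(debug, "Determining how firewalls should be contacted based on arguments")
    use_panorama = False
    hostname = None
    serial = None
    if "device" in kwargs:
        hostname = kwargs['device']
        if vsys is None:
            vsys = "vsys1"
    elif "panorama" in kwargs:
        use_panorama = True
        hostname = kwargs['panorama']
        if "serial" in kwargs:
            serial = kwargs['serial']
            if vsys is None:
                vsys = "vsys1"
    else:
        common.exit_with_error("Missing required command argument: device or panorama", 3)
    log(debug, "Use Panorama: %s" % use_panorama)
    log(debug, "VSys: %s" % vsys)
    log(debug, "Hostname: %s" % hostname)
    if use_panorama and serial is not None:
        log(debug, "Device Serial: %s" % serial)
    else:
        log(debug, "Using serials from logs")

    # Results contains the data from the search results and settings
    # contains the sessionKey that we can use to talk to Splunk
    results, unused1, settings = splunk.Intersplunk.getOrganizedResults()

    # Get the sessionKey
    sessionKey = settings['sessionKey']

    log(debug, "Begin get API key")
    # Get the API key from the Splunk store or from the device at hostname if no apikey is stored
    apikey = common.apikey(sessionKey, hostname, debug)

    # Create the connection to the firewall or Panorama.
    # 'firewall' maps either the single key 'firewall' or (serial, vsys)
    # tuples to Firewall objects, each with an open User-ID batch.
    panorama = None
    if use_panorama:
        # For Panorama, create the Panorama object, and the firewall if only one serial
        panorama = Panorama(hostname, api_key=apikey)
        if serial is not None:
            firewall = {'firewall': Firewall(panorama=panorama, serial=serial, vsys=vsys)}
            firewall['firewall'].userid.batch_start()
        else:
            firewall = {}
    else:
        firewall = {'firewall': Firewall(hostname, api_key=apikey, vsys=vsys)}
        firewall['firewall'].userid.batch_start()

    # Collect all the ip addresses and tags into firewall batch requests
    for result in results:
        ## Find the serial (if not a single firewall)
        if use_panorama and serial is None:
            try:
                this_serial = result['serial_number']
                this_vsys = result['vsys']
            except KeyError:
                result['status'] = "ERROR: Unable to determine serial number or vsys of device"
                continue
            ## Create the firewall object if using multiple serials.
            # The dict is keyed by (serial, vsys); the old membership test on
            # the bare serial never matched, so every result replaced the
            # Firewall object for its key and only the last batched request
            # per firewall survived to batch_end().
            fw_key = (this_serial, this_vsys)
            if fw_key in firewall:
                this_firewall = firewall[fw_key]
            else:
                # Create the firewall object for this serial
                this_firewall = Firewall(panorama=panorama, serial=this_serial, vsys=this_vsys)
                firewall[fw_key] = this_firewall
                this_firewall.userid.batch_start()
        else:
            this_firewall = firewall['firewall']

        ## Find the tag (if a tag_field was specified)
        this_tag = []
        if tag_field is not None:
            try:
                this_tag.append(result[tag_field])
            except KeyError:
                result['status'] = "ERROR: Unable to determine tag from field: %s" % tag_field
                continue
        if tag is not None:
            this_tag.append(tag)

        ## Find the IP
        try:
            this_ip = result[ip_field]
        except KeyError:
            result['status'] = "ERROR: Unable to determine ip from field: %s" % ip_field
            # Without this continue the loop fell through and tagged the IP
            # of the previous result again (or raised UnboundLocalError on the
            # first result).
            continue

        ## Create a request in the batch user-id update for the firewall
        ## No API call to the firewall happens until all batch requests are created.
        # Any action other than "add" unregisters the tags.
        if action == "add":
            log(debug, "Registering tags on firewall %s: %s - %s" % (this_firewall, this_ip, this_tag))
            this_firewall.userid.register(this_ip, this_tag)
        else:
            log(debug, "Unregistering tags on firewall %s: %s - %s" % (this_firewall, this_ip, this_tag))
            this_firewall.userid.unregister(this_ip, this_tag)
        result['status'] = "Submitted successfully"

    ## Make the API calls to the User-ID API of each firewall
    try:
        for fw in firewall.values():
            fw.userid.batch_end()
    except pan.xapi.PanXapiError as e:
        common.exit_with_error(str(e))
    except Exception as e:
        common.exit_with_error(str(e))

    # output results
    splunk.Intersplunk.outputResults(results)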
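def main_splunk():
    """Entry point for the ``panuserupdate`` search command.

    Sends a User-ID login (``action=login``) or logout (any other action)
    event mapping a user to an IP address, for every result piped into the
    command, to one firewall reached directly or through Panorama.  Each
    result is annotated with a ``status`` field.

    Requests are queued in a User-ID batch and sent in ``batch_end()``;
    any exception there ends the command via ``common.exit_with_error``.
    """
    # Get arguments
    args, kwargs = splunk.Intersplunk.getKeywordsAndOptions()

    # Enable debugging by passing 'debug=yes' as an argument of
    # the command on the Splunk searchbar.
    debug = common.check_debug(kwargs)

    # kwargs contains important parameters.
    # parameters from splunk searchbar include:
    #   action, device, panorama, serial, vsys, user_field, ip_field, debug

    # Verify required args were passed to command
    log(debug, "Determining if required arguments are present")
    if 'device' not in kwargs and 'panorama' not in kwargs:
        common.exit_with_error(
            "Missing required command argument: device or panorama", 3)
    if 'panorama' in kwargs and 'serial' not in kwargs:
        common.exit_with_error(
            "Found 'panorama' arguments, but missing 'serial' argument", 3)

    # Assign defaults to fields that aren't specified
    action = kwargs['action'] if 'action' in kwargs else "login"
    vsys = kwargs['vsys'] if 'vsys' in kwargs else "vsys1"
    ip_field = kwargs['ip_field'] if 'ip_field' in kwargs else "src_ip"
    user_field = kwargs['user_field'] if 'user_field' in kwargs else "user"

    # Determine if device hostname or serial was provided as argument or should be pulled from entries
    log(debug, "Determining how firewalls should be contacted based on arguments")
    use_panorama = False
    hostname = None
    serial = None
    if "device" in kwargs:
        hostname = kwargs['device']
    elif "panorama" in kwargs:
        use_panorama = True
        hostname = kwargs['panorama']
        serial = kwargs['serial']
    else:
        common.exit_with_error(
            "Missing required command argument: device or panorama", 3)
    log(debug, "Use Panorama: %s" % use_panorama)
    log(debug, "VSys: %s" % vsys)
    log(debug, "Hostname: %s" % hostname)
    if use_panorama and serial is not None:
        log(debug, "Device Serial: %s" % serial)

    # Results contains the data from the search results and settings
    # contains the sessionKey that we can use to talk to Splunk
    results, unused1, settings = splunk.Intersplunk.getOrganizedResults()

    # Get the sessionKey
    sessionKey = settings['sessionKey']

    log(debug, "Begin get API key")
    # Get the API key from the Splunk store or from the device at hostname if no apikey is stored
    apikey = common.apikey(sessionKey, hostname, debug)

    # Create the connection to the firewall or Panorama
    panorama = None
    if use_panorama:
        # For Panorama, create the Panorama object, and the firewall object
        panorama = Panorama(hostname, api_key=apikey)
        firewall = Firewall(panorama=panorama, serial=serial, vsys=vsys)
    else:
        # No Panorama, so just create the firewall object
        firewall = Firewall(hostname, api_key=apikey, vsys=vsys)
    # Queue User-ID requests locally until batch_end() below.
    firewall.userid.batch_start()

    # Collect all the ip addresses and users into firewall batch requests
    for result in results:
        ## Find the user (if a user_field was specified)
        try:
            this_user = result[user_field]
        except KeyError:
            result['status'] = "ERROR: Unable to determine user from field: %s" % user_field
            continue
        ## Find the IP
        try:
            this_ip = result[ip_field]
        except KeyError:
            result['status'] = "ERROR: Unable to determine ip from field: %s" % ip_field
            # Without this continue the loop fell through and reused the IP
            # of the previous result (or raised UnboundLocalError on the first),
            # mapping this user to the wrong address.
            continue

        ## Create a request in the batch user-id update for the firewall
        ## No API call to the firewall happens until all batch requests are created.
        # Any action other than "login" is treated as a logout.
        if action == "login":
            log(debug, "Login event on firewall %s: %s - %s" % (firewall, this_ip, this_user))
            firewall.userid.login(this_user, this_ip)
        else:
            log(debug, "Logout event on firewall %s: %s - %s" % (firewall, this_ip, this_user))
            firewall.userid.logout(this_user, this_ip)
        result['status'] = "Submitted successfully"

    ## Make the API calls to the User-ID API of each firewall
    try:
        firewall.userid.batch_end()
    except pan.xapi.PanXapiError as e:
        common.exit_with_error(str(e))
    except Exception as e:
        common.exit_with_error(str(e))

    # output results
    splunk.Intersplunk.outputResults(results)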