def report(program_state, arg, days, start_date, end_date, active_only, outfile):
    """
    Generate report that lists models or breaches per model

    \b
    Arguments:
      all               Create Excel report that contains all models within Darktrace
      breach-summary    Create Excel report that contains breach statistics per model
    """
    # Resolve the reporting window from the day count / explicit bounds.
    end_date, start_date = determine_date_range(days, end_date, start_date)
    # No explicit output path: build a timestamped default in the working directory.
    if not outfile:
        stamp = f'{dt.datetime.now():%Y-%m-%d_%H.%M.%S}'
        outfile = f'./models_{arg}_{stamp}.xlsx'
    # Dispatch on the sub-command; the two names are mutually exclusive.
    if arg == 'all':
        report_models(program_state.api, active_only=active_only, outfile=outfile)
    elif arg == 'breach-summary':
        breach_summary(program_state.api, outfile=outfile,
                       start_date=start_date, end_date=end_date)
def input_diff(program_state, arg, infile, days, start_date, end_date, enhanced_only, active_only, outfile):
    """
    List differences in models based on an input list. Input list must contain full model
    names with one name per line.

    \b
    Example file contents:
      Anomalous Connection::Data Sent to Rare Domain
      SaaS::AWS::Anonymous S3 File Download

    \b
    Arguments:
      new       Models present in Darktrace but not in the input list
      deleted   Models present in the input list but not in Darktrace
      changed   Models in the input list that have been modified within date range
    """
    end_date, start_date = determine_date_range(days, end_date, start_date)
    # Sub-command name -> diff implementation. An unrecognised name raises KeyError
    # at the lookup below.
    handlers = {
        'new': get_new_models,
        'deleted': get_deleted_models,
        'changed': get_models_with_changes,
    }
    diff_function = handlers[arg]
    result = diff_function(program_state.api, enhanced_only, active_only, infile,
                           start_date=start_date, end_date=end_date)
    process_output(result, outfile)
def message_details(program_state, text, days, start_date, end_date, outfile):
    """
    Get notice event details for a specified message. Typically used to specify user
    credential strings.

    Example: USER123
    """
    end_date, start_date = determine_date_range(days, end_date, start_date)
    # `text` is passed through verbatim to the API query for the resolved window.
    details = get_message_details(program_state.api, text, start_date, end_date)
    process_output(details, outfile)
def host_details(program_state, hostname, days, start_date, end_date, outfile):
    """Time sorted list of connections and events for an EXTERNAL host"""
    # Validate the user-supplied name before it is used in an API query; the
    # hostname check only runs when the domain check fails (short-circuit kept).
    looks_valid = is_valid_domain(hostname) or is_valid_hostname(hostname)
    if not looks_valid:
        raise click.UsageError('Hostname contains invalid characters')
    end_date, start_date = determine_date_range(days, end_date, start_date)
    records = get_host_details(program_state.api, hostname, start_date, end_date)
    process_output(records, outfile)
def test_determine_date_range():
    # Somewhat of an integration test: it reads the real clock through current_date().
    end_of_day = dt.timedelta(hours=23, minutes=59, seconds=59)

    # Day count only: window ends at the end of today and starts `days` ago.
    end_date, start_date = determine_date_range(5, None, None)
    assert end_date == current_date() + end_of_day
    assert start_date == current_date() - days_to_timedelta(5)

    # Zero days still yields a window starting today.
    end_date, start_date = determine_date_range(0, None, None)
    assert end_date == current_date() + end_of_day
    assert start_date == current_date() - days_to_timedelta(0)

    # An explicit start date is passed through untouched.
    explicit_start = current_date() - dt.timedelta(days=5, hours=23, minutes=59, seconds=59)
    end_date, start_date = determine_date_range(None, None, explicit_start)
    assert end_date == current_date() + end_of_day
    assert start_date == explicit_start

    # Neither a day count nor any bound: expected to raise TypeError.
    with pytest.raises(TypeError) as exc_info:
        determine_date_range(None, None, None)
    assert isinstance(exc_info.value, TypeError)
def connection_details(program_state, uid, days, start_date, end_date, outfile):
    """
    Time sorted list of events for a connection

    \b
    Example: CcdXo43n8B75cdYyI5
    """
    end_date, start_date = determine_date_range(days, end_date, start_date)
    events = get_connection_details(program_state.api, uid, start_date, end_date)
    process_output(events, outfile)
def report(program_state, arg, days, start_date, end_date, outfile, template, output):
    """
    Generate reports for Darktrace model breaches

    \b
    Arguments:
      brief          Brief report with summary statistics of model breaches
      commented      Only report breaches with comments from analysts
      acknowledged   Only report acknowledged breaches
    """
    end_date, start_date = determine_date_range(days, end_date, start_date)
    # Without an explicit path, build a timestamped default; `output` is used as the
    # file extension here (presumably the requested output format).
    if not outfile:
        stamp = f'{dt.datetime.now():%Y-%m-%d_%H.%M.%S}'
        outfile = f'./breaches_{arg}_{stamp}.{output}'
    report_breaches(program_state, arg, start_date, end_date, outfile, template, output)
def list_breaches(program_state, acknowledged_only, include_acknowledged, tags, minimal, minscore, pid, days, start_date, end_date, outfile):
    """List Darktrace model breaches"""
    end_date, start_date = determine_date_range(days, end_date, start_date)
    # Clamp the score into [0.0, 1.0], then keep a single decimal place.
    minscore = round(max(min(minscore, 1.0), 0.0), 1)
    # Asking for acknowledged breaches only implies acknowledged ones are included.
    if acknowledged_only:
        include_acknowledged = True
    breaches = get_breaches(program_state.api, acknowledged_only, include_acknowledged,
                            tags, minimal, minscore, pid, start_date, end_date)
    process_output(breaches, outfile)
def issues(program_state, days, start_date, end_date, outfile, log, cef):
    """Information about Darktrace system issues"""
    end_date, start_date = determine_date_range(days, end_date, start_date)
    output = get_system_issues(program_state.api, start_date, end_date)
    # Text formats (log lines / CEF) are appended to the file and not serialised as JSON.
    as_text = bool(log or cef)
    if log:
        output = convert_json_to_log_lines(output)
    if cef:
        # Applied after the log-line conversion when both flags are set, as before.
        formatter = Cef(device_event_class_id=130, name='System Issue')
        output = formatter.generate_logs(output)
    process_output(output, outfile, as_text, not as_text)
def packet_loss(program_state, days, start_date, end_date, outfile, log, cef):
    """Information about reported packet loss per system"""
    end_date, start_date = determine_date_range(days, end_date, start_date)
    output = get_packet_loss(program_state.api, start_date, end_date)
    # Text formats (log lines / CEF) are appended to the file and not serialised as JSON.
    as_text = bool(log or cef)
    if log:
        output = convert_json_to_log_lines(output)
    if cef:
        # Applied after the log-line conversion when both flags are set, as before.
        formatter = Cef(device_event_class_id=110, name='Packet Loss')
        output = formatter.generate_logs(output)
    process_output(output, outfile, as_text, not as_text)
def device_details(program_state, did, days, start_date, end_date, outfile):
    """Time sorted list of connections and events for a device"""
    end_date, start_date = determine_date_range(days, end_date, start_date)
    records = get_device_details(program_state.api, did, start_date, end_date)
    process_output(records, outfile)