def getLogs():
    """Fetch the last ``poll_time`` ms of authentication logs and forward each one to the QRadar console as UDP syslog.

    Reads and (on an error response) advances the module global ``poll_time``
    (milliseconds). Nothing here handles a network failure: ``requests.get`` is
    called without a timeout, the HTTP status is never checked, and
    ``json.loads`` raises on a non-JSON body. The final ``else`` branch is cut
    off in this listing.
    """
    global poll_time
    console_ip = qpylib.get_console_address()
    # Get logs starting from 60 seconds ago through right now.
    # NOTE(review): the window is actually ``poll_time`` ms wide, not a fixed
    # 60 s -- poll_time grows by 30 s every time the error branch below runs.
    min_time = str(int(round(time.time() * 1000)) - poll_time)
    max_time = str(int(round(time.time() * 1000)))
    payload = {'mintime': min_time, 'maxtime': max_time}
    # Make the request.
    # NOTE(review): no ``timeout=`` -- a stalled API call blocks the poller
    # forever; the caller loops on this function.
    r = requests.get('https://api.example.com', params=payload)
    # Change the JSON string into a JSON object (raises ValueError on a
    # non-JSON body, e.g. an HTML error page; status code is not inspected).
    jsonObject = json.loads(r.text)
    # This assumes the valid logs will include "response"
    # and invalid logs include "code". Modify as needed.
    if "response" in jsonObject:
        resp = jsonObject["response"]
        # Convert the logs to syslog and feed to QRadar.
        # NOTE(review): one new UDP socket per message, never closed -- the
        # descriptor is only reclaimed by garbage collection. Plain UDP to 514
        # gives no delivery guarantee and no transport protection; the event
        # payload is the raw JSON document, so the console needs a log source
        # that understands it (presumably configured elsewhere -- verify).
        for MESSAGE in resp['authlogs']:
            sock = socket.socket(socket.AF_INET,  # Internet
                                 socket.SOCK_DGRAM)  # UDP
            sock.sendto(json.dumps(MESSAGE), (console_ip, 514))
    elif "code" in jsonObject:
        # Feed the errors to QRadar (same unclosed-socket pattern as above).
        sock = socket.socket(socket.AF_INET,  # Internet
                             socket.SOCK_DGRAM)  # UDP
        sock.sendto(json.dumps(jsonObject['message']), (console_ip, 514))
        # Back off by 30 s on every error; nothing ever shrinks it again.
        poll_time = poll_time + 30000
    else:
        # (branch body is missing from this listing)
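def getIP():
    """Return the QRadar console address as a JSON response.

    Returns:
        A Flask JSON response of the form ``{"console": <address>}``.

    Raises:
        Whatever ``qpylib.get_console_address`` raises (e.g. ``KeyError`` when
        the console address is not configured). The error is logged through
        ``qpylib.log`` and then re-raised so Flask produces an error response.
    """
    try:
        console_ip = qpylib.get_console_address()
        return jsonify(console=console_ip)
    except Exception as e:
        qpylib.log("Error " + str(e))
        # Re-raise: the original had an unreachable ``return`` after this
        # ``raise`` that referenced a possibly-unbound ``console_ip``.
        raise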
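def run_job():
    """Background poller: forward auth logs, then send a heartbeat, forever.

    Each iteration calls ``getLogs`` and then sends the literal JSON string
    ``"Heartbeat"`` to the console's UDP syslog port, then sleeps for
    ``poll_time`` ms (module global, also advanced by ``getLogs`` on error
    responses). Never returns normally.

    Raises:
        Anything ``qpylib.get_console_address`` or ``getLogs`` raises; the
        heartbeat socket is closed before the exception propagates.
    """
    console_ip = qpylib.get_console_address()
    # One UDP socket for the lifetime of the job instead of a new, never-closed
    # socket per iteration (the original leaked a descriptor every loop).
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        while True:
            getLogs()
            # sendto() needs bytes; json.dumps emits ASCII so utf-8 is lossless.
            sock.sendto(json.dumps('Heartbeat').encode('utf-8'), (console_ip, 514))
            time.sleep(poll_time / 1000)
    finally:
        sock.close()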
def index():
    """Serve the app's home page for ``GET /`` and ``GET /index``.

    Takes no parameters. Renders ``index.html`` with the console address so
    the page can link back to QRadar.

    Usage (sample-app credentials from the original example; substitute the
    real ones):
        curl -i -u admin:q1d3m0 -k http://localhost:5000/
        curl -i -u admin:q1d3m0 -k http://localhost:5000/index
    """
    console_address = qpylib.get_console_address()
    return render_template("index.html", console=console_address)
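def get_certificate_management_app():
    """Return the upload URL of the running QRadar Certificate Management app.

    Queries the app framework for applications whose manifest name is
    "QRadar Certificate Management" and whose state is RUNNING.

    Returns:
        The ``app_proxy`` upload URL as a string, or ``""`` when the query
        fails (non-200, logged) or no such app is running. If several match,
        the last one listed wins, as before.
    """
    params = {
        'filter': 'manifest(name)="QRadar Certificate Management" and application_state(status)="RUNNING"',
        'fields': 'application_state',
    }
    response = qpylib.REST(rest_action='GET',
                           request_url='/api/gui_app_framework/applications',
                           params=params)
    if response.status_code != 200:
        # The original logged and then fell through to parse the error body as
        # an app list; an error response is not one, so stop here.
        qpylib.log('Failed to get Certificate Management App')
        return ""
    apps = response.json()
    if not apps:
        return ""
    # Loop-invariant; only looked up once there is something to build a URL
    # for (the original also skipped the lookup for an empty result).
    console_ip = qpylib.get_console_address()
    address = ""
    for app in apps:
        cert_management_id = app['application_state']['application_id']
        address = "https://{0}/console/plugins/{1}/app_proxy/#/browse/uploadRoot".format(
            console_ip, cert_management_id)
    return address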
def getLogs():
    """Fetch the last ``poll_time`` ms of Duo Admin API authentication logs and forward each one to the QRadar console as UDP syslog.

    Reads and (on an error response) advances the module global ``poll_time``
    (milliseconds). The request is signed with Duo's ``sign`` helper using
    integration/secret keys that are literal placeholders in this source. No
    timeout, status check or JSON-parse error handling is present. The final
    ``else`` branch is cut off in this listing.
    """
    global poll_time
    console_ip = qpylib.get_console_address()
    # Get logs starting from 60 seconds ago through right now.
    # NOTE(review): the window is actually ``poll_time`` ms wide, not a fixed
    # 60 s -- poll_time grows by 30 s every time the error branch below runs.
    min_time = str(int(round(time.time() * 1000)) - poll_time)
    max_time = str(int(round(time.time() * 1000)))
    payload = {'mintime': min_time, 'maxtime': max_time}
    # Build the Duo HMAC-signed Authorization/Date headers.
    # NOTE(review): the secret key and integration key are hard-coded string
    # placeholders; real values must not live in source -- load them from the
    # app's protected configuration at runtime so they are not committed or
    # readable from the deployed bundle.
    duo = sign('GET', 'api-########.duosecurity.com',
               '/admin/v2/logs/authentication', payload,
               'enter-skey-here', 'enter-ikey-here')
    duo_auth = duo['Authorization']
    duo_date = duo['Date']
    # Make the request.
    # NOTE(review): no ``timeout=``; a stalled API call blocks the poller.
    r = requests.get('https://api-########.duosecurity.com/admin/v2/logs/authentication',
                     params=payload,
                     headers={'Authorization': duo_auth,
                              "Date": duo_date,
                              'Content-Type': 'application/x-www-form-urlencoded'})
    # Change the JSON string into a JSON object (raises ValueError on a
    # non-JSON body; the HTTP status is not inspected).
    jsonObject = json.loads(r.text)
    if "response" in jsonObject:
        resp = jsonObject["response"]
        # Print the logs -- i.e. send each log record as raw JSON over UDP.
        # NOTE(review): one new UDP socket per message, never closed; plain
        # UDP to 514 gives no delivery guarantee and no transport protection.
        for MESSAGE in resp['authlogs']:
            sock = socket.socket(socket.AF_INET,  # Internet
                                 socket.SOCK_DGRAM)  # UDP
            sock.sendto(json.dumps(MESSAGE), (console_ip, 514))
    elif "code" in jsonObject:
        # Print the errors (same unclosed-socket pattern as above).
        sock = socket.socket(socket.AF_INET,  # Internet
                             socket.SOCK_DGRAM)  # UDP
        sock.sendto(json.dumps(jsonObject['message']), (console_ip, 514))
        # Back off by 30 s on every error; nothing ever shrinks it again.
        poll_time = poll_time + 30000
    else:
        # (branch body is missing from this listing)
def test_get_console_address_with_env_var_missing():
    """Without QRADAR_CONSOLE_IP in the environment the lookup must raise KeyError with the documented message."""
    expected_message = 'Environment variable QRADAR_CONSOLE_IP is not set'
    with pytest.raises(KeyError, match=expected_message):
        qpylib.get_console_address()
def test_get_console_address_with_env_var_set(env_qradar_console_ip):
    """The env_qradar_console_ip fixture sets the variable; its value is returned verbatim."""
    address = qpylib.get_console_address()
    assert address == '9.123.234.101'
def test_get_console_address_returns_default_when_field_missing_from_manifest(
        mock_root_path, mock_get_manifest_location):
    """With a manifest that lacks the console field, the loopback default is returned."""
    default_address = '127.0.0.1'
    assert qpylib.get_console_address() == default_address
def test_get_console_address_returns_value_from_manifest(
        mock_root_path, mock_get_manifest_location):
    """With the mocked manifest in place, the console address it declares is returned."""
    address = qpylib.get_console_address()
    assert address == "9.123.234.101"
import threading
import datetime
import config as CONFIG
from thread_utils import terminate_thread
from scorecard import Company
from writers import CompanyWriter
from splunk_utils import build_portfolio
from helper import Helper

# Set by whoever wants the polling thread to wind down; polled elsewhere.
stop_polling_requested = False

# import pdb
# pdb.set_trace()

# Logger for LEEF data: every record goes to the QRadar console's syslog
# listener on port 514. ``qpylib`` and ``logging`` are used here but not
# imported in this excerpt -- presumably imported further up the file.
console_address = qpylib.get_console_address()
leef_logger = logging.getLogger('LEEF')
# Syslog-style prefix: timestamp, fixed vendor tag, then the LEEF payload.
leef_formatter = logging.Formatter("%(asctime)s SECURITYSCORECARD %(message)s",
                                   "%b %d %H:%M:%S")
leef_logger.setLevel(logging.DEBUG)
# NOTE(review): SysLogHandler defaults to UDP, so LEEF events leave the app
# unencrypted and without delivery guarantees; propagation to the root logger
# is not disabled here, so records may also reach any root handlers -- verify
# that is intended.
syslog_handler = logging.handlers.SysLogHandler(
    address=(console_address, 514),
    facility=logging.handlers.SysLogHandler.LOG_LOCAL1,
)
syslog_handler.setFormatter(leef_formatter)
leef_logger.addHandler(syslog_handler)


# (class body continues beyond this listing)
class QRadarThread(threading.Thread):