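def lambda_handler(event, context):
    """Ingest a webhook alert and register it as a Socless event.

    Expects ``event['body']`` to be a JSON object with the keys
    ``alert_name``, ``response_plan`` and ``details``; these are mapped onto
    the ``event_type`` / ``playbook`` / ``details`` fields consumed by
    ``create_events``.

    Args:
        event: API Gateway proxy event; only ``event['body']`` is read.
        context: Lambda context, passed through to ``create_events``.

    Returns:
        ``{"statusCode": 200}`` when the event was registered, otherwise
        ``{"statusCode": 400, "body": <message>}``.
    """
    # Parse and validate inside a try so a malformed or incomplete body is
    # reported as a client error. Previously any parse/lookup failure escaped
    # the handler as an unhandled exception (a 500 from API Gateway).
    try:
        alert_payload = json.loads(event["body"])
        event_details = {
            "event_type": alert_payload["alert_name"],
            "playbook": alert_payload["response_plan"],
            "details": alert_payload["details"],
        }
    except (KeyError, TypeError, ValueError) as e:
        # KeyError: missing body or required field; ValueError: invalid JSON
        # (json.JSONDecodeError subclasses it); TypeError: body/payload has
        # the wrong shape (e.g. body is None, payload is a list).
        return {"statusCode": 400, "body": f"invalid request body: {e}"}

    try:
        create_events(event_details, context)
    except Exception as e:
        # Response shape kept for compatibility with existing callers.
        # NOTE(review): this echoes the raw exception text to the HTTP client;
        # if the endpoint is reachable by untrusted senders, log the exception
        # server-side and return a generic message instead.
        return {"statusCode": 400, "body": f"{e}"}
    return {"statusCode": 200}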
def lambda_handler(event, context):
    """Template handler: build an ``event_details`` payload and register it.

    The ``"..."`` and ``{...}`` values below are placeholders for the
    integration author to fill in; ``event`` is not read by this template.

    Args:
        event: Lambda event (unused in the template).
        context: Lambda context, passed through to ``create_events``.

    Returns:
        ``{"statusCode": 200}`` on success, otherwise
        ``{"statusCode": 400, "body": <message>}``.
    """
    # One entry per alert finding.
    findings = [
        {...},
        {...},
    ]
    try:
        event_details = dict(
            event_type="...",  # event name
            playbook="...",  # playbook to execute
            details=findings,
        )
        # Register the event and kick off the playbook.
        create_events(event_details, context)
    except Exception as exc:
        return {"statusCode": 400, "body": f"{exc}"}
    return {"statusCode": 200}
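def handle_state(
    event_context,
    event_type: str,
    details: List[dict],
    playbook="",
    dedup_keys=None,
    data_types=None,
    add_to_details=None,
):
    """
    Creates a new event in Socless using the socless_create_events api from the socless_python library

    Args:
        event_context (dict): Playbook execution context; ``execution_id`` is read from it
            (defaults to "n/a" when absent) and recorded in the event metadata
        event_type (str): Human Readable Event name e.g 'Investigate Login'
        details (list): List of dictionaries containing the event details. The caller's
            dicts are not modified; merged copies are sent instead
        playbook (str): The name of the playbook to execute
        dedup_keys (list): The keys to use to deduplicate the event (default: none)
        data_types (dict): A mapping of what datatypes are contained in the event details (default: empty)
        add_to_details (dict): Additional keys merged into each details dict; on a key
            clash the added value wins (default: none)

    Returns:
        A dict containing a boolean status code and, if successful, the investigation id
        assigned to the created event.
    """
    execution_id = event_context.get("execution_id", "n/a")
    # Fresh containers per call: the previous ``[]`` / ``{}`` defaults were
    # shared across invocations, so any in-place update leaked between events.
    dedup_keys = [] if dedup_keys is None else dedup_keys
    data_types = {} if data_types is None else data_types
    extra = {} if add_to_details is None else add_to_details
    # Merge into copies rather than update() the caller's dicts in place;
    # ``extra`` is spread last so it overrides, matching the old update() order.
    merged_details = [{**each, **extra} for each in details]
    events = {
        "event_type": event_type,
        "details": merged_details,
        "data_types": data_types,
        "playbook": playbook,
        "dedup_keys": dedup_keys,
        "event_meta": {
            "data source": f"Execution: {execution_id}",
            "description": "Event created from within a Playbook",
        },
    }
    # NOTE(review): the original passed an undefined name ``context`` here,
    # which raises NameError at call time unless a module-level ``context``
    # exists. ``event_context`` is the only context object in scope; confirm
    # it is what ``create_events`` expects as its second argument.
    create_events(events, event_context)
    return {"completed": True}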
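def lambda_handler(event, context):
    """Ingest a generic JSON alert payload and register it as a Socless event.

    ``event['body']`` must be a JSON object containing ``details``; that value
    may be a list or a JSON-encoded string of one (double-encoded by some
    senders), in which case it is decoded here. The remaining fields are
    copied with ``.get`` so absent keys reach ``create_events`` as ``None``.

    Args:
        event: API Gateway proxy event; only ``event['body']`` is read.
        context: Lambda context, passed through to ``create_events``.

    Returns:
        ``{"statusCode": 400, "body": <message>}`` when the body cannot be
        parsed; otherwise ``{"statusCode": 200}``, with ``body`` carrying the
        ``create_events`` message when it reports a failed status.
    """
    try:
        ingest = json.loads(event["body"])
        details = ingest["details"]
        if isinstance(details, str):
            details = json.loads(details)
    except (KeyError, TypeError, ValueError) as e:
        # Malformed or incomplete input previously escaped as an unhandled
        # exception (a 500 from API Gateway); report it as a client error.
        return {"statusCode": 400, "body": f"invalid request body: {e}"}

    event_data = {
        "event_type": ingest.get("name"),
        "data_types": ingest.get("data_types"),
        "event_meta": ingest.get("event_meta"),
        "playbook": ingest.get("playbook"),
        "dedup_keys": ingest.get("dedup_keys"),
        "details": details,
    }
    resp = create_events(event_data, context)
    if not resp.get("status"):
        # NOTE(review): a failed registration is still acknowledged with 200
        # (only the body carries the message). Kept as-is in case senders
        # retry on non-2xx; the webhook handler earlier in this file returns
        # 400 on failure, so confirm which contract is intended.
        return {"statusCode": 200, "body": json.dumps(resp.get("message"))}
    return {"statusCode": 200}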