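class ProcessSearchCommand(GeneratingCommand):
    """Generates a process search result from Carbon Black from a given IP or search query
        | processsearch query=${ip}

    ``prepare`` reads the server URL and API key from the ``cbserver`` stanza of
    ``carbonblack.conf`` and opens a ``CbApi`` client; ``generate`` streams one
    Splunk event per process returned by the search and stops after
    ``max_results`` events.
    """

    query = Option(name="query", require=True)

    # Fields copied verbatim from every Carbon Black process document into the
    # emitted event.
    field_names = [
        'cmdline', 'comms_ip', 'hostname', 'id', 'interface_ip', 'last_update',
        'os_type', 'parent_md5', 'parent_name', 'parent_pid',
        'parent_unique_id', 'path', 'process_md5', 'process_name',
        'process_pid', 'regmod_count', 'segment_id', 'sensor_id', 'start',
        'unique_id', 'username', 'childproc_count', 'crossproc_count',
        'modload_count', 'netconn_count', 'filemod_count', 'group', 'host_type'
    ]

    # Hard cap on the number of events emitted per search; generate() calls
    # finish() and returns once it is exceeded.
    max_results = 1000

    # Partial results are flushed to Splunk every this many events so a long
    # search shows progress instead of buffering everything.
    flush_every = 10

    def prepare(self):
        """Load the server settings from carbonblack.conf and build the API client.

        Raises:
            KeyError: if the returned ``cbserver`` stanza lacks ``cburl`` or
                ``cbapikey``.
        """
        configuration_dict = splunk.clilib.cli_common.getConfStanza(
            'carbonblack', 'cbserver')

        self.cb_server = configuration_dict['cburl']
        self.token = configuration_dict['cbapikey']

        # NOTE(review): ssl_verify=False disables TLS certificate validation
        # for every request, so the API key is sent to a peer that is never
        # authenticated. Consider reading this from the same stanza with a
        # default of True.
        self.cb = CbApi(self.cb_server, token=self.token, ssl_verify=False)

    def generate(self):
        """Yield one event dict per process matched by ``self.query``."""
        self.logger.info("query %s" % self.query)

        for i, bindata in enumerate(self.cb.process_search_iter(self.query), 1):
            if i > self.max_results:
                # TODO: stop at max_results for now?
                self.finish()
                return

            temp = {field_name: bindata[field_name]
                    for field_name in self.field_names}
            temp['sourcetype'] = 'bit9:carbonblack:json'

            # Sometimes we have seen 'start' be equal to -1 (or otherwise
            # unparseable); fall back to epoch 0 rather than dropping the event.
            # NOTE(review): time.mktime() treats the timetuple as local time, so
            # a 'start' value that carries a timezone ends up shifted by the
            # host's UTC offset — confirm against the server's date format.
            try:
                temp['_time'] = int(
                    time.mktime(
                        dateutil.parser.parse(bindata['start']).timetuple()))
            except Exception:
                self.logger.exception('parsing bindata["start"] %s' %
                                      bindata['start'])
                temp['_time'] = 0

            # Deep link to the process analysis page in the Carbon Black UI.
            temp['link_process'] = self.cb_server + '/#/analyze/' + bindata[
                'id'] + "/1"
            temp['source'] = 'cbapi'
            temp['_raw'] = json.dumps(temp)
            yield temp

            if i % self.flush_every == 0:
                self.flush()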
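class CBQuery(object):
    """Count processes per user on a single host and print the tally.

    ``check(hostname)`` issues a ``hostname:`` process search against Carbon
    Black, counts the ``username`` of every returned process and hands the
    counts to ``report``.
    """

    def __init__(self, url, token, ssl_verify):
        """Open a ``CbApi`` client for ``url`` authenticated with ``token``.

        ``ssl_verify`` is passed straight through to ``CbApi``; passing False
        disables TLS certificate validation for every request.
        """
        self.cb = CbApi(url, token=token, ssl_verify=ssl_verify)
        self.cb_url = url

    def report(self, hostname, user_dictionary):
        """Print one ``hostname | count = username`` line per entry of ``user_dictionary``."""
        print("")
        print("%s | %s : %s" % ("Hostname", "Process Count", "Username"))
        print("--------------------------------------------")

        for key, value in user_dictionary.items():
            print("%s | %s = %s" % (hostname, value, key))

    def check(self, hostname):
        """Search processes on ``hostname``, announce each newly seen user and print the tally.

        Returns None; all output goes to stdout.
        """
        # print a legend
        print("")
        print("USER REPORT FOR %s:" % (hostname))
        print("--------------------------------------------")

        # build the query string
        # NOTE(review): hostname is interpolated unquoted into the search
        # syntax; a value containing spaces or operators changes the query.
        q = "hostname:%s" % (hostname)

        # username -> number of processes seen for that user on this host
        user_dictionary = dict()

        # loop over the entire result set
        for result in self.cb.process_search_iter(q):
            user_name = result.get("username", "<unknown>")

            # Test the dict itself: the original tested against .keys(), which
            # on Python 2 is a fresh list and an O(n) scan per process.
            if user_name not in user_dictionary:
                print("NEW USER found on %s : %s" % (hostname, user_name))
                user_dictionary[user_name] = 1
            else:
                user_dictionary[user_name] += 1

        self.report(hostname, user_dictionary)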
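class CBQuery(object):
    """Per-user process counts for one host, printed to stdout.

    ``check(hostname)`` runs a ``hostname:`` process search through the
    wrapped ``CbApi`` client, tallies each process's ``username`` and prints
    the result via ``report``.
    """

    def __init__(self, url, token, ssl_verify):
        """Create the ``CbApi`` client for ``url`` using ``token``.

        ``ssl_verify`` goes straight to ``CbApi``; a False value turns off TLS
        certificate validation for every request made by this object.
        """
        self.cb = CbApi(url, token=token, ssl_verify=ssl_verify)
        self.cb_url = url

    def report(self, hostname, user_dictionary):
        """Print a header followed by ``hostname | count = username`` for each user."""
        print("")
        print("%s | %s : %s" % ("Hostname", "Process Count", "Username"))
        print("--------------------------------------------")

        for key, value in user_dictionary.items():
            print("%s | %s = %s" % (hostname, value, key))

    def check(self, hostname):
        """Tally processes per user on ``hostname`` and print the report.

        Each user is announced the first time it is seen. Returns None.
        """
        # print a legend
        print("")
        print("USER REPORT FOR %s:" % (hostname))
        print("--------------------------------------------")

        # build the query string
        # NOTE(review): hostname goes into the query syntax unquoted; spaces
        # or operators in the value change what is searched.
        q = "hostname:%s" % (hostname)

        # username -> process count
        user_dictionary = dict()

        # loop over the entire result set
        for result in self.cb.process_search_iter(q):
            user_name = result.get("username", "<unknown>")

            # `in dict` is O(1); the original's `in dict.keys()` builds a
            # list and scans it on every process under Python 2.
            if user_name not in user_dictionary:
                print("NEW USER found on %s : %s" % (hostname, user_name))
                user_dictionary[user_name] = 1
            else:
                user_dictionary[user_name] += 1

        self.report(hostname, user_dictionary)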
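class CBQuery(object):
    """Report process command lines that match a regular expression.

    ``check`` pulls every process that has a ``cmdline`` from Carbon Black,
    runs the caller's regex over each command line locally and tallies the
    matches; ``report`` prints the tally sorted by match count.
    """

    def __init__(self, url, token, ssl_verify):
        """Open a ``CbApi`` client for ``url`` authenticated with ``token``.

        ``ssl_verify`` is passed through to ``CbApi``; False disables TLS
        certificate validation for every request.
        """
        self.cb = CbApi(url, token=token, ssl_verify=ssl_verify)
        self.cb_url = url

    def report(self, rundll_query, dll_dictionary, search_match_count):
        """Print ``dll_dictionary`` (match string -> count) sorted by ascending count.

        ``rundll_query`` is accepted for call-site compatibility but not printed.
        """
        # CALLED BY: self.report(regex, regex_match_dictionary, search_match_count)

        print("--------------------------------------------")
        print("%s Command Line Matches:" % (search_match_count))
        print("%s : %s" % ("Search Match Count", "Command Line Match"))
        print("--------------------------------------------")

        # sort by count (the value), lowest first, so the most frequent is last
        ordered_dll_dictionary = sorted(dll_dictionary.items(),
                                        key=operator.itemgetter(1))
        for match_string, count in ordered_dll_dictionary:
            print("%s : %s" % (count, match_string))

    def check(self, regex, ignore_case, group_reference_to_match, count_flag,
              matches_only_flag):
        """Run ``regex`` over every process command line and report the tally.

        Args:
            regex: pattern applied to each process's ``cmdline``.
            ignore_case: compile with ``re.IGNORECASE`` when truthy.
            group_reference_to_match: when truthy, tally ``group(int(...))`` of
                each match instead of the whole command line.
            count_flag: accepted for call-site compatibility; unused here.
            matches_only_flag: use ``regexp.match`` (anchored at the start of
                the command line) instead of ``regexp.search`` when truthy.

        Raises:
            re.error: if ``regex`` does not compile.
            ValueError: if ``group_reference_to_match`` is not an integer string.
            IndexError: if the requested group is not in the pattern.
        """
        # CALLED BY: cb.check(opts.regex, opts.ignore_case, opts.group_reference_to_match, opts.count_flag, opts.matches_only_flag)

        # print a legend
        print("")
        print("Displaying Report for Commandline regular expression matches")
        print("")
        print("Command Line Strings Matching REGEX: %s" % (regex))
        print("============================================================")
        print("")

        # build the query string: the server-side query is unrestricted, all
        # filtering happens locally over every process it returns
        q = "cmdline:*"

        # match string -> number of times it was seen
        regex_match_dictionary = dict()
        search_match_count = 0

        # compile once, outside the loop; honour the ignore-case switch
        flags = re.IGNORECASE if ignore_case else 0
        regexp = re.compile(regex, flags)

        # match() anchors at the start of the command line, search() scans it
        find = regexp.match if matches_only_flag else regexp.search

        for result in self.cb.process_search_iter(q):
            cmdline = result.get("cmdline", "<unknown>")

            search_match_result = find(cmdline)
            if search_match_result is None:
                continue

            # Iterate TOTAL Search Match Count
            search_match_count += 1

            # tally either the requested capture group or the whole command line
            if group_reference_to_match:
                key = search_match_result.group(int(group_reference_to_match))
            else:
                key = cmdline

            # test the dict directly: the original used .keys(), a list scan on
            # Python 2 that made the loop quadratic in distinct matches
            if key not in regex_match_dictionary:
                print("%s" % (key))
                regex_match_dictionary[key] = 1
            else:
                regex_match_dictionary[key] += 1

        self.report(regex, regex_match_dictionary, search_match_count)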
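class ProcessSearchCommand(GeneratingCommand):
    """Generates a process search result from Carbon Black from a given IP or search query
        | processsearch query=${ip}

    ``prepare`` reads the server URL and API key from the ``cbserver`` stanza
    of ``carbonblack.conf`` and builds a ``CbApi`` client. ``generate`` emits
    one Splunk event per process the search returns and stops once
    ``max_results`` events have been produced.
    """

    query = Option(name="query", require=True)

    # Fields copied from each Carbon Black process document into the event.
    field_names = ['cmdline',
                   'comms_ip',
                   'hostname',
                   'id',
                   'interface_ip',
                   'last_update',
                   'os_type',
                   'parent_md5',
                   'parent_name',
                   'parent_pid',
                   'parent_unique_id',
                   'path',
                   'process_md5',
                   'process_name',
                   'process_pid',
                   'regmod_count',
                   'segment_id',
                   'sensor_id',
                   'start',
                   'unique_id',
                   'username',
                   'childproc_count',
                   'crossproc_count',
                   'modload_count',
                   'netconn_count',
                   'filemod_count',
                   'group',
                   'host_type']

    # Cap on events emitted per search; generate() finishes once exceeded.
    max_results = 1000

    # Flush partial results to Splunk every this many events.
    flush_every = 10

    def prepare(self):
        """Read carbonblack.conf and open the Carbon Black API client.

        Raises:
            KeyError: if the ``cbserver`` stanza returned by getConfStanza has
                no ``cburl`` or ``cbapikey`` entry.
        """
        configuration_dict = splunk.clilib.cli_common.getConfStanza('carbonblack', 'cbserver')

        self.cb_server = configuration_dict['cburl']
        self.token = configuration_dict['cbapikey']

        # NOTE(review): ssl_verify=False turns off TLS certificate validation
        # for every request, so the API key is presented to an unauthenticated
        # peer. A configurable setting defaulting to True would be safer.
        self.cb = CbApi(self.cb_server, token=self.token, ssl_verify=False)

    def generate(self):
        """Yield one event dict for each process matched by ``self.query``."""
        self.logger.info("query %s" % self.query)

        for i, bindata in enumerate(self.cb.process_search_iter(self.query), 1):
            if i > self.max_results:
                # TODO: stop at max_results for now?
                self.finish()
                return

            temp = {field_name: bindata[field_name] for field_name in self.field_names}
            temp['sourcetype'] = 'bit9:carbonblack:json'

            # Sometimes we have seen 'start' be equal to -1 (or otherwise
            # unparseable); fall back to epoch 0 instead of dropping the event.
            # NOTE(review): time.mktime() reads the timetuple as local time; a
            # timezone-qualified 'start' would be shifted by the host's UTC
            # offset — confirm against the server's date format.
            try:
                temp['_time'] = int(time.mktime(dateutil.parser.parse(bindata['start']).timetuple()))
            except Exception:
                self.logger.exception('parsing bindata["start"] %s' % bindata['start'])
                temp['_time'] = 0

            # Deep link to the process analysis page in the Carbon Black UI.
            temp['link_process'] = self.cb_server + '/#/analyze/' + bindata['id'] + "/1"
            temp['source'] = 'cbapi'
            temp['_raw'] = json.dumps(temp)
            yield temp

            if i % self.flush_every == 0:
                self.flush()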
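class CBQuery(object):
    """Find process command lines matching a regular expression and print a tally.

    ``check`` fetches every process with a ``cmdline`` from Carbon Black,
    applies the caller's regex to each command line on the client side and
    counts the matches; ``report`` prints them ordered by count.
    """

    def __init__(self, url, token, ssl_verify):
        """Build the ``CbApi`` client for ``url`` using ``token``.

        ``ssl_verify`` is forwarded to ``CbApi``; False disables TLS
        certificate validation for every request.
        """
        self.cb = CbApi(url, token=token, ssl_verify=ssl_verify)
        self.cb_url = url

    def report(self, rundll_query, dll_dictionary, search_match_count):
        """Print ``dll_dictionary`` (match string -> count), lowest count first.

        ``rundll_query`` is part of the call signature but is not printed.
        """
        # CALLED BY: self.report(regex, regex_match_dictionary, search_match_count)

        print("--------------------------------------------")
        print("%s Command Line Matches:" % (search_match_count))
        print("%s : %s" % ("Search Match Count", "Command Line Match"))
        print("--------------------------------------------")

        # ascending by count so the most frequent match ends the listing
        ordered_dll_dictionary = sorted(dll_dictionary.items(), key=operator.itemgetter(1))
        for match_string, count in ordered_dll_dictionary:
            print("%s : %s" % (count, match_string))

    def check(self, regex, ignore_case, group_reference_to_match, count_flag, matches_only_flag):
        """Apply ``regex`` to every process command line and report the tally.

        Args:
            regex: pattern applied to each process's ``cmdline``.
            ignore_case: compile with ``re.IGNORECASE`` when truthy.
            group_reference_to_match: when truthy, the tally key is
                ``group(int(...))`` of the match rather than the command line.
            count_flag: accepted for call-site compatibility; unused here.
            matches_only_flag: truthy selects ``regexp.match`` (anchored at the
                start of the command line); otherwise ``regexp.search``.

        Raises:
            re.error: if ``regex`` does not compile.
            ValueError: if ``group_reference_to_match`` is not an integer string.
            IndexError: if the requested group does not exist in the pattern.
        """
        # CALLED BY: cb.check(opts.regex, opts.ignore_case, opts.group_reference_to_match, opts.count_flag, opts.matches_only_flag)

        # print a legend
        print("")
        print("Displaying Report for Commandline regular expression matches")
        print("")
        print("Command Line Strings Matching REGEX: %s" % (regex))
        print("============================================================")
        print("")

        # build the query string: unrestricted on the server, every returned
        # process is filtered locally below
        q = "cmdline:*"

        # match string -> occurrences
        regex_match_dictionary = dict()
        search_match_count = 0

        # compile once, honouring the ignore-case switch
        regexp = re.compile(regex, re.IGNORECASE if ignore_case else 0)

        # match() is anchored at the start of the string, search() is not
        find = regexp.match if matches_only_flag else regexp.search

        for result in self.cb.process_search_iter(q):
            cmdline = result.get("cmdline", "<unknown>")

            search_match_result = find(cmdline)
            if search_match_result is None:
                continue

            # Iterate TOTAL Search Match Count
            search_match_count += 1

            # tally the requested capture group or the whole command line
            if group_reference_to_match:
                key = search_match_result.group(int(group_reference_to_match))
            else:
                key = cmdline

            # membership on the dict itself; the original's `.keys()` built a
            # list per iteration on Python 2 and made this loop quadratic
            if key not in regex_match_dictionary:
                print("%s" % (key))
                regex_match_dictionary[key] = 1
            else:
                regex_match_dictionary[key] += 1

        self.report(regex, regex_match_dictionary, search_match_count)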