def _create_host_entities(data, geoip):
    """Yield one Host entity per row of ``data``, with its IP entity(ies) attached.

    Args:
        data: frame whose index is a ``(host, ip_addr)`` pair and whose rows
            carry ``FirstSeen``/``LastSeen`` columns (read via ``itertuples``).
        geoip: lookup object whose ``lookup_ip(address)`` returns a
            ``(result, ip_entities)`` pair; ``None`` disables enrichment and a
            bare ``IpAddress`` is built from the address string instead.

    Yields:
        ``entities.Host`` for every row with a non-empty host name. Rows whose
        host name is empty are skipped; rows without an address yield the host
        alone. A single resolved IP goes on ``IpAddress``, several on
        ``IpAddresses``. Names and addresses are taken verbatim from ``data``.
    """
    for row in data.itertuples():
        host_name, address = row.Index
        if not host_name:
            continue
        host_ent = entities.Host(HostName=host_name)
        if not address:
            yield host_ent
            continue

        # Resolve the address to IP entities, GeoIP-enriched when a lookup exists.
        if geoip:
            _, resolved = geoip.lookup_ip(address)
        else:
            resolved = []
        # No lookup result (or no lookup at all): fall back to a plain entity.
        if not resolved:
            resolved = [entities.IpAddress(Address=address)]

        # Every IP entity carries the row's observation window.
        for ip_ent in resolved:
            ip_ent.FirstSeen = row.FirstSeen
            ip_ent.LastSeen = row.LastSeen

        if len(resolved) == 1:
            host_ent.IpAddress = resolved[0]
        else:
            host_ent.IpAddresses = list(resolved)
        yield host_ent
def _create_host_entity(host_name=None, host_ip=None):
    """Build a Host entity from an optional name and an optional IP string.

    Args:
        host_name: host name to set on the entity; skipped when falsy.
        host_ip: address string; when truthy it is wrapped in an
            ``IpAddress`` entity and attached as ``IpAddress``.

    Returns:
        ``entities.Host`` carrying whichever of the two values were supplied.
    """
    host = entities.Host()
    # Falsy inputs (None, "") leave the attribute unset rather than writing
    # an empty name or address onto the entity.
    if host_name:
        host.HostName = host_name
    if host_ip:
        host.IpAddress = entities.IpAddress(Address=host_ip)
    return host
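def _format_ip_entity(ip_loc, row, ip_col):
    """Build an IpAddress entity from ``row[ip_col]`` with GeoIP and threat data.

    Args:
        ip_loc: GeoIP lookup object exposing ``lookup_ip(ip_entity=...)``,
            which enriches the entity in place. ``None`` skips the lookup,
            matching how the sibling ``_create_*`` helpers treat a missing
            lookup instead of failing with ``AttributeError``.
        row: row-like mapping supporting ``in`` and ``[]`` (e.g. a pandas
            Series or a dict).
        ip_col: column/key holding the IP address string.

    Returns:
        ``entities.IpAddress``; ``AdditionalData`` gains the keys
        ``"protocol"``, ``"threat severity"`` and ``"threat details"`` for
        whichever of the ``L7Protocol``/``severity``/``Details`` columns are
        present in ``row``. Values are copied verbatim from ``row``.
    """
    ip_entity = entities.IpAddress(Address=row[ip_col])
    if ip_loc is not None:
        ip_loc.lookup_ip(ip_entity=ip_entity)

    # Subscript access for every column (the original mixed ``row.L7Protocol``
    # with ``row["severity"]``): attribute access only works on objects that
    # expose columns as attributes, subscripting works on any mapping-like row.
    optional_columns = {
        "L7Protocol": "protocol",
        "severity": "threat severity",
        "Details": "threat details",
    }
    for column, data_key in optional_columns.items():
        if column in row:
            ip_entity.AdditionalData[data_key] = row[column]
    return ip_entity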
def _create_ip_entities(data, geoip):
    """Yield an IpAddress entity per row of ``data``, GeoIP-enriched when possible.

    Args:
        data: frame indexed by IP address string with ``FirstSeen``/``LastSeen``
            columns (read via ``itertuples``).
        geoip: lookup object whose ``lookup_ip(address)`` returns a
            ``(result, ip_entities)`` pair; ``None`` disables enrichment.

    Yields:
        ``entities.IpAddress`` objects stamped with the row's
        ``FirstSeen``/``LastSeen``. Rows with an empty index value are
        skipped. With a lookup, every entity it returns for the address is
        yielded; without one, a single bare entity is built from the string.
    """
    for row in data.itertuples():
        address = row.Index
        if not address:
            continue
        if geoip:
            _, resolved = geoip.lookup_ip(address)
        else:
            resolved = [entities.IpAddress(Address=address)]
        for ip_ent in resolved:
            ip_ent.FirstSeen = row.FirstSeen
            ip_ent.LastSeen = row.LastSeen
            yield ip_ent
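def _extract_heartbeat(ip_hb, host_entity):
    """Populate ``host_entity`` from a Heartbeat row and return its IP entity.

    Args:
        ip_hb: row-like mapping of one Heartbeat record (pandas Series or
            dict). Keys read: ``Computer``, ``SourceComputerId``, ``OSType``,
            ``OSName``, ``OSMajorVersion``, ``OSMinorVersion``,
            ``ComputerEnvironment``, ``Solutions``, ``VMUUID``, ``ComputerIP``,
            ``RemoteIPCountry``, ``RemoteIPLongitude``, ``RemoteIPLatitude``
            and, when the environment is ``"Azure"``, ``SubscriptionId``,
            ``ResourceProvider``, ``ResourceType``, ``ResourceGroup``,
            ``ResourceId``.
        host_entity: ``entities.Host`` updated in place. ``HostName`` is only
            written when it is currently empty.

    Returns:
        The new ``entities.IpAddress`` (with a ``GeoLocation``) that was
        attached as ``host_entity.IpAddress``.

    Raises:
        KeyError: when a required key is absent from ``ip_hb``.
    """
    if not host_entity.HostName:
        host_entity.HostName = ip_hb["Computer"]  # type: ignore
    host_entity.SourceComputerId = ip_hb["SourceComputerId"]  # type: ignore
    # Only two families are modelled here: anything not "Windows" is Linux.
    host_entity.OSFamily = (
        entities.OSFamily.Windows
        if ip_hb["OSType"] == "Windows"
        else entities.OSFamily.Linux
    )
    host_entity.OSName = ip_hb["OSName"]  # type: ignore
    host_entity.OSVMajorVersion = ip_hb["OSMajorVersion"]  # type: ignore
    host_entity.OSVMinorVersion = ip_hb["OSMinorVersion"]  # type: ignore
    host_entity.Environment = ip_hb["ComputerEnvironment"]  # type: ignore
    # AgentId deliberately mirrors SourceComputerId (same source column).
    host_entity.AgentId = ip_hb["SourceComputerId"]

    # Solutions is a comma-separated string. A non-string value (None or a
    # NaN float from pandas) used to raise AttributeError on .split(), and an
    # empty string produced [""]; both now yield an empty list, and blank
    # entries between commas are dropped.
    solutions = ip_hb["Solutions"]
    if not isinstance(solutions, str):
        solutions = ""
    host_entity.OmsSolutions = [  # type: ignore
        sol.strip() for sol in solutions.split(",") if sol.strip()
    ]
    host_entity.VMUUID = ip_hb["VMUUID"]  # type: ignore

    if host_entity.Environment == "Azure":
        azure_keys = (
            "SubscriptionId",
            "ResourceProvider",
            "ResourceType",
            "ResourceGroup",
            "ResourceId",
        )
        host_entity.AzureDetails = {  # type: ignore
            key: ip_hb[key] for key in azure_keys
        }

    # Populate IP data.
    # NOTE(review): the RemoteIP* geo fields are attached to the ComputerIP
    # entity; confirm that pairing is intended for this Heartbeat schema.
    ip_entity = entities.IpAddress(Address=ip_hb["ComputerIP"])
    geoloc_entity = entities.GeoLocation()  # type: ignore
    geoloc_entity.CountryName = ip_hb["RemoteIPCountry"]  # type: ignore
    geoloc_entity.Longitude = ip_hb["RemoteIPLongitude"]  # type: ignore
    geoloc_entity.Latitude = ip_hb["RemoteIPLatitude"]  # type: ignore
    ip_entity.Location = geoloc_entity  # type: ignore
    host_entity.IpAddress = ip_entity  # type: ignore
    return ip_entity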