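def query_loggings(query_data):
    '''
    Submit a query to the Cortex Logging service and return the polled result.

    Args:
        query_data: the 'query' request body forwarded to LoggingService.query().

    Returns:
        Whatever LoggingService.poll() returns for the created query.

    Raises:
        Exception: if the service rejects the query (non-2xx response) or the
            query response carries no 'queryId'.
    '''
    api_url = demisto.getIntegrationContext().get('api_url', 'https://api.us.paloaltonetworks.com')
    credentials = Credentials(
        access_token=get_access_token()
    )
    logging_service = LoggingService(
        url=api_url,
        credentials=credentials
    )

    response = logging_service.query(query_data)
    if not response.ok:
        # An HTTP failure has no 'queryId'; report the status and body instead
        # of letting the lookup below blame the token for every server error.
        raise Exception('Received HTTP %s when querying logs: %s. Please check if your authentication token is valid'
                        % (response.status_code, response.text))
    query_result = response.json()

    try:
        query_id = query_result['queryId']  # access 'queryId' from 'query' response
    except (KeyError, TypeError) as e:
        # TypeError covers a JSON body that is not an object (e.g. a list)
        raise Exception('Received error %s when querying logs. Please check if your authentication token is valid' % e)
    poll_params = {  # Prepare 'poll' params
        "maxWaitTime": 3000  # waiting for response up to 3000ms
    }

    try:
        # we poll the logging service until we have a complete response
        full_response = logging_service.poll(query_id, 0, poll_params)
    finally:
        # delete the query from the service even when polling raises, so
        # abandoned queries do not accumulate on the service side
        logging_service.delete(query_id)

    return full_response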
def initial_logging_service():
    """Build a LoggingService client from the integration context and the current access token.

    Returns:
        A LoggingService pointed at the context's 'api_url' (default
        'https://api.us.paloaltonetworks.com'), authenticated with
        get_access_token() and honouring USE_SSL for certificate verification.
    """
    context = demisto.getIntegrationContext()
    base_url = context.get('api_url', 'https://api.us.paloaltonetworks.com')
    creds = Credentials(access_token=get_access_token(), verify=USE_SSL)
    return LoggingService(url=base_url, credentials=creds)
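def query_loggings(query_data):
    """
    Submit a query to the Cortex Logging service and return the polled result.

    Args:
        query_data: the 'query' request body forwarded to LoggingService.query().

    Returns:
        Whatever LoggingService.poll() returns for the created query.

    Raises:
        Exception: if the service rejects the query (non-2xx response) or the
            query response carries no 'queryId'.
    """
    # reuse the shared constructor instead of duplicating the context lookup
    logging_service = initial_logging_service()

    response = logging_service.query(query_data)

    if not response.ok:
        # Decode the error body defensively: a non-JSON or non-object body
        # must not replace the HTTP failure with a decoding exception.
        try:
            error_body = response.json()
        except ValueError:
            error_body = {}
        if not isinstance(error_body, dict):
            error_body = {}
        status_code = error_body.get('statusCode', response.status_code)
        error = error_body.get('error', '')
        message = error_body.get('payload', {}).get('message', '')
        raise Exception(
            f"Error in query to Cortex [{status_code}] - {error}: {message}")

    query_result = response.json()
    try:
        query_id = query_result[
            'queryId']  # access 'queryId' from 'query' response
    except (KeyError, TypeError) as e:
        # TypeError covers a JSON body that is not an object (e.g. a list)
        raise Exception('Received error %s when querying logs.' % e) from e
    poll_params = {  # Prepare 'poll' params
        "maxWaitTime": 3000  # waiting for response up to 3000ms
    }

    try:
        # we poll the logging service until we have a complete response
        full_response = logging_service.poll(query_id, 0, poll_params)
    finally:
        # delete the query from the service even when polling raises, so
        # abandoned queries do not accumulate on the service side
        logging_service.delete(query_id)

    return full_response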
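def query_loggings(query_data):
    '''
    Submit a query to the Cortex Logging service and return the polled result.

    Args:
        query_data: the 'query' request body forwarded to LoggingService.query().

    Returns:
        Whatever LoggingService.poll() returns for the created query.

    Raises:
        Exception: if the service rejects the query (non-2xx response) or the
            query response carries no 'queryId'.
    '''
    api_url = demisto.getIntegrationContext().get(
        'api_url', 'https://api.us.paloaltonetworks.com')
    credentials = Credentials(access_token=get_access_token())
    logging_service = LoggingService(url=api_url, credentials=credentials)

    response = logging_service.query(query_data)
    if not response.ok:
        # Report the HTTP failure itself; an error response has no 'queryId'
        # and must not be mistaken for a bad token further down.
        raise Exception(
            'Received HTTP %s when querying logs: %s. Please check if your authentication token is valid'
            % (response.status_code, response.text))
    query_result = response.json()

    try:
        query_id = query_result[
            'queryId']  # access 'queryId' from 'query' response
    except (KeyError, TypeError) as e:
        # TypeError covers a JSON body that is not an object (e.g. a list)
        raise Exception(
            'Received error %s when querying logs. Please check if your authentication token is valid'
            % e)
    poll_params = {  # Prepare 'poll' params
        "maxWaitTime": 3000  # waiting for response up to 3000ms
    }

    try:
        # we poll the logging service until we have a complete response
        full_response = logging_service.poll(query_id, 0, poll_params)
    finally:
        # always release the server-side query, even when polling raises
        logging_service.delete(query_id)

    return full_response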
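def query_loggings(query_data):
    """
    Submit a query to the Cortex Logging service and return the polled result.

    Args:
        query_data: the 'query' request body forwarded to LoggingService.query().

    Returns:
        Whatever LoggingService.poll() returns for the created query.

    Raises:
        Exception: if the service rejects the query (non-2xx response) or the
            query response carries no 'queryId'.
    """
    api_url = demisto.getIntegrationContext().get('api_url', 'https://api.us.paloaltonetworks.com')
    credentials = Credentials(
        access_token=get_access_token(),
        verify=USE_SSL
    )
    logging_service = LoggingService(
        url=api_url,
        credentials=credentials
    )

    response = logging_service.query(query_data)

    if not response.ok:
        # Decode the error body defensively: a non-JSON or non-object body
        # must not replace the HTTP failure with a decoding exception.
        try:
            error_body = response.json()
        except ValueError:
            error_body = {}
        if not isinstance(error_body, dict):
            error_body = {}
        status_code = error_body.get('statusCode', response.status_code)
        error = error_body.get('error', '')
        message = error_body.get('payload', {}).get('message', '')
        raise Exception(f"Error in query to Cortex [{status_code}] - {error}: {message}")

    query_result = response.json()
    try:
        query_id = query_result['queryId']  # access 'queryId' from 'query' response
    except (KeyError, TypeError) as e:
        # TypeError covers a JSON body that is not an object (e.g. a list)
        raise Exception('Received error %s when querying logs.' % e) from e
    poll_params = {  # Prepare 'poll' params
        "maxWaitTime": 3000  # waiting for response up to 3000ms
    }

    try:
        # we poll the logging service until we have a complete response
        full_response = logging_service.poll(query_id, 0, poll_params)
    finally:
        # delete the query from the service even when polling raises, so
        # abandoned queries do not accumulate on the service side
        logging_service.delete(query_id)

    return full_response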
#!/usr/bin/env python

from pancloud import LoggingService, Credentials
from math import floor
from time import time
from json import dumps, loads

# Logging Service client using the library's default credential lookup.
ls = LoggingService(
    url="https://api.us.paloaltonetworks.com",
    credentials=Credentials(),
)

# Query body: WildFire-virus threat logs from the epoch up to the current time.
now = floor(time())
query_body = {
    "query":
    "select dst, app, misc, name-of-threatid from panw.threat where subtype='wildfire-virus' limit 5",
    "startTime": 0,  # 1970
    "endTime": now,  # now
    "maxWaitTime": 30000
}
q = ls.query(query_body)

# Re-serialise the body so the output is indented with stable key order.
pretty = dumps(loads(q.text), indent=4, sort_keys=True)
print(pretty)
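# Make the parent directory importable so the in-tree pancloud package wins.
curpath = os.path.dirname(os.path.abspath(__file__))
sys.path[:0] = [os.path.join(curpath, os.pardir)]

from pancloud import LoggingService

url = 'https://apigw-stg4.us.paloaltonetworks.com'

# `export ACCESS_TOKEN=<access token>`
access_token = os.environ['ACCESS_TOKEN']
# Do not echo the bearer token: stdout ends up in terminal history and CI
# logs. Confirm that it was loaded without revealing the value.
print("ACCESS_TOKEN loaded ({} characters)".format(len(access_token)))

# Create Logging Service instance
ls = LoggingService(url=url,
                    headers={
                        'Authorization': 'Bearer {}'.format(access_token),
                        "Content-Type": "application/json",
                        "Accept": "application/json"
                    })

data = {  # Prepare 'query' data
    "query": "select * from panw.traffic limit 1",
    "startTime": 0,  # 1970
    "endTime": 1609459200,  # 2021
    "maxWaitTime": 0  # no logs in initial response
}

# Generate new 'query'
q = ls.query(data)

print("\nQUERY: {}\n".format(q.text))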
import os
import sys

# Put the parent directory first on sys.path so the in-tree package is used.
curpath = os.path.dirname(os.path.abspath(__file__))
sys.path.insert(0, os.path.join(curpath, os.pardir))

from pancloud import HTTPClient, LoggingService, EventService, \
    DirectorySyncService, Credentials

url = 'https://api.us.paloaltonetworks.com'

c = Credentials()

# One HTTP session shared by every service client below.
session = HTTPClient(url=url, credentials=c)

ls = LoggingService(session=session)
dss = DirectorySyncService(session=session)
es = EventService(session=session)


def _show(label, resp):
    """Print a section header followed by the response status and body."""
    print("\n{}...".format(label))
    print("STATUS_CODE: {}, RESULT: \n\n{}\n".format(resp.status_code, resp.text))


f = es.get_filters('EventFilter')
_show("GET EVENT FILTERS", f)

a = dss.attributes()
_show("GET ATTRIBUTES", a)

data = {  # Prepare 'query' data
    "query": "SELECT * FROM panw.traffic LIMIT 1",
    "startTime": 0,  # 1970
    "endTime": 1609459200,  # 2021
"""Logging Service example using query, poll, delete."""

import os
import sys

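# Make the parent directory importable so the in-tree pancloud package wins.
curpath = os.path.dirname(os.path.abspath(__file__))
sys.path[:0] = [os.path.join(curpath, os.pardir)]

from pancloud import LoggingService, Credentials

url = 'https://api.us.paloaltonetworks.com'

c = Credentials()

# Create Logging Service instance
ls = LoggingService(url=url, credentials=c)

query = {  # Prepare 'query' data
    "query": "SELECT * FROM panw.traffic LIMIT 1",
    "startTime": 0,  # 1970
    "endTime": 1609459200,  # 2021
    "maxWaitTime": 0  # no logs in initial response
}

# Generate new 'query'
q = ls.query(json=query)

print("\nQUERY: {}\n".format(q.text))

# Stop on an HTTP failure with the status as the diagnostic: an error body
# has no 'queryId', so the lookup below would only raise a bare KeyError.
if not q.ok:
    sys.exit("query failed with HTTP {}".format(q.status_code))

query_id = q.json()['queryId']  # access 'queryId' from 'query' response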
def logging(options, session):
    """Drive the LoggingService operations selected in *options*.

    Builds a LoggingService on *session* (constructor kwargs taken from
    options['R']['R0_obj']['LoggingService']) and then runs, in order, the
    query / poll / xpoll / delete / write operations whose flags are set,
    followed by setters() and methods(). Any exception raised by the API is
    reported through print_exception() and ends the process with status 1.

    Args:
        options: parsed command-line options; 'R' holds the per-method
            request objects (R0_obj / R1_obj / R2_obj keyed by method name).
        session: the HTTP session handed to LoggingService.
    """
    def report(k, r, options):
        # Shared tail of every non-streaming call: status line, response
        # body, then exit on an HTTP error. Returns print_response's result.
        print_status(k, r, options)
        parsed = print_response(r, options, k)
        exit_for_http_status(r)
        return parsed

    def query(api, options):
        k = 'LoggingService.query'

        R = options['R']
        template = R['R1_obj'][k]
        body = {} if template is None else template.copy()
        # Fill the time bounds from the command line only when the request
        # body does not already carry them.
        if options['start_seconds'] is not None and 'startTime' not in body:
            body['startTime'] = options['start_seconds']
        if options['end_seconds'] is not None and 'endTime' not in body:
            body['endTime'] = options['end_seconds']

        if options['debug'] > 1:
            for key in ('startTime', 'endTime'):
                if key in body:
                    when = datetime.utcfromtimestamp(body[key])
                    print('%s:' % key, when, file=sys.stderr)

        if options['debug'] > 2:
            print(pprint.pformat(body, indent=INDENT), file=sys.stderr)

        if template is None and not body:
            body = None  # preserve None if no parameters added

        try:
            r = api.query(json=body, **R['R2_obj'][k])
        except Exception as e:
            print_exception(k, e)
            sys.exit(1)

        parsed = report(k, r, options)

        # Remember the new query id for the later poll/delete steps unless
        # one was given explicitly.
        if parsed is not None and options['id'] is None and 'queryId' in parsed:
            options['id'] = parsed['queryId']

    def poll(api, options):
        k = 'LoggingService.poll'

        R = options['R']
        try:
            r = api.poll(query_id=options['id'],
                         sequence_no=options['seq'],
                         params=R['R1_obj'][k],
                         **R['R2_obj'][k])
        except Exception as e:
            print_exception(k, e)
            sys.exit(1)

        report(k, r, options)

    def xpoll(api, options):
        k = 'LoggingService.xpoll'

        R = options['R']
        try:
            responses = api.xpoll(query_id=options['id'],
                                  sequence_no=options['seq'],
                                  delete_query=options['delete'],
                                  params=R['R1_obj'][k],
                                  **R['R2_obj'][k])
            for item in responses:
                print_response_json(options, k, item)
        except Exception as e:
            print_exception(k, e)
            sys.exit(1)

    def delete(api, options):
        k = 'LoggingService.delete'

        R = options['R']
        try:
            r = api.delete(query_id=options['id'], **R['R2_obj'][k])
        except Exception as e:
            print_exception(k, e)
            sys.exit(1)

        report(k, r, options)

    def write(api, options):
        k = 'LoggingService.write'

        R = options['R']
        try:
            # XXX use R2 to specify "log_type"
            r = api.write(vendor_id=options['id'],
                          json=R['R1_obj'][k],
                          **R['R2_obj'][k])
        except Exception as e:
            print_exception(k, e)
            sys.exit(1)

        report(k, r, options)

    k = 'LoggingService'

    R = options['R']
    try:
        api = LoggingService(session=session, **R['R0_obj'][k])
    except Exception as e:
        print_exception(k, e)
        sys.exit(1)

    if options['debug'] > 0:
        print(api, file=sys.stderr)

    if options['query']:
        query(api, options)

    if options['poll']:
        poll(api, options)

    if options['xpoll']:
        # Ctrl-C while streaming is a normal way out; exit quietly with 1.
        try:
            xpoll(api, options)
        except KeyboardInterrupt:
            sys.exit(1)

    # xpoll was already handed delete_query=options['delete'], so a
    # separate delete call is only made when xpoll did not run.
    if options['delete'] and not options['xpoll']:
        delete(api, options)

    if options['write']:
        write(api, options)

    setters(options, api)
    methods(options, api)
from time import time

# Put the parent directory first on sys.path so the in-tree package is used.
curpath = os.path.dirname(os.path.abspath(__file__))
sys.path.insert(0, os.path.join(curpath, os.pardir))

from pancloud import LoggingService, Credentials

VENDOR_ID = 'vendor'
LOG_TYPE = 'log_type'

url = 'https://api.us.paloaltonetworks.com'

c = Credentials()

# Create Logging Service instance
ls = LoggingService(url=url, credentials=c)

# One sample record to write; the batch is a list of such records.
sample_log = {
    'generatedTime': time(),
    'uuid': str(uuid4()),
    'user': '******',
    'action': 'drop',
    'subType': 'brute-force',
    'name': 'anvil',
    'repeatCnt': 5
}
logs = [sample_log]

q = ls.write(vendor_id=VENDOR_ID, log_type=LOG_TYPE, json=logs)

print("\nWRITE: {}\n".format(q.text))
"""Example interaction with Logging Service using iter_poll."""

import os
import sys

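# Make the parent directory importable so the in-tree pancloud package wins.
curpath = os.path.dirname(os.path.abspath(__file__))
sys.path[:0] = [os.path.join(curpath, os.pardir)]

from pancloud import LoggingService, Credentials

url = 'https://api.us.paloaltonetworks.com'

c = Credentials()

# Create Logging Service instance
ls = LoggingService(url=url, credentials=c)

query = {  # Prepare 'query' data
    "query": "SELECT * FROM panw.traffic LIMIT 5",
    "startTime": 0,  # 1970
    "endTime": 1609459200,  # 2021
    "maxWaitTime": 0  # no logs in initial response
}

# Generate new 'query'
q = ls.query(json=query)

print("\nQUERY: {}\n".format(q.text))

# An error response carries no 'queryId'; exit with the HTTP status rather
# than letting the lookup below fail with an uninformative KeyError.
if not q.ok:
    sys.exit("query failed with HTTP {}".format(q.status_code))

query_id = q.json()['queryId']  # access 'queryId' from 'query' response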
url = 'https://apigw-stg4.us.paloaltonetworks.com'

# `export ACCESS_TOKEN=<access token>`
access_token = os.environ['ACCESS_TOKEN']

# Shared HTTP session: the retry and pool settings apply to every service
# client created from it below.
session_headers = {
    'Authorization': 'Bearer {}'.format(access_token),
    "Content-Type": "application/json",
    "Accept": "application/json"
}
session = HTTPClient(url=url,
                     max_retries=5,
                     pool_maxsize=30,
                     headers=session_headers)

ls = LoggingService(session=session)
dss = DirectorySyncService(session=session)
es = EventService(session=session)

# One filter entry per log type, each mapping the type to a full-table query.
filter_tables = ("panw.threat", "panw.traffic", "panw.system", "panw.config")
filters = {  # Prepare 'filter' data
    "filters": [{table: "SELECT * FROM {}".format(table)} for table in filter_tables]
}