def selftest_function(opts): """ Placeholder for selftest function. An example use would be to test package api connectivity. Suggested return values are be unimplemented, success, or failure. """ options = opts.get("fn_google_cloud_dlp", {}) # When the helper is instantiated, we make a connection to Google Cloud by also instantiating the DLP Class # If credentials aren't set right this will fail helper = GCPHelper(options, res_client=get_resilient_client(opts=opts)) # Config Appears to be okay and can make A connection to google # Now to test if we can inspect a string of content try: helper.inspect_string(content_string="Test", info_types=[]) except Exception as dlp_exception: log.error( u"Encountered Exception when interfacing with DLP; Exception: {}". format(dlp_exception)) return {"state": "failure", "reason": dlp_exception} return {"state": "success"}
def rest_client(self): """Return a connected instance of the :class:`resilient.SimpleClient` that can be used to access the Resilient REST API. """ self.reset_idle_timer() return get_resilient_client(self.opts)
def triggered_job(incident_id, object_id, row_id, scheduler_label, rule_name, rule_id, rule_object_type_id, rule_params, opts, **kwargs): """ This function is called when a scheduled rule is triggered. It is run asynchronous of the create_scheduled_rule process. It's role is to build the api call-back to Resilient to run the rule. In addition to invoking a rule, a note is added to the incideent to indicate that a scheduled rule was run. :param incident_id: :param object_id: task_id, note_id, artifact_id, etc. :param row_id: used when object_id is a datatable_id :param scheduler_label: :param rule_name: :param rule_id: :param rule_object_type_id: internal id referring to incident, task, artifact, etc. :param rule_params: :param opts: contains [resilient] parameters needed to connect back to Resilient for API calls :param kwargs: catch all for additional arguments as necessary :return: None """ log.debug(incident_id) log.debug(rule_id) log.debug(rule_object_type_id) log.debug(rule_params) log.debug(kwargs) # get the rest client rest_client = get_resilient_client(opts) scheduler = ResilientScheduler.get_scheduler() # make sure the incident is still open and not deleted try: resp = get_incident(rest_client, incident_id) except SimpleHTTPException: resp = None if not resp or resp['end_date'] is not None: log.warning( u"Incident %s is not found or closed. Removing scheduled rule: %s", incident_id, rule_name) scheduler.remove_job(scheduler_label) return # make sure the rule is still enabled try: get_rule_by_id(rest_client, rule_id) except KeyError as err: # remove rules which no longer exist log.error(u"Rule '%s' not found and schedule will be removed.", rule_name) add_comment( rest_client, incident_id, u"Error running rule '{}': {}".format(scheduler_label, str(err))) scheduler.remove_job(scheduler_label) return # build url for invoking a rule rule_type = lookup_object_type(rest_client, rule_object_type_id) if rule_type == "tasks": url = "/{}/{}".format(rule_type, object_id) else: url = "/incidents/{}".format(incident_id) if rule_type != '': url = url + "/{}/{}".format(rule_type, object_id) if row_id: url = url + "/row_data/{}".format(row_id) url = url + "/action_invocations" # build the JSON for rule payload = {"action_id": rule_id, "properties": rule_params} log.info("Executing Rule '{}:{}' for Incident {}".format( scheduler_label, rule_name, incident_id)) # run the rule try: resp = rest_client.post(url, payload) log.debug(resp) except SimpleHTTPException as err: # is the object removed? if "Not Found" in str(err): log.error( "Object not found and schedule will be removed for rule '%s'", rule_id) add_comment( rest_client, incident_id, u"Error running rule '{}': {}".format(scheduler_label, str(err))) scheduler.remove_job(scheduler_label) return if rule_type: add_comment( rest_client, incident_id, u"Scheduled job '{}' run on {}: {}".format(rule_name, rule_type, object_id)) else: add_comment(rest_client, incident_id, u"Scheduled job '{}' run on incident".format(rule_name))
def get_connected_resilient_client(config): opts = config.get("opts") client = get_resilient_client(opts) client.connect(opts.email, opts.password) return client
def get_connected_resilient_client(config): opts = config.get("opts") client = get_resilient_client(opts) return client
def test(): """Test some basic functionality""" from resilient_circuits.rest_helper import get_resilient_client from resilient_circuits.actions_component import ActionMessage import time opts = vars( resilient.ArgumentParser( config_file=os.environ.get("APP_CONFIG_FILE")).parse_args()) client = get_resilient_client(opts) action_event = None result = Disposition(client, "new_incident").call(action_event, { "name": "new test incident", "discovered_date": 0 }) LOG.debug(result) assert result["id"] > 0 print("Created incident {}".format(result["id"])) incident = result action_event = ActionMessage(message={"incident": incident}) result = Disposition(client, "new_task").call(action_event, {"name": "new task"}) LOG.debug(result) assert result["id"] > 0 action_event.task = result result = Disposition(client, "update_task").call(action_event, {"name": "updated task"}) LOG.info(result) result = Disposition(client, "new_note").call(action_event, {"text": "new note"}) LOG.debug(result) assert result["id"] > 0 action_event.note = result result = Disposition(client, "update_note").call(action_event, {"text": "updated note"}) LOG.info(result) t_now = int(time.time() * 1000) result = Disposition(client, "new_milestone").call(action_event, { "date": t_now, "title": "new milestone" }) LOG.debug(result) assert result["id"] > 0 action_event.milestone = result result = Disposition(client, "update_milestone").call( action_event, {"title": "updated milestone"}) LOG.info(result) result = Disposition(client, "new_artifact").call(action_event, { "type": "DNS Name", "value": "rtfm.mit.edu" }) LOG.debug(result) assert result[0]["id"] > 0 action_event.artifact = result[0] result = Disposition(client, "update_artifact").call( action_event, {"description": "updated artifact"}) LOG.info(result) result = Disposition(client, "new_attachment").call( action_event, "string value\nfor attachment") result = Disposition(client, "new_attachment").call( action_event, u"unicode value\nfor attachment") result = Disposition(client, "new_attachment").call( action_event, b"bytes value\nfor attachment") result = Disposition(client, "new_attachment").call( action_event, {"value": "json value\nfor attachment"})