def main():
ts = TruStar(config_role="trustar")
token = ts.get_token()
if do_latest_reports:
print("Getting Latest Accessible Reports...")
results = ts.get_latest_reports(token)
for result in results:
print("\t%s, %s, %s" %
(result['id'], result['distributionType'], result['title']))
print()
if do_correlated:
print("Querying Accessible Correlated Reports...")
results = ts.get_correlated_reports(token, search_string)
print("%d report(s) correlated with indicators '%s':\n" %
(len(results), search_string))
print("\n".join(results))
print()
if do_latest_indicators:
print("Get Latest Indicators (first 100)")
results = ts.query_latest_indicators(token,
source='INCIDENT_REPORT',
indicator_types='ALL',
interval_size=24,
limit=100)
if 'indicators' in results:
for ioc_type, value in results['indicators'].items():
if len(value) > 0:
print("\t%s: %s" % (ioc_type, ','.join(value)))
print()
if do_report_details:
print("Get Report Details")
reports = ts.get_latest_reports(token)
for report in reports:
result = ts.get_report_details(token, report['id'])
print("Getting Report Details using '%s': \n%s" %
(report['id'], json.dumps(result, indent=4)))
print()
if do_query_indicators:
print(
"Querying correlated indicators with search string '%s' (first 100)"
% search_string)
results = ts.query_indicators(token, search_string, '100')
indicator_hits = list(results["indicators"])
if len(indicator_hits) > 0:
print("Correlated Incident Report Indicators:")
for indicator_type, indicator_list in list(
results["indicators"].items()):
print("\n%s:\n\t%s" % (indicator_type, "\n\t".join(
['{}'.format(value) for value in indicator_list])))
print()
os_hits = list(results["openSourceCorrelations"])
if len(os_hits) > 0:
print("Correlated Open Source Documents:")
for os_url in os_hits:
print("\t%s" % os_url)
print()
exint_hits = list(results["externalIntelligence"])
if len(exint_hits) > 0:
print("External Intelligence hits:")
print('\t'.join(exint_hits))
print()
# Submit simple test report to community
if do_comm_submissions:
community_response = ts.submit_report(token,
submit_indicators,
"COMMUNITY API SUBMISSION TEST",
began_time="2017-02-01T01:23:45")
print("\tURL: %s\n" %
ts.get_report_url(community_response['reportId']))
if 'reportIndicators' in community_response:
print("Extracted the following community indicators: \n%s\n" %
json.dumps(community_response['reportIndicators'], indent=2))
# Submit simple test report to your enclave
if do_enclave_submissions:
enclave_response = ts.submit_report(token,
submit_indicators,
"ENCLAVE API SUBMISSION TEST ",
enclave=True)
print("\tURL: %s\n" % ts.get_report_url(enclave_response['reportId']))
print(enclave_response)
if 'reportIndicators' in enclave_response:
print("Extracted the following enclave indicators: \n%s\n" %
json.dumps(enclave_response['reportIndicators'], indent=2))
def main():
role = "trustar"
if len(sys.argv) > 1:
role = sys.argv[1]
ts = TruStar(config_file="trustar.conf", config_role=role)
# generate random id to use as external_id
external_id = str(randint(1, 100000))
# or use a specific external_id
# external_id = "321"
report_guid = None
current_time = int(time.time()) * 1000
yesterday_time = current_time - to_milliseconds(days=1)
if do_latest_reports:
logger.info("Getting Latest Accessible Incident Reports Since 24 hours ago ...")
try:
# get each successive page of reports
report_generator = ts.get_reports(from_time=yesterday_time,
to_time=current_time,
is_enclave=True,
enclave_ids=ts.enclave_ids)
for report in report_generator:
logger.info(report)
except Exception as e:
logger.error('Could not get latest reports, error: %s' % e)
print('')
if do_reports_by_community:
two_days_ago = current_time - to_milliseconds(days=2)
logger.info("Getting community only reports for the previous day ...")
try:
reports = ts.get_reports(from_time=two_days_ago,
to_time=yesterday_time,
is_enclave=False)
for report in reports:
logger.info(report)
except Exception as e:
logger.error('Could not get community reports, error: %s' % e)
print('')
if do_reports_by_enclave:
a_week_ago = current_time - to_milliseconds(days=7)
logger.info("Getting enclave only reports for the previous week ...")
try:
reports = ts.get_reports(from_time=a_week_ago,
to_time=current_time,
is_enclave=True,
enclave_ids=ts.enclave_ids)
for report in reports:
logger.info(report)
except Exception as e:
logger.error('Could not get community reports, error: %s' % e)
print('')
if do_correlated:
logger.info("Querying Accessible Correlated Reports...")
try:
report_ids = ts.get_correlated_report_ids(search_string)
logger.info(report_ids)
logger.info("%d report(s) correlated with indicators '%s':\n" % (len(report_ids), search_string))
logger.info("\n".join(report_ids))
except Exception as e:
logger.error('Could not get correlated reports, error: %s' % e)
print('')
if do_community_trends:
logger.info("Get community trends...")
try:
indicators = ts.get_community_trends(indicator_type=None,
days_back=1)
for indicator in indicators:
logger.info(indicator)
except Exception as e:
logger.error('Could not get community trends, error: %s' % e)
print('')
if do_query_indicators:
try:
logger.info("Getting related indicators...")
indicators = ts.get_related_indicators(indicators=search_string)
for indicator in indicators:
logger.info(indicator)
except Exception as e:
logger.error('Could not get related indicators, error: %s' % e)
# Submit simple test report to community
if do_comm_submissions:
logger.info("Submit New Community Incident Report")
try:
report = Report(title="COMMUNITY API SUBMISSION TEST",
body=submit_indicators,
time_began="2017-02-01T01:23:45",
is_enclave=False)
report = ts.submit_report(report)
logger.info("\tURL: %s\n" % ts.get_report_url(report.id))
except Exception as e:
logger.error('Could not submit community report, error: %s' % e)
print('')
# Submit simple test report to your enclave
if do_enclave_submissions:
logger.info("Submit New Enclave Incident Report")
try:
report = Report(title="ENCLAVE API SUBMISSION TEST ",
body=submit_indicators,
time_began="2017-02-01T01:23:45",
enclave_ids=ts.enclave_ids)
report = ts.submit_report(report)
logger.info("\tURL: %s\n" % ts.get_report_url(report.id))
logger.info(report)
except Exception as e:
logger.error('Could not submit enclave report, error: %s' % e)
print('')
# Submit a test report and retrieve it
if do_submit_report:
logger.info("Submit New Enclave Incident Report with External ID")
try:
report = Report(title="Sample SDK Test Report",
body=submit_indicators,
time_began="2017-02-01T01:23:45",
is_enclave=True,
enclave_ids=ts.enclave_ids,
external_id=external_id)
report = ts.submit_report(report)
logger.info("Report Submitted")
logger.info("\texternalTrackingId: %s" % report.external_id)
logger.info("\tURL: %s\n" % ts.get_report_url(report.id))
except Exception as e:
logger.error('Could not submit report, error: %s' % e)
print('')
# Get test report previously submitted
if do_report_details_by_ext_id:
logger.info("Get Incident Report By External ID")
try:
report = ts.get_report_details(report_id=external_id, id_type=Report.ID_TYPE_EXTERNAL)
logger.info("\ttitle: %s" % report.title)
logger.info("\texternalTrackingId: %s" % report.external_id)
logger.info("\tURL: %s\n" % ts.get_report_url(report.id))
report_guid = report.id
except Exception as e:
logger.error('Could not get report, error: %s' % e)
print('')
# Update a test report and test with get report
if do_update_report_by_ext_id:
logger.info("Update Incident Report By External ID")
try:
report = Report(title="Updated Sample Title",
body="updated report body: 21.22.23.24",
external_id=external_id,
enclave_ids=ts.enclave_ids)
report = ts.update_report(report)
logger.info("\texternalTrackingId: %s" % report.external_id)
logger.info("\tURL: %s\n" % ts.get_report_url(report.id))
except Exception as e:
logger.error('Could not update report, error: %s' % e)
print('')
# Get test report previously submitted
if do_report_details_by_guid:
logger.info("Get Incident Report Details by GUID (TruSTAR internal ID)")
try:
report = ts.get_report_details(report_guid)
logger.info("\ttitle: %s" % report.title)
logger.info("\texternalTrackingId: %s" % report.external_id)
logger.info("\tURL: %s\n" % ts.get_report_url(report.id))
except Exception as e:
logger.error('Could not get report, error: %s' % e)
print('')
# Update a test report and test with get report
if do_update_report_by_guid:
logger.info("Update Incident Report by GUID (TruSTAR internal ID)")
try:
report = Report(id=report_guid,
title="New Sample Title",
body="new sample body - 7.8.9.10",
enclave_ids=ts.enclave_ids)
report = ts.update_report(report)
logger.info("Updated Report using GUID")
logger.info("\texternalTrackingId: %s" % report.external_id)
logger.info("\tURL: %s\n" % ts.get_report_url(report.id))
except Exception as e:
logger.error('Could not update report, error: %s' % e)
print('')
# Get test report previously submitted
if do_report_details_by_guid:
logger.info("Get Report by GUID (TruSTAR internal ID)")
try:
report = ts.get_report_details(report_guid)
logger.info("\ttitle: %s" % report.title)
logger.info("\texternalTrackingId: %s" % report.external_id)
logger.info("\tURL: %s\n" % ts.get_report_url(report.id))
except Exception as e:
logger.error('Could not get report, error: %s' % e)
print('')
# Release report to community
if do_release_report_by_ext_id:
logger.info("Release Incident Report by External ID")
try:
report = Report(external_id=external_id,
is_enclave=False)
report = ts.update_report(report)
logger.info("Report Released using External ID:")
logger.info("\texternalTrackingId: %s" % report.external_id)
logger.info("\tURL: %s\n" % ts.get_report_url(report.id))
except Exception as e:
logger.error('Could not release report, error: %s' % e)
print('')
# Get test report previously submitted
if do_report_details_by_ext_id_2:
logger.info("Get Incident Report Details by External ID")
try:
report = ts.get_report_details(report_id=external_id, id_type=Report.ID_TYPE_EXTERNAL)
logger.info("\ttitle: %s" % report.title)
logger.info("\texternalTrackingId: %s" % report.external_id)
logger.info("\tURL: %s\n" % ts.get_report_url(report.id))
except Exception as e:
logger.error('Could not get report, error: %s' % e)
print('')
# Delete test report previously submitted
if do_delete_report_by_ext_id:
logger.info("Delete Incident Report by External ID")
try:
ts.delete_report(report_id=external_id, id_type=Report.ID_TYPE_EXTERNAL)
logger.info("Report Deleted using External ID\n")
except Exception as e:
logger.error('Could not delete report, error: %s' % e)
print('')
# Add an enclave tag to a newly created report
if do_add_enclave_tag:
logger.info("Add enclave tag to incident report")
try:
# submit report
report = Report(title="Enclave report with tag",
body=submit_indicators,
is_enclave=True,
enclave_ids=ts.enclave_ids)
report = ts.submit_report(report)
logger.info("\tId of new report %s\n" % report.id)
# get back report details, including the enclave it's in
report = ts.get_report_details(report_id=report.id)
enclave_id = report.enclave_ids[0]
# add an enclave tag
tag_id = ts.add_enclave_tag(report_id=report.id, name="triage", enclave_id=enclave_id)
# logger.info the added enclave tag
logger.info("\tId of new enclave tag %s\n" % tag_id)
# add another enclave tag
tag_id = ts.add_enclave_tag(report_id=report.id, name="resolved", enclave_id=enclave_id)
# logger.info the added enclave tag
logger.info("\tId of new enclave tag %s\n" % tag_id)
# Get enclave tag info
if do_get_enclave_tags:
logger.info("Get enclave tags for report")
tags = ts.get_enclave_tags(report.id)
logger.info("\tEnclave tags for report %s\n" % report.id)
logger.info(tags)
# delete enclave tag by name
if do_delete_enclave_tag:
logger.info("Delete enclave tag from report")
response = ts.delete_enclave_tag(report.id, tag_id)
logger.info("\tDeleted enclave tag for report %s\n" % report.id)
logger.info(response)
# add it back
ts.add_enclave_tag(report_id=report.id, name="triage", enclave_id=enclave_id)
# List all enclave tags
tags = ts.get_all_enclave_tags(enclave_ids=ts.enclave_ids)
logger.info("List of enclave tags for enclave %s\n" % enclave_id)
logger.info(tags)
# Search report by tag
logger.info("Getting reports tagged 'triage'.")
reports = ts.get_reports(from_time=yesterday_time,
to_time=current_time,
enclave_ids=ts.enclave_ids,
tag="triage")
for report in reports:
logger.info(report)
except Exception as e:
logger.error('Could not handle enclave tag operation, error: %s' % e)
print('')
# search for reports containing term "abc"
if do_search_reports:
try:
logger.info("Searching reports:")
reports = ts.search_reports("abc")
for report in reports:
logger.info(report)
except Exception as e:
logger.error("Could not search reports, error: %s" % e)
print('')
# search for indicators matching pattern "abc"
if do_search_indicators:
try:
logger.info("Searching indicators:")
indicators = ts.search_indicators("abc")
for indicator in indicators:
logger.info(indicator)
except Exception as e:
logger.error("Could not search indicators, error: %s" % e)
print('')
if do_redact_report:
try:
logger.info("Redacting report:")
redacted_report = ts.redact_report(title="amazon phishing scam",
report_body="apple, microsoft, and amazon suffered "
"from a phishing scam via [email protected]")
logger.info(redacted_report)
except Exception as e:
logger.error("Could not redact report, error: %s" % e)
print('')
class TestReportSubmit:
body = 'test body'
title = 'test title'
external_url = 'https://testurl.com'
external_id = 'test_ext_id'
def __init__(
self,
config_file_path, # type: str
config_stanza): # type: (..., str) -> None
configs = ConfigLoader.from_(config_file_path,
config_stanza) # type: Dict
configs = {k.lower(): v for k, v in configs.items()}
configs[
'client_metatag'] = TruStarGuardDutyLambdaHandler.CLIENT_METATAG
self.ts = TruStar(config=configs)
self.ts.logger.setLevel("DEBUG")
"""
ch = StreamHandler()
ch.setLevel("DEBUG")
self.ts.logger.addHandler(ch)
"""
self.enclave_id = configs['enclave_id']
def go(self):
time_begans = [
'1577865600000',
1577865600456,
'1577865600',
1577865601,
'2020-02-01T00:00:01+00:00',
'2020-02-01T00:00:01.12345+00:00',
'2020-02-01T00:00:01.74839+00:00',
#datetime.now() - timedelta(days=5)
]
test_reports = [] # type: List[Report]
for i, t in enumerate(time_begans):
test_reports.append(self.build_test_report(i, t))
for r in test_reports:
try:
self.ts.delete_report(r.external_id, id_type=IdType.EXTERNAL)
except:
pass
_ = self.ts.submit_report(r)
logger.info("Sleeping 20 seconds.")
sleep(20)
for r in test_reports:
report = self.ts.get_report_details(
r.external_id, id_type=IdType.EXTERNAL) # type: Report
if not report.body == r.body:
logger.error("body")
if not report.title == r.title:
logger.error("title")
if not report.external_url == r.external_url:
logger.error("external_url")
if not report.external_id == r.external_id:
logger.error("external_id")
if not report.time_began == r.time_began:
logger.error("time_began submitted: '{}', retrieved: "
"'{}'".format(r.time_began, report.time_began))
def build_test_report(self, i, time_began):
r = Report()
r.body = self.body
r.title = self.title
r.external_id = self.external_id + str(i)
r.external_url = self.external_url
r.enclave_ids = [self.enclave_id]
#r.set_time_began(time_began)
r.time_began = time_began
return r
