def parse(message, settings):
"""
Takes a message and returns a pipeline event
{
'bookmark': 1500145643,
'message': {
'version': 1,
'messageType': 4,
'length': 42,
'data': '<binary>',
'sequence': 4356
},
'record': {
'recordType': 400,
...
}
}
"""
event = {'bookmark': -1, 'message': message, 'record': None}
try:
parser = Binary(message)
if _shouldHandle(parser.record, settings, True):
parser.parse()
if 'archiveTimestamp' in parser.record:
event['bookmark'] = parser.record['archiveTimestamp']
# Setting event['record'] means that we want to process, decorate and
# output this event. If it is not set then the event will ultimately
# be thrown away - but see below regarding sequencing.
event['record'] = parser.record
except estreamer.EncoreException as ex:
# We want to catch EncoreExceptions here. Left to propagate further up
# the stack, this will potentially impacts hundreds of messages in a
# batched queue. EncoreExceptions are not ideal here, but they're far
# from FATAL. So warn and carry on.
logger = logging.getLogger(__name__)
logger.warning(ex)
encodedMessage = estreamer.adapters.base64.dumps(message)
logger.warning('Additional data: {0}'.format(encodedMessage))
except Exception as ex:
# If an error has occurred here, it's bad. It's most likely that the FMC
# has sent us incorrect data - although could conceivably be a bad
# message definition - although that will only be in development.
#
# In any case, if it's a bad message, then we need to file a defect with
# the BU and ideally carry on. But log an error.
logger = logging.getLogger(__name__)
logger.exception(ex)
encodedMessage = estreamer.adapters.base64.dumps(message)
logger.error('Additional data: {0}'.format(encodedMessage))
# Always return the event even if we don't have a parsed record. The
# message contains sequence numbers which are required for re-assembling
# the correct order of events. Even if we ultimately throw this message
# away, without it re-ordering cannot occur as too much information is lost.
return event
def create(self):
"""Creates a dictionary with all appropriate record decorations"""
if 'recordType' not in self.record:
return {}
# This method is long. There are possible some things which could be done to
# make it a bit shorter, but not that much. And it probably wouldn't help all
# that much anyway. But there are rules:
# * the source record stays untouched. DO NOT change it at all. If the calling
# method does so, then fine. But not here.
# * all data gets written to self.data
# * all references to self.data are through CONSTANTS - no strings
# * record types are in ascending numerical order and commented with that number
record = self.record
recordTypeId = record['recordType']
self.data[View.REC_TYPE_SIMPLE] = definitions.RECORDS[recordTypeId][
'category']
self.data[View.REC_TYPE_DESCRIPTION] = definitions.RECORDS[
recordTypeId]['name']
# Take care of automatic lookups here
self.__automap(record)
# Now deal with all the other special cases
if recordTypeId == definitions.RECORD_INTRUSION_IMPACT_ALERT:
# 9
impact = record['description']['data']
# Gets '23' from '[Impact: 23]'
match = re.search(r'\[Impact:\s(.+?)\]', impact)
if match != None:
self.data[View.DESCRIPTION] = match.group(1)
else:
self.data[View.DESCRIPTION] = impact.replace('"', "'")
self.data[View.IMPACT] = Binary.getImpact(record['impact'])
elif recordTypeId == definitions.METADATA_CORRELATION_POLICY:
# 69
self.__addValueIfAvailable(
View.CORRELATION_RULE,
[Cache.CORRELATION_RULES, record['id'], 'name'])
elif recordTypeId == definitions.RECORD_RNA_CONNECTION_STATISTICS:
# 71
self.__addValueIfAvailable(
View.IP_PROTOCOL, [Cache.IP_PROTOCOLS, record['protocol']])
self.__addValueIfAvailable(
View.WEB_APP, [Cache.PAYLOADS, record['webApplicationId']])
self.__addValueIfAvailable(
View.CLIENT_APP,
[Cache.CLIENT_APPLICATIONS, record['clientApplicationId']])
self.__addValueIfAvailable(
View.APP_PROTO,
[Cache.APPLICATION_PROTOCOLS, record['applicationId']])
self.__addValueIfAvailable(View.SEC_INTEL_IP, [
Cache.SI_SRC_DESTS,
record['securityIntelligenceSourceDestination']
])
if record['securityIntelligenceSourceDestination'] == 0:
self.data[View.SEC_INTEL_EVENT] = 'No'
else:
self.data[View.SEC_INTEL_EVENT] = 'Yes'
self.__addValueIfAvailable(View.SEC_INTEL_LIST1, [
Cache.SI_LISTS_DISCOVERY, record['securityIntelligenceList1'],
record['policyRevision']
])
self.__addValueIfAvailable(View.SEC_INTEL_LIST2, [
Cache.SI_LISTS_DISCOVERY, record['securityIntelligenceList2'],
record['policyRevision']
])
self.__addValueIfAvailable(
View.URL_CATEGORY,
[Cache.URL_CATEGORIES, record['urlCategory']])
self.__addValueIfAvailable(
View.URL_REPUTATION,
[Cache.URL_REPUTATIONS, record['urlReputation']])
self.__addValueIfAvailable(
View.FW_RULE,
[Cache.FW_RULES, record['policyRevision'], record['ruleId']])
self.__addValueIfAvailable(
View.FW_RULE_ACTION,
[Cache.FIREWALL_RULE_ACTIONS, record['ruleAction']])
self.__addValueIfAvailable(
View.FW_RULE_REASON,
[Cache.FIREWALL_RULE_REASONS, record['ruleReason']])
self.__addValueIfAvailable(View.FW_POLICY, [
Cache.ACCESS_CONTROL_POLICIES, record['deviceId'],
record['policyRevision']
])
self.__addValueIfAvailable(
View.IFACE_INGRESS,
[Cache.INTERFACES, record['ingressInterface']])
self.__addValueIfAvailable(
View.IFACE_EGRESS,
[Cache.INTERFACES, record['egressInterface']])
self.__addValueIfAvailable(
View.SEC_ZONE_INGRESS,
[Cache.SECURITY_ZONES, record['ingressZone']])
self.__addValueIfAvailable(
View.SEC_ZONE_EGRESS,
[Cache.SECURITY_ZONES, record['egressZone']])
self.__addValueIfAvailable(
View.SOURCE_IP_COUNTRY,
[Cache.GEOLOCATIONS, record['initiatorCountry']])
self.__addValueIfAvailable(
View.DESTINATION_IP_COUNTRY,
[Cache.GEOLOCATIONS, record['responderCountry']])
self.__addValueIfAvailable(View.USER,
[Cache.USERS, record['userId']])
self.__addValueIfAvailable(
View.DNS_RECORD_NAME,
[Cache.DNS_RECORDS, record['dnsRecordType'], 'name'])
self.__addValueIfAvailable(
View.DNS_RECORD_DESCRIPTION,
[Cache.DNS_RECORDS, record['dnsRecordType'], 'description'])
self.__addValueIfAvailable(
View.DNS_RESPONSE_NAME,
[Cache.DNS_RESPONSES, record['dnsResponseType'], 'name'])
self.__addValueIfAvailable(View.DNS_RESPONSE_DESCRIPTION, [
Cache.DNS_RESPONSES, record['dnsResponseType'], 'description'
])
self.__addValueIfAvailable(
View.SINKHOLE, [Cache.SINKHOLES, record['sinkholeUuid']])
self.__addValueIfAvailable(
View.IOC_CATEGORY,
[Cache.IOC, record['iocNumber'], 'category'])
self.__addValueIfAvailable(
View.SSL_ACTUAL_ACTION,
[Cache.SSL_ACTIONS, record['sslActualAction']])
self.__addValueIfAvailable(
View.SSL_EXPECTED_ACTION,
[Cache.SSL_ACTIONS, record['sslExpectedAction']])
self.__addValueIfAvailable(
View.SSL_FLOW_FLAGS,
[Cache.SSL_FLOW_FLAGS, record['sslFlowFlags']])
self.__addValueIfAvailable(
View.SSL_FLOW_MESSAGES,
[Cache.SSL_FLOW_MESSAGES, record['sslFlowMessages']])
self.__addValueIfAvailable(
View.SSL_FLOW_STATUS,
[Cache.SSL_FLOWS_STATUSES, record['sslFlowStatus']])
self.__addValueIfAvailable(View.SSL_SERVER_CERT_STATUS, [
Cache.SSL_CERT_STATUSES, record['sslServerCertificateStatus']
])
self.__addValueIfAvailable(
View.SSL_CIPHER_SUITE,
[Cache.SSL_CIPHER_SUITES, record['sslCipherSuite']])
self.__addValueIfAvailable(
View.SSL_VERSION, [Cache.SSL_VERSIONS, record['sslVersion']])
self.__addValueIfAvailable(
View.SSL_URL_CATEGORY,
[Cache.SSL_URL_CATEGORIES, record['sslUrlCategory']])
for index in range(1, 8):
inputField = 'monitorRule{0}'.format(index)
outputField = View.MONITOR_RULE.format(index)
value = record[inputField]
if value == 0:
self.data[outputField] = 'N/A'
self.__addValueIfAvailable(
outputField,
[Cache.FW_RULES, record['policyRevision'], value])
elif recordTypeId == definitions.RUA_EVENT_NEW_USER:
# 94
self.__addValueIfAvailable(View.USER,
[Cache.USERS, record['user']['userId']])
elif recordTypeId == definitions.RECORD_RUA_USER:
# 98
self.__addValueIfAvailable(
View.IP_PROTOCOL, [Cache.IP_PROTOCOLS, record['protocol']])
elif recordTypeId == definitions.RECORD_RNA_NEW_OS:
# 101
self.__addValueIfAvailable(
View.SOURCE_TYPE,
[Cache.SOURCE_TYPES, record['osfingerprint']['sourceType']])
elif recordTypeId == definitions.RECORD_RNA_CHANGE_IDENTITY_TIMEOUT:
# 103
self.__addValueIfAvailable(
View.SOURCE_TYPE,
[Cache.SOURCE_TYPES, record['identity']['sourceType']])
self.__addValueIfAvailable(
View.IP_PROTOCOL,
[Cache.IP_PROTOCOLS, record['identity']['protocol']])
elif recordTypeId == definitions.RECORD_RNA_CHANGE_CLIENT_APP_UPDATE:
# 107
self.__addValueIfAvailable(View.APP_PROTO, [
Cache.APPLICATION_PROTOCOLS,
record['client']['applicationProto']
])
elif recordTypeId == definitions.RECORD_INTRUSION_EXTRA_DATA:
# 110
self.data[View.DATA] = record['blob']['data']
self.__addValueIfAvailable(View.TYPE,
[Cache.XDATA_TYPES, record['type']])
elif recordTypeId == definitions.RECORD_CORRELATION_EVENT:
# 112
self.__addValueIfAvailable(
View.EVENT_TYPE,
[Cache.CORRELATION_EVENT_TYPES, record['eventType']])
self.__addValueIfAvailable(View.MSG, [
Cache.IDS_RULES, record['signatureGeneratorId'],
record['signatureId']
])
self.__addValueIfAvailable(
View.CORRELATION_RULE,
[Cache.CORRELATION_RULES, record['ruleId'], 'name'])
self.__addValueIfAvailable(View.CORRELATION_POLICY,
[Cache.POLICIES, record['policyId']])
self.__addValueIfAvailable(
View.SOURCE_CRITICALITY,
[Cache.CORRELATION_CRITICALITY, record['sourceCriticality']])
self.__addValueIfAvailable(View.DESTINATION_CRITICALITY, [
Cache.CORRELATION_CRITICALITY, record['destinationCriticality']
])
self.__addValueIfAvailable(
View.SOURCE_HOSTTYPE,
[Cache.CORRELATION_HOST_TYPE, record['sourceHostType']])
self.__addValueIfAvailable(
View.DESTINATION_HOSTTYPE,
[Cache.CORRELATION_HOST_TYPE, record['destinationHostType']])
self.__addValueIfAvailable(View.PRIORITY,
[Cache.PRIORITIES, record['priority']])
self.__addValueIfAvailable(View.BLOCKED,
[Cache.BLOCKED, record['blocked']])
self.__addValueIfAvailable(
View.IP_PROTOCOL, [Cache.IP_PROTOCOLS, record['ipProtocol']])
self.__addValueIfAvailable(
View.NET_PROTO, [Cache.NET_PROTOS, record['networkProtocol']])
self.__addValueIfAvailable(
View.DESTINATION_APP_PROTO,
[Cache.APPLICATION_PROTOCOLS, record['destinationServerId']])
self.__addValueIfAvailable(
View.SOURCE_APP_PROTO,
[Cache.APPLICATION_PROTOCOLS, record['sourceServerId']])
self.__addValueIfAvailable(
View.IFACE_INGRESS,
[Cache.INTERFACES, record['ingressIntefaceUuid']])
self.__addValueIfAvailable(
View.IFACE_EGRESS,
[Cache.INTERFACES, record['egressIntefaceUuid']])
self.__addValueIfAvailable(
View.SEC_ZONE_INGRESS,
[Cache.SECURITY_ZONES, record['ingressZoneUuid']])
self.__addValueIfAvailable(
View.SEC_ZONE_EGRESS,
[Cache.SECURITY_ZONES, record['egressZoneUuid']])
self.__addValueIfAvailable(View.SOURCE_OS_NAME, [
Cache.OS_FINGERPRINTS,
record['sourceOperatingSystemFingerprintUuid'], 'os'
])
self.__addValueIfAvailable(View.SOURCE_OS_VENDOR, [
Cache.OS_FINGERPRINTS,
record['sourceOperatingSystemFingerprintUuid'], 'vendor'
])
self.__addValueIfAvailable(View.SOURCE_OS_VERSION, [
Cache.OS_FINGERPRINTS,
record['sourceOperatingSystemFingerprintUuid'], 'ver'
])
self.__addValueIfAvailable(View.DESTINATION_OS_NAME, [
Cache.OS_FINGERPRINTS,
record['destinationOperatingSystemFingerprintUuid'], 'os'
])
self.__addValueIfAvailable(View.DESTINATION_OS_VENDOR, [
Cache.OS_FINGERPRINTS,
record['destinationOperatingSystemFingerprintUuid'], 'vendor'
])
self.__addValueIfAvailable(View.DESTINATION_OS_VERSION, [
Cache.OS_FINGERPRINTS,
record['destinationOperatingSystemFingerprintUuid'], 'ver'
])
self.__addValueIfAvailable(
View.SOURCE_IP_COUNTRY,
[Cache.GEOLOCATIONS, record['sourceCountry']])
self.__addValueIfAvailable(
View.DESTINATION_IP_COUNTRY,
[Cache.GEOLOCATIONS, record['destinationCountry']])
self.__addValueIfAvailable(View.SOURCE_USER,
[Cache.USERS, record['sourceUserId']])
self.__addValueIfAvailable(
View.DESTINATION_USER,
[Cache.USERS, record['destinationUserId']])
self.__addValueIfAvailable(
View.SEC_INTEL_POLICY,
[Cache.SI_LISTS_GENERAL, record['securityIntelligenceUuid']])
self.__addValueIfAvailable(
View.SSL_ACTUAL_ACTION,
[Cache.SSL_ACTIONS, record['sslActualAction']])
self.__addValueIfAvailable(
View.SSL_FLOW_STATUS,
[Cache.SSL_FLOWS_STATUSES, record['sslFlowStatus']])
self.__addValueIfAvailable(
View.URL_REPUTATION,
[Cache.URL_REPUTATIONS, record['urlReputation']])
self.__addValueIfAvailable(
View.URL_CATEGORY,
[Cache.URL_CATEGORIES, record['urlCategory']])
if 'eventImpactFlags' in record:
self.data[View.IMPACT] = Binary.getImpact(
record['eventImpactFlags'])
# Don't know why, but this exists
self.data[View.DESCRIPTION] = ''
# Let's "fix" the IP fields for consistency
if 'sourceIpv6Address' in record \
and record['sourceIp'] == '0.0.0.0' \
and record['sourceIpv6Address'] != '::':
self.data[View.SOURCE_IP] = record['sourceIpv6Address']
if 'destinationIpv6Address' in record \
and record['destinationIp'] == '0.0.0.0' \
and record['destinationIpv6Address'] != '::':
self.data[
View.DESTINATION_IP] = record['destinationIpv6Address']
elif recordTypeId == definitions.METADATA_ACCESS_CONTROL_RULE_ID:
# 119
# This may need to use the uuid instead in which case
# add an additional mapping (see policy_uuid below)
# This used to be "revision"
if 'ruleId' in record:
self.__addValueIfAvailable(View.FW_POLICY,
['policies', record['ruleId']])
elif recordTypeId == definitions.RECORD_MALWARE_EVENT:
# 125
self.__addValueIfAvailable(View.CLOUD,
[Cache.CLOUDS, record['cloudUuid']])
self.__addValueIfAvailable(
View.MALWARE_EVENT_TYPE,
[Cache.MALWARE_EVENT_TYPES, record['eventTypeId']])
self.__addValueIfAvailable(
View.MALWARE_EVENT_SUBTYPE,
[Cache.FIREAMP_SUBTYPES, record['eventSubtypeId']])
self.__addValueIfAvailable(View.FILE_ACTION,
[Cache.FILE_ACTIONS, record['action']])
if record['detectionName']['data'] == '':
self.__addValueIfAvailable(
View.DETECTION_NAME,
[Cache.FILE_SHAS, record['fileShaHash']['data']])
self.__addValueIfAvailable(
View.PARENT_DETECTION,
[Cache.FILE_SHAS, record['parentShaHash']['data']])
self.__addValueIfAvailable(
View.TYPE, [Cache.FIREAMP_TYPES, record['eventTypeId']])
self.__addValueIfAvailable(
View.SUBTYPE,
[Cache.FIREAMP_SUBTYPES, record['eventSubtypeId']])
self.__addValueIfAvailable(
View.DETECTOR, [Cache.FIREAMP_DETECTORS, record['detectorId']])
self.__addValueIfAvailable(
View.IP_PROTOCOL, [Cache.IP_PROTOCOLS, record['protocol']])
self.__addValueIfAvailable(
View.DISPOSITION,
[Cache.FILE_DISPOSITIONS, record['disposition']])
self.__addValueIfAvailable(
View.RETRO_DISPOSITION,
[Cache.FILE_DISPOSITIONS, record['retroDisposition']])
self.__addValueIfAvailable(View.FILE_TYPE,
[Cache.FILE_TYPES, record['fileType']])
self.__addValueIfAvailable(
View.WEB_APP, [Cache.PAYLOADS, record['webApplicationId']])
self.__addValueIfAvailable(
View.CLIENT_APP,
[Cache.CLIENT_APPLICATIONS, record['clientApplicationId']])
self.__addValueIfAvailable(
View.APP_PROTO,
[Cache.APPLICATION_PROTOCOLS, record['applicationId']])
self.__addValueIfAvailable(
View.FILE_POLICY,
[Cache.POLICIES, record['accessControlPolicyUuid']])
self.__addValueIfAvailable(View.DIRECTION,
[Cache.DIRECTIONS, record['direction']])
self.__addValueIfAvailable(
View.SOURCE_IP_COUNTRY,
[Cache.GEOLOCATIONS, record['sourceCountry']])
self.__addValueIfAvailable(
View.DESTINATION_IP_COUNTRY,
[Cache.GEOLOCATIONS, record['destinationCountry']])
self.__addValueIfAvailable(View.AGENT_USER,
[Cache.USERS, record['userId']])
self.__addValueIfAvailable(View.USER,
[Cache.USERS, record['user']['data']])
self.__addValueIfAvailable(
View.IOC_CATEGORY,
[Cache.IOC, record['iocNumber'], 'category'])
self.__addValueIfAvailable(
View.SSL_ACTUAL_ACTION,
[Cache.SSL_ACTIONS, record['sslActualAction']])
self.__addValueIfAvailable(
View.SSL_FLOW_STATUS,
[Cache.SSL_FLOWS_STATUSES, record['sslFlowStatus']])
elif recordTypeId == definitions.METADATA_ICMP_TYPE:
# 260
self.__addValueIfAvailable(
View.IP_PROTOCOL, [Cache.IP_PROTOCOLS, record['protocol']])
elif recordTypeId == definitions.METADATA_ICMP_CODE:
# 270
self.__addValueIfAvailable(
View.IP_PROTOCOL, [Cache.IP_PROTOCOLS, record['protocol']])
elif recordTypeId == definitions.METADATA_SECURITY_INTELLIGENCE_CATEGORY_DISCOVERY:
# 280
self.__addValueIfAvailable(
View.FW_POLICY,
[Cache.POLICIES, record['accessControlPolicyUuid']])
elif recordTypeId == definitions.RECORD_INTRUSION_EVENT:
# 400
self.__addValueIfAvailable(
View.MSG,
[Cache.IDS_RULES, record['generatorId'], record['ruleId']])
self.__addValueIfAvailable(View.RENDERED_ID, [
Cache.IDS_RULES_RENDERED, record['generatorId'],
record['ruleId']
])
self.__addValueIfAvailable(
View.CLASSIFICATION_DESCRIPTION,
[Cache.CLASSIFICATIONS, record['classificationId'], 'desc'])
self.__addValueIfAvailable(
View.CLASSIFICATION_NAME,
[Cache.CLASSIFICATIONS, record['classificationId'], 'name'])
self.__addValueIfAvailable(View.IDS_POLICY,
[Cache.POLICIES, record['policyUuid']])
self.__addValueIfAvailable(View.FW_RULE, [
Cache.FW_RULES, record['accessControlPolicyUuid'],
record['accessControlRuleId']
])
self.__addValueIfAvailable(View.FW_POLICY, [
Cache.ACCESS_CONTROL_POLICIES, record['deviceId'],
record['accessControlPolicyUuid']
])
self.__addValueIfAvailable(
View.PRIORITY, [Cache.PRIORITIES, record['priorityId']])
self.__addValueIfAvailable(View.BLOCKED,
[Cache.BLOCKED, record['blocked']])
self.__addValueIfAvailable(
View.IP_PROTOCOL, [Cache.IP_PROTOCOLS, record['ipProtocolId']])
self.__addValueIfAvailable(
View.WEB_APP, [Cache.PAYLOADS, record['webApplicationId']])
self.__addValueIfAvailable(
View.CLIENT_APP,
[Cache.CLIENT_APPLICATIONS, record['clientApplicationId']])
self.__addValueIfAvailable(
View.APP_PROTO,
[Cache.APPLICATION_PROTOCOLS, record['applicationId']])
self.__addValueIfAvailable(
View.IFACE_INGRESS,
[Cache.INTERFACES, record['interfaceIngressUuid']])
self.__addValueIfAvailable(
View.IFACE_EGRESS,
[Cache.INTERFACES, record['interfaceEgressUuid']])
self.__addValueIfAvailable(
View.SEC_ZONE_INGRESS,
[Cache.SECURITY_ZONES, record['securityZoneIngressUuid']])
self.__addValueIfAvailable(
View.SEC_ZONE_EGRESS,
[Cache.SECURITY_ZONES, record['securityZoneEgressUuid']])
self.__addValueIfAvailable(
View.SOURCE_IP_COUNTRY,
[Cache.GEOLOCATIONS, record['sourceCountry']])
self.__addValueIfAvailable(
View.DESTINATION_IP_COUNTRY,
[Cache.GEOLOCATIONS, record['destinationCountry']])
self.__addValueIfAvailable(View.USER,
[Cache.USERS, record['userId']])
self.__addValueIfAvailable(
View.IOC_CATEGORY,
[Cache.IOC, record['iocNumber'], 'category'])
self.__addValueIfAvailable(
View.SSL_ACTUAL_ACTION,
[Cache.SSL_ACTIONS, record['sslActualAction']])
self.__addValueIfAvailable(
View.SSL_FLOW_STATUS,
[Cache.SSL_FLOWS_STATUSES, record['sslFlowStatus']])
self.data[View.IMPACT] = Binary.getImpact(record['impactFlags'])
self.__addValueIfAvailable(View.IMPACT_DESCRIPTION,
[Cache.IMPACT, record['impact']])
self.__addValueIfAvailable(
View.NETWORK_ANALYSIS_POLICY,
[Cache.POLICIES, record['networkAnalysisPolicyUuid']])
elif recordTypeId == definitions.RECORD_FILELOG_EVENT or \
recordTypeId == definitions.RECORD_FILELOG_MALWARE_EVENT:
# 500 or 502
self.__addValueIfAvailable(
View.FILE_POLICY,
[Cache.POLICIES, record['accessControlPolicyUuid']])
self.__addValueIfAvailable(View.FILE_ACTION,
[Cache.FILE_ACTIONS, record['action']])
self.__addValueIfAvailable(View.DETECTION,
[Cache.FILE_SHAS, record['shaHash']])
self.__addValueIfAvailable(
View.IP_PROTOCOL, [Cache.IP_PROTOCOLS, record['protocol']])
self.__addValueIfAvailable(
View.DISPOSITION,
[Cache.FILE_DISPOSITIONS, record['disposition']])
self.__addValueIfAvailable(
View.SPERO_DISPOSITION,
[Cache.FILE_DISPOSITIONS, record['speroDisposition']])
self.__addValueIfAvailable(
View.FILE_STORAGE_STATUS,
[Cache.FILE_STORAGES, record['fileStorageStatus']])
self.__addValueIfAvailable(
View.FILE_ANALYSIS_STATUS,
[Cache.FILE_STATIC_ANALYSES, record['fileAnalysisStatus']])
self.__addValueIfAvailable(
View.FILE_TYPE, [Cache.FILE_TYPES, record['fileTypeId']])
self.__addValueIfAvailable(
View.WEB_APP, [Cache.PAYLOADS, record['webApplicationId']])
self.__addValueIfAvailable(
View.CLIENT_APP,
[Cache.CLIENT_APPLICATIONS, record['clientApplicationId']])
self.__addValueIfAvailable(
View.APP_PROTO,
[Cache.APPLICATION_PROTOCOLS, record['applicationId']])
self.__addValueIfAvailable(View.DIRECTION,
[Cache.DIRECTIONS, record['direction']])
self.__addValueIfAvailable(
View.SOURCE_IP_COUNTRY,
[Cache.GEOLOCATIONS, record['sourceCountry']])
self.__addValueIfAvailable(
View.DESTINATION_IP_COUNTRY,
[Cache.GEOLOCATIONS, record['destinationCountry']])
self.__addValueIfAvailable(View.USER,
[Cache.USERS, record['userId']])
self.__addValueIfAvailable(
View.SSL_ACTUAL_ACTION,
[Cache.SSL_ACTIONS, record['sslActualAction']])
self.__addValueIfAvailable(
View.SSL_FLOW_STATUS,
[Cache.SSL_FLOWS_STATUSES, record['sslFlowStatus']])
self.__addValueIfAvailable(View.MALWARE_ANALYSIS_STATUS, [
Cache.MALWARE_ANALYSIS_STATUS,
record['localMalwareAnalysisStatus']
])
self.__addValueIfAvailable(
View.ARCHIVE_FILE_STATUS,
[Cache.FILE_ARCHIVE_STATUS, record['archiveFileStatus']])
elif recordTypeId == definitions.METADATA_FILELOG_SHA:
# 511
self.__addValueIfAvailable(
View.DISPOSITION,
[Cache.FILE_DISPOSITIONS, record['disposition']])
# Now do the general cases
if 'sensorId' in record:
self.data[View.SENSOR] = self.cache.get(
[Cache.DEVICES, record['sensorId']])
if 'deviceId' in record:
self.data[View.SENSOR] = self.cache.get(
[Cache.DEVICES, record['deviceId']])
if 'eventType' in record:
eventType = record['eventType']
if 'eventSubtype' in record:
eventSubtype = record['eventSubtype']
if eventType in definitions.RNA_TYPE_NAMES and \
eventSubtype in definitions.RNA_TYPE_NAMES[ eventType ]:
self.data[ View.EVENT_DESC ] = \
definitions.RNA_TYPE_NAMES[ eventType ][ eventSubtype ]
if 'sourceId' in record:
# None of these are mapped from RNA records
self.__addValueIfAvailable(
View.SOURCE, [Cache.SOURCE_APPLICATIONS, record['sourceId']])
eventSec = 0
eventUsec = 0
# See if we can find the timestamps
if 'eventSecond' in record:
eventSec = record['eventSecond']
if 'eventMicrosecond' in record:
eventUsec = record['eventMicrosecond']
elif 'fileEventTimestamp' in record:
eventSec = record['fileEventTimestamp']
elif 'triggerEventSecond' in record:
eventSec = record['triggerEventSecond']
if 'triggerEventMicrosecond' in record:
eventUsec = record['triggerEventMicrosecond']
elif 'timestamp' in record:
eventSec = record['timestamp']
# If not timestamp exists, let's try the archive timestamp
if eventSec == 0:
eventSec = record['archiveTimestamp']
# Push the timestamp fields in where applicable
if eventSec > 0:
self.data[View.EVENT_SEC] = eventSec
timestamp = eventSec + (eventUsec / 1000000.0)
eventDateTime = datetime.datetime.fromtimestamp(timestamp)
self.data[View.EVENT_TIMESTAMP] = eventDateTime.isoformat()
if eventUsec > 0:
self.data[View.EVENT_USEC] = eventUsec
return self.data