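def _queryThread(self, results, envName, env, iocType, iocName, info, isCaseInsensitive, isWithWildcards, limit, isPerIoc):
    """Query one organization for an IOC and enqueue any hits onto ``results``.

    Intended to run as the body of a worker thread, one per environment, so it
    never raises: every failure is reported through ``self._safePrint`` instead.

    Args:
        results: queue-like object with a ``put`` method receiving
            ``{'env': envName, 'oid': ..., 'result': ...}`` dicts for non-empty hits.
        envName: human-readable label for the environment (used in messages only).
        env: mapping with at least ``'oid'`` and ``'api_key'`` used to build the
            ``Manager``. The api_key is a credential; it is never printed here.
        iocType, iocName, info: forwarded unchanged to ``Manager.getObjectInformation``.
        isCaseInsensitive: inverted into the ``isCaseSensitive`` keyword.
        isWithWildcards, limit, isPerIoc: forwarded as ``isWithWildcards``,
            ``limit`` and ``isPerObject`` respectively.

    Returns:
        None. Organizations without Insight enabled are skipped with a message.
    """
    try:
        lc = Manager(env['oid'], env['api_key'])
        try:
            isInsightEnabled = lc.isInsightEnabled()
        except Exception:
            # A failed capability probe is treated as "not enabled" so a single
            # unreachable org does not abort the whole sweep.
            isInsightEnabled = False
        if not isInsightEnabled:
            self._safePrint("Skipping %s (%s) as Insight is not enabled." % (
                envName,
                env['oid'],
            ))
            return
        result = lc.getObjectInformation(
            iocType,
            iocName,
            info,
            isCaseSensitive=not isCaseInsensitive,
            isWithWildcards=isWithWildcards,
            limit=limit,
            isPerObject=isPerIoc)
        if result and 0 != len(result):
            results.put({
                'env': envName,
                'oid': env['oid'],
                'result': result
            })
    except Exception:
        # Catch Exception rather than a bare ``except`` so SystemExit /
        # KeyboardInterrupt are not swallowed; the traceback is printed because
        # an exception escaping a thread would otherwise be lost silently.
        self._safePrint(traceback.format_exc())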
def do_list(args):
    """Print the rules of ``args.namespace`` as a summary.

    Each rule is shown without its ``detect``, ``respond``, ``name`` and ``oid``
    fields, and rules whose name begins with ``_`` are left out of the listing.
    """
    allRules = Manager(None, None).rules(args.namespace)
    for details in allRules.values():
        for field in ('detect', 'respond', 'name', 'oid'):
            details.pop(field, None)
    visible = {}
    for name, details in allRules.items():
        if name.startswith('_'):
            continue
        visible[name] = details
    printData(visible)
def do_get(args):
    """Print the full definition of the rule ``args.ruleName`` in ``args.namespace``.

    Reports an error when no rule name was given or when the rule is absent.
    """
    name = args.ruleName
    if name is None:
        reportError('No rule name specified.')
    allRules = Manager(None, None).rules(args.namespace)
    found = allRules.get(name, None)
    if found is None:
        reportError('Rule not found.')
    printData(found)
def main_getOriginal(sourceArgs=None):
    """CLI entry point for ``limacharlie artifacts get_original``.

    Downloads the original artifact identified by ``payloadid`` to the path
    given as ``destination`` and prints the service response as JSON.

    Args:
        sourceArgs: optional argv list; ``None`` means use ``sys.argv``.
    """
    import argparse
    cli = argparse.ArgumentParser(prog='limacharlie artifacts get_original')
    cli.add_argument('payloadid',
                     type=str,
                     help='unique identifier of the artifact uploaded.')
    cli.add_argument('destination',
                     type=str,
                     help='file path where to download the artifact.')
    opts = cli.parse_args(sourceArgs)

    # Default Manager(): credentials come from the environment/config, not argv.
    artifactLogs = Logs(Manager())
    reply = artifactLogs.getOriginal(opts.payloadid, filePath=opts.destination)
    print(json.dumps(reply))
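def do_add(args):
    """Create or replace a detection & response rule from a YAML file.

    The file is user-supplied and parsed with ``yaml.safe_load`` on purpose:
    ``yaml.load`` would allow arbitrary object construction from the file.

    Args:
        args: parsed CLI namespace with ``ruleFile`` (path), ``ruleName``,
            ``isReplace`` and ``namespace``.

    Reports an error (via ``reportError``) when the file path is missing, the
    YAML cannot be read, or the ``detect`` / ``respond`` components are absent.
    """
    ruleFile = args.ruleFile
    if ruleFile is None:
        # Fixed message: the original read "No rule file not specified."
        reportError('No rule file specified.')
    try:
        with open(ruleFile, 'rb') as f:
            ruleFile = yaml.safe_load(f.read())
    except Exception as e:
        reportError('Error reading rule file yaml: %s' % e)

    detect = ruleFile.get('detect', None)
    if detect is None:
        reportError('No detect component in rule file.')
    response = ruleFile.get('respond', None)
    if response is None:
        reportError('No respond component in rule file.')

    Manager(None, None).add_rule(args.ruleName, detect, response, args.isReplace, namespace=args.namespace)
    printData('Added')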
def main():
    """CLI entry point for ``limacharlie.io logs``: upload one log file.

    Parses the command line, builds a ``Logs`` client from the optional
    ``--oid`` / ``--access-token`` values and prints the upload response as JSON.
    Multipart upload is disabled. When ``--original-path`` is omitted the
    local ``log_file`` path is recorded as the original path.
    """
    import argparse
    cli = argparse.ArgumentParser(prog='limacharlie.io logs')
    cli.add_argument('log_file',
                     type=str,
                     help='path to the log file to upload.')
    cli.add_argument('--source',
                     type=str,
                     required=False,
                     dest='source',
                     default=None,
                     help='name of the log source to associate with upload.')
    cli.add_argument('--original-path',
                     type=str,
                     required=False,
                     dest='originalPath',
                     default=None,
                     help='override the original path recorded for the log.')
    cli.add_argument('--hint',
                     type=str,
                     required=False,
                     dest='hint',
                     default='auto',
                     help='log type hint of the upload.')
    cli.add_argument('--payload-id',
                     type=str,
                     required=False,
                     dest='payloadId',
                     default=None,
                     help='unique identifier of the log uploaded, can be used to de-duplicate logs.')
    # Both identifiers are validated as UUIDs at parse time so a malformed
    # value fails fast instead of being sent to the service.
    cli.add_argument('--access-token',
                     type=uuid.UUID,
                     required=False,
                     dest='accessToken',
                     default=None,
                     help='access token to upload.')
    cli.add_argument('--oid',
                     type=lambda o: str(uuid.UUID(o)),
                     required=False,
                     dest='oid',
                     default=None,
                     help='organization id to upload for.')
    opts = cli.parse_args()

    uploader = Logs(Manager(opts.oid, None), opts.accessToken)
    recordedPath = opts.originalPath if opts.originalPath is not None else opts.log_file
    reply = uploader.upload(opts.log_file,
                            source=opts.source,
                            hint=opts.hint,
                            payloadId=opts.payloadId,
                            allowMultipart=False,
                            originalPath=recordedPath)
    print(json.dumps(reply))
def main_upload(sourceArgs=None):
    """CLI entry point for ``limacharlie artifacts upload``: upload one artifact.

    Builds a ``Logs`` client from the optional ``--oid`` / ``--access-token``
    values and prints the upload response as JSON. Multipart upload is
    disabled; ``--days-retention`` is forwarded as ``nDaysRetention``. When
    ``--original-path`` is omitted the local ``artifact_file`` path is recorded.

    Args:
        sourceArgs: optional argv list; ``None`` means use ``sys.argv``.
    """
    import argparse
    cli = argparse.ArgumentParser(prog='limacharlie artifacts upload')
    cli.add_argument('artifact_file',
                     type=str,
                     help='path to the artifacts file to upload.')
    cli.add_argument('--source',
                     type=str,
                     required=False,
                     dest='source',
                     default=None,
                     help='name of the source to associate with upload.')
    cli.add_argument('--original-path',
                     type=str,
                     required=False,
                     dest='originalPath',
                     default=None,
                     help='override the original path recorded for the artifacts.')
    cli.add_argument('--hint',
                     type=str,
                     required=False,
                     dest='hint',
                     default='auto',
                     help='artifacts type hint of the upload.')
    cli.add_argument('--payload-id',
                     type=str,
                     required=False,
                     dest='payloadId',
                     default=None,
                     help='unique identifier of the artifacts uploaded, can be used to de-duplicate artifacts.')
    # Both identifiers are validated as UUIDs at parse time so a malformed
    # value fails fast instead of being sent to the service.
    cli.add_argument('--access-token',
                     type=uuid.UUID,
                     required=False,
                     dest='accessToken',
                     default=None,
                     help='access token to upload.')
    cli.add_argument('--oid',
                     type=lambda o: str(uuid.UUID(o)),
                     required=False,
                     dest='oid',
                     default=None,
                     help='organization id to upload for.')
    cli.add_argument('--days-retention',
                     type=int,
                     required=False,
                     dest='retention',
                     default=None,
                     help='number of days of retention for the data.')
    opts = cli.parse_args(sourceArgs)

    # NOTE(review): jwt="" is passed explicitly here (unlike the logs uploader);
    # presumably this keeps Manager from resolving stored credentials when an
    # access token is used — confirm against Manager.__init__.
    uploader = Logs(Manager(opts.oid, None, jwt=""), opts.accessToken)
    recordedPath = opts.originalPath if opts.originalPath is not None else opts.artifact_file
    reply = uploader.upload(opts.artifact_file,
                            source=opts.source,
                            hint=opts.hint,
                            payloadId=opts.payloadId,
                            allowMultipart=False,
                            originalPath=recordedPath,
                            nDaysRetention=opts.retention)
    print(json.dumps(reply))
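def do_remove(args):
    """Delete the rule ``args.ruleName`` from ``args.namespace``.

    Mirrors ``do_get``: a missing rule name is reported through ``reportError``
    instead of being forwarded as ``None`` to the service.
    """
    if args.ruleName is None:
        reportError('No rule name specified.')
    Manager(None, None).del_rule(args.ruleName, namespace=args.namespace)
    printData('Removed')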