def _validate(self, args):
if not self._doc_class.validation_url:
return
url = self._doc_class.validation_url.format(
self._cb.credentials.org_key)
validated = self._cb.get_object(url, query_parameters=args)
if not validated.get("valid"):
raise ApiError("Invalid query: {}: {}".format(
args, validated["invalid_message"]))
def __init__(self, cb, initial_data=None):
if not initial_data:
raise ApiError(
"ReportSeverity can only be initialized from initial_data")
super(ReportSeverity, self).__init__(cb,
model_unique_id=initial_data.get(
self.primary_key),
initial_data=initial_data,
force_init=False,
full_doc=True)
def policy_ids(self, policy_ids):
"""
Restricts this LiveQuery run to the given policy IDs.
:param policy_ids: list of ints
:return: This instance
"""
if not all(isinstance(policy_id, int) for policy_id in policy_ids):
raise ApiError("One or more invalid policy IDs")
self._device_filter["policy_ids"] = policy_ids
return self
def __init__(self, cb, model_unique_id=None, initial_data=None, report_id=None):
"""Creates a new IOC instance.
:raise ApiError: if `initial_data` is `None`
"""
if not initial_data:
raise ApiError("IOC can only be initialized from initial_data")
super(IOC, self).__init__(cb, model_unique_id=model_unique_id, initial_data=initial_data,
force_init=False, full_doc=True)
self._report_id = report_id
def set_threat_ids(self, threats):
"""
Restricts the alerts that this query is performed on to the specified
threat ID values.
:param threats list: list of string threat ID values
:return: This instance
"""
if not all(isinstance(t, str) for t in threats):
raise ApiError("One or more invalid threat ID values")
self._update_criteria("threat_id", threats)
return self
def set_tags(self, tags):
"""
Restricts the alerts that this query is performed on to the specified
tag values.
:param tags list: list of string tag values
:return: This instance
"""
if not all(isinstance(tag, str) for tag in tags):
raise ApiError("One or more invalid tags")
self._update_criteria("tag", tags)
return self
def set_process_sha256(self, shas):
"""
Restricts the alerts that this query is performed on to the specified
process SHA-256 hash values.
:param shas list: list of string process SHA-256 hash values
:return: This instance
"""
if not all(isinstance(n, str) for n in shas):
raise ApiError("One or more invalid SHA256 values")
self._update_criteria("process_sha256", shas)
return self
def set_device_ids(self, device_ids):
"""
Restricts the alerts that this query is performed on to the specified
device IDs.
:param device_ids list: list of integer device IDs
:return: This instance
"""
if not all(isinstance(device_id, int) for device_id in device_ids):
raise ApiError("One or more invalid device IDs")
self._update_criteria("device_id", device_ids)
return self
def device_ids(self, device_ids):
"""
Restricts the devices that this LiveQuery run is performed on
to the given IDs.
:param device_ids: list of ints
:return: This instance
"""
if not all(isinstance(device_id, int) for device_id in device_ids):
raise ApiError("One or more invalid device IDs")
self._device_filter["device_ids"] = device_ids
return self
def set_reason_code(self, reason):
"""
Restricts the alerts that this query is performed on to the specified
reason codes (enum values).
:param reason list: List of string reason codes to look for.
:return: This instance.
"""
if not all(isinstance(t, str) for t in reason):
raise ApiError("One or more invalid reason code values")
self._update_criteria("reason_code", reason)
return self
def set_device_username(self, users):
"""
Restricts the alerts that this query is performed on to the specified
user names.
:param users list: List of string user names.
:return: This instance
"""
if not all(isinstance(u, str) for u in users):
raise ApiError("One or more invalid user names")
self._update_criteria("device_username", users)
return self
def set_device_os_versions(self, device_os_versions):
"""
Restricts the alerts that this query is performed on to the specified
device operating system versions.
:param device_os_versions list: List of string operating system versions.
:return: This instance
"""
if not all(isinstance(n, str) for n in device_os_versions):
raise ApiError("One or more invalid device OS versions")
self._update_criteria("device_os_version", device_os_versions)
return self
def _submit(self):
if self._query_token:
raise ApiError("Query already submitted: token {0}".format(self._query_token))
args = self._get_query_parameters()
self._validate(args)
query_start = self._cb.post_object("/pscr/query/v1/start", body={"search_params": args})
self._query_token = query_start.json().get("query_id")
self._timed_out = False
self._submit_time = time.time() * 1000
def _lr_post_command(self, data):
retries = self.MAX_RETRY_COUNT
if "name" in data and data["name"] not in self.session_data["supported_commands"]:
raise ApiError("Command {0} not supported by this sensor".format(data["name"]))
while retries:
try:
data["session_id"] = self.session_id
resp = self._cb.post_object("/api/v1/cblr/session/{0}/command".format(self.session_id), data)
except ObjectNotFoundError as e:
if e.message.startswith("Sensor") or e.message.startswith("Session"):
self.session_id, self.session_data = self._lr_scheduler._get_or_create_session(self.sensor_id)
retries -= 1
continue
else:
raise ApiError("Received 404 error from server: {0}".format(e.message))
else:
return resp
raise ApiError("Command {0} failed after {1} retries".format(data["name"], self.MAX_RETRY_COUNT))
def set_watchlist_ids(self, ids):
"""
Restricts the alerts that this query is performed on to the specified
watchlist ID values.
:param ids list: list of string watchlist ID values
:return: This instance
"""
if not all(isinstance(t, str) for t in ids):
raise ApiError("One or more invalid watchlist IDs")
self._update_criteria("watchlist_id", ids)
return self
def set_legacy_alert_ids(self, alert_ids):
"""
Restricts the alerts that this query is performed on to the specified
legacy alert IDs.
:param alert_ids list: List of string legacy alert IDs.
:return: This instance
"""
if not all(isinstance(v, str) for v in alert_ids):
raise ApiError("One or more invalid alert ID values")
self._update_criteria("legacy_alert_id", alert_ids)
return self
def set_watchlist_names(self, names):
"""
Restricts the alerts that this query is performed on to the specified
watchlist name values.
:param names list: list of string watchlist name values
:return: This instance
"""
if not all(isinstance(name, str) for name in names):
raise ApiError("One or more invalid watchlist names")
self._update_criteria("watchlist_name", names)
return self
def set_policy_ids(self, policy_ids):
"""
Restricts the alerts that this query is performed on to the specified
policy IDs.
:param policy_ids list: list of integer policy IDs
:return: This instance
"""
if not all(isinstance(policy_id, int) for policy_id in policy_ids):
raise ApiError("One or more invalid policy IDs")
self._update_criteria("policy_id", policy_ids)
return self
def _perform_query(self, rows=0):
if self._run_id is None:
raise ApiError("Can't retrieve results without a run ID")
url = self._doc_class.urlobject.format(self._cb.credentials.org_key,
self._run_id)
request = self._build_request(rows)
resp = self._cb.post_object(url, body=request)
result = resp.json()
results = result.get("terms", [])
for item in results:
yield self._doc_class(self._cb, item)
def set_process_names(self, process_names):
"""
Restricts the alerts that this query is performed on to the specified
process names.
:param process_names list: list of string process names
:return: This instance
"""
if not all(isinstance(n, str) for n in process_names):
raise ApiError("One or more invalid process names")
self._update_criteria("process_name", process_names)
return self
def set_group_ids(self, groupids):
"""
Restricts the alerts that this query is performed on to the specified
AppDefense-assigned alarm group IDs.
:param groupids list: List of (integer) AppDefense-assigned alarm group IDs.
:return: This instance.
"""
if not all(isinstance(groupid, int) for groupid in groupids):
raise ApiError("One or more invalid alarm group IDs")
self._update_criteria("group_id", groupids)
return self
def set_exclude_sensor_versions(self, sensor_versions):
"""
Restricts the devices that this query is performed on to exclude specified
sensor versions.
:param sensor_versions: List of sensor versions to exclude
:return: This instance
"""
if not all(isinstance(v, str) for v in sensor_versions):
raise ApiError("One or more invalid sensor versions")
self._update_exclusions("sensor_version", sensor_versions)
return self
def _lr_post_command(self, data):
retries = self.MAX_RETRY_COUNT
if "name" in data and data["name"] not in self.session_data[
"supported_commands"]:
raise ApiError("Command {0} not supported by this sensor".format(
data["name"]))
while retries:
try:
data["session_id"] = self.session_id
resp = self._cb.post_object(
"{cblr_base}/session/{0}/command".format(
self.session_id, cblr_base=self.cblr_base), data)
except ObjectNotFoundError as e:
if e.message.startswith("Sensor") or e.message.startswith(
"Session"):
self.session_id, self.session_data = self._cblr_manager._get_or_create_session(
self.sensor_id)
retries -= 1
continue
else:
try:
error_message = json.loads(e.message)
if error_message["status"] == "NOT_FOUND":
self.session_id, self.session_data = self._cblr_manager._get_or_create_session(
self.sensor_id)
retries -= 1
continue
except:
pass
raise ApiError(
"Received 404 error from server: {0}".format(
e.message))
else:
return resp
raise TimeoutError(
message="Command {0} failed after {1} retries".format(
data["name"], self.MAX_RETRY_COUNT))
def or_(self, q=None, **kwargs):
"""Add a disjunctive filter to this query.
:param q: `solrq.Q` object
:param kwargs: Arguments to construct a `solrq.Q` with
:return: Query object
:rtype: :py:class:`Query`
"""
if not q and not kwargs:
raise ApiError(".or_() expects a solrq.Q or kwargs")
self._query_builder.or_(q, **kwargs)
return self
def set_categories(self, categories):
"""
Restricts the alerts that this query is performed on to the specified categories.
:param categories list: List of categories to be restricted to. Valid categories are
"THREAT", "MONITORED", "INFO", "MINOR", "SERIOUS", and "CRITICAL."
:return: This instance
"""
if not all(
(c in BaseAlertSearchQuery.VALID_CATEGORIES) for c in categories):
raise ApiError("One or more invalid category values")
self._update_criteria("category", categories)
return self
def __init__(self, cb, model_unique_id):
if not validators.sha256(model_unique_id):
raise ApiError("model_unique_id must be a valid SHA256")
url = self.urlobject_single.format(cb.credentials.org_key,
model_unique_id)
item = cb.get_object(url)
super(Binary, self).__init__(cb,
model_unique_id=model_unique_id,
initial_data=item,
force_init=False,
full_doc=True)
def _submit(self):
if self._query_token:
raise ApiError("Query already submitted: token {0}".format(self._query_token))
args = self._get_query_parameters()
self._validate(args)
url = "/threathunter/search/v1/orgs/{}/processes/search_jobs".format(self._cb.credentials.org_key)
query_start = self._cb.post_object(url, body={"search_params": args})
self._query_token = query_start.json().get("query_id")
self._timed_out = False
self._submit_time = time.time() * 1000
def set_run_states(self, states):
"""
Restricts the alerts that this query is performed on to the specified run states.
:param states list: List of run states to look for. Valid values are "DID_NOT_RUN", "RAN",
and "UNKNOWN".
:return: This instance.
"""
if not all((s in CBAnalyticsAlertSearchQuery.VALID_RUN_STATES)
for s in states):
raise ApiError("One or more invalid run states")
self._update_criteria("run_state", states)
return self
def device_types(self, device_types):
"""
Restricts the devices that this LiveQuery run is performed on
to the given device types.
:param device_types: list of strs
:return: This instance
"""
if not all(
isinstance(device_type, str) for device_type in device_types):
raise ApiError("One or more invalid device types")
self._device_filter["device_types"] = device_types
return self
def set_sensor_actions(self, actions):
"""
Restricts the alerts that this query is performed on to the specified sensor actions.
:param actions list: List of sensor actions to look for. Valid values are "POLICY_NOT_APPLIED",
"ALLOW", "ALLOW_AND_LOG", "TERMINATE", and "DENY".
:return: This instance.
"""
if not all((action in CBAnalyticsAlertSearchQuery.VALID_SENSOR_ACTIONS)
for action in actions):
raise ApiError("One or more invalid sensor actions")
self._update_criteria("sensor_action", actions)
return self