def selftest_function(opts):
"""
Simple test to verify McAfee ESM connectivity.
"""
options = opts.get("fn_mcafee_esm", {})
try:
# Instantiate RequestsCommon object
rc = RequestsCommon(opts=opts, function_opts=options)
# Check config file and change trust_cert to Boolean
options = check_config(options)
url = options["esm_url"] + "/rs/esm/v2/caseGetCaseList"
headers = get_authenticated_headers(rc, options["esm_url"],
options["esm_username"],
options["esm_password"],
options["trust_cert"])
r = rc.execute_call_v2('post',
url,
headers=headers,
verify=options["trust_cert"],
proxies=rc.get_proxies())
if r.status_code == 200:
return {"state": "success", "status_code": r.status_code}
else:
return {"state": "failure", "status_code": r.status_code}
except Exception as e:
return {"state": "failure", "status_code": e}
def alarm_get_triggered_alarms(rc, options, params):
url = options["esm_url"] + "/rs/esm/v2/alarmGetTriggeredAlarms"
headers = get_authenticated_headers(rc, options["esm_url"], options["esm_username"],
options["esm_password"], options["trust_cert"])
r = rc.execute_call_v2('post', url, headers=headers, params=params, verify=options["trust_cert"],
proxies=rc.get_proxies())
check_status_code(r.status_code)
return r.json()
def case_get_case_list(options):
url = options["esm_url"] + "/rs/esm/v2/caseGetCaseList"
headers = get_authenticated_headers(options["esm_url"],
options["esm_username"],
options["esm_password"],
options["trust_cert"])
r = requests.post(url, headers=headers, verify=options["trust_cert"])
check_status_code(r.status_code)
return r.json()
def _mcafee_esm_get_case_detail_function(self, event, *args, **kwargs):
"""Function: Calls the caseGetCaseDetail endpoint and returns all the details of a case."""
try:
start_time = time.time()
yield StatusMessage("starting...")
options = self.options
# Instantiate RequestsCommon object
rc = RequestsCommon(opts=self.opts, function_opts=self.options)
authenticated_headers = get_authenticated_headers(
rc, options["esm_url"], options["esm_username"],
options["esm_password"], options["trust_cert"])
# Get the function parameters:
mcafee_esm_case_id = kwargs.get("mcafee_esm_case_id") # number
log = logging.getLogger(__name__)
if not mcafee_esm_case_id:
raise ValueError("mcafee_esm_case_id is required")
log.info("mcafee_esm_case_id: %s", mcafee_esm_case_id)
# Get case details
details = case_get_case_detail(rc, options, authenticated_headers,
mcafee_esm_case_id)
end_time = time.time()
results = {
"inputs": {
"mcafee_esm_case_id": mcafee_esm_case_id
},
"metrics": {
"execution_time":
str(end_time - start_time),
"function":
"mcafee_esm_get_case_detail",
"thread":
current_thread().name,
"timestamp":
datetime.fromtimestamp(end_time).strftime(
"%Y-%m-%d %H:%M:%S")
},
"details": details
}
yield StatusMessage("done...")
# Produce a FunctionResult with the results
yield FunctionResult(results)
except Exception as e:
yield FunctionError(e)
def alarm_get_triggered_alarms(options, params):
url = options["esm_url"] + "/rs/esm/v2/alarmGetTriggeredAlarms"
headers = get_authenticated_headers(options["esm_url"],
options["esm_username"],
options["esm_password"],
options["trust_cert"])
r = requests.post(url,
headers=headers,
params=params,
verify=options["trust_cert"])
check_status_code(r.status_code)
return r.json()
def case_get_case_events_details(options, ids):
url = options["esm_url"] + "/rs/esm/v2/caseGetCaseEventsDetail"
headers = get_authenticated_headers(options["esm_url"],
options["esm_username"],
options["esm_password"],
options["trust_cert"])
payload = {"eventIds": {"list": [ids]}}
r = requests.post(url,
headers=headers,
data=json.dumps(payload),
verify=options["trust_cert"])
check_status_code(r.status_code)
return r.json()
def case_get_case_list(rc, options):
url = options["esm_url"] + "/rs/esm/v2/caseGetCaseList"
headers = get_authenticated_headers(rc, options["esm_url"],
options["esm_username"],
options["esm_password"],
options["trust_cert"])
r = rc.execute_call_v2('post',
url,
headers=headers,
verify=options["trust_cert"],
proxies=rc.get_proxies())
check_status_code(r.status_code)
return r.json()
def case_edit_case_details(rc, options, dict_payload, case_id):
headers = get_authenticated_headers(rc, options["esm_url"], options["esm_username"],
options["esm_password"], options["trust_cert"])
case_details = case_get_case_detail(rc, options, headers, case_id)
case_assigned_dict = dict(caseDetail={})
case_assigned_dict["caseDetail"]["assignedTo"] = case_details.get("assignedTo")
case_assigned_dict["caseDetail"]["orgId"] = case_details.get("orgId")
dict_payload["caseDetail"] = merge_two_dicts(case_details, dict_payload["caseDetail"])
url = options["esm_url"] + "/rs/esm/v2/caseEditCase"
r = rc.execute_call_v2('post', url, headers=headers, data=json.dumps(dict_payload), verify=options["trust_cert"],
proxies=rc.get_proxies())
check_status_code(r.status_code)
def test_get_authenticated_headers(self, mocked_requests_post):
ops = check_config(t_config_data)
content = {"status": "success"}
mocked_requests_post.return_value = generate_response(content, 200)
expected_headers = {
"content-type": "application/json",
"cache-control": "no-cache",
"Cookie": "JWTToken=mock_cookie_token",
"X-Xsrf-Token": "mock_header_token"
}
actual_headers = get_authenticated_headers(ops.get("esm_url"),
ops.get("esm_username"),
ops.get("esm_password"),
ops.get("verify_cert"))
assert expected_headers == actual_headers
def esm_polling_thread(self):
while True:
case_list = case_get_case_list(self.options)
headers = get_authenticated_headers(self.options["esm_url"],
self.options["esm_username"],
self.options["esm_password"],
self.options["trust_cert"])
# Check cases in incidents
for case in case_list:
# If case is not currently an incident create one
if len(self._find_resilient_incident_for_req(case["id"])) == 0:
incident_payload = self.build_incident_dto(
headers, case["id"])
self.create_incident(incident_payload)
# Amount of time (seconds) to wait to check cases again, defaults to 10 mins if not set
time.sleep(int(self.options.get("esm_polling_interval", 600)))
def _mcafee_esm_query_logs_function(self, event, *args, **kwargs):
"""Function: Queries McAfee ESM."""
try:
start_time = time.time()
yield StatusMessage("starting...")
options = self.options
# Instantiate RequestsCommon object
rc = RequestsCommon(opts=self.opts, function_opts=self.options)
authenticated_headers = get_authenticated_headers(
rc, options["esm_url"], options["esm_username"],
options["esm_password"], options["trust_cert"])
# Get inputs
mcafee_esm_qry_type = self.get_select_param(
kwargs.get("mcafee_esm_qry_type", "EVENT")) # select
mcafee_esm_qry_config = self.get_textarea_param(
kwargs.get("mcafee_esm_qry_config")) # textarea
# Log inputs
if mcafee_esm_qry_type:
log.info("mcafee_esm_qry_type: %s", mcafee_esm_qry_type)
else:
raise FunctionError("mcafee_esm_qry_type needs to be set")
if mcafee_esm_qry_config:
log.info("mcafee_esm_qry_config: %s", mcafee_esm_qry_config)
else:
raise FunctionError("mcafee_esm_qry_config needs to be set")
# Query Logs
qconf_json, total_records = query_esm(rc, options,
authenticated_headers,
mcafee_esm_qry_config,
mcafee_esm_qry_type)
query_result = None
if total_records:
yield StatusMessage("{} records".format(str(total_records)))
query_result = get_results(rc, options, authenticated_headers,
qconf_json)
else:
yield StatusMessage("No results returned")
end_time = time.time()
results = {
"inputs": {
"mcafee_esm_qry_type": mcafee_esm_qry_type,
"mcafee_esm_qry_config": mcafee_esm_qry_config
},
"metrics": {
"execution_time":
str(end_time - start_time),
"function":
"mcafee_esm_query_logs",
"thread":
current_thread().name,
"timestamp":
datetime.fromtimestamp(end_time).strftime(
"%Y-%m-%d %H:%M:%S")
},
"result": query_result
}
yield StatusMessage("done...")
# Produce a FunctionResult with the results
yield FunctionResult(results)
except Exception as e:
yield FunctionError(e)