def do_command(self):
client = QRadarAdvisorClient(qradar_host=self.system_host,
qradar_token=self.system_token,
advisor_app_id=self.opts_dict["app_id"],
cafile=False,
log=logging)
resp = client.quick_search(self.opts_dict["search"])
print(str(resp))
def _qradar_advisor_quick_search_function(self, event, *args, **kwargs):
"""Function:
Perform a QRadar Advisor quick search for an indicator.
The indicator is given as qradar_advisor_search_value in the input.
The QRadar Advisor reply is in json format.
This function forwards the QRadar Advisor reply to Resilient server, so
that user can process it in post-process script. """
try:
# Get the function parameters:
qradar_advisor_search_value = kwargs.get(
"qradar_advisor_search_value") # text
log = logging.getLogger(__name__)
log.info("qradar_advisor_search_value: %s",
qradar_advisor_search_value)
qradar_verify_cert = True
if "verify_cert" in self.options and self.options[
"verify_cert"] == "false":
qradar_verify_cert = False
yield StatusMessage("starting...")
client = QRadarAdvisorClient(
qradar_host=self.options["qradar_host"],
qradar_token=self.options["qradar_advisor_token"],
advisor_app_id=self.options["qradar_advisor_app_id"],
cafile=qradar_verify_cert,
log=log,
opts=self.opts,
function_opts=self.options)
ret_json = client.quick_search(qradar_advisor_search_value)
yield StatusMessage("done...")
log.debug("Return json is:{}".format(json.dumps(ret_json)))
results = ret_json
# Produce a FunctionResult with the results
yield FunctionResult(results)
except Exception as e:
log.error(str(e))
yield FunctionError(str(e))
def test_quick_search(self, mocked_get_session, mocked_update_session):
#
# First verify that if there is no CSRF token, the full_search
# function will call get_csrf_token to get one
#
mocked_cookies = Mock()
# Use this to mock the member variables
mocked_session = Mock(cookies=mocked_cookies)
mocked_get_session.return_value = mocked_session
client = QRadarAdvisorClient(qradar_host=QRADAR_HOST,
advisor_app_id=QRADAR_APP_ID,
qradar_token=QRADAR_TOKEN,
cafile=QRADAR_VERIFY,
log=logging)
#
# when a QRadarAdvisorClient is instantiated, its http_info shall
# has no csrf token
#
assert not client.http_info.xsrf_token
try:
mocked_session.get.return_value = _generate_response({}, 400)
client.quick_search("Not matter here")
assert False
except CsrfTokenError:
#
# because the CSRF token is None, full_search has to call get_csrf_token
# to get it. Since we returned 400 above, the full_search call
# shall throw this exception
#
assert True
#
# Now put a CSRF token
#
client.http_info.xsrf_token = CSRF_TOKEN
ret_cookies = {"XSRF-TOKEN": CSRF_TOKEN}
mocked_cookies.get_dict.return_value = ret_cookies
url = QRADAR_API_BASE_URL + "/search/quick"
search_value = "user:jsmith"
search_dict = {"indicator": search_value}
dict_str = json.dumps(search_dict)
quick_search_result = {
"suspicious_observables": [],
"other_observables": []
}
mocked_session.post.return_value = _generate_response(
quick_search_result, 200)
ret = client.quick_search(search_value)
assert ret == quick_search_result
mocked_session.post.assert_called_with(url=url,
data=dict_str,
verify=QRADAR_VERIFY)
#
# Verify status_code other than 200 shall result in exception
#
mocked_session.post.return_value = _generate_response(
quick_search_result, 422)
try:
client.quick_search(search_value)
assert False
except QuickSearchError:
assert True
#
# Verify exception of post call
#
mocked_session.post.side_effect = Exception("Some error exception")
try:
client.quick_search(search_value)
assert False
except QuickSearchError:
assert True