def selftest_function(opts):
"""
Placeholder for selftest function. An example use would be to test package api connectivity.
Suggested return values are be unimplemented, success, or failure.
"""
options = opts.get("fn_google_cloud_dlp", {})
# When the helper is instantiated, we make a connection to Google Cloud by also instantiating the DLP Class
# If credentials aren't set right this will fail
helper = GCPHelper(options, res_client=get_resilient_client(opts=opts))
# Config Appears to be okay and can make A connection to google
# Now to test if we can inspect a string of content
try:
helper.inspect_string(content_string="Test", info_types=[])
except Exception as dlp_exception:
log.error(
u"Encountered Exception when interfacing with DLP; Exception: {}".
format(dlp_exception))
return {"state": "failure", "reason": dlp_exception}
return {"state": "success"}
def rest_client(self):
"""Return a connected instance of the :class:`resilient.SimpleClient`
that can be used to access the Resilient REST API.
"""
self.reset_idle_timer()
return get_resilient_client(self.opts)
def triggered_job(incident_id, object_id, row_id, scheduler_label, rule_name,
rule_id, rule_object_type_id, rule_params, opts, **kwargs):
"""
This function is called when a scheduled rule is triggered. It is run asynchronous of the create_scheduled_rule process.
It's role is to build the api call-back to Resilient to run the rule.
In addition to invoking a rule, a note is added to the incideent to indicate that a scheduled rule was run.
:param incident_id:
:param object_id: task_id, note_id, artifact_id, etc.
:param row_id: used when object_id is a datatable_id
:param scheduler_label:
:param rule_name:
:param rule_id:
:param rule_object_type_id: internal id referring to incident, task, artifact, etc.
:param rule_params:
:param opts: contains [resilient] parameters needed to connect back to Resilient for API calls
:param kwargs: catch all for additional arguments as necessary
:return: None
"""
log.debug(incident_id)
log.debug(rule_id)
log.debug(rule_object_type_id)
log.debug(rule_params)
log.debug(kwargs)
# get the rest client
rest_client = get_resilient_client(opts)
scheduler = ResilientScheduler.get_scheduler()
# make sure the incident is still open and not deleted
try:
resp = get_incident(rest_client, incident_id)
except SimpleHTTPException:
resp = None
if not resp or resp['end_date'] is not None:
log.warning(
u"Incident %s is not found or closed. Removing scheduled rule: %s",
incident_id, rule_name)
scheduler.remove_job(scheduler_label)
return
# make sure the rule is still enabled
try:
get_rule_by_id(rest_client, rule_id)
except KeyError as err:
# remove rules which no longer exist
log.error(u"Rule '%s' not found and schedule will be removed.",
rule_name)
add_comment(
rest_client, incident_id,
u"Error running rule '{}': {}".format(scheduler_label, str(err)))
scheduler.remove_job(scheduler_label)
return
# build url for invoking a rule
rule_type = lookup_object_type(rest_client, rule_object_type_id)
if rule_type == "tasks":
url = "/{}/{}".format(rule_type, object_id)
else:
url = "/incidents/{}".format(incident_id)
if rule_type != '':
url = url + "/{}/{}".format(rule_type, object_id)
if row_id:
url = url + "/row_data/{}".format(row_id)
url = url + "/action_invocations"
# build the JSON for rule
payload = {"action_id": rule_id, "properties": rule_params}
log.info("Executing Rule '{}:{}' for Incident {}".format(
scheduler_label, rule_name, incident_id))
# run the rule
try:
resp = rest_client.post(url, payload)
log.debug(resp)
except SimpleHTTPException as err:
# is the object removed?
if "Not Found" in str(err):
log.error(
"Object not found and schedule will be removed for rule '%s'",
rule_id)
add_comment(
rest_client, incident_id,
u"Error running rule '{}': {}".format(scheduler_label,
str(err)))
scheduler.remove_job(scheduler_label)
return
if rule_type:
add_comment(
rest_client, incident_id,
u"Scheduled job '{}' run on {}: {}".format(rule_name, rule_type,
object_id))
else:
add_comment(rest_client, incident_id,
u"Scheduled job '{}' run on incident".format(rule_name))
def get_connected_resilient_client(config):
opts = config.get("opts")
client = get_resilient_client(opts)
client.connect(opts.email, opts.password)
return client
def get_connected_resilient_client(config):
opts = config.get("opts")
client = get_resilient_client(opts)
return client
def test():
"""Test some basic functionality"""
from resilient_circuits.rest_helper import get_resilient_client
from resilient_circuits.actions_component import ActionMessage
import time
opts = vars(
resilient.ArgumentParser(
config_file=os.environ.get("APP_CONFIG_FILE")).parse_args())
client = get_resilient_client(opts)
action_event = None
result = Disposition(client, "new_incident").call(action_event, {
"name": "new test incident",
"discovered_date": 0
})
LOG.debug(result)
assert result["id"] > 0
print("Created incident {}".format(result["id"]))
incident = result
action_event = ActionMessage(message={"incident": incident})
result = Disposition(client, "new_task").call(action_event,
{"name": "new task"})
LOG.debug(result)
assert result["id"] > 0
action_event.task = result
result = Disposition(client, "update_task").call(action_event,
{"name": "updated task"})
LOG.info(result)
result = Disposition(client, "new_note").call(action_event,
{"text": "new note"})
LOG.debug(result)
assert result["id"] > 0
action_event.note = result
result = Disposition(client, "update_note").call(action_event,
{"text": "updated note"})
LOG.info(result)
t_now = int(time.time() * 1000)
result = Disposition(client, "new_milestone").call(action_event, {
"date": t_now,
"title": "new milestone"
})
LOG.debug(result)
assert result["id"] > 0
action_event.milestone = result
result = Disposition(client, "update_milestone").call(
action_event, {"title": "updated milestone"})
LOG.info(result)
result = Disposition(client, "new_artifact").call(action_event, {
"type": "DNS Name",
"value": "rtfm.mit.edu"
})
LOG.debug(result)
assert result[0]["id"] > 0
action_event.artifact = result[0]
result = Disposition(client, "update_artifact").call(
action_event, {"description": "updated artifact"})
LOG.info(result)
result = Disposition(client, "new_attachment").call(
action_event, "string value\nfor attachment")
result = Disposition(client, "new_attachment").call(
action_event, u"unicode value\nfor attachment")
result = Disposition(client, "new_attachment").call(
action_event, b"bytes value\nfor attachment")
result = Disposition(client, "new_attachment").call(
action_event, {"value": "json value\nfor attachment"})
