def search(cluster_name, username, api_key, query, scope=SEARCH_ALL, sort_by='-timestamp', offset=0, limit=1000):
    """Run a search against the cluster and return ``(total, objects)``.

    Args:
        cluster_name: Host used to build the ``https://`` endpoint.
        username: Sent as the ``username`` query parameter.
        api_key: Sent as the ``api_key`` query parameter.
        query: Search string; must be non-empty.
        scope: Key into ``_search_types`` / ``_search_uris``; a falsy value
            falls back to ``SEARCH_ALL``.
        sort_by: Passed through unchanged as ``sort_by``.
        offset: Passed through unchanged as ``offset``.
        limit: Passed through unchanged as ``limit``.

    Returns:
        ``(meta.total, objects)`` from the JSON body, with ``0`` and ``[]``
        as defaults when those keys are absent.

    Raises:
        ValueError: Unsupported ``scope`` or empty ``query``.
        requests.HTTPError: Propagated from ``raise_for_status``.
    """
    if not scope:
        log.debug('search scope not set, defaulting to all')
        scope = SEARCH_ALL
    if scope not in _search_types:
        log.error('Unsupported search scope: %s', scope)
        raise ValueError('Unsupported search scope: %s' % scope)
    if not query:
        log.error('Missing query')
        raise ValueError('Missing query')
    validate_basic_params(cluster_name, username, api_key)

    endpoint = 'https://{0}{1}'.format(cluster_name, _search_uris[scope])
    # The credentials ride in the query string, so they will appear in any
    # proxy or server access log that records full URLs; treat such logs as
    # sensitive. Unlike update_metadata()/get_asset_detail()/delete_metadata()
    # in this module, this call keeps the default TLS certificate verification.
    query_params = {
        'q': query,
        'offset': offset,
        'limit': limit,
        'sort_by': sort_by,
        'username': username,
        'api_key': api_key,
    }
    response = requests.get(endpoint, params=query_params)
    response.raise_for_status()

    body = response.json()
    meta = body.get('meta', {})
    return meta.get('total', 0), body.get('objects', [])
def update_metadata(cluster_name, username, api_key, asset_ip, metadata_dict, section_name=None):
    """PUT ``metadata_dict`` onto an asset, optionally into one named section.

    Args:
        cluster_name: Host used to build the ``https://`` endpoint.
        username: Sent as the ``username`` query parameter.
        api_key: Sent as the ``api_key`` query parameter.
        asset_ip: Asset identifier interpolated into the URL path.
        metadata_dict: JSON body of the PUT request.
        section_name: When truthy, targets ``.../metadata/section/<name>``
            instead of ``.../metadata``.

    Raises:
        ValueError: ``asset_ip`` or ``metadata_dict`` is falsy.
        requests.HTTPError: Propagated from ``raise_for_status``.
    """
    validate_basic_params(cluster_name, username, api_key)
    if not asset_ip or not metadata_dict:
        log.error('asset_ip or metadata_dict not specified')
        raise ValueError('asset_ip and metadata_dict are required')

    # NOTE(review): asset_ip and section_name are placed in the URL path
    # without escaping, so a value containing '/' changes which resource is
    # addressed; callers must pass only validated identifiers.
    if section_name:
        endpoint = 'https://%s/api/asset/%s/metadata/section/%s' % (cluster_name, asset_ip, section_name)
    else:
        endpoint = 'https://%s/api/asset/%s/metadata' % (cluster_name, asset_ip)

    credentials = {'username': username, 'api_key': api_key}
    # NOTE(review): verify=False disables TLS certificate verification, so the
    # api_key in the query string is exposed to anyone able to intercept the
    # connection. search() and get_details() in this module verify by default;
    # if the cluster uses a private CA, pass its bundle via verify=<path>
    # rather than turning verification off.
    response = requests.put(endpoint, params=credentials, json=metadata_dict, verify=False)
    response.raise_for_status()
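def get_asset_detail(cluster_name, username, api_key, asset_ip):
    """Fetch the detail record for one asset by IP.

    Args:
        cluster_name: Host used to build the ``https://`` endpoint.
        username: Sent as the ``username`` query parameter.
        api_key: Sent as the ``api_key`` query parameter.
        asset_ip: Asset identifier interpolated into ``/api/asset/ip/<ip>``.

    Returns:
        The decoded JSON body of the response.

    Raises:
        ValueError: ``asset_ip`` is falsy.
        requests.HTTPError: Propagated from ``raise_for_status``.
    """
    validate_basic_params(cluster_name, username, api_key)
    if not asset_ip:
        log.error('Asset IP not specified')
        # Fixed the doubled word ("is is") in the original message.
        raise ValueError('asset_ip is required')

    # NOTE(review): asset_ip is interpolated into the path unescaped; a value
    # containing '/' would address a different resource. Only pass validated
    # addresses here.
    url = 'https://%s/api/asset/ip/%s' % (cluster_name, asset_ip)
    # NOTE(review): verify=False disables TLS certificate verification and
    # exposes the api_key in the query string to interception. search() and
    # get_details() in this module verify by default; for a private CA pass
    # verify=<ca-bundle-path> instead of False.
    response = requests.get(url, params={'username': username, 'api_key': api_key}, verify=False)
    response.raise_for_status()
    return response.json()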
def get_details(cluster_name, username, api_key, resource_uri):
    """GET an arbitrary API resource path on the cluster and return its JSON.

    Args:
        cluster_name: Host used to build the ``https://`` endpoint.
        username: Sent as the ``username`` query parameter.
        api_key: Sent as the ``api_key`` query parameter.
        resource_uri: Path appended directly after the host (it must
            therefore start with ``/`` to form a valid URL).

    Returns:
        The decoded JSON body of the response.

    Raises:
        ValueError: ``resource_uri`` is falsy.
        requests.HTTPError: Propagated from ``raise_for_status``.
    """
    if not resource_uri:
        log.error('Missing resource_uri')
        raise ValueError('Missing resource_uri')
    validate_basic_params(cluster_name, username, api_key)

    # NOTE(review): resource_uri is concatenated onto the host verbatim, so
    # it fully controls which path on the cluster is requested. Callers should
    # only feed it values returned by the API itself, never user input.
    endpoint = 'https://{0}{1}'.format(cluster_name, resource_uri)
    credentials = {'username': username, 'api_key': api_key}
    response = requests.get(endpoint, params=credentials)
    response.raise_for_status()
    return response.json()
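def delete_metadata(cluster_name, username, api_key, asset_ip, section_name=None, key=None):
    """DELETE metadata from an asset: everything, one section, or one key.

    Args:
        cluster_name: Host used to build the ``https://`` endpoint.
        username: Sent as the ``username`` query parameter.
        api_key: Sent as the ``api_key`` query parameter.
        asset_ip: Asset identifier interpolated into the URL path.
        section_name: Optional section to delete from.
        key: Optional key to delete.

    The path suffix depends on which of ``section_name`` / ``key`` are set:
    both -> ``/metadata/<section>/<key>``; section only ->
    ``/metadata/section/<section>``; key only -> ``/metadata/<key>``;
    neither -> ``/metadata``.

    Raises:
        ValueError: ``asset_ip`` is falsy.
        requests.HTTPError: Propagated from ``raise_for_status``.
    """
    validate_basic_params(cluster_name, username, api_key)
    if not asset_ip:
        log.error('Asset IP not specified')
        # Fixed the doubled word ("is is") in the original message.
        raise ValueError('asset_ip is required')

    # NOTE(review): asset_ip, section_name and key are placed in the path
    # unescaped; a '/' inside any of them changes the addressed resource.
    # Only pass validated identifiers.
    url = 'https://%s/api/asset/%s/metadata' % (cluster_name, asset_ip)
    if section_name and key:
        # NOTE(review): the section-only branch below inserts a literal
        # 'section/' segment but this branch does not — confirm against the
        # API whether '/section/<section>/<key>' was intended.
        url += '/%s/%s' % (section_name, key)
    elif section_name:
        url += '/section/' + section_name
    elif key:
        url += '/' + key

    # NOTE(review): verify=False disables TLS certificate verification and
    # exposes the api_key in the query string to interception. search() and
    # get_details() in this module verify by default; for a private CA pass
    # verify=<ca-bundle-path> instead of False.
    response = requests.delete(url, params={'username': username, 'api_key': api_key}, verify=False)
    response.raise_for_status()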
def add_network_blocks_from_csv(cluster, username, api_key, filename):
    """Read ``address_block``/``label`` rows from a CSV and submit them in batches of 25.

    Args:
        cluster: Cluster host, passed through to ``_submit_network_blocks``.
        username: Passed through to ``_submit_network_blocks``.
        api_key: Passed through to ``_submit_network_blocks``.
        filename: Path of the CSV file; its header row must name the
            ``address_block`` and ``label`` columns (missing columns yield
            ``None`` values in the submitted records).

    Raises:
        ValueError: ``filename`` is falsy.
        IOError/OSError: From ``open`` if the file cannot be read.
    """
    if not filename:
        log.error('Filename not specified')
        raise ValueError('Filename not specified')
    validate_basic_params(cluster, username, api_key)

    batch_size = 25
    pending = []
    # NOTE(review): 'rb' with csv.DictReader is the Python 2 idiom; on
    # Python 3 csv expects a text-mode file opened with newline='' —
    # confirm which interpreter this module targets.
    with open(filename, 'rb') as csvfile:
        for row in csv.DictReader(csvfile):
            pending.append({
                'address_block': row.get('address_block'),
                'label': row.get('label'),
            })
            # The list is rebound (not cleared in place) after each submit,
            # so its length here is always between 1 and batch_size.
            if len(pending) == batch_size:
                _submit_network_blocks(cluster, username, api_key, pending)
                pending = []
    # Flush the final partial batch, if any.
    if pending:
        _submit_network_blocks(cluster, username, api_key, pending)
def threat_intel_from_csv(cluster, username, api_key, filename, default_confidence):
    """Load threat-intel indicators from a CSV and POST them to ``/api/intelligence``.

    Each CSV row may carry ``value``, ``confidence``, ``source``, ``tags``,
    ``ttl`` and ``override_ttl`` columns. Numeric-looking ``confidence`` and
    ``ttl`` strings are converted with ``int``; blank ``confidence`` falls
    back to ``default_confidence``, blank ``source`` to ``'User Import'``,
    ``tags`` is split on commas, and ``override_ttl`` is true only for the
    case-insensitive string ``'true'``. Every record is sent with
    ``active: True``.

    Args:
        cluster: Host used to build the ``https://`` endpoint.
        username: Sent as the ``username`` query parameter.
        api_key: Sent as the ``api_key`` query parameter.
        filename: Path of the CSV file.
        default_confidence: Used when a row has no usable ``confidence``.

    Raises:
        ValueError: ``filename`` is falsy.
        requests.HTTPError: Propagated from ``raise_for_status``.
    """
    if not filename:
        log.error('Filename not specified')
        raise ValueError('Filename not specified')
    validate_basic_params(cluster, username, api_key)

    def _to_int_if_numeric(text):
        # Only convert non-empty strings that is_int_string accepts;
        # anything else is passed through untouched.
        if text and is_int_string(text):
            return int(text)
        return text

    def _record_from_row(row):
        tags = row.get('tags')
        override = row.get('override_ttl')
        confidence = _to_int_if_numeric(row.get('confidence'))
        ttl = _to_int_if_numeric(row.get('ttl'))
        return {
            'value': row.get('value'),
            'confidence': confidence or default_confidence,
            'source': row.get('source') or 'User Import',
            'tags': tags.split(',') if tags else [],
            'ttl': ttl or None,
            'active': True,
            'override_ttl': bool(override and override.lower() == 'true'),
        }

    # NOTE(review): 'rb' with csv.DictReader is the Python 2 idiom; on
    # Python 3 csv expects a text-mode file opened with newline='' —
    # confirm which interpreter this module targets.
    with open(filename, 'rb') as csvfile:
        records = [_record_from_row(row) for row in csv.DictReader(csvfile)]

    endpoint = 'https://{0}/api/intelligence'.format(cluster)
    credentials = {'username': username, 'api_key': api_key}
    # This call uses the default TLS verification, unlike the verify=False
    # calls elsewhere in this module.
    response = requests.post(endpoint, json={'objects': records}, params=credentials)
    response.raise_for_status()
def list_users(cluster_name, username, api_key):
    """Return the cluster's user list via ``get_simple_list`` on ``/api/user``.

    Args:
        cluster_name: Host used to build the ``https://`` endpoint.
        username: Forwarded to ``get_simple_list``.
        api_key: Forwarded to ``get_simple_list``.

    Returns:
        Whatever ``get_simple_list`` returns for the ``/api/user`` endpoint.
    """
    validate_basic_params(cluster_name, username, api_key)
    endpoint = 'https://{0}/api/user'.format(cluster_name)
    return get_simple_list(endpoint, username, api_key)