├── .gitignore
├── LICENSE
├── MANIFEST.in
├── README.md
├── requirements.txt
├── setup.py
└── sophos_central_api_connector
    ├── config
        ├── intelix_config.ini
        ├── misp_config.ini
        ├── sophos_central_api_config.py
        ├── sophos_config.ini
        └── splunk_config.ini
    ├── docs
        ├── alerts.md
        ├── get_admins.md
        ├── get_firewall_groups.md
        ├── get_firewalls.md
        ├── get_roles.md
        ├── intelix.md
        ├── intelix_configuration.md
        ├── inventory.md
        ├── ioc_hunter.md
        ├── local_sites.md
        ├── misp_configuration.md
        ├── sophos_configuration.md
        └── splunk_configuration.md
    ├── get_admins.py
    ├── get_firewall_groups.py
    ├── get_firewalls.py
    ├── get_roles.py
    ├── ioc_hunter.py
    ├── queries
        ├── live_discover_queries
        │   └── ld_ioc_hunter.sql
        └── xdr_queries
        │   └── xdr_ioc_hunter.sql
    ├── sophos_central_api_auth.py
    ├── sophos_central_api_awssecrets.py
    ├── sophos_central_api_connector_utils.py
    ├── sophos_central_api_delete_data.py
    ├── sophos_central_api_get_data.py
    ├── sophos_central_api_intelix.py
    ├── sophos_central_api_live_discover.py
    ├── sophos_central_api_output.py
    ├── sophos_central_api_polling.py
    ├── sophos_central_api_tenants.py
    ├── sophos_central_hec_splunk.py
    └── sophos_central_main.py


/.gitignore:
--------------------------------------------------------------------------------
  1 | # Byte-compiled / optimized / DLL files
  2 | __pycache__/
  3 | *.py[cod]
  4 | *$py.class
  5 | 
  6 | # C extensions
  7 | *.so
  8 | 
  9 | # Distribution / packaging
 10 | .Python
 11 | build/
 12 | develop-eggs/
 13 | dist/
 14 | downloads/
 15 | eggs/
 16 | .eggs/
 17 | lib/
 18 | lib64/
 19 | parts/
 20 | sdist/
 21 | var/
 22 | wheels/
 23 | *.egg-info/
 24 | .installed.cfg
 25 | *.egg
 26 | MANIFEST
 27 | 
 28 | # PyInstaller
 29 | #  Usually these files are written by a python script from a template
 30 | #  before PyInstaller builds the exe, so as to inject date/other infos into it.
 31 | *.manifest
 32 | *.spec
 33 | 
 34 | # Installer logs
 35 | pip-log.txt
 36 | pip-delete-this-directory.txt
 37 | 
 38 | # Unit test / coverage reports
 39 | htmlcov/
 40 | .tox/
 41 | .coverage
 42 | .coverage.*
 43 | .cache
 44 | nosetests.xml
 45 | coverage.xml
 46 | *.cover
 47 | .hypothesis/
 48 | .pytest_cache/
 49 | 
 50 | # Translations
 51 | *.mo
 52 | *.pot
 53 | 
 54 | # Django stuff:
 55 | *.log
 56 | local_settings.py
 57 | db.sqlite3
 58 | 
 59 | # Flask stuff:
 60 | instance/
 61 | .webassets-cache
 62 | 
 63 | # Scrapy stuff:
 64 | .scrapy
 65 | 
 66 | # Sphinx documentation
 67 | sophos_central_api_connector/docs/_build/
 68 | 
 69 | # PyBuilder
 70 | target/
 71 | 
 72 | # Jupyter Notebook
 73 | .ipynb_checkpoints
 74 | 
 75 | # pyenv
 76 | .python-version
 77 | 
 78 | # celery beat schedule file
 79 | celerybeat-schedule
 80 | 
 81 | # SageMath parsed files
 82 | *.sage.py
 83 | 
 84 | # Environments
 85 | .env
 86 | .venv
 87 | env/
 88 | venv/
 89 | ENV/
 90 | env.bak/
 91 | venv.bak/
 92 | 
 93 | # Spyder project settings
 94 | .spyderproject
 95 | .spyproject
 96 | 
 97 | # Rope project settings
 98 | .ropeproject
 99 | 
100 | # mkdocs documentation
101 | /site
102 | 
103 | # mypy
104 | .mypy_cache/
105 | .DS_Store


--------------------------------------------------------------------------------
/MANIFEST.in:
--------------------------------------------------------------------------------
1 | recursive-include sophos_central_api_connector *.ini *.py *.md *.sqlite


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # Sophos Central API Connector
  2 | Python library to utilise many of the features in Sophos Central API across multiple or single tenants
  3 | 
  4 | * [Documentation: Sophos Central API](https://developer.sophos.com/)
  5 | * [Documentation: Sophos Central API Connector](https://github.com/sophos-cybersecurity/sophos-central-api-connector/tree/master/sophos_central_api_connector/docs)
  6 | 
  7 | ![Python](https://img.shields.io/badge/python-v3.6+-blue.svg)
  8 | [![License: GPL v3](https://img.shields.io/badge/License-GPLv3-blue.svg)](https://www.gnu.org/licenses/gpl-3.0)
  9 | [![Generic badge](https://img.shields.io/badge/version-0.1.6-green.svg)](https://shields.io/)
 10 |    ___
 11 | 
 12 | ## Table of contents: 
 13 | 
 14 | - [Sophos Central API Connector](#sophos-central-api-connector)
 15 |   * [Features](#features)
 16 |   * [Quick start](#quick-start)
 17 |       - [**Important!**](#--important---)
 18 |   * [Prerequisites](#prerequisites)
 19 |   * [Install](#install)
 20 |   * [Authentication](#authentication)
 21 |     + [Static Credentials](#static-credentials)
 22 |     + [AWS Secrets Manager](#aws-secrets-manager)
 23 |   * [Basic Examples](#basic-examples)
 24 |     + [Help](#help)
 25 |     + [Tenants List](#tenants-list)
 26 |     + [Inventory](#inventory)
 27 |     + [Alerts/Event Information](#alerts-event-information)
 28 |     + [Local Site](#local-site)
 29 |   * [Output Options](#output-options)
 30 |   * [Troubleshooting](#troubleshooting)
 31 |   * [Structure](#structure)
 32 |   
 33 |    ___
 34 | 
 35 | ## Features
 36 | All features can be run against single or multiple tenants
 37 | * Gather tenant system inventory 
 38 |   * Output to stdout, json, Splunk
 39 | * Gather alerts
 40 |    * Alert polling
 41 |    * Output to stdout, json, Splunk
 42 | * Local Sites
 43 |    * Clean up Global exclusions
 44 |       * Compare exclusions to SophosLabs Intelix
 45 |    * Generate report
 46 | * IOC Hunting - Utilising Live Discover or XDR DataLake
 47 |    * MISP Attribute hunting (eventId, tags)
 48 |    * RAW JSON input
 49 |    * Saved search
 50 |     
 51 | ___
 52 | 
 53 | ## Quick start
 54 | Want to test as quickly as possible? Follow the below quick start steps to begin looking at your Sophos Central data!
 55 | 1. Install latest version of Python 3
 56 | 1. Create a folder e.g "sophos_test"
 57 | 1. Open a command prompt/terminal
 58 | 1. Create a Python Virtual Environment:
 59 |    ```commandline
 60 |    python -m venv <folder_name>
 61 |    ```
 62 | 1. Activate the Python Virtual Environment:
 63 |    ```commandline
 64 |    <path_to_folder>\Scripts\activate
 65 |    ```
 66 | 1. Install the Sophos Central API Connector (this will also install the requirements):
 67 |    ```commandline
 68 |    pip install sophos-central-api-connector
 69 |    ```
 70 | 1. Once it has finished installing browse to:
 71 |    ```commandline
 72 |    cd <path_to_folder>\Lib\site-packages\sophos_central_api_connector
 73 |    ```
 74 | 1. Run the following command to view help to begin:
 75 |    ```commandline
 76 |    python sophos_central_main.py --help
 77 |    ```
 78 | 1. Add your Sophos Central API id and secret to the sophos_config.ini under the folder: \Lib\site-packages\sophos_central_api_connector\config
 79 | 
 80 |    > #### **Important!**
 81 |    > We would recommend that the static entry is only used for testing purposes and the token is stored and accessed securely.
 82 |    > Please reference the authentication section
 83 | ___
 84 | 
 85 | ## Prerequisites
 86 | In order to use the package you will require a valid API key from your Sophos Central tenant. To obtain a valid API key please reference the documentation [here](https://developer.sophos.com/intro)
 87 | ___
 88 | 
 89 | ## Install
 90 | ```commandline
 91 | pip install --user sophos_central_api_connector
 92 | ```
 93 | ___
 94 | 
 95 | ## Authentication
 96 | There are two options for authentication, the setting used here will be used for all areas of authentication. As mentioned under the configuration section we recommend using the AWS Secrets Manager for storing these credentials. Only use the static credentials for testing purposes.
 97 | 
 98 | ### Static Credentials
 99 | To specify using the static credentials which are in the \*config.ini files you can use the following:
100 | `python3 sophos_central_main.py --auth static`
101 | 
102 | ### AWS Secrets Manager
103 | To specify using the AWS settings which are in the \*config.ini files to retrieve the secrets and token you can use the following:
104 | `python3 sophos_central_main.py --auth aws`
105 | ___
106 | 
107 | ## Basic Examples
108 | 
109 | ### Help
110 | To get information on the CLI commands when using the `sophos_central_main.py` run:
111 | 
112 | ```commandline
113 | python sophos_central_main.py --help
114 | ```
115 | 
116 | ### Tenants List
117 | To get a list of tenants:
118 | 
119 | ```commandline
120 | python sophos_central_main.py --auth <auth_option> --get tenants
121 | ```
122 | 
123 | ### Inventory
124 | To get inventory data:
125 | ```commandline
126 | python sophos_central_main.py --auth <auth_option> --get inventory --output <output_option>
127 | ```
128 | 
129 | ### Alerts/Event Information
130 | To get alert data:
131 | ```commandline
132 | python sophos_central_main.py --auth <auth_option> --get alerts --days <integer: 1-90> --output <output_option>
133 | ```
134 | 
135 | ### Local Site
136 | To get a list of local site data:
137 | ```commandline
138 | python sophos_central_main.py --auth <auth_option> --get local-sites --output <output_option>
139 | ```
140 |    ___
141 | 
142 | ## Output Options
143 | There are four output options available for the inventory, simply add one of the following after `--output`:
144 | - **stdout:** Print the information to the console.
145 | - **json:** Save the output of the request to a json file
146 | - **splunk:** This will send the data to Splunk with no changes made. This will apply the settings made in the transform files.
147 | - **splunk_trans:** Using this output will apply the information set in the splunk_config.ini for the host, source and sourcetype. This will overrun the settings in the transform files in Splunk but not the Index that the data should be sent to.
148 | 
149 | ___
150 | 
151 | ## Troubleshooting
152 | All logging is done via the python `logging` library. Valid logging levels are:
153 | 
154 | - INFO
155 | - DEBUG
156 | - CRITICAL
157 | - WARNING
158 | - ERROR
159 | 
160 | For basic feedback set the logging level to `INFO`
161 | ___
162 | 
163 | ## Structure
164 | Below is the structure after installing through pip:
165 | ```
166 | sophos_central_api_connector
167 | |   .gitignore
168 | |   LICENSE
169 | |   MANIFEST.in
170 | |   README.md
171 | |   requirements.txt
172 | |   setup.py
173 | |___docs
174 | |       alerts.md
175 | |       intelix.md
176 | |       intelix_configuration.md
177 | |       inventory.md
178 | |       ioc_hunter.md
179 | |       local_sites.md
180 | |       misp_configuration.md
181 | |       sophos_configuration.md
182 | |       splunk_configuration.md
183 | |___queries
184 | |       |___live_discover_queries
185 | |               ld_ioc_hunter.sql
186 | |       |___xdr_queries
187 | |               xdr_ioc_hunter.sql
188 | |___sophos_central_api_connector
189 | |       ioc_hunter.py
190 | |       sophos_central_api_live_discover.py
191 | |       sophos_central_api_auth.py
192 | |       sophos_central_api_awssecrets.py
193 | |       sophos_central_api_connector_utils.py
194 | |       sophos_central_api_delete_data.py
195 | |       sophos_central_api_get_data.py
196 | |       sophos_central_api_intelix.py
197 | |       sophos_central_api_output.py
198 | |       sophos_central_api_polling.py
199 | |       sophos_central_api_tenants.py
200 | |       sophos_central_api_hec_splunk.py
201 | |       sophos_central_main.py
202 | |       get_admins.py
203 | |       get_roles.py
204 | |       get_firewall_groups.py
205 | |       get_firewalls.py
206 | |___config
207 | |       intelix_config.ini
208 | |       misp_config.ini
209 | |       sophos_central_api_config.py
210 | |       sophos_config.ini
211 | |       splunk_config.ini
212 | ```
213 | 
214 | Below is the structure with all the files that are created through different mechanisms:
215 | ```
216 | sophos_central_api_connector
217 | |   .gitignore
218 | |   LICENSE
219 | |   MANIFEST.in
220 | |   README.md
221 | |   requirements.txt
222 | |   setup.py
223 | |___sophos_central_api_connector
224 | |   |___docs
225 | |   |       alerts.md
226 | |   |       intelix.md
227 | |   |       intelix_configuration.md
228 | |   |       inventory.md
229 | |   |       ioc_hunter.md
230 | |   |       local_sites.md
231 | |   |       misp_configuration.md
232 | |   |       sophos_configuration.md
233 | |   |       splunk_configuration.md
234 | |___queries
235 | |       |___live_discover_queries
236 | |               ld_ioc_hunter.sql
237 | |       |___xdr_queries
238 | |               xdr_ioc_hunter.sql
239 | |       ioc_hunter.py
240 | |       sophos_central_api_live_discover.py
241 | |       sophos_central_api_auth.py
242 | |       sophos_central_api_awssecrets.py
243 | |       sophos_central_api_connector_utils.py
244 | |       sophos_central_api_delete_data.py
245 | |       sophos_central_api_get_data.py
246 | |       sophos_central_api_intelix.py
247 | |       sophos_central_api_output.py
248 | |       sophos_central_api_polling.py
249 | |       sophos_central_api_tenants.py
250 | |       sophos_central_api_hec_splunk.py
251 | |       sophos_central_main.py
252 | |       get_admins.py
253 | |       get_roles.py
254 | |       get_firewall_groups.py
255 | |       get_firewalls.py
256 | |___config
257 | |       intelix_config.ini
258 | |       misp_config.ini
259 | |       sophos_central_api_config.py
260 | |       sophos_config.ini
261 | |       splunk_config.ini
262 | |___logs
263 | |       failed_events.json
264 | |___output
265 | |   |___get_alerts
266 | |   |       <tenant_name>_<tenant_id>.json
267 | |   |       ...
268 | |   |___get_inventory
269 | |   |       <tenant_name>_<tenant_id>.json
270 | |   |       ...
271 | |   |___get_local_sites
272 | |   |       <tenant_name>_<tenant_id>.json
273 | |   |       ...
274 | |   |___admin_data
275 | |   |       <tenant_name>_<tenant_id>.json
276 | |   |       ...	
277 | |   |___roles_data
278 | |   |       <tenant_name>_<tenant_id>.json
279 | |   |       ...
280 | |   |_firewall_groups
281 | |   |       <tenant_name>_<tenant_id>.json
282 | |   |       ...
283 | |   |_firewall_inventory
284 | |   |       <tenant_name>_<tenant_id>.json
285 | |   |       ...
286 | |   |___intelix
287 | |       |___delete_local_sites
288 | |           <date>_<time>_deletion_details.json
289 | |           <date>_<time>_deletion_report.json
290 | |           ...
291 | |       <date>_<time>_intelix_results.json
292 | |       <date>_<time>_results_combined.json
293 | |       <tenant_id>_<date>_<time>_<risk_level>_dry_run_report.json
294 | |       ...
295 | |   |___query_results
296 | |       <xdr_datalake/live-discover>_query_list.json
297 | |       <xdr_datalake/live-discover>_search_data_<timestamp>.json
298 | |       <xdr_datalake/live-discover>_result_data_<timestamp>.json
299 | |       live-discover_endpoint_data_<timestamp>.json
300 | |___polling
301 | |       poll_config.json
302 | |       alert_ids.json
303 | |       temp_alert_ids.json
304 | ```
305 | 


--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
 1 | boto3>=1.17.105
 2 | botocore>=1.20.105
 3 | certifi>=2021.5.30
 4 | chardet>=4.0.0
 5 | configparser>=5.0.2
 6 | docutils>=0.17.1
 7 | intelix>=0.1.2
 8 | jmespath>=0.10.0
 9 | python-dateutil>=2.8.1
10 | requests>=2.25.1
11 | s3transfer>=0.4.2
12 | six>=1.16.0
13 | urllib3>=1.26.6
14 | 


--------------------------------------------------------------------------------
/setup.py:
--------------------------------------------------------------------------------
 1 | import setuptools
 2 | from os import path
 3 | 
 4 | # read the contents of your README file
 5 | this_directory = path.abspath(path.dirname(__file__))
 6 | with open(path.join(this_directory, 'README.md'), encoding='utf-8') as f:
 7 |     long_description = f.read()
 8 | 
 9 | setuptools.setup(name='sophos_central_api_connector',
10 |                  version='0.1.6',
11 |                  description='Sophos Central API Connector',
12 |                  author='Mark Lanczak-Faulds',
13 |                  author_email='mark.lanczak-faulds@sophos.com',
14 |                  long_description=long_description,
15 |                  long_description_content_type='text/markdown',
16 |                  classifiers=[
17 |                      "Programming Language :: Python :: 3",
18 |                      "License :: OSI Approved :: GNU General Public License v3 (GPLv3)",
19 |                      "Operating System :: OS Independent",
20 |                  ],
21 |                  url="https://github.com/sophos-cybersecurity/sophos-central-api-connector",
22 |                  setup_requires=["setuptools_scm"],
23 |                  packages=['sophos_central_api_connector', 'sophos_central_api_connector.config'],
24 |                  package_data={'sophos_central_api_connector': ['config/*']},
25 |                  python_requires='>=3.6',
26 |                  install_requires=['boto3>=1.17.21',
27 |                                    'botocore>=1.20.21',
28 |                                    'certifi>=2020.12.5',
29 |                                    'chardet>=4.0.0',
30 |                                    'configparser>=5.0.2',
31 |                                    'docutils>=0.16',
32 |                                    'intelix>=0.1.2',
33 |                                    'jmespath>=0.10.0',
34 |                                    'python-dateutil>=2.8.1',
35 |                                    'requests>=2.25.1',
36 |                                    's3transfer>=0.3.4',
37 |                                    'six>=1.15.0',
38 |                                    'urllib3>=1.26.3'],
39 |                  include_package_data=True)
40 | 


--------------------------------------------------------------------------------
/sophos_central_api_connector/config/intelix_config.ini:
--------------------------------------------------------------------------------
 1 | # Intelix AWS secret information
 2 | 
 3 | [intelix]
 4 | secret_name:
 5 | region_name:
 6 | client_id_key:
 7 | client_secret_key:
 8 | 
 9 | #The static config is for when you want to enter the plain text of the Client ID and Client Secret
10 | #we recommend you only use this on a test environment and destroy the API key afterwards
11 | [static]
12 | client_id:
13 | client_secret:
14 | 
15 | # This config file allows you to set the risk against the ip categories returned from SophosLabs intelix to allow
16 | # ease of managing local-site clean-up. This aims to align the 'riskLevel' for the url_lookup for the ip_lookup
17 | 
18 | # riskLevel entries for url_lookup. Number is set to get equivalent for ip_lookup
19 | # UNCLASSIFIED: Threat is unknown. - 0
20 | # TRUSTED: Url is a trusted one. No threat appears. - 1
21 | # LOW: Threat is low for a given url. - 2
22 | # MEDIUM: Threat is medium for a given url. - 3
23 | # HIGH: Threat is high for a given url. - 4
24 | 
25 | # anything not in the below list will set as unclassified
26 | 
27 | # Current categories for IP lookup:
28 | # malware:	         Known source of malware
29 | # botnet:	         Known FUR, TFX and RIP bot proxy IP
30 | # spam_mta:	         Known spam source / network
31 | # psh	             Known source of phishing
32 | # spammers:	         Known FUR and RIP spam network
33 | # enduser_network:	 Known dynamic IP
34 | # bot:          	 Known bot proxy IP
35 | # generic_mta:  	 Known mail server
36 | # clean_mta:    	 Known whitelisted mail server
37 | # free_mta:     	 Known free email service provider
38 | # bulk_mta:     	 Known bulk email service provider
39 | # isp_mta:      	 Known ISP's outbound mail server
40 | # biz_mta:      	 Known corporate email service provider
41 | # bulk_mta_grey:   	 Known grey bulk email service provider
42 | # news_mta:     	 Known newsletter provider
43 | # notifications_mta: Notification alert
44 | # illegal:         	 Suspected criminal source
45 | 
46 | [ip_lookup_risk]
47 | malware: 4
48 | botnet: 4
49 | spam_mta: 4
50 | psh: 4
51 | spammers: 4
52 | enduser_network: 2
53 | bot: 4
54 | generic_mta: 2
55 | clean_mta: 1
56 | free_mta: 2
57 | bulk_mta: 3
58 | isp_mta: 2
59 | biz_mta: 2
60 | bulk_mta_grey: 3
61 | news_mta: 2
62 | notifications_mta: 2
63 | illegal: 4
64 | unclassified: 0


--------------------------------------------------------------------------------
/sophos_central_api_connector/config/misp_config.ini:
--------------------------------------------------------------------------------
 1 | #This is the config file for accessing your MISP instance
 2 | 
 3 | #The awsSecret section allows you to specify your AWS Secrets Manager
 4 | #information to utilise the safe keeping of your API key
 5 | #The api_key are the names you use for the 'Secret Key'
 6 | #when you created a new secret to store the MISP API key
 7 | [aws]
 8 | secret_name:
 9 | region_name:
10 | api_key:
11 | 
12 | #Add the url for your MISP instance
13 | [url]
14 | misp_instance: https://<misp_instance_name>/attributes/restSearch


--------------------------------------------------------------------------------
/sophos_central_api_connector/config/sophos_central_api_config.py:
--------------------------------------------------------------------------------
 1 | from pathlib import PurePath
 2 | 
 3 | # Static URI Variables
 4 | auth_uri = 'https://id.sophos.com/api/v2/oauth2/token'
 5 | whoami_uri = 'https://api.central.sophos.com/whoami/v1'
 6 | tenants_ptr_uri = 'https://api.central.sophos.com/partner/v1/tenants'
 7 | tenants_org_uri = 'https://api.central.sophos.com/organization/v1/tenants'
 8 | alerts_uri = '/common/v1/alerts'
 9 | endpoints_uri = '/endpoint/v1/endpoints'
10 | directory_uri = '/common/v1/directory'
11 | settings_uri = '/endpoint/v1/settings'
12 | livediscover_uri = '/live-discover/v1/queries'
13 | xdr_uri = '/xdr-query/v1/queries'
14 | firewall_uri = '/firewall/v1/firewalls'
15 | fw_grps_uri = '/firewall/v1/firewall-groups'
16 | admins_uri = '/common/v1/admins'
17 | roles_uri = '/common/v1/roles'
18 | 
19 | 
20 | # Default Value
21 | max_alerts_page = 100
22 | max_inv_page = 500
23 | max_localsite_page = 100
24 | max_fw_page = 1000
25 | max_fw_grps_page = 100
26 | max_admins_page = 100
27 | 
28 | # Regex Variables
29 | uuid_regex = '[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}'
30 | 
31 | # Path locations
32 | sophos_conf_path = PurePath("/config/sophos_config.ini")
33 | splunk_conf_path = PurePath("/config/splunk_config.ini")
34 | intelix_conf_path = PurePath("/config/intelix_config.ini")
35 | misp_conf_path = PurePath("/config/misp_config.ini")
36 | output_inv_path = PurePath("/output/get_inventory")
37 | output_al_path = PurePath("/output/get_alerts")
38 | output_ls_path = PurePath("/output/get_local_sites")
39 | output_intx_path = PurePath("/output/intelix")
40 | output_intx_del_path = PurePath("/output/intelix/delete_local_sites")
41 | output_queries_path = PurePath("/output/query_results")
42 | output_fw_path = PurePath("/output/firewall_inventory")
43 | output_fw_grps_path = PurePath("/output/firewall_groups")
44 | output_admins_path = PurePath("/output/admin_data")
45 | output_roles_path = PurePath("/output/roles_data")
46 | poll_conf_path = PurePath("/polling/poll_config.json")
47 | poll_alerts_path = PurePath("/polling/alert_ids.json")
48 | poll_temp_path = PurePath("/polling/temp_alert_ids.json")
49 | poll_path = PurePath("/polling")
50 | logging_path = PurePath("/logs/failed_events.json")
51 | temp_path = PurePath("/tmp")
52 | 


--------------------------------------------------------------------------------
/sophos_central_api_connector/config/sophos_config.ini:
--------------------------------------------------------------------------------
 1 | #This is the config file for sophos_central_main.py
 2 | 
 3 | #The awsSecret section allows you to specify your AWS Secrets Manager
 4 | #information to utilise the safe keeping of your Client ID and Client Secret
 5 | #The client_id_key and client_secret_key are the names you use for the 'Secret Key'
 6 | #when you created a new secret to store the Sophos Central API Client ID and Client Secret
 7 | [aws]
 8 | secret_name:
 9 | region_name:
10 | client_id_key:
11 | client_secret_key:
12 | 
13 | #The static config is for when you want to enter the plain text of the Client ID and Client Secret
14 | #we recommend you only use this on a test environment and destroy the API key afterwards
15 | [static]
16 | client_id:
17 | client_secret:
18 | 
19 | #Add in a positive number to the below configs. These stipulate the size of the page requested for the
20 | #inventory and alerts in the Sophos Central API.
21 | #Either use a ':' or '=' followed by your desired page size
22 | [page_size]
23 | inventory_ps: 500
24 | alerts_ps: 100
25 | settings_ps: 100
26 | ld_query: 250
27 | ld_results: 1000
28 | firewall: 100
29 | fw_grps: 100
30 | admin_ps: 100


--------------------------------------------------------------------------------
/sophos_central_api_connector/config/splunk_config.ini:
--------------------------------------------------------------------------------
 1 | # This is the awsSecret information for your Splunk HEC setup.
 2 | [splunk_aws]
 3 | splunk_aws:
 4 | secret_name:
 5 | region_name:
 6 | token_key:
 7 | 
 8 | # This is the Splunk HEC (HTTP Event Collector) token to be used for sending data to Splunk
 9 | # We recommend you only use this on a test environment and destroy the token afterwards and
10 | # that is restricted to a test index
11 | [splunk_static]
12 | token:
13 | 
14 | # Information on how to configure HEC can be found at the following Splunk URI:
15 | # https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector
16 | # The splunk host is uri to your splunk instance that runs HEC and the HEC port
17 | # Valid entries for splunk_ack_enabled and verify_ack_result are 0 or 1.
18 | # Further information on what this setting does can be found here:
19 | # https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/AboutHECIDXAck
20 | # The channel requires to be a UUID, follow the above link for more information on this setting
21 | # The ack_batch_size is how many events will be processed before indexer acknowledgements are checked.
22 | [splunk_hec]
23 | splunk_url: https://<your_splunk_url>:8088/services/collector
24 | splunk_ack_enabled:
25 | verify_ack_result:
26 | channel:
27 | ack_batch_size:
28 | 
29 | # Using the following configs will override settings for HEC config set. If nothing is set it will use the
30 | # settings on the config in Splunk
31 | [splunk_transform]
32 | host:
33 | source:
34 | sourcetype:


--------------------------------------------------------------------------------
/sophos_central_api_connector/docs/alerts.md:
--------------------------------------------------------------------------------
 1 | ## Alert/Event Information
 2 | 
 3 | To gather alerts for your tenants you can pass the alerts option when running the --get parameter. Some additional options are available
 4 | when gathering alerts above calling the inventory of machines:
 5 | 
 6 | - --days
 7 | - --poll_alerts
 8 | - --reset
 9 | 
10 | As with calling the inventory option, you can pull alerts for a specific tenant or all of the tenants. In addition you can specify the number of days of events you would like to pull back by using the days parameter.
11 | 
12 | Sophos Central holds event data for 90 days, so when calling the days parameter you can specifiy days as an integer from 1-90. If no days parameter is passed a default of 1 day is set. below is an example of passing the days parameter:
13 | ```python
14 | python sophos_central_main.py --auth <auth_option> --get alerts --days <integer: 1-90> --output <output_option>
15 | ```
16 | 
17 | ### Polling Alert Information
18 | The polling option is available for alert events. This is so you can gather alerts over a period of time and maintain a list of events in Splunk.
19 | 
20 | The correct syntax to poll for alert events is as follows:
21 | ```python
22 | python sophos_central_main.py --auth <auth_option> --get alerts --days <integer: 1-90> --poll_alerts --output <splunk or splunk_trans>
23 | ```
24 | On the initial run of this syntax the following files will be created:
25 | - poll_config.json
26 | - alert_ids.json
27 | 
28 | The poll_config.json maintains the results of the last poll attempt and also from when the next poll should get events from and to. Along with maintaining the state of the current run and logging whether any failures have occurred.
29 | 
30 | When running the poll_alerts for a second time a new file will be generated called:
31 | - temp_alert_ids.json
32 | 
33 | This file maintains a list of events which have already been successfully sent to Splunk and will be removed from the alerts obtained from the Sophos Central API.
34 | 
35 | ### Resetting Polling
36 | If you need to reset the polling and start re-pulling in events you can pass the reset parameter to initiate this. Along with the reset parameter you can also pass the days parameter in order to specify how many days should be pulled using the API. Syntax on how to pass this is as follows:
37 | 
38 | ```python
39 | python sophos_central_main.py --auth <auth_option> --get alerts --days <integer: 1-90> --reset --poll_alerts --output <splunk or splunk_trans>
40 | ```
41 | 
42 | Running this syntax will delete the files:
43 | - poll_config.json
44 | - alert_ids.json
45 | - temp_alert_ids.json


--------------------------------------------------------------------------------
/sophos_central_api_connector/docs/get_admins.md:
--------------------------------------------------------------------------------
 1 | ## Get Admins (get_admins.py)
 2 | 
 3 | This is based on following Sophos Central documentation page: 
 4 | https://developer.sophos.com/docs/common-v1/1/routes/admins/get
 5 | 
 6 | To simplify the workflow of gathering various aspects of Central this is a separate script to gather the admins from
 7 | your Sophos Central tenants. You do not need to pass parameters to run the script. However, there are some global 
 8 | variables which can be changed to adjust tenant, output and page size.
 9 | 
10 | Global variables that can be changed:
11 | - page_size
12 | - tenant
13 | - output
14 | 
15 | page_size:
16 | The default setting is set to `50` this can be changed in line with the api documentation value limits for `pageSize`
17 | 
18 | You still have control of how the data is saved:
19 | - JSON
20 | - STDOUT
21 | - Splunk
22 | 
23 | The default setting is `STDOUT`, if you change the setting to `JSON` the files will be saved under the `output` folder:
24 | ```
25 | sophos_central_api_connector
26 | |___output
27 | |   |___admin_data
28 | |   |       <tenant_name>_<tenant_id>.json
29 | |   |       ...	
30 | ```
31 | 
32 | The log level can be adjusted under the main function for the variable: `log_level` to gather more granular feedback when
33 | running the script.


--------------------------------------------------------------------------------
/sophos_central_api_connector/docs/get_firewall_groups.md:
--------------------------------------------------------------------------------
 1 | ## Get Firewall Groups (get_firewall_groups.py)
 2 | 
 3 | This is based on following Sophos Central documentation page: 
 4 | https://developer.sophos.com/docs/firewall-v1/1/routes/firewall-groups/get
 5 | 
 6 | To simplify the workflow of gathering various aspects of Central this is a separate script to gather the firewall groups
 7 | from your Sophos Central tenants. You do not need to pass parameters to run the script. However, there are some global 
 8 | variables which can be changed to adjust tenant, output and page size.
 9 | 
10 | Global variables that can be changed:
11 | - page_size
12 | - tenant
13 | - output
14 | 
15 | page_size:
16 | The default setting is set to `100` this can be changed in line with the api documentation value limits for `pageSize`
17 | 
18 | You still have control of how the data is saved:
19 | - JSON
20 | - STDOUT
21 | - Splunk
22 | 
23 | The default setting is `STDOUT`, if you change the setting to `JSON` the files will be saved under the `output` folder:
24 | ```
25 | sophos_central_api_connector
26 | |___output
27 | |   |_firewall_groups
28 | |   |       <tenant_name>_<tenant_id>.json
29 | |   |       ...
30 | ```
31 | 
32 | The log level can be adjusted under the main function for the variable: `log_level` to gather more granular feedback when
33 | running the script.


--------------------------------------------------------------------------------
/sophos_central_api_connector/docs/get_firewalls.md:
--------------------------------------------------------------------------------
 1 | ## Get Firewalls (get_firewalls.py)
 2 | 
 3 | This is based on following Sophos Central documentation page: 
 4 | https://developer.sophos.com/docs/firewall-v1/1/routes/firewalls/get
 5 | 
 6 | To simplify the workflow of gathering various aspects of Central this is a separate script to gather the firewalls from
 7 | your Sophos Central tenants. You do not need to pass parameters to run the script. However, there are some global 
 8 | variables which can be changed to adjust tenant, output and page size.
 9 | 
10 | Global variables that can be changed:
11 | - page_size
12 | - tenant
13 | - output
14 | 
15 | page_size:
16 | The default setting is set to `100` this can be changed in line with the api documentation value limits for `pageSize`
17 | 
18 | You still have control of how the data is saved:
19 | - JSON
20 | - STDOUT
21 | - Splunk
22 | 
23 | The default setting is `STDOUT`, if you change the setting to `JSON` the files will be saved under the `output` folder:
24 | ```
25 | sophos_central_api_connector
26 | |___output
27 | |   |_firewall_inventory
28 | |   |       <tenant_name>_<tenant_id>.json
29 | |   |       ...
30 | ```
31 | 
32 | The log level can be adjusted under the main function for the variable: `log_level` to gather more granular feedback when
33 | running the script.


--------------------------------------------------------------------------------
/sophos_central_api_connector/docs/get_roles.md:
--------------------------------------------------------------------------------
 1 | ## Get Roles (get_roles.py)
 2 | 
 3 | This is based on following Sophos Central documentation page: 
 4 | https://developer.sophos.com/docs/common-v1/1/routes/roles/get
 5 | 
 6 | To simplify the workflow of gathering various aspects of Central this is a separate script to gather the roles from
 7 | your Sophos Central tenants. You do not need to pass parameters to run the script. However, there are some global 
 8 | variables which can be changed to adjust tenant, output.
 9 | 
10 | Global variables that can be changed:
11 | - tenant
12 | - output
13 | 
14 | You still have control of how the data is saved:
15 | - JSON
16 | - STDOUT
17 | - Splunk
18 | 
19 | The default setting is `STDOUT`, if you change the setting to `JSON` the files will be saved under the `output` folder:
20 | ```
21 | sophos_central_api_connector
22 | |___output
23 | |   |___roles_data
24 | |   |       <tenant_name>_<tenant_id>.json
25 | |   |       ...
26 | ```
27 | 
28 | The log level can be adjusted under the main function for the variable: `log_level` to gather more granular feedback when
29 | running the script.


--------------------------------------------------------------------------------
/sophos_central_api_connector/docs/intelix.md:
--------------------------------------------------------------------------------
 1 | ## Intelix
 2 | 
 3 | We have incorporated the SophosLabs Intelix API to assist with cleaning up local site information which can be obtained from the global settings mentioned above.
 4 | 
 5 | If you have not used or signed up for the Intelix API further information can be found here: https://api.labs.sophos.com/doc/index.html#registration-howto
 6 | 
 7 | We use the Intelix API package as a base: https://github.com/sophos-cybersecurity/intelix
 8 | 
 9 | There are a number of options available.
10 | 
11 | #### Test
12 | You can run a test to ensure that your configuration is working without the need to run the full commands.
13 | ```python
14 | python sophos_central_main.py --auth <auth_option> --intelix test
15 | ```
16 | 
17 | #### Report
18 | 
19 | Running the intelix command in report mode will gather the local site information (all or one tenant) and check Intelix API to see if SophosLabs detect the site.
20 | 
21 | As part of the process we automatically dedupe the URLs queried with Intelix to reduce the api calls made.
22 | 
23 | It will automatically generate JSON files for the reports. One which is combined Intelix and local site data: `<date>_<time>_results_combined.json` and another for just the
24 | Intelix results: `<date>_<time>_intelix_results.json`
25 | 
26 | ```python
27 | python sophos_central_main.py --auth <auth_option> --intelix report
28 | ```
29 | 
30 | #### Clean_ls
31 | 
32 | Running the intelix command with clean_ls will go through the process of checking the sites against the Intelix API and proceed to delete the local-site entry in
33 | the global settings in Sophos Central.
34 | 
35 | In addition to the clean_ls command you must specify a clean-level to specify which sites that Intelix has a risk level for will be deleted from local-sites. Below are the
36 | accepted risks for the command
37 | 
38 | - ALL
39 | - HIGH
40 | - HIGH_MEDIUM
41 | - MEDIUM
42 | - LOW
43 | 
44 | We do not delete sites which have not been categorised by SophosLabs.
45 | 
46 | Before running the clean_ls command and actively deleting the local sites from Central we highly recommend using the '--dry_run' switch. This will generate a report of what would have
47 | been deleted based on the parameters passed:
48 | ```python
49 | python sophos_central_main.py --auth <auth_option> --intelix clean_ls --clean_level <level> --dry_run
50 | ```
51 | 
52 | Please review the dry run report carefully before running the active clean command. The report is: `<tenantId>_<date>_<time>_<clean_level>_dry_run_report.json`
53 | 
54 | Once you are happy with the dry-run results you can go forward and commit the changes by running the command without the dry-run switch:
55 | ```python
56 | python sophos_central_main.py --auth <auth_option> --intelix clean_ls --clean_level <level>
57 | ```
58 | 
59 | Once complete two files will be created. One is a report on the count of deletions etc. for each tenant: `<date>_<time>_deletion_report.json` and another
60 | which is more details on the sites which were sent for deletion, their deletion status and the time of the transaction. This is covered under the file:
61 | `<date>_<time>_deletion_details.json`


--------------------------------------------------------------------------------
/sophos_central_api_connector/docs/intelix_configuration.md:
--------------------------------------------------------------------------------
 1 | ## SophosLabs Intelix Configuration
 2 | > ### **Important!**
 3 | > Whilst you are able to set static API credentials in this configuration we strongly advise that this is only done for testing purposes.
 4 | > Where possible use AWS Secrets Manager to store your credential id and token
 5 | > Please reference the authentication section under advanced usage to use the correct parameter
 6 | 
 7 | The AWS secret credentials follows the same format as the sophos_config.ini.
 8 | 
 9 | There is an additional section in regards to the IP lookup categorisation. To align with the URL riskLevel we have provided the ability to set the IP categories against the risk level. The values already set
10 | and should be reviewed and amended to prevent deleting sites incorrectly from the local sites settings in Central.


--------------------------------------------------------------------------------
/sophos_central_api_connector/docs/inventory.md:
--------------------------------------------------------------------------------
 1 | ## Endpoint Information
 2 | 
 3 | Gathering the inventory information can be done for all of your tenants or one specific tenant. There are various methods on how this data can be presented. The output methods are stdout, json or sending the data to Splunk. More detailed example are covered under the Advanced Usage section.
 4 | 
 5 | There are various products which can utilise data from stdout such as running a script in Splunk and indexing the data dynamically. Also this can be used as a response in automation to provide further details on a systems health etc.
 6 | 
 7 | The syntax to use when requesting to get inventory is the following:
 8 | ```python
 9 | python sophos_central_main.py --auth <auth_option> --get inventory --output <output_option>
10 | ```


--------------------------------------------------------------------------------
/sophos_central_api_connector/docs/ioc_hunter.md:
--------------------------------------------------------------------------------
  1 | ## IOC Hunter
  2 | 
  3 | The IOC Hunter script provides the ability to search your estate for IOCs using variables. This is available for both Live Discover and XDR DataLake!
  4 | 
  5 | Follow the instructions [here](https://docs.sophos.com/central/Customer/help/en-us/central/Customer/learningContents/LiveDiscover.html) to create a custom query from the ioc_hunter.sql file for the perspective method.
  6 | 
  7 | ### Logging
  8 | All logging is done via the python `logging` library. Pass the switch `--log_level` or `-ll`
  9 | 
 10 | Valid logging levels are:
 11 | 
 12 | - INFO
 13 | - DEBUG
 14 | - CRITICAL
 15 | - WARNING
 16 | - ERROR
 17 | 
 18 | For basic feedback set the logging level to `INFO`. No logging returned if the `--log_level` parameter is not passed
 19 | 
 20 | ### Authentication
 21 | Providing no authentication parameter will result in being prompted during the running of the script.
 22 | 
 23 | ### Usage
 24 | To obtain help information on how to call the various commands run the following:
 25 | ```commandline
 26 | ioc_hunter.py --help
 27 | ```
 28 | 
 29 | Using the IOC Hunter you can search for IOCs by either:
 30 | * Passing RAW JSON in arguments
 31 | * MISP attributes (eventIds or tags)
 32 |     * Follow the MISP Configuration documents to utilise this feature [here](https://github.com/sophos-cybersecurity/sophos-central-api-connector/blob/master/sophos_central_api_connector/docs/misp_configuration.md)
 33 | 
 34 | By passing MISP attributes the JSON is automatically generated to work with the saved query.
 35 | 
 36 | Passing RAW JSON requires the correct schema in order to be parsed by the Live Discover query. 
 37 | The correct schema is as follows:
 38 | ```json
 39 | {   "ioc_data": [
 40 |       {
 41 |         "indicator_type": "<type>",
 42 |         "data": "<ioc_data>"
 43 |       }
 44 |     ]
 45 | }
 46 | ```
 47 | 
 48 | The two arguments that need prior setup are:
 49 | * filter: This determines which systems the saved query will run on (LiveDiscover ONLY)
 50 | * variables: These are the variables that the saved query is expecting
 51 | 
 52 | ### Filter (LiveDiscover)
 53 | For the filter argument the skeleton of the schema is already in place. You just need to provide the filter details. Below are some examples.
 54 | 
 55 | When passing the argument you need to escape the quotes
 56 | 
 57 | #### Specific endpoints
 58 | To run the query on specific systems you can pass the following in the `--filter` argument:
 59 | ```commandline
 60 | --filter "{\"ids\": [\"74125749-6a48-48e1-bf41-243b227e444c\"]}"
 61 | ```
 62 | 
 63 | #### Windows platform
 64 | ```commandline
 65 | --filter "{\"os\": [{\"platform\": \"windows\"}]}"
 66 | ```
 67 | 
 68 | You can build these filters using the schema [here](https://developer.sophos.com/docs/live-discover-v1/1/routes/queries/runs/post)
 69 | 
 70 | ### Variables
 71 | LiveDiscover and XDR DataLake take slightly different variables. LiveDiscover expects 3, whereas XDR only expects 1.
 72 | 
 73 | #### LiveDiscover
 74 | * Number of Hours of activity to search
 75 |   * Be conscious how wide this is set. If the span is too wide the query may be terminated
 76 | * IOC JSON
 77 |   * If you are using MISP attributes you can simply enter `%`
 78 |   * Follow the schema above when passing RAW JSON in this variable
 79 | * Start Search From
 80 |   * This follows the format: `%Y-%m-%dT%H:%M:%S`
 81 |   
 82 | #### XDR DataLake
 83 | * IOC JSON
 84 |   * Follow the schema above when passing RAW JSON in this variable
 85 | 
 86 | The values in the saved search will be used if no variables are passed
 87 | 
 88 | ### Examples
 89 | Below are some example commands to begin searching your estate
 90 | 
 91 | #### LiveDiscover
 92 | 
 93 | List queries from tenants to stdout
 94 | ```commandline
 95 | ioc_hunter.py --api ld --search_type list
 96 | ```
 97 | 
 98 | Outputting query list to JSON
 99 | ```commandline
100 | ioc_hunter.py --api ld --search_type list --output json
101 | ```
102 | 
103 | Hunt using a MISP eventId
104 | ```commandline
105 | ioc_hunter.py --api ld --search_type saved --search_input IOC_Hunter --filter "{\"ids\": [\"74125749-6a48-48e1-bf41-243b227e444c\"]}" --variables 24 % 2021-03-01T00:00:00 --misp true --misp_type eventid --misp_val int
106 | ```
107 | 
108 | Hunt using a MISP tag
109 | ```commandline
110 | ioc_hunter.py --api ld --search_type saved --search_input IOC_Hunter --filter "{\"ids\": [\"74125749-6a48-48e1-bf41-243b227e444c\"]}" --variables 24 % 2021-03-01T00:00:00 --misp true --misp_type tag --misp_val str
111 | ```
112 | 
113 | Hunt using a search with no variables
114 | ```commandline
115 | ioc_hunter.py --api ld --search_type saved --search_input IOC_Hunter --filter "{\"ids\": [\"74125749-6a48-48e1-bf41-243b227e444c\"]}"
116 | ```
117 | 
118 | Hunt using a RAW JSON
119 | ```commandline
120 | ioc_hunter.py --api ld --search_type saved --search_input IOC_Hunter --filter "{\"ids\": [\"74125749-6a48-48e1-bf41-243b227e444c\"]}" --variables 24 "{   \"ioc_data\": [     {       \"indicator_type\": \"url\",       \"data\": \"%sophos.com%\"     },     {       \"indicator_type\": \"ip\",       \"data\": \"%192.%\"     },     {       \"indicator_type\": \"filepath\",       \"data\": \"C:\\Windows\\System32\\%\"     }   ] }" 2021-03-01T00:00:00
121 | ```
122 | 
123 | Running standard saved search
124 | ```commandline
125 | ioc_hunter.py --api ld --search_type saved --search_input "CPU information" --filter "{\"ids\": [\"74125749-6a48-48e1-bf41-243b227e444c\"]}"
126 | ```
127 | 
128 | #### XDR DataLake
129 | 
130 | List queries from tenants to stdout
131 | ```commandline
132 | ioc_hunter.py --api xdr --search_type list
133 | ```
134 | 
135 | Outputting query list to JSON
136 | ```commandline
137 | ioc_hunter.py --api xdr --search_type list --output json
138 | ```
139 | 
140 | Hunt using a MISP eventId
141 | ```commandline
142 | ioc_hunter.py --api xdr --search_type saved --search_input IOC_Hunter --misp true --misp_type eventid --misp_val <int>
143 | ```
144 | 
145 | Hunt using a MISP tag
146 | ```commandline
147 | ioc_hunter.py --api xdr --search_type saved --search_input IOC_Hunter --misp true --misp_type tag --misp_val <str>
148 | ```
149 | 
150 | Hunt using a search with no variables
151 | ```commandline
152 | ioc_hunter.py --api xdr --search_type saved --search_input IOC_Hunter
153 | ```
154 | 
155 | Hunt using a RAW JSON
156 | ```commandline
157 | ioc_hunter.py --api xdr --search_type saved --search_input IOC_Hunter --variables "{   \"ioc_data\": [     {       \"indicator_type\": \"url\",       \"data\": \"%sophos.com%\"     },     {       \"indicator_type\": \"ip\",       \"data\": \"%192.%\"     },     {       \"indicator_type\": \"filepath\",       \"data\": \"C:\\Windows\\System32\\%\"     }   ] }"
158 | ```
159 | 
160 | Running standard saved search
161 | ```commandline
162 | ioc_hunter.py --api xdr --search_type saved --search_input "BitLocker info"
163 | ```
164 | 
165 | ### Output
166 | When running the LiveDiscover API three JSON files will be put into the query folder, whereas two for XDR API:
167 | 
168 | #### LiveDiscover & XDR
169 | * <api>_result_data_<timestamp>.json
170 |   * This contains any hits on the IOCs or provides details on the outcome of the saved search run 
171 | * <api>_search_data_<timestamp>.json
172 |   * This contains details on the search run and on which tenants. It contains information on the overall outcome of the search
173 |   
174 | #### LiveDiscover
175 | * <api>_endpoint_data_<timestamp>.json
176 |   * This contains details on the endpoints that the query was run on 
177 | 


--------------------------------------------------------------------------------
/sophos_central_api_connector/docs/local_sites.md:
--------------------------------------------------------------------------------
1 | ## Local Site Information
2 | 
3 | You can review the sites which have been added to Global Settings > Website Management using the API.
4 | 
5 | As with previous abilities you can pull the sites for a specific tenant or for all tenants for review. It will automatically reference
6 | the category integer to a human readable category. This can be output to all the available options.
7 | ```python
8 | python sophos_central_main.py --auth <auth_option> --get local-sites --output <output_option>
9 | ```


--------------------------------------------------------------------------------
/sophos_central_api_connector/docs/misp_configuration.md:
--------------------------------------------------------------------------------
 1 | ## MISP Configuration
 2 | 
 3 | This configuration file is to provide details for accessing your API Key for MISP.
 4 | 
 5 | Details on obtaining the correct URL and API Key please follow the documentation:
 6 | * [MISP URL](https://www.circl.lu/doc/misp/automation/#automation-url)
 7 | * [MISP API Key](https://www.circl.lu/doc/misp/automation/#automation-key)
 8 | 
 9 | We are moving away from you having the ability to place your credentials in the configuration in plain text.
10 | 
11 | You can access your AWS secrets by configuring your details as below:
12 | - **secret_name:** \<secret_name\>
13 | - **region_name:** \<aws_region\>
14 | - **api_key:** \<specified_key_name\>
15 | 
16 | If no details are entered here, when running the tool you will be prompted for your details using `getpass`
17 | 
18 | Additionally set your MISP instance URL for where you will obtain your attributes with `/attributes/restSearch`
19 | 


--------------------------------------------------------------------------------
/sophos_central_api_connector/docs/sophos_configuration.md:
--------------------------------------------------------------------------------
 1 | ## Sophos Configuration
 2 | The following configuration files can be changed to reflect your environment and also your needs.
 3 | 
 4 | ### sophos_central_api_config.py
 5 | Majority of the variables contained in this config file are to remain static in order to maintain the correct functionality of the Sophos Central API Connector. However, there are two variables which can be changed if you would like default behaviour to be different.
 6 | 
 7 | #### DEFAULT_OUTPUT
 8 | This variable is set to `stdout` so in the event that no output parameter is passed to the CLI then results will be returned to the console. You can change this to be another valid parameter value if desired.
 9 | 
10 | #### DEFAULT_DAYS
11 | This variable is set to `1` in the event that no days parameter is passed in certain scenarios. This default is also used for the default number of days passed for polling alert events.
12 | 
13 | ### sophos_config.ini
14 | > #### **Important!**
15 | > Whilst you are able to set static API credentials in this configuration we strongly advise that this is only done for testing purposes.
16 | > Where possible use AWS Secrets Manager to store your credential id and token
17 | > Please reference the authentication section under advanced usage to use the correct parameter
18 | 
19 | You can access your AWS secrets by configuring your details as below:
20 | - **secret_name:** \<secret_name\>
21 | - **region_name:** \<aws_region\>
22 | - **client_id_key:** \<specified_key_name\>
23 | - **client_secret_key:** \<specified_key_name\>
24 | 
25 | The page size configuration is the number of events you would like to appear per page when querying the Sophos Central API. There are maximum sizes which are checked during the execution of the connector. If these are left blank they will use the default page sizes as determined by the API


--------------------------------------------------------------------------------
/sophos_central_api_connector/docs/splunk_configuration.md:
--------------------------------------------------------------------------------
 1 | ## Splunk Configuration
 2 | This config is solely for users who are sending the events and inventory directly to Splunk. There are options for both static token information or there is also an option to use the AWS Secrets Manager.
 3 | 
 4 | > #### **Important!**
 5 | > We would recommend that the static entry is only used for testing purposes and the token is stored and accessed securely.
 6 | > Please reference the authentication section under advanced usage to use the correct parameter
 7 | 
 8 | #### splunk_aws
 9 | To enable the use of the token from the AWS Secrets Manager set : `1`
10 | 
11 | Setting this option to `0` will allow the use of the static token entry. The 'splunk_hec' section determines the correct settings to where to send the events to Splunk
12 | 
13 | #### splunk_url
14 | This is the URL to your Splunk instance: `http(s)://<your_splunk_url>:8088/services/collector`
15 | 
16 | Information on how to configure HEC (HTTP Event Collector) can be found at the following Splunk URL: https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector
17 | 
18 | #### splunk_ack_enabled
19 | If you have set Splunk Index Acknowledgements when creating your HEC token, you will need to set this value to '1'. If you have not set the indexer acknowledgements to `0`. This will ensure that the correct URL is used when sending events to Splunk.
20 | 
21 | #### verify_ack_result
22 | This is not currently in use
23 | 
24 | #### channel
25 | If you have the index acknowledgements checked in your HEC token you will need to provide a channel GUID. These can be anything you like as long as they are unique to your HEC token environment. Further information on setting the channel and enabling Index Acknowledgements
26 | can be found on the Splunk website: https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/AboutHECIDXAck
27 | 
28 | #### ack_batch_size
29 | This is not currently in use
30 | 
31 | #### splunk_transform
32 | This section of the config allows you to override the details for source, host and sourcetype when the events are sent to Splunk. If this setting is not set then it will use the data that is contained in the transforms file on the indexer. This is not able to override the index that the data is sent to.


--------------------------------------------------------------------------------
/sophos_central_api_connector/get_admins.py:
--------------------------------------------------------------------------------
 1 | import logging
 2 | from sophos_central_api_connector import sophos_central_api_auth as api_auth
 3 | from sophos_central_api_connector import sophos_central_api_awssecrets as awssecret
 4 | from sophos_central_api_connector import sophos_central_api_connector_utils as api_utils
 5 | from sophos_central_api_connector import sophos_central_api_get_data as get_api
 6 | from sophos_central_api_connector import sophos_central_api_output as api_output
 7 | 
 8 | 
 9 | # Global variables
10 | page_size = "50" #change in line with documentation
11 | api = "admins" #do not change
12 | tenant = None
13 | output = "stdout"
14 | sourcetype_value = None
15 | 
16 | 
17 | 
18 | def get_admins(tenant_url_data, output, page_size, tenant):
19 |     # Validate page size set
20 |     page_size = api_utils.validate_page_size(page_size, api)
21 | 
22 |     # Generate events and send them to output
23 |     for ten_id, ten_item in tenant_url_data.items():
24 |         # Pass the ten_url_data and gather the alerts
25 |         logging.info("Attempting to get admin information")
26 |         tenant_id = ten_id
27 |         # get data information for the tenant in the loop
28 |         json_data = get_api.get_data(tenant_url_data, page_size, tenant_id, api)
29 |         # process data by the output parameter
30 |         events = api_output.process_output(output, json_data, tenant_url_data, tenant_id, api, sourcetype_value)
31 |     else:
32 |         # Completed gathering data for this tenant
33 |         logging.info("Completed processing for Tenant ID: {0}".format(tenant_id))
34 | 
35 | 
36 | def main():
37 |     log_level="INFO"
38 |     if log_level is None:
39 |         logging.disable(True)
40 |     else:
41 |         logging.disable(False)
42 |         log_name = log_level
43 |         level = getattr(logging, log_name)
44 |         log_fmt = '%(asctime)s: [%(levelname)s]: %(message)s'
45 |         logging.basicConfig(level=level, format=log_fmt, datefmt='%d/%m/%Y %I:%M:%S %p')
46 | 
47 |     logging.info("Start of Logging")
48 | 
49 |     # Auth and get tenant information
50 |     tenant_info = api_auth.ten_auth()
51 | 
52 |     # Generate tenant url data
53 |     tenant_url_data = api_utils.generate_tenant_urls(tenant_info, page_size, api, from_str=None, to_str=None)
54 | 
55 |     for key, value in tenant_url_data.items():
56 |         # If a tenant has been passed in the CLI arguments it checks whether it exists in the tenants obtained
57 |         if tenant == key:
58 |             # The tenant passed has been found
59 |             logging.info("Tenant ID passed: '{0}'".format(key))
60 |             tenant_url_data = {key: value}
61 |         else:
62 |             pass
63 | 
64 |     get_admins(tenant_url_data, output, page_size, tenant)
65 | 
66 |     logging.info("Script complete")
67 |     exit(0)
68 | 
69 | 
70 | if __name__ == "__main__":
71 |     main()


--------------------------------------------------------------------------------
/sophos_central_api_connector/get_firewall_groups.py:
--------------------------------------------------------------------------------
 1 | import logging
 2 | from sophos_central_api_connector import sophos_central_api_auth as api_auth
 3 | from sophos_central_api_connector import sophos_central_api_awssecrets as awssecret
 4 | from sophos_central_api_connector import sophos_central_api_connector_utils as api_utils
 5 | from sophos_central_api_connector import sophos_central_api_get_data as get_api
 6 | from sophos_central_api_connector import sophos_central_api_output as api_output
 7 | 
 8 | 
 9 | # Global variables
10 | page_size = "100"
11 | api = "firewall_groups" # do not change
12 | tenant= None
13 | output = "stdout"
14 | sourcetype_value = None
15 | 
16 | 
17 | def get_firewall_groups(tenant_url_data, output, page_size, tenant):
18 |     # Validate page size set
19 |     page_size = api_utils.validate_page_size(page_size, api)
20 | 
21 |     # Generate events and send them to output
22 |     for ten_id, ten_item in tenant_url_data.items():
23 |         # Pass the ten_url_data and gather the alerts
24 |         logging.info("Attempting to get firewall group information")
25 |         tenant_id = ten_id
26 |         # get data information for the tenant in the loop
27 |         json_data = get_api.get_data(tenant_url_data, page_size, tenant_id, api)
28 |         # process data by the output parameter
29 |         events = api_output.process_output(output, json_data, tenant_url_data, tenant_id, api, sourcetype_value)
30 |     else:
31 |         # Completed gathering data for this tenant
32 |         logging.info("Completed processing for Tenant ID: {0}".format(tenant_id))
33 | 
34 | 
35 | def main():
36 |     log_level="INFO"
37 |     if log_level is None:
38 |         logging.disable(True)
39 |     else:
40 |         logging.disable(False)
41 |         log_name = log_level
42 |         level = getattr(logging, log_name)
43 |         log_fmt = '%(asctime)s: [%(levelname)s]: %(message)s'
44 |         logging.basicConfig(level=level, format=log_fmt, datefmt='%d/%m/%Y %I:%M:%S %p')
45 | 
46 |     logging.info("Start of Logging")
47 | 
48 |     # Auth and get tenant information
49 |     tenant_info = api_auth.ten_auth()
50 | 
51 |     # Generate tenant url data
52 |     tenant_url_data = api_utils.generate_tenant_urls(tenant_info, page_size, api, from_str=None, to_str=None)
53 | 
54 |     for key, value in tenant_url_data.items():
55 |         # If a tenant has been passed in the CLI arguments it checks whether it exists in the tenants obtained
56 |         if tenant == key:
57 |             # The tenant passed has been found
58 |             logging.info("Tenant ID passed: '{0}'".format(key))
59 |             tenant_url_data = {key: value}
60 |         else:
61 |             pass
62 | 
63 |     get_firewall_groups(tenant_url_data, output, page_size, tenant)
64 | 
65 |     logging.info("Script complete")
66 |     exit(0)
67 | 
68 | 
69 | if __name__ == "__main__":
70 |     main()


--------------------------------------------------------------------------------
/sophos_central_api_connector/get_firewalls.py:
--------------------------------------------------------------------------------
 1 | import logging
 2 | from sophos_central_api_connector import sophos_central_api_auth as api_auth
 3 | from sophos_central_api_connector import sophos_central_api_awssecrets as awssecret
 4 | from sophos_central_api_connector import sophos_central_api_connector_utils as api_utils
 5 | from sophos_central_api_connector import sophos_central_api_get_data as get_api
 6 | from sophos_central_api_connector import sophos_central_api_output as api_output
 7 | 
 8 | 
 9 | # Global variables
10 | page_size = "100"
11 | api = "firewall" # do not change
12 | tenant= None
13 | output = "stdout"
14 | sourcetype_value = None
15 | 
16 | 
17 | def get_firewalls(tenant_url_data, output, page_size, tenant):
18 |     # Validate page size set
19 |     page_size = api_utils.validate_page_size(page_size, api)
20 | 
21 |     # Generate events and send them to output
22 |     for ten_id, ten_item in tenant_url_data.items():
23 |         # Pass the ten_url_data and gather the alerts
24 |         logging.info("Attempting to get firewall information")
25 |         tenant_id = ten_id
26 |         # get data information for the tenant in the loop
27 |         json_data = get_api.get_data(tenant_url_data, page_size, tenant_id, api)
28 |         # process data by the output parameter
29 |         events = api_output.process_output(output, json_data, tenant_url_data, tenant_id, api, sourcetype_value)
30 |     else:
31 |         # Completed gathering data for this tenant
32 |         logging.info("Completed processing for Tenant ID: {0}".format(tenant_id))
33 | 
34 | 
35 | def main():
36 |     log_level="INFO"
37 |     if log_level is None:
38 |         logging.disable(True)
39 |     else:
40 |         logging.disable(False)
41 |         log_name = log_level
42 |         level = getattr(logging, log_name)
43 |         log_fmt = '%(asctime)s: [%(levelname)s]: %(message)s'
44 |         logging.basicConfig(level=level, format=log_fmt, datefmt='%d/%m/%Y %I:%M:%S %p')
45 | 
46 |     logging.info("Start of Logging")
47 | 
48 |     # Auth and get tenant information
49 |     tenant_info = api_auth.ten_auth()
50 | 
51 |     # Generate tenant url data
52 |     tenant_url_data = api_utils.generate_tenant_urls(tenant_info, page_size, api, from_str=None, to_str=None)
53 | 
54 |     for key, value in tenant_url_data.items():
55 |         # If a tenant has been passed in the CLI arguments it checks whether it exists in the tenants obtained
56 |         if tenant == key:
57 |             # The tenant passed has been found
58 |             logging.info("Tenant ID passed: '{0}'".format(key))
59 |             tenant_url_data = {key: value}
60 |         else:
61 |             pass
62 | 
63 |     get_firewalls(tenant_url_data, output, page_size, tenant)
64 | 
65 |     logging.info("Script complete")
66 |     exit(0)
67 | 
68 | 
69 | if __name__ == "__main__":
70 |     main()


--------------------------------------------------------------------------------
/sophos_central_api_connector/get_roles.py:
--------------------------------------------------------------------------------
 1 | import logging
 2 | from sophos_central_api_connector import sophos_central_api_auth as api_auth
 3 | from sophos_central_api_connector import sophos_central_api_awssecrets as awssecret
 4 | from sophos_central_api_connector import sophos_central_api_connector_utils as api_utils
 5 | from sophos_central_api_connector import sophos_central_api_get_data as get_api
 6 | from sophos_central_api_connector import sophos_central_api_output as api_output
 7 | 
 8 | 
 9 | # Global variables
10 | page_size = None # do not change
11 | api = "roles" # do not change
12 | tenant= None
13 | output = "stdout"
14 | sourcetype_value = None
15 | 
16 | 
17 | def get_roles(tenant_url_data, output, page_size, tenant):
18 |     # Generate events and send them to output
19 |     for ten_id, ten_item in tenant_url_data.items():
20 |         # Pass the ten_url_data and gather the alerts
21 |         logging.info("Attempting to get role information")
22 |         tenant_id = ten_id
23 |         # get data information for the tenant in the loop
24 |         json_data = get_api.get_data(tenant_url_data, page_size, tenant_id, api)
25 |         # process data by the output parameter
26 |         logging.info("Adding Tenant Information")
27 |         for json_id, json_item in json_data.items():
28 |             json_item['tenant_id'] = tenant_id
29 |         events = api_output.process_output(output, json_data, tenant_url_data, tenant_id, api, sourcetype_value)
30 |     else:
31 |         # Completed gathering data for this tenant
32 |         logging.info("Completed processing for Tenant ID: {0}".format(tenant_id))
33 | 
34 | 
35 | def main():
36 |     log_level="INFO"
37 |     if log_level is None:
38 |         logging.disable(True)
39 |     else:
40 |         logging.disable(False)
41 |         log_name = log_level
42 |         level = getattr(logging, log_name)
43 |         log_fmt = '%(asctime)s: [%(levelname)s]: %(message)s'
44 |         logging.basicConfig(level=level, format=log_fmt, datefmt='%d/%m/%Y %I:%M:%S %p')
45 | 
46 |     logging.info("Start of Logging")
47 | 
48 |     # Auth and get tenant information
49 |     tenant_info = api_auth.ten_auth()
50 | 
51 |     # Generate tenant url data
52 |     tenant_url_data = api_utils.generate_tenant_urls(tenant_info, page_size, api, from_str=None, to_str=None)
53 | 
54 |     for key, value in tenant_url_data.items():
55 |         # If a tenant has been passed in the CLI arguments it checks whether it exists in the tenants obtained
56 |         if tenant == key:
57 |             # The tenant passed has been found
58 |             logging.info("Tenant ID passed: '{0}'".format(key))
59 |             tenant_url_data = {key: value}
60 |         else:
61 |             pass
62 | 
63 |     get_roles(tenant_url_data, output, page_size, tenant)
64 | 
65 |     logging.info("Script complete")
66 |     exit(0)
67 | 
68 | 
69 | if __name__ == "__main__":
70 |     main()


--------------------------------------------------------------------------------
/sophos_central_api_connector/ioc_hunter.py:
--------------------------------------------------------------------------------
  1 | import datetime
  2 | import logging
  3 | import getpass
  4 | import json
  5 | import argparse as ap
  6 | import re
  7 | import configparser as cp
  8 | from sys import getsizeof
  9 | from sophos_central_api_connector import sophos_central_api_auth as api_auth
 10 | from sophos_central_api_connector import sophos_central_api_awssecrets as awssecret
 11 | from sophos_central_api_connector import sophos_central_api_connector_utils as api_utils
 12 | from sophos_central_api_connector.config import sophos_central_api_config as api_conf
 13 | from sophos_central_api_connector import sophos_central_api_output as api_output
 14 | from sophos_central_api_connector import sophos_central_api_live_discover as sld
 15 | 
 16 | 
 17 | # Global variables
 18 | page_size = "250"
 19 | 
 20 | 
 21 | def main(params):
 22 |     # set params to variables
 23 |     log_level = params.log_level
 24 |     tenant = params.tenant
 25 |     search_filter = params.filter
 26 |     search_variables = params.variables
 27 |     search_type = params.search_type
 28 |     search_val = params.search_input
 29 |     misp_attr = params.misp
 30 |     api = params.api
 31 |     output = params.output
 32 | 
 33 |     if log_level is None:
 34 |         logging.disable(True)
 35 |     else:
 36 |         logging.disable(False)
 37 |         log_name = log_level
 38 |         level = getattr(logging, log_name)
 39 |         log_fmt = '%(asctime)s: [%(levelname)s]: %(message)s'
 40 |         logging.basicConfig(level=level, format=log_fmt, datefmt='%d/%m/%Y %I:%M:%S %p')
 41 | 
 42 |     logging.info("Start of Logging")
 43 | 
 44 |     if api == "ld":
 45 |         api = "live-discover"
 46 |     elif api == "xdr":
 47 |         api = "xdr-datalake"
 48 |     else:
 49 |         logging.error("No api passed, exiting")
 50 |         exit(1)
 51 | 
 52 |     if misp_attr:
 53 |         misp_conf_path = api_conf.misp_conf_path
 54 |         misp_final_path = api_utils.get_file_location(misp_conf_path)
 55 | 
 56 |         misp_conf = cp.ConfigParser(allow_no_value=True)
 57 |         misp_conf.read(misp_final_path)
 58 |         secret_name = misp_conf.get('aws', 'secret_name')
 59 |         region_name = misp_conf.get('aws', 'region_name')
 60 |         misp_tok = misp_conf.get('aws', 'api_key')
 61 |         misp_url = misp_conf.get('url', 'misp_instance')
 62 | 
 63 |         # Get attributes for iocs to search
 64 |         misp_type = params.misp_type
 65 |         misp_val = params.misp_val
 66 | 
 67 |         if not misp_type or not misp_val:
 68 |             logging.error("You must specify a MISP type and value")
 69 |             exit(1)
 70 |         else:
 71 |             pass
 72 | 
 73 |         if misp_tok:
 74 |             try:
 75 |                 # Pull the credentials from AWS Secret Manager and pass to initialise misp
 76 |                 misp_secret = awssecret.get_secret(secret_name, region_name)
 77 |                 misp_tok = misp_secret['{0}'.format(misp_tok)]
 78 |                 logging.info("MISP auth token applied")
 79 |             except Exception as aws_exception:
 80 |                 # Return the exception raised from the aws secrets script
 81 |                 raise aws_exception
 82 |             finally:
 83 |                 attributes = sld.get_misp_attributes(misp_url, misp_type, misp_val, misp_tok, wildcard=True)
 84 |         else:
 85 |             logging.info("No AWS creds set in config. Requesting MISP API token")
 86 |             misp_tok = getpass.getpass(prompt="Provide MISP token: ", stream=None)
 87 |             if misp_tok:
 88 |                 attributes = sld.get_misp_attributes(misp_url, misp_type, misp_val, misp_tok, wildcard=True)
 89 |             else:
 90 |                 logging.error("No MISP token provided. Exiting")
 91 |                 exit(1)
 92 | 
 93 |         if not attributes:
 94 |             logging.critical("No attributes found, exiting")
 95 |             exit(1)
 96 |         else:
 97 |             logging.info("MISP attributes obtained")
 98 | 
 99 |             pass
100 |     else:
101 |         pass
102 | 
103 |     # format the filter variable to remove escape characters and pass as json
104 |     if search_filter:
105 |         try:
106 |             search_filter = json.loads(re.sub('[\\?]', '', search_filter))
107 |         except ValueError as err:
108 |             logging.error("JSON malformed: {0}".format(search_filter))
109 |             raise err
110 |         else:
111 |             pass
112 |     elif search_type == "list":
113 |         pass
114 |     elif api == "xdr-datalake":
115 |         pass
116 |     else:
117 |         logging.critical("No filter passed, A filter must be provided")
118 |         exit(1)
119 | 
120 |     if (search_variables and misp_attr) or (misp_attr and api == "xdr-datalake"):
121 |         if api == "live-discover":
122 |             # Format the search date
123 |             date_frmt = "{0}.000Z".format(search_variables[2])
124 |         else:
125 |             pass
126 | 
127 |         # estimated size of variables
128 |         ioc_size = getsizeof(attributes)
129 |         if ioc_size < 1 or ioc_size > 5000:
130 |             logging.critical(
131 |                 "Size of IOC JSON must be in the range of 1 - 5000. Current estimated size is: {0}".format(ioc_size))
132 |             exit(1)
133 |         else:
134 |             pass
135 | 
136 |         # Build JSON
137 |         if api == "live-discover":
138 |             variables_json = [
139 |                 {
140 |                     "name": "Number of Hours of activity to search",
141 |                     "dataType": "text",
142 |                     "value": "{0}".format(search_variables[0])
143 |                 },
144 |                 {
145 |                     "name": "IOC JSON",
146 |                     "dataType": "text",
147 |                     "value": attributes
148 |                 },
149 |                 {
150 |                     "name": "Start Search From",
151 |                     "dataType": "dateTime",
152 |                     "value": "{0}".format(date_frmt)
153 |                 }
154 |             ]
155 |         elif api == "xdr-datalake":
156 |             variables_json = [
157 |                 {
158 |                     "name": "IOC_JSON",
159 |                     "dataType": "text",
160 |                     "value": attributes
161 |                 }
162 |             ]
163 |     elif search_variables:
164 |         if api == "live-discover":
165 |             # Format the search date
166 |             date_frmt = "{0}.000Z".format(search_variables[2])
167 |         else:
168 |             pass
169 | 
170 |         # esitmated size of variables
171 |         ioc_size = getsizeof(search_variables)
172 |         if ioc_size < 1 or ioc_size > 5000:
173 |             logging.critical(
174 |                 "Size of IOC JSON must be in the range of 1 - 5000. Current estimated size is: {0}".format(ioc_size))
175 |             exit(1)
176 |         else:
177 |             pass
178 | 
179 |         # Build JSON
180 |         if api == "live-discover":
181 |             variables_json = [
182 |                 {
183 |                     "name": "Number of Hours of activity to search",
184 |                     "dataType": "text",
185 |                     "value": "{0}".format(search_variables[0])
186 |                 },
187 |                 {
188 |                     "name": "IOC JSON",
189 |                     "dataType": "text",
190 |                     "value": search_variables[1]
191 |                 },
192 |                 {
193 |                     "name": "Start Search From",
194 |                     "dataType": "dateTime",
195 |                     "value": "{0}".format(date_frmt)
196 |                 }
197 |             ]
198 |         elif api == "xdr-datalake":
199 |             variables_json = [
200 |                 {
201 |                     "name": "IOC_JSON",
202 |                     "dataType": "text",
203 |                     "value": search_variables[0]
204 |                 }
205 |             ]
206 |     else:
207 |         logging.info("No variables passed")
208 |         variables_json = None
209 | 
210 |     # Auth and get tenant information
211 |     tenant_info = api_auth.ten_auth()
212 | 
213 |     # Generate tenant url data
214 |     tenant_url_data = api_utils.generate_tenant_urls(tenant_info, page_size, api, from_str=None, to_str=None)
215 | 
216 |     for key, value in tenant_url_data.items():
217 |         # If a tenant has been passed in the CLI arguments it checks whether it exists in the tenants obtained
218 |         if tenant == key:
219 |             # The tenant passed has been found
220 |             logging.info("Tenant ID passed: '{0}'".format(key))
221 |             tenant_url_data = {key: value}
222 |         else:
223 |             pass
224 | 
225 |     # kick off live discover search
226 |     if search_type == "list":
227 |         query_data = sld.live_discover(tenant_url_data, search_type, search_val, search_filter, variables_json, api)
228 |         if output == 'json':
229 |             api_output.process_output_json(query_data, "{0}_query_list.json".format(api), api)
230 |         else:
231 |             for key, value in query_data.items():
232 |                 print(json.dumps(value, indent=2))
233 |     else:
234 |         ld_data, ep_data, res_data = sld.live_discover(tenant_url_data, search_type, search_val, search_filter,
235 |                                                        variables_json, api)
236 |         # output results to temp
237 | 
238 |         # get datetime for files
239 |         filetime = datetime.datetime.utcnow()
240 |         filetimestamp = filetime.timestamp()
241 | 
242 |         if ep_data:
243 |             api_output.process_output_json(ep_data, "{0}_endpoint_data_{1}.json".format(api, filetimestamp), api)
244 |         else:
245 |             logging.info("No EP data to output")
246 | 
247 |         api_output.process_output_json(ld_data, "{0}_search_data_{1}.json".format(api, filetimestamp), api)
248 |         api_output.process_output_json(res_data, "{0}_result_data_{1}.json".format(api, filetimestamp), api)
249 | 
250 |     logging.info("Script complete")
251 |     exit(0)
252 | 
253 | 
254 | if __name__ == "__main__":
255 |     def set_bool_val(arg_val):
256 |         if isinstance(arg_val, bool):
257 |             return arg_val
258 |         if arg_val.lower() in ('yes', 'true', 't', 'y', '1'):
259 |             return True
260 |         elif arg_val.lower() in ('no', 'false', 'f', 'n', '0'):
261 |             return False
262 |         else:
263 |             raise ap.ArgumentTypeError('Boolean value expected')
264 | 
265 | 
266 |     # Parse the various parameters to be used when calling the main script.
267 |     parser = ap.ArgumentParser(formatter_class=ap.RawTextHelpFormatter,
268 |                                description="This script allows you to pass IOC lists and perform queries in Live "
269 |                                            "Discover and generate a report")
270 |     parser.add_argument('-t', '--tenant', nargs='?', help="Allows to specify one tenant\nIf this argument is not "
271 |                                                           "specified all tenants will apply.")
272 |     parser.add_argument('-st', '--search_type', choices=["saved", "adhoc", "list"], required=True,
273 |                         help="Must specify if the search to be run is a saved or adhoc search. Alternatively you "
274 |                              "can list the saved queries available in the tenants (name, description, variables "
275 |                              "and tenant)")
276 |     parser.add_argument('-si', '--search_input', nargs='?', help="Enter input based on selected search type")
277 |     parser.add_argument('-f', '--filter', nargs='?', help="Not setting a search filter will default to the pre-compiled"
278 |                                                           " filter. You can set a custom JSON filter following the "
279 |                                                           "documentation. \nEncapsulate your filter in single quotes, "
280 |                                                           "''")
281 |     parser.add_argument('-v', '--variables', nargs='+', help="Add the following values for the variables in order for "
282 |                                                              "live-discover:\n"
283 |                                                              "[0] Number of Hours of activity to search\n"
284 |                                                              "[1] IOC JSON\n"
285 |                                                              "[2] Start Search From\n"
286 |                                                              "For XDR, only IOC JSON is required")
287 |     parser.add_argument('-m', '--misp', type=set_bool_val, nargs='?', const=True, default=False, help="Enable MISP "
288 |                                                                                                       "attributes. "
289 |                                                                                                       "Boolean")
290 |     parser.add_argument('-mt', '--misp_type', choices=["eventid", "tag"], help="Specify whether you want to get "
291 |                                                                                "attributes for an event ID or tag")
292 |     parser.add_argument('-mv', '--misp_val', help="The value to pass according to the misp attribute type to search for")
293 |     parser.add_argument('-a', '--api', choices=["ld", "xdr"], required=True,
294 |                         help="[ld] - This will perform the search directly on endpoints which are put in the filter\n"
295 |                              "[xdr] - This will perform the search on the DataLake")
296 |     parser.add_argument('-ll', '--log_level', choices=['INFO', 'DEBUG', 'CRITICAL', 'WARNING', 'ERROR'],
297 |                         help="Set logging level mode for more detailed error information, default is disabled")
298 |     parser.add_argument('-o', '--output', choices=['stdout', 'json'], default="stdout",
299 |                         help="Allows you to specify an output method for the query list retrieved. If no option is "
300 |                              "selected it will default to stdout.")
301 | 
302 |     # parse the argument values to the arg variable
303 |     args = parser.parse_args()
304 | 
305 |     # Go to main with the arguments
306 |     main(args)
307 | 


--------------------------------------------------------------------------------
/sophos_central_api_connector/queries/live_discover_queries/ld_ioc_hunter.sql:
--------------------------------------------------------------------------------
  1 | /**********************************************************************\
  2 | | Parse the IOC JSON into useable objects                              |
  3 | \**********************************************************************/
  4 | 
  5 | WITH full_Key_Value AS
  6 |   (SELECT fullkey,
  7 |           value
  8 |    FROM json_tree(LOWER('$$IOC JSON$$'))
  9 |    WHERE TYPE NOT IN('array',
 10 |                      'object') ),
 11 |      fkv AS
 12 |   (SELECT SUBSTR(fullkey, INSTR(fullkey, "["), INSTR(fullkey, "]")-INSTR(fullkey, "[")+1) AS idx,
 13 |           CASE
 14 |               WHEN fullkey LIKE "%.indicator_type" THEN CAST(value AS TEXT)
 15 |           END AS indicator_type,
 16 |           CASE
 17 |               WHEN fullkey LIKE "%.data" THEN CAST(value AS TEXT)
 18 |           END AS ioc_data/*,
 19 |           CASE
 20 |               WHEN fullkey LIKE "%.note" THEN CAST(value AS TEXT)
 21 |           END AS ioc_description*/
 22 |    FROM full_Key_Value),
 23 |      ioc AS
 24 |   (SELECT a.idx AS aa,
 25 |           a.indicator_type AS indicator_type,
 26 |           b.ioc_data AS ioc_data/*,
 27 |           c.ioc_description AS ioc_description*/
 28 |    FROM fkv a
 29 |    INNER JOIN fkv b ON a.idx=b.idx
 30 |    /*INNER JOIN fkv c ON b.idx=c.idx*/
 31 |    WHERE a.indicator_type IS NOT NULL
 32 |      AND b.ioc_data IS NOT NULL
 33 |      /*AND c.ioc_description IS NOT NULL*/),
 34 | 
 35 | /**********************************************************************\
 36 | | The admin may want to search a large amount of data in the tables so |
 37 | | split time into 20 min chunks given the number hours specified       |
 38 | \**********************************************************************/
 39 | 
 40 | t_tbl(t_chunk) AS (
 41 |    VALUES ( (CAST ($$Start Search From$$ AS INT) ) )
 42 |    UNION ALL
 43 |    SELECT t_chunk+1200 FROM t_tbl WHERE t_chunk < (CAST ($$Start Search From$$ AS INT) + CAST( ($$Number of Hours of activity to search$$ * 3600) AS INT)))
 44 | 
 45 | /****************************************************************************\
 46 | | Check for matching domain or URL info seen in the specified lookback period|
 47 | \****************************************************************************/
 48 | 
 49 | SELECT
 50 |  CAST( datetime(spa.time,'unixepoch') AS TEXT) DATE_TIME,
 51 |  'MATCH FOUND' Detection,
 52 |  'sophos_process_activity' tbl_name,
 53 |  ioc.indicator_type,
 54 |  ioc.ioc_data,
 55 |  /*ioc.ioc_description,*/
 56 |  spa.subject,
 57 |  spa.SophosPID,
 58 |  CAST ( (select replace(spa.pathname, rtrim(spa.pathname, replace(spa.pathname, '\', '')), '')) AS TEXT) process_name,
 59 |  spa.action,
 60 |  spa.object,
 61 |  spa.url
 62 | FROM t_tbl
 63 |  LEFT JOIN ioc ON LOWER(ioc.indicator_type) IN ('domain', 'url')
 64 |  LEFT JOIN sophos_process_activity spa ON spa.subject IN ('Http','Url','Network') AND spa.time >= t_tbl.t_chunk and spa.time <= t_tbl.t_chunk+1200
 65 | WHERE spa.url LIKE ioc.ioc_data
 66 | 
 67 | UNION ALL
 68 | 
 69 | /****************************************************************************\
 70 | | Check for matching IP info seen in the specified lookback period           |
 71 | \****************************************************************************/
 72 | 
 73 | SELECT
 74 |  CAST( datetime(spa.time,'unixepoch') AS TEXT) DATE_TIME,
 75 |  'MATCH FOUND' Detection,
 76 |  'sophos_process_activity' tbl_name,
 77 |  ioc.indicator_type,
 78 |  ioc.ioc_data,
 79 |  /*ioc.ioc_description,*/
 80 |  spa.subject,
 81 |  spa.SophosPID,
 82 |  CAST ( (select replace(spa.pathname, rtrim(spa.pathname, replace(spa.pathname, '\', '')), '')) AS TEXT) process_name,
 83 |  spa.action,
 84 |  spa.object,
 85 |  spa.url
 86 | FROM t_tbl
 87 |  LEFT JOIN ioc ON LOWER(ioc.indicator_type) IN('ip')
 88 |  LEFT JOIN sophos_process_activity spa ON spa.subject IN ('Http','Ip','Network') AND spa.time >= t_tbl.t_chunk and spa.time <= t_tbl.t_chunk+1200
 89 | WHERE spa.source LIKE ioc.ioc_data OR spa.destination LIKE ioc.ioc_data
 90 | 
 91 | UNION ALL
 92 | 
 93 | /***********************************************************************************\
 94 | | Check for matching port info seen in the specified lookback period                |
 95 | \***********************************************************************************/
 96 | 
 97 | SELECT
 98 |  CAST( datetime(spa.time,'unixepoch') AS TEXT) DATE_TIME,
 99 |  'MATCH FOUND' Detection,
100 |  'sophos_process_activity' tbl_name,
101 |  ioc.indicator_type,
102 |  ioc.ioc_data,
103 |  /*ioc.ioc_description,*/
104 |  spa.subject,
105 |  spa.SophosPID,
106 |  CAST ( (select replace(spa.pathname, rtrim(spa.pathname, replace(spa.pathname, '\', '')), '')) AS TEXT) process_name,
107 |  spa.action,
108 |  spa.object,
109 |  spa.destinationPort
110 | FROM t_tbl
111 |  LEFT JOIN ioc ON LOWER(ioc.indicator_type) IN('port')
112 |  LEFT JOIN sophos_process_activity spa ON spa.subject IN ('Http','Ip','Network') AND spa.time >= t_tbl.t_chunk and spa.time <= t_tbl.t_chunk+1200
113 | WHERE spa.destinationPort LIKE ioc.ioc_data
114 | 
115 | UNION ALL
116 | 
117 | /***********************************************************************************\
118 | | Check for matching sha256 info seen in the specified lookback period              |
119 | \***********************************************************************************/
120 | 
121 | SELECT
122 |  CAST( datetime(spj.time,'unixepoch') AS TEXT) DATE_TIME,
123 |  'MATCH FOUND' Detection,
124 |  'sophos_process_journal' tbl_name,
125 |  ioc.indicator_type,
126 |  ioc.ioc_data,
127 |  /*ioc.ioc_description,*/
128 |  'sophos_process_journal',
129 |  spj.SophosPID,
130 |  CAST ( (select replace(spj.pathname, rtrim(spj.pathname, replace(spj.pathname, '\', '')), '')) AS TEXT) process_name,
131 |  spj.eventtype,
132 |  'process execution',
133 |  spj.sha256
134 | FROM t_tbl
135 |  LEFT JOIN ioc ON LOWER(ioc.indicator_type) IN('sha256')
136 |  LEFT JOIN sophos_process_journal spj ON spj.time >= t_tbl.t_chunk and spj.time <= t_tbl.t_chunk+1200
137 | WHERE LOWER(spj.sha256) LIKE LOWER(ioc.ioc_data)
138 | 
139 | UNION ALL
140 | 
141 | /***********************************************************************************\
142 | | Check for matching process activity info seen in the specified lookback period|
143 | \***********************************************************************************/
144 | 
145 | SELECT
146 |  CAST( datetime(spa.time,'unixepoch') AS TEXT) DATE_TIME,
147 |  'MATCH FOUND' Detection,
148 |  'sophos_process_activity' tbl_name,
149 |  ioc.indicator_type,
150 |  ioc.ioc_data,
151 |  /*ioc.ioc_description,*/
152 |  spa.subject,
153 |  spa.SophosPID,
154 |  CAST ( (select replace(spa.pathname, rtrim(spa.pathname, replace(spa.pathname, '\', '')), '')) AS TEXT) process_name,
155 |  spa.action,
156 |  spa.object,
157 |  spa.pathname
158 | FROM t_tbl
159 |  LEFT JOIN ioc ON LOWER(ioc.indicator_type) IN('pathname', 'file_path', 'file_path_name', 'filename')
160 |  LEFT JOIN sophos_process_activity spa ON spa.subject IN ('Image','Process') AND spa.time >= t_tbl.t_chunk and spa.time <= t_tbl.t_chunk+1200
161 | WHERE LOWER(spa.pathname) LIKE LOWER(ioc.ioc_data) OR LOWER(spa.object) LIKE LOWER(ioc.ioc_data)
162 | 
163 | UNION ALL
164 | 
165 | /***********************************************************************************\
166 | | Check for matching file/directory on the CURRENT SATE of the device               |
167 | \***********************************************************************************/
168 | 
169 | SELECT DISTINCT
170 |  CAST( datetime(file.btime,'unixepoch') AS TEXT) DATE_TIME,
171 |  'MATCH FOUND' Detection,
172 |  'sophos_process_activity' tbl_name,
173 |  ioc.indicator_type,
174 |  ioc.ioc_data,
175 |  /*ioc.ioc_description,*/
176 |  'File_system',
177 |  '' ,
178 |  file.filename,
179 |  'on disk',
180 |  file.path,
181 |  ''
182 | FROM ioc
183 |  LEFT JOIN file ON LOWER(ioc.indicator_type) IN('pathname', 'file_path', 'file_path_name', 'filename') AND file.path LIKE ioc.ioc_data
184 | WHERE DATE_TIME <> ''


--------------------------------------------------------------------------------
/sophos_central_api_connector/queries/xdr_queries/xdr_ioc_hunter.sql:
--------------------------------------------------------------------------------
 1 | WITH RECURSIVE
 2 |    -- Decompose the JSON structure into a temporary table
 3 |    Extract_from_JSON(idata, ind_type, ind_data, entry) AS (
 4 |       VALUES (lower('$$IOC_JSON$$'), json_extract_scalar('$$IOC_JSON$$', '$.ioc_data[0].indicator_type'), json_extract_scalar('$$IOC_JSON$$', '$.ioc_data[0].data'), 0)
 5 |       UNION ALL
 6 |       SELECT
 7 |          idata,
 8 |          json_extract_scalar(idata, '$.ioc_data['||CAST(entry+1 AS VARCHAR)||'].indicator_type'),
 9 |          json_extract_scalar(idata, '$.ioc_data['||CAST(entry+1 AS VARCHAR)||'].data'), entry + 1
10 |       FROM Extract_from_JSON
11 |       WHERE json_extract_scalar(idata, '$.ioc_data['||CAST(entry+1 AS VARCHAR)||'].indicator_type') > ''
12 |    ),
13 | 
14 |    ioc_list (indicator_type, ioc_data) AS (
15 |       SELECT
16 |          LOWER(ind_type) ind_type,
17 |          LOWER(REPLACE(ind_data,'\\','\')) ind_data  -- Convert path info with \\ to simply one \
18 |       FROM
19 |          Extract_from_JSON
20 |       ORDER by entry ASC
21 |    ),
22 | Detections (timestamps, time, indicator_type, ioc_data, Detection_Type, ep_name, os_name, os_platform, os_version, name, path, sha1, sha256, destination_ip, domain, query_name) AS (
23 |    SELECT
24 |        timestamps AS time,
25 |        time,
26 |        ioc_list.indicator_type,
27 |        ioc_list.ioc_data,
28 |        CASE indicator_type
29 |           WHEN 'ip' THEN (SELECT 'Destination IP MATCH' WHERE LOWER(destination_ip) LIKE ioc_data )
30 |           WHEN 'domain' THEN (SELECT 'DOMAIN MATCH' WHERE LOWER(domain) LIKE ioc_data )
31 |           WHEN 'url' THEN (SELECT 'DOMAIN MATCH' WHERE LOWER(domain) LIKE ioc_data )
32 |           WHEN 'filepath' THEN (SELECT 'FilePath MATCH' WHERE LOWER(path) LIKE ioc_data )
33 |           WHEN 'file_path' THEN (SELECT 'FilePath MATCH' WHERE LOWER(path) LIKE ioc_data )
34 |           WHEN 'file_path_name' THEN (SELECT 'FilePath MATCH' WHERE LOWER(path) LIKE ioc_data )
35 |           WHEN 'pathname' THEN (SELECT 'FilePath MATCH' WHERE LOWER(path) LIKE ioc_data )
36 |           WHEN 'filename' THEN (SELECT 'FileName MATCH' WHERE LOWER(name) LIKE ioc_data )
37 |           WHEN 'sha1' THEN (SELECT 'SHA1 MATCH' WHERE LOWER(sha1) LIKE ioc_data )
38 |           WHEN 'sha256' THEN (SELECT 'SHA256 MATCH' WHERE LOWER(sha256) LIKE ioc_data )
39 |           ELSE 'UNKNOWN MATCH METHOD'
40 |        END Detection_Type,
41 |        LOWER(meta_hostname) AS ep_name,
42 |        meta_os_name AS os_name,
43 |        meta_os_platform AS os_platform,
44 |        meta_os_version AS os_version,
45 |        name,
46 |        path,
47 |        sha1,
48 |        sha256,
49 |        destination_ip,
50 |        domain,
51 |        query_name
52 |    FROM
53 |       xdr_data
54 |    JOIN ioc_list ON
55 |       LOWER(domain) LIKE ioc_data OR
56 |       LOWER(destination_ip) LIKE ioc_data  OR
57 |       LOWER(path) LIKE ioc_data OR
58 |       LOWER(sha1) LIKE ioc_data OR
59 |       LOWER(sha256) LIKE ioc_data OR
60 | 	  LOWER(name) LIKE ioc_data
61 |    )
62 | SELECT
63 |        *
64 | FROM
65 |      Detections
66 | WHERE
67 |       Detection_Type > ''


--------------------------------------------------------------------------------
/sophos_central_api_connector/sophos_central_api_auth.py:
--------------------------------------------------------------------------------
  1 | import requests
  2 | import logging
  3 | import getpass
  4 | import json
  5 | import configparser as cp
  6 | import sophos_central_api_connector.config.sophos_central_api_config as api_conf
  7 | import sophos_central_api_connector.sophos_central_api_tenants as api_tenant
  8 | import sophos_central_api_connector.sophos_central_api_connector_utils as api_utils
  9 | import sophos_central_api_connector.sophos_central_api_awssecrets as awssecret
 10 | 
 11 | 
 12 | def ten_auth():
 13 |     sophos_conf_path = api_conf.sophos_conf_path
 14 |     sophos_final_path = api_utils.get_file_location(sophos_conf_path)
 15 | 
 16 |     sophos_conf = cp.ConfigParser(allow_no_value=True)
 17 |     sophos_conf.read(sophos_final_path)
 18 |     secret_name = sophos_conf.get('aws', 'secret_name')
 19 |     region_name = sophos_conf.get('aws', 'region_name')
 20 | 
 21 |     if secret_name and region_name:
 22 |         try:
 23 |             # Pull the credentials from AWS Secret Manager and pass to initialise Sophos Central API
 24 |             aws_secret = awssecret.get_secret(secret_name, region_name)
 25 |             client_id = aws_secret['client_id']
 26 |             client_secret = aws_secret['client_secret']
 27 |             logging.info(
 28 |                 "Values have been applied to the credential variables, attempt to initialize Sophos Central API")
 29 |         except Exception as aws_exception:
 30 |             # Return the exception raised from the aws secrets script
 31 |             raise aws_exception
 32 |     else:
 33 |         logging.info("No AWS creds set in config. Requesting client_id and client_secret")
 34 |         client_id = getpass.getpass(prompt="Provide Sophos Central API Client ID: ", stream=None)
 35 |         if client_id:
 36 |             client_secret = getpass.getpass(prompt="Provide Sophos Central API Client Secret: ", stream=None)
 37 |         else:
 38 |             logging.critical("No Client ID provided. Exiting")
 39 |             exit(1)
 40 | 
 41 |     # Set authorisation and whoami URLs
 42 |     auth_url = api_conf.auth_uri
 43 |     whoami_url = api_conf.whoami_uri
 44 |     partner_url = api_conf.tenants_ptr_uri
 45 |     organization_url = api_conf.tenants_org_uri
 46 | 
 47 |     # Get Sophos Central API Bearer Token for authorisation
 48 |     sophos_access_token = get_bearer_tok(client_id, client_secret, auth_url)
 49 | 
 50 |     # Construct id_headers
 51 |     headers = validate_id_headers(sophos_access_token)
 52 | 
 53 |     # Lookup up the unique ID assigned to the business entity for Sophos Central API
 54 |     whoami_id, whoami_type, whoami_data = get_whoami_data(headers, whoami_url)
 55 | 
 56 |     # Obtain correct whoami uri/header based on the whoami type
 57 |     header_type, tenant_url = validate_whoami_type(whoami_type, whoami_data, partner_url, organization_url)
 58 | 
 59 |     # Construct tenant headers
 60 |     tenant_headers = api_tenant.gen_tenant_headers(headers, whoami_id, whoami_type, header_type)
 61 | 
 62 |     # Check and gather tenant information
 63 |     if whoami_type == "tenant":
 64 |         tenant_info = api_tenant.type_tenant(tenant_headers, whoami_id, tenant_url, sophos_access_token)
 65 |     else:
 66 |         tenant_info = api_tenant.get_tenant_info(headers, tenant_url, sophos_access_token)
 67 | 
 68 |     return tenant_info
 69 | 
 70 | 
 71 | def get_bearer_tok(client_id, client_secret, auth_url):
 72 |     # Call the auth section by passing the client_id and client_secret information
 73 |     logging.info("Beginning authorisation process")
 74 |     # construct url for obtaining access_token
 75 |     logging.info("Obtaining Sophos Central API Authorisation URI")
 76 |     # set the initial header information
 77 |     logging.info("Setting basic header information for Sophos Central API")
 78 |     # set the headers
 79 |     headers = {"Content-Type": "application/x-www-form-urlencoded"}
 80 |     data_tok = "grant_type=client_credentials&client_id={0}&client_secret={1}&scope=token".format(client_id,
 81 |                                                                                                   client_secret)
 82 | 
 83 |     # post the url and api key information to obtain access_token
 84 |     logging.info("Getting the bearer token for Sophos Central API")
 85 |     res = requests.post(auth_url, headers=headers, data=data_tok)
 86 |     res_code = res.status_code
 87 |     res_data = res.json()
 88 |     # Check the response and act accordingly
 89 |     if res_code == 200:
 90 |         # Send back the access token and headers
 91 |         sophos_access_token = res_data['access_token']
 92 |         logging.info("Successfully obtained the bearer token")
 93 |         return sophos_access_token
 94 |     else:
 95 |         # Failed to obtain a bearer token
 96 |         logging.error("Failed to obtain the bearer token")
 97 |         res_error_code = res_data['errorCode']
 98 |         res_message = "Response Code: {0} Message: {1}".format(res_code, res_data['message'])
 99 |         return None, res_message, res_error_code
100 | 
101 | 
102 | def validate_id_headers(sophos_access_token):
103 |     # Check whether we have a valid bearer token
104 |     if sophos_access_token[0] is not None:
105 |         # apply the bearer token to the headers and start getting org_id
106 |         logging.info("Applying the bearer token to the 'Authorization' headers")
107 |         headers = {
108 |             "Authorization": "Bearer {0}".format(sophos_access_token),
109 |             "Accept": "application/json"
110 |         }
111 |         return headers
112 |     else:
113 |         # print the response code and message along with the error code
114 |         logging.error("There is no valid bearer token present")
115 |         logging.error(sophos_access_token[1])
116 |         logging.error(sophos_access_token[2])
117 |         exit(1)
118 | 
119 | 
120 | def get_whoami_data(headers, whoami_url):
121 |     # construct the url for obtaining the organisation uuid
122 | 
123 |     # send the request to get the whoami id details
124 |     logging.info("Attempting to get whoami ID")
125 |     try:
126 |         res_whoami = requests.get(whoami_url, headers=headers)
127 |         res_whoami.raise_for_status()
128 |     except requests.exceptions.RequestException as res_exception:
129 |         logging.error("Failed to obtain the whoami ID")
130 |         whoami_data = res_whoami.json()
131 |         logging.error(res_exception)
132 |         logging.error(json.dumps(whoami_data, indent=2))
133 |         exit(1)
134 |     else:
135 |         whoami_data = res_whoami.json()
136 |         whoami_id = whoami_data['id']
137 |         whoami_type = whoami_data['idType']
138 |         logging.info("Successfully obtained whoami ID")
139 |         return whoami_id, whoami_type, whoami_data
140 | 
141 | 
142 | def validate_whoami_type(whoami_type, whoami_data, partner_url, organization_url):
143 |     # apply the uuid to the variable and add it to the correct header type
144 |     if whoami_type == "partner":
145 |         logging.info("whoami type is 'partner'")
146 |         header_type = "X-Partner-ID"
147 |         tenant_url = partner_url
148 |         return header_type, tenant_url
149 |     elif whoami_type == "organization":
150 |         logging.info("whoami type is 'organization'")
151 |         header_type = "X-Organization-ID"
152 |         tenant_url = organization_url
153 |         return header_type, tenant_url
154 |     elif whoami_type == "tenant":
155 |         logging.info("whoami type is 'tenant'")
156 |         header_type = "X-Tenant-ID"
157 |         tenant_url = whoami_data['apiHosts']['dataRegion']
158 |         return header_type, tenant_url
159 | 


--------------------------------------------------------------------------------
/sophos_central_api_connector/sophos_central_api_awssecrets.py:
--------------------------------------------------------------------------------
 1 | # Use this code snippet in your app.
 2 | # If you need more information about configurations or implementing the sample code, visit the AWS docs:   
 3 | # https://aws.amazon.com/developers/getting-started/python/
 4 | 
 5 | import json
 6 | import boto3
 7 | import base64
 8 | import logging
 9 | from botocore.exceptions import ClientError
10 | 
11 | 
12 | def get_secret(secret_name, region_name):
13 |     # Create a Secrets Manager client
14 |     session = boto3.session.Session()
15 |     client = session.client(
16 |         service_name='secretsmanager',
17 |         region_name=region_name
18 |     )
19 | 
20 |     # In this sample we only handle the specific exceptions for the 'GetSecretValue' API.
21 |     # See https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
22 |     # We rethrow the exception by default.
23 | 
24 |     try:
25 |         get_secret_value_response = client.get_secret_value(
26 |             SecretId=secret_name
27 |         )
28 |     except ClientError as e:
29 |         if e.response['Error']['Code'] == 'DecryptionFailureException':
30 |             # Secrets Manager can't decrypt the protected secret text using the provided KMS key.
31 |             # Deal with the exception here, and/or rethrow at your discretion.
32 |             raise e
33 |         elif e.response['Error']['Code'] == 'InternalServiceErrorException':
34 |             # An error occurred on the server side.
35 |             # Deal with the exception here, and/or rethrow at your discretion.
36 |             raise e
37 |         elif e.response['Error']['Code'] == 'InvalidParameterException':
38 |             # You provided an invalid value for a parameter.
39 |             # Deal with the exception here, and/or rethrow at your discretion.
40 |             raise e
41 |         elif e.response['Error']['Code'] == 'InvalidRequestException':
42 |             # You provided a parameter value that is not valid for the current state of the resource.
43 |             # Deal with the exception here, and/or rethrow at your discretion.
44 |             raise e
45 |         elif e.response['Error']['Code'] == 'ResourceNotFoundException':
46 |             # We can't find the resource that you asked for.
47 |             # Deal with the exception here, and/or rethrow at your discretion.
48 |             raise e
49 |         elif e.response['Error']['Code'] == 'ExpiredTokenException':
50 |             # If you are using a SAML to AWS STS Keys or another token.
51 |             # This error is raised to advise the token is expired
52 |             raise e
53 |     else:
54 |         # Decrypts secret using the associated KMS CMK.
55 |         # Depending on whether the secret is a string or binary, one of these fields will be populated.
56 |         if 'SecretString' in get_secret_value_response:
57 |             logging.info("Got some aws secret info!")
58 |             secret = json.loads(get_secret_value_response['SecretString'])
59 |             return secret
60 |         else:
61 |             logging.info("Got some aws secret info!")
62 |             secret = base64.b64decode(get_secret_value_response['SecretBinary'])
63 |             return secret
64 | 


--------------------------------------------------------------------------------
/sophos_central_api_connector/sophos_central_api_connector_utils.py:
--------------------------------------------------------------------------------
  1 | import logging
  2 | import requests
  3 | import shutil
  4 | import json
  5 | from requests.utils import requote_uri
  6 | from datetime import datetime, timedelta
  7 | from time import sleep
  8 | from os import path
  9 | from sophos_central_api_connector.config import sophos_central_api_config as api_conf
 10 | 
 11 | # static global entries for the urls of the apis for Sophos Central
 12 | endpoint_url = api_conf.endpoints_uri
 13 | alerts_url = api_conf.alerts_uri
 14 | settings_url = api_conf.settings_uri
 15 | livediscover_url = api_conf.livediscover_uri
 16 | xdr_url = api_conf.xdr_uri
 17 | firewall_url = api_conf.firewall_uri
 18 | firewall_grp_url = api_conf.fw_grps_uri
 19 | admins_url = api_conf.admins_uri
 20 | roles_url = api_conf.roles_uri
 21 | 
 22 | 
 23 | def gather_category_data(tenant_info):
 24 |     # create url for the category information
 25 |     logging.info("Gathering categorization data")
 26 |     url_values = tenant_info.values()
 27 |     url_iter = iter(url_values)
 28 |     cat_url = next(url_iter)
 29 |     pageurl = "{0}{1}{2}".format(cat_url["page_url"], settings_url, "/web-control/categories")
 30 |     headers = dict(cat_url['headers'])
 31 | 
 32 |     try:
 33 |         cat_res = requests.get(pageurl, headers=headers)
 34 |     except requests.exceptions.HTTPError as err_http:
 35 |         logging.error("HTTP Error:", err_http)
 36 |         logging.info(err_http)
 37 |     # if rate limit is hit then attempt to restrict
 38 |     if cat_res.status_code == 429:
 39 |         error = True
 40 |         logging.info("Error {0}: Backing off!".format(cat_res.status_code))
 41 |         while error:
 42 |             try:
 43 |                 ep_res = requests.get(pageurl, headers=headers)
 44 |             except requests.exceptions.HTTPError as err_http:
 45 |                 logging.error("HTTP Error:", err_http)
 46 |                 logging.info(err_http)
 47 |                 if cat_res.status_code == 200:
 48 |                     ep_data = cat_res.json()
 49 |                     return ep_data
 50 |                 elif cat_res.status_code == 429:
 51 |                     logging.error("Still hitting the rate limit!")
 52 |                     sleep(delay_time)
 53 |                     delay_time = delay_time * 2
 54 |                     logging.info("Delayed by: {0}".format(delay_time))
 55 |                 elif cat_res.status_code != 200:
 56 |                     logging.error("Response code is not 200")
 57 |                     raise Exception('API response: {0}'.format(cat_res.status_code))
 58 |     elif cat_res.status_code == 200:
 59 |         # success response pass back data to build json
 60 |         logging.debug(cat_res.headers)
 61 |         ep_data = cat_res.json()
 62 |         return ep_data
 63 |     else:
 64 |         # details on the response code and error
 65 |         logging.error("Response Code: {0}".format(cat_res.status_code))
 66 |         logging.error("Error Details: {0}".format(cat_res.content))
 67 | 
 68 | 
 69 | def generate_tenant_urls(tenant_info, page_size, api, from_str, to_str):
 70 |     # dependent on the api type passed this will generate the appropriate headers
 71 |     logging.info("Generating tenant URL data")
 72 |     # create a dictionary ready to apply the headers for each of the tenants
 73 |     tenant_url_data = dict()
 74 |     if api == "endpoint":
 75 |         # api for endpoint has been passed. For loop to generate the headers for each of the tenant ids
 76 |         for ten_id, ten_item in tenant_info.items():
 77 |             tenant_url_data[ten_id] = {
 78 |                 "filename": "{0}{1}{2}{3}".format(ten_item["name"], "_", ten_id, ".json"),
 79 |                 "orig_url": "{0}{1}".format(ten_item["page_url"], endpoint_url),
 80 |                 "pageurl": "{0}{1}?pageSize={2}".format(ten_item['page_url'], endpoint_url, page_size),
 81 |                 "headers": ten_item["headers"]
 82 |             }
 83 |         return tenant_url_data
 84 |     elif api == "common":
 85 |         # api for common has been passed. For loop to generate the headers for each of the tenant ids
 86 |         for ten_id, ten_item in tenant_info.items():
 87 |             # decoded orig_url
 88 |             decoded_orig_url = str("{0}{1}?from={2}&to={3}".format(ten_item["page_url"], alerts_url, from_str, to_str))
 89 |             # a decoded url is constructed from the variables
 90 |             decoded_url = str("{0}{1}?from={2}&to={3}&pageSize={4}".format(ten_item["page_url"],
 91 |                                                                            alerts_url, from_str, to_str, page_size))
 92 |             # the decoded urls are encoded so they are valid urls to be passed
 93 |             pageurl = requote_uri(decoded_url)
 94 |             orig_url = requote_uri(decoded_orig_url)
 95 |             tenant_url_data[ten_id] = {
 96 |                 "filename": "{0}{1}{2}{3}".format(ten_item["name"], "_", ten_id, ".json"),
 97 |                 "url": "{0}".format(ten_item["page_url"]),
 98 |                 "orig_url": orig_url,
 99 |                 "pageurl": pageurl,
100 |                 "headers": ten_item["headers"]
101 |             }
102 |         return tenant_url_data
103 |     elif api == "local-sites":
104 |         # api for local sites has been passed. For loop to generate the headers for each of the tenant ids
105 |         for ten_id, ten_item in tenant_info.items():
106 |             tenant_url_data[ten_id] = {
107 |                 "filename": "{0}{1}{2}{3}".format(ten_item["name"], "_", ten_id, ".json"),
108 |                 "orig_url": "{0}{1}{2}".format(ten_item["page_url"], settings_url, "/web-control/local-sites"),
109 |                 "pageurl": "{0}{1}{2}?pageSize={3}".format(ten_item['page_url'], settings_url,
110 |                                                            "/web-control/local-sites", page_size),
111 |                 "headers": ten_item["headers"]
112 |             }
113 |         return tenant_url_data
114 |     elif api == "live-discover":
115 |         # api for live discover has been passed. For loop to generate the headers for each of the tenant ids
116 |         for ten_id, ten_item in tenant_info.items():
117 |             tenant_url_data[ten_id] = {
118 |                 "filename": "{0}{1}{2}{3}".format(ten_item["name"], "_", ten_id, ".json"),
119 |                 "url": "{0}".format(ten_item["page_url"]),
120 |                 "orig_url": "{0}{1}".format(ten_item["page_url"], livediscover_url),
121 |                 "pageurl": "{0}{1}?pageSize={2}".format(ten_item['page_url'], livediscover_url, page_size),
122 |                 "name": "{0}".format(ten_item["name"]),
123 |                 "headers": ten_item["headers"]
124 |             }
125 |         return tenant_url_data
126 |     elif api == "xdr-datalake":
127 |         # api for xdr has been passed. For loop to generate the headers for each of the tenant ids
128 |         for ten_id, ten_item in tenant_info.items():
129 |             tenant_url_data[ten_id] = {
130 |                 "filename": "{0}{1}{2}{3}".format(ten_item["name"], "_", ten_id, ".json"),
131 |                 "url": "{0}".format(ten_item["page_url"]),
132 |                 "orig_url": "{0}{1}".format(ten_item["page_url"], xdr_url),
133 |                 "pageurl": "{0}{1}?pageSize={2}".format(ten_item['page_url'], xdr_url, page_size),
134 |                 "name": "{0}".format(ten_item["name"]),
135 |                 "headers": ten_item["headers"]
136 |             }
137 |         return tenant_url_data
138 |     elif api == "firewall":
139 |         # api for firewalls has been passed. For loop to generate the headers for each of the tenant ids
140 |         for ten_id, ten_item in tenant_info.items():
141 |             tenant_url_data[ten_id] = {
142 |             "filename": "{0}{1}{2}{3}".format(ten_item["name"], "_", ten_id, ".json"),
143 |             "orig_url": "{0}{1}".format(ten_item["page_url"], firewall_url),
144 |             "pageurl": "{0}{1}?pageSize={2}".format(ten_item['page_url'], firewall_url, page_size),
145 |             "headers": ten_item["headers"]
146 |             }
147 |         return tenant_url_data
148 |     elif api == "firewall_groups":
149 |         # api for firewall groups has been passed. For loop to generate the headers for each of the tenant ids
150 |         for ten_id, ten_item in tenant_info.items():
151 |             tenant_url_data[ten_id] = {
152 |             "filename": "{0}{1}{2}{3}".format(ten_item["name"], "_", ten_id, ".json"),
153 |             "orig_url": "{0}{1}".format(ten_item["page_url"], firewall_grp_url),
154 |             "pageurl": "{0}{1}?pageSize={2}".format(ten_item['page_url'], firewall_grp_url, page_size),
155 |             "headers": ten_item["headers"]
156 |             }
157 |         return tenant_url_data
158 |     elif api == "admins":
159 |         # api for admins has been passed. For loop to generate the headers for each of the tenant ids
160 |         for ten_id, ten_item in tenant_info.items():
161 |             tenant_url_data[ten_id] = {
162 |             "filename": "{0}{1}{2}{3}".format(ten_item["name"], "_", ten_id, ".json"),
163 |             "orig_url": "{0}{1}".format(ten_item["page_url"], admins_url),
164 |             "pageurl": "{0}{1}?pageSize={2}".format(ten_item['page_url'], admins_url, page_size),
165 |             "headers": ten_item["headers"]
166 |             }
167 |         return tenant_url_data
168 |     elif api == "roles":
169 |         # api for roles has been passed. For loop to generate the headers for each of the tenant ids
170 |         for ten_id, ten_item in tenant_info.items():
171 |             tenant_url_data[ten_id] = {
172 |             "filename": "{0}{1}{2}{3}".format(ten_item["name"], "_", ten_id, ".json"),
173 |             "orig_url": "{0}{1}".format(ten_item["page_url"], roles_url),
174 |             "pageurl": "{0}{1}?pageSize={2}".format(ten_item['page_url'], roles_url, page_size),
175 |             "headers": ten_item["headers"]
176 |             }
177 |         return tenant_url_data
178 |     else:
179 |         # this is return if an invalid api variable is supplied
180 |         logging.critical("The {0} API does not appear to exist.".format(api))
181 |         exit(1)
182 | 
183 | 
184 | def build_json_data(ep_item_data, json_items, event_count):
185 |     # from the item data retrieved build json with event count
186 |     for item in ep_item_data:
187 |         event_count += 1
188 |         json_items[event_count] = item
189 |     return json_items, event_count
190 | 
191 | 
192 | def calculate_from_to(days, poll_date):
193 |     # dependent on whether polling has been selected and the number of days passed to calculate the from/to dates
194 |     def calc_from(polling_date, delta_calc, time_now):
195 |         # This calculates the from date based on the information in the poll config date passed
196 |         if polling_date:
197 |             less_delta = (polling_date - delta_calc)
198 |             start = '{0:%Y-%m-%dT%H:%M:%S.%fZ}'.format(less_delta)
199 |             # Need to remove milliseconds from the calculated date so it is accepted by Sophos Central API
200 |             start = start[:-4]
201 |             start = "{0}Z".format(start)
202 |             return start
203 |         else:
204 |             # calculate the from date by the value of delta
205 |             less_delta = (time_now - delta_calc)
206 |             pre_start = datetime.combine(less_delta, datetime.min.time())
207 |             new_start = pre_start.strftime('%Y-%m-%dT%H:%M:%S.%f')
208 |             # Need to remove milliseconds from the calculated date so it is accepted by Sophos Central API
209 |             new_start = new_start[:-3]
210 |             new_start = "{0}Z".format(new_start)
211 |             return new_start
212 | 
213 |     # calculate the datetime now
214 |     now = datetime.utcnow()
215 |     time = "days"
216 |     # delta is calculated by the number of days passed
217 |     delta = timedelta(**{time: days})
218 |     logging.debug("now={0}, time={1}, delta={2}".format(now, time, delta))
219 |     # send to calc_from function to get formatted datetime
220 |     from_str = calc_from(poll_date, delta, now)
221 | 
222 |     # calculate the to date from now.
223 |     new_to = now.strftime('%Y-%m-%dT%H:%M:%S.%f')
224 |     # Need to remove milliseconds from the calculated date so it is accepted by Sophos Central API
225 |     new_to = new_to[:-3]
226 |     to_str = "{0}Z".format(new_to)
227 |     logging.debug("to_str={0}, from_str={1}".format(to_str, from_str))
228 |     return to_str, from_str
229 | 
230 | 
231 | def validate_page_size(page_size, api):
232 |     # The sophos central api has a number page size which can be retrieved. The max is set in the
233 |     # sophos_central_api_config.py. Below verifies that the sizes set in sophos_config.ini are within limits
234 |     if api == "endpoint":
235 |         # Verify the page sizes for the endpoint api
236 |         logging.info("Verifying page size requested")
237 |         if page_size == "":
238 |             # if no value is set then a default value is passed for this variable
239 |             logging.info("No value set in the config. Apply default.")
240 |             page_size = 50
241 |         elif int(page_size) > api_conf.max_inv_page:
242 |             # Returns an error if the size of the page passed is greater than the max
243 |             logging.error("Inventory page size has a max of: {0}".format(api_conf.max_inv_page))
244 |             logging.critical("Please ensure that the value in config.ini is less than or equal to this")
245 |             exit(1)
246 |         elif int(page_size) <= api_conf.max_inv_page:
247 |             # Continues if the page size set is less than or equal to the max
248 |             logging.info("Applying setting from config. Setting is less than or equal to the maximum allowed")
249 |             pass
250 |     elif api == "common":
251 |         # Verify the page sizes for the common api
252 |         if page_size == "":
253 |             # set a limit if no page_size is passed
254 |             logging.info("No value set in the config. Apply default.")
255 |             page_size = 50
256 |         elif int(page_size) <= api_conf.max_alerts_page:
257 |             # Continues if the page size set is less than or equal to the max
258 |             logging.info("Applying setting from config. Setting is less than or equal to the maximum allowed")
259 |             pass
260 |         elif int(page_size) > api_conf.max_alerts_page:
261 |             # Returns an error if the size of the page passed is greater than the max
262 |             logging.error("Alerts page size has a max of: {0}".format(api_conf.max_alerts_page))
263 |             logging.critical("Please ensure that the value in config.ini is less than or equal to this")
264 |             exit(1)
265 |     elif api == "local-sites":
266 |         # Verify the page sizes for the local sites api
267 |         if page_size == "":
268 |             # set a limit if no page_size is passed
269 |             logging.info("No value set in the config. Apply default.")
270 |             page_size = 50
271 |         elif int(page_size) <= api_conf.max_localsite_page:
272 |             # Continues if the page size set is less than or equal to the max
273 |             logging.info("Applying setting from config. Setting is less than or equal to the maximum allowed")
274 |             pass
275 |         elif int(page_size) > api_conf.max_localsite_page:
276 |             # Returns an error if the size of the page passed is greater than the max
277 |             logging.error("Local Sites page size has a max of: {0}".format(api_conf.max_localsite_page))
278 |             logging.critical("Please ensure that the value in config.ini is less than or equal to this")
279 |             exit(1)
280 |     elif api == "firewall":
281 |             # Verify the page sizes for the firewall api
282 |             logging.info("Verifying page size requested")
283 |             if page_size == "":
284 |                 # if no value is set then a default value is passed for this variable
285 |                 logging.info("No value set in the config. Apply default.")
286 |                 page_size = 100
287 |             elif int(page_size) > api_conf.max_fw_page:
288 |                 # Returns an error if the size of the page passed is greater than the max
289 |                 logging.error("Inventory page size has a max of: {0}".format(api_conf.max_fw_page))
290 |                 logging.critical("Please ensure that the value in config.ini is less than or equal to this")
291 |                 exit(1)
292 |             elif int(page_size) <= api_conf.max_fw_page:
293 |                 # Continues if the page size set is less than or equal to the max
294 |                 logging.info("Applying setting from config. Setting is less than or equal to the maximum allowed")
295 |                 pass
296 |     elif api == "firewall_groups":
297 |             # Verify the page sizes for the firewall groups api
298 |             logging.info("Verifying page size requested")
299 |             if page_size == "":
300 |                 # if no value is set then a default value is passed for this variable
301 |                 logging.info("No value set in the config. Apply default.")
302 |                 page_size = 100
303 |             elif int(page_size) > api_conf.max_fw_grps_page:
304 |                 # Returns an error if the size of the page passed is greater than the max
305 |                 logging.error("Inventory page size has a max of: {0}".format(api_conf.max_fw_grps_page))
306 |                 logging.critical("Please ensure that the value in config.ini is less than or equal to this")
307 |                 exit(1)
308 |             elif int(page_size) <= api_conf.max_fw_grps_page:
309 |                 # Continues if the page size set is less than or equal to the max
310 |                 logging.info("Applying setting from config. Setting is less than or equal to the maximum allowed")
311 |                 pass
312 |     elif api == "admins":
313 |             # Verify the page sizes for the admin api
314 |             logging.info("Verifying page size requested")
315 |             if page_size == "":
316 |                 # if no value is set then a default value is passed for this variable
317 |                 logging.info("No value set in the config. Apply default.")
318 |                 page_size = 100
319 |             elif int(page_size) > api_conf.max_admins_page:
320 |                 # Returns an error if the size of the page passed is greater than the max
321 |                 logging.error("Inventory page size has a max of: {0}".format(api_conf.max_admins_page))
322 |                 logging.critical("Please ensure that the value in config.ini is less than or equal to this")
323 |                 exit(1)
324 |             elif int(page_size) <= api_conf.max_admins_page:
325 |                 # Continues if the page size set is less than or equal to the max
326 |                 logging.info("Applying setting from config. Setting is less than or equal to the maximum allowed")
327 |                 pass
328 | 
329 |     return page_size
330 | 
331 | 
332 | def get_file_location(process_path):
333 |     dir_name = path.dirname(path.abspath(__file__))
334 |     final_path = "{0}{1}".format(dir_name, process_path)
335 |     return final_path
336 | 
337 | 
338 | def open_tmp_json(file):
339 |     # Open json file if available
340 |     try:
341 |         tmp_path = api_conf.temp_path
342 |         final_tmp_path = get_file_location(tmp_path)
343 |         with open(path.join(final_tmp_path, file), "r", encoding='utf-8') as tmp_file:
344 |             file = tmp_file.read()
345 | 
346 |         file_data = json.loads(file)
347 |     except IOError:
348 |         logging.error("Unable to open file: {0}".format(final_tmp_path))
349 | 
350 |     return file_data
351 | 
352 | 
353 | def clean_up():
354 |     tmp_path = api_conf.temp_path
355 |     final_tmp_path = get_file_location(tmp_path)
356 |     if not path.exists(final_tmp_path):
357 |         logging.info("Nothing to clean up")
358 |     else:
359 |         logging.info("Deleting: {0}".format(final_tmp_path))
360 |         try:
361 |             shutil.rmtree(final_tmp_path)
362 |         except OSError as err:
363 |             logging.error("Error: {0} - {1}".format(err.filename, err.strerror))
364 |         else:
365 |             logging.info("{0} dir and contents successfully deleted".format(final_tmp_path))
366 | 


--------------------------------------------------------------------------------
/sophos_central_api_connector/sophos_central_api_delete_data.py:
--------------------------------------------------------------------------------
 1 | import logging
 2 | import requests
 3 | 
 4 | 
 5 | def delete_local_site(del_dict, tenant_url_data):
 6 |     logging.info("Delete selected sites from local site data")
 7 |     processed_del_dict = dict()
 8 | 
 9 |     for ten_id, ten_item in tenant_url_data.items():
10 |         tenant_id = ten_id
11 |         logging.info("Deleting local sites for tenant: {0}".format(tenant_id))
12 |         for site_id, site_item in del_dict.items():
13 |             tenant_ref = site_item['tenantId']
14 |             if tenant_ref == tenant_id:
15 |                 orig_url = ten_item['orig_url']
16 |                 headers = ten_item['headers']
17 |                 ls_url = "{0}/{1}".format(orig_url, site_id)
18 |                 del_ls = requests.delete(ls_url, headers=headers)
19 |                 del_data = del_ls.json()
20 |                 del_status = del_data['deleted']
21 |                 del_date = del_ls.headers['date']
22 |                 logging.debug("Local Site ID: {0}, Deletion Status: {1}".format(site_id, del_status))
23 |             processed_del_dict[site_id] = {"tenantId": site_item['tenantId'], "intelixRisk": site_item['intelixRisk'],
24 |                                            "url": site_item['url'], "delStatus": del_status, "date": del_date}
25 |         logging.info("Completed deletion of local sites for tenant: {0}".format(tenant_id))
26 |     return processed_del_dict
27 | 


--------------------------------------------------------------------------------
/sophos_central_api_connector/sophos_central_api_get_data.py:
--------------------------------------------------------------------------------
  1 | import logging
  2 | import requests
  3 | from urllib.parse import quote_plus
  4 | from urllib3.util.retry import Retry
  5 | from requests.adapters import HTTPAdapter
  6 | from sophos_central_api_connector import sophos_central_api_connector_utils as api_utils
  7 | 
  8 | 
  9 | def get_data(tenant_url_data, page_size, tenant_id, api):
 10 |     # start the process to get the information from the api, this is standard function and is based on the url
 11 |     # the calculation is done through building the urls in sophos_central_api_connector_utils.py
 12 |     logging.debug("get data tenant info orig_url: {0}".format(tenant_url_data[tenant_id]['orig_url']))
 13 |     pageurl = tenant_url_data[tenant_id]['pageurl']
 14 |     orig_url = tenant_url_data[tenant_id]['orig_url']
 15 |     headers = tenant_url_data[tenant_id]['headers']
 16 |     logging.debug("Tenant URL data: {0}".format(tenant_url_data))
 17 |     json_items = dict()
 18 | 
 19 |     # gather page total information
 20 |     if api == "common":
 21 |         logging.info("No page totals available for this api: {0}".format(api))
 22 |         pg_total = None
 23 |     else:
 24 |         logging.info("Getting page totals for api: {0}".format(api))
 25 |         pagetotal_url = "{0}?pageTotal=true&pageSize={1}".format(orig_url, page_size)
 26 |         logging.info("page total url: {0}".format(pagetotal_url))
 27 |         pg_total = get_page_totals(pagetotal_url, headers)
 28 | 
 29 |     # get the first page of data from central api
 30 |     if api == "roles":
 31 |         ep_data = get_page(orig_url, headers)
 32 |     else:
 33 |         ep_data = get_page(pageurl, headers)
 34 | 
 35 |     # attribute the retrieved data from the json to item and page data variables
 36 |     if not ep_data or ep_data.get('error'):
 37 |         ep_item_data = None
 38 |     else:
 39 |         ep_item_data = ep_data['items']
 40 |         logging.debug(ep_item_data)
 41 |         ep_page_data = ep_data.get('pages')
 42 |         logging.debug("ep_page_data: {0}".format(ep_page_data))
 43 | 
 44 |         if isinstance(ep_page_data, dict):
 45 |             if "current" in ep_page_data:
 46 |                 page_no = ep_page_data['current']
 47 |             else:
 48 |                 page_no = None
 49 |         else:
 50 |             page_no = None
 51 | 
 52 |     if not ep_item_data:
 53 |         # Checks if any events have been obtained. If not then sets the next key to false
 54 |         logging.info("No data returned for this Tenant ID: '{0}'".format(tenant_id))
 55 |         next_key = False
 56 |         logging.debug(next_key)
 57 |     elif len(ep_item_data) == 0:
 58 |         # Checks if any events have been obtained. If not then sets the next key to false
 59 |         logging.info("There are no pages to process for this Tenant ID: '{0}'".format(tenant_id))
 60 |         next_key = False
 61 |         logging.debug(next_key)
 62 |     elif page_no == pg_total and (page_no is not None and pg_total is not None):
 63 |         # Checks if any events have been obtained. If not then sets the next key to false
 64 |         logging.info("There are no further pages to process for this Tenant ID: '{0}'".format(tenant_id))
 65 |         next_key = False
 66 |         logging.debug(next_key)
 67 |     else:
 68 |         # Does further checks if there is data. to verify whether we need to send for the next page of events
 69 |         if isinstance(ep_page_data, dict):
 70 |             findkey = 'nextKey'
 71 |             if findkey in ep_page_data:
 72 |                 # Only if the nextkey is present will we send further requests for data
 73 |                 logging.debug("Another page to process")
 74 |                 next_key = True
 75 |                 logging.debug(next_key)
 76 |             elif page_no is not None and page_no < pg_total:
 77 |                 # If the api does not contain a nextkey check whether it has more pages to process
 78 |                 logging.debug("Current page is lower than the total number of pages. Continue processing")
 79 |                 next_key = True
 80 |                 logging.debug(next_key)
 81 |             else:
 82 |                 # No nextkey is present we set next_key to false
 83 |                 logging.debug("There is no 'next' key present")
 84 |                 next_key = False
 85 |                 logging.debug(next_key)
 86 |         else:
 87 |             logging.info("There is no 'next' key present")
 88 |             next_key = False
 89 | 
 90 |     # set the event count to 0
 91 |     event_count = 0
 92 |     # build the json data for the items retrieved
 93 |     if not ep_item_data:
 94 |         pass
 95 |     else:
 96 |         json_items, event_count = api_utils.build_json_data(ep_item_data, json_items, event_count)
 97 |         logging.debug("Length of json: {0}".format(len(json_items)))
 98 | 
 99 |     # Check if there is a next page to process
100 |     while next_key:
101 |         # this will only trigger if the next_key variable is True
102 |         # send the relevant information to obtain the next page
103 |         next_key, pageurl = process_next_page(ep_page_data, page_size, orig_url, page_no, pg_total, api)
104 |         logging.debug("ep_page_data: {0}".format(ep_page_data))
105 |         if pageurl:
106 |             # will only run if the pageurl is not None
107 |             ep_data = get_page(pageurl, headers)
108 |             logging.debug(ep_data)
109 |             ep_item_data = ep_data.get('items')
110 |             ep_page_data = ep_data.get('pages')
111 |             if 'current' in ep_page_data.keys():
112 |                 page_no = ep_data.get('pages', {}).get('current')
113 |             else:
114 |                 page_no = None
115 |             # add the events obtained to the json data dictionary
116 |             json_items, event_count = api_utils.build_json_data(ep_item_data, json_items, event_count)
117 |             logging.debug("Length of json: {0}".format(len(json_items)))
118 |         else:
119 |             logging.info("No further pages to process")
120 | 
121 |     # Once the next_key is false return the json_items retrieved
122 |     logging.debug("JSON Data from get data: {0}".format(json_items))
123 |     return json_items
124 | 
125 | 
126 | def get_page(pageurl, headers):
127 |     # attempt to get data from sophos central api
128 |     logging.debug("get_page url passed: {0}".format(pageurl))
129 |     res_sess = requests.session()
130 |     retries = Retry(total=10, backoff_factor=0.1, status_forcelist=[500, 502, 503, 504, 429])
131 |     #retries = Retry(total=10, backoff_factor=0.1, status_forcelist=[502, 503, 504, 429])
132 |     res_sess.mount('https://', HTTPAdapter(max_retries=retries))
133 |     try:
134 |         logging.debug("Attempting to get page: {0}".format(pageurl))
135 |         ep_res = res_sess.get(pageurl, headers=headers)
136 |         ep_res.raise_for_status()
137 |         logging.info(ep_res.headers)
138 |     except requests.exceptions.HTTPError as err_http:
139 |         if ep_res.status_code == 403:
140 |             logging.error(ep_res.json)
141 |             resp_json = ep_res.json()
142 |             resp_msg = resp_json.get('message')
143 |             logging.error(resp_msg)
144 |             pass
145 |         else:
146 |             logging.error("Error Code: {0}".format(err_http.response))
147 |             logging.error("Error Message: {0}".format(ep_res.json()))
148 |     except requests.exceptions.ConnectionError as conn_err:
149 |         logging.error(conn_err)
150 |     finally:
151 |         # success response pass back data to build json
152 |         if ep_res:
153 |             ep_data = ep_res.json()
154 |         else:
155 |             ep_data = None
156 | 
157 |         ep_res.close()
158 |         return ep_data
159 | 
160 | 
161 | def process_next_page(ep_page_data, page_size, orig_url, page_no, pg_total, api):
162 |     # if a next_key has been provided the process next page function is called to construct the url based on api type
163 |     if 'nextKey' in ep_page_data.keys():
164 |         # builds new url is next_key present
165 |         d_ep_nextkey = ep_page_data['nextKey']
166 |         # encode next key
167 |         ep_nextkey = quote_plus(d_ep_nextkey)
168 |         logging.info(
169 |             "There is another page to process, resending request with new page from key: {0}".format(ep_nextkey))
170 |         if api == "common":
171 |             pageurl = "{0}&pageFromKey={1}&pageSize={2}".format(orig_url, ep_nextkey, page_size)
172 |         elif api == "endpoint":
173 |             pageurl = "{0}?pageFromKey={1}&pageSize={2}&view=full".format(orig_url, ep_nextkey, page_size)
174 |         else:
175 |             pageurl = "{0}?pageFromKey={1}&pageSize={2}".format(orig_url, ep_nextkey, page_size)
176 |         logging.debug(pageurl)
177 |         next_key = True
178 |         return next_key, pageurl
179 |     elif page_no is not None and page_no < pg_total:
180 |         # builds new url if page no. hasn't reached page total
181 |         page_no += 1
182 |         pageurl = "{0}?page={1}&pageSize={2}".format(orig_url, page_no, page_size)
183 |         logging.info("There is another page to process, resending request with new page value: {0}".format(page_no))
184 |         next_key = True
185 |         return next_key, pageurl
186 |     else:
187 |         # if there is no next_key then returns the next page as false to break out of while loop
188 |         next_key = False
189 |         pageurl = None
190 |         return next_key, pageurl
191 | 
192 | 
193 | def get_page_totals(url, headers):
194 |     logging.info("start gathering page totals")
195 |     try:
196 |         pagetotal_res = requests.get(url, headers=headers)
197 |         pagetotal_res.raise_for_status()
198 |     except requests.exceptions.HTTPError as http_err:
199 |         if pagetotal_res.status_code == 403:
200 |             logging.error(http_err)
201 |             logging.error(pagetotal_res.json())
202 |             pass
203 |         elif pagetotal_res.status_code == 500:
204 |             logging.error(http_err)
205 |             logging.error(pagetotal_res.json())
206 |             pass
207 |         else:
208 |             logging.error(http_err)
209 |             pg_total = None
210 |             return pg_total
211 |     else:
212 |         pg_info = pagetotal_res.json()
213 |         pg_data = pg_info.get('pages')
214 |         logging.debug("pg_data info: {0}".format(pg_data))
215 |         if pg_data:
216 |             pg_total = pg_data.get('total')
217 |             logging.debug("page total data: {0}".format(pg_data))
218 |             return pg_total
219 |         else:
220 |             pg_total = None
221 |             return pg_total
222 | 


--------------------------------------------------------------------------------
/sophos_central_api_connector/sophos_central_api_intelix.py:
--------------------------------------------------------------------------------
  1 | import intelix
  2 | import logging
  3 | import configparser as cp
  4 | from urllib.parse import quote_plus
  5 | from datetime import datetime
  6 | from ipaddress import ip_address
  7 | from sophos_central_api_connector import sophos_central_api_output as api_output, sophos_central_api_connector_utils \
  8 |     as api_utils
  9 | from sophos_central_api_connector.config import sophos_central_api_config as api_conf
 10 | 
 11 | 
 12 | def local_site_check(intelix_client_id, intelix_client_secret, request_data, tenant_id):
 13 |     logging.info("Checking local-sites against SophosLabs Intelix API")
 14 |     # dedup the urls from the data so we dont get site data twice
 15 |     output_data = dedup_url(request_data)
 16 | 
 17 |     # initiate authentication with intelix api
 18 |     logging.info("Authenticating with Intelix API")
 19 |     intx = intelix.client(intelix_client_id, intelix_client_secret)
 20 | 
 21 |     # iterate through the dictionary of urls and output
 22 |     intelix_dict = dict()
 23 | 
 24 |     logging.info("Pass URL data to Intelix for evaluation")
 25 |     for url_id, url_value in output_data.items():
 26 |         # check if the url_value is an ip
 27 |         try:
 28 |             ip_address(url_value)
 29 |             ip_val = True
 30 |         except:
 31 |             ip_val = False
 32 | 
 33 |         logging.debug("ip_value: {0}, url: {1}".format(ip_val, url_value))
 34 |         if ip_val:
 35 |             # send to ip_lookup
 36 |             intx.ip_lookup(url_value)
 37 |             ip_cat = intx.category
 38 |             maxRisk = get_ip_category_risk(ip_cat)
 39 |             intx_data = {"lookup_type": "ip", "requestId": intx.requestId, "ipCategory": intx.category, "riskLevel":
 40 |                 maxRisk}
 41 |             intelix_dict[url_value] = intx_data
 42 |         elif not ip_val:
 43 |             # urlencode the url to lookup
 44 |             encoded_url_value = quote_plus(url_value)
 45 |             # send_url_lookup
 46 |             intx.url_lookup(encoded_url_value)
 47 |             intx_data = {"lookup_type": "url", "requestId": intx.requestId,
 48 |                          "productivityCategory": intx.productivityCategory,
 49 |                          "securityCategory": intx.securityCategory, "riskLevel": intx.riskLevel,
 50 |                          "prod_cat": intx.productivityCategory, "sec_cat": intx.securityCategory}
 51 |             intelix_dict[url_value] = intx_data
 52 |         else:
 53 |             pass
 54 | 
 55 |     # keep record of results from intelix lookups
 56 |     date = datetime.now().strftime('%Y%m%d_%H%M%S')
 57 |     intx_filename = "{0}_intelix_results.json".format(date)
 58 |     logging.info("Saving JSON of Intelix results")
 59 |     api_output.process_output_json(intelix_dict, filename=intx_filename, api="intelix")
 60 | 
 61 |     # compare against site list
 62 |     compared_dict = site_comparison(intelix_dict, request_data, tenant_id)
 63 |     return compared_dict
 64 | 
 65 | 
 66 | def get_ip_category_risk(ip_cat):
 67 |     # get config information
 68 |     intelix_conf_path = api_conf.intelix_conf_path
 69 |     intelix_final_path = api_utils.get_file_location(intelix_conf_path)
 70 |     intelix_conf = cp.ConfigParser(allow_no_value=True)
 71 |     intelix_conf.read(intelix_final_path)
 72 | 
 73 |     if type(ip_cat) == str:
 74 |         maxRisk = intelix_conf.get('ip_lookup_risk', ip_cat)
 75 |     elif type(ip_cat) == list:
 76 |         ip_risk_dict = dict()
 77 |         for item in ip_cat:
 78 |             riskLevel = intelix_conf.get('ip_lookup_risk', item)
 79 |             ip_risk_dict[item] = riskLevel
 80 |         maxRisk = max(ip_risk_dict.values())
 81 | 
 82 |     # determine the risk as a string
 83 |     if maxRisk == "0":
 84 |         maxRisk = "UNCLASSIFIED"
 85 |     elif maxRisk == "1":
 86 |         maxRisk = "TRUSTED"
 87 |     elif maxRisk == "2":
 88 |         maxRisk = "LOW"
 89 |     elif maxRisk == "3":
 90 |         maxRisk = "MEDIUM"
 91 |     elif maxRisk == "4":
 92 |         maxRisk = "HIGH"
 93 | 
 94 |     return maxRisk
 95 | 
 96 | 
 97 | def dedup_url(request_data):
 98 |     logging.info("Deduplicating URLs from tenants")
 99 |     output_data = dict()
100 |     for key, value in request_data.items():
101 |         if value['url'] not in output_data.values():
102 |             output_data[key] = value['url']
103 | 
104 |     return output_data
105 | 
106 | 
107 | def site_comparison(intelix_dict, site_dict, tenant_id):
108 |     # add details to the site dictionary from intelix output
109 |     logging.info("Combine Intelix and Local-Sites information")
110 |     combined_dict = dict()
111 |     for site_key, site_val in site_dict.items():
112 |         for intx_key, intx_val in intelix_dict.items():
113 |             if site_val['url'] == intx_key:
114 |                 if intx_val['lookup_type'] == 'url':
115 |                     intx_data = {"local-site": site_val}, {"intelix": {"intelixCategory": intx_val.setdefault(
116 |                         'productivityCategory', 'null'), "intelixRisk": intx_val.setdefault('riskLevel', 'null'),
117 |                         "intelixSecurity": intx_val.setdefault('securityCategory', 'null')}}
118 |                     combined_dict[site_key] = intx_data
119 |                 elif intx_val['lookup_type'] == 'ip':
120 |                     intx_data = {"local-site": site_val}, {"intelix": {"intelixCategory": intx_val.setdefault(
121 |                         'ipCategory', 'null'), "intelixRisk": intx_val.setdefault('riskLevel', 'null')}}
122 |                     combined_dict[site_key] = intx_data
123 |                 else:
124 |                     pass
125 |             else:
126 |                 pass
127 | 
128 |     date = datetime.now().strftime('%Y%m%d_%H%M%S')
129 |     filename = "{0}_results_combined.json".format(date)
130 |     logging.info("Saving JSON of Intelix and local-site results combined")
131 |     api_output.process_output_json(combined_dict, filename=filename, api="intelix")
132 |     return combined_dict
133 | 
134 | 
135 | def intelix_report_info(intelix_results, intelix, intx_clean_level, intx_dry_run):
136 |     # set main values
137 |     report_dict = dict()
138 |     high_risk = 0
139 |     medium_risk = 0
140 |     low_risk = 0
141 |     trusted_risk = 0
142 |     unclass_risk = 0
143 |     total_risk = 0
144 |     null_risk = 0
145 | 
146 |     for site_val in intelix_results.values():
147 |         if intelix == "report":
148 |             intx_data = site_val[1]['intelix']
149 |             ls_data = site_val[0]['local-site']
150 |             risk = intx_data.get('intelixRisk')
151 |             tenant_id = ls_data.get('tenantId')
152 |         elif intx_dry_run:
153 |             risk = site_val.get('intelixRisk')
154 |             tenant_id = site_val.get('tenantId')
155 | 
156 |         if risk == "HIGH":
157 |             total_risk += 1
158 |             high_risk += 1
159 |         elif risk == "MEDIUM":
160 |             total_risk += 1
161 |             medium_risk += 1
162 |         elif risk == "LOW":
163 |             total_risk += 1
164 |             low_risk += 1
165 |         elif risk == "TRUSTED":
166 |             total_risk += 1
167 |             trusted_risk += 1
168 |         elif risk == "UNCLASSIFIED":
169 |             total_risk += 1
170 |             unclass_risk += 1
171 |         elif risk is None:
172 |             total_risk += 1
173 |             null_risk += 1
174 |         else:
175 |             total_risk += 1
176 |             null_risk += 1
177 |         report_data = {"Totals": {"High Risk": high_risk, "Medium Risk": medium_risk,
178 |                                   "Low Risk": low_risk, "Trusted": trusted_risk,
179 |                                   "Unclassified": unclass_risk, "NULL": null_risk,
180 |                                   "Total": total_risk}}
181 | 
182 |     if intelix == "report":
183 |         logging.info("Generating report for Intelix results")
184 |         intx_filename = "{0}_intelix_report.json".format(tenant_id)
185 |         report_dict.update(report_data)
186 |         api_output.process_output_json(report_dict, filename=intx_filename, api="intelix")
187 |         return report_dict
188 |     elif intx_dry_run:
189 |         date = datetime.now().strftime('%Y%m%d_%H%M%S')
190 |         intx_filename = "{0}_{1}_{2}_dry_run_report.json".format(tenant_id, date, intx_clean_level)
191 |         dryrun_dict = {**intelix_results, **report_data}
192 |         api_output.process_output_json(dryrun_dict, filename=intx_filename, api="intelix")
193 |         return dryrun_dict
194 |     else:
195 |         pass
196 | 
197 | 
198 | def intelix_del_info(deletion_data, tenant_url_data):
199 |     logging.info("Generate outcome of local site deletion")
200 |     del_report = dict()
201 |     deleted = 0
202 |     failed = 0
203 |     unknown = 0
204 |     for ten_id, ten_item in tenant_url_data.items():
205 |         tenant_id = ten_id
206 |         for site_id, site_value in deletion_data.items():
207 |             tenant_ref = site_value['tenantId']
208 |             if tenant_ref == tenant_id:
209 |                 del_status = site_value['delStatus']
210 |                 if del_status == "True":
211 |                     deleted += 1
212 |                 elif del_status == "False":
213 |                     failed += 1
214 |                 else:
215 |                     unknown += 1
216 |         del_report[tenant_id] = {"Deleted": deleted, "Failed": failed, "Unknown": unknown}
217 | 
218 |     date = datetime.now().strftime('%Y%m%d_%H%M%S')
219 |     del_filename = "{0}_deletion_details.json".format(date)
220 |     del_report_filename = "{0}_deletion_report.json".format(date)
221 |     api_output.process_output_json(deletion_data, filename=del_filename, api="intelix_del")
222 |     api_output.process_output_json(del_report, filename=del_report_filename, api="intelix_del")
223 | 
224 | 
225 | def test(intelix_client_id, intelix_client_secret, test_url):
226 |     intx = intelix.client(intelix_client_id, intelix_client_secret)
227 | 
228 |     # check if the url_value is an ip
229 |     try:
230 |         ip_address(test_url)
231 |         ip_val = True
232 |     except:
233 |         ip_val = False
234 | 
235 |     if ip_val:
236 |         # send to ip_lookup
237 |         intx.ip_lookup(test_url)
238 |         intx_data = {"requestId": intx.requestId, "ipCategory": intx.category}
239 |     elif not ip_val:
240 |         # send_url_lookup
241 |         intx.url_lookup(test_url)
242 |         intx_data = {"requestId": intx.requestId, "productivityCategory": intx.productivityCategory,
243 |                      "securityCategory": intx.securityCategory, "riskLevel": intx.riskLevel}
244 | 
245 |     logging.info(intx_data)
246 | 
247 | 
248 | def prepare_del_dict(intx_clean_level, combined_results):
249 |     # go through the combined list and extract the entries which match clean-level
250 |     del_dict = dict()
251 |     logging.info("Prepare the dictionary for local-site clean up")
252 |     logging.info("Option to delete '{0}' has been passed".format(intx_clean_level))
253 |     for site_key, site_val in combined_results.items():
254 |         intx_data = site_val[1]
255 |         ls_data = site_val[0]
256 |         risk = intx_data['intelix']['intelixRisk']
257 |         url = ls_data['local-site']['url']
258 |         tenant_id = ls_data['local-site']['tenantId']
259 |         if intx_clean_level == "ALL":
260 |             # gather all of the valid entries bar unclassified and null. These should remain
261 |             if risk == "HIGH" or risk == "MEDIUM" or risk == "LOW" or risk == "TRUSTED":
262 |                 del_dict[site_key] = {"tenantId": tenant_id, "intelixRisk": risk, "url": url}
263 |             else:
264 |                 pass
265 |         elif intx_clean_level == "HIGH":
266 |             if risk == "HIGH":
267 |                 del_dict[site_key] = {"tenantId": tenant_id, "intelixRisk": risk, "url": url}
268 |             else:
269 |                 pass
270 |         elif intx_clean_level == "HIGH_MEDIUM":
271 |             if risk == "HIGH" or risk == "MEDIUM":
272 |                 del_dict[site_key] = {"tenantId": tenant_id, "intelixRisk": risk, "url": url}
273 |             else:
274 |                 pass
275 |         elif intx_clean_level == "MEDIUM":
276 |             if risk == "MEDIUM":
277 |                 del_dict[site_key] = {"tenantId": tenant_id, "intelixRisk": risk, "url": url}
278 |             else:
279 |                 pass
280 |         elif intx_clean_level == "LOW":
281 |             if risk == "LOW":
282 |                 del_dict[site_key] = {"tenantId": tenant_id, "intelixRisk": risk, "url": url}
283 |             else:
284 |                 pass
285 |         else:
286 |             pass
287 | 
288 |     return del_dict
289 | 


--------------------------------------------------------------------------------
/sophos_central_api_connector/sophos_central_api_live_discover.py:
--------------------------------------------------------------------------------
  1 | import logging
  2 | import json
  3 | import requests
  4 | from datetime import datetime, timedelta
  5 | from urllib3.util.retry import Retry
  6 | from time import sleep
  7 | from sophos_central_api_connector import sophos_central_api_get_data as get_api
  8 | 
  9 | page_size = "250"
 10 | 
 11 | 
 12 | def live_discover(tenant_data, input_type, input_value, search_filter, variables, api):
 13 |     def gather_ld():
 14 |         # build the payload to post
 15 |         logging.info("Building payload information for saved search")
 16 |         payload_dict = build_json_payload(input_type, input_value, query_det, search_filter, variables, api)
 17 | 
 18 |         # post run
 19 |         logging.info("Start posting saved queries")
 20 |         post_dict = post_ld_run(tenant_data, payload_dict)
 21 |         logging.debug("post dict: {0}".format(post_dict))
 22 | 
 23 |         # run checker
 24 |         logging.info("Start checking query status")
 25 |         run_info = multi_query_run_checker(tenant_data, post_dict, api)
 26 |         logging.debug("Run info: {0}".format(run_info))
 27 | 
 28 |         # get endpoint data
 29 |         if api == "live-discover":
 30 |             logging.info("Gather endpoint information")
 31 |             ep_info = get_ld_endpoints(tenant_data, run_info, api)
 32 |             logging.debug("Endpoint information: {0}".format(ep_info))
 33 |         elif api == "xdr-datalake":
 34 |             ep_info = None
 35 | 
 36 |         # get run results
 37 |         logging.info("Gather results based on run ids")
 38 |         size = 1000
 39 |         result_dict = get_run_results(tenant_data, run_info, size, api)
 40 |         logging.debug("Result data: {0}".format(result_dict))
 41 | 
 42 |         return run_info, ep_info, result_dict
 43 | 
 44 |     if input_type == "saved":
 45 |         # Get saved query details
 46 |         logging.info("Getting saved search details")
 47 |         query_det = get_queries(tenant_data, True, input_value, api)
 48 |         if not variables:
 49 |             for s_id, val in query_det.items():
 50 |                 for t_id, s_val in val.items():
 51 |                     if s_val['template_variables']:
 52 |                         variables = s_val['template_variables']
 53 |                     else:
 54 |                         pass
 55 |         else:
 56 |             pass
 57 | 
 58 |         ld_data, ep_data, result_data = gather_ld()
 59 |         return ld_data, ep_data, result_data
 60 | 
 61 |     elif input_type == "adhoc":
 62 |         logging.info("Coming soon")
 63 |         # todo: check the size of the adhoc query
 64 |         exit(1)
 65 |     elif input_type == "list":
 66 |         query_list = get_queries(tenant_data, False, None, api)
 67 |         return query_list
 68 | 
 69 | 
 70 | def get_queries(tenant_url_data, query_find, query_det, api):
 71 |     def find_query(query_dict, query_info, tenant, fdict):
 72 |         logging.info("Looking for saved query in dictionary")
 73 | 
 74 |         for num, item in query_dict.items():
 75 |             if item.get('name') == query_info:
 76 |                 q_id = item['id']
 77 |                 logging.info("Found saved query: '{0}' for tenant: {1}".format(query_det, tenant))
 78 |                 logging.info("Search ID: {0}".format(q_id))
 79 |                 if item['variables']:
 80 |                     if fdict.get(tenant):
 81 |                         fdict.update({
 82 |                             tenant: {
 83 |                                 q_id: {
 84 |                                     "name": item['name'],
 85 |                                     "description": item['description'],
 86 |                                     "template_variables": item['variables']
 87 |                                 }
 88 |                             }
 89 |                         })
 90 |                     else:
 91 |                         fdict[tenant] = {
 92 |                             q_id: {
 93 |                                 "name": item['name'],
 94 |                                 "description": item['description'],
 95 |                                 "template_variables": item['variables']
 96 |                             }
 97 |                         }
 98 |                 else:
 99 |                     if fdict.get(tenant):
100 |                         fdict[tenant] = {
101 |                             q_id: {
102 |                                 "name": item['name'],
103 |                                 "description": item['description'],
104 |                                 "template_variables": None
105 |                             }
106 |                         }
107 |                     else:
108 |                         fdict.update({
109 |                             tenant: {
110 |                                 q_id: {
111 |                                     "name": item['name'],
112 |                                     "description": item['description'],
113 |                                     "template_variables": None
114 |                                 }
115 |                             }
116 |                         })
117 |                 logging.debug("Query details: {0}".format(fdict))
118 |             else:
119 |                 pass
120 | 
121 |         return fdict
122 | 
123 |     def list_queries(query_list, tenant, qdict):
124 |         for key, val in query_list.items():
125 |             q_id = val.get('id')
126 |             q_name = val.get('name')
127 |             q_desc = val.get('description')
128 |             q_var = val.get('variables')
129 |             qdict[q_id] = {"name": q_name, "description": q_desc, "variables": q_var, "tenant_id": tenant}
130 | 
131 |         return qdict
132 | 
133 |     # Gather the queries for the tenants
134 |     new_dict = dict()
135 |     logging.info("Attempting to get queries")
136 | 
137 |     for ten_id, ten_item in tenant_url_data.items():
138 |         # Pass the ten_url_data and gather the queries
139 |         tenant_id = ten_id
140 |         # get data information for the tenant in the loop
141 |         json_data = get_api.get_data(tenant_url_data, page_size, tenant_id, api)
142 |         # Check if query name passed is valid and present
143 |         if query_find:
144 |             new_dict = find_query(json_data, query_det, tenant_id, new_dict)
145 |         else:
146 |             # Print list of available queries
147 |             new_dict = list_queries(json_data, tenant_id, new_dict)
148 | 
149 |     return new_dict
150 | 
151 | 
152 | def build_json_payload(input_type, input_value, query_data, filters, variables, api):
153 |     # Open find query json if available
154 |     rebuild_dict = dict()
155 | 
156 |     for k, v in query_data.items():
157 |         for s_id, s_det in v.items():
158 |             q_name = s_det['name']
159 |             q_desc = s_det['description']
160 |             if variables:
161 |                 try:
162 |                     if input_type == "saved" and api == "live-discover":
163 |                         con_json = {
164 |                             "matchEndpoints": {
165 |                                 "filters": [filters]
166 |                             },
167 |                             "savedQuery": {
168 |                                 "queryId": s_id
169 |                             },
170 |                             "variables": variables
171 |                         }
172 |                     elif input_type == "saved" and api == "xdr-datalake":
173 |                         con_json = {
174 |                             "savedQuery": {
175 |                                 "queryId": s_id
176 |                             },
177 |                             "variables": variables
178 |                         }
179 |                     elif input_type == "adhoc":
180 |                         con_json = {
181 |                             "matchEndpoints": {
182 |                                 "filters": [
183 |                                     filters
184 |                                 ]
185 |                             },
186 |                             "adHocQuery": {
187 |                                 "template": input_value
188 |                             },
189 |                             "variables": variables
190 |                         }
191 |                     else:
192 |                         logging.critical("Input type is not valid, please review variables passed")
193 |                         exit(1)
194 | 
195 |                     json.dumps(con_json)
196 |                 except ValueError as err:
197 |                     logging.error("JSON has failed validation test")
198 |                     logging.error(con_json)
199 |                     raise err
200 |                 else:
201 |                     logging.info("JSON has been validated successfully")
202 |                     logging.debug("JSON Passed: {0}".format(con_json))
203 |                     logging.info("Adding payload to query dict")
204 |                     rebuild_dict[k] = {
205 |                         s_id: {
206 |                             "name": q_name,
207 |                             "description": q_desc,
208 |                             "payload": con_json
209 |                         }
210 |                     }
211 |             elif not variables:
212 |                 try:
213 |                     if input_type == "saved" and api == "live-discover":
214 |                         con_json = {
215 |                             "matchEndpoints": {
216 |                                 "filters": [filters]},
217 |                             "savedQuery": {
218 |                                 "queryId": s_id
219 |                             }
220 |                         }
221 |                     elif input_type == "saved" and api == "xdr-datalake":
222 |                         con_json = {
223 |                             "savedQuery": {
224 |                                 "queryId": s_id
225 |                             }
226 |                         }
227 |                     elif input_type == "adhoc":
228 |                         con_json = {
229 |                             "matchEndpoints": {
230 |                                 "filters": [filters]
231 |                             },
232 |                             "adHocQuery": {
233 |                                 "template": input_value
234 |                             }
235 |                         }
236 |                     else:
237 |                         logging.critical("Input type is not valid, please review variables passed")
238 |                         exit(1)
239 | 
240 |                     json.dumps(con_json)
241 |                 except ValueError as err:
242 |                     logging.error("JSON has failed validation test")
243 |                     logging.error(con_json)
244 |                     raise err
245 |                 else:
246 |                     logging.info("JSON has been validated successfully")
247 |                     logging.info("Adding payload to query dict")
248 |                     rebuild_dict[k] = {
249 |                         s_id: {
250 |                             "name": q_name,
251 |                             "description": q_desc,
252 |                             "payload": con_json
253 |                         }
254 |                     }
255 |             else:
256 |                 pass
257 | 
258 |     return rebuild_dict
259 | 
260 | 
261 | def post_ld_run(tenant_url_data, ld_dict):
262 |     def post_query(query_data, url, headers):
263 |         q_payload = query_data['payload']
264 |         try:
265 |             logging.info("Posting query")
266 |             post_res = requests.post(url, headers=headers, json=q_payload)
267 |             post_res.raise_for_status()
268 |         except requests.exceptions.HTTPError:
269 |             if post_res.status_code == 404:
270 |                 logging.error("Item not found. Please verify filter for this query id")
271 |                 p_data = post_res.json()
272 |                 logging.debug(json.dumps(p_data, indent=2))
273 |                 return p_data
274 |             elif post_res.status_code == 400:
275 |                 logging.error(post_res.text)
276 |                 p_data = post_res.json()
277 |                 logging.debug(json.dumps(p_data, indent=2))
278 |                 return p_data
279 |                 # raise http_err
280 |             else:
281 |                 logging.error("Error whilst posting search query, response: {0}".format(post_res.status_code))
282 |                 p_data = post_res.json()
283 |                 logging.debug(json.dumps(p_data, indent=2))
284 |                 return p_data
285 |                 # raise http_err
286 |         else:
287 |             logging.info("Post successful, making note of post id")
288 |             p_data = post_res.json()
289 |             logging.debug(json.dumps(p_data, indent=2))
290 |             return p_data
291 | 
292 |     # Prep for posting queries to live discover
293 |     post_url = "/runs"
294 |     pq_dict = dict()
295 | 
296 |     for key, value in tenant_url_data.items():
297 |         pq_url = "{0}{1}".format(value['orig_url'], post_url)
298 |         tenant = key
299 |         p_headers = value['headers']
300 |         p_headers['Content-Type'] = "application/json"
301 |         for k, v in ld_dict.items():
302 |             for q_key, q_val in v.items():
303 |                 if tenant == k:
304 |                     ten_id = k
305 |                     logging.info("Search found for tenant: {0}, search name: {1}".format(ten_id, q_val['name']))
306 |                     logging.info("Search ID: {0}".format(q_key))
307 |                     post_data = post_query(q_val, pq_url, p_headers)
308 |                     if post_data.get('id'):
309 |                         pq_id = post_data['id']
310 |                         pq_created = post_data['createdAt']
311 |                         pq_status = post_data['status']
312 |                         ep_count = post_data.get('endpointCounts', {}).get('total')
313 |                         pq_dict[k] = {
314 |                             q_key: {
315 |                                 "name": q_val['name'],
316 |                                 "description": q_val['description'],
317 |                                 "payload": q_val['payload'],
318 |                                 "post_data": {
319 |                                     "pq_id": pq_id,
320 |                                     "createdAt": pq_created,
321 |                                     "status": pq_status,
322 |                                     "ep_count": ep_count
323 |                                 }
324 |                             }
325 |                         }
326 |                     elif post_data.get('error'):
327 |                         pq_err = post_data['error']
328 |                         pq_errmsg = post_data.get('message', None)
329 |                         r_id = post_data['requestId']
330 |                         pq_dict[k] = {
331 |                             q_key: {
332 |                                 "name": q_val['name'],
333 |                                 "description": q_val['description'],
334 |                                 "payload": q_val['payload'],
335 |                                 "post_data": {
336 |                                     "r_id": r_id,
337 |                                     "error": pq_err,
338 |                                     "error_message": pq_errmsg
339 |                                 }
340 |                             }
341 |                         }
342 |                 else:
343 |                     logging.debug("No searches found in list for tenant: {0}".format(tenant))
344 | 
345 |     return pq_dict
346 | 
347 | 
348 | def multi_query_run_checker(tenant_url_data, ld_dict, api):
349 |     def loop_check():
350 |         logging.debug("loop check")
351 |         run_check = True
352 |         for t_key, pval in ld_dict.items():
353 |             for sid, val in pval.items():
354 |                 if val.get('post_data').get('pq_id'):
355 |                     new_status = val.get('post_data').get('status')
356 |                     t_remaining = val.get('post_data').get('time_remaining')
357 |                     if new_status != "finished":
358 |                         if t_remaining <= 0:
359 |                             logging.error("Max query duration reached. Query '{0}' will be terminated".format(sid))
360 |                             val['post_data']['terminated'] = True
361 |                             pass
362 |                         else:
363 |                             val['post_data']['terminated'] = False
364 |                             logging.info("Time remaining before query, {0}: {1}, is automatically terminated: {2} "
365 |                                          "seconds".format(val['name'], sid, t_remaining))
366 |                             run_check = False
367 | 
368 |         return run_check
369 | 
370 |     # Check the run status of the queries being run
371 |     q_fin = False
372 |     logging.info("Checking status of run(s). Check every 10s until all have finished")
373 |     while not q_fin:
374 |         # For loop to go through dict and check all run ids
375 |         for ten_key, vals in ld_dict.items():
376 |             for s_id, s_vals in vals.items():
377 |                 if s_vals.get('post_data').get('pq_id'):
378 |                     run_id = s_vals['post_data']['pq_id']
379 |                     run_status = get_ld_run_status(tenant_url_data, ten_key, run_id)
380 |                     if run_status:
381 |                         status = run_status.get('status')
382 |                         logging.debug("run status: {0}".format(status))
383 |                         s_vals['post_data']['status'] = status
384 |                         if api == "live-discover":
385 |                             s_vals['post_data']['time_remaining'] = run_status['timeRemainingInSeconds']
386 |                         elif api == "xdr-datalake":
387 |                             # XDR searches timeout after 15mins
388 |                             created_time = run_status['createdAt']
389 |                             dt_created_round = created_time[:-5]
390 |                             # convert to datetime
391 |                             dt_created = datetime.strptime(dt_created_round, '%Y-%m-%dT%H:%M:%S')
392 |                             # convert the createdAt time to epoch
393 |                             xdr_ctime_epoch = datetime.timestamp(dt_created)
394 |                             # get the time now in epoch
395 |                             now = datetime.utcnow().replace(microsecond=0).timestamp()
396 |                             calc_time_diff = int(now - xdr_ctime_epoch)
397 |                             calc_time_remaining = 900 - calc_time_diff
398 |                             s_vals['post_data']['time_remaining'] = calc_time_remaining
399 |                         s_vals['post_data']['finishedAt'] = run_status.get('finishedAt', None)
400 |                         s_vals['post_data']['statuses'] = run_status.get('endpointCounts', {}).get('statuses')
401 |                         s_vals['post_data']['result'] = run_status.get('result')
402 |                     else:
403 |                         logging.info("No run status information for search id: {0}".format(run_id))
404 | 
405 |         q_fin = loop_check()
406 |         if not q_fin:
407 |             logging.debug("Sleep for 10s")
408 |             sleep(10)
409 |     else:
410 |         logging.info("All query runs have finished")
411 |         return ld_dict
412 | 
413 | 
414 | def get_ld_run_status(tenant_url_data, tenant, run_id):
415 |     url_ext = "/runs/{0}".format(run_id)
416 | 
417 |     for key, value in tenant_url_data.items():
418 |         if key == tenant:
419 |             url = "{0}{1}".format(value['orig_url'], url_ext)
420 |             headers = value['headers']
421 |             headers['Content-Type'] = "application/json"
422 |             logging.info("Check run id: {0}".format(run_id))
423 |             run_status = get_api.get_page(url, headers)
424 |         else:
425 |             pass
426 | 
427 |     return run_status
428 | 
429 | 
430 | def get_ld_endpoints(tenant_url_data, run_data, api):
431 |     def get_runid_eps():
432 |         for key, value in tenant_url_data.items():
433 |             if key == tenant:
434 |                 url = "{0}{1}".format(value['orig_url'], url_ext)
435 |                 pagetotal_url = "{0}?pageSize={1}&pageTotal=true".format(url, page_size)
436 |                 headers = value['headers']
437 |                 headers['Content-Type'] = "application/json"
438 |                 ten_data = dict()
439 |                 ten_data[key] = {'filename': value['filename'], 'url': value['url'], 'orig_url': url,
440 |                                  'pageurl': pagetotal_url, 'name': value['name'], 'headers': headers}
441 |                 # Get the page totals
442 |                 logging.debug("get_runid_eps loop ten info orig_url: {0}".format(ten_data[key]['orig_url']))
443 |                 page_data = get_api.get_data(ten_data, page_size, tenant, api)
444 |                 logging.debug("get_runid_eps loop, page data: {0}".format(page_data))
445 |                 return page_data
446 | 
447 |     ld_ep_dict = dict()
448 | 
449 |     for t_key, v in run_data.items():
450 |         for s_id, r_value in v.items():
451 |             if r_value.get('post_data').get('pq_id'):
452 |                 run_id = r_value['post_data']['pq_id']
453 |                 tenant = t_key
454 |                 url_ext = "/runs/{0}/endpoints".format(run_id)
455 |                 pg_info = get_runid_eps()
456 |                 ld_ep_dict[run_id] = pg_info
457 | 
458 |     return ld_ep_dict
459 | 
460 | 
461 | def get_run_results(tenant_url_data, run_data, size, api):
462 |     def get_results():
463 |         for key, value in tenant_url_data.items():
464 |             if key == tenant:
465 |                 url = "{0}{1}".format(value['orig_url'], url_ext)
466 |                 pagetotal_url = "{0}?pageSize={1}&pageTotal=true".format(url, size)
467 |                 headers = value['headers']
468 |                 headers['Content-Type'] = "application/json"
469 |                 ten_data = dict()
470 |                 ten_data[key] = {'filename': value['filename'], 'url': value['url'], 'orig_url': url,
471 |                                  'pageurl': pagetotal_url, 'name': value['name'], 'headers': headers}
472 |                 # Get the page totals
473 |                 logging.info("Gather page data for results")
474 |                 page_data = get_api.get_data(ten_data, size, tenant, api)
475 |                 return page_data
476 | 
477 |     q_res_dict = dict()
478 | 
479 |     # For loop to go through the dict and check all run ids
480 |     for ten_key, val in run_data.items():
481 |         for s_id, s_vals in val.items():
482 |             if s_vals.get('post_data', {}).get('pq_id'):
483 |                 run_id = s_vals['post_data']['pq_id']
484 |                 url_ext = "/runs/{0}/results".format(run_id)
485 |                 if api == "live-discover":
486 |                     success_withdata = s_vals['post_data']['statuses']['finished']['succeeded']['withData']
487 |                     failed_withdata = s_vals['post_data']['statuses']['finished']['failed']['withData']
488 |                     timedout_withdata = s_vals['post_data']['statuses']['finished']['timedOut']['withData']
489 |                     if success_withdata > 0:
490 |                         withdata = True
491 |                     elif failed_withdata > 0:
492 |                         withdata = True
493 |                     elif timedout_withdata > 0:
494 |                         withdata = True
495 |                     else:
496 |                         withdata = False
497 |                 elif api == "xdr-datalake":
498 |                     withdata = True
499 |                 # status = s_vals.get('post_data', {}).get('status')
500 |                 # result = s_vals.get('post_data', {}).get('result')
501 |                 terminated = s_vals.get('post_data').get('terminated')
502 |                 logging.info("Checking whether any endpoints completed with data")
503 |                 if withdata:
504 |                     logging.info("Some endpoints have returned data")
505 |                     if api == "live-discover":
506 |                         logging.info("Waiting 2 minutes to start gathering results")
507 |                         sleep(120)
508 |                     else:
509 |                         pass
510 |                     tenant = ten_key
511 |                     res_data = get_results()
512 |                     if q_res_dict.get(run_id):
513 |                         logging.info("Results gathered")
514 |                         q_res_dict.update({run_id: {res_data}})
515 |                     else:
516 |                         logging.info("Results gathered")
517 |                         q_res_dict[run_id] = res_data
518 |                 elif not withdata and terminated:
519 |                     logging.info("This query was terminated, with no results. Skipping")
520 |                 else:
521 |                     logging.info("No results have been returned for this run id: '{0}'".format(run_id))
522 |                     if q_res_dict.get(run_id):
523 |                         q_res_dict.update({run_id: {"tenant": ten_key, "results": "No EPs completed with data"}})
524 |                     else:
525 |                         q_res_dict[run_id] = {"tenant": ten_key, "results": "No EPs completed with data"}
526 |             else:
527 |                 logging.info("No results have been returned")
528 |                 r_id = s_vals.get('post_data', {}).get('r_id')
529 |                 if q_res_dict.get(run_id):
530 |                     q_res_dict.update({r_id: {"tenant": ten_key, "results": "No EPs completed with data"}})
531 |                 else:
532 |                     q_res_dict[r_id] = {"tenant": ten_key, "results": "No EPs completed with data"}
533 | 
534 |     return q_res_dict
535 | 
536 | 
537 | def build_run_report():
538 |     logging.info("Coming soon")
539 |     exit(1)
540 |     # todo: Based on the results build a report
541 | 
542 | 
543 | def get_misp_attributes(misp_url, search_type, search_val, misp_tok, wildcard):
544 |     logging.debug("MISP Search Type: {0}".format(search_type))
545 |     # create body to search for the attributes
546 |     if search_type == "eventid":
547 |         http_body = {"returnFormat": "json", "eventid": "{0}".format(search_val), "type": {"OR": ["ip-src", "ip-dst",
548 |                                                                                                   "md5", "sha256",
549 |                                                                                                   "filename", "domain",
550 |                                                                                                   "uri", "hostname"]}}
551 |     elif search_type == "tag":
552 |         http_body = {"returnFormat": "json", "tags": "{0}".format(search_val), "type": {"OR": ["ip-src", "ip-dst",
553 |                                                                                                "md5", "sha256",
554 |                                                                                                "filename", "domain",
555 |                                                                                                "uri", "hostname"]}}
556 |     else:
557 |         logging.error("Search type not yet set. Update function: 'get_misp_attributes' with new type")
558 |         return None
559 | 
560 |     logging.debug("HTTP Body: {0}".format(http_body))
561 | 
562 |     misp_headers = dict()
563 |     misp_headers["Authorization"] = "{0}".format(misp_tok)
564 |     misp_headers["Accept"] = "application/json"
565 |     misp_headers["Content-Type"] = "application/json"
566 | 
567 |     res_sess = requests.session()
568 |     retries = Retry(total=10, backoff_factor=0.1, status_forcelist=[500, 502, 503, 504, 429])
569 |     res_sess.mount('https://', requests.adapters.HTTPAdapter(max_retries=retries))
570 | 
571 |     try:
572 |         logging.info("Posting request to gather MISP Attributes")
573 |         misp_res = res_sess.post(misp_url, headers=misp_headers, json=http_body)
574 |         misp_res.raise_for_status()
575 |     except requests.exceptions.HTTPError as http_err:
576 |         logging.critical(http_err)
577 |         exit(1)
578 |     finally:
579 |         attr_list = list()
580 |         attr_dict = dict()
581 |         json_res = misp_res.json()
582 |         json_resp = json_res['response']
583 |         json_att = json_resp['Attribute']
584 |         logging.debug("Attribute data:")
585 |         logging.debug("")
586 |         logging.debug(json_att)
587 |         for item in json_att:
588 |             if item['type'] == "ip-src" or item['type'] == "ip-dst":
589 |                 ind_type = "ip"
590 |             elif item['type'] == "uri":
591 |                 ind_type = "url"
592 |             elif item['type'] == "hostname":
593 |                 ind_type = "domain"
594 |             else:
595 |                 ind_type = item['type']
596 |             if wildcard:
597 |                 attr_list.append(
598 |                     {"indicator_type": ind_type, "misp_type": item['type'], "data": "%{0}%".format(item['value'])})
599 |             else:
600 |                 attr_list.append(
601 |                     {"indicator_type": ind_type, "misp_type": item['type'], "data": "{0}".format(item['value'])})
602 | 
603 |         logging.debug("Length of attribute list: {0}".format(len(attr_list)))
604 |         if len(attr_list) > 0:
605 |             attr_dict['ioc_data'] = attr_list
606 |             attrib = json.dumps(attr_dict)
607 |         else:
608 |             logging.critical("No MISP attributes have been returned")
609 |             logging.critical("Exiting script")
610 |             exit(1)
611 | 
612 |         res_sess.close()
613 | 
614 |         logging.debug("MISP attributes being returned:")
615 |         logging.debug(attrib)
616 | 
617 |         return attrib
618 | 


--------------------------------------------------------------------------------
/sophos_central_api_connector/sophos_central_api_output.py:
--------------------------------------------------------------------------------
  1 | import json
  2 | import logging
  3 | import os
  4 | import configparser as cp
  5 | from sophos_central_api_connector.config import sophos_central_api_config as api_conf
  6 | from sophos_central_api_connector import sophos_central_api_connector_utils as api_utils
  7 | 
  8 | 
  9 | def process_output(output, json_items, tenant_url_data, tenant_id, api, sourcetype_value):
 10 |     # verifies which output argument has been passed and directs it to the correct function for processing
 11 |     logging.info("Verifying output parameter passed")
 12 |     logging.debug(output)
 13 |     if output == "stdout":
 14 |         # the results will be sent to stdout to print out the results to the terminal
 15 |         process_output_stdout(json_items)
 16 |         # we return no events as no further action is required
 17 |         events = None
 18 |         return events
 19 |     elif output == "json":
 20 |         # json has been specified to output to file
 21 |         # the filename is constructed from the tenant name and id so the files are unique
 22 |         filename = tenant_url_data[tenant_id]['filename']
 23 |         process_output_json(json_items, filename, api)
 24 |         # we return no events as no further action is required
 25 |         events = None
 26 |         return events
 27 |     elif output == "splunk" or output == "splunk_trans":
 28 |         # the events need to be processed for sending the events to splunk
 29 |         events = process_output_splunk(json_items, output, sourcetype_value)
 30 |         # events are returned after processing
 31 |         return events
 32 |     elif None:
 33 |         pass
 34 | 
 35 | 
 36 | def process_output_json(json_items, filename, api):
 37 |     if api == "endpoint":
 38 |         logging.debug("JSON file output, appending inventory data")
 39 |         # a new folder is created to store the files
 40 |         inv_path = api_conf.output_inv_path
 41 |         final_inv_path = api_utils.get_file_location(inv_path)
 42 |         if not os.path.exists(final_inv_path):
 43 |             os.makedirs(final_inv_path)
 44 |         with open(os.path.join(final_inv_path, filename), "w", encoding='utf-8') as ep_file:
 45 |             json.dump(json_items, ep_file, ensure_ascii=False, indent=2)
 46 |     elif api == "common":
 47 |         al_path = api_conf.output_al_path
 48 |         final_al_path = api_utils.get_file_location(al_path)
 49 |         logging.debug("JSON file output, appending alerts data")
 50 |         # a new folder is created to store the files
 51 |         if not os.path.exists(final_al_path):
 52 |             os.makedirs(final_al_path)
 53 |         with open(os.path.join(final_al_path, filename), "w", encoding='utf-8') as ep_file:
 54 |             json.dump(json_items, ep_file, ensure_ascii=False, indent=2)
 55 |     elif api == "local-sites":
 56 |         ls_path = api_conf.output_ls_path
 57 |         final_ls_path = api_utils.get_file_location(ls_path)
 58 |         logging.debug("JSON file output, appending local-sites data")
 59 |         # a new folder is created to store the files
 60 |         if not os.path.exists(final_ls_path):
 61 |             os.makedirs(final_ls_path)
 62 |         with open(os.path.join(final_ls_path, filename), "w", encoding='utf-8') as ls_file:
 63 |             json.dump(json_items, ls_file, ensure_ascii=False, indent=2)
 64 |     elif api == "intelix":
 65 |         intx_path = api_conf.output_intx_path
 66 |         final_intx_path = api_utils.get_file_location(intx_path)
 67 |         logging.debug("JSON file output, intelix local site check")
 68 |         # a new folder is created to store the files
 69 |         if not os.path.exists(final_intx_path):
 70 |             os.makedirs(final_intx_path)
 71 |         with open(os.path.join(final_intx_path, filename), "w", encoding='utf-8') as intx_file:
 72 |             json.dump(json_items, intx_file, ensure_ascii=False, indent=2)
 73 |     elif api == "intelix_del":
 74 |         del_path = api_conf.output_intx_del_path
 75 |         final_intx_del_path = api_utils.get_file_location(del_path)
 76 |         if not os.path.exists(final_intx_del_path):
 77 |             os.makedirs(final_intx_del_path)
 78 |         with open(os.path.join(final_intx_del_path, filename), "w", encoding='utf-8') as intx_del_file:
 79 |             json.dump(json_items, intx_del_file, ensure_ascii=False, indent=2)
 80 |     elif api == "xdr-datalake" or api == "live-discover":
 81 |         q_path = api_conf.output_queries_path
 82 |         final_q_path = api_utils.get_file_location(q_path)
 83 |         if not os.path.exists(final_q_path):
 84 |             os.makedirs(final_q_path)
 85 |         with open(os.path.join(final_q_path, filename), "w", encoding='utf-8') as q_res_file:
 86 |             json.dump(json_items, q_res_file, ensure_ascii=False, indent=2)
 87 |     elif api == "firewall":
 88 |         logging.debug("JSON file output, appending firewall inventory data")
 89 |         # a new folder is created to store the files
 90 |         fw_path = api_conf.output_fw_path
 91 |         final_fw_path = api_utils.get_file_location(fw_path)
 92 |         if not os.path.exists(final_fw_path):
 93 |             os.makedirs(final_fw_path)
 94 |         with open(os.path.join(final_fw_path, filename), "w", encoding='utf-8') as fw_file:
 95 |             json.dump(json_items, fw_file, ensure_ascii=False, indent=2)
 96 |     elif api == "firewall_groups":
 97 |         logging.debug("JSON file output, appending firewall group data")
 98 |         # a new folder is created to store the files
 99 |         fw_grp_path = api_conf.output_fw_grps_path
100 |         final_fw_grps_path = api_utils.get_file_location(fw_grp_path)
101 |         if not os.path.exists(final_fw_grps_path):
102 |             os.makedirs(final_fw_grps_path)
103 |         with open(os.path.join(final_fw_grps_path, filename), "w", encoding='utf-8') as fw_grps_file:
104 |             json.dump(json_items, fw_grps_file, ensure_ascii=False, indent=2)
105 |     elif api == "admins":
106 |         logging.debug("JSON file output, appending admin data")
107 |         # a new folder is created to store the files
108 |         admins_path = api_conf.output_admins_path
109 |         final_admins_path = api_utils.get_file_location(admins_path)
110 |         if not os.path.exists(final_admins_path):
111 |             os.makedirs(final_admins_path)
112 |         with open(os.path.join(final_admins_path, filename), "w", encoding='utf-8') as admins_file:
113 |             json.dump(json_items, admins_file, ensure_ascii=False, indent=2)
114 |     elif api == "roles":
115 |         logging.debug("JSON file output, appending role data")
116 |         # a new folder is created to store the files
117 |         role_path = api_conf.output_roles_path
118 |         final_role_path = api_utils.get_file_location(role_path)
119 |         if not os.path.exists(final_role_path):
120 |             os.makedirs(final_role_path)
121 |         with open(os.path.join(final_role_path, filename), "w", encoding='utf-8') as roles_file:
122 |             json.dump(json_items, roles_file, ensure_ascii=False, indent=2)
123 |     else:
124 |         logging.error("API Output Data Not Found")
125 | 
126 | 
127 | def process_output_stdout(json_items):
128 |     logging.debug(type(json_items))
129 |     if len(json_items) == 0:
130 |         # if there are no events then this process is passed.
131 |         pass
132 |     else:
133 |         # if there are events these are printed to the terminal
134 |         for item in json_items.values():
135 |             print(json.dumps(item, indent=2))
136 | 
137 | 
138 | def process_output_splunk(json_items, output, sourcetype_value):
139 |     logging.debug("Send to Splunk: Building dictionary")
140 | 
141 |     def splunk_output(spl_events):
142 |         # No changes are required to the event. Information in the transforms will be used.
143 |         processed_events = dict()
144 |         event_count = 0
145 |         logging.debug("Standard Splunk output selected.")
146 |         for event in spl_events.values():
147 |             # construct new event
148 |             pre_event = {"event": event}
149 |             event_count += 1
150 |             # add the constructed event to the processed_events dictionary
151 |             processed_events["{0}".format(event_count)] = pre_event
152 |         # return the processed events
153 |         return processed_events
154 | 
155 |     def splunk_trans_output(spl_events, transforms_source):
156 |         # apply the new transform information to the events
157 |         logging.debug("Transformation selected. Applying settings from config to event.")
158 |         processed_events = dict()
159 |         event_count = 0
160 | 
161 |         # load and read the config file
162 |         logging.info("Parsing the Splunk Configuration")
163 |         splunk_conf_path = api_conf.splunk_conf_path
164 |         splunk_final_path = api_utils.get_file_location(splunk_conf_path)
165 |         splunk_conf = cp.ConfigParser()
166 |         splunk_conf.read(splunk_final_path)
167 | 
168 |         # splunk_trans config info
169 |         host = splunk_conf.get('splunk_transform', 'host')
170 |         source = splunk_conf.get('splunk_transform', 'source')
171 |         sourcetype = splunk_conf.get('splunk_transform', 'sourcetype')
172 | 
173 |         for event in spl_events.values():
174 |             logging.debug("Standard Splunk output selected.")
175 |             # construct new event
176 |             pre_event = {"host": host, "source": source, "sourcetype": "{0}{1}".format(sourcetype, transforms_source),
177 |                          "event": event}
178 |             event_count += 1
179 |             # add the constructed event to the processed_events dictionary
180 |             processed_events["{0}".format(event_count)] = pre_event
181 |         return processed_events
182 | 
183 |     # Determine which splunk action is required before returning the events to be sent to splunk
184 |     if output == "splunk":
185 |         splunk_events = splunk_output(json_items)
186 |     elif output == "splunk_trans":
187 |         splunk_events = splunk_trans_output(json_items, sourcetype_value)
188 | 
189 |     return splunk_events
190 | 
191 | 
192 | def process_output_temp(tmp_dict, filename):
193 |     try:
194 |         tmp_path = api_conf.temp_path
195 |         final_tmp_path = api_utils.get_file_location(tmp_path)
196 |         # noinspection PyPep8
197 |         logging.info("Attempting to write file: {0}\{1}".format(final_tmp_path, filename))
198 |         if not os.path.exists(final_tmp_path):
199 |             os.makedirs(final_tmp_path)
200 |         with open(os.path.join(final_tmp_path, filename), "w", encoding='utf-8') as tmp_file:
201 |             json.dump(tmp_dict, tmp_file, ensure_ascii=False, indent=2)
202 |     except IOError:
203 |         logging.error("Unable to write file: {0}\{1}".format(final_tmp_path, filename))
204 |         return False
205 |     else:
206 |         tmp_file.close()
207 |         return True
208 | 


--------------------------------------------------------------------------------
/sophos_central_api_connector/sophos_central_api_polling.py:
--------------------------------------------------------------------------------
  1 | import json
  2 | import logging
  3 | from datetime import datetime
  4 | from os import path, remove, makedirs
  5 | from sophos_central_api_connector import sophos_central_api_connector_utils as api_utils
  6 | from sophos_central_api_connector.config import sophos_central_api_config as api_conf
  7 | 
  8 | 
  9 | def polling_alerts(alerts_exists, temp_exists, reset_flag, day_flag, days):
 10 |     # Polling argument has been passed. Need to determine what the current state of polling is
 11 |     if not alerts_exists:
 12 |         # What to do if there is no polling config file present
 13 |         logging.info("Polling not previously run, creating config")
 14 |         # calculate the to and from dates
 15 |         to_str, from_str = api_utils.calculate_from_to(days, poll_date=None)
 16 |         # generate the new polling config
 17 |         alerts_exists = create_poll_config(to_str)
 18 |     elif alerts_exists is True and day_flag is True and reset_flag is True:
 19 |         # the correct parameters have been passed to reset the polling config. Understood that this may produce dupes
 20 |         logging.info("Polling config exits. Applying reset parameter")
 21 |         # calculate the to and from dates
 22 |         to_str, from_str = api_utils.calculate_from_to(days, poll_date=None)
 23 |         logging.debug("from: {0}, to: {1}".format(from_str, to_str))
 24 |         # recreate the polling config
 25 |         alerts_exists = create_poll_config(to_str)
 26 |         poll_tf_path = api_conf.poll_temp_path
 27 |         poll_temp_path = get_file_location(poll_tf_path)
 28 |         if alerts_exists and reset_flag:
 29 |             # If the polling config is set and the reset flag is passed. Prepare for the next run
 30 |             logging.info("Deleting alert_ids log")
 31 |             # delete the old alert_ids.json. This will remove the last events successfully sent
 32 |             poll_alerts = api_conf.poll_alerts_path
 33 |             final_poll_alerts_path = get_file_location(poll_alerts)
 34 |             remove(final_poll_alerts_path)
 35 |         if temp_exists and reset_flag:
 36 |             # If the temp file exists then it will be deleted if the reset flag is set
 37 |             logging.info("Deleting temp_alert_ids log")
 38 |             remove(poll_temp_path)
 39 |         logging.info("Setting reset_flag to 'False'")
 40 |         # set the reset_flag to false to avoid it being reset again on the next pass
 41 |         reset_flag = False
 42 |     elif alerts_exists is True and reset_flag is False:
 43 |         # Determines that polling has been run previously with no reset passed.
 44 |         logging.info("Poll config already exists and no reset flag has been set.")
 45 |         # determine when to poll alerts from to calculate the to and from datetime
 46 |         to_str, from_str = polling_from(days)
 47 |     elif alerts_exists is True and day_flag is True and reset_flag is False:
 48 |         # In order to pass the days flag with polling it must be run with the reset flag
 49 |         logging.error("You must raise a reset flag to pass days with poll_alerts when a poll config already exists")
 50 |         exit(1)
 51 |     elif alerts_exists is True and reset_flag is True and day_flag is False:
 52 |         # Required to pass days flag when reset and polling are passed to calculate correctly the datetimes
 53 |         logging.error("You must raise a days flag to pass reset with poll_alerts when a poll config already exists")
 54 |         exit(1)
 55 | 
 56 |     if alerts_exists:
 57 |         # only return the variables if the polling config exists
 58 |         return to_str, from_str, reset_flag
 59 |     else:
 60 |         exit(1)
 61 | 
 62 | 
 63 | def create_poll_config(to_str):
 64 |     # create the polling config
 65 |     poll_path = api_conf.poll_conf_path
 66 |     final_poll_conf_path = get_file_location(poll_path)
 67 |     poll_dir = api_conf.poll_path
 68 |     poll_dir = get_file_location(poll_dir)
 69 |     if not path.exists(poll_dir):
 70 |         makedirs(poll_dir)
 71 |     poll_dict = {'last_run_datetime': '{0}'.format(to_str),
 72 |                  'firsttime_run': 'True', 'last_run_success_bool': '', 'last_run_success_datetime': '',
 73 |                  'first_loop': 'True', 'failures_seen': 'False'}
 74 |     with open(final_poll_conf_path, 'w', encoding='utf-8') as pa_file:
 75 |         json.dump(poll_dict, pa_file, ensure_ascii=False, indent=2)
 76 | 
 77 |     # re-check whether the polling config is set in order to return correctly
 78 |     alerts_exists = path.isfile(final_poll_conf_path)
 79 |     return alerts_exists
 80 | 
 81 | 
 82 | def polling_from(days):
 83 |     # If the polling config is already available checks are made to determine the last state of the run to correctly
 84 |     poll_path = api_conf.poll_conf_path
 85 |     final_poll_conf_path = get_file_location(poll_path)
 86 |     # determine the from and to datetimes
 87 |     with open(final_poll_conf_path) as pa_file:
 88 |         poll_dict = json.loads(pa_file.read())
 89 |         if poll_dict['last_run_success_bool'] == 'False':
 90 |             # If the last run was not successful it uses the last successful datetime for the from datetime
 91 |             poll_date = datetime.strptime(poll_dict['last_run_success_datetime'], '%Y-%m-%dT%H:%M:%S.%fZ')
 92 |             to_str, from_str = api_utils.calculate_from_to(days, poll_date)
 93 |         elif poll_dict['last_run_success_bool'] == 'True' and poll_dict['firsttime_run'] == 'False':
 94 |             # if the last run was succesful and it isnt the first time polling has been run then it will use the last
 95 |             # run datetime for from
 96 |             poll_date = datetime.strptime(poll_dict['last_run_datetime'], '%Y-%m-%dT%H:%M:%S.%fZ')
 97 |             logging.debug("poll_date={0}".format(poll_date))
 98 |             to_str, from_str = api_utils.calculate_from_to(days, poll_date)
 99 |         elif poll_dict['last_run_success_bool'] == '':
100 |             # If there is no information on the last successful run time then it will use the last run datetime
101 |             poll_date = datetime.strptime(poll_dict['last_run_datetime'], '%Y-%m-%dT%H:%M:%S.%fZ')
102 |             # this is then passed to calculate the correct datetime
103 |             to_str, from_str = api_utils.calculate_from_to(days, poll_date)
104 |     return to_str, from_str
105 | 
106 | 
107 | def prepare_poll(events, temp_exists, from_str):
108 |     poll_al_ids_path = api_conf.poll_alerts_path
109 |     poll_alerts_path = get_file_location(poll_al_ids_path)
110 |     # re-check whether the alert_ids json file exists
111 |     alertids_exists = path.isfile(poll_alerts_path)
112 |     logging.info("Does the alert_ids.json file exist? {0}".format(alertids_exists))
113 | 
114 |     # Open the poll config to configure polling
115 |     poll_path = api_conf.poll_conf_path
116 |     final_poll_conf_path = get_file_location(poll_path)
117 |     with open(final_poll_conf_path, 'r') as pa_file:
118 |         poll_dict = json.load(pa_file)
119 | 
120 |     if not alertids_exists:
121 |         # If the alert_ids file does not already exist return unless not first time run or loop
122 |         if poll_dict['firsttime_run'] == "True" and poll_dict['first_loop'] == "True":
123 |             # Set the first loop to false if it is the first time run and the first loop
124 |             logging.info("Polling not previously run")
125 |             # set the first loop to false to determine behaviour on next loop
126 |             poll_dict.update({"first_loop": "False"})
127 | 
128 |             with open(final_poll_conf_path, 'w+') as pa_file:
129 |                 json.dump(poll_dict, pa_file, ensure_ascii=False, indent=2)
130 | 
131 |             return events
132 |         elif poll_dict['firsttime_run'] == "False" and poll_dict['first_loop'] == "False":
133 |             # send the events to be checked if this isnt the first time that polling has been run and is not the first loop
134 |             logging.info("alert_ids.json file doesnt exist. Polling config shows this is not the first time run"
135 |                          " and is not the first loop")
136 |             # send for checks
137 |             spl_events = alert_file_checks(poll_dict, events, temp_exists, from_str)
138 |             # return the checked events for processing
139 |             return spl_events
140 |         elif poll_dict['first_loop'] == "False":
141 |             # just return the events
142 |             return events
143 |     elif alertids_exists:
144 |         # If the file exists, check existing alerts sent returned and prepared to ensure duplicates are not sent
145 |         logging.info("alert_ids file found, running checks")
146 |         logging.debug("First time run: {0}".format(poll_dict['firsttime_run']))
147 |         logging.debug("First loop: {0}".format(poll_dict['first_loop']))
148 |         # send for checks
149 |         spl_events = alert_file_checks(poll_dict, events, temp_exists, from_str)
150 |         return spl_events
151 | 
152 | 
153 | def alert_file_checks(poll_dict, events, temp_exists, from_str):
154 |     poll_path = api_conf.poll_conf_path
155 |     final_poll_conf_path = get_file_location(poll_path)
156 |     # only run checks if the alert_ids file exists
157 |     if poll_dict['firsttime_run'] == "True" and poll_dict['first_loop'] == "True":
158 |         poll_dict.update({"first_loop": "False"})
159 |         with open(final_poll_conf_path, 'w+') as pa_file:
160 |             json.dump(poll_dict, pa_file, ensure_ascii=False, indent=2)
161 |         # if this is the firstime run and first loop, then just return the events
162 |         return events
163 |     elif poll_dict['firsttime_run'] == "True" and poll_dict['first_loop'] == "False":
164 |         logging.debug("First time run is: {0}".format(poll_dict['firsttime_run']))
165 |         # if this is the firstime run then just return the events
166 |         return events
167 |     elif poll_dict['firsttime_run'] == "False" and poll_dict['first_loop'] == "True":
168 |         logging.debug("First time run is: {0} and first loop: {1}".format(poll_dict['firsttime_run'],
169 |                                                                           poll_dict['first_loop']))
170 | 
171 |         # Prep first loop to get events and calculate datetime.
172 |         from_datetime, process_alerts = first_loop_prep(temp_exists, from_str)
173 | 
174 |         # Go through existing alerts and delete events older than time frame being gathered
175 |         processed_existing_events = remove_old_alert_ids(from_datetime, process_alerts)
176 | 
177 |         # Write the necessary events to file
178 |         poll_tf_path = api_conf.poll_temp_path
179 |         poll_temp_path = get_file_location(poll_tf_path)
180 |         with open(poll_temp_path, 'w+', encoding='utf-8') as new_id_file:
181 |             json.dump(processed_existing_events, new_id_file, ensure_ascii=False, indent=2)
182 | 
183 |         # Reset first loop to ensure events are maintained on next pass
184 |         poll_dict.update({"first_loop": "False"})
185 |         with open(final_poll_conf_path, 'w+') as pa_file:
186 |             json.dump(poll_dict, pa_file, ensure_ascii=False, indent=2)
187 | 
188 |         logging.info("deleting alert_ids.json")
189 |         poll_al_ids_path = api_conf.poll_alerts_path
190 |         poll_alerts_path = get_file_location(poll_al_ids_path)
191 |         remove(poll_alerts_path)
192 | 
193 |         # Go through events gathered from Sophos Central and remove entries already sent
194 |         spl_events = process_poll_events(events)
195 | 
196 |         return spl_events
197 |     elif poll_dict['firsttime_run'] == "False" and poll_dict['first_loop'] == "False":
198 |         logging.info("Continue to process poll events")
199 |         # Go through events gathered from Sophos Central and remove entries already sent
200 |         spl_events = process_poll_events(events)
201 | 
202 |         return spl_events
203 | 
204 | 
205 | def first_loop_prep(temp_exists, from_str):
206 |     # Check whether the temp alert file has been already created from previous run
207 |     if temp_exists:
208 |         # if the file exists clear it down for this new run
209 |         logging.info("temp alerts file exists, clear it down")
210 |         poll_tf_path = api_conf.poll_temp_path
211 |         poll_temp_path = get_file_location(poll_tf_path)
212 |         with open(poll_temp_path, 'w', encoding='utf-8') as reset_temp:
213 |             temp_dict = {}
214 |             json.dump(temp_dict, reset_temp)
215 | 
216 |     # Open the alert ids and load into json for checking
217 |     poll_al_ids_path = api_conf.poll_alerts_path
218 |     poll_alerts_path = get_file_location(poll_al_ids_path)
219 |     with open(poll_alerts_path, 'r', encoding='utf-8') as existing_alerts:
220 |         # Load the file as json
221 |         process_alerts = json.load(existing_alerts)
222 |         logging.debug(process_alerts)
223 |         logging.info("Length of events from alert_ids.json: {0}".format(len(process_alerts)))
224 | 
225 |         # Set the correct from string to a datetime and create new list and reset the count
226 |         logging.debug(from_str)
227 |         from_datetime = datetime.strptime(from_str, '%Y-%m-%dT%H:%M:%S.%fZ')
228 |         return from_datetime, process_alerts
229 | 
230 | 
231 | def remove_old_alert_ids(from_datetime, process_alerts):
232 |     # Loop through the id_alerts and compare the datetime. If the alert is greater or equal to the
233 |     # from string then keep this alert id and append to new list
234 |     new_ids = {}
235 |     for (event_id, event_value) in process_alerts.items():
236 |         logging.debug("key: {0}, value: {1}".format(event_id, event_value))
237 |         value_date = datetime.strptime(event_value['raised_at'], '%Y-%m-%dT%H:%M:%S.%fZ')
238 |         logging.debug("{0} >= {1}".format(value_date, from_datetime))
239 |         if value_date >= from_datetime:
240 |             id_data = {event_id: {'raised_at': event_value['raised_at'], 'tenant_id': event_value['tenant_id']}}
241 |             new_ids.update(id_data)
242 | 
243 |     logging.info("Length of events from alert_ids.json after old ones removed: {0}".format(len(new_ids)))
244 | 
245 |     return new_ids
246 | 
247 | 
248 | def process_poll_events(events):
249 |     # Search and remove any ids which have already been sent and build new json
250 |     poll_tf_path = api_conf.poll_temp_path
251 |     poll_temp_path = get_file_location(poll_tf_path)
252 |     logging.info("Begin processing events...")
253 |     with open(poll_temp_path, 'r') as check_alerts:
254 |         temp_alert_ids = json.load(check_alerts)
255 |         new_spl_events = {}
256 | 
257 |     # check for matching ids and only add missing ones
258 |     for (new_event_id, new_event_value) in events.items():
259 |         if new_event_value.get('event', {}).get('id') or new_event_value.get('id', None) in temp_alert_ids.keys():
260 |             # if the id matches the key then skip
261 |             pass
262 |         else:
263 |             # if there is no match add event to new_spl_events
264 |             new_ev = {new_event_id: new_event_value}
265 |             new_spl_events.update(new_ev)
266 | 
267 |     logging.info("Length of new_spl_events: {0}".format(len(new_spl_events)))
268 |     logging.debug("new_spl_events type is: {0}".format(type(new_spl_events)))
269 | 
270 |     # determine length of the new alerts after checking
271 |     if len(new_spl_events) > 0 or len(new_spl_events) != "0":
272 |         # if the number of alerts is not zero then return the events
273 |         return new_spl_events
274 |     else:
275 |         # if the number of events is zero then set the new_spl_events to None so it is dealt with accordingly
276 |         logging.info("No events to send")
277 |         new_spl_events = None
278 |         return new_spl_events
279 | 
280 | 
281 | def gen_idalerts(event_data):
282 |     # When an event has been successfully sent to splunk the event data is written to file
283 |     poll_al_ids_path = api_conf.poll_alerts_path
284 |     poll_alerts_path = get_file_location(poll_al_ids_path)
285 |     alertids_exists = path.isfile(poll_alerts_path)
286 |     if alertids_exists:
287 |         # if the alert_ids.json file already exists load the existing information to a variable
288 |         with open(poll_alerts_path, 'r') as alerts_file:
289 |             alert_ids = json.load(alerts_file)
290 | 
291 |         alerts_file.close()
292 | 
293 |         # update the dictionary with the new event information that was successfully sent to
294 |         alert_ids.update(event_data)
295 |         with open(poll_alerts_path, 'w', encoding='utf-8') as id_file:
296 |             json.dump(alert_ids, id_file, ensure_ascii=False, indent=2)
297 | 
298 |     else:
299 |         # if the file doesnt yet exist then create it with the event data
300 |         with open(poll_alerts_path, 'w', encoding='utf-8') as alerts_file:
301 |             json.dump(event_data, alerts_file, ensure_ascii=False, indent=2)
302 | 
303 | 
304 | def finalise_polling(poll, to_str):
305 |     poll_path = api_conf.poll_conf_path
306 |     final_poll_conf_path = get_file_location(poll_path)
307 |     poll_al_ids_path = api_conf.poll_alerts_path
308 |     poll_alerts_path = get_file_location(poll_al_ids_path)
309 |     poll_tf_path = api_conf.poll_temp_path
310 |     poll_temp_path = get_file_location(poll_tf_path)
311 |     # once there are no further events to process for all of the tenants need to finalise the polling information
312 |     # ready for the next run
313 |     exists = path.isfile(final_poll_conf_path)
314 |     temp_exists = path.isfile(poll_temp_path)
315 |     main_exists = path.isfile(poll_alerts_path)
316 | 
317 |     def get_old_alerts():
318 |         # gather the old sent alerts from the temp file if any
319 |         if temp_exists:
320 |             with open(poll_temp_path, 'r') as check_alerts:
321 |                 temp_alert_ids = json.load(check_alerts)
322 |             return temp_alert_ids
323 |         else:
324 |             temp_alert_ids = None
325 |             return temp_alert_ids
326 | 
327 |     def get_new_alerts():
328 |         # gather the new events that have been sent if any
329 |         if main_exists:
330 |             with open(poll_alerts_path, 'r') as new_alerts:
331 |                 alerts = json.load(new_alerts)
332 |             return alerts
333 |         else:
334 |             alerts = None
335 |             return alerts
336 | 
337 |     if temp_exists:
338 |         # combine the new and old events into one file if temp exists
339 |         logging.info("Combining old and new events into new alert_ids.json file")
340 |         # gather old events
341 |         old_alerts = get_old_alerts()
342 |         logging.debug("old_alerts type: {0}".format(type(old_alerts)))
343 |         # gather new events
344 |         new_alerts = get_new_alerts()
345 |         logging.debug("new_alerts type: {0}".format(type(new_alerts)))
346 | 
347 |         if new_alerts is None:
348 |             # if there are no new alerts then just dump the old alerts to alert_ids.json
349 |             with open(poll_alerts_path, 'w', encoding='utf-8') as maintain_alerts:
350 |                 json.dump(old_alerts, maintain_alerts, ensure_ascii=False, indent=2)
351 |         else:
352 |             # if there are new alerts then go through old alerts and add them to the new events in alert_ids.json
353 |             for (old_id, old_id_value) in old_alerts.items():
354 |                 old_ev = {old_id: old_id_value}
355 |                 new_alerts.update(old_ev)
356 | 
357 |             with open(poll_alerts_path, 'w', encoding='utf-8') as combined_alerts:
358 |                 json.dump(new_alerts, combined_alerts, ensure_ascii=False, indent=2)
359 |     else:
360 |         # if the temp file doesnt exist then skip this part
361 |         pass
362 | 
363 |     if exists and poll:
364 |         # if the polling config exists and the polling is set then update the config according to the result of the pass
365 |         logging.info("Update poll_config information")
366 |         with open(final_poll_conf_path, 'r') as pa_file:
367 |             poll_dict = json.load(pa_file)
368 | 
369 |             logging.debug(poll_dict)
370 | 
371 |             if poll_dict['failures_seen'] == "False":
372 |                 # if there were no failures seen then update the relevant entries for success
373 |                 logging.info("No failures seen")
374 |                 poll_dict['last_run_success_bool'] = 'True'
375 |                 poll_dict['last_run_success_datetime'] = to_str
376 |                 poll_dict['first_loop'] = 'True'
377 |                 poll_dict['firsttime_run'] = 'False'
378 |                 poll_dict['last_run_datetime'] = to_str
379 |             elif poll_dict['failures_seen'] == "True":
380 |                 # if there were failures seen then update the relevant entries for failure so we capture them in the
381 |                 # next pass
382 |                 logging.info("Failures seen, setting config")
383 |                 poll_dict['last_run_success_bool'] = 'False'
384 |                 poll_dict['first_loop'] = 'True'
385 |                 poll_dict['firsttime_run'] = 'False'
386 | 
387 |         # write the changes to the polling config
388 |         with open(final_poll_conf_path, 'w') as pa_file:
389 |             json.dump(poll_dict, pa_file, indent=2)
390 |     else:
391 |         pass
392 | 
393 | 
394 | def get_file_location(process_path):
395 |     dir_name = path.dirname(__file__)
396 |     final_path = "{0}{1}".format(dir_name, process_path)
397 |     return final_path
398 | 


--------------------------------------------------------------------------------
/sophos_central_api_connector/sophos_central_api_tenants.py:
--------------------------------------------------------------------------------
  1 | import requests
  2 | import logging
  3 | 
  4 | 
  5 | def gen_tenant_headers(headers, whoami_id, whoami_type, header_type):
  6 |     # Check whether we have received a valid uuid
  7 |     if whoami_id is not None:
  8 |         logging.info("Applying the uuid to the header")
  9 |         # Apply the uuid to the variable and add it to the correct header
 10 |         headers[header_type] = whoami_id
 11 |         if whoami_type == "tenant":
 12 |             # the type is tenant so just return the data to gather the events
 13 |             logging.info("uuid is tenant only. Applying to the tenant headers")
 14 |             logging.info("Skipping collecting further information on the tenant ids")
 15 |             tenant_headers = {
 16 |                 "{0}".format(header_type): "{0}".format(whoami_id)
 17 |             }
 18 |             return tenant_headers
 19 |         else:
 20 |             # return that the type is not tenant so the tenant information can be gathered
 21 |             logging.info("whoami type is not tenant. Need to gather tenant information")
 22 |             tenant_headers = None
 23 |             return tenant_headers
 24 |     else:
 25 |         # Return the response code and error information and exit the script
 26 |         logging.error("Response Code: {0} Error Code: {1}".format(whoami_type, header_type))
 27 |         exit(1)
 28 | 
 29 | 
 30 | # This function will get the page total and pass the data to get_page function to gather the tenant information
 31 | def get_tenant_info(headers, tenant_url, sophos_access_token):
 32 |     # Get the total number of pages
 33 |     page_total_url = "{0}{1}".format(tenant_url, "?pageTotal=true")
 34 |     res_tenant = requests.get(page_total_url, headers=headers)
 35 |     res_tenant_code = res_tenant.status_code
 36 |     tenant_data = res_tenant.json()
 37 | 
 38 |     # Check the response and if good pass to get_page
 39 |     if res_tenant_code == 200:
 40 |         logging.info("Total tenant page information gathered")
 41 |         tenant_page_total = tenant_data['pages']['total']
 42 |         tenant_info = dict()
 43 |         # Call get_page function
 44 |         get_next_page(tenant_url, headers, tenant_page_total, sophos_access_token, tenant_info)
 45 |         return tenant_info
 46 |     else:
 47 |         # If the connection is not successful then pass back errors
 48 |         logging.error("Failed to get tenant information")
 49 |         res_tenant_error_code = tenant_data['error']
 50 |         logging.error("{0}: {1}".format(res_tenant_error_code, res_tenant_code))
 51 |         exit(1)
 52 | 
 53 | 
 54 | def get_next_page(tenant_url, headers, tenant_page_total, sophos_access_token, tenant_info):
 55 |     # This function constructs the url to gather pages of tenant information
 56 |     next_page = 1
 57 |     paged_url = "{0}{1}{2}".format(tenant_url, "?page=", next_page)
 58 |     # while page_url is not null it will calculate the next page and append tenant info to tenant_list
 59 |     while paged_url:
 60 |         res_tenant = requests.get(paged_url, headers=headers)
 61 |         tenant_data = res_tenant.json()
 62 |         # from the tenant data construct the headers to connect to the correct api url
 63 |         for item in tenant_data['items']:
 64 |             tenant_id = "{0}".format(item['id'])
 65 |             tenant_headers = {
 66 |                 "X-Tenant-ID": tenant_id,
 67 |                 "Authorization": "Bearer {0}".format(sophos_access_token),
 68 |                 "Accept": "application/json"
 69 |             }
 70 |             tenant_item = {
 71 |                 item['id']: {
 72 |                     "name": item['name'],
 73 |                     "headers": tenant_headers,
 74 |                     "page_url": item['apiHost']
 75 |                 }
 76 |             }
 77 |             tenant_info.update(tenant_item)
 78 | 
 79 |         next_page += 1
 80 |         # checks if the next_page value is less than or equal to total pages. If so create next url for pass
 81 |         if next_page <= tenant_page_total:
 82 |             paged_url = "{0}{1}{2}".format(tenant_url, "?page=", next_page)
 83 |         else:
 84 |             paged_url = False
 85 | 
 86 | 
 87 | def type_tenant(tenant_headers, whoami_id, tenant_url, sophos_access_token):
 88 |     # Creates a tenant object if the whoami is solely a tenant object. This will not construct headers for Partner or
 89 |     # Organisation
 90 |     tenant_headers["Authorization"] = "Bearer {0}".format(sophos_access_token)
 91 |     tenant_headers["Accept"] = "application/json"
 92 |     tenant_info = {
 93 |         whoami_id: {
 94 |             "name": "tenant",
 95 |             "headers": tenant_headers,
 96 |             "page_url": tenant_url
 97 |         }
 98 |     }
 99 |     return tenant_info
100 | 


--------------------------------------------------------------------------------
/sophos_central_api_connector/sophos_central_hec_splunk.py:
--------------------------------------------------------------------------------
  1 | import requests
  2 | import json
  3 | import logging
  4 | import configparser as cp
  5 | from time import sleep
  6 | from os import path
  7 | from sys import exit
  8 | from sophos_central_api_connector import sophos_central_api_polling as api_poll
  9 | from sophos_central_api_connector.config import sophos_central_api_config as api_conf
 10 | 
 11 | 
 12 | def send_to_splunk(api, splunk_events, splunk_creds, sourcetype_value, tenant_id, from_str, to_str, alerts_exists,
 13 |                    temp_exists, alertids_exists, poll):
 14 |     # Generate the Splunk URL to be used to send the data to.
 15 |     splunk_conf_path = api_conf.splunk_conf_path
 16 |     splunk_final_path = get_file_location(splunk_conf_path)
 17 |     splunk_conf = cp.ConfigParser()
 18 |     splunk_conf.read(splunk_final_path)
 19 |     main_splunk_url, channel = set_main_splunk_url()
 20 |     splunk_headers = {"Authorization": "Splunk {0}".format(splunk_creds)}
 21 | 
 22 |     # Check indexer acknowledgement settings
 23 |     request_ack = splunk_conf.get('splunk_hec', 'verify_ack_result')
 24 | 
 25 |     if api == "common":
 26 |         # if the api is common post the alerts to splunk
 27 |         logging.info("Length of splunk events passed to post_alerts: {0}".format(len(splunk_events)))
 28 |         post_alerts(from_str, temp_exists, poll, splunk_events, main_splunk_url, request_ack, channel, splunk_headers,
 29 |                     tenant_id)
 30 |     elif api == "endpoint":
 31 |         # if the api is endpoint post the inventory data to splunk
 32 |         logging.info("Length of splunk events passed to post_inventory: {0}".format(len(splunk_events)))
 33 |         post_inventory(splunk_events, main_splunk_url, request_ack, channel, splunk_headers, poll)
 34 |     else:
 35 |         logging.error("No api function available for: {0}".format(api))
 36 | 
 37 | 
 38 | def set_main_splunk_url():
 39 |     splunk_conf_path = api_conf.splunk_conf_path
 40 |     splunk_final_path = get_file_location(splunk_conf_path)
 41 |     splunk_conf = cp.ConfigParser()
 42 |     splunk_conf.read(splunk_final_path)
 43 |     # construct the main splunk url from the config information
 44 |     splunk_url = splunk_conf.get('splunk_hec', 'splunk_url')
 45 |     channel = splunk_conf.get('splunk_hec', 'channel')
 46 |     splunk_ack_enabled = splunk_conf.get('splunk_hec', 'splunk_ack_enabled')
 47 | 
 48 |     if splunk_ack_enabled == "1":
 49 |         # if the token has the splunk acknowledgement enabled we need to pass a channel GUID to be successful
 50 |         # this is provided from the splunk_config.ini file
 51 |         logging.info("Indexer Acknowledgement set on HEC token, applying correct URI")
 52 |         main_splunk_url = "{0}?channel={1}".format(splunk_url, channel)
 53 |     elif splunk_ack_enabled == "0":
 54 |         # if no splunk acknowledgement is set then simply use the base splunk url provided in the config
 55 |         logging.info("No Indexer Acknowledgement set on HEC token, applying correct URI")
 56 |         main_splunk_url = splunk_url
 57 | 
 58 |     return main_splunk_url, channel
 59 | 
 60 | 
 61 | def post_alerts(from_str, temp_exists, poll, spl_events, main_splunk_url, request_ack, channel, splunk_headers,
 62 |                 tenant_id):
 63 |     if poll:
 64 |         # If polling is set prepare the events to be sent to Splunk
 65 |         logging.info("Prep alert events for polling")
 66 |         spl_events = api_poll.prepare_poll(spl_events, temp_exists, from_str)
 67 |     else:
 68 |         # if no polling parameter has been passed then this is skipped
 69 |         logging.info("No alert polling set")
 70 | 
 71 |     if spl_events is None:
 72 |         # if there are no events to process then we return to process the next tenant if any
 73 |         logging.info("spl_events is 'None'")
 74 |         return
 75 |     elif len(spl_events) == 0:
 76 |         # if there are no events to process then we return to process the next tenant if any
 77 |         logging.info("Length of spl_events is: 0")
 78 |         return
 79 |     else:
 80 |         # if there are events we run a for loop to send the events to splunk
 81 |         logging.info("Length of splunk events being passed to splunk: {0}".format(len(spl_events)))
 82 | 
 83 |     # Go through the list of events and attempt to send to Splunk
 84 |     send_count = 0
 85 |     logging.info("Iterating through events and sending to Splunk...")
 86 |     logging.info("Length of events sent: {0}".format(len(spl_events)))
 87 |     for spl_event in spl_events.values():
 88 |         # Extract the events id. tenant and raised at values
 89 |         logging.debug(spl_event)
 90 |         event_id = spl_event['event']['id']
 91 |         event_tenant_id = spl_event['event']['tenant']['id']
 92 |         raised_at = spl_event['event']['raisedAt']
 93 |         event_data = {event_id: {"raised_at": raised_at, "tenant_id": event_tenant_id}}
 94 |         spl_event = json.dumps(spl_event)
 95 |         send_count += 1
 96 |         # send the extracted information to splunk
 97 |         hec_response_code, failed_id = post_events_to_splunk(spl_event, splunk_headers,
 98 |                                                              main_splunk_url, send_count,
 99 |                                                              request_ack, event_data,
100 |                                                              event_id, poll, channel)
101 | 
102 | 
103 | def post_inventory(splunk_events, main_splunk_url, request_ack, channel, splunk_headers, poll):
104 |     # Go through the list of events and attempt to send to Splunk
105 |     send_count = 0
106 |     raised_at = None
107 |     logging.info("Iterating through events and sending to Splunk...")
108 |     logging.info("Length of events sent: {0}".format(len(splunk_events)))
109 |     for spl_event in splunk_events.values():
110 |         # Extract the events id. tenant and raised at values
111 |         logging.debug(spl_event)
112 |         event_id = spl_event['event']['id']
113 |         event_tenant_id = spl_event['event']['tenant']['id']
114 |         event_data = {event_id: {"tenant_id": event_tenant_id}}
115 |         spl_event = json.dumps(spl_event)
116 |         send_count += 1
117 |         hec_response_code, failed_id = post_events_to_splunk(spl_event, splunk_headers,
118 |                                                              main_splunk_url, send_count,
119 |                                                              request_ack, event_data,
120 |                                                              event_id, poll, channel)
121 | 
122 | 
123 | def post_events_to_splunk(spl_event, splunk_headers, main_splunk_url, send_count, request_ack, event_data, event_id,
124 |                           poll, channel):
125 |     logging.debug("Event data content in post: {0}".format(event_data))
126 |     try:
127 |         # attempt to send the event to splunk
128 |         hec_res = requests.post(main_splunk_url, headers=splunk_headers, data=spl_event)
129 |         logging.debug(hec_res.status_code)
130 |         hec_data = hec_res.json()
131 |         logging.debug(hec_data)
132 |         hec_response_code = hec_data['code']
133 |         hec_response_text = hec_data['text']
134 |         logging.debug(hec_data['text'])
135 |         # If the sending of the data is successful to Splunk evaluate whether to check indexer acknowledgement
136 |         if hec_response_code == 0:
137 |             # if the event is successfully sent then check if the polling parameter has been passed to add the event id
138 |             logging.debug("EventID: '{0}' has been sent to splunk".format(event_id))
139 |             failed_id = None
140 |             if poll:
141 |                 # add the event data to the alert_ids.json
142 |                 api_poll.gen_idalerts(event_data)
143 |             else:
144 |                 pass
145 |             return hec_response_code, failed_id
146 |         elif hec_response_code == 8 or hec_response_code == 9:
147 |             logging.error("Event failed to send to Splunk with error: {0}".format(hec_response_text))
148 |             logging.debug(splunk_headers)
149 |             # if the server is busy then send for a retry
150 |             hec_retry_code, failed_id = hec_post_retry(spl_event, main_splunk_url, splunk_headers, event_id)
151 |             return hec_response_code, failed_id
152 |         elif hec_response_code != 0:
153 |             failed_id = True
154 |             # send to failure
155 |             event_failure(spl_event, poll, failed_id)
156 |     except requests.exceptions.HTTPError as err_http:
157 |         logging.error("HTTP Error:", err_http)
158 |     exit(1)
159 | 
160 | 
161 | def hec_post_retry(spl_event, main_splunk_url, splunk_headers, event_id):
162 |     # We will only try to resend the event a max of three times
163 |     logging.debug(splunk_headers)
164 |     max_retries = 3
165 |     retries = 0
166 |     retry = True
167 |     while retry is True:
168 |         # Attempt to send the event to Splunk again
169 |         logging.info("Retrying to send ID: '{0}' to splunk. Attempt: {1}".format(event_id, retries))
170 |         sleep(1)
171 |         retries += 1
172 |         logging.debug("Retry: {0}".format(retries))
173 |         hec_res = requests.post(main_splunk_url, headers=splunk_headers, data=spl_event)
174 |         hec_retry_data = hec_res.json()
175 |         hec_retry_code = hec_retry_data['code']
176 |         hec_retry_text = hec_retry_data['text']
177 |         logging.debug(hec_retry_data)
178 |         if hec_retry_code == 0:
179 |             # If successful set the retry to false to break out of the loop
180 |             logging.info("Retry successfully sent to Splunk ID: '{0}'".format(event_id))
181 |             retry = False
182 |             failed_id = False
183 |             return hec_retry_code, failed_id
184 |         elif retries == max_retries:
185 |             logging.error("ID: '{0}' failed to send to Splunk. "
186 |                           "This will be sent to the event failure def".format(event_id))
187 |             retry = False
188 |             failed_id = True
189 |             return hec_retry_code, failed_id
190 |         elif hec_retry_code == 8 or hec_retry_code == 9:
191 |             # Retry sending back to the start of the loop
192 |             retry = True
193 |         elif hec_retry_code != 8 or hec_retry_code != 9:
194 |             # This is due to a major failure so we need to break out completely
195 |             logging.error("Failed to send the event failing out: {0}".format(hec_retry_text))
196 |             exit(1)
197 | 
198 | 
199 | def event_failure(spl_event, poll, failed_id):
200 |     poll_path = api_conf.poll_conf_path
201 |     final_poll_conf_path = get_file_location(poll_path)
202 |     # if the event failure is true check whether the polling config exists
203 |     exists = path.isfile(final_poll_conf_path)
204 |     if exists and poll:
205 |         # if the polling config exists and the polling parameter is true then write failure to the config
206 |         try:
207 |             with open(final_poll_conf_path, 'r') as pa_file:
208 |                 poll_dict = json.load(pa_file)
209 |                 for item in poll_dict:
210 |                     if item['last_run_success_bool'] in ['True']:
211 |                         item['last_run_success_bool'] = 'False'
212 |                     if item['failures_seen'] in ['True']:
213 |                         item['failures_seen'] = 'True'
214 |             with open(final_poll_conf_path, 'w') as pa_file:
215 |                 json.dump(poll_dict, pa_file, indent=2)
216 |         except Exception as exc:
217 |             print("Exception raised: {0}".format(exc))
218 |     else:
219 |         log_path = api_conf.logging_path
220 |         final_logging_path = get_file_location(log_path)
221 |         # Set the failed event to a file for retry later or just report
222 |         with open(final_logging_path, 'r') as fail_file:
223 |             failed_events = json.load(fail_file)
224 | 
225 |         # update the dictionary with the new event information that failed
226 |         failed_events.update(failed_id)
227 |         with open(final_logging_path, 'w') as new_fails:
228 |             json.dump(failed_events, new_fails, ensure_ascii=False, indent=2)
229 | 
230 | 
231 | def get_file_location(process_path):
232 |     dir_name = path.dirname(__file__)
233 |     final_path = "{0}{1}".format(dir_name, process_path)
234 |     return final_path
235 | 


--------------------------------------------------------------------------------