Example Lambda runbook
#!/usr/bin/env python
""" Example Lambda function for Security ChatOPs"""
__author__ = 'Jacolon Walker'
__email__ = '[email protected]'
import base64
import hashlib
import hmac
import logging
import re
import time
from ConfigParser import SafeConfigParser
from urlparse import parse_qs

import requests

from sentinel_core import AUTH, count_agents, fetch_agent_logs, login, threats_summary, blacklist_hash
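LOGGER = logging.getLogger()
LOGGER.setLevel(logging.INFO)

# Global variables setup.
# config.ini is looked up relative to the process working directory.  It holds
# the Slack incoming-webhook URL, which is effectively a credential: anyone who
# obtains it can post into the channel as the bot.
# NOTE(review): consider sourcing it from an environment variable or a secrets
# store rather than shipping it inside the deployment package.
PARSER = SafeConfigParser()
# SafeConfigParser.read() silently skips files it cannot open and returns only
# the ones it parsed.  Without this check a missing/unreadable config surfaces
# later as an opaque NoSectionError from the first .get() below.
if not PARSER.read('config.ini'):
    raise RuntimeError("config.ini not found or unreadable; refusing to start")
WEBHOOK = PARSER.get('slack_dev', 'webhook')   # incoming-webhook URL (treat as a secret)
NOTIFY = PARSER.get('slack_dev', 'notify')     # sent as the webhook "channel" field
BOTNAME = PARSER.get('slack_dev', 'botname')   # sent as the webhook "username" field

# Response shapes for the API Gateway Lambda proxy integration.
GOOD_STATUS = {"statusCode": 200, "headers": {}, "body": "Success!"}
BAD_STATUS = {"statusCode": 500, "headers": {}, "body": "Failed!"}
UNSUPPORTED_CMD = {"statusCode": 200, "headers": {}, "body": "Unsupported command!"}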
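# Accepted argument shape for the blacklist command: a hex digest of MD5,
# SHA-1 or SHA-256 length.  NOTE(review): this assumes the backend blacklist
# takes file hashes only (the original called them hash_list / blacklist_hash);
# widen the pattern if other IOC types are legitimately accepted.
_HASH_RE = re.compile(r'^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$')

# Requests whose Slack timestamp is older than this are treated as replays.
_SLACK_MAX_SKEW_SECONDS = 60 * 5

# Outbound HTTP timeout so a stalled webhook call cannot pin the Lambda until
# the function's own timeout fires.
_HTTP_TIMEOUT = 10

_FORBIDDEN = {"statusCode": 403, "headers": {}, "body": "Forbidden"}
_USAGE = {
    "statusCode": 200,
    "headers": {},
    "body": "Usage: agent_count | health | blacklist <hash> [hash ...] | fetch <agent> [agent ...]",
}
_BAD_HASH = {
    "statusCode": 200,
    "headers": {},
    "body": "Rejected: blacklist arguments must be MD5/SHA-1/SHA-256 hex digests.",
}


def _header(event, name):
    """Return request header *name* case-insensitively, or None if absent."""
    headers = event.get('headers') or {}
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def _raw_body(event):
    """Return the request body as text, decoding it if API Gateway base64-encoded it."""
    body = event.get('body') or ''
    if event.get('isBase64Encoded'):
        body = base64.b64decode(body).decode('utf-8')
    return body


def _verify_slack_signature(event, body):
    """Return True only if the request carries a valid Slack request signature.

    Implements Slack's signing-secret scheme: the ``X-Slack-Signature`` header
    must equal ``v0=`` + hex(HMAC-SHA256(secret, ``v0:<timestamp>:<raw body>``))
    where ``<timestamp>`` is the ``X-Slack-Request-Timestamp`` header.  The
    secret is read from ``[slack_dev] signing_secret`` in config.ini; if that
    option is missing the lookup raises and the request is rejected (fail closed).

    Without this check anyone who can reach the API Gateway URL can run every
    command handled below -- including ``blacklist`` -- under any user_name.
    """
    signature = _header(event, 'X-Slack-Signature')
    timestamp = _header(event, 'X-Slack-Request-Timestamp')
    if not signature or not timestamp:
        return False
    try:
        if abs(time.time() - int(timestamp)) > _SLACK_MAX_SKEW_SECONDS:
            return False  # stale or replayed request
    except ValueError:
        return False
    secret = PARSER.get('slack_dev', 'signing_secret')
    base = 'v0:%s:%s' % (timestamp, body)
    expected = 'v0=' + hmac.new(secret.encode('utf-8'), base.encode('utf-8'),
                               hashlib.sha256).hexdigest()
    # Constant-time comparison so a wrong signature cannot be refined byte by byte.
    return hmac.compare_digest(expected, signature)


def _slack_escape(text):
    """Escape the characters Slack treats as markup in message text.

    User-supplied strings (user_name, fetch arguments) are echoed into the
    channel; unescaped ``<!channel>``-style sequences would be interpreted.
    """
    return text.replace('&', '&amp;').replace('<', '&lt;').replace('>', '&gt;')


def _notify(text):
    """Post *text* to the configured channel; return the API Gateway response."""
    payload = {
        "channel": NOTIFY,
        "username": BOTNAME,
        "text": text,
    }
    resp = requests.post(WEBHOOK, json=payload, timeout=_HTTP_TIMEOUT)
    return GOOD_STATUS if resp.status_code == 200 else BAD_STATUS


def _cmd_agent_count(auth_token, args, requested_by):
    """Report the number of registered endpoints."""
    count = count_agents(headers=auth_token).json()['count']
    return _notify("There are %s registered endpoints.\n%s" % (count, requested_by))


def _cmd_blacklist(auth_token, args, requested_by):
    """Add each argument as a blocked IOC hash, then announce it.

    NOTE(review): there is no per-user authorization here -- every workspace
    member who can invoke the slash command can add blacklist entries.
    Consider checking ``user_id`` against an allowlist before calling
    blacklist_hash.
    """
    if not args:
        return _USAGE
    rejected = [item for item in args if not _HASH_RE.match(item)]
    if rejected:
        # Allowlist validation: the arguments come straight from the Slack
        # user and are forwarded to the endpoint-management API.
        LOGGER.warning("blacklist: rejected %d non-hash argument(s)", len(rejected))
        return _BAD_HASH
    for item in args:
        blacklist_hash(headers=auth_token, ioc=item)
    return _notify("Blocking IOC: %s\n%s" % (",".join(args), requested_by))


def _cmd_fetch(auth_token, args, requested_by):
    """Request logs for every named agent and post one summary message.

    The original returned from inside the loop, so only the first agent was
    ever fetched.  The response body is not logged: agent logs may contain
    sensitive data that should not land in CloudWatch.
    """
    if not args:
        return _USAGE
    lines = []
    for agent in args:
        # NOTE(review): ``agent`` is unvalidated user input passed as the query;
        # confirm what fetch_agent_logs accepts and tighten this if possible.
        alog_resp = fetch_agent_logs(headers=auth_token, query=agent)
        LOGGER.info("fetch_agent_logs(%r) -> HTTP %s", agent,
                    getattr(alog_resp, 'status_code', '?'))
        lines.append("Agent logs for request: %s\n" % _slack_escape(agent))
        lines.append("Can be found @ https://prod.endpoint-mgmt.tld/#/activity\n")
    return _notify("".join(lines) + requested_by)


def _cmd_health(auth_token, args, requested_by):
    """Post the mitigated / suspicious / blocked threat counts."""
    summary = threats_summary(headers=auth_token).json()
    text = "Threats that have been mitigated and need resolving: %d\n" % summary['mitigated']
    text += "Suspicious threats: %d\n" % summary['suspicious']
    text += "Blocked threats: %d\n" % summary['blocked']
    return _notify(text + requested_by)


_COMMANDS = {
    'agent_count': _cmd_agent_count,
    'blacklist': _cmd_blacklist,
    'fetch': _cmd_fetch,
    'health': _cmd_health,
}


def main_handler(event, context):
    """Main handler execution for endpoint logic.

    API Gateway (Lambda proxy) entry point for a Slack slash command.  The
    request signature is verified first, then the form-encoded body is parsed;
    the first word of ``text`` selects a command and the remaining words are
    its arguments.

    Returns an API Gateway response dict: GOOD_STATUS / BAD_STATUS depending on
    the Slack post, UNSUPPORTED_CMD for an unknown command, a usage reply for
    a missing command or arguments, 403 when the signature check fails, and
    BAD_STATUS (500) when a backend call raises.
    """
    body = _raw_body(event)
    if not _verify_slack_signature(event, body):
        LOGGER.warning("rejected request with missing or invalid Slack signature")
        return _FORBIDDEN
    # Deliberately not logging the raw event/body: it carries Slack's
    # verification token and user identifiers.
    fields = parse_qs(body)
    # parse_qs drops blank values, so an empty ``text`` shows up as a missing key.
    words = ' '.join(fields.get('text', [])).split()
    user = fields.get('user_name', ['unknown'])[0]
    requested_by = "Requested by: %s.\n" % _slack_escape(user)
    if not words:
        return _USAGE
    command = _COMMANDS.get(words[0])
    if command is None:
        return UNSUPPORTED_CMD
    LOGGER.info("command %s requested by %s", words[0], user)
    try:
        # Authenticate to the backend only once a supported command is selected.
        auth_token = login(req_auth=AUTH)
        return command(auth_token, words[1:], requested_by)
    except Exception:
        # Top-level boundary: keep the traceback in the logs and return a
        # generic failure rather than surfacing backend details to the caller.
        LOGGER.exception("command %s failed", words[0])
        return BAD_STATUS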