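def get_alerts(customer_name, status, quiet=False):
    """Query the Falcon console for detection counts and summarise alerts for one customer.

    Posts the fixed aggregation request below to the Falcon UI aggregates
    endpoint (through the module-level ``falcon`` session and ``header``) and
    inspects the ``status`` aggregation bucket of the reply.

    Args:
        customer_name: Display name appended to the alert line.
        status: Collection of status labels to report on (e.g. ``['new']``).
            Membership is tested with ``in``; pass a list/tuple/set, not a bare
            string, or the test silently becomes a substring match.
        quiet: When True, retrieval failures return None instead of a message.

    Returns:
        A colourised alert line for the first requested status whose bucket
        count is above zero; a "there was an issue" message when the request or
        its payload cannot be used (None instead when ``quiet``); None when no
        requested status has a positive count.
    """
    # Fixed aggregation request the console sends for the detections view. The
    # console posts several other v1 payloads per customer; this one returns the
    # buckets we need. Keys and values must stay exactly as they are -- changing
    # them has been observed to break the request and is untested. Note this is
    # the console's internal (undocumented) API, not the public Falcon API, so it
    # can change without notice.
    aggregations = [
        {"name": "time", "min_doc_count": 0, "size": 5, "type": "date_range",
         "field": "last_behavior",
         "date_ranges": [{"from": "now-1h", "to": "now", "label": "Last hour"},
                         {"from": "now-24h", "to": "now", "label": "Last day"},
                         {"from": "now-7d", "to": "now", "label": "Last week"},
                         {"from": "now-30d", "to": "now", "label": "Last 30 days"},
                         {"from": "now-90d", "to": "now", "label": "Last 90 days"}]},
        {"name": "status", "min_doc_count": 0, "size": 5, "type": "terms", "field": "status"},
        {"name": "severity", "min_doc_count": 0, "size": 5, "type": "range",
         "field": "max_severity",
         "ranges": [{"from": 80, "to": 101, "label": "Critical", "id": 4},
                    {"from": 60, "to": 80, "label": "High", "id": 3},
                    {"from": 40, "to": 60, "label": "Medium", "id": 2},
                    {"from": 20, "to": 40, "label": "Low", "id": 1},
                    {"from": 0, "to": 20, "label": "Informational", "id": 0}]},
        {"name": "scenario", "min_doc_count": 0, "size": 0, "type": "terms",
         "field": "behaviors.scenario"},
        {"name": "assigned_to_uid", "min_doc_count": 1, "size": 5, "type": "terms",
         "field": "assigned_to_uid", "missing": "Unassigned"},
        {"name": "host", "min_doc_count": 1, "size": 5, "type": "terms",
         "field": "device.hostname.raw", "missing": "Unknown"},
        {"name": "triggering_file", "min_doc_count": 1, "size": 5, "type": "terms",
         "field": "behaviors.filename.raw"},
    ]

    response = falcon.post(
        'https://falcon.crowdstrike.com/api2/detects/aggregates/detects/GET/v1',
        headers=header,
        data=json.dumps(aggregations),
    )

    def _failure():
        # Single place for the "could not retrieve" outcome so that every error
        # path honours ``quiet`` the same way.
        if quiet:
            return None
        return info_format('alert', 'There was an issue retrieving alerts for {0}. Skipping...'.format(customer_name))

    # Never let an HTTP-level failure (expired session, 401/403, 5xx) look like
    # "no alerts": for a monitoring script that is a silent detection gap. An
    # error body may still carry an empty ``resources`` list, which the old
    # code would have read as zero alerts, and a non-JSON body (e.g. an HTML
    # login page) would have crashed the run because only KeyError was caught.
    # ``ok`` assumes a requests-style response; ``.json()`` below already does.
    if not response.ok:
        return _failure()

    try:
        body = response.json()  # parse once; the previous code re-parsed the body three times
        # print(json.dumps(body, indent=4))  # full json data set, for debugging
        for bucket in body['resources']:
            if bucket['name'] != 'status':
                continue
            for value in bucket['buckets']:
                # Only the first requested status with a positive count is
                # reported; counts are not summed across statuses.
                if value['label'] in status and value.get('count', 0) > 0:
                    alert_str = info_format('alert', '{0}{1}{2} alert(s) detected!\n'.format(
                        Fore.LIGHTRED_EX, value['count'], Fore.LIGHTWHITE_EX))
                    alert_str += '----> {0}{1}{2}'.format(Fore.LIGHTGREEN_EX, customer_name, Style.RESET_ALL)
                    return alert_str
    except (ValueError, KeyError):  # ValueError covers json.JSONDecodeError
        return _failure()
    return None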