{"basic_builder": {"appname": "TA-canary", "author": "Mickey Perre", "tab_build_no": "12", "visible": false, "build_no": 2, "large_icon": "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", "version": "1.1.0", "theme": "#59db8a", "description": "", "friendly_name": "Thinkst Canary AddOn For Splunk", "tab_version": "2.2.0", "small_icon": "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"}, "sourcetype_builder": {"canary_device": {"metadata": {"extractions_count": 0, "data_input_name": null, "event_count": 0, "cims_count": 0}}, "canary_daily_poll": {"metadata": {"extractions_count": 0, "data_input_name": "canary_daily_poll", "event_count": 0, "cims_count": 0}}}, "alert_action_builder": {"modular_alerts": [{"description": "DELETE request that permanently removes an incident. It will no longer exist after this action.", "parameters": [{"format_type": "text", "value": "incident:devicedied:99b9d31de2946ad89c8938d3::1520814341", "type": "", "name": "incident_id", "help_string": "Id field in incident data.", "label": "Incident id", "default_value": "", "required": false}, {"format_type": "text", "value": "main", "type": "", "name": "index_name", "help_string": "Index to output results of actions to.", "label": "Index Name", "default_value": "", "required": false}], "code": "\n# encoding = utf-8\n\ndef process_event(helper, *args, **kwargs):\n \"\"\"\n # IMPORTANT\n # Do not remove the anchor macro:start and macro:end lines.\n # These lines are used to generate sample code. 
If they are\n # removed, the sample code will not be updated when configurations\n # are updated.\n\n [sample_code_macro:start]\n\n # The following example gets the setup parameters and prints them to the log\n canary_domain = helper.get_global_setting(\"canary_domain\")\n helper.log_info(\"canary_domain={}\".format(canary_domain))\n api_key = helper.get_global_setting(\"api_key\")\n helper.log_info(\"api_key={}\".format(api_key))\n\n # The following example sends rest requests to some endpoint\n # response is a response object in python requests library\n response = helper.send_http_request(\"http://www.splunk.com\", \"GET\", parameters=None,\n payload=None, headers=None, cookies=None, verify=True, cert=None, timeout=None, use_proxy=True)\n # get the response headers\n r_headers = response.headers\n # get the response body as text\n r_text = response.text\n # get response body as json. If the body text is not a json string, raise a ValueError\n r_json = response.json()\n # get response cookies\n r_cookies = response.cookies\n # get redirect history\n historical_responses = response.history\n # get response status code\n r_status = response.status_code\n # check the response status, if the status is not sucessful, raise requests.HTTPError\n response.raise_for_status()\n\n\n # The following example gets and sets the log level\n helper.set_log_level(helper.log_level)\n\n # The following example gets the alert action parameters and prints them to the log\n incident_id = helper.get_param(\"incident_id\")\n helper.log_info(\"incident_id={}\".format(incident_id))\n\n index_name = helper.get_param(\"index_name\")\n helper.log_info(\"index_name={}\".format(index_name))\n\n\n # The following example adds two sample events (\"hello\", \"world\")\n # and writes them to Splunk\n # NOTE: Call helper.writeevents() only once after all events\n # have been added\n helper.addevent(\"hello\", sourcetype=\"sample_sourcetype\")\n helper.addevent(\"world\", 
sourcetype=\"sample_sourcetype\")\n helper.writeevents(index=\"summary\", host=\"localhost\", source=\"localhost\")\n\n # The following example gets the events that trigger the alert\n events = helper.get_events()\n for event in events:\n helper.log_info(\"event={}\".format(event))\n\n # helper.settings is a dict that includes environment configuration\n # Example usage: helper.settings[\"server_uri\"]\n helper.log_info(\"server_uri={}\".format(helper.settings[\"server_uri\"]))\n [sample_code_macro:end]\n \"\"\"\n import json\n import time\n helper.log_info(\"Alert action canary_delete_an_incident started.\")\n \n domain = helper.get_global_setting('canary_domain')\n api_key = helper.get_global_setting(\"api_key\")\n \n #Check to see if proxy setting is configured\n proxy = helper.get_proxy()\n \n if proxy:\n use_proxy = True\n else:\n use_proxy = False\n \n #Set a custom useragent header for Splunk API so Canary.tools can see the use of the product\n headers = {'User-Agent': 'Splunk API Call'}\n \n #Get ID of Incident\n incident_id = helper.get_param(\"incident_id\")\n \n #Get Index Name\n index_name = helper.get_param(\"index_name\")\n \n #Get current time for testing purposes. \n current_time = time.time()\n \n #Pass the domain and the api key to the url.\n url = \"https://{}.canary.tools/api/v1/incident/delete?auth_token={}&incident={}\".format(domain,api_key,incident_id)\n \n #Set the method of Get to the console\n method = \"DELETE\"\n \n \n \n #Try the first connection to see if it works.\n response = helper.send_http_request(url, method, parameters=None,payload=canary_data, headers=headers, cookies=None, verify=True, cert=None, timeout=None, use_proxy=use_proxy)\n \n try:\n response \n except Exception as e:\n helper.log_error(\"Error occured with canary.tools Acknowledging an incident. 
Error Message: {}\".format(e))\n sys.exit()\n \n if response.status_code == 200:\n #Successfull Connection\n helper.log_info(\"Successfully deleted incident\")\n \n data = response.json()\n data['api_call'] = 'Incident Acknowledged'\n data['_time'] = current_time\n json_data = json.dumps(data)\n \n helper.addevent(json_data, sourcetype=\"canarytools:ar\")\n \n helper.writeevents(source=\"canary_toolsapi\", index=index_name, host=\"adaptive_response\")\n \n else:\n data = response.json()\n data['api_call'] = 'Incident Deleted'\n data['_time'] = current_time\n json_data = json.dumps(data)\n helper.addevent(json_data, sourcetype=\"canarytools:ar\")\n helper.writeevents(source=\"canary_toolsapi\", index=index_name, host=\"adaptive_response\")\n helper.log_error(\"Error with deleting incident.\") \n\n # TODO: Implement your alert action logic here\n return 0\n", "largeIcon": "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", "uuid": "2edea305e3c94915b4b849b593dab1e2", "label": "Delete an incident", "short_name": "canary_delete_an_incident", "smallIcon": "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", "active_response": {"technology": [{"vendor": "Thinkst", "version": ["1.0.0"], "product": "Canary API"}], "subject": ["endpoint"], "category": ["Incident Workflow"], "task": ["Delete"], "supports_adhoc": true}}, {"uuid": "44fde63ca95d47d18150cdb3c2daf8b4", "parameters": [{"format_type": "text", "value": "incident:sshlogin:bbbbd2b8f63ad0181e83977f:192.168.1.107:1521681176", "type": "", "name": "incident_id", "help_string": "id field in incident data.", "label": "Incident ID", "default_value": "", "required": true}, {"format_type": "text", "value": "main", "type": "", "name": "index_name", "help_string": "Index to output results of actions to.", "label": "Index Name", "default_value": "main", "required": true}], "code": "\n# encoding = utf-8\n\ndef process_event(helper, *args, **kwargs):\n \"\"\"\n # IMPORTANT\n # Do not remove the anchor macro:start and 
macro:end lines.\n # These lines are used to generate sample code. If they are\n # removed, the sample code will not be updated when configurations\n # are updated.\n\n [sample_code_macro:start]\n\n # The following example sends rest requests to some endpoint\n # response is a response object in python requests library\n response = helper.send_http_request(\"http://www.splunk.com\", \"GET\", parameters=None,\n payload=None, headers=None, cookies=None, verify=True, cert=None, timeout=None, use_proxy=True)\n # get the response headers\n r_headers = response.headers\n # get the response body as text\n r_text = response.text\n # get response body as json. If the body text is not a json string, raise a ValueError\n r_json = response.json()\n # get response cookies\n r_cookies = response.cookies\n # get redirect history\n historical_responses = response.history\n # get response status code\n r_status = response.status_code\n # check the response status, if the status is not sucessful, raise requests.HTTPError\n response.raise_for_status()\n\n\n # The following example gets the setup parameters and prints them to the log\n canary_domain = helper.get_global_setting(\"canary_domain\")\n helper.log_info(\"canary_domain={}\".format(canary_domain))\n api_key = helper.get_global_setting(\"api_key\")\n helper.log_info(\"api_key={}\".format(api_key))\n\n # The following example gets and sets the log level\n helper.set_log_level(helper.log_level)\n\n # The following example gets the alert action parameters and prints them to the log\n incident_id = helper.get_param(\"incident_id\")\n helper.log_info(\"incident_id={}\".format(incident_id))\n\n index_name = helper.get_param(\"index_name\")\n helper.log_info(\"index_name={}\".format(index_name))\n\n\n # The following example adds two sample events (\"hello\", \"world\")\n # and writes them to Splunk\n # NOTE: Call helper.writeevents() only once after all events\n # have been added\n helper.addevent(\"hello\", 
sourcetype=\"sample_sourcetype\")\n helper.addevent(\"world\", sourcetype=\"sample_sourcetype\")\n helper.writeevents(index=\"summary\", host=\"localhost\", source=\"localhost\")\n\n # The following example gets the events that trigger the alert\n events = helper.get_events()\n for event in events:\n helper.log_info(\"event={}\".format(event))\n\n # helper.settings is a dict that includes environment configuration\n # Example usage: helper.settings[\"server_uri\"]\n helper.log_info(\"server_uri={}\".format(helper.settings[\"server_uri\"]))\n [sample_code_macro:end]\n \"\"\"\n import json\n import time\n helper.log_info(\"Alert action canary_acknowledge_incident started.\")\n \n domain = helper.get_global_setting('canary_domain')\n api_key = helper.get_global_setting(\"api_key\")\n \n #Check to see if proxy setting is configured\n proxy = helper.get_proxy()\n \n if proxy:\n use_proxy = True\n else:\n use_proxy = False\n \n #Set a custom useragent header for Splunk API so Canary.tools can see the use of the product\n headers = {'User-Agent': 'Splunk API Call'}\n \n #Get ID of Incident\n incident_id = helper.get_param(\"incident_id\")\n \n #Get Index Name\n index_name = helper.get_param(\"index_name\")\n \n #Get current time for testing purposes. \n current_time = time.time()\n \n #Post Data\n #post_data = \"incident={}\".format(incident_id)\n post_data = \"incident={}\".format(incident_id)\n \n #Pass the domain and the api key to the url.\n url = \"https://{}.canary.tools/api/v1/incident/acknowledge?auth_token={}\".format(domain,api_key)\n \n #Set the method of Get to the console\n method = \"POST\"\n \n #Try the first connection to see if it works.\n response = helper.send_http_request(url, method, parameters=post_data,payload=None, headers=headers, cookies=None, verify=True, cert=None, timeout=None, use_proxy=use_proxy)\n \n \n try:\n response \n \n except Exception as e:\n helper.log_error(\"Error occured with canary.tools Acknowledging an incident. 
Error Message: {}, Attempted URL: {}\".format(e,url))\n sys.exit()\n \n if response.status_code == 200:\n #Successfull Connection\n helper.log_info(\"Successfully acknowledged incident\")\n \n data = response.json()\n data['api_call'] = 'Incident Acknowledged'\n data['_time'] = current_time\n json_data = json.dumps(data)\n \n helper.addevent(json_data, sourcetype=\"canarytools:ar\")\n \n helper.writeevents(source=\"canary_toolsapi\", index=index_name, host=\"adaptive_response\")\n \n else:\n data = response.json()\n data['api_call'] = 'Incident Acknowledged'\n data['_time'] = current_time\n data['url'] = url\n json_data = json.dumps(data)\n helper.addevent(json_data, sourcetype=\"canarytools:ar\")\n helper.writeevents(source=\"canary_toolsapi\", index=index_name, host=\"adaptive_response\")\n helper.log_error(\"Error occured with canary.tools Acknowledging an incident. Attempted URL: {}\".format(url))\n \n # TODO: Implement your alert action logic here\n return 0\n", "largeIcon": "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", "description": "This alert action allows you to acknowledge an incident. Note: on a non-200 response the attempted request URL, which carries the Canary API auth_token as a query parameter, is written to the alert action log and into the event stored in the chosen output index; restrict access to that index and to the add-on logs accordingly.", "label": "Acknowledge Incident", "short_name": "canary_acknowledge_incident", "smallIcon": "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", "active_response": {"technology": [{"vendor": "Thinkst", "version": ["1.0.0"], "product": "Canary API"}], "subject": ["endpoint"], "category": ["Incident Workflow"], "task": ["Acknowledge"], "supports_adhoc": true}}]}, "data_input_builder": {"datainputs": [{"sourcetype": "canary_api", "uuid": "a954a0a126ed4f95a748c8bfc099484d", "parameters": [{"possible_values": [{"label": "Enabled", "value": "enabled"}, {"label": "Disabled", "value": "disabled"}], "format_type": "dropdownlist", "value": "disabled", "help_string": "For future use. 
Not implemented.", "name": "debug_mode", "placeholder": "", "label": "Debug Mode", "type": "dropdownlist", "default_value": "disabled", "required": true}], "interval": "60", "use_external_validation": true, "type": "customized", "streaming_mode_xml": true, "customized_options": [{"name": "debug_mode", "value": "disabled"}], "description": "This collection script is used to collect data from the Canary API for any recent events where the last updated time has been modified. This includes incidents, devices and tokens.", "sample_count": 0, "code": "\n# encoding = utf-8\n\nimport sys\nimport time\nimport json\n'''\n IMPORTANT\n Edit only the validate_input and collect_events functions.\n Do not edit any other part in this file.\n This file is generated only once when creating the modular input.\n'''\n'''\n# For advanced users, if you want to create single instance mod input, uncomment this method.\ndef use_single_instance_mode():\n return True\n'''\n\ndef validate_input(helper, definition):\n \"\"\"Implement your own validation logic to validate the input stanza configurations\"\"\"\n pass\n\ndef collect_events(helper, ew):\n domain = helper.get_global_setting('canary_domain')\n api_key = helper.get_global_setting(\"api_key\")\n incident_limit = 20\n\n #Check to see if proxy setting is configured\n proxy = helper.get_proxy()\n\n if proxy:\n use_proxy = True\n else:\n use_proxy = False\n\n #Set a custom useragent header for Splunk API so Canary.tools can measure the use of the product\n headers = {'User-Agent': 'Splunk API Call'}\n\n #Pass the domain and the api key to the url.\n url = \"https://{}.canary.tools/api/v1/ping?auth_token={}\".format(domain,api_key)\n\n #Set the method of Get to the console\n method = \"GET\"\n #Try the first connection to see if it works.\n response = helper.send_http_request(url, method,headers=headers, verify=True, timeout=60, use_proxy=use_proxy)\n\n try:\n response\n except Exception as e:\n helper.log_error(\"Error occured with 
canary.tools API call. Error Message: {}\".format(e))\n sys.exit()\n\n if response.status_code == 200:\n #Successfull Connection\n helper.log_info(\"Successfully connected to Canary.tools API\")\n\n #Get current time for testing purposes.\n current_time = time.time()\n\n #Collect All incidents from Canary Tools\n url_allIncidents = \"https://{}.canary.tools/api/v1/incidents/all?auth_token={}&tz=UTC&limit={}\".format(domain,api_key,incident_limit)\n helper.log_info(\"Checking last_seen_time\")\n if helper.get_check_point('last_seen_time'):\n url_allIncidents += '&newer_than={}'.format(time.strftime(\"%Y-%m-%d-%H:%M:%S\", time.gmtime(helper.get_check_point('last_seen_time'))))\n helper.log_info(\"last_seen_time URL is {}\".format(url_allIncidents))\n url_cursorIncidents = \"https://{}.canary.tools/api/v1/incidents/all?auth_token={}&tz=UTC&cursor=\".format(domain,api_key)\n\n #Collect All Registered Devices from Canary Tools\n url_regDevices = \"https://{}.canary.tools/api/v1/devices/all?auth_token={}&tz=UTC\".format(domain,api_key)\n\n #Collect All Canary Tokens from Canary Tools\n url_canarytokens_fetch = \"https://{}.canary.tools/api/v1/canarytokens/fetch?auth_token={}\".format(domain,api_key)\n\n #Issue a new response to the Registered DevicesAPI\n response_regDevices = helper.send_http_request(url_regDevices, method,headers=headers, verify=True, timeout=60, use_proxy=use_proxy)\n\n #Issue a new response to the Canary Tokens API\n response_canarytokens_fetch = helper.send_http_request(url_canarytokens_fetch, method,headers=headers, verify=True, timeout=60, use_proxy=use_proxy)\n\n #Try to connect to the url for registered devices\n try:\n response_regDevices\n #Throw an exception if it fails\n except Exception as e:\n helper.log_error(\"Error occured with canary.tools API call to retrieve all registered devices. 
Error Message: {}\".format(e))\n sys.exit()\n #Try to connect to the url for canary tokens\n try:\n response_canarytokens_fetch\n #Throw an exception if it fails\n except Exception as e:\n helper.log_error(\"Error occured with canary.tools API call to retrieve all canary tokens. Error Message: {}\".format(e))\n sys.exit()\n #Issue a new response to the All Incidents API\n response_allIncidents = helper.send_http_request(url_allIncidents, method,headers=headers, verify=True, timeout=60, use_proxy=use_proxy)\n\n #Try to connect to the url for All Incidents\n try:\n response_allIncidents\n #Throw an exception if it fails\n except Exception as e:\n helper.log_error(\"Error occured with canary.tools API call to retrieve all Incidents. Error Message: {}\".format(e))\n sys.exit()\n #Set the most recent timestamp to the current time.\n most_recent_timestamp = current_time\n \n \n while response_allIncidents.status_code == 200:\n #If we receive a 200 response from the all incidents API\n #Output the results to json\n data = response_allIncidents.json()\n\n if len(data['incidents']) >0:\n for a in data['incidents']:\n #Add current time of server to timestamp\n a['_time'] = current_time\n #Convert data to a string\n data_dump = json.dumps(a)\n #Write the event to the destination index\n event = helper.new_event(data_dump, source=helper.get_input_type(), index=helper.get_output_index(),sourcetype=\"canarytools:incidents\")\n ew.write_event(event)\n try:\n created_timestamp = long(a['description']['created'])\n if created_timestamp > most_recent_timestamp:\n most_recent_timestamp = created_timestamp\n except (KeyError, ValueError) as e:\n helper.log_error(\"Error updating timestamp {}\".format(e))\n\n else:\n #If no incidents have been logged\n #Add current time of server to timestamp\n helper.log_info(\"No incidents have been logged. 
Successful connection to canaryapi\")\n \n if not data['cursor']['next']:\n break\n\n response_allIncidents = helper.send_http_request(url_cursorIncidents+data['cursor']['next'], method,headers=headers, verify=True, timeout=60, use_proxy=use_proxy)\n #If the resposne code from querying the Incidents is not 200\n else:\n helper.log_error(\"Error occured with canary.tools API call. Error Message: {}\".format(response_allIncidents.json()))\n\n if most_recent_timestamp:\n helper.save_check_point('last_seen_time', most_recent_timestamp)\n helper.log_debug(\"Setting last_seen_time checkpoint to {}\".format(most_recent_timestamp))\n\n #If we receive a 200 response from the registered devices API\n if response_regDevices.status_code == 200:\n #Output the results to json\n data = response_regDevices.json()\n if len(data['devices']) >0:\n for a in data['devices']:\n #Only create a device event for new or changed devices\n check_point_key = 'device:'+a['id']\n saved_data = helper.get_check_point(check_point_key)\n if not saved_data:\n saved_data = {}\n\n monitor_fields = ['name', 'description', 'ip_address', 'live', 'version']\n fields_changed = False\n for field in monitor_fields:\n if a.get(field, None) != saved_data.get(field, None):\n fields_changed = True\n break\n if not fields_changed:\n continue\n helper.save_check_point(check_point_key, a)\n\n\n #Add current time of server to timestamp\n a['_time'] = current_time\n #Convert data to a string\n data_dump = json.dumps(a)\n #Write the event to the destination index\n event = helper.new_event(data_dump, source=helper.get_input_type(), index=helper.get_output_index(),sourcetype=\"canarytools:devices\")\n ew.write_event(event)\n else:\n #If no devices have been registered\n #Add current time of server to timestamp\n helper.log_info(\"No devices have been registered. 
Successful connection to canaryapi\")\n \n #If the resposne code from querying the Registered devices is not 200\n else:\n helper.log_error(\"Error occured with canary.tools API call. Error Message: {}\".format(response_regDevices.json()))\n\n #If we receive a 200 response from the canary tokens API\n if response_canarytokens_fetch.status_code == 200:\n #Output the results to json\n data = response_canarytokens_fetch.json()\n \n if len(data['tokens']) >0:\n for a in data['tokens']:\n #Only create a token event for new or changed tokens\n check_point_key = 'token:'+a['node_id']\n saved_data = helper.get_check_point(check_point_key)\n if not saved_data:\n saved_data = {}\n\n monitor_fields = ['memo','enabled']\n fields_changed = False\n for field in monitor_fields:\n if a.get(field, None) != saved_data.get(field, None):\n fields_changed = True\n break\n if not fields_changed:\n continue\n helper.save_check_point(check_point_key, a)\n\n\n #Add current time of server to timestamp\n a['_time'] = current_time\n #Convert data to a string\n data_dump = json.dumps(a)\n #Write the event to the destination index\n event = helper.new_event(data_dump, source=helper.get_input_type(), index=helper.get_output_index(),sourcetype=\"canarytools:tokens\")\n ew.write_event(event)\n else:\n #If no tokens have been registered\n #Add current time of server to timestamp\n helper.log_info(\"No tokens have been regiestered. Successful connection to canaryapi\")\n \n \n else:\n helper.log_error(\"Error occured with canary.tools API call. Error Message: {}\".format(response_canarytokens_fetch.json()))\n \n \n else:\n helper.log_error(\"Error occured with canary.tools API call. 
Error Message: {}\".format(response.json()))\n \n \"\"\"Implement your data collection logic here\n # The following examples get the arguments of this input.\n # Note, for single instance mod input, args will be returned as a dict.\n # For multi instance mod input, args will be returned as a single value.\n opt_domain = helper.get_arg('domain')\n # In single instance mode, to get arguments of a particular input, use\n opt_domain = helper.get_arg('domain', stanza_name)\n # get input type\n helper.get_input_type()\n # The following examples get input stanzas.\n # get all detailed input stanzas\n helper.get_input_stanza()\n # get specific input stanza with stanza name\n helper.get_input_stanza(stanza_name)\n # get all stanza names\n helper.get_input_stanza_names()\n # The following examples get options from setup page configuration.\n # get the loglevel from the setup page\n loglevel = helper.get_log_level()\n # get proxy setting configuration\n proxy_settings = helper.get_proxy()\n # get account credentials as dictionary\n account = helper.get_user_credential_by_username(\"username\")\n account = helper.get_user_credential_by_id(\"account id\")\n # get global variable configuration\n global_api_key = helper.get_global_setting(\"api_key\")\n # The following examples show usage of logging related helper functions.\n # write to the log for this modular input using configured global log level or INFO as default\n helper.log(\"log message\")\n # write to the log using specified log level\n helper.log_debug(\"log message\")\n helper.log_info(\"log message\")\n helper.log_warning(\"log message\")\n helper.log_error(\"log message\")\n helper.log_critical(\"log message\")\n # set the log level for this modular input\n # (log_level can be \"debug\", \"info\", \"warning\", \"error\" or \"critical\", case insensitive)\n helper.set_log_level(log_level)\n # The following examples send rest requests to some endpoint.\n response = helper.send_http_request(url, method, 
parameters=None, payload=None,\n headers=None, cookies=None, verify=True, cert=None,\n timeout=None, use_proxy=True)\n # get the response headers\n r_headers = response.headers\n # get the response body as text\n r_text = response.text\n # get response body as json. If the body text is not a json string, raise a ValueError\n r_json = response.json()\n # get response cookies\n r_cookies = response.cookies\n # get redirect history\n historical_responses = response.history\n # get response status code\n r_status = response.status_code\n # check the response status, if the status is not sucessful, raise requests.HTTPError\n response.raise_for_status()\n # The following examples show usage of check pointing related helper functions.\n # save checkpoint\n helper.save_check_point(key, state)\n # delete checkpoint\n helper.delete_check_point(key)\n # get checkpoint\n state = helper.get_check_point(key)\n # To create a splunk event\n helper.new_event(data, time=None, host=None, index=None, source=None, sourcetype=None, done=True, unbroken=True)\n \"\"\"\n\n '''\n # The following example writes a random number as an event. (Multi Instance Mode)\n # Use this code template by default.\n import random\n data = str(random.randint(0,100))\n event = helper.new_event(source=helper.get_input_type(), index=helper.get_output_index(), sourcetype=helper.get_sourcetype(), data=data)\n ew.write_event(event)\n '''\n\n '''\n # The following example writes a random number as an event for each input config. 
(Single Instance Mode)\n # For advanced users, if you want to create single instance mod input, please use this code template.\n # Also, you need to uncomment use_single_instance_mode() above.\n import random\n input_type = helper.get_input_type()\n for stanza_name in helper.get_input_stanza_names():\n data = str(random.randint(0,100))\n event = helper.new_event(source=input_type, index=helper.get_output_index(stanza_name), sourcetype=helper.get_sourcetype(stanza_name), data=data)\n ew.write_event(event)\n '''", "name": "canary_api", "data_inputs_options": [{"possible_values": [{"label": "Enabled", "value": "enabled"}, {"label": "Disabled", "value": "disabled"}], "name": "debug_mode", "format_type": "dropdownlist", "required_on_edit": false, "required_on_create": true, "description": "For future use. Not implemented.", "placeholder": "", "title": "Debug Mode", "type": "customized_var", "default_value": "disabled"}], "title": "Canary API", "index": "default"}, {"sourcetype": "canary_daily_poll", "streaming_mode_xml": true, "interval": "86400", "use_external_validation": true, "type": "customized", "parameters": [{"possible_values": [{"label": "True", "value": "true"}, {"label": "False", "value": "false"}], "format_type": "dropdownlist", "value": "false", "help_string": "Reserved for future use.", "name": "debug_mode", "placeholder": "", "label": "Debug Mode", "type": "dropdownlist", "default_value": "false", "required": false}], "customized_options": [{"name": "debug_mode", "value": "false"}], "name": "canary_daily_poll", "sample_count": 0, "code": "\n# encoding = utf-8\n\nimport sys\nimport time\nimport json\n'''\n IMPORTANT\n Edit only the validate_input and collect_events functions.\n Do not edit any other part in this file.\n This file is generated only once when creating the modular input.\n'''\n'''\n# For advanced users, if you want to create single instance mod input, uncomment this method.\ndef use_single_instance_mode():\n return True\n'''\n\ndef 
validate_input(helper, definition):\n \"\"\"Implement your own validation logic to validate the input stanza configurations\"\"\"\n pass\n\ndef collect_events(helper, ew):\n domain = helper.get_global_setting('canary_domain')\n api_key = helper.get_global_setting(\"api_key\")\n incident_limit = 20\n\n #Check to see if proxy setting is configured\n proxy = helper.get_proxy()\n\n if proxy:\n use_proxy = True\n else:\n use_proxy = False\n\n #Set a custom useragent header for Splunk API so Canary.tools can measure the use of the product\n headers = {'User-Agent': 'Splunk API Call'}\n\n #Pass the domain and the api key to the url.\n url = \"https://{}.canary.tools/api/v1/ping?auth_token={}\".format(domain,api_key)\n\n #Set the method of Get to the console\n method = \"GET\"\n #Try the first connection to see if it works.\n response = helper.send_http_request(url, method,headers=headers, verify=True, timeout=60, use_proxy=use_proxy)\n\n try:\n response\n except Exception as e:\n helper.log_error(\"Error occured with canary.tools Device poll API call. 
Error Message: {}\".format(e))\n sys.exit()\n\n if response.status_code == 200:\n #Successfull Connection\n helper.log_info(\"Successfully connected to Canary.tools API\")\n\n #Get current time for testing purposes.\n current_time = time.time()\n \n #Collect All unacknowledged incidents from Canary Tools\n url_unacknowledgedIncidents = \"https://{}.canary.tools/api/v1/incidents/unacknowledged?auth_token={}&tz=UTC&limit={}\".format(domain,api_key,incident_limit)\n\n url_cursorIncidents = \"https://{}.canary.tools/api/v1/incidents/unacknowledged?auth_token={}&tz=UTC&cursor=\".format(domain,api_key)\n \n #Collect All Registered Devices from Canary Tools\n url_regDevices = \"https://{}.canary.tools/api/v1/devices/all?auth_token={}&tz=UTC\".format(domain,api_key)\n\n #Collect All Canary Tokens from Canary Tools\n url_canarytokens_fetch = \"https://{}.canary.tools/api/v1/canarytokens/fetch?auth_token={}\".format(domain,api_key)\n\n #Issue a new response to the Registered DevicesAPI\n response_regDevices = helper.send_http_request(url_regDevices, method,headers=headers, verify=True, timeout=60, use_proxy=use_proxy)\n\n #Issue a new response to the Canary Tokens API\n response_canarytokens_fetch = helper.send_http_request(url_canarytokens_fetch, method,headers=headers, verify=True, timeout=60, use_proxy=use_proxy)\n\n #Issue a new response to the All Incidents API\n response_unacknowledgedIncidents = helper.send_http_request(url_unacknowledgedIncidents, method,headers=headers, verify=True, timeout=60, use_proxy=use_proxy)\n\n #Try to connect to the url for All Incidents\n try:\n response_unacknowledgedIncidents\n #Throw an exception if it fails\n except Exception as e:\n helper.log_error(\"Error occured with canary.tools API call to retrieve all unacknowledged Incidents. 
Error Message: {}\".format(e))\n sys.exit()\n #Set the most recent timestamp to the current time.\n most_recent_timestamp = current_time\n\n #Try to connect to the url for registered devices\n try:\n response_regDevices\n #Throw an exception if it fails\n except Exception as e:\n helper.log_error(\"Error occured with canary.tools API call to retrieve all registered devices. Error Message: {}\".format(e))\n sys.exit()\n #Try to connect to the url for canary tokens\n try:\n response_canarytokens_fetch\n #Throw an exception if it fails\n except Exception as e:\n helper.log_error(\"Error occured with canary.tools API call to retrieve all canary tokens. Error Message: {}\".format(e))\n sys.exit()\n\n #If we receive a 200 response from the registered devices API\n if response_regDevices.status_code == 200:\n #Output the results to json\n data = response_regDevices.json()\n if len(data['devices']) >0:\n for a in data['devices']:\n #Add current time of server to timestamp\n a['_time'] = current_time\n #Convert data to a string\n data_dump = json.dumps(a)\n #Write the event to the destination index\n event = helper.new_event(data_dump, source=helper.get_input_type(), index=helper.get_output_index(),sourcetype=\"canarytools:devices\")\n ew.write_event(event)\n else:\n #If no devices have been registered\n helper.log_info(\"No devices have been registered. Successful connection to canaryapi\")\n \n #If the resposne code from querying the Registered devices is not 200\n else:\n helper.log_error(\"Error occured with canary.tools API call. 
Error Message: {}\".format(response_regDevices.json()))\n\n #If we receive a 200 response from the canary tokens API\n if response_canarytokens_fetch.status_code == 200:\n #Output the results to json\n data = response_canarytokens_fetch.json()\n \n if len(data['tokens']) >0:\n for a in data['tokens']:\n #Add current time of server to timestamp\n a['_time'] = current_time\n #Convert data to a string\n data_dump = json.dumps(a)\n #Write the event to the destination index\n event = helper.new_event(data_dump, source=helper.get_input_type(), index=helper.get_output_index(),sourcetype=\"canarytools:tokens\")\n ew.write_event(event)\n else:\n #If no tokens have been registered\n helper.log_info(\"No tokens have been regiestered. Successful connection to canaryapi\")\n \n \n else:\n helper.log_error(\"Error occured with canary.tools API call. Error Message: {}\".format(response_canarytokens_fetch.json()))\n \n while response_unacknowledgedIncidents.status_code == 200:\n #If we receive a 200 response from the all incidents API\n #Output the results to json\n data = response_unacknowledgedIncidents.json()\n\n if len(data['incidents']) >0:\n for a in data['incidents']:\n #Add current time of server to timestamp\n a['_time'] = current_time\n #Convert data to a string\n data_dump = json.dumps(a)\n #Write the event to the destination index\n event = helper.new_event(data_dump, source=helper.get_input_type(), index=helper.get_output_index(),sourcetype=\"canarytools:incidents\")\n ew.write_event(event)\n try:\n created_timestamp = long(a['description']['created'])\n if created_timestamp > most_recent_timestamp:\n most_recent_timestamp = created_timestamp\n except (KeyError, ValueError) as e:\n helper.log_error(\"Error updating timestamp {}\".format(e))\n\n else:\n #If no incidents have been logged\n helper.log_info(\"No incidents have been logged. 
Successful connection to canaryapi\")\n \n if not data['cursor']['next']:\n break\n\n response_unacknowledgedIncidents = helper.send_http_request(url_cursorIncidents+data['cursor']['next'], method,headers=headers, verify=True, timeout=60, use_proxy=use_proxy)\n #If the response code from querying the Incidents is not 200\n else:\n helper.log_error(\"Error occured with canary.tools API call. Error Message: {}\".format(response_unacknowledgedIncidents.json()))\n \n else:\n helper.log_error(\"Error occured with canary.tools device API call. Error Message: {}\".format(response.json()))\n \n \"\"\"Implement your data collection logic here\n # The following examples get the arguments of this input.\n # Note, for single instance mod input, args will be returned as a dict.\n # For multi instance mod input, args will be returned as a single value.\n opt_domain = helper.get_arg('domain')\n # In single instance mode, to get arguments of a particular input, use\n opt_domain = helper.get_arg('domain', stanza_name)\n # get input type\n helper.get_input_type()\n # The following examples get input stanzas.\n # get all detailed input stanzas\n helper.get_input_stanza()\n # get specific input stanza with stanza name\n helper.get_input_stanza(stanza_name)\n # get all stanza names\n helper.get_input_stanza_names()\n # The following examples get options from setup page configuration.\n # get the loglevel from the setup page\n loglevel = helper.get_log_level()\n # get proxy setting configuration\n proxy_settings = helper.get_proxy()\n # get account credentials as dictionary\n account = helper.get_user_credential_by_username(\"username\")\n account = helper.get_user_credential_by_id(\"account id\")\n # get global variable configuration\n global_api_key = helper.get_global_setting(\"api_key\")\n # The following examples show usage of logging related helper functions.\n # write to the log for this modular input using configured global log level or INFO as default\n helper.log(\"log 
message\")\n # write to the log using specified log level\n helper.log_debug(\"log message\")\n helper.log_info(\"log message\")\n helper.log_warning(\"log message\")\n helper.log_error(\"log message\")\n helper.log_critical(\"log message\")\n # set the log level for this modular input\n # (log_level can be \"debug\", \"info\", \"warning\", \"error\" or \"critical\", case insensitive)\n helper.set_log_level(log_level)\n # The following examples send rest requests to some endpoint.\n response = helper.send_http_request(url, method, parameters=None, payload=None,\n headers=None, cookies=None, verify=True, cert=None,\n timeout=None, use_proxy=True)\n # get the response headers\n r_headers = response.headers\n # get the response body as text\n r_text = response.text\n # get response body as json. If the body text is not a json string, raise a ValueError\n r_json = response.json()\n # get response cookies\n r_cookies = response.cookies\n # get redirect history\n historical_responses = response.history\n # get response status code\n r_status = response.status_code\n # check the response status, if the status is not sucessful, raise requests.HTTPError\n response.raise_for_status()\n # The following examples show usage of check pointing related helper functions.\n # save checkpoint\n helper.save_check_point(key, state)\n # delete checkpoint\n helper.delete_check_point(key)\n # get checkpoint\n state = helper.get_check_point(key)\n # To create a splunk event\n helper.new_event(data, time=None, host=None, index=None, source=None, sourcetype=None, done=True, unbroken=True)\n \"\"\"\n\n '''\n # The following example writes a random number as an event. 
(Multi Instance Mode)\n # Use this code template by default.\n import random\n data = str(random.randint(0,100))\n event = helper.new_event(source=helper.get_input_type(), index=helper.get_output_index(), sourcetype=helper.get_sourcetype(), data=data)\n ew.write_event(event)\n '''\n\n '''\n # The following example writes a random number as an event for each input config. (Single Instance Mode)\n # For advanced users, if you want to create single instance mod input, please use this code template.\n # Also, you need to uncomment use_single_instance_mode() above.\n import random\n input_type = helper.get_input_type()\n for stanza_name in helper.get_input_stanza_names():\n data = str(random.randint(0,100))\n event = helper.new_event(source=input_type, index=helper.get_output_index(stanza_name), sourcetype=helper.get_sourcetype(stanza_name), data=data)\n ew.write_event(event)\n '''", "uuid": "b4478b0f55a04b2f9977ed2999773623", "data_inputs_options": [{"possible_values": [{"label": "True", "value": "true"}, {"label": "False", "value": "false"}], "name": "debug_mode", "format_type": "dropdownlist", "required_on_edit": false, "required_on_create": false, "description": "Reserved for future use.", "placeholder": "", "title": "Debug Mode", "type": "customized_var", "default_value": "false"}], "description": "This collection script is used to collect canary devices, canary tokens and unacknowledged incidents once a day.", "index": "default", "title": "Canary Daily Poll"}]}, "global_settings_builder": {"global_settings": {"proxy_settings": {"proxy_type": "http"}, "customized_settings": [{"format_type": "text", "value": "baa8e916", "placeholder": "", "help_string": "The hostname of your Canary Console. 
If your Canary Console is at https://bae818968.canary.tools, then this field must contain just 'bae818968.canary.tools'.", "name": "canary_domain", "type": "text", "label": "Canary Domain", "default_value": "", "required": true}, {"format_type": "text", "value": "4595ab133515be6c606dcd221f6e2e0a", "placeholder": "", "help_string": "API Key found on the Settings page of your Canary Console.", "name": "api_key", "type": "text", "label": "API Key", "default_value": "", "required": true}], "log_settings": {"log_level": "DEBUG"}}}, "field_extraction_builder": {"canarytools:incidents": {"data_format": "json"}, "canarytools:tokens": {"data_format": "json"}, "canarytools_tokens": {"data_format": "json"}, "canarytools_incidents": {"data_format": "json"}, "canarytools:devices": {"data_format": "json"}, "canarytools_devices": {"data_format": "json"}}, "validation": {"validators": ["best_practice_validation", "data_model_mapping_validation", "field_extract_validation", "app_cert_validation"], "validation_id": "v_1520841837_72", "progress": 1.0, "status": "job_finished"}}