paulmataruso/main
1
0
Fork 0
mirror of https://github.com/socfortress/Wazuh-Rules.git synced 2025-11-03 13:23:16 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
47e4b66215adf45702ea2c506bd4fab5e4f7fc0c
main/Trend Micro/trendmicro.py
SOCFortress a836f078a6 Update trendmicro.py
2022-08-15 11:15:53 -05:00

64 lines
2.8 KiB
Python
Raw Blame History

#!/var/ossec/framework/python/bin/python3
import sys
import time
import requests
import json
from pathlib import Path
from datetime import datetime, timedelta
#File to store the alerts
output_file = '/tmp/trendmicro.json'
#Function to append new lines to output file
def append_new_line(text_to_append):
"""Append given text as a new line at the end of file"""
# Open the file in append & read mode ('a+')
with open(output_file, "a+") as file_object:
# Move read cursor to the start of file.
file_object.seek(0)
# If file is not empty then append '\n'
data = file_object.read(100)
if len(data) > 0:
file_object.write("\n")
# Append text at the end of file
file_object.write(text_to_append)
#TRENDMICRO API Details
url_base = 'https://api.xdr.trendmicro.com'
url_path = '/v3.0/workbench/alerts'
token = 'replace with your API token'
#Pass Query Param - Start Date = An hour ago
d = datetime.today() - timedelta(hours=1, minutes=0)
startDateTime = d.strftime("%Y-%m-%dT%H:%M:%SZ")
query_params = "startDateTime="f"{startDateTime}"
headers = {'Authorization': 'Bearer ' + token}
#Initialise Output Array
alert_output = {}
#API CALL and Append Response
r = requests.get(url_base + url_path, params=query_params, headers=headers)
if 'application/json' in r.headers.get('Content-Type', '') and len(r.content):
if r.status_code == 200:
r_json = r.json()
try:
total_count = r_json["totalCount"]
except IndexError:
sys.exit()
for c in range(total_count):
entities_count = len(r_json["items"][c]["impactScope"]["entities"])
#Wait 0.2 secs before next loop (avoid flooding the queue)
time.sleep(0.2)
for e in range(entities_count):
alert_output["id"] = r_json["items"][c]["id"]
alert_output["investigationStatus"] = r_json["items"][c]["investigationStatus"]
alert_output["score"] = r_json["items"][c]["score"]
alert_output["severity"] = r_json["items"][c]["severity"]
alert_output["createdDateTime"] = r_json["items"][c]["createdDateTime"]
alert_output["updatedDateTime"] = r_json["items"][c]["updatedDateTime"]
alert_output["severity"] = r_json["items"][c]["severity"]
alert_output["description"] = r_json["items"][c]["description"]
alert_output["indicators"] = len(r_json["items"][c]["indicators"])
alert_output["entityType"] = r_json["items"][c]["impactScope"]["entities"][e]["entityType"]
alert_output["entityValue"] = r_json["items"][c]["impactScope"]["entities"][e]["entityValue"]
append_new_line(json.dumps(alert_output))
else:
sys.exit()
else:
sys.exit()
Reference in New Issue View Git Blame Copy Permalink