Strona główna Odkrywaj Pomoc
Zaloguj się
tum
/
soc
Obserwuj 1
Polub 0
Forkuj 0
Kod Problemy 0 Oczekujące zmiany 0 Commity 8 Wydania 0 Wiki

Brak opisu

Drzewo: f14e344bb5
Gałęzie Tagi
soc
/
soc-integrator
/
app
/
adapters
/
wazuh.py

wazuh.py 4.7KB
Historia Czysty

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132 
  1. from typing import Any
    2. 

  2. 

  3. import httpx
    4. 

  4. 

  5. 

  6. class WazuhAdapter:
    7. 

  7.     def __init__(
    8. 

  8.         self,
    9. 

  9.         base_url: str,
    10. 

  10.         username: str,
    11. 

  11.         password: str,
    12. 

  12.         indexer_url: str | None = None,
    13. 

  13.         indexer_username: str | None = None,
    14. 

  14.         indexer_password: str | None = None,
    15. 

  15.     ) -> None:
    16. 

  16.         self.base_url = base_url.rstrip("/")
    17. 

  17.         self.username = username
    18. 

  18.         self.password = password
    19. 

  19.         self.indexer_url = (indexer_url or "").rstrip("/")
    20. 

  20.         self.indexer_username = indexer_username
    21. 

  21.         self.indexer_password = indexer_password
    22. 

  22. 

  23.     async def _authenticate(self, client: httpx.AsyncClient) -> str:
    24. 

  24.         auth_url = f"{self.base_url}/security/user/authenticate?raw=true"
    25. 

  25.         response = await client.post(auth_url, auth=(self.username, self.password))
    26. 

  26.         response.raise_for_status()
    27. 

  27.         token = response.text.strip()
    28. 

  28.         if not token:
    29. 

  29.             raise RuntimeError("Wazuh authentication returned an empty token.")
    30. 

  30.         return token
    31. 

  31. 

  32.     async def _get_with_bearer(
    33. 

  33.         self,
    34. 

  34.         client: httpx.AsyncClient,
    35. 

  35.         token: str,
    36. 

  36.         path: str,
    37. 

  37.         params: dict[str, Any] | None = None,
    38. 

  38.     ) -> dict[str, Any]:
    39. 

  39.         url = f"{self.base_url}{path}"
    40. 

  40.         response = await client.get(
    41. 

  41.             url,
    42. 

  42.             headers={"Authorization": f"Bearer {token}"},
    43. 

  43.             params=params,
    44. 

  44.         )
    45. 

  45.         response.raise_for_status()
    46. 

  46.         return response.json() if response.content else {"status_code": response.status_code}
    47. 

  47. 

  48.     async def auth_test(self) -> dict[str, Any]:
    49. 

  49.         async with httpx.AsyncClient(verify=False, timeout=15.0) as client:
    50. 

  50.             token = await self._authenticate(client)
    51. 

  51.             return {"authenticated": True, "token_prefix": token[:12]}
    52. 

  52. 

  53.     async def get_version(self) -> dict[str, Any]:
    54. 

  54.         async with httpx.AsyncClient(verify=False, timeout=15.0) as client:
    55. 

  55.             token = await self._authenticate(client)
    56. 

  56. 

  57.             # API root should return API metadata when authenticated.
    58. 

  58.             try:
    59. 

  59.                 return await self._get_with_bearer(client, token, "/")
    60. 

  60.             except httpx.HTTPStatusError:
    61. 

  61.                 # Fallback endpoint for environments restricting root access.
    62. 

  62.                 return await self._get_with_bearer(client, token, "/manager/info")
    63. 

  63. 

  64.     async def get_manager_info(self) -> dict[str, Any]:
    65. 

  65.         async with httpx.AsyncClient(verify=False, timeout=15.0) as client:
    66. 

  66.             token = await self._authenticate(client)
    67. 

  67.             return await self._get_with_bearer(client, token, "/manager/info")
    68. 

  68. 

  69.     async def list_agents(
    70. 

  70.         self, limit: int = 50, offset: int = 0, select: str | None = None
    71. 

  71.     ) -> dict[str, Any]:
    72. 

  72.         params: dict[str, Any] = {"limit": limit, "offset": offset}
    73. 

  73.         if select:
    74. 

  74.             params["select"] = select
    75. 

  75.         async with httpx.AsyncClient(verify=False, timeout=20.0) as client:
    76. 

  76.             token = await self._authenticate(client)
    77. 

  77.             return await self._get_with_bearer(client, token, "/agents", params=params)
    78. 

  78. 

  79.     async def list_manager_logs(
    80. 

  80.         self,
    81. 

  81.         limit: int = 50,
    82. 

  82.         offset: int = 0,
    83. 

  83.         q: str | None = None,
    84. 

  84.         sort: str | None = None,
    85. 

  85.     ) -> dict[str, Any]:
    86. 

  86.         params: dict[str, Any] = {"limit": limit, "offset": offset}
    87. 

  87.         if q:
    88. 

  88.             params["q"] = q
    89. 

  89.         if sort:
    90. 

  90.             params["sort"] = sort
    91. 

  91.         async with httpx.AsyncClient(verify=False, timeout=20.0) as client:
    92. 

  92.             token = await self._authenticate(client)
    93. 

  93.             return await self._get_with_bearer(client, token, "/manager/logs", params=params)
    94. 

  94. 

  95.     async def search_alerts(
    96. 

  96.         self,
    97. 

  97.         query: str,
    98. 

  98.         limit: int = 50,
    99. 

  99.         minutes: int = 120,
    100. 

  100.     ) -> dict[str, Any]:
    101. 

  101.         if not self.indexer_url:
    102. 

  102.             raise RuntimeError("Wazuh indexer URL is not configured.")
    103. 

  103. 

  104.         body: dict[str, Any] = {
    105. 

  105.             "size": limit,
    106. 

  106.             "sort": [{"@timestamp": {"order": "desc"}}],
    107. 

  107.             "query": {
    108. 

  108.                 "bool": {
    109. 

  109.                     "must": [{"query_string": {"query": query}}],
    110. 

  110.                     "filter": [
    111. 

  111.                         {
    112. 

  112.                             "range": {
    113. 

  113.                                 "@timestamp": {
    114. 

  114.                                     "gte": f"now-{minutes}m",
    115. 

  115.                                     "lte": "now",
    116. 

  116.                                 }
    117. 

  117.                             }
    118. 

  118.                         }
    119. 

  119.                     ],
    120. 

  120.                 }
    121. 

  121.             },
    122. 

  122.         }
    123. 

  123. 

  124.         async with httpx.AsyncClient(
    125. 

  125.             verify=False,
    126. 

  126.             timeout=20.0,
    127. 

  127.             auth=(self.indexer_username, self.indexer_password),
    128. 

  128.         ) as client:
    129. 

  129.             response = await client.post(f"{self.indexer_url}/wazuh-alerts-*/_search", json=body)
    130. 

  130.             response.raise_for_status()
    131. 

  131.             return response.json()
    132. 

  132.