-
Notifications
You must be signed in to change notification settings - Fork 4
/
qradar.go
352 lines (309 loc) · 9.96 KB
/
qradar.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
// Package qradar provides an API client for the QRadar API.
// See examples of the usage in the examples folder.
package qradar
import (
"bytes"
"context"
"encoding/json"
"fmt"
"io"
"io/ioutil"
"net/http"
"net/url"
"strings"
)
const (
libraryVersion = "1.3.3"
defaultAPIVersion = "12.0"
userAgent = "go-qradar/" + libraryVersion
// ErrUnauthorized assigned on 401 http error.
ErrUnauthorized = "unathorized"
)
// JobStatus represents status of the job: search, etc.
type JobStatus string
const (
// StatusWait wait
StatusWait JobStatus = "WAIT"
// StatusExecute executing
StatusExecute JobStatus = "EXECUTE"
// StatusSorting sorting
StatusSorting JobStatus = "SORTING"
// StatusCompleted completed
StatusCompleted JobStatus = "COMPLETED"
// StatusCanceled canceled
StatusCanceled JobStatus = "CANCELED"
// StatusError errored
StatusError JobStatus = "ERROR"
)
// Client manages communication with the QRadar API.
type Client struct {
Client *http.Client
BaseURL *url.URL
UserAgent string
SECKey string
APIv string
common service
Ariel *ArielService
BuildingBlock *BuildingBlockService
BuildingBlockWithData *BuildingBlockWithDataService
EventCollector *EventCollectorService
Offense *OffenseService
OffenseType *OffenseTypeService
Domain *DomainService
DSM *DSMService
QID *QIDService
LowLevelCategory *LowLevelCategoryService
HighLevelCategory *HighLevelCategoryService
RegexProperty *RegexPropertyService
Tenant *TenantService
Rule *RuleService
RuleWithData *RuleWithDataService
RuleGroup *RuleGroupService
NetworkHierarchy *NetworkHierarchyService
PropertyExpression *PropertyExpressionService
PropertyJSONExpression *PropertyJSONExpressionService
PropertyLEEFExpression *PropertyLEEFExpressionService
PropertyCEFExpression *PropertyCEFExpressionService
ProperetyNVPExpression *PropertyNVPExpressionService
PropertyGenericListExpression *PropertyGenericListExpressionService
PropertyXMLExpression *PropertyXMLExpressionService
LogSourceExtension *LogSourceExtensionService
LogSourceType *LogSourceTypeService
LogSourceGroup *LogSourceGroupService
LogSource *LogSourceService
ReferenceMapOfSets *ReferenceMapOfSetsService
ReferenceMap *ReferenceMapService
ReferenceSet *ReferenceSetService
ReferenceTable *ReferenceTableService
}
type service struct {
client *Client
}
// NewClient returns a new QRadar API client.
func NewClient(baseurl string, opts ...func(*Client) error) (*Client, error) {
u, err := url.Parse(baseurl)
if err != nil {
return nil, err
}
c := &Client{
Client: http.DefaultClient,
UserAgent: userAgent,
BaseURL: u,
APIv: defaultAPIVersion,
}
c.common.client = c
c.Ariel = (*ArielService)(&c.common)
c.BuildingBlock = (*BuildingBlockService)(&c.common)
c.BuildingBlockWithData = (*BuildingBlockWithDataService)(&c.common)
c.EventCollector = (*EventCollectorService)(&c.common)
c.Offense = (*OffenseService)(&c.common)
c.OffenseType = (*OffenseTypeService)(&c.common)
c.Domain = (*DomainService)(&c.common)
c.DSM = (*DSMService)(&c.common)
c.QID = (*QIDService)(&c.common)
c.RegexProperty = (*RegexPropertyService)(&c.common)
c.Rule = (*RuleService)(&c.common)
c.RuleWithData = (*RuleWithDataService)(&c.common)
c.RuleGroup = (*RuleGroupService)(&c.common)
c.PropertyExpression = (*PropertyExpressionService)(&c.common)
c.PropertyJSONExpression = (*PropertyJSONExpressionService)(&c.common)
c.PropertyGenericListExpression = (*PropertyGenericListExpressionService)(&c.common)
c.PropertyLEEFExpression = (*PropertyLEEFExpressionService)(&c.common)
c.PropertyCEFExpression = (*PropertyCEFExpressionService)(&c.common)
c.ProperetyNVPExpression = (*PropertyNVPExpressionService)(&c.common)
c.PropertyXMLExpression = (*PropertyXMLExpressionService)(&c.common)
c.LogSourceExtension = (*LogSourceExtensionService)(&c.common)
c.LogSourceType = (*LogSourceTypeService)(&c.common)
c.LogSourceGroup = (*LogSourceGroupService)(&c.common)
c.LogSource = (*LogSourceService)(&c.common)
c.LowLevelCategory = (*LowLevelCategoryService)(&c.common)
c.HighLevelCategory = (*HighLevelCategoryService)(&c.common)
c.Tenant = (*TenantService)(&c.common)
c.ReferenceMapOfSets = (*ReferenceMapOfSetsService)(&c.common)
c.ReferenceMap = (*ReferenceMapService)(&c.common)
c.ReferenceSet = (*ReferenceSetService)(&c.common)
c.ReferenceTable = (*ReferenceTableService)(&c.common)
c.NetworkHierarchy = (*NetworkHierarchyService)(&c.common)
for _, f := range opts {
err := f(c)
if err != nil {
return c, err
}
}
return c, nil
}
// SetHTTPClient sets an HTTP client.
func SetHTTPClient(httpClient *http.Client) func(*Client) error {
return func(c *Client) error {
c.Client = httpClient
return nil
}
}
// SetSECKey sets a key to auth on the QRadar API
func SetSECKey(key string) func(*Client) error {
return func(c *Client) error {
c.SECKey = key
return nil
}
}
// SetAPIversion sets a version of QRadar API
func SetAPIversion(api string) func(*Client) error {
return func(c *Client) error {
c.APIv = api
return nil
}
}
func (c *Client) requestHelp(method, urlStr, fields, filter string, from, to int, id *int, body interface{}) (*http.Request, error) {
if id != nil {
urlStr = fmt.Sprintf("%s/%d", urlStr, *id)
}
req, err := c.NewRequest(method, urlStr, body)
if err != nil {
return nil, err
}
if from == 0 && to != 0 {
req.Header.Add("Range", fmt.Sprintf("items=%d-%d", from, to))
}
q := req.URL.Query()
if fields != "" {
q.Add("fields", fields)
}
if filter != "" {
q.Add("filter", filter)
}
req.URL.RawQuery = q.Encode()
return req, nil
}
// NewRequest constructs and new request to send.
func (c *Client) NewRequest(method, urlStr string, body interface{}) (*http.Request, error) {
if !strings.HasSuffix(c.BaseURL.Path, "/") {
return nil, fmt.Errorf("BaseURL must have a trailing slash, but %q does not", c.BaseURL)
}
u, err := c.BaseURL.Parse(urlStr)
if err != nil {
return nil, err
}
var buf io.ReadWriter
if body != nil {
buf = new(bytes.Buffer)
enc := json.NewEncoder(buf)
enc.SetEscapeHTML(false)
err := enc.Encode(body)
if err != nil {
return nil, err
}
// QRadar reference_data API errors if json has a trailing new line
if strings.HasPrefix(urlStr, "api/reference_data") && strings.Contains(urlStr, "/bulk_load/") {
bs, err := ioutil.ReadAll(buf)
if err != nil {
return nil, err
}
buf = bytes.NewBuffer(bs[:len(bs)-1])
}
}
req, err := http.NewRequest(method, u.String(), buf)
if err != nil {
return nil, err
}
req.Header.Set("Accept", "application/json")
if c.APIv == "" {
req.Header.Set("Version", defaultAPIVersion)
} else {
req.Header.Set("Version", c.APIv)
}
if buf != nil {
req.Header.Set("Content-Type", "application/json")
}
if c.SECKey != "" {
req.Header.Set("SEC", c.SECKey)
}
if c.UserAgent != "" {
req.Header.Set("User-Agent", c.UserAgent)
}
return req, nil
}
// Do sends an API request and returns the API response. The API response is
// JSON decoded and stored in the value pointed to by v, or returned as an
// error if an API error has occurred. If v implements the io.Writer
// interface, the raw response body will be written to v, without attempting to
// first decode it.
//
// The provided ctx must be non-nil. If it is canceled or times out,
// ctx.Err() will be returned.
func (c *Client) Do(ctx context.Context, req *http.Request, v interface{}) (*http.Response, error) {
req = req.WithContext(ctx)
resp, err := c.Client.Do(req)
if err != nil {
// If we got an error, and the context has been canceled,
// the context's error is probably more useful.
select {
case <-ctx.Done():
return nil, ctx.Err()
default:
}
return nil, err
}
defer resp.Body.Close()
err = CheckResponse(resp)
if err != nil {
return resp, err
}
if v != nil {
if w, ok := v.(io.Writer); ok {
io.Copy(w, resp.Body)
} else {
decErr := json.NewDecoder(resp.Body).Decode(v)
if decErr == io.EOF {
decErr = nil // ignore EOF errors caused by empty response body
}
if decErr != nil {
err = decErr
}
}
}
return resp, err
}
// CheckResponse checks the API response for errors.
func CheckResponse(r *http.Response) error {
switch r.StatusCode {
case http.StatusOK, http.StatusCreated, http.StatusAccepted, http.StatusNoContent:
return nil
case http.StatusUnauthorized:
return fmt.Errorf("%s %d: %s", r.Request.URL.Path, r.StatusCode, ErrUnauthorized)
case http.StatusNotFound, http.StatusConflict, http.StatusUnprocessableEntity, http.StatusBadRequest,
http.StatusInternalServerError, http.StatusServiceUnavailable, http.StatusForbidden:
var v ErrorMessage
err := json.NewDecoder(r.Body).Decode(&v)
if err != nil {
return fmt.Errorf("%s %d: %s", r.Request.URL.Path, r.StatusCode, err.Error())
}
v.resp = r
return &v
default:
return fmt.Errorf("%s %d: unknown error", r.Request.URL.Path, r.StatusCode)
}
}
// ErrorMessage represents generic error message by the QRadar API.
type ErrorMessage struct {
resp *http.Response
Code json.Number `json:"code,omitempty"`
Contexts []string `json:"contexts,omitempty"`
Message string `json:"message,omitempty"`
Description string `json:"description,omitempty"`
Severity string `json:"severity,omitempty"`
Details struct {
Reason string `json:"reason,omitempty"`
Code int `json:"code,omitempty"`
StartIndex int `json:"start_index,omitempty"`
LineNumber int `json:"line_number,omitempty"`
QueryString string `json:"query_string,omitempty"`
TokenText string `json:"token_text,omitempty"`
} `json:"details,omitempty"`
}
// Error satisfies the error interface.
func (e *ErrorMessage) Error() string {
return fmt.Sprintf(
"%s %d: %s [%s]",
e.resp.Request.URL.Path, e.resp.StatusCode, e.Message, string(e.Code),
)
}