Feature/INTEG-950 alert polling (#51)

Co-authored-by: Alan Grgic <[email protected]>

Author: timabrmsn

CHANGELOG.md

@@ -12,6 +12,7 @@ how a consumer would use the library (e.g. adding unit tests, updating documenta
 
 ### Added
 
+- Ability to search/poll for alerts with checkpointing and sending to console, a file, or a server in json format.
 - `code42 alert-rules` commands:
     - `add-user` with parameters `--rule-id` and `--username`.
     - `remove-user` that takes a rule ID and optionally `--username`.

setup.py

@@ -21,10 +21,10 @@
     package_dir={"": "src"},
     python_requires=">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, <4",
     install_requires=[
-        "c42eventextractor==0.2.9",
+        "c42eventextractor==0.3.0b1",
         "keyring==18.0.1",
         "keyrings.alt==3.2.0",
-        "py42>=1.1.1",
+        "py42>=1.1.3",
     ],
     license="MIT",
     include_package_data=True,

src/code42cli/args.py

@@ -18,6 +18,7 @@ def __init__(self, *args, **kwargs):
             u"help": kwargs.get(u"help"),
             u"options_list": list(args),
             u"nargs": kwargs.get(u"nargs"),
+            u"metavar": kwargs.get(u"metavar"),
             u"required": kwargs.get(u"required"),
         }
 

src/code42cli/cmds/alerts/extraction.py

@@ -0,0 +1,95 @@
+from c42eventextractor.extractors import AlertExtractor
+from py42.sdk.queries.alerts.filters import (
+    Actor,
+    AlertState,
+    Severity,
+    DateObserved,
+    Description,
+    RuleName,
+    RuleId,
+    RuleType,
+)
+
+import code42cli.cmds.search_shared.enums as enums
+import code42cli.errors as errors
+from code42cli.cmds.search_shared.cursor_store import AlertCursorStore
+from code42cli.cmds.search_shared.extraction import (
+    verify_begin_date_requirements,
+    create_handlers,
+    exit_if_advanced_query_used_with_other_search_args,
+    create_time_range_filter,
+)
+from code42cli.logger import get_main_cli_logger
+
+logger = get_main_cli_logger()
+
+
+def extract(sdk, profile, output_logger, args):
+    """Extracts alerts using the given command-line arguments.
+
+        Args:
+            sdk (py42.sdk.SDKClient): The py42 sdk.
+            profile (Code42Profile): The profile under which to execute this command.
+            output_logger (Logger): The logger specified by which subcommand you use. For example,
+                print: uses a logger that streams to stdout.
+                write-to: uses a logger that logs to a file.
+                send-to: uses a logger that sends logs to a server.
+            args: Command line args used to build up alert query filters.
+    """
+    store = AlertCursorStore(profile.name) if args.incremental else None
+    handlers = create_handlers(output_logger, store, event_key=u"alerts", sdk=sdk)
+    extractor = AlertExtractor(sdk, handlers)
+    if args.advanced_query:
+        exit_if_advanced_query_used_with_other_search_args(args)
+        extractor.extract_advanced(args.advanced_query)
+    else:
+        verify_begin_date_requirements(args, store)
+        _verify_alert_state(args.state)
+        _verify_alert_severity(args.severity)
+        filters = _create_alert_filters(args)
+        extractor.extract(*filters)
+    if handlers.TOTAL_EVENTS == 0 and not errors.ERRORED:
+        logger.print_info(u"No results found\n")
+
+
+def _verify_alert_state(alert_state):
+    options = list(enums.AlertState())
+    if alert_state and alert_state not in options:
+        logger.print_and_log_error(
+            u"'{0}' is not a valid alert state, options are {1}.".format(alert_state, options)
+        )
+        exit(1)
+
+
+def _verify_alert_severity(severity):
+    if severity is None:
+        return
+    options = list(enums.AlertSeverity())
+    for s in severity:
+        if s not in options:
+            logger.print_and_log_error(
+                u"'{0}' is not a valid alert severity, options are {1}".format(s, options)
+            )
+            exit(1)
+
+
+def _create_alert_filters(args):
+    filters = []
+    alert_timestamp_filter = create_time_range_filter(DateObserved, args.begin, args.end)
+    not alert_timestamp_filter or filters.append(alert_timestamp_filter)
+    not args.actor or filters.append(Actor.is_in(args.actor))
+    not args.actor_contains or [filters.append(Actor.contains(arg)) for arg in args.actor_contains]
+    not args.exclude_actor or filters.append(Actor.not_in(args.exclude_actor))
+    not args.exclude_actor_contains or [
+        filters.append(Actor.not_contains(arg)) for arg in args.exclude_actor_contains
+    ]
+    not args.rule_name or filters.append(RuleName.is_in(args.rule_name))
+    not args.exclude_rule_name or filters.append(RuleName.not_in(args.exclude_rule_name))
+    not args.rule_id or filters.append(RuleId.is_in(args.rule_id))
+    not args.exclude_rule_id or filters.append(RuleId.not_in(args.exclude_rule_id))
+    not args.rule_type or filters.append(RuleType.is_in(args.rule_type))
+    not args.exclude_rule_type or filters.append(RuleType.not_in(args.exclude_rule_type))
+    not args.description or filters.append(Description.contains(args.description))
+    not args.severity or filters.append(Severity.is_in(args.severity))
+    not args.state or filters.append(AlertState.eq(args.state))
+    return filters

src/code42cli/cmds/alerts/main.py

@@ -0,0 +1,189 @@
+from code42cli.args import ArgConfig
+from code42cli.commands import Command
+from code42cli.cmds.alerts.extraction import extract
+from code42cli.cmds.search_shared import args, logger_factory
+from code42cli.cmds.search_shared.enums import (
+    AlertFilterArguments,
+    AlertState,
+    AlertSeverity,
+    ServerProtocol,
+    RuleType,
+)
+from code42cli.cmds.search_shared.cursor_store import AlertCursorStore
+
+
+def load_subcommands():
+    """Sets up the `alerts` subcommand with all of its subcommands."""
+    usage_prefix = u"code42 alerts"
+
+    print_func = Command(
+        u"print",
+        u"Print alerts to stdout",
+        u"{} {}".format(usage_prefix, u"print <optional-args>"),
+        handler=print_out,
+        arg_customizer=_load_search_args,
+        use_single_arg_obj=True,
+    )
+
+    write = Command(
+        u"write-to",
+        u"Write alerts to the file with the given name.",
+        u"{} {}".format(usage_prefix, u"write-to <filename> <optional-args>"),
+        handler=write_to,
+        arg_customizer=_load_write_to_args,
+        use_single_arg_obj=True,
+    )
+
+    send = Command(
+        u"send-to",
+        u"Send alerts to the given server address.",
+        u"{} {}".format(usage_prefix, u"send-to <server-address> <optional-args>"),
+        handler=send_to,
+        arg_customizer=_load_send_to_args,
+        use_single_arg_obj=True,
+    )
+
+    clear = Command(
+        u"clear-checkpoint",
+        u"Remove the saved alert checkpoint from 'incremental' (-i) mode.",
+        u"{} {}".format(usage_prefix, u"clear-checkpoint <optional-args>"),
+        handler=clear_checkpoint,
+    )
+
+    return [print_func, write, send, clear]
+
+
+def clear_checkpoint(sdk, profile):
+    """Removes the stored checkpoint that keeps track of the last alert retrieved for the given profile..
+        To use, run `code42 alerts clear-checkpoint`.
+        This affects `incremental` mode by causing it to behave like it has never been run before.
+    """
+    AlertCursorStore(profile.name).replace_stored_cursor_timestamp(None)
+
+
+def print_out(sdk, profile, args):
+    """Activates 'print' command. It gets alerts and prints them to stdout."""
+    logger = logger_factory.get_logger_for_stdout(args.format)
+    extract(sdk, profile, logger, args)
+
+
+def write_to(sdk, profile, args):
+    """Activates 'write-to' command. It gets alerts and writes them to the given file."""
+    logger = logger_factory.get_logger_for_file(args.output_file, args.format)
+    extract(sdk, profile, logger, args)
+
+
+def send_to(sdk, profile, args):
+    """Activates 'send-to' command. It getsalerts and logs them to the given server."""
+    logger = logger_factory.get_logger_for_server(args.server, args.protocol, args.format)
+    extract(sdk, profile, logger, args)
+
+
+def _load_write_to_args(arg_collection):
+    output_file = ArgConfig(u"output_file", help=u"The name of the local file to send output to.")
+    arg_collection.append(u"output_file", output_file)
+    _load_search_args(arg_collection)
+
+
+def _load_send_to_args(arg_collection):
+    send_to_args = {
+        u"server": ArgConfig(u"server", help=u"The server address to send output to."),
+        u"protocol": ArgConfig(
+            u"-p",
+            u"--protocol",
+            choices=ServerProtocol(),
+            default=ServerProtocol.UDP,
+            help=u"Protocol used to send logs to server.",
+        ),
+    }
+
+    arg_collection.extend(send_to_args)
+    _load_search_args(arg_collection)
+
+
+def _load_search_args(arg_collection):
+    filter_args = {
+        AlertFilterArguments.SEVERITY: ArgConfig(
+            u"--{}".format(AlertFilterArguments.SEVERITY),
+            nargs=u"+",
+            help=u"Filter alerts by severity. Defaults to returning all severities. Available choices={0}".format(
+                list(AlertSeverity())
+            ),
+        ),
+        AlertFilterArguments.STATE: ArgConfig(
+            u"--{}".format(AlertFilterArguments.STATE),
+            help=u"Filter alerts by state. Defaults to returning all states. Available choices={0}".format(
+                list(AlertState())
+            ),
+        ),
+        AlertFilterArguments.ACTOR: ArgConfig(
+            u"--{}".format(AlertFilterArguments.ACTOR.replace("_", "-")),
+            metavar=u"ACTOR",
+            help=u"Filter alerts by including the given actor(s) who triggered the alert. Args must match actor username exactly.",
+            nargs=u"+",
+        ),
+        AlertFilterArguments.ACTOR_CONTAINS: ArgConfig(
+            u"--{}".format(AlertFilterArguments.ACTOR_CONTAINS.replace("_", "-")),
+            metavar=u"ACTOR",
+            help=u"Filter alerts by including actor(s) whose username contains the given string.",
+            nargs=u"+",
+        ),
+        AlertFilterArguments.EXCLUDE_ACTOR: ArgConfig(
+            u"--{}".format(AlertFilterArguments.EXCLUDE_ACTOR.replace("_", "-")),
+            metavar=u"ACTOR",
+            help=u"Filter alerts by excluding the given actor(s) who triggered the alert. Args must match actor username exactly.",
+            nargs=u"+",
+        ),
+        AlertFilterArguments.EXCLUDE_ACTOR_CONTAINS: ArgConfig(
+            u"--{}".format(AlertFilterArguments.EXCLUDE_ACTOR_CONTAINS.replace("_", "-")),
+            metavar=u"ACTOR",
+            help=u"Filter alerts by excluding actor(s) whose username contains the given string.",
+            nargs=u"+",
+        ),
+        AlertFilterArguments.RULE_NAME: ArgConfig(
+            u"--{}".format(AlertFilterArguments.RULE_NAME.replace("_", "-")),
+            metavar=u"RULE_NAME",
+            help=u"Filter alerts by including the given rule name(s).",
+            nargs=u"+",
+        ),
+        AlertFilterArguments.EXCLUDE_RULE_NAME: ArgConfig(
+            u"--{}".format(AlertFilterArguments.EXCLUDE_RULE_NAME.replace("_", "-")),
+            metavar=u"RULE_NAME",
+            help=u"Filter alerts by excluding the given rule name(s).",
+            nargs=u"+",
+        ),
+        AlertFilterArguments.RULE_ID: ArgConfig(
+            u"--{}".format(AlertFilterArguments.RULE_ID.replace("_", "-")),
+            metavar=u"RULE_ID",
+            help=u"Filter alerts by including the given rule id(s).",
+            nargs=u"+",
+        ),
+        AlertFilterArguments.EXCLUDE_RULE_ID: ArgConfig(
+            u"--{}".format(AlertFilterArguments.EXCLUDE_RULE_ID.replace("_", "-")),
+            metavar=u"RULE_ID",
+            help=u"Filter alerts by excluding the given rule id(s).",
+            nargs=u"+",
+        ),
+        AlertFilterArguments.RULE_TYPE: ArgConfig(
+            u"--{}".format(AlertFilterArguments.RULE_TYPE.replace("_", "-")),
+            metavar=u"RULE_TYPE",
+            help=u"Filter alerts by including the given rule type(s). Available choices={0}".format(
+                list(RuleType())
+            ),
+            nargs=u"+",
+        ),
+        AlertFilterArguments.EXCLUDE_RULE_TYPE: ArgConfig(
+            u"--{}".format(AlertFilterArguments.EXCLUDE_RULE_TYPE.replace("_", "-")),
+            metavar=u"RULE_TYPE",
+            help=u"Filter alerts by excluding the given rule type(s). Available choices={0}".format(
+                list(RuleType())
+            ),
+            nargs=u"+",
+        ),
+        AlertFilterArguments.DESCRIPTION: ArgConfig(
+            u"--{}".format(AlertFilterArguments.DESCRIPTION),
+            help=u"Filter alerts by description. Does fuzzy search by default.",
+        ),
+    }
+    search_args = args.create_search_args(search_for=u"alerts", filter_args=filter_args)
+    arg_collection.extend(search_args)

src/code42cli/cmds/alerts/util.py

@@ -0,0 +1,14 @@
+from code42cli.compat import range
+
+_BATCH_SIZE = 500
+
+
+def get_alert_details(sdk, alert_summary_list):
+    alert_ids = [alert[u"id"] for alert in alert_summary_list]
+    batches = [alert_ids[i : i + _BATCH_SIZE] for i in range(0, len(alert_ids), _BATCH_SIZE)]
+    results = []
+    for batch in batches:
+        r = sdk.alerts.get_details(batch)
+        results.extend(r[u"alerts"])
+    results = sorted(results, key=lambda x: x[u"createdAt"], reverse=True)
+    return results

src/code42cli/cmds/detectionlists/__init__.py

@@ -59,7 +59,7 @@ def __init__(self, add=None, remove=None, load_add=None):
 class DetectionList(object):
     """An object representing a Code42 detection list. Use this class by passing in handlers for 
     adding and removing employees. This class will handle the bulk-related commands and some 
-    shared help texts.
+    search_shared help texts.
     
     Args:
         list_name (str or unicode): An option from the DetectionLists enum. For convenience, use one of the 

src/code42cli/cmds/shared/__init__.py renamed to src/code42cli/cmds/search_shared/__init__.py

@@ -0,0 +1,52 @@
+from code42cli.cmds.search_shared.enums import SearchArguments, OutputFormat, AlertOutputFormat
+from code42cli.args import ArgConfig
+
+
+def create_search_args(search_for, filter_args):
+    search_args = {
+        SearchArguments.ADVANCED_QUERY: ArgConfig(
+            u"--{}".format(SearchArguments.ADVANCED_QUERY.replace(u"_", u"-")),
+            metavar=u"QUERY_JSON",
+            help=u"A raw JSON {0} query. "
+            u"Useful for when the provided query parameters do not satisfy your requirements.\n"
+            u"WARNING: Using advanced queries is incompatible with other query-building args.".format(
+                search_for
+            ),
+        ),
+        SearchArguments.BEGIN_DATE: ArgConfig(
+            u"-b",
+            u"--{}".format(SearchArguments.BEGIN_DATE),
+            metavar=u"DATE",
+            help=u"The beginning of the date range in which to look for {1}, "
+            u"can be a date/time in yyyy-MM-dd (UTC) or yyyy-MM-dd HH:MM:SS (UTC+24-hr time) format "
+            u"where the 'time' portion of the string can be partial (e.g. '2020-01-01 12' or '2020-01-01 01:15') "
+            u"or a short value representing days (30d), hours (24h) or minutes (15m) from current "
+            u"time.".format(u"beginning", search_for),
+        ),
+        SearchArguments.END_DATE: ArgConfig(
+            u"-e",
+            u"--{}".format(SearchArguments.END_DATE),
+            metavar=u"DATE",
+            help=u"The end of the date range in which to look for {0}, "
+            u"argument format options are the same as --begin.".format(search_for),
+        ),
+    }
+    format_enum = AlertOutputFormat() if search_for == "alerts" else OutputFormat()
+    format_and_incremental_args = {
+        u"format": ArgConfig(
+            u"-f",
+            u"--format",
+            choices=format_enum,
+            default=format_enum.JSON,
+            help=u"The format used for outputting {0}.".format(search_for),
+        ),
+        u"incremental": ArgConfig(
+            u"-i",
+            u"--incremental",
+            action=u"store_true",
+            help=u"Only get {0} that were not previously retrieved.".format(search_for),
+        ),
+    }
+    search_args.update(filter_args)
+    search_args.update(format_and_incremental_args)
+    return search_args