Created
May 27, 2021 07:39
-
-
Save sherwind/679b556a431977dbde2f4a39d975f8b4 to your computer and use it in GitHub Desktop.
Pulls an alarm and its events from AT&T's Alienvault USM Anywhere
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Pulls an alarm and its events from AT&T's Alienvault USM Anywhere | |
| # by Sherwin Daganato, 20210523 | |
| # | |
| # USAGE: | |
| # ./alienvault-get_alarm.sh https://<usm-host>.alienvault.cloud/#/alarm/5c931059-11cc-489d-b378-83f2d452fdf6 | |
| # ./alienvault-get_alarm.sh 5c931059-11cc-489d-b378-83f2d452fdf6 | |
| # | |
| # Requires API Client credentials which can be created by: | |
| # | |
| # FROM https://cybersecurity.att.com/documentation/api/alienvault-apis.htm | |
| # Create a New API Client in USM Anywhere: | |
| # To get your client ID and secret code | |
| # - Click the icon and select Profile Settings. | |
| # - On the Profile page select the API Clients tab. | |
| # Click New Client. | |
| # Enter an alphanumeric name for the client and click Create Client. | |
| # | |
| # The system generates the secret code. | |
| # =-=-=-=-=-=- | |
| host="$USM_HOST" | |
| credentials="$USM_API_CLIENT:$USM_API_SECRET" | |
| # =-=-=--==-=- | |
| if [ -z "$1" ]; then echo "Alarm UUID is required!"; exit; fi | |
| uuid=${1##*/} | |
| access_token="$(curl -s --config - -X POST "https://$host.alienvault.cloud/api/2.0/oauth/token?grant_type=client_credentials" <<< 'user = "'"$credentials"'"' | jq -r .access_token)" | |
| alarm_json="$(curl -s -X GET "https://$host.alienvault.cloud/api/2.0/alarms/${uuid}" -H "Authorization: Bearer $access_token")" | |
| # If json is invalid, assumme "log" value is broken. Fix it by reencoding to json | |
| if ! echo "$alarm_json" | jq -c &>/dev/null | |
| then | |
| alarm_json=$(echo "$alarm_json" | perl -MJSON::PP=encode_json -p -e 's/("log" ?: ?)"(.*?)",$/$1 . encode_json($2) . ","/e') | |
| fi | |
| #echo "$alarm_json" | |
| echo "ALARM: " | |
| echo "$alarm_json" | jq --argjson keys '["uuid", "priority", "timestamp_occured_iso8601", "timestamp_received_iso8601", "rule_attack_tactic", "rule_attack_technique", "rule_dictionary", "rule_id", "rule_intent", "rule_method", "rule_strategy", "source_name", "source_username", "source_organisation", "source_country", "destination_name"]' '.highlight_fields += $keys | (.highlight_fields | unique) as $fields | with_entries( select( .key as $k | $fields | index($k) ) )' | |
| echo | |
| echo "EVENTS: " | |
| echo "$alarm_json" | jq '.events[] | .highlight_fields += ["uuid", "event_name", "timestamp_occured_iso8601", "timestamp_received_iso8601", "source_name", "destination_name", "suppressed", "source_country", "source_city", "plugin", "received_from", "log"] | (.highlight_fields | unique) as $fields | with_entries( select( .key as $k | $fields | index($k) ) ) | if has("access_key_id") then .access_key_id |= .[0:3] + "..." + .[-3:] else . end | if (.source_name|test("^[.0-9]+$")) then .source_name |= .[0:5] + "..." + .[-5:] else . end' |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment