How to use resilient - 10 common examples

To help you get started, we’ve selected a few resilient examples, based on popular ways it is used in public projects.

Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.

github ibmresilient / resilient-community-apps / older / rc-shell-runner / shell_runner / lib / disposition.py View on Github external
def test():
    """Test some basic functionality"""
    from resilient_circuits.rest_helper import get_resilient_client
    from resilient_circuits.actions_component import ActionMessage
    import time

    opts = vars(resilient.ArgumentParser(config_file=os.environ.get("APP_CONFIG_FILE")).parse_args())
    client = get_resilient_client(opts)

    action_event = None
    result = Disposition(client, "new_incident").call(action_event, {"name": "new test incident", "discovered_date": 0})
    LOG.debug(result)
    assert result["id"] > 0
    print("Created incident {}".format(result["id"]))
    incident = result

    action_event = ActionMessage(message={"incident": incident})
    result = Disposition(client, "new_task").call(action_event, {"name": "new task"})
    LOG.debug(result)
    assert result["id"] > 0
    action_event.task = result
    result = Disposition(client, "update_task").call(action_event, {"name": "updated task"})
    LOG.info(result)
github ibmresilient / resilient-community-apps / fn_risk_fabric / fn_risk_fabric / util / create_incidents_action_plans.py View on Github external
def main():
    """
    program main
    """

    config_file = resilient.get_config_file()
    parser = ExampleArgumentParser(config_file)
    opts = parser.parse_args()

    inc_types = opts["itype"]
    inc_queue = opts["queue"]

    # Create SimpleClient for a REST connection to the Resilient services
    client = resilient.get_client(opts)

    # Discovered Date will be set to the current time
    time_now = int(time.time() * 1000)

    try:
        uri = '/incidents'

        rf_config = configparser.ConfigParser()
github ibmresilient / resilient-community-apps / fn_risk_fabric / fn_risk_fabric / util / create_incidents_risk_models.py View on Github external
def main():
    """
    program main
    """

    config_file = resilient.get_config_file()
    parser = ExampleArgumentParser(config_file)
    opts = parser.parse_args()

    inc_types = opts["itype"]
    inc_limit = opts["limit"]

    # Create SimpleClient for a REST connection to the Resilient services
    client = resilient.get_client(opts)

    # Discovered Date will be set to the current time
    time_now = int(time.time() * 1000)

    try:
        uri = '/incidents'

        rf_config = configparser.ConfigParser()
github ibmresilient / resilient-community-apps / fn_machine_learning / fn_machine_learning / bin / res_ml.py View on Github external
def __init__(self, config_file=None):
        self.config_file = config_file or resilient.get_config_file()
        super(OptParser, self).__init__(config_file=self.config_file)
        #
        #   Note this is a trick used by resilient-circuits. resilient.ArgumentParser will
        #   validate the arguments of the command line. Since we use command line
        #   argument of input/output files, we don't want that validation, so we
        #   erase them before we call parse_args(). So parse_args() only
        #   reads from app.config
        #
        sys.argv = sys.argv[0:1]
        self.opts = self.parse_args()

        if self.config:
            for section in self.config.sections():
                #
                # Handle sections other than [resilient] in app.config
                #
github ibmresilient / resilient-community-apps / fn_machine_learning / fn_machine_learning / bin / res_ml.py View on Github external
requests.packages.urllib3.disable_warnings()
                verify = False
            elif os.path.isfile(cafile):
                #
                #   User specified a cafile for trusted certificate
                #
                verify = cafile
        except:
            verify = True

        args = {"base_url": url,
                "verify": verify,
                "org_name": org}

        resilient_client = resilient.SimpleClient(**args)
        session = resilient_client.connect(email, password)
        max_count = None
        if opt_parser.getopt(MACHINE_LEARNING_SECTION, "max_count"):
            max_count = int(opt_parser.getopt(MACHINE_LEARNING_SECTION, "max_count"))

        time_start = opt_parser.getopt(MACHINE_LEARNING_SECTION, "time_start")
        time_end = opt_parser.getopt(MACHINE_LEARNING_SECTION, "time_end")
        res_filter = IncidentTimeFilter(time_start=time_start,
                                        time_end=time_end,
                                        in_log=LOG)

        # get_incidents is going to download all the incidents using this resilient_client
        # The optional max_count controls how many samples to process. The conversion from
        # json to CSV will stop once reaches this limit.
        num_inc = resilient_utils.get_incidents(res_client=resilient_client,
                                                filename=csv_file,
github ibmresilient / resilient-community-apps / rc-data-feed / rc_data_feed / components / feed_ingest.py View on Github external
# ensure the incident is found
        try:
            incident = self.rest_client_helper.get("/incidents/{}".format(inc_id))
            for object_type in object_type_names:
                if not self.lookup.get(object_type):
                    LOG.error("Method for synchronization not found: %s", object_type)
                else:
                    try:
                        type_info = type_info_index.get(object_type, None)  # datatables will not have a type_info object at this time

                        sync_count = self.lookup[object_type](self.rest_client_helper, inc_id, type_info)
                        LOG.debug("inc_id: %s %s : %s", inc_id, object_type, sync_count)
                    except AttributeError:
                        LOG.error("Query error for synchronization method: %s", object_type)
        except SimpleHTTPException:
            pass
github ibmresilient / resilient-community-apps / fn_proofpoint_trap / fn_proofpoint_trap / components / fn_proofpoint_trap_polling.py View on Github external
:param data: Content to be added as note
        :return: Response from Resilient for debug
        """
        try:
            uri = '/incidents/{}/comments'.format(incident_id)
            resilient_client = self.rest_client()
            heading = "Raw Proofpoint TRAP Event Payload:\n"
            note = {
                'format': 'text',
                'content': '{}{}'.format(heading, pprint.pformat(data, indent=4))
            }
            payload = {'text': note}
            comment_response = resilient_client.post(uri=uri, payload=payload)
            return comment_response

        except SimpleHTTPException as ex:
            LOG.error("Failed to add note for incident %d: %s", incident_id, ex)
github ibmresilient / resilient-community-apps / older / rc-query-runner / query_runner / lib / query_update.py View on Github external
def _get_incident_fields(res_client):
    try:
        fields = res_client.get('/types/incident/fields')
        if fields:
            fields = {field["name"]: field["input_type"] for field in fields}
            return fields
        else:
            LOG.error("Failed to get incident fields from Resilient")
            raise Exception("Failed to get incident fields from Resilient")
    except SimpleHTTPException as error:
        LOG.exception("Failed to get incident fields from Resilient")
        raise
github ibmresilient / resilient-community-apps / fn_proofpoint_tap / fn_proofpoint_tap / components / fn_pp_threat_polling.py View on Github external
},
                    {
                        'field_name': 'plan_status',
                        'method': 'equals',
                        'value': 'A'
                    }
                ]
            }],
            'sorts': [{
                'field_name': 'create_date',
                'type': 'desc'
            }]
        }
        try:
            r_incidents = resilient_client.post(query_uri, query)
        except SimpleHTTPException:
            # Some versions of Resilient 30.2 onward have a bug that prevents query for numeric fields.
            # To work around this issue, let's try a different query, and filter the results. (Expensive!)
            query_uri = '/incidents/query?return_level=normal&field_handle={}'.format(threat_id)
            query = {
                'filters': [{
                    'conditions': [
                        {
                            'field_name': 'properties.{}'.format(idtype),
                            'method': 'has_a_value'
                        },
                        {
                            'field_name': 'plan_status',
                            'method': 'equals',
                            'value': 'A'
                        }
                    ]
github ibmresilient / resilient-community-apps / fn_risk_fabric / fn_risk_fabric / util / create_incidents_action_plans.py View on Github external
"discovered_date": time_now}

                # Create the incident
                incident = client.post(uri, new_incident)
                inc_id = incident["id"]

                params = {
                    'ActionPlanGUID': ActionPlanGUID,
                    'Comment': "Created Resilient Incident ID #" + str(inc_id)
                }
                result = set_action_plan_comment(rf_opts, params)

                print("Created incident {}".format(inc_id))


    except resilient.SimpleHTTPException as ecode:
        print("create failed : {}".format(ecode))