in Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/SentinelToDefender/sentinel.py [0:0]
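def get_indicators_from_sentinel(self):
    """Fetch Cofense indicators from Microsoft Sentinel Threat Intelligence and forward them to Defender.

    Pages through the Sentinel indicator query API (``consts.QUERY_SENTINEL_INDICATORS_URL``)
    using ``self.sentinel_skiptoken`` as the paging cursor, hands every page to
    ``self.post_indicators`` and, when ``self.new_execution_flag == "False"``, stores the page's
    ``nextLink`` through ``self.update_checkpoint``.

    Retry policy (from the loop guard): a 429 is retried after sleeping
    ``consts.SENTINEL_429_SLEEP`` seconds, up to four attempts in total; a 401 triggers a single
    token refresh via ``self.utils_obj.auth_sentinel()`` and one more attempt. Any other non-2xx
    status, or exhausting the retries, raises ``CofenseIntelligenceException``.

    Returns:
        True once ``self.post_indicators`` reports that there is nothing more to fetch.

    Raises:
        CofenseIntelligenceException: on an unexpected HTTP status or when the retry budget is
            exhausted. Exceptions raised by the helpers called here propagate unchanged (original
            message and traceback) instead of being replaced by an empty instance, so the
            function-app log shows the real cause.

    NOTE(review): the loop never advances ``self.sentinel_skiptoken`` itself; it presumably relies on
    ``update_checkpoint`` or ``post_indicators`` to move the cursor — confirm, otherwise a successful
    page with ``new_execution_flag != "False"`` re-queries the same page until ``post_indicators``
    returns False.
    """
    method_name = inspect.currentframe().f_code.co_name
    applogger.info(
        "{}(method={}) : {} : "
        "Started fetching cofense indicators from Microsoft Sentinel Threat Intelligence.".format(
            consts.LOGS_STARTS_WITH,
            method_name,
            consts.SENTINEL_TO_DEFENDER,
        )
    )
    # The query URL and the HTTP helper do not depend on loop state, so build them once.
    query_indicator_url = consts.QUERY_SENTINEL_INDICATORS_URL.format(
        subscriptionId=consts.AZURE_SUBSCRIPTION_ID,
        resourceGroupName=consts.AZURE_RESOURCE_GROUP,
        workspaceName=consts.AZURE_WORKSPACE_NAME,
    )
    utils_obj = Utils(azure_function_name=consts.SENTINEL_TO_DEFENDER)
    retry_count_429 = 0
    retry_count_401 = 0
    while retry_count_429 <= 3 and retry_count_401 <= 1:
        # Headers and body are rebuilt every iteration: a 401 replaces self.bearer_token and the
        # skip token may change between pages.
        headers = {
            "Content-Type": "application/json",
            "Authorization": "Bearer {}".format(self.bearer_token),
        }
        body = {
            "pageSize": consts.QUERY_SENTINEL_PAGESIZE,
            "keywords": "Cofense",
            "sortBy": [
                {"itemKey": "lastUpdatedTimeUtc", "sortOrder": "descending"}
            ],
            "skipToken": self.sentinel_skiptoken,
        }
        get_indicator_response = utils_obj.make_http_request(
            url=query_indicator_url,
            method="POST",
            body=json.dumps(body),
            headers=headers,
        )
        status_code = get_indicator_response.status_code
        if 200 <= status_code <= 299:
            sentinel_indicator_json = json.loads(get_indicator_response.text)
            sentinel_indicator_json_list = sentinel_indicator_json.get("value", [])
            # Forward this page to Defender; False means there is nothing left to fetch.
            post_indicators_return = self.post_indicators(
                sentinel_json_indicator_list=sentinel_indicator_json_list,
                defender_object=self.defender_object,
            )
            applogger.info(
                "{}(method={}) : {}. "
                "In current page, Processed total Cofense Indicators - {}, Successfully created indicator(s) - {}, Failed indicator(s) - {}."
                " Failed indicator list: {}.".format(
                    consts.LOGS_STARTS_WITH,
                    method_name,
                    consts.SENTINEL_TO_DEFENDER,
                    self.indicator_count,
                    (self.indicator_count - self.failed_indicator_count),
                    self.failed_indicator_count,
                    self.failed_indicator_list,
                )
            )
            # Per-page counters are reset after logging; the total_* counters carry across pages.
            self.indicator_count = 0
            self.failed_indicator_count = 0
            self.failed_indicator_list = []
            applogger.info(
                "{}(method={}) : {}. "
                "In current function execution, Processed total Cofense Indicators - {}, Successfully created indicator(s) - {}, Failed indicator(s) - {}."
                " Failed indicator list: {}.".format(
                    consts.LOGS_STARTS_WITH,
                    method_name,
                    consts.SENTINEL_TO_DEFENDER,
                    self.total_indicator_count,
                    (
                        self.total_indicator_count
                        - self.total_failed_indicator_count
                    ),
                    self.total_failed_indicator_count,
                    self.total_failed_indicator_list,
                )
            )
            if post_indicators_return is False:
                applogger.warning(
                    "{}(method={}) : {}: url: {}, Status Code : {} : "
                    "No more indicators to fetch from Microsoft Sentinel. Exiting the function app.".format(
                        consts.LOGS_STARTS_WITH,
                        method_name,
                        consts.SENTINEL_TO_DEFENDER,
                        query_indicator_url,
                        status_code,
                    )
                )
                return True
            # Persist the paging cursor so a later execution resumes where this one stopped.
            if self.new_execution_flag == "False":
                sentinel_indicator_nextlink = sentinel_indicator_json.get("nextLink", "")
                self.update_checkpoint(sentinel_indicator_nextlink)
        elif status_code == 429:
            # Throttled: back off for the configured interval, then retry (bounded by the loop guard).
            retry_count_429 += 1
            applogger.error(
                "{}(method={}) : {}: url: {}, Status Code : {} : "
                "Getting 429 from sentinel get indicators api call. Retrying again after {} seconds.".format(
                    consts.LOGS_STARTS_WITH,
                    method_name,
                    consts.SENTINEL_TO_DEFENDER,
                    query_indicator_url,
                    status_code,
                    consts.SENTINEL_429_SLEEP,
                )
            )
            applogger.debug(
                "{}(method={}) : {}: url: {}, Status Code : {}, Response reason: {}, Response: {} : "
                "Getting 429 from sentinel get indicators api call. Retry count: {}.".format(
                    consts.LOGS_STARTS_WITH,
                    method_name,
                    consts.SENTINEL_TO_DEFENDER,
                    query_indicator_url,
                    status_code,
                    get_indicator_response.reason,
                    get_indicator_response.text,
                    retry_count_429,
                )
            )
            time.sleep(consts.SENTINEL_429_SLEEP)
        elif status_code == 401:
            # Token rejected: refresh it once; the next iteration rebuilds the Authorization header.
            retry_count_401 += 1
            applogger.error(
                "{}(method={}) : {} : url: {}, Status Code : {}: Error Reason: {} : "
                "Sentinel access token expired, generating new access token.".format(
                    consts.LOGS_STARTS_WITH,
                    method_name,
                    consts.SENTINEL_TO_DEFENDER,
                    query_indicator_url,
                    status_code,
                    get_indicator_response.reason,
                )
            )
            applogger.debug(
                "{}(method={}) : {} : url: {}, Status Code : {}, Error Reason: {}, Response: {} : Sentinel"
                " access token expired, generating new access token. Retry count: {}.".format(
                    consts.LOGS_STARTS_WITH,
                    method_name,
                    consts.SENTINEL_TO_DEFENDER,
                    query_indicator_url,
                    status_code,
                    get_indicator_response.reason,
                    get_indicator_response.text,
                    retry_count_401,
                )
            )
            # NOTE(review): the refresh goes through self.utils_obj while requests use the local
            # utils_obj; presumably both share the same configuration — confirm.
            self.bearer_token = self.utils_obj.auth_sentinel()
        else:
            # Any other status is not retried; abort the function app.
            applogger.error(
                "{}(method={}) : {} : url: {}, Status Code : {} : Error while fetching indicators"
                " from sentinel threat intelligence. Error Reason: {}".format(
                    consts.LOGS_STARTS_WITH,
                    method_name,
                    consts.SENTINEL_TO_DEFENDER,
                    query_indicator_url,
                    status_code,
                    get_indicator_response.reason,
                )
            )
            applogger.debug(
                "{}(method={}) : {} : url: {}, Status Code : {}, Error Reason: {}, Response: {} :"
                " Error while fetching indicators from sentinel threat intelligence.".format(
                    consts.LOGS_STARTS_WITH,
                    method_name,
                    consts.SENTINEL_TO_DEFENDER,
                    query_indicator_url,
                    status_code,
                    get_indicator_response.reason,
                    get_indicator_response.text,
                )
            )
            raise CofenseIntelligenceException()
    # Loop guard failed: 429 or 401 retry budget exhausted.
    applogger.error(
        "{}(method={}) : {} : Max retries exceeded for fetching indicators from sentinel.".format(
            consts.LOGS_STARTS_WITH,
            method_name,
            consts.SENTINEL_TO_DEFENDER,
        )
    )
    raise CofenseIntelligenceException()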