in Solutions/CofenseTriage/Data Connectors/CofenseTriageDataConnector/NonCofenseBasedIndicatorCreatorToCofense/sentinel.py [0:0]
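def get_indicators_from_sentinel(self):
    """Fetch threat-intelligence indicators from Microsoft Sentinel and push them to Cofense Triage.

    Pages through the Sentinel "query indicators" API, starting at
    ``self.sentinel_skiptoken``, and hands every page to ``self.post_indicators``.
    A 429 response is retried up to 3 times after sleeping ``SENTINEL_429_SLEEP``
    seconds; a 401 response triggers one bearer-token refresh via ``auth_sentinel``
    followed by a retry. Any other non-2xx status aborts the run.

    Returns:
        bool: ``True`` once ``post_indicators`` reports there is nothing more to
        fetch, or when ``self.throttle_flag`` is set after a page was processed.

    Raises:
        CofenseException: on a status code other than 2xx/429/401, or when the
        retry budget for 429/401 responses is exhausted.
    """
    # Plain local name: a double-underscore local inside a method is subject to
    # class-private name mangling, which only adds confusion here.
    method_name = inspect.currentframe().f_code.co_name
    applogger.info(
        "{}(method={}) : {} : "
        "Started fetching indicators from Microsoft Sentinel Threat Intelligence.".format(
            LOGS_STARTS_WITH,
            method_name,
            SENTINEL_TO_COFENSE,
        )
    )
    # The query URL is invariant across pages and retries; build it once.
    query_indicator_url = QUERY_SENTINEL_INDICATORS_URL.format(
        subscriptionId=AZURE_SUBSCRIPTION_ID,
        resourceGroupName=AZURE_RESOURCE_GROUP,
        workspaceName=AZURE_WORKSPACE_NAME,
    )
    retry_count_429 = 0
    retry_count_401 = 0
    # Loop until post_indicators says there is nothing left, the throttle flag is
    # raised, an unexpected status is seen, or the 429/401 retry budget runs out.
    while retry_count_429 <= 3 and retry_count_401 <= 1:
        # Headers are rebuilt every attempt because the 401 branch below may
        # replace self.bearer_token. Never log ``headers``: it carries the token.
        headers = {
            "Content-Type": "application/json",
            "Authorization": "Bearer {}".format(self.bearer_token),
        }
        body = {
            "pageSize": self.page_size,
            "sortBy": [
                {"itemKey": "lastUpdatedTimeUtc", "sortOrder": "descending"}
            ],
            "skipToken": self.sentinel_skiptoken,
        }
        get_indicator_response = make_rest_call(
            url=query_indicator_url,
            method="POST",
            azure_function_name=SENTINEL_TO_COFENSE,
            payload=json.dumps(body),
            headers=headers,
        )
        status_code = get_indicator_response.status_code

        if 200 <= status_code <= 299:
            sentinel_indicator_json = json.loads(get_indicator_response.text)
            sentinel_indicator_json_list = sentinel_indicator_json.get(
                "value", []
            )
            # Push this page of indicators into Cofense Triage.
            post_indicators_return = self.post_indicators(
                sentinel_json_indicator_list=sentinel_indicator_json_list,
                cofense_object=self.cofense_object,
            )
            applogger.info(
                "{}(method={}) : {} : "
                "Completed the execution of total {} indicators from Microsoft Sentinel"
                " to Cofense Triage.".format(
                    LOGS_STARTS_WITH,
                    method_name,
                    SENTINEL_TO_COFENSE,
                    self.indicator_count,
                )
            )
            # False from post_indicators means there is nothing more to fetch.
            if post_indicators_return is False:
                applogger.warning(
                    "{}(method={}) : {}: url: {}, Status Code : {} : "
                    "No more indicators to fetch from Microsoft Sentinel. Exiting the function.".format(
                        LOGS_STARTS_WITH,
                        method_name,
                        SENTINEL_TO_COFENSE,
                        query_indicator_url,
                        status_code,
                    )
                )
                return True
            # Persist the paging cursor so the next run resumes where this one stopped.
            # NOTE(review): new_execution_flag is compared as the string "False" —
            # presumably it comes straight from configuration; confirm with the caller.
            if self.new_execution_flag == "False":
                sentinel_indicator_nextlink = sentinel_indicator_json.get(
                    "nextLink", ""
                )
                self.update_checkpoint(sentinel_indicator_nextlink)
            if self.throttle_flag:
                applogger.warning(
                    "{}(method={}) : {}: url: {}, Status Code : {} : "
                    "Throttle limit reached. Exiting the function.".format(
                        LOGS_STARTS_WITH,
                        method_name,
                        SENTINEL_TO_COFENSE,
                        query_indicator_url,
                        status_code,
                    )
                )
                return True

        elif status_code == 429:
            # Rate limited: back off for SENTINEL_429_SLEEP seconds, then retry.
            retry_count_429 += 1
            applogger.error(
                "{}(method={}) : {}: url: {}, Status Code : {} : "
                "Getting 429 from sentinel get indicators api call. Retrying again after {} seconds.".format(
                    LOGS_STARTS_WITH,
                    method_name,
                    SENTINEL_TO_COFENSE,
                    query_indicator_url,
                    status_code,
                    SENTINEL_429_SLEEP,
                )
            )
            # The full response body is emitted at DEBUG level only.
            applogger.debug(
                "{}(method={}) : {}: url: {}, Status Code : {}, Response reason: {}, Response: {} : "
                "Getting 429 from sentinel get indicators api call. Retry count: {}.".format(
                    LOGS_STARTS_WITH,
                    method_name,
                    SENTINEL_TO_COFENSE,
                    query_indicator_url,
                    status_code,
                    get_indicator_response.reason,
                    get_indicator_response.text,
                    retry_count_429,
                )
            )
            time.sleep(SENTINEL_429_SLEEP)

        elif status_code == 401:
            # Access token expired or rejected: refresh it once and retry.
            retry_count_401 += 1
            applogger.error(
                "{}(method={}) : {} : url: {}, Status Code : {}: Error Reason: {} : "
                "Sentinel access token expired, generating new access token.".format(
                    LOGS_STARTS_WITH,
                    method_name,
                    SENTINEL_TO_COFENSE,
                    query_indicator_url,
                    status_code,
                    get_indicator_response.reason,
                )
            )
            applogger.debug(
                "{}(method={}) : {} : url: {}, Status Code : {}, Error Reason: {}, Response: {} : Sentinel"
                " access token expired, generating new access token. Retry count: {}.".format(
                    LOGS_STARTS_WITH,
                    method_name,
                    SENTINEL_TO_COFENSE,
                    query_indicator_url,
                    status_code,
                    get_indicator_response.reason,
                    get_indicator_response.text,
                    retry_count_401,
                )
            )
            self.bearer_token = auth_sentinel(SENTINEL_TO_COFENSE)

        else:
            # Any other status is not retryable; log and abort the function app.
            applogger.error(
                "{}(method={}) : {} : url: {}, Status Code : {} : Error while fetching indicators"
                " from sentinel threat intelligence. Error Reason: {}".format(
                    LOGS_STARTS_WITH,
                    method_name,
                    SENTINEL_TO_COFENSE,
                    query_indicator_url,
                    status_code,
                    get_indicator_response.reason,
                )
            )
            applogger.debug(
                "{}(method={}) : {} : url: {}, Status Code : {}, Error Reason: {}, Response: {} :"
                " Error while fetching indicators from sentinel threat intelligence.".format(
                    LOGS_STARTS_WITH,
                    method_name,
                    SENTINEL_TO_COFENSE,
                    query_indicator_url,
                    status_code,
                    get_indicator_response.reason,
                    get_indicator_response.text,
                )
            )
            raise CofenseException()

    # Retry budget for 429/401 exhausted: abort the function app.
    # (The previous wrapper that caught CofenseException only to raise a fresh
    # instance discarded the original traceback; letting it propagate keeps it.)
    applogger.error(
        "{}(method={}) : {} : Max retries exceeded for fetching indicators from sentinel.".format(
            LOGS_STARTS_WITH,
            method_name,
            SENTINEL_TO_COFENSE,
        )
    )
    raise CofenseException()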