Python-Control-Assurance/ca_elastic.py at main · utsecnet/Python-Control-Assurance · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
#!/usr/bin/python3
# -*- coding: utf-8 -*-

''' Pull control assurance measures from Elasticsearch into MySQl DB

THIS IS NOT COMPLETE! It barely even authenticates yet!

API Documentation
Get Token
* https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-get-token.html

using the elasticsearch module
https://elasticsearch-py.readthedocs.io/en/v7.17.9/

'''

__file__ = "ca_jamfpro.py"
__authors__ = ["Rich Johnson", "Austin Pratt"]
__date__ = "2022-12-22"
__depricated__ = "False"
__maintainer__ = "Austin Pratt"
__status__ = "Production"
__version__ = "1.0"

# TODO: There are some extention atributes we may wish to pull down and place
#       into 3rd-normal-form tables so that we can do advanced corelation
#       between endpoints.

# Standard Python libraries
import base64
from calendar import weekheader
import ssl
import datetime
import logging
import json
import math

# Third party Python libraries
import requests
from requests.auth import HTTPBasicAuth
import mysql.connector
from elasticsearch import Elasticsearch

# Custom libraries
from modules.secrets import SECRETS
from modules.dbConn import *

########################
# FUNCTIONS
########################

# Data retention - Delete data from tables older than X months
def data_retention():

    logging.debug("entered function: data_retention")

    # Delete data older than X months
    limit = 12

    sql = ("DELETE FROM sentinelone_rollup WHERE date <= CURDATE() - INTERVAL %s MONTH")

    data = (limit, )

    try:
        ret = db.doExec(sql,data)
        logging.info('Purged data older than %s months from table "%s".', limit, table_metrics_rollup)
    except mysql.connector.Error as err:
        logging.error(err)

    # Close function data_retention

########################
# Global Variables
########################

# Valid log levels include:
# INFO
# WARNING
# ERROR
# CRITICAL
# DEBUG

# Logging options
#log_File = '/opt/scripts/logs/ca_jamfpro.log'
log_File = 'elasticsearch.txt'
logging.basicConfig(format='%(asctime)s %(levelname)s %(message)s', datefmt='%Y-%m-%d %H:%M:%S', filename=log_File, level=logging.DEBUG, filemode='w')

# Define the URL that we will use throughout this script
# And pull in the credentials from the secrets.json file
if 'elasticsearch' in SECRETS:

    # Build the base URL that will be passed into the API calls
    baseUrl = 'https://{0}'.format(SECRETS['elasticsearch']['host'])
    logging.debug('baseUrl: %s', baseUrl)

    # Credentials used to request the Token
    user = '{0}'.format(SECRETS['elasticsearch']['user'])
    password = '{0}'.format(SECRETS['elasticsearch']['password'])

    # Retreive the API token
    es = Elasticsearch([baseUrl],http_auth=(user,password))
    #url = '{0}/_security/oauth2/token'.format(baseUrl)
    request = requests.post(url, auth=HTTPBasicAuth(user, password), verify=False)
    response = request.json()

    print(response)
    token = response['token']
    token_string = "Bearer " + token

db = dbConn(
    '{0}'.format(SECRETS['mysql']['host']),
    '{0}'.format(SECRETS['mysql']['user']),
    '{0}'.format(SECRETS['mysql']['password']),
    '{0}'.format(SECRETS['mysql']['database'])
)

# Define the MySQL tables
table_asset = "jamfpro_asset"
table_mdm = "jamfpro_mdm"
table_asset_tag = "jamfpro_asset_tag"
table_tag = "jamfpro_tag"
table_metrics_rollup = "jamfpro_rollup"

# Used to set the date in the date column of the MySQL tables
ymd = '%Y-%m-%d'

# Define the format of the date that SentinelOne presents via the API
# Some dates are formated with a %f, others are not - we need to accomodate both
iso = '%Y-%m-%dT%H:%M:%S.%fZ'
iso2 = '%Y-%m-%dT%H:%M:%SZ'

# We will take the date format from SentinelOnes's API and convert it to a
# format that we can then insert into MySQL
mysqliso = '%Y-%m-%d %H:%M:%S'

# Today's date e.g.: 2022-01-25
#today = datetime.datetime.strptime(datetime.datetime.strftime(datetime.date.today(), ymd), ymd).date()
today = datetime.datetime.strftime(datetime.datetime.today(), ymd)

# Timestamp e.g.: 2022-01-25 12:34:24
timestamp = datetime.datetime.strftime(datetime.datetime.now(), mysqliso)

# These tables will be purged of data older than X months from the
# data_retention function
cleanUp = [table_metrics_rollup]

# We pass this NULL value so MySQL can AUTO_INCREMENT the primary key
rowId = None

########################
# ACTION!
########################


# # Run this last
# data_retention()