diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml new file mode 100644 index 0000000..6f15b22 --- /dev/null +++ b/.github/workflows/linting.yml @@ -0,0 +1,11 @@ +name: Linting +on: [push, pull_request] +jobs: + lint: + # Run per push for internal contributers. This isn't possible for forked pull requests, + # so we'll need to run on PR events for external contributers. + # String comparison below is case insensitive. + if: github.event_name == 'push' || github.event.pull_request.head.repo.fork + runs-on: ubuntu-latest + steps: + - uses: 'phantomcyber/dev-cicd-tools/github-actions/lint@main' diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml new file mode 100644 index 0000000..23d31c5 --- /dev/null +++ b/.github/workflows/semgrep.yml @@ -0,0 +1,28 @@ +name: Semgrep +on: + pull_request_target: + branches: + - next + - main + push: + branches: + - next + - main +jobs: + semgrep: + runs-on: ubuntu-latest + steps: + - if: github.event_name == 'push' + run: | + echo "REPOSITORY=${{ github.repository }}" >> $GITHUB_ENV + echo "REF=${{ github.REF }}" >> $GITHUB_ENV + - if: github.event_name == 'pull_request_target' + run: | + echo "REPOSITORY=${{ github.event.pull_request.head.repo.full_name }}" >> $GITHUB_ENV + echo "REF=${{ github.event.pull_request.head.ref }}" >> $GITHUB_ENV + - uses: 'phantomcyber/dev-cicd-tools/github-actions/semgrep@main' + with: + SEMGREP_DEPLOYMENT_ID: ${{ secrets.SEMGREP_DEPLOYMENT_ID }} + SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} + REPOSITORY: ${{ github.repository }} + REF: ${{ github.ref }} diff --git a/.github/workflows/start-release.yml b/.github/workflows/start-release.yml new file mode 100644 index 0000000..7bbce79 --- /dev/null +++ b/.github/workflows/start-release.yml @@ -0,0 +1,13 @@ +name: Start Release +on: + workflow_dispatch: + push: + tags: + - '*-beta*' +jobs: + start-release: + runs-on: ubuntu-latest + steps: + - uses: 'phantomcyber/dev-cicd-tools/github-actions/start-release@main' + with: + GITHUB_TOKEN: ${{ secrets.SOAR_APPS_TOKEN }} diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml deleted file mode 100644 index 38e1594..0000000 --- a/.gitlab-ci.yml +++ /dev/null @@ -1,3 +0,0 @@ -include: - - project: 'phantom/appscript' - file: 'gitlab-ci/.gitlab-ci.yml' diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000..062ede5 --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,11 @@ +repos: +- repo: https://github.com/phantomcyber/dev-cicd-tools + rev: v1.9 + hooks: + - id: org-hook + - id: package-app-dependencies +- repo: https://github.com/Yelp/detect-secrets + rev: v1.1.0 + hooks: + - id: detect-secrets + args: ['--no-verify', '--exclude-files', '^awsinspector.json$'] diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..b3cc507 --- /dev/null +++ b/CONTRIBUTING.md @@ -0,0 +1,2 @@ +# Contributing +For more information about contributing to Splunk SOAR Apps please take a look at our app [Contribution Guide](https://github.com/splunk-soar-connectors/.github/blob/main/.github/CONTRIBUTING.md)! diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..f9b71ef --- /dev/null +++ b/LICENSE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright (c) 2019-2022 Splunk Inc. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. \ No newline at end of file diff --git a/Makefile b/Makefile deleted file mode 100644 index 7af3212..0000000 --- a/Makefile +++ /dev/null @@ -1,81 +0,0 @@ -# Makefile for Phantom apps CI -# created oct-2018 by michellel & jacobd at splunk -# -# Usage: -# make local - to bring up docker for local dev -# make - pipeline targets build / upload -# make secrets - list any required secret values -# -# Credentials can be passed as environment variables or docker secret files -# under /run/secrets - - -# Variables set by GitLab -WORKSPACE ?= $(shell grep WORKSPACE: docker-compose.yml | cut -d : -f 2) -CI_COMMIT_REF_NAME ?= $(shell git branch | grep "\*" | cut -d ' ' -f 2) - -# Git variables -GIT_SERVER ?= cd.splunkdev.com -RELEASE_GROUP ?= phantom -RELEASE_REPO ?= app_release -RELEASE_DIR := $(WORKSPACE)/$(RELEASE_REPO) - -# Docker variables -export IMAGE_TAG ?= $(shell grep ^image: .gitlab-ci.yml | cut -d : -f 3) - -# Variables sent to app_release for test/build/release scripts -export APP_DIR ?= $(shell pwd) -export APP_REPO_NAME ?= $(shell basename $(APP_DIR)) -export APP_BRANCH ?= $(CI_COMMIT_REF_NAME) -export TEST_BRANCH ?= master - -# Pipeline secrets -SECRETS = app_artf_token gitlab_api_token app_deploy_key -ifneq ($(wildcard /run/secrets/.),) - # Load secrets if specified in filesystem rather than variables - export GITLAB_API_TOKEN ?= $(shell cat /run/secrets/gitlab_api_token) - export APP_ARTF_TOKEN ?= $(shell cat /run/secrets/app_artf_token) - export APP_DEPLOY_KEY ?= $(shell cat /run/secrets/app_deploy_key) -endif - -APP_RELEASE_TARGETS = test upload build release -.PHONY: checkout local secrets list_secrets $(APP_RELEASE_TARGETS) - -checkout: $(RELEASE_DIR) -$(RELEASE_DIR): /tmp/ssh-agent - $(info Clone the $(RELEASE_REPO) repo into $(RELEASE_DIR)) - @git clone git@$(GIT_SERVER):$(RELEASE_GROUP)/$(RELEASE_REPO).git $(RELEASE_DIR) - $(info Checkout the test branch: $(TEST_BRANCH)) - @cd $(RELEASE_DIR) && git checkout $(TEST_BRANCH) - -$(APP_RELEASE_TARGETS): checkout - @cd $(RELEASE_DIR) && make $@ - -local: secrets - $(info Setting up local development instance) - $(info Make sure you have run:) - $(info docker login repo.splunk.com) - docker-compose up -d - $(info Working directory is mapped to $(DOCKER_WORK). To connect:) - $(info docker exec -it -w $(DOCKER_WORK) local_qa-local_1 bash) - -/tmp/ssh-agent: - $(info Starting ssh agent) - @mkdir -p -m 700 ~/.ssh - @ssh-keyscan -p 22 $(GIT_SERVER) >> ~/.ssh/known_hosts - @eval $(shell ssh-agent -s >$@) - @if [ -s /run/secrets/app_deploy_key ]; then \ - cp /run/secrets/app_deploy_key ~/.ssh/id_rsa && \ - source $@ && ssh-add ~/.ssh/id_rsa; \ - else \ - cp ~/.ssh/app_deploy_key ~/.ssh/id_rsa && \ - chmod 600 ~/.ssh/id_rsa && \ - cat $@ && \ - source $@ && ssh-add ~/.ssh/id_rsa; \ - fi - -SECRET_FILES = $(foreach I,$(SECRETS),~/.docker/secrets/$I) -secrets: list_secrets $(SECRET_FILES) -list_secrets: - $(info From .docker/secrets these files are loaded:) - $(info $(SECRETS)) diff --git a/NOTICE b/NOTICE new file mode 100644 index 0000000..9f24a26 --- /dev/null +++ b/NOTICE @@ -0,0 +1,39 @@ +Splunk SOAR AWS Inspector +Copyright (c) 2019-2022 Splunk Inc. + +Third-party Software Attributions: + +Library: boto3 +Version: 1.17.30 +License: Apache 2.0 +Copyright 2013-2017 Amazon.com, Inc + +Library: botocore +Version: 1.20.30 +License: Apache 2.0 +Copyright 2008-2011 Andrey Petrov and contributors +Copyright 2012 Kenneth Reitz +Copyright 2012-2017 Amazon.com, Inc +Copyright 2013 Kenneth Reitz + +Library: docutils +Version: 0.16 +License: Public Domain +Copyright 2011 Günter Milde, + +Library: python-dateutil +Version: 2.8.1 +License: Apache 2.0 +License: BSD 3 +Copyright 2003-2011 - Gustavo Niemeyer +Copyright 2012-2014 - Tomi Pieviläinen +Copyright 2014-2016 - Yaron de Leeuw +Copyright 2015 - Paul Ganssle +Copyright 2015 - dateutil contributors (see AUTHORS file) +Copyright 2017 Paul Ganssle +Copyright 2017 dateutil contributors (see AUTHORS file) + +Library: requests +Version: 2.25.0 +License: Apache 2.0 +Kenneth Reitz diff --git a/README.md b/README.md new file mode 100644 index 0000000..51e2b82 --- /dev/null +++ b/README.md @@ -0,0 +1,300 @@ +[comment]: # "Auto-generated SOAR connector documentation" +# AWS Inspector + +Publisher: Splunk +Connector Version: 2\.2\.10 +Product Vendor: AWS +Product Name: Inspector +Product Version Supported (regex): "\.\*" +Minimum Product Version: 5\.2\.0 + +This app integrates with AWS Inspector to perform security assessment actions + +[comment]: # " File: README.md" +[comment]: # " Copyright (c) 2019-2022 Splunk Inc." +[comment]: # "" +[comment]: # "Licensed under the Apache License, Version 2.0 (the 'License');" +[comment]: # "you may not use this file except in compliance with the License." +[comment]: # "You may obtain a copy of the License at" +[comment]: # "" +[comment]: # " http://www.apache.org/licenses/LICENSE-2.0" +[comment]: # "" +[comment]: # "Unless required by applicable law or agreed to in writing, software distributed under" +[comment]: # "the License is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND," +[comment]: # "either express or implied. See the License for the specific language governing permissions" +[comment]: # "and limitations under the License." +[comment]: # "" +## Asset Configuration + +There are two ways to configure an AWS Inspector asset. The first is to configure the **access_key** +, **secret_key** and **region** variables. If it is preferred to use a role and Phantom is running +as an EC2 instance, the **use_role** checkbox can be checked instead. This will allow the role that +is attached to the instance to be used. Please see the [AWS EC2 and IAM +documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html) +for more information. + +## Assumed Role Credentials + +The optional **credentials** action parameter consists of temporary **assumed role** credentials +that will be used to perform the action instead of those that are configured in the **asset** . The +parameter is not designed to be configured manually, but should instead be used in conjunction with +the Phantom AWS Security Token Service app. The output of the **assume_role** action of the STS app +with data path **assume_role\_\:action_result.data.\*.Credentials** consists of a dictionary +containing the **AccessKeyId** , **SecretAccessKey** , **SessionToken** and **Expiration** key/value +pairs. This dictionary can be passed directly into the credentials parameter in any of the following +actions within a playbook. For more information, please see the [AWS Identity and Access Management +documentation](https://docs.aws.amazon.com/iam/index.html) . + + +### Configuration Variables +The below configuration variables are required for this Connector to operate. These variables are specified when configuring a Inspector asset in SOAR. + +VARIABLE | REQUIRED | TYPE | DESCRIPTION +-------- | -------- | ---- | ----------- +**access\_key** | optional | password | Access Key +**secret\_key** | optional | password | Secret Key +**region** | required | string | Default Region +**use\_role** | optional | boolean | Use attached role when running Phantom in EC2 + +### Supported Actions +[test connectivity](#action-test-connectivity) - Validate the asset configuration for connectivity using supplied configuration +[add target](#action-add-target) - Create a new assessment target using the ARN of the resource group +[delete target](#action-delete-target) - Delete the assessment target +[list templates](#action-list-templates) - List the assessment templates of assessment targets +[list targets](#action-list-targets) - List the assessment target ARNs within the AWS account +[run assessment](#action-run-assessment) - Start the assessment run specified by the assessment template ARN +[get findings](#action-get-findings) - List and describe the findings generated by the assessment runs + +## action: 'test connectivity' +Validate the asset configuration for connectivity using supplied configuration + +Type: **test** +Read only: **True** + +#### Action Parameters +No parameters are required for this action + +#### Action Output +No Output + +## action: 'add target' +Create a new assessment target using the ARN of the resource group + +Type: **generic** +Read only: **False** + +#### Action Parameters +PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS +--------- | -------- | ----------- | ---- | -------- +**target\_name** | required | Name of the target | string | `aws inspector target name` +**resource\_group\_arn** | optional | Resource Group ARN used for creating the assessment target | string | `aws inspector resource group arn` `aws arn` +**credentials** | optional | Assumed role credentials | string | `aws credentials` + +#### Action Output +DATA PATH | TYPE | CONTAINS +--------- | ---- | -------- +action\_result\.status | string | +action\_result\.parameter\.resource\_group\_arn | string | `aws inspector resource group arn` `aws arn` +action\_result\.parameter\.target\_name | string | `aws inspector target name` +action\_result\.data\.\*\.assessmentTargetArn | string | `aws inspector target arn` `aws arn` +action\_result\.summary\.total\_target\_arn | numeric | +action\_result\.message | string | +summary\.total\_objects | numeric | +summary\.total\_objects\_successful | numeric | +action\_result\.parameter\.credentials | string | `aws credentials` + +## action: 'delete target' +Delete the assessment target + +Type: **generic** +Read only: **False** + +Deleting an assessment target will also delete corresponding templates, runs, and findings\. + +#### Action Parameters +PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS +--------- | -------- | ----------- | ---- | -------- +**target\_arn** | required | ARN of the assessment target | string | `aws inspector target arn` `aws arn` +**credentials** | optional | Assumed role credentials | string | `aws credentials` + +#### Action Output +DATA PATH | TYPE | CONTAINS +--------- | ---- | -------- +action\_result\.status | string | +action\_result\.parameter\.target\_arn | string | `aws inspector target arn` `aws arn` +action\_result\.data | string | +action\_result\.summary | string | +action\_result\.message | string | +summary\.total\_objects | numeric | +summary\.total\_objects\_successful | numeric | +action\_result\.parameter\.credentials | string | `aws credentials` + +## action: 'list templates' +List the assessment templates of assessment targets + +Type: **investigate** +Read only: **True** + +In the parameter template\_name, the user can specify an explicit value or a string that contains a wildcard to match the value of the assessment template name\. + +#### Action Parameters +PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS +--------- | -------- | ----------- | ---- | -------- +**target\_arns** | optional | List of target ARNs | string | `aws inspector target arn` `aws arn` +**template\_name** | optional | Assessment template name pattern | string | +**limit** | optional | Maximum number of templates to be fetched | numeric | +**credentials** | optional | Assumed role credentials | string | `aws credentials` + +#### Action Output +DATA PATH | TYPE | CONTAINS +--------- | ---- | -------- +action\_result\.status | string | +action\_result\.parameter\.limit | numeric | +action\_result\.parameter\.target\_arns | string | `aws inspector target arn` `aws arn` +action\_result\.parameter\.template\_name | string | +action\_result\.data\.\*\.arn | string | +action\_result\.data\.\*\.assessmentRunCount | numeric | +action\_result\.data\.\*\.assessmentTargetArn | string | `aws inspector target arn` `aws arn` +action\_result\.data\.\*\.createdAt | string | +action\_result\.data\.\*\.durationInSeconds | numeric | +action\_result\.data\.\*\.name | string | +action\_result\.data\.\*\.rulesPackageArns | string | +action\_result\.summary\.total\_templates | numeric | +action\_result\.message | string | +summary\.total\_objects | numeric | +summary\.total\_objects\_successful | numeric | +action\_result\.parameter\.credentials | string | `aws credentials` + +## action: 'list targets' +List the assessment target ARNs within the AWS account + +Type: **investigate** +Read only: **True** + +In the parameter target\_name, the user can specify an explicit value or a string that contains a wildcard to match the value of the assessment target name\. + +#### Action Parameters +PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS +--------- | -------- | ----------- | ---- | -------- +**target\_name** | optional | Assessment target name pattern | string | `aws inspector target name` +**limit** | optional | Maximum number of targets to be fetched | numeric | +**credentials** | optional | Assumed role credentials | string | `aws credentials` + +#### Action Output +DATA PATH | TYPE | CONTAINS +--------- | ---- | -------- +action\_result\.status | string | +action\_result\.parameter\.limit | numeric | +action\_result\.parameter\.target\_name | string | `aws inspector target name` +action\_result\.data\.\*\.createdAt | string | +action\_result\.data\.\*\.name | string | `aws inspector target name` +action\_result\.data\.\*\.arn | string | `aws inspector target arn` `aws arn` +action\_result\.data\.\*\.updatedAt | string | +action\_result\.summary\.total\_targets | numeric | +action\_result\.message | string | +summary\.total\_objects | numeric | +summary\.total\_objects\_successful | numeric | +action\_result\.parameter\.credentials | string | `aws credentials` + +## action: 'run assessment' +Start the assessment run specified by the assessment template ARN + +Type: **generic** +Read only: **False** + +While an assessment run is in the COLLECTING\_DATA state then, all other assessment runs will fail\. + +#### Action Parameters +PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS +--------- | -------- | ----------- | ---- | -------- +**template\_arn** | required | Assessment template ARN to start the assessment run of | string | `aws inspector template arn` `aws arn` +**assessment\_run\_name** | optional | Name of the assessment run | string | +**credentials** | optional | Assumed role credentials | string | `aws credentials` + +#### Action Output +DATA PATH | TYPE | CONTAINS +--------- | ---- | -------- +action\_result\.status | string | +action\_result\.parameter\.assessment\_run\_name | string | +action\_result\.parameter\.template\_arn | string | `aws inspector template arn` `aws arn` +action\_result\.data\.\*\.arn | string | `aws inspector assessment run arn` `aws arn` +action\_result\.data\.\*\.assessmentTemplateArn | string | `aws inspector template arn` `aws arn` +action\_result\.data\.\*\.createdAt | string | +action\_result\.data\.\*\.dataCollected | boolean | +action\_result\.data\.\*\.durationInSeconds | numeric | +action\_result\.data\.\*\.name | string | +action\_result\.data\.\*\.rulesPackageArns | string | +action\_result\.data\.\*\.startedAt | string | +action\_result\.data\.\*\.state | string | +action\_result\.data\.\*\.stateChangedAt | string | +action\_result\.data\.\*\.stateChanges\.\*\.state | string | +action\_result\.data\.\*\.stateChanges\.\*\.stateChangedAt | string | +action\_result\.summary\.assessment\_run\_arn | numeric | `aws inspector assessment run arn` `aws arn` +action\_result\.message | string | +summary\.total\_objects | numeric | +summary\.total\_objects\_successful | numeric | +action\_result\.parameter\.credentials | string | `aws credentials` + +## action: 'get findings' +List and describe the findings generated by the assessment runs + +Type: **investigate** +Read only: **True** + +#### Action Parameters +PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS +--------- | -------- | ----------- | ---- | -------- +**assessment\_run\_arns** | optional | List of the assessment runs ARNs \(Max Limit\: 50\) | string | `aws inspector assessment run arn` `aws arn` +**severities** | optional | List of severity values \(case\-sensitive\) \(Max Limit\: 50\) | string | +**limit** | optional | Maximum number of findings to be fetched | numeric | +**credentials** | optional | Assumed role credentials | string | `aws credentials` + +#### Action Output +DATA PATH | TYPE | CONTAINS +--------- | ---- | -------- +action\_result\.status | string | +action\_result\.parameter\.assessment\_run\_arns | string | `aws inspector assessment run arn` `aws arn` +action\_result\.parameter\.limit | numeric | +action\_result\.parameter\.severities | string | +action\_result\.data\.\*\.arn | string | +action\_result\.data\.\*\.assetAttributes\.agentId | string | `aws ec2 instance id` +action\_result\.data\.\*\.assetAttributes\.amiId | string | +action\_result\.data\.\*\.assetAttributes\.hostname | string | `host name` +action\_result\.data\.\*\.assetAttributes\.networkInterfaces\.\*\.networkInterfaceId | string | +action\_result\.data\.\*\.assetAttributes\.networkInterfaces\.\*\.privateDnsName | string | +action\_result\.data\.\*\.assetAttributes\.networkInterfaces\.\*\.privateIpAddress | string | `ip` +action\_result\.data\.\*\.assetAttributes\.networkInterfaces\.\*\.privateIpAddresses\.\*\.privateDnsName | string | +action\_result\.data\.\*\.assetAttributes\.networkInterfaces\.\*\.privateIpAddresses\.\*\.privateIpAddress | string | `ip` +action\_result\.data\.\*\.assetAttributes\.networkInterfaces\.\*\.publicDnsName | string | +action\_result\.data\.\*\.assetAttributes\.networkInterfaces\.\*\.publicIp | string | `ip` +action\_result\.data\.\*\.assetAttributes\.networkInterfaces\.\*\.securityGroups\.\*\.groupId | string | +action\_result\.data\.\*\.assetAttributes\.networkInterfaces\.\*\.securityGroups\.\*\.groupName | string | +action\_result\.data\.\*\.assetAttributes\.networkInterfaces\.\*\.subnetId | string | +action\_result\.data\.\*\.assetAttributes\.networkInterfaces\.\*\.vpcId | string | `aws ec2 vpc id` +action\_result\.data\.\*\.assetAttributes\.schemaVersion | numeric | +action\_result\.data\.\*\.assetAttributes\.tags\.\*\.key | string | +action\_result\.data\.\*\.assetAttributes\.tags\.\*\.value | string | `email` +action\_result\.data\.\*\.assetType | string | +action\_result\.data\.\*\.attributes\.\*\.key | string | +action\_result\.data\.\*\.attributes\.\*\.value | string | +action\_result\.data\.\*\.confidence | numeric | +action\_result\.data\.\*\.createdAt | string | +action\_result\.data\.\*\.description | string | +action\_result\.data\.\*\.id | string | +action\_result\.data\.\*\.indicatorOfCompromise | boolean | +action\_result\.data\.\*\.numericSeverity | numeric | +action\_result\.data\.\*\.recommendation | string | +action\_result\.data\.\*\.schemaVersion | numeric | +action\_result\.data\.\*\.service | string | +action\_result\.data\.\*\.serviceAttributes\.assessmentRunArn | string | +action\_result\.data\.\*\.serviceAttributes\.rulesPackageArn | string | +action\_result\.data\.\*\.serviceAttributes\.schemaVersion | numeric | +action\_result\.data\.\*\.severity | string | +action\_result\.data\.\*\.title | string | +action\_result\.data\.\*\.updatedAt | string | +action\_result\.summary\.total\_findings | numeric | +action\_result\.summary\.total\_templates | numeric | +action\_result\.message | string | +summary\.total\_objects | numeric | +summary\.total\_objects\_successful | numeric | +action\_result\.parameter\.credentials | string | `aws credentials` \ No newline at end of file diff --git a/__init__.py b/__init__.py index be3feae..f7ee2da 100644 --- a/__init__.py +++ b/__init__.py @@ -1,5 +1,14 @@ # File: __init__.py -# Copyright (c) 2019-2021 Splunk Inc. # -# SPLUNK CONFIDENTIAL - Use or disclosure of this material in whole or in part -# without a valid written license from Splunk Inc. is PROHIBITED. +# Copyright (c) 2019-2022 Splunk Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software distributed under +# the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, +# either express or implied. See the License for the specific language governing permissions +# and limitations under the License. diff --git a/awsinspector.json b/awsinspector.json index dd98c99..92f6b42 100644 --- a/awsinspector.json +++ b/awsinspector.json @@ -9,12 +9,13 @@ "product_name": "Inspector", "product_version_regex": ".*", "publisher": "Splunk", - "license": "Copyright (c) 2019-2021 Splunk Inc.", - "app_version": "2.2.7", - "utctime_updated": "2021-08-27T00:29:00.000000Z", + "license": "Copyright (c) 2019-2022 Splunk Inc.", + "app_version": "2.2.10", + "utctime_updated": "2022-01-07T21:56:46.000000Z", "package_name": "phantom_awsinspector", "main_module": "awsinspector_connector.py", - "min_phantom_version": "4.9.39220", + "min_phantom_version": "5.2.0", + "fips_compliant": true, "latest_tested_versions": [ "Cloud tested on July 29th, 2021" ], @@ -31,20 +32,44 @@ "input_file": "wheels/botocore-1.20.30-py2.py3-none-any.whl" }, { - "module": "s3transfer", - "input_file": "wheels/s3transfer-0.2.0-py2.py3-none-any.whl" + "module": "certifi", + "input_file": "wheels/certifi-2021.10.8-py2.py3-none-any.whl" + }, + { + "module": "chardet", + "input_file": "wheels/chardet-3.0.4-py2.py3-none-any.whl" }, { "module": "docutils", "input_file": "wheels/docutils-0.16-py2.py3-none-any.whl" }, + { + "module": "idna", + "input_file": "wheels/idna-2.10-py2.py3-none-any.whl" + }, { "module": "jmespath", - "input_file": "wheels/jmespath-0.9.3-py2.py3-none-any.whl" + "input_file": "wheels/jmespath-0.10.0-py2.py3-none-any.whl" + }, + { + "module": "python_dateutil", + "input_file": "wheels/python_dateutil-2.8.1-py2.py3-none-any.whl" + }, + { + "module": "requests", + "input_file": "wheels/requests-2.25.0-py2.py3-none-any.whl" + }, + { + "module": "s3transfer", + "input_file": "wheels/s3transfer-0.3.7-py2.py3-none-any.whl" + }, + { + "module": "six", + "input_file": "wheels/six-1.16.0-py2.py3-none-any.whl" }, { "module": "urllib3", - "input_file": "wheels/urllib3-1.26.6-py2.py3-none-any.whl" + "input_file": "wheels/urllib3-1.26.7-py2.py3-none-any.whl" } ] }, diff --git a/awsinspector_connector.py b/awsinspector_connector.py index 9bf3ee4..76f8e11 100644 --- a/awsinspector_connector.py +++ b/awsinspector_connector.py @@ -1,25 +1,35 @@ # File: awsinspector_connector.py -# Copyright (c) 2019-2021 Splunk Inc. # -# SPLUNK CONFIDENTIAL - Use or disclosure of this material in whole or in part -# without a valid written license from Splunk Inc. is PROHIBITED. +# Copyright (c) 2019-2022 Splunk Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software distributed under +# the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, +# either express or implied. See the License for the specific language governing permissions +# and limitations under the License. +# # - - # Phantom App imports -import phantom.app as phantom -from phantom.base_connector import BaseConnector -from phantom.action_result import ActionResult -from awsinspector_consts import * +import ast +import datetime +import json +import sys +import phantom.app as phantom # Usage of the consts file is recommended import requests -import json -import datetime -from boto3 import client, Session +from boto3 import Session, client from botocore.config import Config from dateutil.tz import tzlocal -import ast +from phantom.action_result import ActionResult +from phantom.base_connector import BaseConnector + +from awsinspector_consts import * class RetVal(tuple): @@ -239,8 +249,8 @@ def _handle_list_targets(self, param): else: failure_code = res.get('failedItems', {}).get(target, {}).get('failureCode') error_message = failure_code if failure_code else 'Unknown error' - return action_result.set_status( - phantom.APP_ERROR, 'Error occurred while fetching the details of the assessment target: {0}. Error: {1}'.format(target, error_message)) + return action_result.set_status(phantom.APP_ERROR, + 'Error occurred while fetching the details of the assessment target: {0}. Error: {1}'.format(target, error_message)) for key, value in list(assessment_target.items()): if isinstance(value, datetime.datetime): @@ -301,8 +311,8 @@ def _handle_list_templates(self, param): else: failure_code = res.get('failedItems', {}).get(template, {}).get('failureCode') error_message = failure_code if failure_code else 'Unknown error' - return action_result.set_status( - phantom.APP_ERROR, 'Error occurred while fetching the details of the assessment template: {0}. Error: {1}'.format(template, error_message)) + return action_result.set_status(phantom.APP_ERROR, + 'Error occurred while fetching the details of the assessment template: {0}. Error: {1}'.format(template, error_message)) for key, value in list(assessment_template.items()): if isinstance(value, datetime.datetime): @@ -316,6 +326,7 @@ def _handle_list_templates(self, param): summary = action_result.update_summary({}) summary['total_templates'] = action_result.get_data_size() + self.save_progress("Handle list templates succeeded") return action_result.set_status(phantom.APP_SUCCESS) def _handle_add_target(self, param): @@ -356,6 +367,7 @@ def _handle_add_target(self, param): summary = action_result.update_summary({}) summary['total_target_arn'] = action_result.get_data_size() + self.save_progress("Handle add target succeeded") return action_result.set_status(phantom.APP_SUCCESS, "Target successfully added") def _handle_run_assessment(self, param): @@ -401,8 +413,8 @@ def _handle_run_assessment(self, param): else: failure_code = res.get('failedItems', {}).get(assessment_run_arn, {}).get('failureCode') error_message = failure_code if failure_code else 'Unknown error' - return action_result.set_status( - phantom.APP_ERROR, 'Error occurred while fetching the details of the assessment run: {0}. Error: {1}'.format(assessment_run_arn, error_message)) + return action_result.set_status(phantom.APP_ERROR, + 'Error occurred while fetching the details of the assessment run: {0}. Error: {1}'.format(assessment_run_arn, error_message)) for key, value in list(assessment_run.items()): if isinstance(value, datetime.datetime): @@ -424,6 +436,7 @@ def _handle_run_assessment(self, param): summary = action_result.update_summary({}) summary['assessment_run_arn'] = assessment_run_arn + self.save_progress("Handle run assessment succeeded") return action_result.set_status(phantom.APP_SUCCESS) def _handle_get_findings(self, param): @@ -484,8 +497,8 @@ def _handle_get_findings(self, param): if isinstance(value, datetime.datetime): finding[key] = str(value) else: - return action_result.set_status( - phantom.APP_ERROR, 'Error occurred while fetching the details of the findings: {0}'.format(str(list_findings[:min(10, len(list_findings))]))) + return action_result.set_status(phantom.APP_ERROR, + 'Error occurred while fetching the details of the findings: {0}'.format(str(list_findings[:min(10, len(list_findings))]))) for finding_detail in findings: action_result.add_data(finding_detail) @@ -495,6 +508,7 @@ def _handle_get_findings(self, param): summary = action_result.update_summary({}) summary['total_findings'] = action_result.get_data_size() + self.save_progress("Handle get findings succeeded") return action_result.set_status(phantom.APP_SUCCESS) def _handle_delete_target(self, param): @@ -528,6 +542,7 @@ def _handle_delete_target(self, param): action_result.add_data(response) + self.save_progress("Handle delete target succeeded") return action_result.set_status(phantom.APP_SUCCESS, "Target is deleted successfully") def _paginator(self, method_name, limit, action_result, **kwargs): @@ -605,9 +620,10 @@ def handle_action(self, param): if __name__ == '__main__': - import pudb import argparse + import pudb + pudb.set_trace() argparser = argparse.ArgumentParser() @@ -615,12 +631,14 @@ def handle_action(self, param): argparser.add_argument('input_test_json', help='Input Test JSON file') argparser.add_argument('-u', '--username', help='username', required=False) argparser.add_argument('-p', '--password', help='password', required=False) + argparser.add_argument('-v', '--verify', action='store_true', help='verify', required=False, default=False) args = argparser.parse_args() session_id = None username = args.username password = args.password + verify = args.verify if (username is not None and password is None): @@ -632,7 +650,7 @@ def handle_action(self, param): login_url = BaseConnector._get_phantom_base_url() + "login" try: print("Accessing the Login page") - response = requests.get(login_url, verify=False) + response = requests.get(login_url, verify=verify, timeout=AWSINSPECTOR_DEFAULT_TIMEOUT) csrftoken = response.cookies['csrftoken'] data = dict() @@ -645,11 +663,11 @@ def handle_action(self, param): headers['Referer'] = login_url print("Logging into Platform to get the session id") - r2 = requests.post(login_url, verify=False, data=data, headers=headers) + r2 = requests.post(login_url, verify=verify, data=data, headers=headers, timeout=AWSINSPECTOR_DEFAULT_TIMEOUT) session_id = r2.cookies['sessionid'] except Exception as e: print("Unable to get session id from the platform. Error: {0}".format(str(e))) - exit(1) + sys.exit(1) with open(args.input_test_json) as f: in_json = f.read() @@ -666,4 +684,4 @@ def handle_action(self, param): ret_val = connector._handle_action(json.dumps(in_json), None) print(json.dumps(json.loads(ret_val), indent=4)) - exit(0) + sys.exit(0) diff --git a/awsinspector_consts.py b/awsinspector_consts.py index a4b9a5f..6325a9a 100644 --- a/awsinspector_consts.py +++ b/awsinspector_consts.py @@ -1,8 +1,19 @@ # File: awsinspector_consts.py -# Copyright (c) 2019-2021 Splunk Inc. # -# SPLUNK CONFIDENTIAL - Use or disclosure of this material in whole or in part -# without a valid written license from Splunk Inc. is PROHIBITED. +# Copyright (c) 2019-2022 Splunk Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software distributed under +# the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, +# either express or implied. See the License for the specific language governing permissions +# and limitations under the License. +# +# # Define your constants here AWSINSPECTOR_INVALID_LIMIT = 'Please provide non-zero positive integer in limit' AWSINSPECTOR_MAX_PER_PAGE_LIMIT = 500 @@ -23,3 +34,4 @@ } AWSINSPECTOR_BAD_ASSET_CONFIG_MSG = 'Please provide access keys or select assume role check box in asset configuration' AWSINSPECTOR_ROLE_CREDENTIALS_FAILURE_MSG = 'Failed to retrieve EC2 role credentials from instance' +AWSINSPECTOR_DEFAULT_TIMEOUT = 30 diff --git a/awsinspector_get_findings.html b/awsinspector_get_findings.html index 202e2bd..326eb7b 100644 --- a/awsinspector_get_findings.html +++ b/awsinspector_get_findings.html @@ -10,10 +10,18 @@ {% block widget_content %}