@mike_rinehart much appreciated! I tried that adjusted code and this was the log output:
rapid7/Python 3 Script:2.0.4. Step name: run
Input: (below)
{'end': 1646370000, 'start': 1646283600}
Function: (below)
def run(params):
import requests
start = params['start']
end = params['end']
# Setup authentication headers for the request
headers = {"Accept": "application/json",
"x-aims-auth-token": "<API Key>"}
# Define the base URL for the API call. Don't include querystring here, since this will be included below
url = "https://api.cloudinsight.alertlogic.com/iris/v3/<Org Code>/incidents_by_time"
# query_string is used to limit the returned results to just a subset.
query_string = {
"start": 1577836800, # Replace with an input param if needed
"end": 1577923200, # Replace with an input param if needed
"return_value": "acknowledge_status,"
"attackers,"
"class_name,"
"closed_type,"
"devices,"
"victims,"
"threat_rating,"
"summary,"
"incident_id"}
# Send the API request with the URL, authentication headers, query string parameters, and timeout
s = requests.get(url,
params=query_string,
headers=headers,
timeout=(3.05, 120))
# Get the entire response, as a dictionary, from the API response
results = s.json()
newl = []
# The API returns a list of incidents, so this code will now loop through those incidents (for result in results)
for result in results:
# Valen - here is where you may want to use a tool like PostMan (https://www.postman.com/)
# to make a sample request to their API and then examine the output. It's not very clear from their
# documentation on what the response all contains, so looking at real output and then manipulating/extracting
# the data based off that may work better.
for ip in result['attackers']:
ipsplitt = ip.split(".")
ipsplit = []
for temp in ipsplitt:
try:
ipsplit.append(int(temp))
except:
# must be ipv6 - don't check for private ip addresses
ipsplit = ipsplitt
continue
if (len(ipsplit) == 4):
if (ipsplit[0] == 10 or (ipsplit[0] == 192 and ipsplit[1] == 168) or (ipsplit[0] == 172 and (
ipsplit[1] in [16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31]))):
# attacker from private, is victim public?
for ipv in result['victims']:
ipvsplitt = ip.split(".")
ipvsplit = []
for tempv in ipvsplitt:
try:
ipvsplit.append(int(tempv))
except:
# must be ipv6 - don't check for private ip addresses
continue
if (len(ipvsplit) == 4):
if (ipvsplit[0] == 10 or (ipvsplit[0] == 192 and ipvsplit[1] == 168) or (
ipvsplit[0] == 172 and (
ipvsplit[1] in [16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30,
31]))):
pass
else:
# attacker and victim reversed
result['attackers'].remove(result)
result['attackers'].append(ipv)
newl.append(result)
result = {}
result['incident_list'] = newl
return result
print(run({"start": "1565395200", "end": "1565913600"}))
Could not run supplied script. Error: Expecting value: line 1 column 1 (char 0)
Traceback (most recent call last):
File "/usr/local/lib/python3.7/site-packages/python_3_script_rapid7_plugin-2.0.4-py3.7.egg/komand_python_3_script/actions/run/action.py", line 20, in run
exec(func) # noqa: B102
File "<string>", line 83, in <module>
File "<string>", line 34, in run
File "/usr/local/lib/python3.7/site-packages/requests-2.22.0-py3.7.egg/requests/models.py", line 897, in json
return complexjson.loads(self.text, **kwargs)
File "/usr/local/lib/python3.7/json/__init__.py", line 348, in loads
return _default_decoder.decode(s)
File "/usr/local/lib/python3.7/json/decoder.py", line 337, in decode
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
File "/usr/local/lib/python3.7/json/decoder.py", line 355, in raw_decode
raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/lib/python3.7/site-packages/komand-1.0.1-py3.7.egg/komand/plugin.py", line 311, in handle_step
output = self.start_step(input_message['body'], 'action', logger, log_stream, is_test, is_debug)
File "/usr/local/lib/python3.7/site-packages/komand-1.0.1-py3.7.egg/komand/plugin.py", line 419, in start_step
output = func(params)
File "/usr/local/lib/python3.7/site-packages/python_3_script_rapid7_plugin-2.0.4-py3.7.egg/komand_python_3_script/actions/run/action.py", line 24, in run
raise Exception("Could not run supplied script. Error: " + str(e))
Exception: Could not run supplied script. Error: Expecting value: line 1 column 1 (char 0)
I was comparing it to some of the old Python outputs and I think it wasn’t seeing the tab usage in certain places in the input when I copied and pasted. I went through and put it all in by hand and got this error back;
Could not run supplied script. Error: 'return' outside function (<string>, line 60)
Traceback (most recent call last):
File "/usr/local/lib/python3.7/site-packages/python_3_script_rapid7_plugin-2.0.4-py3.7.egg/komand_python_3_script/actions/run/action.py", line 20, in run
exec(func) # noqa: B102
File "<string>", line 60
SyntaxError: 'return' outside function
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/lib/python3.7/site-packages/komand-1.0.1-py3.7.egg/komand/plugin.py", line 311, in handle_step
output = self.start_step(input_message['body'], 'action', logger, log_stream, is_test, is_debug)
File "/usr/local/lib/python3.7/site-packages/komand-1.0.1-py3.7.egg/komand/plugin.py", line 419, in start_step
output = func(params)
File "/usr/local/lib/python3.7/site-packages/python_3_script_rapid7_plugin-2.0.4-py3.7.egg/komand_python_3_script/actions/run/action.py", line 24, in run
raise Exception("Could not run supplied script. Error: " + str(e))
Exception: Could not run supplied script. Error: 'return' outside function (<string>, line 60)