cyberhaven-incidents 0.4.1 → 0.5.0

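--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 117a00860ffb6bcb9995a8cd5873f19fc79e59a4ce145c1dccf388f37d4148ab
- data.tar.gz: 0ba9dcedfa1bd2b20eeb23c46ff1c6951ebd06b0c9796ee54ccc531bfe405ded
+ metadata.gz: 7985905cb033dfe71fcb962f4be2ea680ca583df1e315fbc636a9beb2b38ec9d
+ data.tar.gz: 7d5d1d6b9fe260476a73a6e8ccf3e9cbee1cd5bd5002be83ea8178b5e2b17165
  SHA512:
- metadata.gz: 14708bcbd39f466f0d5de88bb13a29163abec446df9b69de2b585a9d60d07b62e8596db33966ac8919c0eb3b9354aa54d09fb65d7b45ec5ee9558984c016cad0
- data.tar.gz: 684d1cef9121a450e57fdfc9e9f3bdb09101145d0a79cb768be38e4ac30ec6fd5f3ad4d77f8db6b3112550de90517617e88b494b0500c5eaffbd72d944d004ad
+ metadata.gz: ccc5c00bd83dea570da1ba935074e87942b0b253e16ca716d447de05936d7d20b9559bb61bb9abde4fee7389df7d6f1f2e79240f72024fcc90e634382327d581
+ data.tar.gz: 672d631b289b7ac1df005c2c988bebcd429bdb77aec2cdfe6d918c56241cf5b0e9f47f3a11347a660c7efb1867ef51c3b14f07b428c348684f63f287920c2d6b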
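--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,6 +1,9 @@
 
+ ## 0.5.0
+ Add: Add incidents by policy name
+
  ## 0.4.1
- Add: add user civ
+ Add: add user csv export
  Fixed: pagination on user events
 
  ## 0.4.0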
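--- a/data/README.md
+++ b/data/README.md
@@ -38,24 +38,22 @@ Cyberhaven::Incidents::totalIgnoredIncidents
  Cyberhaven::Incidents::totalInProgressIncidents
  Cyberhaven::Incidents::totalResolvedIncidents
 
- ## Detailed Incident details by ID
+ ## Detailed Incident by ID
  Cyberhaven::Incidents::Id::DetailedJson("incidentID")
  Cyberhaven::Incidents::Id::DetailedYaml("incidentID")
  Cyberhaven::Incidents::Id::DetailedReport("incidentID")
 
- ## Summaried Incidents details by ID
+ ## Summarized Incident details by ID
  Cyberhaven::Incidents::Id::SummaryJson("incidentID")
  Cyberhaven::Incidents::Id::SummaryYaml("incidentID")
  Cyberhaven::Incidents::Id::SummaryReport("incidentID")
 
  ## Incident details by user
- puts Cyberhaven::Incidents::User::DetailedRaw("username", "status", numberOfEvents)
- puts Cyberhaven::Incidents::User::DetailedJson("username", "status", numberOfEvents)
-
- #example
- puts Cyberhaven::Incidents::User::DetailedJson("joedaily", "unresolved", 100)
-
- • status options are: "ignored", "in_progress", "resolved", or "unresolved"
+ puts Cyberhaven::Incidents::User::TotalIncidents("username")
+ puts Cyberhaven::Incidents::User::AllIncidents("username")
+ Cyberhaven::Incidents::User::AllIncidentsCSV("username")
+ puts Cyberhaven::Incidents::User::AllIncidentsJson("username")
+ puts Cyberhaven::Incidents::User::AllIncidentsYaml("username")
  ```
 
  ---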
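--- a/data/cyberhaven-incidents.gemspec
+++ b/data/cyberhaven-incidents.gemspec
@@ -3,6 +3,7 @@
  require_relative "lib/cyberhaven/incidents/version"
  require_relative "lib/cyberhaven/incidents/id"
  require_relative "lib/cyberhaven/incidents/user"
+ require_relative "lib/cyberhaven/incidents/policy"
 
  Gem::Specification.new do |spec|
  spec.name = "cyberhaven-incidents"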
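--- /dev/null
+++ b/data/lib/cyberhaven/incidents/policy.rb
@@ -0,0 +1,254 @@
+ # frozen_string_literal: true
+
+
+ require 'etc'
+ require 'csv'
+
+
+ module Cyberhaven
+ module Incidents
+ module Policy
+ def self.TotalPolicyIncidents(policyName)
+
+ $pageToken = "1"
+ loop do
+ unless $pageToken.empty?
+
+ if $pageToken == "1"
+ $pageToken = ""
+ end
+
+ $query ={
+ "filters":{
+ "category_names": [
+ "#{policyName}"
+ ],
+ },
+ "sort_by": "event_time",
+ "page_id": "#{$pageToken}",
+ "sort_desc": true
+ }.to_json
+
+ url = URI("https://#{$deployment}/api/rest/v1/incidents/list")
+ https = Net::HTTP.new(url.host, url.port)
+ https.use_ssl = true
+ request = Net::HTTP::Get.new(url)
+ request["Content-Type"] = "application/json"
+ request["Authorization"] = "Bearer #{$bearerToken}"
+ request.body = $query
+ response = https.request(request)
+ status = response.code
+ results = JSON.parse(response.read_body)
+
+ puts results["total"]
+ else
+ break
+ end
+ end
+ end
+
+ def self.AllIncidentsResults(policyName)
+
+ $incidentArray = []
+
+ $pageToken = "1"
+ loop do
+ unless $pageToken.empty?
+
+ if $pageToken == "1"
+ $pageToken = ""
+ end
+
+ $query ={
+ "filters":{
+ "resolution_statuses":[
+ "unresolved", "ignored", "in_progress", "resolved"
+ ],
+ "category_names": [
+ "#{policyName}"
+ ],
+ },
+ "sort_by": "event_time",
+ "page_id": "#{$pageToken}",
+ "page_size": 1000,
+ "sort_desc": true
+ }.to_json
+
+ url = URI("https://#{$deployment}/api/rest/v1/incidents/list")
+ https = Net::HTTP.new(url.host, url.port)
+ https.use_ssl = true
+ request = Net::HTTP::Get.new(url)
+ request["Content-Type"] = "application/json"
+ request["Authorization"] = "Bearer #{$bearerToken}"
+ request.body = $query
+ response = https.request(request)
+ status = response.code
+ results = JSON.parse(response.read_body)
+
+ $pageToken = results["next_page_id"]
+ results["incidents"].each do |item|
+ $incidentArray.push(item)
+ end
+ else
+ break
+ end
+ end
+ end
+
+ def self.AllIncidents(policyName)
+ AllIncidentsResults("#{policyName}")
+ return $incidentArray
+ end
+
+ def self.AllIncidentsCSV(policyName)
+ now_date = DateTime.now
+ datetime = now_date.strftime('%Y%m%d')
+ $currentUser = ENV['USER']
+ $reportPath="/Users/#{$currentUser}/Desktop/#{datetime}_#{policyName}_report.csv"
+
+ $pageToken = "1"
+ $incidentArray = []
+
+ loop do
+ unless $pageToken.empty?
+
+ if $pageToken == "1"
+ $pageToken = ""
+ end
+
+ $query ={
+ "filters":{
+ "resolution_statuses":[
+ "unresolved", "ignored", "in_progress", "resolved"
+ ],
+ "category_names": [
+ "#{policyName}"
+ ],
+ },
+ "page_id": "#{$pageToken}",
+ "sort_by": "event_time",
+ "page_size": 1000,
+ "sort_desc": true
+ }.to_json
+
+ url = URI("https://dailypay.cyberhaven.io/api/rest/v1/incidents/list")
+ https = Net::HTTP.new(url.host, url.port)
+ https.use_ssl = true
+ request = Net::HTTP::Get.new(url)
+ request["Content-Type"] = "application/json"
+ request["Authorization"] = "Bearer #{$bearerToken}"
+ request.body = $query
+ response = https.request(request)
+ status = response.code
+ results = JSON.parse(response.read_body)
+
+ $pageToken = results["next_page_id"]
+ # puts results["total"]
+ # puts results["next_page_id"]
+
+ array = []
+ results["incidents"].each do |item|
+ $incident_hash = {
+ "Event Time" => "#{item["event_time"]}",
+ "Trigger Time" => "#{item["trigger_time"]}",
+ "ID" => "#{item["id"]}",
+ "Incident Risk Score" => "#{item["risk_score"]}",
+ "Policy Name" => "#{item["category"]["name"]}",
+ "Policy Severity" => "#{item["category"]["severity"]}",
+ "User" => "#{item["user"]}",
+ "Assignee" => "#{item["assignee"]}",
+ "Status" => "#{item["resolution_status"]}",
+ "Severity" => "#{item["severity"]}",
+ "Dataset Name" => "#{item["dataset"]["name"]}",
+ "Category Severity" => "#{item["category"]["severity"]}",
+ "File" => "#{item["file"]}",
+ "Data Path" => "#{item["data"]["path"]}",
+ "Source Path" => "#{item["source_data"]["path"]}",
+ "Content Tags" => "#{item["content_tags"]}",
+ "Source Path " => "#{item["edge"]["source"]["path"]}",
+ "Source Extension" => "#{item["edge"]["source"]["extension"]}",
+ "Source Url" => "#{item["edge"]["source"]["url"]}",
+ "Source Browser Url" => "#{item["edge"]["source"]["browser_page_url"]}",
+ "Source Domain" => "#{item["edge"]["source"]["browser_page_domain"]}",
+ "Source Browser Title" => "#{item["edge"]["source"]["browser_page_title"]}",
+ "Source Hostname" => "#{item["edge"]["source"]["hostname"]}",
+ "Source URI" => "#{item["edge"]["source"]["content_uri"]}",
+ "Source Location" => "#{item["edge"]["source"]["location"]}",
+ "Source Location Outline" => "#{item["edge"]["source"]["location_outline"]}",
+ "Source Category" => "#{item["edge"]["source"]["category"]}",
+ "Source Links" => "#{item["edge"]["source"]["links"]}",
+ "Source ID" => "#{item["edge"]["source"]["links"]}",
+ "Tags Applied" => "#{item["edge"]["source"]["tags_applied"]}",
+ "Source Upload URI" => "#{item["edge"]["source"]["content_upload_uri"]}",
+ "Source Report URI" => "#{item["edge"]["source"]["content_report_uri"]}",
+ "Source Event Type" => "#{item["edge"]["source"]["event_type"]}",
+ "Source Sensor Name" => "#{item["edge"]["source"]["sensor_name"]}",
+ "Source Local User" => "#{item["edge"]["source"]["local_user_name"]}",
+ "Source Local User ID" => "#{item["edge"]["source"]["local_user_sid"]}",
+ "Source Local Time" => "#{item["edge"]["source"]["local_time"]}",
+ "Source Local Machine" => "#{item["edge"]["source"]["local_machine_name"]}",
+ "Source Endpoint ID" => "#{item["edge"]["source"]["endpoint_id"]}",
+ "Source Local ID" => "#{item["edge"]["source"]["local_id"]}",
+ "Destination Path" => "#{item["edge"]["destination"]["path"]}",
+ "Destination Extension" => "#{item["edge"]["destination"]["extension"]}",
+ "Destination Upload File ID" => "#{item["edge"]["destination"]["upload_file_id"]}",
+ "Destination Browser Page Title" => "#{item["edge"]["destination"]["browser_page_title"]}",
+ "Destination Hostname" => "#{item["edge"]["destination"]["hostname"]}",
+ "Destination MD5" => "#{item["edge"]["destination"]["md5_hash"]}",
+ "Destination File Size" => "#{item["edge"]["destination"]["file_size"]}",
+ "Destination Path Components" => "#{item["edge"]["destination"]["path_components"]}",
+ "Destination Path Basename" => "#{item["edge"]["destination"]["path_basename"]}",
+ "Destination Domain" => "#{item["edge"]["destination"]["domain"]}",
+ "Destination URI" => "#{item["edge"]["destination"]["content_uri"]}",
+ "Destination Location" => "#{item["edge"]["destination"]["location"]}",
+ "Destination Location Outline" => "#{item["edge"]["destination"]["location_outline"]}",
+ "Destination Category" => "#{item["edge"]["destination"]["category"]}",
+ "Destination Links" => "#{item["edge"]["destination"]["links"]}",
+ "Destination Event Type" => "#{item["edge"]["destination"]["event_type"]}",
+ "Destination Sensor Name" => "#{item["edge"]["destination"]["sensor_name"]}",
+ "Destination Local User" => "#{item["edge"]["destination"]["local_user_name"]}",
+ "Destination Local User ID" => "#{item["edge"]["destination"]["local_user_sid"]}",
+ "Destination Local Time" => "#{item["edge"]["destination"]["local_time"]}",
+ "Destination Local Machine" => "#{item["edge"]["destination"]["local_machine_name"]}",
+ "Destination Endpoint ID" => "#{item["edge"]["destination"]["endpoint_id"]}",
+ "Destination Local ID" => "#{item["edge"]["destination"]["local_id"]}",
+ "Destination Blocked" => "#{item["edge"]["destination"]["blocked"]}",
+ "Destination Data Size" => "#{item["edge"]["destination"]["data_size"]}",
+ "Destination Google Drive ID" => "#{item["edge"]["destination"]["gdrive_file_id"]}",
+ "Destination Cloud Provider" => "#{item["edge"]["destination"]["cloud_provider"]}",
+ "Destination Cloud App" => "#{item["edge"]["destination"]["cloud_app"]}",
+ "Destination Cloud Account" => "#{item["edge"]["destination"]["cloud_app_account"]}",
+ "Destination Scan ID" => "#{item["edge"]["destination"]["dlp_scan_linking_id"]}"
+ }
+ $incidentArray.push($incident_hash)
+ end
+ else
+ break
+ end
+ end
+
+ CSV.open("#{$reportPath}", 'w') do |csv|
+ # Write the header based on the keys of the first hash
+ csv << $incidentArray.first.keys
+
+ # Write each hash as a row in the CSV file
+ $incidentArray.each do |hash|
+ csv << hash.values
+ end
+ end
+ puts "Finished writting report: #{$reportPath}"
+ end
+
+ def self.AllIncidentsJson(policyName)
+ AllIncidentsResults("#{policyName}")
+ return $incidentArray.to_json
+ end
+
+ def self.AllIncidentsYaml(policyName)
+ AllIncidentsResults("#{policyName}")
+ return $incidentArray.to_yaml
+ end
+
+ end
+ end
+ end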
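Review bot: `AllIncidentsCSV` sends its request to the hard-coded host `https://dailypay.cyberhaven.io/api/rest/v1/incidents/list`, while `TotalPolicyIncidents` and `AllIncidentsResults` in the same file build the URL from `$deployment`, so the CSV export queries one specific tenant whatever the caller configured and ships that tenant hostname in a public gem; it should read `url = URI("https://#{$deployment}/api/rest/v1/incidents/list")` like its siblings. The report path interpolates the caller-supplied `policyName` straight into `/Users/#{$currentUser}/Desktop/...`, so a policy name containing `/` or `..` writes outside the Desktop and the literal `/Users` prefix makes the method macOS-only; `File.join(Dir.home, 'Desktop', "#{datetime}_#{policyName.gsub(/[^\w.-]/, '_')}_report.csv")` keeps the file where intended and no longer depends on `ENV['USER']` being set. All three request paths assign `status = response.code` and never look at it, `AllIncidentsResults` and `AllIncidentsCSV` then set `$pageToken = results["next_page_id"]` and call `.empty?` on it on the next iteration, and `CSV.open` calls `$incidentArray.first.keys`, so a non-2xx reply, a response without `next_page_id`, or a policy with no incidents presumably all end in a `NoMethodError` on `nil` rather than a clear error; `raise "incidents/list returned HTTP #{response.code}" unless response.is_a?(Net::HTTPSuccess)` after `https.request`, `$pageToken = results["next_page_id"].to_s`, and an early `return` when `$incidentArray` is empty would make each case explicit. The CSV rows are built from API-supplied strings (file names, browser page titles, URLs, tags) and written with `csv << hash.values` as-is, so a cell value starting with `=`, `+`, `-` or `@` is treated as a formula when the report is opened in a spreadsheet; prefixing such cells with a single quote before writing is the usual defensive step for exports of this kind. Finally, `"Source ID"` reuses `item["edge"]["source"]["links"]`, the same value already written under `"Source Links"`, which looks like a copy-paste slip, the `"Source Path "` key is distinguished from `"Source Path"` only by a trailing space, `array = []` is never used, and the whole module keeps its working state in globals (`$pageToken`, `$query`, `$incidentArray`, `$incident_hash`) that any other module in the gem can overwrite between the fetch and `return $incidentArray`, where locals would do.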
@@ -3,7 +3,7 @@
3
3
 
4
4
  require 'etc'
5
5
  require 'csv'
6
- require "set"
6
+ # require "set"
7
7
 
8
8
 
9
9
  module Cyberhaven
@@ -156,6 +156,7 @@ module Cyberhaven
156
156
  "Event Time" => "#{item["event_time"]}",
157
157
  "Trigger Time" => "#{item["trigger_time"]}",
158
158
  "ID" => "#{item["id"]}",
159
+ "Incident Risk Score" => "#{item["risk_score"]}",
159
160
  "Policy Name" => "#{item["category"]["name"]}",
160
161
  "Policy Severity" => "#{item["category"]["severity"]}",
161
162
  "User" => "#{item["user"]}",
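--- a/data/lib/cyberhaven/incidents/version.rb
+++ b/data/lib/cyberhaven/incidents/version.rb
@@ -2,6 +2,6 @@
 
  module Cyberhaven
  module Incidents
- VERSION = "0.4.1"
+ VERSION = "0.5.0"
  end
  end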
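--- a/data/lib/cyberhaven/incidents.rb
+++ b/data/lib/cyberhaven/incidents.rb
@@ -9,6 +9,7 @@ require 'base64'
  require_relative "incidents/version"
  require_relative "incidents/id"
  require_relative "incidents/user"
+ require_relative "incidents/policy"
 
  module Cyberhaven
  module Incidents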
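--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: cyberhaven-incidents
  version: !ruby/object:Gem::Version
- version: 0.4.1
+ version: 0.5.0
  platform: ruby
  authors:
  - nic scott
  autorequire:
  bindir: exe
  cert_chain: []
- date: 2024-01-07 00:00:00.000000000 Z
+ date: 2024-01-20 00:00:00.000000000 Z
  dependencies: []
  description:
  email:
@@ -24,6 +24,7 @@ files:
  - cyberhaven-incidents.gemspec
  - lib/cyberhaven/incidents.rb
  - lib/cyberhaven/incidents/id.rb
+ - lib/cyberhaven/incidents/policy.rb
  - lib/cyberhaven/incidents/user.rb
  - lib/cyberhaven/incidents/version.rb
  - sig/cyberhaven/incidents.rbs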