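#!/usr/bin/env python3
#
# Copyright 2019, Mischa Peters , Netskope.
# Version 1.0 - 20191107
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
#
# Requires:
# - Python 3.x
# - requests
#
# Pulls recent "page" events from the Netskope REST API v1 and collects the
# domains of low-trust cloud apps so they can be handed to a Zscaler import.
import os
import sys
import json
import time
import re
import logging
import urllib.parse

import requests

# Tenant URL and API token are read from the environment so the credential is
# not stored in source control. The token that used to be hard-coded here must
# be treated as exposed and rotated in the Netskope tenant.
NTSKP_TENANT = os.environ.get('NTSKP_TENANT', 'https://astrazeneca.eu.goskope.com')
NTSKP_TOKEN = os.environ.get('NTSKP_TOKEN')
# Lookback window for the events query, in seconds (30 days).
NTSKP_PERIOD = '2592000'

# Only events for apps in these Netskope categories are considered.
cct_list = ["Cloud Storage", "Webmail"]
# ... and only when the app's Cloud Confidence Level is one of these.
ccl_list = ["low", "poor"]
# Allow-list: domains matching this pattern are never reported.
whitelist = re.compile("yahoo")
# Upper bound on the number of domains returned to the caller.
ZS_MAX_DOMAINS = 2

headers = {
    'Content-Type': 'application/json',
    'Cache-Control': 'no-cache',
    'User-Agent': 'Netskope_ZscalerImporter1.0',
}
# requests-style proxy mapping, e.g. {'https': 'http://proxy.example:3128'};
# None means no explicit proxy.
PROXY = None

# INFO rather than DEBUG: at DEBUG level the HTTP client library logs every
# request line, and the v1 API carries the token in the query string, so the
# credential would end up in the log output.
logging.basicConfig(level=logging.INFO)
logger = logging.getLogger('zsc')


def ntskp_get_domains(headers):
    """Return up to ZS_MAX_DOMAINS domains of low-trust cloud apps seen in page events.

    Queries the Netskope v1 events API for ``page`` events over NTSKP_PERIOD and
    keeps the domain of every event whose category is in ``cct_list`` and whose
    CCL is in ``ccl_list``, skipping allow-listed and duplicate domains. Each
    kept domain and its CCL is printed, followed by the number of events
    received, the timestamp of the last kept event and the returned list.

    Args:
        headers: HTTP headers sent with the API request.

    Returns:
        list[str]: the first ZS_MAX_DOMAINS distinct matching domains, in the
        order the API returned them.

    Exits the process with status 1 when the token is missing, the request
    fails or the response is not JSON.
    """
    if not NTSKP_TOKEN:
        logger.error('NTSKP_TOKEN is not set in the environment')
        sys.exit(1)

    # The token travels as a query parameter (v1 API); let requests encode it
    # rather than interpolating it into the URL string.
    params = {'token': NTSKP_TOKEN, 'type': 'page', 'timeperiod': NTSKP_PERIOD}
    try:
        r = requests.get(
            f"{NTSKP_TENANT}/api/v1/events",
            params=params,
            headers=headers,
            proxies=PROXY,
            timeout=60,  # never hang forever on an unresponsive tenant
        )
        r.raise_for_status()
        payload = r.json()
    except (requests.RequestException, ValueError) as e:
        # Log the exception only; the request URL is not logged because it
        # contains the token.
        logger.error('Error: %s', e)
        sys.exit(1)

    data = payload.get('data') or []
    ioc_list = []
    endtime = None  # timestamp of the last kept event; None when nothing matched
    for item in data:
        if 'domain' in item:
            domain = item['domain']
        else:
            domain = urllib.parse.urlparse(item.get('url', '')).netloc
        if whitelist.search(domain):
            continue
        if item.get('category') not in cct_list or item.get('ccl') not in ccl_list:
            continue
        if domain in ioc_list:
            continue
        print(f"{domain:<50s} {item['ccl']}")
        endtime = item.get('timestamp')
        ioc_list.append(domain)

    print(len(data))
    print(endtime)
    print(ioc_list[:ZS_MAX_DOMAINS])
    return ioc_list[:ZS_MAX_DOMAINS]


def main():
    """Script entry point: collect the domains, then print the current epoch time in ms."""
    ntskp_get_domains(headers)
    now = int(time.time() * 1000)
    print(now)


if __name__ == '__main__':
    main()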