netskope/Netskope_APIEvents-08.py


#!/usr/bin/env python3
#
# Copyright 2019, Mischa Peters <mischa AT netskope DOT com>, Netskope.
# Version 1.0 - 20191107
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
#
# Requires:
# - Python 3.x
#
import os
import sys
import json
import time
import re
import logging
import urllib.parse
import requests
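# Tenant base URL and the REST API v1 token used for the events query.
NTSKP_TENANT = 'https://astrazeneca.eu.goskope.com'
# Read the token from the NTSKP_TOKEN environment variable when it is set; the
# literal fallback is a credential committed to source and should be rotated
# and dropped from this file (kept only so existing invocations keep working).
NTSKP_TOKEN = os.environ.get('NTSKP_TOKEN', '604d0a3b26ea9b22c3ec42130ebbfa8e')
# Look-back window passed as `timeperiod=`; presumably seconds (2592000 = 30 days).
NTSKP_PERIOD = '2592000'
# Event categories and CCL values that qualify a domain for the IoC list.
cct_list = ["Cloud Storage", "Webmail"]
ccl_list = ["low", "poor"]
# Domains matching this pattern are skipped (substring match via re.search).
whitelist = re.compile("yahoo")
# Accumulated qualifying domains; appended to by ntskp_get_domains().
ioc_list = []
# Upper bound on the number of domains printed/returned at the end of a run.
ZS_MAX_DOMAINS = 2
headers = {'Content-Type': 'application/json', 'Cache-Control': 'no-cache', 'User-Agent': 'Netskope_ZscalerImporter1.0'}
# Handed straight to requests as `proxies=`; the empty string means no proxy.
PROXY=''
logging.basicConfig(level=logging.DEBUG)
# NOTE: this rebinds the module name `logging` to the 'zsc' Logger; from here
# on only Logger methods (error/info/...) are reachable through that name.
logging = logging.getLogger('zsc')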
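def _event_domain(item):
    """Return the domain for one event: its 'domain' field, else the URL host."""
    if "domain" in item:
        return item['domain']
    return urllib.parse.urlparse(item['url']).netloc


def _redact_token(message):
    """Mask the API token wherever it appears in *message* (e.g. an HTTPError URL)."""
    if not NTSKP_TOKEN:
        return message
    return message.replace(NTSKP_TOKEN, '<redacted>')


def ntskp_get_domains(headers):
    """Query Netskope page events and collect low-confidence cloud domains.

    Fetches ``/api/v1/events`` for the last ``NTSKP_PERIOD`` and appends to the
    module-level ``ioc_list`` every event domain whose category is in
    ``cct_list`` and whose ``ccl`` is in ``ccl_list``, skipping domains matched
    by ``whitelist`` and domains already in the list.  Each accepted domain is
    printed as it is found, followed by the event count, the timestamp of the
    last accepted event and the truncated list.

    Args:
        headers: HTTP headers forwarded to ``requests.get``.

    Returns:
        The first ``ZS_MAX_DOMAINS`` entries of ``ioc_list``.

    Raises:
        SystemExit: on any request or HTTP error (after logging it).
        KeyError: if the response has no ``data`` or an event lacks the
            ``category``/``ccl``/``timestamp`` fields (or ``url`` when
            ``domain`` is absent).
    """
    uri = f"{NTSKP_TENANT}/api/v1/events?token={NTSKP_TOKEN}&type=page&timeperiod={NTSKP_PERIOD}"
    try:
        r = requests.get(uri, headers=headers, proxies=PROXY)
        r.raise_for_status()
    except Exception as e:
        # requests' HTTPError text embeds the request URL, and with it the
        # token in the query string; redact before it reaches the log.
        logging.error('Error: %s', _redact_token(str(e)))
        sys.exit(1)
    payload = r.json()  # named `payload` so the json module is not shadowed
    events = payload['data']
    limit = len(events)
    endtime = None  # timestamp of the last accepted event, if any
    for item in events:
        domain = _event_domain(item)
        if whitelist.search(domain):
            continue
        if item['category'] not in cct_list or item['ccl'] not in ccl_list:
            continue
        if domain in ioc_list:
            continue
        print(f"{domain:<50s} {item['ccl']}")
        endtime = item['timestamp']
        ioc_list.append(domain)
    print(limit)
    # Was an UnboundLocalError when no event qualified; now prints None.
    print(endtime)
    # The former `starttime = endtime - (10 * 60)` was never used and is dropped.
    print(ioc_list[:ZS_MAX_DOMAINS])
    return ioc_list[:ZS_MAX_DOMAINS]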
# Script entry: run the collector once (it prints as it goes), then report the
# wall-clock time as integer epoch milliseconds.
ntskp_get_domains(headers)
now = int(1000 * time.time())
print(now)