sherwind · May 27, 2021 07:39
diff --git a/alienvault-get_alarm.sh b/alienvault-get_alarm.sh
 #!/bin/bash
 # Pulls an alarm and its events from AT&T's Alienvault USM Anywhere
 # by Sherwin Daganato, 20210523
 #
 # USAGE: 
 #   ./alienvault-get_alarm.sh https://<usm-host>.alienvault.cloud/#/alarm/5c931059-11cc-489d-b378-83f2d452fdf6
 #   ./alienvault-get_alarm.sh 5c931059-11cc-489d-b378-83f2d452fdf6
 #
 # Requires API Client credentials which can be created by:
 #
 # FROM https://cybersecurity.att.com/documentation/api/alienvault-apis.htm
 # Create a New API Client in USM Anywhere:
 #   To get your client ID and secret code
 #     - Click the  icon and select Profile Settings.
 #     - On the Profile page select the API Clients tab.
 #       Click New Client.
 #       Enter an alphanumeric name for the client and click Create Client.
 #
 #     The system generates the secret code.


 # =-=-=-=-=-=-

 host="$USM_HOST"
 credentials="$USM_API_CLIENT:$USM_API_SECRET"

 # =-=-=--==-=-


 if [ -z "$1" ]; then echo "Alarm UUID is required!"; exit; fi
 uuid=${1##*/}


 access_token="$(curl -s --config - -X POST "https://$host.alienvault.cloud/api/2.0/oauth/token?grant_type=client_credentials" <<< 'user = "'"$credentials"'"' | jq -r .access_token)"
 alarm_json="$(curl -s -X GET "https://$host.alienvault.cloud/api/2.0/alarms/${uuid}" -H "Authorization: Bearer $access_token")"


 # If json is invalid, assumme "log" value is broken. Fix it by reencoding to json
 if ! echo "$alarm_json"  | jq -c &>/dev/null
 then
    alarm_json=$(echo "$alarm_json" | perl -MJSON::PP=encode_json -p -e 's/("log" ?: ?)"(.*?)",$/$1 .  encode_json($2) . ","/e')
 fi

 #echo "$alarm_json"

 echo "ALARM: "

 echo "$alarm_json" | jq --argjson keys '["uuid", "priority", "timestamp_occured_iso8601", "timestamp_received_iso8601", "rule_attack_tactic", "rule_attack_technique", "rule_dictionary", "rule_id", "rule_intent", "rule_method", "rule_strategy", "source_name", "source_username", "source_organisation", "source_country", "destination_name"]' '.highlight_fields += $keys | (.highlight_fields | unique) as $fields | with_entries( select( .key as $k | $fields | index($k) ) )'

 echo
 echo "EVENTS: "

 echo "$alarm_json" | jq '.events[] | .highlight_fields += ["uuid", "event_name", "timestamp_occured_iso8601", "timestamp_received_iso8601", "source_name", "destination_name", "suppressed", "source_country", "source_city", "plugin", "received_from", "log"] | (.highlight_fields | unique) as $fields | with_entries( select( .key as $k | $fields | index($k) ) ) | if has("access_key_id") then .access_key_id |= .[0:3] + "..." + .[-3:] else . end | if (.source_name|test("^[.0-9]+$")) then .source_name |= .[0:5] + "..." + .[-5:] else . end'
	#!/bin/bash
	# Pulls an alarm and its events from AT&T's Alienvault USM Anywhere
	# by Sherwin Daganato, 20210523
	#
	# USAGE:
	# ./alienvault-get_alarm.sh https://<usm-host>.alienvault.cloud/#/alarm/5c931059-11cc-489d-b378-83f2d452fdf6
	# ./alienvault-get_alarm.sh 5c931059-11cc-489d-b378-83f2d452fdf6
	#
	# Requires API Client credentials which can be created by:
	#
	# FROM https://cybersecurity.att.com/documentation/api/alienvault-apis.htm
	# Create a New API Client in USM Anywhere:
	# To get your client ID and secret code
	# - Click the icon and select Profile Settings.
	# - On the Profile page select the API Clients tab.
	# Click New Client.
	# Enter an alphanumeric name for the client and click Create Client.
	#
	# The system generates the secret code.


	# =-=-=-=-=-=-

	host="$USM_HOST"
	credentials="$USM_API_CLIENT:$USM_API_SECRET"

	# =-=-=--==-=-


	if [ -z "$1" ]; then echo "Alarm UUID is required!"; exit; fi
	uuid=${1##*/}


	access_token="$(curl -s --config - -X POST "https://$host.alienvault.cloud/api/2.0/oauth/token?grant_type=client_credentials" <<< 'user = "'"$credentials"'"' \| jq -r .access_token)"
	alarm_json="$(curl -s -X GET "https://$host.alienvault.cloud/api/2.0/alarms/${uuid}" -H "Authorization: Bearer $access_token")"


	# If json is invalid, assumme "log" value is broken. Fix it by reencoding to json
	if ! echo "$alarm_json" \| jq -c &>/dev/null
	then
	alarm_json=$(echo "$alarm_json" \| perl -MJSON::PP=encode_json -p -e 's/("log" ?: ?)"(.*?)",$/$1 . encode_json($2) . ","/e')
	fi

	#echo "$alarm_json"

	echo "ALARM: "

	echo "$alarm_json" \| jq --argjson keys '["uuid", "priority", "timestamp_occured_iso8601", "timestamp_received_iso8601", "rule_attack_tactic", "rule_attack_technique", "rule_dictionary", "rule_id", "rule_intent", "rule_method", "rule_strategy", "source_name", "source_username", "source_organisation", "source_country", "destination_name"]' '.highlight_fields += $keys \| (.highlight_fields \| unique) as $fields \| with_entries( select( .key as $k \| $fields \| index($k) ) )'

	echo
	echo "EVENTS: "

	echo "$alarm_json" \| jq '.events[] \| .highlight_fields += ["uuid", "event_name", "timestamp_occured_iso8601", "timestamp_received_iso8601", "source_name", "destination_name", "suppressed", "source_country", "source_city", "plugin", "received_from", "log"] \| (.highlight_fields \| unique) as $fields \| with_entries( select( .key as $k \| $fields \| index($k) ) ) \| if has("access_key_id") then .access_key_id \|= .[0:3] + "..." + .[-3:] else . end \| if (.source_name\|test("^[.0-9]+$")) then .source_name \|= .[0:5] + "..." + .[-5:] else . end'