Перейти к основному содержимому
Версия: 4.5.X

Интеграции со сторонними системами

Для интеграции со сторонними системами можно использовать API/gRPC/прямые запросы в базу.

Прямой запрос в PostgreSQL

Количество подключенных источников (целое число):

-- SELECT
-- COUNT(*)::int
-- FROM preferences.collectors
-- WHERE preferences.collectors.enabled = True

Количество запущенных директив (целое число):


-- SELECT
-- COUNT(*)::int
-- FROM corrdisp.realtime_correlators
-- WHERE corrdisp.realtime_correlators.active = True

Есть ID инцидента, необходимо получить все поля из инцидента из каждой колонки:

-- SELECT
-- id,
-- directive_id,
-- assigned_to,
-- is_retro,
-- initial_time,
-- registration_time,
-- close_time,
-- status,
-- severity,
-- event_doc_keys,
-- gossopka_sending_status,
-- security_label,
-- tenant_id,
-- correlator_ids,
-- recommendation,
-- has_errors,
-- updated_at,
-- comments,
-- status_reason,
-- histories,
-- gossopka_incident_type,
-- gossopka_incident_id,
-- response_stage,
-- description,
-- asset_ips,
-- threats_array,
-- gossopka_incident_category
-- FROM incman.incidents
-- WHERE id = 16

Все поля по инциденту и директиве:

-- SELECT
-- id,
-- -- directives START
-- directive_id,
-- name,
-- directive_severity,
-- directive_assigned_to,
-- reaction_script_filename,
-- reaction_is_enabled,
-- created_at,
-- directive_updated_at,
-- aggregate_in,
-- aggregated_min_count,
-- group_id,
-- gossopka,
-- directive_recommendation,
-- aggregate_greedily_count,
-- directive_gossopka_incident_type,
-- rule,
-- deleted_at,
-- risk_score,
-- author,
-- reference_url,
-- note,
-- timestamp_override,
-- rule_edit_state,
-- produce_incident,
-- produce_aggregated_event,
-- store_keys_in_event,
-- directive_threats_array,
-- directive_gossopka_incident_category,
-- -- END
-- assigned_to,
-- is_retro,
-- initial_time,
-- registration_time,
-- close_time,
-- status,
-- severity,
-- event_doc_keys,
-- gossopka_sending_status,
-- security_label,
-- tenant_id,
-- correlator_ids,
-- recommendation,
-- has_errors,
-- updated_at,
-- comments,
-- status_reason,
-- histories,
-- gossopka_incident_type,
-- gossopka_incident_id,
-- response_stage,
-- description,
-- asset_ips,
-- threats_array,
-- gossopka_incident_category
-- FROM incman.incidents
-- JOIN (
-- SELECT
-- id as dir_id,
-- name,
-- severity as directive_severity,
-- assigned_to as directive_assigned_to,
-- reaction_script_filename,
-- reaction_is_enabled,
-- created_at,
-- updated_at as directive_updated_at,
-- aggregate_in,
-- aggregated_min_count,
-- group_id,
-- gossopka,
-- recommendation as directive_recommendation,
-- aggregate_greedily_count,
-- gossopka_incident_type as directive_gossopka_incident_type,
-- rule,
-- deleted_at,
-- risk_score,
-- author,
-- reference_url,
-- note,
-- timestamp_override,
-- rule_edit_state,
-- produce_incident,
-- produce_aggregated_event,
-- store_keys_in_event,
-- threats_array as directive_threats_array,
-- gossopka_incident_category as directive_gossopka_incident_category
-- FROM corrdisp.directives
-- ) AS directive
-- ON directive_id = directive.dir_id
-- WHERE incman.incidents.id = 16

Прямой запрос в ClickHouse

Количество событий в секунду (целое число, необходимо обновлять раз в 5 сек)

-- SELECT
-- COUNT(*)
-- FROM komrad_events.events
-- WHERE dateDiff('second', events.w_time, now()) <= 1

Среднее значение за час в секунду

-- SELECT
-- COUNT(*) / (1 * 60 * 60)
-- FROM komrad_events.events
-- WHERE dateDiff('second', events.w_time, now()) <= 1 * 60 * 60

Число событий в минуту (epm), количество событий по протоколам

SELECT
'total_events_count_by_collector_type_last_24h' AS name,
count() as value,
'count events by collector type last 24 hours' AS help,
map('collector_type', collector_type) AS labels,
'counter' AS type
FROM events
WHERE key_time >= timestamp_sub(HOUR, 24, now())
GROUP BY collector_type

SELECT
'total_events_count_by_collector_type_last_hour' AS name,
count() as value,
'count events by collector type last hour' AS help,
map('collector_type', collector_type) AS labels,
'counter' AS type
FROM events
WHERE key_time >= timestamp_sub(HOUR, 1, now())
GROUP BY collector_type

Запросы в формате Prometheus

SELECT * FROM  komrad_events.view_widgets FORMAT Prometheus

Число событий в минуту (epm), количество событий по протоколам в prometheus формате для отображения в Grafana

CREATE OR REPLACE VIEW komrad_events.view_widgets
(
`name` String,
`value` Float64,
`help` String,
`labels` Map(String, String),
`type` String
) AS
SELECT names as name, value, help, labels, type from (
SELECT
'total_events_count' AS names,
total_rows as value,
'total IS events' AS help,
map('total_events_count', '') AS labels,
'counter' AS type
FROM system.tables
WHERE database = 'komrad_events' AND tables.name = 'events'
)
UNION ALL
SELECT
'total_events_count_by_collector_type_last_24h' AS name,
count() as value,
'count events by collector type last 24 hours' AS help,
map('collector_type', collector_type) AS labels,
'counter' AS type
FROM events
WHERE key_time >= timestamp_sub(HOUR, 24, now())
GROUP BY collector_type
UNION ALL
SELECT
'total_events_count_by_collector_type_last_hour' AS name,
count() as value,
'count events by collector type last hour' AS help,
map('collector_type', collector_type) AS labels,
'counter' AS type
FROM events
WHERE key_time >= timestamp_sub(HOUR, 1, now())
GROUP BY collector_type
UNION ALL
SELECT
'asset_ip_count' AS name,
count() as value,
'top asset_ips count last 24 hours' AS help,
map('asset_ip', arrayJoin(asset_ips)) AS labels,
'counter' AS type
FROM events
WHERE key_time >= timestamp_sub(HOUR, 24, now())
GROUP BY arrayJoin(asset_ips)
ORDER BY value DESC
LIMIT 10

API

Авторизация

Для авторизации необходимы:

  • Логин
  • Пароль
  • Корневой сертификат

Получение токена

  • Логин и сохранение токена (куки) в файл cookie_file.txt
curl --cacert ./ca.pem -i -H "Accept: application/json" -H "Content-Type: application/json" --data '{"Login":"admin","Password":"admin"}' -c cookie_file.txt https://[ip_komrad]/api/v1/login
  • Проверка сессии по файлу с токеном cookie_file.txt
curl --cacert ./ca.pem -i -H "Accept: application/json" -H "Content-Type: application/json" -X GET -b cookie_file.txt https://[ip_komrad]/api/v1/me
  • Пример получения данных по инциденту с использованием файла с токеном
curl --cacert ./ca.pem -i -H "Accept: application/json" -H "Content-Type: application/json" -X GET -b cookie_file.txt https://[ip_komrad]/api/v1/incidents/{\ID\}
осторожно

Проводите периодические проверки доступности сессии, время сессии указывается в конфигурации <div>`pauth-server`</div>

Запросы

Инциденты

Список инцидентов: /api/incidents (с пагинацией и фильтрацией) - можно получить все в списке, включая:

  • Тип инцидента (Status) /api/incidents/\{ID\}
  • Критичность инцидента (Severity) /api/incidents/\{ID\}
  • Статус реагирования (В работе/завершено и т.д.) - ГосСОПКА (GosSOPKASendingStatus) /api/incidents/\{ID\}

События

События за период:

/api/filtered-events?$sort=GenerationTime&$order=desc&$page=1&$search=&$limit=25&$format=list&From=2023-02-01T11:13:00.000Z&To=2023-02-01T13:13:00.000Z&Query=&CustomFields=CollectorID,GenerationTime,Raw,CollectorType

Технические сведения (IP, доменное имя, url, порт, протокол) (incman-incidents: asset_ips) <div>`/api/filtered-events/\{EventKey\}`</div>

Технические сведения о вредоносной системе (IP, доменное имя, url, порт, протокол, описание используемой уязвимости) /api/filtered-events/\{EventKey\}

Источники

Количество подключенных источников (целое число) /api/scanner-assets с пагинацией

Пример:

curl --cacert ./ca.pem "Accept: application/json" -H "Content-Type: application/json" -X GET -b  'https://[ip_komrad]/api/scanner-assets?$sort=CreatedAt&$order=desc&$page=1&$limit=25&$format=list'

Директивы

Количество запущенных директив(целое число) (/api/directives с пагинацией и фильтрацией

(DB: realtime_correlators))

curl -X 'GET' 'https://[ip_komrad]/api/directives?$page=1&$limit=25&$format=list' --cacert ./ca.pem -b cookie_file.txt -v