7. V-Stream API Examples¶
7.1. Authentication¶
7.1.1. LOGIN¶
To authenticate with the HAWK V-Stream Interface, you must follow the normal process for authenticating to the API.
#!/usr/bin/env python
import requests
import json
import datetime
import time
import hashlib
from hawkAPI.lib.core.hawkcore import hawkcore
from hawkAPI.lib.core.hawkapi import hawkapi
from hawkAPI.lib.core.hawklib import hawklib
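url = "https://10.14.0.13:8080/API/1.1/"
username = "admin"
password = "password"

# Client handle for the API; every later call goes through this object.
hawk = hawkcore(url)
hawk.logfile("/var/log/hawk/hawk-test-api.log")
# Certificate verification is off for this example endpoint only. With it off
# the client cannot tell an impersonated server from the real appliance, so
# keep the default (verification on) wherever a trusted certificate is available.
hawk.SSLVerify(False)
try:
    hawk.logit("info", "Logging into API")
    hawk.login(username, password)
except Exception as e:
    # Include the exception text so the log shows why the login failed.
    hawk.logit("critical", 'Unable to login to API, how can we continue? (%s)' % e)
    # Equivalent to sys.exit(-1) without needing the ``sys`` import.
    raise SystemExit(-1)
# Higher-level wrapper built on the authenticated session.
api = hawkapi(hawk)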
This will properly authenticate you with the API and allow for further communications.
7.2. Stream Search¶
7.2.1. Submit Search¶
To submit your widgets for analysis, simply follow the format shown in the example code below, passing an array of widgets.
#!/usr/bin/env python
import datetime
import hashlib
import json
import threading
import time

import requests

from hawkAPI.lib.core.hawkcore import hawkcore
from hawkAPI.lib.core.hawkapi import hawkapi
from hawkAPI.lib.core.hawklib import hawklib
# Endpoint and credentials of the example appliance; substitute your own.
url = "https://10.14.0.13:8080/API/1.1/"
username = "admin"
password = "password"

# State shared by the websocket callbacks below: the API handle, the id of
# the running search, and the flag that keeps the status poller alive.
hawk = None
master_id = None
running = False
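def onOpen(ws):
    """Websocket 'open' callback: start polling the status of the search.

    A background thread asks the server for ``search:events:status`` every
    10 seconds until ``running`` is cleared by ``onDone``. The request is
    sent on ``ws``, the websocket handed to this callback.
    """
    # ``running`` is module state; without ``global`` this assignment would
    # only create a local and onDone could never stop the poller.
    global running
    running = True

    def run():
        # Polling loop; exits as soon as onDone clears the flag.
        while running:
            # send every 10 seconds
            time.sleep(10)
            if master_id is None:
                # No search:events:confirm received yet, nothing to poll.
                continue
            obj = {'action': 'search:events:status', 'args': {'master_id': master_id}}
            try:
                hawk.websocket_send(ws, obj)
            except Exception as e:
                print("Error: %s" % e)

    # Run the poller on its own thread so the callback returns immediately
    # and the websocket client can keep reading.
    poller = threading.Thread(target=run)
    poller.daemon = True  # do not keep the process alive once the socket is closed
    poller.start()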
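def _build_search_query(begin, end):
    """Return the list of report jobs submitted with ``search:events:start``.

    Each entry is one aggregation over the alert stream; the ``job_id``
    values are the identifiers used by this example.
    NOTE(review): only the third job carries an ``end`` bound and the second
    lists "count priority" twice -- confirm against the stream API docs.
    """
    return [
        {
            "column": ["alerts_type_name", "count alerts_type_name"],
            "group_by": "alerts_type_name",
            "order_by": "",
            "where": [],
            "limit": "10",
            "begin": begin,
            "job_id": "admin:236:0148411a-1586-f57d-afa1-c0b708f37f6f",
        },
        {
            "column": ["priority", "count priority", "count priority"],
            "group_by": "priority",
            "order_by": "priority ASC",
            "where": [],
            "limit": "10",
            "begin": begin,
            "job_id": "admin:237:1e28083f-cd5e-f4a8-48af-5881616dc32f",
        },
        {
            "column": ["weight", "alert_name", "priority", "alerts_type_name",
                       "ip_src", "ip_dst", "avg weight", "count priority",
                       "distinct count ip_src", "distinct count ip_dst"],
            "group_by": "alert_name",
            "order_by": "weight_avg DESC",
            "where": [],
            "limit": "5000",
            "begin": begin,
            "end": end,
            "job_id": "admin:238:d2ff9944-ad44-3562-ebc7-c831abeb580d",
        },
    ]


def onData(*args):
    """Websocket message callback; ``args`` is ``(ws, message)``.

    Dispatches on the ``action`` field of the JSON message:
    ``ready`` submits the search, ``search:events:confirm`` records the
    server-assigned ``master_id`` used by the status poller, and
    ``search:events:result`` / ``search:events:status`` print the payload.
    Messages without an ``action`` are ignored.

    Raises:
        Exception: if the message is not valid JSON, or the start request
            cannot be sent.
    """
    # ``master_id`` is module state read by onOpen's poller; without
    # ``global`` the assignment below would only create a local.
    global master_id
    ws, message = args[0], args[1]
    try:
        obj = json.loads(message)
    except ValueError as e:
        # Surface the raw payload so a malformed frame can be diagnosed.
        raise Exception("onData: failed to handle data, unable to continue: %s, %s" % (e, message))
    if not isinstance(obj, dict) or 'action' not in obj:
        return
    action = obj['action']
    if action == 'ready':
        # send our query
        begin = "2016-12-15 00:00:00"
        end = "2016-12-15 01:00:00"
        request = {'action': 'search:events:start', 'args': _build_search_query(begin, end)}
        try:
            hawk.websocket_send(ws, request)
        except Exception as e:
            print(e)
            print(request)
            raise Exception('Error sending start response for report: %s, %s' % (json.dumps(request), e))
    elif action == 'search:events:confirm':
        # 'args' is checked as a key; the literal string 'args in obj' would always be true.
        if 'args' in obj and 'master_id' in obj['args']:
            master_id = obj['args']['master_id']
    elif action == 'search:events:result':
        print(obj)
    elif action == 'search:events:status':
        print(obj)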
def onError(*data):
    """Websocket error callback: echo whatever the client passed in."""
    print(data)
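def onDone(ws):
    """Websocket close callback: stop the status-polling loop.

    ``running`` is module state shared with ``onOpen``; without the
    ``global`` declaration the assignment would only create a local and
    the poller would never stop.
    """
    global running
    print("Done found...")
    running = False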
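hawk = hawkcore(url)
hawk.logfile("/var/log/hawk/hawk-test-api.log")
# Certificate verification is off for this example endpoint only. With it off
# the client cannot tell an impersonated server from the real appliance, so
# keep the default (verification on) wherever a trusted certificate is available.
hawk.SSLVerify(False)
try:
    hawk.logit("info", "Logging into API")
    hawk.login(username, password)
except Exception as e:
    # Include the exception text so the log shows why the login failed.
    hawk.logit("critical", 'Unable to login to API, how can we continue? (%s)' % e)
    # Equivalent to sys.exit(-1) without needing the ``sys`` import.
    raise SystemExit(-1)
api = hawkapi(hawk)

print('\n\nVStream\r\n\r\n')
# Register the callbacks defined above and hand the socket to the client;
# onOpen starts the status poller and onDone stops it.
ws_ret = hawk.websocket(onOpen, onData, onError, onDone)
hawk.websocket_start(ws_ret)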
This will submit your request to the V-Stream engine.