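V-Stream API Examples
---------------------

Authentication
""""""""""""""

LOGIN
+++++

To authenticate with the HAWK V-Stream Interface, you must follow the normal
process for authenticating to the API.

.. code:: python

    #!/usr/bin/env python
    import requests
    import json
    import datetime
    import time
    import hashlib
    import sys

    from hawkAPI.lib.core.hawkcore import hawkcore
    from hawkAPI.lib.core.hawkapi import hawkapi
    from hawkAPI.lib.core.hawklib import hawklib

    url = "https://10.14.0.13:8080/API/1.1/"
    # Example credentials only; in a real deployment read them from the
    # environment or a secret store instead of committing them to source.
    username = "admin"
    password = "password"

    hawk = hawkcore(url)
    hawk.logfile("/var/log/hawk/hawk-test-api.log")
    # Disables TLS certificate verification for a lab host with a self-signed
    # certificate. Keep verification enabled (or trust the server's CA) in
    # production, otherwise the session and credentials can be intercepted.
    hawk.SSLVerify(False)

    try:
        hawk.logit("info", "Logging into API")
        hawk.login(username, password)
    except Exception as e:
        # `sys` must be imported for this exit to work (it was missing before).
        hawk.logit("critical", 'Unable to login to API, how can we continue?')
        sys.exit(-1)

    api = hawkapi(hawk)

This will properly authenticate you with the API and allow for further
communications.

Stream Search
"""""""""""""

Submit Search
+++++++++++++

To submit your widgets for analysis, simply follow the format found in the
example code below with an array of widgets.

.. code:: python

    #!/usr/bin/env python
    from __future__ import print_function

    import requests
    import json
    import datetime
    import time
    import hashlib
    import sys
    import threading

    from hawkAPI.lib.core.hawkcore import hawkcore
    from hawkAPI.lib.core.hawkapi import hawkapi
    from hawkAPI.lib.core.hawklib import hawklib

    url = "https://10.14.0.13:8080/API/1.1/"
    # Example credentials only; load real ones from the environment or a
    # secret store.
    username = "admin"
    password = "password"

    hawk = None
    # State shared between the websocket callbacks below. `running` gates the
    # status-poll loop; `master_id` is assigned by the server on confirm.
    # Every callback that writes these must declare them `global`, otherwise
    # the assignment creates a local and the poller never sees the change.
    running = False
    master_id = None


    def onOpen(ws):
        """Start a background thread that asks for search status every 10 s.

        `ws` is the open websocket handle passed in by hawkcore; it is
        captured by the poller so status requests go out on the same socket.
        """
        global running
        running = True

        def run(*args):
            # Poll until onDone clears `running`. Returning from this function
            # ends the thread, so no explicit thread.exit() is required.
            while running:
                time.sleep(10)
                obj = {
                    'action': 'search:events:status',
                    'args': {'master_id': master_id},
                }
                try:
                    hawk.websocket_send(ws, obj)
                except Exception as e:
                    print("Error: ", e)

        # The poller has to be scheduled explicitly; defining `run` alone
        # never sends a status request. A daemon thread so it cannot keep the
        # interpreter alive after the main loop exits.
        poller = threading.Thread(target=run)
        poller.daemon = True
        poller.start()


    def onData(*args):
        """Handle one inbound websocket message.

        `args[0]` is the websocket handle and `args[1]` the raw JSON text.
        Raises Exception when the payload cannot be decoded or the search
        start request cannot be sent.
        """
        global master_id
        msg = args[1]
        try:
            obj = json.loads(msg)
        except (ValueError, TypeError) as e:
            raise Exception("onData: failed to handle data, unable to continue: %s, %s" % (e, msg))

        # Ignore anything that is not an action message (including non-object
        # JSON such as a bare list or string).
        if not isinstance(obj, dict) or 'action' not in obj:
            return

        if obj['action'] == 'ready':
            # Server is ready: send the search definition.
            begin = "2016-12-15 00:00:00"
            end = "2016-12-15 01:00:00"
            # NOTE(review): only the third query bounds its window with `end`;
            # confirm whether the first two are meant to be open-ended.
            searchQuery = [
                {"column": ["alerts_type_name", "count alerts_type_name"], "group_by": "alerts_type_name", "order_by": "", "where": [], "limit": "10", "begin": begin, "job_id": "admin:236:0148411a-1586-f57d-afa1-c0b708f37f6f"},
                {"column": ["priority", "count priority", "count priority"], "group_by": "priority", "order_by": "priority ASC", "where": [], "limit": "10", "begin": begin, "job_id": "admin:237:1e28083f-cd5e-f4a8-48af-5881616dc32f"},
                {"column": ["weight", "alert_name", "priority", "alerts_type_name", "ip_src", "ip_dst", "avg weight", "count priority", "distinct count ip_src", "distinct count ip_dst"], "group_by": "alert_name", "order_by": "weight_avg DESC", "where": [], "limit": "5000", "begin": begin, "end": end, "job_id": "admin:238:d2ff9944-ad44-3562-ebc7-c831abeb580d"},
            ]
            obj = {
                'action': 'search:events:start',
                'args': searchQuery,
            }
            try:
                hawk.websocket_send(args[0], obj)
            except Exception as e:
                print(e)
                print(obj)
                raise Exception('Error sending start response for report: %s, %s' % (json.dumps(obj), e))
        elif obj['action'] == 'search:events:confirm':
            # Membership test on the key 'args' (the earlier version tested the
            # string literal 'args in obj', which is always true).
            if 'args' in obj and 'master_id' in obj['args']:
                master_id = obj['args']['master_id']
        elif obj['action'] == 'search:events:result':
            print(obj)
        elif obj['action'] == 'search:events:status':
            print(obj)


    def onError(*data):
        """Print whatever the websocket layer reports as an error."""
        print(data)


    def onDone(ws):
        """Stop the status poller once the websocket is closed."""
        global running
        print("Done found...")
        running = False


    hawk = hawkcore(url)
    hawk.logfile("/var/log/hawk/hawk-test-api.log")
    # Lab-only: certificate verification off for a self-signed host. Keep it
    # enabled in production.
    hawk.SSLVerify(False)

    try:
        hawk.logit("info", "Logging into API")
        hawk.login(username, password)
    except Exception as e:
        hawk.logit("critical", 'Unable to login to API, how can we continue?')
        sys.exit(-1)

    api = hawkapi(hawk)

    print('\n\nVStream\r\n\r\n')
    ws_ret = hawk.websocket(onOpen, onData, onError, onDone)
    hawk.websocket_start(ws_ret)

This will submit your request to the v-stream engine.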