Documentation
Index
Constants
const RUDOLPH_DIRECT_SOURCE = "rudolph-direct"
Variables
This section is empty.
Functions
This section is empty.
Types
type EventPayload
type EventPayload struct {
	FileSHA  string          `json:"file_sha256"`
	UnixTime float64         `json:"execution_time"`
	Content  json.RawMessage `json:"-"`
}
EventPayload represents derived metadata for events uploaded with the UploadEvent endpoint.
type EventUploadEvent
type EventUploadEvent struct {
	ParentName                   string         `json:"parent_name"`
	FilePath                     string         `json:"file_path"`
	QuarantineTimestamp          int            `json:"quarantine_timestamp"`
	LoggedInUsers                []string       `json:"logged_in_users"`
	SigningChain                 []SigningEntry `json:"signing_chain"`
	SigningIDs                   string         `json:"signing_id"`
	TeamID                       string         `json:"team_id"`
	BundleID                     string         `json:"bundle_id"`
	CDHash                       string         `json:"cdhash"`
	ParentProcessID              int            `json:"ppid"`
	ExecutingUser                string         `json:"executing_user"`
	FileName                     string         `json:"file_name"`
	ExecutionTime                float64        `json:"execution_time"`
	FileSHA256                   string         `json:"file_sha256"`
	Decision                     string         `json:"decision"`
	ProcessID                    int            `json:"pid"`
	CurrentSessions              []string       `json:"current_sessions"`
	FileBundleID                 string         `json:"file_bundle_id,omitempty"`
	FileBundlePath               string         `json:"file_bundle_path,omitempty"`
	FileBundleExecutableRelPath  string         `json:"file_bundle_executable_rel_path,omitempty"`
	FileBundleName               string         `json:"file_bundle_name,omitempty"`
	FileBundleVersion            string         `json:"file_bundle_version,omitempty"`
	FileBundleShortVersionString string         `json:"file_bundle_version_string,omitempty"`
	FileBundleHash               string         `json:"file_bundle_hash,omitempty"`
	FileBundleHashMilliseconds   float64        `json:"file_bundle_hash_millis,omitempty"`
	FileBundleBinaryCount        int64          `json:"file_bundle_binary_count,omitempty"`
}
EventUploadEvent is a single event entry.
type EventUploadRequest
type EventUploadRequest struct {
Events []EventUploadEvent `json:"events"`
}
EventUploadRequest is the encapsulation of an /eventupload POST body sent by a Santa sensor.
type ForwardedEventUploadEvent
type ForwardedEventUploadEvent struct {
	MachineID string `json:"machine_id"`
	EventUploadEvent
}
ForwardedEventUploadEvent is a single event entry that adds the MachineID to the EventUploadEvent details and is sent to Firehose.
type PostEventuploadHandler
type PostEventuploadHandler struct {
// contains filtered or unexported fields
}
func (*PostEventuploadHandler) Boot
func (h *PostEventuploadHandler) Boot() (err error)
func (*PostEventuploadHandler) Handle
func (h *PostEventuploadHandler) Handle(request events.APIGatewayProxyRequest) (*events.APIGatewayProxyResponse, error)
func (*PostEventuploadHandler) Handles
func (h *PostEventuploadHandler) Handles(request events.APIGatewayProxyRequest) bool
type SigningEntry
type SigningEntry struct {
	CertificateName    string `json:"cn"`
	ValidUntil         int    `json:"valid_until"`
	Organization       string `json:"org"`
	ValidFrom          int    `json:"valid_from"`
	OrganizationalUnit string `json:"ou"`
	SHA256             string `json:"sha256"`
}
SigningEntry is optionally present when an event includes a binary that is signed.
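The types above (EventUploadEvent, EventUploadRequest, ForwardedEventUploadEvent and SigningEntry) together describe how an /eventupload body is decoded and stamped with a machine ID before it is forwarded. The following is an added example, not code from this package: it re-declares a trimmed copy of those structs with the page's JSON tags, decodes a constructed POST body, wraps each event as a ForwardedEventUploadEvent, and shows that the embedded struct's fields are promoted to the same JSON level as machine_id. The machine ID, file paths and hashes are constructed placeholders, and the BlockedUnsigned helper is this example's own triage convenience, not part of the handler.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// SigningEntry mirrors the type on this page, with the same JSON tags.
type SigningEntry struct {
	CertificateName    string `json:"cn"`
	ValidUntil         int    `json:"valid_until"`
	Organization       string `json:"org"`
	ValidFrom          int    `json:"valid_from"`
	OrganizationalUnit string `json:"ou"`
	SHA256             string `json:"sha256"`
}

// EventUploadEvent keeps only the subset of the page's fields that this
// example inspects; the tags match the page so the same JSON decodes into it.
type EventUploadEvent struct {
	FilePath        string         `json:"file_path"`
	FileName        string         `json:"file_name"`
	FileSHA256      string         `json:"file_sha256"`
	Decision        string         `json:"decision"`
	ExecutionTime   float64        `json:"execution_time"`
	ExecutingUser   string         `json:"executing_user"`
	ProcessID       int            `json:"pid"`
	ParentProcessID int            `json:"ppid"`
	TeamID          string         `json:"team_id"`
	SigningChain    []SigningEntry `json:"signing_chain"`
}

// EventUploadRequest is the /eventupload POST body, as on the page.
type EventUploadRequest struct {
	Events []EventUploadEvent `json:"events"`
}

// ForwardedEventUploadEvent embeds the event so that its fields are promoted
// (flattened) next to machine_id when marshalled, exactly as on the page.
type ForwardedEventUploadEvent struct {
	MachineID string `json:"machine_id"`
	EventUploadEvent
}

// sampleBody is a constructed POST body with one blocked, unsigned binary and
// one allowed, Apple-signed binary. Hashes and paths are placeholders.
const sampleBody = `{"events":[
  {"file_path":"/Users/alice/Downloads","file_name":"installer",
   "file_sha256":"PLACEHOLDER_SHA256_1","decision":"BLOCK_UNKNOWN",
   "execution_time":1700000000.5,"executing_user":"alice","pid":4242,"ppid":1,
   "signing_chain":[]},
  {"file_path":"/bin","file_name":"ls",
   "file_sha256":"PLACEHOLDER_SHA256_2","decision":"ALLOW_BINARY",
   "execution_time":1700000001,"executing_user":"alice","pid":4243,"ppid":4242,
   "signing_chain":[{"cn":"Software Signing","org":"Apple Inc.","ou":"Apple Software",
   "sha256":"PLACEHOLDER_CERT_SHA256","valid_from":1,"valid_until":2}]}
]}`

// ParseEventUpload decodes a sensor POST body. Unknown fields are tolerated on
// purpose: newer Santa releases may add keys the struct does not model.
func ParseEventUpload(body []byte) (EventUploadRequest, error) {
	var req EventUploadRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return EventUploadRequest{}, fmt.Errorf("eventupload: %w", err)
	}
	return req, nil
}

// Forward stamps every event with the sensor's machine ID, which is the shape
// the handler ships downstream (Firehose on this page).
func Forward(machineID string, req EventUploadRequest) []ForwardedEventUploadEvent {
	out := make([]ForwardedEventUploadEvent, 0, len(req.Events))
	for _, ev := range req.Events {
		out = append(out, ForwardedEventUploadEvent{MachineID: machineID, EventUploadEvent: ev})
	}
	return out
}

// BlockedUnsigned returns the file names of events Santa blocked that carry no
// signing chain: a hypothetical triage helper, not part of the package.
func BlockedUnsigned(events []ForwardedEventUploadEvent) []string {
	var names []string
	for _, ev := range events {
		if strings.HasPrefix(ev.Decision, "BLOCK_") && len(ev.SigningChain) == 0 {
			names = append(names, ev.FileName)
		}
	}
	return names
}

func main() {
	req, err := ParseEventUpload([]byte(sampleBody))
	if err != nil {
		panic(err)
	}
	fwd := Forward("machine-0001", req)
	raw, _ := json.Marshal(fwd[0])
	fmt.Println(string(raw)) // machine_id and the promoted event fields at one level
	fmt.Println("blocked unsigned:", BlockedUnsigned(fwd))
}
```

Because EventUploadEvent is embedded without a JSON tag, encoding/json promotes its fields, so a consumer downstream sees "machine_id" beside "file_sha256", "decision" and the rest rather than nested under a sub-object; that is the property a Firehose consumer's schema depends on.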