analysis

package
v1.10.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Oct 15, 2020 License: AGPL-3.0 Imports: 0 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Config

type Config struct {
	AnalysisType              string              `yaml:"AnalysisType"`
	AutoRemediationID         string              `yaml:"AutoRemediationID"`
	AutoRemediationParameters map[string]string   `yaml:"AutoRemediationParameters"`
	DedupPeriodMinutes        int                 `yaml:"DedupPeriodMinutes"`
	Description               string              `yaml:"Description"`
	DisplayName               string              `yaml:"DisplayName"`
	Enabled                   bool                `yaml:"Enabled"`
	Filename                  string              `yaml:"Filename"`
	GlobalID                  string              `yaml:"GlobalID"`
	LogTypes                  []string            `yaml:"LogTypes"`
	OutputIds                 []string            `yaml:"OutputIds"`
	PolicyID                  string              `yaml:"PolicyID"`
	Reference                 string              `yaml:"Reference"`
	Reports                   map[string][]string `yaml:"Reports"`
	ResourceTypes             []string            `yaml:"ResourceTypes"`
	RuleID                    string              `yaml:"RuleID"`
	Runbook                   string              `yaml:"Runbook"`
	Severity                  string              `yaml:"Severity"`
	Suppressions              []string            `yaml:"Suppressions"`
	Tags                      []string            `yaml:"Tags"`
	Tests                     []Test              `yaml:"Tests"`
	Threshold                 int                 `yaml:"Threshold"`
}

Config defines the file format when parsing a bulk upload.

YAML tags required because the YAML unmarshaller needs them JSON tags not present because the JSON unmarshaller is easy

type Event

type Event struct {
	Data interface{} `json:"data"`
	ID   string      `json:"id"`
}

Event is a security log to be analyzed, e.g. a CloudTrail event.

type EventAnalysis

type EventAnalysis struct {
	ID         string        `json:"id"`
	Errored    []PolicyError `json:"errored"`
	Matched    []string      `json:"matched"`    // set of rule IDs which returned True
	NotMatched []string      `json:"notMatched"` // set of rule IDs which returned False
}

EventAnalysis is the python evaluation for a single event in the input.

func (EventAnalysis) ToResult added in v1.6.0

func (e EventAnalysis) ToResult() Result

ToResult normalizes an event analysis rule result into a Result. Since rule and policy analysis result are quite similar, this allows them to be handled consistently.

type Policy

type Policy struct {
	Body          string   `json:"body"`
	ID            string   `json:"id"`
	ResourceTypes []string `json:"resourceTypes"`
}

Policy is a subset of the policy fields needed for analysis, returns True if compliant.

type PolicyEngineInput

type PolicyEngineInput struct {
	Policies  []Policy   `json:"policies"`
	Resources []Resource `json:"resources"`
}

PolicyEngineInput is the request format for invoking the panther-policy-engine Lambda function.

type PolicyEngineOutput

type PolicyEngineOutput struct {
	Resources []Result `json:"resources"`
}

PolicyEngineOutput is the response format returned by the panther-policy-engine Lambda function.

type PolicyError

type PolicyError struct {
	ID      string `json:"id"`      // policy ID which caused runtime error
	Message string `json:"message"` // error message
}

PolicyError indicates an error when evaluating a policy.

type Resource

type Resource struct {
	Attributes interface{} `json:"attributes"`
	ID         string      `json:"id"`
	Type       string      `json:"type"`
}

Resource is a subset of the resource fields needed for analysis.

type Result

type Result struct {
	ID      string        `json:"id"` // resourceID
	Errored []PolicyError `json:"errored"`
	Failed  []string      `json:"failed"` // set of non-compliant policy IDs
	Passed  []string      `json:"passed"` // set of compliant policy IDs
}

Result is the analysis result for a single resource.

type Rule

type Rule struct {
	Body     string   `json:"body"`
	ID       string   `json:"id"`
	LogTypes []string `json:"logTypes"`
}

Rule evaluates streaming logs, returning True if an alert should be triggered.

type RulesEngineInput

type RulesEngineInput struct {
	Rules  []Rule  `json:"rules"`
	Events []Event `json:"events"`
}

RulesEngineInput is the request format when doing event-driven log analysis.

type RulesEngineOutput

type RulesEngineOutput struct {
	Events []EventAnalysis `json:"events"`
}

RulesEngineOutput is the response returned when invoking in log analysis mode.

type Test

type Test struct {
	ExpectedResult bool        `yaml:"ExpectedResult"`
	Log            interface{} `yaml:"Log"`
	LogType        string      `yaml:"LogType"`
	Name           string      `yaml:"Name"`
	Resource       interface{} `yaml:"Resource"`
	ResourceType   string      `yaml:"ResourceType"`
}

Test is a unit test definition when parsing policies in a bulk upload.

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL