limacharlie

package module
v0.0.0-...-86135eb Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 9, 2025 License: Apache-2.0 Imports: 35 Imported by: 10

Documentation

Index

Constants

View Source 
const (
	OrgConfigLatestVersion = 3
)

Variables

View Source 
var ArchitectureStrings = map[uint32]string{
	Architectures.X86:       "x86",
	Architectures.X64:       "x64",
	Architectures.ARM:       "arm",
	Architectures.ARM64:     "arm64",
	Architectures.Alpine64:  "alpine64",
	Architectures.Chrome:    "chromium",
	Architectures.WireGuard: "wireguard",
	Architectures.ARML:      "arml",

	Architectures.USPAdapter: "usp_adapter",
}
View Source 
var Architectures = struct {
	X86        uint32
	X64        uint32
	ARM        uint32
	ARM64      uint32
	Alpine64   uint32
	Chrome     uint32
	WireGuard  uint32
	ARML       uint32
	USPAdapter uint32
}{
	X86:       0x00000001,
	X64:       0x00000002,
	ARM:       0x00000003,
	ARM64:     0x00000004,
	Alpine64:  0x00000005,
	Chrome:    0x00000006,
	WireGuard: 0x00000007,
	ARML:      0x00000008,

	USPAdapter: 0x00000009,
}
View Source 
var ErrorNoAPIKeyConfigured = errors.New("no api key configured")

ErrorNoAPIKeyConfigured is returned when no api key is given to a client

View Source 
var ErrorNotImplemented = errors.New("not implemented")

Returned for a feature that is not yet implemented to parity with the Python SDK.

View Source 
var ErrorResourceNotFound = errors.New("resource not found")

ErrorResourceNotFound is returned when querying for a resource that does not exist or that the client does not have the permission to see

View Source 
var InsightObjectTypeInfoTypes = struct {
	Summary  InsightObjectTypeInfoType
	Location InsightObjectTypeInfoType
}{
	Summary:  "summary",
	Location: "locations",
}
View Source 
var InsightObjectTypes = struct {
	Domain      InsightObjectType
	Username    InsightObjectType
	IP          InsightObjectType
	FileHash    InsightObjectType
	FilePath    InsightObjectType
	FileName    InsightObjectType
	ServiceName InsightObjectType
	PackageName InsightObjectType
}{
	Domain:      "domain",
	Username:    "user",
	IP:          "ip",
	FileHash:    "file_hash",
	FilePath:    "file_path",
	FileName:    "file_name",
	ServiceName: "service_name",
	PackageName: "package_name",
}
View Source 
var KnownHives = []string{
	"dr-general",
	"dr-managed",
	"dr-service",
	"fp",
	"cloud_sensor",
	"extension_config",
	"yara",
	"secret",
	"lookup",
	"query",
	"model",
	"playbook",
}
View Source 
var OrgSyncOperationElementType = struct {
	DRRule          string
	FPRule          string
	Output          string
	Resource        string
	Extension       string
	Integrity       string
	ExfilEvent      string
	ExfilWatch      string
	Artifact        string
	NetPolicy       string
	OrgValue        string
	Hives           string
	InstallationKey string
	YaraRule        string
	YaraSource      string
}{
	DRRule:          "dr-rule",
	FPRule:          "fp-rule",
	Output:          "output",
	Resource:        "resource",
	Extension:       "extension",
	Integrity:       "integrity",
	ExfilEvent:      "exfil-list",
	ExfilWatch:      "exfil-watch",
	Artifact:        "artifact",
	OrgValue:        "org-value",
	Hives:           "hives",
	InstallationKey: "installation-key",
	YaraRule:        "yara-rule",
	YaraSource:      "yara-source",
}
View Source 
var OutputDataTypes = []OutputDataType{
	OutputType.Event,
	OutputType.Detect,
	OutputType.Audit,
	OutputType.Deployment,
	OutputType.Artifact,
}

OutputDataTypes is slice of all supported type of data

View Source 
var OutputType = struct {
	Event      OutputDataType
	Detect     OutputDataType
	Audit      OutputDataType
	Deployment OutputDataType
	Artifact   OutputDataType
	Tailored   OutputDataType
	Billing    OutputDataType
}{
	Event:      "event",
	Detect:     "detect",
	Audit:      "audit",
	Deployment: "deployment",
	Artifact:   "artifact",
	Tailored:   "tailored",
	Billing:    "billing",
}

OutputType is all supported type of data

View Source 
var OutputTypes = struct {
	S3               OutputModuleType
	GCS              OutputModuleType
	Pubsub           OutputModuleType
	BigQuery         OutputModuleType
	SCP              OutputModuleType
	SFTP             OutputModuleType
	Slack            OutputModuleType
	Syslog           OutputModuleType
	Webhook          OutputModuleType
	WebhookBulk      OutputModuleType
	SMTP             OutputModuleType
	Humio            OutputModuleType
	Kafka            OutputModuleType
	AzureStorageBlob OutputModuleType
	AzureEventHub    OutputModuleType
	Elastic          OutputModuleType
	Tines            OutputModuleType
	Torq             OutputModuleType
	DataDog          OutputModuleType
	OpenSearch       OutputModuleType
	Websocket        OutputModuleType
}{
	S3:               "s3",
	GCS:              "gcs",
	Pubsub:           "pubsub",
	BigQuery:         "bigquery",
	SCP:              "scp",
	SFTP:             "sftp",
	Slack:            "slack",
	Syslog:           "syslog",
	Webhook:          "webhook",
	WebhookBulk:      "webhook_bulk",
	SMTP:             "smtp",
	Humio:            "humio",
	Kafka:            "kafka",
	AzureStorageBlob: "azure_storage_blog",
	AzureEventHub:    "azure_event_hub",
	Elastic:          "elastic",
	Tines:            "tines",
	Torq:             "torq",
	DataDog:          "datadog",
	OpenSearch:       "opensearch",
	Websocket:        "websocket",
}

OutputTypes is all supported modules

View Source 
var PlatformStrings = map[uint32]string{
	Platforms.Windows:  "windows",
	Platforms.Linux:    "linux",
	Platforms.MacOS:    "macos",
	Platforms.IOS:      "ios",
	Platforms.Android:  "android",
	Platforms.ChromeOS: "chrome",
	Platforms.VPN:      "vpn",

	Platforms.Text:              "text",
	Platforms.JSON:              "json",
	Platforms.GCP:               "gcp",
	Platforms.AWS:               "aws",
	Platforms.CarbonBlack:       "carbon_black",
	Platforms.OnePassword:       "1password",
	Platforms.Office365:         "office365",
	Platforms.Sophos:            "sophos",
	Platforms.ITGlue:            "itglue",
	Platforms.K8sPods:           "k8spods",
	Platforms.Zeek:              "zeek",
	Platforms.MacUnifiedLogging: "mac_unified_logging",
	Platforms.Crowdstrike:       "crowdstrike",
	Platforms.Xml:               "xml",
	Platforms.Wel:               "wel",
	Platforms.MsDefender:        "msdefender",
	Platforms.Duo:               "duo",
	Platforms.Okta:              "okta",
	Platforms.SentinelOne:       "sentinel_one",
	Platforms.GitHub:            "github",
	Platforms.Slack:             "slack",
	Platforms.CEF:               "cef",
	Platforms.LCEvent:           "lc_event",
	Platforms.AzureAD:           "azure_ad",
	Platforms.AzureMonitor:      "azure_monitor",
	Platforms.CanaryToken:       "canary_token",
	Platforms.GuardDuty:         "guard_duty",
}
View Source 
var Platforms = struct {
	Windows  uint32
	Linux    uint32
	MacOS    uint32
	IOS      uint32
	Android  uint32
	ChromeOS uint32
	VPN      uint32

	// USP Formats
	Text              uint32
	JSON              uint32
	GCP               uint32
	AWS               uint32
	CarbonBlack       uint32
	OnePassword       uint32
	Office365         uint32
	Sophos            uint32
	ITGlue            uint32
	K8sPods           uint32
	Zeek              uint32
	MacUnifiedLogging uint32
	Crowdstrike       uint32
	Xml               uint32
	Wel               uint32
	MsDefender        uint32
	Duo               uint32
	Okta              uint32
	SentinelOne       uint32
	GitHub            uint32
	Slack             uint32
	CEF               uint32
	LCEvent           uint32
	AzureAD           uint32
	AzureMonitor      uint32
	CanaryToken       uint32
	GuardDuty         uint32
}{
	Windows:  0x10000000,
	Linux:    0x20000000,
	MacOS:    0x30000000,
	IOS:      0x40000000,
	Android:  0x50000000,
	ChromeOS: 0x60000000,
	VPN:      0x70000000,

	Text:              0x80000000,
	JSON:              0x90000000,
	GCP:               0xA0000000,
	AWS:               0xB0000000,
	CarbonBlack:       0xC0000000,
	OnePassword:       0xD0000000,
	Office365:         0xE0000000,
	Sophos:            0xF0000000,
	ITGlue:            0x11000000,
	K8sPods:           0x12000000,
	Zeek:              0x13000000,
	MacUnifiedLogging: 0x14000000,
	Crowdstrike:       0x01000000,
	Xml:               0x02000000,
	Wel:               0x03000000,
	MsDefender:        0x04000000,
	Duo:               0x05000000,
	Okta:              0x06000000,
	SentinelOne:       0x07000000,
	GitHub:            0x08000000,
	Slack:             0x09000000,
	CEF:               0x0A000000,
	LCEvent:           0x0B000000,
	AzureAD:           0x0C000000,
	AzureMonitor:      0x0D000000,
	CanaryToken:       0x0E000000,
	GuardDuty:         0x0F000000,
}
View Source 
var ResourceCategories = struct {
	API       string
	Replicant string
	Service   string
}{
	API:       "api",
	Replicant: "replicant",
	Service:   "service",
}
View Source 
var StringToArchitecture = map[string]uint32{
	"x86":       Architectures.X86,
	"x64":       Architectures.X64,
	"arm":       Architectures.ARM,
	"arm64":     Architectures.ARM64,
	"alpine64":  Architectures.Alpine64,
	"chromium":  Architectures.Chrome,
	"wireguard": Architectures.WireGuard,
	"arml":      Architectures.ARML,

	"usp_adapter": Architectures.USPAdapter,
}
View Source 
var StringToPlatform = map[string]uint32{
	"windows": Platforms.Windows,
	"linux":   Platforms.Linux,
	"macos":   Platforms.MacOS,
	"ios":     Platforms.IOS,
	"android": Platforms.Android,
	"chrome":  Platforms.ChromeOS,
	"vpn":     Platforms.VPN,

	"text":                Platforms.Text,
	"json":                Platforms.JSON,
	"gcp":                 Platforms.GCP,
	"aws":                 Platforms.AWS,
	"carbon_black":        Platforms.CarbonBlack,
	"1password":           Platforms.OnePassword,
	"office365":           Platforms.Office365,
	"sophos":              Platforms.Sophos,
	"itglue":              Platforms.ITGlue,
	"k8spods":             Platforms.K8sPods,
	"zeek":                Platforms.Zeek,
	"mac_unified_logging": Platforms.MacUnifiedLogging,
	"crowdstrike":         Platforms.Crowdstrike,
	"xml":                 Platforms.Xml,
	"wel":                 Platforms.Wel,
	"msdefender":          Platforms.MsDefender,
	"duo":                 Platforms.Duo,
	"okta":                Platforms.Okta,
	"sentinel_one":        Platforms.SentinelOne,
	"github":              Platforms.GitHub,
	"slack":               Platforms.Slack,
	"cef":                 Platforms.CEF,
	"lc_event":            Platforms.LCEvent,
	"azure_ad":            Platforms.AzureAD,
	"azure_monitor":       Platforms.AzureMonitor,
	"canary_token":        Platforms.CanaryToken,
	"guard_duty":          Platforms.GuardDuty,
}

Functions

func IsInterfaceNil 

func IsInterfaceNil(v interface{}) bool

func IsServiceNotRegisteredError 

func IsServiceNotRegisteredError(err error) bool

func LocalFileIncludeLoader 

func LocalFileIncludeLoader(parent string, toInclude string) ([]byte, error)

func UnmarshalCleanJSON 

func UnmarshalCleanJSON(data string) (map[string]interface{}, error)

func UnmarshalCleanJSONList 

func UnmarshalCleanJSONList(data string) ([]interface{}, error)

func WithNamespace 

func WithNamespace(namespace string) func(map[string]string)

Types

type ArtifactRule 

type ArtifactRule struct {
	By          string `json:"by"`
	LastUpdated uint64 `json:"updated"`

	IsIgnoreCert   bool               `json:"is_ignore_cert"`
	IsDeleteAfter  bool               `json:"is_delete_after"`
	DaysRetentions uint               `json:"days_retention"`
	Patterns       []string           `json:"patterns"`
	Filters        ArtifactRuleFilter `json:"filters"`
}

type ArtifactRuleFilter 

type ArtifactRuleFilter struct {
	Tags      []string `json:"tags"`
	Platforms []string `json:"platforms"`
}

type ArtifactRuleName 

type ArtifactRuleName = string

type ArtifactRulesByName 

type ArtifactRulesByName = map[ArtifactRuleName]ArtifactRule

type BatchResponse 

type BatchResponse struct {
	Data  Dict   `json:"data"`
	Error string `json:"error"`
}

type Client 

type Client struct {
	// contains filtered or unexported fields
}

Client makes raw request to LC cloud

func NewClient 

func NewClient(opt ClientOptions, logger LCLogger) (*Client, error)

NewClient loads client options from first, environment varibles; then from a file specified by the environment variable LC_CREDS_FILE; then from .limacharlie in home directory

func NewClientFromLoader 

func NewClientFromLoader(inOpt ClientOptions, logger LCLogger, optsLoaders ...ClientOptionLoader) (*Client, error)

NewClientFromLoader initialize a client from options loaders. Will return a valid client as soon as one loader returns valid requirements

func (*Client) GetCurrentJWT 

func (c *Client) GetCurrentJWT() string

GetCurrentJWT returns the JWT from the client options

func (*Client) RefreshJWT 

func (c *Client) RefreshJWT(expiry time.Duration) (string, error)

func (*Client) WhoAmI 

func (c *Client) WhoAmI() (WhoAmIJsonResponse, error)

type ClientOptionLoader 

type ClientOptionLoader interface {
	Load(inOpt ClientOptions) (ClientOptions, error)
}

ClientOptionLoader loads options for the limacharlie client

type ClientOptions 

type ClientOptions struct {
	OID           string
	APIKey        string
	UID           string
	JWT           string
	Environment   string
	Permissions   []string
	JWTExpiryTime time.Duration
}

ClientOptions holds all options for Client

func (*ClientOptions) FromConfig 

func (o *ClientOptions) FromConfig(cfg ConfigFile, environmentName string) error

FromConfig updates self from a config file

func (*ClientOptions) FromConfigFile 

func (o *ClientOptions) FromConfigFile(configFilePath string, environmentName string) error

FromConfigFile updates self from the file path

func (*ClientOptions) FromConfigString 

func (o *ClientOptions) FromConfigString(configFileString []byte, environmentName string) error

FromConfigString updates self from strings

type ConfigEnvironment 

type ConfigEnvironment struct {
	OID    string `yaml:"oid"`
	UID    string `yaml:"uid"`
	APIKey string `yaml:"api_key"`
}

ConfigEnvironment holds the different values parsed from the environment

type ConfigFile 

type ConfigFile struct {
	ConfigEnvironment
	Environments map[string]ConfigEnvironment `yaml:"env"`
}

ConfigFile is the actual config file format may seem a bit odd but it is structured to maintain backwards compatibility with the Python SDK/CLI format.

type ConfigRecordMutation 

type ConfigRecordMutation struct {
	SysMtd *SysMtd `json:"sys_mtd" yaml:"sys_mtd"`
	UsrMtd *UsrMtd `json:"usr_mtd" yaml:"usr_mtd"`
	Data   Dict    `json:"data" yaml:"data"`
	ARL    string  `json:"arl,omitempty" yaml:"arl,omitempty"`
}

type CoreDRRule 

type CoreDRRule struct {
	Name      string `json:"name,omitempty" yaml:"name,omitempty"`
	Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`
	Detect    Dict   `json:"detect" yaml:"detect"`
	Response  List   `json:"respond" yaml:"respond"`
	IsEnabled *bool  `json:"is_enabled,omitempty" yaml:"is_enabled,omitempty"`
}

func (CoreDRRule) Equal 

func (d CoreDRRule) Equal(dr CoreDRRule) bool

func (CoreDRRule) IsInSameNamespace 

func (d CoreDRRule) IsInSameNamespace(dr CoreDRRule) bool

type DRRuleFilter 

type DRRuleFilter func(map[string]string)

type DRRuleName 

type DRRuleName = string

type DelRecordRequest 

type DelRecordRequest struct {
	Record RecordID `json:"record_id" yaml:"record_id"`
}

type DetStats 

type DetStats struct {
	Totals map[string]map[string]int `json:"totals"`
}

type Detect 

type Detect struct {
	Author    string  `json:"author"`
	Cat       string  `json:"cat"`
	Detect    Dict    `json:"detect"`
	DetectID  string  `json:"detect_id"`
	DetectMtd Dict    `json:"detect_mtd"`
	Link      string  `json:"link"`
	Namespace string  `json:"namespace"`
	Routing   Routing `json:"routing"`
	Source    string  `json:"source"`
	Ts        int64   `json:"ts"`
}

type Device 

type Device struct {
	DID          string
	Organization *Organization
}

func (*Device) AddTag 

func (d *Device) AddTag(tag string, ttl time.Duration) error

type Dict 

type Dict map[string]interface{}

func (*Dict) ImportFromStruct 

func (d *Dict) ImportFromStruct(in interface{}) (Dict, error)

func (Dict) UnMarshalToStruct 

func (d Dict) UnMarshalToStruct(out interface{}) error

func (*Dict) UnmarshalJSON 

func (d *Dict) UnmarshalJSON(data []byte) error

func (*Dict) UnmarshalYAML 

func (d *Dict) UnmarshalYAML(unmarshal func(interface{}) error) error

type EnvironmentClientOptionLoader 

type EnvironmentClientOptionLoader struct{}

EnvironmentClientOptionLoader loads options from environement variables

func (*EnvironmentClientOptionLoader) Load 

func (l *EnvironmentClientOptionLoader) Load(inOpt ClientOptions) (ClientOptions, error)

Load retrieves options from environment variables

type Event 

type Event struct {
	Event     interface{} `json:"event"`
	Routing   Routing     `json:"routing"`
	TimeStamp string      `json:"ts"`
}

type EventContainer 

type EventContainer struct {
	Event Event `json:"event"`
}

type ExfilEventFilters 

type ExfilEventFilters struct {
	Tags      []string `json:"tags" yaml:"tags"`
	Platforms []string `json:"platforms" yaml:"platforms"`
}

type ExfilRuleEvent 

type ExfilRuleEvent struct {
	LastUpdated uint64 `json:"updated,omitempty" yaml:"updated,omitempty"`
	CreatedBy   string `json:"by,omitempty" yaml:"by,omitempty"`

	Events  []string          `json:"events" yaml:"events"`
	Filters ExfilEventFilters `json:"filters" yaml:"filters"`
}

func (ExfilRuleEvent) EqualsContent 

func (r ExfilRuleEvent) EqualsContent(other ExfilRuleEvent) bool

type ExfilRuleName 

type ExfilRuleName = string

type ExfilRuleWatch 

type ExfilRuleWatch struct {
	LastUpdated uint64 `json:"updated,omitempty" yaml:"updated,omitempty"`
	CreatedBy   string `json:"by,omitempty" yaml:"by,omitempty"`

	Event    string            `json:"event" yaml:"event"`
	Value    string            `json:"value" yaml:"value"`
	Path     []string          `json:"path" yaml:"path"`
	Operator string            `json:"operator" yaml:"operator"`
	Filters  ExfilEventFilters `json:"filters" yaml:"filters"`
}

func (ExfilRuleWatch) EqualsContent 

func (r ExfilRuleWatch) EqualsContent(other ExfilRuleWatch) bool

type ExfilRulesType 

type ExfilRulesType struct {
	Performance Dict                             `json:"perf,omitempty" yaml:"perf,omitempty"`
	Events      map[ExfilRuleName]ExfilRuleEvent `json:"list,omitempty" yaml:"list,omitempty"`
	Watches     map[ExfilRuleName]ExfilRuleWatch `json:"watch,omitempty" yaml:"watch,omitempty"`
}

type ExtensionName 

type ExtensionName = string

type FPRule 

type FPRule struct {
	Detection Dict       `json:"data" yaml:"data"`
	OID       string     `json:"oid" yaml:"oid"`
	Name      FPRuleName `json:"name,omitempty" yaml:"name,omitempty"`
}

type FPRuleName 

type FPRuleName = string

type FPRuleOptions 

type FPRuleOptions struct {
	// Replace rule if it already exists with this name.
	IsReplace bool
}

type FileClientOptionLoader 

type FileClientOptionLoader struct {
	// contains filtered or unexported fields
}

FileClientOptionLoader loads options from environement variables

func NewFileClientOptionLoader 

func NewFileClientOptionLoader(configFile string) *FileClientOptionLoader

NewFileClientOptionLoader initialize a new loader

func (*FileClientOptionLoader) Load 

func (l *FileClientOptionLoader) Load(inOpt ClientOptions) (ClientOptions, error)

Load retrieve options from a config file

type Firehose 

type Firehose struct {
	// Organization linked to this firehose
	Organization *Organization

	// Channel to receive the message from
	Messages chan FirehoseMessage

	// Channel to receive messages that could not be parsed
	// It will only be used if the supplied FirehoseOptions require message to be parsed
	ErrorMessages chan FirehoseMessage
	// contains filtered or unexported fields
}

Firehose is a listener to receive data from a limacharlie.io organization in push mode

func NewFirehose 

func NewFirehose(org *Organization, fhOpts FirehoseOptions, fhOutputOpts *FirehoseOutputOptions) (*Firehose, error)

NewFirehose initialize the firehose

func (*Firehose) GetMessageDropCount 

func (fh *Firehose) GetMessageDropCount() int

GetMessageDropCount returns the current count of dropped messages

func (*Firehose) IsRunning 

func (fh *Firehose) IsRunning() bool

IsRunning will return true if firehose has been started

func (*Firehose) ResetMessageDropCount 

func (fh *Firehose) ResetMessageDropCount()

ResetMessageDropCount reset the count of dropped messages

func (*Firehose) Shutdown 

func (fh *Firehose) Shutdown()

Shutdown stops the listener and delete the output previsouly registered if any

func (*Firehose) Start 

func (fh *Firehose) Start() error

Start register the optional output to limacharlie.io and start listening for data

type FirehoseMessage 

type FirehoseMessage struct {
	// Message content
	RawContent string
	Content    map[string]interface{}
}

FirehoseMessage holds the content of a message received from a firehose

type FirehoseOptions 

type FirehoseOptions struct {
	// IP to listen on
	ListenOnPort uint16

	// Port to listen on
	ListenOnIP net.IP

	// IP that LC should use to connect to this object
	ConnectToPort uint16

	// Port that LC should use to connect to this object
	ConnectTo string

	// Path to the SSL cert file (PEM) to use to receive from the cloud
	// Optional
	// If not set, generates self-signed certificate
	SSLCertPath string

	// Path to the SSL key file (PEM) to use to receive from the cloud
	// Optional
	// If not set, generates self-signed certificate
	SSLCertKeyPath string

	// Maximum number of message to buffer in the queue
	// Once the queue is full, messages will be considered as dropped
	MaxMessageCount int

	// Maximum number of dropped message to buffer
	// Once the queue is full, dropped count will continue to raise but will not be sent to the queue
	MaxErrorMessageCount int

	// If set to true, the data received will be parsed to json
	ParseMessage bool
}

FirehoseOptions holds the parameters for the firehose

type FirehoseOutputOptions 

type FirehoseOutputOptions struct {
	// Name to register as an Output
	UniqueName string

	// Type of data received from the cloud as specified in Output
	Type OutputDataType

	// Only receive events from this SensorID.
	SensorID string

	// Only receive events marked with this investigation ID
	// Optional
	InvestigationID string

	// Only receive events from sensor with this tag
	// Optional
	Tag string

	// Only receive detections of this category
	// Optional
	Category string

	// If set to true, delete the firehose output on failure (in LC cloud)
	// Optional
	IsDeleteOnFailure bool

	// If set to true, do not validate certs, useful for self-signed certs.
	IsNotStrictSSL bool
}

FirehoseOutputOptions holds the optional parameter for firehose output

type GenericJSON 

type GenericJSON = map[string]interface{}

GenericJSON is the default format for json data

type GetRecordRequest 

type GetRecordRequest struct {
	Record RecordID `json:"record_id" yaml:"record_id"`
}

type GlobalID 

type GlobalID string

type HistoricalDetectionsRequest 

type HistoricalDetectionsRequest struct {
	// Cat is the category of the detections to fetch
	Cat string `json:"cat"`
	// Cursor is optional for paginated access, set to '-' for first query
	Cursor string `json:"cursor"`
	// Start is the required timestamp in seconds where to stop fetching detections
	Start int `json:"start"`
	// End is the required timestamp in seconds where to stop fetching detections
	End int `json:"end"`
	// Limit maximum number of detections to return
	Limit int `json:"limit"`
}

type HistoricalDetectionsResponse 

type HistoricalDetectionsResponse struct {
	Detects    []Detect `json:"detects"`
	NextCursor string   `json:"next_cursor"`
}

type HiveArgs 

type HiveArgs struct {
	HiveName     string
	PartitionKey string
	Key          string
	Data         Dict
	Expiry       *int64
	Enabled      *bool
	Tags         []string
	ETag         *string
	Comment      *string
	ARL          string
}

type HiveBatch 

type HiveBatch struct {
	// contains filtered or unexported fields
}

func (*HiveBatch) DelRecord 

func (b *HiveBatch) DelRecord(record RecordID)

func (*HiveBatch) Execute 

func (b *HiveBatch) Execute() ([]BatchResponse, error)

func (*HiveBatch) GetRecord 

func (b *HiveBatch) GetRecord(record RecordID)

func (*HiveBatch) GetRecordMtd 

func (b *HiveBatch) GetRecordMtd(record RecordID)

func (*HiveBatch) SetRecord 

func (b *HiveBatch) SetRecord(record RecordID, config ConfigRecordMutation)

func (*HiveBatch) SetRecordMtd 

func (b *HiveBatch) SetRecordMtd(record RecordID, usrMtd UsrMtd, sysMtd SysMtd)

type HiveClient 

type HiveClient struct {
	Organization *Organization
}

func NewHiveClient 

func NewHiveClient(org *Organization) *HiveClient

func (*HiveClient) Add 

func (h *HiveClient) Add(args HiveArgs) (*HiveResp, error)

func (*HiveClient) Get 

func (h *HiveClient) Get(args HiveArgs) (*HiveData, error)

func (*HiveClient) GetMTD 

func (h *HiveClient) GetMTD(args HiveArgs) (*HiveData, error)

func (*HiveClient) List 

func (h *HiveClient) List(args HiveArgs) (HiveConfigData, error)

func (*HiveClient) ListMtd 

func (h *HiveClient) ListMtd(args HiveArgs) (HiveConfigData, error)

func (*HiveClient) NewBatchOperations 

func (h *HiveClient) NewBatchOperations() *HiveBatch

func (*HiveClient) Remove 

func (h *HiveClient) Remove(args HiveArgs) (interface{}, error)

func (*HiveClient) Rename 

func (h *HiveClient) Rename(args HiveArgs, newName string) (*HiveResp, error)

Rename renames a record in the Hive

func (*HiveClient) Update 

func (h *HiveClient) Update(args HiveArgs) (*HiveResp, error)

func (*HiveClient) UpdateTx 

func (h *HiveClient) UpdateTx(args HiveArgs, tx func(record *HiveData) (*HiveData, error)) (*HiveResp, error)

type HiveConfigData 

type HiveConfigData map[string]HiveData

func (HiveConfigData) AsSyncConfigData 

func (hcd HiveConfigData) AsSyncConfigData() SyncHiveConfigData

type HiveData 

type HiveData struct {
	Data   map[string]interface{} `json:"data" yaml:"data,omitempty"`
	SysMtd SysMtd                 `json:"sys_mtd" yaml:"sys_mtd"`
	UsrMtd UsrMtd                 `json:"usr_mtd" yaml:"usr_mtd"`
}

func (HiveData) AsSyncData 

func (hd HiveData) AsSyncData() SyncHiveData

func (*HiveData) Equals 

func (hsd *HiveData) Equals(cData HiveData) (bool, error)

type HiveID 

type HiveID struct {
	Name      HiveName    `json:"name" datastore:"name" yaml:"name"`
	Partition PartitionID `json:"partition" datastore:"partition" yaml:"partition"`
}

type HiveInfo 

type HiveInfo struct {
	Name      string `json:"name"`
	Partition string `json:"partition"`
}

type HiveKey 

type HiveKey = string

type HiveName 

type HiveName = string

type HiveResp 

type HiveResp struct {
	Guid string   `json:"guid"`
	Hive HiveInfo `json:"hive"`
	Name string   `json:"name"`
}

type IncludeLoaderCB 

type IncludeLoaderCB = func(parentFilePath string, filePathToInclude string) ([]byte, error)

type InsightObjectBatchResponse 

type InsightObjectBatchResponse struct {
	FromCache   bool `json:"from_cache"`
	Last1Day    Dict `json:"last_1_days"`
	Last7Days   Dict `json:"last_7_days"`
	Last30Days  Dict `json:"last_30_days"`
	Last365Days Dict `json:"last_365_days"`
}

type InsightObjectType 

type InsightObjectType string

type InsightObjectTypeInfoType 

type InsightObjectTypeInfoType string

type InsightObjectsBatchRequest 

type InsightObjectsBatchRequest struct {
	Objects         map[InsightObjectType][]string
	IsCaseSensitive bool
}

type InsightObjectsPerObjectResponse 

type InsightObjectsPerObjectResponse struct {
	ObjectType    InsightObjectType `json:"type"`
	IndicatorName string            `json:"name"`
	FromCache     bool              `json:"from_cache"`
	Last1Day      Dict              `json:"last_1_days"`
	Last7Days     Dict              `json:"last_7_days"`
	Last30Days    Dict              `json:"last_30_days"`
	Last365Days   Dict              `json:"last_365_days"`
}

type InsightObjectsRequest 

type InsightObjectsRequest struct {
	IndicatorName   string
	ObjectType      InsightObjectType
	ObjectTypeInfo  InsightObjectTypeInfoType
	IsCaseSensitive bool
	AllowWildcards  bool
	SearchInLogs    bool
}

type InsightObjectsResponse 

type InsightObjectsResponse struct {
	ObjectType    InsightObjectType `json:"type"`
	IndicatorName string            `json:"name"`
	FromCache     bool              `json:"from_cache"`
	Last1Day      int64             `json:"last_1_days"`
	Last7Days     int64             `json:"last_7_days"`
	Last30Days    int64             `json:"last_30_days"`
	Last365Days   int64             `json:"last_365_days"`
}

type InstallationKey 

type InstallationKey struct {
	CreatedAt   uint64   `json:"created,omitempty" yaml:"created,omitempty"`
	Description string   `json:"desc,omitempty" yaml:"desc,omitempty"`
	ID          string   `json:"iid,omitempty" yaml:"iid,omitempty"`
	Key         string   `json:"key,omitempty" yaml:"key,omitempty"`
	JsonKey     string   `json:"json_key,omitempty" yaml:"json_key,omitempty"`
	Tags        []string `json:"tags,omitempty" yaml:"tags,omitempty"`
	UsePublicCA bool     `json:"use_public_root_ca,omitempty" yaml:"use_public_root_ca,omitempty"`
}

func (InstallationKey) EqualsContent 

func (k InstallationKey) EqualsContent(k2 InstallationKey) bool

func (*InstallationKey) UnmarshalJSON 

func (ik *InstallationKey) UnmarshalJSON(data []byte) error

type InstallationKeyName 

type InstallationKeyName = string

type IntegrityRule 

type IntegrityRule struct {
	Patterns []string            `json:"patterns"`
	Filters  IntegrityRuleFilter `json:"filters"`

	CreatedBy   string `json:"by,omitempty"`
	LastUpdated uint64 `json:"updated,omitempty"`
}

func (IntegrityRule) WithPatterns 

func (ir IntegrityRule) WithPatterns(patterns []string) IntegrityRule

func (IntegrityRule) WithPlatforms 

func (ir IntegrityRule) WithPlatforms(platforms []string) IntegrityRule

func (IntegrityRule) WithTags 

func (ir IntegrityRule) WithTags(tags []string) IntegrityRule

type IntegrityRuleFilter 

type IntegrityRuleFilter struct {
	Tags      []string `json:"tags" yaml:"tags"`
	Platforms []string `json:"platforms" yaml:"platforms"`
}

type IntegrityRuleName 

type IntegrityRuleName = string

type IntegrityRulesByName 

type IntegrityRulesByName = map[IntegrityRuleName]IntegrityRule

type InvalidClientOptionsError 

type InvalidClientOptionsError struct {
	// contains filtered or unexported fields
}

InvalidClientOptionsError is the error type returned by Client

func NewInvalidClientOptionsError 

func NewInvalidClientOptionsError(err string) InvalidClientOptionsError

NewInvalidClientOptionsError makes a new error

func (InvalidClientOptionsError) Error 

func (e InvalidClientOptionsError) Error() string

type LCLogger 

type LCLogger interface {
	Fatal(msg string)
	Error(msg string)
	Warn(msg string)
	Info(msg string)
	Debug(msg string)
	Trace(msg string)
}

LCLogger is the interface for limacharlie logging

type LCLoggerEmpty 

type LCLoggerEmpty struct{}

LCLoggerEmpty does not actually log anything

func (*LCLoggerEmpty) Debug 

func (l *LCLoggerEmpty) Debug(msg string)

Debug empty stub for logging interface

func (*LCLoggerEmpty) Error 

func (l *LCLoggerEmpty) Error(msg string)

Error empty stub for logging interface

func (*LCLoggerEmpty) Fatal 

func (l *LCLoggerEmpty) Fatal(msg string)

Fatal empty stub for logging interface

func (*LCLoggerEmpty) Info 

func (l *LCLoggerEmpty) Info(msg string)

Info empty stub for logging interface

func (*LCLoggerEmpty) Trace 

func (l *LCLoggerEmpty) Trace(msg string)

Trace empty stub for logging interface

func (*LCLoggerEmpty) Warn 

func (l *LCLoggerEmpty) Warn(msg string)

Warn empty stub for logging interface

type LCLoggerGCP 

type LCLoggerGCP struct {
	// contains filtered or unexported fields
}

func (*LCLoggerGCP) Debug 

func (l *LCLoggerGCP) Debug(msg string)

Debug see GCP logger debug function

func (*LCLoggerGCP) Error 

func (l *LCLoggerGCP) Error(msg string)

Error see GCP logger error function

func (*LCLoggerGCP) Fatal 

func (l *LCLoggerGCP) Fatal(msg string)

Fatal see GCP logger fatal function

func (*LCLoggerGCP) Info 

func (l *LCLoggerGCP) Info(msg string)

Info see GCP logger info function

func (*LCLoggerGCP) Trace 

func (l *LCLoggerGCP) Trace(msg string)

Trace see GCP logger trace function

func (*LCLoggerGCP) Warn 

func (l *LCLoggerGCP) Warn(msg string)

Warn see GCP logger warn function

type LCLoggerZerolog 

type LCLoggerZerolog struct {
	// contains filtered or unexported fields
}

LCLoggerZerolog implements the logging interface with zerolog

func (*LCLoggerZerolog) Debug 

func (l *LCLoggerZerolog) Debug(msg string)

Debug see zerolog logger debug function

func (*LCLoggerZerolog) Error 

func (l *LCLoggerZerolog) Error(msg string)

Error see zerolog logger error function

func (*LCLoggerZerolog) Fatal 

func (l *LCLoggerZerolog) Fatal(msg string)

Fatal see zerolog logger fatal function

func (*LCLoggerZerolog) Info 

func (l *LCLoggerZerolog) Info(msg string)

Info see zerolog logger info function

func (*LCLoggerZerolog) Trace 

func (l *LCLoggerZerolog) Trace(msg string)

Trace see zerolog logger trace function

func (*LCLoggerZerolog) Warn 

func (l *LCLoggerZerolog) Warn(msg string)

Warn see zerolog logger warn function

type List 

type List []interface{}

func (*List) UnmarshalJSON 

func (l *List) UnmarshalJSON(data []byte) error

func (*List) UnmarshalYAML 

func (l *List) UnmarshalYAML(unmarshal func(interface{}) error) error

type MtdMutationRequest 

type MtdMutationRequest struct {
	Record RecordID `json:"record_id" yaml:"record_id"`
	UsrMtd UsrMtd   `json:"usr_mtd" yaml:"usr_mtd"`
	SysMtd SysMtd   `json:"sys_mtd" yaml:"sys_mtd"`
}

type MutationRenameRequest 

type MutationRenameRequest struct {
	Record  RecordID `json:"record_id" yaml:"record_id"`
	NewName string   `json:"new_name" yaml:"new_name"`
}

type MutationRequest 

type MutationRequest struct {
	Record RecordID             `json:"record_id" yaml:"record_id"`
	Config ConfigRecordMutation `json:"record" yaml:"record"`
}

type NewDRRuleOptions 

type NewDRRuleOptions struct {
	// Replace rule if it already exists with this name.
	IsReplace bool
	// Rule namespace, defaults to "general".
	Namespace string
	// Rule is enabled.
	IsEnabled bool
	// Number of seconds before rule auto-deletes.
	TTL int64
}

type NewOrganizationDataResponse 

type NewOrganizationDataResponse struct {
	Oid string `json:"oid,omitempty"`
}

type NewOrganizationResponse 

type NewOrganizationResponse struct {
	Data    NewOrganizationDataResponse `json:"data,omitempty"`
	Success bool                        `json:"success,omitempty"`
}

type NoopClientOptionLoader 

type NoopClientOptionLoader struct{}

NoopClientOptionLoader does not load any options

func (*NoopClientOptionLoader) Load 

func (l *NoopClientOptionLoader) Load(inOpt ClientOptions) (ClientOptions, error)

Load returns arguments passed

type OnlineCount 

type OnlineCount struct {
	Count int64 `json:"count,omitempty"`
}

OnlineCount contains the amount of active sensors for an organization

type OrgConfig 

type OrgConfig struct {
	Version          int                     `json:"version" yaml:"version"`
	Includes         []string                `json:"-" yaml:"-"`
	Resources        orgSyncResources        `json:"resources,omitempty" yaml:"resources,omitempty"`
	Extensions       orgSyncExtensions       `json:"extensions,omitempty" yaml:"extensions,omitempty"`
	DRRules          orgSyncDRRules          `json:"rules,omitempty" yaml:"rules,omitempty"`
	FPRules          orgSyncFPRules          `json:"fps,omitempty" yaml:"fps,omitempty"`
	Outputs          orgSyncOutputs          `json:"outputs,omitempty" yaml:"outputs,omitempty"`
	Integrity        orgSyncIntegrityRules   `json:"integrity,omitempty" yaml:"integrity,omitempty"`
	Exfil            *orgSyncExfilRules      `json:"exfil,omitempty" yaml:"exfil,omitempty"`
	Artifacts        orgSyncArtifacts        `json:"artifact,omitempty" yaml:"artifact,omitempty"`
	OrgValues        orgSyncOrgValues        `json:"org-value,omitempty" yaml:"org-value,omitempty"`
	Hives            orgSyncHives            `json:"hives,omitempty" yaml:"hives,omitempty"`
	InstallationKeys orgSyncInstallationKeys `json:"installation_keys,omitempty" yaml:"installation_keys,omitempty"`
	Yara             *orgSyncYara            `json:"yara,omitempty" yaml:"yara,omitempty"`
}

func (OrgConfig) Merge 

func (o OrgConfig) Merge(conf OrgConfig) OrgConfig

func (*OrgConfig) UnmarshalYAML 

func (o *OrgConfig) UnmarshalYAML(unmarshal func(interface{}) error) error

type OrgSyncArtifactRule 

type OrgSyncArtifactRule struct {
	IsIgnoreCert   bool     `json:"is_ignore_cert" yaml:"is_ignore_cert"`
	IsDeleteAfter  bool     `json:"is_delete_after" yaml:"is_delete_after"`
	DaysRetentions uint     `json:"days_retention" yaml:"days_retention"`
	Patterns       []string `json:"patterns" yaml:"patterns"`
	Tags           []string `json:"tags" yaml:"tags"`
	Platforms      []string `json:"platforms" yaml:"platforms"`
}

func (OrgSyncArtifactRule) EqualsContent 

func (oar OrgSyncArtifactRule) EqualsContent(artifact ArtifactRule) bool

func (OrgSyncArtifactRule) FromArtifactRule 

func (oar OrgSyncArtifactRule) FromArtifactRule(artifact ArtifactRule) OrgSyncArtifactRule

func (OrgSyncArtifactRule) ToArtifactRule 

func (oar OrgSyncArtifactRule) ToArtifactRule() ArtifactRule

func (OrgSyncArtifactRule) ToJson 

func (oar OrgSyncArtifactRule) ToJson() ([]byte, error)

type OrgSyncFPRule 

type OrgSyncFPRule struct {
	Detection Dict `json:"data" yaml:"data"`
}

func (OrgSyncFPRule) DetectionEquals 

func (r OrgSyncFPRule) DetectionEquals(fpRule FPRule) bool

type OrgSyncIntegrityRule 

type OrgSyncIntegrityRule struct {
	Patterns  []string `json:"patterns" yaml:"patterns"`
	Tags      []string `json:"tags" yaml:"tags"`
	Platforms []string `json:"platforms" yaml:"platforms"`
}

func (OrgSyncIntegrityRule) EqualsContent 

func (oir OrgSyncIntegrityRule) EqualsContent(ir IntegrityRule) bool

type OrgSyncOperation 

type OrgSyncOperation struct {
	ElementType string `json:"type"`
	ElementName string `json:"name"`
	IsAdded     bool   `json:"is_added"`
	IsRemoved   bool   `json:"is_removed"`
}

func (OrgSyncOperation) String 

func (o OrgSyncOperation) String() string

type OrgValue 

type OrgValue = string

type OrgValueInfo 

type OrgValueInfo struct {
	Name  OrgValueName `json:"config"`
	Value OrgValue     `json:"value"`
}

type OrgValueName 

type OrgValueName = string

type Organization 

type Organization struct {
	// contains filtered or unexported fields
}

Organization holds a connection to the LC cloud organization

func NewOrganization 

func NewOrganization(c *Client) (*Organization, error)

NewOrganization initialize a link to an organization

func NewOrganizationFromClientOptions 

func NewOrganizationFromClientOptions(opt ClientOptions, logger LCLogger) (*Organization, error)

NewOrganizationFromClientOptions initialize an organization from client options

func (*Organization) ActiveSensors 

func (org *Organization) ActiveSensors(sids []string) (map[string]bool, error)

func (Organization) AddInstallationKey 

func (org Organization) AddInstallationKey(k InstallationKey) (string, error)

func (*Organization) AddToGroup 

func (o *Organization) AddToGroup(gid string) (bool, error)

AddToGroup Adds this organization to a given group

func (Organization) ArtifactRuleAdd 

func (org Organization) ArtifactRuleAdd(ruleName ArtifactRuleName, rule ArtifactRule) error

func (Organization) ArtifactRuleDelete 

func (org Organization) ArtifactRuleDelete(ruleName ArtifactRuleName) error

func (Organization) ArtifactsRules 

func (org Organization) ArtifactsRules() (ArtifactRulesByName, error)

func (*Organization) Authorize 

func (org *Organization) Authorize(permissionsNeeded []string) (string, []Permission, error)

Authorize validate requested permissions for the organization

func (*Organization) Close 

func (org *Organization) Close()

func (Organization) CreateArtifactFromBytes 

func (org Organization) CreateArtifactFromBytes(name string, fileData []byte, fileType string, artifactId string, nDaysRetention int, ingestionKey string) error

func (Organization) CreateArtifactFromFile 

func (org Organization) CreateArtifactFromFile(name string, fileName string, fileType string, artifactId string, nDaysRetention int, ingestionKey string) error

func (*Organization) CreateOrganization 

func (o *Organization) CreateOrganization(location, name string, template ...interface{}) (NewOrganizationResponse, error)

func (Organization) CreatePayloadFromBytes 

func (org Organization) CreatePayloadFromBytes(name PayloadName, data []byte) error

Create a Payload in an LC organization.

func (Organization) CreatePayloadFromReader 

func (org Organization) CreatePayloadFromReader(name PayloadName, data io.Reader) error

func (Organization) DRRuleAdd 

func (org Organization) DRRuleAdd(name string, detection interface{}, response interface{}, opt ...NewDRRuleOptions) error

DRRuleAdd add a D&R Rule to an LC organization

func (Organization) DRRuleDelete 

func (org Organization) DRRuleDelete(name string, filters ...DRRuleFilter) error

DRRuleDelete delete a D&R rule from an LC organization

func (Organization) DRRules 

func (org Organization) DRRules(filters ...DRRuleFilter) (map[string]Dict, error)

DRRules get all D&R rules for an LC organization

func (Organization) DelIngestionKeys 

func (org Organization) DelIngestionKeys(name string) (Dict, error)

func (Organization) DelInstallationKey 

func (org Organization) DelInstallationKey(iid string) error

func (*Organization) DeleteOrganization 

func (o *Organization) DeleteOrganization(confirmationToken string) (bool, error)

func (Organization) DeletePayload 

func (org Organization) DeletePayload(name PayloadName) error

Delete a Payload from within an LC organization.

func (*Organization) DetectionStats 

func (org *Organization) DetectionStats(start int64, end int64) (DetStats, error)

func (*Organization) EventByAtom 

func (org *Organization) EventByAtom(sensorID, atom string) (EventContainer, error)

func (Organization) ExfilRuleEventAdd 

func (org Organization) ExfilRuleEventAdd(name ExfilRuleName, event ExfilRuleEvent) error

func (Organization) ExfilRuleEventDelete 

func (org Organization) ExfilRuleEventDelete(name ExfilRuleName) error

func (Organization) ExfilRuleWatchAdd 

func (org Organization) ExfilRuleWatchAdd(name ExfilRuleName, watch ExfilRuleWatch) error

func (Organization) ExfilRuleWatchDelete 

func (org Organization) ExfilRuleWatchDelete(name ExfilRuleName) error

func (Organization) ExfilRules 

func (org Organization) ExfilRules() (ExfilRulesType, error)

func (Organization) ExportArtifact 

func (org Organization) ExportArtifact(artifactID string, deadline time.Time) (io.ReadCloser, error)

func (Organization) ExportArtifactThroughGCS 

func (org Organization) ExportArtifactThroughGCS(ctx context.Context, artifactID string, deadline time.Time, bucketName string, writeCreds string, readClient *storage.Client) (io.ReadCloser, error)

func (Organization) ExportArtifactToGCS 

func (org Organization) ExportArtifactToGCS(ctx context.Context, artifactID string, deadline time.Time, bucketName string, writeCreds string, readClient *storage.Client) (string, error)

func (*Organization) ExtensionRequest 

func (o *Organization) ExtensionRequest(responseData interface{}, extensionName string, action string, data Dict, isImpersonate bool) error

func (Organization) Extensions 

func (org Organization) Extensions() ([]ExtensionName, error)

func (Organization) FPRuleAdd 

func (org Organization) FPRuleAdd(name FPRuleName, detection interface{}, opts ...FPRuleOptions) error

FPRuleAdd add a false positive rule to a LC organization

func (Organization) FPRuleDelete 

func (org Organization) FPRuleDelete(name FPRuleName) error

FPRuleDelete delete a false positive rule from a LC organization

func (Organization) FPRules 

func (org Organization) FPRules() (map[FPRuleName]FPRule, error)

FPRules get all false positive rules from a LC organization.

func (*Organization) GenericGETRequest 

func (org *Organization) GenericGETRequest(path string, query Dict, response interface{}) error

func (*Organization) GetAllTags 

func (org *Organization) GetAllTags() ([]string, error)

func (*Organization) GetCurrentJWT 

func (org *Organization) GetCurrentJWT() string

GetCurrentJWT returns the JWT of the client

func (*Organization) GetDeleteConfirmationToken 

func (o *Organization) GetDeleteConfirmationToken() (string, error)

func (*Organization) GetInfo 

func (o *Organization) GetInfo() (OrganizationInformation, error)

func (*Organization) GetIngestionKeys 

func (org *Organization) GetIngestionKeys() (Dict, error)

func (Organization) GetOID 

func (o Organization) GetOID() string

Get the OID of the organization.

func (*Organization) GetOnlineCount 

func (o *Organization) GetOnlineCount() (OnlineCount, error)

GetOnlineCount Gets the amount of online sensor for the organization

func (*Organization) GetSensor 

func (org *Organization) GetSensor(SID string) *Sensor

func (*Organization) GetSensors 

func (org *Organization) GetSensors(SIDs []string) map[string]*Sensor

func (*Organization) GetSensorsWithTag 

func (org *Organization) GetSensorsWithTag(tag string) (map[string][]string, error)

func (*Organization) GetSiteConnectivityInfo 

func (o *Organization) GetSiteConnectivityInfo() (*SiteConnectivityInfo, error)

func (*Organization) GetURLs 

func (o *Organization) GetURLs() (map[string]string, error)

func (Organization) HistoricalDetections 

func (org Organization) HistoricalDetections(detectionReq HistoricalDetectionsRequest) (HistoricalDetectionsResponse, error)

func (Organization) InsightObjects 

func (org Organization) InsightObjects(insightReq InsightObjectsRequest) (InsightObjectsResponse, error)

func (Organization) InsightObjectsBatch 

func (org Organization) InsightObjectsBatch(insightReq InsightObjectsBatchRequest) (InsightObjectBatchResponse, error)

func (Organization) InsightObjectsPerObject 

func (org Organization) InsightObjectsPerObject(insightReq InsightObjectsRequest) (InsightObjectsPerObjectResponse, error)

func (Organization) InstallationKey 

func (org Organization) InstallationKey(iid string) (*InstallationKey, error)

func (Organization) InstallationKeys 

func (org Organization) InstallationKeys() ([]InstallationKey, error)

func (Organization) IntegrityRuleAdd 

func (org Organization) IntegrityRuleAdd(ruleName IntegrityRuleName, rule IntegrityRule) error

func (Organization) IntegrityRuleDelete 

func (org Organization) IntegrityRuleDelete(ruleName string) error

func (Organization) IntegrityRules 

func (org Organization) IntegrityRules() (IntegrityRulesByName, error)

func (*Organization) ListSensors 

func (org *Organization) ListSensors() (map[string]*Sensor, error)

func (*Organization) ListSensorsFromSelector 

func (org *Organization) ListSensorsFromSelector(selector string) (map[string]*Sensor, error)

func (*Organization) ListSensorsFromSelectorIteratively 

func (org *Organization) ListSensorsFromSelectorIteratively(selector string, continuationToken string) (map[string]*Sensor, string, error)

func (*Organization) NewWebhookSender 

func (o *Organization) NewWebhookSender(hookName string, secretValue string) (*WebhookSender, error)

func (*Organization) OnlineStats 

func (org *Organization) OnlineStats(start int64, end int64) (Stats, error)

func (Organization) OrgValueGet 

func (org Organization) OrgValueGet(name string) (*OrgValueInfo, error)

Get an Org Value from a specific org.

func (Organization) OrgValueSet 

func (org Organization) OrgValueSet(name string, value string) error

Set an Org Value for a specific org.

func (Organization) OutputAdd 

func (org Organization) OutputAdd(output OutputConfig) (OutputConfig, error)

OutputAdd add an output to the LC organization

func (Organization) OutputDel 

func (org Organization) OutputDel(name string) (GenericJSON, error)

OutputDel deletes an output from the LC organization

func (Organization) Outputs 

func (org Organization) Outputs() (OutputsByName, error)

Outputs returns all outputs by name

func (Organization) OutputsGeneric 

func (org Organization) OutputsGeneric(outputs interface{}) error

OutputsGeneric fetches all outputs and returns it in outputs

func (Organization) Payload 

func (org Organization) Payload(name PayloadName) ([]byte, error)

Download the content of a Payload in an LC organization.

func (Organization) Payloads 

func (org Organization) Payloads() (map[PayloadName]Payload, error)

List all the Payloads in an LC organization.

func (Organization) ReKeyExtension 

func (org Organization) ReKeyExtension(name ExtensionName) error

func (*Organization) RefreshJWT 

func (org *Organization) RefreshJWT(duration time.Duration) string

RefreshJWT returns the refreshed JWT of the client

func (Organization) ResourceSubscribe 

func (org Organization) ResourceSubscribe(name ResourceName, category ResourceCategory) error

ResourceSubscribe subscribe to a resource. The backend call is async meaning that you will get a response right away but it might take a few seconds before a call to list resources shows up with the updated list.

func (Organization) ResourceUnsubscribe 

func (org Organization) ResourceUnsubscribe(name ResourceName, category ResourceCategory) error

ResourceUnsubscribe unsubscribe from a resource. The backend call is async meaning that you will get a response right away but it might take a few seconds before a call to list resources shows up with the updated list.

func (Organization) Resources 

func (org Organization) Resources() (ResourcesByCategory, error)

Resources list available resources

func (*Organization) ServiceRequest 

func (o *Organization) ServiceRequest(responseData interface{}, serviceName string, serviceData Dict, isAsync bool) error

func (Organization) SetIngestionKeys 

func (org Organization) SetIngestionKeys(name string) (Dict, error)

func (*Organization) SetQuota 

func (o *Organization) SetQuota(quota int64) (bool, error)

func (Organization) SubscribeToExtension 

func (org Organization) SubscribeToExtension(name ExtensionName) error

func (*Organization) SyncFetch 

func (org *Organization) SyncFetch(options SyncOptions) (orgConfig OrgConfig, err error)

func (*Organization) SyncPush 

func (org *Organization) SyncPush(conf OrgConfig, options SyncOptions) ([]OrgSyncOperation, error)

func (*Organization) SyncPushFromFiles 

func (org *Organization) SyncPushFromFiles(rootConfigFile string, options SyncOptions) ([]OrgSyncOperation, error)

func (*Organization) TrafficStats 

func (org *Organization) TrafficStats(start int64, end int64) (Stats, error)

func (Organization) UnsubscribeFromExtension 

func (org Organization) UnsubscribeFromExtension(name ExtensionName) error

func (Organization) UploadArtifact 

func (org Organization) UploadArtifact(data io.Reader, size int64, hint string, source string, artifactId string, originalPath string, nDaysRetention int, ingestionKey string) error

func (*Organization) WhoAmI 

func (org *Organization) WhoAmI() (WhoAmIJsonResponse, error)

Get detailed permission information about the current auth used.

func (*Organization) WithInvestigationID 

func (org *Organization) WithInvestigationID(invID string) *Organization

func (Organization) YaraGetSource 

func (org Organization) YaraGetSource(sourceName string) (string, error)

func (Organization) YaraListRules 

func (org Organization) YaraListRules() (YaraRules, error)

func (Organization) YaraListSources 

func (org Organization) YaraListSources() (YaraSources, error)

func (Organization) YaraRuleAdd 

func (org Organization) YaraRuleAdd(ruleName string, rule YaraRule) error

func (Organization) YaraRuleDelete 

func (org Organization) YaraRuleDelete(ruleName string) error

func (Organization) YaraSourceAdd 

func (org Organization) YaraSourceAdd(sourceName string, source YaraSource) error

func (Organization) YaraSourceDelete 

func (org Organization) YaraSourceDelete(ruleName string) error

type OrganizationInformation 

type OrganizationInformation struct {
	OID            string            `json:"oid,omitempty"`
	SensorVersion  string            `json:"sensor_version,omitempty"`
	LatestVersions map[string]string `json:"latest_versions,omitempty"`
	NumberOutputs  int64             `json:"n_outputs,omitempty"`
	NumberInstKeys int64             `json:"n_installation_keys,omitempty"`
	NumberRules    int64             `json:"n_rules,omitempty"`
	Name           string            `json:"name,omitempty"`
	SensorQuota    int64             `json:"sensor_quota,omitempty"`
}

OrganizationInformation has the information about the organization

type OutputConfig 

type OutputConfig struct {
	Name   string           `json:"name,omitempty"`
	Module OutputModuleType `json:"module"`
	Type   OutputDataType   `json:"type"`

	PrefixData        bool   `json:"is_prefix_data,omitempty,string" yaml:"is_prefix_data,omitempty"`
	DeleteOnFailure   bool   `json:"is_delete_on_failure,omitempty,string" yaml:"is_delete_on_failure,omitempty"`
	NoRouting         bool   `json:"is_no_routing,omitempty,string" yaml:"is_no_routing,omitempty"`
	NoSharding        bool   `json:"is_no_sharding,omitempty,string" yaml:"is_no_sharding,omitempty"`
	IsJsonList        bool   `json:"is_json_list,omitempty,string" yaml:"is_json_list,omitempty"`
	PayloadAsString   bool   `json:"is_payload_as_string,omitempty,string" yaml:"is_payload_as_string,omitempty"`
	InvestigationID   string `json:"inv_id,omitempty" yaml:"inv_id,omitempty"`
	Tag               string `json:"tag,omitempty" yaml:"tag,omitempty"`
	Category          string `json:"cat,omitempty" yaml:"cat,omitempty"`
	SensorID          string `json:"sid,omitempty" yaml:"sid,omitempty"`
	Flat              bool   `json:"is_flat,omitempty,string" yaml:"is_flat,omitempty"`
	Directory         string `json:"dir,omitempty" yaml:"dir,omitempty"`
	DestinationHost   string `json:"dest_host,omitempty" yaml:"dest_host,omitempty"`
	SlackToken        string `json:"slack_api_token,omitempty" yaml:"slack_api_token,omitempty"`
	SlackChannel      string `json:"slack_channel,omitempty" yaml:"slack_channel,omitempty"`
	Bucket            string `json:"bucket,omitempty" yaml:"bucket,omitempty"`
	UserName          string `json:"username,omitempty" yaml:"username,omitempty"`
	Password          string `json:"password,omitempty" yaml:"password,omitempty"`
	TLS               bool   `json:"is_tls,omitempty,string" yaml:"is_tls,omitempty"`
	StrictTLS         bool   `json:"is_strict_tls,omitempty,string" yaml:"is_strict_tls,omitempty"`
	NoHeader          bool   `json:"is_no_header,omitempty,string" yaml:"is_no_header,omitempty"`
	StructuredData    string `json:"structured_data,omitempty" yaml:"structured_data,omitempty"`
	SecretKey         string `json:"secret_key,omitempty" yaml:"secret_key,omitempty"`
	EventWhiteList    string `json:"event_white_list,omitempty" yaml:"event_white_list,omitempty"`
	EventBlackList    string `json:"event_black_list,omitempty" yaml:"event_black_list,omitempty"`
	SecondsPerFile    int    `json:"sec_per_file,omitempty,string" yaml:"sec_per_file,omitempty"`
	SampleRate        int    `json:"sample_rate,omitempty,string" yaml:"sample_rate,omitempty"`
	DestinationEmail  string `json:"dest_email,omitempty" yaml:"dest_email,omitempty"`
	FromEmail         string `json:"from_email,omitempty" yaml:"from_email,omitempty"`
	Readable          bool   `json:"is_readable,omitempty,string" yaml:"is_readable,omitempty"`
	Subject           string `json:"subject,omitempty" yaml:"subject,omitempty"`
	StartTLS          bool   `json:"is_starttls,omitempty,string" yaml:"is_starttls,omitempty"`
	AuthLogin         bool   `json:"is_authlogin,omitempty,string" yaml:"is_authlogin,omitempty"`
	Indexing          bool   `json:"is_indexing,omitempty,string" yaml:"is_indexing,omitempty"`
	Compressing       bool   `json:"is_compression,omitempty,string" yaml:"is_compression,omitempty"`
	CategoryBlackList string `json:"cat_black_list,omitempty" yaml:"cat_black_list,omitempty"`
	CategoryWhiteList string `json:"cat_white_list,omitempty" yaml:"cat_white_list,omitempty"`
	RegionName        string `json:"region_name,omitempty" yaml:"region_name,omitempty"`
	EndpointURL       string `json:"endpoint_url,omitempty" yaml:"endpoint_url,omitempty"`
	AuthHeaderName    string `json:"auth_header_name,omitempty" yaml:"auth_header_name,omitempty"`
	AuthHeaderValue   string `json:"auth_header_value,omitempty" yaml:"auth_header_value,omitempty"`
	RoutingTopic      string `json:"routing_topic,omitempty" yaml:"routing_topic,omitempty"`
	LiteralTopic      string `json:"literal_topic,omitempty" yaml:"literal_topic,omitempty"`
	Topic             string `json:"topic,omitempty" yaml:"topic,omitempty"`
	Project           string `json:"project,omitempty" yaml:"project,omitempty"`
	Dataset           string `json:"dataset,omitempty" yaml:"dataset,omitempty"`
	Table             string `json:"table,omitempty" yaml:"table,omitempty"`
	HumioRepo         string `json:"humio_repo,omitempty" yaml:"humio_repo,omitempty"`
	HumioToken        string `json:"humio_api_token,omitempty" yaml:"humio_api_token,omitempty"`
	CustomTransform   string `json:"custom_transform,omitempty" yaml:"custom_transform,omitempty"`
	KeyID             string `json:"key_id,omitempty" yaml:"key_id,omitempty"`
	AttachmentText    string `json:"attachment_text,omitempty" yaml:"attachment_text,omitempty"`
	Message           string `json:"message,omitempty" yaml:"message,omitempty"`
	Color             string `json:"color,omitempty" yaml:"color,omitempty"`
	CloudID           string `json:"cloud_id,omitempty" yaml:"cloud_id,omitempty"`
	Index             string `json:"index,omitempty" yaml:"index,omitempty"`
	Addresses         string `json:"addresses,omitempty" yaml:"addresses,omitempty"`
	APIKey            string `json:"api_key,omitempty" yaml:"api_key,omitempty"`
	Schema            string `json:"schema,omitempty" yaml:"schema,omitempty"`
}

OutputConfig hold all the possible options used to configure an output

func (OutputConfig) Equals 

func (o OutputConfig) Equals(other OutputConfig) bool

func (OutputConfig) MarshalYAML 

func (o OutputConfig) MarshalYAML() (interface{}, error)

func (*OutputConfig) UnmarshalYAML 

func (o *OutputConfig) UnmarshalYAML(unmarshal func(interface{}) error) error

type OutputDataType 

type OutputDataType = string

OutputDataType is the type of data

type OutputModuleType 

type OutputModuleType = string

OutputModuleType is the type of module

type OutputName 

type OutputName = string

OutputsByName represents OutputConfig where the key is the name of the OutputConfig

type OutputsByName 

type OutputsByName = map[OutputName]OutputConfig

type PartitionID 

type PartitionID string

type Payload 

type Payload struct {
	Name      string `json:"name"`
	Oid       string `json:"oid"`
	Size      uint64 `json:"size"`
	By        string `json:"by"`
	CreatedOn uint64 `json:"created"`
}

type PayloadName 

type PayloadName = string

type Permission 

type Permission struct {
	Name string
}

Permission represents the permission granted in LC

func MakePermissions 

func MakePermissions(arr []string) []Permission

MakePermissions create a permission slice based on permissions name

func NoPermission 

func NoPermission() []Permission

NoPermission is an empty permission slice

type RESTError 

type RESTError struct {
	// contains filtered or unexported fields
}

RESTError is a generic rest error

func NewRESTError 

func NewRESTError(err string) RESTError

NewRESTError makes a new RESTError

func (RESTError) Error 

func (e RESTError) Error() string

type RecordID 

type RecordID struct {
	Hive HiveID     `json:"hive" datastore:"hive,flatten" yaml:"hive"`
	Name RecordName `json:"name" datastore:"name" yaml:"name"`
	GUID GlobalID   `json:"guid" datastore:"guid" yaml:"guid"`
}

type RecordName 

type RecordName string

type ResourceCategory 

type ResourceCategory = string

type ResourceName 

type ResourceName = string

type ResourcesByCategory 

type ResourcesByCategory map[ResourceCategory]map[ResourceName]struct{}

func (*ResourcesByCategory) AddToCategory 

func (r *ResourcesByCategory) AddToCategory(category ResourceCategory, name ResourceName)

func (*ResourcesByCategory) GetForCategory 

func (r *ResourcesByCategory) GetForCategory(category ResourceCategory) map[ResourceName]struct{}

func (*ResourcesByCategory) RemoveFromCategory 

func (r *ResourcesByCategory) RemoveFromCategory(category ResourceCategory, name ResourceName)

type Routing 

type Routing struct {
	Arch      int      `json:"arch"`
	DID       string   `json:"did"`
	EventID   string   `json:"event_id"`
	EventTime int64    `json:"event_time"`
	EventType string   `json:"event_type"`
	ExtIP     string   `json:"ext_ip"`
	Hostname  string   `json:"hostname"`
	IID       string   `json:"iid"`
	IntIP     string   `json:"int_ip"`
	ModuleID  int      `json:"moduleid"`
	OID       string   `json:"oid"`
	Parent    string   `json:"parent"`
	Plat      int      `json:"plat"`
	SID       string   `json:"sid"`
	Tags      []string `json:"tags"`
	This      string   `json:"this"`
}

type Sensor 

type Sensor struct {
	OID          string `json:"oid"`
	IID          string `json:"iid"`
	SID          string `json:"sid"`
	DID          string `json:"did,omitempty"`
	Platform     uint32 `json:"plat"`
	Architecture uint32 `json:"arch"`

	EnrollTS string `json:"enroll"`
	AliveTS  string `json:"alive"`

	InternalIP string `json:"int_ip"`
	ExternalIP string `json:"ext_ip"`

	Hostname string `json:"hostname"`

	IsIsolated        bool `json:"isolated"`
	ShouldIsolate     bool `json:"should_isolate"`
	IsKernelAvailable bool `json:"kernel"`

	Organization *Organization `json:"-"`

	Device *Device `json:"-"`

	LastError error `json:"-"`

	InvestigationID string `json:"-"`
}

func (*Sensor) AddTag 

func (s *Sensor) AddTag(tag string, ttl time.Duration) error

func (*Sensor) Delete 

func (s *Sensor) Delete() error

func (*Sensor) GetTags 

func (s *Sensor) GetTags() ([]TagInfo, error)

func (*Sensor) IsOnline 

func (s *Sensor) IsOnline() (bool, error)

func (*Sensor) IsolateFromNetwork 

func (s *Sensor) IsolateFromNetwork() error

func (*Sensor) RejoinNetwork 

func (s *Sensor) RejoinNetwork() error

func (*Sensor) RemoveTag 

func (s *Sensor) RemoveTag(tag string) error

func (*Sensor) Task 

func (s *Sensor) Task(task string, options ...TaskingOptions) error

func (*Sensor) Update 

func (s *Sensor) Update() *Sensor

type SiteConnectivityInfo 

type SiteConnectivityInfo struct {
	URLs  map[string]string `json:"url"`
	Certs map[string]string `json:"certs"`
}

type Stats 

type Stats struct {
	Totals map[string]uint `json:"totals"`
}

type SyncHiveConfigData 

type SyncHiveConfigData map[string]SyncHiveData

type SyncHiveData 

type SyncHiveData struct {
	Data   map[string]interface{} `json:"data" yaml:"data,omitempty"`
	UsrMtd UsrMtd                 `json:"usr_mtd" yaml:"usr_mtd"`
}

func (*SyncHiveData) Equals 

func (hsd *SyncHiveData) Equals(cData SyncHiveData) (bool, error)

type SyncOptions 

type SyncOptions struct {
	// Force makes the remove Org an exact mirror of the
	// configuration provided, adding and removing.
	// Otherwise elements will only be added, not removed.
	IsForce bool `json:"is_force"`

	// IgnoreInaccessible ignores elements that are
	// locked and cannot be modified by the credentials
	// currently in use.
	IsIgnoreInaccessible bool `json:"ignore_inaccessible"`

	// Only simulate changes to the Org.
	IsDryRun bool `json:"is_dry_run"`

	// Tags used with isForce if tags set force delete will only delete rules with matched tags
	Tags []string `json:"tags"`

	SyncDRRules          bool            `json:"sync_dr"`
	SyncOutputs          bool            `json:"sync_outputs"`
	SyncResources        bool            `json:"sync_resources"`
	SyncExtensions       bool            `json:"sync_extensions"`
	SyncIntegrity        bool            `json:"sync_integrity"`
	SyncFPRules          bool            `json:"sync_fp"`
	SyncExfil            bool            `json:"sync_exfil"`
	SyncArtifacts        bool            `json:"sync_artifacts"`
	SyncOrgValues        bool            `json:"sync_org_values"`
	SyncHives            map[string]bool `json:"sync_hives"`
	SyncInstallationKeys bool            `json:"sync_installation_keys"`
	SyncYara             bool            `json:"sync_yara"`

	IncludeLoader IncludeLoaderCB `json:"-"`
}

Describes which configuration types to Sync.

func SyncAll 

func SyncAll() SyncOptions

type SysMtd 

type SysMtd struct {
	Etag        string `json:"etag" yaml:"etag"`
	CreatedBy   string `json:"created_by" yaml:"created_by"`
	CreatedAt   int64  `json:"created_at" yaml:"created_at"`
	LastAuthor  string `json:"last_author" yaml:"last_author"`
	LastMod     int64  `json:"last_mod" yaml:"last_mod"`
	GUID        string `json:"guid" yaml:"guid"`
	LastError   string `json:"last_error" yaml:"last_error"`
	LastErrorTs int64  `json:"last_error_ts" yaml:"last_error_ts"`
}

type TagInfo 

type TagInfo struct {
	Tag     string
	By      string
	AddedTS string
}

func (*TagInfo) UnmarshalJSON 

func (t *TagInfo) UnmarshalJSON(b []byte) error

type TaskingOptions 

type TaskingOptions struct {
	InvestigationID      string
	InvestigationContext string
}

type UsrMtd 

type UsrMtd struct {
	Enabled bool     `json:"enabled" yaml:"enabled"`
	Expiry  int64    `json:"expiry" yaml:"expiry"`
	Tags    []string `json:"tags" yaml:"tags"`
	Comment string   `json:"comment" yaml:"comment"`
}

type WebhookSender 

type WebhookSender struct {
	// contains filtered or unexported fields
}

func (*WebhookSender) Close 

func (w *WebhookSender) Close() error

func (*WebhookSender) Send 

func (w *WebhookSender) Send(data interface{}) error

type WhoAmIJsonResponse 

type WhoAmIJsonResponse struct {
	UserPermissions *map[string][]string `json:"user_perms:omitempty"`
	Organizations   *[]string            `json:"orgs"`
	Permissions     *[]string            `json:"perms"`
	Identity        *string              `json:"ident"`
}

func (WhoAmIJsonResponse) HasAccessToOrg 

func (w WhoAmIJsonResponse) HasAccessToOrg(oid string) bool

func (WhoAmIJsonResponse) HasPermissionForOrg 

func (w WhoAmIJsonResponse) HasPermissionForOrg(oid string, permName string) bool

type YaraRule 

type YaraRule struct {
	Author      string         `json:"by,omitempty" yaml:"by,omitempty"`
	Filters     YaraRuleFilter `json:"filters,omitempty" yaml:"filters,omitempty"`
	Sources     []string       `json:"sources,omitempty" yaml:"sources,omitempty"`
	LastUpdated int64          `json:"updated,omitempty" yaml:"updated,omitempty"`
}

func (YaraRule) EqualsContent 

func (r YaraRule) EqualsContent(r2 YaraRule) bool

type YaraRuleFilter 

type YaraRuleFilter struct {
	Tags      []string `json:"tags" yaml:"tags"`
	Platforms []string `json:"platforms" yaml:"platforms"`
}

type YaraRuleName 

type YaraRuleName = string

type YaraRules 

type YaraRules map[YaraRuleName]YaraRule

type YaraSource 

type YaraSource struct {
	Author      string `json:"by,omitempty" yaml:"by,omitempty"`
	Source      string `json:"source,omitempty" yaml:"source,omitempty"`
	Content     string `json:"content,omitempty" yaml:"content,omitempty"`
	LastUpdated int64  `json:"updated,omitempty" yaml:"updated,omitempty"`
}

func (YaraSource) EqualsContent 

func (s YaraSource) EqualsContent(s2 YaraSource) bool

type YaraSourceName 

type YaraSourceName = string

type YaraSources 

type YaraSources map[YaraSourceName]YaraSource

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.