GitHub - 40net-cloud/forticnapp_network_collector: Python based "application" which collects network based alerts to parse connection members and metrics

40net-cloud / forticnapp_network_collector Public

Notifications You must be signed in to change notification settings
Fork 0
Star 0

Python based "application" which collects network based alerts to parse connection members and metrics

Notifications

Name		Name	Last commit message	Last commit date
Latest commit History 8 Commits
parsers		parsers
.gitignore		.gitignore
README		README
alert_types.js		alert_types.js
network_parser.py		network_parser.py

Repository files navigation

Lacework Network Alert Parser
============================

This tool collects and parses network-related alerts from Lacework to help with policy creation and network monitoring. It handles different types of network connections and provides detailed alert information.

Alert Types Supported
-------------------
- NewExternalServerIp: Inbound connections from external IPs
- NewExternalServerIPConn: Detailed inbound connection information
- NewExternalServerDns: DNS-based inbound connections
- NewExternalServerDNSConn: Detailed DNS-based connection information
- NewExternalClientIp: Outbound connections to external IPs
- NewExternalClientConn: Detailed outbound connection information
- NewInternalConnection: Internal pod-to-pod/service connections

Configuration
------------
Requires a JSON config file (secretsfile.json) with Lacework credentials:
{
    "account": "your-account.lacework.net",
    "keyId": "your-key-id",
    "secret": "your-secret"
}

Usage
-----
1. Basic alert collection:
   python network_parser.py

2. Fetch specific alert by ID:
   python network_parser.py --alert-id YOUR_ALERT_ID

Output Files
-----------
When fetching a specific alert (e.g., alert ID 12701), the following files are generated in the output directory:

1. alert_[ID]_raw.json
   - Initial alert data from the search

2. Detailed Information Files:
   - alert_[ID]_details.json: Detailed alert information
   - alert_[ID]_investigation.json: Investigation data
   - alert_[ID]_events.json: Related events
   - alert_[ID]_relatedalerts.json: Related alerts
   - alert_[ID]_integrations.json: Integration information
   - alert_[ID]_timeline.json: Alert timeline
   - alert_[ID]_observationtimeline.json: Observation timeline

3. alert_[ID]_all.json
   - Combined data from all sources

Time Windows
-----------
- Default lookback period: 7 days
- Specific alert search: Searches in 7-day chunks up to 90 days back
- API limitation: Maximum time window of 7 days per request

Features
--------
1. Robust error handling and logging
2. Rate limiting support
3. Automatic retry on failures
4. Comprehensive data collection across all alert scopes
5. JSON output for easy integration with other tools
6. Support for both bulk alert collection and specific alert lookup

Parsed Information
-----------------
For each alert, the tool extracts:
- Source and destination IPs
- Port information
- Container/pod details
- User information
- Application names
- Geographic location (where applicable)
- DNS names (for DNS-based alerts)
- Cloud provider information (where applicable)

Requirements
-----------
- Python 3.6+
- requests library
- Internet access to Lacework API
- Valid Lacework API credentials

Note: The tool automatically creates an 'output' directory for storing JSON files if it doesn't exist.