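/// <summary>
/// Retrieves every Security Hub finding visible to <paramref name="creds"/> in
/// <paramref name="region"/> and hands each one to <c>AddObject</c>.
/// </summary>
/// <param name="creds">AWS credentials used to sign the Security Hub requests.</param>
/// <param name="region">Region whose Security Hub endpoint is queried.</param>
/// <param name="maxItems">
/// Page size sent as <c>MaxResults</c> on each request. It is not a cap on the total:
/// the loop keeps following <c>NextToken</c> until the service stops returning one.
/// NOTE(review): the service enforces an upper bound on MaxResults; confirm callers
/// pass a value inside that range.
/// </param>
public override void Invoke(AWSCredentials creds, RegionEndpoint region, int maxItems)
{
    AmazonSecurityHubConfig config = new AmazonSecurityHubConfig();
    config.RegionEndpoint = region;
    ConfigureClient(config);

    // The service client is disposable; release it deterministically instead of
    // leaving it to the finalizer.
    using (AmazonSecurityHubClient client = new AmazonSecurityHubClient(creds, config))
    {
        // Seed with an empty response so the first request carries a null NextToken.
        GetFindingsResponse resp = new GetFindingsResponse();
        do
        {
            GetFindingsRequest req = new GetFindingsRequest
            {
                NextToken = resp.NextToken,
                MaxResults = maxItems
            };

            resp = client.GetFindings(req);

            // Check each page before consuming it, so a failed page is never
            // treated as an empty result set.
            CheckError(resp.HttpStatusCode, "200");

            foreach (var obj in resp.Findings)
            {
                AddObject(obj);
            }
        }
        while (!string.IsNullOrEmpty(resp.NextToken));
    }
}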
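/// <summary>
/// Entry point: exports GuardDuty findings for the selected account and region as a
/// single STIX 2.0 bundle, written to stdout or to the file named by the options.
/// </summary>
/// <param name="args">Command-line arguments, parsed into <c>Options</c>.</param>
/// <returns>
/// 0 on success. Negative codes identify the failure: -1 no arguments, -2 argument
/// parse errors, -3/-4 profile lookup failures, -5/-6 missing access key ID/secret,
/// -7 timeout, -8 error while retrieving or converting findings, -9 output file error.
/// </returns>
static int Main(string[] args)
{
    foreach (var line in titleBanner)
    {
        Console.WriteLine(line);
    }

    if (args == null || args.Length == 0)
    {
        // Help screen
        foreach (var line in helpScreen)
        {
            Console.WriteLine(line);
        }
        System.Environment.Exit(-1);
    }

    Options options = null;
    Parser.Default.ParseArguments<Options>(args)
        .WithParsed(o => options = o)
        .WithNotParsed(errors =>
        {
            foreach (var error in errors)
            {
                Console.WriteLine(error);
            }
            System.Environment.Exit(-2);
        });

    // Setup AWS credentials
    var chain = new CredentialProfileStoreChain();
    AWSCredentials awsCredentials;
    RegionEndpoint awsRegion;
    if (!string.IsNullOrWhiteSpace(options.Profile))
    {
        if (!chain.TryGetAWSCredentials(options.Profile, out awsCredentials))
        {
            Console.WriteLine($"Unable to retrieve credentials for profile {options.Profile}");
            System.Environment.Exit(-3);
            return(-3);
        }

        CredentialProfile credentialProfile;
        if (!chain.TryGetProfile(options.Profile, out credentialProfile))
        {
            Console.WriteLine($"Unable to retrieve credential profile for {options.Profile}");
            System.Environment.Exit(-4);
            return(-4);
        }

        // The profile's own region wins; the command-line region is only a fallback.
        awsRegion = credentialProfile.Region ?? RegionEndpoint.GetBySystemName(options.Region);
    }
    else
    {
        // NOTE(review): a secret key passed as a command-line argument is visible in
        // process listings and shell history. Prefer a named profile where possible.
        if (string.IsNullOrWhiteSpace(options.AccessKeyId))
        {
            Console.Error.WriteLine("No profile was specified, but an access key ID was not provided either.");
            System.Environment.Exit(-5);
            return(-5);
        }

        if (string.IsNullOrWhiteSpace(options.AccessKeySecret))
        {
            Console.Error.WriteLine("No profile was specified, but an access key secret was not provided either.");
            System.Environment.Exit(-6);
            return(-6);
        }

        awsCredentials = new BasicAWSCredentials(options.AccessKeyId, options.AccessKeySecret);
        awsRegion = RegionEndpoint.GetBySystemName(options.Region);
    }

    var cts = new CancellationTokenSource();
    var getFindingsTask = Task.Run(new Func<Task<Tuple<object, Exception>>>(async () =>
    {
        // Every service call sits inside this try, so a credential or permission
        // failure on the first call is returned as an error tuple (exit -8) rather
        // than faulting the task and surfacing as an unhandled AggregateException.
        try
        {
            using (var client = new AmazonGuardDutyClient(awsCredentials, awsRegion))
            {
                dynamic bundle = new ExpandoObject();
                bundle.type = "bundle";
                bundle.id = $"guardduty-stix-{DateTime.UtcNow.ToString("yyyy-MM-ddTHH:mm:ss.fffZ", System.Globalization.CultureInfo.InvariantCulture)}";
                bundle.spec_version = "2.0";

                var objects = new List<object>();

                // Both list calls are paginated. Follow NextToken until it is empty;
                // otherwise everything past the first page is silently missing from
                // the export.
                var detectorRequest = new ListDetectorsRequest();
                do
                {
                    var detectorResponse = await client.ListDetectorsAsync(detectorRequest, cts.Token);

                    foreach (var detectorId in detectorResponse.DetectorIds)
                    {
                        // No FindingCriteria is applied, so archived findings are
                        // exported as well. The disabled filter was:
                        /*FindingCriteria = new FindingCriteria
                         * {
                         *     Criterion = { { "service.archived", new Condition { Eq = { "FALSE" } } } }
                         * }*/
                        var listFindingsRequest = new ListFindingsRequest()
                        {
                            DetectorId = detectorId
                        };

                        do
                        {
                            // Get list of findings
                            var listFindingsResponse = await client.ListFindingsAsync(listFindingsRequest, cts.Token);
                            var findingIds = listFindingsResponse.FindingIds;

                            // Skip the detail lookup when the page carries no IDs.
                            if (findingIds != null && findingIds.Count > 0)
                            {
                                // For the list, get the details
                                var getFindingsRequest = new GetFindingsRequest()
                                {
                                    DetectorId = detectorId,
                                    FindingIds = findingIds
                                };
                                var getFindingsResponse = await client.GetFindingsAsync(getFindingsRequest, cts.Token);

                                foreach (var finding in getFindingsResponse.Findings)
                                {
                                    var sdo = await ConvertFindingToStixAsync(finding);
                                    objects.Add(sdo);
                                }
                            }

                            listFindingsRequest.NextToken = listFindingsResponse.NextToken;
                        }
                        while (!string.IsNullOrEmpty(listFindingsRequest.NextToken));
                    }

                    detectorRequest.NextToken = detectorResponse.NextToken;
                }
                while (!string.IsNullOrEmpty(detectorRequest.NextToken));

                bundle.objects = objects;
                return(new Tuple<object, Exception>(bundle, null));
            }
        }
        catch (Exception e)
        {
            await Console.Error.WriteLineAsync(e.ToString());
            return(new Tuple<object, Exception>(null, e));
        }
    }));

    // Hard 60-second budget for the whole retrieval. A partial bundle is never
    // written: on timeout the process exits with -7.
    if (!Task.WaitAll(new[] { getFindingsTask }, 60000, cts.Token))
    {
        // Signal the in-flight requests to stop before the process is torn down.
        cts.Cancel();
        Console.Error.WriteLine("Failed to complete within 60 seconds, aborted.");
        System.Environment.Exit(-7);
        return(-7);
    }

    var result = getFindingsTask.Result;
    if (result.Item2 != null)
    {
        Console.Error.WriteLine($"Unable to parse output: {result.Item2.ToString()}");
        System.Environment.Exit(-8);
        return(-8);
    }

    if (string.IsNullOrWhiteSpace(options.OutputFile))
    {
        Console.Out.WriteLine(Newtonsoft.Json.JsonConvert.SerializeObject(result.Item1));
    }
    else
    {
        try
        {
            // FileMode.Create truncates an existing file at this path. The bundle holds
            // finding details, so the destination should be access-restricted.
            using (var fs = new FileStream(options.OutputFile, FileMode.Create, FileAccess.Write))
            using (var sw = new StreamWriter(fs))
            {
                sw.Write(Newtonsoft.Json.JsonConvert.SerializeObject(result.Item1));
            }

            Console.Out.WriteLine($"Output saved to file {options.OutputFile}");
        }
        catch (Exception e)
        {
            Console.Error.WriteLine($"Unable to write file: {e.ToString()}");
            System.Environment.Exit(-9);
            return(-9);
        }
    }

    return(0);
}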