petarpetrovski/siem-query-utils

# siem-query-utils

General utilities for querying SIEMs, developed with FastAPI and built on top of the `jupyter-datascience:python-3.10` image. The container supports direct execution via python-fire and a local web server run on uvicorn with `siem_query_utils serve`.

High-cost functions are cached using cacheout, which significantly improves performance: by default every Azure CLI call is cached in memory for 5 minutes.
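
The caching behaviour described above, shown as an added, self-contained example rather than the project's own code (the project uses cacheout; this reimplements the same idea with the standard library so the expiry can be driven by an injectable clock). The `az` function below is a stand-in for a real Azure CLI invocation, and the 5-minute TTL, the `TTLCache`/`memoize` names and the counters are all assumptions of this example:

```python
import functools
import time
from typing import Any, Callable, Dict, Hashable, Tuple

# Assumed for this example: a 5-minute lifetime, matching the README's default.
DEFAULT_TTL_SECONDS = 300


class TTLCache:
    """Minimal in-memory cache with per-entry expiry, keyed by call arguments.

    The clock is injectable so expiry can be exercised without sleeping.
    """

    def __init__(self, ttl: float = DEFAULT_TTL_SECONDS,
                 clock: Callable[[], float] = time.monotonic):
        self.ttl = ttl
        self.clock = clock
        self._store: Dict[Hashable, Tuple[float, Any]] = {}
        self.hits = 0
        self.misses = 0

    def get(self, key: Hashable) -> Tuple[Any, bool]:
        """Return (value, True) on a live hit, (None, False) on a miss or expiry."""
        entry = self._store.get(key)
        if entry is None:
            self.misses += 1
            return None, False
        expires_at, value = entry
        if self.clock() >= expires_at:
            del self._store[key]  # expired entries are dropped, never served
            self.misses += 1
            return None, False
        self.hits += 1
        return value, True

    def set(self, key: Hashable, value: Any) -> None:
        self._store[key] = (self.clock() + self.ttl, value)


def memoize(cache: TTLCache):
    """Decorator: cache a function's result for cache.ttl seconds per distinct argument set."""
    def wrap(func):
        @functools.wraps(func)
        def inner(*args, **kwargs):
            # The full argument set is part of the key, so a query for one
            # workspace or subscription can never be answered from another's result.
            key = (func.__name__, args, tuple(sorted(kwargs.items())))
            value, found = cache.get(key)
            if found:
                return value
            value = func(*args, **kwargs)
            cache.set(key, value)
            return value
        inner.cache = cache
        return inner
    return wrap


class FakeClock:
    """Constructed clock so the demo can jump past the TTL instantly."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def build_demo():
    """Wire a cache, a fake clock and a fake `az` call that records real invocations."""
    clock = FakeClock()
    cache = TTLCache(clock=clock)
    calls = []

    @memoize(cache)
    def az(*args):
        # Stand-in for subprocess.run(["az", *args], ...); each real run is recorded.
        calls.append(args)
        return {"args": args, "call_no": len(calls)}

    return clock, cache, az, calls


def run_demo() -> dict:
    """Exercise hit, distinct-key miss and expiry; return counters for inspection."""
    clock, cache, az, calls = build_demo()
    first = az("account", "show")
    second = az("account", "show")   # same args within TTL: served from cache
    az("group", "list")              # different args: its own entry, real call
    clock.advance(DEFAULT_TTL_SECONDS + 1)
    third = az("account", "show")    # past the TTL: re-executed
    return {
        "real_calls": len(calls),
        "hits": cache.hits,
        "misses": cache.misses,
        "first_no": first["call_no"],
        "second_no": second["call_no"],
        "third_no": third["call_no"],
    }


if __name__ == "__main__":
    print(run_demo())
```

Two points the demo makes visible: repeated identical calls inside the window cost nothing, and an entry is re-fetched rather than served once its 5 minutes are up. Because results live only in process memory, restarting the container empties the cache, which is the same property the README relies on.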

## Usage

The container image is intended to be hosted on a runtime such as Azure App Service (Custom Container). A Managed Identity must be configured so the container can log in to the Azure CLI. `example_env` should be populated and used as a local `.env` file within this repository, or its variables configured in your container hosting environment.

```shell
# Azure CLI quickstart
az webapp create --name <APP_NAME> --resource-group myRG --plan myPremiumPlan --deployment-container-image-name ghcr.io/wagov/siem-query-utils:v1.3.6
# Login to portal and configure env vars (these are needed for container to start)
```

## Development

For local development under macOS with interactive debugging, run the following (requires Python 3.10):

```shell
# macOS prerequisites
brew install quarto weasyprint wkhtmltopdf jupyterlab
# Install python dependencies
pip3 install .
# Install using poetry so project is editable
poetry install
# Login to azure cli (tenant is optional, but useful if e.g. one tenant has specific auth constraints).
az login --tenant $TENANT_ID
# Run the basic service api
siem_query_utils serve
# Run a jupyter lab instance in the project directory
jupyter lab
```

If you are using GitHub Codespaces, use the quickstart below:

```shell
# Jupyter lab in project
poetry run siem_query_utils jupyterlab /workspace
# API endpoints
poetry run siem_query_utils serve
```

After running the above you can open `/api/v1/docs` in your browser to reach the Swagger debug UI, which lets you test all the endpoints.

You can also build and test the container locally using Docker:

```shell
docker build -t squ .; docker run --env-file .env -p 8000:8000 --entrypoint /bin/bash -it squ
# inside docker container (--tenant is optional, but useful if e.g. one tenant has specific auth constraints).
poetry run az login --tenant $TENANT_ID
# follow auth prompts
poetry run siem_query_utils serve
```
