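"""Eyeglass -> QRadar webhook relay.

Receives Superna Eyeglass incident webhooks on ``/webhook``, flattens them into
a UEF-style JSON document and forwards that document to the QRadar HTTP log
source configured in ``HTTP_SERVER_URL``.
"""
import logging
import os
from datetime import datetime, timezone
from urllib.parse import quote

import requests
from flask import Flask, jsonify, request  # jsonify kept: part of the original import list

app = Flask(__name__)
logger = logging.getLogger(__name__)

# Replace with your HTTP server URL and set the port number to the custom port
# used on your log source configuration within qradar
HTTP_SERVER_URL = 'http://x.x.x.x:12469'

# Seconds to wait for the QRadar log source to answer. Without a timeout a
# stalled receiver would block the webhook worker indefinitely.
HTTP_TIMEOUT_SECONDS = 10

# set ip of the eyeglass VM or FQDN DNS name if you access the VM by name. The
# value here must match the method of access, IP or DNS name
source_ip = "FQDN"  # change this value to ip or FQDN

# Fallback used for every field the Eyeglass payload does not supply.
UNKNOWN = 'Unknown'


def format_uef(payload, source_ip):
    """Convert an Eyeglass webhook payload into a flat UEF-style dict.

    Args:
        payload: Parsed JSON body of the Eyeglass webhook (a dict). Keys that
            are missing fall back to ``"Unknown"``; an empty or missing
            ``clientIPs`` / ``actions`` list falls back the same way instead of
            raising ``IndexError``.
        source_ip: IP or FQDN of the Eyeglass VM, used only to build the
            incident link.

    Returns:
        dict of UEF fields ready to be posted to the QRadar HTTP log source.
    """
    # Static fields as per UEF specification
    device_product = "Eyeglass Zero Trust"
    device_vendor = "Superna"
    device_version = "V1"  # Replace with the actual version if available
    device_event_class_id = "security"  # Replace or determine dynamically if possible
    version = "1.0"  # Literal string for version
    event_type = "threat_detection"  # Literal string for event_type

    # Extracting fields from the payload
    protocol = payload.get('protocol', UNKNOWN)

    # Incident id: drop the leading '#' Eyeglass prefixes. str() guards against
    # a numeric id, which has no .replace().
    incidentid = str(payload.get('id', UNKNOWN)).replace("#", "")
    # The id comes from the request body, so percent-encode it: an unexpected
    # value must not be able to change the path or query of the incident link.
    incident_baseURL = (
        "https://" + source_ip + "/rsw/alerts/" + quote(incidentid, safe='') + "?type=active"
    )

    # clientIPs is expected to be a list; an empty or absent list yields Unknown
    # rather than IndexError/TypeError. A bare string is passed through whole
    # instead of being sliced to its first character.
    client_ips = payload.get('clientIPs') or [UNKNOWN]
    client_ip = client_ips[0] if isinstance(client_ips, (list, tuple)) else client_ips

    actions = payload.get('actions') or []
    comment = ' | '.join(a.get('comment', '') for a in actions)  # all comments, separated by ' | '
    action = actions[0].get('action', UNKNOWN) if actions else UNKNOWN

    # ISO-8601 UTC with millisecond precision (datetime.utcnow() is deprecated
    # since Python 3.12; the aware form produces the same text).
    event_time = datetime.now(timezone.utc).strftime('%Y-%m-%dT%H:%M:%S.%f')[:-3] + 'Z'

    user = payload.get('userName', UNKNOWN)
    severity = payload.get('severity', UNKNOWN)
    state = payload.get('state', UNKNOWN)
    files = payload.get('files', UNKNOWN)

    # Construct the UEF message as a dictionary
    uef_message = {
        "Incident_ID": incidentid,
        "device_product": device_product,
        "device_vendor": device_vendor,
        "device_version": device_version,
        "device_event_class_id": device_event_class_id,
        "incident_URL": incident_baseURL,
        "version": version,
        "event_type": event_type,
        "protocol": protocol,
        "client_ip": client_ip,
        # "comment": comment,  # uncomment this line if you want to receive detailed incident steps taken by Security Edition
        "time": event_time,
        "user": user,
        "action": action,
        "severity": severity,
        "files": files,
        "state": state,
    }
    return uef_message


def send_to_http(uef_message, source_ip):
    """POST the UEF message as JSON to the QRadar HTTP log source.

    Args:
        uef_message: dict produced by :func:`format_uef`.
        source_ip: Unused; retained so existing callers keep working.

    Raises:
        requests.RequestException: on connection failure or when the receiver
            does not answer within ``HTTP_TIMEOUT_SECONDS``.
    """
    headers = {'Content-Type': 'application/json'}
    response = requests.post(
        HTTP_SERVER_URL,
        json=uef_message,
        headers=headers,
        timeout=HTTP_TIMEOUT_SECONDS,
    )
    # Log the response so delivery problems on the QRadar side are visible.
    logger.info("HTTP Post Response: %s - %s", response.status_code, response.text)


@app.route('/webhook', methods=['POST'])
def webhook():
    """Accept an Eyeglass webhook and relay it to QRadar.

    Returns:
        ``("Success", 200)`` once the message has been posted, ``400`` when the
        body is not a JSON object, and ``500`` on any processing or delivery
        error. Error details are logged, not returned to the caller, so that
        internal state is not disclosed to whoever can reach this endpoint.
    """
    # silent=True returns None instead of raising on a missing/invalid JSON
    # body, so malformed input is reported as a client error rather than a 500.
    payload = request.get_json(silent=True)
    if not isinstance(payload, dict):
        return "Bad Request: JSON object expected", 400
    try:
        uef_message = format_uef(payload, source_ip)
        send_to_http(uef_message, source_ip)  # Pass source_ip here as well
    except Exception:
        logger.exception("Failed to relay Eyeglass webhook")
        return "Internal Server Error", 500
    return "Success", 200


if __name__ == '__main__':
    logging.basicConfig(level=logging.INFO)
    # Do not pass debug=True here: with the app bound to 0.0.0.0 the Werkzeug
    # debugger's interactive console would be reachable from any host. For
    # local development set FLASK_DEBUG=1 in the environment instead.
    app.run(host='0.0.0.0', port=5000)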