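"""Webhook receiver that forwards Superna Zero Trust events to the SentinelOne HEC.

POST /webhook takes a JSON object, converts its human-readable ``detected``
field to epoch seconds, reshapes the fields into the HEC envelope and forwards
the event with the SentinelOne bearer token.

Configuration (environment):
  SENTINELONE_HEC_TOKEN   HEC bearer token (never commit the real value).
  SENTINELONE_HEC_URL     HEC collector endpoint.
  WEBHOOK_SHARED_SECRET   Optional; when set, callers must send it in X-Webhook-Token.
  HEC_TIMEOUT_SECONDS     Upstream timeout, default 10.
  LOG_LEVEL               Python logging level name, default INFO.
  FLASK_DEBUG             "1"/"true" enables the Werkzeug debugger (local dev only).
  BIND_HOST / PORT        Listen address, default 0.0.0.0:5000.
"""
from datetime import datetime
import hmac
import json
import logging
import os
from typing import Any, Optional

from flask import Flask, request, jsonify
import requests

app = Flask(__name__)

# Secrets come from the environment so the token does not live in source
# control. The literal fallback only keeps a bare checkout importable; main()
# warns when it is still in use.
SENTINELONE_HEC_TOKEN = os.environ.get('SENTINELONE_HEC_TOKEN', 'xxxxxxxx')
SENTINELONE_HEC_URL = os.environ.get(
    'SENTINELONE_HEC_URL',
    'https://ingest.us1.sentinelone.net/services/collector/event',
)
# Optional shared secret the sender must present in the X-Webhook-Token header.
# When unset the endpoint is open: anyone who can reach it can inject events
# into SentinelOne under the "Superna_ZeroTrust" source.
WEBHOOK_SHARED_SECRET = os.environ.get('WEBHOOK_SHARED_SECRET')
# Seconds to wait on the collector (connect and read) before giving up.
HEC_TIMEOUT_SECONDS = float(os.environ.get('HEC_TIMEOUT_SECONDS', '10'))
# Layout of the incoming 'detected' field, e.g. "Jan 02, 2024, 03:04:05 PM".
DETECTED_TIME_FORMAT = '%b %d, %Y, %I:%M:%S %p'

# INFO by default: DEBUG output includes per-event identifiers and is noisy.
logging.basicConfig(level=os.environ.get('LOG_LEVEL', 'INFO').upper())
logger = logging.getLogger(__name__)


def _authorized(req) -> bool:
    """Return True when no shared secret is configured or the request presents it.

    The comparison is constant-time so a wrong guess does not leak how many
    leading characters matched.
    """
    if not WEBHOOK_SHARED_SECRET:
        return True
    presented = req.headers.get('X-Webhook-Token', '')
    return hmac.compare_digest(presented, WEBHOOK_SHARED_SECRET)


def _detected_to_epoch(detected: Optional[str]) -> int:
    """Convert the payload's 'detected' string to integer epoch seconds.

    Raises ValueError when the field is missing, not a string, or does not
    match DETECTED_TIME_FORMAT.

    NOTE(review): strptime returns a naive datetime, so .timestamp() interprets
    it in the host's local timezone. Confirm this matches the timezone Superna
    reports in; otherwise events land in SentinelOne offset by the UTC delta.
    """
    if not isinstance(detected, str):
        raise ValueError("'detected' is missing or not a string")
    parsed = datetime.strptime(detected, DETECTED_TIME_FORMAT)
    return int(parsed.timestamp())


def _build_event(payload: dict, detected_epoch: int) -> dict:
    """Reshape the Superna payload into the envelope the SentinelOne HEC expects.

    Only the listed fields are forwarded; anything else on the payload is dropped.
    """
    return {
        "sourcetype": "json",
        "source": "Superna_ZeroTrust",
        "attributes": {"dataset": "json"},
        "time": detected_epoch,
        "event": {
            "user": payload.get("user"),
            "state": payload.get("state"),
            "userName": payload.get("userName"),
            "protocol": payload.get("protocol"),
            "eventSource": payload.get("eventSource"),
            "numFiles": payload.get("numFiles"),
            "nes": payload.get("nes"),
            "detected": payload.get("detected"),  # Use the user friendly time
            "clientIPs": payload.get("clientIPs"),
            "shares": payload.get("shares"),
            "severity": payload.get("severity"),
            "eventid": payload.get("id"),
            "files": payload.get("files"),
            # Add other fields as required
        },
    }


@app.route('/webhook', methods=['POST'])
def webhook():
    """Receive one Superna event, forward it to SentinelOne and report the outcome.

    Responses: 401 when a shared secret is configured and not presented; 400
    for a body that is not a JSON object or lacks a parseable 'detected'
    field; 502 when SentinelOne rejects the event or is unreachable; 500 for
    anything unexpected; 200 on success. Error bodies are deliberately
    generic -- details go to the log, not back to the caller.
    """
    if not _authorized(request):
        logger.warning("Rejected webhook call from %s: bad or missing token",
                       request.remote_addr)
        return jsonify({"error": "unauthorized"}), 401

    # silent=True turns a non-JSON body into None instead of raising from
    # inside the view, so the caller gets one consistent error shape.
    payload: Any = request.get_json(silent=True)
    if not isinstance(payload, dict):
        return jsonify({"error": "request body must be a JSON object"}), 400

    event_id = payload.get("id")
    try:
        detected_epoch = _detected_to_epoch(payload.get("detected"))
    except ValueError as exc:
        logger.warning("Rejected event %s: %s", event_id, exc)
        return jsonify({"error": "invalid or missing 'detected' timestamp"}), 400

    sentinelone_event = _build_event(payload, detected_epoch)
    # Log identifiers only: the full event carries usernames, client IPs and
    # file paths that do not belong in application logs.
    logger.debug("Forwarding event id=%s severity=%s to SentinelOne",
                 event_id, payload.get("severity"))

    headers = {
        'Authorization': f'Bearer {SENTINELONE_HEC_TOKEN}',
        'Content-Type': 'application/json',
    }
    try:
        response = requests.post(
            SENTINELONE_HEC_URL,
            headers=headers,
            data=json.dumps(sentinelone_event),
            timeout=HEC_TIMEOUT_SECONDS,  # never park a worker on a silent collector
            verify=True,
        )
        logger.debug("SentinelOne responded %s for event %s",
                     response.status_code, event_id)
        response.raise_for_status()
    except requests.exceptions.HTTPError as err:
        # Keep the upstream body in our logs only; echoing it to the caller
        # would expose collector internals and the request URL.
        logger.error("SentinelOne rejected event %s: %s - %s",
                     event_id, err.response.status_code, err.response.text)
        return jsonify({"error": "SentinelOne rejected the event",
                        "upstream_status": err.response.status_code}), 502
    except requests.exceptions.RequestException as err:
        logger.error("Could not reach SentinelOne for event %s: %s", event_id, err)
        return jsonify({"error": "SentinelOne unreachable"}), 502
    except Exception:
        # Last-resort boundary: log the traceback, never str(e) to the client.
        logger.exception("Unexpected failure handling event %s", event_id)
        return jsonify({"error": "internal error"}), 500

    return jsonify({"message": "Event sent to SentinelOne successfully"}), 200


if __name__ == '__main__':
    if SENTINELONE_HEC_TOKEN == 'xxxxxxxx':
        logger.warning("SENTINELONE_HEC_TOKEN is the placeholder value; "
                       "set it in the environment before sending events")
    if not WEBHOOK_SHARED_SECRET:
        logger.warning("WEBHOOK_SHARED_SECRET unset: /webhook accepts events "
                       "from anyone who can reach it")
    # The Werkzeug debugger hands an interactive Python console to whoever
    # triggers an exception, so it must never be on while bound to 0.0.0.0.
    # Opt in explicitly, and only on a loopback address for local development.
    debug_enabled = os.environ.get('FLASK_DEBUG', '').lower() in ('1', 'true', 'yes')
    # This is Flask's development server; front it with a real WSGI server
    # and TLS termination for anything beyond a lab.
    app.run(
        host=os.environ.get('BIND_HOST', '0.0.0.0'),
        port=int(os.environ.get('PORT', '5000')),
        debug=debug_enabled,
    )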