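"""Flask webhook that forwards Superna Zero Trust alerts to SentinelOne's HEC collector.

Superna POSTs a JSON alert to ``/webhook``; the handler reshapes it into a HEC
event and POSTs it to ``SENTINELONE_HEC_URL`` with a bearer token.
"""
import json
import logging
import os
from datetime import datetime

from flask import Flask, jsonify, request
import requests

app = Flask(__name__)

# The HEC token is a bearer credential. Read it from the environment rather than
# committing it to source; the literal is only a placeholder so the module still
# imports when the variable is unset (a warning is logged below in that case).
SENTINELONE_HEC_TOKEN = os.environ.get('SENTINELONE_HEC_TOKEN', 'xxxxxxxx')
SENTINELONE_HEC_URL = os.environ.get(
    'SENTINELONE_HEC_URL',
    'https://ingest.us1.sentinelone.net/services/collector/event',
)
# Upper bound on the outbound HEC call so a slow or unreachable collector cannot
# pin this server's request workers indefinitely.
SENTINELONE_TIMEOUT_SECONDS = 10

# Configure logging
logging.basicConfig(level=logging.DEBUG)  # You can change this to INFO, WARNING, ERROR as needed
logger = logging.getLogger(__name__)

if SENTINELONE_HEC_TOKEN == 'xxxxxxxx':
    logger.warning("SENTINELONE_HEC_TOKEN is not set; forwarding will be rejected by SentinelOne")


def build_sentinelone_event(payload):
    """Map a Superna Zero Trust alert onto the SentinelOne HEC event shape.

    Args:
        payload: the decoded JSON request body (a dict). Missing fields become
            ``None`` in the event, matching the previous best-effort mapping.

    Returns:
        The dict to POST to the HEC collector.

    Raises:
        ValueError: if ``detectedTime`` is present but cannot be read as an integer.
    """
    # Use detectedTime (epoch seconds) directly instead of parsing the 'detected' string.
    raw_time = payload.get("detectedTime", 0)  # default to 0 if missing
    try:
        detected_epoch = int(raw_time)
    except (TypeError, ValueError):
        raise ValueError(f"detectedTime is not an integer epoch: {raw_time!r}") from None

    # Only dict entries carrying a "name" contribute; anything else in the list is skipped
    # rather than crashing the handler.
    shares = payload.get("shares") or []
    share_names = [
        share["name"]
        for share in shares
        if isinstance(share, dict) and "name" in share
    ]

    return {
        "sourcetype": "json",
        "source": "Superna_ZeroTrust",
        "attributes": {"dataset": "json"},
        "time": detected_epoch,
        "event": {
            "user": payload.get("user"),
            "state": payload.get("state"),
            "userName": payload.get("userName"),
            "protocol": payload.get("protocol"),
            "eventSource": payload.get("eventSource"),
            "numFiles": payload.get("numFiles"),
            "nes": payload.get("nes"),
            "detected": payload.get("detected"),  # Keep for human readability
            "clientIPs": payload.get("clientIPs"),
            "shares": share_names,
            "severity": payload.get("severity"),
            "eventid": payload.get("id"),
            "files": payload.get("files"),
        },
    }


@app.route('/webhook', methods=['POST'])
def webhook():
    """Receive a Superna alert and forward it to SentinelOne.

    Returns a JSON body and an HTTP status: 200 on success, 400 for a body that
    is not a JSON object or has a malformed ``detectedTime``, the upstream status
    when SentinelOne rejects the event, 502 when it cannot be reached, 500 otherwise.
    Error bodies carry a fixed message; details are logged server-side only.

    NOTE: this route itself performs no caller authentication, so it should only be
    reachable from the Superna host (network ACL or an authenticating reverse proxy).
    """
    # silent=True: a missing or non-JSON body yields None instead of an uncaught 400/415.
    payload = request.get_json(silent=True)
    # The alert may carry user names, client IPs and file paths; DEBUG-level logging
    # of the raw payload is for troubleshooting, not for production log retention.
    logger.debug("Incoming request payload: %s", payload)
    if not isinstance(payload, dict):
        return jsonify({"error": "Request body must be a JSON object"}), 400

    try:
        sentinelone_event = build_sentinelone_event(payload)
    except ValueError as err:
        logger.warning("Rejected payload: %s", err)
        return jsonify({"error": "Invalid detectedTime"}), 400

    logger.debug("Sending event to SentinelOne:\n%s", json.dumps(sentinelone_event, indent=2))
    headers = {
        'Authorization': f'Bearer {SENTINELONE_HEC_TOKEN}',
        'Content-Type': 'application/json',
    }
    try:
        response = requests.post(
            SENTINELONE_HEC_URL,
            headers=headers,
            data=json.dumps(sentinelone_event),
            verify=True,
            timeout=SENTINELONE_TIMEOUT_SECONDS,
        )
        logger.debug("Response from SentinelOne: %s - %s", response.status_code, response.text)
        response.raise_for_status()
    except requests.exceptions.HTTPError as err:
        logger.error("HTTPError from SentinelOne: %s", err)
        # Pass the upstream status through, but not the upstream error text.
        status = err.response.status_code if err.response is not None else 502
        return jsonify({"error": "SentinelOne rejected the event"}), status
    except requests.exceptions.RequestException as err:
        logger.error("Could not reach SentinelOne: %s", err)
        return jsonify({"error": "Could not reach SentinelOne"}), 502
    except Exception:
        # Full traceback goes to the log; the caller only learns that it failed.
        logger.exception("Unexpected error while forwarding event")
        return jsonify({"error": "Internal server error"}), 500

    return jsonify({"message": "Event sent to SentinelOne successfully"}), 200


if __name__ == '__main__':
    # Werkzeug's interactive debugger lets anyone who can reach the port run code,
    # so it stays off unless FLASK_DEBUG is explicitly enabled in the environment.
    debug = os.environ.get('FLASK_DEBUG', '').lower() in ('1', 'true', 'yes', 'on')
    app.run(host='0.0.0.0', port=5000, debug=debug)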