Skip to content
Open
Empty file modified services/bin/m01-intelligence.js
100644 → 100755
Empty file.
4 changes: 4 additions & 0 deletions services/bin/octobus-tentacles.js
100644 → 100755
Original file line number Diff line number Diff line change
Expand Up @@ -141,6 +141,10 @@ const services = {
entryFile: "../qianxin__fw-secgate3600/bin/qianxin-fw-secgate3600.js",
serviceModule: "../qianxin__fw-secgate3600/src/service.js",
},
"qianxin-tianyan-platform": {
entryFile: "../qianxin__tianyan-platform/bin/qianxin-tianyan-platform.js",
serviceModule: "../qianxin__tianyan-platform/src/service.js",
},
"qianxin-fw-secgate3600-http-x": {
entryFile: "../qianxin__fw-secgate3600-http-x/bin/qianxin-fw-secgate3600-http-x.js",
serviceModule: "../qianxin__fw-secgate3600-http-x/src/service.js",
Expand Down
10 changes: 10 additions & 0 deletions services/bin/qianxin-tianyan-platform.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
#!/usr/bin/env node

import { fileURLToPath } from "node:url";
import { runServiceMain } from "@chaitin-ai/octobus-sdk";

import { service } from "../qianxin__tianyan-platform/src/service.js";

runServiceMain(service, {
entryFile: fileURLToPath(new URL("../qianxin__tianyan-platform/bin/qianxin-tianyan-platform.js", import.meta.url)),
});
Empty file modified services/m01__intelligence/bin/m01-intelligence.js
100644 → 100755
Empty file.
3 changes: 3 additions & 0 deletions services/package.json
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,7 @@
"owasp-dependency-track-sca-v5-0": "bin/owasp-dependency-track-sca-v5-0.js",
"panabit-tang-r1": "bin/panabit-tang-r1.js",
"qianxin-fw-secgate3600": "bin/qianxin-fw-secgate3600.js",
"qianxin-tianyan-platform": "bin/qianxin-tianyan-platform.js",
"qianxin-fw-secgate3600-http-x": "bin/qianxin-fw-secgate3600-http-x.js",
"qianxin-hunter": "bin/qianxin-hunter.js",
"qiming-tianqing-waf": "bin/qiming-tianqing-waf.js",
Expand Down Expand Up @@ -105,6 +106,7 @@
"bin/owasp-dependency-track-sca-v5-0.js",
"bin/panabit-tang-r1.js",
"bin/qianxin-fw-secgate3600.js",
"bin/qianxin-tianyan-platform.js",
"bin/qianxin-fw-secgate3600-http-x.js",
"bin/qianxin-hunter.js",
"bin/qiming-tianqing-waf.js",
Expand Down Expand Up @@ -169,6 +171,7 @@
"owasp__dependency-track-sca_v5-0",
"panabit__tang-r1",
"qianxin__fw-secgate3600",
"qianxin__tianyan-platform",
"qianxin__fw-secgate3600-http-x",
"qianxin__hunter_v23-1",
"qiming-tianqing__waf",
Expand Down
51 changes: 51 additions & 0 deletions services/qianxin__tianyan-platform/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
# QIANXIN TianYan Platform

OctoBus service package for **QIANXIN TianYan** (奇安信网神威胁监测与分析系统 - 天眼分析平台) V4.0.12.0.

- **Vendor**: QIANXIN (奇安信)
- **Product**: 天眼分析平台 V4.0.12.0
- **Proto package**: `QIANXIN_TianYan_Platform`

## Authentication

Fully automatic — no manual token management required.

Set `secret.login_key` (the platform's passwordless login key, found under 系统管理 → 帐号管理 → 本地帐号管理 → 免密LOGIN密钥). On each call the package:

1. Derives `client_id` and `client_secret` from `login_key` via SHA-256.
2. POSTs to `/skyeye/v1/admin/auth` to obtain an `access_token`.
3. GETs `/skyeye/v1/admin/auth?token=...` to acquire a session cookie and CSRF token from the HTML response.
4. Calls the target API with the CSRF token and session cookie.

The default login username is `tapadmin`; override via `secret.username`.

## Config

| Field | Required | Description |
|-------|----------|-------------|
| `restBaseUrl` | Yes | TianYan base URL, e.g. `https://tianyan.example.com:443` |
| `timeoutMs` | No | HTTP timeout in ms (default 15000) |
| `tlsInsecureSkipVerify` | No | Skip TLS verification for self-signed certs |

## Methods

| Method | HTTP | Endpoint | Description |
|--------|------|----------|-------------|
| `ListAlarms` | GET | `/skyeye/v1/alarm/alarm/list` | Query threat alarms with optional filters for hazard level, time range, attacker/victim IP (gzip+base64 encoded), IOC, threat type, and disposition status. |
| `UpdateAlarmStatus` | PUT | `/alarm/alarm/list` | Update alarm disposition: 0=未处置, 1=已处置, 6=忽略, 7=误报. |
| `SearchLogs` | GET | `/analysis/log-search/list` | Search raw security logs by keyword, time range, log index, and category. |
| `SPLSearch` | GET | `/analysis/log-search/spl-search` | Expert SPL query with structured field extraction. |
| `ListAssets` | GET | `/asset/asset/manage/info` | Query asset inventory with optional IP, name, group, port, and type filters. |
| `ListVulnerabilities` | GET | `/asset/vul/leaks/list` | List asset vulnerabilities with optional IP, name, and severity filters. |
| `ThreatHuntSearch` | GET | `/analysis/hunt/search` | Build a threat relationship graph for an IOC keyword (IP, domain, URL, MD5, or email). |
| `AddFlowWhitelist` | POST | `/system/rule_cfg/white_list_flow` | Add an IP, IOC, or threat type to the flow sensor whitelist to suppress future alerts. |
| `GetCompromisedHostStatus` | GET | `/analysis/hunting/stuck_host/status` | Check whether a host is compromised and return its alarm count, risk score, and IOC count. |

## Test

```bash
cd services
npm run validate -- --service-dir qianxin__tianyan-platform
npm test -- --service-dir qianxin__tianyan-platform
npm run pack:check
```
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
#!/usr/bin/env node

import { runServiceMain } from "@chaitin-ai/octobus-sdk";

import { service } from "../src/service.js";

runServiceMain(service);
11 changes: 11 additions & 0 deletions services/qianxin__tianyan-platform/config.schema.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"type": "object",
"required": ["restBaseUrl"],
"properties": {
"restBaseUrl": {"type": "string", "description": "TianYan base URL, e.g. https://tianyan.example.com:443"},
"timeoutMs": {"type": "integer", "default": 15000, "description": "HTTP timeout in ms."},
"tlsInsecureSkipVerify": {"type": "boolean", "default": false}
},
"additionalProperties": false
}
12 changes: 12 additions & 0 deletions services/qianxin__tianyan-platform/package.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
{
"name": "qianxin-tianyan-platform",
"version": "0.0.0",
"private": true,
"type": "module",
"bin": {
"qianxin-tianyan-platform": "bin/qianxin-tianyan-platform.js"
},
"dependencies": {
"@chaitin-ai/octobus-sdk": "^0.5.0"
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,157 @@
syntax = "proto3";

package QIANXIN_TianYan_Platform;

import "google/protobuf/struct.proto";
import "google/protobuf/wrappers.proto";

service QIANXIN_TianYan_Platform {
rpc ListAlarms (ListAlarmsRequest) returns (ListAlarmsResponse);
rpc UpdateAlarmStatus (UpdateAlarmStatusRequest) returns (UpdateAlarmStatusResponse);
rpc SearchLogs (SearchLogsRequest) returns (SearchLogsResponse);
rpc SPLSearch (SPLSearchRequest) returns (SPLSearchResponse);
rpc ListAssets (ListAssetsRequest) returns (ListAssetsResponse);
rpc ListVulnerabilities (ListVulnerabilitiesRequest) returns (ListVulnerabilitiesResponse);
rpc ThreatHuntSearch (ThreatHuntSearchRequest) returns (ThreatHuntSearchResponse);
rpc AddFlowWhitelist (AddFlowWhitelistRequest) returns (AddFlowWhitelistResponse);
rpc GetCompromisedHostStatus (GetCompromisedHostStatusRequest) returns (GetCompromisedHostStatusResponse);
}

// ListAlarms — query threat alarms with filters
message ListAlarmsRequest {
int32 offset = 1;
int32 limit = 2;
google.protobuf.Int32Value hazard_level = 3;
google.protobuf.Int64Value start_time = 4;
google.protobuf.Int64Value end_time = 5;
google.protobuf.StringValue threat_name = 6;
google.protobuf.StringValue attack_sip = 7;
google.protobuf.StringValue alarm_sip = 8;
google.protobuf.StringValue status = 9;
google.protobuf.StringValue threat_type = 10;
google.protobuf.StringValue host_state = 11;
google.protobuf.StringValue data_source = 12;
google.protobuf.StringValue serial_num = 13;
google.protobuf.StringValue ioc = 14;
google.protobuf.StringValue order_by = 15;
}

message ListAlarmsResponse {
int32 total = 1;
repeated google.protobuf.Value items = 2;
}

// UpdateAlarmStatus — update alarm disposition (handled/ignored/false-positive)
message UpdateAlarmStatusRequest {
string ids = 1;
int32 status = 2;
}

message UpdateAlarmStatusResponse {}

// SearchLogs — raw log search with keyword or SPL filter
message SearchLogsRequest {
int64 start_time = 1;
int64 end_time = 2;
int32 offset = 3;
int32 limit = 4;
google.protobuf.StringValue branch_id = 5;
google.protobuf.StringValue index = 6;
google.protobuf.StringValue category = 7;
google.protobuf.StringValue mode = 8;
google.protobuf.StringValue keyword = 9;
}

message SearchLogsResponse {
int32 total = 1;
repeated google.protobuf.Value items = 2;
repeated string fields = 3;
}

// SPLSearch — expert SPL query with field extraction
message SPLSearchRequest {
int64 start_time = 1;
int64 end_time = 2;
google.protobuf.StringValue category = 3;
google.protobuf.StringValue index = 4;
google.protobuf.StringValue branch_id = 5;
google.protobuf.StringValue keyword = 6;
}

message SPLSearchResponse {
repeated string fields = 1;
repeated google.protobuf.Value results = 2;
}

// ListAssets — asset inventory query with filters
message ListAssetsRequest {
int32 offset = 1;
int32 limit = 2;
google.protobuf.StringValue ipaddrs = 3;
google.protobuf.StringValue sname = 4;
google.protobuf.StringValue group_ids = 5;
google.protobuf.StringValue port = 6;
google.protobuf.StringValue stype_ids = 7;
google.protobuf.StringValue branch_id = 8;
}

message ListAssetsResponse {
int32 total = 1;
repeated google.protobuf.Value data = 2;
}

// ListVulnerabilities — asset vulnerability list
message ListVulnerabilitiesRequest {
int32 limit = 1;
int32 offset = 2;
google.protobuf.StringValue ip = 3;
google.protobuf.StringValue name = 4;
google.protobuf.Int32Value level = 5;
google.protobuf.StringValue branch_id = 6;
}

message ListVulnerabilitiesResponse {
int32 total = 1;
repeated google.protobuf.Value items = 2;
}

// ThreatHuntSearch — build threat relationship graph for an IOC
message ThreatHuntSearchRequest {
string kwd = 1;
int64 start_time = 2;
int64 end_time = 3;
}

message ThreatHuntSearchResponse {
repeated google.protobuf.Value nodes = 1;
repeated google.protobuf.Value links = 2;
}

// AddFlowWhitelist — add IP/IOC to flow sensor whitelist
message AddFlowWhitelistRequest {
google.protobuf.StringValue alarm_sips = 1;
google.protobuf.StringValue attack_sips = 2;
google.protobuf.StringValue ioc = 3;
google.protobuf.StringValue threat_name = 4;
google.protobuf.StringValue type_chain = 5;
google.protobuf.Int64Value end_time = 6;
google.protobuf.Int64Value start_time = 7;
}

message AddFlowWhitelistResponse {
google.protobuf.StringValue id = 1;
}

// GetCompromisedHostStatus — check if a host is compromised
message GetCompromisedHostStatusRequest {
int64 start_time = 1;
int64 end_time = 2;
string asset_ip = 3;
}

message GetCompromisedHostStatusResponse {
int32 alarm_count = 1;
int32 risk_value = 2;
int32 ioc_count = 3;
google.protobuf.Value detail = 4;
}
10 changes: 10 additions & 0 deletions services/qianxin__tianyan-platform/secret.schema.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"type": "object",
"required": ["login_key"],
"properties": {
"login_key": {"type": "string", "description": "Passwordless login key from TianYan: 系统管理 → 帐号管理 → 本地帐号管理 → 免密LOGIN密钥."},
"username": {"type": "string", "default": "tapadmin", "description": "Login username. Defaults to tapadmin."}
},
"additionalProperties": false
}
57 changes: 57 additions & 0 deletions services/qianxin__tianyan-platform/service.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,57 @@
{
"schema": "chaitin.octobus.service.v1",
"name": "qianxin-tianyan-platform",
"displayName": "QIANXIN TianYan Platform",
"description": "OctoBus package for QIANXIN TianYan threat detection platform: alarm query/update, log search, asset management, vulnerability list, threat hunting, and IP whitelist management.",
"runtime": {
"mode": "long-running"
},
"proto": {
"roots": ["proto"],
"files": ["proto/qianxin_tianyan_platform.proto"]
},
"configSchema": "config.schema.json",
"secretSchema": "secret.schema.json",
"sdk": {
"cli": {
"commands": {
"QIANXIN_TianYan_Platform.QIANXIN_TianYan_Platform/ListAlarms": {
"name": "list-alarms",
"description": "Query threat alarms with optional filters for level, time range, attacker/victim IP (gzip+base64 encoded), IOC, and disposition status."
},
"QIANXIN_TianYan_Platform.QIANXIN_TianYan_Platform/UpdateAlarmStatus": {
"name": "update-alarm-status",
"description": "Update the disposition status of one or more alarms: 0=unhandled, 1=handled, 6=ignored, 7=false-positive."
},
"QIANXIN_TianYan_Platform.QIANXIN_TianYan_Platform/SearchLogs": {
"name": "search-logs",
"description": "Search raw security logs by keyword or SPL filter with time range, log index, and category."
},
"QIANXIN_TianYan_Platform.QIANXIN_TianYan_Platform/SPLSearch": {
"name": "spl-search",
"description": "Expert SPL query mode with structured field extraction and result rows."
},
"QIANXIN_TianYan_Platform.QIANXIN_TianYan_Platform/ListAssets": {
"name": "list-assets",
"description": "Query asset inventory with optional filters for IP, name, group, port, and type."
},
"QIANXIN_TianYan_Platform.QIANXIN_TianYan_Platform/ListVulnerabilities": {
"name": "list-vulnerabilities",
"description": "List asset vulnerabilities with optional filters for IP, name, and severity level."
},
"QIANXIN_TianYan_Platform.QIANXIN_TianYan_Platform/ThreatHuntSearch": {
"name": "threat-hunt-search",
"description": "Build a threat relationship graph for an IOC keyword (IP, domain, URL, MD5, or email)."
},
"QIANXIN_TianYan_Platform.QIANXIN_TianYan_Platform/AddFlowWhitelist": {
"name": "add-flow-whitelist",
"description": "Add an IP, IOC, or threat type to the flow sensor whitelist to suppress future alerts."
},
"QIANXIN_TianYan_Platform.QIANXIN_TianYan_Platform/GetCompromisedHostStatus": {
"name": "get-compromised-host-status",
"description": "Check whether a host is compromised and return its alarm count, risk score, and IOC count."
}
}
}
}
}
Loading
Loading