# Calling Kestrel via OpenC2
OpenC2 is OASIS's standard, vendor-agnostic command-and-control language for cyber defense. OpenC2 commands are instructions to execute on a system, and are composed of two main components: an `action` and a `target`. The Kestrel Actuator profile supports the `investigate` action. Targets are cyber observables, such as files, devices, IP addresses and processes. An OpenC2 implementation has two main components: a `producer` of a command, and a `consumer`, which executes the command and returns a `response`. The transport and serialization are implementation details; in our example, we use HTTP and JSON.

Let's get started! First, you'll need to run the consumer:

`$ python consumer.py`

Do that in a separate terminal, and return here.

In [None]:
import sys
import uuid
import json
import time

import requests
import pandas as pd
import openc2

In [None]:
host = 'localhost'
port = '5000'

In [None]:
def get_uuid():
    return str(uuid.uuid4())

def get_headers(request_id):
    # OpenC2 message headers: the request id correlates the response with this command
    headers = {
        "request_id": request_id,
        "created": time.time()
    }
    return headers

### Query Command
Every OpenC2 consumer must support the `query` command, which reports what profiles, actions, and targets it supports.

In [None]:
def _get_query():
    cmd = {
        "action": "query",
        "target": {"features": ["versions", "profiles", "rate_limit", "pairs"]},
        "args": {},
        "actuator": {
            "x-kestrel": {}
        }
    }
    return cmd

In [None]:
def run_command(cmd):
    # cmd is either a dict or a JSON string (e.g. from openc2 Command.serialize());
    # the envelope must carry the command as an object, so parse a string first
    if isinstance(cmd, str):
        cmd = json.loads(cmd)
    request_id = get_uuid()
    headers = {
        "Content-type": "application/openc2+json;version=1.0",
        "Accept": "application/openc2+json;version=1.0",
        "X-Request-ID": request_id
    }
    body = {
        "headers": get_headers(request_id),
        "body": {"openc2": {"request": cmd}}
    }
    res = requests.post(f'http://{host}:{port}/v1/openc2', json=body, headers=headers)
    print('response from server:', res.status_code)
    return res.json()['body']['openc2']

In [None]:
profile = run_command(_get_query())
print(profile)
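To show what the consumer end of this exchange has to check before it ever runs a huntbook, here is an added stand-alone handler for the envelope that `run_command` posts. It is not the page's `consumer.py` and not part of the Kestrel project; the supported features, the `x-kestrel` actuator check and the echoed `investigate` result are constructed for illustration, and unsupported requests get an OpenC2 status code rather than an exception.

```python
import json

# Constructed profile for this stub; the real consumer answers from its own
# huntbook catalogue, so these values are illustrative only.
SUPPORTED = {
    "versions": ["1.0"],
    "profiles": ["x-kestrel"],
    "rate_limit": 10,
    "pairs": {"investigate": ["process", "ipv4_net"]},
}

def validate_envelope(message):
    """Check the headers/body wrapper that run_command() posts; returns (cmd, error)."""
    if isinstance(message, str):            # a serialized command arrives as text
        try:
            message = json.loads(message)
        except ValueError:
            return None, "body is not valid JSON"
    if not isinstance(message, dict) or "request_id" not in message.get("headers", {}):
        return None, "missing headers.request_id"
    try:
        cmd = message["body"]["openc2"]["request"]
    except (KeyError, TypeError):
        return None, "missing body.openc2.request"
    if not isinstance(cmd, dict) or "action" not in cmd or not isinstance(cmd.get("target"), dict):
        return None, "command needs an action and a target"
    if len(cmd["target"]) != 1:
        return None, "exactly one target type is allowed"
    return cmd, None

def handle_request(message):
    """Dispatch one message; anything unsupported gets an OpenC2 status code, not a traceback."""
    cmd, err = validate_envelope(message)
    if err:
        return {"status": 400, "status_text": err}
    actuator = cmd.get("actuator") or {}
    if actuator and "x-kestrel" not in actuator:
        return {"status": 404, "status_text": "no matching actuator"}
    if cmd["action"] == "query":
        wanted = cmd["target"].get("features", [])
        # unknown feature names are silently dropped; only known ones are reported
        return {"status": 200, "results": {f: SUPPORTED[f] for f in wanted if f in SUPPORTED}}
    if cmd["action"] != "investigate":
        return {"status": 501, "status_text": f"{cmd['action']} not implemented"}
    target_type = next(iter(cmd["target"]))
    if target_type not in SUPPORTED["pairs"]["investigate"]:
        return {"status": 400, "status_text": f"investigate does not accept {target_type}"}
    # the real consumer would run the named huntbook here; this stub only echoes the plan
    huntbook = actuator.get("x-kestrel", {}).get("huntbook")
    return {"status": 200, "results": {"huntbook": huntbook, "target": cmd["target"]}}
```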

In [None]:
cmd = {
        "action": "investigate",
        "target": {
            "process": {
                "name": "node"
                }
        },
        "args": {
            "huntargs": {},
            "returnvars": ["exploits"],
            "response_requested": "complete"
            },
        "actuator": {
            "x-kestrel": {
                "huntbook": "exploits"
            }
        }
    }
response = run_command(cmd)
pd.DataFrame(response['results']['exploits'])

In [None]:
cmd = {
        "action": "investigate",
        "target": {
            "process": {
                "name": "WinMail.exe"
                }
        },
        "args": {
            "huntargs": {"source" : "bh22-windows-192.168.56.111"},
            "returnvars": ["exploits"],
            "response_requested": "complete"
            },
        "actuator": {
            "x-kestrel": {
                "huntbook": "exploits"
            }
        }
    }
response = run_command(cmd)
pd.DataFrame(response['results']['exploits'])

In [None]:
# `_` is the notebook's reference to the previous cell's output (the DataFrame above)
_[['name', 'parent_ref.name']]

In [None]:
from openc2.v10 import IPv4Address
from oc2.custom import KestrelArgs, KestrelActuator

In [None]:
huntbook = 'check_c2'
hb = profile['results']['x-kestrel'][huntbook]
hb

In [None]:
huntargs = {}
returnvars = hb['retvars']
target = IPv4Address(ipv4_net='192.168.56.150')

cmd = openc2.v10.Command(
    action="investigate",
    target=target,
    args=KestrelArgs(huntargs=huntargs, returnvars=returnvars, response_requested="complete"),
    actuator=KestrelActuator(huntbook=huntbook)
)

In [None]:
cmd.serialize()

In [None]:
response = run_command(cmd.serialize())
pd.DataFrame(response['results']['proc'])

In [None]:
pd.DataFrame(response['results']['traffic'])