diff --git a/agent_based/checkpoint_threat_emulation.py b/agent_based/checkpoint_threat_emulation.py
new file mode 100644
index 0000000000000000000000000000000000000000..b48b94e3d425a5fa70fa978610fc2e08d0866f6f
--- /dev/null
+++ b/agent_based/checkpoint_threat_emulation.py
@@ -0,0 +1,287 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+#
+# License: GNU General Public License v2
+#
+# Author: thl-cmk[at]outlook[dot]com
+# URL   : https://thl-cmk.hopto.org
+# Date  : 2018-03-14
+#
+# Monitor status of Check Point Threat Emulation
+#
+# 2018-05-02: fixed: monthly_quota_on_cloud_used = ''
+# 2018-05-30: removed 'unknown' OIDs
+#             removed counters for last day, last week, last month
+#             code cleanup
+# 2020-06-08: changed snmp-scan function
+# 2021-08-27: rewritten for CMK 2.0
+#
+# snmpwalk sample
+#
+# sample info
+#
+# [
+#  [
+#   [u'0%', u'0', u'up-to-date', u'Gateway is up to date.', u'1548979200', u'100000', u'100000', u'valid', u'ok',
+#    u'Quota subscription is valid', u'990002053', u'0', u'ok', u'']
+#   ],
+#  [
+#   [u'0', u'0', u'0', u'0', u'0', u'0', u'0', u'0']
+#  ]
+# ]
+#
+# threat emulation not active
+# [[], []]
+#
+
+import time
+from dataclasses import dataclass
+from typing import List, Optional, Tuple
+
+from cmk.base.plugins.agent_based.agent_based_api.v1 import (
+    register,
+    Service,
+    Result,
+    check_levels,
+    State,
+    SNMPTree,
+    all_of,
+    startswith,
+    any_of,
+    equals,
+    Metric,
+)
+from cmk.base.plugins.agent_based.agent_based_api.v1.type_defs import (
+    DiscoveryResult,
+    CheckResult,
+    StringTable,
+)
+
+
+@dataclass
+class CheckpointTeStatus:
+    current_files_waiting_for_emulation: int
+    teUpdateStatus: str
+    teUpdateDesc: str
+    teSubscriptionExpDate: int
+    teSubscriptionExpDateStr: str
+    quota_on_cloud: int
+    remaining_quota_on_cloud: int
+    teSubscriptionStatus: str
+    teCloudSubscriptionStatus: str
+    teSubscriptionDesc: str
+    build: str
+    teStatusCode: int
+    teStatusShortDesc: str
+    teStatusLongDesc: str
+    metric_count: List[Tuple[str, int]]
+    monthly_quota_on_cloud_used: Optional[int] = None
+
+
+def parse_checkpoint_threat_emulation(string_table: List[StringTable]) -> Optional[CheckpointTeStatus]:
+    testatus, tecounter = string_table
+    try:
+        monthly_quota_on_cloud_used, current_files_waiting_for_emulation, teUpdateStatus, teUpdateDesc, \
+        teSubscriptionExpDate, quota_on_cloud, remaining_quota_on_cloud, teSubscriptionStatus, \
+        teCloudSubscriptionStatus, teSubscriptionDesc, build, teStatusCode, teStatusShortDesc, \
+        teStatusLongDesc = testatus[0]
+    except(IndexError, ValueError):
+        return
+
+    scanned_files, malicious_files_detected, files_scanned_by_threat_cloud, malicious_files_detected_by_threat_cloud, \
+    average_process_time, average_emulated_file_size, average_queue_size, peak_queue_size, = tecounter[0]
+
+    metric_count = [
+        ('scanned_files', int(scanned_files)),
+        ('malicious_files_detected', int(malicious_files_detected)),
+        ('files_scanned_by_threat_cloud', int(files_scanned_by_threat_cloud)),
+        ('malicious_files_detected_by_threat_cloud', int(malicious_files_detected_by_threat_cloud)),
+        ('average_process_time', int(average_process_time)),
+        ('average_emulated_file_size', int(average_emulated_file_size)),
+        ('average_queue_size', int(average_queue_size)),
+        ('peak_queue_size', int(peak_queue_size)),
+    ]
+
+    monthly_quota_on_cloud_used = monthly_quota_on_cloud_used.replace('%', '')
+
+    if teStatusCode != '3':  # possible TE not activated
+        return CheckpointTeStatus(
+            monthly_quota_on_cloud_used=int(monthly_quota_on_cloud_used) if monthly_quota_on_cloud_used.isdigit() else None,
+            current_files_waiting_for_emulation=int(current_files_waiting_for_emulation),
+            teUpdateStatus=teUpdateStatus,
+            teUpdateDesc=teUpdateDesc,
+            teSubscriptionExpDate=int(teSubscriptionExpDate),
+            teSubscriptionExpDateStr=time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(teSubscriptionExpDate)),
+            quota_on_cloud=int(quota_on_cloud),
+            remaining_quota_on_cloud=int(remaining_quota_on_cloud),
+            teSubscriptionStatus=teSubscriptionStatus,
+            teCloudSubscriptionStatus=teCloudSubscriptionStatus,
+            teSubscriptionDesc=teSubscriptionDesc.replace('\n', ' '),
+            build=build,
+            teStatusCode=int(teStatusCode),
+            teStatusShortDesc=teStatusShortDesc,
+            teStatusLongDesc=teStatusLongDesc,
+            metric_count=metric_count
+        )
+
+
+def discovery_checkpoint_threat_emulation(section: CheckpointTeStatus) -> DiscoveryResult:
+    yield Service()
+
+
+def check_checkpoint_threat_emulation(params, section: CheckpointTeStatus) -> CheckResult:
+    yield Result(state=State.OK, summary=f'Subscription valid until: {section.teSubscriptionExpDateStr}')
+    yield Result(state=State.OK, summary=f'Build: {section.build}')
+
+    if section.teUpdateStatus != 'up-to-date':
+        yield Result(state=State.WARN, notice=f'Update status {section.teUpdateStatus}, {section.teUpdateDesc}')
+    if not section.teStatusCode == 0:
+        yield Result(state=State.WARN, notice=f'Status {section.teStatusShortDesc}, {section.teStatusLongDesc}')
+    if section.teSubscriptionStatus != 'valid':
+        yield Result(state=State.WARN, notice=f'Subscription status: {section.teCloudSubscriptionStatus}, {section.teSubscriptionDesc}')
+    if section.teCloudSubscriptionStatus != 'ok':
+        yield Result(state=State.WARN, notice=f'Cloud subscription status {section.teCloudSubscriptionStatus}')
+
+    for levels, metric, label, value in [
+        (params.get('used_monthly_quota_levels'), 'monthly_quota_on_cloud_used', 'Used quota on cloud', section.monthly_quota_on_cloud_used),
+        (params.get('remaining_quota_levels'), 'remaining_quota_on_cloud', 'Remaining quota on cloud', section.remaining_quota_on_cloud),  # max: quota_on_cloud
+        (params.get('files_waiting_levels'), 'current_files_waiting_for_emulation', 'Current files waiting for emulation', section.current_files_waiting_for_emulation),  # max: quota_on_cloud
+    ]:
+        if value:
+            yield from check_levels(
+                value=value,
+                label=label,
+                levels_upper=levels,
+                metric_name=metric,
+                render_func=lambda v: f'{v:.0f}'
+            )
+
+    for metric, value in section.metric_count:
+        yield Metric(
+            value=value,
+            name=f'checkpoint_threat_emulation_{metric}_current'
+        )
+
+
+register.snmp_section(
+    name='checkpoint_threat_emulation',
+    parse_function=parse_checkpoint_threat_emulation,
+    fetch=[
+        SNMPTree(
+            base='.1.3.6.1.4.1.2620.1.49',  # CHECKPOINT-MIB::te (status)
+            oids=[
+                '3',  # monthly_quota_on_cloud_used
+                '12',  # current_files_waiting_for_emulation
+                '16',  # teUpdateStatus
+                '17',  # teUpdateDesc
+                '20',  # teSubscriptionExpDate
+                '22',  # quota_on_cloud
+                '23',  # remaining_quota_on_cloud
+                '25',  # teSubscriptionStatus
+                '26',  # teCloudSubscriptionStatus
+                '27',  # teSubscriptionDesc
+                '30',  # build
+                '101',  # teStatusCode
+                '102',  # teStatusShortDesc
+                '103',  # teStatusLongDesc
+            ]
+        ),
+        SNMPTree(
+            base='.1.3.6.1.4.1.2620.1.49',  # CHECKPOINT-MIB::te (counter)
+            oids=[
+                '4.1',  # scanned_files current
+                '5.1',  # malicious_files_detected current
+                '6.1',  # files_scanned_by_threat_cloud current
+                '7.1',  # malicious_files_detected_by_threat_cloud current
+                '8.1',  # average_process_time current
+                '9.1',  # average_emulated_file_size current
+                '10.1',  # average_queue_size current
+                '11.1',  # peak_queue_size current
+            ]
+        ),
+
+    ],
+    detect=any_of(
+        startswith('.1.3.6.1.2.1.1.2.0', '.1.3.6.1.4.1.2620'),
+        all_of(
+            equals('.1.3.6.1.2.1.1.2.0', '.1.3.6.1.4.1.8072.3.2.10'),
+            equals('.1.3.6.1.4.1.2620.1.6.1.0', 'SVN Foundation'),
+        )
+    )
+)
+
+register.check_plugin(
+    name='checkpoint_threat_emulation',
+    service_name='Threat Emulation status',
+    discovery_function=discovery_checkpoint_threat_emulation,
+    check_function=check_checkpoint_threat_emulation,
+    check_ruleset_name='checkpoint_threat_emulation',
+    check_default_parameters={
+        'used_monthly_quota_levels': [90, 95],
+        'remaining_quota_levels': [10000, 5000],
+        'files_waiting_levels': [5, 10],
+    }
+)
+
+
+# Name Last Day Last Week Last Month
+# Scanned Files 0 0 0
+# Malicious Files Detected 0 0 0
+# Average Process Time 0 Sec 0 Sec 0 Sec
+# Average Emulated File Size 0 B 0 B 0 B
+# Average Queue Size 0 0 0
+# Peak Queue Size 0 0 0
+#
+# Scanned Files in the Last 7 Days: 0
+# Malicious Files Detected in the Last 7 Days: 0
+# Remaining Quota on Cloud: "Wait"
+# Monthly Quota on Cloud Used: NaN%
+
+# ('.1.3.6.1.4.1.2620.1.49.2.1', [
+#   '1',  #
+#   '2',  #
+#   '3',  #
+#   '4',  #
+#   '5',  #
+#   '6',  #
+#   '7',  #
+#   '8',  #
+#   '9',  #
+#   '10',  #
+#   '11',  #
+#   ]),
+
+# if item == 'anaylsis':
+#
+#     #
+#     # sample te_analysis
+#     #
+#     # [[u'1', u'Image', u'1afbde2e-d593-45a8-a686-6cbd42f37823', u'', u'0', u'0', u'0', u'0', u'0', u'0', u'0'],
+#     #  [u'2', u'Image', u'1b0c5014-714d-47f3-9b10-0b7ee386e745', u'', u'0', u'0', u'0', u'0', u'0', u'0', u'0'],
+#     #  [u'3', u'Image', u'5e5de275-a103-4f67-b55b-47532918fa59', u'Win7,Office 2013,Adobe 11', u'0', u'0', u'0', u'0', u'0', u'0', u'0'],
+#     #  [u'4', u'Image', u'e50e99f3-5963-4573-af9e-e3f4750b55e2', u'WinXP,Office 2003/7,Adobe 9', u'0', u'0', u'0', u'0', u'0', u'0', u'0'],
+#     #  [u'5', u'Detection Rules', u'5e5de275-a103-4f67-b55b-47532918fa59', u'Win7,Office 2013,Adobe 11', u'56431', u'46960', u'Thu Mar 15 08:39:31 2018', u'0', u'0', u'0', u'0'],
+#     #  [u'6', u'Detection Rules', u'e50e99f3-5963-4573-af9e-e3f4750b55e2', u'WinXP,Office 2003/7,Adobe 9', u'56431', u'52602', u'Thu Mar 15 08:39:26 2018', u'0', u'0', u'0', u'0'],
+#     #  [u'7', u'Static Analysis Rules', u'496149D5-0689-472B-8F50-21DD409F0EC6', u'Static Analysis Detection Rules', u'53030', u'25049', u'Thu Mar 15 08:39:24 2018', u'0', u'0', u'0', u'0']]
+#     #
+#     #  eher fuer inventory (?)
+#     #
+#
+#     te_analysis_1, te_analysis_2, te_analysis_3, te_analysis_4, te_analysis_5, te_analysis_6, te_analysis_7, \
+#     te_analysis_8, te_analysis_9, te_analysis_10, te_analysis_11 = te_analysis[0]
+#
+#     infotext = ''
+#
+#     longoutput += '\nte_analysis_1 : %s (Status)' % te_analysis_1
+#     longoutput += '\nte_analysis_2 : %s (Cloud or Local: Image --> local, Static Analysis Rules --> Cloud (??))' % te_analysis_2
+#     longoutput += '\nte_analysis_3 : %s (UID)' % te_analysis_3
+#     longoutput += '\nte_analysis_4 : %s (Name)' % te_analysis_4
+#     longoutput += '\nte_analysis_5 : %s (Revision)' % te_analysis_5
+#     longoutput += '\nte_analysis_6 : %s (Size in Bytes)' % te_analysis_6
+#     longoutput += '\nte_analysis_7 : %s (Download Time)' % te_analysis_7
+#     longoutput += '\nte_analysis_8 : %s' % te_analysis_8
+#     longoutput += '\nte_analysis_9 : %s' % te_analysis_9
+#     longoutput += '\nte_analysis_10: %s' % te_analysis_10
+#     longoutput += '\nte_analysis_11: %s' % te_analysis_11
+#
+#     state = 0
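Review bot: In `parse_checkpoint_threat_emulation`, `time.localtime(teSubscriptionExpDate)` receives the raw SNMP string (the line above converts the same value with `int()`), so it raises `TypeError` outside the `try` and the section fails to parse whenever a status row with a code other than 3 is returned; it should read `time.localtime(int(teSubscriptionExpDate))`. In `check_checkpoint_threat_emulation` the remaining-quota defaults `[10000, 5000]` are passed as `levels_upper`, so a healthy quota such as the 100000 in the sample goes CRIT while a nearly exhausted one stays OK. The `if value:` guard also skips the check altogether once the quota reaches 0. The loop below passes the remaining quota as `levels_lower` and tests `value is not None`, which also means zero readings for the other two values are now reported as OK with a metric.

```python
    for upper, lower, metric, label, value in [
        (params.get('used_monthly_quota_levels'), None, 'monthly_quota_on_cloud_used',
         'Used quota on cloud', section.monthly_quota_on_cloud_used),
        (None, params.get('remaining_quota_levels'), 'remaining_quota_on_cloud',
         'Remaining quota on cloud', section.remaining_quota_on_cloud),
        (params.get('files_waiting_levels'), None, 'current_files_waiting_for_emulation',
         'Current files waiting for emulation', section.current_files_waiting_for_emulation),
    ]:
        if value is not None:  # 0 is a valid reading, e.g. an exhausted quota
            yield from check_levels(
                value=value,
                label=label,
                levels_upper=upper,
                levels_lower=lower,
                metric_name=metric,
                render_func=lambda v: f'{v:.0f}'
            )
    # … unchanged: Metric loop over section.metric_count …
```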
diff --git a/checkpoint_threat_emulation.mkp b/checkpoint_threat_emulation.mkp
index 8e12e71296e5c9a9e9fe85e46fb4ad31b6ee3062..c8426d7c431b694d19acba8674367f1bb704f8bc 100644
Binary files a/checkpoint_threat_emulation.mkp and b/checkpoint_threat_emulation.mkp differ
diff --git a/packages/checkpoint_threat_emulation b/packages/checkpoint_threat_emulation
index ffce644eb8650096d449566b7e4a9bd59a71d7ae..2d9384be77160c7ebcf61502f0c729f509eb233a 100644
--- a/packages/checkpoint_threat_emulation
+++ b/packages/checkpoint_threat_emulation
@@ -9,7 +9,7 @@
                 'warn on:  status, update status, subscription and cloud '
                 'subscription\n',
  'download_url': 'https://thl-cmk.hopto.org',
- 'files': {'agent_based': ['utils/checkpoint_threat_emulation.py'],
+ 'files': {'agent_based': ['checkpoint_threat_emulation.py'],
            'web': ['plugins/metrics/checkpoint_threat_emulation.py',
                    'plugins/wato/checkpoint_threat_emulation.py']},
  'name': 'checkpoint_threat_emulation',