def getoffenses(self):
"""Gets all offenses.
:return dict; all offenses or None if failed
"""
try:
iter = 0
response = checkanswer(
requests.request('GET',
self.server + "/api/siem/offenses",
headers=self.headers,
verify=self.verifySSL), 200, True)
while not response['API_status'] and iter < 10:
response = checkanswer(
requests.request('GET',
self.server + "/api/siem/offenses",
headers=self.headers,
verify=self.verifySSL), 200, True)
iter += 1
if response['API_status']:
return response['response']
else:
print("API call to get rules did not return expected value")
return None
except Exception as err:
print("API call to get rules did result in error: " + str(err))
return None
def getrule(self, rule_id):
""" Get information about specified rule
:param rule_id str; ID of the rule requested
:return dict; information about rule or None if failed
"""
try:
iter = 0
response = checkanswer(
requests.request('GET',
self.server + "/api/analytics/rules/" +
str(rule_id),
headers=self.headers,
verify=self.verifySSL), 200, True)
while not response['API_status'] and iter < 10:
response = checkanswer(
requests.request('GET',
self.server + "/api/analytics/rules/" +
str(rule_id),
headers=self.headers,
verify=self.verifySSL), 200, True)
iter += 1
if response['API_status']:
return response['response']
else:
print("API call to get rules did not return expected value")
return None
except Exception as err:
print("API call to get rules did result in error: " + str(err))
return None
def deletealert(self, ID):
""" Deletes alert by id
:param ID: int; id of alert to delete
:return Bool; indicates if operation succeded;
"""
self.validate_session()
try:
iter = 0
response = checkanswer(
requests.delete(self.server +
'/plugin/products/detect3/api/v1/alerts/' +
str(ID),
headers=self.session_key,
verify=self.verifySSL), 204, False)
while not response['API_status'] and iter < 10:
response = checkanswer(
requests.delete(self.server +
'/plugin/products/detect3/api/v1/alerts/' +
str(ID),
headers=self.session_key,
verify=self.verifySSL), 204, False)
iter += 1
if response['API_status']:
return True
else:
logger.error(
"API call to delete alert did not return expected value")
return False
except Exception as err:
logger.error("API call to delete alert did result in error: " +
str(err))
return False
def getsignals(self):
""" Get all signals.
:return dict; all signals or None if failed
"""
self.validate_session()
try:
iter = 0
response = checkanswer(
requests.request(
"POST",
self.server +
'/plugin/products/detect3/api/v1/intels/export/signals',
headers=self.session_key,
data="",
verify=self.verifySSL), 200, True)
while not response['API_status'] and iter < 10:
response = checkanswer(
requests.request(
"POST",
self.server +
'/plugin/products/detect3/api/v1/intels/export/signals',
headers=self.session_key,
data="",
verify=self.verifySSL), 200, True)
iter += 1
if response['API_status']:
return response['response']
else:
print("API call to get signals did not return expected value")
return None
except Exception as err:
print("API call to get signals did result in error: " + str(err))
return None
def getincidents(self, starttime):
"""
"""
starter = starttime - timedelta(days=1)
unix_time = time.mktime(starter.timetuple())
payload = {
"request_data": {
"filters": [{
"field": "modification_time",
"operator": "gte",
"value": int(unix_time) * 1000
}],
"search_from":
0,
"search_to":
100,
"sort": {
"field": "modification_time",
"keyword": "desc"
}
}
}
request = json.dumps(payload)
try:
iter = 0
response = checkanswer(
requests.request('POST',
self.server +
'/public_api/v1/incidents/get_incidents/',
headers=self.headers,
data=request,
verify=self.verifySSL), 200, True)
while not response['API_status'] and iter < 10:
response = checkanswer(
requests.request('POST',
self.server +
'/public_api/v1/incidents/get_incidents/',
headers=self.headers,
data=request,
verify=self.verifySSL), 200, True)
iter += 1
if response['API_status']:
return response['response']
else:
print(
"API call to get incidents did not return expected value")
return None
except Exception as err:
print("API call to get incidents did result in error: " + str(err))
return None
def getalerts_time(self, starttime, endtime):
"""
"""
unix_start = time.mktime(starttime.timetuple())
unix_end = time.mktime(endtime.timetuple())
payload = {
"request_data": {
"filters": [{
"field": "creation_time",
"operator": "gte",
"value": int(unix_start) * 1000
}, {
"field": "creation_time",
"operator": "lte",
"value": int(unix_end) * 1000
}]
}
}
request = json.dumps(payload)
try:
iter = 0
response = checkanswer(
requests.request('POST',
self.server +
'/public_api/v1/alerts/get_alerts/',
headers=self.headers,
data=request,
verify=self.verifySSL), 200, True)
while not response['API_status'] and iter < 10:
response = checkanswer(
requests.request('POST',
self.server +
'/public_api/v1/alerts/get_alerts/',
headers=self.headers,
data=request,
verify=self.verifySSL), 200, True)
iter += 1
if response['API_status']:
return response['response']
else:
print("API call to get alerts did not return expected value")
return None
except Exception as err:
print("API call to get alerts did result in error: " + str(err))
return None
def authenticate(self):
""" Logs on Tanium Server
:format of API call reponse: {u'data': {u'session': u'some_string'}}
:return None or error message
"""
json_string = json.dumps({
'username': self.username,
'password': self.password
})
try:
iter = 0
response = checkanswer(
requests.request(
"POST",
'https://tanium.sec-lab.local/api/v2/session/login',
data=json_string,
verify=self.verifySSL), 200, True)
while not response['API_status'] and iter < 10:
response = checkanswer(
requests.request(
"POST",
'https://tanium.sec-lab.local/api/v2/session/login',
data=json_string,
verify=self.verifySSL), 200, True)
iter += 1
if response['API_status']:
self.session_key = {
'session': response['response']['data']['session']
}
self.session_validated = datetime.now()
return ''
else:
print(
"API call to authenticate tanium did not return expected value"
)
return 'API_call did not return expected value'
except Exception as err:
print("API call to authenticate tanium did result in error: " +
str(err))
return 'API call to authenticate tanium did result in error: ' + str(
err)
def getalerts(self, computer_name='', offset=0):
""" Get up to 500 alerts starting from offset for given host
:param computer_name(optional): str; host which caused alerts. If none given, all are returned
:param offset(optional): int; offset of alerts
:return dict; alerts or None if failed
"""
self.validate_session()
if offset == 0 and computer_name == '':
querystring = {"limit": "500"}
else:
querystring = {
"limit": "500",
"offset": offset,
"computerName": computer_name
}
try:
iter = 0
response = checkanswer(
requests.get(self.server +
'/plugin/products/detect3/api/v1/alerts',
headers=self.session_key,
params=querystring,
verify=self.verifySSL), 200, True)
while not response['API_status'] and iter < 10:
response = checkanswer(
requests.get(self.server +
'/plugin/products/detect3/api/v1/alerts',
headers=self.session_key,
params=querystring,
verify=self.verifySSL), 200, True)
iter += 1
if response['API_status']:
return response['response']
else:
logger.error(
"API call to get alerts did not return expected value")
return None
except Exception as err:
logger.error("API call to get alerts did result in error: " +
str(err))
return None
def getincidentextra(self, incident_id):
"""
"""
payload = {"request_data": {"incident_id": str(incident_id)}}
request = json.dumps(payload)
try:
iter = 0
response = checkanswer(
requests.request(
'POST',
self.server +
'/public_api/v1/incidents/get_incident_extra_data/',
headers=self.headers,
data=request,
verify=self.verifySSL), 200, True)
while not response['API_status'] and iter < 10:
response = checkanswer(
requests.request(
'POST',
self.server +
'/public_api/v1/incidents/get_incident_extra_data/',
headers=self.headers,
data=request,
verify=self.verifySSL), 200, True)
iter += 1
if response['API_status']:
return response['response']
else:
print(
"API call to get incident details did not return expected value"
)
return None
except Exception as err:
print("API call to get incident details did result in error: " +
str(err))
return None
def snapshot(self, computername="WS-Win10-001.sec-lab.local"):
""" Makes a snapshot of the specified system
:param computername: string, name of computer system of interest
:return string, name of snapshot or error message
"""
self.validate_session()
parameter = {
"remote": True,
"dst": computername,
"dstType": "computer_name",
"connTimeout": 0
}
try:
iter = 0
response = checkanswer(
requests.post(self.server + '/plugin/products/trace/conns',
headers=self.session_key,
json=parameter,
verify=self.verifySSL), 202, False)
while not response['API_status'] and iter < 10:
response = checkanswer(
requests.post(self.server + '/plugin/products/trace/conns',
headers=self.session_key,
json=parameter,
verify=self.verifySSL), 202, False)
iter += 1
if not response['API_status']:
logger.error(
"API call to start connection did not return expected value"
)
return 'API_call did not return expected value'
except Exception as err:
logger.error("API call to start connection did result in error: " +
str(err))
return 'API_call did result in error: ' + str(err)
try:
iter = 0
response = checkanswer(
requests.post(self.server + '/plugin/products/trace/conns/' +
computername + '/snapshots',
headers=self.session_key,
verify=self.verifySSL), 202, False)
while not response['API_status'] and iter < 25:
time.sleep(2)
response = checkanswer(
requests.post(self.server +
'/plugin/products/trace/conns/' +
computername + '/snapshots',
headers=self.session_key,
verify=self.verifySSL), 202, False)
iter += 1
if not response['API_status']:
logger.error(
"API call to take snapshot did not return expected value")
return 'API_call did not return expected value'
except Exception as err:
logger.error("API call to take snapshot did result in error: " +
str(err))
return 'API_call did result in error: ' + str(err)
try:
iter = 0
response = checkanswer(
requests.get(self.server + '/plugin/products/trace/snapshots',
headers=self.session_key,
verify=self.verifySSL), 200, True)
while not response['API_status'] and iter < 10:
time.sleep(2)
response = checkanswer(
requests.get(self.server +
'/plugin/products/trace/snapshots',
headers=self.session_key,
verify=self.verifySSL), 200, True)
iter += 1
if response['API_status']:
return computername + '-' + response['response'][
computername].keys()[0]
else:
logger.error(
"API call to get snapshotname did not return expected value"
)
return 'API_call did not return expected value'
except Exception as err:
logger.error("API call to get snapshotname did result in error: " +
str(err))
return 'API_call did result in error: ' + str(err)
def gettraces(self, starttime, endtime):
""" Get executed process trees within specified time interval from all machines with parent containing 'python'
:param starttime: datetime; start of interval of interest (in UTC tanium time)
:param endtime: datetime; end of interval of interest (in UTC tanium time)
:return dict; trace information or None if failed
"""
self.validate_session()
starter = starttime - timedelta(minutes=1)
unixstart = time.mktime(starter.timetuple())
unixend = time.mktime(endtime.timetuple())
question = {
"query_text":
"Get Trace Executed Process Trees[python,0,0,0,As Parent,10000," +
str(unixstart)[:-2] + "000|" + str(unixend)[:-2] +
"000] from all machines"
}
try:
iter = 0
response = checkanswer(
requests.post(self.server + '/api/v2/questions',
headers=self.session_key,
json=question,
verify=self.verifySSL), 200, True)
while not response['API_status'] and iter < 10:
checkanswer(
requests.post(self.server + '/api/v2/questions',
headers=self.session_key,
json=question,
verify=self.verifySSL), 200, True)
iter += 1
if not response['API_status']:
logger.error(
"API call to ask trace question did not return expected value"
)
return None
except Exception as err:
logger.error(
"API call to ask trace question did result in error: " +
str(err))
return None
question_id = response['response']['data']['id']
try:
iter = 0
response = checkanswer(
requests.get(self.server + '/api/v2/result_data/question/' +
str(question_id),
headers=self.session_key,
verify=self.verifySSL), 200, True)
while (not response['API_status'] or response['response']['data']
['result_sets'][0]['estimated_total'] !=
response['response']['data']['result_sets'][0]['mr_passed']
) and iter < 25:
time.sleep(2)
self.validate_session()
response = checkanswer(
requests.get(self.server +
'/api/v2/result_data/question/' +
str(question_id),
headers=self.session_key,
verify=self.verifySSL), 200, True)
iter += 1
if response['API_status']:
return response['response']
else:
logger.error(
"API call to get trace answer did not return expected value"
)
return None
except Exception as err:
logger.error("API call to get trace answer did result in error: " +
str(err))
return None