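def test_watchlist_save(cbcsdk_mock):
    """Testing Watchlist.save().

    Two scenarios are covered:

    1. Happy path: a Watchlist built from ``CREATE_WATCHLIST_DATA`` passes
       ``validate()`` and ``save()`` POSTs it to the v3 watchlists endpoint.
    2. Rejection: a Watchlist fetched from a response that is missing required
       fields (``WATCHLIST_GET_SPECIFIC_MISSING_FIELDS_RESP``) is refused by
       both ``validate()`` and ``save()`` with ``InvalidObjectError``.

    Args:
        cbcsdk_mock: Fixture exposing the mocked ``api`` object and ``mock_request``.
    """
    api = cbcsdk_mock.api
    # Named explicitly so the builtin ``id`` is not shadowed.
    watchlist_id = "watchlistId"
    cbcsdk_mock.mock_request("POST", "/threathunter/watchlistmgr/v3/orgs/test/watchlists", WATCHLIST_GET_SPECIFIC_RESP)
    watchlist = Watchlist(api, model_unique_id=watchlist_id, initial_data=CREATE_WATCHLIST_DATA)
    watchlist.validate()
    watchlist.save()

    # if Watchlist response is missing a required field per enterprise_edr.models.Watchlist, raise InvalidObjectError
    cbcsdk_mock.mock_request("GET", f"/threathunter/watchlistmgr/v2/watchlist/{watchlist_id}",
                             WATCHLIST_GET_SPECIFIC_MISSING_FIELDS_RESP)
    watchlist = api.select(Watchlist, watchlist_id)
    with pytest.raises(InvalidObjectError):
        watchlist.validate()
    with pytest.raises(InvalidObjectError):
        watchlist.save()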
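# Process search tuned to Egregor ransomware behaviour: a very high file-modification
# count, the ransom-note filename, and execution via rundll32/regsvr32. Defined once so
# the "query" Report and the Process search are guaranteed to use the same text.
_EGREGOR_QUERY = (
    "filemod_count:[10000 TO *] filemod_name:recover-files.txt "
    "(modload_name:rundll32.exe OR modload_name:regsvr32.exe)")


def _collect_process_hashes(processes):
    """Return the set of MD5 and SHA-256 hashes observed across *processes*.

    Falsy hash values are dropped: a Process result that lacks one of the two
    hashes (assumption — confirm against the SDK's Process model) would otherwise
    put ``None`` into the IOC value list sent to the Reports API.

    Args:
        processes: Iterable of Process results exposing ``process_md5`` and ``process_sha256``.

    Returns:
        set[str]: Unique, non-empty hash strings.
    """
    return {
        hash_value
        for process in processes
        for hash_value in (process.process_md5, process.process_sha256)
        if hash_value
    }


def enterprise_edr():
    """
    Enterprise EDR operations, using research from TAU.

    1. Find Processes with Indicators of Compromise (IOC's) matching Egregor ransomware, then
    2. Combine observed Process hashes with TAU research into Reports, finally
    3. Add the Reports to a new Watchlist.

    Side effects: creates two Watchlist Reports and one Watchlist in the tenant
    behind ``enterprise_edr_api``, and prints progress to stdout.

    Returns:
        The id of the newly created Watchlist.
    """
    print(f"\n{BOLD}****************************************************\n"
          " 3. Carbon Black Cloud Enterprise EDR Watchlist API \n"
          f"****************************************************{UNBOLD}\n")
    logging.info("Building Egregor ransomware Reports and Watchlist from IOCs")
    print(
        "Using Enterprise EDR to create Threat Reports and a Watchlist, based on Egregor Ransomware IOCs: "
        f"\n{_EGREGOR_QUERY}\n")

    # Find Enterprise EDR Processes that match Egregor ransomware behavior
    egregor_ransomware_processes = enterprise_edr_api.select(Process).where(_EGREGOR_QUERY)

    # Extract the Process hashes
    print("Finding Process hashes that matched Egregor IOC query.\n")
    process_hashes = _collect_process_hashes(egregor_ransomware_processes)
    if not process_hashes:
        # The Report is still created (matching the original flow) but an empty
        # equality IOC matches nothing, so make that visible in the log.
        logging.warning("No Process hashes matched the Egregor IOC query; hashes Report will have no values")

    # Create an Enterprise EDR Report with the found Process hashes
    ransomware_hashes_report = create_eedr_report(
        title="Egregor Ransomware MD5/SHA256 Hashes",
        description="Process hashes suggesting Egregor ransomware behavior",
        severity=10,
        iocs={
            "id": 1,
            "match_type": "equality",
            "field": "process_hash",
            # sorted() gives the saved Report a stable value order across runs
            "values": sorted(process_hashes)
        })
    # Save the Report as a Watchlist Report (vs. a Feed Report)
    ransomware_hashes_report.save_watchlist()

    # Continuously monitor for any Processes that exhibit Egregor ransomware behavior
    ransomware_query_report = create_eedr_report(
        title="Egregor Ransomware Query",
        description="IOCs suggesting ransomware behavior",
        severity=10,
        iocs={
            "id": 1,
            "match_type": "query",
            "values": [_EGREGOR_QUERY]
        })

    # Save the Report as a Watchlist Report (vs. a Feed Report)
    ransomware_query_report.save_watchlist()

    print("Creating an Egregor ransomware Watchlist.\n")
    # Create a new Watchlist to track ransomware Process hashes; one timestamp is
    # taken so create/last_update agree exactly instead of differing by microseconds.
    now = time.time()
    wldata = {
        "name": "CBCSDK-Test",
        "description": "Egregor Ransomware Watchlist",
        "create_timestamp": now,
        "last_update_timestamp": now,
        "id": 1
    }
    ransomware_watchlist = Watchlist(enterprise_edr_api, initial_data=wldata)
    # Save the new Watchlist
    ransomware_watchlist.save()

    # Add the Reports to the Watchlist
    logging.info("Adding Reports to Watchlist %s", ransomware_watchlist.id)
    print(
        "Adding Egregor ransomware SHA256/MD5 hashes Report and Query Report to Watchlist.\n"
    )
    ransomware_watchlist.update(
        report_ids=[ransomware_hashes_report.id, ransomware_query_report.id])
    return ransomware_watchlist.id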