def main():
parser = build_cli_parser("Delete duplicate computers")
parser.add_argument(
"--dry-run",
"-d",
help="perform a dry run, don't actually delete the computers",
action="store_true",
dest="dry_run")
args = parser.parse_args()
p = get_cb_protection_object(args)
computer_list = defaultdict(list)
for computer in p.select(Computer).where("deleted:false"):
computer_list[computer.name].append({
"id": computer.id,
"offline": computer.daysOffline
})
for computer_name, computer_ids in iteritems(computer_list):
if len(computer_ids) > 1:
sorted_computers = sorted(computer_ids,
key=lambda x: x["offline"],
reverse=True)
for computer_id in sorted_computers[:-1]:
if computer_id["offline"] > 0:
print(
"deleting computer id %d (offline %d days, hostname %s)"
% (computer_id["id"], computer_id["offline"],
computer_name))
if not args.dry_run:
print("deleting from server...")
p.select(Computer, computer_id["id"]).delete()
def main():
parser = build_cli_parser("VirusTotal Connector")
parser.add_argument("--config",
"-c",
help="Path to configuration file",
default="virustotal.ini")
args = parser.parse_args()
inifile = RawConfigParser({
"vt_api_key": None,
"retrieve_files": "true",
"upload_binaries_to_vt": "false",
"connector_name": "VirusTotal",
"log_file": None,
})
inifile.read(args.config)
config = {}
config["vt_api_key"] = inifile.get("bridge", "vt_api_key")
config["retrieve_files"] = inifile.getboolean("bridge", "retrieve_files")
config["connector_name"] = inifile.get("bridge", "connector_name")
config["upload_binaries_to_vt"] = inifile.getboolean(
"bridge", "upload_binaries_to_vt")
log_file = inifile.get("bridge", "log_file")
if log_file:
file_handler = logging.FileHandler(log_file)
formatter = logging.Formatter('%(asctime)s %(levelname)s:%(message)s')
file_handler.setFormatter(formatter)
file_handler.setLevel(logging.DEBUG)
logging.getLogger().addHandler(file_handler)
if not config["vt_api_key"]:
log.fatal("Cannot start without a valid VirusTotal API key, exiting")
return 1
log.info("Configuration:")
for k, v in iteritems(config):
log.info(" %-20s: %s" % (k, v))
api = get_cb_protection_object(args)
vt = VirusTotalConnector(
api,
vt_token=config["vt_api_key"],
allow_uploads=config[
"upload_binaries_to_vt"], # Allow VT connector to upload binary files to VirusTotal
connector_name=config["connector_name"],
)
log.info("Starting VirusTotal processing loop")
vt.run()
def main():
parser = build_cli_parser("VirusTotal Connector")
parser.add_argument("--config", "-c", help="Path to configuration file", default="virustotal.ini")
args = parser.parse_args()
inifile = RawConfigParser({
"vt_api_key": None,
"retrieve_files": "true",
"upload_binaries_to_vt": "false",
"connector_name": "VirusTotal",
"log_file": None,
})
inifile.read(args.config)
config = {}
config["vt_api_key"] = inifile.get("bridge", "vt_api_key")
config["retrieve_files"] = inifile.getboolean("bridge", "retrieve_files")
config["connector_name"] = inifile.get("bridge", "connector_name")
config["upload_binaries_to_vt"] = inifile.getboolean("bridge", "upload_binaries_to_vt")
log_file = inifile.get("bridge", "log_file")
if log_file:
file_handler = logging.FileHandler(log_file)
formatter = logging.Formatter('%(asctime)s %(levelname)s:%(message)s')
file_handler.setFormatter(formatter)
file_handler.setLevel(logging.DEBUG)
logging.getLogger().addHandler(file_handler)
if not config["vt_api_key"]:
log.fatal("Cannot start without a valid VirusTotal API key, exiting")
return 1
log.info("Configuration:")
for k, v in iteritems(config):
log.info(" %-20s: %s" % (k,v))
api = get_cb_protection_object(args)
vt = VirusTotalConnector(
api,
vt_token=config["vt_api_key"],
allow_uploads=config["upload_binaries_to_vt"], # Allow VT connector to upload binary files to VirusTotal
connector_name=config["connector_name"],
)
log.info("Starting VirusTotal processing loop")
vt.run()
def main():
parser = build_cli_parser("Revert computers in policy to previous policy")
parser.add_argument("--policy", "-p", help="Policy name or ID", required=True)
args = parser.parse_args()
p = get_cb_protection_object(args)
try:
policyId = int(args.policy)
except ValueError:
policyId = p.select(Policy).where("name:{}".format(args.policy)).id
for computer in p.select(Computer).where("policyId:{}".format(policyId)):
print("%s was in %s" % (computer.name, computer.policyName))
computer.policyId = computer.previousPolicyId
computer.save()
print("%s is now in %s" % (computer.name, computer.policyName))
def main():
parser = build_cli_parser()
parser.add_argument("--query", help="file property to query upon. e.x.\nmd5:D2F7A0ADC2EE0F65AB1F19D2E00C16B8", default='')
parser.add_argument("--list", help="If provided this will list all the queryable fields", action="store_true")
args = parser.parse_args()
cb = get_cb_protection_object(args)
if args.list:
print "Here's a list of all the available fields in the File Catalog (and can be used in a query):"
file = cb.select(FileCatalog).where('prevalence:1')
print file[0]
print "="*80
print "Here's a list of all the fields available from the File Instance table."
fi_query = 'fileCatalogId:%s' % (file[0].id)
file_instance = cb.select(FileInstance).where(fi_query)
print file_instance[0]
sys.exit(0)
if not args.query:
raise TypeError('Missing the query argument. Run %s --help for additional instructions'% (sys.argv[0]))
try:
file_catalog = cb.select(FileCatalog).where(args.query)
except:
raise
for f in file_catalog:
print "File Name : ", f.fileName
print "Sha256 Hash: ", f.sha256
print "FileState: ", f.fileState
fi_query='fileCatalogId:%s' % (f.id)
file_instances = cb.select(FileInstance).where(fi_query)
for file in file_instances:
comp_query = 'id:%s' % (file.computerId)
comp = cb.select(Computer).where(comp_query)
for c in comp:
cname = c.name
print cname, file.pathName
print "fileCatalogId: %s" % (file.fileCatalogId)
def main():
parser = build_cli_parser("Approve files")
parser.add_argument("--policy", "-p", help="Policy name to use", required=True)
parser.add_argument("--threshold", "-t", help="Prevalence threshold", default=10, type=int)
args = parser.parse_args()
api = get_cb_protection_object(args)
comps = api.select(Computer).where("policyName:{0:s}".format(args.policy)).and_("deleted:false")
for c in comps:
changed_files = []
files = c.fileInstances.where("localState:1")
for f in files:
if f.fileCatalog.prevalence >= args.threshold:
f.localState = 2
f.save()
changed_files.append(f)
if len(changed_files) > 0:
print("Locally approved {0:d} files on computer {1:s}".format(len(changed_files), c.name))
def main():
parser = build_cli_parser("Revert computers in policy to previous policy")
parser.add_argument("--policy",
"-p",
help="Policy name or ID",
required=True)
args = parser.parse_args()
p = get_cb_protection_object(args)
try:
policyId = int(args.policy)
except ValueError:
policyId = p.select(Policy).where("name:{}".format(args.policy)).id
for computer in p.select(Computer).where("policyId:{}".format(policyId)):
print("%s was in %s" % (computer.name, computer.policyName))
computer.policyId = computer.previousPolicyId
computer.save()
print("%s is now in %s" % (computer.name, computer.policyName))
def main():
parser = build_cli_parser("Delete duplicate computers")
parser.add_argument("--dry-run", "-d", help="perform a dry run, don't actually delete the computers",
action="store_true", dest="dry_run")
args = parser.parse_args()
p = get_cb_protection_object(args)
computer_list = defaultdict(list)
for computer in p.select(Computer).where("deleted:false"):
computer_list[computer.name].append({"id": computer.id, "offline": computer.daysOffline})
for computer_name, computer_ids in iteritems(computer_list):
if len(computer_ids) > 1:
sorted_computers = sorted(computer_ids, key=lambda x: x["offline"], reverse=True)
for computer_id in sorted_computers[:-1]:
if computer_id["offline"] > 0:
print("deleting computer id %d (offline %d days, hostname %s)" % (computer_id["id"],
computer_id["offline"],
computer_name))
if not args.dry_run:
print("deleting from server...")
p.select(Computer, computer_id["id"]).delete()
"severity": "high",
"type": "whoa"
})
n.save()
else:
# wait till next time
log.info("Waiting until hash {0:s} is uploaded".format(i.fileHash))
if __name__ == '__main__':
parser = build_cli_parser(
"EmptyAnalysis: example connector for Carbon Black Enterprise Protection"
)
args = parser.parse_args()
api = get_cb_protection_object(args)
vt_connector = api.create(Connector,
data={
"name": "EmptyAnalysis",
"analysisName": "EmptyAnalysis",
"connectorVersion": "1.0",
"canAnalyze": True,
"analysisEnabled": True,
"enabled": True
})
vt_connector.save()
connector_id = vt_connector.id
log.info("Connector: {0:s}".format(str(vt_connector)))
log.info("Starting processing loop")
# create a notification
n = i.create_notification(data={"product": "EmptyAnalysis", "malwareName": "TEST MALWARE",
"analysisResult": Notification.ResultMalicious, "severity": "high",
"type": "whoa"})
n.save()
else:
# wait till next time
log.info("Waiting until hash {0:s} is uploaded".format(i.fileHash))
if __name__ == '__main__':
parser = build_cli_parser("EmptyAnalysis: example connector for Carbon Black Enterprise Protection")
args = parser.parse_args()
api = get_cb_protection_object(args)
vt_connector = api.create(Connector, data={"name": "EmptyAnalysis", "analysisName": "EmptyAnalysis",
"connectorVersion": "1.0", "canAnalyze": True, "analysisEnabled": True,
"enabled": True})
vt_connector.save()
connector_id = vt_connector.id
log.info("Connector: {0:s}".format(str(vt_connector)))
log.info("Starting processing loop")
while True:
for i in vt_connector.pendingAnalyses:
process_request(api, i)
time.sleep(10)
def main():
parser = build_cli_parser(
"Manage users on Cb Connect 2018 Developer Day servers")
commands = parser.add_subparsers(help="User commands", dest="command_name")
bulk_command = commands.add_parser("bulkadd",
help="Bulk add users from CSV file")
bulk_command.add_argument("-f",
"--csvfile",
help="input CSV file name",
required=True)
bulk_command.add_argument("-g",
"--group",
help="Group to add these users to",
default="devday")
print_command = commands.add_parser(
"print", help="Print user credentials to docx file")
print_command.add_argument("-p",
"--protection",
help="Cb Protection base login URL",
default="https://cbprotection.devday2018.com")
print_command.add_argument(
"-d",
"--defense",
help="Cb Defense base login URL",
default="https://defense-eap01.conferdeploy.net")
print_command.add_argument("-r",
"--response",
help="Cb Response base login URL",
default="https://cbresponse.devday2018.com")
print_command.add_argument("-o",
"--output",
help="Output file for credentials docx file",
default="credentials.docx")
print_command.add_argument("-f",
"--csvfile",
help="input CSV file name",
required=True)
args = parser.parse_args()
if args.command_name == "bulkadd":
# Get the Cb Response and Cb Protection API objects, respectively
cbr = get_cb_response_object(args)
cbp = get_cb_protection_object(args)
# Read the list of emails and passwords from our CSV file
users = read_from_csv(args.csvfile)
# Create the Response users
add_to_response(cbr, args.group, users)
add_to_protection(cbp, args.group, users)
elif args.command_name == "print":
# Read the list of emails and passwords from our CSV file
users = read_from_csv(args.csvfile)
doc = generate_user_credential_doc(users, args)
doc.save(args.output)
else:
print("Invalid command: {0}".format(args.command_name))