def main(): """Main function for Device Processes script.""" parser = build_cli_parser() args = parser.parse_args() cb = get_cb_cloud_object(args) query = cb.select(Device).where('1').set_status(['ACTIVE']) devices = list(query) if args.verbose: print(f"Querying {len(devices)} device(s)...") active_queries = set() for device in devices: query = cb.select(Process).where( f"device_id:{device.id}").set_time_range(window='-6h') if args.verbose: print(f"Sending query for device ID {device.id}...") active_queries.add(query.execute_async()) if args.verbose: print("Done sending queries, waiting for responses...") concurrent.futures.wait(active_queries) print("{0:16} {1:5} {2:60}".format("Device Name", "PID", "Process Name")) print("{0:16} {1:5} {2:60}".format("-----------", "---", "------------")) for future in active_queries: result = future.result() for process in result: print("{0:16} {1:5} {2:60}".format(process['device_name'], process['process_pid'][0], process['process_name']))
def main(): """Main function for the user listing script""" parser = build_cli_parser('Find Users With Grants') parser.add_argument( '-n', '--number', type=int, default=0, help="Maximum number of users to find (default no limit)") args = parser.parse_args() cb = get_cb_cloud_object(args) users = cb.select(User) result_list = [] count = 0 for user in users: if has_grant(user): result_list.append(user) if 0 < args.number == len(result_list): break count = count + 1 if count % 100 == 0: print(f"Processed {count} users") print( f"Found {len(result_list)} 'interesting' users (that have profiles) out of {count}" ) for user in result_list: grant = user.grant() print( f"{user.login_id} - '{user.first_name} {user.last_name}' - {len(grant.profiles_)} profile(s)" ) return 0
def main(): parser = build_cli_parser("List devices") parser.add_argument("-q", "--query", help="Query string for looking for devices") parser.add_argument("-A", "--ad_group_id", action="append", type=int, help="Active Directory Group ID") parser.add_argument("-p", "--policy_id", action="append", type=int, help="Policy ID") parser.add_argument("-s", "--status", action="append", help="Status of device") parser.add_argument("-P", "--priority", action="append", help="Target priority of device") parser.add_argument("-S", "--sort_by", help="Field to sort the output by") parser.add_argument("-R", "--reverse", action="store_true", help="Reverse order of sort") args = parser.parse_args() cb = get_cb_cloud_object(args) query = cb.select(Device) if args.query: query = query.where(args.query) if args.ad_group_id: query = query.set_ad_group_ids(args.ad_group_id) if args.policy_id: query = query.set_policy_ids(args.policy_id) if args.status: query = query.set_status(args.status) if args.priority: query = query.set_target_priorities(args.priority) if args.sort_by: direction = "DESC" if args.reverse else "ASC" query = query.sort_by(args.sort_by, direction) devices = list(query) print("{0:9} {1:40}{2:18}{3}".format("ID", "Hostname", "IP Address", "Last Checkin Time")) for device in devices: print("{0:9} {1:40s}{2:18s}{3}".format(device.id, device.name or "None", device.last_internal_ip_address or "Unknown", device.last_contact_time))
def main(): """Script entry point""" parser = build_cli_parser() args = parser.parse_args() cb = get_cb_cloud_object(args) header_line() start_api_call('Get Sensor Configuration Template') templ_sdk = get_config_template_sdk(cb) templ_api = get_config_template_api(cb) base_compare(templ_sdk, templ_api, 'Get Sensor Configuration Template') start_api_call('Get Sensor Kit and Configuration Links') expires_date = (datetime.now() + timedelta(days=2)).isoformat() + "Z" kits_sdk = get_sensor_kits_sdk(cb, expires_date) kits_api = get_sensor_kits_api(cb, expires_date) sensorkit_compare(kits_sdk, kits_api) # We use an arbitrary resource to serve as the target for a sensor install. resource = lookup_compute_resource(cb) start_api_call('Request Workload Sensor Installation') result_sdk = request_install_sdk(resource) result_api = request_install_api(cb, resource) base_compare(result_sdk, result_api, 'Request Workload Sensor Installation')
def main(cbc=None, menu=None, parser=None): """Script entry point""" # Initiate argparser parser = build_cli_parser() parser.add_argument('--appliance_uuid', nargs='+') parser.add_argument('--eligibility', nargs='+') parser.add_argument('--cluster_name', nargs='+') parser.add_argument('--name', nargs='+') parser.add_argument('--ip_address', nargs='+') parser.add_argument('--installation_status', nargs='+') parser.add_argument('--uuid', nargs='+') parser.add_argument('--os_type', nargs='+') parser.add_argument('--os_architecture', nargs='+') args = parser.parse_args() # Create cbc Instance cbc = get_cb_cloud_object(args) # Generate menu menu = generate_menu() # Get user menu choice user_choice = user_input(menu) # Call user specified sdk call menu[user_choice]['function_call'](cbc, menu, parser)
def main(): """Script entry point""" parser = build_cli_parser() parser.add_argument("--window", help="Define search window", default='3d') args = parser.parse_args() global ORG_KEY global HOSTNAME print_detail = False cb = get_cb_cloud_object(args) HEADERS['X-Auth-Token'] = cb.credentials.token ORG_KEY = cb.credentials.org_key HOSTNAME = cb.credentials.url start_date = (datetime.now() + timedelta(days=-2)).isoformat() + "Z" end_date = (datetime.now() + timedelta(days=-1)).isoformat() + "Z" if print_detail: print("Start date: {}\nEnd date: {}".format(start_date, end_date)) run_process_invalid_search(cb, print_detail) run_process_event_invalid_search(cb, print_detail) get_list_of_available_process_results(cb) process_guid = get_process_guid(cb, print_detail, start_date, end_date) process_name = retrieve_process_name_from_process_details(cb, process_guid) get_process_facet(cb, print_detail, process_name, start_date, end_date) get_process_events_for_single_process(cb, process_guid, start_date, end_date, print_detail) get_events_facet_associated_with_a_process(cb, print_detail, start_date, end_date, process_guid) print('END OF TEST')
def main(): """Script entry point""" parser = build_cli_parser() args = parser.parse_args() print_detail = args.verbose window = '-' + args.window do_process = True do_enriched_events = True if print_detail: print(f"profile being used is {args.__dict__}") process_guid = "" cb = get_cb_cloud_object(args) if do_process: process_guid = get_process_basic_window_enriched(cb, print_detail, window) get_process_events_for_single_process(cb, print_detail, process_guid) run_process_invalid_search(cb, print_detail) run_process_event_invalid_search(cb, print_detail) get_process_facet(cb, window) get_list_of_available_process_results(cb) get_events_facet_associated_with_a_process(cb, process_guid) if do_enriched_events: if not process_guid: process_guid = get_process_basic_window_enriched(cb, print_detail, window) event_id = get_enriched_events_for_single_process(cb, process_guid) get_enriched_event_facet(cb, print_detail, window) enriched_events_details(cb, event_id) enriched_events_aggregation(cb)
def get_args(): """Build argument parser and process cli args""" parser = build_cli_parser() parser.add_argument("--severity", "-s", type=int, default=1, help="Minimum severity of alerts") parser.add_argument("--range", "-r", type=str, default="3d", help="Time range from current time to X time ago. " "Format: [quantity][unit] where unit is one of" " s for seconds, m for minutes, h for hours," " d for days, and w for weeks") return parser.parse_args()
def main(): """Main function for the user listing script""" parser = build_cli_parser('List Permitted Roles') args = parser.parse_args() cb = get_cb_cloud_object(args) roles = Grant.get_permitted_role_urns(cb) for index, role in enumerate(sorted(roles)): print(f"{index + 1}. {role}") return 0
def main(): """Script entry point""" parser = build_cli_parser() args = parser.parse_args() do_devices = True cb = get_cb_cloud_object(args) if do_devices: search_devices(cb)
def main(): """Main function for Device Actions script.""" parser = build_cli_parser("Send control messages to device") parser.add_argument("-d", "--device_id", type=int, required=True, help="The ID of the device to be controlled") subparsers = parser.add_subparsers(dest="command", help="Device command help") bgscan_p = subparsers.add_parser("background_scan", help="Set background scanning status") toggle = bgscan_p.add_mutually_exclusive_group(required=True) toggle.add_argument("--on", action="store_true", help="Turn background scanning on") toggle.add_argument("--off", action="store_true", help="Turn background scanning off") bypass_p = subparsers.add_parser("bypass", help="Set bypass mode") toggle = bypass_p.add_mutually_exclusive_group(required=True) toggle.add_argument("--on", action="store_true", help="Enable bypass mode") toggle.add_argument("--off", action="store_true", help="Disable bypass mode") subparsers.add_parser("delete", help="Delete sensor") subparsers.add_parser("uninstall", help="Uninstall sensor") quarantine_p = subparsers.add_parser("quarantine", help="Set quarantine mode") toggle = quarantine_p.add_mutually_exclusive_group(required=True) toggle.add_argument("--on", action="store_true", help="Enable quarantine mode") toggle.add_argument("--off", action="store_true", help="Disable quarantine mode") policy_p = subparsers.add_parser("policy", help="Update policy for node") policy_p.add_argument("-p", "--policy_id", type=int, required=True, help="New policy ID to set for node") sensorv_p = subparsers.add_parser("sensor_version", help="Update sensor version for node") sensorv_p.add_argument("-o", "--os", required=True, help="Operating system for sensor") sensorv_p.add_argument("-V", "--version", required=True, help="Version number of sensor") args = parser.parse_args() cb = get_cb_cloud_object(args) dev = cb.select(Device, args.device_id) if args.command: if args.command == "background_scan": dev.background_scan(toggle_value(args)) elif args.command == "bypass": dev.bypass(toggle_value(args)) elif args.command == "delete": dev.delete_sensor() elif args.command == "uninstall": dev.uninstall_sensor() elif args.command == "quarantine": dev.quarantine(toggle_value(args)) elif args.command == "policy": dev.update_policy(args.policy_id) elif args.command == "sensor_version": dev.update_sensor_version({args.os: args.version}) else: raise NotImplementedError("Unknown command") print("OK") else: print(dev)
def test_argument_parser_default_values(): """Tests the default credential values.""" parser = build_cli_parser("Test helpers.py") args = parser.parse_known_args()[0] assert args.cburl is None assert args.apitoken is None assert args.orgkey is None assert args.no_ssl_verify is False assert args.profile == 'default' assert args.verbose is False
def main(): """Script entry point""" global ORG_KEY global HOSTNAME parser = build_cli_parser() parser.add_argument("--window", help="Define search window", default='3d') args = parser.parse_args() print_detail = args.verbose window = '-' + args.window if print_detail: print("args provided {}".format(args)) cb = get_cb_cloud_object(args) HEADERS["X-Auth-Token"] = cb.credentials.token ORG_KEY = cb.credentials.org_key HOSTNAME = cb.credentials.url print() print(17 * " ", "Enriched Events For Alerts") print(SYMBOLS * DELIMITER) # get alert created in the last four weeks, because enriched events are kept for some time query = cb.select(CBAnalyticsAlert).set_create_time(range="-4w") if len(query) == 0: return item = query[0] alert_id = item._info["legacy_alert_id"] eevents = [event._info for event in item.get_events()] job_id = start_search_job(alert_id) wait_till_job_ready(job_id) records = get_results_search_job(job_id) assert records == eevents, "Actual: {}, Expected: {}".format( records, eevents) print("Get events for CBAnalyticsAlert...........................OK") async_eevents = [ event._info for event in item.get_events(async_mode=True).result() ] assert records == async_eevents, "Actual: {}, Expected: {}".format( records, async_eevents) print("Get async events for CBAnalyticsAlert.....................OK") # TODO rewrite the functionality below process_guid = "" if not process_guid: process_guid = get_process_basic_window_enriched( cb, print_detail, window) event_id = get_enriched_events_for_single_process(cb, process_guid) get_enriched_event_facet(cb, print_detail, window) enriched_events_details(cb, event_id) enriched_events_aggregation(cb)
def test_apicloudapi_object_with_command_line_arguments(): """Tests the CBCloudAPI object with command line arguments.""" parser = build_cli_parser("Test helpers.py") args = parser.parse_known_args()[0] args.cburl = 'https://example.com' args.apitoken = 'ABCDEFGH' args.orgkey = 'A1B2C3D4' args.no_ssl_verify = 'false' api = get_cb_cloud_object(args) assert api.credential_profile_name is None
def main(): parser = build_cli_parser("Carbon Black Cloud Live Response CLI") parser.add_argument("--log", help="Log activity to a file", default='') args = parser.parse_args() cb = get_cb_cloud_object(args) if args.log: file_handler = logging.FileHandler(args.log) file_handler.setLevel(logging.DEBUG) log.addHandler(file_handler) cli = CblrCli(cb, connect_callback) cli.cmdloop()
def main(): """Script entry point""" parser = build_cli_parser() args = parser.parse_args() global ORG_KEY global HOSTNAME cb = get_cb_cloud_object(args) HEADERS['X-Auth-Token'] = cb.credentials.token ORG_KEY = cb.credentials.org_key HOSTNAME = cb.credentials.url search_devices(cb)
def main(): """Script entry point""" parser = build_cli_parser() args = parser.parse_args() cb = get_cb_cloud_object(args) sdk_resp, event_id = search_and_facet_compute_resources_sdk(cb) api_resp = search_and_facet_compute_resources_api(cb) compare_data_facet(sdk_resp, api_resp, 'Search and Facet Compute Resources') sdk_resp = fetch_compute_resource_by_id_sdk(cb, event_id) api_resp = fetch_compute_resource_by_id_api(cb, event_id) compare_data_id(sdk_resp, api_resp, 'Fetch Compute Resource by ID')
def main(): """Main function for the user creation script""" parser = build_cli_parser('Create a User') parser.add_argument('first_name', help='First name for the new user') parser.add_argument('last_name', help='Last name for the new user') parser.add_argument('email', help='E-mail address for the new user') parser.add_argument('phone', help='Phone number for the new user') parser.add_argument('role', help='Role URN to assign the new user') parser.add_argument('-P', '--accessprofiles', action='store_true', help='Use access profiles when creating the user') args = parser.parse_args() cb = get_cb_cloud_object(args) builder = User.create(cb).set_first_name(args.first_name).set_last_name(args.last_name).set_email(args.email) builder.set_phone(args.phone) if args.accessprofiles: builder.add_grant_profile([cb.org_urn], [args.role]) else: builder.set_role(args.role) builder.build() print("New user created.") return 0
def main(): """Main function for the role changing script""" parser = build_cli_parser("Change User's Role") parser.add_argument('email', help='E-mail address of the user to change role of') parser.add_argument('role', help='New role URN for the user') args = parser.parse_args() cb = get_cb_cloud_object(args) user = cb.select(User).email_addresses([args.email]).one() grant = user.grant() need_reset = True for profile in grant.profiles_: if profile.allowed_orgs == [cb.org_urn]: profile.roles = [args.role] profile.save() need_reset = False if need_reset: grant.roles = [args.role] grant.save() print("Role changed.") return 0
def main(): """Script entry point""" parser = build_cli_parser() parser.add_argument("-m", "--machinename", help="machinename to run host forensics recon on") parser.add_argument("-g", "--get", help="Get the Dell BIOS Verification images", action="store_true") args = parser.parse_args() # Create the CBCloud cb = get_cb_cloud_object(args) if args.machinename: if args.get: live_response(cb, host=args.machinename, response="get") else: print("Nothing to do...") else: print( "[ ! ] You must specify a machinename with a --machinename parameter." " IE ./BiosVerification.py --machinename cheese")
def main(): """Main function of the Feed Operations script.""" parser = build_cli_parser() commands = parser.add_subparsers(help="Feed commands", dest="command_name") list_command = commands.add_parser("list", help="List all configured feeds") list_command.add_argument( "-P", "--public", help="Include public feeds", action="store_true", default=False, ) list_command.add_argument( "-r", "--reports", help="Include reports for each feed", action="store_true", default=False, ) list_command.add_argument( "-i", "--iocs", help="Include IOCs for each feed's reports", action="store_true", default=False, ) list_iocs_command = commands.add_parser( "list-iocs", help="List all IOCs for a feed" ) specifier = list_iocs_command.add_mutually_exclusive_group(required=True) specifier.add_argument("-i", "--id", type=str, help="Feed ID") specifier.add_argument("-f", "--feedname", type=str, help="Feed Name") export_command = commands.add_parser( "export", help="Export a feed into an importable format" ) specifier = export_command.add_mutually_exclusive_group(required=True) specifier.add_argument("-i", "--id", type=str, help="Feed ID") specifier.add_argument("-f", "--feedname", type=str, help="Feed Name") import_command = commands.add_parser( "import", help="Import a previously exported feed" ) import_command.add_argument( "-f", "--feedname", type=str, help="Renames the imported feed" ) import_command.add_argument( "-P", "--public", help="Make the feed public", action="store_true" ) del_command = commands.add_parser("delete", help="Delete feed") specifier = del_command.add_mutually_exclusive_group(required=True) specifier.add_argument("-i", "--id", type=str, help="Feed ID") specifier.add_argument("-f", "--feedname", type=str, help="Feed Name") export_report_command = commands.add_parser( "export-report", help="Export a feed's report into an importable format" ) specifier = export_report_command.add_mutually_exclusive_group(required=True) specifier.add_argument("-i", "--id", type=str, help="Feed ID") specifier.add_argument("-f", "--feedname", type=str, help="Feed Name") specifier = export_report_command.add_mutually_exclusive_group(required=True) specifier.add_argument("-I", "--reportid", type=str, help="Report ID") specifier.add_argument("-r", "--reportname", type=str, help="Report Name") import_report_command = commands.add_parser( "import-report", help="Import a previously exported report" ) specifier = import_report_command.add_mutually_exclusive_group(required=True) specifier.add_argument("-i", "--id", type=str, help="Feed ID") specifier.add_argument("-f", "--feedname", type=str, help="Feed Name") delete_report_command = commands.add_parser( "delete-report", help="Delete a report from a feed" ) specifier = delete_report_command.add_mutually_exclusive_group(required=True) specifier.add_argument("-i", "--id", type=str, help="Feed ID") specifier.add_argument("-f", "--feedname", type=str, help="Feed Name") specifier = delete_report_command.add_mutually_exclusive_group(required=True) specifier.add_argument("-I", "--reportid", type=str, help="Report ID") specifier.add_argument("-r", "--reportname", type=str, help="Report Name") replace_report_command = commands.add_parser( "replace-report", help="Replace a feed's report" ) specifier = replace_report_command.add_mutually_exclusive_group(required=True) specifier.add_argument("-i", "--id", type=str, help="Feed ID") specifier.add_argument("-f", "--feedname", type=str, help="Feed Name") args = parser.parse_args() cb = get_cb_cloud_object(args) if args.command_name == "list": return list_feeds(cb, parser, args) elif args.command_name == "list-iocs": return list_iocs(cb, parser, args) elif args.command_name == "export": return export_feed(cb, parser, args) elif args.command_name == "import": return import_feed(cb, parser, args) elif args.command_name == "delete": return delete_feed(cb, parser, args) elif args.command_name == "export-report": return export_report(cb, parser, args) elif args.command_name == "import-report": return import_report(cb, parser, args) elif args.command_name == "delete-report": return delete_report(cb, parser, args) elif args.command_name == "replace-report": return replace_report(cb, parser, args)
def test_apicloudapi_object_with_default_arguments(): """Tests the CBCloudAPI object with default arguments.""" parser = build_cli_parser("Test helpers.py") args = parser.parse_known_args()[0] assert args.profile == 'default'
def main(): """Script entry point""" parser = build_cli_parser() parser.add_argument("--job", action="store", default="examplejob", required=True) args = parser.parse_args() cb = get_cb_cloud_object(args) device_query = cb.select(Device) # Retrieve the list of devices that are online # calculate based on devices that have checked in during the last five minutes now = datetime.utcnow() delta = timedelta(minutes=5) online_devices = [] offline_devices = [] for device in device_query: if now - datetime.strptime(device.last_contact_time, FORMAT) < delta: online_devices.append(device) else: offline_devices.append(device) print("The following devices are offline and will not be queried:") for device in offline_devices: print(" {0}: {1}".format(device.id, device.name)) print("The following devices are online and WILL be queried:") for device in offline_devices: print(" {0}: {1}".format(device.id, device.name)) # import our job object from the jobfile job = __import__(args.job) jobobject = job.getjob() completed_devices = [] futures = {} # collect 'future' objects for all jobs for device in online_devices: f = cb.live_response.submit_job(jobobject.run, device) futures[f] = device.id # iterate over all the futures for f in as_completed(futures.keys(), timeout=100): if f.exception() is None: print("Device {0} had result:".format(futures[f])) print(f.result()) completed_devices.append(futures[f]) else: print("Device {0} had error:".format(futures[f])) print(f.exception()) still_to_do = set([s.id for s in online_devices]) - set(completed_devices) print( "The following devices were attempted but not completed or errored out:" ) for device in still_to_do: print(" {0}".format(device))
def main(): """Main function for the LiveQuery runs manager.""" parser = build_cli_parser("Create and manage LiveQuery runs") commands = parser.add_subparsers(help="Commands", dest="command_name") create_command = commands.add_parser("create", help="Create a new LiveQuery run") create_command.add_argument("-s", "--sql", type=str, required=True, help="The query to run") create_command.add_argument( "-n", "--notify", action="store_true", help="Notify by email when the run finishes", ) create_command.add_argument("-N", "--name", type=str, required=False, help="The name of the run") create_command.add_argument( "--device_ids", nargs="+", type=int, required=False, help="Device IDs to filter on", ) create_command.add_argument( "--device_types", nargs="+", type=str, required=False, help="Device types to filter on", ) create_command.add_argument( "--policy_id", type=int, required=False, help="Policy ID to filter on. Only one policy_id can be specified.", ) status_command = commands.add_parser( "status", help="Retrieve information about a run") status_command.add_argument("-i", "--id", type=str, required=True, help="The run ID") stop_command = commands.add_parser("stop", help="Stops/cancels a current run") stop_command.add_argument("-i", "--id", type=str, required=True, help="The run ID") delete_command = commands.add_parser("delete", help="Permanently delete a run") delete_command.add_argument("-i", "--id", type=str, required=True, help="The run ID") history_command = commands.add_parser("history", help="List history of all runs") history_command.add_argument("-q", "--query", type=str, required=False, help="Query string to use") history_command.add_argument("-S", "--sort_by", type=str, help="sort by this field", required=False) history_command.add_argument("-D", "--descending_results", help="return results in descending order", action="store_true", required=False) args = parser.parse_args() cb = get_cb_cloud_object(args) if args.command_name == "create": return create_run(cb, args) elif args.command_name == "status": return run_status(cb, args) elif args.command_name == "stop": return run_stop(cb, args) elif args.command_name == "delete": return run_delete(cb, args) elif args.command_name == "history": return run_history(cb, args)
def main(): """Script entry point""" global ORG_KEY global HOSTNAME parser = build_cli_parser() args = parser.parse_args() print_detail = args.verbose if print_detail: print(f"profile being used is {args.__dict__}") cb = get_cb_cloud_object(args) ReputationOverride.create(cb, { "description": "An override for a sha256 hash", "override_list": "BLACK_LIST", "override_type": "SHA256", "sha256_hash": "af62e6b3d475879c4234fe7bd8ba67ff6544ce6510131a069aaac75aa92aee7a", "filename": "foo.exe" }) sha256_override = cb.select(ReputationOverride) \ .where("foo*") \ .set_override_list("BLACK_LIST") \ .set_override_type("SHA256") \ .sort_by("create_time", "desc") \ .first() assert sha256_override.sha256_hash == "af62e6b3d475879c4234fe7bd8ba67ff6544ce6510131a069aaac75aa92aee7a" assert sha256_override.filename == "foo.exe" print('Configure Reputation Override - SHA256 .......OK') print('Search Reputation Overrides - SHA256 .........OK') override_by_id = cb.select(ReputationOverride, sha256_override.id) assert override_by_id.id == sha256_override.id assert override_by_id.sha256_hash == sha256_override.sha256_hash print('Get Reputation Override ......................OK') sha256_override.delete() delete_query = cb.select(ReputationOverride) \ .where("foo") \ .set_override_list("BLACK_LIST") \ .set_override_type("SHA256") \ .sort_by("create_time", "desc") assert len(delete_query) == 0 print('Delete Reputation Override ...................OK') caught = False try: sha256_override.delete() except ObjectNotFoundError: caught = True assert caught print('Delete Reputation Override - 404 .............OK') ReputationOverride.create(cb, { "description": "Approved IT Tools", "override_list": "WHITE_LIST", "override_type": "IT_TOOL", "path": "C://tools//*.exe", "include_child_processes": True }) it_tool_override = cb.select(ReputationOverride) \ .set_override_list("WHITE_LIST") \ .set_override_type("IT_TOOL") \ .sort_by("create_time", "desc") \ .first() assert it_tool_override.path == "C://tools//*.exe" assert it_tool_override.include_child_processes print('Configure Reputation Override - IT_TOOL ......OK') print('Search Reputation Overrides - IT_TOOL ........OK') ReputationOverride.create(cb, { "description": "Approved Certificate", "override_list": "WHITE_LIST", "override_type": "CERT", "signed_by": "VMware Inc.", "certificate_authority": "VMware" }) cert_override = cb.select(ReputationOverride) \ .set_override_list("WHITE_LIST") \ .set_override_type("CERT") \ .sort_by("create_time", "desc") \ .first() assert cert_override.signed_by == "VMware Inc." assert cert_override.certificate_authority == "VMware" print('Configure Reputation Override - CERT .........OK') print('Search Reputation Overrides - CERT ...........OK') ReputationOverride.bulk_delete(cb, [it_tool_override.id, cert_override.id]) with pytest.raises(ObjectNotFoundError): cb.select(ReputationOverride, it_tool_override.id) with pytest.raises(ObjectNotFoundError): cb.select(ReputationOverride, cert_override.id) print('Bulk Delete Reputation Overrides .............OK')
def main(): """Main function for the Policy Operations script.""" parser = build_cli_parser("Policy operations") commands = parser.add_subparsers(help="Policy commands", dest="command_name") commands.add_parser("list", help="List all configured policies") import_policy_command = commands.add_parser( "import", help="Import policy from JSON file") import_policy_command.add_argument("-N", "--name", help="Name of new policy", required=True) import_policy_command.add_argument("-d", "--description", help="Description of new policy", required=True) import_policy_command.add_argument( "-p", "--prioritylevel", help="Priority level (HIGH, MEDIUM, LOW)", default="LOW") import_policy_command.add_argument( "-f", "--policyfile", help="Filename containing the JSON policy description", required=True) export_policy_command = commands.add_parser( "export", help="Export policy to JSON file") export_policy_specifier = export_policy_command.add_mutually_exclusive_group( required=False) export_policy_specifier.add_argument("-i", "--id", type=int, help="ID of policy") export_policy_specifier.add_argument("-N", "--name", help="Name of policy") del_command = commands.add_parser("delete", help="Delete policies") del_policy_specifier = del_command.add_mutually_exclusive_group( required=True) del_policy_specifier.add_argument("-i", "--id", type=int, help="ID of policy to delete") del_policy_specifier.add_argument( "-N", "--name", help="Name of policy to delete. Specify --force to delete" " multiple policies that have the same name") del_command.add_argument( "--force", help="If NAME matches multiple policies, delete all matching policies", action="store_true", default=False) add_rule_command = commands.add_parser( "add-rule", help="Add rule to existing policy from JSON rule file") add_rule_specifier = add_rule_command.add_mutually_exclusive_group( required=True) add_rule_specifier.add_argument("-i", "--id", type=int, help="ID of policy (can specify multiple)", action="append", metavar="POLICYID") add_rule_specifier.add_argument( "-N", "--name", help="Name of policy (can specify multiple)", action="append", metavar="POLICYNAME") add_rule_command.add_argument("-f", "--rulefile", help="Filename containing the JSON rule", required=True) del_rule_command = commands.add_parser( "del-rule", help="Delete rule from existing policy") del_rule_specifier = del_rule_command.add_mutually_exclusive_group( required=True) del_rule_specifier.add_argument("-i", "--id", type=int, help="ID of policy") del_rule_specifier.add_argument("-N", "--name", help="Name of policy") del_rule_command.add_argument("-r", "--ruleid", type=int, help="ID of rule", required=True) replace_rule_command = commands.add_parser( "replace-rule", help="Replace existing rule with a new one") replace_rule_specifier = replace_rule_command.add_mutually_exclusive_group( required=True) replace_rule_specifier.add_argument("-i", "--id", type=int, help="ID of policy") replace_rule_specifier.add_argument("-N", "--name", help="Name of policy") replace_rule_command.add_argument("-r", "--ruleid", type=int, help="ID of rule", required=True) replace_rule_command.add_argument("-f", "--rulefile", help="Filename containing the JSON rule", required=True) args = parser.parse_args() cb = get_cb_cloud_object(args) if args.command_name == "list": return list_policies(cb, parser, args) elif args.command_name == "import": return import_policy(cb, parser, args) elif args.command_name == "export": return export_policy(cb, parser, args) elif args.command_name == "delete": return delete_policy(cb, parser, args) elif args.command_name == "add-rule": return add_rule(cb, parser, args) elif args.command_name == "del-rule": return del_rule(cb, parser, args) elif args.command_name == "replace-rule": return replace_rule(cb, parser, args)
def main(): """Script entry point""" global ORG_KEY global HOSTNAME parser = build_cli_parser() args = parser.parse_args() print_detail = args.verbose if print_detail: print(f"profile being used is {args.__dict__}") cb = get_cb_cloud_object(args) HEADERS['X-Auth-Token'] = cb.credentials.token ORG_KEY = cb.credentials.org_key HOSTNAME = cb.credentials.url print() print(18 * ' ', 'Vulnerability Organization Level') print(SYMBOLS * DELIMITER) api_results = get_vulnerability_summary() sdk_results = cb.select(Vulnerability.OrgSummary).submit() assert api_results == sdk_results._info, 'Test Failed Expected: {} Actual: {}'.\ format(api_results, sdk_results) print('Get Vulnerability Summary...........................................OK') api_results = get_vulnerability_summary(severity='LOW') sdk_results = cb.select(Vulnerability.OrgSummary).set_severity('LOW').submit() assert api_results == sdk_results._info, 'Test Failed Expected: {} Actual: {}'.\ format(api_results, sdk_results) print('Get Vulnerability Summary with severity.............................OK') data = { "criteria": { "severity": { "value": "LOW", "operator": "EQUALS" }, "os_type": { "value": "WINDOWS", "operator": "EQUALS" } } } api_results = search_vulnerability_summary(data)['results'] query = cb.select(Vulnerability.AssetView).set_severity('LOW', 'EQUALS') \ .set_os_type('WINDOWS', 'EQUALS') sdk_results = [asset for asset in query] assert api_results == sdk_results, 'Test Failed Expected: {} Actual: {}'.\ format(api_results, sdk_results) print('Get Asset View with Vulnerability Summary...........................OK') data = { 'criteria': {'severity': {'value': 'LOW', 'operator': 'EQUALS'}}, 'sort': [{'field': 'highest_risk_score', 'order': 'DESC'}], 'rows': 5 } api_results = search_vulnerabilities(data=data) query = cb.select(Vulnerability).set_severity('LOW', 'EQUALS').sort_by('highest_risk_score', 'DESC') sdk_results = [x._info for x in query[:5]] assert api_results == sdk_results, 'Test Failed Expected: {} Actual: {}'.\ format(api_results, sdk_results) print('Get Vulnerability List for Specific OS and Application..............OK') print() print(22 * ' ', 'Device Vulnerability Level') print(SYMBOLS * DELIMITER) device = cb.select(Device).set_status(['ACTIVE']).first() DEVICE_ID = device.id api_results = get_specific_device_summary(device_id=DEVICE_ID) sdk_results = device.get_vulnerability_summary() assert api_results == sdk_results, 'Test Failed Expected: {} Actual: {}'.\ format(api_results, sdk_results) print('Get Vulnerability Summary for a specific device.....................OK') query = device.get_vulnerabilties() api_results = get_specific_device_list(device_id=DEVICE_ID) sdk_results = [x._info for x in query] CVE_ID = sdk_results[0]["cve_id"] assert api_results == sdk_results, 'Test Failed Expected: {} Actual: {}'.\ format(api_results, sdk_results) print('Get Vulnerabilities for a specific device...........................OK') device = cb.select(Device, DEVICE_ID) sdk_results = device.vulnerability_refresh() sdk_results.pop('updated_at') api_results = refresh_device(device_id=DEVICE_ID) api_results.pop('updated_at') assert api_results == sdk_results, 'Test Failed Expected: {} Actual: {}'.\ format(api_results, sdk_results) print('Perform an action on a specific device..............................OK') print() print(25 * ' ', 'Vulnerability Level') print(SYMBOLS * DELIMITER) CVE_ID = 'CVE-2008-5915' api_results = get_vulnerability(cve_id=CVE_ID) vulnerability = None try: vulnerability = Vulnerability(cb, CVE_ID) except MoreThanOneResultError as ex: vulnerability = ex.results if type(vulnerability) == list: sdk_results = [vuln._info for vuln in vulnerability] # Select a singular vulnerabilty for follow up tests vulnerability = vulnerability[0] else: sdk_results = vulnerability._info assert api_results == sdk_results, 'Test Failed Expected: {} Actual: {}'.format(api_results, sdk_results) print('Get vulnerability details for a specific CVE ID.....................OK') api_response = get_affected_devices(cve_id=CVE_ID, data={'os_product_id': vulnerability.os_product_id})['results'] query = vulnerability.get_affected_assets() sdk_results = [] api_results = [] for x in query: sdk_results.append({'device_id': x.id, 'type': x.deployment_type, 'name': x.vm_name, 'host_name': x.name}) for x in api_response: api_results.append({'device_id': x['device_id'], 'type': x['type'], 'name': x['name'], 'host_name': x['host_name']}) assert api_results == sdk_results, 'Test Failed Expected: {} Actual: {}'.\ format(api_results, sdk_results) print('Get Affected Assets for Specific Vulnerability......................OK')
def main(): """Script entry point""" global ORG_KEY global HOSTNAME parser = build_cli_parser() args = parser.parse_args() print_detail = args.verbose if print_detail: print(f"args provided {args}") cb = get_cb_cloud_object(args) HEADERS['X-Auth-Token'] = cb.credentials.token ORG_KEY = cb.credentials.org_key HOSTNAME = cb.credentials.url print(13 * ' ' + 'Live Response Commands') print(SYMBOLS * DELIMITER) try: device = cb.select(Device, DEVICE_ID) except Exception: # if this is not run on dev01, pick a random active device devices = cb.select(Device).set_status(['ACTIVE']) device = devices[0] lr_session = device.lr_session() print(f'Created Session {lr_session.session_id}...............OK') print() # create the file that will be uploaded on the server, # will be deleted once we are done with the test fp = open("test.txt", "w") fp.write(FILE_CONTENT) fp.close() print() print(10 * ' ' + 'Live Response Files Commands') print(SYMBOLS * DELIMITER) # create directory try: lr_session.create_directory(DIR) except LiveResponseError as ex: if 'ERROR_ALREADY_EXISTS' in str(ex): print('Directory already exists, continue with the test.') else: raise print('Create Dir....................................OK') # show that test.txt is not present in that directory response = lr_session.list_directory(DIR) directories = flatten_response(response) assert 'test.txt' not in directories, f'Dirs: {directories}' # upload the file on the server lr_session.put_file(open("test.txt", "r"), FILE) print('PUT File......................................OK') # show that test.txt is present in that directory response = lr_session.list_directory(DIR) directories = flatten_response(response) assert 'test.txt' in directories, f'Dirs: {directories}' # walk through the directories for entry in lr_session.walk(DIR): print(entry) print('WALK dir......................................OK') content = lr_session.get_file(FILE) assert content == FILE_CONTENT_BINARY, f'{content} {FILE_CONTENT}' print('GET File......................................OK') lr_session.delete_file(FILE) exc_raise = False try: content = lr_session.get_file(FILE) except LiveResponseError as ex: assert 'ERROR_FILE_NOT_FOUND' in str( ex) or 'ERROR_PATH_NOT_FOUND' in str(ex), f'Other error {ex}' exc_raise = True finally: assert exc_raise print('DELETE File...................................OK') # delete the directory too lr_session.delete_file(DIR) print('DELETE Dir....................................OK') # This command takes a lot of time! # uncomment only if this needs to be tested! """ lr_session.memdump(LOCAL_FILE, MEMDUMP_FILE) assert path.exists(LOCAL_FILE) exc_raise = False try: content = lr_session.get_file(MEMDUMP_FILE) except LiveResponseError as ex: assert 'ERROR_FILE_NOT_FOUND' in str(ex), f'Other error {ex}' exc_raise = True finally: assert exc_raise print('Memdump.......................................OK') """ print() print(9 * ' ' + 'Live Response Process Commands') print(SYMBOLS * DELIMITER) # list processes processes = lr_session.list_processes() pprint(flatten_processes_response(processes)) print('List Processes................................OK') # create infinite ping, that could be killed afterwards lr_session.create_process(r'cmd.exe /c "ping.exe -t 127.0.0.1"', wait_for_completion=False, wait_for_output=False) processes = lr_session.list_processes() found = False for process in processes: if 'ping.exe' in process['process_path']: found = True # assert that indeed there is such a process assert found print('Create Process................................OK') # kill all of the processes that are for ping.exe for pid in flatten_processes_response_filter(processes, 'ping.exe'): print(f'Killing process with pid {pid}') lr_session.kill_process(pid) print('Kill Process..................................OK') print() print(6 * ' ' + 'Live Response Registry Keys Commands') print(SYMBOLS * DELIMITER) result = lr_session.list_registry_keys_and_values(KEY_PATH_PARENT) pprint(result) print('List Registry Keys and Values.................OK') found = False for item in result['values']: if item['registry_name'] == 'Test': found = True break # make sure the value for the key doesn't exist assert found is False exists = True try: result = lr_session.list_registry_keys_and_values(KEY_PATH) print(result) except LiveResponseError as ex: # make sure such registry key does not exist exists = not ('ERROR_FILE_NOT_FOUND' in str(ex)) assert exists is False print(f'Registry key with path {KEY_PATH} does not exist. Creating...') lr_session.create_registry_key(KEY_PATH) exists = True try: result = lr_session.list_registry_keys_and_values(KEY_PATH) except LiveResponseError as ex: exists = False assert 'ERROR_FILE_NOT_FOUND' in str(ex) # make sure that now the key exists assert exists print('Create Registry Key...........................OK') # create value for the key lr_session.set_registry_value(KEY_PATH, 1) result = lr_session.get_registry_value(KEY_PATH) assert result['registry_data'] == '1' assert result['registry_name'] == 'Test' print('Create Registry Value.........................OK') pprint(result) print('Get Registry Value............................OK') result = lr_session.list_registry_keys_and_values(KEY_PATH_PARENT) pprint(result) print('List Registry Keys and Values.................OK') found = False for item in result['values']: if item['registry_name'] == 'Test': found = True break # make sure the value for the key exists assert found is True result = lr_session.delete_registry_value(KEY_PATH) deleted = False try: result = lr_session.get_registry_value(KEY_PATH) except LiveResponseError as ex: deleted = 'ERROR_FILE_NOT_FOUND' in str(ex) # make sure the value is deleted assert deleted print('Delete Registry Value.........................OK') result = lr_session.list_registry_keys_and_values(KEY_PATH_PARENT) found = False for item in result['values']: if item['registry_name'] == 'Test': found = True break # make sure the value for the key was deleted successfully assert found is False result = lr_session.delete_registry_key(KEY_PATH) exists = True try: result = lr_session.list_registry_keys_and_values(KEY_PATH) except LiveResponseError as ex: # make sure such registry key does not exist exists = False assert 'ERROR_FILE_NOT_FOUND' in str(ex) assert exists is False, 'Registry key was not properly deleted.' print('Delete Registry Key...........................OK') # clean-up actions after the tests if path.exists(LOCAL_FILE): os.remove(LOCAL_FILE) if path.exists("test.txt"): os.remove("test.txt") lr_session.close() print(f'Deleted the session {lr_session.session_id}...........OK')
def main(): """Main function of the process events script.""" parser = build_cli_parser() parser.add_argument("--query", "-q", type=str, help="Query string for the search", default=None) parser.add_argument( "--include", "-i", action='append', type=str, help="Specifies included event field values, as key=value") parser.add_argument( "--exclude", "-x", action='append', type=str, help="Specifies excluded event field values, as key=value") parser.add_argument("--fields", "-f", action='append', type=str, help="Specifies names of fields to include") parser.add_argument("--numrows", "-n", type=int, help="Maximum number of rows to be returned", default=None) parser.add_argument( "--group", "-g", type=str, help="Field to group by, either device_id or process_sha256", default=None) parser.add_argument("--timeout", "-T", type=int, help="Timeout for the search in milliseconds", default=None) args = parser.parse_args() cb = get_cb_cloud_object(args) query = cb.select(EnrichedEvent) if args.query: query.where(args.query) inclusions = parse_key_value_pairs(args.include) for (key, value) in inclusions: query.update_criteria(key, value) exclusions = parse_key_value_pairs(args.exclude) for (key, value) in exclusions: query.add_exclusion(key, value) if args.fields: query.set_fields(args.fields) if args.numrows: query.set_rows(args.numrows) if args.group: query.aggregation(args.group) if args.timeout: query.timeout(args.timeout) separator = False for event in query: if separator: print( "------------------------------------------------------------------------\n" ) separator = True print(f"{event}\n")
def main(): """Script entry point""" global ORG_KEY global HOSTNAME parser = build_cli_parser() args = parser.parse_args() print_detail = args.verbose if print_detail: print(f"profile being used is {args.__dict__}") cb = get_cb_cloud_object(args) HEADERS['X-Auth-Token'] = cb.credentials.token ORG_KEY = cb.credentials.org_key HOSTNAME = cb.credentials.url # USB Device Approvals """USB Device Control Approval""" print('USB Device Control Approvals') print(SYMBOLS * DELIMITER) # create the usb device approval data = [{ "vendor_id": "0x0781", "product_id": "0x5581", "serial_number": "4C531001331122115172", "notes": "A few notes", "approval_name": "Example Approval" }] sdk_result = USBDeviceApproval.bulk_create(cb, data) sdk_created_obj = sdk_result[0] sdk_obj = USBDeviceApproval(cb, sdk_created_obj.id) api_result = get_usb_device_approval_by_id_api(sdk_created_obj.id).json() dict_sdk_obj = sdk_obj._info assert api_result == dict_sdk_obj, 'Get Approval by ID Failed - ' \ 'Expected: {}, Actual: {}'.format(api_result, dict_sdk_obj) print('Get Approval by ID............................OK') # get the USB Device Approval query = cb.select(USBDeviceApproval) sdk_results = [] for approval in query: if approval.id == sdk_created_obj.id: print('Bulk Create Test..............................OK') sdk_results.append(approval._info) api_search = search_usb_device_approval().json()['results'] assert sdk_results == api_search, 'Search Test Failed Expected: {}, ' \ 'Actual: {}'.format(api_search, sdk_results) print('Search Test...................................OK') # update the object sdk_created_obj.approval_name = 'Changed Approval' sdk_created_obj._update_object() sdk_created_new = None query = cb.select(USBDeviceApproval) sdk_created_new = query[0] assert sdk_created_new.approval_name == 'Changed Approval', 'Update Test '\ 'Failed - Excepted: {}, Actual: {}'.format( sdk_created_obj._info, sdk_created_new._info) print('Update Test...................................OK') # delete the usb approval if sdk_created_obj is not None: sdk_created_obj.delete() query = cb.select(USBDeviceApproval) assert query._total_results == 0, 'Delete Approval Test Failed - Record '\ 'was not deleted... {}'.format(query._total_results) print('Delete Approval...............................OK') print(NEWLINES * '\n') """USB Device Control Blocks""" print('USB Device Control Blocks') print(SYMBOLS * DELIMITER) # create the usb device block data = ["6997287"] sdk_result = USBDeviceBlock.bulk_create(cb, data) sdk_created_obj = sdk_result[0] api_result = get_usb_device_block_by_id_api(sdk_created_obj.id).json() block_obj = USBDeviceBlock(cb, sdk_created_obj.id) dict_block_obj = block_obj._info assert dict_block_obj == api_result, 'Get Block by ID Failed - Expected: '\ '{}, Actual: {}'.format(api_result, dict_block_obj) print('Get Block by ID...............................OK') # get the USB Device Block query = cb.select(USBDeviceBlock) sdk_results = [] for block in query: if block.id == sdk_created_obj.id: print('Bulk Create Test..............................OK') sdk_results.append(block._info) api_search = search_usb_device_blocks().json()['results'] assert sdk_results == api_search, 'Search Test Failed Expected: {}, ' \ 'Actual: {}'.format(api_search.json()['results'], sdk_results) print('Search Test...................................OK') # delete the usb approval if sdk_created_obj is not None: sdk_created_obj.delete() query = cb.select(USBDeviceBlock) assert query._total_results == 0, 'Delete Block Failed - Record was not '\ 'deleted... {}'.format(query._total_results) print('Delete Block..................................OK') print(NEWLINES * '\n') """USB Devices""" print('USB Devices') print(SYMBOLS * DELIMITER) query = cb.select(USBDevice) sdk_results = [] for device in query: sdk_results.append(device._info) api_search = search_usb_devices().json() assert api_search['num_found'] == query._total_results, 'Device Search ' \ 'Failed - Expected: {}, Actual: {}'.format(api_search['num_found'], query._total_results) assert sdk_results == api_search['results'], 'Device Search Test Failed -'\ 'Expected: {}, Actual: {}'.format(api_search['results'], sdk_results) print('Device Search.................................OK') # Facet USB Devices query = cb.select(USBDevice).facets(["status"]) api_search = search_usb_devices_facets().json() assert query == api_search['terms'], 'Facet USB Devices Failed - Expected'\ ': {}, Actual: {}'.format(api_search['terms'], query) print('Facet USB Devices.............................OK') print(NEWLINES * '\n') # vendors and products print('Testing Get USB Device Vendors and Products Seen') print(SYMBOLS * DELIMITER) api_result = get_products_n_vendors_api() sdk_result = USBDevice.get_vendors_and_products_seen(cb) api_results = api_result.json()['results'] assert api_results == sdk_result, 'Get USB Device Vendors and Products '\ 'Failed - Expected: {}, Actual: {}'.format(api_results, sdk_result) print('Get USB Device Vendors and Products Seen......OK')