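def get_events():
    """Pull recent Deep Security events and hand each batch to process_event_list.

    Opens a Deep Security Manager session, retrieves antimalware events for the
    last hour and web reputation, firewall, DPI, integrity monitoring, log
    inspection and system events for the last 7 days, then calls
    ``process_event_list(file_name, events)`` once per category, in that order.

    Any exception raised while retrieving or processing is logged with its
    traceback (not re-raised); the session is ended in every case.

    Returns:
        None.
    """
    # NOTE(review): placeholder credentials. Real values belong in environment
    # variables or a secrets store, not in source control.
    dsm = Manager(username="******", password="******", host="127.0.0.1", port="4119")
    # One row per event category: (progress label, output key, retrieval method
    # name on Manager, time window). The dict built below keeps this order.
    categories = (
        ("AM", "am_events", "antimalware_event_retrieve", "LAST_HOUR"),
        ("Webrep", "webrep_events", "webrep_event_retrieve", "LAST_7_DAYS"),
        ("FW", "fw_events", "fw_event_retrieve", "LAST_7_DAYS"),
        ("DPI", "dpi_events", "dpi_event_retrieve", "LAST_7_DAYS"),
        ("IM", "im_events", "im_event_retrieve", "LAST_7_DAYS"),
        ("LI", "li_events", "li_event_retrieve", "LAST_7_DAYS"),
        ("System", "system_events", "system_event_retrieve", "LAST_7_DAYS"),
    )
    try:
        event_list = {}
        # Method lookup stays inside the try so a missing API on this Manager
        # version is logged like any other failure instead of escaping.
        for label, key, method_name, window in categories:
            print("Getting %s events" % label)
            event_list[key] = getattr(dsm, method_name)(time_type=window)
        # All categories are fetched first, then processed, as before.
        for file_name, events in event_list.items():
            process_event_list(file_name, events)
    except Exception as e:
        logging.error(e, exc_info=True)
    finally:
        dsm.end_session()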
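def lambda_handler(event=None, context=None):
    """AWS Lambda entry point: block the caller IP of a matching GuardDuty finding.

    When ``event['detail']['type']`` contains
    'Recon:IAMUser/MaliciousIPCaller.Custom', the IPv4 address found under
    ``detail.service.action.awsApiCallAction.remoteIpDetails.ipAddressV4`` is
    appended to the Deep Security IP list named 'Guard Duty Block List'.
    Events without a 'detail' key, or with a non-matching type, are ignored.

    Args:
        event: The Lambda event payload (a dict), or None.
        context: The Lambda context object; unused.

    Returns:
        The string 'gd-test' in every case.

    Raises:
        KeyError: if a matching finding lacks the expected nested keys.
        ValueError: if the extracted value is not a valid IP address.
    """
    import ipaddress

    print("hello")
    # Guard clauses replace the original nested ifs; output is unchanged.
    if event is None or 'detail' not in event:
        return 'gd-test'
    detail = event['detail']
    # Renamed from `type`, which shadowed the builtin.
    event_type = detail['type'] if 'type' in detail else ""
    print("EVENT=", event)
    if 'Recon:IAMUser/MaliciousIPCaller.Custom' not in event_type:
        return 'gd-test'
    #Not secure. should be passed and environment variables to function
    dsm = Manager(username='******', password='******', tenant='ACME Corp')
    print("************* Initiating connection to Deep Security As A Service")
    try:
        ip = detail['service']['action']['awsApiCallAction']['remoteIpDetails']['ipAddressV4']
        # The value is written into a newline-separated block list; reject
        # anything that is not a plain IP address so a malformed or multi-line
        # field cannot corrupt the list.
        ipaddress.ip_address(ip)
        ip_list = dsm.get_ip_list_by_name('Guard Duty Block List')
        ip_list.items = ip_list.items + ('\n%s' % ip)
        dsm.ip_list_save(ip_list)
        print("************* Adding %s to IP List - Guard Duty Block List" % ip)
    finally:
        # Previously the session was only closed on the success path.
        dsm.end_session()
        print("************* Closing connection to Deep Security As A Service")
    return 'gd-test'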
hash = hash.split(' - ')[0].strip() data = dsm.list_block_by_hash_rules() data = data['DescribeGlobalRulesetResponse']['ruleset']['rules'] for into in data: if (into['sha256']) == hash: print (hash) ruleid = into['ruleID'] dsm.delete_block_by_hash_rule(ruleid) print ("The hash was deleted with successful" + '\n') input("Press Enter to continue...") print ("\n" * 100) case = 0 elif case == 5: parsed = dsm.list_block_by_hash_rules() print (json.dumps(parsed, indent=4, sort_keys=True)) print ('\n') input("Press Enter to continue...") print ("\n" * 100) case = 0 elif case == 6: print ("Thank you! We will close the session with Deep Security." + '\n') dsm.end_session() exit
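"roleArn": String, } } '''
import sys
import os
sys.path.append(os.path.join(os.path.dirname(__file__), '..', '..'))
from sejam_python_bootcamp import config
from dsp3.models.manager import Manager

# Credentials come from the bootcamp config module, not from this file.
dsm = Manager(username=config.DSAS_USER, password=config.DSAS_PASSWORD, tenant=config.DSAS_TENANT)
#print(dsm.add_aws_cloud_account_with_keys('access_key', 'secret_key'))
# or
try:
    print(dsm.get_api_version())
    # How to set up cross account role - https://help.deepsecurity.trendmicro.com/Add-Computers/add-aws.html
    print(dsm.add_aws_cloud_account_with_cross_account_role(config.EXTERNAL_ID, config.ARN))
    # View DSP3 implementation -> https://github.com/jeffthorne/DSP3/blob/master/dsp3/utilities/cloudacct_utils.py
finally:
    # Always end the session, even if a call above raises: sessions are a
    # finite resource on the manager and leaked ones can run out.
    dsm.end_session()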