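def handleDomains(filename):
    """Check each domain from an IoC file against Umbrella Investigate and enforce on the risky ones.

    Args:
        filename: path of the IoC file handed to ``readIocsFile``.

    Side effects:
        Calls ``post_Enforcement`` for every domain whose disposition is
        ``"bad"`` or ``"risky"`` and writes that subset to
        ``mission-data/riskydomains.json`` under ``repository_root`` so the
        firewall step only blocks domains Umbrella actually flagged.
        Ctrl-C ends the run with an "Exiting..." message instead of a traceback.
    """
    try:
        domain_list = readIocsFile(filename)
        # The original kept an unused ``time`` timestamp here (shadowing the
        # stdlib module name); nothing read it, so it is gone.
        risky_domains = []
        #TODO: call the correct function to remove duplicate domains from the domain list
        #domain_list = MISSION
        env_lab.print_missing_mission_warn(env_lab.get_line())
        #TODO: loop through every domain in the domain list HINT: for ... in ...:
        for domain in domain_list:
            print(f"Working on {domain} .....")
            get_url = investigate_url + domain + "?showLabels"
            status = get_DomainStatus(get_url, domain)
            if status == "error":
                print("got error from Umbrella investigate")
            elif status in ("bad", "risky"):
                # Only the dispositions Umbrella reports as malicious are enforced.
                post_Enforcement(domain)
                risky_domains.append(domain)
            else:
                print(f"Found clean domain, ignoring enforcement on {domain}")
        #Let's save another file with Umbrella Disposition on Domains
        # so that we block only bad & risky domains on firewalls
        filenamed = repository_root / "mission-data/riskydomains.json"
        write_risky_domains_for_firewall(filenamed, risky_domains)
    except KeyboardInterrupt:
        print("\nExiting...\n")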
def get_amp_computer_details(
    url,
    client_id=env_user.AMP_CLIENT_ID,
    api_key=env_user.AMP_API_KEY,
):
    """Get details of infected computer from Cisco AMP.

    Args:
        url: AMP API host and path; ``https://`` and the credentials are
            prepended here, so pass it without a scheme.
        client_id: AMP API client id, defaulting to ``env_user.AMP_CLIENT_ID``.
        api_key: AMP API key, defaulting to ``env_user.AMP_API_KEY``.

    Returns:
        The ``"data"`` list from the JSON response body.

    Raises:
        Whatever ``response.raise_for_status()`` raises on a non-success status.
    """
    # The credentials ride in the URL userinfo, so this value must never be
    # logged or printed.
    url = "https://{0}:{1}@{2}".format(client_id, api_key, url)
    #TODO: do a GET request to retrieve infected computer details (remember to NOT do SSL verification!)
    # Hint: Remember to assign it to the variable "response"
    env_lab.print_missing_mission_warn(env_lab.get_line())
    response.raise_for_status()
    return response.json()["data"]
def login(sw_session, data):
    """Authenticate against the SMC over *sw_session* with the body *data*.

    Args:
        sw_session: requests-style session providing ``.request``.
        data: request body passed straight through as ``data=``.

    Returns:
        True when the (lab placeholder, ``MISSION``) success check passes;
        otherwise False after printing the status code and body in red.
    """
    print("\n==> Logging in to the SMC")
    url = f'https://{SMC_HOST}/token/v2/authenticate'
    env_lab.print_missing_mission_warn(env_lab.get_line())
    # verify=False disables TLS certificate checking; a lab-only setting.
    response = sw_session.request(MISSION, url, verify=False, data=data)
    # TODO: Check if the login was successful
    env_lab.print_missing_mission_warn(env_lab.get_line())
    succeeded = MISSION == MISSION
    if not succeeded:
        print(red(f'An error has ocurred, while trying to login to SMC, with the following code {response.status_code}'))
        print(red(f"Responso body:\n{response.json()}"))
        return False
    print(green("Login SUCCESSFUL!"))
    return True
def remove_tag(tag_id):
    """DELETE the tag *tag_id* through the module-level ``api_session``.

    Args:
        tag_id: identifier of the tag (host group) to remove; only printed
            here, the URL itself is a lab placeholder (``MISSION``).

    Returns:
        True when the status code equals the expected (placeholder) value;
        otherwise False after printing the status code and body in red.
    """
    print(f"\n==> Removing TAG {tag_id}")
    # TODO: Set the correct URL to remove the chosen TAG
    env_lab.print_missing_mission_warn(env_lab.get_line())
    url = MISSION
    # verify=False disables TLS certificate checking; a lab-only setting.
    response = api_session.request("DELETE", url, verify=False)
    # TODO: Check if you managed to successfully remove the chosen TAG
    env_lab.print_missing_mission_warn(env_lab.get_line())
    removed = response.status_code == MISSION
    if not removed:
        print(red(f"An error has ocurred, while removing the tag, with the following code {response.status_code}"))
        print(red(f"Responso body:\n{response.json()}"))
        return False
    print(green(f"Tag {tag_id} has been successfully removed"))
    return True
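def post_to_ise(maclist, namelist):
    """Apply the ANC policy *namelist* to every MAC address in *maclist*.

    Args:
        maclist: iterable of MAC address strings to quarantine.
        namelist: name of the ANC policy to apply (a single string, despite
            the plural name).

    Side effects:
        One PUT per MAC to ``url`` (a lab placeholder to be assigned below)
        with the module-level ``headers``; prints the payload and the outcome
        of each request. Nothing is returned.
    """
    #TODO: Create the URL for the PUT request to apply the ANC policy! assign it variable "url"
    env_lab.print_missing_mission_warn(env_lab.get_line())
    for mac in maclist:
        # Build the body as a dict and let json.dumps quote it. The previous
        # hand-concatenated string broke on a MAC or policy name containing
        # '"' or '\', and json.dumps() of that *string* printed an escaped
        # JSON string literal rather than the document itself.
        payload = {
            "OperationAdditionalData": {
                "additionalData": [
                    {"name": "macAddress", "value": mac},
                    {"name": "policyName", "value": namelist},
                ]
            }
        }
        print(json.dumps(payload, sort_keys=True, indent=3))
        # verify=False disables TLS certificate checking; a lab-only setting.
        response = requests.request("PUT", url, data=json.dumps(payload), verify=False, headers=headers)
        if response.status_code == 204:
            print(
                "Done!..Applied Quarantine policy to the rogue endpoint...MAC: {0} Threat is now contained...."
                .format(mac))
        else:
            print("An error has ocurred with the following code %(error)s" % {'error': response.status_code})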
def create_new_tag(tag_data):
    """POST a new tag (host group) to the SMC and return its id as a string.

    Args:
        tag_data: list whose first element is the tag dict (its ``'name'`` is
            printed). The POST body is a lab placeholder (``MISSION``); per the
            TODO it should be the JSON-serialised form of this data.

    Returns:
        ``str`` id of the created tag on HTTP 200, else ``None`` after
        printing the status code and body in red.
    """
    print(f"\n==> Creating new TAG named: {tag_data[0]['name']}")
    url = f'https://{SMC_HOST}/smc-configuration/rest/v1/tenants/{SMC_TENANT_ID}/tags'
    request_headers = {'Content-type': 'application/json', 'Accept': 'application/json'}
    # TODO: Pass the data to the POST request, remember that the 'requests' library requires the JSON object to be converted to a String.
    env_lab.print_missing_mission_warn(env_lab.get_line())
    # verify=False disables TLS certificate checking; a lab-only setting.
    response = api_session.request("POST", url, verify=False, data=MISSION, headers=request_headers)
    if response.status_code != 200:
        # Unable to add the new tag (host group)
        print(red(f"An error has ocurred, while adding tags (host groups), with the following code {response.status_code}"))
        print(red(f"Responso body:\n{response.json()}"))
        return None
    # Successfully added the tag (host group)
    body = response.json()
    print(green("New tag (host group) successfully added"))
    print(json.dumps(body, indent=4))
    return str(body['data'][0]['id'])
def get_policy_ise():
    """Fetch the ANC policies from ISE and return the name of the last one listed.

    Returns:
        The ``"name"`` of the last entry in ``SearchResult.resources`` when
        the GET returns HTTP 200; otherwise (error, or no policies) the
        initial value ``" "`` (a single space). The URL is a lab placeholder.
    """
    #TODO: Create the URL for the GET request to get the ANC policy from ISE assign it to variable "url"
    env_lab.print_missing_mission_warn(env_lab.get_line())
    #Create GET Request (verify=False disables TLS certificate checking; lab-only)
    response = requests.get(url, verify=False, headers=headers)
    #response = requests.request("GET", url, verify=False, headers=headers)
    policy_name = " "
    if response.status_code != 200:
        print("An error has ocurred with the following code %(error)s" % {'error': response.status_code})
        return policy_name
    # Each policy is announced; the last one seen is what gets returned.
    for policy in response.json()["SearchResult"]["resources"]:
        policy_name = policy["name"]
        print(
            "\nI've Found the Quarantine Policy {0} to Nuke the Rogue computers from the corp network... \n"
            .format(policy_name))
    return policy_name
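def get_security_events(time_window=60):
    """Start a Stealthwatch security-event search over the last *time_window* minutes.

    Args:
        time_window: look-back window in minutes (default 60).

    Returns:
        The search query id to poll later, or ``None`` when the POST does not
        return HTTP 200 (status code and body are printed in red). The URL,
        filter body, HTTP method and id extraction are lab placeholders
        (``MISSION``) to be filled in.
    """
    # TODO: Set the URL for the query to POST the filter and initiate the search
    env_lab.print_missing_mission_warn(env_lab.get_line())
    url = MISSION
    # Set the timestamps for the filters, in the correct format, for the last 'time_window' minutes.
    # An aware UTC datetime replaces the deprecated naive utcnow(); the
    # rendered strings are unchanged because the 'Z' suffix is literal.
    end_datetime = datetime.datetime.now(datetime.timezone.utc)
    start_datetime = end_datetime - datetime.timedelta(minutes=time_window)
    timestamp_format = '%Y-%m-%dT%H:%M:%SZ'
    end_timestamp = end_datetime.strftime(timestamp_format)
    start_timestamp = start_datetime.strftime(timestamp_format)
    # Set the filter with the request data.
    # TODO: Look for all the hosts generating High Total Traffic (security event ID: ?)
    # HINT: Don't know how to filter the query request? Have a look at the APIs on DevNet
    # (https://developer.cisco.com/docs/stealthwatch/enterprise/#!reporting-api-version-1)
    # Don't know which Security Event ID you need to use? Have a look at this PDF
    # (https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/management_console/securit_events_alarm_categories/SW_7_2_1_Security_Events_and_Alarm_Categories_DV_1_0.pdf)
    env_lab.print_missing_mission_warn(env_lab.get_line())
    request_data = MISSION
    # Perform the query to initiate the search (verify=False disables TLS
    # certificate checking; a lab-only setting).
    request_headers = {'Content-type': 'application/json', 'Accept': 'application/json'}
    env_lab.print_missing_mission_warn(env_lab.get_line())
    response = api_session.request(MISSION, url, verify=False, data=json.dumps(request_data), headers=request_headers)
    if response.status_code == 200:
        # This is an asynchronous query, so the result is not returned right away.
        # TODO: Find the search query ID, so as to later check the status and access the result.
        # HINT: The API documentation is your friend ;)
        env_lab.print_missing_mission_warn(env_lab.get_line())
        search_id = MISSION
        return search_id
    print(red(f"An error has ocurred, while creating search query, with the following code {response.status_code}"))
    print(red(f"Responso body:\n{response.json()}"))
    return None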
json.dump(glist, file, indent=2) else: jsondata = [o[ioc] for o in glist] json.dump(jsondata, file, indent=2) file.close() if __name__ == "__main__": # Save the MAC addresses of the endpoints where malware executed to a JSON # file. In the ISE Mission we will read this file and quarantine these # endpoints.sha256-list.json shalist_path = repository_root / "mission-data/sha256-list.json" shalist = readIocsFile(shalist_path) #TODO: iterate trhough the shalist and find the obereravales per sha! hint: for ... in ...: env_lab.print_missing_mission_warn(env_lab.get_line()) #Create data files for the Umbrella Mission. domainlist_path = repository_root / "mission-data/domainlist.json" iplist_path = repository_root / "mission-data/iplist.json" writer_file(domainlist_path, observables, "domains") #TODO: Write the ipaddress from observables to a file: Hint look above how we did the domains env_lab.print_missing_mission_warn(env_lab.get_line()) # Finally, post a message to the Webex Teams Room to brag!!! print(blue("\n==> Posting message to Webex Teams")) teams = webexteamssdk.WebexTeamsAPI(WEBEX_TEAMS_ACCESS_TOKEN) teams.messages.create(