def run(self, params={}):
threat_identifier = params.get(Input.THREAT_IDENTIFIER)
threats = self.connection.client.search_threats([threat_identifier])
if len(threats) > 1:
self.logger.info(
f"Multiple threats found that matched the query: {threat_identifier}."
"We will only act upon the first match")
payload = {"threat_id": threats[0].get('sha256')}
if params.get(Input.QUARANTINE_STATE):
payload["event"] = "Quarantine"
else:
payload["event"] = "Waive"
# If IPv4, attempt to find its ID
agent = params.get(Input.AGENT)
if validators.ipv4(agent):
agent = find_agent_by_ip(self.connection, agent)
errors = self.connection.client.update_agent_threat(
self.connection.client.get_agent_details(agent).get('id'), payload)
if len(errors) != 0:
raise PluginException(
cause=
'The response from the CylancePROTECT API was not in the correct format.',
assistance='Contact support for help. See log for more details',
data=errors)
return {Output.SUCCESS: True}
def run(self, params={}):
whitelist = params.get(Input.WHITELIST, None)
agent = params.get(Input.AGENT)
if validators.ipv4(agent):
found_agent = find_agent_by_ip(self.connection, agent)
if found_agent != agent:
agent = found_agent
else:
raise PluginException(
cause="Agent not found.",
assistance=f"Unable to find an agent with IP: {agent},"
f" please ensure that the IP address is correct.",
)
device_obj = self.connection.client.get_agent_details(agent)
if whitelist:
matches = find_in_whitelist(device_obj, whitelist)
if matches:
raise PluginException(
cause="Agent found in the whitelist.",
assistance=f"If you would like to block this host, remove {str(matches)[1:-1]} from the whitelist.",
)
return {Output.LOCKDOWN_DETAILS: self.connection.client.device_lockdown(device_obj.get("id"))}
def run(self, params={}):
# If IPv4, attempt to find its ID first
agent = params.get(Input.AGENT)
if validators.ipv4(agent):
agent = find_agent_by_ip(self.connection, agent)
agent = self.connection.client.get_agent_details(agent)
policy = params.get(Input.POLICY)
if policy == "":
policy = self._find_default_policy_id()
errors = self.connection.client.update_agent(
agent.get("id"),
{
"add_zone_ids": params.get(Input.ADD_ZONES, None),
"name": agent.get("name"),
"policy_id": policy,
"remove_zone_ids": params.get(Input.REMOVE_ZONES, None),
},
)
if len(errors) != 0:
raise PluginException(
cause=
"The response from the CylancePROTECT API was not in the correct format.",
assistance="Contact support for help. See log for more details",
data=errors,
)
return {Output.SUCCESS: True}
def run(self, params={}):
# If IPv4, attempt to find its ID first
agent = params.get(Input.AGENT)
if validators.ipv4(agent):
agent = find_agent_by_ip(self.connection, agent)
return {Output.AGENTS: self.connection.client.search_agents_all(agent)}
def run(self, params={}):
whitelist = params.get(Input.WHITELIST, None)
agents = params.get(Input.AGENTS)
valid_ids = []
valid_devices = []
invalid_devices = []
for agent in agents:
try:
# If IPv4, attempt to find its ID
ip_agent = None
if validators.ipv4(agent):
ip_agent = find_agent_by_ip(self.connection, agent)
if ip_agent:
device_obj = self.connection.client.get_agent_details(ip_agent)
else:
device_obj = self.connection.client.get_agent_details(agent)
if device_obj:
# Device was found in Cylance
if whitelist:
# Any whitelisted devices will not be deleted
matches = find_in_whitelist(device_obj, whitelist)
if matches:
self.logger.info(f"{agent} found in whitelist. Will not delete.")
invalid_devices.append(agent)
else:
valid_devices.append(agent)
valid_ids = self.add_to_valid_devices(device_obj, valid_ids)
else:
valid_devices.append(agent)
valid_ids = self.add_to_valid_devices(device_obj, valid_ids)
# Device was not found, therefore invalid to delete
except PluginException:
self.logger.info(f"{agent} device was not found.")
invalid_devices.append(agent)
if not valid_ids:
raise PluginException(
cause="No valid devices to delete.",
assistance=f"Be sure that the devices exist in Cylance and are not part of the whitelist."
)
payload = {"device_ids": valid_ids}
success = self.connection.client.delete_devices(payload)
if not success:
raise PluginException(
cause="One of the devices failed to delete.",
assistance=f"A valid agent deletion may have failed, check your Cylance console."
)
return {Output.SUCCESS: True, Output.DELETED: valid_devices, Output.NOT_DELETED: invalid_devices}
def test_find_agent_by_ip(self):
ip = "10.0.2.15"
ip_device_id = "6be117da-2f5d-4645-8878-1bc6476a399a"
log = logging.getLogger("Test")
test_conn = Connection()
test_action = DeleteAsset()
test_conn.logger = log
test_action.logger = log
try:
with open("../tests/delete_asset.json") as file:
test_json = json.loads(file.read()).get("body")
connection_params = test_json.get("connection")
except Exception as e:
message = "Could not connection from /tests directory"
self.fail(message)
test_conn.connect(connection_params)
test_action.connection = test_conn
self.assertEqual(find_agent_by_ip(test_action.connection, "1.1.1.1"), "1.1.1.1")
self.assertEqual(find_agent_by_ip(test_action.connection, ip), ip_device_id)
self.assertNotEqual(find_agent_by_ip(test_action.connection, ip), "1.1.1.1")
self.assertNotEqual(find_agent_by_ip(test_action.connection, ip), "10.0.2.15")