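import os
from datetime import datetime, timedelta

from dsp3.models.manager import Manager

# Credentials are read from the environment (or inject them from a secrets
# store); they must never be hardcoded in an example file that gets shared.
dsm = Manager(username=os.environ["DSM_USERNAME"], password=os.environ["DSM_PASSWORD"],
              host="127.0.0.1", port="4119")
# NOTE(review): Manager exposes a verify_ssl option elsewhere in this codebase;
# confirm certificate verification is on before pointing this at a non-loopback host.
try:
    # Example 1: antimalware events for all hosts in the last hour.
    # time_type options: "LAST_HOUR", "LAST_24_HOURS", "LAST_7_DAYS", "CUSTOM_RANGE"
    am_events = dsm.antimalware_event_retrieve(time_type="LAST_HOUR")

    # Example 2: firewall events for all hosts during an explicit window.
    date_to = datetime.now()
    date_from = date_to - timedelta(hours=3)
    fw_events = dsm.fw_event_retrieve(range_from=date_from, range_to=date_to,
                                      time_type="CUSTOM_RANGE")

    # Example 3: web reputation events for one host over the last 24 hours.
    wr_events = dsm.webrep_event_retrieve(time_type="LAST_24_HOURS", host_id=11,
                                          host_type="SPECIFIC_HOST")

    # Example 4: DPI events for every host in a host group.
    dpi_events = dsm.dpi_event_retrieve(time_type="LAST_24_HOURS", host_group_id=7,
                                        host_type="HOSTS_IN_GROUP")
finally:
    # Always release the DSM session, even when a retrieve call raises;
    # sessions are a finite resource on the manager.
    dsm.end_session()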
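"""
Run Script from project root dir:
    python -m app.intro.c_control_flow
"""
import json

from ..utils import utils
from dsp3.models.manager import Manager

# Credentials are parsed by the shared utils helper, not hardcoded here.
username, password, tenant = utils.parse_dsas_crendentials()
dsm = Manager(username=username, password=password, tenant=tenant)
try:
    api_version = dsm.get_api_version()
finally:
    # Release the session as soon as we have what we need; the original
    # never called end_session() and leaked one session per run.
    dsm.end_session()

# string interpolation -- three ways to format the same value
# NOTE(review): '%d' requires an int; the other two accept any type.
print('API version is: %d' % api_version)
print(f'API version is: {api_version}')
print('API version is {}'.format(api_version))

# conditional logic
if api_version > 10:
    print('we are good')
if api_version < 20:
    print('we are good')
else:
    print('what is going on in Ottawa?')
print('we are good\n') if api_version > 20 else print('I am on the wrong version\n')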
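def get_events():
    """Pull recent events from the DSM and hand each event type to process_event_list.

    Credentials come from the DSM_USERNAME / DSM_PASSWORD environment
    variables instead of source. The DSM session is always closed in
    ``finally``. Any failure is logged with its traceback and swallowed, so
    the caller gets neither a return value nor an exception.
    """
    import os

    dsm = Manager(username=os.environ["DSM_USERNAME"], password=os.environ["DSM_PASSWORD"],
                  host="127.0.0.1", port="4119")
    try:
        # Every event type is fetched with the same call shape; only the time
        # window differs (antimalware is limited to the last hour).
        retrievers = [
            ('am_events', "AM", dsm.antimalware_event_retrieve, "LAST_HOUR"),
            ('webrep_events', "Webrep", dsm.webrep_event_retrieve, "LAST_7_DAYS"),
            ('fw_events', "FW", dsm.fw_event_retrieve, "LAST_7_DAYS"),
            ('dpi_events', "DPI", dsm.dpi_event_retrieve, "LAST_7_DAYS"),
            ('im_events', "IM", dsm.im_event_retrieve, "LAST_7_DAYS"),
            ('li_events', "LI", dsm.li_event_retrieve, "LAST_7_DAYS"),
            ('system_events', "System", dsm.system_event_retrieve, "LAST_7_DAYS"),
        ]
        event_list = {}
        for file_name, label, retrieve, time_type in retrievers:
            print("Getting %s events" % label)
            event_list[file_name] = retrieve(time_type=time_type)

        # Retrieval finishes before any CSV is written, as in the original.
        for file_name, events in event_list.items():
            process_event_list(file_name, events)
    except Exception as e:
        logging.error(e, exc_info=True)
    finally:
        dsm.end_session()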
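#!/usr/bin/python
# Ansible substitutes the interpreter above via ansible_python_interpreter; a
# developer-specific venv path would not exist on managed nodes.
import datetime
import json

from ansible.module_utils.basic import AnsibleModule
from dsp3.models.manager import Manager


def main():
    """Set trusted-update mode on one Deep Security host and report the API version."""
    module = AnsibleModule(
        argument_spec=dict(
            ds_tenant=dict(required=True),
            ds_user=dict(required=True),
            # no_log keeps the password out of verbose output, the returned
            # 'invocation' block and any syslog record of module arguments.
            ds_password=dict(required=True, no_log=True),
            # type='int' lets Ansible reject a non-numeric id up front instead
            # of this module crashing on int().
            host_id=dict(required=True, type='int'),
        ),
    )
    ds_tenant = module.params['ds_tenant']
    ds_user = module.params['ds_user']
    ds_password = module.params['ds_password']
    host_id = module.params['host_id']

    try:
        dsm = Manager(username=ds_user, password=ds_password, tenant=ds_tenant)
    except Exception as e:
        module.fail_json(msg="DSM login failed: %s" % e)

    try:
        # 3 / False are passed through unchanged from the original playbook;
        # their meaning is defined by the DSP3 set_trusted_update_mode API.
        dsm.set_trusted_update_mode(host_id, 3, False)
        api_version = dsm.get_api_version()
    except Exception as e:
        module.fail_json(msg="DSM call failed: %s" % e)
    finally:
        # Release the session even when the call above fails.
        dsm.end_session()

    # changed=True because the module cannot tell whether the host was
    # already in this mode.
    module.exit_json(changed=True, api_version=api_version)


if __name__ == '__main__':
    main()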
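import os

# Amazon Inspector findings -> the CVE ids observed on the assessed hosts.
ai = boto3.client('inspector')
findings = ai.list_findings()
# NOTE(review): list_findings is paginated (nextToken) and describe_findings
# takes a bounded number of ARNs per call; this example only looks at the
# first page -- page through both for larger result sets.
finding_arns = findings['findingArns']
cves = []
if finding_arns:  # describe_findings needs at least one ARN
    findings_dict = ai.describe_findings(findingArns=finding_arns)
    for finding in findings_dict['findings']:
        for attr in finding['attributes']:
            if attr['key'] == 'CVE_ID':
                cves.append(attr['value'])

print("Amazon Inspector Findings")
print(cves)

# Credentials come from the environment (or a secrets store), never from source.
dsm = Manager(username=os.environ["DSM_USERNAME"], password=os.environ["DSM_PASSWORD"],
              tenant="ACME CORP")
try:
    print("Getting DPI rules from DSM")
    rules = dsm.dpi_rules_all()
finally:
    # The original never ended the session.
    dsm.end_session()

inspector_cves = set(cves)  # O(1) membership instead of scanning the list per rule
dsm_cves_all = []
dsm_cves = []
for rule in rules:
    # cveNumbers is a comma-separated string when present; None means the
    # rule is not mapped to any CVE.
    if 'cveNumbers' in rule and rule['cveNumbers'] is not None:
        for cve in rule['cveNumbers'].split(","):
            cve = cve.strip()
            dsm_cves_all.append(cve)
            if cve in inspector_cves:
                # Append the stripped value so the coverage list is
                # comparable with dsm_cves_all (the original kept the
                # padded form here).
                dsm_cves.append(cve)

print()
print("DSM Coverage")
print(dsm_cves)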
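import os

# Build one custom DPI rule that drops any request whose X-Forwarded-For
# header carries an address, or address prefix, from the block list.
# ips.txt: one entry per line, "<ip or cidr>[;comment]".
# NOTE(review): the prefix handling below assumes IPv4 entries; an IPv6
# network would produce a pattern that never matches.
with open('usecases/ips.txt') as f:
    ips = f.readlines()

for ip in ips:
    ip = ip.split(';')[0].strip()
    if not ip:
        continue  # blank or comment-only line
    if "/" in ip:
        # ip_network() is strict: host bits set in the entry raise ValueError,
        # which is the right outcome for a block list that must be exact.
        network = ipaddress.ip_network(ip)
        if network.prefixlen == 0 or network.prefixlen % 8 != 0:
            # The original silently emitted "X-Forwarded-For: a.b.c.d/N" for
            # these, a pattern no real header can match (fails open).
            raise ValueError(
                "%s: only /8, /16, /24 and /32 prefixes can be expressed as an "
                "X-Forwarded-For text prefix" % ip)
        # Keep prefixlen/8 leading octets, e.g. 10.20.0.0/16 -> "10.20". The
        # original regexes crashed on a single-digit first octet (1.2.0.0/16).
        octets = network.network_address.exploded.split('.')
        ip_addr = '.'.join(octets[:network.prefixlen // 8])
        # NOTE(review): without a trailing '.', "10.20" would also match
        # 10.200.x.x if the engine does substring matching -- confirm the
        # pattern semantics before relying on /8 or /16 entries.
    else:
        ip_addr = ipaddress.ip_address(ip)  # raises on malformed input
    rule = '<rule pat="X-Forwarded-For: %s" cmask="0x3" ctest="0x1">\n' % ip_addr
    rule = rule + 'drop "Found IP from Block List in XFF Header"\n'
    rule = rule + "</rule>\n"
    ruleXML = ruleXML + rule

# Credentials come from the environment (or a secrets store), never from source.
dsm = Manager(username=os.environ["DSM_USERNAME"], password=os.environ["DSM_PASSWORD"],
              tenant='ACME Corp')
try:
    result = dsm.dpi_rule_save("Web Server Common", "Block-X-Forward-List", True, True,
                               "CUSTOM_XML", "DROP_CLOSE", "ANY_PATTERNS_FOUND", "NORMAL",
                               "DROP_CLOSE", "MEDIUM", ruleXML)
finally:
    dsm.end_session()
print(result)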
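'Secure Devops Pipeline'
import sys
import os

sys.path.append(os.path.join(os.path.dirname(__file__), '..', '..'))

from sejam_python_bootcamp import config
from dsp3.models.manager import Manager

# Credentials come from the bootcamp config module, not from this file.
dsm = Manager(username=config.DSAS_USER, password=config.DSAS_PASSWORD, tenant=config.DSAS_TENANT)
try:
    # Step 1: Initiate the Ansible development pipeline:
    #   - open an App Control maintenance window
    #   - pull the git repo to the server
    #   - shut down the existing docker container
    #   - rebuild the new container
    #   - close the App Control maintenance window.

    # Step 2: Use DSP3 to put Fernando's Donuts webserver in detect-only mode.
    #dsm.security_profile_assign_to_host(6122, 33603)

    # Step 3: launch SQL injection attacks against Fernando's Donuts, then run
    #dsm.host_getevents_now([33603])
    #events = dsm.dpi_event_retrieve(host_id=33603)['DPIEvents']['item']
    #print(events[0])

    # Step 4: Use DSP3 to put Fernando's Donuts webserver in prevent mode.
    #dsm.security_profile_assign_to_host(6123, 33603)
    pass
finally:
    # The steps above are still stubs, but the login is real: close the
    # session so the skeleton does not leak one per run.
    dsm.end_session()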
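"""
Run Script from project root dir:
    python -m app.intro.e_classes
"""
import json

from dsp3.models.manager import Manager
from ..utils import utils
from .person import Person

username, password, tenant = utils.parse_dsas_crendentials()
dsm = Manager(username=username, password=password, tenant=tenant)
try:
    hosts = dsm.host_retrieve_all()
    if hosts:
        # See utils -> dsp3_host.py for the host model definition.
        host_model = dsm.get_host_by_name(hosts[0]['name'])
        print(host_model.__dict__)
        # NOTE(review): json.dumps raises if any attribute on the model is
        # not JSON-serialisable (e.g. a datetime).
        print(json.dumps(host_model.__dict__))
finally:
    # The original never ended the session.
    dsm.end_session()

jen = Person('Jen', 'Smith')
print(jen.first_name)
print(jen.last_name)
print(jen)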
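import os

from dsp3.models.manager import Manager

# Credentials come from the environment (or a secrets store), never from source.
dsm = Manager(username=os.environ["DSM_USERNAME"], password=os.environ["DSM_PASSWORD"],
              host="127.0.0.1", port="4119")
# NOTE(review): Manager exposes a verify_ssl option elsewhere in this codebase;
# confirm certificate verification is on before using a non-loopback host.
try:
    # Example 1: DSM version.
    version = dsm.manager_info_version()

    # Example 2: status summary of the whole system.
    status_summary = dsm.manager_info_status_summary()

    # Example 3: status summary of each protection feature.
    # NOTE(review): the meaning of the argument (1) is not documented here;
    # check the DSP3 signature before changing it.
    feature_summary = dsm.manager_info_feature_summary(1)

    # Example 4: detailed component info for the current system.
    component_info = dsm.manager_info_components()
finally:
    # Release the session even when one of the calls above raises.
    dsm.end_session()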
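They needed to add 300 aws accounts to the DSM
https://help.deepsecurity.trendmicro.com/Add-Computers/add-aws.html

Add by AK/SAK
https://help.deepsecurity.trendmicro.com/Add-Computers/add-aws.html#Add5

Add by cross account role
https://help.deepsecurity.trendmicro.com/Add-Computers/add-aws.html#Add2

Run the file from the project root dir as:
    python -m app.customer_examples.add_aws_account
'''
username, password, tenant = utils.parse_dsas_crendentials()
access_key, secret_key = utils.parse_aws_crendentials()
dsm = Manager(username=username, password=password, tenant=tenant)
try:
    print(dsm.get_cloudaccounts(), end='\n')
    # Adding by access key / secret key hands a long-lived AWS credential to
    # the DSM; prefer the cross-account role variant below where possible so
    # no static secret has to be provisioned or rotated.
    dsm.add_aws_cloud_account_with_keys(access_key=access_key, secret_key=secret_key)
    # or -- the first argument is the role's external id: use a random,
    # unguessable value shared only with the DSM, never a literal like this.
    #dsm.add_aws_cloud_account_with_cross_account_role('randomsecret2', 'arn:aws:iam::5385xvxv281:role/DS_Cross_account')
    print(dsm.get_cloudaccounts(), end='\n')
finally:
    # Release the session even when an add call raises.
    dsm.end_session()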
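{
    "externalId": String,
    "roleArn": String,
}
}
'''
import sys
import os

sys.path.append(os.path.join(os.path.dirname(__file__), '..', '..'))

from sejam_python_bootcamp import config
from dsp3.models.manager import Manager

# Credentials come from the bootcamp config module, not from this file.
dsm = Manager(username=config.DSAS_USER, password=config.DSAS_PASSWORD, tenant=config.DSAS_TENANT)
try:
    #print(dsm.add_aws_cloud_account_with_keys('access_key', 'secret_key'))
    # or
    print(dsm.get_api_version())
    # How to set up a cross-account role:
    # https://help.deepsecurity.trendmicro.com/Add-Computers/add-aws.html
    # config.EXTERNAL_ID is the external id on the role's trust policy (the
    # confused-deputy guard): treat it like a secret and keep it out of source.
    print(dsm.add_aws_cloud_account_with_cross_account_role(config.EXTERNAL_ID, config.ARN))
    # View the DSP3 implementation:
    # https://github.com/jeffthorne/DSP3/blob/master/dsp3/utilities/cloudacct_utils.py
finally:
    dsm.end_session()  # don't forget to end sessions -- they can run out!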
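import os

from dsp3.models.manager import Manager

# Credentials come from the environment (or a secrets store), never from source.
dsm = Manager(username=os.environ["DSM_USERNAME"], password=os.environ["DSM_PASSWORD"],
              tenant="ACME Corp")
try:
    # list administrators -- note this example filters on id == 1 (the same
    # call as the next one); vary admin_id / admin_op to widen the list.
    admins = dsm.administrators(admin_id=1, admin_op="eq")['ListAdministratorsResponse']['administrators']

    # get the admin where id == 1
    admins = dsm.administrators(admin_id=1, admin_op="eq")['ListAdministratorsResponse']['administrators']

    # get the admins where id > 1
    admins = dsm.administrators(admin_id=1, admin_op="gt")['ListAdministratorsResponse']['administrators']
finally:
    # Release the session even when one of the calls above raises.
    dsm.end_session()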
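import os
import re

from dsp3.models.manager import Manager

_SHA256_HEX = re.compile(r'^[0-9a-fA-F]{64}$')


def _require_sha256(value):
    """Return *value* if it is a 64-char hex SHA-256 digest, else raise ValueError.

    A malformed hash that the DSM accepted would never match any file, i.e.
    the block rule would silently fail open -- better to refuse it here.
    """
    if not _SHA256_HEX.match(value):
        raise ValueError("not a SHA-256 hex digest: %r" % (value,))
    return value


# Credentials come from the environment (or a secrets store), never from source.
dsm = Manager(username=os.environ["DSM_USERNAME"], password=os.environ["DSM_PASSWORD"],
              host="127.0.0.1", port="4119")
try:
    # Returns a json object representing the list of Block by Hash rules.
    rules = dsm.list_block_by_hash_rules()

    # Add a new block-by-hash rule keyed on the file's SHA-256. The blacklist
    # rules are then applied and enforced on any agent that has AppControl on.
    dsm.add_block_by_hash_rule(
        _require_sha256("0143f7ba86d17cabdfffdc5247362871ba35ffd431f2c3d314a09b8c568b692a"),
        "Block test.sh File")

    # Delete a block-by-hash rule by rule id.
    # NOTE(review): rule ids are environment-specific; 1 is only a placeholder
    # -- look the id up in `rules` before running this against a real DSM.
    dsm.delete_block_by_hash_rule(1)
finally:
    # Release the session even when one of the calls above raises.
    dsm.end_session()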
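import os

from dsp3.models.manager import Manager

# authenticate to DSaS; credentials come from the environment, not source
dsm = Manager(username=os.environ["DSM_USERNAME"], password=os.environ["DSM_PASSWORD"],
              tenant="ACME Corp")
try:
    # list event based tasks
    event_tasks = dsm.event_based()

    # delete an event based task by id
    # NOTE(review): 205 is a placeholder -- task ids are environment-specific,
    # look the id up in event_tasks before deleting.
    resp = dsm.event_based_delete(205)

    # create an event based task: hosts whose hostname matches 'k8s.*' are
    # assigned to group 4201
    conditions = [{'field': 'hostname', 'key': '', 'value': 'k8s.*'}]
    actions = [{'type': 'assign-group', 'parameterValue': 4201}]
    resp = dsm.event_based_task_create("Test Task", conditions=conditions, actions=actions)
finally:
    # end session, even when one of the calls above raises
    dsm.end_session()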
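tempDict[field] = type(obj[field]).__name__
return tempDict


def process_event_list(file_name, events):
    """Write *events* to ``<file_name>.csv``, using the first event's key list as the header.

    An empty *events* list writes nothing (the original indexed events[0]
    unconditionally and raised IndexError). newline='' is what the csv module
    requires so rows are not double-spaced on Windows.
    """
    if not events:
        return
    fields = events[0].__keylist__
    with open('%s.csv' % file_name, 'w', newline='') as out:
        writer = csv.DictWriter(out, fieldnames=fields)
        writer.writeheader()
        for event in events:
            writer.writerow(obj_to_dictionary(fields, event))


# Placeholder credentials: supply real ones from the environment or a secrets
# store, never in source. verify_ssl=True keeps TLS certificate checking on.
dsm = Manager(tenant='', username='', password='', verify_ssl=True)
print("Connected to Deep Security SaaS")
# The session id is a bearer credential for this DSM session: never print or
# log it (the original echoed dsm.session_id to stdout here).
print("Session established")
print("Retrieving firewall events (may take a while)...")
start = datetime.now()
end = start - timedelta(days=7)
delta = timedelta(hours=1)
print("Using " + str(delta) + " deltas.")
fw_events = []
while (start > end):
    chunk = dsm.fw_event_retrieve(range_from=(start - delta),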
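import os

from dsp3.models.manager import Manager

# authenticate to DSaS; credentials come from the environment, not source
dsm = Manager(username=os.environ["DSM_USERNAME"], password=os.environ["DSM_PASSWORD"],
              tenant="ACME Corp")
try:
    # list report templates
    reports = dsm.reports()
finally:
    # release the session even when the call above raises
    dsm.end_session()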
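import os

from dsp3.models.manager import Manager

# Credentials come from the environment (or a secrets store), never from source.
dsm = Manager(username=os.environ["DSM_USERNAME"], password=os.environ["DSM_PASSWORD"],
              tenant="ACME Corp")
try:
    # retrieve all alerts
    alerts = dsm.alerts()['ListAlertsResponse']['alerts']

    # also include alerts that have been dismissed
    alerts = dsm.alerts(dismissed=True)['ListAlertsResponse']['alerts']

    # alerts with an id >= 17601 ("ge"); the id is environment-specific
    alerts = dsm.alerts(dismissed=True, alert_id=17601, op="ge")['ListAlertsResponse']['alerts']
finally:
    # close the session even when one of the calls above raises
    dsm.end_session()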
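import os

from dsp3.models.manager import Manager

# Credentials come from the environment (or a secrets store), never from source.
dsm = Manager(username=os.environ["DSM_USERNAME"], password=os.environ["DSM_PASSWORD"],
              host="127.0.0.1", port="4119")
# NOTE(review): Manager exposes a verify_ssl option elsewhere in this codebase;
# confirm certificate verification is on before using a non-loopback host.
try:
    # detail for a specific host by id
    host = dsm.host_detail_retrieve(host_id=11)

    # clear errors and warnings for a list of hosts
    dsm.host_clear_warnings_and_errors([11])

    # initiate recommendation scans for a list of hosts by id
    dsm.host_recommendation_scan([11, 12, 14])

    # immediately initiate the fetch of events from the host(s) identified by
    # id; this does not return the events themselves.
    # NOTE(review): other examples in this codebase pass a list here
    # ([host_id]) -- confirm which form the method accepts.
    dsm.host_getevents_now(11)

    # all hosts
    hosts = dsm.host_retrieve_all()

    # antimalware events for a specific host over the last 24 hours
    am_events = dsm.antimalware_event_retrieve(host_id=11, host_type="SPECIFIC_HOST",
                                                time_type="LAST_24_HOURS")
finally:
    # end the DSM session even when one of the calls above raises
    dsm.end_session()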