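def handleDomains(filename):
    """Check each domain from an IoC file with Umbrella Investigate and enforce on the bad ones.

    Args:
        filename: path of the IoC file read by readIocsFile().

    Side effects:
        Calls post_Enforcement() for every domain whose disposition is
        "bad" or "risky", and writes those domains to
        mission-data/riskydomains.json under repository_root so that the
        firewall mission blocks only them.  Ctrl-C ends the run with an
        "Exiting..." message instead of a traceback.
    """
    from urllib.parse import quote

    try:
        domain_list = readIocsFile(filename)
        domain_list_f = []

        #TODO: call the correct function to remove duplicate domains from the domain list
        #domain_list = MISSION
        env_lab.print_missing_mission_warn(env_lab.get_line())
        #TODO: loop through every domain in the domain list HINT: for ... in ...:
        for domain in domain_list:
            print(f"Working on {domain} .....")
            # The domain comes from an external IoC file: percent-encode it so
            # characters such as "/" or "?" cannot change the Investigate path
            # or smuggle extra query parameters into the request.
            get_url = investigate_url + quote(domain, safe="") + "?showLabels"
            status = get_DomainStatus(get_url, domain)
            if status == "error":
                print("got error from Umbrella investigate")
            elif status in ("bad", "risky"):
                post_Enforcement(domain)
                domain_list_f.append(domain)
            else:
                print(f"Found clean domain, ignoring enforcement on {domain}")
        #Let's save another file with Umbrella Disposition on Domains
        # so that we block only bad & risky domains on firewalls
        filenamed = repository_root / "mission-data/riskydomains.json"
        write_risky_domains_for_firewall(filenamed, domain_list_f)
    except KeyboardInterrupt:
        print("\nExiting...\n")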
def get_amp_computer_details(
    url,
    client_id=env_user.AMP_CLIENT_ID,
    api_key=env_user.AMP_API_KEY,
):
    """Get details of infected computer from Cisco AMP.

    Args:
        url: AMP API host and path without the scheme; the credentials are
            prepended to it as URL userinfo.
        client_id: AMP client id, defaulting to env_user.AMP_CLIENT_ID.
        api_key: AMP API key, defaulting to env_user.AMP_API_KEY.

    Returns:
        The "data" element of the JSON reply.
    """
    # NOTE(review): credentials placed in the URL userinfo tend to be copied
    # into proxy and web-server logs and debug output; the requests library's
    # auth= parameter keeps them out of the URL.
    credentials = f"{client_id}:{api_key}"
    url = f"https://{credentials}@{url}"

    #TODO: do a GET request to retrieve infected computer details (remember to NOT do SSL verification!)
    # Hint: Remember to assign it to the variable "response"
    env_lab.print_missing_mission_warn(env_lab.get_line())

    # Fail on an HTTP error status before reading the body.
    response.raise_for_status()
    return response.json()["data"]
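def login(sw_session, data):
	"""Authenticate the session against the SMC and report whether it worked.

	Args:
		sw_session: the session object used for the SMC calls.
		data: request body passed as data= to /token/v2/authenticate.

	Returns:
		True when the SMC accepted the login, False otherwise.
	"""
	print("\n==> Logging in to the SMC")
	url = f'https://{SMC_HOST}/token/v2/authenticate'
	env_lab.print_missing_mission_warn(env_lab.get_line())
	# verify=False skips TLS certificate validation (lab appliance with a
	# self-signed certificate).
	response = sw_session.request(MISSION, url, verify=False, data=data)

	# TODO: Check if the login was successful
	env_lab.print_missing_mission_warn(env_lab.get_line())
	if(MISSION == MISSION):
		print(green("Login SUCCESSFUL!"))
		return True

	print(red(f'An error has ocurred, while trying to login to SMC, with the following code {response.status_code}'))
	# An error reply is not guaranteed to be JSON; fall back to the raw text so
	# reporting the failure cannot raise a second exception.
	try:
		body = response.json()
	except ValueError:
		body = response.text
	print(red(f"Responso body:\n{body}"))
	return False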
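def remove_tag(tag_id):
	"""Delete the SMC tag (host group) *tag_id* and report the outcome.

	Args:
		tag_id: id of the tag to delete.

	Returns:
		True when the DELETE succeeded, False otherwise.
	"""
	print(f"\n==> Removing TAG {tag_id}")
	# TODO: Set the correct URL to remove the chosen TAG
	env_lab.print_missing_mission_warn(env_lab.get_line())
	url = MISSION
	# verify=False skips TLS certificate validation (lab appliance with a
	# self-signed certificate).
	response = api_session.request("DELETE", url, verify=False)

	# TODO: Check if you managed to successfully remove the chosen TAG
	env_lab.print_missing_mission_warn(env_lab.get_line())
	if (response.status_code == MISSION):
		print(green(f"Tag {tag_id} has been successfully removed"))
		return True

	print(red(f"An error has ocurred, while removing the tag, with the following code {response.status_code}"))
	# An error reply is not guaranteed to be JSON; fall back to the raw text so
	# reporting the failure cannot raise a second exception.
	try:
		body = response.json()
	except ValueError:
		body = response.text
	print(red(f"Responso body:\n{body}"))
	return False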
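def post_to_ise(maclist, namelist):
    """Apply the ISE ANC policy *namelist* to every MAC address in *maclist*.

    Args:
        maclist: iterable of endpoint MAC addresses to quarantine.
        namelist: name of the ANC policy to apply.

    One PUT request is sent per MAC address and the outcome of each is printed.
    """
    #TODO: Create the URL for the PUT request to apply the ANC policy! assign it variable "url"
    env_lab.print_missing_mission_warn(env_lab.get_line())

    for mac in maclist:
        # Build the body as a dict and let json.dumps do the quoting, so a MAC
        # or policy name containing quotes cannot break (or alter) the JSON.
        payload = {
            "OperationAdditionalData": {
                "additionalData": [
                    {"name": "macAddress", "value": mac},
                    {"name": "policyName", "value": namelist},
                ]
            }
        }
        print(json.dumps(payload, sort_keys=True, indent=3))
        response = requests.request("PUT",
                                    url,
                                    data=json.dumps(payload),
                                    verify=False,
                                    headers=headers)
        if response.status_code == 204:
            print(
                "Done!..Applied Quarantine policy to the rogue endpoint...MAC: {0} Threat is now contained...."
                .format(mac))
        else:
            print("An error has ocurred with the following code %(error)s" %
                  {'error': response.status_code})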
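def create_new_tag(tag_data):
	"""Create a new tag (host group) on the SMC and return its id.

	Args:
		tag_data: list of tag definitions; tag_data[0]['name'] is shown in
			the progress message.

	Returns:
		The new tag's id as a string, or None when the SMC rejects the request.
	"""
	print(f"\n==> Creating new TAG named: {tag_data[0]['name']}")

	url = f'https://{SMC_HOST}/smc-configuration/rest/v1/tenants/{SMC_TENANT_ID}/tags'
	request_headers = {'Content-type': 'application/json', 'Accept': 'application/json'}
	# TODO: Pass the data to the POST request, remember that the 'requests' library requires the JSON object to be converted to a string.
	env_lab.print_missing_mission_warn(env_lab.get_line())
	# verify=False skips TLS certificate validation (lab appliance with a
	# self-signed certificate).
	response = api_session.request("POST", url, verify=False, data=MISSION, headers=request_headers)

	# If successfully able to add the tag (host group)
	if (response.status_code == 200):
		print(green("New tag (host group) successfully added"))
		print(json.dumps(response.json(), indent=4))
		return str(response.json()['data'][0]['id'])

	# If unable to add the new tag (host group)
	print(red(f"An error has ocurred, while adding tags (host groups), with the following code {response.status_code}"))
	# An error reply is not guaranteed to be JSON; fall back to the raw text so
	# reporting the failure cannot raise a second exception.
	try:
		body = response.json()
	except ValueError:
		body = response.text
	print(red(f"Responso body:\n{body}"))
	return None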
def get_policy_ise():
    """Look up the ANC policy on ISE and return its name.

    Returns:
        The name of the last policy listed in the ISE search result, or a
        single space when the request fails or no policy is listed.
    """
    #TODO: Create the URL for the GET request to get the ANC policy from ISE assign it to variable "url"

    env_lab.print_missing_mission_warn(env_lab.get_line())

    #Create GET Request
    req = requests.get(url, verify=False, headers=headers)
    namelist = " "
    if req.status_code != 200:
        print("An error has ocurred with the following code %(error)s" %
              {'error': req.status_code})
        return namelist

    # Every policy found overwrites namelist, so only the last one is returned.
    for policy in req.json()["SearchResult"]["resources"]:
        namelist = policy["name"]
        print(
            "\nI've Found the Quarantine Policy {0} to Nuke the Rogue computers from the corp network... \n"
            .format(namelist))
    return namelist
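def get_security_events(time_window=60):
	"""Start an SMC security-event search covering the last *time_window* minutes.

	Args:
		time_window: length of the search window in minutes, ending now (UTC).

	Returns:
		The id of the search query created on the SMC (the search runs
		asynchronously, so its result has to be fetched later), or None when
		the SMC rejects the request.
	"""
	# TODO: Set the URL for the query to POST the filter and initiate the search
	env_lab.print_missing_mission_warn(env_lab.get_line())
	url = MISSION

	# Set the timestamps for the filters, in the correct format, for last 'time_window' minutes.
	# An aware UTC datetime replaces datetime.utcnow(), which is deprecated
	# since Python 3.12; the formatted value is the same.
	end_datetime = datetime.datetime.now(datetime.timezone.utc)
	start_datetime = end_datetime - datetime.timedelta(minutes=time_window)
	end_timestamp = end_datetime.strftime('%Y-%m-%dT%H:%M:%SZ')
	start_timestamp = start_datetime.strftime('%Y-%m-%dT%H:%M:%SZ')

	# Set the filter with the request data.
	# TODO: Look for all the hosts generating High Total Traffic (security event ID: ?)
	# HINT: Don't know how to filter the query request? Have a look at the APIs on DevNet
	# (https://developer.cisco.com/docs/stealthwatch/enterprise/#!reporting-api-version-1)
	# Don't know which Security Event ID you need to use? Have a look at this PDF
	# (https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/management_console/securit_events_alarm_categories/SW_7_2_1_Security_Events_and_Alarm_Categories_DV_1_0.pdf)
	env_lab.print_missing_mission_warn(env_lab.get_line())
	request_data = MISSION

	# Perform the query to initiate the search
	request_headers = {'Content-type': 'application/json', 'Accept': 'application/json'}
	env_lab.print_missing_mission_warn(env_lab.get_line())
	# verify=False skips TLS certificate validation (lab appliance with a
	# self-signed certificate).
	response = api_session.request(MISSION, url, verify=False, data=json.dumps(request_data), headers=request_headers)

	if response.status_code == 200:
		# This is an asynchronous query, thus the result will not be returned right away.
		# TODO: Find the search query ID, so as to later check the status and access the result.
		# HINT: The API documentation is your friend ;)
		env_lab.print_missing_mission_warn(env_lab.get_line())
		search_id = MISSION

		return search_id

	print(red(f"An error has ocurred, while creating search query, with the following code {response.status_code}"))
	# An error reply is not guaranteed to be JSON; fall back to the raw text so
	# reporting the failure cannot raise a second exception.
	try:
		body = response.json()
	except ValueError:
		body = response.text
	print(red(f"Responso body:\n{body}"))
	return None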
            json.dump(glist, file, indent=2)
        else:
            jsondata = [o[ioc] for o in glist]
            json.dump(jsondata, file, indent=2)
    file.close()



if __name__ == "__main__":
    # Save the MAC addresses of the endpoints where malware executed to a JSON
    # file.  In the ISE Mission we will read this file and quarantine these
    # endpoints.sha256-list.json
    shalist_path = repository_root / "mission-data/sha256-list.json"
    shalist = readIocsFile(shalist_path)
    #TODO: iterate trhough the shalist and find the obereravales per sha! hint: for ... in ...:
    env_lab.print_missing_mission_warn(env_lab.get_line())

    #Create data files for the Umbrella Mission.
    domainlist_path = repository_root / "mission-data/domainlist.json"
    iplist_path = repository_root / "mission-data/iplist.json"

    writer_file(domainlist_path, observables, "domains")

    #TODO: Write the ipaddress from observables to a file: Hint look above how we did the domains
    env_lab.print_missing_mission_warn(env_lab.get_line())

    # Finally, post a message to the Webex Teams Room to brag!!!
    print(blue("\n==> Posting message to Webex Teams"))

    teams = webexteamssdk.WebexTeamsAPI(WEBEX_TEAMS_ACCESS_TOKEN)
    teams.messages.create(