def ctr_auth(
    host=env.THREATRESPONSE.get("host"),
    client_id=env.CTR_CLIENT_ID,
    api_key=env.CTR_API_KEY,
):
    """Obtain an OAuth2 access token from Cisco Threat Response.

    The client id and API key are sent as HTTP basic-auth credentials to the
    ``/iroh/oauth2/token`` endpoint over TLS. The returned access token is a
    credential in its own right and should not be printed or logged.

    Args:
        host(str): The Threat Response host.
        client_id(str): Threat Response API client id.
        api_key(str): Threat Response API client password / key.

    Returns:
        str: The ``access_token`` value from the token response.

    Raises:
        requests.HTTPError: If the token endpoint returns a non-2xx status.
    """
    print(white("\n==> Authenticating to Cisco Threat Response..."))

    token_url = f"https://{host}/iroh/oauth2/token"
    request_headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'Accept': 'application/json',
    }

    # MISSION12: Construct payload to pass in authentication request to Threat Response
    env.print_missing_mission_warn(env.get_line())  # Delete this line when mission is complete.
    form_payload = {'MISSION12': 'MISSION12'}

    token_response = requests.post(
        token_url,
        headers=request_headers,
        auth=(client_id, api_key),
        data=form_payload,
    )
    token_response.raise_for_status()

    return token_response.json()["access_token"]
def get_amp_computers(
    host=env.AMP.get("host"),
    client_id=env.AMP_CLIENT_ID,
    api_key=env.AMP_API_KEY,
):
    """Get a list of computers from Cisco AMP.

    Args:
        host(str): The AMP host.
        client_id(str): AMP API client id (not referenced by the request as
            written; MISSION02 is where the URL is built).
        api_key(str): AMP API key (not referenced by the request as written).

    Returns:
        list: The ``data`` array of the AMP computers response.

    Raises:
        requests.HTTPError: If the AMP API returns a non-2xx status.
    """
    print("\n==> Getting computers from AMP")

    # MISSION02: Construct the URL
    env.print_missing_mission_warn(env.get_line())  # Delete this line when mission is complete.
    computers_url = f"https://MISSION02"

    # NOTE(review): verify=False disables TLS certificate validation, so the
    # request (and any credentials it carries) could be intercepted by a
    # man-in-the-middle. Drop it, or point ``verify`` at the CA bundle,
    # anywhere outside a throwaway lab.
    computers_response = requests.get(computers_url, verify=False)

    # Consider any status other than 2xx an error
    computers_response.raise_for_status()

    return computers_response.json()["data"]
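def post_umbrella_events(
    blocklist_domains,
    host=env.UMBRELLA.get("en_url"),
    api_key=env.UMBRELLA_ENFORCEMENT_KEY,
):
    """Post malware events for *blocklist_domains* to the Umbrella Enforcement API.

    One event object is built per domain; all events share a single
    UTC timestamp for ``alertTime`` and ``eventTime``.

    Args:
        blocklist_domains(list[str]): Domains to report as malware events.
            An empty list posts an empty event array.
        host(str): The Umbrella Enforcement host (``en_url``).
        api_key(str): Your Umbrella Enforcement API key (not referenced by
            the request as written; MISSION11 is where the endpoint is built).

    Returns:
        tuple: ``(id, data)`` -- the ``id`` value from the Enforcement API
        response and the list of event objects that was posted.

    Raises:
        requests.HTTPError: If the Enforcement API returns a non-2xx status.
    """
    # Local import keeps the change self-contained; only ``datetime`` is
    # otherwise in scope from the file's imports.
    from datetime import timezone

    print(
        white(
            f"\n==> Post malware events to the Umbrella Enforcement API for processing and optionally adding to a customer's domain lists."
        ))

    # MISSION11: Construct the API endpoint to post malware events to the Umbrella Enforcement API
    env.print_missing_mission_warn(env.get_line())  # Delete this line when mission is complete.
    url = f"MISSION11"
    headers = {
        'Content-type': 'application/json',
        'Accept': 'application/json',
    }

    # Time for AlertTime and EventTime when domains are added to Umbrella.
    # The value is sent with a trailing "Z", i.e. it claims to be UTC, so it
    # must be generated in UTC -- ``datetime.now()`` would yield local time
    # mislabelled as UTC on any host not running in UTC.
    timestamp = datetime.now(timezone.utc).replace(tzinfo=None).isoformat() + "Z"

    data = [
        {
            "alertTime": timestamp,
            "deviceId": "ba6a59f4-e692-4724-ba36-c28132c761de",
            "deviceVersion": "13.7a",
            "dstDomain": domain,
            "dstUrl": "http://" + domain + "/",
            "eventTime": timestamp,
            "protocolVersion": "1.0a",
            "providerName": "Security Platform",
        }
        for domain in blocklist_domains
    ]

    response = requests.post(url, data=json.dumps(data), headers=headers)
    response.raise_for_status()

    # Renamed from ``id`` to avoid shadowing the builtin.
    event_id = response.json()["id"]
    return event_id, data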
def threatgrid_search_submissions(
    sha256,
    host=env.THREATGRID.get("host"),
    api_key=env.THREATGRID_API_KEY,
):
    """Search ThreatGrid Submissions by sha256.

    Args:
        sha256(str): Lookup this hash in ThreatGrid Submissions.
        host(str): The ThreatGrid host.
        api_key(str): Your ThreatGrid API key. It is sent as the ``api_key``
            query parameter, so it may end up in proxy and server access logs.

    Returns:
        list: The ``data.items`` array of the search response (never empty).

    Raises:
        SystemExit: Exits with status 1 when no submission data is returned.
    """
    print(
        white(
            f"\n==> Searching the ThreatGrid Submissions for sha256: {sha256}")
    )

    search_params = {
        "q": sha256,
        "api_key": api_key,
        # Presumably restricts results to submissions after this instant -- confirm.
        "after": "2019-12-01T05:00:00.000Z",
    }
    search_url = f"https://{host}/api/v2/search/submissions"
    response = requests.get(search_url, params=search_params)

    # MISSION06: Put proper function to consider any status other than 2xx an error
    env.print_missing_mission_warn(env.get_line())  # Delete this line when mission is complete.
    # Put your code here: MISSION06

    items = response.json()["data"]["items"]
    if not items:
        print(red("Unable to retrieve data on the sha256 submission"))
        sys.exit(1)

    print(green("Successfully retrieved data on the sha256 submission"))
    return items
def get_umbrella_domain_status(
    domain,
    host=env.UMBRELLA.get("inv_url"),
    api_key=env.UMBRELLA_INVESTIGATE_KEY,
):
    """Look up *domain* in Umbrella Investigate and return its status.

    Args:
        domain(str): Domain to categorize. It is interpolated into the URL
            path exactly as given (no URL-encoding is applied).
        host(str): The Umbrella Investigate host (``inv_url``).
        api_key(str): Your Umbrella Investigate API key (not referenced by the
            request as written; MISSION09 is where the headers are built).

    Returns:
        The ``status`` value from the categorization response for *domain*.

    Raises:
        requests.HTTPError: If Umbrella Investigate returns a non-2xx status.
    """
    print(
        white(
            f"\n==> Checking domain against Umbrella Investigate to retrieve its status"
        ))

    status_url = f"https://{host}/domains/categorization/{domain}?showLabels"

    # MISSION09: Construct authentication headers for Umbrella Investigate
    env.print_missing_mission_warn(env.get_line())  # Delete this line when mission is complete.
    auth_headers = {'MISSION09': 'MISSION09'}

    categorization = requests.get(status_url, headers=auth_headers)
    categorization.raise_for_status()

    return categorization.json()[domain]["status"]
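amp_computer_list = get_amp_computers()
print(green("Fetched AMP4E Computer List"))

# Resolve the connector GUID of the computer named by ``amp_computer_name``.
# If several entries share the hostname, the last match wins (as before).
amp_computer_guid = None
for computer in amp_computer_list:
    if computer["hostname"] == amp_computer_name:
        amp_computer_guid = computer["connector_guid"]
        print(
            green(
                f"AMP4E Computer name: {amp_computer_name}, GUID: {amp_computer_guid}"
            ))

# Without this guard a missing hostname surfaced as a NameError on the
# query below instead of a readable message.
if amp_computer_guid is None:
    print(red(f"No AMP4E computer named {amp_computer_name} was found"))
    sys.exit(1)

# MISSION03: Complete the AMP query with correct event types to fetch event list
env.print_missing_mission_warn(env.get_line())  # Delete this line when mission is complete.
# NOTE(review): the placeholder reads "MISSIONO3" (letter O); presumably MISSION03.
amp_query_params = f"connector_guid[]={amp_computer_guid}&MISSIONO3"
amp_event_list = get_amp_events(query_params=amp_query_params)
print(green(f"Retrieved {len(amp_event_list)} events from AMP"))

# An empty event list previously raised IndexError on ``[0]``.
if not amp_event_list:
    print(red("No AMP events were returned for this connector"))
    sys.exit(1)

amp_event = amp_event_list[0]
print(
    green(
        f"First Event: {amp_event['event_type']} "
        f"\nDetection: {amp_event['detection']} "
        f"\nFile name: {amp_event['file']['file_name']} "
        f"\nFile sha256: {amp_event['file']['identity']['sha256']}"
    ))
threatgrid_sha = amp_event["file"]["identity"]["sha256"]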