def run(self, params={}): threat_identifier = params.get(Input.THREAT_IDENTIFIER) threats = self.connection.client.search_threats([threat_identifier]) if len(threats) > 1: self.logger.info( f"Multiple threats found that matched the query: {threat_identifier}." "We will only act upon the first match") payload = {"threat_id": threats[0].get('sha256')} if params.get(Input.QUARANTINE_STATE): payload["event"] = "Quarantine" else: payload["event"] = "Waive" # If IPv4, attempt to find its ID agent = params.get(Input.AGENT) if validators.ipv4(agent): agent = find_agent_by_ip(self.connection, agent) errors = self.connection.client.update_agent_threat( self.connection.client.get_agent_details(agent).get('id'), payload) if len(errors) != 0: raise PluginException( cause= 'The response from the CylancePROTECT API was not in the correct format.', assistance='Contact support for help. See log for more details', data=errors) return {Output.SUCCESS: True}
def run(self, params={}): whitelist = params.get(Input.WHITELIST, None) agent = params.get(Input.AGENT) if validators.ipv4(agent): found_agent = find_agent_by_ip(self.connection, agent) if found_agent != agent: agent = found_agent else: raise PluginException( cause="Agent not found.", assistance=f"Unable to find an agent with IP: {agent}," f" please ensure that the IP address is correct.", ) device_obj = self.connection.client.get_agent_details(agent) if whitelist: matches = find_in_whitelist(device_obj, whitelist) if matches: raise PluginException( cause="Agent found in the whitelist.", assistance=f"If you would like to block this host, remove {str(matches)[1:-1]} from the whitelist.", ) return {Output.LOCKDOWN_DETAILS: self.connection.client.device_lockdown(device_obj.get("id"))}
def run(self, params={}): # If IPv4, attempt to find its ID first agent = params.get(Input.AGENT) if validators.ipv4(agent): agent = find_agent_by_ip(self.connection, agent) agent = self.connection.client.get_agent_details(agent) policy = params.get(Input.POLICY) if policy == "": policy = self._find_default_policy_id() errors = self.connection.client.update_agent( agent.get("id"), { "add_zone_ids": params.get(Input.ADD_ZONES, None), "name": agent.get("name"), "policy_id": policy, "remove_zone_ids": params.get(Input.REMOVE_ZONES, None), }, ) if len(errors) != 0: raise PluginException( cause= "The response from the CylancePROTECT API was not in the correct format.", assistance="Contact support for help. See log for more details", data=errors, ) return {Output.SUCCESS: True}
def run(self, params={}): # If IPv4, attempt to find its ID first agent = params.get(Input.AGENT) if validators.ipv4(agent): agent = find_agent_by_ip(self.connection, agent) return {Output.AGENTS: self.connection.client.search_agents_all(agent)}
def run(self, params={}): whitelist = params.get(Input.WHITELIST, None) agents = params.get(Input.AGENTS) valid_ids = [] valid_devices = [] invalid_devices = [] for agent in agents: try: # If IPv4, attempt to find its ID ip_agent = None if validators.ipv4(agent): ip_agent = find_agent_by_ip(self.connection, agent) if ip_agent: device_obj = self.connection.client.get_agent_details(ip_agent) else: device_obj = self.connection.client.get_agent_details(agent) if device_obj: # Device was found in Cylance if whitelist: # Any whitelisted devices will not be deleted matches = find_in_whitelist(device_obj, whitelist) if matches: self.logger.info(f"{agent} found in whitelist. Will not delete.") invalid_devices.append(agent) else: valid_devices.append(agent) valid_ids = self.add_to_valid_devices(device_obj, valid_ids) else: valid_devices.append(agent) valid_ids = self.add_to_valid_devices(device_obj, valid_ids) # Device was not found, therefore invalid to delete except PluginException: self.logger.info(f"{agent} device was not found.") invalid_devices.append(agent) if not valid_ids: raise PluginException( cause="No valid devices to delete.", assistance=f"Be sure that the devices exist in Cylance and are not part of the whitelist." ) payload = {"device_ids": valid_ids} success = self.connection.client.delete_devices(payload) if not success: raise PluginException( cause="One of the devices failed to delete.", assistance=f"A valid agent deletion may have failed, check your Cylance console." ) return {Output.SUCCESS: True, Output.DELETED: valid_devices, Output.NOT_DELETED: invalid_devices}
def test_find_agent_by_ip(self): ip = "10.0.2.15" ip_device_id = "6be117da-2f5d-4645-8878-1bc6476a399a" log = logging.getLogger("Test") test_conn = Connection() test_action = DeleteAsset() test_conn.logger = log test_action.logger = log try: with open("../tests/delete_asset.json") as file: test_json = json.loads(file.read()).get("body") connection_params = test_json.get("connection") except Exception as e: message = "Could not connection from /tests directory" self.fail(message) test_conn.connect(connection_params) test_action.connection = test_conn self.assertEqual(find_agent_by_ip(test_action.connection, "1.1.1.1"), "1.1.1.1") self.assertEqual(find_agent_by_ip(test_action.connection, ip), ip_device_id) self.assertNotEqual(find_agent_by_ip(test_action.connection, ip), "1.1.1.1") self.assertNotEqual(find_agent_by_ip(test_action.connection, ip), "10.0.2.15")