def getoffenses(self): """Gets all offenses. :return dict; all offenses or None if failed """ try: iter = 0 response = checkanswer( requests.request('GET', self.server + "/api/siem/offenses", headers=self.headers, verify=self.verifySSL), 200, True) while not response['API_status'] and iter < 10: response = checkanswer( requests.request('GET', self.server + "/api/siem/offenses", headers=self.headers, verify=self.verifySSL), 200, True) iter += 1 if response['API_status']: return response['response'] else: print("API call to get rules did not return expected value") return None except Exception as err: print("API call to get rules did result in error: " + str(err)) return None
def getrule(self, rule_id): """ Get information about specified rule :param rule_id str; ID of the rule requested :return dict; information about rule or None if failed """ try: iter = 0 response = checkanswer( requests.request('GET', self.server + "/api/analytics/rules/" + str(rule_id), headers=self.headers, verify=self.verifySSL), 200, True) while not response['API_status'] and iter < 10: response = checkanswer( requests.request('GET', self.server + "/api/analytics/rules/" + str(rule_id), headers=self.headers, verify=self.verifySSL), 200, True) iter += 1 if response['API_status']: return response['response'] else: print("API call to get rules did not return expected value") return None except Exception as err: print("API call to get rules did result in error: " + str(err)) return None
def deletealert(self, ID): """ Deletes alert by id :param ID: int; id of alert to delete :return Bool; indicates if operation succeded; """ self.validate_session() try: iter = 0 response = checkanswer( requests.delete(self.server + '/plugin/products/detect3/api/v1/alerts/' + str(ID), headers=self.session_key, verify=self.verifySSL), 204, False) while not response['API_status'] and iter < 10: response = checkanswer( requests.delete(self.server + '/plugin/products/detect3/api/v1/alerts/' + str(ID), headers=self.session_key, verify=self.verifySSL), 204, False) iter += 1 if response['API_status']: return True else: logger.error( "API call to delete alert did not return expected value") return False except Exception as err: logger.error("API call to delete alert did result in error: " + str(err)) return False
def getsignals(self): """ Get all signals. :return dict; all signals or None if failed """ self.validate_session() try: iter = 0 response = checkanswer( requests.request( "POST", self.server + '/plugin/products/detect3/api/v1/intels/export/signals', headers=self.session_key, data="", verify=self.verifySSL), 200, True) while not response['API_status'] and iter < 10: response = checkanswer( requests.request( "POST", self.server + '/plugin/products/detect3/api/v1/intels/export/signals', headers=self.session_key, data="", verify=self.verifySSL), 200, True) iter += 1 if response['API_status']: return response['response'] else: print("API call to get signals did not return expected value") return None except Exception as err: print("API call to get signals did result in error: " + str(err)) return None
def getincidents(self, starttime): """ """ starter = starttime - timedelta(days=1) unix_time = time.mktime(starter.timetuple()) payload = { "request_data": { "filters": [{ "field": "modification_time", "operator": "gte", "value": int(unix_time) * 1000 }], "search_from": 0, "search_to": 100, "sort": { "field": "modification_time", "keyword": "desc" } } } request = json.dumps(payload) try: iter = 0 response = checkanswer( requests.request('POST', self.server + '/public_api/v1/incidents/get_incidents/', headers=self.headers, data=request, verify=self.verifySSL), 200, True) while not response['API_status'] and iter < 10: response = checkanswer( requests.request('POST', self.server + '/public_api/v1/incidents/get_incidents/', headers=self.headers, data=request, verify=self.verifySSL), 200, True) iter += 1 if response['API_status']: return response['response'] else: print( "API call to get incidents did not return expected value") return None except Exception as err: print("API call to get incidents did result in error: " + str(err)) return None
def getalerts_time(self, starttime, endtime): """ """ unix_start = time.mktime(starttime.timetuple()) unix_end = time.mktime(endtime.timetuple()) payload = { "request_data": { "filters": [{ "field": "creation_time", "operator": "gte", "value": int(unix_start) * 1000 }, { "field": "creation_time", "operator": "lte", "value": int(unix_end) * 1000 }] } } request = json.dumps(payload) try: iter = 0 response = checkanswer( requests.request('POST', self.server + '/public_api/v1/alerts/get_alerts/', headers=self.headers, data=request, verify=self.verifySSL), 200, True) while not response['API_status'] and iter < 10: response = checkanswer( requests.request('POST', self.server + '/public_api/v1/alerts/get_alerts/', headers=self.headers, data=request, verify=self.verifySSL), 200, True) iter += 1 if response['API_status']: return response['response'] else: print("API call to get alerts did not return expected value") return None except Exception as err: print("API call to get alerts did result in error: " + str(err)) return None
def authenticate(self): """ Logs on Tanium Server :format of API call reponse: {u'data': {u'session': u'some_string'}} :return None or error message """ json_string = json.dumps({ 'username': self.username, 'password': self.password }) try: iter = 0 response = checkanswer( requests.request( "POST", 'https://tanium.sec-lab.local/api/v2/session/login', data=json_string, verify=self.verifySSL), 200, True) while not response['API_status'] and iter < 10: response = checkanswer( requests.request( "POST", 'https://tanium.sec-lab.local/api/v2/session/login', data=json_string, verify=self.verifySSL), 200, True) iter += 1 if response['API_status']: self.session_key = { 'session': response['response']['data']['session'] } self.session_validated = datetime.now() return '' else: print( "API call to authenticate tanium did not return expected value" ) return 'API_call did not return expected value' except Exception as err: print("API call to authenticate tanium did result in error: " + str(err)) return 'API call to authenticate tanium did result in error: ' + str( err)
def getalerts(self, computer_name='', offset=0): """ Get up to 500 alerts starting from offset for given host :param computer_name(optional): str; host which caused alerts. If none given, all are returned :param offset(optional): int; offset of alerts :return dict; alerts or None if failed """ self.validate_session() if offset == 0 and computer_name == '': querystring = {"limit": "500"} else: querystring = { "limit": "500", "offset": offset, "computerName": computer_name } try: iter = 0 response = checkanswer( requests.get(self.server + '/plugin/products/detect3/api/v1/alerts', headers=self.session_key, params=querystring, verify=self.verifySSL), 200, True) while not response['API_status'] and iter < 10: response = checkanswer( requests.get(self.server + '/plugin/products/detect3/api/v1/alerts', headers=self.session_key, params=querystring, verify=self.verifySSL), 200, True) iter += 1 if response['API_status']: return response['response'] else: logger.error( "API call to get alerts did not return expected value") return None except Exception as err: logger.error("API call to get alerts did result in error: " + str(err)) return None
def getincidentextra(self, incident_id): """ """ payload = {"request_data": {"incident_id": str(incident_id)}} request = json.dumps(payload) try: iter = 0 response = checkanswer( requests.request( 'POST', self.server + '/public_api/v1/incidents/get_incident_extra_data/', headers=self.headers, data=request, verify=self.verifySSL), 200, True) while not response['API_status'] and iter < 10: response = checkanswer( requests.request( 'POST', self.server + '/public_api/v1/incidents/get_incident_extra_data/', headers=self.headers, data=request, verify=self.verifySSL), 200, True) iter += 1 if response['API_status']: return response['response'] else: print( "API call to get incident details did not return expected value" ) return None except Exception as err: print("API call to get incident details did result in error: " + str(err)) return None
def snapshot(self, computername="WS-Win10-001.sec-lab.local"): """ Makes a snapshot of the specified system :param computername: string, name of computer system of interest :return string, name of snapshot or error message """ self.validate_session() parameter = { "remote": True, "dst": computername, "dstType": "computer_name", "connTimeout": 0 } try: iter = 0 response = checkanswer( requests.post(self.server + '/plugin/products/trace/conns', headers=self.session_key, json=parameter, verify=self.verifySSL), 202, False) while not response['API_status'] and iter < 10: response = checkanswer( requests.post(self.server + '/plugin/products/trace/conns', headers=self.session_key, json=parameter, verify=self.verifySSL), 202, False) iter += 1 if not response['API_status']: logger.error( "API call to start connection did not return expected value" ) return 'API_call did not return expected value' except Exception as err: logger.error("API call to start connection did result in error: " + str(err)) return 'API_call did result in error: ' + str(err) try: iter = 0 response = checkanswer( requests.post(self.server + '/plugin/products/trace/conns/' + computername + '/snapshots', headers=self.session_key, verify=self.verifySSL), 202, False) while not response['API_status'] and iter < 25: time.sleep(2) response = checkanswer( requests.post(self.server + '/plugin/products/trace/conns/' + computername + '/snapshots', headers=self.session_key, verify=self.verifySSL), 202, False) iter += 1 if not response['API_status']: logger.error( "API call to take snapshot did not return expected value") return 'API_call did not return expected value' except Exception as err: logger.error("API call to take snapshot did result in error: " + str(err)) return 'API_call did result in error: ' + str(err) try: iter = 0 response = checkanswer( requests.get(self.server + '/plugin/products/trace/snapshots', headers=self.session_key, verify=self.verifySSL), 200, True) while not response['API_status'] and iter < 10: time.sleep(2) response = checkanswer( requests.get(self.server + '/plugin/products/trace/snapshots', headers=self.session_key, verify=self.verifySSL), 200, True) iter += 1 if response['API_status']: return computername + '-' + response['response'][ computername].keys()[0] else: logger.error( "API call to get snapshotname did not return expected value" ) return 'API_call did not return expected value' except Exception as err: logger.error("API call to get snapshotname did result in error: " + str(err)) return 'API_call did result in error: ' + str(err)
def gettraces(self, starttime, endtime): """ Get executed process trees within specified time interval from all machines with parent containing 'python' :param starttime: datetime; start of interval of interest (in UTC tanium time) :param endtime: datetime; end of interval of interest (in UTC tanium time) :return dict; trace information or None if failed """ self.validate_session() starter = starttime - timedelta(minutes=1) unixstart = time.mktime(starter.timetuple()) unixend = time.mktime(endtime.timetuple()) question = { "query_text": "Get Trace Executed Process Trees[python,0,0,0,As Parent,10000," + str(unixstart)[:-2] + "000|" + str(unixend)[:-2] + "000] from all machines" } try: iter = 0 response = checkanswer( requests.post(self.server + '/api/v2/questions', headers=self.session_key, json=question, verify=self.verifySSL), 200, True) while not response['API_status'] and iter < 10: checkanswer( requests.post(self.server + '/api/v2/questions', headers=self.session_key, json=question, verify=self.verifySSL), 200, True) iter += 1 if not response['API_status']: logger.error( "API call to ask trace question did not return expected value" ) return None except Exception as err: logger.error( "API call to ask trace question did result in error: " + str(err)) return None question_id = response['response']['data']['id'] try: iter = 0 response = checkanswer( requests.get(self.server + '/api/v2/result_data/question/' + str(question_id), headers=self.session_key, verify=self.verifySSL), 200, True) while (not response['API_status'] or response['response']['data'] ['result_sets'][0]['estimated_total'] != response['response']['data']['result_sets'][0]['mr_passed'] ) and iter < 25: time.sleep(2) self.validate_session() response = checkanswer( requests.get(self.server + '/api/v2/result_data/question/' + str(question_id), headers=self.session_key, verify=self.verifySSL), 200, True) iter += 1 if response['API_status']: return response['response'] else: logger.error( "API call to get trace answer did not return expected value" ) return None except Exception as err: logger.error("API call to get trace answer did result in error: " + str(err)) return None