def create_api_call():
if USE_SSL:
return duo_client.Admin(ikey=INTEGRATION_KEY,
skey=SECRET_KEY,
host=HOST,
ca_certs='DISABLE')
return duo_client.Admin(ikey=INTEGRATION_KEY, skey=SECRET_KEY, host=HOST)
def run(self):
Responder.run(self)
if self.get_param('data.dataType') == 'username':
str_username = self.get_param('data.data', None, 'No artifacts available')
admin_api = duo_client.Admin(self.iKey, self.sKey, self.API_hostname)
response = admin_api.get_users_by_name(username=str_username)
# print(response)
user_id=response[0]["user_id"]
# print("user_id:",user_id)
r = admin_api.update_user(user_id=user_id,status='disabled')
# print("response:",r)
if r.get('status') == 'disabled':
self.report({'message': 'User is locked in Duo Security.'})
else:
self.error('Failed to lock User Account in Duo.')
else:
self.error('Incorrect dataType. "username" expected.')
def main():
try:
state = pickle.load(open(options.statepath, "rb"))
except IOError:
# Oh, you're new.
# Note API v2 expect full, correct and within range timestamps in millisec so we start recently
# API v1 uses normal timestamps in seconds instead
state = {
"administration": 0,
"administration_offset": None,
"authentication": 1547000000000,
"authentication_offset": None,
"telephony": 0,
"telephony_offset": None,
}
# Convert v1 (sec) timestamp to v2 (ms)...
if state["authentication"] < 1547000000000:
state["authentication"] = int(str(state["authentication"]) + "000")
duo = duo_client.Admin(ikey=options.IKEY,
skey=options.SKEY,
host=options.URL)
mozmsg = mozdef.MozDefEvent(options.MOZDEF_URL)
mozmsg.tags = ["duosecurity"]
if options.update_tags != "":
mozmsg.tags.append(options.update_tags)
mozmsg.set_category("authentication")
mozmsg.source = "DuoSecurityAPI"
if options.DEBUG:
mozmsg.debug = options.DEBUG
mozmsg.set_send_to_syslog(True, only_syslog=True)
# This will process events for all 3 log types and send them to MozDef. the state stores the last position in the
# log when this script was last called.
# NOTE: If administration and telephone logs support a "v2" API in the future it will most likely need to have the
# same code with `next_offset` as authentication uses.
state = process_events(
mozmsg, duo.get_administrator_log(mintime=state["administration"] + 1),
"administration", state)
state = process_events(
mozmsg,
duo.get_authentication_log(
api_version=2,
limit="1000",
sort="ts:asc",
mintime=state["authentication"] + 1,
next_offset=state["authentication_offset"],
),
"authentication",
state,
)
state = process_events(
mozmsg, duo.get_telephony_log(mintime=state["telephony"] + 1),
"telephony", state)
pickle.dump(state, open(options.statepath, "wb"))
def _setup_plugins_config(self):
"""Setup values from plugins.ini configuration."""
option = get_plugin_config_options('duo')
try:
self.admin_api = duo_client.Admin(
ikey=option['integration_key'],
skey=option['secret_key'],
host=option['api_hostname'],
)
except KeyError as err:
raise PluginError('No "%s" option in plugins.ini' % err.message)
def create_api_call():
if USE_SSL:
client = duo_client.Admin(
ikey=INTEGRATION_KEY,
skey=SECRET_KEY,
host=HOST,
)
else:
client = duo_client.Admin(ikey=INTEGRATION_KEY,
skey=SECRET_KEY,
host=HOST,
ca_certs='DISABLE')
try:
client._make_request = lambda method, uri, body, headers: override_make_request(
client, method, uri, body, headers)
except Exception as e:
demisto.error(
"Error making request - failed to create client: {}".format(e))
raise Exception
return client
def main(mytimer: func.TimerRequest) -> None:
logging.info('Starting script')
admin_api = duo_client.Admin(
ikey=CISCO_DUO_INTEGRATION_KEY,
skey=CISCO_DUO_SECRET_KEY,
host=CISCO_DUO_API_HOSTNAME,
)
sentinel = AzureSentinelConnector(log_analytics_uri=LOG_ANALYTICS_URI,
workspace_id=WORKSPACE_ID,
shared_key=SHARED_KEY,
log_type=LOG_TYPE,
queue_size=5000)
state_manager = StateManager(
FILE_SHARE_CONN_STRING,
file_path='cisco_duo_trust_monitor_logs_last_ts.txt')
process_trust_monitor_events(admin_api,
state_manager=state_manager,
sentinel=sentinel)
state_manager = StateManager(FILE_SHARE_CONN_STRING,
file_path='cisco_duo_auth_logs_last_ts.txt')
process_auth_logs(admin_api,
state_manager=state_manager,
sentinel=sentinel)
state_manager = StateManager(FILE_SHARE_CONN_STRING,
file_path='cisco_duo_admin_logs_last_ts.txt')
process_admin_logs(admin_api,
state_manager=state_manager,
sentinel=sentinel)
state_manager = StateManager(FILE_SHARE_CONN_STRING,
file_path='cisco_duo_tele_logs_last_ts.txt')
process_tele_logs(admin_api,
state_manager=state_manager,
sentinel=sentinel)
state_manager = StateManager(
FILE_SHARE_CONN_STRING,
file_path='cisco_duo_offline_enrollment_logs_last_ts.txt')
process_offline_enrollment_logs(admin_api,
state_manager=state_manager,
sentinel=sentinel)
logging.info('Script finished. Sent events: {}'.format(
sentinel.successfull_sent_events_number))
def admin_api_from_config(config_path):
"""
Return a duo_client.Admin object created using the parameters
stored in a config file.
"""
config = ConfigParser.ConfigParser()
config.read(config_path)
config_d = dict(config.items('duo'))
ca_certs = config_d.get("ca_certs", None)
if ca_certs is None:
ca_certs = config_d.get("ca", None)
return duo_client.Admin(
ikey=config_d['ikey'],
skey=config_d['skey'],
host=config_d['host'],
ca_certs=ca_certs,
)
def main():
try:
state = pickle.load(open(options.statepath, 'rb'))
except IOError:
# Oh, you're new.
# Note API v2 expect full, correct and within range timestamps in millisec so we start recently
# API v1 uses normal timestamps in seconds instead
state = {
'administration': 0,
'authentication': 1547000000000,
'telephony': 0
}
# Convert v1 (sec) timestamp to v2 (ms)...
if state['authentication'] < 1547000000000:
state['authentication'] = int(str(state['authentication']) + '000')
duo = duo_client.Admin(ikey=options.IKEY,
skey=options.SKEY,
host=options.URL)
mozmsg = mozdef.MozDefEvent(options.MOZDEF_URL)
mozmsg.tags = ['duosecurity']
if options.update_tags != '':
mozmsg.tags.append(options.update_tags)
mozmsg.set_category('authentication')
mozmsg.source = 'DuoSecurityAPI'
if options.DEBUG:
mozmsg.debug = options.DEBUG
mozmsg.set_send_to_syslog(True, only_syslog=True)
# This will process events for all 3 log types and send them to MozDef. the state stores the last position in the
# log when this script was last called.
state = process_events(
mozmsg, duo.get_administrator_log(mintime=state['administration'] + 1),
'administration', state)
# TODO Should use `next_offset` instead of mintime in the future (for api v2) as its more efficient
state = process_events(
mozmsg,
duo.get_authentication_log(api_version=2,
mintime=state['authentication'] + 1),
'authentication', state)
state = process_events(
mozmsg, duo.get_telephony_log(mintime=state['telephony'] + 1),
'telephony', state)
pickle.dump(state, open(options.statepath, 'wb'))
def init_duoclient(self, config):
try:
client = duo_client.Admin(
ikey=config['duoclient']['ikey'],
skey=config['duoclient']['skey'],
host=config['duoclient']['host'],
user_agent=('Duo Log Sync/' + __version__),
)
logging.info(
"Adminapi initialized for ikey {} and host {}...".format(
config['duoclient']['ikey'], config['duoclient']['host']))
except Exception as e:
logging.error(
"Unable to create duo client. Pls check credentials...")
sys.exit(1)
return client
