예제 #1
else:
    log.write("**debug - debug logging is disabled!\n")
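# Check to make sure there is data in the parameters.
# Credential values are never echoed into the debug log: the log is a plain
# file on disk, so api_key/client_id would otherwise be persisted in it.
SECRET_PARAMS = ("api_key", "client_id")
for key, value in var.items():
    if key == "debug":
        continue
    if value != "":
        shown = "<redacted>" if key in SECRET_PARAMS else value
        log.write("**debug - {} is {}.... OK!\n".format(key, shown))
    else:
        log.write("**debug - {} is Blank.... FAIL!\n".format(key))
        print("MISSING - value for {}".format(key))
        # Non-zero status so a wrapping shell or scheduler sees the failure
        # (a bare sys.exit() reports success).
        sys.exit(1)
if var["debug"]:
    log.write("**debug - parameter check complete.... OK!\n")

amp = amp_api.amp(var["endpoint"], var["client_id"], var["api_key"])

# Resolve the configured group name to its GUID.  Every group returned by
# GET /v1/groups is scanned and the last name match wins, as before.
group_data = amp.get("/v1/groups")
found = False
for group in group_data["data"]:
    if group["name"] == var["group_name"]:
        group_guid = group["guid"]
        found = True

if not found:
    print("FAIL - group name doesnt exist: {}".format(var["group_name"]))
    sys.exit(1)
if var["debug"]:
    log.write("**debug - group found with ID {}.... OK!\n".format(group_guid))

# group_guid comes straight from the API response, not from user input.
computers = amp.get("/v1/computers?group_guid[]={}".format(group_guid))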
예제 #2
    print(
        "Parameter - 'FMC_host_vuln_db_overwrite_OR_update' can be either set to \"update\" or \"overwrite\". Any other value is not allowed... So exiting!  Check out the sample 'parameters.json' file for example.... "
    )
    sys.exit()
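if 'push_changes_to_fmc' not in var:
    # Same text goes to the log and the console so an operator sees it either way.
    msg = ("Missing the Parameter - 'push_changes_to_fmc'. So exiting!  "
           "Check out the sample 'parameters.json' file for example.... ")
    logger.error(msg)
    print(msg)
    # Non-zero status so a wrapping shell or scheduler sees the failure
    # (a bare sys.exit() reports success).
    sys.exit(1)

logger.info("Parameter check complete")

amp = amp_api.amp(var["A4E_API_hostname"], var["A4E_client_id"],
                  var["A4E_api_key"])

# Getting Groups information and checking if the provided group names exist
# on the AMP for Endpoints Console.  Anything other than a dict means the
# client returned an error payload rather than the groups listing.
group_data = amp.get("/v1/groups")
if not isinstance(group_data, dict):
    msg = ("The output of API query to GET all the Groups is not as expected. "
           "So exiting!  Below is the output.... ")
    logger.error(msg)
    logger.error(group_data)
    print(msg)
    print(group_data)
    sys.exit(1)

group_guids = []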
예제 #3
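def _load_servicenow_credentials():
    """Return the (username, password) pair for ServiceNow from SecretServer.

    The secret is fetched by its fixed ID (8802) through the module-level
    SecretServer ``client``/``token`` (not defined in this block — assumed to
    be module-level objects, TODO confirm) and then scraped out of the
    stringified response.  The values are read from fixed positions, so any
    change in the secret's item layout breaks this silently.
    """
    search_secret = client.service.GetSecret(token.Token, secretId=8802)
    secret_text = str(search_secret)

    # NOTE(review): positional scraping kept for behaviour parity — the
    # username is taken from the 6th "SecretItem" chunk and the password from
    # the 7th, second line of each, third whitespace-separated token, with
    # double quotes stripped.  A structured accessor on the SOAP response
    # would be far more robust.
    def field(chunk_index):
        chunk = secret_text.split("SecretItem")[chunk_index]
        line = chunk.split("\n")[1]
        return line.split()[2].replace('"', '')

    return field(5), field(6)


def _find_group_guid(amp_client, var, log):
    """Return the GUID of the group named ``var["group_name"]`` or exit.

    Every group returned by ``GET /v1/groups`` is scanned and the last name
    match wins.  Exits with status 1 when nothing matches, because the event
    stream cannot be scoped without a GUID.
    """
    group_data = amp_client.get("/v1/groups")
    group_guid = None
    for group in group_data["data"]:
        if group["name"] == var["group_name"]:
            group_guid = group["guid"]

    if group_guid is None:
        print("FAIL - group name doesnt exist: {}".format(var["group_name"]))
        sys.exit(1)
    if var["debug"]:
        log.write(
            "**debug - group found with ID {}.... OK!\n".format(group_guid))
    return group_guid


def _build_event_stream_body(amp_client, var, log, group_guid):
    """Build the POST body for ``/v1/event_streams``.

    ``var["event_choice"]`` selects how event types are expressed: ``"name"``
    resolves ``var["event_name"]`` to its numeric id via ``GET /v1/event_types``
    (last match wins); ``"id"`` uses ``var["event_ids"]`` verbatim.  Any other
    value previously left ``body`` unbound and crashed with NameError; it now
    exits with a clear message.
    """
    if var["event_choice"] == "name":
        event_list = amp_client.get("/v1/event_types")
        event_id = None
        for event in event_list["data"]:
            if event["name"] == var["event_name"]:
                event_id = event["id"]

        if event_id is None:
            print("FAIL - event type doesnt exist: {}".format(
                var["event_name"]))
            sys.exit(1)
        if var["debug"]:
            log.write("**debug - event type found with ID {}.... OK!\n".format(
                event_id))
        event_types = ["{}".format(event_id)]
    elif var["event_choice"] == "id":
        event_types = var["event_ids"]
    else:
        print("FAIL - event_choice must be 'name' or 'id': {}".format(
            var["event_choice"]))
        sys.exit(1)

    return {
        "name": "InfoSec_Dev",
        "event_type": event_types,
        "group_guid": ["{}".format(group_guid)],
    }


def _flatten_items(dictionary):
    """Yield ``(key, value)`` pairs from a nested dict, depth first.

    Nested dicts are descended into; every other value (lists included) is
    yielded as-is under its own key.
    """
    for key, value in dictionary.items():
        if isinstance(value, dict):
            yield from _flatten_items(value)
        else:
            yield (key, value)


def _make_callback(incident):
    """Return the pika consumer callback that files one AMP event as a ServiceNow incident.

    ``incident`` is the pysnow resource for ``/table/incident``.  Per message
    the callback appends the raw event JSON to ``event.txt``, flattens the
    event into ``key   =   value`` lines for the work notes, creates the
    incident, and only then acknowledges the message — so a failure before
    creation leaves it unacknowledged for redelivery instead of losing it.
    """
    def callback(ch, method, properties, body):
        # AMP events are JSON, hence UTF-8; 'ascii' rejected any non-ASCII
        # hostname or path in the payload.
        event_json = body.decode("utf-8")
        d = json.loads(event_json)
        print(" [x] Received %r" % body)
        event = d["event_type"]
        print(event)
        pc = d["computer"]["hostname"]
        severity = d["severity"]

        pairs = list(_flatten_items(d))
        # NOTE(review): the original drops the last flattened pair ([:-1]);
        # kept for parity — confirm it is intentional.
        notes = [
            "   ".join(map(str, (key, "=", value))) for key, value in pairs[:-1]
        ]
        data = "\n".join(notes)

        with open("event.txt", "a") as myfile:
            myfile.write(event_json)
        new_record = {
            'short_description':
            'AMP : ' + severity + ' : Event : ' + event + ' : ' + pc,
            'description':
            'As a Cisco AMP security analyst, I need to perform detailed analysis on the following '
            'event "' + event +
            '" to determine if any malicious behavior has be identified. All '
            'findings will be documented in this incident.',
            'work_notes':
            data,
            'contact_type':
            'automation',
            'category':
            'security',
            'subcategory':
            'event',
            'cmdb_ci':
            'AMP',
            'assignment_group':
            'InfoSec'
        }
        incident.create(payload=new_record)
        # basic_consume defaults to auto_ack=False, so without an explicit ack
        # every message stayed unacknowledged on the broker.
        ch.basic_ack(delivery_tag=method.delivery_tag)

    return callback


def amp():
    """Create an AMP for Endpoints event stream and forward each event to ServiceNow.

    Flow: load the ServiceNow credentials from SecretServer, resolve the
    configured group and event types against the AMP API, POST an event
    stream, connect to the returned AMQP endpoint and consume until
    interrupted.  AMP API credentials come from the module-level
    ``AMP_CLIENT_ID`` / ``AMP_API_KEY``.  Exits with status 1 when a
    configuration lookup fails.
    """
    snow_user, snow_pass = _load_servicenow_credentials()

    # Static run configuration.  "debug" is a real bool: the original stored
    # the string "true", which is always truthy, so "false" could not disable it.
    var = {
        "debug": True,
        "client_id": AMP_CLIENT_ID,
        "api_key": AMP_API_KEY,
        "endpoint": "api.amp.cisco.com",
        "group_name": "Protect - Global",
        "event_name": "Threat Detected",
        "event_ids": [
            1107296274, 1107296262, 2164260880, 1091567628, 1090519084,
            1090519112, 1107296272, 553648166, 1003, 1004, 1005, 553648147,
            1107296257, 1107296258, 1107296261, 1107296263, 1107296264,
            1107296266, 1107296267, 1107296268, 1107296269, 1107296270,
            1107296271, 1107296273, 1107296275, 1107296276, 1107296277,
            1107296278, 1107296280, 1107296281, 1107296282, 1107296284,
            1107296283, 1090519081, 1090519105, 553648199
        ],
        "event_choice": "id",
    }

    # The log handle is scoped to the setup phase; nothing writes to it once
    # the consumer starts, and the original never closed it.
    with open("debug.log", "w") as log:
        log.write("**debug - loading in parameters now....\n")
        if var["debug"]:
            log.write("**debug - parameters loaded in.... OK!\n")
            log.write("**debug - begin parameter check....\n")
        else:
            log.write("**debug - debug logging is disabled!\n")
        if var["debug"]:
            log.write("**debug - parameter check complete.... OK!\n")

        amp_client = amp_api.amp(var["endpoint"], var["client_id"],
                                 var["api_key"])
        group_guid = _find_group_guid(amp_client, var, log)
        body = _build_event_stream_body(amp_client, var, log, group_guid)
        print(body)
        event_stream = amp_client.post("/v1/event_streams", body)
        if var["debug"]:
            log.write("**debug - event stream created.... OK!\n")
            log.write(
                "**debug - begining work to start listening for events.... OK!\n")

    # The response carries live AMQP credentials.  Only the non-secret parts
    # are echoed; the original printed the full response and the amqps:// URL,
    # password included, to stdout.
    creds = event_stream["data"]["amqp_credentials"]
    print("event stream created on {}:{} queue {}".format(
        creds["host"], creds["port"], creds["queue_name"]))
    print("---------")
    url = "amqps://{}:{}@{}:{}".format(
        creds["user_name"], creds["password"], creds["host"], creds["port"])

    parameters = pika.URLParameters(url)
    connection = pika.BlockingConnection(parameters)
    channel = connection.channel()

    # passive=True only checks the queue exists; AMP owns its declaration.
    channel.queue_declare(queue=creds["queue_name"], passive=True)

    c = pysnow.Client(instance='COMPANY', user=snow_user, password=snow_pass)
    incident = c.resource(api_path='/table/incident')

    channel.basic_consume(
        on_message_callback=_make_callback(incident),
        queue=creds["queue_name"])
    print(' [*] Waiting for messages. To exit press CTRL+C')
    channel.start_consuming()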