def main():
parser = build_cli_parser("List devices")
parser.add_argument("-q", "--query", help="Query string for looking for devices")
parser.add_argument("-A", "--ad_group_id", action="append", type=int, help="Active Directory Group ID")
parser.add_argument("-p", "--policy_id", action="append", type=int, help="Policy ID")
parser.add_argument("-s", "--status", action="append", help="Status of device")
parser.add_argument("-P", "--priority", action="append", help="Target priority of device")
parser.add_argument("-S", "--sort_by", help="Field to sort the output by")
parser.add_argument("-R", "--reverse", action="store_true", help="Reverse order of sort")
args = parser.parse_args()
cb = get_cb_psc_object(args)
query = cb.select(Device)
if args.query:
query = query.where(args.query)
if args.ad_group_id:
query = query.set_ad_group_ids(args.ad_group_id)
if args.policy_id:
query = query.set_policy_ids(args.policy_id)
if args.status:
query = query.set_status(args.status)
if args.priority:
query = query.set_target_priorities(args.priority)
if args.sort_by:
direction = "DESC" if args.reverse else "ASC"
query = query.sort_by(args.sort_by, direction)
devices = list(query)
print("{0:9} {1:40}{2:18}{3}".format("ID", "Hostname", "IP Address", "Last Checkin Time"))
for device in devices:
print("{0:9} {1:40s}{2:18s}{3}".format(device.id, device.name or "None",
device.last_internal_ip_address or "Unknown",
device.last_contact_time))
def main():
parser = build_cli_parser("List VMware alert facets")
setup_parser_with_vmware_criteria(parser)
parser.add_argument("-F",
"--facet",
action="append",
choices=[
"ALERT_TYPE", "CATEGORY", "REPUTATION", "WORKFLOW",
"TAG", "POLICY_ID", "POLICY_NAME", "DEVICE_ID",
"DEVICE_NAME", "APPLICATION_HASH",
"APPLICATION_NAME", "STATUS", "RUN_STATE",
"POLICY_APPLIED_STATE", "POLICY_APPLIED",
"SENSOR_ACTION"
],
required=True,
help="Retrieve these fields as facet information")
args = parser.parse_args()
cb = get_cb_psc_object(args)
query = cb.select(VMwareAlert)
load_vmware_criteria(query, args)
facetinfos = query.facets(args.facet)
for facetinfo in facetinfos:
print("For field '{0}':".format(facetinfo["field"]))
for facetval in facetinfo["values"]:
print("\tValue {0}: {1} occurrences".format(
facetval["id"], facetval["total"]))
def main():
parser = build_cli_parser("List CB Analytics alerts")
setup_parser_with_cbanalytics_criteria(parser)
parser.add_argument("-S", "--sort_by", help="Field to sort the output by")
parser.add_argument("-R",
"--reverse",
action="store_true",
help="Reverse order of sort")
args = parser.parse_args()
cb = get_cb_psc_object(args)
query = cb.select(CBAnalyticsAlert)
load_cbanalytics_criteria(query, args)
if args.sort_by:
direction = "DESC" if args.reverse else "ASC"
query = query.sort_by(args.sort_by, direction)
alerts = list(query)
print("{0:40} {1:40s} {2:40s} {3}".format("ID", "Hostname", "Threat ID",
"Last Updated"))
for alert in alerts:
print("{0:40} {1:40s} {2:40s} {3}".format(alert.id, alert.device_name
or "None", alert.threat_id
or "Unknown",
alert.last_update_time))
def main():
parser = build_cli_parser("CB Runner")
subparsers = parser.add_subparsers(help="Sensor commands",
dest="command_name")
parser.add_argument("-J",
"--job",
action="store",
required=False,
default="job",
help="Name of the job to run.")
parser.add_argument("-LR",
"--lrprofile",
action="store",
required=False,
help="Live Response profile name configured in your \
credentials.psc file.")
parser.add_argument(
"-A",
"--actions",
required=True,
help="CSV file with a list of actions to run in the format \
of 'DeviceId, DeviceName, Command, Resource'")
args = parser.parse_args()
cb_psc = get_cb_psc_object(args)
cb_def = CbDefenseAPI(profile=args.lrprofile)
run_actions(args.actions, cb_def, cb_psc, args)
def main():
parser = build_cli_parser("Download device list in CSV format")
parser.add_argument("-q",
"--query",
help="Query string for looking for devices")
parser.add_argument("-A",
"--ad_group_id",
action="append",
type=int,
help="Active Directory Group ID")
parser.add_argument("-p",
"--policy_id",
action="append",
type=int,
help="Policy ID")
parser.add_argument("-s",
"--status",
action="append",
help="Status of device")
parser.add_argument("-P",
"--priority",
action="append",
help="Target priority of device")
parser.add_argument("-S", "--sort_by", help="Field to sort the output by")
parser.add_argument("-R",
"--reverse",
action="store_true",
help="Reverse order of sort")
parser.add_argument("-O",
"--output",
help="File to save output to (default stdout)")
args = parser.parse_args()
cb = get_cb_psc_object(args)
query = cb.select(Device)
if args.query:
query = query.where(args.query)
if args.ad_group_id:
query = query.set_ad_group_ids(args.ad_group_id)
if args.policy_id:
query = query.set_policy_ids(args.policy_id)
if args.status:
query = query.set_status(args.status)
if args.priority:
query = query.set_target_priorities(args.priority)
if args.sort_by:
direction = "DESC" if args.reverse else "ASC"
query = query.sort_by(args.sort_by, direction)
data = query.download()
if args.output:
file = open(args.output, "w")
file.write(data)
file.close()
else:
print(data)
def main():
parser = build_cli_parser("Bulk update the status of watchlist alerts")
setup_parser_with_watchlist_criteria(parser)
parser.add_argument(
"-R",
"--remediation",
help="Remediation message to store for the selected alerts")
parser.add_argument(
"-C",
"--comment",
help="Comment message to store for the selected alerts")
operation = parser.add_mutually_exclusive_group(required=True)
operation.add_argument("--dismiss",
action="store_true",
help="Dismiss all selected alerts")
operation.add_argument("--undismiss",
action="store_true",
help="Undismiss all selected alerts")
args = parser.parse_args()
cb = get_cb_psc_object(args)
query = cb.select(WatchlistAlert)
load_watchlist_criteria(query, args)
if args.dismiss:
reqid = query.dismiss(args.remediation, args.comment)
elif args.undismiss:
reqid = query.update(args.remediation, args.comment)
else:
raise NotImplementedError(
"one of --dismiss or --undismiss must be specified")
print("Submitted query with ID {0}".format(reqid))
statobj = cb.select(WorkflowStatus, reqid)
while not statobj.finished:
print("Waiting...")
sleep(1)
if statobj.errors:
print("Errors encountered:")
for err in statobj.errors:
print("\t{0}".format(err))
if statobj.failed_ids:
print("Failed alert IDs:")
for i in statobj.failed_ids:
print("\t{0}".format(err))
print("{0} total alert(s) found, of which {1} were successfully changed".
format(statobj.num_hits, statobj.num_success))
def main():
parser = build_cli_parser("Get suggestions for searching alerts")
parser.add_argument("-q",
"--query",
default="",
help="Query string for looking for alerts")
args = parser.parse_args()
cb = get_cb_psc_object(args)
suggestions = cb.alert_search_suggestions(args.query)
for suggestion in suggestions:
print("Search term: '{0}'".format(suggestion["term"]))
print("\tWeight: {0}".format(suggestion["weight"]))
print("\tAvailable with products: {0}".format(", ".join(
suggestion["required_skus_some"])))
def main():
parser = build_cli_parser("Send control messages to device")
parser.add_argument("-d",
"--device_id",
type=int,
required=True,
help="The ID of the device to be controlled")
subparsers = parser.add_subparsers(dest="command",
help="Device command help")
bgscan_p = subparsers.add_parser("background_scan",
help="Set background scanning status")
toggle = bgscan_p.add_mutually_exclusive_group(required=True)
toggle.add_argument("--on",
action="store_true",
help="Turn background scanning on")
toggle.add_argument("--off",
action="store_true",
help="Turn background scanning off")
bypass_p = subparsers.add_parser("bypass", help="Set bypass mode")
toggle = bypass_p.add_mutually_exclusive_group(required=True)
toggle.add_argument("--on", action="store_true", help="Enable bypass mode")
toggle.add_argument("--off",
action="store_true",
help="Disable bypass mode")
subparsers.add_parser("delete", help="Delete sensor")
subparsers.add_parser("uninstall", help="Uninstall sensor")
quarantine_p = subparsers.add_parser("quarantine",
help="Set quarantine mode")
toggle = quarantine_p.add_mutually_exclusive_group(required=True)
toggle.add_argument("--on",
action="store_true",
help="Enable quarantine mode")
toggle.add_argument("--off",
action="store_true",
help="Disable quarantine mode")
policy_p = subparsers.add_parser("policy", help="Update policy for node")
policy_p.add_argument("-p",
"--policy_id",
type=int,
required=True,
help="New policy ID to set for node")
sensorv_p = subparsers.add_parser("sensor_version",
help="Update sensor version for node")
sensorv_p.add_argument("-o",
"--os",
required=True,
help="Operating system for sensor")
sensorv_p.add_argument("-V",
"--version",
required=True,
help="Version number of sensor")
args = parser.parse_args()
cb = get_cb_psc_object(args)
dev = cb.select(Device, args.device_id)
if args.command:
if args.command == "background_scan":
dev.background_scan(toggle_value(args))
elif args.command == "bypass":
dev.bypass(toggle_value(args))
elif args.command == "delete":
dev.delete_sensor()
elif args.command == "uninstall":
dev.uninstall_sensor()
elif args.command == "quarantine":
dev.quarantine(toggle_value(args))
elif args.command == "policy":
dev.update_policy(args.policy_id)
elif args.command == "sensor_version":
dev.update_sensor_version({args.os: args.version})
else:
raise NotImplementedError("Unknown command")
print("OK")
else:
print(dev)
