def get_ips_rules(self):
ips_rules = dict()
search_criteria = api.SearchCriteria()
search_criteria.id_value = 0
search_criteria.id_test = 'greater-than'
search_filter = api.SearchFilter()
search_filter.max_items = 5000
search_filter.search_criteria = [search_criteria]
ips_api = api.IntrusionPreventionRulesApi(self.api_client)
while True:
try:
rule_list = ips_api.search_intrusion_prevention_rules(
self.api_version, search_filter=search_filter)
num_found = len(rule_list.intrusion_prevention_rules)
if num_found == 0:
break
except ApiException as e:
return 'Exception: ' + str(e)
for rule in rule_list.intrusion_prevention_rules:
ips_rules[rule.id] = rule
last_id = rule_list.intrusion_prevention_rules[-1].id
search_criteria.id_value = last_id
return ips_rules
def search_firewall_rules(api, configuration, api_version, api_exception):
""" Searches the firewall rules for any rule that contains DHCP in the rule name.
:param api: The Deep Security API modules.
:param configuration: Configuration object to pass to the api client.
:param api_version: The version of the API to use.
:param api_exception: The Deep Security API exception module.
:return: A list containing all firewall rules that match the search criteria.
"""
# Define the search criteria
search_criteria = api.SearchCriteria()
search_criteria.field_name = "name"
search_criteria.string_value = "%DHCP%"
search_criteria.string_test = "equal"
search_criteria.string_wildcards = True
# Create search filter to find the rule
search_filter = api.SearchFilter(None,[search_criteria])
# Create a FirewallRulesApi object
firewall_rules_api = api.FirewallRulesApi(api.ApiClient(configuration))
try:
# Perform the search
firewall_rules = firewall_rules_api.search_firewall_rules(api_version, search_filter=search_filter)
firewall_rules_list = []
for rule in firewall_rules.firewall_rules:
firewall_rules_list.append(rule)
return firewall_rules
except api_exception as e:
return "Exception: " + str(e)
def getIPSrules(cve):
# Initialization
# Set Any Required Values
api_instance = deepsecurity.IntrusionPreventionRulesApi(
deepsecurity.ApiClient(configuration))
api_version = 'v1'
# Set search criteria for the date range
search_criteria = deepsecurity.SearchCriteria()
search_criteria.field_name = "CVE"
search_criteria.string_value = "%" + cve + "%"
search_filter = deepsecurity.SearchFilter(None, [search_criteria])
try:
ipsrules = api_instance.search_intrusion_prevention_rules(
api_version, search_filter=search_filter)
i = 0
for ipsrid in ipsrules.intrusion_prevention_rules:
ipsruleidentifier = ipsrid.identifier
ipsrulename = ipsrid.name
print("ID: " + str(ipsruleidentifier), "- " + str(ipsrulename))
i += 1
except ApiException as e:
print(
"An exception occurred when calling IntrusionPreventionRulesApi.search_intrusion_prevention_rules: %s\n"
% e)
def tune_app_control(api, configuration, api_version, api_exception):
try:
# Create a PoliciesApi object
policies_api = api.PoliciesApi(api.ApiClient(configuration))
# List policies using version v1 of the API
policies_list = policies_api.list_policies(api_version)
# View the list of policies
# return policies_list
except api_exception as e:
return "Exception: " + str(e)
# Search computer in deep security dashboard
search_criteria = api.SearchCriteria()
search_criteria.field_name = "displayName"
search_criteria.string_value = '%' + search_name + '%'
search_criteria.string_test = "equal"
search_criteria.string_wildcards = True
# Create search filter to find computer
search_filter = api.SearchFilter(None, [search_criteria])
# Create a ComputerApi object
computer_api = api.ComputersApi(api.ApiClient(configuration))
try:
# Perform the search
computer_details = computer_api.search_computers(api_version, search_filter=search_filter)
ec2_instance_id = []
ds_ids = []
for ec2_details in computer_details.computers:
ec2_instance_id.append(ec2_details.ec2_virtual_machine_summary.instance_id)
ds_ids.append(ec2_details.id)
# Set the Reconnaissance Scan value
setting_value = api.SettingValue()
setting_value.value = "true"
# Add the SettingValue to a ComputerSettings object
computer_settings = api.ComputerSettings()
computer_settings.firewall_setting_reconnaissance_enabled = setting_value
app_controll_settings = api.ApplicationControlComputerExtension()
app_controll_settings.state = app_control_status
# Add the ComputerSettings object to a Computer object
computer = api.Computer()
computer.computer_settings = computer_settings
computer.application_control = app_controll_settings
for ds_id in ds_ids:
computer_api.modify_computer(ds_id, computer, api_version, overrides=True)
return ec2_instance_id
except api_exception as e:
return "Exception: " + str(e)
def get_affected_instance_in_deep_security(instance_id):
"""
Find and return the specified instance in Deep Security
Returns a deepsecurity.computers.Computer object or None
"""
result = None
# if not DSM: return result
DSM_computer = client.ComputersApi(client.ApiClient(configuration))
try:
# NEED TO CHANGE THIS CODE TO SEARCH SPECIFIC INSTANCE ID
search_filter = deepsecurity.SearchFilter()
overrides = True
response = DSM_computer.search_computers('v1', search_filter=search_filter, overrides=overrides)
for computer in response.computers:
if computer.ec2_virtual_machine_summary.instance_id == instance_id:
attr = vars(computer)
print(attr['_id'])
print(type(attr['_id']))
return attr['_id']
except api_exception as ex:
print("Could not find the instance in Deep Security. Threw exception: {}".format(ex))
def lambda_handler(event, context):
global DSM
global configuration
configuration = client.Configuration()
# DSM_policy = client.PoliciesApi(client.ApiClient(configuration))
# DSM_client = client.ComputersApi(client.ApiClient(configuration))
ds_api_key = '2:CC8BLAbBl8VH5sfPFjygafiV7heQc9fkHhDWkNjsxRk='
ds_hostname = 'app.deepsecurity.trendmicro.com'
ds_port = '443'
# ds_ignore_ssl_validation = None
# if 'dsIgnoreSslValidation' in os.environ: ds_ignore_ssl_validation = os.environ['dsIgnoreSslValidation']
try:
# DSM connection string
configuration.host = 'https://' + ds_hostname + ':' + ds_port + '/api'
configuration.verify_ssl = False
# Authentication
configuration.api_key['api-secret-key'] = ds_api_key
api_version = 'v1'
print("Signed into Deep Security")
except api_exception as ex:
print(
"Could not successfully sign into Deep Security. Threw exception: {}"
.format(ex))
# From here we have to fetch data
DSM_computer = client.ComputersApi(client.ApiClient(configuration))
try:
# NEED TO CHANGE THIS CODE TO SEARCH SPECIFIC INSTANCE ID
search_filter = deepsecurity.SearchFilter()
overrides = False
response = DSM_computer.search_computers('v1',
search_filter=search_filter,
overrides=overrides)
for computer in response.computers:
if computer.ec2_virtual_machine_summary.instance_id == 'i-0ab687235eddfb3ad':
attr = vars(computer)
instance_in_ds = attr['_id']
api_instance = deepsecurity.ScheduledTasksApi(
deepsecurity.ApiClient(configuration))
scheduled_task = deepsecurity.ScheduledTask(
).scan_for_recommendations_task_parameters
res = api_instance.create_scheduled_task(
scheduled_task, api_version)
print("Found the instance in Deep Security as computer {}".format(
len(response.computers)))
except api_exception as ex:
print(
"Could not find the instance in Deep Security. Threw exception: {}"
.format(ex))
def GetAllComputers(configuration):
expand = Expand(Expand.ec2_virtual_machine_summary)
expndList = expand.list()
# Set search criteria
search_criteria = api.SearchCriteria()
search_criteria.id_value = 0
search_criteria.id_test = "greater-than"
# Create a search filter with maximum returned items
page_size = 50
search_filter = api.SearchFilter()
search_filter.max_items = page_size
search_filter.search_criteria = [search_criteria]
# Perform the search and do work on the results
computers_api = api.ComputersApi(api.ApiClient(configuration))
paged_computers = []
while True:
try:
t0 = time.time()
computers = computers_api.search_computers(
api_version, search_filter=search_filter, expand=expndList)
t1 = time.time()
num_found = len(computers.computers)
current_paged_computers = []
if num_found == 0:
print("No computers found.")
break
for computer in computers.computers:
current_paged_computers.append(computer)
paged_computers.append(current_paged_computers)
# Get the ID of the last computer in the page and return it with the number of computers on the page
last_id = computers.computers[-1].id
search_criteria.id_value = last_id
print("Last ID: " + str(last_id),
"Computers found: " + str(num_found))
print("Return rate: {0} hosts/sec".format(num_found / (t1 - t0)))
if num_found != page_size:
print("Num_found {0} - Page size is {1}".format(
num_found, page_size))
except api_exception as e:
print("Exception: {0}".format(str(e)))
return paged_computers
def search_ips_rules(self, criteria):
max_items = None
search_filter = deepsecurity.SearchFilter(max_items, criteria)
im_api = deepsecurity.IntrusionPreventionRulesApi(
deepsecurity.ApiClient(self.api_config))
try:
api_response = im_api.search_intrusion_prevention_rules(
self.version, search_filter=search_filter)
except Exception as e:
raise
return api_response.intrusion_prevention_rules
def search_im_rules(self, criteria):
max_items = None
search_filter = deepsecurity.SearchFilter(max_items, criteria)
im_api = deepsecurity.IntegrityMonitoringRulesApi(
deepsecurity.ApiClient(self.api_config))
try:
api_response = im_api.search_integrity_monitoring_rules(
self.version, search_filter=search_filter)
except Exception as e:
raise
return api_response.integrity_monitoring_rules
def _find_exact_match(self, search_field, search_string, object_api):
search_criteria = api.SearchCriteria()
search_criteria.field_name = search_field
search_criteria.string_test = 'equal'
search_criteria.string_value = search_string
search_filter = api.SearchFilter(None, [search_criteria])
search_filter.max_items = 1
try:
result = object_api(self.api_version, search_filter=search_filter)
return result
except ApiException as e:
print(str(e))
sys.exit(1)
def get_connector_id(self, aws_account_id):
search_filter = deepsecurity.SearchFilter(search_criteria={
"fieldName": "accountId",
"stringValue": aws_account_id
})
try:
connectors = self.connectorClient.search_aws_connectors(
self.apiVersion, search_filter=search_filter)
logger.info(
f"Connector ID {connectors.aws_connectors[0].id} found for accountid {aws_account_id}"
)
return connectors.aws_connectors[0].id
except ApiException as e:
logger.info(
"An exception occurred when calling AWSConnectorSettingsApi.list_aws_connector_settings: %s\n"
% e)
except Exception as e:
logger.info(e)
def GetAllGroups(self, configuration):
# Set search criteria
search_criteria = api.SearchCriteria()
search_criteria.id_value = 0
search_criteria.id_test = "greater-than"
# Create a search filter with maximum returned items
page_size = 5000
search_filter = api.SearchFilter()
search_filter.max_items = page_size
search_filter.search_criteria = [search_criteria]
groupsapi = api.ComputerGroupsApi(api.ApiClient(configuration))
paged_groups = []
try:
while True:
t0 = time.time()
groups = groupsapi.search_computer_groups(
api_version, search_filter=search_filter)
t1 = time.time()
num_found = len(groups.computer_groups)
if num_found == 0:
print("No groups found.")
break
paged_groups.extend(groups.computer_groups)
# Get the ID of the last group in the page and return it with the number of groups on the page
last_id = groups.computer_groups[-1].id
search_criteria.id_value = last_id
print("Last ID: " + str(last_id),
"Groups found: " + str(num_found))
print("Return rate: {0} groups/sec".format(num_found /
(t1 - t0)))
if num_found != page_size:
print("Num_found {0} - Page size is {1}".format(
num_found, page_size))
except api_exception as e:
return "Exception: " + str(e)
return paged_groups
expand_options.add(api.Expand.security_updates)
expand_options.add(api.Expand.intrusion_prevention)
expand_options.add(api.Expand.anti_malware)
expand_options.add(api.Expand.interfaces)
expand_options.add(api.Expand.azure_arm_virtual_machine_summary)
expand = expand_options.list()
overrides = False
# Set search criteria
search_criteria = api.SearchCriteria()
search_criteria.id_value = 0
search_criteria.id_test = "greater-than"
# Create a search filter with maximum returned items
page_size = 50
search_filter = api.SearchFilter()
search_filter.max_items = page_size
search_filter.search_criteria = [search_criteria]
# Add column titles to comma-separated values string
csv = "Host Name;Displayname;DNS Name;Agent version;Platform;IP Address;Agent Status;Agent Status Message;PolicyId;GroupId;Last Communication;Last Policy Sent;Last Policy Success;Update Status;AM Module State;AM Status;AM Status Message;AM Update Status;IPS Status;IPS Status Message\n"
try:
# Perform the search and do work on the results
print("Start reading computers")
while True:
computers = api_instance.search_computers(api_version,
search_filter=search_filter,
expand=expand,
overrides=False)
num_found = len(computers.computers)
# Authentication
configuration.api_key['api-secret-key'] = '2:PZGmBIe8rcKSF6fK2HeMkoyh5ZrC/fQeeyJyUjcpzyk='
# Initialization
# Set Any Required Values
api_instance = deepsecurity.PoliciesApi(deepsecurity.ApiClient(configuration))
api_version = 'v1'
search_criteria = deepsecurity.SearchCriteria()
search_criteria.field_name = "name"
search_criteria.string_test = "equal"
search_criteria.string_value = "%Linux Server%"
# Create a search filter
search_filter = deepsecurity.SearchFilter(None, [search_criteria])
policies_api = deepsecurity.PoliciesApi(deepsecurity.ApiClient(configuration))
computers_api = deepsecurity.ComputersApi(deepsecurity.ApiClient(configuration))
computer = deepsecurity.Computer()
try:
# Perform the search
policy_search_results = policies_api.search_policies(api_version, search_filter=search_filter)
# Assign the policy to the computer
computer.policy_id = REPLACE_WITH_THE_POLICY_ID_TO_ASSIGN
computers_api.modify_computer(REPLACE_WITH_THE_COMPUTER_ID_TO_MODIFY, computer, api_version)
except ApiException as e:
pprint( "Exception: " + str(e))
def _GetGroupComputers(self, configuration, groupID):
# Set search group criteria
search_group_criteria = api.SearchCriteria()
search_group_criteria.field_name = "groupID"
if groupID:
search_group_criteria.numeric_value = groupID
search_group_criteria.numeric_test = "equal"
else:
search_group_criteria.null_test = True
# Set search criteria
search_criteria = api.SearchCriteria()
search_criteria.id_value = 0
search_criteria.id_test = "greater-than"
# Create a search filter with maximum returned items
page_size = 250
search_filter = api.SearchFilter()
search_filter.max_items = page_size
search_filter.search_criteria = [
search_criteria, search_group_criteria
]
# Perform the search and do work on the results
computers_api = api.ComputersApi(api.ApiClient(configuration))
paged_computers = []
while True:
try:
expand = Expand(Expand.ec2_virtual_machine_summary)
t0 = time.time()
computers = computers_api.search_computers(
api_version,
search_filter=search_filter,
expand=expand.list())
t1 = time.time()
num_found = len(computers.computers)
current_paged_computers = []
if num_found == 0:
#This gets noise with so many threads
#print("No computers found.")
break
for computer in computers.computers:
current_paged_computers.append(computer)
paged_computers.append(current_paged_computers)
# Get the ID of the last computer in the page and return it with the number of computers on the page
last_id = computers.computers[-1].id
search_criteria.id_value = last_id
print("Last ID: " + str(last_id),
"Computers found: " + str(num_found))
print("Return rate: {0} hosts/sec".format(num_found /
(t1 - t0)))
if num_found != page_size:
print("Num_found {0} - Page size is {1}".format(
num_found, page_size))
except api_exception as e:
print("Exception: {0}".format(str(e)))
return paged_computers
def __init__(self):
self.api_config = deepsecurity.Configuration()
self.api_version = ''
self.API_CONFIG_PATH = "config/api_config.yml"
self.MAX_RETRY_ERROR_MSG = "ERROR: Failed to establish connection - Make sure the hostname is correct"
self.MAX_ITEMS_PER_PAGE = 1000 #Up To 5000
expand_options = deepsecurity.Expand()
expand_options.add(
# deepsecurity.Expand.anti_malware,
# deepsecurity.Expand.application_control,
# deepsecurity.Expand.firewall,
# deepsecurity.Expand.web_reputation,
# deepsecurity.Expand.log_inspection,
# deepsecurity.Expand.integrity_monitoring,
# deepsecurity.Expand.intrusion_prevention,
# deepsecurity.Expand.computer_settings,
# deepsecurity.Expand.computer_status,
# deepsecurity.Expand.ec2_virtual_machine_summary,
# deepsecurity.Expand.azure_arm_virtual_machine_summary,
# deepsecurity.Expand.azure_vm_virtual_machine_summary,
# deepsecurity.Expand.gcp_virtual_machine_summary
deepsecurity.Expand.all
)
self.COMPUTER_EXPAND = expand_options.list()
search_criteria = deepsecurity.SearchCriteria()
search_criteria.id_value = 0
search_criteria.id_test = "greater-than"
self.SEARCH_FILTER = deepsecurity.SearchFilter(max_items=self.MAX_ITEMS_PER_PAGE, search_criteria=search_criteria)
#Turns off warnings unless specified
if not sys.warnoptions:
warnings.simplefilter("ignore")
file_config = dict()
try:
with open(self.API_CONFIG_PATH, "r", encoding = 'utf-8') as cfg_fd:
file_config = yaml.safe_load(cfg_fd.read())
if file_config is None:
file_config = dict()
self.api_config.host = file_config["host"]
self.api_config.api_key['api-secret-key'] = file_config["api-secret-key"]
self.api_version = file_config["api-version"]
if not "https://" in self.api_config.host:
self.api_config.host = "https://"+self.api_config.host
except Exception as e:
print(Fore.LIGHTRED_EX + "Error while loading the config/api_config.yml file, resetting it...")
try:
os.makedirs("config")
except Exception as e:
pass
try:
if "host" not in file_config or file_config["host"] == "https://<Your DSM Hostname or IP>:<DSM Port>/api" or \
"api-secret-key" not in file_config or file_config["api-secret-key"] == "" or "api-version" not in file_config:
print(Fore.LIGHTRED_EX+"CONFIG FILE NOT SET!")
print("{}Insert the DSM host (link) following this example {}[{}https://{}<Your DSM Hostname or IP>{}:{}<DSM Port if on-premise>{}/api{}]".
format(Fore.LIGHTCYAN_EX, Fore.LIGHTWHITE_EX,Fore.LIGHTBLUE_EX, Fore.LIGHTGREEN_EX,Fore.LIGHTWHITE_EX,Fore.LIGHTRED_EX,Fore.LIGHTMAGENTA_EX,Fore.LIGHTWHITE_EX))
self.api_config.host = input("Inset the DSM Host: ").rstrip().lstrip()
file_config["host"] = self.api_config.host
if self.api_config.host == "":
raise TypeError("Empty Host Configuration is NOT VALID")
print(Fore.LIGHTCYAN_EX + "Insert the secret key for the API (Check the documentation if lost)")
self.api_config.api_key['api-secret-key'] = input("Inset the Api Secret key: ").rstrip().lstrip()
file_config["api-secret-key"] = self.api_config.api_key['api-secret-key']
if self.api_config.api_key['api-secret-key'] == "":
raise TypeError("Empty key Configuration is NOT VALID")
self.api_version = "v1"
file_config["api-version"] = self.api_version
print(Fore.LIGHTGREEN_EX + "Saving to config/api_config.yml (you can modify the info here)")
try:
with open(self.API_CONFIG_PATH, "w+") as config:
yaml.dump(file_config,config, default_flow_style=False)
except Exception as e:
print("Could not save configs to file, you will have to type them again later")
except Exception as e:
raise IOError("Corrupted api_config, please re download the file: " + str(e))
if self.api_config.host is None or self.api_config.api_key is None or self.api_version is None:
raise TypeError( ("API Configuration values on {} are NOT VALID".format(self.API_CONFIG_PATH)))
