def get_hostname_from_sha( query_params="", host=env.AMP.get("host"), client_id=env.AMP_CLIENT_ID, api_key=env.AMP_API_KEY, ): """Get a list of recent events from Cisco AMP.""" print("\n==> Getting events from AMP") i_got_it = 0 if i_got_it == 0: print(cyan(env.get_line(), bold=True)) print( yellow( "Second : Call the correct AMP API with the correct syntax...The API call which gives you the list of all infected endpoints " )) print() print(yellow("Hint :")) print( yellow( "https://api-docs.amp.cisco.com/api_actions/details?api_action=GET+%2Fv1%2Fevents&api_host=api.eu.amp.cisco.com&api_resource=Event&api_version=v1" )) print() print( yellow( "Change the value of i_got_it to 1 in order to move forward")) sys.exit() #url = f"https://{client_id}:{api_key}@{host}/v1/events" response = requests.get(url, params=query_params, verify=False) if debug: print(cyan(env.get_line(), bold=True)) print(cyan(response.json())) # Consider any status other than 2xx an error response.raise_for_status() events_list = response.json() if debug: events_list = response.json() print(green((events_list))) for events in events_list: #hostname=event['computer']['hostname'] print(red(events)) ''' hostname=response.json()['data'][0]['computer']['hostname'] return hostname ''' events_list = response.json()['data'] return events_list
def get_amp_events(query_params="", host=env.AMP.get("host"), client_id=env.AMP_CLIENT_ID, api_key=env.AMP_API_KEY, ): """Get a list of recent events from Cisco AMP.""" print("\n==> Getting events from AMP") url = f"https://{client_id}:{api_key}@{host}/v1/events" response = requests.get(url, params=query_params, verify=False) if debug:#PATRICK print(cyan(env.get_line(),bold=True)) print(cyan(response.json())) # Consider any status other than 2xx an error response.raise_for_status() events_list = response.json()["data"] return events_list
computers_list = response.json()["data"] for computer in computers_list: if computer['hostname']==hostname: comp_guid=computer['connector_guid'] return comp_guid def write_events_to_file(filepath, ampevents): with open(computers_path, "w") as file: json.dump(ampevents, file, indent=2) if __name__ == "__main__": # Get the list of computers from AMP print (yellow("TODO :")) i_got_it=0 if i_got_it==0: print(cyan(env.get_line(),bold=True)) print (yellow("First : assign the correct value to the variable : sha ")) print (yellow("Change the value of i_got_it to 1 in order to move forward")) sys.exit() sha="MISSION - PASTE HERE THE SHA256" amp_query_params = f"detection_sha256={sha}" i_got_it=0 if i_got_it==0: print(cyan(env.get_line(),bold=True)) print (yellow("Third : Call the correct function with the correct query params ")) print (yellow("Hint : ")) print (yellow("https://www.base64decode.org/")) print (yellow("Here under the solution :")) print (yellow("Change the value of i_got_it to 1 in order to move forward"))