def check(self):
client_secret = auth.getPasswordFromENC(self.client_secret)
sophosAPI = sophos.sophos(certSettings["ca"], self.client_id,
client_secret, self.XOrganizationID)
for tenant in self.tenants:
if sophosAPI.setTenant(tenant):
alerts = sophosAPI.getAlerts(
["category={}".format(",".join(self.category))])
self.result["events"] = {**alerts, "estate": tenant}
def run(self, data, persistentData, actionResult):
endpointID = helpers.evalString(self.endpointID, {"data": data})
tenant = helpers.evalString(self.tenant, {"data": data})
client_secret = auth.getPasswordFromENC(self.client_secret)
sophos = sophosApi.sophos(None, self.client_id, client_secret,
self.XOrganizationID)
sophos.setTenant(tenant)
res = sophos.getTamperProtection(endpointID)
if res["result"]:
actionResult["result"] = True
actionResult["rc"] = 0
actionResult["data"] = res["data"]
return actionResult
def check(self):
if not hasattr(self,"client_secret_plain"):
self.client_secret_plain = auth.getPasswordFromENC(self.client_secret)
sophosAPI = sophos.sophos(certSettings["ca"],self.client_id,self.client_secret_plain,self.XOrganizationID)
self.filters.append("view=full")
for tenant in self.tenants:
computers = []
if sophosAPI.setTenant(tenant):
computers = sophosAPI.getEndpoints(filters=self.filters)
if computers["result"]:
for computer in computers["data"]:
result = {}
# Name
if "hostname" in computer:
result["name"] = computer["hostname"].lower()
# LastSeen converted to epoch
if "lastSeenAt" in computer:
result["lastSeen"] = int(datetime.datetime.strptime(computer["lastSeenAt"],"%Y-%m-%dT%H:%M:%S.%fZ").timestamp()*1000)
# OS
if "os" in computer:
if "platform" in computer["os"]:
result["platform"] = computer["os"]["platform"].lower()
if result["platform"] == "windows":
if "name" in computer["os"]:
os = re.search('(.*) ((pro|enterprise|standard|datacenter))', computer["os"]["name"], re.IGNORECASE)
if os:
result["operatingSystem"] = os.group(1).lower()
result["operatingSystemEdition"] = os.group(2).lower()
if "build" in computer["os"]:
result["operatingSystemBuild"] = computer["os"]["build"]
if "majorVersion" in computer["os"] and "minorVersion" in computer["os"]:
result["operatingSystemVersion"] = "{0}.{1}".format(computer["os"]["majorVersion"],computer["os"]["minorVersion"])
elif result["platform"] == "linux":
if "name" in computer["os"]:
os = re.search('(.*) ((pro|enterprise|standard|datacenter)).*([0-9]\.[0-9]*)', computer["os"]["name"], re.IGNORECASE)
if os:
result["operatingSystem"] = os.group(1).lower()
result["operatingSystemEdition"] = os.group(2).lower()
result["operatingSystemVersion"] = os.group(2)
elif result["platform"] == "macOS":
result["operatingSystem"] = result["platform"]
if "majorVersion" in computer["os"] and "minorVersion" in computer["os"]:
result["operatingSystemVersion"] = "{0}.{1}".format(computer["os"]["majorVersion"],computer["os"]["minorVersion"])
if "build" in computer["os"]:
result["operatingSystemBuild"] = computer["os"]["build"]
# IP
if "ipv4Addresses" in computer:
if type(computer["ipv4Addresses"]) is list:
result["src_ip"] = computer["ipv4Addresses"][0]
# User
if "associatedPerson" in computer:
if "viaLogin" in computer["associatedPerson"]:
if "\\" in computer["associatedPerson"]["viaLogin"]:
userInfo = re.search('(.*)\\\\(.*)', computer["associatedPerson"]["viaLogin"], re.IGNORECASE)
if userInfo:
user = userInfo.group(2)
domain = userInfo.group(1)
else:
user = computer["associatedPerson"]["viaLogin"]
result["user"] = user.lower()
result["domain"] = domain.lower()
# Estate
result["estate"] = tenant
# Other Sophos Values
if "tamperProtectionEnabled" in computer:
result["tamperProtection"] = computer["tamperProtectionEnabled"]
versions = {}
if "assignedProducts" in computer:
for product in computer["assignedProducts"]:
if product["status"] == "installed":
versions[product["code"]] = product["version"]
result["versions"] = versions
if "health" in computer:
result["health"] = computer["health"]["overall"]
result["sophos_id"] = computer["id"]
self.result["events"].append(result)