def _fn_amp_delete_file_list_files_function(self, event, *args, **kwargs):
"""Function: Delete file list item with a given SHA-256 and associated to file list with given file_list_guid."""
try:
# Get the function parameters:
amp_file_list_guid = kwargs.get("amp_file_list_guid") # text
amp_file_sha256 = kwargs.get("amp_file_sha256") # text
log = logging.getLogger(__name__)
log.info("amp_file_list_guid: %s", amp_file_list_guid)
log.info("amp_file_sha256: %s", amp_file_sha256)
if is_none(amp_file_list_guid):
raise ValueError(
"Required parameter 'amp_file_list_guid' not set.")
if is_none(amp_file_sha256):
raise ValueError(
"Required parameter 'amp_file_sha256' not set.")
yield StatusMessage(
"Running Cisco AMP for endpoints delete file lists files by guid and sha256..."
)
params = {
"file_list_guid": amp_file_list_guid,
"file_sha256": amp_file_sha256
}
validate_params(params)
amp = Ampclient(self.options, RATE_LIMITER)
rtn = amp.delete_file_list_files(**params)
query_execution_time = datetime.now().strftime('%Y-%m-%d %H:%M:%S')
# Add in "query_execution_time" and "ip_address" to result to facilitate post-processing.
results = {
"response": json.loads(json.dumps(rtn)),
"query_execution_time": query_execution_time,
"input_params": params
}
yield StatusMessage(
"Returning 'delete file lists files' results for file list guid '{}' and sha256 value "
"'{}'.".format(params["file_list_guid"],
params["file_sha256"]))
log.debug(json.dumps(results))
# Produce a FunctionResult with the results
yield FunctionResult(results)
except Exception:
yield FunctionError()
def _fn_amp_move_computer_function(self, event, *args, **kwargs):
"""Function: Move computer to a group with given connector guid and group guid."""
try:
# Get the function parameters:
amp_conn_guid = kwargs.get("amp_conn_guid") # text
amp_group_guid = kwargs.get("amp_group_guid") # text
log = logging.getLogger(__name__)
log.info("amp_conn_guid: %s", amp_conn_guid)
log.info("amp_group_guid: %s", amp_group_guid)
if is_none(amp_conn_guid):
raise ValueError("Required parameter 'amp_conn_guid' not set.")
if is_none(amp_group_guid):
raise ValueError(
"Required parameter 'amp_group_guid' not set.")
yield StatusMessage(
"Running Cisco AMP for endpoints get computer by guid query..."
)
params = {
"conn_guid": amp_conn_guid,
"group_guid": amp_group_guid,
}
validate_params(params)
amp = Ampclient(self.options, RATE_LIMITER)
rtn = amp.move_computer(params["conn_guid"], params["group_guid"])
query_execution_time = datetime.now().strftime('%Y-%m-%d %H:%M:%S')
# Add in "query_execution_time" and "response" to result to facilitate post-processing.
results = {
"response": rtn,
"query_execution_time": query_execution_time,
"input_params": params
}
yield StatusMessage(
"Returning 'move computer' results for connector guid '{}' and new group guid '{}'."
.format(params["conn_guid"], params["group_guid"]))
log.debug(json.dumps(results))
# Produce a FunctionResult with the results
yield FunctionResult(results)
except Exception:
log.exception(
"Exception in Resilient Function for Cisco AMP for endpoints.")
yield FunctionError()
def _fn_amp_get_file_list_files_function(self, event, *args, **kwargs):
"""Function: Returns a list of items for a particular file_list. You need to provide file_list_guid
to retrieve these items."""
try:
# Get the function parameters:
amp_file_list_guid = kwargs.get("amp_file_list_guid") # text
amp_file_sha256 = kwargs.get("amp_file_sha256") # text
amp_limit = kwargs.get("amp_limit") # number
amp_offset = kwargs.get("amp_offset") # number
log = logging.getLogger(__name__)
log.info("amp_file_list_guid: %s", amp_file_list_guid)
log.info("amp_file_sha256: %s", amp_file_sha256)
log.info("amp_limit: %s", amp_limit)
log.info("amp_offset: %s", amp_offset)
if is_none(amp_file_list_guid):
raise ValueError(
"Required parameter 'amp_file_list_guid' not set.")
yield StatusMessage(
"Running Cisco AMP for endpoints get file lists files by guid..."
)
params = {
"file_list_guid": amp_file_list_guid,
"file_sha256": amp_file_sha256,
"limit": amp_limit,
"offset": amp_offset
}
validate_params(params)
amp = Ampclient(self.options, RATE_LIMITER)
rtn = amp.get_paginated_total(amp.get_file_list_files, **params)
query_execution_time = datetime.now().strftime('%Y-%m-%d %H:%M:%S')
# Add in "query_execution_time" and "ip_address" to result to facilitate post-processing.
results = {
"response": rtn,
"query_execution_time": query_execution_time,
"input_params": params
}
yield StatusMessage(
"Returning 'file list files' results for file list guid '{}'.".
format(params["file_list_guid"]))
log.debug(json.dumps(results))
# Produce a FunctionResult with the results
yield FunctionResult(results)
except Exception:
log.exception(
"Exception in Resilient Function for Cisco AMP for endpoints.")
yield FunctionError()
def _fn_amp_set_file_list_files_function(self, event, *args, **kwargs):
"""Function: Add a SHA-256 to a file list using file_list_guid."""
try:
# Get the function parameters:
amp_file_list_guid = kwargs.get("amp_file_list_guid") # text
amp_file_sha256 = kwargs.get("amp_file_sha256") # text
amp_file_description = kwargs.get("amp_file_description") # text
log = logging.getLogger(__name__)
log.info("amp_file_list_guid: %s", amp_file_list_guid)
log.info("amp_file_sha256: %s", amp_file_sha256)
log.info("amp_file_description: %s", amp_file_description)
if is_none(amp_file_list_guid):
raise ValueError(
"Required parameter 'amp_file_list_guid' not set.")
if is_none(amp_file_sha256):
raise ValueError(
"Required parameter 'amp_file_sha256' not set.")
if is_none(amp_file_description):
raise ValueError(
"Required parameter 'amp_file_description' not set.")
yield StatusMessage(
"Running Cisco AMP for endpoints set file lists file by guid and sha256 ..."
)
params = {
"file_list_guid": amp_file_list_guid,
"file_sha256": amp_file_sha256,
"description": amp_file_description
}
validate_params(params)
amp = Ampclient(self.options, RATE_LIMITER)
rtn = amp.set_file_list_files(**params)
query_execution_time = datetime.now().strftime('%Y-%m-%d %H:%M:%S')
# Add in "query_execution_time" and "ip_address" to result to facilitate post-processing.
if "errors" in rtn and rtn["errors"][0]["error_code"] == 409:
# If this error was trapped user probably tried to re-add a sha256 to a file list.
yield StatusMessage(
"Got a 409 error while attempting to set a sha256 '{0}' to list with guid '{1}' because of a possible "
"attempt to redo a set operation.".format(
params["file_sha256"], params["file_list_guid"]))
else:
yield StatusMessage(
"Returning 'set file lists files' results for file list guid '{}', sha256 value "
"'{}' and description '{}'.".format(
params["file_list_guid"], params["file_sha256"],
params["description"]))
results = {
"response": rtn,
"query_execution_time": query_execution_time,
"input_params": params
}
log.debug(json.dumps(results))
# Produce a FunctionResult with the results
yield FunctionResult(results)
except Exception:
log.exception(
"Exception in Resilient Function for Cisco AMP for endpoints.")
yield FunctionError()
def _fn_amp_get_computer_function(self, event, *args, **kwargs):
"""Function: Returns a computer with an agent deployed on them by connector guid."""
try:
# Get the function parameters:
amp_conn_guid = kwargs.get("amp_conn_guid") # text
log = logging.getLogger(__name__)
log.info("amp_conn_guid: %s", amp_conn_guid)
if is_none(amp_conn_guid):
raise ValueError("Required parameter 'amp_conn_guid' not set.")
yield StatusMessage(
"Running Cisco AMP for endpoints get computer by guid query..."
)
params = {"conn_guid": amp_conn_guid}
validate_params(params)
amp = Ampclient(self.options, RATE_LIMITER)
rtn = amp.get_computer(amp_conn_guid)
query_execution_time = datetime.now().strftime('%Y-%m-%d %H:%M:%S')
# Add in "query_execution_time" to facilitate post-processing.
if "errors" in rtn and rtn["errors"][0]["error_code"] == 404:
# If this error was trapped user probably tried to get information on invalid connector guid.
yield StatusMessage(
"Got a 404 error while attempting to get computer information for connector guid '{0}' "
"because of a possible invalid or deleted guid.".format(
params["conn_guid"]))
else:
yield StatusMessage(
"Returning 'computer by guid' results for connector guid '{}'."
.format(params["conn_guid"]))
results = {
"response": rtn,
"query_execution_time": query_execution_time,
"input_params": params
}
log.debug(json.dumps(results))
# Produce a FunctionResult with the results
yield FunctionResult(results)
except ValueError as ve:
# Trap ValueErrors so we can send unicode ValueErrors back to safely to Resilient
# as a StatusMessage.
if version_info.major == 2:
ve_msg = ve.message
else:
ve_msg = ve.args[0]
yield StatusMessage("{0}".format(ve_msg))
log.exception(
"ValueError in Resilient Function for Cisco AMP for endpoints."
.format(ve_msg))
raise ValueError(
"A ValueError exception was raised by function fn_amp_get_computer"
)
except Exception:
log.exception(
"Exception in Resilient Function for Cisco AMP for endpoints.")
yield FunctionError()