def main(): parser = build_cli_parser("List devices") parser.add_argument("-q", "--query", help="Query string for looking for devices") parser.add_argument("-A", "--ad_group_id", action="append", type=int, help="Active Directory Group ID") parser.add_argument("-p", "--policy_id", action="append", type=int, help="Policy ID") parser.add_argument("-s", "--status", action="append", help="Status of device") parser.add_argument("-P", "--priority", action="append", help="Target priority of device") parser.add_argument("-S", "--sort_by", help="Field to sort the output by") parser.add_argument("-R", "--reverse", action="store_true", help="Reverse order of sort") args = parser.parse_args() cb = get_cb_psc_object(args) query = cb.select(Device) if args.query: query = query.where(args.query) if args.ad_group_id: query = query.set_ad_group_ids(args.ad_group_id) if args.policy_id: query = query.set_policy_ids(args.policy_id) if args.status: query = query.set_status(args.status) if args.priority: query = query.set_target_priorities(args.priority) if args.sort_by: direction = "DESC" if args.reverse else "ASC" query = query.sort_by(args.sort_by, direction) devices = list(query) print("{0:9} {1:40}{2:18}{3}".format("ID", "Hostname", "IP Address", "Last Checkin Time")) for device in devices: print("{0:9} {1:40s}{2:18s}{3}".format(device.id, device.name or "None", device.last_internal_ip_address or "Unknown", device.last_contact_time))
def main(): parser = build_cli_parser("List VMware alert facets") setup_parser_with_vmware_criteria(parser) parser.add_argument("-F", "--facet", action="append", choices=[ "ALERT_TYPE", "CATEGORY", "REPUTATION", "WORKFLOW", "TAG", "POLICY_ID", "POLICY_NAME", "DEVICE_ID", "DEVICE_NAME", "APPLICATION_HASH", "APPLICATION_NAME", "STATUS", "RUN_STATE", "POLICY_APPLIED_STATE", "POLICY_APPLIED", "SENSOR_ACTION" ], required=True, help="Retrieve these fields as facet information") args = parser.parse_args() cb = get_cb_psc_object(args) query = cb.select(VMwareAlert) load_vmware_criteria(query, args) facetinfos = query.facets(args.facet) for facetinfo in facetinfos: print("For field '{0}':".format(facetinfo["field"])) for facetval in facetinfo["values"]: print("\tValue {0}: {1} occurrences".format( facetval["id"], facetval["total"]))
def main(): parser = build_cli_parser("List CB Analytics alerts") setup_parser_with_cbanalytics_criteria(parser) parser.add_argument("-S", "--sort_by", help="Field to sort the output by") parser.add_argument("-R", "--reverse", action="store_true", help="Reverse order of sort") args = parser.parse_args() cb = get_cb_psc_object(args) query = cb.select(CBAnalyticsAlert) load_cbanalytics_criteria(query, args) if args.sort_by: direction = "DESC" if args.reverse else "ASC" query = query.sort_by(args.sort_by, direction) alerts = list(query) print("{0:40} {1:40s} {2:40s} {3}".format("ID", "Hostname", "Threat ID", "Last Updated")) for alert in alerts: print("{0:40} {1:40s} {2:40s} {3}".format(alert.id, alert.device_name or "None", alert.threat_id or "Unknown", alert.last_update_time))
def main(): parser = build_cli_parser("CB Runner") subparsers = parser.add_subparsers(help="Sensor commands", dest="command_name") parser.add_argument("-J", "--job", action="store", required=False, default="job", help="Name of the job to run.") parser.add_argument("-LR", "--lrprofile", action="store", required=False, help="Live Response profile name configured in your \ credentials.psc file.") parser.add_argument( "-A", "--actions", required=True, help="CSV file with a list of actions to run in the format \ of 'DeviceId, DeviceName, Command, Resource'") args = parser.parse_args() cb_psc = get_cb_psc_object(args) cb_def = CbDefenseAPI(profile=args.lrprofile) run_actions(args.actions, cb_def, cb_psc, args)
def main(): parser = build_cli_parser("Download device list in CSV format") parser.add_argument("-q", "--query", help="Query string for looking for devices") parser.add_argument("-A", "--ad_group_id", action="append", type=int, help="Active Directory Group ID") parser.add_argument("-p", "--policy_id", action="append", type=int, help="Policy ID") parser.add_argument("-s", "--status", action="append", help="Status of device") parser.add_argument("-P", "--priority", action="append", help="Target priority of device") parser.add_argument("-S", "--sort_by", help="Field to sort the output by") parser.add_argument("-R", "--reverse", action="store_true", help="Reverse order of sort") parser.add_argument("-O", "--output", help="File to save output to (default stdout)") args = parser.parse_args() cb = get_cb_psc_object(args) query = cb.select(Device) if args.query: query = query.where(args.query) if args.ad_group_id: query = query.set_ad_group_ids(args.ad_group_id) if args.policy_id: query = query.set_policy_ids(args.policy_id) if args.status: query = query.set_status(args.status) if args.priority: query = query.set_target_priorities(args.priority) if args.sort_by: direction = "DESC" if args.reverse else "ASC" query = query.sort_by(args.sort_by, direction) data = query.download() if args.output: file = open(args.output, "w") file.write(data) file.close() else: print(data)
def main(): parser = build_cli_parser("Bulk update the status of watchlist alerts") setup_parser_with_watchlist_criteria(parser) parser.add_argument( "-R", "--remediation", help="Remediation message to store for the selected alerts") parser.add_argument( "-C", "--comment", help="Comment message to store for the selected alerts") operation = parser.add_mutually_exclusive_group(required=True) operation.add_argument("--dismiss", action="store_true", help="Dismiss all selected alerts") operation.add_argument("--undismiss", action="store_true", help="Undismiss all selected alerts") args = parser.parse_args() cb = get_cb_psc_object(args) query = cb.select(WatchlistAlert) load_watchlist_criteria(query, args) if args.dismiss: reqid = query.dismiss(args.remediation, args.comment) elif args.undismiss: reqid = query.update(args.remediation, args.comment) else: raise NotImplementedError( "one of --dismiss or --undismiss must be specified") print("Submitted query with ID {0}".format(reqid)) statobj = cb.select(WorkflowStatus, reqid) while not statobj.finished: print("Waiting...") sleep(1) if statobj.errors: print("Errors encountered:") for err in statobj.errors: print("\t{0}".format(err)) if statobj.failed_ids: print("Failed alert IDs:") for i in statobj.failed_ids: print("\t{0}".format(err)) print("{0} total alert(s) found, of which {1} were successfully changed". format(statobj.num_hits, statobj.num_success))
def main(): parser = build_cli_parser("Get suggestions for searching alerts") parser.add_argument("-q", "--query", default="", help="Query string for looking for alerts") args = parser.parse_args() cb = get_cb_psc_object(args) suggestions = cb.alert_search_suggestions(args.query) for suggestion in suggestions: print("Search term: '{0}'".format(suggestion["term"])) print("\tWeight: {0}".format(suggestion["weight"])) print("\tAvailable with products: {0}".format(", ".join( suggestion["required_skus_some"])))
def main(): parser = build_cli_parser("Send control messages to device") parser.add_argument("-d", "--device_id", type=int, required=True, help="The ID of the device to be controlled") subparsers = parser.add_subparsers(dest="command", help="Device command help") bgscan_p = subparsers.add_parser("background_scan", help="Set background scanning status") toggle = bgscan_p.add_mutually_exclusive_group(required=True) toggle.add_argument("--on", action="store_true", help="Turn background scanning on") toggle.add_argument("--off", action="store_true", help="Turn background scanning off") bypass_p = subparsers.add_parser("bypass", help="Set bypass mode") toggle = bypass_p.add_mutually_exclusive_group(required=True) toggle.add_argument("--on", action="store_true", help="Enable bypass mode") toggle.add_argument("--off", action="store_true", help="Disable bypass mode") subparsers.add_parser("delete", help="Delete sensor") subparsers.add_parser("uninstall", help="Uninstall sensor") quarantine_p = subparsers.add_parser("quarantine", help="Set quarantine mode") toggle = quarantine_p.add_mutually_exclusive_group(required=True) toggle.add_argument("--on", action="store_true", help="Enable quarantine mode") toggle.add_argument("--off", action="store_true", help="Disable quarantine mode") policy_p = subparsers.add_parser("policy", help="Update policy for node") policy_p.add_argument("-p", "--policy_id", type=int, required=True, help="New policy ID to set for node") sensorv_p = subparsers.add_parser("sensor_version", help="Update sensor version for node") sensorv_p.add_argument("-o", "--os", required=True, help="Operating system for sensor") sensorv_p.add_argument("-V", "--version", required=True, help="Version number of sensor") args = parser.parse_args() cb = get_cb_psc_object(args) dev = cb.select(Device, args.device_id) if args.command: if args.command == "background_scan": dev.background_scan(toggle_value(args)) elif args.command == "bypass": dev.bypass(toggle_value(args)) elif args.command == "delete": dev.delete_sensor() elif args.command == "uninstall": dev.uninstall_sensor() elif args.command == "quarantine": dev.quarantine(toggle_value(args)) elif args.command == "policy": dev.update_policy(args.policy_id) elif args.command == "sensor_version": dev.update_sensor_version({args.os: args.version}) else: raise NotImplementedError("Unknown command") print("OK") else: print(dev)