def MAR_Query(self, mar_search_str):
# Create the client
with DxlClient(self.config) as client:
# Connect to the fabric
client.connect()
# Create the McAfee Active Response (MAR) client
marclient = MarClient(client)
marclient.response_timeout = 30
# Start the search
results_context = marclient.search(
projections=[{
"name": "HostInfo",
"outputs": ["hostname", "ip_address"]
}],
conditions={"or": [{
"and": mar_search_str
}]})
# Iterate the results of the search
if results_context.has_results:
results = results_context.get_results()
for item in results[ResultConstants.ITEMS]:
yield (item['output']['HostInfo|ip_address'])
def action(md5):
CONFIG_FILE = "path to the config file"
config = DxlClientConfig.create_dxl_config_from_file(CONFIG_FILE)
with DxlClient(config) as client:
client.connect()
marclient = MarClient(client)
results_context = \
marclient.search(
projections=[{
"name": "HostInfo",
"outputs": ["hostname","ip_address"]
}, {
"name": "Files",
"outputs": ["md5","status"]
}],
conditions={
"or": [{
"and": [{
"name": "Files",
"output": "md5",
"op": "EQUALS",
"value": md5
}]
}]
}
)
if results_context.has_results:
results = results_context.get_results()
return results
else:
pass
def MAR_Query(self, mar_search_str):
# Create the client
with DxlClient(self.config) as client:
# Connect to the fabric
client.connect()
# Create the McAfee Active Response (MAR) client
marclient = MarClient(client)
marclient.response_timeout = 30
# Start the search
results_context = marclient.search(
projections=[
{
"name": "HostInfo",
"outputs": ["hostname", "ip_address"]
}
],
conditions={
"or": [
{
"and": mar_search_str
}
]
}
)
# Iterate the results of the search
if results_context.has_results:
results = results_context.get_results()
for item in results[ResultConstants.ITEMS]:
yield (item['output']['HostInfo|ip_address'])
def edr_search(self, eventid, hash, attr_id, attr_uuid):
hostnames = []
with DxlClient(self.config) as client:
client.connect()
marclient = MarClient(client)
results_context = \
marclient.search(
projections=[{
"name": "HostInfo",
"outputs": ["hostname", "ip_address"]
}, {
"name": "Files",
"outputs": ["name", "md5", "status", "full_name"]
}],
conditions={
"or": [{
"and": [{
"name": "Files",
"output": "md5",
"op": "EQUALS",
"value": hash
}]
}]
}
)
if results_context.has_results:
results = results_context.get_results()
total = results['totalItems']
print('SUCCESS: Found {0} Host(s) with hash {1}.'.format(str(total), hash))
for item in results['items']:
hostname = item['output']['HostInfo|hostname']
ip = item['output']['HostInfo|ip_address']
status = item['output']['Files|status']
full_name = item['output']['Files|full_name']
md5 = item['output']['Files|md5']
finding = 'Hostname: {0} | IP: {1} | Status: {2} | Location: {3} | MD5: {4}'\
.format(hostname, ip, status, full_name, md5)
hostnames.append(hostname)
self.found = True
self.add_sighting(attr_id, hostname)
self.add_attribute(eventid, finding)
self.update_attribute(attr_id, hostnames, attr_uuid)
else:
print('SUCCESS: No System found containing files with hash {0}'.format(hash))
def action(md5, md5main):
# Create DXL configuration from file
CONFIG_FILE = "/home/kai/Documents/Pen/OpenDXL-ATD-MAR-Elasticsearch/configdxlclient1.config"
config = DxlClientConfig.create_dxl_config_from_file(CONFIG_FILE)
# Create the client
with DxlClient(config) as client:
# Connect to the fabric
client.connect()
# Create the McAfee Active Response (MAR) client
marclient = MarClient(client)
# Start the search
results_context = \
marclient.search(
projections=[{
"name": "HostInfo",
"outputs": ["hostname","ip_address"]
}, {
"name": "Files",
"outputs": ["md5","status"]
}],
conditions={
"or": [{
"and": [{
"name": "Files",
"output": "md5",
"op": "EQUALS",
"value": md5
}]
}]
}
)
# Iterate the results of the search in pages
if results_context.has_results:
results = results_context.get_results()
# Display items in the current page
for item in results[ResultConstants.ITEMS]:
#print " " + item["output"]["HostInfo|hostname"] + " " + item["output"]["HostInfo|ip_address"] + " " + item["output"]["Files|md5"]
item[u'Summary'] = {u'Subject': {u'md5': md5main}}
item[u'Customer'] = {u'name': 'customer2'}
res = es.index(index='marc2', doc_type='response', body=item)
def mar_search(self, filedict):
hostlist = []
mar_client = MarClient(client)
result_context = \
mar_client.search(
projections=[
{
ProjectionConstants.NAME: "HostInfo",
ProjectionConstants.OUTPUTS: ["hostname", "ip_address"]
},
{
ProjectionConstants.NAME: "Files",
ProjectionConstants.OUTPUTS: ["dir", "name", "status"]
}],
conditions={
"or": [{
"and": [{
ConditionConstants.COND_NAME: "Files",
ConditionConstants.COND_OUTPUT: "md5",
ConditionConstants.COND_OP: "EQUALS",
ConditionConstants.COND_VALUE: filedict["MD5"]
}]
}],
[{
"and": [{
ConditionConstants.COND_NAME: "Files",
ConditionConstants.COND_OUTPUT: "name",
ConditionConstants.COND_OP: "EQUALS",
ConditionConstants.COND_VALUE: filedict["filename"]
}]
}]
}
)
if result_context.has_results:
search_result = result_context.get_results(limit=5000)
for item in search_result["items"]:
print "Host: %s, %s" %(item["output"]['HostInfo|hostname'], item["output"]['HostInfo|ip_address'])
print "--File: %s, %s, Status: %s" %(item["output"]['Files|dir'], item["output"]['Files|name'], item["output"]['Files|status'])
hostlist.append(item["output"]['HostInfo|hostname'])
hosts = ','.join(str(x) for x in hostlist)
#apply tag to hosts
thread = threading.Thread(target=self.epo_set_flag, args=[hosts, ePO_TAG]) #ePO Tagging
thread.start()
def search(collector, projection_collector, outputs, filter_by,
filter_operator, filter_value):
config = get_client_config()
with DxlClient(config) as client:
client.connect()
mar_client = MarClient(client)
if (not filter_by and not filter_operator and not filter_value):
result_context = mar_client.search(
projections=[{
ProjectionConstants.NAME: collector,
ProjectionConstants.OUTPUTS: outputs
}])
else:
if (not filter_by or not filter_operator or not filter_value):
raise Exception(
'you must specify filter-by, filter-operator & filter-value (or specify none of them)'
)
else:
result_context = mar_client.search(
projections=[{
ProjectionConstants.NAME: projection_collector,
ProjectionConstants.OUTPUTS: outputs
}],
conditions={
ConditionConstants.OR: [{
ConditionConstants.AND: [{
ConditionConstants.COND_NAME:
collector,
ConditionConstants.COND_OUTPUT:
filter_by,
ConditionConstants.COND_OP:
FILTER_OPERATORS[filter_operator],
ConditionConstants.COND_VALUE:
filter_value
}]
}]
})
if result_context.has_results:
return result_context.get_results()
return None
def test():
config = get_client_config()
demisto.info('######## config created ########')
with DxlClient(config) as client:
client.connect()
demisto.info('######## client connected ########')
client.disconnect()
demisto.info('######## client disconnected ########')
MarClient(client)
demisto.info('######## client MAR client created ########')
def mar_search(HOST_IP):
# Create the McAfee Active Response (MAR) client
marclient = MarClient(client)
# Start the search
results_context = \
marclient.search(
projections=[{
ProjectionConstants.NAME: "Processes",
}],
conditions={
ConditionConstants.OR: [{
ConditionConstants.AND: [{
ConditionConstants.COND_NAME: "HostInfo",
ConditionConstants.COND_OUTPUT: "ip_address",
ConditionConstants.COND_OP: OperatorConstants.EQUALS,
ConditionConstants.COND_VALUE: HOST_IP
}]
}]
}
)
# Iterate the results of the search in pages
if results_context.has_results:
for index in range(0, results_context.result_count, PAGE_SIZE):
# Retrieve the next page of results (sort by process name, ascending)
results = results_context.get_results(
index,
PAGE_SIZE,
sort_by="Processes|name",
sort_direction=SortConstants.ASC)
# Display items in the current page
print "Page: " + str((index / PAGE_SIZE) + 1)
for item in results[ResultConstants.ITEMS]:
print " " + item[
ResultConstants.ITEM_OUTPUT]["Processes|name"]
dummy_text = raw_input("Press Enter for Next Page")
return
def search_multiple(collectors, filter_collector, filter_by, filter_operator,
filter_value):
config = get_client_config()
with DxlClient(config) as client:
client.connect()
mar_client = MarClient(client)
if (not filter_collector):
result_context = mar_client.search(
projections=[get_projection(c, None) for c in collectors])
else:
if (not filter_by or not filter_operator or not filter_value):
raise Exception(
'you must specify filter-by,'
' filter-operator & filter-value when you provide filter_collector argument'
)
else:
result_context = mar_client.search(
projections=[get_projection(c, None) for c in collectors],
conditions={
ConditionConstants.OR: [{
ConditionConstants.AND: [{
ConditionConstants.COND_NAME:
filter_collector,
ConditionConstants.COND_OUTPUT:
filter_by,
ConditionConstants.COND_OP:
FILTER_OPERATORS[filter_operator],
ConditionConstants.COND_VALUE:
filter_value
}]
}]
})
if result_context.has_results:
return result_context.get_results()
return None
# Configure local logger
logging.getLogger().setLevel(logging.ERROR)
logger = logging.getLogger(__name__)
# Create DXL configuration from file
config = DxlClientConfig.create_dxl_config_from_file(CONFIG_FILE)
# Create the client
with DxlClient(config) as client:
# Connect to the fabric
client.connect()
# Create the McAfee Active Response (MAR) client
mar_client = MarClient(client)
# Performs the search
result_context = \
mar_client.search(
projections=[{
"name": "HostInfo",
"outputs": ["ip_address"]
}]
)
# Loop and display the results
if result_context.has_results:
search_result = result_context.get_results(limit=10)
print "Results:"
for item in search_result["items"]:
# Create DXL configuration from file
config = DxlClientConfig.create_dxl_config_from_file(CONFIG_FILE)
# The size of each page
PAGE_SIZE = 5
# The IP address of the host to retrieve the processes for
HOST_IP = "<SPECIFY_IP_ADDRESS>"
# Create the client
with DxlClient(config) as client:
# Connect to the fabric
client.connect()
# Create the McAfee Active Response (MAR) client
marclient = MarClient(client)
# Start the search
results_context = \
marclient.search(
projections=[{
ProjectionConstants.NAME: "Processes",
}],
conditions={
ConditionConstants.OR: [{
ConditionConstants.AND: [{
ConditionConstants.COND_NAME: "HostInfo",
ConditionConstants.COND_OUTPUT: "ip_address",
ConditionConstants.COND_OP: OperatorConstants.EQUALS,
ConditionConstants.COND_VALUE: HOST_IP
}]
def doGetSystems(btn):
#This function request a systems query with any system given a hash.
#MAR supports MD5 and SHA1
page_size = 5
strHash = str(chatWin.getEntry("TIE_Hash"))
mar_client = MarClient(client)
results_context = mar_client.search(
projections=[{
ProjectionConstants.NAME: "HostInfo",
ProjectionConstants.OUTPUTS: ["hostname", "ip_address"]
}, {
ProjectionConstants.NAME: "Files",
ProjectionConstants.OUTPUTS: ["full_name"]
}],
conditions={
ConditionConstants.OR: [{
ConditionConstants.AND: [{
ConditionConstants.COND_NAME:
"Files",
ConditionConstants.COND_OUTPUT:
"md5",
ConditionConstants.COND_OP:
OperatorConstants.EQUALS,
ConditionConstants.COND_VALUE:
strHash
}]
}, {
ConditionConstants.AND: [{
ConditionConstants.COND_NAME:
"Files",
ConditionConstants.COND_OUTPUT:
"sha1",
ConditionConstants.COND_OP:
OperatorConstants.EQUALS,
ConditionConstants.COND_VALUE:
strHash
}]
}]
})
if results_context.has_results:
for index in range(0, results_context.result_count, page_size):
# Retrieve the next page of results (sort by process name, ascending)
results = results_context.get_results(
index,
page_size,
sort_by="HostInfo|ip_address",
sort_direction=SortConstants.ASC)
# Display items in the current page
logger.info("Page: " + str((index / page_size) + 1))
for item in results[ResultConstants.ITEMS]:
strResults = str("{}({}): {}".format(
item[ResultConstants.ITEM_OUTPUT]["HostInfo|hostname"],
item[ResultConstants.ITEM_OUTPUT]["HostInfo|ip_address"],
item[ResultConstants.ITEM_OUTPUT]["Files|full_name"]))
logger.info(strResults)
chatWin.setTextArea("HashResults", strResults + "\n", False)
chatWin.setTextArea("HashResults", "ActiveResponse Results\n", False)
else:
chatWin.setTextArea("HashResults", "No MAR results for search.", False)
logger.info("No MAR results for search.")
agentGuid = json.dumps(first_instance_dict['agentGuid'])[1:-1]
fileName = json.dumps(first_instance_dict['name'])[1:-1]
sha1 = json.dumps(first_instance_dict['hashes']['sha1'])[1:-1]
print agentGuid, fileName, sha1
searchHASH(sha1,agentGuid,fileName)
# Create the client
client1 = DxlClient(config)
client2 = DxlClient(config)
# Connect to the fabric
client1.connect()
client2.connect()
# Create the McAfee Active Response (MAR) client
mar_client = MarClient(client1)
# Create the McAfee Threat Intelligence Exchange (TIE) client
tie_client = TieClient(client2)
# Create first instance callback
first_instance_callback = MyFirstInstanceCallback()
# Register first instance callback with the client
tie_client.add_file_first_instance_callback(first_instance_callback)
def searchHASH(sha1,agentGuid,fileName):
# Performs the search
# Execute the search
print "Searching for hash: "+sha1
result_context = mar_client.search(
with DxlClient(config) as client:
# Read in hashes from file
hashes = []
hashesFile = open('bad-hashes.txt', 'r')
for rowofdata in hashesFile:
rowofdata = rowofdata.strip('\r\n')
rowofdata = list(rowofdata.split(','))
hashes.append(rowofdata[1])
hashesFile.close()
# Connect to the fabric
client.connect()
# Create the McAfee Active Response (MAR) client
mar_client = MarClient(client)
for hashitem in hashes:
# Performs the search
# Execute the search
print "Searching for hash: "+hashitem
result_context = mar_client.search(
projections=[{
"name": "HostInfo",
"outputs": ["hostname"]
}],
conditions={
"or": [{
"and": [{
"name": "Files",
"output": "sha1",
