# McAfee Mvision Cloud APIs

In [1]:
import requests
from requests.auth import HTTPBasicAuth
import json
from credentials import username, password
from datetime import datetime, timedelta, timezone

In [2]:
base_url = 'https://www.myshn.net/{}'

## Snippet 1 - How to get all the tenants associated with current credentials.

In [3]:
# List of tenants available for the specific credentials
# This happens when a user is associated to multiple tenants
# Note: Note this REST API uses the old API schema

url = base_url.format('shnapi/rest/external/api/v1/groups')
params = '?source=shn.ec.x'
url = url + params

r = requests.get(url, auth=HTTPBasicAuth(username, password))
value = json.loads(r.text)

if r.status_code == 200:
    print('Sucessful Authentication')
    tenant_id = [i['bps-tenant-id'] for i in value if i['company-name'] == 'Skyhigh5608'][0]
    print(f'Default Tenant ID: {tenant_id}')

else:
    print(f'Unsucessful authentication {r.status_code}')

print(value)

Sucessful Authentication
Default Tenant ID: 6F93BFFC-F34A-4D6D-B21E-8550DA6356CF
[{'bps-tenant-id': '6F93BFFC-F34A-4D6D-B21E-8550DA6356CF', 'company-name': 'Skyhigh5608'}, {'bps-tenant-id': '14FE51F8-5394-4F99-A6B6-CF224D618461', 'company-name': 'ISecG'}, {'bps-tenant-id': '57D35E70-8AF6-4391-9376-8CC2547E2762', 'company-name': 'Cesicat_POC'}, {'bps-tenant-id': '0AA1231F-B1CF-4B95-A60D-9054D7616129', 'company-name': 'dmontilla'}]


## Snippet 2 - Authenticate against the default Tenant

In [4]:
# Authentication procedure
auth_url = base_url.format('neo/neo-auth-service/oauth/token')
params = '?grant_type=password'
auth_url = auth_url + params

# BPS-TENANT-ID uses  a Default value which in my case is the ID related to the company-name Skyhgh5608, it is suppose that
# we can add this parameter on the header in order to logon to a different tenant, but in my tests I always connect
# to the default one no matters what value I introduce on the BPS-TENANT-ID parameter.
header = {
    'Content-Type': 'application/json',
    'x-auth-username': username,
    'x-auth-password': password,
    'BPS-TENANT-ID': tenant_id
}

r = requests.post(auth_url, headers=header)
value = json.loads(r.text)

if r.status_code == 200:
    print('Sucessful Authentication')
    auth_token = value['access_token']
    tenant_id = value['tenantID']

else:
    print(f'Unsucessful authentication {r.status_code}')

print(value)

Sucessful Authentication
{'access_token': 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOlsic3ByaW5nLWJvb3QtYXBwbGljYXRpb24iXSwidGVuYW50TmFtZSI6IlNreWhpZ2g1NjA4IiwidXNlcl9uYW1lIjoiY2FybG9zX211bm96Z2Fycmlkb0BtY2FmZWUuY29tIiwic2NvcGUiOlsicmVhZCIsIndyaXRlIl0sInRlbmFudElEIjo3NzMwNCwiZXhwIjoxNjA1ODc5NzY1LCJ1c2VyIjoiY2FybG9zX211bm96Z2Fycmlkb0BtY2FmZWUuY29tIiwidXNlcklkIjo0MzYwNCwianRpIjoiNmEzNjhhZTktNjBmOS00MzFhLThkM2ItMDFkN2NlYTgxYjJmIiwiZW1haWwiOiJjYXJsb3NfbXVub3pnYXJyaWRvQG1jYWZlZS5jb20iLCJjbGllbnRfaWQiOiJ0cnVzdGVkLWFwcCJ9.mwPjOTwvIhFV-qwgl3oTtpdIYmOWAn_avyMj8HZ3zttX9qmlNBIsWVuaLbwZvA-187-n7epzp9Yo0_XScUkaXtmt1vtlNsGxVVNKGfYiTpgg9W10vqwUSw9f0QH9yraiz_3k_Cc1TxTOipu98kc3dGLJ7pf52OHeM9GmlplaEMs', 'token_type': 'bearer', 'refresh_token': 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOlsic3ByaW5nLWJvb3QtYXBwbGljYXRpb24iXSwidGVuYW50TmFtZSI6IlNreWhpZ2g1NjA4IiwidXNlcl9uYW1lIjoiY2FybG9zX211bm96Z2Fycmlkb0BtY2FmZWUuY29tIiwic2NvcGUiOlsicmVhZCIsIndyaXRlIl0sImF0aSI6IjZhMzY4YWU5LTYwZjktNDMxYS04ZDNiLTAxZD

## Snippet 3 - Submit a CSP template document for CSPM inspection.

In [5]:
# AWS Shift left, submit a template for analysis using a Cloud Formation template

# Mvision Cloud supports multiple CSP (currently aws and azure).
# For aws MVision Cloud supports Cloudformation aswell as Terraform templates
# For azure Mvision Cloud supports Resource Manager aswell as Terraform templates
# This exaple uses aws and a Cloud formation template.

CSP = 'aws' 
url = base_url.format('neo/config-audit/devops/v1/scan')
params = f'?service={CSP}'
url = url + params

current_path = os.path.abspath(os.getcwd())
template_path = current_path + os.sep + 'templates' + os.sep + 'aws_s3_lifecycle_violation.json'

# IMPORTANT: As the template that is going to be submitted is open in binary ('rb') don't indicate application/json on the
# header
header = {
    #'Content-Type': 'application/json',
    'x-access-token': auth_token
}
payload = {}

files = [('templateFile', open(template_path, 'rb'))]

r = requests.post(url, headers=header, data=payload, files=files)
value = json.loads(r.text)

if r.status_code == 200:
    if 'Failure' in value['status']:
        print('Template file submitted succesfully, but a failure happens')
    else:
        url_scan_result = value['message']
else:
    print(f'Error submitting template, error code: {r.status_code}')

print(value)


{'file_name': 'aws_s3_lifecycle_violation.json', 'message': 'https://www.myshn.net/neo/config-audit/devops/v1/scan/result/7524d538-f3c1-4c3f-b477-a22dccf86533', 'status': 'The request is being processed. Please call the API to get the evaluation result.', 'additional_details': None}


In [6]:
# Check the status of the analysis
header = {
    'Content-Type': 'application/json',
    'x-access-token': auth_token
}


r = requests.get(url_scan_result, headers=header)
value = json.loads(r.text)

if r.status_code == 200:
    if value['status'] == "Submitted" or value['status'] == "In Progress":
        print('Analysis not yet completed')
    elif value['status'] == 'Failure':
        print('Something went wrong during analysis')
    else:
        print('Analysis completed')
        print('{0} violations found on template'.format({value['message']['violation_count']}))
else:
    print('Error checking if analysis was completed')

print(value)

Analysis completed
{4} violations found on template
{'file_name': 'aws_s3_lifecycle_violation.json', 'message': {'file_name': 'aws_s3_lifecycle_violation.json', 'violation_count': 4, 'policies_violated': ['S3 buckets should not be publicly writable', 'S3 buckets should not have unrestricted access', 'MFA Delete should be enabled on S3 buckets', 'S3 buckets should not be world readable']}, 'status': 'Success', 'additional_details': None}


## Snippet 4 - Get the incidents generated

In [7]:
# Data Retrieval API - Incidents retrieval using the new API Schema
# Note this API is not documented this information has been obtained using Chrome developer tools

url_suffix = f'neo/watchtower/ui/v1/{tenant_id}/incident/search'
url = base_url.format(url_suffix)

header = {
    'Content-Type': 'application/json',
    'x-access-token': auth_token
}

# incident_types, is a value uses in the payload that indicates the type of incidents that will be obtained, monitoring the
# requests of the application I have found the following correlation

# 0: policy_violation, DLP incidents, Sharepoint, Onedrive, Azure BLOB, AWS S3, etc.
# 1: Anomaly violation (UEBA)
# 2: I have not been able to identify the corresponding correlation, between the Incident type id and the violation desc.
# 3: IaaS resources violation
# 4: cloud_access_policy_violation - Proxy Rules
# 5: I have not been able to identify the corresponding correlation, between the Incident type id and the violation desc.
# 6: I have not been able to identify the corresponding correlation, between the Incident type id and the violation desc.
# 7: I have not been able to identify the corresponding correlation, between the Incident type id and the violation desc.
# 8: vulnerability in containers images (Example. ECR)

# Add the numerical values explained before to indicate the type of incidents to collect.
incident_types = [0,3] 

now = datetime.now(timezone.utc)
past = now - timedelta(days=300) # Adjust this value to the number of days you want to collect the information from.

from_date = past.isoformat()
to_date   = now.isoformat()

payload = {
    "query_request":
        {
            "sort_dimensions":
                [
                    {
                        "field":"created_on_date",
                        "order":"desc"
                    }
                ],
            "pagination":
                {
                    "offset":0,
                    "limit":100
                },
            "search_query":
                {
                    "type":"between_search_query",
                    "field":"created_on_date",
                    "lower_bound": from_date,
                    "upper_bound": to_date
                },
            "timezone":"UTC"
        },
    "add_default_filters":False,
    "incident_types":incident_types
}

r = requests.post(url, headers=header, data=json.dumps(payload))

value = json.loads(r.text)

# As the returned json depends on the incident type, and depending on the incident type certain keys may not exist this 
# code will ensure that no errors like key doesn't exists are generated when trying to print the results
def safe_print(string_to_execute):
    try:
        exec(string_to_execute)
    except:
        pass

if r.status_code == 200:
    print('*'*20)
    safe_print("print(f'Detected {value[\"total\"]} incidents')")
    print('*'*20)
    for result in value['results']:
        print('')
        safe_print("print(f'Detection date: {result[\"created_on_date\"]}')")
        safe_print("print(f'Source: {result[\"incident_detail\"][\"source\"]}')")
        safe_print("print(f'Service: {result[\"incident_detail\"][\"service\"][\"name\"]}')")
        safe_print("print(f'Instancia: {result[\"incident_detail\"][\"service\"][\"instance\"][\"instance_name\"]}')")
        safe_print("print(f'Incident type: {result[\"type\"]}')")
        safe_print("print(f'Content: {result[\"incident_detail\"][\"content\"][\"item\"][\"name\"]}')")
        safe_print("print(f'Matched policies: {result[\"incident_detail\"][\"matched_policies\"][\"matched_policy_names\"]}')")
        safe_print("print(f'Match coincidences: {result[\"incident_detail\"][\"content\"][\"policy_result\"][\"total_match_count\"] }')")
        print('*'*5)
else:
    print('Error getting incidents')

# print(value) # Uncomment to see the full returned json, can be quite long

********************
Detected 251 incidents
********************

Detection date: 2020-11-19T13:55:09.581Z
Service: Amazon Web Services
Instancia: CMG - AWS
Incident type: audit_violation
Content: aws_s3_lifecycle_violation.json
*****

Detection date: 2020-11-19T13:55:09.569Z
Service: Amazon Web Services
Instancia: CMG - AWS
Incident type: audit_violation
Content: aws_s3_lifecycle_violation.json
*****

Detection date: 2020-11-19T13:55:09.554Z
Service: Amazon Web Services
Instancia: CMG - AWS
Incident type: audit_violation
Content: aws_s3_lifecycle_violation.json
*****

Detection date: 2020-11-19T13:55:09.543Z
Service: Amazon Web Services
Instancia: CMG - AWS
Incident type: audit_violation
Content: aws_s3_lifecycle_violation.json
*****

Detection date: 2020-10-28T13:21:12.883Z
Service: Microsoft Azure
Instancia: Visual Studio
Incident type: audit_violation
Content: azuredeploy.json
*****

Detection date: 2020-10-28T13:10:25.288Z
Service: Microsoft Azure
Instancia: Visual Studio
Incident

## Snippet 5 - Get the audit log

In [9]:
# Data Retrieval API - Audit logs - Using the old API Schema

url = base_url.format('shnapi/rest/reporting/csv/')
endpoint = 'queryAuditTrails'
url = url + endpoint

last_48_hours = datetime.now() - timedelta(days=2)
milliseconds_since_epoch = int(last_48_hours.timestamp()) * 1000

header = {
    'Content-Type': 'application/json'
}

####### FROM THE DOCUMENTATION #######

# Payload construction:

# Match: A single word search term to filter the results; searches the DESCRIPTION and EVENTINFO fields, but
# cannot perform multiple searches and cannot not use “AND” or “OR” operators. It doesn't search on the Event Type
# information either

#eventTypes: Filters the results by a specific event action. Each action is mapped to a numeric value. Enter that
#value in the request:


# fromTime/toTime: Used to filter the response to a specific time period. Leave either or both as null to not set an
# upper or lower time bound. Enter the time and date in milliseconds, calculated from Unix Epoch Time

############ My tests ###########

# This API is old, currently MV Cloud uses another API (not documented), because of this, this code has some limitations:
#  * match field only search on the Additional Info field
#  * eventTypes are not used, no matter which value you introduce  the information is not filtered by this value.
# Current API, uses the new schema where the authentication token is part of the request header being the endpoint url
# https://www.myshn.net/neo/shnadmin-service/v1/auditService/auditEventsSummary this new API demands a payload with the
# following structure:
#
# {"pageCriteria":{"startIndex":0,"numRecords":200},"sortCriteria":{"sortColumn":"timestamp","sortAscending":false}, 
# "dateCriteria":{"presetRange":"LAST_7_DAYS"},"searchString":"","eventCategories":[110],"events":[],"userIds":[]}
# 
# In order to develop further this new mechanism a table with the correspondences between the event category id and the 
# name of the category as well as the list of valid date ranges would be necessary (For instance eventCategories 110 means
# User)

data = {
    'auditFilter': {
        'match': '', 
        'eventTypes': 'LOGIN',
        'fromTime': milliseconds_since_epoch,
        'toTime': ''
    }
}

session = requests.session()
r = session.post(url, auth=HTTPBasicAuth(username, password), headers=header, data=json.dumps(data))
#value = json.loads(r.text) # The information is returned in csv format so don't transform it.

if r.status_code == 200:
    print('Sucessful Authentication')
    

else:
    print(f'Unsucessful authentication {r.status_code}')

print(r.text)

Sucessful Authentication
TimeStamp,Event Type,Description,Additional Info,User Name,IP Address
Wed Nov 18 14:51:18 UTC 2020,User logged in,,,carlos_munozgarrido@mcafee.com,213.37.35.216
Wed Nov 18 15:04:57 UTC 2020,Started On-Demand Scan,,User requested start scan,carlos_munozgarrido@mcafee.com,Not Available
Thu Nov 19 07:04:05 UTC 2020,New user created,,First Name set to Arun;Last Name set to Nirmal;Email set to arun_nirmal+Skyhigh5608@mcafee.com;User Access set to Manage ;User Status set to Activate ;,arunn@skyhighnetworks.com,Not Available
Thu Nov 19 07:04:06 UTC 2020,User information edited,,"User role change - Added following user roles: Detokenization Privilege,Executive Summary,Compliance Manager ,Usage Analytics Users,Incident Management,Policy Management,Administrator,Enterprise Connector User; Resource Information edited:  Compliance Manager  role - Risk Management - Allow (Manage), Cloud Registry - Allow (Manage), Service Group - Allow (Manage);  Incident Management role - T