Latest community apps.

fn_cisco_amp4ep/MANIFEST.in

@@ -0,0 +1,5 @@
+include README.md
+include fn_cisco_amp4ep/util/*
+include fn_cisco_amp4ep/lib/*
+include fn_cisco_amp4ep/LICENSE
+include fn_cisco_amp4ep/doc/*

fn_cisco_amp4ep/README.md

@@ -0,0 +1,158 @@
+# Resilient Function Integration for Cisco AMP for Endpoints
+
+This Resilient function package can be used to perform the following actions from a workflow using the Functions feature of the Resilient
+Circuits integration framework.
+
+* Retrieve list of all computers with agents deployed on them, in a Cisco AMP for endpoints environment.
+* Get information about a specific computer by guid
+* Get list of all activities associated with a particular computer, search by guid.
+* Search all computers for any events or activities associated with a file or network operation
+
+
+##Prerequisites:
+```
+Resilient version 31 or later
+resilient_circuits version 30 or later
+```
+* For more info about Cisco AMP for Endpoints, please visit https://www.cisco.com/c/en/us/products/security/amp-for-endpoints/index.html
+* For more info about Cisco AMP for Endpoints Rest API, please visit https://api-docs.amp.cisco.com/
+
+
+## Environment
+
+This package requires that it is installed on a RHEL or CentOS platform and that the resilient-circuits application is running.
+Install this package with 'pip', or `python setup.py install`.
+To set the config values in the app.config file with a new resilient instance run `resilient-circuits config -c`.
+To set the config values in the app.config file with an existing resilient instance run `resilient-circuits config -u`.
+
+Config values example:
+(Note: The api token will be supplied by Cisco and will be in uuid format)
+```
+[fn_cisco_amp4ep]
+base_url=https://api.amp.cisco.com/
+# Version of api to use.
+api_version=v1
+# The client id will be generated on the Cisco AMP for endpoints dashboard.
+client_id=01234abcde56789efedc
+# The api_token will be generated on the Cisco AMP for endpoints dashboard and will be will be in uuid format.
+api_token=abcd1234-a123-123a-123a-123456abcdef
+# Settings for access to cisco AMP website via a proxy
+#http_proxy=http':'http://proxy:80
+#https_proxy=https':'http://proxy:80
+# Query results global limit override for the integration global default which is set to 1000.
+#query_limit=1000
+# Max number of retry attempts on Rate Limit exception
+max_retries=3
+```
+
+Run with: `resilient-circuits run`.
+
+## Supported functions:
+```
+fn_amp_get_computer
+fn_amp_get_computers
+fn_amp_get_computer_trajectory
+fn_amp_get_activity
+fn_amp_get_file_lists
+fn_amp_get_file_list_files
+fn_amp_set_file_list_files
+fn_amp_delete_file_list_files
+fn_amp_get_event_types
+fn_amp_get_events
+fn_amp_get_groups
+fn_amp_move_computer
+```
+## Sample workflows provided:
+```
+Example: AMP add artifact from activity
+Example: AMP Add artifact from event
+Example: AMP add artifact from trajectory
+Example: AMP delete file from list
+Example: AMP get computer by guid
+Example: AMP get computer by name
+Example: AMP get computers with activity
+Example: AMP get computer trajectory
+Example: AMP get computer trajectory by activity
+Example: AMP get events
+Example: AMP get events by type
+Example: AMP get event types
+Example: AMP get file lists
+Example: AMP get files from list
+Example: AMP get group name by guid
+Example: AMP get groups
+Example: AMP move computer
+Example: AMP set file in list
+```
+## Sample rules provided:
+```
+Example: AMP add artifact from activity
+Example: AMP add artifact from event
+Example: AMP add artifact from trajectory
+Example: AMP delete file from list
+Example: AMP get computer by guid
+Example: AMP get computer by name
+Example: AMP get computers with activity
+Example: AMP get computer trajectory
+Example: AMP get computer trajectory by activity
+Example: AMP get events
+Example: AMP get events by type
+Example: AMP get event types
+Example: AMP get file lists
+Example: AMP get files from list
+Example: AMP get group name by guid
+Example: AMP get groups
+Example: AMP move computer
+Example: AMP set file in list
+```
+## Get Computer Example
+
+The fn_amp_get_computer function requires one input parameter: amp_conn_guid. 
+The following example shows the configuration of the parameter using a simple workflow pre-processing script:
+
+```
+inputs.amp_conn_guid = artifact.value
+```
+For example, if artifact.value is set to guid 00da1a57-b833-43ba-8ea2-79a5ab21908f, the results
+returned to will be in JSON format similar to the following:
+```
+{
+  "response": {
+    "version": "v1.2.0",
+    "data": {
+      "operating_system": "Windows 7, SP 1.0",
+      "connector_guid": "00da1a57-b833-43ba-8ea2-79a5ab21908f",
+      "links": {
+        "trajectory": "https://api.amp.cisco.com/v1/computers/00da1a57-b833-43ba-8ea2-79a5ab21908f/trajectory",
+        "computer": "https://api.amp.cisco.com/v1/computers/00da1a57-b833-43ba-8ea2-79a5ab21908f",
+        "group": "https://api.amp.cisco.com/v1/groups/9d55c259-c960-488b-9b2d-06478fa19ee4"
+      },
+      "external_ip": "145.1.91.176",
+      "group_guid": "9d55c259-c960-488b-9b2d-06478fa19ee4",
+      "hostname": "Demo_AMP",
+      "install_date": "2018-05-22T16:53:27Z",
+      "network_addresses": [
+        {
+          "ip": "255.240.221.92",
+          "mac": "a0:28:f5:c3:71:d5"
+        }
+      ],
+      "connector_version": "6.0.9.10685",
+      "internal_ips": [
+        "255.240.221.92"
+      ],
+      "policy": {
+        "guid": "a98a0f97-4d54-4175-9eef-b8dee9c8e74b",
+        "name": "Audit"
+      },
+      "active": true,
+      "last_seen": "2018-05-22T16:53:27Z"
+    },
+    "metadata": {
+      "links": {
+        "self": "https://api.amp.cisco.com/v1/computers/00da1a57-b833-43ba-8ea2-79a5ab21908f"
+      }
+    }
+  },
+  "query_execution_time": "2018-08-09 11:56:02"
+}
+```

fn_cisco_amp4ep/fn_cisco_amp4ep/LICENSE

@@ -0,0 +1,19 @@
+Copyright © IBM Corporation 2010, 2018
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+IN THE SOFTWARE.

fn_cisco_amp4ep/fn_cisco_amp4ep/__init__.py

@@ -0,0 +1,5 @@
+import pkg_resources
+try:
+    __version__ = pkg_resources.get_distribution(__name__).version
+except pkg_resources.DistributionNotFound:
+    pass

fn_cisco_amp4ep/fn_cisco_amp4ep/components/__init__.py

@@ -0,0 +1 @@
+#

fn_cisco_amp4ep/fn_cisco_amp4ep/components/fn_amp_delete_file_list_files.py

@@ -0,0 +1,100 @@
+## -*- coding: utf-8 -*-
+# pragma pylint: disable=unused-argument, no-self-use
+
+# (c) Copyright IBM Corp. 2010, 2018. All Rights Reserved.
+
+""" Resilient functions component to run a Cisco AMP for endpoints query - delete file lists files """
+
+# Set up:
+# Destination: a Queue named "amp_delete_file_list_files".
+# Manual Action: Execute a REST delete operation against a Cisco AMP for endpoints server
+import logging
+import json
+from datetime import datetime
+
+from resilient_circuits import ResilientComponent, function, handler, StatusMessage, FunctionResult, FunctionError
+from fn_cisco_amp4ep.lib.amp_client import Ampclient
+from fn_cisco_amp4ep.lib.helpers import validate_opts, validate_params, is_none
+from fn_cisco_amp4ep.lib.amp_ratelimit import AmpRateLimit
+
+RATE_LIMITER = AmpRateLimit()
+
+class FunctionComponent(ResilientComponent):
+    """Component that implements Resilient function 'amp_delete_file_list_files' of
+    package fn_cisco_amp4ep.
+
+    The Function takes the following parameters:
+        amp_file_list_guid, amp_file_sha256
+
+
+    An example of a set of query parameter might look like the following:
+            amp_file_list_guid  = "e773a9eb-296c-40df-98d8-bed46322589d"
+            amp_file_sha256     = "8a68fc7ffd25e12cb92e3cb8a51bf219cada775baef73991bee384b3656fa284"
+
+    The function will execute a REST api delete request against a Cisco AMP for endpoints server and returns a result
+    in JSON format similar to the following.
+
+    {
+      "input_params": {"file_list_guid": "e773a9eb-296c-40df-98d8-bed46322589d",
+                       "file_sha256": "8a68fc7ffd25e12cb92e3cb8a51bf219cada775baef73991bee384b3656fa284"}
+      "response": {u'version': u'v1.2.0',
+                                u'data': {},
+                                u'metadata': {u'links': {
+                                                u'self': u'https://api.amp.cisco.com/v1/file_lists/e773a9eb-296c-40df-98d8-bed46322589d/files/4ce4e7ab22a8900bf438ff84baebe74d3ef3828a716b933b6e2a85b991b36f31'}
+                                             }
+                                },
+      "query_execution_time": "2018-08-09 11:56:02"
+    }
+    """
+    def __init__(self, opts):
+        """constructor provides access to the configuration options"""
+        super(FunctionComponent, self).__init__(opts)
+        self.options = opts.get("fn_cisco_amp4ep", {})
+        validate_opts(self)
+
+    @handler("reload")
+    def _reload(self, event, opts):
+        """Configuration options have changed, save new values"""
+        self.options = opts.get("fn_cisco_amp4ep", {})
+        validate_opts(self)
+
+    @function("fn_amp_delete_file_list_files")
+    def _fn_amp_delete_file_list_files_function(self, event, *args, **kwargs):
+        """Function: Delete file list item with a given SHA-256 and associated to file list with given file_list_guid."""
+        try:
+            # Get the function parameters:
+            amp_file_list_guid = kwargs.get("amp_file_list_guid")  # text
+            amp_file_sha256 = kwargs.get("amp_file_sha256")  # text
+
+            log = logging.getLogger(__name__)
+            log.info("amp_file_list_guid: %s", amp_file_list_guid)
+            log.info("amp_file_sha256: %s", amp_file_sha256)
+
+            if is_none(amp_file_list_guid):
+                raise ValueError("Required parameter 'amp_file_list_guid' not set.")
+            if is_none(amp_file_sha256):
+                raise ValueError("Required parameter 'amp_file_sha256' not set.")
+
+            yield StatusMessage("Running Cisco AMP for endpoints delete file lists files by guid and sha256...")
+
+            params = {"file_list_guid": amp_file_list_guid, "file_sha256": amp_file_sha256}
+
+            validate_params(params)
+
+            amp = Ampclient(self.options, RATE_LIMITER)
+
+            rtn = amp.delete_file_list_files(**params)
+            query_execution_time = datetime.now().strftime('%Y-%m-%d %H:%M:%S')
+            # Add in "query_execution_time" and "ip_address" to result to facilitate post-processing.
+            results = {"response": json.loads(json.dumps(rtn)),"query_execution_time": query_execution_time,
+                       "input_params": params}
+            yield StatusMessage("Returning 'delete file lists files' results for file list guid '{}' and sha256 value "
+                                "'{}'.".format(params["file_list_guid"], params["file_sha256"]))
+
+            log.debug(json.dumps(results))
+
+
+            # Produce a FunctionResult with the results
+            yield FunctionResult(results)
+        except Exception:
+            yield FunctionError()