Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing 110 changed files with 17,214 additions and 0 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
include README.md | ||
include fn_cisco_amp4ep/util/* | ||
include fn_cisco_amp4ep/lib/* | ||
include fn_cisco_amp4ep/LICENSE | ||
include fn_cisco_amp4ep/doc/* |
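Review bot: `include fn_cisco_amp4ep/util/*`, `include fn_cisco_amp4ep/lib/*` and `include fn_cisco_amp4ep/doc/*` match only files directly inside those directories (no subdirectories) and will also sweep up any stray `*.pyc` that happens to be present at build time; use `recursive-include fn_cisco_amp4ep/util *` (likewise for `lib` and `doc`) and add `global-exclude *.pyc` so the sdist contents are deterministic and contain only source and documentation.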
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,158 @@ | ||
# Resilient Function Integration for Cisco AMP for Endpoints | ||
|
||
This Resilient function package can be used to perform the following actions from a workflow using the Functions feature of the Resilient | ||
Circuits integration framework. | ||
|
||
* Retrieve list of all computers with agents deployed on them, in a Cisco AMP for endpoints environment. | ||
* Get information about a specific computer by guid | ||
* Get list of all activities associated with a particular computer, search by guid. | ||
* Search all computers for any events or activities associated with a file or network operation | ||
|
||
|
||
##Prerequisites: | ||
``` | ||
Resilient version 31 or later | ||
resilient_circuits version 30 or later | ||
``` | ||
* For more info about Cisco AMP for Endpoints, please visit https://www.cisco.com/c/en/us/products/security/amp-for-endpoints/index.html | ||
* For more info about Cisco AMP for Endpoints Rest API, please visit https://api-docs.amp.cisco.com/ | ||
|
||
|
||
## Environment | ||
|
||
This package requires that it is installed on a RHEL or CentOS platform and that the resilient-circuits application is running. | ||
Install this package with 'pip', or `python setup.py install`. | ||
To set the config values in the app.config file with a new resilient instance run `resilient-circuits config -c`. | ||
To set the config values in the app.config file with an existing resilient instance run `resilient-circuits config -u`. | ||
|
||
Config values example: | ||
(Note: The api token will be supplied by Cisco and will be in uuid format) | ||
``` | ||
[fn_cisco_amp4ep] | ||
base_url=https://api.amp.cisco.com/ | ||
# Version of api to use. | ||
api_version=v1 | ||
# The client id will be generated on the Cisco AMP for endpoints dashboard. | ||
client_id=01234abcde56789efedc | ||
# The api_token will be generated on the Cisco AMP for endpoints dashboard and will be will be in uuid format. | ||
api_token=abcd1234-a123-123a-123a-123456abcdef | ||
# Settings for access to cisco AMP website via a proxy | ||
#http_proxy=http':'http://proxy:80 | ||
#https_proxy=https':'http://proxy:80 | ||
# Query results global limit override for the integration global default which is set to 1000. | ||
#query_limit=1000 | ||
# Max number of retry attempts on Rate Limit exception | ||
max_retries=3 | ||
``` | ||
|
||
Run with: `resilient-circuits run`. | ||
|
||
## Supported functions: | ||
``` | ||
fn_amp_get_computer | ||
fn_amp_get_computers | ||
fn_amp_get_computer_trajectory | ||
fn_amp_get_activity | ||
fn_amp_get_file_lists | ||
fn_amp_get_file_list_files | ||
fn_amp_set_file_list_files | ||
fn_amp_delete_file_list_files | ||
fn_amp_get_event_types | ||
fn_amp_get_events | ||
fn_amp_get_groups | ||
fn_amp_move_computer | ||
``` | ||
## Sample workflows provided: | ||
``` | ||
Example: AMP add artifact from activity | ||
Example: AMP Add artifact from event | ||
Example: AMP add artifact from trajectory | ||
Example: AMP delete file from list | ||
Example: AMP get computer by guid | ||
Example: AMP get computer by name | ||
Example: AMP get computers with activity | ||
Example: AMP get computer trajectory | ||
Example: AMP get computer trajectory by activity | ||
Example: AMP get events | ||
Example: AMP get events by type | ||
Example: AMP get event types | ||
Example: AMP get file lists | ||
Example: AMP get files from list | ||
Example: AMP get group name by guid | ||
Example: AMP get groups | ||
Example: AMP move computer | ||
Example: AMP set file in list | ||
``` | ||
## Sample rules provided: | ||
``` | ||
Example: AMP add artifact from activity | ||
Example: AMP add artifact from event | ||
Example: AMP add artifact from trajectory | ||
Example: AMP delete file from list | ||
Example: AMP get computer by guid | ||
Example: AMP get computer by name | ||
Example: AMP get computers with activity | ||
Example: AMP get computer trajectory | ||
Example: AMP get computer trajectory by activity | ||
Example: AMP get events | ||
Example: AMP get events by type | ||
Example: AMP get event types | ||
Example: AMP get file lists | ||
Example: AMP get files from list | ||
Example: AMP get group name by guid | ||
Example: AMP get groups | ||
Example: AMP move computer | ||
Example: AMP set file in list | ||
``` | ||
## Get Computer Example | ||
|
||
The fn_amp_get_computer function requires one input parameter: amp_conn_guid. | ||
The following example shows the configuration of the parameter using a simple workflow pre-processing script: | ||
|
||
``` | ||
inputs.amp_conn_guid = artifact.value | ||
``` | ||
For example, if artifact.value is set to guid 00da1a57-b833-43ba-8ea2-79a5ab21908f, the results | ||
returned to will be in JSON format similar to the following: | ||
``` | ||
{ | ||
"response": { | ||
"version": "v1.2.0", | ||
"data": { | ||
"operating_system": "Windows 7, SP 1.0", | ||
"connector_guid": "00da1a57-b833-43ba-8ea2-79a5ab21908f", | ||
"links": { | ||
"trajectory": "https://api.amp.cisco.com/v1/computers/00da1a57-b833-43ba-8ea2-79a5ab21908f/trajectory", | ||
"computer": "https://api.amp.cisco.com/v1/computers/00da1a57-b833-43ba-8ea2-79a5ab21908f", | ||
"group": "https://api.amp.cisco.com/v1/groups/9d55c259-c960-488b-9b2d-06478fa19ee4" | ||
}, | ||
"external_ip": "145.1.91.176", | ||
"group_guid": "9d55c259-c960-488b-9b2d-06478fa19ee4", | ||
"hostname": "Demo_AMP", | ||
"install_date": "2018-05-22T16:53:27Z", | ||
"network_addresses": [ | ||
{ | ||
"ip": "255.240.221.92", | ||
"mac": "a0:28:f5:c3:71:d5" | ||
} | ||
], | ||
"connector_version": "6.0.9.10685", | ||
"internal_ips": [ | ||
"255.240.221.92" | ||
], | ||
"policy": { | ||
"guid": "a98a0f97-4d54-4175-9eef-b8dee9c8e74b", | ||
"name": "Audit" | ||
}, | ||
"active": true, | ||
"last_seen": "2018-05-22T16:53:27Z" | ||
}, | ||
"metadata": { | ||
"links": { | ||
"self": "https://api.amp.cisco.com/v1/computers/00da1a57-b833-43ba-8ea2-79a5ab21908f" | ||
} | ||
} | ||
}, | ||
"query_execution_time": "2018-08-09 11:56:02" | ||
} | ||
``` |
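Review bot: the proxy examples `#http_proxy=http':'http://proxy:80` and `#https_proxy=https':'http://proxy:80` are malformed (the `':'` fragment looks like a leftover from a dictionary literal); they should read `#http_proxy=http://proxy:80` and `#https_proxy=http://proxy:80`, otherwise anyone who uncomments them gets an unusable proxy URL. `##Prerequisites:` needs a space after the hashes to render as a heading, and the `api_token` comment repeats "will be will be". Since `client_id` and `api_token` are read from `app.config` in clear text, the README should also tell operators to restrict that file's permissions (or keep the token in the resilient-circuits keyring rather than inline) instead of treating it as ordinary configuration.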
Binary file added (+5.38 MB), not shown: fn_cisco_amp4ep/doc/Resilient Integrations Function Guide for Cisco AMP for Endpoints.docx
Binary file added (+3.95 MB), not shown: fn_cisco_amp4ep/doc/Resilient Integrations Function Guide for Cisco AMP for Endpoints.pdf
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
Copyright © IBM Corporation 2010, 2018 | ||
|
||
Permission is hereby granted, free of charge, to any person obtaining a copy | ||
of this software and associated documentation files (the "Software"), to | ||
deal in the Software without restriction, including without limitation the | ||
rights to use, copy, modify, merge, publish, distribute, sublicense, and/or | ||
sell copies of the Software, and to permit persons to whom the Software is | ||
furnished to do so, subject to the following conditions: | ||
|
||
The above copyright notice and this permission notice shall be included in | ||
all copies or substantial portions of the Software. | ||
|
||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | ||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | ||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE | ||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | ||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING | ||
FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS | ||
IN THE SOFTWARE. |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
import pkg_resources | ||
try: | ||
__version__ = pkg_resources.get_distribution(__name__).version | ||
except pkg_resources.DistributionNotFound: | ||
pass |
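Review bot: when `pkg_resources.DistributionNotFound` is raised (for example when the package is imported from a source checkout that was never installed), the `except` branch just does `pass`, so `__version__` is never defined and any `from fn_cisco_amp4ep import __version__` fails with an import error; assign a fallback such as `__version__ = None` (or `"unknown"`) in the `except` branch so the attribute always exists.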
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
# |
100 changes: 100 additions & 0 deletions
100
fn_cisco_amp4ep/fn_cisco_amp4ep/components/fn_amp_delete_file_list_files.py
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,100 @@ | ||
## -*- coding: utf-8 -*- | ||
# pragma pylint: disable=unused-argument, no-self-use | ||
|
||
# (c) Copyright IBM Corp. 2010, 2018. All Rights Reserved. | ||
|
||
""" Resilient functions component to run a Cisco AMP for endpoints query - delete file lists files """ | ||
|
||
# Set up: | ||
# Destination: a Queue named "amp_delete_file_list_files". | ||
# Manual Action: Execute a REST delete operation against a Cisco AMP for endpoints server | ||
import logging | ||
import json | ||
from datetime import datetime | ||
|
||
from resilient_circuits import ResilientComponent, function, handler, StatusMessage, FunctionResult, FunctionError | ||
from fn_cisco_amp4ep.lib.amp_client import Ampclient | ||
from fn_cisco_amp4ep.lib.helpers import validate_opts, validate_params, is_none | ||
from fn_cisco_amp4ep.lib.amp_ratelimit import AmpRateLimit | ||
|
||
RATE_LIMITER = AmpRateLimit() | ||
|
||
class FunctionComponent(ResilientComponent): | ||
"""Component that implements Resilient function 'amp_delete_file_list_files' of | ||
package fn_cisco_amp4ep. | ||
The Function takes the following parameters: | ||
amp_file_list_guid, amp_file_sha256 | ||
An example of a set of query parameter might look like the following: | ||
amp_file_list_guid = "e773a9eb-296c-40df-98d8-bed46322589d" | ||
amp_file_sha256 = "8a68fc7ffd25e12cb92e3cb8a51bf219cada775baef73991bee384b3656fa284" | ||
The function will execute a REST api delete request against a Cisco AMP for endpoints server and returns a result | ||
in JSON format similar to the following. | ||
{ | ||
"input_params": {"file_list_guid": "e773a9eb-296c-40df-98d8-bed46322589d", | ||
"file_sha256": "8a68fc7ffd25e12cb92e3cb8a51bf219cada775baef73991bee384b3656fa284"} | ||
"response": {u'version': u'v1.2.0', | ||
u'data': {}, | ||
u'metadata': {u'links': { | ||
u'self': u'https://api.amp.cisco.com/v1/file_lists/e773a9eb-296c-40df-98d8-bed46322589d/files/4ce4e7ab22a8900bf438ff84baebe74d3ef3828a716b933b6e2a85b991b36f31'} | ||
} | ||
}, | ||
"query_execution_time": "2018-08-09 11:56:02" | ||
} | ||
""" | ||
def __init__(self, opts): | ||
"""constructor provides access to the configuration options""" | ||
super(FunctionComponent, self).__init__(opts) | ||
self.options = opts.get("fn_cisco_amp4ep", {}) | ||
validate_opts(self) | ||
|
||
@handler("reload") | ||
def _reload(self, event, opts): | ||
"""Configuration options have changed, save new values""" | ||
self.options = opts.get("fn_cisco_amp4ep", {}) | ||
validate_opts(self) | ||
|
||
@function("fn_amp_delete_file_list_files") | ||
def _fn_amp_delete_file_list_files_function(self, event, *args, **kwargs): | ||
"""Function: Delete file list item with a given SHA-256 and associated to file list with given file_list_guid.""" | ||
try: | ||
# Get the function parameters: | ||
amp_file_list_guid = kwargs.get("amp_file_list_guid") # text | ||
amp_file_sha256 = kwargs.get("amp_file_sha256") # text | ||
|
||
log = logging.getLogger(__name__) | ||
log.info("amp_file_list_guid: %s", amp_file_list_guid) | ||
log.info("amp_file_sha256: %s", amp_file_sha256) | ||
|
||
if is_none(amp_file_list_guid): | ||
raise ValueError("Required parameter 'amp_file_list_guid' not set.") | ||
if is_none(amp_file_sha256): | ||
raise ValueError("Required parameter 'amp_file_sha256' not set.") | ||
|
||
yield StatusMessage("Running Cisco AMP for endpoints delete file lists files by guid and sha256...") | ||
|
||
params = {"file_list_guid": amp_file_list_guid, "file_sha256": amp_file_sha256} | ||
|
||
validate_params(params) | ||
|
||
amp = Ampclient(self.options, RATE_LIMITER) | ||
|
||
rtn = amp.delete_file_list_files(**params) | ||
query_execution_time = datetime.now().strftime('%Y-%m-%d %H:%M:%S') | ||
# Add in "query_execution_time" and "ip_address" to result to facilitate post-processing. | ||
results = {"response": json.loads(json.dumps(rtn)),"query_execution_time": query_execution_time, | ||
"input_params": params} | ||
yield StatusMessage("Returning 'delete file lists files' results for file list guid '{}' and sha256 value " | ||
"'{}'.".format(params["file_list_guid"], params["file_sha256"])) | ||
|
||
log.debug(json.dumps(results)) | ||
|
||
|
||
# Produce a FunctionResult with the results | ||
yield FunctionResult(results) | ||
except Exception: | ||
yield FunctionError() |
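Review bot: the comment `# Add in "query_execution_time" and "ip_address" to result to facilitate post-processing.` does not match the code, which adds `query_execution_time` and `input_params` and no `ip_address` key; update it so post-processing scripts are not written against a field that never exists. `json.loads(json.dumps(rtn))` is only a deep copy of the client's response; `copy.deepcopy(rtn)` (or `rtn` itself, since it is not reused) says what is meant. In the `except Exception:` branch nothing is logged before `yield FunctionError()`, so a failed REST delete of a file-list entry leaves no trace in the circuits log; add `log.exception("fn_amp_delete_file_list_files failed")` there, and since `log` is assigned inside the `try` it is cleaner to define `LOG = logging.getLogger(__name__)` at module level so the handler can use it. Finally, the first line reads `## -*- coding: utf-8 -*-` with a doubled `#`; a single `#` is the conventional form.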