From ef796b0269bf1b3e1bef43796d8d47d8989e4efb Mon Sep 17 00:00:00 2001
From: ngarg
Date: Wed, 28 Jun 2023 23:55:39 -0700
Subject: [PATCH 1/3] sample scripts for AF

---
 samplescript/activity_feed.py | 151 ++++++++++++++++++
 samplescript/configfile.py | 6 +-
 .../ActivityFeed/patch_activity_feed.json | 16 ++
 .../ActivityFeed/post_activity_feed.json | 16 ++
 samplescript/results/ActivityFeed/readme.txt | 0
 5 files changed, 186 insertions(+), 3 deletions(-)
 create mode 100644 samplescript/activity_feed.py
 create mode 100644 samplescript/payloads/ActivityFeed/patch_activity_feed.json
 create mode 100644 samplescript/payloads/ActivityFeed/post_activity_feed.json
 create mode 100644 samplescript/results/ActivityFeed/readme.txt

diff --git a/samplescript/activity_feed.py b/samplescript/activity_feed.py
new file mode 100644
index 0000000..e8d00a1
--- /dev/null
+++ b/samplescript/activity_feed.py
@@ -0,0 +1,151 @@ +import logging +import json +import requests +import time +from requests.models import Response +import controller +import urllib3 +import configfile + +class activity_feed(object): + #Post the activity feed api + def post_activity_feed(self): + global Auth_token + global headers + Auth_token= "Bearer {}".format(controller.get_token(configfile.client_userid, configfile.client_credentials)) + headers = { + 'x-api-key': configfile.x_api_key, + 'Authorization': Auth_token, + 'Content-Type': 'application/vnd.api+json' + } + with open('./payloads/ActivityFeed/post_activity_feed.json') as json_path: + activity_feed_payload = json_path.read() + req_payload = json.loads(activity_feed_payload) + activity_feed_url = "{}/edr/v2/activity-feed/configurations".format(configfile.base_url) + + print("\n***************Sending POST request for post Activity Feed********************") + time.sleep(5) + urllib3.disable_warnings() + response = controller.callapirequest("Post-activity_feed", "POST", activity_feed_url, headers, req_payload, False) + response_status = response.status_code + print("\nStatus code received for post activity_feed: {}.\n\nResponse received for post activity_feed:\n\n{}".format(response_status, response.text)) + + if response_status == 201: + print("\nPost activity_feed request sent Successfully") + else: + print("\nResponse error status code for post activity_feed is: {}.".format(response_status)) + + controller.write_responsetoFile(response.text, './results/ActivityFeed/post_activity_feed_response.json') + + # Get the activity_feed api result + # API response is written into ./results/activity_feed/get_activity_feed_response.json file + def get_activity_feed(self): + print("\n***************Sending GET request for Activity Feed********************") + activityFeedId = "" + #To create the URL, make necessary changes in configfile.py + activity_feed_url = "{}/edr/v2/activity-feed/configurations".format(configfile.base_url) + 
print("activity_feed URL is : {}".format(activity_feed_url)) + # print("activity_feed header is : {}".format(headers)) + #call the get method for activity_feed api + response = controller.callapirequest("activity_feed", "GET", activity_feed_url, headers, False) + response_status = response.status_code + print("\nStatus code received for Activity Feed API: {}.\n\nResponse received for get_activity_feed:\n\n{}".format(response_status, response.text)) + if response_status == 200: + if response.json()['meta']['totalResourceCount'] > 0: + activityFeedId = response.json()['data'][0]['id'] + print("\nGET request for activity_feed fetched {} records".format( response.json()['meta']['totalResourceCount'])) + else: + print("\nNo records found to validate the activity_feed functionality!!!") + else: + print("\nResponse error Status code for get_activity_feed is: {}".format(response_status)) + + # Write the response Json to /results/ActionHistory/get_actionhistory_response.json file + controller.write_responsetoFile(response.text, './results/ActivityFeed/get_activity_feed_response.json') + return activityFeedId + + # Retrieve activity_feed by configuration ID + def get_activity_feedByConfigurationId(self, activity_feed_id): + print("\n***************Sending GET request for get_activity_feedByConfigurationId********************") + get_activity_feedByConfigurationId = "{}/edr/v2/activity-feed/configurations/{}".format(configfile.base_url, activity_feed_id) + response = controller.callapirequest("Get_activity_feedByConfigurationId", "GET", get_activity_feedByConfigurationId, headers, False) + response_status = response.status_code + print("\nStatus code received for get_activity_feedByConfigurationId: {}.\n\nResponse received for get_activity_feedByConfigurationId:\n\n{}".format(response_status, response.text)) + + if response_status == 200: + if response.json()['meta']['totalResourceCount'] > 0: + print("\nGET request for get-activity_feed By configuration ID is Successful") + 
else: + print("\nNo records found to validate the activity_feed functionality!!!") + else: + print("\nResponse error Status code for get_activity_feed is: {}".format(response_status)) + + controller.write_responsetoFile(response.text, './results/ActivityFeed/get_activity_feed_by_configuration_id_response.json') + + #Patch the activity_feed api + def patch_activity_feed(self, activity_feed_id): + with open('./payloads/ActivityFeed/patch_activity_feed.json') as json_path: + activity_feed_payload = json_path.read() + req_payload = json.loads(activity_feed_payload) + req_payload["data"]["id"] = activity_feed_id + activity_feed_url = "{}/edr/v2/activity-feed/configurations/{}".format(configfile.base_url, activity_feed_id) + + print("\n***************Sending PATCH request for patch_activity_feed********************") + time.sleep(5) + urllib3.disable_warnings() + response = controller.callapirequest("Patch-activity_feed", "PATCH", activity_feed_url, headers, req_payload, False) + response_status = response.status_code + print("\nStatus code received for patch_activity_feed: {}.\n\nResponse received for patch_activity_feed:\n\n{}".format(response_status, response.text)) + + if response_status == 200: + print("\nPatch Activity Feed request sent Successfully") + else: + print("\nResponse error status code for patch Activity Feed is: {}.".format(response_status)) + + controller.write_responsetoFile(response.text, './results/ActivityFeed/patch_activity_feed_response.json') + + # Delete activity feed by configuration ID + def delete_activity_feedByConfigurationId(self, activity_feed_id): + print("\n***************Sending DELETE request for delete_activity_feedByConfigurationId********************") + delete_activity_feedByConfigurationId = "{}/edr/v2/activity-feed/configurations/{}".format(configfile.base_url, activity_feed_id) + response = controller.callapirequest("Delete-activity_feedbyactivity_feedId", "DELETE", delete_activity_feedByConfigurationId, headers, False) + 
response_status = response.status_code + print("\nStatus code received for delete_activity_feedByConfigurationId: {}.\n\nResponse received for delete_activity_feedByConfigurationId:\n\n{}".format(response_status, response.text)) + + if response_status == 200: + print("\nDELETE request for delete-activity_feed By activity_feed ID is Successful") + else: + print("\nResponse error Status code for delete_activity_feed is: {}".format(response_status)) + + controller.write_responsetoFile(response.text, './results/ActivityFeed/delete_activity_feed_by_configuration_id_response.json') + + #Delete activity feed by Tenant + def delete_activity_feedByTenant(self): + print("\n***************Sending DELETE request for delete_activity_feedByTenant********************") + delete_activity_feedByTenant = "{}/edr/v2/activity-feed/tenant".format(configfile.base_url) + response = controller.callapirequest("Delete-activity_feedbyactivity_feedId", "DELETE", delete_activity_feedByTenant, headers, False) + response_status = response.status_code + print("\nStatus code received for delete_activity_feed_by_activity_feedId: {}.\n\nResponse received for delete_activity_feed_by_activity_feedId:\n\n{}".format(response_status, response.text)) + + if response_status == 204: + print("\nDELETE request for delete-activity_feed By activity_feed ID is Successful") + else: + print("\nResponse error Status code for delete_activity_feed is: {}".format(response_status)) + + controller.write_responsetoFile(response.text, './results/ActivityFeed/delete_activity_feed_by_tenant_response.json') + +def main(): + #removing response json files before execution starts + controller.remove_filesfromdir("./results/ActivityFeed") + obj_activity_feed = activity_feed() + print("\n*********************START OF ACTIVITY FEED***********************") + obj_activity_feed.post_activity_feed() # calling Post activity_feed API + activity_feed_id = obj_activity_feed.get_activity_feed() # calling get activity_feed API + 
obj_activity_feed.patch_activity_feed(activity_feed_id) # calling Patch activity_feed API + obj_activity_feed.get_activity_feedByConfigurationId(activity_feed_id) # calling get activity_feed by configuration ID API + obj_activity_feed.delete_activity_feedByConfigurationId(activity_feed_id) # calling delete activity_feed by configuration ID API + obj_activity_feed.delete_activity_feedByTenant() # calling delete activity_feed by tenant + print("\n*********************END OF ACTIVITY FEED**************************") + +#Main Function +if __name__=="__main__": + main() \ No newline at end of file diff --git a/samplescript/configfile.py b/samplescript/configfile.py index e3896c1..77f2c25 100644 --- a/samplescript/configfile.py +++ b/samplescript/configfile.py @@ -5,11 +5,11 @@ #Headers to be included x_api_key="ECYPmTx9g01rWmT3TXUTs8mNkHjbaNSv7lAp6uov" grant_type = "client_credentials" -scope = "epo.admin mi.user.config mi.user.investigate gsd.a.e soc.rts.c soc.rts.r soc.hts.c soc.hts.r soc.act.tg" +scope = "epo.admin mi.user.config mi.user.investigate gsd.a.e soc.rts.c soc.rts.r soc.hts.c soc.hts.r soc.act.tg soc.edrfd.r soc.edrfd.w" # User to update tenant credentials -client_userid="Z3C5ke6wQeVFnC-0LLSDmgHM6" -client_credentials="wF-EJpHq73FQm1mmhNzC399D1" +client_userid="QqiBnhxoJPQgzIs9rieVTPANW"#"Z3C5ke6wQeVFnC-0LLSDmgHM6" +client_credentials="IL5raQCN8ePZzBgJtm9fYYjEF"#"wF-EJpHq73FQm1mmhNzC399D1" # For get-threat API please use below tenant as threats are present here gtclient_id="7wDiu-mIqPdh0t1iM5CPfsYTc" gtclient_credentials="f0KUdEbXYGo84a591NQ7Awru9" diff --git a/samplescript/payloads/ActivityFeed/patch_activity_feed.json b/samplescript/payloads/ActivityFeed/patch_activity_feed.json new file mode 100644 index 0000000..bd1c793 --- /dev/null +++ b/samplescript/payloads/ActivityFeed/patch_activity_feed.json 
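Review bot: Every request in this new file appears to be sent with TLS certificate verification turned off — the trailing `False` passed to `controller.callapirequest` in `post_activity_feed`, `get_activity_feed`, `patch_activity_feed` and both delete methods reads like a `verify` flag, and the two `urllib3.disable_warnings()` calls exist only to silence the InsecureRequestWarning that results; `controller.callapirequest` is not in this diff, so the meaning of that argument should be confirmed. Since the same requests carry the tenant's `x-api-key` and a Bearer token in `headers`, an on-path attacker on any network the sample runs from can capture working credentials, and a sample script is exactly the code people copy into production tooling. Suggest making it configurable with a secure default, e.g. `verify_tls = getattr(configfile, 'verify_tls', True)` passed in place of `False`, and removing the `disable_warnings()` calls. Separately, `main()` feeds `activity_feed_id` straight into PATCH, GET and DELETE even when `get_activity_feed` returned the empty string it initialises on a zero-record or non-200 response, so the run continues against `.../configurations/` with an empty id and then reaches `delete_activity_feedByTenant()`, which removes every configuration in the tenant; guard with `if not activity_feed_id: return` before the PATCH call.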
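Review bot: This hunk commits live-looking tenant credentials to source control — a new `client_userid`/`client_credentials` pair, with the previous pair left behind in trailing comments on the same two lines, next to the `x_api_key` and `gtclient_*` values already in the file. Once pushed these sit in the repository history permanently, so both the rotated-out pair and the new one should be treated as compromised and revoked, and the commented-out values deleted rather than kept as a fallback. Load them from the environment instead, e.g. `client_userid = os.environ["EDR_CLIENT_ID"]` and `client_credentials = os.environ["EDR_CLIENT_SECRET"]`, with `import os` at the top of configfile.py and the variable names documented in the readme. Whether these belong to a disposable test tenant cannot be determined from the diff; even if they do, a sample that ships working secrets is the pattern that gets copied.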
@@ -0,0 +1,16 @@ +{ + "data": { + "type": "activityFeed", + "attributes": { + "topic": "threatEvents", + "configType": "s3Config", + "clientEmailId": "example@gmail.com", + "s3Config": { + "s3Prefix": "trellix-eaf", + "roleARN": "arn:aws:iam::915741471013:role/customer_eaf_s3_cross_account_role", + "s3BucketName": "customer-eaf-bucket", + "awsRegion": "us-west-2" + } + } + } +} \ No newline at end of file diff --git a/samplescript/payloads/ActivityFeed/post_activity_feed.json b/samplescript/payloads/ActivityFeed/post_activity_feed.json new file mode 100644 index 0000000..e37e9b5 --- /dev/null +++ b/samplescript/payloads/ActivityFeed/post_activity_feed.json @@ -0,0 +1,16 @@ +{ + "data": { + "type": "activityFeed", + "attributes": { + "topic": "threatEvents", + "clientEmailId": "abc1234@gmail.com", + "configType":"s3Config", + "s3Config": { + "s3Prefix": "trellix-eaf", + "roleARN": "arn:aws:iam::915741471013:role/customer_eaf_s3_cross_account_role", + "s3BucketName": "customer-eaf-bucket", + "awsRegion": "us-west-2" + } + } + } +} \ No newline at end of file diff --git a/samplescript/results/ActivityFeed/readme.txt b/samplescript/results/ActivityFeed/readme.txt new file mode 100644 index 0000000..e69de29 From a1eb996c050b875a4b3e259aea234043ce28fe35 Mon Sep 17 00:00:00 2001 From: ngarg Date: Wed, 28 Jun 2023 23:57:19 -0700 Subject: [PATCH 2/3] sample scripts for AF --- samplescript/activity_feed.py | 2 +- samplescript/results/ActivityFeed/readme.txt | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/samplescript/activity_feed.py b/samplescript/activity_feed.py index e8d00a1..7c507f4 100644 --- a/samplescript/activity_feed.py +++ b/samplescript/activity_feed.py 
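Review bot: The sample payload's `roleARN` embeds what looks like a specific 12-digit AWS account id (`915741471013`) together with a real role name and bucket name, and `clientEmailId` is a `@gmail.com` address; the same values are repeated in `post_activity_feed.json` in this commit. If that account is real, the sample discloses an internal or customer AWS account identifier and the exact cross-account role a reader could start probing; if it is meant as a placeholder, it should be unmistakably one. Suggest the documentation-style placeholders `"roleARN": "arn:aws:iam::123456789012:role/<your-cross-account-role>"`, `"s3BucketName": "<your-bucket>"` and an `example.com` address, plus a line in the readme telling users to replace them before running.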
@@ -59,7 +59,7 @@ def get_activity_feed(self): else: print("\nResponse error Status code for get_activity_feed is: {}".format(response_status)) - # Write the response Json to /results/ActionHistory/get_actionhistory_response.json file + # Write the response Json to /results/ActivityFeed/get_activity_feed_response.json file controller.write_responsetoFile(response.text, './results/ActivityFeed/get_activity_feed_response.json') return activityFeedId diff --git a/samplescript/results/ActivityFeed/readme.txt b/samplescript/results/ActivityFeed/readme.txt index e69de29..8b13789 100644 --- a/samplescript/results/ActivityFeed/readme.txt +++ b/samplescript/results/ActivityFeed/readme.txt @@ -0,0 +1 @@ + From f403e2c2e1e3f9921a2610bf4f6248048a140f25 Mon Sep 17 00:00:00 2001 From: ngarg Date: Thu, 29 Jun 2023 01:59:27 -0700 Subject: [PATCH 3/3] adding comments and removing unwanted imports --- samplescript/activity_feed.py | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/samplescript/activity_feed.py b/samplescript/activity_feed.py index 7c507f4..17074d0 100644 --- a/samplescript/activity_feed.py +++ b/samplescript/activity_feed.py 
@@ -1,14 +1,16 @@ -import logging import json -import requests import time -from requests.models import Response import controller import urllib3 import configfile class activity_feed(object): - #Post the activity feed api + #Post the activity feed api to registers a new activity-feed configuration for the tenant. + #using the payload "./payloads/ActivityFeed/post_activity_feed.json" + # topic attribute in the payload "./payloads/ActivityFeed/post_activity_feed.json" is set to "threatEvents" + # other Supported values are from the given list ["threatEvents", "cas-mgmt-events", "buisnessEvents"] + # configType attribute in the payload "./payloads/ActivityFeed/post_activity_feed.json" is set to "s3Config" + # other Supported values are from the given list ["s3Config", "webhook", "syslog"] def post_activity_feed(self): global Auth_token global headers @@ -64,6 +66,7 @@ def get_activity_feed(self): return activityFeedId # Retrieve activity_feed by configuration ID + # API response is written into ./results/activity_feed/get_activity_feed_by_configuration_id_response.json file def get_activity_feedByConfigurationId(self, activity_feed_id): print("\n***************Sending GET request for get_activity_feedByConfigurationId********************") get_activity_feedByConfigurationId = "{}/edr/v2/activity-feed/configurations/{}".format(configfile.base_url, activity_feed_id) 
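Review bot: The new header comment lists the accepted `topic` values as `["threatEvents", "cas-mgmt-events", "buisnessEvents"]`; `buisnessEvents` looks like a misspelling of `businessEvents`, and since this comment is the only place the sample tells users what to put in the payload, anyone copying it will get a rejected request — please confirm the exact server-side value before keeping it. The list also mixes camelCase with kebab-case (`cas-mgmt-events`), which is worth checking against the API reference rather than memory. The first line should read `#Post the activity feed api to register a new activity-feed configuration for the tenant.`. The method body continues past the end of this hunk.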
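Review bot: The comment added above `get_activity_feedByConfigurationId` names the output file as `./results/activity_feed/get_activity_feed_by_configuration_id_response.json`, but the `write_responsetoFile` call in this method (outside the hunk) writes to `./results/ActivityFeed/...` — the directory case differs, which matters on a case-sensitive filesystem where the results tree exists only under the capitalised name. Suggest `# API response is written into ./results/ActivityFeed/get_activity_feed_by_configuration_id_response.json file`. The same lower-case `activity_feed` directory appears in the comments this commit adds for `patch_activity_feed`, `delete_activity_feedByConfigurationId` and `delete_activity_feedByTenant`, and in the pre-existing comment on `get_activity_feed`, so all of them should be aligned with the path the code actually uses.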
@@ -81,7 +84,9 @@ def get_activity_feedByConfigurationId(self, activity_feed_id): controller.write_responsetoFile(response.text, './results/ActivityFeed/get_activity_feed_by_configuration_id_response.json') - #Patch the activity_feed api + #Patch the activity_feed api to update an existing activity-feed configuration for the tenant. + #using the payload "./payloads/ActivityFeed/patch_activity_feed.json" + # API response is written into ./results/activity_feed/patch_activity_feed_response.json file def patch_activity_feed(self, activity_feed_id): with open('./payloads/ActivityFeed/patch_activity_feed.json') as json_path: activity_feed_payload = json_path.read() @@ -104,6 +109,8 @@ def patch_activity_feed(self, activity_feed_id): controller.write_responsetoFile(response.text, './results/ActivityFeed/patch_activity_feed_response.json') # Delete activity feed by configuration ID + # Deletes single configuration details. + # API response is written into ./results/activity_feed/delete_activity_feed_by_configuration_id_response.json file def delete_activity_feedByConfigurationId(self, activity_feed_id): print("\n***************Sending DELETE request for delete_activity_feedByConfigurationId********************") delete_activity_feedByConfigurationId = "{}/edr/v2/activity-feed/configurations/{}".format(configfile.base_url, activity_feed_id) 
@@ -118,7 +125,9 @@ def delete_activity_feedByConfigurationId(self, activity_feed_id): controller.write_responsetoFile(response.text, './results/ActivityFeed/delete_activity_feed_by_configuration_id_response.json') - #Delete activity feed by Tenant + # Delete activity feed by Tenant + # Deletes all the activity-feed configurations for a tenant. + # API response is written into ./results/activity_feed/delete_activity_feed_by_tenant_response.json file def delete_activity_feedByTenant(self): print("\n***************Sending DELETE request for delete_activity_feedByTenant********************") delete_activity_feedByTenant = "{}/edr/v2/activity-feed/tenant".format(configfile.base_url)
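Review bot: The new comment correctly states that this call deletes all activity-feed configurations for the tenant, but nothing warns that `main()` (outside this hunk) invokes it unconditionally at the end of every run, so a user pointing the sample at a tenant that already has real configurations will wipe them. Suggest extending the comment with `# WARNING: destructive - removes every configuration in the tenant, including ones not created by this script; run only against a test tenant.` and gating the call in main behind an explicit opt-in. The method body continues past the end of this hunk.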