import json
import os
from datetime import datetime, timezone

import requests
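# XDR base URL
url_base = 'https://api.xdr.trendmicro.com'
# Your XDR user token. Read it from the XDR_API_TOKEN environment variable so the
# secret does not have to live in source control; the placeholder is kept only as
# a fallback so an unconfigured run is rejected by the API rather than failing
# here. Never commit a real token in its place.
token = os.environ.get('XDR_API_TOKEN', 'YOUR_XDR_API_TOKEN_HERE')
# Bearer auth plus the JSON content type every call below sends.
headers = {
    'Authorization': 'Bearer ' + token,
    'Content-Type': 'application/json;charset=utf-8',
}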
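def getRoles(timeout=30):
    """Return all XDR user roles from the accounts/roles endpoint.

    Args:
        timeout: seconds to wait for the HTTP response. Without one a stalled
            connection would block the caller indefinitely.

    Returns:
        The ``data.roles`` list of the decoded JSON response.

    Raises:
        requests.HTTPError: if the API answers with a non-2xx status (for
            example when the token is invalid), instead of the misleading
            KeyError a bare ``r.json()['data']`` lookup would raise.
    """
    url_path = '/v1.0/xdr/portal/accounts/roles'
    r = requests.get(url_base + url_path, headers=headers, timeout=timeout)
    r.raise_for_status()
    return r.json()['data']['roles']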
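def getModels(timeout=30):
    """Return the names of all XDR machine-learning models.

    Args:
        timeout: seconds to wait for the HTTP response; guards against an
            indefinite hang on a stalled connection.

    Returns:
        A list with one ``'<model name> || '`` string per entry in ``data``
        (the trailing separator is part of each element, as in the original).

    Raises:
        requests.HTTPError: on a non-2xx API response.
    """
    url_path = '/v1.0/xdr/dmm/models'
    r = requests.get(url_base + url_path, headers=headers, timeout=timeout)
    r.raise_for_status()
    # r.json() decodes the body directly; json.loads(r.text) was equivalent.
    return [model['name'] + ' || ' for model in r.json()['data']]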
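def getWorkbench(start_date='2020-09-01T10:00:00.000Z', end_date=None, timeout=30):
    """List high/medium severity Workbench alerts opened in a time window.

    Args:
        start_date: ISO-8601 timestamp with a ``Z`` (UTC) suffix marking the
            window start. Defaults to the original hard-coded 2020-09-01.
        end_date: ISO-8601 UTC timestamp for the window end; ``None`` means
            "now", computed in UTC at call time.
        timeout: seconds to wait for the HTTP response.

    Returns:
        A list of ``'<name> - <id> - <severity> - <link> || '`` strings, one
        per record whose severity is ``'high'`` or ``'medium'``.

    Raises:
        requests.HTTPError: on a non-2xx API response.
    """
    url_path = '/v2.0/siem/events'
    if end_date is None:
        # The value is sent with a 'Z' suffix, i.e. labelled as UTC. datetime.now()
        # is local time, so stamping it with 'Z' shifted the window end by the
        # host's UTC offset and could silently drop the most recent alerts (or
        # request a window ending in the future). Use an aware UTC clock instead.
        end_date = datetime.now(timezone.utc).strftime('%Y-%m-%dT%H:%M:%S.000Z')
    query_params = {'startDateTime': start_date, 'endDateTime': end_date}
    r = requests.get(url_base + url_path, params=query_params, headers=headers, timeout=timeout)
    r.raise_for_status()
    records = r.json()['data']['workbenchRecords']
    return [
        rec['workbenchName'] + ' - ' + rec['workbenchId'] + ' - ' + rec['severity']
        + ' - ' + rec['workbenchLink'] + ' || '
        for rec in records
        if rec['severity'] in ('high', 'medium')
    ]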
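def countWorkbench(start_date='2020-09-01T10:00:00.000Z', end_date=None, timeout=30):
    """Count Workbench alerts opened in a time window, bucketed by severity.

    Args:
        start_date: ISO-8601 timestamp with a ``Z`` (UTC) suffix marking the
            window start. Defaults to the original hard-coded 2020-09-01.
        end_date: ISO-8601 UTC timestamp for the window end; ``None`` means
            "now", computed in UTC at call time.
        timeout: seconds to wait for the HTTP response.

    Returns:
        The string ``'Low:<n>\\nMedium:<n>\\nHigh:<n>'``.

    Raises:
        requests.HTTPError: on a non-2xx API response.
    """
    url_path = '/v2.0/siem/events'
    if end_date is None:
        # Sent with a 'Z' (UTC) suffix, so it must come from a UTC clock;
        # datetime.now() is local time and shifted the window by the host's
        # UTC offset.
        end_date = datetime.now(timezone.utc).strftime('%Y-%m-%dT%H:%M:%S.000Z')
    query_params = {'startDateTime': start_date, 'endDateTime': end_date}
    r = requests.get(url_base + url_path, params=query_params, headers=headers, timeout=timeout)
    r.raise_for_status()
    counts = {'high': 0, 'medium': 0, 'low': 0}
    for rec in r.json()['data']['workbenchRecords']:
        severity = rec['severity']
        # NOTE(review): as in the original, every severity that is not 'high'
        # or 'medium' lands in the low bucket. If the API can return other
        # values they are under-reported here — confirm the severity set.
        bucket = severity if severity in ('high', 'medium') else 'low'
        counts[bucket] += 1
    return f"Low:{counts['low']}\nMedium:{counts['medium']}\nHigh:{counts['high']}"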
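def blockDomain(domain='0secops.com', description='Telegram Bot', timeout=30):
    """Submit a response action that blocks a domain.

    This is a write action with real effect on the tenant: whoever can reach
    this function can block arbitrary domains. The default description hints
    the caller is a chat bot; if the domain comes from an untrusted command,
    validate/allow-list it before it gets here.

    Args:
        domain: the domain to block (``targetValue``). Defaults to the
            original hard-coded ``0secops.com``.
        description: free-text label recorded with the action.
        timeout: seconds to wait for the HTTP response.

    Returns:
        The ``actionId`` of the created task, usable with ``getResponse``.

    Raises:
        requests.HTTPError: on a non-2xx API response.
    """
    url_path = '/v1.0/xdr/response/block'
    body = {
        'valueType': 'domain',
        'targetValue': domain,
        'productId': 'sao',
        'description': description,
    }
    # json= lets requests serialise the dict, so quotes or backslashes in a
    # caller-supplied domain/description cannot corrupt a hand-built JSON string.
    r = requests.post(url_base + url_path, headers=headers, json=body, timeout=timeout)
    r.raise_for_status()
    return r.json()['actionId']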
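def removeDomain(domain='0secops.com', description='Telegram Bot', timeout=30):
    """Lift a domain block (restoreBlock) and report the task status.

    Args:
        domain: the domain to unblock (``targetValue``). Defaults to the
            original hard-coded ``0secops.com``.
        description: free-text label recorded with the action.
        timeout: seconds to wait for the HTTP response.

    Returns:
        ``'ID: <actionId>\\nStatus: <Skipped|Success|Failed>'``, or
        ``'... STATUS NOT WORKING YET...'`` for any other status value.

    Raises:
        requests.HTTPError: on a non-2xx API response.
        KeyError: if the response carries no ``actionId``.
    """
    url_path = '/v1.0/xdr/response/restoreBlock'
    body = {
        'valueType': 'domain',
        'targetValue': domain,
        'productId': 'sao',
        'description': description,
    }
    # json= serialises the dict; a hand-built JSON string would break on quotes
    # in a caller-supplied value.
    r = requests.post(url_base + url_path, headers=headers, json=body, timeout=timeout)
    r.raise_for_status()
    resp = r.json()
    action_id = resp['actionId']
    # The original wrapped the lookup in `while True:`, but every branch returned
    # on the first pass, so it never polled; a single read is the real behaviour.
    # NOTE(review): taskStatus is read from the top level of the restoreBlock
    # reply, while getResponse reads it under 'data' from getTask — confirm the
    # restoreBlock response shape. A missing key now maps to the "not working
    # yet" message rather than raising KeyError.
    status = resp.get('taskStatus')
    labels = {'skipped': 'Skipped', 'success': 'Success', 'failed': 'Failed'}
    return "ID: " + action_id + "\nStatus: " + labels.get(status, 'STATUS NOT WORKING YET...')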
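def getResponse(action_id, timeout=30):
    """Look up the current status of a response action via getTask.

    Despite the original comment this does not monitor: the ``while True`` it
    had returned on the first iteration in every branch, so exactly one request
    is made. A caller that wants to wait for completion must call it again.

    Args:
        action_id: the ``actionId`` returned by ``blockDomain``/``removeDomain``.
        timeout: seconds to wait for the HTTP response.

    Returns:
        ``'Skipped'``, ``'Success'`` or ``'Failed'`` for the matching
        ``data.taskStatus``, otherwise ``'STATUS NOT WORKING YET...'``.

    Raises:
        requests.HTTPError: on a non-2xx API response.
    """
    url_path = '/v1.0/xdr/response/getTask'
    query_params = {'actionId': action_id}
    r = requests.get(url_base + url_path, params=query_params, headers=headers, timeout=timeout)
    r.raise_for_status()
    status = r.json()['data']['taskStatus']
    labels = {'skipped': 'Skipped', 'success': 'Success', 'failed': 'Failed'}
    return labels.get(status, 'STATUS NOT WORKING YET...')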