Skip to content
/ python-cybereason Public

Command line interface to interact with Cybereason via API

License

MIT license
1 star 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

psmiraglia/python-cybereason

BranchesTags

Repository files navigation

Cybereason

Command line interface for Cybereason.

Install

$ virtualenv -p python3 .venv
$ . .venv/bin/activate
$ pip install .

Get help

$ crcli --help

                   _____      _
                  / ____|    | |
      _ __  _   _| |    _   _| |__   ___ _ __ ___  __ _ ___  ___  _ __
     | '_ \| | | | |   | | | | '_ \ / _ \ '__/ _ \/ _` / __|/ _ \| '_ \
     | |_) | |_| | |___| |_| | |_) |  __/ | |  __/ (_| \__ \ (_) | | | |
     | .__/ \__, |\_____\__, |_.__/ \___|_|  \___|\__,_|___/\___/|_| |_|
     | |     __/ |       __/ |
     |_|    |___/       |___/  v0.1a0

 
usage: crcli [-h] [-s SERVER] [-u USERNAME] [-p PASSWORD] [-c CONF]
             {sensors,policies} ...

positional arguments:
  {sensors,policies}

optional arguments:
  -h, --help            show this help message and exit
  -s SERVER, --server SERVER
  -u USERNAME, --username USERNAME
  -p PASSWORD, --password PASSWORD
  -c CONF, --conf CONF

Examples

List policies

$ CRCLI_LOG_LEVEL=INFO crcli -c conf.json policies list

                   _____      _
                  / ____|    | |
      _ __  _   _| |    _   _| |__   ___ _ __ ___  __ _ ___  ___  _ __
     | '_ \| | | | |   | | | | '_ \ / _ \ '__/ _ \/ _` / __|/ _ \| '_ \
     | |_) | |_| | |___| |_| | |_) |  __/ | |  __/ (_| \__ \ (_) | | | |
     | .__/ \__, |\_____\__, |_.__/ \___|_|  \___|\__,_|___/\___/|_| |_|
     | |     __/ |       __/ |
     |_|    |___/       |___/  v0.1a0

 
[*] Servers (6abe26b0-4708-41f0-aa89-4ecb5a5be964)
[*] Clients (667295f9-9cca-46fc-aba2-40dad13ee0ec)
[*] Critical Servers (f5f5ed9e-d8a3-4621-b761-268152e3560b)

Dump policy configuration

$ CRCLI_LOG_LEVEL=INFO crcli -c conf.json policies dump --policy-id f5f5ed9e-d8a3-4621-b761-268152e3560b

                   _____      _
                  / ____|    | |
      _ __  _   _| |    _   _| |__   ___ _ __ ___  __ _ ___  ___  _ __
     | '_ \| | | | |   | | | | '_ \ / _ \ '__/ _ \/ _` / __|/ _ \| '_ \
     | |_) | |_| | |___| |_| | |_) |  __/ | |  __/ (_| \__ \ (_) | | | |
     | .__/ \__, |\_____\__, |_.__/ \___|_|  \___|\__,_|___/\___/|_| |_|
     | |     __/ |       __/ |
     |_|    |___/       |___/  v0.1a0

 
INFO: pycybereason.app.policies: Policy dump saved: policy-f5f5ed9e-d8a3-4621-b761-268152e3560b.json

Query sensors by loading filters from file

$ crcli -c conf.json sensors query --filters @filters.json

                   _____      _
                  / ____|    | |
      _ __  _   _| |    _   _| |__   ___ _ __ ___  __ _ ___  ___  _ __
     | '_ \| | | | |   | | | | '_ \ / _ \ '__/ _ \/ _` / __|/ _ \| '_ \
     | |_) | |_| | |___| |_| | |_) |  __/ | |  __/ (_| \__ \ (_) | | | |
     | .__/ \__, |\_____\__, |_.__/ \___|_|  \___|\__,_|___/\___/|_| |_|
     | |     __/ |       __/ |
     |_|    |___/       |___/  v0.1a0


+---------------+
| machineName   |
+---------------+
| sql03         |
| sql12         |
+---------------+

Query sensors by loading filters from file and by specifying details to be shown

$ crcli -c conf.json sensors query --filters @filters.json --cols machineName osType status

                   _____      _
                  / ____|    | |
      _ __  _   _| |    _   _| |__   ___ _ __ ___  __ _ ___  ___  _ __
     | '_ \| | | | |   | | | | '_ \ / _ \ '__/ _ \/ _` / __|/ _ \| '_ \
     | |_) | |_| | |___| |_| | |_) |  __/ | |  __/ (_| \__ \ (_) | | | |
     | .__/ \__, |\_____\__, |_.__/ \___|_|  \___|\__,_|___/\___/|_| |_|
     | |     __/ |       __/ |
     |_|    |___/       |___/  v0.1a0

+---------------+---------+--------+
| machineName   | osType  | status |
+---------------+---------+--------+
| sql03         | WINDOWS | Stale  |
| sql12         | WINDOWS | Stale  |
+---------------+---------+--------+

Compare policies (interactive)

$ crcli -c conf.json policies compare

                   _____      _
                  / ____|    | |
      _ __  _   _| |    _   _| |__   ___ _ __ ___  __ _ ___  ___  _ __
     | '_ \| | | | |   | | | | '_ \ / _ \ '__/ _ \/ _` / __|/ _ \| '_ \
     | |_) | |_| | |___| |_| | |_) |  __/ | |  __/ (_| \__ \ (_) | | | |
     | .__/ \__, |\_____\__, |_.__/ \___|_|  \___|\__,_|___/\___/|_| |_|
     | |     __/ |       __/ |
     |_|    |___/       |___/  v0.1a0

 

(0) Policy Alpha
(1) Policy Beta
(2) Policy Gamma
[?] Select the A policy (0 - 2): 2

(0) Policy Alpha
(1) Policy Beta
(2) Policy Gamma
[?] Select the B policy (0 - 2): 0

Comparison saved to compare-9034336c-0a4e-4461-b93b-f2153a55ed96--1e798691-4eb7-4f2c-98e8-a5d70c63d79b.txt

Compare policies (with options)

$ crcli -c conf.json policies compare -a 9034336c-0a4e-4461-b93b-f2153a55ed96 -b 1e798691-4eb7-4f2c-98e8-a5d70c63d79b -o mycompare.txt

                   _____      _
                  / ____|    | |
      _ __  _   _| |    _   _| |__   ___ _ __ ___  __ _ ___  ___  _ __
     | '_ \| | | | |   | | | | '_ \ / _ \ '__/ _ \/ _` / __|/ _ \| '_ \
     | |_) | |_| | |___| |_| | |_) |  __/ | |  __/ (_| \__ \ (_) | | | |
     | .__/ \__, |\_____\__, |_.__/ \___|_|  \___|\__,_|___/\___/|_| |_|
     | |     __/ |       __/ |
     |_|    |___/       |___/  v0.1a0

 
Comparison saved to mycompare.txt

Upgrade sensors

$ crcli -c conf.json sensors upgrade --filters @filters.json 

                   _____      _
                  / ____|    | |
      _ __  _   _| |    _   _| |__   ___ _ __ ___  __ _ ___  ___  _ __
     | '_ \| | | | |   | | | | '_ \ / _ \ '__/ _ \/ _` / __|/ _ \| '_ \
     | |_) | |_| | |___| |_| | |_) |  __/ | |  __/ (_| \__ \ (_) | | | |
     | .__/ \__, |\_____\__, |_.__/ \___|_|  \___|\__,_|___/\___/|_| |_|
     | |     __/ |       __/ |
     |_|    |___/       |___/  v0.1a0

 
[*] Scheduling upgrate for
[-]   sql03 (version: 20.2.222.0, id: 112233445566778899112233:PYLUMCLIENT_ANTANI_SQL03_0050568611AA)
[-]   sql12 (version: 20.1.343.0, id: 112233445566778899112233:PYLUMCLIENT_ANTANI_SQL12_00505686BB22)
Should I proceed? [y/n]

Show malops in a time range

$ crcli -c conf.json malops inbox --start-time '20220722T000000' --end-time '20220722T235959'

                   _____      _
                  / ____|    | |
      _ __  _   _| |    _   _| |__   ___ _ __ ___  __ _ ___  ___  _ __
     | '_ \| | | | |   | | | | '_ \ / _ \ '__/ _ \/ _` / __|/ _ \| '_ \
     | |_) | |_| | |___| |_| | |_) |  __/ | |  __/ (_| \__ \ (_) | | | |
     | .__/ \__, |\_____\__, |_.__/ \___|_|  \___|\__,_|___/\___/|_| |_|
     | |     __/ |       __/ |
     |_|    |___/       |___/  v0.1a0

 
[MALOP] system.componentmodel.dataannotations.ni.dll (guid: jVLbH23o4vyybRY7, url: https://antani.cybereason.net/#/detection-malop/jVLbH23o4vyybRY7)
[MALOP] windowsbase.ni.dll (guid: A0Qzt3G1yGIkYci3, url: https://antani.cybereason.net/#/detection-malop/A0Qzt3G1yGIkYci3)

Show malops in a time range, with details of affected machines

$ crcli -c conf.json malops inbox --start-time '20220722T000000' --end-time '20220722T235959' --show-machines

                   _____      _
                  / ____|    | |
      _ __  _   _| |    _   _| |__   ___ _ __ ___  __ _ ___  ___  _ __
     | '_ \| | | | |   | | | | '_ \ / _ \ '__/ _ \/ _` / __|/ _ \| '_ \
     | |_) | |_| | |___| |_| | |_) |  __/ | |  __/ (_| \__ \ (_) | | | |
     | .__/ \__, |\_____\__, |_.__/ \___|_|  \___|\__,_|___/\___/|_| |_|
     | |     __/ |       __/ |
     |_|    |___/       |___/  v0.1a0

 
[MALOP] system.componentmodel.dataannotations.ni.dll (guid: jVLbH23o4vyybRY7, url: https://antani.cybereason.net/#/detection-malop/jVLbH23o4vyybRY7)
[MALOP > MACHINE] sql03
[MALOP > MACHINE] sql12
[MALOP] windowsbase.ni.dll (guid: A0Qzt3G1yGIkYci3, url: https://antani.cybereason.net/#/detection-malop/A0Qzt3G1yGIkYci3)
[MALOP > MACHINE] sql03
[MALOP > MACHINE] sql12

Show malops in a time range, with details of affected machines and by filtering on the malop title

$ crcli -c conf.json malops inbox --start-time '20220722T000000' --end-time '20220722T235959' --show-machines --filter 'dataannotations.ni.dll'

                   _____      _
                  / ____|    | |
      _ __  _   _| |    _   _| |__   ___ _ __ ___  __ _ ___  ___  _ __
     | '_ \| | | | |   | | | | '_ \ / _ \ '__/ _ \/ _` / __|/ _ \| '_ \
     | |_) | |_| | |___| |_| | |_) |  __/ | |  __/ (_| \__ \ (_) | | | |
     | .__/ \__, |\_____\__, |_.__/ \___|_|  \___|\__,_|___/\___/|_| |_|
     | |     __/ |       __/ |
     |_|    |___/       |___/  v0.1a0

 
[MALOP] system.componentmodel.dataannotations.ni.dll (guid: jVLbH23o4vyybRY7, url: https://antani.cybereason.net/#/detection-malop/jVLbH23o4vyybRY7)
[MALOP > MACHINE] sql03
[MALOP > MACHINE] sql12

About

Command line interface to interact with Cybereason via API

Topics

cybersecurity cybereason

Resources

Readme

License

MIT license
Activity

Stars

1 star

Watchers

3 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages