Evident Security Platform (ESP) SDK for Python
A Python interface for calling the Evident.io API.
This SDK is still under development and subject to change.
Install the latest stable using pip:
pip install esp
If you prefer to install from the latest git HEAD, clone the repository and use the setup.py script:
git clone https://github.com/EvidentSecurity/esp-sdk-python
cd esp-sdk-python
python setup.py install
The recommended way to set your keys is with environment variables, which keeps the credentials out of your source code. Export one for your access key and another for your secret access key:
export ESP_ACCESS_KEY_ID='access key from ESP'
export ESP_SECRET_ACCESS_KEY='secret access key from ESP'
Treat the secret access key as a credential: do not commit it to version control or paste it into shared shell histories.
You can also set them in the ESP module directly:
from esp.settings import settings
settings.access_key_id = 'access key from ESP'
settings.secret_access_key = 'secret access key from ESP'
If you need to go through an HTTP proxy to reach the ESP API, you can set that in the settings as well:
settings.http_proxy = 'your-proxy-uri:8080'
For appliance users, you can change the host the SDK points at in the settings (this replaces the default Evident.io API host):
settings.host = 'esp.my-host'
All resources provided are class objects that export common methods to help you interact with the ESP API. Below are a few examples that describe how the SDK can be used.
Import the SDK using the "esp" namespace:
>>> import esp
Fetching reports is simple:
>>> reports = esp.Report.find()
>>> reports
<esp.resource.PaginatedCollection at 0x10b291dd8>
This returns a paginated collection object that lets you navigate the pages returned:
>>> reports.current_page_number
'1'
>>> reports = reports.next_page()
>>> reports.current_page_number
'2'
This object acts like a list and supports indexing and the len() function, so you can pull a single report out of the page:
>>> len(reports)
20
>>> report = reports[0]
>>> report
<esp.report.Report at 0x10b2ce278>
Let's check out that report:
>>> report.id_
'592'
>>> report.status
'complete'
>>> report.alerts
<esp.resource.PaginatedCollection at 0x10b2d68d0>
The report is complete and has alerts attached to it. Calling .alerts returns a PaginatedCollection of Alert objects; let's look at the first one:
>>> alert = report.alerts[0]
>>> alert.id_
'97'
>>> alert.resource
'fisheye-rel-build'
>>> alert.status
'pass'
>>> alert.signature.name
'VPC ELB Security Groups'
In that last line we accessed the signature object by calling .signature, then called .name on that object to get the name of the signature. Method chaining like this makes the ESP API data straightforward to navigate.
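The two pieces above, walking a paginated collection with next_page() and drilling from a report into its alerts and their signatures, are what a real script usually combines: pull every alert in a completed report and count the non-passing ones per signature. The following is an added example and is not code from the SDK or its README. It uses only the attributes shown above (current_page_number, next_page(), len(), indexing, .status, .signature.name, .id_). Two things are assumptions: that 'pass' is the only passing alert status, and that next_page() either returns None or stops advancing current_page_number on the last page, since the README does not say how the last page is signalled. The _Page, _Alert and _Report classes are constructed stand-ins so the example runs offline; against the live API you would pass esp.Report.find(<id>) instead.

```python
from collections import Counter


def iter_all(collection):
    """Yield every item in a PaginatedCollection, walking pages with next_page().

    Assumption (not stated in the README): the collection is exhausted when
    next_page() returns None, returns an empty page, or returns a page whose
    current_page_number did not advance. Verify this against your SDK version.
    """
    page = collection
    while page is not None and len(page) > 0:
        for i in range(len(page)):          # index access, as the README shows
            yield page[i]
        current = page.current_page_number
        nxt = page.next_page()
        if nxt is None or nxt.current_page_number == current:
            break
        page = nxt


def summarize_failures(report):
    """Return a Counter of non-passing alerts per signature name for a completed report.

    Raises ValueError for reports that are not complete, so a scan that is still
    running is not mistaken for a clean one.
    """
    if report.status != 'complete':
        raise ValueError("report %s is not complete (status=%r)" % (report.id_, report.status))
    failures = Counter()
    for alert in iter_all(report.alerts):
        if alert.status != 'pass':          # assumption: 'pass' is the only passing status
            failures[alert.signature.name] += 1
    return failures


# ---- constructed stand-ins for esp.resource.PaginatedCollection and friends ----

class _Signature(object):
    def __init__(self, name):
        self.name = name


class _Alert(object):
    def __init__(self, id_, resource, status, signature):
        self.id_, self.resource, self.status, self.signature = id_, resource, status, signature


class _Page(object):
    """Mimics the list-like, page-navigable collection described in the README."""
    def __init__(self, pages, index=0):
        self._pages, self._index = pages, index

    @property
    def current_page_number(self):
        return str(self._index + 1)         # the README shows page numbers as strings

    def __len__(self):
        return len(self._pages[self._index])

    def __getitem__(self, i):
        return self._pages[self._index][i]

    def next_page(self):
        if self._index + 1 >= len(self._pages):
            return None
        return _Page(self._pages, self._index + 1)


class _Report(object):
    def __init__(self, id_, status, alerts):
        self.id_, self.status, self.alerts = id_, status, alerts


def demo_report():
    """Constructed sample: two pages of alerts for report 592."""
    elb, r53, dns = _Signature('VPC ELB Security Groups'), _Signature('Route53 DNS'), _Signature('Global DNS TCP')
    page1 = [_Alert('97', 'fisheye-rel-build', 'pass', elb), _Alert('98', 'web-sg', 'fail', elb)]
    page2 = [_Alert('99', 'zone-a', 'fail', r53), _Alert('100', 'db-1', 'pass', dns)]
    return _Report('592', 'complete', _Page([page1, page2]))


if __name__ == "__main__":
    # Against the live API (requires the esp package and credentials):
    #   import esp
    #   print(summarize_failures(esp.Report.find(592)))
    print(summarize_failures(demo_report()))
```

The same summarize_failures() call works on any object exposing .status, .id_ and a paginated .alerts, which is what esp.Report.find(<id>) returns; only the termination rule in iter_all() needs checking once against the real collection.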
If we already know the ID of the report we want, we can pass it to find():
>>> report = esp.Report.find(1)
>>> report
<esp.report.Report at 0x10b2e2978>
Here we used find() again, but passed an ID as an argument. This does not return a paginated collection; it returns the single report instance itself.
To get a collection of signatures that check DNS-related things, use where():
>>> signatures = esp.Signature.where(name_cont='dns')
>>> len(signatures)
3
>>> signatures[0].name
'Global DNS TCP'
>>> signatures[1].name
'Global DNS UDP'
>>> signatures[2].name
'Route53 DNS'
The API gave us 3 signatures, all with DNS in the name. where() takes keyword parameters and converts them into search filters for ESP. The list of available predicates can be found at http://api-docs.evident.io/?json#available-predicates
Predicates are used within Evident.io API search queries to determine what information to match. For instance, the cont predicate, when appended to the name attribute as name_cont, matches records whose name contains the given value (a wildcard match).
You can pass more parameters to where() to form complex queries:
>>> esp.Suppression.where(regions_code_start='us', resource_not_null='1')
<esp.resource.PaginatedCollection at 0x104a18dd8>
You can also change the combinator for complex queries from the default AND to OR by adding the m='or' parameter:
>>> esp.Suppression.where(regions_code_start='us', resource_not_null='1', m='or')