msiempy 0.1.4

McAfee SIEM API Python wrapper

McAfee SIEM API Python wrapper

This project aims to provide a basic API wrapper around the McAfee SIEM API to help make it more accessible and pythonic.

⚠️ This python module is currently experimental ⚠️

Main features

• ESM monitoring (work in progress)
• Datasource management : add, edit, del - including client datasources (work in progress)
• Alarm management and querying : [asynchronous] filter, [un]acknowledge, delete (not working in v11.2.1 see #11).
• Event querying : [asynchronous] dynamic query
• Watchlist operations : list all watchlists and add values (work in progress)
• Single stable session handler and built-in asynchronous jobs

Documentation and links

• Python msiempy module documentation : https://mfesiem.github.io/docs/msiempy/index.html
• Class diagram : https://mfesiem.github.io/docs/msiempy/classes.png
• SIEM API documentation : https://ESM_HOSTNAME/rs/esm/help

Installation

pip install msiempy

Configuration setup

The configuration file should be located securely in your path since it has credentials.

• For Windows: %APPDATA%.msiem\conf.ini
• For Mac : $HOME/.msiem/conf.ini
• For Linux : $XDG_CONFIG_HOME/.msiem/conf.ini or : $HOME/.msiem/conf.ini

[esm]
host = ESM HOST NAME OR IP
user = USERNAME
passwd = PASSWORD IN BASE64, generate it like `echo 'p@ssw0d' | base 64`

[general]
verbose = yes
quiet = no
logfile = /var/log/msiempy/log.txt
timeout = 30
ssl_verify = no
output = text

You can initiate and configure the file with python cli.

$ python3
>>> from msiempy import NitroConfig
>>> config=NitroConfig()
>>> config.iset('esm')
Enter [esm]host. Press <Enter> to keep empty: <type here>
Enter [esm]user. Press <Enter> to keep empty: <type here>
Enter [esm]passwd. Press <Enter> to skip: <type here>
>>> config.iset('general') [...]
>>> print(config)
Configuration file : /Users/username/.msiem/conf.ini
{'esm': {'host': '***', 'user': '***', 'passwd': '***=='}, 'general': {'verbose': 'no', 'quiet': 'False', 'logfile': '', 'timeout': '60', 'ssl_verify': 'no', 'output': 'text'}}
>>>config.write()

Run tests

./setup.py test
[...]
----------------------------------------------------------------------
Ran 13 tests in 182.815s

OK

It souldn't take more than 5 minutes

Example

Alarm

Print all unacknowledged alarms of the year. The number of alarms retreived is defined by the page_size property.

import msiempy.alarm

alarms=msiempy.alarm.AlarmManager(
        time_range='CURRENT_YEAR',
        status_filter='unacknowledged',
        filters=[
                ('alarmName', 'IPS alarm'),
                ('ruleMessage','Wordpress')],
        page_zize='400')

alarms.load_data()
print(alarms)

alarms.load_events(extra_fields=['HostID','UserIDSrc'])
[ print alarm['events'] for alarm in alarms ]

See: https://mfesiem.github.io/docs/msiempy/alarm.html#msiempy.alarm.AlarmManager

Event

Query events according to filters, loading the data with comprensive parralel tasks and printing relevant data.

import msiempy.event

events = msiempy.event.EventManager(
        time_range='LAST_3_DAYS',
        fields=['HostID', 'UserIDSrc'],
        filters=[
                msiempy.query.FieldFilter('DstIP', ['8.8.0.0/8',]),
                msiem.query.FieldFilter('HostID', ['mydomain.local'], operator='CONTAINS') ],
        limit=500,
        max_query_depth=2)
events.load_data(delta='2h', slots='4', workers=5)
print(events.get_text(fields=['Alert.LastTime','Alert.SrcIP', 'Alert.BIN(4', 'Alert.BIN(7)', 'Rule.msg']))

See: https://mfesiem.github.io/docs/msiempy/event.html#msiempy.event.EventManager

ESM

Print a few esm infos. This is still work in progress.

>>> import msiempy.device

>>> esm=msiempy.device.ESM()
>>> esm.version()
'11.2.1'
>>> esm.recs()
[('ERC-1', 144116287587483648)]
>>> esm.buildstamp()
'11.2.1 20190725050014'

See: https://mfesiem.github.io/docs/msiempy/device.html#msiempy.device.ESM

Datasource

Load all datasources and search. This is still work in progress.

import msiempy.device

devtree = msiempy.device.DevTree()

See: https://mfesiem.github.io/docs/msiempy/device.html#msiempy.device.DevTree

Contribute

If you like the project and think you could help with making it better, there are many ways you can do it:

Create new issue for new feature proposal or a bug Implement existing issues Help with improving the documentation Spread a word about the project to your collegues, friends, blogs or any other channels Any other things you could imagine Any contribution would be of great help and I will highly appreciate it! If you have any questions, please create a new issue, or concact me via tris.la.tr@gmail.com

Error report

Execute : cat ./.msiem/*.txt | cut -c 25-500 | grep -i error | sort | uniq

Disclaimer

This is an UNOFFICIAL project and is NOT sponsored or supported by McAfee, Inc. If you accidentally delete all of your datasources, don't call support (or me). Product access will always be limited to 'safe' methods and with respect to McAfee's intellectual property.