Symantec™ Cloud Workload Protection
Symantec™ Cloud Workload Protection
1. Cloud Workload Protection Public API
1.1. Token-based authentication service
API to generate an authentication token to be used for subsequent API calls.
1.1.1. Overview
To retrieve data from Cloud Workload Protection, you must generate a token by using the system credentials. Use the token for subsequent API calls.
|
Note
|
The authentication token is valid for 60 minutes only. |
1.1.2. URL
https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/oauth/tokens
1.1.3. Request Method
POST
1.1.4. Request Header
content-type: application/json x-epmp-customer-id: <customer-id> x-epmp-domain-id: <domain-id>
1.1.5. Request Body
{"client_id":"<client id from portal>","client_secret": "<client secret key>"}
1.1.6. Request Parameters
Field |
Description |
Component |
Customer ID |
This value is a unique identifier of the customer. The field name is x-epmp-customer-id. |
Header |
Domain ID |
This value identifies the relevant domain for a customer. The field name is x-epmp-domain-id. |
Header |
Client ID |
This value identifies the client ID to be used in the API to get the token. The field name is client_id. |
Body |
Client Secret Key |
This value is the secret key that should be shared and stored securely by the customer. The field name is client_secret. Customers can renew the client secret key on the product portal. |
Body |
To obtain the above parameters, log on to the Cloud Workload Protection portal, go to Settings > API Keys, and enable the API Keys.
1.1.7. Response Header
content-type: application/json
1.1.8. Response Data
{"access_token": "<valid token>","expires_in":3600,
"token_type":"Bearer", "x-epmp-customer-id": "<customer-id>",
"x-epmp-domain-id": "<domain-id>"}
1.1.9. Response Codes
Code |
Description |
200 / 202 |
Successful operation. |
400 |
Bad request. The request body is incorrect. |
401 |
Unauthorized access. The token is either invalid or expired. |
403 |
Forbidden. The request was valid and the credentials were successfully authenticated. However, the credentials do not grant permission to access the resource. |
404 |
URL is incorrect. |
429 |
Too many requests. |
500 |
Internal server error if the Symantec service attending to the API calls is down. |
1.2. Fetch assets service
API for getting a list of all instances in the cloud infrastructure.
1.2.1. Overview
This service lets you get a list of all available instances deployed in the cloud infrastructure. It also gets a list of the instance attributes that the system supports.
1.2.2. URL
https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/ui/assets
1.2.3. Request Method
POST
1.2.4. Request Header
content-type: application/json Authorization: <token-type> <access-token> x-epmp-customer-id: <customer-id> x-epmp-domain-id: <domain-id>
1.2.5. Request Body
{'limit':<number>,'offset':<number>, 'where':'', 'include':''}
1.2.6. Request Parameters
Attribute |
Description |
Example |
Limit |
The number of records to display on one page. This value can be set up to 1000. |
'limit':10 |
Offset |
Specifies the number of pages to skip in the result. An offset 0 denotes the first page. If you set the offset to 2, the result starts from the third page. |
'offset':0 |
Where |
Lets you add conditions based on instance attributes and logical and relational operators. |
where=(region=’us_west_1’)or(region=’us_west_2’) |
Include |
Includes the specified information in the result. |
'include':'installed_products' The attribute in this example returns all the installed products in the instances. |
Filter Criteria |
Possible filter values that can be used in an example |
||
Recommendations |
This filter gets instances that have a policy recommendation generated or a policy recommendation to be reapplied. where=(included_dcs_device_states.policyRecommendationState in ['Generated','Reapply']) |
||
Platform |
This filter gets instances belonging to Linux or Windows. where=(platform in ['Linux','Windows']) |
||
Instance state |
This filter gets instances based on the state of the instance - Running or Stopped. where=(instance_state in ['Running','Stopped']) |
||
Policy status |
This filter gets instances based on the status of the policy application. where=(policy_applied in ['pending','failed', 'intermediate','completed','NOTAPPLIED']) |
||
Agent status |
This filter gets instances based on the status of the agent. where=(agent_installed in ['Not_Installed','Installed','Initializing', 'Installed_Reboot_Required','Uninstalled']) |
||
Source |
This filter gets instances based on the source of the instance. where=(cloud_platform in ['Private','Azure','AWS']) |
||
Discovery |
This filter gets instances based on the status of the software service discovery. where=(adr_state in ['Failed','In Progress','Succeeded']) |
||
Instance |
This filter gets instances without a policy group, with a policy group, or without an agent. where=(policy_applied='completed')and (policy_applied!='completed')and(agent_installed!='Installed') |
||
Discovered on |
This filter gets instances created prior to the current time. The options available are 8 hours, 1 day, 7 days, and 30 days prior to the current date. You can also specify a range as explained in the examples.
If the date today is 16th of February 2016, this example gets instances created 30 days prior to the current date. where=(created>='2017-01-16T05:26:22.232Z') |
Response Header
content-type: application/json
Response Data - Example
HTTP/1.1 200 OK
{
"id": "3cKGgHxxxxxxxxxxbeWl1A",
"name": "AzureRHELTest",
},
"policy_applied": "NOTAPPLIED",
"host": "AzureRHELTest",
"mac_address": "00-0D-xx-xx-xx-12",
"ip_addresses": [
"1xx.xx.2xx.1xx"
],
"fqdn": "AzureRHELTest",
"instance_id": "cxxxxx3-fxx-4axx-axx-5xxxxec9xxx7",
"cloud_platform": "Azure",
"instance_state": "Running",
"instance_type": "Standard_Dxx_xx",
"subscription_id": "exxxxxxf-dxx7-xxxd-9xxx-3xxxxc7xxxx4",
"subscription_name": "Visual Studio Enterprise",
"resource_group_name": "Default",
"vm_type": "Microsoft.Compute/virtualMachines",
"machine_image_id": "https://xxxxxxxxxxskvmssxzisa.blob.core.windows.net/vhds/AzureRHELTestxxxxxxxxxx.vhd",
"public_dns": "",
"private_ips": [
"1x.x.x.x"
],
"subnet_id": "/subscriptions/xxxxxxxx-dxxx-4xxx-9xxx-34xxxxxxxx4/resourceGroups/testCloudVM/providers/
Microsoft.Network/virtualNetworks/MyVNET/subnets/Subnet",
"firewall_groups": [
"RS-RHEL72"
],
"region": "southeastasia",
"updated": false,
"deleted": false,
"agent_installed": "Not_Installed",
"created": "2016-07-26T05:04:38.105Z",
"modified": "2016-07-26T05:12:02.349Z",
"reconciled": true,
"obj_classes": [
"device",
"dcs_device"
],
"platform": "Linux"
}
1.2.7. Supported Operators
=! = < <= > >= In, not_in, and like
1.2.8. Response Codes
Code |
Description |
200 |
Successful operation. |
400 |
Invalid operation. The body of the response contains information about the error. |
401 |
Authentication required. Make sure that you use a correct account ID and security token. |
500 |
Server error. Please try again later, and if the problem persists, contact Symantec Support. |
1.2.9. Examples
Get a list of all instances created between a specific period
https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/ui/assets? fields=name,instance_id,created&where=(created>='<yyyy-MM-ddTHH:mm:ss.SSSZ>') and(created<='<yyyy-MM-ddTHH:mm:ss.SSSZ>')
For example:
https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/ui/assets? fields=name,instance_id,created&where=(created>='2017-02-13T18:30:00.891Z')and (created<='2017-02-15T18:29:59.891Z')
Search for an instance ID
https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/ui/assets? fields=name,instance_id,modified&where= (instance_id in ['<instance_name_1>’,’<instance_name_2>'])
For example:
https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/ui/assets? fields=name,instance_id,modified&where= (instance_id in ['i-01033bd4f26301f22','vm493132851e'])
Get all instances including the instances belonging to the VPC ID ‘vpc-b920bbdd’
https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/ui/assets? where=(vpc_id= '<vpc id>')
For example:
https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/ui/assets? where=(vpc_id='vpc-b920bbdd')
Get instances discovered in the last 7 days belonging to Azure platform that do not have a policy group applied and an agent installed
https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/ui/assets? fields=name,instance_id,modified&where= ((policy_applied in ['<policy_state>'])and (agent_installed in ['<agent_state>'])and(cloud_platform in ['<platform>']) and(created>='<yyyy-MM-ddTHH:mm:ss.SSSZ>'))
For example:
https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/ui/assets? fields=name,instance_id,modified&where= ((policy_applied in ['NOTAPPLIED'])and (agent_installed in ['Not_Installed'])and(cloud_platform in ['Azure'])and (created>='2017-02-08T04:43:56.634Z'))
1.2.10. Sample Script
Try the sample Python script from our GitHub location.
Use the script cwpasset.py to get a list of the instances along with information such as agent version, installation application, LiveUpdate version and so on.
The script cwpasset_paged.py provides the same information one page at a time. Use this script if you have more than 1000 instances in your environment.
1.3. Events service
API to retrieve the events that are generated.
1.3.1. Overview
This service lets you query the events that are generated on the instances that the system taps. The events information can be used for external data integration. For example, consuming the events in a custom triaging or a ticketing solution that you may have.
1.3.2. URL
https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/event/query
1.3.3. Request Method
POST
1.3.4. Request Header
content-type: application/json Authorization: <token-type> <access-token> x-epmp-customer-id: <customer-id> x-epmp-domain-id: <domain-id>
1.3.5. Request Body
{
"pageSize":<Integer size of records per page, for example 8>,
"pageNumber":<Integer indicating the number of page, for example 2>,
"productName":"Either CWP or CWP-S",
"startDate":"<Start date with time. For example, 2016-07-18T18:30:00.000Z>",
"endDate":"<End date with time. For example, 2016-07-28T18:29:59.999Z>",
"displayLabels":false,
"searchFilter":{"searchQuery":"<any part of the message of an event for example, conf>"},
"additionalFilters":"(<add additional filter as required>)"
}
1.3.6. Request Parameters
Attribute name |
Values |
Example |
Description |
||
|
|
" |
The result includes events of queried severities. The values and their corresponding severities are:
|
||
|
|
" |
The result includes events of queried categories. The values and their corresponding categories are:
|
||
|
The following type_class are supported for CWP for Storage
The following type_class are supported for Symantec Protection Engine 8.0 *
|
|
The result includes events of queried types. The values and their corresponding events types are:
|
||
|
For Events, For Alerts, |
" |
The result includes events of queried parameter.
|
||
|
|
" " " |
|
||
|
|
"productName" : "CWP" |
This parameter is optional. To retrieve Cloud Workload Protection events, enter For CWP for Storage events, enter For Symantec Protection Engine 8.0 events, enter If you want to retrieve all events, omit the parameter from the request body. |
1.3.7. Response Body
{
"result": [<array of events/alerts>],
"total": <Integer, count of events/alerts>
}
1.3.8. Response Codes
Code |
Description |
200 |
Successful operation. |
400 |
Bad request. The request body is incorrect. |
401 |
Unauthorized access. The token is either invalid or expired. |
403 |
Forbidden. The request was valid and the credentials were successfully authenticated. However, the credentials do not grant permission to access the resource. |
404 |
URL is incorrect. |
429 |
Too many requests. |
500 |
Internal server error if the Symantec service attending to the API calls is down. |
1.3.9. Examples
Get the Anti-Malware events for Cloud Workload Protection
{
"pageSize": 10,
"pageNumber": 0,
"productName" : "CWP",
"displayLabels": false,
"order": "DESCENDING",
"startDate": "2018-01-11T18:30:00.000Z",
"endDate": "2018-01-19T18:29:59.999Z",
"searchFilter": {},
"additionalFilters":"(type_class IN ['AntiMalware'])"
}
Get the Anti-Malware events for CWP for Storage
{
"pageSize": 10,
"pageNumber": 0,
"productName" : "CWP-S",
"displayLabels": false,
"order": "DESCENDING",
"startDate": "2018-01-11T18:30:00.000Z",
"endDate": "2018-01-23T18:29:59.999Z",
"searchFilter": {},
"additionalFilters":"(type_class IN ['ANTIMALWARE'])"
}
To get all events
{
"pageSize": 10,
"pageNumber": 0,
"displayLabels": false,
"order": "DESCENDING",
"startDate": "2017-12-09T18:30:00.000Z",
"endDate": "2018-01-22T18:29:59.999Z",
"searchFilter": {}
}
Free-text search for UNIX policy
{
"pageSize": 10,
"pageNumber": 0,
"startDate": "2016-11-18T18:30:00.000Z",
"endDate": "2017-02-17T18:29:59.999Z",
"displayLabels": false,
"searchFilter": {
"searchQuery": "UNIX policy"
},
}
List only AWS CloudTrail events of Cloud Workload Protection
{
"pageSize": 10,
"pageNumber": 0,
"productName":"CWP",
"startDate": "2017-02-09T18:30:00.000Z",
"endDate": "2017-02-17T18:29:59.999Z",
"displayLabels": false,
"searchFilter": {
"searchQuery": ""
},
"additionalFilters": "(type_class IN [\"AmazonCloudTrail\"])
}
Search by using the key:value pair Instance ID:WIN-QMSJRHECBTH_10.211.105.202
{
"pageSize": 10,
"pageNumber": 0,
"productName":"CWP",
"startDate": "2017-02-09T18:30:00.000Z",
"endDate": "2017-02-17T18:29:59.999Z",
"displayLabels": false,
"searchFilter": {
"searchQuery": ""
},
"additionalFilters": "(source_asset.source_name like \"WIN-QMSJRHECBTH_10.211.105.202\")"
}
List only PCI events that is, events generated on instances that are tagged as PCI
{
"pageSize": 10,
"pageNumber": 0,
"productName":"CWP",
"startDate": "2017-02-09T18:30:00.000Z",
"endDate": "2017-02-17T18:29:59.999Z",
"displayLabels": false,
"searchFilter": {},
"additionalFilters": "(dcs_data.is_pci_event match \".*?true.*?\")"
}
List informational events of type Prevention that have occurred from January 16th through February 15th 2017
{
"pageSize": 10,
"pageNumber": 0,
"productName":"CWP",
"eventSeverities": [
1
],
"startDate": "2017-01-15T18:30:00.000Z",
"endDate": "2017-02-15T18:29:59.999Z",
"displayLabels": false,
"searchFilter": {},
"additionalFilters": "(type_class IN [\"IPS\"])"
}
List Fatal and Major events of type Management, AWS CloudTrail, and Monitoring that have occurred in the last 24 hours on instances with a PCI tag
{
"pageSize": 10,
"pageNumber": 0,
"productName":"CWP",
"eventSeverities": [
6,
4
],
"startDate": "2017-02-14T06:36:28.119Z",
"endDate": "2017-02-15T06:36:28.119Z",
"displayLabels": false,
"searchFilter": {},
"additionalFilters": "(type_class IN [\"MONITORING\",\"AmazonCloudTrail\",\"MGMT\"])
&& (dcs_data.is_pci_event match \".*?true.*?\")"
}
1.3.10. Sample Script
Try the sample Python script from our GitHub location.
Use the script cwpgetevents.py to download the Cloud Workload Protection events.
1.4. Alerts service
API to retrieve the alerts that are raised.
1.4.1. Overview
This service lets you query the alerts that are raised as a result of the events. The alerts information can be used for external data integration. For example, consuming the alerts in a custom triaging or a ticketing solution that you may have.
1.4.2. URL
https://scwp.securitycloud.symantec.com/dcs-service/sccs/v1/events/search
1.4.3. Request Method
POST
1.4.4. Request Header
content-type: application/json Authorization: <token-type> <access-token> x-epmp-customer-id: <customer-id> x-epmp-domain-id: <domain-id>
1.4.5. Request Body
{
"eventTypeToQuery": 16,
"pageSize": <Integer size of records per page, for example 10>,
"pageNumber": <Integer indicating the number of page, for example 2>,
"startDate": "<Start date with time for example, 2016-07-18T18:30:00.000Z>",
"endDate": "<End date with time for example, 2016-07-28T18:29:59.999Z>",
"searchFilter":{"searchQuery":"<any part of the message of an alert for example, file modified>"},
"additionalFilters":"(type_id = 16 && events.type_class is_not null)"
}
|
Note
|
The attributes pageSize, pageNumber, startDate, endDate, and eventTypeToQuery=16 (for alerts only) are mandatory to be entered in the request body. |
1.4.6. Request Parameters
Attribute name |
Values |
Example |
Description |
|
* 1 * 2 * 3 |
" |
The result includes alerts of queried severities. The values and their corresponding severities are: * 1 = Notice * 2 = Warning * 3 = Critical |
|
* IDS * IPS * AmazonCloudTrail * MGMT * Monitoring * Antimalware * SCAN_STATUS * ANTIMALWARE * PERMISSION_ASSESSMENT |
type_class IN [\"IPS\",\"AmazonCloudTrail\"]) |
The result includes events of queried types. The values and their corresponding events types are: * IDS = Intrusion detection events * IPS = Intrusion prevention events * AmazonCloudTrail = AWS CloudTrail events * MGMT = Management events * Monitoring = Monitoring events * Antimalware = The Anti-Malware events raised by Cloud Workload Protection * SCAN_STATUS = Detection events generated by CWP for Storage due to AWS S3 bucket scans * ANTIMALWARE = The Anti-Malware events generated by CWP for Storage due to the AWS S3 bucket near real-time scan * PERMISSION_ASSESSMENT = the permission assessment events are generated by CWP for Storage when it detects S3 buckets or objects with public access [NOTE] ==== CWP for Storage requires additional subscription. ==== |
|
For Events, For Alerts, |
" |
The result includes events of queried parameter. [NOTE] ==== This attribute is optional. ==== |
|
|
" " " |
* Policy group: policy_group_name * Policy Name: policy_name * Instance Name: source_asset.source_name [NOTE] ==== This attribute is optional. ==== |
1.4.7. Response Body
{
"result": [<array of events/alerts>],
"total": <Integer, count of events/alerts>
}
1.4.8. Response Codes
Code |
Description |
200 |
Successful operation. |
400 |
Bad request. The request body is incorrect. |
401 |
Unauthorized access. The token is either invalid or expired. |
403 |
Forbidden. The request was valid and the credentials were successfully authenticated. However, the credentials do not grant permission to access the resource. |
404 |
URL is incorrect. |
429 |
Too many requests. |
500 |
Internal server error if the Symantec service attending to the API calls is down. |
1.4.9. Examples
List alerts raised for AWS CloudTrail events
{
"eventTypeToQuery": 16,
"pageSize": 10,
"pageNumber": 0,
"startDate": "2017-02-09T18:30:00.000Z",
"endDate": "2017-02-17T18:29:59.999Z",
"searchFilter": {
"searchQuery": ""
},
"additionalFilters": "(events.type_class IN [\"AmazonCloudTrail\"]) && (type_id = 16 && events.type_class is_not null)"
}
Get all alerts for CWP for Storage
{
"eventTypeToQuery": 16,
"pageSize": 10,
"pageNumber": 0,
"order": "DESCENDING",
"startDate": "2017-10-25T18:30:00.000Z",
"endDate": "2018-01-24T18:29:59.999Z",
"searchFilter": {},
"additionalFilters": "(type_id = 16) && ((events.type_class IN [\"ANTIMALWARE\",\"SCAN_STATUS\",\"PERMISSION_ASSESSMENT\"]))"
}
Get Anti-Malware alerts for CWP for Storage
{
"eventTypeToQuery": 16,
"pageSize": 10,
"pageNumber": 0,
"order": "DESCENDING",
"startDate": "2017-10-25T18:30:00.000Z",
"endDate": "2018-01-24T18:29:59.999Z",
"searchFilter": {},
"additionalFilters": "(type_id = 16) && ((events.type_class IN [\"ANTIMALWARE\"]))"
}
Search by using the key:value pair Alert Title: Process Access alert
{
"eventTypeToQuery": 16,
"pageSize": 10,
"pageNumber": 0,
"startDate": "2017-02-09T18:30:00.000Z",
"endDate": "2017-02-17T18:29:59.999Z",
"searchFilter": {
"searchQuery": ""
},
"additionalFilters": "(rule_name like \"Process Access alert\") && (type_id = 16 && events.type_class is_not null)"
}
List critical alerts of type Detection, Management, and AWS CloudTrail that have occurred in the last 2 days
{
"eventTypeToQuery": 16,
"pageSize": 10,
"pageNumber": 0,
"eventSeverities": [
3
],
"startDate": "2017-02-12T18:30:00.000Z",
"endDate": "2017-02-15T07:57:48.328Z",
"searchFilter": {},
"additionalFilters": "(events.type_class IN [\"MGMT\",\"IDS\",\"AmazonCloudTrail\"])
&& (type_id = 16 && events.type_class is_not null)"
}
List all alerts of all types that have an alert title as Multi Rule
{
"eventTypeToQuery": 16,
"pageSize": 10,
"pageNumber": 0,
"startDate": "2016-11-16T18:30:00.000Z",
"endDate": "2017-02-15T18:29:59.999Z",
"searchFilter": {
"searchQuery": ""
},
"additionalFilters": "(rule_name like \"Multi Rule\")
&& (type_id = 16 && events.type_class is_not null)"
}
1.4.10. Sample Script
Try the sample Python script from our GitHub location.
Use the script cwpgetalerts.py to download the Cloud Workload Protection alerts.
1.5. Anti-Malware scan service
API to start or schedule an Anti-Malware scan.
1.5.1. Overview
This service lets you start an on-demand Anti-Malware scan or schedule an Anti-Malware scan for the instances that you specify. If a malware is detected, Cloud Workload Protection quarantines the infected file and generates an event.
For more information, see Protecting the instances from malware
1.5.2. URL
https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/agents/av/scan
1.5.3. Request Method
Post
1.5.4. Request Header
content-type: application/json Authorization: <token-type> <access-token> x-epmp-customer-id: <customer-id> x-epmp-domain-id: <domain-id>
1.5.5. Request Body
{
"instanceIds":["<Instance ID>"],
"recurringJobDetails":{"recurringJobType":"<Job Type>"}
}
1.5.6. Request Parameters
Attribute name |
Values |
Component |
|
Specify one or more instance IDs in the format: This field specifies the instances where you want to schedule an Anti-Malware scan. |
Body |
|
The recurringJobDetails object contains an attribute recurringJobType. The values for recurringJobType can be: *
|
Body |
Scan frequency |
Parameters |
Example |
MANUAL |
The on-demand scan does not require any additional parameters. |
"recurringJobType":"MANUAL" |
ONETIME |
Specifies when the scan should start. Format: YYYY-MM-DD HH-MM-SS |
"recurringJobType": "ONETIME","startTime":"2017-09-07 00:00:00" |
HOURLY |
|
"recurringJobType": "HOURLY","hour":1,"startTime":"2017-09-07 00:00:00", "endTime":"2017-09-30 23:59:00" |
DAILY |
|
"recurringJobType": "DAILY","hour":1,"minute":0,"second":0, "startTime":"2017-09-07 00:00:00", "endTime":"2017-09-30 23:59:00" |
WEEKLY |
|
"recurringJobType": "WEEKLY","dayOfWeek":"MON","hour":1,"minute":0, "second":0,"startTime":"2017-09-07 00:00:00", "endTime":"2017-09-30 23:59:00" |
MONTHLY |
|
"recurringJobType": "MONTHLY","dayOfMonth":1,"hour":1,"minute":0, "second":0,"startTime":"2017-06-28 13:36:00", "endTime":"2017-09-28 13:36:00" |
1.5.7. Response Codes
Code |
Description |
200 |
Successful operation. |
400 |
Bad request. The request body is incorrect. |
401 |
Unauthorized access. The token is either invalid or expired. |
403 |
Forbidden. The request was valid and the credentials were successfully authenticated. However, the credentials do not grant permission to access the resource. |
404 |
URL is incorrect. |
409 |
Conflict. An Anti-Malware scan is already running on the specified instance. |
429 |
Too many requests. |
500 |
Internal server error if the Symantec service attending to the API calls is down. |
1.5.8. Examples
Start an on-demand Anti-Malware scan job
Request body:
{"instanceIds":["i-0efaa23619747c47c"],"recurringJobDetails":{"recurringJobType":"MANUAL"}}
Schedule an one-time Anti-Malware scan job
Request body:
{"instanceIds":["i-0efaa23619747c47c"],"recurringJobDetails":{"recurringJobType":"ONETIME","startTime":"2017-09-07 00:00:00"}}
Schedule an hourly recurring Anti-Malware scan job
Request body:
{"instanceIds":["i-0efaa23619747c47c"],"recurringJobDetails":{"recurringJobType":"HOURLY","hour":1,"startTime":"2017-09-07 00:00:00","endTime":"2017-09-30 23:59:00"}}
Schedule a daily recurring Anti-Malware scan job
Request body:
{"instanceIds":["i-0efaa23619747c47c"],"recurringJobDetails":{"recurringJobType":"DAILY","hour":1,"minute":0,"second":0,"startTime":"2017-09-07 00:00:00","endTime":"2017-09-30 23:59:00"}}
Schedule a weekly recurring Anti-Malware scan job
Request body:
{"instanceIds":["i-0efaa23619747c47c"],"recurringJobDetails":{"recurringJobType":"WEEKLY","dayOfWeek":"MON","hour":1,"minute":0,"second":0,"startTime":"2017-09-07 00:00:00","endTime":"2017-09-30 23:59:00"}}
Schedule a monthly recurring Anti-Malware scan job
Request body:
{"instanceIds":["i-0efaa23619747c47c"],"recurringJobDetails":{"recurringJobType":"MONTHLY","dayOfMonth":1,"hour":1,"minute":0,"second":0,"startTime":"2017-09-07 00:00:00","endTime":"2017-09-30 23:59:00"}}
1.5.9. Sample Script
Try the sample Python script from our GitHub location.
Use the script cwprunavscan.py to run an on-demand Anti-Malware scan.
1.6. Anti-Malware cancel scan service
API to cancel Anti-Malware scans.
1.6.1. Overview
This service lets you cancel a running Anti-Malware scan job for the instances that you specify.
1.6.2. URL
https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/agents/av/cancel-scan
1.6.3. Request Method
Post
1.6.4. Request Header
content-type: application/json Authorization: <token-type> <access-token> x-epmp-customer-id: <customer-id> x-epmp-domain-id: <domain-id>
1.6.5. Request Body
["<List Of instanceIds>"]
1.6.6. Request Parameters
Attribute name |
Values |
Component |
|
Specify one or more instance IDs in the format: This attribute specifies the instances where you want to cancel an Anti-Malware scan. |
Body |
1.6.7. Response Codes
Code |
Description |
200 |
Successful operation. |
400 |
Bad request. The request body is incorrect. |
401 |
Unauthorized access. The token is either invalid or expired. |
403 |
Forbidden. The request was valid and the credentials were successfully authenticated. However, the credentials do not grant permission to access the resource. |
404 |
URL is incorrect. |
429 |
Too many requests. |
500 |
Internal server error if the Symantec service attending to the API calls is down. |
1.6.8. Examples
Cancel an Anti-Malware scan job on two instances
Request body:
["i-01033bd4f26301f22","vm493132851e"]
1.7. Download agent package service
API for downloading the Cloud Workload Protection agent.
1.7.1. Overview
This service lets you download the Cloud Workload Protection agent package for the platforms that you specify. You can then install the agent on the instances.
To download the agent package, you must first obtain the authorization token.
1.7.2. URL
https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/agents/packages/download/platform/<PLATFORM>
<PLATFORM> can be any one of the following:
centos6, centos7, rhel6, rhel7, oel6, oel7, ubuntu14, ubuntu16, amazonlinux, or windows.
1.7.3. Request Method
Get
1.7.4. Request Header
Authorization: <token-type> <access-token> x-epmp-customer-id: <customer-id> x-epmp-domain-id: <domain-id>
1.7.5. Example
URL for downloading the agent for the Ubuntu 16.04 LTS platform
https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/agents/packages/download/platform/ubuntu16
1.7.6. Sample Script
Try the sample Python script from our GitHub location.
Use the script cwpagentinstall.py to download and install the agent on Linux instances.
1.8. Get instance basic details
Service to get the basic details of the instances.
1.8.1. Overview
This service returns a detailed list of all the instances in your environment. The instance details include instance id, name, platform, instance state, policy group applied status, and the agent installation status.
You must obtain the authorization token to use this service.
1.8.2. URL
https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/ui/assets/basic
1.8.3. Request Method
GET
1.8.4. Request Header
content-type: application/json Authorization: <token-type> <access-token> x-epmp-customer-id: <customer-id> x-epmp-domain-id: <domain-id>
1.8.5. Response Codes
Code |
Description |
200 |
Successful operation. |
400 |
Bad request. The request body is incorrect. |
401 |
Unauthorized access. The token is either invalid or expired. |
403 |
Forbidden. The request was valid and the credentials were successfully authenticated. However, the credentials do not grant permission to access the resource. |
404 |
URL is incorrect. |
429 |
Too many requests. |
500 |
Internal server error if the Symantec service attending to the API calls is down. |
1.9. Get policy group basic details
Service to get the basic details of the policy groups.
1.9.1. Overview
This service returns a detailed list of all the policy groups in your environment. The policy group details include policy group id, name, description, group type, mode (Test or Production), and the enabled capabilities.
You must obtain the authorization token to use this service.
1.9.2. URL
https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/policy/policy_groups/basic
1.9.3. Request Method
GET
1.9.4. Request Header
content-type: application/json Authorization: <token-type> <access-token> x-epmp-customer-id: <customer-id> x-epmp-domain-id: <domain-id>
1.9.5. Request Parameters
Attribute name |
Values |
Component |
|
The number of records to display on a page. This value can be set up to 1000. |
'limit':10 |
|
Specifies the number of pages to skip in the result. An offset 0 denotes the first page. If you set the offset to 2, the result starts from the third page. |
'offset':0 |
Where |
Lets you add conditions based on policy group attributes, and logical and relational operators. |
where=(name=’AcmeWebServerGroup’) |
1.9.6. Response Codes
Code |
Description |
200 |
Successful operation. |
400 |
Bad request. The request body is incorrect. |
401 |
Unauthorized access. The token is either invalid or expired. |
403 |
Forbidden. The request was valid and the credentials were successfully authenticated. However, the credentials do not grant permission to access the resource. |
404 |
URL is incorrect. |
429 |
Too many requests. |
500 |
Internal server error if the Symantec service attending to the API calls is down. |
1.10. Apply policy group on an instance
Service to apply policy group on a single instance.
1.10.1. Overview
This service lets you apply a policy group on an instance. The policy group ID and the instance ID must be provided in the request URL. If you want to apply the same policy group to multiple instances,
You must obtain the authorization token to use this service.
1.10.2. URL
https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/policy/assets/{InstanceId}/policy_groups/{policyGroupId}
InstanceID = Enter the Cloud Workload Protection instance ID. You can get the instance ID from the Instances and Software Services page of the Cloud Workload Protection portal.
policyGroupId = When you click on a policy group, you can see the policyGroupId in the URL.
1.10.3. Request Method
PUT
1.10.4. Request Header
content-type: application/json Authorization: <token-type> <access-token> x-epmp-customer-id: <customer-id> x-epmp-domain-id: <domain-id>
1.10.5. Response Codes
Code |
Description |
200 |
Successful operation. |
400 |
Bad request. The request body is incorrect. |
401 |
Unauthorized access. The token is either invalid or expired. |
403 |
Forbidden. The request was valid and the credentials were successfully authenticated. However, the credentials do not grant permission to access the resource. |
404 |
URL is incorrect. |
405 |
The request method is incorrect. |
429 |
Too many requests. |
500 |
Internal server error if the Symantec service attending to the API calls is down. |
1.10.6. Example
Request URL:
https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/policy/assets/i-0a11435c1370e6130/policy_groups/CzYwugVDRUmdWgaEPNi9wA
1.10.7. Sample Script
Try the sample Python script from our GitHub location.
Use the script cwppolicygroup.py to apply a policy group on an instance.
1.11. Apply policy group on multiple instances
Service to apply policy group on multiple instances.
1.11.1. Overview
This service lets you apply a policy group on multiple instances.
You must obtain the authorization token to use this service.
1.11.2. URL
https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/policy/policy_groups/{policyGroupId}/assets
When you click on a policy group, you can see the policyGroupId in the URL.
1.11.3. Request Method
PUT
1.11.4. Request Header
content-type: application/json Authorization: <token-type> <access-token> x-epmp-customer-id: <customer-id> x-epmp-domain-id: <domain-id>
1.11.5. Request Body
["instance_id-1","instance_id-2"]
1.11.6. Request Parameters
Field |
Description |
Component |
instance_id |
Specify the Cloud Workload Protection instance IDs where you want to apply the policy group. You can see the instance IDs on the Instances and Software Services page of the Cloud Workload Protection portal. The policy group ID must be specified in the request URL. |
Body |
1.11.7. Response Codes
Code |
Description |
200 |
Successful operation. |
400 |
Bad request. The request body is incorrect. |
401 |
Unauthorized access. The token is either invalid or expired. |
403 |
Forbidden. The request was valid and the credentials were successfully authenticated. However, the credentials do not grant permission to access the resource. |
404 |
URL is incorrect. |
405 |
The request method is incorrect. |
429 |
Too many requests. |
500 |
Internal server error if the Symantec service attending to the API calls is down. |
1.11.8. Example
Request body:
["i-01033bd4f26301f22","vm493132851e"]
1.12. Remove policy group from an instance
Service to remove the applied policy group from an instance.
1.12.1. Overview
This service lets you remove the applied policy group from an instance. The instance id, from where you want to remove the policy group, must be specified in the URL.
You must obtain the authorization token to use this service.
1.12.2. URL
https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/policy/policygroups/{instanceId}/all
instanceId = Enter the Cloud Workload Protection instance ID. You can get the instance ID from the Instances and Software Services page of the Cloud Workload Protection portal.
1.12.3. Request Method
DELETE
1.12.4. Request Header
content-type: application/json Authorization: <token-type> <access-token> x-epmp-customer-id: <customer-id> x-epmp-domain-id: <domain-id>
1.12.5. Response Codes
Code |
Description |
200 |
Successful operation. |
400 |
Bad request. The request body is incorrect. |
401 |
Unauthorized access. The token is either invalid or expired. |
403 |
Forbidden. The request was valid and the credentials were successfully authenticated. However, the credentials do not grant permission to access the resource. |
404 |
URL is incorrect. |
405 |
The request method is incorrect. |
429 |
Too many requests. |
500 |
Internal server error if the Symantec service attending to the API calls is down. |
1.12.6. Example
Request URL:
https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/policy/policygroups/i-0a11435c1370e6130/all
1.13. View applied policy group
Get the policy group that is applied to an instance.
1.13.1. Overview
This service lets you get the policy group that is applied on a particular instance. The asset ID must be provided in the request URL.
You must obtain the authorization token to use this service.
1.13.2. URL
https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/policy/assets/{AssetId}/policy_groups/
AssetId = Enter the Cloud Workload Protection asset ID. You can get the asset ID from the fetch asset API.
1.13.3. Request Method
GET
1.13.4. Request Header
content-type: application/json Authorization: <token-type> <access-token> x-epmp-customer-id: <customer-id> x-epmp-domain-id: <domain-id>
1.13.5. Response Codes
Code |
Description |
200 |
Successful operation. |
400 |
Bad request. The request body is incorrect. |
401 |
Unauthorized access. The token is either invalid or expired. |
403 |
Forbidden. The request was valid and the credentials were successfully authenticated. However, the credentials do not grant permission to access the resource. |
404 |
URL is incorrect. |
405 |
The request method is incorrect. |
429 |
Too many requests. |
500 |
Internal server error if the Symantec service attending to the API calls is down. |
1.13.6. Example
Request URL:
https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/policy/assets/i-0a11435c1370e6130/policy_groups/
1.14. Check OS and kernel support service
API to check if Symantec Cloud Workload Protection supports a specific Linux distribution and kernel.
1.14.1. Overview
To protect an instance with Cloud Workload Protection, you must ensure that the instance is running a supported OS and kernel as mentioned in the following list:
Use this API to check if Cloud Workload Protection supports a specific Linux distribution or kernel.
You must obtain the authorization token to use this service.
1.14.2. URL
https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/agents/packages/supported-platforms
1.14.3. Request Method
PUT
1.14.4. Request Header
content-type: application/json x-epmp-customer-id: <customer-id> x-epmp-domain-id: <domain-id> Authorization: Bearer <token>
1.14.5. Request Body
{
"osDistribution": "The OS distribution name",
"kernelVersion": "Kernel version"
}
1.14.6. Request Parameters
osDistribution: The name of the OS distribution that you want to check. For example:
"osDistribution": "Amazon Linux"
kernelVersion: The kernel version that you want to check. For example:
"kernelVersion": "4.9.17-1.amzn1.x86_64"
1.14.7. Response Codes
Code |
Description |
200 |
Successful operation. |
400 |
Invalid OS distribution. |
401 |
Unauthorized access. The token is either invalid or has expired. |
403 |
Forbidden. The request was valid and the credentials were successfully authenticated. However, the credentials do not grant permission to access the resource. |
404 |
URL is incorrect. |
405 |
The request method is incorrect. |
429 |
Too many requests. |
500 |
Failed to retrieve OS and kernel. |
1.14.8. Response Header
content-type: application/json
1.14.9. Response Data
The following table lists sample response data:
Scenario |
Response data |
The OS distribution and kernel version are supported. For example: {
"osDistribution": "Amazon Linux",
"kernelVersion": "4.9.17-1.amzn1.x86_64"
}
|
{
"description": "Agent is supported on 'Amazon Linux' with kernel version '4.9.17-1.amzn1.x86_64'",
"supported": true
}
|
The OS distribution is not supported. For example: {
"osDistribution": "SLES",
"kernelVersion": "4.4.74-*"
}
|
{
"description": "Agent supported OS distributions: Amazon Linux, CentOS release 6.*, CentOS release 7.*, Microsoft Windows 2008 R2.*, Microsoft Windows 2012 R2.*, Microsoft Windows 2016.*, Red Hat Enterprise Linux Server release 6.*, Red Hat Enterprise Linux Server release 7.*, Ubuntu 14.*, Ubuntu 16.*",
"supported": false
}
|
The kernel version is not supported. For example: {
"osDistribution": "Amazon Linux",
"kernelVersion": "4.4.11-1.amzn1.x86_64"
}
|
{
"description": "Agent supported kernel versions for 'Amazon Linux': 4.9.17-.*.amzn1.x86_64,
4.9.20-.*.amzn1.x86_64, 4.9.27-.*.amzn1.x86_64, 4.9.32-.*.amzn1.x86_64",
"supported": false
}
|
1.14.10. Example
The following is a sample Python code for this API service that you can use on a Linux instance.
import requests
import json
token = {}
mydict = {}
#CWP REST API endpoint URL for auth function
url = 'https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/oauth/tokens'
#TODO: Make sure you save your own CWP API keys here
clientsecret='1ncYYYQYYYQYQYYYYYQg8j4s7'
clientID=‘O2ID.SEJxecA###################2d0qfan5j91g5'
customerID=‘SEJ################YCxAg'
domainID=‘Dqdfie################IITB2w'
#Add to payload and header your CWP tenant & API keys - client_id, client_secret, x-epmp-customer-id and x-epmp-domain-id
payload = {'client_id' : clientID, 'client_secret' : clientsecret}
header = {"Content-type": "application/json" ,'x-epmp-customer-id' : customerID , 'x-epmp-domain-id' : domainID}
response = requests.post(url, data=json.dumps(payload), headers=header)
authresult=response.status_code
token=response.json()
if (authresult!=200) :
print "\nAuthentication Failed. Did you replace the API keys in the code with your CWP API Keys? Check clientsecret, clientID, customerID, and domainID\n"
exit()
#Extracting auth token
accesstoken= token['access_token']
accesstoken = "Bearer " + accesstoken
#Additional checks to make sure the agent is installed on supported Kernel versions
kernel = platform.release()
kernelversion = kernel.strip()
print "Detected OS: " + osdistribution + ", Kernel: " + kernelversion
#CWP REST API function endpoint URL for checking if platform and kernel is supported
urlplatformcheck = 'https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/agents/packages/supported-platforms'
payload={}
payload['osDistribution'] = osdistribution
payload['kernelVersion'] = kernelversion
#print 'Payload: ' + str(payload)
headerplatformcheck = {"Authorization": accesstoken ,'x-epmp-customer-id' : customerID , 'x-epmp-domain-id' : domainID , "Content-Type": "application/json"}
#print 'Headers: ' + str(headerplatformcheck)
response = requests.put(urlplatformcheck, data= json.dumps(payload), headers=headerplatformcheck)
if response.status_code != 200:
print "supported-platforms API call failed \n"
exit()
outputplatformcheck = {}
outputplatformcheck = response.json()
#print outputplatformcheck
if (outputplatformcheck['supported']) :
print "Supported OS: " + osdistribution + ", Kernel: " + kernelversion
print "\n" + outputplatformcheck['description']
else :
print "Non Supported OS: " + osdistribution + ", Kernel: " + kernelversion
print outputplatformcheck['description'] + "\n"
exit()
1.15. Threat and vulnerability service
API to get a list of potential threats and vulnerabilities.
1.15.1. Overview
Use this API service to get a list of the potential threats and vulnerabilities that may impact your instances.
You must obtain the authorization token to use this service.
1.15.2. URL
Depending on whether you want the potential vulnerabilities or the threats, use any of the following URLs:
https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/vulnerabilities https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/threats
1.15.3. Request Method
POST
1.15.4. Request Header
content-type: application/json Authorization: <token-type> <access-token> x-epmp-customer-id: <customer-id> x-epmp-domain-id: <domain-id>
1.15.5. Request Body
{
"cve" : ["CVE_ID"],
"name" : ["name1","name2"],
"description" : ["description"],
"application" : ["application1","application2"],
"severity" : ["severity1","severity2"],
"instances" : ["instanceID"]
}
The request body filters the records as per your requirement. If you want to get all the records, provide an empty request body as: {}.
1.15.6. Request Parameters
Attribute |
Description |
Example |
cve |
Accepts multiple CVE IDs as comma separated values and displays records that are a part of all the specified CVE IDs. |
"cve":["CVE-2017-5715", "CVE-2017-5753", "CVE-2017-5754"] |
name |
Accepts multiple phrases as comma separated values and displays records that have all the specified names. This attribute is case sensitive. Specify the exact name. Ensure that the value does not contain any trailing spaces. |
"name":["overflow","integer"] |
description |
Accepts multiple words as comma separated values and displays records that have all the specified values. This attribute is case sensitive. |
"description":["attack"] |
application |
Accepts multiple application names and displays records that are a part of any of the specified values. |
"application":["MySQL","Apache"] |
severity |
Accepts multiple severity values and displays the records that are a part of any of the specified severities. The accepted values are: HIGH, MEDIUM, LOW. These values must be provided in capital letters. |
"severity":["HIGH","LOW"] |
instances |
Accepts multiple instance IDs and displays records that are a part of any of the specified instances. |
"instances" : ["i-08eacf36d1xxxxx"] |
1.15.7. Example
To fetch vulnerabilities of high or low severity that have overflow and integer in its name and impacts either MySQL or Apache.
Sample request body:
{
"cve" : [],
"name" : ["overflow","Integer"],
"description" : ["attack"],
"application" : ["MySql","Apache"],
"severity" : ["HIGH","LOW"]
}
Sample response body:
{
"vulnerabilities": [
{
"title": "OpenSSL CVE-2016-2177 Integer Overflow Vulnerability",
"severity_level": "HIGH",
"description": "OpenSSL is an open-source cryptography library. OpenSSL is prone to an integer-overflow vulnerability because it fails to adequately bounds-check user-supplied data before copying it into an insufficiently sized buffer. Specifically, this issue affects the codebase because it incorrectly uses pointer arithmetic for heap-buffer boundary checks. An attacker can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely result in denial-of-service conditions. OpenSSL 1.0.2h and prior versions are vulnerable.",
"cves": "[\"CVE-2016-2177\"]",
"instances": [
"i-08eacf36d1891424a"
],
"threats": [],
"applications": [
"Oracle!MySql Server!5.6.31!Unix!cpe:2.3:a:oracle:mysql:5.6.31::::::"
]
}
],
"totalcount": 1
}
1.15.8. Sample Script
Try the sample Python script from our GitHub location.
Use the script cwptandv.py to get information about the potential threats and vulnerabilities.
1.16. Agent version service
API to know the latest version of the Cloud Workload Protection agent for different platforms.
1.16.1. Overview
Use this API to know the latest version of the Cloud Workload Protection agent for all the supported platforms. You can either see the latest agent version for a particular platform or get a list of the latest agent versions for all platforms.
You must obtain the authorization token to use this service.
1.16.2. URL
To get the agent versions for all platforms, use:
https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/agents/packages/platform/all
To know the latest agent version for a particular platform, use:
https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/agents/packages/latestversion/platform/Supported_Platform
Where Supported_Platform can be any one of the following:
centos6, centos7, rhel6, rhel7, oel6, oel7, ubuntu14, ubuntu16, amazonlinux, windows.
1.16.3. Request Method
GET
1.16.4. Request Header
content-type: application/json Authorization: <token-type> <access-token> x-epmp-customer-id: <customer-id> x-epmp-domain-id: <domain-id>
1.16.5. Example
To know the latest agent version for CentOS 7:
GET https://dcs-stage.symprotectcloud.com/dcs-service/dcscloud/v1/agents/packages/latestversion/platform/centos7
Sample output:
{
"CWPAgentVersionInfo": {
"version": "6.7.4.406"
}
}
1.16.6. Sample Script
Try the sample Python script from our GitHub location.
Use the script cwp_agent_version.py to see the latest Cloud Workload Protection agent version for the supported platforms.
1.17. Create or update AWS connection
REST API Sample to create an AWS connection and update the Role ARN, SQS URL, and Polling interval in a single call. Use this if you are automating the creation of AWS connection in Cloud Workload Protection with your AWS account from within your AWS infrastructure building scripts where an AWS account is created on the fly.
1.17.1. Overview
Use this API to get a list of all the existing connections, create a new AWS connection, and update an existing AWS connection.
You must obtain the authorization token to use this service.
1.17.2. URL
https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/cpif/cloud_connections
To get details about a specific existing connection:
https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/cpif/cloud_connections/id
Where id is the connection id that you get after creating a connection.
1.17.3. Request Method
To get a list of the existing connections, use: GET
To create a new AWS connection, use: POST
To update an existing AWS connection, use: PUT
1.17.4. Request Header
content-type: application/json Authorization: <token-type> <access-token> x-epmp-customer-id: <customer-id> x-epmp-domain-id: <domain-id>
1.17.5. Request Body
The request body is required only for updating a connection. See the following sample request body:
For connections with Sync Option as Periodic Sync:
{
"cloud_platform":"AWS",
"id":"b_xxxxxxx_IeY6r6w",
"name":"Connection Name",
"external_id":"wxxxxxxxx",
"pollingIntervalHours":1,
"pollingIntervalMinutes":30,
"cross_account_role_arn":"arn:aws:iam::000000:role/Sample Role",
"description":"FROM API",
"requires_polling":true,
"events_url":[]
}
For connections with Sync Option as AWS CloudTrail:
{
"cloud_platform":"AWS",
"id":"b_xxxxxxx_IeY6r6w",
"name":"Connection Name",
"external_id":"wxxxxxxxx",
"aws_properties":{
"cloudWatchLogEnabled": true,
"cloudwatch_loggroup_name": "cwpalerts",
"cloudwatch_logstream_name": "cwpalerts",
"cloudwatch_log_enabled": true,
"cloudwatchlog_region": "us-west-2"
},
"pollingIntervalHours":1,
"pollingIntervalMinutes":30,
"cross_account_role_arn":"arn:aws:iam::000000:role/Sample Role",
"description":"FROM API",
"requires_polling":false,
"events_url":[
{
"name":"SCWPSQSQueue1",
"url":"https://sqs.us-west-2.amazonaws.com/143926267875/SCWPSQSQueue1"
}
]
}
1.17.6. Response Body
The following is a sample response body for the create connection (POST) method:
{
"cloud_platform": "AWS",
"name": "jKcLmwajq9",
"external_id": "axxxxxxx",
"access_mechanism": 0,
"created": "2018-06-03T06:01:59.864Z",
"modified": "2018-06-03T06:01:59.864Z",
"obj_classes": [
"dcs_adapter_config"
],
"uri": "/v1/mdr/dcs_adapter_configs/cByexxxxxxxxx",
"id": "cByexxxxxxxxx"
}
1.17.7. Sample Script
Try the sample Python script from our GitHub location.
Use the script cwp_aws_connection_get_create.py to get the list of existing connections and to create a new AWS connection.
Use the script cwp_aws_connection_create_single_call.py to create an AWS connection.
Use the script cwp_aws_connection_update.py to update an existing AWS connection.
1.18. Download agent logs
Download and save the agent logs of a Windows or Linux instance of Cloud Workload Protection using the agentlogsdownloadzip.py script. This script can be downloaded from our GitHub location.
1.18.1. Prerequisites to use the script
-
Python 2.7.15 or higher version must be installed
-
pip must be installed
-
Packages or modules such as requests, json, time, sys, re, os, are installed.
1.18.2. Parameters
You must obtain the following parameters from the Settings > API Keys page of the Cloud Workload Protection console to execute the script.
Customer ID : <customer-id> Domain ID : <domain-id> Client ID : <client-id> Client Secret Key : <client-secret-key>
Get the Instance ID from the Instance Details page of the Cloud Workload Protection console. The instance ID is that of the virtual machine, and is required to download the agent logs.
Instance ID : <instance-id>
Execute the script as:
python downloadagentlogs.py <Customer ID> <Domain ID> <Client Id> <Client Secret Key> <Instance ID>
1.19. Add a Symantec tag to an instance
Tags are about labelling instances. Tags are used based on what purpose the instance serves. For example, you can tag instances with labels such as Production, Test, Finance, Logistics, Online_Transactions, and so on. Add a tag to segregate the instances of Cloud Workload Protection.
1.19.1. URL
https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/ui/tags/add
1.19.2. Request Method
PUT
1.19.3. Request Header
content-type: application/json Authorization: <token-type> <access-token> x-epmp-customer-id: <customer-id> x-epmp-domain-id: <domain-id>
1.19.4. Request Body
{"asset_ids":["i-02cxxxxxxxx3de", "i-0dtxxxxxxxx2st"],"tags":["sampletag1","sampletag2"]}
1.19.5. Request Parameters
Attribute |
Description |
Asset id |
The ID of the instance that you want to tag. |
Tags |
Name of the tags that you want to apply to the instances. |
1.19.6. Response Code
Code |
Description |
201 |
Tags are added successfully. |
401 |
Unauthorized access. The token is either invalid or expired. |
404 |
URL is incorrect. |
500 |
Internal server error if Asset Id is invalid. |
1.19.7. Example
Download thesample scriptto add a tag to an instance.
1.20. Delete a Symantec tag from an instance
Delete a tag that you applied to an instance of Cloud Workload Protection.
1.20.1. URL
https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/ui/tags/delete
1.20.2. Request Method
DELETE
1.20.3. Request Header
content-type: application/json Authorization: <token-type> <access-token> x-epmp-customer-id: <customer-id> x-epmp-domain-id: <domain-id>
1.20.4. Request Body
{"asset_ids":["i-02cxxxxxxxx3de", "i-0dtxxxxxxxx2st"],"tags":["sampletag1","sampletag2"]}
1.20.5. Request Parameters
Field |
Description |
Asset id |
The ID of the instance from where you want to delete the tag. |
Tags |
Name of the tags that you want to delete from the instances. |
1.20.6. Response Code
Code |
Description |
201 |
Tags are deleted successfully. |
401 |
Unauthorized access. The token is either invalid or expired. |
404 |
URL is incorrect. |
500 |
Internal server error if Asset Id is invalid. |
1.20.7. Example
Download thesample script to delete a tag from an instance.
1.21. Export policy settings of a policy group
API to retrieve the settings configured for the policies of a policy group.
1.21.1. Overview
This API returns a list of settings that are configured in the policies of a policy group. The settings are classified as IPS (Prevention related settings) and IDS (Detection related settings) wherever applicable. These are the same settings that are displayed for the policy details in the console. This API provides option to return the list of settings of all the policies in the policy group, or of a single specific policy of the policy group. Refer to the examples section for more information. You must obtain the authorization token to use this service or API.
1.21.2. URL
https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/policy/public/policy_groups/{policyGroupId}/policies/{policyId}/settings
1.21.3. Request Method
GET
1.21.4. Request Header
content-type: application/json Authorization: <token-type> <access-token> x-epmp-customer-id: <customer-id> x-epmp-domain-id: <domain-id>
1.21.5. Response Codes
Code |
Description |
200 |
Successful operation. |
400 |
Bad request. The request body is incorrect. |
401 |
Unauthorized access. The token is either invalid or expired. |
403 |
Forbidden. The request was valid and the credentials were successfully authenticated. However, the credentials do not grant permission to access the resource. |
404 |
URL is incorrect. |
405 |
The request method is incorrect.. |
429 |
Too many requests. |
500 |
Internal server error if the Symantec service attending to the API calls is down. |
1.21.6. Example
Request URL
This will return settings of ALL the policies present in the policy group with id ‘CzYwugVDRUmdWgaEPNi9wA’.
GET https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/policy/public/policy_groups/CzYwugVDRUmdWgaEPNi9wA/policies/all/settings
This will return settings of policy with id ‘BGf_hGUGT56BHX5op6Swdg’ present in the policy group with id ‘CzYwugVDRUmdWgaEPNi9wA’.
GET https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/policy/public/policy_groups/CzYwugVDRUmdWgaEPNi9wA/policies/BGf_hGUGT56BHX5op6Swdg/settings
1.22. Create a Google Cloud Platform (GCP) connection
Create a Google Cloud Platform connection.
1.22.1. URL
https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/ui/gcp/adapter_configs/public
1.22.2. REQUEST METHOD
POST
1.22.3. REQUEST HEADER
content-type: application/json Authorization: <token-type> <access-token> x-epmp-customer-id: <customer-id> x-epmp-domain-id: <domain-id>
1.22.4. REQUEST BODY
{
"cloud_platform": "GCP",
"name": "xxxxxxxx",
"description": "xxxxxxxxxxxx",
"gcpProperties": {
"serviceAccountJson": “{}”
},
"pollingIntervalHours": 6,
"pollingIntervalMinutes": 15
}
1.22.5. RESPONSE CODE
Code |
Description |
200 |
GCP cloud connection created successfully. |
404 |
URL is incorrect. |
500 |
Internal server error. |
1.22.6. Sample Script
Try the sample Python script from our GitHub location.
1.23. Update a GCP connection
Update an established Google Cloud Platform cloud connection
1.23.1. URL
https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/ui/gcp/adapter_configs/public
1.23.2. REQUEST METHOD
PUT
1.23.3. REQUEST HEADER
content-type: application/json Authorization: <token-type> <access-token> x-epmp-customer-id: <customer-id> x-epmp-domain-id: <domain-id>
1.23.4. REQUEST BODY
{
"id":"xxxxxxxxx",
"cloud_platform": "GCP",
"name": "xxxxxxxx",
"description": "xxxxxxxxxxxx",
"gcpProperties": {
"serviceAccountJson": “{}”
},
"pollingIntervalHours": 6,
"pollingIntervalMinutes": 15
}
1.23.5. RESPONSE CODE
Code |
Description |
200 |
GCP cloud connection updated successfully. |
404 |
URL is incorrect. |
500 |
Internal server error. |
1.23.6. Sample Script
Try the sample Python script from our GitHub location.
1.24. Create an Oracle Cloud Infrastructure (OCI) connection
Create an Oracle Cloud Infrastructure connection
1.24.1. URL
https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/ui/ocp/adapter_configs/public
1.24.2. REQUEST METHOD
POST
1.24.3. REQUEST HEADER
content-type: application/json Authorization: <token-type> <access-token> x-epmp-customer-id: <customer-id> x-epmp-domain-id: <domain-id>
1.24.4. REQUEST BODY
{
"cloud_platform": "OCI",
"name": "xxxxxxxxxx",
"description": "xxxxxxxxx",
"ocpProperties": {
"auditevent_sync": false,
"homeRegion": "xxxxxxxxxxxxx",
"userId": "ocid1.user.oc1xxxxxxxxxxxxxxxxxxxxxxxx5svgf2xxxxxxxxxxxxxmlfrekjpa",
"tenancyId": "ocid1.tenancy.oc1xxxxxxxxxxxxxxxxxrw2ntxxxxxxxxxxxp4jq",
"fingerPrint": "xxxxxxxxxxxxxxxxxxxxxxx",
"privateRSAKey": "-----BEGIN RSA PRIVATE KEY-----xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx----END RSA PRIVATE KEY-----"
},
"pollingIntervalHours": 6,
"pollingIntervalMinutes": 0
}
1.24.5. RESPONSE CODE
Code |
Description |
200 |
OCI cloud connection created successfully. |
404 |
URL is incorrect. |
500 |
Internal server error. |
1.24.6. Sample Script
Try the sample Python script from our GitHub location.
1.25. Update an OCI connection
Use this API to update an established Oracle Cloud Infrastructure cloud connection.
1.25.1. URL
https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/ui/ocp/adapter_configs/public
1.25.2. REQUEST METHOD
PUT
1.25.3. REQUEST HEADER
content-type: application/json Authorization: <token-type> <access-token> x-epmp-customer-id: <customer-id> x-epmp-domain-id: <domain-id>
1.25.4. REQUEST BODY
{
"id":"xxxxxxxxxxxxxx",
"cloud_platform": "OCI",
"name": "xxxxxxxxxx",
"description": "xxxxxxxxx",
"ocpProperties": {
"auditevent_sync": false,
"homeRegion": "xxxxxxxxxxxxx",
"userId": "ocid1.user.oc1xxxxxxxxxxxxxxxxxxxxxxxx5svgf2xxxxxxxxxxxxxmlfrekjpa",
"tenancyId": "ocid1.tenancy.oc1xxxxxxxxxxxxxxxxxrw2ntxxxxxxxxxxxp4jq",
"fingerPrint": "xxxxxxxxxxxxxxxxxxxxxxx",
"privateRSAKey": "-----BEGIN RSA PRIVATE KEY-----xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx----END RSA PRIVATE KEY-----"
},
"pollingIntervalHours": 6,
"pollingIntervalMinutes": 0
}
1.25.5. RESPONSE CODE
Code |
Description |
200 |
OCI cloud connection updated successfully. |
404 |
URL is incorrect. |
500 |
Internal server error. |
1.25.6. Sample Script
Try the sample Python script from out GitHub location.
1.26. Create an Azure Cloud connection
Create an Azure Cloud connection.
1.26.1. URL
https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/cpif/cloud_connections
1.26.2. REQUEST METHOD
POST
1.26.3. REQUEST HEADER
content-type: application/json Authorization: <token-type> <access-token> x-epmp-customer-id: <customer-id> x-epmp-domain-id: <domain-id>
1.26.4. REQUEST BODY
{
"cloud_platform":"AZURE",
"requires_polling":true,
"azure_properties":{
"client_id":"<>",
"tenant_id":"<>",
"secret":"<>"
},
"pollingIntervalHours": 6,
"pollingIntervalMinutes": 15
}
1.26.5. REQUEST PARAMETER
No Request parameters.
Code |
Description |
200 |
Azure cloud connection created successfully. |
404 |
URL is incorrect. |
500 |
Internal sever error. |
1.27. Update an Azure Cloud Connection
Update an established Azure Cloud Connection
1.27.1. URL
https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/cpif/cloud_connections
1.27.2. REQUEST METHOD
PUT
1.27.3. REQUEST HEADER
content-type: application/json Authorization: <token-type> <access-token> x-epmp-customer-id: <customer-id> x-epmp-domain-id: <domain-id>
1.27.4. REQUEST BODY
{
“Id”:”<>”
"cloud_platform":"AZURE",
"requires_polling":true,
"azure_properties":{
"client_id":"<>",
"tenant_id":"<>",
"secret":"<>"
},
"pollingIntervalHours": 6,
"pollingIntervalMinutes": 15
}
1.27.5. REQUEST PARAMETER
No Request parameters.
1.27.6. RESPONSE CODE
Code |
Description |
200 |
Azure cloud connection update successfully. |
404 |
URL is incorrect. |
500 |
Internal server error. |
1.28. Upload Distributor package
Use this API to create a Distributor package using different agent installation packages for the various platform versions. You can provide a package name and provide an S3 bucket location. This API creates the Distributor package using different agent packages and a manifest file, and upload it on the S3 bucket. This package is listed on the AWS Systems Manager console under Distributor
This API does the following:
-
Gets the agent packages for various OS versions from the Cloud Workload Protection console
-
Deletes the agent package if package of same version already exists in the SSM Distributor.
-
Uploads different agent packages to S3 buckets in the format required for the SSM Distributor.
-
Publishes the package using the Distributor APIs.
More details about the workflow is here.
1.28.1. URL
https://scwp.securitycloud.symantec.com//dcs-service/dcscloud/v1/manage-agent/ssmpackage/upload
1.28.2. REQUEST METHOD
POST
1.28.3. REQUEST HEADER
content-type: application/json Authorization: <token-type> <access-token> x-epmp-customer-id: <customer-id> x-epmp-domain-id: <domain-id>
1.28.4. REQUEST BODY
-
Without proxy
{
"bucketName": "Bucket Name",
"packageName": "Package Name",
"connectionId": "KxxxxxxxxxxxxxxxxxxxxQ",
"rebootInstances": "true",
"uploadAmazonLinux2": "true",
"comments": "Description of package",
"proxyDetails": {}
}
-
With proxy
{ "bucketName": "Bucket Name", "packageName": "Package Name", "connectionId": "KxxxxxxxxxxxxxxxxxxxxQ", "rebootInstances": "true", "uploadAmazonLinux2": "true", "comments": "Description of package", "proxyDetails": { "proxy_server": "1xx.xx.2xx.1xx", "proxy_port": "xxxx", "proxy_username": "User name", "proxy_password": "Password", "proxy_protocol": "http or https" } }The description of the parameters are:
Parameter |
Description |
packageName |
You can upload multiple packages by providing the package name while uploading. Package names cannot contain special characters or spaces, and can be a maximum of 128 characters. |
rebootInstances |
Instance reboots when this package is installed. |
uploadAmazonLinux2 |
Upload the Linux amazon2 package but not Linux amazon1. By default, upload AmazonLinux2 platform is false, which means that amazon1 is bundled. |
comments |
This is optional. You can limit up to 255 characters for the comments. |
1.28.5. RESPONSE CODE
{"jobId":"12345","packageName":"CWPPackage","packageVersion":"1.0.0"}
1.29. Install/Remove Distributor package
Install or remove the Distributor packages that you uploaded to the AWS SSM Distributor using the Upload package API. The Distributor package is installed on a set of AWS instances based on the instance IDs or the instance tags. To remove an existing agent from the instances, make sure that the instances are in active state and that SSM Distributor was used to install the agent on the instances.
1.29.1. URL
Install
https://scwp.securitycloud.symantec.com//dcs-service/dcscloud/v1/manage-agent/ssmpackage/install
Remove
https://scwp.securitycloud.symantec.com//dcs-service/dcscloud/v1/manage-agent/ssmpackage/remove
More details about the workflow is here.
1.29.2. REQUEST METHOD
POST
1.29.3. REQUEST HEADER
content-type: application/json Authorization: <token-type> <access-token> x-epmp-customer-id: <customer-id> x-epmp-domain-id: <domain-id>
1.29.4. REQUEST BODY
-
With instance ID
{ "bucketName": "Bucket Name", "packageName": "Package Name", "connectionId": "KxxxxxxxxxxxxxxxxxxxxQ", "region": "us-east-1", "instanceIds": [ "i-xxxxxxxxxxxxxxxxf" ], "packageVersion": "1.0.0", "tags": {} } -
With tags
{ "bucketName": "Bucket Name", "connectionId": "KxxxxxxxxxxxxxxxxxxxxQ", "region": "us-east-1", "instanceIds": [], "packageVersion": "1.0.0", "tags": { "Department": "Finance", "Environment ": "Prod" } }
1.29.5. RESPONSE BODY
{
"bucketName": "Bucket Name",
"packageName": "Package Name",
"connectionId": "KxxxxxxxxxxxxxxxxxxxxQ",
"region": "us-east-1",
"instanceIds": [],
"packageVersion": "1.0.0",
"tags": {
"Department": "Finance",
"Environment ": "Prod"
}
}
1.30. Get Upload/Install/Remove job status
Get the job status for the jobs that are triggered for uploading the agent installation package to the SSM Distributor.
1.30.1. URL
- https://scwp.securitycloud.symantec.com//dcs-service/dcscloud/v1/manage-agent/ssmpackage/upload/{jobId}/status
1.30.2. REQUEST METHOD
GET
1.30.3. REQUEST HEADER
Authorization: <token-type> <access-token> x-epmp-customer-id: <customer-id> x-epmp-domain-id: <domain-id>
1.30.4. RESPONSE BODY
{
"jobParameter": {
"amazonlinux": "SUCCESS",
"ubuntu18": "SUCCESS",
"ubuntu16": "SUCCESS",
"windows": "SUCCESS",
"centos6": "SUCCESS",
"rhel7": "SUCCESS",
"centos7": "SUCCESS",
"ubuntu14": "SUCCESS",
"rhel6": "SUCCESS"
},
"failureReason": "",
"comments": "Description of package",
"bucketName": "Bucket Name",
"bucketLocation": "us-east-1",
"connectionId": "KxxxxxxxxxxxxxxxxxxxxQ",
"connectionName": "V3uBOHku7M",
"proxy_server": "1xx.xx.2xx.1xx",
"proxy_port": "xxxx",
"proxy_username": "User name",
"proxy_password": "Password",
"proxy_protocol": "http or https",
"packageName": "Package Name",
"packageVersion": "1.0.0",
"uploadAmazonLinux2": false,
"rebootInstances": false,
"supportedOS": {
"amazon": [
"2018.03",
"2017.09.01",
"2017.12"
],
"ubuntu": [
"14.04",
"16.04",
"18.04"
],
"windows": [
"_any"
],
"redhat": [
"6.8",
"6.9",
"7.2",
"7.3",
"7.4",
"6.10",
"7.5",
"6.7",
"7.6"
],
"centos": [
"6.8",
"6.9",
"7",
"7.0",
"7.1",
"7.2",
"7.3",
"7.4",
"6.10",
"7.5",
"6.7"
]
}
}
1.31. Get Install/Remove job status
Get the job status of the jobs that are during installation or uninstallation of the agent package.
1.31.1. URL
-
Install job status
https://scwp.securitycloud.symantec.com//dcs-service/dcscloud/v1/manage-agent/ssmpackage/install/{jobId}/status Uninstall job status - https://scwp.securitycloud.symantec.com//dcs-service/dcscloud/v1/manage-agent/ssmpackage/uninstall/{jobId}/status -
Uninstall job status
https://scwp.securitycloud.symantec.com//dcs-service/dcscloud/v1/manage-agent/ssmpackage/uninstall/{jobId}/status
1.31.2. REQUEST METHOD
GET
1.31.3. REQUEST HEADER
Authorization: <token-type> <access-token> x-epmp-customer-id: <customer-id> x-epmp-domain-id: <domain-id
1.31.4. RESPONSE BODY
-
With instance IDs
{ "jobParameterInstances": { "i-xxxxxxxxxxxxxxxxd": "S3 logs link", "i-xxxxxxxxxxxxxxxxf": "S3 logs link" }, "jobParameterTags": null, "failureReason": "", "bucketName": "Bucket Name", "bucketLocation": "us-east-1", "connectionId": "KxxxxxxxxxxxxxxxxxxxxQ", "connectionName": "Connection Name", "commandId": "2574e1cf-05fb-458c-bf4e-83a48750f65b", "packageName": "Package Name" } -
With tags
{ "jobParameterInstances": null, "jobParameterTags": { "Name": "{\"tagValue\":\" Tag Value\",\"tagName\":\"Name\",\"logLocation\":\"S3 logs link\"}" }, "failureReason": "", "bucketName": "Bucket Name", "bucketLocation": "us-east-1", "connectionId": "KxxxxxxxxxxxxxxxxxxxxQ", "connectionName": "CWP AWS Connectionh", "commandId": "2574e1cf-05fb-458c-bf4e-83a48750f65b", "packageName": "Package Name", "packageVersion": "1.0.0" }
1.32. Export subscription usage
Export the Cloud Workload Protection subscription usages.
1.32.1. URL
https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/metering/{usageType}/{domain}/?month_type={month_type}
1.32.2. REQUEST METHOD
GET
1.32.3. REQUEST HEADER
Authorization: <token-type> <access-token> x-epmp-customer-id: <customer-id> x-epmp-domain-id: <domain-id> "Content-Type": "application/json
1.32.4. RESPONSE CODE
Code |
Description |
200 |
Successful operation |
1.32.5. Example
Refer to the sample script here.
2. Cloud Workload Protection Incident Response Use Cases
2.1. Viewing the critical alerts that were raised in the last X hours or days
Alerts of different severities are generated based on the defined alert rules. Use the Cloud Workload Protection Alerts service to get a list all the alerts. You can apply filters to get alerts of a given severity in a given time interval.
Procedure
Perform the following steps to get a list of critical alerts that were raised in a specific time interval.
Step |
Task |
Step 1 |
Establish a connection by using authorization service and get authorization token. |
Step 2 |
Fetch the alerts by using the alerts service. |
Step 3 |
Apply the required filters:
|
Example
The following is an example of how you can get a list of the critical alerts that were raised in a specific time interval.
Request URL |
https://scwp.securitycloud.symantec.com/dcs-service/sccs/v1/events/search |
Request Method |
POST |
Request Headers |
content-type: application/json Authorization: <token-type> <access-token> x-epmp-customer-id: <customer-id> x-epmp-domain-id: <domain-id> |
Request Body |
{
"eventTypeToQuery": 16,
"pageSize": 10,
"pageNumber": 0,
"order": "DESCENDING",
"eventSeverities": [3],
"startDate": "2017-10-17T18:30:00.000Z",
"endDate": "2017-10-25T18:29:59.999Z",
"searchFilter": {},
"additionalFilters": "(type_id = 16 && events.type_class is_not null)"
}
|
Response |
[{
"customer_uid":"<customer-id>","domain_uid": "<domain-id>",
"rule_id": "27cd1ca0-bc09-11e6-c686-0000000006a9",
"rule_name": "Unsecured Instances Detected",
"rule_type": "one_event_rule",
"description": "Instance is unprotected for more than 1 hour.",
"log_name": "epmp_events-2017-10-24/16",
"type_id": 16, "timezone": 0,
"severity_id": 3,
"time": "2017-10-24T15:02:22.649Z",
"end_time": "2017-10-24T15:02:22.649Z",
"message": "An event has occurred that needs your attention",
"uuid": "16:56c21a90-b8cc-11e7-d59a-00000041bb0b",
"log_time": "2017-10-24T15:02:22.649Z",
"device_ip": "<device-ip>","device_name":"<device-name>",
"device_end_time": "2017-10-24T15:02:22.649Z",
"composite": 1, "id": 0, "notify": [],
"events": [{"customer_uid": "<customer-id>",
"data": {"eventID": "0402c726-b6d1-4016-b11e-d1a82a3ed9c2",
"user_info": {
"invokedBy": "dcs.cloud.event.monitoring.service" },
"requestID": "8ff42727-d34e-4ae8-9094-5de3b7636007",
"eventVersion": "1.0",
"eventSource": "dcs.cloud.event.monitoring.service",
"recipientAccountId": "NA",
"description": "Unprotected Instance",
"userAgent": "dcs.cloud.event.monitoring.service",
"eventType": "InstanceProtectionTimeout"},
"type_id": 6000, "type_class": "MONITORING",
"timezone": 0, "system_state": "NA",
"message": "Agent is not yet installed on Instance i-09331f4788a6d0051",
"type": "1008","priority": "0","version": "1.0",
"product_name": "Symantec Cloud Workload Protection",
"uuid": "6000:56c1f380-b8cc-11e7-c12f-00000041bb0a",
"log_time": "2017-10-24T15:02:22.648Z",
"disposition": "NA", "category_id": 1, "severity_id": 5,
"user_info": { "user_name": "dcs-cloud-admin" }, "domain_uid": "<domain-id>",
"time": "2017-10-24T15:02:22.648Z",
"product_uid": "F979E61C-A412-4A58-8879-B83E25B7327F",
"type_description": "Instance Protection Time Out",
"source_asset": {"source_vpc": "vpc-ec15e68b", "source_autoscaling_group": "SG",
"instanceState":"Running","agentInstalled":"Not_Installed",
"policyAppliedStatus": "NOTAPPLIED",
"source_subnet": "<subnet-id>",
"source_region": "us-east-1",
"source_id": "hIuV8mUqQ32vr0HZQ16MIw",
"source_cloud_platform": "AWS",
"source_name": "i-09331f4788a6d0051",
"tags": [{ "name": "CreatorName","value": "symc-prod"},
{"name": "ApplicationRole","value": "compute"} ] },
"type_code": "InstanceProtectionTimeOut" } ],
"device_time": "2017-10-24T15:02:22.649Z"
}]
|
2.1.1. Sample scripts
You can fetch the alerts by using the following python scripts too. Create the files as mentioned below. Ensure that all the files are present in the same folder.
-
Create a configuration file as ScwpGetAlertsConfig.ini with the following code and update the credentials section. Get the credentials from the Settings > API Keys page of the Cloud Workload Protection portal.
v125098428linespecific #ScwpGetAlertsConfig.ini #You can get following details from 'Settings' page of the portal [Credentials] *CUSTOMER_ID* = SEJx##############A8YCxAg *DOMAIN_ID* = Dqd####################w *CLIENT_ID* = O2########################b74d2d0qfan5j91g5 *CLIENT_SECRET* = 1n#####################6g8j4s7 #You can provide following details to filter the alerts based on rule name and time interval [Alerts] GetAlertsFromDays = 90 AlertProfileRuleName=MalwareDetection
-
Create a file as ScwpGetAlertsStatus.status with the following code. This is an intermediate file that is used while fetching alerts. Data stored in this file will be used to optimize the interval for which alerts are fetched.
#ScwpGetAlertsStatus.status [ScwpGetAlertsDates] startdate =
-
Create a python script as ScwpGetAlerts.py with the following code. Run the python script to fetch alerts based on the above configuration parameters.
#ScwpGetAlerts.py #!/usr/bin/env python # # Copyright 2017 Symantec Corporation. All rights reserved. # import json import requests import ConfigParser import os from datetime import datetime, timedelta import time import sys CUSTOMER_ID = 'CUSTOMER_ID' DOMAIN_ID = 'DOMAIN_ID' CLIENT_ID = 'CLIENT_ID' CLIENT_SECRET = 'CLIENT_SECRET' PAGE_SIZE = 100 RETRY_COUNT = 3 CONFIG_INI = os.path.join('./', 'ScwpGetAlertsConfig.ini') STATUS_INI = os.path.join('./', 'ScwpGetAlertsStatus.status') STATUS_DATES_SECTION = 'ScwpGetAlertsDates' CONFIG_CREDS_SECTION = 'Credentials' CONFIG_ALERTS_SECTION = 'Alerts' START_DATE = 'startDate' ALERT_TYPE_FILTER = 'AlertTypeFilter' GET_ALERTS_FROM_DAYS = 'GetAlertsFromDays' SEARCH_FILTER= 'SearchFilter' ALERT_PROFILE_RULE='AlertProfileRuleName' scwpAuthUrl = 'https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/oauth/tokens' getScwpAlertsUrl = 'https://scwp.securitycloud.symantec.com/dcs-service/sccs/v1/events/search' authHeaders = {'Content-type':'application/json'} authRequest = {} alertDatetime = '' getScwpAlertsRequest = {'eventTypeToQuery':16,'pageSize':PAGE_SIZE, 'searchFilter':{}} def updateStatusIniFile(): config = ConfigParser.RawConfigParser() config.add_section(STATUS_DATES_SECTION) config.set(STATUS_DATES_SECTION, START_DATE, alertDatetime) with open(STATUS_INI, 'wb') as configfile: config.write(configfile) def authenticate(): for retry in range(RETRY_COUNT): authRequestJson = json.dumps(authRequest) authResponse = requests.post(scwpAuthUrl, data=authRequestJson, headers=authHeaders) if authResponse.status_code != requests.codes.ok: if retry >= RETRY_COUNT: authResponse.raise_for_status() time.sleep(retry * 60) continue else: break accessToken = authResponse.json()['access_token'] authHeaders['Authorization'] = 'Bearer ' + accessToken try: Config = ConfigParser.SafeConfigParser() Config.read(CONFIG_INI) customerId = Config.get(CONFIG_CREDS_SECTION, CUSTOMER_ID) domainId = Config.get(CONFIG_CREDS_SECTION, DOMAIN_ID) clientId = Config.get(CONFIG_CREDS_SECTION, CLIENT_ID) clientSecret = Config.get(CONFIG_CREDS_SECTION, CLIENT_SECRET) alertProfileRuleName = Config.get(CONFIG_ALERTS_SECTION, ALERT_PROFILE_RULE) authHeaders['x-epmp-customer-id'] = customerId authHeaders['x-epmp-domain-id'] = domainId authRequest['client_id'] = clientId authRequest['client_secret'] = clientSecret statusIni = ConfigParser.SafeConfigParser() statusIni.read(STATUS_INI) startDate = statusIni.get(STATUS_DATES_SECTION, START_DATE) getAlertsFromDays = Config.getint(CONFIG_ALERTS_SECTION, GET_ALERTS_FROM_DAYS) if (startDate is None) or (startDate == ""): startDate = (datetime.today() - timedelta(days=getAlertsFromDays)).isoformat() else: if startDate.endswith('Z'): startDate = (datetime.strptime(startDate, '%Y-%m-%dT%H:%M:%S.%fZ') + timedelta(milliseconds=1)).isoformat() else: startDate = (datetime.strptime(startDate, '%Y-%m-%dT%H:%M:%S.%f') + timedelta(milliseconds=1)).isoformat() alertTypeFilter = '(rule_name like \"' + alertProfileRuleName + '\") && (type_id = 16 && events.type_class is_not null)' getScwpAlertsRequest['startDate'] = startDate getScwpAlertsRequest['endDate'] = datetime.now().isoformat() getScwpAlertsRequest['additionalFilters'] = alertTypeFilter alertDatetime = startDate pageNumber = 0 while True: getScwpAlertsRequest['pageNumber'] = pageNumber getScwpAlertsRequestJson = json.dumps(getScwpAlertsRequest) scwpAlertsResponse = requests.post(getScwpAlertsUrl, data=getScwpAlertsRequestJson, headers=authHeaders) if scwpAlertsResponse.status_code == 401: authenticate() scwpAlertsResponse = requests.post(getScwpAlertsUrl, data=getScwpAlertsRequestJson, headers=authHeaders) if scwpAlertsResponse.status_code != requests.codes.ok: scwpAlertsResponse.raise_for_status() scwpAlertsJson = scwpAlertsResponse.json() scwpAlerts = scwpAlertsJson totalScwpAlerts = len(scwpAlertsJson) if totalScwpAlerts == 0: break for scwpAlert in scwpAlerts: print(json.dumps(scwpAlert)) print('\n') sys.stdout.flush() alertDatetime = scwpAlert['time'] pageNumber += 1 except: raise finally: updateStatusIniFile()
2.2. Applying policy group on instances
If any instance has the agent installed, but does not have any policy group, apply the default policy group that has the best ranking.
To apply a policy group on an instance, you will need ID of that policy group. You can fetch policy group details using the Get policy group basic details service.
You can then apply the required policy group using the Apply policy group on an instance service.
Procedure
Perform the following steps to apply a policy group on an instance.
Step |
Task |
Step 1 |
Establish a connection using authorization service and get authorization token. |
Step 2 |
You can use the Get policy group basic details service to fetch the details of available policy groups. This is an optional step. Perform this step only if you do not have the ID of the policy group. The following is a sample response from the Get policy group basic details service. You can use the "id" field of the policy group that you want to apply. linespecific
{
"count": 1,
"results": [
{
"number_of_policies": 0,
"number_of_instances": 0,
"associated_policies": [
{
"name": "Apache Policy", "revision": 0,
"id": "DlVi8gm-TwS-09sn7hl8Dg",
"uri": "/v1/mdr/policies/DlVi8gm-TwS-09sn7hl8Dg",
"platform": "unix",
"version": { "major_ver": 1, "minor_ver": 0,
"serial": "0"},
"is_template": false,"template_type": "cwp",
"capabilities": "ips,ids", "is_latest": false,
"obj_classes": ["policy","dcs_policy"]
}
],
"name": "Apache-tomcat-Protection",
"description": "", "mode": "PRODUCTION",
*"id": "wf1HCzT3S3KWwOJjml8oOA"*,
"policy_rules": [], "upgradable": false,
"enabled_capabilities": ["ids"]
}
]
}
|
Step 3 |
You can use Fetch assets service to fetch the details of available instances. This is an optional step. Perform this step only if you do not have the ID of the instance on which you want to apply the policy group. The following is a sample response from th e Fetch assets service. You can use "id" field of instance. linespecific
[{
*"id": "--7OJt6ZSBSc-qGh1YgSGw"*,
"name": "Instance_large_1",
"policy_applied": "NOTAPPLIED",
"ip_addresses": [],
"instance_id": "i-0c99e1cf12345ce11",
"cloud_platform": "AWS",
"instance_state": "Running",
"instance_type": "r4.8xlarge",
"availability_zone": "<zone-id>",
"machine_image_id": "ami-f23967e5",
"public_dns": "",
"private_dns": "ip-address.ec2.internal",
"private_ips": ["<ip_address>"],"elastic_ips": [],
"subnet_id": "<subnet-id>",
"attachment_ids": [],
"association_ids": [],
"launch_time": "2017-09-22T01:28:00.000Z",
"vpc_id": "<vpc-id>",
"auto_scaling_group_name": "AG-1",
"firewall_groups": ["FG-1"],
"region": "us-east-1", "updated": false,
"deleted": false, "agent_installed": "Not_Installed",
"created": "2017-10-25T14:00:54.991Z",
"modified": "2017-10-25T14:07:40.010Z",
"shutdown_behavior": "stop","reconciled": true,
"obj_classes": ["device","dcs_device"],
"platform": ""
}]
|
Step 4 |
You can now apply a given policy group by using the Apply policy group on an instance service. For example, the following request URL applies the policy group (ID = wf1HCzT3S3KWwOJjml8oOA) to the instance (ID = --7OJt6ZSBSc-qGh1YgSGw): linespecifichttps://scwp.securitycloud.symantec.com/dcscloud/v1/policy/assets /*--7OJt6ZSBSc-qGh1YgSGw*/policy_groups*/wf1HCzT3S3KWwOJjml8oOA* |
Example
The following example shows how you can apply a policy group on an instance.
Request URL |
https://scwp.securitycloud.symantec.com/dcscloud/v1/policy/assets /--7OJt6ZSBSc-qGh1YgSGw/policy_groups/wf1HCzT3S3KWwOJjml8oOA |
Request Method |
PUT |
Request Headers |
content-type: application/json Authorization: <token-type> <access-token> x-epmp-customer-id: <customer-id> x-epmp-domain-id: <domain-id> |
Response |
HTTP status code: 200 |
2.3. Running an Anti-Malware scan and quarantining the infected files
You can use the Cloud Workload Protection Anti-Malware scan service to scan the instances and quarantine all the infected files. You can either run an on-demand scan or schedule a scan. The following example explains how you can run the on-demand scan on multiple, specific instances and quarantine any infected files.
Procedure
Perform the following steps to run an on-demand Anti-Malware scan on specific instances.
Step |
Task |
Step 1 |
Establish a connection by using authorization service and get authorization token. |
Step 2 |
Specify the instances IDs and scan type. The following example shows how you can start an on-demand Anti-Malware scan on the specified instance: v124521404linespecific
{
"instanceIds": ["i-09331f4788a6d0051"],
"recurringJobDetails": {
"recurringJobType": *"MANUAL"*
}
}
The following example shows how you can schedule an Anti-Malware scan on multiple instances. The scan is scheduled to run at 01:00 hours everyday for the duration specified in startTime and endTime. v124521406linespecific
{
"instanceIds": [
"i-09331f4788a6d0051",
"i-09331f4788a6d0052"
],
" recurringJobDetails": {
"recurringJobType": *"DAILY"*,
"hour": 1,
"minute": 0,
"second": 0,
*"startTime": "2017-09-07 00:00:00"*,
*"endTime": "2017-09-30 23:59:00"*
}
}
The fields and the scheduling options are explained in the following topic: |
Example
The following is an end-to-end example of how you can start an on-demand Anti-Malware scan on a specific instance.
Request URL |
https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/agents/av/scan |
Request Method |
POST |
Request Headers |
content-type: application/json Authorization: <token-type> <access-token> x-epmp-customer-id: <customer-id> x-epmp-domain-id: <domain-id> |
Request Body |
{
"instanceIds": [
"i-09331f4788a6d0051"
],
" recurringJobDetails": {
"recurringJobType": "MANUAL"
}
}
|
Response |
HTTP status code: 200 |
3. Cloud Workload Protection for Storage Public API
3.1. Fetch buckets service
API for getting a list of all AWS S3 buckets in the cloud infrastructure.
3.1.1. Overview
This service lets you get a list of all available AWS S3 buckets deployed in the cloud infrastructure. The service also gets a list of the bucket attributes that Symantec Cloud Workload Protection supports.
3.1.2. URL
https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/ui/storageassets
3.1.3. Request Method
POST
3.1.4. Request Header
content-type: application/json Authorization: <token-type> <access-token> x-epmp-customer-id: <customer-id> x-epmp-domain-id: <domain-id>
3.1.5. Request Body
{"fields":"name,cloud_platform,region,cloud_account,account_id,storage_notification_config,storage_created_date,props,bridge_id","limit":10,"offset":0,"include_count":true,"include":"","sort":"-created","where":"","search":""}
3.1.6. Fields description
Parameter |
Description |
name |
Name of the S3 bucket. |
cloud_platform |
Cloud platform of the S3 bucket. |
region |
Region of the S3 bucket. |
cloud_account |
Owner name and owner ID for the S3 bucket. |
account_id |
AWS account ID to which S3 bucket belongs to. |
storage_notification_config |
Events details about the events configured for the S3 bucket in AWS. |
storage_created_date |
The date Cloud Workload Protection for Storage discovered S3 bucket. |
props |
Raw values for protection status for S3 bucket - Scheduled or NRTS). |
protection_status |
Protection status of the S3 bucket computed by Cloud Workload Protection for Storage - Unprotected, Protected, or Bridge Not Configured. |
scan_configured |
S3 Bucket scan configuration status - Scheduled, NRTS, None, or Both) |
bridge_id |
Indicates which Cloud Workload Protection bridge/controller is configured. |
limit |
Limit number of records to be fetched. |
offset |
Fetch next set of records. |
Response Header
content-type: application/json
Response Data - Example
{
"results": [{
"id": "ZtmmK5ZMRvO-itu8sGOLqw",
"name": "spe-marketplace",
"cloud_platform": "AWS",
"cloud_account": {
"owner_name": "DL-xxx-AWS-xxx-xxxV",
"owner_id": "eec1xxxxxxcxxxbe34f668xxxc6e4b5afxxx41c91cf1f"
},
"account_id": "08xxxxxxxxx8",
"region": "us-east-1",
"region_name": "US East (N. Virginia)",
"storage_created_date": "2017-11-13T14:08:10.187Z",
"storage_notification_config": [{
"name": "d95d9056-9b76-4284-a38c-c7f4e130b751",
"events_configured": ["s3:ObjectCreated:*"],
"send_to": "SNS",
"send_to_value": "arn:aws:sns:us-east-1:08xxxxxxxxx8:CWPForStorage_OnAccessSNS"
}],
"deleted": false,
"bridge_id": "g0JELQsSREWBksXTzo6Evw",
"props": {
"ScanConfigured": false,
"NotificationConfigured": false,
"arn:aws:sns:us-east-1:08xxxxxxxxx8:
CWPForStorage_OnAccessSNS": ["arn:aws:sqs:us-east-1:08xxxxxxxxx8:CWPForStorage_OnAccessSNS"]
},
"protection_status": "Unprotected",
"scan_configured": "NONE",
"is_cloudtrail_event": false,
"created": "2017-11-13T14:08:10.187Z"
}.........],
"count": 150 //Total buckets present in the system.
}
3.1.7. Supported Operators
=! = < <= > >= In, not_in, and like
3.1.8. Response Codes
Code |
Description |
200 |
Successful operation. |
400 |
Invalid operation. The body of the response contains information about the error. |
401 |
Authentication required. Make sure that you use a correct account ID and security token. |
500 |
Server error. Please try again later, and if the problem persists, contact Symantec Support. |
3.1.9. Examples - Filtering the results by passing filter condition to the API
To fetch the protected S3 buckets:
Request body:
"where":"((((props.ScanConfigured=true)or(props.NotificationConfigured=true))and(bridge_id!='')))"
To fetch the S3 buckets that have both scheduled and near real-time scan configured:
Request body:
"where":"(((props.ScanConfigured=true)and(props.NotificationConfigured=true)))"
To fetch the S3 buckets for last 7 days:
Request body:
"where":"(created>='2017-11-08T05:55:29.603Z')"
3.2. Apply storage policy on Controller Unit
3.2.1. Overview
Service to apply a storage Antimalware policy on one or multiple Controller Units.
You must obtain an authorization token to use this service: Token-based authentication
3.2.2. URL
https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/policy/apply/{policy_name}/controllers
3.2.3. Request Method
PUT
3.2.4. Request Header
content-type: application/json
Authorization: <token-type> <access-token>
x-epmp-customer-id: <customer-id>
x-epmp-domain-id: <domain-id>
3.2.5. Request Body
["instance_id-1","instance_id-2"]
3.2.6. Request Parameters
instance_id |
Specify the Controllers instance IDs where you want to apply the policy. You can see the instance IDs on the Controllers page of the Cloud Workload Protection console. The policy name must be specified in the request URL. |
3.2.7. Response Codes
Code |
Description |
200 |
Successful operation. |
400 |
Bad request The body of the response contains information about the error. |
401 |
Authentication required. The token is either invalid or expired. |
403 |
Forbidden The request was valid and the credentials were successfully authenticated. However, the credentials do not grant permission to access the resource. |
404 |
URL is incorrect. |
405 |
The request method is incorrect. |
500 |
Internal server error if the Symantec service attending to the API calls is down. |
Example: Request body:
["i-01033bd4f26301f22","vm493132851e"]