Symantec™ Cloud Workload Protection

1. Cloud Workload Protection Public API

1.1. Token-based authentication service

API to generate an authentication token to be used for subsequent API calls.

1.1.1. Overview

To retrieve data from Cloud Workload Protection, you must generate a token by using the system credentials. Use the token for subsequent API calls.

Note

The authentication token is valid for 60 minutes only.

1.1.2. URL

https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/oauth/tokens

1.1.3. Request Method

POST

1.1.4. Request Header

content-type: application/json
x-epmp-customer-id: <customer-id>
x-epmp-domain-id: <domain-id>

1.1.5. Request Body

{"client_id":"<client id from portal>","client_secret": "<client secret key>"}

1.1.6. Request Parameters

  • Customer ID - A unique identifier of the customer. Sent in the header x-epmp-customer-id.
  • Domain ID - Identifies the relevant domain for the customer. Sent in the header x-epmp-domain-id.
  • Client ID - The client ID used in the API call to obtain the token. Sent in the body field client_id.
  • Client Secret Key - The secret key that the customer must share and store securely. Sent in the body field client_secret. Customers can renew the client secret key on the product portal.

To obtain the above parameters, log on to the Cloud Workload Protection portal, go to Settings > API Keys, and enable the API Keys.

1.1.7. Response Header

content-type: application/json

1.1.8. Response Data

{"access_token": "<valid token>","expires_in":3600,
"token_type":"Bearer", "x-epmp-customer-id": "<customer-id>",
"x-epmp-domain-id": "<domain-id>"}

1.1.9. Response Codes

  • 200 / 202 - Successful operation.
  • 400 - Bad request. The request body is incorrect.
  • 401 - Unauthorized access. The token is either invalid or expired.
  • 403 - Forbidden. The request was valid and the credentials were authenticated successfully, but they do not grant permission to access the resource.
  • 404 - The URL is incorrect.
  • 429 - Too many requests.
  • 500 - Internal server error; returned when the Symantec service attending to the API calls is down.
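The token exchange described above, as an added example that is not part of the reference or of Symantec's sample scripts: the request is built exactly as documented, the response is turned into the Authorization header value that every later call needs, and the 60-minute lifetime is tracked so the token can be refreshed before it expires. The sample response values and the environment variable names are placeholders chosen for this example.

```python
import json
import os
import time
import urllib.request

# Endpoint and header names are taken from the API reference above.
TOKEN_URL = "https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/oauth/tokens"
TOKEN_LIFETIME_SECONDS = 3600  # the reference states the token is valid for 60 minutes


def token_request(customer_id, domain_id, client_id, client_secret):
    """Build the headers and JSON body of the token request exactly as documented."""
    headers = {
        "content-type": "application/json",
        "x-epmp-customer-id": customer_id,
        "x-epmp-domain-id": domain_id,
    }
    body = json.dumps({"client_id": client_id, "client_secret": client_secret})
    return headers, body


def parse_token_response(raw, now):
    """Turn the documented response JSON into (authorization_value, expiry_epoch).

    The Authorization value is "<token_type> <access_token>", e.g. "Bearer ...",
    which is what the header of every subsequent call expects. The expiry is
    derived from expires_in so the caller knows when to request a new token.
    """
    data = json.loads(raw)
    auth = "%s %s" % (data["token_type"], data["access_token"])
    return auth, now + int(data.get("expires_in", TOKEN_LIFETIME_SECONDS))


def needs_refresh(expiry_epoch, now, skew=60):
    """True when the token has expired or will expire within `skew` seconds."""
    return now >= expiry_epoch - skew


def api_headers(auth_value, customer_id, domain_id):
    """Headers shared by the assets, events and Anti-Malware scan services."""
    return {
        "content-type": "application/json",
        "Authorization": auth_value,
        "x-epmp-customer-id": customer_id,
        "x-epmp-domain-id": domain_id,
    }


def fetch_token(customer_id, domain_id, client_id, client_secret, opener=urllib.request.urlopen):
    """Perform the live POST. `opener` is injectable so the call can be faked offline."""
    headers, body = token_request(customer_id, domain_id, client_id, client_secret)
    req = urllib.request.Request(TOKEN_URL, data=body.encode(), headers=headers, method="POST")
    with opener(req, timeout=30) as resp:
        return parse_token_response(resp.read().decode(), time.time())


# Constructed sample response: the placeholders of the reference filled with dummy values.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "EXAMPLE_TOKEN_VALUE",
    "expires_in": 3600,
    "token_type": "Bearer",
    "x-epmp-customer-id": "CUSTOMER-ID-PLACEHOLDER",
    "x-epmp-domain-id": "DOMAIN-ID-PLACEHOLDER",
})

if __name__ == "__main__":
    # Tenant identifiers and secrets come from the environment, never from source control.
    cid = os.environ.get("CWP_CUSTOMER_ID", "CUSTOMER-ID-PLACEHOLDER")
    did = os.environ.get("CWP_DOMAIN_ID", "DOMAIN-ID-PLACEHOLDER")
    auth, expiry = parse_token_response(SAMPLE_RESPONSE, now=1_000_000)
    print(api_headers(auth, cid, did))
    print("refresh needed at t=1003540:", needs_refresh(expiry, 1_003_540))
```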

1.2. Fetch assets service

API for getting a list of all instances in the cloud infrastructure.

1.2.1. Overview

This service lets you get a list of all available instances deployed in the cloud infrastructure. It also gets a list of the instance attributes that the system supports.

1.2.2. URL

https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/ui/assets

1.2.3. Request Method

POST

1.2.4. Request Header

content-type: application/json
Authorization: <token-type> <access-token>
x-epmp-customer-id: <customer-id>
x-epmp-domain-id: <domain-id>

1.2.5. Request Body

{"limit":<number>,"offset":<number>,"where":"","include":""}

1.2.6. Request Parameters

  • limit - The number of records to display on one page. The maximum value is 1000. Example: "limit":10
  • offset - The number of pages to skip in the result. An offset of 0 denotes the first page; an offset of 2 starts the result from the third page. Example: "offset":0
  • where - Adds conditions based on instance attributes, combined with logical and relational operators. Example: where=(region='us_west_1')or(region='us_west_2')
  • include - Includes the specified information in the result. Example: "include":"installed_products" returns all the installed products on the instances.

Filter Criteria

The following filters can be used in the where attribute:

  • Recommendations - instances that have a policy recommendation generated or a policy recommendation to be reapplied.
    where=(included_dcs_device_states.policyRecommendationState in ['Generated','Reapply'])

  • Platform - instances running Linux or Windows.
    where=(platform in ['Linux','Windows'])

  • Instance state - instances in the Running or Stopped state.
    where=(instance_state in ['Running','Stopped'])

  • Policy status - instances by the status of the policy application.
    where=(policy_applied in ['pending','failed','intermediate','completed','NOTAPPLIED'])

  • Agent status - instances by the status of the agent.
    where=(agent_installed in ['Not_Installed','Installed','Initializing','Installed_Reboot_Required','Uninstalled'])

  • Source - instances by the cloud platform they come from.
    where=(cloud_platform in ['Private','Azure','AWS'])

  • Discovery - instances by the status of the software service discovery.
    where=(adr_state in ['Failed','In Progress','Succeeded'])

  • Instance - instances with a policy group, without a policy group, or without an agent, respectively:
    where=(policy_applied='completed')
    where=(policy_applied!='completed')
    where=(agent_installed!='Installed')

  • Discovered on - instances created before the current time. The options available are 8 hours, 1 day, 7 days, and 30 days prior to the current date; you can also specify a range, as the examples show.

    Note: You must specify the value in the date and time format yyyy-MM-ddTHH:mm:ss.SSSZ.

    If the date today is the 16th of February 2016, this example gets the instances created in the 30 days prior to the current date:
    where=(created>='2017-01-16T05:26:22.232Z')

Response Header

content-type: application/json

Response Data - Example

HTTP/1.1 200 OK
{
    "id": "3cKGgHxxxxxxxxxxbeWl1A",
    "name": "AzureRHELTest",
    "policy_applied": "NOTAPPLIED",
    "host": "AzureRHELTest",
    "mac_address": "00-0D-xx-xx-xx-12",
    "ip_addresses": [
      "1xx.xx.2xx.1xx"
    ],
    "fqdn": "AzureRHELTest",
    "instance_id": "cxxxxx3-fxx-4axx-axx-5xxxxec9xxx7",
    "cloud_platform": "Azure",
    "instance_state": "Running",
    "instance_type": "Standard_Dxx_xx",
    "subscription_id": "exxxxxxf-dxx7-xxxd-9xxx-3xxxxc7xxxx4",
    "subscription_name": "Visual Studio Enterprise",
    "resource_group_name": "Default",
    "vm_type": "Microsoft.Compute/virtualMachines",
    "machine_image_id": "https://xxxxxxxxxxskvmssxzisa.blob.core.windows.net/vhds/AzureRHELTestxxxxxxxxxx.vhd",
    "public_dns": "",
    "private_ips": [
      "1x.x.x.x"
    ],
    "subnet_id": "/subscriptions/xxxxxxxx-dxxx-4xxx-9xxx-34xxxxxxxx4/resourceGroups/testCloudVM/providers/Microsoft.Network/virtualNetworks/MyVNET/subnets/Subnet",
    "firewall_groups": [
      "RS-RHEL72"
    ],
    "region": "southeastasia",
    "updated": false,
    "deleted": false,
    "agent_installed": "Not_Installed",
    "created": "2016-07-26T05:04:38.105Z",
    "modified": "2016-07-26T05:12:02.349Z",
    "reconciled": true,
    "obj_classes": [
      "device",
      "dcs_device"
    ],
    "platform": "Linux"
}

1.2.7. Supported Operators

=, !=, <, <=, >, >=, in, not_in, and like

1.2.8. Response Codes

  • 200 - Successful operation.
  • 400 - Invalid operation. The body of the response contains information about the error.
  • 401 - Authentication required. Make sure that you use a correct account ID and security token.
  • 500 - Server error. Try again later; if the problem persists, contact Symantec Support.

1.2.9. Examples

Get a list of all instances created within a specific period

https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/ui/assets?
fields=name,instance_id,created&where=(created>='<yyyy-MM-ddTHH:mm:ss.SSSZ>')
and(created<='<yyyy-MM-ddTHH:mm:ss.SSSZ>')

For example:

https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/ui/assets?
fields=name,instance_id,created&where=(created>='2017-02-13T18:30:00.891Z')and
(created<='2017-02-15T18:29:59.891Z')

Search for an instance ID

https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/ui/assets?
fields=name,instance_id,modified&where=
(instance_id in ['<instance_name_1>','<instance_name_2>'])

For example:

https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/ui/assets?
fields=name,instance_id,modified&where=(instance_id in
['i-01033bd4f26301f22','vm493132851e'])

Get all instances that belong to the VPC ID 'vpc-b920bbdd'

https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/ui/assets?
where=(vpc_id='<vpc id>')

For example:

https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/ui/assets?
where=(vpc_id='vpc-b920bbdd')

Get instances discovered in the last 7 days that belong to the Azure platform and have neither a policy group applied nor an agent installed

https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/ui/assets?
fields=name,instance_id,modified&where=((policy_applied in ['<policy_state>'])and
(agent_installed in ['<agent_state>'])and(cloud_platform in ['<platform>'])
and(created>='<yyyy-MM-ddTHH:mm:ss.SSSZ>'))

For example:

https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/ui/assets?
fields=name,instance_id,modified&where= ((policy_applied in ['NOTAPPLIED'])and
(agent_installed in ['Not_Installed'])and(cloud_platform in ['Azure'])and
(created>='2017-02-08T04:43:56.634Z'))

1.2.10. Sample Script

Try the sample Python script from our GitHub location.

Use the script cwpasset.py to get a list of the instances along with information such as agent version, installation application, LiveUpdate version and so on.

The script cwpasset_paged.py provides the same information one page at a time. Use this script if you have more than 1000 instances in your environment.
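The where grammar and the limit/offset paging described above, as an added example that is not Symantec's cwpasset.py or cwpasset_paged.py: helpers that build filter clauses in the documented form (including the 'Discovered on' timestamp) and a generator that walks the result one page at a time until a short page arrives. The quote-doubling in quote(), the injected post callable, and the assumption that the service returns a JSON array of instances per page are this example's, not the reference's.

```python
from datetime import datetime, timedelta, timezone

# Endpoint from the reference; the body carries limit, offset, where and include.
ASSETS_URL = "https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/ui/assets"
MAX_LIMIT = 1000  # documented upper bound for "limit"


def quote(value):
    """Quote a literal for the where clause, doubling embedded single quotes.

    The reference shows literals in single quotes; doubling an embedded quote is an
    assumption of this example so that a caller-supplied value cannot close the
    literal early and change the meaning of the filter.
    """
    return "'" + str(value).replace("'", "''") + "'"


def in_clause(attribute, values):
    """(attribute in ['v1','v2']), the form every filter in the reference uses."""
    return "(%s in [%s])" % (attribute, ",".join(quote(v) for v in values))


def created_since(now, **delta):
    """(created>='yyyy-MM-ddTHH:mm:ss.SSSZ') for the 'Discovered on' filter.

    The reference requires exactly that timestamp format, so milliseconds are kept
    and a literal Z is appended after converting to UTC.
    """
    since = (now - timedelta(**delta)).astimezone(timezone.utc)
    stamp = since.strftime("%Y-%m-%dT%H:%M:%S.") + "%03dZ" % (since.microsecond // 1000)
    return "(created>=%s)" % quote(stamp)


def and_where(*clauses):
    """Join clauses with the 'and' operator, skipping empty ones."""
    return "and".join(c for c in clauses if c)


def assets_body(where, limit=MAX_LIMIT, offset=0, include=""):
    """Request body for one page; a limit outside 1..1000 is rejected rather than sent."""
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError("limit must be between 1 and %d" % MAX_LIMIT)
    return {"limit": limit, "offset": offset, "where": where, "include": include}


def iter_assets(post, where, limit=MAX_LIMIT, include=""):
    """Yield every matching instance, advancing offset one page at a time.

    `post` is any callable taking the body dict and returning the page as a list of
    instance objects (this example assumes the service returns a JSON array per page);
    injecting it keeps the paging logic testable offline. Paging stops at the first
    short page, which is how more than 1000 instances are collected.
    """
    offset = 0
    while True:
        page = post(assets_body(where, limit, offset, include))
        yield from page
        if len(page) < limit:
            return
        offset += 1


def unprotected_azure_since(now, days=7):
    """The 'Azure, no policy group, no agent, discovered in the last N days' query."""
    return and_where(
        in_clause("policy_applied", ["NOTAPPLIED"]),
        in_clause("agent_installed", ["Not_Installed"]),
        in_clause("cloud_platform", ["Azure"]),
        created_since(now, days=days),
    )


# Constructed sample data standing in for the service (field names from the response example).
SAMPLE_NOW = datetime(2017, 2, 15, 4, 43, 56, 634000, tzinfo=timezone.utc)
SAMPLE_PAGES = [
    [{"name": "vm-a", "instance_id": "i-0000000000000000a", "agent_installed": "Not_Installed"},
     {"name": "vm-b", "instance_id": "i-0000000000000000b", "agent_installed": "Not_Installed"}],
    [{"name": "vm-c", "instance_id": "i-0000000000000000c", "agent_installed": "Not_Installed"}],
]


def fake_post(body):
    """Return the page selected by body['offset'], or an empty page past the end."""
    return SAMPLE_PAGES[body["offset"]] if body["offset"] < len(SAMPLE_PAGES) else []


if __name__ == "__main__":
    where = unprotected_azure_since(SAMPLE_NOW)
    print(where)
    print([a["name"] for a in iter_assets(fake_post, where, limit=2)])
```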

1.3. Events service

API to retrieve the events that are generated.

1.3.1. Overview

This service lets you query the events that are generated on the instances that the system monitors. You can use the event information for external data integration, for example to consume the events in a custom triaging or ticketing solution.

1.3.2. URL

https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/event/query

1.3.3. Request Method

POST

1.3.4. Request Header

content-type: application/json
Authorization: <token-type> <access-token>
x-epmp-customer-id: <customer-id>
x-epmp-domain-id: <domain-id>

1.3.5. Request Body

{
  "pageSize":<Integer size of records per page, for example 8>,
  "pageNumber":<Integer indicating the number of page, for example 2>,
  "productName":"Either CWP or CWP-S",
  "startDate":"<Start date with time. For example, 2016-07-18T18:30:00.000Z>",
  "endDate":"<End date with time. For example, 2016-07-28T18:29:59.999Z>",
  "displayLabels":false,
  "searchFilter":{"searchQuery":"<any part of the message of an event for example, conf>"},
  "additionalFilters":"(<add additional filter as required>)"
}

1.3.6. Request Parameters

eventSeverities

  Values: 1, 2, 3, 4, 5, 6

  Example: "eventSeverities":[4,5]

  The result includes events of the queried severities. The values and their corresponding severities are:

  • 1 = Information
  • 2 = Notice
  • 3 = Warning
  • 4 = Major
  • 5 = Critical
  • 6 = Error

  Note: This attribute is optional.

eventCategories

  Values: 1, 2, 3, 4, 5

  Example: "eventCategories":[4,3]

  The result includes events of the queried categories. The values and their corresponding categories are:

  • 1 = Security
  • 2 = Licensing
  • 3 = System
  • 4 = Audit
  • 5 = Policy

  Note: This attribute is optional.

type_class

  Values for Cloud Workload Protection: IDS, IPS, AmazonCloudTrail, MGMT, MONITORING, AntiMalware, AUDIT

  Values for CWP for Storage: ANTIMALWARE, SCAN_STATUS, PERMISSION_ASSESSMENT, DLP_VIOLATION, AUDIT

  Values for Symantec Protection Engine 8.0: ANTIMALWARE, SCAN_STATUS, APPLICATION_LIFECYCLE, LICENSE_EXPIRY, LIVE_UPDATE, HEALTH_STATUS, APPLICATION_LOG, COMMAND_ACTIVITY, AUDIT

  Example (as a condition inside additionalFilters): (type_class IN [\"IPS\",\"AmazonCloudTrail\"])

  The result includes events of the queried types. The values and their corresponding event types are:

  • IDS = Intrusion detection events.
  • IPS = Intrusion prevention events.
  • AmazonCloudTrail = AWS CloudTrail events.
  • MGMT = Management events.
  • MONITORING = Monitoring events.
  • AntiMalware = Anti-Malware events.
  • AUDIT = Generated for various user actions.
  • SCAN_STATUS = Detection events generated by CWP for Storage as a result of AWS S3 bucket scans.
  • ANTIMALWARE = Anti-Malware events generated by CWP for Storage as a result of the AWS S3 bucket near real-time scan.
  • PERMISSION_ASSESSMENT = Permission assessment events generated by CWP for Storage when it detects S3 buckets or objects with public access.
  • DLP_VIOLATION = DLP violation events generated if you have both CWP for Storage and Symantec Data Loss Prevention subscriptions.
  • APPLICATION_LIFECYCLE = Generated to indicate that the application has started, requires a manual shutdown, and so on.
  • LICENSE_EXPIRY = Generated when the user's license expires.
  • LIVE_UPDATE = Generated every time the antivirus definitions are downloaded or updated through LiveUpdate.
  • HEALTH_STATUS = The status of the scanners.
  • APPLICATION_LOG = Generated for applications to derive their logging statistics.
  • COMMAND_ACTIVITY = Generated whenever a command is executed in Symantec Protection Engine.

  Note: CWP for Storage, Symantec Data Loss Prevention, and Symantec Protection Engine require additional subscriptions.

searchFilter

  The searchFilter object has an attribute called "searchQuery". For events, searchQuery should contain any part of the message of an event, for example conf. For alerts, searchQuery should contain any part of an alert title, for example Instance Stopped.

  Example: "searchFilter":{"searchQuery":"confidentialfile.data"}

  The result includes the events that match the queried string.

  Note: This attribute is optional.

additionalFilters

  additionalFilters is a string attribute that contains logical conditions. Fields that can be used in the conditions include:

  • Policy group: policy_group_name
  • Policy Name: policy_name
  • Instance Name: source_asset.source_name

  Examples:

  "additionalFilters":"(policy_group_name match \".?pg.?\") && (type_class IN [\"IPS\",\"AmazonCloudTrail\"])"
  "additionalFilters":"(source_asset.source_name match \".?i.?\") && (type_class IN [\"IPS\",\"AmazonCloudTrail\"])"
  "additionalFilters":"(policy_name match \".?name.?\") && (type_class IN [\"IPS\",\"AmazonCloudTrail\"])"

  Note: This attribute is optional.

productName

  Values: CWP, CWP-S, CWP-SPE

  Example: "productName" : "CWP"

  To retrieve Cloud Workload Protection events, enter CWP. For CWP for Storage events, enter CWP-S. For Symantec Protection Engine 8.0 events, enter CWP-SPE. To retrieve all events, omit the parameter from the request body.

  Note: This attribute is optional.

1.3.7. Response Body

{
  "result": [<array of events/alerts>],
  "total": <Integer, count of events/alerts>
}

1.3.8. Response Codes

  • 200 - Successful operation.
  • 400 - Bad request. The request body is incorrect.
  • 401 - Unauthorized access. The token is either invalid or expired.
  • 403 - Forbidden. The request was valid and the credentials were authenticated successfully, but they do not grant permission to access the resource.
  • 404 - The URL is incorrect.
  • 429 - Too many requests.
  • 500 - Internal server error; returned when the Symantec service attending to the API calls is down.

1.3.9. Examples

Get the Anti-Malware events for Cloud Workload Protection

{
   "pageSize": 10,
   "pageNumber": 0,
   "productName" : "CWP",
   "displayLabels": false,
   "order": "DESCENDING",
   "startDate": "2018-01-11T18:30:00.000Z",
   "endDate": "2018-01-19T18:29:59.999Z",
   "searchFilter": {},
   "additionalFilters":"(type_class IN ['AntiMalware'])"
}

Get the Anti-Malware events for CWP for Storage

{
   "pageSize": 10,
   "pageNumber": 0,
   "productName" : "CWP-S",
   "displayLabels": false,
   "order": "DESCENDING",
   "startDate": "2018-01-11T18:30:00.000Z",
   "endDate": "2018-01-23T18:29:59.999Z",
   "searchFilter": {},
   "additionalFilters":"(type_class IN ['ANTIMALWARE'])"
}

Get all events

{
   "pageSize": 10,
   "pageNumber": 0,
   "displayLabels": false,
   "order": "DESCENDING",
   "startDate": "2017-12-09T18:30:00.000Z",
   "endDate": "2018-01-22T18:29:59.999Z",
   "searchFilter": {}
}

Free-text search for UNIX policy

{
  "pageSize": 10,
  "pageNumber": 0,
  "startDate": "2016-11-18T18:30:00.000Z",
  "endDate": "2017-02-17T18:29:59.999Z",
  "displayLabels": false,
  "searchFilter": {
    "searchQuery": "UNIX policy"
  }
}

List only AWS CloudTrail events of Cloud Workload Protection

{
  "pageSize": 10,
  "pageNumber": 0,
  "productName":"CWP",
  "startDate": "2017-02-09T18:30:00.000Z",
  "endDate": "2017-02-17T18:29:59.999Z",
  "displayLabels": false,
  "searchFilter": {
    "searchQuery": ""
  },
  "additionalFilters": "(type_class IN [\"AmazonCloudTrail\"])"
}

Search by using the key:value pair Instance ID:WIN-QMSJRHECBTH_10.211.105.202

{
  "pageSize": 10,
  "pageNumber": 0,
  "productName":"CWP",
  "startDate": "2017-02-09T18:30:00.000Z",
  "endDate": "2017-02-17T18:29:59.999Z",
  "displayLabels": false,
  "searchFilter": {
  "searchQuery": ""
  },
  "additionalFilters": "(source_asset.source_name like \"WIN-QMSJRHECBTH_10.211.105.202\")"
}

List only PCI events, that is, events generated on instances that are tagged as PCI

{
  "pageSize": 10,
  "pageNumber": 0,
  "productName":"CWP",
  "startDate": "2017-02-09T18:30:00.000Z",
  "endDate": "2017-02-17T18:29:59.999Z",
  "displayLabels": false,
  "searchFilter": {},
  "additionalFilters": "(dcs_data.is_pci_event match \".*?true.*?\")"
}

List informational events of type Prevention that have occurred from January 16th through February 15th 2017

{
  "pageSize": 10,
  "pageNumber": 0,
  "productName":"CWP",
  "eventSeverities": [
    1
  ],
  "startDate": "2017-01-15T18:30:00.000Z",
  "endDate": "2017-02-15T18:29:59.999Z",
  "displayLabels": false,
  "searchFilter": {},
  "additionalFilters": "(type_class IN [\"IPS\"])"
}

List Fatal and Major events of type Management, AWS CloudTrail, and Monitoring that have occurred in the last 24 hours on instances with a PCI tag

{
  "pageSize": 10,
  "pageNumber": 0,
  "productName":"CWP",
  "eventSeverities": [
    6,
    4
  ],
  "startDate": "2017-02-14T06:36:28.119Z",
  "endDate": "2017-02-15T06:36:28.119Z",
  "displayLabels": false,
  "searchFilter": {},
  "additionalFilters": "(type_class IN [\"MONITORING\",\"AmazonCloudTrail\",\"MGMT\"]) && (dcs_data.is_pci_event match \".*?true.*?\")"
}

1.3.10. Sample Script

Try the sample Python script from our GitHub location.

Use the script cwpgetevents.py to download the Cloud Workload Protection events.
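The events query described above, as an added example that is not Symantec's cwpgetevents.py: it builds the request body for the "last 24 hours on PCI-tagged instances" example from a clock value, shows why the double quotes inside additionalFilters come out escaped in the serialised JSON, and walks every page using the total field of the response. The injected post callable and the constructed sample service are this example's assumptions.

```python
import json
import math
from datetime import datetime, timedelta, timezone

# Endpoint from the reference; every query is a POST with a JSON body.
EVENTS_URL = "https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/event/query"

# Severity and category codes as documented in the request parameters table.
SEVERITY = {"Information": 1, "Notice": 2, "Warning": 3, "Major": 4, "Critical": 5, "Error": 6}
CATEGORY = {"Security": 1, "Licensing": 2, "System": 3, "Audit": 4, "Policy": 5}


def stamp(dt):
    """Format a datetime as yyyy-MM-ddTHH:mm:ss.SSSZ (UTC), the form the examples use."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + "%03dZ" % (dt.microsecond // 1000)


def type_class_in(*classes):
    """(type_class IN ["IPS","AmazonCloudTrail"]) in the filter grammar.

    The double quotes belong to the filter string itself; json.dumps escapes each of
    them with a backslash when the body is serialised, which is what the reference shows.
    """
    return "(type_class IN [%s])" % ",".join('"%s"' % c for c in classes)


def pci_only():
    """The documented condition for events raised on instances tagged as PCI."""
    return '(dcs_data.is_pci_event match ".*?true.*?")'


def events_query(start, end, page_size=10, page_number=0, product=None,
                 severities=(), categories=(), search="", filters=()):
    """Build the request body; `filters` are joined with && into additionalFilters."""
    if start >= end:
        raise ValueError("startDate must precede endDate")
    body = {
        "pageSize": page_size,
        "pageNumber": page_number,
        "startDate": stamp(start),
        "endDate": stamp(end),
        "displayLabels": False,
        "searchFilter": {"searchQuery": search} if search else {},
    }
    if product:                      # CWP, CWP-S or CWP-SPE; omitted to get all events
        body["productName"] = product
    if severities:
        body["eventSeverities"] = [SEVERITY[s] for s in severities]
    if categories:
        body["eventCategories"] = [CATEGORY[c] for c in categories]
    if filters:
        body["additionalFilters"] = " && ".join(filters)
    return body


def last_24h_pci_ops_events(now):
    """The documented 'Error and Major MGMT, CloudTrail and Monitoring events in the last
    24 hours on PCI-tagged instances' query, derived from the current time."""
    return events_query(now - timedelta(hours=24), now, product="CWP",
                        severities=("Error", "Major"),
                        filters=(type_class_in("MONITORING", "AmazonCloudTrail", "MGMT"), pci_only()))


def page_count(total, page_size):
    """Number of pages implied by the response's `total`; pageNumber starts at 0."""
    return math.ceil(total / page_size) if total > 0 else 0


def collect_all(post, body):
    """Fetch every page of a query. `post(body) -> dict` is injected so this runs offline."""
    first = post(body)
    events = list(first["result"])
    for page in range(1, page_count(first["total"], body["pageSize"])):
        events.extend(post({**body, "pageNumber": page})["result"])
    return events


# Constructed sample service: 23 events handed out 10 per page.
SAMPLE_TOTAL = 23
SAMPLE_EVENTS = [{"id": "evt-%02d" % i, "type_class": "MGMT"} for i in range(SAMPLE_TOTAL)]
SAMPLE_NOW = datetime(2017, 2, 15, 6, 36, 28, 119000, tzinfo=timezone.utc)


def fake_post(body):
    """Slice the constructed events the way a paged service would."""
    start = body["pageNumber"] * body["pageSize"]
    return {"result": SAMPLE_EVENTS[start:start + body["pageSize"]], "total": SAMPLE_TOTAL}


if __name__ == "__main__":
    body = last_24h_pci_ops_events(SAMPLE_NOW)
    print(json.dumps(body, indent=2))   # the quotes inside additionalFilters appear escaped
    print(len(collect_all(fake_post, body)), "events over", page_count(SAMPLE_TOTAL, 10), "pages")
```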

1.4. Alerts service

API to retrieve the alerts that are raised.

1.4.1. Overview

This service lets you query the alerts that are raised as a result of the events. You can use the alert information for external data integration, for example to consume the alerts in a custom triaging or ticketing solution.

1.4.2. URL

https://scwp.securitycloud.symantec.com/dcs-service/sccs/v1/events/search

1.4.3. Request Method

POST

1.4.4. Request Header

content-type: application/json
Authorization: <token-type> <access-token>
x-epmp-customer-id: <customer-id>
x-epmp-domain-id: <domain-id>
x-epmp-product-uid: F979E61C-A412-4A58-8879-B83E25B7327F

1.4.5. Request Body

{
"eventTypeToQuery": 16,
"pageSize": <Integer size of records per page, for example 10>,
"pageNumber": <Integer indicating the number of page, for example 2>,
"startDate": "<Start date with time for example, 2016-07-18T18:30:00.000Z>",
"endDate": "<End date with time for example, 2016-07-28T18:29:59.999Z>",
"searchFilter":{"searchQuery":"<any part of the message of an alert for example, file modified>"},
"additionalFilters":"(type_id = 16 &&  events.type_class is_not null)"
}

Note

The attributes pageSize, pageNumber, startDate, endDate, and eventTypeToQuery (set to 16, for alerts only) are mandatory in the request body.

1.4.6. Request Parameters

alertSeverities

  Values: 1, 2, 3

  Example: "eventSeverities":[1,2]

  The result includes alerts of the queried severities. The values and their corresponding severities are:

  • 1 = Notice
  • 2 = Warning
  • 3 = Critical

  Note: As the example and the request examples below show, the attribute is sent as eventSeverities in the request body.

type_class

  Values: IDS, IPS, AmazonCloudTrail, MGMT, Monitoring, Antimalware, SCAN_STATUS, ANTIMALWARE, PERMISSION_ASSESSMENT

  Example (as a condition inside additionalFilters): (type_class IN [\"IPS\",\"AmazonCloudTrail\"])

  The result includes alerts for events of the queried types. The values and their corresponding event types are:

  • IDS = Intrusion detection events
  • IPS = Intrusion prevention events
  • AmazonCloudTrail = AWS CloudTrail events
  • MGMT = Management events
  • Monitoring = Monitoring events
  • Antimalware = Anti-Malware events raised by Cloud Workload Protection
  • SCAN_STATUS = Detection events generated by CWP for Storage as a result of AWS S3 bucket scans
  • ANTIMALWARE = Anti-Malware events generated by CWP for Storage as a result of the AWS S3 bucket near real-time scan
  • PERMISSION_ASSESSMENT = Permission assessment events generated by CWP for Storage when it detects S3 buckets or objects with public access

  Note: CWP for Storage requires an additional subscription.

searchFilter

  The searchFilter object has an attribute called "searchQuery". For events, searchQuery should contain any part of the message of an event, for example conf. For alerts, searchQuery should contain any part of an alert title, for example Instance Stopped.

  Example: "searchFilter":{"searchQuery":"confidentialfile.data"}

  The result includes the alerts that match the queried string.

  Note: This attribute is optional.

additionalFilters

  additionalFilters is a string attribute that contains logical conditions. Fields that can be used in the conditions include:

  • Policy group: policy_group_name
  • Policy Name: policy_name
  • Instance Name: source_asset.source_name

  Examples:

  "additionalFilters":"(policy_group_name match \".?pg.?\") && (type_class IN [\"IPS\",\"AmazonCloudTrail\"])"
  "additionalFilters":"(source_asset.source_name match \".?i.?\") && (type_class IN [\"IPS\",\"AmazonCloudTrail\"])"
  "additionalFilters":"(policy_name match \".?name.?\") && (type_class IN [\"IPS\",\"AmazonCloudTrail\"])"

  Note: This attribute is optional.

1.4.7. Response Body

    [array of alerts]

1.4.8. Response Codes

  • 200 - Successful operation.
  • 400 - Bad request. The request body is incorrect.
  • 401 - Unauthorized access. The token is either invalid or expired.
  • 403 - Forbidden. The request was valid and the credentials were authenticated successfully, but they do not grant permission to access the resource.
  • 404 - The URL is incorrect.
  • 429 - Too many requests.
  • 500 - Internal server error; returned when the Symantec service attending to the API calls is down.

1.4.9. Examples

List alerts raised for AWS CloudTrail events

{
  "eventTypeToQuery": 16,
  "pageSize": 10,
  "pageNumber": 0,
  "startDate": "2017-02-09T18:30:00.000Z",
  "endDate": "2017-02-17T18:29:59.999Z",
  "searchFilter": {
  "searchQuery": ""
  },
  "additionalFilters": "(events.type_class IN [\"AmazonCloudTrail\"]) && (type_id = 16 &&  events.type_class is_not null)"
}

Get all alerts for CWP for Storage

{
  "eventTypeToQuery": 16,
  "pageSize": 10,
  "pageNumber": 0,
  "order": "DESCENDING",
  "startDate": "2017-10-25T18:30:00.000Z",
  "endDate": "2018-01-24T18:29:59.999Z",
  "searchFilter": {},
  "additionalFilters": "(type_id = 16) && ((events.type_class IN [\"ANTIMALWARE\",\"SCAN_STATUS\",\"PERMISSION_ASSESSMENT\"]))"
}

Get Anti-Malware alerts for CWP for Storage

{
  "eventTypeToQuery": 16,
  "pageSize": 10,
  "pageNumber": 0,
  "order": "DESCENDING",
  "startDate": "2017-10-25T18:30:00.000Z",
  "endDate": "2018-01-24T18:29:59.999Z",
  "searchFilter": {},
  "additionalFilters": "(type_id = 16) && ((events.type_class IN [\"ANTIMALWARE\"]))"
}

Search by using the key:value pair Alert Title: Process Access alert

{
  "eventTypeToQuery": 16,
  "pageSize": 10,
  "pageNumber": 0,
  "startDate": "2017-02-09T18:30:00.000Z",
  "endDate": "2017-02-17T18:29:59.999Z",
  "searchFilter": {
    "searchQuery": ""
  },
  "additionalFilters": "(rule_name like \"Process Access alert\") && (type_id = 16 &&  events.type_class is_not null)"
}

List critical alerts of type Detection, Management, and AWS CloudTrail that have occurred in the last 2 days

{
  "eventTypeToQuery": 16,
  "pageSize": 10,
  "pageNumber": 0,
  "eventSeverities": [
    3
  ],
  "startDate": "2017-02-12T18:30:00.000Z",
  "endDate": "2017-02-15T07:57:48.328Z",
  "searchFilter": {},
  "additionalFilters": "(events.type_class IN [\"MGMT\",\"IDS\",\"AmazonCloudTrail\"]) && (type_id = 16 &&  events.type_class is_not null)"
}

List all alerts of all types that have an alert title as Multi Rule

{
  "eventTypeToQuery": 16,
  "pageSize": 10,
  "pageNumber": 0,
  "startDate": "2016-11-16T18:30:00.000Z",
  "endDate": "2017-02-15T18:29:59.999Z",
  "searchFilter": {
    "searchQuery": ""
  },
  "additionalFilters": "(rule_name like \"Multi Rule\") && (type_id = 16 &&  events.type_class is_not null)"
}

1.4.10. Sample Script

Try the sample Python script from our GitHub location.

Use the script cwpgetalerts.py to download the Cloud Workload Protection alerts.
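The alerts request described above, as an added example that is not Symantec's cwpgetalerts.py: it builds bodies in the shape of the documented examples, always carrying eventTypeToQuery 16 and the type_id guard clause, adds the x-epmp-product-uid header the alerts service requires, and checks a body against the mandatory attributes before it is sent. The quote-stripping in title_filter() and the validation rules are this example's assumptions, not the reference's.

```python
# Endpoint and product header value are taken from the reference above.
ALERTS_URL = "https://scwp.securitycloud.symantec.com/dcs-service/sccs/v1/events/search"
ALERTS_PRODUCT_UID = "F979E61C-A412-4A58-8879-B83E25B7327F"
ALERT_TYPE_ID = 16                 # eventTypeToQuery / type_id value that selects alerts
# Guard clause that the documented alerts examples carry in additionalFilters (note the two spaces).
GUARD = "(type_id = 16 &&  events.type_class is_not null)"
MANDATORY = ("eventTypeToQuery", "pageSize", "pageNumber", "startDate", "endDate")
ALERT_SEVERITY = {"Notice": 1, "Warning": 2, "Critical": 3}


def alerts_headers(auth_value, customer_id, domain_id):
    """Headers for the alerts service: the common four plus x-epmp-product-uid."""
    return {
        "content-type": "application/json",
        "Authorization": auth_value,
        "x-epmp-customer-id": customer_id,
        "x-epmp-domain-id": domain_id,
        "x-epmp-product-uid": ALERTS_PRODUCT_UID,
    }


def with_guard(filter_expr):
    """Append the alert guard to a caller's filter, or return the guard on its own."""
    if not filter_expr:
        return GUARD
    return filter_expr if GUARD in filter_expr else "%s && %s" % (filter_expr, GUARD)


def title_filter(title):
    """(rule_name like "...") for the 'Alert Title' searches.

    Double quotes are stripped from the title (an assumption of this example) so that a
    title taken from user input cannot terminate the literal and alter the filter.
    """
    return '(rule_name like "%s")' % title.replace('"', "")


def alerts_query(start, end, page_size=10, page_number=0, severities=(), title="", filter_expr=""):
    """Build an alerts request body in the shape of the documented examples.

    start/end are yyyy-MM-ddTHH:mm:ss.SSSZ strings. The parameter table calls the
    severity attribute alertSeverities, but the body field is eventSeverities, as in
    the documented examples.
    """
    body = {
        "eventTypeToQuery": ALERT_TYPE_ID,
        "pageSize": page_size,
        "pageNumber": page_number,
        "startDate": start,
        "endDate": end,
        "searchFilter": {},
    }
    if severities:
        body["eventSeverities"] = [ALERT_SEVERITY[s] for s in severities]
    clauses = [c for c in (filter_expr, title_filter(title) if title else "") if c]
    body["additionalFilters"] = with_guard(" && ".join(clauses))
    return body


def validate_alerts_request(body):
    """List the documented constraints the body violates; an empty list means it is acceptable."""
    problems = ["missing mandatory attribute %s" % k for k in MANDATORY if k not in body]
    if body.get("eventTypeToQuery") != ALERT_TYPE_ID:
        problems.append("eventTypeToQuery must be 16 for alerts")
    if "startDate" in body and "endDate" in body and body["startDate"] >= body["endDate"]:
        problems.append("startDate must precede endDate")   # string order equals time order here
    if not isinstance(body.get("pageSize"), int) or body["pageSize"] < 1:
        problems.append("pageSize must be a positive integer")
    if not isinstance(body.get("pageNumber"), int) or body["pageNumber"] < 0:
        problems.append("pageNumber must be a non-negative integer")
    if "type_id = 16" not in body.get("additionalFilters", ""):
        problems.append("additionalFilters does not restrict type_id to 16")
    return problems


if __name__ == "__main__":
    body = alerts_query("2017-02-09T18:30:00.000Z", "2017-02-17T18:29:59.999Z",
                        title="Process Access alert")
    print(body["additionalFilters"])
    print(validate_alerts_request(body) or "request body OK")
    print(alerts_headers("Bearer EXAMPLE_TOKEN", "CUSTOMER-ID-PLACEHOLDER", "DOMAIN-ID-PLACEHOLDER"))
```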

1.5. Anti-Malware scan service

API to start or schedule an Anti-Malware scan.

1.5.1. Overview

This service lets you start an on-demand Anti-Malware scan, or schedule one, for the instances that you specify. If malware is detected, Cloud Workload Protection quarantines the infected file and generates an event.

For more information, see Protecting the instances from malware.

1.5.2. URL

https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/agents/av/scan

1.5.3. Request Method

POST

1.5.4. Request Header

content-type: application/json
Authorization: <token-type> <access-token>
x-epmp-customer-id: <customer-id>
x-epmp-domain-id: <domain-id>

1.5.5. Request Body

{
"instanceIds":["<Instance ID>"],
"recurringJobDetails":{"recurringJobType":"<Job Type>"}
}

1.5.6. Request Parameters

instanceIds (body)

  Specify one or more instance IDs as a JSON array of strings, as shown in the request body. This attribute specifies the instances on which you want to schedule an Anti-Malware scan.

recurringJobDetails (body)

  The recurringJobDetails object contains an attribute recurringJobType, which takes one of the following values:

  • MANUAL - starts an on-demand scan.
  • ONETIME - schedules a scan that runs only once.
  • HOURLY - schedules a recurring scan that runs once every hour.
  • DAILY - schedules a recurring scan that runs once every day.
  • WEEKLY - schedules a recurring scan that runs once every week.
  • MONTHLY - schedules a recurring scan that runs once every month.

Scan frequency parameters

Each scan frequency takes the following parameters. startTime and endTime use the format YYYY-MM-DD HH:MM:SS.

MANUAL

  The on-demand scan does not require any additional parameters.

  "recurringJobType":"MANUAL"

ONETIME

  • startTime - specifies when the scan should start.

  "recurringJobType":"ONETIME","startTime":"2017-09-07 00:00:00"

HOURLY

  • hour - specifies the hour at which the scan job should start.
  • startTime - specifies when the schedule should start.
  • endTime - specifies when the schedule should end.

  "recurringJobType":"HOURLY","hour":1,"startTime":"2017-09-07 00:00:00","endTime":"2017-09-30 23:59:00"

DAILY

  • hour - specifies the hour at which the scan job should start.
  • minute - specifies the minute at which the scan job should start.
  • second - specifies the second at which the scan job should start.
  • startTime - specifies when the schedule should start.
  • endTime - specifies when the schedule should end.

  "recurringJobType":"DAILY","hour":1,"minute":0,"second":0,"startTime":"2017-09-07 00:00:00","endTime":"2017-09-30 23:59:00"

WEEKLY

  • dayOfWeek - specifies the day on which the scan job runs every week. The accepted values are MON, TUE, WED, THU, FRI, SAT, and SUN.
  • hour - specifies the hour at which the scan job should start.
  • minute - specifies the minute at which the scan job should start.
  • second - specifies the second at which the scan job should start.
  • startTime - specifies when the schedule should start.
  • endTime - specifies when the schedule should end.

  "recurringJobType":"WEEKLY","dayOfWeek":"MON","hour":1,"minute":0,"second":0,"startTime":"2017-09-07 00:00:00","endTime":"2017-09-30 23:59:00"

MONTHLY

  • dayOfMonth - specifies the day on which the scan job runs every month.
  • hour - specifies the hour at which the scan job should start.
  • minute - specifies the minute at which the scan job should start.
  • second - specifies the second at which the scan job should start.
  • startTime - specifies when the schedule should start.
  • endTime - specifies when the schedule should end.

  "recurringJobType":"MONTHLY","dayOfMonth":1,"hour":1,"minute":0,"second":0,"startTime":"2017-06-28 13:36:00","endTime":"2017-09-28 13:36:00"

1.5.7. Response Codes

  • 200 - Successful operation.
  • 400 - Bad request. The request body is incorrect.
  • 401 - Unauthorized access. The token is either invalid or expired.
  • 403 - Forbidden. The request was valid and the credentials were authenticated successfully, but they do not grant permission to access the resource.
  • 404 - The URL is incorrect.
  • 409 - Conflict. An Anti-Malware scan is already running on the specified instance.
  • 429 - Too many requests.
  • 500 - Internal server error; returned when the Symantec service attending to the API calls is down.

1.5.8. Examples

Start an on-demand Anti-Malware scan job

Request body:

{"instanceIds":["i-0efaa23619747c47c"],"recurringJobDetails":{"recurringJobType":"MANUAL"}}

Schedule a one-time Anti-Malware scan job

Request body:

{"instanceIds":["i-0efaa23619747c47c"],"recurringJobDetails":{"recurringJobType":"ONETIME","startTime":"2017-09-07 00:00:00"}}

Schedule an hourly recurring Anti-Malware scan job

Request body:

{"instanceIds":["i-0efaa23619747c47c"],"recurringJobDetails":{"recurringJobType":"HOURLY","hour":1,"startTime":"2017-09-07 00:00:00","endTime":"2017-09-30 23:59:00"}}

Schedule a daily recurring Anti-Malware scan job

Request body:

{"instanceIds":["i-0efaa23619747c47c"],"recurringJobDetails":{"recurringJobType":"DAILY","hour":1,"minute":0,"second":0,"startTime":"2017-09-07 00:00:00","endTime":"2017-09-30 23:59:00"}}

Schedule a weekly recurring Anti-Malware scan job

Request body:

{"instanceIds":["i-0efaa23619747c47c"],"recurringJobDetails":{"recurringJobType":"WEEKLY","dayOfWeek":"MON","hour":1,"minute":0,"second":0,"startTime":"2017-09-07 00:00:00","endTime":"2017-09-30 23:59:00"}}

Schedule a monthly recurring Anti-Malware scan job

Request body:

{"instanceIds":["i-0efaa23619747c47c"],"recurringJobDetails":{"recurringJobType":"MONTHLY","dayOfMonth":1,"hour":1,"minute":0,"second":0,"startTime":"2017-09-07 00:00:00","endTime":"2017-09-30 23:59:00"}}

1.5.9. Sample Script

Try the sample Python script from our GitHub location.

Use the script cwprunavscan.py to run an on-demand Anti-Malware scan.
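The scan schedules described above, as an added example that is not Symantec's cwprunavscan.py: a builder that checks the parameters each recurringJobType requires, the startTime/endTime format, and the dayOfWeek values before the body is sent, plus a mapping of the documented response codes (including 409) to operator-facing outcomes. The numeric bounds in RANGES and the rule that endTime must be later than startTime are assumptions of this example.

```python
import json
from datetime import datetime

SCAN_URL = "https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/agents/av/scan"
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"        # startTime/endTime format used by the examples
DAYS = ("MON", "TUE", "WED", "THU", "FRI", "SAT", "SUN")

# Extra keys each recurringJobType requires, per the scan frequency table above.
REQUIRED = {
    "MANUAL": (),
    "ONETIME": ("startTime",),
    "HOURLY": ("hour", "startTime", "endTime"),
    "DAILY": ("hour", "minute", "second", "startTime", "endTime"),
    "WEEKLY": ("dayOfWeek", "hour", "minute", "second", "startTime", "endTime"),
    "MONTHLY": ("dayOfMonth", "hour", "minute", "second", "startTime", "endTime"),
}
# Assumed bounds for the numeric fields; the reference does not state them.
RANGES = {"hour": (0, 23), "minute": (0, 59), "second": (0, 59), "dayOfMonth": (1, 31)}


def parse_time(text):
    """Parse 'YYYY-MM-DD HH:MM:SS'; raises ValueError for any other shape."""
    return datetime.strptime(text, TIME_FORMAT)


def scan_request(instance_ids, job_type, **schedule):
    """Build and validate the scan request body for one recurringJobType."""
    if job_type not in REQUIRED:
        raise ValueError("unknown recurringJobType %r" % job_type)
    if not instance_ids or not all(isinstance(i, str) and i for i in instance_ids):
        raise ValueError("instanceIds must be a non-empty list of instance ID strings")
    missing = [k for k in REQUIRED[job_type] if k not in schedule]
    extra = [k for k in schedule if k not in REQUIRED[job_type]]
    if missing or extra:
        raise ValueError("%s takes %s; missing %s, unexpected %s"
                         % (job_type, list(REQUIRED[job_type]), missing, extra))
    for key, (lo, hi) in RANGES.items():
        if key in schedule and not (isinstance(schedule[key], int) and lo <= schedule[key] <= hi):
            raise ValueError("%s must be an integer in [%d, %d]" % (key, lo, hi))
    if "dayOfWeek" in schedule and schedule["dayOfWeek"] not in DAYS:
        raise ValueError("dayOfWeek must be one of %s" % ", ".join(DAYS))
    if "startTime" in schedule:
        start = parse_time(schedule["startTime"])
        if "endTime" in schedule and parse_time(schedule["endTime"]) <= start:
            raise ValueError("endTime must be later than startTime")
    details = {"recurringJobType": job_type, **schedule}
    return {"instanceIds": list(instance_ids), "recurringJobDetails": details}


def describe_status(code):
    """Map the documented response codes of the scan service to an operator-facing outcome."""
    return {
        200: "scan accepted",
        400: "request body incorrect",
        401: "token invalid or expired; obtain a new token",
        403: "credentials lack permission for this resource",
        404: "URL incorrect",
        409: "a scan is already running on the instance; do not retry blindly",
        429: "rate limited; back off before retrying",
        500: "service unavailable; retry later",
    }.get(code, "unexpected response code %d" % code)


if __name__ == "__main__":
    body = scan_request(["i-0efaa23619747c47c"], "WEEKLY", dayOfWeek="MON", hour=1, minute=0,
                        second=0, startTime="2017-09-07 00:00:00", endTime="2017-09-30 23:59:00")
    print(json.dumps(body, separators=(",", ":")))   # same compact form as the examples above
    print(describe_status(409))
```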

1.6. Anti-Malware cancel scan service

API to cancel Anti-Malware scans.

1.6.1. Overview

This service lets you cancel a running Anti-Malware scan job for the instances that you specify.

1.6.2. URL

https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/agents/av/cancel-scan

1.6.3. Request Method

POST

1.6.4. Request Header

content-type: application/json
Authorization: <token-type> <access-token>
x-epmp-customer-id: <customer-id>
x-epmp-domain-id: <domain-id>

1.6.5. Request Body

["<List Of instanceIds>"]

1.6.6. Request Parameters

instanceIds (body)

  Specify one or more instance IDs as a JSON array of strings, as shown in the request body. This attribute specifies the instances on which you want to cancel an Anti-Malware scan.

1.6.7. Response Codes

Code

Description

200

Successful operation.

400

Bad request.

The request body is incorrect.

401

Unauthorized access.

The token is either invalid or expired.

403

Forbidden.

The request was valid and the credentials were successfully authenticated. However, the credentials do not grant permission to access the resource.

404

URL is incorrect.

429

Too many requests.

500

Internal server error if the Symantec service attending to the API calls is down.

1.6.8. Examples

Cancel an Anti-Malware scan job on two instances

Request body:

["i-01033bd4f26301f22","vm493132851e"]

1.7. Download agent package service

API for downloading the Cloud Workload Protection agent.

1.7.1. Overview

This service lets you download the Cloud Workload Protection agent package for the platforms that you specify. You can then install the agent on the instances.

To download the agent package, you must first obtain the authorization token.

1.7.2. URL

https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/agents/packages/download/platform/<PLATFORM>

<PLATFORM> can be any one of the following:

centos6, centos7, rhel6, rhel7, oel6, oel7, ubuntu14, ubuntu16, amazonlinux, windows, sles12.

1.7.3. Request Method

GET

1.7.4. Request Header

Authorization: <token-type> <access-token>
x-epmp-customer-id: <customer-id>
x-epmp-domain-id: <domain-id>

1.7.5. Example

URL for downloading the agent for the Ubuntu 16.04 LTS platform

https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/agents/packages/download/platform/ubuntu16

1.7.6. Sample Script

Try the sample Python script from our GitHub location.

Use the script cwpagentinstall.py to download and install the agent on Linux instances.

1.8. Get instance basic details

Service to get the basic details of the instances.

1.8.1. Overview

This service returns a detailed list of all the instances in your environment. The instance details include the instance ID, name, platform, instance state, policy group applied status, and the agent installation status.

You must obtain the authorization token to use this service.

1.8.2. URL

https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/ui/assets/basic

1.8.3. Request Method

GET

1.8.4. Request Header

content-type: application/json
Authorization: <token-type> <access-token>
x-epmp-customer-id: <customer-id>
x-epmp-domain-id: <domain-id>

1.8.5. Response Codes

Code

Description

200

Successful operation.

400

Bad request.

The request body is incorrect.

401

Unauthorized access.

The token is either invalid or expired.

403

Forbidden.

The request was valid and the credentials were successfully authenticated. However, the credentials do not grant permission to access the resource.

404

URL is incorrect.

429

Too many requests.

500

Internal server error if the Symantec service attending to the API calls is down.

1.9. Get policy group basic details

Service to get the basic details of the policy groups.

1.9.1. Overview

This service returns a detailed list of all the policy groups in your environment. The policy group details include policy group id, name, description, group type, mode (Test or Production), and the enabled capabilities.

You must obtain the authorization token to use this service.

1.9.2. URL

https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/policy/policy_groups/basic

1.9.3. Request Method

GET

1.9.4. Request Header

content-type: application/json
Authorization: <token-type> <access-token>
x-epmp-customer-id: <customer-id>
x-epmp-domain-id: <domain-id>

1.9.5. Request Parameters

Attribute name

Values

Component

Limit

The number of records to display on a page. This value can be set up to 1000.

'limit':10

Offset

Specifies the number of pages to skip in the result. An offset of 0 denotes the first page. If you set the offset to 2, the result starts from the third page.

'offset':0

Where

Lets you add conditions based on policy group attributes, and logical and relational operators.

where=(name='AcmeWebServerGroup')

1.9.6. Response Codes

Code

Description

200

Successful operation.

400

Bad request.

The request body is incorrect.

401

Unauthorized access.

The token is either invalid or expired.

403

Forbidden.

The request was valid and the credentials were successfully authenticated. However, the credentials do not grant permission to access the resource.

404

URL is incorrect.

429

Too many requests.

500

Internal server error if the Symantec service attending to the API calls is down.

1.10. Apply policy group on an instance

Service to apply policy group on a single instance.

1.10.1. Overview

This service lets you apply a policy group on an instance. The policy group ID and the instance ID must be provided in the request URL. If you want to apply the same policy group to multiple instances,

You must obtain the authorization token to use this service.

1.10.2. URL

https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/policy/assets/{InstanceId}/policy_groups/{policyGroupId}

InstanceId = Enter the Cloud Workload Protection instance ID. You can get the instance ID from the Instances and Software Services page of the Cloud Workload Protection portal.

policyGroupId = When you click on a policy group, you can see the policyGroupId in the URL.

1.10.3. Request Method

PUT

1.10.4. Request Header

content-type: application/json
Authorization: <token-type> <access-token>
x-epmp-customer-id: <customer-id>
x-epmp-domain-id: <domain-id>

1.10.5. Response Codes

Code

Description

200

Successful operation.

400

Bad request.

The request body is incorrect.

401

Unauthorized access.

The token is either invalid or expired.

403

Forbidden.

The request was valid and the credentials were successfully authenticated. However, the credentials do not grant permission to access the resource.

404

URL is incorrect.

405

The request method is incorrect.

429

Too many requests.

500

Internal server error if the Symantec service attending to the API calls is down.

1.10.6. Example

Request URL:

https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/policy/assets/i-0a11435c1370e6130/policy_groups/CzYwugVDRUmdWgaEPNi9wA

1.10.7. Sample Script

Try the sample Python script from our GitHub location.

Use the script cwppolicygroup.py to apply a policy group on an instance.

1.11. Apply policy group on multiple instances

Service to apply policy group on multiple instances.

1.11.1. Overview

This service lets you apply a policy group on multiple instances.

You must obtain the authorization token to use this service.

1.11.2. URL

https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/policy/policy_groups/{policyGroupId}/assets

When you click on a policy group, you can see the policyGroupId in the URL.

1.11.3. Request Method

PUT

1.11.4. Request Header

content-type: application/json
Authorization: <token-type> <access-token>
x-epmp-customer-id: <customer-id>
x-epmp-domain-id: <domain-id>

1.11.5. Request Body

["instance_id-1","instance_id-2"]

1.11.6. Request Parameters

Field

Description

Component

instance_id

Specify the Cloud Workload Protection instance IDs where you want to apply the policy group. You can see the instance IDs on the Instances and Software Services page of the Cloud Workload Protection portal.

The policy group ID must be specified in the request URL.

Body

1.11.7. Response Codes

Code

Description

200

Successful operation.

400

Bad request.

The request body is incorrect.

401

Unauthorized access.

The token is either invalid or expired.

403

Forbidden.

The request was valid and the credentials were successfully authenticated. However, the credentials do not grant permission to access the resource.

404

URL is incorrect.

405

The request method is incorrect.

429

Too many requests.

500

Internal server error if the Symantec service attending to the API calls is down.

1.11.8. Example

Request body:

["i-01033bd4f26301f22","vm493132851e"]

1.12. Remove policy group from an instance

Service to remove the applied policy group from an instance.

1.12.1. Overview

This service lets you remove the applied policy group from an instance. The ID of the instance from which you want to remove the policy group must be specified in the URL.

You must obtain the authorization token to use this service.

1.12.2. URL

https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/policy/policygroups/{instanceId}/all

instanceId = Enter the Cloud Workload Protection instance ID. You can get the instance ID from the Instances and Software Services page of the Cloud Workload Protection portal.

1.12.3. Request Method

DELETE

1.12.4. Request Header

content-type: application/json
Authorization: <token-type> <access-token>
x-epmp-customer-id: <customer-id>
x-epmp-domain-id: <domain-id>

1.12.5. Response Codes

Code

Description

200

Successful operation.

400

Bad request.

The request body is incorrect.

401

Unauthorized access.

The token is either invalid or expired.

403

Forbidden.

The request was valid and the credentials were successfully authenticated. However, the credentials do not grant permission to access the resource.

404

URL is incorrect.

405

The request method is incorrect.

429

Too many requests.

500

Internal server error if the Symantec service attending to the API calls is down.

1.12.6. Example

Request URL:

https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/policy/policygroups/i-0a11435c1370e6130/all

1.13. View applied policy group

Get the policy group that is applied to an instance.

1.13.1. Overview

This service lets you get the policy group that is applied on a particular instance. The asset ID must be provided in the request URL.

You must obtain the authorization token to use this service.

1.13.2. URL

https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/policy/assets/{AssetId}/policy_groups/

AssetId = Enter the Cloud Workload Protection asset ID. You can get the asset ID from the fetch asset API.

1.13.3. Request Method

GET

1.13.4. Request Header

content-type: application/json
Authorization: <token-type> <access-token>
x-epmp-customer-id: <customer-id>
x-epmp-domain-id: <domain-id>

1.13.5. Response Codes

Code

Description

200

Successful operation.

400

Bad request.

The request body is incorrect.

401

Unauthorized access.

The token is either invalid or expired.

403

Forbidden.

The request was valid and the credentials were successfully authenticated. However, the credentials do not grant permission to access the resource.

404

URL is incorrect.

405

The request method is incorrect.

429

Too many requests.

500

Internal server error if the Symantec service attending to the API calls is down.

1.13.6. Example

Request URL:

https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/policy/assets/i-0a11435c1370e6130/policy_groups/

1.14. Check OS and kernel support service

API to check if Symantec Cloud Workload Protection supports a specific Linux distribution and kernel.

1.14.1. Overview

To protect an instance with Cloud Workload Protection, you must ensure that the instance is running a supported OS and kernel as mentioned in the following list:

Use this API to check if Cloud Workload Protection supports a specific Linux distribution or kernel.

You must obtain the authorization token to use this service.

1.14.2. URL

https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/agents/packages/supported-platforms

1.14.3. Request Method

PUT

1.14.4. Request Header

content-type: application/json
x-epmp-customer-id: <customer-id>
x-epmp-domain-id: <domain-id>
Authorization: Bearer <token>

1.14.5. Request Body

{
"osDistribution": "The OS distribution name",
"kernelVersion": "Kernel version"
}

1.14.6. Request Parameters

osDistribution: The name of the OS distribution that you want to check. For example:

"osDistribution": "Amazon Linux"

kernelVersion: The kernel version that you want to check. For example:

"kernelVersion": "4.9.17-1.amzn1.x86_64"

1.14.7. Response Codes

Code

Description

200

Successful operation.

400

Invalid OS distribution.

401

Unauthorized access.

The token is either invalid or has expired.

403

Forbidden.

The request was valid and the credentials were successfully authenticated. However, the credentials do not grant permission to access the resource.

404

URL is incorrect.

405

The request method is incorrect.

429

Too many requests.

500

Failed to retrieve OS and kernel.

1.14.8. Response Header

content-type: application/json

1.14.9. Response Data

The following table lists sample response data:

Scenario

Response data

The OS distribution and kernel version are supported. For example, the request

{
"osDistribution": "Amazon Linux",
"kernelVersion": "4.9.17-1.amzn1.x86_64"
}

returns:

{
"description": "Agent is supported on 'Amazon Linux' with kernel version '4.9.17-1.amzn1.x86_64'",
"supported": true
}

The OS distribution is not supported. For example, the request

{
"osDistribution": "SLES",
"kernelVersion": "4.4.74-*"
}

returns:

{
"description": "Agent supported OS distributions: Amazon Linux, CentOS release 6.*, CentOS release 7.*, Microsoft Windows 2008 R2.*, Microsoft Windows 2012 R2.*, Microsoft Windows 2016.*, Red Hat Enterprise Linux Server release 6.*, Red Hat Enterprise Linux Server release 7.*, Ubuntu 14.*, Ubuntu 16.*",
"supported": false
}

The kernel version is not supported. For example, the request

{
"osDistribution": "Amazon Linux",
"kernelVersion": "4.4.11-1.amzn1.x86_64"
}

returns:

{
"description": "Agent supported kernel versions for 'Amazon Linux': 4.9.17-.*.amzn1.x86_64, 4.9.20-.*.amzn1.x86_64, 4.9.27-.*.amzn1.x86_64, 4.9.32-.*.amzn1.x86_64",
"supported": false
}

1.14.10. Example

The following is sample Python code for this API service that you can use on a Linux instance.

import json
import platform
import sys

import requests

#CWP REST API endpoint URL for auth function
url = 'https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/oauth/tokens'

#TODO: Make sure you save your own CWP API keys here (the values below are placeholders)
clientsecret = '1ncYYYQYYYQYQYYYYYQg8j4s7'
clientID = 'O2ID.SEJxecA###################2d0qfan5j91g5'
customerID = 'SEJ################YCxAg'
domainID = 'Dqdfie################IITB2w'

#Add to payload and header your CWP tenant & API keys - client_id, client_secret, x-epmp-customer-id and x-epmp-domain-id
payload = {'client_id': clientID, 'client_secret': clientsecret}
header = {"Content-type": "application/json", 'x-epmp-customer-id': customerID, 'x-epmp-domain-id': domainID}
response = requests.post(url, data=json.dumps(payload), headers=header)
authresult = response.status_code
#Check the status before decoding: an error response may not be JSON at all
if authresult != 200:
    print("\nAuthentication Failed. Did you replace the API keys in the code with your CWP API Keys? Check clientsecret, clientID, customerID, and domainID\n")
    sys.exit(1)
token = response.json()

#Extracting auth token
accesstoken = "Bearer " + token['access_token']


def detect_os_distribution():
    #osdistribution was never defined in the original listing; this best-effort
    #detection is an addition. platform.linux_distribution() exists on Python 2.7
    #(the version the script targets) and was removed in Python 3.8, so newer
    #interpreters fall back to PRETTY_NAME from /etc/os-release.
    if hasattr(platform, "linux_distribution"):
        name, version, _ = platform.linux_distribution()
        return (name + " " + version).strip()
    with open("/etc/os-release") as f:
        fields = dict(line.rstrip("\n").split("=", 1) for line in f if "=" in line)
    return fields.get("PRETTY_NAME", "").strip('"')


#Additional checks to make sure the agent is installed on supported Kernel versions
osdistribution = detect_os_distribution()
kernelversion = platform.release().strip()
print("Detected OS: " + osdistribution + ", Kernel: " + kernelversion)

#CWP REST API function endpoint URL for checking if platform and kernel is supported
urlplatformcheck = 'https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/agents/packages/supported-platforms'
payload = {'osDistribution': osdistribution, 'kernelVersion': kernelversion}

#print('Payload: ' + str(payload))
headerplatformcheck = {"Authorization": accesstoken, 'x-epmp-customer-id': customerID, 'x-epmp-domain-id': domainID, "Content-Type": "application/json"}
#print('Headers: ' + str(headerplatformcheck))

response = requests.put(urlplatformcheck, data=json.dumps(payload), headers=headerplatformcheck)
if response.status_code != 200:
    print("supported-platforms API call failed with HTTP " + str(response.status_code) + "\n")
    sys.exit(1)
outputplatformcheck = response.json()
#print(outputplatformcheck)

if outputplatformcheck['supported']:
    print("Supported OS: " + osdistribution + ", Kernel: " + kernelversion)
    print("\n" + outputplatformcheck['description'])
else:
    print("Non Supported OS: " + osdistribution + ", Kernel: " + kernelversion)
    print(outputplatformcheck['description'] + "\n")
    sys.exit(1)

1.15. Threat and vulnerability service

API to get a list of potential threats and vulnerabilities.

1.15.1. Overview

Use this API service to get a list of the potential threats and vulnerabilities that may impact your instances.

You must obtain the authorization token to use this service.

1.15.2. URL

Depending on whether you want the potential vulnerabilities or the threats, use one of the following URLs:

https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/vulnerabilities

https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/threats

1.15.3. Request Method

POST

1.15.4. Request Header

content-type: application/json
Authorization: <token-type> <access-token>
x-epmp-customer-id: <customer-id>
x-epmp-domain-id: <domain-id>

1.15.5. Request Body

{
   "cve" : ["CVE_ID"],
   "name" : ["name1","name2"],
   "description" : ["description"],
   "application" : ["application1","application2"],
   "severity" : ["severity1","severity2"],
   "instances" : ["instanceID"]
}

The request body filters the records as per your requirement. If you want to get all the records, provide an empty request body as: {}.

1.15.6. Request Parameters

Attribute

Description

Example

cve

Accepts multiple CVE IDs as comma separated values and displays records that are a part of all the specified CVE IDs.

"cve":["CVE-2017-5715", "CVE-2017-5753", "CVE-2017-5754"]

name

Accepts multiple phrases as comma separated values and displays records that have all the specified names.

This attribute is case sensitive.

Specify the exact name. Ensure that the value does not contain any trailing spaces.

"name":["overflow","integer"]

description

Accepts multiple words as comma separated values and displays records that have all the specified values.

This attribute is case sensitive.

"description":["attack"]

application

Accepts multiple application names and displays records that are a part of any of the specified values.

"application":["MySQL","Apache"]

severity

Accepts multiple severity values and displays the records that are a part of any of the specified severities.

The accepted values are:

HIGH, MEDIUM, LOW.

These values must be provided in capital letters.

"severity":["HIGH","LOW"]

instances

Accepts multiple instance IDs and displays records that are a part of any of the specified instances.

"instances" : ["i-08eacf36d1xxxxx"]

1.15.7. Example

To fetch vulnerabilities of high or low severity that have overflow and integer in their name and that impact either MySQL or Apache, use the following request.

Sample request body:

{
   "cve" : [],
   "name" : ["overflow","Integer"],
   "description" : ["attack"],
   "application" : ["MySql","Apache"],
   "severity" : ["HIGH","LOW"]
}

Sample response body:

{
    "vulnerabilities": [
        {
            "title": "OpenSSL CVE-2016-2177 Integer Overflow Vulnerability",
            "severity_level": "HIGH",
            "description": "OpenSSL is an open-source cryptography library. OpenSSL is prone to an integer-overflow vulnerability because it fails to adequately bounds-check user-supplied data before copying it into an insufficiently sized buffer. Specifically, this issue affects the codebase because it incorrectly uses pointer arithmetic for heap-buffer boundary checks. An attacker can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely result in denial-of-service conditions. OpenSSL 1.0.2h and prior versions are vulnerable.",
            "cves": "[\"CVE-2016-2177\"]",
            "instances": [
                "i-08eacf36d1891424a"
            ],
            "threats": [],
            "applications": [
                "Oracle!MySql Server!5.6.31!Unix!cpe:2.3:a:oracle:mysql:5.6.31::::::"
            ]
        }
    ],
    "totalcount": 1
}
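An added example, not code from this documentation or its GitHub scripts, that builds the filter body following the case rules in the parameters table and then post-processes a response like the one above. Note that the cves field arrives as a JSON array encoded inside a JSON string, so it needs a second decode; SAMPLE_RESPONSE is constructed from the sample response body.

```python
import json

SEVERITIES = ("HIGH", "MEDIUM", "LOW")


def build_filter(cve=(), name=(), description=(), application=(), severity=(), instances=()):
    """Build the request body for /v1/vulnerabilities or /v1/threats.
    Empty filters are dropped, so calling it with no arguments yields {} (all records)."""
    severities = [s.upper() for s in severity]      # the API accepts capital letters only
    unknown = [s for s in severities if s not in SEVERITIES]
    if unknown:
        raise ValueError("severity must be one of %s, got %s" % (", ".join(SEVERITIES), unknown))
    names = [n.rstrip() for n in name]              # trailing spaces defeat the exact name match
    body = {"cve": list(cve), "name": names, "description": list(description),
            "application": list(application), "severity": severities, "instances": list(instances)}
    return {key: value for key, value in body.items() if value}


def parse_cves(value):
    """The sample response carries "cves" as a JSON array encoded inside a JSON
    string, so one extra json.loads is needed. A real list is accepted too in case
    the field is ever returned unencoded (assumption)."""
    if isinstance(value, list):
        return value
    if not value:
        return []
    decoded = json.loads(value)
    return decoded if isinstance(decoded, list) else [decoded]


def flatten(response):
    """One row per (instance, CVE) pair: the shape a ticketing or patch queue wants."""
    rows = []
    for record in response.get("vulnerabilities", []):
        cves = parse_cves(record.get("cves", "[]")) or [None]
        for instance in record.get("instances", []):
            for cve in cves:
                rows.append({"instance": instance, "severity": record.get("severity_level"),
                             "cve": cve, "title": record.get("title")})
    return rows


def cves_by_instance(response, min_severity="LOW"):
    """Map instance ID -> sorted CVE list, keeping only records at or above min_severity."""
    rank = {s: i for i, s in enumerate(reversed(SEVERITIES))}   # LOW=0, MEDIUM=1, HIGH=2
    threshold = rank[min_severity.upper()]
    result = {}
    for row in flatten(response):
        if row["cve"] is None or rank.get(row["severity"], -1) < threshold:
            continue
        result.setdefault(row["instance"], set()).add(row["cve"])
    return {instance: sorted(cves) for instance, cves in result.items()}


# Constructed from the sample response body above (one record, one instance).
SAMPLE_RESPONSE = {
    "vulnerabilities": [{
        "title": "OpenSSL CVE-2016-2177 Integer Overflow Vulnerability",
        "severity_level": "HIGH",
        "description": "OpenSSL is prone to an integer-overflow vulnerability ...",
        "cves": "[\"CVE-2016-2177\"]",
        "instances": ["i-08eacf36d1891424a"],
        "threats": [],
        "applications": ["Oracle!MySql Server!5.6.31!Unix!cpe:2.3:a:oracle:mysql:5.6.31::::::"],
    }],
    "totalcount": 1,
}

if __name__ == "__main__":
    print(json.dumps(build_filter(name=["overflow", "Integer"], application=["MySql", "Apache"],
                                  severity=["high", "low"])))
    print(cves_by_instance(SAMPLE_RESPONSE, min_severity="MEDIUM"))
```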

1.15.8. Sample Script

Try the sample Python script from our GitHub location.

Use the script cwptandv.py to get information about the potential threats and vulnerabilities.

1.16. Agent version service

API to know the latest version of the Cloud Workload Protection agent for different platforms.

1.16.1. Overview

Use this API to know the latest version of the Cloud Workload Protection agent for all the supported platforms. You can either see the latest agent version for a particular platform or get a list of the latest agent versions for all platforms.

You must obtain the authorization token to use this service.

1.16.2. URL

To get the agent versions for all platforms, use:

https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/agents/packages/platform/all

To know the latest agent version for a particular platform, use:

https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/agents/packages/latestversion/platform/Supported_Platform

Where Supported_Platform can be any one of the following:

centos6, centos7, rhel6, rhel7, oel6, oel7, ubuntu14, ubuntu16, amazonlinux, windows.

1.16.3. Request Method

GET

1.16.4. Request Header

content-type: application/json
Authorization: <token-type> <access-token>
x-epmp-customer-id: <customer-id>
x-epmp-domain-id: <domain-id>

1.16.5. Example

To know the latest agent version for CentOS 7:

GET https://dcs-stage.symprotectcloud.com/dcs-service/dcscloud/v1/agents/packages/latestversion/platform/centos7

Sample output:

{
    "CWPAgentVersionInfo": {
        "version": "6.7.4.406"
    }
}

1.16.6. Sample Script

Try the sample Python script from our GitHub location.

Use the script cwp_agent_version.py to see the latest Cloud Workload Protection agent version for the supported platforms.

1.17. Create or update AWS connection

REST API sample to create an AWS connection and update the Role ARN, SQS URL, and polling interval in a single call. Use this if you are automating the creation of an AWS connection in Cloud Workload Protection from within your AWS infrastructure-building scripts, where an AWS account is created on the fly.

1.17.1. Overview

Use this API to get a list of all the existing connections, create a new AWS connection, and update an existing AWS connection.

You must obtain the authorization token to use this service.

1.17.2. URL

https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/cpif/cloud_connections

To get details about a specific existing connection:

https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/cpif/cloud_connections/id

Where id is the connection id that you get after creating a connection.

1.17.3. Request Method

To get a list of the existing connections, use: GET

To create a new AWS connection, use: POST

To update an existing AWS connection, use: PUT

1.17.4. Request Header

content-type: application/json
Authorization: <token-type> <access-token>
x-epmp-customer-id: <customer-id>
x-epmp-domain-id: <domain-id>

1.17.5. Request Body

The request body is required only for updating a connection. See the following sample request bodies:

For connections with Sync Option as Periodic Sync:

{
   "cloud_platform":"AWS",
   "id":"b_xxxxxxx_IeY6r6w",
   "name":"Connection Name",
   "external_id":"wxxxxxxxx",
   "pollingIntervalHours":1,
   "pollingIntervalMinutes":30,
   "cross_account_role_arn":"arn:aws:iam::000000:role/Sample Role",
   "description":"FROM API",
   "requires_polling":true,
   "events_url":[]
}

For connections with Sync Option as AWS CloudTrail:

{
   "cloud_platform":"AWS",
   "id":"b_xxxxxxx_IeY6r6w",
   "name":"Connection Name",
   "external_id":"wxxxxxxxx",
   "aws_properties":{
       "cloudWatchLogEnabled": true,
       "cloudwatch_loggroup_name": "cwpalerts",
       "cloudwatch_logstream_name": "cwpalerts",
       "cloudwatch_log_enabled": true,
       "cloudwatchlog_region": "us-west-2"
   },
   "pollingIntervalHours":1,
   "pollingIntervalMinutes":30,
   "cross_account_role_arn":"arn:aws:iam::000000:role/Sample Role",
   "description":"FROM API",
   "requires_polling":false,
   "events_url":[
      {
         "name":"SCWPSQSQueue1",
         "url":"https://sqs.us-west-2.amazonaws.com/143926267875/SCWPSQSQueue1"
      }
   ]
}
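An added example (not the project's own code) that builds either of the bodies above from a few inputs, choosing the sync mode from whether SQS queue URLs are supplied, and that classifies a body so an inconsistent one (polling enabled together with queues) is caught before it is sent. The role ARN and SQS URL shape checks and the polling-interval range are assumptions of this example.

```python
import re

# Loose shape checks for the two AWS identifiers the body carries (assumptions).
# The account part is not pinned to 12 digits so the sample's "000000" still passes.
ROLE_ARN = re.compile(r"^arn:aws:iam::\d+:role/.+$")
SQS_URL = re.compile(r"^https://sqs\.([a-z0-9-]+)\.amazonaws\.com/\d+/([A-Za-z0-9_-]+)$")


def is_role_arn(value):
    return bool(ROLE_ARN.match(value or ""))


def aws_connection_body(name, external_id, role_arn, polling_hours, polling_minutes,
                        sqs_queue_urls=(), cloudwatch=None, connection_id=None,
                        description="FROM API"):
    """Build the cloud_connections body.

    No SQS queues -> Periodic Sync (requires_polling true, events_url empty).
    One or more SQS queue URLs -> AWS CloudTrail sync (requires_polling false, the
    queues listed in events_url). cloudwatch, when given, is a dict with the keys
    log_group, log_stream and region and fills aws_properties as in the sample.
    connection_id is set only for an update (PUT); a create (POST) omits it.
    """
    if not is_role_arn(role_arn):
        raise ValueError("cross_account_role_arn must look like arn:aws:iam::<account>:role/<name>")
    if not (isinstance(polling_hours, int) and isinstance(polling_minutes, int)
            and polling_hours >= 0 and 0 <= polling_minutes <= 59
            and polling_hours + polling_minutes > 0):
        raise ValueError("polling interval must be hours >= 0 and minutes 0-59, not both zero")
    events = []
    for url in sqs_queue_urls:
        match = SQS_URL.match(url)
        if not match:
            raise ValueError("not an SQS queue URL: %s" % url)
        # The queue name is taken from the last URL segment, as in the sample body.
        events.append({"name": match.group(2), "url": url})

    body = {
        "cloud_platform": "AWS",
        "name": name,
        "external_id": external_id,
        "pollingIntervalHours": polling_hours,
        "pollingIntervalMinutes": polling_minutes,
        "cross_account_role_arn": role_arn,
        "description": description,
        "requires_polling": not events,
        "events_url": events,
    }
    if cloudwatch:
        body["aws_properties"] = {
            "cloudWatchLogEnabled": True,
            "cloudwatch_log_enabled": True,
            "cloudwatch_loggroup_name": cloudwatch["log_group"],
            "cloudwatch_logstream_name": cloudwatch["log_stream"],
            "cloudwatchlog_region": cloudwatch["region"],
        }
    if connection_id:
        body["id"] = connection_id
    return body


def sync_mode(body):
    """Name the Sync Option a body expresses, or flag a contradictory combination."""
    polling = body.get("requires_polling")
    queues = body.get("events_url") or []
    if polling and not queues:
        return "Periodic Sync"
    if not polling and queues:
        return "AWS CloudTrail"
    return "inconsistent"


if __name__ == "__main__":
    import json
    print(json.dumps(aws_connection_body(
        "Connection Name", "wxxxxxxxx", "arn:aws:iam::000000:role/Sample Role", 1, 30,
        sqs_queue_urls=["https://sqs.us-west-2.amazonaws.com/143926267875/SCWPSQSQueue1"],
        cloudwatch={"log_group": "cwpalerts", "log_stream": "cwpalerts", "region": "us-west-2"},
        connection_id="b_xxxxxxx_IeY6r6w"), indent=2))
```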

1.17.6. Response Body

The following is a sample response body for the create connection (POST) method:

{
        "cloud_platform": "AWS",
        "name": "jKcLmwajq9",
        "external_id": "axxxxxxx",
        "access_mechanism": 0,
        "created": "2018-06-03T06:01:59.864Z",
        "modified": "2018-06-03T06:01:59.864Z",
        "obj_classes": [
            "dcs_adapter_config"
        ],
        "uri": "/v1/mdr/dcs_adapter_configs/cByexxxxxxxxx",
        "id": "cByexxxxxxxxx"
    }

1.17.7. Sample Script

Try the sample Python script from our GitHub location.

Use the script cwp_aws_connection_get_create.py to get the list of existing connections and to create a new AWS connection.

Use the script cwp_aws_connection_create_single_call.py to create an AWS connection.

Use the script cwp_aws_connection_update.py to update an existing AWS connection.

1.18. Download agent logs

Download and save the agent logs of a Windows or Linux instance of Cloud Workload Protection using the agentlogsdownloadzip.py script. This script can be downloaded from our GitHub location.

1.18.1. Prerequisites to use the script

  • Python 2.7.15 or higher version must be installed

  • pip must be installed

  • Packages or modules such as requests, json, time, sys, re, and os must be installed.

1.18.2. Parameters

You must obtain the following parameters from the Settings > API Keys page of the Cloud Workload Protection console to execute the script.

Customer ID : <customer-id>
Domain ID : <domain-id>
Client ID : <client-id>
Client Secret Key : <client-secret-key>

Get the Instance ID from the Instance Details page of the Cloud Workload Protection console. The instance ID is that of the virtual machine, and is required to download the agent logs.

Instance ID : <instance-id>

Execute the script as:

python downloadagentlogs.py <Customer ID> <Domain ID> <Client Id> <Client Secret Key> <Instance ID>

1.19. Add a Symantec tag to an instance

Tags are labels for instances, chosen according to the purpose each instance serves. For example, you can tag instances with labels such as Production, Test, Finance, Logistics, Online_Transactions, and so on. Add tags to segregate the instances of Cloud Workload Protection.

1.19.1. URL

https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/ui/tags/add

1.19.2. Request Method

PUT

1.19.3. Request Header

content-type: application/json
Authorization: <token-type> <access-token>
x-epmp-customer-id: <customer-id>
x-epmp-domain-id: <domain-id>

1.19.4. Request Body

{"asset_ids":["i-02cxxxxxxxx3de", "i-0dtxxxxxxxx2st"],"tags":["sampletag1","sampletag2"]}

1.19.5. Request Parameters

Attribute

Description

Asset id

The ID of the instance that you want to tag.

Tags

Name of the tags that you want to apply to the instances.

1.19.6. Response Code

Code

Description

201

Tags are added successfully.

401

Unauthorized access. The token is either invalid or expired.

404

URL is incorrect.

500

Internal server error if Asset Id is invalid.

1.19.7. Example

Download the sample script to add a tag to an instance.

1.20. Delete a Symantec tag from an instance

Delete a tag that you applied to an instance of Cloud Workload Protection.

1.20.1. URL

 https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/ui/tags/delete

1.20.2. Request Method

DELETE

1.20.3. Request Header

content-type: application/json
Authorization: <token-type> <access-token>
x-epmp-customer-id: <customer-id>
x-epmp-domain-id: <domain-id>

1.20.4. Request Body

 {"asset_ids":["i-02cxxxxxxxx3de", "i-0dtxxxxxxxx2st"],"tags":["sampletag1","sampletag2"]}

1.20.5. Request Parameters

Field

Description

Asset id

The ID of the instance from where you want to delete the tag.

Tags

Name of the tags that you want to delete from the instances.

1.20.6. Response Code

Code

Description

201

Tags are deleted successfully.

401

Unauthorized access. The token is either invalid or expired.

404

URL is incorrect.

500

Internal server error if Asset Id is invalid.

1.20.7. Example

Download the sample script to delete a tag from an instance.

1.21. Export policy settings of a policy group

API to retrieve the settings configured for the policies of a policy group.

1.21.1. Overview

This API returns a list of the settings that are configured in the policies of a policy group. The settings are classified as IPS (prevention-related settings) and IDS (detection-related settings) wherever applicable. These are the same settings that are displayed for the policy details in the console. The API can return the settings of all the policies in the policy group, or of a single policy in the policy group. Refer to the examples section for more information. You must obtain the authorization token to use this service.

1.21.2. URL

https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/policy/public/policy_groups/{policyGroupId}/policies/{policyId}/settings

1.21.3. Request Method

GET

1.21.4. Request Header

content-type: application/json
Authorization: <token-type> <access-token>
x-epmp-customer-id: <customer-id>
x-epmp-domain-id: <domain-id>

1.21.5. Response Codes

Code

Description

200

Successful operation.

400

Bad request.

The request body is incorrect.

401

Unauthorized access.

The token is either invalid or expired.

403

Forbidden.

The request was valid and the credentials were successfully authenticated. However, the credentials do not grant permission to access the resource.

404

URL is incorrect.

405

The request method is incorrect.

429

Too many requests.

500

Internal server error if the Symantec service attending to the API calls is down.

1.21.6. Example

Request URL

This will return the settings of ALL the policies present in the policy group with id 'CzYwugVDRUmdWgaEPNi9wA'.

GET https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/policy/public/policy_groups/CzYwugVDRUmdWgaEPNi9wA/policies/all/settings

This will return the settings of the policy with id 'BGf_hGUGT56BHX5op6Swdg' present in the policy group with id 'CzYwugVDRUmdWgaEPNi9wA'.

GET https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/policy/public/policy_groups/CzYwugVDRUmdWgaEPNi9wA/policies/BGf_hGUGT56BHX5op6Swdg/settings

1.22. Create a Google Cloud Platform (GCP) connection

Create a Google Cloud Platform connection.

1.22.1. URL

https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/ui/gcp/adapter_configs/public

1.22.2. Request Method

POST

1.22.3. Request Header

content-type: application/json
Authorization: <token-type> <access-token>
x-epmp-customer-id: <customer-id>
x-epmp-domain-id: <domain-id>

1.22.4. Request Body

{
  "cloud_platform": "GCP",
  "name": "xxxxxxxx",
  "description": "xxxxxxxxxxxx",
  "gcpProperties": {
    "serviceAccountJson": "{}"
  },
  "pollingIntervalHours": 6,
  "pollingIntervalMinutes": 15
}

1.22.5. Response Code

Code

Description

200

GCP cloud connection created successfully.

404

URL is incorrect.

500

Internal server error.

1.22.6. Sample Script

Try the sample Python script from our GitHub location.

1.23. Update a GCP connection

Update an established Google Cloud Platform cloud connection

1.23.1. URL

https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/ui/gcp/adapter_configs/public

1.23.2. Request Method

PUT

1.23.3. Request Header

content-type: application/json
Authorization: <token-type> <access-token>
x-epmp-customer-id: <customer-id>
x-epmp-domain-id: <domain-id>

1.23.4. Request Body

{
  "id":"xxxxxxxxx",
  "cloud_platform": "GCP",
  "name": "xxxxxxxx",
  "description": "xxxxxxxxxxxx",
  "gcpProperties": {
    "serviceAccountJson": “{}”
  },
  "pollingIntervalHours": 6,
  "pollingIntervalMinutes": 15
}

1.23.5. RESPONSE CODE

Code  Description
200   GCP cloud connection updated successfully.
404   URL is incorrect.
500   Internal server error.

1.23.6. Sample Script

Try the sample Python script from our GitHub location.

1.24. Create an Oracle Cloud Infrastructure (OCI) connection

Create an Oracle Cloud Infrastructure connection.

1.24.1. URL

https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/ui/ocp/adapter_configs/public

1.24.2. REQUEST METHOD

POST

1.24.3. REQUEST HEADER

content-type: application/json
Authorization: <token-type> <access-token>
x-epmp-customer-id: <customer-id>
x-epmp-domain-id: <domain-id>

1.24.4. REQUEST BODY

{
  "cloud_platform": "OCI",
  "name": "xxxxxxxxxx",
  "description": "xxxxxxxxx",
  "ocpProperties": {
                 "auditevent_sync": false,
                 "homeRegion": "xxxxxxxxxxxxx",
                 "userId": "ocid1.user.oc1xxxxxxxxxxxxxxxxxxxxxxxx5svgf2xxxxxxxxxxxxxmlfrekjpa",
                 "tenancyId": "ocid1.tenancy.oc1xxxxxxxxxxxxxxxxxrw2ntxxxxxxxxxxxp4jq",
                 "fingerPrint": "xxxxxxxxxxxxxxxxxxxxxxx",
                 "privateRSAKey": "-----BEGIN RSA PRIVATE KEY-----xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx----END RSA PRIVATE KEY-----"
  },
  "pollingIntervalHours": 6,
  "pollingIntervalMinutes": 0
}

1.24.5. RESPONSE CODE

Code  Description
200   OCI cloud connection created successfully.
404   URL is incorrect.
500   Internal server error.

1.24.6. Sample Script

Try the sample Python script from our GitHub location.

1.25. Update an OCI connection

Use this API to update an established Oracle Cloud Infrastructure cloud connection.

1.25.1. URL

https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/ui/ocp/adapter_configs/public

1.25.2. REQUEST METHOD

PUT

1.25.3. REQUEST HEADER

content-type: application/json
Authorization: <token-type> <access-token>
x-epmp-customer-id: <customer-id>
x-epmp-domain-id: <domain-id>

1.25.4. REQUEST BODY

{
  "id":"xxxxxxxxxxxxxx",
  "cloud_platform": "OCI",
  "name": "xxxxxxxxxx",
  "description": "xxxxxxxxx",
  "ocpProperties": {
                 "auditevent_sync": false,
                 "homeRegion": "xxxxxxxxxxxxx",
                 "userId": "ocid1.user.oc1xxxxxxxxxxxxxxxxxxxxxxxx5svgf2xxxxxxxxxxxxxmlfrekjpa",
                 "tenancyId": "ocid1.tenancy.oc1xxxxxxxxxxxxxxxxxrw2ntxxxxxxxxxxxp4jq",
                 "fingerPrint": "xxxxxxxxxxxxxxxxxxxxxxx",
                 "privateRSAKey": "-----BEGIN RSA PRIVATE KEY-----xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx----END RSA PRIVATE KEY-----"
  },
  "pollingIntervalHours": 6,
  "pollingIntervalMinutes": 0
}

1.25.5. RESPONSE CODE

Code  Description
200   OCI cloud connection updated successfully.
404   URL is incorrect.
500   Internal server error.

1.25.6. Sample Script

Try the sample Python script from our GitHub location.

1.26. Create an Azure Cloud connection

Create an Azure Cloud connection.

1.26.1. URL

https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/cpif/cloud_connections

1.26.2. REQUEST METHOD

POST

1.26.3. REQUEST HEADER

content-type: application/json
Authorization: <token-type> <access-token>
x-epmp-customer-id: <customer-id>
x-epmp-domain-id: <domain-id>

1.26.4. REQUEST BODY

{
  "cloud_platform":"AZURE",
  "requires_polling":true,
  "azure_properties":{
               "client_id":"<>",
                "tenant_id":"<>",
                "secret":"<>"
},
"pollingIntervalHours": 6,
"pollingIntervalMinutes": 15
}

1.26.5. REQUEST PARAMETER

No request parameters.

1.26.6. RESPONSE CODE

Code  Description
200   Azure cloud connection created successfully.
404   URL is incorrect.
500   Internal server error.

1.27. Update an Azure Cloud Connection

Update an established Azure Cloud Connection.

1.27.1. URL

https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/cpif/cloud_connections

1.27.2. REQUEST METHOD

PUT

1.27.3. REQUEST HEADER

content-type: application/json
Authorization: <token-type> <access-token>
x-epmp-customer-id: <customer-id>
x-epmp-domain-id: <domain-id>

1.27.4. REQUEST BODY

{
  "Id":"<>",
  "cloud_platform":"AZURE",
  "requires_polling":true,
  "azure_properties":{
               "client_id":"<>",
                "tenant_id":"<>",
                "secret":"<>"
},
"pollingIntervalHours": 6,
"pollingIntervalMinutes": 15
}

1.27.5. REQUEST PARAMETER

No Request parameters.

1.27.6. RESPONSE CODE

Code  Description
200   Azure cloud connection updated successfully.
404   URL is incorrect.
500   Internal server error.
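The connection APIs in sections 1.22 to 1.27 differ only in endpoint, credential sub-object and whether an id is present (POST to create, PUT to update). The helper below is added here and is not part of the Symantec documentation or its sample scripts: it builds the request for any of the three platforms, serialises a GCP service-account key into the JSON string the body expects, and masks credential fields before the body is logged. The polling-interval bounds, the service-account `type` check and the capitalised `Id` key for Azure updates follow the bodies shown above but are assumptions, not documented behaviour.

```python
import json

# Base URL and the per-platform endpoints from sections 1.22 to 1.27.
BASE_URL = "https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1"
ENDPOINTS = {
    "GCP": "/ui/gcp/adapter_configs/public",
    "OCI": "/ui/ocp/adapter_configs/public",
    "AZURE": "/cpif/cloud_connections",
}
# Credential sub-object and id key per platform, as in the request bodies above
# (assumption: the Azure update body uses "Id", the other two use "id").
PROPERTY_KEYS = {"GCP": "gcpProperties", "OCI": "ocpProperties", "AZURE": "azure_properties"}
ID_KEYS = {"GCP": "id", "OCI": "id", "AZURE": "Id"}
# Fields that hold secrets and must never reach a log line.
SECRET_FIELDS = {"serviceAccountJson", "privateRSAKey", "secret", "client_secret"}


def build_connection_request(platform, name, description, properties,
                             hours=6, minutes=15, connection_id=None):
    """Return (method, url, body) for creating (POST) or updating (PUT) a connection.

    connection_id=None means create; passing the connection's id means update.
    """
    platform = platform.upper()
    if platform not in ENDPOINTS:
        raise ValueError("unsupported platform: %s" % platform)
    # Assumed bounds: a non-negative, non-zero interval with minutes in 0..59.
    if hours < 0 or not 0 <= minutes <= 59 or (hours == 0 and minutes == 0):
        raise ValueError("polling interval must be positive with minutes in 0..59")

    props = dict(properties)
    if platform == "GCP":
        # The API takes the service-account key as a JSON *string* inside the body,
        # not as a nested object, so a key loaded as a dict is serialised here.
        sa = props.get("serviceAccountJson")
        if isinstance(sa, dict):
            sa = json.dumps(sa)
        try:
            key_type = json.loads(sa or "null")["type"]
        except (TypeError, KeyError, ValueError):
            key_type = None
        if key_type != "service_account":
            raise ValueError("serviceAccountJson must be a service-account key as JSON")
        props["serviceAccountJson"] = sa

    body = {
        "cloud_platform": platform,
        PROPERTY_KEYS[platform]: props,
        "pollingIntervalHours": hours,
        "pollingIntervalMinutes": minutes,
    }
    if platform == "AZURE":
        body["requires_polling"] = True
    else:
        body["name"] = name
        body["description"] = description
    method = "POST"
    if connection_id is not None:
        body[ID_KEYS[platform]] = connection_id
        method = "PUT"
    return method, BASE_URL + ENDPOINTS[platform], body


def redact(body):
    """Deep copy of a request body with every credential field replaced by '***'."""
    def mask(obj):
        if isinstance(obj, dict):
            return {k: ("***" if k in SECRET_FIELDS else mask(v)) for k, v in obj.items()}
        return obj
    return mask(body)
```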

1.28. Upload Distributor package

Use this API to create a Distributor package from the agent installation packages for the various platform versions. You provide a package name and an S3 bucket location. The API builds the Distributor package from the agent packages and a manifest file, and uploads it to the S3 bucket. The package is then listed on the AWS Systems Manager console under Distributor.

This API does the following:

  • Gets the agent packages for various OS versions from the Cloud Workload Protection console

  • Deletes the agent package if a package of the same version already exists in the SSM Distributor.

  • Uploads different agent packages to S3 buckets in the format required for the SSM Distributor.

  • Publishes the package using the Distributor APIs.

More details about the workflow are here.

1.28.1. URL

https://scwp.securitycloud.symantec.com//dcs-service/dcscloud/v1/manage-agent/ssmpackage/upload

1.28.2. REQUEST METHOD

POST

1.28.3. REQUEST HEADER

content-type: application/json
Authorization: <token-type> <access-token>
x-epmp-customer-id: <customer-id>
x-epmp-domain-id: <domain-id>

1.28.4. REQUEST BODY

  • Without proxy

    {
      "bucketName": "Bucket Name",
      "packageName": "Package Name",
      "connectionId": "KxxxxxxxxxxxxxxxxxxxxQ",
      "rebootInstances": "true",
      "uploadAmazonLinux2": "true",
      "comments": "Description of package",
      "proxyDetails": {}
    }
  • With proxy

    {
      "bucketName": "Bucket Name",
      "packageName": "Package Name",
      "connectionId": "KxxxxxxxxxxxxxxxxxxxxQ",
      "rebootInstances": "true",
      "uploadAmazonLinux2": "true",
      "comments": "Description of package",
      "proxyDetails": {
        "proxy_server": "1xx.xx.2xx.1xx",
        "proxy_port": "xxxx",
        "proxy_username": "User name",
        "proxy_password": "Password",
        "proxy_protocol": "http or https"
      }
    }

The parameters are described below:

  • packageName: You can upload multiple packages by giving each one a package name at upload time. Package names cannot contain special characters or spaces, and can be a maximum of 128 characters.

  • rebootInstances: The instance reboots when this package is installed.

  • uploadAmazonLinux2: Set to true to bundle the Amazon Linux 2 agent package instead of the Amazon Linux 1 package. The default is false, which means that the Amazon Linux 1 package is bundled.

  • comments: Optional. Comments are limited to 255 characters.

1.28.5. RESPONSE BODY

{"jobId":"12345","packageName":"CWPPackage","packageVersion":"1.0.0"}

1.29. Install/Remove Distributor package

Install or remove the Distributor packages that you uploaded to the AWS SSM Distributor using the Upload package API. The Distributor package is installed on a set of AWS instances based on the instance IDs or the instance tags. To remove an existing agent from the instances, make sure that the instances are in active state and that SSM Distributor was used to install the agent on the instances.

1.29.1. URL

Install

https://scwp.securitycloud.symantec.com//dcs-service/dcscloud/v1/manage-agent/ssmpackage/install

Remove

https://scwp.securitycloud.symantec.com//dcs-service/dcscloud/v1/manage-agent/ssmpackage/remove

More details about the workflow are here.

1.29.2. REQUEST METHOD

POST

1.29.3. REQUEST HEADER

content-type: application/json
Authorization: <token-type> <access-token>
x-epmp-customer-id: <customer-id>
x-epmp-domain-id: <domain-id>

1.29.4. REQUEST BODY

  • With instance ID

    {
      "bucketName": "Bucket Name",
      "packageName": "Package Name",
      "connectionId": "KxxxxxxxxxxxxxxxxxxxxQ",
      "region": "us-east-1",
      "instanceIds": [
        "i-xxxxxxxxxxxxxxxxf"
      ],
      "packageVersion": "1.0.0",
      "tags": []
    }
  • With tags

    {
      "bucketName": "Bucket Name",
      "connectionId": "KxxxxxxxxxxxxxxxxxxxxQ",
      "region": "us-east-1",
      "instanceIds": [],
      "packageVersion": "1.0.0",
      "tags": [
        {"name": "Department", "value": "Finance"},
        {"name": "Environment", "value": "Prod"}
      ]
    }

1.29.5. RESPONSE BODY

{
  "bucketName": "Bucket Name",
  "packageName": "Package Name",
  "connectionId": "KxxxxxxxxxxxxxxxxxxxxQ",
  "region": "us-east-1",
  "instanceIds": [],
  "packageVersion": "1.0.0",
  "tags": {
    "Department": "Finance",
    "Environment ": "Prod"
  }
}
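The upload (1.28) and install/remove (1.29) bodies carry limits that the service enforces only after the request is sent. The helpers below, added here and not part of the Symantec documentation, build both bodies and reject a packageName with spaces or special characters or longer than 128 characters, comments over 255 characters, an incomplete proxyDetails block, and an install request that targets both instanceIds and tags. The allowed name characters (letters, digits, '-' and '_') and the EC2 instance-id pattern are assumptions, since the page does not list them.

```python
import re

# Assumed name rule: the page says no spaces or special characters, at most 128 chars.
PACKAGE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,128}$")
# Assumed EC2 instance id shape: "i-" plus 8 or 17 hex digits.
INSTANCE_ID_RE = re.compile(r"^i-(?:[0-9a-f]{8}|[0-9a-f]{17})$")
COMMENTS_MAX = 255


def validate_upload_body(body):
    """Check a 1.28 upload body against the documented limits; return it unchanged."""
    if not PACKAGE_NAME_RE.match(body.get("packageName", "")):
        raise ValueError("packageName: 1-128 characters, no spaces or special characters")
    if len(body.get("comments", "")) > COMMENTS_MAX:
        raise ValueError("comments: at most %d characters" % COMMENTS_MAX)
    for key in ("bucketName", "connectionId"):
        if not body.get(key):
            raise ValueError("%s is required" % key)
    proxy = body.get("proxyDetails") or {}
    if proxy:
        missing = {"proxy_server", "proxy_port", "proxy_protocol"} - set(proxy)
        if missing:
            raise ValueError("proxyDetails is missing %s" % sorted(missing))
        if proxy["proxy_protocol"] not in ("http", "https"):
            raise ValueError("proxy_protocol must be http or https")
    return body


def build_upload_body(bucket, package, connection_id, comments="", reboot=False,
                      amazon_linux2=False, proxy=None):
    """Build the 1.28 body; the booleans are sent as the strings the sample bodies show."""
    body = {
        "bucketName": bucket,
        "packageName": package,
        "connectionId": connection_id,
        "rebootInstances": "true" if reboot else "false",
        "uploadAmazonLinux2": "true" if amazon_linux2 else "false",
        "comments": comments,
        "proxyDetails": dict(proxy or {}),
    }
    return validate_upload_body(body)


def build_install_body(bucket, connection_id, region, version,
                       instance_ids=(), tags=None, package=None):
    """Build a 1.29 install/remove body that targets instance ids or tags, never both."""
    tags = dict(tags or {})
    instance_ids = list(instance_ids)
    if bool(instance_ids) == bool(tags):
        raise ValueError("target exactly one of instanceIds or tags")
    bad = [i for i in instance_ids if not INSTANCE_ID_RE.match(i)]
    if bad:
        raise ValueError("malformed EC2 instance ids: %s" % bad)
    body = {
        "bucketName": bucket,
        "connectionId": connection_id,
        "region": region,
        "instanceIds": instance_ids,
        "packageVersion": version,
        # Tags go out as a list of {"name", "value"} objects; values are trimmed so a
        # stray space cannot silently select nothing.
        "tags": [{"name": k, "value": v.strip()} for k, v in sorted(tags.items())],
    }
    if package:
        body["packageName"] = package
    return body
```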

1.30. Get Upload/Install/Remove job status

Get the job status for the jobs that are triggered for uploading the agent installation package to the SSM Distributor.

1.30.1. URL

https://scwp.securitycloud.symantec.com//dcs-service/dcscloud/v1/manage-agent/ssmpackage/upload/{jobId}/status

1.30.2. REQUEST METHOD

GET

1.30.3. REQUEST HEADER

Authorization: <token-type> <access-token>
x-epmp-customer-id: <customer-id>
x-epmp-domain-id: <domain-id>

1.30.4. RESPONSE BODY

{
  "jobParameter": {
    "amazonlinux": "SUCCESS",
    "ubuntu18": "SUCCESS",
    "ubuntu16": "SUCCESS",
    "windows": "SUCCESS",
    "centos6": "SUCCESS",
    "rhel7": "SUCCESS",
    "centos7": "SUCCESS",
    "ubuntu14": "SUCCESS",
    "rhel6": "SUCCESS"
  },
  "failureReason": "",
  "comments": "Description of package",
  "bucketName": "Bucket Name",
  "bucketLocation": "us-east-1",
  "connectionId": "KxxxxxxxxxxxxxxxxxxxxQ",
  "connectionName": "V3uBOHku7M",
  "proxy_server": "1xx.xx.2xx.1xx",
  "proxy_port": "xxxx",
  "proxy_username": "User name",
  "proxy_password": "Password",
  "proxy_protocol": "http or https",
  "packageName": "Package Name",
  "packageVersion": "1.0.0",
  "uploadAmazonLinux2": false,
  "rebootInstances": false,
  "supportedOS": {
    "amazon": [
      "2018.03",
      "2017.09.01",
      "2017.12"
    ],
    "ubuntu": [
      "14.04",
      "16.04",
      "18.04"
    ],
    "windows": [
      "_any"
    ],
    "redhat": [
      "6.8",
      "6.9",
      "7.2",
      "7.3",
      "7.4",
      "6.10",
      "7.5",
      "6.7",
      "7.6"
    ],
    "centos": [
      "6.8",
      "6.9",
      "7",
      "7.0",
      "7.1",
      "7.2",
      "7.3",
      "7.4",
      "6.10",
      "7.5",
      "6.7"
    ]
  }
}

1.31. Get Install/Remove job status

Get the status of the jobs that install or uninstall the agent package.

1.31.1. URL

  • Install job status

    https://scwp.securitycloud.symantec.com//dcs-service/dcscloud/v1/manage-agent/ssmpackage/install/{jobId}/status
  • Uninstall job status

    https://scwp.securitycloud.symantec.com//dcs-service/dcscloud/v1/manage-agent/ssmpackage/uninstall/{jobId}/status

1.31.2. REQUEST METHOD

GET

1.31.3. REQUEST HEADER

Authorization: <token-type> <access-token>
x-epmp-customer-id: <customer-id>
x-epmp-domain-id: <domain-id>

1.31.4. RESPONSE BODY

  • With instance IDs

    {
      "jobParameterInstances": {
        "i-xxxxxxxxxxxxxxxxd": "S3 logs link",
        "i-xxxxxxxxxxxxxxxxf": "S3 logs link"
      },
      "jobParameterTags": null,
      "failureReason": "",
      "bucketName": "Bucket Name",
      "bucketLocation": "us-east-1",
      "connectionId": "KxxxxxxxxxxxxxxxxxxxxQ",
      "connectionName": "Connection Name",
      "commandId": "2574e1cf-05fb-458c-bf4e-83a48750f65b",
      "packageName": "Package Name"
    }
  • With tags

    {
      "jobParameterInstances": null,
      "jobParameterTags": {
        "Name": "{\"tagValue\":\" Tag Value\",\"tagName\":\"Name\",\"logLocation\":\"S3 logs link\"}"
      },
      "failureReason": "",
      "bucketName": "Bucket Name",
      "bucketLocation": "us-east-1",
      "connectionId": "KxxxxxxxxxxxxxxxxxxxxQ",
      "connectionName": "CWP AWS Connectionh",
      "commandId": "2574e1cf-05fb-458c-bf4e-83a48750f65b",
      "packageName": "Package Name",
      "packageVersion": "1.0.0"
    }
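Two details of the status responses in 1.30 and 1.31 are easy to get wrong when automating: the per-platform result in jobParameter must be checked value by value, and each jobParameterTags entry is a JSON document stored inside a string, so it needs a second decode. The code below is added here and is not part of the Symantec documentation; the sample responses are constructed in the shape shown above (with one platform marked FAILED and one undecodable tag entry to exercise the failure paths), and the "FAILED" value and the absence of any other status field are assumptions.

```python
import json

# Constructed samples in the shape of the 1.30 and 1.31 responses (not captured from a tenant).
SAMPLE_UPLOAD_STATUS = {
    "jobParameter": {"amazonlinux": "SUCCESS", "ubuntu18": "SUCCESS",
                     "centos6": "FAILED", "windows": "SUCCESS"},
    "failureReason": "",
    "packageName": "CWPPackage",
    "packageVersion": "1.0.0",
}
SAMPLE_INSTALL_STATUS = {
    "jobParameterInstances": None,
    "jobParameterTags": {
        "Name": "{\"tagValue\":\" Tag Value\",\"tagName\":\"Name\",\"logLocation\":\"S3 logs link\"}",
        "Environment": "not json",   # constructed: a value the service did not encode
    },
    "failureReason": "",
    "commandId": "2574e1cf-05fb-458c-bf4e-83a48750f65b",
    "packageName": "CWPPackage",
}


def failed_platforms(upload_status):
    """Platforms whose agent package upload did not report SUCCESS (empty if all did)."""
    params = upload_status.get("jobParameter") or {}
    return sorted(os_name for os_name, state in params.items() if state != "SUCCESS")


def decode_tag_results(install_status):
    """Decode jobParameterTags, whose values are JSON objects carried inside strings."""
    decoded = {}
    for tag_name, encoded in (install_status.get("jobParameterTags") or {}).items():
        try:
            entry = json.loads(encoded)
            if not isinstance(entry, dict):
                raise ValueError("not a JSON object")
        except (TypeError, ValueError):
            # Keep the raw text so a malformed entry is visible, not silently dropped.
            entry = {"tagName": tag_name, "raw": encoded, "parseError": True}
        if isinstance(entry.get("tagValue"), str):
            entry["tagValue"] = entry["tagValue"].strip()  # sample shows a stray leading space
        decoded[tag_name] = entry
    return decoded


def job_targets(install_status):
    """Map each target (instance id or tag name) to the S3 log link for the job."""
    targets = {}
    for instance_id, log_link in (install_status.get("jobParameterInstances") or {}).items():
        targets["instance:" + instance_id] = log_link
    for tag_name, entry in decode_tag_results(install_status).items():
        targets["tag:" + tag_name] = entry.get("logLocation")
    return targets


def job_failed(status):
    """True when the service gave a failureReason or any platform upload did not succeed."""
    return bool(status.get("failureReason")) or bool(failed_platforms(status))
```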

1.32. Export subscription usage

Export the Cloud Workload Protection subscription usage.

1.32.1. URL

https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/metering/{usageType}/{domain}/?month_type={month_type}

1.32.2. REQUEST METHOD

GET

1.32.3. REQUEST HEADER

Authorization: <token-type> <access-token>
x-epmp-customer-id: <customer-id>
x-epmp-domain-id: <domain-id>
content-type: application/json

1.32.4. RESPONSE CODE

Code  Description
200   Successful operation

1.32.5. Example

Refer to the sample script here.

1.33. Clone Policy Group

API to clone a policy group from an existing policy group, and rename it.

1.33.1. URL

https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/policy/policy_groups/{SourcepolicygroupId}/clone

Enter the "SourcepolicygroupId" that you want to clone.

1.33.2. Request Method

POST

1.33.3. Request Header

content-type: application/json
Authorization: <token-type> <access-token>
x-epmp-customer-id: <customer-id>
x-epmp-domain-id: <domain-id>

1.33.4. Request Body

{ "name": "Name of clone policy", "author": "Author name" }

1.33.5. Response Header

content-type: application/json

1.33.6. Response Code

Code  Description
200   Successful operation

1.33.7. Example

If you want to clone the policy group with id 'Eo0xeF9gQXCqXDs8dgyoeQ', invoke the following API:

Request Type : POST

Request header:

Content-Type: application/json
x-epmp-customer-id: l86Kf3XhRZaye1fuVM93AQ
x-epmp-domain-id: QDp2a-XMSR2KTp4c_cFXTA
Cache-Control: no-cache
Authorization: <token-type> <access-token>

Request body :

{ "name": "Clone-pg-test-api12", "author": "john"}

2. Cloud Workload Protection Incident Response Use Cases

2.1. Viewing the critical alerts that were raised in the last X hours or days

Alerts of different severities are generated based on the defined alert rules. Use the Cloud Workload Protection Alerts service to get a list of all the alerts. You can apply filters to get alerts of a given severity in a given time interval.

Procedure

Perform the following steps to get a list of critical alerts that were raised in a specific time interval.

Step

Task

Step 1

Establish a connection by using authorization service and get authorization token.

Step 2

Fetch the alerts by using the alerts service.

Step 3

Apply the required filters:

  • Time-based filter: You can specify the time interval by setting the startDate and endDate parameters in the request. The date parameters must be in UTC. Example of a time-based filter:

    {
     "eventTypeToQuery": 16,
     "pageSize": 10,
     "pageNumber": 0,
     "order": "DESCENDING",
     "startDate": "2017-10-17T18:30:00.000Z",
     "endDate": "2017-10-25T18:29:59.999Z",
     "searchFilter": {},
     "additionalFilters": "(type_id = 16 && events.type_class is_not null)"
    }

  • Severity-based filter: Critical alerts can be filtered by setting the eventSeverities parameter to [3], as shown in the following example:

    {
    "eventTypeToQuery": 16,
    "pageSize": 10,
    "pageNumber": 0,
    "order": "DESCENDING",
    "eventSeverities": [3],
    "startDate": "2017-10-17T18:30:00.000Z",
    "endDate": "2017-10-25T18:29:59.999Z",
    "searchFilter": {},
    "additionalFilters": "(type_id = 16 && events.type_class is_not null)"
    }
    

Example

The following is an example of how you can get a list of the critical alerts that were raised in a specific time interval.

Request URL

https://scwp.securitycloud.symantec.com/dcs-service/sccs/v1/events/search

Request Method

POST

Request Headers

content-type: application/json
Authorization: <token-type> <access-token>
x-epmp-customer-id: <customer-id>
x-epmp-domain-id: <domain-id>

Request Body

{
"eventTypeToQuery": 16,
"pageSize": 10,
"pageNumber": 0,
"order": "DESCENDING",
"eventSeverities": [3],
"startDate": "2017-10-17T18:30:00.000Z",
"endDate": "2017-10-25T18:29:59.999Z",
"searchFilter": {},
"additionalFilters": "(type_id = 16 && events.type_class is_not null)"
}

Response

[{
"customer_uid":"<customer-id>","domain_uid": "<domain-id>",
"rule_id": "27cd1ca0-bc09-11e6-c686-0000000006a9",
"rule_name": "Unsecured Instances Detected",
"rule_type": "one_event_rule",
"description": "Instance is unprotected  for  more than 1 hour.",
"log_name": "epmp_events-2017-10-24/16",
"type_id": 16,  "timezone": 0,
"severity_id": 3,
"time": "2017-10-24T15:02:22.649Z",
"end_time": "2017-10-24T15:02:22.649Z",
"message": "An event has occurred that needs your attention",
"uuid": "16:56c21a90-b8cc-11e7-d59a-00000041bb0b",
"log_time": "2017-10-24T15:02:22.649Z",
"device_ip": "<device-ip>","device_name":"<device-name>",
"device_end_time": "2017-10-24T15:02:22.649Z",
"composite": 1,  "id": 0, "notify": [],
"events": [{"customer_uid": "<customer-id>",
"data": {"eventID": "0402c726-b6d1-4016-b11e-d1a82a3ed9c2",
"user_info": {
"invokedBy": "dcs.cloud.event.monitoring.service" },
"requestID": "8ff42727-d34e-4ae8-9094-5de3b7636007",
"eventVersion": "1.0",
"eventSource": "dcs.cloud.event.monitoring.service",
"recipientAccountId": "NA",
"description": "Unprotected Instance",
"userAgent": "dcs.cloud.event.monitoring.service",
"eventType": "InstanceProtectionTimeout"},
"type_id": 6000,  "type_class": "MONITORING",
"timezone": 0,	"system_state": "NA",
"message": "Agent is not yet installed on Instance i-09331f4788a6d0051",
"type": "1008","priority": "0","version": "1.0",
"product_name": "Symantec Cloud Workload Protection",
"uuid": "6000:56c1f380-b8cc-11e7-c12f-00000041bb0a",
"log_time": "2017-10-24T15:02:22.648Z",
"disposition": "NA", "category_id": 1,  "severity_id": 5,
"user_info": { "user_name": "dcs-cloud-admin" }, 	"domain_uid": "<domain-id>",
"time": "2017-10-24T15:02:22.648Z",
"product_uid": "F979E61C-A412-4A58-8879-B83E25B7327F",
"type_description": "Instance Protection Time Out",
"source_asset": {"source_vpc": "vpc-ec15e68b", 	"source_autoscaling_group": "SG",
"instanceState":"Running","agentInstalled":"Not_Installed",
"policyAppliedStatus": "NOTAPPLIED",
"source_subnet": "<subnet-id>",
"source_region": "us-east-1",
"source_id": "hIuV8mUqQ32vr0HZQ16MIw",
"source_cloud_platform": "AWS",
"source_name": "i-09331f4788a6d0051",
"tags": [{ "name": "CreatorName","value": "symc-prod"},
     {"name": "ApplicationRole","value": "compute"} ] },
     "type_code": "InstanceProtectionTimeOut"  }  ],
    	"device_time": "2017-10-24T15:02:22.649Z"
}]

2.1.1. Sample scripts

You can also fetch the alerts by using the following Python scripts. Create the files as described below and make sure that all the files are in the same folder.

  • Create a configuration file as ScwpGetAlertsConfig.ini with the following content and update the credentials section. Get the credentials from the Settings > API Keys page of the Cloud Workload Protection portal.

    #ScwpGetAlertsConfig.ini
    #You can get the following details from the 'Settings' page of the portal
    [Credentials]
    CUSTOMER_ID = SEJx##############A8YCxAg
    DOMAIN_ID = Dqd####################w
    CLIENT_ID = O2########################b74d2d0qfan5j91g5
    CLIENT_SECRET = 1n#####################6g8j4s7
    #You can provide the following details to filter the alerts based on rule name and time interval
    [Alerts]
    GetAlertsFromDays = 90
    AlertProfileRuleName=MalwareDetection
  • Create a file as ScwpGetAlertsStatus.status with the following code. This is an intermediate file that is used while fetching alerts. Data stored in this file will be used to optimize the interval for which alerts are fetched.

    #ScwpGetAlertsStatus.status
    [ScwpGetAlertsDates]
    startdate =
  • Create a Python script as ScwpGetAlerts.py with the following code. Run the script to fetch alerts based on the above configuration parameters.

    #ScwpGetAlerts.py
    #!/usr/bin/env python
    #
    # Copyright 2017 Symantec Corporation. All rights reserved.
    #
    import json
    import requests
    try:
        import configparser                  # Python 3
    except ImportError:
        import ConfigParser as configparser  # Python 2
    import os
    from datetime import datetime, timedelta
    import time
    import sys

    CUSTOMER_ID = 'CUSTOMER_ID'
    DOMAIN_ID = 'DOMAIN_ID'
    CLIENT_ID = 'CLIENT_ID'
    CLIENT_SECRET = 'CLIENT_SECRET'
    PAGE_SIZE = 100
    RETRY_COUNT = 3
    CONFIG_INI = os.path.join('./', 'ScwpGetAlertsConfig.ini')
    STATUS_INI = os.path.join('./', 'ScwpGetAlertsStatus.status')
    STATUS_DATES_SECTION = 'ScwpGetAlertsDates'
    CONFIG_CREDS_SECTION = 'Credentials'
    CONFIG_ALERTS_SECTION = 'Alerts'
    START_DATE = 'startDate'
    ALERT_TYPE_FILTER = 'AlertTypeFilter'
    GET_ALERTS_FROM_DAYS = 'GetAlertsFromDays'
    SEARCH_FILTER = 'SearchFilter'
    ALERT_PROFILE_RULE = 'AlertProfileRuleName'
    scwpAuthUrl = 'https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/oauth/tokens'
    getScwpAlertsUrl = 'https://scwp.securitycloud.symantec.com/dcs-service/sccs/v1/events/search'
    authHeaders = {'Content-type': 'application/json'}
    authRequest = {}
    alertDatetime = ''
    getScwpAlertsRequest = {'eventTypeToQuery': 16, 'pageSize': PAGE_SIZE, 'searchFilter': {}}

    def updateStatusIniFile():
        # Persist the time of the last alert printed so the next run resumes from it.
        config = configparser.RawConfigParser()
        config.add_section(STATUS_DATES_SECTION)
        config.set(STATUS_DATES_SECTION, START_DATE, alertDatetime)
        with open(STATUS_INI, 'w') as configfile:
            config.write(configfile)

    def authenticate():
        # Exchange the client credentials for a bearer token (valid for 60 minutes),
        # backing off and retrying on a non-200 response.
        for retry in range(RETRY_COUNT):
            authRequestJson = json.dumps(authRequest)
            authResponse = requests.post(scwpAuthUrl, data=authRequestJson, headers=authHeaders)
            if authResponse.status_code != requests.codes.ok:
                if retry >= RETRY_COUNT - 1:
                    authResponse.raise_for_status()
                time.sleep(retry * 60)
                continue
            else:
                break
        accessToken = authResponse.json()['access_token']
        authHeaders['Authorization'] = 'Bearer ' + accessToken

    try:
        # RawConfigParser does no '%' interpolation, so a secret containing '%' is read as-is.
        Config = configparser.RawConfigParser()
        Config.read(CONFIG_INI)
        customerId = Config.get(CONFIG_CREDS_SECTION, CUSTOMER_ID)
        domainId = Config.get(CONFIG_CREDS_SECTION, DOMAIN_ID)
        clientId = Config.get(CONFIG_CREDS_SECTION, CLIENT_ID)
        clientSecret = Config.get(CONFIG_CREDS_SECTION, CLIENT_SECRET)
        alertProfileRuleName = Config.get(CONFIG_ALERTS_SECTION, ALERT_PROFILE_RULE)

        authHeaders['x-epmp-customer-id'] = customerId
        authHeaders['x-epmp-domain-id'] = domainId
        authRequest['client_id'] = clientId
        authRequest['client_secret'] = clientSecret
        statusIni = configparser.RawConfigParser()
        statusIni.read(STATUS_INI)
        startDate = statusIni.get(STATUS_DATES_SECTION, START_DATE)
        getAlertsFromDays = Config.getint(CONFIG_ALERTS_SECTION, GET_ALERTS_FROM_DAYS)
        if (startDate is None) or (startDate == ""):
            # First run: look back GetAlertsFromDays days.
            startDate = (datetime.today() - timedelta(days=getAlertsFromDays)).isoformat()
        else:
            # Later runs: resume 1 ms after the last alert already fetched.
            if startDate.endswith('Z'):
                startDate = (datetime.strptime(startDate, '%Y-%m-%dT%H:%M:%S.%fZ') + timedelta(milliseconds=1)).isoformat()
            else:
                startDate = (datetime.strptime(startDate, '%Y-%m-%dT%H:%M:%S.%f') + timedelta(milliseconds=1)).isoformat()
        alertTypeFilter = '(rule_name like "' + alertProfileRuleName + '") && (type_id = 16 && events.type_class is_not null)'

        getScwpAlertsRequest['startDate'] = startDate
        getScwpAlertsRequest['endDate'] = datetime.now().isoformat()
        getScwpAlertsRequest['additionalFilters'] = alertTypeFilter
        alertDatetime = startDate
        pageNumber = 0
        while True:
            getScwpAlertsRequest['pageNumber'] = pageNumber
            getScwpAlertsRequestJson = json.dumps(getScwpAlertsRequest)
            scwpAlertsResponse = requests.post(getScwpAlertsUrl, data=getScwpAlertsRequestJson, headers=authHeaders)
            if scwpAlertsResponse.status_code == 401:
                # No token yet, or the token expired: authenticate and repeat the request.
                authenticate()
                scwpAlertsResponse = requests.post(getScwpAlertsUrl, data=getScwpAlertsRequestJson, headers=authHeaders)

            if scwpAlertsResponse.status_code != requests.codes.ok:
                scwpAlertsResponse.raise_for_status()
            scwpAlertsJson = scwpAlertsResponse.json()
            scwpAlerts = scwpAlertsJson
            totalScwpAlerts = len(scwpAlertsJson)

            if totalScwpAlerts == 0:
                break
            for scwpAlert in scwpAlerts:
                print(json.dumps(scwpAlert))
                print('\n')
                sys.stdout.flush()
                alertDatetime = scwpAlert['time']

            pageNumber += 1
    except:
        raise
    finally:
        updateStatusIniFile()

2.2. Applying policy group on instances

If any instance has the agent installed, but does not have any policy group, apply the default policy group that has the best ranking.

To apply a policy group on an instance, you will need ID of that policy group. You can fetch policy group details using the Get policy group basic details service.

You can then apply the required policy group using the Apply policy group on an instance service.

Procedure

Perform the following steps to apply a policy group on an instance.

Step

Task

Step 1

Establish a connection using authorization service and get authorization token.

Step 2

You can use the Get policy group basic details service to fetch the details of available policy groups. This is an optional step. Perform this step only if you do not have the ID of the policy group.

The following is a sample response from the Get policy group basic details service. You can use the "id" field of the policy group that you want to apply.

{
  "count": 1,
  "results": [
    {
      "number_of_policies": 0,
      "number_of_instances": 0,
      "associated_policies": [
        {
          "name": "Apache Policy", "revision": 0,
          "id": "DlVi8gm-TwS-09sn7hl8Dg",
          "uri": "/v1/mdr/policies/DlVi8gm-TwS-09sn7hl8Dg",
          "platform": "unix",
          "version": { "major_ver": 1, "minor_ver": 0,
            "serial": "0"},
          "is_template": false,"template_type": "cwp",
          "capabilities": "ips,ids", "is_latest": false,
          "obj_classes": ["policy","dcs_policy"]
        }
      ],
      "name": "Apache-tomcat-Protection",
      "description": "", "mode": "PRODUCTION",
      "id": "wf1HCzT3S3KWwOJjml8oOA",
      "policy_rules": [], "upgradable": false,
      "enabled_capabilities": ["ids"]
    }
  ]
}

Step 3

You can use Fetch assets service to fetch the details of available instances. This is an optional step. Perform this step only if you do not have the ID of the instance on which you want to apply the policy group.

The following is a sample response from the Fetch assets service. You can use the "id" field of the instance.

[{
    "id": "--7OJt6ZSBSc-qGh1YgSGw",
    "name": "Instance_large_1",
    "policy_applied": "NOTAPPLIED",
    "ip_addresses": [],
    "instance_id": "i-0c99e1cf12345ce11",
    "cloud_platform": "AWS",
    "instance_state": "Running",
    "instance_type": "r4.8xlarge",
    "availability_zone": "<zone-id>",
    "machine_image_id": "ami-f23967e5",
    "public_dns": "",
    "private_dns": "ip-address.ec2.internal",
    "private_ips": ["<ip_address>"],"elastic_ips": [],
    "subnet_id": "<subnet-id>",
    "attachment_ids": [],
    "association_ids": [],
    "launch_time": "2017-09-22T01:28:00.000Z",
    "vpc_id": "<vpc-id>",
    "auto_scaling_group_name": "AG-1",
    "firewall_groups": ["FG-1"],
    "region": "us-east-1", "updated": false,
    "deleted": false, "agent_installed": "Not_Installed",
    "created": "2017-10-25T14:00:54.991Z",
    "modified": "2017-10-25T14:07:40.010Z",
    "shutdown_behavior": "stop","reconciled": true,
    "obj_classes": ["device","dcs_device"],
    "platform": ""
  }]

Step 4

You can now apply a given policy group by using the Apply policy group on an instance service.

For example, the following request URL applies the policy group (ID = wf1HCzT3S3KWwOJjml8oOA) to the instance (ID = --7OJt6ZSBSc-qGh1YgSGw):

https://scwp.securitycloud.symantec.com/dcscloud/v1/policy/assets/--7OJt6ZSBSc-qGh1YgSGw/policy_groups/wf1HCzT3S3KWwOJjml8oOA

Example

The following example shows how you can apply a policy group on an instance.

Request URL

https://scwp.securitycloud.symantec.com/dcscloud/v1/policy/assets
/--7OJt6ZSBSc-qGh1YgSGw/policy_groups/wf1HCzT3S3KWwOJjml8oOA

Request Method

PUT

Request Headers

content-type: application/json
Authorization: <token-type> <access-token>
x-epmp-customer-id: <customer-id>
x-epmp-domain-id: <domain-id>

Response

HTTP status code: 200
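The four steps above reduce to: find the policy group id, find the instances that have the agent but no policy group, and issue one PUT per instance. The code below is added here and is not part of the Symantec documentation; it works on responses shaped like the Step 2 and Step 3 samples, which are embedded as constructed data (the second asset and its "Installed" value for agent_installed are assumptions, as is selecting the policy group by name, since the responses above carry no ranking field).

```python
from urllib.parse import quote

# URL prefix exactly as given in the 2.2 example above.
POLICY_BASE_URL = "https://scwp.securitycloud.symantec.com/dcscloud/v1/policy/assets"

# Constructed samples in the shape of the Step 2 and Step 3 responses (trimmed to the
# fields used here). The second asset is invented to show an instance that qualifies.
POLICY_GROUPS = {"count": 1, "results": [
    {"id": "wf1HCzT3S3KWwOJjml8oOA", "name": "Apache-tomcat-Protection",
     "mode": "PRODUCTION", "enabled_capabilities": ["ids"]},
]}
ASSETS = [
    {"id": "--7OJt6ZSBSc-qGh1YgSGw", "instance_id": "i-0c99e1cf12345ce11", "deleted": False,
     "policy_applied": "NOTAPPLIED", "agent_installed": "Not_Installed",
     "instance_state": "Running"},
    {"id": "Qm9vZ3VzSWRGb3JUZXN0MQ", "instance_id": "i-0123456789abcdef0", "deleted": False,
     "policy_applied": "NOTAPPLIED", "agent_installed": "Installed",   # assumed value
     "instance_state": "Running"},
]


def find_policy_group_id(groups_response, name):
    """Id of the policy group called `name`; fail loudly on zero or several matches."""
    matches = [g["id"] for g in groups_response.get("results", []) if g.get("name") == name]
    if len(matches) != 1:
        raise LookupError("expected one policy group named %r, found %d" % (name, len(matches)))
    return matches[0]


def instances_needing_policy(assets):
    """Asset ids with the agent installed but no policy group applied (the 2.2 condition)."""
    return [a["id"] for a in assets
            if a.get("agent_installed") == "Installed"
            and a.get("policy_applied") == "NOTAPPLIED"
            and not a.get("deleted")]


def apply_policy_group_url(asset_id, policy_group_id):
    """PUT URL that applies the policy group to the instance; ids are percent-encoded."""
    return "%s/%s/policy_groups/%s" % (
        POLICY_BASE_URL, quote(asset_id, safe=""), quote(policy_group_id, safe=""))


def plan_policy_application(groups_response, assets, group_name):
    """(method, url) pairs to issue, one per qualifying instance; empty when none qualify."""
    group_id = find_policy_group_id(groups_response, group_name)
    return [("PUT", apply_policy_group_url(a, group_id)) for a in instances_needing_policy(assets)]
```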

2.3. Running an Anti-Malware scan and quarantining the infected files

You can use the Cloud Workload Protection Anti-Malware scan service to scan the instances and quarantine all the infected files. You can either run an on-demand scan or schedule a scan. The following example explains how you can run the on-demand scan on multiple, specific instances and quarantine any infected files.

Procedure

Perform the following steps to run an on-demand Anti-Malware scan on specific instances.

Step

Task

Step 1

Establish a connection by using authorization service and get authorization token.

Step 2

Specify the instances IDs and scan type.

The following example shows how you can start an on-demand Anti-Malware scan on the specified instance:

{
  "instanceIds": ["i-09331f4788a6d0051"],
  "recurringJobDetails": {
    "recurringJobType": "MANUAL"
  }
}

The following example shows how you can schedule an Anti-Malware scan on multiple instances. The scan is scheduled to run at 01:00 hours every day for the period specified by startTime and endTime.

{
  "instanceIds": [
    "i-09331f4788a6d0051",
    "i-09331f4788a6d0052"
  ],
  "recurringJobDetails": {
    "recurringJobType": "DAILY",
    "hour": 1,
    "minute": 0,
    "second": 0,
    "startTime": "2017-09-07 00:00:00",
    "endTime": "2017-09-30 23:59:00"
  }
}

The fields and the scheduling options are explained in the following topic:

Example

The following is an end-to-end example of how you can start an on-demand Anti-Malware scan on a specific instance.

Request URL

https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/agents/av/scan

Request Method

POST

Request Headers

content-type: application/json
Authorization: <token-type> <access-token>
x-epmp-customer-id: <customer-id>
x-epmp-domain-id: <domain-id>

Request Body

{
  "instanceIds": [
    "i-09331f4788a6d0051"
  ],
  " recurringJobDetails": {
    "recurringJobType": "MANUAL"
  }
}

Response

HTTP status code: 200

3. Cloud Workload Protection for Storage Public API

3.1. Fetch buckets service

API for getting a list of all AWS S3 buckets in the cloud infrastructure.

3.1.1. Overview

This service lets you get a list of all available AWS S3 buckets deployed in the cloud infrastructure. The service also gets a list of the bucket attributes that Symantec Cloud Workload Protection supports.

3.1.2. URL

https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/ui/storageassets

3.1.3. Request Method

POST

3.1.4. Request Header

content-type: application/json
Authorization: <token-type> <access-token>
x-epmp-customer-id: <customer-id>
x-epmp-domain-id: <domain-id>

3.1.5. Request Body

{"fields":"name,cloud_platform,region,cloud_account,account_id,storage_notification_config,storage_created_date,props,bridge_id","limit":10,"offset":0,"include_count":true,"include":"","sort":"-created","where":"","search":""}

3.1.6. Fields description

Parameter

Description

name

Name of the S3 bucket.

cloud_platform

Cloud platform of the S3 bucket.

region

Region of the S3 bucket.

cloud_account

Owner name and owner ID for the S3 bucket.

account_id

AWS account ID to which the S3 bucket belongs.

storage_notification_config

Details of the event notifications configured for the S3 bucket in AWS.

storage_created_date

The date on which Cloud Workload Protection for Storage discovered the S3 bucket.

props

Raw values of the protection status for the S3 bucket (Scheduled or NRTS).

protection_status

Protection status of the S3 bucket computed by Cloud Workload Protection for Storage - Unprotected, Protected, or Bridge Not Configured.

scan_configured

S3 bucket scan configuration status (Scheduled, NRTS, None, or Both).

bridge_id

Indicates which Cloud Workload Protection bridge/controller is configured.

limit

Maximum number of records to fetch in one call.

offset

Starting position of the records to fetch; increase it by limit to fetch the next set of records.

Response Header

content-type: application/json

Response Data - Example

{
        "results": [{
               "id": "ZtmmK5ZMRvO-itu8sGOLqw",
               "name": "spe-marketplace",
               "cloud_platform": "AWS",
               "cloud_account": {
                       "owner_name": "DL-xxx-AWS-xxx-xxxV",
                       "owner_id": "eec1xxxxxxcxxxbe34f668xxxc6e4b5afxxx41c91cf1f"
               },
               "account_id": "08xxxxxxxxx8",
               "region": "us-east-1",
               "region_name": "US East (N. Virginia)",
               "storage_created_date": "2017-11-13T14:08:10.187Z",
               "storage_notification_config": [{
                       "name": "d95d9056-9b76-4284-a38c-c7f4e130b751",
                       "events_configured": ["s3:ObjectCreated:*"],
                       "send_to": "SNS",
                       "send_to_value": "arn:aws:sns:us-east-1:08xxxxxxxxx8:CWPForStorage_OnAccessSNS"
               }],
               "deleted": false,
               "bridge_id": "g0JELQsSREWBksXTzo6Evw",
               "props": {
                       "ScanConfigured": false,
                       "NotificationConfigured": false,
                       "arn:aws:sns:us-east-1:08xxxxxxxxx8:CWPForStorage_OnAccessSNS": ["arn:aws:sqs:us-east-1:08xxxxxxxxx8:CWPForStorage_OnAccessSNS"]
               },
               "protection_status": "Unprotected",
               "scan_configured": "NONE",
               "is_cloudtrail_event": false,
               "created": "2017-11-13T14:08:10.187Z"
        }.........],
        "count": 150    //Total buckets present in the system.
}

3.1.7. Supported Operators

=, !=, <, <=, >, >=, in, not_in, and like

3.1.8. Response Codes

Code

Description

200

Successful operation.

400

Invalid operation.

The body of the response contains information about the error.

401

Authentication required.

Make sure that you use a correct account ID and security token.

500

Server error.

Please try again later, and if the problem persists, contact Symantec Support.

3.1.9. Examples - Filtering the results by passing filter condition to the API

To fetch the protected S3 buckets:

Request body:

"where":"((((props.ScanConfigured=true)or(props.NotificationConfigured=true))and(bridge_id!='')))"

To fetch the S3 buckets that have both scheduled and near real-time scan configured:

Request body:

"where":"(((props.ScanConfigured=true)and(props.NotificationConfigured=true)))"

To fetch the S3 buckets for last 7 days:

Request body:

"where":"(created>='2017-11-08T05:55:29.603Z')"
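The following Python script is an added example and not part of the Symantec documentation. It covers two things the fetch-buckets service relies on: walking the limit/offset pagination from section 3.1.6 until the reported count is reached, and passing the where filters from section 3.1.9. It then classifies the returned buckets the way a defender would review them, flagging anything not reported as Protected, with no scan or notification configured, or with no bridge. The transport is injected as a callable so the pagination and classification run offline against constructed sample buckets modelled on the response example; the SAMPLE_BUCKETS data, the bucket names other than spe-marketplace, and the credentials are assumptions.

```python
import json
import urllib.request

STORAGE_ASSETS_URL = "https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/ui/storageassets"

# Field list taken from the documented request body.
FIELDS = ("name,cloud_platform,region,cloud_account,account_id,"
          "storage_notification_config,storage_created_date,props,bridge_id")

# Filter from section 3.1.9: buckets with a scan or notification configured and a bridge.
WHERE_PROTECTED = "((((props.ScanConfigured=true)or(props.NotificationConfigured=true))and(bridge_id!='')))"


def where_created_since(iso_timestamp):
    """Filter for buckets discovered on or after an ISO-8601 timestamp (section 3.1.9)."""
    return f"(created>='{iso_timestamp}')"


def page_body(offset, limit=10, where=""):
    """Request body for one page, shaped like the documented example body."""
    return {"fields": FIELDS, "limit": limit, "offset": offset, "include_count": True,
            "include": "", "sort": "-created", "where": where, "search": ""}


def fetch_all(post_json, limit=10, where=""):
    """Collect every result by advancing offset until 'count' records are held.
    post_json(body) -> dict is the transport; stops on an empty page as well,
    so a service that under-reports count cannot cause an endless loop."""
    results, offset = [], 0
    while True:
        page = post_json(page_body(offset, limit, where))
        batch = page.get("results", [])
        results.extend(batch)
        total = page.get("count", len(results))
        if not batch or len(results) >= total:
            return results
        offset += limit


def unprotected(buckets):
    """Buckets needing attention: not Protected, no scan and no notification, or no bridge."""
    findings = []
    for b in buckets:
        props = b.get("props", {})
        no_scan = not props.get("ScanConfigured") and not props.get("NotificationConfigured")
        if b.get("protection_status") != "Protected" or no_scan or not b.get("bridge_id"):
            findings.append((b["name"], b.get("region"), b.get("protection_status"),
                             b.get("scan_configured")))
    return findings


def live_poster(headers):
    """Real transport: POST each page body to the service with the documented headers."""
    def post_json(body):
        req = urllib.request.Request(STORAGE_ASSETS_URL, data=json.dumps(body).encode("utf-8"),
                                     headers=headers, method="POST")
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return post_json


# Constructed sample data (assumption) modelled on the documented response example.
SAMPLE_BUCKETS = [
    {"name": "spe-marketplace", "region": "us-east-1", "bridge_id": "g0JELQsSREWBksXTzo6Evw",
     "props": {"ScanConfigured": False, "NotificationConfigured": False},
     "protection_status": "Unprotected", "scan_configured": "NONE"},
    {"name": "logs-archive", "region": "us-west-2", "bridge_id": "g0JELQsSREWBksXTzo6Evw",
     "props": {"ScanConfigured": True, "NotificationConfigured": True},
     "protection_status": "Protected", "scan_configured": "BOTH"},
    {"name": "orphan-bucket", "region": "eu-west-1", "bridge_id": "",
     "props": {"ScanConfigured": True, "NotificationConfigured": False},
     "protection_status": "Bridge Not Configured", "scan_configured": "SCHEDULED"},
]


def fake_poster(body):
    """Offline stand-in for the service that serves SAMPLE_BUCKETS with limit/offset."""
    off, lim = body["offset"], body["limit"]
    return {"results": SAMPLE_BUCKETS[off:off + lim], "count": len(SAMPLE_BUCKETS)}


if __name__ == "__main__":
    # Replace fake_poster with live_poster(headers) built from real credentials to run online.
    for name, region, status, scan in unprotected(fetch_all(fake_poster, limit=2)):
        print(f"{name} ({region}): {status}, scan_configured={scan}")
```

With a page size of 2 the walk needs two calls for three sample buckets; in production the sample size is just a starting point, and the where filters let the service do the narrowing so that only the buckets of interest are transferred.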

3.2. Apply storage policy on Controller Unit

3.2.1. Overview

Service to apply a storage Antimalware policy on one or multiple Controller Units.

You must obtain an authorization token to use this service: Token-based authentication

3.2.2. URL

https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/policy/apply/{policy_name}/controllers

3.2.3. Request Method

PUT

3.2.4. Request Header

content-type: application/json
Authorization: <token-type> <access-token>
x-epmp-customer-id: <customer-id>
x-epmp-domain-id: <domain-id>

3.2.5. Request Body

["instance_id-1","instance_id-2"]

3.2.6. Request Parameters

instance_id

Specify the instance IDs of the Controllers to which you want to apply the policy. You can see the instance IDs on the Controllers page of the Cloud Workload Protection console. The policy name is specified in the request URL, not in the body.

3.2.7. Response Codes

Code

Description

200

Successful operation.

400

Bad request

The body of the response contains information about the error.

401

Authentication required.

The token is either invalid or expired.

403

Forbidden

The request was valid and the credentials were successfully authenticated. However, the credentials do not grant permission to access the resource.

404

URL is incorrect.

405

The request method is incorrect.

500

Internal server error if the Symantec service attending to the API calls is down.

Example request body:

["i-01033bd4f26301f22","vm493132851e"]
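The following Python helper is an added example, not part of the Symantec documentation. It builds the PUT for this service: the policy name goes into the URL path and is percent-encoded so that a name containing a slash or a space cannot change which path is requested, and the instance IDs are sent as the JSON array the page shows. The response codes from section 3.2.7 are mapped to the action an operator should take. The policy name and instance IDs in the usage block are placeholders, and the credentials are assumptions.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# URL template as documented; {policy_name} is a path parameter.
APPLY_URL_TEMPLATE = ("https://scwp.securitycloud.symantec.com/dcs-service/dcscloud/v1/"
                      "policy/apply/{policy_name}/controllers")

# Operator action for each response code listed in section 3.2.7.
OUTCOME = {
    200: "applied",
    400: "bad request: inspect the response body for the error",
    401: "token invalid or expired: request a new token and retry",
    403: "authenticated, but these credentials may not apply this policy",
    404: "URL is incorrect: check the policy name",
    405: "wrong request method: the service expects PUT",
    500: "service unavailable: retry later",
}


def apply_policy_request(policy_name, instance_ids, headers):
    """Build the PUT without sending it. The policy name is encoded with
    safe='' so '/' becomes %2F and stays inside the single path segment."""
    if not policy_name:
        raise ValueError("policy_name is required")
    if not instance_ids or not all(isinstance(i, str) and i for i in instance_ids):
        raise ValueError("instance_ids must be a non-empty list of ID strings")
    url = APPLY_URL_TEMPLATE.format(policy_name=urllib.parse.quote(policy_name, safe=""))
    data = json.dumps(list(instance_ids)).encode("utf-8")
    return urllib.request.Request(url, data=data, headers=headers, method="PUT")


def classify(status):
    """Map an HTTP status to the documented meaning, or flag an undocumented one."""
    return OUTCOME.get(status, f"undocumented status {status}")


def apply_policy(policy_name, instance_ids, headers):
    """Send the PUT and return (status, action); HTTPError carries the non-2xx codes."""
    req = apply_policy_request(policy_name, instance_ids, headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, classify(resp.status)
    except urllib.error.HTTPError as err:
        return err.code, classify(err.code)


if __name__ == "__main__":
    # Placeholder values (assumption); replace with real credentials and IDs before sending.
    hdrs = {
        "content-type": "application/json",
        "Authorization": "Bearer <access-token>",
        "x-epmp-customer-id": "<customer-id>",
        "x-epmp-domain-id": "<domain-id>",
    }
    req = apply_policy_request("<policy_name>", ["i-01033bd4f26301f22", "vm493132851e"], hdrs)
    print(req.get_method(), req.full_url, req.data.decode())
```

A 403 here is worth distinguishing from a 401 in automation: the token is valid, so retrying with a new token will not help, and the account's permissions are what need review.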