
Problem description

Using a CVE search I can retrieve data from Deep Security for a single policy and from many computers, but I cannot filter on the Recommendable field.

recom="no"

When running

find_rules_for_recom(api, configuration, api_version, api_exception, recom)

the terminal says:

ApiException: (400) Reason: HTTP response headers: HTTPHeaderDict({'Cache-Control': 'no-cache,no-store,no-cache="set-cookie"', 'Content-Type': 'application/json', 'Date': 'Thu, 27 Jun 2019 08:28:45 GMT', 'Pragma': 'no-cache', 'Set-Cookie': 'AWSELB=8121890904A881CF1D6DF15EFDA53CC511612D62EB2B0749F6B1D0FE96DF2375AF5AB194BB3A0FCE0D676C1691AC480BB7AA104DD3549FC5F5C8B49F73540C9295DA200417;PATH=/;MAX-AGE=1800', 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload', 'X-DSM-Version': 'Deep Security/12.5.85', 'X-Frame-Options': 'SAMEORIGIN', 'X-XSS-Protection': '1;mode=block', 'Content-Length': '76', 'Connection': 'keep-alive'}) HTTP response body: {"message":"Invalid SearchFilter: Recommended is not a searchable field."}

Tags: api, deepsecurity

Solution

To find the Intrusion Prevention (IPS/IDS) rules that a recommendation scan can recommend, you need to search on the RecommendationsMode field of the IPS rule (IPS rules do not have a Recommended field).

API field names and values are not necessarily the same as what you see in the UI. To look up the field names in the API reference:

  1. Go to the API reference: https://automation.deepsecurity.trendmicro.com/article/12_0/api-reference?platform=on-premise
  2. Scroll down to the Intrusion Prevention area and click Describe an Intrusion Prevention Rule
  3. In the center panel, click 200 Operation successful
  4. In the response schema, look for recommendationsMode

Indicates whether recommendation scans consider the rule. To avoid errors with existing rules, only change the value between enabled (rule is included in recommendation scans) and ignored (rule is ignored by recommendation scans). Other values (disabled or unknown) indicate that the rule is not supported by recommendation scans. Searchable as Choice.

So you want to run a Choice search for rules whose recommendationsMode equals ignored:

def find_rules_for_recommendable(api, configuration, api_version, api_exception):

    rule_id_s = []

    # Set search criteria: a Choice search on recommendationsMode.
    # Valid choice_test values are "equal" and "not-equal".
    search_criteria = api.SearchCriteria()
    search_criteria.field_name = "recommendationsMode"
    search_criteria.choice_value = "ignored"
    search_criteria.choice_test = "equal"

    # Create a search filter
    search_filter = api.SearchFilter()
    search_filter.search_criteria = [search_criteria]

    try:
        # Search for all intrusion prevention rules matching the recommendationsMode criterion
        ip_rules_api = api.IntrusionPreventionRulesApi(api.ApiClient(configuration))
        ip_rules_search_results = ip_rules_api.search_intrusion_prevention_rules(api_version,
                                                                             search_filter=search_filter)
        print(ip_rules_search_results)
        for rule in ip_rules_search_results.intrusion_prevention_rules:
            rule_id_s.append(rule.id)

        return rule_id_s

    except api_exception as e:
        return "Exception: " + str(e)

As a bonus, and anticipating where you are heading next, here is how to assign the list of rules to a policy:

def apply_intrusion_prevention_recommendations(api, configuration, api_version, api_exception, policy_id, rule_ids):
    # Wrap the list of rule IDs in the RuleIDs model expected by the request body
    rule_ids_obj = api.models.RuleIDs(rule_ids)
    ips_recommendations_api = api.PolicyIntrusionPreventionRuleAssignmentsRecommendationsApi(api.ApiClient(configuration))
    try:
        # Assign the rules to the policy; overrides=False applies the change at the policy level
        ip_assignments = ips_recommendations_api.add_intrusion_prevention_rule_ids_to_policy(policy_id, api_version, intrusion_prevention_rule_ids=rule_ids_obj, overrides=False)
        return ip_assignments

    except api_exception as e:
        return "Exception: " + str(e)

Hope that helps! (BTW, I am a DS content developer)
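Added example, not code from the page, from Trend Micro, or from the answer above: the same Choice search expressed as the raw JSON body of POST /api/intrusionpreventionrules/search (the SDK objects in the answer serialize to this shape), with two things a practitioner wants around it. Field names are validated locally against a hand-picked subset of the "Searchable as ..." annotations in the API reference, so a UI name like Recommended fails with a clear error before the DSM answers 400, and results are paged by object ID (idTest "greater-than" with sortByObjectID), because the DSM caps the number of rules returned per call. The `post` callable is an assumption standing in for whatever HTTP client you use (it takes a path and a body dict and returns the decoded JSON), and `fake_dsm_post` with its SAMPLE_RULES is constructed data so the block runs offline.

```python
from typing import Callable, Dict, Iterator, List, Set

# Hand-picked subset of searchable fields from the API reference (assumption:
# maintained by hand here, not fetched from the DSM).
CHOICE_FIELDS: Dict[str, Set[str]] = {
    "recommendationsMode": {"enabled", "ignored", "unknown", "disabled"},
}
STRING_FIELDS: Set[str] = {"name", "CVE"}

SEARCH_PATH = "/api/intrusionpreventionrules/search"


class NotSearchable(ValueError):
    """Raised locally instead of letting the DSM reply 400 'Invalid SearchFilter'."""


def choice_criterion(field: str, value: str, equal: bool = True) -> dict:
    """One Choice criterion in the JSON shape the REST API expects."""
    if field not in CHOICE_FIELDS:
        raise NotSearchable(f"{field} is not a searchable Choice field")
    if value not in CHOICE_FIELDS[field]:
        raise NotSearchable(f"{value!r} is not a valid value for {field}")
    return {"fieldName": field, "choiceValue": value,
            "choiceTest": "equal" if equal else "not-equal"}


def string_criterion(field: str, value: str) -> dict:
    """One exact-match String criterion (set stringWildcards for * matching)."""
    if field not in STRING_FIELDS:
        raise NotSearchable(f"{field} is not a searchable String field")
    return {"fieldName": field, "stringValue": value,
            "stringTest": "equal", "stringWildcards": False}


def iter_rules(post: Callable[[str, dict], dict], criteria: List[dict],
               page_size: int = 500) -> Iterator[dict]:
    """Page through the search by object ID: each request asks for rules whose
    ID is greater than the last one seen, sorted by ID, until a short page."""
    last_id = 0
    while True:
        body = {
            "maxItems": page_size,
            "sortByObjectID": True,
            "searchCriteria": criteria + [{"idValue": last_id, "idTest": "greater-than"}],
        }
        rules = post(SEARCH_PATH, body).get("intrusionPreventionRules", [])
        for rule in rules:
            yield rule
        if len(rules) < page_size:
            return
        last_id = rules[-1]["ID"]


def rule_ids(post: Callable[[str, dict], dict], criteria: List[dict],
             page_size: int = 500) -> List[int]:
    """IDs of every rule matching the criteria, across all pages."""
    return [rule["ID"] for rule in iter_rules(post, criteria, page_size)]


# Constructed sample data standing in for the DSM's rule set.
SAMPLE_RULES = [
    {"ID": 1001, "name": "Rule A", "CVE": ["CVE-2019-0001"], "recommendationsMode": "enabled"},
    {"ID": 1002, "name": "Rule B", "CVE": ["CVE-2019-0001"], "recommendationsMode": "ignored"},
    {"ID": 1003, "name": "Rule C", "CVE": [], "recommendationsMode": "ignored"},
    {"ID": 1004, "name": "Rule D", "CVE": [], "recommendationsMode": "unknown"},
    {"ID": 1005, "name": "Rule E", "CVE": ["CVE-2019-0002"], "recommendationsMode": "ignored"},
    {"ID": 1006, "name": "Rule F", "CVE": [], "recommendationsMode": "enabled"},
    {"ID": 1007, "name": "Rule G", "CVE": [], "recommendationsMode": "disabled"},
]


def fake_dsm_post(path: str, body: dict) -> dict:
    """Minimal stand-in for the DSM that honours Choice, String and ID criteria
    and the maxItems cap (constructed for this example)."""
    if path != SEARCH_PATH:
        raise ValueError(f"unexpected path {path}")
    rows = sorted(SAMPLE_RULES, key=lambda r: r["ID"])
    for c in body["searchCriteria"]:
        if "choiceValue" in c:
            want = c["choiceTest"] == "equal"
            rows = [r for r in rows if (r.get(c["fieldName"]) == c["choiceValue"]) == want]
        elif "stringValue" in c:
            def matches(r, c=c):
                v = r.get(c["fieldName"])
                return c["stringValue"] in v if isinstance(v, list) else v == c["stringValue"]
            rows = [r for r in rows if matches(r)]
        elif "idTest" in c and c["idTest"] == "greater-than":
            rows = [r for r in rows if r["ID"] > c["idValue"]]
    return {"intrusionPreventionRules": rows[: body["maxItems"]]}


if __name__ == "__main__":
    ignored = rule_ids(fake_dsm_post, [choice_criterion("recommendationsMode", "ignored")], page_size=2)
    print("ignored by recommendation scans:", ignored)
    both = rule_ids(fake_dsm_post, [string_criterion("CVE", "CVE-2019-0001"),
                                    choice_criterion("recommendationsMode", "ignored")])
    print("CVE-2019-0001 and ignored:", both)
```

Against a real DSM, replace `fake_dsm_post` with a function that POSTs the body to `https://<dsm>:4119` with the `api-secret-key` and `api-version` headers and returns the decoded JSON; the page size of 2 in the usage above is only there to exercise the paging path on the small sample.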