
Searching by CVE, I can retrieve data from Deep Security for a unique policy and from many computers, but I cannot filter by the Recommendable field.

recom="no"

while executing

find_rules_for_recom(api, configuration, api_version, api_exception, recom)

Terminal says:

Displaying policesException: (400) Reason: HTTP response headers: HTTPHeaderDict({'Cache-Control': 'no-cache,no-store, no-cache="set-cookie"', 'Content-Type': 'application/json', 'Date': 'Thu, 27 Jun 2019 08:28:45 GMT', 'Pragma': 'n o-cache', 'Set-Cookie': 'AWSELB=8121890904A881CF1D6DF15EFDA53CC511612D62EB2B0749F6B1D0FE96DF2375AF5AB194BB3A0FCE0D676C1691AC480BB7AA104DD3549FC5F5C8B49F73540C9295DA200417;PATH=/;MAX-AGE=180 0', 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload', 'X-DSM-Version': 'Deep Security/12.5.85', 'X-Frame-Options': 'SAMEORIGIN', 'X-XSS-Protection': '1;mode=block ', 'Content-Length': '76', 'Connection': 'keep-alive'}) HTTP response body: {"message":"Invalid SearchFilter: recommendable is not a searchable field."}

  • It would be helpful if you could post more of your code so that we can better understand what you are trying to accomplish. – ScottBro Jun 27 '19 at 13:09

2 Answers


The specific error you're seeing ("Invalid SearchFilter: recommendable is not a searchable field.") is because 'recommendable' is not a field of any object in the DSM /api. (source: not mentioned anywhere in the DSM swagger spec)

As Scott said, if you can update your question with your goal (what object are you looking at, what field do you want to filter on) and the code you're using (what python function are you calling, and the parameters), we can answer it more fully.

P.S. I work in R&D on Deep Security

  • The main requirement is to change the recommendable field under Intrusion Prevention rules of many computers with a unique policy_id (one policy applied, e.g. policy_id 1): whichever computer has the recommendable field set to No needs to be changed to Yes. Can you tell me the steps to follow or the code to run as a Python script? – ZAIN Jun 29 '19 at 08:41
  • @ZAIN I appreciate the follow-up. I understand your goal a little more, but I don't understand it all, or where you are seeing a field called "recommendable". Are you using the Automation Center's API Reference? https://review2doc.deepsecurity.trendmicro.com/article/12_5/api-reference?platform=dsaas My current best guess is that you're trying to find out which Intrusion Prevention rules are not included in a recommendation scan (by looking at the RecommendationsMode field). Then you want to change that for some set of rules. Is that correct? – Morgan Jul 02 '19 at 19:37

To find Intrusion Prevention (IPS/IDS) rules that can be recommended by a Recommendation Scan, you need to search on the recommendationsMode field of the IPS rules (IPS rules do not have a recommendable field).

The API field names and values are not necessarily the same as you see in the UI. To see the field names in the API Reference:

  1. Go to the API Reference: https://automation.deepsecurity.trendmicro.com/article/12_0/api-reference?platform=on-premise
  2. Scroll down to the Intrusion Prevention area and click Describe an Intrusion Prevention Rule
  3. In the center panel, click 200 successful operation
  4. In the Response Schema, look for recommendationsMode:

Indicates whether recommendation scans consider the rule. To avoid errors on existing rules, only change the value between enabled (rule is included in recommendations scan) and ignored (rule is ignored by recommendations scan). Other values (disabled or ignored) indicate that the rule is not supported by recommendation scans. Searchable as Choice.

So, you want to perform a Choice search for rules that have recommendationsMode equals ignored.

def find_rules_for_recommendable(api, configuration, api_version, api_exception):

    rule_id_s = []

    # Set search criteria: a Choice search on the recommendationsMode field
    search_criteria = api.SearchCriteria()
    search_criteria.field_name = "recommendationsMode"
    search_criteria.choice_value = "ignored"
    search_criteria.choice_test = "equal"

    # Create a search filter
    search_filter = api.SearchFilter()
    search_filter.search_criteria = [search_criteria]

    try:
        # Search for all intrusion prevention rules whose recommendationsMode equals "ignored"
        ip_rules_api = api.IntrusionPreventionRulesApi(api.ApiClient(configuration))
        ip_rules_search_results = ip_rules_api.search_intrusion_prevention_rules(api_version,
                                                                             search_filter=search_filter)
        print(ip_rules_search_results)
        # Collect the IDs of the matching rules
        for rule in ip_rules_search_results.intrusion_prevention_rules:
            rule_id_s.append(rule.id)

        return rule_id_s

    except api_exception as e:
        return "Exception: " + str(e)

As a bonus, and anticipating where you are going next, here is how you would assign a list of rules to a policy:

def apply_intrusion_prevention_recommendations(api, configuration, api_version, api_exception, policy_id, rule_ids):
    # Wrap the list of rule IDs in the RuleIDs model the API expects
    rule_ids_obj = api.models.RuleIDs(rule_ids)
    ips_recommendations_api = api.PolicyIntrusionPreventionRuleAssignmentsRecommendationsApi(api.ApiClient(configuration))
    try:
        # Assign the rules to the policy; overrides=False leaves existing computer-level overrides untouched
        ip_assignments = ips_recommendations_api.add_intrusion_prevention_rule_ids_to_policy(policy_id, api_version, intrusion_prevention_rule_ids=rule_ids_obj, overrides=False)
        return ip_assignments

    except api_exception as e:
        return "Exception: " + str(e)

Hope that helps! (BTW I'm a DS content developer)

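The raw REST exchange behind the SDK's search call in the answer above, as an added example that is not the answer's or the Deep Security SDK's own code. It builds the Choice search filter on recommendationsMode, validates the value so the DSM never sees a non-searchable field, parses a constructed sample response, and surfaces the JSON "message" from a 400 the way the question's error body shows it. The endpoint path, header names and the "ID"/"intrusionPreventionRules" keys are assumptions taken from the API reference style, not copied from the page.

```python
import json
import urllib.request
import urllib.error

# Values the answer says a rule can be switched between without errors.
RECOMMENDATIONS_MODES = {"enabled", "ignored"}


def build_recommendations_mode_filter(mode):
    """Return the JSON SearchFilter for a Choice search on recommendationsMode."""
    if mode not in RECOMMENDATIONS_MODES:
        # 'recommendable' (or 'no'/'yes') is not a searchable field or value;
        # reject it locally instead of letting the DSM answer with a 400.
        raise ValueError("recommendationsMode must be one of %s" % sorted(RECOMMENDATIONS_MODES))
    return {"searchCriteria": [{"fieldName": "recommendationsMode",
                                "choiceValue": mode,
                                "choiceTest": "equal"}]}


def rule_ids_from_search_response(body):
    """Extract rule IDs from a search response (JSON text or parsed dict)."""
    data = json.loads(body) if isinstance(body, str) else body
    return [rule["ID"] for rule in data.get("intrusionPreventionRules", [])]


def search_rules(host, api_key, mode, api_version="v1"):
    """POST the search to the DSM and return matching rule IDs (network call; assumed path)."""
    req = urllib.request.Request(
        host.rstrip("/") + "/api/intrusionpreventionrules/search",
        data=json.dumps(build_recommendations_mode_filter(mode)).encode(),
        headers={"api-secret-key": api_key, "api-version": api_version,
                 "Content-Type": "application/json"},
        method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return rule_ids_from_search_response(resp.read().decode())
    except urllib.error.HTTPError as e:
        # A 400 carries a JSON body such as {"message": "Invalid SearchFilter: ..."}
        raw = e.read().decode()
        try:
            raise RuntimeError(json.loads(raw).get("message", raw))
        except ValueError:
            raise RuntimeError(raw)


# Constructed sample response in the shape the search endpoint is assumed to return.
SAMPLE_RESPONSE = json.dumps({"intrusionPreventionRules": [
    {"ID": 1001, "name": "sample rule A", "recommendationsMode": "ignored"},
    {"ID": 1002, "name": "sample rule B", "recommendationsMode": "ignored"}]})
```

The list returned by rule_ids_from_search_response is what you would hand to the policy-assignment function from the answer.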