Bulk Policy Management in Python with Deep Instinct REST API

If you have worked with me before, you know I am passionate about scripting and automation, especially around repetitive tasks.

During the COVID-19 pandemic I polished up on my Python skills by taking Columbia Business School's excellent Python For Managers course, and this week I sat down to put them to work against the Deep Instinct REST API.

A common pain point I hear with my customers at Deep Instinct is bulk policy management, especially for our MSSP customers using our multi-tenancy feature. The more policies they have, the harder it is to manage them accurately and efficiently, especially when it comes to making bulk changes for things like enabling or disabling automatic upgrades. Sounds like a perfect use case for a Python script to me!

toggle_agent_upgrades_all_policies.py

The first use case I tackled was toggling the automatic agent upgrade setting. In Deep Instinct, this is a per-policy setting. Best practice is to keep up to date on agent releases, but some organizations have strict change management requirements that require toggling this setting on and off. The script below does exactly that, for both Enterprise and Multi-Tenancy Deep Instinct server versions 2.4 and above. Just plug in your server name, a valid API key ("Full Access" role required), and either True or False for the upgrade setting, then run it with no arguments (python toggle_agent_upgrades_all_policies.py).

import requests
import urllib3
import json


# D-APPLIANCE CONFIG AND WHAT TO SET UPGRADE SETTING TO (True | False)
di_fqdn = 'SERVER-NAME.customers.deepinstinctweb.com'
headers = {'Authorization': 'API-KEY', 'accept': 'application/json'}
enable_upgrades = True


# GET LIST OF POLICIES
request_url = f'https://{di_fqdn}/api/v1/policies/'
response = requests.get(request_url, headers=headers)
policies = response.json()


# ITERATE THROUGH LIST OF POLICIES, MODIFY UPGRADE SETTING WHEN APPLICABLE
for policy in policies:
    if policy['os'] == 'WINDOWS' or policy['os'] == 'MAC':
        current_policy_id = policy['id']
        request_url = f'https://{di_fqdn}/api/v1/policies/{current_policy_id}/data'
        response = requests.get(request_url, headers=headers)
        policy_data = response.json()
        if policy_data['data']['automatic_upgrade'] != enable_upgrades:
            policy_data['data']['automatic_upgrade'] = enable_upgrades
            request = requests.put(request_url, json=policy_data, headers=headers)

update_brain_all_policies.py

Next I set out to make another bulk modification to policies: D-Brain version. Starting with the above script as a template, this was even easier than I thought. I introduced an extra variable since D-Brain versions are platform-specific, but even so it took perhaps 2 minutes of effort and I had a working script. Usage is similar to the above. Just plug in your server name, a valid API key ("Full Access" role required), the platform you want to modify, and the desired D-Brain version. Then run it with no arguments (python update_brain_all_policies.py).

import requests
import urllib3
import json


# D-APPLIANCE CONFIG
di_fqdn = 'SERVER-NAME.customers.deepinstinctweb.com'
headers = {'Authorization': 'API-KEY', 'accept': 'application/json'}


# WHAT TO SET THE BRAIN TO AND FOR WHAT PLATFORM (WINDOWS | MAC)
brain_version = '121w'
platform = 'WINDOWS'


# GET LIST OF POLICIES
request_url = f'https://{di_fqdn}/api/v1/policies/'
response = requests.get(request_url, headers=headers)
policies = response.json()


# ITERATE THROUGH LIST OF POLICIES, UPDATE BRAIN IF OS MATCHES AND BRAIN VERSION DOESN'T
for policy in policies:
    if policy['os'] == platform:
        current_policy_id = policy['id']
        request_url = f'https://{di_fqdn}/api/v1/policies/{current_policy_id}/data'
        response = requests.get(request_url, headers=headers)
        policy_data = response.json()
        if policy_data['data']['brain'] != brain_version:
            policy_data['data']['brain'] = brain_version
            request = requests.put(request_url, json=policy_data, headers=headers)

For production usage it would be advisable to add logging and error checking, which I had in my original version but removed here to make the examples easier to understand.
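One way the logging and error checking could look for the upgrade toggle, as an added example (not the author's original version). The function name `set_upgrades`, the dry-run flag, and the `DI_API_KEY` / `DI_FQDN` environment variable names are assumptions; the endpoints and JSON fields are the ones used in the scripts above.

```python
import logging
import os

log = logging.getLogger("di_bulk_policy")

def set_upgrades(session, base_url, enable, dry_run=True, timeout=30):
    """Return (changed, unchanged, failed) policy ids; in a dry run, changed = would change."""
    changed, unchanged, failed = [], [], []
    resp = session.get(f"{base_url}/api/v1/policies/", timeout=timeout)
    resp.raise_for_status()  # stop before touching anything if the listing fails
    for policy in resp.json():
        if policy.get("os") not in ("WINDOWS", "MAC"):
            continue
        pid = policy["id"]
        url = f"{base_url}/api/v1/policies/{pid}/data"
        try:
            r = session.get(url, timeout=timeout)
            r.raise_for_status()
            body = r.json()
            current = body["data"]["automatic_upgrade"]
            if current == enable:
                unchanged.append(pid)
                continue
            # Audit trail: record old and new value for every policy that differs
            log.info("policy %s: automatic_upgrade %s -> %s%s",
                     pid, current, enable, " (dry run)" if dry_run else "")
            if not dry_run:
                body["data"]["automatic_upgrade"] = enable
                session.put(url, json=body, timeout=timeout).raise_for_status()
            changed.append(pid)
        # requests' exceptions derive from OSError; the others cover malformed JSON bodies
        except (OSError, KeyError, ValueError, TypeError) as exc:
            log.error("policy %s: not updated: %r", pid, exc)
            failed.append(pid)  # one bad policy must not stop the rest
    return changed, unchanged, failed

if __name__ == "__main__":
    import requests  # imported here so set_upgrades can be exercised without the network
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s")
    s = requests.Session()
    # Assumed variable names; keeps the "Full Access" key out of the script file
    s.headers.update({"Authorization": os.environ["DI_API_KEY"], "accept": "application/json"})
    result = set_upgrades(s, f"https://{os.environ['DI_FQDN']}", enable=True, dry_run=True)
    log.info("changed=%s unchanged=%s failed=%s", *result)
```

Run it first with `dry_run=True` to review the list of policies that would change, then switch to `dry_run=False` once the list matches the approved change.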

I hope these examples are useful and get you thinking about how you can improve accuracy and efficiency in making bulk policy changes in Deep Instinct or similar products with just a moderate effort to convert your run-book logic into Python.

Happy coding!

-Patrick

Michael B.

Busy with PFA component contract manufacturing.

4 years

I'll have to take a look at this.

Kane Kegel

Prevention is key

4 years

Nice work Patrick! Very well written and easy to follow. Your instructor would be proud.

Great content Patrick. Thanks for sharing.
