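##########################
####
# Author: @jkopacko - 2023
# Version: 1.02
# Comments: this logic stores a list of IDs of endpoints with bad or suspicious health, v1 only isolates a single ID that is entered manually in $targetEndpointId below. In v1.1, I will add in the for-each logic to trigger on the list(s) of endpoints. In v1.2, I will salt/secure the storage.
#
# Purpose: authenticate to Sophos Central, look up the tenant, collect the IDs
# of endpoints whose health is "bad" or "suspicious", and PATCH the isolation
# state of one endpoint.
# Inputs:  SOPHOS_CLIENT_ID / SOPHOS_CLIENT_SECRET environment variables
#          (preferred) or the literal placeholders edited in place below,
#          plus $targetEndpointId.
# Output:  $endpointBadList, $endpointSuspList (arrays of endpoint IDs) and
#          $isoTriggerBad (the API's PATCH response).
####
#########################

## Your credentials. Read them from the environment so the secret does not
## live in the script (and in source control); the literal placeholders are
## kept only as a fallback for the original edit-in-place workflow.
$clientID = if ($env:SOPHOS_CLIENT_ID) { $env:SOPHOS_CLIENT_ID } else { "<ID>" }
$clientSecret = if ($env:SOPHOS_CLIENT_SECRET) { $env:SOPHOS_CLIENT_SECRET } else { "<SECRET>" }
## The single endpoint to isolate (v1 behaviour); replace the placeholder.
$targetEndpointId = "<singleID>"

## Refuse to run with placeholder values: a placeholder endpoint ID would be
## sent to the API as-is, and placeholder credentials fail later with a less
## helpful error.
if ($clientID -eq "<ID>" -or $clientSecret -eq "<SECRET>") {
    throw 'Sophos client ID/secret not set (set SOPHOS_CLIENT_ID / SOPHOS_CLIENT_SECRET or edit the script).'
}
if ($targetEndpointId -eq "<singleID>") {
    throw 'Target endpoint ID not set (edit $targetEndpointId).'
}

## This will authenticate to Sophos API.
## The body is passed as a hashtable so Invoke-RestMethod form-encodes each
## value; the original string concatenation broke (or leaked a malformed
## request) when the secret contained characters such as '&', '%' or '+'.
$tokenBody = @{
    grant_type    = 'client_credentials'
    client_id     = $clientID
    client_secret = $clientSecret
    scope         = 'token'
}
$tokenReply = Invoke-RestMethod -Method Post -ContentType "application/x-www-form-urlencoded" -Body $tokenBody -Uri "https://id.sophos.com/api/v2/oauth2/token"
$bearerToken = $tokenReply.access_token
$header = @{ Authorization = "Bearer $bearerToken" }

## This will return your tenant ID
$whoami_resp = Invoke-RestMethod -Method Get -Headers $header -Uri "https://api.central.sophos.com/whoami/v1"
$tenantID = $whoami_resp.id
## Every tenant-scoped call needs both the bearer token and the tenant header.
$header = @{ Authorization = "Bearer $bearerToken"; "X-Tenant-ID" = $tenantID }

## This will extract your Central API region
$apiRegion = $whoami_resp.apiHosts.dataRegion

## Get all endpoints within the tenant with bad status
## NOTE(review): only the first page of results is read here; confirm whether
## the list API paginates before relying on these lists for bulk isolation.
$endpointBad = Invoke-RestMethod -Method Get -Headers $header -Uri ($apiRegion + "/endpoint/v1/endpoints?healthStatus=bad")
## Extract bad endpoint IDs into a list. -ExpandProperty yields the bare ID
## strings; -Property would yield objects wrapping an 'id' member.
$endpointBadList = @($endpointBad.items | Select-Object -ExpandProperty id)

## Get all endpoints within the tenant with suspicious status
$endpointSusp = Invoke-RestMethod -Method Get -Headers $header -Uri ($apiRegion + "/endpoint/v1/endpoints?healthStatus=suspicious")
## Extract suspicious endpoint IDs into a list
$endpointSuspList = @($endpointSusp.items | Select-Object -ExpandProperty id)

## Trigger isolation.
## 'enabled' is a JSON boolean: $true serialises to true, whereas the original
## string 'true' serialised to the quoted string "true".
$isoTriggerBody = @{
    enabled = $true
    comment = 'auto iso test'
} | ConvertTo-Json
$isoTriggerUri = $apiRegion + "/endpoint/v1/endpoints/" + $targetEndpointId + "/isolation"
$isoTriggerBad = Invoke-RestMethod -Method Patch -Headers $header -Body $isoTriggerBody -ContentType "application/json" -Uri $isoTriggerUri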