Introducing our Python API Wrapper


Introducing our Python API Wrapper

With our shiny new Python API wrapper, managing your deployed Canaries has never been simpler. With just a few simple lines of code you'll be able to sort and store incident data, reboot all of your devices, create Canarytokens, and much more (Building URLs correctly and parsing JSON strings is for the birds...).

So, how do you get started? Firstly you'll need to install our package. You can grab it from a number of places:
  • Or simply startup your favourite shell and run "pip install canarytools"
Assuming you already have your own Canary Console (see our website for product options) and a flock of devices, getting started is very easy indeed! First, instantiate the Console object: 

import canarytools
console = canarytools.Console(api_key='API_KEY', domain='CLIENT_DOMAIN')
view raw canarytools.py hosted with ❤ by GitHub

Your API_KEY can be retrieved from your Console's Console Setup page. The CLIENT_DOMAIN is the tag in-front of "canary.tools" in your Console's url. For example in https://testconsole.canary.tools/settings "testconsole" is the domain.

Alternatively a .config file can be downloaded and placed on your system (place this in ~/ for Unix (and Unix-like) environments and C:\Users\{Current Users}\ for Windows environments). This file contains all the goodies needed for the wrapper to communicate with the Console. Grab this from the Canary Console API tab under Console Setup (This is great if you'd rather not keep your api_key and/or domain name in your code base).



Click 'Download Token File' to download the API configuration file.




To give you a taste of what you can do with this wrapper, let's have a look at a few of its features:

Device Features

Want to manage all of your devices from the comfort of your bash-shell? No Problem...

Assuming we have instantiated our Console object we can get a handle to all our devices in a single line of code:

console.devices.all()
view raw devices_all.py hosted with ❤ by GitHub
From here it is straightforward to do things such as update all your devices, or even reboot them:

for device in console.devices.all():
device.reboot()
view raw devices_reboot.py hosted with ❤ by GitHub

Incident Features

Need the ability to quickly access all of the incidents in your console? We've got you covered. Getting a list of incidents across all your devices and printing the source IP of the incident is easy:

for incident in console.incidents.all():
print incident.description, incident.src_host
view raw incidents_print.py hosted with ❤ by GitHub
Acknowledging incidents is also straightforward. Let's take a look at acknowledging all incidents from a particular device that are 3 weeks or older:

console.incidents.acknowledge(node_id='000000044c2232z', older_than='3w')
view raw incidents_ack.py hosted with ❤ by GitHub

Canarytoken Features

Canarytokens are one of the newest features enabled on our consoles. (You can read about them here). Manage your Canarytokens with ease. To get a list of all your tokens simply call:

for token console.tokens.all():
print token
view raw canarytoken_all.py hosted with ❤ by GitHub
You can also create tokens:

console.token.create(
kind=canarytools.CanaryTokenKinds.WEB_IMAGE,
mimetype='image/jpg',
web_image='/home/image.jpg')
view raw canarytoken_create.py hosted with ❤ by GitHub

Enable/disable your tokens:

for token in console.tokens.all():
token.enable()
view raw canarytoken_enable.py hosted with ❤ by GitHub

Whitelist Features

If you'd like to whitelist IP addresses and destination ports programmatically, we cater for that too:

client.settings.is_ip_whitelisted(src_ip='10.0.0.2', dst_port='5000')
view raw settings_is_whitelisted.py hosted with ❤ by GitHub

This is just a tiny taste of what you can do with the API. Head over to our documentation to see more. We're hoping the API will make your (programatic) interactions with our birds a breeze.

Comments

Post a Comment

Popular posts from this blog

Using the Linux Audit System to detect badness

Image
Security vendors have a mediocre track record in keeping their own applications and infrastructure safe. As a security product company, we need to make sure that we don’t get compromised. But we also need to plan for the horrible event that a customer console is compromised, at which point the goal is to quickly detect the breach. This post talks about how we use Linux's Audit System (LAS) along with ELK (Elasticsearch, Logstash, and Kibana) to help us achieve this goal. Background Every Canary customer has multiple Canaries on their network (physical, virtual, cloud) that reports in to their console which is hosted in AWS. Consoles are single tenant, hardened instances that live in an AWS region. This architecture choice means that a single customer console being compromised, won’t translate to a compromise of other customer consoles. ( In fact, customers would not trivially even discover other customer consoles, but that's irrelevant for this post. ) Hundreds of consoles runn...
Read more

Good UNIX tools

Image
aka:   Small things done well  We spend a lot of time sweating the details when we build Canary. From our user flows to our dialogues, we try hard to make sure that there’s very few opportunities for users to be stuck or confused. We also never add features just because they sound cool. Do you “explode malware”? No.  Export to STYX? No.  Darknet AI IOCs? No. No. No..  Vendors add rafts of “check-list-development” features as a crutch. They hope that one more integration (or one more buzz-word) can help make the sale. This is why enterprise software looks like it does, and why it’s probably the most insecure software on your network. This also leads to a complete lack of focus. To quote industry curmudgeon (and all around smartypants) Kelly Shortridge : " it is better to whole-ass one thing than to half-ass many" . We feel this deeply. Most of us cut our teeth on UNIX and UNIX clones and cling pretty fastidiously to the original Unix philosophies ¹ : Make each...
Read more

The lamest hacks

Image
A little while back, a colleague of a colleague approached me with a favour request that was hard to refuse (no, not that kind...) They had one of these external harddrives that supports on-drive encryption and, as you will have guessed, had forgotten the password. No more saved business docs, but also no more saved baby pics. "Could we have a look?", they asked. A brief search online revealed companies who claim to be able to recover passwords for these very drives, but required shipping the drive from South Africa to Europe, and the cost was not instantly dismissible. Surely there was another way? Automating password entry was easy enough; when powered on, the drive's password entry dialog popped up and it was simple to drive the GUI and enter passwords. However, the slight hiccup was that, after five password guesses, the drive needed to be powercycled to reset the guess counter. One of my many failings is a distinct lack of basic electronic experience, and even being...
Read more