CyCLI

0.9.6

CyThreats.ps1

                                <#

.SYNOPSIS

    Gets the threat list

.PARAMETER API

    Optional. API Handle (use only when not using session scope).

#>

function Get-CyThreatList {

    Param (

        [parameter(Mandatory=$false)]

        [ValidateNotNullOrEmpty()]

        [CylanceAPIHandle]$API = $GlobalCyAPIHandle

        )

    Read-CyData -API $API -Uri "$($API.BaseUrl)/threats/v2"

}

<#

.SYNOPSIS

    Gets the threat list for the given device

.PARAMETER API

    Optional. API Handle (use only when not using session scope).

.PARAMETER Device

    The device to retrieve the threats for.

#>

function Get-CyDeviceThreatList {

    Param (

        [parameter(Mandatory=$false)]

        [ValidateNotNullOrEmpty()]

        [CylanceAPIHandle]$API = $GlobalCyAPIHandle,

        [Parameter(Mandatory=$true,ParameterSetName="ByDevice",ValueFromPipeline=$true,ValueFromPipelineByPropertyName=$true)]

        [object]$Device,

        [Parameter(Mandatory=$true,ParameterSetName="ByDeviceId")]

        [object]$DeviceId

        )

    Process {

        switch ($PSCmdlet.ParameterSetName) {

            "ByDevice" {

                $Uri = "$($API.BaseUrl)/devices/v2/$($Device.id)/threats"

            }

            "ByDeviceId" {

                $Uri = "$($API.BaseUrl)/devices/v2/$($DeviceId)/threats"

            }

        }

        Read-CyData -API $API -Uri $Uri    

    }

}

<#

.SYNOPSIS

    Update a device threat.

.PARAMETER API

    Optional. API Handle (use only when not using session scope).

.PARAMETER Action

    The action to take (quarantine or waive the threat)

.PARAMETER Device

    The device object to apply this threat action to.

#>

function Update-CyDeviceThreat {

    Param (

        [parameter(Mandatory=$false)]

        [ValidateNotNullOrEmpty()]

        [CylanceAPIHandle]$API = $GlobalCyAPIHandle,

        [Parameter(

            Mandatory=$true, 

            ValueFromPipeline=$true,

            ValueFromPipelineByPropertyName=$true)]

            [object[]]$DeviceThreat,

        [Parameter(Mandatory=$true)]

        [ValidateSet("Quarantine", "Waive")]

        [String]$Action,

        [Parameter(Mandatory=$true,ParameterSetName="ByDevice")]

        [object]$Device,

        [Parameter(Mandatory=$true,ParameterSetName="ByDeviceId")]

        [object]$DeviceId

    )

    Begin {

    }

    Process {

        $hash = $DeviceThreat.sha256

        if ($null -eq $hash) {

            $hash = $DeviceThreat

        }

        $updateMap = @{

            "threat_id" = $($hash)

            "event" = $Action

        }

        $json = $updateMap | ConvertTo-Json

        # remain silent

        switch ($PSCmdlet.ParameterSetName) {

            "ByDeviceId" {

                $output = Invoke-CyRestMethod -API $API -Method POST -Uri "$($API.BaseUrl)/devices/v2/$($DeviceId)/threats" -ContentType "application/json; charset=utf-8" -Body $json

            }

            "ByDevice" {

                $output = Invoke-CyRestMethod -API $API -Method POST -Uri "$($API.BaseUrl)/devices/v2/$($Device.id)/threats" -ContentType "application/json; charset=utf-8" -Body $json

            }

        }

    }

}

<#

.SYNOPSIS

    Retrieves the given threat's Detail from the console. Gets full data, not a shallow version.

.PARAMETER API

    Optional. API Handle (use only when not using session scope).

.PARAMETER SHA256

    A collection of SHA256 values (as strings) to retrieve the data for, or threat objects with a "sha256" property.

#>

function Get-CyThreatDetail {

    Param (

        [parameter(Mandatory=$false)]

        [ValidateNotNullOrEmpty()]

        [CylanceAPIHandle]$API = $GlobalCyAPIHandle,

        [Parameter(Mandatory=$true, ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)]

        [object]$SHA256

        )

    Process {

        if ($SHA256 -is [String]) {

            $Hash = $SHA256

        } elseif (![String]::IsNullOrEmpty($SHA256.sha256)) {

            $Hash = $SHA256.sha256

        } else {

            Throw "Cannot determine SHA256 value from threat object"

        }

        Invoke-CyRestMethod -API $API -Method GET -Uri  "$($API.BaseUrl)/threats/v2/$($Hash)" | Convert-CyObject

    }

}

<#

.SYNOPSIS

    Retrieves a download link for the given threat

.PARAMETER API

    Optional. API Handle (use only when not using session scope).

.PARAMETER SHA256

    The threat to retrieve the download link for.

#>

function Get-CyThreatDownloadLink {

    Param (

        [parameter(Mandatory=$false)]

        [ValidateNotNullOrEmpty()]

        [CylanceAPIHandle]$API = $GlobalCyAPIHandle,

        [Parameter(

            Mandatory=$true, 

            ValueFromPipeline=$true,

            ValueFromPipelineByPropertyName=$true)]

            [String[]]$SHA256

        )

    Process {

        Invoke-CyRestMethod -API $API -Method GET -Uri  "$($API.BaseUrl)/threats/v2/download/$($SHA256)" 

    }

}

<#

.SYNOPSIS

    Gets the devices affected by a particular threat.

.PARAMETER API

    Optional. API Handle (use only when not using session scope).

.PARAMETER SHA256

    The threat SHA256 hash

#>

function Get-CyThreatDeviceList {

    Param (

        [parameter(Mandatory=$false)]

        [ValidateNotNullOrEmpty()]

        [CylanceAPIHandle]$API = $GlobalCyAPIHandle,

        [Parameter(Mandatory=$true, ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)]

        [object]$SHA256

        )

    Process {

        if ($SHA256 -is [String]) {

            $Hash = $SHA256

        } elseif (![String]::IsNullOrEmpty($SHA256.sha256)) {

            $Hash = $SHA256.sha256

        } else {

            Throw "Cannot determine SHA256 value from threat object"

        }

        Read-CyData -API $API -Uri "$($API.BaseUrl)/threats/v2/$($Hash)/devices"

    }

}