Remediation script code samples
Creating Remediation Scripts | Forcepoint DLP | v8.4.x, v8.5.x, v8.6.x
Some of the code samples in this section use the DiscoveryIncidentProcessing helper module; the others parse the incident XML file directly.
Example 1
This example is one of the three scripts that ship with Forcepoint DLP and reside in the "%dss_home%/RunCommands" folder.
It shows how to use the DiscoveryIncidentProcessing module and is self-explanatory: edit the two settings at the top and leave the rest of the script unchanged.
#Set the destination folder for sensitive files
Location = r'\\127.0.0.1\quarantine'
DaysKeepActiveFiles = 0
#-----------------------------------------------------------
#DO NOT MODIFY SCRIPT PAST THIS LINE
import sys
from DiscoveryIncidentProcessing import MoveDiscoveryIncident
 
MoveDiscoveryIncident(sys.argv[1],Location,False,DaysKeepActiveFiles,'')
Example 2
The following example is a little more involved. It handles a network (email) incident, so it parses the incident XML itself instead of using the helper module, which is useful only for discovery incidents.
#Send an email to the recipients of a DLP incident
 
# XML search path constants for easier XML handling
NS1=u".//{http://www.portauthoritytech.com/schmea/xml-rpc/1.0}"
EVT=u".//{http://www.portauthoritytech.com/schmea/incident/1.0}"
EVTSOURCE=EVT+u"source"
EVTDETAIL=EVT+u"detail"
EVTDESTINATIONS=EVT+u"destinations"
EVTDESTINATION=EVT+u"destination"
EVTSUBJECT=EVT+u"subject"
 
## Email message to send to the users
EMAILMESSAGE="""From: Forcepoint DLP <dlp@example.com>\r
To: %(deststring)s\r
Subject: Re: %(subject)s\r
\r
Dear Sir or Madam,\r
\r
A message sent to you from %(source)s with the subject "%(subject)s" has violated PCI regulations, and has been blocked by Forcepoint DLP. Please contact the sender and request that they redact all cardholder information (such as name, credit card number, expiration date, CVV) from the message and resend it.\r
\r
Regards,\r
\r
Forcepoint DLP\r
"""
 
# Email gateway
SMTPGATEWAY='10.4.228.240:25'
 
import sys
import xml.etree.ElementTree as ET
import smtplib
 
# Parse the XML file
oXMLTree=ET.parse(sys.argv[1])
 
## Search for a few key pieces of data
dIncidentDetails={}
 
# source
dIncidentDetails['source']=oXMLTree.find(EVTSOURCE).find(EVTDETAIL).get('value')
 
# destinations
lDests=[
elem.find(EVTDETAIL).get('value')
for elem
in oXMLTree.find(EVTDESTINATIONS)
]
dIncidentDetails['deststring']=', '.join(lDests)
 
# extract the subject
dIncidentDetails['subject']=oXMLTree.find(EVTSUBJECT).text
 
## send an email message

oSMTP=smtplib.SMTP(SMTPGATEWAY)
# Envelope sender is the incident source; the From: header is the fixed DLP address
oSMTP.sendmail(dIncidentDetails['source'],lDests,EMAILMESSAGE % dIncidentDetails)
oSMTP.quit()
Please note several important aspects of this example:
* It uses only the Python standard library (xml.etree.ElementTree and smtplib); the DiscoveryIncidentProcessing helper is not involved.
* The data is located by namespace-qualified search paths (the NS1 and EVT constants). The ".//" prefix searches the whole tree, so the element names and the namespace URIs must match the incident file exactly; check them against a real incident file before relying on the script.
* The script reads the first source detail, every destination detail and the subject text. If one of these elements is missing, find() returns None and the script stops with an AttributeError, so add a check if the script must exit cleanly for other incident types.
* SMTPGATEWAY is a hard-coded internal relay reached without authentication or TLS; that relay must accept unauthenticated mail from the DLP server.
* The envelope sender (the first argument to sendmail) is the incident's source address, while the From: header carries the fixed DLP address. The relay and any SPF check on the receiving side evaluate the envelope sender, so mail may be rejected if the source domain is not one the DLP server is allowed to send for.
* The subject and addresses are copied from the incident into the message headers without sanitising them. A subject containing a carriage return or line feed would be written into the header block as a new header line, so strip those characters before using incident data in a header.
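The following script is an added example, not one of the Forcepoint sample scripts, and assumes Python 3.6 or later (the page does not state which interpreter the DLP server bundles). It does what Example 2 does with one change a practitioner would want: the subject and addresses lifted from the incident pass through header_safe() and the message is assembled with email.message.EmailMessage, so an incident whose subject contains a line break cannot add headers of its own. The incident layout in SAMPLE_INCIDENT_XML is constructed for this example; the element names follow Example 2, but check them and the namespace URIs against a real incident file. The gateway argument, envelope sender and function names are this example's own.

```python
# Added example (not one of the Forcepoint sample scripts): parse the incident
# XML the way Example 2 does, then build the notification with the standard
# email library so that incident-controlled text cannot inject extra headers.
# The sample incident layout below is constructed; confirm element names and
# namespace URIs against a real incident file before using this on a server.
import re
import smtplib
import sys
import xml.etree.ElementTree as ET
from email.message import EmailMessage

# Same namespace constants as Example 2; ".//" searches the whole tree.
EVT = ".//{http://www.portauthoritytech.com/schmea/incident/1.0}"
EVTSOURCE = EVT + "source"
EVTDETAIL = EVT + "detail"
EVTDESTINATIONS = EVT + "destinations"
EVTSUBJECT = EVT + "subject"

BODY_TEMPLATE = """Dear Sir or Madam,

A message sent to you from {source} with the subject "{subject}" has violated
PCI regulations and has been blocked by Forcepoint DLP. Please contact the
sender and request that they redact all cardholder information from the
message and resend it.

Regards,

Forcepoint DLP
"""

# Constructed sample incident. The subject deliberately carries a line break
# followed by a fake "Bcc:" line, the pattern a header-injection attempt uses.
SAMPLE_INCIDENT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<ns1:pa-xml-rpc xmlns:ns1="http://www.portauthoritytech.com/schmea/xml-rpc/1.0"
                xmlns:evt="http://www.portauthoritytech.com/schmea/incident/1.0">
  <ns1:request><ns1:params><evt:incident>
    <evt:source><evt:detail value="alice@example.com"/></evt:source>
    <evt:destinations>
      <evt:destination><evt:detail value="bob@example.com"/></evt:destination>
      <evt:destination><evt:detail value="carol@example.com"/></evt:destination>
    </evt:destinations>
    <evt:subject>Q3 numbers\r\nBcc: attacker@example.net</evt:subject>
  </evt:incident></ns1:params></ns1:request>
</ns1:pa-xml-rpc>
"""


def extract_incident(xml_text):
    """Return source, destination list and subject from incident XML text/bytes."""
    root = ET.fromstring(xml_text)
    source = root.find(EVTSOURCE).find(EVTDETAIL).get("value")
    dests = [d.find(EVTDETAIL).get("value") for d in root.find(EVTDESTINATIONS)]
    subject = root.find(EVTSUBJECT).text or ""
    return {"source": source, "destinations": dests, "subject": subject}


def header_safe(value):
    """Collapse CR/LF runs to a space so a value can only ever be one header."""
    return re.sub(r"[\r\n]+", " ", value).strip()


def build_notification(details, sender="Forcepoint DLP <dlp@example.com>"):
    """Build the recipient notification. EmailMessage itself refuses a
    multi-line header value, so header_safe() is what keeps the script from
    crashing on a hostile subject instead of merely rejecting it."""
    subject = header_safe(details["subject"])
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(header_safe(d) for d in details["destinations"])
    msg["Subject"] = "Re: " + subject
    msg.set_content(BODY_TEMPLATE.format(source=details["source"], subject=subject))
    return msg


def send_notification(msg, gateway, envelope_from="dlp@example.com"):
    """Relay through the internal gateway ("host:port") with a fixed envelope sender."""
    with smtplib.SMTP(gateway) as smtp:
        smtp.send_message(msg, from_addr=envelope_from)


if __name__ == "__main__":
    # Usage: notify.py <incident.xml> [gateway host:port]; without a gateway the
    # message is printed instead of sent, which is convenient while debugging.
    with open(sys.argv[1], "rb") as fh:
        message = build_notification(extract_incident(fh.read()))
    if len(sys.argv) > 2:
        send_notification(message, sys.argv[2])
    else:
        print(message)
```

Unlike Example 2, the envelope sender is a fixed address of the DLP server rather than the incident source, so the relay sees a sender it is configured to accept; change envelope_from if your relay expects something else.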
Example 3
This example is a VBScript that copies (or, when isMove is True, moves) files found by a discovery scan into a quarantine share.
option explicit

const isMove = True
const quarantineFolder = "\\10.0.46.40\quarantine"
const quarantineText = "Content has been removed please contact administrator"
'------------------------------
'~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'------------------------------

Dim xmlFile
Dim xmlDoc
Dim Node
Dim filePath
Dim objFSO
Dim objFile
Dim root
Dim destFilePath
Set objFSO = CreateObject("Scripting.FileSystemObject")

'Functions
'---------
' Create pFolderPath and any missing parent folders; returns True on success
Function GeneratePath(pFolderPath)
    GeneratePath = False
    ' Stop recursing once there is no parent left (e.g. above a share root)
    If Len(pFolderPath) = 0 Then Exit Function
    wscript.echo "GeneratePath " & pFolderPath
    If Not objFSO.FolderExists(pFolderPath) Then
        If GeneratePath(objFSO.GetParentFolderName(pFolderPath)) Then
            GeneratePath = True
            Call objFSO.CreateFolder(pFolderPath)
        End If
    Else
        GeneratePath = True
    End If
End Function


'main
'----
' The DLP server passes the incident XML file as the first argument
xmlFile = WScript.Arguments.Item(0)

set xmlDoc=CreateObject("Microsoft.XMLDOM")
if xmlDoc.load(xmlFile) then
    wscript.echo "Load XML succeeded"
else
    wscript.echo "Load XML failed"
    WScript.Quit -1
end if

' Only file-system discovery incidents (network shares or endpoints) are handled
Set Node = xmlDoc.documentElement.selectSingleNode("//ns1:pa-xml-rpc/ns1:request/ns1:params/evt:incident/evt:dataAtRest/evt:incidentInfo/evt:resourceType")
if Node is Nothing then
    wscript.echo "Incident has no data-at-rest resource type"
    WScript.Quit 0
end if
if Node.text <> "NETWORK" and Node.text <> "ENDPOINT" then
    wscript.echo "Incident is not file system discovery incident"
    WScript.Quit 0
end if
Set Node = xmlDoc.documentElement.selectSingleNode("//ns1:pa-xml-rpc/ns1:request/ns1:params/evt:incident/evt:dataAtRest/evt:file/evt:filepath")
' Drop the five-character scheme prefix from the incident path
filePath = right(Node.text,len(Node.text)-5)
wscript.echo "file path is : " & filePath

' Strip the leading "\\" so the UNC path becomes a subfolder of the quarantine folder
destFilePath = quarantineFolder & "\" & right(filePath,len(filePath)-2)
wscript.echo "Destination: " & destFilePath
If Not GeneratePath(objFSO.GetParentFolderName(destFilePath)) Then
    wscript.echo "Could not create " & objFSO.GetParentFolderName(destFilePath)
    WScript.Quit -1
End If
objFSO.CopyFile filePath, destFilePath
if isMove then
    ' Leave a marker file in place of the original, then delete the original
    Set objFile = objFSO.CreateTextFile(filePath & ".txt")
    objFile.WriteLine(quarantineText)
    objFile.Close
    objFSO.DeleteFile filePath
end if
wscript.echo "File, " & filePath & " was processed successfully"
To invoke the script, create a batch file with this command:
cscript "%~dp0DiscoveryIncidentProcessing.vbs" %1 %2
Please note that this script must be run with cscript.exe: under wscript.exe each WScript.Echo call opens a dialog box, and the script halts until the box is dismissed.
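The following is an added Python 3 port of Example 3, not a Forcepoint script, for sites that would rather not run VBScript on the DLP server. Beyond the copy-or-move logic it checks each component of the incident path before building the destination, so a path containing ".." or a second drive cannot place the quarantine copy outside the share. The element path follows the selectSingleNode() calls above; SAMPLE_DISCOVERY_XML, the assumption that the five characters Example 3 strips are a "file:" prefix, and the folding of a drive letter such as C: into a C folder are this example's own assumptions, so verify them against a real discovery incident.

```python
# Added example (not a Forcepoint script): a Python 3 port of the Example 3
# quarantine logic that refuses a destination outside the quarantine share.
# The sample incident layout, the "file:" prefix and the drive-letter folding
# are assumptions; confirm them against a real discovery incident file.
import ntpath
import os
import re
import shutil
import sys
import tempfile
import xml.etree.ElementTree as ET

NS1 = "{http://www.portauthoritytech.com/schmea/xml-rpc/1.0}"
EVT = "{http://www.portauthoritytech.com/schmea/incident/1.0}"
# Same element path as the selectSingleNode() calls in Example 3
DATA_AT_REST = NS1 + "request/" + NS1 + "params/" + EVT + "incident/" + EVT + "dataAtRest/"
RESOURCE_TYPE = DATA_AT_REST + EVT + "incidentInfo/" + EVT + "resourceType"
FILE_PATH = DATA_AT_REST + EVT + "file/" + EVT + "filepath"

QUARANTINE_ROOT = r"\\10.0.46.40\quarantine"
QUARANTINE_TEXT = "Content has been removed please contact administrator"

# Constructed sample incident (layout assumed from the XPath in Example 3)
SAMPLE_DISCOVERY_XML = r"""<?xml version="1.0" encoding="UTF-8"?>
<ns1:pa-xml-rpc xmlns:ns1="http://www.portauthoritytech.com/schmea/xml-rpc/1.0"
                xmlns:evt="http://www.portauthoritytech.com/schmea/incident/1.0">
  <ns1:request><ns1:params><evt:incident><evt:dataAtRest>
    <evt:incidentInfo><evt:resourceType>NETWORK</evt:resourceType></evt:incidentInfo>
    <evt:file><evt:filepath>file:\\fs01\finance\q3\numbers.xlsx</evt:filepath></evt:file>
  </evt:dataAtRest></evt:incident></ns1:params></ns1:request>
</ns1:pa-xml-rpc>
"""


def parse_discovery_incident(xml_text):
    """Return (resourceType, raw filepath); raise if not a data-at-rest incident."""
    root = ET.fromstring(xml_text)
    rtype, fpath = root.find(RESOURCE_TYPE), root.find(FILE_PATH)
    if rtype is None or fpath is None:
        raise ValueError("not a file-system discovery incident")
    return rtype.text.strip(), fpath.text.strip()


def strip_scheme(raw_path):
    """Example 3 drops five leading characters; assumed to be a 'file:' prefix."""
    return raw_path[5:] if raw_path.lower().startswith("file:") else raw_path


def quarantine_destination(file_path, root=QUARANTINE_ROOT):
    """Map a UNC or local path to the matching subfolder of the quarantine share.

    Example 3 only chops the leading separators; here every component is
    checked so ".." or an extra drive cannot land the copy outside the share.
    """
    parts = [p for p in re.split(r"[\\/]+", file_path) if p]
    if not parts or any(p in (".", "..") for p in parts):
        raise ValueError("refusing path with traversal components: %r" % file_path)
    # Endpoint incidents carry local paths; fold "C:" into a "C" folder (assumption)
    parts = [p[:-1] if re.fullmatch(r"[A-Za-z]:", p) else p for p in parts]
    if any(":" in p for p in parts):
        raise ValueError("refusing path with drive or stream separator: %r" % file_path)
    return ntpath.join(root, *parts)


def quarantine_file(src, dest, move=True, marker_text=QUARANTINE_TEXT):
    """Copy src to dest, creating folders; on move, leave a marker and delete src."""
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    shutil.copy2(src, dest)
    if move:
        with open(src + ".txt", "w", encoding="utf-8") as marker:
            marker.write(marker_text + "\n")
        os.remove(src)
    return dest


def run_local_demo():
    """Exercise quarantine_file() in a throwaway directory and report what is left."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "share", "secret.docx")
        os.makedirs(os.path.dirname(src))
        with open(src, "w", encoding="utf-8") as fh:
            fh.write("constructed sample content")
        dest = quarantine_file(src, os.path.join(tmp, "quarantine", "share", "secret.docx"))
        return {"dest_exists": os.path.isfile(dest),
                "src_removed": not os.path.exists(src),
                "marker_exists": os.path.isfile(src + ".txt")}


if __name__ == "__main__":
    # Usage: quarantine.py <incident.xml>  (the DLP server passes the file path)
    with open(sys.argv[1], "rb") as fh:
        rtype, raw_path = parse_discovery_incident(fh.read())
    if rtype not in ("NETWORK", "ENDPOINT"):
        sys.exit(0)  # same early exit as Example 3
    src = strip_scheme(raw_path)
    quarantine_file(src, quarantine_destination(src))
```

Like the VBScript, this runs as the DLP server's service account, which therefore needs write access to the quarantine share and delete rights on the scanned share; keep the quarantine share itself restricted, since it will hold the sensitive files.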
Example 4
The following example is short but very useful:
# Copy the context xml file into a backup folder
import sys,os

fileName=sys.argv[1]

# Check the current OS platform
if sys.platform[:5]=='linux':
    tempFolder='/tmp'
elif sys.platform[:3]=='win':
    tempFolder=r'c:\temp' # assumes the folder is there!!!
else:
    # different platform?
    sys.exit(1)

newName=os.path.join(tempFolder,os.path.split(fileName)[1])

# copy! (the with-blocks close both files even if the copy fails)
with open(fileName,'rb') as oldFile, open(newName,'wb') as newFile:
    newFile.write(oldFile.read())
This short piece of code simply copies the provided XML file to a temporary location, usually for debugging or further examination.
Copyright 2018 Forcepoint. All rights reserved.