Data Loss Prevention

  • 1.  DLP POSH Scripting with Invoke-WebRequest - Sample Code

    Posted May 10, 2017 11:54 AM

    I've successfully been able to update a reusable sender pattern by scripting it with PowerShell and the very powerful Invoke-WebRequest cmdlet.

     

    This code was just a proof-of-concept. Now that I know updates can be scripted, I'm going to clean up the static variables and loop some of the logic based on lists. At the end of the day, I want to automate some of the more remedial parts of DLP such as metrics gathering or simple policy updates.

     

    #login and save session
    $credential = Get-Credential
    $uaString = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    $webRequest = Invoke-WebRequest -Uri 'https://dlp.com/ProtectManager/enforce/navigate?menuID=default' -SessionVariable webSession -UserAgent $uaString
    $logonForm = $webRequest.Forms | Where-Object {$_.Id -eq 'logonForm'}
    $logonForm.Fields.username  = $credential.UserName
    $logonForm.Fields.j_username  = $credential.UserName + ':DLP.com'
    $logonForm.Fields.password = $credential.GetNetworkCredential().Password
    $logonForm.Fields.j_password = $credential.GetNetworkCredential().Password
    $logonForm.Fields.domain = 'DLP.com'
    $webRequest = Invoke-WebRequest -Uri 'https://dlp.com/ProtectManager/j_security_check' -Method $logonForm.Method -Body $logonForm.Fields -WebSession $webSession -UserAgent $uaString
    if ($webRequest.Links | Where-Object {$_ -like '*logout*'}) {
    
        Write-Host "Login verified!"
    
    } else {
    
        Write-Host 'Login unsuccessful!' -ForegroundColor Red -BackgroundColor DarkBlue
        exit
    }
    # Read the CSRF token from the post-login page; it is sent back with the update form
    $csrf = ($webRequest.ParsedHTML.getElementsByName('csrf-protection-token') | Select-Object *).Content
    #update TLS Policy
    $domains = Get-Content .\tls-domains.csv -Raw
    $ListSenderPatterns = Invoke-WebRequest -WebSession $webSession -Uri 'https://dlp.com/ProtectManager/enforce/admin/senderrecipientpatterns/list'
    # 5043 is the ID of the pattern being edited, hard-coded in this proof-of-concept
    $v1 = ($ListSenderPatterns.Links | Where-Object {$_.'data-edit-url' -like '*5043*'}).'data-edit-url'
    # Un-escape '&amp;' to '&' in the edit URL taken from the HTML attribute
    $version = $v1.Replace('amp;','')
    $edit_policy = 'https://dlp.com/ProtectManager/enforce/admin/senderrecipientpatterns/'+$version
    $GoToPattern = Invoke-WebRequest -WebSession $webSession -Uri $edit_policy
    $UpdatePattern = $GoToPattern.Forms | Where-Object {$_.Id -eq 'editReusableRecipientPatternForm'}
    $UpdatePattern.Fields.name = $UpdatePattern.Fields.'recipient-name-edit'
    #$UpdatePattern.Fields.description = ''
    $UpdatePattern.Fields.userPatterns = $domains
    #$UpdatePattern.Fields.ipAddresses = ''
    #$UpdatePattern.Fields.urlDomains = ''
    $UpdatePattern.Fields.csrfProtectionToken = $csrf
    $UpdatePattern.Fields.'value(csrfProtectionToken)' = $csrf
    $ApplyPattern = Invoke-WebRequest -WebSession $webSession -Uri 'https://dlp.com/ProtectManager/enforce/admin/senderrecipientpatterns/recipient_patterns/update' -Method $UpdatePattern.Method -Body $UpdatePattern.Fields 
    Write-Host "Updated TLS List"

     



  • 2.  RE: DLP POSH Scripting with Invoke-WebRequest - Sample Code

    Trusted Advisor
    Posted May 11, 2017 01:40 AM

    Thanks for this very useful script.

     



  • 3.  RE: DLP POSH Scripting with Invoke-WebRequest - Sample Code

    Posted May 12, 2017 04:58 PM

    Here is a "polished" version of the script that updates reusable patterns based on any CSV file in the running directory. CSV file name must match the reusable pattern name!

     

    #login and save session
    Write-Host "Initiating Login and Web Session"
    $credential = Get-Credential
    $uaString = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    $webRequest = Invoke-WebRequest -Uri 'https://dlp.com/ProtectManager/enforce/navigate?menuID=default' -SessionVariable webSession -UserAgent $uaString
    $logonForm = $webRequest.Forms | Where-Object {$_.Id -eq 'logonForm'}
    $logonForm.Fields.username  = $credential.UserName
    $logonForm.Fields.j_username  = $credential.UserName + ':DLP.COM'
    $logonForm.Fields.password = $credential.GetNetworkCredential().Password
    $logonForm.Fields.j_password = $credential.GetNetworkCredential().Password
    $logonForm.Fields.domain = 'DLP.COM'
    $webRequest = Invoke-WebRequest -Uri 'https://dlp.com/ProtectManager/j_security_check' -Method $logonForm.Method -Body $logonForm.Fields -WebSession $webSession -UserAgent $uaString
    if ($webRequest.Links | Where-Object {$_ -like '*logout*'}) {
    
        Write-Host "Login verified!"
    
    } else {
    
        Write-Host 'Login unsuccessful!' -ForegroundColor Red -BackgroundColor DarkBlue
        exit
    }
    
    #update Find Exclusion name and URL
    
    $pathCSV = '.' 
    $listCSVFiles = Get-ChildItem $pathCSV -Filter *.csv
    
    foreach ($exclusioncsvname in $listCSVFiles) {
    $csrf = ($webRequest.ParsedHTML.getElementsByName('csrf-protection-token') | Select-Object *).Content
    
    $domains = Get-Content $exclusioncsvname.Name -Raw
    $exclusionname = $exclusioncsvname.BaseName
    #$exclusionname = 'SSSSS'
    Write-Host "Updating $exclusionname Exclusions"
    $ListSenderPatterns = Invoke-WebRequest -WebSession $webSession -Uri 'https://dlp.com/ProtectManager/enforce/admin/senderrecipientpatterns/list'
    # Find the pattern's delete link by name; its href carries the pattern ID
    $v1 = ($ListSenderPatterns.Links | Where-Object {$_.'outerHTML' -like ('*' + $exclusionname + '*')}).'href'
    if ($null -eq $v1) {
        Write-Host "Incorrect Exclusion List " $exclusioncsvname.BaseName -ForegroundColor Red -BackgroundColor DarkBlue
        return
    } else {
        Write-Host "Found exclusion list " $exclusioncsvname.BaseName
    }
    $id = $v1.Replace('delete?id=','')
    # Look up the edit URL for that ID and un-escape '&amp;' to '&'
    $v2 = ($ListSenderPatterns.Links | Where-Object {$_.'data-edit-url' -like ('*' + $id + '*')}).'data-edit-url'
    $version = $v2.Replace('amp;','')
    # The text before the first '_' (e.g. 'recipient') selects the form fields and the update endpoint
    $direction = $version.split('_')[0]
    $edit_policy = 'https://dlp.com/ProtectManager/enforce/admin/senderrecipientpatterns/'+$version
    $GoToPattern = Invoke-WebRequest -WebSession $webSession -Uri $edit_policy
    $UpdatePattern = $GoToPattern.Forms | Where-Object {$_.Id -like 'editReusable' + '*' + 'PatternForm'}
    $nameedit = "$direction" + '-name-edit'
    $UpdatePattern.Fields.name = $UpdatePattern.Fields."$nameedit"
    #$UpdatePattern.Fields.description = ''
    $UpdatePattern.Fields.userPatterns = $domains
    #$UpdatePattern.Fields.ipAddresses = ''
    #$UpdatePattern.Fields.urlDomains = ''
    $UpdatePattern.Fields.csrfProtectionToken = $csrf
    $UpdatePattern.Fields.'value(csrfProtectionToken)' = $csrf
    $updateURI = 'https://dlp.com/ProtectManager/enforce/admin/senderrecipientpatterns/' + $direction + '_patterns/update'
    $ApplyPattern = Invoke-WebRequest -WebSession $webSession -Uri $updateURI -Method $UpdatePattern.Method -Body $UpdatePattern.Fields 
    #verify TLS policy
    $domains = Get-Content $exclusioncsvname.Name -Raw
    $ListSenderPatterns = Invoke-WebRequest -WebSession $webSession -Uri 'https://dlp.com/ProtectManager/enforce/admin/senderrecipientpatterns/list'
    $v1 = ($ListSenderPatterns.Links | where-object {$_.'data-edit-url' -like ('*' + $id + '*')}).'data-edit-url'
    $version = $v1.Replace('amp;','')
    $edit_policy = 'https://dlp.com/ProtectManager/enforce/admin/senderrecipientpatterns/'+$version
    $GoToPattern = Invoke-WebRequest -WebSession $webSession -Uri $edit_policy
    $verify = $GoToPattern.ParsedHtml.getElementsByName('userPatterns')
    $verifyvalue = ($verify | Select-Object *).value
    If ($verifyvalue -eq $domains) {
        Write-Host "Updated " $exclusioncsvname.BaseName
        } else {
        Write-Host "Something went wrong with " $exclusioncsvname.BaseName "!" -ForegroundColor Red -BackgroundColor DarkBlue
        return
    }
    }
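
The verification step above compares the raw CSV text with the field value read back, and those can differ in line endings, case or trailing whitespace even when the entries match. As an added example (not part of the original post), the helper below normalizes both sides and reports added and removed entries before and after an update; the function names, the comma/newline separators and the `MaxRemovals` threshold are assumptions.

```powershell
# Added example, not from the original post. Function names, the separator
# set and the MaxRemovals threshold are assumptions made for illustration.
function ConvertTo-PatternSet {
    param([string]$Text)
    # Split on commas/newlines, trim, lower-case, drop blanks, de-duplicate
    $items = @($Text -split '[,\r\n]+' |
        ForEach-Object { $_.Trim().ToLowerInvariant() } |
        Where-Object { $_ } |
        Sort-Object -Unique)
    return ,$items
}

function Compare-PatternList {
    param(
        [string]$Current,       # userPatterns value read from the edit form
        [string]$Desired,       # raw content of the CSV file
        [int]$MaxRemovals = 10  # hypothetical guard against mass deletion
    )
    $cur = ConvertTo-PatternSet $Current
    $new = ConvertTo-PatternSet $Desired
    $added   = @($new | Where-Object { $cur -notcontains $_ })
    $removed = @($cur | Where-Object { $new -notcontains $_ })
    [pscustomobject]@{
        Added       = $added
        Removed     = $removed
        InSync      = ($added.Count -eq 0 -and $removed.Count -eq 0)
        # Never push an empty list or one that drops many entries at once
        SafeToApply = ($new.Count -gt 0 -and $removed.Count -le $MaxRemovals)
    }
}

# Constructed sample values: CRLF vs LF endings, mixed case, trailing newline
$current = "partner-a.example`r`npartner-b.example`r`n"
$desired = "Partner-A.example`npartner-c.example`n"

# Before the update: review what would change and stop on an unsafe list
$plan = Compare-PatternList -Current $current -Desired $desired
if (-not $plan.SafeToApply) { throw 'Refusing to apply: list is empty or removes too many entries' }
$plan.Added   | ForEach-Object { Write-Host "+ $_" }
$plan.Removed | ForEach-Object { Write-Host "- $_" }

# After the update: pass the value read back from the form as -Current.
# The sample list is reused here to stand in for that read-back value.
$check = Compare-PatternList -Current $desired -Desired $desired
Write-Host "In sync after update: $($check.InSync)"
```

Logging the `Added` and `Removed` lists on each run also leaves an audit trail of what the automation changed in each reusable pattern.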

     



  • 4.  RE: DLP POSH Scripting with Invoke-WebRequest - Sample Code

    Posted May 25, 2017 07:44 PM

    This is really awesome! I see a lot of possibilities here. Thanks for sharing.