Isolate a Security Agent

This task retrieves a list of Security Agents and then isolates a specific Security Agent.

Obtain an application ID and API key.
Define the libraries and functions necessary to create JSON Web Tokens for authorization.
Obtain the host name of the Security Agent that you want to isolate.
Isolate the Security Agent.

Obtain an Application ID and API Key

This task retrieves the application ID and API key for an external application that consumes Apex Central Automation APIs.

Go to Administration > Settings > Automation API Access Settings.

The Automation API Access Settings screen appears.
Click Add.
The Application Access Settings section appears and displays the following information:
- Application ID: Used by Apex Central to identify the external application
- API key: Used by the external application to sign requests sent to Apex Central
- API type: Indicates the API functions that the external application can access
Select Enable application integration using Apex Central Automation APIs.
Configure the following settings.
- Application name: Specify an easily identifiable name for the application.
- Communication time-out: Select the maximum number of seconds allowed for a request to reach Apex Central after the application generates the request.
Click Save.

The Automation API Access Settings screen appears and displays the newly added application in the table.

In Python, assign values to following parameters.


Parameter	Value
`use_application_id`	Your application ID
`use_api_key`	Your API key
`use_url_base`	Your server URL

use_application_id = YOUR_APPLICATION_ID
use_api_key = YOUR_API_KEY
use_url_base = YOUR_SERVER_URL

Define the Libraries and Functions Required for JSON Web Token Creation

This task defines the necessary libraries and functions for creating the JSON web token (JWT).

Define the necessary libraries.

import base64
import jwt
import hashlib
import time
import json

Define the function that creates the checksum.

def create_checksum(http_method, raw_url, headers, request_body):
    string_to_hash = http_method.upper() + '|' + raw_url.lower() + '|' + headers + '|' + request_body
    base64_string = base64.b64encode(hashlib.sha256(str.encode(string_to_hash)).digest()).decode('utf-8')
    return base64_string

Define the function that creates the JWT.


def create_jwt_token(appication_id, api_key, http_method, raw_url, headers, request_body,
                     iat=time.time(), algorithm='HS256', version='V1'):
    checksum = create_checksum(http_method, raw_url, headers, request_body)
    payload = {'appid': appication_id,
               'iat': iat,
               'version': version,
               'checksum': checksum}
    token = jwt.encode(payload, api_key, algorithm=algorithm).decode('utf-8')
    return token

Obtain the Host Name of the Security Agent

This task retrieves the host name of the Security Agent that you want to isolate.

Retrieve the list of Security Agents that are managed by the selected server, and assign the response value to r.

For more information about the "List Security Agents" API, see https://automation.trendmicro.com/apex-central/api#tag/Security-Agents.

print('(Optional) Get the Security Agent list, if you does not have host name.')
productAgentAPIPath = '/WebApp/API/AgentResource/ProductAgents'
canonicalRequestHeaders = ''
 
useRequestBody = ''
useQueryString=''
 
jwt_token = create_jwt_token(use_application_id, use_api_key, 'GET',
                              productAgentAPIPath + useQueryString,
                              canonicalRequestHeaders, useRequestBody, iat=time.time())
 
headers = {'Authorization': 'Bearer ' + jwt_token , 'Content-Type': 'application/json;charset=utf-8'}
r = requests.get(use_url_base + productAgentAPIPath + useQueryString, headers=headers, verify=False)

Perform error handling and print the API response.

if r.status_code !=200 and r.status_code!=201:
  print('Not successful, please handle your error')
 
#Show the information of agents. 
# print(r.status_code)
# print(json.dumps(r.json(), indent=4))
host_name = r.json()["result_content"][0]["host_name"]
print("host name:", host_name)

Locate the host name in the response.

200
{
    "result_code": 1,
    "result_description": "Operation successful",
    "result_content": [
       {
            "entity_id": "492E8584-0114-694D-BF9D-44CC20141501",
            "product": "SLF_PRODUCT_OFFICESCAN_CE",
            "managing_server_id": "33111111-1111-AAAA-AAAA-111100000001",
            "ad_domain": "",
            "folder_path": "DOMAIN",
            "ip_address_list": "10.1.1.1",
            "mac_address_list": "00-60-59-A4-70-2D",
            "host_name": "client01",
            "isolation_status": "normal",
            "capabilities": [
                "cmd_restore_isolated_agent",
                "cmd_isolate_agent",
                "cmd_relocate_agent",
                "cmd_uninstall_agent"
            ]
        },
        ...
        {
            "entity_id": "80180123-1059-CCCC-CCCC-111100000010",
            "product": "SLF_PRODUCT_HEADLESS_DSM",
            "managing_server_id": "80180123-1059-694D-BF9D-44CC80320001",
            "ad_domain": "",
            "folder_path": "iptlab",
            "ip_address_list": "100.1.1.10",
            "mac_address_list": "00-50-56-A7-69-10",
            "host_name": "host8",
            "isolation_status": "not_supported",
            "capabilities": []
        }
    ]
}

Verify that the Security Agent can be isolated using the API.

Note:

If the capabilities parameter contains cmd_isolate_agent, then the Security Agent can be isolated using the API.

Assign a value to host_name.

### Setting the host name of security agent.
print('Setting the host name of security agent.')
host_name = r.json()["result_content"][0]["host_name"]
print("host name:", host_name)

Isolate the Security Agent

This task isolates the specified Security Agent from the network.

Specify the host name of the Security Agent.

For more information about the "Isolate, Restore, Relocate, or Uninstall Security Agent" API, see https://automation.trendmicro.com/apex-central/api#tag/Update-Agents.

To successfully isolate the Security Agent, you must include all of the following parameters in the payload.


Parameter	Value	Purpose
`host_name`	`YOUR_HOST_NAME`	Identifies the endpoint on which the Security Agent is installed
`act`	`cmd_isolate_agent`	Isolates the Security Agent
`allow_multiple_match`	`True`	Allows modification of multiple Security Agents

You can identify the Security Agent using one or more (any combination) of the following parameters. In this use case, only host_name is specified.


Name	Type	Description
`entity_id`	String	GUID of the managed product agent
`host_name`	String	Endpoint name of the managed product agent
`ip_address`	String	IP address of the managed product agent
`mac_address`	String	MAC address of the managed product agent
`product`	String	Trend Micro product on the server instance

### Using host name to isolate the security agent network connection.
print('Using host name to isolate the security agent network connection.')
productAgentAPIPath = '/WebApp/API/AgentResource/ProductAgents'
canonicalRequestHeaders = ''
useQueryString = ''
  
payload = {
  "host_name":host_name,
  "act":"cmd_isolate_agent",
  "allow_multiple_match":True
  }
useRequestBody = json.dumps(payload) 
  
jwt_token = create_jwt_token(use_application_id, use_api_key, 'POST',
                              productAgentAPIPath + useQueryString,
                              canonicalRequestHeaders, useRequestBody, iat=time.time())
 
headers = {'Authorization': 'Bearer ' + jwt_token , 'Content-Type': 'application/json;charset=utf-8'}
r = requests.post(use_url_base + productAgentAPIPath + useQueryString, headers=headers, data=useRequestBody, verify=False)

Note:

If the allow_multiple_match value is False and the specified parameters match multiple agents, the operation will be unsuccessful.

Perform error handling and print the API response.

if r.status_code !=200 and r.status_code!=201:
  print('Not successful, please handle your error')
 
# print(r.status_code)
# print(json.dumps(r.json(), indent=4))

Verify that the isolated_status value is isolated.


Value	Description
`connection_restoration_pending`	The agent restoration command has been issued and reconnection of the Security Agent to the network is pending.
`endpoint_isolation_pending`	The agent isolation command has been issued and agent isolation is pending.
`isolated`	The Security Agent is currently isolated from the network.
`normal`	The network connection of the Security Agent is normal and, if applicable, can be isolated from the network.
`not_supported`	The Security Agent version does not support this function.

If your request was successful, the response will be similar to the following:

200
{
    "result_code": 1,
    "result_description": "Operation successful",
    "result_content": [
      {
       "entity_id":"8a1a84550462-40bc9afc-3770-16ac-cd6c",
       "product":"SLF_PRODUCT_OFFICESCAN_CE",
       "managing_server_id":
          "026332F39EBC-41C19604-02DD-2C5F-EDE5",
       "ad_domain":"",
       "folder_path":"Workgroup",         
       "ip_address_list":"192.168.121.132",
       "mac_address_list":"00-0C-29-9B-AB-65",         
       "host_name":"OSCECLIENT",
       "isolation_status":"normal",         
       "capabilities":[
          "cmd_uninstall_agent",
          "cmd_relocate_agent",
          "cmd_isolate_agent",
          "cmd_restore_isolated_agent"
        ]
      }
    ]
}

Important:

Not all Security Agents can be isolated using the API. If result_code value is 1 and the result_content value is a null array [], the operation was successful but the specified Security Agent cannot be isolated using the API.

Automation Center

Trend Micro Apex Central™

Apex Central Automation API Guide

Isolate a Security Agent

Obtain an Application ID and API Key

Define the Libraries and Functions Required for JSON Web Token Creation

Obtain the Host Name of the Security Agent

Isolate the Security Agent