MazeRunner SDK elements

APIClient

class api_client.APIClient(host, api_key, api_secret, certificate)[source]

This is the starting point for any interaction with MazeRunner.

Parameters:
  • host – The hostname or IP address of MazeRunner.
  • api_key – API key ID. See below how to get one.
  • api_secret – Secret key. See below how to get one.
  • certificate – Path to certificate file. See below how to get one.

How to get your API key and certificate:

  • Open your browser and log in to MazeRunner.
  • Click the gear icon on the top right corner of the screen and select “Manage API keys”.
  • Click “Download SSL certificate” and save the file.
  • Click “Create API key”.
  • Type a description and click “Create”.
  • The api_key will appear as “Key ID”.
  • The api_secret will appear as “Secret Key”.

Example:

client = mazerunner.connect(ip_address="1.2.3.4",
                               api_key="my-api-key",
                               api_secret="my-api-secret",
                               certificate="/path/to/MazeRunner.crt")

my_service = client.services.get_item(id=8)

active_soc_events

Get an api_client.ActiveSOCEventCollection instance. You can use this to send events to a SOC interface of the type “SOC via MazeRunner API”.

Example:

client = mazerunner.connect(...)
client.active_soc_events.create_multiple_events("my-soc-interface-name", [{
    "ComputerName": "TEST_ENDPOINT1",
    "EventCode": 4625
}, {
    "ComputerName": "TEST_ENDPOINT2",
    "EventCode": 529
}])

alert_policies

Get an api_client.AlertPolicyCollection instance, on which you can perform update operations.

Example:

client = mazerunner.connect(...)
client.alert_policies.reset_all_to_default()

alerts

Get an api_client.AlertCollection instance, on which you can perform read and delete operations.

Example:

client = mazerunner.connect(...)
code_alerts = client.alerts.filter(alert_types=["code"])

api_request(url, method='get', query_params=None, data=None, files=None, stream=False, expect_json_response=True)[source]

Execute a synchronous API request against MazeRunner and return the result.

Parameters:
  • url – The request url.
  • method – HTTP method (get, post, put, patch, delete).
  • query_params – A dict of the request query parameters.
  • data – Request body.
  • files – Files to be sent with the request.
  • stream – Whether to stream the response body instead of reading it all at once.
  • expect_json_response – If True (default), the function will expect an application/json Content-Type in the response, and will return a parsed object as a result. If the response is not in JSON format, a ValidationError or ValueError will be raised.
background_tasks

Get a api_client.BackgroundTaskCollection instance, on which you can perform read and update operations.

Example:

client = mazerunner.connect(...)
completed_tasks = client.background_tasks.filter(running=False)

breadcrumbs

Get a api_client.BreadcrumbCollection instance, on which you can perform CRUD operations.

Example:

client = mazerunner.connect(...)
mysql_breadcrumb = client.breadcrumbs.create(
    breadcrumb_type="mysql",
    name="mysql_breadcrumb",
    deploy_for="root",
    installation_type="mysql_history")

cidr_mappings

Get an api_client.CIDRMappingCollection instance. You can use this to import endpoints in bulk by their reverse DNS records.

Example:

client = mazerunner.connect(...)
developers_segment = client.cidr_mappings.create(
    cidr_block="192.168.5.0/24",
    deployment_group=5,
    comments="R&D",
    active=True)
developers_segment.generate_endpoints()

decoys

Get a DecoyCollection instance, on which you can perform CRUD operations.

Example:

client = mazerunner.connect(...)
backup_server_story_decoy = client.decoys.create(
    name="backup_server_decoy",
    os="Windows_Server_2012",
    hostname="backupserver",
    vm_type="KVM")

old_decoy = client.decoys.get_item(id=5)
old_decoy.delete()

deployment_groups

Get a api_client.DeploymentGroupCollection instance, on which you can perform CRUD operations.

Example:

client = mazerunner.connect(...)
hr_deployment_group = client.deployment_groups.create(
    name="breadcrumbs_for_hr_machines")

endpoints

Get an api_client.EndpointCollection instance, on which you can perform CRUD operations.

Example:

client = mazerunner.connect(...)
hr_endpoints = client.endpoints.filter(keywords="hr_workstation_")

forensic_puller_on_demand

Get an api_client.ForensicPullerOnDemand instance, on which you can perform read and delete operations.

Example:

client = mazerunner.connect(...)
client.forensic_puller_on_demand.run_on_ip_list(ip_list=["192.168.1.1"])

services

Get a api_client.ServiceCollection instance, on which you can perform CRUD operations.

Example:

client = mazerunner.connect(...)
app_db_service = client.services.create(
    name="app_db_service",
    service_type="mysql")

storage_usage

Get an api_client.StorageUsageData instance.

Decoys

class api_client.Decoy(api_client, param_dict)[source]

A decoy is a virtual machine, to which you want to attract the attacker.

A decoy may be a KVM machine nested inside the MazeRunner machine, or an external machine downloaded as an OVA and manually deployed on an ESX machine.

delete()

Delete this element.

download(location_with_name)[source]

Download the decoy. Applicable for OVA only.

Parameters: location_with_name – Destination path.

load()

Using the element ID, populate all of the element info from the server.

power_off()[source]

Shut down the decoy machine.

power_on()[source]

Start the decoy machine.

recreate()[source]

Recreate the decoy machine.

test_dns()[source]

Check whether the decoy is properly registered in the DNS server.

update(name, chosen_static_ip=None, chosen_subnet=None, chosen_gateway=None, chosen_dns=None, dns_address='')[source]

Change decoy configuration.

Parameters:
  • name – Decoy name.
  • chosen_static_ip – Static IP of the decoy.
  • chosen_subnet – Decoy subnet mask.
  • chosen_gateway – Decoy default gateway (router address).
  • chosen_dns – The DNS server the decoy will use. This is not a DNS name of the decoy.
  • dns_address – The DNS name of the decoy. If set, the breadcrumbs will use this DNS instead of the decoy IP.
class api_client.DecoyCollection(api_client, obj_class=None)[source]

A subset of decoys in the system.

This entity will be returned by api_client.APIClient.decoys.

create(os, vm_type, name, hostname, chosen_static_ip=None, chosen_subnet=None, chosen_gateway=None, chosen_dns=None, interface=1, vlan=None, ec2_region=None, ec2_subnet_id=None, account=None, dns_address='', network_type='PROMISC')[source]

Create a decoy.

Parameters:
  • network_type – Network type of the decoy. Options: PROMISC, NON_PROMISC, VLAN_TRUNK.
  • os – OS installed on the server. Options: Ubuntu_1404, Windows_7, Windows_Server_2012, Windows_Server_2008.
  • vm_type – Server type. KVM for nested (recommended) or OVA for standalone.
  • name – Internal name of the decoy.
  • hostname – The decoy server name as an attacker sees it when they log in to the server.
  • chosen_static_ip – A static IP for the server.
  • chosen_subnet – Decoy subnet mask.
  • chosen_gateway – Decoy default gateway address.
  • chosen_dns – The DNS server address (This is NOT the name of the decoy).
  • interface – The physical interface to which the decoy should be connected.
  • vlan – VLAN to which the decoy will be connected (if applicable).
  • ec2_region – EC2 region (e.g., eu-west-1), if applicable.
  • ec2_subnet_id – EC2 subnet ID, if applicable.
  • account – EC2 account ID, if applicable.
  • dns_address – The DNS name of the decoy. If given, the breadcrumbs will use this DNS name instead of the decoy IP.
create_item(data, files=None)

Create an instance of the element.

It is recommended to avoid using this method. Instead, use the create methods of the relevant inheriting class.

Parameters:
  • data – Element data.
  • files – Relevant file paths to upload for the element.
get_item(id)

Get a specific item by ID.

Parameters: id – Desired item ID.

params()

Request for information about the applicable values for the entity fields.

Services

class api_client.Service(api_client, param_dict)[source]

This is the application that will be installed on the api_client.Decoy, to which the attacker will be tempted to connect.

Examples of services:

  • Git
  • SSH
  • MySQL
  • Remote desktop
connect_to_decoy(decoy_id)[source]

Connect the service to the given decoy.

Parameters: decoy_id – The ID of the decoy to which the service should be attached.

delete()

Delete this element.

detach_from_decoy(decoy_id)[source]

Detach the service from the given decoy.

Parameters: decoy_id – Decoy ID from which the service should be detached.

load()

Using the element ID, populate all of the element info from the server.

update(name, zip_file_path=None, **kwargs)[source]

Update all of the service attributes.

Parameters:
  • name – Internal name for the service.
  • zip_file_path – A file to upload, if applicable.
  • kwargs – Additional relevant parameters.
class api_client.ServiceCollection(api_client, obj_class=None)[source]

A subset of services in the system.

This entity will be returned by api_client.APIClient.services.

create(name, service_type, zip_file_path=None, **kwargs)[source]

Create a service.

Parameters:
  • name – An internal name for the service.
  • service_type – The application you want to install. Try the params method for the available options.
  • zip_file_path – The path of a ZIP file to upload, if applicable.
  • kwargs – Additional relevant parameters.
create_item(data, files=None)

Create an instance of the element.

It is recommended to avoid using this method. Instead, use the create methods of the relevant inheriting class.

Parameters:
  • data – Element data.
  • files – Relevant file paths to upload for the element.
get_item(id)

Get a specific item by ID.

Parameters: id – Desired item ID.

params()

Request for information about the applicable values for the entity fields.

Deployment groups

class api_client.DeploymentGroup(api_client, param_dict)[source]

A deployment group is a connection between a list of breadcrumbs and a list of endpoints on which the breadcrumbs should be deployed.

The relationship between a breadcrumb and a deployment group is many-to-many.

The relationship between an endpoint to a deployment group is many-to-one.

When set, you can use api_client.DeploymentGroup.auto_deploy() to install the deployment group’s associated breadcrumbs on the deployment group’s associated endpoints.

auto_deploy(install_method, run_method, username, password, domain='', deploy_on='all')[source]

Deploy all the breadcrumbs that are members of this deployment group on all the endpoints that are assigned to this deployment group.

Parameters:
  • install_method – The format of the installation file: EXE_DEPLOY or CMD_DEPLOY.
  • run_method – Currently only PS_EXEC is supported.
  • username – A Windows username, which MazeRunner will use to authenticate itself for installing on the endpoint.
  • password – The password for that user.
  • domain – The domain of that user. Pass an empty string for a local user.
  • deploy_on – Options are: “all” for all endpoints assigned to this group, or “failed” if you only want to deploy on the endpoints where no previous successful deployment has taken place.
check_conflicts(os)[source]

Check whether this deployment group contains two or more conflicting breadcrumbs.

A conflict will happen, for example, when two breadcrumbs of the same type use the same username.

Parameters: os – OS type (Windows/Linux).

delete()

Delete this element.

deploy(location_with_name, os, download_type, download_format='ZIP')[source]

Download this deployment group’s installer/uninstaller.

Parameters:
  • location_with_name – Local destination path.
  • os – OS for which the installation is intended.
  • download_type – Installation action (install/uninstall).
  • download_format – Installer format (ZIP/MSI/EXE).
load()

Using the element ID, populate all of the element info from the server.

partial_update(name=None, description=None)[source]

Update only the specified fields.

Parameters:
  • name – Deployment group name.
  • description – Deployment group description.
update(name, description)[source]

Update all of the deployment group’s fields.

Parameters:
  • name – Deployment group name.
  • description – Deployment group description.
class api_client.DeploymentGroupCollection(api_client, obj_class=None)[source]

A subset of deployment groups in the system.

This entity will be returned by api_client.APIClient.deployment_groups.

auto_deploy_groups(deployment_groups_ids, install_method, run_method, username, password, domain=None, deploy_on='all')[source]

For each of the specified deployment_groups_ids, deploy all its member breadcrumbs on all the endpoints associated with it.

Parameters:
  • deployment_groups_ids – A list of the desired deployment group IDs.
  • install_method – The format of the installation file: EXE_DEPLOY or CMD_DEPLOY.
  • run_method – Currently, only PS_EXEC is supported.
  • username – A Windows username, which MazeRunner will use to authenticate itself for installing on the endpoint.
  • password – The password for that user.
  • domain – The domain of that user. Pass an empty string for a local user.
  • deploy_on – Options are: “all” for all endpoints assigned to this group, or “failed” if you only want to deploy on the endpoints where no previous successful deployment has taken place.
create(name, description=None)[source]

Create a deployment group.

Parameters:
  • name – Deployment group name.
  • description – Deployment group description.
create_item(data, files=None)

Create an instance of the element.

It is recommended to avoid using this method. Instead, use the create methods of the relevant inheriting class.

Parameters:
  • data – Element data.
  • files – Relevant file paths to upload for the element.
deploy_all(location_with_name, os, download_format='ZIP')[source]

Download this deployment group’s installers & uninstallers.

Parameters:
  • location_with_name – Local destination path.
  • os – OS for which the installation is intended.
  • download_format – Installer format (ZIP/MSI/EXE).
get_item(id)

Get a specific item by ID.

Parameters: id – Desired item ID.

test_deployment_credentials(addr, install_method, username, password, domain=None)[source]

Check your credentials on a specific endpoint, without actually installing anything on it. Useful before performing a large-scale deployment using auto_deploy or auto_deploy_groups.

Parameters:
  • addr – The IP of the tested endpoint.
  • install_method – Use here the same install_method you’re planning to use in auto_deploy or auto_deploy_groups.
  • username – The Windows user you want MazeRunner to use when connecting to the endpoint.
  • password – The password of that user.
  • domain – The domain of that user. Leave as an empty string for local user.
Returns:

Test results dict consisting of a “success” key. In case of failure, a “reason” key will appear as well.
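The pre-check described above, as an added example that is not part of the SDK documentation: sample a few endpoints with test_deployment_credentials and only call auto_deploy_groups when all of them accept the credentials, so a wrong password or domain fails fast instead of producing a group-wide failed deployment. It assumes the documented result shape (a “success” key, plus “reason” on failure); the fake collection, group IDs and addresses are constructed stand-ins.

```python
import os


def precheck_credentials(group_collection, sample_addrs, install_method,
                         username, password, domain=""):
    """Run test_deployment_credentials against each sampled endpoint.

    Returns {addr: reason} for endpoints that rejected the credentials; an
    empty dict means every sampled endpoint accepted them.
    """
    failures = {}
    for addr in sample_addrs:
        result = group_collection.test_deployment_credentials(
            addr, install_method, username, password, domain)
        if not result.get("success"):
            # "reason" is only documented on failure, so default it defensively
            failures[addr] = result.get("reason", "no reason reported")
    return failures


def deploy_if_credentials_ok(group_collection, group_ids, sample_addrs,
                             install_method, username, password, domain=""):
    """Gate auto_deploy_groups on a clean credential pre-check.

    A local account is signalled by domain="" as the page instructs; a domain
    account passes its domain name. Nothing is installed unless the check passes.
    """
    failures = precheck_credentials(group_collection, sample_addrs,
                                    install_method, username, password, domain)
    if failures:
        return {"deployed": False, "failures": failures}
    group_collection.auto_deploy_groups(
        group_ids, install_method, "PS_EXEC",   # PS_EXEC: the only documented run_method
        username, password, domain, deploy_on="all")
    return {"deployed": True, "failures": {}}


# Constructed stand-in for api_client.DeploymentGroupCollection so the gate can be
# exercised offline; "bad_hosts" simulates endpoints that reject the credentials.
class FakeDeploymentGroupCollection:
    def __init__(self, bad_hosts=()):
        self.bad_hosts = set(bad_hosts)
        self.deploy_calls = []

    def test_deployment_credentials(self, addr, install_method, username,
                                    password, domain=None):
        if addr in self.bad_hosts:
            return {"success": False, "reason": "Logon failure"}
        return {"success": True}

    def auto_deploy_groups(self, deployment_groups_ids, install_method, run_method,
                           username, password, domain=None, deploy_on="all"):
        self.deploy_calls.append(
            (tuple(deployment_groups_ids), install_method, run_method, deploy_on))


if __name__ == "__main__":
    # Real use: groups = mazerunner.connect(...).deployment_groups
    # Keep the deployment password out of the source; read it from the environment.
    password = os.environ.get("MAZERUNNER_DEPLOY_PASSWORD", "")
    groups = FakeDeploymentGroupCollection(bad_hosts={"10.0.5.23"})  # constructed addresses
    print(deploy_if_credentials_ok(groups, [5, 7], ["10.0.5.21", "10.0.5.23"],
                                   "EXE_DEPLOY", "deploy_svc", password, domain="CORP"))
```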

Alerts

class api_client.Alert(api_client, param_dict)[source]

An alert is automatically generated by the system every time an attacker interacts with the decoy.

The alert contains the information of a detected attack: which code was executed, which query was run on the DB, which SMB shares were accessed, etc.

delete()[source]

Delete the alert.

download_image_file(location_with_name)[source]

Download the image file of the executed code.

Parameters: location_with_name – Download destination path.

download_memory_dump_file(location_with_name)[source]

Download memory dump of the executed code.

Parameters: location_with_name – Download destination path.

download_network_capture_file(location_with_name)[source]

Download alert info in pcap format.

Parameters: location_with_name – Download destination path.

download_stix_file(location_with_name)[source]

Download alert info in STIX format.

Parameters: location_with_name – Download destination path.

get_processes()[source]

Get a generator of all the processes associated with the alert.

Supported versions: MazeRunner 1.7.0 and above.

load()

Using the element ID, populate all of the element info from the server.

class api_client.AlertCollection(api_client, filter_enabled=False, only_alerts=False, alert_types=None, start_date=None, end_date=None, id_greater_than=None, username=None, source=None, keywords=None, decoy_name=None)[source]

A subset of the alerts in the system.

This entity will be returned by api_client.APIClient.alerts.

delete(selected_alert_ids=None, delete_all_filtered=False)[source]

Delete alerts by ID list or by filter.

Parameters:
  • selected_alert_ids – List of alerts to be deleted.
  • delete_all_filtered – Delete alerts by query, rather than by ID list. See example below.

Example 1: Delete alerts by ID list:

client = mazerunner.connect(...)
all_alerts = client.alerts.filter()
all_alerts.delete([101,102,103])

Example 2: Delete alerts by filter:

client = mazerunner.connect(...)
filtered_alerts = client.alerts.filter(alert_types=["share", "http"])
filtered_alerts.delete(delete_all_filtered=True)
export(location_with_name)[source]

Export all alerts to CSV.

Parameters: location_with_name – Download destination file.

filter(filter_enabled=False, only_alerts=False, alert_types=None, start_date=None, end_date=None, id_greater_than=None, username=None, source=None, keywords=None, decoy_name=None)[source]

Get alerts by query.

Parameters:
  • filter_enabled – When False, all the filtering params will be ignored.
  • only_alerts – Only take alerts in ‘Alert’ status (exclude those in ‘Mute’ and ‘Ignore’ status).
  • alert_types – A list of alert types.
  • start_date – The beginning of the date range, formatted dd/mm/yyyy.
  • end_date – The end of the date range, formatted dd/mm/yyyy.
  • id_greater_than – Return only alerts whose ID is greater than this value (useful as a cursor when polling for new alerts).
  • username – The breadcrumb’s username, which the attacker used to log in.
  • source – The IP or hostname of the attacker’s endpoint.
  • keywords – Search main fields for these keywords.
  • decoy_name – The name of the decoy that was attacked.
Returns:

A filtered api_client.AlertCollection.

get_item(id)

Get a specific item by ID.

Parameters: id – Desired item ID.

params()

Request for information about the applicable values for the entity fields.
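Incremental alert collection using the filter described above, as an added example that is not part of the SDK documentation: each polling pass asks for alerts with an ID above a persisted cursor, archives the STIX and pcap artifacts the Alert class documents, and advances the cursor only after the files are on disk. It assumes an AlertCollection is iterable and yields Alert objects with an id attribute; the cursor file name, output directory and fake collection are constructed.

```python
import json
import os


class JsonCursor:
    """Persist the highest alert ID already handled, so a restart resumes where it left off."""

    def __init__(self, path):
        self.path = path

    def load(self):
        if not os.path.exists(self.path):
            return 0  # nothing handled yet: id_greater_than=0 returns every alert
        with open(self.path) as fh:
            return int(json.load(fh)["last_id"])

    def save(self, last_id):
        with open(self.path, "w") as fh:
            json.dump({"last_id": last_id}, fh)


def poll_new_alerts(alerts_collection, last_id):
    """Fetch alerts with ID above the cursor, oldest first.

    filter_enabled must be True: the page notes that with False every other
    filter argument, including id_greater_than, is ignored.
    """
    new_alerts = list(alerts_collection.filter(
        filter_enabled=True,
        only_alerts=True,          # skip alert types whose policy is Mute/Ignore
        id_greater_than=last_id,
    ))
    new_alerts.sort(key=lambda alert: alert.id)
    return new_alerts


def archive_alert(alert, out_dir):
    """Save the STIX and pcap artifacts documented for an Alert; return the path prefix."""
    os.makedirs(out_dir, exist_ok=True)
    prefix = os.path.join(out_dir, "alert_%d" % alert.id)
    alert.download_stix_file(prefix + ".stix")
    alert.download_network_capture_file(prefix + ".pcap")
    return prefix


def run_once(alerts_collection, out_dir, cursor):
    """One polling pass: archive each new alert, then advance the cursor past it."""
    handled = []
    for alert in poll_new_alerts(alerts_collection, cursor.load()):
        archive_alert(alert, out_dir)
        cursor.save(alert.id)   # advance only after the artifacts are on disk
        handled.append(alert.id)
    return handled


# Constructed stand-ins with the same call shape, so the flow runs without a MazeRunner host.
class FakeAlert:
    def __init__(self, alert_id):
        self.id = alert_id
        self.downloads = []

    def download_stix_file(self, path):
        self.downloads.append(path)

    def download_network_capture_file(self, path):
        self.downloads.append(path)


class FakeAlertCollection:
    def __init__(self, alerts):
        self.alerts = alerts
        self.last_query = None

    def filter(self, **query):
        self.last_query = query
        if not query.get("filter_enabled"):
            return list(self.alerts)          # mirrors the documented "ignore filters" behaviour
        floor = query.get("id_greater_than") or 0
        return [a for a in self.alerts if a.id > floor]


if __name__ == "__main__":
    # Real use: client = mazerunner.connect(...); pass client.alerts instead of the fake.
    collection = FakeAlertCollection([FakeAlert(3), FakeAlert(1), FakeAlert(2)])
    print(run_once(collection, "alert_archive", JsonCursor("alert_cursor.json")))
```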

class api_client.AlertProcess(api_client, param_dict)[source]

A suspicious process that has been detected on an attacker’s endpoint by the Forensic Puller.

For more information about the Forensic Puller, navigate to User Menu > User Manual.

download_file(destination_path)[source]

Download the attacker’s tool to your local disk.

Parameters: destination_path – Location on the disk where you want to save the file.

download_minidump(destination_path)[source]

Download a minidump of the attacker’s process.

Parameters: destination_path – Location on the disk where you want to save the file.

get_dlls()[source]

Get a generator of the DLL files that were used by the process.

load()

Using the element ID, populate all of the element info from the server.

class api_client.AlertProcessCollection(api_client, alert, obj_class=None)[source]

A subset of the processes associated with a specific alert.

This entity will be returned by calling api_client.Alert.get_processes().

get_item(id)

Get a specific item by ID.

Parameters: id – Desired item ID.

params()

Request for information about the applicable values for the entity fields.

class api_client.AlertProcessDLL(api_client, param_dict)[source]

A DLL file that was used by an attacker’s process.

download_file(destination_path)[source]

Download the DLL file to the local disk.

Parameters: destination_path – Location on the disk where you want to save the file.

load()

Using the element ID, populate all of the element info from the server.

class api_client.AlertProcessDLLCollection(api_client, alert_process, obj_class=None)[source]

DLL files associated with a specific binary attack tool, fetched by the Forensic Puller.

This entity will be returned by calling api_client.AlertProcess.get_dlls().

get_item(id)

Get a specific item by ID.

Parameters: id – Desired item ID.

params()

Request for information about the applicable values for the entity fields.

Endpoints

class api_client.Endpoint(api_client, param_dict)[source]

An endpoint represents a single workstation in the organization, and the status of the breadcrumbs’ deployment to it.

delete()[source]

Delete the endpoint.

load()

Using the element ID, populate all of the element info from the server.

class api_client.EndpointCollection(api_client, filter_enabled=False, keywords='', statuses=None, deploy_groups=None)[source]

A subset of the endpoints in the system.

This entity will be returned by api_client.APIClient.endpoints.

clean_by_endpoints_ids(endpoints_ids, install_method, username, password, domain='')[source]

Uninstall breadcrumbs from all of the specified endpoint IDs.

Parameters:
  • endpoints_ids – List of IDs of the endpoints from which we want to remove breadcrumbs.
  • install_method – Uninstaller format (EXE/MSI/ZIP).
  • username – Local or domain username. MazeRunner will use this to access the endpoint.
  • password – Password for that user.
  • domain – The domain where that user is registered. Leave blank for local user.
clean_filtered(install_method, username, password, domain='')[source]

Uninstall breadcrumbs from all of the endpoints matching the filter.

Parameters:
  • install_method – Uninstaller format (EXE/MSI/ZIP).
  • username – Local or domain username. MazeRunner will use this to access the endpoint.
  • password – Password for that user.
  • domain – The domain where that user is registered. Leave blank for local user.
clear_deployment_group(endpoints)[source]

Unassign specified endpoints from all deployment groups.

Parameters: endpoints – A list of endpoints that should be unassigned.

create(ip_address=None, dns=None, hostname=None, deployment_group_id=None)[source]

Create an endpoint.

Pass at least one of the following parameters: ip_address, dns, or hostname.

Parameters:
  • deployment_group_id – Id of the deployment group.
  • ip_address – Address of the endpoint.
  • dns – FQDN of the endpoint.
  • hostname – Hostname of the endpoint.
create_item(data, files=None)

Create an instance of the element.

It is recommended to avoid using this method. Instead, use the create methods of the relevant inheriting class.

Parameters:
  • data – Element data.
  • files – Relevant file paths to upload for the element.
delete_by_endpoints_ids(endpoints_ids)[source]

Delete all the endpoints in the list.

Parameters: endpoints_ids – List of the endpoint IDs to be deleted.

delete_filtered()[source]

Delete all the endpoints matching the filter.

export_filtered()[source]

Export all filtered endpoints to CSV.

filter(keywords='')[source]

Get endpoints by query.

Parameters: keywords – Search keywords.
Returns: A filtered api_client.EndpointCollection.

filter_data()[source]

Get the available values for the endpoint filters.

get_item(id)

Get a specific item by ID.

Parameters: id – Desired item ID.

reassign_to_group(deployment_group, endpoints)[source]

Assign endpoints to a deployment group.

Parameters:
  • deployment_group – The deployment group to assign to.
  • endpoints – A list of endpoints that should be assigned.

See also: api_client.CIDRMapping

Alert policies

class api_client.AlertPolicy(api_client, param_dict)[source]

An alert policy (aka “system-wide rule”) is a configuration defining the severity of each alert type. The options are:

  • 0 = Ignore
  • 1 = Mute
  • 2 = Alert
load()

Using the element ID, populate all of the element info from the server.

update_to_status(to_status)[source]

Update the desired alert level of the given alert type.

Parameters: to_status – The name of the new ‘to_status’ of the policy.

class api_client.AlertPolicyCollection(api_client, obj_class=None)[source]

A subset of the alert policies (aka system-wide rules) in the system.

This entity will be returned by api_client.APIClient.alert_policies.

get_item(id)

Get a specific item by ID.

Parameters: id – Desired item ID.

params()

Request for information about the applicable values for the entity fields.

reset_all_to_default()[source]

Reset the ‘to_status’ of all alert policies to their original system default.

Background tasks

class api_client.BackgroundTask(api_client, param_dict)[source]

A background task represents the progress of a request that is not accomplished immediately, due to its potential to take a long time to process. Examples of requests that create background tasks include deployment on endpoints, and importing the organization structure from Active Directory.

load()

Using the element ID, populate all of the element info from the server.

stop()[source]

Stop the task.

class api_client.BackgroundTaskCollection(api_client, running=True)[source]

A subset of background tasks in the system.

This entity will be returned by api_client.APIClient.background_tasks.

acknowledge_all_complete()[source]

Acknowledge all tasks with the status ‘stopped’ or ‘complete’.

filter(running=True)[source]

Get background tasks by query.

Parameters: running – When True, running and paused tasks are returned. When False, stopped and completed tasks are returned.
Returns: A filtered api_client.BackgroundTaskCollection.

get_item(id)

Get a specific item by ID.

Parameters: id – Desired item ID.

CIDR mapping

class api_client.CIDRMapping(api_client, param_dict)[source]

This represents a CIDR block and, optionally, a deployment group with which it should be associated. The daily CIDR block importer, if enabled, scans all of the addresses in the CIDR mapping range once a day and creates an endpoint entity for any IP in that range that has a reverse DNS record or an NBNS name. If a deployment group was configured for that CIDR mapping, the daily CIDR block importer also assigns that deployment group to endpoints that were just imported or that did not have one configured.

delete()[source]

Delete this record.

generate_endpoints()[source]

Scan the CIDR block and import the endpoints.

load()

Using the element ID, populate all of the element info from the server.

class api_client.CIDRMappingCollection(api_client, obj_class=None)[source]

A subset of the CIDR mappings in the system.

This entity will be returned by api_client.APIClient.cidr_mappings.

create(cidr_block, deployment_group, comments, active)[source]

Create a new CIDR mapping.

Parameters:
  • cidr_block – The CIDR block from which the endpoints should be imported. E.g., 192.168.0.1/24.
  • deployment_group – Optional. If specified, this deployment group will be assigned to newly imported endpoints and endpoints that were previously unassigned.
  • comments – Optional. Comments about the CIDR block.
  • active – Whether this block should be included in the import.
create_item(data, files=None)

Create an instance of the element.

It is recommended to avoid using this method. Instead, use the create methods of the relevant inheriting class.

Parameters:
  • data – Element data.
  • files – Relevant file paths to upload for the element.
generate_all_endpoints()[source]

Scan all the active CIDR blocks in the system and import all of their endpoints.

get_item(id)

Get a specific item by ID.

Parameters: id – Desired item ID.

See also: api_client.Endpoint

ActiveSOC events

class api_client.ActiveSOCEventCollection(api_client, obj_class=None)[source]

Use this when you want to use MazeRunner’s ActiveSOC or Responder features, but the SOC application that you use is not supported by the built-in MazeRunner integration. In order to use these features, first create a SOC interface of the type “SOC via MazeRunner API”, give it a name, and then send events to that name.

create(soc_name, event_dict)[source]

Submit a single event to the SOC interface.

Parameters:
  • soc_name – The name of the SOC interface as configured on the SOC screen in MazeRunner.
  • event_dict – An event dict to be sent.
create_multiple_events(soc_name, events_dicts)[source]

Submit multiple events to the SOC interface.

Parameters:
  • soc_name – The name of the SOC interface as configured on the SOC screen in MazeRunner.
  • events_dicts – A list of event dicts to be sent.
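An added example (not from the SDK documentation) of feeding a SOC that has no built-in MazeRunner integration: failed-logon records from a constructed SIEM CSV export are turned into event dicts and submitted in fixed-size batches through create_multiple_events. Only the ComputerName and EventCode keys come from the page’s own event example; the TargetUser and Timestamp keys, the sample rows, the interface name and the fake collection are assumptions.

```python
import csv
import io

# Constructed SIEM export used as sample input.
SAMPLE_EXPORT = """\
timestamp,computer,event_id,target_user
2019-05-02T10:01:12Z,HR-WS-07,4625,jsmith
2019-05-02T10:01:15Z,HR-WS-07,4625,jsmith
2019-05-02T10:02:01Z,LEGACY-FS,529,svc_backup
2019-05-02T10:03:44Z,FIN-WS-02,4624,mlee
"""

# The two codes used in the page's own event example; both are Windows failed-logon
# events (4625 on current Windows, 529 on pre-Vista systems).
FAILED_LOGON_CODES = {4625, 529}


def parse_export(text, keep_codes=FAILED_LOGON_CODES):
    """Turn CSV rows into ActiveSOC event dicts, keeping only the wanted event codes."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            code = int(row["event_id"])
        except (ValueError, KeyError, TypeError):
            continue   # malformed row: skip it rather than abort the whole batch
        if code not in keep_codes:
            continue
        events.append({
            "ComputerName": row["computer"],
            "EventCode": code,
            "TargetUser": row["target_user"],   # assumed extra field
            "Timestamp": row["timestamp"],      # assumed extra field
        })
    return events


def batched(items, size):
    """Yield successive slices of at most `size` items."""
    for start in range(0, len(items), size):
        yield items[start:start + size]


def submit_events(soc_collection, soc_name, events, batch_size=100):
    """Send events via create_multiple_events in fixed-size batches; return the count sent."""
    sent = 0
    for batch in batched(events, batch_size):
        soc_collection.create_multiple_events(soc_name, batch)
        sent += len(batch)
    return sent


# Constructed stand-in for api_client.ActiveSOCEventCollection that records each call.
class FakeActiveSOCEventCollection:
    def __init__(self):
        self.calls = []

    def create_multiple_events(self, soc_name, events_dicts):
        self.calls.append((soc_name, list(events_dicts)))


if __name__ == "__main__":
    # Real use: soc = mazerunner.connect(...).active_soc_events, with soc_name set to the
    # "SOC via MazeRunner API" interface configured on the SOC screen.
    soc = FakeActiveSOCEventCollection()
    events = parse_export(SAMPLE_EXPORT)
    print(submit_events(soc, "my-soc-interface-name", events, batch_size=2), "events sent")
```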

Audit log events

class api_client.AuditLogLineCollection(api_client, filter_enabled=False, item=None, username=None, event_type=None, keywords=None, start_date=None, end_date=None, object_ids=None, category=None)[source]

Use this to access MazeRunner’s audit log.

This entity will be returned by api_client.APIClient.audit_log.

get_item(id)

Get a specific item by ID.

Parameters: id – Desired item ID.

params()

Request for information about the applicable values for the entity fields.

Storage usage data

class api_client.StorageUsageData(api_client, obj_class=None)[source]

Storage usage data. This entity will be returned by api_client.APIClient.storage_usage_data.

Forensic puller on demand

class api_client.ForensicPullerOnDemand(api_client, obj_class=None)[source]

Forensic Puller on demand.

This entity will be returned by api_client.APIClient.forensic_puller_on_demand.

run_on_ip_list(ip_list)[source]

Run the Forensic Puller on a list of IPs.

Parameters: ip_list – List of IPs.