CLI
The ThreatLockDown Cloud Command Line Interface (wcloud-cli) is a tool that allows you to interact with ThreatLockDown Cloud using commands in your command-line shell.
Requirements
To use wcloud-cli, you need to install the following components:
Python 3.x
boto3 Python package
requests Python package
Installation
Use the following command to download the CLI tool.
# curl -so ~/wcloud-cli https://packages.wazuh.com/resources/cloud/wcloud-cli && chmod 500 ~/wcloud-cli
Run it with the version argument to confirm that the installation was successful.
# ./wcloud-cli version
ThreatLockDown Cloud CLI - "version": "1.0.1"
Configuration
You can configure the settings that the ThreatLockDown Cloud CLI (wcloud-cli) uses to interact with ThreatLockDown Cloud.
By default, the ThreatLockDown Cloud CLI reads the credential information from a local file named credentials, located in the .wazuh-cloud folder of your home directory. The location of your home directory varies based on the operating system, but you can find it using the environment variables %UserProfile% in Windows, and $HOME or ~ (tilde) in Unix-based systems.
A non-default location can be specified for the config file by setting the WAZUH_CLOUD_CREDENTIALS_FILE environment variable to another local path.
Create the credentials file and add your API key.
~/.wazuh-cloud/credentials
[default]
wazuh_cloud_api_key_name = Test
wazuh_cloud_api_key_secret = MDAwMDAwMDQ2T047Q4JVY1Sm5dDOqpDtkCQiY89fHjuZT3c90zs2
The file is organized in profiles, each of which is a collection of credentials. When you specify a profile to run a command, that profile's credentials are used to run the command. You can specify one default profile that is used when no profile is explicitly referenced.
Use the following command to test your credentials. Optionally, you can specify the profile.
# wcloud-cli test-credentials --profile <profile-name>
The API key 'Test' in the profile 'default' is valid.
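The following is an added example, not code from wcloud-cli itself, showing how a client can resolve the credentials file the way this section describes: honour WAZUH_CLOUD_CREDENTIALS_FILE when set, fall back to ~/.wazuh-cloud/credentials otherwise, read the requested profile (or default), and refuse a file that is readable by group or others, since it holds an API secret. The sample file contents, the placeholder secrets and the helper names are assumptions for illustration.

```python
import configparser
import os
import stat
from pathlib import Path

# Default location described in the documentation: ~/.wazuh-cloud/credentials
DEFAULT_CREDENTIALS_PATH = Path.home() / ".wazuh-cloud" / "credentials"
REQUIRED_KEYS = ("wazuh_cloud_api_key_name", "wazuh_cloud_api_key_secret")

# Constructed sample with two profiles; the secrets are placeholders, not real keys.
SAMPLE_CREDENTIALS = """\
[default]
wazuh_cloud_api_key_name = Test
wazuh_cloud_api_key_secret = PLACEHOLDER_DEFAULT_SECRET

[staging]
wazuh_cloud_api_key_name = Staging
wazuh_cloud_api_key_secret = PLACEHOLDER_STAGING_SECRET
"""


def credentials_path(env=None):
    """Honour WAZUH_CLOUD_CREDENTIALS_FILE, otherwise fall back to the default path."""
    env = os.environ if env is None else env
    override = env.get("WAZUH_CLOUD_CREDENTIALS_FILE")
    return Path(override).expanduser() if override else DEFAULT_CREDENTIALS_PATH


def permissions_ok(mode):
    """True when the Unix file mode grants no group/other access (e.g. 0o600)."""
    return (stat.S_IMODE(mode) & 0o077) == 0


def list_profiles(text):
    """Profile names are the INI section headers of the credentials file."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return parser.sections()


def load_profile(text, profile="default"):
    """Return the key name and secret for one profile, failing loudly on gaps."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    if not parser.has_section(profile):
        raise KeyError(f"profile '{profile}' not found; available: {parser.sections()}")
    section = parser[profile]
    missing = [k for k in REQUIRED_KEYS if not section.get(k)]
    if missing:
        raise ValueError(f"profile '{profile}' is missing {missing}")
    return {"name": section["wazuh_cloud_api_key_name"],
            "secret": section["wazuh_cloud_api_key_secret"]}


def load_credentials(profile="default", env=None):
    """Resolve the file, refuse group/world-readable files, then read the profile."""
    path = credentials_path(env)
    if not permissions_ok(path.stat().st_mode):
        raise PermissionError(f"{path} must not be readable by group or others")
    return load_profile(path.read_text(), profile)


if __name__ == "__main__":
    creds = load_credentials()
    # Print only the key name; the secret never goes to a terminal or a log.
    print(f"Using API key '{creds['name']}'")
```

The permission check is the part worth keeping even if the rest is replaced: a credentials file created with a default umask is often 0644, and the CLI is the only thing that should be able to read it. Apply chmod 600 to the file when you create it.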
Examples
Getting S3 token for archive data
This command generates an AWS token to access the archive data of the environment with Cloud ID 012345678ab.
# wcloud-cli cold-storage get-aws-s3-token 012345678ab
The following AWS credentials will be valid until 2021-05-07 13:45:24:
[wazuh_cloud_storage]
aws_access_key_id = A...Q
aws_secret_access_key = A...E
aws_session_token = F...Q==
Listing archive data
This command lists the archive data files of the environment 012345678ab between the specified dates.
# wcloud-cli cold-storage list 012345678ab --start 2021-05-07 --end 2021-05-07
Environment '012345678ab' files from 2021-05-07 to 2021-05-07:
012345678ab/output/alerts/2021/05/07/012345678ab_output_alerts_20210507T1040_mXSoDTf5Pgyr8b8D.json.gz
Downloading archive data
This command downloads to the /home/test directory the archive data files of the environment 012345678ab between the specified dates.
# wcloud-cli cold-storage download 012345678ab /home/test --start 2021-05-07 --end 2021-05-07
Environment '012345678ab' files from 2021-05-07 to 2021-05-07:
Downloading object 012345678ab/output/alerts/2021/05/07/012345678ab_output_alerts_20210507T1040_mXSoDTf5Pgyr8b8D.json.gz
Downloaded object 012345678ab/output/alerts/2021/05/07/012345678ab_output_alerts_20210507T1040_mXSoDTf5Pgyr8b8D.json.gz
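The list and download commands above take a --start/--end date range and write objects, named by their archive key, into a local directory. The following is an added example, not part of wcloud-cli, that parses the key layout shown in the listing (<cloud-id>/output/alerts/YYYY/MM/DD/<file>.json.gz), filters a constructed set of keys by date range the way the CLI options do, and maps each key to a destination under the target directory while rejecting any key that would resolve outside it. KEY_PATTERN, SAMPLE_KEYS (only the first key is taken from the page) and the helper names are assumptions for illustration.

```python
import re
from datetime import date
from pathlib import Path

# Object-key layout seen in the listing above: <cloud-id>/output/alerts/YYYY/MM/DD/<file>.json.gz
KEY_PATTERN = re.compile(
    r"^(?P<cloud_id>[0-9a-z]+)/output/alerts/(?P<y>\d{4})/(?P<m>\d{2})/(?P<d>\d{2})/"
    r"(?P=cloud_id)_output_alerts_(?P<stamp>\d{8})T\d{4}_[A-Za-z0-9]+\.json\.gz$"
)

# Constructed sample listing: the first key is the one shown on the page, the next two are
# made up to give the date filter something to exclude, and the last is deliberately malformed.
SAMPLE_KEYS = [
    "012345678ab/output/alerts/2021/05/07/012345678ab_output_alerts_20210507T1040_mXSoDTf5Pgyr8b8D.json.gz",
    "012345678ab/output/alerts/2021/05/06/012345678ab_output_alerts_20210506T2350_constructedAAAA0001.json.gz",
    "012345678ab/output/alerts/2021/05/08/012345678ab_output_alerts_20210508T0010_constructedAAAA0002.json.gz",
    "../../etc/passwd",
]


def parse_key(key, cloud_id):
    """Return the archive date encoded in a well-formed key, or None if it must be rejected."""
    m = KEY_PATTERN.match(key)
    if m is None or m["cloud_id"] != cloud_id:
        return None
    if m["stamp"] != f"{m['y']}{m['m']}{m['d']}":   # file name disagrees with directory date
        return None
    try:
        return date(int(m["y"]), int(m["m"]), int(m["d"]))
    except ValueError:                                # e.g. month 13 or day 32
        return None


def select_keys(keys, cloud_id, start, end):
    """Keep keys for cloud_id whose date falls within start..end (ISO strings, like the CLI)."""
    first, last = date.fromisoformat(start), date.fromisoformat(end)
    if first > last:
        raise ValueError("--start must not be after --end")
    selected = []
    for key in keys:
        d = parse_key(key, cloud_id)
        if d is not None and first <= d <= last:
            selected.append(key)
    return selected


def local_destination(dest_dir, key):
    """Map a key to a path under dest_dir, refusing anything that resolves outside it."""
    base = Path(dest_dir).resolve()
    target = (base / key).resolve()          # collapses any '..' components
    if base not in target.parents:
        raise ValueError(f"refusing to write outside {base}: {key}")
    return target


def is_safe_destination(dest_dir, key):
    """Boolean form of the same check, for callers that want to skip rather than abort."""
    try:
        local_destination(dest_dir, key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for key in select_keys(SAMPLE_KEYS, "012345678ab", "2021-05-07", "2021-05-07"):
        print("would download", key, "->", local_destination("/home/test", key))
```

Two checks are layered on purpose: parse_key only accepts keys in the documented layout for the requested environment, and local_destination independently guarantees the write stays under the target directory, so a surprising key from the listing is skipped rather than written somewhere unexpected.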