def _tanium_sweep_for_hash_function(self, event, *args, **kwargs):
"""Function: Checks if a given MD5 hash is among running
processes in our environment [Windows OS].
Returns a list of hostnames of False"""
now = datetime.datetime.now()
try:
# Get the function parameters:
incident_id = kwargs.get("incident_id") # number
file_hash_md5 = kwargs.get("file_hash_md5") # text
# Get Tanium config values
tanium_user = self.options.get("tanium_user")
tanium_password = self.options.get("tanium_password")
tanium_server = self.options.get("tanium_server")
tanium_port = self.options.get("tanium_port")
tanium_pytan_loc = self.options.get("tanium_pytan_loc")
log = logging.getLogger(__name__)
log.debug("incident_id: %s", incident_id)
log.debug("file_hash_md5: %s", file_hash_md5)
log.debug("tanium_user: %s", tanium_user)
log.debug("tanium_password: %s", tanium_password)
log.debug("tanium_server: %s", tanium_server)
log.debug("tanium_port: %s", tanium_port)
log.debug("tanium_pytan_loc: %s", tanium_pytan_loc)
yield StatusMessage("starting...")
tanium_object = tanium.TaniumWorker(tanium_user, \
tanium_password, tanium_server, tanium_port, tanium_pytan_loc)
machines_where_hash_was_found = []
yield StatusMessage("querying Tanium for data...")
machines_where_hash_was_found = tanium_object.sweep_for_hash(
file_hash_md5)
if machines_where_hash_was_found:
yield StatusMessage("Tanium returned data...")
# header, data, file_name, incident_id
convert.convert_to_csv_and_attach_to_incident([ \
'Computer Name', 'MD5 Hash', 'Path'], \
machines_where_hash_was_found, \
now.strftime("%Y-%m-%d_%H:%M")+'-sweep_for_hash-'+ \
file_hash_md5+'.csv', incident_id, self)
else:
yield StatusMessage("hash not found")
results = {
"machines": machines_where_hash_was_found,
"hash": file_hash_md5
}
# Produce a FunctionResult with the results
yield FunctionResult(results)
except Exception:
yield FunctionError()
def _tanium_get_ip_conns_function(self, event, *args, **kwargs):
"""Function: Returns the protocol, local address / port,
process name, application name, remote port, and
connection state for all active IP connections on an endpoint.
Example: tcp|192.168.95.186:51866|explorer.exe|
Windows Explorer|165.254.58.66:80|established"""
now = datetime.datetime.now()
try:
# Get the function parameters:
tanium_endpoint = kwargs.get("tanium_endpoint") # text
incident_id = kwargs.get("incident_id") # number
# Get Tanium config values
tanium_user = self.options.get("tanium_user")
tanium_password = self.options.get("tanium_password")
tanium_server = self.options.get("tanium_server")
tanium_port = self.options.get("tanium_port")
tanium_pytan_loc = self.options.get("tanium_pytan_loc")
log = logging.getLogger(__name__)
log.debug("tanium_endpoint: %s", tanium_endpoint)
log.debug("incident_id: %s", incident_id)
log.debug("tanium_user: %s", tanium_user)
log.debug("tanium_password: %s", tanium_password)
log.debug("tanium_server: %s", tanium_server)
log.debug("tanium_port: %s", tanium_port)
log.debug("tanium_pytan_loc: %s", tanium_pytan_loc)
yield StatusMessage("starting...")
tanium_object = tanium.TaniumWorker(tanium_user, \
tanium_password, tanium_server, tanium_port, tanium_pytan_loc)
ip_conns = []
yield StatusMessage("querying Tanium for data...")
ip_conns = tanium_object.get_ip_connections(tanium_endpoint)
if ip_conns:
yield StatusMessage("Tanium returned data...")
# header, data, file_name, incident_id
convert.convert_to_csv_and_attach_to_incident(\
["Application","Connection State", \
"Local IP and Port", "Process", "Protocol", \
"Remote IP and Port"], ip_conns, \
now.strftime("%Y-%m-%d_%H:%M")+'-IP_Conns-'+\
tanium_endpoint+'.csv', incident_id, self)
else:
yield StatusMessage("No data returned")
results = {"ip_conns": ip_conns}
# Produce a FunctionResult with the results
yield FunctionResult(results)
except Exception:
yield FunctionError()
def _tanium_get_open_ports_function(self, event, *args, **kwargs):
"""Function: Identifies the listening TCP ports,
including the process listening to the port,
the MD5 hash of the process, the display name
of the process (if available), and the listening IP Address
and port. The Sensor definition can be modified to exclude
process and IP range."""
now = datetime.datetime.now()
try:
# Get the function parameters:
tanium_endpoint = kwargs.get("tanium_endpoint") # text
incident_id = kwargs.get("incident_id") # number
# Get Tanium config values
tanium_user = self.options.get("tanium_user")
tanium_password = self.options.get("tanium_password")
tanium_server = self.options.get("tanium_server")
tanium_port = self.options.get("tanium_port")
tanium_pytan_loc = self.options.get("tanium_pytan_loc")
log = logging.getLogger(__name__)
log.debug("tanium_endpoint: %s", tanium_endpoint)
log.debug("incident_id: %s", incident_id)
log.debug("tanium_user: %s", tanium_user)
log.debug("tanium_password: %s", tanium_password)
log.debug("tanium_server: %s", tanium_server)
log.debug("tanium_port: %s", tanium_port)
log.debug("tanium_pytan_loc: %s", tanium_pytan_loc)
yield StatusMessage("starting...")
tanium_object = tanium.TaniumWorker(tanium_user, \
tanium_password, tanium_server, tanium_port, tanium_pytan_loc)
open_ports = []
yield StatusMessage("querying Tanium for data...")
open_ports = tanium_object.get_open_ports(tanium_endpoint)
if open_ports:
yield StatusMessage("Tanium returned data...")
# header, data, file_name, incident_id
convert.convert_to_csv_and_attach_to_incident(\
['Open Port'], open_ports, \
now.strftime("%Y-%m-%d_%H:%M")+'-Open_Ports-' + \
tanium_endpoint+'.csv', incident_id, self)
else:
yield StatusMessage("No data returned")
results = {"open_ports": open_ports}
# Produce a FunctionResult with the results
yield FunctionResult(results)
except Exception:
yield FunctionError()
def _tanium_get_autoruns_function(self, event, *args, **kwargs):
"""Function: Retrieves Autorun data for the enabled auto-start
extension points (ASEPs). Use parameters to specify
the category and hash for each ASEP."""
now = datetime.datetime.now()
try:
# Get the function parameters:
tanium_endpoint = kwargs.get("tanium_endpoint") # text
incident_id = kwargs.get("incident_id") # number
# Get Tanium config values
tanium_user = self.options.get("tanium_user")
tanium_password = self.options.get("tanium_password")
tanium_server = self.options.get("tanium_server")
tanium_port = self.options.get("tanium_port")
tanium_pytan_loc = self.options.get("tanium_pytan_loc")
log = logging.getLogger(__name__)
log.debug("tanium_endpoint: %s", tanium_endpoint)
log.debug("incident_id: %s", incident_id)
log.debug("tanium_user: %s", tanium_user)
log.debug("tanium_password: %s", tanium_password)
log.debug("tanium_server: %s", tanium_server)
log.debug("tanium_port: %s", tanium_port)
log.debug("tanium_pytan_loc: %s", tanium_pytan_loc)
yield StatusMessage("starting...")
tanium_object = tanium.TaniumWorker(tanium_user, \
tanium_password, tanium_server, tanium_port, tanium_pytan_loc)
autoruns = []
yield StatusMessage("querying Tanium for data...")
autoruns = tanium_object.get_autoruns_by_category(\
tanium_endpoint, 'MD5', '0')
if autoruns:
yield StatusMessage("Tanium returned data...")
# header, data, file_name, incident_id
convert.convert_to_csv_and_attach_to_incident(\
['Hash', 'Category', 'Description', 'Entry', \
'Entry Location', 'Image Path', 'Launch String', \
'Profile', 'Publisher', 'Version'], \
autoruns, now.strftime("%Y-%m-%d_%H:%M")+\
'-Autoruns-'+tanium_endpoint+'.csv', incident_id, self)
else:
yield StatusMessage("No data returned")
results = {"autoruns": autoruns}
# Produce a FunctionResult with the results
yield FunctionResult(results)
except Exception:
yield FunctionError()
def _tanium_get_installed_apps_function(self, event, *args, **kwargs):
"""Function: List of the applications and versions of those
applications installed on the client machine.
Example: Mozilla Firefox | 16.0.1"""
now = datetime.datetime.now()
try:
# Get the function parameters:
tanium_endpoint = kwargs.get("tanium_endpoint") # text
incident_id = kwargs.get("incident_id") # number
# Get Tanium config values
tanium_user = self.options.get("tanium_user")
tanium_password = self.options.get("tanium_password")
tanium_server = self.options.get("tanium_server")
tanium_port = self.options.get("tanium_port")
tanium_pytan_loc = self.options.get("tanium_pytan_loc")
log = logging.getLogger(__name__)
log.debug("tanium_endpoint: %s", tanium_endpoint)
log.debug("incident_id: %s", incident_id)
log.debug("tanium_user: %s", tanium_user)
log.debug("tanium_password: %s", tanium_password)
log.debug("tanium_server: %s", tanium_server)
log.debug("tanium_port: %s", tanium_port)
log.debug("tanium_pytan_loc: %s", tanium_pytan_loc)
yield StatusMessage("starting...")
tanium_object = tanium.TaniumWorker(tanium_user, \
tanium_password, tanium_server, tanium_port, tanium_pytan_loc)
installed_apps = []
yield StatusMessage("querying Tanium for data...")
installed_apps = tanium_object.get_installed_apps(tanium_endpoint)
if installed_apps:
yield StatusMessage("Tanium returned data...")
# header, data, file_name, incident_id
convert.convert_to_csv_and_attach_to_incident(\
['Name', 'Silent Uninstall String', 'Uninstallable',\
'Version'], installed_apps, \
now.strftime("%Y-%m-%d_%H:%M")+'-Installed_Apps-'+\
tanium_endpoint+'.csv', incident_id, self)
else:
yield StatusMessage("No applications returned")
results = {"installed_apps": installed_apps}
# Produce a FunctionResult with the results
yield FunctionResult(results)
except Exception:
yield FunctionError()
def _tanium_get_processes_function(self, event, *args, **kwargs):
"""Function: Returns list of processes with MD5 hashes"""
now = datetime.datetime.now()
try:
# Get the function parameters:
tanium_endpoint = kwargs.get("tanium_endpoint") # text
incident_id = kwargs.get("incident_id") # number
# Get Tanium config values
tanium_user = self.options.get("tanium_user")
tanium_password = self.options.get("tanium_password")
tanium_server = self.options.get("tanium_server")
tanium_port = self.options.get("tanium_port")
tanium_pytan_loc = self.options.get("tanium_pytan_loc")
log = logging.getLogger(__name__)
log.debug("tanium_endpoint: %s", tanium_endpoint)
log.debug("incident_id: %s", incident_id)
log.debug("tanium_user: %s", tanium_user)
log.debug("tanium_password: %s", tanium_password)
log.debug("tanium_server: %s", tanium_server)
log.debug("tanium_port: %s", tanium_port)
log.debug("tanium_pytan_loc: %s", tanium_pytan_loc)
yield StatusMessage("starting...")
tanium_object = tanium.TaniumWorker(tanium_user, \
tanium_password, tanium_server, tanium_port, tanium_pytan_loc)
list_of_processes = []
yield StatusMessage("querying Tanium for data...")
list_of_processes = tanium_object.get_running_processes(
tanium_endpoint)
if list_of_processes:
yield StatusMessage("Tanium returned data...")
# header, data, file_name, incident_id
convert.convert_to_csv_and_attach_to_incident(\
['md5','path'], list_of_processes, \
now.strftime("%Y-%m-%d_%H:%M")+'-Running_Processes-'+\
tanium_endpoint+'.csv', incident_id, self)
else:
yield StatusMessage("No processes returned")
results = {"data": list_of_processes, "hostname": tanium_endpoint}
# Produce a FunctionResult with the results
yield FunctionResult(results)
except Exception:
yield FunctionError()
def _tanium_agent_search_function(self, event, *args, **kwargs):
"""Function: Tanium holds client status for last 30d.
This functions checks if given endpoint is on the list.
If it is not, we could presume the agent needs to be deployed"""
try:
# Get the function parameters:
tanium_endpoint = kwargs.get("tanium_endpoint") # text
# Get Tanium config values
tanium_user = self.options.get("tanium_user")
tanium_password = self.options.get("tanium_password")
tanium_server = self.options.get("tanium_server")
tanium_port = self.options.get("tanium_port")
tanium_pytan_loc = self.options.get("tanium_pytan_loc")
log = logging.getLogger(__name__)
log.debug("tanium_endpoint: %s", tanium_endpoint)
log.debug("tanium_user: %s", tanium_user)
log.debug("tanium_password: %s", tanium_password)
log.debug("tanium_server: %s", tanium_server)
log.debug("tanium_port: %s", tanium_port)
log.debug("tanium_pytan_loc: %s", tanium_pytan_loc)
yield StatusMessage("starting...")
tanium_object = tanium.TaniumWorker(tanium_user, \
tanium_password, tanium_server, tanium_port, tanium_pytan_loc)
yield StatusMessage("querying Tanium for logged in users...")
agent_check = tanium_object.check_agent(tanium_endpoint)
results = {"found": False, "input": tanium_endpoint}
if agent_check:
results['found'] = True
results['ipaddr'] = agent_check['ipaddress_client']
results['last_seen'] = agent_check['last_seen']
results['hostname'] = agent_check['hostname']
# Produce a FunctionResult with the results
yield FunctionResult(results)
except Exception:
yield FunctionError()
def _tanium_online_check_function(self, event, *args, **kwargs):
"""Function: Checks if a given hostname is online
(running the Tanium agent)"""
try:
# Get the function parameters:
tanium_endpoint = kwargs.get("tanium_endpoint") # text
# Get Tanium config values
tanium_user = self.options.get("tanium_user")
tanium_password = self.options.get("tanium_password")
tanium_server = self.options.get("tanium_server")
tanium_port = self.options.get("tanium_port")
tanium_pytan_loc = self.options.get("tanium_pytan_loc")
log = logging.getLogger(__name__)
log.debug("tanium_endpoint: %s", tanium_endpoint)
log.debug("tanium_user: %s", tanium_user)
log.debug("tanium_password: %s", tanium_password)
log.debug("tanium_server: %s", tanium_server)
log.debug("tanium_port: %s", tanium_port)
log.debug("tanium_pytan_loc: %s", tanium_pytan_loc)
yield StatusMessage("starting...")
is_endpoint_online = False
tanium_object = tanium.TaniumWorker(tanium_user, \
tanium_password, tanium_server, tanium_port, tanium_pytan_loc)
yield StatusMessage("querying Tanium for data...")
is_endpoint_online = tanium_object.check_online(tanium_endpoint)
yield StatusMessage("done...")
results = {
"check": is_endpoint_online,
"hostname": tanium_endpoint
}
# Produce a FunctionResult with the results
yield FunctionResult(results)
except Exception:
yield FunctionError()
def _tanium_get_asset_info_function(self, event, *args, **kwargs):
"""Function: Returns asset information including the currently
logged in users to assist in potential asset ownership"""
try:
# Get the function parameters:
tanium_endpoint = kwargs.get("tanium_endpoint") # text
# Get Tanium config values
tanium_user = self.options.get("tanium_user")
tanium_password = self.options.get("tanium_password")
tanium_server = self.options.get("tanium_server")
tanium_port = self.options.get("tanium_port")
tanium_pytan_loc = self.options.get("tanium_pytan_loc")
log = logging.getLogger(__name__)
log.debug("tanium_endpoint: %s", tanium_endpoint)
log.debug("tanium_user: %s", tanium_user)
log.debug("tanium_password: %s", tanium_password)
log.debug("tanium_server: %s", tanium_server)
log.debug("tanium_port: %s", tanium_port)
log.debug("tanium_pytan_loc: %s", tanium_pytan_loc)
yield StatusMessage("starting...")
tanium_object = tanium.TaniumWorker(tanium_user, \
tanium_password, tanium_server, tanium_port, tanium_pytan_loc)
logged_in_users = []
yield StatusMessage("querying Tanium for logged in users...")
logged_in_users = tanium_object.get_logged_in_users(
tanium_endpoint)
ip_addresses = []
yield StatusMessage("querying Tanium for ip addresses...")
ip_addresses = tanium_object.get_ip_address(tanium_endpoint)
os_info = []
yield StatusMessage("querying Tanium for OS version...")
os_info = tanium_object.get_os_info(tanium_endpoint)
cpu_arch = []
yield StatusMessage("querying Tanium for cpu architecture..")
cpu_arch = tanium_object.get_cpu_arch(tanium_endpoint)
chassis_type = []
yield StatusMessage("querying Tanium for chassis type...")
chassis_type = tanium_object.get_chassis_type(tanium_endpoint)
serial_number = []
yield StatusMessage("querying Tanium for serial number...")
serial_number = tanium_object.get_serial_number(tanium_endpoint)
yield StatusMessage("done...")
results = {
"hostname": tanium_endpoint,
"users": logged_in_users,
"os_info": os_info,
"ip_addr": ip_addresses,
"cpu_arch": cpu_arch,
"chassis_type": chassis_type,
"serial_number": serial_number
}
# Produce a FunctionResult with the results
yield FunctionResult(results)
except Exception:
yield FunctionError()