def _fn_bigfix_assets_function(self, event, *args, **kwargs): """Function: Resilient Function : Bigfix assets - Get properties in BigFix for an endpoint.""" try: # Get the function parameters: bigfix_asset_name = kwargs.get("bigfix_asset_name") # text bigfix_asset_id = kwargs.get("bigfix_asset_id") # number bigfix_incident_id = kwargs.get("bigfix_incident_id") # number log = logging.getLogger(__name__) log.info("bigfix_asset_name: %s", bigfix_asset_name) log.info("bigfix_asset_id: %s", bigfix_asset_id) log.info("bigfix_incident_id: %s", bigfix_incident_id) params = { "asset_name": bigfix_asset_name, "asset_id": bigfix_asset_id, "incident_id": bigfix_incident_id } validate_params(params, "fn_bigfix_assets") yield StatusMessage( u"Running BigFix Query for Endpoint id {0}, with name {1} ...". format(params["asset_id"], params["asset_name"])) bigfix_client = BigFixClient(self.options) try: # Perform the BigFix Query response = bigfix_client.get_bf_computer_properties( params["asset_id"]) except Exception as e: log.exception("Failed to query a BigFix asset.") yield StatusMessage( "Failed with exception '{}' while trying to query a BigFix asset" .format(type(e).__name__)) raise Exception( "Failed with exception '{}' while trying to query a BigFix asset" .format(type(e).__name__)) if not response: yield StatusMessage( "No properties retrieved for the asset id '{}'".format( params["asset_id"])) results = {} else: # Create a Resilient attachment file_name = "bigfix-properties-" + params["asset_name"] + "-" + \ datetime.datetime.today().strftime('%Y%m%d') + ".xml" att_report = create_attachment(self.rest_client(), file_name, response, params) results = {"status": "OK", "att_name": att_report["name"]} yield StatusMessage("done...") log.debug(results) # Produce a FunctionResult with the results yield FunctionResult(results) except Exception: yield FunctionError()
def _fn_bigfix_artifact_function(self, event, *args, **kwargs): """Function: Resilient Function : Bigfix artifact - Get hits in BigFix for artifact.""" try: # Get the function parameters: bigfix_artifact_id = kwargs.get("bigfix_artifact_id") # number bigfix_artifact_value = kwargs.get("bigfix_artifact_value") # text bigfix_artifact_type = kwargs.get("bigfix_artifact_type") # text bigfix_artifact_properties_name = kwargs.get( "bigfix_artifact_properties_name") # text bigfix_artifact_properties_value = kwargs.get( "bigfix_artifact_properties_value") # text bigfix_incident_id = kwargs.get("bigfix_incident_id") # number bigfix_incident_plan_status = kwargs.get( "bigfix_incident_plan_status") # text log = logging.getLogger(__name__) log.info("bigfix_artifact_id: %s", bigfix_artifact_id) log.info("bigfix_artifact_value: %s", bigfix_artifact_value) log.info("bigfix_artifact_type: %s", bigfix_artifact_type) log.info("bigfix_artifact_properties_name: %s", bigfix_artifact_properties_name) log.info("bigfix_artifact_properties_value: %s", bigfix_artifact_properties_value) log.info("bigfix_incident_id: %s", bigfix_incident_id) log.info("bigfix_incident_plan_status: %s", bigfix_incident_plan_status) params = { "artifact_id": bigfix_artifact_id, "artifact_value": bigfix_artifact_value, "artifact_properties_name": bigfix_artifact_properties_name, "artifact_properties_value": bigfix_artifact_properties_value, "artifact_type": bigfix_artifact_type, "incident_id": bigfix_incident_id, "incident_plan_status": bigfix_incident_plan_status } validate_params(params, "fn_bigfix_artifact") yield StatusMessage( "Running BigFix Query for Artifact id {0}, with value {1} ...". format(params["artifact_id"], params["artifact_value"])) bigfix_client = BigFixClient(self.options) try: artifact_data = None if params["incident_plan_status"] != 'C': # If incident isn't closed if params["artifact_type"] == "IP Address": artifact_data = bigfix_client.get_bf_computer_by_ip( bigfix_artifact_value) elif params["artifact_type"] == "File Path": artifact_data = bigfix_client.get_bf_computer_by_file_path( bigfix_artifact_value) elif params["artifact_type"] == "Process Name": artifact_data = bigfix_client.get_bf_computer_by_process_name( bigfix_artifact_value) elif params["artifact_type"] == "Service": artifact_data = bigfix_client.get_bf_computer_by_service_name( bigfix_artifact_value) elif params["artifact_type"] == "Registry Key": artifact_data = bigfix_client.get_bf_computer_by_registry_key_name_value( bigfix_artifact_value, params["artifact_properties_name"], params["artifact_properties_value"]) else: raise ValueError( "Unsupported artifact type {}.".format( bigfix_artifact_type)) except Exception as e: log.exception("Failed to query BigFix.") yield StatusMessage( "Failed with exception '{}' while trying to query BigFix.". format(type(e).__name__)) raise Exception( "Failed with exception '{}' while trying to query BigFix.". format(type(e).__name__)) if bigfix_incident_plan_status == 'C': yield StatusMessage( "Ignoring action, incident {} is closed".format( params["incident_id"])) results = {} elif not artifact_data: yield StatusMessage( "Could not find data about the artifact {}".format( params["artifact_value"])) results = {} else: hits = get_hits(artifact_data, params) if len(hits) == 0: yield StatusMessage( "No hits detected for artifact id '{0}' with value '{1}' and of type '{2}'." .format(params["artifact_id"], params["artifact_value"], params["artifact_type"])) results = {} elif len(hits) > int( self.options.get("hunt_results_limit", "200")): yield StatusMessage( "Adding artifact data as an incident attachment") # Define file name and content to add as an attachment file_name = "query_for_artifact_{0}_{1}_{2}.txt" \ .format(params["artifact_id"], params["artifact_type"], datetime.datetime.today().strftime('%Y%m%d')) file_content = "" for data in hits: file_content += "Resource ID: {0}. Resource Name: {1}. Artifact value: {2}. Artifact Type: {3} \n" \ .format(data["computer_id"], data["computer_name"], params["artifact_value"], params["artifact_type"]) # Create an attachment att_report = create_attachment(self.rest_client(), file_name, file_content, params) results = { "hits_over_limit": True, "att_name": att_report["name"], "hits_count": len(hits) } else: query_execution_date = datetime.datetime.now().strftime( '%m-%d-%Y %H:%M:%S') results = { "endpoint_hits": json.loads(json.dumps(hits)), "hits_count": len(hits), "query_execution_date": query_execution_date } yield StatusMessage("done...") log.debug(results) # Produce a FunctionResult with the results yield FunctionResult(results) except Exception: log.exception( "Exception in Resilient Function for BigFix integration.") yield FunctionError()