args:
- default: true
description: hostname of a Carbon Black sensor
name: hostname
- description: path to file on system
name: path
required: true
- description: ip of a Carbon Black sensor
name: ip
comment: Use a Carbon Black Response Live Response session to retrieve a file from an endpoint.
The endpoint needs to have a CbResponse sensor deployed.
commonfields:
id: CBLiveGetFile
version: -1
dependson:
must:
- cb-sensor-info
- cb-list-sessions
- cb-session-create
- cb-session-info
- cb-command-create
- cb-command-info
- cb-file-get
name: CBLiveGetFile
runonce: false
script: |-
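import sys
import time

# Wall-clock budget, in seconds, for each of the two polling phases (waiting for
# the session to become active, waiting for the "get file" command to finish).
# Measured with time.time() so the latency of every executeCommand round-trip
# counts against it, instead of counting loop iterations as the old loop did.
TIMEOUT_SECONDS = 120
SESSION_POLL_INTERVAL = 3  # seconds between cb-session-info calls
COMMAND_POLL_INTERVAL = 1  # seconds between cb-command-info calls


def error_entry(message):
    """Return a War Room error entry whose text is *message*."""
    return {'Type': entryTypes['error'], 'ContentsFormat': formats['text'], 'Contents': message}


def fail(message=None, entries=None):
    """Report an error to the War Room and stop the script.

    Args:
        message: text for a new error entry. Omitted when *entries* already
            carries the integration command's own error entry.
        entries: entries returned by executeCommand that should be surfaced
            as-is, placed ahead of the new error entry when both are given.

    Raises:
        SystemExit: always, after the entries have been posted.
    """
    if entries is not None and message is not None:
        demisto.results(list(entries) + [error_entry(message)])
    elif entries is not None:
        demisto.results(entries)
    else:
        demisto.results(error_entry(message))
    sys.exit(0)


def run_command(command, args, message=None):
    """Run integration *command* with *args* and return its entries.

    The script stops (via fail) when the command returns no entries at all or
    when its first entry is an error; *message* is appended to the error
    output when given.
    """
    res = demisto.executeCommand(command, args)
    if not res:
        fail('No output returned from ' + command + '.')
    if isError(res[0]):
        fail(message, res)
    return res


def find_sensor_id(args):
    """Resolve the ip/hostname argument to a single Cb sensor ID, returned as str.

    Stops the script when neither argument is given, when no sensor matches,
    or when more than one does (the caller must disambiguate; the script never
    picks one on its own).
    """
    ip = demisto.get(args, 'ip')
    hostname = demisto.get(args, 'hostname')
    if not ip and not hostname:
        fail('You must provide ip or hostname for Cb sensor.')
    # ip wins when both are supplied, as before.
    query = {'ip': ip} if ip else {'hostname': hostname}
    matches = run_command('cb-sensor-info', query)[0]['Contents']
    if not matches:
        fail('Sensor not found.')
    if len(matches) != 1:
        fail('More than one sensor returned.\nResult:\n' + str(matches))
    sensor_id = str(matches[0]['id'])
    demisto.log('[*] Located sensor ID ' + sensor_id)
    return sensor_id


def get_active_session(sensor_id):
    """Return the ID (as str) of an active Live Response session to *sensor_id*.

    Reuses a pending/active session when one exists, otherwise creates one,
    then polls cb-session-info until the session leaves 'pending'. Polling is
    bounded by TIMEOUT_SECONDS; the previous loop could spin forever on a
    session that never activated.
    """
    sessions = run_command('cb-list-sessions', {})[0]['Contents']
    reusable = [s for s in sessions
                if str(s['sensor_id']) == sensor_id and s['status'] in ('pending', 'active')]
    if reusable:
        existing = reusable[0]
        demisto.log('[*] Found existing %s session %s..' % (existing['status'], existing['id']))
        session_id = str(existing['id'])
    else:
        created = run_command('cb-session-create', {'sensor': sensor_id},
                              'Error while trying to create session.')
        session_id = str(created[0]['Contents']['id'])
        demisto.log('[*] Created session ' + session_id + ' for sensor ' + sensor_id
                    + '. Waiting for session to become active.')

    deadline = time.time() + TIMEOUT_SECONDS
    session = {'status': 'pending'}
    info = []
    while session.get('status') == 'pending' and time.time() < deadline:
        info = run_command('cb-session-info', {'session': session_id},
                           'Error while polling for session status.')
        session = info[0]['Contents']
        if session.get('status') == 'pending':
            # Only sleep while still waiting; no point delaying once the answer is in.
            time.sleep(SESSION_POLL_INTERVAL)
    if session.get('status') != 'active':
        fail('Finished polling but session is not in active state.', info)
    demisto.log('[*] Session ' + session_id + ' active.')
    return session_id


def get_file(session_id, path):
    """Issue a "get file" Live Response command for *path* and post the file.

    Creates the command, polls cb-command-info until it completes (or reports
    an error, or TIMEOUT_SECONDS elapse), then posts the cb-file-get entries,
    which carry the retrieved file, as the script's result.
    """
    # NOTE(review): *path* is forwarded to the sensor exactly as the caller gave
    # it; any restriction on which endpoint paths may be pulled has to come from
    # Cb Response's own Live Response permissions, not from this script - confirm.
    created = run_command('cb-command-create',
                          {'session': session_id, 'name': 'get file', 'object': path})
    if len(created) != 1:
        fail('Unexpected output returned from command-create.')
    cmd_id = demisto.get(created[0], 'Contents.id')

    deadline = time.time() + TIMEOUT_SECONDS
    while True:
        info = run_command('cb-command-info', {'session': session_id, 'command': str(cmd_id)})
        if len(info) != 1:
            # The old message blamed command-create here; it is the command-info
            # response that has an unexpected shape.
            fail('Unexpected output returned from command-info.')
        status = demisto.get(info[0], 'Contents.status')
        if status == 'pending':
            if time.time() >= deadline:
                fail('Command timed out after %d seconds' % TIMEOUT_SECONDS)
            time.sleep(COMMAND_POLL_INTERVAL)
        elif status == 'error':
            # %s instead of str(int(...)) so a missing result_code reports the
            # sensor's error rather than raising TypeError from the script.
            fail('Command "get file" returned error: [Type:%s , Code:%s , Desc:%s ]' % (
                demisto.get(info[0], 'Contents.result_type'),
                demisto.get(info[0], 'Contents.result_code'),
                demisto.get(info[0], 'Contents.result_desc')))
        elif status == 'complete':
            file_id = demisto.get(info[0], 'Contents.file_id')
            fetched = run_command('cb-file-get', {'session': session_id, 'file-id': str(file_id)})
            if len(fetched) != 1:
                fail('Unexpected output returned from file-get command.')
            demisto.results(fetched)
            return
        else:
            # %s also renders a None status, which the old string concatenation could not.
            fail('Unexpected status "%s" returned from command-info.' % status)


def main():
    """Entry point: locate the sensor, obtain an active session, fetch the file."""
    args = demisto.args()
    sensor_id = find_sensor_id(args)
    session_id = get_active_session(sensor_id)
    get_file(session_id, args['path'])


if __name__ in ('__main__', '__builtin__', 'builtins'):
    main()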
scripttarget: 0
system: true
tags:
- carbon-black
- endpoint
timeout: 300ns
type: python