Comments (7)
I'll look into this further next week, although I'll be travelling so will have limited time to do so. Something that would help me when I can look into this fully is the sensor object for the sensor "Index Query File Exists". A JSON export via get_sensor.py would be ideal.
from pytan.
I can probably get that if needed, but I think the issue applies to any sensor's parameters when used as a filter.
./ask_manual.py -s 'Computer Name' -f 'Installed Application Version{application=Google}, that contains:40'
++ Asked Question 'Get Computer Name from all machines with Installed Application Version containing "40"' ID: 2378233
I think the changes I made above show that I got it to include the parameters all the way up until it sends the request to the server, but I didn't look at what it actually POSTs over the network yet. In the Tanium console, if I view the question history, it also shows up there without the parameters. So at some point it's getting stripped, but I'm not sure where.
from pytan.
Might be worth following it through shell mode and reviewing the body at each point.
from pytan.
Looks like the parameter is in the SOAP request. This is from printing request_body in pytan/session.py's add() method.
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<SOAP-ENV:Body>
<typens:tanium_soap_request xmlns:typens="urn:TaniumSOAP">
<command>AddObject</command>
<object_list><question><group><filters><filter><not_flag>0</not_flag><value>.*Yes.*</value><operator>RegexMatch</operator><sensor><source_id>1295</source_id><id>1295</id><parameters><parameter><value>b32189bdff6e577a92baa61ad49264e6</value><key>||fileMD5Hash||</key></parameter></parameters></sensor></filter></filters></group><selects><select><filter><sensor><hash>3409330187</hash></sensor></filter><sensor><hash>3409330187</hash></sensor></select></selects></question></object_list>
<options><suppress_object_list>1</suppress_object_list></options>
</typens:tanium_soap_request>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
from pytan.
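Added example, not pytan's or Tanium's own code: the request construction and the check the comment above does by hand, written out in Python. It parses the "Sensor{key=value}, that contains:value" filter string used in the ask_manual.py call earlier in the thread, emits an AddObject body with the same element layout as the request_body dump, and then re-parses that body to confirm the filter sensor still carries its parameters. The sensor id (1295) and select hash (3409330187) are lifted from the dump and used as placeholders; the mapping of "contains" to RegexMatch on ".*value.*" follows the dump, while regex-escaping the user value is an addition here.

```python
"""Build the Tanium SOAP AddObject body for a question whose filter uses a
parameterized sensor, then check that the parameters survived serialisation.

Added example, not pytan's own code. The filter-string syntax
("Sensor{key=value}, that contains:value") follows the ask_manual.py call
quoted in the thread, and the element layout follows the request_body
printed there. The sensor id (1295) and select hash (3409330187) are the
values from that dump, used here as constructed placeholders.
"""
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
TANIUM_NS = "urn:TaniumSOAP"

# "Sensor Name{k=v,k2=v2}, that contains:value"; the {...} block is optional.
_FILTER_RE = re.compile(
    r"^(?P<sensor>[^{,]+?)\s*(?:\{(?P<params>[^}]*)\})?\s*,\s*that\s+"
    r"(?P<op>[\w ]+?):(?P<value>.*)$"
)

# Only "contains" is mapped; the dump shows it sent as RegexMatch on .*value.*.
# Escaping the value is an addition here so user input cannot widen the regex.
_OPERATORS = {"contains": ("RegexMatch", lambda v: ".*" + re.escape(v) + ".*")}


def parse_filter(text):
    """Split a pytan-style filter string into sensor, params, operator, value."""
    m = _FILTER_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised filter string: %r" % text)
    params = {}
    for pair in (m.group("params") or "").split(","):
        if "=" in pair:
            key, _, val = pair.partition("=")
            params[key.strip()] = val.strip()
    return {"sensor": m.group("sensor").strip(), "params": params,
            "op": m.group("op").strip(), "value": m.group("value").strip()}


def build_question_body(flt, filter_sensor_id, select_sensor_hash):
    """Serialise 'Get <select> from all machines with <flt>' as the SOAP body."""
    if flt["op"] not in _OPERATORS:
        raise ValueError("unsupported operator: %r" % flt["op"])
    operator, render = _OPERATORS[flt["op"]]

    ET.register_namespace("SOAP-ENV", SOAP_NS)
    ET.register_namespace("typens", TANIUM_NS)
    env = ET.Element("{%s}Envelope" % SOAP_NS)
    body = ET.SubElement(env, "{%s}Body" % SOAP_NS)
    req = ET.SubElement(body, "{%s}tanium_soap_request" % TANIUM_NS)
    ET.SubElement(req, "command").text = "AddObject"

    # object_list/question/group/filters/filter carries the parameterized sensor.
    question = ET.SubElement(ET.SubElement(req, "object_list"), "question")
    filt = ET.SubElement(ET.SubElement(ET.SubElement(question, "group"), "filters"), "filter")
    ET.SubElement(filt, "not_flag").text = "0"
    ET.SubElement(filt, "value").text = render(flt["value"])
    ET.SubElement(filt, "operator").text = operator
    sensor = ET.SubElement(filt, "sensor")
    ET.SubElement(sensor, "source_id").text = str(filter_sensor_id)
    ET.SubElement(sensor, "id").text = str(filter_sensor_id)
    if flt["params"]:
        parameters = ET.SubElement(sensor, "parameters")
        for key, val in flt["params"].items():
            parameter = ET.SubElement(parameters, "parameter")
            ET.SubElement(parameter, "value").text = val
            ET.SubElement(parameter, "key").text = "||%s||" % key  # key wrapping as in the dump

    # selects/select references the displayed sensor by hash only.
    select = ET.SubElement(ET.SubElement(question, "selects"), "select")
    ET.SubElement(ET.SubElement(ET.SubElement(select, "filter"), "sensor"), "hash").text = str(select_sensor_hash)
    ET.SubElement(ET.SubElement(select, "sensor"), "hash").text = str(select_sensor_hash)
    ET.SubElement(ET.SubElement(req, "options"), "suppress_object_list").text = "1"
    return ET.tostring(env, encoding="unicode")


def filter_parameters(body_xml):
    """Return {key: value} for parameters on filter sensors in a request body.

    An empty dict means the parameters were stripped somewhere before the
    body was serialised, which is the symptom being chased in this thread.
    """
    root = ET.fromstring(body_xml)
    found = {}
    for filt in root.iter("filter"):
        for param in filt.iter("parameter"):
            found[param.findtext("key", "").strip("|")] = param.findtext("value", "")
    return found


if __name__ == "__main__":
    spec = parse_filter(
        "Index Query File Exists{fileMD5Hash=b32189bdff6e577a92baa61ad49264e6}, that contains:Yes")
    xml = build_question_body(spec, 1295, 3409330187)
    print(xml)
    print(filter_parameters(xml))
```

Running filter_parameters() on the body right before it is POSTed is the same check as printing request_body in session.py, but it can sit in a test; if it returns an empty dict for a filter string that had a {...} block, the parameters were lost somewhere between the command line and the serialiser.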
As an alternative, I tried to see if ask_parsed.py would work. It's in the request, but the suggested questions aren't using the parameters:
./ask_parsed.py -q 'GET Computer Name FROM machines WITH Index Query File Exists[, , , b32189bdff6e577a92baa61ad49264e6, , , ] containing "Yes"'
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<SOAP-ENV:Body>
<typens:tanium_soap_request xmlns:typens="urn:TaniumSOAP">
<command>AddObject</command>
<object_list><parse_job><parser_version>2</parser_version><question_text>GET Computer Name FROM machines WITH Index Query File Exists[, , , b32189bdff6e577a92baa61ad49264e6, , , ] containing "Yes"</question_text></parse_job></object_list>
<options><export_format>csv</export_format></options>
</typens:tanium_soap_request>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
2016-08-05 18:32:39,246 CRITICAL pytan.handler: You must supply an index as picker=$index to choose one of the parse responses -- re-run ask_parsed with picker set to one of these indexes!!
2016-08-05 18:32:39,247 CRITICAL pytan.handler: Index 1, Score: 6231, Query: 'Get Computer Name from machines with Index Query File Exists containing "b32189bdff6e577a92baa61ad49264e6,"'
2016-08-05 18:32:39,247 CRITICAL pytan.handler: Index 2, Score: 1852, Query: 'Get Computer Name from machines with Index Query File Exists containing "b32189bdff6e577a92baa61ad49264e6"'
2016-08-05 18:32:39,247 CRITICAL pytan.handler: Index 3, Score: 550, Query: 'Get Computer Name from machines with Index Query File Exists containing "b32189bdff6e577a92baa61ad49264e"'
2016-08-05 18:32:39,247 CRITICAL pytan.handler: Index 4, Score: 339, Query: 'Get BIOS Name from machines with Index Query File Exists containing "b32189bdff6e577a92baa61ad49264e6,"'
2016-08-05 18:32:39,247 CRITICAL pytan.handler: Index 5, Score: 239, Query: 'Get Domain Name from machines with Index Query File Exists containing "b32189bdff6e577a92baa61ad49264e6,"'
<snip>
I also printed the server's response to this and the question_text still had the parameters:
<question_text>GET Computer Name FROM machines WITH Index Query File Exists[, , , b32189bdff6e577a92baa61ad49264e6, , , ] containing "Yes"</question_text>
from pytan.
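Added example, not pytan's own code: a check for the failure mode in the ask_parsed.py output above, where the server echoes the question_text with its bracketed parameter list intact but none of the suggested queries keep it. The submitted question text and the five suggestions are copied from the thread; the "Sensor[p1, p2, ...]" form is read as a positional parameter list, and only the sensor named after the "with" clause is inspected, which is an assumption that matches the shape of this question.

```python
"""Flag parse-job suggestions that silently dropped a sensor's parameters.

Added example, not pytan's own code. The submitted question_text and the
five suggested queries are copied from the ask_parsed.py output in this
thread; the bracketed "Sensor[p1, p2, ...]" form is read as the positional
parameter list the thread shows, and only sensors named after the "with"
clause are checked (an assumption kept for this thread's shape of question).
"""
import re

_WITH_SENSOR_RE = re.compile(
    r"\bwith\s+(?P<sensor>[^\[]+?)\s*\[(?P<params>[^\]]*)\]", re.IGNORECASE)


def bracketed_sensors(question_text):
    """Map each parameterized filter sensor to its positional parameter list."""
    found = {}
    for m in _WITH_SENSOR_RE.finditer(question_text):
        found[m.group("sensor").strip()] = [p.strip() for p in m.group("params").split(",")]
    return found


def dropped_parameters(question_text, suggestions):
    """Return the 1-based indexes (the ask_parsed picker values) of suggestions
    whose filter sensor lost or changed the parameters given in question_text."""
    wanted = bracketed_sensors(question_text)
    bad = []
    for idx, query in enumerate(suggestions, start=1):
        kept = bracketed_sensors(query)
        if any(kept.get(sensor) != params for sensor, params in wanted.items()):
            bad.append(idx)
    return bad


# Constructed input: the question_text and parse responses quoted in the thread.
QUESTION_TEXT = ('GET Computer Name FROM machines WITH Index Query File Exists'
                 '[, , , b32189bdff6e577a92baa61ad49264e6, , , ] containing "Yes"')
SUGGESTIONS = [
    'Get Computer Name from machines with Index Query File Exists containing "b32189bdff6e577a92baa61ad49264e6,"',
    'Get Computer Name from machines with Index Query File Exists containing "b32189bdff6e577a92baa61ad49264e6"',
    'Get Computer Name from machines with Index Query File Exists containing "b32189bdff6e577a92baa61ad49264e"',
    'Get BIOS Name from machines with Index Query File Exists containing "b32189bdff6e577a92baa61ad49264e6,"',
    'Get Domain Name from machines with Index Query File Exists containing "b32189bdff6e577a92baa61ad49264e6,"',
]

if __name__ == "__main__":
    print(bracketed_sensors(QUESTION_TEXT))
    print("suggestions missing parameters:", dropped_parameters(QUESTION_TEXT, SUGGESTIONS))
```

With the thread's data every index comes back flagged, which is the signal to stop before passing any picker value on: the parser has turned the parameter list into part of the filter's match string rather than keeping it as parameters.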
This is a known issue with ask_parsed and how the parser API handles request bodies. A workaround has been added to the next release already. Jim and I will look into the original issue as soon as time permits.
from pytan.
Parameters work in filters now with manual questions. I've not ported the ask_parsed functionality.
from pytan.