App Control: Create Powershell API script checking for “New unapproved file to computer” subtype going back two weeks from the current date and if no event results then change the endpoint’s policy.

Article ID: 287874

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

This article shows how to create a PowerShell API script that checks each endpoint for events of the “New unapproved file to computer” subtype going back two weeks from the current date and, if no events are found for that endpoint, changes the endpoint’s policy.

Environment

  • App Control Agent: All Supported Versions
  • App Control Server: All Supported Versions

Resolution

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$ErrorActionPreference = 'Stop'
Clear-Host

# Define the App Control console server name to be interacted with
$Server = @(
"enterservernamehere"
)

# Define the domain name
$ServerDomain = "enterdomainnamehere"

# Define the location of the API keys
$APIKeys = "C:\Scripts\CBProtection\APIKey\$Server`_$env:USERNAME"

# Define the script's name and location, move to that location
$scriptPath = split-path -parent $MyInvocation.MyCommand.Definition
$scriptName = $MyInvocation.MyCommand.Name
$CurrentLocalFolder = "$scriptPath"
Set-Location -Path $CurrentLocalFolder

# Get the API key
$SecurePassword = Get-Content "$APIKeys" | ConvertTo-SecureString
$Marshal = [System.Runtime.InteropServices.Marshal]
$BSTR = $Marshal::SecureStringToBSTR($SecurePassword)
$apiKey = $Marshal::PtrToStringBSTR($BSTR)
$Marshal::ZeroFreeBSTR($BSTR)

# Get the list of endpoints in Low Enforcement ("Monitored-LOW" policy) that have registered with the console TWO WEEKS AGO OR MORE
$contenttype = 'application/json'
$baseuri = "https://$Server.$ServerDomain/api/bit9platform/v1/"
$TimePeriod = "<-2w"
$enforcementLevel = 40
$policyName = "Monitored-LOW"
$query = "?q=name:*&q=dateCreated$TimePeriod&q=connected:true&q=initializing:false&q=enforcementLevel:$enforcementLevel&q=policyName:$policyName"
$objecttype = "computer"
$uri = $baseuri + $objecttype + $query
$headers = @{}
$headers.add('X-Auth-Token',$apiKey)
$parameters = @{}
$parameters.add('Method','Get')
$parameters.add('Uri',$uri)
$parameters.add('ErrorVariable','RESTError')
$endpointresults = Invoke-RestMethod -Headers $headers @parameters -ContentType $contenttype

# Declare and remove any previous iteration of the output file
$OutputFile = ".\test.csv"
If (Test-Path -Path $OutputFile) {Remove-Item -Path $OutputFile -Force}

# For each endpoint previously retrieved, get all events from the most recent two weeks with the subtypeName "New unapproved file to computer"
Write-Host "For each endpoint previously retrieved, get all events from the most recent two weeks with the subtypeName `"New unapproved file to computer`""
Write-Host "Export file is" $OutputFile

ForEach ($IndividualSystem in $endpointresults) {
    $objecttype = "event"
    $eventsubtypeID = 1003
-1d"">
    $TimePeriod = ">-2w"    # events from the most recent two weeks (">-1d" would only cover the last day)
    $fileNameIDoNotWant = "getpaths.cmd"

    # For each system, remove the prefix netbios domain name and "\" character.
    # A name with no "\" makes IndexOf return -1, and Substring(0,-1) would throw, so such names are used as-is.
    $COMPUTERNAME = $IndividualSystem.name
    $pos = $COMPUTERNAME.IndexOf("\")
    If ($pos -ge 0) {
        $NetbiosDomain = $COMPUTERNAME.Substring(0, $pos)
        $JustComputerName = $COMPUTERNAME.Substring($pos+1)
    } Else {
        $NetbiosDomain = ""
        $JustComputerName = $COMPUTERNAME
    }

    $query = "?limit=0&sort=timestamp" + "&q=timeStamp" + $TimePeriod + "&q=computerName:*" + $JustComputerName + "&q=subtype:" + $eventsubtypeID + "&q=fileName!" + $fileNameIDoNotWant
    $uri = $baseuri + $objecttype + $query
    $headers = @{}
    $headers.add('X-Auth-Token',$apiKey)
    $parameters = @{}
    $parameters.add('Method','Get')
    $parameters.add('Uri',$uri)
    $parameters.add('ErrorVariable','RESTError')
    $endpointEventResults = Invoke-RestMethod -Headers $headers @parameters -ContentType $contenttype

    # Convert the event timestamps (returned in UTC and parsed into local time by Invoke-RestMethod) to Eastern time.
    # Each field is converted from its own original value; converting every field from timeStamp
    # would overwrite receivedTimeStamp and fileFirstExecutionDate with the (already converted) timeStamp.
    # Fields the event does not carry (e.g. fileFirstExecutionDate on some events) are skipped.
    $localZone = [System.TimeZoneInfo]::Local.Id
    ForEach ($Event in $endpointEventResults) {
        ForEach ($field in 'timeStamp','receivedTimeStamp','fileFirstExecutionDate') {
            If ($Event.$field) {
                $Event.$field = [System.TimeZoneInfo]::ConvertTimeBySystemTimeZoneId($Event.$field, $localZone, 'Eastern Standard Time')
            }
        }
    }
    $endpointEventResults | Select-Object -Property timestamp,subtypeName,computerName,ipAddress,policyName,pathName,fileName,userName,process,installerFileName,fileFirstExecutionDate,sha256 | Export-Csv -Path $OutputFile -NoClobber -Append -NoTypeInformation
}
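The script above exports the matching events to CSV but does not show the step named in the title: changing the endpoint's policy when the two-week window returns no "New unapproved file to computer" events. The block below is an added example, not part of the article's script, of how that step can be written. It reuses the script's $baseuri, $headers, $contenttype, $Server, $IndividualSystem and $endpointEventResults variables. It assumes, because this page does not show it, that the v1 "policy" object can be filtered with q=name:, that the computer object carries policyId and automaticPolicy fields, and that a computer's policy is changed by PUTting the modified computer object back to computer/{id}; the target policy name "Monitored-HIGH" is a placeholder. Check those assumptions against your server's API documentation before using it.

```powershell
# Added example (not the KB article's code): move an endpoint to a different policy only when
# its two-week event query came back empty. Intended for promoting quiet Low Enforcement endpoints
# to a higher-enforcement policy; the target policy name below is a placeholder.
$targetPolicyName = "Monitored-HIGH"   # placeholder: set to the policy the endpoint should move to

# Look up the target policy's id once, before the ForEach ($IndividualSystem ...) loop.
# Assumption: the v1 policy object supports the same q=name: filter the script uses on computer.
$policyUri = $baseuri + "policy?q=name:" + $targetPolicyName
$targetPolicy = Invoke-RestMethod -Headers $headers -Method Get -Uri $policyUri -ContentType $contenttype
If (-not $targetPolicy) { Throw "Policy '$targetPolicyName' was not found on $Server" }
$targetPolicyId = @($targetPolicy)[0].id

Function Move-EndpointToPolicy {
    param($Computer, $EventResults, $PolicyId, $PolicyName)

    # Wrap in @() so that no events (null) and a single event (one object, not an array) both count correctly
    $eventCount = @($EventResults).Count
    If ($eventCount -gt 0) {
        Write-Host "$($Computer.name): $eventCount unapproved-file event(s) in the window, policy left at '$($Computer.policyName)'"
        return $false
    }
    If ($Computer.policyId -eq $PolicyId) {
        Write-Host "$($Computer.name): already in '$PolicyName', nothing to do"
        return $false
    }

    # Assumption: changing policy = PUT the retrieved computer object back with policyId set and
    # automaticPolicy turned off (otherwise an AD-based automatic policy assignment could override it)
    $Computer.policyId = $PolicyId
    $Computer.automaticPolicy = $false
    $putUri = $baseuri + "computer/" + $Computer.id
    $body = $Computer | ConvertTo-Json -Depth 5
    Invoke-RestMethod -Headers $headers -Method Put -Uri $putUri -ContentType $contenttype -Body $body | Out-Null
    Write-Host "$($Computer.name): no events in the window, moved to '$PolicyName'"
    return $true
}

# Call site: inside the script's ForEach ($IndividualSystem in $endpointresults) loop,
# after $endpointEventResults has been retrieved for that endpoint:
#   Move-EndpointToPolicy -Computer $IndividualSystem -EventResults $endpointEventResults -PolicyId $targetPolicyId -PolicyName $targetPolicyName
```

Because $ErrorActionPreference is 'Stop' in the script, a failed PUT halts the run rather than silently skipping an endpoint; the Write-Host lines give a per-endpoint record of which policies were changed and why, which is what you want to keep alongside the CSV export when reviewing an enforcement roll-out.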