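<#
.SYNOPSIS
    Exports Infocyte HUNT scan results to newline-delimited JSON files for Splunk ingestion.

.DESCRIPTION
    Obtains an API token from a HUNT server, lists its scans (optionally only those completed
    within the last -Days days and having at least one host) and writes one compressed JSON
    object per line under -OutPath:

      Scans.json                    one line per exported scan (used as the "already exported" index)
      <targetlist>-<scanname>.json  processes, modules, drivers, autostarts, memscans,
                                    connections and hosts of that scan, appended in that order

    Scans whose id is already present in Scans.json are skipped unless -Replace is given.

.PARAMETER Days
    Only export scans completed within the last N days. 0 exports every scan the server lists.

.PARAMETER HuntServer
    Base URL of the HUNT server.

.PARAMETER OutPath
    Directory that receives the JSON files. Created if it does not exist.

.PARAMETER Replace
    Delete the existing Scans.json and every selected scan's per-scan file, then re-export.

.PARAMETER HuntCredential
    Credential used for the token request. When omitted the user is prompted; there is
    intentionally no built-in default account or password.

.NOTES
    Requires the Infocyte HUNT PowerShell module (New-ICToken, Get-ICScans and the Get-IC* data cmdlets).
#>
Param(
    [Parameter()]
    [Int]$Days = 0,                                              # Age of new data to pull from HUNT (in days)
    [Parameter()]
    [String]$HuntServer = "https://localhost:4443",
    [Parameter()]
    [String]$OutPath = "C:\Program Files\Infocyte\SplunkData\",  # Output Path of SplunkData json files
    [Parameter()]
    [Switch]$Replace,
    [Parameter()]
    [PSCredential]$HuntCredential
)

#######################################
# Builds the full path of an output file inside $OutPath.
# Arguments: $BaseName - file name without extension; characters that are not valid in a
#            file name (this includes path separators) are replaced with '_', so a scan
#            or target-list name returned by the server cannot point outside $OutPath.
# Outputs:   the path string
#######################################
function Get-ExportPath([String]$BaseName) {
    $invalid = [IO.Path]::GetInvalidFileNameChars() -join ''
    $safe = $BaseName -replace "[$([Regex]::Escape($invalid))]", '_'
    return Join-Path -Path $OutPath -ChildPath "$safe.json"
}

#######################################
# Appends each object as one compressed JSON line (NDJSON) to a file.
# Arguments: $Objects - objects to serialise (null/empty writes nothing)
#            $Path    - destination file, created if missing
#######################################
function Write-JsonLines($Objects, [String]$Path) {
    $Objects | ForEach-Object {
        $_ | ConvertTo-Json -Compress | Out-File -LiteralPath $Path -Append
    }
}

# No fallback to a well-known default account: an unattended run that was started without
# -HuntCredential fails here with a clear message instead of authenticating silently.
if (-NOT $HuntCredential -OR -NOT $HuntCredential.UserName) {
    $HuntCredential = Get-Credential -Message "Enter HUNT credentials for $HuntServer"
    if (-NOT $HuntCredential) {
        throw "No HUNT credential supplied. Pass -HuntCredential <PSCredential>."
    }
}

if (-NOT (Test-Path -LiteralPath $OutPath)) {
    # Out-Null: New-Item would otherwise emit the DirectoryInfo object to the pipeline.
    New-Item -Path $OutPath -ItemType Directory | Out-Null
}

# MAIN
# The token request must receive the credential this script validated above ($HuntCredential);
# any other variable name here is simply undefined and yields an empty credential.
New-ICToken $HuntCredential $HuntServer

# splunkscan
$AllScans = Get-ICScans

# Create Time Box: keep only scans that completed inside the window and reported at least one host.
if ($Days -ne 0 -AND $AllScans) {
    $FirstDT = (Get-Date).AddDays(-$Days)
    $Scans = $AllScans |
        Where-Object { $_.scancompletedon } |
        Where-Object { [datetime]$_.scancompletedon -gt $FirstDT -AND $_.hostCount -gt 0 }
} else {
    $Scans = $AllScans
}
if (-NOT $Scans) {
    Write-Warning "No Scans were found for the given date range"
    exit
}

# splunkscans: Scans.json doubles as the index of what has already been exported.
$ScanIndexPath = Get-ExportPath "Scans"
if (Test-Path -LiteralPath $ScanIndexPath) {
    if ($Replace) {
        Remove-Item -LiteralPath $ScanIndexPath
        Write-Host "Requesting data from $($Scans.count) Scans."
    } else {
        # Check latest, only append new scanids. The file holds one JSON object per line,
        # so each line is converted on its own.
        $old = Get-Content -LiteralPath $ScanIndexPath | ConvertFrom-Json
        $scanIds = $old.scanid
        Write-Host "$($Scans.count) Scans found. $($scanIds.count) scans have already been exported"
        $Scans = $Scans | Where-Object { $scanIds -notcontains $_.scanid }
        Write-Host "Requesting $($Scans.count) new Scans."
    }
}
Write-JsonLines $Scans $ScanIndexPath

# Data sets exported for every scan, in the order they are appended to the scan's file.
$DataSets = @(
    @{ Type = "Processes";   Command = "Get-ICProcesses" },
    @{ Type = "Modules";     Command = "Get-ICModules" },
    @{ Type = "Drivers";     Command = "Get-ICDrivers" },
    @{ Type = "Autostarts";  Command = "Get-ICAutostarts" },
    @{ Type = "Memscans";    Command = "Get-ICMemscans" },
    @{ Type = "Connections"; Command = "Get-ICConnections" },
    @{ Type = "Hosts";       Command = "Get-ICHosts" }
)

foreach ($scan in $Scans) {
    $scanname = "$($scan.targetlist)-$($scan.scanname)"
    $scanPath = Get-ExportPath $scanname

    # -Replace has to remove the per-scan file as well, and that can only be decided here,
    # once $scanname is known; otherwise the new export is appended to the old data.
    if ($Replace -AND (Test-Path -LiteralPath $scanPath)) {
        Remove-Item -LiteralPath $scanPath
    }

    foreach ($set in $DataSets) {
        $itemtype = $set.Type
        Write-Host "[] Exporting $itemtype from $scanname"
        # The timed block refers to $scan rather than $_: Measure-Command binds $_ to its own
        # pipeline input, so a ForEach-Object $_ is not reliably visible inside it.
        $time = Measure-Command { $obj = & $set.Command $scan.id }
        Write-Host "Received $($obj.count) $itemtype from Hunt server in $($time.TotalSeconds) seconds"
        Write-JsonLines $obj $scanPath
    }
}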