
App Control: Create Powershell API script checking for “New unapproved file to computer” subtype going back two weeks from the current date and if no event results then change the endpoint’s policy.

Environment

  • App Control Agent: All Supported Versions
  • App Control Server: All Supported Versions

Question

How can I create a PowerShell API script that checks for the “New unapproved file to computer” event subtype going back two weeks from the current date and, if no such events are found, changes the endpoint’s policy?

Answer

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$ErrorActionPreference = 'Stop'
Clear-Host

# Define the App Control console server name to be interacted with
$Server = @(
"enterservernamehere"
)

# Define the domain name
$ServerDomain = "enterdomainnamehere"

# Define the location of the API keys
$APIKeys = "C:\Scripts\CBProtection\APIKey\$Server`_$env:USERNAME"

# Define the script's name and location, move to that location
$scriptPath = split-path -parent $MyInvocation.MyCommand.Definition
$scriptName = $MyInvocation.MyCommand.Name
$CurrentLocalFolder = "$scriptPath"
Set-Location -Path $CurrentLocalFolder

# Get the API key
$SecurePassword = Get-Content "$APIKeys" | ConvertTo-SecureString
$Marshal = [System.Runtime.InteropServices.Marshal]
$BSTR = $Marshal::SecureStringToBSTR($SecurePassword)
$apiKey = $Marshal::PtrToStringBSTR($BSTR)
$Marshal::ZeroFreeBSTR($BSTR)

# Get the list of endpoints in Low Enforcement ("Monitored-LOW" policy) that have registered with the console TWO WEEKS AGO OR MORE
$contenttype = 'application/json'
$baseuri = "https://$Server.$ServerDomain/api/bit9platform/v1/"
$TimePeriod = "<-2w"
$enforcementLevel = 40
$policyName = "Monitored-LOW"
$query = "?q=name:*&q=dateCreated$TimePeriod&q=connected:true&q=initializing:false&q=enforcementLevel:$enforcementLevel&q=policyName:$policyName"
$objecttype = "computer"
$uri = $baseuri + $objecttype + $query
$headers = @{}
$headers.add('X-Auth-Token',$apiKey)
$parameters = @{}
$parameters.add('Method','Get')
$parameters.add('Uri',$uri)
$parameters.add('ErrorVariable','RESTError')
$endpointresults = Invoke-RestMethod -Headers $headers @parameters -ContentType $contenttype

# Declare and remove any previous iteration of the output file
$OutputFile = ".\test.csv"
If (Test-Path -Path $OutputFile) {Remove-Item -Path $OutputFile -Force}

# For each endpoint previously retrieved, get all events from the most recent two weeks with the subtypeName "New unapproved file to computer"
Write-Host "For each endpoint previously retrieved, get all events from the most recent two weeks with the subtypeName `"New unapproved file to computer`""
Write-Host "Export file is" $OutputFile

ForEach ($IndividualSystem in $endpointresults) {
    $objecttype = "event"
    $eventsubtypeID = 1003
-1d"">
    $TimePeriod = ">-2w"   # events from the most recent two weeks (the original used ">-1d", which did not match the stated window)
    $fileNameIDoNotWant = "getpaths.cmd"

    # For each system, remove the prefix netbios domain name and "\" character
    $COMPUTERNAME = $IndividualSystem.name
    $pos = $COMPUTERNAME.IndexOf("\")
    $NetbiosDomain = $COMPUTERNAME.Substring(0, $pos)
    $JustComputerName = $COMPUTERNAME.Substring($pos+1)

    $query = "?limit=0&sort=timestamp" + "&q=timeStamp" + $TimePeriod + "&q=computerName:*" + $JustComputerName + "&q=subtype:" + $eventsubtypeID + "&q=fileName!" + $fileNameIDoNotWant
    $uri = $baseuri + $objecttype + $query
    $headers = @{}
    $headers.add('X-Auth-Token',$apiKey)
    $parameters = @{}
    $parameters.add('Method','Get')
    $parameters.add('Uri',$uri)
    $parameters.add('ErrorVariable','RESTError')
    $endpointEventResults = Invoke-RestMethod -Headers $headers @parameters -ContentType $contenttype

    # Convert each event's date fields to Eastern time. Each property is converted from its own value
    # (the original converted timeStamp three times and wrote it into all three fields); null dates are skipped.
    ForEach ($Event in $endpointEventResults) {
        ForEach ($prop in 'timeStamp','receivedTimeStamp','fileFirstExecutionDate') {
            if ($null -ne $Event.$prop) {
                $Event.$prop = [System.TimeZoneInfo]::ConvertTimeBySystemTimeZoneId($Event.$prop, [System.TimeZoneInfo]::Local.Id, 'Eastern Standard Time')
            }
        }
    }
    $endpointEventResults | Select-Object -Property timestamp,subtypeName,computerName,ipAddress,policyName,pathName,fileName,userName,process,installerFileName,fileFirstExecutionDate,sha256 | Export-Csv -Path $OutputFile -NoClobber -Append -NoTypeInformation
}
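The script above stops at exporting the matching events; the policy change the question asks for is not on the page. The following is an added example, not the article's own code, of that missing step. It reuses $baseuri, $headers, $contenttype and $endpointresults from the script above and assumes, from the App Control v1 API rather than from this page, a policy resource queryable by name with an id field, a computer object carrying policyId, and that a computer is updated by PUT of the whole object back to computer/<id>; the target policy name is a placeholder, and the $DryRun switch keeps it from changing anything until set to $false.

```powershell
# Added example (not part of the original article): the "no events, so change policy" step.
# Assumes $baseuri, $headers, $contenttype and $endpointresults from the script above.
# Assumed API shape: GET policy?q=name:<name> returns objects with id/name; a computer is
# updated by GET computer/<id>, editing policyId, then PUT of the whole object back.
$targetPolicyName = "enter-target-policy-name-here"   # placeholder: policy quiet endpoints move into
$TimePeriod       = ">-2w"                             # same two-week window as the question
$eventsubtypeID   = 1003                               # "New unapproved file to computer"
$DryRun           = $true                              # set to $false to actually change policies
$ChangeLog        = ".\policy-changes.csv"

# Resolve the target policy name to its numeric id once, up front
$policyUri    = $baseuri + "policy?q=name:" + $targetPolicyName
$targetPolicy = @(Invoke-RestMethod -Method Get -Uri $policyUri -Headers $headers -ContentType $contenttype)
if ($targetPolicy.Count -ne 1) { throw "Expected exactly one policy named '$targetPolicyName', found $($targetPolicy.Count)" }
$targetPolicyId = $targetPolicy[0].id

ForEach ($IndividualSystem in $endpointresults) {
    $JustComputerName = $IndividualSystem.name.Split('\')[-1]   # strip the NETBIOS\ prefix

    # limit=1 is enough here: the decision only needs to know whether any such event exists
    $eventUri = $baseuri + "event?limit=1&q=timeStamp$TimePeriod&q=computerName:*$JustComputerName&q=subtype:$eventsubtypeID"
    $events   = @(Invoke-RestMethod -Method Get -Uri $eventUri -Headers $headers -ContentType $contenttype)

    if ($events.Count -gt 0) {
        Write-Host "$JustComputerName : unapproved-file event seen at $($events[0].timeStamp); policy unchanged"
        continue
    }
    if ($IndividualSystem.policyId -eq $targetPolicyId) {
        Write-Host "$JustComputerName : already in '$targetPolicyName'; nothing to do"
        continue
    }

    Write-Host "$JustComputerName : no subtype $eventsubtypeID events in window, moving to policy '$targetPolicyName'"
    if (-not $DryRun) {
        $computerUri = $baseuri + "computer/" + $IndividualSystem.id
        $computer    = Invoke-RestMethod -Method Get -Uri $computerUri -Headers $headers -ContentType $contenttype
        $computer.policyId = $targetPolicyId
        $null = Invoke-RestMethod -Method Put -Uri $computerUri -Headers $headers -ContentType $contenttype -Body ($computer | ConvertTo-Json)
    }
    # Record every decision so the change is auditable and reversible
    [PSCustomObject]@{
        when       = (Get-Date).ToString('s')
        computer   = $IndividualSystem.name
        fromPolicy = $IndividualSystem.policyName
        toPolicy   = $targetPolicyName
        applied    = -not $DryRun
    } | Export-Csv -Path $ChangeLog -Append -NoTypeInformation
}
```

Run it once with $DryRun left at $true and review policy-changes.csv before letting it move any endpoint.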

Creation Date: 06-08-2023