01-07-2022 10:41 AM
Hi guys,
I have created some code in Python for checking for unwanted software like anydesk.exe using Cisco Orbital.

```python
import requests

client_id = 'THREATRESPONSE_CLIENT_ID'
client_password = 'THREATRESPONSE_CLIENT_PASSWORD'
computers_list = []

# Get an OAuth2 bearer token from SecureX Threat Response with the client credentials
url = 'https://visibility.amp.cisco.com/iroh/oauth2/token'
headers = {'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'application/json'}
payload = {'grant_type': 'client_credentials'}
request = requests.post(url, headers=headers, auth=(client_id, client_password), data=payload)
token = request.json()['access_token']

orb_headers = {
    'Authorization': 'Bearer ' + token
}
# Fetch the results of an existing Orbital job
response = requests.get(url='https://orbital.amp.cisco.com/v0/jobs/<jobquerycode>/results', headers=orb_headers)
response_json = response.json()

# Walk the flat "values" array of every endpoint and record the hosts where AnyDesk.exe shows up
for item in response_json["results"]:
    for i in item['osQueryResult'][0]['values']:
        if i == 'AnyDesk.exe':
            computer = item['hostinfo']['hostname']
            if computer not in computers_list:
                computers_list.append(computer)

print('Computers with programs not authorized:\n')
for computer in computers_list:
    print(computer)
```
I could create a simple SecureX workflow with the Python code above and it's working fine:
BUT I'd like to move this Python code to atomic actions, and I'm lost when creating a for loop inside a for loop that checks a "JSON array".
The SecureX documentation https://ciscosecurity.github.io/sxo-05-security-workflows/activities/jsonpath-query helps a lot when talking about JSONPath, and I'm a little familiar with it thanks to that, and the website https://jsonpath.com/ helped with the JSONPath syntax $.osQueryResult[0].values[:] to get the content I could work with.
Now I need to go through each value inside this JSON array called "values" in each computer.
```json
{
  "node": "OXhMF1DwWjblahdusg1-sJAw",
  "ampuuid": "",
  "lastseen": null,
  "osQuery": [
    {
      "types": [
        "file_name",
        "file_path",
        "ip",
        "listening_ports_protocol",
        "transport_port"
      ],
      "sql": "SELECT p.name, p.path, lp.address, lp.protocol, lp.port \\nFROM listening_ports lp LEFT JOIN processes p ON lp.pid = p.pid \\nWHERE lp.port != 0 \\nAND lp.address!=\\\\\"127.0.0.1\\\\\" \\nAND lp.address!=\\\\\"::1\\\\\" \\nAND p.path NOT LIKE \\\\\"c:\\windows\\system32\\%\\\\\" \\nAND p.path NOT LIKE \\\\\"/usr/sbin/%\\\\\" \\nAND p.path NOT LIKE \\\\\"/sbin/%\\\\\" \\nAND p.path NOT LIKE \\\\\"/usr/libexec/%\\\\\";\\n",
      "label": "listening_ports",
      "name": "Listening Ports"
    }
  ],
  "osQueryResult": [
    {
      "types": [
        "file_name",
        "file_path",
        "ip",
        "",
        ""
      ],
      "columns": [
        "name",
        "path",
        "address",
        "protocol",
        "port"
      ],
      "values": [
        "System",
        "",
        "0.0.0.0",
        "6",
        "445",
        "winvnc.exe",
        "C:\\Program Files\\uvnc bvba\\UltraVNC\\winvnc.exe",
        "0.0.0.0",
        "6",
        "5800",
        "winvnc.exe",
        "C:\\Program Files\\uvnc bvba\\UltraVNC\\winvnc.exe",
        "0.0.0.0",
        "6",
        "12344",
        "System",
        "",
        "10.0.20.20",
        "6",
        "139",
        "System",
        "",
        "::",
        "6",
        "445",
        "chrome.exe",
        "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
        "0.0.0.0",
        "17",
        "5353",
        "chrome.exe",
        "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
        "0.0.0.0",
        "17",
        "5353",
        "nvcontainer.exe",
        "C:\\Program Files\\NVIDIA Corporation\\NvContainer\\nvcontainer.exe",
        "0.0.0.0",
        "17",
        "49307",
        "System",
        "",
        "10.0.20.20",
        "17",
        "137",
        "System",
        "",
        "10.0.20.20",
        "17",
        "138",
        "nvcontainer.exe",
        "C:\\Program Files\\NVIDIA Corporation\\NvContainer\\nvcontainer.exe",
        "10.0.20.20",
        "17",
        "5353",
        "chrome.exe",
        "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
        "::",
        "17",
        "5353",
        "nvcontainer.exe",
        "C:\\Program Files\\NVIDIA Corporation\\NvContainer\\nvcontainer.exe",
        "::",
        "17",
        "49308"
      ],
      "error": "",
      "secs": 0.17353829741477966,
      "label": "listening_ports",
      "name": "Listening Ports"
    }
  ],
  "error": {
    "en": ""
  },
  "hostinfo": {
    "osinfo": {
      "os": "windows",
      "osname": "Windows 10 Enterprise LTSC 2019",
      "release": "6.3",
      "version": "10.0.17763",
      "arch": "amd64"
    },
    "hostname": "computer-teste",
    "fqdn": {
      "10.0.20.20": "computer-teste.dominio.com.br",
      "169.254.89.171": "computer-teste.dominio.com.br",
      "fe80::ac20:48ea:d0ab:59ab": "computer-teste.dominio.com.br"
    },
    "interfaces": {
      "Ethernet": {
        "name": "Ethernet",
        "mac": "1c:1b:0d:a8:0c:52",
        "ipv4": "10.0.20.20/24",
        "ipv6": "fe80::ac20:48ea:d0ab:59ab/64",
        "active": true
      }
    },
    "external": {
      "name": "",
      "mac": "",
      "ipv4": "203.203.203.203",
      "active": true
    },
    "updated": "2022-01-02T15:57:33.0877151Z",
    "version": "1.14.18",
    "osqueryversion": "",
    "machine": "",
    "anyconnectudid": ""
  },
  "rowcount": 14
}
```
As a SecureX workflow base I'm using https://ciscosecurity.github.io/sxo-05-security-workflows/workflows/orbital/0009-cve-hunt-to-servicenow
Now I'm trying to recreate what I have in the Python code (lines 22-28), but the second for loop I have created is not looping through the JSON array "values":
```json
"values": [
  "System",
  "",
  "0.0.0.0",
  "6",
  "445",
  "winvnc.exe",
  "C:\\Program Files\\uvnc bvba\\UltraVNC\\winvnc.exe",
  "0.0.0.0",
  "6",
  "5800",
  "winvnc.exe",
  "C:\\Program Files\\uvnc bvba\\UltraVNC\\winvnc.exe",
  "0.0.0.0",
  "6",
  "12344",
  "System",
  "",
  "10.0.20.20",
  "6",
  "139",
  "System",
  "",
  "::",
  "6",
  "445",
  "chrome.exe",
  "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
  "0.0.0.0",
  "17",
  "5353",
  "chrome.exe",
  "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
  "0.0.0.0",
  "17",
  "5353",
  "nvcontainer.exe",
  "C:\\Program Files\\NVIDIA Corporation\\NvContainer\\nvcontainer.exe",
  "0.0.0.0",
  "17",
  "49307",
  "System",
  "",
  "10.0.20.20",
  "17",
  "137",
  "System",
  "",
  "10.0.20.20",
  "17",
  "138",
  "nvcontainer.exe",
  "C:\\Program Files\\NVIDIA Corporation\\NvContainer\\nvcontainer.exe",
  "10.0.20.20",
  "17",
  "5353",
  "chrome.exe",
  "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
  "::",
  "17",
  "5353",
  "nvcontainer.exe",
  "C:\\Program Files\\NVIDIA Corporation\\NvContainer\\nvcontainer.exe",
  "::",
  "17",
  "49308"
]
```
The part of the SecureX workflow I'm working on:
In the picture above I'm trying to create a table with each value in the JSON array "values", but unfortunately, using 'Read Table From JSON' with 'Populating columns from JSON' enabled and the JSON path '$.osQueryResult[0].values', it brings all the values in a single line instead of multiple lines, one for each value:
All values are in a single column of the table, and it's not slicing if I use $.osQueryResult[0].values[:].
Does someone know how to create a table from the JSON array? I know how to do it with JSON objects in key:value pairs, but I don't know how to check it in a JSON array.
Maybe there's another solution, any idea?
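The sample above shows why the inner loop is awkward: Orbital returns "values" as one flat list, so every row of the osquery result is spread over as many consecutive strings as there are "columns". The following is an added example (not the poster's code and not part of SecureX or Orbital) that regroups the flat list into rows using the "columns" list and then flags listening processes by name, comparing case-insensitively; the trimmed result JSON and the UNWANTED set are constructed for the example.

```python
import json

# Constructed sample modelled on the Orbital result in the post: one host, one
# osQueryResult with 5 columns and a flat "values" list (3 rows here instead of 14).
SAMPLE_RESULTS = json.loads(r'''
{"results": [
  {"hostinfo": {"hostname": "computer-teste"},
   "osQueryResult": [
     {"columns": ["name", "path", "address", "protocol", "port"],
      "values": ["System", "", "0.0.0.0", "6", "445",
                 "winvnc.exe", "C:\\Program Files\\uvnc bvba\\UltraVNC\\winvnc.exe", "0.0.0.0", "6", "5800",
                 "anydesk.exe", "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe", "0.0.0.0", "6", "7070"]}]}
]}
''')

# Assumed blocklist for the example; names are compared in lower case.
UNWANTED = {"anydesk.exe", "winvnc.exe"}


def rows_from_result(qres):
    """Rebuild the rows Orbital flattened: slice 'values' into chunks of
    len(columns) and zip each chunk with the column names."""
    cols, vals = qres["columns"], qres["values"]
    width = len(cols)
    if width == 0 or len(vals) % width:
        raise ValueError("values length is not a multiple of the column count")
    return [dict(zip(cols, vals[i:i + width])) for i in range(0, len(vals), width)]


def find_unwanted(results_json, unwanted=UNWANTED):
    """Return {hostname: [(name, path, port), ...]} for rows whose process name is unwanted."""
    hits = {}
    for item in results_json["results"]:
        host = item["hostinfo"]["hostname"]
        for qres in item["osQueryResult"]:
            for row in rows_from_result(qres):
                if row["name"].lower() in unwanted:
                    hits.setdefault(host, []).append((row["name"], row["path"], row["port"]))
    return hits


if __name__ == "__main__":
    for host, rows in find_unwanted(SAMPLE_RESULTS).items():
        print(host)
        for name, path, port in rows:
            print(f"  {name} ({path}) listening on port {port}")
```

The same regrouping (one row per len(columns) values) is what a SecureX table needs before a per-row condition can be applied; a flat JSONPath like $.osQueryResult[0].values[:] on its own cannot tell where one row ends and the next begins.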