
carbon black simple api query bash script

  1. #!/bin/bash
  2. # save as cpapiprocquery.sh
  3. # by @cuvy
  4.  
  5. # usage:
  6. # ./cbapiprocquery.sh <process query string>
  7. #
  8. # eg ./cbapiprocquery.sh "process_name:powershell.exe AND netconn_count:[1 TO *]"
  9. #
  10. # json results will be returned. you can then process that with grep, jq, or whatever tool you prefer
  11. #
  12. # eg
  13. # ./cbapiprocquery.sh "netutil.exe" | jq '.results[].cmdline'
  14.  
  15. # update these variables with your details
  16. APIKEY=''
  17. CBSERVER='' # no trailing slash
  18.  
  19. API_PROCESS="/api/v1/process"
  20. AUTHHEADER="X-Auth-Token: $APIKEY"
  21. REQUEST_URL="$CBSERVER$API_PROCESS"
  22. SEARCHSTR_UNENCODED="$1"
  23.  
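#######################################
# Percent-encode a string for use as a URL query value.
# Unreserved characters [-_.~A-Za-z0-9] are passed through unchanged; every
# other BYTE is emitted as %xx (lowercase hex), so multibyte UTF-8 input
# comes out as one %xx per byte rather than one per character.
# Arguments: $1 - string to encode
# Outputs:   the encoded string on stdout, followed by a newline
# Globals:   REPLY (written) - also receives the encoded string, so a caller
#            in the same shell can read it without a command substitution
# Returns:   0
#######################################
rawurlencode() {
  local LC_ALL=C      # byte-wise ${var:pos:1} / ${#var}; also pins [a-z] to ASCII
  local string="${1}"
  local strlen=${#string}
  local encoded=""
  local pos c o n

  for (( pos=0 ; pos<strlen ; pos++ )); do
    c=${string:$pos:1}
    case "$c" in
      [-_.~a-zA-Z0-9] ) o="${c}" ;;
      * )
        # "'$c" gives the byte's numeric value; mask to 0..255 because some
        # bash builds report bytes >= 0x80 as negative (signed char)
        printf -v n '%d' "'$c"
        printf -v o '%%%02x' "$(( n & 0xff ))"
        ;;
    esac
    encoded+="${o}"
  done
  # printf, not echo: an encoded value such as "-n" or "-e" consists only of
  # unreserved characters and would be swallowed by echo as an option.
  printf '%s\n' "${encoded}"
  REPLY="${encoded}"
}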
  41.  
  42. SEARCHSTR=$(rawurlencode "$SEARCHSTR_UNENCODED")
  43. QUERY_STR="?cb.urlver=1&rows=10&facet=false&facet.field=process_name&facet.field=group&facet.field=hostname&facet.field=parent_name&facet.field=path_full&facet.field=process_md5&start=0&rows=1&q=$SEARCHSTR"
  44. # add -k if your server doesn't have a valid cert
  45. curl -s -H "$AUTHHEADER" "$REQUEST_URL$QUERY_STR"
 