- [ {
- "item" : {
- "catalogVersion" : 1,
- "dbVersion" : 2,
- "id" : "5b3fb096e4b0cbe06dd67313",
- "name" : "COMPLIANCE - Systems Patched in Oct 2015",
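- "description" : "List of systems with an installed update whose install_date is after 2015-10-01. The filter has no end date, so results are not limited to October 2015.",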
- "type" : null,
- "expression" : "HostInfo and InstalledUpdates where InstalledUpdates install_date after \"2015-10-01\"",
- "temporal" : false,
- "invalid" : false,
- "aggregated" : true,
- "projections" : [ {
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8ec5",
- "name" : "HostInfo",
- "description" : "Shows Hostname, 1st IP Address, OS version and Connection Status",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e14",
- "name" : "Bash Script",
- "description" : "Executes Bash script on target client",
- "module" : "SystemRuntime",
- "function" : "executeBash",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "#!/bin/bash\n# Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\n#\n# Purpose: Shows information about host\n#\n# Version: 1\n\ngetOsRelease() {\n if [[ -x /usr/bin/lsb_release ]]; then\n lsb_release -sd\n elif [[ -r /etc/system-release ]]; then\n cat /etc/system-release\n else\n echo -e \"Unknown\"\n fi\n}\n\ngetHostName() {\n hostname -s\n}\n\ngetInterfacesInfoCommand() {\n current_os=$(getOsRelease)\n if [[ $current_os == \"Red Hat\"*\"7.\"* ]]; then\n echo -e \"ip addr show\"\n else\n echo -e \"ifconfig\"\n fi\n}\n\ngetInterfacesDir() {\n echo -e \"/sys/class/net\"\n}\n\nisInterfacePhysical() {\n interface_path=\"$1\"\n if [ -z \"$interface_path\" ]; then\n return 1\n fi\n\n real_location=$(readlink \"$interface_path\")\n if [[ \"$real_location\" =~ \"virtual\" ]]; then\n return 1\n else\n return 0\n fi\n}\n\nparsePrimaryIPInterface() {\n interface_name=\"$1\"\n if [ -z \"$interface_name\" ]; then\n return 1\n fi\n cmd=$(getInterfacesInfoCommand)\n eval \"$cmd $interface_name\" | grep -oE \"\\b([0-9]{1,3}\\.){3}[0-9]{1,3}\\b\" | grep -vE \"^2[2-5]\" | head -n 1\n}\n\ngetPrimaryIPHost() {\n interfaces_dir=$(getInterfacesDir)\n physical_interfaces=()\n\n shopt -s nullglob\n for interface in \"$interfaces_dir\"/*; do\n if isInterfacePhysical \"$interface\"; then\n current_interface=$(basename \"$interface\")\n physical_interfaces+=(\"$current_interface\")\n fi\n done\n shopt -u nullglob\n\n i=0\n for interface in \"${physical_interfaces[@]}\"; do\n ips[$i]=$(parsePrimaryIPInterface \"$interface\")\n ((i++))\n done\n\n if [ \"${#ips[@]}\" -ge 1 ]; then\n echo -e \"${ips[0]}\"\n fi\n}\n\n\ngetConnectionStatus() {\n echo \"Online\"\n}\n\ngetPlatform() {\n echo \"Linux\"\n}\n\nprocessHostInfo() {\n name=$(getHostName)\n os=$(getOsRelease)\n ipaddress=$(getPrimaryIPHost)\n connection_status=$(getConnectionStatus)\n platform=$(getPlatform)\n\n echo -e 
\"\\\"$name\\\",\\\"$ipaddress\\\",\\\"$os\\\",\\\"$connection_status\\\",\\\"$platform\\\"\"\n}\n\nmain() {\n if [ \"$1\" == \"--no-exec\" ]; then\n return 0\n fi\n\n processHostInfo\n}\n\nmain \"$@\"\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e12",
- "name" : "Visual Basic Script",
- "description" : "Executes VBS script on target client",
- "module" : "SystemRuntime",
- "function" : "executeVBS",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "' Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\r\n\r\nstrComputer = \".\"\r\nFirstIP=\"\"\r\nCurrentMac=\"\"\r\nConnectionStatus = \"\"\r\nSet objWMIService=GetObject(\"winmgmts:\" & \"{impersonationLevel=impersonate}!\\\\\" & strComputer & \"\\root\\cimv2\")\r\n\r\nSet NetAdapters = objWMIService.ExecQuery(\"Select * From Win32_NetworkAdapter Where NOT PNPDeviceID LIKE 'ROOT\\\\%'\")\r\nFor Each NetAdapter in NetAdapters\r\n CurrentMac = NetAdapter.MACAddress\r\n Set IPConfigSet = objWMIService.ExecQuery(\"Select * from Win32_NetworkAdapterConfiguration Where IPEnabled=TRUE AND MacAddress = '\" & CurrentMac & \"'\")\r\n For Each IPConfig in IPConfigSet\r\n If Not IsNull(IPConfig.IPAddress) Then\r\n For i=LBound(IPConfig.IPAddress) to UBound(IPConfig.IPAddress)\r\n FirstIP=IPConfig.IPAddress(i)\r\n Exit For\r\n Next\r\n End If\r\n Next\r\nNext\r\n\r\nSet objNet = CreateObject(\"WScript.Network\")\r\nstrCompName = objNet.ComputerName\r\n\r\nSet shell = CreateObject(\"WScript.Shell\")\r\nSet getOSVersion = shell.exec(\"%comspec% /D /c ver\")\r\ngetOSVersion.stdout.readLine\r\nversion = getOSVersion.stdout.readLine\r\n\r\nFunction Registry_Read(Key_Path, Key_Name)\r\n On Error Resume Next\r\n Set Registry = CreateObject(\"WScript.Shell\")\r\n Registry_Read = Registry.RegRead(Key_Path & \"\\\" & Key_Name)\r\nEnd Function\r\n\r\nSet shell_arch = CreateObject(\"WScript.Shell\")\r\nIf shell_arch.ExpandEnvironmentStrings(\"%PROCESSOR_ARCHITECTURE%\") = \"AMD64\" then\r\n ConnectionStatus = Registry_Read(\"HKLM\\SOFTWARE\\WOW6432Node\\Network Associates\\ePolicy Orchestrator\\Application Plugins\\MAR_____1000\",\"connection_status\")\r\nElse\r\n ConnectionStatus = Registry_Read(\"HKLM\\SOFTWARE\\Network Associates\\ePolicy Orchestrator\\Application Plugins\\MAR_____1000\",\"connection_status\")\r\nEnd If\r\n\r\nIf ConnectionStatus = \"false\" then\r\n ConnectionStatus = 
\"Quarantined\"\r\nElse\r\n ConnectionStatus = \"Online\"\r\nEnd If\r\n\r\nplatform = \"Windows\"\r\n\r\nWScript.Echo strCompName & \",\" & FirstIP & \",\" & version & \",\" & ConnectionStatus & \",\" & platform\r\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45cae4b0401274ab7183",
- "name" : "HostInfo SysInfo",
- "description" : "Shows Hostname, 1st IP Address and OS version",
- "module" : "SysInfo",
- "function" : "HostInfo",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8ec2",
- "name" : "hostname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8ec3",
- "name" : "ip_address",
- "type" : "IPV4IPV6",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8ec4",
- "name" : "os",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6346",
- "name" : "connection_status",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 4
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6347",
- "name" : "platform",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 5
- } ]
- },
- "sequence" : "1",
- "output" : [ ]
- }, {
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8eca",
- "name" : "InstalledUpdates",
- "description" : "Shows all installed updates, hot fixes and security updates",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45cae4b0401274ab7187",
- "name" : "Updates SysInfo",
- "description" : "List of installed updates",
- "module" : "SysInfo",
- "function" : "SoftwareUpdate",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e51",
- "name" : "NotAvailable",
- "description" : "Capability not available",
- "module" : "Internal",
- "function" : "GetFalseResult",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- } ],
- "platformSettings" : [ ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ ]
- },
- "content" : null,
- "arguments" : null,
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e61",
- "name" : "Execute PowerShell Script",
- "description" : "Runs Windows PowerShell Scripts",
- "module" : "SystemRuntime",
- "function" : "executePS",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "# Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\r\n#\r\n# Purpose: Shows all installed updates, hot fixes and security updates\r\n#\r\n# Version: 1.0\r\n$OutputEncoding = New-Object -typename System.Text.UTF8Encoding\r\n$pshost = get-host\r\n$pswindow = $pshost.ui.rawui\r\n$newsize = $pswindow.buffersize\r\n$newsize.height = 3000\r\n$newsize.width = 3000\r\n$pswindow.buffersize = $newsize\r\n\r\n\r\n$objQuickFixes = Get-WmiObject Win32_QuickFixEngineering;\r\nforeach ($objQuickFix in $objQuickFixes){\r\n $date = \"\";\r\n if($objQuickFix.InstalledOn){\r\n $date = $objQuickFix.InstalledOn.ToString(\"yyyy-MM-dd HH:mm:ss\")\r\n }\r\n Write-Output ($objQuickFix.Description + \",\" +$objQuickFix.HotFixID + \",\" + $date + \",\" + ($objQuickFix.InstalledBy -replace '\\\\','/') + \",,\")\r\n}\r\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8ec6",
- "name" : "description",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8ec7",
- "name" : "hotfix_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8ec8",
- "name" : "install_date",
- "type" : "DATE",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8ec9",
- "name" : "installed_by",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 4
- }, {
- "id" : "5a1a45cbe4b0401274ab7193",
- "name" : "source",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 998
- }, {
- "id" : "5a1a45cbe4b0401274ab7194",
- "name" : "version",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 999
- } ]
- },
- "sequence" : "2",
- "output" : [ ]
- } ],
- "disjunction" : {
- "conjunctions" : [ {
- "terms" : [ {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8ec8",
- "name" : "install_date",
- "type" : "DATE",
- "byDefault" : false,
- "sequence" : 3
- },
- "operator" : "AFTER",
- "value" : "2015-10-01 00:00:00",
- "negated" : false,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8eca",
- "name" : "InstalledUpdates",
- "description" : "Shows all installed updates, hot fixes and security updates",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45cae4b0401274ab7187",
- "name" : "Updates SysInfo",
- "description" : "List of installed updates",
- "module" : "SysInfo",
- "function" : "SoftwareUpdate",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e51",
- "name" : "NotAvailable",
- "description" : "Capability not available",
- "module" : "Internal",
- "function" : "GetFalseResult",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- } ],
- "platformSettings" : [ ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ ]
- },
- "content" : null,
- "arguments" : null,
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e61",
- "name" : "Execute PowerShell Script",
- "description" : "Runs Windows PowerShell Scripts",
- "module" : "SystemRuntime",
- "function" : "executePS",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "# Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\r\n#\r\n# Purpose: Shows all installed updates, hot fixes and security updates\r\n#\r\n# Version: 1.0\r\n$OutputEncoding = New-Object -typename System.Text.UTF8Encoding\r\n$pshost = get-host\r\n$pswindow = $pshost.ui.rawui\r\n$newsize = $pswindow.buffersize\r\n$newsize.height = 3000\r\n$newsize.width = 3000\r\n$pswindow.buffersize = $newsize\r\n\r\n\r\n$objQuickFixes = Get-WmiObject Win32_QuickFixEngineering;\r\nforeach ($objQuickFix in $objQuickFixes){\r\n $date = \"\";\r\n if($objQuickFix.InstalledOn){\r\n $date = $objQuickFix.InstalledOn.ToString(\"yyyy-MM-dd HH:mm:ss\")\r\n }\r\n Write-Output ($objQuickFix.Description + \",\" +$objQuickFix.HotFixID + \",\" + $date + \",\" + ($objQuickFix.InstalledBy -replace '\\\\','/') + \",,\")\r\n}\r\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8ec6",
- "name" : "description",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8ec7",
- "name" : "hotfix_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8ec8",
- "name" : "install_date",
- "type" : "DATE",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8ec9",
- "name" : "installed_by",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 4
- }, {
- "id" : "5a1a45cbe4b0401274ab7193",
- "name" : "source",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 998
- }, {
- "id" : "5a1a45cbe4b0401274ab7194",
- "name" : "version",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 999
- } ]
- }
- } ]
- } ]
- },
- "running" : false,
- "createdAt" : 1530900630230,
- "executedAt" : null,
- "status" : "CREATED",
- "ttl" : 60000,
- "startTime" : null,
- "endpointPermission" : null,
- "maGuidsTarget" : null,
- "expectedHostResponses" : 0
- },
- "type" : "com.intel.mar.model.search.Search"
- }, {
- "item" : {
- "catalogVersion" : 1,
- "dbVersion" : 2,
- "id" : "5b3fb096e4b0cbe06dd67314",
- "name" : "COMPLIANCE - Systems not protected from heartbleed",
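- "description" : "List of systems that do not report Microsoft hotfix KB2992611 as installed. Note: KB2992611 is a Microsoft Schannel security update; it does not address the OpenSSL Heartbleed bug named in the title.",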
- "type" : null,
- "expression" : "HostInfo where InstalledUpdates hotfix_id not contains \"2992611\"",
- "temporal" : false,
- "invalid" : false,
- "aggregated" : true,
- "projections" : [ {
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8ec5",
- "name" : "HostInfo",
- "description" : "Shows Hostname, 1st IP Address, OS version and Connection Status",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e14",
- "name" : "Bash Script",
- "description" : "Executes Bash script on target client",
- "module" : "SystemRuntime",
- "function" : "executeBash",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "#!/bin/bash\n# Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\n#\n# Purpose: Shows information about host\n#\n# Version: 1\n\ngetOsRelease() {\n if [[ -x /usr/bin/lsb_release ]]; then\n lsb_release -sd\n elif [[ -r /etc/system-release ]]; then\n cat /etc/system-release\n else\n echo -e \"Unknown\"\n fi\n}\n\ngetHostName() {\n hostname -s\n}\n\ngetInterfacesInfoCommand() {\n current_os=$(getOsRelease)\n if [[ $current_os == \"Red Hat\"*\"7.\"* ]]; then\n echo -e \"ip addr show\"\n else\n echo -e \"ifconfig\"\n fi\n}\n\ngetInterfacesDir() {\n echo -e \"/sys/class/net\"\n}\n\nisInterfacePhysical() {\n interface_path=\"$1\"\n if [ -z \"$interface_path\" ]; then\n return 1\n fi\n\n real_location=$(readlink \"$interface_path\")\n if [[ \"$real_location\" =~ \"virtual\" ]]; then\n return 1\n else\n return 0\n fi\n}\n\nparsePrimaryIPInterface() {\n interface_name=\"$1\"\n if [ -z \"$interface_name\" ]; then\n return 1\n fi\n cmd=$(getInterfacesInfoCommand)\n eval \"$cmd $interface_name\" | grep -oE \"\\b([0-9]{1,3}\\.){3}[0-9]{1,3}\\b\" | grep -vE \"^2[2-5]\" | head -n 1\n}\n\ngetPrimaryIPHost() {\n interfaces_dir=$(getInterfacesDir)\n physical_interfaces=()\n\n shopt -s nullglob\n for interface in \"$interfaces_dir\"/*; do\n if isInterfacePhysical \"$interface\"; then\n current_interface=$(basename \"$interface\")\n physical_interfaces+=(\"$current_interface\")\n fi\n done\n shopt -u nullglob\n\n i=0\n for interface in \"${physical_interfaces[@]}\"; do\n ips[$i]=$(parsePrimaryIPInterface \"$interface\")\n ((i++))\n done\n\n if [ \"${#ips[@]}\" -ge 1 ]; then\n echo -e \"${ips[0]}\"\n fi\n}\n\n\ngetConnectionStatus() {\n echo \"Online\"\n}\n\ngetPlatform() {\n echo \"Linux\"\n}\n\nprocessHostInfo() {\n name=$(getHostName)\n os=$(getOsRelease)\n ipaddress=$(getPrimaryIPHost)\n connection_status=$(getConnectionStatus)\n platform=$(getPlatform)\n\n echo -e 
\"\\\"$name\\\",\\\"$ipaddress\\\",\\\"$os\\\",\\\"$connection_status\\\",\\\"$platform\\\"\"\n}\n\nmain() {\n if [ \"$1\" == \"--no-exec\" ]; then\n return 0\n fi\n\n processHostInfo\n}\n\nmain \"$@\"\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e12",
- "name" : "Visual Basic Script",
- "description" : "Executes VBS script on target client",
- "module" : "SystemRuntime",
- "function" : "executeVBS",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "' Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\r\n\r\nstrComputer = \".\"\r\nFirstIP=\"\"\r\nCurrentMac=\"\"\r\nConnectionStatus = \"\"\r\nSet objWMIService=GetObject(\"winmgmts:\" & \"{impersonationLevel=impersonate}!\\\\\" & strComputer & \"\\root\\cimv2\")\r\n\r\nSet NetAdapters = objWMIService.ExecQuery(\"Select * From Win32_NetworkAdapter Where NOT PNPDeviceID LIKE 'ROOT\\\\%'\")\r\nFor Each NetAdapter in NetAdapters\r\n CurrentMac = NetAdapter.MACAddress\r\n Set IPConfigSet = objWMIService.ExecQuery(\"Select * from Win32_NetworkAdapterConfiguration Where IPEnabled=TRUE AND MacAddress = '\" & CurrentMac & \"'\")\r\n For Each IPConfig in IPConfigSet\r\n If Not IsNull(IPConfig.IPAddress) Then\r\n For i=LBound(IPConfig.IPAddress) to UBound(IPConfig.IPAddress)\r\n FirstIP=IPConfig.IPAddress(i)\r\n Exit For\r\n Next\r\n End If\r\n Next\r\nNext\r\n\r\nSet objNet = CreateObject(\"WScript.Network\")\r\nstrCompName = objNet.ComputerName\r\n\r\nSet shell = CreateObject(\"WScript.Shell\")\r\nSet getOSVersion = shell.exec(\"%comspec% /D /c ver\")\r\ngetOSVersion.stdout.readLine\r\nversion = getOSVersion.stdout.readLine\r\n\r\nFunction Registry_Read(Key_Path, Key_Name)\r\n On Error Resume Next\r\n Set Registry = CreateObject(\"WScript.Shell\")\r\n Registry_Read = Registry.RegRead(Key_Path & \"\\\" & Key_Name)\r\nEnd Function\r\n\r\nSet shell_arch = CreateObject(\"WScript.Shell\")\r\nIf shell_arch.ExpandEnvironmentStrings(\"%PROCESSOR_ARCHITECTURE%\") = \"AMD64\" then\r\n ConnectionStatus = Registry_Read(\"HKLM\\SOFTWARE\\WOW6432Node\\Network Associates\\ePolicy Orchestrator\\Application Plugins\\MAR_____1000\",\"connection_status\")\r\nElse\r\n ConnectionStatus = Registry_Read(\"HKLM\\SOFTWARE\\Network Associates\\ePolicy Orchestrator\\Application Plugins\\MAR_____1000\",\"connection_status\")\r\nEnd If\r\n\r\nIf ConnectionStatus = \"false\" then\r\n ConnectionStatus = 
\"Quarantined\"\r\nElse\r\n ConnectionStatus = \"Online\"\r\nEnd If\r\n\r\nplatform = \"Windows\"\r\n\r\nWScript.Echo strCompName & \",\" & FirstIP & \",\" & version & \",\" & ConnectionStatus & \",\" & platform\r\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45cae4b0401274ab7183",
- "name" : "HostInfo SysInfo",
- "description" : "Shows Hostname, 1st IP Address and OS version",
- "module" : "SysInfo",
- "function" : "HostInfo",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8ec2",
- "name" : "hostname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8ec3",
- "name" : "ip_address",
- "type" : "IPV4IPV6",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8ec4",
- "name" : "os",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6346",
- "name" : "connection_status",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 4
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6347",
- "name" : "platform",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 5
- } ]
- },
- "sequence" : "1",
- "output" : [ ]
- } ],
- "disjunction" : {
- "conjunctions" : [ {
- "terms" : [ {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8ec7",
- "name" : "hotfix_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 2
- },
- "operator" : "CONTAINS",
- "value" : "2992611",
- "negated" : true,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8eca",
- "name" : "InstalledUpdates",
- "description" : "Shows all installed updates, hot fixes and security updates",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45cae4b0401274ab7187",
- "name" : "Updates SysInfo",
- "description" : "List of installed updates",
- "module" : "SysInfo",
- "function" : "SoftwareUpdate",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e51",
- "name" : "NotAvailable",
- "description" : "Capability not available",
- "module" : "Internal",
- "function" : "GetFalseResult",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- } ],
- "platformSettings" : [ ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ ]
- },
- "content" : null,
- "arguments" : null,
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e61",
- "name" : "Execute PowerShell Script",
- "description" : "Runs Windows PowerShell Scripts",
- "module" : "SystemRuntime",
- "function" : "executePS",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "# Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\r\n#\r\n# Purpose: Shows all installed updates, hot fixes and security updates\r\n#\r\n# Version: 1.0\r\n$OutputEncoding = New-Object -typename System.Text.UTF8Encoding\r\n$pshost = get-host\r\n$pswindow = $pshost.ui.rawui\r\n$newsize = $pswindow.buffersize\r\n$newsize.height = 3000\r\n$newsize.width = 3000\r\n$pswindow.buffersize = $newsize\r\n\r\n\r\n$objQuickFixes = Get-WmiObject Win32_QuickFixEngineering;\r\nforeach ($objQuickFix in $objQuickFixes){\r\n $date = \"\";\r\n if($objQuickFix.InstalledOn){\r\n $date = $objQuickFix.InstalledOn.ToString(\"yyyy-MM-dd HH:mm:ss\")\r\n }\r\n Write-Output ($objQuickFix.Description + \",\" +$objQuickFix.HotFixID + \",\" + $date + \",\" + ($objQuickFix.InstalledBy -replace '\\\\','/') + \",,\")\r\n}\r\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8ec6",
- "name" : "description",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8ec7",
- "name" : "hotfix_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8ec8",
- "name" : "install_date",
- "type" : "DATE",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8ec9",
- "name" : "installed_by",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 4
- }, {
- "id" : "5a1a45cbe4b0401274ab7193",
- "name" : "source",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 998
- }, {
- "id" : "5a1a45cbe4b0401274ab7194",
- "name" : "version",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 999
- } ]
- }
- } ]
- } ]
- },
- "running" : false,
- "createdAt" : 1530900630237,
- "executedAt" : null,
- "status" : "CREATED",
- "ttl" : 60000,
- "startTime" : null,
- "endpointPermission" : null,
- "maGuidsTarget" : null,
- "expectedHostResponses" : 0
- },
- "type" : "com.intel.mar.model.search.Search"
- }, {
- "item" : {
- "catalogVersion" : 1,
- "dbVersion" : 2,
- "id" : "5b3fb096e4b0cbe06dd67315",
- "name" : "Expiring Certificates",
- "description" : "",
- "type" : null,
- "expression" : null,
- "temporal" : false,
- "invalid" : false,
- "aggregated" : false,
- "projections" : [ {
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8ec5",
- "name" : "HostInfo",
- "description" : "Shows Hostname, 1st IP Address, OS version and Connection Status",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e14",
- "name" : "Bash Script",
- "description" : "Executes Bash script on target client",
- "module" : "SystemRuntime",
- "function" : "executeBash",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "#!/bin/bash\n# Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\n#\n# Purpose: Shows information about host\n#\n# Version: 1\n\ngetOsRelease() {\n if [[ -x /usr/bin/lsb_release ]]; then\n lsb_release -sd\n elif [[ -r /etc/system-release ]]; then\n cat /etc/system-release\n else\n echo -e \"Unknown\"\n fi\n}\n\ngetHostName() {\n hostname -s\n}\n\ngetInterfacesInfoCommand() {\n current_os=$(getOsRelease)\n if [[ $current_os == \"Red Hat\"*\"7.\"* ]]; then\n echo -e \"ip addr show\"\n else\n echo -e \"ifconfig\"\n fi\n}\n\ngetInterfacesDir() {\n echo -e \"/sys/class/net\"\n}\n\nisInterfacePhysical() {\n interface_path=\"$1\"\n if [ -z \"$interface_path\" ]; then\n return 1\n fi\n\n real_location=$(readlink \"$interface_path\")\n if [[ \"$real_location\" =~ \"virtual\" ]]; then\n return 1\n else\n return 0\n fi\n}\n\nparsePrimaryIPInterface() {\n interface_name=\"$1\"\n if [ -z \"$interface_name\" ]; then\n return 1\n fi\n cmd=$(getInterfacesInfoCommand)\n eval \"$cmd $interface_name\" | grep -oE \"\\b([0-9]{1,3}\\.){3}[0-9]{1,3}\\b\" | grep -vE \"^2[2-5]\" | head -n 1\n}\n\ngetPrimaryIPHost() {\n interfaces_dir=$(getInterfacesDir)\n physical_interfaces=()\n\n shopt -s nullglob\n for interface in \"$interfaces_dir\"/*; do\n if isInterfacePhysical \"$interface\"; then\n current_interface=$(basename \"$interface\")\n physical_interfaces+=(\"$current_interface\")\n fi\n done\n shopt -u nullglob\n\n i=0\n for interface in \"${physical_interfaces[@]}\"; do\n ips[$i]=$(parsePrimaryIPInterface \"$interface\")\n ((i++))\n done\n\n if [ \"${#ips[@]}\" -ge 1 ]; then\n echo -e \"${ips[0]}\"\n fi\n}\n\n\ngetConnectionStatus() {\n echo \"Online\"\n}\n\ngetPlatform() {\n echo \"Linux\"\n}\n\nprocessHostInfo() {\n name=$(getHostName)\n os=$(getOsRelease)\n ipaddress=$(getPrimaryIPHost)\n connection_status=$(getConnectionStatus)\n platform=$(getPlatform)\n\n echo -e 
\"\\\"$name\\\",\\\"$ipaddress\\\",\\\"$os\\\",\\\"$connection_status\\\",\\\"$platform\\\"\"\n}\n\nmain() {\n if [ \"$1\" == \"--no-exec\" ]; then\n return 0\n fi\n\n processHostInfo\n}\n\nmain \"$@\"\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e12",
- "name" : "Visual Basic Script",
- "description" : "Executes VBS script on target client",
- "module" : "SystemRuntime",
- "function" : "executeVBS",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "' Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\r\n\r\nstrComputer = \".\"\r\nFirstIP=\"\"\r\nCurrentMac=\"\"\r\nConnectionStatus = \"\"\r\nSet objWMIService=GetObject(\"winmgmts:\" & \"{impersonationLevel=impersonate}!\\\\\" & strComputer & \"\\root\\cimv2\")\r\n\r\nSet NetAdapters = objWMIService.ExecQuery(\"Select * From Win32_NetworkAdapter Where NOT PNPDeviceID LIKE 'ROOT\\\\%'\")\r\nFor Each NetAdapter in NetAdapters\r\n CurrentMac = NetAdapter.MACAddress\r\n Set IPConfigSet = objWMIService.ExecQuery(\"Select * from Win32_NetworkAdapterConfiguration Where IPEnabled=TRUE AND MacAddress = '\" & CurrentMac & \"'\")\r\n For Each IPConfig in IPConfigSet\r\n If Not IsNull(IPConfig.IPAddress) Then\r\n For i=LBound(IPConfig.IPAddress) to UBound(IPConfig.IPAddress)\r\n FirstIP=IPConfig.IPAddress(i)\r\n Exit For\r\n Next\r\n End If\r\n Next\r\nNext\r\n\r\nSet objNet = CreateObject(\"WScript.Network\")\r\nstrCompName = objNet.ComputerName\r\n\r\nSet shell = CreateObject(\"WScript.Shell\")\r\nSet getOSVersion = shell.exec(\"%comspec% /D /c ver\")\r\ngetOSVersion.stdout.readLine\r\nversion = getOSVersion.stdout.readLine\r\n\r\nFunction Registry_Read(Key_Path, Key_Name)\r\n On Error Resume Next\r\n Set Registry = CreateObject(\"WScript.Shell\")\r\n Registry_Read = Registry.RegRead(Key_Path & \"\\\" & Key_Name)\r\nEnd Function\r\n\r\nSet shell_arch = CreateObject(\"WScript.Shell\")\r\nIf shell_arch.ExpandEnvironmentStrings(\"%PROCESSOR_ARCHITECTURE%\") = \"AMD64\" then\r\n ConnectionStatus = Registry_Read(\"HKLM\\SOFTWARE\\WOW6432Node\\Network Associates\\ePolicy Orchestrator\\Application Plugins\\MAR_____1000\",\"connection_status\")\r\nElse\r\n ConnectionStatus = Registry_Read(\"HKLM\\SOFTWARE\\Network Associates\\ePolicy Orchestrator\\Application Plugins\\MAR_____1000\",\"connection_status\")\r\nEnd If\r\n\r\nIf ConnectionStatus = \"false\" then\r\n ConnectionStatus = 
\"Quarantined\"\r\nElse\r\n ConnectionStatus = \"Online\"\r\nEnd If\r\n\r\nplatform = \"Windows\"\r\n\r\nWScript.Echo strCompName & \",\" & FirstIP & \",\" & version & \",\" & ConnectionStatus & \",\" & platform\r\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45cae4b0401274ab7183",
- "name" : "HostInfo SysInfo",
- "description" : "Shows Hostname, 1st IP Address and OS version",
- "module" : "SysInfo",
- "function" : "HostInfo",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8ec2",
- "name" : "hostname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8ec3",
- "name" : "ip_address",
- "type" : "IPV4IPV6",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8ec4",
- "name" : "os",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6346",
- "name" : "connection_status",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 4
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6347",
- "name" : "platform",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 5
- } ]
- },
- "sequence" : "1",
- "output" : [ {
- "id" : "58efec8ee4b0c390d69a8ec2",
- "name" : "hostname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1
- } ]
- }, {
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8fe4b0c390d69a8f19",
- "name" : "InstalledCertificates",
- "description" : "Shows a list of installed certificates on Windows and Linux endpoints. Details the issuer, expiration date and purposes of the certificates.",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e61",
- "name" : "Execute PowerShell Script",
- "description" : "Runs Windows PowerShell Scripts",
- "module" : "SystemRuntime",
- "function" : "executePS",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "# Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\r\n#\r\n# Purpose: Shows a list of installed certificates on Windows and Linux endpoints. Details the issuer, expiration date and purposes of the certificates.\r\n#\r\n# Version: 1.0\r\n\r\n$pshost = get-host\r\n$pswindow = $pshost.ui.rawui\r\n$newsize = $pswindow.buffersize\r\n$newsize.height = 5000\r\n$newsize.width = 5000\r\n$pswindow.buffersize = $newsize\r\n\r\n$OutputEncoding = New-Object -typename System.Text.UTF8Encoding\r\n\r\nFunction ParseIntendedPurposes ($ip){\r\n $fields = $ip | ForEach-Object {$_.FriendlyName}\r\n $res = \"\"\r\n if($fields.Count -eq 1) {\r\n $res = [string]$fields\r\n } else {\r\n for($i=0; $i -lt $fields.Count; $i++) {\r\n $res += [string]$fields[$i]\r\n if($i+1 -lt $fields.Count){ $res += \" , \" }\r\n }\r\n }\r\n return $res\r\n}\r\n\r\n$result = @()\r\nforeach( $cert in Get-ChildItem -Recurse Cert:) {\r\n\r\n Try {\r\n $issued_to = ([string]$cert.Subject) -replace \"\\\\\",\"\\\\\";\r\n $issued_to = ([string]$issued_to) -replace \"`\"\",\"`\\`\"\";\r\n } Catch {\r\n $issued_to = \"\";\r\n }\r\n Try {\r\n $issued_by = ([string]$cert.Issuer) -replace \"\\\\\",\"\\\\\";\r\n $issued_by = ([string]$issued_by) -replace \"`\"\",\"`\\`\"\";\r\n } Catch {\r\n $issued_by = \"\";\r\n }\r\n Try {\r\n $expiration_date = [string]$cert.NotAfter.Year + \"-\" + [string]$cert.NotAfter.Month + \"-\" + [string]$cert.NotAfter.Day + \" \" + [string]$cert.NotAfter.Hour + \":\" + [string]$cert.NotAfter.Minute + \":\" + [string]$cert.NotAfter.Second;\r\n } Catch {\r\n $expiration_date = \"-- ::\";\r\n }\r\n Try {\r\n $key_usages = \"\";\r\n foreach( $ext in $cert.Extensions) {\r\n foreach( $eku in $ext.KeyUsages) {\r\n $key_usages += [string]$eku;\r\n }\r\n }\r\n } Catch {\r\n $key_usages = \"\";\r\n }\r\n Try {\r\n $enhanced_key_usages = ParseIntendedPurposes(($cert | Select-Object 
EnhancedKeyUsageList).EnhancedKeyUsageList);\r\n } Catch {\r\n $enhanced_key_usages = \"\";\r\n }\r\n Try {\r\n $friendly_name = ([string]$cert.FriendlyName);\r\n } Catch {\r\n $friendly_name = \"\";\r\n }\r\n\r\n if(!(([string]$issued_to -eq \"\") -and ([string]$issued_by -eq \"\") -and ([string]$expiration_date -eq \"-- ::\") -and ([string]$key_usages -eq \"\") -and ([string]$enhanced_key_usages -eq \"\") -and ([string]$friendly_name -eq \"\"))) {\r\n $result += \"`\"\" + $issued_to + \"`\",`\"\" + $issued_by + \"`\",`\"\" + $expiration_date + \"`\",`\"\" + $key_usages + \"`\",`\"\" + $enhanced_key_usages + \"`\",`\"\" + $friendly_name + \"`\"\";\r\n }\r\n}\r\n\r\nfor($i=0; $i -lt $result.Count; $i++) {\r\n Write-Output $result[$i];\r\n}\r\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e14",
- "name" : "Bash Script",
- "description" : "Executes Bash script on target client",
- "module" : "SystemRuntime",
- "function" : "executeBash",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "#!/bin/bash\n# Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\n#\n# Purpose: Shows a list of installed certificates on Windows, Linux and Mac endpoints. Details the issuer, expiration date and purposes of the certificates.\n#\n# Version: 1.0\n\nfunction escapeSpecialCharacters(){\n read -r arg\n local str=\"$arg\"\n str=${str//\\\\/\\\\\\\\}\n str=${str//\\\"/\\\\\\\"}\n echo \"$str\"\n}\n\nfunction add_certificates_to_array {\n while read -r line; do\n certificates_array[$index_certificates]=\"${certificates_array[$index_certificates]}\\n$line\"\n if [[ $line =~ \"END CERTIFICATE\" ]]; then\n ((index_certificates++))\n fi\n done <<< \"$1\"\n}\n\nfunction add_user_keychains {\n _RAWDB=$(dscl . -readall /Users 'NFSHomeDirectory' | sed 's/^RecordName://g' | sed '/^$/d')\n oldIFS=\"$IFS\"\n IFS='-'\n _ARRAYRAWDB=( $_RAWDB )\n IFS=\"$oldIFS\"\n\n for (( i=0; i<${#_ARRAYRAWDB[*]}; i=i+1 ))\n do\n _ARRAYRAWDB[i]=${_ARRAYRAWDB[i]//NFSHomeDirectory: /}\n IFS=$'\\n'\n userInfo=( ${_ARRAYRAWDB[i]} )\n IFS=\"$oldIFS\"\n loginKeychain=\"${userInfo[0]}/Library/Keychains/login.keychain\"\n if [ -r \"$loginKeychain\" ]\n then\n keychainFiles[$index_user_keychains]=\"$loginKeychain\"\n ((index_user_keychains++))\n fi\n done\n}\n\n\nkeychainFiles=()\nindex_user_keychains=0\nadd_user_keychains\nkeychainFiles+=(\"/System/Library/Keychains/SystemCACertificates.keychain\")\nkeychainFiles+=(\"/Library/Keychains/System.keychain\")\nkeychainFiles+=(\"/System/Library/Keychains/SystemRootCertificates.keychain\")\n\nindex_certificates=0\ncertificates_array=()\nfor f in \"${keychainFiles[@]}\"\ndo\n add_certificates_to_array \"$(security find-certificate -p -a \"$f\")\"\ndone\n\nfor cert in \"${certificates_array[@]}\"\ndo\n plain_cert=$(echo -e \"$cert\" | openssl x509 -text -nameopt utf8,oneline,-esc_msb)\n issuer=$(echo -e \"$plain_cert\" | sed -n -Ee 's/.*Issuer: //p' | escapeSpecialCharacters)\n 
subject=$(echo -e \"$plain_cert\" | sed -n -Ee 's/.*Subject: //p' | escapeSpecialCharacters)\n exp_date=$(echo -e \"$plain_cert\" | sed -n -Ee 's/.*After : (.*)/\\\"\\1\\\"/p' | xargs date -j -f \"%b %d %T %Y %Z\" \"+%F %T\" | escapeSpecialCharacters)\n purposes=$(echo -e \"$plain_cert\" | grep -A1 \"X509v3 Key Usage:\" | perl -0777 -pe 's/\\s*X509v3 Key Usage:.*?\\n\\s*(.*?$).*/\\1\\n/ms' | escapeSpecialCharacters)\n echo -e \"\\\"$subject\\\",\\\"$issuer\\\",\\\"$exp_date\\\",\\\"$purposes\\\",\\\"\\\",\\\"\\\"\"\ndone\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e14",
- "name" : "Bash Script",
- "description" : "Executes Bash script on target client",
- "module" : "SystemRuntime",
- "function" : "executeBash",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "#!/bin/bash\n# Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\n#\n# Purpose: Shows a list of installed certificates on Windows, Linux and Mac endpoints. Details the issuer, expiration date and purposes of the certificates.\n\ngetCertificates() {\n openssl crl2pkcs7 -nocrl -certfile /etc/pki/tls/certs/ca-bundle.trust.crt -certfile /etc/pki/tls/certs/ca-bundle.crt | openssl pkcs7 -print_certs -text -noout\n}\n\n\nescapeSpecialCharacters() {\n read -r arg\n local str=\"$arg\"\n str=${str//\\\\/\\\\\\\\\\\\\\\\}\n str=${str//\\\"/\\\\\\\"}\n echo \"$str\"\n}\n\nparseDate() {\n unformatted_date=\"$1\"\n if [ -z \"$unformatted_date\" ]; then\n return 1\n else\n date \"+%F %T\" -d \"$unformatted_date\" 2>/dev/null\n fi\n}\n\nprintCert() {\n cert=\"$1\"\n if [ -z \"$cert\" ]; then\n return 1\n fi\n issuer=$(echo -e \"$cert\" | sed -n -Ee 's/.*Issuer: //p' | escapeSpecialCharacters)\n subject=$(echo -e \"$cert\" | sed -n -Ee 's/.*Subject: //p' | escapeSpecialCharacters)\n purposes=$(echo -e \"$cert\" | grep -A1 \"X509v3 Key Usage:\" | perl -0777 -pe 's/\\s*X509v3 Key Usage:.*?\\n\\s*(.*?$).*/\\1\\n/ms' | escapeSpecialCharacters)\n exp_date=$(echo -e \"$cert\" | sed -n -Ee 's/.*After : (.*)/\\1/p')\n exp_date_parsed=$(parseDate \"$exp_date\" | escapeSpecialCharacters)\n echo -e \"\\\"$subject\\\",\\\"$issuer\\\",\\\"$exp_date_parsed\\\",\\\"$purposes\\\",\\\"\\\",\\\"\\\"\"\n}\n\nprocessCertificates() {\n certs=$(getCertificates)\n if [ -z \"$certs\" ]; then\n return 0\n fi\n\n is_first_line=true\n current_cert=\"\"\n\n while read -r line; do\n if [[ $line =~ \"Certificate:\" && $is_first_line == false ]]; then\n printCert \"$current_cert\"\n current_cert=\"\"\n elif [[ $is_first_line == true ]]; then\n is_first_line=false\n fi\n current_cert=\"$current_cert\\n$line\"\n done <<< \"$certs\"\n\n printCert \"$current_cert\"\n}\n\nmain() {\n if [ \"$1\" == \"--no-exec\" ]; then\n return 0\n 
fi\n\n processCertificates\n\n}\n\nmain \"$@\"\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8f13",
- "name" : "issued_to",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8f14",
- "name" : "issued_by",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8f15",
- "name" : "expiration_date",
- "type" : "DATE",
- "byDefault" : true,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8f16",
- "name" : "purposes",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8f17",
- "name" : "purposes_extended",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8f18",
- "name" : "friendly_name",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 6
- } ]
- },
- "sequence" : "2",
- "output" : [ {
- "id" : "58efec8ee4b0c390d69a8f18",
- "name" : "friendly_name",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8f15",
- "name" : "expiration_date",
- "type" : "DATE",
- "byDefault" : true,
- "sequence" : 3
- } ]
- } ],
- "disjunction" : {
- "conjunctions" : [ {
- "terms" : [ {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8f15",
- "name" : "expiration_date",
- "type" : "DATE",
- "byDefault" : true,
- "sequence" : 3
- },
- "operator" : "AFTER",
- "value" : "2017-08-01 05:00:00",
- "negated" : true,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8fe4b0c390d69a8f19",
- "name" : "InstalledCertificates",
- "description" : "Shows a list of installed certificates on Windows and Linux endpoints. Details the issuer, expiration date and purposes of the certificates.",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e61",
- "name" : "Execute PowerShell Script",
- "description" : "Runs Windows PowerShell Scripts",
- "module" : "SystemRuntime",
- "function" : "executePS",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "# Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\r\n#\r\n# Purpose: Shows a list of installed certificates on Windows and Linux endpoints. Details the issuer, expiration date and purposes of the certificates.\r\n#\r\n# Version: 1.0\r\n\r\n$pshost = get-host\r\n$pswindow = $pshost.ui.rawui\r\n$newsize = $pswindow.buffersize\r\n$newsize.height = 5000\r\n$newsize.width = 5000\r\n$pswindow.buffersize = $newsize\r\n\r\n$OutputEncoding = New-Object -typename System.Text.UTF8Encoding\r\n\r\nFunction ParseIntendedPurposes ($ip){\r\n $fields = $ip | ForEach-Object {$_.FriendlyName}\r\n $res = \"\"\r\n if($fields.Count -eq 1) {\r\n $res = [string]$fields\r\n } else {\r\n for($i=0; $i -lt $fields.Count; $i++) {\r\n $res += [string]$fields[$i]\r\n if($i+1 -lt $fields.Count){ $res += \" , \" }\r\n }\r\n }\r\n return $res\r\n}\r\n\r\n$result = @()\r\nforeach( $cert in Get-ChildItem -Recurse Cert:) {\r\n\r\n Try {\r\n $issued_to = ([string]$cert.Subject) -replace \"\\\\\",\"\\\\\";\r\n $issued_to = ([string]$issued_to) -replace \"`\"\",\"`\\`\"\";\r\n } Catch {\r\n $issued_to = \"\";\r\n }\r\n Try {\r\n $issued_by = ([string]$cert.Issuer) -replace \"\\\\\",\"\\\\\";\r\n $issued_by = ([string]$issued_by) -replace \"`\"\",\"`\\`\"\";\r\n } Catch {\r\n $issued_by = \"\";\r\n }\r\n Try {\r\n $expiration_date = [string]$cert.NotAfter.Year + \"-\" + [string]$cert.NotAfter.Month + \"-\" + [string]$cert.NotAfter.Day + \" \" + [string]$cert.NotAfter.Hour + \":\" + [string]$cert.NotAfter.Minute + \":\" + [string]$cert.NotAfter.Second;\r\n } Catch {\r\n $expiration_date = \"-- ::\";\r\n }\r\n Try {\r\n $key_usages = \"\";\r\n foreach( $ext in $cert.Extensions) {\r\n foreach( $eku in $ext.KeyUsages) {\r\n $key_usages += [string]$eku;\r\n }\r\n }\r\n } Catch {\r\n $key_usages = \"\";\r\n }\r\n Try {\r\n $enhanced_key_usages = ParseIntendedPurposes(($cert | Select-Object 
EnhancedKeyUsageList).EnhancedKeyUsageList);\r\n } Catch {\r\n $enhanced_key_usages = \"\";\r\n }\r\n Try {\r\n $friendly_name = ([string]$cert.FriendlyName);\r\n } Catch {\r\n $friendly_name = \"\";\r\n }\r\n\r\n if(!(([string]$issued_to -eq \"\") -and ([string]$issued_by -eq \"\") -and ([string]$expiration_date -eq \"-- ::\") -and ([string]$key_usages -eq \"\") -and ([string]$enhanced_key_usages -eq \"\") -and ([string]$friendly_name -eq \"\"))) {\r\n $result += \"`\"\" + $issued_to + \"`\",`\"\" + $issued_by + \"`\",`\"\" + $expiration_date + \"`\",`\"\" + $key_usages + \"`\",`\"\" + $enhanced_key_usages + \"`\",`\"\" + $friendly_name + \"`\"\";\r\n }\r\n}\r\n\r\nfor($i=0; $i -lt $result.Count; $i++) {\r\n Write-Output $result[$i];\r\n}\r\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e14",
- "name" : "Bash Script",
- "description" : "Executes Bash script on target client",
- "module" : "SystemRuntime",
- "function" : "executeBash",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "#!/bin/bash\n# Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\n#\n# Purpose: Shows a list of installed certificates on Windows, Linux and Mac endpoints. Details the issuer, expiration date and purposes of the certificates.\n#\n# Version: 1.0\n\nfunction escapeSpecialCharacters(){\n read -r arg\n local str=\"$arg\"\n str=${str//\\\\/\\\\\\\\}\n str=${str//\\\"/\\\\\\\"}\n echo \"$str\"\n}\n\nfunction add_certificates_to_array {\n while read -r line; do\n certificates_array[$index_certificates]=\"${certificates_array[$index_certificates]}\\n$line\"\n if [[ $line =~ \"END CERTIFICATE\" ]]; then\n ((index_certificates++))\n fi\n done <<< \"$1\"\n}\n\nfunction add_user_keychains {\n _RAWDB=$(dscl . -readall /Users 'NFSHomeDirectory' | sed 's/^RecordName://g' | sed '/^$/d')\n oldIFS=\"$IFS\"\n IFS='-'\n _ARRAYRAWDB=( $_RAWDB )\n IFS=\"$oldIFS\"\n\n for (( i=0; i<${#_ARRAYRAWDB[*]}; i=i+1 ))\n do\n _ARRAYRAWDB[i]=${_ARRAYRAWDB[i]//NFSHomeDirectory: /}\n IFS=$'\\n'\n userInfo=( ${_ARRAYRAWDB[i]} )\n IFS=\"$oldIFS\"\n loginKeychain=\"${userInfo[0]}/Library/Keychains/login.keychain\"\n if [ -r \"$loginKeychain\" ]\n then\n keychainFiles[$index_user_keychains]=\"$loginKeychain\"\n ((index_user_keychains++))\n fi\n done\n}\n\n\nkeychainFiles=()\nindex_user_keychains=0\nadd_user_keychains\nkeychainFiles+=(\"/System/Library/Keychains/SystemCACertificates.keychain\")\nkeychainFiles+=(\"/Library/Keychains/System.keychain\")\nkeychainFiles+=(\"/System/Library/Keychains/SystemRootCertificates.keychain\")\n\nindex_certificates=0\ncertificates_array=()\nfor f in \"${keychainFiles[@]}\"\ndo\n add_certificates_to_array \"$(security find-certificate -p -a \"$f\")\"\ndone\n\nfor cert in \"${certificates_array[@]}\"\ndo\n plain_cert=$(echo -e \"$cert\" | openssl x509 -text -nameopt utf8,oneline,-esc_msb)\n issuer=$(echo -e \"$plain_cert\" | sed -n -Ee 's/.*Issuer: //p' | escapeSpecialCharacters)\n 
subject=$(echo -e \"$plain_cert\" | sed -n -Ee 's/.*Subject: //p' | escapeSpecialCharacters)\n exp_date=$(echo -e \"$plain_cert\" | sed -n -Ee 's/.*After : (.*)/\\\"\\1\\\"/p' | xargs date -j -f \"%b %d %T %Y %Z\" \"+%F %T\" | escapeSpecialCharacters)\n purposes=$(echo -e \"$plain_cert\" | grep -A1 \"X509v3 Key Usage:\" | perl -0777 -pe 's/\\s*X509v3 Key Usage:.*?\\n\\s*(.*?$).*/\\1\\n/ms' | escapeSpecialCharacters)\n echo -e \"\\\"$subject\\\",\\\"$issuer\\\",\\\"$exp_date\\\",\\\"$purposes\\\",\\\"\\\",\\\"\\\"\"\ndone\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e14",
- "name" : "Bash Script",
- "description" : "Executes Bash script on target client",
- "module" : "SystemRuntime",
- "function" : "executeBash",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "#!/bin/bash\n# Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\n#\n# Purpose: Shows a list of installed certificates on Windows, Linux and Mac endpoints. Details the issuer, expiration date and purposes of the certificates.\n\ngetCertificates() {\n openssl crl2pkcs7 -nocrl -certfile /etc/pki/tls/certs/ca-bundle.trust.crt -certfile /etc/pki/tls/certs/ca-bundle.crt | openssl pkcs7 -print_certs -text -noout\n}\n\n\nescapeSpecialCharacters() {\n read -r arg\n local str=\"$arg\"\n str=${str//\\\\/\\\\\\\\\\\\\\\\}\n str=${str//\\\"/\\\\\\\"}\n echo \"$str\"\n}\n\nparseDate() {\n unformatted_date=\"$1\"\n if [ -z \"$unformatted_date\" ]; then\n return 1\n else\n date \"+%F %T\" -d \"$unformatted_date\" 2>/dev/null\n fi\n}\n\nprintCert() {\n cert=\"$1\"\n if [ -z \"$cert\" ]; then\n return 1\n fi\n issuer=$(echo -e \"$cert\" | sed -n -Ee 's/.*Issuer: //p' | escapeSpecialCharacters)\n subject=$(echo -e \"$cert\" | sed -n -Ee 's/.*Subject: //p' | escapeSpecialCharacters)\n purposes=$(echo -e \"$cert\" | grep -A1 \"X509v3 Key Usage:\" | perl -0777 -pe 's/\\s*X509v3 Key Usage:.*?\\n\\s*(.*?$).*/\\1\\n/ms' | escapeSpecialCharacters)\n exp_date=$(echo -e \"$cert\" | sed -n -Ee 's/.*After : (.*)/\\1/p')\n exp_date_parsed=$(parseDate \"$exp_date\" | escapeSpecialCharacters)\n echo -e \"\\\"$subject\\\",\\\"$issuer\\\",\\\"$exp_date_parsed\\\",\\\"$purposes\\\",\\\"\\\",\\\"\\\"\"\n}\n\nprocessCertificates() {\n certs=$(getCertificates)\n if [ -z \"$certs\" ]; then\n return 0\n fi\n\n is_first_line=true\n current_cert=\"\"\n\n while read -r line; do\n if [[ $line =~ \"Certificate:\" && $is_first_line == false ]]; then\n printCert \"$current_cert\"\n current_cert=\"\"\n elif [[ $is_first_line == true ]]; then\n is_first_line=false\n fi\n current_cert=\"$current_cert\\n$line\"\n done <<< \"$certs\"\n\n printCert \"$current_cert\"\n}\n\nmain() {\n if [ \"$1\" == \"--no-exec\" ]; then\n return 0\n 
fi\n\n processCertificates\n\n}\n\nmain \"$@\"\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8f13",
- "name" : "issued_to",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8f14",
- "name" : "issued_by",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8f15",
- "name" : "expiration_date",
- "type" : "DATE",
- "byDefault" : true,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8f16",
- "name" : "purposes",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8f17",
- "name" : "purposes_extended",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8f18",
- "name" : "friendly_name",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 6
- } ]
- }
- } ]
- } ]
- },
- "running" : false,
- "createdAt" : 1530900630240,
- "executedAt" : null,
- "status" : "CREATED",
- "ttl" : 60000,
- "startTime" : null,
- "endpointPermission" : null,
- "maGuidsTarget" : null,
- "expectedHostResponses" : 0
- },
- "type" : "com.intel.mar.model.search.Search"
- }, {
- "item" : {
- "catalogVersion" : 1,
- "dbVersion" : 2,
- "id" : "5b3fb096e4b0cbe06dd67316",
- "name" : "Full MAR Hashing Status",
- "description" : "",
- "type" : null,
- "expression" : null,
- "temporal" : false,
- "invalid" : false,
- "aggregated" : false,
- "projections" : [ {
- "collector" : {
- "catalogVersion" : 1,
- "dbVersion" : 2,
- "id" : "5b3fb07ce4b0cbe06dd672f9",
- "name" : "HashStatusAll",
- "description" : "Displays full File Hashing Status",
- "type" : "CUSTOM",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e51",
- "name" : "NotAvailable",
- "description" : "Capability not available",
- "module" : "Internal",
- "function" : "GetFalseResult",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- } ],
- "platformSettings" : [ ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ ]
- },
- "content" : null,
- "arguments" : null,
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e51",
- "name" : "NotAvailable",
- "description" : "Capability not available",
- "module" : "Internal",
- "function" : "GetFalseResult",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- } ],
- "platformSettings" : [ ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ ]
- },
- "content" : null,
- "arguments" : null,
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e12",
- "name" : "Visual Basic Script",
- "description" : "Executes VBS script on target client",
- "module" : "SystemRuntime",
- "function" : "executeVBS",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "' Copyright (C) 2017 McAfee, Inc. All Rights Reserved.\n'\n' This script will display full File Hashing Status\n'\nDim objFSO, objFile, line, arrLines\nSet objFSO = CreateObject(\"Scripting.FileSystemObject\")\nstartFile = \"C:\\ProgramData\\McAfee\\MAR\\data\\marlog.log\"\n' ***********************************************\n' Open Mar Log and Check Status\n' ***********************************************\nIF objFSO.FileExists(startFile) Then\n\tobjFile = objFSO.OpenTextFile(startFile, 1).ReadAll\n\tarrLines = Split(objFile,vbCrLf)\n\t\tFor Each line in arrLines\n\t\t\tIF inStr(line,\"Analyzing parent dir\") > 1 Then\n\t\t\t\tWScript.echo \"Start\" & \",\" & Trim(Left(line, (inStr(line,\" \")))) & \",\" & Replace(Replace(Replace(Right(line, (len(line)-(inStr(line,\"dir [\")))),\"ir [\",\"\"),\"]\",\"\"),\"\\\",\"\\\\\")\n\t\t\tEnd IF\n\t\t\tIF inStr(line,\"Stop Hashing - Total Hashing Time\") > 1 Then\n\t\t\t\tWScript.echo \"Stop\" & \",\" & Trim(Left(line, (inStr(line,\" \")))) & \",,\" & Replace(Replace(Right(line, (len(line)-(inStr(line,\"Stop Hashing -\")))),\"top Hashing - Total Hashing Time: \",\"\"),\" seconds\",\"\")\n\t\t\tEnd IF\n\t\tNext\nELSE\n\tWScript.Quit\nEnd IF\n' ***********************************************\n' End\n' ***********************************************\nWScript.Quit",
- "arguments" : null,
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "5b3fb07ce4b0cbe06dd672cf",
- "name" : "event_type",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "5b3fb07ce4b0cbe06dd672d0",
- "name" : "date",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "5b3fb07ce4b0cbe06dd672d1",
- "name" : "directory",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 3
- }, {
- "id" : "5b3fb07ce4b0cbe06dd672d2",
- "name" : "hashing_time",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 4
- } ]
- },
- "sequence" : "1",
- "output" : [ {
- "id" : "5b3fb07ce4b0cbe06dd672d0",
- "name" : "date",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "5b3fb07ce4b0cbe06dd672d1",
- "name" : "directory",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 3
- }, {
- "id" : "5b3fb07ce4b0cbe06dd672cf",
- "name" : "event_type",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "5b3fb07ce4b0cbe06dd672d2",
- "name" : "hashing_time",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 4
- } ]
- }, {
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8ec5",
- "name" : "HostInfo",
- "description" : "Shows Hostname, 1st IP Address, OS version and Connection Status",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e14",
- "name" : "Bash Script",
- "description" : "Executes Bash script on target client",
- "module" : "SystemRuntime",
- "function" : "executeBash",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "#!/bin/bash\n# Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\n#\n# Purpose: Shows information about host\n#\n# Version: 1\n\ngetOsRelease() {\n if [[ -x /usr/bin/lsb_release ]]; then\n lsb_release -sd\n elif [[ -r /etc/system-release ]]; then\n cat /etc/system-release\n else\n echo -e \"Unknown\"\n fi\n}\n\ngetHostName() {\n hostname -s\n}\n\ngetInterfacesInfoCommand() {\n current_os=$(getOsRelease)\n if [[ $current_os == \"Red Hat\"*\"7.\"* ]]; then\n echo -e \"ip addr show\"\n else\n echo -e \"ifconfig\"\n fi\n}\n\ngetInterfacesDir() {\n echo -e \"/sys/class/net\"\n}\n\nisInterfacePhysical() {\n interface_path=\"$1\"\n if [ -z \"$interface_path\" ]; then\n return 1\n fi\n\n real_location=$(readlink \"$interface_path\")\n if [[ \"$real_location\" =~ \"virtual\" ]]; then\n return 1\n else\n return 0\n fi\n}\n\nparsePrimaryIPInterface() {\n interface_name=\"$1\"\n if [ -z \"$interface_name\" ]; then\n return 1\n fi\n cmd=$(getInterfacesInfoCommand)\n eval \"$cmd $interface_name\" | grep -oE \"\\b([0-9]{1,3}\\.){3}[0-9]{1,3}\\b\" | grep -vE \"^2[2-5]\" | head -n 1\n}\n\ngetPrimaryIPHost() {\n interfaces_dir=$(getInterfacesDir)\n physical_interfaces=()\n\n shopt -s nullglob\n for interface in \"$interfaces_dir\"/*; do\n if isInterfacePhysical \"$interface\"; then\n current_interface=$(basename \"$interface\")\n physical_interfaces+=(\"$current_interface\")\n fi\n done\n shopt -u nullglob\n\n i=0\n for interface in \"${physical_interfaces[@]}\"; do\n ips[$i]=$(parsePrimaryIPInterface \"$interface\")\n ((i++))\n done\n\n if [ \"${#ips[@]}\" -ge 1 ]; then\n echo -e \"${ips[0]}\"\n fi\n}\n\n\ngetConnectionStatus() {\n echo \"Online\"\n}\n\ngetPlatform() {\n echo \"Linux\"\n}\n\nprocessHostInfo() {\n name=$(getHostName)\n os=$(getOsRelease)\n ipaddress=$(getPrimaryIPHost)\n connection_status=$(getConnectionStatus)\n platform=$(getPlatform)\n\n echo -e 
\"\\\"$name\\\",\\\"$ipaddress\\\",\\\"$os\\\",\\\"$connection_status\\\",\\\"$platform\\\"\"\n}\n\nmain() {\n if [ \"$1\" == \"--no-exec\" ]; then\n return 0\n fi\n\n processHostInfo\n}\n\nmain \"$@\"\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e12",
- "name" : "Visual Basic Script",
- "description" : "Executes VBS script on target client",
- "module" : "SystemRuntime",
- "function" : "executeVBS",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "' Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\r\n\r\nstrComputer = \".\"\r\nFirstIP=\"\"\r\nCurrentMac=\"\"\r\nConnectionStatus = \"\"\r\nSet objWMIService=GetObject(\"winmgmts:\" & \"{impersonationLevel=impersonate}!\\\\\" & strComputer & \"\\root\\cimv2\")\r\n\r\nSet NetAdapters = objWMIService.ExecQuery(\"Select * From Win32_NetworkAdapter Where NOT PNPDeviceID LIKE 'ROOT\\\\%'\")\r\nFor Each NetAdapter in NetAdapters\r\n CurrentMac = NetAdapter.MACAddress\r\n Set IPConfigSet = objWMIService.ExecQuery(\"Select * from Win32_NetworkAdapterConfiguration Where IPEnabled=TRUE AND MacAddress = '\" & CurrentMac & \"'\")\r\n For Each IPConfig in IPConfigSet\r\n If Not IsNull(IPConfig.IPAddress) Then\r\n For i=LBound(IPConfig.IPAddress) to UBound(IPConfig.IPAddress)\r\n FirstIP=IPConfig.IPAddress(i)\r\n Exit For\r\n Next\r\n End If\r\n Next\r\nNext\r\n\r\nSet objNet = CreateObject(\"WScript.Network\")\r\nstrCompName = objNet.ComputerName\r\n\r\nSet shell = CreateObject(\"WScript.Shell\")\r\nSet getOSVersion = shell.exec(\"%comspec% /D /c ver\")\r\ngetOSVersion.stdout.readLine\r\nversion = getOSVersion.stdout.readLine\r\n\r\nFunction Registry_Read(Key_Path, Key_Name)\r\n On Error Resume Next\r\n Set Registry = CreateObject(\"WScript.Shell\")\r\n Registry_Read = Registry.RegRead(Key_Path & \"\\\" & Key_Name)\r\nEnd Function\r\n\r\nSet shell_arch = CreateObject(\"WScript.Shell\")\r\nIf shell_arch.ExpandEnvironmentStrings(\"%PROCESSOR_ARCHITECTURE%\") = \"AMD64\" then\r\n ConnectionStatus = Registry_Read(\"HKLM\\SOFTWARE\\WOW6432Node\\Network Associates\\ePolicy Orchestrator\\Application Plugins\\MAR_____1000\",\"connection_status\")\r\nElse\r\n ConnectionStatus = Registry_Read(\"HKLM\\SOFTWARE\\Network Associates\\ePolicy Orchestrator\\Application Plugins\\MAR_____1000\",\"connection_status\")\r\nEnd If\r\n\r\nIf ConnectionStatus = \"false\" then\r\n ConnectionStatus = 
\"Quarantined\"\r\nElse\r\n ConnectionStatus = \"Online\"\r\nEnd If\r\n\r\nplatform = \"Windows\"\r\n\r\nWScript.Echo strCompName & \",\" & FirstIP & \",\" & version & \",\" & ConnectionStatus & \",\" & platform\r\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45cae4b0401274ab7183",
- "name" : "HostInfo SysInfo",
- "description" : "Shows Hostname, 1st IP Address and OS version",
- "module" : "SysInfo",
- "function" : "HostInfo",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8ec2",
- "name" : "hostname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8ec3",
- "name" : "ip_address",
- "type" : "IPV4IPV6",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8ec4",
- "name" : "os",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6346",
- "name" : "connection_status",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 4
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6347",
- "name" : "platform",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 5
- } ]
- },
- "sequence" : "2",
- "output" : [ {
- "id" : "58efec8ee4b0c390d69a8ec2",
- "name" : "hostname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1
- } ]
- } ],
- "disjunction" : {
- "conjunctions" : [ {
- "terms" : [ {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8ec2",
- "name" : "hostname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1
- },
- "operator" : "EQUALS",
- "value" : "WIN71",
- "negated" : false,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8ec5",
- "name" : "HostInfo",
- "description" : "Shows Hostname, 1st IP Address, OS version and Connection Status",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e14",
- "name" : "Bash Script",
- "description" : "Executes Bash script on target client",
- "module" : "SystemRuntime",
- "function" : "executeBash",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "#!/bin/bash\n# Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\n#\n# Purpose: Shows information about host\n#\n# Version: 1\n\ngetOsRelease() {\n if [[ -x /usr/bin/lsb_release ]]; then\n lsb_release -sd\n elif [[ -r /etc/system-release ]]; then\n cat /etc/system-release\n else\n echo -e \"Unknown\"\n fi\n}\n\ngetHostName() {\n hostname -s\n}\n\ngetInterfacesInfoCommand() {\n current_os=$(getOsRelease)\n if [[ $current_os == \"Red Hat\"*\"7.\"* ]]; then\n echo -e \"ip addr show\"\n else\n echo -e \"ifconfig\"\n fi\n}\n\ngetInterfacesDir() {\n echo -e \"/sys/class/net\"\n}\n\nisInterfacePhysical() {\n interface_path=\"$1\"\n if [ -z \"$interface_path\" ]; then\n return 1\n fi\n\n real_location=$(readlink \"$interface_path\")\n if [[ \"$real_location\" =~ \"virtual\" ]]; then\n return 1\n else\n return 0\n fi\n}\n\nparsePrimaryIPInterface() {\n interface_name=\"$1\"\n if [ -z \"$interface_name\" ]; then\n return 1\n fi\n cmd=$(getInterfacesInfoCommand)\n eval \"$cmd $interface_name\" | grep -oE \"\\b([0-9]{1,3}\\.){3}[0-9]{1,3}\\b\" | grep -vE \"^2[2-5]\" | head -n 1\n}\n\ngetPrimaryIPHost() {\n interfaces_dir=$(getInterfacesDir)\n physical_interfaces=()\n\n shopt -s nullglob\n for interface in \"$interfaces_dir\"/*; do\n if isInterfacePhysical \"$interface\"; then\n current_interface=$(basename \"$interface\")\n physical_interfaces+=(\"$current_interface\")\n fi\n done\n shopt -u nullglob\n\n i=0\n for interface in \"${physical_interfaces[@]}\"; do\n ips[$i]=$(parsePrimaryIPInterface \"$interface\")\n ((i++))\n done\n\n if [ \"${#ips[@]}\" -ge 1 ]; then\n echo -e \"${ips[0]}\"\n fi\n}\n\n\ngetConnectionStatus() {\n echo \"Online\"\n}\n\ngetPlatform() {\n echo \"Linux\"\n}\n\nprocessHostInfo() {\n name=$(getHostName)\n os=$(getOsRelease)\n ipaddress=$(getPrimaryIPHost)\n connection_status=$(getConnectionStatus)\n platform=$(getPlatform)\n\n echo -e 
\"\\\"$name\\\",\\\"$ipaddress\\\",\\\"$os\\\",\\\"$connection_status\\\",\\\"$platform\\\"\"\n}\n\nmain() {\n if [ \"$1\" == \"--no-exec\" ]; then\n return 0\n fi\n\n processHostInfo\n}\n\nmain \"$@\"\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e12",
- "name" : "Visual Basic Script",
- "description" : "Executes VBS script on target client",
- "module" : "SystemRuntime",
- "function" : "executeVBS",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "' Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\r\n\r\nstrComputer = \".\"\r\nFirstIP=\"\"\r\nCurrentMac=\"\"\r\nConnectionStatus = \"\"\r\nSet objWMIService=GetObject(\"winmgmts:\" & \"{impersonationLevel=impersonate}!\\\\\" & strComputer & \"\\root\\cimv2\")\r\n\r\nSet NetAdapters = objWMIService.ExecQuery(\"Select * From Win32_NetworkAdapter Where NOT PNPDeviceID LIKE 'ROOT\\\\%'\")\r\nFor Each NetAdapter in NetAdapters\r\n CurrentMac = NetAdapter.MACAddress\r\n Set IPConfigSet = objWMIService.ExecQuery(\"Select * from Win32_NetworkAdapterConfiguration Where IPEnabled=TRUE AND MacAddress = '\" & CurrentMac & \"'\")\r\n For Each IPConfig in IPConfigSet\r\n If Not IsNull(IPConfig.IPAddress) Then\r\n For i=LBound(IPConfig.IPAddress) to UBound(IPConfig.IPAddress)\r\n FirstIP=IPConfig.IPAddress(i)\r\n Exit For\r\n Next\r\n End If\r\n Next\r\nNext\r\n\r\nSet objNet = CreateObject(\"WScript.Network\")\r\nstrCompName = objNet.ComputerName\r\n\r\nSet shell = CreateObject(\"WScript.Shell\")\r\nSet getOSVersion = shell.exec(\"%comspec% /D /c ver\")\r\ngetOSVersion.stdout.readLine\r\nversion = getOSVersion.stdout.readLine\r\n\r\nFunction Registry_Read(Key_Path, Key_Name)\r\n On Error Resume Next\r\n Set Registry = CreateObject(\"WScript.Shell\")\r\n Registry_Read = Registry.RegRead(Key_Path & \"\\\" & Key_Name)\r\nEnd Function\r\n\r\nSet shell_arch = CreateObject(\"WScript.Shell\")\r\nIf shell_arch.ExpandEnvironmentStrings(\"%PROCESSOR_ARCHITECTURE%\") = \"AMD64\" then\r\n ConnectionStatus = Registry_Read(\"HKLM\\SOFTWARE\\WOW6432Node\\Network Associates\\ePolicy Orchestrator\\Application Plugins\\MAR_____1000\",\"connection_status\")\r\nElse\r\n ConnectionStatus = Registry_Read(\"HKLM\\SOFTWARE\\Network Associates\\ePolicy Orchestrator\\Application Plugins\\MAR_____1000\",\"connection_status\")\r\nEnd If\r\n\r\nIf ConnectionStatus = \"false\" then\r\n ConnectionStatus = 
\"Quarantined\"\r\nElse\r\n ConnectionStatus = \"Online\"\r\nEnd If\r\n\r\nplatform = \"Windows\"\r\n\r\nWScript.Echo strCompName & \",\" & FirstIP & \",\" & version & \",\" & ConnectionStatus & \",\" & platform\r\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45cae4b0401274ab7183",
- "name" : "HostInfo SysInfo",
- "description" : "Shows Hostname, 1st IP Address and OS version",
- "module" : "SysInfo",
- "function" : "HostInfo",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8ec2",
- "name" : "hostname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8ec3",
- "name" : "ip_address",
- "type" : "IPV4IPV6",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8ec4",
- "name" : "os",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6346",
- "name" : "connection_status",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 4
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6347",
- "name" : "platform",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 5
- } ]
- }
- } ]
- } ]
- },
- "running" : false,
- "createdAt" : 1530900630245,
- "executedAt" : null,
- "status" : "CREATED",
- "ttl" : 60000,
- "startTime" : null,
- "endpointPermission" : null,
- "maGuidsTarget" : null,
- "expectedHostResponses" : 0
- },
- "type" : "com.intel.mar.model.search.Search"
- }, {
- "item" : {
- "catalogVersion" : 1,
- "dbVersion" : 2,
- "id" : "5b3fb096e4b0cbe06dd67317",
- "name" : "Hosts with Manual Proxy Settings",
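- "description" : "Returns hostname and ip_address for Windows hosts that have a PROXYSERVER value under HKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS. The search only tests that the value exists; it does not check ProxyEnable, so hosts with a leftover ProxyServer value and the proxy switched off are listed too. WinRegistry is not available on Linux or macOS, so those platforms cannot match. Which user hive HKCU resolves to depends on the account the agent runs the query as; confirm that before reading an empty result as 'no proxy configured'.",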
- "type" : null,
- "expression" : null,
- "temporal" : false,
- "invalid" : false,
- "aggregated" : false,
- "projections" : [ {
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8ec5",
- "name" : "HostInfo",
- "description" : "Shows Hostname, 1st IP Address, OS version and Connection Status",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e14",
- "name" : "Bash Script",
- "description" : "Executes Bash script on target client",
- "module" : "SystemRuntime",
- "function" : "executeBash",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "#!/bin/bash\n# Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\n#\n# Purpose: Shows information about host\n#\n# Version: 1\n\ngetOsRelease() {\n if [[ -x /usr/bin/lsb_release ]]; then\n lsb_release -sd\n elif [[ -r /etc/system-release ]]; then\n cat /etc/system-release\n else\n echo -e \"Unknown\"\n fi\n}\n\ngetHostName() {\n hostname -s\n}\n\ngetInterfacesInfoCommand() {\n current_os=$(getOsRelease)\n if [[ $current_os == \"Red Hat\"*\"7.\"* ]]; then\n echo -e \"ip addr show\"\n else\n echo -e \"ifconfig\"\n fi\n}\n\ngetInterfacesDir() {\n echo -e \"/sys/class/net\"\n}\n\nisInterfacePhysical() {\n interface_path=\"$1\"\n if [ -z \"$interface_path\" ]; then\n return 1\n fi\n\n real_location=$(readlink \"$interface_path\")\n if [[ \"$real_location\" =~ \"virtual\" ]]; then\n return 1\n else\n return 0\n fi\n}\n\nparsePrimaryIPInterface() {\n interface_name=\"$1\"\n if [ -z \"$interface_name\" ]; then\n return 1\n fi\n cmd=$(getInterfacesInfoCommand)\n eval \"$cmd $interface_name\" | grep -oE \"\\b([0-9]{1,3}\\.){3}[0-9]{1,3}\\b\" | grep -vE \"^2[2-5]\" | head -n 1\n}\n\ngetPrimaryIPHost() {\n interfaces_dir=$(getInterfacesDir)\n physical_interfaces=()\n\n shopt -s nullglob\n for interface in \"$interfaces_dir\"/*; do\n if isInterfacePhysical \"$interface\"; then\n current_interface=$(basename \"$interface\")\n physical_interfaces+=(\"$current_interface\")\n fi\n done\n shopt -u nullglob\n\n i=0\n for interface in \"${physical_interfaces[@]}\"; do\n ips[$i]=$(parsePrimaryIPInterface \"$interface\")\n ((i++))\n done\n\n if [ \"${#ips[@]}\" -ge 1 ]; then\n echo -e \"${ips[0]}\"\n fi\n}\n\n\ngetConnectionStatus() {\n echo \"Online\"\n}\n\ngetPlatform() {\n echo \"Linux\"\n}\n\nprocessHostInfo() {\n name=$(getHostName)\n os=$(getOsRelease)\n ipaddress=$(getPrimaryIPHost)\n connection_status=$(getConnectionStatus)\n platform=$(getPlatform)\n\n echo -e 
\"\\\"$name\\\",\\\"$ipaddress\\\",\\\"$os\\\",\\\"$connection_status\\\",\\\"$platform\\\"\"\n}\n\nmain() {\n if [ \"$1\" == \"--no-exec\" ]; then\n return 0\n fi\n\n processHostInfo\n}\n\nmain \"$@\"\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e12",
- "name" : "Visual Basic Script",
- "description" : "Executes VBS script on target client",
- "module" : "SystemRuntime",
- "function" : "executeVBS",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "' Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\r\n\r\nstrComputer = \".\"\r\nFirstIP=\"\"\r\nCurrentMac=\"\"\r\nConnectionStatus = \"\"\r\nSet objWMIService=GetObject(\"winmgmts:\" & \"{impersonationLevel=impersonate}!\\\\\" & strComputer & \"\\root\\cimv2\")\r\n\r\nSet NetAdapters = objWMIService.ExecQuery(\"Select * From Win32_NetworkAdapter Where NOT PNPDeviceID LIKE 'ROOT\\\\%'\")\r\nFor Each NetAdapter in NetAdapters\r\n CurrentMac = NetAdapter.MACAddress\r\n Set IPConfigSet = objWMIService.ExecQuery(\"Select * from Win32_NetworkAdapterConfiguration Where IPEnabled=TRUE AND MacAddress = '\" & CurrentMac & \"'\")\r\n For Each IPConfig in IPConfigSet\r\n If Not IsNull(IPConfig.IPAddress) Then\r\n For i=LBound(IPConfig.IPAddress) to UBound(IPConfig.IPAddress)\r\n FirstIP=IPConfig.IPAddress(i)\r\n Exit For\r\n Next\r\n End If\r\n Next\r\nNext\r\n\r\nSet objNet = CreateObject(\"WScript.Network\")\r\nstrCompName = objNet.ComputerName\r\n\r\nSet shell = CreateObject(\"WScript.Shell\")\r\nSet getOSVersion = shell.exec(\"%comspec% /D /c ver\")\r\ngetOSVersion.stdout.readLine\r\nversion = getOSVersion.stdout.readLine\r\n\r\nFunction Registry_Read(Key_Path, Key_Name)\r\n On Error Resume Next\r\n Set Registry = CreateObject(\"WScript.Shell\")\r\n Registry_Read = Registry.RegRead(Key_Path & \"\\\" & Key_Name)\r\nEnd Function\r\n\r\nSet shell_arch = CreateObject(\"WScript.Shell\")\r\nIf shell_arch.ExpandEnvironmentStrings(\"%PROCESSOR_ARCHITECTURE%\") = \"AMD64\" then\r\n ConnectionStatus = Registry_Read(\"HKLM\\SOFTWARE\\WOW6432Node\\Network Associates\\ePolicy Orchestrator\\Application Plugins\\MAR_____1000\",\"connection_status\")\r\nElse\r\n ConnectionStatus = Registry_Read(\"HKLM\\SOFTWARE\\Network Associates\\ePolicy Orchestrator\\Application Plugins\\MAR_____1000\",\"connection_status\")\r\nEnd If\r\n\r\nIf ConnectionStatus = \"false\" then\r\n ConnectionStatus = 
\"Quarantined\"\r\nElse\r\n ConnectionStatus = \"Online\"\r\nEnd If\r\n\r\nplatform = \"Windows\"\r\n\r\nWScript.Echo strCompName & \",\" & FirstIP & \",\" & version & \",\" & ConnectionStatus & \",\" & platform\r\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45cae4b0401274ab7183",
- "name" : "HostInfo SysInfo",
- "description" : "Shows Hostname, 1st IP Address and OS version",
- "module" : "SysInfo",
- "function" : "HostInfo",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8ec2",
- "name" : "hostname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8ec3",
- "name" : "ip_address",
- "type" : "IPV4IPV6",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8ec4",
- "name" : "os",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6346",
- "name" : "connection_status",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 4
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6347",
- "name" : "platform",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 5
- } ]
- },
- "sequence" : "1",
- "output" : [ {
- "id" : "58efec8ee4b0c390d69a8ec2",
- "name" : "hostname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8ec3",
- "name" : "ip_address",
- "type" : "IPV4IPV6",
- "byDefault" : false,
- "sequence" : 2
- } ]
- }, {
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8ea9",
- "name" : "WinRegistry",
- "description" : "Shows the registries keys",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e31",
- "name" : "WinRegistry",
- "description" : "Gets registry key info",
- "module" : "WinRegistry",
- "function" : "FindRegistry",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e51",
- "name" : "NotAvailable",
- "description" : "Capability not available",
- "module" : "Internal",
- "function" : "GetFalseResult",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- } ],
- "platformSettings" : [ ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e51",
- "name" : "NotAvailable",
- "description" : "Capability not available",
- "module" : "Internal",
- "function" : "GetFalseResult",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- } ],
- "platformSettings" : [ ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ ]
- },
- "content" : null,
- "arguments" : null,
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8ea5",
- "name" : "keypath",
- "type" : "REG_PATH",
- "byDefault" : false,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8ea6",
- "name" : "keyvalue",
- "type" : "REG_STR",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8ea7",
- "name" : "valuedata",
- "type" : "REG_STR",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8ea8",
- "name" : "valuetype",
- "type" : "REG_STR",
- "byDefault" : false,
- "sequence" : 4
- } ]
- },
- "sequence" : "2",
- "output" : [ ]
- } ],
- "disjunction" : {
- "conjunctions" : [ {
- "terms" : [ {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8ea5",
- "name" : "keypath",
- "type" : "REG_PATH",
- "byDefault" : false,
- "sequence" : 1
- },
- "operator" : "EQUALS",
- "value" : "HKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS",
- "negated" : false,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8ea9",
- "name" : "WinRegistry",
- "description" : "Shows the registries keys",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e31",
- "name" : "WinRegistry",
- "description" : "Gets registry key info",
- "module" : "WinRegistry",
- "function" : "FindRegistry",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e51",
- "name" : "NotAvailable",
- "description" : "Capability not available",
- "module" : "Internal",
- "function" : "GetFalseResult",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- } ],
- "platformSettings" : [ ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e51",
- "name" : "NotAvailable",
- "description" : "Capability not available",
- "module" : "Internal",
- "function" : "GetFalseResult",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- } ],
- "platformSettings" : [ ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ ]
- },
- "content" : null,
- "arguments" : null,
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8ea5",
- "name" : "keypath",
- "type" : "REG_PATH",
- "byDefault" : false,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8ea6",
- "name" : "keyvalue",
- "type" : "REG_STR",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8ea7",
- "name" : "valuedata",
- "type" : "REG_STR",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8ea8",
- "name" : "valuetype",
- "type" : "REG_STR",
- "byDefault" : false,
- "sequence" : 4
- } ]
- }
- }, {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8ea6",
- "name" : "keyvalue",
- "type" : "REG_STR",
- "byDefault" : false,
- "sequence" : 2
- },
- "operator" : "EQUALS",
- "value" : "PROXYSERVER",
- "negated" : false,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8ea9",
- "name" : "WinRegistry",
- "description" : "Shows the registries keys",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e31",
- "name" : "WinRegistry",
- "description" : "Gets registry key info",
- "module" : "WinRegistry",
- "function" : "FindRegistry",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e51",
- "name" : "NotAvailable",
- "description" : "Capability not available",
- "module" : "Internal",
- "function" : "GetFalseResult",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- } ],
- "platformSettings" : [ ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e51",
- "name" : "NotAvailable",
- "description" : "Capability not available",
- "module" : "Internal",
- "function" : "GetFalseResult",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- } ],
- "platformSettings" : [ ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ ]
- },
- "content" : null,
- "arguments" : null,
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8ea5",
- "name" : "keypath",
- "type" : "REG_PATH",
- "byDefault" : false,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8ea6",
- "name" : "keyvalue",
- "type" : "REG_STR",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8ea7",
- "name" : "valuedata",
- "type" : "REG_STR",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8ea8",
- "name" : "valuetype",
- "type" : "REG_STR",
- "byDefault" : false,
- "sequence" : 4
- } ]
- }
- } ]
- } ]
- },
- "running" : false,
- "createdAt" : 1530900630249,
- "executedAt" : null,
- "status" : "CREATED",
- "ttl" : 60000,
- "startTime" : null,
- "endpointPermission" : null,
- "maGuidsTarget" : null,
- "expectedHostResponses" : 0
- },
- "type" : "com.intel.mar.model.search.Search"
- }, {
- "item" : {
- "catalogVersion" : 1,
- "dbVersion" : 2,
- "id" : "5b3fb096e4b0cbe06dd67318",
- "name" : "INFO GATHERING - REALTIME - Port Bound Services not running as NT AUTHORITY",
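- "description" : "Lists CurrentFlow entries in status \"Listening\" whose user field does not contain \"NT\". The filter tests for the substring \"NT\", not for the full \"NT AUTHORITY\" prefix, so any account whose domain or user name contains \"NT\" is dropped from the results as well. CurrentFlow also runs on Linux and macOS, where NT AUTHORITY accounts do not exist, so the user condition does not narrow results on those hosts in any meaningful way.",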
- "type" : null,
- "expression" : "CurrentFlow where CurrentFlow status equals \"Listening\" and CurrentFlow user not contains \"NT\"",
- "temporal" : false,
- "invalid" : false,
- "aggregated" : true,
- "projections" : [ {
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8ea4",
- "name" : "CurrentFlow",
- "description" : "Shows the current network flow",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e20",
- "name" : "CurrentFlow",
- "description" : "Gets current network information",
- "module" : "NetworkFlow",
- "function" : "CurrentFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e20",
- "name" : "CurrentFlow",
- "description" : "Gets current network information",
- "module" : "NetworkFlow",
- "function" : "CurrentFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e20",
- "name" : "CurrentFlow",
- "description" : "Gets current network information",
- "module" : "NetworkFlow",
- "function" : "CurrentFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e98",
- "name" : "local_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e99",
- "name" : "local_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e9a",
- "name" : "remote_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e9b",
- "name" : "remote_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e9c",
- "name" : "status",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e9d",
- "name" : "proto",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e9e",
- "name" : "process_id",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e9f",
- "name" : "process",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8ea0",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8ea1",
- "name" : "user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 10
- }, {
- "id" : "58efec8ee4b0c390d69a8ea2",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 11
- }, {
- "id" : "58efec8ee4b0c390d69a8ea3",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "5a1a45cbe4b0401274ab7192",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 13
- } ]
- },
- "sequence" : "1",
- "output" : [ ]
- } ],
- "disjunction" : {
- "conjunctions" : [ {
- "terms" : [ {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8e9c",
- "name" : "status",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 5
- },
- "operator" : "EQUALS",
- "value" : "Listening",
- "negated" : false,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8ea4",
- "name" : "CurrentFlow",
- "description" : "Shows the current network flow",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e20",
- "name" : "CurrentFlow",
- "description" : "Gets current network information",
- "module" : "NetworkFlow",
- "function" : "CurrentFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e20",
- "name" : "CurrentFlow",
- "description" : "Gets current network information",
- "module" : "NetworkFlow",
- "function" : "CurrentFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e20",
- "name" : "CurrentFlow",
- "description" : "Gets current network information",
- "module" : "NetworkFlow",
- "function" : "CurrentFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e98",
- "name" : "local_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e99",
- "name" : "local_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e9a",
- "name" : "remote_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e9b",
- "name" : "remote_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e9c",
- "name" : "status",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e9d",
- "name" : "proto",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e9e",
- "name" : "process_id",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e9f",
- "name" : "process",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8ea0",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8ea1",
- "name" : "user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 10
- }, {
- "id" : "58efec8ee4b0c390d69a8ea2",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 11
- }, {
- "id" : "58efec8ee4b0c390d69a8ea3",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "5a1a45cbe4b0401274ab7192",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 13
- } ]
- }
- }, {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8ea0",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 9
- },
- "operator" : "CONTAINS",
- "value" : "NT",
- "negated" : true,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8ea4",
- "name" : "CurrentFlow",
- "description" : "Shows the current network flow",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e20",
- "name" : "CurrentFlow",
- "description" : "Gets current network information",
- "module" : "NetworkFlow",
- "function" : "CurrentFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e20",
- "name" : "CurrentFlow",
- "description" : "Gets current network information",
- "module" : "NetworkFlow",
- "function" : "CurrentFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e20",
- "name" : "CurrentFlow",
- "description" : "Gets current network information",
- "module" : "NetworkFlow",
- "function" : "CurrentFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e98",
- "name" : "local_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e99",
- "name" : "local_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e9a",
- "name" : "remote_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e9b",
- "name" : "remote_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e9c",
- "name" : "status",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e9d",
- "name" : "proto",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e9e",
- "name" : "process_id",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e9f",
- "name" : "process",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8ea0",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8ea1",
- "name" : "user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 10
- }, {
- "id" : "58efec8ee4b0c390d69a8ea2",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 11
- }, {
- "id" : "58efec8ee4b0c390d69a8ea3",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "5a1a45cbe4b0401274ab7192",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 13
- } ]
- }
- } ]
- } ]
- },
- "running" : false,
- "createdAt" : 1530900630254,
- "executedAt" : null,
- "status" : "CREATED",
- "ttl" : 60000,
- "startTime" : null,
- "endpointPermission" : null,
- "maGuidsTarget" : null,
- "expectedHostResponses" : 0
- },
- "type" : "com.intel.mar.model.search.Search"
- }, {
- "item" : {
- "catalogVersion" : 1,
- "dbVersion" : 2,
- "id" : "5b3fb096e4b0cbe06dd67319",
- "name" : "INFO GATHERING - REALTIME - System local net connections",
- "description" : "",
- "type" : null,
- "expression" : "Processes name, user_id, user, cmdline where CurrentFlow remote_ip contains 192.168.1.0/24",
- "temporal" : false,
- "invalid" : false,
- "aggregated" : true,
- "projections" : [ {
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e79",
- "name" : "Processes",
- "description" : "Shows the running processes",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e10",
- "name" : "Running Processes",
- "description" : "Obtains the list of the running processes",
- "module" : "SystemInfo",
- "function" : "CollectProcess",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e10",
- "name" : "Running Processes",
- "description" : "Obtains the list of the running processes",
- "module" : "SystemInfo",
- "function" : "CollectProcess",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e10",
- "name" : "Running Processes",
- "description" : "Obtains the list of the running processes",
- "module" : "SystemInfo",
- "function" : "CollectProcess",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e6a",
- "name" : "name",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e6b",
- "name" : "id",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e6c",
- "name" : "threadcount",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e6d",
- "name" : "parentid",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e6e",
- "name" : "parentname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 999
- }, {
- "id" : "5a1a45cae4b0401274ab718e",
- "name" : "parentimagepath",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1000
- }, {
- "id" : "5a1a45cae4b0401274ab718f",
- "name" : "file_reputation",
- "type" : "REPUTATION",
- "byDefault" : false,
- "sequence" : 1001
- }, {
- "id" : "5b3f9b64e4b0dfaf321a630e",
- "name" : "process_reputation",
- "type" : "REPUTATION",
- "byDefault" : false,
- "sequence" : 1002
- }, {
- "id" : "5b3f9b64e4b0dfaf321a630f",
- "name" : "started_at",
- "type" : "DATE",
- "byDefault" : false,
- "sequence" : 1003
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6310",
- "name" : "content_size",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 1004
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6311",
- "name" : "content",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1005
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6312",
- "name" : "content_file",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1006
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6313",
- "name" : "execution_mode",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1007
- }, {
- "id" : "58efec8ee4b0c390d69a8e6f",
- "name" : "size",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e70",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e71",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e72",
- "name" : "cmdline",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8e73",
- "name" : "imagepath",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8e74",
- "name" : "kerneltime",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 10
- }, {
- "id" : "58efec8ee4b0c390d69a8e75",
- "name" : "usertime",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 11
- }, {
- "id" : "58efec8ee4b0c390d69a8e76",
- "name" : "uptime",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "58efec8ee4b0c390d69a8e77",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 13
- }, {
- "id" : "58efec8ee4b0c390d69a8e78",
- "name" : "user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 14
- }, {
- "id" : "5a1a45cae4b0401274ab7190",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 15
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6314",
- "name" : "normalized_cmdline",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1009
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6315",
- "name" : "parent_cmdline",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1010
- } ]
- },
- "sequence" : "1",
- "output" : [ {
- "id" : "58efec8ee4b0c390d69a8e6a",
- "name" : "name",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e78",
- "name" : "user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 14
- }, {
- "id" : "58efec8ee4b0c390d69a8e77",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 13
- }, {
- "id" : "58efec8ee4b0c390d69a8e72",
- "name" : "cmdline",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- } ]
- } ],
- "disjunction" : {
- "conjunctions" : [ {
- "terms" : [ {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8e9a",
- "name" : "remote_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 3
- },
- "operator" : "CONTAINS",
- "value" : "192.168.1.0/24",
- "negated" : false,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8ea4",
- "name" : "CurrentFlow",
- "description" : "Shows the current network flow",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e20",
- "name" : "CurrentFlow",
- "description" : "Gets current network information",
- "module" : "NetworkFlow",
- "function" : "CurrentFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e20",
- "name" : "CurrentFlow",
- "description" : "Gets current network information",
- "module" : "NetworkFlow",
- "function" : "CurrentFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e20",
- "name" : "CurrentFlow",
- "description" : "Gets current network information",
- "module" : "NetworkFlow",
- "function" : "CurrentFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e98",
- "name" : "local_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e99",
- "name" : "local_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e9a",
- "name" : "remote_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e9b",
- "name" : "remote_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e9c",
- "name" : "status",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e9d",
- "name" : "proto",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e9e",
- "name" : "process_id",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e9f",
- "name" : "process",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8ea0",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8ea1",
- "name" : "user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 10
- }, {
- "id" : "58efec8ee4b0c390d69a8ea2",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 11
- }, {
- "id" : "58efec8ee4b0c390d69a8ea3",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "5a1a45cbe4b0401274ab7192",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 13
- } ]
- }
- } ]
- } ]
- },
- "running" : false,
- "createdAt" : 1530900630261,
- "executedAt" : null,
- "status" : "CREATED",
- "ttl" : 60000,
- "startTime" : null,
- "endpointPermission" : null,
- "maGuidsTarget" : null,
- "expectedHostResponses" : 0
- },
- "type" : "com.intel.mar.model.search.Search"
- }, {
- "item" : {
- "catalogVersion" : 1,
- "dbVersion" : 2,
- "id" : "5b3fb096e4b0cbe06dd6731a",
- "name" : "INFO GATHERING - Systems outbound SSH with local certs",
- "description" : "Potential shadow IT users.\nSystems that have made outbound SSH connections (destination port 22) and that also have local cert files (full names ending in .pem).",
- "type" : null,
- "expression" : "HostInfo and NetworkFlow and Files full_name where NetworkFlow direction equals \"out\" and NetworkFlow dst_port equals 22 and Files full_name ends with \".pem\"",
- "temporal" : false,
- "invalid" : false,
- "aggregated" : true,
- "projections" : [ {
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8ec5",
- "name" : "HostInfo",
- "description" : "Shows Hostname, 1st IP Address, OS version and Connection Status",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e14",
- "name" : "Bash Script",
- "description" : "Executes Bash script on target client",
- "module" : "SystemRuntime",
- "function" : "executeBash",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "#!/bin/bash\n# Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\n#\n# Purpose: Shows information about host\n#\n# Version: 1\n\ngetOsRelease() {\n if [[ -x /usr/bin/lsb_release ]]; then\n lsb_release -sd\n elif [[ -r /etc/system-release ]]; then\n cat /etc/system-release\n else\n echo -e \"Unknown\"\n fi\n}\n\ngetHostName() {\n hostname -s\n}\n\ngetInterfacesInfoCommand() {\n current_os=$(getOsRelease)\n if [[ $current_os == \"Red Hat\"*\"7.\"* ]]; then\n echo -e \"ip addr show\"\n else\n echo -e \"ifconfig\"\n fi\n}\n\ngetInterfacesDir() {\n echo -e \"/sys/class/net\"\n}\n\nisInterfacePhysical() {\n interface_path=\"$1\"\n if [ -z \"$interface_path\" ]; then\n return 1\n fi\n\n real_location=$(readlink \"$interface_path\")\n if [[ \"$real_location\" =~ \"virtual\" ]]; then\n return 1\n else\n return 0\n fi\n}\n\nparsePrimaryIPInterface() {\n interface_name=\"$1\"\n if [ -z \"$interface_name\" ]; then\n return 1\n fi\n cmd=$(getInterfacesInfoCommand)\n eval \"$cmd $interface_name\" | grep -oE \"\\b([0-9]{1,3}\\.){3}[0-9]{1,3}\\b\" | grep -vE \"^2[2-5]\" | head -n 1\n}\n\ngetPrimaryIPHost() {\n interfaces_dir=$(getInterfacesDir)\n physical_interfaces=()\n\n shopt -s nullglob\n for interface in \"$interfaces_dir\"/*; do\n if isInterfacePhysical \"$interface\"; then\n current_interface=$(basename \"$interface\")\n physical_interfaces+=(\"$current_interface\")\n fi\n done\n shopt -u nullglob\n\n i=0\n for interface in \"${physical_interfaces[@]}\"; do\n ips[$i]=$(parsePrimaryIPInterface \"$interface\")\n ((i++))\n done\n\n if [ \"${#ips[@]}\" -ge 1 ]; then\n echo -e \"${ips[0]}\"\n fi\n}\n\n\ngetConnectionStatus() {\n echo \"Online\"\n}\n\ngetPlatform() {\n echo \"Linux\"\n}\n\nprocessHostInfo() {\n name=$(getHostName)\n os=$(getOsRelease)\n ipaddress=$(getPrimaryIPHost)\n connection_status=$(getConnectionStatus)\n platform=$(getPlatform)\n\n echo -e 
\"\\\"$name\\\",\\\"$ipaddress\\\",\\\"$os\\\",\\\"$connection_status\\\",\\\"$platform\\\"\"\n}\n\nmain() {\n if [ \"$1\" == \"--no-exec\" ]; then\n return 0\n fi\n\n processHostInfo\n}\n\nmain \"$@\"\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e12",
- "name" : "Visual Basic Script",
- "description" : "Executes VBS script on target client",
- "module" : "SystemRuntime",
- "function" : "executeVBS",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "' Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\r\n\r\nstrComputer = \".\"\r\nFirstIP=\"\"\r\nCurrentMac=\"\"\r\nConnectionStatus = \"\"\r\nSet objWMIService=GetObject(\"winmgmts:\" & \"{impersonationLevel=impersonate}!\\\\\" & strComputer & \"\\root\\cimv2\")\r\n\r\nSet NetAdapters = objWMIService.ExecQuery(\"Select * From Win32_NetworkAdapter Where NOT PNPDeviceID LIKE 'ROOT\\\\%'\")\r\nFor Each NetAdapter in NetAdapters\r\n CurrentMac = NetAdapter.MACAddress\r\n Set IPConfigSet = objWMIService.ExecQuery(\"Select * from Win32_NetworkAdapterConfiguration Where IPEnabled=TRUE AND MacAddress = '\" & CurrentMac & \"'\")\r\n For Each IPConfig in IPConfigSet\r\n If Not IsNull(IPConfig.IPAddress) Then\r\n For i=LBound(IPConfig.IPAddress) to UBound(IPConfig.IPAddress)\r\n FirstIP=IPConfig.IPAddress(i)\r\n Exit For\r\n Next\r\n End If\r\n Next\r\nNext\r\n\r\nSet objNet = CreateObject(\"WScript.Network\")\r\nstrCompName = objNet.ComputerName\r\n\r\nSet shell = CreateObject(\"WScript.Shell\")\r\nSet getOSVersion = shell.exec(\"%comspec% /D /c ver\")\r\ngetOSVersion.stdout.readLine\r\nversion = getOSVersion.stdout.readLine\r\n\r\nFunction Registry_Read(Key_Path, Key_Name)\r\n On Error Resume Next\r\n Set Registry = CreateObject(\"WScript.Shell\")\r\n Registry_Read = Registry.RegRead(Key_Path & \"\\\" & Key_Name)\r\nEnd Function\r\n\r\nSet shell_arch = CreateObject(\"WScript.Shell\")\r\nIf shell_arch.ExpandEnvironmentStrings(\"%PROCESSOR_ARCHITECTURE%\") = \"AMD64\" then\r\n ConnectionStatus = Registry_Read(\"HKLM\\SOFTWARE\\WOW6432Node\\Network Associates\\ePolicy Orchestrator\\Application Plugins\\MAR_____1000\",\"connection_status\")\r\nElse\r\n ConnectionStatus = Registry_Read(\"HKLM\\SOFTWARE\\Network Associates\\ePolicy Orchestrator\\Application Plugins\\MAR_____1000\",\"connection_status\")\r\nEnd If\r\n\r\nIf ConnectionStatus = \"false\" then\r\n ConnectionStatus = 
\"Quarantined\"\r\nElse\r\n ConnectionStatus = \"Online\"\r\nEnd If\r\n\r\nplatform = \"Windows\"\r\n\r\nWScript.Echo strCompName & \",\" & FirstIP & \",\" & version & \",\" & ConnectionStatus & \",\" & platform\r\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45cae4b0401274ab7183",
- "name" : "HostInfo SysInfo",
- "description" : "Shows Hostname, 1st IP Address and OS version",
- "module" : "SysInfo",
- "function" : "HostInfo",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8ec2",
- "name" : "hostname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8ec3",
- "name" : "ip_address",
- "type" : "IPV4IPV6",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8ec4",
- "name" : "os",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6346",
- "name" : "connection_status",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 4
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6347",
- "name" : "platform",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 5
- } ]
- },
- "sequence" : "1",
- "output" : [ ]
- }, {
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e97",
- "name" : "NetworkFlow",
- "description" : "Shows the network flow",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e85",
- "name" : "time",
- "type" : "DATE",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e86",
- "name" : "direction",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e87",
- "name" : "src_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e88",
- "name" : "src_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e89",
- "name" : "dst_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e8a",
- "name" : "dst_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e8b",
- "name" : "status",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e8c",
- "name" : "proto",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8e8d",
- "name" : "ip_class",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8e8e",
- "name" : "seq_number",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 10
- }, {
- "id" : "58efec8ee4b0c390d69a8e8f",
- "name" : "src_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 11
- }, {
- "id" : "58efec8ee4b0c390d69a8e90",
- "name" : "dst_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "58efec8ee4b0c390d69a8e91",
- "name" : "process",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 13
- }, {
- "id" : "58efec8ee4b0c390d69a8e92",
- "name" : "process_id",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 14
- }, {
- "id" : "58efec8ee4b0c390d69a8e93",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 15
- }, {
- "id" : "58efec8ee4b0c390d69a8e94",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 16
- }, {
- "id" : "58efec8ee4b0c390d69a8e95",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 17
- }, {
- "id" : "58efec8ee4b0c390d69a8e96",
- "name" : "user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 18
- }, {
- "id" : "5a1a45cbe4b0401274ab7191",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 19
- } ]
- },
- "sequence" : "2",
- "output" : [ ]
- }, {
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e84",
- "name" : "Files",
- "description" : "Shows the existing files",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e15",
- "name" : "Files",
- "description" : "Gets the list of files",
- "module" : "FileHashing",
- "function" : "FindFiles",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e15",
- "name" : "Files",
- "description" : "Gets the list of files",
- "module" : "FileHashing",
- "function" : "FindFiles",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e15",
- "name" : "Files",
- "description" : "Gets the list of files",
- "module" : "FileHashing",
- "function" : "FindFiles",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e7a",
- "name" : "name",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e7b",
- "name" : "dir",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e7c",
- "name" : "full_name",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e7d",
- "name" : "size",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e7e",
- "name" : "last_write",
- "type" : "DATE",
- "byDefault" : false,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e7f",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e80",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e81",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8e82",
- "name" : "created_at",
- "type" : "DATE",
- "byDefault" : false,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8e83",
- "name" : "deleted_at",
- "type" : "DATE",
- "byDefault" : true,
- "sequence" : 10
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6333",
- "name" : "status",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 11
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6334",
- "name" : "create_process_pid",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6335",
- "name" : "create_process_sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 13
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6336",
- "name" : "create_process_full_path",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 14
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6337",
- "name" : "modify_process_pid",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 15
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6338",
- "name" : "modify_process_sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 16
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6339",
- "name" : "modify_process_full_path",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 17
- }, {
- "id" : "5b3f9b64e4b0dfaf321a633a",
- "name" : "delete_process_pid",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 18
- }, {
- "id" : "5b3f9b64e4b0dfaf321a633b",
- "name" : "delete_process_sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 19
- }, {
- "id" : "5b3f9b64e4b0dfaf321a633c",
- "name" : "delete_process_full_path",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 20
- }, {
- "id" : "5b3f9b64e4b0dfaf321a633d",
- "name" : "create_user_domain",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 21
- }, {
- "id" : "5b3f9b64e4b0dfaf321a633e",
- "name" : "create_user_name",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 22
- }, {
- "id" : "5b3f9b64e4b0dfaf321a633f",
- "name" : "create_user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 23
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6340",
- "name" : "modify_user_domain",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 24
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6341",
- "name" : "modify_user_name",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 25
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6342",
- "name" : "modify_user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 26
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6343",
- "name" : "delete_user_domain",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 27
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6344",
- "name" : "delete_user_name",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 28
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6345",
- "name" : "delete_user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 29
- } ]
- },
- "sequence" : "3",
- "output" : [ {
- "id" : "58efec8ee4b0c390d69a8e7c",
- "name" : "full_name",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 3
- } ]
- } ],
- "disjunction" : {
- "conjunctions" : [ {
- "terms" : [ {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8e86",
- "name" : "direction",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 2
- },
- "operator" : "EQUALS",
- "value" : "out",
- "negated" : false,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e97",
- "name" : "NetworkFlow",
- "description" : "Shows the network flow",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e85",
- "name" : "time",
- "type" : "DATE",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e86",
- "name" : "direction",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e87",
- "name" : "src_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e88",
- "name" : "src_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e89",
- "name" : "dst_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e8a",
- "name" : "dst_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e8b",
- "name" : "status",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e8c",
- "name" : "proto",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8e8d",
- "name" : "ip_class",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8e8e",
- "name" : "seq_number",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 10
- }, {
- "id" : "58efec8ee4b0c390d69a8e8f",
- "name" : "src_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 11
- }, {
- "id" : "58efec8ee4b0c390d69a8e90",
- "name" : "dst_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "58efec8ee4b0c390d69a8e91",
- "name" : "process",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 13
- }, {
- "id" : "58efec8ee4b0c390d69a8e92",
- "name" : "process_id",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 14
- }, {
- "id" : "58efec8ee4b0c390d69a8e93",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 15
- }, {
- "id" : "58efec8ee4b0c390d69a8e94",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 16
- }, {
- "id" : "58efec8ee4b0c390d69a8e95",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 17
- }, {
- "id" : "58efec8ee4b0c390d69a8e96",
- "name" : "user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 18
- }, {
- "id" : "5a1a45cbe4b0401274ab7191",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 19
- } ]
- }
- }, {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8e8a",
- "name" : "dst_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 6
- },
- "operator" : "EQUALS",
- "value" : "22",
- "negated" : false,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e97",
- "name" : "NetworkFlow",
- "description" : "Shows the network flow",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e85",
- "name" : "time",
- "type" : "DATE",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e86",
- "name" : "direction",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e87",
- "name" : "src_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e88",
- "name" : "src_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e89",
- "name" : "dst_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e8a",
- "name" : "dst_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e8b",
- "name" : "status",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e8c",
- "name" : "proto",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8e8d",
- "name" : "ip_class",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8e8e",
- "name" : "seq_number",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 10
- }, {
- "id" : "58efec8ee4b0c390d69a8e8f",
- "name" : "src_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 11
- }, {
- "id" : "58efec8ee4b0c390d69a8e90",
- "name" : "dst_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "58efec8ee4b0c390d69a8e91",
- "name" : "process",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 13
- }, {
- "id" : "58efec8ee4b0c390d69a8e92",
- "name" : "process_id",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 14
- }, {
- "id" : "58efec8ee4b0c390d69a8e93",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 15
- }, {
- "id" : "58efec8ee4b0c390d69a8e94",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 16
- }, {
- "id" : "58efec8ee4b0c390d69a8e95",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 17
- }, {
- "id" : "58efec8ee4b0c390d69a8e96",
- "name" : "user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 18
- }, {
- "id" : "5a1a45cbe4b0401274ab7191",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 19
- } ]
- }
- }, {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8e7c",
- "name" : "full_name",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 3
- },
- "operator" : "ENDS_WITH",
- "value" : ".pem",
- "negated" : false,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e84",
- "name" : "Files",
- "description" : "Shows the existing files",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e15",
- "name" : "Files",
- "description" : "Gets the list of files",
- "module" : "FileHashing",
- "function" : "FindFiles",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e15",
- "name" : "Files",
- "description" : "Gets the list of files",
- "module" : "FileHashing",
- "function" : "FindFiles",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e15",
- "name" : "Files",
- "description" : "Gets the list of files",
- "module" : "FileHashing",
- "function" : "FindFiles",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e7a",
- "name" : "name",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e7b",
- "name" : "dir",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e7c",
- "name" : "full_name",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e7d",
- "name" : "size",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e7e",
- "name" : "last_write",
- "type" : "DATE",
- "byDefault" : false,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e7f",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e80",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e81",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8e82",
- "name" : "created_at",
- "type" : "DATE",
- "byDefault" : false,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8e83",
- "name" : "deleted_at",
- "type" : "DATE",
- "byDefault" : true,
- "sequence" : 10
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6333",
- "name" : "status",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 11
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6334",
- "name" : "create_process_pid",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6335",
- "name" : "create_process_sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 13
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6336",
- "name" : "create_process_full_path",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 14
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6337",
- "name" : "modify_process_pid",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 15
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6338",
- "name" : "modify_process_sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 16
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6339",
- "name" : "modify_process_full_path",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 17
- }, {
- "id" : "5b3f9b64e4b0dfaf321a633a",
- "name" : "delete_process_pid",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 18
- }, {
- "id" : "5b3f9b64e4b0dfaf321a633b",
- "name" : "delete_process_sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 19
- }, {
- "id" : "5b3f9b64e4b0dfaf321a633c",
- "name" : "delete_process_full_path",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 20
- }, {
- "id" : "5b3f9b64e4b0dfaf321a633d",
- "name" : "create_user_domain",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 21
- }, {
- "id" : "5b3f9b64e4b0dfaf321a633e",
- "name" : "create_user_name",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 22
- }, {
- "id" : "5b3f9b64e4b0dfaf321a633f",
- "name" : "create_user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 23
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6340",
- "name" : "modify_user_domain",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 24
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6341",
- "name" : "modify_user_name",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 25
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6342",
- "name" : "modify_user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 26
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6343",
- "name" : "delete_user_domain",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 27
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6344",
- "name" : "delete_user_name",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 28
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6345",
- "name" : "delete_user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 29
- } ]
- }
- } ]
- } ]
- },
- "running" : false,
- "createdAt" : 1530900630266,
- "executedAt" : null,
- "status" : "CREATED",
- "ttl" : 60000,
- "startTime" : null,
- "endpointPermission" : null,
- "maGuidsTarget" : null,
- "expectedHostResponses" : 0
- },
- "type" : "com.intel.mar.model.search.Search"
- }, {
- "item" : {
- "catalogVersion" : 1,
- "dbVersion" : 2,
- "id" : "5b3fb096e4b0cbe06dd6731b",
- "name" : "INVESTIGATION-pscp usage",
- "description" : "Shows the host and process where pscp is being run\n",
- "type" : null,
- "expression" : "HostInfo hostname and Processes where Processes name contains \"pscp\"",
- "temporal" : false,
- "invalid" : false,
- "aggregated" : true,
- "projections" : [ {
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8ec5",
- "name" : "HostInfo",
- "description" : "Shows Hostname, 1st IP Address, OS version and Connection Status",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e14",
- "name" : "Bash Script",
- "description" : "Executes Bash script on target client",
- "module" : "SystemRuntime",
- "function" : "executeBash",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "#!/bin/bash\n# Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\n#\n# Purpose: Shows information about host\n#\n# Version: 1\n\ngetOsRelease() {\n if [[ -x /usr/bin/lsb_release ]]; then\n lsb_release -sd\n elif [[ -r /etc/system-release ]]; then\n cat /etc/system-release\n else\n echo -e \"Unknown\"\n fi\n}\n\ngetHostName() {\n hostname -s\n}\n\ngetInterfacesInfoCommand() {\n current_os=$(getOsRelease)\n if [[ $current_os == \"Red Hat\"*\"7.\"* ]]; then\n echo -e \"ip addr show\"\n else\n echo -e \"ifconfig\"\n fi\n}\n\ngetInterfacesDir() {\n echo -e \"/sys/class/net\"\n}\n\nisInterfacePhysical() {\n interface_path=\"$1\"\n if [ -z \"$interface_path\" ]; then\n return 1\n fi\n\n real_location=$(readlink \"$interface_path\")\n if [[ \"$real_location\" =~ \"virtual\" ]]; then\n return 1\n else\n return 0\n fi\n}\n\nparsePrimaryIPInterface() {\n interface_name=\"$1\"\n if [ -z \"$interface_name\" ]; then\n return 1\n fi\n cmd=$(getInterfacesInfoCommand)\n eval \"$cmd $interface_name\" | grep -oE \"\\b([0-9]{1,3}\\.){3}[0-9]{1,3}\\b\" | grep -vE \"^2[2-5]\" | head -n 1\n}\n\ngetPrimaryIPHost() {\n interfaces_dir=$(getInterfacesDir)\n physical_interfaces=()\n\n shopt -s nullglob\n for interface in \"$interfaces_dir\"/*; do\n if isInterfacePhysical \"$interface\"; then\n current_interface=$(basename \"$interface\")\n physical_interfaces+=(\"$current_interface\")\n fi\n done\n shopt -u nullglob\n\n i=0\n for interface in \"${physical_interfaces[@]}\"; do\n ips[$i]=$(parsePrimaryIPInterface \"$interface\")\n ((i++))\n done\n\n if [ \"${#ips[@]}\" -ge 1 ]; then\n echo -e \"${ips[0]}\"\n fi\n}\n\n\ngetConnectionStatus() {\n echo \"Online\"\n}\n\ngetPlatform() {\n echo \"Linux\"\n}\n\nprocessHostInfo() {\n name=$(getHostName)\n os=$(getOsRelease)\n ipaddress=$(getPrimaryIPHost)\n connection_status=$(getConnectionStatus)\n platform=$(getPlatform)\n\n echo -e 
\"\\\"$name\\\",\\\"$ipaddress\\\",\\\"$os\\\",\\\"$connection_status\\\",\\\"$platform\\\"\"\n}\n\nmain() {\n if [ \"$1\" == \"--no-exec\" ]; then\n return 0\n fi\n\n processHostInfo\n}\n\nmain \"$@\"\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e12",
- "name" : "Visual Basic Script",
- "description" : "Executes VBS script on target client",
- "module" : "SystemRuntime",
- "function" : "executeVBS",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "' Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\r\n\r\nstrComputer = \".\"\r\nFirstIP=\"\"\r\nCurrentMac=\"\"\r\nConnectionStatus = \"\"\r\nSet objWMIService=GetObject(\"winmgmts:\" & \"{impersonationLevel=impersonate}!\\\\\" & strComputer & \"\\root\\cimv2\")\r\n\r\nSet NetAdapters = objWMIService.ExecQuery(\"Select * From Win32_NetworkAdapter Where NOT PNPDeviceID LIKE 'ROOT\\\\%'\")\r\nFor Each NetAdapter in NetAdapters\r\n CurrentMac = NetAdapter.MACAddress\r\n Set IPConfigSet = objWMIService.ExecQuery(\"Select * from Win32_NetworkAdapterConfiguration Where IPEnabled=TRUE AND MacAddress = '\" & CurrentMac & \"'\")\r\n For Each IPConfig in IPConfigSet\r\n If Not IsNull(IPConfig.IPAddress) Then\r\n For i=LBound(IPConfig.IPAddress) to UBound(IPConfig.IPAddress)\r\n FirstIP=IPConfig.IPAddress(i)\r\n Exit For\r\n Next\r\n End If\r\n Next\r\nNext\r\n\r\nSet objNet = CreateObject(\"WScript.Network\")\r\nstrCompName = objNet.ComputerName\r\n\r\nSet shell = CreateObject(\"WScript.Shell\")\r\nSet getOSVersion = shell.exec(\"%comspec% /D /c ver\")\r\ngetOSVersion.stdout.readLine\r\nversion = getOSVersion.stdout.readLine\r\n\r\nFunction Registry_Read(Key_Path, Key_Name)\r\n On Error Resume Next\r\n Set Registry = CreateObject(\"WScript.Shell\")\r\n Registry_Read = Registry.RegRead(Key_Path & \"\\\" & Key_Name)\r\nEnd Function\r\n\r\nSet shell_arch = CreateObject(\"WScript.Shell\")\r\nIf shell_arch.ExpandEnvironmentStrings(\"%PROCESSOR_ARCHITECTURE%\") = \"AMD64\" then\r\n ConnectionStatus = Registry_Read(\"HKLM\\SOFTWARE\\WOW6432Node\\Network Associates\\ePolicy Orchestrator\\Application Plugins\\MAR_____1000\",\"connection_status\")\r\nElse\r\n ConnectionStatus = Registry_Read(\"HKLM\\SOFTWARE\\Network Associates\\ePolicy Orchestrator\\Application Plugins\\MAR_____1000\",\"connection_status\")\r\nEnd If\r\n\r\nIf ConnectionStatus = \"false\" then\r\n ConnectionStatus = 
\"Quarantined\"\r\nElse\r\n ConnectionStatus = \"Online\"\r\nEnd If\r\n\r\nplatform = \"Windows\"\r\n\r\nWScript.Echo strCompName & \",\" & FirstIP & \",\" & version & \",\" & ConnectionStatus & \",\" & platform\r\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45cae4b0401274ab7183",
- "name" : "HostInfo SysInfo",
- "description" : "Shows Hostname, 1st IP Address and OS version",
- "module" : "SysInfo",
- "function" : "HostInfo",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8ec2",
- "name" : "hostname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8ec3",
- "name" : "ip_address",
- "type" : "IPV4IPV6",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8ec4",
- "name" : "os",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6346",
- "name" : "connection_status",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 4
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6347",
- "name" : "platform",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 5
- } ]
- },
- "sequence" : "1",
- "output" : [ {
- "id" : "58efec8ee4b0c390d69a8ec2",
- "name" : "hostname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1
- } ]
- }, {
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e79",
- "name" : "Processes",
- "description" : "Shows the running processes",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e10",
- "name" : "Running Processes",
- "description" : "Obtains the list of the running processes",
- "module" : "SystemInfo",
- "function" : "CollectProcess",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e10",
- "name" : "Running Processes",
- "description" : "Obtains the list of the running processes",
- "module" : "SystemInfo",
- "function" : "CollectProcess",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e10",
- "name" : "Running Processes",
- "description" : "Obtains the list of the running processes",
- "module" : "SystemInfo",
- "function" : "CollectProcess",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e6a",
- "name" : "name",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e6b",
- "name" : "id",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e6c",
- "name" : "threadcount",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e6d",
- "name" : "parentid",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e6e",
- "name" : "parentname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 999
- }, {
- "id" : "5a1a45cae4b0401274ab718e",
- "name" : "parentimagepath",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1000
- }, {
- "id" : "5a1a45cae4b0401274ab718f",
- "name" : "file_reputation",
- "type" : "REPUTATION",
- "byDefault" : false,
- "sequence" : 1001
- }, {
- "id" : "5b3f9b64e4b0dfaf321a630e",
- "name" : "process_reputation",
- "type" : "REPUTATION",
- "byDefault" : false,
- "sequence" : 1002
- }, {
- "id" : "5b3f9b64e4b0dfaf321a630f",
- "name" : "started_at",
- "type" : "DATE",
- "byDefault" : false,
- "sequence" : 1003
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6310",
- "name" : "content_size",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 1004
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6311",
- "name" : "content",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1005
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6312",
- "name" : "content_file",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1006
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6313",
- "name" : "execution_mode",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1007
- }, {
- "id" : "58efec8ee4b0c390d69a8e6f",
- "name" : "size",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e70",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e71",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e72",
- "name" : "cmdline",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8e73",
- "name" : "imagepath",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8e74",
- "name" : "kerneltime",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 10
- }, {
- "id" : "58efec8ee4b0c390d69a8e75",
- "name" : "usertime",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 11
- }, {
- "id" : "58efec8ee4b0c390d69a8e76",
- "name" : "uptime",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "58efec8ee4b0c390d69a8e77",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 13
- }, {
- "id" : "58efec8ee4b0c390d69a8e78",
- "name" : "user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 14
- }, {
- "id" : "5a1a45cae4b0401274ab7190",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 15
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6314",
- "name" : "normalized_cmdline",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1009
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6315",
- "name" : "parent_cmdline",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1010
- } ]
- },
- "sequence" : "2",
- "output" : [ ]
- } ],
- "disjunction" : {
- "conjunctions" : [ {
- "terms" : [ {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8e6a",
- "name" : "name",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 1
- },
- "operator" : "CONTAINS",
- "value" : "pscp",
- "negated" : false,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e79",
- "name" : "Processes",
- "description" : "Shows the running processes",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e10",
- "name" : "Running Processes",
- "description" : "Obtains the list of the running processes",
- "module" : "SystemInfo",
- "function" : "CollectProcess",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e10",
- "name" : "Running Processes",
- "description" : "Obtains the list of the running processes",
- "module" : "SystemInfo",
- "function" : "CollectProcess",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e10",
- "name" : "Running Processes",
- "description" : "Obtains the list of the running processes",
- "module" : "SystemInfo",
- "function" : "CollectProcess",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e6a",
- "name" : "name",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e6b",
- "name" : "id",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e6c",
- "name" : "threadcount",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e6d",
- "name" : "parentid",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e6e",
- "name" : "parentname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 999
- }, {
- "id" : "5a1a45cae4b0401274ab718e",
- "name" : "parentimagepath",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1000
- }, {
- "id" : "5a1a45cae4b0401274ab718f",
- "name" : "file_reputation",
- "type" : "REPUTATION",
- "byDefault" : false,
- "sequence" : 1001
- }, {
- "id" : "5b3f9b64e4b0dfaf321a630e",
- "name" : "process_reputation",
- "type" : "REPUTATION",
- "byDefault" : false,
- "sequence" : 1002
- }, {
- "id" : "5b3f9b64e4b0dfaf321a630f",
- "name" : "started_at",
- "type" : "DATE",
- "byDefault" : false,
- "sequence" : 1003
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6310",
- "name" : "content_size",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 1004
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6311",
- "name" : "content",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1005
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6312",
- "name" : "content_file",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1006
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6313",
- "name" : "execution_mode",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1007
- }, {
- "id" : "58efec8ee4b0c390d69a8e6f",
- "name" : "size",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e70",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e71",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e72",
- "name" : "cmdline",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8e73",
- "name" : "imagepath",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8e74",
- "name" : "kerneltime",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 10
- }, {
- "id" : "58efec8ee4b0c390d69a8e75",
- "name" : "usertime",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 11
- }, {
- "id" : "58efec8ee4b0c390d69a8e76",
- "name" : "uptime",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "58efec8ee4b0c390d69a8e77",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 13
- }, {
- "id" : "58efec8ee4b0c390d69a8e78",
- "name" : "user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 14
- }, {
- "id" : "5a1a45cae4b0401274ab7190",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 15
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6314",
- "name" : "normalized_cmdline",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1009
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6315",
- "name" : "parent_cmdline",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1010
- } ]
- }
- } ]
- } ]
- },
- "running" : false,
- "createdAt" : 1530900630283,
- "executedAt" : null,
- "status" : "CREATED",
- "ttl" : 60000,
- "startTime" : null,
- "endpointPermission" : null,
- "maGuidsTarget" : null,
- "expectedHostResponses" : 0
- },
- "type" : "com.intel.mar.model.search.Search"
- }, {
- "item" : {
- "catalogVersion" : 1,
- "dbVersion" : 2,
- "id" : "5b3fb096e4b0cbe06dd6731c",
- "name" : "Manual Proxy Settings Enabled",
- "description" : "",
- "type" : null,
- "expression" : null,
- "temporal" : false,
- "invalid" : false,
- "aggregated" : false,
- "projections" : [ {
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8ec5",
- "name" : "HostInfo",
- "description" : "Shows Hostname, 1st IP Address, OS version and Connection Status",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e14",
- "name" : "Bash Script",
- "description" : "Executes Bash script on target client",
- "module" : "SystemRuntime",
- "function" : "executeBash",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "#!/bin/bash\n# Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\n#\n# Purpose: Shows information about host\n#\n# Version: 1\n\ngetOsRelease() {\n if [[ -x /usr/bin/lsb_release ]]; then\n lsb_release -sd\n elif [[ -r /etc/system-release ]]; then\n cat /etc/system-release\n else\n echo -e \"Unknown\"\n fi\n}\n\ngetHostName() {\n hostname -s\n}\n\ngetInterfacesInfoCommand() {\n current_os=$(getOsRelease)\n if [[ $current_os == \"Red Hat\"*\"7.\"* ]]; then\n echo -e \"ip addr show\"\n else\n echo -e \"ifconfig\"\n fi\n}\n\ngetInterfacesDir() {\n echo -e \"/sys/class/net\"\n}\n\nisInterfacePhysical() {\n interface_path=\"$1\"\n if [ -z \"$interface_path\" ]; then\n return 1\n fi\n\n real_location=$(readlink \"$interface_path\")\n if [[ \"$real_location\" =~ \"virtual\" ]]; then\n return 1\n else\n return 0\n fi\n}\n\nparsePrimaryIPInterface() {\n interface_name=\"$1\"\n if [ -z \"$interface_name\" ]; then\n return 1\n fi\n cmd=$(getInterfacesInfoCommand)\n eval \"$cmd $interface_name\" | grep -oE \"\\b([0-9]{1,3}\\.){3}[0-9]{1,3}\\b\" | grep -vE \"^2[2-5]\" | head -n 1\n}\n\ngetPrimaryIPHost() {\n interfaces_dir=$(getInterfacesDir)\n physical_interfaces=()\n\n shopt -s nullglob\n for interface in \"$interfaces_dir\"/*; do\n if isInterfacePhysical \"$interface\"; then\n current_interface=$(basename \"$interface\")\n physical_interfaces+=(\"$current_interface\")\n fi\n done\n shopt -u nullglob\n\n i=0\n for interface in \"${physical_interfaces[@]}\"; do\n ips[$i]=$(parsePrimaryIPInterface \"$interface\")\n ((i++))\n done\n\n if [ \"${#ips[@]}\" -ge 1 ]; then\n echo -e \"${ips[0]}\"\n fi\n}\n\n\ngetConnectionStatus() {\n echo \"Online\"\n}\n\ngetPlatform() {\n echo \"Linux\"\n}\n\nprocessHostInfo() {\n name=$(getHostName)\n os=$(getOsRelease)\n ipaddress=$(getPrimaryIPHost)\n connection_status=$(getConnectionStatus)\n platform=$(getPlatform)\n\n echo -e 
\"\\\"$name\\\",\\\"$ipaddress\\\",\\\"$os\\\",\\\"$connection_status\\\",\\\"$platform\\\"\"\n}\n\nmain() {\n if [ \"$1\" == \"--no-exec\" ]; then\n return 0\n fi\n\n processHostInfo\n}\n\nmain \"$@\"\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e12",
- "name" : "Visual Basic Script",
- "description" : "Executes VBS script on target client",
- "module" : "SystemRuntime",
- "function" : "executeVBS",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "' Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\r\n\r\nstrComputer = \".\"\r\nFirstIP=\"\"\r\nCurrentMac=\"\"\r\nConnectionStatus = \"\"\r\nSet objWMIService=GetObject(\"winmgmts:\" & \"{impersonationLevel=impersonate}!\\\\\" & strComputer & \"\\root\\cimv2\")\r\n\r\nSet NetAdapters = objWMIService.ExecQuery(\"Select * From Win32_NetworkAdapter Where NOT PNPDeviceID LIKE 'ROOT\\\\%'\")\r\nFor Each NetAdapter in NetAdapters\r\n CurrentMac = NetAdapter.MACAddress\r\n Set IPConfigSet = objWMIService.ExecQuery(\"Select * from Win32_NetworkAdapterConfiguration Where IPEnabled=TRUE AND MacAddress = '\" & CurrentMac & \"'\")\r\n For Each IPConfig in IPConfigSet\r\n If Not IsNull(IPConfig.IPAddress) Then\r\n For i=LBound(IPConfig.IPAddress) to UBound(IPConfig.IPAddress)\r\n FirstIP=IPConfig.IPAddress(i)\r\n Exit For\r\n Next\r\n End If\r\n Next\r\nNext\r\n\r\nSet objNet = CreateObject(\"WScript.Network\")\r\nstrCompName = objNet.ComputerName\r\n\r\nSet shell = CreateObject(\"WScript.Shell\")\r\nSet getOSVersion = shell.exec(\"%comspec% /D /c ver\")\r\ngetOSVersion.stdout.readLine\r\nversion = getOSVersion.stdout.readLine\r\n\r\nFunction Registry_Read(Key_Path, Key_Name)\r\n On Error Resume Next\r\n Set Registry = CreateObject(\"WScript.Shell\")\r\n Registry_Read = Registry.RegRead(Key_Path & \"\\\" & Key_Name)\r\nEnd Function\r\n\r\nSet shell_arch = CreateObject(\"WScript.Shell\")\r\nIf shell_arch.ExpandEnvironmentStrings(\"%PROCESSOR_ARCHITECTURE%\") = \"AMD64\" then\r\n ConnectionStatus = Registry_Read(\"HKLM\\SOFTWARE\\WOW6432Node\\Network Associates\\ePolicy Orchestrator\\Application Plugins\\MAR_____1000\",\"connection_status\")\r\nElse\r\n ConnectionStatus = Registry_Read(\"HKLM\\SOFTWARE\\Network Associates\\ePolicy Orchestrator\\Application Plugins\\MAR_____1000\",\"connection_status\")\r\nEnd If\r\n\r\nIf ConnectionStatus = \"false\" then\r\n ConnectionStatus = 
\"Quarantined\"\r\nElse\r\n ConnectionStatus = \"Online\"\r\nEnd If\r\n\r\nplatform = \"Windows\"\r\n\r\nWScript.Echo strCompName & \",\" & FirstIP & \",\" & version & \",\" & ConnectionStatus & \",\" & platform\r\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45cae4b0401274ab7183",
- "name" : "HostInfo SysInfo",
- "description" : "Shows Hostname, 1st IP Address and OS version",
- "module" : "SysInfo",
- "function" : "HostInfo",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8ec2",
- "name" : "hostname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8ec3",
- "name" : "ip_address",
- "type" : "IPV4IPV6",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8ec4",
- "name" : "os",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6346",
- "name" : "connection_status",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 4
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6347",
- "name" : "platform",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 5
- } ]
- },
- "sequence" : "1",
- "output" : [ {
- "id" : "58efec8ee4b0c390d69a8ec2",
- "name" : "hostname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8ec3",
- "name" : "ip_address",
- "type" : "IPV4IPV6",
- "byDefault" : false,
- "sequence" : 2
- } ]
- }, {
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8ea9",
- "name" : "WinRegistry",
- "description" : "Shows the registry keys",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e31",
- "name" : "WinRegistry",
- "description" : "Gets registry key info",
- "module" : "WinRegistry",
- "function" : "FindRegistry",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e51",
- "name" : "NotAvailable",
- "description" : "Capability not available",
- "module" : "Internal",
- "function" : "GetFalseResult",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- } ],
- "platformSettings" : [ ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e51",
- "name" : "NotAvailable",
- "description" : "Capability not available",
- "module" : "Internal",
- "function" : "GetFalseResult",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- } ],
- "platformSettings" : [ ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ ]
- },
- "content" : null,
- "arguments" : null,
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8ea5",
- "name" : "keypath",
- "type" : "REG_PATH",
- "byDefault" : false,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8ea6",
- "name" : "keyvalue",
- "type" : "REG_STR",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8ea7",
- "name" : "valuedata",
- "type" : "REG_STR",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8ea8",
- "name" : "valuetype",
- "type" : "REG_STR",
- "byDefault" : false,
- "sequence" : 4
- } ]
- },
- "sequence" : "2",
- "output" : [ ]
- } ],
- "disjunction" : {
- "conjunctions" : [ {
- "terms" : [ {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8ea5",
- "name" : "keypath",
- "type" : "REG_PATH",
- "byDefault" : false,
- "sequence" : 1
- },
- "operator" : "EQUALS",
- "value" : "HKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS",
- "negated" : false,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8ea9",
- "name" : "WinRegistry",
- "description" : "Shows the registry keys",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e31",
- "name" : "WinRegistry",
- "description" : "Gets registry key info",
- "module" : "WinRegistry",
- "function" : "FindRegistry",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e51",
- "name" : "NotAvailable",
- "description" : "Capability not available",
- "module" : "Internal",
- "function" : "GetFalseResult",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- } ],
- "platformSettings" : [ ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e51",
- "name" : "NotAvailable",
- "description" : "Capability not available",
- "module" : "Internal",
- "function" : "GetFalseResult",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- } ],
- "platformSettings" : [ ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ ]
- },
- "content" : null,
- "arguments" : null,
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8ea5",
- "name" : "keypath",
- "type" : "REG_PATH",
- "byDefault" : false,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8ea6",
- "name" : "keyvalue",
- "type" : "REG_STR",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8ea7",
- "name" : "valuedata",
- "type" : "REG_STR",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8ea8",
- "name" : "valuetype",
- "type" : "REG_STR",
- "byDefault" : false,
- "sequence" : 4
- } ]
- }
- }, {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8ea6",
- "name" : "keyvalue",
- "type" : "REG_STR",
- "byDefault" : false,
- "sequence" : 2
- },
- "operator" : "EQUALS",
- "value" : "PROXYENABLE",
- "negated" : false,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8ea9",
- "name" : "WinRegistry",
- "description" : "Shows the registry keys",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e31",
- "name" : "WinRegistry",
- "description" : "Gets registry key info",
- "module" : "WinRegistry",
- "function" : "FindRegistry",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e51",
- "name" : "NotAvailable",
- "description" : "Capability not available",
- "module" : "Internal",
- "function" : "GetFalseResult",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- } ],
- "platformSettings" : [ ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e51",
- "name" : "NotAvailable",
- "description" : "Capability not available",
- "module" : "Internal",
- "function" : "GetFalseResult",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- } ],
- "platformSettings" : [ ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ ]
- },
- "content" : null,
- "arguments" : null,
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8ea5",
- "name" : "keypath",
- "type" : "REG_PATH",
- "byDefault" : false,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8ea6",
- "name" : "keyvalue",
- "type" : "REG_STR",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8ea7",
- "name" : "valuedata",
- "type" : "REG_STR",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8ea8",
- "name" : "valuetype",
- "type" : "REG_STR",
- "byDefault" : false,
- "sequence" : 4
- } ]
- }
- }, {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8ea7",
- "name" : "valuedata",
- "type" : "REG_STR",
- "byDefault" : false,
- "sequence" : 3
- },
- "operator" : "CONTAINS",
- "value" : "1",
- "negated" : false,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8ea9",
- "name" : "WinRegistry",
- "description" : "Shows the registry keys",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e31",
- "name" : "WinRegistry",
- "description" : "Gets registry key info",
- "module" : "WinRegistry",
- "function" : "FindRegistry",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e51",
- "name" : "NotAvailable",
- "description" : "Capability not available",
- "module" : "Internal",
- "function" : "GetFalseResult",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- } ],
- "platformSettings" : [ ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e51",
- "name" : "NotAvailable",
- "description" : "Capability not available",
- "module" : "Internal",
- "function" : "GetFalseResult",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- } ],
- "platformSettings" : [ ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ ]
- },
- "content" : null,
- "arguments" : null,
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8ea5",
- "name" : "keypath",
- "type" : "REG_PATH",
- "byDefault" : false,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8ea6",
- "name" : "keyvalue",
- "type" : "REG_STR",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8ea7",
- "name" : "valuedata",
- "type" : "REG_STR",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8ea8",
- "name" : "valuetype",
- "type" : "REG_STR",
- "byDefault" : false,
- "sequence" : 4
- } ]
- }
- }, {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8ea6",
- "name" : "keyvalue",
- "type" : "REG_STR",
- "byDefault" : false,
- "sequence" : 2
- },
- "operator" : "EQUALS",
- "value" : "PROXYENABLE",
- "negated" : false,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8ea9",
- "name" : "WinRegistry",
- "description" : "Shows the registry keys",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e31",
- "name" : "WinRegistry",
- "description" : "Gets registry key info",
- "module" : "WinRegistry",
- "function" : "FindRegistry",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e51",
- "name" : "NotAvailable",
- "description" : "Capability not available",
- "module" : "Internal",
- "function" : "GetFalseResult",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- } ],
- "platformSettings" : [ ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e51",
- "name" : "NotAvailable",
- "description" : "Capability not available",
- "module" : "Internal",
- "function" : "GetFalseResult",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- } ],
- "platformSettings" : [ ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ ]
- },
- "content" : null,
- "arguments" : null,
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8ea5",
- "name" : "keypath",
- "type" : "REG_PATH",
- "byDefault" : false,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8ea6",
- "name" : "keyvalue",
- "type" : "REG_STR",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8ea7",
- "name" : "valuedata",
- "type" : "REG_STR",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8ea8",
- "name" : "valuetype",
- "type" : "REG_STR",
- "byDefault" : false,
- "sequence" : 4
- } ]
- }
- } ]
- } ]
- },
- "running" : false,
- "createdAt" : 1530900630290,
- "executedAt" : null,
- "status" : "CREATED",
- "ttl" : 60000,
- "startTime" : null,
- "endpointPermission" : null,
- "maGuidsTarget" : null,
- "expectedHostResponses" : 0
- },
- "type" : "com.intel.mar.model.search.Search"
- }, {
- "item" : {
- "catalogVersion" : 1,
- "dbVersion" : 2,
- "id" : "5b3fb096e4b0cbe06dd6731d",
- "name" : "Memory Utilization per Process",
- "description" : "",
- "type" : null,
- "expression" : null,
- "temporal" : false,
- "invalid" : false,
- "aggregated" : false,
- "projections" : [ {
- "collector" : {
- "catalogVersion" : 1,
- "dbVersion" : 2,
- "id" : "5b3fb07ce4b0cbe06dd672fd",
- "name" : "MemoryUsage",
- "description" : "Executes VBS script on target client to return memory utilization per process",
- "type" : "CUSTOM",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e51",
- "name" : "NotAvailable",
- "description" : "Capability not available",
- "module" : "Internal",
- "function" : "GetFalseResult",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- } ],
- "platformSettings" : [ ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ ]
- },
- "content" : null,
- "arguments" : null,
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e12",
- "name" : "Visual Basic Script",
- "description" : "Executes VBS script on target client",
- "module" : "SystemRuntime",
- "function" : "executeVBS",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "' Copyright (C) 2017 McAfee, Inc. All Rights Reserved.\n'\n' This script will output the memory utilization\n'\nOption Explicit\nOn Error Resume Next\n' ***********************************************\n' Declare all variables\n' ***********************************************\nDim objShell, objPing, line, strFull\nSet objShell = CreateObject(\"WScript.Shell\")\n' ***********************************************\nSet objPing = objShell.Exec(\"cmd /c tasklist /NH /FO CSV\")\nDo Until objPing.Stdout.atEndOfStream = True\n\tline = objPing.StdOut.ReadLine()\n\tstrFull = Replace(Replace(Replace(Replace(line,\"\"\",\"\"\",\"zzz\"),\",\",\"\"),\"zzz\",\",\"),\"\"\"\",\"\")\n\tWscript.echo LEFT(strFull, (LEN(strFull)-2))\nLoop",
- "arguments" : null,
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e51",
- "name" : "NotAvailable",
- "description" : "Capability not available",
- "module" : "Internal",
- "function" : "GetFalseResult",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- } ],
- "platformSettings" : [ ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ ]
- },
- "content" : null,
- "arguments" : null,
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "5b3fb07ce4b0cbe06dd672d8",
- "name" : "image_name",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "5b3fb07ce4b0cbe06dd672d9",
- "name" : "pid",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "5b3fb07ce4b0cbe06dd672da",
- "name" : "session_name",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 3
- }, {
- "id" : "5b3fb07ce4b0cbe06dd672db",
- "name" : "session_number",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 4
- }, {
- "id" : "5b3fb07ce4b0cbe06dd672dc",
- "name" : "mem_usage_kb",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 5
- } ]
- },
- "sequence" : "1",
- "output" : [ {
- "id" : "5b3fb07ce4b0cbe06dd672d8",
- "name" : "image_name",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "5b3fb07ce4b0cbe06dd672d9",
- "name" : "pid",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "5b3fb07ce4b0cbe06dd672da",
- "name" : "session_name",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 3
- }, {
- "id" : "5b3fb07ce4b0cbe06dd672db",
- "name" : "session_number",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 4
- }, {
- "id" : "5b3fb07ce4b0cbe06dd672dc",
- "name" : "mem_usage_kb",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 5
- } ]
- } ],
- "disjunction" : {
- "conjunctions" : [ {
- "terms" : [ {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8ec2",
- "name" : "hostname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1
- },
- "operator" : "EQUALS",
- "value" : "WIN71",
- "negated" : false,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8ec5",
- "name" : "HostInfo",
- "description" : "Shows Hostname, 1st IP Address, OS version and Connection Status",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e14",
- "name" : "Bash Script",
- "description" : "Executes Bash script on target client",
- "module" : "SystemRuntime",
- "function" : "executeBash",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "#!/bin/bash\n# Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\n#\n# Purpose: Shows information about host\n#\n# Version: 1\n\ngetOsRelease() {\n if [[ -x /usr/bin/lsb_release ]]; then\n lsb_release -sd\n elif [[ -r /etc/system-release ]]; then\n cat /etc/system-release\n else\n echo -e \"Unknown\"\n fi\n}\n\ngetHostName() {\n hostname -s\n}\n\ngetInterfacesInfoCommand() {\n current_os=$(getOsRelease)\n if [[ $current_os == \"Red Hat\"*\"7.\"* ]]; then\n echo -e \"ip addr show\"\n else\n echo -e \"ifconfig\"\n fi\n}\n\ngetInterfacesDir() {\n echo -e \"/sys/class/net\"\n}\n\nisInterfacePhysical() {\n interface_path=\"$1\"\n if [ -z \"$interface_path\" ]; then\n return 1\n fi\n\n real_location=$(readlink \"$interface_path\")\n if [[ \"$real_location\" =~ \"virtual\" ]]; then\n return 1\n else\n return 0\n fi\n}\n\nparsePrimaryIPInterface() {\n interface_name=\"$1\"\n if [ -z \"$interface_name\" ]; then\n return 1\n fi\n cmd=$(getInterfacesInfoCommand)\n eval \"$cmd $interface_name\" | grep -oE \"\\b([0-9]{1,3}\\.){3}[0-9]{1,3}\\b\" | grep -vE \"^2[2-5]\" | head -n 1\n}\n\ngetPrimaryIPHost() {\n interfaces_dir=$(getInterfacesDir)\n physical_interfaces=()\n\n shopt -s nullglob\n for interface in \"$interfaces_dir\"/*; do\n if isInterfacePhysical \"$interface\"; then\n current_interface=$(basename \"$interface\")\n physical_interfaces+=(\"$current_interface\")\n fi\n done\n shopt -u nullglob\n\n i=0\n for interface in \"${physical_interfaces[@]}\"; do\n ips[$i]=$(parsePrimaryIPInterface \"$interface\")\n ((i++))\n done\n\n if [ \"${#ips[@]}\" -ge 1 ]; then\n echo -e \"${ips[0]}\"\n fi\n}\n\n\ngetConnectionStatus() {\n echo \"Online\"\n}\n\ngetPlatform() {\n echo \"Linux\"\n}\n\nprocessHostInfo() {\n name=$(getHostName)\n os=$(getOsRelease)\n ipaddress=$(getPrimaryIPHost)\n connection_status=$(getConnectionStatus)\n platform=$(getPlatform)\n\n echo -e 
\"\\\"$name\\\",\\\"$ipaddress\\\",\\\"$os\\\",\\\"$connection_status\\\",\\\"$platform\\\"\"\n}\n\nmain() {\n if [ \"$1\" == \"--no-exec\" ]; then\n return 0\n fi\n\n processHostInfo\n}\n\nmain \"$@\"\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e12",
- "name" : "Visual Basic Script",
- "description" : "Executes VBS script on target client",
- "module" : "SystemRuntime",
- "function" : "executeVBS",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "' Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\r\n\r\nstrComputer = \".\"\r\nFirstIP=\"\"\r\nCurrentMac=\"\"\r\nConnectionStatus = \"\"\r\nSet objWMIService=GetObject(\"winmgmts:\" & \"{impersonationLevel=impersonate}!\\\\\" & strComputer & \"\\root\\cimv2\")\r\n\r\nSet NetAdapters = objWMIService.ExecQuery(\"Select * From Win32_NetworkAdapter Where NOT PNPDeviceID LIKE 'ROOT\\\\%'\")\r\nFor Each NetAdapter in NetAdapters\r\n CurrentMac = NetAdapter.MACAddress\r\n Set IPConfigSet = objWMIService.ExecQuery(\"Select * from Win32_NetworkAdapterConfiguration Where IPEnabled=TRUE AND MacAddress = '\" & CurrentMac & \"'\")\r\n For Each IPConfig in IPConfigSet\r\n If Not IsNull(IPConfig.IPAddress) Then\r\n For i=LBound(IPConfig.IPAddress) to UBound(IPConfig.IPAddress)\r\n FirstIP=IPConfig.IPAddress(i)\r\n Exit For\r\n Next\r\n End If\r\n Next\r\nNext\r\n\r\nSet objNet = CreateObject(\"WScript.Network\")\r\nstrCompName = objNet.ComputerName\r\n\r\nSet shell = CreateObject(\"WScript.Shell\")\r\nSet getOSVersion = shell.exec(\"%comspec% /D /c ver\")\r\ngetOSVersion.stdout.readLine\r\nversion = getOSVersion.stdout.readLine\r\n\r\nFunction Registry_Read(Key_Path, Key_Name)\r\n On Error Resume Next\r\n Set Registry = CreateObject(\"WScript.Shell\")\r\n Registry_Read = Registry.RegRead(Key_Path & \"\\\" & Key_Name)\r\nEnd Function\r\n\r\nSet shell_arch = CreateObject(\"WScript.Shell\")\r\nIf shell_arch.ExpandEnvironmentStrings(\"%PROCESSOR_ARCHITECTURE%\") = \"AMD64\" then\r\n ConnectionStatus = Registry_Read(\"HKLM\\SOFTWARE\\WOW6432Node\\Network Associates\\ePolicy Orchestrator\\Application Plugins\\MAR_____1000\",\"connection_status\")\r\nElse\r\n ConnectionStatus = Registry_Read(\"HKLM\\SOFTWARE\\Network Associates\\ePolicy Orchestrator\\Application Plugins\\MAR_____1000\",\"connection_status\")\r\nEnd If\r\n\r\nIf ConnectionStatus = \"false\" then\r\n ConnectionStatus = 
\"Quarantined\"\r\nElse\r\n ConnectionStatus = \"Online\"\r\nEnd If\r\n\r\nplatform = \"Windows\"\r\n\r\nWScript.Echo strCompName & \",\" & FirstIP & \",\" & version & \",\" & ConnectionStatus & \",\" & platform\r\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45cae4b0401274ab7183",
- "name" : "HostInfo SysInfo",
- "description" : "Shows Hostname, 1st IP Address and OS version",
- "module" : "SysInfo",
- "function" : "HostInfo",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8ec2",
- "name" : "hostname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8ec3",
- "name" : "ip_address",
- "type" : "IPV4IPV6",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8ec4",
- "name" : "os",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6346",
- "name" : "connection_status",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 4
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6347",
- "name" : "platform",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 5
- } ]
- }
- } ]
- } ]
- },
- "running" : false,
- "createdAt" : 1530900630298,
- "executedAt" : null,
- "status" : "CREATED",
- "ttl" : 60000,
- "startTime" : null,
- "endpointPermission" : null,
- "maGuidsTarget" : null,
- "expectedHostResponses" : 0
- },
- "type" : "com.intel.mar.model.search.Search"
- }, {
- "item" : {
- "catalogVersion" : 1,
- "dbVersion" : 2,
- "id" : "5b3fb096e4b0cbe06dd6731e",
- "name" : "Netflow Details",
- "description" : "Provides netflow information based on the host and a defined time window",
- "type" : null,
- "expression" : null,
- "temporal" : false,
- "invalid" : false,
- "aggregated" : false,
- "projections" : [ {
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8ec5",
- "name" : "HostInfo",
- "description" : "Shows Hostname, 1st IP Address, OS version and Connection Status",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e14",
- "name" : "Bash Script",
- "description" : "Executes Bash script on target client",
- "module" : "SystemRuntime",
- "function" : "executeBash",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "#!/bin/bash\n# Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\n#\n# Purpose: Shows information about host\n#\n# Version: 1\n\ngetOsRelease() {\n if [[ -x /usr/bin/lsb_release ]]; then\n lsb_release -sd\n elif [[ -r /etc/system-release ]]; then\n cat /etc/system-release\n else\n echo -e \"Unknown\"\n fi\n}\n\ngetHostName() {\n hostname -s\n}\n\ngetInterfacesInfoCommand() {\n current_os=$(getOsRelease)\n if [[ $current_os == \"Red Hat\"*\"7.\"* ]]; then\n echo -e \"ip addr show\"\n else\n echo -e \"ifconfig\"\n fi\n}\n\ngetInterfacesDir() {\n echo -e \"/sys/class/net\"\n}\n\nisInterfacePhysical() {\n interface_path=\"$1\"\n if [ -z \"$interface_path\" ]; then\n return 1\n fi\n\n real_location=$(readlink \"$interface_path\")\n if [[ \"$real_location\" =~ \"virtual\" ]]; then\n return 1\n else\n return 0\n fi\n}\n\nparsePrimaryIPInterface() {\n interface_name=\"$1\"\n if [ -z \"$interface_name\" ]; then\n return 1\n fi\n cmd=$(getInterfacesInfoCommand)\n eval \"$cmd $interface_name\" | grep -oE \"\\b([0-9]{1,3}\\.){3}[0-9]{1,3}\\b\" | grep -vE \"^2[2-5]\" | head -n 1\n}\n\ngetPrimaryIPHost() {\n interfaces_dir=$(getInterfacesDir)\n physical_interfaces=()\n\n shopt -s nullglob\n for interface in \"$interfaces_dir\"/*; do\n if isInterfacePhysical \"$interface\"; then\n current_interface=$(basename \"$interface\")\n physical_interfaces+=(\"$current_interface\")\n fi\n done\n shopt -u nullglob\n\n i=0\n for interface in \"${physical_interfaces[@]}\"; do\n ips[$i]=$(parsePrimaryIPInterface \"$interface\")\n ((i++))\n done\n\n if [ \"${#ips[@]}\" -ge 1 ]; then\n echo -e \"${ips[0]}\"\n fi\n}\n\n\ngetConnectionStatus() {\n echo \"Online\"\n}\n\ngetPlatform() {\n echo \"Linux\"\n}\n\nprocessHostInfo() {\n name=$(getHostName)\n os=$(getOsRelease)\n ipaddress=$(getPrimaryIPHost)\n connection_status=$(getConnectionStatus)\n platform=$(getPlatform)\n\n echo -e 
\"\\\"$name\\\",\\\"$ipaddress\\\",\\\"$os\\\",\\\"$connection_status\\\",\\\"$platform\\\"\"\n}\n\nmain() {\n if [ \"$1\" == \"--no-exec\" ]; then\n return 0\n fi\n\n processHostInfo\n}\n\nmain \"$@\"\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e12",
- "name" : "Visual Basic Script",
- "description" : "Executes VBS script on target client",
- "module" : "SystemRuntime",
- "function" : "executeVBS",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "' Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\r\n\r\nstrComputer = \".\"\r\nFirstIP=\"\"\r\nCurrentMac=\"\"\r\nConnectionStatus = \"\"\r\nSet objWMIService=GetObject(\"winmgmts:\" & \"{impersonationLevel=impersonate}!\\\\\" & strComputer & \"\\root\\cimv2\")\r\n\r\nSet NetAdapters = objWMIService.ExecQuery(\"Select * From Win32_NetworkAdapter Where NOT PNPDeviceID LIKE 'ROOT\\\\%'\")\r\nFor Each NetAdapter in NetAdapters\r\n CurrentMac = NetAdapter.MACAddress\r\n Set IPConfigSet = objWMIService.ExecQuery(\"Select * from Win32_NetworkAdapterConfiguration Where IPEnabled=TRUE AND MacAddress = '\" & CurrentMac & \"'\")\r\n For Each IPConfig in IPConfigSet\r\n If Not IsNull(IPConfig.IPAddress) Then\r\n For i=LBound(IPConfig.IPAddress) to UBound(IPConfig.IPAddress)\r\n FirstIP=IPConfig.IPAddress(i)\r\n Exit For\r\n Next\r\n End If\r\n Next\r\nNext\r\n\r\nSet objNet = CreateObject(\"WScript.Network\")\r\nstrCompName = objNet.ComputerName\r\n\r\nSet shell = CreateObject(\"WScript.Shell\")\r\nSet getOSVersion = shell.exec(\"%comspec% /D /c ver\")\r\ngetOSVersion.stdout.readLine\r\nversion = getOSVersion.stdout.readLine\r\n\r\nFunction Registry_Read(Key_Path, Key_Name)\r\n On Error Resume Next\r\n Set Registry = CreateObject(\"WScript.Shell\")\r\n Registry_Read = Registry.RegRead(Key_Path & \"\\\" & Key_Name)\r\nEnd Function\r\n\r\nSet shell_arch = CreateObject(\"WScript.Shell\")\r\nIf shell_arch.ExpandEnvironmentStrings(\"%PROCESSOR_ARCHITECTURE%\") = \"AMD64\" then\r\n ConnectionStatus = Registry_Read(\"HKLM\\SOFTWARE\\WOW6432Node\\Network Associates\\ePolicy Orchestrator\\Application Plugins\\MAR_____1000\",\"connection_status\")\r\nElse\r\n ConnectionStatus = Registry_Read(\"HKLM\\SOFTWARE\\Network Associates\\ePolicy Orchestrator\\Application Plugins\\MAR_____1000\",\"connection_status\")\r\nEnd If\r\n\r\nIf ConnectionStatus = \"false\" then\r\n ConnectionStatus = 
\"Quarantined\"\r\nElse\r\n ConnectionStatus = \"Online\"\r\nEnd If\r\n\r\nplatform = \"Windows\"\r\n\r\nWScript.Echo strCompName & \",\" & FirstIP & \",\" & version & \",\" & ConnectionStatus & \",\" & platform\r\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45cae4b0401274ab7183",
- "name" : "HostInfo SysInfo",
- "description" : "Shows Hostname, 1st IP Address and OS version",
- "module" : "SysInfo",
- "function" : "HostInfo",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8ec2",
- "name" : "hostname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8ec3",
- "name" : "ip_address",
- "type" : "IPV4IPV6",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8ec4",
- "name" : "os",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6346",
- "name" : "connection_status",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 4
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6347",
- "name" : "platform",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 5
- } ]
- },
- "sequence" : "1",
- "output" : [ ]
- }, {
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e97",
- "name" : "NetworkFlow",
- "description" : "Shows the network flow",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e85",
- "name" : "time",
- "type" : "DATE",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e86",
- "name" : "direction",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e87",
- "name" : "src_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e88",
- "name" : "src_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e89",
- "name" : "dst_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e8a",
- "name" : "dst_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e8b",
- "name" : "status",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e8c",
- "name" : "proto",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8e8d",
- "name" : "ip_class",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8e8e",
- "name" : "seq_number",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 10
- }, {
- "id" : "58efec8ee4b0c390d69a8e8f",
- "name" : "src_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 11
- }, {
- "id" : "58efec8ee4b0c390d69a8e90",
- "name" : "dst_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "58efec8ee4b0c390d69a8e91",
- "name" : "process",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 13
- }, {
- "id" : "58efec8ee4b0c390d69a8e92",
- "name" : "process_id",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 14
- }, {
- "id" : "58efec8ee4b0c390d69a8e93",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 15
- }, {
- "id" : "58efec8ee4b0c390d69a8e94",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 16
- }, {
- "id" : "58efec8ee4b0c390d69a8e95",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 17
- }, {
- "id" : "58efec8ee4b0c390d69a8e96",
- "name" : "user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 18
- }, {
- "id" : "5a1a45cbe4b0401274ab7191",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 19
- } ]
- },
- "sequence" : "2",
- "output" : [ {
- "id" : "58efec8ee4b0c390d69a8e87",
- "name" : "src_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e89",
- "name" : "dst_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e88",
- "name" : "src_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e8a",
- "name" : "dst_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e8d",
- "name" : "ip_class",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8e86",
- "name" : "direction",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e8b",
- "name" : "status",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e8c",
- "name" : "proto",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8e95",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 17
- } ]
- } ],
- "disjunction" : {
- "conjunctions" : [ {
- "terms" : [ {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8ec2",
- "name" : "hostname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1
- },
- "operator" : "EQUALS",
- "value" : "WIN72",
- "negated" : false,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8ec5",
- "name" : "HostInfo",
- "description" : "Shows Hostname, 1st IP Address, OS version and Connection Status",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e14",
- "name" : "Bash Script",
- "description" : "Executes Bash script on target client",
- "module" : "SystemRuntime",
- "function" : "executeBash",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "#!/bin/bash\n# Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\n#\n# Purpose: Shows information about host\n#\n# Version: 1\n\ngetOsRelease() {\n if [[ -x /usr/bin/lsb_release ]]; then\n lsb_release -sd\n elif [[ -r /etc/system-release ]]; then\n cat /etc/system-release\n else\n echo -e \"Unknown\"\n fi\n}\n\ngetHostName() {\n hostname -s\n}\n\ngetInterfacesInfoCommand() {\n current_os=$(getOsRelease)\n if [[ $current_os == \"Red Hat\"*\"7.\"* ]]; then\n echo -e \"ip addr show\"\n else\n echo -e \"ifconfig\"\n fi\n}\n\ngetInterfacesDir() {\n echo -e \"/sys/class/net\"\n}\n\nisInterfacePhysical() {\n interface_path=\"$1\"\n if [ -z \"$interface_path\" ]; then\n return 1\n fi\n\n real_location=$(readlink \"$interface_path\")\n if [[ \"$real_location\" =~ \"virtual\" ]]; then\n return 1\n else\n return 0\n fi\n}\n\nparsePrimaryIPInterface() {\n interface_name=\"$1\"\n if [ -z \"$interface_name\" ]; then\n return 1\n fi\n cmd=$(getInterfacesInfoCommand)\n eval \"$cmd $interface_name\" | grep -oE \"\\b([0-9]{1,3}\\.){3}[0-9]{1,3}\\b\" | grep -vE \"^2[2-5]\" | head -n 1\n}\n\ngetPrimaryIPHost() {\n interfaces_dir=$(getInterfacesDir)\n physical_interfaces=()\n\n shopt -s nullglob\n for interface in \"$interfaces_dir\"/*; do\n if isInterfacePhysical \"$interface\"; then\n current_interface=$(basename \"$interface\")\n physical_interfaces+=(\"$current_interface\")\n fi\n done\n shopt -u nullglob\n\n i=0\n for interface in \"${physical_interfaces[@]}\"; do\n ips[$i]=$(parsePrimaryIPInterface \"$interface\")\n ((i++))\n done\n\n if [ \"${#ips[@]}\" -ge 1 ]; then\n echo -e \"${ips[0]}\"\n fi\n}\n\n\ngetConnectionStatus() {\n echo \"Online\"\n}\n\ngetPlatform() {\n echo \"Linux\"\n}\n\nprocessHostInfo() {\n name=$(getHostName)\n os=$(getOsRelease)\n ipaddress=$(getPrimaryIPHost)\n connection_status=$(getConnectionStatus)\n platform=$(getPlatform)\n\n echo -e 
\"\\\"$name\\\",\\\"$ipaddress\\\",\\\"$os\\\",\\\"$connection_status\\\",\\\"$platform\\\"\"\n}\n\nmain() {\n if [ \"$1\" == \"--no-exec\" ]; then\n return 0\n fi\n\n processHostInfo\n}\n\nmain \"$@\"\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e12",
- "name" : "Visual Basic Script",
- "description" : "Executes VBS script on target client",
- "module" : "SystemRuntime",
- "function" : "executeVBS",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "' Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\r\n\r\nstrComputer = \".\"\r\nFirstIP=\"\"\r\nCurrentMac=\"\"\r\nConnectionStatus = \"\"\r\nSet objWMIService=GetObject(\"winmgmts:\" & \"{impersonationLevel=impersonate}!\\\\\" & strComputer & \"\\root\\cimv2\")\r\n\r\nSet NetAdapters = objWMIService.ExecQuery(\"Select * From Win32_NetworkAdapter Where NOT PNPDeviceID LIKE 'ROOT\\\\%'\")\r\nFor Each NetAdapter in NetAdapters\r\n CurrentMac = NetAdapter.MACAddress\r\n Set IPConfigSet = objWMIService.ExecQuery(\"Select * from Win32_NetworkAdapterConfiguration Where IPEnabled=TRUE AND MacAddress = '\" & CurrentMac & \"'\")\r\n For Each IPConfig in IPConfigSet\r\n If Not IsNull(IPConfig.IPAddress) Then\r\n For i=LBound(IPConfig.IPAddress) to UBound(IPConfig.IPAddress)\r\n FirstIP=IPConfig.IPAddress(i)\r\n Exit For\r\n Next\r\n End If\r\n Next\r\nNext\r\n\r\nSet objNet = CreateObject(\"WScript.Network\")\r\nstrCompName = objNet.ComputerName\r\n\r\nSet shell = CreateObject(\"WScript.Shell\")\r\nSet getOSVersion = shell.exec(\"%comspec% /D /c ver\")\r\ngetOSVersion.stdout.readLine\r\nversion = getOSVersion.stdout.readLine\r\n\r\nFunction Registry_Read(Key_Path, Key_Name)\r\n On Error Resume Next\r\n Set Registry = CreateObject(\"WScript.Shell\")\r\n Registry_Read = Registry.RegRead(Key_Path & \"\\\" & Key_Name)\r\nEnd Function\r\n\r\nSet shell_arch = CreateObject(\"WScript.Shell\")\r\nIf shell_arch.ExpandEnvironmentStrings(\"%PROCESSOR_ARCHITECTURE%\") = \"AMD64\" then\r\n ConnectionStatus = Registry_Read(\"HKLM\\SOFTWARE\\WOW6432Node\\Network Associates\\ePolicy Orchestrator\\Application Plugins\\MAR_____1000\",\"connection_status\")\r\nElse\r\n ConnectionStatus = Registry_Read(\"HKLM\\SOFTWARE\\Network Associates\\ePolicy Orchestrator\\Application Plugins\\MAR_____1000\",\"connection_status\")\r\nEnd If\r\n\r\nIf ConnectionStatus = \"false\" then\r\n ConnectionStatus = 
\"Quarantined\"\r\nElse\r\n ConnectionStatus = \"Online\"\r\nEnd If\r\n\r\nplatform = \"Windows\"\r\n\r\nWScript.Echo strCompName & \",\" & FirstIP & \",\" & version & \",\" & ConnectionStatus & \",\" & platform\r\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45cae4b0401274ab7183",
- "name" : "HostInfo SysInfo",
- "description" : "Shows Hostname, 1st IP Address and OS version",
- "module" : "SysInfo",
- "function" : "HostInfo",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8ec2",
- "name" : "hostname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8ec3",
- "name" : "ip_address",
- "type" : "IPV4IPV6",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8ec4",
- "name" : "os",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6346",
- "name" : "connection_status",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 4
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6347",
- "name" : "platform",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 5
- } ]
- }
- }, {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8e85",
- "name" : "time",
- "type" : "DATE",
- "byDefault" : true,
- "sequence" : 1
- },
- "operator" : "AFTER",
- "value" : "2017-10-30 20:00:00",
- "negated" : false,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e97",
- "name" : "NetworkFlow",
- "description" : "Shows the network flow",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e85",
- "name" : "time",
- "type" : "DATE",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e86",
- "name" : "direction",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e87",
- "name" : "src_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e88",
- "name" : "src_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e89",
- "name" : "dst_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e8a",
- "name" : "dst_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e8b",
- "name" : "status",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e8c",
- "name" : "proto",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8e8d",
- "name" : "ip_class",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8e8e",
- "name" : "seq_number",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 10
- }, {
- "id" : "58efec8ee4b0c390d69a8e8f",
- "name" : "src_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 11
- }, {
- "id" : "58efec8ee4b0c390d69a8e90",
- "name" : "dst_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "58efec8ee4b0c390d69a8e91",
- "name" : "process",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 13
- }, {
- "id" : "58efec8ee4b0c390d69a8e92",
- "name" : "process_id",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 14
- }, {
- "id" : "58efec8ee4b0c390d69a8e93",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 15
- }, {
- "id" : "58efec8ee4b0c390d69a8e94",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 16
- }, {
- "id" : "58efec8ee4b0c390d69a8e95",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 17
- }, {
- "id" : "58efec8ee4b0c390d69a8e96",
- "name" : "user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 18
- }, {
- "id" : "5a1a45cbe4b0401274ab7191",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 19
- } ]
- }
- }, {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8e85",
- "name" : "time",
- "type" : "DATE",
- "byDefault" : true,
- "sequence" : 1
- },
- "operator" : "BEFORE",
- "value" : "2017-10-30 20:10:00",
- "negated" : false,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e97",
- "name" : "NetworkFlow",
- "description" : "Shows the network flow",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e85",
- "name" : "time",
- "type" : "DATE",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e86",
- "name" : "direction",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e87",
- "name" : "src_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e88",
- "name" : "src_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e89",
- "name" : "dst_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e8a",
- "name" : "dst_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e8b",
- "name" : "status",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e8c",
- "name" : "proto",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8e8d",
- "name" : "ip_class",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8e8e",
- "name" : "seq_number",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 10
- }, {
- "id" : "58efec8ee4b0c390d69a8e8f",
- "name" : "src_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 11
- }, {
- "id" : "58efec8ee4b0c390d69a8e90",
- "name" : "dst_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "58efec8ee4b0c390d69a8e91",
- "name" : "process",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 13
- }, {
- "id" : "58efec8ee4b0c390d69a8e92",
- "name" : "process_id",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 14
- }, {
- "id" : "58efec8ee4b0c390d69a8e93",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 15
- }, {
- "id" : "58efec8ee4b0c390d69a8e94",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 16
- }, {
- "id" : "58efec8ee4b0c390d69a8e95",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 17
- }, {
- "id" : "58efec8ee4b0c390d69a8e96",
- "name" : "user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 18
- }, {
- "id" : "5a1a45cbe4b0401274ab7191",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 19
- } ]
- }
- }, {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8e8d",
- "name" : "ip_class",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 9
- },
- "operator" : "EQUALS",
- "value" : "0",
- "negated" : false,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e97",
- "name" : "NetworkFlow",
- "description" : "Shows the network flow",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e85",
- "name" : "time",
- "type" : "DATE",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e86",
- "name" : "direction",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e87",
- "name" : "src_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e88",
- "name" : "src_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e89",
- "name" : "dst_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e8a",
- "name" : "dst_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e8b",
- "name" : "status",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e8c",
- "name" : "proto",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8e8d",
- "name" : "ip_class",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8e8e",
- "name" : "seq_number",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 10
- }, {
- "id" : "58efec8ee4b0c390d69a8e8f",
- "name" : "src_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 11
- }, {
- "id" : "58efec8ee4b0c390d69a8e90",
- "name" : "dst_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "58efec8ee4b0c390d69a8e91",
- "name" : "process",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 13
- }, {
- "id" : "58efec8ee4b0c390d69a8e92",
- "name" : "process_id",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 14
- }, {
- "id" : "58efec8ee4b0c390d69a8e93",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 15
- }, {
- "id" : "58efec8ee4b0c390d69a8e94",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 16
- }, {
- "id" : "58efec8ee4b0c390d69a8e95",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 17
- }, {
- "id" : "58efec8ee4b0c390d69a8e96",
- "name" : "user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 18
- }, {
- "id" : "5a1a45cbe4b0401274ab7191",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 19
- } ]
- }
- }, {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8e89",
- "name" : "dst_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 5
- },
- "operator" : "CONTAINS",
- "value" : "10.0.0.0/24",
- "negated" : true,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e97",
- "name" : "NetworkFlow",
- "description" : "Shows the network flow",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e85",
- "name" : "time",
- "type" : "DATE",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e86",
- "name" : "direction",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e87",
- "name" : "src_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e88",
- "name" : "src_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e89",
- "name" : "dst_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e8a",
- "name" : "dst_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e8b",
- "name" : "status",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e8c",
- "name" : "proto",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8e8d",
- "name" : "ip_class",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8e8e",
- "name" : "seq_number",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 10
- }, {
- "id" : "58efec8ee4b0c390d69a8e8f",
- "name" : "src_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 11
- }, {
- "id" : "58efec8ee4b0c390d69a8e90",
- "name" : "dst_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "58efec8ee4b0c390d69a8e91",
- "name" : "process",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 13
- }, {
- "id" : "58efec8ee4b0c390d69a8e92",
- "name" : "process_id",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 14
- }, {
- "id" : "58efec8ee4b0c390d69a8e93",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 15
- }, {
- "id" : "58efec8ee4b0c390d69a8e94",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 16
- }, {
- "id" : "58efec8ee4b0c390d69a8e95",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 17
- }, {
- "id" : "58efec8ee4b0c390d69a8e96",
- "name" : "user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 18
- }, {
- "id" : "5a1a45cbe4b0401274ab7191",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 19
- } ]
- }
- } ]
- } ]
- },
- "running" : false,
- "createdAt" : 1530900630301,
- "executedAt" : null,
- "status" : "CREATED",
- "ttl" : 60000,
- "startTime" : null,
- "endpointPermission" : null,
- "maGuidsTarget" : null,
- "expectedHostResponses" : 0
- },
- "type" : "com.intel.mar.model.search.Search"
- }, {
- "item" : {
- "catalogVersion" : 1,
- "dbVersion" : 2,
- "id" : "5b3fb096e4b0cbe06dd6731f",
- "name" : "Non Standard Hosts Files",
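- "description" : "Lists hosts-file entries (IP address and hostname) per endpoint, excluding loopback addresses such as 127.0.0.1 and ::1, to surface non-default mappings for review.",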
- "type" : null,
- "expression" : null,
- "temporal" : false,
- "invalid" : false,
- "aggregated" : false,
- "projections" : [ {
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8ec5",
- "name" : "HostInfo",
- "description" : "Shows Hostname, 1st IP Address, OS version and Connection Status",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e14",
- "name" : "Bash Script",
- "description" : "Executes Bash script on target client",
- "module" : "SystemRuntime",
- "function" : "executeBash",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "#!/bin/bash\n# Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\n#\n# Purpose: Shows information about host\n#\n# Version: 1\n\ngetOsRelease() {\n if [[ -x /usr/bin/lsb_release ]]; then\n lsb_release -sd\n elif [[ -r /etc/system-release ]]; then\n cat /etc/system-release\n else\n echo -e \"Unknown\"\n fi\n}\n\ngetHostName() {\n hostname -s\n}\n\ngetInterfacesInfoCommand() {\n current_os=$(getOsRelease)\n if [[ $current_os == \"Red Hat\"*\"7.\"* ]]; then\n echo -e \"ip addr show\"\n else\n echo -e \"ifconfig\"\n fi\n}\n\ngetInterfacesDir() {\n echo -e \"/sys/class/net\"\n}\n\nisInterfacePhysical() {\n interface_path=\"$1\"\n if [ -z \"$interface_path\" ]; then\n return 1\n fi\n\n real_location=$(readlink \"$interface_path\")\n if [[ \"$real_location\" =~ \"virtual\" ]]; then\n return 1\n else\n return 0\n fi\n}\n\nparsePrimaryIPInterface() {\n interface_name=\"$1\"\n if [ -z \"$interface_name\" ]; then\n return 1\n fi\n cmd=$(getInterfacesInfoCommand)\n eval \"$cmd $interface_name\" | grep -oE \"\\b([0-9]{1,3}\\.){3}[0-9]{1,3}\\b\" | grep -vE \"^2[2-5]\" | head -n 1\n}\n\ngetPrimaryIPHost() {\n interfaces_dir=$(getInterfacesDir)\n physical_interfaces=()\n\n shopt -s nullglob\n for interface in \"$interfaces_dir\"/*; do\n if isInterfacePhysical \"$interface\"; then\n current_interface=$(basename \"$interface\")\n physical_interfaces+=(\"$current_interface\")\n fi\n done\n shopt -u nullglob\n\n i=0\n for interface in \"${physical_interfaces[@]}\"; do\n ips[$i]=$(parsePrimaryIPInterface \"$interface\")\n ((i++))\n done\n\n if [ \"${#ips[@]}\" -ge 1 ]; then\n echo -e \"${ips[0]}\"\n fi\n}\n\n\ngetConnectionStatus() {\n echo \"Online\"\n}\n\ngetPlatform() {\n echo \"Linux\"\n}\n\nprocessHostInfo() {\n name=$(getHostName)\n os=$(getOsRelease)\n ipaddress=$(getPrimaryIPHost)\n connection_status=$(getConnectionStatus)\n platform=$(getPlatform)\n\n echo -e 
\"\\\"$name\\\",\\\"$ipaddress\\\",\\\"$os\\\",\\\"$connection_status\\\",\\\"$platform\\\"\"\n}\n\nmain() {\n if [ \"$1\" == \"--no-exec\" ]; then\n return 0\n fi\n\n processHostInfo\n}\n\nmain \"$@\"\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e12",
- "name" : "Visual Basic Script",
- "description" : "Executes VBS script on target client",
- "module" : "SystemRuntime",
- "function" : "executeVBS",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "' Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\r\n\r\nstrComputer = \".\"\r\nFirstIP=\"\"\r\nCurrentMac=\"\"\r\nConnectionStatus = \"\"\r\nSet objWMIService=GetObject(\"winmgmts:\" & \"{impersonationLevel=impersonate}!\\\\\" & strComputer & \"\\root\\cimv2\")\r\n\r\nSet NetAdapters = objWMIService.ExecQuery(\"Select * From Win32_NetworkAdapter Where NOT PNPDeviceID LIKE 'ROOT\\\\%'\")\r\nFor Each NetAdapter in NetAdapters\r\n CurrentMac = NetAdapter.MACAddress\r\n Set IPConfigSet = objWMIService.ExecQuery(\"Select * from Win32_NetworkAdapterConfiguration Where IPEnabled=TRUE AND MacAddress = '\" & CurrentMac & \"'\")\r\n For Each IPConfig in IPConfigSet\r\n If Not IsNull(IPConfig.IPAddress) Then\r\n For i=LBound(IPConfig.IPAddress) to UBound(IPConfig.IPAddress)\r\n FirstIP=IPConfig.IPAddress(i)\r\n Exit For\r\n Next\r\n End If\r\n Next\r\nNext\r\n\r\nSet objNet = CreateObject(\"WScript.Network\")\r\nstrCompName = objNet.ComputerName\r\n\r\nSet shell = CreateObject(\"WScript.Shell\")\r\nSet getOSVersion = shell.exec(\"%comspec% /D /c ver\")\r\ngetOSVersion.stdout.readLine\r\nversion = getOSVersion.stdout.readLine\r\n\r\nFunction Registry_Read(Key_Path, Key_Name)\r\n On Error Resume Next\r\n Set Registry = CreateObject(\"WScript.Shell\")\r\n Registry_Read = Registry.RegRead(Key_Path & \"\\\" & Key_Name)\r\nEnd Function\r\n\r\nSet shell_arch = CreateObject(\"WScript.Shell\")\r\nIf shell_arch.ExpandEnvironmentStrings(\"%PROCESSOR_ARCHITECTURE%\") = \"AMD64\" then\r\n ConnectionStatus = Registry_Read(\"HKLM\\SOFTWARE\\WOW6432Node\\Network Associates\\ePolicy Orchestrator\\Application Plugins\\MAR_____1000\",\"connection_status\")\r\nElse\r\n ConnectionStatus = Registry_Read(\"HKLM\\SOFTWARE\\Network Associates\\ePolicy Orchestrator\\Application Plugins\\MAR_____1000\",\"connection_status\")\r\nEnd If\r\n\r\nIf ConnectionStatus = \"false\" then\r\n ConnectionStatus = 
\"Quarantined\"\r\nElse\r\n ConnectionStatus = \"Online\"\r\nEnd If\r\n\r\nplatform = \"Windows\"\r\n\r\nWScript.Echo strCompName & \",\" & FirstIP & \",\" & version & \",\" & ConnectionStatus & \",\" & platform\r\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45cae4b0401274ab7183",
- "name" : "HostInfo SysInfo",
- "description" : "Shows Hostname, 1st IP Address and OS version",
- "module" : "SysInfo",
- "function" : "HostInfo",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8ec2",
- "name" : "hostname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8ec3",
- "name" : "ip_address",
- "type" : "IPV4IPV6",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8ec4",
- "name" : "os",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6346",
- "name" : "connection_status",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 4
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6347",
- "name" : "platform",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 5
- } ]
- },
- "sequence" : "1",
- "output" : [ {
- "id" : "58efec8ee4b0c390d69a8ec2",
- "name" : "hostname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1
- } ]
- }, {
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8ec1",
- "name" : "HostEntries",
- "description" : "Shows the IP Address and Hostname from hosts file on Windows, Linux and Mac systems",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e14",
- "name" : "Bash Script",
- "description" : "Executes Bash script on target client",
- "module" : "SystemRuntime",
- "function" : "executeBash",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "#!/bin/bash\n# Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\n#\n# Purpose: Shows information about hosts file\n#\n# Version: 1\n\n\ngetHostsFile() {\n if [ -r \"/etc/hosts\" ]; then\n cat \"/etc/hosts\"\n else\n exit 1\n fi\n}\n\ngetParsedHosts() {\n getHostsFile | perl -pe 's/(.*?)\\#(.*)/\\1/' | sed '/^$/d'\n}\n\nformatHost() {\n line=\"$1\"\n echo \"$line\" | awk \\\n '{ for (i = 2; i <= NF; i++)\n print \"\\\"\"$1\"\\\",\\\"\"$i\"\\\"\"\n }'\n\n}\n\nprintEnvFile() {\n procFile=\"$1\"\n pid=$(getPidFromProcFile \"$procFile\")\n user=$(getUserFromPid \"$pid\")\n getEnvFile \"$procFile\" | while read -r -d $'\\0' var; do\n var=$(escapeEnvVariable \"$var\")\n if [[ $var == *\"=\"* ]]\n then\n echo \"\\\"$user\\\",\\\"$pid\\\",\\\"${var/=/\",\"}\\\"\"\n fi\n done\n}\n\nprocessHosts() {\n getParsedHosts | while read -r host; do\n formatHost \"$host\"\n done\n}\n\n\nmain() {\n if [ \"$1\" == \"--no-exec\" ]; then\n return 0\n fi\n\n processHosts\n}\n\nmain \"$@\"\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e14",
- "name" : "Bash Script",
- "description" : "Executes Bash script on target client",
- "module" : "SystemRuntime",
- "function" : "executeBash",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "#!/bin/bash\n# Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\n#\n# Purpose: Shows information about hosts file\n#\n# Version: 1\n\ngrep -vE \"^\\#\" /etc/hosts | awk \\\n '{ for (i = 2; i <= NF; i++)\n print $1\",\"$i\n }'\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e12",
- "name" : "Visual Basic Script",
- "description" : "Executes VBS script on target client",
- "module" : "SystemRuntime",
- "function" : "executeVBS",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "'\r\n' Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\r\n'\r\n' Purpose: Read IP Address and Hostname from hosts file on Windows Systems\r\n'\r\n' Version: 1.0\r\n'\r\n'\r\nOption Explicit\r\n\r\nConst TristateUseDefault = -2\r\n\r\n'Declare variables\r\nDim fso\r\nDim wshShell\r\nDim winDir\r\nDim hostsFile\r\nDim objFSO\r\nDim ObjFile\r\n\r\nDim inputString\r\nDim inputArray\r\nDim ipAddress\r\nDim hostname1\r\n\r\nSet fso = CreateObject(\"Scripting.FileSystemObject\")\r\nSet wshShell = CreateObject(\"WScript.Shell\")\r\n\r\n'Detect the Windows directory\r\nwinDir = WshShell.ExpandEnvironmentStrings(\"%WinDir%\")\r\n\r\n'Path to hosts file\r\nhostsFile = winDir & \"\\System32\\Drivers\\etc\\hosts\"\r\n\r\n'Check if hosts file exists\r\nIf (fso.FileExists(hostsFile)) Then\r\n\r\n'Open hosts file for reading, do not create one if it does not exist\r\n Const ForReading = 1\r\n Set objFSO = CreateObject(\"Scripting.FileSystemObject\")\r\n Set objFile = objFSO.OpenTextFile(hostsFile, ForReading, False, TristateUseDefault)\r\n\r\n'Read from hosts file line by line\r\nDo Until objFile.AtEndOfStream\r\n inputString = objFile.ReadLine\r\n\r\n 'Ignore comment lines and empty lines\r\n If (Left (inputString, 1) <> \"#\" And Len (inputString) <> 0) Then\r\n ipAddress = \"\"\r\n hostname1 = \"\"\r\n\r\n 'Replace Tabs with Spaces\r\n Do Until InStr (inputString, Chr(9)) = 0\r\n inputString = Replace(inputString, Chr(9), Chr(32))\r\n Loop\r\n\r\n 'Replace double Spaces with Space\r\n Do Until InStr (inputString, Chr(32) & Chr(32)) = 0\r\n inputString = Replace(inputString, Chr(32) & Chr(32), Chr(32))\r\n Loop\r\n\r\n 'Convert string to an array, values separated by space\r\n inputArray = Split(Trim (inputString), Chr(32))\r\n\r\n 'Read output values from array, only first hostname per line\r\n ipAddress = inputArray(0)\r\n hostname1 = inputArray(1)\r\n\r\n 'Write output separated by comma\r\n 
WScript.Echo ipAddress & \",\" & hostname1\r\n End If\r\nLoop\r\n\r\n'Close hosts file\r\nobjFile.Close\r\nEnd If\r\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8ebf",
- "name" : "ipaddress",
- "type" : "IPV4IPV6",
- "byDefault" : false,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8ec0",
- "name" : "hostname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 2
- } ]
- },
- "sequence" : "2",
- "output" : [ {
- "id" : "58efec8ee4b0c390d69a8ec0",
- "name" : "hostname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8ebf",
- "name" : "ipaddress",
- "type" : "IPV4IPV6",
- "byDefault" : false,
- "sequence" : 1
- } ]
- } ],
- "disjunction" : {
- "conjunctions" : [ {
- "terms" : [ {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8ebf",
- "name" : "ipaddress",
- "type" : "IPV4IPV6",
- "byDefault" : false,
- "sequence" : 1
- },
- "operator" : "EQUALS",
- "value" : "127.0.0.1",
- "negated" : true,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8ec1",
- "name" : "HostEntries",
- "description" : "Shows the IP Address and Hostname from hosts file on Windows, Linux and Mac systems",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e14",
- "name" : "Bash Script",
- "description" : "Executes Bash script on target client",
- "module" : "SystemRuntime",
- "function" : "executeBash",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "#!/bin/bash\n# Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\n#\n# Purpose: Shows information about hosts file\n#\n# Version: 1\n\n\ngetHostsFile() {\n if [ -r \"/etc/hosts\" ]; then\n cat \"/etc/hosts\"\n else\n exit 1\n fi\n}\n\ngetParsedHosts() {\n getHostsFile | perl -pe 's/(.*?)\\#(.*)/\\1/' | sed '/^$/d'\n}\n\nformatHost() {\n line=\"$1\"\n echo \"$line\" | awk \\\n '{ for (i = 2; i <= NF; i++)\n print \"\\\"\"$1\"\\\",\\\"\"$i\"\\\"\"\n }'\n\n}\n\nprintEnvFile() {\n procFile=\"$1\"\n pid=$(getPidFromProcFile \"$procFile\")\n user=$(getUserFromPid \"$pid\")\n getEnvFile \"$procFile\" | while read -r -d $'\\0' var; do\n var=$(escapeEnvVariable \"$var\")\n if [[ $var == *\"=\"* ]]\n then\n echo \"\\\"$user\\\",\\\"$pid\\\",\\\"${var/=/\",\"}\\\"\"\n fi\n done\n}\n\nprocessHosts() {\n getParsedHosts | while read -r host; do\n formatHost \"$host\"\n done\n}\n\n\nmain() {\n if [ \"$1\" == \"--no-exec\" ]; then\n return 0\n fi\n\n processHosts\n}\n\nmain \"$@\"\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e14",
- "name" : "Bash Script",
- "description" : "Executes Bash script on target client",
- "module" : "SystemRuntime",
- "function" : "executeBash",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "#!/bin/bash\n# Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\n#\n# Purpose: Shows information about hosts file\n#\n# Version: 1\n\ngrep -vE \"^\\#\" /etc/hosts | awk \\\n '{ for (i = 2; i <= NF; i++)\n print $1\",\"$i\n }'\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e12",
- "name" : "Visual Basic Script",
- "description" : "Executes VBS script on target client",
- "module" : "SystemRuntime",
- "function" : "executeVBS",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "'\r\n' Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\r\n'\r\n' Purpose: Read IP Address and Hostname from hosts file on Windows Systems\r\n'\r\n' Version: 1.0\r\n'\r\n'\r\nOption Explicit\r\n\r\nConst TristateUseDefault = -2\r\n\r\n'Declare variables\r\nDim fso\r\nDim wshShell\r\nDim winDir\r\nDim hostsFile\r\nDim objFSO\r\nDim ObjFile\r\n\r\nDim inputString\r\nDim inputArray\r\nDim ipAddress\r\nDim hostname1\r\n\r\nSet fso = CreateObject(\"Scripting.FileSystemObject\")\r\nSet wshShell = CreateObject(\"WScript.Shell\")\r\n\r\n'Detect the Windows directory\r\nwinDir = WshShell.ExpandEnvironmentStrings(\"%WinDir%\")\r\n\r\n'Path to hosts file\r\nhostsFile = winDir & \"\\System32\\Drivers\\etc\\hosts\"\r\n\r\n'Check if hosts file exists\r\nIf (fso.FileExists(hostsFile)) Then\r\n\r\n'Open hosts file for reading, do not create one if it does not exist\r\n Const ForReading = 1\r\n Set objFSO = CreateObject(\"Scripting.FileSystemObject\")\r\n Set objFile = objFSO.OpenTextFile(hostsFile, ForReading, False, TristateUseDefault)\r\n\r\n'Read from hosts file line by line\r\nDo Until objFile.AtEndOfStream\r\n inputString = objFile.ReadLine\r\n\r\n 'Ignore comment lines and empty lines\r\n If (Left (inputString, 1) <> \"#\" And Len (inputString) <> 0) Then\r\n ipAddress = \"\"\r\n hostname1 = \"\"\r\n\r\n 'Replace Tabs with Spaces\r\n Do Until InStr (inputString, Chr(9)) = 0\r\n inputString = Replace(inputString, Chr(9), Chr(32))\r\n Loop\r\n\r\n 'Replace double Spaces with Space\r\n Do Until InStr (inputString, Chr(32) & Chr(32)) = 0\r\n inputString = Replace(inputString, Chr(32) & Chr(32), Chr(32))\r\n Loop\r\n\r\n 'Convert string to an array, values separated by space\r\n inputArray = Split(Trim (inputString), Chr(32))\r\n\r\n 'Read output values from array, only first hostname per line\r\n ipAddress = inputArray(0)\r\n hostname1 = inputArray(1)\r\n\r\n 'Write output separated by comma\r\n 
WScript.Echo ipAddress & \",\" & hostname1\r\n End If\r\nLoop\r\n\r\n'Close hosts file\r\nobjFile.Close\r\nEnd If\r\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8ebf",
- "name" : "ipaddress",
- "type" : "IPV4IPV6",
- "byDefault" : false,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8ec0",
- "name" : "hostname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 2
- } ]
- }
- }, {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8ebf",
- "name" : "ipaddress",
- "type" : "IPV4IPV6",
- "byDefault" : false,
- "sequence" : 1
- },
- "operator" : "EQUALS",
- "value" : "::1",
- "negated" : true,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8ec1",
- "name" : "HostEntries",
- "description" : "Shows the IP Address and Hostname from hosts file on Windows, Linux and Mac systems",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e14",
- "name" : "Bash Script",
- "description" : "Executes Bash script on target client",
- "module" : "SystemRuntime",
- "function" : "executeBash",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "#!/bin/bash\n# Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\n#\n# Purpose: Shows information about hosts file\n#\n# Version: 1\n\n\ngetHostsFile() {\n if [ -r \"/etc/hosts\" ]; then\n cat \"/etc/hosts\"\n else\n exit 1\n fi\n}\n\ngetParsedHosts() {\n getHostsFile | perl -pe 's/(.*?)\\#(.*)/\\1/' | sed '/^$/d'\n}\n\nformatHost() {\n line=\"$1\"\n echo \"$line\" | awk \\\n '{ for (i = 2; i <= NF; i++)\n print \"\\\"\"$1\"\\\",\\\"\"$i\"\\\"\"\n }'\n\n}\n\nprintEnvFile() {\n procFile=\"$1\"\n pid=$(getPidFromProcFile \"$procFile\")\n user=$(getUserFromPid \"$pid\")\n getEnvFile \"$procFile\" | while read -r -d $'\\0' var; do\n var=$(escapeEnvVariable \"$var\")\n if [[ $var == *\"=\"* ]]\n then\n echo \"\\\"$user\\\",\\\"$pid\\\",\\\"${var/=/\",\"}\\\"\"\n fi\n done\n}\n\nprocessHosts() {\n getParsedHosts | while read -r host; do\n formatHost \"$host\"\n done\n}\n\n\nmain() {\n if [ \"$1\" == \"--no-exec\" ]; then\n return 0\n fi\n\n processHosts\n}\n\nmain \"$@\"\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e14",
- "name" : "Bash Script",
- "description" : "Executes Bash script on target client",
- "module" : "SystemRuntime",
- "function" : "executeBash",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "#!/bin/bash\n# Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\n#\n# Purpose: Shows information about hosts file\n#\n# Version: 1\n\ngrep -vE \"^\\#\" /etc/hosts | awk \\\n '{ for (i = 2; i <= NF; i++)\n print $1\",\"$i\n }'\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e12",
- "name" : "Visual Basic Script",
- "description" : "Executes VBS script on target client",
- "module" : "SystemRuntime",
- "function" : "executeVBS",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "'\r\n' Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\r\n'\r\n' Purpose: Read IP Address and Hostname from hosts file on Windows Systems\r\n'\r\n' Version: 1.0\r\n'\r\n'\r\nOption Explicit\r\n\r\nConst TristateUseDefault = -2\r\n\r\n'Declare variables\r\nDim fso\r\nDim wshShell\r\nDim winDir\r\nDim hostsFile\r\nDim objFSO\r\nDim ObjFile\r\n\r\nDim inputString\r\nDim inputArray\r\nDim ipAddress\r\nDim hostname1\r\n\r\nSet fso = CreateObject(\"Scripting.FileSystemObject\")\r\nSet wshShell = CreateObject(\"WScript.Shell\")\r\n\r\n'Detect the Windows directory\r\nwinDir = WshShell.ExpandEnvironmentStrings(\"%WinDir%\")\r\n\r\n'Path to hosts file\r\nhostsFile = winDir & \"\\System32\\Drivers\\etc\\hosts\"\r\n\r\n'Check if hosts file exists\r\nIf (fso.FileExists(hostsFile)) Then\r\n\r\n'Open hosts file for reading, do not create one if it does not exist\r\n Const ForReading = 1\r\n Set objFSO = CreateObject(\"Scripting.FileSystemObject\")\r\n Set objFile = objFSO.OpenTextFile(hostsFile, ForReading, False, TristateUseDefault)\r\n\r\n'Read from hosts file line by line\r\nDo Until objFile.AtEndOfStream\r\n inputString = objFile.ReadLine\r\n\r\n 'Ignore comment lines and empty lines\r\n If (Left (inputString, 1) <> \"#\" And Len (inputString) <> 0) Then\r\n ipAddress = \"\"\r\n hostname1 = \"\"\r\n\r\n 'Replace Tabs with Spaces\r\n Do Until InStr (inputString, Chr(9)) = 0\r\n inputString = Replace(inputString, Chr(9), Chr(32))\r\n Loop\r\n\r\n 'Replace double Spaces with Space\r\n Do Until InStr (inputString, Chr(32) & Chr(32)) = 0\r\n inputString = Replace(inputString, Chr(32) & Chr(32), Chr(32))\r\n Loop\r\n\r\n 'Convert string to an array, values separated by space\r\n inputArray = Split(Trim (inputString), Chr(32))\r\n\r\n 'Read output values from array, only first hostname per line\r\n ipAddress = inputArray(0)\r\n hostname1 = inputArray(1)\r\n\r\n 'Write output separated by comma\r\n 
WScript.Echo ipAddress & \",\" & hostname1\r\n End If\r\nLoop\r\n\r\n'Close hosts file\r\nobjFile.Close\r\nEnd If\r\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8ebf",
- "name" : "ipaddress",
- "type" : "IPV4IPV6",
- "byDefault" : false,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8ec0",
- "name" : "hostname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 2
- } ]
- }
- } ]
- } ]
- },
- "running" : false,
- "createdAt" : 1530900630317,
- "executedAt" : null,
- "status" : "CREATED",
- "ttl" : 60000,
- "startTime" : null,
- "endpointPermission" : null,
- "maGuidsTarget" : null,
- "expectedHostResponses" : 0
- },
- "type" : "com.intel.mar.model.search.Search"
- }, {
- "item" : {
- "catalogVersion" : 1,
- "dbVersion" : 2,
- "id" : "5b3fb096e4b0cbe06dd67320",
- "name" : "Powershell out",
- "description" : "",
- "type" : null,
- "expression" : null,
- "temporal" : false,
- "invalid" : false,
- "aggregated" : false,
- "projections" : [ {
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8ec5",
- "name" : "HostInfo",
- "description" : "Shows Hostname, 1st IP Address, OS version and Connection Status",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e14",
- "name" : "Bash Script",
- "description" : "Executes Bash script on target client",
- "module" : "SystemRuntime",
- "function" : "executeBash",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "#!/bin/bash\n# Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\n#\n# Purpose: Shows information about host\n#\n# Version: 1\n\ngetOsRelease() {\n if [[ -x /usr/bin/lsb_release ]]; then\n lsb_release -sd\n elif [[ -r /etc/system-release ]]; then\n cat /etc/system-release\n else\n echo -e \"Unknown\"\n fi\n}\n\ngetHostName() {\n hostname -s\n}\n\ngetInterfacesInfoCommand() {\n current_os=$(getOsRelease)\n if [[ $current_os == \"Red Hat\"*\"7.\"* ]]; then\n echo -e \"ip addr show\"\n else\n echo -e \"ifconfig\"\n fi\n}\n\ngetInterfacesDir() {\n echo -e \"/sys/class/net\"\n}\n\nisInterfacePhysical() {\n interface_path=\"$1\"\n if [ -z \"$interface_path\" ]; then\n return 1\n fi\n\n real_location=$(readlink \"$interface_path\")\n if [[ \"$real_location\" =~ \"virtual\" ]]; then\n return 1\n else\n return 0\n fi\n}\n\nparsePrimaryIPInterface() {\n interface_name=\"$1\"\n if [ -z \"$interface_name\" ]; then\n return 1\n fi\n cmd=$(getInterfacesInfoCommand)\n eval \"$cmd $interface_name\" | grep -oE \"\\b([0-9]{1,3}\\.){3}[0-9]{1,3}\\b\" | grep -vE \"^2[2-5]\" | head -n 1\n}\n\ngetPrimaryIPHost() {\n interfaces_dir=$(getInterfacesDir)\n physical_interfaces=()\n\n shopt -s nullglob\n for interface in \"$interfaces_dir\"/*; do\n if isInterfacePhysical \"$interface\"; then\n current_interface=$(basename \"$interface\")\n physical_interfaces+=(\"$current_interface\")\n fi\n done\n shopt -u nullglob\n\n i=0\n for interface in \"${physical_interfaces[@]}\"; do\n ips[$i]=$(parsePrimaryIPInterface \"$interface\")\n ((i++))\n done\n\n if [ \"${#ips[@]}\" -ge 1 ]; then\n echo -e \"${ips[0]}\"\n fi\n}\n\n\ngetConnectionStatus() {\n echo \"Online\"\n}\n\ngetPlatform() {\n echo \"Linux\"\n}\n\nprocessHostInfo() {\n name=$(getHostName)\n os=$(getOsRelease)\n ipaddress=$(getPrimaryIPHost)\n connection_status=$(getConnectionStatus)\n platform=$(getPlatform)\n\n echo -e 
\"\\\"$name\\\",\\\"$ipaddress\\\",\\\"$os\\\",\\\"$connection_status\\\",\\\"$platform\\\"\"\n}\n\nmain() {\n if [ \"$1\" == \"--no-exec\" ]; then\n return 0\n fi\n\n processHostInfo\n}\n\nmain \"$@\"\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e12",
- "name" : "Visual Basic Script",
- "description" : "Executes VBS script on target client",
- "module" : "SystemRuntime",
- "function" : "executeVBS",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "' Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\r\n\r\nstrComputer = \".\"\r\nFirstIP=\"\"\r\nCurrentMac=\"\"\r\nConnectionStatus = \"\"\r\nSet objWMIService=GetObject(\"winmgmts:\" & \"{impersonationLevel=impersonate}!\\\\\" & strComputer & \"\\root\\cimv2\")\r\n\r\nSet NetAdapters = objWMIService.ExecQuery(\"Select * From Win32_NetworkAdapter Where NOT PNPDeviceID LIKE 'ROOT\\\\%'\")\r\nFor Each NetAdapter in NetAdapters\r\n CurrentMac = NetAdapter.MACAddress\r\n Set IPConfigSet = objWMIService.ExecQuery(\"Select * from Win32_NetworkAdapterConfiguration Where IPEnabled=TRUE AND MacAddress = '\" & CurrentMac & \"'\")\r\n For Each IPConfig in IPConfigSet\r\n If Not IsNull(IPConfig.IPAddress) Then\r\n For i=LBound(IPConfig.IPAddress) to UBound(IPConfig.IPAddress)\r\n FirstIP=IPConfig.IPAddress(i)\r\n Exit For\r\n Next\r\n End If\r\n Next\r\nNext\r\n\r\nSet objNet = CreateObject(\"WScript.Network\")\r\nstrCompName = objNet.ComputerName\r\n\r\nSet shell = CreateObject(\"WScript.Shell\")\r\nSet getOSVersion = shell.exec(\"%comspec% /D /c ver\")\r\ngetOSVersion.stdout.readLine\r\nversion = getOSVersion.stdout.readLine\r\n\r\nFunction Registry_Read(Key_Path, Key_Name)\r\n On Error Resume Next\r\n Set Registry = CreateObject(\"WScript.Shell\")\r\n Registry_Read = Registry.RegRead(Key_Path & \"\\\" & Key_Name)\r\nEnd Function\r\n\r\nSet shell_arch = CreateObject(\"WScript.Shell\")\r\nIf shell_arch.ExpandEnvironmentStrings(\"%PROCESSOR_ARCHITECTURE%\") = \"AMD64\" then\r\n ConnectionStatus = Registry_Read(\"HKLM\\SOFTWARE\\WOW6432Node\\Network Associates\\ePolicy Orchestrator\\Application Plugins\\MAR_____1000\",\"connection_status\")\r\nElse\r\n ConnectionStatus = Registry_Read(\"HKLM\\SOFTWARE\\Network Associates\\ePolicy Orchestrator\\Application Plugins\\MAR_____1000\",\"connection_status\")\r\nEnd If\r\n\r\nIf ConnectionStatus = \"false\" then\r\n ConnectionStatus = 
\"Quarantined\"\r\nElse\r\n ConnectionStatus = \"Online\"\r\nEnd If\r\n\r\nplatform = \"Windows\"\r\n\r\nWScript.Echo strCompName & \",\" & FirstIP & \",\" & version & \",\" & ConnectionStatus & \",\" & platform\r\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45cae4b0401274ab7183",
- "name" : "HostInfo SysInfo",
- "description" : "Shows Hostname, 1st IP Address and OS version",
- "module" : "SysInfo",
- "function" : "HostInfo",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8ec2",
- "name" : "hostname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8ec3",
- "name" : "ip_address",
- "type" : "IPV4IPV6",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8ec4",
- "name" : "os",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6346",
- "name" : "connection_status",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 4
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6347",
- "name" : "platform",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 5
- } ]
- },
- "sequence" : "1",
- "output" : [ {
- "id" : "58efec8ee4b0c390d69a8ec2",
- "name" : "hostname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1
- } ]
- }, {
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e97",
- "name" : "NetworkFlow",
- "description" : "Shows the network flow",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e85",
- "name" : "time",
- "type" : "DATE",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e86",
- "name" : "direction",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e87",
- "name" : "src_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e88",
- "name" : "src_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e89",
- "name" : "dst_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e8a",
- "name" : "dst_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e8b",
- "name" : "status",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e8c",
- "name" : "proto",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8e8d",
- "name" : "ip_class",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8e8e",
- "name" : "seq_number",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 10
- }, {
- "id" : "58efec8ee4b0c390d69a8e8f",
- "name" : "src_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 11
- }, {
- "id" : "58efec8ee4b0c390d69a8e90",
- "name" : "dst_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "58efec8ee4b0c390d69a8e91",
- "name" : "process",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 13
- }, {
- "id" : "58efec8ee4b0c390d69a8e92",
- "name" : "process_id",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 14
- }, {
- "id" : "58efec8ee4b0c390d69a8e93",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 15
- }, {
- "id" : "58efec8ee4b0c390d69a8e94",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 16
- }, {
- "id" : "58efec8ee4b0c390d69a8e95",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 17
- }, {
- "id" : "58efec8ee4b0c390d69a8e96",
- "name" : "user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 18
- }, {
- "id" : "5a1a45cbe4b0401274ab7191",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 19
- } ]
- },
- "sequence" : "2",
- "output" : [ {
- "id" : "58efec8ee4b0c390d69a8e91",
- "name" : "process",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 13
- }, {
- "id" : "58efec8ee4b0c390d69a8e8a",
- "name" : "dst_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e8b",
- "name" : "status",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e85",
- "name" : "time",
- "type" : "DATE",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e86",
- "name" : "direction",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e8c",
- "name" : "proto",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8e95",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 17
- } ]
- } ],
- "disjunction" : {
- "conjunctions" : [ {
- "terms" : [ {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8e91",
- "name" : "process",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 13
- },
- "operator" : "CONTAINS",
- "value" : "powershell.exe",
- "negated" : false,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e97",
- "name" : "NetworkFlow",
- "description" : "Shows the network flow",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e85",
- "name" : "time",
- "type" : "DATE",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e86",
- "name" : "direction",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e87",
- "name" : "src_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e88",
- "name" : "src_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e89",
- "name" : "dst_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e8a",
- "name" : "dst_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e8b",
- "name" : "status",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e8c",
- "name" : "proto",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8e8d",
- "name" : "ip_class",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8e8e",
- "name" : "seq_number",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 10
- }, {
- "id" : "58efec8ee4b0c390d69a8e8f",
- "name" : "src_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 11
- }, {
- "id" : "58efec8ee4b0c390d69a8e90",
- "name" : "dst_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "58efec8ee4b0c390d69a8e91",
- "name" : "process",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 13
- }, {
- "id" : "58efec8ee4b0c390d69a8e92",
- "name" : "process_id",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 14
- }, {
- "id" : "58efec8ee4b0c390d69a8e93",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 15
- }, {
- "id" : "58efec8ee4b0c390d69a8e94",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 16
- }, {
- "id" : "58efec8ee4b0c390d69a8e95",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 17
- }, {
- "id" : "58efec8ee4b0c390d69a8e96",
- "name" : "user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 18
- }, {
- "id" : "5a1a45cbe4b0401274ab7191",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 19
- } ]
- }
- }, {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8e8a",
- "name" : "dst_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 6
- },
- "operator" : "EQUALS",
- "value" : "443",
- "negated" : false,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e97",
- "name" : "NetworkFlow",
- "description" : "Shows the network flow",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e85",
- "name" : "time",
- "type" : "DATE",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e86",
- "name" : "direction",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e87",
- "name" : "src_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e88",
- "name" : "src_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e89",
- "name" : "dst_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e8a",
- "name" : "dst_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e8b",
- "name" : "status",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e8c",
- "name" : "proto",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8e8d",
- "name" : "ip_class",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8e8e",
- "name" : "seq_number",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 10
- }, {
- "id" : "58efec8ee4b0c390d69a8e8f",
- "name" : "src_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 11
- }, {
- "id" : "58efec8ee4b0c390d69a8e90",
- "name" : "dst_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "58efec8ee4b0c390d69a8e91",
- "name" : "process",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 13
- }, {
- "id" : "58efec8ee4b0c390d69a8e92",
- "name" : "process_id",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 14
- }, {
- "id" : "58efec8ee4b0c390d69a8e93",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 15
- }, {
- "id" : "58efec8ee4b0c390d69a8e94",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 16
- }, {
- "id" : "58efec8ee4b0c390d69a8e95",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 17
- }, {
- "id" : "58efec8ee4b0c390d69a8e96",
- "name" : "user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 18
- }, {
- "id" : "5a1a45cbe4b0401274ab7191",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 19
- } ]
- }
- } ]
- } ]
- },
- "running" : false,
- "createdAt" : 1530900630323,
- "executedAt" : null,
- "status" : "CREATED",
- "ttl" : 60000,
- "startTime" : null,
- "endpointPermission" : null,
- "maGuidsTarget" : null,
- "expectedHostResponses" : 0
- },
- "type" : "com.intel.mar.model.search.Search"
- }, {
- "item" : {
- "catalogVersion" : 1,
- "dbVersion" : 2,
- "id" : "5b3fb096e4b0cbe06dd67321",
- "name" : "Recent MAR Hashing Status",
- "description" : "",
- "type" : null,
- "expression" : null,
- "temporal" : false,
- "invalid" : false,
- "aggregated" : false,
- "projections" : [ {
- "collector" : {
- "catalogVersion" : 1,
- "dbVersion" : 2,
- "id" : "5b3fb07ce4b0cbe06dd672fa",
- "name" : "HashStatusRecent",
- "description" : "Displays the most recent File Hashing Status",
- "type" : "CUSTOM",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e12",
- "name" : "Visual Basic Script",
- "description" : "Executes VBS script on target client",
- "module" : "SystemRuntime",
- "function" : "executeVBS",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "' Copyright (C) 2017 McAfee, Inc. All Rights Reserved.\n'\n' This script will display the most recent File Hashing Status\n'\nDim objFSO, objFile, line, arrLines, strAnalyztime, strHashtime\nSet objFSO = CreateObject(\"Scripting.FileSystemObject\")\nstartFile = \"C:\\ProgramData\\McAfee\\MAR\\data\\marlog.log\"\n' ***********************************************\n' Open Mar Log and Check Status\n' ***********************************************\nIF objFSO.FileExists(startFile) Then\n\tobjFile = objFSO.OpenTextFile(startFile, 1).ReadAll\n\tarrLines = Split(objFile,vbCrLf)\n\t\tFor Each line in arrLines\n\t\t\tIF inStr(line,\"Analyzing parent dir\") > 1 Then\n\t\t\t\tstrAnalyztime = line\n\t\t\tEnd IF\n\t\t\tIF inStr(line,\"Stop Hashing - Total Hashing Time\") > 1 Then\n\t\t\t\tstrHashtime = line\n\t\t\tEnd IF\n\t\tNext\nELSE\n\tWScript.Quit\nEnd IF\n' ***********************************************\n' Output Logic\n' ***********************************************\nWScript.echo Trim(Left(strAnalyztime, (inStr(strAnalyztime,\" \")))) & \",\" & _\nTrim(Left(strHashtime, (inStr(strHashtime,\" \")))) & \",\" &_\nReplace(Replace(Right(strHashtime, (len(strHashtime)-(inStr(strHashtime,\"Stop Hashing -\")))),\"top Hashing - Total Hashing Time: \",\"\"),\" seconds\",\"\")\n' ***********************************************\n' End\n' ***********************************************\nWScript.Quit",
- "arguments" : null,
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e51",
- "name" : "NotAvailable",
- "description" : "Capability not available",
- "module" : "Internal",
- "function" : "GetFalseResult",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- } ],
- "platformSettings" : [ ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ ]
- },
- "content" : null,
- "arguments" : null,
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e51",
- "name" : "NotAvailable",
- "description" : "Capability not available",
- "module" : "Internal",
- "function" : "GetFalseResult",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- } ],
- "platformSettings" : [ ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ ]
- },
- "content" : null,
- "arguments" : null,
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "5b3fb07ce4b0cbe06dd672d3",
- "name" : "start_time",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "5b3fb07ce4b0cbe06dd672d4",
- "name" : "completion_time",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "5b3fb07ce4b0cbe06dd672d5",
- "name" : "runtime_seconds",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 3
- } ]
- },
- "sequence" : "1",
- "output" : [ {
- "id" : "5b3fb07ce4b0cbe06dd672d3",
- "name" : "start_time",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "5b3fb07ce4b0cbe06dd672d4",
- "name" : "completion_time",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "5b3fb07ce4b0cbe06dd672d5",
- "name" : "runtime_seconds",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 3
- } ]
- }, {
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8ec5",
- "name" : "HostInfo",
- "description" : "Shows Hostname, 1st IP Address, OS version and Connection Status",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e14",
- "name" : "Bash Script",
- "description" : "Executes Bash script on target client",
- "module" : "SystemRuntime",
- "function" : "executeBash",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "#!/bin/bash\n# Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\n#\n# Purpose: Shows information about host\n#\n# Version: 1\n\ngetOsRelease() {\n if [[ -x /usr/bin/lsb_release ]]; then\n lsb_release -sd\n elif [[ -r /etc/system-release ]]; then\n cat /etc/system-release\n else\n echo -e \"Unknown\"\n fi\n}\n\ngetHostName() {\n hostname -s\n}\n\ngetInterfacesInfoCommand() {\n current_os=$(getOsRelease)\n if [[ $current_os == \"Red Hat\"*\"7.\"* ]]; then\n echo -e \"ip addr show\"\n else\n echo -e \"ifconfig\"\n fi\n}\n\ngetInterfacesDir() {\n echo -e \"/sys/class/net\"\n}\n\nisInterfacePhysical() {\n interface_path=\"$1\"\n if [ -z \"$interface_path\" ]; then\n return 1\n fi\n\n real_location=$(readlink \"$interface_path\")\n if [[ \"$real_location\" =~ \"virtual\" ]]; then\n return 1\n else\n return 0\n fi\n}\n\nparsePrimaryIPInterface() {\n interface_name=\"$1\"\n if [ -z \"$interface_name\" ]; then\n return 1\n fi\n cmd=$(getInterfacesInfoCommand)\n eval \"$cmd $interface_name\" | grep -oE \"\\b([0-9]{1,3}\\.){3}[0-9]{1,3}\\b\" | grep -vE \"^2[2-5]\" | head -n 1\n}\n\ngetPrimaryIPHost() {\n interfaces_dir=$(getInterfacesDir)\n physical_interfaces=()\n\n shopt -s nullglob\n for interface in \"$interfaces_dir\"/*; do\n if isInterfacePhysical \"$interface\"; then\n current_interface=$(basename \"$interface\")\n physical_interfaces+=(\"$current_interface\")\n fi\n done\n shopt -u nullglob\n\n i=0\n for interface in \"${physical_interfaces[@]}\"; do\n ips[$i]=$(parsePrimaryIPInterface \"$interface\")\n ((i++))\n done\n\n if [ \"${#ips[@]}\" -ge 1 ]; then\n echo -e \"${ips[0]}\"\n fi\n}\n\n\ngetConnectionStatus() {\n echo \"Online\"\n}\n\ngetPlatform() {\n echo \"Linux\"\n}\n\nprocessHostInfo() {\n name=$(getHostName)\n os=$(getOsRelease)\n ipaddress=$(getPrimaryIPHost)\n connection_status=$(getConnectionStatus)\n platform=$(getPlatform)\n\n echo -e 
\"\\\"$name\\\",\\\"$ipaddress\\\",\\\"$os\\\",\\\"$connection_status\\\",\\\"$platform\\\"\"\n}\n\nmain() {\n if [ \"$1\" == \"--no-exec\" ]; then\n return 0\n fi\n\n processHostInfo\n}\n\nmain \"$@\"\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e12",
- "name" : "Visual Basic Script",
- "description" : "Executes VBS script on target client",
- "module" : "SystemRuntime",
- "function" : "executeVBS",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "' Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\r\n\r\nstrComputer = \".\"\r\nFirstIP=\"\"\r\nCurrentMac=\"\"\r\nConnectionStatus = \"\"\r\nSet objWMIService=GetObject(\"winmgmts:\" & \"{impersonationLevel=impersonate}!\\\\\" & strComputer & \"\\root\\cimv2\")\r\n\r\nSet NetAdapters = objWMIService.ExecQuery(\"Select * From Win32_NetworkAdapter Where NOT PNPDeviceID LIKE 'ROOT\\\\%'\")\r\nFor Each NetAdapter in NetAdapters\r\n CurrentMac = NetAdapter.MACAddress\r\n Set IPConfigSet = objWMIService.ExecQuery(\"Select * from Win32_NetworkAdapterConfiguration Where IPEnabled=TRUE AND MacAddress = '\" & CurrentMac & \"'\")\r\n For Each IPConfig in IPConfigSet\r\n If Not IsNull(IPConfig.IPAddress) Then\r\n For i=LBound(IPConfig.IPAddress) to UBound(IPConfig.IPAddress)\r\n FirstIP=IPConfig.IPAddress(i)\r\n Exit For\r\n Next\r\n End If\r\n Next\r\nNext\r\n\r\nSet objNet = CreateObject(\"WScript.Network\")\r\nstrCompName = objNet.ComputerName\r\n\r\nSet shell = CreateObject(\"WScript.Shell\")\r\nSet getOSVersion = shell.exec(\"%comspec% /D /c ver\")\r\ngetOSVersion.stdout.readLine\r\nversion = getOSVersion.stdout.readLine\r\n\r\nFunction Registry_Read(Key_Path, Key_Name)\r\n On Error Resume Next\r\n Set Registry = CreateObject(\"WScript.Shell\")\r\n Registry_Read = Registry.RegRead(Key_Path & \"\\\" & Key_Name)\r\nEnd Function\r\n\r\nSet shell_arch = CreateObject(\"WScript.Shell\")\r\nIf shell_arch.ExpandEnvironmentStrings(\"%PROCESSOR_ARCHITECTURE%\") = \"AMD64\" then\r\n ConnectionStatus = Registry_Read(\"HKLM\\SOFTWARE\\WOW6432Node\\Network Associates\\ePolicy Orchestrator\\Application Plugins\\MAR_____1000\",\"connection_status\")\r\nElse\r\n ConnectionStatus = Registry_Read(\"HKLM\\SOFTWARE\\Network Associates\\ePolicy Orchestrator\\Application Plugins\\MAR_____1000\",\"connection_status\")\r\nEnd If\r\n\r\nIf ConnectionStatus = \"false\" then\r\n ConnectionStatus = 
\"Quarantined\"\r\nElse\r\n ConnectionStatus = \"Online\"\r\nEnd If\r\n\r\nplatform = \"Windows\"\r\n\r\nWScript.Echo strCompName & \",\" & FirstIP & \",\" & version & \",\" & ConnectionStatus & \",\" & platform\r\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45cae4b0401274ab7183",
- "name" : "HostInfo SysInfo",
- "description" : "Shows Hostname, 1st IP Address and OS version",
- "module" : "SysInfo",
- "function" : "HostInfo",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8ec2",
- "name" : "hostname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8ec3",
- "name" : "ip_address",
- "type" : "IPV4IPV6",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8ec4",
- "name" : "os",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6346",
- "name" : "connection_status",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 4
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6347",
- "name" : "platform",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 5
- } ]
- },
- "sequence" : "2",
- "output" : [ {
- "id" : "58efec8ee4b0c390d69a8ec2",
- "name" : "hostname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1
- } ]
- } ],
- "disjunction" : {
- "conjunctions" : [ {
- "terms" : [ {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8ec2",
- "name" : "hostname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1
- },
- "operator" : "EQUALS",
- "value" : "WIN71",
- "negated" : false,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8ec5",
- "name" : "HostInfo",
- "description" : "Shows Hostname, 1st IP Address, OS version and Connection Status",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e14",
- "name" : "Bash Script",
- "description" : "Executes Bash script on target client",
- "module" : "SystemRuntime",
- "function" : "executeBash",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "#!/bin/bash\n# Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\n#\n# Purpose: Shows information about host\n#\n# Version: 1\n\ngetOsRelease() {\n if [[ -x /usr/bin/lsb_release ]]; then\n lsb_release -sd\n elif [[ -r /etc/system-release ]]; then\n cat /etc/system-release\n else\n echo -e \"Unknown\"\n fi\n}\n\ngetHostName() {\n hostname -s\n}\n\ngetInterfacesInfoCommand() {\n current_os=$(getOsRelease)\n if [[ $current_os == \"Red Hat\"*\"7.\"* ]]; then\n echo -e \"ip addr show\"\n else\n echo -e \"ifconfig\"\n fi\n}\n\ngetInterfacesDir() {\n echo -e \"/sys/class/net\"\n}\n\nisInterfacePhysical() {\n interface_path=\"$1\"\n if [ -z \"$interface_path\" ]; then\n return 1\n fi\n\n real_location=$(readlink \"$interface_path\")\n if [[ \"$real_location\" =~ \"virtual\" ]]; then\n return 1\n else\n return 0\n fi\n}\n\nparsePrimaryIPInterface() {\n interface_name=\"$1\"\n if [ -z \"$interface_name\" ]; then\n return 1\n fi\n cmd=$(getInterfacesInfoCommand)\n eval \"$cmd $interface_name\" | grep -oE \"\\b([0-9]{1,3}\\.){3}[0-9]{1,3}\\b\" | grep -vE \"^2[2-5]\" | head -n 1\n}\n\ngetPrimaryIPHost() {\n interfaces_dir=$(getInterfacesDir)\n physical_interfaces=()\n\n shopt -s nullglob\n for interface in \"$interfaces_dir\"/*; do\n if isInterfacePhysical \"$interface\"; then\n current_interface=$(basename \"$interface\")\n physical_interfaces+=(\"$current_interface\")\n fi\n done\n shopt -u nullglob\n\n i=0\n for interface in \"${physical_interfaces[@]}\"; do\n ips[$i]=$(parsePrimaryIPInterface \"$interface\")\n ((i++))\n done\n\n if [ \"${#ips[@]}\" -ge 1 ]; then\n echo -e \"${ips[0]}\"\n fi\n}\n\n\ngetConnectionStatus() {\n echo \"Online\"\n}\n\ngetPlatform() {\n echo \"Linux\"\n}\n\nprocessHostInfo() {\n name=$(getHostName)\n os=$(getOsRelease)\n ipaddress=$(getPrimaryIPHost)\n connection_status=$(getConnectionStatus)\n platform=$(getPlatform)\n\n echo -e 
\"\\\"$name\\\",\\\"$ipaddress\\\",\\\"$os\\\",\\\"$connection_status\\\",\\\"$platform\\\"\"\n}\n\nmain() {\n if [ \"$1\" == \"--no-exec\" ]; then\n return 0\n fi\n\n processHostInfo\n}\n\nmain \"$@\"\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e12",
- "name" : "Visual Basic Script",
- "description" : "Executes VBS script on target client",
- "module" : "SystemRuntime",
- "function" : "executeVBS",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "' Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\r\n\r\nstrComputer = \".\"\r\nFirstIP=\"\"\r\nCurrentMac=\"\"\r\nConnectionStatus = \"\"\r\nSet objWMIService=GetObject(\"winmgmts:\" & \"{impersonationLevel=impersonate}!\\\\\" & strComputer & \"\\root\\cimv2\")\r\n\r\nSet NetAdapters = objWMIService.ExecQuery(\"Select * From Win32_NetworkAdapter Where NOT PNPDeviceID LIKE 'ROOT\\\\%'\")\r\nFor Each NetAdapter in NetAdapters\r\n CurrentMac = NetAdapter.MACAddress\r\n Set IPConfigSet = objWMIService.ExecQuery(\"Select * from Win32_NetworkAdapterConfiguration Where IPEnabled=TRUE AND MacAddress = '\" & CurrentMac & \"'\")\r\n For Each IPConfig in IPConfigSet\r\n If Not IsNull(IPConfig.IPAddress) Then\r\n For i=LBound(IPConfig.IPAddress) to UBound(IPConfig.IPAddress)\r\n FirstIP=IPConfig.IPAddress(i)\r\n Exit For\r\n Next\r\n End If\r\n Next\r\nNext\r\n\r\nSet objNet = CreateObject(\"WScript.Network\")\r\nstrCompName = objNet.ComputerName\r\n\r\nSet shell = CreateObject(\"WScript.Shell\")\r\nSet getOSVersion = shell.exec(\"%comspec% /D /c ver\")\r\ngetOSVersion.stdout.readLine\r\nversion = getOSVersion.stdout.readLine\r\n\r\nFunction Registry_Read(Key_Path, Key_Name)\r\n On Error Resume Next\r\n Set Registry = CreateObject(\"WScript.Shell\")\r\n Registry_Read = Registry.RegRead(Key_Path & \"\\\" & Key_Name)\r\nEnd Function\r\n\r\nSet shell_arch = CreateObject(\"WScript.Shell\")\r\nIf shell_arch.ExpandEnvironmentStrings(\"%PROCESSOR_ARCHITECTURE%\") = \"AMD64\" then\r\n ConnectionStatus = Registry_Read(\"HKLM\\SOFTWARE\\WOW6432Node\\Network Associates\\ePolicy Orchestrator\\Application Plugins\\MAR_____1000\",\"connection_status\")\r\nElse\r\n ConnectionStatus = Registry_Read(\"HKLM\\SOFTWARE\\Network Associates\\ePolicy Orchestrator\\Application Plugins\\MAR_____1000\",\"connection_status\")\r\nEnd If\r\n\r\nIf ConnectionStatus = \"false\" then\r\n ConnectionStatus = 
\"Quarantined\"\r\nElse\r\n ConnectionStatus = \"Online\"\r\nEnd If\r\n\r\nplatform = \"Windows\"\r\n\r\nWScript.Echo strCompName & \",\" & FirstIP & \",\" & version & \",\" & ConnectionStatus & \",\" & platform\r\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45cae4b0401274ab7183",
- "name" : "HostInfo SysInfo",
- "description" : "Shows Hostname, 1st IP Address and OS version",
- "module" : "SysInfo",
- "function" : "HostInfo",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8ec2",
- "name" : "hostname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8ec3",
- "name" : "ip_address",
- "type" : "IPV4IPV6",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8ec4",
- "name" : "os",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6346",
- "name" : "connection_status",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 4
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6347",
- "name" : "platform",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 5
- } ]
- }
- } ]
- } ]
- },
- "running" : false,
- "createdAt" : 1530900630332,
- "executedAt" : null,
- "status" : "CREATED",
- "ttl" : 60000,
- "startTime" : null,
- "endpointPermission" : null,
- "maGuidsTarget" : null,
- "expectedHostResponses" : 0
- },
- "type" : "com.intel.mar.model.search.Search"
- }, {
- "item" : {
- "catalogVersion" : 1,
- "dbVersion" : 2,
- "id" : "5b3fb096e4b0cbe06dd67322",
- "name" : "Remote Connections",
- "description" : "",
- "type" : null,
- "expression" : "CurrentFlow where CurrentFlow process not equals \"chrome.exe\" and CurrentFlow process not equals \"iexplore.exe\" and CurrentFlow process not equals \"firefox.exe\" and CurrentFlow status equals \"ESTABLISHED\" and CurrentFlow remote_ip not contains 172.16.33.0/24 and CurrentFlow remote_ip not equals 127.0.0.1 and CurrentFlow remote_ip not contains 172.16.34.0/24 and CurrentFlow remote_ip not contains ::1",
- "temporal" : false,
- "invalid" : false,
- "aggregated" : true,
- "projections" : [ {
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8ea4",
- "name" : "CurrentFlow",
- "description" : "Shows the current network flow",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e20",
- "name" : "CurrentFlow",
- "description" : "Gets current network information",
- "module" : "NetworkFlow",
- "function" : "CurrentFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e20",
- "name" : "CurrentFlow",
- "description" : "Gets current network information",
- "module" : "NetworkFlow",
- "function" : "CurrentFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e20",
- "name" : "CurrentFlow",
- "description" : "Gets current network information",
- "module" : "NetworkFlow",
- "function" : "CurrentFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e98",
- "name" : "local_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e99",
- "name" : "local_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e9a",
- "name" : "remote_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e9b",
- "name" : "remote_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e9c",
- "name" : "status",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e9d",
- "name" : "proto",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e9e",
- "name" : "process_id",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e9f",
- "name" : "process",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8ea0",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8ea1",
- "name" : "user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 10
- }, {
- "id" : "58efec8ee4b0c390d69a8ea2",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 11
- }, {
- "id" : "58efec8ee4b0c390d69a8ea3",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "5a1a45cbe4b0401274ab7192",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 13
- } ]
- },
- "sequence" : "1",
- "output" : [ ]
- } ],
- "disjunction" : {
- "conjunctions" : [ {
- "terms" : [ {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8e9f",
- "name" : "process",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- },
- "operator" : "EQUALS",
- "value" : "chrome.exe",
- "negated" : true,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8ea4",
- "name" : "CurrentFlow",
- "description" : "Shows the current network flow",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e20",
- "name" : "CurrentFlow",
- "description" : "Gets current network information",
- "module" : "NetworkFlow",
- "function" : "CurrentFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e20",
- "name" : "CurrentFlow",
- "description" : "Gets current network information",
- "module" : "NetworkFlow",
- "function" : "CurrentFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e20",
- "name" : "CurrentFlow",
- "description" : "Gets current network information",
- "module" : "NetworkFlow",
- "function" : "CurrentFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e98",
- "name" : "local_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e99",
- "name" : "local_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e9a",
- "name" : "remote_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e9b",
- "name" : "remote_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e9c",
- "name" : "status",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e9d",
- "name" : "proto",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e9e",
- "name" : "process_id",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e9f",
- "name" : "process",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8ea0",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8ea1",
- "name" : "user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 10
- }, {
- "id" : "58efec8ee4b0c390d69a8ea2",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 11
- }, {
- "id" : "58efec8ee4b0c390d69a8ea3",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "5a1a45cbe4b0401274ab7192",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 13
- } ]
- }
- }, {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8e9f",
- "name" : "process",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- },
- "operator" : "EQUALS",
- "value" : "iexplore.exe",
- "negated" : true,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8ea4",
- "name" : "CurrentFlow",
- "description" : "Shows the current network flow",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e20",
- "name" : "CurrentFlow",
- "description" : "Gets current network information",
- "module" : "NetworkFlow",
- "function" : "CurrentFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e20",
- "name" : "CurrentFlow",
- "description" : "Gets current network information",
- "module" : "NetworkFlow",
- "function" : "CurrentFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e20",
- "name" : "CurrentFlow",
- "description" : "Gets current network information",
- "module" : "NetworkFlow",
- "function" : "CurrentFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e98",
- "name" : "local_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e99",
- "name" : "local_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e9a",
- "name" : "remote_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e9b",
- "name" : "remote_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e9c",
- "name" : "status",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e9d",
- "name" : "proto",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e9e",
- "name" : "process_id",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e9f",
- "name" : "process",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8ea0",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8ea1",
- "name" : "user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 10
- }, {
- "id" : "58efec8ee4b0c390d69a8ea2",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 11
- }, {
- "id" : "58efec8ee4b0c390d69a8ea3",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "5a1a45cbe4b0401274ab7192",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 13
- } ]
- }
- }, {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8e9f",
- "name" : "process",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- },
- "operator" : "EQUALS",
- "value" : "firefox.exe",
- "negated" : true,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8ea4",
- "name" : "CurrentFlow",
- "description" : "Shows the current network flow",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e20",
- "name" : "CurrentFlow",
- "description" : "Gets current network information",
- "module" : "NetworkFlow",
- "function" : "CurrentFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e20",
- "name" : "CurrentFlow",
- "description" : "Gets current network information",
- "module" : "NetworkFlow",
- "function" : "CurrentFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e20",
- "name" : "CurrentFlow",
- "description" : "Gets current network information",
- "module" : "NetworkFlow",
- "function" : "CurrentFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e98",
- "name" : "local_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e99",
- "name" : "local_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e9a",
- "name" : "remote_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e9b",
- "name" : "remote_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e9c",
- "name" : "status",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e9d",
- "name" : "proto",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e9e",
- "name" : "process_id",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e9f",
- "name" : "process",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8ea0",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8ea1",
- "name" : "user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 10
- }, {
- "id" : "58efec8ee4b0c390d69a8ea2",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 11
- }, {
- "id" : "58efec8ee4b0c390d69a8ea3",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "5a1a45cbe4b0401274ab7192",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 13
- } ]
- }
- }, {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8e9c",
- "name" : "status",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 5
- },
- "operator" : "EQUALS",
- "value" : "ESTABLISHED",
- "negated" : false,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8ea4",
- "name" : "CurrentFlow",
- "description" : "Shows the current network flow",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e20",
- "name" : "CurrentFlow",
- "description" : "Gets current network information",
- "module" : "NetworkFlow",
- "function" : "CurrentFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e20",
- "name" : "CurrentFlow",
- "description" : "Gets current network information",
- "module" : "NetworkFlow",
- "function" : "CurrentFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e20",
- "name" : "CurrentFlow",
- "description" : "Gets current network information",
- "module" : "NetworkFlow",
- "function" : "CurrentFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e98",
- "name" : "local_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e99",
- "name" : "local_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e9a",
- "name" : "remote_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e9b",
- "name" : "remote_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e9c",
- "name" : "status",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e9d",
- "name" : "proto",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e9e",
- "name" : "process_id",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e9f",
- "name" : "process",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8ea0",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8ea1",
- "name" : "user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 10
- }, {
- "id" : "58efec8ee4b0c390d69a8ea2",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 11
- }, {
- "id" : "58efec8ee4b0c390d69a8ea3",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "5a1a45cbe4b0401274ab7192",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 13
- } ]
- }
- }, {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8e9a",
- "name" : "remote_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 3
- },
- "operator" : "CONTAINS",
- "value" : "172.16.33.0/24",
- "negated" : true,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8ea4",
- "name" : "CurrentFlow",
- "description" : "Shows the current network flow",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e20",
- "name" : "CurrentFlow",
- "description" : "Gets current network information",
- "module" : "NetworkFlow",
- "function" : "CurrentFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e20",
- "name" : "CurrentFlow",
- "description" : "Gets current network information",
- "module" : "NetworkFlow",
- "function" : "CurrentFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e20",
- "name" : "CurrentFlow",
- "description" : "Gets current network information",
- "module" : "NetworkFlow",
- "function" : "CurrentFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e98",
- "name" : "local_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e99",
- "name" : "local_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e9a",
- "name" : "remote_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e9b",
- "name" : "remote_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e9c",
- "name" : "status",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e9d",
- "name" : "proto",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e9e",
- "name" : "process_id",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e9f",
- "name" : "process",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8ea0",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8ea1",
- "name" : "user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 10
- }, {
- "id" : "58efec8ee4b0c390d69a8ea2",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 11
- }, {
- "id" : "58efec8ee4b0c390d69a8ea3",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "5a1a45cbe4b0401274ab7192",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 13
- } ]
- }
- }, {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8e9a",
- "name" : "remote_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 3
- },
- "operator" : "EQUALS",
- "value" : "127.0.0.1",
- "negated" : true,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8ea4",
- "name" : "CurrentFlow",
- "description" : "Shows the current network flow",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e20",
- "name" : "CurrentFlow",
- "description" : "Gets current network information",
- "module" : "NetworkFlow",
- "function" : "CurrentFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e20",
- "name" : "CurrentFlow",
- "description" : "Gets current network information",
- "module" : "NetworkFlow",
- "function" : "CurrentFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e20",
- "name" : "CurrentFlow",
- "description" : "Gets current network information",
- "module" : "NetworkFlow",
- "function" : "CurrentFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e98",
- "name" : "local_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e99",
- "name" : "local_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e9a",
- "name" : "remote_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e9b",
- "name" : "remote_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e9c",
- "name" : "status",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e9d",
- "name" : "proto",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e9e",
- "name" : "process_id",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e9f",
- "name" : "process",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8ea0",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8ea1",
- "name" : "user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 10
- }, {
- "id" : "58efec8ee4b0c390d69a8ea2",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 11
- }, {
- "id" : "58efec8ee4b0c390d69a8ea3",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "5a1a45cbe4b0401274ab7192",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 13
- } ]
- }
- }, {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8e9a",
- "name" : "remote_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 3
- },
- "operator" : "CONTAINS",
- "value" : "172.16.34.0/24",
- "negated" : true,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8ea4",
- "name" : "CurrentFlow",
- "description" : "Shows the current network flow",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e20",
- "name" : "CurrentFlow",
- "description" : "Gets current network information",
- "module" : "NetworkFlow",
- "function" : "CurrentFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e20",
- "name" : "CurrentFlow",
- "description" : "Gets current network information",
- "module" : "NetworkFlow",
- "function" : "CurrentFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e20",
- "name" : "CurrentFlow",
- "description" : "Gets current network information",
- "module" : "NetworkFlow",
- "function" : "CurrentFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e98",
- "name" : "local_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e99",
- "name" : "local_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e9a",
- "name" : "remote_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e9b",
- "name" : "remote_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e9c",
- "name" : "status",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e9d",
- "name" : "proto",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e9e",
- "name" : "process_id",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e9f",
- "name" : "process",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8ea0",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8ea1",
- "name" : "user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 10
- }, {
- "id" : "58efec8ee4b0c390d69a8ea2",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 11
- }, {
- "id" : "58efec8ee4b0c390d69a8ea3",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "5a1a45cbe4b0401274ab7192",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 13
- } ]
- }
- }, {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8e9a",
- "name" : "remote_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 3
- },
- "operator" : "CONTAINS",
- "value" : "::1",
- "negated" : true,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8ea4",
- "name" : "CurrentFlow",
- "description" : "Shows the current network flow",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e20",
- "name" : "CurrentFlow",
- "description" : "Gets current network information",
- "module" : "NetworkFlow",
- "function" : "CurrentFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e20",
- "name" : "CurrentFlow",
- "description" : "Gets current network information",
- "module" : "NetworkFlow",
- "function" : "CurrentFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e20",
- "name" : "CurrentFlow",
- "description" : "Gets current network information",
- "module" : "NetworkFlow",
- "function" : "CurrentFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e98",
- "name" : "local_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e99",
- "name" : "local_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e9a",
- "name" : "remote_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e9b",
- "name" : "remote_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e9c",
- "name" : "status",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e9d",
- "name" : "proto",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e9e",
- "name" : "process_id",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e9f",
- "name" : "process",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8ea0",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8ea1",
- "name" : "user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 10
- }, {
- "id" : "58efec8ee4b0c390d69a8ea2",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 11
- }, {
- "id" : "58efec8ee4b0c390d69a8ea3",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "5a1a45cbe4b0401274ab7192",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 13
- } ]
- }
- } ]
- } ]
- },
- "running" : false,
- "createdAt" : 1530900630336,
- "executedAt" : null,
- "status" : "CREATED",
- "ttl" : 60000,
- "startTime" : null,
- "endpointPermission" : null,
- "maGuidsTarget" : null,
- "expectedHostResponses" : 0
- },
- "type" : "com.intel.mar.model.search.Search"
- }, {
- "item" : {
- "catalogVersion" : 1,
- "dbVersion" : 2,
- "id" : "5b3fb096e4b0cbe06dd67323",
- "name" : "Test search",
- "description" : "",
- "type" : null,
- "expression" : null,
- "temporal" : false,
- "invalid" : false,
- "aggregated" : true,
- "projections" : [ {
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8ec5",
- "name" : "HostInfo",
- "description" : "Shows Hostname, 1st IP Address, OS version and Connection Status",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e14",
- "name" : "Bash Script",
- "description" : "Executes Bash script on target client",
- "module" : "SystemRuntime",
- "function" : "executeBash",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "#!/bin/bash\n# Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\n#\n# Purpose: Shows information about host\n#\n# Version: 1\n\ngetOsRelease() {\n if [[ -x /usr/bin/lsb_release ]]; then\n lsb_release -sd\n elif [[ -r /etc/system-release ]]; then\n cat /etc/system-release\n else\n echo -e \"Unknown\"\n fi\n}\n\ngetHostName() {\n hostname -s\n}\n\ngetInterfacesInfoCommand() {\n current_os=$(getOsRelease)\n if [[ $current_os == \"Red Hat\"*\"7.\"* ]]; then\n echo -e \"ip addr show\"\n else\n echo -e \"ifconfig\"\n fi\n}\n\ngetInterfacesDir() {\n echo -e \"/sys/class/net\"\n}\n\nisInterfacePhysical() {\n interface_path=\"$1\"\n if [ -z \"$interface_path\" ]; then\n return 1\n fi\n\n real_location=$(readlink \"$interface_path\")\n if [[ \"$real_location\" =~ \"virtual\" ]]; then\n return 1\n else\n return 0\n fi\n}\n\nparsePrimaryIPInterface() {\n interface_name=\"$1\"\n if [ -z \"$interface_name\" ]; then\n return 1\n fi\n cmd=$(getInterfacesInfoCommand)\n eval \"$cmd $interface_name\" | grep -oE \"\\b([0-9]{1,3}\\.){3}[0-9]{1,3}\\b\" | grep -vE \"^2[2-5]\" | head -n 1\n}\n\ngetPrimaryIPHost() {\n interfaces_dir=$(getInterfacesDir)\n physical_interfaces=()\n\n shopt -s nullglob\n for interface in \"$interfaces_dir\"/*; do\n if isInterfacePhysical \"$interface\"; then\n current_interface=$(basename \"$interface\")\n physical_interfaces+=(\"$current_interface\")\n fi\n done\n shopt -u nullglob\n\n i=0\n for interface in \"${physical_interfaces[@]}\"; do\n ips[$i]=$(parsePrimaryIPInterface \"$interface\")\n ((i++))\n done\n\n if [ \"${#ips[@]}\" -ge 1 ]; then\n echo -e \"${ips[0]}\"\n fi\n}\n\n\ngetConnectionStatus() {\n echo \"Online\"\n}\n\ngetPlatform() {\n echo \"Linux\"\n}\n\nprocessHostInfo() {\n name=$(getHostName)\n os=$(getOsRelease)\n ipaddress=$(getPrimaryIPHost)\n connection_status=$(getConnectionStatus)\n platform=$(getPlatform)\n\n echo -e 
\"\\\"$name\\\",\\\"$ipaddress\\\",\\\"$os\\\",\\\"$connection_status\\\",\\\"$platform\\\"\"\n}\n\nmain() {\n if [ \"$1\" == \"--no-exec\" ]; then\n return 0\n fi\n\n processHostInfo\n}\n\nmain \"$@\"\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e12",
- "name" : "Visual Basic Script",
- "description" : "Executes VBS script on target client",
- "module" : "SystemRuntime",
- "function" : "executeVBS",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "' Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\r\n\r\nstrComputer = \".\"\r\nFirstIP=\"\"\r\nCurrentMac=\"\"\r\nConnectionStatus = \"\"\r\nSet objWMIService=GetObject(\"winmgmts:\" & \"{impersonationLevel=impersonate}!\\\\\" & strComputer & \"\\root\\cimv2\")\r\n\r\nSet NetAdapters = objWMIService.ExecQuery(\"Select * From Win32_NetworkAdapter Where NOT PNPDeviceID LIKE 'ROOT\\\\%'\")\r\nFor Each NetAdapter in NetAdapters\r\n CurrentMac = NetAdapter.MACAddress\r\n Set IPConfigSet = objWMIService.ExecQuery(\"Select * from Win32_NetworkAdapterConfiguration Where IPEnabled=TRUE AND MacAddress = '\" & CurrentMac & \"'\")\r\n For Each IPConfig in IPConfigSet\r\n If Not IsNull(IPConfig.IPAddress) Then\r\n For i=LBound(IPConfig.IPAddress) to UBound(IPConfig.IPAddress)\r\n FirstIP=IPConfig.IPAddress(i)\r\n Exit For\r\n Next\r\n End If\r\n Next\r\nNext\r\n\r\nSet objNet = CreateObject(\"WScript.Network\")\r\nstrCompName = objNet.ComputerName\r\n\r\nSet shell = CreateObject(\"WScript.Shell\")\r\nSet getOSVersion = shell.exec(\"%comspec% /D /c ver\")\r\ngetOSVersion.stdout.readLine\r\nversion = getOSVersion.stdout.readLine\r\n\r\nFunction Registry_Read(Key_Path, Key_Name)\r\n On Error Resume Next\r\n Set Registry = CreateObject(\"WScript.Shell\")\r\n Registry_Read = Registry.RegRead(Key_Path & \"\\\" & Key_Name)\r\nEnd Function\r\n\r\nSet shell_arch = CreateObject(\"WScript.Shell\")\r\nIf shell_arch.ExpandEnvironmentStrings(\"%PROCESSOR_ARCHITECTURE%\") = \"AMD64\" then\r\n ConnectionStatus = Registry_Read(\"HKLM\\SOFTWARE\\WOW6432Node\\Network Associates\\ePolicy Orchestrator\\Application Plugins\\MAR_____1000\",\"connection_status\")\r\nElse\r\n ConnectionStatus = Registry_Read(\"HKLM\\SOFTWARE\\Network Associates\\ePolicy Orchestrator\\Application Plugins\\MAR_____1000\",\"connection_status\")\r\nEnd If\r\n\r\nIf ConnectionStatus = \"false\" then\r\n ConnectionStatus = 
\"Quarantined\"\r\nElse\r\n ConnectionStatus = \"Online\"\r\nEnd If\r\n\r\nplatform = \"Windows\"\r\n\r\nWScript.Echo strCompName & \",\" & FirstIP & \",\" & version & \",\" & ConnectionStatus & \",\" & platform\r\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45cae4b0401274ab7183",
- "name" : "HostInfo SysInfo",
- "description" : "Shows Hostname, 1st IP Address and OS version",
- "module" : "SysInfo",
- "function" : "HostInfo",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8ec2",
- "name" : "hostname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8ec3",
- "name" : "ip_address",
- "type" : "IPV4IPV6",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8ec4",
- "name" : "os",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6346",
- "name" : "connection_status",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 4
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6347",
- "name" : "platform",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 5
- } ]
- },
- "sequence" : "1",
- "output" : [ ]
- }, {
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e97",
- "name" : "NetworkFlow",
- "description" : "Shows the network flow",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e85",
- "name" : "time",
- "type" : "DATE",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e86",
- "name" : "direction",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e87",
- "name" : "src_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e88",
- "name" : "src_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e89",
- "name" : "dst_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e8a",
- "name" : "dst_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e8b",
- "name" : "status",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e8c",
- "name" : "proto",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8e8d",
- "name" : "ip_class",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8e8e",
- "name" : "seq_number",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 10
- }, {
- "id" : "58efec8ee4b0c390d69a8e8f",
- "name" : "src_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 11
- }, {
- "id" : "58efec8ee4b0c390d69a8e90",
- "name" : "dst_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "58efec8ee4b0c390d69a8e91",
- "name" : "process",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 13
- }, {
- "id" : "58efec8ee4b0c390d69a8e92",
- "name" : "process_id",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 14
- }, {
- "id" : "58efec8ee4b0c390d69a8e93",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 15
- }, {
- "id" : "58efec8ee4b0c390d69a8e94",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 16
- }, {
- "id" : "58efec8ee4b0c390d69a8e95",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 17
- }, {
- "id" : "58efec8ee4b0c390d69a8e96",
- "name" : "user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 18
- }, {
- "id" : "5a1a45cbe4b0401274ab7191",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 19
- } ]
- },
- "sequence" : "2",
- "output" : [ {
- "id" : "58efec8ee4b0c390d69a8e87",
- "name" : "src_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e89",
- "name" : "dst_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e88",
- "name" : "src_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e8a",
- "name" : "dst_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e8d",
- "name" : "ip_class",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8e86",
- "name" : "direction",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e8b",
- "name" : "status",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e8c",
- "name" : "proto",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8e95",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 17
- } ]
- } ],
- "disjunction" : {
- "conjunctions" : [ {
- "terms" : [ {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8ec2",
- "name" : "hostname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1
- },
- "operator" : "EQUALS",
- "value" : "WIN72",
- "negated" : false,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8ec5",
- "name" : "HostInfo",
- "description" : "Shows Hostname, 1st IP Address, OS version and Connection Status",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e14",
- "name" : "Bash Script",
- "description" : "Executes Bash script on target client",
- "module" : "SystemRuntime",
- "function" : "executeBash",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "#!/bin/bash\n# Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\n#\n# Purpose: Shows information about host\n#\n# Version: 1\n\ngetOsRelease() {\n if [[ -x /usr/bin/lsb_release ]]; then\n lsb_release -sd\n elif [[ -r /etc/system-release ]]; then\n cat /etc/system-release\n else\n echo -e \"Unknown\"\n fi\n}\n\ngetHostName() {\n hostname -s\n}\n\ngetInterfacesInfoCommand() {\n current_os=$(getOsRelease)\n if [[ $current_os == \"Red Hat\"*\"7.\"* ]]; then\n echo -e \"ip addr show\"\n else\n echo -e \"ifconfig\"\n fi\n}\n\ngetInterfacesDir() {\n echo -e \"/sys/class/net\"\n}\n\nisInterfacePhysical() {\n interface_path=\"$1\"\n if [ -z \"$interface_path\" ]; then\n return 1\n fi\n\n real_location=$(readlink \"$interface_path\")\n if [[ \"$real_location\" =~ \"virtual\" ]]; then\n return 1\n else\n return 0\n fi\n}\n\nparsePrimaryIPInterface() {\n interface_name=\"$1\"\n if [ -z \"$interface_name\" ]; then\n return 1\n fi\n cmd=$(getInterfacesInfoCommand)\n eval \"$cmd $interface_name\" | grep -oE \"\\b([0-9]{1,3}\\.){3}[0-9]{1,3}\\b\" | grep -vE \"^2[2-5]\" | head -n 1\n}\n\ngetPrimaryIPHost() {\n interfaces_dir=$(getInterfacesDir)\n physical_interfaces=()\n\n shopt -s nullglob\n for interface in \"$interfaces_dir\"/*; do\n if isInterfacePhysical \"$interface\"; then\n current_interface=$(basename \"$interface\")\n physical_interfaces+=(\"$current_interface\")\n fi\n done\n shopt -u nullglob\n\n i=0\n for interface in \"${physical_interfaces[@]}\"; do\n ips[$i]=$(parsePrimaryIPInterface \"$interface\")\n ((i++))\n done\n\n if [ \"${#ips[@]}\" -ge 1 ]; then\n echo -e \"${ips[0]}\"\n fi\n}\n\n\ngetConnectionStatus() {\n echo \"Online\"\n}\n\ngetPlatform() {\n echo \"Linux\"\n}\n\nprocessHostInfo() {\n name=$(getHostName)\n os=$(getOsRelease)\n ipaddress=$(getPrimaryIPHost)\n connection_status=$(getConnectionStatus)\n platform=$(getPlatform)\n\n echo -e 
\"\\\"$name\\\",\\\"$ipaddress\\\",\\\"$os\\\",\\\"$connection_status\\\",\\\"$platform\\\"\"\n}\n\nmain() {\n if [ \"$1\" == \"--no-exec\" ]; then\n return 0\n fi\n\n processHostInfo\n}\n\nmain \"$@\"\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e12",
- "name" : "Visual Basic Script",
- "description" : "Executes VBS script on target client",
- "module" : "SystemRuntime",
- "function" : "executeVBS",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "' Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\r\n\r\nstrComputer = \".\"\r\nFirstIP=\"\"\r\nCurrentMac=\"\"\r\nConnectionStatus = \"\"\r\nSet objWMIService=GetObject(\"winmgmts:\" & \"{impersonationLevel=impersonate}!\\\\\" & strComputer & \"\\root\\cimv2\")\r\n\r\nSet NetAdapters = objWMIService.ExecQuery(\"Select * From Win32_NetworkAdapter Where NOT PNPDeviceID LIKE 'ROOT\\\\%'\")\r\nFor Each NetAdapter in NetAdapters\r\n CurrentMac = NetAdapter.MACAddress\r\n Set IPConfigSet = objWMIService.ExecQuery(\"Select * from Win32_NetworkAdapterConfiguration Where IPEnabled=TRUE AND MacAddress = '\" & CurrentMac & \"'\")\r\n For Each IPConfig in IPConfigSet\r\n If Not IsNull(IPConfig.IPAddress) Then\r\n For i=LBound(IPConfig.IPAddress) to UBound(IPConfig.IPAddress)\r\n FirstIP=IPConfig.IPAddress(i)\r\n Exit For\r\n Next\r\n End If\r\n Next\r\nNext\r\n\r\nSet objNet = CreateObject(\"WScript.Network\")\r\nstrCompName = objNet.ComputerName\r\n\r\nSet shell = CreateObject(\"WScript.Shell\")\r\nSet getOSVersion = shell.exec(\"%comspec% /D /c ver\")\r\ngetOSVersion.stdout.readLine\r\nversion = getOSVersion.stdout.readLine\r\n\r\nFunction Registry_Read(Key_Path, Key_Name)\r\n On Error Resume Next\r\n Set Registry = CreateObject(\"WScript.Shell\")\r\n Registry_Read = Registry.RegRead(Key_Path & \"\\\" & Key_Name)\r\nEnd Function\r\n\r\nSet shell_arch = CreateObject(\"WScript.Shell\")\r\nIf shell_arch.ExpandEnvironmentStrings(\"%PROCESSOR_ARCHITECTURE%\") = \"AMD64\" then\r\n ConnectionStatus = Registry_Read(\"HKLM\\SOFTWARE\\WOW6432Node\\Network Associates\\ePolicy Orchestrator\\Application Plugins\\MAR_____1000\",\"connection_status\")\r\nElse\r\n ConnectionStatus = Registry_Read(\"HKLM\\SOFTWARE\\Network Associates\\ePolicy Orchestrator\\Application Plugins\\MAR_____1000\",\"connection_status\")\r\nEnd If\r\n\r\nIf ConnectionStatus = \"false\" then\r\n ConnectionStatus = 
\"Quarantined\"\r\nElse\r\n ConnectionStatus = \"Online\"\r\nEnd If\r\n\r\nplatform = \"Windows\"\r\n\r\nWScript.Echo strCompName & \",\" & FirstIP & \",\" & version & \",\" & ConnectionStatus & \",\" & platform\r\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45cae4b0401274ab7183",
- "name" : "HostInfo SysInfo",
- "description" : "Shows Hostname, 1st IP Address and OS version",
- "module" : "SysInfo",
- "function" : "HostInfo",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8ec2",
- "name" : "hostname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8ec3",
- "name" : "ip_address",
- "type" : "IPV4IPV6",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8ec4",
- "name" : "os",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6346",
- "name" : "connection_status",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 4
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6347",
- "name" : "platform",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 5
- } ]
- }
- }, {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8e85",
- "name" : "time",
- "type" : "DATE",
- "byDefault" : true,
- "sequence" : 1
- },
- "operator" : "AFTER",
- "value" : "2017-10-30 20:00:00",
- "negated" : false,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e97",
- "name" : "NetworkFlow",
- "description" : "Shows the network flow",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e85",
- "name" : "time",
- "type" : "DATE",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e86",
- "name" : "direction",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e87",
- "name" : "src_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e88",
- "name" : "src_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e89",
- "name" : "dst_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e8a",
- "name" : "dst_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e8b",
- "name" : "status",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e8c",
- "name" : "proto",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8e8d",
- "name" : "ip_class",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8e8e",
- "name" : "seq_number",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 10
- }, {
- "id" : "58efec8ee4b0c390d69a8e8f",
- "name" : "src_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 11
- }, {
- "id" : "58efec8ee4b0c390d69a8e90",
- "name" : "dst_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "58efec8ee4b0c390d69a8e91",
- "name" : "process",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 13
- }, {
- "id" : "58efec8ee4b0c390d69a8e92",
- "name" : "process_id",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 14
- }, {
- "id" : "58efec8ee4b0c390d69a8e93",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 15
- }, {
- "id" : "58efec8ee4b0c390d69a8e94",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 16
- }, {
- "id" : "58efec8ee4b0c390d69a8e95",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 17
- }, {
- "id" : "58efec8ee4b0c390d69a8e96",
- "name" : "user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 18
- }, {
- "id" : "5a1a45cbe4b0401274ab7191",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 19
- } ]
- }
- }, {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8e85",
- "name" : "time",
- "type" : "DATE",
- "byDefault" : true,
- "sequence" : 1
- },
- "operator" : "BEFORE",
- "value" : "2017-10-30 20:10:00",
- "negated" : false,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e97",
- "name" : "NetworkFlow",
- "description" : "Shows the network flow",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e85",
- "name" : "time",
- "type" : "DATE",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e86",
- "name" : "direction",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e87",
- "name" : "src_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e88",
- "name" : "src_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e89",
- "name" : "dst_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e8a",
- "name" : "dst_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e8b",
- "name" : "status",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e8c",
- "name" : "proto",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8e8d",
- "name" : "ip_class",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8e8e",
- "name" : "seq_number",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 10
- }, {
- "id" : "58efec8ee4b0c390d69a8e8f",
- "name" : "src_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 11
- }, {
- "id" : "58efec8ee4b0c390d69a8e90",
- "name" : "dst_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "58efec8ee4b0c390d69a8e91",
- "name" : "process",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 13
- }, {
- "id" : "58efec8ee4b0c390d69a8e92",
- "name" : "process_id",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 14
- }, {
- "id" : "58efec8ee4b0c390d69a8e93",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 15
- }, {
- "id" : "58efec8ee4b0c390d69a8e94",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 16
- }, {
- "id" : "58efec8ee4b0c390d69a8e95",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 17
- }, {
- "id" : "58efec8ee4b0c390d69a8e96",
- "name" : "user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 18
- }, {
- "id" : "5a1a45cbe4b0401274ab7191",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 19
- } ]
- }
- }, {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8e8d",
- "name" : "ip_class",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 9
- },
- "operator" : "EQUALS",
- "value" : "0",
- "negated" : false,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e97",
- "name" : "NetworkFlow",
- "description" : "Shows the network flow",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e85",
- "name" : "time",
- "type" : "DATE",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e86",
- "name" : "direction",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e87",
- "name" : "src_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e88",
- "name" : "src_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e89",
- "name" : "dst_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e8a",
- "name" : "dst_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e8b",
- "name" : "status",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e8c",
- "name" : "proto",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8e8d",
- "name" : "ip_class",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8e8e",
- "name" : "seq_number",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 10
- }, {
- "id" : "58efec8ee4b0c390d69a8e8f",
- "name" : "src_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 11
- }, {
- "id" : "58efec8ee4b0c390d69a8e90",
- "name" : "dst_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "58efec8ee4b0c390d69a8e91",
- "name" : "process",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 13
- }, {
- "id" : "58efec8ee4b0c390d69a8e92",
- "name" : "process_id",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 14
- }, {
- "id" : "58efec8ee4b0c390d69a8e93",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 15
- }, {
- "id" : "58efec8ee4b0c390d69a8e94",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 16
- }, {
- "id" : "58efec8ee4b0c390d69a8e95",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 17
- }, {
- "id" : "58efec8ee4b0c390d69a8e96",
- "name" : "user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 18
- }, {
- "id" : "5a1a45cbe4b0401274ab7191",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 19
- } ]
- }
- }, {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8e89",
- "name" : "dst_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 5
- },
- "operator" : "CONTAINS",
- "value" : "10.0.0.0/24",
- "negated" : true,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e97",
- "name" : "NetworkFlow",
- "description" : "Shows the network flow",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e85",
- "name" : "time",
- "type" : "DATE",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e86",
- "name" : "direction",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e87",
- "name" : "src_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e88",
- "name" : "src_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e89",
- "name" : "dst_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e8a",
- "name" : "dst_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e8b",
- "name" : "status",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e8c",
- "name" : "proto",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8e8d",
- "name" : "ip_class",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8e8e",
- "name" : "seq_number",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 10
- }, {
- "id" : "58efec8ee4b0c390d69a8e8f",
- "name" : "src_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 11
- }, {
- "id" : "58efec8ee4b0c390d69a8e90",
- "name" : "dst_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "58efec8ee4b0c390d69a8e91",
- "name" : "process",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 13
- }, {
- "id" : "58efec8ee4b0c390d69a8e92",
- "name" : "process_id",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 14
- }, {
- "id" : "58efec8ee4b0c390d69a8e93",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 15
- }, {
- "id" : "58efec8ee4b0c390d69a8e94",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 16
- }, {
- "id" : "58efec8ee4b0c390d69a8e95",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 17
- }, {
- "id" : "58efec8ee4b0c390d69a8e96",
- "name" : "user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 18
- }, {
- "id" : "5a1a45cbe4b0401274ab7191",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 19
- } ]
- }
- } ]
- } ]
- },
- "running" : false,
- "createdAt" : 1530900630369,
- "executedAt" : null,
- "status" : "CREATED",
- "ttl" : 60000,
- "startTime" : null,
- "endpointPermission" : null,
- "maGuidsTarget" : null,
- "expectedHostResponses" : 0
- },
- "type" : "com.intel.mar.model.search.Search"
- }, {
- "item" : {
- "catalogVersion" : 1,
- "dbVersion" : 2,
- "id" : "5b3fb096e4b0cbe06dd67324",
- "name" : "UNUSUAL BEHAVIOR - Files created and deleted same day",
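- "description" : "**Change dates!\nThough not always an indicator of wrongdoing, this is potentially evidence of evasion.\nNote: the expression only requires created_at and deleted_at to both fall after the chosen date; it does not compare the two dates to each other.",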
- "type" : null,
- "expression" : "Files full_name, created_at, deleted_at where Files created_at after \"2015-10-11\" and Files deleted_at after \"2015-10-11\" ",
- "temporal" : false,
- "invalid" : false,
- "aggregated" : true,
- "projections" : [ {
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e84",
- "name" : "Files",
- "description" : "Shows the existing files",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e15",
- "name" : "Files",
- "description" : "Gets the list of files",
- "module" : "FileHashing",
- "function" : "FindFiles",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e15",
- "name" : "Files",
- "description" : "Gets the list of files",
- "module" : "FileHashing",
- "function" : "FindFiles",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e15",
- "name" : "Files",
- "description" : "Gets the list of files",
- "module" : "FileHashing",
- "function" : "FindFiles",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e7a",
- "name" : "name",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e7b",
- "name" : "dir",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e7c",
- "name" : "full_name",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e7d",
- "name" : "size",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e7e",
- "name" : "last_write",
- "type" : "DATE",
- "byDefault" : false,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e7f",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e80",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e81",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8e82",
- "name" : "created_at",
- "type" : "DATE",
- "byDefault" : false,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8e83",
- "name" : "deleted_at",
- "type" : "DATE",
- "byDefault" : true,
- "sequence" : 10
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6333",
- "name" : "status",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 11
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6334",
- "name" : "create_process_pid",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6335",
- "name" : "create_process_sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 13
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6336",
- "name" : "create_process_full_path",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 14
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6337",
- "name" : "modify_process_pid",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 15
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6338",
- "name" : "modify_process_sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 16
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6339",
- "name" : "modify_process_full_path",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 17
- }, {
- "id" : "5b3f9b64e4b0dfaf321a633a",
- "name" : "delete_process_pid",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 18
- }, {
- "id" : "5b3f9b64e4b0dfaf321a633b",
- "name" : "delete_process_sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 19
- }, {
- "id" : "5b3f9b64e4b0dfaf321a633c",
- "name" : "delete_process_full_path",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 20
- }, {
- "id" : "5b3f9b64e4b0dfaf321a633d",
- "name" : "create_user_domain",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 21
- }, {
- "id" : "5b3f9b64e4b0dfaf321a633e",
- "name" : "create_user_name",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 22
- }, {
- "id" : "5b3f9b64e4b0dfaf321a633f",
- "name" : "create_user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 23
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6340",
- "name" : "modify_user_domain",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 24
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6341",
- "name" : "modify_user_name",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 25
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6342",
- "name" : "modify_user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 26
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6343",
- "name" : "delete_user_domain",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 27
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6344",
- "name" : "delete_user_name",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 28
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6345",
- "name" : "delete_user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 29
- } ]
- },
- "sequence" : "1",
- "output" : [ {
- "id" : "58efec8ee4b0c390d69a8e7c",
- "name" : "full_name",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e82",
- "name" : "created_at",
- "type" : "DATE",
- "byDefault" : false,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8e83",
- "name" : "deleted_at",
- "type" : "DATE",
- "byDefault" : true,
- "sequence" : 10
- } ]
- } ],
- "disjunction" : {
- "conjunctions" : [ {
- "terms" : [ {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8e82",
- "name" : "created_at",
- "type" : "DATE",
- "byDefault" : false,
- "sequence" : 9
- },
- "operator" : "AFTER",
- "value" : "2015-10-11 00:00:00",
- "negated" : false,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e84",
- "name" : "Files",
- "description" : "Shows the existing files",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e15",
- "name" : "Files",
- "description" : "Gets the list of files",
- "module" : "FileHashing",
- "function" : "FindFiles",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e15",
- "name" : "Files",
- "description" : "Gets the list of files",
- "module" : "FileHashing",
- "function" : "FindFiles",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e15",
- "name" : "Files",
- "description" : "Gets the list of files",
- "module" : "FileHashing",
- "function" : "FindFiles",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e7a",
- "name" : "name",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e7b",
- "name" : "dir",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e7c",
- "name" : "full_name",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e7d",
- "name" : "size",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e7e",
- "name" : "last_write",
- "type" : "DATE",
- "byDefault" : false,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e7f",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e80",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e81",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8e82",
- "name" : "created_at",
- "type" : "DATE",
- "byDefault" : false,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8e83",
- "name" : "deleted_at",
- "type" : "DATE",
- "byDefault" : true,
- "sequence" : 10
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6333",
- "name" : "status",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 11
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6334",
- "name" : "create_process_pid",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6335",
- "name" : "create_process_sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 13
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6336",
- "name" : "create_process_full_path",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 14
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6337",
- "name" : "modify_process_pid",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 15
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6338",
- "name" : "modify_process_sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 16
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6339",
- "name" : "modify_process_full_path",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 17
- }, {
- "id" : "5b3f9b64e4b0dfaf321a633a",
- "name" : "delete_process_pid",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 18
- }, {
- "id" : "5b3f9b64e4b0dfaf321a633b",
- "name" : "delete_process_sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 19
- }, {
- "id" : "5b3f9b64e4b0dfaf321a633c",
- "name" : "delete_process_full_path",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 20
- }, {
- "id" : "5b3f9b64e4b0dfaf321a633d",
- "name" : "create_user_domain",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 21
- }, {
- "id" : "5b3f9b64e4b0dfaf321a633e",
- "name" : "create_user_name",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 22
- }, {
- "id" : "5b3f9b64e4b0dfaf321a633f",
- "name" : "create_user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 23
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6340",
- "name" : "modify_user_domain",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 24
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6341",
- "name" : "modify_user_name",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 25
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6342",
- "name" : "modify_user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 26
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6343",
- "name" : "delete_user_domain",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 27
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6344",
- "name" : "delete_user_name",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 28
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6345",
- "name" : "delete_user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 29
- } ]
- }
- }, {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8e83",
- "name" : "deleted_at",
- "type" : "DATE",
- "byDefault" : true,
- "sequence" : 10
- },
- "operator" : "AFTER",
- "value" : "2015-10-11 00:00:00",
- "negated" : false,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e84",
- "name" : "Files",
- "description" : "Shows the existing files",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e15",
- "name" : "Files",
- "description" : "Gets the list of files",
- "module" : "FileHashing",
- "function" : "FindFiles",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e15",
- "name" : "Files",
- "description" : "Gets the list of files",
- "module" : "FileHashing",
- "function" : "FindFiles",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e15",
- "name" : "Files",
- "description" : "Gets the list of files",
- "module" : "FileHashing",
- "function" : "FindFiles",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e7a",
- "name" : "name",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e7b",
- "name" : "dir",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e7c",
- "name" : "full_name",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e7d",
- "name" : "size",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e7e",
- "name" : "last_write",
- "type" : "DATE",
- "byDefault" : false,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e7f",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e80",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e81",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8e82",
- "name" : "created_at",
- "type" : "DATE",
- "byDefault" : false,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8e83",
- "name" : "deleted_at",
- "type" : "DATE",
- "byDefault" : true,
- "sequence" : 10
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6333",
- "name" : "status",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 11
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6334",
- "name" : "create_process_pid",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6335",
- "name" : "create_process_sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 13
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6336",
- "name" : "create_process_full_path",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 14
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6337",
- "name" : "modify_process_pid",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 15
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6338",
- "name" : "modify_process_sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 16
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6339",
- "name" : "modify_process_full_path",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 17
- }, {
- "id" : "5b3f9b64e4b0dfaf321a633a",
- "name" : "delete_process_pid",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 18
- }, {
- "id" : "5b3f9b64e4b0dfaf321a633b",
- "name" : "delete_process_sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 19
- }, {
- "id" : "5b3f9b64e4b0dfaf321a633c",
- "name" : "delete_process_full_path",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 20
- }, {
- "id" : "5b3f9b64e4b0dfaf321a633d",
- "name" : "create_user_domain",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 21
- }, {
- "id" : "5b3f9b64e4b0dfaf321a633e",
- "name" : "create_user_name",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 22
- }, {
- "id" : "5b3f9b64e4b0dfaf321a633f",
- "name" : "create_user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 23
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6340",
- "name" : "modify_user_domain",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 24
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6341",
- "name" : "modify_user_name",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 25
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6342",
- "name" : "modify_user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 26
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6343",
- "name" : "delete_user_domain",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 27
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6344",
- "name" : "delete_user_name",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 28
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6345",
- "name" : "delete_user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 29
- } ]
- }
- } ]
- } ]
- },
- "running" : false,
- "createdAt" : 1530900630386,
- "executedAt" : null,
- "status" : "CREATED",
- "ttl" : 60000,
- "startTime" : null,
- "endpointPermission" : null,
- "maGuidsTarget" : null,
- "expectedHostResponses" : 0
- },
- "type" : "com.intel.mar.model.search.Search"
- }, {
- "item" : {
- "catalogVersion" : 1,
- "dbVersion" : 2,
- "id" : "5b3fb096e4b0cbe06dd67325",
- "name" : "UNUSUAL BEHAVIOR - Inbound SSH connections",
- "description" : "Inbound SSH connections. Sort on count.\n\nA high count may indicate an attempted brute-force attack. Only destination port 22 is matched, so SSH listening on other ports is not covered.",
- "type" : null,
- "expression" : "NetworkFlow where NetworkFlow direction equals \"in\" and NetworkFlow dst_port equals 22 ",
- "temporal" : false,
- "invalid" : false,
- "aggregated" : true,
- "projections" : [ {
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e97",
- "name" : "NetworkFlow",
- "description" : "Shows the network flow",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e85",
- "name" : "time",
- "type" : "DATE",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e86",
- "name" : "direction",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e87",
- "name" : "src_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e88",
- "name" : "src_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e89",
- "name" : "dst_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e8a",
- "name" : "dst_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e8b",
- "name" : "status",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e8c",
- "name" : "proto",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8e8d",
- "name" : "ip_class",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8e8e",
- "name" : "seq_number",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 10
- }, {
- "id" : "58efec8ee4b0c390d69a8e8f",
- "name" : "src_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 11
- }, {
- "id" : "58efec8ee4b0c390d69a8e90",
- "name" : "dst_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "58efec8ee4b0c390d69a8e91",
- "name" : "process",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 13
- }, {
- "id" : "58efec8ee4b0c390d69a8e92",
- "name" : "process_id",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 14
- }, {
- "id" : "58efec8ee4b0c390d69a8e93",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 15
- }, {
- "id" : "58efec8ee4b0c390d69a8e94",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 16
- }, {
- "id" : "58efec8ee4b0c390d69a8e95",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 17
- }, {
- "id" : "58efec8ee4b0c390d69a8e96",
- "name" : "user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 18
- }, {
- "id" : "5a1a45cbe4b0401274ab7191",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 19
- } ]
- },
- "sequence" : "1",
- "output" : [ ]
- } ],
- "disjunction" : {
- "conjunctions" : [ {
- "terms" : [ {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8e86",
- "name" : "direction",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 2
- },
- "operator" : "EQUALS",
- "value" : "in",
- "negated" : false,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e97",
- "name" : "NetworkFlow",
- "description" : "Shows the network flow",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e85",
- "name" : "time",
- "type" : "DATE",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e86",
- "name" : "direction",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e87",
- "name" : "src_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e88",
- "name" : "src_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e89",
- "name" : "dst_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e8a",
- "name" : "dst_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e8b",
- "name" : "status",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e8c",
- "name" : "proto",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8e8d",
- "name" : "ip_class",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8e8e",
- "name" : "seq_number",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 10
- }, {
- "id" : "58efec8ee4b0c390d69a8e8f",
- "name" : "src_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 11
- }, {
- "id" : "58efec8ee4b0c390d69a8e90",
- "name" : "dst_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "58efec8ee4b0c390d69a8e91",
- "name" : "process",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 13
- }, {
- "id" : "58efec8ee4b0c390d69a8e92",
- "name" : "process_id",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 14
- }, {
- "id" : "58efec8ee4b0c390d69a8e93",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 15
- }, {
- "id" : "58efec8ee4b0c390d69a8e94",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 16
- }, {
- "id" : "58efec8ee4b0c390d69a8e95",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 17
- }, {
- "id" : "58efec8ee4b0c390d69a8e96",
- "name" : "user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 18
- }, {
- "id" : "5a1a45cbe4b0401274ab7191",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 19
- } ]
- }
- }, {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8e8a",
- "name" : "dst_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 6
- },
- "operator" : "EQUALS",
- "value" : "22",
- "negated" : false,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e97",
- "name" : "NetworkFlow",
- "description" : "Shows the network flow",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e85",
- "name" : "time",
- "type" : "DATE",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e86",
- "name" : "direction",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e87",
- "name" : "src_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e88",
- "name" : "src_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e89",
- "name" : "dst_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e8a",
- "name" : "dst_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e8b",
- "name" : "status",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e8c",
- "name" : "proto",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8e8d",
- "name" : "ip_class",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8e8e",
- "name" : "seq_number",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 10
- }, {
- "id" : "58efec8ee4b0c390d69a8e8f",
- "name" : "src_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 11
- }, {
- "id" : "58efec8ee4b0c390d69a8e90",
- "name" : "dst_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "58efec8ee4b0c390d69a8e91",
- "name" : "process",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 13
- }, {
- "id" : "58efec8ee4b0c390d69a8e92",
- "name" : "process_id",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 14
- }, {
- "id" : "58efec8ee4b0c390d69a8e93",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 15
- }, {
- "id" : "58efec8ee4b0c390d69a8e94",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 16
- }, {
- "id" : "58efec8ee4b0c390d69a8e95",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 17
- }, {
- "id" : "58efec8ee4b0c390d69a8e96",
- "name" : "user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 18
- }, {
- "id" : "5a1a45cbe4b0401274ab7191",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 19
- } ]
- }
- } ]
- } ]
- },
- "running" : false,
- "createdAt" : 1530900630396,
- "executedAt" : null,
- "status" : "CREATED",
- "ttl" : 60000,
- "startTime" : null,
- "endpointPermission" : null,
- "maGuidsTarget" : null,
- "expectedHostResponses" : 0
- },
- "type" : "com.intel.mar.model.search.Search"
- }, {
- "item" : {
- "catalogVersion" : 1,
- "dbVersion" : 2,
- "id" : "5b3fb096e4b0cbe06dd67326",
- "name" : "UNUSUAL BEHAVIOR - Local Administrator Enabled",
- "description" : "",
- "type" : null,
- "expression" : "UserProfiles where UserProfiles domain not equals \"MINNEMOTO\" and UserProfiles accountname equals \"Administrator\" and UserProfiles accountdisabled equals \"False\"",
- "temporal" : false,
- "invalid" : false,
- "aggregated" : true,
- "projections" : [ {
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8edb",
- "name" : "UserProfiles",
- "description" : "Shows all local user information, to include group memberships.",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e14",
- "name" : "Bash Script",
- "description" : "Executes Bash script on target client",
- "module" : "SystemRuntime",
- "function" : "executeBash",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "#!/bin/bash\n# Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\n#\n# Purpose: Shows all local user information, to include group memberships.\n#\n# Version: 1.0\n\n_RAWDBUSER=$(dscl . -readall /Users 'RealName' 'PrimaryGroupID' 'NFSHomeDirectory' 'UserShell')\n_RAWDBGROUPS=$(dscl . -readall /groups 'RecordName' 'PrimaryGroupID')\nARRAYDBUSER[0]='NO USER'\nARRAYDBGROUP[0]='NO GROUP'\nARRAYDBGROUP_ID[0]='NO GROUP'\nARRAYDBGROUP_NAME[0]='NO GROUP'\n_NU=0\n_NG=0\n\n# Separate group info\nwhile IFS= read -r line\ndo\n if [[ \"$line\" =~ ^-$ ]]; then\n _NG=$((_NG+1));\n else\n ARRAYDBGROUP[_NG]=\"${ARRAYDBGROUP[_NG]}\\n$line\";\n fi\ndone <<< \"$_RAWDBGROUPS\"\n\n\n# Group Details\nfor (( i=0; i < ${#ARRAYDBGROUP[@]} ; i++))\ndo\n ARRAYDBGROUP_ID[i]=$(eval \"echo -e \\\"${ARRAYDBGROUP[i]}\\\" 2>/dev/null | grep PrimaryGroupID: |\\\n sed -Ee 's/PrimaryGroupID:[[:space:]]*(.*)$/\\1/'\")\n ARRAYDBGROUP_NAME[i]=$(eval \"echo -e \\\"${ARRAYDBGROUP[i]}\\\" 2>/dev/null |\\\n perl -0777 -pe 's/RecordName:\\n/RecordName:/g' | sed -Ee '/RecordName/!d;s/RecordName: //g'\")\ndone\n\n# Function Search by id\nfunction searchGroupByID(){\n local id=\"$1\"\n for (( i=1; i < ${#ARRAYDBGROUP_ID[@]} ; i++))\n do\n if [[ \"${ARRAYDBGROUP_ID[i]}\" == \"$id\" ]];then\n echo -n \"${ARRAYDBGROUP_NAME[i]}\"\n return 0;\n fi\n done\n return 0;\n}\n\n\n# Separate User account\nwhile IFS= read -r line\ndo\n if [[ \"$line\" =~ ^-$ ]]; then\n _NU=$((_NU+1));\n else\n ARRAYDBUSER[_NU]=\"${ARRAYDBUSER[_NU]}\\n$line\";\n fi\ndone <<< \"$_RAWDBUSER\"\n\n# Account details\nfor (( i=1; i < ${#ARRAYDBUSER[@]} ; i++))\ndo\n Disabled=\"False\"\n GroupID=$(eval \"echo -e \\\"${ARRAYDBUSER[i]}\\\" 2>/dev/null | perl -0777 -pe 's/PrimaryGroupID:\\n/PrimaryGroupID:/g' |\\\n sed -Ee '/PrimaryGroupID/!d;s/PrimaryGroupID: //g'\")\n Username=$(eval \"echo -e \\\"${ARRAYDBUSER[i]}\\\" 2>/dev/null | perl -0777 -pe 
's/RecordName:\\n/RecordName:/g' |\\\n sed -Ee '/RecordName/!d;s/RecordName: //g'\")\n FullName=$(eval \"echo -e \\\"${ARRAYDBUSER[i]}\\\" 2>/dev/null | perl -0777 -pe 's/RealName:\\n/RealName:/g' |\\\n sed -Ee '/RealName/!d;s/RealName: //g'\")\n GROUP_NAME=$(eval \"searchGroupByID $GroupID\")\n GROUP_NAME=${GROUP_NAME/\\\\/\\\\\\\\}\n UserShell=$(echo \"${ARRAYDBUSER[i]}\" 2>/dev/null | grep \"UserShell\")\n [[ \"$UserShell\" =~ \"false\" || \"$UserShell\" =~ \"nologin\" ]] && Disabled=\"True\"\n echo \"\\\"$Disabled\\\",\\\"\\\",\\\"$FullName\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"$Username\\\",\\\"\\\",\\\"\\\",\\\"$GROUP_NAME\\\"\"\ndone\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e14",
- "name" : "Bash Script",
- "description" : "Executes Bash script on target client",
- "module" : "SystemRuntime",
- "function" : "executeBash",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "#!/bin/bash\n# Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\n#\n# Purpose: Shows all local user information, to include group memberships.\n#\n# Version: 1.0\n\nescapeSpecialCharacters(){\n read -r arg\n local str=\"$arg\"\n str=${str//\\\\/\\\\\\\\}\n str=${str//\\\"/\\\\\\\"}\n echo \"$str\"\n}\n\ngetPasswdFile() {\n if [ -r /etc/passwd ]; then\n cat \"/etc/passwd\"\n else\n return 1\n fi\n}\n\ngetDisabledStatus() {\n passwdLine=\"$1\"\n disabled=\"False\"\n\n userPasswd=$(echo \"$passwdLine\" | cut -d ':' -f2)\n userPasswdFirstChar=\"${userPasswd:0:1}\"\n userShell=$(echo \"$passwdLine\" | cut -d ':' -f7)\n [[ \"$userShell\" =~ \"nologin\" || \"$userShell\" =~ \"false\" || \"$userPasswdFirstChar\" == \"!\" ]] && disabled=\"True\"\n\n echo \"$disabled\"\n}\n\ngetExpirationStatus() {\n userName=\"$1\"\n passwordExpires=\"False\"\n passwordExpireDate=$(chage -l \"$userName\" | grep \"Password expires\" | cut -d ':' -f2)\n [[ ! 
\"$passwordExpireDate\" =~ \"never\" ]] && passwordExpires=\"True\"\n\n echo \"$passwordExpires\"\n}\n\ngetGroups() {\n userName=\"$1\"\n groups=$(groups \"$userName\" | sed -e 's/.*:[[:space:]]//')\n echo \"$groups\"\n}\n\ngetUserName() {\n passwdLine=\"$1\"\n userName=$(echo \"$passwdLine\" | cut -d \":\" -f1)\n echo \"$userName\"\n}\n\ngetUserFullName() {\n passwdLine=\"$1\"\n userFullName=$(echo \"$passwdLine\" | awk 'BEGIN { FS=\":\" } { if($5==\"\") print \" \"; else print $5 }' | cut -d ',' -f 1)\n [[ \"$userFullName\" == \" \" ]] && userFullName=\"\"\n echo \"$userFullName\"\n}\n\nprintUserInfo() {\n passwdLine=\"$1\"\n\n userName=$(getUserName \"$passwdLine\"| escapeSpecialCharacters)\n userFullName=$(getUserFullName \"$passwdLine\" | escapeSpecialCharacters)\n disabled=$(getDisabledStatus \"$passwdLine\")\n\n groups=$(getGroups \"$userName\" | escapeSpecialCharacters)\n passwordExpires=$(getExpirationStatus \"$userName\")\n\n echo \"\\\"$disabled\\\",,\\\"$userFullName\\\",,,,\\\"$userName\\\",,\\\"$passwordExpires\\\",\\\"$groups\\\"\"\n}\n\nprocessUsers() {\n passwdContents=$(getPasswdFile)\n while read -r passwdLine; do\n printUserInfo \"$passwdLine\"\n done <<< \"$passwdContents\"\n}\n\n\nmain() {\n\n if [ \"$1\" == \"--no-exec\" ]; then\n return 0\n fi\n\n processUsers\n}\n\nmain \"$@\"\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e61",
- "name" : "Execute PowerShell Script",
- "description" : "Runs Windows PowerShell Scripts",
- "module" : "SystemRuntime",
- "function" : "executePS",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "# Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\r\n#\r\n# Purpose: Shows all local user information, to include group memberships.\r\n#\r\n# Version: 1.0\r\n\r\n$pshost = get-host\r\n$pswindow = $pshost.ui.rawui\r\n$newsize = $pswindow.buffersize\r\n$newsize.height = 3000\r\n$newsize.width = 3000\r\n$pswindow.buffersize = $newsize\r\n\r\n$OutputEncoding = New-Object -typename System.Text.UTF8Encoding\r\n\r\n$user_objects = @();\r\n$user_objects = Get-WmiObject Win32_UserAccount -Filter \"LocalAccount=True\";\r\n\r\nNew-PSDrive -PSProvider Registry -Name HKU -Root 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList' | Out-Null;\r\n\r\n$loggedUserAccounts= @(Get-ChildItem -Path \"HKU:\\\");\r\n\r\nforeach ($user in $loggedUserAccounts){\r\n $exist = $false;\r\n if(([string]$user.PSChildName -ne \"S-1-5-18\") -and ([string]$user.PSChildName -ne \"S-1-5-19\") -and ([string]$user.PSChildName -ne \"S-1-5-20\")) {\r\n for($i=0; ($i -lt $user_objects.Count) -and -not $exist; $i++) {\r\n if($user.PSChildName -eq $user_objects[$i].SID) {$exist = $true;}\r\n }\r\n if(-not $exist) {\r\n $disabled = \"\"\r\n $domain = \"\"\r\n $fullname = \"\"\r\n $path = $user.Name;\r\n $folder = \"\"\r\n $name = \"\"\r\n $sid = \"\"\r\n if (Test-Path((\"HKU:/\"+$path))){\r\n $folder=(Get-Item -Path (\"HKU:/\"+$path)).GetValue(\"ProfileImagePath\");\r\n $name = [string]($folder -split \"\\\\\")[2];\r\n $sid = $user.PSChildName\r\n }\r\n if ((Test-Path ($folder)) -and ($folder -ne \"\")) {\r\n Try { $installdate = [string](((Get-Item $folder).CreationTime).ToString(\"yyyy-MM-dd hh:mm:ss\")); } Catch { $installdate = \"\";}\r\n } else {\r\n $installdate = \"\";\r\n }\r\n $localaccount = \"False\"\r\n $lockout = \"\"\r\n $passwordexpires = \"\"\r\n $groups = \"\"\r\n\r\n $result = \"`\"\" + $disabled + \"`\",`\"\" + $domain + \"`\",`\"\" + $fullname + \"`\",`\"\" + $installdate + 
\"`\",`\"\" + $localaccount + \"`\",`\"\" + $lockout + \"`\",`\"\" + $name + \"`\",`\"\" + $sid + \"`\",`\"\" + $passwordexpires + \"`\",`\"\" + $groups + \"`\"\";\r\n Write-Output $result;\r\n }\r\n }\r\n}\r\n\r\nforeach ($user in $user_objects) {\r\n Try { $disabled = [string]$user.Disabled; } Catch { $disabled = \"\"; }\r\n Try { $domain = [string]$user.Domain; } Catch { $domain = \"\"; }\r\n Try { $fullname = [string]$user.FullName; } Catch { $fullname = \"\"; }\r\n Try { $name = [string]$user.Name; } Catch { $name = \"\"; }\r\n Try { $path = (\"C:\\Users\\\"+$name); } Catch { $path = \"\"; }\r\n if ((Test-Path ($path)) -and ($path -ne \"\")) {\r\n Try { $installdate = [string](((Get-Item $path).CreationTime).ToString(\"yyyy-MM-dd hh:mm:ss\")); } Catch { $installdate = \"\";}\r\n } else {\r\n $installdate = \"\";\r\n }\r\n Try { $localaccount = [string]$user.LocalAccount; } Catch { $localaccount = \"\"; }\r\n Try { $lockout = [string]$user.Lockout; } Catch { $lockout = \"\"; }\r\n Try { $sid = [string]$user.SID; } Catch { $sid = \"\"; }\r\n Try { $passwordexpires = [string]$user.PasswordExpires; } Catch { $passwordexpires = \"\"; }\r\n $groups = \"\"\r\n\r\n $result = \"`\"\" + $disabled + \"`\",`\"\" + $domain + \"`\",`\"\" + $fullname + \"`\",`\"\" + $installdate + \"`\",`\"\" + $localaccount + \"`\",`\"\" + $lockout + \"`\",`\"\" + $name + \"`\",`\"\" + $sid + \"`\",`\"\" + $passwordexpires + \"`\",`\"\" + $groups + \"`\"\";\r\n Write-Output $result;\r\n}\r\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8ed1",
- "name" : "accountdisabled",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8ed2",
- "name" : "domain",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8ed3",
- "name" : "fullname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8ed4",
- "name" : "installdate",
- "type" : "DATE",
- "byDefault" : false,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8ed5",
- "name" : "localaccount",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8ed6",
- "name" : "lockedout",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8ed7",
- "name" : "accountname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8ed8",
- "name" : "sid",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8ed9",
- "name" : "passwordexpires",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8eda",
- "name" : "groups",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 10
- } ]
- },
- "sequence" : "1",
- "output" : [ ]
- } ],
- "disjunction" : {
- "conjunctions" : [ {
- "terms" : [ {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8ed2",
- "name" : "domain",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 2
- },
- "operator" : "EQUALS",
- "value" : "MINNEMOTO",
- "negated" : true,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8edb",
- "name" : "UserProfiles",
- "description" : "Shows all local user information, to include group memberships.",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e14",
- "name" : "Bash Script",
- "description" : "Executes Bash script on target client",
- "module" : "SystemRuntime",
- "function" : "executeBash",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "#!/bin/bash\n# Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\n#\n# Purpose: Shows all local user information, to include group memberships.\n#\n# Version: 1.0\n\n_RAWDBUSER=$(dscl . -readall /Users 'RealName' 'PrimaryGroupID' 'NFSHomeDirectory' 'UserShell')\n_RAWDBGROUPS=$(dscl . -readall /groups 'RecordName' 'PrimaryGroupID')\nARRAYDBUSER[0]='NO USER'\nARRAYDBGROUP[0]='NO GROUP'\nARRAYDBGROUP_ID[0]='NO GROUP'\nARRAYDBGROUP_NAME[0]='NO GROUP'\n_NU=0\n_NG=0\n\n# Separate group info\nwhile IFS= read -r line\ndo\n if [[ \"$line\" =~ ^-$ ]]; then\n _NG=$((_NG+1));\n else\n ARRAYDBGROUP[_NG]=\"${ARRAYDBGROUP[_NG]}\\n$line\";\n fi\ndone <<< \"$_RAWDBGROUPS\"\n\n\n# Group Details\nfor (( i=0; i < ${#ARRAYDBGROUP[@]} ; i++))\ndo\n ARRAYDBGROUP_ID[i]=$(eval \"echo -e \\\"${ARRAYDBGROUP[i]}\\\" 2>/dev/null | grep PrimaryGroupID: |\\\n sed -Ee 's/PrimaryGroupID:[[:space:]]*(.*)$/\\1/'\")\n ARRAYDBGROUP_NAME[i]=$(eval \"echo -e \\\"${ARRAYDBGROUP[i]}\\\" 2>/dev/null |\\\n perl -0777 -pe 's/RecordName:\\n/RecordName:/g' | sed -Ee '/RecordName/!d;s/RecordName: //g'\")\ndone\n\n# Function Search by id\nfunction searchGroupByID(){\n local id=\"$1\"\n for (( i=1; i < ${#ARRAYDBGROUP_ID[@]} ; i++))\n do\n if [[ \"${ARRAYDBGROUP_ID[i]}\" == \"$id\" ]];then\n echo -n \"${ARRAYDBGROUP_NAME[i]}\"\n return 0;\n fi\n done\n return 0;\n}\n\n\n# Separate User account\nwhile IFS= read -r line\ndo\n if [[ \"$line\" =~ ^-$ ]]; then\n _NU=$((_NU+1));\n else\n ARRAYDBUSER[_NU]=\"${ARRAYDBUSER[_NU]}\\n$line\";\n fi\ndone <<< \"$_RAWDBUSER\"\n\n# Account details\nfor (( i=1; i < ${#ARRAYDBUSER[@]} ; i++))\ndo\n Disabled=\"False\"\n GroupID=$(eval \"echo -e \\\"${ARRAYDBUSER[i]}\\\" 2>/dev/null | perl -0777 -pe 's/PrimaryGroupID:\\n/PrimaryGroupID:/g' |\\\n sed -Ee '/PrimaryGroupID/!d;s/PrimaryGroupID: //g'\")\n Username=$(eval \"echo -e \\\"${ARRAYDBUSER[i]}\\\" 2>/dev/null | perl -0777 -pe 
's/RecordName:\\n/RecordName:/g' |\\\n sed -Ee '/RecordName/!d;s/RecordName: //g'\")\n FullName=$(eval \"echo -e \\\"${ARRAYDBUSER[i]}\\\" 2>/dev/null | perl -0777 -pe 's/RealName:\\n/RealName:/g' |\\\n sed -Ee '/RealName/!d;s/RealName: //g'\")\n GROUP_NAME=$(eval \"searchGroupByID $GroupID\")\n GROUP_NAME=${GROUP_NAME/\\\\/\\\\\\\\}\n UserShell=$(echo \"${ARRAYDBUSER[i]}\" 2>/dev/null | grep \"UserShell\")\n [[ \"$UserShell\" =~ \"false\" || \"$UserShell\" =~ \"nologin\" ]] && Disabled=\"True\"\n echo \"\\\"$Disabled\\\",\\\"\\\",\\\"$FullName\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"$Username\\\",\\\"\\\",\\\"\\\",\\\"$GROUP_NAME\\\"\"\ndone\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e14",
- "name" : "Bash Script",
- "description" : "Executes Bash script on target client",
- "module" : "SystemRuntime",
- "function" : "executeBash",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "#!/bin/bash\n# Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\n#\n# Purpose: Shows all local user information, to include group memberships.\n#\n# Version: 1.0\n\nescapeSpecialCharacters(){\n read -r arg\n local str=\"$arg\"\n str=${str//\\\\/\\\\\\\\}\n str=${str//\\\"/\\\\\\\"}\n echo \"$str\"\n}\n\ngetPasswdFile() {\n if [ -r /etc/passwd ]; then\n cat \"/etc/passwd\"\n else\n return 1\n fi\n}\n\ngetDisabledStatus() {\n passwdLine=\"$1\"\n disabled=\"False\"\n\n userPasswd=$(echo \"$passwdLine\" | cut -d ':' -f2)\n userPasswdFirstChar=\"${userPasswd:0:1}\"\n userShell=$(echo \"$passwdLine\" | cut -d ':' -f7)\n [[ \"$userShell\" =~ \"nologin\" || \"$userShell\" =~ \"false\" || \"$userPasswdFirstChar\" == \"!\" ]] && disabled=\"True\"\n\n echo \"$disabled\"\n}\n\ngetExpirationStatus() {\n userName=\"$1\"\n passwordExpires=\"False\"\n passwordExpireDate=$(chage -l \"$userName\" | grep \"Password expires\" | cut -d ':' -f2)\n [[ ! 
\"$passwordExpireDate\" =~ \"never\" ]] && passwordExpires=\"True\"\n\n echo \"$passwordExpires\"\n}\n\ngetGroups() {\n userName=\"$1\"\n groups=$(groups \"$userName\" | sed -e 's/.*:[[:space:]]//')\n echo \"$groups\"\n}\n\ngetUserName() {\n passwdLine=\"$1\"\n userName=$(echo \"$passwdLine\" | cut -d \":\" -f1)\n echo \"$userName\"\n}\n\ngetUserFullName() {\n passwdLine=\"$1\"\n userFullName=$(echo \"$passwdLine\" | awk 'BEGIN { FS=\":\" } { if($5==\"\") print \" \"; else print $5 }' | cut -d ',' -f 1)\n [[ \"$userFullName\" == \" \" ]] && userFullName=\"\"\n echo \"$userFullName\"\n}\n\nprintUserInfo() {\n passwdLine=\"$1\"\n\n userName=$(getUserName \"$passwdLine\"| escapeSpecialCharacters)\n userFullName=$(getUserFullName \"$passwdLine\" | escapeSpecialCharacters)\n disabled=$(getDisabledStatus \"$passwdLine\")\n\n groups=$(getGroups \"$userName\" | escapeSpecialCharacters)\n passwordExpires=$(getExpirationStatus \"$userName\")\n\n echo \"\\\"$disabled\\\",,\\\"$userFullName\\\",,,,\\\"$userName\\\",,\\\"$passwordExpires\\\",\\\"$groups\\\"\"\n}\n\nprocessUsers() {\n passwdContents=$(getPasswdFile)\n while read -r passwdLine; do\n printUserInfo \"$passwdLine\"\n done <<< \"$passwdContents\"\n}\n\n\nmain() {\n\n if [ \"$1\" == \"--no-exec\" ]; then\n return 0\n fi\n\n processUsers\n}\n\nmain \"$@\"\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e61",
- "name" : "Execute PowerShell Script",
- "description" : "Runs Windows PowerShell Scripts",
- "module" : "SystemRuntime",
- "function" : "executePS",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "# Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\r\n#\r\n# Purpose: Shows all local user information, to include group memberships.\r\n#\r\n# Version: 1.0\r\n\r\n$pshost = get-host\r\n$pswindow = $pshost.ui.rawui\r\n$newsize = $pswindow.buffersize\r\n$newsize.height = 3000\r\n$newsize.width = 3000\r\n$pswindow.buffersize = $newsize\r\n\r\n$OutputEncoding = New-Object -typename System.Text.UTF8Encoding\r\n\r\n$user_objects = @();\r\n$user_objects = Get-WmiObject Win32_UserAccount -Filter \"LocalAccount=True\";\r\n\r\nNew-PSDrive -PSProvider Registry -Name HKU -Root 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList' | Out-Null;\r\n\r\n$loggedUserAccounts= @(Get-ChildItem -Path \"HKU:\\\");\r\n\r\nforeach ($user in $loggedUserAccounts){\r\n $exist = $false;\r\n if(([string]$user.PSChildName -ne \"S-1-5-18\") -and ([string]$user.PSChildName -ne \"S-1-5-19\") -and ([string]$user.PSChildName -ne \"S-1-5-20\")) {\r\n for($i=0; ($i -lt $user_objects.Count) -and -not $exist; $i++) {\r\n if($user.PSChildName -eq $user_objects[$i].SID) {$exist = $true;}\r\n }\r\n if(-not $exist) {\r\n $disabled = \"\"\r\n $domain = \"\"\r\n $fullname = \"\"\r\n $path = $user.Name;\r\n $folder = \"\"\r\n $name = \"\"\r\n $sid = \"\"\r\n if (Test-Path((\"HKU:/\"+$path))){\r\n $folder=(Get-Item -Path (\"HKU:/\"+$path)).GetValue(\"ProfileImagePath\");\r\n $name = [string]($folder -split \"\\\\\")[2];\r\n $sid = $user.PSChildName\r\n }\r\n if ((Test-Path ($folder)) -and ($folder -ne \"\")) {\r\n Try { $installdate = [string](((Get-Item $folder).CreationTime).ToString(\"yyyy-MM-dd hh:mm:ss\")); } Catch { $installdate = \"\";}\r\n } else {\r\n $installdate = \"\";\r\n }\r\n $localaccount = \"False\"\r\n $lockout = \"\"\r\n $passwordexpires = \"\"\r\n $groups = \"\"\r\n\r\n $result = \"`\"\" + $disabled + \"`\",`\"\" + $domain + \"`\",`\"\" + $fullname + \"`\",`\"\" + $installdate + 
\"`\",`\"\" + $localaccount + \"`\",`\"\" + $lockout + \"`\",`\"\" + $name + \"`\",`\"\" + $sid + \"`\",`\"\" + $passwordexpires + \"`\",`\"\" + $groups + \"`\"\";\r\n Write-Output $result;\r\n }\r\n }\r\n}\r\n\r\nforeach ($user in $user_objects) {\r\n Try { $disabled = [string]$user.Disabled; } Catch { $disabled = \"\"; }\r\n Try { $domain = [string]$user.Domain; } Catch { $domain = \"\"; }\r\n Try { $fullname = [string]$user.FullName; } Catch { $fullname = \"\"; }\r\n Try { $name = [string]$user.Name; } Catch { $name = \"\"; }\r\n Try { $path = (\"C:\\Users\\\"+$name); } Catch { $path = \"\"; }\r\n if ((Test-Path ($path)) -and ($path -ne \"\")) {\r\n Try { $installdate = [string](((Get-Item $path).CreationTime).ToString(\"yyyy-MM-dd hh:mm:ss\")); } Catch { $installdate = \"\";}\r\n } else {\r\n $installdate = \"\";\r\n }\r\n Try { $localaccount = [string]$user.LocalAccount; } Catch { $localaccount = \"\"; }\r\n Try { $lockout = [string]$user.Lockout; } Catch { $lockout = \"\"; }\r\n Try { $sid = [string]$user.SID; } Catch { $sid = \"\"; }\r\n Try { $passwordexpires = [string]$user.PasswordExpires; } Catch { $passwordexpires = \"\"; }\r\n $groups = \"\"\r\n\r\n $result = \"`\"\" + $disabled + \"`\",`\"\" + $domain + \"`\",`\"\" + $fullname + \"`\",`\"\" + $installdate + \"`\",`\"\" + $localaccount + \"`\",`\"\" + $lockout + \"`\",`\"\" + $name + \"`\",`\"\" + $sid + \"`\",`\"\" + $passwordexpires + \"`\",`\"\" + $groups + \"`\"\";\r\n Write-Output $result;\r\n}\r\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8ed1",
- "name" : "accountdisabled",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8ed2",
- "name" : "domain",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8ed3",
- "name" : "fullname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8ed4",
- "name" : "installdate",
- "type" : "DATE",
- "byDefault" : false,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8ed5",
- "name" : "localaccount",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8ed6",
- "name" : "lockedout",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8ed7",
- "name" : "accountname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8ed8",
- "name" : "sid",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8ed9",
- "name" : "passwordexpires",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8eda",
- "name" : "groups",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 10
- } ]
- }
- }, {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8ed7",
- "name" : "accountname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 7
- },
- "operator" : "EQUALS",
- "value" : "Administrator",
- "negated" : false,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8edb",
- "name" : "UserProfiles",
- "description" : "Shows all local user information, to include group memberships.",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e14",
- "name" : "Bash Script",
- "description" : "Executes Bash script on target client",
- "module" : "SystemRuntime",
- "function" : "executeBash",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "#!/bin/bash\n# Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\n#\n# Purpose: Shows all local user information, to include group memberships.\n#\n# Version: 1.0\n\n_RAWDBUSER=$(dscl . -readall /Users 'RealName' 'PrimaryGroupID' 'NFSHomeDirectory' 'UserShell')\n_RAWDBGROUPS=$(dscl . -readall /groups 'RecordName' 'PrimaryGroupID')\nARRAYDBUSER[0]='NO USER'\nARRAYDBGROUP[0]='NO GROUP'\nARRAYDBGROUP_ID[0]='NO GROUP'\nARRAYDBGROUP_NAME[0]='NO GROUP'\n_NU=0\n_NG=0\n\n# Separate group info\nwhile IFS= read -r line\ndo\n if [[ \"$line\" =~ ^-$ ]]; then\n _NG=$((_NG+1));\n else\n ARRAYDBGROUP[_NG]=\"${ARRAYDBGROUP[_NG]}\\n$line\";\n fi\ndone <<< \"$_RAWDBGROUPS\"\n\n\n# Group Details\nfor (( i=0; i < ${#ARRAYDBGROUP[@]} ; i++))\ndo\n ARRAYDBGROUP_ID[i]=$(eval \"echo -e \\\"${ARRAYDBGROUP[i]}\\\" 2>/dev/null | grep PrimaryGroupID: |\\\n sed -Ee 's/PrimaryGroupID:[[:space:]]*(.*)$/\\1/'\")\n ARRAYDBGROUP_NAME[i]=$(eval \"echo -e \\\"${ARRAYDBGROUP[i]}\\\" 2>/dev/null |\\\n perl -0777 -pe 's/RecordName:\\n/RecordName:/g' | sed -Ee '/RecordName/!d;s/RecordName: //g'\")\ndone\n\n# Function Search by id\nfunction searchGroupByID(){\n local id=\"$1\"\n for (( i=1; i < ${#ARRAYDBGROUP_ID[@]} ; i++))\n do\n if [[ \"${ARRAYDBGROUP_ID[i]}\" == \"$id\" ]];then\n echo -n \"${ARRAYDBGROUP_NAME[i]}\"\n return 0;\n fi\n done\n return 0;\n}\n\n\n# Separate User account\nwhile IFS= read -r line\ndo\n if [[ \"$line\" =~ ^-$ ]]; then\n _NU=$((_NU+1));\n else\n ARRAYDBUSER[_NU]=\"${ARRAYDBUSER[_NU]}\\n$line\";\n fi\ndone <<< \"$_RAWDBUSER\"\n\n# Account details\nfor (( i=1; i < ${#ARRAYDBUSER[@]} ; i++))\ndo\n Disabled=\"False\"\n GroupID=$(eval \"echo -e \\\"${ARRAYDBUSER[i]}\\\" 2>/dev/null | perl -0777 -pe 's/PrimaryGroupID:\\n/PrimaryGroupID:/g' |\\\n sed -Ee '/PrimaryGroupID/!d;s/PrimaryGroupID: //g'\")\n Username=$(eval \"echo -e \\\"${ARRAYDBUSER[i]}\\\" 2>/dev/null | perl -0777 -pe 
's/RecordName:\\n/RecordName:/g' |\\\n sed -Ee '/RecordName/!d;s/RecordName: //g'\")\n FullName=$(eval \"echo -e \\\"${ARRAYDBUSER[i]}\\\" 2>/dev/null | perl -0777 -pe 's/RealName:\\n/RealName:/g' |\\\n sed -Ee '/RealName/!d;s/RealName: //g'\")\n GROUP_NAME=$(eval \"searchGroupByID $GroupID\")\n GROUP_NAME=${GROUP_NAME/\\\\/\\\\\\\\}\n UserShell=$(echo \"${ARRAYDBUSER[i]}\" 2>/dev/null | grep \"UserShell\")\n [[ \"$UserShell\" =~ \"false\" || \"$UserShell\" =~ \"nologin\" ]] && Disabled=\"True\"\n echo \"\\\"$Disabled\\\",\\\"\\\",\\\"$FullName\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"$Username\\\",\\\"\\\",\\\"\\\",\\\"$GROUP_NAME\\\"\"\ndone\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e14",
- "name" : "Bash Script",
- "description" : "Executes Bash script on target client",
- "module" : "SystemRuntime",
- "function" : "executeBash",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "#!/bin/bash\n# Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\n#\n# Purpose: Shows all local user information, to include group memberships.\n#\n# Version: 1.0\n\nescapeSpecialCharacters(){\n read -r arg\n local str=\"$arg\"\n str=${str//\\\\/\\\\\\\\}\n str=${str//\\\"/\\\\\\\"}\n echo \"$str\"\n}\n\ngetPasswdFile() {\n if [ -r /etc/passwd ]; then\n cat \"/etc/passwd\"\n else\n return 1\n fi\n}\n\ngetDisabledStatus() {\n passwdLine=\"$1\"\n disabled=\"False\"\n\n userPasswd=$(echo \"$passwdLine\" | cut -d ':' -f2)\n userPasswdFirstChar=\"${userPasswd:0:1}\"\n userShell=$(echo \"$passwdLine\" | cut -d ':' -f7)\n [[ \"$userShell\" =~ \"nologin\" || \"$userShell\" =~ \"false\" || \"$userPasswdFirstChar\" == \"!\" ]] && disabled=\"True\"\n\n echo \"$disabled\"\n}\n\ngetExpirationStatus() {\n userName=\"$1\"\n passwordExpires=\"False\"\n passwordExpireDate=$(chage -l \"$userName\" | grep \"Password expires\" | cut -d ':' -f2)\n [[ ! 
\"$passwordExpireDate\" =~ \"never\" ]] && passwordExpires=\"True\"\n\n echo \"$passwordExpires\"\n}\n\ngetGroups() {\n userName=\"$1\"\n groups=$(groups \"$userName\" | sed -e 's/.*:[[:space:]]//')\n echo \"$groups\"\n}\n\ngetUserName() {\n passwdLine=\"$1\"\n userName=$(echo \"$passwdLine\" | cut -d \":\" -f1)\n echo \"$userName\"\n}\n\ngetUserFullName() {\n passwdLine=\"$1\"\n userFullName=$(echo \"$passwdLine\" | awk 'BEGIN { FS=\":\" } { if($5==\"\") print \" \"; else print $5 }' | cut -d ',' -f 1)\n [[ \"$userFullName\" == \" \" ]] && userFullName=\"\"\n echo \"$userFullName\"\n}\n\nprintUserInfo() {\n passwdLine=\"$1\"\n\n userName=$(getUserName \"$passwdLine\"| escapeSpecialCharacters)\n userFullName=$(getUserFullName \"$passwdLine\" | escapeSpecialCharacters)\n disabled=$(getDisabledStatus \"$passwdLine\")\n\n groups=$(getGroups \"$userName\" | escapeSpecialCharacters)\n passwordExpires=$(getExpirationStatus \"$userName\")\n\n echo \"\\\"$disabled\\\",,\\\"$userFullName\\\",,,,\\\"$userName\\\",,\\\"$passwordExpires\\\",\\\"$groups\\\"\"\n}\n\nprocessUsers() {\n passwdContents=$(getPasswdFile)\n while read -r passwdLine; do\n printUserInfo \"$passwdLine\"\n done <<< \"$passwdContents\"\n}\n\n\nmain() {\n\n if [ \"$1\" == \"--no-exec\" ]; then\n return 0\n fi\n\n processUsers\n}\n\nmain \"$@\"\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e61",
- "name" : "Execute PowerShell Script",
- "description" : "Runs Windows PowerShell Scripts",
- "module" : "SystemRuntime",
- "function" : "executePS",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "# Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\r\n#\r\n# Purpose: Shows all local user information, to include group memberships.\r\n#\r\n# Version: 1.0\r\n\r\n$pshost = get-host\r\n$pswindow = $pshost.ui.rawui\r\n$newsize = $pswindow.buffersize\r\n$newsize.height = 3000\r\n$newsize.width = 3000\r\n$pswindow.buffersize = $newsize\r\n\r\n$OutputEncoding = New-Object -typename System.Text.UTF8Encoding\r\n\r\n$user_objects = @();\r\n$user_objects = Get-WmiObject Win32_UserAccount -Filter \"LocalAccount=True\";\r\n\r\nNew-PSDrive -PSProvider Registry -Name HKU -Root 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList' | Out-Null;\r\n\r\n$loggedUserAccounts= @(Get-ChildItem -Path \"HKU:\\\");\r\n\r\nforeach ($user in $loggedUserAccounts){\r\n $exist = $false;\r\n if(([string]$user.PSChildName -ne \"S-1-5-18\") -and ([string]$user.PSChildName -ne \"S-1-5-19\") -and ([string]$user.PSChildName -ne \"S-1-5-20\")) {\r\n for($i=0; ($i -lt $user_objects.Count) -and -not $exist; $i++) {\r\n if($user.PSChildName -eq $user_objects[$i].SID) {$exist = $true;}\r\n }\r\n if(-not $exist) {\r\n $disabled = \"\"\r\n $domain = \"\"\r\n $fullname = \"\"\r\n $path = $user.Name;\r\n $folder = \"\"\r\n $name = \"\"\r\n $sid = \"\"\r\n if (Test-Path((\"HKU:/\"+$path))){\r\n $folder=(Get-Item -Path (\"HKU:/\"+$path)).GetValue(\"ProfileImagePath\");\r\n $name = [string]($folder -split \"\\\\\")[2];\r\n $sid = $user.PSChildName\r\n }\r\n if ((Test-Path ($folder)) -and ($folder -ne \"\")) {\r\n Try { $installdate = [string](((Get-Item $folder).CreationTime).ToString(\"yyyy-MM-dd hh:mm:ss\")); } Catch { $installdate = \"\";}\r\n } else {\r\n $installdate = \"\";\r\n }\r\n $localaccount = \"False\"\r\n $lockout = \"\"\r\n $passwordexpires = \"\"\r\n $groups = \"\"\r\n\r\n $result = \"`\"\" + $disabled + \"`\",`\"\" + $domain + \"`\",`\"\" + $fullname + \"`\",`\"\" + $installdate + 
\"`\",`\"\" + $localaccount + \"`\",`\"\" + $lockout + \"`\",`\"\" + $name + \"`\",`\"\" + $sid + \"`\",`\"\" + $passwordexpires + \"`\",`\"\" + $groups + \"`\"\";\r\n Write-Output $result;\r\n }\r\n }\r\n}\r\n\r\nforeach ($user in $user_objects) {\r\n Try { $disabled = [string]$user.Disabled; } Catch { $disabled = \"\"; }\r\n Try { $domain = [string]$user.Domain; } Catch { $domain = \"\"; }\r\n Try { $fullname = [string]$user.FullName; } Catch { $fullname = \"\"; }\r\n Try { $name = [string]$user.Name; } Catch { $name = \"\"; }\r\n Try { $path = (\"C:\\Users\\\"+$name); } Catch { $path = \"\"; }\r\n if ((Test-Path ($path)) -and ($path -ne \"\")) {\r\n Try { $installdate = [string](((Get-Item $path).CreationTime).ToString(\"yyyy-MM-dd hh:mm:ss\")); } Catch { $installdate = \"\";}\r\n } else {\r\n $installdate = \"\";\r\n }\r\n Try { $localaccount = [string]$user.LocalAccount; } Catch { $localaccount = \"\"; }\r\n Try { $lockout = [string]$user.Lockout; } Catch { $lockout = \"\"; }\r\n Try { $sid = [string]$user.SID; } Catch { $sid = \"\"; }\r\n Try { $passwordexpires = [string]$user.PasswordExpires; } Catch { $passwordexpires = \"\"; }\r\n $groups = \"\"\r\n\r\n $result = \"`\"\" + $disabled + \"`\",`\"\" + $domain + \"`\",`\"\" + $fullname + \"`\",`\"\" + $installdate + \"`\",`\"\" + $localaccount + \"`\",`\"\" + $lockout + \"`\",`\"\" + $name + \"`\",`\"\" + $sid + \"`\",`\"\" + $passwordexpires + \"`\",`\"\" + $groups + \"`\"\";\r\n Write-Output $result;\r\n}\r\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8ed1",
- "name" : "accountdisabled",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8ed2",
- "name" : "domain",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8ed3",
- "name" : "fullname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8ed4",
- "name" : "installdate",
- "type" : "DATE",
- "byDefault" : false,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8ed5",
- "name" : "localaccount",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8ed6",
- "name" : "lockedout",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8ed7",
- "name" : "accountname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8ed8",
- "name" : "sid",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8ed9",
- "name" : "passwordexpires",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8eda",
- "name" : "groups",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 10
- } ]
- }
- }, {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8ed1",
- "name" : "accountdisabled",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1
- },
- "operator" : "EQUALS",
- "value" : "False",
- "negated" : false,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8edb",
- "name" : "UserProfiles",
- "description" : "Shows all local user information, to include group memberships.",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e14",
- "name" : "Bash Script",
- "description" : "Executes Bash script on target client",
- "module" : "SystemRuntime",
- "function" : "executeBash",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "#!/bin/bash\n# Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\n#\n# Purpose: Shows all local user information, to include group memberships.\n#\n# Version: 1.0\n\n_RAWDBUSER=$(dscl . -readall /Users 'RealName' 'PrimaryGroupID' 'NFSHomeDirectory' 'UserShell')\n_RAWDBGROUPS=$(dscl . -readall /groups 'RecordName' 'PrimaryGroupID')\nARRAYDBUSER[0]='NO USER'\nARRAYDBGROUP[0]='NO GROUP'\nARRAYDBGROUP_ID[0]='NO GROUP'\nARRAYDBGROUP_NAME[0]='NO GROUP'\n_NU=0\n_NG=0\n\n# Separate group info\nwhile IFS= read -r line\ndo\n if [[ \"$line\" =~ ^-$ ]]; then\n _NG=$((_NG+1));\n else\n ARRAYDBGROUP[_NG]=\"${ARRAYDBGROUP[_NG]}\\n$line\";\n fi\ndone <<< \"$_RAWDBGROUPS\"\n\n\n# Group Details\nfor (( i=0; i < ${#ARRAYDBGROUP[@]} ; i++))\ndo\n ARRAYDBGROUP_ID[i]=$(eval \"echo -e \\\"${ARRAYDBGROUP[i]}\\\" 2>/dev/null | grep PrimaryGroupID: |\\\n sed -Ee 's/PrimaryGroupID:[[:space:]]*(.*)$/\\1/'\")\n ARRAYDBGROUP_NAME[i]=$(eval \"echo -e \\\"${ARRAYDBGROUP[i]}\\\" 2>/dev/null |\\\n perl -0777 -pe 's/RecordName:\\n/RecordName:/g' | sed -Ee '/RecordName/!d;s/RecordName: //g'\")\ndone\n\n# Function Search by id\nfunction searchGroupByID(){\n local id=\"$1\"\n for (( i=1; i < ${#ARRAYDBGROUP_ID[@]} ; i++))\n do\n if [[ \"${ARRAYDBGROUP_ID[i]}\" == \"$id\" ]];then\n echo -n \"${ARRAYDBGROUP_NAME[i]}\"\n return 0;\n fi\n done\n return 0;\n}\n\n\n# Separate User account\nwhile IFS= read -r line\ndo\n if [[ \"$line\" =~ ^-$ ]]; then\n _NU=$((_NU+1));\n else\n ARRAYDBUSER[_NU]=\"${ARRAYDBUSER[_NU]}\\n$line\";\n fi\ndone <<< \"$_RAWDBUSER\"\n\n# Account details\nfor (( i=1; i < ${#ARRAYDBUSER[@]} ; i++))\ndo\n Disabled=\"False\"\n GroupID=$(eval \"echo -e \\\"${ARRAYDBUSER[i]}\\\" 2>/dev/null | perl -0777 -pe 's/PrimaryGroupID:\\n/PrimaryGroupID:/g' |\\\n sed -Ee '/PrimaryGroupID/!d;s/PrimaryGroupID: //g'\")\n Username=$(eval \"echo -e \\\"${ARRAYDBUSER[i]}\\\" 2>/dev/null | perl -0777 -pe 
's/RecordName:\\n/RecordName:/g' |\\\n sed -Ee '/RecordName/!d;s/RecordName: //g'\")\n FullName=$(eval \"echo -e \\\"${ARRAYDBUSER[i]}\\\" 2>/dev/null | perl -0777 -pe 's/RealName:\\n/RealName:/g' |\\\n sed -Ee '/RealName/!d;s/RealName: //g'\")\n GROUP_NAME=$(eval \"searchGroupByID $GroupID\")\n GROUP_NAME=${GROUP_NAME/\\\\/\\\\\\\\}\n UserShell=$(echo \"${ARRAYDBUSER[i]}\" 2>/dev/null | grep \"UserShell\")\n [[ \"$UserShell\" =~ \"false\" || \"$UserShell\" =~ \"nologin\" ]] && Disabled=\"True\"\n echo \"\\\"$Disabled\\\",\\\"\\\",\\\"$FullName\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"$Username\\\",\\\"\\\",\\\"\\\",\\\"$GROUP_NAME\\\"\"\ndone\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e14",
- "name" : "Bash Script",
- "description" : "Executes Bash script on target client",
- "module" : "SystemRuntime",
- "function" : "executeBash",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "#!/bin/bash\n# Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\n#\n# Purpose: Shows all local user information, to include group memberships.\n#\n# Version: 1.0\n\nescapeSpecialCharacters(){\n read -r arg\n local str=\"$arg\"\n str=${str//\\\\/\\\\\\\\}\n str=${str//\\\"/\\\\\\\"}\n echo \"$str\"\n}\n\ngetPasswdFile() {\n if [ -r /etc/passwd ]; then\n cat \"/etc/passwd\"\n else\n return 1\n fi\n}\n\ngetDisabledStatus() {\n passwdLine=\"$1\"\n disabled=\"False\"\n\n userPasswd=$(echo \"$passwdLine\" | cut -d ':' -f2)\n userPasswdFirstChar=\"${userPasswd:0:1}\"\n userShell=$(echo \"$passwdLine\" | cut -d ':' -f7)\n [[ \"$userShell\" =~ \"nologin\" || \"$userShell\" =~ \"false\" || \"$userPasswdFirstChar\" == \"!\" ]] && disabled=\"True\"\n\n echo \"$disabled\"\n}\n\ngetExpirationStatus() {\n userName=\"$1\"\n passwordExpires=\"False\"\n passwordExpireDate=$(chage -l \"$userName\" | grep \"Password expires\" | cut -d ':' -f2)\n [[ ! 
\"$passwordExpireDate\" =~ \"never\" ]] && passwordExpires=\"True\"\n\n echo \"$passwordExpires\"\n}\n\ngetGroups() {\n userName=\"$1\"\n groups=$(groups \"$userName\" | sed -e 's/.*:[[:space:]]//')\n echo \"$groups\"\n}\n\ngetUserName() {\n passwdLine=\"$1\"\n userName=$(echo \"$passwdLine\" | cut -d \":\" -f1)\n echo \"$userName\"\n}\n\ngetUserFullName() {\n passwdLine=\"$1\"\n userFullName=$(echo \"$passwdLine\" | awk 'BEGIN { FS=\":\" } { if($5==\"\") print \" \"; else print $5 }' | cut -d ',' -f 1)\n [[ \"$userFullName\" == \" \" ]] && userFullName=\"\"\n echo \"$userFullName\"\n}\n\nprintUserInfo() {\n passwdLine=\"$1\"\n\n userName=$(getUserName \"$passwdLine\"| escapeSpecialCharacters)\n userFullName=$(getUserFullName \"$passwdLine\" | escapeSpecialCharacters)\n disabled=$(getDisabledStatus \"$passwdLine\")\n\n groups=$(getGroups \"$userName\" | escapeSpecialCharacters)\n passwordExpires=$(getExpirationStatus \"$userName\")\n\n echo \"\\\"$disabled\\\",,\\\"$userFullName\\\",,,,\\\"$userName\\\",,\\\"$passwordExpires\\\",\\\"$groups\\\"\"\n}\n\nprocessUsers() {\n passwdContents=$(getPasswdFile)\n while read -r passwdLine; do\n printUserInfo \"$passwdLine\"\n done <<< \"$passwdContents\"\n}\n\n\nmain() {\n\n if [ \"$1\" == \"--no-exec\" ]; then\n return 0\n fi\n\n processUsers\n}\n\nmain \"$@\"\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e61",
- "name" : "Execute PowerShell Script",
- "description" : "Runs Windows PowerShell Scripts",
- "module" : "SystemRuntime",
- "function" : "executePS",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "# Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\r\n#\r\n# Purpose: Shows all local user information, to include group memberships.\r\n#\r\n# Version: 1.0\r\n\r\n$pshost = get-host\r\n$pswindow = $pshost.ui.rawui\r\n$newsize = $pswindow.buffersize\r\n$newsize.height = 3000\r\n$newsize.width = 3000\r\n$pswindow.buffersize = $newsize\r\n\r\n$OutputEncoding = New-Object -typename System.Text.UTF8Encoding\r\n\r\n$user_objects = @();\r\n$user_objects = Get-WmiObject Win32_UserAccount -Filter \"LocalAccount=True\";\r\n\r\nNew-PSDrive -PSProvider Registry -Name HKU -Root 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList' | Out-Null;\r\n\r\n$loggedUserAccounts= @(Get-ChildItem -Path \"HKU:\\\");\r\n\r\nforeach ($user in $loggedUserAccounts){\r\n $exist = $false;\r\n if(([string]$user.PSChildName -ne \"S-1-5-18\") -and ([string]$user.PSChildName -ne \"S-1-5-19\") -and ([string]$user.PSChildName -ne \"S-1-5-20\")) {\r\n for($i=0; ($i -lt $user_objects.Count) -and -not $exist; $i++) {\r\n if($user.PSChildName -eq $user_objects[$i].SID) {$exist = $true;}\r\n }\r\n if(-not $exist) {\r\n $disabled = \"\"\r\n $domain = \"\"\r\n $fullname = \"\"\r\n $path = $user.Name;\r\n $folder = \"\"\r\n $name = \"\"\r\n $sid = \"\"\r\n if (Test-Path((\"HKU:/\"+$path))){\r\n $folder=(Get-Item -Path (\"HKU:/\"+$path)).GetValue(\"ProfileImagePath\");\r\n $name = [string]($folder -split \"\\\\\")[2];\r\n $sid = $user.PSChildName\r\n }\r\n if ((Test-Path ($folder)) -and ($folder -ne \"\")) {\r\n Try { $installdate = [string](((Get-Item $folder).CreationTime).ToString(\"yyyy-MM-dd hh:mm:ss\")); } Catch { $installdate = \"\";}\r\n } else {\r\n $installdate = \"\";\r\n }\r\n $localaccount = \"False\"\r\n $lockout = \"\"\r\n $passwordexpires = \"\"\r\n $groups = \"\"\r\n\r\n $result = \"`\"\" + $disabled + \"`\",`\"\" + $domain + \"`\",`\"\" + $fullname + \"`\",`\"\" + $installdate + 
\"`\",`\"\" + $localaccount + \"`\",`\"\" + $lockout + \"`\",`\"\" + $name + \"`\",`\"\" + $sid + \"`\",`\"\" + $passwordexpires + \"`\",`\"\" + $groups + \"`\"\";\r\n Write-Output $result;\r\n }\r\n }\r\n}\r\n\r\nforeach ($user in $user_objects) {\r\n Try { $disabled = [string]$user.Disabled; } Catch { $disabled = \"\"; }\r\n Try { $domain = [string]$user.Domain; } Catch { $domain = \"\"; }\r\n Try { $fullname = [string]$user.FullName; } Catch { $fullname = \"\"; }\r\n Try { $name = [string]$user.Name; } Catch { $name = \"\"; }\r\n Try { $path = (\"C:\\Users\\\"+$name); } Catch { $path = \"\"; }\r\n if ((Test-Path ($path)) -and ($path -ne \"\")) {\r\n Try { $installdate = [string](((Get-Item $path).CreationTime).ToString(\"yyyy-MM-dd hh:mm:ss\")); } Catch { $installdate = \"\";}\r\n } else {\r\n $installdate = \"\";\r\n }\r\n Try { $localaccount = [string]$user.LocalAccount; } Catch { $localaccount = \"\"; }\r\n Try { $lockout = [string]$user.Lockout; } Catch { $lockout = \"\"; }\r\n Try { $sid = [string]$user.SID; } Catch { $sid = \"\"; }\r\n Try { $passwordexpires = [string]$user.PasswordExpires; } Catch { $passwordexpires = \"\"; }\r\n $groups = \"\"\r\n\r\n $result = \"`\"\" + $disabled + \"`\",`\"\" + $domain + \"`\",`\"\" + $fullname + \"`\",`\"\" + $installdate + \"`\",`\"\" + $localaccount + \"`\",`\"\" + $lockout + \"`\",`\"\" + $name + \"`\",`\"\" + $sid + \"`\",`\"\" + $passwordexpires + \"`\",`\"\" + $groups + \"`\"\";\r\n Write-Output $result;\r\n}\r\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8ed1",
- "name" : "accountdisabled",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8ed2",
- "name" : "domain",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8ed3",
- "name" : "fullname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8ed4",
- "name" : "installdate",
- "type" : "DATE",
- "byDefault" : false,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8ed5",
- "name" : "localaccount",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8ed6",
- "name" : "lockedout",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8ed7",
- "name" : "accountname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8ed8",
- "name" : "sid",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8ed9",
- "name" : "passwordexpires",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8eda",
- "name" : "groups",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 10
- } ]
- }
- } ]
- } ]
- },
- "running" : false,
- "createdAt" : 1530900630404,
- "executedAt" : null,
- "status" : "CREATED",
- "ttl" : 60000,
- "startTime" : null,
- "endpointPermission" : null,
- "maGuidsTarget" : null,
- "expectedHostResponses" : 0
- },
- "type" : "com.intel.mar.model.search.Search"
- }, {
- "item" : {
- "catalogVersion" : 1,
- "dbVersion" : 2,
- "id" : "5b3fb096e4b0cbe06dd67327",
- "name" : "UNUSUAL BEHAVIOR - Outbound DNS Requests not coming from DC ",
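- "description" : "Outbound DNS requests that do not originate from the DNS server. The expression treats 192.168.1.254 as the only DNS server and has no direction term, so it matches any flow to destination port 53 from a different source address; adjust the address to the site's own resolver(s).\n",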
- "type" : null,
- "expression" : "NetworkFlow where NetworkFlow src_ip not equals 192.168.1.254 and NetworkFlow dst_port equals 53",
- "temporal" : false,
- "invalid" : false,
- "aggregated" : true,
- "projections" : [ {
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e97",
- "name" : "NetworkFlow",
- "description" : "Shows the network flow",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e85",
- "name" : "time",
- "type" : "DATE",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e86",
- "name" : "direction",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e87",
- "name" : "src_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e88",
- "name" : "src_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e89",
- "name" : "dst_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e8a",
- "name" : "dst_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e8b",
- "name" : "status",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e8c",
- "name" : "proto",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8e8d",
- "name" : "ip_class",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8e8e",
- "name" : "seq_number",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 10
- }, {
- "id" : "58efec8ee4b0c390d69a8e8f",
- "name" : "src_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 11
- }, {
- "id" : "58efec8ee4b0c390d69a8e90",
- "name" : "dst_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "58efec8ee4b0c390d69a8e91",
- "name" : "process",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 13
- }, {
- "id" : "58efec8ee4b0c390d69a8e92",
- "name" : "process_id",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 14
- }, {
- "id" : "58efec8ee4b0c390d69a8e93",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 15
- }, {
- "id" : "58efec8ee4b0c390d69a8e94",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 16
- }, {
- "id" : "58efec8ee4b0c390d69a8e95",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 17
- }, {
- "id" : "58efec8ee4b0c390d69a8e96",
- "name" : "user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 18
- }, {
- "id" : "5a1a45cbe4b0401274ab7191",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 19
- } ]
- },
- "sequence" : "1",
- "output" : [ ]
- } ],
- "disjunction" : {
- "conjunctions" : [ {
- "terms" : [ {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8e87",
- "name" : "src_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 3
- },
- "operator" : "EQUALS",
- "value" : "192.168.1.254",
- "negated" : true,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e97",
- "name" : "NetworkFlow",
- "description" : "Shows the network flow",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e85",
- "name" : "time",
- "type" : "DATE",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e86",
- "name" : "direction",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e87",
- "name" : "src_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e88",
- "name" : "src_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e89",
- "name" : "dst_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e8a",
- "name" : "dst_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e8b",
- "name" : "status",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e8c",
- "name" : "proto",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8e8d",
- "name" : "ip_class",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8e8e",
- "name" : "seq_number",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 10
- }, {
- "id" : "58efec8ee4b0c390d69a8e8f",
- "name" : "src_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 11
- }, {
- "id" : "58efec8ee4b0c390d69a8e90",
- "name" : "dst_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "58efec8ee4b0c390d69a8e91",
- "name" : "process",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 13
- }, {
- "id" : "58efec8ee4b0c390d69a8e92",
- "name" : "process_id",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 14
- }, {
- "id" : "58efec8ee4b0c390d69a8e93",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 15
- }, {
- "id" : "58efec8ee4b0c390d69a8e94",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 16
- }, {
- "id" : "58efec8ee4b0c390d69a8e95",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 17
- }, {
- "id" : "58efec8ee4b0c390d69a8e96",
- "name" : "user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 18
- }, {
- "id" : "5a1a45cbe4b0401274ab7191",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 19
- } ]
- }
- }, {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8e8a",
- "name" : "dst_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 6
- },
- "operator" : "EQUALS",
- "value" : "53",
- "negated" : false,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e97",
- "name" : "NetworkFlow",
- "description" : "Shows the network flow",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e85",
- "name" : "time",
- "type" : "DATE",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e86",
- "name" : "direction",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e87",
- "name" : "src_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e88",
- "name" : "src_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e89",
- "name" : "dst_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e8a",
- "name" : "dst_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e8b",
- "name" : "status",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e8c",
- "name" : "proto",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8e8d",
- "name" : "ip_class",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8e8e",
- "name" : "seq_number",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 10
- }, {
- "id" : "58efec8ee4b0c390d69a8e8f",
- "name" : "src_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 11
- }, {
- "id" : "58efec8ee4b0c390d69a8e90",
- "name" : "dst_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "58efec8ee4b0c390d69a8e91",
- "name" : "process",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 13
- }, {
- "id" : "58efec8ee4b0c390d69a8e92",
- "name" : "process_id",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 14
- }, {
- "id" : "58efec8ee4b0c390d69a8e93",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 15
- }, {
- "id" : "58efec8ee4b0c390d69a8e94",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 16
- }, {
- "id" : "58efec8ee4b0c390d69a8e95",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 17
- }, {
- "id" : "58efec8ee4b0c390d69a8e96",
- "name" : "user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 18
- }, {
- "id" : "5a1a45cbe4b0401274ab7191",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 19
- } ]
- }
- } ]
- } ]
- },
- "running" : false,
- "createdAt" : 1530900630411,
- "executedAt" : null,
- "status" : "CREATED",
- "ttl" : 60000,
- "startTime" : null,
- "endpointPermission" : null,
- "maGuidsTarget" : null,
- "expectedHostResponses" : 0
- },
- "type" : "com.intel.mar.model.search.Search"
- }, {
- "item" : {
- "catalogVersion" : 1,
- "dbVersion" : 2,
- "id" : "5b3fb096e4b0cbe06dd67328",
- "name" : "UNUSUAL BEHAVIOR - Outbound SSH",
- "description" : "Outbound SSH sessions. A high number of outbound connections may indicate data leakage. The expression matches destination port 22 only, so SSH on other ports is not covered.",
- "type" : null,
- "expression" : "NetworkFlow where NetworkFlow direction equals \"out\" and NetworkFlow dst_port equals 22 ",
- "temporal" : false,
- "invalid" : false,
- "aggregated" : true,
- "projections" : [ {
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e97",
- "name" : "NetworkFlow",
- "description" : "Shows the network flow",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e85",
- "name" : "time",
- "type" : "DATE",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e86",
- "name" : "direction",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e87",
- "name" : "src_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e88",
- "name" : "src_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e89",
- "name" : "dst_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e8a",
- "name" : "dst_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e8b",
- "name" : "status",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e8c",
- "name" : "proto",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8e8d",
- "name" : "ip_class",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8e8e",
- "name" : "seq_number",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 10
- }, {
- "id" : "58efec8ee4b0c390d69a8e8f",
- "name" : "src_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 11
- }, {
- "id" : "58efec8ee4b0c390d69a8e90",
- "name" : "dst_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "58efec8ee4b0c390d69a8e91",
- "name" : "process",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 13
- }, {
- "id" : "58efec8ee4b0c390d69a8e92",
- "name" : "process_id",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 14
- }, {
- "id" : "58efec8ee4b0c390d69a8e93",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 15
- }, {
- "id" : "58efec8ee4b0c390d69a8e94",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 16
- }, {
- "id" : "58efec8ee4b0c390d69a8e95",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 17
- }, {
- "id" : "58efec8ee4b0c390d69a8e96",
- "name" : "user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 18
- }, {
- "id" : "5a1a45cbe4b0401274ab7191",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 19
- } ]
- },
- "sequence" : "1",
- "output" : [ ]
- } ],
- "disjunction" : {
- "conjunctions" : [ {
- "terms" : [ {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8e86",
- "name" : "direction",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 2
- },
- "operator" : "EQUALS",
- "value" : "out",
- "negated" : false,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e97",
- "name" : "NetworkFlow",
- "description" : "Shows the network flow",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e85",
- "name" : "time",
- "type" : "DATE",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e86",
- "name" : "direction",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e87",
- "name" : "src_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e88",
- "name" : "src_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e89",
- "name" : "dst_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e8a",
- "name" : "dst_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e8b",
- "name" : "status",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e8c",
- "name" : "proto",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8e8d",
- "name" : "ip_class",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8e8e",
- "name" : "seq_number",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 10
- }, {
- "id" : "58efec8ee4b0c390d69a8e8f",
- "name" : "src_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 11
- }, {
- "id" : "58efec8ee4b0c390d69a8e90",
- "name" : "dst_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "58efec8ee4b0c390d69a8e91",
- "name" : "process",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 13
- }, {
- "id" : "58efec8ee4b0c390d69a8e92",
- "name" : "process_id",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 14
- }, {
- "id" : "58efec8ee4b0c390d69a8e93",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 15
- }, {
- "id" : "58efec8ee4b0c390d69a8e94",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 16
- }, {
- "id" : "58efec8ee4b0c390d69a8e95",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 17
- }, {
- "id" : "58efec8ee4b0c390d69a8e96",
- "name" : "user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 18
- }, {
- "id" : "5a1a45cbe4b0401274ab7191",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 19
- } ]
- }
- }, {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8e8a",
- "name" : "dst_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 6
- },
- "operator" : "EQUALS",
- "value" : "22",
- "negated" : false,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e97",
- "name" : "NetworkFlow",
- "description" : "Shows the network flow",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e85",
- "name" : "time",
- "type" : "DATE",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e86",
- "name" : "direction",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e87",
- "name" : "src_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e88",
- "name" : "src_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e89",
- "name" : "dst_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e8a",
- "name" : "dst_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e8b",
- "name" : "status",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e8c",
- "name" : "proto",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8e8d",
- "name" : "ip_class",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8e8e",
- "name" : "seq_number",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 10
- }, {
- "id" : "58efec8ee4b0c390d69a8e8f",
- "name" : "src_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 11
- }, {
- "id" : "58efec8ee4b0c390d69a8e90",
- "name" : "dst_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "58efec8ee4b0c390d69a8e91",
- "name" : "process",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 13
- }, {
- "id" : "58efec8ee4b0c390d69a8e92",
- "name" : "process_id",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 14
- }, {
- "id" : "58efec8ee4b0c390d69a8e93",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 15
- }, {
- "id" : "58efec8ee4b0c390d69a8e94",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 16
- }, {
- "id" : "58efec8ee4b0c390d69a8e95",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 17
- }, {
- "id" : "58efec8ee4b0c390d69a8e96",
- "name" : "user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 18
- }, {
- "id" : "5a1a45cbe4b0401274ab7191",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 19
- } ]
- }
- } ]
- } ]
- },
- "running" : false,
- "createdAt" : 1530900630419,
- "executedAt" : null,
- "status" : "CREATED",
- "ttl" : 60000,
- "startTime" : null,
- "endpointPermission" : null,
- "maGuidsTarget" : null,
- "expectedHostResponses" : 0
- },
- "type" : "com.intel.mar.model.search.Search"
- }, {
- "item" : {
- "catalogVersion" : 1,
- "dbVersion" : 2,
- "id" : "5b3fb096e4b0cbe06dd67329",
- "name" : "USER INVESTIGATION - REALTIME - Processes",
- "description" : "Show all running processes where the user name contains X (substring match; replace the xxx placeholder in the expression)",
- "type" : null,
- "expression" : "Processes where Processes user contains \"xxx\"",
- "temporal" : false,
- "invalid" : false,
- "aggregated" : true,
- "projections" : [ {
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e79",
- "name" : "Processes",
- "description" : "Shows the running processes",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e10",
- "name" : "Running Processes",
- "description" : "Obtains the list of the running processes",
- "module" : "SystemInfo",
- "function" : "CollectProcess",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e10",
- "name" : "Running Processes",
- "description" : "Obtains the list of the running processes",
- "module" : "SystemInfo",
- "function" : "CollectProcess",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e10",
- "name" : "Running Processes",
- "description" : "Obtains the list of the running processes",
- "module" : "SystemInfo",
- "function" : "CollectProcess",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e6a",
- "name" : "name",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e6b",
- "name" : "id",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e6c",
- "name" : "threadcount",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e6d",
- "name" : "parentid",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e6e",
- "name" : "parentname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 999
- }, {
- "id" : "5a1a45cae4b0401274ab718e",
- "name" : "parentimagepath",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1000
- }, {
- "id" : "5a1a45cae4b0401274ab718f",
- "name" : "file_reputation",
- "type" : "REPUTATION",
- "byDefault" : false,
- "sequence" : 1001
- }, {
- "id" : "5b3f9b64e4b0dfaf321a630e",
- "name" : "process_reputation",
- "type" : "REPUTATION",
- "byDefault" : false,
- "sequence" : 1002
- }, {
- "id" : "5b3f9b64e4b0dfaf321a630f",
- "name" : "started_at",
- "type" : "DATE",
- "byDefault" : false,
- "sequence" : 1003
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6310",
- "name" : "content_size",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 1004
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6311",
- "name" : "content",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1005
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6312",
- "name" : "content_file",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1006
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6313",
- "name" : "execution_mode",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1007
- }, {
- "id" : "58efec8ee4b0c390d69a8e6f",
- "name" : "size",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e70",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e71",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e72",
- "name" : "cmdline",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8e73",
- "name" : "imagepath",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8e74",
- "name" : "kerneltime",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 10
- }, {
- "id" : "58efec8ee4b0c390d69a8e75",
- "name" : "usertime",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 11
- }, {
- "id" : "58efec8ee4b0c390d69a8e76",
- "name" : "uptime",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "58efec8ee4b0c390d69a8e77",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 13
- }, {
- "id" : "58efec8ee4b0c390d69a8e78",
- "name" : "user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 14
- }, {
- "id" : "5a1a45cae4b0401274ab7190",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 15
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6314",
- "name" : "normalized_cmdline",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1009
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6315",
- "name" : "parent_cmdline",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1010
- } ]
- },
- "sequence" : "1",
- "output" : [ ]
- } ],
- "disjunction" : {
- "conjunctions" : [ {
- "terms" : [ {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8e77",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 13
- },
- "operator" : "CONTAINS",
- "value" : "xxx",
- "negated" : false,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e79",
- "name" : "Processes",
- "description" : "Shows the running processes",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e10",
- "name" : "Running Processes",
- "description" : "Obtains the list of the running processes",
- "module" : "SystemInfo",
- "function" : "CollectProcess",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e10",
- "name" : "Running Processes",
- "description" : "Obtains the list of the running processes",
- "module" : "SystemInfo",
- "function" : "CollectProcess",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e10",
- "name" : "Running Processes",
- "description" : "Obtains the list of the running processes",
- "module" : "SystemInfo",
- "function" : "CollectProcess",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e6a",
- "name" : "name",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e6b",
- "name" : "id",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e6c",
- "name" : "threadcount",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e6d",
- "name" : "parentid",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e6e",
- "name" : "parentname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 999
- }, {
- "id" : "5a1a45cae4b0401274ab718e",
- "name" : "parentimagepath",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1000
- }, {
- "id" : "5a1a45cae4b0401274ab718f",
- "name" : "file_reputation",
- "type" : "REPUTATION",
- "byDefault" : false,
- "sequence" : 1001
- }, {
- "id" : "5b3f9b64e4b0dfaf321a630e",
- "name" : "process_reputation",
- "type" : "REPUTATION",
- "byDefault" : false,
- "sequence" : 1002
- }, {
- "id" : "5b3f9b64e4b0dfaf321a630f",
- "name" : "started_at",
- "type" : "DATE",
- "byDefault" : false,
- "sequence" : 1003
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6310",
- "name" : "content_size",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 1004
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6311",
- "name" : "content",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1005
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6312",
- "name" : "content_file",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1006
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6313",
- "name" : "execution_mode",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1007
- }, {
- "id" : "58efec8ee4b0c390d69a8e6f",
- "name" : "size",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e70",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e71",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e72",
- "name" : "cmdline",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8e73",
- "name" : "imagepath",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8e74",
- "name" : "kerneltime",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 10
- }, {
- "id" : "58efec8ee4b0c390d69a8e75",
- "name" : "usertime",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 11
- }, {
- "id" : "58efec8ee4b0c390d69a8e76",
- "name" : "uptime",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "58efec8ee4b0c390d69a8e77",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 13
- }, {
- "id" : "58efec8ee4b0c390d69a8e78",
- "name" : "user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 14
- }, {
- "id" : "5a1a45cae4b0401274ab7190",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 15
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6314",
- "name" : "normalized_cmdline",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1009
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6315",
- "name" : "parent_cmdline",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1010
- } ]
- }
- } ]
- } ]
- },
- "running" : false,
- "createdAt" : 1530900630426,
- "executedAt" : null,
- "status" : "CREATED",
- "ttl" : 60000,
- "startTime" : null,
- "endpointPermission" : null,
- "maGuidsTarget" : null,
- "expectedHostResponses" : 0
- },
- "type" : "com.intel.mar.model.search.Search"
- }, {
- "item" : {
- "catalogVersion" : 1,
- "dbVersion" : 2,
- "id" : "5b3fb096e4b0cbe06dd6732a",
- "name" : "WinRegistry Runkeys Info",
- "description" : "",
- "type" : null,
- "expression" : null,
- "temporal" : false,
- "invalid" : false,
- "aggregated" : false,
- "projections" : [ {
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8ec5",
- "name" : "HostInfo",
- "description" : "Shows Hostname, 1st IP Address, OS version and Connection Status",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e14",
- "name" : "Bash Script",
- "description" : "Executes Bash script on target client",
- "module" : "SystemRuntime",
- "function" : "executeBash",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "#!/bin/bash\n# Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\n#\n# Purpose: Shows information about host\n#\n# Version: 1\n\ngetOsRelease() {\n if [[ -x /usr/bin/lsb_release ]]; then\n lsb_release -sd\n elif [[ -r /etc/system-release ]]; then\n cat /etc/system-release\n else\n echo -e \"Unknown\"\n fi\n}\n\ngetHostName() {\n hostname -s\n}\n\ngetInterfacesInfoCommand() {\n current_os=$(getOsRelease)\n if [[ $current_os == \"Red Hat\"*\"7.\"* ]]; then\n echo -e \"ip addr show\"\n else\n echo -e \"ifconfig\"\n fi\n}\n\ngetInterfacesDir() {\n echo -e \"/sys/class/net\"\n}\n\nisInterfacePhysical() {\n interface_path=\"$1\"\n if [ -z \"$interface_path\" ]; then\n return 1\n fi\n\n real_location=$(readlink \"$interface_path\")\n if [[ \"$real_location\" =~ \"virtual\" ]]; then\n return 1\n else\n return 0\n fi\n}\n\nparsePrimaryIPInterface() {\n interface_name=\"$1\"\n if [ -z \"$interface_name\" ]; then\n return 1\n fi\n cmd=$(getInterfacesInfoCommand)\n eval \"$cmd $interface_name\" | grep -oE \"\\b([0-9]{1,3}\\.){3}[0-9]{1,3}\\b\" | grep -vE \"^2[2-5]\" | head -n 1\n}\n\ngetPrimaryIPHost() {\n interfaces_dir=$(getInterfacesDir)\n physical_interfaces=()\n\n shopt -s nullglob\n for interface in \"$interfaces_dir\"/*; do\n if isInterfacePhysical \"$interface\"; then\n current_interface=$(basename \"$interface\")\n physical_interfaces+=(\"$current_interface\")\n fi\n done\n shopt -u nullglob\n\n i=0\n for interface in \"${physical_interfaces[@]}\"; do\n ips[$i]=$(parsePrimaryIPInterface \"$interface\")\n ((i++))\n done\n\n if [ \"${#ips[@]}\" -ge 1 ]; then\n echo -e \"${ips[0]}\"\n fi\n}\n\n\ngetConnectionStatus() {\n echo \"Online\"\n}\n\ngetPlatform() {\n echo \"Linux\"\n}\n\nprocessHostInfo() {\n name=$(getHostName)\n os=$(getOsRelease)\n ipaddress=$(getPrimaryIPHost)\n connection_status=$(getConnectionStatus)\n platform=$(getPlatform)\n\n echo -e 
\"\\\"$name\\\",\\\"$ipaddress\\\",\\\"$os\\\",\\\"$connection_status\\\",\\\"$platform\\\"\"\n}\n\nmain() {\n if [ \"$1\" == \"--no-exec\" ]; then\n return 0\n fi\n\n processHostInfo\n}\n\nmain \"$@\"\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e12",
- "name" : "Visual Basic Script",
- "description" : "Executes VBS script on target client",
- "module" : "SystemRuntime",
- "function" : "executeVBS",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "' Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\r\n\r\nstrComputer = \".\"\r\nFirstIP=\"\"\r\nCurrentMac=\"\"\r\nConnectionStatus = \"\"\r\nSet objWMIService=GetObject(\"winmgmts:\" & \"{impersonationLevel=impersonate}!\\\\\" & strComputer & \"\\root\\cimv2\")\r\n\r\nSet NetAdapters = objWMIService.ExecQuery(\"Select * From Win32_NetworkAdapter Where NOT PNPDeviceID LIKE 'ROOT\\\\%'\")\r\nFor Each NetAdapter in NetAdapters\r\n CurrentMac = NetAdapter.MACAddress\r\n Set IPConfigSet = objWMIService.ExecQuery(\"Select * from Win32_NetworkAdapterConfiguration Where IPEnabled=TRUE AND MacAddress = '\" & CurrentMac & \"'\")\r\n For Each IPConfig in IPConfigSet\r\n If Not IsNull(IPConfig.IPAddress) Then\r\n For i=LBound(IPConfig.IPAddress) to UBound(IPConfig.IPAddress)\r\n FirstIP=IPConfig.IPAddress(i)\r\n Exit For\r\n Next\r\n End If\r\n Next\r\nNext\r\n\r\nSet objNet = CreateObject(\"WScript.Network\")\r\nstrCompName = objNet.ComputerName\r\n\r\nSet shell = CreateObject(\"WScript.Shell\")\r\nSet getOSVersion = shell.exec(\"%comspec% /D /c ver\")\r\ngetOSVersion.stdout.readLine\r\nversion = getOSVersion.stdout.readLine\r\n\r\nFunction Registry_Read(Key_Path, Key_Name)\r\n On Error Resume Next\r\n Set Registry = CreateObject(\"WScript.Shell\")\r\n Registry_Read = Registry.RegRead(Key_Path & \"\\\" & Key_Name)\r\nEnd Function\r\n\r\nSet shell_arch = CreateObject(\"WScript.Shell\")\r\nIf shell_arch.ExpandEnvironmentStrings(\"%PROCESSOR_ARCHITECTURE%\") = \"AMD64\" then\r\n ConnectionStatus = Registry_Read(\"HKLM\\SOFTWARE\\WOW6432Node\\Network Associates\\ePolicy Orchestrator\\Application Plugins\\MAR_____1000\",\"connection_status\")\r\nElse\r\n ConnectionStatus = Registry_Read(\"HKLM\\SOFTWARE\\Network Associates\\ePolicy Orchestrator\\Application Plugins\\MAR_____1000\",\"connection_status\")\r\nEnd If\r\n\r\nIf ConnectionStatus = \"false\" then\r\n ConnectionStatus = 
\"Quarantined\"\r\nElse\r\n ConnectionStatus = \"Online\"\r\nEnd If\r\n\r\nplatform = \"Windows\"\r\n\r\nWScript.Echo strCompName & \",\" & FirstIP & \",\" & version & \",\" & ConnectionStatus & \",\" & platform\r\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45cae4b0401274ab7183",
- "name" : "HostInfo SysInfo",
- "description" : "Shows Hostname, 1st IP Address and OS version",
- "module" : "SysInfo",
- "function" : "HostInfo",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8ec2",
- "name" : "hostname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8ec3",
- "name" : "ip_address",
- "type" : "IPV4IPV6",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8ec4",
- "name" : "os",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6346",
- "name" : "connection_status",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 4
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6347",
- "name" : "platform",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 5
- } ]
- },
- "sequence" : "1",
- "output" : [ {
- "id" : "58efec8ee4b0c390d69a8ec2",
- "name" : "hostname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1
- } ]
- }, {
- "collector" : {
- "catalogVersion" : 1,
- "dbVersion" : 2,
- "id" : "5b3fb07ce4b0cbe06dd672fe",
- "name" : "Runkeys",
- "description" : "Executes VBS script on target client",
- "type" : "CUSTOM",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e51",
- "name" : "NotAvailable",
- "description" : "Capability not available",
- "module" : "Internal",
- "function" : "GetFalseResult",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- } ],
- "platformSettings" : [ ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ ]
- },
- "content" : null,
- "arguments" : null,
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e51",
- "name" : "NotAvailable",
- "description" : "Capability not available",
- "module" : "Internal",
- "function" : "GetFalseResult",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- } ],
- "platformSettings" : [ ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ ]
- },
- "content" : null,
- "arguments" : null,
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e12",
- "name" : "Visual Basic Script",
- "description" : "Executes VBS script on target client",
- "module" : "SystemRuntime",
- "function" : "executeVBS",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "'\n' Copyright (C) 2017 McAfee, Inc. All Rights Reserved.\n' This Script will enumerate the Run and RunOnce Keys from the registry and return a list of Values\n' Created by Nick Mauriello of Intel Security\n'\n'\n' ***********************************************\n' Declare all variables\n' ***********************************************\nOption Explicit\nDim objectShell, objectReg, objWMIService, strKeyValuePath, strKeyValueData, strKeyPath, arrValueNames, I, user, strFullPath, arrValueNames2, dict\nConst HKEY_LOCAL_MACHINE = &H80000002\nConst HKEY_USERS = &H80000003\nSet objectShell = WScript.CreateObject(\"WScript.Shell\")\nSet objectReg = GetObject(\"winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\default:StdRegProv\")\nSet objWMIService = GetObject(\"winmgmts:\\\\.\\root\\cimv2\")\n' ***********************************************\n' Ignore Values in this list. They are known safe so we can filter them out during collection\n' If you want all keys returned without any filtering just remove lines from below section\n' Note: filtering matches on the value name only; the value data (the command that runs) is not compared, so a listed name is skipped whatever it points to\n' ***********************************************\nSet dict = CreateObject(\"Scripting.Dictionary\")\ndict.Add \"\", \"\"\ndict.Add \"McAfeeUpdaterUI\", \"McAfee\"\ndict.Add \"TIEStatusExe\", \"McAfee\"\ndict.Add \"ShStatEXE\", \"McAfee\"\ndict.Add \"McAfee Host Intrusion Prevention Tray\", \"McAfee Host Intrusion Prevention Tray\"\ndict.Add \"Sidebar\", \"Sidebar\"\ndict.Add \"McAfeeTalkBackMonitor\", \"McAfeeTalkBackMonitor\"\ndict.Add \"MfeEpePcMonitor\", \"MfeEpePcMonitor\"\ndict.Add \"MfeFfCore\", \"MfeFfCore\"\ndict.Add \"VMware User Process\", \"VMware User Process\"\ndict.Add \"SunJavaUpdateSched\", \"SunJavaUpdateSched\"\ndict.Add \"Persistence\", \"Persistence\"\ndict.Add \"IgfxTray\", \"IgfxTray\"\ndict.Add \"HotKeysCmds\", \"HotKeysCmds\"\ndict.Add \"RTHDVCPL\", \"RTHDVCPL\"\ndict.Add \"Adobe ARM\", \"Adobe ARM\"\ndict.Add \"QuickTime Task\", \"QuickTime Task\"\ndict.Add \"Lync\", \"Lync\"\ndict.Add \"BCSSync\", 
\"BCSSync\"\ndict.Add \"!!SecureLogin\", \"!!SecureLogin\"\ndict.Add \"Acrobat Assistant 8.0\", \"Acrobat Assistant 8.0\"\ndict.Add \"AdobeAAMUpdater-1.0\", \"AdobeAAMUpdater-1.0\"\ndict.Add \"OfficeSyncProcess\", \"OfficeSyncProcess\"\ndict.Add \"Bginfo\", \"Bginfo\"\ndict.Add \"MSPCLOCK\", \"MSCLOCK\"\ndict.Add \"MSKSSR\", \"Streaming\"\ndict.Add \"MSTEE.Splitter\", \"Streaming 2\"\ndict.Add \"MSPQM\", \"Streaming 3\"\ndict.Add \"MSKSSRV\", \"Streaming 4\"\ndict.Add \"MSTEE.CxTransform\", \"MSTEE.CxTransform1\"\ndict.Add \"WDM_DRMKAUD\", \"Audio Descrambler\"\ndict.Add \"mctadmin\", \"mctadmin1\"\n' ***********************************************\n' Enumerate standard 32 Bit Run keys\n' ***********************************************\nstrKeyPath = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\"\nobjectReg.EnumValues HKEY_LOCAL_MACHINE, strKeyPath, arrValueNames\nIF IsArray(arrValueNames) Then \n\tFor I=0 To UBound(arrValueNames) \n\t\tstrKeyValuePath = \"HKEY_LOCAL_MACHINE\" & \"\\\" & strKeyPath & \"\\\" & arrValueNames(I)\n\t\tstrKeyValueData = objectShell.RegRead(\"HKEY_LOCAL_MACHINE\" & \"\\\" & strKeyPath & \"\\\" & arrValueNames(I))\t\n\t\tIF arrValueNames(I) <> \"\" Then\n\t\t\tIF dict.Exists(arrValueNames(I)) Then\n\t\t\tELSE\n\t\t\t\tWScript.Echo Replace(strKeyValuePath,\"\\\",\"\\\\\") & \",,\" & arrValueNames(I) & \",\" & Replace(Replace(Replace(strKeyValueData,\"\\\",\"\\\\\"),\"\"\"\",\"\\\"\"\"),\",\",\"\\,\")\n\t\t\tEnd IF\n\t\tEnd IF\n Next\nEnd IF\n' ***********************************************\n' Enumerate standard 32 Bit RunOnce keys\n' ***********************************************\nstrKeyPath = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\"\nobjectReg.EnumValues HKEY_LOCAL_MACHINE, strKeyPath, arrValueNames\nIF IsArray(arrValueNames) Then \n\tFor I=0 To UBound(arrValueNames) \n\t\tstrKeyValuePath = \"HKEY_LOCAL_MACHINE\" & \"\\\" & strKeyPath & \"\\\" & arrValueNames(I)\n\t\tstrKeyValueData = 
objectShell.RegRead(\"HKEY_LOCAL_MACHINE\" & \"\\\" & strKeyPath & \"\\\" & arrValueNames(I))\t\n\t\tIF arrValueNames(I) <> \"\" Then\n\t\t\tIF dict.Exists(arrValueNames(I)) Then\n\t\t\tELSE\n\t\t\t\tWScript.Echo Replace(strKeyValuePath,\"\\\",\"\\\\\") & \",,\" & arrValueNames(I) & \",\" & Replace(Replace(Replace(strKeyValueData,\"\\\",\"\\\\\"),\"\"\"\",\"\\\"\"\"),\",\",\"\\,\")\n\t\t\tEnd IF\n\t\tEnd IF\n Next\nEnd IF\n' ***********************************************\n' Enumerate 64 Bit Run keys\n' ***********************************************\nstrKeyPath = \"SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\"\nobjectReg.EnumValues HKEY_LOCAL_MACHINE, strKeyPath, arrValueNames\nIF IsArray(arrValueNames) Then \n\tFor I=0 To UBound(arrValueNames) \n\t\tstrKeyValuePath = \"HKEY_LOCAL_MACHINE\" & \"\\\" & strKeyPath & \"\\\" & arrValueNames(I)\n\t\tstrKeyValueData = objectShell.RegRead(\"HKEY_LOCAL_MACHINE\" & \"\\\" & strKeyPath & \"\\\" & arrValueNames(I))\t\n\t\tIF arrValueNames(I) <> \"\" Then\n\t\t\tIF dict.Exists(arrValueNames(I)) Then\n\t\t\tELSE\n\t\t\t\tWScript.Echo Replace(strKeyValuePath,\"\\\",\"\\\\\") & \",,\" & arrValueNames(I) & \",\" & Replace(Replace(Replace(strKeyValueData,\"\\\",\"\\\\\"),\"\"\"\",\"\\\"\"\"),\",\",\"\\,\")\n\t\t\tEnd IF\n\t\tEnd IF\n Next\nEnd IF\n' ***********************************************\n' Enumerate 64 Bit RunOnce keys\n' ***********************************************\nstrKeyPath = \"SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\"\nobjectReg.EnumValues HKEY_LOCAL_MACHINE, strKeyPath, arrValueNames\nIF IsArray(arrValueNames) Then \n\tFor I=0 To UBound(arrValueNames) \n\t\tstrKeyValuePath = \"HKEY_LOCAL_MACHINE\" & \"\\\" & strKeyPath & \"\\\" & arrValueNames(I)\n\t\tstrKeyValueData = objectShell.RegRead(\"HKEY_LOCAL_MACHINE\" & \"\\\" & strKeyPath & \"\\\" & arrValueNames(I))\t\n\t\tIF arrValueNames(I) <> \"\" Then\n\t\t\tIF dict.Exists(arrValueNames(I)) 
Then\n\t\t\tELSE\n\t\t\t\tWScript.Echo Replace(strKeyValuePath,\"\\\",\"\\\\\") & \",,\" & arrValueNames(I) & \",\" & Replace(Replace(Replace(strKeyValueData,\"\\\",\"\\\\\"),\"\"\"\",\"\\\"\"\"),\",\",\"\\,\")\n\t\t\tEnd IF\n\t\tEnd IF\n Next\nEnd IF\n' ***********************************************\n' Enumerate User Run Keys\n' ***********************************************\nstrKeyPath = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\"\nobjectReg.EnumKey HKEY_USERS, \"\", arrValueNames\nIF IsArray(arrValueNames) Then\n\tFor Each user in arrValueNames\n\t\tstrFullPath = user & \"\\\" & strKeyPath\n\t\tIF user <> \".DEFAULT\" Then\n\t\t\tobjectReg.EnumValues HKEY_USERS, strFullPath, arrValueNames2\n\t\t\tIF IsArray(arrValueNames2) Then\n\t\t\t\tFor I=0 To UBound(arrValueNames2)\n\t\t\t\t\tstrKeyValuePath = \"HKEY_USERS\" & \"\\\" & user & \"\\\" & strKeyPath & \"\\\" & arrValueNames2(I)\n\t\t\t\t\tstrKeyValueData = objectShell.RegRead(strKeyValuePath)\n\t\t\t\t\tIF arrValueNames2(I) <> \"\" Then\n\t\t\t\t\t\tIF dict.Exists(arrValueNames2(I)) Then\n\t\t\t\t\t\tELSE\n\t\t\t\t\t\t\tWScript.Echo Replace(strKeyValuePath,\"\\\",\"\\\\\") & \",\" & _\n\t\t\t\t\t\t\t(objWMIService.Get(\"Win32_SID.SID='\" & user & \"'\").AccountName) & \",\" & arrValueNames2(I) & \",\" & Replace(Replace(Replace(strKeyValueData,\"\\\",\"\\\\\"),\"\"\"\",\"\\\"\"\"),\",\",\"\\,\")\n\t\t\t\t\t\tEnd IF\n\t\t\t\t\tEnd IF\n\t\t\t\tNext\n\t\t\tEnd IF\n\t\tEnd IF\n\tNext\nEnd IF\n' ***********************************************\n' Enumerate User RunOnce Keys\n' ***********************************************\nstrKeyPath = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\"\nobjectReg.EnumKey HKEY_USERS, \"\", arrValueNames\nIF IsArray(arrValueNames) Then\n\tFor Each user in arrValueNames\n\t\tstrFullPath = user & \"\\\" & strKeyPath\n\t\tIF user <> \".DEFAULT\" Then\n\t\t\tobjectReg.EnumValues HKEY_USERS, strFullPath, arrValueNames2\n\t\t\tIF IsArray(arrValueNames2) Then\n\t\t\t\tFor 
I=0 To UBound(arrValueNames2)\n\t\t\t\t\tstrKeyValuePath = \"HKEY_USERS\" & \"\\\" & user & \"\\\" & strKeyPath & \"\\\" & arrValueNames2(I)\n\t\t\t\t\tstrKeyValueData = objectShell.RegRead(strKeyValuePath)\n\t\t\t\t\tIF arrValueNames2(I) <> \"\" Then\n\t\t\t\t\t\tIF dict.Exists(arrValueNames2(I)) Then\n\t\t\t\t\t\tELSE\n\t\t\t\t\t\t\tWScript.Echo Replace(strKeyValuePath,\"\\\",\"\\\\\") & \",\" & _\n\t\t\t\t\t\t\t(objWMIService.Get(\"Win32_SID.SID='\" & user & \"'\").AccountName) & \",\" & arrValueNames2(I) & \",\" & Replace(Replace(Replace(strKeyValueData,\"\\\",\"\\\\\"),\"\"\"\",\"\\\"\"\"),\",\",\"\\,\")\n\t\t\t\t\t\tEnd IF\n\t\t\t\t\tEnd IF\n\t\t\t\tNext\n\t\t\tEnd IF\n\t\tEnd IF\n\tNext\nEnd IF",
- "arguments" : null,
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "5b3fb07ce4b0cbe06dd672dd",
- "name" : "fullpath",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "5b3fb07ce4b0cbe06dd672de",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "5b3fb07ce4b0cbe06dd672df",
- "name" : "keypath",
- "type" : "REG_STR",
- "byDefault" : true,
- "sequence" : 3
- }, {
- "id" : "5b3fb07ce4b0cbe06dd672e0",
- "name" : "keyvalue",
- "type" : "REG_STR",
- "byDefault" : true,
- "sequence" : 4
- }, {
- "id" : "5b3fb07ce4b0cbe06dd672e1",
- "name" : "valuedata",
- "type" : "REG_STR",
- "byDefault" : true,
- "sequence" : 5
- }, {
- "id" : "5b3fb07ce4b0cbe06dd672e2",
- "name" : "valuetype",
- "type" : "REG_STR",
- "byDefault" : true,
- "sequence" : 6
- } ]
- },
- "sequence" : "2",
- "output" : [ ]
- } ],
- "disjunction" : {
- "conjunctions" : [ {
- "terms" : [ {
- "output" : {
- "id" : "5b3fb07ce4b0cbe06dd672dd",
- "name" : "fullpath",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 1
- },
- "operator" : "EQUALS",
- "value" : "",
- "negated" : true,
- "collector" : {
- "catalogVersion" : 1,
- "dbVersion" : 2,
- "id" : "5b3fb07ce4b0cbe06dd672fe",
- "name" : "Runkeys",
- "description" : "Executes VBS script on target client",
- "type" : "CUSTOM",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e51",
- "name" : "NotAvailable",
- "description" : "Capability not available",
- "module" : "Internal",
- "function" : "GetFalseResult",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- } ],
- "platformSettings" : [ ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ ]
- },
- "content" : null,
- "arguments" : null,
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e51",
- "name" : "NotAvailable",
- "description" : "Capability not available",
- "module" : "Internal",
- "function" : "GetFalseResult",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- } ],
- "platformSettings" : [ ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ ]
- },
- "content" : null,
- "arguments" : null,
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e12",
- "name" : "Visual Basic Script",
- "description" : "Executes VBS script on target client",
- "module" : "SystemRuntime",
- "function" : "executeVBS",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "'\n' Copyright (C) 2017 McAfee, Inc. All Rights Reserved.\n' This Script will enumerate the Run and RunOnce Keys from the registry and return a list of Values\n' Created by Nick Mauriello of Intel Security\n'\n'\n' ***********************************************\n' Declare all variables\n' ***********************************************\nOption Explicit\nDim objectShell, objectReg, objWMIService, strKeyValuePath, strKeyValueData, strKeyPath, arrValueNames, I, user, strFullPath, arrValueNames2, dict\nConst HKEY_LOCAL_MACHINE = &H80000002\nConst HKEY_USERS = &H80000003\nSet objectShell = WScript.CreateObject(\"WScript.Shell\")\nSet objectReg = GetObject(\"winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\default:StdRegProv\")\nSet objWMIService = GetObject(\"winmgmts:\\\\.\\root\\cimv2\")\n' ***********************************************\n' Ignore Values whose names are in this list. They are known safe so we can filter them out during collection\n' Note: the filter compares the value name only, not the command stored in the value, so a listed name is skipped without its data being checked\n' If you want all keys returned without any filtering just remove the dict.Add lines from the section below\n' ***********************************************\nSet dict = CreateObject(\"Scripting.Dictionary\")\ndict.Add \"\", \"\"\ndict.Add \"McAfeeUpdaterUI\", \"McAfee\"\ndict.Add \"TIEStatusExe\", \"McAfee\"\ndict.Add \"ShStatEXE\", \"McAfee\"\ndict.Add \"McAfee Host Intrusion Prevention Tray\", \"McAfee Host Intrusion Prevention Tray\"\ndict.Add \"Sidebar\", \"Sidebar\"\ndict.Add \"McAfeeTalkBackMonitor\", \"McAfeeTalkBackMonitor\"\ndict.Add \"MfeEpePcMonitor\", \"MfeEpePcMonitor\"\ndict.Add \"MfeFfCore\", \"MfeFfCore\"\ndict.Add \"VMware User Process\", \"VMware User Process\"\ndict.Add \"SunJavaUpdateSched\", \"SunJavaUpdateSched\"\ndict.Add \"Persistence\", \"Persistence\"\ndict.Add \"IgfxTray\", \"IgfxTray\"\ndict.Add \"HotKeysCmds\", \"HotKeysCmds\"\ndict.Add \"RTHDVCPL\", \"RTHDVCPL\"\ndict.Add \"Adobe ARM\", \"Adobe ARM\"\ndict.Add \"QuickTime Task\", \"QuickTime Task\"\ndict.Add \"Lync\", \"Lync\"\ndict.Add \"BCSSync\", 
\"BCSSync\"\ndict.Add \"!!SecureLogin\", \"!!SecureLogin\"\ndict.Add \"Acrobat Assistant 8.0\", \"Acrobat Assistant 8.0\"\ndict.Add \"AdobeAAMUpdater-1.0\", \"AdobeAAMUpdater-1.0\"\ndict.Add \"OfficeSyncProcess\", \"OfficeSyncProcess\"\ndict.Add \"Bginfo\", \"Bginfo\"\ndict.Add \"MSPCLOCK\", \"MSCLOCK\"\ndict.Add \"MSKSSR\", \"Streaming\"\ndict.Add \"MSTEE.Splitter\", \"Streaming 2\"\ndict.Add \"MSPQM\", \"Streaming 3\"\ndict.Add \"MSKSSRV\", \"Streaming 4\"\ndict.Add \"MSTEE.CxTransform\", \"MSTEE.CxTransform1\"\ndict.Add \"WDM_DRMKAUD\", \"Audio Descrambler\"\ndict.Add \"mctadmin\", \"mctadmin1\"\n' ***********************************************\n' Enumerate standard 32 Bit Run keys\n' ***********************************************\nstrKeyPath = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\"\nobjectReg.EnumValues HKEY_LOCAL_MACHINE, strKeyPath, arrValueNames\nIF IsArray(arrValueNames) Then \n\tFor I=0 To UBound(arrValueNames) \n\t\tstrKeyValuePath = \"HKEY_LOCAL_MACHINE\" & \"\\\" & strKeyPath & \"\\\" & arrValueNames(I)\n\t\tstrKeyValueData = objectShell.RegRead(\"HKEY_LOCAL_MACHINE\" & \"\\\" & strKeyPath & \"\\\" & arrValueNames(I))\t\n\t\tIF arrValueNames(I) <> \"\" Then\n\t\t\tIF dict.Exists(arrValueNames(I)) Then\n\t\t\tELSE\n\t\t\t\tWScript.Echo Replace(strKeyValuePath,\"\\\",\"\\\\\") & \",,\" & arrValueNames(I) & \",\" & Replace(Replace(Replace(strKeyValueData,\"\\\",\"\\\\\"),\"\"\"\",\"\\\"\"\"),\",\",\"\\,\")\n\t\t\tEnd IF\n\t\tEnd IF\n Next\nEnd IF\n' ***********************************************\n' Enumerate standard 32 Bit RunOnce keys\n' ***********************************************\nstrKeyPath = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\"\nobjectReg.EnumValues HKEY_LOCAL_MACHINE, strKeyPath, arrValueNames\nIF IsArray(arrValueNames) Then \n\tFor I=0 To UBound(arrValueNames) \n\t\tstrKeyValuePath = \"HKEY_LOCAL_MACHINE\" & \"\\\" & strKeyPath & \"\\\" & arrValueNames(I)\n\t\tstrKeyValueData = 
objectShell.RegRead(\"HKEY_LOCAL_MACHINE\" & \"\\\" & strKeyPath & \"\\\" & arrValueNames(I))\t\n\t\tIF arrValueNames(I) <> \"\" Then\n\t\t\tIF dict.Exists(arrValueNames(I)) Then\n\t\t\tELSE\n\t\t\t\tWScript.Echo Replace(strKeyValuePath,\"\\\",\"\\\\\") & \",,\" & arrValueNames(I) & \",\" & Replace(Replace(Replace(strKeyValueData,\"\\\",\"\\\\\"),\"\"\"\",\"\\\"\"\"),\",\",\"\\,\")\n\t\t\tEnd IF\n\t\tEnd IF\n Next\nEnd IF\n' ***********************************************\n' Enumerate 64 Bit Run keys\n' ***********************************************\nstrKeyPath = \"SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\"\nobjectReg.EnumValues HKEY_LOCAL_MACHINE, strKeyPath, arrValueNames\nIF IsArray(arrValueNames) Then \n\tFor I=0 To UBound(arrValueNames) \n\t\tstrKeyValuePath = \"HKEY_LOCAL_MACHINE\" & \"\\\" & strKeyPath & \"\\\" & arrValueNames(I)\n\t\tstrKeyValueData = objectShell.RegRead(\"HKEY_LOCAL_MACHINE\" & \"\\\" & strKeyPath & \"\\\" & arrValueNames(I))\t\n\t\tIF arrValueNames(I) <> \"\" Then\n\t\t\tIF dict.Exists(arrValueNames(I)) Then\n\t\t\tELSE\n\t\t\t\tWScript.Echo Replace(strKeyValuePath,\"\\\",\"\\\\\") & \",,\" & arrValueNames(I) & \",\" & Replace(Replace(Replace(strKeyValueData,\"\\\",\"\\\\\"),\"\"\"\",\"\\\"\"\"),\",\",\"\\,\")\n\t\t\tEnd IF\n\t\tEnd IF\n Next\nEnd IF\n' ***********************************************\n' Enumerate 64 Bit RunOnce keys\n' ***********************************************\nstrKeyPath = \"SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\"\nobjectReg.EnumValues HKEY_LOCAL_MACHINE, strKeyPath, arrValueNames\nIF IsArray(arrValueNames) Then \n\tFor I=0 To UBound(arrValueNames) \n\t\tstrKeyValuePath = \"HKEY_LOCAL_MACHINE\" & \"\\\" & strKeyPath & \"\\\" & arrValueNames(I)\n\t\tstrKeyValueData = objectShell.RegRead(\"HKEY_LOCAL_MACHINE\" & \"\\\" & strKeyPath & \"\\\" & arrValueNames(I))\t\n\t\tIF arrValueNames(I) <> \"\" Then\n\t\t\tIF dict.Exists(arrValueNames(I)) 
Then\n\t\t\tELSE\n\t\t\t\tWScript.Echo Replace(strKeyValuePath,\"\\\",\"\\\\\") & \",,\" & arrValueNames(I) & \",\" & Replace(Replace(Replace(strKeyValueData,\"\\\",\"\\\\\"),\"\"\"\",\"\\\"\"\"),\",\",\"\\,\")\n\t\t\tEnd IF\n\t\tEnd IF\n Next\nEnd IF\n' ***********************************************\n' Enumerate User Run Keys\n' ***********************************************\nstrKeyPath = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\"\nobjectReg.EnumKey HKEY_USERS, \"\", arrValueNames\nIF IsArray(arrValueNames) Then\n\tFor Each user in arrValueNames\n\t\tstrFullPath = user & \"\\\" & strKeyPath\n\t\tIF user <> \".DEFAULT\" Then\n\t\t\tobjectReg.EnumValues HKEY_USERS, strFullPath, arrValueNames2\n\t\t\tIF IsArray(arrValueNames2) Then\n\t\t\t\tFor I=0 To UBound(arrValueNames2)\n\t\t\t\t\tstrKeyValuePath = \"HKEY_USERS\" & \"\\\" & user & \"\\\" & strKeyPath & \"\\\" & arrValueNames2(I)\n\t\t\t\t\tstrKeyValueData = objectShell.RegRead(strKeyValuePath)\n\t\t\t\t\tIF arrValueNames2(I) <> \"\" Then\n\t\t\t\t\t\tIF dict.Exists(arrValueNames2(I)) Then\n\t\t\t\t\t\tELSE\n\t\t\t\t\t\t\tWScript.Echo Replace(strKeyValuePath,\"\\\",\"\\\\\") & \",\" & _\n\t\t\t\t\t\t\t(objWMIService.Get(\"Win32_SID.SID='\" & user & \"'\").AccountName) & \",\" & arrValueNames2(I) & \",\" & Replace(Replace(Replace(strKeyValueData,\"\\\",\"\\\\\"),\"\"\"\",\"\\\"\"\"),\",\",\"\\,\")\n\t\t\t\t\t\tEnd IF\n\t\t\t\t\tEnd IF\n\t\t\t\tNext\n\t\t\tEnd IF\n\t\tEnd IF\n\tNext\nEnd IF\n' ***********************************************\n' Enumerate User RunOnce Keys\n' ***********************************************\nstrKeyPath = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\"\nobjectReg.EnumKey HKEY_USERS, \"\", arrValueNames\nIF IsArray(arrValueNames) Then\n\tFor Each user in arrValueNames\n\t\tstrFullPath = user & \"\\\" & strKeyPath\n\t\tIF user <> \".DEFAULT\" Then\n\t\t\tobjectReg.EnumValues HKEY_USERS, strFullPath, arrValueNames2\n\t\t\tIF IsArray(arrValueNames2) Then\n\t\t\t\tFor 
I=0 To UBound(arrValueNames2)\n\t\t\t\t\tstrKeyValuePath = \"HKEY_USERS\" & \"\\\" & user & \"\\\" & strKeyPath & \"\\\" & arrValueNames2(I)\n\t\t\t\t\tstrKeyValueData = objectShell.RegRead(strKeyValuePath)\n\t\t\t\t\tIF arrValueNames2(I) <> \"\" Then\n\t\t\t\t\t\tIF dict.Exists(arrValueNames2(I)) Then\n\t\t\t\t\t\tELSE\n\t\t\t\t\t\t\tWScript.Echo Replace(strKeyValuePath,\"\\\",\"\\\\\") & \",\" & _\n\t\t\t\t\t\t\t(objWMIService.Get(\"Win32_SID.SID='\" & user & \"'\").AccountName) & \",\" & arrValueNames2(I) & \",\" & Replace(Replace(Replace(strKeyValueData,\"\\\",\"\\\\\"),\"\"\"\",\"\\\"\"\"),\",\",\"\\,\")\n\t\t\t\t\t\tEnd IF\n\t\t\t\t\tEnd IF\n\t\t\t\tNext\n\t\t\tEnd IF\n\t\tEnd IF\n\tNext\nEnd IF",
- "arguments" : null,
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "5b3fb07ce4b0cbe06dd672dd",
- "name" : "fullpath",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "5b3fb07ce4b0cbe06dd672de",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "5b3fb07ce4b0cbe06dd672df",
- "name" : "keypath",
- "type" : "REG_STR",
- "byDefault" : true,
- "sequence" : 3
- }, {
- "id" : "5b3fb07ce4b0cbe06dd672e0",
- "name" : "keyvalue",
- "type" : "REG_STR",
- "byDefault" : true,
- "sequence" : 4
- }, {
- "id" : "5b3fb07ce4b0cbe06dd672e1",
- "name" : "valuedata",
- "type" : "REG_STR",
- "byDefault" : true,
- "sequence" : 5
- }, {
- "id" : "5b3fb07ce4b0cbe06dd672e2",
- "name" : "valuetype",
- "type" : "REG_STR",
- "byDefault" : true,
- "sequence" : 6
- } ]
- }
- } ]
- } ]
- },
- "running" : false,
- "createdAt" : 1530900630432,
- "executedAt" : null,
- "status" : "CREATED",
- "ttl" : 60000,
- "startTime" : null,
- "endpointPermission" : null,
- "maGuidsTarget" : null,
- "expectedHostResponses" : 0
- },
- "type" : "com.intel.mar.model.search.Search"
- }, {
- "item" : {
- "catalogVersion" : 1,
- "dbVersion" : 2,
- "id" : "5b3fb096e4b0cbe06dd6732b",
- "name" : "Wireless LAN Information",
- "description" : "",
- "type" : null,
- "expression" : null,
- "temporal" : false,
- "invalid" : false,
- "aggregated" : false,
- "projections" : [ {
- "collector" : {
- "catalogVersion" : 1,
- "dbVersion" : 2,
- "id" : "5b3fb07ce4b0cbe06dd67301",
- "name" : "WLAN_Info",
- "description" : "Displays WLAN Connection Status",
- "type" : "CUSTOM",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e12",
- "name" : "Visual Basic Script",
- "description" : "Executes VBS script on target client",
- "module" : "SystemRuntime",
- "function" : "executeVBS",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "' Copyright (C) 2017 McAfee, Inc. All Rights Reserved.\n' Created by Nick Mauriello of McAfee Inc.\n' This script will display WLAN connection status\n'\nDim objShell, objRun, netshOut, individualLine, strSSID, strSignal, strDescription, strState, strBSSID\nSet objShell = CreateObject(\"WScript.Shell\")\n' ***********************************************\n' Find WLAN Connection Info\n' ***********************************************\nSet objRun = objShell.Exec(\"cmd /c netsh wlan show interfaces\") \nnetshOut = Split(objRun.StdOut.ReadAll, vbCrLf)\n\tFor Each individualLine in netshOut\n\t\tIF Not IsNull(individualLine) Then\n\t\t\tIF len(individualLine) > 1 Then\n\t\t\t\tIF inStr(1, individualLine, \" SSID\", 1) <> 0 Then\n\t\t\t\t\tstrSSID = Trim(Replace(Replace(individualLine,\" :\",\"\"),\"SSID\",\"\"))\n\t\t\t\tELSE\n\t\t\t\t\tIF inStr(1, individualLine, \"Signal\", 1) <> 0 Then\n\t\t\t\t\t\tstrSignal = Trim(Replace(Replace(individualLine,\" :\",\"\"),\"Signal\",\"\"))\n\t\t\t\t\tELSE\n\t\t\t\t\t\tIF inStr(1, individualLine, \"Description\", 1) <> 0 Then\n\t\t\t\t\t\tstrDescription = Trim(Replace(Replace(individualLine,\" :\",\"\"),\"Description\",\"\"))\n\t\t\t\t\t\tELSE\n\t\t\t\t\t\t\tIF inStr(1, individualLine, \"State\", 1) <> 0 Then\n\t\t\t\t\t\t\tstrState = Trim(Replace(Replace(individualLine,\" :\",\"\"),\"State\",\"\"))\n\t\t\t\t\t\t\tELSE\n\t\t\t\t\t\t\t\tIF inStr(1, individualLine, \"BSSID\", 1) <> 0 Then\n\t\t\t\t\t\t\t\tstrBSSID = Trim(Replace(Replace(individualLine,\" :\",\"\"),\"BSSID\",\"\"))\n\t\t\t\t\t\t\t\t ELSE\n\t\t\t\t\t\t\t \tIF inStr(1, individualLine, \"Authentication\", 1) <> 0 Then\n\t\t\t\t\t\t\t \tstrAuthentication = Trim(Replace(Replace(individualLine,\" :\",\"\"),\"BSSID\",\"\"))\n\t\t\t\t\t\t\t \tEnd IF\n\t\t\t\t\t\t\t\tEnd IF\n\t\t\t\t\t\t\tEnd IF\n\t\t\t\t\t\tEnd IF\n\t\t\t\t\tEnd IF\n\t\t\t\tEnd IF\n\t\t\tEnd IF\n\t\tEnd IF\n\tNext\nWscript.echo strSSID & \",\" & strSignal & \",\" & strDescription & \",\" & 
strState & \",\" & strBSSID & \",\" & strAuthentication\n' ***********************************************\n' End\n' ***********************************************\nWScript.Quit",
- "arguments" : null,
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e51",
- "name" : "NotAvailable",
- "description" : "Capability not available",
- "module" : "Internal",
- "function" : "GetFalseResult",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- } ],
- "platformSettings" : [ ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ ]
- },
- "content" : null,
- "arguments" : null,
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e51",
- "name" : "NotAvailable",
- "description" : "Capability not available",
- "module" : "Internal",
- "function" : "GetFalseResult",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- } ],
- "platformSettings" : [ ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ ]
- },
- "content" : null,
- "arguments" : null,
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "5b3fb07ce4b0cbe06dd672e8",
- "name" : "ssid",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "5b3fb07ce4b0cbe06dd672e9",
- "name" : "signal",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "5b3fb07ce4b0cbe06dd672ea",
- "name" : "description",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 3
- }, {
- "id" : "5b3fb07ce4b0cbe06dd672eb",
- "name" : "state",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 4
- }, {
- "id" : "5b3fb07ce4b0cbe06dd672ec",
- "name" : "bssid",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 5
- }, {
- "id" : "5b3fb07ce4b0cbe06dd672ed",
- "name" : "authentication",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 6
- } ]
- },
- "sequence" : "1",
- "output" : [ ]
- }, {
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8ec5",
- "name" : "HostInfo",
- "description" : "Shows Hostname, 1st IP Address, OS version and Connection Status",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e14",
- "name" : "Bash Script",
- "description" : "Executes Bash script on target client",
- "module" : "SystemRuntime",
- "function" : "executeBash",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "#!/bin/bash\n# Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\n#\n# Purpose: Shows information about host\n#\n# Version: 1\n\ngetOsRelease() {\n if [[ -x /usr/bin/lsb_release ]]; then\n lsb_release -sd\n elif [[ -r /etc/system-release ]]; then\n cat /etc/system-release\n else\n echo -e \"Unknown\"\n fi\n}\n\ngetHostName() {\n hostname -s\n}\n\ngetInterfacesInfoCommand() {\n current_os=$(getOsRelease)\n if [[ $current_os == \"Red Hat\"*\"7.\"* ]]; then\n echo -e \"ip addr show\"\n else\n echo -e \"ifconfig\"\n fi\n}\n\ngetInterfacesDir() {\n echo -e \"/sys/class/net\"\n}\n\nisInterfacePhysical() {\n interface_path=\"$1\"\n if [ -z \"$interface_path\" ]; then\n return 1\n fi\n\n real_location=$(readlink \"$interface_path\")\n if [[ \"$real_location\" =~ \"virtual\" ]]; then\n return 1\n else\n return 0\n fi\n}\n\nparsePrimaryIPInterface() {\n interface_name=\"$1\"\n if [ -z \"$interface_name\" ]; then\n return 1\n fi\n cmd=$(getInterfacesInfoCommand)\n eval \"$cmd $interface_name\" | grep -oE \"\\b([0-9]{1,3}\\.){3}[0-9]{1,3}\\b\" | grep -vE \"^2[2-5]\" | head -n 1\n}\n\ngetPrimaryIPHost() {\n interfaces_dir=$(getInterfacesDir)\n physical_interfaces=()\n\n shopt -s nullglob\n for interface in \"$interfaces_dir\"/*; do\n if isInterfacePhysical \"$interface\"; then\n current_interface=$(basename \"$interface\")\n physical_interfaces+=(\"$current_interface\")\n fi\n done\n shopt -u nullglob\n\n i=0\n for interface in \"${physical_interfaces[@]}\"; do\n ips[$i]=$(parsePrimaryIPInterface \"$interface\")\n ((i++))\n done\n\n if [ \"${#ips[@]}\" -ge 1 ]; then\n echo -e \"${ips[0]}\"\n fi\n}\n\n\ngetConnectionStatus() {\n echo \"Online\"\n}\n\ngetPlatform() {\n echo \"Linux\"\n}\n\nprocessHostInfo() {\n name=$(getHostName)\n os=$(getOsRelease)\n ipaddress=$(getPrimaryIPHost)\n connection_status=$(getConnectionStatus)\n platform=$(getPlatform)\n\n echo -e 
\"\\\"$name\\\",\\\"$ipaddress\\\",\\\"$os\\\",\\\"$connection_status\\\",\\\"$platform\\\"\"\n}\n\nmain() {\n if [ \"$1\" == \"--no-exec\" ]; then\n return 0\n fi\n\n processHostInfo\n}\n\nmain \"$@\"\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e12",
- "name" : "Visual Basic Script",
- "description" : "Executes VBS script on target client",
- "module" : "SystemRuntime",
- "function" : "executeVBS",
- "contentEnabled" : true,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : {
- "hasHeaders" : false,
- "delimiter" : ","
- },
- "format" : "CSV",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "CUSTOM",
- "catalogItems" : [ "COLLECTOR", "REACTION" ]
- },
- "content" : "' Copyright (C) 2017 McAfee, LLC, 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.mcafee.com\r\n\r\nstrComputer = \".\"\r\nFirstIP=\"\"\r\nCurrentMac=\"\"\r\nConnectionStatus = \"\"\r\nSet objWMIService=GetObject(\"winmgmts:\" & \"{impersonationLevel=impersonate}!\\\\\" & strComputer & \"\\root\\cimv2\")\r\n\r\nSet NetAdapters = objWMIService.ExecQuery(\"Select * From Win32_NetworkAdapter Where NOT PNPDeviceID LIKE 'ROOT\\\\%'\")\r\nFor Each NetAdapter in NetAdapters\r\n CurrentMac = NetAdapter.MACAddress\r\n Set IPConfigSet = objWMIService.ExecQuery(\"Select * from Win32_NetworkAdapterConfiguration Where IPEnabled=TRUE AND MacAddress = '\" & CurrentMac & \"'\")\r\n For Each IPConfig in IPConfigSet\r\n If Not IsNull(IPConfig.IPAddress) Then\r\n For i=LBound(IPConfig.IPAddress) to UBound(IPConfig.IPAddress)\r\n FirstIP=IPConfig.IPAddress(i)\r\n Exit For\r\n Next\r\n End If\r\n Next\r\nNext\r\n\r\nSet objNet = CreateObject(\"WScript.Network\")\r\nstrCompName = objNet.ComputerName\r\n\r\nSet shell = CreateObject(\"WScript.Shell\")\r\nSet getOSVersion = shell.exec(\"%comspec% /D /c ver\")\r\ngetOSVersion.stdout.readLine\r\nversion = getOSVersion.stdout.readLine\r\n\r\nFunction Registry_Read(Key_Path, Key_Name)\r\n On Error Resume Next\r\n Set Registry = CreateObject(\"WScript.Shell\")\r\n Registry_Read = Registry.RegRead(Key_Path & \"\\\" & Key_Name)\r\nEnd Function\r\n\r\nSet shell_arch = CreateObject(\"WScript.Shell\")\r\nIf shell_arch.ExpandEnvironmentStrings(\"%PROCESSOR_ARCHITECTURE%\") = \"AMD64\" then\r\n ConnectionStatus = Registry_Read(\"HKLM\\SOFTWARE\\WOW6432Node\\Network Associates\\ePolicy Orchestrator\\Application Plugins\\MAR_____1000\",\"connection_status\")\r\nElse\r\n ConnectionStatus = Registry_Read(\"HKLM\\SOFTWARE\\Network Associates\\ePolicy Orchestrator\\Application Plugins\\MAR_____1000\",\"connection_status\")\r\nEnd If\r\n\r\nIf ConnectionStatus = \"false\" then\r\n ConnectionStatus = 
\"Quarantined\"\r\nElse\r\n ConnectionStatus = \"Online\"\r\nEnd If\r\n\r\nplatform = \"Windows\"\r\n\r\nWScript.Echo strCompName & \",\" & FirstIP & \",\" & version & \",\" & ConnectionStatus & \",\" & platform\r\n",
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45cae4b0401274ab7183",
- "name" : "HostInfo SysInfo",
- "description" : "Shows Hostname, 1st IP Address and OS version",
- "module" : "SysInfo",
- "function" : "HostInfo",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8ec2",
- "name" : "hostname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8ec3",
- "name" : "ip_address",
- "type" : "IPV4IPV6",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8ec4",
- "name" : "os",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6346",
- "name" : "connection_status",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 4
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6347",
- "name" : "platform",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 5
- } ]
- },
- "sequence" : "2",
- "output" : [ {
- "id" : "58efec8ee4b0c390d69a8ec2",
- "name" : "hostname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1
- } ]
- } ],
- "disjunction" : null,
- "running" : false,
- "createdAt" : 1530900630436,
- "executedAt" : null,
- "status" : "CREATED",
- "ttl" : 60000,
- "startTime" : null,
- "endpointPermission" : null,
- "maGuidsTarget" : null,
- "expectedHostResponses" : 0
- },
- "type" : "com.intel.mar.model.search.Search"
- }, {
- "item" : {
- "catalogVersion" : 1,
- "dbVersion" : 2,
- "id" : "5b3fb096e4b0cbe06dd6732c",
- "name" : "investigation-exfil 22",
- "description" : "",
- "type" : null,
- "expression" : "Processes where Processes name contains \"pscp\"",
- "temporal" : false,
- "invalid" : false,
- "aggregated" : true,
- "projections" : [ {
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e79",
- "name" : "Processes",
- "description" : "Shows the running processes",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e10",
- "name" : "Running Processes",
- "description" : "Obtains the list of the running processes",
- "module" : "SystemInfo",
- "function" : "CollectProcess",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e10",
- "name" : "Running Processes",
- "description" : "Obtains the list of the running processes",
- "module" : "SystemInfo",
- "function" : "CollectProcess",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e10",
- "name" : "Running Processes",
- "description" : "Obtains the list of the running processes",
- "module" : "SystemInfo",
- "function" : "CollectProcess",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e6a",
- "name" : "name",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e6b",
- "name" : "id",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e6c",
- "name" : "threadcount",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e6d",
- "name" : "parentid",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e6e",
- "name" : "parentname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 999
- }, {
- "id" : "5a1a45cae4b0401274ab718e",
- "name" : "parentimagepath",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1000
- }, {
- "id" : "5a1a45cae4b0401274ab718f",
- "name" : "file_reputation",
- "type" : "REPUTATION",
- "byDefault" : false,
- "sequence" : 1001
- }, {
- "id" : "5b3f9b64e4b0dfaf321a630e",
- "name" : "process_reputation",
- "type" : "REPUTATION",
- "byDefault" : false,
- "sequence" : 1002
- }, {
- "id" : "5b3f9b64e4b0dfaf321a630f",
- "name" : "started_at",
- "type" : "DATE",
- "byDefault" : false,
- "sequence" : 1003
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6310",
- "name" : "content_size",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 1004
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6311",
- "name" : "content",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1005
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6312",
- "name" : "content_file",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1006
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6313",
- "name" : "execution_mode",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1007
- }, {
- "id" : "58efec8ee4b0c390d69a8e6f",
- "name" : "size",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e70",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e71",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e72",
- "name" : "cmdline",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8e73",
- "name" : "imagepath",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8e74",
- "name" : "kerneltime",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 10
- }, {
- "id" : "58efec8ee4b0c390d69a8e75",
- "name" : "usertime",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 11
- }, {
- "id" : "58efec8ee4b0c390d69a8e76",
- "name" : "uptime",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "58efec8ee4b0c390d69a8e77",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 13
- }, {
- "id" : "58efec8ee4b0c390d69a8e78",
- "name" : "user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 14
- }, {
- "id" : "5a1a45cae4b0401274ab7190",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 15
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6314",
- "name" : "normalized_cmdline",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1009
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6315",
- "name" : "parent_cmdline",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1010
- } ]
- },
- "sequence" : "1",
- "output" : [ ]
- } ],
- "disjunction" : {
- "conjunctions" : [ {
- "terms" : [ {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8e6a",
- "name" : "name",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 1
- },
- "operator" : "CONTAINS",
- "value" : "pscp",
- "negated" : false,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e79",
- "name" : "Processes",
- "description" : "Shows the running processes",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e10",
- "name" : "Running Processes",
- "description" : "Obtains the list of the running processes",
- "module" : "SystemInfo",
- "function" : "CollectProcess",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e10",
- "name" : "Running Processes",
- "description" : "Obtains the list of the running processes",
- "module" : "SystemInfo",
- "function" : "CollectProcess",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e10",
- "name" : "Running Processes",
- "description" : "Obtains the list of the running processes",
- "module" : "SystemInfo",
- "function" : "CollectProcess",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e6a",
- "name" : "name",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e6b",
- "name" : "id",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e6c",
- "name" : "threadcount",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e6d",
- "name" : "parentid",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e6e",
- "name" : "parentname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 999
- }, {
- "id" : "5a1a45cae4b0401274ab718e",
- "name" : "parentimagepath",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1000
- }, {
- "id" : "5a1a45cae4b0401274ab718f",
- "name" : "file_reputation",
- "type" : "REPUTATION",
- "byDefault" : false,
- "sequence" : 1001
- }, {
- "id" : "5b3f9b64e4b0dfaf321a630e",
- "name" : "process_reputation",
- "type" : "REPUTATION",
- "byDefault" : false,
- "sequence" : 1002
- }, {
- "id" : "5b3f9b64e4b0dfaf321a630f",
- "name" : "started_at",
- "type" : "DATE",
- "byDefault" : false,
- "sequence" : 1003
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6310",
- "name" : "content_size",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 1004
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6311",
- "name" : "content",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1005
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6312",
- "name" : "content_file",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1006
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6313",
- "name" : "execution_mode",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1007
- }, {
- "id" : "58efec8ee4b0c390d69a8e6f",
- "name" : "size",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e70",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e71",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e72",
- "name" : "cmdline",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8e73",
- "name" : "imagepath",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8e74",
- "name" : "kerneltime",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 10
- }, {
- "id" : "58efec8ee4b0c390d69a8e75",
- "name" : "usertime",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 11
- }, {
- "id" : "58efec8ee4b0c390d69a8e76",
- "name" : "uptime",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "58efec8ee4b0c390d69a8e77",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 13
- }, {
- "id" : "58efec8ee4b0c390d69a8e78",
- "name" : "user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 14
- }, {
- "id" : "5a1a45cae4b0401274ab7190",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 15
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6314",
- "name" : "normalized_cmdline",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1009
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6315",
- "name" : "parent_cmdline",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1010
- } ]
- }
- } ]
- } ]
- },
- "running" : false,
- "createdAt" : 1530900630439,
- "executedAt" : null,
- "status" : "CREATED",
- "ttl" : 60000,
- "startTime" : null,
- "endpointPermission" : null,
- "maGuidsTarget" : null,
- "expectedHostResponses" : 0
- },
- "type" : "com.intel.mar.model.search.Search"
- }, {
- "item" : {
- "catalogVersion" : 1,
- "dbVersion" : 2,
- "id" : "5b3fb096e4b0cbe06dd6732d",
- "name" : "multithread processes making outbound net connections",
- "description" : "",
- "type" : null,
- "expression" : "Processes name, cmdline where Processes threadcount greater than 5 and Files created_at not before \"2015-10-11\" and NetworkFlow dst_ip not equals 192.168.1.0/24",
- "temporal" : false,
- "invalid" : false,
- "aggregated" : true,
- "projections" : [ {
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e79",
- "name" : "Processes",
- "description" : "Shows the running processes",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e10",
- "name" : "Running Processes",
- "description" : "Obtains the list of the running processes",
- "module" : "SystemInfo",
- "function" : "CollectProcess",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e10",
- "name" : "Running Processes",
- "description" : "Obtains the list of the running processes",
- "module" : "SystemInfo",
- "function" : "CollectProcess",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e10",
- "name" : "Running Processes",
- "description" : "Obtains the list of the running processes",
- "module" : "SystemInfo",
- "function" : "CollectProcess",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e6a",
- "name" : "name",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e6b",
- "name" : "id",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e6c",
- "name" : "threadcount",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e6d",
- "name" : "parentid",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e6e",
- "name" : "parentname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 999
- }, {
- "id" : "5a1a45cae4b0401274ab718e",
- "name" : "parentimagepath",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1000
- }, {
- "id" : "5a1a45cae4b0401274ab718f",
- "name" : "file_reputation",
- "type" : "REPUTATION",
- "byDefault" : false,
- "sequence" : 1001
- }, {
- "id" : "5b3f9b64e4b0dfaf321a630e",
- "name" : "process_reputation",
- "type" : "REPUTATION",
- "byDefault" : false,
- "sequence" : 1002
- }, {
- "id" : "5b3f9b64e4b0dfaf321a630f",
- "name" : "started_at",
- "type" : "DATE",
- "byDefault" : false,
- "sequence" : 1003
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6310",
- "name" : "content_size",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 1004
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6311",
- "name" : "content",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1005
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6312",
- "name" : "content_file",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1006
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6313",
- "name" : "execution_mode",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1007
- }, {
- "id" : "58efec8ee4b0c390d69a8e6f",
- "name" : "size",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e70",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e71",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e72",
- "name" : "cmdline",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8e73",
- "name" : "imagepath",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8e74",
- "name" : "kerneltime",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 10
- }, {
- "id" : "58efec8ee4b0c390d69a8e75",
- "name" : "usertime",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 11
- }, {
- "id" : "58efec8ee4b0c390d69a8e76",
- "name" : "uptime",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "58efec8ee4b0c390d69a8e77",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 13
- }, {
- "id" : "58efec8ee4b0c390d69a8e78",
- "name" : "user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 14
- }, {
- "id" : "5a1a45cae4b0401274ab7190",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 15
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6314",
- "name" : "normalized_cmdline",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1009
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6315",
- "name" : "parent_cmdline",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1010
- } ]
- },
- "sequence" : "1",
- "output" : [ {
- "id" : "58efec8ee4b0c390d69a8e6a",
- "name" : "name",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e72",
- "name" : "cmdline",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- } ]
- } ],
- "disjunction" : {
- "conjunctions" : [ {
- "terms" : [ {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8e6c",
- "name" : "threadcount",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 3
- },
- "operator" : "GREATER_THAN",
- "value" : "5",
- "negated" : false,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e79",
- "name" : "Processes",
- "description" : "Shows the running processes",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e10",
- "name" : "Running Processes",
- "description" : "Obtains the list of the running processes",
- "module" : "SystemInfo",
- "function" : "CollectProcess",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e10",
- "name" : "Running Processes",
- "description" : "Obtains the list of the running processes",
- "module" : "SystemInfo",
- "function" : "CollectProcess",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e10",
- "name" : "Running Processes",
- "description" : "Obtains the list of the running processes",
- "module" : "SystemInfo",
- "function" : "CollectProcess",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e6a",
- "name" : "name",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e6b",
- "name" : "id",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e6c",
- "name" : "threadcount",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e6d",
- "name" : "parentid",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e6e",
- "name" : "parentname",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 999
- }, {
- "id" : "5a1a45cae4b0401274ab718e",
- "name" : "parentimagepath",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1000
- }, {
- "id" : "5a1a45cae4b0401274ab718f",
- "name" : "file_reputation",
- "type" : "REPUTATION",
- "byDefault" : false,
- "sequence" : 1001
- }, {
- "id" : "5b3f9b64e4b0dfaf321a630e",
- "name" : "process_reputation",
- "type" : "REPUTATION",
- "byDefault" : false,
- "sequence" : 1002
- }, {
- "id" : "5b3f9b64e4b0dfaf321a630f",
- "name" : "started_at",
- "type" : "DATE",
- "byDefault" : false,
- "sequence" : 1003
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6310",
- "name" : "content_size",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 1004
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6311",
- "name" : "content",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1005
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6312",
- "name" : "content_file",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1006
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6313",
- "name" : "execution_mode",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1007
- }, {
- "id" : "58efec8ee4b0c390d69a8e6f",
- "name" : "size",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e70",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e71",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e72",
- "name" : "cmdline",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8e73",
- "name" : "imagepath",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8e74",
- "name" : "kerneltime",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 10
- }, {
- "id" : "58efec8ee4b0c390d69a8e75",
- "name" : "usertime",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 11
- }, {
- "id" : "58efec8ee4b0c390d69a8e76",
- "name" : "uptime",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "58efec8ee4b0c390d69a8e77",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 13
- }, {
- "id" : "58efec8ee4b0c390d69a8e78",
- "name" : "user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 14
- }, {
- "id" : "5a1a45cae4b0401274ab7190",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 15
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6314",
- "name" : "normalized_cmdline",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1009
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6315",
- "name" : "parent_cmdline",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 1010
- } ]
- }
- }, {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8e82",
- "name" : "created_at",
- "type" : "DATE",
- "byDefault" : false,
- "sequence" : 9
- },
- "operator" : "BEFORE",
- "value" : "2015-10-11 00:00:00",
- "negated" : true,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e84",
- "name" : "Files",
- "description" : "Shows the existing files",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e15",
- "name" : "Files",
- "description" : "Gets the list of files",
- "module" : "FileHashing",
- "function" : "FindFiles",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e15",
- "name" : "Files",
- "description" : "Gets the list of files",
- "module" : "FileHashing",
- "function" : "FindFiles",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e15",
- "name" : "Files",
- "description" : "Gets the list of files",
- "module" : "FileHashing",
- "function" : "FindFiles",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e7a",
- "name" : "name",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e7b",
- "name" : "dir",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e7c",
- "name" : "full_name",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e7d",
- "name" : "size",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e7e",
- "name" : "last_write",
- "type" : "DATE",
- "byDefault" : false,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e7f",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e80",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e81",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8e82",
- "name" : "created_at",
- "type" : "DATE",
- "byDefault" : false,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8e83",
- "name" : "deleted_at",
- "type" : "DATE",
- "byDefault" : true,
- "sequence" : 10
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6333",
- "name" : "status",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 11
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6334",
- "name" : "create_process_pid",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6335",
- "name" : "create_process_sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 13
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6336",
- "name" : "create_process_full_path",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 14
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6337",
- "name" : "modify_process_pid",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 15
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6338",
- "name" : "modify_process_sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 16
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6339",
- "name" : "modify_process_full_path",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 17
- }, {
- "id" : "5b3f9b64e4b0dfaf321a633a",
- "name" : "delete_process_pid",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 18
- }, {
- "id" : "5b3f9b64e4b0dfaf321a633b",
- "name" : "delete_process_sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 19
- }, {
- "id" : "5b3f9b64e4b0dfaf321a633c",
- "name" : "delete_process_full_path",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 20
- }, {
- "id" : "5b3f9b64e4b0dfaf321a633d",
- "name" : "create_user_domain",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 21
- }, {
- "id" : "5b3f9b64e4b0dfaf321a633e",
- "name" : "create_user_name",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 22
- }, {
- "id" : "5b3f9b64e4b0dfaf321a633f",
- "name" : "create_user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 23
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6340",
- "name" : "modify_user_domain",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 24
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6341",
- "name" : "modify_user_name",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 25
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6342",
- "name" : "modify_user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 26
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6343",
- "name" : "delete_user_domain",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 27
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6344",
- "name" : "delete_user_name",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 28
- }, {
- "id" : "5b3f9b64e4b0dfaf321a6345",
- "name" : "delete_user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 29
- } ]
- }
- }, {
- "output" : {
- "id" : "58efec8ee4b0c390d69a8e89",
- "name" : "dst_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 5
- },
- "operator" : "EQUALS",
- "value" : "192.168.1.0/24",
- "negated" : true,
- "collector" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e97",
- "name" : "NetworkFlow",
- "description" : "Shows the network flow",
- "type" : "BUILTIN",
- "contents" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "capability" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e1f",
- "name" : "NetworkFlow",
- "description" : "Gets flow information",
- "module" : "NetworkFlow",
- "function" : "FindFlow",
- "contentEnabled" : false,
- "arguments" : [ ],
- "outputs" : [ ],
- "formatArgs" : { },
- "format" : "BIN",
- "platforms" : [ {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- }, {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- } ],
- "platformSettings" : [ {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0e",
- "name" : "windows",
- "topic" : "/mcafee/mar/agent/query/windows",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "58efec8ee4b0c390d69a8e0f",
- "name" : "linux",
- "topic" : "/mcafee/mar/agent/query/linux",
- "enabled" : true
- },
- "utf8Sensitive" : false
- }, {
- "platform" : {
- "catalogVersion" : 230233,
- "dbVersion" : 2,
- "id" : "5a1a45c9e4b0401274ab7141",
- "name" : "macos",
- "topic" : "/mcafee/mar/agent/query/macos",
- "enabled" : true
- },
- "utf8Sensitive" : false
- } ],
- "itemType" : "BUILTIN",
- "catalogItems" : [ "COLLECTOR" ]
- },
- "content" : null,
- "arguments" : [ ],
- "utf8Sensitive" : false
- } ],
- "timeout" : 60,
- "outputs" : [ {
- "id" : "58efec8ee4b0c390d69a8e85",
- "name" : "time",
- "type" : "DATE",
- "byDefault" : true,
- "sequence" : 1
- }, {
- "id" : "58efec8ee4b0c390d69a8e86",
- "name" : "direction",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 2
- }, {
- "id" : "58efec8ee4b0c390d69a8e87",
- "name" : "src_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 3
- }, {
- "id" : "58efec8ee4b0c390d69a8e88",
- "name" : "src_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 4
- }, {
- "id" : "58efec8ee4b0c390d69a8e89",
- "name" : "dst_ip",
- "type" : "IPV4IPV6",
- "byDefault" : true,
- "sequence" : 5
- }, {
- "id" : "58efec8ee4b0c390d69a8e8a",
- "name" : "dst_port",
- "type" : "NUMBER",
- "byDefault" : true,
- "sequence" : 6
- }, {
- "id" : "58efec8ee4b0c390d69a8e8b",
- "name" : "status",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 7
- }, {
- "id" : "58efec8ee4b0c390d69a8e8c",
- "name" : "proto",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 8
- }, {
- "id" : "58efec8ee4b0c390d69a8e8d",
- "name" : "ip_class",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 9
- }, {
- "id" : "58efec8ee4b0c390d69a8e8e",
- "name" : "seq_number",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 10
- }, {
- "id" : "58efec8ee4b0c390d69a8e8f",
- "name" : "src_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 11
- }, {
- "id" : "58efec8ee4b0c390d69a8e90",
- "name" : "dst_mac",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 12
- }, {
- "id" : "58efec8ee4b0c390d69a8e91",
- "name" : "process",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 13
- }, {
- "id" : "58efec8ee4b0c390d69a8e92",
- "name" : "process_id",
- "type" : "NUMBER",
- "byDefault" : false,
- "sequence" : 14
- }, {
- "id" : "58efec8ee4b0c390d69a8e93",
- "name" : "md5",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 15
- }, {
- "id" : "58efec8ee4b0c390d69a8e94",
- "name" : "sha1",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 16
- }, {
- "id" : "58efec8ee4b0c390d69a8e95",
- "name" : "user",
- "type" : "STRING",
- "byDefault" : true,
- "sequence" : 17
- }, {
- "id" : "58efec8ee4b0c390d69a8e96",
- "name" : "user_id",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 18
- }, {
- "id" : "5a1a45cbe4b0401274ab7191",
- "name" : "sha256",
- "type" : "STRING",
- "byDefault" : false,
- "sequence" : 19
- } ]
- }
- } ]
- } ]
- },
- "running" : false,
- "createdAt" : 1530900630445,
- "executedAt" : null,
- "status" : "CREATED",
- "ttl" : 60000,
- "startTime" : null,
- "endpointPermission" : null,
- "maGuidsTarget" : null,
- "expectedHostResponses" : 0
- },
- "type" : "com.intel.mar.model.search.Search"
- } ]