diff --git a/.github/workflows/generate-doc.yml b/.github/workflows/generate-doc.yml
new file mode 100644
index 0000000..9284f9d
--- /dev/null
+++ b/.github/workflows/generate-doc.yml
@@ -0,0 +1,20 @@
+name: Generate Readme Doc
+on:
+ workflow_dispatch:
+ push:
+ paths:
+ - '*.json'
+ - 'readme.html'
+ - 'manual_readme_content.md'
+ tags-ignore:
+ - '**'
+ branches-ignore:
+ - next
+ - main
+jobs:
+ generate-doc:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: 'phantomcyber/dev-cicd-tools/github-actions/generate-doc@main'
+ with:
+ GITHUB_TOKEN: ${{ secrets.SOAR_APPS_TOKEN }}
diff --git a/.github/workflows/review-release.yml b/.github/workflows/review-release.yml
new file mode 100644
index 0000000..6f3bf31
--- /dev/null
+++ b/.github/workflows/review-release.yml
@@ -0,0 +1,22 @@
+name: Review Release
+concurrency:
+ group: app-release
+ cancel-in-progress: true
+permissions:
+ contents: read
+ id-token: write
+ statuses: write
+on:
+ workflow_dispatch:
+ inputs:
+ task_token:
+ description: 'StepFunction task token'
+ required: true
+
+jobs:
+ review:
+ uses: 'phantomcyber/dev-cicd-tools/.github/workflows/review-release.yml@main'
+ with:
+ task_token: ${{ inputs.task_token }}
+ secrets:
+ resume_release_role_arn: ${{ secrets.RESUME_RELEASE_ROLE_ARN }}
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
deleted file mode 100644
index 23d31c5..0000000
--- a/.github/workflows/semgrep.yml
+++ /dev/null
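Review bot: The `uses:` line in generate-doc.yml references the mutable branch ref `@main`, so whatever lands on that branch next runs in this job with `secrets.SOAR_APPS_TOKEN` in hand; the reusable-workflow `uses:` in review-release.yml has the same shape. Pinning both to a full-length commit SHA, with the tag kept as a trailing comment, fixes the code that receives the token until someone deliberately bumps it, e.g. `- uses: phantomcyber/dev-cicd-tools/github-actions/generate-doc@<full-commit-sha>  # <tag>` (placeholder values). generate-doc.yml also declares no top-level `permissions:` block, unlike review-release.yml, so the job's built-in GITHUB_TOKEN receives the repository's default scope; since the step gets its credential from the `with:` input, the built-in token is presumably unused and `permissions: contents: read` at the top would make the reduced grant explicit. What the action actually needs from the PAT is not visible here, so a one-line comment above `GITHUB_TOKEN:` stating the scopes it must carry would help the next person rotating that secret.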
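Review bot: `cancel-in-progress: true` under the shared `app-release` group in review-release.yml means a second `workflow_dispatch` cancels a run that is still holding the earlier StepFunction `task_token`; if the cancelled run never reports back, the Step Functions task that issued that token presumably waits until its own timeout, so check whether queueing (`cancel-in-progress: false`) is the intended semantics for a release gate. The `task_token` input declares `required: true` but no `type:`; adding `type: string` documents the contract explicitly. A comment above `id-token: write` naming why OIDC is needed, e.g. `# OIDC token, presumably used by the called workflow to assume RESUME_RELEASE_ROLE_ARN`, would save the next reader a trip into the reusable workflow, which is not part of this change.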
@@ -1,28 +0,0 @@ -name: Semgrep -on: - pull_request_target: - branches: - - next - - main - push: - branches: - - next - - main -jobs: - semgrep: - runs-on: ubuntu-latest - steps: - - if: github.event_name == 'push' - run: | - echo "REPOSITORY=${{ github.repository }}" >> $GITHUB_ENV - echo "REF=${{ github.REF }}" >> $GITHUB_ENV - - if: github.event_name == 'pull_request_target' - run: | - echo "REPOSITORY=${{ github.event.pull_request.head.repo.full_name }}" >> $GITHUB_ENV - echo "REF=${{ github.event.pull_request.head.ref }}" >> $GITHUB_ENV - - uses: 'phantomcyber/dev-cicd-tools/github-actions/semgrep@main' - with: - SEMGREP_DEPLOYMENT_ID: ${{ secrets.SEMGREP_DEPLOYMENT_ID }} - SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} - REPOSITORY: ${{ github.repository }} - REF: ${{ github.ref }} diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 5934b2c..3a6e014 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,11 +1,11 @@ repos: - repo: https://github.com/phantomcyber/dev-cicd-tools - rev: v1.9 + rev: v1.16 hooks: - id: org-hook - id: package-app-dependencies - repo: https://github.com/Yelp/detect-secrets - rev: v1.1.0 + rev: v1.4.0 hooks: - id: detect-secrets args: ['--no-verify', '--exclude-files', '^winrm.json$'] diff --git a/LICENSE b/LICENSE index 6349266..f4b5039 100644 --- a/LICENSE +++ b/LICENSE @@ -186,7 +186,7 @@ same "printed page" as the copyright notice for easier identification within third-party archives. - Copyright (c) 2018-2022 Splunk Inc. + Copyright (c) 2018-2023 Splunk Inc. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/NOTICE b/NOTICE index 35cd7ea..7dcb1d0 100644 --- a/NOTICE +++ b/NOTICE @@ -1,5 +1,5 @@ Splunk SOAR Windows Remote Management -Copyright (c) 2018-2022 Splunk Inc. +Copyright (c) 2018-2023 Splunk Inc. Third-party Software Attributions: 
diff --git a/README.md b/README.md index eda3101..b84bcf4 100644 --- a/README.md +++ b/README.md @@ -2,17 +2,17 @@ # Windows Remote Management Publisher: Splunk -Connector Version: 2\.2\.4 +Connector Version: 2.2.6 Product Vendor: Microsoft Product Name: Windows Remote Management -Product Version Supported (regex): "\.\*" -Minimum Product Version: 5\.1\.0 +Product Version Supported (regex): ".\*" +Minimum Product Version: 6.1.1 This app integrates with the Windows Remote Management service to execute various actions [comment]: # "" [comment]: # " File: README.md" -[comment]: # " Copyright (c) 2018-2022 Splunk Inc." +[comment]: # " Copyright (c) 2018-2023 Splunk Inc." [comment]: # " " [comment]: # " Licensed under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.txt)" [comment]: # "" @@ -136,10 +136,10 @@ The below configuration variables are required for this Connector to operate. T VARIABLE | REQUIRED | TYPE | DESCRIPTION -------- | -------- | ---- | ----------- -**endpoint** | optional | string | IP/Hostname \(For TEST CONNECTIVITY and default, if not provided in an action\) -**verify\_server\_cert** | optional | boolean | Verify Server Certificate -**default\_protocol** | optional | string | Default protocol for actions -**default\_port** | optional | numeric | Default port for actions +**endpoint** | optional | string | IP/Hostname (For TEST CONNECTIVITY and default, if not provided in an action) +**verify_server_cert** | optional | boolean | Verify Server Certificate +**default_protocol** | optional | string | Default protocol for actions +**default_port** | optional | numeric | Default port for actions **domain** | optional | string | Domain **username** | required | string | Username **password** | required | password | Password 
@@ -188,7 +188,7 @@ Execute a command on the endpoint Type: **generic** Read only: **False** -Unless you implement a custom parser, this action will always succeed regardless of the input\. Either a command or pair of command\_id and shell\_id must be specified\. If a command\_id is present, all other parameters will be ignored\.

Note\: The command\_id and shell\_id you provide to fetch the output can only be used once because once the output is fetched successfully server will remove output from its cache\.

+Unless you implement a custom parser, this action will always succeed regardless of the input. Either a command or pair of command_id and shell_id must be specified. If a command_id is present, all other parameters will be ignored.

Note: The command_id and shell_id you provide to fetch the output can only be used once because once the output is fetched successfully server will remove output from its cache.

#### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS 
@@ -196,31 +196,31 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS **command** | optional | The command to be run | string | **arguments** | optional | The arguments for the command | string | **parser** | optional | The vault ID of a custom parser to use for output | string | `vault id` -**ip\_hostname** | optional | IP/Hostname | string | `ip` `host name` +**ip_hostname** | optional | IP/Hostname | string | `ip` `host name` **async** | optional | Start the command, but don't wait for output | boolean | -**command\_id** | optional | Command ID of async command \(Provide with shell\_id\) | string | `winrm command id` -**shell\_id** | optional | Shell ID of async command \(Provide with command\_id\) | string | `winrm shell id` +**command_id** | optional | Command ID of async command (Provide with shell_id) | string | `winrm command id` +**shell_id** | optional | Shell ID of async command (Provide with command_id) | string | `winrm shell id` #### Action Output -DATA PATH | TYPE | CONTAINS ---------- | ---- | -------- -action\_result\.parameter\.arguments | string | -action\_result\.parameter\.async | boolean | -action\_result\.parameter\.command | string | -action\_result\.parameter\.command\_id | string | `winrm command id` -action\_result\.parameter\.ip\_hostname | string | `ip` `host name` -action\_result\.parameter\.parser | string | `vault id` -action\_result\.parameter\.shell\_id | string | `winrm shell id` -action\_result\.data\.\*\.status\_code | numeric | -action\_result\.data\.\*\.std\_err | string | -action\_result\.data\.\*\.std\_out | string | -action\_result\.status | string | -action\_result\.message | string | -action\_result\.summary | string | -action\_result\.summary\.command\_id | string | `winrm command id` -action\_result\.summary\.shell\_id | string | `winrm shell id` -summary\.total\_objects | numeric | -summary\.total\_objects\_successful | numeric | +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | 
-------------- +action_result.parameter.arguments | string | | /all +action_result.parameter.async | boolean | | True False +action_result.parameter.command | string | | ipconfig +action_result.parameter.command_id | string | `winrm command id` | 1AAA1111-1A11-11A1-1111-1A1AAA1A11A1 +action_result.parameter.ip_hostname | string | `ip` `host name` | 8.8.8.8 8.8.8.8\\testphantom.local +action_result.parameter.parser | string | `vault id` | 8afa5c86de9ea94ecfe5b4c0837d2543d0b20b56 +action_result.parameter.shell_id | string | `winrm shell id` | 1AAA1111-1A11-11A1-1111-1A1AAA1A11A1 +action_result.data.\*.status_code | numeric | | 0 +action_result.data.\*.std_err | string | | Error message +action_result.data.\*.std_out | string | | Successful output +action_result.status | string | | success failed +action_result.message | string | | Successfully ran command +action_result.summary | string | | +action_result.summary.command_id | string | `winrm command id` | 1AAA1111-1A11-11A1-1111-1A1AAA1A11A1 +action_result.summary.shell_id | string | `winrm shell id` | 1AAA1111-1A11-11A1-1111-1A1AAA1A11A1 +summary.total_objects | numeric | | 1 +summary.total_objects_successful | numeric | | 1 ## action: 'run script' Run a PowerShell script on the endpoint @@ -228,39 +228,39 @@ Run a PowerShell script on the endpoint Type: **generic** Read only: **False** -The script you provide can either be in the vault, or it can just be a string of the script to run\. If both values are present, it will use the script\_file over the script\_str\. Unless you implement a custom parser, this action will always succeed regardless of the input\. If command\_id and shell\_id are present, script\_file and script\_str will be ignored\. This action will fail if at least one of script\_file, script\_str, or the pair of command\_id and shell\_id are not specified\.

Note\: The command\_id and shell\_id you provide to fetch the output can only be used once because once the output is fetched successfully server will remove output from its cache\.

+The script you provide can either be in the vault, or it can just be a string of the script to run. If both values are present, it will use the script_file over the script_str. Unless you implement a custom parser, this action will always succeed regardless of the input. If command_id and shell_id are present, script_file and script_str will be ignored. This action will fail if at least one of script_file, script_str, or the pair of command_id and shell_id are not specified.

Note: The command_id and shell_id you provide to fetch the output can only be used once because once the output is fetched successfully server will remove output from its cache.

#### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**script\_file** | optional | The vault ID of a PowerShell script to run | string | `vault id` -**script\_str** | optional | A PowerShell script to run | string | +**script_file** | optional | The vault ID of a PowerShell script to run | string | `vault id` +**script_str** | optional | A PowerShell script to run | string | **parser** | optional | The vault ID of a custom parser to use for output | string | `vault id` -**ip\_hostname** | optional | IP/Hostname | string | `ip` `host name` +**ip_hostname** | optional | IP/Hostname | string | `ip` `host name` **async** | optional | Start the command, but don't wait for output | boolean | -**command\_id** | optional | Command ID of async command \(Provide with shell\_id\) | string | `winrm command id` -**shell\_id** | optional | Shell ID of async command \(Provide with command\_id\) | string | `winrm shell id` +**command_id** | optional | Command ID of async command (Provide with shell_id) | string | `winrm command id` +**shell_id** | optional | Shell ID of async command (Provide with command_id) | string | `winrm shell id` #### Action Output -DATA PATH | TYPE | CONTAINS ---------- | ---- | -------- -action\_result\.parameter\.async | boolean | -action\_result\.parameter\.command\_id | string | `winrm command id` -action\_result\.parameter\.ip\_hostname | string | `ip` `host name` -action\_result\.parameter\.parser | string | `vault id` -action\_result\.parameter\.script\_file | string | `vault id` -action\_result\.parameter\.script\_str | string | -action\_result\.parameter\.shell\_id | string | `winrm shell id` -action\_result\.data\.\*\.status\_code | numeric | -action\_result\.data\.\*\.std\_err | string | -action\_result\.data\.\*\.std\_out | string | -action\_result\.status | string | -action\_result\.message | string | -action\_result\.summary | string | 
-action\_result\.summary\.command\_id | string | `winrm command id` -action\_result\.summary\.shell\_id | string | `winrm shell id` -summary\.total\_objects | numeric | -summary\.total\_objects\_successful | numeric | +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.parameter.async | boolean | | True False +action_result.parameter.command_id | string | `winrm command id` | 1AAA1111-1A11-11A1-1111-1A1AAA1A11A1 +action_result.parameter.ip_hostname | string | `ip` `host name` | 8.8.8.8 8.8.8.8\\testphantom.local +action_result.parameter.parser | string | `vault id` | 8afa5c86de9ea94ecfe5b4c0837d2543d0b20b56 +action_result.parameter.script_file | string | `vault id` | 8afa5c86de9ea94ecfe5b4c0837d2543d0b20b56 +action_result.parameter.script_str | string | | Write-Host Hello +action_result.parameter.shell_id | string | `winrm shell id` | 1AAA1111-1A11-11A1-1111-1A1AAA1A11A1 +action_result.data.\*.status_code | numeric | | 0 +action_result.data.\*.std_err | string | | Error message +action_result.data.\*.std_out | string | | Successful output +action_result.status | string | | success failed +action_result.message | string | | Successfully ran PowerShell script +action_result.summary | string | | +action_result.summary.command_id | string | `winrm command id` | 1AAA1111-1A11-11A1-1111-1A1AAA1A11A1 +action_result.summary.shell_id | string | `winrm shell id` | 1AAA1111-1A11-11A1-1111-1A1AAA1A11A1 +summary.total_objects | numeric | | 1 +summary.total_objects_successful | numeric | | 1 ## action: 'list processes' List the currently running processes 
@@ -271,27 +271,27 @@ Read only: **True** #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**ip\_hostname** | optional | IP/Hostname | string | `ip` `host name` +**ip_hostname** | optional | IP/Hostname | string | `ip` `host name` #### Action Output -DATA PATH | TYPE | CONTAINS ---------- | ---- | -------- -action\_result\.parameter\.ip\_hostname | string | `ip` `host name` -action\_result\.data\.\*\.handles | numeric | -action\_result\.data\.\*\.name | string | `process name` -action\_result\.data\.\*\.non\_paged\_memory | numeric | -action\_result\.data\.\*\.paged\_memory | numeric | -action\_result\.data\.\*\.pid | numeric | `pid` -action\_result\.data\.\*\.processor\_time\_\(s\) | numeric | -action\_result\.data\.\*\.virtual\_memory | numeric | -action\_result\.data\.\*\.working\_set | numeric | -action\_result\.data\.\*\.session\_id | numeric | -action\_result\.status | string | -action\_result\.message | string | -action\_result\.summary | string | -action\_result\.summary\.num\_processes | numeric | -summary\.total\_objects | numeric | -summary\.total\_objects\_successful | numeric | +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.parameter.ip_hostname | string | `ip` `host name` | 8.8.8.8 8.8.8.8\\testphantom.local +action_result.data.\*.handles | numeric | | 33 +action_result.data.\*.name | string | `process name` | cmd +action_result.data.\*.non_paged_memory | numeric | | 3 +action_result.data.\*.paged_memory | numeric | | 1564 +action_result.data.\*.pid | numeric | `pid` | 3108 +action_result.data.\*.processor_time_(s) | numeric | | 0.02 +action_result.data.\*.virtual_memory | numeric | | 14 +action_result.data.\*.working_set | numeric | | 2384 +action_result.data.\*.session_id | numeric | | +action_result.status | string | | success failed +action_result.message | string | | Successfully got process list 
+action_result.summary | string | | +action_result.summary.num_processes | numeric | | 451 +summary.total_objects | numeric | | 1 +summary.total_objects_successful | numeric | | 1 ## action: 'terminate process' Terminate a process @@ -304,20 +304,20 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- **pid** | optional | The PID of the process to terminate | numeric | `pid` **name** | optional | Name of program to terminate, accepts wildcards | string | `process name` -**ip\_hostname** | optional | IP/Hostname | string | `ip` `host name` +**ip_hostname** | optional | IP/Hostname | string | `ip` `host name` #### Action Output -DATA PATH | TYPE | CONTAINS ---------- | ---- | -------- -action\_result\.parameter\.ip\_hostname | string | `ip` `host name` -action\_result\.parameter\.name | string | `process name` -action\_result\.parameter\.pid | numeric | `pid` -action\_result\.data | string | -action\_result\.status | string | -action\_result\.message | string | -action\_result\.summary | string | -summary\.total\_objects | numeric | -summary\.total\_objects\_successful | numeric | +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.parameter.ip_hostname | string | `ip` `host name` | 8.8.8.8 8.8.8.8\\testphantom.local +action_result.parameter.name | string | `process name` | iexplore +action_result.parameter.pid | numeric | `pid` | 451 +action_result.data | string | | +action_result.status | string | | success failed +action_result.message | string | | Successfully terminated process +action_result.summary | string | | +summary.total_objects | numeric | | 1 +summary.total_objects_successful | numeric | | 1 ## action: 'list connections' List all active connections 
@@ -328,25 +328,25 @@ Read only: **True** #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**ip\_hostname** | optional | IP/Hostname | string | `ip` `host name` +**ip_hostname** | optional | IP/Hostname | string | `ip` `host name` #### Action Output -DATA PATH | TYPE | CONTAINS ---------- | ---- | -------- -action\_result\.parameter\.ip\_hostname | string | `ip` `host name` -action\_result\.data\.\*\.foreign\_address\_ip | string | `ip` -action\_result\.data\.\*\.foreign\_address\_port | string | `port` -action\_result\.data\.\*\.local\_address\_ip | string | `ip` -action\_result\.data\.\*\.local\_address\_port | string | `port` -action\_result\.data\.\*\.pid | numeric | `pid` -action\_result\.data\.\*\.protocol | string | -action\_result\.data\.\*\.state | string | -action\_result\.status | string | -action\_result\.message | string | -action\_result\.summary | string | -action\_result\.summary\.num\_connections | numeric | -summary\.total\_objects | numeric | -summary\.total\_objects\_successful | numeric | +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.parameter.ip_hostname | string | `ip` `host name` | 8.8.8.8 8.8.8.8\\testphantom.local +action_result.data.\*.foreign_address_ip | string | `ip` | 8.8.8.8 +action_result.data.\*.foreign_address_port | string | `port` | 11100 +action_result.data.\*.local_address_ip | string | `ip` | 8.8.8.8 +action_result.data.\*.local_address_port | string | `port` | 11100 +action_result.data.\*.pid | numeric | `pid` | 451 +action_result.data.\*.protocol | string | | TCP +action_result.data.\*.state | string | | ESTABLISHED +action_result.status | string | | success failed +action_result.message | string | | Successfully listed connections +action_result.summary | string | | +action_result.summary.num_connections | numeric | | 451 +summary.total_objects | numeric | | 1 
+summary.total_objects_successful | numeric | | 1 ## action: 'list firewall rules' List the firewall rules 
@@ -354,45 +354,45 @@ List the firewall rules Type: **investigate** Read only: **True** -When you are using the other parameter, you can match for any field which is returned in the action result\. It will only return a rule if it matches all of the criteria, not if it matches at least one\. +When you are using the other parameter, you can match for any field which is returned in the action result. It will only return a rule if it matches all of the criteria, not if it matches at least one. #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**filter\_port** | optional | Only show firewall rules acting on this port | string | `port` -**filter\_ip** | optional | Only show firewall rules acting on this ip | string | `ip` +**filter_port** | optional | Only show firewall rules acting on this port | string | `port` +**filter_ip** | optional | Only show firewall rules acting on this ip | string | `ip` **direction** | optional | Only show firewall rules in this direction | string | **protocol** | optional | Only show firewall rules using this protocol | string | `winrm protocol` **other** | optional | JSON object of key value pairs of other fields to match | string | -**ip\_hostname** | optional | IP/Hostname | string | `ip` `host name` +**ip_hostname** | optional | IP/Hostname | string | `ip` `host name` #### Action Output -DATA PATH | TYPE | CONTAINS ---------- | ---- | -------- -action\_result\.parameter\.direction | string | -action\_result\.parameter\.filter\_ip | string | `ip` -action\_result\.parameter\.filter\_port | string | `port` -action\_result\.parameter\.ip\_hostname | string | `ip` `host name` -action\_result\.parameter\.other | string | -action\_result\.parameter\.protocol | string | `winrm protocol` -action\_result\.data\.\*\.action | string | -action\_result\.data\.\*\.direction | string | -action\_result\.data\.\*\.edge\_traversal | string | -action\_result\.data\.\*\.enabled 
| string | -action\_result\.data\.\*\.grouping | string | -action\_result\.data\.\*\.local\_ip | string | `ip` -action\_result\.data\.\*\.local\_port | string | `port` -action\_result\.data\.\*\.profiles | string | -action\_result\.data\.\*\.protocol | string | `winrm protocol` -action\_result\.data\.\*\.remote\_ip | string | `ip` -action\_result\.data\.\*\.remote\_port | string | `port` -action\_result\.data\.\*\.rule\_name | string | `windows firewall rule name` -action\_result\.status | string | -action\_result\.message | string | -action\_result\.summary | string | -action\_result\.summary\.num\_rules | numeric | -summary\.total\_objects | numeric | -summary\.total\_objects\_successful | numeric | +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.parameter.direction | string | | in +action_result.parameter.filter_ip | string | `ip` | 8.8.8.8 +action_result.parameter.filter_port | string | `port` | 11100 +action_result.parameter.ip_hostname | string | `ip` `host name` | 8.8.8.8 8.8.8.8\\testphantom.local +action_result.parameter.other | string | | {"enabled": "yes"} +action_result.parameter.protocol | string | `winrm protocol` | tcp +action_result.data.\*.action | string | | allow +action_result.data.\*.direction | string | | in +action_result.data.\*.edge_traversal | string | | no +action_result.data.\*.enabled | string | | yes +action_result.data.\*.grouping | string | | windows remote management +action_result.data.\*.local_ip | string | `ip` | any +action_result.data.\*.local_port | string | `port` | 5985 +action_result.data.\*.profiles | string | | domain,private +action_result.data.\*.protocol | string | `winrm protocol` | tcp +action_result.data.\*.remote_ip | string | `ip` | any +action_result.data.\*.remote_port | string | `port` | any +action_result.data.\*.rule_name | string | `windows firewall rule name` | windows remote management (http-in) +action_result.status | string | | success failed 
+action_result.message | string | | Successfully retrieved firewall rules +action_result.summary | string | | +action_result.summary.num_rules | numeric | | 451 +summary.total_objects | numeric | | 1 +summary.total_objects_successful | numeric | | 1 ## action: 'delete firewall rule' Remove a firewall rule using netsh 
@@ -400,40 +400,40 @@ Remove a firewall rule using netsh Type: **generic** Read only: **False** -This action will invoke the command netsh advfirewall firewall delete rule, and the rest is determined by the input\. At a minimum, the rule name must be provided, but if you need to you can also specify any other arguments which the command accepts, in the same manner, that input from the add firewall rule gets added\. +This action will invoke the command netsh advfirewall firewall delete rule, and the rest is determined by the input. At a minimum, the rule name must be provided, but if you need to you can also specify any other arguments which the command accepts, in the same manner, that input from the add firewall rule gets added. #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- **name** | required | The name of the rule to remove | string | `windows firewall rule name` **dir** | optional | Blocks inbound or outbound traffic | string | -**remote\_ip** | optional | Firewall rule acts on this remote IP | string | `ip` -**local\_ip** | optional | Firewall rule acts on this local IP | string | `ip` -**remote\_port** | optional | Firewall rule acts on this remote port | string | `port` -**local\_port** | optional | Firewall rule acts on this local port | string | `port` +**remote_ip** | optional | Firewall rule acts on this remote IP | string | `ip` +**local_ip** | optional | Firewall rule acts on this local IP | string | `ip` +**remote_port** | optional | Firewall rule acts on this remote port | string | `port` +**local_port** | optional | Firewall rule acts on this local port | string | `port` **protocol** | optional | Firewall rule acts on this protocol | string | `winrm protocol` **other** | optional | JSON object of key value pairs for other parameters to include | string | -**ip\_hostname** | optional | IP/Hostname | string | `ip` `host name` +**ip_hostname** | optional | IP/Hostname | 
string | `ip` `host name` #### Action Output -DATA PATH | TYPE | CONTAINS ---------- | ---- | -------- -action\_result\.parameter\.dir | string | -action\_result\.parameter\.ip\_hostname | string | `ip` `host name` -action\_result\.parameter\.local\_ip | string | `ip` -action\_result\.parameter\.local\_port | string | `port` -action\_result\.parameter\.name | string | `windows firewall rule name` -action\_result\.parameter\.other | string | -action\_result\.parameter\.protocol | string | `winrm protocol` -action\_result\.parameter\.remote\_ip | string | `ip` -action\_result\.parameter\.remote\_port | string | `port` -action\_result\.data | string | -action\_result\.status | string | -action\_result\.message | string | -action\_result\.summary | string | -action\_result\.summary\.rules\_deleted | numeric | -summary\.total\_objects | numeric | -summary\.total\_objects\_successful | numeric | +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.parameter.dir | string | | in out +action_result.parameter.ip_hostname | string | `ip` `host name` | 8.8.8.8 8.8.8.8\\testphantom.local +action_result.parameter.local_ip | string | `ip` | 8.8.8.8 +action_result.parameter.local_port | string | `port` | 443 +action_result.parameter.name | string | `windows firewall rule name` | test rule +action_result.parameter.other | string | | {"profile": "domain"} +action_result.parameter.protocol | string | `winrm protocol` | any tcp +action_result.parameter.remote_ip | string | `ip` | 8.8.8.8 +action_result.parameter.remote_port | string | `port` | 443 +action_result.data | string | | +action_result.status | string | | success failed +action_result.message | string | | Successfully deleted firewall rules +action_result.summary | string | | +action_result.summary.rules_deleted | numeric | | 2 +summary.total_objects | numeric | | 1 +summary.total_objects_successful | numeric | | 1 ## action: 'block ip' Create a firewall rule to block a 
specified IP @@ -444,22 +444,22 @@ Read only: **False** #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**ip\_hostname** | optional | IP/Hostname | string | `ip` `host name` +**ip_hostname** | optional | IP/Hostname | string | `ip` `host name` **name** | required | The name of the rule to add | string | `windows firewall rule name` -**remote\_ip** | required | Block this IP | string | `ip` +**remote_ip** | required | Block this IP | string | `ip` #### Action Output -DATA PATH | TYPE | CONTAINS ---------- | ---- | -------- -action\_result\.parameter\.ip\_hostname | string | `ip` `host name` -action\_result\.parameter\.name | string | `windows firewall rule name` -action\_result\.parameter\.remote\_ip | string | `ip` -action\_result\.data | string | -action\_result\.status | string | -action\_result\.message | string | -action\_result\.summary | string | -summary\.total\_objects | numeric | -summary\.total\_objects\_successful | numeric | +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.parameter.ip_hostname | string | `ip` `host name` | 8.8.8.8 8.8.8.8\\testphantom.local +action_result.parameter.name | string | `windows firewall rule name` | test rule +action_result.parameter.remote_ip | string | `ip` | 8.8.8.8 +action_result.data | string | | +action_result.status | string | | success failed +action_result.message | string | | Successfully created firewall rule +action_result.summary | string | | +summary.total_objects | numeric | | 1 +summary.total_objects_successful | numeric | | 1 ## action: 'add firewall rule' Add a firewall rule using netsh 
@@ -467,7 +467,7 @@ Add a firewall rule using netsh Type: **generic** Read only: **False** -This action will invoke the command netsh advfirewall firewall add rule, where the rest is determined by the input\. Each key\-value pair from the other parameter will be added in the form of key=value\. The user input will be sanitized\. +This action will invoke the command netsh advfirewall firewall add rule, where the rest is determined by the input. Each key-value pair from the other parameter will be added in the form of key=value. The user input will be sanitized. #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS 
@@ -475,33 +475,33 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS **name** | required | The name of the rule to add | string | `windows firewall rule name` **dir** | required | Block inbound or outbound traffic | string | **action** | required | What the firewall will do with packets | string | -**remote\_ip** | optional | Firewall rule acts on this remote IP | string | `ip` -**local\_ip** | optional | Firewall rule acts on this local IP | string | `ip` -**remote\_port** | optional | Firewall rule acts on this remote port | string | `port` -**local\_port** | optional | Firewall rule acts on this local port | string | `port` +**remote_ip** | optional | Firewall rule acts on this remote IP | string | `ip` +**local_ip** | optional | Firewall rule acts on this local IP | string | `ip` +**remote_port** | optional | Firewall rule acts on this remote port | string | `port` +**local_port** | optional | Firewall rule acts on this local port | string | `port` **protocol** | optional | Firewall rule acts on this protocol | string | `winrm protocol` **other** | optional | JSON object of key value pairs for other parameters to include | string | -**ip\_hostname** | optional | IP/Hostname | string | `ip` `host name` +**ip_hostname** | optional | IP/Hostname | string | `ip` `host name` #### Action Output -DATA PATH | TYPE | CONTAINS ---------- | ---- | -------- -action\_result\.parameter\.action | string | -action\_result\.parameter\.dir | string | -action\_result\.parameter\.ip\_hostname | string | `ip` `host name` -action\_result\.parameter\.local\_ip | string | `ip` -action\_result\.parameter\.local\_port | string | `port` -action\_result\.parameter\.name | string | `windows firewall rule name` -action\_result\.parameter\.other | string | -action\_result\.parameter\.protocol | string | `winrm protocol` -action\_result\.parameter\.remote\_ip | string | `ip` -action\_result\.parameter\.remote\_port | string | `port` -action\_result\.data | string | 
-action\_result\.status | string | -action\_result\.message | string | -action\_result\.summary | string | -summary\.total\_objects | numeric | -summary\.total\_objects\_successful | numeric | +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.parameter.action | string | | block +action_result.parameter.dir | string | | in out +action_result.parameter.ip_hostname | string | `ip` `host name` | 8.8.8.8 8.8.8.8\\testphantom.local +action_result.parameter.local_ip | string | `ip` | 8.8.8.8 +action_result.parameter.local_port | string | `port` | 443 +action_result.parameter.name | string | `windows firewall rule name` | test rule +action_result.parameter.other | string | | {"profile": "domain"} +action_result.parameter.protocol | string | `winrm protocol` | any tcp +action_result.parameter.remote_ip | string | `ip` | 8.8.8.8 +action_result.parameter.remote_port | string | `port` | 443 +action_result.data | string | | +action_result.status | string | | success failed +action_result.message | string | | Successfully created firewall rule +action_result.summary | string | | +summary.total_objects | numeric | | 1 +summary.total_objects_successful | numeric | | 1 ## action: 'logoff user' Logoff a user 
@@ -512,20 +512,20 @@ Read only: **False** #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**ip\_hostname** | optional | IP/Hostname | string | `ip` `host name` -**session\_id** | required | Session ID | string | `windows session id` +**ip_hostname** | optional | IP/Hostname | string | `ip` `host name` +**session_id** | required | Session ID | string | `windows session id` #### Action Output -DATA PATH | TYPE | CONTAINS ---------- | ---- | -------- -action\_result\.parameter\.ip\_hostname | string | `ip` `host name` -action\_result\.parameter\.session\_id | string | `windows session id` -action\_result\.data | string | -action\_result\.status | string | -action\_result\.message | string | -action\_result\.summary | string | -summary\.total\_objects | numeric | -summary\.total\_objects\_successful | numeric | +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.parameter.ip_hostname | string | `ip` `host name` | 8.8.8.8 8.8.8.8\\testphantom.local +action_result.parameter.session_id | string | `windows session id` | 2 +action_result.data | string | | +action_result.status | string | | success failed +action_result.message | string | | Successfully logged off user +action_result.summary | string | | +summary.total_objects | numeric | | 1 +summary.total_objects_successful | numeric | | 1 ## action: 'list sessions' List all active sessions 
@@ -536,23 +536,23 @@ Read only: **True** #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**ip\_hostname** | optional | IP/Hostname | string | `ip` `host name` +**ip_hostname** | optional | IP/Hostname | string | `ip` `host name` #### Action Output -DATA PATH | TYPE | CONTAINS ---------- | ---- | -------- -action\_result\.parameter\.ip\_hostname | string | `ip` `host name` -action\_result\.data\.\*\.id | string | `windows session id` -action\_result\.data\.\*\.name | string | -action\_result\.data\.\*\.this | boolean | -action\_result\.data\.\*\.type | string | -action\_result\.data\.\*\.username | string | `user name` -action\_result\.status | string | -action\_result\.message | string | -action\_result\.summary | string | -action\_result\.summary\.num\_sessions | numeric | -summary\.total\_objects | numeric | -summary\.total\_objects\_successful | numeric | +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.parameter.ip_hostname | string | `ip` `host name` | 8.8.8.8 8.8.8.8\\testphantom.local +action_result.data.\*.id | string | `windows session id` | 0 +action_result.data.\*.name | string | | services +action_result.data.\*.this | boolean | | True False +action_result.data.\*.type | string | | +action_result.data.\*.username | string | `user name` | +action_result.status | string | | success failed +action_result.message | string | | Successfully listed all sessions +action_result.summary | string | | +action_result.summary.num_sessions | numeric | | 1 +summary.total_objects | numeric | | 1 +summary.total_objects_successful | numeric | | 1 ## action: 'deactivate partition' Deactivate a partition 
@@ -560,23 +560,23 @@ Deactivate a partition Type: **contain** Read only: **False** -Deactivates the system partitions of a machine, which disallows booting from said partition\. The subsequent boot of the machine results in using the next option specified in the BIOS to boot from\. Often used to netboot for remote reimaging\. +Deactivates the system partitions of a machine, which disallows booting from said partition. The subsequent boot of the machine results in using the next option specified in the BIOS to boot from. Often used to netboot for remote reimaging. #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**ip\_hostname** | optional | IP/Hostname | string | `ip` `host name` +**ip_hostname** | optional | IP/Hostname | string | `ip` `host name` #### Action Output -DATA PATH | TYPE | CONTAINS ---------- | ---- | -------- -action\_result\.parameter\.ip\_hostname | string | `ip` `host name` -action\_result\.data | string | -action\_result\.status | string | -action\_result\.message | string | -action\_result\.summary | string | -summary\.total\_objects | numeric | -summary\.total\_objects\_successful | numeric | +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.parameter.ip_hostname | string | `ip` `host name` | 8.8.8.8 8.8.8.8\\testphantom.local +action_result.data | string | | +action_result.status | string | | success failed +action_result.message | string | | Successfully deactivated partition +action_result.summary | string | | +summary.total_objects | numeric | | 1 +summary.total_objects_successful | numeric | | 1 ## action: 'activate partition' Activate a partition 
@@ -587,18 +587,18 @@ Read only: **False** #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**ip\_hostname** | optional | IP/Hostname | string | `ip` `host name` +**ip_hostname** | optional | IP/Hostname | string | `ip` `host name` #### Action Output -DATA PATH | TYPE | CONTAINS ---------- | ---- | -------- -action\_result\.parameter\.ip\_hostname | string | `ip` `host name` -action\_result\.data | string | -action\_result\.status | string | -action\_result\.message | string | -action\_result\.summary | string | -summary\.total\_objects | numeric | -summary\.total\_objects\_successful | numeric | +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.parameter.ip_hostname | string | `ip` `host name` | 8.8.8.8 8.8.8.8\\testphantom.local +action_result.data | string | | +action_result.status | string | | success failed +action_result.message | string | | Successfully activated partition +action_result.summary | string | | +summary.total_objects | numeric | | 1 +summary.total_objects_successful | numeric | | 1 ## action: 'shutdown system' Shutdown a system 
@@ -609,20 +609,20 @@ Read only: **False** #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**ip\_hostname** | optional | IP/Hostname | string | `ip` `host name` +**ip_hostname** | optional | IP/Hostname | string | `ip` `host name` **comment** | optional | Comment to show to users | string | #### Action Output -DATA PATH | TYPE | CONTAINS ---------- | ---- | -------- -action\_result\.parameter\.comment | string | -action\_result\.parameter\.ip\_hostname | string | `ip` `host name` -action\_result\.data | string | -action\_result\.status | string | -action\_result\.message | string | -action\_result\.summary | string | -summary\.total\_objects | numeric | -summary\.total\_objects\_successful | numeric | +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.parameter.comment | string | | Test shutdown +action_result.parameter.ip_hostname | string | `ip` `host name` | 8.8.8.8 8.8.8.8\\testphantom.local +action_result.data | string | | +action_result.status | string | | success failed +action_result.message | string | | Successfully initiated system shutdown +action_result.summary | string | | +summary.total_objects | numeric | | 1 +summary.total_objects_successful | numeric | | 1 ## action: 'restart system' Restart a system 
@@ -633,20 +633,20 @@ Read only: **False** #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**ip\_hostname** | optional | IP/Hostname | string | `ip` `host name` +**ip_hostname** | optional | IP/Hostname | string | `ip` `host name` **comment** | optional | Comment to show to users | string | #### Action Output -DATA PATH | TYPE | CONTAINS ---------- | ---- | -------- -action\_result\.parameter\.comment | string | -action\_result\.parameter\.ip\_hostname | string | `ip` `host name` -action\_result\.data | string | -action\_result\.status | string | -action\_result\.message | string | -action\_result\.summary | string | -summary\.total\_objects | numeric | -summary\.total\_objects\_successful | numeric | +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.parameter.comment | string | | Test restart +action_result.parameter.ip_hostname | string | `ip` `host name` | 8.8.8.8 8.8.8.8\\testphantom.local +action_result.data | string | | +action_result.status | string | | success failed +action_result.message | string | | Successfully initiated system restart +action_result.summary | string | | +summary.total_objects | numeric | | 1 +summary.total_objects_successful | numeric | | 1 ## action: 'list policies' List AppLocker Policies 
@@ -657,34 +657,34 @@ Read only: **True** #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**ip\_hostname** | optional | IP/Hostname | string | `ip` `host name` +**ip_hostname** | optional | IP/Hostname | string | `ip` `host name` **location** | required | Which policies to list | string | -**ldap** | optional | LDAP Server\. Will only have an effect if 'location' is set to 'domain' | string | +**ldap** | optional | LDAP Server. Will only have an effect if 'location' is set to 'domain' | string | #### Action Output -DATA PATH | TYPE | CONTAINS ---------- | ---- | -------- -action\_result\.parameter\.ip\_hostname | string | `ip` `host name` -action\_result\.parameter\.ldap | string | -action\_result\.parameter\.location | string | -action\_result\.data\.\*\.Conditions\.FilePublisherCondition\.\@BinaryName | string | -action\_result\.data\.\*\.Conditions\.FilePublisherCondition\.\@ProductName | string | -action\_result\.data\.\*\.Conditions\.FilePublisherCondition\.\@PublisherName | string | -action\_result\.data\.\*\.Conditions\.FilePublisherCondition\.BinaryVersionRange\.\@HighSection | string | -action\_result\.data\.\*\.Conditions\.FilePublisherCondition\.BinaryVersionRange\.\@LowSection | string | `ip` -action\_result\.data\.\*\.action | string | -action\_result\.data\.\*\.description | string | -action\_result\.data\.\*\.enforcement\_mode | string | -action\_result\.data\.\*\.file\_path\_condition | string | `file path` -action\_result\.data\.\*\.id | string | `windows applocker policy id` -action\_result\.data\.\*\.name | string | -action\_result\.data\.\*\.type | string | -action\_result\.data\.\*\.user\_or\_group\_sid | string | `winrm user or group sid` -action\_result\.status | string | -action\_result\.message | string | -action\_result\.summary | string | -summary\.total\_objects | numeric | -summary\.total\_objects\_successful | numeric | +DATA PATH | TYPE | CONTAINS | 
EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.parameter.ip_hostname | string | `ip` `host name` | 8.8.8.8 8.8.8.8\\testphantom.local +action_result.parameter.ldap | string | | LDAP://8.8.8.8/CN={31b2f340-016d-11d2-945f-00c04fb984f9},CN=Policies,CN=System,DC=domain,DC=local +action_result.parameter.location | string | | local +action_result.data.\*.Conditions.FilePublisherCondition.@BinaryName | string | | \* +action_result.data.\*.Conditions.FilePublisherCondition.@ProductName | string | | \* +action_result.data.\*.Conditions.FilePublisherCondition.@PublisherName | string | | \* +action_result.data.\*.Conditions.FilePublisherCondition.BinaryVersionRange.@HighSection | string | | \* +action_result.data.\*.Conditions.FilePublisherCondition.BinaryVersionRange.@LowSection | string | `ip` | 8.8.8.8 +action_result.data.\*.action | string | | Allow +action_result.data.\*.description | string | | Allows members of the Everyone group to run packaged apps that are signed. +action_result.data.\*.enforcement_mode | string | | NotConfigured +action_result.data.\*.file_path_condition | string | `file path` | %SYSTEM32%\\NOTEPAD.EXE +action_result.data.\*.id | string | `windows applocker policy id` | a9e18c21-ff8f-43cf-b9fc-db40eed693ba +action_result.data.\*.name | string | | (Default Rule) All signed packaged apps +action_result.data.\*.type | string | | Appx +action_result.data.\*.user_or_group_sid | string | `winrm user or group sid` | S-1-1-0 +action_result.status | string | | success failed +action_result.message | string | | Successfully listed AppLocker Policies +action_result.summary | string | | +summary.total_objects | numeric | | 1 +summary.total_objects_successful | numeric | | 1 ## action: 'block file path' Create a new AppLocker policy to block a file path 
@@ -692,33 +692,33 @@ Create a new AppLocker policy to block a file path Type: **generic** Read only: **False** -By default, this policy will apply to the "Everyone" group\. You can specify the user with either a variety of formats, which are documented here\. By specifying LDAP, it will apply that policy to that GPO, as opposed to just the local machine\. By default, Windows does not have the service required service running for AppLocker policies to be enforced\. The Application Identity service must be running for AppLocker to enforce its policies\. +By default, this policy will apply to the "Everyone" group. You can specify the user with either a variety of formats, which are documented here. By specifying LDAP, it will apply that policy to that GPO, as opposed to just the local machine. By default, Windows does not have the service required service running for AppLocker policies to be enforced. The Application Identity service must be running for AppLocker to enforce its policies. #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**ip\_hostname** | optional | IP/Hostname | string | `ip` `host name` -**deny\_allow** | required | Set this rule to allow or deny | string | -**file\_path** | required | File path to set rule to\. Allows wildcards \(i\.e\. C\:\\Windows\\System32\\\*\.exe\) | string | `file path` +**ip_hostname** | optional | IP/Hostname | string | `ip` `host name` +**deny_allow** | required | Set this rule to allow or deny | string | +**file_path** | required | File path to set rule to. Allows wildcards (i.e. 
C:\\Windows\\System32\\\*.exe) | string | `file path` **user** | optional | User or group to apply rule to | string | `winrm user or group sid` -**rule\_name\_prefix** | optional | Prefix for new rule name | string | +**rule_name_prefix** | optional | Prefix for new rule name | string | **ldap** | optional | LDAP Server | string | #### Action Output -DATA PATH | TYPE | CONTAINS ---------- | ---- | -------- -action\_result\.parameter\.deny\_allow | string | -action\_result\.parameter\.file\_path | string | `file path` -action\_result\.parameter\.ip\_hostname | string | `ip` `host name` -action\_result\.parameter\.ldap | string | -action\_result\.parameter\.rule\_name\_prefix | string | -action\_result\.parameter\.user | string | `winrm user or group sid` -action\_result\.data | string | -action\_result\.status | string | -action\_result\.message | string | -action\_result\.summary | string | -summary\.total\_objects | numeric | -summary\.total\_objects\_successful | numeric | +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.parameter.deny_allow | string | | allow deny +action_result.parameter.file_path | string | `file path` | C:\\Windows\\System32\\notepad.exe +action_result.parameter.ip_hostname | string | `ip` `host name` | 8.8.8.8 8.8.8.8\\testphantom.local +action_result.parameter.ldap | string | | LDAP://8.8.8.8/CN={31b2f340-016d-11d2-945f-00c04fb984f9},CN=Policies,CN=System,DC=domain,DC=local +action_result.parameter.rule_name_prefix | string | | test +action_result.parameter.user | string | `winrm user or group sid` | Administrator +action_result.data | string | | +action_result.status | string | | success failed +action_result.message | string | | Successfully created AppLocker policy +action_result.summary | string | | +summary.total_objects | numeric | | 1 +summary.total_objects_successful | numeric | | 1 ## action: 'delete policy' Delete an AppLocker policy 
@@ -729,22 +729,22 @@ Read only: **False** #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**ip\_hostname** | optional | IP/Hostname | string | `ip` `host name` -**applocker\_policy\_id** | required | ID of policy to delete | string | `windows applocker policy id` +**ip_hostname** | optional | IP/Hostname | string | `ip` `host name` +**applocker_policy_id** | required | ID of policy to delete | string | `windows applocker policy id` **ldap** | optional | LDAP Server | string | #### Action Output -DATA PATH | TYPE | CONTAINS ---------- | ---- | -------- -action\_result\.parameter\.applocker\_policy\_id | string | `windows applocker policy id` -action\_result\.parameter\.ip\_hostname | string | `ip` `host name` -action\_result\.parameter\.ldap | string | -action\_result\.data | string | -action\_result\.status | string | -action\_result\.message | string | -action\_result\.summary | string | -summary\.total\_objects | numeric | -summary\.total\_objects\_successful | numeric | +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.parameter.applocker_policy_id | string | `windows applocker policy id` | 084ab400-83b8-432d-8dc2-f180fbe301ca +action_result.parameter.ip_hostname | string | `ip` `host name` | 8.8.8.8 8.8.8.8\\testphantom.local +action_result.parameter.ldap | string | | LDAP://8.8.8.8/CN={31b2f340-016d-11d2-945f-00c04fb984f9},CN=Policies,CN=System,DC=domain,DC=local +action_result.data | string | | +action_result.status | string | | success failed +action_result.message | string | | Successfully deleted AppLocker Policy +action_result.summary | string | | +summary.total_objects | numeric | | 1 +summary.total_objects_successful | numeric | | 1 ## action: 'get file' Copy a file from the Windows Endpoint to the Vault 
@@ -755,21 +755,21 @@ Read only: **True** #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**ip\_hostname** | optional | IP/Hostname | string | `ip` `host name` -**file\_path** | required | Path to file | string | `file path` +**ip_hostname** | optional | IP/Hostname | string | `ip` `host name` +**file_path** | required | Path to file | string | `file path` #### Action Output -DATA PATH | TYPE | CONTAINS ---------- | ---- | -------- -action\_result\.parameter\.file\_path | string | `file path` -action\_result\.parameter\.ip\_hostname | string | `ip` `host name` -action\_result\.data | string | -action\_result\.status | string | -action\_result\.message | string | -action\_result\.summary | string | -action\_result\.summary\.vault\_id | string | `sha1` `vault id` -summary\.total\_objects | numeric | -summary\.total\_objects\_successful | numeric | +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.parameter.file_path | string | `file path` | C:\\Users\\administrator.CORP\\logo.jpg C:\\Users\\Administrator\\Desktop\\c.txt +action_result.parameter.ip_hostname | string | `ip` `host name` | 8.8.8.8 8.8.8.8\\testphantom.local +action_result.data | string | | +action_result.status | string | | success failed +action_result.message | string | | Successfully retrieved file and added it to the Vault +action_result.summary | string | | +action_result.summary.vault_id | string | `sha1` `vault id` | 8afa5c86de9ea94ecfe5b4c0837d2543d0b20b56 +summary.total_objects | numeric | | 1 +summary.total_objects_successful | numeric | | 1 ## action: 'upload file' Copy a file from the vault to the Windows Endpoint 
@@ -780,22 +780,22 @@ Read only: **False** #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**ip\_hostname** | optional | IP/Hostname | string | `ip` `host name` -**vault\_id** | required | Vault ID of file | string | `vault id` +**ip_hostname** | optional | IP/Hostname | string | `ip` `host name` +**vault_id** | required | Vault ID of file | string | `vault id` **destination** | required | Path to copy file to | string | `file path` #### Action Output -DATA PATH | TYPE | CONTAINS ---------- | ---- | -------- -action\_result\.parameter\.destination | string | `file path` -action\_result\.parameter\.ip\_hostname | string | `ip` `host name` -action\_result\.parameter\.vault\_id | string | `vault id` -action\_result\.data | string | -action\_result\.status | string | -action\_result\.message | string | -action\_result\.summary | string | -summary\.total\_objects | numeric | -summary\.total\_objects\_successful | numeric | +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.parameter.destination | string | `file path` | C:\\Users\\administrator.CORP\\Desktop\\aasdf.txt +action_result.parameter.ip_hostname | string | `ip` `host name` | 8.8.8.8 8.8.8.8\\testphantom.local +action_result.parameter.vault_id | string | `vault id` | 8afa5c86de9ea94ecfe5b4c0837d2543d0b20b56 +action_result.data | string | | +action_result.status | string | | success failed +action_result.message | string | | Successfully sent file +action_result.summary | string | | +summary.total_objects | numeric | | 1 +summary.total_objects_successful | numeric | | 1 ## action: 'copy file' Run the copy command on the Windows Endpoint 
@@ -803,27 +803,27 @@ Run the copy command on the Windows Endpoint Type: **generic** Read only: **False** -For best results, both the from and to parameters should be absolute paths to their respective locations\. +For best results, both the from and to parameters should be absolute paths to their respective locations. #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**ip\_hostname** | optional | IP/Hostname | string | `ip` `host name` -**from** | required | File source \(path\) | string | `file path` -**to** | required | File destination \(path\) | string | `file path` +**ip_hostname** | optional | IP/Hostname | string | `ip` `host name` +**from** | required | File source (path) | string | `file path` +**to** | required | File destination (path) | string | `file path` #### Action Output -DATA PATH | TYPE | CONTAINS ---------- | ---- | -------- -action\_result\.parameter\.from | string | `file path` -action\_result\.parameter\.ip\_hostname | string | `ip` `host name` -action\_result\.parameter\.to | string | `file path` -action\_result\.data | string | -action\_result\.status | string | -action\_result\.message | string | -action\_result\.summary | string | -summary\.total\_objects | numeric | -summary\.total\_objects\_successful | numeric | +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.parameter.from | string | `file path` | C:\\Windows\\System32\\notepad.exe +action_result.parameter.ip_hostname | string | `ip` `host name` | 8.8.8.8 8.8.8.8\\testphantom.local +action_result.parameter.to | string | `file path` | C:\\Windows\\System32\\notepad_copy.exe +action_result.data | string | | +action_result.status | string | | success failed +action_result.message | string | | Successfully copied files +action_result.summary | string | | +summary.total_objects | numeric | | 1 +summary.total_objects_successful | numeric | | 1 ## 
action: 'delete file' Run the delete command on the Windows Endpoint @@ -831,24 +831,24 @@ Run the delete command on the Windows Endpoint Type: **generic** Read only: **False** -For best results, the file path parameter should be an absolute path to a location\. +For best results, the file path parameter should be an absolute path to a location. #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**ip\_hostname** | optional | IP/Hostname | string | `ip` `host name` -**file\_path** | required | Path to file | string | `file path` +**ip_hostname** | optional | IP/Hostname | string | `ip` `host name` +**file_path** | required | Path to file | string | `file path` **force** | optional | Use the force flag for delete | boolean | #### Action Output -DATA PATH | TYPE | CONTAINS ---------- | ---- | -------- -action\_result\.parameter\.file\_path | string | `file path` -action\_result\.parameter\.force | boolean | -action\_result\.parameter\.ip\_hostname | string | `ip` `host name` -action\_result\.data | string | -action\_result\.status | string | -action\_result\.message | string | -action\_result\.summary | string | -summary\.total\_objects | numeric | -summary\.total\_objects\_successful | numeric | \ No newline at end of file +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.parameter.file_path | string | `file path` | C:\\Windows\\System32\\notepad.exe +action_result.parameter.force | boolean | | True False +action_result.parameter.ip_hostname | string | `ip` `host name` | 8.8.8.8 8.8.8.8\\testphantom.local +action_result.data | string | | +action_result.status | string | | success failed +action_result.message | string | | Successfully deleted files +action_result.summary | string | | +summary.total_objects | numeric | | 1 +summary.total_objects_successful | numeric | | 1 \ No newline at end of file 
diff --git a/__init__.py b/__init__.py index 3981118..f8b589a 100644 --- a/__init__.py +++ b/__init__.py @@ -1,6 +1,6 @@ # File: __init__.py # -# Copyright (c) 2018-2022 Splunk Inc. +# Copyright (c) 2018-2023 Splunk Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/manual_readme_content.md b/manual_readme_content.md new file mode 100644 index 0000000..b3179e7 --- /dev/null +++ b/manual_readme_content.md 
@@ -0,0 +1,119 @@ +[comment]: # "" +[comment]: # " File: README.md" +[comment]: # " Copyright (c) 2018-2023 Splunk Inc." +[comment]: # " " +[comment]: # " Licensed under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.txt)" +[comment]: # "" +[comment]: # "" +Without additional configuration on the proxy server, it will not be possible to connect to WinRM +using NTLM authentication through an HTTP(S) proxy. If authentication is set to basic, then it will +still work, however. + +To use the proxy settings you need to add the proxy server as an environment variable. You can add +an environment variable using the below command. + +- For Linux/Mac: ` export HTTP_PROXY="http://:/" ` +- For Windows powershell: ` $env:HTTP_PROXY="http://:/" ` + +If the user tries to add any invalid proxy URL, the proxy will be bypassed and won't affect the +app's connectivity. + +To use this app you must have the Windows Remote Management service running on the endpoint you wish +to connect to. For help regarding this process, consult this link: + + +WinRM Ports Requirements (Based on Standard Guidelines of [IANA +ORG](https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml) ) + +- WinRM(service) TCP(transport layer protocol) port for Windows Remote Management Service - 47001 + +The protocol and port can be specified with the IP/hostname. For example, if using HTTPS on port +5986, the IP/Hostname should be **https://192.168.10.21:5986** . + +In the configuration options for the asset, a default protocol and port for actions can be +specified. These options will be prepended or appended to the IP/hostname provided for all actions +including **test connectivity** . If a different protocol or port number is specified in the +IP/hostname field, the corresponding default will be ignored. + +This app supports adding a custom parser for the actions **run script** and **run command** . 
By +default, the output of these actions will just be the status code, standard out, and standard error +of whatever gets ran. If you want to capture a specific string or fail on a certain status code, you +will need to provide a custom parser. + +The custom parser should be a file added to the vault containing a function named **custom_parser** +. + +``` shell + + import phantom.app as phantom + + + def custom_parser(action_result, response): + # type: (ActionResult, winrm.Response) -> bool + data = {} + data['status_code'] = response.status_code + data['std_out'] = response.std_out + data['std_err'] = response.std_err + + action_result.add_data(data) + return phantom.APP_SUCCESS + + +``` + +This is equivalent to the default parser which is used if nothing is provided. It takes in an +ActionResult and a Response object (from the pywinrm module), and it is expected to return a boolean +value (phantom.APP_SUCCESS and phantom.APP_ERROR are equivalent to True and False). + +Here is an example of a parser that will extract all the IPs from the output, and fail if there is a +non-zero status code. 
+ +``` shell + + import re + import phantom.app as phantom + from phantom import utils as ph_utils + + + def custom_parser(action_result, response): + # type: (ActionResult, winrm.Response) -> bool + data = {} + data['status_code'] = response.status_code + data['std_out'] = response.std_out + data['std_err'] = response.std_err + + if data['status_code'] != 0: + # This will be the message displayed + action_result.add_data(data) + return action_result.set_status( + phantom.APP_ERROR, "Error: Returned a non-zero status code" + ) + + # This can still return values like 999.999.999.999 + ips = re.findall(r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}', data['std_out']) + # Get only valid IPs + filtered_ips = [] + for ip in ips: + if ph_utils.is_ip(ip): + filtered_ips.append(ip) + + data['ips'] = filtered_ips + + action_result.add_data(data) + return phantom.APP_SUCCESS + + +``` + +As a final thing to consider, the playbook editor will not be aware of any custom data paths which +your parser introduces. Using the above example, if you wanted to use the list of ips in a playbook, +you would need to type in the correct datapath manually (action_result.data.\*.ips). + +For more information on datapaths and the ActionResult object, refer to the Phantom App Developer +Guide. + +Both the **run script** and **run command** actions also support running commands asynchronously. By +default, the app will wait for these actions to finish. In the case of starting a long-running job +or some other command which you want to start but don't care for the output, then you can check the +**async** parameter. After the command starts, it will return a **command_id** and **shell_id** , +which you can optionally use to retrieve the output of that command at a later time. diff --git a/parse_callbacks.py b/parse_callbacks.py index 511a064..d4cec5b 100644 --- a/parse_callbacks.py +++ b/parse_callbacks.py 
@@ -1,6 +1,6 @@ # File: parse_callbacks.py # -# Copyright (c) 2018-2022 Splunk Inc. +# Copyright (c) 2018-2023 Splunk Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,7 +19,6 @@ # in any specific manner import base64 import json -import tempfile from builtins import str from collections import OrderedDict @@ -296,11 +295,11 @@ def list_firewall_rules(action_result, response, **kwargs): def create_firewall_rule(action_result, response): if response.status_code: try: - msg = response.std_out.splitlines()[1] + message = response.std_out.splitlines()[1] except: - msg = response.std_out + message = response.std_out return action_result.set_status( - phantom.APP_ERROR, "Error running command: {}".format(msg) + phantom.APP_ERROR, "Error running command: {}".format(message) ) return phantom.APP_SUCCESS @@ -453,13 +452,7 @@ def decodeb64_add_to_vault(action_result, response, container_id, file_name): b64string = response.std_out try: - if hasattr(Vault, 'create_attachment'): - resp = Vault.create_attachment(base64.b64decode(b64string), container_id, file_name=file_name) - else: - tmp_file = tempfile.NamedTemporaryFile(mode='wb', delete=False, dir='/opt/phantom/vault/tmp') - tmp_file.write(base64.b64decode(b64string)) - tmp_file.close() - resp = Vault.add_attachment(tmp_file.name, container_id, file_name=file_name) + resp = Vault.create_attachment(base64.b64decode(b64string), container_id, file_name=file_name) except Exception as e: return action_result.set_status( phantom.APP_ERROR, "Error adding file to vault", e diff --git a/readme.html b/readme.html deleted file mode 100644 index af1eb6c..0000000 --- a/readme.html +++ /dev/null @@ -1,127 +0,0 @@ - - - - -
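Review bot: The collapsed `resp = Vault.create_attachment(base64.b64decode(b64string), container_id, file_name=file_name)` still decodes `response.std_out` without validation, so any non-base64 text mixed into the command output (a warning line, a stray prompt) is silently discarded by `b64decode` and a truncated or corrupted file is stored in the vault as a success. Passing `validate=True`, `base64.b64decode(b64string, validate=True)`, makes that case raise `binascii.Error`, which the existing `except Exception` branch already converts into an error status. Because `validate=True` also rejects whitespace, trim the output first, `b64string = response.std_out.strip()`, if `std_out` can carry a trailing newline (whether it is str or bytes is not visible in the hunk). decodeb64_add_to_vault's tail lies outside the hunk.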

- Without additional configuration on the proxy server, it will not be possible to connect to WinRM using NTLM authentication through an HTTP(S) proxy. - If authentication is set to basic, then it will still work, however. -

-

- To use the proxy settings you need to add the proxy server as an environment variable. You can add an environment variable using the below command. -

    -
  • For Linux/Mac: export HTTP_PROXY="http://<proxy server>:<proxy port>/"
  • -
  • For Windows powershell: $env:HTTP_PROXY="http://<proxy server>:<proxy port>/"
  • -
- If the user tries to add any invalid proxy URL, the proxy will be bypassed and won't affect the app's connectivity. -

-

- To use this app you must have the Windows Remote Management service running on the endpoint you wish to connect to. - For help regarding this process, consult this link: https://msdn.microsoft.com/en-us/library/aa384372(v=vs.85).aspx -

-

- WinRM Ports Requirements (Based on Standard Guidelines of IANA ORG) -

    -
  • WinRM(service) TCP(transport layer protocol) port for Windows Remote Management Service - 47001
  • -
-

-

- The protocol and port can be specified with the IP/hostname. For example, if using HTTPS on port 5986, the IP/Hostname should be https://192.168.10.21:5986. -

-

- In the configuration options for the asset, a default protocol and port for actions can be specified. - These options will be prepended or appended to the IP/hostname provided for all actions including test connectivity. - If a different protocol or port number is specified in the IP/hostname field, the corresponding default will be ignored. -

-

- This app supports adding a custom parser for the actions run script and run command. - By default, the output of these actions will just be the status code, standard out, and standard error of - whatever gets ran. If you want to capture a specific string or fail on a certain status code, you will need - to provide a custom parser. -

-

- The custom parser should be a file added to the vault containing a function named custom_parser. -

-
-        
-        import phantom.app as phantom
-
-
-        def custom_parser(action_result, response):
-            # type: (ActionResult, winrm.Response) -> bool
-            data = {}
-            data['status_code'] = response.status_code
-            data['std_out'] = response.std_out
-            data['std_err'] = response.std_err
-
-            action_result.add_data(data)
-            return phantom.APP_SUCCESS
-        
-        
-

- This is equivalent to the default parser which is used if nothing is provided. It takes in an ActionResult and - a Response object (from the pywinrm module), and it is expected to return a boolean value - (phantom.APP_SUCCESS and phantom.APP_ERROR are equivalent to True and False). -

-

- Here is an example of a parser that will extract all the IPs from the output, and fail if there - is a non-zero status code. -

-
-        
-        import re
-        import phantom.app as phantom
-        from phantom import utils as ph_utils
-
-
-        def custom_parser(action_result, response):
-            # type: (ActionResult, winrm.Response) -> bool
-            data = {}
-            data['status_code'] = response.status_code
-            data['std_out'] = response.std_out
-            data['std_err'] = response.std_err
-
-            if data['status_code'] != 0:
-                # This will be the message displayed
-                action_result.add_data(data)
-                return action_result.set_status(
-                    phantom.APP_ERROR, "Error: Returned a non-zero status code"
-                )
-
-            # This can still return values like 999.999.999.999
-            ips = re.findall(r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}', data['std_out'])
-            # Get only valid IPs
-            filtered_ips = []
-            for ip in ips:
-                if ph_utils.is_ip(ip):
-                    filtered_ips.append(ip)
-
-            data['ips'] = filtered_ips
-
-            action_result.add_data(data)
-            return phantom.APP_SUCCESS
-        
-        
-

- As a final thing to consider, the playbook editor will not be aware of any custom data paths - which your parser introduces. - Using the above example, if you wanted to use the list of ips in a playbook, you would need to type in the correct - datapath manually (action_result.data.*.ips). -

-

- For more information on datapaths and the ActionResult object, refer to the Phantom App Developer Guide. -

-

- Both the run script and run command actions also support running commands asynchronously. - By default, the app will wait for these actions to finish. In the case of starting a long-running job - or some other command which you want to start but don't care for the output, then you can check the async parameter. - After the command starts, it will return a command_id and shell_id, which you can optionally use to retrieve the - output of that command at a later time. -

- - diff --git a/release_notes/2.2.6.md b/release_notes/2.2.6.md new file mode 100644 index 0000000..978a1a9 --- /dev/null +++ b/release_notes/2.2.6.md @@ -0,0 +1,5 @@ +* Use the Vault API to create temporary files, instead of manual filesystem access [PAPP-32449] +* Update `min_phantom_version` to 6.1.1 +* Remove `requests` dependency, using the one built into the platform instead +* Suppress "progress" output from PowerShell, preventing actions from wrongly being marked as failed +* Improve Unicode parsing to prevent errors \ No newline at end of file diff --git a/release_notes/release_notes.html b/release_notes/release_notes.html deleted file mode 100644 index 45af764..0000000 --- a/release_notes/release_notes.html +++ /dev/null @@ -1,46 +0,0 @@ -Windows Remote Management Release Notes - Published by Splunk March 09, 2022 -

-Version 2.2.4 - Released March 09, 2022 -
    -
  • Changed the hashing algorithm to SHA256 when running in FIPS mode [PAPP-21569]
  • -
-Version 2.2.3 - Released February 10, 2022 -
    -
  • Removed 'pyc' files from the app tarball [PAPP-23403]
  • -
  • Added support for Python 3.9
  • -
-Version 2.1.0 - Released October 1, 2021 -
    -
  • Updated custom parser example to add_data if a non-zero status is returned
  • -
-Version 2.0.1 - Released April 23, 2021 -
    -
  • Updated the 'list processes' action to accommodate Windows 10 with more flexible code, and parsed raw output dictionary into the action_result data
  • -
  • Upgraded the 'ntlm_auth' wheel file to 1.5.0
  • -
-Version 2.0.0 - Released December 22, 2020 -
    -
  • Compatibility changes for Python 3 support
  • -
  • Fixed the parsing issue in 'run command' and 'run script' actions
  • -
  • Fixed default port issue in 'test connectivity' action
  • -
  • Removed unsupported action parameters
  • -
  • Added validations on action input parameters
  • -
  • Handled exceptions for Unicode character issues
  • -
  • Updated app documentation
  • -
-Version 1.0.19 - Released January 19, 2019 -
    -
  • NTLM authentication fix
  • -
  • Corrected vault ID issue
  • -
  • Compatibility updates for next Phantom release
  • -
-Version 1.0.15 - Released July 12, 2018 -
    -
  • Added delete file action
  • -
  • Added configuration options for HTTPS
  • -
  • Updated document on HTTPS connections
  • -
-Version 1.0.12 - Released January 18, 2018 -
    -
  • Initial Release
  • -
diff --git a/requirements.txt b/requirements.txt
index 3a164f5..e52f8a9 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,7 +1,3 @@
 beautifulsoup4==4.9.1
-ntlm_auth==1.5.0
-pywinrm==0.4.1
-requests==2.25.0
-requests_ntlm==1.1.0
-six==1.15.0
-xmltodict==0.12.0
+pywinrm==0.4.3
+xmltodict==0.13.0
diff --git a/tox.ini b/tox.ini
new file mode 100644
index 0000000..c4644ad
--- /dev/null
+++ b/tox.ini
@@ -0,0 +1,7 @@
+[flake8]
+max-line-length = 145
+max-complexity = 28
+extend-ignore = F403,E128,E126,E111,E121,E127,E731,E201,E202,F405,E722,D,W292
+
+[isort]
+line_length = 145
diff --git a/wheels/py3/certifi-2023.7.22-py3-none-any.whl b/wheels/py3/certifi-2023.7.22-py3-none-any.whl
new file mode 100644
index 0000000..78dfe27
Binary files /dev/null and b/wheels/py3/certifi-2023.7.22-py3-none-any.whl differ
diff --git a/wheels/py3/cryptography-41.0.5-cp37-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/wheels/py3/cryptography-41.0.5-cp37-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
new file mode 100644
index 0000000..4a59f63
Binary files /dev/null and b/wheels/py3/cryptography-41.0.5-cp37-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl differ
diff --git a/wheels/py3/idna-3.4-py3-none-any.whl b/wheels/py3/idna-3.4-py3-none-any.whl
new file mode 100644
index 0000000..7343c68
Binary files /dev/null and b/wheels/py3/idna-3.4-py3-none-any.whl differ
diff --git a/wheels/py3/pyspnego-0.10.2-py3-none-any.whl b/wheels/py3/pyspnego-0.10.2-py3-none-any.whl
new file mode 100644
index 0000000..e246203
Binary files /dev/null and b/wheels/py3/pyspnego-0.10.2-py3-none-any.whl differ
diff --git a/wheels/py3/requests-2.31.0-py3-none-any.whl b/wheels/py3/requests-2.31.0-py3-none-any.whl
new file mode 100644
index 0000000..bfd5d2e
Binary files /dev/null and b/wheels/py3/requests-2.31.0-py3-none-any.whl differ
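Review bot: requirements.txt no longer pins `requests` or `six`, yet winrm_connector.py still does `import requests` and `import six` (visible in that file's import hunk below), and the same commit adds `requests-2.31.0`, `six-1.16.0` and `requests_ntlm-1.2.0` wheels. If the intent, per the release note, is to rely on the platform's bundled `requests`, the file should say so, e.g. `# requests and six are provided by the SOAR platform (see min_phantom_version in winrm.json)`; otherwise keep pinning what the connector actually imports so local installs and dependency scanners see the real dependency set.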
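Review bot: The new `[flake8]` section's `extend-ignore` disables E722 (bare `except:`) and the whole `D` docstring family project-wide, and bare `except:` clauses are exactly what several of this commit's Python hunks carry (`_get_error_message_from_exception`, `_validate_integer`, `create_firewall_rule`); silencing the check makes them harder to find and narrow later. Consider removing `E722` from the list and suppressing the remaining occurrences per line with `# noqa: E722` until they are narrowed to concrete exception types, and add a comment above `extend-ignore` explaining why each remaining code is ignored.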
diff --git a/wheels/py3/requests_ntlm-1.2.0-py3-none-any.whl b/wheels/py3/requests_ntlm-1.2.0-py3-none-any.whl new file mode 100644 index 0000000..5104b09 Binary files /dev/null and b/wheels/py3/requests_ntlm-1.2.0-py3-none-any.whl differ diff --git a/wheels/py3/soupsieve-2.3.1-py3-none-any.whl b/wheels/py3/soupsieve-2.3.1-py3-none-any.whl deleted file mode 100644 index 85d33de..0000000 Binary files a/wheels/py3/soupsieve-2.3.1-py3-none-any.whl and /dev/null differ diff --git a/wheels/py3/soupsieve-2.5-py3-none-any.whl b/wheels/py3/soupsieve-2.5-py3-none-any.whl new file mode 100644 index 0000000..e1be128 Binary files /dev/null and b/wheels/py3/soupsieve-2.5-py3-none-any.whl differ diff --git a/wheels/py3/urllib3-2.0.7-py3-none-any.whl b/wheels/py3/urllib3-2.0.7-py3-none-any.whl new file mode 100644 index 0000000..9e6f189 Binary files /dev/null and b/wheels/py3/urllib3-2.0.7-py3-none-any.whl differ diff --git a/wheels/py36/cffi-1.15.0-cp36-cp36m-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/wheels/py36/cffi-1.15.0-cp36-cp36m-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl deleted file mode 100644 index 90a9d25..0000000 Binary files a/wheels/py36/cffi-1.15.0-cp36-cp36m-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl and /dev/null differ diff --git a/wheels/py36/cryptography-36.0.1-cp36-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/wheels/py36/cryptography-36.0.1-cp36-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl deleted file mode 100644 index 5f39a49..0000000 Binary files a/wheels/py36/cryptography-36.0.1-cp36-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl and /dev/null differ 
diff --git a/wheels/py39/cffi-1.15.0-cp39-cp39-manylinux_2_12_x86_64.manylinux2010_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/wheels/py39/cffi-1.15.0-cp39-cp39-manylinux_2_12_x86_64.manylinux2010_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl deleted file mode 100644 index 734216b..0000000 Binary files a/wheels/py39/cffi-1.15.0-cp39-cp39-manylinux_2_12_x86_64.manylinux2010_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl and /dev/null differ diff --git a/wheels/py39/cffi-1.16.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/wheels/py39/cffi-1.16.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl new file mode 100644 index 0000000..32f53c3 Binary files /dev/null and b/wheels/py39/cffi-1.16.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl differ diff --git a/wheels/py39/charset_normalizer-3.3.1-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/wheels/py39/charset_normalizer-3.3.1-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl new file mode 100644 index 0000000..d00bf3a Binary files /dev/null and b/wheels/py39/charset_normalizer-3.3.1-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl differ diff --git a/wheels/shared/certifi-2021.10.8-py2.py3-none-any.whl b/wheels/shared/certifi-2021.10.8-py2.py3-none-any.whl deleted file mode 100644 index fbcb86b..0000000 Binary files a/wheels/shared/certifi-2021.10.8-py2.py3-none-any.whl and /dev/null differ diff --git a/wheels/shared/chardet-3.0.4-py2.py3-none-any.whl b/wheels/shared/chardet-3.0.4-py2.py3-none-any.whl deleted file mode 100644 index d276977..0000000 Binary files a/wheels/shared/chardet-3.0.4-py2.py3-none-any.whl and /dev/null differ diff --git a/wheels/shared/idna-2.10-py2.py3-none-any.whl b/wheels/shared/idna-2.10-py2.py3-none-any.whl deleted file mode 100644 index 41225cb..0000000 Binary files a/wheels/shared/idna-2.10-py2.py3-none-any.whl and /dev/null differ 
diff --git a/wheels/shared/ntlm_auth-1.5.0-py2.py3-none-any.whl b/wheels/shared/ntlm_auth-1.5.0-py2.py3-none-any.whl deleted file mode 100644 index 6083118..0000000 Binary files a/wheels/shared/ntlm_auth-1.5.0-py2.py3-none-any.whl and /dev/null differ diff --git a/wheels/shared/pywinrm-0.4.1-py2.py3-none-any.whl b/wheels/shared/pywinrm-0.4.1-py2.py3-none-any.whl deleted file mode 100644 index 4f390da..0000000 Binary files a/wheels/shared/pywinrm-0.4.1-py2.py3-none-any.whl and /dev/null differ diff --git a/wheels/shared/pywinrm-0.4.3-py2.py3-none-any.whl b/wheels/shared/pywinrm-0.4.3-py2.py3-none-any.whl new file mode 100644 index 0000000..f7e6215 Binary files /dev/null and b/wheels/shared/pywinrm-0.4.3-py2.py3-none-any.whl differ diff --git a/wheels/shared/requests-2.25.0-py2.py3-none-any.whl b/wheels/shared/requests-2.25.0-py2.py3-none-any.whl deleted file mode 100644 index c3f28e5..0000000 Binary files a/wheels/shared/requests-2.25.0-py2.py3-none-any.whl and /dev/null differ diff --git a/wheels/shared/requests_ntlm-1.1.0-py2.py3-none-any.whl b/wheels/shared/requests_ntlm-1.1.0-py2.py3-none-any.whl deleted file mode 100644 index 5f97789..0000000 Binary files a/wheels/shared/requests_ntlm-1.1.0-py2.py3-none-any.whl and /dev/null differ diff --git a/wheels/shared/six-1.15.0-py2.py3-none-any.whl b/wheels/shared/six-1.15.0-py2.py3-none-any.whl deleted file mode 100644 index 89edace..0000000 Binary files a/wheels/shared/six-1.15.0-py2.py3-none-any.whl and /dev/null differ diff --git a/wheels/shared/six-1.16.0-py2.py3-none-any.whl b/wheels/shared/six-1.16.0-py2.py3-none-any.whl new file mode 100644 index 0000000..fd94265 Binary files /dev/null and b/wheels/shared/six-1.16.0-py2.py3-none-any.whl differ diff --git a/wheels/shared/urllib3-1.26.8-py2.py3-none-any.whl b/wheels/shared/urllib3-1.26.8-py2.py3-none-any.whl deleted file mode 100644 index bad52ab..0000000 Binary files a/wheels/shared/urllib3-1.26.8-py2.py3-none-any.whl and /dev/null differ 
diff --git a/wheels/shared/xmltodict-0.12.0-py2.py3-none-any.whl b/wheels/shared/xmltodict-0.12.0-py2.py3-none-any.whl deleted file mode 100644 index 540936b..0000000 Binary files a/wheels/shared/xmltodict-0.12.0-py2.py3-none-any.whl and /dev/null differ diff --git a/wheels/shared/xmltodict-0.13.0-py2.py3-none-any.whl b/wheels/shared/xmltodict-0.13.0-py2.py3-none-any.whl new file mode 100644 index 0000000..2381841 Binary files /dev/null and b/wheels/shared/xmltodict-0.13.0-py2.py3-none-any.whl differ diff --git a/winrm.json b/winrm.json index 8080de9..1f6c5d3 100644 --- a/winrm.json +++ b/winrm.json 
@@ -9,82 +9,18 @@ "product_name": "Windows Remote Management", "product_version_regex": ".*", "publisher": "Splunk", - "license": "Copyright (c) 2018-2022 Splunk Inc.", - "app_version": "2.2.4", - "utctime_updated": "2022-03-03T19:04:41.000000Z", + "license": "Copyright (c) 2018-2023 Splunk Inc.", + "app_version": "2.2.6", + "utctime_updated": "2023-12-05T12:42:47.000000Z", "package_name": "phantom_winrm", "main_module": "winrm_connector.py", - "min_phantom_version": "5.1.0", + "min_phantom_version": "6.1.1", "fips_compliant": true, "python_version": "3", "latest_tested_versions": [ "On-premise, Windows Server 2012 R2 Standard" ], "app_wizard_version": "1.0.0", - "pip_dependencies": { - "wheel": [ - { - "module": "beautifulsoup4", - "input_file": "wheels/py3/beautifulsoup4-4.9.1-py3-none-any.whl" - }, - { - "module": "certifi", - "input_file": "wheels/shared/certifi-2021.10.8-py2.py3-none-any.whl" - }, - { - "module": "cffi", - "input_file": "wheels/py36/cffi-1.15.0-cp36-cp36m-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl" - }, - { - "module": "chardet", - "input_file": "wheels/shared/chardet-3.0.4-py2.py3-none-any.whl" - }, - { - "module": "cryptography", - "input_file": "wheels/py36/cryptography-36.0.1-cp36-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl" - }, - { - "module": "idna", - "input_file": "wheels/shared/idna-2.10-py2.py3-none-any.whl" - }, - { - "module": "ntlm_auth", - "input_file": "wheels/shared/ntlm_auth-1.5.0-py2.py3-none-any.whl" - }, - { - "module": "pycparser", - "input_file": "wheels/shared/pycparser-2.21-py2.py3-none-any.whl" - }, - { - "module": "pywinrm", - "input_file": "wheels/shared/pywinrm-0.4.1-py2.py3-none-any.whl" - }, - { - "module": "requests", - "input_file": "wheels/shared/requests-2.25.0-py2.py3-none-any.whl" - }, - { - "module": "requests_ntlm", - "input_file": "wheels/shared/requests_ntlm-1.1.0-py2.py3-none-any.whl" - }, - { - "module": "six", - "input_file": 
"wheels/shared/six-1.15.0-py2.py3-none-any.whl" - }, - { - "module": "soupsieve", - "input_file": "wheels/py3/soupsieve-2.3.1-py3-none-any.whl" - }, - { - "module": "urllib3", - "input_file": "wheels/shared/urllib3-1.26.8-py2.py3-none-any.whl" - }, - { - "module": "xmltodict", - "input_file": "wheels/shared/xmltodict-0.12.0-py2.py3-none-any.whl" - } - ] - }, "configuration": { "endpoint": { "description": "IP/Hostname (For TEST CONNECTIVITY and default, if not provided in an action)", 
@@ -3373,60 +3309,56 @@ }, { "module": "certifi", - "input_file": "wheels/shared/certifi-2021.10.8-py2.py3-none-any.whl" + "input_file": "wheels/py3/certifi-2023.7.22-py3-none-any.whl" }, { "module": "cffi", - "input_file": "wheels/py39/cffi-1.15.0-cp39-cp39-manylinux_2_12_x86_64.manylinux2010_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl" + "input_file": "wheels/py39/cffi-1.16.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl" }, { - "module": "chardet", - "input_file": "wheels/shared/chardet-3.0.4-py2.py3-none-any.whl" + "module": "charset_normalizer", + "input_file": "wheels/py39/charset_normalizer-3.3.1-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl" }, { "module": "cryptography", - "input_file": "wheels/py36/cryptography-36.0.1-cp36-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl" + "input_file": "wheels/py3/cryptography-41.0.5-cp37-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl" }, { "module": "idna", - "input_file": "wheels/shared/idna-2.10-py2.py3-none-any.whl" - }, - { - "module": "ntlm_auth", - "input_file": "wheels/shared/ntlm_auth-1.5.0-py2.py3-none-any.whl" + "input_file": "wheels/py3/idna-3.4-py3-none-any.whl" }, { "module": "pycparser", "input_file": "wheels/shared/pycparser-2.21-py2.py3-none-any.whl" }, { - "module": "pywinrm", - "input_file": "wheels/shared/pywinrm-0.4.1-py2.py3-none-any.whl" + "module": "pyspnego", + "input_file": "wheels/py3/pyspnego-0.10.2-py3-none-any.whl" }, { - "module": "requests", - "input_file": "wheels/shared/requests-2.25.0-py2.py3-none-any.whl" + "module": "pywinrm", + "input_file": "wheels/shared/pywinrm-0.4.3-py2.py3-none-any.whl" }, { "module": "requests_ntlm", - "input_file": "wheels/shared/requests_ntlm-1.1.0-py2.py3-none-any.whl" + "input_file": "wheels/py3/requests_ntlm-1.2.0-py3-none-any.whl" }, { "module": "six", - "input_file": "wheels/shared/six-1.15.0-py2.py3-none-any.whl" + "input_file": "wheels/shared/six-1.16.0-py2.py3-none-any.whl" }, { "module": "soupsieve", - 
"input_file": "wheels/py3/soupsieve-2.3.1-py3-none-any.whl" + "input_file": "wheels/py3/soupsieve-2.5-py3-none-any.whl" }, { "module": "urllib3", - "input_file": "wheels/shared/urllib3-1.26.8-py2.py3-none-any.whl" + "input_file": "wheels/py3/urllib3-2.0.7-py3-none-any.whl" }, { "module": "xmltodict", - "input_file": "wheels/shared/xmltodict-0.12.0-py2.py3-none-any.whl" + "input_file": "wheels/shared/xmltodict-0.13.0-py2.py3-none-any.whl" } ] } -} \ No newline at end of file +} diff --git a/winrm_connector.py b/winrm_connector.py index ef69c26..711dd48 100644 --- a/winrm_connector.py +++ b/winrm_connector.py @@ -1,6 +1,6 @@ # File: winrm_connector.py # -# Copyright (c) 2018-2022 Splunk Inc. +# Copyright (c) 2018-2023 Splunk Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -33,13 +33,13 @@ import phantom.rules as phantom_rules import requests import six +import winrm from bs4 import UnicodeDammit from phantom.action_result import ActionResult from phantom.base_connector import BaseConnector # Local imports import parse_callbacks as pc -import winrm import winrm_consts as consts 
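Review bot: The `requests` entry is dropped from this wheel list (its `requests-2.25.0` line is replaced by `pywinrm-0.4.3`) while the same commit adds `wheels/py3/requests-2.31.0-py3-none-any.whl` to the repository and keeps `import requests` in winrm_connector.py; unless another dependency list outside this hunk references that wheel, it is shipped without ever being installed, or the manifest is missing `{"module": "requests", "input_file": "wheels/py3/requests-2.31.0-py3-none-any.whl"}`. The release note says the platform's built-in `requests` is used instead, so the likely fix is to delete the orphaned wheel rather than list it. Either way the manifest, requirements.txt and the wheels directory should be reconciled so all three describe the same dependency set.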
@@ -81,32 +81,32 @@ def _get_error_message_from_exception(self, e): if e.args: if len(e.args) > 1: error_code = e.args[0] - error_msg = e.args[1] + error_message = e.args[1] elif len(e.args) == 1: - error_code = consts.WINRM_ERR_CODE_MSG - error_msg = e.args[0] + error_code = consts.WINRM_ERROR_CODE_MESSAGE + error_message = e.args[0] else: - error_code = consts.WINRM_ERR_CODE_MSG - error_msg = consts.WINRM_ERR_MSG_UNAVAILABLE + error_code = consts.WINRM_ERROR_CODE_MESSAGE + error_message = consts.WINRM_ERROR_MESSAGE_UNAVAILABLE except: - error_code = consts.WINRM_ERR_CODE_MSG - error_msg = consts.WINRM_ERR_MSG_UNAVAILABLE + error_code = consts.WINRM_ERROR_CODE_MESSAGE + error_message = consts.WINRM_ERROR_MESSAGE_UNAVAILABLE try: - error_msg = self._handle_py_ver_compat_for_input_str(error_msg) + error_message = self._handle_py_ver_compat_for_input_str(error_message) except TypeError: - error_msg = consts.WINRM_TYPE_ERR_MSG + error_message = consts.WINRM_TYPE_ERROR_MESSAGE except: - error_msg = consts.WINRM_ERR_MSG_UNAVAILABLE + error_message = consts.WINRM_ERROR_MESSAGE_UNAVAILABLE try: - if error_code in consts.WINRM_ERR_CODE_MSG: - error_text = "Error Message: {0}".format(error_msg) + if error_code in consts.WINRM_ERROR_CODE_MESSAGE: + error_text = "Error Message: {0}".format(error_message) else: - error_text = "Error Code: {0}. Error Message: {1}".format(error_code, error_msg) + error_text = "Error Code: {0}. Error Message: {1}".format(error_code, error_message) except: - self.debug_print(consts.WINRM_PARSE_ERR_MSG) - error_text = consts.WINRM_PARSE_ERR_MSG + self.debug_print(consts.WINRM_PARSE_ERROR_MESSAGE) + error_text = consts.WINRM_PARSE_ERROR_MESSAGE return error_text 
@@ -114,18 +114,18 @@ def _validate_integer(self, action_result, parameter, key, allow_zero=False): if parameter is not None: try: if not float(parameter).is_integer(): - return action_result.set_status(phantom.APP_ERROR, consts.WINRM_ERR_INVALID_INT.format(msg="", param=key)), None + return action_result.set_status(phantom.APP_ERROR, consts.WINRM_ERROR_INVALID_INT.format(msg="", param=key)), None parameter = int(parameter) except: - return action_result.set_status(phantom.APP_ERROR, consts.WINRM_ERR_INVALID_INT.format(msg="", param=key)), None + return action_result.set_status(phantom.APP_ERROR, consts.WINRM_ERROR_INVALID_INT.format(msg="", param=key)), None if parameter < 0: return action_result.set_status(phantom.APP_ERROR, - consts.WINRM_ERR_INVALID_INT.format(msg="non-negative", param=key)), None + consts.WINRM_ERROR_INVALID_INT.format(msg="non-negative", param=key)), None if not allow_zero and parameter == 0: return action_result.set_status(phantom.APP_ERROR, - consts.WINRM_ERR_INVALID_INT.format(msg="non-zero positive", param=key)), None + consts.WINRM_ERROR_INVALID_INT.format(msg="non-zero positive", param=key)), None return phantom.APP_SUCCESS, parameter @@ -145,10 +145,10 @@ def _get_vault_file_text(self, action_result, vault_id): try: success, message, file_info = phantom_rules.vault_info(vault_id=vault_id) if not file_info: - return action_result.set_status(phantom.APP_ERROR, consts.WINRM_ERR_INVALID_VAULT_ID), None + return action_result.set_status(phantom.APP_ERROR, consts.WINRM_ERROR_INVALID_VAULT_ID), None file_path = list(file_info)[0].get('path') except: - return action_result.set_status(phantom.APP_ERROR, consts.WINRM_ERR_INVALID_VAULT_ID), None + return action_result.set_status(phantom.APP_ERROR, consts.WINRM_ERROR_INVALID_VAULT_ID), None try: with open(file_path, 'r') as fp: 
@@ -164,10 +164,10 @@ def _get_custom_parser_method(self, action_result, vault_id): try: success, message, file_info = phantom_rules.vault_info(vault_id=vault_id) if not file_info: - return action_result.set_status(phantom.APP_ERROR, consts.WINRM_ERR_INVALID_VAULT_ID), None + return action_result.set_status(phantom.APP_ERROR, consts.WINRM_ERROR_INVALID_VAULT_ID), None file_path = list(file_info)[0].get('path') except: - return action_result.set_status(phantom.APP_ERROR, consts.WINRM_ERR_INVALID_VAULT_ID), None + return action_result.set_status(phantom.APP_ERROR, consts.WINRM_ERROR_INVALID_VAULT_ID), None try: custom_parser = imp.load_source('custom_parser', file_path) @@ -319,7 +319,7 @@ def _run_cmd(self, action_result, cmd, args=None, parse_callback=pc.basic, else: resp = self._session.run_cmd(cmd, args) except UnicodeDecodeError: - return action_result.set_status(phantom.APP_ERROR, "Error running command: {}".format(consts.WINRM_UNICODE_ERR_MESSAGE)) + return action_result.set_status(phantom.APP_ERROR, "Error running command: {}".format(consts.WINRM_UNICODE_ERROR_MESSAGE)) except Exception as e: return action_result.set_status(phantom.APP_ERROR, "Error running command: {}".format(unquote(self._get_error_message_from_exception(e)))) @@ -346,6 +346,11 @@ def _run_ps(self, action_result, script, parse_callback=pc.basic, additional_dat if additional_data is None: additional_data = {} resp = None + + if script is not None: + # Suppress the "progress" output that PowerShell sends to Standard Error + script = "$ProgressPreference = 'SilentlyContinue'; \n " + script + try: if command_id: if shell_id is None: 
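Review bot: The prepended `"$ProgressPreference = 'SilentlyContinue'; \n "` in `_run_ps` puts the user's script on line 2, so any line or position numbers PowerShell reports in `std_err` will be off by one relative to the script the user submitted; the comment should say so, e.g. `# NOTE: this adds one line before the user's script, so PowerShell line numbers in error output are shifted by one`. The literal would also sit better as a named constant in winrm_consts.py (touched by this commit) than inline in the function. `_run_ps` continues beyond this hunk, so whether the prefix is also applied on the `command_id`/`shell_id` retrieval path, where `script` may be ignored, is not visible here.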
@@ -358,7 +363,7 @@ def _run_ps(self, action_result, script, parse_callback=pc.basic, additional_dat if len(resp.std_err): resp.std_err = self._session._clean_error_msg(resp.std_err) if isinstance(resp.std_err, bytes): - resp.std_err = resp.std_err.decode('UTF-8') + resp.std_err = resp.std_err.decode('UTF-8', errors='backslashreplace') elif async_: encoded_ps = b64encode(script.encode('utf_16_le')).decode('ascii') shell_id = self._protocol.open_shell() @@ -372,7 +377,7 @@ def _run_ps(self, action_result, script, parse_callback=pc.basic, additional_dat script = UnicodeDammit(script).unicode_markup resp = self._session.run_ps(script) except UnicodeDecodeError: - return action_result.set_status(phantom.APP_ERROR, "Error running PowerShell script: {}".format(consts.WINRM_UNICODE_ERR_MESSAGE)) + return action_result.set_status(phantom.APP_ERROR, "Error running PowerShell script: {}".format(consts.WINRM_UNICODE_ERROR_MESSAGE)) except Exception as e: return action_result.set_status(phantom.APP_ERROR, "Error running PowerShell script: {}".format(self._get_error_message_from_exception(e))) @@ -493,7 +498,7 @@ def _handle_list_firewall_rules(self, param): action_result = self.add_action_result(ActionResult(dict(param))) direction = param.get('direction') if direction and direction not in consts.DIRECTION_VALUE_LIST: - return action_result.set_status(phantom.APP_ERROR, consts.VALUE_LIST_VALIDATION_MSG.format( + return action_result.set_status(phantom.APP_ERROR, consts.VALUE_LIST_VALIDATION_MESSAGE.format( consts.DIRECTION_VALUE_LIST, "direction")) if not self._init_session(action_result, param): 
@@ -528,7 +533,7 @@ def _handle_delete_firewall_rule(self, param): param.update(other_dict) dir = param.get('dir') if dir and dir not in consts.DIR_VALUE_LIST: - return action_result.set_status(phantom.APP_ERROR, consts.VALUE_LIST_VALIDATION_MSG.format(consts.DIR_VALUE_LIST, 'dir')) + return action_result.set_status(phantom.APP_ERROR, consts.VALUE_LIST_VALIDATION_MESSAGE.format(consts.DIR_VALUE_LIST, 'dir')) val_map = { "local_ip": "localip", @@ -597,11 +602,11 @@ def _handle_create_firewall_rule(self, param): param.update(other_dict) dir = param.get('dir') if dir and dir not in consts.DIR_VALUE_LIST: - return action_result.set_status(phantom.APP_ERROR, consts.VALUE_LIST_VALIDATION_MSG.format(consts.DIR_VALUE_LIST, 'dir')) + return action_result.set_status(phantom.APP_ERROR, consts.VALUE_LIST_VALIDATION_MESSAGE.format(consts.DIR_VALUE_LIST, 'dir')) action = param.get('action') if action and action not in consts.ACTION_VALUE_LIST: - return action_result.set_status(phantom.APP_ERROR, consts.VALUE_LIST_VALIDATION_MSG.format(consts.ACTION_VALUE_LIST, 'action')) + return action_result.set_status(phantom.APP_ERROR, consts.VALUE_LIST_VALIDATION_MESSAGE.format(consts.ACTION_VALUE_LIST, 'action')) val_map = { "local_ip": "localip", @@ -711,7 +716,7 @@ def _handle_deactivate_partition(self, param): "inactive" ) if phantom.is_fail(ret_val): - return action_result.set_status(phantom.APP_ERROR, consts.WINRM_ERR_PARTITION) + return action_result.set_status(phantom.APP_ERROR, consts.WINRM_ERROR_PARTITION) return action_result.set_status(phantom.APP_SUCCESS, "Successfully deactivated partition") @@ -725,7 +730,7 @@ def _handle_activate_partition(self, param): "active" ) if phantom.is_fail(ret_val): - return action_result.set_status(phantom.APP_ERROR, consts.WINRM_ERR_PARTITION) + return action_result.set_status(phantom.APP_ERROR, consts.WINRM_ERROR_PARTITION) return action_result.set_status(phantom.APP_SUCCESS, "Successfully activated partition") 
@@ -770,7 +775,7 @@ def _format_list_applocker_script(self, action_result, location, ldap, xml=True, suffix = "-XML" if xml else "" if location.lower() not in consts.LOCATION_VALUE_LIST: return action_result.set_status( - phantom.APP_ERROR, consts.VALUE_LIST_VALIDATION_MSG.format(consts.LOCATION_VALUE_LIST, "location") + phantom.APP_ERROR, consts.VALUE_LIST_VALIDATION_MESSAGE.format(consts.LOCATION_VALUE_LIST, "location") ), None if location.lower() == "domain": if not ldap: @@ -822,7 +827,7 @@ def _handle_create_applocker_policy(self, param): deny_allow = param['deny_allow'].lower() if deny_allow not in consts.DENY_ALLOW_VALUE_LIST: return action_result.set_status( - phantom.APP_ERROR, consts.VALUE_LIST_VALIDATION_MSG.format(consts.DENY_ALLOW_VALUE_LIST, "deny_allow") + phantom.APP_ERROR, consts.VALUE_LIST_VALIDATION_MESSAGE.format(consts.DENY_ALLOW_VALUE_LIST, "deny_allow") ) file_path = self._handle_py_ver_compat_for_input_str(param['file_path']) @@ -850,6 +855,8 @@ def _handle_create_applocker_policy(self, param): self._sanitize_string(file_path), new_policy_str, set_policy_str )) + self.debug_print(ps_script) + ret_val = self._run_ps(action_result, ps_script, parse_callback=pc.check_exit_no_data2) if phantom.is_fail(ret_val): return ret_val @@ -922,10 +929,10 @@ def _handle_send_file(self, param): vault_id = self._handle_py_ver_compat_for_input_str(param['vault_id']) success, message, file_info = phantom_rules.vault_info(vault_id=vault_id) if not file_info: - return action_result.set_status(phantom.APP_ERROR, consts.WINRM_ERR_INVALID_VAULT_ID) + return action_result.set_status(phantom.APP_ERROR, consts.WINRM_ERROR_INVALID_VAULT_ID) path = list(file_info)[0].get('path') except: - return action_result.set_status(phantom.APP_ERROR, consts.WINRM_ERR_INVALID_VAULT_ID) + return action_result.set_status(phantom.APP_ERROR, consts.WINRM_ERROR_INVALID_VAULT_ID) destination = self._handle_py_ver_compat_for_input_str(param['destination']) 
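Review bot: `self.debug_print(ps_script)` in _handle_create_applocker_policy writes the fully rendered PowerShell script — including the caller-supplied file_path and the generated policy strings — to the app debug log on every run, which reads like a leftover debugging aid. If it is meant to stay, a comment stating the intent would help, e.g. `# Log the rendered AppLocker script so a failed run can be reproduced from the app log`; otherwise it should be dropped before merge. The other hunks in this file section only rename consts. The enclosing method starts and ends outside the hunk.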
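Review bot: In _handle_send_file the `message` returned by `phantom_rules.vault_info` is discarded, so both failure returns surface only the generic consts.WINRM_ERROR_INVALID_VAULT_ID and the operator cannot tell a missing vault id from a vault lookup error; the first return could carry it, `return action_result.set_status(phantom.APP_ERROR, "{}: {}".format(consts.WINRM_ERROR_INVALID_VAULT_ID, message))`. The bare `except:` guarding the second return is pre-existing context and also hides the cause; narrowing it would be a separate change. _handle_send_file continues outside the hunk.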
diff --git a/winrm_consts.py b/winrm_consts.py
index 5ccb50e..1605773 100644
--- a/winrm_consts.py
+++ b/winrm_consts.py
@@ -1,6 +1,6 @@
 # File: winrm_consts.py
 #
-# Copyright (c) 2018-2022 Splunk Inc.
+# Copyright (c) 2018-2023 Splunk Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -87,19 +87,19 @@ [Convert]::ToBase64String([IO.File]::ReadAllBytes($d)) """ -WINRM_UNICODE_ERR_MESSAGE = "Invalid unicode detected" +WINRM_UNICODE_ERROR_MESSAGE = "Invalid unicode detected" # Constants relating to '_validate_integer' -WINRM_ERR_INVALID_INT = 'Please provide a valid {msg} integer value in the "{param}"' -WINRM_ERR_PARTITION = "Failed to fetch system volume, Please check the asset configuration and|or \"ip hostname\" parameter" -WINRM_ERR_INVALID_VAULT_ID = "Could not retrieve vault file" +WINRM_ERROR_INVALID_INT = 'Please provide a valid {msg} integer value in the "{param}"' +WINRM_ERROR_PARTITION = "Failed to fetch system volume, Please check the asset configuration and|or \"ip hostname\" parameter" +WINRM_ERROR_INVALID_VAULT_ID = "Could not retrieve vault file" # Constants relating to '_get_error_message_from_exception' -WINRM_ERR_CODE_MSG = "Error code unavailable" -WINRM_ERR_MSG_UNAVAILABLE = "Error message unavailable. Please check the asset configuration and|or action parameters" -WINRM_PARSE_ERR_MSG = "Unable to parse the error message. Please check the asset configuration and|or action parameters" -WINRM_TYPE_ERR_MSG = "Error occurred while connecting to the Winrm Server. Please check the asset configuration and|or " \ - "the action parameters" +WINRM_ERROR_CODE_MESSAGE = "Error code unavailable" +WINRM_ERROR_MESSAGE_UNAVAILABLE = "Error message unavailable. Please check the asset configuration and|or action parameters" +WINRM_PARSE_ERROR_MESSAGE = "Unable to parse the error message. Please check the asset configuration and|or action parameters" +WINRM_TYPE_ERROR_MESSAGE = ("Error occurred while connecting to the Winrm Server. " + "Please check the asset configuration and|or the action parameters") # Constants relating to value_list check DIRECTION_VALUE_LIST = ["in", "out"] 
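Review bot: Every constant in this hunk is renamed (WINRM_ERR_* to WINRM_ERROR_*, *_MSG to *_MESSAGE), and because callers look them up at call time via `consts.`, a call site missed by the rename fails with AttributeError only when that error path is exercised, not at import. The visible hunks update the _run_ps, firewall, partition, AppLocker and send-file call sites, but the users of WINRM_ERROR_INVALID_INT, WINRM_ERROR_CODE_MESSAGE, WINRM_ERROR_MESSAGE_UNAVAILABLE, WINRM_PARSE_ERROR_MESSAGE and WINRM_TYPE_ERROR_MESSAGE (the comments point at `_validate_integer` and `_get_error_message_from_exception`) are not in view, so confirm those were renamed in the same commit. A repository-wide search for the old `WINRM_ERR_` and `_MSG` names before merge would settle it. If anything outside this repository imports the old names, keeping them as aliases for one release is the backward-compatible option.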
@@ -107,4 +107,4 @@
 ACTION_VALUE_LIST = ["allow", "block", "bypass"]
 LOCATION_VALUE_LIST = ["local", "domain", "effective"]
 DENY_ALLOW_VALUE_LIST = ["deny", "allow"]
-VALUE_LIST_VALIDATION_MSG = "Please provide valid input from {} in '{}' action parameter"
+VALUE_LIST_VALIDATION_MESSAGE = "Please provide valid input from {} in '{}' action parameter"