From 5451df698e0c7a98ec0471c7bb118152622096e8 Mon Sep 17 00:00:00 2001 From: jonas2k Date: Tue, 3 Nov 2020 14:04:27 +0100 Subject: [PATCH 1/2] Adapted to CylanceAPI limitation of 'page_size' max value of 200; 'Show-MemProtectionEvents' now supports retrieval of up to 1000 events --- CylanceApiTools.psd1 | 4 +- modules/Helpers.ps1 | 64 +++++++++++++++++---- modules/Invoke-CylanceDuplicateCleanup.ps1 | 2 +- modules/Invoke-CylanceInactiveCleanup.ps1 | 2 +- modules/Show-CylanceMemProtectionEvents.ps1 | 16 +++--- 5 files changed, 65 insertions(+), 23 deletions(-) diff --git a/CylanceApiTools.psd1 b/CylanceApiTools.psd1 index fa1f5e8..60d490d 100644 --- a/CylanceApiTools.psd1 +++ b/CylanceApiTools.psd1 @@ -8,7 +8,7 @@ # RootModule = '' # Version number of this module. - ModuleVersion = '1.41' + ModuleVersion = '1.42' # Supported PSEditions CompatiblePSEditions = @("Core") @@ -99,7 +99,7 @@ cylanceApiAuthSuffix = "auth/v2/token" cylanceApiMemSuffix = "memoryprotection/v2" cylanceApiRegions = @{apne1 = "-apne1"; au = "-au"; euc1 = "-euc1"; sae1 = "-sae1"; us = ".us" } - devicePageSize = 10000 + maxPageSize = 200 expirationSeconds = 120 memProtectionActions = @{ 0 = "None"; diff --git a/modules/Helpers.ps1 b/modules/Helpers.ps1 index e11b3f5..351b425 100644 --- a/modules/Helpers.ps1 +++ b/modules/Helpers.ps1 
@@ -182,9 +182,49 @@ function Get-CylanceDevices { $params = @{ "page" = 1 - "page_size" = $MyInvocation.MyCommand.Module.PrivateData["devicePageSize"] + "page_size" = $MyInvocation.MyCommand.Module.PrivateData["maxPageSize"] } - return Invoke-RestMethod -Method "GET" -Uri (Get-CylanceApiUri -type "Devices" -region $region) -Body $params -Headers $headers + + $devicesCylanceApiUri = Get-CylanceApiUri -type "Devices" -region $region + return (Get-CylanceItems -itemCylanceApiUri $devicesCylanceApiUri -params $params -headers $headers) +} + +function Get-CylanceItems { + param ( + [parameter(Mandatory = $true)] + [String]$itemCylanceApiUri, + [parameter(Mandatory = $true)] + [hashtable]$params, + [parameter(Mandatory = $true)] + [hashtable]$headers, + [parameter(Mandatory = $false)] + [int]$itemLimit = $null + ) + + $items = New-Object -TypeName "System.Collections.ArrayList" + + $initialResponse = Invoke-RestMethod -Method "GET" -Uri $itemCylanceApiUri -Body $params -Headers $headers + $items.AddRange($initialResponse.page_items) + + if ($initialResponse.total_pages -gt 1 -and ($items.Count -lt $itemLimit)) { + for ($i = $params.page + 1; $i -le $initialResponse.total_pages; $i++) { + $params.page = $i + $response = Invoke-RestMethod -Method "GET" -Uri $itemCylanceApiUri -Body $params -Headers $headers + $items.AddRange($response.page_items) + + if ($itemLimit -and ($items.Count -gt $itemLimit)) { + break + } + } + } + if ($itemLimit -and ($items.Count -gt $itemLimit)) { + $items = $items.GetRange(0, $itemLimit) + } + + if (($null -eq $itemLimit -and $initialResponse.total_number_of_items -ne $items.Count) -or ($null -ne $itemLimit -and $itemLimit -ne $items.Count)) { + Write-HostAs -mode "Warning" -message "Item count reported by API doesn't match actually returned item count, please proceed with caution." + } + return $items } function Get-FullCylanceDevice { 
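Review bot: Neither `Invoke-RestMethod` call in the new `Get-CylanceItems` has failure handling, and the list it returns now feeds `Invoke-CylanceDuplicateCleanup` and `Invoke-CylanceInactiveCleanup` (both changed later in this patch), which use it to pick devices for removal. If a page request fails partway and the error does not stop the function (that depends on `$ErrorActionPreference`, which is not visible here), `$response` may still hold the previous page, and its items would be appended a second time; to the duplicate cleanup that could look like repeated device names. I would add `-ErrorAction Stop` to both calls so a partial fetch aborts. In the unlimited case, a mismatch with `total_number_of_items` should be an error rather than a warning, so nothing destructive runs on an incomplete list. Note also that `$params.page = $i` modifies the caller's hashtable.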
@@ -208,7 +248,7 @@ function Get-FullCylanceDevice {
 function Get-MemProtectionEvents {
 param(
 [parameter(Mandatory = $true)]
- [ValidateRange(1, 200)]
+ [ValidateRange(1, 1000)]
 [int]$count,
 [parameter(Mandatory = $true)]
 [String]$bearerToken,
@@ -224,31 +264,33 @@ function Get-MemProtectionEvents { $params = @{ "page" = 1 - "page_size" = $count + "page_size" = $MyInvocation.MyCommand.Module.PrivateData["maxPageSize"] } - return Invoke-RestMethod -Method "GET" -Uri (Get-CylanceApiUri -type "Mem" -region $region) -Body $params -Headers $headers + + $memProtectionCylanceApiUri = Get-CylanceApiUri -type "Mem" -region $region + return (Get-CylanceItems -itemCylanceApiUri $memProtectionCylanceApiUri -headers $headers -params $params -itemLimit $count) } function Add-MemProtectionActionDescription { param( [parameter(ValueFromPipeline)] - $event + $memProtectionEvent ) $memProtectionActions = $MyInvocation.MyCommand.Module.PrivateData["memProtectionActions"] - if ($memProtectionActions.ContainsKey($([int32]$event.action))) { - $event | Add-Member -NotePropertyName "action_description" -NotePropertyValue $($memProtectionActions.$([int32]$event.action)) + if ($memProtectionActions.ContainsKey($([int32]$memProtectionEvent.action))) { + $memProtectionEvent | Add-Member -NotePropertyName "action_description" -NotePropertyValue $($memProtectionActions.$([int32]$evmemProtectionEventent.action)) } } function Add-MemProtectionViolationTypeDescription { param( [parameter(ValueFromPipeline)] - $event + $memProtectionEvent ) $memProtectionViolationTypes = $MyInvocation.MyCommand.Module.PrivateData["memProtectionViolationTypes"] - if ($memProtectionViolationTypes.ContainsKey($([int32]$event.violation_type))) { - $event | Add-Member -NotePropertyName "violation_type_description" -NotePropertyValue $($memProtectionViolationTypes.$([int32]$event.violation_type)) + if ($memProtectionViolationTypes.ContainsKey($([int32]$memProtectionEvent.violation_type))) { + $memProtectionEvent | Add-Member -NotePropertyName "violation_type_description" -NotePropertyValue $($memProtectionViolationTypes.$([int32]$memProtectionEvent.violation_type)) } } 
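Review bot: The rename in `Add-MemProtectionActionDescription` left a mangled variable, `$evmemProtectionEventent`, in the `-NotePropertyValue` expression, so the lookup key no longer comes from the event. With an undefined variable the `[int32]` cast most likely yields 0, and every event that passes the `ContainsKey` check would then be labelled with the description for action 0 (`"None"` in the manifest), regardless of the action actually taken; under strict mode it would throw instead. The line should read `$memProtectionEvent | Add-Member -NotePropertyName "action_description" -NotePropertyValue $($memProtectionActions.$([int32]$memProtectionEvent.action))`. `Add-MemProtectionViolationTypeDescription` in the same hunk was renamed correctly.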
diff --git a/modules/Invoke-CylanceDuplicateCleanup.ps1 b/modules/Invoke-CylanceDuplicateCleanup.ps1 index 40b6022..24d2077 100644 --- a/modules/Invoke-CylanceDuplicateCleanup.ps1 +++ b/modules/Invoke-CylanceDuplicateCleanup.ps1 @@ -20,7 +20,7 @@ function Invoke-CylanceDuplicateCleanup { Write-HostAs -mode "Info" -message "Checking devices, this may take a while." $response = Get-CylanceDevices -bearerToken $bearerToken -region $region - $duplicates = $response.page_items | Group-Object -Property "name" | Where-Object { $_.count -ge 2 } + $duplicates = $response | Group-Object -Property "name" | Where-Object { $_.count -ge 2 } [Array]$devicesToBeRemoved = @() diff --git a/modules/Invoke-CylanceInactiveCleanup.ps1 b/modules/Invoke-CylanceInactiveCleanup.ps1 index 20b7712..393f47d 100644 --- a/modules/Invoke-CylanceInactiveCleanup.ps1 +++ b/modules/Invoke-CylanceInactiveCleanup.ps1 @@ -22,7 +22,7 @@ function Invoke-CylanceInactiveCleanup { Write-HostAs -mode "Info" -message "Checking devices, this may take a while." $response = Get-CylanceDevices -bearerToken $bearerToken -region $region - $offlineDevices = $response.page_items | Where-Object { $null -ne $_.id -and $_.state -eq "Offline" -and (Test-DateIsOutOfRange -inputDate $_.date_first_registered -daysBack 1) } + $offlineDevices = $response | Where-Object { $null -ne $_.id -and $_.state -eq "Offline" -and (Test-DateIsOutOfRange -inputDate $_.date_first_registered -daysBack 1) } [Array]$devicesToBeRemoved = @() $daysAgo = (Get-Date).AddDays(-$inactiveDays) diff --git a/modules/Show-CylanceMemProtectionEvents.ps1 b/modules/Show-CylanceMemProtectionEvents.ps1 index 7627c78..0df874e 100644 --- a/modules/Show-CylanceMemProtectionEvents.ps1 +++ b/modules/Show-CylanceMemProtectionEvents.ps1 
@@ -7,7 +7,7 @@ function Show-CylanceMemProtectionEvents { [parameter(Mandatory = $false)] [String]$tenantId, [parameter(Mandatory = $false)] - [ValidateRange(1, 200)] + [ValidateRange(1, 1000)] [int]$count = 10, [parameter(Mandatory = $false)] [AllowEmptyString()] @@ -20,20 +20,20 @@ function Show-CylanceMemProtectionEvents { $bearerToken = Get-BearerToken -applicationId $applicationId -applicationSecret $applicationSecret -tenantId $tenantId -region $region Write-HostAs -mode "Info" -message "Fetching data, this may take a while." $response = Get-MemProtectionEvents -count $count -bearerToken $bearerToken -region $region - $memProtectionEvents = $response.page_items | ForEach-Object { $_.created = [DateTime]$_.created; $_ } + $memProtectionEvents = $response | ForEach-Object { $_.created = [DateTime]$_.created; $_ } - foreach ($event in $memProtectionEvents) { + foreach ($memProtectionEvent in $memProtectionEvents) { try { - $fullDevice = Get-FullCylanceDevice -device $event.device_id -bearerToken $bearerToken -region $region - $event | Add-Member -NotePropertyName "device_name" -NotePropertyValue $fullDevice.name - $event | Add-Member -NotePropertyName "device_policy" -NotePropertyValue $fullDevice.policy.name + $fullDevice = Get-FullCylanceDevice -device $memProtectionEvent.device_id -bearerToken $bearerToken -region $region + $memProtectionEvent | Add-Member -NotePropertyName "device_name" -NotePropertyValue $fullDevice.name + $memProtectionEvent | Add-Member -NotePropertyName "device_policy" -NotePropertyValue $fullDevice.policy.name } catch { Write-HostAs -mode "Error" -message "Can't get full device details for $($device.name)." Write-Error "$($device.name): $($_.Exception.Message)" } - $event | Add-MemProtectionActionDescription - $event | Add-MemProtectionViolationTypeDescription + $memProtectionEvent | Add-MemProtectionActionDescription + $memProtectionEvent | Add-MemProtectionViolationTypeDescription } if ($memProtectionEvents.Count -gt 0) { 
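Review bot: The `catch` block inside the renamed `foreach` still reports `$($device.name)`, and no `$device` is defined in the visible part of `Show-CylanceMemProtectionEvents`, so a failed lookup would be logged without identifying the device. Since the loop variable is now `$memProtectionEvent`, both messages could use its id, e.g. `Write-HostAs -mode "Error" -message "Can't get full device details for device $($memProtectionEvent.device_id)."`. With `count` now allowed up to 1000, the loop also issues one `Get-FullCylanceDevice` request per event; caching results per `device_id` in a hashtable would avoid repeated calls for the same device. The function body starts and ends outside this hunk.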
From e226f8d28d09e2682480d29d87a2e1b0b82a21c3 Mon Sep 17 00:00:00 2001 From: jonas2k Date: Tue, 3 Nov 2020 14:49:10 +0100 Subject: [PATCH 2/2] Fix for previous commit --- modules/Helpers.ps1 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/Helpers.ps1 b/modules/Helpers.ps1 index 351b425..9a2e5db 100644 --- a/modules/Helpers.ps1 +++ b/modules/Helpers.ps1 @@ -198,7 +198,7 @@ function Get-CylanceItems { [parameter(Mandatory = $true)] [hashtable]$headers, [parameter(Mandatory = $false)] - [int]$itemLimit = $null + [int]$itemLimit = 0 ) $items = New-Object -TypeName "System.Collections.ArrayList" @@ -206,7 +206,7 @@ function Get-CylanceItems { $initialResponse = Invoke-RestMethod -Method "GET" -Uri $itemCylanceApiUri -Body $params -Headers $headers $items.AddRange($initialResponse.page_items) - if ($initialResponse.total_pages -gt 1 -and ($items.Count -lt $itemLimit)) { + if ($initialResponse.total_pages -gt 1 -and ($itemLimit ? $items.Count -lt $itemLimit : $True)) { for ($i = $params.page + 1; $i -le $initialResponse.total_pages; $i++) { $params.page = $i $response = Invoke-RestMethod -Method "GET" -Uri $itemCylanceApiUri -Body $params -Headers $headers @@ -221,7 +221,7 @@ function Get-CylanceItems { $items = $items.GetRange(0, $itemLimit) } - if (($null -eq $itemLimit -and $initialResponse.total_number_of_items -ne $items.Count) -or ($null -ne $itemLimit -and $itemLimit -ne $items.Count)) { + if ((-not $itemLimit -and $initialResponse.total_number_of_items -ne $items.Count) -or ($itemLimit -and $itemLimit -ne $items.Count)) { Write-HostAs -mode "Warning" -message "Item count reported by API doesn't match actually returned item count, please proceed with caution." } return $items
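Review bot: The new condition `($itemLimit ? $items.Count -lt $itemLimit : $True)` uses the ternary operator, which PowerShell only accepts from version 7.0. The manifest context earlier on this page declares `CompatiblePSEditions = @("Core")`, and no minimum version is visible, so on PowerShell 6.x `Helpers.ps1` would fail to parse. `(-not $itemLimit -or $items.Count -lt $itemLimit)` expresses the same test without the operator. In the loop shown as context, `$items.Count -gt $itemLimit` could be `-ge`; as written, one extra page is requested when the limit is reached exactly on a page boundary.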
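Review bot: The rewritten mismatch check still warns whenever `$itemLimit` is set and fewer items exist than were requested, because `$itemLimit -ne $items.Count` is true for, say, a limit of 1000 when the API reports only 300 events. The "proceed with caution" warning then fires on a normal result, and a warning that fires routinely tends to be ignored when it is real. Comparing against the smaller of the two values avoids this: `$expected = if ($itemLimit) { [Math]::Min($itemLimit, $initialResponse.total_number_of_items) } else { $initialResponse.total_number_of_items }` followed by `if ($expected -ne $items.Count) {`.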