iamtheky Posted March 16, 2016 (edited)

I will add the splunk remote export and then combine them if there is interest (think I might be the only security guy here). This will return the XML reports from paloalto for the hashes in the list. hashlist should be relative to the script, as well the reports will be written to the scriptdir.

```autoit
; curl test
#include <File.au3>
#include <AutoItConstants.au3> ; defines $STDOUT_CHILD used by Run()

Local $aHashes
$curldir = "C:\Users\curluser\Desktop\CURL\" ; with trailing backslash
$sApiKey = "This is where the API Key Goes"

; This is a list of SHA-256, one per line. Flag 0 = no count element, so [0] is the first line.
; As mine was exported from Splunk the first row is the table name...
_FileReadToArray("hashlist.csv", $aHashes, 0)

For $i = 1 To UBound($aHashes) - 1 ; ...so it's skipped here by starting on 1 instead of 0
    ; one curl call per hash; the XML report comes back on stdout
    $iPid = Run($curldir & "curl -k -F hash=" & $aHashes[$i] & " -F format=xml -F apikey=" & $sApiKey & " https://wildfire.paloaltonetworks.com/publicapi/get/report", "", @SW_HIDE, $STDOUT_CHILD)
    $sOutput = ""
    While 1
        $sOutput &= StdoutRead($iPid)
        If @error Then ; stream closed, curl has exited
            ExitLoop
        EndIf
    WEnd
    FileWrite($aHashes[$i] & ".xml", $sOutput) ; written next to the script
Next
```

Edited March 16, 2016 by iamtheky
iamtheky Posted March 23, 2016 Author (edited)

This is the full boat: Exports the file_digest(s) from Splunk, splits that stdout into an array, then runs through that array downloading the full xml files from the WildFire API. We finally got our app working so don't really need to do this, but it was a fun exercise with curl.

*I was messing with _File stuff, but not anymore, but since that include contains array and constants I am leaving it.

```autoit
#include <File.au3>
#include <AutoItConstants.au3> ; defines $STDOUT_CHILD used by Run()

$SplunkUser = "SPLUNKUSER-GOES-HERE"
$SplunkPwd = "SPLUNKPASSWORD-GOES-HERE"
$curldir = @ScriptDir & "\curl.exe"
$sApiKey = "APIKEY-GOES-HERE"

If Not FileExists(@ScriptDir & "\WILDFIRE\") Then DirCreate(@ScriptDir & "\WILDFIRE\")

; Ask the Splunk REST export endpoint for the file_digest column as CSV
$iPidSplunk = Run("cmd /c " & $curldir & ' -k -u ' & $SplunkUser & ':' & $SplunkPwd & ' -d "search=search index=pan_logs log_subtype=wildfire category=malicious | table file_digest" -d output_mode=csv https://SPLUNKSERVER.com:8089/servicesNS/admin/search/search/jobs/export', "", @SW_HIDE, $STDOUT_CHILD)
$sOutput = ""
While 1
    $sOutput &= StdoutRead($iPidSplunk)
    If @error Then
        ExitLoop
    EndIf
WEnd

; CSV -> array of hashes: strip any CR so CRLF output splits cleanly, drop the
; empty element after the final line break, drop the header row, then dedupe
$sOutput = StringStripCR($sOutput)
$aHashes = StringSplit($sOutput, @LF, 2)
_ArrayPop($aHashes)
_ArrayDelete($aHashes, 0)
$aHashes = _ArrayUnique($aHashes, 0, 0, 0, 0) ; last 0 = no count element, so the loop starts at 0

For $i = 0 To UBound($aHashes) - 1
    $iPidFire = Run("cmd /c " & $curldir & " -k -F hash=" & $aHashes[$i] & " -F format=xml -F apikey=" & $sApiKey & " https://wildfire.paloaltonetworks.com/publicapi/get/report", "", @SW_HIDE, $STDOUT_CHILD)
    $sOutput = ""
    While 1
        $sOutput &= StdoutRead($iPidFire)
        If @error Then
            ExitLoop
        EndIf
    WEnd
    FileWrite(@ScriptDir & "\WILDFIRE\" & $aHashes[$i] & ".xml", $sOutput)
Next
```

Edited March 23, 2016 by iamtheky
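The pipeline both posts above implement, as an added Python example that is not the poster's AutoIt code: it parses a constructed sample of the Splunk CSV export (header row, CRLF line endings, a duplicate, an uppercase digest and two malformed values), keeps only values that are valid SHA-256 hex, and builds the WildFire curl call as an argument vector instead of a `cmd /c` string, so nothing that came out of the export is ever parsed by a shell or used unvalidated in a file name. The sample export, the `--silent`/`--show-error`/`--fail` flags, and the helper names are assumptions of this example; the endpoint URL and the `hash`/`format`/`apikey` form fields are the ones the posts use.

```python
import os
import re
import subprocess

# Only lowercase hex of the right length is accepted after normalisation;
# anything else never reaches curl, the filesystem or a shell.
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

WILDFIRE_REPORT_URL = "https://wildfire.paloaltonetworks.com/publicapi/get/report"

# Constructed sample of what the Splunk REST export returns for
# "| table file_digest" with output_mode=csv: header row, CRLF endings,
# a duplicate, an uppercase digest, two malformed values and the empty
# line left behind by the final CRLF.
SAMPLE_EXPORT = (
    "file_digest\r\n"
    + "a" * 64 + "\r\n"
    + "B" * 64 + "\r\n"
    + "a" * 64 + "\r\n"
    + "deadbeef\r\n"
    + "c" * 63 + "g\r\n"
    + "\r\n"
)


def parse_digests(csv_text):
    """Return (accepted, rejected).

    accepted: ordered, de-duplicated, lowercase SHA-256 strings
    rejected: the raw export lines that failed validation (for logging)
    """
    accepted, rejected, seen = [], [], set()
    lines = csv_text.splitlines()          # handles both \r\n and \n
    for line in lines[1:]:                 # first row is the Splunk column name
        value = line.strip().strip('"')    # Splunk may quote CSV fields
        if not value:
            continue                       # blank line from the trailing CRLF
        value = value.lower()
        if not SHA256_RE.match(value):
            rejected.append(line)
            continue
        if value in seen:                  # same role as _ArrayUnique in the post
            continue
        seen.add(value)
        accepted.append(value)
    return accepted, rejected


def wildfire_report_argv(digest, api_key, curl_path="curl"):
    """Build the curl argument vector for one WildFire report request.

    A list handed to subprocess.run is passed straight to curl; no shell sees
    the digest. The post's -k (skip TLS verification) is deliberately absent.
    """
    if not SHA256_RE.match(digest):
        raise ValueError("digest failed validation: %r" % digest)
    return [
        curl_path, "--silent", "--show-error", "--fail",
        "-F", "hash=" + digest,
        "-F", "format=xml",
        "-F", "apikey=" + api_key,
        WILDFIRE_REPORT_URL,
    ]


def fetch_reports(digests, api_key, out_dir, curl_path="curl"):
    """Write each report to out_dir/<digest>.xml and return the paths written.

    Needs network access and a real key, so the demo below does not call it.
    """
    os.makedirs(out_dir, exist_ok=True)
    written = []
    for digest in digests:
        result = subprocess.run(wildfire_report_argv(digest, api_key, curl_path),
                                capture_output=True, check=False)
        if result.returncode != 0:
            continue  # --fail turns HTTP errors into non-zero exit; don't save an error page as a report
        path = os.path.join(out_dir, digest + ".xml")  # digest is validated hex, so no path tricks
        with open(path, "wb") as fh:
            fh.write(result.stdout)
        written.append(path)
    return written


if __name__ == "__main__":
    ok, bad = parse_digests(SAMPLE_EXPORT)
    print("accepted:", ok)
    print("rejected:", bad)
    print(" ".join(wildfire_report_argv(ok[0], "APIKEY-GOES-HERE")))
```

If the key should not show up in the process list at all, curl's form syntax `-F "apikey=<keyfile"` (the `<` prefix) reads the field value from a file instead of taking it from the command line.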