WildFire Reports with Curl


iamtheky

I will add the Splunk remote export and then combine them if there is interest (I think I might be the only security guy here).

This will return the XML reports from Palo Alto for the hashes in the list. hashlist should be relative to the script, and the reports will be written to the script dir.

; curl test

#include <File.au3>
#include <AutoItConstants.au3>   ; $STDOUT_CHILD

Local $aHashes, $iPid, $sOutput

$curldir = "C:\Users\curluser\Desktop\CURL\"  ; with trailing backslash
$sApiKey = "This is where the API Key Goes"

; hashlist.csv is a list of SHA-256, one per line, next to the script. As mine was exported from Splunk
; the first row is the table name....
_FileReadToArray(@ScriptDir & "\hashlist.csv", $aHashes, 0)   ; 0 = no element count stored in [0]
If @error Then Exit MsgBox(16, "curl test", "Could not read hashlist.csv")

For $i = 1 To UBound($aHashes) - 1   ; ...so it is skipped here by starting on 1 instead of 0

    $iPid = Run($curldir & "curl -k -F hash=" & $aHashes[$i] & " -F format=xml -F apikey=" & $sApiKey & " https://wildfire.paloaltonetworks.com/publicapi/get/report", "", @SW_HIDE, $STDOUT_CHILD)

    ; collect curl's stdout until the process closes the pipe
    $sOutput = ""
    While 1
        $sOutput &= StdoutRead($iPid)
        If @error Then ExitLoop
    WEnd

    ; one report per hash, written next to the script
    FileWrite(@ScriptDir & "\" & $aHashes[$i] & ".xml", $sOutput)

Next


Edited by iamtheky


This is the full boat: exports the file_digest(s) from Splunk, splits that stdout into an array, then runs through that array downloading the full XML files from the WildFire API. We finally got our app working so don't really need to do this, but it was a fun exercise with curl.

*I was messing with _File stuff, but not anymore; since that include contains Array and Constants I am leaving it.

#include <File.au3>
#include <Array.au3>             ; _ArrayPop, _ArrayDelete, _ArrayUnique
#include <AutoItConstants.au3>   ; $STDOUT_CHILD

$SplunkUser = "SPLUNKUSER-GOES-HERE"
$SplunkPwd = "SPLUNKPASSWORD-GOES-HERE"   ; handed to curl on the command line, so visible in the process list while it runs
$curldir = @ScriptDir & "\curl.exe"
$sApiKey = "APIKEY-GOES-HERE"

Local $iPid, $sOutput, $aHashes

If Not FileExists(@ScriptDir & "\WILDFIRE\") Then DirCreate(@ScriptDir & "\WILDFIRE\")

; ask Splunk for the file_digest column of malicious WildFire verdicts, as CSV
$iPid = Run("cmd /c " & $curldir & ' -k -u ' & $SplunkUser & ':' & $SplunkPwd & ' -d "search=search index=pan_logs log_subtype=wildfire category=malicious | table file_digest" -d output_mode=csv https://SPLUNKSERVER.com:8089/servicesNS/admin/search/search/jobs/export', "", @SW_HIDE, $STDOUT_CHILD)

$sOutput = ""
While 1
    $sOutput &= StdoutRead($iPid)
    If @error Then ExitLoop
WEnd

; one hash per line: drop any CR (CRLF export), split on LF, then remove the trailing empty element,
; the header row and any duplicates
$sOutput = StringReplace($sOutput, @CR, "")
$aHashes = StringSplit($sOutput, @LF, 2)   ; 2 = no count stored in [0]
_ArrayPop($aHashes)                        ; empty element after the final newline
_ArrayDelete($aHashes, 0)                  ; header row ("file_digest")
$aHashes = _ArrayUnique($aHashes, 0, 0, 0, 0)   ; last 0 = no count stored in [0]

For $i = 0 To UBound($aHashes) - 1

    $iPid = Run("cmd /c " & $curldir & " -k -F hash=" & $aHashes[$i] & " -F format=xml -F apikey=" & $sApiKey & " https://wildfire.paloaltonetworks.com/publicapi/get/report", "", @SW_HIDE, $STDOUT_CHILD)

    ; collect curl's stdout until the process closes the pipe
    $sOutput = ""
    While 1
        $sOutput &= StdoutRead($iPid)
        If @error Then ExitLoop
    WEnd

    FileWrite(@ScriptDir & "\WILDFIRE\" & $aHashes[$i] & ".xml", $sOutput)

Next


Edited by iamtheky

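The same pipeline in Python, added here as an example and not part of iamtheky's post: it reduces the Splunk CSV export (header row, CRLF endings, repeats) to a list of digests, drops anything that is not a well-formed SHA-256 before it reaches a command line or the API, and builds the multipart POST that curl -F sends to get/report. The endpoint and field names are the ones in the post; SAMPLE_EXPORT is constructed, and fetch_reports keeps TLS verification on rather than the post's curl -k.

```python
import csv
import os
import re
from urllib.request import Request, urlopen

WILDFIRE_REPORT_URL = "https://wildfire.paloaltonetworks.com/publicapi/get/report"
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def parse_splunk_digests(csv_text: str) -> list:
    """Splunk's CSV export (header row, CRLF line endings, repeats) -> unique SHA-256s.
    Values that are not a well-formed SHA-256 are dropped instead of being handed to
    the API or, as in the AutoIt version, spliced into a cmd /c command line."""
    seen, digests = set(), []
    for row in csv.DictReader(csv_text.splitlines()):     # empty lines are skipped
        value = (row.get("file_digest") or "").strip().lower()
        if SHA256_RE.match(value) and value not in seen:
            seen.add(value)
            digests.append(value)
    return digests


def build_report_request(sha256: str, api_key: str) -> Request:
    """The request curl -F hash=.. -F format=xml -F apikey=.. sends: multipart POST."""
    if not SHA256_RE.match(sha256):
        raise ValueError("not a SHA-256: %r" % sha256)
    boundary = "----wildfire-report-example"                 # constructed boundary
    fields = {"hash": sha256, "format": "xml", "apikey": api_key}
    body = "".join(
        '--%s\r\nContent-Disposition: form-data; name="%s"\r\n\r\n%s\r\n' % (boundary, k, v)
        for k, v in fields.items()
    ) + "--%s--\r\n" % boundary
    return Request(WILDFIRE_REPORT_URL, data=body.encode(), method="POST",
                   headers={"Content-Type": "multipart/form-data; boundary=" + boundary})


def fetch_reports(csv_text: str, api_key: str, out_dir: str = "WILDFIRE") -> None:
    """Network step (not run offline): one <hash>.xml per digest, TLS verified."""
    os.makedirs(out_dir, exist_ok=True)
    for digest in parse_splunk_digests(csv_text):
        with urlopen(build_report_request(digest, api_key), timeout=60) as resp:
            with open(os.path.join(out_dir, digest + ".xml"), "wb") as fh:
                fh.write(resp.read())


# Constructed stand-in for the Splunk export: header, a hash, the same hash in
# upper case, a junk value and a trailing blank line (not real data).
SAMPLE_EXPORT = "file_digest\r\n" + "a" * 64 + "\r\n" + "A" * 64 + "\r\nnotahash\r\n\r\n"
```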
