
Python - Output query results to text file

Since ePO inexplicably does not allow you to apply a tag to the results of an EEPC query, I'm trying to call the same ePO query from Python, dump the results to a file, and then use that same file with Python to apply the tag I want. Running the query is no problem, but I'm new to Python so I'm having trouble dumping it to a file... or would it be more efficient to store it in a list or array and iterate through that to apply the tag?

4 Replies

Re: Python - Output query results to text file

Efficiency is always a matter of opinion... I personally would use both. I would store the information in an array that I can iterate through while always storing it to a file for future use and logging.

If you are having a hard time with dumping the info to a file then I would just iterate through an array. You can always go back and modify your code once you figure it out.

Re: Python - Output query results to text file

If I manually populate the list, i.e. list = [1,2,3,4,5], I can iterate through it and write it out to a file no problem. My challenge is getting the results of core.executeQuery into a list or array.

Re: Python - Output query results to text file

The best way I have managed it in PowerShell is with XML. By outputting in XML I can then iterate through the tree and pull out the info that I need... even put it into an array. Otherwise it would be a string, which can be more complicated to manipulate. So consider what you are having it output as: String, XML, JSON... and maybe tackle it from a different perspective.

Re: Python - Output query results to text file

Are you not able to apply a tag utilizing a server task?

Either way, when you utilize the McAfee Python API files, the results that are returned to you are in a list. Each element within the list is a dict of the data you requested. Here is a simple example to hopefully help you:

import string   # needed for string.ljust below (this is Python 2 code)
import mcafee

# address, port, username, password and searchGUID are placeholders:
# fill in your ePO server details and the AgentGUID you want to search for.
mc = mcafee.client(address, port, username, password)

target = 'EPOEvents'
select = '(select EPOEvents.DetectedUTC EPOEvents.ThreatName EPOEvents.AnalyzerName EPOEvents.SourceProcessName EPOEvents.TargetFileName EPOEvents.ThreatActionTaken)'
# events from one agent (matched by GUID) detected in the last 24 hours (86400000 ms)
where = '( where ( and ( eq EPOEvents.AgentGUID "%s" ) ( newerThan EPOEvents.DetectedUTC 86400000 ) ) )' % (searchGUID)
order = '(order(asc EPOEvents.DetectedUTC))'

# executeQuery returns a list; each element is a dict keyed by "Table.Column"
data = mc.core.executeQuery(target=target, select=select, where=where, order=order)

for event in data:
    print string.ljust('Event Generated Time (UTC)', 40), string.ljust(event['EPOEvents.DetectedUTC'], 80)
    print string.ljust('Detecting Product', 40), string.ljust(event['EPOEvents.AnalyzerName'], 80)
    print string.ljust('Threat Name', 40), string.ljust(event['EPOEvents.ThreatName'], 80)
    print string.ljust('Process Name', 40), string.ljust(event['EPOEvents.SourceProcessName'], 80)
    print string.ljust('File Name', 40), string.ljust(event['EPOEvents.TargetFileName'], 80)
    print string.ljust('Action Taken', 40), string.ljust(event['EPOEvents.ThreatActionTaken'], 80)

Now this code basically queries HBSS for events based on a Host Asset GUID and then loops the array and extracts the data.

Message was edited by: mrjester on 9/23/13 9:35:45 PM CDT
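An added Python 3 example (my own, not code from this thread or from the McAfee API) that does what the original question asks: it takes a constructed list of dicts in the shape mrjester describes, dumps it to a text file as JSON, reloads it, and builds the de-duplicated list of system names to hand to the tagging step. The column names and the tagging command named in the comments are assumptions.

```python
import json
import os
import tempfile

# Constructed sample in the shape core.executeQuery returns: a list of dicts
# keyed by "Table.Column". Names and GUIDs are made up; a real run would
# replace this with the value returned by mc.core.executeQuery(...).
SAMPLE_RESULTS = [
    {"EPOLeafNode.NodeName": "WS-001", "EPOLeafNode.AgentGUID": "guid-0001"},
    {"EPOLeafNode.NodeName": "WS-002", "EPOLeafNode.AgentGUID": "guid-0002"},
    {"EPOLeafNode.NodeName": "WS-001", "EPOLeafNode.AgentGUID": "guid-0001"},  # duplicate row
    {"EPOLeafNode.AgentGUID": "guid-0003"},  # row missing the name column
]


def dump_results(rows, path):
    """Write the query rows to a JSON text file; returns the number of rows written."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(rows, fh, indent=2)
    return len(rows)


def load_results(path):
    """Read rows back from the file written by dump_results (a list of dicts again)."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def tag_targets(rows, name_key="EPOLeafNode.NodeName"):
    """Distinct, non-empty system names from the rows, in first-seen order.

    Rows lacking the name column are skipped instead of raising KeyError,
    and duplicates are collapsed so each system is tagged only once.
    """
    names = []
    for row in rows:
        name = row.get(name_key)
        if name and name not in names:
            names.append(name)
    return names


def run(path=None):
    """Dump the sample rows, reload them from disk, and return the names to tag.

    The returned list is what you would pass to the tagging call (assumed to be
    the ePO "system.applyTag" remote command; that call is not made here).
    """
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "query_results.json")
    dump_results(SAMPLE_RESULTS, path)
    return tag_targets(load_results(path))


if __name__ == "__main__":
    print(run())  # ['WS-001', 'WS-002']
```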