4 Replies Latest reply on Sep 23, 2013 9:35 PM by mrjester

    Python - Output query results to text file

    woodsjw

      Since ePO inexplicably does not allow you to apply a tag to the results of an EEPC query I'm trying to call the same ePO query from python, dump the results to a file, and then use that same file with python to apply the tag I want.  Running the query is no problem, but I'm new to python so I'm having trouble dumping it to a file... or would it be more efficient to store it in a list or array and iterate through that to apply the tag?

        • 1. Re: Python - Output query results to text file
          mingle1

          Efficiency is always a matter of opinion... I personally would use both. I would store the information in an array that I can iterate through while always storing it to a file for future use and logging.


          If you are having a hard time with dumping the info to a file then I would just iterate through an array. You can always go back and modify your code once you figure it out.

          • 2. Re: Python - Output query results to text file
            woodsjw

            If I manually populate the list i.e. list = [1,2,3,4,5] I can iterate through it and write it out to a file no problem.  My challenge is getting the results of core.executeQuery into a list or array.

            • 3. Re: Python - Output query results to text file
              mingle1

              The best way I have managed it in PowerShell is with XML. By outputting in XML I can then iterate through the tree and pull out the info that I need... even put it into an array. Otherwise it would be a string which can be more complicated to manipulate. So consider what you are having it output as: String, XML, JSON... and maybe tackle it from a different perspective.

              • 4. Re: Python - Output query results to text file
                mrjester

                Are you not able to apply a tag utilizing a server task?


                Either way when you utilize the McAfee python API files the results that are returned to you are in a list. Each element within the list is a DICT of the data you requested. Here is a simple example to hopefully help you:


                import string
                import mcafee

                # ePO connection details (placeholders, fill in your own)
                address = 'epo.example.com'
                port = '8443'
                username = 'admin'
                password = 'password'
                # AgentGUID of the host whose events you want
                searchGUID = '00000000-0000-0000-0000-000000000000'

                mc = mcafee.client(address, port, username, password)

                target = 'EPOEvents'
                select = '(select EPOEvents.DetectedUTC EPOEvents.ThreatName EPOEvents.AnalyzerName EPOEvents.SourceProcessName EPOEvents.TargetFileName EPOEvents.ThreatActionTaken)'
                # events for this agent newer than 24 hours (86400000 ms)
                where = '( where ( and ( eq EPOEvents.AgentGUID "%s" ) ( newerThan EPOEvents.DetectedUTC 86400000 ) ) )' % (searchGUID)
                order = '(order(asc EPOEvents.DetectedUTC))'

                # returns a list; each element is a dict keyed by "Table.Column"
                data = mc.core.executeQuery(target=target, select=select, where=where, order=order)

                for event in data:
                    print string.ljust('Event Generated Time (UTC)', 40), string.ljust(event['EPOEvents.DetectedUTC'], 80)
                    print string.ljust('Detecting Product', 40), string.ljust(event['EPOEvents.AnalyzerName'], 80)
                    print string.ljust('Threat Name', 40), string.ljust(event['EPOEvents.ThreatName'], 80)
                    print string.ljust('Process Name', 40), string.ljust(event['EPOEvents.SourceProcessName'], 80)
                    print string.ljust('File Name', 40), string.ljust(event['EPOEvents.TargetFileName'], 80)
                    print string.ljust('Action Taken', 40), string.ljust(event['EPOEvents.ThreatActionTaken'], 80)


                Now this code basically queries HBSS for events based on a Host Asset GUID and then loops the array and extracts the data.


                Message was edited by: mrjester on 9/23/13 9:35:45 PM CDT
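Putting the thread together (the list-of-dicts result of core.executeQuery, the text file the original question asks for, and the tag step), here is an added Python 3 example that is not from any poster. The sample rows, the EPOLeafNode column names, the DryRunClient stub and the kwargs shape of the system.applyTag call are assumptions; replace the stub with a real mcafee.client to run it against ePO.

```python
import csv
import os
import tempfile

# Constructed sample rows in the shape the ePO python client hands back from
# core.executeQuery: a list, each element a dict keyed by "Table.Column".
SAMPLE_ROWS = [
    {'EPOLeafNode.NodeName': 'WS-0001', 'EPOLeafNode.AgentGUID': 'A1', 'EPOLeafNode.LastUpdate': '2013-09-20T10:15:00'},
    {'EPOLeafNode.NodeName': 'WS-0002', 'EPOLeafNode.AgentGUID': 'A2', 'EPOLeafNode.LastUpdate': '2013-09-21T08:02:00'},
    {'EPOLeafNode.NodeName': 'WS-0003', 'EPOLeafNode.AgentGUID': 'A3', 'EPOLeafNode.LastUpdate': None},
]

def dump_results(rows, path):
    """Write query rows to a tab-separated text file, header line first.
    Columns are the union of keys over all rows; None (SQL NULL) becomes an empty cell."""
    fieldnames = sorted({key for row in rows for key in row})
    with open(path, 'w', newline='') as fh:
        writer = csv.DictWriter(fh, fieldnames=fieldnames, delimiter='\t')
        writer.writeheader()
        writer.writerows(rows)
    return len(rows)

def load_column(path, column):
    """Read one column back from a file written by dump_results, as a list of strings."""
    with open(path, newline='') as fh:
        return [row[column] for row in csv.DictReader(fh, delimiter='\t')]

def apply_tag_from_file(client, path, tag_name, column='EPOLeafNode.NodeName'):
    """Tag every system named in the file. The client is assumed (not confirmed by the
    thread) to expose system.applyTag(names=..., tagName=...) in the same kwargs style as
    the core.executeQuery call above. Returns the names that were sent."""
    names = [name for name in load_column(path, column) if name]
    if names:
        client.system.applyTag(names=','.join(names), tagName=tag_name)
    return names

class DryRunClient(object):
    """Stand-in for mcafee.client that records applyTag calls instead of contacting ePO."""
    class _System(object):
        def __init__(self):
            self.calls = []
        def applyTag(self, **kwargs):
            self.calls.append(kwargs)
    def __init__(self):
        self.system = self._System()

def demo(tag_name='NeedsEEPC'):
    """Dump SAMPLE_ROWS to a temp file, then tag from that file using the dry-run client."""
    path = os.path.join(tempfile.mkdtemp(), 'query_results.txt')
    written = dump_results(SAMPLE_ROWS, path)
    client = DryRunClient()
    tagged = apply_tag_from_file(client, path, tag_name)
    return {'path': path, 'written': written, 'tagged': tagged, 'calls': client.system.calls}
```

Because the file round-trips through csv, every value comes back as a string, so NULL columns read as '' and are skipped by the tagging step.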