public/Get-VPASPSMSessions.ps1
|
<#
.Synopsis GET PSM SESSIONS CREATED BY: Vadim Melamed, EMAIL: vmelamed5@gmail.com .DESCRIPTION USE THIS FUNCTION TO GET PSM SESSIONS .PARAMETER token HashTable of data containing various pieces of login information (PVWA, LoginToken, HeaderType, etc). If -token is not passed, function will use last known hashtable generated by New-VPASToken .PARAMETER SearchQuery Search string to find target resource via username, address, safe, platform, etc. Comma separated for multiple fields, or to search all pass a blank value like so: " " .PARAMETER FromTime Optional parameter to find target recordings based by Date Range Start date must be in epoch format .PARAMETER ToTime Optional parameter to find target recordings based by Date Range End date must be in epoch format .EXAMPLE $GetPSMSessionsJSON = Get-VPASPSMSessions -SearchQuery {SEARCHQUERY VALUE} .OUTPUTS If successful: { "Recordings": [ ... { "SessionID": "36_102", "SessionGuid": "kajshd7389-zxcv-asdf-qwer-4238746kjwdfhs89", "SafeName": "PSMRecordings", "FolderName": "Root", "IsLive": false, "FileName": "kajshd7389-zxcv-asdf-qwer-4238746kjwdfhs89.session", "Start": 1712111269, "End": 1712111328, "Duration": 59, "User": "vadim@vman.com", "RemoteMachine": "192.168.111.111", "ProtectionDate": 0, "ProtectedBy": "", "ProtectionEnabled": false, "AccountUsername": "vmanda", "AccountPlatformID": "VadimWindowsDomain", "AccountAddress": "vman.com", "PIMSuCommand": "", "PIMSuCWD": "", "ConnectionComponentID": "PSM-RDP", "PSMRecordingEntity": "SessionRecording", "TicketID": "", "FromIP": "192.168.222.222", "Protocol": "RDP", "Client": "RDP", "RiskScore": -1, "Severity": "", "IncidentDetails": null, "RawProperties": "@{Address=vman.com; ConnectionComponentID=PSM-RDP; DeviceType=Operating System; EntityVersion=1.0; ExpectedRecordingsList=kajshd7389-zxcv-asdf-qwer-4238746kjwdfhs89.WIN.txt,kajshd7389-zxcv-asdf-qwer-4238746kjwdfhs89.VID.avi; PSMClientApp=mstsc.exe; PSMPasswordID=9; PSMProtocol=RDP; PSMRecordingEntity=SessionRecording; PSMRemoteMachine=192.168.111.111; PSMSafeID=68; PSMSourceAddress=192.168.222.222; PSMStartTime=1712111269; PSMStatus=Final; PSMVaultUserName=vadim@vman.com; PolicyID=VadimWindowsDomain; ProviderID=PSMApp_VmanCon01; UserName=vmanda; PSMEndTime=1712111328; ActualRecordings=kajshd7389-zxcv-asdf-qwer-4238746kjwdfhs89.WIN.txt;187,kajshd7389-zxcv-asdf-qwer-4238746kjwdfhs89.VID.avi;188; Safe=PSMRecordings; Folder=Root; Name=kajshd7389-zxcv-asdf-qwer-4238746kjwdfhs89.session}", "RecordingFiles": " ", "RecordedActivities": "", "VideoSize": 1772412, "TextSize": 3048, "DetailsUrl": "recordingdetails.aspx?Data=qjwhefjkhwr789439rt8h4j3fj943mh093cmfcj8kfq43kjf093jmf03j0cfk83cmd587yn93f874y9t7473f734y875nt475" }, { "SessionID": "36_103", "SessionGuid": "kajshd7389-zxcv-asdf-qwer-4238746kjwdfhs89", "SafeName": "PSMRecordings", "FolderName": "Root", "IsLive": false, "FileName": "kajshd7389-zxcv-asdf-qwer-4238746kjwdfhs89.session", "Start": 1712100199, "End": 1712100250, "Duration": 51, "User": "vadim@vman.com", "RemoteMachine": "192.168.111.111", "ProtectionDate": 0, "ProtectedBy": "", "ProtectionEnabled": false, "AccountUsername": "vmanda", "AccountPlatformID": "VadimWindowsDomain", "AccountAddress": "vman.com", "PIMSuCommand": "", "PIMSuCWD": "", "ConnectionComponentID": "PSM-RDP", "PSMRecordingEntity": "SessionRecording", "TicketID": "", "FromIP": "192.168.222.222", "Protocol": "RDP", "Client": "RDP", "RiskScore": -1, "Severity": "", "IncidentDetails": null, "RawProperties": "@{Address=vman.com; ConnectionComponentID=PSM-RDP; DeviceType=Operating System; EntityVersion=1.0; ExpectedRecordingsList=kajshd7389-zxcv-asdf-qwer-4238746kjwdfhs89.WIN.txt,kajshd7389-zxcv-asdf-qwer-4238746kjwdfhs89.VID.avi; PSMClientApp=mstsc.exe; PSMPasswordID=9; PSMProtocol=RDP; PSMRecordingEntity=SessionRecording; PSMRemoteMachine=192.168.111.111; PSMSafeID=68; PSMSourceAddress=192.168.222.222; PSMStartTime=1712100199; PSMStatus=Final; PSMVaultUserName=vadim@vman.com; PolicyID=VadimWindowsDomain; ProviderID=PSMApp_VmanCon01; UserName=vmanda; PSMEndTime=1712100250; ActualRecordings=kajshd7389-zxcv-asdf-qwer-4238746kjwdfhs89.WIN.txt;184,kajshd7389-zxcv-asdf-qwer-4238746kjwdfhs89.VID.avi;185; Safe=PSMRecordings; Folder=Root; Name=kajshd7389-zxcv-asdf-qwer-4238746kjwdfhs89.session}", "RecordingFiles": " ", "RecordedActivities": "", "VideoSize": 1691132, "TextSize": 3048, "DetailsUrl": "recordingdetails.aspx?Data=je784o94kfg0ek67y8ke04958yefn5i847yjt78j4eo78t4jy5o7mt458yntd9285m70ws8k20348jytf4597fho94hmnoy9875mh49e87mh4o85d0wl89l509d38k45t983f54" }, ... ], "Total": 17 } --- $false if failed #> function Get-VPASPSMSessions{ [OutputType('System.Object',[bool])] [CmdletBinding()] Param( [Parameter(Mandatory=$true,ValueFromPipelineByPropertyName=$true,HelpMessage="Enter wildcard search to query PSMSessions (for example: 'localadmin server1.vman.com')",Position=0)] [String]$SearchQuery, [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=1)] [String]$FromTime, [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=2)] [String]$ToTime, [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=3)] [hashtable]$token ) Begin{ $tokenval,$sessionval,$PVWA,$Header,$ISPSS,$IdentityURL,$EnableTextRecorder,$AuditTimeStamp,$NoSSL,$VaultVersion,$HideWarnings,$AuthenticatedAs = Get-VPASSession -token $token $CommandName = $MyInvocation.MyCommand.Name $log = Write-VPASTextRecorder -inputval $CommandName -token $token -LogType COMMAND } Process{ Write-Verbose "SUCCESSFULLY PARSED PVWA VALUE" Write-Verbose "SUCCESSFULLY PARSED TOKEN VALUE" Write-Verbose "SUCCESSFULLY PARSED SEARCHQUERY VALUE: $SearchQuery" try{ $apiLimit = 1000 if($NoSSL){ Write-Verbose "NO SSL ENABLED, USING HTTP INSTEAD OF HTTPS" $uri = "http://$PVWA/PasswordVault/api/recordings?limit=$apiLimit" } else{ Write-Verbose "SSL ENABLED BY DEFAULT, USING HTTPS" $uri = "https://$PVWA/PasswordVault/api/recordings?limit=$apiLimit" } if(![String]::IsNullOrEmpty($FromTime)){ $uri += "&FromTime=$FromTime" } if(![String]::IsNullOrEmpty($ToTime)){ $uri += "&ToTime=$ToTime" } $uri += "&Search=$SearchQuery" $log = Write-VPASTextRecorder -inputval $uri -token $token -LogType URI $log = Write-VPASTextRecorder -inputval "GET" -token $token -LogType METHOD write-verbose "MAKING API CALL TO CYBERARK" if($sessionval){ $response = Invoke-RestMethod -Headers @{"Authorization"=$Header} -Uri $uri -Method GET -ContentType "application/json" -WebSession $sessionval } else{ $response = Invoke-RestMethod -Headers @{"Authorization"=$Header} -Uri $uri -Method GET -ContentType "application/json" } $log = Write-VPASTextRecorder -inputval $response -token $token -LogType RETURNARRAY $curcount = $response.Total $curtotal = $curcount $curItems = $response.Recordings while($curcount -eq $apiLimit){ $LastStartTime = $response.Recordings[$apiLimit-1].start + 1 $TempEndTime = $LastStartTime - 31556926 if(![String]::IsNullOrEmpty($FromTime)){ if($FromTime -gt $TempEndTime){ $TempEndTime = $FromTime } } if($NoSSL){ Write-Verbose "NO SSL ENABLED, USING HTTP INSTEAD OF HTTPS" $uri = "http://$PVWA/PasswordVault/api/recordings?limit=$apiLimit&FromTime=$TempEndTime&ToTime=$LastStartTime&Search=$SearchQuery" } else{ Write-Verbose "SSL ENABLED BY DEFAULT, USING HTTPS" $uri = "https://$PVWA/PasswordVault/api/recordings?limit=$apiLimit&FromTime=$TempEndTime&ToTime=$LastStartTime&Search=$SearchQuery" } Write-Verbose "SETTING URI: $uri" $log = Write-VPASTextRecorder -inputval $uri -token $token -LogType URI $log = Write-VPASTextRecorder -inputval "GET" -token $token -LogType METHOD write-verbose "MAKING API CALL TO CYBERARK" if($sessionval){ $response = Invoke-RestMethod -Headers @{"Authorization"=$Header} -Uri $uri -Method GET -ContentType "application/json" -WebSession $sessionval } else{ $response = Invoke-RestMethod -Headers @{"Authorization"=$Header} -Uri $uri -Method GET -ContentType "application/json" } $log = Write-VPASTextRecorder -inputval $response -token $token -LogType RETURNARRAY $curcount = $response.Total $curtotal += $curcount $curItems += $response.Recordings } $response.Recordings = $curItems $response.Total = $curtotal Write-Verbose "RETURNING JSON OBJECT" return $response }catch{ $log = Write-VPASTextRecorder -inputval $_ -token $token -LogType ERROR $log = Write-VPASTextRecorder -inputval "REST API COMMAND RETURNED: FALSE" -token $token -LogType MISC Write-Verbose "UNABLE TO GET PSM SESSIONS FOR SEARCHQUERY: $SearchQuery" Write-VPASOutput -str $_ -type E return $false } } End{ $log = Write-VPASTextRecorder -inputval $CommandName -token $token -LogType DIVIDER } } |