ibPS

1.9.8.0

Functions/BloxOne/BloxOneTD/Get-B1SOCInsightAssets.ps1

function Get-B1SOCInsightAssets {
    <#
    .SYNOPSIS
        Queries a list of assets related to a specific SOC Insight

    .DESCRIPTION
        This function is used to query a list of assets related to a specific SOC Insight

    .PARAMETER IP
        Filter the asset results by source IP

    .PARAMETER MACAddress
        Filter the asset results by source MAC address

    .PARAMETER OSVersion
        Filter the asset results by the detected source OS Version

    .PARAMETER Start
        Filter the asset results by observed start time

    .PARAMETER End
        Filter the asset results by observed end time

    .PARAMETER User
        Filter the asset results by associated user

    .PARAMETER Limit
        Limit the number of results

    .PARAMETER insightId
        The insightId of the Insight to retrieve impacted assets for. Accepts pipeline input (See examples)

    .EXAMPLE
        PS> Get-B1SOCInsight -Priority CRITICAL | Get-B1SOCInsightAssets | Sort-Object threatIndicatorDistinctCount -Descending | ft -AutoSize

        cid cmac count qip location osVersion threatLevelMax threatIndicatorDistinctCount timeMax timeMin
        --- ---- ----- --- -------- --------- -------------- ---------------------------- ------- -------
        cscuygwfybfsebfy4b4hf34h798fsbew:vlmfg90hgr54gmdg0g4rgdn9gh5ryg8l ab:cd:ef:12:34:56 4845 81.42.14.78 Alcalá de Henares,Spain macOS 14.2.1 3 9 3/1/2024 9:00:00AM 2/29/2024 7:00:00PM
        fsdfnje98jnsdxng984tjngmdhj6m6uj:vlmfg90hgr54gmdg0g4rgdn9gh5ryg8l 12:34:56:ab:cd:ef 2028 43.54.25.86 Marcq-en-Baroeul,France macOS 14.2.1 2 8 3/26/2024 11:00:00AM 3/26/2024 8:00:00AM
        fsdfnje98jnsdxng984tjngmdhj6m6uj:vlmfg90hgr54gmdg0g4rgdn9gh5ryg8l 12:34:56:ab:cd:ef 1097 43.54.25.86 Houilles,France macOS 14.2.1 2 5 3/25/2024 9:00:00PM 3/22/2024 8:00:00AM
        jmjkumfdadguyg76fvgdglniuhvoxdbd:vlmfg90hgr54gmdg0g4rgdn9gh5ryg8l ab:12:cd:34:ef:56 1300 120.134.53.53 Prague,Czechia macOS 14.3.1 3 4 2/26/2024 9:00:00AM 2/26/2024 8:00:00AM
        ...

    .FUNCTIONALITY
        BloxOneDDI

    .FUNCTIONALITY
        BloxOne Threat Defense

    .FUNCTIONALITY
        SOC Insights
    #>
    [CmdletBinding()]
    param(
      [IPAddress]$IP,
      [String]$MACAddress,
      [String]$OSVersion,
      [DateTime]$Start,
      [DateTime]$End,
      [String]$User,
      [Int]$Limit,
      [Parameter(
        ValueFromPipelineByPropertyName = $true,
        Mandatory=$true
      )]
      [String[]]$insightId
    )

    process {
      $QueryFilters = @()

      if ($IP) {
        $QueryFilters += "qip=$($IP.IPAddressToString)"
      }
      if ($MACAddress) {
        $QueryFilters += "cmac=$($MACAddress)"
      }
      if ($OSVersion) {
        $QueryFilters += "os_version=$($OSVersion)"
      }
      if ($Start) {
        $Start = $Start.ToUniversalTime()
        $StartTime = $Start.ToString("yyyy-MM-ddTHH:mm:ss.000")
        $QueryFilters += "from=$($StartTime)"
      }
      if ($End) {
        $End = $End.ToUniversalTime()
        $EndTime = $End.ToString("yyyy-MM-ddTHH:mm:ss.000")
        $QueryFilters += "to=$($EndTime)"
      }
      if ($User) {
        $QueryFilters += "user=$($User)"
      }
      if ($Limit) {
        $QueryFilters += "limit=$($Limit)"
      }
      if ($QueryFilters) {
        $QueryFilter = ConvertTo-QueryString $QueryFilters
      }
      Write-DebugMsg -Filters $QueryFilters
      $Results = Invoke-CSP -Uri "$(Get-B1CspUrl)/api/v1/insights/$insightId/assets$QueryFilter" -Method GET | Select-Object -ExpandProperty assets -ErrorAction SilentlyContinue -WarningAction SilentlyContinue

      if ($Results) {
        return $Results
      }
    }
}