Advanced Threat Analytics 1.8 Center Discovery Data Source

Microsoft.AdvancedThreatAnalytics.1_8.Center.Discovery.DataSource (DataSourceModuleType)

Data Source for Microsoft ATA 1.8 Center Discovery

Element properties:

Type: DataSourceModuleType
Isolation: Any
Accessibility: Internal
RunAs: Default
OutputType: System.Discovery.Data

Member Modules:

ID | Module Type | TypeId | RunAs
Scheduler | DataSource | System.Discovery.Scheduler | Default
PowerShell | ProbeAction | Microsoft.Windows.PowerShellDiscoveryProbe | Default

Overrideable Parameters:

ID | ParameterType | Selector | Display Name | Description
IntervalSeconds | int | $Config/IntervalSeconds$ | Interval Seconds | (none)

Source Code:

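<DataSourceModuleType ID="Microsoft.AdvancedThreatAnalytics.1_8.Center.Discovery.DataSource" Accessibility="Internal" Batching="false">
  <Configuration>
    <IncludeSchemaTypes>
      <SchemaType>System!System.ExpressionEvaluatorSchema</SchemaType>
    </IncludeSchemaTypes>
    <!-- computerName is passed straight through to the probe script and used for the
         DisplayName / ServerName / PrincipalName properties of the discovered instances. -->
    <xsd:element xmlns:xsd="http://www.w3.org/2001/XMLSchema" minOccurs="1" name="computerName" type="xsd:string"/>
    <xsd:element xmlns:xsd="http://www.w3.org/2001/XMLSchema" minOccurs="1" name="IntervalSeconds" type="xsd:integer"/>
  </Configuration>
  <OverrideableParameters>
    <OverrideableParameter ID="IntervalSeconds" ParameterType="int" Selector="$Config/IntervalSeconds$"/>
  </OverrideableParameters>
  <ModuleImplementation Isolation="Any">
    <Composite>
      <MemberModules>
        <DataSource ID="Scheduler" TypeID="System!System.Discovery.Scheduler">
          <Scheduler>
            <!-- "SimpleReccuringSchedule" is the element name defined by the SCOM schema; do not "correct" it. -->
            <SimpleReccuringSchedule>
              <Interval Unit="Seconds">$Config/IntervalSeconds$</Interval>
            </SimpleReccuringSchedule>
            <ExcludeDates/>
          </Scheduler>
        </DataSource>
        <!-- The probe runs under the module's RunAs (Default action account) on the targeted
             computer. Everything it reads is local: registry, Win32_Service, the ATA binaries,
             the ATA Mongo database (via mongo.exe in the MongoDB bin directory) and mongod.cfg. -->
        <ProbeAction ID="PowerShell" TypeID="Windows!Microsoft.Windows.PowerShellDiscoveryProbe">
          <ScriptName>ATACenterDiscovery.ps1</ScriptName>
          <ScriptBody><Script>param($SourceId,$ManagedEntityId,$computerName)

# ATACenterDiscovery.ps1 - discovers a Microsoft ATA 1.8 Center and its MongoDB
# database on this computer and returns SCOM discovery data.
#
# Data sources (all local):
#   - registry key HKLM:\SOFTWARE\Microsoft\Microsoft Advanced Threat Analytics\Center
#   - Win32_Service command lines of the ATACenter and MongoDB services
#   - product version of Microsoft.Tri.Center.exe
#   - the ATA Mongo database, queried through mongo.exe from the MongoDB bin directory
#   - mongod.cfg (dbPath)
#
# Parameters (bound by name from the module's Parameters block):
#   $SourceId        - $MPElement$ of the calling discovery.
#   $ManagedEntityId - $Target/Id$ of the targeted object.
#   $computerName    - principal name of the agent computer; used for the
#                      DisplayName, ServerName and PrincipalName properties.
#
# Output: the MOM.ScriptAPI discovery data object. It is emitted on every path
# (also when this server is not a 1.8 Center) so that an empty result lets SCOM
# retire instances that no longer exist, instead of leaving them stale.
#
# Security note: the script runs under the module's default action account.
# The mongo shell is therefore invoked by its explicit file name (mongo.exe)
# rather than the extension-less '.\Mongo', which would let PowerShell resolve
# a planted mongo.com / mongo.bat in the same directory first (PATHEXT order).

$ScriptName = 'ATACenterDiscovery.ps1'

#Set SCOM Properties
$api = New-Object -comObject 'MOM.ScriptAPI'
$DiscoveryData = $api.CreateDiscoveryData(0, $SourceId, $ManagedEntityId)
# Only errors raised by this run should end up in the 3284 event.
$Error.Clear()

#Set variables to be used in logging events
$whoami = whoami
$StartTime = Get-Date

#Log an event that our script is starting
$api.LogScriptEvent($ScriptName,3280,0,"v1.8-ATA Center Discovery Script is starting. Running as $whoami.")

# Returns the raw command line (PathName) of a Windows service, or $null when
# the service is not installed.
function Get-ServiceCommandLine([string]$ServiceName){
    $svc = Get-WmiObject win32_service | Where-Object { $_.Name -eq $ServiceName }
    if($svc){ return [string]$svc.PathName }
    return $null
}

# Extracts the executable path from a service command line, handling both the
# quoted form ("C:\dir with spaces\x.exe" args) and the unquoted form
# (C:\dir\x.exe args). Returns an empty string for an empty command line.
# The original stripped quotes and kept any trailing arguments as part of the path.
function Get-ExePathFromCommandLine([string]$CommandLine){
    if(-not $CommandLine){ return '' }
    $m = [regex]::Match($CommandLine, '^\s*"([^"]+)"')
    if($m.Success){ return $m.Groups[1].Value }
    $m = [regex]::Match($CommandLine, '^\s*(.+?\.exe)', 'IgnoreCase')
    if($m.Success){ return $m.Groups[1].Value }
    return $CommandLine.Replace('"','')
}

# Runs a query against the ATA database through the mongo shell located in
# $MongoBin and returns only the output lines that look like JSON documents.
# The shell prints a banner (shell version, connection string, server version)
# whose line count varies between shell versions and may append a
# 'Type "it" for more' line, so documents are selected by shape rather than
# by the fixed line index ($DBdata[3]) the original relied on.
# Any failure is left in $Error (logged later by Write-ErrorEvent) and yields
# an empty result.
function Invoke-AtaMongoQuery([string]$MongoBin,[string]$Query){
    if(-not $MongoBin -or -not (Test-Path -LiteralPath $MongoBin)){ return @() }
    $lines = @()
    Push-Location -LiteralPath $MongoBin
    try{
        # Explicit file name on purpose - see the security note in the header.
        $lines = @(.\mongo.exe ATA --eval $Query)
    }
    catch{
        $lines = @()
    }
    finally{
        Pop-Location
    }
    return @($lines | Where-Object { $_ -match '^\s*\{' })
}

# Logs the accumulated $Error collection (if any) as a warning event.
function Write-ErrorEvent(){
    if($Error){ $api.LogScriptEvent($ScriptName,3284,2,"v1.8-Error is $Error") }
}

# Logs the completion event together with the total runtime in seconds.
function Write-CompletionEvent([string]$Message){
    $ScriptTime = ((Get-Date) - $StartTime).TotalSeconds
    $api.LogScriptEvent($ScriptName,3281,0,"v1.8-ATA Center Discovery Script is complete. $Message Total runtime ($ScriptTime) seconds.")
}

$IsCenter = Test-Path 'HKLM:\SOFTWARE\Microsoft\Microsoft Advanced Threat Analytics\Center'
$Is18Center = $false
$Completion = 'This server is not a center.'
$Version = $null

If($IsCenter){
    $Completion = 'This server is not a 1.8 center.'

    #Get the ATA Install Path
    $EXEPath = Get-ExePathFromCommandLine (Get-ServiceCommandLine 'ATACenter')
    $ATAInstallationPath = if($EXEPath){ Split-Path -Parent $EXEPath } else { '' }

    #Get File Version. A missing binary leaves $FileVersion empty, which is
    #reported as "not a 1.8 center" instead of throwing on a null path.
    $FileVersion = $null
    If($EXEPath -and (Test-Path -LiteralPath $EXEPath)){
        $FileVersion = (Get-ItemProperty -LiteralPath $EXEPath).VersionInfo.ProductVersion
    }

    If($FileVersion -like "1.8*"){
        $Is18Center = $true

        #Get the Mongo Install Path (directory of mongod.exe, where mongo.exe also lives).
        #The original derived it by splitting the command line on '_', which breaks for
        #any installation path containing an underscore.
        $MongoCmd = Get-ServiceCommandLine 'MongoDB'
        $MongoExe = Get-ExePathFromCommandLine $MongoCmd
        $MongoInstallationPath = if($MongoExe){ Split-Path -Parent $MongoExe } else { '' }

        #Query the Database for the center system profile
        $QueryConfiguration = 'db.SystemProfile.find({_t:`"CenterSystemProfile`"},{''Version'':1,''Configuration.CenterWebApplicationConfiguration.ServiceListeningIpEndpoint'':1,''Configuration.CenterWebClientConfiguration.ServiceCertificateThumbprints'':1,''Configuration.CenterWebClientConfiguration.ServiceEndpoints'':1,_id:0})'
        $profileDocs = @(Invoke-AtaMongoQuery $MongoInstallationPath $QueryConfiguration)

        #Process the data
        $ServiceIP = $null
        $ServicePort = $null
        $ConsoleAddress = $null
        $ConsoleCertificateThumbprint = $null
        if($profileDocs.Count -gt 0){
            $jsondata = $profileDocs[0] | ConvertFrom-Json
            # @(...)[0] replaces the original .item(0) and works whether the
            # deserialized value is an array or a single unwrapped element.
            $endpoint = @($jsondata.Configuration.CenterWebClientConfiguration.ServiceEndpoints)[0]
            $ServiceIP = $endpoint.Address
            # Everything listens on 443 in 1.8; the port is still collected
            # because the class carries a ServicePort property.
            $ServicePort = $jsondata.Configuration.CenterWebApplicationConfiguration.ServiceListeningIpEndpoint.Port
            # There is no separate console IP anymore; the console shares the
            # single service endpoint.
            $ConsoleAddress = $endpoint.Address
            $ConsoleCertificateThumbprint = @($jsondata.Configuration.CenterWebClientConfiguration.ServiceCertificateThumbprints)[0]
            $Version = $jsondata.Version
        }

        #Query the Database for the AD site(s) and derive the forest DNS name:
        #CN=Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com  becomes  contoso.com
        $QueryDistinguishedName = 'db.UniqueEntity.find({_t:`"Site`"},{''DistinguishedName'':1})'
        $ADForest = $null
        foreach($doc in (Invoke-AtaMongoQuery $MongoInstallationPath $QueryDistinguishedName)){
            $dn = [string]($doc | ConvertFrom-Json).DistinguishedName
            $tail = @($dn -split 'Configuration,')[1]
            if($tail){ $ADForest = $tail.Replace('DC=','').Replace(',','.') }
            # NOTE(review): last site wins, as in the original. A deployment that
            # monitors more than one forest reports only the last one returned.
        }

        #Locate mongod.cfg: prefer the --config argument of the MongoDB service
        #command line, fall back to mongod.cfg next to mongod.exe (the original's only path).
        $CFGFile = if($MongoInstallationPath){ Join-Path $MongoInstallationPath 'mongod.cfg' } else { '' }
        if($MongoCmd){
            $cfgArg = [regex]::Match($MongoCmd, '--config\s+(?:"([^"]+)"|(\S+))')
            if($cfgArg.Success){
                $candidate = $cfgArg.Groups[1].Value
                if(-not $candidate){ $candidate = $cfgArg.Groups[2].Value }
                if($candidate -and (Test-Path -LiteralPath $candidate)){ $CFGFile = $candidate }
            }
        }

        #Read dbPath from the config file
        $DBPath = $null
        if($CFGFile -and (Test-Path -LiteralPath $CFGFile)){
            $cfgLine = Get-Content -LiteralPath $CFGFile | Where-Object { $_ -match '^\s*dbpath\s*[:=]' } | Select-Object -First 1
            if($cfgLine){
                # Strip the key (YAML 'dbPath:' or legacy 'dbpath=') and any surrounding
                # quotes. The original used TrimStart(" dbPath: "), which trims a *set of
                # characters*, not a prefix - a lower-case drive letter such as d:\ lost
                # its leading characters.
                $DBPath = ($cfgLine -replace '^\s*dbpath\s*[:=]\s*', '').Trim().Trim('"').Trim("'")
            }
        }

        #Add the data into the PropertyBag
        $CenterInstance = $DiscoveryData.CreateClassInstance("$MPElement[Name='Microsoft.AdvancedThreatAnalytics.1_8.Center']$")
        $CenterInstance.AddProperty("$MPElement[Name='System!System.Entity']/DisplayName$", $computerName)
        $CenterInstance.AddProperty("$MPElement[Name='Windows!Microsoft.Windows.Computer']/PrincipalName$", $computerName)
        $CenterInstance.AddProperty("$MPElement[Name='Microsoft.AdvancedThreatAnalytics.1_8.Center']/ServerName$", $computerName)
        $CenterInstance.AddProperty("$MPElement[Name='Microsoft.AdvancedThreatAnalytics.1_8.Center']/Version$", $Version)
        $CenterInstance.AddProperty("$MPElement[Name='Microsoft.AdvancedThreatAnalytics.1_8.Center']/ConsoleAddress$", $ConsoleAddress)
        $CenterInstance.AddProperty("$MPElement[Name='Microsoft.AdvancedThreatAnalytics.1_8.Center']/ServiceIP$", $ServiceIP)
        $CenterInstance.AddProperty("$MPElement[Name='Microsoft.AdvancedThreatAnalytics.1_8.Center']/ServicePort$", $ServicePort)
        $CenterInstance.AddProperty("$MPElement[Name='Microsoft.AdvancedThreatAnalytics.1_8.Center']/ConsoleCertificateThumbprint$", $ConsoleCertificateThumbprint)
        $CenterInstance.AddProperty("$MPElement[Name='Microsoft.AdvancedThreatAnalytics.1_8.Center']/InstallationPath$", $ATAInstallationPath)
        $CenterInstance.AddProperty("$MPElement[Name='Microsoft.AdvancedThreatAnalytics.1_8.Center']/ADForest$", $ADForest)
        $DiscoveryData.AddInstance($CenterInstance)

        #Add the MongoDB instance. It is hosted by the Center, hence the Center key
        #properties (ServerName, ServiceIP) are repeated on it.
        $DatabaseInstance = $DiscoveryData.CreateClassInstance("$MPElement[Name='Microsoft.AdvancedThreatAnalytics.1_8.Database']$")
        $DatabaseInstance.AddProperty("$MPElement[Name='System!System.Entity']/DisplayName$", $computerName)
        $DatabaseInstance.AddProperty("$MPElement[Name='Microsoft.AdvancedThreatAnalytics.1_8.Database']/DBPath$", $DBPath)
        $DatabaseInstance.AddProperty("$MPElement[Name='Microsoft.AdvancedThreatAnalytics.1_8.Database']/ServerName$", $computerName)
        $DatabaseInstance.AddProperty("$MPElement[Name='Microsoft.AdvancedThreatAnalytics.1_8.Center']/ServerName$", $computerName)
        $DatabaseInstance.AddProperty("$MPElement[Name='Microsoft.AdvancedThreatAnalytics.1_8.Center']/ServiceIP$", $ServiceIP)
        $DatabaseInstance.AddProperty("$MPElement[Name='Windows!Microsoft.Windows.Computer']/PrincipalName$", $computerName)
        $DiscoveryData.AddInstance($DatabaseInstance)

        $Completion = "Version is $Version."
    }
}

#Log an event for script ending and total execution time, then any errors.
Write-CompletionEvent $Completion
Write-ErrorEvent

#Output the PropertyBag data for SCOM consumption - on every path, so that an
#empty result still reaches SCOM and stale instances can be retired.
$DiscoveryData

IF ($Is18Center -and $DiscoveryData) {$api.LogScriptEvent($ScriptName,3283,0,"v1.8-Discovery Data is $DiscoveryData")}</Script></ScriptBody>
          <Parameters>
            <Parameter>
              <Name>SourceID</Name>
              <Value>$MPElement$</Value>
            </Parameter>
            <Parameter>
              <Name>ManagedEntityID</Name>
              <Value>$Target/Id$</Value>
            </Parameter>
            <Parameter>
              <Name>computerName</Name>
              <Value>$Config/computerName$</Value>
            </Parameter>
          </Parameters>
          <!-- Two mongo shell invocations plus WMI; 60 s has to cover both. -->
          <TimeoutSeconds>60</TimeoutSeconds>
        </ProbeAction>
      </MemberModules>
      <Composition>
        <Node ID="PowerShell">
          <Node ID="Scheduler"/>
        </Node>
      </Composition>
    </Composite>
  </ModuleImplementation>
  <OutputType>System!System.Discovery.Data</OutputType>
</DataSourceModuleType>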