Need fixlet ID into Action relevance query

Hi, I am using the below session relevance query to find out action status, which is working fine.

(IDs of Actions of it, Names of Issuers of Actions of it, Names of Actions of it, States of Actions of it, Times Issued of Actions of it, start date of action of it, end date of action of it, Names of Computers of it, Operating Systems of Computers of it, IP Addresses of Computers of it, Last Report Times of Computers of it, Detailed Status of it,Status of it,Names of member actions of actions of it) of results whose (((Name of Action of it as lowercase starts with "p10"))) of bes actions whose ((start time_of_day of it as string >=("01 oct 2018 00:00:00"))and (end time_of_day of it as string <=("13 nov 2018 23:59:59")))

Now I want to see the fixlet ID as well for the member action. For this I am trying to use the below query, but I am unable to merge both of them.

((id of it) of bes fixlets whose (name of it contains "MS14-057"))

Not working ??

((id of it) of bes fixlets whose (Names of member actions of actions of it) of results whose (((Name of Action of it as lowercase starts with "p"))) of bes actions whose ((start time_of_day of it as string >=("01 oct 2018 00:00:00"))and (end time_of_day of it as string <=("13 nov 2018 23:59:59"))))

Please suggest.

Are you and @tyagi.j posting the same question each time hoping for more responses? I don’t think this is the first time I’ve seen your questions duplicated. If that’s the case, I understand that you think asking more times gives a better chance of response, but I assure you it doesn’t. Asking duplicate questions really just confuses the issue - often it is the case that multiple answers can build from each other to get the best answer, but that only works if the responses are grouped together in a thread.

I don’t have a console handy, but in the results tuple where you have

names of member actions of actions of it

I think you would want to change to

(name of it & ":" & (id of source fixlet of it as string | "<missing source fixlet>")) of member actions of actions of it

You can format the result in many ways, such as creating a tuple from the query and returning (item 0 of it, item 1 of it). Based on the query you already have, I think you understand how to do that but reply back if you need some more guidance.

The important considerations are that you want the source fixlet of action property. You would also want to include error handling via the pipe (|) operator, as you cannot retrieve the source fixlet id for a ‘custom action’, a fixlet from a site your operator cannot access, or a source fixlet that has been deleted.

If this doesn’t work, let me know. I don’t have a console right now and I’m not certain you can retrieve a source fixlet for a member action directly - we may have to retrieve the source fixlet of the group action (baseline id) instead.

Hi Jason, sorry, I was not aware that Tyagi has also raised this query, and was not even aware that the same has been done in the past.

Will take care of that.

On the query side, I did try what you mentioned, but I think the source fixlet from action property is not present, so I am getting the error message only.

Please suggest.

(IDs of Actions of it, Names of Issuers of Actions of it, Names of Actions of it, States of Actions of it, Times Issued of Actions of it, start date of action of it, end date of action of it, Names of Computers of it, Operating Systems of Computers of it, IP Addresses of Computers of it, Last Report Times of Computers of it, Detailed Status of it,Status of it,(name of it & " ::: " & (id of source fixlet of it as string | "<missing source fixlet>")) of member actions of actions of it) of results whose (((Name of Action of it as lowercase starts with "p102018week2"))) of bes actions whose ((start time_of_day of it as string >=("01 oct 2018 00:00:00"))and (end time_of_day of it as string <=("13 nov 2018 23:59:59")))

Output

1150, Administrator, p102018week2, Expired, ( Thu, 04 Oct 2018 10:09:32 +0000 ), ( Thu, 04 Oct 2018 ), ( Sat, 06 Oct 2018 ), WIN-2983HT7EIDF, Win2012R2 6.3.9600, 10.0.1.15, ( Mon, 19 Nov 2018 12:39:48 +0000 ), Waiting for restart to complete action., Pending Restart, MS14-057: Vulnerabilities in .NET Framework Could Allow Remote Code Execution - Windows Server 2012 R2 Gold / Windows 8.1 Gold - .NET Framework 3.5 - KB2972103 (x64)  :::  <missing source fixlet>
1150, Administrator, p102018week2, Expired, ( Thu, 04 Oct 2018 10:09:32 +0000 ), ( Thu, 04 Oct 2018 ), ( Sat, 06 Oct 2018 ), WIN-2983HT7EIDF, Win2012R2 6.3.9600, 10.0.1.15, ( Mon, 19 Nov 2018 12:39:48 +0000 ), Waiting for restart to complete action., Pending Restart, MS15-041: Vulnerability in .NET Framework Could Allow Information Disclosure - Windows Server 2012 R2 Gold / Windows 8.1 Gold - .NET Framework 3.5 - KB3037576 (x64)  :::  <missing source fixlet>
1150, Administrator, p102018week2, Expired, ( Thu, 04 Oct 2018 10:09:32 +0000 ), ( Thu, 04 Oct 2018 ), ( Sat, 06 Oct 2018 ), WIN-2983HT7EIDF, Win2012R2 6.3.9600, 10.0.1.15, ( Mon, 19 Nov 2018 12:39:48 +0000 ), Waiting for restart to complete action., Pending Restart, MS15-048: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege - Windows Server 2012 R2 Gold / Windows 8.1 Gold - .NET Framework 3.5 - KB3023219 (x64)  :::  <missing source fixlet>

Ok, was afraid of that.
I can’t find a direct way to tie a member action to a source fixlet. I can tie the action group as a whole to the source baseline. This may explain the behavior I see in the console, where you have to navigate from a member action to the parent action to the source baseline to the baseline component.

I can retrieve the source baseline id, if that’s helpful. Here I wanted to illustrate that the “group action” will retrieve the source baseline’s id for both the group action and for each of its member actions:

q: ((id of source fixlet of (if group member flag of it then parent group of it else it) of it as string| "missing source fixlet"), name of it, id of it) of (it; member actions of it)of bes actions whose (id of it = 1194406)
A: 1184189,  GROUP ACTION NAME, 1194406
A: 1184189, MEMBER ACTION 1, 1194407
A: 1184189, MEMBER ACTION 2, 1194408
A: 1184189, MEMBER ACTION 3, 1194409

Try substituting this into your query and see whether it’s helpful for you:

(id of source fixlet of (if group member flag of it then parent group of it else it) of it as string| "missing source fixlet")

OK, will check and let you know if any help is required from your side.

Thanks for your reply, Jason. We are looking for baseline component IDs in the action here; however, we get the baseline ID, but we are looking for the member action component (fixlet) IDs.

Because there doesn’t appear to be a direct link between Source Fixlet IDs and Group Action Members, I believe that an attempt to retrieve that in Relevance would be cumbersome, slow, and prone to errors.

I believe it’s possible, as the “Baseline Synchronization” dashboard can detect baseline actions which are out of sync with their source fixlets, but I do not know whether that is done in a single query or whether there is processing of the results in Flash or JavaScript or something else.

I’m afraid what I’ve given is going to be the best I can do for the time being. (Again, to be clear, I’m just another customer. You may be able to talk with your VAR or support resources, but what you’re asking for would likely be either an RFE or a contract-for-code kind of deal).
