I’m looking to pull the list of services for computers on our network, to check for new or weird services. (There’s no way I’ll be able to use the services baseline wizard to lock things down).
I’ve set the analyses on my test box –
Activated Globally | Application Information (Windows) | BES Inventory and License | 3 | EvaluationUser | 1/13/2015 11:13:02 AM
I see the info in the web reports:
Computer Name | Services - Windows
this gives me my list of test workstations - https://bigfix/api/query?relevance= values of results from (bes property "Computer Name") of bes computers
and this gives me my list of services on those test workstations - https://bigfix/api/query?relevance= values of results from (bes property "Services - Windows") of bes computers
but how do I list both?
i.e.
values of results from (bes property "Services - Windows" "," bes property "Computer Name") of bes computers
I saw this in the forum as well,
(name of it, hostname of it, id of it, operating system of it) of bes computers whose(id of it = 12345)
but I don’t see ‘services of it’ in the Inspectors Element tab for bes computers.
for example -
(name of it, services of it) of bes computers
I hope this is clear; not embarrassed to say I’ve been looking at this for a while now.
If you just want to find unexpected services, then this is what I would recommend:
(multiplicity of it, it) of unique values of (preceding texts of lasts " (" of it) of values of results of bes property "Services - Windows"
This gives me over 4000 results. If I tried to do the combo of this property result along with the computer name, then it would take forever and would have over 5000000 results. There are some things you just can’t do in session relevance because it would just take far too long to return.
If you just wanted to take a look at the unusual results, then you could just look at the services that are only on a few machines, rather than those on all machines:
(multiplicity of it, it) of unique values whose(multiplicity of it < 50) of (preceding texts of lasts " (" of it) of values of results of bes property "Services - Windows"
Thank you for the response! That is really cool, and now I’ve got more questions about ‘multiplicity of it’. I haven’t seen that yet, lol! Not sure if I understand, and maybe the REST API isn’t the way to go with this…
We want to pull all the services and all the computer names down with the REST API and then do all the work on the pulled data in a separate database (away from BigFix) where we can correlate other info from other security tools. I know it’s a lot of data, but pulling the CSV from our web reports only takes a couple of minutes.
We need the computer name so that we can correlate other information ‘outside of bigfix’ from our network. That’s the reason we need to pull down all the services and the computer names. Is there an easier way to do this?
It might be possible to do this by concatenating the results of all of the services and the computer name so that there is only one result per computer. Otherwise you are asking for the computer name + service to be returned for every service from every computer. This means that you would have a result set the size of (avg # of services per computer) * (number of computers). In my case that would be a result set of over 5000000 entries, which would be impossible to return in a reasonable amount of time, and would be such a large set that it would be hard to do good analysis on it.
This is how to determine how large the result set would be:
number of values of results of bes property "Services - Windows"
I could try to come up with the relevance that will give you what you want, but it would only be useful if applied to a small number of machines. (and in my case not actually possible to return 5 million results)
Why not instead look at the results of the unique values of all services to determine which services are problematic and require investigation, then separately query for all systems which have that particular service installed? This would be much easier.
Hmm, I see what you’re saying about the size. That might work; to tell the truth I’m not sure how you’re pulling the unique part of it, i.e. I don’t understand how you are saying they are unique, or worth taking a look at.
Is it possible to run it against a list of ‘known good Windows services’? Like the ones on blackviper.com? In other words, all Windows boxes are known to have these services and I’m not concerned about those; I want to know about the ones that aren’t standard.
The problem is I need the computer name to take this information and then correlate other information to it, i.e. snort alerts that tripped on this computer, etc.
The following will give you the unique listing of all service names across all computers. Some of the services you will know are benign, and others you might question if they are malicious or not, which you can then investigate further.
This gives you the same list as above, but also includes the number of computers in which that service appears, which could be a helpful indicator of the potential maliciousness of that service:
Once you have this data pulled out of IEM/BigFix, you can do further analysis to determine which should be investigated and which are definitely benign. I’m not sure how you do this, I’m just suggesting this is an approach you could take.
Also, if you have a specific list of computers that you have flagged as needing investigation due to external monitoring, you could then query the services and other data about that limited set of computers from IEM/BigFix to aid in this investigation. This would be much easier than trying to pull all services from all computers.
Also, you could create an analysis that has more data than the existing “Services - Windows” property, if that was needed for investigation. The issue is the more data you return the longer it takes for the client to compute, and the more data you are asking to return with session relevance for reporting.
This does appear to work and do what you want, but it takes quite a while to return results for a large set of endpoints. It also gets truncated when I run the query in the “BigFix Session Relevance Tester”, but I’m not sure if that would happen elsewhere.
(name of it & " - " & concatenation ", " of (preceding texts of lasts " (" of it) of values of results from (bes property "Services - Windows") of it ) of bes computers whose(exists name of it AND exists results from (bes property "Services - Windows") of it)
This is the same idea, but only returns results from the computers that are members of a specific automatic computer group. If you only need to investigate the services on a specific set of endpoints, then you can create an automatic group that will dynamically contain those endpoints and then only return the service results from that set. This would greatly reduce the results and speed up the query:
(name of it & " - " & concatenation ", " of (preceding texts of lasts " (" of it) of values of results from (bes property "Services - Windows") of it ) of members whose(exists name of it AND exists results from (bes property "Services - Windows") of it) of bes computer groups whose(name of it = "_NameOfAutomaticGroupToInvestigate")
You are the man! When you uniqued it above, do you mind sharing how you did it? I mean, that may be a better way to do what we are trying to accomplish; I just didn’t understand how you were uniquing the data.
Maybe the best way is to concatenate the ‘uniqued’ results with the computer name?
“unique values” is a built in relevance inspector. It takes all the string results and combines them into a unique sorted set, along with the count of each. I’m not doing anything special other than using the inspector.
As for concatenating the unique results with the computer name, that doesn’t reduce the set much since the service names for a computer are already mostly unique.
This works great in the relevance tester but won’t work with the REST API: ‘expression could not be parsed’
i.e.
https://bigfix:52311/api/query?relevance=(name of it & " - " & concatenation ", " of (preceding texts of lasts " (" of it) of values of results from (bes property "Services - Windows") of it) of bes computers whose (exists name of it AND exists results from (bes property "Services - Windows") of it)
I’m still learning so any documents etc you have would be greatly appreciated.
There is definitely a steep learning curve to writing relevance & session relevance, but it is very powerful once you get the hang of it.
There are tons of examples here: http://bigfix.me/ (which is where I share the majority of my work, as do others)
There is a difference between the Relevance used in Fixlets/Tasks/Analyses and Session Relevance that is used in reporting / queries. There are many similarities between them, but you can get easily confused if you don’t also try to keep them separate in your head.
There are many different documents on relevance and session relevance. I may have a list somewhere.
Quoting money1968 (post 11): https://bigfix:52311/api/query?relevance=(name of it & " - " & concatenation ", " of (preceding texts of lasts " (" of it) of values of results from (bes property "Services - Windows") of it) of bes computers whose (exists name of it AND exists results from (bes property "Services - Windows") of it)
Needs to be surrounded in quotes, with internal quotes escaped: ( I think this is the issue, the spaces might need to be URL encoded as well )
https://bigfix:52311/api/query?relevance="(name of it & %22 - %22 & concatenation %22, %22 of (preceding texts of lasts %22 (%22 of it) of values of results from (bes property %22Services - Windows%22) of it) of bes computers whose (exists name of it AND exists results from (bes property %22Services - Windows%22) of it)"
If I run it with the quotes I get ‘A string constant had no ending quotation mark’,
but I don’t see where one is missing, it looks like they all are matched.
You should be able to take the working query in the Session Relevance tester and then just plop it in something and tell it to “URLEncode” it, and then use that with the API.
Hmm Ok so we aren’t going to get REST api access just yet, trying to find a work around.
Is it possible to do something with this on the webreports? I see where to add the filters and I edited the columns to simply list ‘Computer Name’ and ‘Services - Windows’ .
Is there a way to only give me the services for each box that aren’t on this list? Is there a way to use the filter to ‘remove’ these ‘standard’ Windows 7 services from the report?
You can use web reports to run reports against any session relevance.
I’m not sure of the easiest way to filter out the standard windows services from the results. The best I can think of at the moment is to turn the list to exclude into a set of strings and then only return the services that are not contained by that set.
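As an added example (not code from the thread or from BigFix itself) covering both the URL-encoding problem discussed above and the idea of filtering against a set of known-good service names: it percent-encodes the concatenated services query for the /api/query URL, parses a constructed sample of the XML answer list (the Answer layout is an assumption), and reports per-computer services that are not in a baseline set plus the number of computers each service appears on.

```python
"""Added example (not from the thread or BigFix itself): build the REST query
URL, parse the XML that /api/query returns, and flag non-baseline services."""
from collections import Counter
from urllib.parse import quote
import xml.etree.ElementTree as ET

BASE = "https://bigfix:52311/api/query"  # server name as used in the thread
RELEVANCE = (  # the concatenated services query from the thread, one line per computer
    '(name of it & " - " & concatenation ", " of (preceding texts of lasts '
    '" (" of it) of values of results from (bes property "Services - Windows") '
    'of it) of bes computers whose (exists name of it AND exists results from '
    '(bes property "Services - Windows") of it)'
)

def query_url(relevance):
    # Percent-encode the whole expression: raw quotes, spaces and '&' in the
    # query string are what produce "expression could not be parsed".
    return BASE + "?relevance=" + quote(relevance, safe="")

# Constructed sample reply; the Answer layout is assumed, not copied from a server.
SAMPLE_XML = """<BESAPI><Query>
<Result>
<Answer type="string">PC01 - Dhcp, Dnscache, EvilSvc</Answer>
<Answer type="string">PC02 - Dhcp, Dnscache</Answer>
<Answer type="string">PC03 - Dhcp, Dnscache, OddSvc, EvilSvc</Answer>
</Result></Query></BESAPI>"""

def parse_rows(xml_text):
    """Split each 'name - svc, svc' answer into (computer, service) tuples."""
    rows = []
    for ans in ET.fromstring(xml_text).iter("Answer"):
        name, _, services = ans.text.partition(" - ")
        rows.extend((name, svc) for svc in services.split(", ") if svc)
    return rows

def unexpected(rows, baseline):
    """Keep every computer, dropping only services that are in the baseline."""
    return [(c, s) for c, s in rows if s not in baseline]

def multiplicity(rows):
    """Computers per service, like 'multiplicity of it' on unique values."""
    return Counter(s for _, s in set(rows))

if __name__ == "__main__":
    url = query_url(RELEVANCE)  # would be fetched with Basic auth; kept offline here
    rows = parse_rows(SAMPLE_XML)
    for row in unexpected(rows, {"Dhcp", "Dnscache"}):
        print(row)
    print(multiplicity(rows).most_common())
```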
Yeah, that’s it! I guess my question is where do I put the session relevance in the web reports?
Under filter, I can filter by computer, if I tell it I don’t want a particular service it just eliminates all computers that have that service and that’s not what I want. I still want it to report that computer but I want all services EXCEPT this list of standard windows services. Does that make sense?
I think you need to create a custom report. You should use the filters to include all of the computers that you want to contribute to the results of the services relevance.
Then you put custom relevance in the report like above, but you filter out certain services by modifying the relevance itself, not through a Wizard.
Custom report might work, I just want to trim down the data –
So using the session relevance that you gave me before why can’t I just go –
(name of it & " - " & concatenation ", " of (preceding texts of lasts " (" of it) of values of results from (bes property "Services - Windows") of it) of bes computers whose (exists name of it AND exists results from ((bes property "Services - Windows") whose (service name of it != "ADWS")) of it)
and then have a bunch of ‘or’ statements listing all the services I don’t care about?