I am SO close … I’m hoping one of you can push me that little extra inch …
The purpose, here, is to get a list of “sha256:” hashes from the action scripts of applicable, globally visible fixlets from a selection of bes sites.
I will eventually use this information to clean up my sha1 folder of stale data. Background, we are in an air-gapped environment so deleting of patch installation content is not something to take lightly. If we delete something we need, we have to go through extra security hoops to transfer the content to the air-gapped environment again.
I’ve managed to work out two queries that give me what I am looking for but I need to combine these to get the final list of applicable sha256 hashes.
Query 1: returns sha256 hashes from action scripts
(substring (0,64) of it) of (following texts of first "sha256:" of it) of ((scripts of actions of fixlets of bes sites) whose (it contains "sha256:"))
Query 2:
(id of it) of bes fixlets whose ((exists (results (it, bes computers)) whose (remediated flag of it = false)) and (applicable computer count of it > 0) and ((name of site of it = "Enterprise Security") or (name of site of it = "ESU Patching for Windows 10 22H2") or (name of site of it = "Updates for Windows Applications) or (name of site of it = "Updates for Windows Applications Extended")) and (globally visible flag of it = true) and (exists scripts whose (it as lowercase contains "sha256:" as lowercase) of actions of it))
Both of these work (though I did have to retype .. no copy/paste available from air-gapped environment).
Note: I originally had a pretty decent “back door” SQL script that would parse this data out of the BFEnterprise database but it has been “acting up” lately so I figured I would give the “front door” a try 