Pages

Showing posts with label Cylance. Show all posts
Showing posts with label Cylance. Show all posts

Thursday, August 25, 2022

Using Azure Function App and Logic Apps to create an automated report that downloads a CSV, creates a HTML table, sends an email with the HTML table and attaches the CSV

In this post, I would like to demonstrate the following using an Azure Function App and Logic App.

Function App:

  1. Download a CSV file from a URL
  2. Count the amount of records in the table
  3. Convert the CSV data into a table in HTML format
  4. Return a HTML formatted email for delivery

Logic App:

  1. Set up a recurring Logic App that runs at the end of the month
  2. Executes the Function App to retrieve the HTML formatted email report
  3. Download the CSV file from a URL
  4. Send an email with the HTML formatted email report with the CSV as the attachment

I will use a device list downloaded from a Cylance tenant to demonstrate this. For those who are not familiar with Cylance, it is a cyber threat detection software for endpoints such as Windows and Mac operating systems. It is possible to retrieve reports via a URL with a unique token that belongs to an organization’s tenant. Here is what the portal with the URLs look like:

image

We’ll be using the Devices URL with the unique token to retrieve our report:

https://protect-sae1.cylance.com/Reports/ThreatDataReportV1/devices/4B1FFFxxxxxxxxxxx296

The downloaded report will look as such:

image

Step #1 – Create a Function App that will retrieve Cylance Device List and generate and return a HTML email report

Begin by creating a Function App that will retrieve Cylance Device List and return it in HTML format. This Function App collects the data that will in turn be call by a Logic App to generate an email and send the report off to an email address.

image

Proceed to create a Function App with the following parameters:

Publish: Code

Runtime stack: PowerShell Core

Version: 7.2

Operating System: Windows

Configure the rest of the parameters as required by the environment.

image

image

With the Function App created, proceed to create the function trigger:

image

Select HTTP trigger as the template and provide a meaningful name:

image

With the trigger created, navigate to Code + Test and paste the following code into run.ps1:

https://github.com/terenceluk/Azure/blob/main/Function%20App/Get-CylanceDeviceReport.ps1

image

The following are changes you’ll need to apply to the code:

The client name:

image

With the function app code in place, proceed to use the Test/Run feature to test it. Note that the function app expects the tenant ID to be passed to it so the Body of the test should include the following:

{

  "token": "xxxxxxxxxxxxxxxxxxxxxxxxxx"

}

image

Confirm the HTTP response code of 200 OK and the HTTP response content results:

image

Step #2 – Create a Logic App that is scheduled and will download the device list CSV file, call the Azure Function App to retrieve the device list report and then send it out with the CSV as an attachment

With the Azure Function App created and tested, proceed to create the Logic App that will be scheduled, download the device list CSV file, call the Function App for the HTML device list report and then email it out.

image

Navigate to the Logic app designer blade and begin to configure the steps for the Logic App. The following are the steps we’ll be configuring:

The first is the Recurrence step that will schedule this logic app to run on the last day of each month:

image

**Note that the GUI doesn’t provide the required controls so we’ll be using the JSON code provided in this document for the configuration: https://docs.microsoft.com/en-us/azure/logic-apps/concepts-schedule-automated-recurring-tasks-workflows#run-once-at-last-day-of-the-month

Click on Code View:

image

Then edit the triggers section:

                },

"recurrence": {

"frequency": "Month",

"interval": 1,

"schedule": {

"monthDays": [-1]

                    }

image

Create an additional step by clicking on the + button and select Add an action then type in Function:

image

Select the Function App that was created:

image

Select the trigger that was created:

image

Place the body containing the tenant ID into the Request Body:

{

  "token": "xxxxxxxxxxxxxxxxxxxxxxxxxx"

}

image

Proceed to create two additional steps:

  1. Initialize variable
  2. Set variable

These two steps will place the retrieved HTML report into the body of the email:

Initialize variable

Name: EmailBody
Type: String
Value: <leave blank>

image

image

Set variable

Name: EmailBody
Value: Select the Body

image

image

Continue to create the HTTP step to download the device list so we can attach the CSV file as an attachment:

image

Configure the following parameters:

Method: GET
URI: Place the URL with the token to download the device list

**Note that I have hardcoded the token into the URI. It is possible to declare this as a variable and pass it into here as well.

image

Add the last step that will email this report to the email address required:

image

Note that we are placing the EmailBody variable we created from the Function App output into the Body, and attaching the Body from the HTTP step as an attachment. The Attachments Name can be any name you prefer.

image

Proceed to use the Run Trigger feature to execute the Logic App and confirm that the report is generated and sent:

image

I hope this helps anyone who may be looking for instructions on how to configure automated reports.

Posted by at No comments:
Labels: , , , , ,

Tuesday, June 8, 2021

Using AirWatch to remotely run batch files for uninstalling applications

I don’t get to work with MDM or UEM applications much anymore due to my focus on Azure so I got pretty excited when an ex-colleague asked me if there was a way to use VMware AirWatch (also known as Workspace One) to remotely execute an uninstall command for an application because I had gone through the process before. After digging up some old notes to guide him through the setup, I thought I’d write this blog post in case anyone else happens to ask me in the future.

The official documentation, although a bit outdated, for this feature can be found here:

Using Product Provisioning to Deliver Files to Windows 10: Workspace ONE Operational Tutorial
https://techzone.vmware.com/using-product-provisioning-deliver-files-windows-10-workspace-one-operational-tutorial#_991596

For the purpose of this example, I will be using a batch file that manually (and forcefully) removes Cylance Protect from devices. Not long ago I ran into an issue where attempting to uninstall Cylance Protect from devices would display the following error:

Cylance PROTECT
You are attempting to run the 32-bit installer on a 64-bit version of Windows. Please run the 64-bit installer.

image

I couldn’t determine how to get around this as none of the methods such as editing registry keys and executing the following msiexec.exe would work:

msiexec /x {2E64FC5C-9286-4A31-916B-0D8AE4B22954} /quiet

Reaching out to Blackberry support had an support engineer point me to:

Fix problems that block programs from being installed or removed

https://support.microsoft.com/en-us/mats/program_install_and_uninstall

The tool worked but it had to be ran interactively and did not allow me to use it at scale.

A bit more research led me to the following script written by James Gallagher, which worked but please note that as this was originally provided by Cylance but later modified by Cyberforce, use this at your own risk. It worked for me but may not for others.

Manual Removal Of CylancePROTECT
https://cyberforcesecurityhelp.freshdesk.com/support/solutions/articles/44002036687-manual-removal-of-cylanceprotect

In case the post ever gets deleted, I will paste the contents for the customized-CylanceCleanupTool.bat at the end of this post.

With the above scenario described, let’s begin creating the configuration in AirWatch Version: 20.11.0.5 (2011):

image

Create the Files/Actions

The first step is to create a Files/Actions that will allow you to upload the batch file, define where to store it on the device, and how to execute the batch file.

Begin by navigating to Devices > Provisioning > Components > Files/Actions:

image

Click on the ADD FILES/ACTIONS:

image

Select Windows under Add Files/Actions:

image

Select Windows Desktop under Select Device Type:

image

Type in a name for the action and select the appropriate organization for Managed By:

image

Navigate to the Files tab, click on the ADD FILES tab, then Choose Files to select the batch file that will be uploaded and pushed to the clients:

image

image

Specify a download path where the batch file will be downloaded to on the client:

C:\Temp\AirWatch\

image

Save the configuration and the following line will be displayed in the Files tab:

image

Navigate to the Manifest tab and click on Install Manifest:

image

Select Run for Action(s) To Perform:

image

Select System for the Execution Context so the batch file is running with elevated permissions and specify the path and batch file (the location specified earlier for downloading the batch file and the batch file name that was just uploaded:

C:\Temp\AirWatch\customized-CylanceCleanupTool.bat

image

The following configuration will be displayed under Install Manifest. We can specify a command to uninstall but there will not be one configured for this example:

image

Proceed to save the new Files/Actions:

image

Create the Product to assign to devices

With the creation of the Files/Actions completed, the next step is to assign it to devices.

Navigate to Devices > Provisioning > Product List View and click on ADD PRODUCT:

image

Select Windows under Add Product:

image

Select Windows Desktop under Select Device Type:

image

Provide a name and description for the product, select the appropriate organization, and select the Smart Group this product should be applied to. For the purpose of this example, we will be assigning it to all devices.

image

Click on the Manifest tab and then the ADD button:

image

Select File/Action - Install for Action(s) To Perform and the previously created Files/Actions for the Files/Actions field:

image

The saved Manifest will be displayed as such:

image

You can further specify Conditions, Deployment and Dependencies options:

image

image

image

With the configuration completed, decide to click Save button to simply save the Manifest or Activate to save and immediately activate the configuration:

image

For the purpose of this example, I will click on Activate, which will display the list of devices it will be applied to:

image

The new product should now be displayed:

image

Waiting a few seconds and refreshing the update the In Progress, Compliant and Failed values:

image

Hope this helps anyone who might be looking for instructions on how to remotely run batch files with AirWatch.

customized-CylanceCleanupTool.bat

@ECHO OFF

title UNIFIED DRIVER CYLANCE CLEANUP TOOL

Echo UNIFIED DRIVER CYLANCE CLEANUP TOOL

:SwitchToWorkingDirectory

cd /d "%~dp0" 1>nul 2>&1

:AdminCheck

openfiles>nul 2>&1

IF %ERRORLEVEL% == 0 (

:AdminCheckPass

GOTO ManualUninstall

) ELSE (

:AdminCheckFail

Echo * Please re-run the Unified Driver Cylance Cleanup Tool as Administrator.

Echo * Exiting...

GOTO CyExit

)

:ManualUninstall

reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Cylance /f

reg delete HKEY_CLASSES_ROOT\Installer\Products\C5CF46E2682913A419B6D0A84E2B9245 /f

reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CylanceSvc /f

taskkill /im CylanceUI.exe

takeown /f "C:\Program Files\Cylance" /r /d y

icacls "C:\Program Files\Cylance" /reset /T

rd /s /q "C:\Program Files\Cylance"

takeown /f "C:\programdata\Cylance" /r /d y

rd /s /q C:\programdata\Cylance

:InstallCleanup

Echo * Installing the Unified Driver Cylance Cleanup Tool service...

CyCleanupSvc.exe "-install"

IF %ERRORLEVEL% == 0 (

GOTO WaitCleanup

) ELSE (

Echo * Failed to install the Unified Driver Cylance Cleanup Tool service.

Echo * Please check the Logs directory.

Echo * Exiting...

GOTO CyExit

)

:WaitCleanup

Echo * Waiting for the Unified Driver Cylance Cleanup Tool service to cleanup...

ping -n 30 127.0.0.1 1>nul 2>&1

Echo * Unified Driver Cylance Cleanup Tool is finished.

Echo * Removing the Unified Driver Cylance Cleanup Tool service...

CyCleanupSvc.exe "-uninstall"

IF %ERRORLEVEL% == 0 (

GOTO FinishCleanup

) ELSE (

Echo * Failed to remove the Unified Driver Cylance Cleanup Tool service.

Echo * Please check the Logs directory.

Echo * Exiting...

GOTO CyExit

)

:FinishCleanup

Echo * Unified Driver Cylance Cleanup Tool service has been removed.

Echo * Exiting...

:CyExit

exit

Posted by at No comments:
Labels: , , ,
Subscribe to: Posts (Atom)