Functions/Get-MCASDiscoverySampleLog.ps1

<#
.Synopsis
   Retrieves one or more sample discovery logs for a specified device type.
.DESCRIPTION
   Get-MCASDiscoverySampleLog gets the sample log files that are available for the specified device type.
 
.EXAMPLE
    PS C:\> Get-MCASDiscoverySampleLog
 
    C:\>Get-MCASDiscoverySampleLog -DeviceType CHECKPOINT
 
    C:\Users\alice\check-point_demo_log\check-point-2_demo_log.log
    C:\Users\alice\check-point_demo_log\check-point_demo_log.log
 
.FUNCTIONALITY
   Get-MCASDiscoverySampleLog is intended to download the sample log files that are available for the specified device type. It downloads these as compressed zip files,
   then extracts the text log files from the zip files to a newly created subdirectory of the current directory. It returns the full path to each sample log it extracts, unless
   the -Quiet switch is specified, in which case it returns nothing.
    
#>

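function Get-MCASDiscoverySampleLog {
    [CmdletBinding()]
    param
    (
        # Specifies which device type for which a sample log file should be downloaded
        [Parameter(Mandatory=$true, ValueFromPipeline=$true, Position=0)]
        [ValidateNotNullOrEmpty()]
        [device_type]$DeviceType,

        # Specifies to not output the file names
        [switch]$Quiet
    )
    begin {
        Write-Verbose "Attempting to load assembly [system.io.compression.filesystem]"
        Add-Type -assembly "system.io.compression.filesystem"

        # Fixed lookup table: device type name -> name of the sample log file that the
        # downloadable zip contains. Keys are the device_type member names (hashtable literal
        # keys are case-insensitive). A device type that is absent here has no published sample
        # (e.g. PALO_ALTO_SYSLOG) and is rejected in the process block with a clear error.
        $sampleLogNames = @{
            'BARRACUDA'                     = 'barracuda-web-app-firewall-w3c_demo_log.log'
            'BARRACUDA_NEXT_GEN_FW'         = 'barracuda-f-series-firewall_demo_log.log'
            'BARRACUDA_NEXT_GEN_FW_WEBLOG'  = 'barracuda-f-series-firewall-web-log-streaming_demo_log.log'
            'BLUECOAT'                      = 'blue-coat-proxysg-access-log-w3c_demo_log.log'
            'CHECKPOINT'                    = 'check-point_demo_log.log'
            'CHECKPOINT_SMART_VIEW_TRACKER' = 'check-point-smartview-tracker_demo_log.log'
            'CHECKPOINT_XML'                = 'check-point-xml_demo_log.log'
            'CISCO_ASA'                     = 'cisco-asa-firewall_demo_log.log'
            'CISCO_ASA_FIREPOWER'           = 'cisco-asa-firepower_demo_log.log'
            'CISCO_FWSM'                    = 'cisco-fwsm_demo_log.log'
            'CISCO_IRONPORT_PROXY'          = 'cisco-ironport-wsa_demo_log.log'
            'CISCO_SCAN_SAFE'               = 'cisco-scansafe_demo_log.log'
            'CLAVISTER'                     = 'clavister-ngfw-syslog_demo_log.log'
            'FORCEPOINT'                    = 'forcepoint-web-security-cloud_demo_log.log'
            'FORTIGATE'                     = 'fortinet-fortigate_demo_log.log'
            'GENERIC_CEF'                   = 'generic-cef-log_demo_log.log'
            'GENERIC_LEEF'                  = 'generic-leef-log_demo_log.log'
            'GENERIC_W3C'                   = 'generic-w3c-log_demo_log.log'
            'IBOSS'                         = 'iboss-secure-cloud-gateway_demo_log.log'
            'I_FILTER'                      = 'digital-arts-i-filter_demo_log.log'
            'JUNIPER_SRX'                   = 'juniper-srx_demo_log.log'
            'JUNIPER_SRX_SD'                = 'juniper-srx-sd_demo_log.log'
            'JUNIPER_SRX_WELF'              = 'juniper-srx-welf_demo_log.log'
            'JUNIPER_SSG'                   = 'juniper-ssg_demo_log.log'
            'MACHINE_ZONE_MERAKI'           = 'meraki-urls-log_demo_log.log'
            'MCAFEE_SWG'                    = 'mcafee-web-gateway_demo_log.log'
            'MICROSOFT_ISA_W3C'             = 'microsoft-forefront-threat-management-gateway-w3c_demo_log.log'
            'PALO_ALTO'                     = 'pa-series-firewall_demo_log.log'
            # 'PALO_ALTO_SYSLOG' has no sample available
            'SONICWALL_SYSLOG'              = 'sonicwall_demo_log.log'
            'SOPHOS_CYBEROAM'               = 'sophos-cyberoam-web-filter-and-firewall-log_demo_log.log'
            'SOPHOS_SG'                     = 'sophos-sg_demo_log.log'
            'SOPHOS_XG'                     = 'sophos-xg_demo_log.log'
            'SQUID'                         = 'squid-common_demo_log.log'
            'SQUID_NATIVE'                  = 'squid-native_demo_log.log'
            'WEBSENSE_SIEM_CEF'             = 'web-security-solutions-internet-activity-log-cef_demo_log.log'
            'WEBSENSE_V7_5'                 = 'web-security-solutions-investigative-detail-report-csv_demo_log.log'
            'ZSCALER'                       = 'zscaler-default-csv_demo_log.log'
            'ZSCALER_QRADAR'                = 'zscaler-qradar-leef_demo_log.log'
            'ZSCALER_CEF'                   = 'zscaler-cef_demo_log.log'
        }

        # Every sample is fetched from this single HTTPS location. The final URL is built only
        # from values of the lookup table above, never from caller-supplied strings.
        $sampleLogBaseUri = 'https://adaproddiscovery.blob.core.windows.net/logs'
    }
    process {

        # Resolve the file name for THIS pipeline item. The lookup is explicit (rather than a
        # switch without a default arm) so that an unmapped device type fails here with a clear
        # message instead of silently reusing the $fileName left over from the previous item.
        Write-Verbose "Device type specified was $DeviceType"
        $deviceKey = [string]$DeviceType
        if (-not $sampleLogNames.ContainsKey($deviceKey)) {
            throw "No sample log file is available for device type '$DeviceType'"
        }
        $fileName = $sampleLogNames[$deviceKey]

        $zipFile = "$fileName.zip"
        Write-Verbose "Zip file to download will is $zipFile"

        # Download and extraction both use the same absolute zip path so they cannot disagree.
        # NOTE(review): assumes the current location is a file-system path — confirm for callers
        # that may invoke this from a non-FileSystem provider drive.
        $zipPath = Join-Path -Path $PWD -ChildPath $zipFile
        # The extraction folder is the sample's name without its ".log" extension, under $PWD.
        $targetFolder = Join-Path -Path $PWD -ChildPath ([System.IO.Path]::GetFileNameWithoutExtension($fileName))
        Write-Verbose "Target folder for extracted log files is $targetFolder"

        # Download the sample log zip file
        try {
            Write-Verbose "Attempting to download $zipFile"
            Invoke-WebRequest -Method Get -Uri "$sampleLogBaseUri/$zipFile" -OutFile $zipPath -UseBasicParsing
        }
        catch {
            throw "Could not retrieve $zipFile. Exception was $_"
        }

        # Cleanup the target folder, if it already exists. This is destructive, which is acceptable
        # only because the folder name comes from the fixed lookup table, not from the caller.
        # -LiteralPath keeps wildcard characters in $PWD (e.g. '[') from being interpreted.
        if (Test-Path -LiteralPath $targetFolder) {
            Write-Verbose "The target folder $targetFolder already exists, so it will now be deleted"
            try {
                Write-Verbose "Attempting to delete the target folder $targetFolder"
                Remove-Item -LiteralPath $targetFolder -Recurse -Force
            }
            catch {
                throw "Could not delete $targetFolder. Exception was $_"
            }
        }

        # Extract the files from the zip file (some contain more than one log in them).
        # NOTE(review): the archive comes from a fixed HTTPS host, so its entry names are trusted
        # here; whether ExtractToDirectory itself rejects entries that would land outside
        # $targetFolder depends on the .NET version — confirm if this must run on older frameworks.
        try {
            Write-Verbose "Attempting to extract contents of $zipFile to $targetFolder"
            [io.compression.zipfile]::ExtractToDirectory($zipPath, $targetFolder)
        }
        catch {
            throw "Could not extract contents of $zipFile : $_"
        }

        # Clean up the zip file, since we have extracted the contents. Failure here is only a
        # warning: the extracted logs are already in place, so the caller still gets a result.
        try {
            Write-Verbose "Attempting to delete $zipFile"
            Remove-Item -LiteralPath $zipPath -Force
        }
        catch {
            Write-Warning "Could not delete $zipFile : $_"
        }

        # Output to the caller the full path of each sample log file, unless output was suppressed
        if (!$Quiet) {
            (Get-ChildItem -LiteralPath $targetFolder).FullName
        }
    }
}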