Functions/Install-MCASSiemAgent.ps1

<#
.Synopsis
    Install-MCASSiemAgent downloads and installs Java, downloads and unzips the MCAS SIEM Agent JAR file, and creates a scheduled task to auto-start the agent on startup. (This works on 64-bit Windows hosts only.)
.DESCRIPTION
    Auto-deploy the MCAS SIEM Agent.
.EXAMPLE
    Install-MCASSiemAgent -UseInteractiveJavaSetup -Token 'ZV9LS...dGBwb'
 
    This example will auto-deploy the MCAS SIEM Agent with the user experiencing an interactive Java installation process
 
.EXAMPLE
    Install-MCASSiemAgent -TargetFolder 'C:\MCAS' -Force -Token 'ZV9LS...dGBwb'
 
    This example will auto-deploy the MCAS SIEM Agent in the C:\MCAS folder with no user interaction.
 
#>

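function Install-MCASSiemAgent {
    <#
    .SYNOPSIS
        Downloads the MCAS SIEM Agent JAR (and Java, if it is missing) and registers a startup
        scheduled task that runs the agent as SYSTEM.
    .DESCRIPTION
        Steps, in order:
          1. Verify the host is 64-bit Windows (Win32_OperatingSystem).
          2. Ensure $TargetFolder and $TargetFolder\Logs exist and hold an mcas-siemagent-*-signed.jar,
             downloading it via Get-MCASSiemAgentJarFile when absent.
          3. Locate java.exe via Get-JavaExePath; when absent, download (Get-JavaInstallationPackage)
             and run the Java setup, silently unless -UseInteractiveJavaSetup is given.
          4. Register the 'MCAS SIEM Agent' scheduled task (AtStartup trigger, SYSTEM principal).
    .PARAMETER Token
        Token issued in the MCAS console when the SIEM agent was created. Must match
        $MCAS_TOKEN_VALIDATION_PATTERN (module-level). Note that it ends up on the agent's
        command line inside the scheduled task definition.
    .PARAMETER ProxyHost
        Optional outbound proxy host for the agent's connection to the MCAS cloud service.
    .PARAMETER ProxyPort
        Proxy port, used only together with -ProxyHost (default 8080).
    .PARAMETER TargetFolder
        Installation folder for the agent JAR and its Logs subfolder (default C:\MCAS-SIEM-Agent).
    .PARAMETER UseInteractiveJavaSetup
        Run the Java installer interactively instead of with the '/s' silent switch.
    .PARAMETER Force
        Skip the confirmation prompt shown before Java is automatically downloaded and installed.
        (Silent vs. interactive setup is controlled by -UseInteractiveJavaSetup, not by -Force.)
    .OUTPUTS
        None. Progress is written to the verbose stream; failures are thrown as terminating errors.
    #>
    [CmdletBinding()]
    param
    (
        # Token to be used by this SIEM agent to communicate with MCAS (provided during SIEM Agent creation in the MCAS console)
        [Parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        [ValidateScript({$_  -match $MCAS_TOKEN_VALIDATION_PATTERN})]
        [string]$Token,

        # Proxy address to be used for this SIEM agent for outbound communication to the MCAS service in the cloud
        [Parameter(Mandatory=$false)]
        [ValidateNotNullOrEmpty()]
        [string]$ProxyHost,

        # Proxy port number to be used for this SIEM agent to egress to MCAS cloud service (only applies if -ProxyHost is also used, default = 8080)
        [Parameter(Mandatory=$false)]
        [ValidateNotNullOrEmpty()]
        [ValidateRange(1,65535)]
        [int]$ProxyPort = 8080,

        # Target folder for installation of the SIEM Agent (default = "C:\MCAS-SIEM-Agent")
        [ValidateNotNullOrEmpty()]
        [string]$TargetFolder = 'C:\MCAS-SIEM-Agent',

        # Specifies whether to install Java interactively, if/when it is automatically installed. If this is not used, Java setup will be run silently
        [switch]$UseInteractiveJavaSetup,

        # Skips the confirmation prompt before Java is auto-downloaded and installed when it is not found on the machine
        [switch]$Force
    )

    # ---- Check system requirements ---------------------------------------------------------
    Write-Verbose 'Checking for 64-bit Windows host'
    try {
        # -ErrorAction Stop turns a CIM failure into a terminating error so the catch below sees it
        $sysInfo = Get-CimInstance Win32_OperatingSystem -ErrorAction Stop | Select-Object Caption,OSArchitecture
        $hostIsWindows = $sysInfo.Caption -cmatch 'Windows'
        $hostIs64Bit   = $sysInfo.OSArchitecture -cmatch '64-bit'
    }
    catch {
        throw 'Error detecting host information. This command only works on 64-bit Windows hosts.'
    }
    # Both conditions must hold; the earlier double-negated form threw on exactly the supported hosts
    if (-not ($hostIsWindows -and $hostIs64Bit)) {
        throw 'This does not appear to be a 64-bit Windows host. This command only works on 64-bit Windows hosts.'
    }
    Write-Verbose 'This host does appear to be running 64-bit Windows. Proceeding'


    # ---- Check for the SIEM agent folder and .jar file ------------------------------------------
    $jarPattern = "$TargetFolder\mcas-siemagent-*-signed.jar"
    Write-Verbose "Checking for an existing SIEM Agent JAR file in $TargetFolder"
    if (-not (Test-Path -Path $jarPattern)) {
        Write-Verbose "A JAR file for the MCAS SIEM Agent was not found in $TargetFolder"

        foreach ($folder in @($TargetFolder, "$TargetFolder\Logs")) {
            Write-Verbose "Checking for $folder"
            if (-not (Test-Path -Path $folder)) {
                Write-Verbose "$folder was not found, creating it"
                try {
                    # Out-Null keeps the DirectoryInfo object out of the function's output stream
                    New-Item -ItemType Directory -Path $folder -Force -ErrorAction Stop | Out-Null
                }
                catch {
                    # Inside catch, $_ is the error record, so the folder name must come from $folder
                    throw "An error occurred creating $folder. The error was $_"
                }
            }
        }

        Write-Verbose "Downloading and extracting the latest MCAS SIEM Agent JAR file to $pwd"
        $downloadedJar = Get-MCASSiemAgentJarFile

        Write-Verbose "Moving the MCAS SIEM Agent JAR file to $TargetFolder"
        Move-Item -Path "$pwd\$downloadedJar" -Destination $TargetFolder -Force -ErrorAction Stop
    }

    # Resolve the JAR file name from disk so it is known in both the "already present" and the
    # "just downloaded" cases; previously it was only set on the download path, leaving the
    # scheduled task's '-jar' argument empty on re-runs.
    $jarFile = Get-ChildItem -Path $jarPattern -File |
        Sort-Object -Property LastWriteTime -Descending |
        Select-Object -First 1 -ExpandProperty Name
    if (-not $jarFile) {
        throw "The MCAS SIEM Agent JAR file could not be found in $TargetFolder after setup"
    }


    # ---- Get the installation location of the latest Java engine, if one is installed ----------
    $javaExePath = Get-JavaExePath


    # ---- If Java is not found, download and install it ----------------------------------------
    if (-not $javaExePath) {
        if (-not $Force) {
            # Prompt before the automatic download/install; the prompt is double-quoted so the
            # `n actually produces a line break. -ne is case-insensitive, so 'Y' and 'y' both proceed.
            $answer = Read-Host "CONFIRM: No Java installation was detected. Java will now be automatically downloaded and installed. Do you wish to continue?`n[Y] Yes or [N] No (default is No)"
            if ($answer -ne 'y') {
                Write-Verbose 'User chose not to proceed with automatic Java download and installation. Exiting'
                return
            }
            Write-Verbose 'User chose to proceed with automatic Java download and installation. Continuing'
        }

        # Download Java
        $javaSetupFileName = Get-JavaInstallationPackage
        $javaSetupPath = "$pwd\$javaSetupFileName"

        # Install Java
        try {
            if ($UseInteractiveJavaSetup) {
                Write-Verbose 'Starting interactive Java setup'
                Start-Process -FilePath $javaSetupPath -Wait -ErrorAction Stop
            }
            else {
                Write-Verbose 'Starting silent Java setup'
                Start-Process -FilePath $javaSetupPath -ArgumentList '/s' -Wait -ErrorAction Stop
            }
        }
        catch {
            throw "Something went wrong attempting to run the Java setup package. The error was $_"
        }
        Write-Verbose 'Java setup seems to have finished'

        Write-Verbose 'Cleaning up the Java setup package'
        try {
            Remove-Item -Path $javaSetupPath -Force -ErrorAction Stop
        }
        catch {
            # Best-effort cleanup: a leftover installer is not worth aborting the deployment over
            Write-Warning ('Failed to clean up the Java setup exe file ({0})' -f $javaSetupPath)
        }

        # Get the installation location of the newly installed Java engine
        $javaExePath = Get-JavaExePath
    }


    # ---- Check again for Java, which should be there now --------------------------------------
    if (-not $javaExePath) {
        throw 'There seems to still be a problem with the Java installation, it could not be found'
    }

    # NOTE(review): the token is passed on the agent's command line, so it is stored in the
    # scheduled task definition and visible in the running process's command line to anyone who
    # can read those (at least local administrators). The agent's CLI as used here offers no
    # alternative; treat admin access to this host as access to the token.
    $jarFullPath = "$TargetFolder\$jarFile"
    $logsDir     = "$TargetFolder\Logs"
    if ($ProxyHost) {
        $javaArgs = '-jar {0} --logsDirectory {1} --token {2} --proxy {3}:{4}' -f $jarFullPath,$logsDir,$Token,$ProxyHost,$ProxyPort
    }
    else {
        $javaArgs = '-jar {0} --logsDirectory {1} --token {2}' -f $jarFullPath,$logsDir,$Token
    }


    # ---- Create a scheduled task to auto-run the MCAS SIEM Agent ------------------------------
    Write-Verbose 'Creating an MCAS SIEM Agent scheduled task that will automatically run at startup on this host.'
    $taskName = 'MCAS SIEM Agent'
    try {
        # Keys are named after Register-ScheduledTask's parameters so the hashtable can be splatted
        $scheduledTask = @{
            TaskName  = $taskName
            Action    = New-ScheduledTaskAction -Execute $javaExePath -WorkingDirectory $TargetFolder -Argument $javaArgs
            Trigger   = New-ScheduledTaskTrigger -AtStartup
            Principal = New-ScheduledTaskPrincipal -Id Author -LogonType S4U -ProcessTokenSidType Default -UserId SYSTEM
            Settings  = New-ScheduledTaskSettingsSet -DontStopIfGoingOnBatteries -DontStopOnIdleEnd
        }
        # New-ScheduledTask only builds an in-memory task object; Register-ScheduledTask is what
        # actually creates the task on the host. Out-Null suppresses the returned task object.
        Register-ScheduledTask @scheduledTask -ErrorAction Stop | Out-Null
    }
    catch {
        throw ('Something went wrong when creating the scheduled task named {0}. The error was {1}' -f $taskName, $_)
    }
}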