Skip to content

Commit bcf7650

Browse files
author
Rishav Yaduvanshi
committed
fix spell
1 parent 62024ed commit bcf7650

File tree

1 file changed

+4
-3
lines changed

1 file changed

+4
-3
lines changed

docs/platform-services/automation-service/app-central/integrations/sumo-logic-automation-tools.md

Lines changed: 4 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -126,12 +126,13 @@ OUTPUT = {
126126
"data": "MY EXAMPLE STRING"
127127
}
128128
```
129-
8. **Regex Match** - Matches a string against a regex pattern and returns the first match.
129+
8. **Regex Match** - Matches a string against a regex pattern and returns the specified element.
130130
```css
131131
INPUT = {
132132
"string_input": "MY EXAMPLE STRING",
133133
"transform_function": "Regex",
134134
"transform_argument": "EXAMPLE"
135+
"array_element": 0
135136
}
136137
```
137138
```css
@@ -190,7 +191,7 @@ OUTPUT = {
190191
13. **Encode as UTF-8** - Encodes a string as UTF-8.
191192
```css
192193
INPUT = {
193-
"string_input": "Café",
194+
"string_input": "Cafe",
194195
"transform_function": "Encode UTF-8"
195196
}
196197
```
@@ -288,7 +289,7 @@ Output
288289
"allRecords": [
289290
{
290291
"baseImage": "C:\\Program Files\\Rapid7\\Insight Agent\\components\\endpoint_broker\\",
291-
"commandLine": "PowerShell \"$code = \\\"using System; using System.Linq; using System.Collections.Generic; using System.ComponentModel; using System.Runtime.InteropServices; using System.Security.Principal; using System.Text; namespace AuditEventPolicy { public class Collect { [DllImport(\\\"\\\"advapi32.dll\\\"\\\", SetLastError = false)] private static extern uint LsaClose(IntPtr ObjectHandle); [DllImport(\\\"\\\"advapi32.dll\\\"\\\", SetLastError = true)] private static extern uint LsaOpenPolicy( ref LSA_UNICODE_STRING SystemName, ref LSA_OBJECT_ATTRIBUTES ObjectAttributes, uint DesiredAccess, out IntPtr PolicyHandle); [DllImport(\\\"\\\"advapi32.dll\\\"\\\", SetLastError = false)] private static extern uint LsaNtStatusToWinError(uint status); [DllImport(\\\"\\\"advapi32.dll\\\"\\\")] private static extern uint LsaQueryInformationPolicy(IntPtr PolicyHandle, uint InformationClass, out IntPtr Buffer); internal const uint STATUS_SUCCESS = 0x00000000; internal const uint STATUS_ACCESS_DENIED = 0xC0000022; internal const uint STATUS_INSUFFICIENT_RESOURCES = 0xC000009A; internal const uint STATUS_INTERNAL_DB_ERROR = 0xC0000158; internal const uint STATUS_INVALID_HANDLE = 0xC0000008; internal const uint STATUS_INVALID_SERVER_STATE = 0xC00000DC; internal const uint STATUS_INVALID_PARAMETER = 0xC000000D; internal const uint STATUS_NO_SUCH_PRIVILEGE = 0xC0000060; internal const uint STATUS_OBJECT_NAME_NOT_FOUND = 0xC0000034; internal const uint STATUS_UNSUCCESSFUL = 0xC0000001; private static readonly Dictionary<uint, string> LsaNtStatusMessages = new Dictionary<uint, string>{ {STATUS_SUCCESS, \\\"\\\"The operation completed successfully.\\\"\\\"}, {STATUS_ACCESS_DENIED, \\\"\\\"Access is denied.\\\"\\\"}, {STATUS_INSUFFICIENT_RESOURCES, \\\"\\\"There are not enough system resources to complete the call.\\\"\\\"}, {STATUS_INTERNAL_DB_ERROR, \\\"\\\"The LSA database contains an internal inconsistency.\\\"\\\"}, {STATUS_INVALID_HANDLE, \\\"\\\"An object or RPC handle is not valid.\\\"\\\"}, {STATUS_INVALID_SERVER_STATE, \\\"\\\"The LSA server is currently disabled.\\\"\\\"}, {STATUS_INVALID_PARAMETER, \\\"\\\"One of the parameters is not valid.\\\"\\\"}, {STATUS_NO_SUCH_PRIVILEGE, \\\"\\\"A specified privilege does not exist.\\\"\\\"}, {STATUS_OBJECT_NAME_NOT_FOUND, \\\"\\\"An object in the LSA policy database was not found.\\\"\\\"}, {STATUS_UNSUCCESSFUL, \\\"\\\"The requested operation was unsuccessful.\\\"\\\"}}; [Flags]public enum LsaPolicyAccessRights : uint{ POLICY_VIEW_LOCAL_INFORMATION = 0x00000001, POLICY_VIEW_AUDIT_INFORMATION = 0x00000002, POLICY_GET_PRIVATE_INFORMATION = 0x00000004, POLICY_TRUST_ADMIN = 0x00000008, POLICY_CREATE_ACCOUNT = 0x00000010, POLICY_CREATE_SECRET = 0x00000020, POLICY_CREATE_PRIVILEGE = 0x00000040, POLICY_SET_DEFAULT_QUOTA_LIMITS = 0x00000080, POLICY_SET_AUDIT_REQUIREMENTS = 0x00000100, POLICY_AUDIT_LOG_ADMIN = 0x00000200, POLICY_SERVER_ADMIN = 0x00000400, POLICY_LOOKUP_NAMES = 0x00000800, POLICY_NOTIFICATION = 0x00001000, POLICY_ALL_ACCESS = POLICY_VIEW_LOCAL_INFORMATION |POLICY_VIEW_AUDIT_INFORMATION |POLICY_GET_PRIVATE_INFORMATION |POLICY_TRUST_ADMIN |POLICY_CREATE_ACCOUNT |POLICY_CREATE_SECRET |POLICY_CREATE_PRIVILEGE |POLICY_SET_DEFAULT_QUOTA_LIMITS |POLICY_SET_AUDIT_REQUIREMENTS |POLICY_AUDIT_LOG_ADMIN |POLICY_SERVER_ADMIN |POLICY_LOOKUP_NAMES |POLICY_NOTIFICATION} [StructLayout(LayoutKind.Sequential)]internal struct LSA_UNICODE_STRING{ internal ushort Length; internal ushort MaximumLength; internal IntPtr Buffer; } [StructLayout(LayoutKind.Sequential)]internal struct LSA_OBJECT_ATTRIBUTES{ internal uint Length; internal IntPtr RootDirectory; internal IntPtr ObjectName; internal uint Attributes; internal IntPtr SecurityDescriptor; internal IntPtr SecurityQualityOfService; } public struct POLICY_AUDIT_EVENTS_INFO{ public bool AuditingMode; public IntPtr EventAuditingOptions; public Int32 MaximumAuditEventCount; } private static void HandleLsaNtStatus(uint ntStatusCode){ if (ntStatusCode == STATUS_SUCCESS){ return; } var winErrorCode = (int)(LsaNtStatusToWinError(ntStatusCode)); if (LsaNtStatusMessages.ContainsKey(ntStatusCode)){ throw new Win32Exception(winErrorCode, LsaNtStatusMessages[ntStatusCode]); } throw new Win32Exception(winErrorCode); } private static IntPtr GetLsaPolicyHandle(){ var systemName = new LSA_UNICODE_STRING(); var objectAttributes = new LSA_OBJECT_ATTRIBUTES{ Length = 0, RootDirectory = IntPtr.Zero, ObjectName = IntPtr.Zero, Attributes = 0, SecurityDescriptor = IntPtr.Zero, SecurityQualityOfService = IntPtr.Zero}; IntPtr lsaPolicyHandle; var ntStatus = LsaOpenPolicy(ref systemName, ref objectAttributes, (uint)(LsaPolicyAccessRights.POLICY_ALL_ACCESS), out lsaPolicyHandle); HandleLsaNtStatus(ntStatus); return lsaPolicyHandle; } public static Dictionary<string, int> GetAuditEventPolicy(){ var settings = new Dictionary<string, int>{ {\\\"\\\"System\\\"\\\", -1}, {\\\"\\\"Logon\\\"\\\", -1}, {\\\"\\\"Object Access\\\"\\\", -1}, {\\\"\\\"Privilige Use\\\"\\\", -1}, {\\\"\\\"Detailed Tracking\\\"\\\", -1}, {\\\"\\\"Policy Change\\\"\\\", -1}, {\\\"\\\"Account Management\\\"\\\", -1}, {\\\"\\\"Directory Service Access\\\"\\\", -1}, {\\\"\\\"Account Logon\\\"\\\", -1}}; var lsaPolicyHandle = GetLsaPolicyHandle(); try{ IntPtr outBuffer; uint policyType = 2; var ntStatus = LsaQueryInformationPolicy(lsaPolicyHandle, policyType, out outBuffer); if (ntStatus == STATUS_OBJECT_NAME_NOT_FOUND){ return settings; } HandleLsaNtStatus(ntStatus); var auditEventsInfo = Marshal.PtrToStructure<POLICY_AUDIT_EVENTS_INFO>(outBuffer); var values = new int[auditEventsInfo.MaximumAuditEventCount]; Marshal.Copy(auditEventsInfo.EventAuditingOptions, values, 0, auditEventsInfo.MaximumAuditEventCount); var categoryIndex = settings.Keys.ToArray(); for (int i = 0; i < values.Length; i++){ settings[categoryIndex[i]] = values[i]; } return settings; } finally{ var ntStatus = LsaClose(lsaPolicyHandle); HandleLsaNtStatus(ntStatus); } } } } \\\";$previousEncoding = [Console]::OutputEncoding;[Console]::OutputEncoding = [Text.Encoding]::UTF8;Add-Type -TypeDefinition $code -Language CSharp;@([AuditEventPolicy.Collect]::GetAuditEventPolicy()) | ConvertTo-Json;[Console]::OutputEncoding = $previousEncoding;\"",
292+
"commandLine": "PowerShell \"$code = \\\"using System; using System.Linq; using System.Collections.Generic; using System.ComponentModel; using System.Runtime.InteropServices; using System.Security.Principal; using System.Text; namespace AuditEventPolicy { public class Collect { [DllImport(\\\"\\\"advapi32.dll\\\"\\\", SetLastError = false)] private static extern uint LsaClose(IntPtr ObjectHandle); [DllImport(\\\"\\\"advapi32.dll\\\"\\\", SetLastError = true)] private static extern uint LsaOpenPolicy( ref LSA_UNICODE_STRING SystemName, ref LSA_OBJECT_ATTRIBUTES ObjectAttributes, uint DesiredAccess, out IntPtr PolicyHandle); [DllImport(\\\"\\\"advapi32.dll\\\"\\\", SetLastError = false)] private static extern uint LsaNtStatusToWinError(uint status); [DllImport(\\\"\\\"advapi32.dll\\\"\\\")] private static extern uint LsaQueryInformationPolicy(IntPtr PolicyHandle, uint InformationClass, out IntPtr Buffer); internal const uint STATUS_SUCCESS = 0x00000000; internal const uint STATUS_ACCESS_DENIED = 0xC0000022; internal const uint STATUS_INSUFFICIENT_RESOURCES = 0xC000009A; internal const uint STATUS_INTERNAL_DB_ERROR = 0xC0000158; internal const uint STATUS_INVALID_HANDLE = 0xC0000008; internal const uint STATUS_INVALID_SERVER_STATE = 0xC00000DC; internal const uint STATUS_INVALID_PARAMETER = 0xC000000D; internal const uint STATUS_NO_SUCH_PRIVILEGE = 0xC0000060; internal const uint STATUS_OBJECT_NAME_NOT_FOUND = 0xC0000034; internal const uint STATUS_UNSUCCESSFUL = 0xC0000001; private static readonly Dictionary<uint, string> LsaNtStatusMessages = new Dictionary<uint, string>{ {STATUS_SUCCESS, \\\"\\\"The operation completed successfully.\\\"\\\"}, {STATUS_ACCESS_DENIED, \\\"\\\"Access is denied.\\\"\\\"}, {STATUS_INSUFFICIENT_RESOURCES, \\\"\\\"There are not enough system resources to complete the call.\\\"\\\"}, {STATUS_INTERNAL_DB_ERROR, \\\"\\\"The LSA database contains an internal inconsistency.\\\"\\\"}, {STATUS_INVALID_HANDLE, \\\"\\\"An object or RPC handle is not valid.\\\"\\\"}, {STATUS_INVALID_SERVER_STATE, \\\"\\\"The LSA server is currently disabled.\\\"\\\"}, {STATUS_INVALID_PARAMETER, \\\"\\\"One of the parameters is not valid.\\\"\\\"}, {STATUS_NO_SUCH_PRIVILEGE, \\\"\\\"A specified privilege does not exist.\\\"\\\"}, {STATUS_OBJECT_NAME_NOT_FOUND, \\\"\\\"An object in the LSA policy database was not found.\\\"\\\"}, {STATUS_UNSUCCESSFUL, \\\"\\\"The requested operation was unsuccessful.\\\"\\\"}}; [Flags]public enum LsaPolicyAccessRights : uint{ POLICY_VIEW_LOCAL_INFORMATION = 0x00000001, POLICY_VIEW_AUDIT_INFORMATION = 0x00000002, POLICY_GET_PRIVATE_INFORMATION = 0x00000004, POLICY_TRUST_ADMIN = 0x00000008, POLICY_CREATE_ACCOUNT = 0x00000010, POLICY_CREATE_SECRET = 0x00000020, POLICY_CREATE_PRIVILEGE = 0x00000040, POLICY_SET_DEFAULT_QUOTA_LIMITS = 0x00000080, POLICY_SET_AUDIT_REQUIREMENTS = 0x00000100, POLICY_AUDIT_LOG_ADMIN = 0x00000200, POLICY_SERVER_ADMIN = 0x00000400, POLICY_LOOKUP_NAMES = 0x00000800, POLICY_NOTIFICATION = 0x00001000, POLICY_ALL_ACCESS = POLICY_VIEW_LOCAL_INFORMATION |POLICY_VIEW_AUDIT_INFORMATION |POLICY_GET_PRIVATE_INFORMATION |POLICY_TRUST_ADMIN |POLICY_CREATE_ACCOUNT |POLICY_CREATE_SECRET |POLICY_CREATE_PRIVILEGE |POLICY_SET_DEFAULT_QUOTA_LIMITS |POLICY_SET_AUDIT_REQUIREMENTS |POLICY_AUDIT_LOG_ADMIN |POLICY_SERVER_ADMIN |POLICY_LOOKUP_NAMES |POLICY_NOTIFICATION} [StructLayout(LayoutKind.Sequential)]internal struct LSA_UNICODE_STRING{ internal ushort Length; internal ushort MaximumLength; internal IntPtr Buffer; } [StructLayout(LayoutKind.Sequential)]internal struct LSA_OBJECT_ATTRIBUTES{ internal uint Length; internal IntPtr RootDirectory; internal IntPtr ObjectName; internal uint Attributes; internal IntPtr SecurityDescriptor; internal IntPtr SecurityQualityOfService; } public struct POLICY_AUDIT_EVENTS_INFO{ public bool AuditingMode; public IntPtr EventAuditingOptions; public Int32 MaximumAuditEventCount; } private static void HandleLsaNtStatus(uint ntStatusCode){ if (ntStatusCode == STATUS_SUCCESS){ return; } var winErrorCode = (int)(LsaNtStatusToWinError(ntStatusCode)); if (LsaNtStatusMessages.ContainsKey(ntStatusCode)){ throw new Win32Exception(winErrorCode, LsaNtStatusMessages[ntStatusCode]); } throw new Win32Exception(winErrorCode); } private static IntPtr GetLsaPolicyHandle(){ var systemName = new LSA_UNICODE_STRING(); var objectAttributes = new LSA_OBJECT_ATTRIBUTES{ Length = 0, RootDirectory = IntPtr.Zero, ObjectName = IntPtr.Zero, Attributes = 0, SecurityDescriptor = IntPtr.Zero, SecurityQualityOfService = IntPtr.Zero}; IntPtr lsaPolicyHandle; var ntStatus = LsaOpenPolicy(ref systemName, ref objectAttributes, (uint)(LsaPolicyAccessRights.POLICY_ALL_ACCESS), out lsaPolicyHandle); HandleLsaNtStatus(ntStatus); return lsaPolicyHandle; } public static Dictionary<string, int> GetAuditEventPolicy(){ var settings = new Dictionary<string, int>{ {\\\"\\\"System\\\"\\\", -1}, {\\\"\\\"Logon\\\"\\\", -1}, {\\\"\\\"Object Access\\\"\\\", -1}, {\\\"\\\"Privilege Use\\\"\\\", -1}, {\\\"\\\"Detailed Tracking\\\"\\\", -1}, {\\\"\\\"Policy Change\\\"\\\", -1}, {\\\"\\\"Account Management\\\"\\\", -1}, {\\\"\\\"Directory Service Access\\\"\\\", -1}, {\\\"\\\"Account Logon\\\"\\\", -1}}; var lsaPolicyHandle = GetLsaPolicyHandle(); try{ IntPtr outBuffer; uint policyType = 2; var ntStatus = LsaQueryInformationPolicy(lsaPolicyHandle, policyType, out outBuffer); if (ntStatus == STATUS_OBJECT_NAME_NOT_FOUND){ return settings; } HandleLsaNtStatus(ntStatus); var auditEventsInfo = Marshal.PtrToStructure<POLICY_AUDIT_EVENTS_INFO>(outBuffer); var values = new int[auditEventsInfo.MaximumAuditEventCount]; Marshal.Copy(auditEventsInfo.EventAuditingOptions, values, 0, auditEventsInfo.MaximumAuditEventCount); var categoryIndex = settings.Keys.ToArray(); for (int i = 0; i < values.Length; i++){ settings[categoryIndex[i]] = values[i]; } return settings; } finally{ var ntStatus = LsaClose(lsaPolicyHandle); HandleLsaNtStatus(ntStatus); } } } } \\\";$previousEncoding = [Console]::OutputEncoding;[Console]::OutputEncoding = [Text.Encoding]::UTF8;Add-Type -TypeDefinition $code -Language CSharp;@([AuditEventPolicy.Collect]::GetAuditEventPolicy()) | ConvertTo-Json;[Console]::OutputEncoding = $previousEncoding;\"",
292293
"cseSignal": {},
293294
"day": 18,
294295
"description": "A new process has been created",

0 commit comments

Comments
 (0)