Create an Asset Mapping
Asset mapping helps with future Malop investigations because it gives you a solid understanding of the resources in your environment before an incident occurs. Use the API to map assets such as operating systems, servers, network connections, and available IT tools.
The example queries in this section are meant to be a starting point for your investigations. You may need to update the Features (filters) in each query to use indicators specific to your environment or situation. Note that these queries identify server roles by case-insensitive substring matches on service display names, so they can over-match (for example, "sql" also matches unrelated services whose names contain that string) and can miss services that have been renamed or that run outside the service manager. Treat the results as an initial inventory to verify, not as an authoritative asset list.
In this topic:
Web servers
Use the following request to locate web servers of interest by searching server-class machines for active services whose names are most commonly found on web servers (apache, nginx, IIS, tomcat).
Request
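# Authenticate before calling the API: obtain the session cookie by posting
# your credentials to /login.html (see the Python example on this page), save
# it with --cookie-jar, and replay it here with --cookie. Without that cookie
# this request is unauthenticated and is rejected (or answered with the login
# page instead of query results).
# Use the server's hostname as it appears on its TLS certificate; do not work
# around certificate errors with --insecure/-k.
curl --request POST \
--cookie cookies.txt \
--url https://12.34.56.78/rest/visualsearch/query/simple \
--header 'Content-Type: application/json' \
--data '{
"queryPath": [
{
"requestedType": "Machine",
"filters": [
{
"facetName": "osVersionType",
"values": [
"server"
],
"filterType": "ContainsIgnoreCase"
}
],
"connectionFeature": {
"elementInstanceType": "Machine",
"featureName": "services"
}
},
{
"requestedType": "Service",
"filters": [
{
"facetName": "elementDisplayName",
"values": [
"apache",
"nginx",
"IIS",
"tomcat"
],
"filterType": "ContainsIgnoreCase"
},
{
"facetName": "isActive",
"values": [
true
],
"filterType": null
}
],
"isResult": true
}
],
"totalResultLimit": 100,
"perGroupLimit": 10,
"perFeatureLimit": 10,
"templateContext": "DETAILS",
"queryTimeout": 120000,
"customFields": [
"elementDisplayName",
"displayName",
"description",
"commandLineArguments",
"binaryFile",
"isActive",
"startType",
"ownerMachine",
"process",
"endTime"
]
}'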
Request
Use this request body:
{
"queryPath": [
{
"requestedType": "Machine",
"filters": [
{
"facetName": "osVersionType",
"values": [
"server"
],
"filterType": "ContainsIgnoreCase"
}
],
"connectionFeature": {
"elementInstanceType": "Machine",
"featureName": "services"
}
},
{
"requestedType": "Service",
"filters": [
{
"facetName": "elementDisplayName",
"values": [
"apache",
"nginx",
"IIS",
"tomcat"
],
"filterType": "ContainsIgnoreCase"
},
{
"facetName": "isActive",
"values": [
true
],
"filterType": null
}
],
"isResult": true
}
],
"totalResultLimit": 100,
"perGroupLimit": 10,
"perFeatureLimit": 10,
"templateContext": "DETAILS",
"queryTimeout": 120000,
"customFields": [
"elementDisplayName",
"displayName",
"description",
"commandLineArguments",
"binaryFile",
"isActive",
"startType",
"ownerMachine",
"process",
"endTime"
]
}
Request
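import getpass
import json
import os

import requests

# Login information.
# Credentials are read from the environment (falling back to an interactive
# prompt) instead of being hard-coded, so the script can be shared or committed
# without leaking a password. Use a dedicated, least-privilege API account.
username = os.environ.get("API_USERNAME") or input("Username: ")
password = os.environ.get("API_PASSWORD") or getpass.getpass("Password: ")
server = "myserver.com"
port = "443"
# requests has no default timeout; without one a stalled server blocks this
# script forever. Kept above the 120000 ms queryTimeout sent in the body.
http_timeout = 150
data = {
    "username": username,
    "password": password,
}
base_url = "https://" + server + ":" + port
login_url = base_url + "/login.html"
session = requests.session()
# verify=True keeps TLS certificate validation on. Never "fix" a certificate
# error by setting it to False; trust the server's CA certificate instead.
login_response = session.post(login_url, data=data, verify=True, timeout=http_timeout)
login_response.raise_for_status()
print(login_response.status_code)
# The session cookie is the bearer credential for every call that follows, so
# it is deliberately NOT printed: stdout frequently ends up in logs or tickets.
# A failed form login usually leaves no session cookie (confirm against your
# server); a failure is also caught below when the API returns non-JSON.
if not session.cookies:
    raise SystemExit("Login returned no session cookie; check the credentials and server address.")
# Request URL
endpoint_url = "/rest/visualsearch/query/simple"
api_url = base_url + endpoint_url
# These are the variables that represent different fields in the request.
query_element_1 = "Machine"
query_element_1_filter = "osVersionType"
# "server" (matched case-insensitively) covers every server OS type, consistent
# with the curl/JSON examples in this section; the previous value
# "Windows_Server_2016" silently excluded non-Windows hosts running nginx or
# apache. Narrow it again only if you intentionally want a single OS version.
query_element_1_filter_value = "server"
linking_element = "Machine"
linking_feature = "services"
query_element_2 = "Service"
query_element_2_filter = "elementDisplayName"
query_element_2_filter_value_1 = "apache"
query_element_2_filter_value_2 = "nginx"
query_element_2_filter_value_3 = "IIS"
query_element_2_filter_value_4 = "tomcat"
query_element_2_filter_2 = "isActive"
query = json.dumps({
    "queryPath": [
        {
            "requestedType": query_element_1,
            "filters": [
                {
                    "facetName": query_element_1_filter,
                    "values": [query_element_1_filter_value],
                    "filterType": "ContainsIgnoreCase",
                }
            ],
            "connectionFeature": {
                "elementInstanceType": linking_element,
                "featureName": linking_feature,
            },
        },
        {
            "requestedType": query_element_2,
            "filters": [
                {
                    "facetName": query_element_2_filter,
                    "values": [
                        query_element_2_filter_value_1,
                        query_element_2_filter_value_2,
                        query_element_2_filter_value_3,
                        query_element_2_filter_value_4,
                    ],
                    "filterType": "ContainsIgnoreCase",
                },
                {
                    "facetName": query_element_2_filter_2,
                    "values": [True],
                    "filterType": "Equals",
                },
            ],
            "isResult": True,
        },
    ],
    "totalResultLimit": 100,
    "perGroupLimit": 10,
    "perFeatureLimit": 10,
    "templateContext": "DETAILS",
    "queryTimeout": 120000,
    "customFields": [
        "elementDisplayName",
        "displayName",
        "description",
        "commandLineArguments",
        "binaryFile",
        "isActive",
        "startType",
        "ownerMachine",
        "process",
        "endTime",
    ],
})
api_headers = {"Content-Type": "application/json"}
api_response = session.post(api_url, data=query, headers=api_headers, timeout=http_timeout)
# Fail loudly on an HTTP error instead of handing an error page to the parser.
api_response.raise_for_status()
# An unauthenticated session may be answered with an HTML login page and a
# 200 status rather than an HTTP error, so a non-JSON body is treated as a
# failed login instead of an unexplained traceback.
try:
    your_response = api_response.json()
except ValueError as err:
    raise SystemExit("API response was not JSON; the session is probably not authenticated.") from err
print(json.dumps(your_response, indent=4, sort_keys=True))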
Database servers
Use this request to locate database servers of interest by searching server-class machines for services whose names contain strings most commonly found on database servers (sql, mysql, mongodb). Because "sql" is a substring match, expect some unrelated services in the results.
Request
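# Authenticate before calling the API: obtain the session cookie by posting
# your credentials to /login.html (see the Python example on this page), save
# it with --cookie-jar, and replay it here with --cookie. Without that cookie
# this request is unauthenticated and is rejected (or answered with the login
# page instead of query results).
# Use the server's hostname as it appears on its TLS certificate; do not work
# around certificate errors with --insecure/-k.
curl --request POST \
--cookie cookies.txt \
--url https://12.34.56.78/rest/visualsearch/query/simple \
--header 'Content-Type: application/json' \
--data '{
"queryPath": [
{
"requestedType": "Machine",
"filters": [
{
"facetName": "osVersionType",
"values": [
"server"
],
"filterType": "ContainsIgnoreCase"
}
],
"connectionFeature": {
"elementInstanceType": "Machine",
"featureName": "services"
}
},
{
"requestedType": "Service",
"filters": [
{
"facetName": "elementDisplayName",
"values": [
"sql",
"mysql",
"mongodb"
],
"filterType": "ContainsIgnoreCase"
}
],
"isResult": true
}
],
"totalResultLimit": 100,
"perGroupLimit": 10,
"perFeatureLimit": 10,
"templateContext": "SPECIFIC",
"queryTimeout": 120000,
"customFields": [
"elementDisplayName",
"displayName",
"description",
"commandLineArguments",
"binaryFile",
"isActive",
"startType",
"ownerMachine",
"process",
"endTime"
]
}'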
Request
Use this request body:
{
"queryPath": [
{
"requestedType": "Machine",
"filters": [
{
"facetName": "osVersionType",
"values": [
"server"
],
"filterType": "ContainsIgnoreCase"
}
],
"connectionFeature": {
"elementInstanceType": "Machine",
"featureName": "services"
}
},
{
"requestedType": "Service",
"filters": [
{
"facetName": "elementDisplayName",
"values": [
"sql",
"mysql",
"mongodb"
],
"filterType": "ContainsIgnoreCase"
}
],
"isResult": true
}
],
"totalResultLimit": 100,
"perGroupLimit": 10,
"perFeatureLimit": 10,
"templateContext": "SPECIFIC",
"queryTimeout": 120000,
"customFields": [
"elementDisplayName",
"displayName",
"description",
"commandLineArguments",
"binaryFile",
"isActive",
"startType",
"ownerMachine",
"process",
"endTime"
]
}
Request
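import getpass
import json
import os

import requests

# Login information.
# Credentials are read from the environment (falling back to an interactive
# prompt) instead of being hard-coded, so the script can be shared or committed
# without leaking a password. Use a dedicated, least-privilege API account.
username = os.environ.get("API_USERNAME") or input("Username: ")
password = os.environ.get("API_PASSWORD") or getpass.getpass("Password: ")
server = "yourserver.com"
port = "443"
# requests has no default timeout; without one a stalled server blocks this
# script forever. Kept above the 120000 ms queryTimeout sent in the body.
http_timeout = 150
data = {
    "username": username,
    "password": password,
}
base_url = "https://" + server + ":" + port
login_url = base_url + "/login.html"
session = requests.session()
# verify=True keeps TLS certificate validation on. Never "fix" a certificate
# error by setting it to False; trust the server's CA certificate instead.
login_response = session.post(login_url, data=data, verify=True, timeout=http_timeout)
login_response.raise_for_status()
print(login_response.status_code)
# The session cookie is the bearer credential for every call that follows, so
# it is deliberately NOT printed: stdout frequently ends up in logs or tickets.
# A failed form login usually leaves no session cookie (confirm against your
# server); a failure is also caught below when the API returns non-JSON.
if not session.cookies:
    raise SystemExit("Login returned no session cookie; check the credentials and server address.")
# Request URL
endpoint_url = "/rest/visualsearch/query/simple"
api_url = base_url + endpoint_url
# These are the variables that represent different fields in the request.
query_element_1 = "Machine"
query_element_1_filter = "osVersionType"
# "server" (matched case-insensitively) covers every server OS type, consistent
# with the curl/JSON examples in this section; the previous value
# "Windows_Server_2016" silently excluded non-Windows database hosts.
# Narrow it again only if you intentionally want a single OS version.
query_element_1_filter_value = "server"
linking_element = "Machine"
linking_feature = "services"
query_element_2 = "Service"
query_element_2_filter = "elementDisplayName"
# Substring matches: "sql" also hits unrelated services whose display name
# contains that string, so review the results rather than trusting them blindly.
query_element_2_filter_value_1 = "sql"
query_element_2_filter_value_2 = "mysql"
query_element_2_filter_value_3 = "mongodb"
query = json.dumps({
    "queryPath": [
        {
            "requestedType": query_element_1,
            "filters": [
                {
                    "facetName": query_element_1_filter,
                    "values": [query_element_1_filter_value],
                    "filterType": "ContainsIgnoreCase",
                }
            ],
            "connectionFeature": {
                "elementInstanceType": linking_element,
                "featureName": linking_feature,
            },
        },
        {
            "requestedType": query_element_2,
            "filters": [
                {
                    "facetName": query_element_2_filter,
                    "values": [
                        query_element_2_filter_value_1,
                        query_element_2_filter_value_2,
                        query_element_2_filter_value_3,
                    ],
                    "filterType": "ContainsIgnoreCase",
                }
            ],
            "isResult": True,
        },
    ],
    "totalResultLimit": 100,
    "perGroupLimit": 10,
    "perFeatureLimit": 10,
    "templateContext": "SPECIFIC",
    "queryTimeout": 120000,
    "customFields": [
        "elementDisplayName",
        "displayName",
        "description",
        "commandLineArguments",
        "binaryFile",
        "isActive",
        "startType",
        "ownerMachine",
        "process",
        "endTime",
    ],
})
api_headers = {"Content-Type": "application/json"}
api_response = session.post(api_url, data=query, headers=api_headers, timeout=http_timeout)
# Fail loudly on an HTTP error instead of handing an error page to the parser.
api_response.raise_for_status()
# An unauthenticated session may be answered with an HTML login page and a
# 200 status rather than an HTTP error, so a non-JSON body is treated as a
# failed login instead of an unexplained traceback.
try:
    your_response = api_response.json()
except ValueError as err:
    raise SystemExit("API response was not JSON; the session is probably not authenticated.") from err
print(json.dumps(your_response, indent=4, sort_keys=True))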
Mail servers
Use this request to locate mail servers of interest by searching server-class machines for services whose names contain strings commonly found on mail servers (Exchange, Lotus, smtp, pop3, imap).
Request
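# Authenticate before calling the API: obtain the session cookie by posting
# your credentials to /login.html (see the Python example on this page), save
# it with --cookie-jar, and replay it here with --cookie. Without that cookie
# this request is unauthenticated and is rejected (or answered with the login
# page instead of query results).
# Use the server's hostname as it appears on its TLS certificate; do not work
# around certificate errors with --insecure/-k.
curl --request POST \
--cookie cookies.txt \
--url https://12.34.56.78/rest/visualsearch/query/simple \
--header 'Content-Type: application/json' \
--data '{
"queryPath": [
{
"requestedType": "Machine",
"filters": [
{
"facetName": "osVersionType",
"values": [
"server"
],
"filterType": "ContainsIgnoreCase"
}
],
"connectionFeature": {
"elementInstanceType": "Machine",
"featureName": "services"
}
},
{
"requestedType": "Service",
"filters": [
{
"facetName": "elementDisplayName",
"values": [
"Exchange",
"Lotus",
"smtp",
"pop3",
"imap"
],
"filterType": "ContainsIgnoreCase"
}
],
"isResult": true
}
],
"totalResultLimit": 100,
"perGroupLimit": 10,
"perFeatureLimit": 10,
"templateContext": "SPECIFIC",
"queryTimeout": 120000,
"customFields": [
"elementDisplayName",
"displayName",
"description",
"commandLineArguments",
"binaryFile",
"isActive",
"startType",
"ownerMachine",
"process",
"endTime"
]
}'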
Request
Use this request body:
{
"queryPath": [
{
"requestedType": "Machine",
"filters": [
{
"facetName": "osVersionType",
"values": [
"server"
],
"filterType": "ContainsIgnoreCase"
}
],
"connectionFeature": {
"elementInstanceType": "Machine",
"featureName": "services"
}
},
{
"requestedType": "Service",
"filters": [
{
"facetName": "elementDisplayName",
"values": [
"Exchange",
"Lotus",
"smtp",
"pop3",
"imap"
],
"filterType": "ContainsIgnoreCase"
}
],
"isResult": true
}
],
"totalResultLimit": 100,
"perGroupLimit": 10,
"perFeatureLimit": 10,
"templateContext": "SPECIFIC",
"queryTimeout": 120000,
"customFields": [
"elementDisplayName",
"displayName",
"description",
"commandLineArguments",
"binaryFile",
"isActive",
"startType",
"ownerMachine",
"process",
"endTime"
]
}
Request
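import getpass
import json
import os

import requests

# Login information.
# Credentials are read from the environment (falling back to an interactive
# prompt) instead of being hard-coded, so the script can be shared or committed
# without leaking a password. Use a dedicated, least-privilege API account.
username = os.environ.get("API_USERNAME") or input("Username: ")
password = os.environ.get("API_PASSWORD") or getpass.getpass("Password: ")
server = "yourserver.com"
port = "443"
# requests has no default timeout; without one a stalled server blocks this
# script forever. Kept above the 120000 ms queryTimeout sent in the body.
http_timeout = 150
data = {
    "username": username,
    "password": password,
}
base_url = "https://" + server + ":" + port
login_url = base_url + "/login.html"
session = requests.session()
# verify=True keeps TLS certificate validation on. Never "fix" a certificate
# error by setting it to False; trust the server's CA certificate instead.
login_response = session.post(login_url, data=data, verify=True, timeout=http_timeout)
login_response.raise_for_status()
print(login_response.status_code)
# The session cookie is the bearer credential for every call that follows, so
# it is deliberately NOT printed: stdout frequently ends up in logs or tickets.
# A failed form login usually leaves no session cookie (confirm against your
# server); a failure is also caught below when the API returns non-JSON.
if not session.cookies:
    raise SystemExit("Login returned no session cookie; check the credentials and server address.")
# Request URL
endpoint_url = "/rest/visualsearch/query/simple"
api_url = base_url + endpoint_url
# These are the variables that represent different fields in the request.
query_element_1 = "Machine"
query_element_1_filter = "osVersionType"
# "server" (matched case-insensitively) covers every server OS type, consistent
# with the curl/JSON examples in this section; the previous value
# "Windows_Server_2016" silently excluded non-Windows mail hosts.
# Narrow it again only if you intentionally want a single OS version.
query_element_1_filter_value = "server"
linking_element = "Machine"
linking_feature = "services"
query_element_2 = "Service"
query_element_2_filter = "elementDisplayName"
query_element_2_filter_value_1 = "Exchange"
query_element_2_filter_value_2 = "Lotus"
query_element_2_filter_value_3 = "smtp"
query_element_2_filter_value_4 = "imap"
query_element_2_filter_value_5 = "pop3"
query = json.dumps({
    "queryPath": [
        {
            "requestedType": query_element_1,
            "filters": [
                {
                    "facetName": query_element_1_filter,
                    "values": [query_element_1_filter_value],
                    "filterType": "ContainsIgnoreCase",
                }
            ],
            "connectionFeature": {
                "elementInstanceType": linking_element,
                "featureName": linking_feature,
            },
        },
        {
            "requestedType": query_element_2,
            "filters": [
                {
                    "facetName": query_element_2_filter,
                    "values": [
                        query_element_2_filter_value_1,
                        query_element_2_filter_value_2,
                        query_element_2_filter_value_3,
                        query_element_2_filter_value_4,
                        query_element_2_filter_value_5,
                    ],
                    "filterType": "ContainsIgnoreCase",
                }
            ],
            "isResult": True,
        },
    ],
    "totalResultLimit": 100,
    "perGroupLimit": 10,
    "perFeatureLimit": 10,
    "templateContext": "SPECIFIC",
    "queryTimeout": 120000,
    "customFields": [
        "elementDisplayName",
        "displayName",
        "description",
        "commandLineArguments",
        "binaryFile",
        "isActive",
        "startType",
        "ownerMachine",
        "process",
        "endTime",
    ],
})
api_headers = {"Content-Type": "application/json"}
api_response = session.post(api_url, data=query, headers=api_headers, timeout=http_timeout)
# Fail loudly on an HTTP error instead of handing an error page to the parser.
api_response.raise_for_status()
# An unauthenticated session may be answered with an HTML login page and a
# 200 status rather than an HTTP error, so a non-JSON body is treated as a
# failed login instead of an unexplained traceback.
try:
    your_response = api_response.json()
except ValueError as err:
    raise SystemExit("API response was not JSON; the session is probably not authenticated.") from err
print(json.dumps(your_response, indent=4, sort_keys=True))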