Thanks Andrew -
Are there any examples of multiple trigger functions that anyone has done? The documentation for the functions seems like I would still have the same issue of the TPL order of things:
Since Triggers comes before the Body where you would do the functions .. logically it seems like I can't do it?
Unless you can write one big TPL and 'wrap up' 2 completely different sections of code:
Based on your requirement:
I want this pattern to trigger EVERY UNIX server .. OR where Discoveredprocess Finds "ABCD.EXE"
I think a simple workaround would be to identify 2 DiscoveredProcesses - one being a nominal unix process. Something like this:
triggers
    on p := DiscoveredProcess where cmd matches "^/\S+" or cmd matches "ABCD.EXE";
end triggers;
"/" is part of the standard Unix FS path; Windows processes would not start with it. I can't say it would be 100% foolproof. You might have some exceptions if a Unix Host is only running binaries without a path (but this would be very odd and rare), and of course Unix hosts with no DiscoveredProcesses (due to some failure with discovery) would also be missed.
Is there a way to do an "if" statement in the body?
This is another option if triggering on something like DeviceInfo (rather than Host).
triggers
    on d := DeviceInfo where device_type = "Windows Server" or device_type = "UNIX Server";
end triggers;

body
    ap := discovery.allProcesses(d);
    p := search(ap where cmd matches "ABCD.EXE");
    if size(p) > 0 then
        <do something>....
    elif d.device_type = "UNIX Server" then
        <do something>....
    else
        stop;
    end if;
end body;
There may be other ways to skin the cat but that's off the top of my head.
Both of these are much less efficient than just having two patterns.
definitions work 1.0
    type := function;
    // normal code
end definitions;

pattern fromWindowsHost 1.0
    triggers
        on process := DiscoveredProcess where cmd matches windows_exe "abcd";
    end triggers;
end pattern;

pattern fromUnixHost 1.0
    triggers
        on host := Host created, confirmed where type = 'UNIX Server';
    end triggers;
end pattern;
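A fuller sketch of that shared-function layout, added here as an illustration rather than any poster's code: one definitions block holds the common logic, and two thin patterns (one per trigger) call it from their body, so each trigger type stays in its own pattern as the reply recommends. The module, definitions, pattern and function names, the tpl version line, and what the helper does (it only writes a log line) are assumptions; the Windows trigger uses the plain regex form of matches already used in this thread. Check the syntax against the TPL reference for your Discovery version.

```tpl
tpl 1.10 module SharedBodyExample;

metadata
    origin := "Custom";
    tree_path := "Custom", "Examples";
end metadata;

definitions Work 1.0
    """
    Helper shared by both trigger patterns (assumed name and body).
    """
    type := function;

    define handleHost(host) -> result
        """Runs the common logic once, whichever trigger fired."""
        // Assumed body: just record which host was processed.
        log.info("Processing host %host.name% (type %host.type%)");
        result := host.name;
        return result;
    end define;
end definitions;

pattern FromWindowsProcess 1.0
    """
    Fires when a process whose command matches ABCD.EXE is seen on any host.
    """
    overview
        tags example;
    end overview;

    triggers
        on process := DiscoveredProcess where cmd matches "ABCD\.EXE";
    end triggers;

    body
        // Resolve the Host node that owns the process, then run the shared logic.
        host := model.host(process);
        Work.handleHost(host);
    end body;
end pattern;

pattern FromUnixHost 1.0
    """
    Fires once for every newly created or confirmed UNIX Server host.
    """
    overview
        tags example;
    end overview;

    triggers
        on host := Host created, confirmed where type = "UNIX Server";
    end triggers;

    body
        Work.handleHost(host);
    end body;
end pattern;
```

Keeping the two triggers in separate patterns means each pattern only wakes up for the nodes it actually cares about, while the body logic lives in exactly one place.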
Thank you both for the suggestions. I was on kind of a time crunch today and wanted to get something in before the weekend scans. I'm still pretty new to TPL so I went the easy route. For now I just went with 2 completely separate patterns.
Now that I have a working solution .. I will spend some time next week reviewing your suggestions and see if I can't clean it up into 1 pattern.
I appreciate the ideas, have a good weekend! I will post follow-ups later!