6 Replies Latest reply on Sep 2, 2016 12:40 PM by Jeff Sikorski

    multiple triggers tpl

    Jeff Sikorski

      I'm trying to write a single pattern that will encompass both UNIX and Windows servers into the same TPL code.  The last resort way is to just create separate patterns, one for Windows and one for UNIX.

      In a perfect world I want the trigger to be able to do multiple things. 

      This is a trigger that would fire off on any UNIX or Windows Server

        triggers
          on host := Host created, confirmed where type = 'UNIX Server' or type='Windows Server';
        end triggers;
      
      But I also want this:

        triggers
            on process := DiscoveredProcess where (cmd matches regex "abcd.exe")
        end triggers;
      
      Obviously I wouldn't need the "or type='Windows Server'" in the first if I could do multiple different trigger types.  I would rather do it on the DiscoveredProcess.

      But since I'm doing one "on host" and the other "on process", I'm not sure how to get them into the same code.

      I want this pattern to trigger EVERY UNIX server .. OR where DiscoveredProcess finds "ABCD.EXE"

      If I kept

      on host := Host created, confirmed where type = 'UNIX Server' or type='Windows Server';
      
      Is there a way to do an "if" statement in the body where I can do like a:

      if host.DiscoveredProcess matches regex "abcd.exe" then
          <do_stuff>;
      end if;
      
      Essentially -- I'd prefer not to <do_stuff> on Windows Servers that don't have the process running.  It wouldn't be the end of the world, but unnecessary bandwidth.  I'm wondering what logic I'm missing that would solve my problem and keep everything in the same pattern?

      Ideal trigger:

        triggers
            on host := Host created, confirmed where type = 'UNIX Server'
         or on process := DiscoveredProcess where (cmd matches regex "abcd.exe");
        end triggers;
      
      Again -- worst case scenario I just give up my dream of putting them into the same TPL and do 2 separate TPLs if that's my only option.

      Thanks,

      Jeff

        • 1. Re: multiple triggers tpl
          Andrew Waters

          You can't combine two triggers.

          Write a function with the main code and two patterns with appropriate triggers which call that function.

          • 2. Re: multiple triggers tpl
            Jeff Sikorski

            Thanks Andrew -

            Are there any examples of multiple trigger functions that anyone has done?  The documentation for the functions seems like I would still have the same issue of the TPL order of things:
            1) Overview
            2) Triggers
            3) Body

            Since Triggers comes before the Body where you would do the functions .. logically it seems like I can't do it?

            Unless you can write one big TPL and 'wrap up' 2 completely different sections of code:

            Pattern
            Metadata

            Overview
            Constants

            {

            TriggersA
            BodyA
            <Stuff>
            End BodyA
            }

            {
            TriggerB
            BodyB
            <stuff>
            End BodyB
            }

            ~Jeff

            • 3. Re: multiple triggers tpl
              Wes Moskal-Fitzpatrick

              Hi Jeff,

              Based on your requirement:

              I want this pattern to trigger EVERY UNIX server .. OR where DiscoveredProcess finds "ABCD.EXE"

              I think a simple workaround would be to identify 2 DiscoveredProcesses - one being a nominal unix process. Something like this:

              triggers
                on p := DiscoveredProcess where cmd matches "^/\S+" or cmd matches "ABCD.EXE";
              end triggers;
              
              "/" is part of the standard Unix FS path - Windows processes would not start with it. I can't say it would be 100% foolproof - you might have some exceptions if a Unix host is only running binaries without a path (but this would be very odd and rare), and of course Unix hosts with no DiscoveredProcesses (due to some failure with discovery) would also be missed.

              Is there a way to do an "if" statement in the body

              This is another option if triggering on something like DeviceInfo (rather than Host).

              triggers
                on d := DeviceInfo where device_type = "Windows Server" or device_type = "UNIX Server";
              end triggers;

              body
                // all DiscoveredProcess nodes found on this device
                ap := discovery.allProcesses(d);
                // a list search over that list needs the "in" keyword
                p := search(in ap where cmd matches "ABCD.EXE");

                if size(p) > 0 then
                  <do something>....
                elif d.device_type = "UNIX Server" then
                  <do something>....
                else
                  stop;
                end if;
              end body;

              There may be other ways to skin the cat but that's off the top of my head.

              • 4. Re: multiple triggers tpl
                Andrew Waters

                Both of these are much less efficient than just having two patterns.

                • 5. Re: multiple triggers tpl
                  Andrew Waters

                  definitions work 1.0
                    'Definitions info'
                    type := function;

                    define doWork(host)
                      'Define doWork'
                      // normal code
                    end define;
                  end definitions;

                  pattern fromWindowsHost 1.0
                    '''Windows.'''
                    overview
                      tags test;
                    end overview;

                    triggers
                      on process := DiscoveredProcess where cmd matches windows_exe "abcd";
                    end triggers;

                    body
                      work.doWork(model.host(process));
                    end body;
                  end pattern;

                  pattern fromUnixHost 1.0
                    '''Unix.'''
                    overview
                      tags test;
                    end overview;

                    triggers
                      on host := Host created, confirmed where type = 'UNIX Server';
                    end triggers;

                    body
                      work.doWork(host);
                    end body;
                  end pattern;

                  • 6. Re: multiple triggers tpl
                    Jeff Sikorski

                    Thank you both for the suggestions.  I was on kind of a time crunch today and wanted to get something in before the weekend scans. I'm still pretty new to TPL so I went the easy route.  For now I just went with 2 completely separate patterns.

                    Now that I have a working solution .. I will spend some time next week reviewing your suggestions and see if I can't clean it up into 1 pattern.

                    I appreciate the ideas, have a good weekend!  I will post follow-ups later!

                    ~Jeff