The Guardicore Centra UI Insight plugin only lets Insight Queries run at a 4 hour minimum interval. This tool allows external schedules to run a query on any interval and fetch the results. It supports outputting the results to multiple different formats for consumption by other tools.
- Run multiple queries based on a standard configuration in
config.yml
- Run a single job via the job name and its configuration in
config.yml
- Run an ad-hoc query using
--query
- Label assets with
--label-agent
and--label-key
and--label-value
- Output to CSV
- Output to JSON
- Output to stdout
- Output to Elasticsearch
- Output to Memcached
- Clone the repository
pip install pipenv
pipenv install
- Add your jobs to
config.yaml
pipenv run python gc-insight.py
- Win
$ pipenv run python .\gc-insight.py -h
usage: gc-insight.py [-h] [--config CONFIG] [--query QUERY]
[--query-id QUERY_ID] [--job-name JOB_NAME] [--csv CSV]
[--json JSON] [--show-jobs] [--gc-timeout GC_TIMEOUT]
[--label-agents] [--label-key LABEL_KEY]
[--label-value LABEL_VALUE]
optional arguments:
-h, --help show this help message and exit
--config CONFIG The path to the configuration file
--query QUERY The OS Query you want to run
--query-id QUERY_ID Fetch the results from a previous query ID
--job-name JOB_NAME The job name you want to run manually
--csv CSV Output the results to a CSV, value is filename before extension
--json JSON Output the results to the screen in JSON format, value is filename before extension
--show-jobs Prints the configured jobs from the config.yml file
--gc-timeout GC_TIMEOUT How many seconds to wait for an Guardicore Insight query to finish before giving up
--label-agents Tells the tool to label the agents in the result set of the query
--label-key LABEL_KEY The key for the label
--label-value LABEL_VALUE The value for the label
Jobs are defined in yaml blocks like below
zscaler-status:
enabled: true
query: "SELECT * FROM services WHERE display_name in ('ZSAService','ZSATunnel') AND status in ('STOPPED','STOPPING')"
timeout: 300
label:
key: Zscaler Agent Status
value: Stopped
output:
csv:
stdout:
Outputs determine what to do with the results from the query, they can be sent to elasticsearch
, csv
, json
or just to stdout
Some outputs require additional configuration to connect to other systems
outputs:
elasticsearch:
hosts: ["localhost:9200"]
use_tls: true
auth_method: "api"
username: ""
password: ""
pipenv run python .\gc-insight.py --query "SELECT * FROM services" --csv service-status
pipenv run python .\gc-insight.py --query-id c51810f9-d6ae-40e8-8fde-de1965e4dfb6 --json
pipenv run python .\gc-insight.py --job-name service-status
I am not responsible if you break your system with this script. Usage is up to your own risk appetite. This software has no warranty.