public/Get-VPASPSMSessions.ps1
|
<#
.Synopsis GET PSM SESSIONS CREATED BY: Vadim Melamed, EMAIL: vpasmodule@gmail.com .DESCRIPTION USE THIS FUNCTION TO GET PSM SESSIONS .LINK https://vpasmodule.com/commands/Get-VPASPSMSessions .PARAMETER token HashTable of data containing various pieces of login information (PVWA, LoginToken, HeaderType, etc). If -token is not passed, function will use last known hashtable generated by New-VPASToken .PARAMETER SearchQuery Search string to find target resource via username, address, safe, platform, etc. Comma separated for multiple fields, or to search all pass a blank value like so: " " .PARAMETER FromTime Optional parameter to find target recordings based by Date Range Start date must be in epoch format .PARAMETER ToTime Optional parameter to find target recordings based by Date Range End date must be in epoch format .PARAMETER InputParameters HashTable of values containing the parameters required to make the API call .EXAMPLE $GetPSMSessionsJSON = Get-VPASPSMSessions -SearchQuery {SEARCHQUERY VALUE} .EXAMPLE $InputParameters = @{ SearchQuery = "DomainAdmin01" FromTime = "1724465648" #<-- EpochTime ToTime = "1729736048" #<-- EpochTime } $GetPSMSessionsJSON = Get-VPASPSMSessions -InputParameters $InputParameters .OUTPUTS If successful: { "Recordings": [ ... { "SessionID": "36_102", "SessionGuid": "kajshd7389-zxcv-asdf-qwer-4238746kjwdfhs89", "SafeName": "PSMRecordings", "FolderName": "Root", "IsLive": false, "FileName": "kajshd7389-zxcv-asdf-qwer-4238746kjwdfhs89.session", "Start": 1712111269, "End": 1712111328, "Duration": 59, "User": "vadim@vman.com", "RemoteMachine": "192.168.111.111", "ProtectionDate": 0, "ProtectedBy": "", "ProtectionEnabled": false, "AccountUsername": "vmanda", "AccountPlatformID": "VadimWindowsDomain", "AccountAddress": "vman.com", "PIMSuCommand": "", "PIMSuCWD": "", "ConnectionComponentID": "PSM-RDP", "PSMRecordingEntity": "SessionRecording", "TicketID": "", "FromIP": "192.168.222.222", "Protocol": "RDP", "Client": "RDP", "RiskScore": -1, "Severity": "", "IncidentDetails": null, "RawProperties": "@{Address=vman.com; ConnectionComponentID=PSM-RDP; DeviceType=Operating System; EntityVersion=1.0; ExpectedRecordingsList=kajshd7389-zxcv-asdf-qwer-4238746kjwdfhs89.WIN.txt,kajshd7389-zxcv-asdf-qwer-4238746kjwdfhs89.VID.avi; PSMClientApp=mstsc.exe; PSMPasswordID=9; PSMProtocol=RDP; PSMRecordingEntity=SessionRecording; PSMRemoteMachine=192.168.111.111; PSMSafeID=68; PSMSourceAddress=192.168.222.222; PSMStartTime=1712111269; PSMStatus=Final; PSMVaultUserName=vadim@vman.com; PolicyID=VadimWindowsDomain; ProviderID=PSMApp_VmanCon01; UserName=vmanda; PSMEndTime=1712111328; ActualRecordings=kajshd7389-zxcv-asdf-qwer-4238746kjwdfhs89.WIN.txt;187,kajshd7389-zxcv-asdf-qwer-4238746kjwdfhs89.VID.avi;188; Safe=PSMRecordings; Folder=Root; Name=kajshd7389-zxcv-asdf-qwer-4238746kjwdfhs89.session}", "RecordingFiles": " ", "RecordedActivities": "", "VideoSize": 1772412, "TextSize": 3048, "DetailsUrl": "recordingdetails.aspx?Data=qjwhefjkhwr789439rt8h4j3fj943mh093cmfcj8kfq43kjf093jmf03j0cfk83cmd587yn93f874y9t7473f734y875nt475" }, { "SessionID": "36_103", "SessionGuid": "kajshd7389-zxcv-asdf-qwer-4238746kjwdfhs89", "SafeName": "PSMRecordings", "FolderName": "Root", "IsLive": false, "FileName": "kajshd7389-zxcv-asdf-qwer-4238746kjwdfhs89.session", "Start": 1712100199, "End": 1712100250, "Duration": 51, "User": "vadim@vman.com", "RemoteMachine": "192.168.111.111", "ProtectionDate": 0, "ProtectedBy": "", "ProtectionEnabled": false, "AccountUsername": "vmanda", "AccountPlatformID": "VadimWindowsDomain", "AccountAddress": "vman.com", "PIMSuCommand": "", "PIMSuCWD": "", "ConnectionComponentID": "PSM-RDP", "PSMRecordingEntity": "SessionRecording", "TicketID": "", "FromIP": "192.168.222.222", "Protocol": "RDP", "Client": "RDP", "RiskScore": -1, "Severity": "", "IncidentDetails": null, "RawProperties": "@{Address=vman.com; ConnectionComponentID=PSM-RDP; DeviceType=Operating System; EntityVersion=1.0; ExpectedRecordingsList=kajshd7389-zxcv-asdf-qwer-4238746kjwdfhs89.WIN.txt,kajshd7389-zxcv-asdf-qwer-4238746kjwdfhs89.VID.avi; PSMClientApp=mstsc.exe; PSMPasswordID=9; PSMProtocol=RDP; PSMRecordingEntity=SessionRecording; PSMRemoteMachine=192.168.111.111; PSMSafeID=68; PSMSourceAddress=192.168.222.222; PSMStartTime=1712100199; PSMStatus=Final; PSMVaultUserName=vadim@vman.com; PolicyID=VadimWindowsDomain; ProviderID=PSMApp_VmanCon01; UserName=vmanda; PSMEndTime=1712100250; ActualRecordings=kajshd7389-zxcv-asdf-qwer-4238746kjwdfhs89.WIN.txt;184,kajshd7389-zxcv-asdf-qwer-4238746kjwdfhs89.VID.avi;185; Safe=PSMRecordings; Folder=Root; Name=kajshd7389-zxcv-asdf-qwer-4238746kjwdfhs89.session}", "RecordingFiles": " ", "RecordedActivities": "", "VideoSize": 1691132, "TextSize": 3048, "DetailsUrl": "recordingdetails.aspx?Data=je784o94kfg0ek67y8ke04958yefn5i847yjt78j4eo78t4jy5o7mt458yntd9285m70ws8k20348jytf4597fho94hmnoy9875mh49e87mh4o85d0wl89l509d38k45t983f54" }, ... ], "Total": 17 } --- $false if failed #> function Get-VPASPSMSessions{ [OutputType('System.Object',[bool])] [CmdletBinding(DefaultParameterSetName='Set1')] Param( [Parameter(Mandatory=$true,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true,HelpMessage="Enter wildcard search to query PSMSessions (for example: 'localadmin server1.vman.com')")] [String]$SearchQuery, [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)] [String]$FromTime, [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)] [String]$ToTime, [Parameter(Mandatory=$true,ParameterSetName='InputParameters',ValueFromPipelineByPropertyName=$true,HelpMessage="Hashtable of parameters required to make API call, refer to get-help -examples for valid inputs")] [hashtable]$InputParameters, [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true)] [hashtable]$token ) Begin{ $tokenval,$sessionval,$PVWA,$Header,$ISPSS,$IdentityURL,$EnableTextRecorder,$AuditTimeStamp,$NoSSL,$VaultVersion,$HideWarnings,$AuthenticatedAs,$SubDomain,$EnableTroubleshooting = Get-VPASSession -token $token $CommandName = $MyInvocation.MyCommand.Name $log = Write-VPASTextRecorder -inputval $CommandName -token $token -LogType COMMAND } Process{ try{ if($PSCmdlet.ParameterSetName -eq "InputParameters"){ $KeyHash = @{ set1 = @{ AcceptableKeys = @("SearchQuery","FromTime","ToTime") MandatoryKeys = @("SearchQuery") } } $CheckSet = Test-VPASHashtableKeysHelper -InputHash $InputParameters -KeyHash $KeyHash if(!$CheckSet){ $log = Write-VPASTextRecorder -inputval "FAILED TO FIND TARGET PARAMETER SET" -token $token -LogType MISC Write-Verbose "FAILED TO FIND TARGET PARAMETER SET" Write-VPASOutput -str "FAILED TO FIND TARGET PARAMETER SET...VIEW EXAMPLES BELOW:" -type E $examples = Write-VPASExampleHelper -CommandName $CommandName return $false } else{ foreach($key in $InputParameters.Keys){ Set-Variable -Name $key -Value $InputParameters.$key } } } }catch{ $log = Write-VPASTextRecorder -inputval $_ -token $token -LogType ERROR $log = Write-VPASTextRecorder -inputval "REST API COMMAND RETURNED: FALSE" -token $token -LogType MISC Write-Verbose "FAILED TO RETRIEVE PSM SESSIONS" Write-VPASOutput -str $_ -type E return $false } try{ $apiLimit = 1000 if($NoSSL){ Write-Verbose "NO SSL ENABLED, USING HTTP INSTEAD OF HTTPS" $uri = "http://$PVWA/PasswordVault/api/recordings?limit=$apiLimit" } else{ Write-Verbose "SSL ENABLED BY DEFAULT, USING HTTPS" $uri = "https://$PVWA/PasswordVault/api/recordings?limit=$apiLimit" } if(![String]::IsNullOrEmpty($FromTime)){ $uri += "&FromTime=$FromTime" } if(![String]::IsNullOrEmpty($ToTime)){ $uri += "&ToTime=$ToTime" } $uri += "&Search=$SearchQuery" $log = Write-VPASTextRecorder -inputval $uri -token $token -LogType URI $log = Write-VPASTextRecorder -inputval "GET" -token $token -LogType METHOD write-verbose "MAKING API CALL TO CYBERARK" if($sessionval){ $response = Invoke-RestMethod -Headers @{"Authorization"=$Header} -Uri $uri -Method GET -ContentType "application/json" -WebSession $sessionval } else{ $response = Invoke-RestMethod -Headers @{"Authorization"=$Header} -Uri $uri -Method GET -ContentType "application/json" } $log = Write-VPASTextRecorder -inputval $response -token $token -LogType RETURNARRAY $curcount = $response.Total $curtotal = $curcount $curItems = $response.Recordings while($curcount -eq $apiLimit){ $LastStartTime = $response.Recordings[$apiLimit-1].start + 1 $TempEndTime = $LastStartTime - 31556926 if(![String]::IsNullOrEmpty($FromTime)){ if($FromTime -gt $TempEndTime){ $TempEndTime = $FromTime } } if($NoSSL){ Write-Verbose "NO SSL ENABLED, USING HTTP INSTEAD OF HTTPS" $uri = "http://$PVWA/PasswordVault/api/recordings?limit=$apiLimit&FromTime=$TempEndTime&ToTime=$LastStartTime&Search=$SearchQuery" } else{ Write-Verbose "SSL ENABLED BY DEFAULT, USING HTTPS" $uri = "https://$PVWA/PasswordVault/api/recordings?limit=$apiLimit&FromTime=$TempEndTime&ToTime=$LastStartTime&Search=$SearchQuery" } Write-Verbose "SETTING URI: $uri" $log = Write-VPASTextRecorder -inputval $uri -token $token -LogType URI $log = Write-VPASTextRecorder -inputval "GET" -token $token -LogType METHOD write-verbose "MAKING API CALL TO CYBERARK" if($sessionval){ $response = Invoke-RestMethod -Headers @{"Authorization"=$Header} -Uri $uri -Method GET -ContentType "application/json" -WebSession $sessionval } else{ $response = Invoke-RestMethod -Headers @{"Authorization"=$Header} -Uri $uri -Method GET -ContentType "application/json" } $log = Write-VPASTextRecorder -inputval $response -token $token -LogType RETURNARRAY $curcount = $response.Total $curtotal += $curcount $curItems += $response.Recordings } $response.Recordings = $curItems $response.Total = $curtotal Write-Verbose "RETURNING JSON OBJECT" return $response }catch{ $log = Write-VPASTextRecorder -inputval $_ -token $token -LogType ERROR $log = Write-VPASTextRecorder -inputval "REST API COMMAND RETURNED: FALSE" -token $token -LogType MISC Write-Verbose "UNABLE TO GET PSM SESSIONS FOR SEARCHQUERY: $SearchQuery" Write-VPASOutput -str $_ -type E return $false } } End{ $log = Write-VPASTextRecorder -inputval $CommandName -token $token -LogType DIVIDER } } |