z1pti3 / jimiplugin-asset Goto Github PK

If we set it to assetFields it will not add the priority key which is a required key.

Recommended building an index based on timespan to speed up the common reads

db.assetRelationship.createIndex( { "timespan" : -1 } )

When duplicate assets are deleted it does not merge sources so data can be lost

I don't think searching within asset should be case sensitive as asset names should always be unique regardless of case.

Searching myworkstation-15 should be able to return the asset MyWorkStation-15

Describe the bug
When the 'updateExisitng' box is used in asset update, the asset can no longer be viewed in asset (you get server 500 error)

To Reproduce
Connect a trigger to an asset update, fill in details of an asset, select 'updateExisting', run trigger

Expected behaviour
Any fields specified are added to the asset

Screenshots
If applicable, add screenshots to help explain your problem.

Environment (please complete the following information):

Additional context
This seems to be because the updateExisitng fails to put the 'update source: manual' field in the data. Replacing this via the model editor returns asset to working state (though other data was also copied).

Duplicate assets are not being cleaned by the system when it runs the processing so many copies of the same asset are present within my system

assetHistory is updated each time not just one changes which causes slow performance

Currently, if an asset is updated and the value of a certain field is None (null), the asset field is updated with this value anyway. I feel like fields should only be added if they are not none. Maybe this should be a switch, as it may be useful to find assets where the value is None (although I suppose you could always do "$exists"...).

Thoughts @z1pti3?

Last seen is always updated it would be good to have an option to exclude a source from being valid for last seen or have it added to fields following priority ordering

As we can now save values inside fields, when JIMI pulls them out via assetSearch he will return something like this:
name, fields.src_ip, fields.operating_system, etc. Because these aren't as easy to reference, it would be nice to have an option to either

• a) remove the fields. prefix (although this could cause conflicts if anything in fields shares a name with the top level fields, like name, lastSeen, etc)
• b) have an additional form object that lets users specify what to rename any of the returned values to. This would give more control over the values passed down the flow.

Trying to duplicate an object with this in the search field:
{"assetType":"computer","fields.spiderStartTime":0,"lastSeen.inga.lastUpdate":{"$gt":"%%sum(now(),-90000)%%"}}

When JIMI tries to duplicate the object he runs into this issue:

The web part of the plugin does not reference the menu bar in the title. Although back and forward buttons on a users browser can be used, it feels like it would make the plugin integrate better into the main application if the menu bar was still there.

If you build a new asset for the first time that has more than one source it results in the asset being duplicated until the assetUpdate for the same asset is run again. When assetUpdate is run again it removes the duplicate but does not initially merge the results leaving the asset with only one source.

You can recreate this issue with:

Exported Flow

{ "flow": [ { "flowID": "7035e62c-9a35-4123-851e-02e12f9794a7", "next": [ { "flowID": "0440295a-694c-4a7f-ac9d-dd71def8524e", "logic": true, "order": 0 }, { "flowID": "60ad1a35-35ea-4418-85d9-fb61d858db17", "logic": true, "order": 0 } ], "type": "trigger", "subtype": "testFireTrigger", "triggerID": "60ce076f2e3d63f71e417895" }, { "flowID": "0440295a-694c-4a7f-ac9d-dd71def8524e", "next": [], "type": "action", "subtype": "assetUpdate", "actionID": "60ce07ce2e3d63f71e41789a" }, { "flowID": "60ad1a35-35ea-4418-85d9-fb61d858db17", "type": "action", "next": [], "actionID": "60ce081e2e3d63f71e41789f" } ], "action": { "60ce07ce2e3d63f71e41789a": { "className": "assetUpdate", "_id": "60ce07ce2e3d63f71e41789a", "assetEntity": "Some Company", "assetFields": { "ip": "%%data[event][ip]%%", "os": "%%data[event][os]%%" }, "assetName": "%%data[event][name]%%", "assetType": "computer", "comment": "", "createdBy": "", "delayedUpdate": 0, "logicString": "", "name": "Update Computer Asset AD", "scope": 0, "seen": [], "sourcePriority": 10, "sourcePriorityMaxAge": 86400, "updateSource": "Active Directory", "updateTime": "%%now()%%", "varDefinitions": {} }, "60ce081e2e3d63f71e41789f": { "className": "assetUpdate", "_id": "60ce081e2e3d63f71e41789f", "assetEntity": "Some Company", "assetFields": { "ip": "%%data[event][ip]%%", "user": "%%data[event][user]%%", "os": "%%data[event][os]%%" }, "assetName": "%%data[event][name]%%", "assetType": "computer", "comment": "", "createdBy": "", "delayedUpdate": 0, "logicString": "", "name": "Update Computer Asset AV", "scope": 0, "seen": [], "sourcePriority": 20, "sourcePriorityMaxAge": 86400, "updateSource": "Microsoft Defender", "updateTime": "%%now()%%", "varDefinitions": {} } }, "trigger": { "60ce076f2e3d63f71e417895": { "className": "testFireTrigger", "_id": "60ce076f2e3d63f71e417895", "attemptCount": 0, "autoRestartCount": 3, "clusterSet": 0, "comment": "", "concurrency": 0, "createdBy": "", "events": [ { "name": "ws-19522", "ip": "172.16.7.44", "user": "john.doh", "os": "Windows 10 Pro" }, { "name": "ws-72512", "ip": "172.16.1.104", "user": "tim.smith", "os": "Windows 7 Pro" } ], "lastCheck": 1624812183.2694452, "logicString": "", "maxDuration": 60, "name": "Build Computer Assets", "schedule": "60-300s", "scope": 0, "startTime": 0.0, "systemIndex": 0, "varDefinitions": {} } }, "ui": { "7035e62c-9a35-4123-851e-02e12f9794a7": { "x": -1472, "y": -572, "title": "Build Computer Assets" }, "0440295a-694c-4a7f-ac9d-dd71def8524e": { "x": -1171, "y": -623, "title": "Update Computer Asset AD" }, "60ad1a35-35ea-4418-85d9-fb61d858db17": { "x": -1166, "y": -534, "title": "Update Computer Asset AV" } } }

Last seen for an asset is always updated from all of the source information.

In my instance I am trying to use additional about compliance monitoring but do not want it to impact "last seen"