CrowdStrike / falconpy

The CrowdStrike Falcon SDK for Python
https://www.falconpy.io
The Unlicense

[ BUG ] falconpy/samples/detects/ #847

Closed aboese closed 1 year ago

aboese commented 1 year ago

Describe the bug

403 on detect script use - not related to bad key, as that was tested and the resource was giving a 403, but the sample gave a very generic error. I had to add a line to determine it was a 403.

To Reproduce

Run a blank query with a good key and secret.

Expected behavior

Results


jshcodes commented 1 year ago

Can you show us where you added the line? I'm working on reproducing this and am getting the default tabular display when I run a blank query. (I do also get a valid 403 on a bad key like you mention.)

aboese commented 1 year ago

I’m sorry. You’re reading wrong. I got a 403 on the script run for detects, which is a totally different 403 than the bad key message. It’s super generic with a message that results aren’t returned or something like that, so I had to add a print in the detects script for that. I can’t check the line number atm. I could probably also pull the lib list and get those as a requirements.txt if you like in a bit. What else would be useful?

-Alex

jshcodes commented 1 year ago

Next time you have a chance paste the changes you had to make here and I can work backwards from there. 😄

aboese commented 1 year ago

Line 408 in detects advisor is where I’m having to put the error code print to see the 403. I can confirm that connectivity is not causal.

-Alex Boese

aboese commented 1 year ago

Falconpy installed via pip, so maybe it's a slightly different version from the sample, which was a simple GitHub clone. Not seeing a version string for it on import.

-A

aboese commented 1 year ago

“Unable to retrieve list of detection IDs for the filter specified.” This is with no filter, so should work out of the box, but if I supply a filter, I get precisely the same.

-Alex

jshcodes commented 1 year ago

What was your filter? Something like an AID search? (Just curious. I'm looking into the no filter response as well.)

aboese commented 1 year ago

-f ‘vulnerabilities:!null’

jshcodes commented 1 year ago

That error message is definitely nebulous, we'll get that updated. (Will probably pass back the API error received.) Once this update is posted, I'll ask you to retest for us to confirm.

I had to tweak the filter above to be -f "vulnerabilities:!'null'" to get it to execute from my shell. That's just BASH being difficult though.

aboese commented 1 year ago

I don’t care about the ambiguity. The code is readable. -A

jshcodes commented 1 year ago

Can you confirm your API key has READ / WRITE to Detections? (Should only need READ for the operation we are testing at the moment.)

Most of the authentication failures get handled by line 741, but if I strip the permissions from my API key and then try a default display, I do wind up in the list_elements method and hit our not-so-informative error condition. (The call to query_detects fails with a 403.)

I've got an update ready that speaks to the error message problem, but need to confirm if the scope issue addresses your problem retrieving results.
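The failure mode described in the comment above (a 403 from query_detects surfacing as a generic "unable to retrieve" message) is avoidable if the caller checks the status code and passes the API's own error text back. This is an added example, not the sample's or FalconPy's code: the response dict layout is FalconPy's documented shape, the two sample responses are constructed rather than captured, and the FQL filter in the comment is the one from this thread.

```python
"""Added example: pass the API error from query_detects back to the caller.
FalconPy service methods return {"status_code": int, "headers": {...},
"body": {"meta": {...}, "resources": [...], "errors": [{"code": int, "message": str}]}}."""
from typing import Any, Dict, List


class DetectionQueryError(Exception):
    """query_detects returned a non-2xx status; carries code and API errors."""

    def __init__(self, status_code: int, errors: List[Dict[str, Any]]):
        self.status_code = status_code
        self.errors = errors
        super().__init__(format_api_errors(status_code, errors))


def format_api_errors(status_code: int, errors: List[Dict[str, Any]]) -> str:
    """Render the API's errors list as '[<code>] <message>' lines."""
    if not errors:
        return f"[{status_code}] no error detail returned by the API"
    return "\n".join(
        f"[{err.get('code', status_code)}] {err.get('message', 'unknown error')}"
        for err in errors
    )


def detection_ids(response: Dict[str, Any]) -> List[str]:
    """Return detection IDs from a query_detects response.
    HTTP 200 with an empty resources list is a legitimate 'no matches'; any
    non-2xx status raises with the API's own text, so a 403 (key lacks
    Detections READ) is not confused with an empty result or a 400 from a
    malformed FQL filter.
    """
    status = response.get("status_code", 0)
    body = response.get("body") or {}
    if not 200 <= status < 300:
        raise DetectionQueryError(status, body.get("errors") or [])
    return list(body.get("resources") or [])


def explain(response: Dict[str, Any]) -> str:
    """Return '' when the query succeeded, else the formatted API error."""
    try:
        detection_ids(response)
        return ""
    except DetectionQueryError as exc:
        return str(exc)


# Constructed responses in FalconPy's shape (not captured from the API).
FORBIDDEN = {"status_code": 403, "headers": {}, "body": {"meta": {}, "resources": [],
             "errors": [{"code": 403, "message": "access denied, authorization failed"}]}}
EMPTY_OK = {"status_code": 200, "headers": {}, "body": {"meta": {}, "resources": [], "errors": []}}

if __name__ == "__main__":
    # Against the live API (needs network and a key with Detections READ):
    #   from falconpy import Detects
    #   falcon = Detects(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
    #   print(explain(falcon.query_detects(filter="vulnerabilities:!'null'", limit=500)))
    print(explain(FORBIDDEN))       # [403] access denied, authorization failed
    print(detection_ids(EMPTY_OK))  # []
```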

aboese commented 1 year ago

Has read, as other tools hitting that API with same key set work fine.

-Alex

jshcodes commented 1 year ago

That's really strange, as of yet I can't recreate this without pulling the scope from my API key. I'll keep poking about.

As soon as the v1.2.6 PR is approved and merged, I'll post the updated source for this sample and have you test that to see if there is something else that pops up.

jshcodes commented 1 year ago

The Detects Advisor sample update has been merged. More than likely it will just provide us the same 403 you've already worked out, so more of a nice to have than anything else.

Still trying to run down what could be causing this. The default no-filter behavior just "works" in my current test environment (displays a few detections that I generated). I'm going to try a few different keys / CIDs to see if perhaps I don't see something different. (The 403 is really what throws me here. A data issue would typically produce something like a 400 or a 500. If you have access to the scope, a 403 doesn't make sense.)

aboese commented 1 year ago

I can hand you the lib versions used and the base OS of the environment. Which libs would be critical to know?

-Alex Boese

jshcodes commented 1 year ago

The only 3rd party libs are gonna be requests and urllib3; FalconPy doesn't import anything else.

What minor version of Python 3? I ran into a couple 3.6 / 3.7 issues in the 1.3.0 code base last week. That got me to wondering if one of my cheaty arg-parsing / method handling tricks might be the culprit...

jshcodes commented 1 year ago

Correction (Forgot about the lib dependencies.)

These are the current imports for requests that will also be installed:

aboese commented 1 year ago

Python 3.6.8

Urllib3 1.26.12

jshcodes commented 1 year ago

Perfect. Let me see what I can't make happen. Stay tuned. 😃

aboese commented 1 year ago

Inline below:

On Dec 9, 2022, at 16:34, Joshua Hiller @.***> wrote:

 These are the current imports for requests that will also be installed:

certifi 2022.9.24
charset_normalizer 2.0.12
idna 3.4

jshcodes commented 1 year ago

Doesn't appear that's it.

(general) ubuntu@ip-10-42-20-65:~/falconpy/samples/detects$ python3 --version
Python 3.6.8
(general) ubuntu@ip-10-42-20-65:~/falconpy/samples/detects$ pip3 show charset_normalizer idna certifi
Name: charset-normalizer
Version: 2.0.12
Summary: The Real First Universal Charset Detector. Open, modern and actively maintained alternative to Chardet.
Home-page: https://github.com/ousret/charset_normalizer
Author: Ahmed TAHRI @Ousret
Author-email: ahmed.tahri@cloudnursery.dev
License: MIT
Location: /home/ubuntu/.pyenv/versions/3.6.8/envs/general/lib/python3.6/site-packages
Requires:
Required-by: requests
---
Name: idna
Version: 3.4
Summary: Internationalized Domain Names in Applications (IDNA)
Home-page: None
Author: None
Author-email: Kim Davies <kim@cynosure.com.au>
License: None
Location: /home/ubuntu/.pyenv/versions/3.6.8/envs/general/lib/python3.6/site-packages
Requires:
Required-by: requests
---
Name: certifi
Version: 2022.9.24
Summary: Python package for providing Mozilla's CA Bundle.
Home-page: https://github.com/certifi/python-certifi
Author: Kenneth Reitz
Author-email: me@kennethreitz.com
License: MPL-2.0
Location: /home/ubuntu/.pyenv/versions/3.6.8/envs/general/lib/python3.6/site-packages
Requires:
Required-by: requests
(general) ubuntu@ip-10-42-20-65:~/falconpy/samples/detects$ python3 detects_advisor.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET

 _____         __               __   __
|     \.-----.|  |_.-----.----.|  |_|__|.-----.-----.-----.
|  --  |  -__||   _|  -__|  __||   _|  ||  _  |     |__ --|
|_____/|_____||____|_____|____||____|__||_____|__|__|_____|

╒═════════════╤════════════════════════════════════════╤══════════════════════════════╤════════════════════════════════════════════════╤══════════════════════╕
│ Detection   │ Hostname / Agent ID                    │ Tactic                       │ Technique                                      │ Date occurred        │
╞═════════════╪════════════════════════════════════════╪══════════════════════════════╪════════════════════════════════════════════════╪══════════════════════╡
│ New         │ REDACTED                               │ Defense Evasion (TA0005)     │ Masquerading (T1036)                           │ 2022-09-15T17:46:57Z │
│ 2036551     │ REDACTED                               │                              │                                                │                      │
├─────────────┼────────────────────────────────────────┼──────────────────────────────┼────────────────────────────────────────────────┼──────────────────────┤
│ New         │ REDACTED                               │ Defense Evasion (TA0005)     │ Rootkit (T1014)                                │ 2022-09-15T17:46:58Z │
│ 2769743     │ REDACTED                               │                              │                                                │                      │
├─────────────┼────────────────────────────────────────┼──────────────────────────────┼────────────────────────────────────────────────┼──────────────────────┤
│ New         │ REDACTED                               │ Exfiltration (TA0010)        │ Exfiltration Over Alternative Protocol (T1048) │ 2022-09-15T17:47:01Z │
│ 3881347     │ REDACTED                               │                              │                                                │                      │
├─────────────┼────────────────────────────────────────┼──────────────────────────────┼────────────────────────────────────────────────┼──────────────────────┤
│ New         │ REDACTED                               │ Command and Control (TA0011) │ Remote Access Software (T1219)                 │ 2022-09-15T17:47:05Z │
│ 4818459     │ REDACTED                               │                              │                                                │                      │
├─────────────┼────────────────────────────────────────┼──────────────────────────────┼────────────────────────────────────────────────┼──────────────────────┤
│ New         │ REDACTED                               │ Credential Access (TA0006)   │ OS Credential Dumping (T1003)                  │ 2022-09-15T17:47:07Z │
│ 6864647     │ REDACTED                               │                              │                                                │                      │
├─────────────┼────────────────────────────────────────┼──────────────────────────────┼────────────────────────────────────────────────┼──────────────────────┤
│ New         │ REDACTED                               │ Machine Learning (CSTA0004)  │ Cloud-based ML (CST0008)                       │ 2022-09-15T17:47:08Z │
│ 8991783     │ REDACTED                               │ Machine Learning (CSTA0004)  │ Cloud-based ML (CST0008)                       │ 2022-09-15T17:47:08Z │
├─────────────┼────────────────────────────────────────┼──────────────────────────────┼────────────────────────────────────────────────┼──────────────────────┤
│ New         │ REDACTED                               │ Collection (TA0009)          │ Automated Collection (T1119)                   │ 2022-09-15T17:47:08Z │
│ 8349039     │ REDACTED                               │                              │                                                │                      │
├─────────────┼────────────────────────────────────────┼──────────────────────────────┼────────────────────────────────────────────────┼──────────────────────┤
│ New         │ REDACTED                               │ Execution (TA0002)           │ Command and Scripting Interpreter (T1059)      │ 2022-09-15T17:47:09Z │
│ 10478243    │ REDACTED                               │                              │                                                │                      │
╘═════════════╧════════════════════════════════════════╧══════════════════════════════╧════════════════════════════════════════════════╧══════════════════════╛

aboese commented 1 year ago

Not like the documentation or below. Just the error detailed. -A

jshcodes commented 1 year ago

[403] access denied, authorization failed

I can only generate it if I strip my API key of the Detections scope though.

jshcodes commented 1 year ago

Closing this one as completed. Please reopen if you identify any other variations of this error! 😄